PeekingPeerConnector.cc
Go to the documentation of this file.
1/*
2 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9/* DEBUG: section 83 SSL-Bump Server/Peer negotiation */
10
11#include "squid.h"
12#include "acl/FilledChecklist.h"
13#include "client_side.h"
14#include "errorpage.h"
15#include "fde.h"
16#include "http/Stream.h"
17#include "HttpRequest.h"
20#include "SquidConfig.h"
21#include "ssl/bio.h"
23#include "ssl/ServerBump.h"
24#include "tunnel.h"
25
26CBDATA_NAMESPACED_CLASS_INIT(Ssl, PeekingPeerConnector);
27
29 const Comm::ConnectionPointer &aServerConn,
30 const Comm::ConnectionPointer &aClientConn,
32 const AccessLogEntryPointer &alp,
33 const time_t timeout):
34 AsyncJob("Ssl::PeekingPeerConnector"),
35 Security::PeerConnector(aServerConn, aCallback, alp, timeout),
36 clientConn(aClientConn),
37 splice(false),
38 serverCertificateHandled(false)
39{
40 request = aRequest;
41
42 if (const auto csd = request->clientConnectionManager.valid()) {
43 const auto serverBump = csd->serverBump();
44 Must(serverBump);
45 Must(serverBump->at(XactionStep::tlsBump3));
46 }
47 // else the client is gone, and we cannot check the step, but must carry on
48}
49
50void
52{
54 // Use job calls to add done() checks and other job logic/protections.
55 CallJobHere1(83, 7, CbcPointer<PeekingPeerConnector>(peerConnect), Ssl::PeekingPeerConnector, checkForPeekAndSpliceDone, aclAnswer);
56}
57
58void
60{
61 const Ssl::BumpMode finalAction = aclAnswer.allowed() ?
62 static_cast<Ssl::BumpMode>(aclAnswer.kind):
63 checkForPeekAndSpliceGuess();
64 checkForPeekAndSpliceMatched(finalAction);
65}
66
67void
69{
70 handleServerCertificate();
71
72 ACLFilledChecklist *acl_checklist = new ACLFilledChecklist(
73 ::Config.accessList.ssl_bump,
74 request.getRaw(), nullptr);
75 acl_checklist->al = al;
81 Security::SessionPointer session(fd_table[serverConn->fd].ssl);
82 BIO *b = SSL_get_rbio(session.get());
83 Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(BIO_get_data(b));
84 if (!srvBio->canSplice())
86 if (!srvBio->canBump())
88 acl_checklist->syncAle(request.getRaw(), nullptr);
90}
91
92void
94{
95 Security::SessionPointer session(fd_table[serverConn->fd].ssl);
96 BIO *b = SSL_get_rbio(session.get());
97 Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(BIO_get_data(b));
98 debugs(83,5, "Will check for peek and splice on FD " << serverConn->fd);
99
100 Ssl::BumpMode finalAction = action;
101 Must(finalAction == Ssl::bumpSplice || finalAction == Ssl::bumpBump || finalAction == Ssl::bumpTerminate);
102 // Record final decision
103 if (request->clientConnectionManager.valid()) {
104 request->clientConnectionManager->sslBumpMode = finalAction;
105 request->clientConnectionManager->serverBump()->act.step3 = finalAction;
106 }
107 al->ssl.bumpMode = finalAction;
108
109 if (finalAction == Ssl::bumpTerminate) {
110 bail(new ErrorState(ERR_SECURE_CONNECT_FAIL, Http::scForbidden, request.getRaw(), al));
111 clientConn->close();
112 clientConn = nullptr;
113 } else if (finalAction != Ssl::bumpSplice) {
114 //Allow write, proceed with the connection
115 srvBio->holdWrite(false);
116 srvBio->recordInput(false);
117 debugs(83,5, "Retry the fwdNegotiateSSL on FD " << serverConn->fd);
119 } else {
120 splice = true;
121 // Ssl Negotiation stops here. Last SSL checks for valid certificates
122 // and if done, switch to tunnel mode
123 if (sslFinalized() && callback)
124 callBack();
125 }
126}
127
130{
131 if (const ConnStateData *csd = request->clientConnectionManager.valid()) {
132 const Ssl::BumpMode currentMode = csd->sslBumpMode;
133 if (currentMode == Ssl::bumpStare) {
134 debugs(83,5, "default to bumping after staring");
135 return Ssl::bumpBump;
136 }
137 debugs(83,5, "default to splicing after " << currentMode);
138 } else {
139 debugs(83,3, "default to splicing due to missing info");
140 }
141
142 return Ssl::bumpSplice;
143}
144
147{
149}
150
151bool
153{
154 if (!Security::PeerConnector::initialize(serverSession))
155 return false;
156
157 // client connection supplies TLS client details and is also used if we
158 // need to splice or terminate the client and server connections
159 if (!Comm::IsConnOpen(clientConn))
160 return false;
161
162 if (ConnStateData *csd = request->clientConnectionManager.valid()) {
163
164 SBuf *hostName = nullptr;
165
166 //Enable Status_request TLS extension, required to bump some clients
167 SSL_set_tlsext_status_type(serverSession.get(), TLSEXT_STATUSTYPE_ocsp);
168
169 const Security::TlsDetails::Pointer details = csd->tlsParser.details;
170 if (details && !details->serverName.isEmpty())
171 hostName = new SBuf(details->serverName);
172
173 if (!hostName) {
174 // While we are peeking at the certificate, we may not know the server
175 // name that the client will request (after interception or CONNECT)
176 // unless it was the CONNECT request with a user-typed address.
177 const bool isConnectRequest = !csd->port->flags.isIntercepted();
178 if (!request->flags.sslPeek || isConnectRequest)
179 hostName = new SBuf(request->url.host());
180 }
181
182 if (hostName)
183 SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, (void*)hostName);
184
185 if (csd->sslBumpMode == Ssl::bumpPeek || csd->sslBumpMode == Ssl::bumpStare) {
186 auto clientSession = fd_table[clientConn->fd].ssl.get();
187 Must(clientSession);
188 BIO *bc = SSL_get_rbio(clientSession);
189 Ssl::ClientBio *cltBio = static_cast<Ssl::ClientBio *>(BIO_get_data(bc));
190 Must(cltBio);
191 if (details && details->tlsVersion.protocol != AnyP::PROTO_NONE)
192 applyTlsDetailsToSSL(serverSession.get(), details, csd->sslBumpMode);
193
194 BIO *b = SSL_get_rbio(serverSession.get());
195 Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(BIO_get_data(b));
196 Must(srvBio);
197 // inherit client features such as TLS version and SNI
198 srvBio->setClientFeatures(details, cltBio->rBufData());
199 srvBio->recordInput(true);
200 srvBio->mode(csd->sslBumpMode);
201 } else {
202 // Set client SSL options
204
205 const bool redirected = request->flags.redirected && ::Config.onoff.redir_rewrites_host;
206 const char *sniServer = (!hostName || redirected) ?
207 request->url.host() :
208 hostName->c_str();
209 if (sniServer)
210 setClientSNI(serverSession.get(), sniServer);
211 }
212
213 if (Ssl::ServerBump *serverBump = csd->serverBump()) {
214 serverBump->attachServerSession(serverSession);
215 // store peeked cert to check SQUID_X509_V_ERR_CERT_CHANGE
216 if (X509 *peeked_cert = serverBump->serverCert.get()) {
217 X509_up_ref(peeked_cert);
218 SSL_set_ex_data(serverSession.get(), ssl_ex_index_ssl_peeked_cert, peeked_cert);
219 }
220 }
221 }
222
223 return true;
224}
225
226void
228{
229 // Check the list error with
230 if (!request->clientConnectionManager.valid() || !fd_table[serverConnection()->fd].ssl)
231 return;
232
233 // remember the server certificate from the ErrorDetail object
234 if (Ssl::ServerBump *serverBump = request->clientConnectionManager->serverBump()) {
235 if (!serverBump->serverCert.get()) {
236 // remember the server certificate from the ErrorDetail object
237 const auto errDetail = dynamic_cast<Security::ErrorDetail *>(error ? error->detail.getRaw() : nullptr);
238 if (errDetail && errDetail->peerCert())
239 serverBump->serverCert.resetAndLock(errDetail->peerCert());
240 else {
241 handleServerCertificate();
242 }
243 }
244
245 if (error) {
246 // For intercepted connections, set the host name to the server
247 // certificate CN. Otherwise, we just hope that CONNECT is using
248 // a user-entered address (a host name or a user-entered IP).
249 const bool isConnectRequest = !request->clientConnectionManager->port->flags.isIntercepted();
250 if (request->flags.sslPeek && !isConnectRequest) {
251 if (X509 *srvX509 = serverBump->serverCert.get()) {
252 if (const char *name = Ssl::CommonHostName(srvX509)) {
253 request->url.host(name);
254 debugs(83, 3, "reset request host: " << name);
255 }
256 }
257 }
258 }
259 }
260
261 if (!error) {
262 serverCertificateVerified();
263 if (splice) {
264 if (!Comm::IsConnOpen(clientConn)) {
265 bail(new ErrorState(ERR_GATEWAY_FAILURE, Http::scInternalServerError, request.getRaw(), al));
266 throw TextException("from-client connection gone", Here());
267 }
268 startTunneling();
269 }
270 }
271}
272
273void
275{
276 // switchToTunnel() drains any already buffered from-server data (rBufData)
277 fd_table[serverConn->fd].useDefaultIo();
278 // tunnelStartShoveling() drains any buffered from-client data (inBuf)
279 fd_table[clientConn->fd].useDefaultIo();
280
281 // TODO: Encapsulate this frequently repeated logic into a method.
282 const auto session = fd_table[serverConn->fd].ssl;
283 auto b = SSL_get_rbio(session.get());
284 auto srvBio = static_cast<Ssl::ServerBio*>(BIO_get_data(b));
285
286 debugs(83, 5, "will tunnel instead of negotiating TLS");
287 switchToTunnel(request.getRaw(), clientConn, serverConn, srvBio->rBufData());
288 answer().tunneled = true;
289 disconnect();
290 callBack();
291}
292
293void
295{
296 const int fd = serverConnection()->fd;
297 Security::SessionPointer session(fd_table[fd].ssl);
298 BIO *b = SSL_get_rbio(session.get());
299 Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(BIO_get_data(b));
300
301 if ((srvBio->bumpMode() == Ssl::bumpPeek || srvBio->bumpMode() == Ssl::bumpStare) && srvBio->holdWrite()) {
302 debugs(81, 3, "hold write on SSL connection on FD " << fd);
303 checkForPeekAndSplice();
304 return;
305 }
306
308}
309
310void
312{
313 const int fd = serverConnection()->fd;
314 Security::SessionPointer session(fd_table[fd].ssl);
315 BIO *b = SSL_get_rbio(session.get());
316 Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(BIO_get_data(b));
317
318 if (srvBio->bumpMode() == Ssl::bumpPeek) {
319 auto bypassValidator = false;
320 if (srvBio->encryptedCertificates()) {
321 // it is pointless to peek at encrypted certificates
322 //
323 // we currently splice all sessions with encrypted certificates
324 // if (const auto spliceEncryptedCertificates = true) {
325 bypassValidator = true;
326 // } // else fall through to find a matching ssl_bump action (with limited info)
327 } else if (srvBio->resumingSession()) {
328 // In peek mode, the ClientHello message is forwarded to the server.
329 // If the server is resuming a previous (spliced) SSL session with
330 // the client, then probably we are here because our local SSL
331 // object does not know anything about the session being resumed.
332 //
333 // we currently splice all resumed sessions
334 // if (const auto spliceResumed = true) {
335 bypassValidator = true;
336 // } // else fall through to find a matching ssl_bump action (with limited info)
337 }
338
339 if (bypassValidator) {
340 bypassCertValidator();
341 checkForPeekAndSpliceMatched(Ssl::bumpSplice);
342 return;
343 }
344 }
345
346 // If we are in peek-and-splice mode and still we did not write to
347 // server yet, try to see if we should splice.
348 // In this case the connection can be saved.
349 // If the checklist decision is do not splice a new error will
350 // occur in the next SSL_connect call, and we will fail again.
351 // Abort on certificate validation errors to avoid splicing and
352 // thus hiding them.
353 // Abort if no certificate found probably because of malformed or
354 // unsupported server Hello message (TODO: make configurable).
355 // TODO: Add/use a positive "successfully validated server cert" signal
356 // instead of relying on the "![presumably_]validation_error && serverCert"
357 // signal combo.
358 if (!SSL_get_ex_data(session.get(), ssl_ex_index_ssl_error_detail) &&
359 (srvBio->bumpMode() == Ssl::bumpPeek || srvBio->bumpMode() == Ssl::bumpStare) && srvBio->holdWrite()) {
360 Security::CertPointer serverCert(SSL_get_peer_certificate(session.get()));
361 if (serverCert) {
362 debugs(81, 3, "hold TLS write on FD " << fd << " despite " << errorDetail);
363 checkForPeekAndSplice();
364 return;
365 }
366 }
367
368 // else call parent noteNegotiationError to produce an error page
370}
371
372void
374{
375 if (serverCertificateHandled)
376 return;
377
378 if (ConnStateData *csd = request->clientConnectionManager.valid()) {
379 const int fd = serverConnection()->fd;
380 Security::SessionPointer session(fd_table[fd].ssl);
381 Security::CertPointer serverCert(SSL_get_peer_certificate(session.get()));
382 if (!serverCert)
383 return;
384
385 serverCertificateHandled = true;
386
387 // remember the server certificate for later use
388 if (Ssl::ServerBump *serverBump = csd->serverBump()) {
389 serverBump->serverCert = std::move(serverCert);
390 }
391 }
392}
393
394void
396{
397 if (ConnStateData *csd = request->clientConnectionManager.valid()) {
398 Security::CertPointer serverCert;
399 if(Ssl::ServerBump *serverBump = csd->serverBump())
400 serverCert.resetAndLock(serverBump->serverCert.get());
401 else {
402 const int fd = serverConnection()->fd;
403 Security::SessionPointer session(fd_table[fd].ssl);
404 serverCert.resetWithoutLocking(SSL_get_peer_certificate(session.get()));
405 }
406 if (serverCert) {
407 csd->resetSslCommonName(Ssl::CommonHostName(serverCert.get()));
408 debugs(83, 5, "HTTPS server CN: " << csd->sslCommonName() <<
409 " bumped: " << *serverConnection());
410 }
411 }
412}
413
#define CallJobHere1(debugSection, debugLevel, job, Class, method, arg1)
Definition: AsyncJobCalls.h:63
#define Here()
source code location of the caller
Definition: Here.h:15
CBDATA_NAMESPACED_CLASS_INIT(Ssl, PeekingPeerConnector)
class SquidConfig Config
Definition: SquidConfig.cc:12
#define Must(condition)
Definition: TextException.h:75
void error(char *format,...)
void applyTlsDetailsToSSL(SSL *ssl, Security::TlsDetails::Pointer const &details, Ssl::BumpMode bumpMode)
Definition: bio.cc:569
void banAction(const Acl::Answer &action)
add action to the list of banned actions
Definition: Checklist.cc:395
void nonBlockingCheck(ACLCB *callback, void *callback_data)
Definition: Checklist.cc:237
AccessLogEntry::Pointer al
info for the future access.log, and external ACL
void syncAle(HttpRequest *adaptedRequest, const char *logUri) const override
assigns uninitialized adapted_request and url ALE components
int kind
the matched custom access list verb (or zero)
Definition: Acl.h:170
bool allowed() const
Definition: Acl.h:156
Cbc * valid() const
was set and is valid
Definition: CbcPointer.h:41
CbcPointer< ConnStateData > clientConnectionManager
Definition: HttpRequest.h:232
Definition: SBuf.h:94
const char * c_str()
Definition: SBuf.cc:516
void resetWithoutLocking(T *t)
Reset raw pointer - unlock any previous one and save new one without locking.
T * get() const
Returns raw and possibly nullptr pointer.
virtual bool initialize(Security::SessionPointer &)
virtual void noteNegotiationError(const Security::ErrorDetailPointer &)
Called when the SSL_connect function aborts with an SSL negotiation error.
virtual void noteWantWrite()
HttpRequestPointer request
peer connection trigger or cause
void updateSessionOptions(Security::SessionPointer &)
setup any library-specific options that can be set for the given session
Definition: PeerOptions.cc:774
struct SquidConfig::@106 onoff
acl_access * ssl_bump
Definition: SquidConfig.h:388
struct SquidConfig::@116 ssl_client
int redir_rewrites_host
Definition: SquidConfig.h:297
Security::ContextPointer sslContext
Definition: SquidConfig.h:506
const SBuf & rBufData()
The buffered input data.
Definition: bio.h:61
A PeerConnector for HTTP origin servers. Capable of SslBumping.
bool initialize(Security::SessionPointer &) override
void checkForPeekAndSpliceDone(Acl::Answer)
Callback function for ssl_bump acl check in step3 SSL bump step.
void noteNegotiationError(const Security::ErrorDetailPointer &) override
Called when the SSL_connect function aborts with an SSL negotiation error.
void startTunneling()
Abruptly stops TLS negotiation and starts tunneling.
void checkForPeekAndSpliceMatched(const Ssl::BumpMode finalMode)
Handles the final bumping decision.
void noteNegotiationDone(ErrorState *error) override
Security::ContextPointer getTlsContext() override
static void cbCheckForPeekAndSpliceDone(Acl::Answer, void *data)
A wrapper function for checkForPeekAndSpliceDone for use with acl.
PeekingPeerConnector(HttpRequestPointer &aRequest, const Comm::ConnectionPointer &aServerConn, const Comm::ConnectionPointer &aClientConn, const AsyncCallback< Security::EncryptorAnswer > &aCallback, const AccessLogEntryPointer &alp, time_t timeout=0)
Ssl::BumpMode checkForPeekAndSpliceGuess() const
Guesses the final bumping decision when no ssl_bump rules match.
void mode(Ssl::BumpMode m)
The bumping mode.
Definition: bio.h:160
bool holdWrite() const
The write hold state.
Definition: bio.h:150
void recordInput(bool r)
Enables or disables the input data recording, for internal analysis.
Definition: bio.h:154
bool canBump()
Whether we can bump or not the SSL stream.
Definition: bio.h:158
void setClientFeatures(Security::TlsDetails::Pointer const &details, SBuf const &hello)
Sets the random number to use in client SSL HELLO message.
Definition: bio.cc:263
bool encryptedCertificates() const
Definition: bio.cc:438
Ssl::BumpMode bumpMode()
return the bumping mode
Definition: bio.h:161
bool resumingSession()
Definition: bio.cc:432
bool canSplice()
Whether we can splice or not the SSL stream.
Definition: bio.h:156
an std::runtime_error with thrower location info
Definition: TextException.h:21
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Stream.h:194
@ ERR_SECURE_CONNECT_FAIL
Definition: forward.h:31
@ ERR_GATEWAY_FAILURE
Definition: forward.h:67
#define fd_table
Definition: fde.h:189
int ssl_ex_index_server
int ssl_ex_index_ssl_peeked_cert
int ssl_ex_index_ssl_error_detail
@ ACCESS_ALLOWED
Definition: Acl.h:116
void setClientSNI(SSL *ssl, const char *fqdn)
Definition: support.cc:1070
const char * CommonHostName(X509 *x509)
Definition: gadgets.cc:969
BumpMode
Definition: support.h:126
@ bumpTerminate
Definition: support.h:126
@ bumpPeek
Definition: support.h:126
@ bumpClientFirst
Definition: support.h:126
@ bumpNone
Definition: support.h:126
@ bumpStare
Definition: support.h:126
@ bumpSplice
Definition: support.h:126
@ bumpBump
Definition: support.h:126
@ bumpServerFirst
Definition: support.h:126
@ PROTO_NONE
Definition: ProtocolType.h:24
bool IsConnOpen(const Comm::ConnectionPointer &conn)
Definition: Connection.cc:27
@ scForbidden
Definition: StatusCode.h:47
@ scInternalServerError
Definition: StatusCode.h:71
Network/connection security abstraction layer.
Definition: Connection.h:34
std::shared_ptr< SSL_CTX > ContextPointer
Definition: Context.h:29
std::shared_ptr< SSL > SessionPointer
Definition: Session.h:49
PeerOptions ProxyOutgoingConfig
configuration options for DIRECT server access
Definition: PeerOptions.cc:24
Definition: Xaction.cc:40
void * BIO_get_data(BIO *table)
Definition: openssl.h:62
static bool action(int fd, size_t metasize, const char *fn, const char *url, const SquidMetaList &meta)
Definition: purge.cc:315
void switchToTunnel(HttpRequest *request, const Comm::ConnectionPointer &clientConn, const Comm::ConnectionPointer &srvConn, const SBuf &preReadServerData)
Definition: tunnel.cc:1488

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors