helper.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2022 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 #include "squid.h"
10 #include "../helper.h"
11 #include "anyp/PortCfg.h"
12 #include "cache_cf.h"
13 #include "fs_io.h"
14 #include "helper/Reply.h"
15 #include "Parsing.h"
16 #include "sbuf/Stream.h"
17 #include "SquidConfig.h"
18 #include "SquidString.h"
20 #include "ssl/Config.h"
21 #include "ssl/helper.h"
22 #include "wordlist.h"
23 
24 #include <limits>
25 
27 
28 #if USE_SSL_CRTD
29 
30 namespace Ssl {
31 
34 public:
35  GeneratorRequestor(HLPCB *aCallback, void *aData): callback(aCallback), data(aData) {}
38 };
39 
43 
44 public:
46  void emplace(HLPCB *callback, void *data) { requestors.emplace_back(callback, data); }
47 
49 
51  typedef std::vector<GeneratorRequestor> GeneratorRequestors;
53 };
54 
56 typedef std::unordered_map<SBuf, GeneratorRequest*> GeneratorRequests;
57 
58 static void HandleGeneratorReply(void *data, const ::Helper::Reply &reply);
59 
60 } // namespace Ssl
61 
62 CBDATA_NAMESPACED_CLASS_INIT(Ssl, GeneratorRequest);
63 
65 static std::ostream &
66 operator <<(std::ostream &os, const Ssl::GeneratorRequest &gr)
67 {
68  return os << "crtGenRq" << gr.query.id.value << "/" << gr.requestors.size();
69 }
70 
73 
74 helper *Ssl::Helper::ssl_crtd = nullptr;
75 
77 {
78  assert(ssl_crtd == NULL);
79 
80  // we need to start ssl_crtd only if some port(s) need to bump SSL *and* generate certificates
81  // TODO: generate host certificates for SNI enabled accel ports
82  bool found = false;
83  for (AnyP::PortCfgPointer s = HttpPortList; !found && s != NULL; s = s->next)
84  found = s->flags.tunnelSslBumping && s->secure.generateHostCertificates;
85  if (!found)
86  return;
87 
88  ssl_crtd = new helper("sslcrtd_program");
89  ssl_crtd->childs.updateLimits(Ssl::TheConfig.ssl_crtdChildren);
91  // The crtd messages may contain the eol ('\n') character. We are
92  // going to use the '\1' char as the end-of-message mark.
93  ssl_crtd->eom = '\1';
95  {
96  char *tmp = xstrdup(Ssl::TheConfig.ssl_crtd);
97  char *tmp_begin = tmp;
98  char *token = NULL;
99  while ((token = strwordtok(NULL, &tmp))) {
100  wordlistAdd(&ssl_crtd->cmdline, token);
101  }
102  safe_free(tmp_begin);
103  }
105 }
106 
108 {
109  if (!ssl_crtd)
110  return;
111  helperShutdown(ssl_crtd);
112  wordlistDestroy(&ssl_crtd->cmdline);
113  delete ssl_crtd;
114  ssl_crtd = NULL;
115 }
116 
117 void
119 {
120  Shutdown();
121  Init();
122 }
123 
124 void Ssl::Helper::Submit(CrtdMessage const & message, HLPCB * callback, void * data)
125 {
126  SBuf rawMessage(message.compose().c_str()); // XXX: helpers cannot use SBuf
127  rawMessage.append("\n", 1);
128 
129  const auto pending = TheGeneratorRequests.find(rawMessage);
130  if (pending != TheGeneratorRequests.end()) {
131  pending->second->emplace(callback, data);
132  debugs(83, 5, "collapsed request from " << data << " onto " << *pending->second);
133  return;
134  }
135 
137  request->query = rawMessage;
138  request->emplace(callback, data);
139  TheGeneratorRequests.emplace(request->query, request);
140  debugs(83, 5, "request from " << data << " as " << *request);
141  // ssl_crtd becomes nil if Squid is reconfigured without SslBump or
142  // certificate generation disabled in the new configuration
143  if (ssl_crtd && ssl_crtd->trySubmit(request->query.c_str(), HandleGeneratorReply, request))
144  return;
145 
147  failReply.notes.add("message", "error 45 Temporary network problem, please retry later");
148  HandleGeneratorReply(request, failReply);
149 }
150 
152 static void
153 Ssl::HandleGeneratorReply(void *data, const ::Helper::Reply &reply)
154 {
155  const std::unique_ptr<Ssl::GeneratorRequest> request(static_cast<Ssl::GeneratorRequest*>(data));
156  assert(request);
157  const auto erased = TheGeneratorRequests.erase(request->query);
158  assert(erased);
159 
160  for (auto &requestor: request->requestors) {
161  if (void *cbdata = requestor.data.validDone()) {
162  debugs(83, 5, "to " << cbdata << " in " << *request);
163  requestor.callback(cbdata, reply);
164  }
165  }
166 }
167 #endif //USE_SSL_CRTD
168 
170 
172 {
173  if (!Ssl::TheConfig.ssl_crt_validator)
174  return;
175 
176  assert(ssl_crt_validator == NULL);
177 
178  // we need to start ssl_crtd only if some port(s) need to bump SSL
179  bool found = false;
180  for (AnyP::PortCfgPointer s = HttpPortList; !found && s != NULL; s = s->next)
181  found = s->flags.tunnelSslBumping;
182  if (!found)
183  return;
184 
185  ssl_crt_validator = new helper("ssl_crt_validator");
186  ssl_crt_validator->childs.updateLimits(Ssl::TheConfig.ssl_crt_validator_Children);
187  ssl_crt_validator->ipc_type = IPC_STREAM;
188  // The crtd messages may contain the eol ('\n') character. We are
189  // going to use the '\1' char as the end-of-message mark.
190  ssl_crt_validator->eom = '\1';
191  assert(ssl_crt_validator->cmdline == NULL);
192 
193  /* defaults */
194  int ttl = 3600; // 1 hour
195  size_t cache = 64*1024*1024; // 64 MB
196  {
197  // TODO: Do this during parseConfigFile() for proper parsing, error handling
198  char *tmp = xstrdup(Ssl::TheConfig.ssl_crt_validator);
199  char *tmp_begin = tmp;
200  char * token = NULL;
201  bool parseParams = true;
202  while ((token = strwordtok(NULL, &tmp))) {
203  if (parseParams) {
204  if (strcmp(token, "ttl=infinity") == 0) {
206  continue;
207  } else if (strncmp(token, "ttl=", 4) == 0) {
208  ttl = xatoi(token + 4);
209  if (ttl < 0) {
210  throw TextException(ToSBuf("Negative TTL in sslcrtvalidator_program ", Ssl::TheConfig.ssl_crt_validator,
211  Debug::Extra, "For unlimited TTL, use ttl=infinity"),
212  Here());
213  }
214  continue;
215  } else if (strncmp(token, "cache=", 6) == 0) {
216  cache = xatoi(token + 6);
217  continue;
218  } else
219  parseParams = false;
220  }
221  wordlistAdd(&ssl_crt_validator->cmdline, token);
222  }
223  xfree(tmp_begin);
224  }
225  helperOpenServers(ssl_crt_validator);
226 
227  //WARNING: initializing static member in an object initialization method
228  assert(HelperCache == NULL);
229  HelperCache = new CacheType(cache, ttl);
230 }
231 
233 {
234  if (!ssl_crt_validator)
235  return;
236  helperShutdown(ssl_crt_validator);
237  wordlistDestroy(&ssl_crt_validator->cmdline);
238  delete ssl_crt_validator;
239  ssl_crt_validator = NULL;
240 
241  // CertValidationHelper::HelperCache is a static member, it is not good policy to
242  // reset it here. Will work because the current Ssl::CertValidationHelper is
243  // always the same static object.
244  delete HelperCache;
245  HelperCache = NULL;
246 }
247 
248 void
250 {
251  Shutdown();
252  Init();
253 }
254 
256 {
258 
259 public:
263 };
265 
266 static void
267 sslCrtvdHandleReplyWrapper(void *data, const ::Helper::Reply &reply)
268 {
270 
271  submitData *crtdvdData = static_cast<submitData *>(data);
272  assert(crtdvdData->ssl.get());
273  Ssl::CertValidationResponse::Pointer validationResponse = new Ssl::CertValidationResponse(crtdvdData->ssl);
274  if (reply.result == ::Helper::BrokenHelper) {
275  debugs(83, DBG_IMPORTANT, "ERROR: \"ssl_crtvd\" helper error response: " << reply.other().content());
276  validationResponse->resultCode = ::Helper::BrokenHelper;
277  } else if (!reply.other().hasContent()) {
278  debugs(83, DBG_IMPORTANT, "\"ssl_crtvd\" helper returned NULL response");
279  validationResponse->resultCode = ::Helper::BrokenHelper;
280  } else if (replyMsg.parse(reply.other().content(), reply.other().contentSize()) != Ssl::CrtdMessage::OK ||
281  !replyMsg.parseResponse(*validationResponse) ) {
282  debugs(83, DBG_IMPORTANT, "WARNING: Reply from ssl_crtvd for " << " is incorrect");
283  debugs(83, DBG_IMPORTANT, "ERROR: Certificate cannot be validated. ssl_crtvd response: " << replyMsg.getBody());
284  validationResponse->resultCode = ::Helper::BrokenHelper;
285  } else
286  validationResponse->resultCode = reply.result;
287 
289  Must(dialer);
290  dialer->arg1 = validationResponse;
291  ScheduleCallHere(crtdvdData->callback);
292 
294  (validationResponse->resultCode == ::Helper::Okay || validationResponse->resultCode == ::Helper::Error)) {
295  (void)Ssl::CertValidationHelper::HelperCache->add(crtdvdData->query, validationResponse);
296  }
297 
298  delete crtdvdData;
299 }
300 
302 {
305  message.composeRequest(request);
306  debugs(83, 5, "SSL crtvd request: " << message.compose().c_str());
307 
308  submitData *crtdvdData = new submitData;
309  crtdvdData->query.assign(message.compose().c_str());
310  crtdvdData->query.append('\n');
311  crtdvdData->callback = callback;
312  crtdvdData->ssl = request.ssl;
313  Ssl::CertValidationResponse::Pointer const*validationResponse;
314 
316  (validationResponse = CertValidationHelper::HelperCache->get(crtdvdData->query))) {
317 
318  CertValidationHelper::CbDialer *dialer = dynamic_cast<CertValidationHelper::CbDialer*>(callback->getDialer());
319  Must(dialer);
320  dialer->arg1 = *validationResponse;
321  ScheduleCallHere(callback);
322  delete crtdvdData;
323  return;
324  }
325 
326  // ssl_crt_validator becomes nil if Squid is reconfigured with cert
327  // validator disabled in the new configuration
328  if (ssl_crt_validator && ssl_crt_validator->trySubmit(crtdvdData->query.c_str(), sslCrtvdHandleReplyWrapper, crtdvdData))
329  return;
330 
332  resp->resultCode = ::Helper::BrokenHelper;
334  Must(dialer);
335  dialer->arg1 = resp;
336  ScheduleCallHere(callback);
337  delete crtdvdData;
338  return;
339 }
340 
an old-style void* callback parameter
Definition: cbdata.h:377
Value value
instance identifier
Definition: InstanceId.h:69
void helperOpenServers(helper *hlp)
Definition: helper.cc:201
Helper::ChildConfig childs
Configuration settings for number running.
Definition: helper.h:111
std::vector< GeneratorRequestor > GeneratorRequestors
Ssl::Helper request initiators waiting for the same answer (FIFO).
Definition: helper.cc:51
#define Here()
source code location of the caller
Definition: Here.h:15
void wordlistDestroy(wordlist **list)
destroy a wordlist
Definition: wordlist.cc:16
static void HandleGeneratorReply(void *data, const ::Helper::Reply &reply)
receives helper response
Definition: helper.cc:153
static Ssl::GeneratorRequests TheGeneratorRequests
pending Ssl::Helper requests (to all certificate generator helpers combined)
Definition: helper.cc:72
wordlist * cmdline
Definition: helper.h:107
SBuf & assign(const SBuf &S)
Definition: SBuf.cc:83
static std::ostream & Extra(std::ostream &os)
prefixes each grouped debugs() line after the first one in the group
Definition: Stream.h:117
@ Error
Definition: ResultCode.h:19
AnyP::PortCfgPointer HttpPortList
list of Squid http(s)_port configured
Definition: PortCfg.cc:22
Security::SessionPointer ssl
Definition: helper.cc:262
#define CBDATA_NAMESPACED_CLASS_INIT(namespace, type)
Definition: cbdata.h:326
static const std::string code_cert_validate
String code for "cert_validate" messages.
Initiator of an Ssl::Helper query.
Definition: helper.cc:33
void composeRequest(CertValidationRequest const &vcert)
GeneratorRequestors requestors
Definition: helper.cc:52
#define ScheduleCallHere(call)
Definition: AsyncCall.h:164
static void Submit(CrtdMessage const &message, HLPCB *callback, void *data)
Submit crtd message to external crtd server.
Definition: helper.cc:124
#define CBDATA_CLASS(type)
Definition: cbdata.h:302
int ipc_type
Definition: helper.h:112
Definition: SBuf.h:94
static void sslCrtvdHandleReplyWrapper(void *data, const ::Helper::Reply &reply)
Definition: helper.cc:267
static void Shutdown()
Shutdown helper structure.
Definition: helper.cc:232
#define xstrdup
virtual CallDialer * getDialer()=0
Definition: cbdata.cc:60
std::string const & getBody() const
Current body. If parsing is not finished the method returns incompleted body.
ChildConfig & updateLimits(const ChildConfig &rhs)
Definition: ChildConfig.cc:44
A const & max(A const &lhs, A const &rhs)
SBuf query
Ssl::Helper request message (GeneratorRequests key)
Definition: helper.cc:48
static void Reconfigure()
Definition: helper.cc:249
static void Init()
Init helper structure.
Definition: helper.cc:76
#define NULL
Definition: types.h:166
static void Init()
Init helper structure.
Definition: helper.cc:171
void * data
Definition: cbdata.cc:122
static void Shutdown()
Shutdown helper structure.
Definition: helper.cc:107
std::string compose() const
char * strwordtok(char *buf, char **t)
Definition: String.cc:393
Definition: helper.h:64
Definition: ClpMap.h:41
Definition: Xaction.cc:48
NotePairs notes
Definition: Reply.h:62
int xatoi(const char *token)
Definition: Parsing.cc:44
static helper * ssl_crtd
helper for management of ssl_crtd.
Definition: helper.h:37
#define safe_free(x)
Definition: xalloc.h:73
static std::ostream & operator<<(std::ostream &os, const Ssl::GeneratorRequest &gr)
prints Ssl::GeneratorRequest for debugging
Definition: helper.cc:66
Config TheConfig
Definition: Config.cc:12
#define assert(EX)
Definition: assert.h:19
@ Okay
Definition: ResultCode.h:18
void helperShutdown(helper *hlp)
Definition: helper.cc:740
static void Reconfigure()
Definition: helper.cc:118
const char * c_str()
Definition: SBuf.cc:516
#define CBDATA_CLASS_INIT(type)
Definition: cbdata.h:318
SBuf & append(const SBuf &S)
Definition: SBuf.cc:185
#define xfree
void setCode(std::string const &aCode)
Set new request/reply code to compose.
bool parseResponse(CertValidationResponse &resp)
Parse a response message and fill the resp object with parsed information.
std::shared_ptr< SSL > SessionPointer
Definition: Session.h:49
ParseResult parse(const char *buffer, size_t len)
Definition: crtd_message.cc:23
CallbackData data
Definition: helper.cc:37
SBuf query
Definition: helper.cc:257
an std::runtime_error with thrower location info
Definition: TextException.h:21
SBuf ToSBuf(Args &&... args)
slowly stream-prints all arguments into a freshly allocated SBuf
Definition: Stream.h:63
#define Must(condition)
Definition: TextException.h:71
A pending Ssl::Helper request, combining the original and collapsed queries.
Definition: helper.cc:41
#define DBG_IMPORTANT
Definition: Stream.h:41
static void Submit(Ssl::CertValidationRequest const &request, AsyncCall::Pointer &)
Submit crtd request message to external crtd server.
Definition: helper.cc:301
void add(const SBuf &key, const SBuf &value)
Definition: Notes.cc:312
@ BrokenHelper
Definition: ResultCode.h:20
GeneratorRequestor(HLPCB *aCallback, void *aData)
Definition: helper.cc:35
AsyncCall::Pointer callback
Definition: helper.cc:261
std::unordered_map< SBuf, GeneratorRequest * > GeneratorRequests
Ssl::Helper query:GeneratorRequest map.
Definition: helper.cc:56
void HLPCB(void *, const Helper::Reply &)
Definition: forward.h:27
static CacheType * HelperCache
cache for cert validation helper
Definition: helper.h:58
const char * wordlistAdd(wordlist **list, const char *key)
Definition: wordlist.cc:25
const InstanceId< SBuf > id
Definition: SBuf.h:604
#define IPC_STREAM
Definition: defines.h:108
struct _request * request(char *urlin)
Definition: tcp-banger2.c:291
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Stream.h:196
void Init(void)
prepares to parse ACLs configuration
Definition: AclRegs.cc:114
static helper * ssl_crt_validator
helper for management of ssl_crtd.
Definition: helper.h:55
char eom
The char which marks the end of (response) message, normally ' '.
Definition: helper.h:122
void emplace(HLPCB *callback, void *data)
adds a GeneratorRequestor
Definition: helper.cc:46

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors