helper.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2020 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 #include "squid.h"
10 #include "../helper.h"
11 #include "anyp/PortCfg.h"
12 #include "cache_cf.h"
13 #include "fs_io.h"
14 #include "helper/Reply.h"
15 #include "Parsing.h"
16 #include "SquidConfig.h"
17 #include "SquidString.h"
18 #include "SquidTime.h"
19 #include "sbuf/Stream.h"
21 #include "ssl/Config.h"
22 #include "ssl/helper.h"
23 #include "wordlist.h"
24 
26 
27 #if USE_SSL_CRTD
28 
29 namespace Ssl {
30 
33 public:
34  GeneratorRequestor(HLPCB *aCallback, void *aData): callback(aCallback), data(aData) {}
37 };
38 
42 
43 public:
45  void emplace(HLPCB *callback, void *data) { requestors.emplace_back(callback, data); }
46 
48 
50  typedef std::vector<GeneratorRequestor> GeneratorRequestors;
52 };
53 
55 typedef std::unordered_map<SBuf, GeneratorRequest*> GeneratorRequests;
56 
57 static void HandleGeneratorReply(void *data, const ::Helper::Reply &reply);
58 
59 } // namespace Ssl
60 
61 CBDATA_NAMESPACED_CLASS_INIT(Ssl, GeneratorRequest);
62 
64 static std::ostream &
65 operator <<(std::ostream &os, const Ssl::GeneratorRequest &gr)
66 {
67  return os << "crtGenRq" << gr.query.id.value << "/" << gr.requestors.size();
68 }
69 
72 
73 helper *Ssl::Helper::ssl_crtd = nullptr;
74 
76 {
77  assert(ssl_crtd == NULL);
78 
79  // we need to start ssl_crtd only if some port(s) need to bump SSL *and* generate certificates
80  // TODO: generate host certificates for SNI enabled accel ports
81  bool found = false;
82  for (AnyP::PortCfgPointer s = HttpPortList; !found && s != NULL; s = s->next)
83  found = s->flags.tunnelSslBumping && s->secure.generateHostCertificates;
84  if (!found)
85  return;
86 
88  ssl_crtd->childs.updateLimits(Ssl::TheConfig.ssl_crtdChildren);
90  // The crtd messages may contain the eol ('\n') character. We are
91  // going to use the '\1' char as the end-of-message mark.
92  ssl_crtd->eom = '\1';
94  {
95  char *tmp = xstrdup(Ssl::TheConfig.ssl_crtd);
96  char *tmp_begin = tmp;
97  char *token = NULL;
98  while ((token = strwordtok(NULL, &tmp))) {
99  wordlistAdd(&ssl_crtd->cmdline, token);
100  }
101  safe_free(tmp_begin);
102  }
104 }
105 
107 {
108  if (!ssl_crtd)
109  return;
110  helperShutdown(ssl_crtd);
111  wordlistDestroy(&ssl_crtd->cmdline);
112  delete ssl_crtd;
113  ssl_crtd = NULL;
114 }
115 
116 void
118 {
119  Shutdown();
120  Init();
121 }
122 
123 void Ssl::Helper::Submit(CrtdMessage const & message, HLPCB * callback, void * data)
124 {
125  SBuf rawMessage(message.compose().c_str()); // XXX: helpers cannot use SBuf
126  rawMessage.append("\n", 1);
127 
128  const auto pending = TheGeneratorRequests.find(rawMessage);
129  if (pending != TheGeneratorRequests.end()) {
130  pending->second->emplace(callback, data);
131  debugs(83, 5, "collapsed request from " << data << " onto " << *pending->second);
132  return;
133  }
134 
136  request->query = rawMessage;
137  request->emplace(callback, data);
138  TheGeneratorRequests.emplace(request->query, request);
139  debugs(83, 5, "request from " << data << " as " << *request);
140  // ssl_crtd becomes nil if Squid is reconfigured without SslBump or
141  // certificate generation disabled in the new configuration
142  if (ssl_crtd && ssl_crtd->trySubmit(request->query.c_str(), HandleGeneratorReply, request))
143  return;
144 
146  failReply.notes.add("message", "error 45 Temporary network problem, please retry later");
147  HandleGeneratorReply(request, failReply);
148 }
149 
151 static void
152 Ssl::HandleGeneratorReply(void *data, const ::Helper::Reply &reply)
153 {
154  const std::unique_ptr<Ssl::GeneratorRequest> request(static_cast<Ssl::GeneratorRequest*>(data));
155  assert(request);
156  const auto erased = TheGeneratorRequests.erase(request->query);
157  assert(erased);
158 
159  for (auto &requestor: request->requestors) {
160  if (void *cbdata = requestor.data.validDone()) {
161  debugs(83, 5, "to " << cbdata << " in " << *request);
162  requestor.callback(cbdata, reply);
163  }
164  }
165 }
166 #endif //USE_SSL_CRTD
167 
169 
171 {
172  if (!Ssl::TheConfig.ssl_crt_validator)
173  return;
174 
175  assert(ssl_crt_validator == NULL);
176 
177  // we need to start ssl_crtd only if some port(s) need to bump SSL
178  bool found = false;
179  for (AnyP::PortCfgPointer s = HttpPortList; !found && s != NULL; s = s->next)
180  found = s->flags.tunnelSslBumping;
181  if (!found)
182  return;
183 
184  ssl_crt_validator = new helper("ssl_crt_validator");
185  ssl_crt_validator->childs.updateLimits(Ssl::TheConfig.ssl_crt_validator_Children);
186  ssl_crt_validator->ipc_type = IPC_STREAM;
187  // The crtd messages may contain the eol ('\n') character. We are
188  // going to use the '\1' char as the end-of-message mark.
189  ssl_crt_validator->eom = '\1';
190  assert(ssl_crt_validator->cmdline == NULL);
191 
192  /* defaults */
193  int ttl = 3600; // 1 hour
194  size_t cache = 64*1024*1024; // 64 MB
195  {
196  // TODO: Do this during parseConfigFile() for proper parsing, error handling
197  char *tmp = xstrdup(Ssl::TheConfig.ssl_crt_validator);
198  char *tmp_begin = tmp;
199  char * token = NULL;
200  bool parseParams = true;
201  while ((token = strwordtok(NULL, &tmp))) {
202  if (parseParams) {
203  if (strcmp(token, "ttl=infinity") == 0) {
205  continue;
206  } else if (strncmp(token, "ttl=", 4) == 0) {
207  ttl = xatoi(token + 4);
208  if (ttl < 0) {
209  throw TextException(ToSBuf("Negative TTL in sslcrtvalidator_program ", Ssl::TheConfig.ssl_crt_validator,
210  Debug::Extra, "For unlimited TTL, use ttl=infinity"),
211  Here());
212  }
213  continue;
214  } else if (strncmp(token, "cache=", 6) == 0) {
215  cache = xatoi(token + 6);
216  continue;
217  } else
218  parseParams = false;
219  }
220  wordlistAdd(&ssl_crt_validator->cmdline, token);
221  }
222  xfree(tmp_begin);
223  }
224  helperOpenServers(ssl_crt_validator);
225 
226  //WARNING: initializing static member in an object initialization method
227  assert(HelperCache == NULL);
228  HelperCache = new CacheType(cache, ttl);
229 }
230 
232 {
233  if (!ssl_crt_validator)
234  return;
235  helperShutdown(ssl_crt_validator);
236  wordlistDestroy(&ssl_crt_validator->cmdline);
237  delete ssl_crt_validator;
238  ssl_crt_validator = NULL;
239 
240  // CertValidationHelper::HelperCache is a static member, it is not good policy to
241  // reset it here. Will work because the current Ssl::CertValidationHelper is
242  // always the same static object.
243  delete HelperCache;
244  HelperCache = NULL;
245 }
246 
247 void
249 {
250  Shutdown();
251  Init();
252 }
253 
255 {
257 
258 public:
259  SBuf query;
262 };
264 
265 static void
266 sslCrtvdHandleReplyWrapper(void *data, const ::Helper::Reply &reply)
267 {
269  std::string error;
270 
271  submitData *crtdvdData = static_cast<submitData *>(data);
272  assert(crtdvdData->ssl.get());
273  Ssl::CertValidationResponse::Pointer validationResponse = new Ssl::CertValidationResponse(crtdvdData->ssl);
274  if (reply.result == ::Helper::BrokenHelper) {
275  debugs(83, DBG_IMPORTANT, "\"ssl_crtvd\" helper error response: " << reply.other().content());
276  validationResponse->resultCode = ::Helper::BrokenHelper;
277  } else if (!reply.other().hasContent()) {
278  debugs(83, DBG_IMPORTANT, "\"ssl_crtvd\" helper returned NULL response");
279  validationResponse->resultCode = ::Helper::BrokenHelper;
280  } else if (replyMsg.parse(reply.other().content(), reply.other().contentSize()) != Ssl::CrtdMessage::OK ||
281  !replyMsg.parseResponse(*validationResponse, error) ) {
282  debugs(83, DBG_IMPORTANT, "WARNING: Reply from ssl_crtvd for " << " is incorrect");
283  debugs(83, DBG_IMPORTANT, "Certificate cannot be validated. ssl_crtvd response: " << replyMsg.getBody());
284  validationResponse->resultCode = ::Helper::BrokenHelper;
285  } else
286  validationResponse->resultCode = reply.result;
287 
289  Must(dialer);
290  dialer->arg1 = validationResponse;
291  ScheduleCallHere(crtdvdData->callback);
292 
294  (validationResponse->resultCode == ::Helper::Okay || validationResponse->resultCode == ::Helper::Error)) {
295  (void)Ssl::CertValidationHelper::HelperCache->add(crtdvdData->query, validationResponse);
296  }
297 
298  delete crtdvdData;
299 }
300 
302 {
305  message.composeRequest(request);
306  debugs(83, 5, "SSL crtvd request: " << message.compose().c_str());
307 
308  submitData *crtdvdData = new submitData;
309  crtdvdData->query.assign(message.compose().c_str());
310  crtdvdData->query.append('\n');
311  crtdvdData->callback = callback;
312  crtdvdData->ssl = request.ssl;
313  Ssl::CertValidationResponse::Pointer const*validationResponse;
314 
316  (validationResponse = CertValidationHelper::HelperCache->get(crtdvdData->query))) {
317 
318  CertValidationHelper::CbDialer *dialer = dynamic_cast<CertValidationHelper::CbDialer*>(callback->getDialer());
319  Must(dialer);
320  dialer->arg1 = *validationResponse;
322  delete crtdvdData;
323  return;
324  }
325 
326  // ssl_crt_validator becomes nil if Squid is reconfigured with cert
327  // validator disabled in the new configuration
328  if (ssl_crt_validator && ssl_crt_validator->trySubmit(crtdvdData->query.c_str(), sslCrtvdHandleReplyWrapper, crtdvdData))
329  return;
330 
332  resp->resultCode = ::Helper::BrokenHelper;
334  Must(dialer);
335  dialer->arg1 = resp;
337  delete crtdvdData;
338  return;
339 }
340 
an old-style void* callback parameter
Definition: cbdata.h:376
Value value
instance identifier
Definition: InstanceId.h:69
void helperOpenServers(helper *hlp)
Definition: helper.cc:215
Helper::ChildConfig childs
configuration settings for number running
Definition: helper.h:99
std::vector< GeneratorRequestor > GeneratorRequestors
Ssl::Helper request initiators waiting for the same answer (FIFO).
Definition: helper.cc:50
#define Here()
source code location of the caller
Definition: Here.h:15
void wordlistDestroy(wordlist **list)
destroy a wordlist
Definition: wordlist.cc:16
static void HandleGeneratorReply(void *data, const ::Helper::Reply &reply)
receives helper response
Definition: helper.cc:152
static Ssl::GeneratorRequests TheGeneratorRequests
pending Ssl::Helper requests (to all certificate generator helpers combined)
Definition: helper.cc:71
wordlist * cmdline
Definition: helper.h:95
SBuf & assign(const SBuf &S)
Definition: SBuf.cc:83
static std::ostream & Extra(std::ostream &os)
prefixes each grouped debugs() line after the first one in the group
Definition: Debug.h:104
@ Error
Definition: ResultCode.h:19
AnyP::PortCfgPointer HttpPortList
list of Squid http(s)_port configured
Definition: PortCfg.cc:21
Security::SessionPointer ssl
Definition: helper.cc:261
#define CBDATA_NAMESPACED_CLASS_INIT(namespace, type)
Definition: cbdata.h:326
static const std::string code_cert_validate
String code for "cert_validate" messages.
Initiator of an Ssl::Helper query.
Definition: helper.cc:32
void composeRequest(CertValidationRequest const &vcert)
GeneratorRequestors requestors
Definition: helper.cc:51
#define ScheduleCallHere(call)
Definition: AsyncCall.h:166
void error(char *format,...)
static void Submit(CrtdMessage const &message, HLPCB *callback, void *data)
Submit crtd message to external crtd server.
Definition: helper.cc:123
#define CBDATA_CLASS(type)
Definition: cbdata.h:302
int ipc_type
Definition: helper.h:100
Definition: SBuf.h:86
static void sslCrtvdHandleReplyWrapper(void *data, const ::Helper::Reply &reply)
Definition: helper.cc:266
static void Shutdown()
Shutdown helper structure.
Definition: helper.cc:231
#define xstrdup
const A & max(A const &lhs, A const &rhs)
virtual CallDialer * getDialer()=0
Definition: cbdata.cc:60
ChildConfig & updateLimits(const ChildConfig &rhs)
Definition: ChildConfig.cc:44
#define DBG_IMPORTANT
Definition: Debug.h:46
SBuf query
Ssl::Helper request message (GeneratorRequests key)
Definition: helper.cc:47
static void Reconfigure()
Definition: helper.cc:248
static void Init()
Init helper structure.
Definition: helper.cc:75
#define NULL
Definition: types.h:166
static void Init()
Init helper structure.
Definition: helper.cc:170
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Debug.h:128
void * data
Definition: cbdata.cc:123
static void Shutdown()
Shutdown helper structure.
Definition: helper.cc:106
std::string compose() const
char * strwordtok(char *buf, char **t)
Definition: String.cc:407
Definition: helper.h:65
Definition: ClpMap.h:40
Definition: Xaction.cc:47
NotePairs notes
Definition: Reply.h:62
void const char HLPCB void * data
Definition: stub_helper.cc:16
int xatoi(const char *token)
Definition: Parsing.cc:43
static helper * ssl_crtd
helper for management of ssl_crtd.
Definition: helper.h:37
#define safe_free(x)
Definition: xalloc.h:73
static std::ostream & operator<<(std::ostream &os, const Ssl::GeneratorRequest &gr)
prints Ssl::GeneratorRequest for debugging
Definition: helper.cc:65
Config TheConfig
Definition: Config.cc:12
#define assert(EX)
Definition: assert.h:19
@ Okay
Definition: ResultCode.h:18
void helperShutdown(helper *hlp)
Definition: helper.cc:725
static void Reconfigure()
Definition: helper.cc:117
const char * c_str()
Definition: SBuf.cc:526
#define CBDATA_CLASS_INIT(type)
Definition: cbdata.h:318
SBuf & append(const SBuf &S)
Definition: SBuf.cc:195
#define xfree
void setCode(std::string const &aCode)
Set new request/reply code to compose.
std::shared_ptr< SSL > SessionPointer
Definition: Session.h:44
ParseResult parse(const char *buffer, size_t len)
Definition: crtd_message.cc:21
CallbackData data
Definition: helper.cc:36
SBuf query
Definition: helper.cc:256
an std::runtime_error with thrower location info
Definition: TextException.h:19
SBuf ToSBuf(Args &&... args)
slowly stream-prints all arguments into a freshly allocated SBuf
Definition: Stream.h:124
#define Must(condition)
Like assert() but throws an exception instead of aborting the process.
Definition: TextException.h:69
A pending Ssl::Helper request, combining the original and collapsed queries.
Definition: helper.cc:40
void const char HLPCB * callback
Definition: stub_helper.cc:16
static void Submit(Ssl::CertValidationRequest const &request, AsyncCall::Pointer &)
Submit crtd request message to external crtd server.
Definition: helper.cc:301
void add(const SBuf &key, const SBuf &value)
Definition: Notes.cc:312
@ BrokenHelper
Definition: ResultCode.h:20
GeneratorRequestor(HLPCB *aCallback, void *aData)
Definition: helper.cc:34
AsyncCall::Pointer callback
Definition: helper.cc:260
std::unordered_map< SBuf, GeneratorRequest * > GeneratorRequests
Ssl::Helper query:GeneratorRequest map.
Definition: helper.cc:55
void HLPCB(void *, const Helper::Reply &)
Definition: forward.h:27
static CacheType * HelperCache
cache for cert validation helper
Definition: helper.h:58
const char * wordlistAdd(wordlist **list, const char *key)
Definition: wordlist.cc:25
const InstanceId< SBuf > id
Definition: SBuf.h:593
#define IPC_STREAM
Definition: defines.h:161
struct _request * request(char *urlin)
Definition: tcp-banger2.c:291
void Init(void)
prepares to parse ACLs configuration
Definition: AclRegs.cc:114
static helper * ssl_crt_validator
helper for management of ssl_crtd.
Definition: helper.h:55
char eom
the char which marks the end of (response) message
Definition: helper.h:110
void emplace(HLPCB *callback, void *data)
adds a GeneratorRequestor
Definition: helper.cc:45
bool parseResponse(CertValidationResponse &resp, std::string &error)
Parse a response message and fill the resp object with parsed information.
const std::string & getBody() const
Current body. If parsing is not finished the method returns incompleted body.

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors