helper.cc
Go to the documentation of this file.
1/*
2 * Copyright (C) 1996-2022 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9#include "squid.h"
10#include "../helper.h"
11#include "anyp/PortCfg.h"
12#include "cache_cf.h"
13#include "fs_io.h"
14#include "helper/Reply.h"
15#include "Parsing.h"
16#include "sbuf/Stream.h"
17#include "SquidConfig.h"
18#include "SquidString.h"
20#include "ssl/Config.h"
21#include "ssl/helper.h"
22#include "wordlist.h"
23
24#include <limits>
25
27
28#if USE_SSL_CRTD
29
30namespace Ssl {
31
34public:
35 GeneratorRequestor(HLPCB *aCallback, void *aData): callback(aCallback), data(aData) {}
38};
39
43
44public:
46 void emplace(HLPCB *callback, void *data) { requestors.emplace_back(callback, data); }
47
49
51 typedef std::vector<GeneratorRequestor> GeneratorRequestors;
53};
54
56typedef std::unordered_map<SBuf, GeneratorRequest*> GeneratorRequests;
57
58static void HandleGeneratorReply(void *data, const ::Helper::Reply &reply);
59
60} // namespace Ssl
61
62CBDATA_NAMESPACED_CLASS_INIT(Ssl, GeneratorRequest);
63
65static std::ostream &
66operator <<(std::ostream &os, const Ssl::GeneratorRequest &gr)
67{
68 return os << "crtGenRq" << gr.query.id.value << "/" << gr.requestors.size();
69}
70
73
75
77{
78 assert(ssl_crtd == nullptr);
79
80 // we need to start ssl_crtd only if some port(s) need to bump SSL *and* generate certificates
81 // TODO: generate host certificates for SNI enabled accel ports
82 bool found = false;
83 for (AnyP::PortCfgPointer s = HttpPortList; !found && s != nullptr; s = s->next)
84 found = s->flags.tunnelSslBumping && s->secure.generateHostCertificates;
85 if (!found)
86 return;
87
88 ssl_crtd = new helper("sslcrtd_program");
89 ssl_crtd->childs.updateLimits(Ssl::TheConfig.ssl_crtdChildren);
91 // The crtd messages may contain the eol ('\n') character. We are
92 // going to use the '\1' char as the end-of-message mark.
93 ssl_crtd->eom = '\1';
94 assert(ssl_crtd->cmdline == nullptr);
95 {
96 char *tmp = xstrdup(Ssl::TheConfig.ssl_crtd);
97 char *tmp_begin = tmp;
98 char *token = nullptr;
99 while ((token = strwordtok(nullptr, &tmp))) {
100 wordlistAdd(&ssl_crtd->cmdline, token);
101 }
102 safe_free(tmp_begin);
103 }
105}
106
108{
109 if (!ssl_crtd)
110 return;
111 helperShutdown(ssl_crtd);
112 wordlistDestroy(&ssl_crtd->cmdline);
113 delete ssl_crtd;
114 ssl_crtd = nullptr;
115}
116
117void
119{
120 Shutdown();
121 Init();
122}
123
124void Ssl::Helper::Submit(CrtdMessage const & message, HLPCB * callback, void * data)
125{
126 SBuf rawMessage(message.compose().c_str()); // XXX: helpers cannot use SBuf
127 rawMessage.append("\n", 1);
128
129 const auto pending = TheGeneratorRequests.find(rawMessage);
130 if (pending != TheGeneratorRequests.end()) {
131 pending->second->emplace(callback, data);
132 debugs(83, 5, "collapsed request from " << data << " onto " << *pending->second);
133 return;
134 }
135
137 request->query = rawMessage;
138 request->emplace(callback, data);
139 TheGeneratorRequests.emplace(request->query, request);
140 debugs(83, 5, "request from " << data << " as " << *request);
141 // ssl_crtd becomes nil if Squid is reconfigured without SslBump or
142 // certificate generation disabled in the new configuration
143 if (ssl_crtd && ssl_crtd->trySubmit(request->query.c_str(), HandleGeneratorReply, request))
144 return;
145
147 failReply.notes.add("message", "error 45 Temporary network problem, please retry later");
148 HandleGeneratorReply(request, failReply);
149}
150
152static void
153Ssl::HandleGeneratorReply(void *data, const ::Helper::Reply &reply)
154{
155 const std::unique_ptr<Ssl::GeneratorRequest> request(static_cast<Ssl::GeneratorRequest*>(data));
157 const auto erased = TheGeneratorRequests.erase(request->query);
158 assert(erased);
159
160 for (auto &requestor: request->requestors) {
161 if (void *cbdata = requestor.data.validDone()) {
162 debugs(83, 5, "to " << cbdata << " in " << *request);
163 requestor.callback(cbdata, reply);
164 }
165 }
166}
167#endif //USE_SSL_CRTD
168
170
172{
173 if (!Ssl::TheConfig.ssl_crt_validator)
174 return;
175
176 assert(ssl_crt_validator == nullptr);
177
178 // we need to start ssl_crtd only if some port(s) need to bump SSL
179 bool found = false;
180 for (AnyP::PortCfgPointer s = HttpPortList; !found && s != nullptr; s = s->next)
181 found = s->flags.tunnelSslBumping;
182 if (!found)
183 return;
184
185 ssl_crt_validator = new helper("ssl_crt_validator");
186 ssl_crt_validator->childs.updateLimits(Ssl::TheConfig.ssl_crt_validator_Children);
187 ssl_crt_validator->ipc_type = IPC_STREAM;
188 // The crtd messages may contain the eol ('\n') character. We are
189 // going to use the '\1' char as the end-of-message mark.
190 ssl_crt_validator->eom = '\1';
191 assert(ssl_crt_validator->cmdline == nullptr);
192
193 /* defaults */
194 int ttl = 3600; // 1 hour
195 size_t cache = 64*1024*1024; // 64 MB
196 {
197 // TODO: Do this during parseConfigFile() for proper parsing, error handling
198 char *tmp = xstrdup(Ssl::TheConfig.ssl_crt_validator);
199 char *tmp_begin = tmp;
200 char * token = nullptr;
201 bool parseParams = true;
202 while ((token = strwordtok(nullptr, &tmp))) {
203 if (parseParams) {
204 if (strcmp(token, "ttl=infinity") == 0) {
206 continue;
207 } else if (strncmp(token, "ttl=", 4) == 0) {
208 ttl = xatoi(token + 4);
209 if (ttl < 0) {
210 throw TextException(ToSBuf("Negative TTL in sslcrtvalidator_program ", Ssl::TheConfig.ssl_crt_validator,
211 Debug::Extra, "For unlimited TTL, use ttl=infinity"),
212 Here());
213 }
214 continue;
215 } else if (strncmp(token, "cache=", 6) == 0) {
216 cache = xatoi(token + 6);
217 continue;
218 } else
219 parseParams = false;
220 }
221 wordlistAdd(&ssl_crt_validator->cmdline, token);
222 }
223 xfree(tmp_begin);
224 }
225 helperOpenServers(ssl_crt_validator);
226
227 //WARNING: initializing static member in an object initialization method
228 assert(HelperCache == nullptr);
229 HelperCache = new CacheType(cache, ttl);
230}
231
233{
234 if (!ssl_crt_validator)
235 return;
236 helperShutdown(ssl_crt_validator);
237 wordlistDestroy(&ssl_crt_validator->cmdline);
238 delete ssl_crt_validator;
239 ssl_crt_validator = nullptr;
240
241 // CertValidationHelper::HelperCache is a static member, it is not good policy to
242 // reset it here. Will work because the current Ssl::CertValidationHelper is
243 // always the same static object.
244 delete HelperCache;
245 HelperCache = nullptr;
246}
247
248void
250{
251 Shutdown();
252 Init();
253}
254
256{
258
259public:
263};
265
266static void
267sslCrtvdHandleReplyWrapper(void *data, const ::Helper::Reply &reply)
268{
270
271 submitData *crtdvdData = static_cast<submitData *>(data);
272 assert(crtdvdData->ssl.get());
273 Ssl::CertValidationResponse::Pointer validationResponse = new Ssl::CertValidationResponse(crtdvdData->ssl);
274 if (reply.result == ::Helper::BrokenHelper) {
275 debugs(83, DBG_IMPORTANT, "ERROR: \"ssl_crtvd\" helper error response: " << reply.other().content());
276 validationResponse->resultCode = ::Helper::BrokenHelper;
277 } else if (!reply.other().hasContent()) {
278 debugs(83, DBG_IMPORTANT, "\"ssl_crtvd\" helper returned NULL response");
279 validationResponse->resultCode = ::Helper::BrokenHelper;
280 } else if (replyMsg.parse(reply.other().content(), reply.other().contentSize()) != Ssl::CrtdMessage::OK ||
281 !replyMsg.parseResponse(*validationResponse) ) {
282 debugs(83, DBG_IMPORTANT, "WARNING: Reply from ssl_crtvd for " << " is incorrect");
283 debugs(83, DBG_IMPORTANT, "ERROR: Certificate cannot be validated. ssl_crtvd response: " << replyMsg.getBody());
284 validationResponse->resultCode = ::Helper::BrokenHelper;
285 } else
286 validationResponse->resultCode = reply.result;
287
289 Must(dialer);
290 dialer->arg1 = validationResponse;
291 ScheduleCallHere(crtdvdData->callback);
292
294 (validationResponse->resultCode == ::Helper::Okay || validationResponse->resultCode == ::Helper::Error)) {
295 (void)Ssl::CertValidationHelper::HelperCache->add(crtdvdData->query, validationResponse);
296 }
297
298 delete crtdvdData;
299}
300
302{
305 message.composeRequest(request);
306 debugs(83, 5, "SSL crtvd request: " << message.compose().c_str());
307
308 submitData *crtdvdData = new submitData;
309 crtdvdData->query.assign(message.compose().c_str());
310 crtdvdData->query.append('\n');
311 crtdvdData->callback = callback;
312 crtdvdData->ssl = request.ssl;
313 Ssl::CertValidationResponse::Pointer const*validationResponse;
314
316 (validationResponse = CertValidationHelper::HelperCache->get(crtdvdData->query))) {
317
318 CertValidationHelper::CbDialer *dialer = dynamic_cast<CertValidationHelper::CbDialer*>(callback->getDialer());
319 Must(dialer);
320 dialer->arg1 = *validationResponse;
321 ScheduleCallHere(callback);
322 delete crtdvdData;
323 return;
324 }
325
326 // ssl_crt_validator becomes nil if Squid is reconfigured with cert
327 // validator disabled in the new configuration
328 if (ssl_crt_validator && ssl_crt_validator->trySubmit(crtdvdData->query.c_str(), sslCrtvdHandleReplyWrapper, crtdvdData))
329 return;
330
332 resp->resultCode = ::Helper::BrokenHelper;
334 Must(dialer);
335 dialer->arg1 = resp;
336 ScheduleCallHere(callback);
337 delete crtdvdData;
338 return;
339}
340
#define ScheduleCallHere(call)
Definition: AsyncCall.h:164
#define Here()
source code location of the caller
Definition: Here.h:15
int xatoi(const char *token)
Definition: Parsing.cc:44
AnyP::PortCfgPointer HttpPortList
list of Squid http(s)_port configured
Definition: PortCfg.cc:22
char * strwordtok(char *buf, char **t)
Definition: String.cc:393
#define Must(condition)
Definition: TextException.h:71
#define assert(EX)
Definition: assert.h:19
#define CBDATA_CLASS_INIT(type)
Definition: cbdata.h:318
#define CBDATA_CLASS(type)
Definition: cbdata.h:302
#define CBDATA_NAMESPACED_CLASS_INIT(namespace, type)
Definition: cbdata.h:326
virtual CallDialer * getDialer()=0
an old-style void* callback parameter
Definition: cbdata.h:377
Definition: ClpMap.h:41
static std::ostream & Extra(std::ostream &os)
prefixes each grouped debugs() line after the first one in the group
Definition: Stream.h:117
ChildConfig & updateLimits(const ChildConfig &rhs)
Definition: ChildConfig.cc:44
NotePairs notes
Definition: Reply.h:62
Value value
instance identifier
Definition: InstanceId.h:69
void add(const SBuf &key, const SBuf &value)
Definition: Notes.cc:312
Definition: SBuf.h:94
const char * c_str()
Definition: SBuf.cc:516
const InstanceId< SBuf > id
Definition: SBuf.h:604
SBuf & append(const SBuf &S)
Definition: SBuf.cc:185
SBuf & assign(const SBuf &S)
Definition: SBuf.cc:83
static CacheType * HelperCache
cache for cert validation helper
Definition: helper.h:58
static void Submit(Ssl::CertValidationRequest const &request, AsyncCall::Pointer &)
Submit crtd request message to external crtd server.
Definition: helper.cc:301
static void Shutdown()
Shutdown helper structure.
Definition: helper.cc:232
static helper * ssl_crt_validator
helper for management of ssl_crtd.
Definition: helper.h:55
static void Init()
Init helper structure.
Definition: helper.cc:171
static void Reconfigure()
Definition: helper.cc:249
void composeRequest(CertValidationRequest const &vcert)
bool parseResponse(CertValidationResponse &resp)
Parse a response message and fill the resp object with parsed information.
static const std::string code_cert_validate
String code for "cert_validate" messages.
void setCode(std::string const &aCode)
Set new request/reply code to compose.
std::string const & getBody() const
Current body. If parsing is not finished the method returns incompleted body.
ParseResult parse(const char *buffer, size_t len)
Definition: crtd_message.cc:23
std::string compose() const
A pending Ssl::Helper request, combining the original and collapsed queries.
Definition: helper.cc:41
void emplace(HLPCB *callback, void *data)
adds a GeneratorRequestor
Definition: helper.cc:46
GeneratorRequestors requestors
Definition: helper.cc:52
SBuf query
Ssl::Helper request message (GeneratorRequests key)
Definition: helper.cc:48
std::vector< GeneratorRequestor > GeneratorRequestors
Ssl::Helper request initiators waiting for the same answer (FIFO).
Definition: helper.cc:51
Initiator of an Ssl::Helper query.
Definition: helper.cc:33
GeneratorRequestor(HLPCB *aCallback, void *aData)
Definition: helper.cc:35
CallbackData data
Definition: helper.cc:37
static helper * ssl_crtd
helper for management of ssl_crtd.
Definition: helper.h:37
static void Submit(CrtdMessage const &message, HLPCB *callback, void *data)
Submit crtd message to external crtd server.
Definition: helper.cc:124
static void Init()
Init helper structure.
Definition: helper.cc:76
static void Reconfigure()
Definition: helper.cc:118
static void Shutdown()
Shutdown helper structure.
Definition: helper.cc:107
an std::runtime_error with thrower location info
Definition: TextException.h:21
Definition: cbdata.cc:60
void * data
Definition: cbdata.cc:122
Definition: helper.h:64
char eom
The char which marks the end of (response) message, normally ' '.
Definition: helper.h:122
wordlist * cmdline
Definition: helper.h:107
Helper::ChildConfig childs
Configuration settings for number running.
Definition: helper.h:111
int ipc_type
Definition: helper.h:112
SBuf query
Definition: helper.cc:260
Security::SessionPointer ssl
Definition: helper.cc:262
AsyncCall::Pointer callback
Definition: helper.cc:261
A const & max(A const &lhs, A const &rhs)
#define DBG_IMPORTANT
Definition: Stream.h:41
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Stream.h:196
#define IPC_STREAM
Definition: defines.h:106
void HLPCB(void *, const Helper::Reply &)
Definition: forward.h:27
void helperShutdown(helper *hlp)
Definition: helper.cc:740
void helperOpenServers(helper *hlp)
Definition: helper.cc:201
void Init(void)
prepares to parse ACLs configuration
Definition: AclRegs.cc:114
@ BrokenHelper
Definition: ResultCode.h:20
@ Error
Definition: ResultCode.h:19
@ Okay
Definition: ResultCode.h:18
std::shared_ptr< SSL > SessionPointer
Definition: Session.h:49
Definition: Xaction.cc:49
std::unordered_map< SBuf, GeneratorRequest * > GeneratorRequests
Ssl::Helper query:GeneratorRequest map.
Definition: helper.cc:56
Config TheConfig
Definition: Config.cc:12
static void HandleGeneratorReply(void *data, const ::Helper::Reply &reply)
receives helper response
Definition: helper.cc:153
#define xfree
#define xstrdup
SBuf ToSBuf(Args &&... args)
slowly stream-prints all arguments into a freshly allocated SBuf
Definition: Stream.h:63
static Ssl::GeneratorRequests TheGeneratorRequests
pending Ssl::Helper requests (to all certificate generator helpers combined)
Definition: helper.cc:72
static void sslCrtvdHandleReplyWrapper(void *data, const ::Helper::Reply &reply)
Definition: helper.cc:267
static std::ostream & operator<<(std::ostream &os, const Ssl::GeneratorRequest &gr)
prints Ssl::GeneratorRequest for debugging
Definition: helper.cc:66
struct _request * request(char *urlin)
Definition: tcp-banger2.c:291
const char * wordlistAdd(wordlist **list, const char *key)
Definition: wordlist.cc:25
void wordlistDestroy(wordlist **list)
destroy a wordlist
Definition: wordlist.cc:16
#define safe_free(x)
Definition: xalloc.h:73

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors