--------------------- PatchSet 6204 Date: 2004/04/18 00:09:07 Author: hno Branch: ssl-2_5 Tag: (none) Log: SSL update - sslcontext parameter, for controlling the SSL Session cache context ID - cleanup of error reporting - POST related bugfix where sessions could be randomly terminated due to misunderstanding of error reporting from SSL_read/write. - optimized export ciphers by not regenerating temporary keys on each connection - added debug output of session information and temporary keys to allow easier tracing of SSL related problems. Members: src/defines.h:1.15.6.3->1.15.6.3.2.1 src/forward.c:1.13.6.1.8.11->1.13.6.1.8.12 src/ssl_support.c:1.6.6.1.2.7->1.6.6.1.2.8 src/ssl_support.h:1.5.44.3->1.5.44.4 src/structs.h:1.48.2.8.2.15->1.48.2.8.2.16 src/typedefs.h:1.25.6.1.2.4->1.25.6.1.2.5 Index: squid/src/defines.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/defines.h,v retrieving revision 1.15.6.3 retrieving revision 1.15.6.3.2.1 diff -u -r1.15.6.3 -r1.15.6.3.2.1 --- squid/src/defines.h 8 Aug 2002 20:18:40 -0000 1.15.6.3 +++ squid/src/defines.h 18 Apr 2004 00:09:07 -0000 1.15.6.3.2.1 @@ -1,6 +1,6 @@ /* - * $Id: defines.h,v 1.15.6.3 2002/08/08 20:18:40 squidadm Exp $ + * $Id: defines.h,v 1.15.6.3.2.1 2004/04/18 00:09:07 hno Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ 
@@ -75,8 +75,10 @@ #define COMM_NOCLOEXEC 0x02 #define COMM_REUSEADDR 0x04 +#define do_debug(SECTION, LEVEL) \ + ((_db_level = (LEVEL)) <= debugLevels[SECTION]) #define debug(SECTION, LEVEL) \ - ((_db_level = (LEVEL)) > debugLevels[SECTION]) ? (void) 0 : _db_print + !do_debug(SECTION, LEVEL) ? (void) 0 : _db_print #define safe_free(x) if (x) { xxfree(x); x = NULL; } Index: squid/src/forward.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/forward.c,v retrieving revision 1.13.6.1.8.11 retrieving revision 1.13.6.1.8.12 diff -u -r1.13.6.1.8.11 -r1.13.6.1.8.12 --- squid/src/forward.c 26 Mar 2004 09:15:39 -0000 1.13.6.1.8.11 +++ squid/src/forward.c 18 Apr 2004 00:09:07 -0000 1.13.6.1.8.12 @@ -1,6 +1,6 @@ /* - * $Id: forward.c,v 1.13.6.1.8.11 2004/03/26 09:15:39 hno Exp $ + * $Id: forward.c,v 1.13.6.1.8.12 2004/04/18 00:09:07 hno Exp $ * * DEBUG: section 17 Request Forwarding * AUTHOR: Duane Wessels @@ -233,7 +233,7 @@ commSetSelect(fd, COMM_SELECT_WRITE, fwdNegotiateSSL, fwdState, 0); return; default: - debug(81, 1) ("fwdNegotiateSSL: Error negotiating SSL connection on FD %d: %s (%d/%d)\n", fd, ERR_error_string(ERR_get_error(), NULL), ssl_error, ret); + debug(81, 1) ("fwdNegotiateSSL: Error negotiating SSL connection on FD %d: %s (%d/%d/%d)\n", fd, ERR_error_string(ERR_get_error(), NULL), ssl_error, ret, errno); err = errorCon(ERR_CONNECT_FAIL, HTTP_SERVICE_UNAVAILABLE); #ifdef EPROTO err->xerrno = EPROTO; Index: squid/src/ssl_support.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/ssl_support.c,v retrieving revision 1.6.6.1.2.7 retrieving revision 1.6.6.1.2.8 diff -u -r1.6.6.1.2.7 -r1.6.6.1.2.8 --- squid/src/ssl_support.c 29 Dec 2003 10:42:34 -0000 1.6.6.1.2.7 +++ squid/src/ssl_support.c 18 Apr 2004 00:09:08 -0000 1.6.6.1.2.8 
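Review bot: The new `do_debug()` macro is not a pure predicate: it assigns the global `_db_level` as a side effect, and the rewritten `debug()` relies on that assignment having just happened when `_db_print` runs, so a caller that tests `do_debug(83, 5)` and then calls `debug(83, 1)` (as ssl_temp_rsa_cb does in this patchset) has `_db_level` rewritten in between and is correct only because every `debug()` re-sets it. A one-line comment above the macro should say so: `/* do_debug() also records LEVEL in _db_level, which _db_print presumably reads; debug() depends on that ordering */`. Also parenthesise the section argument to match `(LEVEL)`: `((_db_level = (LEVEL)) <= debugLevels[(SECTION)])`.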
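Review bot: On the changed `debug(81, 1)` line in fwdNegotiateSSL, `errno` is read in the same argument list as `ERR_error_string(ERR_get_error(), NULL)`, and C leaves the evaluation order of arguments unspecified, so the value logged may be whatever those library calls left in `errno` rather than the error from the failed SSL operation that produced `ret`. Capture it first, `int xerrno = errno;`, ideally right after the SSL call (which is above this hunk), and pass `xerrno` to the debug line. The same `strerror(errno), errno` argument pattern recurs in the new read and write error lines in ssl_support.c.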
@@ -44,10 +44,42 @@ static RSA * ssl_temp_rsa_cb(SSL * ssl, int export, int keylen) { - static RSA *rsa = NULL; + static RSA *rsa_512 = NULL; + static RSA *rsa_1024 = NULL; + RSA *rsa = NULL; + int newkey = 0; + + switch (keylen) { + case 512: + if (!rsa_512) { + rsa_512 = RSA_generate_key(512, RSA_F4, NULL, NULL); + newkey = 1; + } + rsa = rsa_512; + break; + case 1024: + if (!rsa_1024) { + rsa_1024 = RSA_generate_key(1024, RSA_F4, NULL, NULL); + newkey = 1; + } + rsa = rsa_1024; + break; + default: + debug(83,1)("ssl_temp_rsa_cb: Unexpected key length %d\n", keylen); + return NULL; + } + + if (rsa == NULL) { + debug(83,1)("ssl_temp_rsa_cb: Failed to generate key %d\n", keylen); + return NULL; + } + + if (newkey) { + if (do_debug(83, 5)) + PEM_write_RSAPrivateKey(debug_log, rsa, NULL, NULL, 0, NULL, NULL); + debug(83,1)("Generated ephemeral RSA key of length %d\n", keylen); + } - if (rsa == NULL) - rsa = RSA_generate_key(512, RSA_F4, NULL, NULL); return rsa; } @@ -372,7 +404,7 @@ } SSL_CTX * -sslCreateServerContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *clientCA, const char *CAfile, const char *CApath, const char *dhfile) +sslCreateServerContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *clientCA, const char *CAfile, const char *CApath, const char *dhfile, const char *context) { int ssl_error; SSL_METHOD *method; @@ -417,6 +449,10 @@ } SSL_CTX_set_options(sslContext, ssl_parse_options(options)); + if (context && *context) { + SSL_CTX_set_session_id_context(sslContext, context, strlen(context)); + } + if (Config.SSL.unclean_shutdown) { debug(83, 5) ("Enabling quiet SSL shutdowns (RFC violation).\n"); SSL_CTX_set_quiet_shutdown(sslContext, 1); 
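Review bot: `PEM_write_RSAPrivateKey(debug_log, rsa, NULL, NULL, 0, NULL, NULL)` writes the unencrypted private half of the ephemeral RSA key into the debug log whenever section 83 runs at level 5, and because `rsa_512`/`rsa_1024` are now generated once and kept for the life of the process, a single dump covers every export-cipher session that later uses that key; cache.log is typically readable far more widely than a key file, so this is a real disclosure risk for a key that is meant to be temporary. If the dump must stay, document it directly above the `if (do_debug(83, 5))` line: `/* debug 83,5 dumps the ephemeral PRIVATE key in clear; never enable on a production instance */`. A short comment on the two statics should also state that the keys are generated on first use and, within this function, never rotated or freed.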
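Review bot: The return value of `SSL_CTX_set_session_id_context()` is ignored in the new `if (context && *context)` block; OpenSSL rejects a context longer than `SSL_MAX_SID_CTX_LENGTH` (32 bytes) and returns 0, so an over-long `sslcontext` value silently leaves the server without the session-cache isolation the option exists to provide. Check it and report, e.g. `if (!SSL_CTX_set_session_id_context(sslContext, (const unsigned char *) context, strlen(context))) debug(83, 1) ("sslCreateServerContext: session id context '%s' rejected (max %d bytes)\n", context, SSL_MAX_SID_CTX_LENGTH);` and then take whatever error path the rest of sslCreateServerContext uses (its body extends outside this hunk). The cast also removes the `char *` versus `unsigned char *` mismatch on the second argument.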
@@ -615,15 +651,23 @@ char *buf; int len; { + SSL *ssl = fd_table[fd].ssl; int i; - i = SSL_read(fd_table[fd].ssl, buf, len); +#if DONT_DO_THIS + if (!SSL_is_init_finished(ssl)) { + errno = ENOTCONN; + return -1; + } +#endif + + i = SSL_read(ssl, buf, len); - if (i > 0 && SSL_pending(fd_table[fd].ssl) > 0) { + if (i > 0 && SSL_pending(ssl) > 0) { debug(83, 2) ("SSL fd %d is pending\n", fd); fd_table[fd].read_pending = COMM_PENDING_NOW; } else if (i <= 0) { - int err = SSL_get_error(fd_table[fd].ssl, i); + int err = SSL_get_error(ssl, i); switch (err) { case SSL_ERROR_NONE: case SSL_ERROR_ZERO_RETURN: @@ -638,8 +682,17 @@ i = -1; errno = EAGAIN; break; + case SSL_ERROR_SYSCALL: + if (i == 0) + break; + if (errno == ECONNRESET) + break; + debug (83, 1) ("SSL fd %d read error %s (%d)\n", fd, strerror(errno), errno); + break; + default: - i = -1; + debug (83, 2) ("SSL fd %d read error %s (%d/%d)\n", fd, ERR_error_string(ERR_get_error(), NULL), i, err); + i = 0; break; } } @@ -652,12 +705,18 @@ const char *buf; int len; { + SSL *ssl = fd_table[fd].ssl; int i; - i = SSL_write(fd_table[fd].ssl, buf, len); + if (!SSL_is_init_finished(ssl)) { + errno = ENOTCONN; + return -1; + } + + i = SSL_write(ssl, buf, len); if (i <= 0) { - int err = SSL_get_error(fd_table[fd].ssl, i); + int err = SSL_get_error(ssl, i); switch (err) { case SSL_ERROR_NONE: case SSL_ERROR_ZERO_RETURN: @@ -672,7 +731,16 @@ i = -1; errno = EAGAIN; break; + case SSL_ERROR_SYSCALL: + if (i == 0) + break; + if (errno == ECONNRESET) + break; + debug (83, 1) ("SSL fd %d write error %s (%d)\n", fd, strerror(errno), errno); + break; + default: + debug (83, 2) ("SSL fd %d write error %s (%d/%d)\n", fd, ERR_error_string(ERR_get_error(), NULL), i, err); i = -1; break; } 
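Review bot: In the new `SSL_ERROR_SYSCALL` case of ssl_read_method, `if (i == 0) break;` hands the caller a plain end-of-file, but OpenSSL reports SSL_ERROR_SYSCALL with a zero return when the peer closed the transport without sending close_notify, i.e. a truncated stream, so a cut-off response becomes indistinguishable from a complete one. At minimum document the choice where it is made, `/* EOF without close_notify: treated as a normal close, so truncation cannot be detected here */`; a stricter option is to set `errno = ECONNRESET` and return -1 unless `Config.SSL.unclean_shutdown` is set, since that option already expresses exactly this relaxation. The `#if DONT_DO_THIS` block around the read-side `SSL_is_init_finished()` guard is dead code under a never-defined macro; delete it or replace it with a comment explaining why reads, unlike the write and shutdown paths that gained the same guard, must be allowed before the handshake completes (presumably because handshake progress is driven through SSL_read). The same `i == 0` branch is repeated in the ssl_write_method hunk below, where returning 0 from a write with `errno` untouched may be taken by callers as "retry" rather than as an error, so returning -1 with `errno` set looks safer there.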
@@ -685,6 +753,12 @@ { SSL *ssl = fd_table[fd].ssl; int ret; + + if (!SSL_is_init_finished(ssl)) { + errno = ENOTCONN; + return -1; + } + ret = SSL_shutdown(ssl); if (ret <= 0) { int err = SSL_get_error(ssl, ret); Index: squid/src/ssl_support.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/ssl_support.h,v retrieving revision 1.5.44.3 retrieving revision 1.5.44.4 diff -u -r1.5.44.3 -r1.5.44.4 --- squid/src/ssl_support.h 25 Oct 2003 15:32:26 -0000 1.5.44.3 +++ squid/src/ssl_support.h 18 Apr 2004 00:09:08 -0000 1.5.44.4 @@ -46,7 +46,7 @@ #include #endif -SSL_CTX *sslCreateServerContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *clientCA, const char *CAfile, const char *CApath, const char *dhpath); +SSL_CTX *sslCreateServerContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *clientCA, const char *CAfile, const char *CApath, const char *dhpath, const char *context); SSL_CTX *sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath); int ssl_read_method(int, char *, int); int ssl_write_method(int, const char *, int); Index: squid/src/structs.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/structs.h,v retrieving revision 1.48.2.8.2.15 retrieving revision 1.48.2.8.2.16 diff -u -r1.48.2.8.2.15 -r1.48.2.8.2.16 --- squid/src/structs.h 26 Mar 2004 09:15:40 -0000 1.48.2.8.2.15 +++ squid/src/structs.h 18 Apr 2004 00:09:08 -0000 1.48.2.8.2.16 @@ -1,6 +1,6 @@ /* - * $Id: structs.h,v 1.48.2.8.2.15 2004/03/26 09:15:40 hno Exp $ + * $Id: structs.h,v 1.48.2.8.2.16 2004/04/18 00:09:08 hno Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ 
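Review bot: The new `SSL_is_init_finished()` guard in ssl_shutdown_method deserves a why-comment, because on its own it reads as skipping a close the peer would expect; in the OpenSSL releases of this period `SSL_shutdown()` on a connection still in the handshake fails with SSL_R_SHUTDOWN_WHILE_IN_INIT, and the guard turns that into a plain ENOTCONN. Suggested comment above the check: `/* SSL_shutdown() fails while the handshake is still in progress; report ENOTCONN instead of a library error */`. The enclosing function's signature is above this hunk.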
@@ -352,6 +352,7 @@ char *capath; char *dhfile; char *sslflags; + char *sslcontext; SSL_CTX *sslContext; }; #endif Index: squid/src/typedefs.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/typedefs.h,v retrieving revision 1.25.6.1.2.4 retrieving revision 1.25.6.1.2.5 diff -u -r1.25.6.1.2.4 -r1.25.6.1.2.5 --- squid/src/typedefs.h 26 Mar 2004 09:15:40 -0000 1.25.6.1.2.4 +++ squid/src/typedefs.h 18 Apr 2004 00:09:08 -0000 1.25.6.1.2.5 @@ -1,6 +1,6 @@ /* - * $Id: typedefs.h,v 1.25.6.1.2.4 2004/03/26 09:15:40 hno Exp $ + * $Id: typedefs.h,v 1.25.6.1.2.5 2004/04/18 00:09:08 hno Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -346,7 +346,7 @@ typedef ssize_t HttpHeaderPos; /* big mask for http headers */ -typedef char HttpHeaderMask[8]; +typedef char HttpHeaderMask[(HDR_ENUM_END + 7) / 8]; /* a common objPackInto interface; used by debugObj */ typedef void (*ObjPackMethod) (void *obj, Packer * p);
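Review bot: The `HttpHeaderMask` resize from a fixed 8 bytes to `(HDR_ENUM_END + 7) / 8` in typedefs.h is unrelated to the SSL work described in the log and is not mentioned there; it silently changes the size of a type used across the header code, so any code that copies or clears a mask with a hard-coded 8 instead of `sizeof` would now be wrong, which warrants a separate log line and a check of the callers. It also requires `HDR_ENUM_END` to be declared before this point in typedefs.h, which the hunk does not show. A comment would make the intent explicit: `/* one bit per http_hdr_type; HDR_ENUM_END is presumably the enum's end marker */`.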