[squid-dev] [PATCH] splicing resumed sessions

2015-03-17 Thread Tsantilas Christos 

This patch adds the ssl_bump_resuming_sessions directive that controls
SslBump behavior when dealing with resuming SSL/TLS sessions. Without 
these changes, SslBump usually terminates all resuming sessions with an 
error because such sessions do not include server certificates, 
preventing Squid from successfully validating the server identity.


After these changes, Squid either terminates or splices resuming 
sessions, depending on configuration. Splicing is the right default 
because Squid most likely has spliced the original connections that the 
client and server are trying to resume now.  Most likely, the splicing 
decision would not change now (but the lack of the server certificate 
information means we cannot repeat the original ACL checks and need a 
special directive to tell Squid what to do). Also, without SslBump, 
session resumption would just work, and SslBump default should approach 
that ideal.


In many deployment scenarios, this straightforward splice or terminate
resuming sessions implementation is exactly what the admin wants. 
Future projects may add more complex algorithms, including maintaining 
an SMP-shared cache of sessions that may be resumed in the future and 
evaluating client/server attempts to resume a session using that cache.



Example:
  # splice all resuming sessions [this is the default]
  ssl_bump_resuming_sessions allow all

This patch also makes SSL client Hello message parsing more robust and
adds an SSL server Hello message parser.

This patch also prevents occasional segfaults when dealing with SSL
cache_peer negotiation failures.

The last two changes should applied to squid-3.5 even if this patch will 
not go into squid-3.5.


Regards,
   Christos
Added ssl_bump_resuming_sessions to control treatment of resuming sessions
by SslBump.

This patch adds the ssl_bump_resuming_sessions directive that controls
SslBump behavior when dealing with resuming SSL/TLS sessions. Without
these changes, SslBump usually terminates all resuming sessions with an
error because such sessions do not include server certificates, preventing
Squid from successfully validating the server identity.

After these changes, Squid either terminates or splices resuming sessions,
depending on configuration. Splicing is the right default because Squid
most likely has spliced the original connections that the client and server
are trying to resume now. Most likely, the splicing decision would not
change now (but the lack of the server certificate information means we cannot
repeat the original ACL checks and need a special directive to tell Squid what
to do). Also, without SslBump, session resumption would just work, and SslBump
default should approach that ideal.

In many deployment scenarios, this straightforward splice or terminate
resuming sessions implementation is exactly what the admin wants. Future
projects may add more complex algorithms, including maintaining an SMP-shared
cache of sessions that may be resumed in the future and evaluating
client/server attempts to resume a session using that cache.


Example:
  # splice all resuming sessions [this is the default]
  ssl_bump_resuming_sessions allow all


This patch also makes SSL client Hello message parsing more robust and
adds an SSL server Hello message parser.

This patch also prevents occasional segfaults when dealing with SSL
cache_peer negotiation failures.


Technical details
-

In Peek mode, the old Squid code would forward the client Hello message to the
server. If the server tries to resume the previous (spliced) SSL session with
the client, then Squid SSL code gets an ssl/PeerConnector.cc ccs received
early error (or similar) because the Squid SSL object expects a server
certificate and does not know anything about the session being resumed.

With this patch, Squid detects session resumption attempts and consults the
ssl_bump_resuming_sessions access list to decide whether to splice or honor
the error. Honoring the error would usually terminate the client and server
connections.


Session resumption detection


There are two mechanism in SSL/TLS for resuming sessions. The traditional
shared session IDs and the TLS ticket extensions:

* If Squid detects a shared ID in both client and server Hello messages, then
Squid decides whether the session is being resumed by comparing those client
and server shared IDs. If (and only if) the IDs are the same, then Squid
assumes that it is dealing with a resuming session (using session IDs).

* If Squid detects a TLS ticket in the client Hello message and TLS ticket
support in the server Hello message as well as a Change Cipher Spec or a New
TLS Ticket message (following the server Hello message), then (and only then)
Squid assumes that it is dealing with a resuming session (using TLS tickets).

The TLS tickets check is not performed if Squid detects a shared session ID
in both client and server Hello messages.

This is a Measurement Factory

Re: [squid-dev] [PATCH] start workers as root

2015-03-17 Thread Tsantilas Christos 

A patch which solves this problem applied to trunk as rev13984.
The patch is different that the patch I posted here.
It just adds  enter_suid() calls after the writePidFile and removePidFile()
inside the watch_child() function.

Regards,
  Christos

On 03/09/2015 11:09 AM, Tsantilas Christos wrote:

On 03/08/2015 05:57 AM, Amos Jeffries wrote:

On 8/03/2015 6:34 a.m., Tsantilas Christos wrote:

On 03/07/2015 07:18 AM, Amos Jeffries wrote:

On 7/03/2015 12:18 a.m., Tsantilas Christos wrote:

SMP workers in trunk start without root privileges. This results in
startup  failures when workers need to use a privileged port 
(e.g., 443)

or other  root-only features such as TPROXY.

This bug added with my Moved PID file management from Coordinator to
Master patch.

The problem is inside watch_child function which called after a
enter_suid() call, but the  writePidFile() call, inside the
watch_child(), will leave suid mode before exit.

This patch removes the enter_suid/leave_suid cals from the 
writePidFile

   and make the caller responsible for setting the root privileges if
required.


I think this is wrong approach.

Firstly, what are processes without SUID ability doing writing to 
secure

system files?


What do you mean here?


After your patch that makes the master file the one writing the PID file
what are the workers (non-master) doing writing to it?


The workers does not write the PID file.
A single-process squid  (eg when started with the -N parameter) 
still need to write PID file.









Secondly, I thought the entire point of the earlier patch was to make
the *MASTER* process was the one writing the PID file. Not
low-privileged workers.


Yes the master process writing the pid file, not the workers.



Thirdly, the enter/leave_suid calls mean dangerous security stuff 
about

to happen and should only be called if absolutely necessary, AND only
around the (block of) system calls which require them.


I agree.
However the watch_child which is implements the master process, is
designed to run in suid mode. This was not changed by the PID patch.
Just due to a bug added with the PID patch this function leaves the 
suid

mode.



I think I understand you there. You mean this process:

  enter_suid()
  ...
  watch_child()
   ...
   writePidFile() {
enter_squid() // no-op
...
leave_suid()
  }
  ... something that needs suid. oops.

Yep.






Maybe we want to fix master process to not run in suid mode, but I 
believe:

   - This is not a scope for this patch
   - The master process does not do a lot of thinks. Probably we do not
need to make it run with low privileges. Moreover we may have problems
with the kids. (Is it possible for kids to run with different
cache_effective_user parameter?)



Yes, more than possible - probable that somebody will or is already
doing so. Just the other day I saw someone running workers with
different PID files.
Thats the kind of thing that happens with these directives available in
via squid.conf per-worker.




Your description sounds like some part of the code in worker scope is
using enter_suid doing a lot of Squid stuff - plus incidentally some
root system stuff, then leave_suid. That is broken code. None of the
general Squid stuff are security sentitive system calls needing root
privileges.


No, please forget the workers. This patch does not change anything in a
worker.
Please take a look into the writePidFile function, and into watch_child
function (which implements the master process)



The place your patch is changing are all in the workers code.

Instead of moving the enter_suid() outside of writePidFile() in several
places the master code should call enter only to preserve the part of
code *it* needs suid. eg.

  watch_child()
...
writePidFile()
enter_suid(); // writePidFile() uses leave_suid()
...

Much simpler patch, and fewer places overall using enter/leave_suid.



Well, still a writePidFile call in the future may cause similar bug.
The need of calling an enter_suid() after writePidFile,  is not 
something a developer expects.


However I have no problem for this patch too, it is OK for me.
If you prefer it I will apply this patch instead.



Amos

___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev





___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev

[squid-dev] Build failed in Jenkins: trunk-matrix » clang,j-fbsd-93 #141

2015-03-17 Thread noc 
See 
http://build.squid-cache.org/job/trunk-matrix/compiler=clang,label=j-fbsd-93/141/

--
[...truncated 2982 lines...]
ccache clang++ -DHAVE_CONFIG_H-I../../../../.. -I../../../../../include  
-I../../../../../lib -I../../../../../src  -I../../../include 
-I/usr/local/include -I/usr/include  -I/usr/include  -I../../../../../libltdl  
-Werror -Qunused-arguments -Wno-deprecated-register  -D_REENTRANT -g -O2 
-std=c++11 -I/usr/local/include -MT basic_pam_auth.o -MD -MP -MF 
.deps/basic_pam_auth.Tpo -c -o basic_pam_auth.o 
../../../../../helpers/basic_auth/PAM/basic_pam_auth.cc
mv -f .deps/basic_pam_auth.Tpo .deps/basic_pam_auth.Po
/bin/sh ../../../libtool  --tag=CXX--mode=link ccache clang++ -Werror 
-Qunused-arguments -Wno-deprecated-register  -D_REENTRANT  -g -O2 -std=c++11 
-I/usr/local/include  -g -L/usr/local/lib -Wl,-R/usr/local/lib -pthread -o 
basic_pam_auth basic_pam_auth.o ../../../lib/libmiscencoding.la  
../../../compat/libcompat-squid.la   -lpam  -lm 
libtool: link: ccache clang++ -Werror -Qunused-arguments 
-Wno-deprecated-register -D_REENTRANT -g -O2 -std=c++11 -I/usr/local/include -g 
-Wl,-R/usr/local/lib -pthread -o basic_pam_auth basic_pam_auth.o  
-L/usr/local/lib ../../../lib/.libs/libmiscencoding.a 
../../../compat/.libs/libcompat-squid.a -lpam -lm -pthread
Making all in POP3
sed -e 's,[@]PERL[@],/usr/bin/perl,g' 
../../../../../helpers/basic_auth/POP3/basic_pop3_auth.pl.in basic_pop3_auth 
|| (/bin/rm -f -f basic_pop3_auth ; exit 1)
pod2man basic_pop3_auth basic_pop3_auth.8
Making all in RADIUS
ccache clang++ -DHAVE_CONFIG_H-I../../../../.. -I../../../../../include  
-I../../../../../lib -I../../../../../src  -I../../../include 
-I/usr/local/include -I/usr/include  -I/usr/include  -I../../../../../libltdl 
-I../../../../../helpers/basic_auth/RADIUS  -Werror -Qunused-arguments 
-Wno-deprecated-register  -D_REENTRANT -g -O2 -std=c++11 -I/usr/local/include 
-MT radius-util.o -MD -MP -MF .deps/radius-util.Tpo -c -o radius-util.o 
../../../../../helpers/basic_auth/RADIUS/radius-util.cc
ccache clang++ -DHAVE_CONFIG_H-I../../../../.. -I../../../../../include  
-I../../../../../lib -I../../../../../src  -I../../../include 
-I/usr/local/include -I/usr/include  -I/usr/include  -I../../../../../libltdl 
-I../../../../../helpers/basic_auth/RADIUS  -Werror -Qunused-arguments 
-Wno-deprecated-register  -D_REENTRANT -g -O2 -std=c++11 -I/usr/local/include 
-MT basic_radius_auth.o -MD -MP -MF .deps/basic_radius_auth.Tpo -c -o 
basic_radius_auth.o 
../../../../../helpers/basic_auth/RADIUS/basic_radius_auth.cc
mv -f .deps/basic_radius_auth.Tpo .deps/basic_radius_auth.Po
mv -f .deps/radius-util.Tpo .deps/radius-util.Po
/bin/sh ../../../libtool  --tag=CXX--mode=link ccache clang++ -Werror 
-Qunused-arguments -Wno-deprecated-register  -D_REENTRANT  -g -O2 -std=c++11 
-I/usr/local/include  -g -L/usr/local/lib -Wl,-R/usr/local/lib -pthread -o 
basic_radius_auth basic_radius_auth.o  radius-util.o 
../../../lib/libmiscencoding.la  ../../../compat/libcompat-squid.la   -lnettle  
  -lm 
libtool: link: ccache clang++ -Werror -Qunused-arguments 
-Wno-deprecated-register -D_REENTRANT -g -O2 -std=c++11 -I/usr/local/include -g 
-Wl,-R/usr/local/lib -pthread -o basic_radius_auth basic_radius_auth.o 
radius-util.o  -L/usr/local/lib ../../../lib/.libs/libmiscencoding.a 
../../../compat/.libs/libcompat-squid.a -lnettle -lm -pthread
Making all in SMB
ccache clang++ -DHAVE_CONFIG_H   -I../../../../.. -I../../../../../include  
-I../../../../../lib -I../../../../../src  -I../../../include 
-I/usr/local/include -I/usr/include  -I/usr/include  -I../../../../../libltdl  
-DHELPERSCRIPT=\/usrhttp://build.squid-cache.org/job/trunk-matrix/compiler=clang,label=j-fbsd-93/ws/btlayer-00-default/squid-4.0.0-BZR/_inst/libexec/basic_smb_auth.sh\;
 -g -O2 -std=c++11 -I/usr/local/include -MT basic_smb_auth-basic_smb_auth.o -MD 
-MP -MF .deps/basic_smb_auth-basic_smb_auth.Tpo -c -o 
basic_smb_auth-basic_smb_auth.o `test -f 'basic_smb_auth.cc' || echo 
'../../../../../helpers/basic_auth/SMB/'`basic_smb_auth.cc
mv -f .deps/basic_smb_auth-basic_smb_auth.Tpo 
.deps/basic_smb_auth-basic_smb_auth.Po
/bin/sh ../../../libtool  --tag=CXX--mode=link ccache clang++  
-DHELPERSCRIPT=\/usrhttp://build.squid-cache.org/job/trunk-matrix/compiler=clang,label=j-fbsd-93/ws/btlayer-00-default/squid-4.0.0-BZR/_inst/libexec/basic_smb_auth.sh\;
 -g -O2 -std=c++11 -I/usr/local/include   -g -L/usr/local/lib 
-Wl,-R/usr/local/lib -pthread -o basic_smb_auth basic_smb_auth-basic_smb_auth.o 
../../../lib/libmiscencoding.la  ../../../compat/libcompat-squid.la   -lm 
libtool: link: ccache clang++ 
-DHELPERSCRIPT=\/usrhttp://build.squid-cache.org/job/trunk-matrix/compiler=clang,label=j-fbsd-93/ws/btlayer-00-default/squid-4.0.0-BZR/_inst/libexec/basic_smb_auth.sh\;
 -g -O2 -std=c++11 -I/usr/local/include -g -Wl,-R/usr/local/lib -pthread -o 
basic_smb_auth basic_smb_auth-basic_smb_auth.o  -L/usr/local/lib

[squid-dev] Build failed in Jenkins: trunk-matrix » gcc,j-fbsd-93 #141

2015-03-17 Thread noc 
See 
http://build.squid-cache.org/job/trunk-matrix/compiler=gcc,label=j-fbsd-93/141/

--
[...truncated 2910 lines...]
cp ../../../libltdl/argz_.h argz.h-t
mv argz.h-t argz.h
make  all-am
/bin/sh ./libtool  --tag=CC   --mode=compile ccache gcc -DHAVE_CONFIG_H -I. 
-I../../../libltdl  -DLT_CONFIG_H='config.h' -DLTDL -I. -I../../../libltdl  
-Ilibltdl -I../../../libltdl/libltdl -I../../../libltdl/libltdl   -g -O2 -MT 
dlopen.lo -MD -MP -MF .deps/dlopen.Tpo -c -o dlopen.lo `test -f 
'loaders/dlopen.c' || echo '../../../libltdl/'`loaders/dlopen.c
/bin/sh ./libtool  --tag=CC   --mode=compile ccache gcc -DHAVE_CONFIG_H -I. 
-I../../../libltdl  -DLTDLOPEN=libltdlc -DLT_CONFIG_H='config.h' -DLTDL -I. 
-I../../../libltdl  -Ilibltdl -I../../../libltdl/libltdl 
-I../../../libltdl/libltdl   -g -O2 -MT libltdlc_la-preopen.lo -MD -MP -MF 
.deps/libltdlc_la-preopen.Tpo -c -o libltdlc_la-preopen.lo `test -f 
'loaders/preopen.c' || echo '../../../libltdl/'`loaders/preopen.c
libtool: compile:  ccache gcc -DHAVE_CONFIG_H -I. -I../../../libltdl 
-DLT_CONFIG_H=config.h -DLTDL -I. -I../../../libltdl -Ilibltdl 
-I../../../libltdl/libltdl -I../../../libltdl/libltdl -g -O2 -MT dlopen.lo -MD 
-MP -MF .deps/dlopen.Tpo -c ../../../libltdl/loaders/dlopen.c -o dlopen.o
libtool: compile:  ccache gcc -DHAVE_CONFIG_H -I. -I../../../libltdl 
-DLTDLOPEN=libltdlc -DLT_CONFIG_H=config.h -DLTDL -I. -I../../../libltdl 
-Ilibltdl -I../../../libltdl/libltdl -I../../../libltdl/libltdl -g -O2 -MT 
libltdlc_la-preopen.lo -MD -MP -MF .deps/libltdlc_la-preopen.Tpo -c 
../../../libltdl/loaders/preopen.c -o libltdlc_la-preopen.o
mv -f .deps/dlopen.Tpo .deps/dlopen.Plo
/bin/sh ./libtool  --tag=CC   --mode=compile ccache gcc -DHAVE_CONFIG_H -I. 
-I../../../libltdl  -DLTDLOPEN=libltdlc -DLT_CONFIG_H='config.h' -DLTDL -I. 
-I../../../libltdl  -Ilibltdl -I../../../libltdl/libltdl 
-I../../../libltdl/libltdl   -g -O2 -MT libltdlc_la-lt__alloc.lo -MD -MP -MF 
.deps/libltdlc_la-lt__alloc.Tpo -c -o libltdlc_la-lt__alloc.lo `test -f 
'lt__alloc.c' || echo '../../../libltdl/'`lt__alloc.c
libtool: compile:  ccache gcc -DHAVE_CONFIG_H -I. -I../../../libltdl 
-DLTDLOPEN=libltdlc -DLT_CONFIG_H=config.h -DLTDL -I. -I../../../libltdl 
-Ilibltdl -I../../../libltdl/libltdl -I../../../libltdl/libltdl -g -O2 -MT 
libltdlc_la-lt__alloc.lo -MD -MP -MF .deps/libltdlc_la-lt__alloc.Tpo -c 
../../../libltdl/lt__alloc.c -o libltdlc_la-lt__alloc.o
mv -f .deps/libltdlc_la-preopen.Tpo .deps/libltdlc_la-preopen.Plo
/bin/sh ./libtool  --tag=CC   --mode=compile ccache gcc -DHAVE_CONFIG_H -I. 
-I../../../libltdl  -DLTDLOPEN=libltdlc -DLT_CONFIG_H='config.h' -DLTDL -I. 
-I../../../libltdl  -Ilibltdl -I../../../libltdl/libltdl 
-I../../../libltdl/libltdl   -g -O2 -MT libltdlc_la-lt_dlloader.lo -MD -MP -MF 
.deps/libltdlc_la-lt_dlloader.Tpo -c -o libltdlc_la-lt_dlloader.lo `test -f 
'lt_dlloader.c' || echo '../../../libltdl/'`lt_dlloader.c
libtool: compile:  ccache gcc -DHAVE_CONFIG_H -I. -I../../../libltdl 
-DLTDLOPEN=libltdlc -DLT_CONFIG_H=config.h -DLTDL -I. -I../../../libltdl 
-Ilibltdl -I../../../libltdl/libltdl -I../../../libltdl/libltdl -g -O2 -MT 
libltdlc_la-lt_dlloader.lo -MD -MP -MF .deps/libltdlc_la-lt_dlloader.Tpo -c 
../../../libltdl/lt_dlloader.c -o libltdlc_la-lt_dlloader.o
mv -f .deps/libltdlc_la-lt__alloc.Tpo .deps/libltdlc_la-lt__alloc.Plo
/bin/sh ./libtool  --tag=CC   --mode=compile ccache gcc -DHAVE_CONFIG_H -I. 
-I../../../libltdl  -DLTDLOPEN=libltdlc -DLT_CONFIG_H='config.h' -DLTDL -I. 
-I../../../libltdl  -Ilibltdl -I../../../libltdl/libltdl 
-I../../../libltdl/libltdl   -g -O2 -MT libltdlc_la-lt_error.lo -MD -MP -MF 
.deps/libltdlc_la-lt_error.Tpo -c -o libltdlc_la-lt_error.lo `test -f 
'lt_error.c' || echo '../../../libltdl/'`lt_error.c
libtool: compile:  ccache gcc -DHAVE_CONFIG_H -I. -I../../../libltdl 
-DLTDLOPEN=libltdlc -DLT_CONFIG_H=config.h -DLTDL -I. -I../../../libltdl 
-Ilibltdl -I../../../libltdl/libltdl -I../../../libltdl/libltdl -g -O2 -MT 
libltdlc_la-lt_error.lo -MD -MP -MF .deps/libltdlc_la-lt_error.Tpo -c 
../../../libltdl/lt_error.c -o libltdlc_la-lt_error.o
mv -f .deps/libltdlc_la-lt_dlloader.Tpo .deps/libltdlc_la-lt_dlloader.Plo
/bin/sh ./libtool  --tag=CC   --mode=compile ccache gcc -DHAVE_CONFIG_H -I. 
-I../../../libltdl  -DLTDLOPEN=libltdlc -DLT_CONFIG_H='config.h' -DLTDL -I. 
-I../../../libltdl  -Ilibltdl -I../../../libltdl/libltdl 
-I../../../libltdl/libltdl   -g -O2 -MT libltdlc_la-ltdl.lo -MD -MP -MF 
.deps/libltdlc_la-ltdl.Tpo -c -o libltdlc_la-ltdl.lo `test -f 'ltdl.c' || echo 
'../../../libltdl/'`ltdl.c
libtool: compile:  ccache gcc -DHAVE_CONFIG_H -I. -I../../../libltdl 
-DLTDLOPEN=libltdlc -DLT_CONFIG_H=config.h -DLTDL -I. -I../../../libltdl 
-Ilibltdl -I../../../libltdl/libltdl -I../../../libltdl/libltdl -g -O2 -MT 
libltdlc_la-ltdl.lo -MD -MP -MF .deps/libltdlc_la-ltdl.Tpo -c 
../../../libltdl/ltdl.c -o libltdlc_la-ltdl.o
mv -f .deps/libltdlc_la-lt_error.Tpo .deps/libltdlc_la-lt_error.Plo