]> git.ipfire.org Git - thirdparty/squid.git/blame - src/ssl/ErrorDetail.cc
projects / thirdparty / squid.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
SourceFormat Enforcement
[thirdparty/squid.git] / src / ssl / ErrorDetail.cc
CommitLineData
bbc27441 1/*
bde978a6 2 * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
bbc27441
AJ		 3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
582c2af2 9#include "squid.h"
02259ff8 10#include "errorpage.h"
ed6e9fb9 11#include "fatal.h"
4d16918e 12#include "ssl/ErrorDetail.h"
074d6a40 13
582c2af2 14#include <climits>
074d6a40 15#include <map>
4d16918e 16
dc49061a 17struct SslErrorEntry {
461b9576 18 Ssl::ssl_error_t value;
4d16918e 19 const char *name;
4d16918e
CT		 20};
21
8e9bae99 22static const char *SslErrorDetailDefaultStr = "SSL handshake error (%err_name)";
cf09bec7 23//Use std::map to optimize search
02259ff8
CT		 24typedef std::map<Ssl::ssl_error_t, const SslErrorEntry *> SslErrors;
25SslErrors TheSslErrors;
cf09bec7 26
02259ff8 27static SslErrorEntry TheSslErrorArray[] = {
f53969cc
SM		 28 { SQUID_X509_V_ERR_INFINITE_VALIDATION,
29 "SQUID_X509_V_ERR_INFINITE_VALIDATION"
30 },
31 { SQUID_X509_V_ERR_CERT_CHANGE,
32 "SQUID_X509_V_ERR_CERT_CHANGE"
33 },
34 { SQUID_ERR_SSL_HANDSHAKE,
35 "SQUID_ERR_SSL_HANDSHAKE"
36 },
37 { SQUID_X509_V_ERR_DOMAIN_MISMATCH,
38 "SQUID_X509_V_ERR_DOMAIN_MISMATCH"
39 },
40 { X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
41 "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT"
42 },
43 { X509_V_ERR_UNABLE_TO_GET_CRL,
44 "X509_V_ERR_UNABLE_TO_GET_CRL"
45 },
46 { X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE,
47 "X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE"
48 },
49 { X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE,
50 "X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE"
51 },
52 { X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY,
53 "X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY"
54 },
55 { X509_V_ERR_CERT_SIGNATURE_FAILURE,
56 "X509_V_ERR_CERT_SIGNATURE_FAILURE"
57 },
58 { X509_V_ERR_CRL_SIGNATURE_FAILURE,
59 "X509_V_ERR_CRL_SIGNATURE_FAILURE"
60 },
61 { X509_V_ERR_CERT_NOT_YET_VALID,
62 "X509_V_ERR_CERT_NOT_YET_VALID"
63 },
64 { X509_V_ERR_CERT_HAS_EXPIRED,
65 "X509_V_ERR_CERT_HAS_EXPIRED"
66 },
67 { X509_V_ERR_CRL_NOT_YET_VALID,
68 "X509_V_ERR_CRL_NOT_YET_VALID"
69 },
70 { X509_V_ERR_CRL_HAS_EXPIRED,
71 "X509_V_ERR_CRL_HAS_EXPIRED"
72 },
73 { X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD,
74 "X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD"
75 },
76 { X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD,
77 "X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD"
78 },
79 { X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD,
80 "X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD"
81 },
82 { X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD,
83 "X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD"
84 },
85 { X509_V_ERR_OUT_OF_MEM,
86 "X509_V_ERR_OUT_OF_MEM"
87 },
88 { X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
89 "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT"
90 },
91 { X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
92 "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN"
93 },
94 { X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
95 "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY"
96 },
97 { X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
98 "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE"
99 },
100 { X509_V_ERR_CERT_CHAIN_TOO_LONG,
101 "X509_V_ERR_CERT_CHAIN_TOO_LONG"
102 },
103 { X509_V_ERR_CERT_REVOKED,
104 "X509_V_ERR_CERT_REVOKED"
105 },
106 { X509_V_ERR_INVALID_CA,
107 "X509_V_ERR_INVALID_CA"
108 },
109 { X509_V_ERR_PATH_LENGTH_EXCEEDED,
110 "X509_V_ERR_PATH_LENGTH_EXCEEDED"
111 },
112 { X509_V_ERR_INVALID_PURPOSE,
113 "X509_V_ERR_INVALID_PURPOSE"
114 },
115 { X509_V_ERR_CERT_UNTRUSTED,
116 "X509_V_ERR_CERT_UNTRUSTED"
117 },
118 { X509_V_ERR_CERT_REJECTED,
119 "X509_V_ERR_CERT_REJECTED"
120 },
121 { X509_V_ERR_SUBJECT_ISSUER_MISMATCH,
122 "X509_V_ERR_SUBJECT_ISSUER_MISMATCH"
123 },
124 { X509_V_ERR_AKID_SKID_MISMATCH,
125 "X509_V_ERR_AKID_SKID_MISMATCH"
126 },
127 { X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH,
128 "X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH"
129 },
130 { X509_V_ERR_KEYUSAGE_NO_CERTSIGN,
131 "X509_V_ERR_KEYUSAGE_NO_CERTSIGN"
132 },
7a62af61 133#if defined(X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER)
6265d341
A		 134 {
135 X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, //33
136 "X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER"
137 },
7a62af61
CT		 138#endif
139#if defined(X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION)
6265d341
A		 140 {
141 X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION, //34
142 "X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION"
143 },
7a62af61
CT		 144#endif
145#if defined(X509_V_ERR_KEYUSAGE_NO_CRL_SIGN)
6265d341
A		 146 {
147 X509_V_ERR_KEYUSAGE_NO_CRL_SIGN, //35
148 "X509_V_ERR_KEYUSAGE_NO_CRL_SIGN"
149 },
7a62af61
CT		 150#endif
151#if defined(X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION)
6265d341
A		 152 {
153 X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION, //36
154 "X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION"
155 },
7a62af61
CT		 156#endif
157#if defined(X509_V_ERR_INVALID_NON_CA)
6265d341
A		 158 {
159 X509_V_ERR_INVALID_NON_CA, //37
160 "X509_V_ERR_INVALID_NON_CA"
161 },
7a62af61
CT		 162#endif
163#if defined(X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED)
6265d341
A		 164 {
165 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED, //38
166 "X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED"
167 },
7a62af61
CT		 168#endif
169#if defined(X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE)
6265d341
A		 170 {
171 X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE, //39
172 "X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE"
173 },
7a62af61
CT		 174#endif
175#if defined(X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED)
6265d341
A		 176 {
177 X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED, //40
178 "X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED"
179 },
7a62af61
CT		 180#endif
181#if defined(X509_V_ERR_INVALID_EXTENSION)
6265d341
A		 182 {
183 X509_V_ERR_INVALID_EXTENSION, //41
184 "X509_V_ERR_INVALID_EXTENSION"
185 },
7a62af61
CT		 186#endif
187#if defined(X509_V_ERR_INVALID_POLICY_EXTENSION)
6265d341
A		 188 {
189 X509_V_ERR_INVALID_POLICY_EXTENSION, //42
190 "X509_V_ERR_INVALID_POLICY_EXTENSION"
191 },
7a62af61
CT		 192#endif
193#if defined(X509_V_ERR_NO_EXPLICIT_POLICY)
6265d341
A		 194 {
195 X509_V_ERR_NO_EXPLICIT_POLICY, //43
196 "X509_V_ERR_NO_EXPLICIT_POLICY"
197 },
7a62af61
CT		 198#endif
199#if defined(X509_V_ERR_DIFFERENT_CRL_SCOPE)
6265d341
A		 200 {
201 X509_V_ERR_DIFFERENT_CRL_SCOPE, //44
202 "X509_V_ERR_DIFFERENT_CRL_SCOPE"
203 },
7a62af61
CT		 204#endif
205#if defined(X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE)
6265d341
A		 206 {
207 X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE, //45
208 "X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE"
209 },
7a62af61
CT		 210#endif
211#if defined(X509_V_ERR_UNNESTED_RESOURCE)
6265d341
A		 212 {
213 X509_V_ERR_UNNESTED_RESOURCE, //46
214 "X509_V_ERR_UNNESTED_RESOURCE"
215 },
7a62af61
CT		 216#endif
217#if defined(X509_V_ERR_PERMITTED_VIOLATION)
6265d341
A		 218 {
219 X509_V_ERR_PERMITTED_VIOLATION, //47
220 "X509_V_ERR_PERMITTED_VIOLATION"
221 },
7a62af61
CT		 222#endif
223#if defined(X509_V_ERR_EXCLUDED_VIOLATION)
6265d341
A		 224 {
225 X509_V_ERR_EXCLUDED_VIOLATION, //48
226 "X509_V_ERR_EXCLUDED_VIOLATION"
227 },
7a62af61
CT		 228#endif
229#if defined(X509_V_ERR_SUBTREE_MINMAX)
6265d341
A		 230 {
231 X509_V_ERR_SUBTREE_MINMAX, //49
232 "X509_V_ERR_SUBTREE_MINMAX"
233 },
7a62af61
CT		 234#endif
235#if defined(X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE)
6265d341
A		 236 {
237 X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE, //51
238 "X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE"
239 },
7a62af61
CT		 240#endif
241#if defined(X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX)
6265d341
A		 242 {
243 X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX, //52
244 "X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX"
245 },
7a62af61
CT		 246#endif
247#if defined(X509_V_ERR_UNSUPPORTED_NAME_SYNTAX)
6265d341
A		 248 {
249 X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, //53
250 "X509_V_ERR_UNSUPPORTED_NAME_SYNTAX"
251 },
7a62af61
CT		 252#endif
253#if defined(X509_V_ERR_CRL_PATH_VALIDATION_ERROR)
6265d341
A		 254 {
255 X509_V_ERR_CRL_PATH_VALIDATION_ERROR, //54
256 "X509_V_ERR_CRL_PATH_VALIDATION_ERROR"
257 },
7a62af61 258#endif
f53969cc
SM		 259 { X509_V_ERR_APPLICATION_VERIFICATION,
260 "X509_V_ERR_APPLICATION_VERIFICATION"
261 },
02259ff8
CT		 262 { SSL_ERROR_NONE, "SSL_ERROR_NONE"},
263 {SSL_ERROR_NONE, NULL}
4d16918e
CT		 264};
265
645deacc
CT		 266static const char *OptionalSslErrors[] = {
267 "X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER",
268 "X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION",
269 "X509_V_ERR_KEYUSAGE_NO_CRL_SIGN",
270 "X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION",
271 "X509_V_ERR_INVALID_NON_CA",
272 "X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED",
273 "X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE",
274 "X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED",
275 "X509_V_ERR_INVALID_EXTENSION",
276 "X509_V_ERR_INVALID_POLICY_EXTENSION",
277 "X509_V_ERR_NO_EXPLICIT_POLICY",
278 "X509_V_ERR_DIFFERENT_CRL_SCOPE",
279 "X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE",
280 "X509_V_ERR_UNNESTED_RESOURCE",
281 "X509_V_ERR_PERMITTED_VIOLATION",
282 "X509_V_ERR_EXCLUDED_VIOLATION",
283 "X509_V_ERR_SUBTREE_MINMAX",
284 "X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE",
285 "X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX",
286 "X509_V_ERR_UNSUPPORTED_NAME_SYNTAX",
287 "X509_V_ERR_CRL_PATH_VALIDATION_ERROR",
288 NULL
289};
290
cf1c09f6
CT		 291struct SslErrorAlias {
292 const char *name;
293 const Ssl::ssl_error_t *errors;
294};
295
296static const Ssl::ssl_error_t hasExpired[] = {X509_V_ERR_CERT_HAS_EXPIRED, SSL_ERROR_NONE};
297static const Ssl::ssl_error_t notYetValid[] = {X509_V_ERR_CERT_NOT_YET_VALID, SSL_ERROR_NONE};
298static const Ssl::ssl_error_t domainMismatch[] = {SQUID_X509_V_ERR_DOMAIN_MISMATCH, SSL_ERROR_NONE};
299static const Ssl::ssl_error_t certUntrusted[] = {X509_V_ERR_INVALID_CA,
f53969cc
SM		 300 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
301 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
302 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
303 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
304 X509_V_ERR_CERT_UNTRUSTED, SSL_ERROR_NONE
87f237a9 305 };
cf1c09f6
CT		 306static const Ssl::ssl_error_t certSelfSigned[] = {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_ERROR_NONE};
307
308// The list of error name shortcuts for use with ssl_error acls.
309// The keys without the "ssl::" scope prefix allow shorter error
310// names within the SSL options scope. This is easier than
7a957a93 311// carefully stripping the scope prefix in Ssl::ParseErrorString().
cf1c09f6
CT		 312static SslErrorAlias TheSslErrorShortcutsArray[] = {
313 {"ssl::certHasExpired", hasExpired},
314 {"certHasExpired", hasExpired},
315 {"ssl::certNotYetValid", notYetValid},
316 {"certNotYetValid", notYetValid},
317 {"ssl::certDomainMismatch", domainMismatch},
318 {"certDomainMismatch", domainMismatch},
319 {"ssl::certUntrusted", certUntrusted},
320 {"certUntrusted", certUntrusted},
321 {"ssl::certSelfSigned", certSelfSigned},
322 {"certSelfSigned", certSelfSigned},
323 {NULL, NULL}
324};
325
7a957a93 326// Use std::map to optimize search.
cf1c09f6
CT		 327typedef std::map<std::string, const Ssl::ssl_error_t *> SslErrorShortcuts;
328SslErrorShortcuts TheSslErrorShortcuts;
329
02259ff8 330static void loadSslErrorMap()
cf09bec7 331{
02259ff8
CT		 332 assert(TheSslErrors.empty());
333 for (int i = 0; TheSslErrorArray[i].name; ++i) {
334 TheSslErrors[TheSslErrorArray[i].value] = &TheSslErrorArray[i];
cf09bec7
CT		 335 }
336}
337
cf1c09f6
CT		 338static void loadSslErrorShortcutsMap()
339{
340 assert(TheSslErrorShortcuts.empty());
a38ec4b1 341 for (int i = 0; TheSslErrorShortcutsArray[i].name; ++i)
cf1c09f6
CT		 342 TheSslErrorShortcuts[TheSslErrorShortcutsArray[i].name] = TheSslErrorShortcutsArray[i].errors;
343}
344
02259ff8
CT		 345Ssl::ssl_error_t Ssl::GetErrorCode(const char *name)
346{
d7ae3534
FC		 347 //TODO: use a std::map?
348 for (int i = 0; TheSslErrorArray[i].name != NULL; ++i) {
02259ff8
CT		 349 if (strcmp(name, TheSslErrorArray[i].name) == 0)
350 return TheSslErrorArray[i].value;
351 }
352 return SSL_ERROR_NONE;
353}
354
cf1c09f6 355Ssl::Errors *
5e430bf3 356Ssl::ParseErrorString(const char *name)
4d16918e
CT		 357{
358 assert(name);
359
02259ff8
CT		 360 const Ssl::ssl_error_t ssl_error = GetErrorCode(name);
361 if (ssl_error != SSL_ERROR_NONE)
cf1c09f6 362 return new Ssl::Errors(ssl_error);
4d16918e
CT		 363
364 if (xisdigit(*name)) {
365 const long int value = strtol(name, NULL, 0);
366 if (SQUID_SSL_ERROR_MIN <= value && value <= SQUID_SSL_ERROR_MAX)
cf1c09f6 367 return new Ssl::Errors(value);
4d16918e
CT		 368 fatalf("Too small or too bug SSL error code '%s'", name);
369 }
370
cf1c09f6
CT		 371 if (TheSslErrorShortcuts.empty())
372 loadSslErrorShortcutsMap();
373
374 const SslErrorShortcuts::const_iterator it = TheSslErrorShortcuts.find(name);
375 if (it != TheSslErrorShortcuts.end()) {
376 // Should not be empty...
87f237a9 377 assert(it->second[0] != SSL_ERROR_NONE);
cf1c09f6 378 Ssl::Errors *errors = new Ssl::Errors(it->second[0]);
a38ec4b1 379 for (int i =1; it->second[i] != SSL_ERROR_NONE; ++i) {
cf1c09f6
CT		 380 errors->push_back_unique(it->second[i]);
381 }
382 return errors;
383 }
384
4d16918e 385 fatalf("Unknown SSL error name '%s'", name);
cf1c09f6 386 return NULL; // not reached
4d16918e
CT		 387}
388
02259ff8 389const char *Ssl::GetErrorName(Ssl::ssl_error_t value)
cf09bec7 390{
02259ff8
CT		 391 if (TheSslErrors.empty())
392 loadSslErrorMap();
cf09bec7 393
02259ff8
CT		 394 const SslErrors::const_iterator it = TheSslErrors.find(value);
395 if (it != TheSslErrors.end())
396 return it->second->name;
4d16918e
CT		 397
398 return NULL;
399}
400
645deacc
CT		 401bool
402Ssl::ErrorIsOptional(const char *name)
403{
404 for (int i = 0; OptionalSslErrors[i] != NULL; ++i) {
405 if (strcmp(name, OptionalSslErrors[i]) == 0)
406 return true;
407 }
408 return false;
409}
410
cf09bec7
CT		 411const char *
412Ssl::GetErrorDescr(Ssl::ssl_error_t value)
413{
02259ff8 414 return ErrorDetailsManager::GetInstance().getDefaultErrorDescr(value);
cf09bec7
CT		 415}
416
e34763f4 417Ssl::ErrorDetail::err_frm_code Ssl::ErrorDetail::ErrorFormatingCodes[] = {
4d16918e
CT		 418 {"ssl_subject", &Ssl::ErrorDetail::subject},
419 {"ssl_ca_name", &Ssl::ErrorDetail::ca_name},
420 {"ssl_cn", &Ssl::ErrorDetail::cn},
421 {"ssl_notbefore", &Ssl::ErrorDetail::notbefore},
422 {"ssl_notafter", &Ssl::ErrorDetail::notafter},
423 {"err_name", &Ssl::ErrorDetail::err_code},
cf09bec7 424 {"ssl_error_descr", &Ssl::ErrorDetail::err_descr},
8e9bae99 425 {"ssl_lib_error", &Ssl::ErrorDetail::err_lib_error},
4d16918e
CT		 426 {NULL,NULL}
427};
428
429/**
430 * The subject of the current certification in text form
431 */
432const char *Ssl::ErrorDetail::subject() const
433{
ff3bc018 434 if (!broken_cert)
4d16918e
CT		 435 return "[Not available]";
436
437 static char tmpBuffer[256]; // A temporary buffer
ff3bc018 438 X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer,
e34763f4
A		 439 sizeof(tmpBuffer));
440 return tmpBuffer;
4d16918e
CT		 441}
442
443// helper function to be used with Ssl::matchX509CommonNames
444static int copy_cn(void *check_data, ASN1_STRING *cn_data)
445{
446 String *str = (String *)check_data;
447 if (!str) // no data? abort
448 return 0;
b38b26cb 449 if (str->size() > 0)
4d16918e
CT		 450 str->append(", ");
451 str->append((const char *)cn_data->data, cn_data->length);
452 return 1;
453}
454
455/**
456 * The list with certificates cn and alternate names
457 */
458const char *Ssl::ErrorDetail::cn() const
459{
ff3bc018 460 if (!broken_cert)
4d16918e
CT		 461 return "[Not available]";
462
463 static String tmpStr; ///< A temporary string buffer
464 tmpStr.clean();
ff3bc018 465 Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn);
4d16918e
CT		 466 return tmpStr.termedBuf();
467}
468
469/**
470 * The issuer name
471 */
472const char *Ssl::ErrorDetail::ca_name() const
473{
ff3bc018 474 if (!broken_cert)
4d16918e
CT		 475 return "[Not available]";
476
477 static char tmpBuffer[256]; // A temporary buffer
ff3bc018 478 X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer));
4d16918e
CT		 479 return tmpBuffer;
480}
481
482/**
483 * The certificate "not before" field
484 */
485const char *Ssl::ErrorDetail::notbefore() const
486{
ff3bc018 487 if (!broken_cert)
4d16918e
CT		 488 return "[Not available]";
489
490 static char tmpBuffer[256]; // A temporary buffer
ff3bc018 491 ASN1_UTCTIME * tm = X509_get_notBefore(broken_cert.get());
4d16918e
CT		 492 Ssl::asn1timeToString(tm, tmpBuffer, sizeof(tmpBuffer));
493 return tmpBuffer;
494}
495
496/**
497 * The certificate "not after" field
498 */
499const char *Ssl::ErrorDetail::notafter() const
500{
ff3bc018 501 if (!broken_cert)
4d16918e
CT		 502 return "[Not available]";
503
504 static char tmpBuffer[256]; // A temporary buffer
ff3bc018 505 ASN1_UTCTIME * tm = X509_get_notAfter(broken_cert.get());
4d16918e
CT		 506 Ssl::asn1timeToString(tm, tmpBuffer, sizeof(tmpBuffer));
507 return tmpBuffer;
508}
509
510/**
511 * The string representation of the error_no
512 */
513const char *Ssl::ErrorDetail::err_code() const
514{
8211c314 515 static char tmpBuffer[64];
02259ff8
CT		 516 // We can use the GetErrorName but using the detailEntry is faster,
517 // so try it first.
518 const char *err = detailEntry.name.termedBuf();
519
520 // error details not loaded yet or not defined in error_details.txt,
521 // try the GetErrorName...
522 if (!err)
523 err = GetErrorName(error_no);
524
8211c314 525 if (!err) {
605b80ca 526 snprintf(tmpBuffer, 64, "%d", (int)error_no);
8211c314
CT		 527 err = tmpBuffer;
528 }
4d16918e
CT		 529 return err;
530}
531
cf09bec7
CT		 532/**
533 * A short description of the error_no
534 */
535const char *Ssl::ErrorDetail::err_descr() const
536{
02259ff8
CT		 537 if (error_no == SSL_ERROR_NONE)
538 return "[No Error]";
539 if (const char *err = detailEntry.descr.termedBuf())
cf09bec7
CT		 540 return err;
541 return "[Not available]";
542}
543
8e9bae99
CT		 544const char *Ssl::ErrorDetail::err_lib_error() const
545{
b38b26cb 546 if (errReason.size() > 0)
2cef0ca6
AR		 547 return errReason.termedBuf();
548 else if (lib_error_no != SSL_ERROR_NONE)
8e9bae99
CT		 549 return ERR_error_string(lib_error_no, NULL);
550 else
551 return "[No Error]";
552}
553
4d16918e 554/**
7a957a93 555 * Converts the code to a string value. Supported formating codes are:
ff3bc018
AR		 556 *
557 * Error meta information:
8e9bae99 558 * %err_name: The name of a high-level SSL error (e.g., X509_V_ERR_*)
cf09bec7 559 * %ssl_error_descr: A short description of the SSL error
ff3bc018
AR		 560 * %ssl_lib_error: human-readable low-level error string by ERR_error_string(3SSL)
561 *
562 * Certificate information extracted from broken (not necessarily peer!) cert
4d16918e
CT		 563 * %ssl_cn: The comma-separated list of common and alternate names
564 * %ssl_subject: The certificate subject
565 * %ssl_ca_name: The certificate issuer name
566 * %ssl_notbefore: The certificate "not before" field
567 * %ssl_notafter: The certificate "not after" field
87f237a9 568 *
4d16918e
CT		 569 \retval the length of the code (the number of characters will be replaced by value)
570*/
571int Ssl::ErrorDetail::convert(const char *code, const char **value) const
572{
573 *value = "-";
d7ae3534 574 for (int i=0; ErrorFormatingCodes[i].code!=NULL; ++i) {
4d16918e
CT		 575 const int len = strlen(ErrorFormatingCodes[i].code);
576 if (strncmp(code,ErrorFormatingCodes[i].code, len)==0) {
577 ErrorDetail::fmt_action_t action = ErrorFormatingCodes[i].fmt_action;
578 *value = (this->*action)();
579 return len;
580 }
e34763f4 581 }
4d16918e
CT		 582 return 0;
583}
584
585/**
e34763f4
A		 586 * It uses the convert method to build the string errDetailStr using
587 * a template message for the current SSL error. The template messages
4d16918e
CT		 588 * can also contain normal error pages formating codes.
589 * Currently the error template messages are hard-coded
590 */
591void Ssl::ErrorDetail::buildDetail() const
592{
02259ff8 593 char const *s = NULL;
4d16918e
CT		 594 char const *p;
595 char const *t;
596 int code_len = 0;
597
b248c2a3 598 if (ErrorDetailsManager::GetInstance().getErrorDetail(error_no, request, detailEntry))
02259ff8
CT		 599 s = detailEntry.detail.termedBuf();
600
601 if (!s)
602 s = SslErrorDetailDefaultStr;
603
8211c314 604 assert(s);
4d16918e
CT		 605 while ((p = strchr(s, '%'))) {
606 errDetailStr.append(s, p - s);
607 code_len = convert(++p, &t);
608 if (code_len)
609 errDetailStr.append(t);
610 else
611 errDetailStr.append("%");
612 s = p + code_len;
613 }
614 errDetailStr.append(s, strlen(s));
615}
616
e34763f4
A		 617const String &Ssl::ErrorDetail::toString() const
618{
b38b26cb 619 if (errDetailStr.size() == 0)
4d16918e
CT		 620 buildDetail();
621 return errDetailStr;
622}
623
2cef0ca6 624Ssl::ErrorDetail::ErrorDetail( Ssl::ssl_error_t err_no, X509 *cert, X509 *broken, const char *aReason): error_no (err_no), lib_error_no(SSL_ERROR_NONE), errReason(aReason)
4d16918e 625{
8e9bae99 626 if (cert)
de878a55
CT		 627 peer_cert.resetAndLock(cert);
628
629 if (broken)
630 broken_cert.resetAndLock(broken);
631 else
632 broken_cert.resetAndLock(cert);
8e9bae99 633
02259ff8 634 detailEntry.error_no = SSL_ERROR_NONE;
4d16918e
CT		 635}
636
637Ssl::ErrorDetail::ErrorDetail(Ssl::ErrorDetail const &anErrDetail)
638{
639 error_no = anErrDetail.error_no;
02259ff8
CT		 640 request = anErrDetail.request;
641
4d16918e 642 if (anErrDetail.peer_cert.get()) {
de878a55
CT		 643 peer_cert.resetAndLock(anErrDetail.peer_cert.get());
644 }
645
646 if (anErrDetail.broken_cert.get()) {
647 broken_cert.resetAndLock(anErrDetail.broken_cert.get());
4d16918e 648 }
02259ff8
CT		 649
650 detailEntry = anErrDetail.detailEntry;
8e9bae99
CT		 651
652 lib_error_no = anErrDetail.lib_error_no;
4d16918e 653}
f53969cc 654
Mirror of https://github.com/squid-cache/squid.git