]>
git.ipfire.org Git - thirdparty/squid.git/blob - src/security/cert_validators/fake/security_fake_certverify.pl.in
7 use Crypt
::OpenSSL
::X509
;
9 use POSIX
qw(strftime);
18 security_fake_certverify - A fake cert validation helper for Squid
22 security_fake_certverify [-d | --debug] [-h | --help]
26 Retrieves the SSL certificate error list from Squid and echo back without any change.
38 enable debug messages to stderr
44 This program and documentation was written by
45 I<Christos Tsantilas <chtsanti@users.sourceforge.net>>
49 * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
51 * Squid software is distributed under GPLv2+ license and includes
52 * contributions from numerous individuals and organizations.
53 * Please see the COPYING and CONTRIBUTORS files for details.
55 (C) 2012 The Measurement Factory, Author: Tsantilas Christos
57 This program is free software. You may redistribute copies of it under the
58 terms of the GNU General Public License version 2, or (at your opinion) any
63 Questions on the usage of this program can be sent to the I<Squid Users mailing list <squid-users@lists.squid-cache.org>>
67 Bug reports need to be made in English.
68 See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
70 Report bugs or bug fixes using http://bugs.squid-cache.org/
72 Report serious security bugs to I<Squid Bugs <squid-bugs@lists.squid-cache.org>>
74 Report ideas for new improvements to the I<Squid Developers mailing list <squid-dev@lists.squid-cache.org>>
80 The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
82 The Squid Configuration Manual http://www.squid-cache.org/Doc/config/
91 pod2usage
(1) if ($help);
96 my @line_args = split;
98 if ($first_line =~ /^\s*$/) {
104 my $channelId = $line_args[0];
105 my $code = $line_args[1];
106 my $bodylen = $line_args[2];
107 my $body = $line_args[3] . "\n";
108 if ($channelId !~ /\d+/) {
109 $response = $channelId." BH message=\"This helper is concurrent and requires the concurrency option to be specified.\"\1";
110 } elsif ($bodylen !~ /\d+/) {
111 $response = $channelId." BH message=\"cert validator request syntax error \" \1";
113 my $readlen = length($body);
116 my @responseErrors = ();
118 while($readlen < $bodylen) {
122 $readlen = length($body);
126 print(STDERR logPrefix
()."GOT ". "Code=".$code." $bodylen \n") if ($debug); #.$body;
128 my $sslVersion = "-";
130 parseRequest
($body, \
$hostname, \
$sslVersion, \
$sslCipher, \
%errors, \
%certs);
131 print(STDERR logPrefix
()."Parse result: \n") if ($debug);
132 print(STDERR logPrefix
()."\tFOUND host:".$hostname."\n") if ($debug);
133 print(STDERR logPrefix
()."\tFOUND ssl version:".$sslVersion."\n") if ($debug);
134 print(STDERR logPrefix
()."\tFOUND ssl cipher:".$sslCipher."\n") if ($debug);
135 print(STDERR logPrefix
()."\tFOUND ERRORS:") if ($debug);
136 foreach my $err (keys %errors) {
137 print(STDERR logPrefix
().$errors{$err}{"name"}."/".$errors{$err}{"cert"}." ,") if ($debug);
139 print(STDERR
"\n") if ($debug);
140 foreach my $key (keys %certs) {
141 ## Use "perldoc Crypt::OpenSSL::X509" for X509 available methods.
142 print(STDERR logPrefix
()."\tFOUND cert ".$key.": ".$certs{$key}->subject() . "\n") if ($debug);
145 #got the peer certificate ID. Assume that the peer certificate is the first one.
146 my $peerCertId = (keys %certs)[0];
148 # Echo back the errors: fill the responseErrors array with the errors we read.
149 foreach my $err (keys %errors) {
151 appendError
(\
@responseErrors,
152 $errors{$err}{"name"}, #The error name
153 "Checked by Cert Validator", # An error reason
154 $errors{$err}{"cert"} # The cert ID. We are always filling with the peer certificate.
158 $response = createResponse
(\
@responseErrors);
159 my $len = length($response);
161 $response = $channelId." ERR ".$len." ".$response."\1";
163 $response = $channelId." OK ".$len." ".$response."\1";
168 print(STDERR logPrefix
().">> ".$response."\n") if ($debug);
181 my ($errorArrays) = shift;
182 my($errorName) = shift;
183 my($errorReason) = shift;
184 my($errorCert) = shift;
185 push @
$errorArrays, { "error_name" => $errorName, "error_reason" => $errorReason, "error_cert" => $errorCert};
190 my ($responseErrors) = shift;
193 foreach my $err (@
$responseErrors) {
194 $response=$response."error_name_".$i."=".$err->{"error_name"}."\n".
195 "error_reason_".$i."=".$err->{"error_reason"}."\n".
196 "error_cert_".$i."=".$err->{"error_cert"}."\n";
205 my $hostname = shift;
206 my $sslVersion = shift;
207 my $sslCipher = shift;
210 while ($request !~ /^\s*$/) {
211 $request = trim
($request);
212 if ($request =~ /^host=/) {
213 my($vallen) = index($request, "\n");
214 my $host = substr($request, 5, $vallen - 5);
216 $request =~ s/^host=.*$//m;
218 if ($request =~ s/^proto_version=(.*?)$//m) {
221 if ($request =~ s/^cipher=(.*?)$//m) {
224 if ($request =~ /^cert_(\d+)=/) {
225 my $certId = "cert_".$1;
226 my($vallen) = index($request, "-----END CERTIFICATE-----") + length("-----END CERTIFICATE-----");
227 my $x509 = Crypt
::OpenSSL
::X509
->new_from_string(substr($request, index($request, "-----BEGIN")));
228 $certs->{$certId} = $x509;
229 $request = substr($request, $vallen);
231 elsif ($request =~ /^error_name_(\d+)=(.*)$/m) {
234 $request =~ s/^error_name_\d+=.*$//m;
235 $errors->{$errorId}{"name"} = $errorName;
237 elsif ($request =~ /^error_cert_(\d+)=(.*)$/m) {
240 $request =~ s/^error_cert_\d+=.*$//m;
241 $errors->{$errorId}{"cert"} = $certId;
244 print(STDERR logPrefix
()."ParseError on \"".$request."\"\n") if ($debug);
245 $request = "";# finish processing....
253 return strftime
("%Y/%m/%d %H:%M:%S.0", localtime)." ".$0." ".$$." | " ;