return matchDomainName(server, cn[0] == '*' ? cn + 1 : cn);
}
+bool Ssl::checkX509ServerValidity(X509 *cert, const char *server)
+{
+ return matchX509CommonNames(cert, (void *)server, check_domain);
+}
+
/// \ingroup ServerProtocolSSLInternal
static int
ssl_verify_cb(int ok, X509_STORE_CTX * ctx)
const char *server = (const char *)SSL_get_ex_data(ssl, ssl_ex_index_server);
void *dont_verify_domain = SSL_CTX_get_ex_data(sslctx, ssl_ctx_ex_index_dont_verify_domain);
ACLChecklist *check = (ACLChecklist*)SSL_get_ex_data(ssl, ssl_ex_index_cert_error_check);
+ X509 *peeked_cert = (X509 *)SSL_get_ex_data(ssl, ssl_ex_index_ssl_peeked_cert);
X509 *peer_cert = ctx->cert;
X509_NAME_oneline(X509_get_subject_name(peer_cert), buffer,
debugs(83, 5, "SSL Certificate signature OK: " << buffer);
if (server) {
- int found = Ssl::matchX509CommonNames(peer_cert, (void *)server, check_domain);
-
- if (!found) {
+ if (!Ssl::checkX509ServerValidity(peer_cert, server)) {
debugs(83, 2, "SQUID_X509_V_ERR_DOMAIN_MISMATCH: Certificate " << buffer << " does not match domainname " << server);
ok = 0;
error_no = SQUID_X509_V_ERR_DOMAIN_MISMATCH;
}
}
+ if (ok && peeked_cert) {
+ /*Check if the already peeked certificate match the new one*/
+ if (X509_cmp(peer_cert, peeked_cert) != 0) {
+ debugs(83, 2, "SQUID_X509_V_ERR_CERT_CHANGE: Certificate " << buffer << " does not match peeked certificate");
+ ok = 0;
+ error_no = SQUID_X509_V_ERR_CERT_CHANGE;
+ }
+ }
+
if (!ok) {
+ Ssl::Errors *errNoList = static_cast<Ssl::Errors *>(SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_sslerrno));
+ if (!errNoList) {
+ errNoList = new Ssl::Errors(error_no);
+ if (!SSL_set_ex_data(ssl, ssl_ex_index_ssl_error_sslerrno, (void *)errNoList)) {
+ debugs(83, 2, "Failed to set ssl error_no in ssl_verify_cb: Certificate " << buffer);
+ delete errNoList;
+ errNoList = NULL;
+ }
+ }
+ else // Append the err no to the SSL errors lists.
+ errNoList->push_back_unique(error_no);
+
if (const char *err_descr = Ssl::GetErrorDescr(error_no))
debugs(83, 5, err_descr << ": " << buffer);
else
debugs(83, DBG_IMPORTANT, "SSL unknown certificate error " << error_no << " in " << buffer);
if (check) {
- Filled(check)->ssl_error = error_no;
+ ACLFilledChecklist *filledCheck = Filled(check);
+ assert(filledCheck->sslErrorList == NULL);
+ filledCheck->sslErrorList = new Ssl::Errors(error_no);
if (check->fastCheck() == ACCESS_ALLOWED) {
debugs(83, 3, "bypassing SSL error " << error_no << " in " << buffer);
ok = 1;
} else {
debugs(83, 5, "confirming SSL error " << error_no);
}
+ // Delete the ssl error list
+ delete filledCheck->sslErrorList;
+ filledCheck->sslErrorList = NULL;
}
}
}
Ssl::ErrorDetail *errDetail =
- new Ssl::ErrorDetail(error_no, broken_cert);
+ new Ssl::ErrorDetail(error_no, peer_cert, broken_cert);
if (!SSL_set_ex_data(ssl, ssl_ex_index_ssl_error_detail, errDetail)) {
debugs(83, 2, "Failed to set Ssl::ErrorDetail in ssl_verify_cb: Certificate " << buffer);
delete errDetail;
}
+static void
+ssl_free_SslErrNoList(void *, void *ptr, CRYPTO_EX_DATA *,
+ int, long, void *)
+{
+ Ssl::Errors *errNo = static_cast <Ssl::Errors *>(ptr);
+ delete errNo;
+}
+
+// "free" function for X509 certificates
+static void
+ssl_free_X509(void *, void *ptr, CRYPTO_EX_DATA *,
+ int, long, void *)
+{
+ X509 *cert = static_cast <X509 *>(ptr);
+ X509_free(cert);
+}
+
/// \ingroup ServerProtocolSSLInternal
static void
ssl_initialize(void)
ssl_ctx_ex_index_dont_verify_domain = SSL_CTX_get_ex_new_index(0, (void *) "dont_verify_domain", NULL, NULL, NULL);
ssl_ex_index_cert_error_check = SSL_get_ex_new_index(0, (void *) "cert_error_check", NULL, &ssl_dupAclChecklist, &ssl_freeAclChecklist);
ssl_ex_index_ssl_error_detail = SSL_get_ex_new_index(0, (void *) "ssl_error_detail", NULL, NULL, &ssl_free_ErrorDetail);
+ ssl_ex_index_ssl_peeked_cert = SSL_get_ex_new_index(0, (void *) "ssl_peeked_cert", NULL, NULL, &ssl_free_X509);
+ ssl_ex_index_ssl_error_sslerrno = SSL_get_ex_new_index(0, (void *) "ssl_error_sslerrno", NULL, NULL, &ssl_free_SslErrNoList);
}
/// \ingroup ServerProtocolSSLInternal
return createSSLContext(cert, pkey);
}
-SSL_CTX * Ssl::generateSslContext(char const *host, Ssl::X509_Pointer const & signedX509, Ssl::EVP_PKEY_Pointer const & signedPkey)
+SSL_CTX * Ssl::generateSslContext(CertificateProperties const &properties)
{
Ssl::X509_Pointer cert;
Ssl::EVP_PKEY_Pointer pkey;
- if (!generateSslCertificateAndPrivateKey(host, signedX509, signedPkey, cert, pkey, NULL)) {
+ if (!generateSslCertificate(cert, pkey, properties))
return NULL;
- }
+
if (!cert)
return NULL;
return createSSLContext(cert, pkey);
}
-bool Ssl::verifySslCertificateDate(SSL_CTX * sslContext)
+bool Ssl::verifySslCertificate(SSL_CTX * sslContext, CertificateProperties const &properties)
{
// Temporary ssl for getting X509 certificate from SSL_CTX.
Ssl::SSL_Pointer ssl(SSL_new(sslContext));
ASN1_TIME * time_notBefore = X509_get_notBefore(cert);
ASN1_TIME * time_notAfter = X509_get_notAfter(cert);
bool ret = (X509_cmp_current_time(time_notBefore) < 0 && X509_cmp_current_time(time_notAfter) > 0);
- return ret;
+ if (!ret)
+ return false;
+
+ return certificateMatchesProperties(cert, properties);
}
bool
}
}
+static const char *getSubjectEntry(X509 *x509, int nid)
+{
+ static char name[1024] = ""; // stores common name (CN)
+
+ if (!x509)
+ return NULL;
+
+ // TODO: What if the entry is a UTF8String? See X509_NAME_get_index_by_NID(3ssl).
+ const int nameLen = X509_NAME_get_text_by_NID(
+ X509_get_subject_name(x509),
+ nid, name, sizeof(name));
+
+ if (nameLen > 0)
+ return name;
+
+ return NULL;
+}
+
+const char *Ssl::CommonHostName(X509 *x509)
+{
+ return getSubjectEntry(x509, NID_commonName);
+}
+
+static const char *getOrganization(X509 *x509)
+{
+ return getSubjectEntry(x509, NID_organizationName);
+}
+
+bool Ssl::generateUntrustedCert(X509_Pointer &untrustedCert, EVP_PKEY_Pointer &untrustedPkey, X509_Pointer const &cert, EVP_PKEY_Pointer const & pkey)
+{
+ // Generate the self-signed certificate, using a hard-coded subject prefix
+ Ssl::CertificateProperties certProperties;
+ if (const char *cn = CommonHostName(cert.get())) {
+ certProperties.commonName = "Not trusted by \"";
+ certProperties.commonName += cn;
+ certProperties.commonName += "\"";
+ }
+ else if (const char *org = getOrganization(cert.get())) {
+ certProperties.commonName = "Not trusted by \"";
+ certProperties.commonName += org;
+ certProperties.commonName += "\"";
+ }
+ else
+ certProperties.commonName = "Not trusted";
+ certProperties.setCommonName = true;
+ // O, OU, and other CA subject fields will be mimicked
+ // Expiration date and other common properties will be mimicked
+ certProperties.signAlgorithm = Ssl::algSignSelf;
+ certProperties.signWithPkey.resetAndLock(pkey.get());
+ certProperties.mimicCert.resetAndLock(cert.get());
+ return Ssl::generateSslCertificate(untrustedCert, untrustedPkey, certProperties);
+}
+
#endif /* USE_SSL */