]>
Commit | Line | Data |
---|---|---|
bbc27441 | 1 | /* |
ef57eb7b | 2 | * Copyright (C) 1996-2016 The Squid Software Foundation and contributors |
bbc27441 AJ |
3 | * |
4 | * Squid software is distributed under GPLv2+ license and includes | |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
7 | */ | |
8 | ||
a1f04d64 | 9 | #include "squid.h" |
77dce8a5 | 10 | #include "acl/FilledChecklist.h" |
4747ea4c | 11 | #include "globals.h" |
a9b6afe1 | 12 | #include "helper.h" |
a1f04d64 AR |
13 | #include "ssl/cert_validate_message.h" |
14 | #include "ssl/ErrorDetail.h" | |
602d9612 | 15 | #include "ssl/support.h" |
ed6e9fb9 | 16 | #include "util.h" |
a1f04d64 | 17 | |
3a7d782f | 18 | void |
b56756cb | 19 | Ssl::CertValidationMsg::composeRequest(CertValidationRequest const &vcert) |
a1f04d64 AR |
20 | { |
21 | body.clear(); | |
b56756cb | 22 | body += Ssl::CertValidationMsg::param_host + "=" + vcert.domainName; |
4747ea4c CT |
23 | STACK_OF(X509) *peerCerts = static_cast<STACK_OF(X509) *>(SSL_get_ex_data(vcert.ssl, ssl_ex_index_ssl_cert_chain)); |
24 | ||
6e325882 CT |
25 | if (const char *sslVersion = SSL_get_version(vcert.ssl)) |
26 | body += "\n" + Ssl::CertValidationMsg::param_proto_version + "=" + sslVersion; | |
27 | ||
28 | if (const char *cipherName = SSL_CIPHER_get_name(SSL_get_current_cipher(vcert.ssl))) | |
29 | body += "\n" + Ssl::CertValidationMsg::param_cipher + "=" + cipherName; | |
30 | ||
4747ea4c CT |
31 | if (!peerCerts) |
32 | peerCerts = SSL_get_peer_cert_chain(vcert.ssl); | |
33 | ||
14798e73 | 34 | if (peerCerts) { |
a1f04d64 | 35 | Ssl::BIO_Pointer bio(BIO_new(BIO_s_mem())); |
14798e73 CT |
36 | for (int i = 0; i < sk_X509_num(peerCerts); ++i) { |
37 | X509 *cert = sk_X509_value(peerCerts, i); | |
a1f04d64 | 38 | PEM_write_bio_X509(bio.get(), cert); |
62a7607e | 39 | body = body + "\n" + param_cert + xitoa(i) + "="; |
a1f04d64 AR |
40 | char *ptr; |
41 | long len = BIO_get_mem_data(bio.get(), &ptr); | |
62a7607e | 42 | body.append(ptr, (ptr[len-1] == '\n' ? len - 1 : len)); |
a1f04d64 AR |
43 | if (!BIO_reset(bio.get())) { |
44 | // print an error? | |
45 | } | |
46 | } | |
47 | } | |
62a7607e CT |
48 | |
49 | if (vcert.errors) { | |
50 | int i = 0; | |
51 | for (const Ssl::CertErrors *err = vcert.errors; err; err = err->next, ++i) { | |
52 | body +="\n"; | |
53 | body = body + param_error_name + xitoa(i) + "=" + GetErrorName(err->element.code) + "\n"; | |
54 | int errorCertPos = -1; | |
170cb017 | 55 | if (err->element.cert.get()) |
62a7607e CT |
56 | errorCertPos = sk_X509_find(peerCerts, err->element.cert.get()); |
57 | if (errorCertPos < 0) { | |
58 | // assert this error ? | |
59 | debugs(83, 4, "WARNING: wrong cert in cert validator request"); | |
60 | } | |
61 | body += param_error_cert + xitoa(i) + "="; | |
62 | body += param_cert + xitoa((errorCertPos >= 0 ? errorCertPos : 0)); | |
63 | } | |
64 | } | |
a1f04d64 AR |
65 | } |
66 | ||
3a7d782f CT |
67 | static int |
68 | get_error_id(const char *label, size_t len) | |
a1f04d64 AR |
69 | { |
70 | const char *e = label + len -1; | |
71 | while (e != label && xisdigit(*e)) --e; | |
72 | if (e != label) ++e; | |
73 | return strtol(e, 0 , 10); | |
74 | } | |
75 | ||
3a7d782f | 76 | bool |
b56756cb | 77 | Ssl::CertValidationMsg::parseResponse(CertValidationResponse &resp, STACK_OF(X509) *peerCerts, std::string &error) |
a1f04d64 | 78 | { |
3a7d782f | 79 | std::vector<CertItem> certs; |
a1f04d64 AR |
80 | |
81 | const char *param = body.c_str(); | |
22636a68 CT |
82 | while (*param) { |
83 | while (xisspace(*param)) param++; | |
a1f04d64 AR |
84 | if (! *param) |
85 | break; | |
86 | ||
87 | size_t param_len = strcspn(param, "=\r\n"); | |
88 | if (param[param_len] != '=') { | |
4a77bb4e | 89 | debugs(83, DBG_IMPORTANT, "WARNING: cert validator response parse error: " << param); |
a1f04d64 AR |
90 | return false; |
91 | } | |
92 | const char *value=param+param_len+1; | |
93 | ||
22636a68 CT |
94 | if (param_len > param_cert.length() && |
95 | strncmp(param, param_cert.c_str(), param_cert.length()) == 0) { | |
3a7d782f | 96 | CertItem ci; |
22636a68 | 97 | ci.name.assign(param, param_len); |
f97700a0 | 98 | Security::CertPointer x509; |
a1f04d64 AR |
99 | readCertFromMemory(x509, value); |
100 | ci.setCert(x509.get()); | |
101 | certs.push_back(ci); | |
102 | ||
103 | const char *b = strstr(value, "-----END CERTIFICATE-----"); | |
104 | if (b == NULL) { | |
4a77bb4e | 105 | debugs(83, DBG_IMPORTANT, "WARNING: cert Validator response parse error: Failed to find certificate boundary " << value); |
a1f04d64 AR |
106 | return false; |
107 | } | |
108 | b += strlen("-----END CERTIFICATE-----"); | |
109 | param = b + 1; | |
110 | continue; | |
111 | } | |
112 | ||
113 | size_t value_len = strcspn(value, "\r\n"); | |
114 | std::string v(value, value_len); | |
115 | ||
4a77bb4e | 116 | debugs(83, 5, "Returned value: " << std::string(param, param_len).c_str() << ": " << |
a1f04d64 AR |
117 | v.c_str()); |
118 | ||
119 | int errorId = get_error_id(param, param_len); | |
b56756cb | 120 | Ssl::CertValidationResponse::RecvdError ¤tItem = resp.getError(errorId); |
a1f04d64 | 121 | |
22636a68 CT |
122 | if (param_len > param_error_name.length() && |
123 | strncmp(param, param_error_name.c_str(), param_error_name.length()) == 0) { | |
a1f04d64 | 124 | currentItem.error_no = Ssl::GetErrorCode(v.c_str()); |
3a7d782f | 125 | if (currentItem.error_no == SSL_ERROR_NONE) { |
4a77bb4e | 126 | debugs(83, DBG_IMPORTANT, "WARNING: cert validator response parse error: Unknown SSL Error: " << v); |
3a7d782f CT |
127 | return false; |
128 | } | |
22636a68 | 129 | } else if (param_len > param_error_reason.length() && |
a1f04d64 AR |
130 | strncmp(param, param_error_reason.c_str(), param_error_reason.length()) == 0) { |
131 | currentItem.error_reason = v; | |
132 | } else if (param_len > param_error_cert.length() && | |
133 | strncmp(param, param_error_cert.c_str(), param_error_cert.length()) == 0) { | |
134 | ||
3a7d782f | 135 | if (X509 *cert = getCertByName(certs, v)) { |
4a77bb4e | 136 | debugs(83, 6, "The certificate with id \"" << v << "\" found."); |
3a7d782f CT |
137 | currentItem.setCert(cert); |
138 | } else { | |
139 | //In this case we assume that the certID is one of the certificates sent | |
140 | // to cert validator. The certificates sent to cert validator have names in | |
141 | // form "cert_xx" where the "xx" is an integer represents the position of | |
142 | // the certificate inside peer certificates list. | |
b56756cb | 143 | const int certId = get_error_id(v.c_str(), v.length()); |
4a77bb4e | 144 | debugs(83, 6, "Cert index in peer certificates list:" << certId); |
77dce8a5 CT |
145 | //if certId is not correct sk_X509_value returns NULL |
146 | currentItem.setCert(sk_X509_value(peerCerts, certId)); | |
a1f04d64 | 147 | } |
b4e6a8d4 CT |
148 | } else if (param_len > param_error_depth.length() && |
149 | strncmp(param, param_error_depth.c_str(), param_error_depth.length()) == 0 && | |
150 | std::all_of(v.begin(), v.end(), isdigit)) { | |
96e44f2e | 151 | currentItem.error_depth = atoi(v.c_str()); |
3a7d782f | 152 | } else { |
4a77bb4e | 153 | debugs(83, DBG_IMPORTANT, "WARNING: cert validator response parse error: Unknown parameter name " << std::string(param, param_len).c_str()); |
3a7d782f CT |
154 | return false; |
155 | } | |
a1f04d64 AR |
156 | |
157 | param = value + value_len +1; | |
158 | } | |
159 | ||
3a7d782f | 160 | /*Run through parsed errors to check for errors*/ |
bc624572 CT |
161 | typedef Ssl::CertValidationResponse::RecvdErrors::const_iterator SVCRECI; |
162 | for (SVCRECI i = resp.errors.begin(); i != resp.errors.end(); ++i) { | |
46901eed | 163 | if (i->error_no == SSL_ERROR_NONE) { |
bc624572 CT |
164 | debugs(83, DBG_IMPORTANT, "WARNING: cert validator incomplete response: Missing error name from error_id: " << i->id); |
165 | return false; | |
166 | } | |
167 | } | |
a1f04d64 AR |
168 | |
169 | return true; | |
170 | } | |
171 | ||
3a7d782f | 172 | X509 * |
b56756cb | 173 | Ssl::CertValidationMsg::getCertByName(std::vector<CertItem> const &certs, std::string const & name) |
3a7d782f | 174 | { |
6136ab56 CT |
175 | typedef std::vector<CertItem>::const_iterator SVCI; |
176 | for (SVCI ci = certs.begin(); ci != certs.end(); ++ci) { | |
3a7d782f | 177 | if (ci->name.compare(name) == 0) |
4a77bb4e | 178 | return ci->cert.get(); |
3a7d782f CT |
179 | } |
180 | return NULL; | |
181 | } | |
182 | ||
b56756cb CT |
183 | Ssl::CertValidationResponse::RecvdError & |
184 | Ssl::CertValidationResponse::getError(int errorId) | |
3a7d782f | 185 | { |
6136ab56 | 186 | typedef Ssl::CertValidationResponse::RecvdErrors::iterator SVCREI; |
22636a68 | 187 | for (SVCREI i = errors.begin(); i != errors.end(); ++i) { |
3a7d782f CT |
188 | if (i->id == errorId) |
189 | return *i; | |
190 | } | |
b56756cb | 191 | Ssl::CertValidationResponse::RecvdError errItem; |
3a7d782f CT |
192 | errItem.id = errorId; |
193 | errors.push_back(errItem); | |
194 | return errors.back(); | |
195 | } | |
196 | ||
22636a68 CT |
197 | Ssl::CertValidationResponse::RecvdError::RecvdError(const RecvdError &old) |
198 | { | |
bc624572 | 199 | id = old.id; |
a1f04d64 AR |
200 | error_no = old.error_no; |
201 | error_reason = old.error_reason; | |
92862430 | 202 | error_depth = old.error_depth; |
4a77bb4e | 203 | setCert(old.cert.get()); |
a1f04d64 AR |
204 | } |
205 | ||
22636a68 CT |
206 | Ssl::CertValidationResponse::RecvdError & Ssl::CertValidationResponse::RecvdError::operator = (const RecvdError &old) |
207 | { | |
bc624572 | 208 | id = old.id; |
a1f04d64 AR |
209 | error_no = old.error_no; |
210 | error_reason = old.error_reason; | |
92862430 | 211 | error_depth = old.error_depth; |
4a77bb4e | 212 | setCert(old.cert.get()); |
a1f04d64 AR |
213 | return *this; |
214 | } | |
215 | ||
216 | void | |
22636a68 CT |
217 | Ssl::CertValidationResponse::RecvdError::setCert(X509 *aCert) |
218 | { | |
014a9017 | 219 | cert.resetAndLock(aCert); |
a1f04d64 AR |
220 | } |
221 | ||
b56756cb | 222 | Ssl::CertValidationMsg::CertItem::CertItem(const CertItem &old) |
a1f04d64 AR |
223 | { |
224 | name = old.name; | |
4a77bb4e | 225 | setCert(old.cert.get()); |
a1f04d64 AR |
226 | } |
227 | ||
b56756cb | 228 | Ssl::CertValidationMsg::CertItem & Ssl::CertValidationMsg::CertItem::operator = (const CertItem &old) |
a1f04d64 AR |
229 | { |
230 | name = old.name; | |
4a77bb4e | 231 | setCert(old.cert.get()); |
a1f04d64 AR |
232 | return *this; |
233 | } | |
234 | ||
a1f04d64 | 235 | void |
b56756cb | 236 | Ssl::CertValidationMsg::CertItem::setCert(X509 *aCert) |
a1f04d64 | 237 | { |
014a9017 | 238 | cert.resetAndLock(aCert); |
a1f04d64 AR |
239 | } |
240 | ||
b56756cb CT |
241 | const std::string Ssl::CertValidationMsg::code_cert_validate("cert_validate"); |
242 | const std::string Ssl::CertValidationMsg::param_domain("domain"); | |
b56756cb | 243 | const std::string Ssl::CertValidationMsg::param_cert("cert_"); |
22636a68 | 244 | const std::string Ssl::CertValidationMsg::param_error_name("error_name_"); |
b56756cb CT |
245 | const std::string Ssl::CertValidationMsg::param_error_reason("error_reason_"); |
246 | const std::string Ssl::CertValidationMsg::param_error_cert("error_cert_"); | |
b4e6a8d4 | 247 | const std::string Ssl::CertValidationMsg::param_error_depth("error_depth_"); |
6e325882 CT |
248 | const std::string Ssl::CertValidationMsg::param_proto_version("proto_version"); |
249 | const std::string Ssl::CertValidationMsg::param_cipher("cipher"); | |
f53969cc | 250 |