[thirdparty/squid.git] / src / security / cert_generators / file / security_file_certgen.cc

/*
 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

#include "squid.h"
#include "base/TextException.h"
#include "debug/Stream.h"
#include "helper/protocol_defines.h"
#include "sbuf/Stream.h"
#include "security/cert_generators/file/certificate_db.h"
#include "ssl/crtd_message.h"
#include "time/gadgets.h"

#include <cstring>
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>
#if HAVE_GETOPT_H
#include <getopt.h>
#endif

/**
 \defgroup ssl_crtd security_file_certgen
 \ingroup ExternalPrograms
 \par
    Because the standard generation of SSL certificates for
    sslBump feature, Squid must use external process to
    actually make these calls. This process generate new ssl
    certificates and worked with ssl certificates disk cache.
    Typically there will be five certificate generator processes
    spawned from Squid. Communication occurs via TCP sockets
    bound to the loopback interface. The class in helper.h are
    primally concerned with starting and stopping the helpers.
    Reading and writing to and from the helpers occurs in the
    \link IPCacheAPI IP\endlink and the dnsservers occurs in
    the \link IPCacheAPI IP\endlink and \link FQDNCacheAPI
    FQDN\endlink cache modules.

 \section ssl_crtdInterface Command Line Interface
 \verbatim
usage: security_file_certgen -hv -s directory -M size -b fs_block_size
    -h                   Help
    -v                   Version
    -s directory         Directory path of SSL storage database.
    -M size              Maximum size of SSL certificate disk storage.
    -b fs_block_size     File system block size in bytes. Need for processing
                         natural size of certificate on disk. Default value is
                         2048 bytes.

    After running write requests in the next format:
    <request code><whitespace><body_len><whitespace><body>
    There are two kind of request now:
    new_certificate 14 host=host.dom
        Create new private key and selfsigned certificate for "host.dom".

    new_certificate xxx host=host.dom
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
        Create new private key and certificate request for "host.dom".
        Sign new request by received certificate and private key.

usage: security_file_certgen -c -s ssl_store_path\n
    -c                   Init ssl db directories and exit.

 \endverbatim
 */

static const char *const B_KBYTES_STR = "KB";
static const char *const B_MBYTES_STR = "MB";
static const char *const B_GBYTES_STR = "GB";
static const char *const B_BYTES_STR = "B";

/**
 * Parse bytes unit. It would be one of the next value: MB, GB, KB or B.
 * This function is caseinsensitive.
 */
static size_t parseBytesUnits(const char * unit)
{
    if (!strncasecmp(unit, B_BYTES_STR, strlen(B_BYTES_STR)) ||
            !strncasecmp(unit, "", strlen(unit)))
        return 1;

    if (!strncasecmp(unit, B_KBYTES_STR, strlen(B_KBYTES_STR)))
        return 1 << 10;

    if (!strncasecmp(unit, B_MBYTES_STR, strlen(B_MBYTES_STR)))
        return 1 << 20;

    if (!strncasecmp(unit, B_GBYTES_STR, strlen(B_GBYTES_STR)))
        return 1 << 30;

    throw TextException(ToSBuf("Unknown bytes unit: ", unit), Here());
}

/// Parse the number of bytes given as <integer><unit> value (e.g., 4MB).
/// \param name the name of the option being parsed
static size_t
parseBytesOptionValue(const char * const name, const char * const value)
{
    // Find number from string beginning.
    char const * number_begin = value;
    char const * number_end = value;

    while ((*number_end >= '0' && *number_end <= '9')) {
        ++number_end;
    }

    if (number_end <= number_begin)
        throw TextException(ToSBuf("expecting a decimal number at the beginning of ", name, " value but got: ", value), Here());

    std::string number(number_begin, number_end - number_begin);
    std::istringstream in(number);
    size_t base = 0;
    if (!(in >> base) || !in.eof())
        throw TextException(ToSBuf("unsupported integer part of ", name, " value: ", number), Here());

    const auto multiplier = parseBytesUnits(number_end);
    static_assert(std::is_unsigned<decltype(multiplier * base)>::value, "no signed overflows");
    const auto product = multiplier * base;
    if (base && multiplier != product / base)
        throw TextException(ToSBuf(name, " size too large: ", value), Here());

    return product;
}

/// Print help using response code.
static void usage()
{
    std::string example_host_name = "host.dom";
    std::string request_string = Ssl::CrtdMessage::param_host + "=" + example_host_name;
    std::stringstream request_string_size_stream;
    request_string_size_stream << request_string.length();
    std::string help_string =
        "usage: security_file_certgen -hv -s directory -M size -b fs_block_size\n"
        "\t-h                   Help\n"
        "\t-v                   Version\n"
        "\t-s directory         Directory path of SSL storage database.\n"
        "\t-M size              Maximum size of SSL certificate disk storage.\n"
        "\t-b fs_block_size     File system block size in bytes. Need for processing\n"
        "\t                     natural size of certificate on disk. Default value is\n"
        "\t                     2048 bytes.\n"
        "\n"
        "After running write requests in the next format:\n"
        "<request code><whitespace><body_len><whitespace><body>\n"
        "There are two kind of request now:\n"
        + Ssl::CrtdMessage::code_new_certificate + " " + request_string_size_stream.str() + " " + request_string + "\n" +
        "\tCreate new private key and selfsigned certificate for \"host.dom\".\n"
        + Ssl::CrtdMessage::code_new_certificate + " xxx " + request_string + "\n" +
        "-----BEGIN CERTIFICATE-----\n"
        "...\n"
        "-----END CERTIFICATE-----\n"
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "...\n"
        "-----END RSA PRIVATE KEY-----\n"
        "\tCreate new private key and certificate request for \"host.dom\"\n"
        "\tSign new request by received certificate and private key.\n"
        "usage: security_file_certgen -c -s ssl_store_path\n"
        "\t-c                   Init ssl db directories and exit.\n";
    std::cerr << help_string << std::endl;
}

/// Process new request message.
static bool processNewRequest(Ssl::CrtdMessage & request_message, std::string const & db_path, size_t max_db_size, size_t fs_block_size)
{
    Ssl::CertificateProperties certProperties;
    request_message.parseRequest(certProperties);

    // TODO: create a DB object only once, instead re-allocating here on every call.
    std::unique_ptr<Ssl::CertificateDb> db;
    if (!db_path.empty())
        db.reset(new Ssl::CertificateDb(db_path, max_db_size, fs_block_size));

    Security::CertPointer cert;
    Security::PrivateKeyPointer pkey;
    Security::CertPointer orig;
    std::string &certKey = Ssl::OnDiskCertificateDbKey(certProperties);

    bool dbFailed = false;
    try {
        if (db)
            db->find(certKey, certProperties.mimicCert, cert, pkey);

    } catch (...) {
        dbFailed = true;
        debugs(83, DBG_IMPORTANT, "ERROR: Database search failure: " << CurrentException <<
               Debug::Extra << "database location: " << db_path);
    }

    if (!cert || !pkey) {
        if (!Ssl::generateSslCertificate(cert, pkey, certProperties))
            throw TextException("Cannot create ssl certificate or private key.", Here());

        try {
            /* XXX: this !dbFailed condition prevents the helper fixing DB issues
               by adding cleanly generated certs. Which is not consistent with other
               data caches used by Squid - they purge broken entries and allow clean
               entries to later try and fix the issue.
               We leave it in place now only to avoid breaking existing installations
               behaviour with version 1.x of the helper.

               TODO: remove the !dbFailed condition when fixing the CertificateDb
                    object lifecycle and formally altering the helper behaviour.
            */
            if (!dbFailed && db && !db->addCertAndPrivateKey(certKey, cert, pkey, certProperties.mimicCert))
                throw TextException("Cannot add certificate to db.", Here());

        } catch (...) {
            dbFailed = true;
            debugs(83, DBG_IMPORTANT, "ERROR: Database update failure: " << CurrentException <<
                   Debug::Extra << "database location: " << db_path);
        }
    }

    std::string bufferToWrite;
    if (!Ssl::writeCertAndPrivateKeyToMemory(cert, pkey, bufferToWrite))
        throw TextException("Cannot write ssl certificate or/and private key to memory.", Here());

    Ssl::CrtdMessage response_message(Ssl::CrtdMessage::REPLY);
    response_message.setCode("OK");
    response_message.setBody(bufferToWrite);

    // Use the '\1' char as end-of-message character
    std::cout << response_message.compose() << '\1' << std::flush;

    return true;
}

/// This is the external security_file_certgen process.
int main(int argc, char *argv[])
{
    try {
        Debug::NameThisHelper("sslcrtd_program");

        size_t max_db_size = 0;
        size_t fs_block_size = 0;
        int8_t c;
        bool create_new_db = false;
        std::string db_path;
        // process options.
        while ((c = getopt(argc, argv, "dchvs:M:b:")) != -1) {
            switch (c) {
            case 'd':
                debug_enabled = 1;
                break;
            case 'b':
                fs_block_size = parseBytesOptionValue("-b", optarg);
                break;
            case 's':
                db_path = optarg;
                break;
            case 'M':
                // use of -M without -s is probably an admin mistake, so make it an error
                if (db_path.empty()) {
                    throw TextException("Error -M option requires an -s parameter be set first.", Here());
                }
                max_db_size = parseBytesOptionValue("-M", optarg);
                break;
            case 'v':
                std::cout << "security_file_certgen version " << VERSION << std::endl;
                exit(EXIT_SUCCESS);
                break;
            case 'c':
                create_new_db = true;
                break;
            case 'h':
                usage();
                exit(EXIT_SUCCESS);
            default:
                exit(EXIT_FAILURE);
            }
        }

        // when -s is used, -M is required
        if (!db_path.empty() && max_db_size == 0)
            throw TextException("security_file_certgen -s requires an -M parameter", Here());

        if (create_new_db) {
            // when -c is used, -s is required (implying also -M, which is checked above)
            if (db_path.empty())
                throw TextException("security_file_certgen is missing the required parameter. There should be -s and -M parameters when -c is used.", Here());

            std::cout << "Initialization SSL db..." << std::endl;
            Ssl::CertificateDb::Create(db_path);
            std::cout << "Done" << std::endl;
            exit(EXIT_SUCCESS);
        }

        // only do filesystem checks when a path (-s) is given
        if (!db_path.empty()) {
            if (fs_block_size == 0) {
                struct statvfs sfs;

                if (xstatvfs(db_path.c_str(), &sfs)) {
                    fs_block_size = 2048;
                } else {
                    fs_block_size = sfs.f_frsize;
                    // Sanity check; make sure we have a meaningful value.
                    if (fs_block_size < 512)
                        fs_block_size = 2048;
                }
            }
            Ssl::CertificateDb::Check(db_path, max_db_size, fs_block_size);
        }

        // Initialize SSL subsystem
        SQUID_OPENSSL_init_ssl();
        // process request.
        for (;;) {
            char request[HELPER_INPUT_BUFFER];
            Ssl::CrtdMessage request_message(Ssl::CrtdMessage::REQUEST);
            Ssl::CrtdMessage::ParseResult parse_result = Ssl::CrtdMessage::INCOMPLETE;

            while (parse_result == Ssl::CrtdMessage::INCOMPLETE) {
                if (fgets(request, HELPER_INPUT_BUFFER, stdin) == nullptr)
                    exit(EXIT_FAILURE);
                size_t gcount = strlen(request);
                parse_result = request_message.parse(request, gcount);
            }

            if (parse_result == Ssl::CrtdMessage::ERROR) {
                throw TextException("Cannot parse request message.", Here());
            } else if (request_message.getCode() == Ssl::CrtdMessage::code_new_certificate) {
                processNewRequest(request_message, db_path, max_db_size, fs_block_size);
            } else {
                throw TextException(ToSBuf("Unknown request code: \"", request_message.getCode(), "\"."), Here());
            }
            std::cout.flush();
        }
    } catch (...) {
        debugs(83, DBG_CRITICAL, "FATAL: Cannot generate certificates: " << CurrentException);
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS;
}
Commit	Line	Data
	1	/*
	2	* Copyright (C) 1996-2025 The Squid Software Foundation and contributors
	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
	9	#include "squid.h"
	10	#include "base/TextException.h"
	11	#include "debug/Stream.h"
	12	#include "helper/protocol_defines.h"
	13	#include "sbuf/Stream.h"
	14	#include "security/cert_generators/file/certificate_db.h"
	15	#include "ssl/crtd_message.h"
	16	#include "time/gadgets.h"
	17
	18	#include <cstring>
	19	#include <iostream>
	20	#include <sstream>
	21	#include <stdexcept>
	22	#include <string>
	23	#if HAVE_GETOPT_H
	24	#include <getopt.h>
	25	#endif
	26
	27	/**
	28	\defgroup ssl_crtd security_file_certgen
	29	\ingroup ExternalPrograms
	30	\par
	31	Because the standard generation of SSL certificates for
	32	sslBump feature, Squid must use external process to
	33	actually make these calls. This process generate new ssl
	34	certificates and worked with ssl certificates disk cache.
	35	Typically there will be five certificate generator processes
	36	spawned from Squid. Communication occurs via TCP sockets
	37	bound to the loopback interface. The class in helper.h are
	38	primally concerned with starting and stopping the helpers.
	39	Reading and writing to and from the helpers occurs in the
	40	\link IPCacheAPI IP\endlink and the dnsservers occurs in
	41	the \link IPCacheAPI IP\endlink and \link FQDNCacheAPI
	42	FQDN\endlink cache modules.
	43
	44	\section ssl_crtdInterface Command Line Interface
	45	\verbatim
	46	usage: security_file_certgen -hv -s directory -M size -b fs_block_size
	47	-h Help
	48	-v Version
	49	-s directory Directory path of SSL storage database.
	50	-M size Maximum size of SSL certificate disk storage.
	51	-b fs_block_size File system block size in bytes. Need for processing
	52	natural size of certificate on disk. Default value is
	53	2048 bytes.
	54
	55	After running write requests in the next format:
	56	<request code><whitespace><body_len><whitespace><body>
	57	There are two kind of request now:
	58	new_certificate 14 host=host.dom
	59	Create new private key and selfsigned certificate for "host.dom".
	60
	61	new_certificate xxx host=host.dom
	62	-----BEGIN CERTIFICATE-----
	63	...
	64	-----END CERTIFICATE-----
	65	-----BEGIN RSA PRIVATE KEY-----
	66	...
	67	-----END RSA PRIVATE KEY-----
	68	Create new private key and certificate request for "host.dom".
	69	Sign new request by received certificate and private key.
	70
	71	usage: security_file_certgen -c -s ssl_store_path\n
	72	-c Init ssl db directories and exit.
	73
	74	\endverbatim
	75	*/
	76
	77	static const char *const B_KBYTES_STR = "KB";
	78	static const char *const B_MBYTES_STR = "MB";
	79	static const char *const B_GBYTES_STR = "GB";
	80	static const char *const B_BYTES_STR = "B";
	81
	82	/**
	83	* Parse bytes unit. It would be one of the next value: MB, GB, KB or B.
	84	* This function is caseinsensitive.
	85	*/
	86	static size_t parseBytesUnits(const char * unit)
	87	{
	88	if (!strncasecmp(unit, B_BYTES_STR, strlen(B_BYTES_STR)) \|\|
	89	!strncasecmp(unit, "", strlen(unit)))
	90	return 1;
	91
	92	if (!strncasecmp(unit, B_KBYTES_STR, strlen(B_KBYTES_STR)))
	93	return 1 << 10;
	94
	95	if (!strncasecmp(unit, B_MBYTES_STR, strlen(B_MBYTES_STR)))
	96	return 1 << 20;
	97
	98	if (!strncasecmp(unit, B_GBYTES_STR, strlen(B_GBYTES_STR)))
	99	return 1 << 30;
	100
	101	throw TextException(ToSBuf("Unknown bytes unit: ", unit), Here());
	102	}
	103
	104	/// Parse the number of bytes given as <integer><unit> value (e.g., 4MB).
	105	/// \param name the name of the option being parsed
	106	static size_t
	107	parseBytesOptionValue(const char * const name, const char * const value)
	108	{
	109	// Find number from string beginning.
	110	char const * number_begin = value;
	111	char const * number_end = value;
	112
	113	while ((number_end >= '0' && number_end <= '9')) {
	114	++number_end;
	115	}
	116
	117	if (number_end <= number_begin)
	118	throw TextException(ToSBuf("expecting a decimal number at the beginning of ", name, " value but got: ", value), Here());
	119
	120	std::string number(number_begin, number_end - number_begin);
	121	std::istringstream in(number);
	122	size_t base = 0;
	123	if (!(in >> base) \|\| !in.eof())
	124	throw TextException(ToSBuf("unsupported integer part of ", name, " value: ", number), Here());
	125
	126	const auto multiplier = parseBytesUnits(number_end);
	127	static_assert(std::is_unsigned<decltype(multiplier * base)>::value, "no signed overflows");
	128	const auto product = multiplier * base;
	129	if (base && multiplier != product / base)
	130	throw TextException(ToSBuf(name, " size too large: ", value), Here());
	131
	132	return product;
	133	}
	134
	135	/// Print help using response code.
	136	static void usage()
	137	{
	138	std::string example_host_name = "host.dom";
	139	std::string request_string = Ssl::CrtdMessage::param_host + "=" + example_host_name;
	140	std::stringstream request_string_size_stream;
	141	request_string_size_stream << request_string.length();
	142	std::string help_string =
	143	"usage: security_file_certgen -hv -s directory -M size -b fs_block_size\n"
	144	"\t-h Help\n"
	145	"\t-v Version\n"
	146	"\t-s directory Directory path of SSL storage database.\n"
	147	"\t-M size Maximum size of SSL certificate disk storage.\n"
	148	"\t-b fs_block_size File system block size in bytes. Need for processing\n"
	149	"\t natural size of certificate on disk. Default value is\n"
	150	"\t 2048 bytes.\n"
	151	"\n"
	152	"After running write requests in the next format:\n"
	153	"<request code><whitespace><body_len><whitespace><body>\n"
	154	"There are two kind of request now:\n"
	155	+ Ssl::CrtdMessage::code_new_certificate + " " + request_string_size_stream.str() + " " + request_string + "\n" +
	156	"\tCreate new private key and selfsigned certificate for \"host.dom\".\n"
	157	+ Ssl::CrtdMessage::code_new_certificate + " xxx " + request_string + "\n" +
	158	"-----BEGIN CERTIFICATE-----\n"
	159	"...\n"
	160	"-----END CERTIFICATE-----\n"
	161	"-----BEGIN RSA PRIVATE KEY-----\n"
	162	"...\n"
	163	"-----END RSA PRIVATE KEY-----\n"
	164	"\tCreate new private key and certificate request for \"host.dom\"\n"
	165	"\tSign new request by received certificate and private key.\n"
	166	"usage: security_file_certgen -c -s ssl_store_path\n"
	167	"\t-c Init ssl db directories and exit.\n";
	168	std::cerr << help_string << std::endl;
	169	}
	170
	171	/// Process new request message.
	172	static bool processNewRequest(Ssl::CrtdMessage & request_message, std::string const & db_path, size_t max_db_size, size_t fs_block_size)
	173	{
	174	Ssl::CertificateProperties certProperties;
	175	request_message.parseRequest(certProperties);
	176
	177	// TODO: create a DB object only once, instead re-allocating here on every call.
	178	std::unique_ptr<Ssl::CertificateDb> db;
	179	if (!db_path.empty())
	180	db.reset(new Ssl::CertificateDb(db_path, max_db_size, fs_block_size));
	181
	182	Security::CertPointer cert;
	183	Security::PrivateKeyPointer pkey;
	184	Security::CertPointer orig;
	185	std::string &certKey = Ssl::OnDiskCertificateDbKey(certProperties);
	186
	187	bool dbFailed = false;
	188	try {
	189	if (db)
	190	db->find(certKey, certProperties.mimicCert, cert, pkey);
	191
	192	} catch (...) {
	193	dbFailed = true;
	194	debugs(83, DBG_IMPORTANT, "ERROR: Database search failure: " << CurrentException <<
	195	Debug::Extra << "database location: " << db_path);
	196	}
	197
	198	if (!cert \|\| !pkey) {
	199	if (!Ssl::generateSslCertificate(cert, pkey, certProperties))
	200	throw TextException("Cannot create ssl certificate or private key.", Here());
	201
	202	try {
	203	/* XXX: this !dbFailed condition prevents the helper fixing DB issues
	204	by adding cleanly generated certs. Which is not consistent with other
	205	data caches used by Squid - they purge broken entries and allow clean
	206	entries to later try and fix the issue.
	207	We leave it in place now only to avoid breaking existing installations
	208	behaviour with version 1.x of the helper.
	209
	210	TODO: remove the !dbFailed condition when fixing the CertificateDb
	211	object lifecycle and formally altering the helper behaviour.
	212	*/
	213	if (!dbFailed && db && !db->addCertAndPrivateKey(certKey, cert, pkey, certProperties.mimicCert))
	214	throw TextException("Cannot add certificate to db.", Here());
	215
	216	} catch (...) {
	217	dbFailed = true;
	218	debugs(83, DBG_IMPORTANT, "ERROR: Database update failure: " << CurrentException <<
	219	Debug::Extra << "database location: " << db_path);
	220	}
	221	}
	222
	223	std::string bufferToWrite;
	224	if (!Ssl::writeCertAndPrivateKeyToMemory(cert, pkey, bufferToWrite))
	225	throw TextException("Cannot write ssl certificate or/and private key to memory.", Here());
	226
	227	Ssl::CrtdMessage response_message(Ssl::CrtdMessage::REPLY);
	228	response_message.setCode("OK");
	229	response_message.setBody(bufferToWrite);
	230
	231	// Use the '\1' char as end-of-message character
	232	std::cout << response_message.compose() << '\1' << std::flush;
	233
	234	return true;
	235	}
	236
	237	/// This is the external security_file_certgen process.
	238	int main(int argc, char *argv[])
	239	{
	240	try {
	241	Debug::NameThisHelper("sslcrtd_program");
	242
	243	size_t max_db_size = 0;
	244	size_t fs_block_size = 0;
	245	int8_t c;
	246	bool create_new_db = false;
	247	std::string db_path;
	248	// process options.
	249	while ((c = getopt(argc, argv, "dchvs:M:b:")) != -1) {
	250	switch (c) {
	251	case 'd':
	252	debug_enabled = 1;
	253	break;
	254	case 'b':
	255	fs_block_size = parseBytesOptionValue("-b", optarg);
	256	break;
	257	case 's':
	258	db_path = optarg;
	259	break;
	260	case 'M':
	261	// use of -M without -s is probably an admin mistake, so make it an error
	262	if (db_path.empty()) {
	263	throw TextException("Error -M option requires an -s parameter be set first.", Here());
	264	}
	265	max_db_size = parseBytesOptionValue("-M", optarg);
	266	break;
	267	case 'v':
	268	std::cout << "security_file_certgen version " << VERSION << std::endl;
	269	exit(EXIT_SUCCESS);
	270	break;
	271	case 'c':
	272	create_new_db = true;
	273	break;
	274	case 'h':
	275	usage();
	276	exit(EXIT_SUCCESS);
	277	default:
	278	exit(EXIT_FAILURE);
	279	}
	280	}
	281
	282	// when -s is used, -M is required
	283	if (!db_path.empty() && max_db_size == 0)
	284	throw TextException("security_file_certgen -s requires an -M parameter", Here());
	285
	286	if (create_new_db) {
	287	// when -c is used, -s is required (implying also -M, which is checked above)
	288	if (db_path.empty())
	289	throw TextException("security_file_certgen is missing the required parameter. There should be -s and -M parameters when -c is used.", Here());
	290
	291	std::cout << "Initialization SSL db..." << std::endl;
	292	Ssl::CertificateDb::Create(db_path);
	293	std::cout << "Done" << std::endl;
	294	exit(EXIT_SUCCESS);
	295	}
	296
	297	// only do filesystem checks when a path (-s) is given
	298	if (!db_path.empty()) {
	299	if (fs_block_size == 0) {
	300	struct statvfs sfs;
	301
	302	if (xstatvfs(db_path.c_str(), &sfs)) {
	303	fs_block_size = 2048;
	304	} else {
	305	fs_block_size = sfs.f_frsize;
	306	// Sanity check; make sure we have a meaningful value.
	307	if (fs_block_size < 512)
	308	fs_block_size = 2048;
	309	}
	310	}
	311	Ssl::CertificateDb::Check(db_path, max_db_size, fs_block_size);
	312	}
	313
	314	// Initialize SSL subsystem
	315	SQUID_OPENSSL_init_ssl();
	316	// process request.
	317	for (;;) {
	318	char request[HELPER_INPUT_BUFFER];
	319	Ssl::CrtdMessage request_message(Ssl::CrtdMessage::REQUEST);
	320	Ssl::CrtdMessage::ParseResult parse_result = Ssl::CrtdMessage::INCOMPLETE;
	321
	322	while (parse_result == Ssl::CrtdMessage::INCOMPLETE) {
	323	if (fgets(request, HELPER_INPUT_BUFFER, stdin) == nullptr)
	324	exit(EXIT_FAILURE);
	325	size_t gcount = strlen(request);
	326	parse_result = request_message.parse(request, gcount);
	327	}
	328
	329	if (parse_result == Ssl::CrtdMessage::ERROR) {
	330	throw TextException("Cannot parse request message.", Here());
	331	} else if (request_message.getCode() == Ssl::CrtdMessage::code_new_certificate) {
	332	processNewRequest(request_message, db_path, max_db_size, fs_block_size);
	333	} else {
	334	throw TextException(ToSBuf("Unknown request code: \"", request_message.getCode(), "\"."), Here());
	335	}
	336	std::cout.flush();
	337	}
	338	} catch (...) {
	339	debugs(83, DBG_CRITICAL, "FATAL: Cannot generate certificates: " << CurrentException);
	340	return EXIT_FAILURE;
	341	}
	342	return EXIT_SUCCESS;
	343	}
	344