]> git.ipfire.org Git - thirdparty/squid.git/blob - src/acl/CertificateData.cc
projects / thirdparty / squid.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
SSL server certificate fingerprint ACL type
[thirdparty/squid.git] / src / acl / CertificateData.cc
1 /*
2 * DEBUG: section 28 Access Control
3 * AUTHOR: Duane Wessels
4 *
5 * SQUID Web Proxy Cache http://www.squid-cache.org/
6 * ----------------------------------------------------------
7 *
8 * Squid is the result of efforts by numerous individuals from
9 * the Internet community; see the CONTRIBUTORS file for full
10 * details. Many organizations have provided support for Squid's
11 * development; see the SPONSORS file for full details. Squid is
12 * Copyrighted (C) 2001 by the Regents of the University of
13 * California; see the COPYRIGHT file for full details. Squid
14 * incorporates software developed and/or copyrighted by other
15 * sources; see the CREDITS file for full details.
16 *
17 * This program is free software; you can redistribute it and/or modify
18 * it under the terms of the GNU General Public License as published by
19 * the Free Software Foundation; either version 2 of the License, or
20 * (at your option) any later version.
21 *
22 * This program is distributed in the hope that it will be useful,
23 * but WITHOUT ANY WARRANTY; without even the implied warranty of
24 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25 * GNU General Public License for more details.
26 *
27 * You should have received a copy of the GNU General Public License
28 * along with this program; if not, write to the Free Software
29 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
30 *
31 *
32 * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
33 */
34
35 #include "squid.h"
36 #include "acl/CertificateData.h"
37 #include "acl/Checklist.h"
38 #include "Debug.h"
39 #include "cache_cf.h"
40 #include "wordlist.h"
41
42 ACLCertificateData::ACLCertificateData(Ssl::GETX509ATTRIBUTE *sslStrategy, const char *attrs, bool optionalAttr) : validAttributesStr(attrs), attributeIsOptional(optionalAttr), attribute (NULL), values (), sslAttributeCall (sslStrategy)
43 {
44 if (attrs) {
45 size_t current;
46 size_t next = -1;
47 std::string valid(attrs);
48 do {
49 current = next + 1;
50 next = valid.find_first_of( "|", current);
51 validAttributes.push_back(valid.substr( current, next - current ));
52 } while (next != std::string::npos);
53 }
54 }
55
56 ACLCertificateData::ACLCertificateData(ACLCertificateData const &old) : attribute (NULL), values (old.values), sslAttributeCall (old.sslAttributeCall)
57 {
58 validAttributesStr = old.validAttributesStr;
59 validAttributes.assign (old.validAttributes.begin(), old.validAttributes.end());
60 attributeIsOptional = old.attributeIsOptional;
61 if (old.attribute)
62 attribute = xstrdup (old.attribute);
63 }
64
65 template<class T>
66 inline void
67 xRefFree(T &thing)
68 {
69 xfree (thing);
70 }
71
72 ACLCertificateData::~ACLCertificateData()
73 {
74 safe_free (attribute);
75 }
76
77 template<class T>
78 inline int
79 splaystrcmp (T&l, T&r)
80 {
81 return strcmp ((char *)l,(char *)r);
82 }
83
84 bool
85 ACLCertificateData::match(X509 *cert)
86 {
87 if (!cert)
88 return 0;
89
90 char const *value = sslAttributeCall(cert, attribute);
91 debugs(28, 6, (attribute ? attribute : "value") << "=" << value);
92 if (value == NULL)
93 return 0;
94
95 return values.match(value);
96 }
97
98 static void
99 aclDumpAttributeListWalkee(char * const & node_data, void *outlist)
100 {
101 /* outlist is really a wordlist ** */
102 wordlistAdd((wordlist **)outlist, node_data);
103 }
104
105 wordlist *
106 ACLCertificateData::dump()
107 {
108 wordlist *wl = NULL;
109 if (validAttributesStr)
110 wordlistAdd(&wl, attribute);
111 /* damn this is VERY inefficient for long ACL lists... filling
112 * a wordlist this way costs Sum(1,N) iterations. For instance
113 * a 1000-elements list will be filled in 499500 iterations.
114 */
115 /* XXX FIXME: don't break abstraction */
116 values.values->walk(aclDumpAttributeListWalkee, &wl);
117 return wl;
118 }
119
120 void
121 ACLCertificateData::parse()
122 {
123 if (validAttributesStr) {
124 char *newAttribute = strtokFile();
125
126 if (!newAttribute) {
127 if (attributeIsOptional)
128 return;
129
130 debugs(28, DBG_CRITICAL, "FATAL: required attribute argument missing");
131 self_destruct();
132 }
133
134 // Handle the cases where we have optional -x type attributes
135 if (attributeIsOptional && newAttribute[0] != '-')
136 // The read token is not an attribute/option, so add it to values list
137 values.insert(newAttribute);
138 else {
139 bool valid = false;
140 for (std::list<std::string>::const_iterator it = validAttributes.begin(); it != validAttributes.end(); ++it) {
141 if (*it == "*" || *it == newAttribute) {
142 valid = true;
143 break;
144 }
145 }
146
147 if (!valid) {
148 debugs(28, DBG_CRITICAL, "FATAL: Unknown option. Supported option(s) are: " << validAttributesStr);
149 self_destruct();
150 }
151
152 /* an acl must use consistent attributes in all config lines */
153 if (attribute) {
154 if (strcasecmp(newAttribute, attribute) != 0) {
155 debugs(28, DBG_CRITICAL, "FATAL: An acl must use consistent attributes in all config lines (" << newAttribute << "!=" << attribute << ").");
156 self_destruct();
157 }
158 } else
159 attribute = xstrdup(newAttribute);
160 }
161 }
162
163 values.parse();
164 }
165
166 bool
167 ACLCertificateData::empty() const
168 {
169 return values.empty();
170 }
171
172 ACLData<X509 *> *
173 ACLCertificateData::clone() const
174 {
175 /* Splay trees don't clone yet. */
176 return new ACLCertificateData(*this);
177 }
Mirror of https://github.com/squid-cache/squid.git