2 * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 /* DEBUG: section 28 Access Control */
12 #include "acl/Checklist.h"
13 #include "acl/DomainData.h"
14 #include "acl/RegexData.h"
15 #include "acl/ServerName.h"
16 #include "client_side.h"
18 #include "HttpRequest.h"
20 #include "SquidString.h"
22 #include "ssl/ServerBump.h"
23 #include "ssl/support.h"
26 // Compare function for tree search algorithms (the splay `find` in
// ACLServerNameData::match() below). `a` is the host name being looked
// up, `b` a stored ACL domain pattern; the ordering result comes from
// matchDomainName().
// NOTE(review): the third matchDomainName() argument is `true`. In Squid
// that flag is the wildcard/subdomain-matching switch (a stored
// ".example.com" then matches its sub-hosts), but the declaration is not
// visible here -- confirm before relying on that reading.
28 aclHostDomainCompare( char *const &a
, char * const &b
)
30 const char *h
= static_cast<const char *>(a
);
31 const char *d
= static_cast<const char *>(b
);
32 debugs(28, 7, "Match:" << h
<< " <> " << d
);
33 return matchDomainName(h
, d
, true);
/// Looks `host` up in the splay tree of configured domain patterns.
/// \param host the server name to test; it is not written here (the
///   const_cast only satisfies the splay container's non-const key type)
/// \return true when find() locates a pattern that aclHostDomainCompare()
///   reports as matching, false otherwise
/// NOTE(review): a NULL host would be handed straight to the compare
/// function; the only caller on this page (ACLServerNameStrategy::match)
/// guards with `serverName &&` before calling, keep that invariant.
37 ACLServerNameData::match(const char *host
)
42 debugs(28, 3, "checking '" << host
<< "'");
// Splay::find wants a non-const key; `h` is only ever passed to find().
44 char *h
= const_cast<char *>(host
);
45 char const * const * result
= domains
->find(h
, aclHostDomainCompare
);
47 debugs(28, 3, "'" << host
<< "' " << (result
? "found" : "NOT found"));
49 return (result
!= NULL
);
/// Returns a fresh, EMPTY ACLServerNameData.
/// NOTE(review): the splay tree of domains is not copied, so the clone
/// carries none of the original's patterns and will match nothing the
/// original matched. Any path that clones server_name ACL data silently
/// ends up with an empty pattern set -- an assert (or a real deep copy)
/// would be safer than returning an object that looks valid but is not.
53 ACLData
<char const *> *
54 ACLServerNameData::clone() const
56 /* Splay trees don't clone yet. */
58 return new ACLServerNameData
;
61 /// A helper function to be used with Ssl::matchX509CommonNames().
/// Copies one certificate name (the subject CN or one subjectAltName, as
/// handed over in `cn_data`) into a local NUL-terminated buffer and tests
/// it against the ACL data passed through `check_data`. The name comes
/// from the peer's certificate (see the caller below), so treat it as
/// untrusted: an ASN1_STRING is length-delimited, not NUL-terminated, and
/// may contain any byte value.
/// \param check_data the ACLData<MatchType>* to match against, passed as void*
/// \param cn_data    the ASN1_STRING holding the certificate name
62 /// \retval 0 when the name (cn or an alternate name) matches acl data
63 /// \retval 1 when the name does not match
64 template<class MatchType
>
66 check_cert_domain( void *check_data
, ASN1_STRING
*cn_data
)
// NOTE(review): the declarations of the local buffer `cn` and the write
// cursor `d` are not shown in this listing; `cn` must be a fixed-size
// char array (sizeof(cn) is used below) -- confirm its size in the file.
69 ACLData
<MatchType
> * data
= (ACLData
<MatchType
> *)check_data
;
// Bounds check before the copy: the name must leave room for the '\0'
// written right after the loop.
// NOTE(review): ASN1_STRING::length is an int. A negative length would
// pass this test, skip the loop, and then index `cn` with a negative
// subscript in the terminator write below. OpenSSL should never produce
// one, but adding `cn_data->length < 0 ||` to this condition is a cheap
// defense in depth.
71 if (cn_data
->length
> (int)sizeof(cn
) - 1)
72 return 1; // ignore data that does not fit our buffer
74 char *s
= reinterpret_cast<char *>(cn_data
->data
);
// Byte-wise copy into cn. Because ASN1 strings are not NUL-terminated, an
// embedded 0x00 (the classic "good.example\0.evil" CN trick) must be
// treated as a mismatch rather than letting C string functions truncate
// the name at the NUL and match the benign prefix.
76 for (int i
= 0; i
< cn_data
->length
; ++i
, ++d
, ++s
) {
// NOTE(review): the condition guarding this return (a test of *s for
// '\0') and the copy of *s into *d are not visible in this listing.
78 return 1; // always a domain mismatch. contains 0x00
81 cn
[cn_data
->length
] = '\0';
82 debugs(28, 4, "Verifying certificate name/subjectAltName " << cn
);
// NOTE(review): the final `data->match(cn)` test and its 0/1 return are
// not visible in this listing.
/// Decides whether this request's server name matches the ACL data.
/// Candidate names are tried in this order:
///   1. every CN/subjectAltName of the bumped server's certificate (only
///      when the connection is being SSL-bumped and a server certificate
///      is already available), via check_cert_domain();
///   2. the connection's sslCommonName(), when non-empty;
///   3. otherwise the request's Host (request->GetHost());
///   4. as a last resort the literal "none", so an ACL listing `none`
///      matches requests for which no name could be determined.
/// \param data      the ACLData holding the configured domain patterns
/// \param checklist must be non-NULL and carry a non-NULL request (asserted)
/// \param flags     unused here
/// \return the match result for the first candidate that matches (those
///   returns are not shown in this listing); data->match("none") otherwise
89 ACLServerNameStrategy::match (ACLData
<MatchType
> * &data
, ACLFilledChecklist
*checklist
, ACLFlags
&flags
)
// Precondition enforced with assert(): violating it aborts the process.
91 assert(checklist
!= NULL
&& checklist
->request
!= NULL
);
// NOTE(review): the names tested here come straight from the server
// certificate held by serverBump(). Whether that certificate has already
// been validated when this ACL runs is not visible in this file; if it
// has not, an ACL match can be driven by the names in an unverified
// (spoofed) certificate -- confirm the ordering against the bump and
// certificate-validation code.
93 if (checklist
->conn() && checklist
->conn()->serverBump()) {
94 if (X509
*peer_cert
= checklist
->conn()->serverBump()->serverCert
.get()) {
// NOTE(review): the consequent of this `if` (the match return) is not
// visible in this listing.
95 if (Ssl::matchX509CommonNames(peer_cert
, (void *)data
, check_cert_domain
<MatchType
>))
100 const char *serverName
= NULL
;
// NOTE(review): dangling pointer. `scn` is local to the `if` block below,
// but serverName keeps scn.c_str() and is dereferenced after the block
// ends (data->match(serverName) further down). Whether those bytes are
// still valid depends on SBuf's backing-store sharing and on c_str() not
// having reallocated -- neither is guaranteed here, and an ACL decision
// must not read freed memory. Fix: declare `SBuf scn;` at function scope
// (next to serverName) and only assign it inside the block.
101 if (checklist
->conn() && !checklist
->conn()->sslCommonName().isEmpty()) {
102 SBuf scn
= checklist
->conn()->sslCommonName();
103 serverName
= scn
.c_str();
// Fall back to the Host the client asked for.
106 if (serverName
== NULL
)
107 serverName
= checklist
->request
->GetHost();
// The `serverName &&` guard allows for GetHost() returning NULL; the
// pattern lookup is only attempted with a real name.
109 if (serverName
&& data
->match(serverName
)) {
// NOTE(review): the body of this `if` (the match return) is not visible
// in this listing.
113 return data
->match("none");
/// Accessor for the process-wide strategy singleton (Instance_ below).
/// NOTE(review): the function body is not shown in this listing;
/// presumably it returns &Instance_ -- confirm in the full file.
116 ACLServerNameStrategy
*
117 ACLServerNameStrategy::Instance()
/// Storage for the singleton handed out by Instance(): a namespace-scope
/// static object, so it is constructed before main() runs.
122 ACLServerNameStrategy
ACLServerNameStrategy::Instance_
;