]>
git.ipfire.org Git - thirdparty/squid.git/blob - src/security/cert_validators/fake/security_fake_certverify.pl.in
3 # A dummy SSL certificate validator helper that
4 # echos back all the SSL errors sent by Squid.
11 use Crypt
::OpenSSL
::X509
;
13 use POSIX
qw(strftime);
22 security_fake_certverify - A fake cert validation helper for Squid
26 security_fake_certverify [-d | --debug] [-h | --help]
36 enable debug messages to stderr
42 Retrieves the SSL certificate error list from squid and echo back without any change.
46 * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
48 * Squid software is distributed under GPLv2+ license and includes
49 * contributions from numerous individuals and organizations.
50 * Please see the COPYING and CONTRIBUTORS files for details.
52 (C) 2012 The Measurement Factory, Author: Tsantilas Christos
54 This program is free software. You may redistribute copies of it under the
55 terms of the GNU General Public License version 2, or (at your opinion) any
65 pod2usage
(1) if ($help);
70 my @line_args = split;
72 if ($first_line =~ /^\s*$/) {
78 my $channelId = $line_args[0];
79 my $code = $line_args[1];
80 my $bodylen = $line_args[2];
81 my $body = $line_args[3] . "\n";
82 if ($channelId !~ /\d+/) {
83 $response = $channelId." BH message=\"This helper is concurrent and requires the concurrency option to be specified.\"\1";
84 } elsif ($bodylen !~ /\d+/) {
85 $response = $channelId." BH message=\"cert validator request syntax error \" \1";
87 my $readlen = length($body);
90 my @responseErrors = ();
92 while($readlen < $bodylen) {
96 $readlen = length($body);
100 print(STDERR logPrefix
()."GOT ". "Code=".$code." $bodylen \n") if ($debug); #.$body;
102 my $sslVersion = "-";
104 parseRequest
($body, \
$hostname, \
$sslVersion, \
$sslCipher, \
%errors, \
%certs);
105 print(STDERR logPrefix
()."Parse result: \n") if ($debug);
106 print(STDERR logPrefix
()."\tFOUND host:".$hostname."\n") if ($debug);
107 print(STDERR logPrefix
()."\tFOUND ssl version:".$sslVersion."\n") if ($debug);
108 print(STDERR logPrefix
()."\tFOUND ssl cipher:".$sslCipher."\n") if ($debug);
109 print(STDERR logPrefix
()."\tFOUND ERRORS:") if ($debug);
110 foreach my $err (keys %errors) {
111 print(STDERR logPrefix
().$errors{$err}{"name"}."/".$errors{$err}{"cert"}." ,") if ($debug);
113 print(STDERR
"\n") if ($debug);
114 foreach my $key (keys %certs) {
115 ## Use "perldoc Crypt::OpenSSL::X509" for X509 available methods.
116 print(STDERR logPrefix
()."\tFOUND cert ".$key.": ".$certs{$key}->subject() . "\n") if ($debug);
119 #got the peer certificate ID. Assume that the peer certificate is the first one.
120 my $peerCertId = (keys %certs)[0];
122 # Echo back the errors: fill the responseErrors array with the errors we read.
123 foreach my $err (keys %errors) {
125 appendError
(\
@responseErrors,
126 $errors{$err}{"name"}, #The error name
127 "Checked by Cert Validator", # An error reason
128 $errors{$err}{"cert"} # The cert ID. We are always filling with the peer certificate.
132 $response = createResponse
(\
@responseErrors);
133 my $len = length($response);
135 $response = $channelId." ERR ".$len." ".$response."\1";
137 $response = $channelId." OK ".$len." ".$response."\1";
142 print(STDERR logPrefix
().">> ".$response."\n") if ($debug);
155 my ($errorArrays) = shift;
156 my($errorName) = shift;
157 my($errorReason) = shift;
158 my($errorCert) = shift;
159 push @
$errorArrays, { "error_name" => $errorName, "error_reason" => $errorReason, "error_cert" => $errorCert};
164 my ($responseErrors) = shift;
167 foreach my $err (@
$responseErrors) {
168 $response=$response."error_name_".$i."=".$err->{"error_name"}."\n".
169 "error_reason_".$i."=".$err->{"error_reason"}."\n".
170 "error_cert_".$i."=".$err->{"error_cert"}."\n";
179 my $hostname = shift;
180 my $sslVersion = shift;
181 my $sslCipher = shift;
184 while ($request !~ /^\s*$/) {
185 $request = trim
($request);
186 if ($request =~ /^host=/) {
187 my($vallen) = index($request, "\n");
188 my $host = substr($request, 5, $vallen - 5);
190 $request =~ s/^host=.*$//m;
192 if ($request =~ s/^proto_version=(.*?)$//m) {
195 if ($request =~ s/^cipher=(.*?)$//m) {
198 if ($request =~ /^cert_(\d+)=/) {
199 my $certId = "cert_".$1;
200 my($vallen) = index($request, "-----END CERTIFICATE-----") + length("-----END CERTIFICATE-----");
201 my $x509 = Crypt
::OpenSSL
::X509
->new_from_string(substr($request, index($request, "-----BEGIN")));
202 $certs->{$certId} = $x509;
203 $request = substr($request, $vallen);
205 elsif ($request =~ /^error_name_(\d+)=(.*)$/m) {
208 $request =~ s/^error_name_\d+=.*$//m;
209 $errors->{$errorId}{"name"} = $errorName;
211 elsif ($request =~ /^error_cert_(\d+)=(.*)$/m) {
214 $request =~ s/^error_cert_\d+=.*$//m;
215 $errors->{$errorId}{"cert"} = $certId;
218 print(STDERR logPrefix
()."ParseError on \"".$request."\"\n") if ($debug);
219 $request = "";# finish processing....
227 return strftime
("%Y/%m/%d %H:%M:%S.0", localtime)." ".$0." ".$$." | " ;