Server certificate testing ACLs Part2
authorChristos Tsantilas <chtsanti@users.sourceforge.net>
Thu, 2 Feb 2012 19:14:55 +0000 (21:14 +0200)
committerChristos Tsantilas <chtsanti@users.sourceforge.net>
Thu, 2 Feb 2012 19:14:55 +0000 (21:14 +0200)
Replace the hard-coded implementation of the default signing algorithm, applied
to generated certificates that match none of the configured sslproxy_cert_sign
access list rules, with default ACL lines.

The new tag POSTSCRIPTUM added to the cf.data.pre file which can be used to
append to the user configuration some default config lines.

src/cache_cf.cc
src/cf.data.pre
src/cf_gen.cc
src/client_side.cc

index c523792e7780b330a3eee175568e7db6bfeb97e1..1d610b042ce4264507cad5a4e7306b1b00fe8138 100644 (file)
@@ -155,6 +155,7 @@ static void parse_u_short(unsigned short * var);
 static void parse_string(char **);
 static void default_all(void);
 static void defaults_if_none(void);
+static void defaults_postscriptum(void);
 static int parse_line(char *);
 static void parse_obsolete(const char *);
 static void parseBytesLine(size_t * bptr, const char *units);
@@ -572,6 +573,8 @@ parseConfigFile(const char *file_name)
 
     defaults_if_none();
 
+    defaults_postscriptum();
+
     /*
      * We must call configDoConfigure() before leave_suid() because
      * configDoConfigure() is where we turn username strings into
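Review bot: The new `defaults_postscriptum();` call carries no comment explaining why it must run after `defaults_if_none()`, while the `configDoConfigure()` ordering right below it is documented at length. Because the generated function emits `default_line(...)` entries that are added to settings already parsed from the user's file, this ordering is what makes the POSTSCRIPTUM rules act as lowest-priority fallbacks rather than overrides. Suggest `// Append POSTSCRIPTUM defaults last so that rules from the user's configuration take precedence.` above the call. parseConfigFile begins and ends outside this hunk.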
index f1f54d09c098b19df612337f739ee71fb4d45dff..67409e0fe1cfe128d0eb6d8edb153d78a10c77c8 100644 (file)
@@ -2086,6 +2086,9 @@ DOC_END
 NAME: sslproxy_cert_sign
 IFDEF: USE_SSL
 DEFAULT: none
+POSTSCRIPTUM: signUntrusted ssl::certUntrusted
+POSTSCRIPTUM: signSelf ssl::certSelfSigned
+POSTSCRIPTUM: signTrusted all
 TYPE: sslproxy_cert_sign
 LOC: Config.ssl_client.cert_sign
 DOC_START
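Review bot: The three POSTSCRIPTUM rules are emitted and evaluated in the listed order, so `signUntrusted ssl::certUntrusted` is now tested before `signSelf ssl::certSelfSigned`, the reverse of the removed client_side.cc code, which checked X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT before the untrusted-chain errors. If ssl::certUntrusted also matches a self-signed server certificate (the ACL definitions are not on this page), a self-signed origin now gets an untrusted-CA-signed mimic certificate instead of a self-signed one, which changes what the client sees; please confirm the ACL semantics or swap the first two lines to preserve the old precedence. Separately, `DEFAULT: none` is still what the generated documentation will show for this directive; a `DEFAULT_DOC:` line stating that these three rules are appended after the user's own sslproxy_cert_sign rules would keep the docs accurate.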
index e61dc5dd45ebc1f5275fec65e2fe14444cab3909..491c1775eb85d38b005b74ac319ef7ac79a4bb04 100644 (file)
@@ -100,6 +100,9 @@ public:
     /// An error will be printed during build if they clash.
     LineList if_none;
 
+    /// Default config lines to parse and add to any prior settings.
+    LineList postscriptum;
+
     /// Text description to use in documentation for the default.
     /// If unset the preset or if-none values will be displayed.
     LineList docs;
@@ -152,6 +155,7 @@ static void gen_dump(const EntryList &, std::ostream&);
 static void gen_free(const EntryList &, std::ostream&);
 static void gen_conf(const EntryList &, std::ostream&, bool verbose_output);
 static void gen_default_if_none(const EntryList &, std::ostream&);
+static void gen_default_postscriptum(const EntryList &, std::ostream&);
 static bool isDefined(const std::string &name);
 
 static void
@@ -333,6 +337,13 @@ main(int argc, char *argv[])
                     ptr++;
 
                 curr.defaults.if_none.push_back(ptr);
+            } else if (!strncmp(buff, "POSTSCRIPTUM:", 13)) {
+                ptr = buff + 13;
+
+                while (isspace((unsigned char)*ptr))
+                    ptr++;
+
+                curr.defaults.postscriptum.push_back(ptr);
             } else if (!strncmp(buff, "DEFAULT_DOC:", 12)) {
                 ptr = buff + 12;
 
@@ -443,6 +454,8 @@ main(int argc, char *argv[])
 
     gen_default_if_none(entries, fout);
 
+    gen_default_postscriptum(entries, fout);
+
     gen_parse(entries, fout);
 
     gen_dump(entries, fout);
@@ -571,6 +584,36 @@ gen_default_if_none(const EntryList &head, std::ostream &fout)
     fout << "}" << std::endl << std::endl;
 }
 
+/// append configuration options specified by POSTSCRIPTUM lines
+static void
+gen_default_postscriptum(const EntryList &head, std::ostream &fout)
+{
+    fout << "static void" << std::endl <<
+    "defaults_postscriptum(void)" << std::endl <<
+    "{" << std::endl;
+
+    for (EntryList::const_iterator entry = head.begin(); entry != head.end(); ++entry) {
+        assert(entry->name.size());
+
+        if (!entry->loc.size())
+            continue;
+
+        if (entry->defaults.postscriptum.empty())
+            continue;
+
+        if (entry->ifdef.size())
+            fout << "#if " << entry->ifdef << std::endl;
+
+        for (LineList::const_iterator l = entry->defaults.postscriptum.begin(); l != entry->defaults.postscriptum.end(); ++l)
+            fout << "    default_line(\"" << entry->name << " " << *l <<"\");" << std::endl;
+
+        if (entry->ifdef.size())
+            fout << "#endif" << std::endl;
+    }
+
+    fout << "}" << std::endl << std::endl;
+}
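Review bot: In gen_default_postscriptum the POSTSCRIPTUM value `*l` is written verbatim inside a C string literal (`default_line("...")`), so a value containing `"` or `\` would produce a cf_parser.cci that does not compile; the if_none generator just above appears to do the same, but its body lies mostly outside the hunk. Since the values come from cf.data.pre at build time this is a build break rather than a runtime problem, but the restriction belongs in the doc comment, e.g. `/// append configuration options specified by POSTSCRIPTUM lines; values are emitted verbatim into a C string literal and must not contain '"' or '\'`. As a point of style, the emptiness checks mix `!entry->loc.size()` and `entry->ifdef.size()` with `entry->defaults.postscriptum.empty()`; `entry->loc.empty()` and `!entry->ifdef.empty()` read more directly and match the new check.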
+
 void
 Entry::genParseAlias(const std::string &aName, std::ostream &fout) const
 {
index 4c61773d6fdbd3719d1477e8ea811ff553114786..5ca08665e19f01b4a4d7e7dd6d0ed1226922081f 100644 (file)
@@ -3712,43 +3712,7 @@ void ConnStateData::buildSslCertGenerationParams(Ssl::CertificateProperties &cer
         }
     }
 
-    if (certProperties.signAlgorithm == Ssl::algSignEnd) {
-        // Use the default algorithm
-        //Temporary code....
-        // TODO: implement the following using acls:
-        Ssl::ssl_error_t selfSignErrors[] = {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, 0};
-        Ssl::ssl_error_t unTrustedErrors[] = {X509_V_ERR_INVALID_CA, 
-                                              X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, 
-                                              X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
-                                              X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
-                                              X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
-                                              X509_V_ERR_CERT_UNTRUSTED,0};
-        for (int i = 0; selfSignErrors[i] != 0; i++) {
-            if (bumpSslErrorNoList->find(selfSignErrors[i])) {
-                certProperties.signAlgorithm = Ssl::algSignSelf;
-                const char *sgAlg = Ssl::CertSignAlgorithmStr[Ssl::algSignSelf];
-                sslBumpCertKey.append("+Sign=");
-                sslBumpCertKey.append(sgAlg);
-                certAdaptParams.insert( std::make_pair(Ssl::CrtdMessage::param_Sign, sgAlg));
-                break;
-            }  
-        }
-        if (certProperties.signAlgorithm == Ssl::algSignEnd) {
-            for (int i = 0; unTrustedErrors[i] != 0; i++) {
-                if (bumpSslErrorNoList->find(selfSignErrors[i])) {
-                    certProperties.signAlgorithm = Ssl::algSignUntrusted;
-                    const char *sgAlg = Ssl::CertSignAlgorithmStr[Ssl::algSignUntrusted];
-                    sslBumpCertKey.append("+Sign=");
-                    sslBumpCertKey.append(sgAlg);
-                    certAdaptParams.insert( std::make_pair(Ssl::CrtdMessage::param_Sign, sgAlg));
-                    break;
-                }  
-            }
-        }
-        if (certProperties.signAlgorithm == Ssl::algSignEnd)
-            certProperties.signAlgorithm = Ssl::algSignTrusted;
-        //End of Temporary code....
-    }
+    assert(certProperties.signAlgorithm != Ssl::algSignEnd);
 
     if (certProperties.signAlgorithm == Ssl::algSignUntrusted) {
         assert(Ssl::SquidCaCert.get() && Ssl::SquidCaCertKey.get());
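Review bot: Replacing the fallback with `assert(certProperties.signAlgorithm != Ssl::algSignEnd);` turns any request for which the sslproxy_cert_sign evaluation selected no algorithm into an abort of the whole proxy, a harsher failure than the removed code's fall-through to Ssl::algSignTrusted. The assertion holds only because cf.data.pre appends `signTrusted all` to every configuration, an invariant that is invisible from this function and should be recorded next to the assert, e.g. `// cf.data.pre appends 'signTrusted all' to sslproxy_cert_sign, so the ACL evaluation above always selects an algorithm.` A more defensive option is to keep a fallback that logs a DBG_IMPORTANT debugs() message and sets Ssl::algSignTrusted instead of asserting. The removed code also appended `+Sign=` to sslBumpCertKey and set param_Sign in certAdaptParams for the chosen algorithm; presumably the ACL-driven path now does this, but it lies outside the hunk, as does the rest of buildSslCertGenerationParams, so it is worth confirming.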