#if USE_SSL
/// logging information specific to the SSL protocol
- class SslDetails {
+ class SslDetails
+ {
public:
SslDetails();
/// \ingroup ACLAPI
/// ACL check answer; TODO: Rename to Acl::Answer
-class allow_t {
+class allow_t
+{
public:
// not explicit: allow "aclMatchCode to allow_t" conversions (for now)
allow_t(const aclMatchCode aCode): code(aCode), kind(0) {}
void Adaptation::Icap::ModXact::clearError()
{
- HttpRequest *request = dynamic_cast<HttpRequest*>(adapted.header);
+ HttpRequest *request = dynamic_cast<HttpRequest*>(adapted.header);
// if no adapted request, update virgin (and inherit its properties later)
if (!request)
request = const_cast<HttpRequest*>(&virginRequest());
self_destruct();
return;
}
-
+
const char *param;
if ( char *s = strchr(al, '{')) {
*s = '\0'; // terminate the al string
return;
}
*s = '\0';
- }
- else
+ } else
param = NULL;
if (strcmp(al, Ssl::CertAdaptAlgorithmStr[Ssl::algSetValidAfter]) == 0) {
ca->alg = Ssl::algSetValidAfter;
ca->param = strdup("on");
- }
- else if (strcmp(al, Ssl::CertAdaptAlgorithmStr[Ssl::algSetValidBefore]) == 0) {
+ } else if (strcmp(al, Ssl::CertAdaptAlgorithmStr[Ssl::algSetValidBefore]) == 0) {
ca->alg = Ssl::algSetValidBefore;
ca->param = strdup("on");
- }
- else if (strcmp(al, Ssl::CertAdaptAlgorithmStr[Ssl::algSetCommonName]) == 0) {
+ } else if (strcmp(al, Ssl::CertAdaptAlgorithmStr[Ssl::algSetCommonName]) == 0) {
ca->alg = Ssl::algSetCommonName;
if (param) {
if (strlen(param) > 64) {
aclParseAclList(LegacyParser, &ca->aclList);
- while(*cert_adapt)
+ while (*cert_adapt)
cert_adapt = &(*cert_adapt)->next;
*cert_adapt = ca;
static void free_sslproxy_cert_adapt(sslproxy_cert_adapt **cert_adapt)
{
- while(*cert_adapt) {
+ while (*cert_adapt) {
sslproxy_cert_adapt *ca = *cert_adapt;
*cert_adapt = ca->next;
safe_free(ca->param);
aclParseAclList(LegacyParser, &cs->aclList);
- while(*cert_sign)
+ while (*cert_sign)
cert_sign = &(*cert_sign)->next;
*cert_sign = cs;
static void free_sslproxy_cert_sign(sslproxy_cert_sign **cert_sign)
{
- while(*cert_sign) {
+ while (*cert_sign) {
sslproxy_cert_sign *cs = *cert_sign;
*cert_sign = cs->next;
}
if (bumpCfgStyleLast != bcsNone && bumpCfgStyleNow != bumpCfgStyleLast) {
- debugs(3, DBG_CRITICAL, "FATAL: do not mix " << bumpCfgStyleNow << " actions with " <<
+ debugs(3, DBG_CRITICAL, "FATAL: do not mix " << bumpCfgStyleNow << " actions with " <<
bumpCfgStyleLast << " actions. Update your ssl_bump rules.");
self_destruct();
return;
if ((t = strchr(buff, '\n')))
*t = '\0';
- if(strncmp(buff, "IF ", 3) == 0) {
+ if (strncmp(buff, "IF ", 3) == 0) {
if ((ptr = strtok(buff + 3, WS)) == NULL) {
std::cerr << "Missing IF parameter on line" << linenum << std::endl;
exit(1);
exit(1);
}
IFDEFS.pop();
- }
- else if (!IFDEFS.size() || isDefined(IFDEFS.top()))
- switch (state) {
-
- case sSTART:
-
- if ((strlen(buff) == 0) || (!strncmp(buff, "#", 1))) {
- /* ignore empty and comment lines */
- (void) 0;
- } else if (!strncmp(buff, "NAME:", 5)) {
- char *name, *aliasname;
-
- if ((name = strtok(buff + 5, WS)) == NULL) {
- std::cerr << "Error in input file\n";
+ } else if (!IFDEFS.size() || isDefined(IFDEFS.top()))
+ switch (state) {
+
+ case sSTART:
+
+ if ((strlen(buff) == 0) || (!strncmp(buff, "#", 1))) {
+ /* ignore empty and comment lines */
+ (void) 0;
+ } else if (!strncmp(buff, "NAME:", 5)) {
+ char *name, *aliasname;
+
+ if ((name = strtok(buff + 5, WS)) == NULL) {
+ std::cerr << "Error in input file\n";
+ exit(1);
+ }
+
+ entries.push_back(name);
+
+ while ((aliasname = strtok(NULL, WS)) != NULL)
+ entries.back().alias.push_front(aliasname);
+
+ state = s1;
+ } else if (!strcmp(buff, "EOF")) {
+ state = sEXIT;
+ } else if (!strcmp(buff, "COMMENT_START")) {
+ entries.push_back("comment");
+ entries.back().loc = "none";
+ state = sDOC;
+ } else {
+ std::cerr << "Error on line " << linenum << std::endl <<
+ "--> " << buff << std::endl;
exit(1);
}
- entries.push_back(name);
-
- while ((aliasname = strtok(NULL, WS)) != NULL)
- entries.back().alias.push_front(aliasname);
-
- state = s1;
- } else if (!strcmp(buff, "EOF")) {
- state = sEXIT;
- } else if (!strcmp(buff, "COMMENT_START")) {
- entries.push_back("comment");
- entries.back().loc = "none";
- state = sDOC;
- } else {
- std::cerr << "Error on line " << linenum << std::endl <<
- "--> " << buff << std::endl;
- exit(1);
- }
-
- break;
-
- case s1: {
- Entry &curr = entries.back();
-
- if ((strlen(buff) == 0) || (!strncmp(buff, "#", 1))) {
- /* ignore empty and comment lines */
- (void) 0;
- } else if (!strncmp(buff, "COMMENT:", 8)) {
- ptr = buff + 8;
-
- while (isspace((unsigned char)*ptr))
- ptr++;
-
- curr.comment = ptr;
- } else if (!strncmp(buff, "DEFAULT:", 8)) {
- ptr = buff + 8;
-
- while (isspace((unsigned char)*ptr))
- ptr++;
-
- curr.defaults.preset.push_back(ptr);
- } else if (!strncmp(buff, "DEFAULT_IF_NONE:", 16)) {
- ptr = buff + 16;
-
- while (isspace((unsigned char)*ptr))
- ptr++;
-
- curr.defaults.if_none.push_back(ptr);
- } else if (!strncmp(buff, "POSTSCRIPTUM:", 13)) {
- ptr = buff + 13;
-
- while (isspace((unsigned char)*ptr))
- ptr++;
-
- curr.defaults.postscriptum.push_back(ptr);
- } else if (!strncmp(buff, "DEFAULT_DOC:", 12)) {
- ptr = buff + 12;
-
- while (isspace((unsigned char)*ptr))
- ptr++;
-
- curr.defaults.docs.push_back(ptr);
- } else if (!strncmp(buff, "LOC:", 4)) {
- if ((ptr = strtok(buff + 4, WS)) == NULL) {
- std::cerr << "Error on line " << linenum << std::endl;
- exit(1);
- }
-
- curr.loc = ptr;
- } else if (!strncmp(buff, "TYPE:", 5)) {
- if ((ptr = strtok(buff + 5, WS)) == NULL) {
+ break;
+
+ case s1: {
+ Entry &curr = entries.back();
+
+ if ((strlen(buff) == 0) || (!strncmp(buff, "#", 1))) {
+ /* ignore empty and comment lines */
+ (void) 0;
+ } else if (!strncmp(buff, "COMMENT:", 8)) {
+ ptr = buff + 8;
+
+ while (isspace((unsigned char)*ptr))
+ ptr++;
+
+ curr.comment = ptr;
+ } else if (!strncmp(buff, "DEFAULT:", 8)) {
+ ptr = buff + 8;
+
+ while (isspace((unsigned char)*ptr))
+ ptr++;
+
+ curr.defaults.preset.push_back(ptr);
+ } else if (!strncmp(buff, "DEFAULT_IF_NONE:", 16)) {
+ ptr = buff + 16;
+
+ while (isspace((unsigned char)*ptr))
+ ptr++;
+
+ curr.defaults.if_none.push_back(ptr);
+ } else if (!strncmp(buff, "POSTSCRIPTUM:", 13)) {
+ ptr = buff + 13;
+
+ while (isspace((unsigned char)*ptr))
+ ptr++;
+
+ curr.defaults.postscriptum.push_back(ptr);
+ } else if (!strncmp(buff, "DEFAULT_DOC:", 12)) {
+ ptr = buff + 12;
+
+ while (isspace((unsigned char)*ptr))
+ ptr++;
+
+ curr.defaults.docs.push_back(ptr);
+ } else if (!strncmp(buff, "LOC:", 4)) {
+ if ((ptr = strtok(buff + 4, WS)) == NULL) {
+ std::cerr << "Error on line " << linenum << std::endl;
+ exit(1);
+ }
+
+ curr.loc = ptr;
+ } else if (!strncmp(buff, "TYPE:", 5)) {
+ if ((ptr = strtok(buff + 5, WS)) == NULL) {
+ std::cerr << "Error on line " << linenum << std::endl;
+ exit(1);
+ }
+
+ /* hack to support arrays, rather than pointers */
+ if (0 == strcmp(ptr + strlen(ptr) - 2, "[]")) {
+ curr.array_flag = 1;
+ *(ptr + strlen(ptr) - 2) = '\0';
+ }
+
+ checkDepend(curr.name, ptr, types, entries);
+ curr.type = ptr;
+ } else if (!strncmp(buff, "IFDEF:", 6)) {
+ if ((ptr = strtok(buff + 6, WS)) == NULL) {
+ std::cerr << "Error on line " << linenum << std::endl;
+ exit(1);
+ }
+
+ curr.ifdef = ptr;
+ } else if (!strcmp(buff, "DOC_START")) {
+ state = sDOC;
+ } else if (!strcmp(buff, "DOC_NONE")) {
+ state = sSTART;
+ } else {
std::cerr << "Error on line " << linenum << std::endl;
exit(1);
}
+ }
+ break;
- /* hack to support arrays, rather than pointers */
- if (0 == strcmp(ptr + strlen(ptr) - 2, "[]")) {
- curr.array_flag = 1;
- *(ptr + strlen(ptr) - 2) = '\0';
+ case sDOC:
+ if (!strcmp(buff, "DOC_END") || !strcmp(buff, "COMMENT_END")) {
+ state = sSTART;
+ } else if (!strcmp(buff, "NOCOMMENT_START")) {
+ state = sNOCOMMENT;
+ } else { // if (buff != NULL) {
+ assert(buff != NULL);
+ entries.back().doc.push_back(buff);
}
-
- checkDepend(curr.name, ptr, types, entries);
- curr.type = ptr;
- } else if (!strncmp(buff, "IFDEF:", 6)) {
- if ((ptr = strtok(buff + 6, WS)) == NULL) {
- std::cerr << "Error on line " << linenum << std::endl;
- exit(1);
+ break;
+
+ case sNOCOMMENT:
+ if (!strcmp(buff, "NOCOMMENT_END")) {
+ state = sDOC;
+ } else { // if (buff != NULL) {
+ assert(buff != NULL);
+ entries.back().nocomment.push_back(buff);
}
+ break;
- curr.ifdef = ptr;
- } else if (!strcmp(buff, "DOC_START")) {
- state = sDOC;
- } else if (!strcmp(buff, "DOC_NONE")) {
- state = sSTART;
- } else {
- std::cerr << "Error on line " << linenum << std::endl;
- exit(1);
+ case sEXIT:
+ assert(0); /* should never get here */
+ break;
}
- }
- break;
-
- case sDOC:
- if (!strcmp(buff, "DOC_END") || !strcmp(buff, "COMMENT_END")) {
- state = sSTART;
- } else if (!strcmp(buff, "NOCOMMENT_START")) {
- state = sNOCOMMENT;
- } else { // if (buff != NULL) {
- assert(buff != NULL);
- entries.back().doc.push_back(buff);
- }
- break;
-
- case sNOCOMMENT:
- if (!strcmp(buff, "NOCOMMENT_END")) {
- state = sDOC;
- } else { // if (buff != NULL) {
- assert(buff != NULL);
- entries.back().nocomment.push_back(buff);
- }
- break;
-
- case sEXIT:
- assert(0); /* should never get here */
- break;
- }
}
if (bodyPipe != NULL)
stopProducingFor(bodyPipe, false);
-
+
#if USE_SSL
delete sslServerBump;
#endif
request->flags.ignore_cc = conn->port->ignore_cc;
// TODO: decouple http->flags.accel from request->flags.sslBumped
request->flags.no_direct = (request->flags.accelerated && !request->flags.sslBumped) ?
- !conn->port->allow_direct : 0;
+ !conn->port->allow_direct : 0;
#if USE_AUTH
if (request->flags.sslBumped) {
if (conn->auth_user_request != NULL)
typedef CommCbMemFunT<ConnStateData, CommTimeoutCbParams> TimeoutDialer;
AsyncCall::Pointer timeoutCall = JobCallback(33, 5, TimeoutDialer,
- connState, ConnStateData::requestTimeout);
+ connState, ConnStateData::requestTimeout);
commSetConnTimeout(details, Config.Timeout.request, timeoutCall);
- if (ssl)
+ if (ssl)
Comm::SetSelect(details->fd, COMM_SELECT_READ, clientNegotiateSSL, connState, 0);
else {
char buf[MAX_IPSTRLEN];
}
/**
- * A callback function to use with the ACLFilledChecklist callback.
+ * A callback function to use with the ACLFilledChecklist callback.
* In the case of ACCES_ALLOWED answer initializes a bumped SSL connection,
* else reverts the connection to tunnel mode.
*/
httpsSslBumpAccessCheckDone(ACCESS_DENIED, connState);
return;
}
-
+
// Create a fake HTTP request for ssl_bump ACL check,
// using tproxy/intercept provided destination IP and port.
HttpRequest *request = new HttpRequest();
request->SetHost(params.conn->local.NtoA(ip, sizeof(ip)));
request->port = params.conn->local.GetPort();
request->myportname = s->name;
-
+
ACLFilledChecklist *acl_checklist = new ACLFilledChecklist(Config.accessList.ssl_bump, request, NULL);
acl_checklist->src_addr = params.conn->remote;
acl_checklist->my_addr = s->s;
if (X509 *mimicCert = sslServerBump->serverCert.get())
certProperties.mimicCert.resetAndLock(mimicCert);
- ACLFilledChecklist checklist(NULL, sslServerBump->request,
+ ACLFilledChecklist checklist(NULL, sslServerBump->request,
clientConnection != NULL ? clientConnection->rfc931 : dash_str);
checklist.conn(this);
checklist.sslErrors = cbdataReference(sslServerBump->sslErrors);
for (sslproxy_cert_adapt *ca = Config.ssl_client.cert_adapt; ca != NULL; ca = ca->next) {
// If the algorithm already set, then ignore it.
if ((ca->alg == Ssl::algSetCommonName && certProperties.setCommonName) ||
- (ca->alg == Ssl::algSetValidAfter && certProperties.setValidAfter) ||
- (ca->alg == Ssl::algSetValidBefore && certProperties.setValidBefore) )
+ (ca->alg == Ssl::algSetValidAfter && certProperties.setValidAfter) ||
+ (ca->alg == Ssl::algSetValidBefore && certProperties.setValidBefore) )
continue;
if (ca->aclList && checklist.fastCheck(ca->aclList) == ACCESS_ALLOWED) {
const char *alg = Ssl::CertAdaptAlgorithmStr[ca->alg];
const char *param = ca->param;
-
+
// For parameterless CN adaptation, use hostname from the
// CONNECT request.
if (ca->alg == Ssl::algSetCommonName) {
param = sslConnectHostOrIp.termedBuf();
certProperties.commonName = param;
certProperties.setCommonName = true;
- }
- else if(ca->alg == Ssl::algSetValidAfter)
+ } else if (ca->alg == Ssl::algSetValidAfter)
certProperties.setValidAfter = true;
- else if(ca->alg == Ssl::algSetValidBefore)
+ else if (ca->alg == Ssl::algSetValidBefore)
certProperties.setValidBefore = true;
- debugs(33, 5, HERE << "Matches certificate adaptation aglorithm: " <<
+ debugs(33, 5, HERE << "Matches certificate adaptation aglorithm: " <<
alg << " param: " << (param ? param : "-"));
}
}
assert(port->untrustedSigningCert.get());
certProperties.signWithX509.resetAndLock(port->untrustedSigningCert.get());
certProperties.signWithPkey.resetAndLock(port->untrustedSignPkey.get());
- }
- else {
+ } else {
assert(port->signingCert.get());
certProperties.signWithX509.resetAndLock(port->signingCert.get());
#if USE_SSL_CRTD
try {
- debugs(33, 5, HERE << "Generating SSL certificate for " << certProperties.commonName << " using ssl_crtd.");
- Ssl::CrtdMessage request_message;
- request_message.setCode(Ssl::CrtdMessage::code_new_certificate);
- request_message.composeRequest(certProperties);
- debugs(33, 5, HERE << "SSL crtd request: " << request_message.compose().c_str());
- Ssl::Helper::GetInstance()->sslSubmit(request_message, sslCrtdHandleReplyWrapper, this);
- return;
- }
- catch (const std::exception &e) {
+ debugs(33, 5, HERE << "Generating SSL certificate for " << certProperties.commonName << " using ssl_crtd.");
+ Ssl::CrtdMessage request_message;
+ request_message.setCode(Ssl::CrtdMessage::code_new_certificate);
+ request_message.composeRequest(certProperties);
+ debugs(33, 5, HERE << "SSL crtd request: " << request_message.compose().c_str());
+ Ssl::Helper::GetInstance()->sslSubmit(request_message, sslCrtdHandleReplyWrapper, this);
+ return;
+ } catch (const std::exception &e) {
debugs(33, DBG_IMPORTANT, "ERROR: Failed to compose ssl_crtd " <<
"request for " << certProperties.commonName <<
" certificate: " << e.what() << "; will now block to " <<
Ssl::X509_Pointer serverCert(SSL_get_peer_certificate(ssl));
assert(serverCert.get() != NULL);
sslCommonName = Ssl::CommonHostName(serverCert.get());
- debugs(33, 5, HERE << "HTTPS server CN: " << sslCommonName <<
+ debugs(33, 5, HERE << "HTTPS server CN: " << sslCommonName <<
" bumped: " << *serverConnection);
pinConnection(serverConnection, NULL, NULL, false);
cbdataReferenceDone(pinning.peer);
if (Comm::IsConnOpen(pinning.serverConnection)) {
- if (pinning.closeHandler != NULL) {
- comm_remove_close_handler(pinning.serverConnection->fd, pinning.closeHandler);
- pinning.closeHandler = NULL;
- }
- /// also close the server side socket, we should not use it for any future requests...
- // TODO: do not close if called from our close handler?
- pinning.serverConnection->close();
+ if (pinning.closeHandler != NULL) {
+ comm_remove_close_handler(pinning.serverConnection->fd, pinning.closeHandler);
+ pinning.closeHandler = NULL;
+ }
+ /// also close the server side socket, we should not use it for any future requests...
+ // TODO: do not close if called from our close handler?
+ pinning.serverConnection->close();
}
safe_free(pinning.host);
class ConnectionDetail;
#if USE_SSL
-namespace Ssl {
- class ServerBump;
+namespace Ssl
+{
+class ServerBump;
}
#endif
/**
Ip::Address tmpnoaddr;
tmpnoaddr.SetNoAddr();
- error = clientBuildError(page_id, status,
+ error = clientBuildError(page_id, status,
NULL,
http->getConn() != NULL ? http->getConn()->clientConnection->remote : tmpnoaddr,
http->request
- );
+ );
#if USE_AUTH
- error->auth_user_request =
+ error->auth_user_request =
http->getConn() != NULL && http->getConn()->auth_user_request != NULL ?
http->getConn()->auth_user_request : http->request->auth_user_request;
#endif
// (bumping of intercepted SSL conns is decided before we get 1st request).
// We also do not bump redirected CONNECT requests.
if (http->request->method != METHOD_CONNECT || http->redirect.status ||
- !Config.accessList.ssl_bump || !http->getConn()->port->sslBump) {
+ !Config.accessList.ssl_bump || !http->getConn()->port->sslBump) {
http->al->ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log -
debugs(85, 5, HERE << "cannot SslBump this request");
return false;
return;
const Ssl::BumpMode bumpMode = answer == ACCESS_ALLOWED ?
- static_cast<Ssl::BumpMode>(answer.kind) : Ssl::bumpNone;
+ static_cast<Ssl::BumpMode>(answer.kind) : Ssl::bumpNone;
http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed
http->al->ssl.bumpMode = bumpMode; // for logging
calloutContext->http->al->request = HTTPMSGLOCK(request);
if (!calloutContext->error) {
- // CVE-2009-0801: verify the Host: header is consistent with other known details.
+ // CVE-2009-0801: verify the Host: header is consistent with other known details.
if (!calloutContext->host_header_verify_done) {
debugs(83, 3, HERE << "Doing calloutContext->hostHeaderVerify()");
calloutContext->host_header_verify_done = true;
if (!calloutContext->adaptation_acl_check_done) {
calloutContext->adaptation_acl_check_done = true;
if (Adaptation::AccessCheck::Start(
- Adaptation::methodReqmod, Adaptation::pointPreCache,
- request, NULL, this))
+ Adaptation::methodReqmod, Adaptation::pointPreCache,
+ request, NULL, this))
return; // will call callback
}
#endif
calloutContext->error = NULL;
getConn()->setServerBump(srvBump);
e->unlock();
- } else
+ } else
#endif
{
// send the error to the client now
noAddr.SetNoAddr();
ConnStateData * c = getConn();
calloutContext->error = clientBuildError(ERR_ICAP_FAILURE, HTTP_INTERNAL_SERVER_ERROR,
- NULL,
- c != NULL ? c->clientConnection->remote : noAddr,
- request
- );
+ NULL,
+ c != NULL ? c->clientConnection->remote : noAddr,
+ request
+ );
#if USE_AUTH
- calloutContext->error->auth_user_request =
+ calloutContext->error->auth_user_request =
c != NULL && c->auth_user_request != NULL ? c->auth_user_request : request->auth_user_request;
#endif
calloutContext->error->detailError(errDetail);
// remember validation errors, if any
if (Ssl::Errors *errs = static_cast<Ssl::Errors*>(SSL_get_ex_data(ssl, ssl_ex_index_ssl_errors)))
serverBump->sslErrors = cbdataReference(errs);
- }
+ }
}
// For intercepted connections, set the host name to the server
// certificate CN. Otherwise, we just hope that CONNECT is using
// a user-entered address (a host name or a user-entered IP).
- const bool isConnectRequest = !request->clientConnectionManager->port->spoof_client_ip &&
- !request->clientConnectionManager->port->intercepted;
+ const bool isConnectRequest = !request->clientConnectionManager->port->spoof_client_ip &&
+ !request->clientConnectionManager->port->intercepted;
if (request->flags.sslPeek && !isConnectRequest) {
if (X509 *srvX509 = errDetails->peerCert()) {
if (const char *name = Ssl::CommonHostName(srvX509)) {
return;
}
}
-
+
if (request->clientConnectionManager.valid()) {
// remember the server certificate from the ErrorDetail object
if (Ssl::ServerBump *serverBump = request->clientConnectionManager->serverBump()) {
// unless it was the CONNECT request with a user-typed address.
const char *hostname = request->GetHost();
const bool hostnameIsIp = request->GetHostIsNumeric();
- const bool isConnectRequest = !request->clientConnectionManager->port->spoof_client_ip &&
- !request->clientConnectionManager->port->intercepted;
+ const bool isConnectRequest = !request->clientConnectionManager->port->spoof_client_ip &&
+ !request->clientConnectionManager->port->intercepted;
if (!request->flags.sslPeek || isConnectRequest)
SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)hostname);
// store peeked cert to check SQUID_X509_V_ERR_CERT_CHANGE
X509 *peeked_cert;
if (request->clientConnectionManager.valid() &&
- request->clientConnectionManager->serverBump() &&
- (peeked_cert = request->clientConnectionManager->serverBump()->serverCert.get())) {
+ request->clientConnectionManager->serverBump() &&
+ (peeked_cert = request->clientConnectionManager->serverBump()->serverCert.get())) {
CRYPTO_add(&(peeked_cert->references),1,CRYPTO_LOCK_X509);
SSL_set_ex_data(ssl, ssl_ex_index_ssl_peeked_cert, peeked_cert);
}
// some requests benefit from pinning but do not require it and can "repin"
const bool rePin = request->flags.canRePin &&
- request->clientConnectionManager.valid();
+ request->clientConnectionManager.valid();
if (rePin) {
debugs(17, 3, HERE << "repinning " << serverConn);
request->clientConnectionManager->pinConnection(serverConn,
- request, serverConn->getPeer(), request->flags.auth);
+ request, serverConn->getPeer(), request->flags.auth);
request->flags.pinned = 1;
}
static SslErrorEntry TheSslErrorArray[] = {
{SQUID_X509_V_ERR_CERT_CHANGE,
- "SQUID_X509_V_ERR_CERT_CHANGE"},
+ "SQUID_X509_V_ERR_CERT_CHANGE"},
{SQUID_ERR_SSL_HANDSHAKE,
- "SQUID_ERR_SSL_HANDSHAKE"},
+ "SQUID_ERR_SSL_HANDSHAKE"},
{SQUID_X509_V_ERR_DOMAIN_MISMATCH,
"SQUID_X509_V_ERR_DOMAIN_MISMATCH"},
{X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
static const Ssl::ssl_error_t notYetValid[] = {X509_V_ERR_CERT_NOT_YET_VALID, SSL_ERROR_NONE};
static const Ssl::ssl_error_t domainMismatch[] = {SQUID_X509_V_ERR_DOMAIN_MISMATCH, SSL_ERROR_NONE};
static const Ssl::ssl_error_t certUntrusted[] = {X509_V_ERR_INVALID_CA,
- X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
- X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
- X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
- X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
- X509_V_ERR_CERT_UNTRUSTED, SSL_ERROR_NONE};
+ X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
+ X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
+ X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
+ X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
+ X509_V_ERR_CERT_UNTRUSTED, SSL_ERROR_NONE
+ };
static const Ssl::ssl_error_t certSelfSigned[] = {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_ERROR_NONE};
// The list of error name shortcuts for use with ssl_error acls.
const SslErrorShortcuts::const_iterator it = TheSslErrorShortcuts.find(name);
if (it != TheSslErrorShortcuts.end()) {
// Should not be empty...
- assert(it->second[0] != SSL_ERROR_NONE);
+ assert(it->second[0] != SSL_ERROR_NONE);
Ssl::Errors *errors = new Ssl::Errors(it->second[0]);
for (int i =1; it->second[i] != SSL_ERROR_NONE; i++) {
errors->push_back_unique(it->second[i]);
* %ssl_ca_name: The certificate issuer name
* %ssl_notbefore: The certificate "not before" field
* %ssl_notafter: The certificate "not after" field
- *
+ *
\retval the length of the code (the number of characters will be replaced by value)
*/
int Ssl::ErrorDetail::convert(const char *code, const char **value) const
Ssl::ServerBump::ServerBump(HttpRequest *fakeRequest, StoreEntry *e):
- request(fakeRequest),
- sslErrors(NULL)
+ request(fakeRequest),
+ sslErrors(NULL)
{
debugs(33, 4, HERE << "will peek at " << request->GetHost() << ':' << request->port);
const char *uri = urlCanonical(request);
return false;
}
certProperties.commonName = i->second;
-
- i = map.find(Ssl::CrtdMessage::param_SetValidAfter);
+
+ i = map.find(Ssl::CrtdMessage::param_SetValidAfter);
if (i != map.end() && strcasecmp(i->second.c_str(), "on") == 0)
certProperties.setValidAfter = true;
-
+
i = map.find(Ssl::CrtdMessage::param_SetValidBefore);
if (i != map.end() && strcasecmp(i->second.c_str(), "on") == 0)
certProperties.setValidBefore = true;
i = map.find(Ssl::CrtdMessage::param_SetCommonName);
if (i != map.end()) {
- // use this as Common Name instead of the hostname
+ // use this as Common Name instead of the hostname
// defined with host or Common Name from mimic cert
certProperties.commonName = i->second;
certProperties.setCommonName = true;
error = "Wrong signing algoritm: " + i->second;
return false;
}
- }
- else
+ } else
certProperties.signAlgorithm = Ssl::algSignTrusted;
if (!Ssl::readCertAndPrivateKeyFromMemory(certProperties.signWithX509, certProperties.signWithPkey, certs_part.c_str())) {
body += "\n" + Ssl::CrtdMessage::param_SetValidAfter + "=on";
if (certProperties.setValidBefore)
body += "\n" + Ssl::CrtdMessage::param_SetValidBefore + "=on";
- if(certProperties.signAlgorithm != Ssl::algSignEnd)
+ if (certProperties.signAlgorithm != Ssl::algSignEnd)
body += "\n" + Ssl::CrtdMessage::param_Sign + "=" + certSignAlgorithm(certProperties.signAlgorithm);
std::string certsPart;
if (!ptr)
return false;
- if (!bufferToWrite.empty())
+ if (!bufferToWrite.empty())
bufferToWrite.append(" "); // add a space...
bufferToWrite.append(ptr, len);
size_t pos = 0;
do {
pos = cn.find('.', pos + 1);
- } while(pos != std::string::npos && (cn.length() - pos + 2) > MaxCnLen);
+ } while (pos != std::string::npos && (cn.length() - pos + 2) > MaxCnLen);
// If no short domain found or this domain is a toplevel domain
// we failed to find a good cn name.
const char *Ssl::CertSignAlgorithmStr[] = {
"signTrusted",
- "signUntrusted",
+ "signUntrusted",
"signSelf",
NULL
};
};
Ssl::CertificateProperties::CertificateProperties():
- setValidAfter(false),
- setValidBefore(false),
- setCommonName(false),
- signAlgorithm(Ssl::algSignEnd)
+ setValidAfter(false),
+ setValidBefore(false),
+ setCommonName(false),
+ signAlgorithm(Ssl::algSignEnd)
{}
std::string & Ssl::CertificateProperties::dbKey() const
}
static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificateProperties const &properties)
-{
+{
// not an Ssl::X509_NAME_Pointer because X509_REQ_get_subject_name()
// returns a pointer to the existing subject name. Nothing to clean here.
if (properties.mimicCert.get()) {
// Leave subject empty if we cannot extract it from true cert.
if (X509_NAME *name = X509_get_subject_name(properties.mimicCert.get())) {
- // X509_set_subject_name will call X509_dup for name
+ // X509_set_subject_name will call X509_dup for name
X509_set_subject_name(cert.get(), name);
}
}
(void)replaceCommonName(cert, properties.commonName);
}
- // We should get caCert notBefore and notAfter fields and do not allow
+ // We should get caCert notBefore and notAfter fields and do not allow
// notBefore/notAfter values from certToMimic before/after notBefore/notAfter
// fields from caCert.
- // Currently there is not any way in openssl tollkit to compare two ASN1_TIME
+ // Currently there is not any way in openssl tollkit to compare two ASN1_TIME
// objects.
ASN1_TIME *aTime = NULL;
if (!properties.setValidBefore && properties.mimicCert.get())
if (aTime) {
if (!X509_set_notBefore(cert.get(), aTime))
return false;
- }
- else if (!X509_gmtime_adj(X509_get_notBefore(cert.get()), (-2)*24*60*60))
+ } else if (!X509_gmtime_adj(X509_get_notBefore(cert.get()), (-2)*24*60*60))
return false;
aTime = NULL;
// certificates with CN unrelated to subjectAltNames.
if (!properties.setCommonName) {
int pos=X509_get_ext_by_NID (properties.mimicCert.get(), OBJ_sn2nid("subjectAltName"), -1);
- X509_EXTENSION *ext=X509_get_ext(properties.mimicCert.get(), pos);
+ X509_EXTENSION *ext=X509_get_ext(properties.mimicCert.get(), pos);
if (ext) {
X509_add_ext(cert.get(), ext, -1);
/* According the RFC 5280 using extensions requires version 3
static BIGNUM *createCertSerial(unsigned char *md, unsigned int n)
{
-
+
assert(n == 20); //for sha1 n is 20 (for md5 n is 16)
BIGNUM *serial = NULL;
return createCertSerial(md, n);
}
-/// Generate a unique serial number based on a Ssl::CertificateProperties object
-/// for a new generated certificate
+/// Generate a unique serial number based on a Ssl::CertificateProperties object
+/// for a new generated certificate
static bool createSerial(Ssl::BIGNUM_Pointer &serial, Ssl::CertificateProperties const &properties)
{
Ssl::EVP_PKEY_Pointer fakePkey;
/// Print the time represented by a ASN1_TIME struct to a string using GeneralizedTime format
static bool asn1timeToGeneralizedTimeStr(ASN1_TIME *aTime, char *buf, int bufLen)
{
- // ASN1_Time holds time to UTCTime or GeneralizedTime form.
+ // ASN1_Time holds time to UTCTime or GeneralizedTime form.
// UTCTime has the form YYMMDDHHMMSS[Z | [+|-]offset]
// GeneralizedTime has the form YYYYMMDDHHMMSS[Z | [+|-] offset]
buf[1] = '0';
}
str = buf +2;
- }
- else // if (aTime->type == V_ASN1_GENERALIZEDTIME)
+ } else // if (aTime->type == V_ASN1_GENERALIZEDTIME)
str = buf;
memcpy(str, aTime->data, aTime->length);
return -1;
if (!asn1timeToGeneralizedTimeStr(asnTime2, strTime2, sizeof(strTime2)))
return -1;
-
+
return strcmp(strTime1, strTime2);
}
if (X509_check_issued(properties.signWithX509.get(), cert) != X509_V_OK)
return false;
}
-
+
X509 *cert2 = properties.mimicCert.get();
// If there is not certificate to mimic stop here
if (!cert2)
X509_NAME *cert2_name = X509_get_subject_name(cert2);
if (X509_NAME_cmp(cert1_name, cert2_name) != 0)
return false;
- }
- else if (properties.commonName != CommonHostName(cert))
- return false;
-
+ } else if (properties.commonName != CommonHostName(cert))
+ return false;
+
if (!properties.setValidBefore) {
ASN1_TIME *aTime = X509_get_notBefore(cert);
ASN1_TIME *bTime = X509_get_notBefore(cert2);
return false;
}
-
+
char *alStr1;
int alLen;
alStr1 = (char *)X509_alias_get0(cert, &alLen);
char *alStr2 = (char *)X509_alias_get0(cert2, &alLen);
if ((!alStr1 && alStr2) || (alStr1 && !alStr2) ||
- (alStr1 && alStr2 && strcmp(alStr1, alStr2)) != 0)
+ (alStr1 && alStr2 && strcmp(alStr1, alStr2)) != 0)
return false;
-
+
// Compare subjectAltName extension
STACK_OF(GENERAL_NAME) * cert1_altnames;
cert1_altnames = (STACK_OF(GENERAL_NAME)*)X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
const GENERAL_NAME *aName = sk_GENERAL_NAME_value(cert1_altnames, i);
match = sk_GENERAL_NAME_find(cert2_altnames, aName);
}
- }
- else if (cert2_altnames)
+ } else if (cert2_altnames)
match = false;
-
+
sk_GENERAL_NAME_pop_free(cert1_altnames, GENERAL_NAME_free);
sk_GENERAL_NAME_pop_free(cert2_altnames, GENERAL_NAME_free);
// TODO: What if the entry is a UTF8String? See X509_NAME_get_index_by_NID(3ssl).
const int nameLen = X509_NAME_get_text_by_NID(
- X509_get_subject_name(x509),
- nid, name, sizeof(name));
+ X509_get_subject_name(x509),
+ nid, name, sizeof(name));
if (nameLen > 0)
return name;
\ingroup SslCrtdSslAPI
* Simple struct to pass certificate generation parameters to generateSslCertificate function.
*/
-class CertificateProperties {
+class CertificateProperties
+{
public:
CertificateProperties();
X509_Pointer mimicCert; ///< Certificate to mimic
X509_Pointer signWithX509; ///< Certificate to sign the generated request
EVP_PKEY_Pointer signWithPkey; ///< The key of the signing certificate
- bool setValidAfter; ///< Do not mimic "Not Valid After" field
+ bool setValidAfter; ///< Do not mimic "Not Valid After" field
bool setValidBefore; ///< Do not mimic "Not Valid Before" field
bool setCommonName; ///< Replace the CN field of the mimicing subject with the given
std::string commonName; ///< A CN to use for the generated certificate
Ssl::X509_Pointer cert;
Ssl::EVP_PKEY_Pointer pkey;
std::string &cert_subject = certProperties.dbKey();
-
+
db.find(cert_subject, cert, pkey);
if (cert.get()) {
}
}
- if (!cert || !pkey) {
+ if (!cert || !pkey) {
if (!Ssl::generateSslCertificate(cert, pkey, certProperties))
throw std::runtime_error("Cannot create ssl certificate or private key.");
delete errs;
errs = NULL;
}
- }
- else // remember another error number
+ } else // remember another error number
errs->push_back_unique(error_no);
if (const char *err_descr = Ssl::GetErrorDescr(error_no))
static void
ssl_free_SslErrors(void *, void *ptr, CRYPTO_EX_DATA *,
- int, long, void *)
+ int, long, void *)
{
Ssl::Errors *errs = static_cast <Ssl::Errors*>(ptr);
delete errs;
// "free" function for X509 certificates
static void
ssl_free_X509(void *, void *ptr, CRYPTO_EX_DATA *,
- int, long, void *)
+ int, long, void *)
{
X509 *cert = static_cast <X509 *>(ptr);
X509_free(cert);
certProperties.commonName = "Not trusted by \"";
certProperties.commonName += cn;
certProperties.commonName += "\"";
- }
- else if (const char *org = getOrganization(cert.get())) {
+ } else if (const char *org = getOrganization(cert.get())) {
certProperties.commonName = "Not trusted by \"";
certProperties.commonName += org;
certProperties.commonName += "\"";
- }
- else
+ } else
certProperties.commonName = "Not trusted";
certProperties.setCommonName = true;
// O, OU, and other CA subject fields will be mimicked
}
/**
- * Set the HTTP status for this request and sets the read handlers for client
+ * Set the HTTP status for this request and sets the read handlers for client
* and server side connections.
*/
static void