From: Christos Tsantilas
Date: Thu, 2 Feb 2012 19:14:55 +0000 (+0200)
Subject: Server certificate testing ACLs Part2
X-Git-Tag: BumpSslServerFirst.take05~30
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=10d914f6e2eae54f6b2af337e3faca3ab9950939;p=thirdparty%2Fsquid.git
Server certificate testing ACLs Part2
Replace the hard coded implementation for default signing algorithm applied to generated certificates which does not match the configured sslproxy_cert_sign access list, with default acl lines. The new tag POSTSCRIPTUM added to the cf.data.pre file which can be used to append to the user configuration some default config lines.
---
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index c523792e77..1d610b042c 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -155,6 +155,7 @@ static void parse_u_short(unsigned short * var);
 static void parse_string(char **);
 static void default_all(void);
 static void defaults_if_none(void);
+static void defaults_postscriptum(void);
 static int parse_line(char *);
 static void parse_obsolete(const char *);
 static void parseBytesLine(size_t * bptr, const char *units);
@@ -572,6 +573,8 @@ parseConfigFile(const char *file_name)
 defaults_if_none();
+ defaults_postscriptum();
+
 /*
 * We must call configDoConfigure() before leave_suid() because
 * configDoConfigure() is where we turn username strings into
diff --git a/src/cf.data.pre b/src/cf.data.pre
index f1f54d09c0..67409e0fe1 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -2086,6 +2086,9 @@ DOC_END
 NAME: sslproxy_cert_sign
 IFDEF: USE_SSL
 DEFAULT: none
+POSTSCRIPTUM: signUntrusted ssl::certUntrusted
+POSTSCRIPTUM: signSelf ssl::certSelfSigned
+POSTSCRIPTUM: signTrusted all
 TYPE: sslproxy_cert_sign
 LOC: Config.ssl_client.cert_sign
 DOC_START
diff --git a/src/cf_gen.cc b/src/cf_gen.cc
index e61dc5dd45..491c1775eb 100644
--- a/src/cf_gen.cc
+++ b/src/cf_gen.cc
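Review bot: The new `defaults_postscriptum();` call in parseConfigFile carries no comment explaining why it must run after `defaults_if_none()` and after the user's file has been read. The position is what makes the feature work: the generated lines are appended after everything the administrator configured, so, assuming `sslproxy_cert_sign` is evaluated first-match like other access lists, explicitly configured rules take precedence and the POSTSCRIPTUM lines act only as a fallback. Suggest `// POSTSCRIPTUM defaults are appended last so that user-configured lines match first`. parseConfigFile starts and ends outside the hunk.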
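Review bot: The three POSTSCRIPTUM lines alter what every deployment gets, but the `DOC_START` block that follows (outside the hunk) is not updated to describe them. The documentation should state that these rules are appended after any configured `sslproxy_cert_sign` rules, that `signTrusted all` is therefore the final fallback, and that their order decides the outcome when a server certificate matches both `ssl::certUntrusted` and `ssl::certSelfSigned`. That order differs from the removed client_side.cc code, which tested the self-signed error first, so a certificate matching both ACLs now appears to be signed as untrusted rather than self-signed; worth confirming that is intended. A one-line addition such as `These default rules are evaluated after your own; the last one always matches.` would cover it.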
@@ -100,6 +100,9 @@ public:
 /// An error will be printed during build if they clash.
 LineList if_none;
+ /// Default config lines to parse and add to any prior settings.
+ LineList postscriptum;
+
 /// Text description to use in documentation for the default.
 /// If unset the preset or if-none values will be displayed.
 LineList docs;
@@ -152,6 +155,7 @@ static void gen_dump(const EntryList &, std::ostream&);
 static void gen_free(const EntryList &, std::ostream&);
 static void gen_conf(const EntryList &, std::ostream&, bool verbose_output);
 static void gen_default_if_none(const EntryList &, std::ostream&);
+static void gen_default_postscriptum(const EntryList &, std::ostream&);
 static bool isDefined(const std::string &name);
 static void
@@ -333,6 +337,13 @@ main(int argc, char *argv[])
 ptr++;
 curr.defaults.if_none.push_back(ptr);
+ } else if (!strncmp(buff, "POSTSCRIPTUM:", 13)) {
+ ptr = buff + 13;
+
+ while (isspace((unsigned char)*ptr))
+ ptr++;
+
+ curr.defaults.postscriptum.push_back(ptr);
 } else if (!strncmp(buff, "DEFAULT_DOC:", 12)) {
 ptr = buff + 12;
@@ -443,6 +454,8 @@ main(int argc, char *argv[])
 gen_default_if_none(entries, fout);
+ gen_default_postscriptum(entries, fout);
+
 gen_parse(entries, fout);
 gen_dump(entries, fout);
@@ -571,6 +584,36 @@ gen_default_if_none(const EntryList &head, std::ostream &fout)
 fout << "}" << std::endl << std::endl;
 }
+/// append configuration options specified by POSTSCRIPTUM lines
+static void
+gen_default_postscriptum(const EntryList &head, std::ostream &fout)
+{
+ fout << "static void" << std::endl <<
+ "defaults_postscriptum(void)" << std::endl <<
+ "{" << std::endl;
+
+ for (EntryList::const_iterator entry = head.begin(); entry != head.end(); ++entry) {
+ assert(entry->name.size());
+
+ if (!entry->loc.size())
+ continue;
+
+ if (entry->defaults.postscriptum.empty())
+ continue;
+
+ if (entry->ifdef.size())
+ fout << "#if " << entry->ifdef << std::endl;
+
+ for (LineList::const_iterator l = entry->defaults.postscriptum.begin(); l != entry->defaults.postscriptum.end(); ++l)
+ fout << " default_line(\"" << entry->name << " " << *l <<"\");" << std::endl;
+
+ if (entry->ifdef.size())
+ fout << "#endif" << std::endl;
+ }
+
+ fout << "}" << std::endl << std::endl;
+}
+
 void
 Entry::genParseAlias(const std::string &aName, std::ostream &fout) const
 {
diff --git a/src/client_side.cc b/src/client_side.cc
index 4c61773d6f..5ca08665e1 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
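Review bot: In the inner loop of gen_default_postscriptum the value `*l` is written verbatim into the `default_line("...")` string literal of the generated source, so a POSTSCRIPTUM value containing a double quote or backslash would yield uncompilable output rather than a diagnostic. cf.data.pre is build-time input, so this is a robustness rather than a runtime-security concern, and it appears to mirror what `gen_default_if_none` does, but a comment would keep the next author from adding rules with quoted arguments: `// NOTE: the POSTSCRIPTUM value is emitted unescaped inside a C string literal`. The function comment could also say that entries without a LOC silently ignore their POSTSCRIPTUM lines, since the `continue` on `!entry->loc.size()` drops them without any warning.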
@@ -3712,43 +3712,7 @@ void ConnStateData::buildSslCertGenerationParams(Ssl::CertificateProperties &cer
 }
 }
- if (certProperties.signAlgorithm == Ssl::algSignEnd) {
- // Use the default algorithm
- //Temporary code....
- // TODO: implement the following using acls:
- Ssl::ssl_error_t selfSignErrors[] = {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, 0};
- Ssl::ssl_error_t unTrustedErrors[] = {X509_V_ERR_INVALID_CA,
- X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
- X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
- X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
- X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
- X509_V_ERR_CERT_UNTRUSTED,0};
- for (int i = 0; selfSignErrors[i] != 0; i++) {
- if (bumpSslErrorNoList->find(selfSignErrors[i])) {
- certProperties.signAlgorithm = Ssl::algSignSelf;
- const char *sgAlg = Ssl::CertSignAlgorithmStr[Ssl::algSignSelf];
- sslBumpCertKey.append("+Sign=");
- sslBumpCertKey.append(sgAlg);
- certAdaptParams.insert( std::make_pair(Ssl::CrtdMessage::param_Sign, sgAlg));
- break;
- }
- }
- if (certProperties.signAlgorithm == Ssl::algSignEnd) {
- for (int i = 0; unTrustedErrors[i] != 0; i++) {
- if (bumpSslErrorNoList->find(selfSignErrors[i])) {
- certProperties.signAlgorithm = Ssl::algSignUntrusted;
- const char *sgAlg = Ssl::CertSignAlgorithmStr[Ssl::algSignUntrusted];
- sslBumpCertKey.append("+Sign=");
- sslBumpCertKey.append(sgAlg);
- certAdaptParams.insert( std::make_pair(Ssl::CrtdMessage::param_Sign, sgAlg));
- break;
- }
- }
- }
- if (certProperties.signAlgorithm == Ssl::algSignEnd)
- certProperties.signAlgorithm = Ssl::algSignTrusted;
- //End of Temporary code....
- }
+ assert(certProperties.signAlgorithm != Ssl::algSignEnd);
 if (certProperties.signAlgorithm == Ssl::algSignUntrusted) {
 assert(Ssl::SquidCaCert.get() && Ssl::SquidCaCertKey.get());
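Review bot: `assert(certProperties.signAlgorithm != Ssl::algSignEnd);` turns an unset signing algorithm into a process abort on a per-connection path, and the guarantee that the field is set now lives in configuration data (the `signTrusted all` POSTSCRIPTUM line) plus the matching loop above, which starts outside this hunk. If any evaluation path can leave the field at `algSignEnd` (for instance an ACL check that yields no decision), a single bumped connection would take the worker down, so the invariant and its source deserve a comment next to the assert: `// sslproxy_cert_sign always ends with a catch-all POSTSCRIPTUM rule, so a decision is guaranteed here`. Should a softer failure ever be preferred, it should fall towards the more conservative choice (e.g. `Ssl::algSignUntrusted`) rather than reinstating the removed `algSignTrusted` fallback, which would hide verification errors behind a trusted signature. buildSslCertGenerationParams starts before and ends after the hunk.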