From: Amos Jeffries Date: Sun, 11 Sep 2016 02:02:11 +0000 (+1200) Subject: Security: replace Ssl::ssl_error_t with Security::ErrorCode X-Git-Tag: SQUID_4_0_15~49 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=13cd7dee40273f93f41ee3b5134e183ead93ccb2;p=thirdparty%2Fsquid.git Security: replace Ssl::ssl_error_t with Security::ErrorCode --- diff --git a/src/format/Format.cc b/src/format/Format.cc index 0f4139d700..ca31e0d2b7 100644 --- a/src/format/Format.cc +++ b/src/format/Format.cc @@ -322,7 +322,7 @@ log_quoted_string(const char *str, char *out) #if USE_OPENSSL static char * -sslErrorName(Ssl::ssl_error_t err, char *buf, size_t size) +sslErrorName(Security::ErrorCode err, char *buf, size_t size) { snprintf(buf, size, "SSL_ERR=%d", err); return buf; diff --git a/src/security/forward.h b/src/security/forward.h index 09759d8e14..4735385a95 100644 --- a/src/security/forward.h +++ b/src/security/forward.h @@ -74,6 +74,10 @@ typedef void *DhePointer; #endif class EncryptorAnswer; + +/// Squid defined error code (<0), an error code returned by X.509 API, or SSL_ERROR_NONE +typedef int ErrorCode; + class KeyData; class PeerConnector; class PeerOptions; diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc index b6ce27ff92..ffb8c14a52 100644 --- a/src/ssl/ErrorDetail.cc +++ b/src/ssl/ErrorDetail.cc @@ -15,13 +15,13 @@ #include struct SslErrorEntry { - Ssl::ssl_error_t value; + Security::ErrorCode value; const char *name; }; static const char *SslErrorDetailDefaultStr = "SSL handshake error (%err_name)"; //Use std::map to optimize search -typedef std::map SslErrors; +typedef std::map SslErrors; SslErrors TheSslErrors; static SslErrorEntry TheSslErrorArray[] = { @@ -290,20 +290,20 @@ static const char *OptionalSslErrors[] = { struct SslErrorAlias { const char *name; - const Ssl::ssl_error_t *errors; + const Security::ErrorCode *errors; }; -static const Ssl::ssl_error_t hasExpired[] = {X509_V_ERR_CERT_HAS_EXPIRED, SSL_ERROR_NONE}; -static const Ssl::ssl_error_t notYetValid[] = {X509_V_ERR_CERT_NOT_YET_VALID, SSL_ERROR_NONE}; -static const Ssl::ssl_error_t domainMismatch[] = {SQUID_X509_V_ERR_DOMAIN_MISMATCH, SSL_ERROR_NONE}; -static const Ssl::ssl_error_t certUntrusted[] = {X509_V_ERR_INVALID_CA, +static const Security::ErrorCode hasExpired[] = {X509_V_ERR_CERT_HAS_EXPIRED, SSL_ERROR_NONE}; +static const Security::ErrorCode notYetValid[] = {X509_V_ERR_CERT_NOT_YET_VALID, SSL_ERROR_NONE}; +static const Security::ErrorCode domainMismatch[] = {SQUID_X509_V_ERR_DOMAIN_MISMATCH, SSL_ERROR_NONE}; +static const Security::ErrorCode certUntrusted[] = {X509_V_ERR_INVALID_CA, X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_CERT_UNTRUSTED, SSL_ERROR_NONE }; -static const Ssl::ssl_error_t certSelfSigned[] = {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_ERROR_NONE}; +static const Security::ErrorCode certSelfSigned[] = {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_ERROR_NONE}; // The list of error name shortcuts for use with ssl_error acls. // The keys without the "ssl::" scope prefix allow shorter error @@ -324,7 +324,7 @@ static SslErrorAlias TheSslErrorShortcutsArray[] = { }; // Use std::map to optimize search. -typedef std::map SslErrorShortcuts; +typedef std::map SslErrorShortcuts; SslErrorShortcuts TheSslErrorShortcuts; static void loadSslErrorMap() @@ -342,7 +342,7 @@ static void loadSslErrorShortcutsMap() TheSslErrorShortcuts[TheSslErrorShortcutsArray[i].name] = TheSslErrorShortcutsArray[i].errors; } -Ssl::ssl_error_t Ssl::GetErrorCode(const char *name) +Security::ErrorCode Ssl::GetErrorCode(const char *name) { //TODO: use a std::map? for (int i = 0; TheSslErrorArray[i].name != NULL; ++i) { @@ -357,7 +357,7 @@ Ssl::ParseErrorString(const char *name) { assert(name); - const Ssl::ssl_error_t ssl_error = GetErrorCode(name); + const Security::ErrorCode ssl_error = GetErrorCode(name); if (ssl_error != SSL_ERROR_NONE) return new Ssl::Errors(ssl_error); @@ -386,7 +386,7 @@ Ssl::ParseErrorString(const char *name) return NULL; // not reached } -const char *Ssl::GetErrorName(Ssl::ssl_error_t value) +const char *Ssl::GetErrorName(Security::ErrorCode value) { if (TheSslErrors.empty()) loadSslErrorMap(); @@ -409,7 +409,7 @@ Ssl::ErrorIsOptional(const char *name) } const char * -Ssl::GetErrorDescr(Ssl::ssl_error_t value) +Ssl::GetErrorDescr(Security::ErrorCode value) { return ErrorDetailsManager::GetInstance().getDefaultErrorDescr(value); } @@ -625,7 +625,7 @@ const String &Ssl::ErrorDetail::toString() const return errDetailStr; } -Ssl::ErrorDetail::ErrorDetail( Ssl::ssl_error_t err_no, X509 *cert, X509 *broken, const char *aReason): error_no (err_no), lib_error_no(SSL_ERROR_NONE), errReason(aReason) +Ssl::ErrorDetail::ErrorDetail( Security::ErrorCode err_no, X509 *cert, X509 *broken, const char *aReason): error_no (err_no), lib_error_no(SSL_ERROR_NONE), errReason(aReason) { if (cert) peer_cert.resetAndLock(cert); diff --git a/src/ssl/ErrorDetail.h b/src/ssl/ErrorDetail.h index 684dee0630..01779c59c3 100644 --- a/src/ssl/ErrorDetail.h +++ b/src/ssl/ErrorDetail.h @@ -25,23 +25,14 @@ namespace Ssl */ Ssl::Errors *ParseErrorString(const char *name); -/** - \ingroup ServerProtocolSSLAPI - * The ssl_error_t code of the error described by "name". - */ -ssl_error_t GetErrorCode(const char *name); +/// The Security::ErrorCode code of the error described by "name". +Security::ErrorCode GetErrorCode(const char *name); -/** - \ingroup ServerProtocolSSLAPI - * The string representation of the SSL error "value" - */ -const char *GetErrorName(ssl_error_t value); +/// The string representation of the TLS error "value" +const char *GetErrorName(Security::ErrorCode value); -/** - \ingroup ServerProtocolSSLAPI - * A short description of the SSL error "value" - */ -const char *GetErrorDescr(ssl_error_t value); +/// A short description of the TLS error "value" +const char *GetErrorDescr(Security::ErrorCode value); /** \ingroup ServerProtocolSSLAPI @@ -60,14 +51,14 @@ class ErrorDetail { public: // if broken certificate is nil, the peer certificate is broken - ErrorDetail(ssl_error_t err_no, X509 *peer, X509 *broken, const char *aReason = NULL); + ErrorDetail(Security::ErrorCode err_no, X509 *peer, X509 *broken, const char *aReason = NULL); ErrorDetail(ErrorDetail const &); const String &toString() const; ///< An error detail string to embed in squid error pages void useRequest(HttpRequest *aRequest) { if (aRequest != NULL) request = aRequest;} /// The error name to embed in squid error pages const char *errorName() const {return err_code();} /// The error no - ssl_error_t errorNo() const {return error_no;} + Security::ErrorCode errorNo() const {return error_no;} ///Sets the low-level error returned by OpenSSL ERR_get_error() void setLibError(unsigned long lib_err_no) {lib_error_no = lib_err_no;} /// the peer certificate @@ -100,7 +91,7 @@ private: void buildDetail() const; mutable String errDetailStr; ///< Caches the error detail message - ssl_error_t error_no; ///< The error code + Security::ErrorCode error_no; ///< The error code unsigned long lib_error_no; ///< low-level error returned by OpenSSL ERR_get_error(3SSL) Security::CertPointer peer_cert; ///< A pointer to the peer certificate Security::CertPointer broken_cert; ///< A pointer to the broken certificate (peer or intermediate) diff --git a/src/ssl/ErrorDetailManager.cc b/src/ssl/ErrorDetailManager.cc index 45e3b0a68c..96d0bfaf57 100644 --- a/src/ssl/ErrorDetailManager.cc +++ b/src/ssl/ErrorDetailManager.cc @@ -43,7 +43,7 @@ private: /******************/ bool -Ssl::ErrorDetailsList::getRecord(Ssl::ssl_error_t value, ErrorDetailEntry &entry) +Ssl::ErrorDetailsList::getRecord(Security::ErrorCode value, ErrorDetailEntry &entry) { const ErrorDetails::const_iterator it = theList.find(value); if (it != theList.end()) { @@ -57,7 +57,7 @@ Ssl::ErrorDetailsList::getRecord(Ssl::ssl_error_t value, ErrorDetailEntry &entry } const char * -Ssl::ErrorDetailsList::getErrorDescr(Ssl::ssl_error_t value) +Ssl::ErrorDetailsList::getErrorDescr(Security::ErrorCode value) { const ErrorDetails::const_iterator it = theList.find(value); if (it != theList.end()) { @@ -68,7 +68,7 @@ Ssl::ErrorDetailsList::getErrorDescr(Ssl::ssl_error_t value) } const char * -Ssl::ErrorDetailsList::getErrorDetail(Ssl::ssl_error_t value) +Ssl::ErrorDetailsList::getErrorDetail(Security::ErrorCode value) { const ErrorDetails::const_iterator it = theList.find(value); if (it != theList.end()) { @@ -123,7 +123,7 @@ void Ssl::ErrorDetailsManager::cacheDetails(ErrorDetailsList::Pointer &errorDeta } bool -Ssl::ErrorDetailsManager::getErrorDetail(Ssl::ssl_error_t value, const HttpRequest::Pointer &request, ErrorDetailEntry &entry) +Ssl::ErrorDetailsManager::getErrorDetail(Security::ErrorCode value, const HttpRequest::Pointer &request, ErrorDetailEntry &entry) { #if USE_ERR_LOCALES String hdr; @@ -164,13 +164,13 @@ Ssl::ErrorDetailsManager::getErrorDetail(Ssl::ssl_error_t value, const HttpReque } const char * -Ssl::ErrorDetailsManager::getDefaultErrorDescr(Ssl::ssl_error_t value) +Ssl::ErrorDetailsManager::getDefaultErrorDescr(Security::ErrorCode value) { return theDefaultErrorDetails->getErrorDescr(value); } const char * -Ssl::ErrorDetailsManager::getDefaultErrorDetail(Ssl::ssl_error_t value) +Ssl::ErrorDetailsManager::getDefaultErrorDetail(Security::ErrorCode value) { return theDefaultErrorDetails->getErrorDetail(value); } @@ -225,7 +225,7 @@ Ssl::ErrorDetailFile::parse(const char *buffer, int len, bool eof) return false; } - Ssl::ssl_error_t ssl_error = Ssl::GetErrorCode(errorName.termedBuf()); + Security::ErrorCode ssl_error = Ssl::GetErrorCode(errorName.termedBuf()); if (ssl_error != SSL_ERROR_NONE) { if (theDetails->getErrorDetail(ssl_error)) { diff --git a/src/ssl/ErrorDetailManager.h b/src/ssl/ErrorDetailManager.h index 7904eeee50..d62a68d694 100644 --- a/src/ssl/ErrorDetailManager.h +++ b/src/ssl/ErrorDetailManager.h @@ -25,7 +25,7 @@ namespace Ssl class ErrorDetailEntry { public: - Ssl::ssl_error_t error_no; ///< The SSL error code + Security::ErrorCode error_no; ///< The SSL error code String name; ///< a name for the error String detail; ///< for error page %D macro expansion; may contain macros String descr; ///< short error description (for use in debug messages or error pages) @@ -43,12 +43,12 @@ public: * Retrieves the error details for a given error to "entry" object * \return true on success, false otherwise */ - bool getRecord(Ssl::ssl_error_t value, ErrorDetailEntry &entry); - const char *getErrorDescr(Ssl::ssl_error_t value); ///< an error description for an error if exist in list. - const char *getErrorDetail(Ssl::ssl_error_t value); ///< an error details for an error if exist in list. + bool getRecord(Security::ErrorCode value, ErrorDetailEntry &entry); + const char *getErrorDescr(Security::ErrorCode value); ///< an error description for an error if exist in list. + const char *getErrorDetail(Security::ErrorCode value); ///< an error details for an error if exist in list. String errLanguage; ///< The language of the error-details.txt template, if any - typedef std::map ErrorDetails; + typedef std::map ErrorDetails; ErrorDetails theList; ///< The list of error details entries }; @@ -73,9 +73,9 @@ public: * \param entry where to store error details * \return true on success, false otherwise */ - bool getErrorDetail(Ssl::ssl_error_t value, const HttpRequest::Pointer &request, ErrorDetailEntry &entry); - const char *getDefaultErrorDescr(Ssl::ssl_error_t value); ///< the default error description for a given error - const char *getDefaultErrorDetail(Ssl::ssl_error_t value); ///< the default error details for a given error + bool getErrorDetail(Security::ErrorCode value, const HttpRequest::Pointer &request, ErrorDetailEntry &entry); + const char *getDefaultErrorDescr(Security::ErrorCode value); ///< the default error description for a given error + const char *getDefaultErrorDetail(Security::ErrorCode value); ///< the default error details for a given error private: /// Return cached error details list for a given language if exist diff --git a/src/ssl/cert_validate_message.h b/src/ssl/cert_validate_message.h index c9f4ff14d3..382d1274a5 100644 --- a/src/ssl/cert_validate_message.h +++ b/src/ssl/cert_validate_message.h @@ -53,7 +53,7 @@ public: RecvdError & operator =(const RecvdError &); void setCert(X509 *); ///< Sets cert to the given certificate int id; ///< The id of the error - ssl_error_t error_no; ///< The OpenSSL error code + Security::ErrorCode error_no; ///< The OpenSSL error code std::string error_reason; ///< A string describing the error Security::CertPointer cert; ///< The broken certificate int error_depth; ///< The error depth diff --git a/src/ssl/support.cc b/src/ssl/support.cc index bd28f5539f..06bd827e87 100644 --- a/src/ssl/support.cc +++ b/src/ssl/support.cc @@ -230,7 +230,7 @@ static int ssl_verify_cb(int ok, X509_STORE_CTX * ctx) { // preserve original ctx->error before SSL_ calls can overwrite it - Ssl::ssl_error_t error_no = ok ? SSL_ERROR_NONE : ctx->error; + Security::ErrorCode error_no = ok ? SSL_ERROR_NONE : ctx->error; char buffer[256] = ""; SSL *ssl = (SSL *)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); @@ -1448,7 +1448,7 @@ Ssl::CreateServer(Security::ContextPtr sslContext, const Comm::ConnectionPointer return SslCreate(sslContext, c, Ssl::Bio::BIO_TO_CLIENT, squidCtx); } -Ssl::CertError::CertError(ssl_error_t anErr, X509 *aCert, int aDepth): code(anErr), depth(aDepth) +Ssl::CertError::CertError(Security::ErrorCode anErr, X509 *aCert, int aDepth): code(anErr), depth(aDepth) { cert.resetAndLock(aCert); } diff --git a/src/ssl/support.h b/src/ssl/support.h index 47012a44b6..ce337aab70 100644 --- a/src/ssl/support.h +++ b/src/ssl/support.h @@ -69,10 +69,7 @@ namespace Ssl /// call before generating any SSL context void Initialize(); -/// Squid defined error code (<0), an error code returned by SSL X509 api, or SSL_ERROR_NONE -typedef int ssl_error_t; - -typedef CbDataList Errors; +typedef CbDataList Errors; class ErrorDetail; class CertValidationResponse; @@ -91,7 +88,7 @@ bool CreateServer(Security::ContextPtr sslContext, const Comm::ConnectionPointer class CertError { public: - ssl_error_t code; ///< certificate error code + Security::ErrorCode code; ///< certificate error code Security::CertPointer cert; ///< certificate with the above error code /** * Absolute cert position in the final certificate chain that may include @@ -99,7 +96,7 @@ public: * towards the root certificate. Negative if unknown. */ int depth; - CertError(ssl_error_t anErr, X509 *aCert, int depth = -1); + CertError(Security::ErrorCode anErr, X509 *aCert, int depth = -1); bool operator == (const CertError &ce) const { // We expect to be used in contexts where identical certificates have // identical pointers. diff --git a/src/tests/stub_libsslsquid.cc b/src/tests/stub_libsslsquid.cc index bda3035759..3eb68756d7 100644 --- a/src/tests/stub_libsslsquid.cc +++ b/src/tests/stub_libsslsquid.cc @@ -41,17 +41,16 @@ void Ssl::GlobalContextStorage::reconfigureStart() STUB //Ssl::GlobalContextStorage Ssl::TheGlobalContextStorage; #include "ssl/ErrorDetail.h" -Ssl::ssl_error_t parseErrorString(const char *name) STUB_RETVAL(0) -//const char *Ssl::getErrorName(ssl_error_t value) STUB_RETVAL(NULL) -Ssl::ErrorDetail::ErrorDetail(ssl_error_t err_no, X509 *, X509 *, const char *) STUB +Security::ErrorCode parseErrorString(const char *name) STUB_RETVAL(0) +//const char *Ssl::getErrorName(Security::ErrorCode value) STUB_RETVAL(NULL) +Ssl::ErrorDetail::ErrorDetail(Security::ErrorCode, X509 *, X509 *, const char *) STUB Ssl::ErrorDetail::ErrorDetail(ErrorDetail const &) STUB const String & Ssl::ErrorDetail::toString() const STUB_RETSTATREF(String) #include "ssl/support.h" namespace Ssl { -//CertError::CertError(ssl_error_t anErr, X509 *aCert) STUB -//CertError::CertError(CertError const &err) STUB +//CertError::CertError(Security::ErrorCode, X509 *) STUB bool InitServerContext(const Security::ContextPointer &, AnyP::PortCfg &) STUB_RETVAL(false) bool InitClientContext(Security::ContextPtr &, Security::PeerOptions &, long, const char *) STUB_RETVAL(false) } // namespace Ssl