From: Amos Jeffries Date: Tue, 13 Sep 2016 11:38:07 +0000 (+1200) Subject: Move Ssl::CertError(s) to libsecurity X-Git-Tag: SQUID_4_0_15~45 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=92e3827b8151bd9f0198a7c6fc04fbb6c4f8f400;p=thirdparty%2Fsquid.git Move Ssl::CertError(s) to libsecurity --- diff --git a/src/AclRegs.cc b/src/AclRegs.cc index 694243df75..2c4c7b9649 100644 --- a/src/AclRegs.cc +++ b/src/AclRegs.cc @@ -170,7 +170,7 @@ ACLStrategised ACLUrlPort::RegistryEntry_(new ACLIntRange, ACLUrlPortStrate #if USE_OPENSSL ACL::Prototype ACLSslError::RegistryProtoype(&ACLSslError::RegistryEntry_, "ssl_error"); -ACLStrategised ACLSslError::RegistryEntry_(new ACLSslErrorData, ACLSslErrorStrategy::Instance(), "ssl_error"); +ACLStrategised ACLSslError::RegistryEntry_(new ACLSslErrorData, ACLSslErrorStrategy::Instance(), "ssl_error"); ACL::Prototype ACLCertificate::UserRegistryProtoype(&ACLCertificate::UserRegistryEntry_, "user_cert"); ACLStrategised ACLCertificate::UserRegistryEntry_(new ACLCertificateData (Ssl::GetX509UserAttribute, "*"), ACLCertificateStrategy::Instance(), "user_cert"); ACL::Prototype ACLCertificate::CARegistryProtoype(&ACLCertificate::CARegistryEntry_, "ca_cert"); diff --git a/src/acl/FilledChecklist.h b/src/acl/FilledChecklist.h index b7b0c99705..ba14263735 100644 --- a/src/acl/FilledChecklist.h +++ b/src/acl/FilledChecklist.h @@ -18,9 +18,7 @@ #if USE_AUTH #include "auth/UserRequest.h" #endif -#if USE_OPENSSL -#include "ssl/support.h" -#endif +#include "security/CertError.h" class CachePeer; class ConnStateData; @@ -83,12 +81,10 @@ public: char *snmp_community; #endif -#if USE_OPENSSL /// SSL [certificate validation] errors, in undefined order - const Ssl::CertErrors *sslErrors; + const Security::CertErrors *sslErrors; /// The peer certificate Security::CertPointer serverCert; -#endif AccessLogEntry::Pointer al; ///< info for the future access.log, and external ACL diff --git a/src/acl/SslError.h b/src/acl/SslError.h index 22b405f80d..1c94744276 100644 --- a/src/acl/SslError.h +++ b/src/acl/SslError.h @@ -8,11 +8,11 @@ #ifndef SQUID_ACLSSL_ERROR_H #define SQUID_ACLSSL_ERROR_H + #include "acl/Strategised.h" #include "acl/Strategy.h" -#include "ssl/support.h" -class ACLSslErrorStrategy : public ACLStrategy +class ACLSslErrorStrategy : public ACLStrategy { public: @@ -35,7 +35,7 @@ class ACLSslError private: static ACL::Prototype RegistryProtoype; - static ACLStrategised RegistryEntry_; + static ACLStrategised RegistryEntry_; }; #endif /* SQUID_ACLSSL_ERROR_H */ diff --git a/src/acl/SslErrorData.cc b/src/acl/SslErrorData.cc index 2dc0a47ba1..7d196c8792 100644 --- a/src/acl/SslErrorData.cc +++ b/src/acl/SslErrorData.cc @@ -10,13 +10,14 @@ #include "acl/Checklist.h" #include "acl/SslErrorData.h" #include "ssl/ErrorDetail.h" +#include "security/CertError.h" ACLSslErrorData::ACLSslErrorData(ACLSslErrorData const &o) : values(o.values) {} bool -ACLSslErrorData::match(const Ssl::CertErrors *toFind) +ACLSslErrorData::match(const Security::CertErrors *toFind) { for (const auto *err = toFind; err; err = err->next) { if (values.count(err->element.code)) diff --git a/src/acl/SslErrorData.h b/src/acl/SslErrorData.h index 9a3f1b5386..1715bde218 100644 --- a/src/acl/SslErrorData.h +++ b/src/acl/SslErrorData.h @@ -11,9 +11,9 @@ #include "acl/Acl.h" #include "acl/Data.h" -#include "ssl/support.h" +#include "security/forward.h" -class ACLSslErrorData : public ACLData +class ACLSslErrorData : public ACLData { MEMPROXY_CLASS(ACLSslErrorData); @@ -22,7 +22,7 @@ public: ACLSslErrorData(ACLSslErrorData const &); ACLSslErrorData &operator= (ACLSslErrorData const &); virtual ~ACLSslErrorData() {} - bool match(const Ssl::CertErrors *); + bool match(const Security::CertErrors *); virtual SBufList dump() const; void parse(); bool empty() const { return values.empty(); } diff --git a/src/client_side.cc b/src/client_side.cc index a50307cf98..1fa2ea3a7a 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -1508,16 +1508,16 @@ bool ConnStateData::serveDelayedError(Http::Stream *context) // In bump-server-first mode, we have not necessarily seen the intended // server name at certificate-peeking time. Check for domain mismatch now, // when we can extract the intended name from the bumped HTTP request. - if (X509 *srvCert = sslServerBump->serverCert.get()) { + if (const Security::CertPointer &srvCert = sslServerBump->serverCert) { HttpRequest *request = http->request; - if (!Ssl::checkX509ServerValidity(srvCert, request->url.host())) { + if (!Ssl::checkX509ServerValidity(srvCert.get(), request->url.host())) { debugs(33, 2, "SQUID_X509_V_ERR_DOMAIN_MISMATCH: Certificate " << "does not match domainname " << request->url.host()); bool allowDomainMismatch = false; if (Config.ssl_client.cert_error) { ACLFilledChecklist check(Config.ssl_client.cert_error, request, dash_str); - check.sslErrors = new Ssl::CertErrors(Ssl::CertError(SQUID_X509_V_ERR_DOMAIN_MISMATCH, srvCert)); + check.sslErrors = new Security::CertErrors(Security::CertError(SQUID_X509_V_ERR_DOMAIN_MISMATCH, srvCert)); allowDomainMismatch = (check.fastCheck() == ACCESS_ALLOWED); delete check.sslErrors; check.sslErrors = NULL; @@ -1539,7 +1539,7 @@ bool ConnStateData::serveDelayedError(Http::Stream *context) err->src_addr = clientConnection->remote; Ssl::ErrorDetail *errDetail = new Ssl::ErrorDetail( SQUID_X509_V_ERR_DOMAIN_MISMATCH, - srvCert, NULL); + srvCert.get(), nullptr); err->detail = errDetail; // Save the original request for logging purposes. if (!context->http->al->request) { diff --git a/src/format/Format.cc b/src/format/Format.cc index ca31e0d2b7..97484c232a 100644 --- a/src/format/Format.cc +++ b/src/format/Format.cc @@ -21,6 +21,7 @@ #include "HttpRequest.h" #include "MemBuf.h" #include "rfc1738.h" +#include "security/CertError.h" #include "security/NegotiationHistory.h" #include "SquidTime.h" #include "Store.h" @@ -1261,7 +1262,7 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS if (al->request && al->request->clientConnectionManager.valid()) { if (Ssl::ServerBump * srvBump = al->request->clientConnectionManager->serverBump()) { const char *separator = fmt->data.string ? fmt->data.string : ":"; - for (Ssl::CertErrors const *sslError = srvBump->sslErrors(); sslError != NULL; sslError = sslError->next) { + for (const Security::CertErrors *sslError = srvBump->sslErrors(); sslError != nullptr; sslError = sslError->next) { if (sb.size()) sb.append(separator); if (const char *errorName = Ssl::GetErrorName(sslError->element.code)) diff --git a/src/security/CertError.h b/src/security/CertError.h new file mode 100644 index 0000000000..ac096fa0cc --- /dev/null +++ b/src/security/CertError.h @@ -0,0 +1,51 @@ +/* + * Copyright (C) 1996-2016 The Squid Software Foundation and contributors + * + * Squid software is distributed under GPLv2+ license and includes + * contributions from numerous individuals and organizations. + * Please see the COPYING and CONTRIBUTORS files for details. + */ + +#ifndef SQUID_SRC_SECURITY_CERTERROR_H +#define SQUID_SRC_SECURITY_CERTERROR_H + +#include "security/forward.h" + +namespace Security +{ + +/// An X.509 certificate-related error. +/// Pairs an error code with the certificate experiencing the error. +class CertError +{ +public: + CertError(int anErr, const Security::CertPointer &aCert, int aDepth = -1) : + code(anErr), cert(aCert), depth(aDepth) + {} + + bool operator == (const CertError &ce) const { + // We expect to be used in contexts where identical certificates have + // identical pointers. + return code == ce.code && depth == ce.depth && cert == ce.cert; + } + + bool operator != (const CertError &ce) const { + return !(*this == ce); + } + +public: + Security::ErrorCode code; ///< certificate error code + Security::CertPointer cert; ///< certificate with the above error code + + /** + * Absolute cert position in the final certificate chain that may include + * intermediate certificates. Chain positions start with zero and increase + * towards the root certificate. Negative if unknown. + */ + int depth; +}; + +} // namespace Security + +#endif /* SQUID_SRC_SECURITY_CERTERROR_H */ + diff --git a/src/security/LockingPointer.h b/src/security/LockingPointer.h index 6024451240..f9ca101d98 100644 --- a/src/security/LockingPointer.h +++ b/src/security/LockingPointer.h @@ -85,6 +85,8 @@ public: bool operator !() const { return !raw; } explicit operator bool() const { return raw; } + bool operator ==(const SelfType &o) const { return (o.get() == raw); } + bool operator !=(const SelfType &o) const { return (o.get() != raw); } /// Returns raw and possibly nullptr pointer T *get() const { return raw; } diff --git a/src/security/Makefile.am b/src/security/Makefile.am index ccc752235c..d3020a0061 100644 --- a/src/security/Makefile.am +++ b/src/security/Makefile.am @@ -15,6 +15,7 @@ noinst_LTLIBRARIES = libsecurity.la libsecurity_la_SOURCES= \ BlindPeerConnector.cc \ BlindPeerConnector.h \ + CertError.h \ Context.h \ EncryptorAnswer.cc \ EncryptorAnswer.h \ diff --git a/src/security/PeerConnector.cc b/src/security/PeerConnector.cc index 30ae857dd2..4aacb070ed 100644 --- a/src/security/PeerConnector.cc +++ b/src/security/PeerConnector.cc @@ -208,7 +208,7 @@ Security::PeerConnector::sslFinalized() // Ssl::CertValidationHelper::submit method. validationRequest.ssl = ssl; validationRequest.domainName = request->url.host(); - if (Ssl::CertErrors *errs = static_cast(SSL_get_ex_data(ssl, ssl_ex_index_ssl_errors))) + if (Security::CertErrors *errs = static_cast(SSL_get_ex_data(ssl, ssl_ex_index_ssl_errors))) // validationRequest disappears on return so no need to cbdataReference validationRequest.errors = errs; else @@ -253,9 +253,9 @@ Security::PeerConnector::sslCrtvdHandleReply(Ssl::CertValidationResponse::Pointe debugs(83,5, request->url.host() << " cert validation result: " << validationResponse->resultCode); if (validationResponse->resultCode == ::Helper::Error) { - if (Ssl::CertErrors *errs = sslCrtvdCheckForErrors(*validationResponse, errDetails)) { + if (Security::CertErrors *errs = sslCrtvdCheckForErrors(*validationResponse, errDetails)) { Security::SessionPtr ssl = fd_table[serverConnection()->fd].ssl.get(); - Ssl::CertErrors *oldErrs = static_cast(SSL_get_ex_data(ssl, ssl_ex_index_ssl_errors)); + Security::CertErrors *oldErrs = static_cast(SSL_get_ex_data(ssl, ssl_ex_index_ssl_errors)); SSL_set_ex_data(ssl, ssl_ex_index_ssl_errors, (void *)errs); delete oldErrs; } @@ -287,18 +287,17 @@ Security::PeerConnector::sslCrtvdHandleReply(Ssl::CertValidationResponse::Pointe #if USE_OPENSSL /// Checks errors in the cert. validator response against sslproxy_cert_error. /// The first honored error, if any, is returned via errDetails parameter. -/// The method returns all seen errors except SSL_ERROR_NONE as Ssl::CertErrors. -Ssl::CertErrors * +/// The method returns all seen errors except SSL_ERROR_NONE as Security::CertErrors. +Security::CertErrors * Security::PeerConnector::sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &resp, Ssl::ErrorDetail *& errDetails) { - Ssl::CertErrors *errs = NULL; - ACLFilledChecklist *check = NULL; if (acl_access *acl = ::Config.ssl_client.cert_error) { check = new ACLFilledChecklist(acl, request.getRaw(), dash_str); check->al = al; } + Security::CertErrors *errs = nullptr; Security::SessionPtr ssl = fd_table[serverConnection()->fd].ssl.get(); typedef Ssl::CertValidationResponse::RecvdErrors::const_iterator SVCRECI; for (SVCRECI i = resp.errors.begin(); i != resp.errors.end(); ++i) { @@ -309,7 +308,7 @@ Security::PeerConnector::sslCrtvdCheckForErrors(Ssl::CertValidationResponse cons if (!errDetails) { bool allowed = false; if (check) { - check->sslErrors = new Ssl::CertErrors(Ssl::CertError(i->error_no, i->cert.get(), i->error_depth)); + check->sslErrors = new Security::CertErrors(Security::CertError(i->error_no, i->cert, i->error_depth)); if (check->fastCheck() == ACCESS_ALLOWED) allowed = true; } @@ -332,9 +331,9 @@ Security::PeerConnector::sslCrtvdCheckForErrors(Ssl::CertValidationResponse cons } if (!errs) - errs = new Ssl::CertErrors(Ssl::CertError(i->error_no, i->cert.get(), i->error_depth)); + errs = new Security::CertErrors(Security::CertError(i->error_no, i->cert, i->error_depth)); else - errs->push_back_unique(Ssl::CertError(i->error_no, i->cert.get(), i->error_depth)); + errs->push_back_unique(Security::CertError(i->error_no, i->cert, i->error_depth)); } if (check) delete check; diff --git a/src/security/PeerConnector.h b/src/security/PeerConnector.h index b1f7cd220f..618c23ed42 100644 --- a/src/security/PeerConnector.h +++ b/src/security/PeerConnector.h @@ -188,7 +188,7 @@ private: void sslCrtvdHandleReply(Ssl::CertValidationResponsePointer); /// Check SSL errors returned from cert validator against sslproxy_cert_error access list - Ssl::CertErrors *sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &, Ssl::ErrorDetail *&); + Security::CertErrors *sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &, Ssl::ErrorDetail *&); #endif /// A wrapper function for negotiateSsl for use with Comm::SetSelect diff --git a/src/security/forward.h b/src/security/forward.h index d762893f15..8f96b8ef47 100644 --- a/src/security/forward.h +++ b/src/security/forward.h @@ -9,6 +9,7 @@ #ifndef SQUID_SRC_SECURITY_FORWARD_H #define SQUID_SRC_SECURITY_FORWARD_H +#include "base/CbDataList.h" #include "security/Context.h" #include "security/Session.h" @@ -43,6 +44,10 @@ namespace Security { +class CertError; +/// Holds a list of X.509 certificate errors +typedef CbDataList CertErrors; + #if USE_OPENSSL CtoCpp1(X509_free, X509 *) typedef Security::LockingPointer CertPointer; diff --git a/src/ssl/ServerBump.cc b/src/ssl/ServerBump.cc index 7d7f06ba89..c16dbdb8d9 100644 --- a/src/ssl/ServerBump.cc +++ b/src/ssl/ServerBump.cc @@ -60,13 +60,13 @@ Ssl::ServerBump::attachServerSSL(SSL *ssl) serverSSL.resetAndLock(ssl); } -const Ssl::CertErrors * +const Security::CertErrors * Ssl::ServerBump::sslErrors() const { if (!serverSSL.get()) return NULL; - const Ssl::CertErrors *errs = static_cast(SSL_get_ex_data(serverSSL.get(), ssl_ex_index_ssl_errors)); + const Security::CertErrors *errs = static_cast(SSL_get_ex_data(serverSSL.get(), ssl_ex_index_ssl_errors)); return errs; } diff --git a/src/ssl/ServerBump.h b/src/ssl/ServerBump.h index 9f22c3b6fd..638f7727cc 100644 --- a/src/ssl/ServerBump.h +++ b/src/ssl/ServerBump.h @@ -33,7 +33,7 @@ public: explicit ServerBump(HttpRequest *fakeRequest, StoreEntry *e = NULL, Ssl::BumpMode mode = Ssl::bumpServerFirst); ~ServerBump(); void attachServerSSL(SSL *); ///< Sets the server SSL object - const Ssl::CertErrors *sslErrors() const; ///< SSL [certificate validation] errors + const Security::CertErrors *sslErrors() const; ///< SSL [certificate validation] errors /// faked, minimal request; required by Client API HttpRequest::Pointer request; diff --git a/src/ssl/cert_validate_message.cc b/src/ssl/cert_validate_message.cc index 7c2249ed61..8e2d6acc1b 100644 --- a/src/ssl/cert_validate_message.cc +++ b/src/ssl/cert_validate_message.cc @@ -10,6 +10,7 @@ #include "acl/FilledChecklist.h" #include "globals.h" #include "helper.h" +#include "security/CertError.h" #include "ssl/cert_validate_message.h" #include "ssl/ErrorDetail.h" #include "ssl/support.h" @@ -48,7 +49,7 @@ Ssl::CertValidationMsg::composeRequest(CertValidationRequest const &vcert) if (vcert.errors) { int i = 0; - for (const Ssl::CertErrors *err = vcert.errors; err; err = err->next, ++i) { + for (const Security::CertErrors *err = vcert.errors; err; err = err->next, ++i) { body +="\n"; body = body + param_error_name + xitoa(i) + "=" + GetErrorName(err->element.code) + "\n"; int errorCertPos = -1; diff --git a/src/ssl/cert_validate_message.h b/src/ssl/cert_validate_message.h index 382d1274a5..299395cdbb 100644 --- a/src/ssl/cert_validate_message.h +++ b/src/ssl/cert_validate_message.h @@ -27,7 +27,7 @@ class CertValidationRequest { public: SSL *ssl; - CertErrors *errors; ///< The list of errors detected + Security::CertErrors *errors; ///< The list of errors detected std::string domainName; ///< The server name CertValidationRequest() : ssl(NULL), errors(NULL) {} }; diff --git a/src/ssl/support.cc b/src/ssl/support.cc index 06bd827e87..500ec04d72 100644 --- a/src/ssl/support.cc +++ b/src/ssl/support.cc @@ -22,6 +22,7 @@ #include "fde.h" #include "globals.h" #include "ipc/MemMap.h" +#include "security/CertError.h" #include "SquidConfig.h" #include "SquidTime.h" #include "ssl/bio.h" @@ -239,10 +240,10 @@ ssl_verify_cb(int ok, X509_STORE_CTX * ctx) void *dont_verify_domain = SSL_CTX_get_ex_data(sslctx, ssl_ctx_ex_index_dont_verify_domain); ACLChecklist *check = (ACLChecklist*)SSL_get_ex_data(ssl, ssl_ex_index_cert_error_check); X509 *peeked_cert = (X509 *)SSL_get_ex_data(ssl, ssl_ex_index_ssl_peeked_cert); - X509 *peer_cert = ctx->cert; + Security::CertPointer peer_cert; + peer_cert.resetAndLock(ctx->cert); - X509_NAME_oneline(X509_get_subject_name(peer_cert), buffer, - sizeof(buffer)); + X509_NAME_oneline(X509_get_subject_name(peer_cert.get()), buffer, sizeof(buffer)); // detect infinite loops uint32_t *validationCounter = static_cast(SSL_get_ex_data(ssl, ssl_ex_index_ssl_validation_counter)); @@ -265,8 +266,8 @@ ssl_verify_cb(int ok, X509_STORE_CTX * ctx) debugs(83, 5, "SSL Certificate signature OK: " << buffer); // Check for domain mismatch only if the current certificate is the peer certificate. - if (!dont_verify_domain && server && peer_cert == X509_STORE_CTX_get_current_cert(ctx)) { - if (!Ssl::checkX509ServerValidity(peer_cert, server->c_str())) { + if (!dont_verify_domain && server && peer_cert.get() == X509_STORE_CTX_get_current_cert(ctx)) { + if (!Ssl::checkX509ServerValidity(peer_cert.get(), server->c_str())) { debugs(83, 2, "SQUID_X509_V_ERR_DOMAIN_MISMATCH: Certificate " << buffer << " does not match domainname " << server); ok = 0; error_no = SQUID_X509_V_ERR_DOMAIN_MISMATCH; @@ -276,7 +277,7 @@ ssl_verify_cb(int ok, X509_STORE_CTX * ctx) if (ok && peeked_cert) { // Check whether the already peeked certificate matches the new one. - if (X509_cmp(peer_cert, peeked_cert) != 0) { + if (X509_cmp(peer_cert.get(), peeked_cert) != 0) { debugs(83, 2, "SQUID_X509_V_ERR_CERT_CHANGE: Certificate " << buffer << " does not match peeked certificate"); ok = 0; error_no = SQUID_X509_V_ERR_CERT_CHANGE; @@ -284,21 +285,22 @@ ssl_verify_cb(int ok, X509_STORE_CTX * ctx) } if (!ok) { - X509 *broken_cert = X509_STORE_CTX_get_current_cert(ctx); + Security::CertPointer broken_cert; + broken_cert.resetAndLock(X509_STORE_CTX_get_current_cert(ctx)); if (!broken_cert) broken_cert = peer_cert; - Ssl::CertErrors *errs = static_cast(SSL_get_ex_data(ssl, ssl_ex_index_ssl_errors)); + Security::CertErrors *errs = static_cast(SSL_get_ex_data(ssl, ssl_ex_index_ssl_errors)); const int depth = X509_STORE_CTX_get_error_depth(ctx); if (!errs) { - errs = new Ssl::CertErrors(Ssl::CertError(error_no, broken_cert, depth)); + errs = new Security::CertErrors(Security::CertError(error_no, broken_cert, depth)); if (!SSL_set_ex_data(ssl, ssl_ex_index_ssl_errors, (void *)errs)) { debugs(83, 2, "Failed to set ssl error_no in ssl_verify_cb: Certificate " << buffer); delete errs; errs = NULL; } } else // remember another error number - errs->push_back_unique(Ssl::CertError(error_no, broken_cert, depth)); + errs->push_back_unique(Security::CertError(error_no, broken_cert, depth)); if (const char *err_descr = Ssl::GetErrorDescr(error_no)) debugs(83, 5, err_descr << ": " << buffer); @@ -311,8 +313,8 @@ ssl_verify_cb(int ok, X509_STORE_CTX * ctx) if (check) { ACLFilledChecklist *filledCheck = Filled(check); assert(!filledCheck->sslErrors); - filledCheck->sslErrors = new Ssl::CertErrors(Ssl::CertError(error_no, broken_cert)); - filledCheck->serverCert.resetAndLock(peer_cert); + filledCheck->sslErrors = new Security::CertErrors(Security::CertError(error_no, broken_cert)); + filledCheck->serverCert = peer_cert; if (check->fastCheck() == ACCESS_ALLOWED) { debugs(83, 3, "bypassing SSL error " << error_no << " in " << buffer); ok = 1; @@ -343,17 +345,15 @@ ssl_verify_cb(int ok, X509_STORE_CTX * ctx) if (!ok && !SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail) ) { // Find the broken certificate. It may be intermediate. - X509 *broken_cert = peer_cert; // reasonable default if search fails + Security::CertPointer broken_cert(peer_cert); // reasonable default if search fails // Our SQUID_X509_V_ERR_DOMAIN_MISMATCH implies peer_cert is at fault. if (error_no != SQUID_X509_V_ERR_DOMAIN_MISMATCH) { - if (X509 *last_used_cert = X509_STORE_CTX_get_current_cert(ctx)) - broken_cert = last_used_cert; + if (auto *last_used_cert = X509_STORE_CTX_get_current_cert(ctx)) + broken_cert.resetAndLock(last_used_cert); } - Ssl::ErrorDetail *errDetail = - new Ssl::ErrorDetail(error_no, peer_cert, broken_cert); - - if (!SSL_set_ex_data(ssl, ssl_ex_index_ssl_error_detail, errDetail)) { + auto *errDetail = new Ssl::ErrorDetail(error_no, peer_cert.get(), broken_cert.get()); + if (!SSL_set_ex_data(ssl, ssl_ex_index_ssl_error_detail, errDetail)) { debugs(83, 2, "Failed to set Ssl::ErrorDetail in ssl_verify_cb: Certificate " << buffer); delete errDetail; } @@ -394,7 +394,7 @@ static void ssl_free_SslErrors(void *, void *ptr, CRYPTO_EX_DATA *, int, long, void *) { - Ssl::CertErrors *errs = static_cast (ptr); + Security::CertErrors *errs = static_cast (ptr); delete errs; } @@ -1448,11 +1448,6 @@ Ssl::CreateServer(Security::ContextPtr sslContext, const Comm::ConnectionPointer return SslCreate(sslContext, c, Ssl::Bio::BIO_TO_CLIENT, squidCtx); } -Ssl::CertError::CertError(Security::ErrorCode anErr, X509 *aCert, int aDepth): code(anErr), depth(aDepth) -{ - cert.resetAndLock(aCert); -} - static int store_session_cb(SSL *ssl, SSL_SESSION *session) { diff --git a/src/ssl/support.h b/src/ssl/support.h index 22a37c3f01..fec780d783 100644 --- a/src/ssl/support.h +++ b/src/ssl/support.h @@ -81,33 +81,6 @@ bool CreateClient(Security::ContextPtr sslContext, const Comm::ConnectionPointer /// On errors, emits DBG_IMPORTANT with details and returns false. bool CreateServer(Security::ContextPtr sslContext, const Comm::ConnectionPointer &, const char *squidCtx); -/// An SSL certificate-related error. -/// Pairs an error code with the certificate experiencing the error. -class CertError -{ -public: - Security::ErrorCode code; ///< certificate error code - Security::CertPointer cert; ///< certificate with the above error code - /** - * Absolute cert position in the final certificate chain that may include - * intermediate certificates. Chain positions start with zero and increase - * towards the root certificate. Negative if unknown. - */ - int depth; - CertError(Security::ErrorCode anErr, X509 *aCert, int depth = -1); - bool operator == (const CertError &ce) const { - // We expect to be used in contexts where identical certificates have - // identical pointers. - return code == ce.code && depth == ce.depth && cert.get() == ce.cert.get(); - } - bool operator != (const CertError &ce) const { - return !(*this == ce); - } -}; - -/// Holds a list of certificate SSL errors -typedef CbDataList CertErrors; - void SetSessionCallbacks(Security::ContextPtr); extern Ipc::MemMap *SessionCache; extern const char *SessionCacheName; diff --git a/src/tests/stub_libsslsquid.cc b/src/tests/stub_libsslsquid.cc index 3eb68756d7..801bfa8ecf 100644 --- a/src/tests/stub_libsslsquid.cc +++ b/src/tests/stub_libsslsquid.cc @@ -50,7 +50,6 @@ const String & Ssl::ErrorDetail::toString() const STUB_RETSTATREF(String) #include "ssl/support.h" namespace Ssl { -//CertError::CertError(Security::ErrorCode, X509 *) STUB bool InitServerContext(const Security::ContextPointer &, AnyP::PortCfg &) STUB_RETVAL(false) bool InitClientContext(Security::ContextPtr &, Security::PeerOptions &, long, const char *) STUB_RETVAL(false) } // namespace Ssl