From cb0b3d63ecec34d5378434d54312f9af8e9a3aab Mon Sep 17 00:00:00 2001 From: Amos Jeffries Date: Tue, 2 Feb 2016 00:52:03 +1300 Subject: [PATCH] SourceLayout: rename ssl_crtd helper to security_file_certgen * Add --enable-security-cert-generators="..." option to build sslcrtd_program helpers * Separate --enable-ssl-crtd from helper build and install * Shuffle ssl_crtd to src/security/cert_generators and rename to reflect its helper interface and filesystem backend. Squid binary or helper binary logic changes in this. Just ./configure build system logic changes. --- configure.ac | 28 ++++---- doc/release-notes/release-4.sgml | 15 ++++- src/Makefile.am | 7 +- src/cf.data.pre | 3 +- src/client_side.cc | 4 -- src/main.cc | 3 - src/security/Makefile.am | 2 +- src/security/cert_generators/Makefile.am | 10 +++ src/security/cert_generators/file/Makefile.am | 24 +++++++ .../cert_generators/file}/certificate_db.cc | 2 +- .../cert_generators/file}/certificate_db.h | 0 src/security/cert_generators/file/required.m4 | 10 +++ .../file/security_file_certgen.8} | 20 +++--- .../cert_generators/file}/ssl_crtd.cc | 2 +- src/security/cert_generators/helpers.m4 | 67 +++++++++++++++++++ src/security/cert_validators/helpers.m4 | 6 +- src/ssl/Makefile.am | 25 +------ src/ssl/helper.h | 2 +- 18 files changed, 163 insertions(+), 67 deletions(-) create mode 100644 src/security/cert_generators/Makefile.am create mode 100644 src/security/cert_generators/file/Makefile.am rename src/{ssl => security/cert_generators/file}/certificate_db.cc (99%) rename src/{ssl => security/cert_generators/file}/certificate_db.h (100%) create mode 100644 src/security/cert_generators/file/required.m4 rename src/{ssl/ssl_crtd.8 => security/cert_generators/file/security_file_certgen.8} (90%) rename src/{ssl => security/cert_generators/file}/ssl_crtd.cc (99%) create mode 100644 src/security/cert_generators/helpers.m4 diff --git a/configure.ac b/configure.ac index d61e5260cc..d1b73bcbfc 100644 --- a/configure.ac 
+++ b/configure.ac @@ -2446,21 +2446,6 @@ AC_ARG_ENABLE(ident-lookups, AC_MSG_NOTICE([Support for Ident lookups enabled: ${enable_ident_lookups:=yes}]) SQUID_DEFINE_BOOL(USE_IDENT,$enable_ident_lookups,[Support for Ident (RFC 931) lookups]) -AM_CONDITIONAL(USE_SSL_CRTD, false) -AC_ARG_ENABLE(ssl-crtd, - AC_HELP_STRING([--enable-ssl-crtd], - [Prevent Squid from directly generation of SSL private key and - certificate request and instead enables the ssl_crtd processes.]), [ - SQUID_YESNO([$enableval], - [unrecogized argument to --enable-ssl-crtd: $enableval]) -]) - -if test "x$enable_ssl_crtd" = "xyes" -a "x$with_openssl" = "xno" ; then - AC_MSG_ERROR([You need to enable ssl gatewaying support to use ssl_crtd feature. Try to use --with-openssl. ]) -fi -SQUID_DEFINE_BOOL(USE_SSL_CRTD, ${enable_ssl_crtd:=no},[Use ssl_crtd daemon]) -AM_CONDITIONAL(USE_SSL_CRTD, [test "x$enable_ssl_crtd" = "xyes"]) - dnl Select Default hosts file location AC_ARG_ENABLE(default-hostsfile, AS_HELP_STRING([--enable-default-hostsfile=path], @@ -2598,6 +2583,17 @@ AC_ARG_ENABLE(security-cert-validator-helpers, ]) m4_include([src/security/cert_validators/helpers.m4]) +AC_ARG_ENABLE(security-cert-generators, + AS_HELP_STRING([--enable-security-cert-generators="list of helpers"], + [This option selects which security certificate validator + helpers to build and install as part of the normal build + process. The default is to attempt the build of all possible + helpers. Use --disable-security-cert-genrators to + build none. For a list of available helpers see the + src/security/cert_generators/ directory.]),[ +]) +m4_include([src/security/cert_generators/helpers.m4]) + dnl Select storeid_rewrite helpers to build AC_ARG_ENABLE(storeid-rewrite-helpers, AS_HELP_STRING([--enable-storeid-rewrite-helpers="list of helpers"], 
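Review bot: The new `AC_ARG_ENABLE(security-cert-generators, ...)` defines `$enable_security_cert_generators`, but the `src/security/cert_generators/helpers.m4` it includes reads `${enable_security_cert_generator_helpers:=yes}`, so the value passed on the command line is never consulted and the helper list always falls back to the auto-detect default; either name the option `security-cert-generator-helpers` (parallel to `security-cert-validator-helpers` just above) or have helpers.m4 read `enable_security_cert_generators`. The release-notes hunk documents `--enable-security-cert-generators="file"` as the control knob, so it inherits the same mismatch. The help text was copied from the validator option and still says "certificate validator helpers", and misspells the disable form; suggested wording: `[This option selects which security certificate generator helpers to build and install ... Use --disable-security-cert-generators to build none.]`.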
@@ -3886,6 +3882,8 @@ AC_CONFIG_FILES([
 src/parser/Makefile
 src/repl/Makefile
 src/security/Makefile
+ src/security/cert_generators/Makefile
+ src/security/cert_generators/file/Makefile
 src/security/cert_validators/Makefile
 src/security/cert_validators/fake/Makefile
 src/servers/Makefile
diff --git a/doc/release-notes/release-4.sgml b/doc/release-notes/release-4.sgml
index b54c86b366..5b9bca365d 100644
--- a/doc/release-notes/release-4.sgml
+++ b/doc/release-notes/release-4.sgml
@@ -108,6 +108,13 @@ Most user-facing changes are reflected in squid.conf (see below).
 security_fake_certverify, reflecting the Squid helper naming schema and that it does not actually perform any certificate checks.
+

The ssl_crtd helper has been renamed to security_file_certgen + and is now built and installed by default whenever OpenSSL support is enabled. + Building the helper can be controlled using the --enable-security-cert-generators="file" + option. + NOTE: The --enable-ssl-crtd option is still required to enable the + sslcrtd_program helper interface within Squid that uses the helper. +

The security_fake_certverify helper is also now built and installed by default. It is written in Perl so does not require OpenSSL dependencies for installation. But does use the Perl Crypt::OpenSSL::X509 module for execution. @@ -333,8 +340,14 @@ This section gives an account of those changes in three categories: New options

+ --enable-security-cert-generators +

New option to control which TLS/SSL dynamic certificate generator + helpers are built and installed. +

Helper ssl_crtd has been renamed to security_file_certgen + and built with module name file. Requires --with-openssl. + --enable-security-cert-validator-helpers -

New directive to control which TLS/SSL certificate validation +

New option to control which TLS/SSL certificate validation helpers are built and installed.

One fake helper that does not actually perform any certificate checks is provided for testing and as an example diff --git a/src/Makefile.am b/src/Makefile.am index 0a034fb035..14a4c23a3c 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -53,8 +53,8 @@ check_PROGRAMS+= tests/testACLMaxUserIP endif DIST_SUBDIRS += auth -SUBDIRS += http ip icmp ident log ipc mgr security -DIST_SUBDIRS += http ip icmp ident log ipc mgr security +SUBDIRS += http ip icmp ident log ipc mgr +DIST_SUBDIRS += http ip icmp ident log ipc mgr SSL_LIBS= if ENABLE_SSL @@ -63,7 +63,8 @@ SSL_LIBS += \ ssl/libsslsquid.la \ ssl/libsslutil.la endif -DIST_SUBDIRS += ssl +DIST_SUBDIRS += ssl security +SUBDIRS += security SNMP_ALL_SOURCE = \ SnmpRequest.h \ diff --git a/src/cf.data.pre b/src/cf.data.pre index 761a4b6c0c..df92fd0a35 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -2877,7 +2877,8 @@ IFDEF: USE_SSL_CRTD DEFAULT: @DEFAULT_SSL_CRTD@ -s @DEFAULT_SSL_DB_DIR@ -M 4MB LOC: Ssl::TheConfig.ssl_crtd DOC_START - Specify the location and options of the executable for ssl_crtd process. + Specify the location and options of the executable for certificate + generator. @DEFAULT_SSL_CRTD@ program requires -s and -M parameters For more information use: @DEFAULT_SSL_CRTD@ -h diff --git a/src/client_side.cc b/src/client_side.cc index ca35cb9b44..a2d059c472 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -130,10 +130,6 @@ #include "ssl/ServerBump.h" #include "ssl/support.h" #endif -#if USE_SSL_CRTD -#include "ssl/certificate_db.h" -#include "ssl/crtd_message.h" -#endif // for tvSubUsec() which should be in SquidTime.h #include "util.h" diff --git a/src/main.cc b/src/main.cc index 496ff86e85..0a7949e1e1 100644 --- a/src/main.cc +++ b/src/main.cc @@ -98,9 +98,6 @@ #if USE_LOADABLE_MODULES #include "LoadableModules.h" #endif -#if USE_SSL_CRTD -#include "ssl/certificate_db.h" -#endif #if USE_OPENSSL #include "ssl/context_storage.h" #include "ssl/helper.h" 
diff --git a/src/security/Makefile.am b/src/security/Makefile.am
index e0b9508ce3..21e0b368b4 100644
--- a/src/security/Makefile.am
+++ b/src/security/Makefile.am
@@ -8,7 +8,7 @@
 include $(top_srcdir)/src/Common.am
 include $(top_srcdir)/src/TestHeaders.am
-SUBDIRS= cert_validators
+SUBDIRS= cert_generators cert_validators
 noinst_LTLIBRARIES = libsecurity.la
diff --git a/src/security/cert_generators/Makefile.am b/src/security/cert_generators/Makefile.am
new file mode 100644
index 0000000000..0834cecb2d
--- /dev/null
+++ b/src/security/cert_generators/Makefile.am
@@ -0,0 +1,10 @@
+## Copyright (C) 1996-2016 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
+
+DIST_SUBDIRS= file
+SUBDIRS= $(SECURITY_CERTGEN_HELPERS)
+EXTRA_DIST= helpers.m4
diff --git a/src/security/cert_generators/file/Makefile.am b/src/security/cert_generators/file/Makefile.am
new file mode 100644
index 0000000000..eea3cee69f
--- /dev/null
+++ b/src/security/cert_generators/file/Makefile.am
@@ -0,0 +1,24 @@
+## Copyright (C) 1996-2016 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
+
+include $(top_srcdir)/src/Common.am
+include $(top_srcdir)/src/TestHeaders.am
+
+man_MANS = security_file_certgen.8
+libexec_PROGRAMS = security_file_certgen
+
+security_file_certgen_SOURCES = \
+ certificate_db.cc \
+ certificate_db.h \
+ security_file_certgen.cc
+security_file_certgen_LDADD = \
+ $(top_builddir)/src/ssl/libsslutil.la \
+ $(SSLLIB) \
+ $(COMPAT_LIB)
+
+EXTRA_DIST = security_file_certgen.8
+
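Review bot: `security_file_certgen_SOURCES` lists `security_file_certgen.cc`, but this patch moves the helper's main source to `src/security/cert_generators/file/ssl_crtd.cc` (see the rename later in the diff and the diffstat), so no such file exists and the helper build will fail with a missing-source error. Either list `ssl_crtd.cc` here or complete the rename so the source is actually called `security_file_certgen.cc`, which is what the new helper name and man page suggest was intended. The `LDADD` of `$(top_builddir)/src/ssl/libsslutil.la` also means this directory depends on `src/ssl` having been built first; `src/Makefile.am` now places `security` after `ssl` in `SUBDIRS`, which is consistent with that, but it only holds when `ENABLE_SSL` is set.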
diff --git a/src/ssl/certificate_db.cc b/src/security/cert_generators/file/certificate_db.cc
similarity index 99%
rename from src/ssl/certificate_db.cc
rename to src/security/cert_generators/file/certificate_db.cc
index 22bd4f7532..dc587e5892 100644
--- a/src/ssl/certificate_db.cc
+++ b/src/security/cert_generators/file/certificate_db.cc
@@ -7,7 +7,7 @@
 */
 #include "squid.h"
-#include "ssl/certificate_db.h"
+#include "security/cert_generators/file/certificate_db.h"
 #include
 #include
diff --git a/src/ssl/certificate_db.h b/src/security/cert_generators/file/certificate_db.h
similarity index 100%
rename from src/ssl/certificate_db.h
rename to src/security/cert_generators/file/certificate_db.h
diff --git a/src/security/cert_generators/file/required.m4 b/src/security/cert_generators/file/required.m4
new file mode 100644
index 0000000000..835bf813d6
--- /dev/null
+++ b/src/security/cert_generators/file/required.m4
@@ -0,0 +1,10 @@
+## Copyright (C) 1996-2016 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
+
+if test "x$with_openssl" = "xno" ; then
+ BUILD_HELPER="file"
+fi
diff --git a/src/ssl/ssl_crtd.8 b/src/security/cert_generators/file/security_file_certgen.8
similarity index 90%
rename from src/ssl/ssl_crtd.8
rename to src/security/cert_generators/file/security_file_certgen.8
index 9931e7ed02..f95065114d 100644
--- a/src/ssl/ssl_crtd.8
+++ b/src/security/cert_generators/file/security_file_certgen.8
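Review bot: The condition in required.m4 is inverted: `if test "x$with_openssl" = "xno"` selects the `file` helper only when OpenSSL is disabled, yet `file/Makefile.am` links it against `src/ssl/libsslutil.la` and `$(SSLLIB)`, which `src/Makefile.am` builds only under `ENABLE_SSL`. As written, an OpenSSL-enabled build reports the helper as "found but cannot be built" in auto mode and silently skips it (contradicting the release note that it is built by default whenever OpenSSL is enabled), while an OpenSSL-less build selects it and then fails at link time. The check should be `if test "x$with_openssl" != "xno" ; then`. Since `BUILD_HELPER` is a plain shell variable shared with the cert_validators loop that runs earlier in configure, a short comment here such as `# sets BUILD_HELPER only when this helper's dependencies are satisfied` would make the contract of these required.m4 snippets explicit.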
@@ -1,33 +1,33 @@ -.if !'po4a'hide' .TH ssl_crtd 8 +.if !'po4a'hide' .TH security_file_certgen 8 . .SH NAME -ssl_crtd \- SSL certificate generator for Squid. +security_file_certgen \- SSL certificate generator for Squid. .PP Version 1.0 . .SH SYNOPSIS -.if !'po4a'hide' .B ssl_crtd +.if !'po4a'hide' .B security_file_certgen .if !'po4a'hide' .B [\-dhv] . -.if !'po4a'hide' .B ssl_crtd +.if !'po4a'hide' .B security_file_certgen .if !'po4a'hide' .B "[\-d] -s " directory -.if !'po4a'hide' .B [\-M +.if !'po4a'hide' .B "[\-M " size .if !'po4a'hide' .B ] . -.if !'po4a'hide' .B ssl_crtd +.if !'po4a'hide' .B security_file_certgen .if !'po4a'hide' .B "[\-d] \-c \-s " directory .if !'po4a'hide' .B [\-n] serial number . -.if !'po4a'hide' .B ssl_crtd +.if !'po4a'hide' .B security_file_certgen .if !'po4a'hide' .B "[\-d] \-g \-s " directory . .SH DESCRIPTION -.B ssl_crtd +.B security_file_certgen is an installed binary. .PP Because the generation and signing of SSL certificates takes time @@ -113,7 +113,7 @@ parameters. .PP For example: .if !'po4a'hide' .RS -.if !'po4a'hide' .B ssl_crtd -c -s /var/lib/ssl_db +.if !'po4a'hide' .B security_file_certgen -c -s /var/lib/ssl_db .if !'po4a'hide' .RE . .PP @@ -134,7 +134,7 @@ For more customized configuration the helper certificate storage directory locat configuration directive. For example: .if !'po4a'hide' .RS -.if !'po4a'hide' .B sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB +.if !'po4a'hide' .B sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/lib/ssl_db -M 4MB .if !'po4a'hide' . .if !'po4a'hide' .B sslcrtd_children 5 .if !'po4a'hide' .RE diff --git a/src/ssl/ssl_crtd.cc b/src/security/cert_generators/file/ssl_crtd.cc similarity index 99% rename from src/ssl/ssl_crtd.cc rename to src/security/cert_generators/file/ssl_crtd.cc index fabfe750ba..5f57f162b6 100644 --- a/src/ssl/ssl_crtd.cc +++ b/src/security/cert_generators/file/ssl_crtd.cc 
@@ -8,7 +8,7 @@
 #include "squid.h"
 #include "helper/protocol_defines.h"
-#include "ssl/certificate_db.h"
+#include "security/cert_generators/file/certificate_db.h"
 #include "ssl/crtd_message.h"
 #include
diff --git a/src/security/cert_generators/helpers.m4 b/src/security/cert_generators/helpers.m4
new file mode 100644
index 0000000000..31046c4417
--- /dev/null
+++ b/src/security/cert_generators/helpers.m4
@@ -0,0 +1,67 @@
+## Copyright (C) 1996-2016 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
+
+# This file is supposed to run all the tests required to identify which
+# configured modules are able to be built in this environment
+
+# FIXME: de-duplicate $enable_security_cert_generator_helpers list containing double entries.
+
+#define list of modules to build
+auto_security_modules=no
+if test "x${enable_security_cert_generator_helpers:=yes}" = "xyes" ; then
+ SQUID_LOOK_FOR_MODULES([$srcdir/src/security/cert_generators],[enable_security_cert_generator_helpers])
+ auto_security_certgen_modules=yes
+fi
+
+enable_security_cert_generator_helpers="`echo $enable_security_cert_generator_helpers| sed -e 's/,/ /g;s/ */ /g'`"
+AC_MSG_NOTICE([Security certificate generator helper candidates: $enable_security_cert_generator_helpers])
+SECURITY_CERTGEN_HELPERS=""
+if test "x$enable_security_cert_generator_helpers" != "xno" ; then
+ for helper in $enable_security_cert_generator_helpers; do
+ dir="$srcdir/src/security/cert_generators/$helper"
+
+ # modules converted to autoconf macros already
+ # NP: we only need this list because m4_include() does not accept variables
+ if test "x$helper" = "xfile" ; then
+ m4_include([src/security/cert_generators/file/required.m4])
+
+ # modules not yet converted to autoconf macros (or third party drop-in's)
+ elif test -f "$dir/config.test" && sh "$dir/config.test" "$squid_host_os"; then
+ BUILD_HELPER="$helper"
+ fi
+
+ if test -d "$srcdir/src/security/cert_generators/$helper"; then
+ if test "$BUILD_HELPER" != "$helper"; then
+ if test "x$auto_security_certgen_modules" = "xyes"; then
+ AC_MSG_NOTICE([Security certificate generator helper $helper ...
found but cannot be built])
+ else
+ AC_MSG_ERROR([Security certificate generator helper $helper ... found but cannot be built])
+ fi
+ else
+ SECURITY_CERTGEN_HELPERS="$SECURITY_CERTGEN_HELPERS $BUILD_HELPER"
+ fi
+ else
+ AC_MSG_ERROR([Security certificate generator helper $helper ... not found])
+ fi
+ done
+fi
+AC_MSG_NOTICE([Security certificate generator helpers to be built: $SECURITY_CERTGEN_HELPERS])
+AC_SUBST(SECURITY_CERTGEN_HELPERS)
+
+# XXX: Enabling the interface in Squid still requires separate option
+AC_ARG_ENABLE(ssl-crtd,
+ AC_HELP_STRING([--enable-ssl-crtd],
+ [Prevent Squid from directly generating TLS/SSL private key
+ and certificate. Instead enables the certificate generator
+ processes.]), [
+ SQUID_YESNO([$enableval],
+ [unrecogized argument to --enable-ssl-crtd: $enableval])
+])
+if test "x$enable_ssl_crtd" = "xyes" -a "x$with_openssl" = "xno" ; then
+ AC_MSG_ERROR([You need ssl gatewaying support to enable ssl_crtd feature. Try to use --with-openssl.])
+fi
+SQUID_DEFINE_BOOL(USE_SSL_CRTD, ${enable_ssl_crtd:=no},[Use ssl_crtd daemon])
diff --git a/src/security/cert_validators/helpers.m4 b/src/security/cert_validators/helpers.m4
index 3fdabad692..2085a27c21 100644
--- a/src/security/cert_validators/helpers.m4
+++ b/src/security/cert_validators/helpers.m4
@@ -11,10 +11,10 @@
 # FIXME: de-duplicate $enable_security_cert_validator_helpers list containing double entries.
 #define list of modules to build
-auto_security_modules=no
+auto_security_certv_modules=no
 if test "x${enable_security_cert_validator_helpers:=yes}" = "xyes" ; then
 SQUID_LOOK_FOR_MODULES([$srcdir/src/security/cert_validators],[enable_security_cert_validator_helpers])
- auto_security_modules=yes
+ auto_security_certv_modules=yes
 fi
 enable_security_cert_validator_helpers="`echo $enable_security_cert_validator_helpers| sed -e 's/,/ /g;s/ */ /g'`"
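Review bot: `auto_security_modules=no` near the top of helpers.m4 initialises the wrong variable: the flag tested in the loop is `auto_security_certgen_modules`, which this file only ever sets to `yes`, so the `=no` line is dead and the flag is merely unset when an explicit helper list is given; it should read `auto_security_certgen_modules=no`, matching the rename to `auto_security_certv_modules` that this same patch applies to the validators copy. The outcome happens to be the same because the later test compares against `"xyes"`, so this is a consistency and intent issue rather than an observable failure. The `--enable-ssl-crtd` block moved here still uses the deprecated `AC_HELP_STRING` where the rest of configure.ac uses `AS_HELP_STRING`, and the message still says `unrecogized`. The `AM_CONDITIONAL(USE_SSL_CRTD, ...)` removed from configure.ac is not re-added here; `src/ssl/Makefile.am` drops its last use in this patch, but if any other Makefile.am still has `if USE_SSL_CRTD` automake will now fail, which is worth a grep before merging.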
@@ -36,7 +36,7 @@ if test "x$enable_security_cert_validator_helpers" != "xno" ; then if test -d "$srcdir/src/security/cert_validators/$helper"; then if test "$BUILD_HELPER" != "$helper"; then - if test "x$auto_security_modules" = "xyes"; then + if test "x$auto_security_certv_modules" = "xyes"; then AC_MSG_NOTICE([Security certificate validator helper $helper ... found but cannot be built]) else AC_MSG_ERROR([Security certificate validator helper $helper ... found but cannot be built]) diff --git a/src/ssl/Makefile.am b/src/ssl/Makefile.am index 455828de1b..2c2060f2e2 100644 --- a/src/ssl/Makefile.am +++ b/src/ssl/Makefile.am @@ -10,20 +10,7 @@ include $(top_srcdir)/src/TestHeaders.am noinst_LTLIBRARIES = libsslsquid.la libsslutil.la -EXTRA_PROGRAMS = \ - ssl_crtd - -EXTRA_DIST = \ - ssl_crtd.8 - -if USE_SSL_CRTD -SSL_CRTD = ssl_crtd -man_MANS = ssl_crtd.8 -else -SSL_CRTD = -endif - -## SSL stuff used by main Squid but not by ssl_crtd +## SSL stuff used by main Squid but not by certgen helper libsslsquid_la_SOURCES = \ bio.cc \ bio.h \ @@ -51,17 +38,9 @@ libsslsquid_la_SOURCES = \ helper.cc \ helper.h -## SSL stuff used by main Squid and ssl_crtd +## SSL stuff used by main Squid and certgen helper libsslutil_la_SOURCES = \ gadgets.cc \ gadgets.h \ crtd_message.cc \ crtd_message.h - -libexec_PROGRAMS = \ - $(SSL_CRTD) - -if USE_SSL_CRTD -ssl_crtd_SOURCES = ssl_crtd.cc certificate_db.cc certificate_db.h -ssl_crtd_LDADD = libsslutil.la $(SSLLIB) $(COMPAT_LIB) -endif diff --git a/src/ssl/helper.h b/src/ssl/helper.h index b8aa01174a..bb2f3c4836 100644 --- a/src/ssl/helper.h +++ b/src/ssl/helper.h @@ -17,12 +17,12 @@ namespace Ssl { +#if USE_SSL_CRTD /** * Set of thread for ssl_crtd. This class is singleton. Use this class only * over GetIntance() static method. This class use helper structure * for threads management. */ -#if USE_SSL_CRTD class Helper { public: -- 2.47.2