From ba5d55c12baa62bc811b6444ee957e7f7d1cf833 Mon Sep 17 00:00:00 2001
From: Nathan Hoad
Date: Mon, 2 May 2016 15:17:18 +1200
Subject: [PATCH] Prevent Squid forcing -b 2048 into the arguments for sslcrtd_program

Previously Squid assumed it was running with the default sslcrtd_program, which takes an argument for the FS block size. This causes issues for administrators that use their own helpers that happen to take a -b argument that means something else entirely, causing confusion and preventing them from removing this argument.

A summary of the changes:

* Move the block size retrieval from Squid into security_file_certgen. It does not use fsBlockSize as that introduces a lot of dependencies on unrelated Squid code, e.g. fde, Debug, MemBuf.
* Make the -b argument mostly redundant, but leave it there so administrators can overrule xstatvfs.
* Fix a small typo.

This work is submitted on behalf of Bloomberg L.P.
---
 .../file/security_file_certgen.cc | 27 ++++++++++++++-----
 src/ssl/helper.cc                 | 19 +------------
 2 files changed, 21 insertions(+), 25 deletions(-)

diff --git a/src/security/cert_generators/file/security_file_certgen.cc b/src/security/cert_generators/file/security_file_certgen.cc
index 2b5aa8dc81..ab9f9a9df5 100644
--- a/src/security/cert_generators/file/security_file_certgen.cc
+++ b/src/security/cert_generators/file/security_file_certgen.cc
@@ -25,7 +25,7 @@
 \ingroup ExternalPrograms
 \par
    Because the standard generation of SSL certificates for
-   sslBump feature, Squid must use external proccess to
+   sslBump feature, Squid must use external process to
    actually make these calls. This process generate new ssl
    certificates and worked with ssl certificates disk cache.
    Typically there will be five certificate generator processes
@@ -178,8 +178,8 @@ static void usage()
     std::cerr << help_string << std::endl;
 }
 
-/// Proccess new request message.
-static bool proccessNewRequest(Ssl::CrtdMessage & request_message, std::string const & db_path, size_t max_db_size, size_t fs_block_size)
+/// Process new request message.
+static bool processNewRequest(Ssl::CrtdMessage & request_message, std::string const & db_path, size_t max_db_size, size_t fs_block_size)
 {
     Ssl::CertificateProperties certProperties;
     std::string error;
@@ -249,11 +249,11 @@ int main(int argc, char *argv[])
 {
     try {
         size_t max_db_size = 0;
-        size_t fs_block_size = 2048;
+        size_t fs_block_size = 0;
         int8_t c;
         bool create_new_db = false;
         std::string db_path;
-        // proccess options.
+        // process options.
         while ((c = getopt(argc, argv, "dcghvs:M:b:n:")) != -1) {
             switch (c) {
             case 'd':
@@ -294,13 +294,26 @@ int main(int argc, char *argv[])
             exit(0);
         }
 
+        if (fs_block_size == 0) {
+            struct statvfs sfs;
+
+            if (xstatvfs(db_path.c_str(), &sfs)) {
+                fs_block_size = 2048;
+            } else {
+                fs_block_size = sfs.f_frsize;
+                // Sanity check; make sure we have a meaningful value.
+                if (fs_block_size < 512)
+                    fs_block_size = 2048;
+            }
+        }
+
         {
             Ssl::CertificateDb::check(db_path, max_db_size, fs_block_size);
         }
         // Initialize SSL subsystem
         SSL_load_error_strings();
         SSLeay_add_ssl_algorithms();
-        // proccess request.
+        // process request.
         for (;;) {
             char request[HELPER_INPUT_BUFFER];
             Ssl::CrtdMessage request_message(Ssl::CrtdMessage::REQUEST);
@@ -316,7 +329,7 @@ int main(int argc, char *argv[])
             if (parse_result == Ssl::CrtdMessage::ERROR) {
                 throw std::runtime_error("Cannot parse request message.");
             } else if (request_message.getCode() == Ssl::CrtdMessage::code_new_certificate) {
-                proccessNewRequest(request_message, db_path, max_db_size, fs_block_size);
+                processNewRequest(request_message, db_path, max_db_size, fs_block_size);
             } else {
                 throw std::runtime_error("Unknown request code: \"" + request_message.getCode() + "\".");
             }
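Review bot: None of this file's hunks adds an include for `struct statvfs` or `xstatvfs`, which the new block after `exit(0); }` in the `@@ -294,13 +294,26 @@` hunk relies on; unless `squid.h` already pulls in the compat statvfs header, the build will fail, so that is worth confirming before merge. The fallback 2048 appears three times and the 512 floor once as bare literals; naming them above main(), e.g. `static const size_t DefaultFsBlockSize = 2048;` and `static const size_t MinFsBlockSize = 512;`, makes the sanity check self-explanatory and keeps the fallbacks from drifting apart later. A failed xstatvfs() is mapped silently to 2048; since the helper already writes to std::cerr in usage(), a one-line warning naming db_path on that branch would let an administrator notice a wrong -s directory, though CertificateDb::check may already reject such a path. The -b help text in usage() (outside these hunks) should also say that the default is now taken from the filesystem holding the -s directory, falling back to 2048 when it cannot be determined. main() continues outside the hunk.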
diff --git a/src/ssl/helper.cc b/src/ssl/helper.cc
index 224bd4d0fc..dfb8cb2d0c 100644
--- a/src/ssl/helper.cc
+++ b/src/ssl/helper.cc
@@ -59,26 +59,9 @@ void Ssl::Helper::Init()
 {
     char *tmp = xstrdup(Ssl::TheConfig.ssl_crtd);
     char *tmp_begin = tmp;
-    char * token = NULL;
-    bool db_path_was_found = false;
-    bool block_size_was_found = false;
-    char buffer[20] = "2048";
+    char *token = NULL;
     while ((token = strwordtok(NULL, &tmp))) {
         wordlistAdd(&ssl_crtd->cmdline, token);
-        if (!strcmp(token, "-b"))
-            block_size_was_found = true;
-        if (!strcmp(token, "-s")) {
-            db_path_was_found = true;
-        } else if (db_path_was_found) {
-            db_path_was_found = false;
-            int fs_block_size = 0;
-            fsBlockSize(token, &fs_block_size);
-            snprintf(buffer, sizeof(buffer), "%i", fs_block_size);
-        }
-    }
-    if (!block_size_was_found) {
-        wordlistAdd(&ssl_crtd->cmdline, "-b");
-        wordlistAdd(&ssl_crtd->cmdline, buffer);
     }
     safe_free(tmp_begin);
 }
-- 
2.39.2
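Review bot: With the `-s`/`-b` scanning gone, Init() now uses nothing beyond xstrdup, strwordtok, wordlistAdd and safe_free, so the header that supplied fsBlockSize to helper.cc (not visible in this hunk) is probably a dead include and can be dropped if nothing else in the file needs it. The behaviour change should also be reflected where the sslcrtd_program directive is documented for squid.conf, since administrators who relied on Squid appending `-b <n>` to their helper command line will no longer see it; a sentence there stating that the bundled helper now detects the block size itself, with -b kept only as an override, would close the gap. The whole body of Init() is inside this hunk; its signature sits in the hunk header.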