CertificateData.cc
1 /*
2  * Copyright (C) 1996-2022 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 28 Access Control */
10 
11 #include "squid.h"
12 #include "acl/CertificateData.h"
13 #include "acl/Checklist.h"
14 #include "cache_cf.h"
15 #include "ConfigParser.h"
16 #include "debug/Stream.h"
17 #include "wordlist.h"
18 
/// Builds the data holder for a certificate-attribute ACL.
/// @param sslStrategy callback later used to read the selected attribute from a certificate
/// @param attrs '|'-separated list of attribute names this ACL accepts (may be nullptr);
///        the list is kept verbatim in validAttributesStr and split into validAttributes,
///        where a "*" entry acts as a wildcard during attribute validation
/// @param optionalAttr whether the attribute argument may be omitted on the config line
ACLCertificateData::ACLCertificateData(Ssl::GETX509ATTRIBUTE *sslStrategy, const char *attrs, bool optionalAttr) : validAttributesStr(attrs), attributeIsOptional(optionalAttr), attribute (nullptr), values (), sslAttributeCall (sslStrategy)
{
    if (!attrs)
        return;

    // Split attrs on '|'. Every segment is kept, including empty ones, so
    // "a||b" yields {"a", "", "b"} and a trailing '|' yields a final "".
    const std::string valid(attrs);
    std::string::size_type start = 0;
    while (true) {
        const std::string::size_type bar = valid.find("|", start);
        if (bar == std::string::npos) {
            validAttributes.push_back(valid.substr(start));
            break;
        }
        validAttributes.push_back(valid.substr(start, bar - start));
        start = bar + 1;
    }
}
32 
33 template<class T>
34 inline void
// Declaration line (35) is not captured in this rendering. The body simply
// hands `thing` to xfree(); no caller is visible in the captured lines.
36 {
37  xfree (thing);
38 }
39 
// NOTE(review): the declaration line (40) and the single body line (42) of
// this function are not captured in this rendering, so only the braces
// remain. Since `attribute` is xstrdup()ed when the first attribute token
// is accepted, the missing line is presumably what releases it — confirm
// against the real source before relying on this.
41 {
43 }
44 
/// Three-way comparison of two C-string-like keys, delegating to strcmp().
/// Both arguments go through the same `char *` cast the original code used,
/// so T is expected to be a character-pointer type. Not referenced elsewhere
/// in the captured part of this file.
/// @return negative, zero or positive exactly as strcmp() reports it.
template<typename T>
inline int
splaystrcmp (T&l, T&r)
{
    char *const lhs = (char *)l;
    char *const rhs = (char *)r;
    return strcmp(lhs, rhs);
}
51 
52 bool
// Declaration line (53) is not captured in this rendering. The body treats
// `cert` as the certificate handed to sslAttributeCall, i.e. an X509 pointer
// (presumably ACLCertificateData::match(X509 *) — confirm against the header).
// Returns true when the attribute value extracted from `cert` matches one of
// the configured values; a null certificate, or an attribute the callback
// cannot supply, never matches (the `return 0`s below convert to false).
54 {
55  if (!cert)
56  return 0;
57 
// `attribute` may still be nullptr here: it starts out null and is only set
// once an attribute token is accepted during parsing. What the callback does
// with a null attribute name is up to sslAttributeCall and not visible here.
// NOTE(review): `value` is streamed into debugs() on the next line before the
// nullptr check that follows it; inserting a null `char const *` into a
// std::ostream is undefined behaviour unless the debugs() machinery guards
// against it — worth confirming, or moving the check in front of the debug.
58  char const *value = sslAttributeCall(cert, attribute);
59  debugs(28, 6, (attribute ? attribute : "value") << "=" << value);
60  if (value == nullptr)
61  return 0;
62 
63  return values.match(value);
64 }
65 
// The declaration (lines 66-67) and the statement on line 70 are not captured
// in this rendering; from the body this is the SBufList-returning dump()
// override, and line 70 presumably guards the push_back below — confirm
// against the real source.
68 {
69  SBufList sl;
// NOTE(review): `attribute` is nullptr until parsing accepts an attribute
// token, and it stays null when an optional attribute is omitted. Whatever
// the missing line 70 guards, SBuf(attribute) must never be reached with a
// null pointer.
71  sl.push_back(SBuf(attribute));
72 
// The configured values follow the attribute name in the dumped list.
73  sl.splice(sl.end(),values.dump());
74  return sl;
75 }
76 
77 void
// Declaration line (78) is not captured in this rendering; this is presumably
// ACLCertificateData::parse(). It consumes the attribute token (if the ACL was
// built with a list of permitted attributes), validates it, stores a private
// copy in `attribute`, and then hands the rest of the config line to
// values.parse(). Every fatal problem calls self_destruct() and returns.
79 {
// Attribute handling only applies when the ACL was constructed with a
// permitted-attribute list.
80  if (validAttributesStr) {
// Next token of the config line. It is owned by ConfigParser and is not
// freed here; the copy kept in `attribute` is made with xstrdup() below.
81  char *newAttribute = ConfigParser::strtokFile();
82 
83  if (!newAttribute) {
// A missing token is fatal only when the attribute is mandatory.
84  if (!attributeIsOptional) {
85  debugs(28, DBG_CRITICAL, "FATAL: required attribute argument missing");
86  self_destruct();
87  }
// Note that values.parse() at the end of the function is skipped on this
// path, so an optional-attribute ACL with no tokens gets no values either.
88  return;
89  }
90 
91  // Handle the cases where we have optional -x type attributes
92  if (attributeIsOptional && newAttribute[0] != '-')
93  // The read token is not an attribute/option, so add it to values list
94  values.insert(newAttribute);
95  else {
// Accept the token only if it appears in validAttributes or the list
// contains the "*" wildcard. This comparison is case-sensitive, whereas
// the consistency check further down uses strcasecmp(); keep that in
// mind when reading configs with mixed-case attribute names.
96  bool valid = false;
97  for (std::list<std::string>::const_iterator it = validAttributes.begin(); it != validAttributes.end(); ++it) {
98  if (*it == "*" || *it == newAttribute) {
99  valid = true;
100  break;
101  }
102  }
103 
104  if (!valid) {
105  debugs(28, DBG_CRITICAL, "FATAL: Unknown option. Supported option(s) are: " << validAttributesStr);
106  self_destruct();
107  return;
108  }
109 
110  /* an acl must use consistent attributes in all config lines */
// Once an attribute has been recorded, every later config line for this
// ACL must name the same one (compared case-insensitively).
111  if (attribute) {
112  if (strcasecmp(newAttribute, attribute) != 0) {
113  debugs(28, DBG_CRITICAL, "FATAL: An acl must use consistent attributes in all config lines (" << newAttribute << "!=" << attribute << ").");
114  self_destruct();
115  return;
116  }
117  } else {
// First attribute seen. "DN" is accepted as-is; anything else must either
// be a name OpenSSL already knows (OBJ_txt2nid) or a dotted numeric OID,
// which is registered on the fly with OBJ_create().
118  if (strcasecmp(newAttribute, "DN") != 0) {
119  int nid = OBJ_txt2nid(newAttribute);
120  if (nid == 0) {
// strspn() only admits digits and dots, so the token is treated as an OID
// when it consists of nothing else. NOTE(review): this does not check the
// OID's structure (a token such as "." passes); should OBJ_create() reject
// it, the nid == 0 check below turns that into a fatal config error.
121  const size_t span = strspn(newAttribute, "0123456789.");
122  if(newAttribute[span] == '\0') { // looks like a numerical OID
123  // create a new object based on this attribute
124 
125  // NOTE: Not a [bad] leak: If the same attribute
126  // has been added before, the OBJ_txt2nid call
127  // would return a valid nid value.
128  // TODO: call OBJ_cleanup() on reconfigure?
// The OID text doubles as the object's short and long name.
129  nid = OBJ_create(newAttribute, newAttribute, newAttribute);
130  debugs(28, 7, "New SSL certificate attribute created with name: " << newAttribute << " and nid: " << nid);
131  }
132  }
133  if (nid == 0) {
134  debugs(28, DBG_CRITICAL, "FATAL: Not valid SSL certificate attribute name or numerical OID: " << newAttribute);
135  self_destruct();
136  return;
137  }
138  }
// Keep a private copy rather than the parser's token buffer.
139  attribute = xstrdup(newAttribute);
140  }
141  }
142  }
143 
// Whatever remains on the config line is the value list.
144  values.parse();
145 }
146 
147 bool
// Declaration line (148) is not captured in this rendering; presumably
// ACLCertificateData::empty() const. True when no values have been
// configured — a configured attribute alone does not count.
149 {
150  return values.empty();
151 }
152 