CertificateData.cc
1 /*
2  * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 28 Access Control */
10 
11 #include "squid.h"
12 #include "acl/CertificateData.h"
13 #include "acl/Checklist.h"
14 #include "cache_cf.h"
15 #include "ConfigParser.h"
16 #include "Debug.h"
17 #include "wordlist.h"
18 
/// Builds an ACL data object for matching one X.509 certificate attribute.
/// \param sslStrategy callback that extracts the attribute value from a cert
/// \param attrs       '|'-separated list of accepted attribute names (may be NULL);
///                    the list is split into validAttributes, the raw pointer is kept
/// \param optionalAttr whether the attribute argument may be omitted in squid.conf
ACLCertificateData::ACLCertificateData(Ssl::GETX509ATTRIBUTE *sslStrategy, const char *attrs, bool optionalAttr) :
    validAttributesStr(attrs),
    attributeIsOptional(optionalAttr),
    attribute(NULL),
    values(),
    sslAttributeCall(sslStrategy)
{
    if (!attrs)
        return;

    // Split on '|'. An empty spec yields one empty entry and a trailing '|'
    // yields a trailing empty entry; both are kept, as the original parser did.
    const std::string spec(attrs);
    std::string::size_type start = 0;
    for (;;) {
        const std::string::size_type sep = spec.find('|', start);
        if (sep == std::string::npos) {
            validAttributes.push_back(spec.substr(start));
            break;
        }
        validAttributes.push_back(spec.substr(start, sep - start));
        start = sep + 1;
    }
}
32 
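/// Copy constructor. Every member is copied explicitly: the visible original
/// initialised only attribute, values and sslAttributeCall in its init list,
/// so validAttributesStr and attributeIsOptional are now copied as well.
/// The attribute name is an xstrdup()'d C string owned by this object and is
/// therefore deep-copied rather than shared.
ACLCertificateData::ACLCertificateData(ACLCertificateData const &old) :
    validAttributesStr(old.validAttributesStr),
    attributeIsOptional(old.attributeIsOptional),
    attribute(NULL),
    values(old.values),
    sslAttributeCall(old.sslAttributeCall)
{
    validAttributes.assign(old.validAttributes.begin(), old.validAttributes.end());
    // attribute may legitimately be NULL (optional attribute not configured)
    if (old.attribute)
        attribute = xstrdup(old.attribute);
}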
41 
/// Releases a value allocated with the x*alloc family by passing it to xfree().
/// Intended as a generic "free the referenced thing" helper; T is whatever
/// xfree() accepts.
template<class T>
inline void
xRefFree(T &thing)
{
    xfree(thing);
}
48 
/// Destructor: releases the xstrdup()'d attribute name. The values member
/// owns its own storage and is destroyed automatically.
ACLCertificateData::~ACLCertificateData()
{
    safe_free(attribute);
}
53 
/// Three-way comparison of two string-like values for splay tree ordering.
/// Both operands are cast to char* and compared with strcmp(), so T must be
/// a pointer type convertible to char* by a C-style cast.
/// \return <0, 0 or >0 as strcmp() does
template<class T>
inline int
splaystrcmp(T &l, T &r)
{
    const char *lhs = (char *)l;
    const char *rhs = (char *)r;
    return strcmp(lhs, rhs);
}
60 
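/// Matches \a cert against the configured values.
/// The configured attribute is extracted via sslAttributeCall and the result
/// is looked up in values.
/// \param cert the certificate to test; NULL never matches
/// \return true when the extracted attribute value is in values
bool
ACLCertificateData::match(X509 *cert)
{
    if (!cert)
        return false;

    // attribute may be NULL when the attribute argument was optional and
    // omitted in squid.conf; the strategy callback decides what that means.
    char const *value = sslAttributeCall(cert, attribute);
    // Never stream a NULL C string: inserting a null char* into a std::ostream
    // is undefined behaviour, and value is NULL whenever the cert lacks the attribute.
    debugs(28, 6, (attribute ? attribute : "value") << "=" << (value ? value : "[nil]"));
    if (value == NULL)
        return false;

    return values.match(value);
}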
74 
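/// Renders this ACL's configuration as tokens: the attribute name (when this
/// ACL type takes one and one was configured) followed by the value list.
/// \return the tokens in configuration order
SBufList
ACLCertificateData::dump() const
{
    SBufList sl;
    // attribute stays NULL when the attribute argument is optional and was
    // omitted (see parse()); do not emit an empty token in that case.
    if (validAttributesStr && attribute)
        sl.push_back(SBuf(attribute));

    sl.splice(sl.end(), values.dump());
    return sl;
}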
85 
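/// True when \a name is accepted by \a validNames. The list may contain the
/// wildcard "*", which accepts any name. Comparison is case-sensitive.
static bool
attributeNameIsListed(const std::list<std::string> &validNames, const char *name)
{
    for (std::list<std::string>::const_iterator it = validNames.begin(); it != validNames.end(); ++it) {
        if (*it == "*" || *it == name)
            return true;
    }
    return false;
}

/// Resolves an X.509 attribute name or dotted numerical OID to an OpenSSL NID.
/// A name made only of digits and dots that OpenSSL does not know yet is
/// registered with OBJ_create() so it can be used later.
/// \return the NID, or 0 (NID_undef) when \a name is neither a known object
///         nor a numerical OID
static int
attributeNameToNid(const char *name)
{
    int nid = OBJ_txt2nid(name);
    if (nid == 0) {
        const size_t span = strspn(name, "0123456789.");
        if (name[span] == '\0') { // looks like a numerical OID
            // create a new object based on this attribute

            // NOTE: Not a [bad] leak: If the same attribute
            // has been added before, the OBJ_txt2nid call
            // would return a valid nid value.
            // TODO: call OBJ_cleanup() on reconfigure?
            nid = OBJ_create(name, name, name);
            debugs(28, 7, "New SSL certificate attribute created with name: " << name << " and nid: " << nid);
        }
    }
    return nid;
}

/// Parses the remainder of an acl configuration line.
/// When this ACL type takes an attribute argument (validAttributesStr is set),
/// the first token is read with ConfigParser::strtokFile() and validated:
/// it must be listed in validAttributes, must agree (case-insensitively) with
/// any attribute set by an earlier line for the same acl, and unless it is
/// "DN" must resolve to an OpenSSL NID. For optional attributes a first token
/// not starting with '-' is treated as a value instead. The remaining tokens
/// are parsed by values. Configuration errors are reported with debugs() and
/// self_destruct().
void
ACLCertificateData::parse()
{
    if (validAttributesStr) {
        char *newAttribute = ConfigParser::strtokFile();

        if (!newAttribute) {
            if (!attributeIsOptional) {
                debugs(28, DBG_CRITICAL, "FATAL: required attribute argument missing");
                self_destruct();
            }
            return;
        }

        // Handle the cases where we have optional -x type attributes
        if (attributeIsOptional && newAttribute[0] != '-') {
            // The read token is not an attribute/option, so add it to values list
            values.insert(newAttribute);
        } else {
            if (!attributeNameIsListed(validAttributes, newAttribute)) {
                debugs(28, DBG_CRITICAL, "FATAL: Unknown option. Supported option(s) are: " << validAttributesStr);
                self_destruct();
                return;
            }

            /* an acl must use consistent attributes in all config lines */
            if (attribute) {
                if (strcasecmp(newAttribute, attribute) != 0) {
                    debugs(28, DBG_CRITICAL, "FATAL: An acl must use consistent attributes in all config lines (" << newAttribute << "!=" << attribute << ").");
                    self_destruct();
                    return;
                }
            } else {
                // "DN" is not looked up as an OpenSSL object; every other
                // name must resolve to (or be registered as) a NID.
                if (strcasecmp(newAttribute, "DN") != 0 && attributeNameToNid(newAttribute) == 0) {
                    debugs(28, DBG_CRITICAL, "FATAL: Not valid SSL certificate attribute name or numerical OID: " << newAttribute);
                    self_destruct();
                    return;
                }
                attribute = xstrdup(newAttribute);
            }
        }
    }

    values.parse();
}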
155 
/// \return true when no values have been configured for this ACL
bool
ACLCertificateData::empty() const
{
    const bool noValues = values.empty();
    return noValues;
}
161 
/// Creates a heap-allocated copy of this object via the copy constructor,
/// which copies values and the attribute name. The caller owns the result.
ACLData<X509 *> *
ACLCertificateData::clone() const
{
    ACLCertificateData *copy = new ACLCertificateData(*this);
    return copy;
}
168 
ACLStringData values
Definition: SBuf.h:87
void self_destruct(void)
Definition: cache_cf.cc:255
#define xstrdup
char const * GETX509ATTRIBUTE(X509 *, const char *)
Definition: support.h:108
Ssl::GETX509ATTRIBUTE * sslAttributeCall
The callback used to retrieve the data from X509 cert.
#define safe_free(x)
Definition: xalloc.h:73
bool attributeIsOptional
True if the attribute is optional (-xxx options)
#define DBG_CRITICAL
Definition: Debug.h:44
virtual SBufList dump() const
Definition: StringData.cc:49
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Debug.h:123
void xRefFree(T &thing)
virtual ~ACLCertificateData()
ACLCertificateData(Ssl::GETX509ATTRIBUTE *, const char *attributes, bool optionalAttr=false)
virtual ACLData< X509 * > * clone() const
std::list< SBuf > SBufList
Definition: forward.h:26
int splaystrcmp(T &l, T &r)
bool match(char const *)
Definition: StringData.cc:43
std::list< std::string > validAttributes
Parsed list of valid attribute names.
const char * validAttributesStr
virtual void parse()
Definition: StringData.cc:57
static char * strtokFile()
Definition: ConfigParser.cc:82
bool empty() const
Definition: StringData.cc:64
void insert(const char *)
Insert a string data value.
Definition: StringData.cc:22
#define xfree
#define NULL
Definition: types.h:166
virtual SBufList dump() const

 
