ErrorDetail.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 #include "squid.h"
10 #include "errorpage.h"
11 #include "fatal.h"
12 #include "html_quote.h"
13 #include "ssl/ErrorDetail.h"
14 
15 #include <climits>
16 #include <map>
17 
18 struct SslErrorEntry {
20  const char *name;
21 };
22 
23 static const char *SslErrorDetailDefaultStr = "SSL handshake error (%err_name)";
24 //Use std::map to optimize search
25 typedef std::map<Security::ErrorCode, const SslErrorEntry *> SslErrors;
27 
30  "SQUID_X509_V_ERR_INFINITE_VALIDATION"
31  },
33  "SQUID_X509_V_ERR_CERT_CHANGE"
34  },
36  "SQUID_ERR_SSL_HANDSHAKE"
37  },
39  "SQUID_X509_V_ERR_DOMAIN_MISMATCH"
40  },
41  { X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
42  "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT"
43  },
44  { X509_V_ERR_UNABLE_TO_GET_CRL,
45  "X509_V_ERR_UNABLE_TO_GET_CRL"
46  },
47  { X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE,
48  "X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE"
49  },
50  { X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE,
51  "X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE"
52  },
53  { X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY,
54  "X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY"
55  },
56  { X509_V_ERR_CERT_SIGNATURE_FAILURE,
57  "X509_V_ERR_CERT_SIGNATURE_FAILURE"
58  },
59  { X509_V_ERR_CRL_SIGNATURE_FAILURE,
60  "X509_V_ERR_CRL_SIGNATURE_FAILURE"
61  },
62  { X509_V_ERR_CERT_NOT_YET_VALID,
63  "X509_V_ERR_CERT_NOT_YET_VALID"
64  },
65  { X509_V_ERR_CERT_HAS_EXPIRED,
66  "X509_V_ERR_CERT_HAS_EXPIRED"
67  },
68  { X509_V_ERR_CRL_NOT_YET_VALID,
69  "X509_V_ERR_CRL_NOT_YET_VALID"
70  },
71  { X509_V_ERR_CRL_HAS_EXPIRED,
72  "X509_V_ERR_CRL_HAS_EXPIRED"
73  },
74  { X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD,
75  "X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD"
76  },
77  { X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD,
78  "X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD"
79  },
80  { X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD,
81  "X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD"
82  },
83  { X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD,
84  "X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD"
85  },
86  { X509_V_ERR_OUT_OF_MEM,
87  "X509_V_ERR_OUT_OF_MEM"
88  },
89  { X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
90  "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT"
91  },
92  { X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
93  "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN"
94  },
95  { X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
96  "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY"
97  },
98  { X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
99  "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE"
100  },
101  { X509_V_ERR_CERT_CHAIN_TOO_LONG,
102  "X509_V_ERR_CERT_CHAIN_TOO_LONG"
103  },
104  { X509_V_ERR_CERT_REVOKED,
105  "X509_V_ERR_CERT_REVOKED"
106  },
107  { X509_V_ERR_INVALID_CA,
108  "X509_V_ERR_INVALID_CA"
109  },
110  { X509_V_ERR_PATH_LENGTH_EXCEEDED,
111  "X509_V_ERR_PATH_LENGTH_EXCEEDED"
112  },
113  { X509_V_ERR_INVALID_PURPOSE,
114  "X509_V_ERR_INVALID_PURPOSE"
115  },
116  { X509_V_ERR_CERT_UNTRUSTED,
117  "X509_V_ERR_CERT_UNTRUSTED"
118  },
119  { X509_V_ERR_CERT_REJECTED,
120  "X509_V_ERR_CERT_REJECTED"
121  },
122  { X509_V_ERR_SUBJECT_ISSUER_MISMATCH,
123  "X509_V_ERR_SUBJECT_ISSUER_MISMATCH"
124  },
125  { X509_V_ERR_AKID_SKID_MISMATCH,
126  "X509_V_ERR_AKID_SKID_MISMATCH"
127  },
128  { X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH,
129  "X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH"
130  },
131  { X509_V_ERR_KEYUSAGE_NO_CERTSIGN,
132  "X509_V_ERR_KEYUSAGE_NO_CERTSIGN"
133  },
134 #if defined(X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER)
135  {
136  X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, //33
137  "X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER"
138  },
139 #endif
140 #if defined(X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION)
141  {
142  X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION, //34
143  "X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION"
144  },
145 #endif
146 #if defined(X509_V_ERR_KEYUSAGE_NO_CRL_SIGN)
147  {
148  X509_V_ERR_KEYUSAGE_NO_CRL_SIGN, //35
149  "X509_V_ERR_KEYUSAGE_NO_CRL_SIGN"
150  },
151 #endif
152 #if defined(X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION)
153  {
154  X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION, //36
155  "X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION"
156  },
157 #endif
158 #if defined(X509_V_ERR_INVALID_NON_CA)
159  {
160  X509_V_ERR_INVALID_NON_CA, //37
161  "X509_V_ERR_INVALID_NON_CA"
162  },
163 #endif
164 #if defined(X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED)
165  {
166  X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED, //38
167  "X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED"
168  },
169 #endif
170 #if defined(X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE)
171  {
172  X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE, //39
173  "X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE"
174  },
175 #endif
176 #if defined(X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED)
177  {
178  X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED, //40
179  "X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED"
180  },
181 #endif
182 #if defined(X509_V_ERR_INVALID_EXTENSION)
183  {
184  X509_V_ERR_INVALID_EXTENSION, //41
185  "X509_V_ERR_INVALID_EXTENSION"
186  },
187 #endif
188 #if defined(X509_V_ERR_INVALID_POLICY_EXTENSION)
189  {
190  X509_V_ERR_INVALID_POLICY_EXTENSION, //42
191  "X509_V_ERR_INVALID_POLICY_EXTENSION"
192  },
193 #endif
194 #if defined(X509_V_ERR_NO_EXPLICIT_POLICY)
195  {
196  X509_V_ERR_NO_EXPLICIT_POLICY, //43
197  "X509_V_ERR_NO_EXPLICIT_POLICY"
198  },
199 #endif
200 #if defined(X509_V_ERR_DIFFERENT_CRL_SCOPE)
201  {
202  X509_V_ERR_DIFFERENT_CRL_SCOPE, //44
203  "X509_V_ERR_DIFFERENT_CRL_SCOPE"
204  },
205 #endif
206 #if defined(X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE)
207  {
208  X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE, //45
209  "X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE"
210  },
211 #endif
212 #if defined(X509_V_ERR_UNNESTED_RESOURCE)
213  {
214  X509_V_ERR_UNNESTED_RESOURCE, //46
215  "X509_V_ERR_UNNESTED_RESOURCE"
216  },
217 #endif
218 #if defined(X509_V_ERR_PERMITTED_VIOLATION)
219  {
220  X509_V_ERR_PERMITTED_VIOLATION, //47
221  "X509_V_ERR_PERMITTED_VIOLATION"
222  },
223 #endif
224 #if defined(X509_V_ERR_EXCLUDED_VIOLATION)
225  {
226  X509_V_ERR_EXCLUDED_VIOLATION, //48
227  "X509_V_ERR_EXCLUDED_VIOLATION"
228  },
229 #endif
230 #if defined(X509_V_ERR_SUBTREE_MINMAX)
231  {
232  X509_V_ERR_SUBTREE_MINMAX, //49
233  "X509_V_ERR_SUBTREE_MINMAX"
234  },
235 #endif
236 #if defined(X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE)
237  {
238  X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE, //51
239  "X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE"
240  },
241 #endif
242 #if defined(X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX)
243  {
244  X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX, //52
245  "X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX"
246  },
247 #endif
248 #if defined(X509_V_ERR_UNSUPPORTED_NAME_SYNTAX)
249  {
250  X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, //53
251  "X509_V_ERR_UNSUPPORTED_NAME_SYNTAX"
252  },
253 #endif
254 #if defined(X509_V_ERR_CRL_PATH_VALIDATION_ERROR)
255  {
256  X509_V_ERR_CRL_PATH_VALIDATION_ERROR, //54
257  "X509_V_ERR_CRL_PATH_VALIDATION_ERROR"
258  },
259 #endif
260  { X509_V_ERR_APPLICATION_VERIFICATION,
261  "X509_V_ERR_APPLICATION_VERIFICATION"
262  },
263  { SSL_ERROR_NONE, "SSL_ERROR_NONE"},
264  {SSL_ERROR_NONE, NULL}
265 };
266 
267 static const char *OptionalSslErrors[] = {
268  "X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER",
269  "X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION",
270  "X509_V_ERR_KEYUSAGE_NO_CRL_SIGN",
271  "X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION",
272  "X509_V_ERR_INVALID_NON_CA",
273  "X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED",
274  "X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE",
275  "X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED",
276  "X509_V_ERR_INVALID_EXTENSION",
277  "X509_V_ERR_INVALID_POLICY_EXTENSION",
278  "X509_V_ERR_NO_EXPLICIT_POLICY",
279  "X509_V_ERR_DIFFERENT_CRL_SCOPE",
280  "X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE",
281  "X509_V_ERR_UNNESTED_RESOURCE",
282  "X509_V_ERR_PERMITTED_VIOLATION",
283  "X509_V_ERR_EXCLUDED_VIOLATION",
284  "X509_V_ERR_SUBTREE_MINMAX",
285  "X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE",
286  "X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX",
287  "X509_V_ERR_UNSUPPORTED_NAME_SYNTAX",
288  "X509_V_ERR_CRL_PATH_VALIDATION_ERROR",
289  NULL
290 };
291 
293  const char *name;
295 };
296 
297 static const Security::ErrorCode hasExpired[] = {X509_V_ERR_CERT_HAS_EXPIRED, SSL_ERROR_NONE};
298 static const Security::ErrorCode notYetValid[] = {X509_V_ERR_CERT_NOT_YET_VALID, SSL_ERROR_NONE};
300 static const Security::ErrorCode certUntrusted[] = {X509_V_ERR_INVALID_CA,
301  X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
302  X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
303  X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
304  X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
305  X509_V_ERR_CERT_UNTRUSTED, SSL_ERROR_NONE
306  };
307 static const Security::ErrorCode certSelfSigned[] = {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_ERROR_NONE};
308 
309 // The list of error name shortcuts for use with ssl_error acls.
310 // The keys without the "ssl::" scope prefix allow shorter error
311 // names within the SSL options scope. This is easier than
312 // carefully stripping the scope prefix in Ssl::ParseErrorString().
314  {"ssl::certHasExpired", hasExpired},
315  {"certHasExpired", hasExpired},
316  {"ssl::certNotYetValid", notYetValid},
317  {"certNotYetValid", notYetValid},
318  {"ssl::certDomainMismatch", domainMismatch},
319  {"certDomainMismatch", domainMismatch},
320  {"ssl::certUntrusted", certUntrusted},
321  {"certUntrusted", certUntrusted},
322  {"ssl::certSelfSigned", certSelfSigned},
323  {"certSelfSigned", certSelfSigned},
324  {NULL, NULL}
325 };
326 
327 // Use std::map to optimize search.
328 typedef std::map<std::string, const Security::ErrorCode *> SslErrorShortcuts;
330 
331 static void loadSslErrorMap()
332 {
333  assert(TheSslErrors.empty());
334  for (int i = 0; TheSslErrorArray[i].name; ++i) {
335  TheSslErrors[TheSslErrorArray[i].value] = &TheSslErrorArray[i];
336  }
337 }
338 
340 {
341  assert(TheSslErrorShortcuts.empty());
342  for (int i = 0; TheSslErrorShortcutsArray[i].name; ++i)
343  TheSslErrorShortcuts[TheSslErrorShortcutsArray[i].name] = TheSslErrorShortcutsArray[i].errors;
344 }
345 
347 {
348  //TODO: use a std::map?
349  for (int i = 0; TheSslErrorArray[i].name != NULL; ++i) {
350  if (strcmp(name, TheSslErrorArray[i].name) == 0)
351  return TheSslErrorArray[i].value;
352  }
353  return SSL_ERROR_NONE;
354 }
355 
356 bool
357 Ssl::ParseErrorString(const char *name, Security::Errors &errors)
358 {
359  assert(name);
360 
361  const Security::ErrorCode ssl_error = GetErrorCode(name);
362  if (ssl_error != SSL_ERROR_NONE) {
363  errors.emplace(ssl_error);
364  return true;
365  }
366 
367  if (xisdigit(*name)) {
368  const long int value = strtol(name, NULL, 0);
369  if (SQUID_SSL_ERROR_MIN <= value && value <= SQUID_SSL_ERROR_MAX) {
370  errors.emplace(value);
371  return true;
372  }
373  fatalf("Too small or too big TLS error code '%s'", name);
374  }
375 
376  if (TheSslErrorShortcuts.empty())
378 
379  const SslErrorShortcuts::const_iterator it = TheSslErrorShortcuts.find(name);
380  if (it != TheSslErrorShortcuts.end()) {
381  // Should not be empty...
382  assert(it->second[0] != SSL_ERROR_NONE);
383  for (int i = 0; it->second[i] != SSL_ERROR_NONE; ++i) {
384  errors.emplace(it->second[i]);
385  }
386  return true;
387  }
388 
389  fatalf("Unknown TLS error name '%s'", name);
390  return false; // not reached
391 }
392 
394 {
395  if (TheSslErrors.empty())
396  loadSslErrorMap();
397 
398  const SslErrors::const_iterator it = TheSslErrors.find(value);
399  if (it != TheSslErrors.end())
400  return it->second->name;
401 
402  return NULL;
403 }
404 
405 bool
406 Ssl::ErrorIsOptional(const char *name)
407 {
408  for (int i = 0; OptionalSslErrors[i] != NULL; ++i) {
409  if (strcmp(name, OptionalSslErrors[i]) == 0)
410  return true;
411  }
412  return false;
413 }
414 
415 const char *
417 {
418  return ErrorDetailsManager::GetInstance().getDefaultErrorDescr(value);
419 }
420 
422  {"ssl_subject", &Ssl::ErrorDetail::subject},
423  {"ssl_ca_name", &Ssl::ErrorDetail::ca_name},
424  {"ssl_cn", &Ssl::ErrorDetail::cn},
425  {"ssl_notbefore", &Ssl::ErrorDetail::notbefore},
426  {"ssl_notafter", &Ssl::ErrorDetail::notafter},
427  {"err_name", &Ssl::ErrorDetail::err_code},
428  {"ssl_error_descr", &Ssl::ErrorDetail::err_descr},
429  {"ssl_lib_error", &Ssl::ErrorDetail::err_lib_error},
430  {NULL,NULL}
431 };
432 
436 const char *Ssl::ErrorDetail::subject() const
437 {
438  if (broken_cert.get()) {
439  static char tmpBuffer[256]; // A temporary buffer
440  if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) {
441  // quote to avoid possible html code injection through
442  // certificate subject
443  return html_quote(tmpBuffer);
444  }
445  }
446  return "[Not available]";
447 }
448 
449 // helper function to be used with Ssl::matchX509CommonNames
450 static int copy_cn(void *check_data, ASN1_STRING *cn_data)
451 {
452  String *str = (String *)check_data;
453  if (!str) // no data? abort
454  return 0;
455  if (cn_data && cn_data->length) {
456  if (str->size() > 0)
457  str->append(", ");
458  str->append((const char *)cn_data->data, cn_data->length);
459  }
460  return 1;
461 }
462 
466 const char *Ssl::ErrorDetail::cn() const
467 {
468  if (broken_cert.get()) {
469  static String tmpStr;
470  tmpStr.clean();
471  Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn);
472  if (tmpStr.size()) {
473  // quote to avoid possible html code injection through
474  // certificate subject
475  return html_quote(tmpStr.termedBuf());
476  }
477  }
478  return "[Not available]";
479 }
480 
484 const char *Ssl::ErrorDetail::ca_name() const
485 {
486  if (broken_cert.get()) {
487  static char tmpBuffer[256]; // A temporary buffer
488  if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) {
489  // quote to avoid possible html code injection through
490  // certificate issuer subject
491  return html_quote(tmpBuffer);
492  }
493  }
494  return "[Not available]";
495 }
496 
500 const char *Ssl::ErrorDetail::notbefore() const
501 {
502  if (broken_cert.get()) {
503  if (const auto tm = X509_getm_notBefore(broken_cert.get())) {
504  static char tmpBuffer[256]; // A temporary buffer
505  Ssl::asn1timeToString(tm, tmpBuffer, sizeof(tmpBuffer));
506  return tmpBuffer;
507  }
508  }
509  return "[Not available]";
510 }
511 
515 const char *Ssl::ErrorDetail::notafter() const
516 {
517  if (broken_cert.get()) {
518  if (const auto tm = X509_getm_notAfter(broken_cert.get())) {
519  static char tmpBuffer[256]; // A temporary buffer
520  Ssl::asn1timeToString(tm, tmpBuffer, sizeof(tmpBuffer));
521  return tmpBuffer;
522  }
523  }
524  return "[Not available]";
525 }
526 
530 const char *Ssl::ErrorDetail::err_code() const
531 {
532  static char tmpBuffer[64];
533  // We can use the GetErrorName but using the detailEntry is faster,
534  // so try it first.
535  const char *err = detailEntry.name.termedBuf();
536 
537  // error details not loaded yet or not defined in error_details.txt,
538  // try the GetErrorName...
539  if (!err)
540  err = GetErrorName(error_no);
541 
542  if (!err) {
543  snprintf(tmpBuffer, 64, "%d", (int)error_no);
544  err = tmpBuffer;
545  }
546  return err;
547 }
548 
552 const char *Ssl::ErrorDetail::err_descr() const
553 {
554  if (error_no == SSL_ERROR_NONE)
555  return "[No Error]";
556  if (const char *err = detailEntry.descr.termedBuf())
557  return err;
558  return "[Not available]";
559 }
560 
562 {
563  if (errReason.size() > 0)
564  return errReason.termedBuf();
565  else if (lib_error_no != SSL_ERROR_NONE)
566  return Security::ErrorString(lib_error_no);
567  else
568  return "[No Error]";
569 }
570 
588 int Ssl::ErrorDetail::convert(const char *code, const char **value) const
589 {
590  *value = "-";
591  for (int i=0; ErrorFormatingCodes[i].code!=NULL; ++i) {
592  const int len = strlen(ErrorFormatingCodes[i].code);
593  if (strncmp(code,ErrorFormatingCodes[i].code, len)==0) {
594  ErrorDetail::fmt_action_t action = ErrorFormatingCodes[i].fmt_action;
595  *value = (this->*action)();
596  return len;
597  }
598  }
599  return 0;
600 }
601 
609 {
610  char const *s = NULL;
611  char const *p;
612  char const *t;
613  int code_len = 0;
614 
615  if (ErrorDetailsManager::GetInstance().getErrorDetail(error_no, request, detailEntry))
616  s = detailEntry.detail.termedBuf();
617 
618  if (!s)
620 
621  assert(s);
622  while ((p = strchr(s, '%'))) {
623  errDetailStr.append(s, p - s);
624  code_len = convert(++p, &t);
625  if (code_len)
626  errDetailStr.append(t);
627  else
628  errDetailStr.append("%");
629  s = p + code_len;
630  }
631  errDetailStr.append(s, strlen(s));
632 }
633 
635 {
636  if (errDetailStr.size() == 0)
637  buildDetail();
638  return errDetailStr;
639 }
640 
641 Ssl::ErrorDetail::ErrorDetail( Security::ErrorCode err_no, X509 *cert, X509 *broken, const char *aReason): error_no (err_no), lib_error_no(SSL_ERROR_NONE), errReason(aReason)
642 {
643  if (cert)
644  peer_cert.resetAndLock(cert);
645 
646  if (broken)
647  broken_cert.resetAndLock(broken);
648  else
650 
651  detailEntry.error_no = SSL_ERROR_NONE;
652 }
653 
655 {
656  error_no = anErrDetail.error_no;
657  request = anErrDetail.request;
658 
659  if (anErrDetail.peer_cert.get()) {
660  peer_cert.resetAndLock(anErrDetail.peer_cert.get());
661  }
662 
663  if (anErrDetail.broken_cert.get()) {
664  broken_cert.resetAndLock(anErrDetail.broken_cert.get());
665  }
666 
667  detailEntry = anErrDetail.detailEntry;
668 
669  lib_error_no = anErrDetail.lib_error_no;
670 }
671 
static const Security::ErrorCode certUntrusted[]
Definition: ErrorDetail.cc:300
HttpRequest::Pointer request
Definition: ErrorDetail.h:92
static void loadSslErrorShortcutsMap()
Definition: ErrorDetail.cc:339
#define assert(EX)
Definition: assert.h:17
static const Security::ErrorCode hasExpired[]
Definition: ErrorDetail.cc:297
std::map< Security::ErrorCode, const SslErrorEntry * > SslErrors
Definition: ErrorDetail.cc:25
const char * GetErrorName(Security::ErrorCode value)
The string representation of the TLS error &quot;value&quot;.
Definition: ErrorDetail.cc:393
static SslErrorEntry TheSslErrorArray[]
Definition: ErrorDetail.cc:28
static ErrorDetailsManager & GetInstance()
Instance class.
static const Security::ErrorCode certSelfSigned[]
Definition: ErrorDetail.cc:307
const char * GetErrorDescr(Security::ErrorCode value)
A short description of the TLS error &quot;value&quot;.
Definition: ErrorDetail.cc:416
const char * ca_name() const
Definition: ErrorDetail.cc:484
const char * name
Definition: ErrorDetail.cc:20
struct _request * request(char *urlin)
Definition: tcp-banger2.c:291
const char * subject() const
Definition: ErrorDetail.cc:436
int i
Definition: membanger.c:49
#define SQUID_X509_V_ERR_DOMAIN_MISMATCH
Definition: support.h:44
int convert(const char *code, const char **value) const
Definition: ErrorDetail.cc:588
#define SQUID_X509_V_ERR_CERT_CHANGE
Definition: support.h:42
char * html_quote(const char *)
Definition: html_quote.c:53
Security::ErrorCode GetErrorCode(const char *name)
The Security::ErrorCode code of the error described by &quot;name&quot;.
Definition: ErrorDetail.cc:346
SslErrors TheSslErrors
Definition: ErrorDetail.cc:26
unsigned long lib_error_no
low-level error returned by OpenSSL ERR_get_error(3SSL)
Definition: ErrorDetail.h:87
char * p
Definition: membanger.c:43
size_type size() const
Definition: SquidString.h:72
bool ErrorIsOptional(const char *name)
Definition: ErrorDetail.cc:406
void append(char const *buf, int len)
Definition: String.cc:161
#define X509_getm_notBefore
Definition: openssl.h:206
ErrorDetailEntry detailEntry
Definition: ErrorDetail.h:91
void fatalf(const char *fmt,...)
Definition: fatal.cc:68
const char * err_descr() const
Definition: ErrorDetail.cc:552
static SslErrorAlias TheSslErrorShortcutsArray[]
Definition: ErrorDetail.cc:313
void buildDetail() const
Definition: ErrorDetail.cc:608
static void loadSslErrorMap()
Definition: ErrorDetail.cc:331
const Security::ErrorCode * errors
Definition: ErrorDetail.cc:294
static const char * OptionalSslErrors[]
Definition: ErrorDetail.cc:267
const char * cn() const
Definition: ErrorDetail.cc:466
int ErrorCode
Squid defined error code (&lt;0), an error code returned by X.509 API, or SSL_ERROR_NONE.
Definition: forward.h:91
char const * termedBuf() const
Definition: SquidString.h:91
#define SQUID_SSL_ERROR_MIN
Definition: support.h:46
const char * err_lib_error() const
Definition: ErrorDetail.cc:561
const String & toString() const
An error detail string to embed in squid error pages.
Definition: ErrorDetail.cc:634
const char * err_code() const
Definition: ErrorDetail.cc:530
int unsigned int const char *desc STUB void int len
Definition: stub_fd.cc:20
T * get() const
Returns raw and possibly nullptr pointer.
unsigned char code
Definition: html_quote.c:20
static const Security::ErrorCode notYetValid[]
Definition: ErrorDetail.cc:298
bool action(int fd, size_t metasize, const char *fn, const char *url, const SquidMetaList &meta)
Definition: purge.cc:311
#define SQUID_ERR_SSL_HANDSHAKE
Definition: support.h:43
Security::ErrorCode error_no
The SSL error code.
const char * name
Definition: ErrorDetail.cc:293
Security::CertPointer broken_cert
A pointer to the broken certificate (peer or intermediate)
Definition: ErrorDetail.h:89
#define X509_getm_notAfter
Definition: openssl.h:205
Security::ErrorCode value
Definition: ErrorDetail.cc:19
Security::CertPointer peer_cert
A pointer to the peer certificate.
Definition: ErrorDetail.h:88
#define SQUID_X509_V_ERR_INFINITE_VALIDATION
Definition: support.h:41
Security::ErrorCode error_no
The error code.
Definition: ErrorDetail.h:86
SslErrorShortcuts TheSslErrorShortcuts
Definition: ErrorDetail.cc:329
static const char * SslErrorDetailDefaultStr
Definition: ErrorDetail.cc:23
#define xisdigit(x)
Definition: xis.h:20
#define SQUID_SSL_ERROR_MAX
Definition: support.h:47
std::unordered_set< Security::ErrorCode > Errors
Definition: forward.h:108
const char * notafter() const
Definition: ErrorDetail.cc:515
int asn1timeToString(ASN1_TIME *tm, char *buf, int len)
Definition: support.cc:178
bool ParseErrorString(const char *name, Security::Errors &)
Definition: ErrorDetail.cc:357
const char * notbefore() const
Definition: ErrorDetail.cc:500
ErrorDetail(Security::ErrorCode err_no, X509 *peer, X509 *broken, const char *aReason=NULL)
Definition: ErrorDetail.cc:641
int matchX509CommonNames(X509 *peer_cert, void *check_data, int(*check_func)(void *check_data, ASN1_STRING *cn_data))
Definition: support.cc:192
void clean()
Definition: String.cc:125
static err_frm_code ErrorFormatingCodes[]
The supported formating codes.
Definition: ErrorDetail.h:71
const char *(ErrorDetail::* fmt_action_t)() const
Definition: ErrorDetail.h:61
static const Security::ErrorCode domainMismatch[]
Definition: ErrorDetail.cc:299
const char * ErrorString(const ErrorCode code)
Definition: forward.h:96
std::map< std::string, const Security::ErrorCode * > SslErrorShortcuts
Definition: ErrorDetail.cc:328
#define NULL
Definition: types.h:166
static int copy_cn(void *check_data, ASN1_STRING *cn_data)
Definition: ErrorDetail.cc:450

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors