------------------------------------------------------------ revno: 12221 revision-id: squidadm@squid-cache.org-20120719001222-mhhjv0ct3xs3phs6 parent: chtsanti@users.sourceforge.net-20120718202034-6qcmia756z3kxh3s committer: Automatic source maintenance branch nick: trunk timestamp: Wed 2012-07-18 18:12:22 -0600 message: SourceFormat Enforcement ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squidadm@squid-cache.org-20120719001222-\ # mhhjv0ct3xs3phs6 # target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ # testament_sha1: 0c2e15dc67b491ff1b09fb6291d339e6c1e27621 # timestamp: 2012-07-19 00:52:40 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ # base_revision_id: chtsanti@users.sourceforge.net-20120718202034-\ # 6qcmia756z3kxh3s # # Begin patch === modified file 'src/AccessLogEntry.h' --- src/AccessLogEntry.h 2012-07-18 16:21:47 +0000 +++ src/AccessLogEntry.h 2012-07-19 00:12:22 +0000 @@ -120,7 +120,8 @@ #if USE_SSL /// logging information specific to the SSL protocol - class SslDetails { + class SslDetails + { public: SslDetails(); === modified file 'src/acl/Acl.h' --- src/acl/Acl.h 2012-05-14 10:37:40 +0000 +++ src/acl/Acl.h 2012-07-19 00:12:22 +0000 @@ -120,7 +120,8 @@ /// \ingroup ACLAPI /// ACL check answer; TODO: Rename to Acl::Answer -class allow_t { +class allow_t +{ public: // not explicit: allow "aclMatchCode to allow_t" conversions (for now) allow_t(const aclMatchCode aCode): code(aCode), kind(0) {} === modified file 'src/adaptation/icap/ModXact.cc' --- src/adaptation/icap/ModXact.cc 2012-07-18 16:21:47 +0000 +++ src/adaptation/icap/ModXact.cc 2012-07-19 00:12:22 +0000 @@ -1925,7 +1925,7 @@ void Adaptation::Icap::ModXact::clearError() { - HttpRequest *request = dynamic_cast(adapted.header); + HttpRequest *request = dynamic_cast(adapted.header); // if no adapted request, update virgin (and inherit its properties later) if (!request) request = const_cast(&virginRequest()); === modified file 'src/cache_cf.cc' --- src/cache_cf.cc 2012-07-18 16:21:47 +0000 +++ src/cache_cf.cc 2012-07-19 00:12:22 +0000 @@ -4349,7 +4349,7 @@ self_destruct(); return; } - + const char *param; if ( char *s = strchr(al, '{')) { *s = '\0'; // terminate the al string @@ -4361,19 +4361,16 @@ return; } *s = '\0'; - } - else + } else param = NULL; if (strcmp(al, Ssl::CertAdaptAlgorithmStr[Ssl::algSetValidAfter]) == 0) { ca->alg = Ssl::algSetValidAfter; ca->param = strdup("on"); - } - else if (strcmp(al, Ssl::CertAdaptAlgorithmStr[Ssl::algSetValidBefore]) == 0) { + } else if (strcmp(al, Ssl::CertAdaptAlgorithmStr[Ssl::algSetValidBefore]) == 0) { ca->alg = Ssl::algSetValidBefore; ca->param = strdup("on"); - } - else if (strcmp(al, Ssl::CertAdaptAlgorithmStr[Ssl::algSetCommonName]) == 0) { + } else if (strcmp(al, Ssl::CertAdaptAlgorithmStr[Ssl::algSetCommonName]) == 0) { ca->alg = Ssl::algSetCommonName; if (param) { if (strlen(param) > 64) { @@ -4391,7 +4388,7 @@ aclParseAclList(LegacyParser, &ca->aclList); - while(*cert_adapt) + while (*cert_adapt) cert_adapt = &(*cert_adapt)->next; *cert_adapt = ca; @@ -4410,7 +4407,7 @@ static void free_sslproxy_cert_adapt(sslproxy_cert_adapt **cert_adapt) { - while(*cert_adapt) { + while (*cert_adapt) { sslproxy_cert_adapt *ca = *cert_adapt; *cert_adapt = ca->next; safe_free(ca->param); @@ -4445,7 +4442,7 @@ aclParseAclList(LegacyParser, &cs->aclList); - while(*cert_sign) + while (*cert_sign) cert_sign = &(*cert_sign)->next; *cert_sign = cs; @@ -4465,7 +4462,7 @@ static void free_sslproxy_cert_sign(sslproxy_cert_sign **cert_sign) { - while(*cert_sign) { + while (*cert_sign) { sslproxy_cert_sign *cs = *cert_sign; *cert_sign = cs->next; @@ -4563,7 +4560,7 @@ } if (bumpCfgStyleLast != bcsNone && bumpCfgStyleNow != bumpCfgStyleLast) { - debugs(3, DBG_CRITICAL, "FATAL: do not mix " << bumpCfgStyleNow << " actions with " << + debugs(3, DBG_CRITICAL, "FATAL: do not mix " << bumpCfgStyleNow << " actions with " << bumpCfgStyleLast << " actions. Update your ssl_bump rules."); self_destruct(); return; === modified file 'src/cf_gen.cc' --- src/cf_gen.cc 2012-07-18 15:19:04 +0000 +++ src/cf_gen.cc 2012-07-19 00:12:22 +0000 @@ -259,7 +259,7 @@ if ((t = strchr(buff, '\n'))) *t = '\0'; - if(strncmp(buff, "IF ", 3) == 0) { + if (strncmp(buff, "IF ", 3) == 0) { if ((ptr = strtok(buff + 3, WS)) == NULL) { std::cerr << "Missing IF parameter on line" << linenum << std::endl; exit(1); @@ -272,147 +272,146 @@ exit(1); } IFDEFS.pop(); - } - else if (!IFDEFS.size() || isDefined(IFDEFS.top())) - switch (state) { - - case sSTART: - - if ((strlen(buff) == 0) || (!strncmp(buff, "#", 1))) { - /* ignore empty and comment lines */ - (void) 0; - } else if (!strncmp(buff, "NAME:", 5)) { - char *name, *aliasname; - - if ((name = strtok(buff + 5, WS)) == NULL) { - std::cerr << "Error in input file\n"; - exit(1); - } - - entries.push_back(name); - - while ((aliasname = strtok(NULL, WS)) != NULL) - entries.back().alias.push_front(aliasname); - - state = s1; - } else if (!strcmp(buff, "EOF")) { - state = sEXIT; - } else if (!strcmp(buff, "COMMENT_START")) { - entries.push_back("comment"); - entries.back().loc = "none"; - state = sDOC; - } else { - std::cerr << "Error on line " << linenum << std::endl << - "--> " << buff << std::endl; - exit(1); - } - - break; - - case s1: { - Entry &curr = entries.back(); - - if ((strlen(buff) == 0) || (!strncmp(buff, "#", 1))) { - /* ignore empty and comment lines */ - (void) 0; - } else if (!strncmp(buff, "COMMENT:", 8)) { - ptr = buff + 8; - - while (isspace((unsigned char)*ptr)) - ptr++; - - curr.comment = ptr; - } else if (!strncmp(buff, "DEFAULT:", 8)) { - ptr = buff + 8; - - while (isspace((unsigned char)*ptr)) - ptr++; - - curr.defaults.preset.push_back(ptr); - } else if (!strncmp(buff, "DEFAULT_IF_NONE:", 16)) { - ptr = buff + 16; - - while (isspace((unsigned char)*ptr)) - ptr++; - - curr.defaults.if_none.push_back(ptr); - } else if (!strncmp(buff, "POSTSCRIPTUM:", 13)) { - ptr = buff + 13; - - while (isspace((unsigned char)*ptr)) - ptr++; - - curr.defaults.postscriptum.push_back(ptr); - } else if (!strncmp(buff, "DEFAULT_DOC:", 12)) { - ptr = buff + 12; - - while (isspace((unsigned char)*ptr)) - ptr++; - - curr.defaults.docs.push_back(ptr); - } else if (!strncmp(buff, "LOC:", 4)) { - if ((ptr = strtok(buff + 4, WS)) == NULL) { - std::cerr << "Error on line " << linenum << std::endl; - exit(1); - } - - curr.loc = ptr; - } else if (!strncmp(buff, "TYPE:", 5)) { - if ((ptr = strtok(buff + 5, WS)) == NULL) { - std::cerr << "Error on line " << linenum << std::endl; - exit(1); - } - - /* hack to support arrays, rather than pointers */ - if (0 == strcmp(ptr + strlen(ptr) - 2, "[]")) { - curr.array_flag = 1; - *(ptr + strlen(ptr) - 2) = '\0'; - } - - checkDepend(curr.name, ptr, types, entries); - curr.type = ptr; - } else if (!strncmp(buff, "IFDEF:", 6)) { - if ((ptr = strtok(buff + 6, WS)) == NULL) { - std::cerr << "Error on line " << linenum << std::endl; - exit(1); - } - - curr.ifdef = ptr; - } else if (!strcmp(buff, "DOC_START")) { - state = sDOC; - } else if (!strcmp(buff, "DOC_NONE")) { - state = sSTART; - } else { - std::cerr << "Error on line " << linenum << std::endl; - exit(1); - } - } - break; - - case sDOC: - if (!strcmp(buff, "DOC_END") || !strcmp(buff, "COMMENT_END")) { - state = sSTART; - } else if (!strcmp(buff, "NOCOMMENT_START")) { - state = sNOCOMMENT; - } else { // if (buff != NULL) { - assert(buff != NULL); - entries.back().doc.push_back(buff); - } - break; - - case sNOCOMMENT: - if (!strcmp(buff, "NOCOMMENT_END")) { - state = sDOC; - } else { // if (buff != NULL) { - assert(buff != NULL); - entries.back().nocomment.push_back(buff); - } - break; - - case sEXIT: - assert(0); /* should never get here */ - break; - } + } else if (!IFDEFS.size() || isDefined(IFDEFS.top())) + switch (state) { + + case sSTART: + + if ((strlen(buff) == 0) || (!strncmp(buff, "#", 1))) { + /* ignore empty and comment lines */ + (void) 0; + } else if (!strncmp(buff, "NAME:", 5)) { + char *name, *aliasname; + + if ((name = strtok(buff + 5, WS)) == NULL) { + std::cerr << "Error in input file\n"; + exit(1); + } + + entries.push_back(name); + + while ((aliasname = strtok(NULL, WS)) != NULL) + entries.back().alias.push_front(aliasname); + + state = s1; + } else if (!strcmp(buff, "EOF")) { + state = sEXIT; + } else if (!strcmp(buff, "COMMENT_START")) { + entries.push_back("comment"); + entries.back().loc = "none"; + state = sDOC; + } else { + std::cerr << "Error on line " << linenum << std::endl << + "--> " << buff << std::endl; + exit(1); + } + + break; + + case s1: { + Entry &curr = entries.back(); + + if ((strlen(buff) == 0) || (!strncmp(buff, "#", 1))) { + /* ignore empty and comment lines */ + (void) 0; + } else if (!strncmp(buff, "COMMENT:", 8)) { + ptr = buff + 8; + + while (isspace((unsigned char)*ptr)) + ptr++; + + curr.comment = ptr; + } else if (!strncmp(buff, "DEFAULT:", 8)) { + ptr = buff + 8; + + while (isspace((unsigned char)*ptr)) + ptr++; + + curr.defaults.preset.push_back(ptr); + } else if (!strncmp(buff, "DEFAULT_IF_NONE:", 16)) { + ptr = buff + 16; + + while (isspace((unsigned char)*ptr)) + ptr++; + + curr.defaults.if_none.push_back(ptr); + } else if (!strncmp(buff, "POSTSCRIPTUM:", 13)) { + ptr = buff + 13; + + while (isspace((unsigned char)*ptr)) + ptr++; + + curr.defaults.postscriptum.push_back(ptr); + } else if (!strncmp(buff, "DEFAULT_DOC:", 12)) { + ptr = buff + 12; + + while (isspace((unsigned char)*ptr)) + ptr++; + + curr.defaults.docs.push_back(ptr); + } else if (!strncmp(buff, "LOC:", 4)) { + if ((ptr = strtok(buff + 4, WS)) == NULL) { + std::cerr << "Error on line " << linenum << std::endl; + exit(1); + } + + curr.loc = ptr; + } else if (!strncmp(buff, "TYPE:", 5)) { + if ((ptr = strtok(buff + 5, WS)) == NULL) { + std::cerr << "Error on line " << linenum << std::endl; + exit(1); + } + + /* hack to support arrays, rather than pointers */ + if (0 == strcmp(ptr + strlen(ptr) - 2, "[]")) { + curr.array_flag = 1; + *(ptr + strlen(ptr) - 2) = '\0'; + } + + checkDepend(curr.name, ptr, types, entries); + curr.type = ptr; + } else if (!strncmp(buff, "IFDEF:", 6)) { + if ((ptr = strtok(buff + 6, WS)) == NULL) { + std::cerr << "Error on line " << linenum << std::endl; + exit(1); + } + + curr.ifdef = ptr; + } else if (!strcmp(buff, "DOC_START")) { + state = sDOC; + } else if (!strcmp(buff, "DOC_NONE")) { + state = sSTART; + } else { + std::cerr << "Error on line " << linenum << std::endl; + exit(1); + } + } + break; + + case sDOC: + if (!strcmp(buff, "DOC_END") || !strcmp(buff, "COMMENT_END")) { + state = sSTART; + } else if (!strcmp(buff, "NOCOMMENT_START")) { + state = sNOCOMMENT; + } else { // if (buff != NULL) { + assert(buff != NULL); + entries.back().doc.push_back(buff); + } + break; + + case sNOCOMMENT: + if (!strcmp(buff, "NOCOMMENT_END")) { + state = sDOC; + } else { // if (buff != NULL) { + assert(buff != NULL); + entries.back().nocomment.push_back(buff); + } + break; + + case sEXIT: + assert(0); /* should never get here */ + break; + } } === modified file 'src/client_side.cc' --- src/client_side.cc 2012-07-18 16:21:47 +0000 +++ src/client_side.cc 2012-07-19 00:12:22 +0000 @@ -811,7 +811,7 @@ if (bodyPipe != NULL) stopProducingFor(bodyPipe, false); - + #if USE_SSL delete sslServerBump; #endif @@ -2642,7 +2642,7 @@ request->flags.ignore_cc = conn->port->ignore_cc; // TODO: decouple http->flags.accel from request->flags.sslBumped request->flags.no_direct = (request->flags.accelerated && !request->flags.sslBumped) ? - !conn->port->allow_direct : 0; + !conn->port->allow_direct : 0; #if USE_AUTH if (request->flags.sslBumped) { if (conn->auth_user_request != NULL) @@ -3550,10 +3550,10 @@ typedef CommCbMemFunT TimeoutDialer; AsyncCall::Pointer timeoutCall = JobCallback(33, 5, TimeoutDialer, - connState, ConnStateData::requestTimeout); + connState, ConnStateData::requestTimeout); commSetConnTimeout(details, Config.Timeout.request, timeoutCall); - if (ssl) + if (ssl) Comm::SetSelect(details->fd, COMM_SELECT_READ, clientNegotiateSSL, connState, 0); else { char buf[MAX_IPSTRLEN]; @@ -3575,7 +3575,7 @@ } /** - * A callback function to use with the ACLFilledChecklist callback. + * A callback function to use with the ACLFilledChecklist callback. * In the case of ACCES_ALLOWED answer initializes a bumped SSL connection, * else reverts the connection to tunnel mode. */ @@ -3645,7 +3645,7 @@ httpsSslBumpAccessCheckDone(ACCESS_DENIED, connState); return; } - + // Create a fake HTTP request for ssl_bump ACL check, // using tproxy/intercept provided destination IP and port. HttpRequest *request = new HttpRequest(); @@ -3654,7 +3654,7 @@ request->SetHost(params.conn->local.NtoA(ip, sizeof(ip))); request->port = params.conn->local.GetPort(); request->myportname = s->name; - + ACLFilledChecklist *acl_checklist = new ACLFilledChecklist(Config.accessList.ssl_bump, request, NULL); acl_checklist->src_addr = params.conn->remote; acl_checklist->my_addr = s->s; @@ -3719,7 +3719,7 @@ if (X509 *mimicCert = sslServerBump->serverCert.get()) certProperties.mimicCert.resetAndLock(mimicCert); - ACLFilledChecklist checklist(NULL, sslServerBump->request, + ACLFilledChecklist checklist(NULL, sslServerBump->request, clientConnection != NULL ? clientConnection->rfc931 : dash_str); checklist.conn(this); checklist.sslErrors = cbdataReference(sslServerBump->sslErrors); @@ -3727,14 +3727,14 @@ for (sslproxy_cert_adapt *ca = Config.ssl_client.cert_adapt; ca != NULL; ca = ca->next) { // If the algorithm already set, then ignore it. if ((ca->alg == Ssl::algSetCommonName && certProperties.setCommonName) || - (ca->alg == Ssl::algSetValidAfter && certProperties.setValidAfter) || - (ca->alg == Ssl::algSetValidBefore && certProperties.setValidBefore) ) + (ca->alg == Ssl::algSetValidAfter && certProperties.setValidAfter) || + (ca->alg == Ssl::algSetValidBefore && certProperties.setValidBefore) ) continue; if (ca->aclList && checklist.fastCheck(ca->aclList) == ACCESS_ALLOWED) { const char *alg = Ssl::CertAdaptAlgorithmStr[ca->alg]; const char *param = ca->param; - + // For parameterless CN adaptation, use hostname from the // CONNECT request. if (ca->alg == Ssl::algSetCommonName) { @@ -3742,13 +3742,12 @@ param = sslConnectHostOrIp.termedBuf(); certProperties.commonName = param; certProperties.setCommonName = true; - } - else if(ca->alg == Ssl::algSetValidAfter) + } else if (ca->alg == Ssl::algSetValidAfter) certProperties.setValidAfter = true; - else if(ca->alg == Ssl::algSetValidBefore) + else if (ca->alg == Ssl::algSetValidBefore) certProperties.setValidBefore = true; - debugs(33, 5, HERE << "Matches certificate adaptation aglorithm: " << + debugs(33, 5, HERE << "Matches certificate adaptation aglorithm: " << alg << " param: " << (param ? param : "-")); } } @@ -3774,8 +3773,7 @@ assert(port->untrustedSigningCert.get()); certProperties.signWithX509.resetAndLock(port->untrustedSigningCert.get()); certProperties.signWithPkey.resetAndLock(port->untrustedSignPkey.get()); - } - else { + } else { assert(port->signingCert.get()); certProperties.signWithX509.resetAndLock(port->signingCert.get()); @@ -3817,15 +3815,14 @@ #if USE_SSL_CRTD try { - debugs(33, 5, HERE << "Generating SSL certificate for " << certProperties.commonName << " using ssl_crtd."); - Ssl::CrtdMessage request_message; - request_message.setCode(Ssl::CrtdMessage::code_new_certificate); - request_message.composeRequest(certProperties); - debugs(33, 5, HERE << "SSL crtd request: " << request_message.compose().c_str()); - Ssl::Helper::GetInstance()->sslSubmit(request_message, sslCrtdHandleReplyWrapper, this); - return; - } - catch (const std::exception &e) { + debugs(33, 5, HERE << "Generating SSL certificate for " << certProperties.commonName << " using ssl_crtd."); + Ssl::CrtdMessage request_message; + request_message.setCode(Ssl::CrtdMessage::code_new_certificate); + request_message.composeRequest(certProperties); + debugs(33, 5, HERE << "SSL crtd request: " << request_message.compose().c_str()); + Ssl::Helper::GetInstance()->sslSubmit(request_message, sslCrtdHandleReplyWrapper, this); + return; + } catch (const std::exception &e) { debugs(33, DBG_IMPORTANT, "ERROR: Failed to compose ssl_crtd " << "request for " << certProperties.commonName << " certificate: " << e.what() << "; will now block to " << @@ -3927,7 +3924,7 @@ Ssl::X509_Pointer serverCert(SSL_get_peer_certificate(ssl)); assert(serverCert.get() != NULL); sslCommonName = Ssl::CommonHostName(serverCert.get()); - debugs(33, 5, HERE << "HTTPS server CN: " << sslCommonName << + debugs(33, 5, HERE << "HTTPS server CN: " << sslCommonName << " bumped: " << *serverConnection); pinConnection(serverConnection, NULL, NULL, false); @@ -4501,13 +4498,13 @@ cbdataReferenceDone(pinning.peer); if (Comm::IsConnOpen(pinning.serverConnection)) { - if (pinning.closeHandler != NULL) { - comm_remove_close_handler(pinning.serverConnection->fd, pinning.closeHandler); - pinning.closeHandler = NULL; - } - /// also close the server side socket, we should not use it for any future requests... - // TODO: do not close if called from our close handler? - pinning.serverConnection->close(); + if (pinning.closeHandler != NULL) { + comm_remove_close_handler(pinning.serverConnection->fd, pinning.closeHandler); + pinning.closeHandler = NULL; + } + /// also close the server side socket, we should not use it for any future requests... + // TODO: do not close if called from our close handler? + pinning.serverConnection->close(); } safe_free(pinning.host); === modified file 'src/client_side.h' --- src/client_side.h 2012-07-18 15:19:04 +0000 +++ src/client_side.h 2012-07-19 00:12:22 +0000 @@ -164,8 +164,9 @@ class ConnectionDetail; #if USE_SSL -namespace Ssl { - class ServerBump; +namespace Ssl +{ +class ServerBump; } #endif /** === modified file 'src/client_side_request.cc' --- src/client_side_request.cc 2012-07-18 20:20:34 +0000 +++ src/client_side_request.cc 2012-07-19 00:12:22 +0000 @@ -822,14 +822,14 @@ Ip::Address tmpnoaddr; tmpnoaddr.SetNoAddr(); - error = clientBuildError(page_id, status, + error = clientBuildError(page_id, status, NULL, http->getConn() != NULL ? http->getConn()->clientConnection->remote : tmpnoaddr, http->request - ); + ); #if USE_AUTH - error->auth_user_request = + error->auth_user_request = http->getConn() != NULL && http->getConn()->auth_user_request != NULL ? http->getConn()->auth_user_request : http->request->auth_user_request; #endif @@ -1301,7 +1301,7 @@ // (bumping of intercepted SSL conns is decided before we get 1st request). // We also do not bump redirected CONNECT requests. if (http->request->method != METHOD_CONNECT || http->redirect.status || - !Config.accessList.ssl_bump || !http->getConn()->port->sslBump) { + !Config.accessList.ssl_bump || !http->getConn()->port->sslBump) { http->al->ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log - debugs(85, 5, HERE << "cannot SslBump this request"); return false; @@ -1343,7 +1343,7 @@ return; const Ssl::BumpMode bumpMode = answer == ACCESS_ALLOWED ? - static_cast(answer.kind) : Ssl::bumpNone; + static_cast(answer.kind) : Ssl::bumpNone; http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed http->al->ssl.bumpMode = bumpMode; // for logging @@ -1533,7 +1533,7 @@ calloutContext->http->al->request = HTTPMSGLOCK(request); if (!calloutContext->error) { - // CVE-2009-0801: verify the Host: header is consistent with other known details. + // CVE-2009-0801: verify the Host: header is consistent with other known details. if (!calloutContext->host_header_verify_done) { debugs(83, 3, HERE << "Doing calloutContext->hostHeaderVerify()"); calloutContext->host_header_verify_done = true; @@ -1552,8 +1552,8 @@ if (!calloutContext->adaptation_acl_check_done) { calloutContext->adaptation_acl_check_done = true; if (Adaptation::AccessCheck::Start( - Adaptation::methodReqmod, Adaptation::pointPreCache, - request, NULL, this)) + Adaptation::methodReqmod, Adaptation::pointPreCache, + request, NULL, this)) return; // will call callback } #endif @@ -1640,7 +1640,7 @@ calloutContext->error = NULL; getConn()->setServerBump(srvBump); e->unlock(); - } else + } else #endif { // send the error to the client now @@ -1892,12 +1892,12 @@ noAddr.SetNoAddr(); ConnStateData * c = getConn(); calloutContext->error = clientBuildError(ERR_ICAP_FAILURE, HTTP_INTERNAL_SERVER_ERROR, - NULL, - c != NULL ? c->clientConnection->remote : noAddr, - request - ); + NULL, + c != NULL ? c->clientConnection->remote : noAddr, + request + ); #if USE_AUTH - calloutContext->error->auth_user_request = + calloutContext->error->auth_user_request = c != NULL && c->auth_user_request != NULL ? c->auth_user_request : request->auth_user_request; #endif calloutContext->error->detailError(errDetail); === modified file 'src/forward.cc' --- src/forward.cc 2012-07-18 17:45:54 +0000 +++ src/forward.cc 2012-07-19 00:12:22 +0000 @@ -674,14 +674,14 @@ // remember validation errors, if any if (Ssl::Errors *errs = static_cast(SSL_get_ex_data(ssl, ssl_ex_index_ssl_errors))) serverBump->sslErrors = cbdataReference(errs); - } + } } // For intercepted connections, set the host name to the server // certificate CN. Otherwise, we just hope that CONNECT is using // a user-entered address (a host name or a user-entered IP). - const bool isConnectRequest = !request->clientConnectionManager->port->spoof_client_ip && - !request->clientConnectionManager->port->intercepted; + const bool isConnectRequest = !request->clientConnectionManager->port->spoof_client_ip && + !request->clientConnectionManager->port->intercepted; if (request->flags.sslPeek && !isConnectRequest) { if (X509 *srvX509 = errDetails->peerCert()) { if (const char *name = Ssl::CommonHostName(srvX509)) { @@ -704,7 +704,7 @@ return; } } - + if (request->clientConnectionManager.valid()) { // remember the server certificate from the ErrorDetail object if (Ssl::ServerBump *serverBump = request->clientConnectionManager->serverBump()) { @@ -777,8 +777,8 @@ // unless it was the CONNECT request with a user-typed address. const char *hostname = request->GetHost(); const bool hostnameIsIp = request->GetHostIsNumeric(); - const bool isConnectRequest = !request->clientConnectionManager->port->spoof_client_ip && - !request->clientConnectionManager->port->intercepted; + const bool isConnectRequest = !request->clientConnectionManager->port->spoof_client_ip && + !request->clientConnectionManager->port->intercepted; if (!request->flags.sslPeek || isConnectRequest) SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)hostname); @@ -799,8 +799,8 @@ // store peeked cert to check SQUID_X509_V_ERR_CERT_CHANGE X509 *peeked_cert; if (request->clientConnectionManager.valid() && - request->clientConnectionManager->serverBump() && - (peeked_cert = request->clientConnectionManager->serverBump()->serverCert.get())) { + request->clientConnectionManager->serverBump() && + (peeked_cert = request->clientConnectionManager->serverBump()->serverCert.get())) { CRYPTO_add(&(peeked_cert->references),1,CRYPTO_LOCK_X509); SSL_set_ex_data(ssl, ssl_ex_index_ssl_peeked_cert, peeked_cert); } @@ -844,11 +844,11 @@ // some requests benefit from pinning but do not require it and can "repin" const bool rePin = request->flags.canRePin && - request->clientConnectionManager.valid(); + request->clientConnectionManager.valid(); if (rePin) { debugs(17, 3, HERE << "repinning " << serverConn); request->clientConnectionManager->pinConnection(serverConn, - request, serverConn->getPeer(), request->flags.auth); + request, serverConn->getPeer(), request->flags.auth); request->flags.pinned = 1; } === modified file 'src/ssl/ErrorDetail.cc' --- src/ssl/ErrorDetail.cc 2012-06-19 21:51:49 +0000 +++ src/ssl/ErrorDetail.cc 2012-07-19 00:12:22 +0000 @@ -17,9 +17,9 @@ static SslErrorEntry TheSslErrorArray[] = { {SQUID_X509_V_ERR_CERT_CHANGE, - "SQUID_X509_V_ERR_CERT_CHANGE"}, + "SQUID_X509_V_ERR_CERT_CHANGE"}, {SQUID_ERR_SSL_HANDSHAKE, - "SQUID_ERR_SSL_HANDSHAKE"}, + "SQUID_ERR_SSL_HANDSHAKE"}, {SQUID_X509_V_ERR_DOMAIN_MISMATCH, "SQUID_X509_V_ERR_DOMAIN_MISMATCH"}, {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, @@ -99,11 +99,12 @@ static const Ssl::ssl_error_t notYetValid[] = {X509_V_ERR_CERT_NOT_YET_VALID, SSL_ERROR_NONE}; static const Ssl::ssl_error_t domainMismatch[] = {SQUID_X509_V_ERR_DOMAIN_MISMATCH, SSL_ERROR_NONE}; static const Ssl::ssl_error_t certUntrusted[] = {X509_V_ERR_INVALID_CA, - X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, - X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, - X509_V_ERR_CERT_UNTRUSTED, SSL_ERROR_NONE}; + X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, + X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, + X509_V_ERR_CERT_UNTRUSTED, SSL_ERROR_NONE + }; static const Ssl::ssl_error_t certSelfSigned[] = {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_ERROR_NONE}; // The list of error name shortcuts for use with ssl_error acls. @@ -174,7 +175,7 @@ const SslErrorShortcuts::const_iterator it = TheSslErrorShortcuts.find(name); if (it != TheSslErrorShortcuts.end()) { // Should not be empty... - assert(it->second[0] != SSL_ERROR_NONE); + assert(it->second[0] != SSL_ERROR_NONE); Ssl::Errors *errors = new Ssl::Errors(it->second[0]); for (int i =1; it->second[i] != SSL_ERROR_NONE; i++) { errors->push_back_unique(it->second[i]); @@ -353,7 +354,7 @@ * %ssl_ca_name: The certificate issuer name * %ssl_notbefore: The certificate "not before" field * %ssl_notafter: The certificate "not after" field - * + * \retval the length of the code (the number of characters will be replaced by value) */ int Ssl::ErrorDetail::convert(const char *code, const char **value) const === modified file 'src/ssl/ServerBump.cc' --- src/ssl/ServerBump.cc 2012-06-19 21:51:49 +0000 +++ src/ssl/ServerBump.cc 2012-07-19 00:12:22 +0000 @@ -17,8 +17,8 @@ Ssl::ServerBump::ServerBump(HttpRequest *fakeRequest, StoreEntry *e): - request(fakeRequest), - sslErrors(NULL) + request(fakeRequest), + sslErrors(NULL) { debugs(33, 4, HERE << "will peek at " << request->GetHost() << ':' << request->port); const char *uri = urlCanonical(request); === modified file 'src/ssl/crtd_message.cc' --- src/ssl/crtd_message.cc 2012-03-08 04:02:40 +0000 +++ src/ssl/crtd_message.cc 2012-07-19 00:12:22 +0000 @@ -189,18 +189,18 @@ return false; } certProperties.commonName = i->second; - - i = map.find(Ssl::CrtdMessage::param_SetValidAfter); + + i = map.find(Ssl::CrtdMessage::param_SetValidAfter); if (i != map.end() && strcasecmp(i->second.c_str(), "on") == 0) certProperties.setValidAfter = true; - + i = map.find(Ssl::CrtdMessage::param_SetValidBefore); if (i != map.end() && strcasecmp(i->second.c_str(), "on") == 0) certProperties.setValidBefore = true; i = map.find(Ssl::CrtdMessage::param_SetCommonName); if (i != map.end()) { - // use this as Common Name instead of the hostname + // use this as Common Name instead of the hostname // defined with host or Common Name from mimic cert certProperties.commonName = i->second; certProperties.setCommonName = true; @@ -212,8 +212,7 @@ error = "Wrong signing algoritm: " + i->second; return false; } - } - else + } else certProperties.signAlgorithm = Ssl::algSignTrusted; if (!Ssl::readCertAndPrivateKeyFromMemory(certProperties.signWithX509, certProperties.signWithPkey, certs_part.c_str())) { @@ -241,7 +240,7 @@ body += "\n" + Ssl::CrtdMessage::param_SetValidAfter + "=on"; if (certProperties.setValidBefore) body += "\n" + Ssl::CrtdMessage::param_SetValidBefore + "=on"; - if(certProperties.signAlgorithm != Ssl::algSignEnd) + if (certProperties.signAlgorithm != Ssl::algSignEnd) body += "\n" + Ssl::CrtdMessage::param_Sign + "=" + certSignAlgorithm(certProperties.signAlgorithm); std::string certsPart; === modified file 'src/ssl/gadgets.cc' --- src/ssl/gadgets.cc 2012-06-02 00:21:53 +0000 +++ src/ssl/gadgets.cc 2012-07-19 00:12:22 +0000 @@ -92,7 +92,7 @@ if (!ptr) return false; - if (!bufferToWrite.empty()) + if (!bufferToWrite.empty()) bufferToWrite.append(" "); // add a space... bufferToWrite.append(ptr, len); @@ -165,7 +165,7 @@ size_t pos = 0; do { pos = cn.find('.', pos + 1); - } while(pos != std::string::npos && (cn.length() - pos + 2) > MaxCnLen); + } while (pos != std::string::npos && (cn.length() - pos + 2) > MaxCnLen); // If no short domain found or this domain is a toplevel domain // we failed to find a good cn name. @@ -200,7 +200,7 @@ const char *Ssl::CertSignAlgorithmStr[] = { "signTrusted", - "signUntrusted", + "signUntrusted", "signSelf", NULL }; @@ -213,10 +213,10 @@ }; Ssl::CertificateProperties::CertificateProperties(): - setValidAfter(false), - setValidBefore(false), - setCommonName(false), - signAlgorithm(Ssl::algSignEnd) + setValidAfter(false), + setValidBefore(false), + setCommonName(false), + signAlgorithm(Ssl::algSignEnd) {} std::string & Ssl::CertificateProperties::dbKey() const @@ -254,13 +254,13 @@ } static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificateProperties const &properties) -{ +{ // not an Ssl::X509_NAME_Pointer because X509_REQ_get_subject_name() // returns a pointer to the existing subject name. Nothing to clean here. if (properties.mimicCert.get()) { // Leave subject empty if we cannot extract it from true cert. if (X509_NAME *name = X509_get_subject_name(properties.mimicCert.get())) { - // X509_set_subject_name will call X509_dup for name + // X509_set_subject_name will call X509_dup for name X509_set_subject_name(cert.get(), name); } } @@ -273,10 +273,10 @@ (void)replaceCommonName(cert, properties.commonName); } - // We should get caCert notBefore and notAfter fields and do not allow + // We should get caCert notBefore and notAfter fields and do not allow // notBefore/notAfter values from certToMimic before/after notBefore/notAfter // fields from caCert. - // Currently there is not any way in openssl tollkit to compare two ASN1_TIME + // Currently there is not any way in openssl tollkit to compare two ASN1_TIME // objects. ASN1_TIME *aTime = NULL; if (!properties.setValidBefore && properties.mimicCert.get()) @@ -287,8 +287,7 @@ if (aTime) { if (!X509_set_notBefore(cert.get(), aTime)) return false; - } - else if (!X509_gmtime_adj(X509_get_notBefore(cert.get()), (-2)*24*60*60)) + } else if (!X509_gmtime_adj(X509_get_notBefore(cert.get()), (-2)*24*60*60)) return false; aTime = NULL; @@ -315,7 +314,7 @@ // certificates with CN unrelated to subjectAltNames. if (!properties.setCommonName) { int pos=X509_get_ext_by_NID (properties.mimicCert.get(), OBJ_sn2nid("subjectAltName"), -1); - X509_EXTENSION *ext=X509_get_ext(properties.mimicCert.get(), pos); + X509_EXTENSION *ext=X509_get_ext(properties.mimicCert.get(), pos); if (ext) { X509_add_ext(cert.get(), ext, -1); /* According the RFC 5280 using extensions requires version 3 @@ -381,7 +380,7 @@ static BIGNUM *createCertSerial(unsigned char *md, unsigned int n) { - + assert(n == 20); //for sha1 n is 20 (for md5 n is 16) BIGNUM *serial = NULL; @@ -430,8 +429,8 @@ return createCertSerial(md, n); } -/// Generate a unique serial number based on a Ssl::CertificateProperties object -/// for a new generated certificate +/// Generate a unique serial number based on a Ssl::CertificateProperties object +/// for a new generated certificate static bool createSerial(Ssl::BIGNUM_Pointer &serial, Ssl::CertificateProperties const &properties) { Ssl::EVP_PKEY_Pointer fakePkey; @@ -522,7 +521,7 @@ /// Print the time represented by a ASN1_TIME struct to a string using GeneralizedTime format static bool asn1timeToGeneralizedTimeStr(ASN1_TIME *aTime, char *buf, int bufLen) { - // ASN1_Time holds time to UTCTime or GeneralizedTime form. + // ASN1_Time holds time to UTCTime or GeneralizedTime form. // UTCTime has the form YYMMDDHHMMSS[Z | [+|-]offset] // GeneralizedTime has the form YYYYMMDDHHMMSS[Z | [+|-] offset] @@ -541,8 +540,7 @@ buf[1] = '0'; } str = buf +2; - } - else // if (aTime->type == V_ASN1_GENERALIZEDTIME) + } else // if (aTime->type == V_ASN1_GENERALIZEDTIME) str = buf; memcpy(str, aTime->data, aTime->length); @@ -557,7 +555,7 @@ return -1; if (!asn1timeToGeneralizedTimeStr(asnTime2, strTime2, sizeof(strTime2))) return -1; - + return strcmp(strTime1, strTime2); } @@ -571,7 +569,7 @@ if (X509_check_issued(properties.signWithX509.get(), cert) != X509_V_OK) return false; } - + X509 *cert2 = properties.mimicCert.get(); // If there is not certificate to mimic stop here if (!cert2) @@ -582,10 +580,9 @@ X509_NAME *cert2_name = X509_get_subject_name(cert2); if (X509_NAME_cmp(cert1_name, cert2_name) != 0) return false; - } - else if (properties.commonName != CommonHostName(cert)) - return false; - + } else if (properties.commonName != CommonHostName(cert)) + return false; + if (!properties.setValidBefore) { ASN1_TIME *aTime = X509_get_notBefore(cert); ASN1_TIME *bTime = X509_get_notBefore(cert2); @@ -606,15 +603,15 @@ return false; } - + char *alStr1; int alLen; alStr1 = (char *)X509_alias_get0(cert, &alLen); char *alStr2 = (char *)X509_alias_get0(cert2, &alLen); if ((!alStr1 && alStr2) || (alStr1 && !alStr2) || - (alStr1 && alStr2 && strcmp(alStr1, alStr2)) != 0) + (alStr1 && alStr2 && strcmp(alStr1, alStr2)) != 0) return false; - + // Compare subjectAltName extension STACK_OF(GENERAL_NAME) * cert1_altnames; cert1_altnames = (STACK_OF(GENERAL_NAME)*)X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); @@ -627,10 +624,9 @@ const GENERAL_NAME *aName = sk_GENERAL_NAME_value(cert1_altnames, i); match = sk_GENERAL_NAME_find(cert2_altnames, aName); } - } - else if (cert2_altnames) + } else if (cert2_altnames) match = false; - + sk_GENERAL_NAME_pop_free(cert1_altnames, GENERAL_NAME_free); sk_GENERAL_NAME_pop_free(cert2_altnames, GENERAL_NAME_free); @@ -646,8 +642,8 @@ // TODO: What if the entry is a UTF8String? See X509_NAME_get_index_by_NID(3ssl). const int nameLen = X509_NAME_get_text_by_NID( - X509_get_subject_name(x509), - nid, name, sizeof(name)); + X509_get_subject_name(x509), + nid, name, sizeof(name)); if (nameLen > 0) return name; === modified file 'src/ssl/gadgets.h' --- src/ssl/gadgets.h 2012-04-05 16:38:31 +0000 +++ src/ssl/gadgets.h 2012-07-19 00:12:22 +0000 @@ -198,13 +198,14 @@ \ingroup SslCrtdSslAPI * Simple struct to pass certificate generation parameters to generateSslCertificate function. */ -class CertificateProperties { +class CertificateProperties +{ public: CertificateProperties(); X509_Pointer mimicCert; ///< Certificate to mimic X509_Pointer signWithX509; ///< Certificate to sign the generated request EVP_PKEY_Pointer signWithPkey; ///< The key of the signing certificate - bool setValidAfter; ///< Do not mimic "Not Valid After" field + bool setValidAfter; ///< Do not mimic "Not Valid After" field bool setValidBefore; ///< Do not mimic "Not Valid Before" field bool setCommonName; ///< Replace the CN field of the mimicing subject with the given std::string commonName; ///< A CN to use for the generated certificate === modified file 'src/ssl/ssl_crtd.cc' --- src/ssl/ssl_crtd.cc 2012-06-19 21:51:49 +0000 +++ src/ssl/ssl_crtd.cc 2012-07-19 00:12:22 +0000 @@ -211,7 +211,7 @@ Ssl::X509_Pointer cert; Ssl::EVP_PKEY_Pointer pkey; std::string &cert_subject = certProperties.dbKey(); - + db.find(cert_subject, cert, pkey); if (cert.get()) { @@ -224,7 +224,7 @@ } } - if (!cert || !pkey) { + if (!cert || !pkey) { if (!Ssl::generateSslCertificate(cert, pkey, certProperties)) throw std::runtime_error("Cannot create ssl certificate or private key."); === modified file 'src/ssl/support.cc' --- src/ssl/support.cc 2012-06-19 21:51:49 +0000 +++ src/ssl/support.cc 2012-07-19 00:12:22 +0000 @@ -261,8 +261,7 @@ delete errs; errs = NULL; } - } - else // remember another error number + } else // remember another error number errs->push_back_unique(error_no); if (const char *err_descr = Ssl::GetErrorDescr(error_no)) @@ -615,7 +614,7 @@ static void ssl_free_SslErrors(void *, void *ptr, CRYPTO_EX_DATA *, - int, long, void *) + int, long, void *) { Ssl::Errors *errs = static_cast (ptr); delete errs; @@ -624,7 +623,7 @@ // "free" function for X509 certificates static void ssl_free_X509(void *, void *ptr, CRYPTO_EX_DATA *, - int, long, void *) + int, long, void *) { X509 *cert = static_cast (ptr); X509_free(cert); @@ -1448,13 +1447,11 @@ certProperties.commonName = "Not trusted by \""; certProperties.commonName += cn; certProperties.commonName += "\""; - } - else if (const char *org = getOrganization(cert.get())) { + } else if (const char *org = getOrganization(cert.get())) { certProperties.commonName = "Not trusted by \""; certProperties.commonName += org; certProperties.commonName += "\""; - } - else + } else certProperties.commonName = "Not trusted"; certProperties.setCommonName = true; // O, OU, and other CA subject fields will be mimicked === modified file 'src/tunnel.cc' --- src/tunnel.cc 2012-06-14 21:48:10 +0000 +++ src/tunnel.cc 2012-07-19 00:12:22 +0000 @@ -481,7 +481,7 @@ } /** - * Set the HTTP status for this request and sets the read handlers for client + * Set the HTTP status for this request and sets the read handlers for client * and server side connections. */ static void