crtd__message_8cc_source.html

/*

 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors

 *

 * Squid software is distributed under GPLv2+ license and includes

 * contributions from numerous individuals and organizations.

 * Please see the COPYING and CONTRIBUTORS files for details.

 */


#include "squid.h"

#include "base/TextException.h"

#include "sbuf/Stream.h"

#include "ssl/crtd_message.h"

#include "ssl/gadgets.h"


#include <cstdlib>

#include <cstring>

#include <stdexcept>


Ssl::CrtdMessage::CrtdMessage(MessageKind kind)

    :   body_size(0), state(kind == REPLY ? BEFORE_LENGTH: BEFORE_CODE)

{}


Ssl::CrtdMessage::ParseResult Ssl::CrtdMessage::parse(const char * buffer, size_t len)

{

    char const *current_pos = buffer;

    while (current_pos != buffer + len && state != END) {

        switch (state) {

        case BEFORE_CODE: {

            if (xisspace(*current_pos)) {

                ++current_pos;

                break;

            }

            if (xisalpha(*current_pos)) {

                state = CODE;

                break;

            }

            clear();

            return ERROR;

        }

        case CODE: {

            if (xisalnum(*current_pos) || *current_pos == '_') {

                current_block += *current_pos;

                ++current_pos;

                break;

            }

            if (xisspace(*current_pos)) {

                code = current_block;

                current_block.clear();

                state = BEFORE_LENGTH;

                break;

            }

            clear();

            return ERROR;

        }

        case BEFORE_LENGTH: {

            if (xisspace(*current_pos)) {

                ++current_pos;

                break;

            }

            if (xisdigit(*current_pos)) {

                state = LENGTH;

                break;

            }

            clear();

            return ERROR;

        }

        case LENGTH: {

            if (xisdigit(*current_pos)) {

                current_block += *current_pos;

                ++current_pos;

                break;

            }

            if (xisspace(*current_pos)) {

                body_size = atoi(current_block.c_str());

                current_block.clear();

                state = BEFORE_BODY;

                break;

            }

            clear();

            return ERROR;

        }

        case BEFORE_BODY: {

            if (body_size == 0) {

                state = END;

                break;

            }

            if (xisspace(*current_pos)) {

                ++current_pos;

                break;

            } else {

                state = BODY;

                break;

            }

        }

        case BODY: {

            size_t body_len = (static_cast<size_t>(buffer + len - current_pos) >= body_size - current_block.length())

                              ? body_size - current_block.length()

                              : static_cast<size_t>(buffer + len - current_pos);

            current_block += std::string(current_pos, body_len);

            current_pos += body_len;

            if (current_block.length() == body_size) {

                body = current_block;

                state = END;

            }

            if (current_block.length() > body_size) {

                clear();

                return ERROR;

            }

            break;

        }

        case END: {

            return OK;

        }

        }

    }

    if (state != END) return INCOMPLETE;

    return OK;

}


std::string const & Ssl::CrtdMessage::getBody() const { return body; }


std::string const & Ssl::CrtdMessage::getCode() const { return code; }


void Ssl::CrtdMessage::setBody(std::string const & aBody) { body = aBody; }


void Ssl::CrtdMessage::setCode(std::string const & aCode) { code = aCode; }


std::string Ssl::CrtdMessage::compose() const

{

    if (code.empty()) return std::string();

    return code + ' ' + std::to_string(body.length()) + ' ' + body;

}


void Ssl::CrtdMessage::clear()

{

    body_size = 0;

    state = BEFORE_CODE;

    body.clear();

    code.clear();

    current_block.clear();

}


void Ssl::CrtdMessage::parseBody(CrtdMessage::BodyParams & map, std::string & other_part) const

{

    other_part.clear();

    // Copy string for using it as temp buffer.

    std::string temp_body(body.c_str(), body.length());

    char * buffer = const_cast<char *>(temp_body.c_str());

    char * token = strtok(buffer, "\r\n");

    while (token != nullptr) {

        std::string current_string(token);

        size_t equal_pos = current_string.find('=');

        if (equal_pos == std::string::npos) {

            size_t offset_body_part = token - temp_body.c_str();

            other_part = std::string(body.c_str() + offset_body_part, body.length() - offset_body_part);

            break;

        } else {

            std::string param(current_string.c_str(), current_string.c_str() + equal_pos);

            std::string value(current_string.c_str() + equal_pos + 1);

            map.insert(std::make_pair(param, value));

        }

        token = strtok(nullptr, "\r\n");

    }

}


void Ssl::CrtdMessage::composeBody(CrtdMessage::BodyParams const & map, std::string const & other_part)

{

    body.clear();

    for (BodyParams::const_iterator i = map.begin(); i != map.end(); ++i) {

        if (i != map.begin())

            body += "\n";

        body += i->first + "=" + i->second;

    }

    if (!other_part.empty())

        body += '\n' + other_part;

}


void


Ssl::CrtdMessage::parseRequest(CertificateProperties &certProperties)

{

    Ssl::CrtdMessage::BodyParams map;

    std::string certs_part;

    parseBody(map, certs_part);

    Ssl::CrtdMessage::BodyParams::iterator i = map.find(Ssl::CrtdMessage::param_host);

    if (i == map.end()) {

        throw TextException("Cannot find \"host\" parameter in request message", Here());

    }

    certProperties.commonName = i->second;


    i = map.find(Ssl::CrtdMessage::param_SetValidAfter);

    if (i != map.end() && strcasecmp(i->second.c_str(), "on") == 0)

        certProperties.setValidAfter = true;


    i = map.find(Ssl::CrtdMessage::param_SetValidBefore);

    if (i != map.end() && strcasecmp(i->second.c_str(), "on") == 0)

        certProperties.setValidBefore = true;


    i = map.find(Ssl::CrtdMessage::param_SetCommonName);

    if (i != map.end()) {

        // use this as Common Name  instead of the hostname

        // defined with host or Common Name from mimic cert

        certProperties.commonName = i->second;

        certProperties.setCommonName = true;

    }


    i = map.find(Ssl::CrtdMessage::param_Sign);

    if (i != map.end()) {

        if ((certProperties.signAlgorithm = Ssl::certSignAlgorithmId(i->second.c_str())) == Ssl::algSignEnd) {

            throw TextException(ToSBuf("Wrong signing algorithm: ", i->second), Here());

        }

    } else

        certProperties.signAlgorithm = Ssl::algSignTrusted;


    i = map.find(Ssl::CrtdMessage::param_SignHash);

    const char *signHashName = i != map.end() ? i->second.c_str() : SQUID_SSL_SIGN_HASH_IF_NONE;

    if (!(certProperties.signHash = EVP_get_digestbyname(signHashName))) {

        throw TextException(ToSBuf("Wrong signing hash: ", signHashName), Here());

    }


    if (!Ssl::readCertAndPrivateKeyFromMemory(certProperties.signWithX509, certProperties.signWithPkey, certs_part.c_str())) {

        throw TextException("Broken signing certificate!", Here());

    }


    static const std::string CERT_BEGIN_STR("-----BEGIN CERTIFICATE");

    size_t pos;

    if ((pos = certs_part.find(CERT_BEGIN_STR)) != std::string::npos) {

        pos += CERT_BEGIN_STR.length();

        if ((pos= certs_part.find(CERT_BEGIN_STR, pos)) != std::string::npos)

            certProperties.mimicCert = ReadCertificate(ReadOnlyBioTiedTo(certs_part.c_str() + pos));

    }

}


void Ssl::CrtdMessage::composeRequest(Ssl::CertificateProperties const &certProperties)

{

    body.clear();

    body = Ssl::CrtdMessage::param_host + "=" + certProperties.commonName;

    if (certProperties.setCommonName)

        body +=  "\n" + Ssl::CrtdMessage::param_SetCommonName + "=" + certProperties.commonName;

    if (certProperties.setValidAfter)

        body +=  "\n" + Ssl::CrtdMessage::param_SetValidAfter + "=on";

    if (certProperties.setValidBefore)

        body +=  "\n" + Ssl::CrtdMessage::param_SetValidBefore + "=on";

    if (certProperties.signAlgorithm != Ssl::algSignEnd)

        body +=  "\n" +  Ssl::CrtdMessage::param_Sign + "=" +  certSignAlgorithm(certProperties.signAlgorithm);

    if (certProperties.signHash)

        body +=  "\n" + Ssl::CrtdMessage::param_SignHash + "=" + EVP_MD_name(certProperties.signHash);


    std::string certsPart;

    if (!Ssl::writeCertAndPrivateKeyToMemory(certProperties.signWithX509, certProperties.signWithPkey, certsPart))

        throw TextException("Ssl::writeCertAndPrivateKeyToMemory()", Here());

    if (certProperties.mimicCert.get()) {

        if (!Ssl::appendCertToMemory(certProperties.mimicCert, certsPart))

            throw TextException("Ssl::appendCertToMemory()", Here());

    }

    body += "\n" + certsPart;

}


const std::string Ssl::CrtdMessage::code_new_certificate("new_certificate");

const std::string Ssl::CrtdMessage::param_host("host");

const std::string Ssl::CrtdMessage::param_SetValidAfter(Ssl::CertAdaptAlgorithmStr[algSetValidAfter]);

const std::string Ssl::CrtdMessage::param_SetValidBefore(Ssl::CertAdaptAlgorithmStr[algSetValidBefore]);

const std::string Ssl::CrtdMessage::param_SetCommonName(Ssl::CertAdaptAlgorithmStr[algSetCommonName]);

const std::string Ssl::CrtdMessage::param_Sign("Sign");

const std::string Ssl::CrtdMessage::param_SignHash("SignHash");


Here
#define Here()
source code location of the caller
Definition Here.h:15

TextException.h

Security::LockingPointer::get
T * get() const
Returns raw and possibly nullptr pointer.
Definition LockingPointer.h:103

Ssl::CertificateProperties
Definition gadgets.h:232

Ssl::CertificateProperties::signWithPkey
Security::PrivateKeyPointer signWithPkey
The key of the signing certificate.
Definition gadgets.h:237

Ssl::CertificateProperties::signWithX509
Security::CertPointer signWithX509
Certificate to sign the generated request.
Definition gadgets.h:236

Ssl::CertificateProperties::setCommonName
bool setCommonName
Replace the CN field of the mimicking subject with the given.
Definition gadgets.h:240

Ssl::CertificateProperties::setValidAfter
bool setValidAfter
Do not mimic "Not Valid After" field.
Definition gadgets.h:238

Ssl::CertificateProperties::signAlgorithm
CertSignAlgorithm signAlgorithm
The signing algorithm to use.
Definition gadgets.h:242

Ssl::CertificateProperties::setValidBefore
bool setValidBefore
Do not mimic "Not Valid Before" field.
Definition gadgets.h:239

Ssl::CertificateProperties::mimicCert
Security::CertPointer mimicCert
Certificate to mimic.
Definition gadgets.h:235

Ssl::CertificateProperties::signHash
const EVP_MD * signHash
The signing hash to use.
Definition gadgets.h:243

Ssl::CertificateProperties::commonName
std::string commonName
A CN to use for the generated certificate.
Definition gadgets.h:241

Ssl::CrtdMessage::setCode
void setCode(std::string const &aCode)
Set new request/reply code to compose.
Definition crtd_message.cc:126

Ssl::CrtdMessage::param_SetCommonName
static const std::string param_SetCommonName
Parameter name for passing SetCommonName cert adaptation variable.
Definition crtd_message.h:84

Ssl::CrtdMessage::clear
void clear()
Reset the class.
Definition crtd_message.cc:134

Ssl::CrtdMessage::composeBody
void composeBody(BodyParams const &map, std::string const &other_part)
Definition crtd_message.cc:166

Ssl::CrtdMessage::setBody
void setBody(std::string const &aBody)
Set new body to encode.
Definition crtd_message.cc:124

Ssl::CrtdMessage::param_SignHash
static const std::string param_SignHash
The signing hash to use.
Definition crtd_message.h:88

Ssl::CrtdMessage::param_SetValidBefore
static const std::string param_SetValidBefore
Parameter name for passing SetValidBefore cert adaptation variable.
Definition crtd_message.h:82

Ssl::CrtdMessage::param_SetValidAfter
static const std::string param_SetValidAfter
Parameter name for passing SetValidAfter cert adaptation variable.
Definition crtd_message.h:80

Ssl::CrtdMessage::code_new_certificate
static const std::string code_new_certificate
String code for "new_certificate" messages.
Definition crtd_message.h:76

Ssl::CrtdMessage::CrtdMessage
CrtdMessage(MessageKind kind)
Definition crtd_message.cc:19

Ssl::CrtdMessage::getBody
std::string const & getBody() const
Current body. If parsing is not finished the method returns incompleted body.
Definition crtd_message.cc:120

Ssl::CrtdMessage::ParseResult
ParseResult
Parse result codes.
Definition crtd_message.h:29

Ssl::CrtdMessage::parseBody
void parseBody(BodyParams &map, std::string &other_part) const
Definition crtd_message.cc:143

Ssl::CrtdMessage::param_host
static const std::string param_host
Parameter name for passing hostname.
Definition crtd_message.h:78

Ssl::CrtdMessage::getCode
std::string const & getCode() const
Current response/request code. If parsing is not finished the method may return incompleted code.
Definition crtd_message.cc:122

Ssl::CrtdMessage::parse
ParseResult parse(const char *buffer, size_t len)
Definition crtd_message.cc:23

Ssl::CrtdMessage::parseRequest
void parseRequest(CertificateProperties &)
orchestrates entire request parsing
Definition crtd_message.cc:179

Ssl::CrtdMessage::BodyParams
std::map< std::string, std::string > BodyParams
Definition crtd_message.h:27

Ssl::CrtdMessage::param_Sign
static const std::string param_Sign
Parameter name for passing signing algorithm.
Definition crtd_message.h:86

Ssl::CrtdMessage::composeRequest
void composeRequest(Ssl::CertificateProperties const &)
Definition crtd_message.cc:233

Ssl::CrtdMessage::MessageKind
MessageKind
Definition crtd_message.h:34

Ssl::CrtdMessage::compose
std::string compose() const
Definition crtd_message.cc:128

TextException
an std::runtime_error with thrower location info
Definition TextException.h:21

crtd_message.h

Ssl::certSignAlgorithmId
CertSignAlgorithm certSignAlgorithmId(const char *sg)
Definition gadgets.h:194

Ssl::appendCertToMemory
bool appendCertToMemory(Security::CertPointer const &cert, std::string &bufferToWrite)
Definition gadgets.cc:169

Ssl::writeCertAndPrivateKeyToMemory
bool writeCertAndPrivateKeyToMemory(Security::CertPointer const &cert, Security::PrivateKeyPointer const &pkey, std::string &bufferToWrite)
Definition gadgets.cc:145

Ssl::readCertAndPrivateKeyFromMemory
bool readCertAndPrivateKeyFromMemory(Security::CertPointer &cert, Security::PrivateKeyPointer &pkey, char const *bufferToRead)
Definition gadgets.cc:193

Ssl::CertAdaptAlgorithmStr
const char * CertAdaptAlgorithmStr[]
Definition gadgets.cc:285

Ssl::certSignAlgorithm
const char * certSignAlgorithm(int sg)
Definition gadgets.h:182

Ssl::algSetValidAfter
@ algSetValidAfter
Definition gadgets.h:207

Ssl::algSetCommonName
@ algSetCommonName
Definition gadgets.h:207

Ssl::algSetValidBefore
@ algSetValidBefore
Definition gadgets.h:207

Ssl::algSignEnd
@ algSignEnd
Definition gadgets.h:169

Ssl::algSignTrusted
@ algSignTrusted
Definition gadgets.h:169

Ssl::ReadCertificate
Security::CertPointer ReadCertificate(const BIO_Pointer &)
Definition gadgets.cc:862

Ssl::ReadOnlyBioTiedTo
BIO_Pointer ReadOnlyBioTiedTo(const char *)
Definition gadgets.cc:218

Stream.h

ToSBuf
SBuf ToSBuf(Args &&... args)
slowly stream-prints all arguments into a freshly allocated SBuf
Definition Stream.h:63

squid.h

gadgets.h

SQUID_SSL_SIGN_HASH_IF_NONE
#define SQUID_SSL_SIGN_HASH_IF_NONE
Definition gadgets.h:46

xisspace
#define xisspace(x)
Definition xis.h:15

xisalpha
#define xisalpha(x)
Definition xis.h:21

xisalnum
#define xisalnum(x)
Definition xis.h:23

xisdigit
#define xisdigit(x)
Definition xis.h:18