commit 93f5fda134a2a010b84ffedbe833d670e63ba4be Author: Christos Tsantilas Date: 2020-05-15 04:54:54 +0000 Fix sending of unknown validation errors to cert. validator (#633) Squid may be compiled with an OpenSSL release introducing X509 validation errors that Squid does not have the names for. Send their integer codes. Also sync Squid certificate verification errors with OpenSSL v1.1.1g. This is a Measurement Factory project. diff --git a/src/format/Format.cc b/src/format/Format.cc index 8c5574b..4b4ad42 100644 --- a/src/format/Format.cc +++ b/src/format/Format.cc @@ -322,15 +322,6 @@ log_quoted_string(const char *str, char *out) *p = '\0'; } -#if USE_OPENSSL -static char * -sslErrorName(Security::ErrorCode err, char *buf, size_t size) -{ - snprintf(buf, size, "SSL_ERR=%d", err); - return buf; -} -#endif - /// XXX: Misnamed. TODO: Split request && al->request->errType == ERR_SECURE_CONNECT_FAIL) { - out = Ssl::GetErrorName(al->request->errDetail); - if (!out) - out = sslErrorName(al->request->errDetail, tmp, sizeof(tmp)); + out = Ssl::GetErrorName(al->request->errDetail, true); } else #endif if (al->request && al->request->errDetail != ERR_DETAIL_NONE) { @@ -1263,10 +1252,7 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS for (const Security::CertErrors *sslError = srvBump->sslErrors(); sslError; sslError = sslError->next) { if (!sb.isEmpty()) sb.append(separator); - if (const char *errorName = Ssl::GetErrorName(sslError->element.code)) - sb.append(errorName); - else - sb.append(sslErrorName(sslError->element.code, tmp, sizeof(tmp))); + sb.append(Ssl::GetErrorName(sslError->element.code, true)); if (sslError->element.depth >= 0) sb.appendf("@depth=%d", sslError->element.depth); } diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc index ddd61fd..00eb0e2 100644 --- a/src/ssl/ErrorDetail.cc +++ b/src/ssl/ErrorDetail.cc @@ -233,6 +233,9 @@ static SslErrorEntry TheSslErrorArray[] = { "X509_V_ERR_SUBTREE_MINMAX" }, #endif + { X509_V_ERR_APPLICATION_VERIFICATION, //50 + "X509_V_ERR_APPLICATION_VERIFICATION" + }, #if defined(X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE) { X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE, //51 @@ -257,9 +260,132 @@ static SslErrorEntry TheSslErrorArray[] = { "X509_V_ERR_CRL_PATH_VALIDATION_ERROR" }, #endif - { X509_V_ERR_APPLICATION_VERIFICATION, - "X509_V_ERR_APPLICATION_VERIFICATION" +#if defined(X509_V_ERR_PATH_LOOP) + { + X509_V_ERR_PATH_LOOP, //55 + "X509_V_ERR_PATH_LOOP" + }, +#endif +#if defined(X509_V_ERR_SUITE_B_INVALID_VERSION) + { + X509_V_ERR_SUITE_B_INVALID_VERSION, //56 + "X509_V_ERR_SUITE_B_INVALID_VERSION" + }, +#endif +#if defined(X509_V_ERR_SUITE_B_INVALID_ALGORITHM) + { + X509_V_ERR_SUITE_B_INVALID_ALGORITHM, //57 + "X509_V_ERR_SUITE_B_INVALID_ALGORITHM" + }, +#endif +#if defined(X509_V_ERR_SUITE_B_INVALID_CURVE) + { + X509_V_ERR_SUITE_B_INVALID_CURVE, //58 + "X509_V_ERR_SUITE_B_INVALID_CURVE" + }, +#endif +#if defined(X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM) + { + X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM, //59 + "X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM" + }, +#endif +#if defined(X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED) + { + X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED, //60 + "X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED" + }, +#endif +#if defined(X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256) + { + X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256, //61 + "X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256" + }, +#endif +#if defined(X509_V_ERR_HOSTNAME_MISMATCH) + { + X509_V_ERR_HOSTNAME_MISMATCH, //62 + "X509_V_ERR_HOSTNAME_MISMATCH" + }, +#endif +#if defined(X509_V_ERR_EMAIL_MISMATCH) + { + X509_V_ERR_EMAIL_MISMATCH, //63 + "X509_V_ERR_EMAIL_MISMATCH" + }, +#endif +#if defined(X509_V_ERR_IP_ADDRESS_MISMATCH) + { + X509_V_ERR_IP_ADDRESS_MISMATCH, //64 + "X509_V_ERR_IP_ADDRESS_MISMATCH" + }, +#endif +#if defined(X509_V_ERR_DANE_NO_MATCH) + { + X509_V_ERR_DANE_NO_MATCH, //65 + "X509_V_ERR_DANE_NO_MATCH" }, +#endif +#if defined(X509_V_ERR_EE_KEY_TOO_SMALL) + { + X509_V_ERR_EE_KEY_TOO_SMALL, //66 + "X509_V_ERR_EE_KEY_TOO_SMALL" + }, +#endif +#if defined(X509_V_ERR_CA_KEY_TOO_SMALL) + { + X509_V_ERR_CA_KEY_TOO_SMALL, //67 + "X509_V_ERR_CA_KEY_TOO_SMALL" + }, +#endif +#if defined(X509_V_ERR_CA_MD_TOO_WEAK) + { + X509_V_ERR_CA_MD_TOO_WEAK, //68 + "X509_V_ERR_CA_MD_TOO_WEAK" + }, +#endif +#if defined(X509_V_ERR_INVALID_CALL) + { + X509_V_ERR_INVALID_CALL, //69 + "X509_V_ERR_INVALID_CALL" + }, +#endif +#if defined(X509_V_ERR_STORE_LOOKUP) + { + X509_V_ERR_STORE_LOOKUP, //70 + "X509_V_ERR_STORE_LOOKUP" + }, +#endif +#if defined(X509_V_ERR_NO_VALID_SCTS) + { + X509_V_ERR_NO_VALID_SCTS, //71 + "X509_V_ERR_NO_VALID_SCTS" + }, +#endif +#if defined(X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION) + { + X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION, //72 + "X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION" + }, +#endif +#if defined(X509_V_ERR_OCSP_VERIFY_NEEDED) + { + X509_V_ERR_OCSP_VERIFY_NEEDED, //73 + "X509_V_ERR_OCSP_VERIFY_NEEDED" + }, +#endif +#if defined(X509_V_ERR_OCSP_VERIFY_FAILED) + { + X509_V_ERR_OCSP_VERIFY_FAILED, //74 + "X509_V_ERR_OCSP_VERIFY_FAILED" + }, +#endif +#if defined(X509_V_ERR_OCSP_CERT_UNKNOWN) + { + X509_V_ERR_OCSP_CERT_UNKNOWN, //75 + "X509_V_ERR_OCSP_CERT_UNKNOWN" + }, +#endif { SSL_ERROR_NONE, "SSL_ERROR_NONE"}, {SSL_ERROR_NONE, NULL} }; @@ -286,6 +412,27 @@ static const char *OptionalSslErrors[] = { "X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX", "X509_V_ERR_UNSUPPORTED_NAME_SYNTAX", "X509_V_ERR_CRL_PATH_VALIDATION_ERROR", + "X509_V_ERR_PATH_LOOP", + "X509_V_ERR_SUITE_B_INVALID_VERSION", + "X509_V_ERR_SUITE_B_INVALID_ALGORITHM", + "X509_V_ERR_SUITE_B_INVALID_CURVE", + "X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM", + "X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED", + "X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256", + "X509_V_ERR_HOSTNAME_MISMATCH", + "X509_V_ERR_EMAIL_MISMATCH", + "X509_V_ERR_IP_ADDRESS_MISMATCH", + "X509_V_ERR_DANE_NO_MATCH", + "X509_V_ERR_EE_KEY_TOO_SMALL", + "X509_V_ERR_CA_KEY_TOO_SMALL", + "X509_V_ERR_CA_MD_TOO_WEAK", + "X509_V_ERR_INVALID_CALL", + "X509_V_ERR_STORE_LOOKUP", + "X509_V_ERR_NO_VALID_SCTS", + "X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION", + "X509_V_ERR_OCSP_VERIFY_NEEDED", + "X509_V_ERR_OCSP_VERIFY_FAILED", + "X509_V_ERR_OCSP_CERT_UNKNOWN", NULL }; @@ -390,7 +537,7 @@ Ssl::ParseErrorString(const char *name, Security::Errors &errors) return false; // not reached } -const char *Ssl::GetErrorName(Security::ErrorCode value) +const char *Ssl::GetErrorName(Security::ErrorCode value, const bool prefixRawCode) { if (TheSslErrors.empty()) loadSslErrorMap(); @@ -399,7 +546,9 @@ const char *Ssl::GetErrorName(Security::ErrorCode value) if (it != TheSslErrors.end()) return it->second->name; - return NULL; + static char tmpBuffer[128]; + snprintf(tmpBuffer, sizeof(tmpBuffer), "%s%d", prefixRawCode ? "SSL_ERR=" : "", (int)value); + return tmpBuffer; } bool @@ -529,21 +678,14 @@ const char *Ssl::ErrorDetail::notafter() const */ const char *Ssl::ErrorDetail::err_code() const { - static char tmpBuffer[64]; // We can use the GetErrorName but using the detailEntry is faster, // so try it first. - const char *err = detailEntry.name.termedBuf(); + if (const char *err = detailEntry.name.termedBuf()) + return err; // error details not loaded yet or not defined in error_details.txt, // try the GetErrorName... - if (!err) - err = GetErrorName(error_no); - - if (!err) { - snprintf(tmpBuffer, 64, "%d", (int)error_no); - err = tmpBuffer; - } - return err; + return GetErrorName(error_no); } /** diff --git a/src/ssl/ErrorDetail.h b/src/ssl/ErrorDetail.h index 48dc405..0eec0a9 100644 --- a/src/ssl/ErrorDetail.h +++ b/src/ssl/ErrorDetail.h @@ -26,8 +26,9 @@ bool ParseErrorString(const char *name, Security::Errors &); /// The Security::ErrorCode code of the error described by "name". Security::ErrorCode GetErrorCode(const char *name); -/// The string representation of the TLS error "value" -const char *GetErrorName(Security::ErrorCode value); +/// \return string representation of a known TLS error (or a raw error code) +/// \param prefixRawCode whether to prefix raw codes with "SSL_ERR=" +const char *GetErrorName(Security::ErrorCode value, const bool prefixRawCode = false); /// A short description of the TLS error "value" const char *GetErrorDescr(Security::ErrorCode value);