[squid-dev] [PATCH] security_fake_certv ; aka helpers/ shuffling exemplar
Amos Jeffries
squid3 at treenet.co.nz
Thu Jan 28 13:55:25 UTC 2016
This patch demonstrates my proposed helpers/ shuffling by updating the
demo certificate validator.
* creates src/security/certv/ for certificate validation helpers.
To distinguish from certificate generator helpers which would be in
src/security/certg/.
* renames cert_valid.pl to security_fake_certv in line with the helper
naming schema.
* moves helpers/ssl/ to src/security/certv/fake/ as it is the fake helper.
- building the man(8) documentation that was missing previously.
* adds a ./configure option --enable-security-certv-helpers=X to allow
the bundled certv helper(s) to be managed at build time just like any other.
- this involves addition of the modules.m4, requires.m4 and Makefile.am
infrastructure that helpers/ssl/ was previously lacking.
Amos
-------------- next part --------------
=== modified file 'CREDITS'
--- CREDITS 2015-09-27 03:52:12 +0000
+++ CREDITS 2016-01-28 11:19:01 +0000
@@ -1395,16 +1395,6 @@
==============================================================================
-helpers/ssl/cert_valid.pl:
-
-(C) 2012 The Measurement Factory, Author: Tsantilas Christos
-
-This program is free software. You may redistribute copies of it under the
-terms of the GNU General Public License version 2, or (at your opinion) any
-later version.
-
-==============================================================================
-
helpers/storeid_rewrite/file/:
Copyright (C) 2013 Alan Mizrahi <alan at mizrahi.com.ve>
@@ -1869,6 +1859,16 @@
==============================================================================
+src/security/certv/fake/security_fake_certv.pl.in:
+
+(C) 2012 The Measurement Factory, Author: Tsantilas Christos
+
+This program is free software. You may redistribute copies of it under the
+terms of the GNU General Public License version 2, or (at your opinion) any
+later version.
+
+==============================================================================
+
tools/helper-mux.pl:
# AUTHOR: Francesco Chemolli <kinkie at squid-cache.org>
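Review bot: the licence sentence carried into the new CREDITS entry still reads "(at your opinion) any later version"; the standard GPLv2 wording is "(at your option)", and since this block is being rewritten for the new path src/security/certv/fake/security_fake_certv.pl.in it is the moment to correct it rather than copy the typo forward.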
=== modified file 'configure.ac'
--- configure.ac 2016-01-24 01:18:43 +0000
+++ configure.ac 2016-01-28 11:17:22 +0000
@@ -2586,6 +2586,18 @@
])
m4_include([helpers/url_rewrite/modules.m4])
+dnl Select security helpers to build
+AC_ARG_ENABLE(security-certv-helpers,
+ AS_HELP_STRING([--enable-security-certv-helpers="list of helpers"],
+ [This option selects which security certificate verify helpers
+ to build and install as part of the normal build
+ process. The default is to attempt the build of all possible
+ helpers. Use --disable-security-certv-helpers to build none.
+ For a list of available helpers see the
+ src/security/certv/ directory.]),[
+])
+m4_include([src/security/certv/modules.m4])
+
dnl Select storeid_rewrite helpers to build
AC_ARG_ENABLE(storeid-rewrite-helpers,
AS_HELP_STRING([--enable-storeid-rewrite-helpers="list of helpers"],
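Review bot: the new --enable-security-certv-helpers option defaults to building every helper under src/security/certv/ and is no longer tied to the TLS build (the ENABLE_SSL gate on helpers/ssl is removed in helpers/Makefile.am in this same patch), so a Squid configured without TLS support will still build and install security_fake_certv; the help string should say so. Since the only bundled helper is the fake one that performs no certificate checks of its own, the help text should also flag `fake` as a testing helper, so nobody selects it expecting real validation.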
@@ -3827,7 +3839,6 @@
helpers/ntlm_auth/fake/Makefile
helpers/ntlm_auth/smb_lm/Makefile
helpers/ntlm_auth/SSPI/Makefile
- helpers/ssl/Makefile
helpers/storeid_rewrite/Makefile
helpers/storeid_rewrite/file/Makefile
helpers/url_rewrite/Makefile
@@ -3883,6 +3894,8 @@
src/parser/Makefile
src/repl/Makefile
src/security/Makefile
+ src/security/certv/Makefile
+ src/security/certv/fake/Makefile
src/servers/Makefile
src/snmp/Makefile
src/ssl/Makefile
=== modified file 'doc/release-notes/release-4.sgml'
--- doc/release-notes/release-4.sgml 2016-01-15 06:57:17 +0000
+++ doc/release-notes/release-4.sgml 2016-01-28 11:14:14 +0000
@@ -44,6 +44,7 @@
<item>Configurable helper queue size
<item>Helper concurrency channels changes
<item>SSL support removal
+ <item>cert_valid.pl helper renamed
<item>MSNT-multi-domain helper removal
<item>Secure ICAP
<item>Improved SMP support
@@ -99,6 +100,16 @@
behaviour explicitly if needed.
+<sect1>cert_valid.pl helper renamed
+<p>The <em>cert_valid.pl</em> testing helper has been renamed to
+ <em>security_fake_certv</em>, reflecting the Squid helper naming schema
+ and that it does not actually perform any certificate checks.
+
+<p>This helper is also now built and installed by default. It is written in Perl
+ so does not require OpenSSL dependencies for installation. But does use the
+ Perl OpenSSL crypto modules, so requires it for execution.
+
+
<sect1>MSNT-multi-domain helper removal
<p>The <em>basic_msnt_multi_domain_auth</em> helper has been removed. The
<em>basic_smb_lm_auth</em> helper performs the same actions without extra
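Review bot: the second paragraph of the new section is ungrammatical and leaves the runtime dependency vague: "But does use the Perl OpenSSL crypto modules, so requires it for execution" is a fragment whose "it" has no antecedent. Name the Perl module the script actually loads (the `use` lines in security_fake_certv.pl.in) so packagers can declare the runtime dependency, along the lines of "It is written in Perl, so installing it needs no OpenSSL development libraries, but at run time it requires the Perl OpenSSL bindings." The doubled blank line before <sect1>MSNT-multi-domain helper removal can also go.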
@@ -322,6 +333,12 @@
<sect1>New options<label id="newoptions">
<p>
<descrip>
+ <tag>--enable-security-certv-helpers</tag>
+ <p>New directive to control which TLS/SSL certificate verification helpers
+ are built and installed.
+ <p>One <em>fake</em> helper that it does not actually perform any
+ certificate checks is provided for testing and example code for writing
+ custom helpers.
</descrip>
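Review bot: "New directive" is the wrong term for --enable-security-certv-helpers; it is a ./configure option, not a squid.conf directive, and the description should say so. The second sentence is also ungrammatical ("One fake helper that it does not actually perform any certificate checks is provided"); suggest: "One <em>fake</em> helper, which performs no certificate checks of its own and only echoes back the errors Squid found, is provided for testing and as example code for writing custom helpers." That echo-only behaviour (stated in the script's header comment) is the fact an operator reading the notes most needs.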
=== modified file 'helpers/Makefile.am'
--- helpers/Makefile.am 2016-01-01 00:12:18 +0000
+++ helpers/Makefile.am 2016-01-28 10:39:21 +0000
@@ -15,7 +15,6 @@
negotiate_auth \
ntlm_auth \
url_rewrite \
- ssl \
storeid_rewrite
SUBDIRS = \
@@ -30,8 +29,3 @@
if ENABLE_AUTH_NTLM
SUBDIRS += ntlm_auth
endif
-
-if ENABLE_SSL
-SUBDIRS += ssl
-endif
-
=== modified file 'src/security/Makefile.am'
--- src/security/Makefile.am 2016-01-01 00:12:18 +0000
+++ src/security/Makefile.am 2016-01-28 10:40:45 +0000
@@ -8,6 +8,8 @@
include $(top_srcdir)/src/Common.am
include $(top_srcdir)/src/TestHeaders.am
+SUBDIRS= certv
+
noinst_LTLIBRARIES = libsecurity.la
libsecurity_la_SOURCES= \
=== added directory 'src/security/certv'
=== added file 'src/security/certv/Makefile.am'
--- src/security/certv/Makefile.am 1970-01-01 00:00:00 +0000
+++ src/security/certv/Makefile.am 2016-01-28 10:59:03 +0000
@@ -0,0 +1,10 @@
+## Copyright (C) 1996-2016 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
+
+DIST_SUBDIRS= fake
+SUBDIRS= $(SECURITY_CERTV_HELPERS)
+
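Review bot: DIST_SUBDIRS is hard-coded to `fake` while SUBDIRS comes from $(SECURITY_CERTV_HELPERS); modules.m4 explicitly supports third-party drop-in helper directories via config.test, and any such directory would be built here but omitted from `make dist`. If that is intended, a one-line comment saying so would save the next person from reporting it as a bug.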
=== renamed directory 'helpers/ssl' => 'src/security/certv/fake'
=== modified file 'src/security/certv/fake/Makefile.am'
--- helpers/ssl/Makefile.am 2016-01-01 00:12:18 +0000
+++ src/security/certv/fake/Makefile.am 2016-01-28 12:42:03 +0000
@@ -7,6 +7,21 @@
include $(top_srcdir)/src/Common.am
-libexec_SCRIPTS = cert_valid.pl
+libexec_SCRIPTS = security_fake_certv
+CLEANFILES += security_fake_certv
EXTRA_DIST= \
- cert_valid.pl
+ security_fake_certv.pl.in \
+ required.m4
+
+security_fake_certv: security_fake_certv.pl.in
+ $(subst_perlshell)
+
+if ENABLE_POD2MAN_DOC
+man_MANS = security_fake_certv.8
+CLEANFILES += security_fake_certv.8
+EXTRA_DIST += security_fake_certv.8
+
+security_fake_certv.8: security_fake_certv
+ pod2man --section=8 security_fake_certv security_fake_certv.8
+
+endif
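Review bot: the man page rule invokes a bare `pod2man` while required.m4 probes `$POD2MAN` and warns when it is absent; if configure substitutes POD2MAN, use `$(POD2MAN)` in the rule so the build runs the binary configure found and the warning and the build agree. Note too that `EXTRA_DIST += security_fake_certv.8` sits inside `if ENABLE_POD2MAN_DOC`, so a tarball rolled on a host without pod2man ships without the man page; that may be acceptable, but it is worth stating in the commit message since this is the first time this helper has had one.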
=== added file 'src/security/certv/fake/required.m4'
--- src/security/certv/fake/required.m4 1970-01-01 00:00:00 +0000
+++ src/security/certv/fake/required.m4 2016-01-28 11:00:40 +0000
@@ -0,0 +1,14 @@
+## Copyright (C) 1996-2016 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
+
+if test "x$PERL" != "x"; then
+ BUILD_HELPER="fake"
+fi
+if test "x$POD2MAN" = "x"; then
+ AC_MSG_WARN([pod2man not found. security_fake_certv man(8) page will not be built])
+fi
+
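Review bot: the POD2MAN check runs even when $PERL is empty and the helper will not be built, so a host with neither tool gets a warning about a man page for a helper that is not being selected; nest the POD2MAN test inside the PERL branch. The PERL branch also fails silently when Perl is absent; a matching AC_MSG_WARN would tell the user why `fake` dropped out of the candidate list, since modules.m4 reports it only as "found but cannot be built".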
=== renamed file 'helpers/ssl/cert_valid.pl' => 'src/security/certv/fake/security_fake_certv.pl.in'
--- helpers/ssl/cert_valid.pl 2016-01-01 00:12:18 +0000
+++ src/security/certv/fake/security_fake_certv.pl.in 2016-01-28 12:41:23 +0000
@@ -1,4 +1,4 @@
-#!/usr/bin/perl -w
+#!@PERL@
#
# A dummy SSL certificate validator helper that
# echos back all the SSL errors sent by Squid.
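Review bot: replacing `#!/usr/bin/perl -w` with `#!@PERL@` silently drops the -w warnings flag; unless the script already has `use warnings;` (not visible in this hunk), add it, otherwise the rename quietly makes the helper less strict than before. The unchanged header comment also misspells "echoes" as "echos" and could be fixed in the same move.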
@@ -19,11 +19,11 @@
=head1 NAME
-cert_valid.pl - A fake cert validation helper for Squid
+security_fake_certv - A fake cert validation helper for Squid
=head1 SYNOPSIS
-cert_valid.pl [-d | --debug] [-h | --help]
+security_fake_certv [-d | --debug] [-h | --help]
=over 8
=== added file 'src/security/certv/modules.m4'
--- src/security/certv/modules.m4 1970-01-01 00:00:00 +0000
+++ src/security/certv/modules.m4 2016-01-28 10:59:56 +0000
@@ -0,0 +1,53 @@
+## Copyright (C) 1996-2016 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
+
+# This file is supposed to run all the tests required to identify which
+# configured modules are able to be built in this environment
+
+# FIXME: de-duplicate $enable_security_certv_helpers list containing double entries.
+
+#define list of modules to build
+auto_security_modules=no
+if test "x${enable_security_certv_helpers:=yes}" = "xyes" ; then
+ SQUID_LOOK_FOR_MODULES([$srcdir/src/security/certv],[enable_security_certv_helpers])
+ auto_security_modules=yes
+fi
+
+enable_security_certv_helpers="`echo $enable_security_certv_helpers| sed -e 's/,/ /g;s/ */ /g'`"
+AC_MSG_NOTICE([Security certificate verify helper candidates: $enable_security_certv_helpers])
+SECURITY_CERTV_HELPERS=""
+if test "x$enable_security_certv_helpers" != "xno" ; then
+ for helper in $enable_security_certv_helpers; do
+ dir="$srcdir/src/security/certv/$helper"
+
+ # modules converted to autoconf macros already
+ # NP: we only need this list because m4_include() does not accept variables
+ if test "x$helper" = "xfake" ; then
+ m4_include([src/security/certv/fake/required.m4])
+
+ # modules not yet converted to autoconf macros (or third party drop-in's)
+ elif test -f "$dir/config.test" && sh "$dir/config.test" "$squid_host_os"; then
+ BUILD_HELPER="$helper"
+ fi
+
+ if test -d "$srcdir/src/security/certv/$helper"; then
+ if test "$BUILD_HELPER" != "$helper"; then
+ if test "x$auto_security_modules" = "xyes"; then
+ AC_MSG_NOTICE([Security certificate verify helper $helper ... found but cannot be built])
+ else
+ AC_MSG_ERROR([Security certificate verify helper $helper ... found but cannot be built])
+ fi
+ else
+ SECURITY_CERTV_HELPERS="$SECURITY_CERTV_HELPERS $BUILD_HELPER"
+ fi
+ else
+ AC_MSG_ERROR([Security certificate verify helper $helper ... not found])
+ fi
+ done
+fi
+AC_MSG_NOTICE([Security certificate verify helpers to be built: $SECURITY_CERTV_HELPERS])
+AC_SUBST(SECURITY_CERTV_HELPERS)
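Review bot: the candidate list is normalised with `sed -e 's/,/ /g;s/ */ /g'`; as rendered here the second expression has a single space before `*`, which matches the empty string at every position and turns `fake` into ` f a k e `, so the following `for helper in ...` loop would iterate over single letters and abort with "not found". If this is whitespace collapse in the mail rendering and the source has two spaces (`s/  */ /g`, one-or-more), ignore; otherwise fix before merging. As hygiene, also reset `BUILD_HELPER=""` at the top of each loop iteration so a value left over from the previous helper can never be read as a successful probe, and reuse `$dir` in the later `test -d` instead of spelling the path out a second time.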