This patch demonstrates my proposed helpers/ shuffling by updating the demo certificate validator.

* creates src/security/certv/ for certificate validation helpers, to distinguish from certificate generator helpers which would be in src/security/certg/.
* renames cert_valid.pl to security_fake_certv in line with the helper naming schema.
* moves helpers/ssl/ to src/security/certv/fake/ as it is the fake helper.
  - building the man(8) documentation that was missing previously.
* adds a ./configure option --enable-security-certv-helpers=X to allow the bundled certv helper(s) to be managed at build time just like any other.
  - this involves addition of the modules.m4, requires.m4 and Makefile.am infrastructure that helpers/ssl/ was previously lacking.

Amos
=== modified file 'CREDITS' --- CREDITS 2015-09-27 03:52:12 +0000 +++ CREDITS 2016-01-28 11:19:01 +0000 @@ -1395,16 +1395,6 @@ ============================================================================== -helpers/ssl/cert_valid.pl: - -(C) 2012 The Measurement Factory, Author: Tsantilas Christos - -This program is free software. You may redistribute copies of it under the -terms of the GNU General Public License version 2, or (at your opinion) any -later version. - -============================================================================== - helpers/storeid_rewrite/file/: Copyright (C) 2013 Alan Mizrahi <[email protected]> @@ -1869,6 +1859,16 @@ ============================================================================== +src/security/certv/fake/security_fake_certv.pl.in: + +(C) 2012 The Measurement Factory, Author: Tsantilas Christos + +This program is free software. You may redistribute copies of it under the +terms of the GNU General Public License version 2, or (at your opinion) any +later version. + +============================================================================== + tools/helper-mux.pl: # AUTHOR: Francesco Chemolli <[email protected]> === modified file 'configure.ac' --- configure.ac 2016-01-24 01:18:43 +0000 +++ configure.ac 2016-01-28 11:17:22 +0000 
@@ -2586,6 +2586,18 @@ ]) m4_include([helpers/url_rewrite/modules.m4]) +dnl Select security helpers to build +AC_ARG_ENABLE(security-certv-helpers, + AS_HELP_STRING([--enable-security-certv-helpers="list of helpers"], + [This option selects which security certificate verify helpers + to build and install as part of the normal build + process. The default is to attempt the build of all possible + helpers. Use --disable-security-certv-helpers to build none. + For a list of available helpers see the + src/security/certv/ directory.]),[ +]) +m4_include([src/security/certv/modules.m4]) + dnl Select storeid_rewrite helpers to build AC_ARG_ENABLE(storeid-rewrite-helpers, AS_HELP_STRING([--enable-storeid-rewrite-helpers="list of helpers"], @@ -3827,7 +3839,6 @@ helpers/ntlm_auth/fake/Makefile helpers/ntlm_auth/smb_lm/Makefile helpers/ntlm_auth/SSPI/Makefile - helpers/ssl/Makefile helpers/storeid_rewrite/Makefile helpers/storeid_rewrite/file/Makefile helpers/url_rewrite/Makefile @@ -3883,6 +3894,8 @@ src/parser/Makefile src/repl/Makefile src/security/Makefile + src/security/certv/Makefile + src/security/certv/fake/Makefile src/servers/Makefile src/snmp/Makefile src/ssl/Makefile === modified file 'doc/release-notes/release-4.sgml' --- doc/release-notes/release-4.sgml 2016-01-15 06:57:17 +0000 +++ doc/release-notes/release-4.sgml 2016-01-28 11:14:14 +0000 @@ -44,6 +44,7 @@ <item>Configurable helper queue size <item>Helper concurrency channels changes <item>SSL support removal + <item>cert_valid.pl helper renamed <item>MSNT-multi-domain helper removal <item>Secure ICAP <item>Improved SMP support 
@@ -99,6 +100,16 @@ behaviour explicitly if needed. +<sect1>cert_valid.pl helper renamed +<p>The <em>cert_valid.pl</em> testing helper has been renamed to + <em>security_fake_certv</em>, reflecting the Squid helper naming schema + and that it does not actually perform any certificate checks. + +<p>This helper is also now built and installed by default. It is written in Perl + so does not require OpenSSL dependencies for installation. But does use the + Perl OpenSSL crypto modules, so requires it for execution. + + <sect1>MSNT-multi-domain helper removal <p>The <em>basic_msnt_multi_domain_auth</em> helper has been removed. The <em>basic_smb_lm_auth</em> helper performs the same actions without extra @@ -322,6 +333,12 @@ <sect1>New options<label id="newoptions"> <p> <descrip> + <tag>--enable-security-certv-helpers</tag> + <p>New directive to control which TLS/SSL certificate verification helpers + are built and installed. + <p>One <em>fake</em> helper that it does not actually perform any + certificate checks is provided for testing and example code for writing + custom helpers. </descrip> === modified file 'helpers/Makefile.am' --- helpers/Makefile.am 2016-01-01 00:12:18 +0000 +++ helpers/Makefile.am 2016-01-28 10:39:21 +0000 @@ -15,7 +15,6 @@ negotiate_auth \ ntlm_auth \ url_rewrite \ - ssl \ storeid_rewrite SUBDIRS = \ @@ -30,8 +29,3 @@ if ENABLE_AUTH_NTLM SUBDIRS += ntlm_auth endif - -if ENABLE_SSL -SUBDIRS += ssl -endif - === modified file 'src/security/Makefile.am' --- src/security/Makefile.am 2016-01-01 00:12:18 +0000 +++ src/security/Makefile.am 2016-01-28 10:40:45 +0000 @@ -8,6 +8,8 @@ include $(top_srcdir)/src/Common.am include $(top_srcdir)/src/TestHeaders.am +SUBDIRS= certv + noinst_LTLIBRARIES = libsecurity.la libsecurity_la_SOURCES= \ === added directory 'src/security/certv' === added file 'src/security/certv/Makefile.am' --- src/security/certv/Makefile.am 1970-01-01 00:00:00 +0000 +++ src/security/certv/Makefile.am 2016-01-28 10:59:03 +0000 
@@ -0,0 +1,10 @@ +## Copyright (C) 1996-2016 The Squid Software Foundation and contributors +## +## Squid software is distributed under GPLv2+ license and includes +## contributions from numerous individuals and organizations. +## Please see the COPYING and CONTRIBUTORS files for details. +## + +DIST_SUBDIRS= fake +SUBDIRS= $(SECURITY_CERTV_HELPERS) + === renamed directory 'helpers/ssl' => 'src/security/certv/fake' === modified file 'src/security/certv/fake/Makefile.am' --- helpers/ssl/Makefile.am 2016-01-01 00:12:18 +0000 +++ src/security/certv/fake/Makefile.am 2016-01-28 12:42:03 +0000 @@ -7,6 +7,21 @@ include $(top_srcdir)/src/Common.am -libexec_SCRIPTS = cert_valid.pl +libexec_SCRIPTS = security_fake_certv +CLEANFILES += security_fake_certv EXTRA_DIST= \ - cert_valid.pl + security_fake_certv.pl.in \ + required.m4 + +security_fake_certv: security_fake_certv.pl.in + $(subst_perlshell) + +if ENABLE_POD2MAN_DOC +man_MANS = security_fake_certv.8 +CLEANFILES += security_fake_certv.8 +EXTRA_DIST += security_fake_certv.8 + +security_fake_certv.8: security_fake_certv + pod2man --section=8 security_fake_certv security_fake_certv.8 + +endif === added file 'src/security/certv/fake/required.m4' --- src/security/certv/fake/required.m4 1970-01-01 00:00:00 +0000 +++ src/security/certv/fake/required.m4 2016-01-28 11:00:40 +0000 
@@ -0,0 +1,14 @@ +## Copyright (C) 1996-2016 The Squid Software Foundation and contributors +## +## Squid software is distributed under GPLv2+ license and includes +## contributions from numerous individuals and organizations. +## Please see the COPYING and CONTRIBUTORS files for details. +## + +if test "x$PERL" != "x"; then + BUILD_HELPER="fake" +fi +if test "x$POD2MAN" = "x"; then + AC_MSG_WARN([pod2man not found. security_fake_certv man(8) page will not be built]) +fi + === renamed file 'helpers/ssl/cert_valid.pl' => 'src/security/certv/fake/security_fake_certv.pl.in' --- helpers/ssl/cert_valid.pl 2016-01-01 00:12:18 +0000 +++ src/security/certv/fake/security_fake_certv.pl.in 2016-01-28 12:41:23 +0000 @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!@PERL@ # # A dummy SSL certificate validator helper that # echos back all the SSL errors sent by Squid. @@ -19,11 +19,11 @@ =head1 NAME -cert_valid.pl - A fake cert validation helper for Squid +security_fake_certv - A fake cert validation helper for Squid =head1 SYNOPSIS -cert_valid.pl [-d | --debug] [-h | --help] +security_fake_certv [-d | --debug] [-h | --help] =over 8 === added file 'src/security/certv/modules.m4' --- src/security/certv/modules.m4 1970-01-01 00:00:00 +0000 +++ src/security/certv/modules.m4 2016-01-28 10:59:56 +0000 
@@ -0,0 +1,53 @@ +## Copyright (C) 1996-2016 The Squid Software Foundation and contributors +## +## Squid software is distributed under GPLv2+ license and includes +## contributions from numerous individuals and organizations. +## Please see the COPYING and CONTRIBUTORS files for details. +## + +# This file is supposed to run all the tests required to identify which +# configured modules are able to be built in this environment + +# FIXME: de-duplicate $enable_security_certv_helpers list containing double entries. + +#define list of modules to build +auto_security_modules=no +if test "x${enable_security_certv_helpers:=yes}" = "xyes" ; then + SQUID_LOOK_FOR_MODULES([$srcdir/src/security/certv],[enable_security_certv_helpers]) + auto_security_modules=yes +fi + +enable_security_certv_helpers="`echo $enable_security_certv_helpers| sed -e 's/,/ /g;s/ */ /g'`" +AC_MSG_NOTICE([Security certificate verify helper candidates: $enable_security_certv_helpers]) +SECURITY_CERTV_HELPERS="" +if test "x$enable_security_certv_helpers" != "xno" ; then + for helper in $enable_security_certv_helpers; do + dir="$srcdir/src/security/certv/$helper" + + # modules converted to autoconf macros already + # NP: we only need this list because m4_include() does not accept variables + if test "x$helper" = "xfake" ; then + m4_include([src/security/certv/fake/required.m4]) + + # modules not yet converted to autoconf macros (or third party drop-in's) + elif test -f "$dir/config.test" && sh "$dir/config.test" "$squid_host_os"; then + BUILD_HELPER="$helper" + fi + + if test -d "$srcdir/src/security/certv/$helper"; then + if test "$BUILD_HELPER" != "$helper"; then + if test "x$auto_security_modules" = "xyes"; then + AC_MSG_NOTICE([Security certificate verify helper $helper ... found but cannot be built]) + else + AC_MSG_ERROR([Security certificate verify helper $helper ... 
found but cannot be built]) + fi + else + SECURITY_CERTV_HELPERS="$SECURITY_CERTV_HELPERS $BUILD_HELPER" + fi + else + AC_MSG_ERROR([Security certificate verify helper $helper ... not found]) + fi + done +fi +AC_MSG_NOTICE([Security certificate verify helpers to be built: $SECURITY_CERTV_HELPERS]) +AC_SUBST(SECURITY_CERTV_HELPERS)
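
Review bot: In the doc/release-notes/release-4.sgml hunks, the added text has wording slips that would ship in the release notes. "One <em>fake</em> helper that it does not actually perform any certificate checks" has a stray "it", and "But does use the Perl OpenSSL crypto modules, so requires it for execution." is a sentence fragment whose "it" has no clear referent. Suggest "One <em>fake</em> helper, which does not actually perform any certificate checks, is provided ..." and "It does use the Perl OpenSSL crypto modules, so those are required at run time." The tag text also calls --enable-security-certv-helpers a "New directive", while the configure.ac hunk defines it as a ./configure option; "New option" would avoid confusion with squid.conf directives.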
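
Review bot: The helpers/Makefile.am hunk removes the "if ENABLE_SSL" guard around "SUBDIRS += ssl", and the src/security/Makefile.am hunk adds "SUBDIRS= certv" unconditionally, so a helper that the release notes in this patch describe as one that "does not actually perform any certificate checks" is now built and installed into libexec by default wherever Perl is found, including builds without TLS support. Since the default for --enable-security-certv-helpers is to build everything found, consider leaving "fake" out of the auto-detected list so it is installed only when named explicitly, or gating the certv subdirectory on the same TLS condition that used to apply, and have the man page state up front that the helper is for testing and example purposes only.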
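
Review bot: In src/security/certv/fake/required.m4 the POD2MAN check sits outside the PERL check, so the warning "pod2man not found. security_fake_certv man(8) page will not be built" is printed even when PERL is empty and the helper itself will not be built. Nesting the second "if" inside the first keeps the message accurate. The same file sets BUILD_HELPER="fake" on the presence of Perl alone, while the release notes hunk says the helper needs the Perl OpenSSL crypto modules to execute; an AC_MSG_NOTICE about that run-time requirement would spare packagers a helper that installs cleanly and then fails at startup. Also note that the cover text refers to "requires.m4" while the file added here is required.m4.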
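
Review bot: In the "for helper in $enable_security_certv_helpers" loop of src/security/certv/modules.m4, BUILD_HELPER is never cleared before the per-helper tests, so when neither branch sets it the later comparison test "$BUILD_HELPER" != "$helper" runs against whatever value an earlier iteration, or an earlier modules.m4 included from configure.ac, left behind. Setting BUILD_HELPER="" as the first statement of the loop body removes that dependency on prior state. Smaller points in the same hunk: that comparison omits the "x" prefix used by every other test in the file; $dir is computed but the "test -d" line rebuilds the same path instead of using it; and auto_security_modules would be better named auto_security_certv_modules, given the cover text already anticipates a sibling src/security/certg/ that would want its own flag.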
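
Review bot: The shebang change in security_fake_certv.pl.in from "#!/usr/bin/perl -w" to "#!@PERL@" drops the -w flag, so Perl warnings are no longer enabled unless the script carries "use warnings;" somewhere outside this hunk. Either keep the flag as "#!@PERL@ -w" or add "use warnings;" near the top, so the rename does not silently change run-time diagnostics for a script people are told to use as example code for their own validators.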
_______________________________________________ squid-dev mailing list [email protected] http://lists.squid-cache.org/listinfo/squid-dev
