From: hno <> Date: Fri, 18 Mar 2005 23:51:22 +0000 (+0000) Subject: From ssl-2.5 2004/10/22 14:52:33 X-Git-Tag: SQUID_3_0_PRE4~834 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4ac9968fe81ac8105f775a32a7203433126de186;p=thirdparty%2Fsquid.git From ssl-2.5 2004/10/22 14:52:33 %USER_CERT external_acl_type giving the user certificate in PEM format --- diff --git a/src/cf.data.pre b/src/cf.data.pre index 6068cfa601..676502d798 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.382 2005/03/18 16:32:37 hno Exp $ +# $Id: cf.data.pre,v 1.383 2005/03/18 16:51:22 hno Exp $ # # # SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -1986,8 +1986,9 @@ DOC_START %METHOD Request method %MYADDR Squid interface address %MYPORT Squid http_port number - %USER_CERT_xx SSL User certificate attribute xx - %USER_CA_xx SSL User certificate CA attribute xx + %USER_CERT SSL User certificate in PEM format + %USER_CERT_xx SSL User certificate subject attribute xx + %USER_CA_xx SSL User certificate issuer attribute xx %{Header} HTTP request header %{Hdr:member} HTTP request header list member %{Hdr:;member} diff --git a/src/external_acl.cc b/src/external_acl.cc index c62511315f..0c2c15d672 100644 --- a/src/external_acl.cc +++ b/src/external_acl.cc @@ -1,6 +1,6 @@ /* - * $Id: external_acl.cc,v 1.58 2004/08/30 05:12:31 robertc Exp $ + * $Id: external_acl.cc,v 1.59 2005/03/18 16:51:22 hno Exp $ * * DEBUG: section 82 External ACL * AUTHOR: Henrik Nordstrom, MARA Systems AB @@ -148,6 +148,7 @@ struct _external_acl_format #if USE_SSL EXT_ACL_USER_CERT, EXT_ACL_CA_CERT, + EXT_ACL_USER_CERT_RAW, #endif EXT_ACL_EXT_USER, EXT_ACL_END @@ -341,6 +342,8 @@ parse_externalAclHelper(external_acl ** list) #if USE_SSL + else if (strcmp(token, "%USER_CERT") == 0) + format->type = EXT_ACL_USER_CERT_RAW; else if (strncmp(token, "%USER_CERT_", 11)) { format->type = _external_acl_format::EXT_ACL_USER_CERT; format->header = xstrdup(token + 11); @@ -444,6 +447,10 @@ dump_externalAclHelper(StoreEntry * sentry, const char *name, const external_acl DUMP_EXT_ACL_TYPE(METHOD); #if USE_SSL + case _external_acl_format::EXT_ACL_USER_CERT_RAW: + storeAppendPrintf(sentry, " %%USER_CERT"); + break; + case _external_acl_format::EXT_ACL_USER_CERT: storeAppendPrintf(sentry, " %%USER_CERT_%s", format->header); break; @@ -786,6 +793,17 @@ makeExternalAclKey(ACLChecklist * ch, external_acl_data * acl_data) break; #if USE_SSL + case _external_acl_format::EXT_ACL_USER_CERT_RAW: + + if (ch->conn().getRaw()) { + SSL *ssl = fd_table[ch->conn()->fd].ssl; + + if (ssl) + str = sslGetUserCertificatePEM(ssl); + } + + break; + case _external_acl_format::EXT_ACL_USER_CERT: if (ch->conn().getRaw()) { diff --git a/src/ssl_support.cc b/src/ssl_support.cc index dabce4d289..961729b95c 100644 --- a/src/ssl_support.cc +++ b/src/ssl_support.cc @@ -1,6 +1,6 @@ /* - * $Id: ssl_support.cc,v 1.27 2005/03/18 16:46:44 hno Exp $ + * $Id: ssl_support.cc,v 1.28 2005/03/18 16:51:22 hno Exp $ * * AUTHOR: Benno Rice * DEBUG: section 83 SSL accelerator support @@ -918,3 +918,42 @@ sslGetUserEmail(SSL * ssl) { return sslGetUserAttribute(ssl, "Email"); } + +const char * +sslGetUserCertificatePEM(SSL *ssl) +{ + X509 *cert; + BIO *mem; + static char *str = NULL; + char *ptr; + long len; + + safe_free(str); + + if (!ssl) + return NULL; + + cert = SSL_get_peer_certificate(ssl); + + if (!cert) + return NULL; + + mem = BIO_new(BIO_s_mem()); + + PEM_write_bio_X509(mem, cert); + + + len = BIO_get_mem_data(mem, &ptr); + + str = (char *)xmalloc(len + 1); + + memcpy(str, ptr, len); + + str[len] = '\0'; + + X509_free(cert); + + BIO_free(mem); + + return str; +} diff --git a/src/ssl_support.h b/src/ssl_support.h index b00276e153..a1b5fbda04 100644 --- a/src/ssl_support.h +++ b/src/ssl_support.h @@ -1,6 +1,6 @@ /* - * $Id: ssl_support.h,v 1.9 2005/03/18 15:36:08 hno Exp $ + * $Id: ssl_support.h,v 1.10 2005/03/18 16:51:22 hno Exp $ * * AUTHOR: Benno Rice * @@ -56,5 +56,6 @@ const char *sslGetUserEmail(SSL *ssl); typedef char const *SSLGETATTRIBUTE(SSL *, const char *); SSLGETATTRIBUTE sslGetUserAttribute; SSLGETATTRIBUTE sslGetCAAttribute; +const char *sslGetUserCertificatePEM(SSL *ssl); #endif /* SQUID_SSL_SUPPORT_H */