From: Christos Tsantilas Date: Tue, 5 Aug 2014 14:27:34 +0000 (+0300) Subject: Peek and Splice: %ssl::sni SSL client SNI sent to Squid + %ssl::{Header} HTTP request header "Header" %>{Hdr:member}
diff --git a/src/external_acl.cc b/src/external_acl.cc
index 036a3c83f1..ba9296c5f4 100644
--- a/src/external_acl.cc
+++ b/src/external_acl.cc
@@ -426,6 +426,10 @@ parse_externalAclHelper(external_acl ** list)
 format->header = xstrdup(token + 11);
 } else if (strcmp(token, "%ssl::>sni") == 0)
 format->type = Format::LFT_SSL_CLIENT_SNI;
+ else if (strcmp(token, "%ssl::type = Format::LFT_SSL_SERVER_CERT_SUBJECT;
+ else if (strcmp(token, "%ssl::type = Format::LFT_SSL_SERVER_CERT_ISSUER;
 #endif
 #if USE_AUTH
 else if (strcmp(token, "%EXT_USER") == 0 || strcmp(token, "%ue") == 0)
@@ -562,6 +566,8 @@ dump_externalAclHelper(StoreEntry * sentry, const char *name, const external_acl
 DUMP_EXT_ACL_TYPE_FMT(EXT_ACL_USER_CERT, " %%USER_CERT_%s", format->header);
 DUMP_EXT_ACL_TYPE_FMT(EXT_ACL_USER_CA_CERT, " %%USER_CA_CERT_%s", format->header);
 DUMP_EXT_ACL_TYPE_FMT(SSL_CLIENT_SNI, "ssl::>sni");
+ DUMP_EXT_ACL_TYPE_FMT(SSL_SERVER_CERT_SUBJECT, "%%ssl::serverCert.get())
+ serverCert = ch->serverCert.get();
+ else if (ch->conn()->serverBump())
+ serverCert = ch->conn()->serverBump()->serverCert.get();
+
+ if (serverCert) {
+ if (format->type == Format::LFT_SSL_SERVER_CERT_SUBJECT)
+ str = Ssl::GetX509UserAttribute(serverCert, "DN");
+ else
+ str = Ssl::GetX509CAAttribute(serverCert, "DN");
+ }
+ break;
+ } + + #endif
 #if USE_AUTH
 case Format::LFT_USER_EXTERNAL:
diff --git a/src/format/ByteCode.h b/src/format/ByteCode.h
index 958eb349d7..024bd7f668 100644
--- a/src/format/ByteCode.h
+++ b/src/format/ByteCode.h
@@ -207,6 +207,8 @@ typedef enum {
 LFT_SSL_USER_CERT_SUBJECT,
 LFT_SSL_USER_CERT_ISSUER,
 LFT_SSL_CLIENT_SNI,
+ LFT_SSL_SERVER_CERT_SUBJECT,
+ LFT_SSL_SERVER_CERT_ISSUER,
 #endif
 LFT_NOTE,
diff --git a/src/format/Format.cc b/src/format/Format.cc
index 1c72488ddc..c6ac9766d1 100644
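Review bot: In the new LFT_SSL_SERVER_CERT_SUBJECT/ISSUER case of makeExternalAclKey, `ch->conn()->serverBump()` is dereferenced with no null check on `ch->conn()` whenever `ch->serverCert.get()` is empty, so a checklist built without a client connection would crash here instead of producing an empty key; as far as I recall the other SSL cases in this switch guard the connection first, so the same guard belongs here: `else if (ch->conn() != NULL && ch->conn()->serverBump())`. The hunk header and the case labels for this block were lost in this rendering, and the enclosing switch starts and ends outside the hunk. It is also worth a comment on the `serverCert` lookup that the certificate comes from whatever the origin presented during the peek, and nothing in this diff ties it to the verification result, so helpers fed these tokens must not treat the subject or issuer DN as an authenticated identity, e.g. `// serverCert is the leaf as presented by the origin; not necessarily verified`.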
--- a/src/format/Format.cc
+++ b/src/format/Format.cc
@@ -1143,6 +1143,11 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS
 }
 }
 break;
+
+ case LFT_SSL_SERVER_CERT_ISSUER:
+ case LFT_SSL_SERVER_CERT_SUBJECT:
+ // Not implemented
+ break;
 #endif
 case LFT_REQUEST_URLGROUP_OLD_2X:
diff --git a/src/ssl/PeerConnector.cc b/src/ssl/PeerConnector.cc
index 72c3262ec2..fb504bf43e 100644
--- a/src/ssl/PeerConnector.cc
+++ b/src/ssl/PeerConnector.cc
@@ -283,10 +283,13 @@ Ssl::PeerConnector::cbCheckForPeekAndSplice(allow_t answer, void *data)
 bool
 Ssl::PeerConnector::checkForPeekAndSplice(bool checkDone, Ssl::BumpMode peekMode)
 {
+ SSL *ssl = fd_table[serverConn->fd].ssl;
 // Mark Step3 of bumping
 if (request->clientConnectionManager.valid()) {
 if (Ssl::ServerBump *serverBump = request->clientConnectionManager->serverBump()) {
 serverBump->step = Ssl::bumpStep3;
+ if (!serverBump->serverCert.get())
+ serverBump->serverCert.reset(SSL_get_peer_certificate(ssl));
 }
 }
@@ -297,8 +300,7 @@ Ssl::PeerConnector::checkForPeekAndSplice(bool checkDone, Ssl::BumpMode peekMode
 acl_checklist->nonBlockingCheck(Ssl::PeerConnector::cbCheckForPeekAndSplice, this);
 return false;
 }
-
- SSL *ssl = fd_table[serverConn->fd].ssl;
+
 BIO *b = SSL_get_rbio(ssl);
 Ssl::ServerBio *srvBio = static_cast(b->ptr);
 debugs(83,5, "Will check for peek and splice on fd " << serverConn->fd);
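Review bot: The `// Not implemented` cases added to Format::assemble silently emit nothing for LFT_SSL_SERVER_CERT_ISSUER and LFT_SSL_SERVER_CERT_SUBJECT, so if the logformat token parser accepts these codes a misconfigured logformat produces an empty field with no diagnostic. Either reject the codes where logformat strings are parsed, or make the comment state where they are meaningful, e.g. `// Only supported as external_acl format tokens (see makeExternalAclKey); logformat yields an empty field`, and consider a debugs() at DBG_IMPORTANT on first use so the gap is visible to the administrator. The enclosing switch in Format::assemble starts and ends outside the hunk.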
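Review bot: `serverBump->serverCert.reset(SSL_get_peer_certificate(ssl))` records whatever certificate the origin presented at the moment of the step-3 check, and nothing in this hunk relates that to the verification outcome, so a comment should say so for the consumers the commit introduces, e.g. `// Leaf certificate as presented by the server, captured before/independently of verification; not an authenticated identity`. SSL_get_peer_certificate() returns NULL when no certificate was sent, which reset() tolerates, but it also hands back an owning reference, so this is leak-free only if `serverCert` is a pointer type that frees on reset and destruction; please confirm. Hoisting `SSL *ssl = fd_table[serverConn->fd].ssl;` to the top of checkForPeekAndSplice is fine only if serverConn is open on every path into the function, including the early `return false` after nonBlockingCheck() in the second hunk, which now runs after the lookup; the function body continues outside both hunks.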