------------------------------------------------------------
revno: 13843
revision-id: squid3@treenet.co.nz-20150605233010-191la639zs3rurx9
parent: squid3@treenet.co.nz-20150605232222-i3fy2s83ojbobudm
author: Christos Tsantilas
committer: Amos Jeffries
branch nick: 3.5
timestamp: Fri 2015-06-05 16:30:10 -0700
message:
Support custom OIDs in *_cert ACLs
This patch allow user_cert and ca_cert ACLs to match arbitrary stand-alone OIDs (not DN/C/O/CN/L/ST objects or their substrings). For example, should be able to match certificates that have 1.3.6.1.4.1.1814.3.1.14 OID in the certificate Subject or Issuer field.
Squid configuration would look like this:
acl User_Cert-TrustedCustomerNum user_cert 1.3.6.1.4.1.1814.3.1.14 1001
This is a Measurement Factory project
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20150605233010-191la639zs3rurx9
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 21808c1e31ac567fd6e095bfebbdb63ff2803247
# timestamp: 2015-06-05 23:50:57 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20150605232222-\
# i3fy2s83ojbobudm
#
# Begin patch
=== modified file 'src/acl/CertificateData.cc'
--- src/acl/CertificateData.cc 2015-01-20 09:48:40 +0000
+++ src/acl/CertificateData.cc 2015-06-05 23:30:10 +0000
@@ -126,8 +126,29 @@
 debugs(28, DBG_CRITICAL, "FATAL: An acl must use consistent attributes in all config lines (" << newAttribute << "!=" << attribute << ").");
 self_destruct();
 }
- } else
+ } else {
+ if (strcasecmp(newAttribute, "DN") != 0) {
+ int nid = OBJ_txt2nid(newAttribute);
+ if (nid == 0) {
+ const size_t span = strspn(newAttribute, "0123456789.");
+ if(newAttribute[span] == '\0') { // looks like a numerical OID
+ // create a new object based on this attribute
+
+ // NOTE: Not a [bad] leak: If the same attribute
+ // has been added before, the OBJ_txt2nid call
+ // would return a valid nid value.
+ // TODO: call OBJ_cleanup() on reconfigure?
+ nid = OBJ_create(newAttribute, newAttribute, newAttribute);
+ debugs(28, 7, "New SSL certificate attribute created with name: " << newAttribute << " and nid: " << nid);
+ }
+ }
+ if (nid == 0) {
+ debugs(28, DBG_CRITICAL, "FATAL: Not valid SSL certificate attribute name or numerical OID: " << newAttribute);
+ self_destruct();
+ }
+ }
 attribute = xstrdup(newAttribute);
+ }
 }
 }
=== modified file 'src/cf.data.pre'
--- src/cf.data.pre 2015-05-10 06:59:41 +0000
+++ src/cf.data.pre 2015-06-05 23:30:10 +0000
@@ -1063,11 +1063,11 @@
 acl aclname user_cert attribute values...
 # match against attributes in a user SSL certificate
- # attribute is one of DN/C/O/CN/L/ST [fast]
+ # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
 acl aclname ca_cert attribute values...
 # match against attributes a users issuing CA SSL certificate
- # attribute is one of DN/C/O/CN/L/ST [fast]
+ # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
 acl aclname ext_user username ...
 acl aclname ext_user_regex [-i] pattern ...
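Review bot: The set of accepted attributes is wider than the new FATAL message and the cf.data.pre text suggest: `OBJ_txt2nid(newAttribute)` resolves any short or long object name OpenSSL knows ("OU", "emailAddress", even "rsaEncryption"), not only DN/C/O/CN/L/ST, and nothing in the hunk rejects a NID that is not a distinguished-name attribute, so such an ACL line parses cleanly and presumably never matches (the match code is outside this hunk, as is the start of the enclosing function). I would add `// accepts any OpenSSL object name, not only DN/C/O/CN/L/ST; non-name NIDs are not rejected here` above the OBJ_txt2nid call and say the same in cf.data.pre, or reject NIDs that an X509_NAME lookup cannot use. The `strspn` pre-check only screens characters, so inputs such as "1..2" or a lone "." still reach `OBJ_create`; that is harmless because whatever OBJ_create rejects returns `0` and lands on the `nid == 0` FATAL below, but the comment "looks like a numerical OID" should say that OBJ_create is the real validator. Style: `if(newAttribute[span] == '\0')` is the only `if(` without a space in the hunk; use `if (`.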