BUG/MINOR: ssl: Fix external function in order not to return a pointer on an internal trash buffer.

'ssl_sock_get_common_name' applied to a connection was also renamed 'ssl_sock_get_remote_common_name'. Currently, this function is only used with protocol PROXYv2 to retrieve the client certificate's common name. A further usage could be to retrieve the server certificate's common name on an outgoing connection.
2025-09-21 22:01:31 +02:00 · 2014-06-24 18:26:41 +02:00 · 2014-06-24 18:26:41 +02:00 · 0abf836ecb
commit 0abf836ecb
parent 3caf2afabe
3 changed files with 14 additions and 16 deletions
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@ -52,7 +52,7 @@ const char *ssl_sock_get_cipher_name(struct connection *conn);
 const char *ssl_sock_get_proto_version(struct connection *conn);
 char *ssl_sock_get_version(struct connection *conn);
 int ssl_sock_get_cert_used(struct connection *conn);
-char *ssl_sock_get_common_name(struct connection *conn);
+int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out);
 unsigned int ssl_sock_get_verify_result(struct connection *conn);
 #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
 int ssl_sock_update_ocsp_response(struct chunk *ocsp_response, char **err);
--- a/src/connection.c
+++ b/src/connection.c
@ -682,9 +682,8 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
 				tlv->verify = htonl(ssl_sock_get_verify_result(remote));
 			}
 			if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
-				value = ssl_sock_get_common_name(remote);
+				if (ssl_sock_get_remote_common_name(remote, &trash) > 0) {
-				if (value) {
+					tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, trash.len, trash.str);
 					tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, strlen(value), value);
 					ssl_tlv_len += tlv_len;
 				}
 			}
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -2654,21 +2654,25 @@ char *ssl_sock_get_version(struct connection *conn)
 	return (char *)SSL_get_version(conn->xprt_ctx);
 }
-/* returns common name, NULL terminated, from client certificate, or NULL if none */
+/* Extract peer certificate's common name into the chunk dest
-char *ssl_sock_get_common_name(struct connection *conn)
+ * Returns
 *  the len of the extracted common name
 *  or 0 if no CN found in DN
 *  or -1 on error case (i.e. no peer certificate)
 */
 int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *dest)
 {
 	X509 *crt = NULL;
 	X509_NAME *name;
 	struct chunk *cn_trash;
 	const char find_cn[] = "CN";
 	const struct chunk find_cn_chunk = {
 		.str = (char *)&find_cn,
 		.len = sizeof(find_cn)-1
 	};
-	char *result = NULL;
+	int result = -1;
 	if (!ssl_sock_is_ssl(conn))
-		return NULL;
+		goto out;
 	/* SSL_get_peer_certificate, it increase X509 * ref count */
 	crt = SSL_get_peer_certificate(conn->xprt_ctx);
@ -2679,13 +2683,8 @@ char *ssl_sock_get_common_name(struct connection *conn)
 	if (!name)
 		goto out;
-	cn_trash = get_trash_chunk();
+	result = ssl_sock_get_dn_entry(name, &find_cn_chunk, 1, dest);
-	if (ssl_sock_get_dn_entry(name, &find_cn_chunk, 1, cn_trash) <= 0)
+out:
 		goto out;
 	cn_trash->str[cn_trash->len] = '\0';
 	result = cn_trash->str;
 	out:
 	if (crt)
 		X509_free(crt);