mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2026-05-04 20:46:11 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MINOR: ssl: fix usage of the various sample fetch functions

Browse Source 
Technically speaking, many SSL sample fetch functions act on the
connection and depend on USE_L5CLI on the client side, which means
they're usable as soon as a handshake is completed on a connection.
This means that the test consisting in refusing to call them when
the stream is NULL will prevent them from working when we implement
the tcp-request session ruleset. Better fix this now. The fix consists
in using smp->sess->origin when they're called for the front connection,
and smp->strm->si[1].end when called for the back connection.

There is currently no known side effect for this issue, though it would
better be backported into 1.6 so that the code base remains consistend.
This commit is contained in:
Willy Tarreau 2016-03-10 17:05:28 +01:00
parent 4cefbc0752
commit e237fe1172
1 changed files with 17 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
src/ssl_sock.c
View File

@ -4573,8 +4573,8 @@ smp_fetch_ssl_x_key_alg(const struct arg *args, struct sample *smp, const char *
static int
smp_fetch_ssl_fc(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
int back_conn = (kw[4] == 'b') ? 1 : 0;
struct connection *conn = smp->strm ? objt_conn(smp->strm->si[back_conn].end) : NULL;
struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
smp->strm ? smp->strm->si[1].end : NULL);
smp->data.type = SMP_T_BOOL;
smp->data.u.sint = (conn && conn->xprt == &ssl_sock);
@ -4618,14 +4618,10 @@ smp_fetch_ssl_fc_is_resumed(const struct arg *args, struct sample *smp, const ch
static int
smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
int back_conn = (kw[4] == 'b') ? 1 : 0;
struct connection *conn;
if (!smp->strm)
return 0;
struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
smp->strm ? smp->strm->si[1].end : NULL);
smp->flags = 0;
conn = objt_conn(smp->strm->si[back_conn].end);
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0;
@ -4648,16 +4644,12 @@ smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char *
static int
smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
int back_conn = (kw[4] == 'b') ? 1 : 0;
struct connection *conn;
struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
smp->strm ? smp->strm->si[1].end : NULL);
int sint;
if (!smp->strm)
return 0;
smp->flags = 0;
conn = objt_conn(smp->strm->si[back_conn].end);
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0;
@ -4677,15 +4669,10 @@ smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const c
static int
smp_fetch_ssl_fc_use_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
int back_conn = (kw[4] == 'b') ? 1 : 0;
struct connection *conn;
if (!smp->strm)
return 0;
struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
smp->strm ? smp->strm->si[1].end : NULL);
smp->flags = 0;
conn = objt_conn(smp->strm->si[back_conn].end);
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0;
@ -4704,9 +4691,6 @@ smp_fetch_ssl_fc_npn(const struct arg *args, struct sample *smp, const char *kw,
{
struct connection *conn;
if (!smp->strm)
return 0;
smp->flags = SMP_F_CONST;
smp->data.type = SMP_T_STR;
@ -4731,9 +4715,6 @@ smp_fetch_ssl_fc_alpn(const struct arg *args, struct sample *smp, const char *kw
{
struct connection *conn;
if (!smp->strm)
return 0;
smp->flags = SMP_F_CONST;
smp->data.type = SMP_T_STR;
@ -4759,15 +4740,10 @@ smp_fetch_ssl_fc_alpn(const struct arg *args, struct sample *smp, const char *kw
static int
smp_fetch_ssl_fc_protocol(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
int back_conn = (kw[4] == 'b') ? 1 : 0;
struct connection *conn;
if (!smp->strm)
return 0;
struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
smp->strm ? smp->strm->si[1].end : NULL);
smp->flags = 0;
conn = objt_conn(smp->strm->si[back_conn].end);
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0;
@ -4790,17 +4766,14 @@ static int
smp_fetch_ssl_fc_session_id(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
#if OPENSSL_VERSION_NUMBER > 0x0090800fL
int back_conn = (kw[4] == 'b') ? 1 : 0;
SSL_SESSION *ssl_sess;
struct connection *conn;
struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
smp->strm ? smp->strm->si[1].end : NULL);
if (!smp->strm)
return 0;
SSL_SESSION *ssl_sess;
smp->flags = SMP_F_CONST;
smp->data.type = SMP_T_BIN;
conn = objt_conn(smp->strm->si[back_conn].end);
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0;
@ -4824,9 +4797,6 @@ smp_fetch_ssl_fc_sni(const struct arg *args, struct sample *smp, const char *kw,
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
struct connection *conn;
if (!smp->strm)
return 0;
smp->flags = SMP_F_CONST;
smp->data.type = SMP_T_STR;
@ -4849,17 +4819,13 @@ static int
smp_fetch_ssl_fc_unique_id(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
#if OPENSSL_VERSION_NUMBER > 0x0090800fL
int back_conn = (kw[4] == 'b') ? 1 : 0;
struct connection *conn;
struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
smp->strm ? smp->strm->si[1].end : NULL);
int finished_len;
struct chunk *finished_trash;
if (!smp->strm)
return 0;
smp->flags = 0;
conn = objt_conn(smp->strm->si[back_conn].end);
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0;