|
|
- From d6ec605d2059191163cad27b7d7b215ed8d3725b Mon Sep 17 00:00:00 2001
- From: Dave McCowan <11235david@gmail.com>
- Date: Wed, 30 Jul 2014 10:39:13 -0400
- Subject: [PATCH 6/6] MEDIUM: connection: add new bit in Proxy Protocol V2
-
- There are two sample commands to get information about the presence of a
- client certificate.
- ssl_fc_has_crt is true if there is a certificate present in the current
- connection
- ssl_c_used is true if there is a certificate present in the session.
- If a session has stopped and resumed, then ssl_c_used could be true, while
- ssl_fc_has_crt is false.
-
- In the client byte of the TLS TLV of Proxy Protocol V2, there is only one
- bit to indicate whether a certificate is present on the connection. The
- attached patch adds a second bit to indicate the presence for the session.
-
- This maintains backward compatibility.
-
- [wt: this should be backported to 1.5 to help maintain compatibility
- between versions]
- (cherry picked from commit 328fb58d745c03a0dc706da9e2fcd4e9f860a14b)
- ---
- include/proto/ssl_sock.h | 3 ++-
- include/types/connection.h | 5 +++--
- src/connection.c | 6 ++++--
- src/ssl_sock.c | 21 +++++++++++++++++++--
- 4 files changed, 28 insertions(+), 7 deletions(-)
-
- diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
- index 3e111cd..10541ed 100644
- --- a/include/proto/ssl_sock.h
- +++ b/include/proto/ssl_sock.h
- @@ -51,7 +51,8 @@ void ssl_sock_free_all_ctx(struct bind_conf *bind_conf);
- const char *ssl_sock_get_cipher_name(struct connection *conn);
- const char *ssl_sock_get_proto_version(struct connection *conn);
- char *ssl_sock_get_version(struct connection *conn);
- -int ssl_sock_get_cert_used(struct connection *conn);
- +int ssl_sock_get_cert_used_sess(struct connection *conn);
- +int ssl_sock_get_cert_used_conn(struct connection *conn);
- int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out);
- unsigned int ssl_sock_get_verify_result(struct connection *conn);
- #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
- diff --git a/include/types/connection.h b/include/types/connection.h
- index 2ae16d7..b317007 100644
- --- a/include/types/connection.h
- +++ b/include/types/connection.h
- @@ -345,8 +345,9 @@ struct tlv_ssl {
- uint8_t sub_tlv[0];
- }__attribute__((packed));
-
- -#define PP2_CLIENT_SSL 0x01
- -#define PP2_CLIENT_CERT 0x02
- +#define PP2_CLIENT_SSL 0x01
- +#define PP2_CLIENT_CERT_CONN 0x02
- +#define PP2_CLIENT_CERT_SESS 0x04
-
- #endif /* _TYPES_CONNECTION_H */
-
- diff --git a/src/connection.c b/src/connection.c
- index 2dd2c02..3af6d9a 100644
- --- a/src/connection.c
- +++ b/src/connection.c
- @@ -678,9 +678,11 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
- tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len-ret-ssl_tlv_len), PP2_TYPE_SSL_VERSION, strlen(value), value);
- ssl_tlv_len += tlv_len;
- }
- - if (ssl_sock_get_cert_used(remote)) {
- - tlv->client |= PP2_CLIENT_CERT;
- + if (ssl_sock_get_cert_used_sess(remote)) {
- + tlv->client |= PP2_CLIENT_CERT_SESS;
- tlv->verify = htonl(ssl_sock_get_verify_result(remote));
- + if (ssl_sock_get_cert_used_conn(remote))
- + tlv->client |= PP2_CLIENT_CERT_CONN;
- }
- if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
- cn_trash = get_trash_chunk();
- diff --git a/src/ssl_sock.c b/src/ssl_sock.c
- index cf8adc7..da99a30 100644
- --- a/src/ssl_sock.c
- +++ b/src/ssl_sock.c
- @@ -2720,8 +2720,25 @@ out:
- return result;
- }
-
- -/* returns 1 if client passed a certificate, 0 if not */
- -int ssl_sock_get_cert_used(struct connection *conn)
- +/* returns 1 if client passed a certificate for this session, 0 if not */
- +int ssl_sock_get_cert_used_sess(struct connection *conn)
- +{
- + X509 *crt = NULL;
- +
- + if (!ssl_sock_is_ssl(conn))
- + return 0;
- +
- + /* SSL_get_peer_certificate, it increase X509 * ref count */
- + crt = SSL_get_peer_certificate(conn->xprt_ctx);
- + if (!crt)
- + return 0;
- +
- + X509_free(crt);
- + return 1;
- +}
- +
- +/* returns 1 if client passed a certificate for this connection, 0 if not */
- +int ssl_sock_get_cert_used_conn(struct connection *conn)
- {
- if (!ssl_sock_is_ssl(conn))
- return 0;
- --
- 1.8.5.5
-
|