LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
998 Commits
1 Branch
46 MiB
Tree: 52f5892565
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '52f5892565'
${ noResults }
openwrt-packages-dist/net/haproxy/patches/0006-MEDIUM-connection-add-...

112 lines
4.0 KiB
Raw Normal View History

haproxy: patches from upstream - [PATCH 5/6] BUG/MEDIUM: http: tarpit timeout is reset - [PATCH 6/6] MEDIUM: connection: add new bit in Proxy Protocol V2 Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
10 years ago
 
  1. From d6ec605d2059191163cad27b7d7b215ed8d3725b Mon Sep 17 00:00:00 2001
  2. From: Dave McCowan <11235david@gmail.com>
  3. Date: Wed, 30 Jul 2014 10:39:13 -0400
  4. Subject: [PATCH 6/6] MEDIUM: connection: add new bit in Proxy Protocol V2
  5. 

  6. There are two sample commands to get information about the presence of a
  7. client certificate.
  8. ssl_fc_has_crt is true if there is a certificate present in the current
  9. connection
  10. ssl_c_used is true if there is a certificate present in the session.
  11. If a session has stopped and resumed, then ssl_c_used could be true, while
  12. ssl_fc_has_crt is false.
  13. 

  14. In the client byte of the TLS TLV of Proxy Protocol V2, there is only one
  15. bit to indicate whether a certificate is present on the connection.  The
  16. attached patch adds a second bit to indicate the presence for the session.
  17. 

  18. This maintains backward compatibility.
  19. 

  20. [wt: this should be backported to 1.5 to help maintain compatibility
  21.  between versions]
  22. (cherry picked from commit 328fb58d745c03a0dc706da9e2fcd4e9f860a14b)
  23. ---

  24.  include/proto/ssl_sock.h   |  3 ++-
  25.  include/types/connection.h |  5 +++--
  26.  src/connection.c           |  6 ++++--
  27.  src/ssl_sock.c             | 21 +++++++++++++++++++--
  28.  4 files changed, 28 insertions(+), 7 deletions(-)
  29. 

  30. diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h

  31. index 3e111cd..10541ed 100644

  32. --- a/include/proto/ssl_sock.h

  33. +++ b/include/proto/ssl_sock.h

  34. @@ -51,7 +51,8 @@ void ssl_sock_free_all_ctx(struct bind_conf *bind_conf);

  35.  const char *ssl_sock_get_cipher_name(struct connection *conn);
  36.  const char *ssl_sock_get_proto_version(struct connection *conn);
  37.  char *ssl_sock_get_version(struct connection *conn);
  38. -int ssl_sock_get_cert_used(struct connection *conn);

  39. +int ssl_sock_get_cert_used_sess(struct connection *conn);

  40. +int ssl_sock_get_cert_used_conn(struct connection *conn);

  41.  int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out);
  42.  unsigned int ssl_sock_get_verify_result(struct connection *conn);
  43.  #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
  44. diff --git a/include/types/connection.h b/include/types/connection.h

  45. index 2ae16d7..b317007 100644

  46. --- a/include/types/connection.h

  47. +++ b/include/types/connection.h

  48. @@ -345,8 +345,9 @@ struct tlv_ssl {

  49.  	uint8_t sub_tlv[0];
  50.  }__attribute__((packed));
  51.  
  52. -#define PP2_CLIENT_SSL      0x01

  53. -#define PP2_CLIENT_CERT     0x02

  54. +#define PP2_CLIENT_SSL           0x01

  55. +#define PP2_CLIENT_CERT_CONN     0x02

  56. +#define PP2_CLIENT_CERT_SESS     0x04

  57.  
  58.  #endif /* _TYPES_CONNECTION_H */
  59.  
  60. diff --git a/src/connection.c b/src/connection.c

  61. index 2dd2c02..3af6d9a 100644

  62. --- a/src/connection.c

  63. +++ b/src/connection.c

  64. @@ -678,9 +678,11 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec

  65.  				tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len-ret-ssl_tlv_len), PP2_TYPE_SSL_VERSION, strlen(value), value);
  66.  				ssl_tlv_len += tlv_len;
  67.  			}
  68. -			if (ssl_sock_get_cert_used(remote)) {

  69. -				tlv->client |= PP2_CLIENT_CERT;

  70. +			if (ssl_sock_get_cert_used_sess(remote)) {

  71. +				tlv->client |= PP2_CLIENT_CERT_SESS;

  72.  				tlv->verify = htonl(ssl_sock_get_verify_result(remote));
  73. +				if (ssl_sock_get_cert_used_conn(remote))

  74. +					tlv->client |= PP2_CLIENT_CERT_CONN;

  75.  			}
  76.  			if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
  77.  				cn_trash = get_trash_chunk();
  78. diff --git a/src/ssl_sock.c b/src/ssl_sock.c

  79. index cf8adc7..da99a30 100644

  80. --- a/src/ssl_sock.c

  81. +++ b/src/ssl_sock.c

  82. @@ -2720,8 +2720,25 @@ out:

  83.  	return result;
  84.  }
  85.  
  86. -/* returns 1 if client passed a certificate, 0 if not */

  87. -int ssl_sock_get_cert_used(struct connection *conn)

  88. +/* returns 1 if client passed a certificate for this session, 0 if not */

  89. +int ssl_sock_get_cert_used_sess(struct connection *conn)

  90. +{

  91. +	X509 *crt = NULL;

  92. +

  93. +	if (!ssl_sock_is_ssl(conn))

  94. +		return 0;

  95. +

  96. +	/* SSL_get_peer_certificate, it increase X509 * ref count */

  97. +	crt = SSL_get_peer_certificate(conn->xprt_ctx);

  98. +	if (!crt)

  99. +		return 0;

  100. +

  101. +	X509_free(crt);

  102. +	return 1;

  103. +}

  104. +

  105. +/* returns 1 if client passed a certificate for this connection, 0 if not */

  106. +int ssl_sock_get_cert_used_conn(struct connection *conn)

  107.  {
  108.  	if (!ssl_sock_is_ssl(conn))
  109.  		return 0;
  110. -- 

  111. 1.8.5.5
  112.