From: Willy Tarreau Date: Thu, 10 Mar 2016 16:05:28 +0000 (+0100) Subject: BUG/MINOR: ssl: fix usage of the various sample fetch functions X-Git-Tag: v1.7-dev2~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e237fe1172a6e9c562617ccdd38a4a8d58f7ab6a;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl: fix usage of the various sample fetch functions Technically speaking, many SSL sample fetch functions act on the connection and depend on USE_L5CLI on the client side, which means they're usable as soon as a handshake is completed on a connection. This means that the test consisting in refusing to call them when the stream is NULL will prevent them from working when we implement the tcp-request session ruleset. Better fix this now. The fix consists in using smp->sess->origin when they're called for the front connection, and smp->strm->si[1].end when called for the back connection. There is currently no known side effect for this issue, though it would better be backported into 1.6 so that the code base remains consistend.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 393ec364d3..101738859a 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4573,8 +4573,8 @@ smp_fetch_ssl_x_key_alg(const struct arg *args, struct sample *smp, const char *
 static int
 smp_fetch_ssl_fc(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
- int back_conn = (kw[4] == 'b') ? 1 : 0;
- struct connection *conn = smp->strm ? objt_conn(smp->strm->si[back_conn].end) : NULL;
+ struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
+ smp->strm ? smp->strm->si[1].end : NULL);
 smp->data.type = SMP_T_BOOL;
 smp->data.u.sint = (conn && conn->xprt == &ssl_sock);
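Review bot: The two-line selector `objt_conn((kw[4] != 'b') ? smp->sess->origin : smp->strm ? smp->strm->si[1].end : NULL)` introduced here in smp_fetch_ssl_fc is pasted verbatim into the smp_fetch_ssl_fc_cipher, smp_fetch_ssl_fc_alg_keysize, smp_fetch_ssl_fc_use_keysize, smp_fetch_ssl_fc_protocol, smp_fetch_ssl_fc_session_id and smp_fetch_ssl_fc_unique_id hunks, and the unparenthesised nested ternary is easy to misread; a small static inline helper would keep the front/back selection in one place, with each site reduced to `struct connection *conn = smp_fetch_ssl_conn(smp, kw);`. The new expression also dereferences smp->sess unconditionally where the old code only tested smp->strm; this presumably holds because these fetches are declared at L5 level, where a session exists, but it is an assumption the old guard did not rely on and is worth stating in the helper's comment. smp_fetch_ssl_fc continues past the end of the hunk.
```c
/* Returns the connection an ssl_fc / ssl_bc fetch applies to: the session's
 * origin for the front side (assumes smp->sess is set, which the L5 fetch
 * level is expected to guarantee), the stream's server-side endpoint for the
 * back side (NULL when no stream exists yet), or NULL when that object is not
 * a connection. Helper name is a proposal, not an existing identifier.
 */
static inline struct connection *smp_fetch_ssl_conn(struct sample *smp, const char *kw)
{
	if (kw[4] != 'b')
		return objt_conn(smp->sess->origin);
	return smp->strm ? objt_conn(smp->strm->si[1].end) : NULL;
}

/* … unchanged: smp_fetch_ssl_fc signature … */
	struct connection *conn = smp_fetch_ssl_conn(smp, kw);
```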
@@ -4618,14 +4618,10 @@ smp_fetch_ssl_fc_is_resumed(const struct arg *args, struct sample *smp, const ch
 static int
 smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
- int back_conn = (kw[4] == 'b') ? 1 : 0;
- struct connection *conn;
-
- if (!smp->strm)
- return 0;
+ struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
+ smp->strm ? smp->strm->si[1].end : NULL);
 smp->flags = 0;
- conn = objt_conn(smp->strm->si[back_conn].end);
 if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
 return 0;
@@ -4648,16 +4644,12 @@ smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char *
 static int
 smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
- int back_conn = (kw[4] == 'b') ? 1 : 0;
- struct connection *conn;
- int sint;
+ struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
+ smp->strm ? smp->strm->si[1].end : NULL);
- if (!smp->strm)
- return 0;
+ int sint;
 smp->flags = 0;
-
- conn = objt_conn(smp->strm->si[back_conn].end);
 if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
 return 0;
@@ -4677,15 +4669,10 @@ smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const c
 static int
 smp_fetch_ssl_fc_use_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
- int back_conn = (kw[4] == 'b') ? 1 : 0;
- struct connection *conn;
-
- if (!smp->strm)
- return 0;
+ struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
+ smp->strm ? smp->strm->si[1].end : NULL);
 smp->flags = 0;
-
- conn = objt_conn(smp->strm->si[back_conn].end);
 if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
 return 0;
@@ -4704,9 +4691,6 @@ smp_fetch_ssl_fc_npn(const struct arg *args, struct sample *smp, const char *kw,
 {
 struct connection *conn;
- if (!smp->strm)
- return 0;
-
 smp->flags = SMP_F_CONST;
 smp->data.type = SMP_T_STR;
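Review bot: Dropping `if (!smp->strm) return 0;` from smp_fetch_ssl_fc_npn leaves `struct connection *conn;` declared, but the assignment that fills it lies past the end of the hunk, so the visible lines cannot confirm that it reads smp->sess->origin rather than smp->strm, which is what makes the removed guard redundant; the same applies to the smp_fetch_ssl_fc_alpn and smp_fetch_ssl_fc_sni hunks. If that is the case, a one-line comment at the declaration, `/* front connection only: resolved from the session, so no stream is needed */`, would record why no stream check is required and stop a future reader from re-adding it. The function continues outside the hunk.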
@@ -4731,9 +4715,6 @@ smp_fetch_ssl_fc_alpn(const struct arg *args, struct sample *smp, const char *kw
 {
 struct connection *conn;
- if (!smp->strm)
- return 0;
-
 smp->flags = SMP_F_CONST;
 smp->data.type = SMP_T_STR;
@@ -4759,15 +4740,10 @@ smp_fetch_ssl_fc_alpn(const struct arg *args, struct sample *smp, const char *kw
 static int
 smp_fetch_ssl_fc_protocol(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
- int back_conn = (kw[4] == 'b') ? 1 : 0;
- struct connection *conn;
-
- if (!smp->strm)
- return 0;
+ struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
+ smp->strm ? smp->strm->si[1].end : NULL);
 smp->flags = 0;
-
- conn = objt_conn(smp->strm->si[back_conn].end);
 if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
 return 0;
@@ -4790,17 +4766,14 @@ static int
 smp_fetch_ssl_fc_session_id(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
 #if OPENSSL_VERSION_NUMBER > 0x0090800fL
- int back_conn = (kw[4] == 'b') ? 1 : 0;
- SSL_SESSION *ssl_sess;
- struct connection *conn;
+ struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
+ smp->strm ? smp->strm->si[1].end : NULL);
- if (!smp->strm)
- return 0;
+ SSL_SESSION *ssl_sess;
 smp->flags = SMP_F_CONST;
 smp->data.type = SMP_T_BIN;
- conn = objt_conn(smp->strm->si[back_conn].end);
 if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
 return 0;
@@ -4824,9 +4797,6 @@ smp_fetch_ssl_fc_sni(const struct arg *args, struct sample *smp, const char *kw,
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 struct connection *conn;
- if (!smp->strm)
- return 0;
-
 smp->flags = SMP_F_CONST;
 smp->data.type = SMP_T_STR;
@@ -4849,17 +4819,13 @@ static int
 smp_fetch_ssl_fc_unique_id(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
 #if OPENSSL_VERSION_NUMBER > 0x0090800fL
- int back_conn = (kw[4] == 'b') ? 1 : 0;
- struct connection *conn;
+ struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
+ smp->strm ? smp->strm->si[1].end : NULL);
+
 int finished_len;
 struct chunk *finished_trash;
- if (!smp->strm)
- return 0;
-
 smp->flags = 0;
-
- conn = objt_conn(smp->strm->si[back_conn].end);
 if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
 return 0;