MEDIUM: connection: add new bit in Proxy Protocol V2

author Dave McCowan <11235david@gmail.com>

Wed, 30 Jul 2014 14:39:13 +0000 (10:39 -0400)

committer Willy Tarreau <w@1wt.eu>

Sat, 23 Aug 2014 05:35:29 +0000 (07:35 +0200)
author Dave McCowan <11235david@gmail.com>
Wed, 30 Jul 2014 14:39:13 +0000 (10:39 -0400)
committer Willy Tarreau <w@1wt.eu>
Sat, 23 Aug 2014 05:35:29 +0000 (07:35 +0200)
diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h

index 6362953ef9e1d008ddd16f36294291d3280da125..217acccba09716704c272a6963552b89d4ad7813 100644 (file)
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@@ -51,7 +51,8 @@ void ssl_sock_free_all_ctx(struct bind_conf *bind_conf);
  const char *ssl_sock_get_cipher_name(struct connection *conn);
  const char *ssl_sock_get_proto_version(struct connection *conn);
  char *ssl_sock_get_version(struct connection *conn);
-int ssl_sock_get_cert_used(struct connection *conn);
+int ssl_sock_get_cert_used_sess(struct connection *conn);
+int ssl_sock_get_cert_used_conn(struct connection *conn);
  int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out);
  unsigned int ssl_sock_get_verify_result(struct connection *conn);
  #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
diff --git a/include/types/connection.h b/include/types/connection.h

index 2ae16d7715b1630fcc26ac3076df84653e2277aa..b31700737ba88342d045426ff52adac1c6ccba35 100644 (file)
--- a/include/types/connection.h
+++ b/include/types/connection.h
@@ -345,8 +345,9 @@ struct tlv_ssl {
         uint8_t sub_tlv[0];
  }__attribute__((packed));
  
-#define PP2_CLIENT_SSL      0x01
-#define PP2_CLIENT_CERT     0x02
+#define PP2_CLIENT_SSL           0x01
+#define PP2_CLIENT_CERT_CONN     0x02
+#define PP2_CLIENT_CERT_SESS     0x04
  
  #endif /* _TYPES_CONNECTION_H */
  
diff --git a/src/connection.c b/src/connection.c

index 2dd2c024aaee41df549da63e78d7e525d4768230..3af6d9afd7e9dda8f768b3158c8ed855c2fb15cf 100644 (file)
--- a/src/connection.c
+++ b/src/connection.c
@@ -678,9 +678,11 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
                                 tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len-ret-ssl_tlv_len), PP2_TYPE_SSL_VERSION, strlen(value), value);
                                 ssl_tlv_len += tlv_len;
                         }
-                       if (ssl_sock_get_cert_used(remote)) {
-                               tlv->client |= PP2_CLIENT_CERT;
+                       if (ssl_sock_get_cert_used_sess(remote)) {
+                               tlv->client |= PP2_CLIENT_CERT_SESS;
                                 tlv->verify = htonl(ssl_sock_get_verify_result(remote));
+                               if (ssl_sock_get_cert_used_conn(remote))
+                                       tlv->client |= PP2_CLIENT_CERT_CONN;
                         }
                         if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
                                 cn_trash = get_trash_chunk();
diff --git a/src/ssl_sock.c b/src/ssl_sock.c

index f1d604d0a2e66ee088e4ef45c39ef6118df60b49..c35d7ff25a9971897d2d586df67d53d0686770ca 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2728,8 +2728,25 @@ out:
         return result;
  }
  
-/* returns 1 if client passed a certificate, 0 if not */
-int ssl_sock_get_cert_used(struct connection *conn)
+/* returns 1 if client passed a certificate for this session, 0 if not */
+int ssl_sock_get_cert_used_sess(struct connection *conn)
+{
+       X509 *crt = NULL;
+
+       if (!ssl_sock_is_ssl(conn))
+               return 0;
+
+       /* SSL_get_peer_certificate, it increase X509 * ref count */
+       crt = SSL_get_peer_certificate(conn->xprt_ctx);
+       if (!crt)
+               return 0;
+
+       X509_free(crt);
+       return 1;
+}
+
+/* returns 1 if client passed a certificate for this connection, 0 if not */
+int ssl_sock_get_cert_used_conn(struct connection *conn)
  {
         if (!ssl_sock_is_ssl(conn))
                 return 0;
author	Dave McCowan <11235david@gmail.com>
	Wed, 30 Jul 2014 14:39:13 +0000 (10:39 -0400)
committer	Willy Tarreau <w@1wt.eu>
	Sat, 23 Aug 2014 05:35:29 +0000 (07:35 +0200)
include/proto/ssl_sock.h		patch \| blob \| blame \| history
include/types/connection.h		patch \| blob \| blame \| history
src/connection.c		patch \| blob \| blame \| history
src/ssl_sock.c		patch \| blob \| blame \| history