MEDIUM: ssl: use ssl_sock_get_ssl_object() in fetchers where appropriate Doing this also makes sure that conn->xprt_ctx is always checked before using it.

commit: 2dec6a3bf120b09cd1b5578b557ce5a65e9cf08d [log] [tgz]
author: Dragan Dosen <ddosen@haproxy.com> Mon May 11 17:25:19 2020 +0200
committer: William Lallemand <wlallemand@haproxy.org> Thu May 14 13:13:14 2020 +0200
tree: 36fb1db8b15a44c26b3e3a939150a5af8ffeb974
parent: eb607fe6a11a8de5b5c30abc20e89c32fe5e2aea [diff] [blame]
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 95bf9c2..4f00f7e 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -7936,19 +7936,20 @@
 static int
 smp_fetch_ssl_fc_has_early(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
+	SSL *ssl;
 	struct connection *conn;
 
 	conn = objt_conn(smp->sess->origin);
-	if (!conn || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
 
 	smp->flags = 0;
 	smp->data.type = SMP_T_BOOL;
 #ifdef OPENSSL_IS_BORINGSSL
 	{
-		struct ssl_sock_ctx *ctx = conn->xprt_ctx;
-		smp->data.u.sint = (SSL_in_early_data(ctx->ssl) &&
-				    SSL_early_data_accepted(ctx->ssl));
+		smp->data.u.sint = (SSL_in_early_data(ssl) &&
+				    SSL_early_data_accepted(ssl));
 	}
 #else
 	smp->data.u.sint = ((conn->flags & CO_FL_EARLY_DATA)  &&
@@ -7994,12 +7995,12 @@
 	int ret = 0;
 	struct buffer *smp_trash;
 	struct connection *conn;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 
 	conn = objt_conn(smp->sess->origin);
-	if (!conn || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
 	if (conn->flags & CO_FL_WAIT_XPRT) {
 		smp->flags |= SMP_F_MAY_CHANGE;
@@ -8007,9 +8008,9 @@
 	}
 
 	if (cert_peer)
-		crt = SSL_get_peer_certificate(ctx->ssl);
+		crt = SSL_get_peer_certificate(ssl);
 	else
-		crt = SSL_get_certificate(ctx->ssl);
+		crt = SSL_get_certificate(ssl);
 
 	if (!crt)
 		goto out;
@@ -8040,23 +8041,22 @@
 	int ret = 0;
 	struct buffer *smp_trash;
 	struct connection *conn;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 
 	conn = objt_conn(smp->sess->origin);
-	if (!conn || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
 
-	ctx = conn->xprt_ctx;
-
 	if (conn->flags & CO_FL_WAIT_XPRT) {
 		smp->flags |= SMP_F_MAY_CHANGE;
 		return 0;
 	}
 
 	if (cert_peer)
-		crt = SSL_get_peer_certificate(ctx->ssl);
+		crt = SSL_get_peer_certificate(ssl);
 	else
-		crt = SSL_get_certificate(ctx->ssl);
+		crt = SSL_get_certificate(ssl);
 
 	if (!crt)
 		goto out;
@@ -8089,12 +8089,12 @@
 	unsigned int len = 0;
 	struct buffer *smp_trash;
 	struct connection *conn;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 
 	conn = objt_conn(smp->sess->origin);
-	if (!conn || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
 	if (conn->flags & CO_FL_WAIT_XPRT) {
 		smp->flags |= SMP_F_MAY_CHANGE;
@@ -8102,9 +8102,9 @@
 	}
 
 	if (cert_peer)
-		crt = SSL_get_peer_certificate(ctx->ssl);
+		crt = SSL_get_peer_certificate(ssl);
 	else
-		crt = SSL_get_certificate(ctx->ssl);
+		crt = SSL_get_certificate(ssl);
 	if (!crt)
 		goto out;
 
@@ -8134,12 +8134,12 @@
 	int ret = 0;
 	struct buffer *smp_trash;
 	struct connection *conn;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 
 	conn = objt_conn(smp->sess->origin);
-	if (!conn || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
 	if (conn->flags & CO_FL_WAIT_XPRT) {
 		smp->flags |= SMP_F_MAY_CHANGE;
@@ -8147,9 +8147,9 @@
 	}
 
 	if (cert_peer)
-		crt = SSL_get_peer_certificate(ctx->ssl);
+		crt = SSL_get_peer_certificate(ssl);
 	else
-		crt = SSL_get_certificate(ctx->ssl);
+		crt = SSL_get_certificate(ssl);
 	if (!crt)
 		goto out;
 
@@ -8180,12 +8180,12 @@
 	int ret = 0;
 	struct buffer *smp_trash;
 	struct connection *conn;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 
 	conn = objt_conn(smp->sess->origin);
-	if (!conn || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
 	if (conn->flags & CO_FL_WAIT_XPRT) {
 		smp->flags |= SMP_F_MAY_CHANGE;
@@ -8193,9 +8193,9 @@
 	}
 
 	if (cert_peer)
-		crt = SSL_get_peer_certificate(ctx->ssl);
+		crt = SSL_get_peer_certificate(ssl);
 	else
-		crt = SSL_get_certificate(ctx->ssl);
+		crt = SSL_get_certificate(ssl);
 	if (!crt)
 		goto out;
 
@@ -8242,12 +8242,12 @@
 	int ret = 0;
 	struct buffer *smp_trash;
 	struct connection *conn;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 
 	conn = objt_conn(smp->sess->origin);
-	if (!conn || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
 	if (conn->flags & CO_FL_WAIT_XPRT) {
 		smp->flags |= SMP_F_MAY_CHANGE;
@@ -8255,9 +8255,9 @@
 	}
 
 	if (cert_peer)
-		crt = SSL_get_peer_certificate(ctx->ssl);
+		crt = SSL_get_peer_certificate(ssl);
 	else
-		crt = SSL_get_certificate(ctx->ssl);
+		crt = SSL_get_certificate(ssl);
 	if (!crt)
 		goto out;
 
@@ -8288,12 +8288,12 @@
 	int ret = 0;
 	struct buffer *smp_trash;
 	struct connection *conn;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 
 	conn = objt_conn(smp->sess->origin);
-	if (!conn || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
 	if (conn->flags & CO_FL_WAIT_XPRT) {
 		smp->flags |= SMP_F_MAY_CHANGE;
@@ -8301,9 +8301,9 @@
 	}
 
 	if (cert_peer)
-		crt = SSL_get_peer_certificate(ctx->ssl);
+		crt = SSL_get_peer_certificate(ssl);
 	else
-		crt = SSL_get_certificate(ctx->ssl);
+		crt = SSL_get_certificate(ssl);
 	if (!crt)
 		goto out;
 
@@ -8344,12 +8344,12 @@
 {
 	X509 *crt;
 	struct connection *conn;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 
 	conn = objt_conn(smp->sess->origin);
-	if (!conn || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
 	if (conn->flags & CO_FL_WAIT_XPRT) {
 		smp->flags |= SMP_F_MAY_CHANGE;
@@ -8357,7 +8357,7 @@
 	}
 
 	/* SSL_get_peer_certificate returns a ptr on allocated X509 struct */
-	crt = SSL_get_peer_certificate(ctx->ssl);
+	crt = SSL_get_peer_certificate(ssl);
 	if (crt) {
 		X509_free(crt);
 	}
@@ -8377,12 +8377,12 @@
 	int cert_peer = (kw[4] == 'c') ? 1 : 0;
 	X509 *crt;
 	struct connection *conn;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 
 	conn = objt_conn(smp->sess->origin);
-	if (!conn || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
 	if (conn->flags & CO_FL_WAIT_XPRT) {
 		smp->flags |= SMP_F_MAY_CHANGE;
@@ -8390,9 +8390,9 @@
 	}
 
 	if (cert_peer)
-		crt = SSL_get_peer_certificate(ctx->ssl);
+		crt = SSL_get_peer_certificate(ssl);
 	else
-		crt = SSL_get_certificate(ctx->ssl);
+		crt = SSL_get_certificate(ssl);
 	if (!crt)
 		return 0;
 
@@ -8417,12 +8417,12 @@
 	__OPENSSL_110_CONST__ ASN1_OBJECT *algorithm;
 	int nid;
 	struct connection *conn;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 
 	conn = objt_conn(smp->sess->origin);
-	if (!conn || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
 	if (conn->flags & CO_FL_WAIT_XPRT) {
 		smp->flags |= SMP_F_MAY_CHANGE;
@@ -8430,9 +8430,9 @@
 	}
 
 	if (cert_peer)
-		crt = SSL_get_peer_certificate(ctx->ssl);
+		crt = SSL_get_peer_certificate(ssl);
 	else
-		crt = SSL_get_certificate(ctx->ssl);
+		crt = SSL_get_certificate(ssl);
 	if (!crt)
 		return 0;
 
@@ -8469,12 +8469,12 @@
 	ASN1_OBJECT *algorithm;
 	int nid;
 	struct connection *conn;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 
 	conn = objt_conn(smp->sess->origin);
-	if (!conn || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
 	if (conn->flags & CO_FL_WAIT_XPRT) {
 		smp->flags |= SMP_F_MAY_CHANGE;
@@ -8482,9 +8482,9 @@
 	}
 
 	if (cert_peer)
-		crt = SSL_get_peer_certificate(ctx->ssl);
+		crt = SSL_get_peer_certificate(ssl);
 	else
-		crt = SSL_get_certificate(ctx->ssl);
+		crt = SSL_get_certificate(ssl);
 	if (!crt)
 		return 0;
 
@@ -8534,12 +8534,10 @@
 {
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 	struct connection *conn = objt_conn(smp->sess->origin);
-	struct ssl_sock_ctx *ctx = conn ? conn->xprt_ctx : NULL;
+	SSL *ssl = ssl_sock_get_ssl_object(conn);
 
 	smp->data.type = SMP_T_BOOL;
-	smp->data.u.sint = (conn && conn->xprt == &ssl_sock) &&
-		conn->xprt_ctx &&
-		SSL_get_servername(ctx->ssl, TLSEXT_NAMETYPE_host_name) != NULL;
+	smp->data.u.sint = ssl && SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name) != NULL;
 	return 1;
 #else
 	return 0;
@@ -8554,7 +8552,7 @@
 smp_fetch_ssl_fc_is_resumed(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
 	struct connection *conn;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 
 	if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
 		conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
@@ -8562,12 +8560,10 @@
 		conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
 			smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
 
-	ctx = conn ? conn->xprt_ctx : NULL;
+	ssl = ssl_sock_get_ssl_object(conn);
 
 	smp->data.type = SMP_T_BOOL;
-	smp->data.u.sint = (conn && conn->xprt == &ssl_sock) &&
-		conn->xprt_ctx &&
-		SSL_session_reused(ctx->ssl);
+	smp->data.u.sint = ssl && SSL_session_reused(ssl);
 	return 1;
 }
 
@@ -8579,7 +8575,7 @@
 smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
 	struct connection *conn;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 
 	if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
 		conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
@@ -8588,11 +8584,11 @@
 			smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
 
 	smp->flags = 0;
-	if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
-	smp->data.u.str.area = (char *)SSL_get_cipher_name(ctx->ssl);
+	smp->data.u.str.area = (char *)SSL_get_cipher_name(ssl);
 	if (!smp->data.u.str.area)
 		return 0;
 
@@ -8612,7 +8608,7 @@
 smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
 	struct connection *conn;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 	int sint;
 
 	if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
@@ -8622,11 +8618,11 @@
 			smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
 
 	smp->flags = 0;
-	if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
-	if (!SSL_get_cipher_bits(ctx->ssl, &sint))
+	if (!SSL_get_cipher_bits(ssl, &sint))
 		return 0;
 
 	smp->data.u.sint = sint;
@@ -8643,7 +8639,7 @@
 smp_fetch_ssl_fc_use_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
 	struct connection *conn;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 
 	if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
 		conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
@@ -8652,11 +8648,11 @@
 			smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
 
 	smp->flags = 0;
-	if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
-	smp->data.u.sint = (unsigned int)SSL_get_cipher_bits(ctx->ssl, NULL);
+	smp->data.u.sint = (unsigned int)SSL_get_cipher_bits(ssl, NULL);
 	if (!smp->data.u.sint)
 		return 0;
 
@@ -8670,7 +8666,7 @@
 smp_fetch_ssl_fc_npn(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
 	struct connection *conn;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 	unsigned int len = 0;
 
 	smp->flags = SMP_F_CONST;
@@ -8682,12 +8678,12 @@
 		conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
 			smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
 
-	if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
 	smp->data.u.str.area = NULL;
-	SSL_get0_next_proto_negotiated(ctx->ssl,
+	SSL_get0_next_proto_negotiated(ssl,
 	                               (const unsigned char **)&smp->data.u.str.area,
 	                               &len);
 
@@ -8704,7 +8700,7 @@
 smp_fetch_ssl_fc_alpn(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
 	struct connection *conn;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 	unsigned int len = 0;
 
 	smp->flags = SMP_F_CONST;
@@ -8716,12 +8712,12 @@
 		conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
 			smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
 
-	if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
 	smp->data.u.str.area = NULL;
-	SSL_get0_alpn_selected(ctx->ssl,
+	SSL_get0_alpn_selected(ssl,
 	                       (const unsigned char **)&smp->data.u.str.area,
 	                       &len);
 
@@ -8741,7 +8737,7 @@
 smp_fetch_ssl_fc_protocol(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
 	struct connection *conn;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 
 	if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
 		conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
@@ -8750,11 +8746,11 @@
 			smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
 
 	smp->flags = 0;
-	if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
-	smp->data.u.str.area = (char *)SSL_get_version(ctx->ssl);
+	smp->data.u.str.area = (char *)SSL_get_version(ssl);
 	if (!smp->data.u.str.area)
 		return 0;
 
@@ -8775,7 +8771,7 @@
 {
 	struct connection *conn;
 	SSL_SESSION *ssl_sess;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 	unsigned int len = 0;
 
 	smp->flags = SMP_F_CONST;
@@ -8787,11 +8783,11 @@
 		conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
 			smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
 
-	if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
-	ssl_sess = SSL_get_session(ctx->ssl);
+	ssl_sess = SSL_get_session(ssl);
 	if (!ssl_sess)
 		return 0;
 
@@ -8811,7 +8807,7 @@
 {
 	struct connection *conn;
 	struct buffer *data;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 
 	if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
 		conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
@@ -8819,17 +8815,17 @@
 		conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
 			smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
 
-	if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
 	data = get_trash_chunk();
 	if (kw[7] == 'c')
-		data->data = SSL_get_client_random(ctx->ssl,
+		data->data = SSL_get_client_random(ssl,
 		                                   (unsigned char *) data->area,
 		                                   data->size);
 	else
-		data->data = SSL_get_server_random(ctx->ssl,
+		data->data = SSL_get_server_random(ssl,
 		                                   (unsigned char *) data->area,
 		                                   data->size);
 	if (!data->data)
@@ -8848,7 +8844,7 @@
 	struct connection *conn;
 	SSL_SESSION *ssl_sess;
 	struct buffer *data;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 
 	if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
 		conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
@@ -8856,11 +8852,11 @@
 		conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
 			smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
 
-	if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
-	ssl_sess = SSL_get_session(ctx->ssl);
+	ssl_sess = SSL_get_session(ssl);
 	if (!ssl_sess)
 		return 0;
 
@@ -8884,17 +8880,17 @@
 smp_fetch_ssl_fc_sni(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
 	struct connection *conn;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 
 	smp->flags = SMP_F_CONST;
 	smp->data.type = SMP_T_STR;
 
 	conn = objt_conn(smp->sess->origin);
-	if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
-	smp->data.u.str.area = (char *)SSL_get_servername(ctx->ssl, TLSEXT_NAMETYPE_host_name);
+	smp->data.u.str.area = (char *)SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
 	if (!smp->data.u.str.area)
 		return 0;
 
@@ -8908,14 +8904,14 @@
 {
 	struct connection *conn;
 	struct ssl_capture *capture;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 
 	conn = objt_conn(smp->sess->origin);
-	if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
-	capture = SSL_get_ex_data(ctx->ssl, ssl_capture_ptr_index);
+	capture = SSL_get_ex_data(ssl, ssl_capture_ptr_index);
 	if (!capture)
 		return 0;
 
@@ -8946,14 +8942,14 @@
 {
 	struct connection *conn;
 	struct ssl_capture *capture;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 
 	conn = objt_conn(smp->sess->origin);
-	if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
-	capture = SSL_get_ex_data(ctx->ssl, ssl_capture_ptr_index);
+	capture = SSL_get_ex_data(ssl, ssl_capture_ptr_index);
 	if (!capture)
 		return 0;
 
@@ -8982,8 +8978,8 @@
 		cipher = SSL_get_cipher_by_value(id);
 #else
 		struct connection *conn = __objt_conn(smp->sess->origin);
-		struct ssl_sock_ctx *ctx = conn->xprt_ctx;
-		cipher = SSL_CIPHER_find(ctx->ssl, bin);
+		SSL *ssl = ssl_sock_get_ssl_object(conn);
+		cipher = SSL_CIPHER_find(ssl, bin);
 #endif
 		str = SSL_CIPHER_get_name(cipher);
 		if (!str || strcmp(str, "(NONE)") == 0)
@@ -9006,7 +9002,7 @@
 	struct connection *conn;
 	int finished_len;
 	struct buffer *finished_trash;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 
 	if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
 		conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
@@ -9015,9 +9011,9 @@
 			smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
 
 	smp->flags = 0;
-	if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
-	ctx = conn->xprt_ctx;
 
 	if (conn->flags & CO_FL_WAIT_XPRT) {
 		smp->flags |= SMP_F_MAY_CHANGE;
@@ -9025,12 +9021,12 @@
 	}
 
 	finished_trash = get_trash_chunk();
-	if (!SSL_session_reused(ctx->ssl))
-		finished_len = SSL_get_peer_finished(ctx->ssl,
+	if (!SSL_session_reused(ssl))
+		finished_len = SSL_get_peer_finished(ssl,
 						     finished_trash->area,
 						     finished_trash->size);
 	else
-		finished_len = SSL_get_finished(ctx->ssl,
+		finished_len = SSL_get_finished(ssl,
 						finished_trash->area,
 						finished_trash->size);
 
@@ -9123,10 +9119,11 @@
 smp_fetch_ssl_c_verify(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
 	struct connection *conn;
-	struct ssl_sock_ctx *ctx;
+	SSL *ssl;
 
 	conn = objt_conn(smp->sess->origin);
-	if (!conn || conn->xprt != &ssl_sock)
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
 		return 0;
 
 	if (conn->flags & CO_FL_WAIT_XPRT) {
@@ -9134,12 +9131,8 @@
 		return 0;
 	}
 
-	if (!conn->xprt_ctx)
-		return 0;
-	ctx = conn->xprt_ctx;
-
 	smp->data.type = SMP_T_SINT;
-	smp->data.u.sint = (long long int)SSL_get_verify_result(ctx->ssl);
+	smp->data.u.sint = (long long int)SSL_get_verify_result(ssl);
 	smp->flags = 0;
 
 	return 1;
commit	2dec6a3bf120b09cd1b5578b557ce5a65e9cf08d	[log] [tgz]
author	Dragan Dosen <ddosen@haproxy.com>	Mon May 11 17:25:19 2020 +0200
committer	William Lallemand <wlallemand@haproxy.org>	Thu May 14 13:13:14 2020 +0200
tree	36fb1db8b15a44c26b3e3a939150a5af8ffeb974
parent	eb607fe6a11a8de5b5c30abc20e89c32fe5e2aea [diff] [blame]