MINOR: ssl: add volatile flags to ssl samples
The ssl samples are not constant over time and change according to the
session. Add the flag SMP_F_VOL_SESS to indicate this.
diff --git a/src/ssl_sample.c b/src/ssl_sample.c
index 0f59365..fe45ce9 100644
--- a/src/ssl_sample.c
+++ b/src/ssl_sample.c
@@ -77,7 +77,7 @@
return 0;
}
- smp->flags = 0;
+ smp->flags = SMP_F_VOL_SESS;
smp->data.type = SMP_T_BOOL;
smp->data.u.sint = SSL_SOCK_ST_FL_VERIFY_DONE & ctx->xprt_st ? 1 : 0;
@@ -126,6 +126,7 @@
if (ssl_sock_crt2der(crt, smp_trash) <= 0)
goto out;
+ smp->flags = SMP_F_VOL_SESS;
smp->data.u.str = *smp_trash;
smp->data.type = SMP_T_BIN;
ret = 1;
@@ -192,6 +193,7 @@
chunk_cat(smp_trash, tmp_trash);
}
+ smp->flags = SMP_F_VOL_SESS;
smp->data.u.str = *smp_trash;
smp->data.type = SMP_T_BIN;
ret = 1;
@@ -241,6 +243,7 @@
if (ssl_sock_get_serial(crt, smp_trash) <= 0)
goto out;
+ smp->flags = SMP_F_VOL_SESS;
smp->data.u.str = *smp_trash;
smp->data.type = SMP_T_BIN;
ret = 1;
@@ -293,6 +296,7 @@
digest = EVP_sha1();
X509_digest(crt, digest, (unsigned char *) smp_trash->area, &len);
smp_trash->data = len;
+ smp->flags = SMP_F_VOL_SESS;
smp->data.u.str = *smp_trash;
smp->data.type = SMP_T_BIN;
ret = 1;
@@ -343,6 +347,7 @@
if (ssl_sock_get_time(X509_getm_notAfter(crt), smp_trash) <= 0)
goto out;
+ smp->flags = SMP_F_VOL_SESS;
smp->data.u.str = *smp_trash;
smp->data.type = SMP_T_STR;
ret = 1;
@@ -411,6 +416,7 @@
else if (ssl_sock_get_dn_oneline(name, smp_trash) <= 0)
goto out;
+ smp->flags = SMP_F_VOL_SESS;
smp->data.type = SMP_T_STR;
smp->data.u.str = *smp_trash;
ret = 1;
@@ -461,6 +467,7 @@
if (ssl_sock_get_time(X509_getm_notBefore(crt), smp_trash) <= 0)
goto out;
+ smp->flags = SMP_F_VOL_SESS;
smp->data.u.str = *smp_trash;
smp->data.type = SMP_T_STR;
ret = 1;
@@ -529,6 +536,7 @@
else if (ssl_sock_get_dn_oneline(name, smp_trash) <= 0)
goto out;
+ smp->flags = SMP_F_VOL_SESS;
smp->data.type = SMP_T_STR;
smp->data.u.str = *smp_trash;
ret = 1;
@@ -563,6 +571,7 @@
X509_free(crt);
}
+ smp->flags = SMP_F_VOL_SESS;
smp->data.type = SMP_T_BOOL;
smp->data.u.sint = (crt != NULL);
return 1;
@@ -602,6 +611,7 @@
if (!crt)
return 0;
+ smp->flags = SMP_F_VOL_SESS;
smp->data.u.sint = (unsigned int)(1 + X509_get_version(crt));
/* SSL_get_peer_certificate increase X509 * ref count */
if (cert_peer)
@@ -659,7 +669,7 @@
}
smp->data.type = SMP_T_STR;
- smp->flags |= SMP_F_CONST;
+ smp->flags |= SMP_F_VOL_SESS | SMP_F_CONST;
smp->data.u.str.data = strlen(smp->data.u.str.area);
/* SSL_get_peer_certificate increase X509 * ref count */
if (cert_peer)
@@ -715,7 +725,7 @@
}
smp->data.type = SMP_T_STR;
- smp->flags |= SMP_F_CONST;
+ smp->flags |= SMP_F_VOL_SESS | SMP_F_CONST;
smp->data.u.str.data = strlen(smp->data.u.str.area);
if (cert_peer)
X509_free(crt);
@@ -808,7 +818,7 @@
return 0;
smp->data.type = SMP_T_STR;
- smp->flags |= SMP_F_CONST;
+ smp->flags |= SMP_F_VOL_SESS | SMP_F_CONST;
smp->data.u.str.data = strlen(smp->data.u.str.area);
return 1;
@@ -840,6 +850,7 @@
if (!SSL_get_cipher_bits(ssl, &sint))
return 0;
+ smp->flags = SMP_F_VOL_SESS;
smp->data.u.sint = sint;
smp->data.type = SMP_T_SINT;
@@ -871,6 +882,7 @@
if (!smp->data.u.sint)
return 0;
+ smp->flags = SMP_F_VOL_SESS;
smp->data.type = SMP_T_SINT;
return 1;
@@ -897,6 +909,7 @@
if (!ssl)
return 0;
+ smp->flags = SMP_F_VOL_SESS;
smp->data.u.str.area = NULL;
SSL_get0_next_proto_negotiated(ssl,
(const unsigned char **)&smp->data.u.str.area,
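Review bot: The added `smp->flags = SMP_F_VOL_SESS;` is a plain assignment placed just before `SSL_get0_next_proto_negotiated()` stores a pointer into `smp->data.u.str.area` through a `const unsigned char **` cast, so the sample references a buffer owned by the TLS library without `SMP_F_CONST` set. The function starts outside this hunk, so if `SMP_F_CONST` was set earlier, this line silently clears it. A converter that edits strings in place could then write into library-owned memory. The structurally similar hunks at -918 and -989 use `smp->flags = SMP_F_VOL_SESS | SMP_F_CONST;`, and the same form (or `|=`) looks right here.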
@@ -918,7 +931,7 @@
SSL *ssl;
unsigned int len = 0;
- smp->flags = SMP_F_CONST;
+ smp->flags = SMP_F_VOL_SESS | SMP_F_CONST;
smp->data.type = SMP_T_STR;
if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
@@ -970,7 +983,7 @@
return 0;
smp->data.type = SMP_T_STR;
- smp->flags = SMP_F_CONST;
+ smp->flags = SMP_F_VOL_SESS | SMP_F_CONST;
smp->data.u.str.data = strlen(smp->data.u.str.area);
return 1;
@@ -989,7 +1002,7 @@
SSL *ssl;
unsigned int len = 0;
- smp->flags = SMP_F_CONST;
+ smp->flags = SMP_F_VOL_SESS | SMP_F_CONST;
smp->data.type = SMP_T_BIN;
if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
@@ -1046,7 +1059,7 @@
if (!data->data)
return 0;
- smp->flags = 0;
+ smp->flags = SMP_F_VOL_TEST;
smp->data.type = SMP_T_BIN;
smp->data.u.str = *data;
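Review bot: This hunk sets `SMP_F_VOL_TEST`, although the commit message mentions only `SMP_F_VOL_SESS`, and the near-identical hunk at -1082 (same `data->data` check, same `SMP_T_BIN` copy of `*data`) uses `SMP_F_VOL_SESS`. The hunks at -1130 and -1225 also use `SMP_F_VOL_TEST`. The one at -1130 reads from `capture` just as -1168 does, yet -1168 gets `SMP_F_VOL_SESS`. If the different volatility scope is deliberate, say why in the commit message and add a short comment at each of the three sites. Otherwise `smp->flags = SMP_F_VOL_SESS;` (keeping `| SMP_F_CONST` where it is already present) would make the fetches consistent. The enclosing function starts and ends outside the hunk, so the origin of `data` cannot be checked from here.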
@@ -1082,7 +1095,7 @@
if (!data->data)
return 0;
- smp->flags = 0;
+ smp->flags = SMP_F_VOL_SESS;
smp->data.type = SMP_T_BIN;
smp->data.u.str = *data;
@@ -1097,7 +1110,7 @@
struct connection *conn;
SSL *ssl;
- smp->flags = SMP_F_CONST;
+ smp->flags = SMP_F_VOL_SESS | SMP_F_CONST;
smp->data.type = SMP_T_STR;
conn = objt_conn(smp->sess->origin);
@@ -1130,7 +1143,7 @@
if (!capture)
return 0;
- smp->flags = SMP_F_CONST;
+ smp->flags = SMP_F_VOL_TEST | SMP_F_CONST;
smp->data.type = SMP_T_BIN;
smp->data.u.str.area = capture->ciphersuite;
smp->data.u.str.data = capture->ciphersuite_len;
@@ -1147,6 +1160,7 @@
data = get_trash_chunk();
dump_binary(data, smp->data.u.str.area, smp->data.u.str.data);
+ smp->flags = SMP_F_VOL_SESS;
smp->data.type = SMP_T_BIN;
smp->data.u.str = *data;
return 1;
@@ -1168,6 +1182,7 @@
if (!capture)
return 0;
+ smp->flags = SMP_F_VOL_SESS;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = capture->xxh64;
return 1;
@@ -1225,7 +1240,7 @@
smp->data.u.str.area = src;
smp->data.type = SMP_T_STR;
- smp->flags |= SMP_F_CONST;
+ smp->flags |= SMP_F_VOL_TEST | SMP_F_CONST;
smp->data.u.str.data = strlen(smp->data.u.str.area);
return 1;
}
@@ -1307,6 +1322,7 @@
return 0;
finished_trash->data = finished_len;
+ smp->flags = SMP_F_VOL_SESS;
smp->data.u.str = *finished_trash;
smp->data.type = SMP_T_BIN;
@@ -1333,7 +1349,7 @@
smp->data.type = SMP_T_SINT;
smp->data.u.sint = (unsigned long long int)SSL_SOCK_ST_TO_CA_ERROR(ctx->xprt_st);
- smp->flags = 0;
+ smp->flags = SMP_F_VOL_SESS;
return 1;
}
@@ -1357,7 +1373,7 @@
smp->data.type = SMP_T_SINT;
smp->data.u.sint = (long long int)SSL_SOCK_ST_TO_CAEDEPTH(ctx->xprt_st);
- smp->flags = 0;
+ smp->flags = SMP_F_VOL_SESS;
return 1;
}
@@ -1382,7 +1398,7 @@
smp->data.type = SMP_T_SINT;
smp->data.u.sint = (long long int)SSL_SOCK_ST_TO_CRTERROR(ctx->xprt_st);
- smp->flags = 0;
+ smp->flags = SMP_F_VOL_SESS;
return 1;
}
@@ -1406,7 +1422,7 @@
smp->data.type = SMP_T_SINT;
smp->data.u.sint = (long long int)SSL_get_verify_result(ssl);
- smp->flags = 0;
+ smp->flags = SMP_F_VOL_SESS;
return 1;
}