BUG/MINOR: ssl: fix usage of the various sample fetch functions
Technically speaking, many SSL sample fetch functions act on the
connection and depend on USE_L5CLI on the client side, which means
they're usable as soon as a handshake is completed on a connection.
This means that the test consisting in refusing to call them when
the stream is NULL will prevent them from working when we implement
the tcp-request session ruleset. Better fix this now. The fix consists
in using smp->sess->origin when they're called for the front connection,
and smp->strm->si[1].end when called for the back connection.
There is currently no known side effect for this issue, though it should
preferably be backported into 1.6 so that the code base remains consistent.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 393ec36..1017388 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4573,8 +4573,8 @@
static int
smp_fetch_ssl_fc(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
- int back_conn = (kw[4] == 'b') ? 1 : 0;
- struct connection *conn = smp->strm ? objt_conn(smp->strm->si[back_conn].end) : NULL;
+ struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
+ smp->strm ? smp->strm->si[1].end : NULL);
smp->data.type = SMP_T_BOOL;
smp->data.u.sint = (conn && conn->xprt == &ssl_sock);
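Review bot: The unparenthesised nested conditional that initialises `conn` here is repeated verbatim in six more fetches in this patch (cipher, alg_keysize, use_keysize, protocol, session_id, unique_id), so the front/back selection these keywords feed into ACL decisions can drift between copies. Its precedence is correct, but it is easy to misread, and `kw[4]` silently assumes every registered keyword is spelled `ssl_fc…` or `ssl_bc…`. A single static helper with a comment stating that assumption would keep the choice of connection in one place; the helper name below is only a suggestion. The body of smp_fetch_ssl_fc continues past the end of this hunk.

```c
/* Return the connection an ssl_fc_* / ssl_bc_* keyword refers to: the
 * session's origin for the front side, the stream's si[1] endpoint for the
 * back side, or NULL when no stream exists yet. Relies on kw[4] being 'f'
 * or 'b', i.e. on the "ssl_fc" / "ssl_bc" keyword prefix.
 */
static inline struct connection *ssl_sample_conn(const struct sample *smp, const char *kw)
{
	if (kw[4] != 'b')
		return objt_conn(smp->sess->origin);
	if (!smp->strm)
		return NULL;
	return objt_conn(smp->strm->si[1].end);
}

/* … in smp_fetch_ssl_fc and the six other fetches, replacing the ternary: */
	struct connection *conn = ssl_sample_conn(smp, kw);
```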
@@ -4618,14 +4618,10 @@
static int
smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
- int back_conn = (kw[4] == 'b') ? 1 : 0;
- struct connection *conn;
-
- if (!smp->strm)
- return 0;
+ struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
+ smp->strm ? smp->strm->si[1].end : NULL);
smp->flags = 0;
- conn = objt_conn(smp->strm->si[back_conn].end);
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0;
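Review bot: With `if (!smp->strm) return 0;` removed, the initialiser of `conn` dereferences `smp->sess` before any check runs, and nothing in this diff shows that every caller of these fetches sets `smp->sess`. If that is an invariant of the sample API, it is worth stating next to the declaration, e.g. `/* smp->sess is always valid here; only smp->strm may be NULL before a stream exists */`, so a later caller does not turn a fetch used in access rules into a NULL dereference. The same applies to the other fetches changed this way. The three deletion-only hunks (`@@ -4704`, `@@ -4731`, `@@ -4824`) drop the guard while their `conn` assignment lies outside the hunk, so please confirm those assignments read `smp->sess->origin` and not `smp->strm`.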
@@ -4648,16 +4644,12 @@
static int
smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
- int back_conn = (kw[4] == 'b') ? 1 : 0;
- struct connection *conn;
- int sint;
+ struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
+ smp->strm ? smp->strm->si[1].end : NULL);
- if (!smp->strm)
- return 0;
+ int sint;
smp->flags = 0;
-
- conn = objt_conn(smp->strm->si[back_conn].end);
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0;
@@ -4677,15 +4669,10 @@
static int
smp_fetch_ssl_fc_use_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
- int back_conn = (kw[4] == 'b') ? 1 : 0;
- struct connection *conn;
-
- if (!smp->strm)
- return 0;
+ struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
+ smp->strm ? smp->strm->si[1].end : NULL);
smp->flags = 0;
-
- conn = objt_conn(smp->strm->si[back_conn].end);
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0;
@@ -4704,9 +4691,6 @@
{
struct connection *conn;
- if (!smp->strm)
- return 0;
-
smp->flags = SMP_F_CONST;
smp->data.type = SMP_T_STR;
@@ -4731,9 +4715,6 @@
{
struct connection *conn;
- if (!smp->strm)
- return 0;
-
smp->flags = SMP_F_CONST;
smp->data.type = SMP_T_STR;
@@ -4759,15 +4740,10 @@
static int
smp_fetch_ssl_fc_protocol(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
- int back_conn = (kw[4] == 'b') ? 1 : 0;
- struct connection *conn;
-
- if (!smp->strm)
- return 0;
+ struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
+ smp->strm ? smp->strm->si[1].end : NULL);
smp->flags = 0;
-
- conn = objt_conn(smp->strm->si[back_conn].end);
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0;
@@ -4790,17 +4766,14 @@
smp_fetch_ssl_fc_session_id(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
#if OPENSSL_VERSION_NUMBER > 0x0090800fL
- int back_conn = (kw[4] == 'b') ? 1 : 0;
- SSL_SESSION *ssl_sess;
- struct connection *conn;
+ struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
+ smp->strm ? smp->strm->si[1].end : NULL);
- if (!smp->strm)
- return 0;
+ SSL_SESSION *ssl_sess;
smp->flags = SMP_F_CONST;
smp->data.type = SMP_T_BIN;
- conn = objt_conn(smp->strm->si[back_conn].end);
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0;
@@ -4824,9 +4797,6 @@
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
struct connection *conn;
- if (!smp->strm)
- return 0;
-
smp->flags = SMP_F_CONST;
smp->data.type = SMP_T_STR;
@@ -4849,17 +4819,13 @@
smp_fetch_ssl_fc_unique_id(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
#if OPENSSL_VERSION_NUMBER > 0x0090800fL
- int back_conn = (kw[4] == 'b') ? 1 : 0;
- struct connection *conn;
+ struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
+ smp->strm ? smp->strm->si[1].end : NULL);
+
int finished_len;
struct chunk *finished_trash;
- if (!smp->strm)
- return 0;
-
smp->flags = 0;
-
- conn = objt_conn(smp->strm->si[back_conn].end);
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0;