Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / e38047423da5a123ef21fa0ffac1e36c30c2b686^! / .
commite38047423da5a123ef21fa0ffac1e36c30c2b686[log] [tgz]
authorEmmanuel Hocdet <manu@gandi.net>Wed Mar 08 11:07:10 2017 +0100
committerWilly Tarreau <w@1wt.eu>Wed Mar 08 15:04:43 2017 +0100
treed1f6d32bcb558294484477083529b625c6e11669
parentaaee75088a5c85d77cd87aa91169705215f152d2 [diff]
MINOR: ssl: improved cipherlist captures

Alloc capture buffer later (when filling), parse client-hello after
heartbeat check and remove capture->conn (unused).

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index fa5ad53..91a15af 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -167,7 +167,6 @@
 
 /* This memory pool is used for capturing clienthello parameters. */
 struct ssl_capture {
-	struct connection *conn;
 	unsigned long long int xxh64;
 	unsigned char ciphersuite_len;
 	char ciphersuite[0];
@@ -1148,12 +1147,12 @@
 
 static inline
 void ssl_sock_parse_clienthello(int write_p, int version, int content_type,
-                                const void *buf, size_t len,
-                                struct ssl_capture *capture)
+                                const void *buf, size_t len, SSL *ssl)
 {
+	struct ssl_capture *capture;
 	unsigned char *msg;
 	unsigned char *end;
-	unsigned int rec_len;
+	size_t rec_len;
 
 	/* This function is called for "from client" and "to server"
 	 * connections. The combination of write_p == 0 and content_type == 22
@@ -1232,25 +1231,23 @@
 	if (msg + rec_len > end || msg + rec_len < msg)
 		return;
 
+	capture = pool_alloc_dirty(pool2_ssl_capture);
+	if (!capture)
+		return;
 	/* Compute the xxh64 of the ciphersuite. */
 	capture->xxh64 = XXH64(msg, rec_len, 0);
 
 	/* Capture the ciphersuite. */
-	capture->ciphersuite_len = rec_len;
-	if (capture->ciphersuite_len > global_ssl.capture_cipherlist)
-		capture->ciphersuite_len = global_ssl.capture_cipherlist;
+	capture->ciphersuite_len = (global_ssl.capture_cipherlist < rec_len) ?
+		global_ssl.capture_cipherlist : rec_len;
 	memcpy(capture->ciphersuite, msg, capture->ciphersuite_len);
+
+	SSL_set_ex_data(ssl, ssl_capture_ptr_index, capture);
 }
 
 /* Callback is called for ssl protocol analyse */
 void ssl_sock_msgcbk(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)
 {
-	if (global_ssl.capture_cipherlist) {
-			struct ssl_capture *capture = SSL_get_ex_data(ssl, ssl_capture_ptr_index);
-			if (capture)
-				ssl_sock_parse_clienthello(write_p, version, content_type, buf, len, capture);
-	}
-
 #ifdef TLS1_RT_HEARTBEAT
 	/* test heartbeat received (write_p is set to 0
 	   for a received record) */
@@ -1289,6 +1286,8 @@
 		return;
 	}
 #endif
+	if (global_ssl.capture_cipherlist > 0)
+		ssl_sock_parse_clienthello(write_p, version, content_type, buf, len, ssl);
 }
 
 #ifdef OPENSSL_NPN_NEGOTIATED
@@ -4065,16 +4064,6 @@
 			return -1;
 		}
 
-		/* Set capture struct as opaque argument for the msg callback. */
-		if (global_ssl.capture_cipherlist > 0) {
-			struct ssl_capture *capture = pool_alloc_dirty(pool2_ssl_capture);
-			if (capture) {
-				capture->conn = conn;
-				capture->ciphersuite_len = 0;
-				SSL_set_ex_data(conn->xprt_ctx, ssl_capture_ptr_index, capture);
-			}
-		}
-
 		SSL_set_accept_state(conn->xprt_ctx);
 
 		/* leave init state and start handshake */