MEDIUM: connection: add new bit in Proxy Protocol V2

There are two sample commands to get information about the presence of a client certificate. ssl_fc_has_crt is true if there is a certificate present in the current connection ssl_c_used is true if there is a certificate present in the session. If a session has stopped and resumed, then ssl_c_used could be true, while ssl_fc_has_crt is false. In the client byte of the TLS TLV of Proxy Protocol V2, there is only one bit to indicate whether a certificate is present on the connection. The attached patch adds a second bit to indicate the presence for the session. This maintains backward compatibility. [wt: this should be backported to 1.5 to help maintain compatibility between versions]
2025-01-29 17:42:54 +00:00 · 2014-07-30 10:39:13 -04:00 · 2014-07-30 10:39:13 -04:00 · 328fb58d74
commit 328fb58d74
parent 7566e30477
4 changed files with 28 additions and 7 deletions
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@ -51,7 +51,8 @@ void ssl_sock_free_all_ctx(struct bind_conf *bind_conf);
 const char *ssl_sock_get_cipher_name(struct connection *conn);
 const char *ssl_sock_get_proto_version(struct connection *conn);
 char *ssl_sock_get_version(struct connection *conn);
-int ssl_sock_get_cert_used(struct connection *conn);
+int ssl_sock_get_cert_used_sess(struct connection *conn);
+int ssl_sock_get_cert_used_conn(struct connection *conn);
 int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out);
 unsigned int ssl_sock_get_verify_result(struct connection *conn);
 #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)
--- a/include/types/connection.h
+++ b/include/types/connection.h
@ -345,8 +345,9 @@ struct tlv_ssl {
 	uint8_t sub_tlv[0];
 }__attribute__((packed));

-#define PP2_CLIENT_SSL      0x01
-#define PP2_CLIENT_CERT     0x02
+#define PP2_CLIENT_SSL           0x01
+#define PP2_CLIENT_CERT_CONN     0x02
+#define PP2_CLIENT_CERT_SESS     0x04

 #endif /* _TYPES_CONNECTION_H */

--- a/src/connection.c
+++ b/src/connection.c
@ -678,9 +678,11 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
 				tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len-ret-ssl_tlv_len), PP2_TYPE_SSL_VERSION, strlen(value), value);
 				ssl_tlv_len += tlv_len;
 			}
-			if (ssl_sock_get_cert_used(remote)) {
-				tlv->client |= PP2_CLIENT_CERT;
+			if (ssl_sock_get_cert_used_sess(remote)) {
+				tlv->client |= PP2_CLIENT_CERT_SESS;
 				tlv->verify = htonl(ssl_sock_get_verify_result(remote));
+				if (ssl_sock_get_cert_used_conn(remote))
+					tlv->client |= PP2_CLIENT_CERT_CONN;
 			}
 			if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
 				cn_trash = get_trash_chunk();
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -2728,8 +2728,25 @@ out:
 	return result;
 }

-/* returns 1 if client passed a certificate, 0 if not */
-int ssl_sock_get_cert_used(struct connection *conn)
+/* returns 1 if client passed a certificate for this session, 0 if not */
+int ssl_sock_get_cert_used_sess(struct connection *conn)
+{
+	X509 *crt = NULL;
+
+	if (!ssl_sock_is_ssl(conn))
+		return 0;
+
+	/* SSL_get_peer_certificate, it increase X509 * ref count */
+	crt = SSL_get_peer_certificate(conn->xprt_ctx);
+	if (!crt)
+		return 0;
+
+	X509_free(crt);
+	return 1;
+}
+
+/* returns 1 if client passed a certificate for this connection, 0 if not */
+int ssl_sock_get_cert_used_conn(struct connection *conn)
 {
 	if (!ssl_sock_is_ssl(conn))
 		return 0;