Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP5:Update
haproxy.748
0001-MINOR-ssl-add-fetchs-ssl_c_der-and-ssl_f_d...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0001-MINOR-ssl-add-fetchs-ssl_c_der-and-ssl_f_der-to-retu.patch of Package haproxy.748
From e09266e1aa950b1f956fb4f7b6985f86b6050a24 Mon Sep 17 00:00:00 2001 From: Emeric Brun <ebrun@haproxy.com> Date: Wed, 29 Oct 2014 19:03:26 +0100 Subject: [PATCH 01/13] MINOR: ssl: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs ssl_c_der : binary Returns the DER formatted certificate presented by the client when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form. ssl_f_der : binary Returns the DER formatted certificate presented by the frontend when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form. (cherry picked from commit 43e7958def282deebde934950b133a1dd9edaabf) --- doc/configuration.txt | 10 +++++++ src/ssl_sock.c | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 82 insertions(+) diff --git a/doc/configuration.txt b/doc/configuration.txt index 19df5ae..88e25f0 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -10675,6 +10675,11 @@ ssl_c_ca_err_depth : integer verification of the client certificate. If no error is encountered, 0 is returned. +ssl_c_der : binary + Returns the DER formatted certificate presented by the client when the + incoming connection was made over an SSL/TLS transport layer. When used for + an ACL, the value(s) to match against can be passed in hexadecimal form. + ssl_c_err : integer When the incoming connection was made over an SSL/TLS transport layer, returns the ID of the first error detected during verification at depth 0, or @@ -10750,6 +10755,11 @@ ssl_c_version : integer Returns the version of the certificate presented by the client when the incoming connection was made over an SSL/TLS transport layer. +ssl_f_der : binary + Returns the DER formatted certificate presented by the frontend when the + incoming connection was made over an SSL/TLS transport layer. When used for + an ACL, the value(s) to match against can be passed in hexadecimal form. + ssl_f_i_dn([<entry>[,<occ>]]) : string When the incoming connection was made over an SSL/TLS transport layer, returns the full distinguished name of the issuer of the certificate diff --git a/src/ssl_sock.c b/src/ssl_sock.c index da99a30..938e534 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -2543,6 +2543,28 @@ ssl_sock_get_serial(X509 *crt, struct chunk *out) return 1; } +/* Extract a cert to der, and copy it to a chunk. + * Returns 1 if cert is found and copied, 0 on der convertion failure and + * -1 if output is not large enough. + */ +static int +ssl_sock_crt2der(X509 *crt, struct chunk *out) +{ + int len; + unsigned char *p = (unsigned char *)out->str;; + + len =i2d_X509(crt, NULL); + if (len <= 0) + return 1; + + if (out->size < len) + return -1; + + i2d_X509(crt,&p); + out->len = len; + return 1; +} + /* Copy Date in ASN1_UTCTIME format in struct chunk out. * Returns 1 if serial is found and copied, 0 if no valid time found @@ -2783,6 +2805,54 @@ smp_fetch_ssl_fc_has_crt(struct proxy *px, struct session *l4, void *l7, unsigne return 1; } +/* binary, returns a certificate in a binary chunk (der/raw). + * The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate + * should be use. + */ +static int +smp_fetch_ssl_x_der(struct proxy *px, struct session *l4, void *l7, unsigned int opt, + const struct arg *args, struct sample *smp, const char *kw) +{ + int cert_peer = (kw[4] == 'c') ? 1 : 0; + X509 *crt = NULL; + int ret = 0; + struct chunk *smp_trash; + struct connection *conn; + + if (!l4) + return 0; + + conn = objt_conn(l4->si[0].end); + if (!conn || conn->xprt != &ssl_sock) + return 0; + + if (!(conn->flags & CO_FL_CONNECTED)) { + smp->flags |= SMP_F_MAY_CHANGE; + return 0; + } + + if (cert_peer) + crt = SSL_get_peer_certificate(conn->xprt_ctx); + else + crt = SSL_get_certificate(conn->xprt_ctx); + + if (!crt) + goto out; + + smp_trash = get_trash_chunk(); + if (ssl_sock_crt2der(crt, smp_trash) <= 0) + goto out; + + smp->data.str = *smp_trash; + smp->type = SMP_T_BIN; + ret = 1; +out: + /* SSL_get_peer_certificate, it increase X509 * ref count */ + if (cert_peer && crt) + X509_free(crt); + return ret; +} + /* binary, returns serial of certificate in a binary chunk. * The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate * should be use. @@ -4309,6 +4379,7 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, { { "ssl_bc_session_id", smp_fetch_ssl_fc_session_id, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV }, { "ssl_c_ca_err", smp_fetch_ssl_c_ca_err, 0, NULL, SMP_T_UINT, SMP_USE_L5CLI }, { "ssl_c_ca_err_depth", smp_fetch_ssl_c_ca_err_depth, 0, NULL, SMP_T_UINT, SMP_USE_L5CLI }, + { "ssl_c_der", smp_fetch_ssl_x_der, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI }, { "ssl_c_err", smp_fetch_ssl_c_err, 0, NULL, SMP_T_UINT, SMP_USE_L5CLI }, { "ssl_c_i_dn", smp_fetch_ssl_x_i_dn, ARG2(0,STR,SINT), NULL, SMP_T_STR, SMP_USE_L5CLI }, { "ssl_c_key_alg", smp_fetch_ssl_x_key_alg, 0, NULL, SMP_T_STR, SMP_USE_L5CLI }, @@ -4321,6 +4392,7 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, { { "ssl_c_used", smp_fetch_ssl_c_used, 0, NULL, SMP_T_BOOL, SMP_USE_L5CLI }, { "ssl_c_verify", smp_fetch_ssl_c_verify, 0, NULL, SMP_T_UINT, SMP_USE_L5CLI }, { "ssl_c_version", smp_fetch_ssl_x_version, 0, NULL, SMP_T_UINT, SMP_USE_L5CLI }, + { "ssl_f_der", smp_fetch_ssl_x_der, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI }, { "ssl_f_i_dn", smp_fetch_ssl_x_i_dn, ARG2(0,STR,SINT), NULL, SMP_T_STR, SMP_USE_L5CLI }, { "ssl_f_key_alg", smp_fetch_ssl_x_key_alg, 0, NULL, SMP_T_STR, SMP_USE_L5CLI }, { "ssl_f_notafter", smp_fetch_ssl_x_notafter, 0, NULL, SMP_T_STR, SMP_USE_L5CLI }, -- 2.1.4
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor