MINOR: ssl: add fetch and acl "ssl_c_used" to check if current SSL session uses a client certificate.

2012-12-20 15:44:16 +01:00 · 2012-12-20 15:44:16 +01:00 · 9143d374e8
commit 9143d374e8
parent c5259fdc57
2 changed files with 46 additions and 0 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -8641,6 +8641,10 @@ ssl_c_sig_alg <string>
  layer, and the name of the algorithm used to sign the certificate presented
  by the client matches the string.

+ssl_c_used
+  Returns true if current SSL session uses a client certificate even if current
+  connection uses SSL session resumption. See also "ssl_fc_has_crt".
+
 ssl_c_verify <integer>
  Returns true when the incoming connection was made over an SSL/TLS transport
  layer, and the verify result matches the specified value (check man verify
@ -8719,6 +8723,10 @@ ssl_fc_cipher <string>
 ssl_fc_has_crt
  Returns true if a client certificate is present in an incoming connection over
  SSL/TLS transport layer. Useful if 'verify' statement is set to 'optional'.
+  Note: on SSL session resumption with Session ID or TLS ticket, client
+  certificate is not present in the current connection but may be retrieved
+  from the cache or the ticket. So prefer "ssl_c_used" if you want to check if
+  current SSL session uses a client certificate.

 ssl_fc_has_sni
  This is used to check for presence of a Server Name Indication TLS extension
@ -9439,6 +9447,10 @@ The list of currently supported pattern fetch functions is the following :
               presented by the client when the incoming connection was made
               over an SSL/TLS transport layer.

+  ssl_c_used
+               Returns 1 if current SSL session use a client certificate,
+               otherwise 0. See also "ssl_fc_has_crt".
+
  ssl_c_verify Returns the verify result errorID when the incoming connection
               was made over an SSL/TLS transport layer, otherwise zero if no
               error is encountered.
@ -9516,6 +9528,11 @@ The list of currently supported pattern fetch functions is the following :
  ssl_fc_has_crt
               Returns 1 if a client certificate is present in the front
               connection over SSL/TLS transport layer, otherwise 0.
+               Note: on SSL session resumption with Session ID or TLS ticket,
+               client certificate is not present in the current connection but
+               may be retrieved from the cache or the ticket. So prefer
+               "ssl_c_used" if you want to check if current SSL session uses
+               a client certificate.

  ssl_fc_has_sni
               This checks the transport layer used by the front connection, and
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -1630,6 +1630,33 @@ out:
 		X509_free(crt);
 	return ret;
 }
+
+/* integer, returns true if current session use a client certificate */
+static int
+smp_fetch_ssl_c_used(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+                        const struct arg *args, struct sample *smp)
+{
+	X509 *crt;
+
+	if (!l4 || l4->si[0].conn->xprt != &ssl_sock)
+		return 0;
+
+	if (!(l4->si[0].conn->flags & CO_FL_CONNECTED)) {
+		smp->flags |= SMP_F_MAY_CHANGE;
+		return 0;
+	}
+
+	/* SSL_get_peer_certificate returns a ptr on allocated X509 struct */
+	crt = SSL_get_peer_certificate(l4->si[0].conn->xprt_ctx);
+	if (crt) {
+		X509_free(crt);
+	}
+
+	smp->type = SMP_T_BOOL;
+	smp->data.uint = (crt != NULL);
+	return 1;
+}
+
 /* integer, returns the client certificate version */
 static int
 smp_fetch_ssl_c_version(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
@ -2769,6 +2796,7 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {{ },{
 	{ "ssl_c_sig_alg",          smp_fetch_ssl_c_sig_alg,      0,    NULL,    SMP_T_STR,  SMP_CAP_REQ|SMP_CAP_RES },
 	{ "ssl_c_s_dn",             smp_fetch_ssl_c_s_dn,         ARG2(0,STR,SINT),    NULL,    SMP_T_STR,  SMP_CAP_REQ|SMP_CAP_RES },
 	{ "ssl_c_serial",           smp_fetch_ssl_c_serial,       0,    NULL,    SMP_T_BIN,  SMP_CAP_REQ|SMP_CAP_RES },
+	{ "ssl_c_used",             smp_fetch_ssl_c_used,         0,    NULL,    SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
 	{ "ssl_c_verify",           smp_fetch_ssl_c_verify,       0,    NULL,    SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
 	{ "ssl_c_version",          smp_fetch_ssl_c_version,      0,    NULL,    SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
 	{ "ssl_f_i_dn",             smp_fetch_ssl_f_i_dn,         ARG2(0,STR,SINT),    NULL,    SMP_T_STR,  SMP_CAP_REQ|SMP_CAP_RES },
@ -2808,6 +2836,7 @@ static struct acl_kw_list acl_kws = {{ },{
 	{ "ssl_c_sig_alg",          acl_parse_str, smp_fetch_ssl_c_sig_alg,      acl_match_str,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 	{ "ssl_c_s_dn",             acl_parse_str, smp_fetch_ssl_c_s_dn,         acl_match_str,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, ARG2(0,STR,SINT) },
 	{ "ssl_c_serial",           acl_parse_bin, smp_fetch_ssl_c_serial,       acl_match_bin,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+	{ "ssl_c_used",             acl_parse_int, smp_fetch_ssl_c_used,         acl_match_nothing, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 	{ "ssl_c_verify",           acl_parse_int, smp_fetch_ssl_c_verify,       acl_match_int,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 	{ "ssl_c_version",          acl_parse_int, smp_fetch_ssl_c_version,      acl_match_int,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 	{ "ssl_f_i_dn",             acl_parse_str, smp_fetch_ssl_f_i_dn,         acl_match_str,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, ARG2(0,STR,SINT) },