MINOR: ssl: Add 'ssl-propquery' global option

This option can be used to define a default property query used when
fetching algorithms in OpenSSL providers. It follows the format
described in https://www.openssl.org/docs/man3.0/man7/property.html.
It is only available when haproxy is built with SSL support and linked
to OpenSSLv3 libraries.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 1b57c6969dba18ddd16ebbdf30ffeeaace0bab44..7632291c20eb34458a23d4bb3e05c7df51899ad6 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1050,6 +1050,7 @@ The following keywords are supported in the "global" section :
    - ssl-default-server-ciphersuites
    - ssl-default-server-options
    - ssl-dh-param-file
+   - ssl-propquery
    - ssl-server-verify
    - ssl-skip-self-issued-ca
    - unix-bind
@@ -2060,6 +2061,17 @@ ssl-dh-param-file <file>
   "openssl dhparam <size>", where size should be at least 2048, as 1024-bit DH
   parameters should not be considered secure anymore.
 
+ssl-propquery <query>
+  This setting is only available when support for OpenSSL was built in and when
+  OpenSSL's version is at least 3.0. It allows to define a default property
+  string used when fetching algorithms in providers. It behave the same way as
+  the openssl propquery option and it follows the same syntax (described in
+  https://www.openssl.org/docs/man3.0/man7/property.html). For instance, if you
+  have two providers loaded, the foo one and the default one, the propquery
+  "?provider=foo" allows to pick the algorithm implementations provided by the
+  foo provider by default, and to fallback on the default provider's one if it
+  was not found.
+
 ssl-load-extra-del-ext
   This setting allows to configure the way HAProxy does the lookup for the
   extra SSL files. By default HAProxy adds a new extension to the filename.

diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 462743e45e7329ae67f8ae3c38dfefedb95b382f..513cfd6a7ed7bca2172792766466af346248120a 100644 (file)
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -180,6 +180,28 @@ add_engine:
 }
 #endif
 
+#ifdef HAVE_SSL_PROVIDERS
+/* parse the "ssl-propquery" keyword in global section.
+ * Returns <0 on alert, >0 on warning, 0 on success.
+ */
+static int ssl_parse_global_ssl_propquery(char **args, int section_type, struct proxy *curpx,
+                                         const struct proxy *defpx, const char *file, int line,
+                                         char **err)
+{
+       int ret = -1;
+
+       if (*(args[1]) == 0) {
+               memprintf(err, "global statement '%s' expects a property string as an argument.", args[0]);
+               return ret;
+       }
+
+       if (EVP_set_default_properties(NULL, args[1]))
+               ret = 0;
+
+       return ret;
+}
+#endif
+
 /* parse the "ssl-default-bind-ciphers" / "ssl-default-server-ciphers" keywords
  * in global section. Returns <0 on alert, >0 on warning, 0 on success.
  */
@@ -1935,6 +1957,9 @@ static struct cfg_kw_list cfg_kws = {ILH, {
        { CFG_GLOBAL, "ssl-mode-async",  ssl_parse_global_ssl_async },
 #if defined(USE_ENGINE) && !defined(OPENSSL_NO_ENGINE)
        { CFG_GLOBAL, "ssl-engine",  ssl_parse_global_ssl_engine },
+#endif
+#ifdef HAVE_SSL_PROVIDERS
+       { CFG_GLOBAL, "ssl-propquery",  ssl_parse_global_ssl_propquery },
 #endif
        { CFG_GLOBAL, "ssl-skip-self-issued-ca", ssl_parse_skip_self_issued_ca },
        { CFG_GLOBAL, "tune.ssl.cachesize", ssl_parse_global_int },