MINOR: connection: add proxy-v2-options ssl-cipher,cert-sig,cert-key
authorEmmanuel Hocdet <manu@gandi.net>
Thu, 1 Feb 2018 14:53:52 +0000 (15:53 +0100)
committerWilly Tarreau <w@1wt.eu>
Thu, 1 Mar 2018 10:38:28 +0000 (11:38 +0100)
This patch implements the proxy protocol v2 options related to crypto information:
ssl-cipher (PP2_SUBTYPE_SSL_CIPHER), cert-sig (PP2_SUBTYPE_SSL_SIG_ALG) and
cert-key (PP2_SUBTYPE_SSL_KEY_ALG).

doc/configuration.txt
include/types/server.h
src/connection.c
src/server.c

index b770b5cbb4ec852602cb1abb45f4913b624ac39e..bb1c4f1f60bc95a3c2890a59a2701627f25a8b92 100644 (file)
@@ -11722,7 +11722,9 @@ send-proxy-v2
 proxy-v2-options <option>[,<option>]*
   The "proxy-v2-options" parameter add option to send in PROXY protocol version
   2 when "send-proxy-v2" is used. Options available are "ssl" (see also
-  send-proxy-v2-ssl), "cert-cn" (see also "send-proxy-v2-ssl-cn").
+  send-proxy-v2-ssl), "cert-cn" (see also "send-proxy-v2-ssl-cn"), "ssl-cipher":
+  name of the used cipher, "cert-sig": signature algorithm of the used
+  certificate, "cert-key": key algorithm of the used certificate).
 
 send-proxy-v2-ssl
   The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version
index fd1dad5bce320dd4c8d9e9fd77bbabce9002e29a..91f8a9d4f6491b90dbe041155060d58e7c74abd3 100644 (file)
@@ -144,10 +144,13 @@ enum srv_initaddr {
 #define SRV_F_COOKIESET    0x0100        /* this server has a cookie configured, so don't generate dynamic cookies */
 
 /* configured server options for send-proxy (server->pp_opts) */
-#define SRV_PP_V1          0x0001        /* proxy protocol version 1 */
-#define SRV_PP_V2          0x0002        /* proxy protocol version 2 */
-#define SRV_PP_V2_SSL      0x0004        /* proxy protocol version 2 with SSL*/
-#define SRV_PP_V2_SSL_CN   0x0008        /* proxy protocol version 2 with SSL and CN*/
+#define SRV_PP_V1               0x0001   /* proxy protocol version 1 */
+#define SRV_PP_V2               0x0002   /* proxy protocol version 2 */
+#define SRV_PP_V2_SSL           0x0004   /* proxy protocol version 2 with SSL */
+#define SRV_PP_V2_SSL_CN        0x0008   /* proxy protocol version 2 with CN */
+#define SRV_PP_V2_SSL_KEY_ALG   0x0010   /* proxy protocol version 2 with cert key algorithm */
+#define SRV_PP_V2_SSL_SIG_ALG   0x0020   /* proxy protocol version 2 with cert signature algorithm */
+#define SRV_PP_V2_SSL_CIPHER    0x0040   /* proxy protocol version 2 with cipher used */
 
 /* function which act on servers need to return various errors */
 #define SRV_STATUS_OK       0   /* everything is OK. */
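Review bot: The three new SRV_PP_V2_SSL_* flags (and the existing SRV_PP_V2_SSL_CN) are only meaningful when SRV_PP_V2_SSL is also set, which the option parser in src/server.c enforces by setting both bits together, but nothing in this header says so. A short comment above the group would make that dependency explicit for anyone adding the next subtype, e.g. `/* SRV_PP_V2_SSL_* sub-options are only emitted when SRV_PP_V2_SSL is also set; the parser sets both together */`. The reworded CN comment ("with CN" instead of "with SSL and CN") is consistent with the new entries once that note is in place.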
index 11cc363733d3986e480affb234282cbc7686534e..e8a02ea40e31c247203069a220e1f2e39ddc4b6d 100644 (file)
@@ -1071,6 +1071,24 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
                                        ssl_tlv_len += make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_SUBTYPE_SSL_CN, cn_trash->len, cn_trash->str);
                                }
                        }
+                       if (srv->pp_opts & SRV_PP_V2_SSL_KEY_ALG) {
+                               struct chunk *pkey_trash = get_trash_chunk();
+                               if (ssl_sock_get_pkey_algo(remote, pkey_trash) > 0) {
+                                       ssl_tlv_len += make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_SUBTYPE_SSL_KEY_ALG, pkey_trash->len, pkey_trash->str);
+                               }
+                       }
+                       if (srv->pp_opts & SRV_PP_V2_SSL_SIG_ALG) {
+                               value = ssl_sock_get_cert_sig(remote);
+                               if (value) {
+                                       ssl_tlv_len += make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_SUBTYPE_SSL_SIG_ALG, strlen(value), value);
+                               }
+                       }
+                       if (srv->pp_opts & SRV_PP_V2_SSL_CIPHER) {
+                               value = ssl_sock_get_cipher_name(remote);
+                               if (value) {
+                                       ssl_tlv_len += make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_SUBTYPE_SSL_CIPHER, strlen(value), value);
+                               }
+                       }
                }
                tlv->tlv.length_hi = (uint16_t)(ssl_tlv_len - sizeof(struct tlv)) >> 8;
                tlv->tlv.length_lo = (uint16_t)(ssl_tlv_len - sizeof(struct tlv)) & 0x00ff;
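Review bot: Each of the three new blocks passes the remaining space `buf_len - ret - ssl_tlv_len` to make_tlv() and adds whatever it returns, so the behaviour when an optional TLV does not fit depends entirely on make_tlv()'s contract, which is not visible here; if, as the existing CN block already relies on, make_tlv() returns 0 and writes nothing in that case, the TLV is silently dropped rather than reported, and that deserves a comment on the first new block, e.g. `/* make_tlv() returns 0 and writes nothing when the TLV does not fit; the optional TLV is then simply omitted */`. The sig-alg and cipher blocks reuse `value` and rely on the string returned by ssl_sock_get_cert_sig()/ssl_sock_get_cipher_name() staying valid until make_tlv() has copied it; both the declaration of `value` and make_proxy_line_v2()'s start are outside the hunk, so that presumably holds but should be confirmed against those accessors. The three blocks differ only in flag, subtype and accessor, so a small static helper taking the subtype and string would remove the repeated offset arithmetic.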
index cf041764e38350213db800560f2e8e9123c5b86d..77fc0c6ad6f4c4a8ae440d6210c8c1c0a1590fd0 100644 (file)
@@ -517,6 +517,15 @@ static int srv_parse_proxy_v2_options(char **args, int *cur_arg,
                } else if (!strcmp(p, "cert-cn")) {
                        newsrv->pp_opts |= SRV_PP_V2_SSL;
                        newsrv->pp_opts |= SRV_PP_V2_SSL_CN;
+               } else if (!strcmp(p, "cert-key")) {
+                       newsrv->pp_opts |= SRV_PP_V2_SSL;
+                       newsrv->pp_opts |= SRV_PP_V2_SSL_KEY_ALG;
+               } else if (!strcmp(p, "cert-sig")) {
+                       newsrv->pp_opts |= SRV_PP_V2_SSL;
+                       newsrv->pp_opts |= SRV_PP_V2_SSL_SIG_ALG;
+               } else if (!strcmp(p, "ssl-cipher")) {
+                       newsrv->pp_opts |= SRV_PP_V2_SSL;
+                       newsrv->pp_opts |= SRV_PP_V2_SSL_CIPHER;
                } else
                        goto fail;
        }