MINOR: ssl: add pattern and ACLs 'ssl_c_sig_alg' and 'ssl_f_sig_alg'

ssl_c_sig_alg: client cert signature algo (string). Ex: "RSA-SHA1"
ssl_f_sig_alg: frontend cert signature algo (string). Ex: "RSA-SHA1"

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 3cecf094352c752d9843d8111ad7c4eaa20a4941..e41b1f1c084c86b6920b6a2529a5a8c5024ac3e2 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -8385,6 +8385,11 @@ ssl_c_i_dn(entry[,occ]) <string>
   true if the value of the nth given entry value from the beginning/end of the
   DN matches the specified string.
 
+ssl_c_key_alg <string>
+  Returns true when the incoming connection was made over an SSL/TLS transport
+  layer, and the name of the algorithm used to generate the key of the
+  certificate presented by the client matches the string.
+
 ssl_c_s_dn <string>
 ssl_c_s_dn(entry[,occ]) <string>
   If no entry specified, returns true when the incoming connection was made
@@ -8401,6 +8406,11 @@ ssl_c_serial <hexa>
   layer, and the serial of the certificate presented by the client matches
   the value written in hexa.
 
+ssl_c_sig_alg <string>
+  Returns true when the incoming connection was made over an SSL/TLS transport
+  layer, and the name of the algorithm used to sign the certificate presented
+  by the client matches the string.
+
 ssl_c_verify <integer>
   Returns true when the incoming connection was made over an SSL/TLS transport
   layer, and the verify result matches the specified value (check man verify
@@ -8422,6 +8432,11 @@ ssl_f_i_dn(entry[,occ]) <string>
   true if the value of the nth given entry value from the beginning/end of the
   DN matches the specified string.
 
+ssl_c_key_alg <string>
+  Returns true when the incoming connection was made over an SSL/TLS transport
+  layer, and the name of the algorithm used to generate the key of the
+  certificate presented by the frontend matches the string.
+
 ssl_f_s_dn <string>
 ssl_f_s_dn(entry[,occ]) <string>
   If no entry specified, returns true when the incoming connection was made
@@ -8438,6 +8453,11 @@ ssl_f_serial <hexa>
   layer, and the serial of the certificate presented by the frontend matches
   the value written in hexa.
 
+ssl_f_sig_alg <string>
+  Returns true when the incoming connection was made over an SSL/TLS transport
+  layer, and the name of the algorithm used to sign the certificate presented
+  by the frontend matches the string.
+
 ssl_f_version <integer>
   Returns true when the incoming connection was made over an SSL/TLS transport
   layer, and the version of the certificate presented by the frontend matches
@@ -9132,6 +9152,11 @@ The list of currently supported pattern fetch functions is the following :
                name ssl_c_i_dn(CN) and the second organization unit
                ssl_c_i_dn(OU,2).
 
+  ssl_c_key_alg
+               Returns the name of the algorithm used to generate the key of
+               the certificate presented by the client when the incoming
+               connection was made over an SSL/TLS transport layer.
+
   ssl_c_s_dn[(entry[,occ])]
                If no entry specified, returns the full distinguished name of
                the subject of the certificate presented by the client when
@@ -9148,6 +9173,11 @@ The list of currently supported pattern fetch functions is the following :
                when the incoming connection was made over an SSL/TLS transport
                layer.
 
+  ssl_c_sig_alg
+               Returns the name of the algorithm used to sign the certificate
+               presented by the client when the incoming connection was made
+               over an SSL/TLS transport layer.
+
   ssl_c_verify Returns the verify result errorID when the incoming connection
                was made over an SSL/TLS transport layer, otherwise zero if no
                error is encountered.
@@ -9169,6 +9199,11 @@ The list of currently supported pattern fetch functions is the following :
                name ssl_f_i_dn(CN) and the second organization unit
                ssl_f_i_dn(OU,2).
 
+  ssl_f_key_alg
+               Returns the name of the algorithm used to generate the key of
+               the certificate presented by the frontend when the incoming
+               connection was made over an SSL/TLS transport layer.
+
   ssl_f_s_dn[(entry[,occ])]
                If no entry specified, returns the full distinguished name of
                the subject of the certificate presented by the frontend when
@@ -9185,6 +9220,11 @@ The list of currently supported pattern fetch functions is the following :
                when the incoming connection was made over an SSL/TLS transport
                layer.
 
+  ssl_f_sig_alg
+               Returns the name of the algorithm used to sign the certificate
+               presented by the frontend when the incoming connection was made
+               over an SSL/TLS transport layer.
+
   ssl_f_version
                Returns the version of the certificate presented by the frontend
                when the incoming connection was made over an SSL/TLS transport

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 295b6c9a2278f497069704ce30c13f9ee53bebb8..13369149bcbbacde73000e0e0687c9fe41ce6fdc 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1393,6 +1393,40 @@ smp_fetch_ssl_c_version(struct proxy *px, struct session *l4, void *l7, unsigned
        return 1;
 }
 
+/* str, returns the client certificate sig alg */
+static int
+smp_fetch_ssl_c_sig_alg(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+                        const struct arg *args, struct sample *smp)
+{
+       X509 *crt;
+       int nid;
+
+       if (!l4 || l4->si[0].conn.xprt != &ssl_sock)
+               return 0;
+
+       if (!(l4->si[0].conn.flags & CO_FL_CONNECTED)) {
+               smp->flags |= SMP_F_MAY_CHANGE;
+               return 0;
+       }
+
+       /* SSL_get_peer_certificate increase X509 * ref count  */
+       crt = SSL_get_peer_certificate(l4->si[0].conn.xprt_ctx);
+       if (!crt)
+               return 0;
+
+       nid = OBJ_obj2nid((ASN1_OBJECT *)(crt->cert_info->signature->algorithm));
+
+       smp->data.str.str = (char *)OBJ_nid2sn(nid);
+       if (!smp->data.str.str)
+               return 0;
+
+       smp->type = SMP_T_CSTR;
+       smp->data.str.len = strlen(smp->data.str.str);
+       X509_free(crt);
+
+       return 1;
+}
+
 /* boolean, returns true if front conn. transport layer is SSL */
 static int
 smp_fetch_ssl_fc(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
@@ -1477,6 +1511,38 @@ smp_fetch_ssl_f_version(struct proxy *px, struct session *l4, void *l7, unsigned
        return 1;
 }
 
+/* str, returns the client certificate sig alg */
+static int
+smp_fetch_ssl_f_sig_alg(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+                        const struct arg *args, struct sample *smp)
+{
+       X509 *crt;
+       int nid;
+
+       if (!l4 || l4->si[0].conn.xprt != &ssl_sock)
+               return 0;
+
+       if (!(l4->si[0].conn.flags & CO_FL_CONNECTED)) {
+               smp->flags |= SMP_F_MAY_CHANGE;
+               return 0;
+       }
+
+       crt = SSL_get_certificate(l4->si[0].conn.xprt_ctx);
+       if (!crt)
+               return 0;
+
+       nid = OBJ_obj2nid((ASN1_OBJECT *)(crt->cert_info->signature->algorithm));
+
+       smp->data.str.str = (char *)OBJ_nid2sn(nid);
+       if (!smp->data.str.str)
+               return 0;
+
+       smp->type = SMP_T_CSTR;
+       smp->data.str.len = strlen(smp->data.str.str);
+
+       return 1;
+}
+
 /* str, returns a string of a formatted full dn \C=..\O=..\OU=.. \CN=.. */
 static int
 smp_fetch_ssl_f_i_dn(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
@@ -2288,11 +2354,13 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {{ },{
        { "ssl_c_ca_err_depth",     smp_fetch_ssl_c_ca_err_depth, 0,    NULL,    SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
        { "ssl_c_err",              smp_fetch_ssl_c_err,          0,    NULL,    SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
        { "ssl_c_i_dn",             smp_fetch_ssl_c_i_dn,         ARG2(0,STR,SINT),    NULL,    SMP_T_STR,  SMP_CAP_REQ|SMP_CAP_RES },
+       { "ssl_c_sig_alg",          smp_fetch_ssl_c_sig_alg,      0,    NULL,    SMP_T_STR,  SMP_CAP_REQ|SMP_CAP_RES },
        { "ssl_c_s_dn",             smp_fetch_ssl_c_s_dn,         ARG2(0,STR,SINT),    NULL,    SMP_T_STR,  SMP_CAP_REQ|SMP_CAP_RES },
        { "ssl_c_serial",           smp_fetch_ssl_c_serial,       0,    NULL,    SMP_T_BIN,  SMP_CAP_REQ|SMP_CAP_RES },
        { "ssl_c_verify",           smp_fetch_ssl_c_verify,       0,    NULL,    SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
        { "ssl_c_version",          smp_fetch_ssl_c_version,      0,    NULL,    SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
        { "ssl_f_i_dn",             smp_fetch_ssl_f_i_dn,         ARG2(0,STR,SINT),    NULL,    SMP_T_STR,  SMP_CAP_REQ|SMP_CAP_RES },
+       { "ssl_f_sig_alg",          smp_fetch_ssl_f_sig_alg,      0,    NULL,    SMP_T_STR,  SMP_CAP_REQ|SMP_CAP_RES },
        { "ssl_f_s_dn",             smp_fetch_ssl_f_s_dn,         ARG2(0,STR,SINT),    NULL,    SMP_T_STR,  SMP_CAP_REQ|SMP_CAP_RES },
        { "ssl_f_serial",           smp_fetch_ssl_f_serial,       0,    NULL,    SMP_T_BIN, SMP_CAP_REQ|SMP_CAP_RES },
        { "ssl_f_version",          smp_fetch_ssl_f_version,      0,    NULL,    SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
@@ -2319,11 +2387,13 @@ static struct acl_kw_list acl_kws = {{ },{
        { "ssl_c_ca_err_depth",     acl_parse_int, smp_fetch_ssl_c_ca_err_depth, acl_match_int,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
        { "ssl_c_err",              acl_parse_int, smp_fetch_ssl_c_err,          acl_match_int,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
        { "ssl_c_i_dn",             acl_parse_str, smp_fetch_ssl_c_i_dn,         acl_match_str,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, ARG2(0,STR,SINT) },
+       { "ssl_c_sig_alg",          acl_parse_str, smp_fetch_ssl_c_sig_alg,      acl_match_str,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
        { "ssl_c_s_dn",             acl_parse_str, smp_fetch_ssl_c_s_dn,         acl_match_str,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, ARG2(0,STR,SINT) },
        { "ssl_c_serial",           acl_parse_bin, smp_fetch_ssl_c_serial,       acl_match_bin,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
        { "ssl_c_verify",           acl_parse_int, smp_fetch_ssl_c_verify,       acl_match_int,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
        { "ssl_c_version",          acl_parse_int, smp_fetch_ssl_c_version,      acl_match_int,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
        { "ssl_f_i_dn",             acl_parse_str, smp_fetch_ssl_f_i_dn,         acl_match_str,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, ARG2(0,STR,SINT) },
+       { "ssl_f_sig_alg",          acl_parse_str, smp_fetch_ssl_f_sig_alg,      acl_match_str,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
        { "ssl_f_s_dn",             acl_parse_str, smp_fetch_ssl_f_s_dn,         acl_match_str,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, ARG2(0,STR,SINT) },
        { "ssl_f_serial",           acl_parse_bin, smp_fetch_ssl_f_serial,       acl_match_bin,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
        { "ssl_f_version",          acl_parse_int, smp_fetch_ssl_f_version,      acl_match_int,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },