From: Emeric Brun Date: Fri, 19 Oct 2012 16:15:40 +0000 (+0200) Subject: MINOR: ssl: add pattern and ACLs 'ssl_c_sig_alg' and 'ssl_f_sig_alg' X-Git-Tag: v1.5-dev13~105 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7f56e748419255a05fab7147a4bd4bb12e4b81a0;p=thirdparty%2Fhaproxy.git MINOR: ssl: add pattern and ACLs 'ssl_c_sig_alg' and 'ssl_f_sig_alg' ssl_c_sig_alg: client cert signature algo (string). Ex: "RSA-SHA1" ssl_f_sig_alg: frontend cert signature algo (string). Ex: "RSA-SHA1" --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 3cecf09435..e41b1f1c08 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -8385,6 +8385,11 @@ ssl_c_i_dn(entry[,occ]) true if the value of the nth given entry value from the beginning/end of the DN matches the specified string. +ssl_c_key_alg + Returns true when the incoming connection was made over an SSL/TLS transport + layer, and the name of the algorithm used to generate the key of the + certificate presented by the client matches the string. + ssl_c_s_dn ssl_c_s_dn(entry[,occ]) If no entry specified, returns true when the incoming connection was made @@ -8401,6 +8406,11 @@ ssl_c_serial layer, and the serial of the certificate presented by the client matches the value written in hexa. +ssl_c_sig_alg + Returns true when the incoming connection was made over an SSL/TLS transport + layer, and the name of the algorithm used to sign the certificate presented + by the client matches the string. + ssl_c_verify Returns true when the incoming connection was made over an SSL/TLS transport layer, and the verify result matches the specified value (check man verify @@ -8422,6 +8432,11 @@ ssl_f_i_dn(entry[,occ]) true if the value of the nth given entry value from the beginning/end of the DN matches the specified string. +ssl_c_key_alg + Returns true when the incoming connection was made over an SSL/TLS transport + layer, and the name of the algorithm used to generate the key of the + certificate presented by the frontend matches the string. + ssl_f_s_dn ssl_f_s_dn(entry[,occ]) If no entry specified, returns true when the incoming connection was made @@ -8438,6 +8453,11 @@ ssl_f_serial layer, and the serial of the certificate presented by the frontend matches the value written in hexa. +ssl_f_sig_alg + Returns true when the incoming connection was made over an SSL/TLS transport + layer, and the name of the algorithm used to sign the certificate presented + by the frontend matches the string. + ssl_f_version Returns true when the incoming connection was made over an SSL/TLS transport layer, and the version of the certificate presented by the frontend matches @@ -9132,6 +9152,11 @@ The list of currently supported pattern fetch functions is the following : name ssl_c_i_dn(CN) and the second organization unit ssl_c_i_dn(OU,2). + ssl_c_key_alg + Returns the name of the algorithm used to generate the key of + the certificate presented by the client when the incoming + connection was made over an SSL/TLS transport layer. + ssl_c_s_dn[(entry[,occ])] If no entry specified, returns the full distinguished name of the subject of the certificate presented by the client when @@ -9148,6 +9173,11 @@ The list of currently supported pattern fetch functions is the following : when the incoming connection was made over an SSL/TLS transport layer. + ssl_c_sig_alg + Returns the name of the algorithm used to sign the certificate + presented by the client when the incoming connection was made + over an SSL/TLS transport layer. + ssl_c_verify Returns the verify result errorID when the incoming connection was made over an SSL/TLS transport layer, otherwise zero if no error is encountered. @@ -9169,6 +9199,11 @@ The list of currently supported pattern fetch functions is the following : name ssl_f_i_dn(CN) and the second organization unit ssl_f_i_dn(OU,2). + ssl_f_key_alg + Returns the name of the algorithm used to generate the key of + the certificate presented by the frontend when the incoming + connection was made over an SSL/TLS transport layer. + ssl_f_s_dn[(entry[,occ])] If no entry specified, returns the full distinguished name of the subject of the certificate presented by the frontend when @@ -9185,6 +9220,11 @@ The list of currently supported pattern fetch functions is the following : when the incoming connection was made over an SSL/TLS transport layer. + ssl_f_sig_alg + Returns the name of the algorithm used to sign the certificate + presented by the frontend when the incoming connection was made + over an SSL/TLS transport layer. + ssl_f_version Returns the version of the certificate presented by the frontend when the incoming connection was made over an SSL/TLS transport diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 295b6c9a22..13369149bc 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1393,6 +1393,40 @@ smp_fetch_ssl_c_version(struct proxy *px, struct session *l4, void *l7, unsigned return 1; } +/* str, returns the client certificate sig alg */ +static int +smp_fetch_ssl_c_sig_alg(struct proxy *px, struct session *l4, void *l7, unsigned int opt, + const struct arg *args, struct sample *smp) +{ + X509 *crt; + int nid; + + if (!l4 || l4->si[0].conn.xprt != &ssl_sock) + return 0; + + if (!(l4->si[0].conn.flags & CO_FL_CONNECTED)) { + smp->flags |= SMP_F_MAY_CHANGE; + return 0; + } + + /* SSL_get_peer_certificate increase X509 * ref count */ + crt = SSL_get_peer_certificate(l4->si[0].conn.xprt_ctx); + if (!crt) + return 0; + + nid = OBJ_obj2nid((ASN1_OBJECT *)(crt->cert_info->signature->algorithm)); + + smp->data.str.str = (char *)OBJ_nid2sn(nid); + if (!smp->data.str.str) + return 0; + + smp->type = SMP_T_CSTR; + smp->data.str.len = strlen(smp->data.str.str); + X509_free(crt); + + return 1; +} + /* boolean, returns true if front conn. transport layer is SSL */ static int smp_fetch_ssl_fc(struct proxy *px, struct session *l4, void *l7, unsigned int opt, @@ -1477,6 +1511,38 @@ smp_fetch_ssl_f_version(struct proxy *px, struct session *l4, void *l7, unsigned return 1; } +/* str, returns the client certificate sig alg */ +static int +smp_fetch_ssl_f_sig_alg(struct proxy *px, struct session *l4, void *l7, unsigned int opt, + const struct arg *args, struct sample *smp) +{ + X509 *crt; + int nid; + + if (!l4 || l4->si[0].conn.xprt != &ssl_sock) + return 0; + + if (!(l4->si[0].conn.flags & CO_FL_CONNECTED)) { + smp->flags |= SMP_F_MAY_CHANGE; + return 0; + } + + crt = SSL_get_certificate(l4->si[0].conn.xprt_ctx); + if (!crt) + return 0; + + nid = OBJ_obj2nid((ASN1_OBJECT *)(crt->cert_info->signature->algorithm)); + + smp->data.str.str = (char *)OBJ_nid2sn(nid); + if (!smp->data.str.str) + return 0; + + smp->type = SMP_T_CSTR; + smp->data.str.len = strlen(smp->data.str.str); + + return 1; +} + /* str, returns a string of a formatted full dn \C=..\O=..\OU=.. \CN=.. */ static int smp_fetch_ssl_f_i_dn(struct proxy *px, struct session *l4, void *l7, unsigned int opt, @@ -2288,11 +2354,13 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {{ },{ { "ssl_c_ca_err_depth", smp_fetch_ssl_c_ca_err_depth, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES }, { "ssl_c_err", smp_fetch_ssl_c_err, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES }, { "ssl_c_i_dn", smp_fetch_ssl_c_i_dn, ARG2(0,STR,SINT), NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES }, + { "ssl_c_sig_alg", smp_fetch_ssl_c_sig_alg, 0, NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES }, { "ssl_c_s_dn", smp_fetch_ssl_c_s_dn, ARG2(0,STR,SINT), NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES }, { "ssl_c_serial", smp_fetch_ssl_c_serial, 0, NULL, SMP_T_BIN, SMP_CAP_REQ|SMP_CAP_RES }, { "ssl_c_verify", smp_fetch_ssl_c_verify, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES }, { "ssl_c_version", smp_fetch_ssl_c_version, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES }, { "ssl_f_i_dn", smp_fetch_ssl_f_i_dn, ARG2(0,STR,SINT), NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES }, + { "ssl_f_sig_alg", smp_fetch_ssl_f_sig_alg, 0, NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES }, { "ssl_f_s_dn", smp_fetch_ssl_f_s_dn, ARG2(0,STR,SINT), NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES }, { "ssl_f_serial", smp_fetch_ssl_f_serial, 0, NULL, SMP_T_BIN, SMP_CAP_REQ|SMP_CAP_RES }, { "ssl_f_version", smp_fetch_ssl_f_version, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES }, @@ -2319,11 +2387,13 @@ static struct acl_kw_list acl_kws = {{ },{ { "ssl_c_ca_err_depth", acl_parse_int, smp_fetch_ssl_c_ca_err_depth, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, { "ssl_c_err", acl_parse_int, smp_fetch_ssl_c_err, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, { "ssl_c_i_dn", acl_parse_str, smp_fetch_ssl_c_i_dn, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, ARG2(0,STR,SINT) }, + { "ssl_c_sig_alg", acl_parse_str, smp_fetch_ssl_c_sig_alg, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, { "ssl_c_s_dn", acl_parse_str, smp_fetch_ssl_c_s_dn, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, ARG2(0,STR,SINT) }, { "ssl_c_serial", acl_parse_bin, smp_fetch_ssl_c_serial, acl_match_bin, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, { "ssl_c_verify", acl_parse_int, smp_fetch_ssl_c_verify, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, { "ssl_c_version", acl_parse_int, smp_fetch_ssl_c_version, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, { "ssl_f_i_dn", acl_parse_str, smp_fetch_ssl_f_i_dn, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, ARG2(0,STR,SINT) }, + { "ssl_f_sig_alg", acl_parse_str, smp_fetch_ssl_f_sig_alg, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, { "ssl_f_s_dn", acl_parse_str, smp_fetch_ssl_f_s_dn, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, ARG2(0,STR,SINT) }, { "ssl_f_serial", acl_parse_bin, smp_fetch_ssl_f_serial, acl_match_bin, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, { "ssl_f_version", acl_parse_int, smp_fetch_ssl_f_version, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },