From: Emeric Brun Date: Wed, 17 Oct 2012 13:03:11 +0000 (+0200) Subject: MINOR: ssl: add pattern and ACLs fetches 'ssl_c_version' and 'ssl_f_version' X-Git-Tag: v1.5-dev13~107 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a7359fd6dd95603f3aa3f86349b9d1340cd2e31c;p=thirdparty%2Fhaproxy.git MINOR: ssl: add pattern and ACLs fetches 'ssl_c_version' and 'ssl_f_version' ssl_c_version : version of the cert presented by the client (integer) ssl_f_version : version of the cert presented by the frontend (integer) --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 3511676cc0..0d92993186 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -8384,11 +8384,21 @@ ssl_c_verify layer, and the verify result matches the specified value (check man verify for possible values). Zero indicates no error was detected. +ssl_c_version + Returns true when the incoming connection was made over an SSL/TLS transport + layer, and the version of the certificate presented by the client matches + the value. + ssl_f_serial Returns true when the incoming connection was made over an SSL/TLS transport layer, and the serial of the certificate presented by the frontend matches the value written in hexa. +ssl_f_version + Returns true when the incoming connection was made over an SSL/TLS transport + layer, and the version of the certificate presented by the frontend matches + the value. + ssl_fc Returns true when the front connection was made via an SSL/TLS transport layer and is locally deciphered. This means it has matched a socket declared @@ -9074,10 +9084,20 @@ The list of currently supported pattern fetch functions is the following : was made over an SSL/TLS transport layer, otherwise zero if no error is encountered. + ssl_c_version + Returns the version of the certificate presented by the client + when the incoming connection was made over an SSL/TLS transport + layer. + ssl_f_serial Returns the serial of the certificate presented by the frontend when the incoming connection was made over an SSL/TLS transport layer. + ssl_f_version + Returns the version of the certificate presented by the frontend + when the incoming connection was made over an SSL/TLS transport + layer. + ssl_fc This checks the transport layer used on the front connection, and returns 1 if it was made via an SSL/TLS transport layer, otherwise zero. diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 914a5fde7d..73d97c2540 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1173,6 +1173,33 @@ out: return ret; } +/* integer, returns the client certificate version */ +static int +smp_fetch_ssl_c_version(struct proxy *px, struct session *l4, void *l7, unsigned int opt, + const struct arg *args, struct sample *smp) +{ + X509 *crt; + + if (!l4 || l4->si[0].conn.xprt != &ssl_sock) + return 0; + + if (!(l4->si[0].conn.flags & CO_FL_CONNECTED)) { + smp->flags |= SMP_F_MAY_CHANGE; + return 0; + } + + /* SSL_get_peer_certificate returns a ptr on allocated X509 struct */ + crt = SSL_get_peer_certificate(l4->si[0].conn.xprt_ctx); + if (!crt) + return 0; + + smp->data.uint = (unsigned int)(1 + X509_get_version(crt)); + X509_free(crt); + smp->type = SMP_T_UINT; + + return 1; +} + /* boolean, returns true if front conn. transport layer is SSL */ static int smp_fetch_ssl_fc(struct proxy *px, struct session *l4, void *l7, unsigned int opt, @@ -1231,6 +1258,32 @@ out: return ret; } +/* integer, returns the frontend certificate version */ +static int +smp_fetch_ssl_f_version(struct proxy *px, struct session *l4, void *l7, unsigned int opt, + const struct arg *args, struct sample *smp) +{ + X509 *crt; + + if (!l4 || l4->si[0].conn.xprt != &ssl_sock) + return 0; + + if (!(l4->si[0].conn.flags & CO_FL_CONNECTED)) { + smp->flags |= SMP_F_MAY_CHANGE; + return 0; + } + + /* SSL_get_certificate returns a ptr on an SSL * internal sub struct */ + crt = SSL_get_certificate(l4->si[0].conn.xprt_ctx); + if (!crt) + return 0; + + smp->data.uint = (unsigned int)(1 + X509_get_version(crt)); + smp->type = SMP_T_UINT; + + return 1; +} + static int smp_fetch_ssl_fc_cipher(struct proxy *px, struct session *l4, void *l7, unsigned int opt, const struct arg *args, struct sample *smp) @@ -1947,7 +2000,9 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {{ },{ { "ssl_c_err", smp_fetch_ssl_c_err, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES }, { "ssl_c_serial", smp_fetch_ssl_c_serial, 0, NULL, SMP_T_BIN, SMP_CAP_REQ|SMP_CAP_RES }, { "ssl_c_verify", smp_fetch_ssl_c_verify, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES }, + { "ssl_c_version", smp_fetch_ssl_c_version, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES }, { "ssl_f_serial", smp_fetch_ssl_f_serial, 0, NULL, SMP_T_BIN, SMP_CAP_REQ|SMP_CAP_RES }, + { "ssl_f_version", smp_fetch_ssl_f_version, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES }, { "ssl_fc", smp_fetch_ssl_fc, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES }, { "ssl_fc_alg_keysize", smp_fetch_ssl_fc_alg_keysize, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES }, { "ssl_fc_cipher", smp_fetch_ssl_fc_cipher, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES }, @@ -1972,7 +2027,9 @@ static struct acl_kw_list acl_kws = {{ },{ { "ssl_c_err", acl_parse_int, smp_fetch_ssl_c_err, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, { "ssl_c_serial", acl_parse_bin, smp_fetch_ssl_c_serial, acl_match_bin, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, { "ssl_c_verify", acl_parse_int, smp_fetch_ssl_c_verify, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, + { "ssl_c_version", acl_parse_int, smp_fetch_ssl_c_version, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, { "ssl_f_serial", acl_parse_bin, smp_fetch_ssl_f_serial, acl_match_bin, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, + { "ssl_f_version", acl_parse_int, smp_fetch_ssl_f_version, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, { "ssl_fc", acl_parse_int, smp_fetch_ssl_fc, acl_match_nothing, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, { "ssl_fc_alg_keysize", acl_parse_str, smp_fetch_ssl_fc_alg_keysize, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, { "ssl_fc_cipher", acl_parse_str, smp_fetch_ssl_fc_cipher, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },