From 589fcadbd9cc4b2b7ddaed739a3fa5ef7fcfd793 Mon Sep 17 00:00:00 2001 From: Emeric Brun Date: Tue, 16 Oct 2012 14:13:26 +0200 Subject: [PATCH] MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer) --- doc/configuration.txt | 32 +++++++++++++++++ src/ssl_sock.c | 81 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 113 insertions(+) diff --git a/doc/configuration.txt b/doc/configuration.txt index c7c6b4ba5f..6450042c15 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -8384,6 +8384,14 @@ ssl_fc layer and is locally deciphered. This means it has matched a socket declared with a "bind" line having the "ssl" option. +ssl_fc_alg_keysize + Returns true when the incoming connection was made over an SSL/TLS transport + layer and the symmetric cipher key size supported in bits matches the value. + +ssl_fc_cipher + returns true when the incoming connection was made over an ssl/tls transport + layer and the name of the used cipher matches the string. + ssl_fc_has_crt Returns true if a client certificate is present in an incoming connection over SSL/TLS transport layer. Useful if 'verify' statement is set to 'optional'. @@ -8404,6 +8412,10 @@ ssl_fc_npn the "bind" line specifies a protocol list. Also, nothing forces the client to pick a protocol from this list, any other one may be requested. +ssl_fc_protocol + Returns true when the incoming connection was made over an SSL/TLS transport + layer and the name of the used protocol matches the string. + ssl_fc_sni Returns true when the incoming connection was made over an SSL/TLS transport layer which deciphered it and found a Server Name Indication TLS extension @@ -8435,6 +8447,10 @@ ssl_fc_sni_reg requires that the SSL library is build with support for TLS extensions enabled (check haproxy -vv). +ssl_fc_use_keysize + Returns true when the incoming connection was made over an SSL/TLS transport + layer and the symmetric cipher key size used in bits matches the value. + wait_end Waits for the end of the analysis period to return true. This may be used in conjunction with content analysis to avoid returning a wrong verdict early. @@ -9048,6 +9064,14 @@ The list of currently supported pattern fetch functions is the following : and returns 1 if it was made via an SSL/TLS transport layer, otherwise zero. + ssl_fc_alg_keysize + Returns the symmetric cipher key size support d in bits when the + incoming connection was made over an SSL/TLS transport layer. + + ssl_fc_cipher + Returns the name of the used cipher when the incoming connection + was made over an SSL/TLS transport layer. + ssl_fc_has_crt Returns 1 if a client certificate is present in the front connection over SSL/TLS transport layer, otherwise 0. @@ -9066,6 +9090,10 @@ The list of currently supported pattern fetch functions is the following : have been built with support for TLS extensions enabled (check haproxy -vv). See also the "npn" bind keyword. + ssl_fc_protocol + Returns the name of the used protocol when the incoming connection + was made over an SSL/TLS transport layer. + ssl_fc_sni This extracts the Server Name Indication field from an incoming connection made via an SSL/TLS transport layer and locally deciphered by haproxy. The result typically is a string matching @@ -9073,6 +9101,10 @@ The list of currently supported pattern fetch functions is the following : have been built with support for TLS extensions enabled (check haproxy -vv). + ssl_fc_use_keysize + Returns the symmetric cipher key size used in bits when the + incoming connection was made over an SSL/TLS transport layer. + url This extracts the request's URL as presented in the request. A typical use is with prefetch-capable caches, and with portals which need to aggregate multiple information from databases and diff --git a/src/ssl_sock.c b/src/ssl_sock.c index ce0c67d370..650b281ff5 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1144,6 +1144,60 @@ smp_fetch_ssl_fc_has_sni(struct proxy *px, struct session *l4, void *l7, unsigne #endif } +static int +smp_fetch_ssl_fc_cipher(struct proxy *px, struct session *l4, void *l7, unsigned int opt, + const struct arg *args, struct sample *smp) +{ + smp->flags = 0; + + if (!l4 || !l4->si[0].conn.xprt_ctx || l4->si[0].conn.xprt != &ssl_sock) + return 0; + + smp->data.str.str = (char *)SSL_get_cipher_name(l4->si[0].conn.xprt_ctx); + if (!smp->data.str.str) + return 0; + + smp->type = SMP_T_CSTR; + smp->data.str.len = strlen(smp->data.str.str); + + return 1; +} + +static int +smp_fetch_ssl_fc_alg_keysize(struct proxy *px, struct session *l4, void *l7, unsigned int opt, + const struct arg *args, struct sample *smp) +{ + smp->flags = 0; + + if (!l4 || !l4->si[0].conn.xprt_ctx || l4->si[0].conn.xprt != &ssl_sock) + return 0; + + if (!SSL_get_cipher_bits(l4->si[0].conn.xprt_ctx, (int *)&smp->data.uint)) + return 0; + + smp->type = SMP_T_UINT; + + return 1; +} + +static int +smp_fetch_ssl_fc_use_keysize(struct proxy *px, struct session *l4, void *l7, unsigned int opt, + const struct arg *args, struct sample *smp) +{ + smp->flags = 0; + + if (!l4 || !l4->si[0].conn.xprt_ctx || l4->si[0].conn.xprt != &ssl_sock) + return 0; + + smp->data.uint = (unsigned int)SSL_get_cipher_bits(l4->si[0].conn.xprt_ctx, NULL); + if (!smp->data.uint) + return 0; + + smp->type = SMP_T_UINT; + + return 1; +} + #ifdef OPENSSL_NPN_NEGOTIATED static int smp_fetch_ssl_fc_npn(struct proxy *px, struct session *l4, void *l7, unsigned int opt, @@ -1166,6 +1220,25 @@ smp_fetch_ssl_fc_npn(struct proxy *px, struct session *l4, void *l7, unsigned in } #endif +static int +smp_fetch_ssl_fc_protocol(struct proxy *px, struct session *l4, void *l7, unsigned int opt, + const struct arg *args, struct sample *smp) +{ + smp->flags = 0; + + if (!l4 || !l4->si[0].conn.xprt_ctx || l4->si[0].conn.xprt != &ssl_sock) + return 0; + + smp->data.str.str = (char *)SSL_get_version(l4->si[0].conn.xprt_ctx); + if (!smp->data.str.str) + return 0; + + smp->type = SMP_T_CSTR; + smp->data.str.len = strlen(smp->data.str.str); + + return 1; +} + static int smp_fetch_ssl_fc_sni(struct proxy *px, struct session *l4, void *l7, unsigned int opt, const struct arg *args, struct sample *smp) @@ -1760,11 +1833,15 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {{ },{ { "ssl_c_err", smp_fetch_ssl_c_err, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES }, { "ssl_c_verify", smp_fetch_ssl_c_verify, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES }, { "ssl_fc", smp_fetch_ssl_fc, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES }, + { "ssl_fc_alg_keysize", smp_fetch_ssl_fc_alg_keysize, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES }, + { "ssl_fc_cipher", smp_fetch_ssl_fc_cipher, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES }, { "ssl_fc_has_crt", smp_fetch_ssl_fc_has_crt, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES }, { "ssl_fc_has_sni", smp_fetch_ssl_fc_has_sni, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES }, #ifdef OPENSSL_NPN_NEGOTIATED { "ssl_fc_npn", smp_fetch_ssl_fc_npn, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES }, #endif + { "ssl_fc_protocol", smp_fetch_ssl_fc_protocol, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES }, + { "ssl_fc_use_keysize", smp_fetch_ssl_fc_use_keysize, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES }, { "ssl_fc_sni", smp_fetch_ssl_fc_sni, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES }, { NULL, NULL, 0, 0, 0 }, }}; @@ -1778,11 +1855,15 @@ static struct acl_kw_list acl_kws = {{ },{ { "ssl_c_err", acl_parse_int, smp_fetch_ssl_c_err, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, { "ssl_c_verify", acl_parse_int, smp_fetch_ssl_c_verify, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, { "ssl_fc", acl_parse_int, smp_fetch_ssl_fc, acl_match_nothing, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, + { "ssl_fc_alg_keysize", acl_parse_str, smp_fetch_ssl_fc_alg_keysize, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, + { "ssl_fc_cipher", acl_parse_str, smp_fetch_ssl_fc_cipher, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, { "ssl_fc_has_crt", acl_parse_int, smp_fetch_ssl_fc_has_crt, acl_match_nothing, ACL_USE_L6REQ_PERMANENT, 0 }, { "ssl_fc_has_sni", acl_parse_int, smp_fetch_ssl_fc_has_sni, acl_match_nothing, ACL_USE_L6REQ_PERMANENT, 0 }, #ifdef OPENSSL_NPN_NEGOTIATED { "ssl_fc_npn", acl_parse_str, smp_fetch_ssl_fc_npn, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, #endif + { "ssl_fc_protocol", acl_parse_str, smp_fetch_ssl_fc_protocol, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, + { "ssl_fc_use_keysize", acl_parse_str, smp_fetch_ssl_fc_use_keysize, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, { "ssl_fc_sni", acl_parse_str, smp_fetch_ssl_fc_sni, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 }, { "ssl_fc_sni_end", acl_parse_str, smp_fetch_ssl_fc_sni, acl_match_end, ACL_USE_L6REQ_PERMANENT, 0 }, { "ssl_fc_sni_reg", acl_parse_reg, smp_fetch_ssl_fc_sni, acl_match_reg, ACL_USE_L6REQ_PERMANENT, 0 }, -- 2.47.2