upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-02-20 00:10:41 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 14

MINOR: ssl: add pattern and ACLs 'ssl_c_sig_alg' and 'ssl_f_sig_alg'

Browse source 
ssl_c_sig_alg: client cert signature algo (string). Ex: "RSA-SHA1"
ssl_f_sig_alg: frontend cert signature algo (string). Ex: "RSA-SHA1"
This commit is contained in:
Emeric Brun 2012-10-19 18:15:40 +02:00 committed by Willy Tarreau
parent 8785589ba3
commit 7f56e74841
2 changed files with 110 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

40
doc/configuration.txt
View file

@ -8385,6 +8385,11 @@ ssl_c_i_dn(entry[,occ]) <string>
true if the value of the nth given entry value from the beginning/end of the
DN matches the specified string.
ssl_c_key_alg <string>
Returns true when the incoming connection was made over an SSL/TLS transport
layer, and the name of the algorithm used to generate the key of the
certificate presented by the client matches the string.
ssl_c_s_dn <string>
ssl_c_s_dn(entry[,occ]) <string>
If no entry specified, returns true when the incoming connection was made
@ -8401,6 +8406,11 @@ ssl_c_serial <hexa>
layer, and the serial of the certificate presented by the client matches
the value written in hexa.
ssl_c_sig_alg <string>
Returns true when the incoming connection was made over an SSL/TLS transport
layer, and the name of the algorithm used to sign the certificate presented
by the client matches the string.
ssl_c_verify <integer>
Returns true when the incoming connection was made over an SSL/TLS transport
layer, and the verify result matches the specified value (check man verify
@ -8422,6 +8432,11 @@ ssl_f_i_dn(entry[,occ]) <string>
true if the value of the nth given entry value from the beginning/end of the
DN matches the specified string.
ssl_c_key_alg <string>
Returns true when the incoming connection was made over an SSL/TLS transport
layer, and the name of the algorithm used to generate the key of the
certificate presented by the frontend matches the string.
ssl_f_s_dn <string>
ssl_f_s_dn(entry[,occ]) <string>
If no entry specified, returns true when the incoming connection was made
@ -8438,6 +8453,11 @@ ssl_f_serial <hexa>
layer, and the serial of the certificate presented by the frontend matches
the value written in hexa.
ssl_f_sig_alg <string>
Returns true when the incoming connection was made over an SSL/TLS transport
layer, and the name of the algorithm used to sign the certificate presented
by the frontend matches the string.
ssl_f_version <integer>
Returns true when the incoming connection was made over an SSL/TLS transport
layer, and the version of the certificate presented by the frontend matches
@ -9132,6 +9152,11 @@ The list of currently supported pattern fetch functions is the following :
name ssl_c_i_dn(CN) and the second organization unit
ssl_c_i_dn(OU,2).
ssl_c_key_alg
Returns the name of the algorithm used to generate the key of
the certificate presented by the client when the incoming
connection was made over an SSL/TLS transport layer.
ssl_c_s_dn[(entry[,occ])]
If no entry specified, returns the full distinguished name of
the subject of the certificate presented by the client when
@ -9148,6 +9173,11 @@ The list of currently supported pattern fetch functions is the following :
when the incoming connection was made over an SSL/TLS transport
layer.
ssl_c_sig_alg
Returns the name of the algorithm used to sign the certificate
presented by the client when the incoming connection was made
over an SSL/TLS transport layer.
ssl_c_verify Returns the verify result errorID when the incoming connection
was made over an SSL/TLS transport layer, otherwise zero if no
error is encountered.
@ -9169,6 +9199,11 @@ The list of currently supported pattern fetch functions is the following :
name ssl_f_i_dn(CN) and the second organization unit
ssl_f_i_dn(OU,2).
ssl_f_key_alg
Returns the name of the algorithm used to generate the key of
the certificate presented by the frontend when the incoming
connection was made over an SSL/TLS transport layer.
ssl_f_s_dn[(entry[,occ])]
If no entry specified, returns the full distinguished name of
the subject of the certificate presented by the frontend when
@ -9185,6 +9220,11 @@ The list of currently supported pattern fetch functions is the following :
when the incoming connection was made over an SSL/TLS transport
layer.
ssl_f_sig_alg
Returns the name of the algorithm used to sign the certificate
presented by the frontend when the incoming connection was made
over an SSL/TLS transport layer.
ssl_f_version
Returns the version of the certificate presented by the frontend
when the incoming connection was made over an SSL/TLS transport

70
src/ssl_sock.c
View file

@ -1393,6 +1393,40 @@ smp_fetch_ssl_c_version(struct proxy *px, struct session *l4, void *l7, unsigned
return 1;
}
/* str, returns the client certificate sig alg */
static int
smp_fetch_ssl_c_sig_alg(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp)
{
X509 *crt;
int nid;
if (!l4 || l4->si[0].conn.xprt != &ssl_sock)
return 0;
if (!(l4->si[0].conn.flags & CO_FL_CONNECTED)) {
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
/* SSL_get_peer_certificate increase X509 * ref count */
crt = SSL_get_peer_certificate(l4->si[0].conn.xprt_ctx);
if (!crt)
return 0;
nid = OBJ_obj2nid((ASN1_OBJECT *)(crt->cert_info->signature->algorithm));
smp->data.str.str = (char *)OBJ_nid2sn(nid);
if (!smp->data.str.str)
return 0;
smp->type = SMP_T_CSTR;
smp->data.str.len = strlen(smp->data.str.str);
X509_free(crt);
return 1;
}
/* boolean, returns true if front conn. transport layer is SSL */
static int
smp_fetch_ssl_fc(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
@ -1477,6 +1511,38 @@ smp_fetch_ssl_f_version(struct proxy *px, struct session *l4, void *l7, unsigned
return 1;
}
/* str, returns the client certificate sig alg */
static int
smp_fetch_ssl_f_sig_alg(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp)
{
X509 *crt;
int nid;
if (!l4 || l4->si[0].conn.xprt != &ssl_sock)
return 0;
if (!(l4->si[0].conn.flags & CO_FL_CONNECTED)) {
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
crt = SSL_get_certificate(l4->si[0].conn.xprt_ctx);
if (!crt)
return 0;
nid = OBJ_obj2nid((ASN1_OBJECT *)(crt->cert_info->signature->algorithm));
smp->data.str.str = (char *)OBJ_nid2sn(nid);
if (!smp->data.str.str)
return 0;
smp->type = SMP_T_CSTR;
smp->data.str.len = strlen(smp->data.str.str);
return 1;
}
/* str, returns a string of a formatted full dn \C=..\O=..\OU=.. \CN=.. */
static int
smp_fetch_ssl_f_i_dn(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
@ -2288,11 +2354,13 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {{ },{
{ "ssl_c_ca_err_depth", smp_fetch_ssl_c_ca_err_depth, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_c_err", smp_fetch_ssl_c_err, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_c_i_dn", smp_fetch_ssl_c_i_dn, ARG2(0,STR,SINT), NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_c_sig_alg", smp_fetch_ssl_c_sig_alg, 0, NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_c_s_dn", smp_fetch_ssl_c_s_dn, ARG2(0,STR,SINT), NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_c_serial", smp_fetch_ssl_c_serial, 0, NULL, SMP_T_BIN, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_c_verify", smp_fetch_ssl_c_verify, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_c_version", smp_fetch_ssl_c_version, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_f_i_dn", smp_fetch_ssl_f_i_dn, ARG2(0,STR,SINT), NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_f_sig_alg", smp_fetch_ssl_f_sig_alg, 0, NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_f_s_dn", smp_fetch_ssl_f_s_dn, ARG2(0,STR,SINT), NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_f_serial", smp_fetch_ssl_f_serial, 0, NULL, SMP_T_BIN, SMP_CAP_REQ|SMP_CAP_RES },
{ "ssl_f_version", smp_fetch_ssl_f_version, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
@ -2319,11 +2387,13 @@ static struct acl_kw_list acl_kws = {{ },{
{ "ssl_c_ca_err_depth", acl_parse_int, smp_fetch_ssl_c_ca_err_depth, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_c_err", acl_parse_int, smp_fetch_ssl_c_err, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_c_i_dn", acl_parse_str, smp_fetch_ssl_c_i_dn, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, ARG2(0,STR,SINT) },
{ "ssl_c_sig_alg", acl_parse_str, smp_fetch_ssl_c_sig_alg, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_c_s_dn", acl_parse_str, smp_fetch_ssl_c_s_dn, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, ARG2(0,STR,SINT) },
{ "ssl_c_serial", acl_parse_bin, smp_fetch_ssl_c_serial, acl_match_bin, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_c_verify", acl_parse_int, smp_fetch_ssl_c_verify, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_c_version", acl_parse_int, smp_fetch_ssl_c_version, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_f_i_dn", acl_parse_str, smp_fetch_ssl_f_i_dn, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, ARG2(0,STR,SINT) },
{ "ssl_f_sig_alg", acl_parse_str, smp_fetch_ssl_f_sig_alg, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_f_s_dn", acl_parse_str, smp_fetch_ssl_f_s_dn, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, ARG2(0,STR,SINT) },
{ "ssl_f_serial", acl_parse_bin, smp_fetch_ssl_f_serial, acl_match_bin, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
{ "ssl_f_version", acl_parse_int, smp_fetch_ssl_f_version, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },