MINOR: connection: add proxy-v2-options ssl-cipher,cert-sig,cert-key

This patch implements proxy protocol v2 options related to crypto information:
ssl-cipher (PP2_SUBTYPE_SSL_CIPHER), cert-sig (PP2_SUBTYPE_SSL_SIG_ALG) and
cert-key (PP2_SUBTYPE_SSL_KEY_ALG).
Emmanuel Hocdet 2018-02-01 15:53:52 +01:00 committed by Willy Tarreau
parent 283e004a85
commit fa8d0f1875
4 changed files with 37 additions and 5 deletions


@ -11722,7 +11722,9 @@ send-proxy-v2
proxy-v2-options <option>[,<option>]*
The "proxy-v2-options" parameter add option to send in PROXY protocol version
2 when "send-proxy-v2" is used. Options available are "ssl" (see also
send-proxy-v2-ssl), "cert-cn" (see also "send-proxy-v2-ssl-cn").
send-proxy-v2-ssl), "cert-cn" (see also "send-proxy-v2-ssl-cn"), "ssl-cipher":
name of the used cipher, "cert-sig": signature algorithm of the used
certificate, "cert-key": key algorithm of the used certificate).
send-proxy-v2-ssl
The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version


@ -144,10 +144,13 @@ enum srv_initaddr {
#define SRV_F_COOKIESET 0x0100 /* this server has a cookie configured, so don't generate dynamic cookies */
/* configured server options for send-proxy (server->pp_opts) */
#define SRV_PP_V1 0x0001 /* proxy protocol version 1 */
#define SRV_PP_V2 0x0002 /* proxy protocol version 2 */
#define SRV_PP_V2_SSL 0x0004 /* proxy protocol version 2 with SSL*/
#define SRV_PP_V2_SSL_CN 0x0008 /* proxy protocol version 2 with SSL and CN*/
#define SRV_PP_V1 0x0001 /* proxy protocol version 1 */
#define SRV_PP_V2 0x0002 /* proxy protocol version 2 */
#define SRV_PP_V2_SSL 0x0004 /* proxy protocol version 2 with SSL */
#define SRV_PP_V2_SSL_CN 0x0008 /* proxy protocol version 2 with CN */
#define SRV_PP_V2_SSL_KEY_ALG 0x0010 /* proxy protocol version 2 with cert key algorithm */
#define SRV_PP_V2_SSL_SIG_ALG 0x0020 /* proxy protocol version 2 with cert signature algorithm */
#define SRV_PP_V2_SSL_CIPHER 0x0040 /* proxy protocol version 2 with cipher used */
/* function which act on servers need to return various errors */
#define SRV_STATUS_OK 0 /* everything is OK. */


@ -1071,6 +1071,24 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
ssl_tlv_len += make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_SUBTYPE_SSL_CN, cn_trash->len, cn_trash->str);
}
}
if (srv->pp_opts & SRV_PP_V2_SSL_KEY_ALG) {
struct chunk *pkey_trash = get_trash_chunk();
if (ssl_sock_get_pkey_algo(remote, pkey_trash) > 0) {
ssl_tlv_len += make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_SUBTYPE_SSL_KEY_ALG, pkey_trash->len, pkey_trash->str);
}
}
if (srv->pp_opts & SRV_PP_V2_SSL_SIG_ALG) {
value = ssl_sock_get_cert_sig(remote);
if (value) {
ssl_tlv_len += make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_SUBTYPE_SSL_SIG_ALG, strlen(value), value);
}
}
if (srv->pp_opts & SRV_PP_V2_SSL_CIPHER) {
value = ssl_sock_get_cipher_name(remote);
if (value) {
ssl_tlv_len += make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_SUBTYPE_SSL_CIPHER, strlen(value), value);
}
}
}
tlv->tlv.length_hi = (uint16_t)(ssl_tlv_len - sizeof(struct tlv)) >> 8;
tlv->tlv.length_lo = (uint16_t)(ssl_tlv_len - sizeof(struct tlv)) & 0x00ff;
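Review bot: Each of the three new `ssl_tlv_len += make_tlv(...)` lines (key algorithm, signature algorithm, cipher) folds make_tlv's result into the running length without checking it, so if make_tlv returns 0 when the sub-TLV does not fit in `buf_len - ret - ssl_tlv_len` (its bounds handling is outside this hunk), the PROXY header is still emitted with those TLVs silently omitted and the receiving side cannot distinguish a dropped value from an unavailable one. That mirrors the pre-existing CN branch above, so if silent omission is the intended policy it deserves a comment at the first new branch, e.g. `/* make_tlv() yields 0 when the sub-TLV does not fit; the value is then silently dropped rather than failing the whole line */`; otherwise test each added length for 0 and fail the line the same way other size failures in this function are handled. `value`, `remote` and the enclosing make_proxy_line_v2 are declared before the hunk and the function continues after it; the three ssl_sock_get_* helpers are not among the four files of this diff, so they are presumably pre-existing and their NULL/empty-result contracts should be confirmed against their definitions.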


@ -517,6 +517,15 @@ static int srv_parse_proxy_v2_options(char **args, int *cur_arg,
} else if (!strcmp(p, "cert-cn")) {
newsrv->pp_opts |= SRV_PP_V2_SSL;
newsrv->pp_opts |= SRV_PP_V2_SSL_CN;
} else if (!strcmp(p, "cert-key")) {
newsrv->pp_opts |= SRV_PP_V2_SSL;
newsrv->pp_opts |= SRV_PP_V2_SSL_KEY_ALG;
} else if (!strcmp(p, "cert-sig")) {
newsrv->pp_opts |= SRV_PP_V2_SSL;
newsrv->pp_opts |= SRV_PP_V2_SSL_SIG_ALG;
} else if (!strcmp(p, "ssl-cipher")) {
newsrv->pp_opts |= SRV_PP_V2_SSL;
newsrv->pp_opts |= SRV_PP_V2_SSL_CIPHER;
} else
goto fail;
}
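Review bot: The three new branches (`cert-key`, `cert-sig`, `ssl-cipher`) each set SRV_PP_V2_SSL in addition to their own flag, but neither this code nor the configuration.txt text added by the same commit says that these options imply "ssl", so a reader of the option list will take them as independent. A comment on the `cert-cn` branch line, which has the same behaviour, would make the coupling explicit, e.g. `/* cert-cn, cert-key, cert-sig and ssl-cipher are sub-TLVs of PP2_TYPE_SSL, so they imply the "ssl" option */`, and each pair of assignments can be one statement, `newsrv->pp_opts |= SRV_PP_V2_SSL | SRV_PP_V2_SSL_KEY_ALG;`. The new configuration.txt sentence also ends with a stray `)` after "key algorithm of the used certificate". srv_parse_proxy_v2_options starts outside the hunk.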