blob: 492c72f6e6525a7790fcac85cfd582075e1ea71a [file] [log] [blame]
Willy Tarreaud4c33c82013-01-07 21:59:07 +01001/*
2 * General protocol-agnostic payload-based sample fetches and ACLs
3 *
4 * Copyright 2000-2013 Willy Tarreau <w@1wt.eu>
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 *
11 */
12
13#include <stdlib.h>
14#include <string.h>
15
Willy Tarreaud716f9b2017-10-13 11:03:15 +020016#include <common/net_helper.h>
Willy Tarreaud4c33c82013-01-07 21:59:07 +010017#include <proto/acl.h>
18#include <proto/arg.h>
19#include <proto/channel.h>
Thierry FOURNIERed66c292013-11-28 11:05:19 +010020#include <proto/pattern.h>
Willy Tarreaud4c33c82013-01-07 21:59:07 +010021#include <proto/payload.h>
22#include <proto/sample.h>
23
24
25/************************************************************************/
26/* All supported sample fetch functions must be declared here */
27/************************************************************************/
28
29/* wait for more data as long as possible, then return TRUE. This should be
30 * used with content inspection.
31 */
32static int
Thierry FOURNIER0786d052015-05-11 15:42:45 +020033smp_fetch_wait_end(const struct arg *args, struct sample *smp, const char *kw, void *private)
Willy Tarreaud4c33c82013-01-07 21:59:07 +010034{
Thierry FOURNIER0786d052015-05-11 15:42:45 +020035 if (!(smp->opt & SMP_OPT_FINAL)) {
Willy Tarreaud4c33c82013-01-07 21:59:07 +010036 smp->flags |= SMP_F_MAY_CHANGE;
37 return 0;
38 }
Thierry FOURNIER8c542ca2015-08-19 09:00:18 +020039 smp->data.type = SMP_T_BOOL;
Thierry FOURNIER136f9d32015-08-19 09:07:19 +020040 smp->data.u.sint = 1;
Willy Tarreaud4c33c82013-01-07 21:59:07 +010041 return 1;
42}
43
44/* return the number of bytes in the request buffer */
45static int
Thierry FOURNIER0786d052015-05-11 15:42:45 +020046smp_fetch_len(const struct arg *args, struct sample *smp, const char *kw, void *private)
Willy Tarreaud4c33c82013-01-07 21:59:07 +010047{
Willy Tarreau22ec1ea2014-11-27 20:45:39 +010048 struct channel *chn;
49
Willy Tarreaube508f12016-03-10 11:47:01 +010050 if (!smp->strm)
51 return 0;
52
Thierry FOURNIER0786d052015-05-11 15:42:45 +020053 chn = ((smp->opt & SMP_OPT_DIR) == SMP_OPT_DIR_RES) ? &smp->strm->res : &smp->strm->req;
Thierry FOURNIER8c542ca2015-08-19 09:00:18 +020054 smp->data.type = SMP_T_SINT;
Thierry FOURNIER136f9d32015-08-19 09:07:19 +020055 smp->data.u.sint = chn->buf->i;
Willy Tarreaud4c33c82013-01-07 21:59:07 +010056 smp->flags = SMP_F_VOLATILE | SMP_F_MAY_CHANGE;
57 return 1;
58}
59
Pradeep Jindalbb2acf52015-09-29 10:12:57 +053060/* Returns 0 if the client didn't send a SessionTicket Extension
61 * Returns 1 if the client sent SessionTicket Extension
62 * Returns 2 if the client also sent non-zero length SessionTicket
63 * Returns SMP_T_SINT data type
64 */
65static int
66smp_fetch_req_ssl_st_ext(const struct arg *args, struct sample *smp, const char *kw, void *private)
67{
68 int hs_len, ext_len, bleft;
69 struct channel *chn;
70 unsigned char *data;
71
Willy Tarreaube508f12016-03-10 11:47:01 +010072 if (!smp->strm)
73 goto not_ssl_hello;
74
Pradeep Jindalbb2acf52015-09-29 10:12:57 +053075 chn = ((smp->opt & SMP_OPT_DIR) == SMP_OPT_DIR_RES) ? &smp->strm->res : &smp->strm->req;
Pradeep Jindalbb2acf52015-09-29 10:12:57 +053076 bleft = chn->buf->i;
77 data = (unsigned char *)chn->buf->p;
78
79 /* Check for SSL/TLS Handshake */
80 if (!bleft)
81 goto too_short;
82 if (*data != 0x16)
83 goto not_ssl_hello;
84
85 /* Check for SSLv3 or later (SSL version >= 3.0) in the record layer*/
86 if (bleft < 3)
87 goto too_short;
88 if (data[1] < 0x03)
89 goto not_ssl_hello;
90
91 if (bleft < 5)
92 goto too_short;
93 hs_len = (data[3] << 8) + data[4];
94 if (hs_len < 1 + 3 + 2 + 32 + 1 + 2 + 2 + 1 + 1 + 2 + 2)
95 goto not_ssl_hello; /* too short to have an extension */
96
97 data += 5; /* enter TLS handshake */
98 bleft -= 5;
99
100 /* Check for a complete client hello starting at <data> */
101 if (bleft < 1)
102 goto too_short;
103 if (data[0] != 0x01) /* msg_type = Client Hello */
104 goto not_ssl_hello;
105
106 /* Check the Hello's length */
107 if (bleft < 4)
108 goto too_short;
109 hs_len = (data[1] << 16) + (data[2] << 8) + data[3];
110 if (hs_len < 2 + 32 + 1 + 2 + 2 + 1 + 1 + 2 + 2)
111 goto not_ssl_hello; /* too short to have an extension */
112
113 /* We want the full handshake here */
114 if (bleft < hs_len)
115 goto too_short;
116
117 data += 4;
118 /* Start of the ClientHello message */
119 if (data[0] < 0x03 || data[1] < 0x01) /* TLSv1 minimum */
120 goto not_ssl_hello;
121
122 ext_len = data[34]; /* session_id_len */
123 if (ext_len > 32 || ext_len > (hs_len - 35)) /* check for correct session_id len */
124 goto not_ssl_hello;
125
126 /* Jump to cipher suite */
127 hs_len -= 35 + ext_len;
128 data += 35 + ext_len;
129
130 if (hs_len < 4 || /* minimum one cipher */
131 (ext_len = (data[0] << 8) + data[1]) < 2 || /* minimum 2 bytes for a cipher */
132 ext_len > hs_len)
133 goto not_ssl_hello;
134
135 /* Jump to the compression methods */
136 hs_len -= 2 + ext_len;
137 data += 2 + ext_len;
138
139 if (hs_len < 2 || /* minimum one compression method */
140 data[0] < 1 || data[0] > hs_len) /* minimum 1 bytes for a method */
141 goto not_ssl_hello;
142
143 /* Jump to the extensions */
144 hs_len -= 1 + data[0];
145 data += 1 + data[0];
146
147 if (hs_len < 2 || /* minimum one extension list length */
148 (ext_len = (data[0] << 8) + data[1]) > hs_len - 2) /* list too long */
149 goto not_ssl_hello;
150
151 hs_len = ext_len; /* limit ourselves to the extension length */
152 data += 2;
153
154 while (hs_len >= 4) {
155 int ext_type, ext_len;
156
157 ext_type = (data[0] << 8) + data[1];
158 ext_len = (data[2] << 8) + data[3];
159
160 if (ext_len > hs_len - 4) /* Extension too long */
161 goto not_ssl_hello;
162
163 /* SesstionTicket extension */
164 if (ext_type == 35) {
165 smp->data.type = SMP_T_SINT;
166 /* SessionTicket also present */
167 if (ext_len > 0)
168 smp->data.u.sint = 2;
169 /* SessionTicket absent */
170 else
171 smp->data.u.sint = 1;
172 smp->flags = SMP_F_VOLATILE;
173 return 1;
174 }
175
176 hs_len -= 4 + ext_len;
177 data += 4 + ext_len;
178 }
179 /* SessionTicket Extension not found */
180 smp->data.type = SMP_T_SINT;
181 smp->data.u.sint = 0;
182 smp->flags = SMP_F_VOLATILE;
183 return 1;
184
Pradeep Jindalbb2acf52015-09-29 10:12:57 +0530185 too_short:
186 smp->flags = SMP_F_MAY_CHANGE;
187
188 not_ssl_hello:
189 return 0;
190}
191
Nenad Merdanovic5fc7d7e2015-07-07 22:00:17 +0200192/* Returns TRUE if the client sent Supported Elliptic Curves Extension (0x000a)
193 * Mainly used to detect if client supports ECC cipher suites.
194 */
195static int
196smp_fetch_req_ssl_ec_ext(const struct arg *args, struct sample *smp, const char *kw, void *private)
197{
198 int hs_len, ext_len, bleft;
199 struct channel *chn;
200 unsigned char *data;
201
Willy Tarreaube508f12016-03-10 11:47:01 +0100202 if (!smp->strm)
203 goto not_ssl_hello;
204
Nenad Merdanovic5fc7d7e2015-07-07 22:00:17 +0200205 chn = ((smp->opt & SMP_OPT_DIR) == SMP_OPT_DIR_RES) ? &smp->strm->res : &smp->strm->req;
Nenad Merdanovic5fc7d7e2015-07-07 22:00:17 +0200206 bleft = chn->buf->i;
207 data = (unsigned char *)chn->buf->p;
208
209 /* Check for SSL/TLS Handshake */
210 if (!bleft)
211 goto too_short;
212 if (*data != 0x16)
213 goto not_ssl_hello;
214
215 /* Check for SSLv3 or later (SSL version >= 3.0) in the record layer*/
216 if (bleft < 3)
217 goto too_short;
218 if (data[1] < 0x03)
219 goto not_ssl_hello;
220
221 if (bleft < 5)
222 goto too_short;
223 hs_len = (data[3] << 8) + data[4];
224 if (hs_len < 1 + 3 + 2 + 32 + 1 + 2 + 2 + 1 + 1 + 2 + 2)
225 goto not_ssl_hello; /* too short to have an extension */
226
227 data += 5; /* enter TLS handshake */
228 bleft -= 5;
229
230 /* Check for a complete client hello starting at <data> */
231 if (bleft < 1)
232 goto too_short;
233 if (data[0] != 0x01) /* msg_type = Client Hello */
234 goto not_ssl_hello;
235
236 /* Check the Hello's length */
237 if (bleft < 4)
238 goto too_short;
239 hs_len = (data[1] << 16) + (data[2] << 8) + data[3];
240 if (hs_len < 2 + 32 + 1 + 2 + 2 + 1 + 1 + 2 + 2)
241 goto not_ssl_hello; /* too short to have an extension */
242
243 /* We want the full handshake here */
244 if (bleft < hs_len)
245 goto too_short;
246
247 data += 4;
248 /* Start of the ClientHello message */
249 if (data[0] < 0x03 || data[1] < 0x01) /* TLSv1 minimum */
250 goto not_ssl_hello;
251
252 ext_len = data[34]; /* session_id_len */
253 if (ext_len > 32 || ext_len > (hs_len - 35)) /* check for correct session_id len */
254 goto not_ssl_hello;
255
256 /* Jump to cipher suite */
257 hs_len -= 35 + ext_len;
258 data += 35 + ext_len;
259
260 if (hs_len < 4 || /* minimum one cipher */
261 (ext_len = (data[0] << 8) + data[1]) < 2 || /* minimum 2 bytes for a cipher */
262 ext_len > hs_len)
263 goto not_ssl_hello;
264
265 /* Jump to the compression methods */
266 hs_len -= 2 + ext_len;
267 data += 2 + ext_len;
268
269 if (hs_len < 2 || /* minimum one compression method */
270 data[0] < 1 || data[0] > hs_len) /* minimum 1 bytes for a method */
271 goto not_ssl_hello;
272
273 /* Jump to the extensions */
274 hs_len -= 1 + data[0];
275 data += 1 + data[0];
276
277 if (hs_len < 2 || /* minimum one extension list length */
278 (ext_len = (data[0] << 8) + data[1]) > hs_len - 2) /* list too long */
279 goto not_ssl_hello;
280
281 hs_len = ext_len; /* limit ourselves to the extension length */
282 data += 2;
283
284 while (hs_len >= 4) {
285 int ext_type, ext_len;
286
287 ext_type = (data[0] << 8) + data[1];
288 ext_len = (data[2] << 8) + data[3];
289
290 if (ext_len > hs_len - 4) /* Extension too long */
291 goto not_ssl_hello;
292
293 /* Elliptic curves extension */
294 if (ext_type == 10) {
Thierry FOURNIER8c542ca2015-08-19 09:00:18 +0200295 smp->data.type = SMP_T_BOOL;
Thierry FOURNIER136f9d32015-08-19 09:07:19 +0200296 smp->data.u.sint = 1;
Nenad Merdanovic8a39a1f2015-07-15 12:51:11 +0200297 smp->flags = SMP_F_VOLATILE;
Nenad Merdanovic5fc7d7e2015-07-07 22:00:17 +0200298 return 1;
299 }
300
301 hs_len -= 4 + ext_len;
302 data += 4 + ext_len;
303 }
304 /* server name not found */
305 goto not_ssl_hello;
306
307 too_short:
308 smp->flags = SMP_F_MAY_CHANGE;
309
310 not_ssl_hello:
311
312 return 0;
313}
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100314/* returns the type of SSL hello message (mainly used to detect an SSL hello) */
315static int
Thierry FOURNIER0786d052015-05-11 15:42:45 +0200316smp_fetch_ssl_hello_type(const struct arg *args, struct sample *smp, const char *kw, void *private)
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100317{
318 int hs_len;
319 int hs_type, bleft;
320 struct channel *chn;
321 const unsigned char *data;
322
Willy Tarreaube508f12016-03-10 11:47:01 +0100323 if (!smp->strm)
324 goto not_ssl_hello;
325
Thierry FOURNIER0786d052015-05-11 15:42:45 +0200326 chn = ((smp->opt & SMP_OPT_DIR) == SMP_OPT_DIR_RES) ? &smp->strm->res : &smp->strm->req;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100327 bleft = chn->buf->i;
328 data = (const unsigned char *)chn->buf->p;
329
330 if (!bleft)
331 goto too_short;
332
333 if ((*data >= 0x14 && *data <= 0x17) || (*data == 0xFF)) {
334 /* SSLv3 header format */
335 if (bleft < 9)
336 goto too_short;
337
338 /* ssl version 3 */
339 if ((data[1] << 16) + data[2] < 0x00030000)
340 goto not_ssl_hello;
341
342 /* ssl message len must present handshake type and len */
343 if ((data[3] << 8) + data[4] < 4)
344 goto not_ssl_hello;
345
346 /* format introduced with SSLv3 */
347
348 hs_type = (int)data[5];
349 hs_len = ( data[6] << 16 ) + ( data[7] << 8 ) + data[8];
350
351 /* not a full handshake */
352 if (bleft < (9 + hs_len))
353 goto too_short;
354
355 }
356 else {
357 goto not_ssl_hello;
358 }
359
Thierry FOURNIER8c542ca2015-08-19 09:00:18 +0200360 smp->data.type = SMP_T_SINT;
Thierry FOURNIER136f9d32015-08-19 09:07:19 +0200361 smp->data.u.sint = hs_type;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100362 smp->flags = SMP_F_VOLATILE;
363
364 return 1;
365
366 too_short:
367 smp->flags = SMP_F_MAY_CHANGE;
368
369 not_ssl_hello:
370
371 return 0;
372}
373
374/* Return the version of the SSL protocol in the request. It supports both
375 * SSLv3 (TLSv1) header format for any message, and SSLv2 header format for
376 * the hello message. The SSLv3 format is described in RFC 2246 p49, and the
377 * SSLv2 format is described here, and completed p67 of RFC 2246 :
378 * http://wp.netscape.com/eng/security/SSL_2.html
379 *
380 * Note: this decoder only works with non-wrapping data.
381 */
382static int
Thierry FOURNIER0786d052015-05-11 15:42:45 +0200383smp_fetch_req_ssl_ver(const struct arg *args, struct sample *smp, const char *kw, void *private)
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100384{
385 int version, bleft, msg_len;
386 const unsigned char *data;
Willy Tarreaube508f12016-03-10 11:47:01 +0100387 struct channel *req;
388
389 if (!smp->strm)
390 return 0;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100391
Willy Tarreaube508f12016-03-10 11:47:01 +0100392 req = &smp->strm->req;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100393 msg_len = 0;
Thierry FOURNIER0a9a2b82015-05-11 15:20:49 +0200394 bleft = req->buf->i;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100395 if (!bleft)
396 goto too_short;
397
Thierry FOURNIER0a9a2b82015-05-11 15:20:49 +0200398 data = (const unsigned char *)req->buf->p;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100399 if ((*data >= 0x14 && *data <= 0x17) || (*data == 0xFF)) {
400 /* SSLv3 header format */
Lukas Tribusc93242c2015-11-05 13:59:30 +0100401 if (bleft < 11)
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100402 goto too_short;
403
Lukas Tribusc93242c2015-11-05 13:59:30 +0100404 version = (data[1] << 16) + data[2]; /* record layer version: major, minor */
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100405 msg_len = (data[3] << 8) + data[4]; /* record length */
406
407 /* format introduced with SSLv3 */
408 if (version < 0x00030000)
409 goto not_ssl;
410
Lukas Tribusc93242c2015-11-05 13:59:30 +0100411 /* message length between 6 and 2^14 + 2048 */
412 if (msg_len < 6 || msg_len > ((1<<14) + 2048))
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100413 goto not_ssl;
414
415 bleft -= 5; data += 5;
Lukas Tribusc93242c2015-11-05 13:59:30 +0100416
417 /* return the client hello client version, not the record layer version */
418 version = (data[4] << 16) + data[5]; /* client hello version: major, minor */
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100419 } else {
420 /* SSLv2 header format, only supported for hello (msg type 1) */
421 int rlen, plen, cilen, silen, chlen;
422
423 if (*data & 0x80) {
424 if (bleft < 3)
425 goto too_short;
426 /* short header format : 15 bits for length */
427 rlen = ((data[0] & 0x7F) << 8) | data[1];
428 plen = 0;
429 bleft -= 2; data += 2;
430 } else {
431 if (bleft < 4)
432 goto too_short;
433 /* long header format : 14 bits for length + pad length */
434 rlen = ((data[0] & 0x3F) << 8) | data[1];
435 plen = data[2];
Willy Tarreau74967f62016-08-30 14:39:46 +0200436 bleft -= 3; data += 3;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100437 }
438
439 if (*data != 0x01)
440 goto not_ssl;
441 bleft--; data++;
442
443 if (bleft < 8)
444 goto too_short;
445 version = (data[0] << 16) + data[1]; /* version: major, minor */
446 cilen = (data[2] << 8) + data[3]; /* cipher len, multiple of 3 */
447 silen = (data[4] << 8) + data[5]; /* session_id_len: 0 or 16 */
448 chlen = (data[6] << 8) + data[7]; /* 16<=challenge length<=32 */
449
450 bleft -= 8; data += 8;
451 if (cilen % 3 != 0)
452 goto not_ssl;
453 if (silen && silen != 16)
454 goto not_ssl;
455 if (chlen < 16 || chlen > 32)
456 goto not_ssl;
457 if (rlen != 9 + cilen + silen + chlen)
458 goto not_ssl;
459
460 /* focus on the remaining data length */
461 msg_len = cilen + silen + chlen + plen;
462 }
463 /* We could recursively check that the buffer ends exactly on an SSL
464 * fragment boundary and that a possible next segment is still SSL,
465 * but that's a bit pointless. However, we could still check that
466 * all the part of the request which fits in a buffer is already
467 * there.
468 */
Thierry FOURNIER0a9a2b82015-05-11 15:20:49 +0200469 if (msg_len > channel_recv_limit(req) + req->buf->data - req->buf->p)
470 msg_len = channel_recv_limit(req) + req->buf->data - req->buf->p;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100471
472 if (bleft < msg_len)
473 goto too_short;
474
475 /* OK that's enough. We have at least the whole message, and we have
476 * the protocol version.
477 */
Thierry FOURNIER8c542ca2015-08-19 09:00:18 +0200478 smp->data.type = SMP_T_SINT;
Thierry FOURNIER136f9d32015-08-19 09:07:19 +0200479 smp->data.u.sint = version;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100480 smp->flags = SMP_F_VOLATILE;
481 return 1;
482
483 too_short:
484 smp->flags = SMP_F_MAY_CHANGE;
485 not_ssl:
486 return 0;
487}
488
489/* Try to extract the Server Name Indication that may be presented in a TLS
490 * client hello handshake message. The format of the message is the following
491 * (cf RFC5246 + RFC6066) :
492 * TLS frame :
493 * - uint8 type = 0x16 (Handshake)
494 * - uint16 version >= 0x0301 (TLSv1)
495 * - uint16 length (frame length)
496 * - TLS handshake :
497 * - uint8 msg_type = 0x01 (ClientHello)
498 * - uint24 length (handshake message length)
499 * - ClientHello :
500 * - uint16 client_version >= 0x0301 (TLSv1)
501 * - uint8 Random[32] (4 first ones are timestamp)
502 * - SessionID :
503 * - uint8 session_id_len (0..32) (SessionID len in bytes)
504 * - uint8 session_id[session_id_len]
505 * - CipherSuite :
506 * - uint16 cipher_len >= 2 (Cipher length in bytes)
507 * - uint16 ciphers[cipher_len/2]
508 * - CompressionMethod :
509 * - uint8 compression_len >= 1 (# of supported methods)
510 * - uint8 compression_methods[compression_len]
511 * - optional client_extension_len (in bytes)
512 * - optional sequence of ClientHelloExtensions (as many bytes as above):
513 * - uint16 extension_type = 0 for server_name
514 * - uint16 extension_len
515 * - opaque extension_data[extension_len]
516 * - uint16 server_name_list_len (# of bytes here)
517 * - opaque server_names[server_name_list_len bytes]
518 * - uint8 name_type = 0 for host_name
519 * - uint16 name_len
520 * - opaque hostname[name_len bytes]
521 */
522static int
Thierry FOURNIER0786d052015-05-11 15:42:45 +0200523smp_fetch_ssl_hello_sni(const struct arg *args, struct sample *smp, const char *kw, void *private)
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100524{
525 int hs_len, ext_len, bleft;
526 struct channel *chn;
527 unsigned char *data;
528
Willy Tarreaube508f12016-03-10 11:47:01 +0100529 if (!smp->strm)
530 goto not_ssl_hello;
531
Thierry FOURNIER0786d052015-05-11 15:42:45 +0200532 chn = ((smp->opt & SMP_OPT_DIR) == SMP_OPT_DIR_RES) ? &smp->strm->res : &smp->strm->req;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100533 bleft = chn->buf->i;
534 data = (unsigned char *)chn->buf->p;
535
536 /* Check for SSL/TLS Handshake */
537 if (!bleft)
538 goto too_short;
539 if (*data != 0x16)
540 goto not_ssl_hello;
541
Lukas Tribus57d22972014-04-10 21:36:22 +0200542 /* Check for SSLv3 or later (SSL version >= 3.0) in the record layer*/
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100543 if (bleft < 3)
544 goto too_short;
Lukas Tribus57d22972014-04-10 21:36:22 +0200545 if (data[1] < 0x03)
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100546 goto not_ssl_hello;
547
548 if (bleft < 5)
549 goto too_short;
550 hs_len = (data[3] << 8) + data[4];
551 if (hs_len < 1 + 3 + 2 + 32 + 1 + 2 + 2 + 1 + 1 + 2 + 2)
552 goto not_ssl_hello; /* too short to have an extension */
553
554 data += 5; /* enter TLS handshake */
555 bleft -= 5;
556
557 /* Check for a complete client hello starting at <data> */
558 if (bleft < 1)
559 goto too_short;
560 if (data[0] != 0x01) /* msg_type = Client Hello */
561 goto not_ssl_hello;
562
563 /* Check the Hello's length */
564 if (bleft < 4)
565 goto too_short;
566 hs_len = (data[1] << 16) + (data[2] << 8) + data[3];
567 if (hs_len < 2 + 32 + 1 + 2 + 2 + 1 + 1 + 2 + 2)
568 goto not_ssl_hello; /* too short to have an extension */
569
570 /* We want the full handshake here */
571 if (bleft < hs_len)
572 goto too_short;
573
574 data += 4;
575 /* Start of the ClientHello message */
576 if (data[0] < 0x03 || data[1] < 0x01) /* TLSv1 minimum */
577 goto not_ssl_hello;
578
579 ext_len = data[34]; /* session_id_len */
580 if (ext_len > 32 || ext_len > (hs_len - 35)) /* check for correct session_id len */
581 goto not_ssl_hello;
582
583 /* Jump to cipher suite */
584 hs_len -= 35 + ext_len;
585 data += 35 + ext_len;
586
587 if (hs_len < 4 || /* minimum one cipher */
588 (ext_len = (data[0] << 8) + data[1]) < 2 || /* minimum 2 bytes for a cipher */
589 ext_len > hs_len)
590 goto not_ssl_hello;
591
592 /* Jump to the compression methods */
593 hs_len -= 2 + ext_len;
594 data += 2 + ext_len;
595
596 if (hs_len < 2 || /* minimum one compression method */
597 data[0] < 1 || data[0] > hs_len) /* minimum 1 bytes for a method */
598 goto not_ssl_hello;
599
600 /* Jump to the extensions */
601 hs_len -= 1 + data[0];
602 data += 1 + data[0];
603
604 if (hs_len < 2 || /* minimum one extension list length */
605 (ext_len = (data[0] << 8) + data[1]) > hs_len - 2) /* list too long */
606 goto not_ssl_hello;
607
608 hs_len = ext_len; /* limit ourselves to the extension length */
609 data += 2;
610
611 while (hs_len >= 4) {
612 int ext_type, name_type, srv_len, name_len;
613
614 ext_type = (data[0] << 8) + data[1];
615 ext_len = (data[2] << 8) + data[3];
616
617 if (ext_len > hs_len - 4) /* Extension too long */
618 goto not_ssl_hello;
619
620 if (ext_type == 0) { /* Server name */
621 if (ext_len < 2) /* need one list length */
622 goto not_ssl_hello;
623
624 srv_len = (data[4] << 8) + data[5];
625 if (srv_len < 4 || srv_len > hs_len - 6)
626 goto not_ssl_hello; /* at least 4 bytes per server name */
627
628 name_type = data[6];
629 name_len = (data[7] << 8) + data[8];
630
631 if (name_type == 0) { /* hostname */
Thierry FOURNIER8c542ca2015-08-19 09:00:18 +0200632 smp->data.type = SMP_T_STR;
Thierry FOURNIER136f9d32015-08-19 09:07:19 +0200633 smp->data.u.str.str = (char *)data + 9;
634 smp->data.u.str.len = name_len;
Thierry FOURNIER7654c9f2013-12-17 00:20:33 +0100635 smp->flags = SMP_F_VOLATILE | SMP_F_CONST;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100636 return 1;
637 }
638 }
639
640 hs_len -= 4 + ext_len;
641 data += 4 + ext_len;
642 }
643 /* server name not found */
644 goto not_ssl_hello;
645
646 too_short:
647 smp->flags = SMP_F_MAY_CHANGE;
648
649 not_ssl_hello:
650
651 return 0;
652}
653
Willy Tarreaucadd8c92013-07-22 18:09:52 +0200654/* Fetch the request RDP cookie identified in <cname>:<clen>, or any cookie if
Willy Tarreaub169eba2013-12-16 15:14:43 +0100655 * <clen> is empty (cname is then ignored). It returns the data into sample <smp>
656 * of type SMP_T_CSTR. Note: this decoder only works with non-wrapping data.
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100657 */
658int
Willy Tarreau87b09662015-04-03 00:22:06 +0200659fetch_rdp_cookie_name(struct stream *s, struct sample *smp, const char *cname, int clen)
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100660{
661 int bleft;
662 const unsigned char *data;
663
Thierry FOURNIER7654c9f2013-12-17 00:20:33 +0100664 smp->flags = SMP_F_CONST;
Thierry FOURNIER8c542ca2015-08-19 09:00:18 +0200665 smp->data.type = SMP_T_STR;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100666
Willy Tarreau22ec1ea2014-11-27 20:45:39 +0100667 bleft = s->req.buf->i;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100668 if (bleft <= 11)
669 goto too_short;
670
Willy Tarreau22ec1ea2014-11-27 20:45:39 +0100671 data = (const unsigned char *)s->req.buf->p + 11;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100672 bleft -= 11;
673
674 if (bleft <= 7)
675 goto too_short;
676
677 if (strncasecmp((const char *)data, "Cookie:", 7) != 0)
678 goto not_cookie;
679
680 data += 7;
681 bleft -= 7;
682
683 while (bleft > 0 && *data == ' ') {
684 data++;
685 bleft--;
686 }
687
Willy Tarreaucadd8c92013-07-22 18:09:52 +0200688 if (clen) {
689 if (bleft <= clen)
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100690 goto too_short;
691
Willy Tarreaucadd8c92013-07-22 18:09:52 +0200692 if ((data[clen] != '=') ||
693 strncasecmp(cname, (const char *)data, clen) != 0)
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100694 goto not_cookie;
695
Willy Tarreaucadd8c92013-07-22 18:09:52 +0200696 data += clen + 1;
697 bleft -= clen + 1;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100698 } else {
699 while (bleft > 0 && *data != '=') {
700 if (*data == '\r' || *data == '\n')
701 goto not_cookie;
702 data++;
703 bleft--;
704 }
705
706 if (bleft < 1)
707 goto too_short;
708
709 if (*data != '=')
710 goto not_cookie;
711
712 data++;
713 bleft--;
714 }
715
716 /* data points to cookie value */
Thierry FOURNIER136f9d32015-08-19 09:07:19 +0200717 smp->data.u.str.str = (char *)data;
718 smp->data.u.str.len = 0;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100719
720 while (bleft > 0 && *data != '\r') {
721 data++;
722 bleft--;
723 }
724
725 if (bleft < 2)
726 goto too_short;
727
728 if (data[0] != '\r' || data[1] != '\n')
729 goto not_cookie;
730
Thierry FOURNIER136f9d32015-08-19 09:07:19 +0200731 smp->data.u.str.len = (char *)data - smp->data.u.str.str;
Thierry FOURNIER7654c9f2013-12-17 00:20:33 +0100732 smp->flags = SMP_F_VOLATILE | SMP_F_CONST;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100733 return 1;
734
735 too_short:
Thierry FOURNIER7654c9f2013-12-17 00:20:33 +0100736 smp->flags = SMP_F_MAY_CHANGE | SMP_F_CONST;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100737 not_cookie:
738 return 0;
739}
740
Willy Tarreaucadd8c92013-07-22 18:09:52 +0200741/* Fetch the request RDP cookie identified in the args, or any cookie if no arg
742 * is passed. It is usable both for ACL and for samples. Note: this decoder
743 * only works with non-wrapping data. Accepts either 0 or 1 argument. Argument
Willy Tarreaub169eba2013-12-16 15:14:43 +0100744 * is a string (cookie name), other types will lead to undefined behaviour. The
745 * returned sample has type SMP_T_CSTR.
Willy Tarreaucadd8c92013-07-22 18:09:52 +0200746 */
747int
Thierry FOURNIER0786d052015-05-11 15:42:45 +0200748smp_fetch_rdp_cookie(const struct arg *args, struct sample *smp, const char *kw, void *private)
Willy Tarreaucadd8c92013-07-22 18:09:52 +0200749{
Willy Tarreaube508f12016-03-10 11:47:01 +0100750 if (!smp->strm)
751 return 0;
752
Thierry FOURNIER0a9a2b82015-05-11 15:20:49 +0200753 return fetch_rdp_cookie_name(smp->strm, smp, args ? args->data.str.str : NULL, args ? args->data.str.len : 0);
Willy Tarreaucadd8c92013-07-22 18:09:52 +0200754}
755
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100756/* returns either 1 or 0 depending on whether an RDP cookie is found or not */
757static int
Thierry FOURNIER0786d052015-05-11 15:42:45 +0200758smp_fetch_rdp_cookie_cnt(const struct arg *args, struct sample *smp, const char *kw, void *private)
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100759{
760 int ret;
761
Thierry FOURNIER0786d052015-05-11 15:42:45 +0200762 ret = smp_fetch_rdp_cookie(args, smp, kw, private);
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100763
764 if (smp->flags & SMP_F_MAY_CHANGE)
765 return 0;
766
767 smp->flags = SMP_F_VOLATILE;
Thierry FOURNIER8c542ca2015-08-19 09:00:18 +0200768 smp->data.type = SMP_T_SINT;
Thierry FOURNIER136f9d32015-08-19 09:07:19 +0200769 smp->data.u.sint = ret;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100770 return 1;
771}
772
773/* extracts part of a payload with offset and length at a given position */
774static int
Thierry FOURNIER0786d052015-05-11 15:42:45 +0200775smp_fetch_payload_lv(const struct arg *arg_p, struct sample *smp, const char *kw, void *private)
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100776{
Thierry FOURNIERbf65cd42015-07-20 17:45:02 +0200777 unsigned int len_offset = arg_p[0].data.sint;
778 unsigned int len_size = arg_p[1].data.sint;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100779 unsigned int buf_offset;
780 unsigned int buf_size = 0;
781 struct channel *chn;
782 int i;
783
784 /* Format is (len offset, len size, buf offset) or (len offset, len size) */
785 /* by default buf offset == len offset + len size */
786 /* buf offset could be absolute or relative to len offset + len size if prefixed by + or - */
787
Willy Tarreaube508f12016-03-10 11:47:01 +0100788 if (!smp->strm)
789 return 0;
790
Thierry FOURNIER0786d052015-05-11 15:42:45 +0200791 chn = ((smp->opt & SMP_OPT_DIR) == SMP_OPT_DIR_RES) ? &smp->strm->res : &smp->strm->req;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100792 if (len_offset + len_size > chn->buf->i)
793 goto too_short;
794
795 for (i = 0; i < len_size; i++) {
796 buf_size = (buf_size << 8) + ((unsigned char *)chn->buf->p)[i + len_offset];
797 }
798
Thierry FOURNIERbf65cd42015-07-20 17:45:02 +0200799 /* buf offset may be implicit, absolute or relative. If the LSB
800 * is set, then the offset is relative otherwise it is absolute.
801 */
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100802 buf_offset = len_offset + len_size;
Thierry FOURNIERbf65cd42015-07-20 17:45:02 +0200803 if (arg_p[2].type == ARGT_SINT) {
804 if (arg_p[2].data.sint & 1)
805 buf_offset += arg_p[2].data.sint >> 1;
806 else
807 buf_offset = arg_p[2].data.sint >> 1;
808 }
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100809
Willy Tarreaud7bdcb82015-09-24 16:33:10 +0200810 if (!buf_size || buf_size > global.tune.bufsize || buf_offset + buf_size > global.tune.bufsize) {
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100811 /* will never match */
812 smp->flags = 0;
813 return 0;
814 }
815
816 if (buf_offset + buf_size > chn->buf->i)
817 goto too_short;
818
819 /* init chunk as read only */
Thierry FOURNIER8c542ca2015-08-19 09:00:18 +0200820 smp->data.type = SMP_T_BIN;
Thierry FOURNIER7654c9f2013-12-17 00:20:33 +0100821 smp->flags = SMP_F_VOLATILE | SMP_F_CONST;
Thierry FOURNIER136f9d32015-08-19 09:07:19 +0200822 chunk_initlen(&smp->data.u.str, chn->buf->p + buf_offset, 0, buf_size);
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100823 return 1;
824
825 too_short:
Thierry FOURNIER7654c9f2013-12-17 00:20:33 +0100826 smp->flags = SMP_F_MAY_CHANGE | SMP_F_CONST;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100827 return 0;
828}
829
830/* extracts some payload at a fixed position and length */
831static int
Thierry FOURNIER0786d052015-05-11 15:42:45 +0200832smp_fetch_payload(const struct arg *arg_p, struct sample *smp, const char *kw, void *private)
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100833{
Thierry FOURNIERbf65cd42015-07-20 17:45:02 +0200834 unsigned int buf_offset = arg_p[0].data.sint;
835 unsigned int buf_size = arg_p[1].data.sint;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100836 struct channel *chn;
837
Willy Tarreaube508f12016-03-10 11:47:01 +0100838 if (!smp->strm)
839 return 0;
840
Thierry FOURNIER0786d052015-05-11 15:42:45 +0200841 chn = ((smp->opt & SMP_OPT_DIR) == SMP_OPT_DIR_RES) ? &smp->strm->res : &smp->strm->req;
Felipe Guerreiro Barbosa Ruiz00f55522017-03-16 17:01:41 -0300842 if (buf_size > global.tune.bufsize || buf_offset + buf_size > global.tune.bufsize) {
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100843 /* will never match */
844 smp->flags = 0;
845 return 0;
846 }
847
848 if (buf_offset + buf_size > chn->buf->i)
849 goto too_short;
850
851 /* init chunk as read only */
Thierry FOURNIER8c542ca2015-08-19 09:00:18 +0200852 smp->data.type = SMP_T_BIN;
Thierry FOURNIER7654c9f2013-12-17 00:20:33 +0100853 smp->flags = SMP_F_VOLATILE | SMP_F_CONST;
Thierry FOURNIER136f9d32015-08-19 09:07:19 +0200854 chunk_initlen(&smp->data.u.str, chn->buf->p + buf_offset, 0, buf_size ? buf_size : (chn->buf->i - buf_offset));
Willy Tarreau3889fff2015-01-13 20:20:10 +0100855 if (!buf_size && channel_may_recv(chn) && !channel_input_closed(chn))
Willy Tarreau00f00842013-08-02 11:07:32 +0200856 smp->flags |= SMP_F_MAY_CHANGE;
857
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100858 return 1;
859
860 too_short:
Thierry FOURNIER7654c9f2013-12-17 00:20:33 +0100861 smp->flags = SMP_F_MAY_CHANGE | SMP_F_CONST;
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100862 return 0;
863}
864
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100865/* This function is used to validate the arguments passed to a "payload_lv" fetch
866 * keyword. This keyword allows two positive integers and an optional signed one,
867 * with the second one being strictly positive and the third one being greater than
868 * the opposite of the two others if negative. It is assumed that the types are
869 * already the correct ones. Returns 0 on error, non-zero if OK. If <err_msg> is
870 * not NULL, it will be filled with a pointer to an error message in case of
871 * error, that the caller is responsible for freeing. The initial location must
872 * either be freeable or NULL.
Thierry FOURNIERbf65cd42015-07-20 17:45:02 +0200873 *
874 * Note that offset2 is stored with SINT type, but its not directly usable as is.
875 * The value is contained in the 63 MSB and the LSB is used as a flag for marking
876 * the "relative" property of the value.
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100877 */
Thierry FOURNIER49f45af2014-12-08 19:50:43 +0100878int val_payload_lv(struct arg *arg, char **err_msg)
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100879{
Thierry FOURNIERbf65cd42015-07-20 17:45:02 +0200880 int relative = 0;
881 const char *str;
882
883 if (arg[0].data.sint < 0) {
884 memprintf(err_msg, "payload offset1 must be positive");
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100885 return 0;
886 }
887
Thierry FOURNIERbf65cd42015-07-20 17:45:02 +0200888 if (!arg[1].data.sint) {
889 memprintf(err_msg, "payload length must be > 0");
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100890 return 0;
891 }
Thierry FOURNIERbf65cd42015-07-20 17:45:02 +0200892
893 if (arg[2].type == ARGT_STR && arg[2].data.str.len > 0) {
894 if (arg[2].data.str.str[0] == '+' || arg[2].data.str.str[0] == '-')
895 relative = 1;
896 str = arg[2].data.str.str;
897 arg[2].type = ARGT_SINT;
898 arg[2].data.sint = read_int64(&str, str + arg[2].data.str.len);
899 if (*str != '\0') {
900 memprintf(err_msg, "payload offset2 is not a number");
901 return 0;
902 }
903 if (arg[0].data.sint + arg[1].data.sint + arg[2].data.sint < 0) {
904 memprintf(err_msg, "payload offset2 too negative");
905 return 0;
906 }
907 if (relative)
908 arg[2].data.sint = ( arg[2].data.sint << 1 ) + 1;
909 }
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100910 return 1;
911}
912
Willy Tarreaud716f9b2017-10-13 11:03:15 +0200913/* extracts the parameter value of a distcc token */
914static int
915smp_fetch_distcc_param(const struct arg *arg_p, struct sample *smp, const char *kw, void *private)
916{
917 unsigned int match_tok = arg_p[0].data.sint;
918 unsigned int match_occ = arg_p[1].data.sint;
919 unsigned int token;
920 unsigned int param;
921 unsigned int body;
922 unsigned int ofs;
923 unsigned int occ;
924 struct channel *chn;
925 int i;
926
927 /* Format is (token[,occ]). occ starts at 1. */
928
929 if (!smp->strm)
930 return 0;
931
932 chn = ((smp->opt & SMP_OPT_DIR) == SMP_OPT_DIR_RES) ? &smp->strm->res : &smp->strm->req;
933
934 ofs = 0; occ = 0;
935 while (1) {
936 if (ofs + 12 > chn->buf->i) {
937 /* not there yet but could it at least fit ? */
938 if (!chn->buf->size)
939 goto too_short;
940
941 if (ofs + 12 <= channel_recv_limit(chn) + chn->buf->data - chn->buf->p)
942 goto too_short;
943
944 goto no_match;
945 }
946
947 token = read_n32(chn->buf->p + ofs);
948 ofs += 4;
949
950 for (i = param = 0; i < 8; i++) {
951 int c = hex2i(chn->buf->p[ofs + i]);
952
953 if (c < 0)
954 goto no_match;
955 param = (param << 4) + c;
956 }
957 ofs += 8;
958
959 /* these tokens don't have a body */
960 if (token != 0x41524743 /* ARGC */ && token != 0x44495354 /* DIST */ &&
961 token != 0x4E46494C /* NFIL */ && token != 0x53544154 /* STAT */ &&
962 token != 0x444F4E45 /* DONE */)
963 body = param;
964 else
965 body = 0;
966
967 if (token == match_tok) {
968 occ++;
969 if (!match_occ || match_occ == occ) {
970 /* found */
971 smp->data.type = SMP_T_SINT;
972 smp->data.u.sint = param;
973 smp->flags = SMP_F_VOLATILE | SMP_F_CONST;
974 return 1;
975 }
976 }
977 ofs += body;
978 }
979
980 too_short:
981 smp->flags = SMP_F_MAY_CHANGE | SMP_F_CONST;
982 return 0;
983 no_match:
984 /* will never match (end of buffer, or bad contents) */
985 smp->flags = 0;
986 return 0;
987
988}
989
990/* extracts the (possibly truncated) body of a distcc token */
991static int
992smp_fetch_distcc_body(const struct arg *arg_p, struct sample *smp, const char *kw, void *private)
993{
994 unsigned int match_tok = arg_p[0].data.sint;
995 unsigned int match_occ = arg_p[1].data.sint;
996 unsigned int token;
997 unsigned int param;
998 unsigned int ofs;
999 unsigned int occ;
1000 unsigned int body;
1001 struct channel *chn;
1002 int i;
1003
1004 /* Format is (token[,occ]). occ starts at 1. */
1005
1006 if (!smp->strm)
1007 return 0;
1008
1009 chn = ((smp->opt & SMP_OPT_DIR) == SMP_OPT_DIR_RES) ? &smp->strm->res : &smp->strm->req;
1010
1011 ofs = 0; occ = 0;
1012 while (1) {
1013 if (ofs + 12 > chn->buf->i) {
1014 if (!chn->buf->size)
1015 goto too_short;
1016
1017 if (ofs + 12 <= channel_recv_limit(chn) + chn->buf->data - chn->buf->p)
1018 goto too_short;
1019
1020 goto no_match;
1021 }
1022
1023 token = read_n32(chn->buf->p + ofs);
1024 ofs += 4;
1025
1026 for (i = param = 0; i < 8; i++) {
1027 int c = hex2i(chn->buf->p[ofs + i]);
1028
1029 if (c < 0)
1030 goto no_match;
1031 param = (param << 4) + c;
1032 }
1033 ofs += 8;
1034
1035 /* these tokens don't have a body */
1036 if (token != 0x41524743 /* ARGC */ && token != 0x44495354 /* DIST */ &&
1037 token != 0x4E46494C /* NFIL */ && token != 0x53544154 /* STAT */ &&
1038 token != 0x444F4E45 /* DONE */)
1039 body = param;
1040 else
1041 body = 0;
1042
1043 if (token == match_tok) {
1044 occ++;
1045 if (!match_occ || match_occ == occ) {
1046 /* found */
1047
1048 smp->data.type = SMP_T_BIN;
1049 smp->flags = SMP_F_VOLATILE | SMP_F_CONST;
1050
1051 if (ofs + body > chn->buf->p - chn->buf->data + chn->buf->i) {
1052 /* incomplete body */
1053
1054 if (ofs + body > channel_recv_limit(chn) + chn->buf->data - chn->buf->p) {
1055 /* truncate it to whatever will fit */
1056 smp->flags |= SMP_F_MAY_CHANGE;
1057 body = channel_recv_limit(chn) + chn->buf->data - chn->buf->p - ofs;
1058 }
1059 }
1060
1061 chunk_initlen(&smp->data.u.str, chn->buf->p + ofs, 0, body);
1062 return 1;
1063 }
1064 }
1065 ofs += body;
1066 }
1067
1068 too_short:
1069 smp->flags = SMP_F_MAY_CHANGE | SMP_F_CONST;
1070 return 0;
1071 no_match:
1072 /* will never match (end of buffer, or bad contents) */
1073 smp->flags = 0;
1074 return 0;
1075
1076}
1077
1078/* This function is used to validate the arguments passed to a "distcc_param" or
1079 * "distcc_body" sample fetch keyword. They take a mandatory token name of exactly
1080 * 4 characters, followed by an optional occurrence number starting at 1. It is
1081 * assumed that the types are already the correct ones. Returns 0 on error, non-
1082 * zero if OK. If <err_msg> is not NULL, it will be filled with a pointer to an
1083 * error message in case of error, that the caller is responsible for freeing.
1084 * The initial location must either be freeable or NULL.
1085 */
1086int val_distcc(struct arg *arg, char **err_msg)
1087{
1088 unsigned int token;
1089
1090 if (arg[0].data.str.len != 4) {
1091 memprintf(err_msg, "token name must be exactly 4 characters");
1092 return 0;
1093 }
1094
1095 /* convert the token name to an unsigned int (one byte per character,
1096 * big endian format).
1097 */
1098 token = (arg[0].data.str.str[0] << 24) + (arg[0].data.str.str[1] << 16) +
1099 (arg[0].data.str.str[2] << 8) + (arg[0].data.str.str[3] << 0);
1100
1101 arg[0].type = ARGT_SINT;
1102 arg[0].data.sint = token;
1103
1104 if (arg[1].type != ARGT_SINT) {
1105 arg[1].type = ARGT_SINT;
1106 arg[1].data.sint = 0;
1107 }
1108 return 1;
1109}
1110
Willy Tarreaud4c33c82013-01-07 21:59:07 +01001111/************************************************************************/
1112/* All supported sample and ACL keywords must be declared here. */
1113/************************************************************************/
1114
1115/* Note: must not be declared <const> as its list will be overwritten.
1116 * Note: fetches that may return multiple types must be declared as the lowest
1117 * common denominator, the type that can be casted into all other ones. For
1118 * instance IPv4/IPv6 must be declared IPv4.
1119 */
Willy Tarreaudc13c112013-06-21 23:16:39 +02001120static struct sample_fetch_kw_list smp_kws = {ILH, {
Willy Tarreaud716f9b2017-10-13 11:03:15 +02001121 { "distcc_body", smp_fetch_distcc_body, ARG2(1,STR,SINT), val_distcc, SMP_T_BIN, SMP_USE_L6REQ|SMP_USE_L6RES },
1122 { "distcc_param", smp_fetch_distcc_param, ARG2(1,STR,SINT), val_distcc, SMP_T_SINT, SMP_USE_L6REQ|SMP_USE_L6RES },
Thierry FOURNIERbf65cd42015-07-20 17:45:02 +02001123 { "payload", smp_fetch_payload, ARG2(2,SINT,SINT), NULL, SMP_T_BIN, SMP_USE_L6REQ|SMP_USE_L6RES },
1124 { "payload_lv", smp_fetch_payload_lv, ARG3(2,SINT,SINT,STR), val_payload_lv, SMP_T_BIN, SMP_USE_L6REQ|SMP_USE_L6RES },
Thierry FOURNIER7654c9f2013-12-17 00:20:33 +01001125 { "rdp_cookie", smp_fetch_rdp_cookie, ARG1(0,STR), NULL, SMP_T_STR, SMP_USE_L6REQ },
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +02001126 { "rdp_cookie_cnt", smp_fetch_rdp_cookie_cnt, ARG1(0,STR), NULL, SMP_T_SINT, SMP_USE_L6REQ },
1127 { "rep_ssl_hello_type", smp_fetch_ssl_hello_type, 0, NULL, SMP_T_SINT, SMP_USE_L6RES },
1128 { "req_len", smp_fetch_len, 0, NULL, SMP_T_SINT, SMP_USE_L6REQ },
1129 { "req_ssl_hello_type", smp_fetch_ssl_hello_type, 0, NULL, SMP_T_SINT, SMP_USE_L6REQ },
Thierry FOURNIER7654c9f2013-12-17 00:20:33 +01001130 { "req_ssl_sni", smp_fetch_ssl_hello_sni, 0, NULL, SMP_T_STR, SMP_USE_L6REQ },
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +02001131 { "req_ssl_ver", smp_fetch_req_ssl_ver, 0, NULL, SMP_T_SINT, SMP_USE_L6REQ },
Willy Tarreaufa957342013-01-14 16:07:52 +01001132
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +02001133 { "req.len", smp_fetch_len, 0, NULL, SMP_T_SINT, SMP_USE_L6REQ },
Thierry FOURNIERbf65cd42015-07-20 17:45:02 +02001134 { "req.payload", smp_fetch_payload, ARG2(2,SINT,SINT), NULL, SMP_T_BIN, SMP_USE_L6REQ },
1135 { "req.payload_lv", smp_fetch_payload_lv, ARG3(2,SINT,SINT,STR), val_payload_lv, SMP_T_BIN, SMP_USE_L6REQ },
Thierry FOURNIER7654c9f2013-12-17 00:20:33 +01001136 { "req.rdp_cookie", smp_fetch_rdp_cookie, ARG1(0,STR), NULL, SMP_T_STR, SMP_USE_L6REQ },
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +02001137 { "req.rdp_cookie_cnt", smp_fetch_rdp_cookie_cnt, ARG1(0,STR), NULL, SMP_T_SINT, SMP_USE_L6REQ },
Nenad Merdanovic5fc7d7e2015-07-07 22:00:17 +02001138 { "req.ssl_ec_ext", smp_fetch_req_ssl_ec_ext, 0, NULL, SMP_T_BOOL, SMP_USE_L6REQ },
Pradeep Jindalbb2acf52015-09-29 10:12:57 +05301139 { "req.ssl_st_ext", smp_fetch_req_ssl_st_ext, 0, NULL, SMP_T_SINT, SMP_USE_L6REQ },
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +02001140 { "req.ssl_hello_type", smp_fetch_ssl_hello_type, 0, NULL, SMP_T_SINT, SMP_USE_L6REQ },
Thierry FOURNIER7654c9f2013-12-17 00:20:33 +01001141 { "req.ssl_sni", smp_fetch_ssl_hello_sni, 0, NULL, SMP_T_STR, SMP_USE_L6REQ },
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +02001142 { "req.ssl_ver", smp_fetch_req_ssl_ver, 0, NULL, SMP_T_SINT, SMP_USE_L6REQ },
1143 { "res.len", smp_fetch_len, 0, NULL, SMP_T_SINT, SMP_USE_L6RES },
Thierry FOURNIERbf65cd42015-07-20 17:45:02 +02001144 { "res.payload", smp_fetch_payload, ARG2(2,SINT,SINT), NULL, SMP_T_BIN, SMP_USE_L6RES },
1145 { "res.payload_lv", smp_fetch_payload_lv, ARG3(2,SINT,SINT,STR), val_payload_lv, SMP_T_BIN, SMP_USE_L6RES },
Thierry FOURNIER07ee64e2015-07-06 23:43:03 +02001146 { "res.ssl_hello_type", smp_fetch_ssl_hello_type, 0, NULL, SMP_T_SINT, SMP_USE_L6RES },
Willy Tarreaud4c33c82013-01-07 21:59:07 +01001147 { "wait_end", smp_fetch_wait_end, 0, NULL, SMP_T_BOOL, SMP_USE_INTRN },
1148 { /* END */ },
1149}};
1150
1151
1152/* Note: must not be declared <const> as its list will be overwritten.
1153 * Please take care of keeping this list alphabetically sorted.
1154 */
Willy Tarreaudc13c112013-06-21 23:16:39 +02001155static struct acl_kw_list acl_kws = {ILH, {
Thierry FOURNIERc5a4e982014-03-05 16:07:08 +01001156 { "payload", "req.payload", PAT_MATCH_BIN },
1157 { "payload_lv", "req.payload_lv", PAT_MATCH_BIN },
1158 { "req_rdp_cookie", "req.rdp_cookie", PAT_MATCH_STR },
1159 { "req_rdp_cookie_cnt", "req.rdp_cookie_cnt", PAT_MATCH_INT },
1160 { "req_ssl_sni", "req.ssl_sni", PAT_MATCH_STR },
1161 { "req_ssl_ver", "req.ssl_ver", PAT_MATCH_INT, pat_parse_dotted_ver },
1162 { "req.ssl_ver", "req.ssl_ver", PAT_MATCH_INT, pat_parse_dotted_ver },
Willy Tarreaud4c33c82013-01-07 21:59:07 +01001163 { /* END */ },
1164}};
1165
1166
1167__attribute__((constructor))
1168static void __payload_init(void)
1169{
1170 sample_register_fetches(&smp_kws);
1171 acl_register_keywords(&acl_kws);
1172}
1173
1174/*
1175 * Local variables:
1176 * c-indent-level: 8
1177 * c-basic-offset: 8
1178 * End:
1179 */