blob: 3e74ce5463d6491b8804009d0b5c4d0293911d4a [file] [log] [blame]
Emeric Brun46591952012-05-18 15:47:34 +02001/*
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02002 * SSL/TLS transport layer over SOCK_STREAM sockets
Emeric Brun46591952012-05-18 15:47:34 +02003 *
4 * Copyright (C) 2012 EXCELIANCE, Emeric Brun <ebrun@exceliance.fr>
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 *
Willy Tarreau69845df2012-09-10 09:43:09 +020011 * Acknowledgement:
12 * We'd like to specially thank the Stud project authors for a very clean
13 * and well documented code which helped us understand how the OpenSSL API
14 * ought to be used in non-blocking mode. This is one difficult part which
15 * is not easy to get from the OpenSSL doc, and reading the Stud code made
16 * it much more obvious than the examples in the OpenSSL package. Keep up
17 * the good works, guys !
18 *
19 * Stud is an extremely efficient and scalable SSL/TLS proxy which combines
20 * particularly well with haproxy. For more info about this project, visit :
21 * https://github.com/bumptech/stud
22 *
Emeric Brun46591952012-05-18 15:47:34 +020023 */
24
25#define _GNU_SOURCE
Emeric Brunfc0421f2012-09-07 17:30:07 +020026#include <ctype.h>
27#include <dirent.h>
Emeric Brun46591952012-05-18 15:47:34 +020028#include <errno.h>
29#include <fcntl.h>
30#include <stdio.h>
31#include <stdlib.h>
Emeric Brunfc0421f2012-09-07 17:30:07 +020032#include <string.h>
33#include <unistd.h>
Emeric Brun46591952012-05-18 15:47:34 +020034
35#include <sys/socket.h>
36#include <sys/stat.h>
37#include <sys/types.h>
38
39#include <netinet/tcp.h>
40
41#include <openssl/ssl.h>
Emeric Brunfc0421f2012-09-07 17:30:07 +020042#include <openssl/x509.h>
43#include <openssl/x509v3.h>
44#include <openssl/x509.h>
45#include <openssl/err.h>
Emeric Brun46591952012-05-18 15:47:34 +020046
47#include <common/buffer.h>
48#include <common/compat.h>
49#include <common/config.h>
50#include <common/debug.h>
Willy Tarreau79eeafa2012-09-14 07:53:05 +020051#include <common/errors.h>
Emeric Brun46591952012-05-18 15:47:34 +020052#include <common/standard.h>
53#include <common/ticks.h>
54#include <common/time.h>
55
Emeric Brunfc0421f2012-09-07 17:30:07 +020056#include <ebsttree.h>
57
58#include <types/global.h>
59#include <types/ssl_sock.h>
60
Willy Tarreau7875d092012-09-10 08:20:03 +020061#include <proto/acl.h>
62#include <proto/arg.h>
Emeric Brun46591952012-05-18 15:47:34 +020063#include <proto/connection.h>
64#include <proto/fd.h>
65#include <proto/freq_ctr.h>
66#include <proto/frontend.h>
Willy Tarreau79eeafa2012-09-14 07:53:05 +020067#include <proto/listener.h>
Willy Tarreau92faadf2012-10-10 23:04:25 +020068#include <proto/server.h>
Emeric Brun46591952012-05-18 15:47:34 +020069#include <proto/log.h>
Emeric Brun94324a42012-10-11 14:00:19 +020070#include <proto/proxy.h>
Emeric Brunfc0421f2012-09-07 17:30:07 +020071#include <proto/shctx.h>
Emeric Brun46591952012-05-18 15:47:34 +020072#include <proto/ssl_sock.h>
73#include <proto/task.h>
74
Emeric Brune64aef12012-09-21 13:15:06 +020075#define SSL_SOCK_ST_FL_VERIFY_DONE 0x00000001
Emeric Brunf282a812012-09-21 15:27:54 +020076/* bits 0xFFFF0000 are reserved to store verify errors */
77
78/* Verify errors macros */
79#define SSL_SOCK_CA_ERROR_TO_ST(e) (((e > 63) ? 63 : e) << (16))
80#define SSL_SOCK_CAEDEPTH_TO_ST(d) (((d > 15) ? 15 : d) << (6+16))
81#define SSL_SOCK_CRTERROR_TO_ST(e) (((e > 63) ? 63 : e) << (4+6+16))
82
83#define SSL_SOCK_ST_TO_CA_ERROR(s) ((s >> (16)) & 63)
84#define SSL_SOCK_ST_TO_CAEDEPTH(s) ((s >> (6+16)) & 15)
85#define SSL_SOCK_ST_TO_CRTERROR(s) ((s >> (4+6+16)) & 63)
Emeric Brune64aef12012-09-21 13:15:06 +020086
Willy Tarreau403edff2012-09-06 11:58:37 +020087static int sslconns = 0;
Emeric Brune1f38db2012-09-03 20:36:47 +020088
89void ssl_sock_infocbk(const SSL *ssl, int where, int ret)
90{
91 struct connection *conn = (struct connection *)SSL_get_app_data(ssl);
92 (void)ret; /* shut gcc stupid warning */
93
94 if (where & SSL_CB_HANDSHAKE_START) {
95 /* Disable renegotiation (CVE-2009-3555) */
Willy Tarreau20879a02012-12-03 16:32:10 +010096 if (conn->flags & CO_FL_CONNECTED) {
Emeric Brune1f38db2012-09-03 20:36:47 +020097 conn->flags |= CO_FL_ERROR;
Willy Tarreau20879a02012-12-03 16:32:10 +010098 conn->err_code = CO_ER_SSL_RENEG;
99 }
Emeric Brune1f38db2012-09-03 20:36:47 +0200100 }
Emeric Brunfc0421f2012-09-07 17:30:07 +0200101}
102
Emeric Brune64aef12012-09-21 13:15:06 +0200103/* Callback is called for each certificate of the chain during a verify
104 ok is set to 1 if preverify detect no error on current certificate.
105 Returns 0 to break the handshake, 1 otherwise. */
106int ssl_sock_verifycbk(int ok, X509_STORE_CTX *x_store)
107{
108 SSL *ssl;
109 struct connection *conn;
Emeric Brun81c00f02012-09-21 14:31:21 +0200110 int err, depth;
Emeric Brune64aef12012-09-21 13:15:06 +0200111
112 ssl = X509_STORE_CTX_get_ex_data(x_store, SSL_get_ex_data_X509_STORE_CTX_idx());
113 conn = (struct connection *)SSL_get_app_data(ssl);
114
Willy Tarreauf7bc57c2012-10-03 00:19:48 +0200115 conn->xprt_st |= SSL_SOCK_ST_FL_VERIFY_DONE;
Emeric Brune64aef12012-09-21 13:15:06 +0200116
Emeric Brun81c00f02012-09-21 14:31:21 +0200117 if (ok) /* no errors */
118 return ok;
119
120 depth = X509_STORE_CTX_get_error_depth(x_store);
121 err = X509_STORE_CTX_get_error(x_store);
122
123 /* check if CA error needs to be ignored */
124 if (depth > 0) {
Willy Tarreauf7bc57c2012-10-03 00:19:48 +0200125 if (!SSL_SOCK_ST_TO_CA_ERROR(conn->xprt_st)) {
126 conn->xprt_st |= SSL_SOCK_CA_ERROR_TO_ST(err);
127 conn->xprt_st |= SSL_SOCK_CAEDEPTH_TO_ST(depth);
Emeric Brunf282a812012-09-21 15:27:54 +0200128 }
129
Emeric Brun1eb20ef2012-12-03 13:24:29 +0100130 if (objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err)) {
131 ERR_clear_error();
Emeric Brun81c00f02012-09-21 14:31:21 +0200132 return 1;
Emeric Brun1eb20ef2012-12-03 13:24:29 +0100133 }
Emeric Brun81c00f02012-09-21 14:31:21 +0200134
Willy Tarreau20879a02012-12-03 16:32:10 +0100135 conn->err_code = CO_ER_SSL_CA_FAIL;
Emeric Brun81c00f02012-09-21 14:31:21 +0200136 return 0;
137 }
138
Willy Tarreauf7bc57c2012-10-03 00:19:48 +0200139 if (!SSL_SOCK_ST_TO_CRTERROR(conn->xprt_st))
140 conn->xprt_st |= SSL_SOCK_CRTERROR_TO_ST(err);
Emeric Brunf282a812012-09-21 15:27:54 +0200141
Emeric Brun81c00f02012-09-21 14:31:21 +0200142 /* check if certificate error needs to be ignored */
Emeric Brun1eb20ef2012-12-03 13:24:29 +0100143 if (objt_listener(conn->target)->bind_conf->crt_ignerr & (1ULL << err)) {
144 ERR_clear_error();
Emeric Brun81c00f02012-09-21 14:31:21 +0200145 return 1;
Emeric Brun1eb20ef2012-12-03 13:24:29 +0100146 }
Emeric Brun81c00f02012-09-21 14:31:21 +0200147
Willy Tarreau20879a02012-12-03 16:32:10 +0100148 conn->err_code = CO_ER_SSL_CRT_FAIL;
Emeric Brun81c00f02012-09-21 14:31:21 +0200149 return 0;
Emeric Brune64aef12012-09-21 13:15:06 +0200150}
151
Willy Tarreau6c9a3d52012-10-18 18:57:14 +0200152#ifdef OPENSSL_NPN_NEGOTIATED
153/* This callback is used so that the server advertises the list of
154 * negociable protocols for NPN.
155 */
156static int ssl_sock_advertise_npn_protos(SSL *s, const unsigned char **data,
157 unsigned int *len, void *arg)
158{
159 struct bind_conf *conf = arg;
160
161 *data = (const unsigned char *)conf->npn_str;
162 *len = conf->npn_len;
163 return SSL_TLSEXT_ERR_OK;
164}
165#endif
166
Emeric Brunfc0421f2012-09-07 17:30:07 +0200167#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
168/* Sets the SSL ctx of <ssl> to match the advertised server name. Returns a
169 * warning when no match is found, which implies the default (first) cert
170 * will keep being used.
171 */
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200172static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, struct bind_conf *s)
Emeric Brunfc0421f2012-09-07 17:30:07 +0200173{
174 const char *servername;
175 const char *wildp = NULL;
176 struct ebmb_node *node;
177 int i;
178 (void)al; /* shut gcc stupid warning */
179
180 servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
181 if (!servername)
182 return SSL_TLSEXT_ERR_NOACK;
183
Willy Tarreau19d14ef2012-10-29 16:51:55 +0100184 for (i = 0; i < trash.size; i++) {
Emeric Brunfc0421f2012-09-07 17:30:07 +0200185 if (!servername[i])
186 break;
Willy Tarreau19d14ef2012-10-29 16:51:55 +0100187 trash.str[i] = tolower(servername[i]);
188 if (!wildp && (trash.str[i] == '.'))
189 wildp = &trash.str[i];
Emeric Brunfc0421f2012-09-07 17:30:07 +0200190 }
Willy Tarreau19d14ef2012-10-29 16:51:55 +0100191 trash.str[i] = 0;
Emeric Brunfc0421f2012-09-07 17:30:07 +0200192
193 /* lookup in full qualified names */
Willy Tarreau19d14ef2012-10-29 16:51:55 +0100194 node = ebst_lookup(&s->sni_ctx, trash.str);
Emeric Brunfc0421f2012-09-07 17:30:07 +0200195 if (!node) {
196 if (!wildp)
197 return SSL_TLSEXT_ERR_ALERT_WARNING;
198
199 /* lookup in full wildcards names */
200 node = ebst_lookup(&s->sni_w_ctx, wildp);
201 if (!node)
202 return SSL_TLSEXT_ERR_ALERT_WARNING;
203 }
204
205 /* switch ctx */
206 SSL_set_SSL_CTX(ssl, container_of(node, struct sni_ctx, name)->ctx);
207 return SSL_TLSEXT_ERR_OK;
208}
209#endif /* SSL_CTRL_SET_TLSEXT_HOSTNAME */
210
Emeric Bruna4bcd9a2012-09-20 16:19:02 +0200211#ifndef OPENSSL_NO_DH
212/* Loads Diffie-Hellman parameter from a file. Returns 1 if loaded, else -1
213 if an error occured, and 0 if parameter not found. */
214int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file)
215{
216 int ret = -1;
217 BIO *in;
218 DH *dh = NULL;
219
220 in = BIO_new(BIO_s_file());
221 if (in == NULL)
222 goto end;
223
224 if (BIO_read_filename(in, file) <= 0)
225 goto end;
226
227 dh = PEM_read_bio_DHparams(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata);
228 if (dh) {
229 SSL_CTX_set_tmp_dh(ctx, dh);
230 ret = 1;
231 goto end;
232 }
233
234 ret = 0; /* DH params not found */
Emeric Brun644cde02012-12-14 11:21:13 +0100235
236 /* Clear openssl global errors stack */
237 ERR_clear_error();
Emeric Bruna4bcd9a2012-09-20 16:19:02 +0200238end:
239 if (dh)
240 DH_free(dh);
241
242 if (in)
243 BIO_free(in);
244
245 return ret;
246}
247#endif
248
Emeric Brunfc0421f2012-09-07 17:30:07 +0200249/* Loads a certificate key and CA chain from a file. Returns 0 on error, -1 if
250 * an early error happens and the caller must call SSL_CTX_free() by itelf.
251 */
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200252int ssl_sock_load_cert_chain_file(SSL_CTX *ctx, const char *file, struct bind_conf *s)
Emeric Brunfc0421f2012-09-07 17:30:07 +0200253{
254 BIO *in;
255 X509 *x = NULL, *ca;
256 int i, len, err;
257 int ret = -1;
258 int order = 0;
259 X509_NAME *xname;
260 char *str;
261 struct sni_ctx *sc;
262#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
263 STACK_OF(GENERAL_NAME) *names;
264#endif
265
266 in = BIO_new(BIO_s_file());
267 if (in == NULL)
268 goto end;
269
270 if (BIO_read_filename(in, file) <= 0)
271 goto end;
272
273 x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata);
274 if (x == NULL)
275 goto end;
276
277#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
278 names = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
279 if (names) {
280 for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
281 GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i);
282 if (name->type == GEN_DNS) {
283 if (ASN1_STRING_to_UTF8((unsigned char **)&str, name->d.dNSName) >= 0) {
284 if ((len = strlen(str))) {
285 int j;
286
287 if (*str != '*') {
288 sc = malloc(sizeof(struct sni_ctx) + len + 1);
289 for (j = 0; j < len; j++)
290 sc->name.key[j] = tolower(str[j]);
291 sc->name.key[len] = 0;
292 sc->order = order++;
293 sc->ctx = ctx;
294 ebst_insert(&s->sni_ctx, &sc->name);
295 }
296 else {
297 sc = malloc(sizeof(struct sni_ctx) + len);
298 for (j = 1; j < len; j++)
299 sc->name.key[j-1] = tolower(str[j]);
300 sc->name.key[len-1] = 0;
301 sc->order = order++;
302 sc->ctx = ctx;
303 ebst_insert(&s->sni_w_ctx, &sc->name);
304 }
305 }
306 OPENSSL_free(str);
307 }
308 }
309 }
310 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
311 }
312#endif /* SSL_CTRL_SET_TLSEXT_HOSTNAME */
313
314 xname = X509_get_subject_name(x);
315 i = -1;
316 while ((i = X509_NAME_get_index_by_NID(xname, NID_commonName, i)) != -1) {
317 X509_NAME_ENTRY *entry = X509_NAME_get_entry(xname, i);
318 if (ASN1_STRING_to_UTF8((unsigned char **)&str, entry->value) >= 0) {
319 if ((len = strlen(str))) {
320 int j;
321
322 if (*str != '*') {
323 sc = malloc(sizeof(struct sni_ctx) + len + 1);
324 for (j = 0; j < len; j++)
325 sc->name.key[j] = tolower(str[j]);
326 sc->name.key[len] = 0;
327 sc->order = order++;
328 sc->ctx = ctx;
329 ebst_insert(&s->sni_ctx, &sc->name);
330 }
331 else {
332 sc = malloc(sizeof(struct sni_ctx) + len);
333 for (j = 1; j < len; j++)
334 sc->name.key[j-1] = tolower(str[j]);
335 sc->name.key[len-1] = 0;
336 sc->order = order++;
337 sc->ctx = ctx;
338 ebst_insert(&s->sni_w_ctx, &sc->name);
339 }
340 }
341 OPENSSL_free(str);
342 }
343 }
344
345 ret = 0; /* the caller must not free the SSL_CTX argument anymore */
346 if (!SSL_CTX_use_certificate(ctx, x))
347 goto end;
348
349 if (ctx->extra_certs != NULL) {
350 sk_X509_pop_free(ctx->extra_certs, X509_free);
351 ctx->extra_certs = NULL;
352 }
353
354 while ((ca = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata))) {
355 if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
356 X509_free(ca);
357 goto end;
358 }
359 }
360
361 err = ERR_get_error();
362 if (!err || (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
363 /* we successfully reached the last cert in the file */
364 ret = 1;
365 }
366 ERR_clear_error();
367
368end:
369 if (x)
370 X509_free(x);
371
372 if (in)
373 BIO_free(in);
374
375 return ret;
376}
377
Willy Tarreau79eeafa2012-09-14 07:53:05 +0200378static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf, struct proxy *curproxy, char **err)
Emeric Brunfc0421f2012-09-07 17:30:07 +0200379{
380 int ret;
381 SSL_CTX *ctx;
382
383 ctx = SSL_CTX_new(SSLv23_server_method());
384 if (!ctx) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200385 memprintf(err, "%sunable to allocate SSL context for cert '%s'.\n",
386 err && *err ? *err : "", path);
Emeric Brunfc0421f2012-09-07 17:30:07 +0200387 return 1;
388 }
389
390 if (SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM) <= 0) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200391 memprintf(err, "%sunable to load SSL private key from PEM file '%s'.\n",
392 err && *err ? *err : "", path);
Emeric Brunfc0421f2012-09-07 17:30:07 +0200393 SSL_CTX_free(ctx);
394 return 1;
395 }
396
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200397 ret = ssl_sock_load_cert_chain_file(ctx, path, bind_conf);
Emeric Brunfc0421f2012-09-07 17:30:07 +0200398 if (ret <= 0) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200399 memprintf(err, "%sunable to load SSL certificate from PEM file '%s'.\n",
400 err && *err ? *err : "", path);
Emeric Brunfc0421f2012-09-07 17:30:07 +0200401 if (ret < 0) /* serious error, must do that ourselves */
402 SSL_CTX_free(ctx);
403 return 1;
404 }
Emeric Brun61694ab2012-10-26 13:35:33 +0200405
406 if (SSL_CTX_check_private_key(ctx) <= 0) {
407 memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
408 err && *err ? *err : "", path);
409 return 1;
410 }
411
Emeric Brunfc0421f2012-09-07 17:30:07 +0200412 /* we must not free the SSL_CTX anymore below, since it's already in
413 * the tree, so it will be discovered and cleaned in time.
414 */
Emeric Bruna4bcd9a2012-09-20 16:19:02 +0200415#ifndef OPENSSL_NO_DH
416 ret = ssl_sock_load_dh_params(ctx, path);
417 if (ret < 0) {
418 if (err)
419 memprintf(err, "%sunable to load DH parameters from file '%s'.\n",
420 *err ? *err : "", path);
421 return 1;
422 }
423#endif
424
Emeric Brunfc0421f2012-09-07 17:30:07 +0200425#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200426 if (bind_conf->default_ctx) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200427 memprintf(err, "%sthis version of openssl cannot load multiple SSL certificates.\n",
428 err && *err ? *err : "");
Emeric Brunfc0421f2012-09-07 17:30:07 +0200429 return 1;
430 }
431#endif
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200432 if (!bind_conf->default_ctx)
433 bind_conf->default_ctx = ctx;
Emeric Brunfc0421f2012-09-07 17:30:07 +0200434
435 return 0;
436}
437
Willy Tarreau79eeafa2012-09-14 07:53:05 +0200438int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, struct proxy *curproxy, char **err)
Emeric Brunfc0421f2012-09-07 17:30:07 +0200439{
440 struct dirent *de;
441 DIR *dir;
442 struct stat buf;
Willy Tarreauee2663b2012-12-06 11:36:59 +0100443 char *end;
444 char fp[MAXPATHLEN+1];
Emeric Brunfc0421f2012-09-07 17:30:07 +0200445 int cfgerr = 0;
446
447 if (!(dir = opendir(path)))
Willy Tarreau79eeafa2012-09-14 07:53:05 +0200448 return ssl_sock_load_cert_file(path, bind_conf, curproxy, err);
Emeric Brunfc0421f2012-09-07 17:30:07 +0200449
450 /* strip trailing slashes, including first one */
451 for (end = path + strlen(path) - 1; end >= path && *end == '/'; end--)
452 *end = 0;
453
Emeric Brunfc0421f2012-09-07 17:30:07 +0200454 while ((de = readdir(dir))) {
Willy Tarreauee2663b2012-12-06 11:36:59 +0100455 snprintf(fp, sizeof(fp), "%s/%s", path, de->d_name);
Emeric Brunfc0421f2012-09-07 17:30:07 +0200456 if (stat(fp, &buf) != 0) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200457 memprintf(err, "%sunable to stat SSL certificate from file '%s' : %s.\n",
458 err && *err ? *err : "", fp, strerror(errno));
Emeric Brunfc0421f2012-09-07 17:30:07 +0200459 cfgerr++;
460 continue;
461 }
462 if (!S_ISREG(buf.st_mode))
463 continue;
Willy Tarreau79eeafa2012-09-14 07:53:05 +0200464 cfgerr += ssl_sock_load_cert_file(fp, bind_conf, curproxy, err);
Emeric Brunfc0421f2012-09-07 17:30:07 +0200465 }
Emeric Brunfc0421f2012-09-07 17:30:07 +0200466 closedir(dir);
467 return cfgerr;
468}
469
470#ifndef SSL_OP_CIPHER_SERVER_PREFERENCE /* needs OpenSSL >= 0.9.7 */
471#define SSL_OP_CIPHER_SERVER_PREFERENCE 0
472#endif
473
474#ifndef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION /* needs OpenSSL >= 0.9.7 */
475#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0
Willy Tarreau7d588ee2012-11-26 18:47:31 +0100476#define SSL_renegotiate_pending(arg) 0
Emeric Brunfc0421f2012-09-07 17:30:07 +0200477#endif
Emeric Brun2b58d042012-09-20 17:10:03 +0200478#ifndef SSL_OP_SINGLE_ECDH_USE /* needs OpenSSL >= 0.9.8 */
479#define SSL_OP_SINGLE_ECDH_USE 0
480#endif
Emeric Brun2d0c4822012-10-02 13:45:20 +0200481#ifndef SSL_OP_NO_TICKET /* needs OpenSSL >= 0.9.8 */
482#define SSL_OP_NO_TICKET 0
483#endif
Emeric Brunfc0421f2012-09-07 17:30:07 +0200484#ifndef SSL_OP_NO_COMPRESSION /* needs OpenSSL >= 0.9.9 */
485#define SSL_OP_NO_COMPRESSION 0
486#endif
Emeric Brunc0ff4922012-09-28 19:37:02 +0200487#ifndef SSL_OP_NO_TLSv1_1 /* needs OpenSSL >= 1.0.1 */
488#define SSL_OP_NO_TLSv1_1 0
489#endif
490#ifndef SSL_OP_NO_TLSv1_2 /* needs OpenSSL >= 1.0.1 */
491#define SSL_OP_NO_TLSv1_2 0
492#endif
Emeric Bruna4bcd9a2012-09-20 16:19:02 +0200493#ifndef SSL_OP_SINGLE_DH_USE /* needs OpenSSL >= 0.9.6 */
494#define SSL_OP_SINGLE_DH_USE 0
495#endif
Emeric Brun2b58d042012-09-20 17:10:03 +0200496#ifndef SSL_OP_SINGLE_ECDH_USE /* needs OpenSSL >= 1.0.0 */
497#define SSL_OP_SINGLE_ECDH_USE 0
498#endif
Emeric Brunfc0421f2012-09-07 17:30:07 +0200499#ifndef SSL_MODE_RELEASE_BUFFERS /* needs OpenSSL >= 1.0.0 */
500#define SSL_MODE_RELEASE_BUFFERS 0
501#endif
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200502int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy *curproxy)
Emeric Brunfc0421f2012-09-07 17:30:07 +0200503{
504 int cfgerr = 0;
505 int ssloptions =
506 SSL_OP_ALL | /* all known workarounds for bugs */
507 SSL_OP_NO_SSLv2 |
508 SSL_OP_NO_COMPRESSION |
Emeric Bruna4bcd9a2012-09-20 16:19:02 +0200509 SSL_OP_SINGLE_DH_USE |
Emeric Brun2b58d042012-09-20 17:10:03 +0200510 SSL_OP_SINGLE_ECDH_USE |
Emeric Brun3c4bc6e2012-10-04 18:44:19 +0200511 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
512 SSL_OP_CIPHER_SERVER_PREFERENCE;
Emeric Brunfc0421f2012-09-07 17:30:07 +0200513 int sslmode =
514 SSL_MODE_ENABLE_PARTIAL_WRITE |
515 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
516 SSL_MODE_RELEASE_BUFFERS;
517
Emeric Brun89675492012-10-05 13:48:26 +0200518 if (bind_conf->ssl_options & BC_SSL_O_NO_SSLV3)
Emeric Brunfc0421f2012-09-07 17:30:07 +0200519 ssloptions |= SSL_OP_NO_SSLv3;
Emeric Brun89675492012-10-05 13:48:26 +0200520 if (bind_conf->ssl_options & BC_SSL_O_NO_TLSV10)
Emeric Brunfc0421f2012-09-07 17:30:07 +0200521 ssloptions |= SSL_OP_NO_TLSv1;
Emeric Brun89675492012-10-05 13:48:26 +0200522 if (bind_conf->ssl_options & BC_SSL_O_NO_TLSV11)
Emeric Brunc0ff4922012-09-28 19:37:02 +0200523 ssloptions |= SSL_OP_NO_TLSv1_1;
Emeric Brun89675492012-10-05 13:48:26 +0200524 if (bind_conf->ssl_options & BC_SSL_O_NO_TLSV12)
Emeric Brunc0ff4922012-09-28 19:37:02 +0200525 ssloptions |= SSL_OP_NO_TLSv1_2;
Emeric Brun89675492012-10-05 13:48:26 +0200526 if (bind_conf->ssl_options & BC_SSL_O_NO_TLS_TICKETS)
Emeric Brun2d0c4822012-10-02 13:45:20 +0200527 ssloptions |= SSL_OP_NO_TICKET;
Emeric Brun2cb7ae52012-10-05 14:14:21 +0200528 if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3)
529 SSL_CTX_set_ssl_version(ctx, SSLv3_server_method());
530 if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV10)
531 SSL_CTX_set_ssl_version(ctx, TLSv1_server_method());
532#if SSL_OP_NO_TLSv1_1
533 if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV11)
534 SSL_CTX_set_ssl_version(ctx, TLSv1_1_server_method());
535#endif
536#if SSL_OP_NO_TLSv1_2
537 if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV12)
538 SSL_CTX_set_ssl_version(ctx, TLSv1_2_server_method());
539#endif
Emeric Brunfc0421f2012-09-07 17:30:07 +0200540
541 SSL_CTX_set_options(ctx, ssloptions);
542 SSL_CTX_set_mode(ctx, sslmode);
Emeric Brune64aef12012-09-21 13:15:06 +0200543 SSL_CTX_set_verify(ctx, bind_conf->verify ? bind_conf->verify : SSL_VERIFY_NONE, ssl_sock_verifycbk);
Emeric Brund94b3fe2012-09-20 18:23:56 +0200544 if (bind_conf->verify & SSL_VERIFY_PEER) {
Emeric Brunfb510ea2012-10-05 12:00:26 +0200545 if (bind_conf->ca_file) {
Emeric Brund94b3fe2012-09-20 18:23:56 +0200546 /* load CAfile to verify */
Emeric Brunfb510ea2012-10-05 12:00:26 +0200547 if (!SSL_CTX_load_verify_locations(ctx, bind_conf->ca_file, NULL)) {
Emeric Brund94b3fe2012-09-20 18:23:56 +0200548 Alert("Proxy '%s': unable to load CA file '%s' for bind '%s' at [%s:%d].\n",
Emeric Brunfb510ea2012-10-05 12:00:26 +0200549 curproxy->id, bind_conf->ca_file, bind_conf->arg, bind_conf->file, bind_conf->line);
Emeric Brund94b3fe2012-09-20 18:23:56 +0200550 cfgerr++;
551 }
552 /* set CA names fo client cert request, function returns void */
Emeric Brunfb510ea2012-10-05 12:00:26 +0200553 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(bind_conf->ca_file));
Emeric Brund94b3fe2012-09-20 18:23:56 +0200554 }
Emeric Brun051cdab2012-10-02 19:25:50 +0200555#ifdef X509_V_FLAG_CRL_CHECK
Emeric Brunfb510ea2012-10-05 12:00:26 +0200556 if (bind_conf->crl_file) {
Emeric Brund94b3fe2012-09-20 18:23:56 +0200557 X509_STORE *store = SSL_CTX_get_cert_store(ctx);
558
Emeric Brunfb510ea2012-10-05 12:00:26 +0200559 if (!store || !X509_STORE_load_locations(store, bind_conf->crl_file, NULL)) {
Emeric Brund94b3fe2012-09-20 18:23:56 +0200560 Alert("Proxy '%s': unable to configure CRL file '%s' for bind '%s' at [%s:%d].\n",
Emeric Brunfb510ea2012-10-05 12:00:26 +0200561 curproxy->id, bind_conf->ca_file, bind_conf->arg, bind_conf->file, bind_conf->line);
Emeric Brund94b3fe2012-09-20 18:23:56 +0200562 cfgerr++;
563 }
Emeric Brun561e5742012-10-02 15:20:55 +0200564 else {
565 X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
566 }
Emeric Brund94b3fe2012-09-20 18:23:56 +0200567 }
Emeric Brun051cdab2012-10-02 19:25:50 +0200568#endif
Emeric Brun644cde02012-12-14 11:21:13 +0100569 ERR_clear_error();
Emeric Brund94b3fe2012-09-20 18:23:56 +0200570 }
Emeric Brunfc0421f2012-09-07 17:30:07 +0200571
Emeric Brun4f65bff2012-11-16 15:11:00 +0100572 if (global.tune.ssllifetime)
573 SSL_CTX_set_timeout(ctx, global.tune.ssllifetime);
574
Emeric Brunfc0421f2012-09-07 17:30:07 +0200575 shared_context_set_cache(ctx);
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200576 if (bind_conf->ciphers &&
577 !SSL_CTX_set_cipher_list(ctx, bind_conf->ciphers)) {
Emeric Brunfc0421f2012-09-07 17:30:07 +0200578 Alert("Proxy '%s': unable to set SSL cipher list to '%s' for bind '%s' at [%s:%d].\n",
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200579 curproxy->id, bind_conf->ciphers, bind_conf->arg, bind_conf->file, bind_conf->line);
Emeric Brunfc0421f2012-09-07 17:30:07 +0200580 cfgerr++;
581 }
582
583 SSL_CTX_set_info_callback(ctx, ssl_sock_infocbk);
Willy Tarreau6c9a3d52012-10-18 18:57:14 +0200584#ifdef OPENSSL_NPN_NEGOTIATED
585 if (bind_conf->npn_str)
586 SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_sock_advertise_npn_protos, bind_conf);
587#endif
588
Emeric Brunfc0421f2012-09-07 17:30:07 +0200589#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
590 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_cbk);
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200591 SSL_CTX_set_tlsext_servername_arg(ctx, bind_conf);
Emeric Brunfc0421f2012-09-07 17:30:07 +0200592#endif
Emeric Brun2b58d042012-09-20 17:10:03 +0200593#if defined(SSL_CTX_set_tmp_ecdh) && !defined(OPENSSL_NO_ECDH)
594 if (bind_conf->ecdhe) {
595 int i;
596 EC_KEY *ecdh;
597
598 i = OBJ_sn2nid(bind_conf->ecdhe);
599 if (!i || ((ecdh = EC_KEY_new_by_curve_name(i)) == NULL)) {
600 Alert("Proxy '%s': unable to set elliptic named curve to '%s' for bind '%s' at [%s:%d].\n",
601 curproxy->id, bind_conf->ecdhe, bind_conf->arg, bind_conf->file, bind_conf->line);
602 cfgerr++;
603 }
604 else {
605 SSL_CTX_set_tmp_ecdh(ctx, ecdh);
606 EC_KEY_free(ecdh);
607 }
608 }
609#endif
610
Emeric Brunfc0421f2012-09-07 17:30:07 +0200611 return cfgerr;
612}
613
Emeric Brun94324a42012-10-11 14:00:19 +0200614/* prepare ssl context from servers options. Returns an error count */
615int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
616{
617 int cfgerr = 0;
618 int options =
619 SSL_OP_ALL | /* all known workarounds for bugs */
620 SSL_OP_NO_SSLv2 |
621 SSL_OP_NO_COMPRESSION;
622 int mode =
623 SSL_MODE_ENABLE_PARTIAL_WRITE |
624 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
625 SSL_MODE_RELEASE_BUFFERS;
626
627 /* Initiate SSL context for current server */
628 srv->ssl_ctx.reused_sess = NULL;
629 if (srv->use_ssl)
630 srv->xprt = &ssl_sock;
631 if (srv->check.use_ssl)
632 srv->check.xprt = &ssl_sock;
633
634 srv->ssl_ctx.ctx = SSL_CTX_new(SSLv23_client_method());
635 if (!srv->ssl_ctx.ctx) {
636 Alert("config : %s '%s', server '%s': unable to allocate ssl context.\n",
637 proxy_type_str(curproxy), curproxy->id,
638 srv->id);
639 cfgerr++;
640 return cfgerr;
641 }
Emeric Bruna7aa3092012-10-26 12:58:00 +0200642 if (srv->ssl_ctx.client_crt) {
643 if (SSL_CTX_use_PrivateKey_file(srv->ssl_ctx.ctx, srv->ssl_ctx.client_crt, SSL_FILETYPE_PEM) <= 0) {
644 Alert("config : %s '%s', server '%s': unable to load SSL private key from PEM file '%s'.\n",
645 proxy_type_str(curproxy), curproxy->id,
646 srv->id, srv->ssl_ctx.client_crt);
647 cfgerr++;
648 }
649 else if (SSL_CTX_use_certificate_chain_file(srv->ssl_ctx.ctx, srv->ssl_ctx.client_crt) <= 0) {
650 Alert("config : %s '%s', server '%s': unable to load ssl certificate from PEM file '%s'.\n",
651 proxy_type_str(curproxy), curproxy->id,
652 srv->id, srv->ssl_ctx.client_crt);
653 cfgerr++;
654 }
655 else if (SSL_CTX_check_private_key(srv->ssl_ctx.ctx) <= 0) {
656 Alert("config : %s '%s', server '%s': inconsistencies between private key and certificate loaded from PEM file '%s'.\n",
657 proxy_type_str(curproxy), curproxy->id,
658 srv->id, srv->ssl_ctx.client_crt);
659 cfgerr++;
660 }
661 }
Emeric Brun94324a42012-10-11 14:00:19 +0200662
663 if (srv->ssl_ctx.options & SRV_SSL_O_NO_SSLV3)
664 options |= SSL_OP_NO_SSLv3;
665 if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLSV10)
666 options |= SSL_OP_NO_TLSv1;
667 if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLSV11)
668 options |= SSL_OP_NO_TLSv1_1;
669 if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLSV12)
670 options |= SSL_OP_NO_TLSv1_2;
Emeric Brunf9c5c472012-10-11 15:28:34 +0200671 if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLS_TICKETS)
672 options |= SSL_OP_NO_TICKET;
Emeric Brun94324a42012-10-11 14:00:19 +0200673 if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3)
674 SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, SSLv3_client_method());
675 if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV10)
676 SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, TLSv1_client_method());
677#if SSL_OP_NO_TLSv1_1
678 if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV11)
679 SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, TLSv1_1_client_method());
680#endif
681#if SSL_OP_NO_TLSv1_2
682 if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV12)
683 SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, TLSv1_2_client_method());
684#endif
685
686 SSL_CTX_set_options(srv->ssl_ctx.ctx, options);
687 SSL_CTX_set_mode(srv->ssl_ctx.ctx, mode);
Emeric Brunef42d922012-10-11 16:11:36 +0200688 SSL_CTX_set_verify(srv->ssl_ctx.ctx, srv->ssl_ctx.verify ? srv->ssl_ctx.verify : SSL_VERIFY_NONE, NULL);
689 if (srv->ssl_ctx.verify & SSL_VERIFY_PEER) {
690 if (srv->ssl_ctx.ca_file) {
691 /* load CAfile to verify */
692 if (!SSL_CTX_load_verify_locations(srv->ssl_ctx.ctx, srv->ssl_ctx.ca_file, NULL)) {
693 Alert("Proxy '%s', server '%s' |%s:%d] unable to load CA file '%s'.\n",
694 curproxy->id, srv->id,
695 srv->conf.file, srv->conf.line, srv->ssl_ctx.ca_file);
696 cfgerr++;
697 }
698 }
699#ifdef X509_V_FLAG_CRL_CHECK
700 if (srv->ssl_ctx.crl_file) {
701 X509_STORE *store = SSL_CTX_get_cert_store(srv->ssl_ctx.ctx);
702
703 if (!store || !X509_STORE_load_locations(store, srv->ssl_ctx.crl_file, NULL)) {
704 Alert("Proxy '%s', server '%s' |%s:%d] unable to configure CRL file '%s'.\n",
705 curproxy->id, srv->id,
706 srv->conf.file, srv->conf.line, srv->ssl_ctx.crl_file);
707 cfgerr++;
708 }
709 else {
710 X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
711 }
712 }
713#endif
714 }
715
Emeric Brun4f65bff2012-11-16 15:11:00 +0100716 if (global.tune.ssllifetime)
717 SSL_CTX_set_timeout(srv->ssl_ctx.ctx, global.tune.ssllifetime);
718
Emeric Brun94324a42012-10-11 14:00:19 +0200719 SSL_CTX_set_session_cache_mode(srv->ssl_ctx.ctx, SSL_SESS_CACHE_OFF);
720 if (srv->ssl_ctx.ciphers &&
721 !SSL_CTX_set_cipher_list(srv->ssl_ctx.ctx, srv->ssl_ctx.ciphers)) {
722 Alert("Proxy '%s', server '%s' [%s:%d] : unable to set SSL cipher list to '%s'.\n",
723 curproxy->id, srv->id,
724 srv->conf.file, srv->conf.line, srv->ssl_ctx.ciphers);
725 cfgerr++;
726 }
727
728 return cfgerr;
729}
730
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200731/* Walks down the two trees in bind_conf and prepares all certs. The pointer may
Emeric Brunfc0421f2012-09-07 17:30:07 +0200732 * be NULL, in which case nothing is done. Returns the number of errors
733 * encountered.
734 */
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200735int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf, struct proxy *px)
Emeric Brunfc0421f2012-09-07 17:30:07 +0200736{
737 struct ebmb_node *node;
738 struct sni_ctx *sni;
739 int err = 0;
740
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200741 if (!bind_conf || !bind_conf->is_ssl)
Emeric Brunfc0421f2012-09-07 17:30:07 +0200742 return 0;
743
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200744 node = ebmb_first(&bind_conf->sni_ctx);
Emeric Brunfc0421f2012-09-07 17:30:07 +0200745 while (node) {
746 sni = ebmb_entry(node, struct sni_ctx, name);
747 if (!sni->order) /* only initialize the CTX on its first occurrence */
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200748 err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
Emeric Brunfc0421f2012-09-07 17:30:07 +0200749 node = ebmb_next(node);
750 }
751
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200752 node = ebmb_first(&bind_conf->sni_w_ctx);
Emeric Brunfc0421f2012-09-07 17:30:07 +0200753 while (node) {
754 sni = ebmb_entry(node, struct sni_ctx, name);
755 if (!sni->order) /* only initialize the CTX on its first occurrence */
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200756 err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
Emeric Brunfc0421f2012-09-07 17:30:07 +0200757 node = ebmb_next(node);
758 }
759 return err;
760}
761
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200762/* Walks down the two trees in bind_conf and frees all the certs. The pointer may
Emeric Brunfc0421f2012-09-07 17:30:07 +0200763 * be NULL, in which case nothing is done. The default_ctx is nullified too.
764 */
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200765void ssl_sock_free_all_ctx(struct bind_conf *bind_conf)
Emeric Brunfc0421f2012-09-07 17:30:07 +0200766{
767 struct ebmb_node *node, *back;
768 struct sni_ctx *sni;
769
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200770 if (!bind_conf || !bind_conf->is_ssl)
Emeric Brunfc0421f2012-09-07 17:30:07 +0200771 return;
772
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200773 node = ebmb_first(&bind_conf->sni_ctx);
Emeric Brunfc0421f2012-09-07 17:30:07 +0200774 while (node) {
775 sni = ebmb_entry(node, struct sni_ctx, name);
776 back = ebmb_next(node);
777 ebmb_delete(node);
778 if (!sni->order) /* only free the CTX on its first occurrence */
779 SSL_CTX_free(sni->ctx);
780 free(sni);
781 node = back;
782 }
783
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200784 node = ebmb_first(&bind_conf->sni_w_ctx);
Emeric Brunfc0421f2012-09-07 17:30:07 +0200785 while (node) {
786 sni = ebmb_entry(node, struct sni_ctx, name);
787 back = ebmb_next(node);
788 ebmb_delete(node);
789 if (!sni->order) /* only free the CTX on its first occurrence */
790 SSL_CTX_free(sni->ctx);
791 free(sni);
792 node = back;
793 }
794
Willy Tarreau2a65ff02012-09-13 17:54:29 +0200795 bind_conf->default_ctx = NULL;
Emeric Brune1f38db2012-09-03 20:36:47 +0200796}
797
Emeric Brun46591952012-05-18 15:47:34 +0200798/*
799 * This function is called if SSL * context is not yet allocated. The function
800 * is designed to be called before any other data-layer operation and sets the
801 * handshake flag on the connection. It is safe to call it multiple times.
802 * It returns 0 on success and -1 in error case.
803 */
804static int ssl_sock_init(struct connection *conn)
805{
806 /* already initialized */
Willy Tarreauf7bc57c2012-10-03 00:19:48 +0200807 if (conn->xprt_ctx)
Emeric Brun46591952012-05-18 15:47:34 +0200808 return 0;
809
Willy Tarreau20879a02012-12-03 16:32:10 +0100810 if (global.maxsslconn && sslconns >= global.maxsslconn) {
811 conn->err_code = CO_ER_SSL_TOO_MANY;
Willy Tarreau403edff2012-09-06 11:58:37 +0200812 return -1;
Willy Tarreau20879a02012-12-03 16:32:10 +0100813 }
Willy Tarreau403edff2012-09-06 11:58:37 +0200814
Emeric Brun46591952012-05-18 15:47:34 +0200815 /* If it is in client mode initiate SSL session
816 in connect state otherwise accept state */
Willy Tarreau3fdb3662012-11-12 00:42:33 +0100817 if (objt_server(conn->target)) {
Emeric Brun46591952012-05-18 15:47:34 +0200818 /* Alloc a new SSL session ctx */
Willy Tarreau3fdb3662012-11-12 00:42:33 +0100819 conn->xprt_ctx = SSL_new(objt_server(conn->target)->ssl_ctx.ctx);
Willy Tarreau20879a02012-12-03 16:32:10 +0100820 if (!conn->xprt_ctx) {
821 conn->err_code = CO_ER_SSL_NO_MEM;
Emeric Brun46591952012-05-18 15:47:34 +0200822 return -1;
Willy Tarreau20879a02012-12-03 16:32:10 +0100823 }
Emeric Brun46591952012-05-18 15:47:34 +0200824
Willy Tarreauf7bc57c2012-10-03 00:19:48 +0200825 SSL_set_connect_state(conn->xprt_ctx);
Willy Tarreau3fdb3662012-11-12 00:42:33 +0100826 if (objt_server(conn->target)->ssl_ctx.reused_sess)
827 SSL_set_session(conn->xprt_ctx, objt_server(conn->target)->ssl_ctx.reused_sess);
Emeric Brun46591952012-05-18 15:47:34 +0200828
829 /* set fd on SSL session context */
Willy Tarreauf7bc57c2012-10-03 00:19:48 +0200830 SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd);
Emeric Brun46591952012-05-18 15:47:34 +0200831
832 /* leave init state and start handshake */
Willy Tarreau05737472012-09-04 08:03:39 +0200833 conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
Willy Tarreau403edff2012-09-06 11:58:37 +0200834
835 sslconns++;
Emeric Brun46591952012-05-18 15:47:34 +0200836 return 0;
837 }
Willy Tarreau3fdb3662012-11-12 00:42:33 +0100838 else if (objt_listener(conn->target)) {
Emeric Brun46591952012-05-18 15:47:34 +0200839 /* Alloc a new SSL session ctx */
Willy Tarreau3fdb3662012-11-12 00:42:33 +0100840 conn->xprt_ctx = SSL_new(objt_listener(conn->target)->bind_conf->default_ctx);
Willy Tarreau20879a02012-12-03 16:32:10 +0100841 if (!conn->xprt_ctx) {
842 conn->err_code = CO_ER_SSL_NO_MEM;
Emeric Brun46591952012-05-18 15:47:34 +0200843 return -1;
Willy Tarreau20879a02012-12-03 16:32:10 +0100844 }
Emeric Brun46591952012-05-18 15:47:34 +0200845
Willy Tarreauf7bc57c2012-10-03 00:19:48 +0200846 SSL_set_accept_state(conn->xprt_ctx);
Emeric Brun46591952012-05-18 15:47:34 +0200847
848 /* set fd on SSL session context */
Willy Tarreauf7bc57c2012-10-03 00:19:48 +0200849 SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd);
Emeric Brun46591952012-05-18 15:47:34 +0200850
Emeric Brune1f38db2012-09-03 20:36:47 +0200851 /* set connection pointer */
Willy Tarreauf7bc57c2012-10-03 00:19:48 +0200852 SSL_set_app_data(conn->xprt_ctx, conn);
Emeric Brune1f38db2012-09-03 20:36:47 +0200853
Emeric Brun46591952012-05-18 15:47:34 +0200854 /* leave init state and start handshake */
Willy Tarreau05737472012-09-04 08:03:39 +0200855 conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
Willy Tarreau403edff2012-09-06 11:58:37 +0200856
857 sslconns++;
Emeric Brun46591952012-05-18 15:47:34 +0200858 return 0;
859 }
860 /* don't know how to handle such a target */
Willy Tarreau20879a02012-12-03 16:32:10 +0100861 conn->err_code = CO_ER_SSL_NO_TARGET;
Emeric Brun46591952012-05-18 15:47:34 +0200862 return -1;
863}
864
865
866/* This is the callback which is used when an SSL handshake is pending. It
867 * updates the FD status if it wants some polling before being called again.
868 * It returns 0 if it fails in a fatal way or needs to poll to go further,
869 * otherwise it returns non-zero and removes itself from the connection's
870 * flags (the bit is provided in <flag> by the caller).
871 */
872int ssl_sock_handshake(struct connection *conn, unsigned int flag)
873{
874 int ret;
875
Willy Tarreauf7bc57c2012-10-03 00:19:48 +0200876 if (!conn->xprt_ctx)
Emeric Brun46591952012-05-18 15:47:34 +0200877 goto out_error;
878
Emeric Brun674b7432012-11-08 19:21:55 +0100879 /* If we use SSL_do_handshake to process a reneg initiated by
880 * the remote peer, it sometimes returns SSL_ERROR_SSL.
881 * Usually SSL_write and SSL_read are used and process implicitly
882 * the reneg handshake.
883 * Here we use SSL_peek as a workaround for reneg.
884 */
885 if ((conn->flags & CO_FL_CONNECTED) && SSL_renegotiate_pending(conn->xprt_ctx)) {
886 char c;
887
888 ret = SSL_peek(conn->xprt_ctx, &c, 1);
889 if (ret <= 0) {
890 /* handshake may have not been completed, let's find why */
891 ret = SSL_get_error(conn->xprt_ctx, ret);
892 if (ret == SSL_ERROR_WANT_WRITE) {
893 /* SSL handshake needs to write, L4 connection may not be ready */
894 __conn_sock_stop_recv(conn);
895 __conn_sock_poll_send(conn);
896 return 0;
897 }
898 else if (ret == SSL_ERROR_WANT_READ) {
899 /* handshake may have been completed but we have
900 * no more data to read.
901 */
902 if (!SSL_renegotiate_pending(conn->xprt_ctx)) {
903 ret = 1;
904 goto reneg_ok;
905 }
906 /* SSL handshake needs to read, L4 connection is ready */
907 if (conn->flags & CO_FL_WAIT_L4_CONN)
908 conn->flags &= ~CO_FL_WAIT_L4_CONN;
909 __conn_sock_stop_send(conn);
910 __conn_sock_poll_recv(conn);
911 return 0;
912 }
913 else if (ret == SSL_ERROR_SYSCALL) {
914 /* if errno is null, then connection was successfully established */
915 if (!errno && conn->flags & CO_FL_WAIT_L4_CONN)
916 conn->flags &= ~CO_FL_WAIT_L4_CONN;
Willy Tarreau20879a02012-12-03 16:32:10 +0100917 if (!conn->err_code) {
918 if (!((SSL *)conn->xprt_ctx)->packet_length)
919 if (!errno)
920 conn->err_code = CO_ER_SSL_EMPTY;
921 else
922 conn->err_code = CO_ER_SSL_ABORT;
923 else
924 conn->err_code = CO_ER_SSL_HANDSHAKE;
925 }
Emeric Brun674b7432012-11-08 19:21:55 +0100926 goto out_error;
927 }
928 else {
929 /* Fail on all other handshake errors */
930 /* Note: OpenSSL may leave unread bytes in the socket's
931 * buffer, causing an RST to be emitted upon close() on
932 * TCP sockets. We first try to drain possibly pending
933 * data to avoid this as much as possible.
934 */
935 ret = recv(conn->t.sock.fd, trash.str, trash.size, MSG_NOSIGNAL|MSG_DONTWAIT);
Willy Tarreau20879a02012-12-03 16:32:10 +0100936 if (!conn->err_code)
937 conn->err_code = CO_ER_SSL_HANDSHAKE;
Emeric Brun674b7432012-11-08 19:21:55 +0100938 goto out_error;
939 }
940 }
941 /* read some data: consider handshake completed */
942 goto reneg_ok;
943 }
944
Willy Tarreauf7bc57c2012-10-03 00:19:48 +0200945 ret = SSL_do_handshake(conn->xprt_ctx);
Emeric Brun46591952012-05-18 15:47:34 +0200946 if (ret != 1) {
947 /* handshake did not complete, let's find why */
Willy Tarreauf7bc57c2012-10-03 00:19:48 +0200948 ret = SSL_get_error(conn->xprt_ctx, ret);
Emeric Brun46591952012-05-18 15:47:34 +0200949
950 if (ret == SSL_ERROR_WANT_WRITE) {
951 /* SSL handshake needs to write, L4 connection may not be ready */
952 __conn_sock_stop_recv(conn);
953 __conn_sock_poll_send(conn);
954 return 0;
955 }
956 else if (ret == SSL_ERROR_WANT_READ) {
957 /* SSL handshake needs to read, L4 connection is ready */
958 if (conn->flags & CO_FL_WAIT_L4_CONN)
959 conn->flags &= ~CO_FL_WAIT_L4_CONN;
960 __conn_sock_stop_send(conn);
961 __conn_sock_poll_recv(conn);
962 return 0;
963 }
Willy Tarreau89230192012-09-28 20:22:13 +0200964 else if (ret == SSL_ERROR_SYSCALL) {
965 /* if errno is null, then connection was successfully established */
966 if (!errno && conn->flags & CO_FL_WAIT_L4_CONN)
967 conn->flags &= ~CO_FL_WAIT_L4_CONN;
Willy Tarreau20879a02012-12-03 16:32:10 +0100968
969 if (!((SSL *)conn->xprt_ctx)->packet_length)
970 if (!errno)
971 conn->err_code = CO_ER_SSL_EMPTY;
972 else
973 conn->err_code = CO_ER_SSL_ABORT;
974 else
975 conn->err_code = CO_ER_SSL_HANDSHAKE;
Willy Tarreau89230192012-09-28 20:22:13 +0200976 goto out_error;
977 }
Emeric Brun46591952012-05-18 15:47:34 +0200978 else {
979 /* Fail on all other handshake errors */
Willy Tarreau566dc552012-10-19 20:52:18 +0200980 /* Note: OpenSSL may leave unread bytes in the socket's
981 * buffer, causing an RST to be emitted upon close() on
982 * TCP sockets. We first try to drain possibly pending
983 * data to avoid this as much as possible.
984 */
Willy Tarreau19d14ef2012-10-29 16:51:55 +0100985 ret = recv(conn->t.sock.fd, trash.str, trash.size, MSG_NOSIGNAL|MSG_DONTWAIT);
Willy Tarreau20879a02012-12-03 16:32:10 +0100986 if (!conn->err_code)
987 conn->err_code = CO_ER_SSL_HANDSHAKE;
Emeric Brun46591952012-05-18 15:47:34 +0200988 goto out_error;
989 }
990 }
991
Emeric Brun674b7432012-11-08 19:21:55 +0100992reneg_ok:
993
Emeric Brun46591952012-05-18 15:47:34 +0200994 /* Handshake succeeded */
Willy Tarreau3fdb3662012-11-12 00:42:33 +0100995 if (objt_server(conn->target)) {
Willy Tarreauf7bc57c2012-10-03 00:19:48 +0200996 if (!SSL_session_reused(conn->xprt_ctx)) {
Emeric Brun46591952012-05-18 15:47:34 +0200997 /* check if session was reused, if not store current session on server for reuse */
Willy Tarreau3fdb3662012-11-12 00:42:33 +0100998 if (objt_server(conn->target)->ssl_ctx.reused_sess)
999 SSL_SESSION_free(objt_server(conn->target)->ssl_ctx.reused_sess);
Emeric Brun46591952012-05-18 15:47:34 +02001000
Willy Tarreau3fdb3662012-11-12 00:42:33 +01001001 objt_server(conn->target)->ssl_ctx.reused_sess = SSL_get1_session(conn->xprt_ctx);
Emeric Brun46591952012-05-18 15:47:34 +02001002 }
1003 }
1004
1005 /* The connection is now established at both layers, it's time to leave */
1006 conn->flags &= ~(flag | CO_FL_WAIT_L4_CONN | CO_FL_WAIT_L6_CONN);
1007 return 1;
1008
1009 out_error:
Emeric Brun644cde02012-12-14 11:21:13 +01001010 /* Clear openssl global errors stack */
1011 ERR_clear_error();
1012
Emeric Brun9fa89732012-10-04 17:09:56 +02001013 /* free resumed session if exists */
Willy Tarreau3fdb3662012-11-12 00:42:33 +01001014 if (objt_server(conn->target) && objt_server(conn->target)->ssl_ctx.reused_sess) {
1015 SSL_SESSION_free(objt_server(conn->target)->ssl_ctx.reused_sess);
1016 objt_server(conn->target)->ssl_ctx.reused_sess = NULL;
Emeric Brun9fa89732012-10-04 17:09:56 +02001017 }
1018
Emeric Brun46591952012-05-18 15:47:34 +02001019 /* Fail on all other handshake errors */
1020 conn->flags |= CO_FL_ERROR;
Willy Tarreau20879a02012-12-03 16:32:10 +01001021 if (!conn->err_code)
1022 conn->err_code = CO_ER_SSL_HANDSHAKE;
Emeric Brun46591952012-05-18 15:47:34 +02001023 return 0;
1024}
1025
1026/* Receive up to <count> bytes from connection <conn>'s socket and store them
1027 * into buffer <buf>. The caller must ensure that <count> is always smaller
1028 * than the buffer's size. Only one call to recv() is performed, unless the
1029 * buffer wraps, in which case a second call may be performed. The connection's
1030 * flags are updated with whatever special event is detected (error, read0,
1031 * empty). The caller is responsible for taking care of those events and
1032 * avoiding the call if inappropriate. The function does not call the
1033 * connection's polling update function, so the caller is responsible for this.
1034 */
1035static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int count)
1036{
1037 int ret, done = 0;
1038 int try = count;
1039
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02001040 if (!conn->xprt_ctx)
Emeric Brun46591952012-05-18 15:47:34 +02001041 goto out_error;
1042
1043 if (conn->flags & CO_FL_HANDSHAKE)
1044 /* a handshake was requested */
1045 return 0;
1046
1047 /* compute the maximum block size we can read at once. */
1048 if (buffer_empty(buf)) {
1049 /* let's realign the buffer to optimize I/O */
1050 buf->p = buf->data;
1051 }
1052 else if (buf->data + buf->o < buf->p &&
1053 buf->p + buf->i < buf->data + buf->size) {
1054 /* remaining space wraps at the end, with a moving limit */
1055 if (try > buf->data + buf->size - (buf->p + buf->i))
1056 try = buf->data + buf->size - (buf->p + buf->i);
1057 }
1058
1059 /* read the largest possible block. For this, we perform only one call
1060 * to recv() unless the buffer wraps and we exactly fill the first hunk,
1061 * in which case we accept to do it once again. A new attempt is made on
1062 * EINTR too.
1063 */
1064 while (try) {
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02001065 ret = SSL_read(conn->xprt_ctx, bi_end(buf), try);
Emeric Brune1f38db2012-09-03 20:36:47 +02001066 if (conn->flags & CO_FL_ERROR) {
1067 /* CO_FL_ERROR may be set by ssl_sock_infocbk */
Emeric Brun644cde02012-12-14 11:21:13 +01001068 goto out_error;
Emeric Brune1f38db2012-09-03 20:36:47 +02001069 }
Emeric Brun46591952012-05-18 15:47:34 +02001070 if (ret > 0) {
1071 buf->i += ret;
1072 done += ret;
1073 if (ret < try)
1074 break;
1075 count -= ret;
1076 try = count;
1077 }
1078 else if (ret == 0) {
Emeric Brun644cde02012-12-14 11:21:13 +01001079 ret = SSL_get_error(conn->xprt_ctx, ret);
1080 if (ret != SSL_ERROR_ZERO_RETURN) {
Emeric Brun1c646862012-12-14 12:33:41 +01001081 /* error on protocol or underlying transport */
1082 if ((ret != SSL_ERROR_SYSCALL)
1083 || (errno && (errno != EAGAIN)))
1084 conn->flags |= CO_FL_ERROR;
1085
Emeric Brun644cde02012-12-14 11:21:13 +01001086 /* Clear openssl global errors stack */
1087 ERR_clear_error();
1088 }
Emeric Brun46591952012-05-18 15:47:34 +02001089 goto read0;
1090 }
1091 else {
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02001092 ret = SSL_get_error(conn->xprt_ctx, ret);
Emeric Brun46591952012-05-18 15:47:34 +02001093 if (ret == SSL_ERROR_WANT_WRITE) {
Emeric Brun8af8dd12012-11-08 17:56:20 +01001094 /* handshake is running, and it needs to enable write */
Emeric Brun46591952012-05-18 15:47:34 +02001095 conn->flags |= CO_FL_SSL_WAIT_HS;
Emeric Brun8af8dd12012-11-08 17:56:20 +01001096 __conn_sock_want_send(conn);
Emeric Brun46591952012-05-18 15:47:34 +02001097 break;
1098 }
1099 else if (ret == SSL_ERROR_WANT_READ) {
Emeric Brun282a76a2012-11-08 18:02:56 +01001100 if (SSL_renegotiate_pending(conn->xprt_ctx)) {
1101 /* handshake is running, and it may need to re-enable read */
1102 conn->flags |= CO_FL_SSL_WAIT_HS;
1103 __conn_sock_want_recv(conn);
1104 break;
1105 }
Emeric Brun46591952012-05-18 15:47:34 +02001106 /* we need to poll for retry a read later */
1107 __conn_data_poll_recv(conn);
1108 break;
1109 }
1110 /* otherwise it's a real error */
1111 goto out_error;
1112 }
1113 }
1114 return done;
1115
1116 read0:
1117 conn_sock_read0(conn);
1118 return done;
1119 out_error:
Emeric Brun644cde02012-12-14 11:21:13 +01001120 /* Clear openssl global errors stack */
1121 ERR_clear_error();
1122
Emeric Brun46591952012-05-18 15:47:34 +02001123 conn->flags |= CO_FL_ERROR;
1124 return done;
1125}
1126
1127
1128/* Send all pending bytes from buffer <buf> to connection <conn>'s socket.
1129 * <flags> may contain MSG_MORE to make the system hold on without sending
1130 * data too fast, but this flag is ignored at the moment.
1131 * Only one call to send() is performed, unless the buffer wraps, in which case
1132 * a second call may be performed. The connection's flags are updated with
1133 * whatever special event is detected (error, empty). The caller is responsible
1134 * for taking care of those events and avoiding the call if inappropriate. The
1135 * function does not call the connection's polling update function, so the caller
1136 * is responsible for this.
1137 */
1138static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int flags)
1139{
1140 int ret, try, done;
1141
1142 done = 0;
1143
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02001144 if (!conn->xprt_ctx)
Emeric Brun46591952012-05-18 15:47:34 +02001145 goto out_error;
1146
1147 if (conn->flags & CO_FL_HANDSHAKE)
1148 /* a handshake was requested */
1149 return 0;
1150
1151 /* send the largest possible block. For this we perform only one call
1152 * to send() unless the buffer wraps and we exactly fill the first hunk,
1153 * in which case we accept to do it once again.
1154 */
1155 while (buf->o) {
1156 try = buf->o;
1157 /* outgoing data may wrap at the end */
1158 if (buf->data + try > buf->p)
1159 try = buf->data + try - buf->p;
1160
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02001161 ret = SSL_write(conn->xprt_ctx, bo_ptr(buf), try);
Emeric Brune1f38db2012-09-03 20:36:47 +02001162 if (conn->flags & CO_FL_ERROR) {
1163 /* CO_FL_ERROR may be set by ssl_sock_infocbk */
Emeric Brun644cde02012-12-14 11:21:13 +01001164 goto out_error;
Emeric Brune1f38db2012-09-03 20:36:47 +02001165 }
Emeric Brun46591952012-05-18 15:47:34 +02001166 if (ret > 0) {
1167 buf->o -= ret;
1168 done += ret;
1169
Willy Tarreau5fb38032012-12-16 19:39:09 +01001170 if (likely(buffer_empty(buf)))
Emeric Brun46591952012-05-18 15:47:34 +02001171 /* optimize data alignment in the buffer */
1172 buf->p = buf->data;
1173
1174 /* if the system buffer is full, don't insist */
1175 if (ret < try)
1176 break;
1177 }
1178 else {
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02001179 ret = SSL_get_error(conn->xprt_ctx, ret);
Emeric Brun46591952012-05-18 15:47:34 +02001180 if (ret == SSL_ERROR_WANT_WRITE) {
Emeric Brun282a76a2012-11-08 18:02:56 +01001181 if (SSL_renegotiate_pending(conn->xprt_ctx)) {
1182 /* handshake is running, and it may need to re-enable write */
1183 conn->flags |= CO_FL_SSL_WAIT_HS;
1184 __conn_sock_want_send(conn);
1185 break;
1186 }
Emeric Brun46591952012-05-18 15:47:34 +02001187 /* we need to poll to retry a write later */
1188 __conn_data_poll_send(conn);
1189 break;
1190 }
1191 else if (ret == SSL_ERROR_WANT_READ) {
Emeric Brun8af8dd12012-11-08 17:56:20 +01001192 /* handshake is running, and it needs to enable read */
Emeric Brun46591952012-05-18 15:47:34 +02001193 conn->flags |= CO_FL_SSL_WAIT_HS;
Emeric Brun8af8dd12012-11-08 17:56:20 +01001194 __conn_sock_want_recv(conn);
Emeric Brun46591952012-05-18 15:47:34 +02001195 break;
1196 }
1197 goto out_error;
1198 }
1199 }
1200 return done;
1201
1202 out_error:
Emeric Brun644cde02012-12-14 11:21:13 +01001203 /* Clear openssl global errors stack */
1204 ERR_clear_error();
1205
Emeric Brun46591952012-05-18 15:47:34 +02001206 conn->flags |= CO_FL_ERROR;
1207 return done;
1208}
1209
Emeric Brun46591952012-05-18 15:47:34 +02001210static void ssl_sock_close(struct connection *conn) {
1211
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02001212 if (conn->xprt_ctx) {
1213 SSL_free(conn->xprt_ctx);
1214 conn->xprt_ctx = NULL;
Willy Tarreau403edff2012-09-06 11:58:37 +02001215 sslconns--;
Emeric Brun46591952012-05-18 15:47:34 +02001216 }
Emeric Brun46591952012-05-18 15:47:34 +02001217}
1218
1219/* This function tries to perform a clean shutdown on an SSL connection, and in
1220 * any case, flags the connection as reusable if no handshake was in progress.
1221 */
1222static void ssl_sock_shutw(struct connection *conn, int clean)
1223{
1224 if (conn->flags & CO_FL_HANDSHAKE)
1225 return;
1226 /* no handshake was in progress, try a clean ssl shutdown */
Emeric Brun644cde02012-12-14 11:21:13 +01001227 if (clean && (SSL_shutdown(conn->xprt_ctx) <= 0)) {
1228 /* Clear openssl global errors stack */
1229 ERR_clear_error();
1230 }
Emeric Brun46591952012-05-18 15:47:34 +02001231
1232 /* force flag on ssl to keep session in cache regardless shutdown result */
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02001233 SSL_set_shutdown(conn->xprt_ctx, SSL_SENT_SHUTDOWN);
Emeric Brun46591952012-05-18 15:47:34 +02001234}
1235
Willy Tarreauffc3fcd2012-10-12 20:17:54 +02001236/* used for logging, may be changed for a sample fetch later */
1237const char *ssl_sock_get_cipher_name(struct connection *conn)
1238{
1239 if (!conn->xprt && !conn->xprt_ctx)
1240 return NULL;
1241 return SSL_get_cipher_name(conn->xprt_ctx);
1242}
1243
1244/* used for logging, may be changed for a sample fetch later */
1245const char *ssl_sock_get_proto_version(struct connection *conn)
1246{
1247 if (!conn->xprt && !conn->xprt_ctx)
1248 return NULL;
1249 return SSL_get_version(conn->xprt_ctx);
1250}
1251
Willy Tarreau8d598402012-10-22 17:58:39 +02001252/* Extract a serial from a cert, and copy it to a chunk.
1253 * Returns 1 if serial is found and copied, 0 if no serial found and
1254 * -1 if output is not large enough.
1255 */
1256static int
1257ssl_sock_get_serial(X509 *crt, struct chunk *out)
1258{
1259 ASN1_INTEGER *serial;
1260
1261 serial = X509_get_serialNumber(crt);
1262 if (!serial)
1263 return 0;
1264
1265 if (out->size < serial->length)
1266 return -1;
1267
1268 memcpy(out->str, serial->data, serial->length);
1269 out->len = serial->length;
1270 return 1;
1271}
1272
Emeric Brunce5ad802012-10-22 14:11:22 +02001273
1274/* Copy Date in ASN1_UTCTIME format in struct chunk out.
1275 * Returns 1 if serial is found and copied, 0 if no valid time found
1276 * and -1 if output is not large enough.
1277 */
1278static int
1279ssl_sock_get_time(ASN1_TIME *tm, struct chunk *out)
1280{
1281 if (tm->type == V_ASN1_GENERALIZEDTIME) {
1282 ASN1_GENERALIZEDTIME *gentm = (ASN1_GENERALIZEDTIME *)tm;
1283
1284 if (gentm->length < 12)
1285 return 0;
1286 if (gentm->data[0] != 0x32 || gentm->data[1] != 0x30)
1287 return 0;
1288 if (out->size < gentm->length-2)
1289 return -1;
1290
1291 memcpy(out->str, gentm->data+2, gentm->length-2);
1292 out->len = gentm->length-2;
1293 return 1;
1294 }
1295 else if (tm->type == V_ASN1_UTCTIME) {
1296 ASN1_UTCTIME *utctm = (ASN1_UTCTIME *)tm;
1297
1298 if (utctm->length < 10)
1299 return 0;
1300 if (utctm->data[0] >= 0x35)
1301 return 0;
1302 if (out->size < utctm->length)
1303 return -1;
1304
1305 memcpy(out->str, utctm->data, utctm->length);
1306 out->len = utctm->length;
1307 return 1;
1308 }
1309
1310 return 0;
1311}
1312
Emeric Brun87855892012-10-17 17:39:35 +02001313/* Extract an entry from a X509_NAME and copy its value to an output chunk.
1314 * Returns 1 if entry found, 0 if entry not found, or -1 if output not large enough.
1315 */
1316static int
1317ssl_sock_get_dn_entry(X509_NAME *a, const struct chunk *entry, int pos, struct chunk *out)
1318{
1319 X509_NAME_ENTRY *ne;
1320 int i, j, n;
1321 int cur = 0;
1322 const char *s;
1323 char tmp[128];
1324
1325 out->len = 0;
1326 for (i = 0; i < sk_X509_NAME_ENTRY_num(a->entries); i++) {
1327 if (pos < 0)
1328 j = (sk_X509_NAME_ENTRY_num(a->entries)-1) - i;
1329 else
1330 j = i;
1331
1332 ne = sk_X509_NAME_ENTRY_value(a->entries, j);
1333 n = OBJ_obj2nid(ne->object);
1334 if ((n == NID_undef) || ((s = OBJ_nid2sn(n)) == NULL)) {
1335 i2t_ASN1_OBJECT(tmp, sizeof(tmp), ne->object);
1336 s = tmp;
1337 }
1338
1339 if (chunk_strcasecmp(entry, s) != 0)
1340 continue;
1341
1342 if (pos < 0)
1343 cur--;
1344 else
1345 cur++;
1346
1347 if (cur != pos)
1348 continue;
1349
1350 if (ne->value->length > out->size)
1351 return -1;
1352
1353 memcpy(out->str, ne->value->data, ne->value->length);
1354 out->len = ne->value->length;
1355 return 1;
1356 }
1357
1358 return 0;
1359
1360}
1361
1362/* Extract and format full DN from a X509_NAME and copy result into a chunk
1363 * Returns 1 if dn entries exits, 0 if no dn entry found or -1 if output is not large enough.
1364 */
1365static int
1366ssl_sock_get_dn_oneline(X509_NAME *a, struct chunk *out)
1367{
1368 X509_NAME_ENTRY *ne;
1369 int i, n, ln;
1370 int l = 0;
1371 const char *s;
1372 char *p;
1373 char tmp[128];
1374
1375 out->len = 0;
1376 p = out->str;
1377 for (i = 0; i < sk_X509_NAME_ENTRY_num(a->entries); i++) {
1378 ne = sk_X509_NAME_ENTRY_value(a->entries, i);
1379 n = OBJ_obj2nid(ne->object);
1380 if ((n == NID_undef) || ((s = OBJ_nid2sn(n)) == NULL)) {
1381 i2t_ASN1_OBJECT(tmp, sizeof(tmp), ne->object);
1382 s = tmp;
1383 }
1384 ln = strlen(s);
1385
1386 l += 1 + ln + 1 + ne->value->length;
1387 if (l > out->size)
1388 return -1;
1389 out->len = l;
1390
1391 *(p++)='/';
1392 memcpy(p, s, ln);
1393 p += ln;
1394 *(p++)='=';
1395 memcpy(p, ne->value->data, ne->value->length);
1396 p += ne->value->length;
1397 }
1398
1399 if (!out->len)
1400 return 0;
1401
1402 return 1;
1403}
1404
Willy Tarreau7875d092012-09-10 08:20:03 +02001405/***** Below are some sample fetching functions for ACL/patterns *****/
1406
Emeric Brune64aef12012-09-21 13:15:06 +02001407/* boolean, returns true if client cert was present */
1408static int
Emeric Brun2525b6b2012-10-18 15:59:43 +02001409smp_fetch_ssl_fc_has_crt(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
1410 const struct arg *args, struct sample *smp)
Emeric Brune64aef12012-09-21 13:15:06 +02001411{
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001412 if (!l4 || l4->si[0].conn->xprt != &ssl_sock)
Emeric Brune64aef12012-09-21 13:15:06 +02001413 return 0;
1414
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001415 if (!(l4->si[0].conn->flags & CO_FL_CONNECTED)) {
Emeric Brune64aef12012-09-21 13:15:06 +02001416 smp->flags |= SMP_F_MAY_CHANGE;
1417 return 0;
1418 }
1419
1420 smp->flags = 0;
1421 smp->type = SMP_T_BOOL;
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001422 smp->data.uint = SSL_SOCK_ST_FL_VERIFY_DONE & l4->si[0].conn->xprt_st ? 1 : 0;
Emeric Brune64aef12012-09-21 13:15:06 +02001423
1424 return 1;
1425}
1426
Willy Tarreau8d598402012-10-22 17:58:39 +02001427/* bin, returns serial in a binary chunk */
1428static int
1429smp_fetch_ssl_c_serial(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
1430 const struct arg *args, struct sample *smp)
1431{
1432 X509 *crt = NULL;
1433 int ret = 0;
1434 struct chunk *smp_trash;
1435
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001436 if (!l4 || l4->si[0].conn->xprt != &ssl_sock)
Willy Tarreau8d598402012-10-22 17:58:39 +02001437 return 0;
1438
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001439 if (!(l4->si[0].conn->flags & CO_FL_CONNECTED)) {
Willy Tarreau8d598402012-10-22 17:58:39 +02001440 smp->flags |= SMP_F_MAY_CHANGE;
1441 return 0;
1442 }
1443
1444 /* SSL_get_peer_certificate, it increase X509 * ref count */
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001445 crt = SSL_get_peer_certificate(l4->si[0].conn->xprt_ctx);
Willy Tarreau8d598402012-10-22 17:58:39 +02001446 if (!crt)
1447 goto out;
1448
1449 smp_trash = sample_get_trash_chunk();
1450 if (ssl_sock_get_serial(crt, smp_trash) <= 0)
1451 goto out;
1452
1453 smp->data.str = *smp_trash;
1454 smp->type = SMP_T_BIN;
1455 ret = 1;
1456out:
1457 if (crt)
1458 X509_free(crt);
1459 return ret;
1460}
Emeric Brune64aef12012-09-21 13:15:06 +02001461
Emeric Brunce5ad802012-10-22 14:11:22 +02001462/*str, returns notafter date in ASN1_UTCTIME format */
1463static int
1464smp_fetch_ssl_c_notafter(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
1465 const struct arg *args, struct sample *smp)
1466{
1467 X509 *crt = NULL;
1468 int ret = 0;
1469 struct chunk *smp_trash;
1470
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001471 if (!l4 || l4->si[0].conn->xprt != &ssl_sock)
Emeric Brunce5ad802012-10-22 14:11:22 +02001472 return 0;
1473
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001474 if (!(l4->si[0].conn->flags & CO_FL_CONNECTED)) {
Emeric Brunce5ad802012-10-22 14:11:22 +02001475 smp->flags |= SMP_F_MAY_CHANGE;
1476 return 0;
1477 }
1478
1479 /* SSL_get_peer_certificate, it increase X509 * ref count */
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001480 crt = SSL_get_peer_certificate(l4->si[0].conn->xprt_ctx);
Emeric Brunce5ad802012-10-22 14:11:22 +02001481 if (!crt)
1482 goto out;
1483
1484 smp_trash = sample_get_trash_chunk();
1485 if (ssl_sock_get_time(X509_get_notAfter(crt), smp_trash) <= 0)
1486 goto out;
1487
1488 smp->data.str = *smp_trash;
1489 smp->type = SMP_T_STR;
1490 ret = 1;
1491out:
1492 if (crt)
1493 X509_free(crt);
1494 return ret;
1495}
1496
Emeric Brun87855892012-10-17 17:39:35 +02001497/* str, returns a string of a formatted full dn \C=..\O=..\OU=.. \CN=.. */
1498static int
1499smp_fetch_ssl_c_i_dn(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
1500 const struct arg *args, struct sample *smp)
1501{
1502 X509 *crt = NULL;
1503 X509_NAME *name;
1504 int ret = 0;
1505 struct chunk *smp_trash;
1506
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001507 if (!l4 || l4->si[0].conn->xprt != &ssl_sock)
Emeric Brun87855892012-10-17 17:39:35 +02001508 return 0;
1509
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001510 if (!(l4->si[0].conn->flags & CO_FL_CONNECTED)) {
Emeric Brun87855892012-10-17 17:39:35 +02001511 smp->flags |= SMP_F_MAY_CHANGE;
1512 return 0;
1513 }
1514
1515 /* SSL_get_peer_certificate, it increase X509 * ref count */
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001516 crt = SSL_get_peer_certificate(l4->si[0].conn->xprt_ctx);
Emeric Brun87855892012-10-17 17:39:35 +02001517 if (!crt)
1518 goto out;
1519
1520 name = X509_get_issuer_name(crt);
1521 if (!name)
1522 goto out;
1523
1524 smp_trash = sample_get_trash_chunk();
1525 if (args && args[0].type == ARGT_STR) {
1526 int pos = 1;
1527
1528 if (args[1].type == ARGT_SINT)
1529 pos = args[1].data.sint;
1530 else if (args[1].type == ARGT_UINT)
1531 pos =(int)args[1].data.uint;
1532
1533 if (ssl_sock_get_dn_entry(name, &args[0].data.str, pos, smp_trash) <= 0)
1534 goto out;
1535 }
1536 else if (ssl_sock_get_dn_oneline(name, smp_trash) <= 0)
1537 goto out;
1538
1539 smp->type = SMP_T_STR;
1540 smp->data.str = *smp_trash;
1541 ret = 1;
1542out:
1543 if (crt)
1544 X509_free(crt);
1545 return ret;
1546}
1547
Emeric Brunce5ad802012-10-22 14:11:22 +02001548/*str, returns notbefore date in ASN1_UTCTIME format */
1549static int
1550smp_fetch_ssl_c_notbefore(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
1551 const struct arg *args, struct sample *smp)
1552{
1553 X509 *crt = NULL;
1554 int ret = 0;
1555 struct chunk *smp_trash;
1556
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001557 if (!l4 || l4->si[0].conn->xprt != &ssl_sock)
Emeric Brunce5ad802012-10-22 14:11:22 +02001558 return 0;
1559
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001560 if (!(l4->si[0].conn->flags & CO_FL_CONNECTED)) {
Emeric Brunce5ad802012-10-22 14:11:22 +02001561 smp->flags |= SMP_F_MAY_CHANGE;
1562 return 0;
1563 }
1564
1565 /* SSL_get_peer_certificate, it increase X509 * ref count */
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001566 crt = SSL_get_peer_certificate(l4->si[0].conn->xprt_ctx);
Emeric Brunce5ad802012-10-22 14:11:22 +02001567 if (!crt)
1568 goto out;
1569
1570 smp_trash = sample_get_trash_chunk();
1571 if (ssl_sock_get_time(X509_get_notBefore(crt), smp_trash) <= 0)
1572 goto out;
1573
1574 smp->data.str = *smp_trash;
1575 smp->type = SMP_T_STR;
1576 ret = 1;
1577out:
1578 if (crt)
1579 X509_free(crt);
1580 return ret;
1581}
1582
Emeric Brun87855892012-10-17 17:39:35 +02001583/* str, returns a string of a formatted full dn \C=..\O=..\OU=.. \CN=.. */
1584static int
1585smp_fetch_ssl_c_s_dn(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
1586 const struct arg *args, struct sample *smp)
1587{
1588 X509 *crt = NULL;
1589 X509_NAME *name;
1590 int ret = 0;
1591 struct chunk *smp_trash;
1592
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001593 if (!l4 || l4->si[0].conn->xprt != &ssl_sock)
Emeric Brun87855892012-10-17 17:39:35 +02001594 return 0;
1595
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001596 if (!(l4->si[0].conn->flags & CO_FL_CONNECTED)) {
Emeric Brun87855892012-10-17 17:39:35 +02001597 smp->flags |= SMP_F_MAY_CHANGE;
1598 return 0;
1599 }
1600
1601 /* SSL_get_peer_certificate, it increase X509 * ref count */
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001602 crt = SSL_get_peer_certificate(l4->si[0].conn->xprt_ctx);
Emeric Brun87855892012-10-17 17:39:35 +02001603 if (!crt)
1604 goto out;
1605
1606 name = X509_get_subject_name(crt);
1607 if (!name)
1608 goto out;
1609
1610 smp_trash = sample_get_trash_chunk();
1611 if (args && args[0].type == ARGT_STR) {
1612 int pos = 1;
1613
1614 if (args[1].type == ARGT_SINT)
1615 pos = args[1].data.sint;
1616 else if (args[1].type == ARGT_UINT)
1617 pos =(int)args[1].data.uint;
1618
1619 if (ssl_sock_get_dn_entry(name, &args[0].data.str, pos, smp_trash) <= 0)
1620 goto out;
1621 }
1622 else if (ssl_sock_get_dn_oneline(name, smp_trash) <= 0)
1623 goto out;
1624
1625 smp->type = SMP_T_STR;
1626 smp->data.str = *smp_trash;
1627 ret = 1;
1628out:
1629 if (crt)
1630 X509_free(crt);
1631 return ret;
1632}
Emeric Bruna7359fd2012-10-17 15:03:11 +02001633/* integer, returns the client certificate version */
1634static int
1635smp_fetch_ssl_c_version(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
1636 const struct arg *args, struct sample *smp)
1637{
1638 X509 *crt;
1639
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001640 if (!l4 || l4->si[0].conn->xprt != &ssl_sock)
Emeric Bruna7359fd2012-10-17 15:03:11 +02001641 return 0;
1642
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001643 if (!(l4->si[0].conn->flags & CO_FL_CONNECTED)) {
Emeric Bruna7359fd2012-10-17 15:03:11 +02001644 smp->flags |= SMP_F_MAY_CHANGE;
1645 return 0;
1646 }
1647
1648 /* SSL_get_peer_certificate returns a ptr on allocated X509 struct */
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001649 crt = SSL_get_peer_certificate(l4->si[0].conn->xprt_ctx);
Emeric Bruna7359fd2012-10-17 15:03:11 +02001650 if (!crt)
1651 return 0;
1652
1653 smp->data.uint = (unsigned int)(1 + X509_get_version(crt));
1654 X509_free(crt);
1655 smp->type = SMP_T_UINT;
1656
1657 return 1;
1658}
1659
Emeric Brun7f56e742012-10-19 18:15:40 +02001660/* str, returns the client certificate sig alg */
1661static int
1662smp_fetch_ssl_c_sig_alg(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
1663 const struct arg *args, struct sample *smp)
1664{
1665 X509 *crt;
1666 int nid;
1667
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001668 if (!l4 || l4->si[0].conn->xprt != &ssl_sock)
Emeric Brun7f56e742012-10-19 18:15:40 +02001669 return 0;
1670
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001671 if (!(l4->si[0].conn->flags & CO_FL_CONNECTED)) {
Emeric Brun7f56e742012-10-19 18:15:40 +02001672 smp->flags |= SMP_F_MAY_CHANGE;
1673 return 0;
1674 }
1675
1676 /* SSL_get_peer_certificate increase X509 * ref count */
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001677 crt = SSL_get_peer_certificate(l4->si[0].conn->xprt_ctx);
Emeric Brun7f56e742012-10-19 18:15:40 +02001678 if (!crt)
1679 return 0;
1680
1681 nid = OBJ_obj2nid((ASN1_OBJECT *)(crt->cert_info->signature->algorithm));
1682
1683 smp->data.str.str = (char *)OBJ_nid2sn(nid);
1684 if (!smp->data.str.str)
1685 return 0;
1686
1687 smp->type = SMP_T_CSTR;
1688 smp->data.str.len = strlen(smp->data.str.str);
1689 X509_free(crt);
1690
1691 return 1;
1692}
1693
Emeric Brun521a0112012-10-22 12:22:55 +02001694/* str, returns the client certificate key alg */
1695static int
1696smp_fetch_ssl_c_key_alg(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
1697 const struct arg *args, struct sample *smp)
1698{
1699 X509 *crt;
1700 int nid;
1701
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001702 if (!l4 || l4->si[0].conn->xprt != &ssl_sock)
Emeric Brun521a0112012-10-22 12:22:55 +02001703 return 0;
1704
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001705 if (!(l4->si[0].conn->flags & CO_FL_CONNECTED)) {
Emeric Brun521a0112012-10-22 12:22:55 +02001706 smp->flags |= SMP_F_MAY_CHANGE;
1707 return 0;
1708 }
1709
1710 /* SSL_get_peer_certificate increase X509 * ref count */
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001711 crt = SSL_get_peer_certificate(l4->si[0].conn->xprt_ctx);
Emeric Brun521a0112012-10-22 12:22:55 +02001712 if (!crt)
1713 return 0;
1714
1715 nid = OBJ_obj2nid((ASN1_OBJECT *)(crt->cert_info->key->algor->algorithm));
1716
1717 smp->data.str.str = (char *)OBJ_nid2sn(nid);
1718 if (!smp->data.str.str)
1719 return 0;
1720
1721 smp->type = SMP_T_CSTR;
1722 smp->data.str.len = strlen(smp->data.str.str);
1723 X509_free(crt);
1724
1725 return 1;
1726}
1727
Emeric Brun2525b6b2012-10-18 15:59:43 +02001728/* boolean, returns true if front conn. transport layer is SSL */
Willy Tarreau7875d092012-09-10 08:20:03 +02001729static int
Emeric Brun2525b6b2012-10-18 15:59:43 +02001730smp_fetch_ssl_fc(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
Willy Tarreau7875d092012-09-10 08:20:03 +02001731 const struct arg *args, struct sample *smp)
1732{
1733 smp->type = SMP_T_BOOL;
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001734 smp->data.uint = (l4->si[0].conn->xprt == &ssl_sock);
Willy Tarreau7875d092012-09-10 08:20:03 +02001735 return 1;
1736}
1737
Emeric Brun2525b6b2012-10-18 15:59:43 +02001738/* boolean, returns true if client present a SNI */
Willy Tarreau7875d092012-09-10 08:20:03 +02001739static int
Emeric Brun2525b6b2012-10-18 15:59:43 +02001740smp_fetch_ssl_fc_has_sni(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
1741 const struct arg *args, struct sample *smp)
Willy Tarreau7875d092012-09-10 08:20:03 +02001742{
1743#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
1744 smp->type = SMP_T_BOOL;
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001745 smp->data.uint = (l4->si[0].conn->xprt == &ssl_sock) &&
1746 l4->si[0].conn->xprt_ctx &&
1747 SSL_get_servername(l4->si[0].conn->xprt_ctx, TLSEXT_NAMETYPE_host_name) != NULL;
Willy Tarreau7875d092012-09-10 08:20:03 +02001748 return 1;
1749#else
1750 return 0;
1751#endif
1752}
1753
Willy Tarreau8d598402012-10-22 17:58:39 +02001754/* bin, returns serial in a binary chunk */
1755static int
1756smp_fetch_ssl_f_serial(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
1757 const struct arg *args, struct sample *smp)
1758{
1759 X509 *crt = NULL;
1760 int ret = 0;
1761 struct chunk *smp_trash;
1762
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001763 if (!l4 || l4->si[0].conn->xprt != &ssl_sock)
Willy Tarreau8d598402012-10-22 17:58:39 +02001764 return 0;
1765
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001766 if (!(l4->si[0].conn->flags & CO_FL_CONNECTED)) {
Willy Tarreau8d598402012-10-22 17:58:39 +02001767 smp->flags |= SMP_F_MAY_CHANGE;
1768 return 0;
1769 }
1770
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001771 crt = SSL_get_certificate(l4->si[0].conn->xprt_ctx);
Willy Tarreau8d598402012-10-22 17:58:39 +02001772 if (!crt)
1773 goto out;
1774
1775 smp_trash = sample_get_trash_chunk();
1776 if (ssl_sock_get_serial(crt, smp_trash) <= 0)
1777 goto out;
1778
1779 smp->data.str = *smp_trash;
1780 smp->type = SMP_T_BIN;
1781 ret = 1;
1782out:
1783 return ret;
1784}
Emeric Brunce5ad802012-10-22 14:11:22 +02001785/*str, returns notafter date in ASN1_UTCTIME format */
1786static int
1787smp_fetch_ssl_f_notafter(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
1788 const struct arg *args, struct sample *smp)
1789{
1790 X509 *crt = NULL;
1791 int ret = 0;
1792 struct chunk *smp_trash;
1793
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001794 if (!l4 || l4->si[0].conn->xprt != &ssl_sock)
Emeric Brunce5ad802012-10-22 14:11:22 +02001795 return 0;
1796
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001797 if (!(l4->si[0].conn->flags & CO_FL_CONNECTED)) {
Emeric Brunce5ad802012-10-22 14:11:22 +02001798 smp->flags |= SMP_F_MAY_CHANGE;
1799 return 0;
1800 }
1801
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001802 crt = SSL_get_certificate(l4->si[0].conn->xprt_ctx);
Emeric Brunce5ad802012-10-22 14:11:22 +02001803 if (!crt)
1804 goto out;
1805
1806 smp_trash = sample_get_trash_chunk();
1807 if (ssl_sock_get_time(X509_get_notAfter(crt), smp_trash) <= 0)
1808 goto out;
1809
1810 smp->data.str = *smp_trash;
1811 smp->type = SMP_T_STR;
1812 ret = 1;
1813out:
1814 return ret;
1815}
1816
1817/*str, returns notbefore date in ASN1_UTCTIME format */
1818static int
1819smp_fetch_ssl_f_notbefore(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
1820 const struct arg *args, struct sample *smp)
1821{
1822 X509 *crt = NULL;
1823 int ret = 0;
1824 struct chunk *smp_trash;
1825
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001826 if (!l4 || l4->si[0].conn->xprt != &ssl_sock)
Emeric Brunce5ad802012-10-22 14:11:22 +02001827 return 0;
1828
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001829 if (!(l4->si[0].conn->flags & CO_FL_CONNECTED)) {
Emeric Brunce5ad802012-10-22 14:11:22 +02001830 smp->flags |= SMP_F_MAY_CHANGE;
1831 return 0;
1832 }
1833
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001834 crt = SSL_get_certificate(l4->si[0].conn->xprt_ctx);
Emeric Brunce5ad802012-10-22 14:11:22 +02001835 if (!crt)
1836 goto out;
1837
1838 smp_trash = sample_get_trash_chunk();
1839 if (ssl_sock_get_time(X509_get_notBefore(crt), smp_trash) <= 0)
1840 goto out;
1841
1842 smp->data.str = *smp_trash;
1843 smp->type = SMP_T_STR;
1844 ret = 1;
1845out:
1846 return ret;
1847}
Willy Tarreau8d598402012-10-22 17:58:39 +02001848
Emeric Bruna7359fd2012-10-17 15:03:11 +02001849/* integer, returns the frontend certificate version */
1850static int
1851smp_fetch_ssl_f_version(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
1852 const struct arg *args, struct sample *smp)
1853{
1854 X509 *crt;
1855
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001856 if (!l4 || l4->si[0].conn->xprt != &ssl_sock)
Emeric Bruna7359fd2012-10-17 15:03:11 +02001857 return 0;
1858
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001859 if (!(l4->si[0].conn->flags & CO_FL_CONNECTED)) {
Emeric Bruna7359fd2012-10-17 15:03:11 +02001860 smp->flags |= SMP_F_MAY_CHANGE;
1861 return 0;
1862 }
1863
1864 /* SSL_get_certificate returns a ptr on an SSL * internal sub struct */
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001865 crt = SSL_get_certificate(l4->si[0].conn->xprt_ctx);
Emeric Bruna7359fd2012-10-17 15:03:11 +02001866 if (!crt)
1867 return 0;
1868
1869 smp->data.uint = (unsigned int)(1 + X509_get_version(crt));
1870 smp->type = SMP_T_UINT;
1871
1872 return 1;
1873}
1874
Emeric Brun7f56e742012-10-19 18:15:40 +02001875/* str, returns the client certificate sig alg */
1876static int
1877smp_fetch_ssl_f_sig_alg(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
1878 const struct arg *args, struct sample *smp)
1879{
1880 X509 *crt;
1881 int nid;
1882
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001883 if (!l4 || l4->si[0].conn->xprt != &ssl_sock)
Emeric Brun7f56e742012-10-19 18:15:40 +02001884 return 0;
1885
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001886 if (!(l4->si[0].conn->flags & CO_FL_CONNECTED)) {
Emeric Brun7f56e742012-10-19 18:15:40 +02001887 smp->flags |= SMP_F_MAY_CHANGE;
1888 return 0;
1889 }
1890
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001891 crt = SSL_get_certificate(l4->si[0].conn->xprt_ctx);
Emeric Brun7f56e742012-10-19 18:15:40 +02001892 if (!crt)
1893 return 0;
1894
1895 nid = OBJ_obj2nid((ASN1_OBJECT *)(crt->cert_info->signature->algorithm));
1896
1897 smp->data.str.str = (char *)OBJ_nid2sn(nid);
1898 if (!smp->data.str.str)
1899 return 0;
1900
1901 smp->type = SMP_T_CSTR;
1902 smp->data.str.len = strlen(smp->data.str.str);
1903
1904 return 1;
1905}
1906
Emeric Brun521a0112012-10-22 12:22:55 +02001907/* str, returns the client certificate key alg */
1908static int
1909smp_fetch_ssl_f_key_alg(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
1910 const struct arg *args, struct sample *smp)
1911{
1912 X509 *crt;
1913 int nid;
1914
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001915 if (!l4 || l4->si[0].conn->xprt != &ssl_sock)
Emeric Brun521a0112012-10-22 12:22:55 +02001916 return 0;
1917
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001918 if (!(l4->si[0].conn->flags & CO_FL_CONNECTED)) {
Emeric Brun521a0112012-10-22 12:22:55 +02001919 smp->flags |= SMP_F_MAY_CHANGE;
1920 return 0;
1921 }
1922
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001923 crt = SSL_get_certificate(l4->si[0].conn->xprt_ctx);
Emeric Brun521a0112012-10-22 12:22:55 +02001924 if (!crt)
1925 return 0;
1926
1927 nid = OBJ_obj2nid((ASN1_OBJECT *)(crt->cert_info->key->algor->algorithm));
1928
1929 smp->data.str.str = (char *)OBJ_nid2sn(nid);
1930 if (!smp->data.str.str)
1931 return 0;
1932
1933 smp->type = SMP_T_CSTR;
1934 smp->data.str.len = strlen(smp->data.str.str);
1935
1936 return 1;
1937}
1938
Emeric Brun87855892012-10-17 17:39:35 +02001939/* str, returns a string of a formatted full dn \C=..\O=..\OU=.. \CN=.. */
1940static int
1941smp_fetch_ssl_f_i_dn(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
1942 const struct arg *args, struct sample *smp)
1943{
1944 X509 *crt = NULL;
1945 X509_NAME *name;
1946 int ret = 0;
1947 struct chunk *smp_trash;
1948
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001949 if (!l4 || l4->si[0].conn->xprt != &ssl_sock)
Emeric Brun87855892012-10-17 17:39:35 +02001950 return 0;
1951
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001952 if (!(l4->si[0].conn->flags & CO_FL_CONNECTED)) {
Emeric Brun87855892012-10-17 17:39:35 +02001953 smp->flags |= SMP_F_MAY_CHANGE;
1954 return 0;
1955 }
1956
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001957 crt = SSL_get_certificate(l4->si[0].conn->xprt_ctx);
Emeric Brun87855892012-10-17 17:39:35 +02001958 if (!crt)
1959 goto out;
1960
1961 name = X509_get_issuer_name(crt);
1962 if (!name)
1963 goto out;
1964
1965 smp_trash = sample_get_trash_chunk();
1966 if (args && args[0].type == ARGT_STR) {
1967 int pos = 1;
1968
1969 if (args[1].type == ARGT_SINT)
1970 pos = args[1].data.sint;
1971 else if (args[1].type == ARGT_UINT)
1972 pos =(int)args[1].data.uint;
1973
1974 if (ssl_sock_get_dn_entry(name, &args[0].data.str, pos, smp_trash) <= 0)
1975 goto out;
1976 }
1977 else if (ssl_sock_get_dn_oneline(name, smp_trash) <= 0)
1978 goto out;
1979
1980 smp->type = SMP_T_STR;
1981 smp->data.str = *smp_trash;
1982 ret = 1;
1983out:
1984 return ret;
1985}
1986
1987/* str, returns a string of a formatted full dn \C=..\O=..\OU=.. \CN=.. */
1988static int
1989smp_fetch_ssl_f_s_dn(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
1990 const struct arg *args, struct sample *smp)
1991{
1992 X509 *crt = NULL;
1993 X509_NAME *name;
1994 int ret = 0;
1995 struct chunk *smp_trash;
1996
Willy Tarreauf2943dc2012-10-26 20:10:28 +02001997 if (!l4 || l4->si[0].conn->xprt != &ssl_sock)
Emeric Brun87855892012-10-17 17:39:35 +02001998 return 0;
1999
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002000 if (!(l4->si[0].conn->flags & CO_FL_CONNECTED)) {
Emeric Brun87855892012-10-17 17:39:35 +02002001 smp->flags |= SMP_F_MAY_CHANGE;
2002 return 0;
2003 }
2004
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002005 crt = SSL_get_certificate(l4->si[0].conn->xprt_ctx);
Emeric Brun87855892012-10-17 17:39:35 +02002006 if (!crt)
2007 goto out;
2008
2009 name = X509_get_subject_name(crt);
2010 if (!name)
2011 goto out;
2012
2013 smp_trash = sample_get_trash_chunk();
2014 if (args && args[0].type == ARGT_STR) {
2015 int pos = 1;
2016
2017 if (args[1].type == ARGT_SINT)
2018 pos = args[1].data.sint;
2019 else if (args[1].type == ARGT_UINT)
2020 pos =(int)args[1].data.uint;
2021
2022 if (ssl_sock_get_dn_entry(name, &args[0].data.str, pos, smp_trash) <= 0)
2023 goto out;
2024 }
2025 else if (ssl_sock_get_dn_oneline(name, smp_trash) <= 0)
2026 goto out;
2027
2028 smp->type = SMP_T_STR;
2029 smp->data.str = *smp_trash;
2030 ret = 1;
2031out:
2032 return ret;
2033}
2034
Emeric Brun589fcad2012-10-16 14:13:26 +02002035static int
2036smp_fetch_ssl_fc_cipher(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
2037 const struct arg *args, struct sample *smp)
2038{
2039 smp->flags = 0;
2040
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002041 if (!l4 || !l4->si[0].conn->xprt_ctx || l4->si[0].conn->xprt != &ssl_sock)
Emeric Brun589fcad2012-10-16 14:13:26 +02002042 return 0;
2043
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002044 smp->data.str.str = (char *)SSL_get_cipher_name(l4->si[0].conn->xprt_ctx);
Emeric Brun589fcad2012-10-16 14:13:26 +02002045 if (!smp->data.str.str)
2046 return 0;
2047
2048 smp->type = SMP_T_CSTR;
2049 smp->data.str.len = strlen(smp->data.str.str);
2050
2051 return 1;
2052}
2053
2054static int
2055smp_fetch_ssl_fc_alg_keysize(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
2056 const struct arg *args, struct sample *smp)
2057{
2058 smp->flags = 0;
2059
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002060 if (!l4 || !l4->si[0].conn->xprt_ctx || l4->si[0].conn->xprt != &ssl_sock)
Emeric Brun589fcad2012-10-16 14:13:26 +02002061 return 0;
2062
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002063 if (!SSL_get_cipher_bits(l4->si[0].conn->xprt_ctx, (int *)&smp->data.uint))
Emeric Brun589fcad2012-10-16 14:13:26 +02002064 return 0;
2065
2066 smp->type = SMP_T_UINT;
2067
2068 return 1;
2069}
2070
2071static int
2072smp_fetch_ssl_fc_use_keysize(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
2073 const struct arg *args, struct sample *smp)
2074{
2075 smp->flags = 0;
2076
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002077 if (!l4 || !l4->si[0].conn->xprt_ctx || l4->si[0].conn->xprt != &ssl_sock)
Emeric Brun589fcad2012-10-16 14:13:26 +02002078 return 0;
2079
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002080 smp->data.uint = (unsigned int)SSL_get_cipher_bits(l4->si[0].conn->xprt_ctx, NULL);
Emeric Brun589fcad2012-10-16 14:13:26 +02002081 if (!smp->data.uint)
2082 return 0;
2083
2084 smp->type = SMP_T_UINT;
2085
2086 return 1;
2087}
2088
Willy Tarreau6c9a3d52012-10-18 18:57:14 +02002089#ifdef OPENSSL_NPN_NEGOTIATED
Willy Tarreau7875d092012-09-10 08:20:03 +02002090static int
Emeric Brun2525b6b2012-10-18 15:59:43 +02002091smp_fetch_ssl_fc_npn(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
2092 const struct arg *args, struct sample *smp)
Willy Tarreaua33c6542012-10-15 13:19:06 +02002093{
Willy Tarreaua33c6542012-10-15 13:19:06 +02002094 smp->flags = 0;
2095 smp->type = SMP_T_CSTR;
2096
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002097 if (!l4 || !l4->si[0].conn->xprt_ctx || l4->si[0].conn->xprt != &ssl_sock)
Willy Tarreaua33c6542012-10-15 13:19:06 +02002098 return 0;
2099
2100 smp->data.str.str = NULL;
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002101 SSL_get0_next_proto_negotiated(l4->si[0].conn->xprt_ctx,
Willy Tarreaua33c6542012-10-15 13:19:06 +02002102 (const unsigned char **)&smp->data.str.str, (unsigned *)&smp->data.str.len);
2103
2104 if (!smp->data.str.str)
2105 return 0;
2106
2107 return 1;
Willy Tarreaua33c6542012-10-15 13:19:06 +02002108}
Willy Tarreau6c9a3d52012-10-18 18:57:14 +02002109#endif
Willy Tarreaua33c6542012-10-15 13:19:06 +02002110
2111static int
Emeric Brun589fcad2012-10-16 14:13:26 +02002112smp_fetch_ssl_fc_protocol(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
2113 const struct arg *args, struct sample *smp)
2114{
2115 smp->flags = 0;
2116
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002117 if (!l4 || !l4->si[0].conn->xprt_ctx || l4->si[0].conn->xprt != &ssl_sock)
Emeric Brun589fcad2012-10-16 14:13:26 +02002118 return 0;
2119
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002120 smp->data.str.str = (char *)SSL_get_version(l4->si[0].conn->xprt_ctx);
Emeric Brun589fcad2012-10-16 14:13:26 +02002121 if (!smp->data.str.str)
2122 return 0;
2123
2124 smp->type = SMP_T_CSTR;
2125 smp->data.str.len = strlen(smp->data.str.str);
2126
2127 return 1;
2128}
2129
2130static int
Emeric Brunfe68f682012-10-16 14:59:28 +02002131smp_fetch_ssl_fc_session_id(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
2132 const struct arg *args, struct sample *smp)
2133{
2134#if OPENSSL_VERSION_NUMBER > 0x0090800fL
2135 SSL_SESSION *sess;
2136
2137 smp->flags = 0;
2138 smp->type = SMP_T_CBIN;
2139
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002140 if (!l4 || !l4->si[0].conn->xprt_ctx || l4->si[0].conn->xprt != &ssl_sock)
Emeric Brunfe68f682012-10-16 14:59:28 +02002141 return 0;
2142
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002143 sess = SSL_get_session(l4->si[0].conn->xprt_ctx);
Emeric Brunfe68f682012-10-16 14:59:28 +02002144 if (!sess)
2145 return 0;
2146
2147 smp->data.str.str = (char *)SSL_SESSION_get_id(sess, (unsigned int *)&smp->data.str.len);
2148 if (!smp->data.str.str || !&smp->data.str.len)
2149 return 0;
2150
2151 return 1;
2152#else
2153 return 0;
2154#endif
2155}
2156
2157static int
Emeric Brun2525b6b2012-10-18 15:59:43 +02002158smp_fetch_ssl_fc_sni(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
2159 const struct arg *args, struct sample *smp)
Willy Tarreau7875d092012-09-10 08:20:03 +02002160{
2161#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
2162 smp->flags = 0;
2163 smp->type = SMP_T_CSTR;
2164
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002165 if (!l4 || !l4->si[0].conn->xprt_ctx || l4->si[0].conn->xprt != &ssl_sock)
Willy Tarreau7875d092012-09-10 08:20:03 +02002166 return 0;
2167
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002168 smp->data.str.str = (char *)SSL_get_servername(l4->si[0].conn->xprt_ctx, TLSEXT_NAMETYPE_host_name);
Willy Tarreau3e394c92012-09-14 23:56:58 +02002169 if (!smp->data.str.str)
2170 return 0;
2171
Willy Tarreau7875d092012-09-10 08:20:03 +02002172 smp->data.str.len = strlen(smp->data.str.str);
2173 return 1;
2174#else
2175 return 0;
2176#endif
2177}
2178
Emeric Brun2525b6b2012-10-18 15:59:43 +02002179/* integer, returns the first verify error in CA chain of client certificate chain. */
Emeric Brunf282a812012-09-21 15:27:54 +02002180static int
Emeric Brun2525b6b2012-10-18 15:59:43 +02002181smp_fetch_ssl_c_ca_err(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
Emeric Brunf282a812012-09-21 15:27:54 +02002182 const struct arg *args, struct sample *smp)
2183{
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002184 if (!l4 || l4->si[0].conn->xprt != &ssl_sock)
Emeric Brunf282a812012-09-21 15:27:54 +02002185 return 0;
2186
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002187 if (!(l4->si[0].conn->flags & CO_FL_CONNECTED)) {
Emeric Brunf282a812012-09-21 15:27:54 +02002188 smp->flags = SMP_F_MAY_CHANGE;
2189 return 0;
2190 }
2191
2192 smp->type = SMP_T_UINT;
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002193 smp->data.uint = (unsigned int)SSL_SOCK_ST_TO_CA_ERROR(l4->si[0].conn->xprt_st);
Emeric Brunf282a812012-09-21 15:27:54 +02002194 smp->flags = 0;
2195
2196 return 1;
2197}
2198
Emeric Brun2525b6b2012-10-18 15:59:43 +02002199/* integer, returns the depth of the first verify error in CA chain of client certificate chain. */
Emeric Brunf282a812012-09-21 15:27:54 +02002200static int
Emeric Brun2525b6b2012-10-18 15:59:43 +02002201smp_fetch_ssl_c_ca_err_depth(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
Emeric Brunf282a812012-09-21 15:27:54 +02002202 const struct arg *args, struct sample *smp)
2203{
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002204 if (!l4 || l4->si[0].conn->xprt != &ssl_sock)
Emeric Brunf282a812012-09-21 15:27:54 +02002205 return 0;
2206
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002207 if (!(l4->si[0].conn->flags & CO_FL_CONNECTED)) {
Emeric Brunf282a812012-09-21 15:27:54 +02002208 smp->flags = SMP_F_MAY_CHANGE;
2209 return 0;
2210 }
2211
2212 smp->type = SMP_T_UINT;
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002213 smp->data.uint = (unsigned int)SSL_SOCK_ST_TO_CAEDEPTH(l4->si[0].conn->xprt_st);
Emeric Brunf282a812012-09-21 15:27:54 +02002214 smp->flags = 0;
2215
2216 return 1;
2217}
2218
Emeric Brun2525b6b2012-10-18 15:59:43 +02002219/* integer, returns the first verify error on client certificate */
Emeric Brunf282a812012-09-21 15:27:54 +02002220static int
Emeric Brun2525b6b2012-10-18 15:59:43 +02002221smp_fetch_ssl_c_err(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
2222 const struct arg *args, struct sample *smp)
Emeric Brunf282a812012-09-21 15:27:54 +02002223{
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002224 if (!l4 || l4->si[0].conn->xprt != &ssl_sock)
Emeric Brunf282a812012-09-21 15:27:54 +02002225 return 0;
2226
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002227 if (!(l4->si[0].conn->flags & CO_FL_CONNECTED)) {
Emeric Brunf282a812012-09-21 15:27:54 +02002228 smp->flags = SMP_F_MAY_CHANGE;
2229 return 0;
2230 }
2231
2232 smp->type = SMP_T_UINT;
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002233 smp->data.uint = (unsigned int)SSL_SOCK_ST_TO_CRTERROR(l4->si[0].conn->xprt_st);
Emeric Brunf282a812012-09-21 15:27:54 +02002234 smp->flags = 0;
2235
2236 return 1;
2237}
2238
Emeric Brun2525b6b2012-10-18 15:59:43 +02002239/* integer, returns the verify result on client cert */
Emeric Brunbaf8ffb2012-09-21 15:27:20 +02002240static int
Emeric Brun2525b6b2012-10-18 15:59:43 +02002241smp_fetch_ssl_c_verify(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
2242 const struct arg *args, struct sample *smp)
Emeric Brunbaf8ffb2012-09-21 15:27:20 +02002243{
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002244 if (!l4 || l4->si[0].conn->xprt != &ssl_sock)
Emeric Brunbaf8ffb2012-09-21 15:27:20 +02002245 return 0;
2246
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002247 if (!(l4->si[0].conn->flags & CO_FL_CONNECTED)) {
Emeric Brunbaf8ffb2012-09-21 15:27:20 +02002248 smp->flags = SMP_F_MAY_CHANGE;
2249 return 0;
2250 }
2251
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002252 if (!l4->si[0].conn->xprt_ctx)
Emeric Brunbaf8ffb2012-09-21 15:27:20 +02002253 return 0;
2254
2255 smp->type = SMP_T_UINT;
Willy Tarreauf2943dc2012-10-26 20:10:28 +02002256 smp->data.uint = (unsigned int)SSL_get_verify_result(l4->si[0].conn->xprt_ctx);
Emeric Brunbaf8ffb2012-09-21 15:27:20 +02002257 smp->flags = 0;
2258
2259 return 1;
2260}
2261
Emeric Brunfb510ea2012-10-05 12:00:26 +02002262/* parse the "ca-file" bind keyword */
2263static int bind_parse_ca_file(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
Emeric Brund94b3fe2012-09-20 18:23:56 +02002264{
2265 if (!*args[cur_arg + 1]) {
2266 if (err)
2267 memprintf(err, "'%s' : missing CAfile path", args[cur_arg]);
2268 return ERR_ALERT | ERR_FATAL;
2269 }
2270
Emeric Brunef42d922012-10-11 16:11:36 +02002271 if ((*args[cur_arg + 1] != '/') && global.ca_base)
2272 memprintf(&conf->ca_file, "%s/%s", global.ca_base, args[cur_arg + 1]);
2273 else
2274 memprintf(&conf->ca_file, "%s", args[cur_arg + 1]);
Emeric Brunc8e8d122012-10-02 18:42:10 +02002275
Emeric Brund94b3fe2012-09-20 18:23:56 +02002276 return 0;
2277}
2278
Willy Tarreau79eeafa2012-09-14 07:53:05 +02002279/* parse the "ciphers" bind keyword */
Willy Tarreau4348fad2012-09-20 16:48:07 +02002280static int bind_parse_ciphers(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
Willy Tarreau79eeafa2012-09-14 07:53:05 +02002281{
2282 if (!*args[cur_arg + 1]) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +02002283 memprintf(err, "'%s' : missing cipher suite", args[cur_arg]);
Willy Tarreau79eeafa2012-09-14 07:53:05 +02002284 return ERR_ALERT | ERR_FATAL;
2285 }
2286
Emeric Brun76d88952012-10-05 15:47:31 +02002287 free(conf->ciphers);
Willy Tarreau4348fad2012-09-20 16:48:07 +02002288 conf->ciphers = strdup(args[cur_arg + 1]);
Willy Tarreau79eeafa2012-09-14 07:53:05 +02002289 return 0;
2290}
2291
2292/* parse the "crt" bind keyword */
Willy Tarreau4348fad2012-09-20 16:48:07 +02002293static int bind_parse_crt(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
Willy Tarreau79eeafa2012-09-14 07:53:05 +02002294{
Emeric Brunc8e8d122012-10-02 18:42:10 +02002295 char path[PATH_MAX];
Willy Tarreau79eeafa2012-09-14 07:53:05 +02002296 if (!*args[cur_arg + 1]) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +02002297 memprintf(err, "'%s' : missing certificate location", args[cur_arg]);
Willy Tarreau79eeafa2012-09-14 07:53:05 +02002298 return ERR_ALERT | ERR_FATAL;
2299 }
2300
Emeric Brunc8e8d122012-10-02 18:42:10 +02002301 if ((*args[cur_arg + 1] != '/' ) && global.crt_base) {
2302 if ((strlen(global.crt_base) + 1 + strlen(args[cur_arg + 1]) + 1) > PATH_MAX) {
2303 memprintf(err, "'%s' : path too long", args[cur_arg]);
2304 return ERR_ALERT | ERR_FATAL;
2305 }
2306 sprintf(path, "%s/%s", global.crt_base, args[cur_arg + 1]);
2307 if (ssl_sock_load_cert(path, conf, px, err) > 0)
2308 return ERR_ALERT | ERR_FATAL;
2309
2310 return 0;
2311 }
2312
Willy Tarreau4348fad2012-09-20 16:48:07 +02002313 if (ssl_sock_load_cert(args[cur_arg + 1], conf, px, err) > 0)
Willy Tarreau79eeafa2012-09-14 07:53:05 +02002314 return ERR_ALERT | ERR_FATAL;
Emeric Brund94b3fe2012-09-20 18:23:56 +02002315
2316 return 0;
2317}
2318
Emeric Brunfb510ea2012-10-05 12:00:26 +02002319/* parse the "crl-file" bind keyword */
2320static int bind_parse_crl_file(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
Emeric Brund94b3fe2012-09-20 18:23:56 +02002321{
Emeric Brun051cdab2012-10-02 19:25:50 +02002322#ifndef X509_V_FLAG_CRL_CHECK
2323 if (err)
2324 memprintf(err, "'%s' : library does not support CRL verify", args[cur_arg]);
2325 return ERR_ALERT | ERR_FATAL;
2326#else
Emeric Brund94b3fe2012-09-20 18:23:56 +02002327 if (!*args[cur_arg + 1]) {
2328 if (err)
2329 memprintf(err, "'%s' : missing CRLfile path", args[cur_arg]);
2330 return ERR_ALERT | ERR_FATAL;
2331 }
Emeric Brun2b58d042012-09-20 17:10:03 +02002332
Emeric Brunef42d922012-10-11 16:11:36 +02002333 if ((*args[cur_arg + 1] != '/') && global.ca_base)
2334 memprintf(&conf->crl_file, "%s/%s", global.ca_base, args[cur_arg + 1]);
2335 else
2336 memprintf(&conf->crl_file, "%s", args[cur_arg + 1]);
Emeric Brunc8e8d122012-10-02 18:42:10 +02002337
Emeric Brun2b58d042012-09-20 17:10:03 +02002338 return 0;
Emeric Brun051cdab2012-10-02 19:25:50 +02002339#endif
Emeric Brun2b58d042012-09-20 17:10:03 +02002340}
2341
2342/* parse the "ecdhe" bind keyword keywords */
2343static int bind_parse_ecdhe(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
2344{
2345#if OPENSSL_VERSION_NUMBER < 0x0090800fL
2346 if (err)
2347 memprintf(err, "'%s' : library does not support elliptic curve Diffie-Hellman (too old)", args[cur_arg]);
2348 return ERR_ALERT | ERR_FATAL;
2349#elif defined(OPENSSL_NO_ECDH)
2350 if (err)
2351 memprintf(err, "'%s' : library does not support elliptic curve Diffie-Hellman (disabled via OPENSSL_NO_ECDH)", args[cur_arg]);
2352 return ERR_ALERT | ERR_FATAL;
2353#else
2354 if (!*args[cur_arg + 1]) {
2355 if (err)
2356 memprintf(err, "'%s' : missing named curve", args[cur_arg]);
2357 return ERR_ALERT | ERR_FATAL;
2358 }
2359
2360 conf->ecdhe = strdup(args[cur_arg + 1]);
Willy Tarreau79eeafa2012-09-14 07:53:05 +02002361
2362 return 0;
Emeric Brun2b58d042012-09-20 17:10:03 +02002363#endif
Willy Tarreau79eeafa2012-09-14 07:53:05 +02002364}
2365
Emeric Brun81c00f02012-09-21 14:31:21 +02002366/* parse the "crt_ignerr" and "ca_ignerr" bind keywords */
2367static int bind_parse_ignore_err(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
2368{
2369 int code;
2370 char *p = args[cur_arg + 1];
2371 unsigned long long *ignerr = &conf->crt_ignerr;
2372
2373 if (!*p) {
2374 if (err)
2375 memprintf(err, "'%s' : missing error IDs list", args[cur_arg]);
2376 return ERR_ALERT | ERR_FATAL;
2377 }
2378
2379 if (strcmp(args[cur_arg], "ca-ignore-err") == 0)
2380 ignerr = &conf->ca_ignerr;
2381
2382 if (strcmp(p, "all") == 0) {
2383 *ignerr = ~0ULL;
2384 return 0;
2385 }
2386
2387 while (p) {
2388 code = atoi(p);
2389 if ((code <= 0) || (code > 63)) {
2390 if (err)
2391 memprintf(err, "'%s' : ID '%d' out of range (1..63) in error IDs list '%s'",
2392 args[cur_arg], code, args[cur_arg + 1]);
2393 return ERR_ALERT | ERR_FATAL;
2394 }
2395 *ignerr |= 1ULL << code;
2396 p = strchr(p, ',');
2397 if (p)
2398 p++;
2399 }
2400
Emeric Brun2cb7ae52012-10-05 14:14:21 +02002401 return 0;
2402}
2403
2404/* parse the "force-sslv3" bind keyword */
2405static int bind_parse_force_sslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
2406{
2407 conf->ssl_options |= BC_SSL_O_USE_SSLV3;
2408 return 0;
2409}
2410
2411/* parse the "force-tlsv10" bind keyword */
2412static int bind_parse_force_tlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
2413{
2414 conf->ssl_options |= BC_SSL_O_USE_TLSV10;
Emeric Brun2d0c4822012-10-02 13:45:20 +02002415 return 0;
2416}
2417
Emeric Brun2cb7ae52012-10-05 14:14:21 +02002418/* parse the "force-tlsv11" bind keyword */
2419static int bind_parse_force_tlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
2420{
2421#if SSL_OP_NO_TLSv1_1
2422 conf->ssl_options |= BC_SSL_O_USE_TLSV11;
2423 return 0;
2424#else
2425 if (err)
2426 memprintf(err, "'%s' : library does not support protocol TLSv1.1", args[cur_arg]);
2427 return ERR_ALERT | ERR_FATAL;
2428#endif
2429}
2430
2431/* parse the "force-tlsv12" bind keyword */
2432static int bind_parse_force_tlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
2433{
2434#if SSL_OP_NO_TLSv1_2
2435 conf->ssl_options |= BC_SSL_O_USE_TLSV12;
2436 return 0;
2437#else
2438 if (err)
2439 memprintf(err, "'%s' : library does not support protocol TLSv1.2", args[cur_arg]);
2440 return ERR_ALERT | ERR_FATAL;
2441#endif
2442}
2443
2444
Emeric Brun2d0c4822012-10-02 13:45:20 +02002445/* parse the "no-tls-tickets" bind keyword */
2446static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
2447{
Emeric Brun89675492012-10-05 13:48:26 +02002448 conf->ssl_options |= BC_SSL_O_NO_TLS_TICKETS;
Emeric Brun81c00f02012-09-21 14:31:21 +02002449 return 0;
2450}
2451
Emeric Brun2d0c4822012-10-02 13:45:20 +02002452
Emeric Brun9b3009b2012-10-05 11:55:06 +02002453/* parse the "no-sslv3" bind keyword */
2454static int bind_parse_no_sslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
Willy Tarreau79eeafa2012-09-14 07:53:05 +02002455{
Emeric Brun89675492012-10-05 13:48:26 +02002456 conf->ssl_options |= BC_SSL_O_NO_SSLV3;
Willy Tarreau79eeafa2012-09-14 07:53:05 +02002457 return 0;
2458}
2459
Emeric Brun9b3009b2012-10-05 11:55:06 +02002460/* parse the "no-tlsv10" bind keyword */
2461static int bind_parse_no_tlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
Emeric Brunc0ff4922012-09-28 19:37:02 +02002462{
Emeric Brun89675492012-10-05 13:48:26 +02002463 conf->ssl_options |= BC_SSL_O_NO_TLSV10;
Emeric Brunc0ff4922012-09-28 19:37:02 +02002464 return 0;
2465}
2466
Emeric Brun9b3009b2012-10-05 11:55:06 +02002467/* parse the "no-tlsv11" bind keyword */
2468static int bind_parse_no_tlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
Emeric Brunc0ff4922012-09-28 19:37:02 +02002469{
Emeric Brun89675492012-10-05 13:48:26 +02002470 conf->ssl_options |= BC_SSL_O_NO_TLSV11;
Emeric Brunc0ff4922012-09-28 19:37:02 +02002471 return 0;
2472}
2473
Emeric Brun9b3009b2012-10-05 11:55:06 +02002474/* parse the "no-tlsv12" bind keyword */
2475static int bind_parse_no_tlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
Willy Tarreau79eeafa2012-09-14 07:53:05 +02002476{
Emeric Brun89675492012-10-05 13:48:26 +02002477 conf->ssl_options |= BC_SSL_O_NO_TLSV12;
Willy Tarreau79eeafa2012-09-14 07:53:05 +02002478 return 0;
2479}
2480
Willy Tarreau6c9a3d52012-10-18 18:57:14 +02002481/* parse the "npn" bind keyword */
2482static int bind_parse_npn(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
2483{
2484#ifdef OPENSSL_NPN_NEGOTIATED
2485 char *p1, *p2;
2486
2487 if (!*args[cur_arg + 1]) {
2488 memprintf(err, "'%s' : missing the comma-delimited NPN protocol suite", args[cur_arg]);
2489 return ERR_ALERT | ERR_FATAL;
2490 }
2491
2492 free(conf->npn_str);
2493
2494 /* the NPN string is built as a suite of (<len> <name>)* */
2495 conf->npn_len = strlen(args[cur_arg + 1]) + 1;
2496 conf->npn_str = calloc(1, conf->npn_len);
2497 memcpy(conf->npn_str + 1, args[cur_arg + 1], conf->npn_len);
2498
2499 /* replace commas with the name length */
2500 p1 = conf->npn_str;
2501 p2 = p1 + 1;
2502 while (1) {
2503 p2 = memchr(p1 + 1, ',', conf->npn_str + conf->npn_len - (p1 + 1));
2504 if (!p2)
2505 p2 = p1 + 1 + strlen(p1 + 1);
2506
2507 if (p2 - (p1 + 1) > 255) {
2508 *p2 = '\0';
2509 memprintf(err, "'%s' : NPN protocol name too long : '%s'", args[cur_arg], p1 + 1);
2510 return ERR_ALERT | ERR_FATAL;
2511 }
2512
2513 *p1 = p2 - (p1 + 1);
2514 p1 = p2;
2515
2516 if (!*p2)
2517 break;
2518
2519 *(p2++) = '\0';
2520 }
2521 return 0;
2522#else
2523 if (err)
2524 memprintf(err, "'%s' : library does not support TLS NPN extension", args[cur_arg]);
2525 return ERR_ALERT | ERR_FATAL;
2526#endif
2527}
2528
Willy Tarreau79eeafa2012-09-14 07:53:05 +02002529/* parse the "ssl" bind keyword */
Willy Tarreau4348fad2012-09-20 16:48:07 +02002530static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
Willy Tarreau79eeafa2012-09-14 07:53:05 +02002531{
Willy Tarreau81796be2012-09-22 19:11:47 +02002532 struct listener *l;
2533
Willy Tarreau4348fad2012-09-20 16:48:07 +02002534 conf->is_ssl = 1;
Emeric Brun76d88952012-10-05 15:47:31 +02002535
2536 if (global.listen_default_ciphers && !conf->ciphers)
2537 conf->ciphers = strdup(global.listen_default_ciphers);
2538
Willy Tarreau81796be2012-09-22 19:11:47 +02002539 list_for_each_entry(l, &conf->listeners, by_bind)
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02002540 l->xprt = &ssl_sock;
Willy Tarreau81796be2012-09-22 19:11:47 +02002541
Willy Tarreau79eeafa2012-09-14 07:53:05 +02002542 return 0;
2543}
2544
Emeric Brund94b3fe2012-09-20 18:23:56 +02002545/* parse the "verify" bind keyword */
2546static int bind_parse_verify(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
2547{
2548 if (!*args[cur_arg + 1]) {
2549 if (err)
2550 memprintf(err, "'%s' : missing verify method", args[cur_arg]);
2551 return ERR_ALERT | ERR_FATAL;
2552 }
2553
2554 if (strcmp(args[cur_arg + 1], "none") == 0)
2555 conf->verify = SSL_VERIFY_NONE;
2556 else if (strcmp(args[cur_arg + 1], "optional") == 0)
2557 conf->verify = SSL_VERIFY_PEER;
2558 else if (strcmp(args[cur_arg + 1], "required") == 0)
2559 conf->verify = SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
2560 else {
2561 if (err)
2562 memprintf(err, "'%s' : unknown verify method '%s', only 'none', 'optional', and 'required' are supported\n",
2563 args[cur_arg], args[cur_arg + 1]);
2564 return ERR_ALERT | ERR_FATAL;
2565 }
2566
2567 return 0;
2568}
2569
Willy Tarreau92faadf2012-10-10 23:04:25 +02002570/************** "server" keywords ****************/
2571
Emeric Brunef42d922012-10-11 16:11:36 +02002572/* parse the "ca-file" server keyword */
2573static int srv_parse_ca_file(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
2574{
2575 if (!*args[*cur_arg + 1]) {
2576 if (err)
2577 memprintf(err, "'%s' : missing CAfile path", args[*cur_arg]);
2578 return ERR_ALERT | ERR_FATAL;
2579 }
2580
2581 if ((*args[*cur_arg + 1] != '/') && global.ca_base)
2582 memprintf(&newsrv->ssl_ctx.ca_file, "%s/%s", global.ca_base, args[*cur_arg + 1]);
2583 else
2584 memprintf(&newsrv->ssl_ctx.ca_file, "%s", args[*cur_arg + 1]);
2585
2586 return 0;
2587}
2588
Willy Tarreau92faadf2012-10-10 23:04:25 +02002589/* parse the "check-ssl" server keyword */
2590static int srv_parse_check_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
2591{
2592 newsrv->check.use_ssl = 1;
2593 if (global.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
2594 newsrv->ssl_ctx.ciphers = strdup(global.connect_default_ciphers);
2595 return 0;
2596}
2597
2598/* parse the "ciphers" server keyword */
2599static int srv_parse_ciphers(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
2600{
2601 if (!*args[*cur_arg + 1]) {
2602 memprintf(err, "'%s' : missing cipher suite", args[*cur_arg]);
2603 return ERR_ALERT | ERR_FATAL;
2604 }
2605
2606 free(newsrv->ssl_ctx.ciphers);
2607 newsrv->ssl_ctx.ciphers = strdup(args[*cur_arg + 1]);
2608 return 0;
2609}
2610
Emeric Brunef42d922012-10-11 16:11:36 +02002611/* parse the "crl-file" server keyword */
2612static int srv_parse_crl_file(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
2613{
2614#ifndef X509_V_FLAG_CRL_CHECK
2615 if (err)
2616 memprintf(err, "'%s' : library does not support CRL verify", args[*cur_arg]);
2617 return ERR_ALERT | ERR_FATAL;
2618#else
2619 if (!*args[*cur_arg + 1]) {
2620 if (err)
2621 memprintf(err, "'%s' : missing CRLfile path", args[*cur_arg]);
2622 return ERR_ALERT | ERR_FATAL;
2623 }
2624
2625 if ((*args[*cur_arg + 1] != '/') && global.ca_base)
2626 memprintf(&newsrv->ssl_ctx.crl_file, "%s/%s", global.ca_base, args[*cur_arg + 1]);
2627 else
2628 memprintf(&newsrv->ssl_ctx.crl_file, "%s", args[*cur_arg + 1]);
2629
2630 return 0;
2631#endif
2632}
2633
Emeric Bruna7aa3092012-10-26 12:58:00 +02002634/* parse the "crt" server keyword */
2635static int srv_parse_crt(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
2636{
2637 if (!*args[*cur_arg + 1]) {
2638 if (err)
2639 memprintf(err, "'%s' : missing certificate file path", args[*cur_arg]);
2640 return ERR_ALERT | ERR_FATAL;
2641 }
2642
2643 if ((*args[*cur_arg + 1] != '/') && global.crt_base)
2644 memprintf(&newsrv->ssl_ctx.client_crt, "%s/%s", global.ca_base, args[*cur_arg + 1]);
2645 else
2646 memprintf(&newsrv->ssl_ctx.client_crt, "%s", args[*cur_arg + 1]);
2647
2648 return 0;
2649}
Emeric Brunef42d922012-10-11 16:11:36 +02002650
Willy Tarreau92faadf2012-10-10 23:04:25 +02002651/* parse the "force-sslv3" server keyword */
2652static int srv_parse_force_sslv3(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
2653{
2654 newsrv->ssl_ctx.options |= SRV_SSL_O_USE_SSLV3;
2655 return 0;
2656}
2657
2658/* parse the "force-tlsv10" server keyword */
2659static int srv_parse_force_tlsv10(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
2660{
2661 newsrv->ssl_ctx.options |= SRV_SSL_O_USE_TLSV10;
2662 return 0;
2663}
2664
2665/* parse the "force-tlsv11" server keyword */
2666static int srv_parse_force_tlsv11(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
2667{
2668#if SSL_OP_NO_TLSv1_1
2669 newsrv->ssl_ctx.options |= SRV_SSL_O_USE_TLSV11;
2670 return 0;
2671#else
2672 if (err)
2673 memprintf(err, "'%s' : library does not support protocol TLSv1.1", args[*cur_arg]);
2674 return ERR_ALERT | ERR_FATAL;
2675#endif
2676}
2677
2678/* parse the "force-tlsv12" server keyword */
2679static int srv_parse_force_tlsv12(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
2680{
2681#if SSL_OP_NO_TLSv1_2
2682 newsrv->ssl_ctx.options |= SRV_SSL_O_USE_TLSV12;
2683 return 0;
2684#else
2685 if (err)
2686 memprintf(err, "'%s' : library does not support protocol TLSv1.2", args[*cur_arg]);
2687 return ERR_ALERT | ERR_FATAL;
2688#endif
2689}
2690
2691/* parse the "no-sslv3" server keyword */
2692static int srv_parse_no_sslv3(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
2693{
2694 newsrv->ssl_ctx.options |= SRV_SSL_O_NO_SSLV3;
2695 return 0;
2696}
2697
2698/* parse the "no-tlsv10" server keyword */
2699static int srv_parse_no_tlsv10(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
2700{
2701 newsrv->ssl_ctx.options |= SRV_SSL_O_NO_TLSV10;
2702 return 0;
2703}
2704
2705/* parse the "no-tlsv11" server keyword */
2706static int srv_parse_no_tlsv11(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
2707{
2708 newsrv->ssl_ctx.options |= SRV_SSL_O_NO_TLSV11;
2709 return 0;
2710}
2711
2712/* parse the "no-tlsv12" server keyword */
2713static int srv_parse_no_tlsv12(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
2714{
2715 newsrv->ssl_ctx.options |= SRV_SSL_O_NO_TLSV12;
2716 return 0;
2717}
2718
Emeric Brunf9c5c472012-10-11 15:28:34 +02002719/* parse the "no-tls-tickets" server keyword */
2720static int srv_parse_no_tls_tickets(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
2721{
2722 newsrv->ssl_ctx.options |= SRV_SSL_O_NO_TLS_TICKETS;
2723 return 0;
2724}
2725
Willy Tarreau92faadf2012-10-10 23:04:25 +02002726/* parse the "ssl" server keyword */
2727static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
2728{
2729 newsrv->use_ssl = 1;
2730 if (global.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
2731 newsrv->ssl_ctx.ciphers = strdup(global.connect_default_ciphers);
2732 return 0;
2733}
2734
Emeric Brunef42d922012-10-11 16:11:36 +02002735/* parse the "verify" server keyword */
2736static int srv_parse_verify(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
2737{
2738 if (!*args[*cur_arg + 1]) {
2739 if (err)
2740 memprintf(err, "'%s' : missing verify method", args[*cur_arg]);
2741 return ERR_ALERT | ERR_FATAL;
2742 }
2743
2744 if (strcmp(args[*cur_arg + 1], "none") == 0)
2745 newsrv->ssl_ctx.verify = SSL_VERIFY_NONE;
2746 else if (strcmp(args[*cur_arg + 1], "required") == 0)
2747 newsrv->ssl_ctx.verify = SSL_VERIFY_PEER;
2748 else {
2749 if (err)
2750 memprintf(err, "'%s' : unknown verify method '%s', only 'none' and 'required' are supported\n",
2751 args[*cur_arg], args[*cur_arg + 1]);
2752 return ERR_ALERT | ERR_FATAL;
2753 }
2754
2755 return 0;
2756}
2757
Willy Tarreau7875d092012-09-10 08:20:03 +02002758/* Note: must not be declared <const> as its list will be overwritten.
2759 * Please take care of keeping this list alphabetically sorted.
2760 */
2761static struct sample_fetch_kw_list sample_fetch_keywords = {{ },{
Emeric Brun2525b6b2012-10-18 15:59:43 +02002762 { "ssl_c_ca_err", smp_fetch_ssl_c_ca_err, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
2763 { "ssl_c_ca_err_depth", smp_fetch_ssl_c_ca_err_depth, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
2764 { "ssl_c_err", smp_fetch_ssl_c_err, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
Emeric Brun87855892012-10-17 17:39:35 +02002765 { "ssl_c_i_dn", smp_fetch_ssl_c_i_dn, ARG2(0,STR,SINT), NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES },
Emeric Brun521a0112012-10-22 12:22:55 +02002766 { "ssl_c_key_alg", smp_fetch_ssl_c_key_alg, 0, NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES },
Emeric Brunce5ad802012-10-22 14:11:22 +02002767 { "ssl_c_notafter", smp_fetch_ssl_c_notafter, 0, NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES },
2768 { "ssl_c_notbefore", smp_fetch_ssl_c_notbefore, 0, NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES },
Emeric Brun7f56e742012-10-19 18:15:40 +02002769 { "ssl_c_sig_alg", smp_fetch_ssl_c_sig_alg, 0, NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES },
Emeric Brun87855892012-10-17 17:39:35 +02002770 { "ssl_c_s_dn", smp_fetch_ssl_c_s_dn, ARG2(0,STR,SINT), NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES },
Willy Tarreau8d598402012-10-22 17:58:39 +02002771 { "ssl_c_serial", smp_fetch_ssl_c_serial, 0, NULL, SMP_T_BIN, SMP_CAP_REQ|SMP_CAP_RES },
Emeric Brun2525b6b2012-10-18 15:59:43 +02002772 { "ssl_c_verify", smp_fetch_ssl_c_verify, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
Emeric Bruna7359fd2012-10-17 15:03:11 +02002773 { "ssl_c_version", smp_fetch_ssl_c_version, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
Emeric Brun87855892012-10-17 17:39:35 +02002774 { "ssl_f_i_dn", smp_fetch_ssl_f_i_dn, ARG2(0,STR,SINT), NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES },
Emeric Brun521a0112012-10-22 12:22:55 +02002775 { "ssl_f_key_alg", smp_fetch_ssl_f_key_alg, 0, NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES },
Emeric Brunce5ad802012-10-22 14:11:22 +02002776 { "ssl_f_notafter", smp_fetch_ssl_f_notafter, 0, NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES },
2777 { "ssl_f_notbefore", smp_fetch_ssl_f_notbefore, 0, NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES },
Emeric Brun7f56e742012-10-19 18:15:40 +02002778 { "ssl_f_sig_alg", smp_fetch_ssl_f_sig_alg, 0, NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES },
Emeric Brun87855892012-10-17 17:39:35 +02002779 { "ssl_f_s_dn", smp_fetch_ssl_f_s_dn, ARG2(0,STR,SINT), NULL, SMP_T_STR, SMP_CAP_REQ|SMP_CAP_RES },
Willy Tarreau8d598402012-10-22 17:58:39 +02002780 { "ssl_f_serial", smp_fetch_ssl_f_serial, 0, NULL, SMP_T_BIN, SMP_CAP_REQ|SMP_CAP_RES },
Emeric Bruna7359fd2012-10-17 15:03:11 +02002781 { "ssl_f_version", smp_fetch_ssl_f_version, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
Emeric Brun2525b6b2012-10-18 15:59:43 +02002782 { "ssl_fc", smp_fetch_ssl_fc, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
Emeric Brun589fcad2012-10-16 14:13:26 +02002783 { "ssl_fc_alg_keysize", smp_fetch_ssl_fc_alg_keysize, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
2784 { "ssl_fc_cipher", smp_fetch_ssl_fc_cipher, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
Emeric Brun2525b6b2012-10-18 15:59:43 +02002785 { "ssl_fc_has_crt", smp_fetch_ssl_fc_has_crt, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
2786 { "ssl_fc_has_sni", smp_fetch_ssl_fc_has_sni, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
Willy Tarreaua33c6542012-10-15 13:19:06 +02002787#ifdef OPENSSL_NPN_NEGOTIATED
Emeric Brun2525b6b2012-10-18 15:59:43 +02002788 { "ssl_fc_npn", smp_fetch_ssl_fc_npn, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
Willy Tarreaua33c6542012-10-15 13:19:06 +02002789#endif
Emeric Brun589fcad2012-10-16 14:13:26 +02002790 { "ssl_fc_protocol", smp_fetch_ssl_fc_protocol, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
2791 { "ssl_fc_use_keysize", smp_fetch_ssl_fc_use_keysize, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
Emeric Brunfe68f682012-10-16 14:59:28 +02002792 { "ssl_fc_session_id", smp_fetch_ssl_fc_session_id, 0, NULL, SMP_T_CBIN, SMP_CAP_REQ|SMP_CAP_RES },
Emeric Brun2525b6b2012-10-18 15:59:43 +02002793 { "ssl_fc_sni", smp_fetch_ssl_fc_sni, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
Willy Tarreau7875d092012-09-10 08:20:03 +02002794 { NULL, NULL, 0, 0, 0 },
2795}};
2796
2797/* Note: must not be declared <const> as its list will be overwritten.
2798 * Please take care of keeping this list alphabetically sorted.
2799 */
2800static struct acl_kw_list acl_kws = {{ },{
Emeric Brun2525b6b2012-10-18 15:59:43 +02002801 { "ssl_c_ca_err", acl_parse_int, smp_fetch_ssl_c_ca_err, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
2802 { "ssl_c_ca_err_depth", acl_parse_int, smp_fetch_ssl_c_ca_err_depth, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
2803 { "ssl_c_err", acl_parse_int, smp_fetch_ssl_c_err, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
Emeric Brun87855892012-10-17 17:39:35 +02002804 { "ssl_c_i_dn", acl_parse_str, smp_fetch_ssl_c_i_dn, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, ARG2(0,STR,SINT) },
Emeric Brun521a0112012-10-22 12:22:55 +02002805 { "ssl_c_key_alg", acl_parse_str, smp_fetch_ssl_c_key_alg, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
Emeric Brunce5ad802012-10-22 14:11:22 +02002806 { "ssl_c_notafter", acl_parse_str, smp_fetch_ssl_c_notafter, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
2807 { "ssl_c_notbefore", acl_parse_str, smp_fetch_ssl_c_notbefore, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
Emeric Brun7f56e742012-10-19 18:15:40 +02002808 { "ssl_c_sig_alg", acl_parse_str, smp_fetch_ssl_c_sig_alg, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
Emeric Brun87855892012-10-17 17:39:35 +02002809 { "ssl_c_s_dn", acl_parse_str, smp_fetch_ssl_c_s_dn, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, ARG2(0,STR,SINT) },
Willy Tarreau8d598402012-10-22 17:58:39 +02002810 { "ssl_c_serial", acl_parse_bin, smp_fetch_ssl_c_serial, acl_match_bin, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
Emeric Brun2525b6b2012-10-18 15:59:43 +02002811 { "ssl_c_verify", acl_parse_int, smp_fetch_ssl_c_verify, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
Emeric Bruna7359fd2012-10-17 15:03:11 +02002812 { "ssl_c_version", acl_parse_int, smp_fetch_ssl_c_version, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
Emeric Brun87855892012-10-17 17:39:35 +02002813 { "ssl_f_i_dn", acl_parse_str, smp_fetch_ssl_f_i_dn, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, ARG2(0,STR,SINT) },
Emeric Brun521a0112012-10-22 12:22:55 +02002814 { "ssl_f_key_alg", acl_parse_str, smp_fetch_ssl_f_key_alg, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
Emeric Brunce5ad802012-10-22 14:11:22 +02002815 { "ssl_f_notafter", acl_parse_str, smp_fetch_ssl_f_notafter, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
2816 { "ssl_f_notbefore", acl_parse_str, smp_fetch_ssl_f_notbefore, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
Emeric Brun7f56e742012-10-19 18:15:40 +02002817 { "ssl_f_sig_alg", acl_parse_str, smp_fetch_ssl_f_sig_alg, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
Emeric Brun87855892012-10-17 17:39:35 +02002818 { "ssl_f_s_dn", acl_parse_str, smp_fetch_ssl_f_s_dn, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, ARG2(0,STR,SINT) },
Willy Tarreau8d598402012-10-22 17:58:39 +02002819 { "ssl_f_serial", acl_parse_bin, smp_fetch_ssl_f_serial, acl_match_bin, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
Emeric Bruna7359fd2012-10-17 15:03:11 +02002820 { "ssl_f_version", acl_parse_int, smp_fetch_ssl_f_version, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
Emeric Brun2525b6b2012-10-18 15:59:43 +02002821 { "ssl_fc", acl_parse_int, smp_fetch_ssl_fc, acl_match_nothing, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
Emeric Brun589fcad2012-10-16 14:13:26 +02002822 { "ssl_fc_alg_keysize", acl_parse_str, smp_fetch_ssl_fc_alg_keysize, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
2823 { "ssl_fc_cipher", acl_parse_str, smp_fetch_ssl_fc_cipher, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
Emeric Brun2525b6b2012-10-18 15:59:43 +02002824 { "ssl_fc_has_crt", acl_parse_int, smp_fetch_ssl_fc_has_crt, acl_match_nothing, ACL_USE_L6REQ_PERMANENT, 0 },
2825 { "ssl_fc_has_sni", acl_parse_int, smp_fetch_ssl_fc_has_sni, acl_match_nothing, ACL_USE_L6REQ_PERMANENT, 0 },
Willy Tarreaua33c6542012-10-15 13:19:06 +02002826#ifdef OPENSSL_NPN_NEGOTIATED
Emeric Brun2525b6b2012-10-18 15:59:43 +02002827 { "ssl_fc_npn", acl_parse_str, smp_fetch_ssl_fc_npn, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
Willy Tarreaua33c6542012-10-15 13:19:06 +02002828#endif
Emeric Brun589fcad2012-10-16 14:13:26 +02002829 { "ssl_fc_protocol", acl_parse_str, smp_fetch_ssl_fc_protocol, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
2830 { "ssl_fc_use_keysize", acl_parse_str, smp_fetch_ssl_fc_use_keysize, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
Emeric Brun2525b6b2012-10-18 15:59:43 +02002831 { "ssl_fc_sni", acl_parse_str, smp_fetch_ssl_fc_sni, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
2832 { "ssl_fc_sni_end", acl_parse_str, smp_fetch_ssl_fc_sni, acl_match_end, ACL_USE_L6REQ_PERMANENT, 0 },
2833 { "ssl_fc_sni_reg", acl_parse_reg, smp_fetch_ssl_fc_sni, acl_match_reg, ACL_USE_L6REQ_PERMANENT, 0 },
Willy Tarreau7875d092012-09-10 08:20:03 +02002834 { NULL, NULL, NULL, NULL },
2835}};
2836
Willy Tarreau79eeafa2012-09-14 07:53:05 +02002837/* Note: must not be declared <const> as its list will be overwritten.
2838 * Please take care of keeping this list alphabetically sorted, doing so helps
2839 * all code contributors.
2840 * Optional keywords are also declared with a NULL ->parse() function so that
2841 * the config parser can report an appropriate error when a known keyword was
2842 * not enabled.
2843 */
Willy Tarreau51fb7652012-09-18 18:24:39 +02002844static struct bind_kw_list bind_kws = { "SSL", { }, {
Emeric Brunfb510ea2012-10-05 12:00:26 +02002845 { "ca-file", bind_parse_ca_file, 1 }, /* set CAfile to process verify on client cert */
Emeric Brun2d0c4822012-10-02 13:45:20 +02002846 { "ca-ignore-err", bind_parse_ignore_err, 1 }, /* set error IDs to ignore on verify depth > 0 */
2847 { "ciphers", bind_parse_ciphers, 1 }, /* set SSL cipher suite */
Emeric Brunfb510ea2012-10-05 12:00:26 +02002848 { "crl-file", bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */
Emeric Brun2d0c4822012-10-02 13:45:20 +02002849 { "crt", bind_parse_crt, 1 }, /* load SSL certificates from this location */
2850 { "crt-ignore-err", bind_parse_ignore_err, 1 }, /* set error IDs to ingore on verify depth == 0 */
2851 { "ecdhe", bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
Emeric Brun2cb7ae52012-10-05 14:14:21 +02002852 { "force-sslv3", bind_parse_force_sslv3, 0 }, /* force SSLv3 */
2853 { "force-tlsv10", bind_parse_force_tlsv10, 0 }, /* force TLSv10 */
2854 { "force-tlsv11", bind_parse_force_tlsv11, 0 }, /* force TLSv11 */
2855 { "force-tlsv12", bind_parse_force_tlsv12, 0 }, /* force TLSv12 */
Emeric Brun9b3009b2012-10-05 11:55:06 +02002856 { "no-sslv3", bind_parse_no_sslv3, 0 }, /* disable SSLv3 */
2857 { "no-tlsv10", bind_parse_no_tlsv10, 0 }, /* disable TLSv10 */
2858 { "no-tlsv11", bind_parse_no_tlsv11, 0 }, /* disable TLSv11 */
2859 { "no-tlsv12", bind_parse_no_tlsv12, 0 }, /* disable TLSv12 */
Emeric Brun2d0c4822012-10-02 13:45:20 +02002860 { "no-tls-tickets", bind_parse_no_tls_tickets, 0 }, /* disable session resumption tickets */
Emeric Brun2d0c4822012-10-02 13:45:20 +02002861 { "ssl", bind_parse_ssl, 0 }, /* enable SSL processing */
2862 { "verify", bind_parse_verify, 1 }, /* set SSL verify method */
Willy Tarreau6c9a3d52012-10-18 18:57:14 +02002863 { "npn", bind_parse_npn, 1 }, /* set NPN supported protocols */
Willy Tarreau79eeafa2012-09-14 07:53:05 +02002864 { NULL, NULL, 0 },
2865}};
Emeric Brun46591952012-05-18 15:47:34 +02002866
Willy Tarreau92faadf2012-10-10 23:04:25 +02002867/* Note: must not be declared <const> as its list will be overwritten.
2868 * Please take care of keeping this list alphabetically sorted, doing so helps
2869 * all code contributors.
2870 * Optional keywords are also declared with a NULL ->parse() function so that
2871 * the config parser can report an appropriate error when a known keyword was
2872 * not enabled.
2873 */
2874static struct srv_kw_list srv_kws = { "SSL", { }, {
Emeric Brunef42d922012-10-11 16:11:36 +02002875 { "ca-file", srv_parse_ca_file, 1, 0 }, /* set CAfile to process verify server cert */
Emeric Brunecc91fe2012-10-11 15:05:10 +02002876 { "check-ssl", srv_parse_check_ssl, 0, 0 }, /* enable SSL for health checks */
2877 { "ciphers", srv_parse_ciphers, 1, 0 }, /* select the cipher suite */
Emeric Brunef42d922012-10-11 16:11:36 +02002878 { "crl-file", srv_parse_crl_file, 1, 0 }, /* set certificate revocation list file use on server cert verify */
Emeric Bruna7aa3092012-10-26 12:58:00 +02002879 { "crt", srv_parse_crt, 1, 0 }, /* set client certificate */
Emeric Brunecc91fe2012-10-11 15:05:10 +02002880 { "force-sslv3", srv_parse_force_sslv3, 0, 0 }, /* force SSLv3 */
2881 { "force-tlsv10", srv_parse_force_tlsv10, 0, 0 }, /* force TLSv10 */
2882 { "force-tlsv11", srv_parse_force_tlsv11, 0, 0 }, /* force TLSv11 */
2883 { "force-tlsv12", srv_parse_force_tlsv12, 0, 0 }, /* force TLSv12 */
2884 { "no-sslv3", srv_parse_no_sslv3, 0, 0 }, /* disable SSLv3 */
2885 { "no-tlsv10", srv_parse_no_tlsv10, 0, 0 }, /* disable TLSv10 */
2886 { "no-tlsv11", srv_parse_no_tlsv11, 0, 0 }, /* disable TLSv11 */
2887 { "no-tlsv12", srv_parse_no_tlsv12, 0, 0 }, /* disable TLSv12 */
Emeric Brunf9c5c472012-10-11 15:28:34 +02002888 { "no-tls-tickets", srv_parse_no_tls_tickets, 0, 0 }, /* disable session resumption tickets */
Emeric Brunecc91fe2012-10-11 15:05:10 +02002889 { "ssl", srv_parse_ssl, 0, 0 }, /* enable SSL processing */
Emeric Brunef42d922012-10-11 16:11:36 +02002890 { "verify", srv_parse_verify, 1, 0 }, /* set SSL verify method */
Willy Tarreau92faadf2012-10-10 23:04:25 +02002891 { NULL, NULL, 0, 0 },
2892}};
2893
Willy Tarreauf7bc57c2012-10-03 00:19:48 +02002894/* transport-layer operations for SSL sockets */
2895struct xprt_ops ssl_sock = {
Emeric Brun46591952012-05-18 15:47:34 +02002896 .snd_buf = ssl_sock_from_buf,
2897 .rcv_buf = ssl_sock_to_buf,
2898 .rcv_pipe = NULL,
2899 .snd_pipe = NULL,
2900 .shutr = NULL,
2901 .shutw = ssl_sock_shutw,
2902 .close = ssl_sock_close,
2903 .init = ssl_sock_init,
2904};
2905
2906__attribute__((constructor))
Willy Tarreau92faadf2012-10-10 23:04:25 +02002907static void __ssl_sock_init(void)
2908{
Emeric Brun46591952012-05-18 15:47:34 +02002909 STACK_OF(SSL_COMP)* cm;
2910
2911 SSL_library_init();
2912 cm = SSL_COMP_get_compression_methods();
2913 sk_SSL_COMP_zero(cm);
Willy Tarreau7875d092012-09-10 08:20:03 +02002914 sample_register_fetches(&sample_fetch_keywords);
2915 acl_register_keywords(&acl_kws);
Willy Tarreau79eeafa2012-09-14 07:53:05 +02002916 bind_register_keywords(&bind_kws);
Willy Tarreau92faadf2012-10-10 23:04:25 +02002917 srv_register_keywords(&srv_kws);
Emeric Brun46591952012-05-18 15:47:34 +02002918}
2919
2920/*
2921 * Local variables:
2922 * c-indent-level: 8
2923 * c-basic-offset: 8
2924 * End:
2925 */