Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / e6ce10be85293b4d0e54a6805d081f9e925eaf9e / . / src / ssl_sample.c
blob: 509b0c57567d99446e86bb02262e8718ef97d46c [file] [log] [blame]
William Lallemand15e16942020-05-15 00:25:08 +0200[diff] [blame]1/*
2 * This file contains the sample fetches related to the SSL
3 *
4 * Copyright (C) 2012 EXCELIANCE, Emeric Brun <ebrun@exceliance.fr>
5 * Copyright (C) 2020 HAProxy Technologies, William Lallemand <wlallemand@haproxy.com>
6 *
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version
10 * 2 of the License, or (at your option) any later version.
11 */
12
13#define _GNU_SOURCE
14#include <ctype.h>
15#include <dirent.h>
16#include <errno.h>
17#include <fcntl.h>
18#include <stdio.h>
19#include <stdlib.h>
20#include <string.h>
21#include <unistd.h>
22
Willy Tarreau4c7e4b72020-05-27 12:58:42 +0200[diff] [blame]23#include <haproxy/api.h>
Willy Tarreau2741c8c2020-06-02 11:28:02 +0200[diff] [blame]24#include <haproxy/buf-t.h>
Willy Tarreau8efbdfb2020-06-04 11:29:21 +0200[diff] [blame]25#include <haproxy/obj_type.h>
Willy Tarreau6019fab2020-05-27 16:26:00 +0200[diff] [blame]26#include <haproxy/openssl-compat.h>
Willy Tarreaue6ce10b2020-06-04 15:33:47 +0200[diff] [blame^]27#include <haproxy/sample.h>
Willy Tarreaub2bd8652020-06-04 14:21:22 +0200[diff] [blame]28#include <haproxy/ssl_utils.h>
Willy Tarreau48fbcae2020-06-03 18:09:46 +0200[diff] [blame]29#include <haproxy/tools.h>
William Lallemand15e16942020-05-15 00:25:08 +0200[diff] [blame]30
William Lallemand15e16942020-05-15 00:25:08 +0200[diff] [blame]31#include <types/ssl_sock.h>
32
33#include <proto/acl.h>
Willy Tarreauaa74c4e2020-06-04 10:19:23 +0200[diff] [blame]34#include <haproxy/arg.h>
William Lallemand15e16942020-05-15 00:25:08 +0200[diff] [blame]35#include <proto/ssl_sock.h>
William Lallemand15e16942020-05-15 00:25:08 +0200[diff] [blame]36
37
38/***** Below are some sample fetching functions for ACL/patterns *****/
39
40static int
41smp_fetch_ssl_fc_has_early(const struct arg *args, struct sample *smp, const char *kw, void *private)
42{
43 SSL *ssl;
44 struct connection *conn;
45
46 conn = objt_conn(smp->sess->origin);
47 ssl = ssl_sock_get_ssl_object(conn);
48 if (!ssl)
49 return 0;
50
51 smp->flags = 0;
52 smp->data.type = SMP_T_BOOL;
53#ifdef OPENSSL_IS_BORINGSSL
54 {
55 smp->data.u.sint = (SSL_in_early_data(ssl) &&
56 SSL_early_data_accepted(ssl));
57 }
58#else
59 smp->data.u.sint = ((conn->flags & CO_FL_EARLY_DATA) &&
60 (conn->flags & (CO_FL_EARLY_SSL_HS | CO_FL_SSL_WAIT_HS))) ? 1 : 0;
61#endif
62 return 1;
63}
64
65/* boolean, returns true if client cert was present */
66static int
67smp_fetch_ssl_fc_has_crt(const struct arg *args, struct sample *smp, const char *kw, void *private)
68{
69 struct connection *conn;
70 struct ssl_sock_ctx *ctx;
71
72 conn = objt_conn(smp->sess->origin);
73 if (!conn || conn->xprt != &ssl_sock)
74 return 0;
75
76 ctx = conn->xprt_ctx;
77
78 if (conn->flags & CO_FL_WAIT_XPRT) {
79 smp->flags |= SMP_F_MAY_CHANGE;
80 return 0;
81 }
82
83 smp->flags = 0;
84 smp->data.type = SMP_T_BOOL;
85 smp->data.u.sint = SSL_SOCK_ST_FL_VERIFY_DONE & ctx->xprt_st ? 1 : 0;
86
87 return 1;
88}
89
90/* binary, returns a certificate in a binary chunk (der/raw).
91 * The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
92 * should be use.
93 */
94static int
95smp_fetch_ssl_x_der(const struct arg *args, struct sample *smp, const char *kw, void *private)
96{
97 int cert_peer = (kw[4] == 'c') ? 1 : 0;
98 X509 *crt = NULL;
99 int ret = 0;
100 struct buffer *smp_trash;
101 struct connection *conn;
102 SSL *ssl;
103
104 conn = objt_conn(smp->sess->origin);
105 ssl = ssl_sock_get_ssl_object(conn);
106 if (!ssl)
107 return 0;
108
109 if (conn->flags & CO_FL_WAIT_XPRT) {
110 smp->flags |= SMP_F_MAY_CHANGE;
111 return 0;
112 }
113
114 if (cert_peer)
115 crt = SSL_get_peer_certificate(ssl);
116 else
117 crt = SSL_get_certificate(ssl);
118
119 if (!crt)
120 goto out;
121
122 smp_trash = get_trash_chunk();
123 if (ssl_sock_crt2der(crt, smp_trash) <= 0)
124 goto out;
125
126 smp->data.u.str = *smp_trash;
127 smp->data.type = SMP_T_BIN;
128 ret = 1;
129out:
130 /* SSL_get_peer_certificate, it increase X509 * ref count */
131 if (cert_peer && crt)
132 X509_free(crt);
133 return ret;
134}
135
136/* binary, returns serial of certificate in a binary chunk.
137 * The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
138 * should be use.
139 */
140static int
141smp_fetch_ssl_x_serial(const struct arg *args, struct sample *smp, const char *kw, void *private)
142{
143 int cert_peer = (kw[4] == 'c') ? 1 : 0;
144 X509 *crt = NULL;
145 int ret = 0;
146 struct buffer *smp_trash;
147 struct connection *conn;
148 SSL *ssl;
149
150 conn = objt_conn(smp->sess->origin);
151 ssl = ssl_sock_get_ssl_object(conn);
152 if (!ssl)
153 return 0;
154
155 if (conn->flags & CO_FL_WAIT_XPRT) {
156 smp->flags |= SMP_F_MAY_CHANGE;
157 return 0;
158 }
159
160 if (cert_peer)
161 crt = SSL_get_peer_certificate(ssl);
162 else
163 crt = SSL_get_certificate(ssl);
164
165 if (!crt)
166 goto out;
167
168 smp_trash = get_trash_chunk();
169 if (ssl_sock_get_serial(crt, smp_trash) <= 0)
170 goto out;
171
172 smp->data.u.str = *smp_trash;
173 smp->data.type = SMP_T_BIN;
174 ret = 1;
175out:
176 /* SSL_get_peer_certificate, it increase X509 * ref count */
177 if (cert_peer && crt)
178 X509_free(crt);
179 return ret;
180}
181
182/* binary, returns the client certificate's SHA-1 fingerprint (SHA-1 hash of DER-encoded certificate) in a binary chunk.
183 * The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
184 * should be use.
185 */
186static int
187smp_fetch_ssl_x_sha1(const struct arg *args, struct sample *smp, const char *kw, void *private)
188{
189 int cert_peer = (kw[4] == 'c') ? 1 : 0;
190 X509 *crt = NULL;
191 const EVP_MD *digest;
192 int ret = 0;
193 unsigned int len = 0;
194 struct buffer *smp_trash;
195 struct connection *conn;
196 SSL *ssl;
197
198 conn = objt_conn(smp->sess->origin);
199 ssl = ssl_sock_get_ssl_object(conn);
200 if (!ssl)
201 return 0;
202
203 if (conn->flags & CO_FL_WAIT_XPRT) {
204 smp->flags |= SMP_F_MAY_CHANGE;
205 return 0;
206 }
207
208 if (cert_peer)
209 crt = SSL_get_peer_certificate(ssl);
210 else
211 crt = SSL_get_certificate(ssl);
212 if (!crt)
213 goto out;
214
215 smp_trash = get_trash_chunk();
216 digest = EVP_sha1();
217 X509_digest(crt, digest, (unsigned char *) smp_trash->area, &len);
218 smp_trash->data = len;
219 smp->data.u.str = *smp_trash;
220 smp->data.type = SMP_T_BIN;
221 ret = 1;
222out:
223 /* SSL_get_peer_certificate, it increase X509 * ref count */
224 if (cert_peer && crt)
225 X509_free(crt);
226 return ret;
227}
228
229/* string, returns certificate's notafter date in ASN1_UTCTIME format.
230 * The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
231 * should be use.
232 */
233static int
234smp_fetch_ssl_x_notafter(const struct arg *args, struct sample *smp, const char *kw, void *private)
235{
236 int cert_peer = (kw[4] == 'c') ? 1 : 0;
237 X509 *crt = NULL;
238 int ret = 0;
239 struct buffer *smp_trash;
240 struct connection *conn;
241 SSL *ssl;
242
243 conn = objt_conn(smp->sess->origin);
244 ssl = ssl_sock_get_ssl_object(conn);
245 if (!ssl)
246 return 0;
247
248 if (conn->flags & CO_FL_WAIT_XPRT) {
249 smp->flags |= SMP_F_MAY_CHANGE;
250 return 0;
251 }
252
253 if (cert_peer)
254 crt = SSL_get_peer_certificate(ssl);
255 else
256 crt = SSL_get_certificate(ssl);
257 if (!crt)
258 goto out;
259
260 smp_trash = get_trash_chunk();
261 if (ssl_sock_get_time(X509_getm_notAfter(crt), smp_trash) <= 0)
262 goto out;
263
264 smp->data.u.str = *smp_trash;
265 smp->data.type = SMP_T_STR;
266 ret = 1;
267out:
268 /* SSL_get_peer_certificate, it increase X509 * ref count */
269 if (cert_peer && crt)
270 X509_free(crt);
271 return ret;
272}
273
274/* string, returns a string of a formatted full dn \C=..\O=..\OU=.. \CN=.. of certificate's issuer
275 * The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
276 * should be use.
277 */
278static int
279smp_fetch_ssl_x_i_dn(const struct arg *args, struct sample *smp, const char *kw, void *private)
280{
281 int cert_peer = (kw[4] == 'c') ? 1 : 0;
282 X509 *crt = NULL;
283 X509_NAME *name;
284 int ret = 0;
285 struct buffer *smp_trash;
286 struct connection *conn;
287 SSL *ssl;
288
289 conn = objt_conn(smp->sess->origin);
290 ssl = ssl_sock_get_ssl_object(conn);
291 if (!ssl)
292 return 0;
293
294 if (conn->flags & CO_FL_WAIT_XPRT) {
295 smp->flags |= SMP_F_MAY_CHANGE;
296 return 0;
297 }
298
299 if (cert_peer)
300 crt = SSL_get_peer_certificate(ssl);
301 else
302 crt = SSL_get_certificate(ssl);
303 if (!crt)
304 goto out;
305
306 name = X509_get_issuer_name(crt);
307 if (!name)
308 goto out;
309
310 smp_trash = get_trash_chunk();
311 if (args && args[0].type == ARGT_STR && args[0].data.str.data > 0) {
312 int pos = 1;
313
314 if (args[1].type == ARGT_SINT)
315 pos = args[1].data.sint;
316
317 if (ssl_sock_get_dn_entry(name, &args[0].data.str, pos, smp_trash) <= 0)
318 goto out;
319 }
320 else if (args && args[2].type == ARGT_STR && args[2].data.str.data > 0) {
321 if (ssl_sock_get_dn_formatted(name, &args[2].data.str, smp_trash) <= 0)
322 goto out;
323 }
324 else if (ssl_sock_get_dn_oneline(name, smp_trash) <= 0)
325 goto out;
326
327 smp->data.type = SMP_T_STR;
328 smp->data.u.str = *smp_trash;
329 ret = 1;
330out:
331 /* SSL_get_peer_certificate, it increase X509 * ref count */
332 if (cert_peer && crt)
333 X509_free(crt);
334 return ret;
335}
336
337/* string, returns notbefore date in ASN1_UTCTIME format.
338 * The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
339 * should be use.
340 */
341static int
342smp_fetch_ssl_x_notbefore(const struct arg *args, struct sample *smp, const char *kw, void *private)
343{
344 int cert_peer = (kw[4] == 'c') ? 1 : 0;
345 X509 *crt = NULL;
346 int ret = 0;
347 struct buffer *smp_trash;
348 struct connection *conn;
349 SSL *ssl;
350
351 conn = objt_conn(smp->sess->origin);
352 ssl = ssl_sock_get_ssl_object(conn);
353 if (!ssl)
354 return 0;
355
356 if (conn->flags & CO_FL_WAIT_XPRT) {
357 smp->flags |= SMP_F_MAY_CHANGE;
358 return 0;
359 }
360
361 if (cert_peer)
362 crt = SSL_get_peer_certificate(ssl);
363 else
364 crt = SSL_get_certificate(ssl);
365 if (!crt)
366 goto out;
367
368 smp_trash = get_trash_chunk();
369 if (ssl_sock_get_time(X509_getm_notBefore(crt), smp_trash) <= 0)
370 goto out;
371
372 smp->data.u.str = *smp_trash;
373 smp->data.type = SMP_T_STR;
374 ret = 1;
375out:
376 /* SSL_get_peer_certificate, it increase X509 * ref count */
377 if (cert_peer && crt)
378 X509_free(crt);
379 return ret;
380}
381
382/* string, returns a string of a formatted full dn \C=..\O=..\OU=.. \CN=.. of certificate's subject
383 * The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
384 * should be use.
385 */
386static int
387smp_fetch_ssl_x_s_dn(const struct arg *args, struct sample *smp, const char *kw, void *private)
388{
389 int cert_peer = (kw[4] == 'c') ? 1 : 0;
390 X509 *crt = NULL;
391 X509_NAME *name;
392 int ret = 0;
393 struct buffer *smp_trash;
394 struct connection *conn;
395 SSL *ssl;
396
397 conn = objt_conn(smp->sess->origin);
398 ssl = ssl_sock_get_ssl_object(conn);
399 if (!ssl)
400 return 0;
401
402 if (conn->flags & CO_FL_WAIT_XPRT) {
403 smp->flags |= SMP_F_MAY_CHANGE;
404 return 0;
405 }
406
407 if (cert_peer)
408 crt = SSL_get_peer_certificate(ssl);
409 else
410 crt = SSL_get_certificate(ssl);
411 if (!crt)
412 goto out;
413
414 name = X509_get_subject_name(crt);
415 if (!name)
416 goto out;
417
418 smp_trash = get_trash_chunk();
419 if (args && args[0].type == ARGT_STR && args[0].data.str.data > 0) {
420 int pos = 1;
421
422 if (args[1].type == ARGT_SINT)
423 pos = args[1].data.sint;
424
425 if (ssl_sock_get_dn_entry(name, &args[0].data.str, pos, smp_trash) <= 0)
426 goto out;
427 }
428 else if (args && args[2].type == ARGT_STR && args[2].data.str.data > 0) {
429 if (ssl_sock_get_dn_formatted(name, &args[2].data.str, smp_trash) <= 0)
430 goto out;
431 }
432 else if (ssl_sock_get_dn_oneline(name, smp_trash) <= 0)
433 goto out;
434
435 smp->data.type = SMP_T_STR;
436 smp->data.u.str = *smp_trash;
437 ret = 1;
438out:
439 /* SSL_get_peer_certificate, it increase X509 * ref count */
440 if (cert_peer && crt)
441 X509_free(crt);
442 return ret;
443}
444
445/* integer, returns true if current session use a client certificate */
446static int
447smp_fetch_ssl_c_used(const struct arg *args, struct sample *smp, const char *kw, void *private)
448{
449 X509 *crt;
450 struct connection *conn;
451 SSL *ssl;
452
453 conn = objt_conn(smp->sess->origin);
454 ssl = ssl_sock_get_ssl_object(conn);
455 if (!ssl)
456 return 0;
457
458 if (conn->flags & CO_FL_WAIT_XPRT) {
459 smp->flags |= SMP_F_MAY_CHANGE;
460 return 0;
461 }
462
463 /* SSL_get_peer_certificate returns a ptr on allocated X509 struct */
464 crt = SSL_get_peer_certificate(ssl);
465 if (crt) {
466 X509_free(crt);
467 }
468
469 smp->data.type = SMP_T_BOOL;
470 smp->data.u.sint = (crt != NULL);
471 return 1;
472}
473
474/* integer, returns the certificate version
475 * The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
476 * should be use.
477 */
478static int
479smp_fetch_ssl_x_version(const struct arg *args, struct sample *smp, const char *kw, void *private)
480{
481 int cert_peer = (kw[4] == 'c') ? 1 : 0;
482 X509 *crt;
483 struct connection *conn;
484 SSL *ssl;
485
486 conn = objt_conn(smp->sess->origin);
487 ssl = ssl_sock_get_ssl_object(conn);
488 if (!ssl)
489 return 0;
490
491 if (conn->flags & CO_FL_WAIT_XPRT) {
492 smp->flags |= SMP_F_MAY_CHANGE;
493 return 0;
494 }
495
496 if (cert_peer)
497 crt = SSL_get_peer_certificate(ssl);
498 else
499 crt = SSL_get_certificate(ssl);
500 if (!crt)
501 return 0;
502
503 smp->data.u.sint = (unsigned int)(1 + X509_get_version(crt));
504 /* SSL_get_peer_certificate increase X509 * ref count */
505 if (cert_peer)
506 X509_free(crt);
507 smp->data.type = SMP_T_SINT;
508
509 return 1;
510}
511
512/* string, returns the certificate's signature algorithm.
513 * The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
514 * should be use.
515 */
516static int
517smp_fetch_ssl_x_sig_alg(const struct arg *args, struct sample *smp, const char *kw, void *private)
518{
519 int cert_peer = (kw[4] == 'c') ? 1 : 0;
520 X509 *crt;
521 __OPENSSL_110_CONST__ ASN1_OBJECT *algorithm;
522 int nid;
523 struct connection *conn;
524 SSL *ssl;
525
526 conn = objt_conn(smp->sess->origin);
527 ssl = ssl_sock_get_ssl_object(conn);
528 if (!ssl)
529 return 0;
530
531 if (conn->flags & CO_FL_WAIT_XPRT) {
532 smp->flags |= SMP_F_MAY_CHANGE;
533 return 0;
534 }
535
536 if (cert_peer)
537 crt = SSL_get_peer_certificate(ssl);
538 else
539 crt = SSL_get_certificate(ssl);
540 if (!crt)
541 return 0;
542
543 X509_ALGOR_get0(&algorithm, NULL, NULL, X509_get0_tbs_sigalg(crt));
544 nid = OBJ_obj2nid(algorithm);
545
546 smp->data.u.str.area = (char *)OBJ_nid2sn(nid);
547 if (!smp->data.u.str.area) {
548 /* SSL_get_peer_certificate increase X509 * ref count */
549 if (cert_peer)
550 X509_free(crt);
551 return 0;
552 }
553
554 smp->data.type = SMP_T_STR;
555 smp->flags |= SMP_F_CONST;
556 smp->data.u.str.data = strlen(smp->data.u.str.area);
557 /* SSL_get_peer_certificate increase X509 * ref count */
558 if (cert_peer)
559 X509_free(crt);
560
561 return 1;
562}
563
564/* string, returns the certificate's key algorithm.
565 * The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
566 * should be use.
567 */
568static int
569smp_fetch_ssl_x_key_alg(const struct arg *args, struct sample *smp, const char *kw, void *private)
570{
571 int cert_peer = (kw[4] == 'c') ? 1 : 0;
572 X509 *crt;
573 ASN1_OBJECT *algorithm;
574 int nid;
575 struct connection *conn;
576 SSL *ssl;
577
578 conn = objt_conn(smp->sess->origin);
579 ssl = ssl_sock_get_ssl_object(conn);
580 if (!ssl)
581 return 0;
582
583 if (conn->flags & CO_FL_WAIT_XPRT) {
584 smp->flags |= SMP_F_MAY_CHANGE;
585 return 0;
586 }
587
588 if (cert_peer)
589 crt = SSL_get_peer_certificate(ssl);
590 else
591 crt = SSL_get_certificate(ssl);
592 if (!crt)
593 return 0;
594
595 X509_PUBKEY_get0_param(&algorithm, NULL, NULL, NULL, X509_get_X509_PUBKEY(crt));
596 nid = OBJ_obj2nid(algorithm);
597
598 smp->data.u.str.area = (char *)OBJ_nid2sn(nid);
599 if (!smp->data.u.str.area) {
600 /* SSL_get_peer_certificate increase X509 * ref count */
601 if (cert_peer)
602 X509_free(crt);
603 return 0;
604 }
605
606 smp->data.type = SMP_T_STR;
607 smp->flags |= SMP_F_CONST;
608 smp->data.u.str.data = strlen(smp->data.u.str.area);
609 if (cert_peer)
610 X509_free(crt);
611
612 return 1;
613}
614
615/* boolean, returns true if front conn. transport layer is SSL.
616 * This function is also usable on backend conn if the fetch keyword 5th
617 * char is 'b'.
618 */
619static int
620smp_fetch_ssl_fc(const struct arg *args, struct sample *smp, const char *kw, void *private)
621{
622 struct connection *conn;
623
624 if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
625 conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
626 else
627 conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
628 smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
629
630 smp->data.type = SMP_T_BOOL;
631 smp->data.u.sint = (conn && conn->xprt == &ssl_sock);
632 return 1;
633}
634
635/* boolean, returns true if client present a SNI */
636static int
637smp_fetch_ssl_fc_has_sni(const struct arg *args, struct sample *smp, const char *kw, void *private)
638{
639#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
640 struct connection *conn = objt_conn(smp->sess->origin);
641 SSL *ssl = ssl_sock_get_ssl_object(conn);
642
643 smp->data.type = SMP_T_BOOL;
644 smp->data.u.sint = ssl && SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name) != NULL;
645 return 1;
646#else
647 return 0;
648#endif
649}
650
651/* boolean, returns true if client session has been resumed.
652 * This function is also usable on backend conn if the fetch keyword 5th
653 * char is 'b'.
654 */
655static int
656smp_fetch_ssl_fc_is_resumed(const struct arg *args, struct sample *smp, const char *kw, void *private)
657{
658 struct connection *conn;
659 SSL *ssl;
660
661 if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
662 conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
663 else
664 conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
665 smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
666
667 ssl = ssl_sock_get_ssl_object(conn);
668
669 smp->data.type = SMP_T_BOOL;
670 smp->data.u.sint = ssl && SSL_session_reused(ssl);
671 return 1;
672}
673
674/* string, returns the used cipher if front conn. transport layer is SSL.
675 * This function is also usable on backend conn if the fetch keyword 5th
676 * char is 'b'.
677 */
678static int
679smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char *kw, void *private)
680{
681 struct connection *conn;
682 SSL *ssl;
683
684 if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
685 conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
686 else
687 conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
688 smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
689
690 smp->flags = 0;
691 ssl = ssl_sock_get_ssl_object(conn);
692 if (!ssl)
693 return 0;
694
695 smp->data.u.str.area = (char *)SSL_get_cipher_name(ssl);
696 if (!smp->data.u.str.area)
697 return 0;
698
699 smp->data.type = SMP_T_STR;
700 smp->flags |= SMP_F_CONST;
701 smp->data.u.str.data = strlen(smp->data.u.str.area);
702
703 return 1;
704}
705
706/* integer, returns the algoritm's keysize if front conn. transport layer
707 * is SSL.
708 * This function is also usable on backend conn if the fetch keyword 5th
709 * char is 'b'.
710 */
711static int
712smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
713{
714 struct connection *conn;
715 SSL *ssl;
716 int sint;
717
718 if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
719 conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
720 else
721 conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
722 smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
723
724 smp->flags = 0;
725 ssl = ssl_sock_get_ssl_object(conn);
726 if (!ssl)
727 return 0;
728
729 if (!SSL_get_cipher_bits(ssl, &sint))
730 return 0;
731
732 smp->data.u.sint = sint;
733 smp->data.type = SMP_T_SINT;
734
735 return 1;
736}
737
738/* integer, returns the used keysize if front conn. transport layer is SSL.
739 * This function is also usable on backend conn if the fetch keyword 5th
740 * char is 'b'.
741 */
742static int
743smp_fetch_ssl_fc_use_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
744{
745 struct connection *conn;
746 SSL *ssl;
747
748 if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
749 conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
750 else
751 conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
752 smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
753
754 smp->flags = 0;
755 ssl = ssl_sock_get_ssl_object(conn);
756 if (!ssl)
757 return 0;
758
759 smp->data.u.sint = (unsigned int)SSL_get_cipher_bits(ssl, NULL);
760 if (!smp->data.u.sint)
761 return 0;
762
763 smp->data.type = SMP_T_SINT;
764
765 return 1;
766}
767
768#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
769static int
770smp_fetch_ssl_fc_npn(const struct arg *args, struct sample *smp, const char *kw, void *private)
771{
772 struct connection *conn;
773 SSL *ssl;
774 unsigned int len = 0;
775
776 smp->flags = SMP_F_CONST;
777 smp->data.type = SMP_T_STR;
778
779 if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
780 conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
781 else
782 conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
783 smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
784
785 ssl = ssl_sock_get_ssl_object(conn);
786 if (!ssl)
787 return 0;
788
789 smp->data.u.str.area = NULL;
790 SSL_get0_next_proto_negotiated(ssl,
791 (const unsigned char **)&smp->data.u.str.area,
792 &len);
793
794 if (!smp->data.u.str.area)
795 return 0;
796
797 smp->data.u.str.data = len;
798 return 1;
799}
800#endif
801
802#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
803static int
804smp_fetch_ssl_fc_alpn(const struct arg *args, struct sample *smp, const char *kw, void *private)
805{
806 struct connection *conn;
807 SSL *ssl;
808 unsigned int len = 0;
809
810 smp->flags = SMP_F_CONST;
811 smp->data.type = SMP_T_STR;
812
813 if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
814 conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
815 else
816 conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
817 smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
818
819 ssl = ssl_sock_get_ssl_object(conn);
820 if (!ssl)
821 return 0;
822
823 smp->data.u.str.area = NULL;
824 SSL_get0_alpn_selected(ssl,
825 (const unsigned char **)&smp->data.u.str.area,
826 &len);
827
828 if (!smp->data.u.str.area)
829 return 0;
830
831 smp->data.u.str.data = len;
832 return 1;
833}
834#endif
835
836/* string, returns the used protocol if front conn. transport layer is SSL.
837 * This function is also usable on backend conn if the fetch keyword 5th
838 * char is 'b'.
839 */
840static int
841smp_fetch_ssl_fc_protocol(const struct arg *args, struct sample *smp, const char *kw, void *private)
842{
843 struct connection *conn;
844 SSL *ssl;
845
846 if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
847 conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
848 else
849 conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
850 smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
851
852 smp->flags = 0;
853 ssl = ssl_sock_get_ssl_object(conn);
854 if (!ssl)
855 return 0;
856
857 smp->data.u.str.area = (char *)SSL_get_version(ssl);
858 if (!smp->data.u.str.area)
859 return 0;
860
861 smp->data.type = SMP_T_STR;
862 smp->flags = SMP_F_CONST;
863 smp->data.u.str.data = strlen(smp->data.u.str.area);
864
865 return 1;
866}
867
868/* binary, returns the SSL stream id if front conn. transport layer is SSL.
869 * This function is also usable on backend conn if the fetch keyword 5th
870 * char is 'b'.
871 */
872#if HA_OPENSSL_VERSION_NUMBER > 0x0090800fL
873static int
874smp_fetch_ssl_fc_session_id(const struct arg *args, struct sample *smp, const char *kw, void *private)
875{
876 struct connection *conn;
877 SSL_SESSION *ssl_sess;
878 SSL *ssl;
879 unsigned int len = 0;
880
881 smp->flags = SMP_F_CONST;
882 smp->data.type = SMP_T_BIN;
883
884 if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
885 conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
886 else
887 conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
888 smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
889
890 ssl = ssl_sock_get_ssl_object(conn);
891 if (!ssl)
892 return 0;
893
894 ssl_sess = SSL_get_session(ssl);
895 if (!ssl_sess)
896 return 0;
897
898 smp->data.u.str.area = (char *)SSL_SESSION_get_id(ssl_sess, &len);
899 if (!smp->data.u.str.area || !len)
900 return 0;
901
902 smp->data.u.str.data = len;
903 return 1;
904}
905#endif
906
907
908#if HA_OPENSSL_VERSION_NUMBER >= 0x10100000L
909static int
910smp_fetch_ssl_fc_random(const struct arg *args, struct sample *smp, const char *kw, void *private)
911{
912 struct connection *conn;
913 struct buffer *data;
914 SSL *ssl;
915
916 if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
917 conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
918 else
919 conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
920 smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
921
922 ssl = ssl_sock_get_ssl_object(conn);
923 if (!ssl)
924 return 0;
925
926 data = get_trash_chunk();
927 if (kw[7] == 'c')
928 data->data = SSL_get_client_random(ssl,
929 (unsigned char *) data->area,
930 data->size);
931 else
932 data->data = SSL_get_server_random(ssl,
933 (unsigned char *) data->area,
934 data->size);
935 if (!data->data)
936 return 0;
937
938 smp->flags = 0;
939 smp->data.type = SMP_T_BIN;
940 smp->data.u.str = *data;
941
942 return 1;
943}
944
945static int
946smp_fetch_ssl_fc_session_key(const struct arg *args, struct sample *smp, const char *kw, void *private)
947{
948 struct connection *conn;
949 SSL_SESSION *ssl_sess;
950 struct buffer *data;
951 SSL *ssl;
952
953 if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
954 conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
955 else
956 conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
957 smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
958
959 ssl = ssl_sock_get_ssl_object(conn);
960 if (!ssl)
961 return 0;
962
963 ssl_sess = SSL_get_session(ssl);
964 if (!ssl_sess)
965 return 0;
966
967 data = get_trash_chunk();
968 data->data = SSL_SESSION_get_master_key(ssl_sess,
969 (unsigned char *) data->area,
970 data->size);
971 if (!data->data)
972 return 0;
973
974 smp->flags = 0;
975 smp->data.type = SMP_T_BIN;
976 smp->data.u.str = *data;
977
978 return 1;
979}
980#endif
981
982#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
983static int
984smp_fetch_ssl_fc_sni(const struct arg *args, struct sample *smp, const char *kw, void *private)
985{
986 struct connection *conn;
987 SSL *ssl;
988
989 smp->flags = SMP_F_CONST;
990 smp->data.type = SMP_T_STR;
991
992 conn = objt_conn(smp->sess->origin);
993 ssl = ssl_sock_get_ssl_object(conn);
994 if (!ssl)
995 return 0;
996
997 smp->data.u.str.area = (char *)SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
998 if (!smp->data.u.str.area)
999 return 0;
1000
1001 smp->data.u.str.data = strlen(smp->data.u.str.area);
1002 return 1;
1003}
1004#endif
1005
1006static int
1007smp_fetch_ssl_fc_cl_bin(const struct arg *args, struct sample *smp, const char *kw, void *private)
1008{
1009 struct connection *conn;
1010 struct ssl_capture *capture;
1011 SSL *ssl;
1012
1013 conn = objt_conn(smp->sess->origin);
1014 ssl = ssl_sock_get_ssl_object(conn);
1015 if (!ssl)
1016 return 0;
1017
1018 capture = SSL_get_ex_data(ssl, ssl_capture_ptr_index);
1019 if (!capture)
1020 return 0;
1021
1022 smp->flags = SMP_F_CONST;
1023 smp->data.type = SMP_T_BIN;
1024 smp->data.u.str.area = capture->ciphersuite;
1025 smp->data.u.str.data = capture->ciphersuite_len;
1026 return 1;
1027}
1028
1029static int
1030smp_fetch_ssl_fc_cl_hex(const struct arg *args, struct sample *smp, const char *kw, void *private)
1031{
1032 struct buffer *data;
1033
1034 if (!smp_fetch_ssl_fc_cl_bin(args, smp, kw, private))
1035 return 0;
1036
1037 data = get_trash_chunk();
1038 dump_binary(data, smp->data.u.str.area, smp->data.u.str.data);
1039 smp->data.type = SMP_T_BIN;
1040 smp->data.u.str = *data;
1041 return 1;
1042}
1043
1044static int
1045smp_fetch_ssl_fc_cl_xxh64(const struct arg *args, struct sample *smp, const char *kw, void *private)
1046{
1047 struct connection *conn;
1048 struct ssl_capture *capture;
1049 SSL *ssl;
1050
1051 conn = objt_conn(smp->sess->origin);
1052 ssl = ssl_sock_get_ssl_object(conn);
1053 if (!ssl)
1054 return 0;
1055
1056 capture = SSL_get_ex_data(ssl, ssl_capture_ptr_index);
1057 if (!capture)
1058 return 0;
1059
1060 smp->data.type = SMP_T_SINT;
1061 smp->data.u.sint = capture->xxh64;
1062 return 1;
1063}
1064
1065static int
1066smp_fetch_ssl_fc_cl_str(const struct arg *args, struct sample *smp, const char *kw, void *private)
1067{
1068#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL)
1069 struct buffer *data;
1070 int i;
1071
1072 if (!smp_fetch_ssl_fc_cl_bin(args, smp, kw, private))
1073 return 0;
1074
1075 data = get_trash_chunk();
1076 for (i = 0; i + 1 < smp->data.u.str.data; i += 2) {
1077 const char *str;
1078 const SSL_CIPHER *cipher;
1079 const unsigned char *bin = (const unsigned char *) smp->data.u.str.area + i;
1080 uint16_t id = (bin[0] << 8) | bin[1];
1081#if defined(OPENSSL_IS_BORINGSSL)
1082 cipher = SSL_get_cipher_by_value(id);
1083#else
1084 struct connection *conn = __objt_conn(smp->sess->origin);
1085 SSL *ssl = ssl_sock_get_ssl_object(conn);
1086 cipher = SSL_CIPHER_find(ssl, bin);
1087#endif
1088 str = SSL_CIPHER_get_name(cipher);
1089 if (!str || strcmp(str, "(NONE)") == 0)
1090 chunk_appendf(data, "%sUNKNOWN(%04x)", i == 0 ? "" : ",", id);
1091 else
1092 chunk_appendf(data, "%s%s", i == 0 ? "" : ",", str);
1093 }
1094 smp->data.type = SMP_T_STR;
1095 smp->data.u.str = *data;
1096 return 1;
1097#else
1098 return smp_fetch_ssl_fc_cl_xxh64(args, smp, kw, private);
1099#endif
1100}
1101
1102#if HA_OPENSSL_VERSION_NUMBER > 0x0090800fL
1103static int
1104smp_fetch_ssl_fc_unique_id(const struct arg *args, struct sample *smp, const char *kw, void *private)
1105{
1106 struct connection *conn;
1107 int finished_len;
1108 struct buffer *finished_trash;
1109 SSL *ssl;
1110
1111 if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
1112 conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
1113 else
1114 conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
1115 smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
1116
1117 smp->flags = 0;
1118 ssl = ssl_sock_get_ssl_object(conn);
1119 if (!ssl)
1120 return 0;
1121
1122 if (conn->flags & CO_FL_WAIT_XPRT) {
1123 smp->flags |= SMP_F_MAY_CHANGE;
1124 return 0;
1125 }
1126
1127 finished_trash = get_trash_chunk();
1128 if (!SSL_session_reused(ssl))
1129 finished_len = SSL_get_peer_finished(ssl,
1130 finished_trash->area,
1131 finished_trash->size);
1132 else
1133 finished_len = SSL_get_finished(ssl,
1134 finished_trash->area,
1135 finished_trash->size);
1136
1137 if (!finished_len)
1138 return 0;
1139
1140 finished_trash->data = finished_len;
1141 smp->data.u.str = *finished_trash;
1142 smp->data.type = SMP_T_BIN;
1143
1144 return 1;
1145}
1146#endif
1147
1148/* integer, returns the first verify error in CA chain of client certificate chain. */
1149static int
1150smp_fetch_ssl_c_ca_err(const struct arg *args, struct sample *smp, const char *kw, void *private)
1151{
1152 struct connection *conn;
1153 struct ssl_sock_ctx *ctx;
1154
1155 conn = objt_conn(smp->sess->origin);
1156 if (!conn || conn->xprt != &ssl_sock)
1157 return 0;
1158 ctx = conn->xprt_ctx;
1159
1160 if (conn->flags & CO_FL_WAIT_XPRT) {
1161 smp->flags = SMP_F_MAY_CHANGE;
1162 return 0;
1163 }
1164
1165 smp->data.type = SMP_T_SINT;
1166 smp->data.u.sint = (unsigned long long int)SSL_SOCK_ST_TO_CA_ERROR(ctx->xprt_st);
1167 smp->flags = 0;
1168
1169 return 1;
1170}
1171
1172/* integer, returns the depth of the first verify error in CA chain of client certificate chain. */
1173static int
1174smp_fetch_ssl_c_ca_err_depth(const struct arg *args, struct sample *smp, const char *kw, void *private)
1175{
1176 struct connection *conn;
1177 struct ssl_sock_ctx *ctx;
1178
1179 conn = objt_conn(smp->sess->origin);
1180 if (!conn || conn->xprt != &ssl_sock)
1181 return 0;
1182
1183 if (conn->flags & CO_FL_WAIT_XPRT) {
1184 smp->flags = SMP_F_MAY_CHANGE;
1185 return 0;
1186 }
1187 ctx = conn->xprt_ctx;
1188
1189 smp->data.type = SMP_T_SINT;
1190 smp->data.u.sint = (long long int)SSL_SOCK_ST_TO_CAEDEPTH(ctx->xprt_st);
1191 smp->flags = 0;
1192
1193 return 1;
1194}
1195
1196/* integer, returns the first verify error on client certificate */
1197static int
1198smp_fetch_ssl_c_err(const struct arg *args, struct sample *smp, const char *kw, void *private)
1199{
1200 struct connection *conn;
1201 struct ssl_sock_ctx *ctx;
1202
1203 conn = objt_conn(smp->sess->origin);
1204 if (!conn || conn->xprt != &ssl_sock)
1205 return 0;
1206
1207 if (conn->flags & CO_FL_WAIT_XPRT) {
1208 smp->flags = SMP_F_MAY_CHANGE;
1209 return 0;
1210 }
1211
1212 ctx = conn->xprt_ctx;
1213
1214 smp->data.type = SMP_T_SINT;
1215 smp->data.u.sint = (long long int)SSL_SOCK_ST_TO_CRTERROR(ctx->xprt_st);
1216 smp->flags = 0;
1217
1218 return 1;
1219}
1220
1221/* integer, returns the verify result on client cert */
1222static int
1223smp_fetch_ssl_c_verify(const struct arg *args, struct sample *smp, const char *kw, void *private)
1224{
1225 struct connection *conn;
1226 SSL *ssl;
1227
1228 conn = objt_conn(smp->sess->origin);
1229 ssl = ssl_sock_get_ssl_object(conn);
1230 if (!ssl)
1231 return 0;
1232
1233 if (conn->flags & CO_FL_WAIT_XPRT) {
1234 smp->flags = SMP_F_MAY_CHANGE;
1235 return 0;
1236 }
1237
1238 smp->data.type = SMP_T_SINT;
1239 smp->data.u.sint = (long long int)SSL_get_verify_result(ssl);
1240 smp->flags = 0;
1241
1242 return 1;
1243}
1244
1245/* Argument validation functions */
1246
1247/* This function is used to validate the arguments passed to any "x_dn" ssl
1248 * keywords. These keywords support specifying a third parameter that must be
1249 * either empty or the value "rfc2253". Returns 0 on error, non-zero if OK.
1250 */
1251int val_dnfmt(struct arg *arg, char **err_msg)
1252{
1253 if (arg && arg[2].type == ARGT_STR && arg[2].data.str.data > 0 && (strcmp(arg[2].data.str.area, "rfc2253") != 0)) {
1254 memprintf(err_msg, "only rfc2253 or a blank value are currently supported as the format argument.");
1255 return 0;
1256 }
1257 return 1;
1258}
1259
1260/* Note: must not be declared <const> as its list will be overwritten.
1261 * Please take care of keeping this list alphabetically sorted.
1262 */
1263static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
1264 { "ssl_bc", smp_fetch_ssl_fc, 0, NULL, SMP_T_BOOL, SMP_USE_L5SRV },
1265 { "ssl_bc_alg_keysize", smp_fetch_ssl_fc_alg_keysize, 0, NULL, SMP_T_SINT, SMP_USE_L5SRV },
1266#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
1267 { "ssl_bc_alpn", smp_fetch_ssl_fc_alpn, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
1268#endif
1269 { "ssl_bc_cipher", smp_fetch_ssl_fc_cipher, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
1270#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
1271 { "ssl_bc_npn", smp_fetch_ssl_fc_npn, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
1272#endif
1273 { "ssl_bc_is_resumed", smp_fetch_ssl_fc_is_resumed, 0, NULL, SMP_T_BOOL, SMP_USE_L5SRV },
1274 { "ssl_bc_protocol", smp_fetch_ssl_fc_protocol, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
1275 { "ssl_bc_unique_id", smp_fetch_ssl_fc_unique_id, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },
1276 { "ssl_bc_use_keysize", smp_fetch_ssl_fc_use_keysize, 0, NULL, SMP_T_SINT, SMP_USE_L5SRV },
1277#if HA_OPENSSL_VERSION_NUMBER > 0x0090800fL
1278 { "ssl_bc_session_id", smp_fetch_ssl_fc_session_id, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },
1279#endif
1280#if HA_OPENSSL_VERSION_NUMBER >= 0x10100000L
1281 { "ssl_bc_client_random", smp_fetch_ssl_fc_random, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },
1282 { "ssl_bc_server_random", smp_fetch_ssl_fc_random, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },
1283 { "ssl_bc_session_key", smp_fetch_ssl_fc_session_key, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },
1284#endif
1285 { "ssl_c_ca_err", smp_fetch_ssl_c_ca_err, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
1286 { "ssl_c_ca_err_depth", smp_fetch_ssl_c_ca_err_depth, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
1287 { "ssl_c_der", smp_fetch_ssl_x_der, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
1288 { "ssl_c_err", smp_fetch_ssl_c_err, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
1289 { "ssl_c_i_dn", smp_fetch_ssl_x_i_dn, ARG3(0,STR,SINT,STR),val_dnfmt, SMP_T_STR, SMP_USE_L5CLI },
1290 { "ssl_c_key_alg", smp_fetch_ssl_x_key_alg, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
1291 { "ssl_c_notafter", smp_fetch_ssl_x_notafter, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
1292 { "ssl_c_notbefore", smp_fetch_ssl_x_notbefore, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
1293 { "ssl_c_sig_alg", smp_fetch_ssl_x_sig_alg, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
1294 { "ssl_c_s_dn", smp_fetch_ssl_x_s_dn, ARG3(0,STR,SINT,STR),val_dnfmt, SMP_T_STR, SMP_USE_L5CLI },
1295 { "ssl_c_serial", smp_fetch_ssl_x_serial, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
1296 { "ssl_c_sha1", smp_fetch_ssl_x_sha1, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
1297 { "ssl_c_used", smp_fetch_ssl_c_used, 0, NULL, SMP_T_BOOL, SMP_USE_L5CLI },
1298 { "ssl_c_verify", smp_fetch_ssl_c_verify, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
1299 { "ssl_c_version", smp_fetch_ssl_x_version, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
1300 { "ssl_f_der", smp_fetch_ssl_x_der, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
1301 { "ssl_f_i_dn", smp_fetch_ssl_x_i_dn, ARG3(0,STR,SINT,STR),val_dnfmt, SMP_T_STR, SMP_USE_L5CLI },
1302 { "ssl_f_key_alg", smp_fetch_ssl_x_key_alg, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
1303 { "ssl_f_notafter", smp_fetch_ssl_x_notafter, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
1304 { "ssl_f_notbefore", smp_fetch_ssl_x_notbefore, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
1305 { "ssl_f_sig_alg", smp_fetch_ssl_x_sig_alg, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
1306 { "ssl_f_s_dn", smp_fetch_ssl_x_s_dn, ARG3(0,STR,SINT,STR),val_dnfmt, SMP_T_STR, SMP_USE_L5CLI },
1307 { "ssl_f_serial", smp_fetch_ssl_x_serial, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
1308 { "ssl_f_sha1", smp_fetch_ssl_x_sha1, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
1309 { "ssl_f_version", smp_fetch_ssl_x_version, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
1310 { "ssl_fc", smp_fetch_ssl_fc, 0, NULL, SMP_T_BOOL, SMP_USE_L5CLI },
1311 { "ssl_fc_alg_keysize", smp_fetch_ssl_fc_alg_keysize, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
1312 { "ssl_fc_cipher", smp_fetch_ssl_fc_cipher, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
1313 { "ssl_fc_has_crt", smp_fetch_ssl_fc_has_crt, 0, NULL, SMP_T_BOOL, SMP_USE_L5CLI },
1314 { "ssl_fc_has_early", smp_fetch_ssl_fc_has_early, 0, NULL, SMP_T_BOOL, SMP_USE_L5CLI },
1315 { "ssl_fc_has_sni", smp_fetch_ssl_fc_has_sni, 0, NULL, SMP_T_BOOL, SMP_USE_L5CLI },
1316 { "ssl_fc_is_resumed", smp_fetch_ssl_fc_is_resumed, 0, NULL, SMP_T_BOOL, SMP_USE_L5CLI },
1317#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
1318 { "ssl_fc_npn", smp_fetch_ssl_fc_npn, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
1319#endif
1320#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
1321 { "ssl_fc_alpn", smp_fetch_ssl_fc_alpn, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
1322#endif
1323 { "ssl_fc_protocol", smp_fetch_ssl_fc_protocol, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
1324#if HA_OPENSSL_VERSION_NUMBER > 0x0090800fL
1325 { "ssl_fc_unique_id", smp_fetch_ssl_fc_unique_id, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
1326#endif
1327 { "ssl_fc_use_keysize", smp_fetch_ssl_fc_use_keysize, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
1328#if HA_OPENSSL_VERSION_NUMBER > 0x0090800fL
1329 { "ssl_fc_session_id", smp_fetch_ssl_fc_session_id, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
1330#endif
1331#if HA_OPENSSL_VERSION_NUMBER >= 0x10100000L
1332 { "ssl_fc_client_random", smp_fetch_ssl_fc_random, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
1333 { "ssl_fc_server_random", smp_fetch_ssl_fc_random, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
1334 { "ssl_fc_session_key", smp_fetch_ssl_fc_session_key, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
1335#endif
1336#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
1337 { "ssl_fc_sni", smp_fetch_ssl_fc_sni, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
1338#endif
1339 { "ssl_fc_cipherlist_bin", smp_fetch_ssl_fc_cl_bin, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
1340 { "ssl_fc_cipherlist_hex", smp_fetch_ssl_fc_cl_hex, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
1341 { "ssl_fc_cipherlist_str", smp_fetch_ssl_fc_cl_str, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
1342 { "ssl_fc_cipherlist_xxh", smp_fetch_ssl_fc_cl_xxh64, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
1343 { NULL, NULL, 0, 0, 0 },
1344}};
1345
1346INITCALL1(STG_REGISTER, sample_register_fetches, &sample_fetch_keywords);
1347
1348/* Note: must not be declared <const> as its list will be overwritten.
1349 * Please take care of keeping this list alphabetically sorted.
1350 */
1351static struct acl_kw_list acl_kws = {ILH, {
1352 { "ssl_fc_sni_end", "ssl_fc_sni", PAT_MATCH_END },
1353 { "ssl_fc_sni_reg", "ssl_fc_sni", PAT_MATCH_REG },
1354 { /* END */ },
1355}};
1356
1357INITCALL1(STG_REGISTER, acl_register_keywords, &acl_kws);