2
* General protocol-agnostic payload-based sample fetches and ACLs
4
* Copyright 2000-2013 Willy Tarreau <w@1wt.eu>
6
* This program is free software; you can redistribute it and/or
7
* modify it under the terms of the GNU General Public License
8
* as published by the Free Software Foundation; either version
9
* 2 of the License, or (at your option) any later version.
16
#include <proto/acl.h>
17
#include <proto/arg.h>
18
#include <proto/channel.h>
19
#include <proto/pattern.h>
20
#include <proto/payload.h>
21
#include <proto/sample.h>
24
/************************************************************************/
25
/* All supported sample fetch functions must be declared here */
26
/************************************************************************/
28
/* wait for more data as long as possible, then return TRUE. This should be
29
* used with content inspection.
32
smp_fetch_wait_end(struct proxy *px, struct session *s, void *l7, unsigned int opt,
33
const struct arg *args, struct sample *smp, const char *kw)
35
if (!(opt & SMP_OPT_FINAL)) {
36
smp->flags |= SMP_F_MAY_CHANGE;
39
smp->type = SMP_T_BOOL;
44
/* return the number of bytes in the request buffer */
46
smp_fetch_len(struct proxy *px, struct session *s, void *l7, unsigned int opt,
47
const struct arg *args, struct sample *smp, const char *kw)
49
struct channel *chn = ((opt & SMP_OPT_DIR) == SMP_OPT_DIR_RES) ? s->rep : s->req;
54
smp->type = SMP_T_UINT;
55
smp->data.uint = chn->buf->i;
56
smp->flags = SMP_F_VOLATILE | SMP_F_MAY_CHANGE;
60
/* returns the type of SSL hello message (mainly used to detect an SSL hello) */
62
smp_fetch_ssl_hello_type(struct proxy *px, struct session *s, void *l7, unsigned int opt,
63
const struct arg *args, struct sample *smp, const char *kw)
68
const unsigned char *data;
73
chn = ((opt & SMP_OPT_DIR) == SMP_OPT_DIR_RES) ? s->rep : s->req;
76
data = (const unsigned char *)chn->buf->p;
81
if ((*data >= 0x14 && *data <= 0x17) || (*data == 0xFF)) {
82
/* SSLv3 header format */
87
if ((data[1] << 16) + data[2] < 0x00030000)
90
/* ssl message len must present handshake type and len */
91
if ((data[3] << 8) + data[4] < 4)
94
/* format introduced with SSLv3 */
96
hs_type = (int)data[5];
97
hs_len = ( data[6] << 16 ) + ( data[7] << 8 ) + data[8];
99
/* not a full handshake */
100
if (bleft < (9 + hs_len))
108
smp->type = SMP_T_UINT;
109
smp->data.uint = hs_type;
110
smp->flags = SMP_F_VOLATILE;
115
smp->flags = SMP_F_MAY_CHANGE;
122
/* Return the version of the SSL protocol in the request. It supports both
123
* SSLv3 (TLSv1) header format for any message, and SSLv2 header format for
124
* the hello message. The SSLv3 format is described in RFC 2246 p49, and the
125
* SSLv2 format is described here, and completed p67 of RFC 2246 :
126
* http://wp.netscape.com/eng/security/SSL_2.html
128
* Note: this decoder only works with non-wrapping data.
131
smp_fetch_req_ssl_ver(struct proxy *px, struct session *s, void *l7, unsigned int opt,
132
const struct arg *args, struct sample *smp, const char *kw)
134
int version, bleft, msg_len;
135
const unsigned char *data;
141
bleft = s->req->buf->i;
145
data = (const unsigned char *)s->req->buf->p;
146
if ((*data >= 0x14 && *data <= 0x17) || (*data == 0xFF)) {
147
/* SSLv3 header format */
151
version = (data[1] << 16) + data[2]; /* version: major, minor */
152
msg_len = (data[3] << 8) + data[4]; /* record length */
154
/* format introduced with SSLv3 */
155
if (version < 0x00030000)
158
/* message length between 1 and 2^14 + 2048 */
159
if (msg_len < 1 || msg_len > ((1<<14) + 2048))
162
bleft -= 5; data += 5;
164
/* SSLv2 header format, only supported for hello (msg type 1) */
165
int rlen, plen, cilen, silen, chlen;
170
/* short header format : 15 bits for length */
171
rlen = ((data[0] & 0x7F) << 8) | data[1];
173
bleft -= 2; data += 2;
177
/* long header format : 14 bits for length + pad length */
178
rlen = ((data[0] & 0x3F) << 8) | data[1];
180
bleft -= 3; data += 2;
189
version = (data[0] << 16) + data[1]; /* version: major, minor */
190
cilen = (data[2] << 8) + data[3]; /* cipher len, multiple of 3 */
191
silen = (data[4] << 8) + data[5]; /* session_id_len: 0 or 16 */
192
chlen = (data[6] << 8) + data[7]; /* 16<=challenge length<=32 */
194
bleft -= 8; data += 8;
197
if (silen && silen != 16)
199
if (chlen < 16 || chlen > 32)
201
if (rlen != 9 + cilen + silen + chlen)
204
/* focus on the remaining data length */
205
msg_len = cilen + silen + chlen + plen;
207
/* We could recursively check that the buffer ends exactly on an SSL
208
* fragment boundary and that a possible next segment is still SSL,
209
* but that's a bit pointless. However, we could still check that
210
* all the part of the request which fits in a buffer is already
213
if (msg_len > buffer_max_len(s->req) + s->req->buf->data - s->req->buf->p)
214
msg_len = buffer_max_len(s->req) + s->req->buf->data - s->req->buf->p;
219
/* OK that's enough. We have at least the whole message, and we have
220
* the protocol version.
222
smp->type = SMP_T_UINT;
223
smp->data.uint = version;
224
smp->flags = SMP_F_VOLATILE;
228
smp->flags = SMP_F_MAY_CHANGE;
233
/* Try to extract the Server Name Indication that may be presented in a TLS
234
* client hello handshake message. The format of the message is the following
235
* (cf RFC5246 + RFC6066) :
237
* - uint8 type = 0x16 (Handshake)
238
* - uint16 version >= 0x0301 (TLSv1)
239
* - uint16 length (frame length)
241
* - uint8 msg_type = 0x01 (ClientHello)
242
* - uint24 length (handshake message length)
244
* - uint16 client_version >= 0x0301 (TLSv1)
245
* - uint8 Random[32] (4 first ones are timestamp)
247
* - uint8 session_id_len (0..32) (SessionID len in bytes)
248
* - uint8 session_id[session_id_len]
250
* - uint16 cipher_len >= 2 (Cipher length in bytes)
251
* - uint16 ciphers[cipher_len/2]
252
* - CompressionMethod :
253
* - uint8 compression_len >= 1 (# of supported methods)
254
* - uint8 compression_methods[compression_len]
255
* - optional client_extension_len (in bytes)
256
* - optional sequence of ClientHelloExtensions (as many bytes as above):
257
* - uint16 extension_type = 0 for server_name
258
* - uint16 extension_len
259
* - opaque extension_data[extension_len]
260
* - uint16 server_name_list_len (# of bytes here)
261
* - opaque server_names[server_name_list_len bytes]
262
* - uint8 name_type = 0 for host_name
264
* - opaque hostname[name_len bytes]
267
smp_fetch_ssl_hello_sni(struct proxy *px, struct session *s, void *l7, unsigned int opt,
268
const struct arg *args, struct sample *smp, const char *kw)
270
int hs_len, ext_len, bleft;
277
chn = ((opt & SMP_OPT_DIR) == SMP_OPT_DIR_RES) ? s->rep : s->req;
280
data = (unsigned char *)chn->buf->p;
282
/* Check for SSL/TLS Handshake */
288
/* Check for SSLv3 or later (SSL version >= 3.0) in the record layer*/
296
hs_len = (data[3] << 8) + data[4];
297
if (hs_len < 1 + 3 + 2 + 32 + 1 + 2 + 2 + 1 + 1 + 2 + 2)
298
goto not_ssl_hello; /* too short to have an extension */
300
data += 5; /* enter TLS handshake */
303
/* Check for a complete client hello starting at <data> */
306
if (data[0] != 0x01) /* msg_type = Client Hello */
309
/* Check the Hello's length */
312
hs_len = (data[1] << 16) + (data[2] << 8) + data[3];
313
if (hs_len < 2 + 32 + 1 + 2 + 2 + 1 + 1 + 2 + 2)
314
goto not_ssl_hello; /* too short to have an extension */
316
/* We want the full handshake here */
321
/* Start of the ClientHello message */
322
if (data[0] < 0x03 || data[1] < 0x01) /* TLSv1 minimum */
325
ext_len = data[34]; /* session_id_len */
326
if (ext_len > 32 || ext_len > (hs_len - 35)) /* check for correct session_id len */
329
/* Jump to cipher suite */
330
hs_len -= 35 + ext_len;
331
data += 35 + ext_len;
333
if (hs_len < 4 || /* minimum one cipher */
334
(ext_len = (data[0] << 8) + data[1]) < 2 || /* minimum 2 bytes for a cipher */
338
/* Jump to the compression methods */
339
hs_len -= 2 + ext_len;
342
if (hs_len < 2 || /* minimum one compression method */
343
data[0] < 1 || data[0] > hs_len) /* minimum 1 bytes for a method */
346
/* Jump to the extensions */
347
hs_len -= 1 + data[0];
350
if (hs_len < 2 || /* minimum one extension list length */
351
(ext_len = (data[0] << 8) + data[1]) > hs_len - 2) /* list too long */
354
hs_len = ext_len; /* limit ourselves to the extension length */
357
while (hs_len >= 4) {
358
int ext_type, name_type, srv_len, name_len;
360
ext_type = (data[0] << 8) + data[1];
361
ext_len = (data[2] << 8) + data[3];
363
if (ext_len > hs_len - 4) /* Extension too long */
366
if (ext_type == 0) { /* Server name */
367
if (ext_len < 2) /* need one list length */
370
srv_len = (data[4] << 8) + data[5];
371
if (srv_len < 4 || srv_len > hs_len - 6)
372
goto not_ssl_hello; /* at least 4 bytes per server name */
375
name_len = (data[7] << 8) + data[8];
377
if (name_type == 0) { /* hostname */
378
smp->type = SMP_T_STR;
379
smp->data.str.str = (char *)data + 9;
380
smp->data.str.len = name_len;
381
smp->flags = SMP_F_VOLATILE | SMP_F_CONST;
386
hs_len -= 4 + ext_len;
389
/* server name not found */
393
smp->flags = SMP_F_MAY_CHANGE;
400
/* Fetch the request RDP cookie identified in <cname>:<clen>, or any cookie if
401
* <clen> is empty (cname is then ignored). It returns the data into sample <smp>
402
* of type SMP_T_CSTR. Note: this decoder only works with non-wrapping data.
405
fetch_rdp_cookie_name(struct session *s, struct sample *smp, const char *cname, int clen)
408
const unsigned char *data;
413
smp->flags = SMP_F_CONST;
414
smp->type = SMP_T_STR;
416
bleft = s->req->buf->i;
420
data = (const unsigned char *)s->req->buf->p + 11;
426
if (strncasecmp((const char *)data, "Cookie:", 7) != 0)
432
while (bleft > 0 && *data == ' ') {
441
if ((data[clen] != '=') ||
442
strncasecmp(cname, (const char *)data, clen) != 0)
448
while (bleft > 0 && *data != '=') {
449
if (*data == '\r' || *data == '\n')
465
/* data points to cookie value */
466
smp->data.str.str = (char *)data;
467
smp->data.str.len = 0;
469
while (bleft > 0 && *data != '\r') {
477
if (data[0] != '\r' || data[1] != '\n')
480
smp->data.str.len = (char *)data - smp->data.str.str;
481
smp->flags = SMP_F_VOLATILE | SMP_F_CONST;
485
smp->flags = SMP_F_MAY_CHANGE | SMP_F_CONST;
490
/* Fetch the request RDP cookie identified in the args, or any cookie if no arg
491
* is passed. It is usable both for ACL and for samples. Note: this decoder
492
* only works with non-wrapping data. Accepts either 0 or 1 argument. Argument
493
* is a string (cookie name), other types will lead to undefined behaviour. The
494
* returned sample has type SMP_T_CSTR.
497
smp_fetch_rdp_cookie(struct proxy *px, struct session *s, void *l7, unsigned int opt,
498
const struct arg *args, struct sample *smp, const char *kw)
500
return fetch_rdp_cookie_name(s, smp, args ? args->data.str.str : NULL, args ? args->data.str.len : 0);
503
/* returns either 1 or 0 depending on whether an RDP cookie is found or not */
505
smp_fetch_rdp_cookie_cnt(struct proxy *px, struct session *s, void *l7, unsigned int opt,
506
const struct arg *args, struct sample *smp, const char *kw)
510
ret = smp_fetch_rdp_cookie(px, s, l7, opt, args, smp, kw);
512
if (smp->flags & SMP_F_MAY_CHANGE)
515
smp->flags = SMP_F_VOLATILE;
516
smp->type = SMP_T_UINT;
517
smp->data.uint = ret;
521
/* extracts part of a payload with offset and length at a given position */
523
smp_fetch_payload_lv(struct proxy *px, struct session *s, void *l7, unsigned int opt,
524
const struct arg *arg_p, struct sample *smp, const char *kw)
526
unsigned int len_offset = arg_p[0].data.uint;
527
unsigned int len_size = arg_p[1].data.uint;
528
unsigned int buf_offset;
529
unsigned int buf_size = 0;
533
/* Format is (len offset, len size, buf offset) or (len offset, len size) */
534
/* by default buf offset == len offset + len size */
535
/* buf offset could be absolute or relative to len offset + len size if prefixed by + or - */
540
chn = ((opt & SMP_OPT_DIR) == SMP_OPT_DIR_RES) ? s->rep : s->req;
545
if (len_offset + len_size > chn->buf->i)
548
for (i = 0; i < len_size; i++) {
549
buf_size = (buf_size << 8) + ((unsigned char *)chn->buf->p)[i + len_offset];
552
/* buf offset may be implicit, absolute or relative */
553
buf_offset = len_offset + len_size;
554
if (arg_p[2].type == ARGT_UINT)
555
buf_offset = arg_p[2].data.uint;
556
else if (arg_p[2].type == ARGT_SINT)
557
buf_offset += arg_p[2].data.sint;
559
if (!buf_size || buf_size > chn->buf->size || buf_offset + buf_size > chn->buf->size) {
560
/* will never match */
565
if (buf_offset + buf_size > chn->buf->i)
568
/* init chunk as read only */
569
smp->type = SMP_T_BIN;
570
smp->flags = SMP_F_VOLATILE | SMP_F_CONST;
571
chunk_initlen(&smp->data.str, chn->buf->p + buf_offset, 0, buf_size);
575
smp->flags = SMP_F_MAY_CHANGE | SMP_F_CONST;
579
/* extracts some payload at a fixed position and length */
581
smp_fetch_payload(struct proxy *px, struct session *s, void *l7, unsigned int opt,
582
const struct arg *arg_p, struct sample *smp, const char *kw)
584
unsigned int buf_offset = arg_p[0].data.uint;
585
unsigned int buf_size = arg_p[1].data.uint;
591
chn = ((opt & SMP_OPT_DIR) == SMP_OPT_DIR_RES) ? s->rep : s->req;
596
if (buf_size > chn->buf->size || buf_offset + buf_size > chn->buf->size) {
597
/* will never match */
602
if (buf_offset + buf_size > chn->buf->i)
605
/* init chunk as read only */
606
smp->type = SMP_T_BIN;
607
smp->flags = SMP_F_VOLATILE | SMP_F_CONST;
608
chunk_initlen(&smp->data.str, chn->buf->p + buf_offset, 0, buf_size ? buf_size : (chn->buf->i - buf_offset));
609
if (!buf_size && !channel_full(chn) && !channel_input_closed(chn))
610
smp->flags |= SMP_F_MAY_CHANGE;
615
smp->flags = SMP_F_MAY_CHANGE | SMP_F_CONST;
619
/* This function is used to validate the arguments passed to a "payload_lv" fetch
620
* keyword. This keyword allows two positive integers and an optional signed one,
621
* with the second one being strictly positive and the third one being greater than
622
* the opposite of the two others if negative. It is assumed that the types are
623
* already the correct ones. Returns 0 on error, non-zero if OK. If <err_msg> is
624
* not NULL, it will be filled with a pointer to an error message in case of
625
* error, that the caller is responsible for freeing. The initial location must
626
* either be freeable or NULL.
628
static int val_payload_lv(struct arg *arg, char **err_msg)
630
if (!arg[1].data.uint) {
631
memprintf(err_msg, "payload length must be > 0");
635
if (arg[2].type == ARGT_SINT &&
636
(int)(arg[0].data.uint + arg[1].data.uint + arg[2].data.sint) < 0) {
637
memprintf(err_msg, "payload offset too negative");
643
/************************************************************************/
644
/* All supported sample and ACL keywords must be declared here. */
645
/************************************************************************/
647
/* Note: must not be declared <const> as its list will be overwritten.
648
* Note: fetches that may return multiple types must be declared as the lowest
649
* common denominator, the type that can be casted into all other ones. For
650
* instance IPv4/IPv6 must be declared IPv4.
652
static struct sample_fetch_kw_list smp_kws = {ILH, {
653
{ "payload", smp_fetch_payload, ARG2(2,UINT,UINT), NULL, SMP_T_BIN, SMP_USE_L6REQ|SMP_USE_L6RES },
654
{ "payload_lv", smp_fetch_payload_lv, ARG3(2,UINT,UINT,SINT), val_payload_lv, SMP_T_BIN, SMP_USE_L6REQ|SMP_USE_L6RES },
655
{ "rdp_cookie", smp_fetch_rdp_cookie, ARG1(0,STR), NULL, SMP_T_STR, SMP_USE_L6REQ },
656
{ "rdp_cookie_cnt", smp_fetch_rdp_cookie_cnt, ARG1(0,STR), NULL, SMP_T_UINT, SMP_USE_L6REQ },
657
{ "rep_ssl_hello_type", smp_fetch_ssl_hello_type, 0, NULL, SMP_T_UINT, SMP_USE_L6RES },
658
{ "req_len", smp_fetch_len, 0, NULL, SMP_T_UINT, SMP_USE_L6REQ },
659
{ "req_ssl_hello_type", smp_fetch_ssl_hello_type, 0, NULL, SMP_T_UINT, SMP_USE_L6REQ },
660
{ "req_ssl_sni", smp_fetch_ssl_hello_sni, 0, NULL, SMP_T_STR, SMP_USE_L6REQ },
661
{ "req_ssl_ver", smp_fetch_req_ssl_ver, 0, NULL, SMP_T_UINT, SMP_USE_L6REQ },
663
{ "req.len", smp_fetch_len, 0, NULL, SMP_T_UINT, SMP_USE_L6REQ },
664
{ "req.payload", smp_fetch_payload, ARG2(2,UINT,UINT), NULL, SMP_T_BIN, SMP_USE_L6REQ },
665
{ "req.payload_lv", smp_fetch_payload_lv, ARG3(2,UINT,UINT,SINT), val_payload_lv, SMP_T_BIN, SMP_USE_L6REQ },
666
{ "req.rdp_cookie", smp_fetch_rdp_cookie, ARG1(0,STR), NULL, SMP_T_STR, SMP_USE_L6REQ },
667
{ "req.rdp_cookie_cnt", smp_fetch_rdp_cookie_cnt, ARG1(0,STR), NULL, SMP_T_UINT, SMP_USE_L6REQ },
668
{ "req.ssl_hello_type", smp_fetch_ssl_hello_type, 0, NULL, SMP_T_UINT, SMP_USE_L6REQ },
669
{ "req.ssl_sni", smp_fetch_ssl_hello_sni, 0, NULL, SMP_T_STR, SMP_USE_L6REQ },
670
{ "req.ssl_ver", smp_fetch_req_ssl_ver, 0, NULL, SMP_T_UINT, SMP_USE_L6REQ },
671
{ "res.len", smp_fetch_len, 0, NULL, SMP_T_UINT, SMP_USE_L6RES },
672
{ "res.payload", smp_fetch_payload, ARG2(2,UINT,UINT), NULL, SMP_T_BIN, SMP_USE_L6RES },
673
{ "res.payload_lv", smp_fetch_payload_lv, ARG3(2,UINT,UINT,SINT), val_payload_lv, SMP_T_BIN, SMP_USE_L6RES },
674
{ "res.ssl_hello_type", smp_fetch_ssl_hello_type, 0, NULL, SMP_T_UINT, SMP_USE_L6RES },
675
{ "wait_end", smp_fetch_wait_end, 0, NULL, SMP_T_BOOL, SMP_USE_INTRN },
680
/* Note: must not be declared <const> as its list will be overwritten.
681
* Please take care of keeping this list alphabetically sorted.
683
static struct acl_kw_list acl_kws = {ILH, {
684
{ "payload", "req.payload", PAT_MATCH_BIN },
685
{ "payload_lv", "req.payload_lv", PAT_MATCH_BIN },
686
{ "req_rdp_cookie", "req.rdp_cookie", PAT_MATCH_STR },
687
{ "req_rdp_cookie_cnt", "req.rdp_cookie_cnt", PAT_MATCH_INT },
688
{ "req_ssl_sni", "req.ssl_sni", PAT_MATCH_STR },
689
{ "req_ssl_ver", "req.ssl_ver", PAT_MATCH_INT, pat_parse_dotted_ver },
690
{ "req.ssl_ver", "req.ssl_ver", PAT_MATCH_INT, pat_parse_dotted_ver },
695
__attribute__((constructor))
696
static void __payload_init(void)
698
sample_register_fetches(&smp_kws);
699
acl_register_keywords(&acl_kws);