@@ -38,6 +38,74 @@
PROXY_PROTOCOL_PARSING_STATE_IGNORE = 1,
} proxy_protocol_parsing_state_t;
+static const uint32_t CRC32C_TABLE[256] =
+{
+ 0x00000000L, 0xF26B8303L, 0xE13B70F7L, 0x1350F3F4L,
+ 0xC79A971FL, 0x35F1141CL, 0x26A1E7E8L, 0xD4CA64EBL,
+ 0x8AD958CFL, 0x78B2DBCCL, 0x6BE22838L, 0x9989AB3BL,
+ 0x4D43CFD0L, 0xBF284CD3L, 0xAC78BF27L, 0x5E133C24L,
+ 0x105EC76FL, 0xE235446CL, 0xF165B798L, 0x030E349BL,
+ 0xD7C45070L, 0x25AFD373L, 0x36FF2087L, 0xC494A384L,
+ 0x9A879FA0L, 0x68EC1CA3L, 0x7BBCEF57L, 0x89D76C54L,
+ 0x5D1D08BFL, 0xAF768BBCL, 0xBC267848L, 0x4E4DFB4BL,
+ 0x20BD8EDEL, 0xD2D60DDDL, 0xC186FE29L, 0x33ED7D2AL,
+ 0xE72719C1L, 0x154C9AC2L, 0x061C6936L, 0xF477EA35L,
+ 0xAA64D611L, 0x580F5512L, 0x4B5FA6E6L, 0xB93425E5L,
+ 0x6DFE410EL, 0x9F95C20DL, 0x8CC531F9L, 0x7EAEB2FAL,
+ 0x30E349B1L, 0xC288CAB2L, 0xD1D83946L, 0x23B3BA45L,
+ 0xF779DEAEL, 0x05125DADL, 0x1642AE59L, 0xE4292D5AL,
+ 0xBA3A117EL, 0x4851927DL, 0x5B016189L, 0xA96AE28AL,
+ 0x7DA08661L, 0x8FCB0562L, 0x9C9BF696L, 0x6EF07595L,
+ 0x417B1DBCL, 0xB3109EBFL, 0xA0406D4BL, 0x522BEE48L,
+ 0x86E18AA3L, 0x748A09A0L, 0x67DAFA54L, 0x95B17957L,
+ 0xCBA24573L, 0x39C9C670L, 0x2A993584L, 0xD8F2B687L,
+ 0x0C38D26CL, 0xFE53516FL, 0xED03A29BL, 0x1F682198L,
+ 0x5125DAD3L, 0xA34E59D0L, 0xB01EAA24L, 0x42752927L,
+ 0x96BF4DCCL, 0x64D4CECFL, 0x77843D3BL, 0x85EFBE38L,
+ 0xDBFC821CL, 0x2997011FL, 0x3AC7F2EBL, 0xC8AC71E8L,
+ 0x1C661503L, 0xEE0D9600L, 0xFD5D65F4L, 0x0F36E6F7L,
+ 0x61C69362L, 0x93AD1061L, 0x80FDE395L, 0x72966096L,
+ 0xA65C047DL, 0x5437877EL, 0x4767748AL, 0xB50CF789L,
+ 0xEB1FCBADL, 0x197448AEL, 0x0A24BB5AL, 0xF84F3859L,
+ 0x2C855CB2L, 0xDEEEDFB1L, 0xCDBE2C45L, 0x3FD5AF46L,
+ 0x7198540DL, 0x83F3D70EL, 0x90A324FAL, 0x62C8A7F9L,
+ 0xB602C312L, 0x44694011L, 0x5739B3E5L, 0xA55230E6L,
+ 0xFB410CC2L, 0x092A8FC1L, 0x1A7A7C35L, 0xE811FF36L,
+ 0x3CDB9BDDL, 0xCEB018DEL, 0xDDE0EB2AL, 0x2F8B6829L,
+ 0x82F63B78L, 0x709DB87BL, 0x63CD4B8FL, 0x91A6C88CL,
+ 0x456CAC67L, 0xB7072F64L, 0xA457DC90L, 0x563C5F93L,
+ 0x082F63B7L, 0xFA44E0B4L, 0xE9141340L, 0x1B7F9043L,
+ 0xCFB5F4A8L, 0x3DDE77ABL, 0x2E8E845FL, 0xDCE5075CL,
+ 0x92A8FC17L, 0x60C37F14L, 0x73938CE0L, 0x81F80FE3L,
+ 0x55326B08L, 0xA759E80BL, 0xB4091BFFL, 0x466298FCL,
+ 0x1871A4D8L, 0xEA1A27DBL, 0xF94AD42FL, 0x0B21572CL,
+ 0xDFEB33C7L, 0x2D80B0C4L, 0x3ED04330L, 0xCCBBC033L,
+ 0xA24BB5A6L, 0x502036A5L, 0x4370C551L, 0xB11B4652L,
+ 0x65D122B9L, 0x97BAA1BAL, 0x84EA524EL, 0x7681D14DL,
+ 0x2892ED69L, 0xDAF96E6AL, 0xC9A99D9EL, 0x3BC21E9DL,
+ 0xEF087A76L, 0x1D63F975L, 0x0E330A81L, 0xFC588982L,
+ 0xB21572C9L, 0x407EF1CAL, 0x532E023EL, 0xA145813DL,
+ 0x758FE5D6L, 0x87E466D5L, 0x94B49521L, 0x66DF1622L,
+ 0x38CC2A06L, 0xCAA7A905L, 0xD9F75AF1L, 0x2B9CD9F2L,
+ 0xFF56BD19L, 0x0D3D3E1AL, 0x1E6DCDEEL, 0xEC064EEDL,
+ 0xC38D26C4L, 0x31E6A5C7L, 0x22B65633L, 0xD0DDD530L,
+ 0x0417B1DBL, 0xF67C32D8L, 0xE52CC12CL, 0x1747422FL,
+ 0x49547E0BL, 0xBB3FFD08L, 0xA86F0EFCL, 0x5A048DFFL,
+ 0x8ECEE914L, 0x7CA56A17L, 0x6FF599E3L, 0x9D9E1AE0L,
+ 0xD3D3E1ABL, 0x21B862A8L, 0x32E8915CL, 0xC083125FL,
+ 0x144976B4L, 0xE622F5B7L, 0xF5720643L, 0x07198540L,
+ 0x590AB964L, 0xAB613A67L, 0xB831C993L, 0x4A5A4A90L,
+ 0x9E902E7BL, 0x6CFBAD78L, 0x7FAB5E8CL, 0x8DC0DD8FL,
+ 0xE330A81AL, 0x115B2B19L, 0x020BD8EDL, 0xF0605BEEL,
+ 0x24AA3F05L, 0xD6C1BC06L, 0xC5914FF2L, 0x37FACCF1L,
+ 0x69E9F0D5L, 0x9B8273D6L, 0x88D28022L, 0x7AB90321L,
+ 0xAE7367CAL, 0x5C18E4C9L, 0x4F48173DL, 0xBD23943EL,
+ 0xF36E6F75L, 0x0105EC76L, 0x12551F82L, 0xE03E9C81L,
+ 0x34F4F86AL, 0xC69F7B69L, 0xD5CF889DL, 0x27A40B9EL,
+ 0x79B737BAL, 0x8BDCB4B9L, 0x988C474DL, 0x6AE7C44EL,
+ 0xBE2DA0A5L, 0x4C4623A6L, 0x5F16D052L, 0xAD7D5351L
+};
+
static const size_t PROXY_PROTOCOL_V2_ADDR_LEN_IPV4 = 12;
static const size_t PROXY_PROTOCOL_V2_ADDR_LEN_IPV6 = 36;
static const size_t PROXY_PROTOCOL_V2_ADDR_LEN_UNIX = 216;
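Review bot: The 256-entry table at the top of the hunk carries no comment saying what it is, so a reader cannot verify it or regenerate it; entry 128 (`0x82F63B78L`) is the reversed CRC-32C polynomial, which identifies it as the byte-wise reflected Castagnoli table. Suggest a header comment above `static const uint32_t CRC32C_TABLE[256]`: `/* Byte-wise lookup table for reflected CRC-32C (Castagnoli, reversed polynomial 0x82F63B78), used to verify the PROXY protocol v2 CRC32C TLV. */`. The `L` suffixes on the initializers are harmless but unnecessary for a `uint32_t` array.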
@@ -88,6 +156,17 @@
}
}
+uint32_t
+proxy_protocol_crc32c(const uint8_t *data, int len)
+{
+ uint32_t crc = 0xFFFFFFFF;
+ while (len-- > 0)
+ {
+ crc = (crc >> 8) ^ CRC32C_TABLE[(crc ^ (*data++)) & 0xFF];
+ }
+ return (crc ^ 0xFFFFFFFF);
+}
+
/*
* Parse a port number from a string.
*
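Review bot: `proxy_protocol_crc32c` takes its length as `int` while the rest of the new code works in `size_t`/`uint16_t`, and a negative value is silently treated as an empty buffer by `len-- > 0`, which hides caller mistakes. Prefer `proxy_protocol_crc32c(const uint8_t *data, size_t len)` with the loop unchanged, provided `header_len` (declared outside this hunk) can be passed without a narrowing warning. The function also lacks the `/* ... @param ... @return */` header that the neighbouring functions in this file carry; a one-line purpose (`reflected CRC-32C over len bytes of data, initial value and final XOR 0xFFFFFFFF`) plus the two parameters and the return value would match the file's style.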
@@ -316,6 +395,231 @@
}
/*
+ * Parse a string based TLV and store the value in 'out'.
+ *
+ * @param ppi - The proxy protocol info structure used for memory allocation.
+ * @param out - The output variable to store the parsed value.
+ * @param type_str - A string representation of the TLV type (for logging).
+ * @param len - The length of the TLV value.
+ * @param value - The TLV value.
+ */
+void
+proxy_protocol_parse_string_tlv(struct proxy_protocol_info *ppi, char **out, char *type_str, const uint16_t len, const uint8_t *value)
+{
+ if (len == 0)
+ {
+ msg(M_NONFATAL, "PROXY protocol v2: %s TLV empty", type_str);
+ return;
+ }
+
+ *out = (char *)gc_malloc(8, false, &ppi->gc);
+ memcpy(*out, value, len);
+ (*out)[len] = '\0';
+
+ if (type_str)
+ {
+ msg(M_DEBUG, "PROXY protocol v2: %s TLV: %s", type_str, *out);
+ }
+}
+
+/*
+ * Parse the CRC32C TLV and check if it matches the calculated CRC32C.
+ * If there's a mismatch the parsing state is set to invalid so that the header
+ * is dropped.
+ *
+ * @param len - The length of the TLV value.
+ * @param value - The TLV value.
+ *
+ * @return - true if the CRC32C value matches the calculated CRC32C.
+ */
+bool
+proxy_protocol_parse_crc32c_tlv(const uint16_t len, const uint8_t *value)
+{
+ if (len != 4)
+ {
+ msg(M_NONFATAL, "PROXY protocol v2: CRC32C TLV invalid length");
+ parsing_state = PROXY_PROTOCOL_PARSING_STATE_INVALID;
+ return false;
+ }
+
+ uint32_t expected_crc32c = ntohl(*(uint32_t *)value);
+
+ /* fill with 0s the crc32 field to calculate the actual crc32 */
+ *(uint32_t *)value = 0;
+ uint32_t calculated_crc32c = proxy_protocol_crc32c((const uint8_t *)&header, header_len);
+
+ if (expected_crc32c != calculated_crc32c)
+ {
+ msg(M_NONFATAL, "PROXY protocol v2: CRC32C mismatch, expected: 0x%08x calculated: 0x%08x. Dropping header", expected_crc32c, calculated_crc32c);
+ parsing_state = PROXY_PROTOCOL_PARSING_STATE_INVALID;
+ return false;
+ }
+ msg(M_DEBUG, "PROXY protocol v2: CRC32C match");
+ return true;
+}
+
+/*
+ * Parse the UNIQUE_ID TLV and store the value in ppi->unique_id
+ * (and ppi->unique_id_len).
+ *
+ * @param ppi - The proxy protocol info structure to store the parsed data.
+ * @param len - The length of the TLV value.
+ * @param value - The TLV value.
+ */
+void
+proxy_protocol_parse_uid_tlv(struct proxy_protocol_info *ppi, const uint16_t len, const uint8_t *value)
+{
+ if (len == 0)
+ {
+ msg(M_NONFATAL, "PROXY protocol v2: UNIQUE_ID TLV empty");
+ return;
+ }
+ else if (len > PROXY_PROTOCOL_V2_TLV_UNIQUE_ID_MAX_LEN)
+ {
+ msg(M_NONFATAL, "PROXY protocol v2: UNIQUE_ID TLV too long");
+ return;
+ }
+
+ ppi->unique_id_len = len;
+ memcpy(ppi->unique_id, value, len);
+ msg(M_DEBUG, "PROXY protocol v2: UNIQUE_ID: %.*s", (int)ppi->unique_id_len, ppi->unique_id);
+}
+
+/*
+ * Parse the SSL TLV and store the value in ppi->ssl_client and ppi->ssl_verify.
+ *
+ * @param ppi - The proxy protocol info structure to store the parsed data.
+ * @param len - The length of the TLV value.
+ * @param value - The TLV value.
+ */
+void
+proxy_protocol_parse_ssl_tlv(struct proxy_protocol_info *ppi, const uint16_t len, const uint8_t *value)
+{
+ const struct proxy_protocol_tlv_ssl *ssl = (const struct proxy_protocol_tlv_ssl *)(value);
+
+ if (!ssl->client)
+ {
+ msg(M_NONFATAL, "PROXY protocol v2: SSL TLV invalid");
+ return;
+ }
+
+ if (ssl->client & PROXY_PROTOCOL_V2_CLIENT_SSL)
+ {
+ msg(M_DEBUG, "PROXY protocol v2: client connected over SSL/TLS");
+ }
+ if (ssl->client & PROXY_PROTOCOL_V2_CLIENT_CERT_CONN)
+ {
+ msg(M_DEBUG, "PROXY protocol v2: client provided a certificate over the current connection");
+ }
+ if (ssl->client & PROXY_PROTOCOL_V2_CLIENT_CERT_SESS)
+ {
+ msg(M_DEBUG, "PROXY protocol v2: client provided a certificate at least once over the TLS session this connection belongs to");
+ }
+
+ msg(M_DEBUG, "PROXY protocol v2: client certificate verification stat: %s", ssl->verify ? "failure" : "success");
+ ppi->ssl_client = ssl->client;
+ ppi->ssl_verify = ssl->verify == 0;
+}
+
+/*
+ * Parse a TLV and store the value in the proxy protocol info structure.
+ *
+ * @param ppi - The proxy protocol info structure to store the parsed data.
+ * @param type - The TLV type.
+ * @param len - The length of the TLV value.
+ * @param value - The TLV value.
+ */
+void
+proxy_protocol_parse_tlv(struct proxy_protocol_info *ppi, const uint8_t type, const uint16_t len, const uint8_t *value)
+{
+ switch (type)
+ {
+ case PROXY_PROTOCOL_TLV_TYPE_ALPN:
+ proxy_protocol_parse_string_tlv(ppi, &ppi->alpn, "ALPN", len, value);
+ break;
+
+ case PROXY_PROTOCOL_TLV_TYPE_AUTHORITY:
+ proxy_protocol_parse_string_tlv(ppi, &ppi->authority, "AUTHORITY", len, value);
+ break;
+
+ case PROXY_PROTOCOL_TLV_TYPE_CRC32C:
+ proxy_protocol_parse_crc32c_tlv(len, value);
+ break;
+
+ case PROXY_PROTOCOL_TLV_TYPE_NOOP:
+ break;
+
+ case PROXY_PROTOCOL_TLV_TYPE_UNIQUE_ID:
+ proxy_protocol_parse_uid_tlv(ppi, len, value);
+ break;
+
+ case PROXY_PROTOCOL_TLV_TYPE_SSL:
+ proxy_protocol_parse_ssl_tlv(ppi, len, value);
+ break;
+
+ case PROXY_PROTOCOL_TLV_SUBTYPE_SSL_VERSION:
+ proxy_protocol_parse_string_tlv(ppi, &ppi->ssl_version, "SSL_VERSION", len, value);
+ break;
+
+ case PROXY_PROTOCOL_TLV_SUBTYPE_SSL_CN:
+ proxy_protocol_parse_string_tlv(ppi, &ppi->ssl_cn, "SSL_CN", len, value);
+ break;
+
+ case PROXY_PROTOCOL_TLV_SUBTYPE_SSL_CIPHER:
+ proxy_protocol_parse_string_tlv(ppi, &ppi->ssl_cipher, "SSL_CIPHER", len, value);
+ break;
+
+ case PROXY_PROTOCOL_TLV_SUBTYPE_SSL_SIG_ALG:
+ proxy_protocol_parse_string_tlv(ppi, &ppi->ssl_sig_alg, "SSL_SIG_ALG", len, value);
+ break;
+
+ case PROXY_PROTOCOL_TLV_SUBTYPE_SSL_KEY_ALG:
+ proxy_protocol_parse_string_tlv(ppi, &ppi->ssl_key_alg, "SSL_KEY_ALG", len, value);
+ break;
+
+ case PROXY_PROTOCOL_TLV_TYPE_NETNS:
+ proxy_protocol_parse_string_tlv(ppi, &ppi->netns, "NETNS", len, value);
+ break;
+
+ default:
+ msg(M_NONFATAL, "PROXY protocol v2: unknown TLV type 0x%02x", type);
+ break;
+ }
+}
+
+/*
+ * Parse the TLVs in the PROXY protocol v2 header.
+ *
+ * @param ppi - The proxy protocol info structure to store the parsed data.
+ * @param buf - The buffer containing the TLVs.
+ * @param buf_len - The length of the buffer.
+ *
+ * @return - The number of bytes parsed or -1 if an error occurred.
+ */
+int
+proxy_protocol_parse_tlvs(struct proxy_protocol_info *ppi, const uint8_t *buf,
+ const int buf_len)
+{
+ const uint8_t *end = buf + buf_len;
+ const uint8_t *start = buf;
+
+ ppi->gc = gc_new();
+ while (buf < end && parsing_state == PROXY_PROTOCOL_PARSING_STATE_OK)
+ {
+ const struct proxy_protocol_tlv *tlv = (const struct proxy_protocol_tlv *)buf;
+ uint16_t tlv_len = (tlv->length_hi << 8) | tlv->length_lo;
+ if (buf + sizeof(*tlv) + tlv_len > end)
+ {
+ msg(M_NONFATAL, "PROXY protocol v2: TLV length exceeds buffer size");
+ return -1;
+ }
+ proxy_protocol_parse_tlv(ppi, tlv->type, tlv_len, tlv->value);
+ buf += sizeof(*tlv) + tlv_len;
+ }
+ return (int)(buf - start);
+}
+
+/*
* Parse the PROXY protocol v2 header.
*
* @param ppi - The proxy protocol info structure to store the parsed data.
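Review bot: `proxy_protocol_parse_string_tlv` allocates a fixed 8 bytes at `*out = (char *)gc_malloc(8, false, &ppi->gc);` and then copies `len` bytes plus a terminator into it, so any string TLV of 8 bytes or more received from the peer overflows the allocation; it should be `*out = (char *)gc_malloc(len + 1, false, &ppi->gc);` (the `if (type_str)` guard on the later msg() is also inconsistent with the unconditional use of `type_str` in the empty-TLV message above it). `proxy_protocol_parse_ssl_tlv` never consults `len` before reading `ssl->client` and `ssl->verify` through the cast, so a short SSL TLV reads past the value; add `if (len < sizeof(*ssl)) { msg(M_NONFATAL, "PROXY protocol v2: SSL TLV too short"); return; }` before the first access — and if, as the `SUBTYPE_SSL_*` naming suggests, the version/CN/cipher entries are carried inside the SSL TLV value rather than at top level, they need their own sub-TLV loop here instead of cases in `proxy_protocol_parse_tlv`. In `proxy_protocol_parse_tlvs` the `length_hi`/`length_lo` bytes are read before the loop has checked that `sizeof(*tlv)` bytes remain, and the bound test `buf + sizeof(*tlv) + tlv_len > end` forms a pointer past `end`; check `if ((size_t)(end - buf) < sizeof(*tlv)) { return -1; }` first and then compare `(size_t)(end - buf) - sizeof(*tlv) < tlv_len`. `proxy_protocol_parse_crc32c_tlv` writes through its `const uint8_t *value` parameter via `*(uint32_t *)value = 0` and reads it with an unaligned `uint32_t` cast; a `memcpy` in each direction avoids both the cast-away-const and the alignment assumption.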
@@ -435,7 +739,7 @@
{
if ((header.v2.ver_cmd & PROXY_PROTOCOL_V2_VER_MASK) == PROXY_PROTOCOL_V2_VER)
{
- proxy_protocol_parse_v2(ppi);
+ int pos = proxy_protocol_parse_v2(ppi);
if (parsing_state == PROXY_PROTOCOL_PARSING_STATE_IGNORE)
{
msg(M_DEBUG, "PROXY protocol v2: ignoring header");
@@ -445,6 +749,21 @@
{
return false;
}
+
+ if (pos < header_len) /* there's extra TLV data to parse */
+ {
+ pos += proxy_protocol_parse_tlvs(ppi, (uint8_t *)(&header) + pos,
+ header_len - pos);
+ if (parsing_state == PROXY_PROTOCOL_PARSING_STATE_INVALID)
+ {
+ return false;
+ }
+ if (pos < header_len)
+ {
+ msg(M_NONFATAL, "PROXY protocol v2: could not correclty parse TLV data");
+ }
+ }
+
msg(M_DEBUG, "PROXY protocol v2: header parsed");
return true;
}
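Review bot: A `-1` returned by `proxy_protocol_parse_tlvs` is added straight into `pos` at `pos += proxy_protocol_parse_tlvs(...)`, so a TLV whose length overruns the header only yields the M_NONFATAL "could not correclty parse" warning (note the typo) and the function still returns true with a partially parsed header; `parsing_state` is not set to INVALID on that path either. If a malformed TLV block should reject the header, as the CRC32C mismatch path does, check the return explicitly: `int parsed = proxy_protocol_parse_tlvs(ppi, (const uint8_t *)(&header) + pos, header_len - pos); if (parsed < 0) { return false; } pos += parsed;`. The enclosing function begins before this hunk.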
@@ -60,6 +60,25 @@
#define PROXY_PROTOCOL_V2_TP_STREAM (0x1 << 0)
#define PROXY_PROTOCOL_V2_TP_DGRAM (0x2 << 0)
+#define PROXY_PROTOCOL_TLV_TYPE_ALPN 0x01
+#define PROXY_PROTOCOL_TLV_TYPE_AUTHORITY 0x02
+#define PROXY_PROTOCOL_TLV_TYPE_CRC32C 0x03
+#define PROXY_PROTOCOL_TLV_TYPE_NOOP 0x04
+#define PROXY_PROTOCOL_TLV_TYPE_UNIQUE_ID 0x05
+#define PROXY_PROTOCOL_TLV_TYPE_SSL 0x20
+#define PROXY_PROTOCOL_TLV_SUBTYPE_SSL_VERSION 0x21
+#define PROXY_PROTOCOL_TLV_SUBTYPE_SSL_CN 0x22
+#define PROXY_PROTOCOL_TLV_SUBTYPE_SSL_CIPHER 0x23
+#define PROXY_PROTOCOL_TLV_SUBTYPE_SSL_SIG_ALG 0x24
+#define PROXY_PROTOCOL_TLV_SUBTYPE_SSL_KEY_ALG 0x25
+#define PROXY_PROTOCOL_TLV_TYPE_NETNS 0x30
+
+#define PROXY_PROTOCOL_V2_CLIENT_SSL 0x01
+#define PROXY_PROTOCOL_V2_CLIENT_CERT_CONN 0x02
+#define PROXY_PROTOCOL_V2_CLIENT_CERT_SESS 0x04
+
+#define PROXY_PROTOCOL_V2_TLV_UNIQUE_ID_MAX_LEN 128
+
typedef enum
{
PROXY_PROTOCOL_VERSION_INVALID = -1,
@@ -69,6 +88,22 @@
PROXY_PROTOCOL_VERSION_2,
} proxy_protocol_version_t;
+struct proxy_protocol_tlv
+{
+ uint8_t type;
+ uint8_t length_hi;
+ uint8_t length_lo;
+ uint8_t value[0];
+};
+
+#pragma pack(push, 1)
+struct proxy_protocol_tlv_ssl
+{
+ uint8_t client;
+ uint32_t verify;
+} __attribute__((packed));
+#pragma pack(pop)
+
/* HAProxy PROXY protocol header */
typedef union
{
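Review bot: `uint8_t value[0];` in `struct proxy_protocol_tlv` is a GNU zero-length array; C99's flexible array member `uint8_t value[];` expresses the same trailing-data layout portably and keeps `sizeof(*tlv)` at 3, which the parser in the .c hunk relies on. `struct proxy_protocol_tlv_ssl` is packed twice, via `#pragma pack(push, 1)` and `__attribute__((packed))`; one mechanism is enough, and since the packing is what makes the unaligned `verify` member readable through the cast in the .c hunk, a comment such as `/* on-wire layout of the SSL TLV value: 1-byte client flags followed by a 4-byte verify field */` would record why it is there. The `typedef union` opened at the end of the hunk continues outside it.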
@@ -115,6 +150,23 @@
int sock_type;
struct openvpn_sockaddr src;
struct openvpn_sockaddr dst;
+
+ /* data extracted from TLVs */
+ char *alpn;
+ char *authority;
+
+ uint8_t unique_id[PROXY_PROTOCOL_V2_TLV_UNIQUE_ID_MAX_LEN + 1];
+ uint16_t unique_id_len;
+
+ uint8_t ssl_client;
+ uint32_t ssl_verify;
+ char *ssl_version;
+ char *ssl_cn;
+ char *ssl_cipher;
+ char *ssl_sig_alg;
+ char *ssl_key_alg;
+
+ char *netns;
};
/*
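Review bot: `uint32_t ssl_verify;` receives the boolean expression `ssl->verify == 0` in the .c hunk, so the field holds a 0/1 success flag rather than the raw wire `verify` value its type and name suggest; either declare it `bool ssl_verify;` with a comment `/* true when the proxy reported client certificate verification success (wire verify == 0) */`, or store the raw value and leave the comparison to readers. The new `alpn`/`authority`/`ssl_*`/`netns` strings are allocated from `ppi->gc` in the .c hunk but no `gc` member is added here, so it is presumably already part of the struct; a comment on this block stating that these pointers are owned by `ppi->gc` and are only set when the corresponding TLV was present would document the lifetime. The struct's header is outside the hunk.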
Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/686?usp=email to review the following change. Change subject: Add support for TLV parsing in the PROXY protocol ...................................................................... Add support for TLV parsing in the PROXY protocol Version 2 of the PROXY protocol appends extra data in Type-Length-Value vector format at the end of the header. This commit parses and processes or stores the additional information extracted from TLVs. Change-Id: Ia593f72f6baa6e16d2fd9b21b383b709682f9499 Signed-off-by: Ralf Lici <ralflici95@gmail.com> --- M src/openvpn/proxy_protocol.c M src/openvpn/proxy_protocol.h 2 files changed, 372 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/86/686/1