[Openvpn-devel,L] Change in openvpn[master]: Add support for TLV parsing in the PROXY protocol

Message ID 4b41e7fbc7214bc2edc607fad91eb430d960a29f-HTML@gerrit.openvpn.net

Commit Message

ralf_lici (Code Review) July 26, 2024, 8:20 a.m. UTC
Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review.
Please visit

    http://gerrit.openvpn.net/c/openvpn/+/686?usp=email

to review the following change.


Change subject: Add support for TLV parsing in the PROXY protocol
......................................................................

Add support for TLV parsing in the PROXY protocol

Version 2 of the PROXY protocol may append extra data, encoded as a sequence
of Type-Length-Value (TLV) entries, after the address block of the header.
This commit parses those TLVs and either acts on them (CRC32C verification)
or stores the extracted information in the proxy protocol info structure.

Change-Id: Ia593f72f6baa6e16d2fd9b21b383b709682f9499
Signed-off-by: Ralf Lici <ralflici95@gmail.com>
---
M src/openvpn/proxy_protocol.c
M src/openvpn/proxy_protocol.h
2 files changed, 372 insertions(+), 1 deletion(-)



  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/86/686/1

Patch

diff --git a/src/openvpn/proxy_protocol.c b/src/openvpn/proxy_protocol.c
index 10a68c2..7f72313 100644
--- a/src/openvpn/proxy_protocol.c
+++ b/src/openvpn/proxy_protocol.c
@@ -38,6 +38,74 @@ 
     PROXY_PROTOCOL_PARSING_STATE_IGNORE = 1,
 } proxy_protocol_parsing_state_t;
 
+static const uint32_t CRC32C_TABLE[256] =
+{
+    0x00000000L, 0xF26B8303L, 0xE13B70F7L, 0x1350F3F4L,
+    0xC79A971FL, 0x35F1141CL, 0x26A1E7E8L, 0xD4CA64EBL,
+    0x8AD958CFL, 0x78B2DBCCL, 0x6BE22838L, 0x9989AB3BL,
+    0x4D43CFD0L, 0xBF284CD3L, 0xAC78BF27L, 0x5E133C24L,
+    0x105EC76FL, 0xE235446CL, 0xF165B798L, 0x030E349BL,
+    0xD7C45070L, 0x25AFD373L, 0x36FF2087L, 0xC494A384L,
+    0x9A879FA0L, 0x68EC1CA3L, 0x7BBCEF57L, 0x89D76C54L,
+    0x5D1D08BFL, 0xAF768BBCL, 0xBC267848L, 0x4E4DFB4BL,
+    0x20BD8EDEL, 0xD2D60DDDL, 0xC186FE29L, 0x33ED7D2AL,
+    0xE72719C1L, 0x154C9AC2L, 0x061C6936L, 0xF477EA35L,
+    0xAA64D611L, 0x580F5512L, 0x4B5FA6E6L, 0xB93425E5L,
+    0x6DFE410EL, 0x9F95C20DL, 0x8CC531F9L, 0x7EAEB2FAL,
+    0x30E349B1L, 0xC288CAB2L, 0xD1D83946L, 0x23B3BA45L,
+    0xF779DEAEL, 0x05125DADL, 0x1642AE59L, 0xE4292D5AL,
+    0xBA3A117EL, 0x4851927DL, 0x5B016189L, 0xA96AE28AL,
+    0x7DA08661L, 0x8FCB0562L, 0x9C9BF696L, 0x6EF07595L,
+    0x417B1DBCL, 0xB3109EBFL, 0xA0406D4BL, 0x522BEE48L,
+    0x86E18AA3L, 0x748A09A0L, 0x67DAFA54L, 0x95B17957L,
+    0xCBA24573L, 0x39C9C670L, 0x2A993584L, 0xD8F2B687L,
+    0x0C38D26CL, 0xFE53516FL, 0xED03A29BL, 0x1F682198L,
+    0x5125DAD3L, 0xA34E59D0L, 0xB01EAA24L, 0x42752927L,
+    0x96BF4DCCL, 0x64D4CECFL, 0x77843D3BL, 0x85EFBE38L,
+    0xDBFC821CL, 0x2997011FL, 0x3AC7F2EBL, 0xC8AC71E8L,
+    0x1C661503L, 0xEE0D9600L, 0xFD5D65F4L, 0x0F36E6F7L,
+    0x61C69362L, 0x93AD1061L, 0x80FDE395L, 0x72966096L,
+    0xA65C047DL, 0x5437877EL, 0x4767748AL, 0xB50CF789L,
+    0xEB1FCBADL, 0x197448AEL, 0x0A24BB5AL, 0xF84F3859L,
+    0x2C855CB2L, 0xDEEEDFB1L, 0xCDBE2C45L, 0x3FD5AF46L,
+    0x7198540DL, 0x83F3D70EL, 0x90A324FAL, 0x62C8A7F9L,
+    0xB602C312L, 0x44694011L, 0x5739B3E5L, 0xA55230E6L,
+    0xFB410CC2L, 0x092A8FC1L, 0x1A7A7C35L, 0xE811FF36L,
+    0x3CDB9BDDL, 0xCEB018DEL, 0xDDE0EB2AL, 0x2F8B6829L,
+    0x82F63B78L, 0x709DB87BL, 0x63CD4B8FL, 0x91A6C88CL,
+    0x456CAC67L, 0xB7072F64L, 0xA457DC90L, 0x563C5F93L,
+    0x082F63B7L, 0xFA44E0B4L, 0xE9141340L, 0x1B7F9043L,
+    0xCFB5F4A8L, 0x3DDE77ABL, 0x2E8E845FL, 0xDCE5075CL,
+    0x92A8FC17L, 0x60C37F14L, 0x73938CE0L, 0x81F80FE3L,
+    0x55326B08L, 0xA759E80BL, 0xB4091BFFL, 0x466298FCL,
+    0x1871A4D8L, 0xEA1A27DBL, 0xF94AD42FL, 0x0B21572CL,
+    0xDFEB33C7L, 0x2D80B0C4L, 0x3ED04330L, 0xCCBBC033L,
+    0xA24BB5A6L, 0x502036A5L, 0x4370C551L, 0xB11B4652L,
+    0x65D122B9L, 0x97BAA1BAL, 0x84EA524EL, 0x7681D14DL,
+    0x2892ED69L, 0xDAF96E6AL, 0xC9A99D9EL, 0x3BC21E9DL,
+    0xEF087A76L, 0x1D63F975L, 0x0E330A81L, 0xFC588982L,
+    0xB21572C9L, 0x407EF1CAL, 0x532E023EL, 0xA145813DL,
+    0x758FE5D6L, 0x87E466D5L, 0x94B49521L, 0x66DF1622L,
+    0x38CC2A06L, 0xCAA7A905L, 0xD9F75AF1L, 0x2B9CD9F2L,
+    0xFF56BD19L, 0x0D3D3E1AL, 0x1E6DCDEEL, 0xEC064EEDL,
+    0xC38D26C4L, 0x31E6A5C7L, 0x22B65633L, 0xD0DDD530L,
+    0x0417B1DBL, 0xF67C32D8L, 0xE52CC12CL, 0x1747422FL,
+    0x49547E0BL, 0xBB3FFD08L, 0xA86F0EFCL, 0x5A048DFFL,
+    0x8ECEE914L, 0x7CA56A17L, 0x6FF599E3L, 0x9D9E1AE0L,
+    0xD3D3E1ABL, 0x21B862A8L, 0x32E8915CL, 0xC083125FL,
+    0x144976B4L, 0xE622F5B7L, 0xF5720643L, 0x07198540L,
+    0x590AB964L, 0xAB613A67L, 0xB831C993L, 0x4A5A4A90L,
+    0x9E902E7BL, 0x6CFBAD78L, 0x7FAB5E8CL, 0x8DC0DD8FL,
+    0xE330A81AL, 0x115B2B19L, 0x020BD8EDL, 0xF0605BEEL,
+    0x24AA3F05L, 0xD6C1BC06L, 0xC5914FF2L, 0x37FACCF1L,
+    0x69E9F0D5L, 0x9B8273D6L, 0x88D28022L, 0x7AB90321L,
+    0xAE7367CAL, 0x5C18E4C9L, 0x4F48173DL, 0xBD23943EL,
+    0xF36E6F75L, 0x0105EC76L, 0x12551F82L, 0xE03E9C81L,
+    0x34F4F86AL, 0xC69F7B69L, 0xD5CF889DL, 0x27A40B9EL,
+    0x79B737BAL, 0x8BDCB4B9L, 0x988C474DL, 0x6AE7C44EL,
+    0xBE2DA0A5L, 0x4C4623A6L, 0x5F16D052L, 0xAD7D5351L
+};
+
 static const size_t PROXY_PROTOCOL_V2_ADDR_LEN_IPV4 = 12;
 static const size_t PROXY_PROTOCOL_V2_ADDR_LEN_IPV6 = 36;
 static const size_t PROXY_PROTOCOL_V2_ADDR_LEN_UNIX = 216;
@@ -88,6 +156,17 @@ 
     }
 }
 
+uint32_t
+proxy_protocol_crc32c(const uint8_t *data, int len)
+{
+    uint32_t crc = 0xFFFFFFFF;
+    while (len-- > 0)
+    {
+        crc = (crc >> 8) ^ CRC32C_TABLE[(crc ^ (*data++)) & 0xFF];
+    }
+    return (crc ^ 0xFFFFFFFF);
+}
+
 /*
  * Parse a port number from a string.
  *
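Review bot: proxy_protocol_crc32c takes its length as `int`, so a negative value (or one truncated from a wider `size_t`) makes the loop run zero times and the function return 0, which a caller comparing against a wire CRC would then treat as a real checksum; the signature should be `static uint32_t proxy_protocol_crc32c(const uint8_t *data, size_t len)` with the loop written as `for (size_t i = 0; i < len; i++)`. The function is also non-static, and none of the header hunks in this change adds a prototype for it, so either mark it `static` (it is only used from proxy_protocol.c here) or declare it in proxy_protocol.h. I cannot verify the 256 table entries from this page, but the init/final-xor and reflected shift match the usual CRC-32C convention; a one-line comment naming the polynomial (`/* CRC-32C, reflected, poly 0x1EDC6F41 */`) would let the next reader check it against a reference.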
@@ -316,6 +395,231 @@ 
 }
 
 /*
+ * Parse a string based TLV and store the value in 'out'.
+ *
+ * @param ppi - The proxy protocol info structure used for memory allocation.
+ * @param out - The output variable to store the parsed value.
+ * @param type_str - A string representation of the TLV type (for logging).
+ * @param len - The length of the TLV value.
+ * @param value - The TLV value.
+ */
+void
+proxy_protocol_parse_string_tlv(struct proxy_protocol_info *ppi, char **out, char *type_str, const uint16_t len, const uint8_t *value)
+{
+    if (len == 0)
+    {
+        msg(M_NONFATAL, "PROXY protocol v2: %s TLV empty", type_str);
+        return;
+    }
+
+    *out = (char *)gc_malloc(8, false, &ppi->gc);
+    memcpy(*out, value, len);
+    (*out)[len] = '\0';
+
+    if (type_str)
+    {
+        msg(M_DEBUG, "PROXY protocol v2: %s TLV: %s", type_str, *out);
+    }
+}
+
+/*
+ * Parse the CRC32C TLV and check if it matches the calculated CRC32C.
+ * If there's a mismatch the parsing state is set to invalid so that the header
+ * is dropped.
+ *
+ * @param len - The length of the TLV value.
+ * @param value - The TLV value.
+ *
+ * @return - true if the CRC32C value matches the calculated CRC32C.
+ */
+bool
+proxy_protocol_parse_crc32c_tlv(const uint16_t len, const uint8_t *value)
+{
+    if (len != 4)
+    {
+        msg(M_NONFATAL, "PROXY protocol v2: CRC32C TLV invalid length");
+        parsing_state = PROXY_PROTOCOL_PARSING_STATE_INVALID;
+        return false;
+    }
+
+    uint32_t expected_crc32c = ntohl(*(uint32_t *)value);
+
+    /* fill with 0s the crc32 field to calculate the actual crc32 */
+    *(uint32_t *)value = 0;
+    uint32_t calculated_crc32c = proxy_protocol_crc32c((const uint8_t *)&header, header_len);
+
+    if (expected_crc32c != calculated_crc32c)
+    {
+        msg(M_NONFATAL, "PROXY protocol v2: CRC32C mismatch, expected: 0x%08x calculated: 0x%08x. Dropping header", expected_crc32c, calculated_crc32c);
+        parsing_state = PROXY_PROTOCOL_PARSING_STATE_INVALID;
+        return false;
+    }
+    msg(M_DEBUG, "PROXY protocol v2: CRC32C match");
+    return true;
+}
+
+/*
+ * Parse the UNIQUE_ID TLV and store the value in ppi->unique_id
+ * (and ppi->unique_id_len).
+ *
+ * @param ppi - The proxy protocol info structure to store the parsed data.
+ * @param len - The length of the TLV value.
+ * @param value - The TLV value.
+ */
+void
+proxy_protocol_parse_uid_tlv(struct proxy_protocol_info *ppi, const uint16_t len, const uint8_t *value)
+{
+    if (len == 0)
+    {
+        msg(M_NONFATAL, "PROXY protocol v2: UNIQUE_ID TLV empty");
+        return;
+    }
+    else if (len > PROXY_PROTOCOL_V2_TLV_UNIQUE_ID_MAX_LEN)
+    {
+        msg(M_NONFATAL, "PROXY protocol v2: UNIQUE_ID TLV too long");
+        return;
+    }
+
+    ppi->unique_id_len = len;
+    memcpy(ppi->unique_id, value, len);
+    msg(M_DEBUG, "PROXY protocol v2: UNIQUE_ID: %.*s", (int)ppi->unique_id_len, ppi->unique_id);
+}
+
+/*
+ * Parse the SSL TLV and store the value in ppi->ssl_client and ppi->ssl_verify.
+ *
+ * @param ppi - The proxy protocol info structure to store the parsed data.
+ * @param len - The length of the TLV value.
+ * @param value - The TLV value.
+ */
+void
+proxy_protocol_parse_ssl_tlv(struct proxy_protocol_info *ppi, const uint16_t len, const uint8_t *value)
+{
+    const struct proxy_protocol_tlv_ssl *ssl = (const struct proxy_protocol_tlv_ssl *)(value);
+
+    if (!ssl->client)
+    {
+        msg(M_NONFATAL, "PROXY protocol v2: SSL TLV invalid");
+        return;
+    }
+
+    if (ssl->client & PROXY_PROTOCOL_V2_CLIENT_SSL)
+    {
+        msg(M_DEBUG, "PROXY protocol v2: client connected over SSL/TLS");
+    }
+    if (ssl->client & PROXY_PROTOCOL_V2_CLIENT_CERT_CONN)
+    {
+        msg(M_DEBUG, "PROXY protocol v2: client provided a certificate over the current connection");
+    }
+    if (ssl->client & PROXY_PROTOCOL_V2_CLIENT_CERT_SESS)
+    {
+        msg(M_DEBUG, "PROXY protocol v2: client provided a certificate at least once over the TLS session this connection belongs to");
+    }
+
+    msg(M_DEBUG, "PROXY protocol v2: client certificate verification stat: %s", ssl->verify ? "failure" : "success");
+    ppi->ssl_client = ssl->client;
+    ppi->ssl_verify = ssl->verify == 0;
+}
+
+/*
+ * Parse a TLV and store the value in the proxy protocol info structure.
+ *
+ * @param ppi - The proxy protocol info structure to store the parsed data.
+ * @param type - The TLV type.
+ * @param len - The length of the TLV value.
+ * @param value - The TLV value.
+ */
+void
+proxy_protocol_parse_tlv(struct proxy_protocol_info *ppi, const uint8_t type, const uint16_t len, const uint8_t *value)
+{
+    switch (type)
+    {
+        case PROXY_PROTOCOL_TLV_TYPE_ALPN:
+            proxy_protocol_parse_string_tlv(ppi, &ppi->alpn, "ALPN", len, value);
+            break;
+
+        case PROXY_PROTOCOL_TLV_TYPE_AUTHORITY:
+            proxy_protocol_parse_string_tlv(ppi, &ppi->authority, "AUTHORITY", len, value);
+            break;
+
+        case PROXY_PROTOCOL_TLV_TYPE_CRC32C:
+            proxy_protocol_parse_crc32c_tlv(len, value);
+            break;
+
+        case PROXY_PROTOCOL_TLV_TYPE_NOOP:
+            break;
+
+        case PROXY_PROTOCOL_TLV_TYPE_UNIQUE_ID:
+            proxy_protocol_parse_uid_tlv(ppi, len, value);
+            break;
+
+        case PROXY_PROTOCOL_TLV_TYPE_SSL:
+            proxy_protocol_parse_ssl_tlv(ppi, len, value);
+            break;
+
+        case PROXY_PROTOCOL_TLV_SUBTYPE_SSL_VERSION:
+            proxy_protocol_parse_string_tlv(ppi, &ppi->ssl_version, "SSL_VERSION", len, value);
+            break;
+
+        case PROXY_PROTOCOL_TLV_SUBTYPE_SSL_CN:
+            proxy_protocol_parse_string_tlv(ppi, &ppi->ssl_cn, "SSL_CN", len, value);
+            break;
+
+        case PROXY_PROTOCOL_TLV_SUBTYPE_SSL_CIPHER:
+            proxy_protocol_parse_string_tlv(ppi, &ppi->ssl_cipher, "SSL_CIPHER", len, value);
+            break;
+
+        case PROXY_PROTOCOL_TLV_SUBTYPE_SSL_SIG_ALG:
+            proxy_protocol_parse_string_tlv(ppi, &ppi->ssl_sig_alg, "SSL_SIG_ALG", len, value);
+            break;
+
+        case PROXY_PROTOCOL_TLV_SUBTYPE_SSL_KEY_ALG:
+            proxy_protocol_parse_string_tlv(ppi, &ppi->ssl_key_alg, "SSL_KEY_ALG", len, value);
+            break;
+
+        case PROXY_PROTOCOL_TLV_TYPE_NETNS:
+            proxy_protocol_parse_string_tlv(ppi, &ppi->netns, "NETNS", len, value);
+            break;
+
+        default:
+            msg(M_NONFATAL, "PROXY protocol v2: unknown TLV type 0x%02x", type);
+            break;
+    }
+}
+
+/*
+ * Parse the TLVs in the PROXY protocol v2 header.
+ *
+ * @param ppi - The proxy protocol info structure to store the parsed data.
+ * @param buf - The buffer containing the TLVs.
+ * @param buf_len - The length of the buffer.
+ *
+ * @return - The number of bytes parsed or -1 if an error occurred.
+ */
+int
+proxy_protocol_parse_tlvs(struct proxy_protocol_info *ppi, const uint8_t *buf,
+                          const int buf_len)
+{
+    const uint8_t *end = buf + buf_len;
+    const uint8_t *start = buf;
+
+    ppi->gc = gc_new();
+    while (buf < end && parsing_state == PROXY_PROTOCOL_PARSING_STATE_OK)
+    {
+        const struct proxy_protocol_tlv *tlv = (const struct proxy_protocol_tlv *)buf;
+        uint16_t tlv_len = (tlv->length_hi << 8) | tlv->length_lo;
+        if (buf + sizeof(*tlv) + tlv_len > end)
+        {
+            msg(M_NONFATAL, "PROXY protocol v2: TLV length exceeds buffer size");
+            return -1;
+        }
+        proxy_protocol_parse_tlv(ppi, tlv->type, tlv_len, tlv->value);
+        buf += sizeof(*tlv) + tlv_len;
+    }
+    return (int)(buf - start);
+}
+
+/*
  * Parse the PROXY protocol v2 header.
  *
  * @param ppi - The proxy protocol info structure to store the parsed data.
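Review bot: proxy_protocol_parse_string_tlv allocates a fixed 8 bytes (`gc_malloc(8, false, &ppi->gc)`) and then copies `len` bytes plus a terminator into it, so any ALPN/AUTHORITY/SSL_*/NETNS TLV longer than 7 bytes overflows the heap allocation with data chosen by the peer; it must be `*out = (char *)gc_malloc(len + 1, false, &ppi->gc);`. proxy_protocol_parse_ssl_tlv never consults `len` before reading `ssl->client` and `ssl->verify` through the cast, so a TLV shorter than 5 bytes is read past its value; add `if (len < sizeof(*ssl)) { msg(M_NONFATAL, "PROXY protocol v2: SSL TLV too short"); return; }` at the top. In proxy_protocol_parse_tlvs the three TLV header bytes are read before the remaining length is checked, so a trailing 1- or 2-byte fragment is decoded from bytes beyond header_len; test `if (buf + sizeof(*tlv) > end)` first, then the value length. proxy_protocol_parse_crc32c_tlv casts away the `const uint8_t *` qualifier and dereferences a possibly unaligned `uint32_t *`; `memcpy(&expected_crc32c, value, 4)` and a `memset((uint8_t *)value, 0, 4)` on a non-const pointer to the header avoid both the const violation and the misaligned access.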
@@ -435,7 +739,7 @@ 
         {
             if ((header.v2.ver_cmd & PROXY_PROTOCOL_V2_VER_MASK) == PROXY_PROTOCOL_V2_VER)
             {
-                proxy_protocol_parse_v2(ppi);
+                int pos = proxy_protocol_parse_v2(ppi);
                 if (parsing_state == PROXY_PROTOCOL_PARSING_STATE_IGNORE)
                 {
                     msg(M_DEBUG, "PROXY protocol v2: ignoring header");
@@ -445,6 +749,21 @@ 
                 {
                     return false;
                 }
+
+                if (pos < header_len) /* there's extra TLV data to parse */
+                {
+                    pos += proxy_protocol_parse_tlvs(ppi, (uint8_t *)(&header) + pos,
+                                                     header_len - pos);
+                    if (parsing_state == PROXY_PROTOCOL_PARSING_STATE_INVALID)
+                    {
+                        return false;
+                    }
+                    if (pos < header_len)
+                    {
+                        msg(M_NONFATAL, "PROXY protocol v2: could not correclty parse TLV data");
+                    }
+                }
+
                 msg(M_DEBUG, "PROXY protocol v2: header parsed");
                 return true;
             }
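Review bot: A malformed TLV area is still accepted: proxy_protocol_parse_tlvs returns -1 when a TLV length runs past the header, but `pos += proxy_protocol_parse_tlvs(...)` folds that into pos, and the only consequence is the M_NONFATAL message before the function falls through to `return true`. Since a header with inconsistent lengths is untrusted input from the proxy, I would reject it: `int n = proxy_protocol_parse_tlvs(ppi, (uint8_t *)(&header) + pos, header_len - pos);` then `if (n < 0) { return false; }` and `pos += n;` (or have parse_tlvs set PROXY_PROTOCOL_PARSING_STATE_INVALID before returning -1, which the existing check already catches). The log message also has a typo, `correclty` should be `correctly`. The enclosing function starts and ends outside the hunk.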
diff --git a/src/openvpn/proxy_protocol.h b/src/openvpn/proxy_protocol.h
index 8e9af03..a492f85 100644
--- a/src/openvpn/proxy_protocol.h
+++ b/src/openvpn/proxy_protocol.h
@@ -60,6 +60,25 @@ 
 #define PROXY_PROTOCOL_V2_TP_STREAM (0x1 << 0)
 #define PROXY_PROTOCOL_V2_TP_DGRAM  (0x2 << 0)
 
+#define PROXY_PROTOCOL_TLV_TYPE_ALPN            0x01
+#define PROXY_PROTOCOL_TLV_TYPE_AUTHORITY       0x02
+#define PROXY_PROTOCOL_TLV_TYPE_CRC32C          0x03
+#define PROXY_PROTOCOL_TLV_TYPE_NOOP            0x04
+#define PROXY_PROTOCOL_TLV_TYPE_UNIQUE_ID       0x05
+#define PROXY_PROTOCOL_TLV_TYPE_SSL             0x20
+#define PROXY_PROTOCOL_TLV_SUBTYPE_SSL_VERSION  0x21
+#define PROXY_PROTOCOL_TLV_SUBTYPE_SSL_CN       0x22
+#define PROXY_PROTOCOL_TLV_SUBTYPE_SSL_CIPHER   0x23
+#define PROXY_PROTOCOL_TLV_SUBTYPE_SSL_SIG_ALG  0x24
+#define PROXY_PROTOCOL_TLV_SUBTYPE_SSL_KEY_ALG  0x25
+#define PROXY_PROTOCOL_TLV_TYPE_NETNS           0x30
+
+#define PROXY_PROTOCOL_V2_CLIENT_SSL          0x01
+#define PROXY_PROTOCOL_V2_CLIENT_CERT_CONN    0x02
+#define PROXY_PROTOCOL_V2_CLIENT_CERT_SESS    0x04
+
+#define PROXY_PROTOCOL_V2_TLV_UNIQUE_ID_MAX_LEN 128
+
 typedef enum
 {
     PROXY_PROTOCOL_VERSION_INVALID = -1,
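Review bot: The PROXY_PROTOCOL_TLV_SUBTYPE_SSL_* values (0x21–0x25) are defined next to the top-level TLV types with nothing saying how they differ, yet their name says "subtype"; in the HAProxy PROXY protocol text these are, as far as I recall, sub-TLVs carried inside the PP2_TYPE_SSL value after its 5-byte client/verify prefix rather than top-level entries, while proxy_protocol_parse_tlv in this change dispatches on them at top level. A comment above the block such as `/* sub-TLV types nested in the PP2_TYPE_SSL value after struct proxy_protocol_tlv_ssl */` would make the intended layout explicit, and if the nesting is confirmed, proxy_protocol_parse_ssl_tlv should iterate over the bytes following the prefix instead. PROXY_PROTOCOL_V2_TLV_UNIQUE_ID_MAX_LEN is used to bound the copy in proxy_protocol_parse_uid_tlv; a comment noting it is the protocol's maximum UNIQUE_ID size (128 bytes, if that matches the spec you are following) would explain where the number comes from.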
@@ -69,6 +88,22 @@ 
     PROXY_PROTOCOL_VERSION_2,
 } proxy_protocol_version_t;
 
+struct proxy_protocol_tlv
+{
+    uint8_t type;
+    uint8_t length_hi;
+    uint8_t length_lo;
+    uint8_t value[0];
+};
+
+#pragma pack(push, 1)
+struct proxy_protocol_tlv_ssl
+{
+    uint8_t client;
+    uint32_t verify;
+} __attribute__((packed));
+#pragma pack(pop)
+
 /* HAProxy PROXY protocol header */
 typedef union
 {
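Review bot: struct proxy_protocol_tlv uses a zero-length array `uint8_t value[0];`, a GNU extension; since the code is cast onto a byte buffer and never sized, the C99 flexible array member `uint8_t value[];` is the portable form. struct proxy_protocol_tlv_ssl is wrapped in both `#pragma pack(push, 1)` and `__attribute__((packed))`; one of the two is redundant, and the attribute is compiler-specific, so keeping only the pragma (which the struct needs, because the parser reads a 5-byte wire layout through it) is the cleaner choice. The `verify` field is read straight off the wire and only ever compared with zero in the parser, so a comment `/* network byte order; 0 means the proxy verified the client certificate */` would spare the next reader from looking it up, hedged on the spec text you are implementing.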
@@ -115,6 +150,23 @@ 
     int sock_type;
     struct openvpn_sockaddr src;
     struct openvpn_sockaddr dst;
+
+    /* data extracted from TLVs */
+    char *alpn;
+    char *authority;
+
+    uint8_t unique_id[PROXY_PROTOCOL_V2_TLV_UNIQUE_ID_MAX_LEN + 1];
+    uint16_t unique_id_len;
+
+    uint8_t ssl_client;
+    uint32_t ssl_verify;
+    char *ssl_version;
+    char *ssl_cn;
+    char *ssl_cipher;
+    char *ssl_sig_alg;
+    char *ssl_key_alg;
+
+    char *netns;
 };
 
 /*
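Review bot: `ssl_verify` is declared `uint32_t`, but proxy_protocol_parse_ssl_tlv stores `ssl->verify == 0` in it, so it holds a success flag rather than the raw verify word from the wire; either declare it `bool ssl_verify;` or comment it `/* true if the proxy reported successful client certificate verification */` so nobody treats it as the spec field. `unique_id` is sized MAX_LEN + 1 but the parser never writes a terminator and logs it with `%.*s`, so a comment `/* opaque bytes, not NUL-terminated; length in unique_id_len */` (or dropping the +1) prevents a future strlen on it. The `char *` fields are allocated from `ppi->gc`, which proxy_protocol_parse_tlvs creates with gc_new(); the struct should say which gc owns them and when it is freed, since that is not visible in this change.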