Merge pull request #5 from kosmas-valianos/sslTLVs

Add parsing support for PP2_TYPE_SSL

Author: kosmas-valianos

src/proxy_protocol.c

@@ -135,6 +135,7 @@ static const char *errors[] = {
     "v2 PROXY protocol header: invalid IPv6 dst IP",
     "v2 PROXY protocol header: invalid TLV vector's length",
     "v2 PROXY protocol header: invalid PP2_TYPE_CRC32C",
+    "v2 PROXY protocol header: invalid PP2_TYPE_SSL",
     "v2 PROXY protocol header: invalid PP2_TYPE_UNIQUE_ID",
     "v2 PROXY protocol header: invalid PP2_TYPE_AWS",
     "v2 PROXY protocol header: invalid PP2_TYPE_AZURE",
@@ -153,7 +154,7 @@ static const char *errors[] = {
 
 const char *pp_strerror(int32_t error)
 {
-    if (error < ERR_PP1_DST_PORT || error > ERR_NULL)
+    if (error < ERR_HEAP_ALLOC || error > ERR_NULL)
     {
         return NULL;
     }
@@ -213,6 +214,27 @@ static uint8_t tlv_array_append_tlv(tlv_array_t *tlv_array, tlv_t *tlv)
     return 1;
 }
 
+static uint8_t tlv_array_append_tlv_new(tlv_array_t *tlv_array, uint8_t type, uint16_t length, const void *value)
+{
+    tlv_t *tlv = tlv_new(type, length, value);
+    if (!tlv || !tlv_array_append_tlv(tlv_array, tlv))
+    {
+        return 0;
+    }
+    return 1;
+}
+
+static uint8_t tlv_array_append_tlv_new_usascii(tlv_array_t *tlv_array, uint8_t type, uint16_t length, const void *value)
+{
+    tlv_t *tlv = tlv_new(type, length + 1, value);
+    if (!tlv || !tlv_array_append_tlv(tlv_array, tlv))
+    {
+        return 0;
+    }
+    tlv->value[length] = '\0';
+    return 1;
+}
+
 static void tlv_array_clear(tlv_array_t *tlv_array)
 {
     uint32_t i;
@@ -652,28 +674,14 @@ static int32_t ppv2_parse(uint8_t *pkt, uint32_t pktlen, pp_info_t *pp_info)
 
         switch (pp2_tlv->type)
         {
-        case PP2_TYPE_ALPN:
-        {
-            tlv_t *tlv = tlv_new(pp2_tlv->type, pp2_tlv_len, pp2_tlv->value);
-            if (!tlv || !tlv_array_append_tlv(&pp_info->tlv_array, tlv))
-            {
-                return ERR_HEAP_ALLOC;
-            }
-            break;
-        }
-        case PP2_TYPE_AUTHORITY:
-        case PP2_TYPE_NETNS:
-        {
-            /* +1 to save it as a string */
-            tlv_t *tlv = tlv_new(pp2_tlv->type, pp2_tlv_len + 1, pp2_tlv->value);
-            if (!tlv || !tlv_array_append_tlv(&pp_info->tlv_array, tlv))
+        case PP2_TYPE_ALPN:      /* Byte sequence */
+        case PP2_TYPE_AUTHORITY: /* UTF8 */
+            if (!tlv_array_append_tlv_new(&pp_info->tlv_array, pp2_tlv->type, pp2_tlv_len, pp2_tlv->value))
             {
                 return ERR_HEAP_ALLOC;
             }
-            tlv->value[pp2_tlv_len] = '\0';
             break;
-        }
-        case PP2_TYPE_CRC32C:
+        case PP2_TYPE_CRC32C: /* 32-bit number */
         {
             if (pp2_tlv_len != sizeof(uint32_t))
             {
@@ -694,29 +702,75 @@ static int32_t ppv2_parse(uint8_t *pkt, uint32_t pktlen, pp_info_t *pp_info)
                 return ERR_PP2_TYPE_CRC32C;
             }
 
-            tlv_t *tlv = tlv_new(pp2_tlv->type, pp2_tlv_len, &crc32c_chksum);
-            if (!tlv || !tlv_array_append_tlv(&pp_info->tlv_array, tlv))
+            if (!tlv_array_append_tlv_new(&pp_info->tlv_array, pp2_tlv->type, pp2_tlv_len, &crc32c_chksum))
             {
                 return ERR_HEAP_ALLOC;
             }
             break;
         }
         case PP2_TYPE_NOOP:
             break;
-        case PP2_TYPE_UNIQUE_ID:
-        {
+        case PP2_TYPE_UNIQUE_ID: /* Byte sequence */
             if (pp2_tlv_len > 128)
             {
                 return ERR_PP2_TYPE_UNIQUE_ID;
             }
-            tlv_t *tlv = tlv_new(pp2_tlv->type, pp2_tlv_len, pp2_tlv->value);
-            if (!tlv || !tlv_array_append_tlv(&pp_info->tlv_array, tlv))
+            if (!tlv_array_append_tlv_new(&pp_info->tlv_array, pp2_tlv->type, pp2_tlv_len, pp2_tlv->value))
             {
                 return ERR_HEAP_ALLOC;
             }
             break;
-        }
         case PP2_TYPE_SSL:
+        {
+            pp2_tlv_ssl_t *pp2_tlv_ssl = (pp2_tlv_ssl_t*)pp2_tlv->value;
+            uint16_t pp2_tlvs_ssl_len = pp2_tlv_len - sizeof(pp2_tlv_ssl->client) - sizeof(pp2_tlv_ssl->verify);
+            uint16_t pp2_sub_tlv_offset = 0;
+            while (pp2_tlvs_ssl_len)
+            {
+                if (!(pp2_tlv_ssl->client & PP2_CLIENT_SSL || pp2_tlv_ssl->client & PP2_CLIENT_CERT_CONN || pp2_tlv_ssl->client & PP2_CLIENT_CERT_SESS))
+                {
+                    break;
+                }
+                if (pp2_sub_tlv_offset > pp2_tlvs_ssl_len)
+                {
+                    return ERR_PP2_TYPE_SSL;
+                }
+                pp2_tlv_t *pp2_sub_tlv_ssl = (pp2_tlv_t * )((uint8_t*) pp2_tlv_ssl->sub_tlv + pp2_sub_tlv_offset);
+                uint16_t pp2_sub_tlv_ssl_len = pp2_sub_tlv_ssl->length_hi << 8 | pp2_sub_tlv_ssl->length_lo;
+                switch (pp2_sub_tlv_ssl->type)
+                {
+                case PP2_SUBTYPE_SSL_VERSION: /* US-ASCII */
+                case PP2_SUBTYPE_SSL_CIPHER:  /* US-ASCII */
+                case PP2_SUBTYPE_SSL_SIG_ALG: /* US-ASCII */
+                case PP2_SUBTYPE_SSL_KEY_ALG: /* US-ASCII */
+                {
+                    /* +1 to save it as a string */
+                    if (!tlv_array_append_tlv_new_usascii(&pp_info->tlv_array, pp2_sub_tlv_ssl->type, pp2_sub_tlv_ssl_len, pp2_sub_tlv_ssl->value))
+                    {
+                        return ERR_HEAP_ALLOC;
+                    }
+                    break;
+                }
+                case PP2_SUBTYPE_SSL_CN: /* UTF8 */
+                    if (!tlv_array_append_tlv_new(&pp_info->tlv_array, pp2_sub_tlv_ssl->type, pp2_sub_tlv_ssl_len, pp2_sub_tlv_ssl->value))
+                    {
+                        return ERR_HEAP_ALLOC;
+                    }
+                    break;
+                default:
+                    return ERR_PP2_TYPE_SSL;
+                }
+
+                pp2_tlvs_ssl_len = pp2_tlvs_ssl_len - 3 - pp2_sub_tlv_ssl_len;
+                pp2_sub_tlv_offset += 3 + pp2_sub_tlv_ssl_len;
+            }
+            break;
+        }
+        case PP2_TYPE_NETNS: /* US-ASCII */
+            if (!tlv_array_append_tlv_new_usascii(&pp_info->tlv_array, pp2_tlv->type, pp2_tlv_len, pp2_tlv->value))
+            {
+                return ERR_HEAP_ALLOC;
+            }
             break;
         case PP2_TYPE_AWS:
         {
@@ -726,15 +780,13 @@ static int32_t ppv2_parse(uint8_t *pkt, uint32_t pktlen, pp_info_t *pp_info)
             }
             pp2_tlv_aws_t *pp2_tlv_aws = (pp2_tlv_aws_t *) pp2_tlv->value;
             /* Connection is done through Private Link/Interface VPC endpoint */
-            if (pp2_tlv_aws->type == PP2_SUBTYPE_AWS_VPCE_ID)
+            if (pp2_tlv_aws->type == PP2_SUBTYPE_AWS_VPCE_ID) /* US-ASCII */
             {
-                /* +1 to save it as a string. Example: \x1vpce-08d2bf15fac5001c9 */
-                tlv_t *tlv = tlv_new(pp2_tlv->type, pp2_tlv_len + 1, pp2_tlv->value);
-                if (!tlv || !tlv_array_append_tlv(&pp_info->tlv_array, tlv))
+                /* Example: \x1vpce-08d2bf15fac5001c9 */
+                if (!tlv_array_append_tlv_new_usascii(&pp_info->tlv_array, pp2_tlv->type, pp2_tlv_len, pp2_tlv->value))
                 {
                     return ERR_HEAP_ALLOC;
                 }
-                tlv->value[pp2_tlv_len] = '\0';
             }
             break;
         }
@@ -746,7 +798,7 @@ static int32_t ppv2_parse(uint8_t *pkt, uint32_t pktlen, pp_info_t *pp_info)
             }
             pp2_tlv_azure_t *pp2_tlv_azure = (pp2_tlv_azure_t *) pp2_tlv->value;
             /* Connection is done through Private Link service */
-            if (pp2_tlv_azure->type == PP2_TYPE_AZURE)
+            if (pp2_tlv_azure->type == PP2_TYPE_AZURE) /* 32-bit number */
             {
                 tlv_t *tlv = tlv_new(pp2_tlv->type, pp2_tlv_len, pp2_tlv->value);
                 if (!tlv || !tlv_array_append_tlv(&pp_info->tlv_array, tlv))

src/proxy_protocol.h

@@ -36,20 +36,21 @@ enum
     ERR_PP2_IPV6_DST_IP      = -10,
     ERR_PP2_TLV_LENGTH       = -11,
     ERR_PP2_TYPE_CRC32C      = -12,
-    ERR_PP2_TYPE_UNIQUE_ID   = -13,
-    ERR_PP2_TYPE_AWS         = -14,
-    ERR_PP2_TYPE_AZURE       = -15,
-    ERR_PP1_CRLF             = -16,
-    ERR_PP1_PROXY            = -17,
-    ERR_PP1_SPACE            = -18,
-    ERR_PP1_TRANSPORT_FAMILY = -19,
-    ERR_PP1_IPV4_SRC_IP      = -20,
-    ERR_PP1_IPV4_DST_IP      = -21,
-    ERR_PP1_IPV6_SRC_IP      = -22,
-    ERR_PP1_IPV6_DST_IP      = -23,
-    ERR_PP1_SRC_PORT         = -24,
-    ERR_PP1_DST_PORT         = -25,
-    ERR_HEAP_ALLOC           = -26,
+    ERR_PP2_TYPE_SSL         = -13,
+    ERR_PP2_TYPE_UNIQUE_ID   = -14,
+    ERR_PP2_TYPE_AWS         = -15,
+    ERR_PP2_TYPE_AZURE       = -16,
+    ERR_PP1_CRLF             = -17,
+    ERR_PP1_PROXY            = -18,
+    ERR_PP1_SPACE            = -19,
+    ERR_PP1_TRANSPORT_FAMILY = -20,
+    ERR_PP1_IPV4_SRC_IP      = -21,
+    ERR_PP1_IPV4_DST_IP      = -22,
+    ERR_PP1_IPV6_SRC_IP      = -23,
+    ERR_PP1_IPV6_DST_IP      = -24,
+    ERR_PP1_SRC_PORT         = -25,
+    ERR_PP1_DST_PORT         = -26,
+    ERR_HEAP_ALLOC           = -27,
 };
 
 /* Type-Length-Value (TLV vectors) */
@@ -69,7 +70,7 @@ enum
 #define PP2_TYPE_AWS            0xEA
 #define PP2_TYPE_AZURE          0xEE
 
-/* PP2_TYPE_SSL subtypes */
+/* PP2_TYPE_SSL <client> bit field  */
 #define PP2_CLIENT_SSL           0x01
 #define PP2_CLIENT_CERT_CONN     0x02
 #define PP2_CLIENT_CERT_SESS     0x04