Miscellaneous

* Add support for the SSL client certificate TLV
* Add support for the SSL-related TLVs for key exchange group and signature
* Add missing unit tests for some types

Author: kosmas-valianos

examples/client_server.c

@@ -10,6 +10,42 @@
 
 #include "../src/proxy_protocol.h"
 
+/* Self-signed EC (prime256v1) X.509 DER certificate, CN=test */
+static const uint8_t client_cert_der[] = {
+    0x30, 0x82, 0x01, 0x72, 0x30, 0x82, 0x01, 0x19, 0xa0, 0x03, 0x02, 0x01,
+    0x02, 0x02, 0x14, 0x27, 0xd1, 0xb7, 0x26, 0x8d, 0xd6, 0x95, 0x5b, 0xda,
+    0xe3, 0x58, 0x8d, 0x19, 0xbe, 0x88, 0x84, 0x32, 0xcc, 0x62, 0xea, 0x30,
+    0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30,
+    0x0f, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x04,
+    0x74, 0x65, 0x73, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x36, 0x30, 0x33,
+    0x31, 0x31, 0x31, 0x34, 0x34, 0x36, 0x34, 0x39, 0x5a, 0x17, 0x0d, 0x33,
+    0x36, 0x30, 0x33, 0x30, 0x38, 0x31, 0x34, 0x34, 0x36, 0x34, 0x39, 0x5a,
+    0x30, 0x0f, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
+    0x04, 0x74, 0x65, 0x73, 0x74, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a,
+    0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,
+    0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x88, 0x7b, 0xd1, 0x60,
+    0x92, 0x37, 0x00, 0x86, 0x8c, 0x3d, 0x06, 0x42, 0xf4, 0x1b, 0x9f, 0x27,
+    0x9e, 0xca, 0x74, 0xc5, 0xdb, 0xfd, 0x6f, 0x82, 0x39, 0x61, 0x70, 0xb9,
+    0x0b, 0xe8, 0x14, 0x07, 0xc6, 0x30, 0xea, 0xd8, 0xbb, 0x01, 0x05, 0x5f,
+    0x07, 0x6a, 0xe8, 0x1f, 0x2c, 0x4b, 0x43, 0x8f, 0x4d, 0x87, 0xa1, 0xad,
+    0xc6, 0x19, 0x05, 0xae, 0x2b, 0x09, 0x60, 0x55, 0x00, 0x4a, 0xe7, 0xb4,
+    0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04,
+    0x16, 0x04, 0x14, 0xf9, 0x84, 0xb4, 0x02, 0xba, 0x3c, 0xa8, 0xa9, 0x19,
+    0x86, 0x9e, 0x3c, 0xe6, 0x77, 0x79, 0x39, 0x9a, 0x7f, 0x1e, 0x53, 0x30,
+    0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14,
+    0xf9, 0x84, 0xb4, 0x02, 0xba, 0x3c, 0xa8, 0xa9, 0x19, 0x86, 0x9e, 0x3c,
+    0xe6, 0x77, 0x79, 0x39, 0x9a, 0x7f, 0x1e, 0x53, 0x30, 0x0f, 0x06, 0x03,
+    0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01,
+    0xff, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03,
+    0x02, 0x03, 0x47, 0x00, 0x30, 0x44, 0x02, 0x20, 0x2a, 0x7e, 0xf8, 0xf6,
+    0x4c, 0x99, 0x27, 0x70, 0x24, 0x9b, 0x51, 0x8f, 0x29, 0x23, 0x9b, 0x41,
+    0x01, 0x93, 0x0f, 0x77, 0x84, 0xba, 0x08, 0x34, 0xee, 0x23, 0xa6, 0xaf,
+    0xe5, 0xdc, 0x7d, 0xf3, 0x02, 0x20, 0x53, 0xf2, 0x42, 0xd6, 0xab, 0xca,
+    0x9a, 0x66, 0xfe, 0x3e, 0x49, 0x77, 0xf6, 0xe4, 0xea, 0xcb, 0xff, 0xde,
+    0x1e, 0xf7, 0x2b, 0x97, 0x40, 0x99, 0xde, 0x2e, 0x9b, 0x15, 0x5c, 0x87,
+    0xb7, 0x7c
+};
+
 int main(void)
 {
     int32_t error = ERR_NULL;
@@ -84,7 +120,7 @@ int main(void)
     pp_info_in_v2.pp2_info.pp2_ssl_info.cert_verified = 1;
     /* Add SSL TLVs */
     /* IMPORTANT: Always clear the pp_info to be passed in pp_create_hdr() because TLVs are allocated in heap. Otherwise memory will be leaked */
-    if (!pp_info_add_ssl(&pp_info_in_v2, "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", "SHA256", "RSA2048", (const uint8_t*) "example.com", 11))
+    if (!pp_info_add_ssl(&pp_info_in_v2, "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", "SHA256", "RSA2048", "secp256r1", "rsa_pss_rsae_sha256", (const uint8_t*) "example.com", 11, client_cert_der, sizeof(client_cert_der)))
     {
         fprintf(stderr, "pp_info_add_ssl() failed\n");
         pp_info_clear(&pp_info_in_v2);
@@ -120,10 +156,11 @@ int main(void)
     }
     else
     {
-        uint16_t length, cn_length;
+        uint16_t length, cn_length, client_cert_length;
         uint32_t linkid;
         const uint8_t *azure_linkid = pp_info_get_azure_linkid(&pp_info_out, &length);
         const uint8_t *cn = pp_info_get_ssl_cn(&pp_info_out, &cn_length);
+        const uint8_t *client_cert = pp_info_get_ssl_client_cert(&pp_info_out, &client_cert_length);
         memcpy(&linkid, azure_linkid, length);
         printf("%d bytes PROXY protocol header:\n"
                "\tAzure Link ID: %u\n"
@@ -132,7 +169,10 @@ int main(void)
                "\tSSL cipher: %s\n"
                "\tSSL sig_alg: %s\n"
                "\tSSL key_alg: %s\n"
+               "\tSSL group: %s\n"
+               "\tSSL sig_scheme: %s\n"
                "\tSSL CN: %.*s\n"
+               "\tSSL client_cert: %s\n"
                "\t%s %s %hu %hu\n",
             rc, linkid,
             /* In case CRC32c is wrong then rc < 0 => pp_strerror(rc) at previous block will print the error */
@@ -141,7 +181,10 @@ int main(void)
             pp_info_get_ssl_cipher(&pp_info_out, &length),
             pp_info_get_ssl_sig_alg(&pp_info_out, &length),
             pp_info_get_ssl_key_alg(&pp_info_out, &length),
+            pp_info_get_ssl_group(&pp_info_out, &length),
+            pp_info_get_ssl_sig_scheme(&pp_info_out, &length),
             cn_length, cn,
+            client_cert ? "present" : "not present",
             pp_info_out.src_addr, pp_info_out.dst_addr,
             pp_info_out.src_port, pp_info_out.dst_port);
     }

src/proxy_protocol.c

@@ -111,11 +111,14 @@ typedef union
 #define PP2_TYPE_NOOP           0x04
 #define PP2_TYPE_UNIQUE_ID      0x05
 #define PP2_TYPE_SSL            0x20
-#define PP2_SUBTYPE_SSL_VERSION 0x21
-#define PP2_SUBTYPE_SSL_CN      0x22
-#define PP2_SUBTYPE_SSL_CIPHER  0x23
-#define PP2_SUBTYPE_SSL_SIG_ALG 0x24
-#define PP2_SUBTYPE_SSL_KEY_ALG 0x25
+#define PP2_SUBTYPE_SSL_VERSION     0x21
+#define PP2_SUBTYPE_SSL_CN          0x22
+#define PP2_SUBTYPE_SSL_CIPHER      0x23
+#define PP2_SUBTYPE_SSL_SIG_ALG     0x24
+#define PP2_SUBTYPE_SSL_KEY_ALG     0x25
+#define PP2_SUBTYPE_SSL_GROUP       0x26
+#define PP2_SUBTYPE_SSL_SIG_SCHEME  0x27
+#define PP2_SUBTYPE_SSL_CLIENT_CERT 0x28
 #define PP2_TYPE_NETNS          0x30
 /* Custom TLVs */
 #define PP2_TYPE_AWS            0xEA
@@ -318,7 +321,7 @@ static void pp_info_add_subtype_ssl(uint8_t *value, uint16_t *index, uint8_t sub
     *index += length;
 }
 
-uint8_t pp_info_add_ssl(pp_info_t *pp_info, const char *version, const char *cipher, const char *sig_alg, const char *key_alg, const uint8_t *cn, uint16_t cn_value_len)
+uint8_t pp_info_add_ssl(pp_info_t *pp_info, const char *version, const char *cipher, const char *sig_alg, const char *key_alg, const char *group, const char *sig_scheme, const uint8_t *cn, uint16_t cn_value_len, const uint8_t *client_cert, uint16_t client_cert_len)
 {
     const pp2_ssl_info_t *pp2_ssl_info = &pp_info->pp2_info.pp2_ssl_info;
     uint8_t client = pp2_ssl_info->ssl | pp2_ssl_info->cert_in_connection << 1 | pp2_ssl_info->cert_in_connection << 2;
@@ -327,16 +330,46 @@ uint8_t pp_info_add_ssl(pp_info_t *pp_info, const char *version, const char *cip
     size_t cipher_value_len = cipher ? strlen(cipher) : 0;
     size_t sig_alg_value_len = sig_alg ? strlen(sig_alg) : 0;
     size_t key_alg_value_len = key_alg ? strlen(key_alg) : 0;
-    size_t length = sizeof(client) + sizeof(verify)
-        + sizeof_pp2_tlv_t + version_value_len
-        + sizeof_pp2_tlv_t + cipher_value_len
-        + sizeof_pp2_tlv_t + sig_alg_value_len
-        + sizeof_pp2_tlv_t + key_alg_value_len
-        + sizeof_pp2_tlv_t + cn_value_len;
+    size_t group_value_len = group ? strlen(group) : 0;
+    size_t sig_scheme_value_len = sig_scheme ? strlen(sig_scheme) : 0;
+    size_t length = sizeof(client) + sizeof(verify);
     uint16_t index = 0;
     uint8_t *value = NULL;
     uint8_t rc;
 
+    if (version_value_len)
+    {
+        length += sizeof_pp2_tlv_t + version_value_len;
+    }
+    if (cipher_value_len)
+    {
+        length += sizeof_pp2_tlv_t + cipher_value_len;
+    }
+    if (sig_alg_value_len)
+    {
+        length += sizeof_pp2_tlv_t + sig_alg_value_len;
+    }
+    if (key_alg_value_len)
+    {
+        length += sizeof_pp2_tlv_t + key_alg_value_len;
+    }
+    if (group_value_len)
+    {
+        length += sizeof_pp2_tlv_t + group_value_len;
+    }
+    if (sig_scheme_value_len)
+    {
+        length += sizeof_pp2_tlv_t + sig_scheme_value_len;
+    }
+    if (cn_value_len && cn)
+    {
+        length += sizeof_pp2_tlv_t + cn_value_len;
+    }
+    if (client_cert_len && client_cert)
+    {
+        length += sizeof_pp2_tlv_t + client_cert_len;
+    }
+
     if (length > UINT16_MAX)
     {
         return 0;
@@ -350,7 +383,10 @@ uint8_t pp_info_add_ssl(pp_info_t *pp_info, const char *version, const char *cip
     pp_info_add_subtype_ssl(value, &index, PP2_SUBTYPE_SSL_CIPHER, (uint16_t) cipher_value_len, cipher);
     pp_info_add_subtype_ssl(value, &index, PP2_SUBTYPE_SSL_SIG_ALG, (uint16_t) sig_alg_value_len, sig_alg);
     pp_info_add_subtype_ssl(value, &index, PP2_SUBTYPE_SSL_KEY_ALG, (uint16_t) key_alg_value_len, key_alg);
+    pp_info_add_subtype_ssl(value, &index, PP2_SUBTYPE_SSL_GROUP, (uint16_t) group_value_len, group);
+    pp_info_add_subtype_ssl(value, &index, PP2_SUBTYPE_SSL_SIG_SCHEME, (uint16_t) sig_scheme_value_len, sig_scheme);
     pp_info_add_subtype_ssl(value, &index, PP2_SUBTYPE_SSL_CN, cn_value_len, cn);
+    pp_info_add_subtype_ssl(value, &index, PP2_SUBTYPE_SSL_CLIENT_CERT, client_cert_len, client_cert);
     rc = tlv_array_append_tlv_new(&pp_info->pp2_info.tlv_array, PP2_TYPE_SSL, (uint16_t) length, value);
     free(value);
     return rc;
@@ -475,6 +511,21 @@ const uint8_t *pp_info_get_ssl_key_alg(const pp_info_t *pp_info, uint16_t *lengt
     return pp_info_get_tlv_value(pp_info, PP2_SUBTYPE_SSL_KEY_ALG, 0, length);
 }
 
+const uint8_t *pp_info_get_ssl_group(const pp_info_t *pp_info, uint16_t *length)
+{
+    return pp_info_get_tlv_value(pp_info, PP2_SUBTYPE_SSL_GROUP, 0, length);
+}
+
+const uint8_t *pp_info_get_ssl_sig_scheme(const pp_info_t *pp_info, uint16_t *length)
+{
+    return pp_info_get_tlv_value(pp_info, PP2_SUBTYPE_SSL_SIG_SCHEME, 0, length);
+}
+
+const uint8_t *pp_info_get_ssl_client_cert(const pp_info_t *pp_info, uint16_t *length)
+{
+    return pp_info_get_tlv_value(pp_info, PP2_SUBTYPE_SSL_CLIENT_CERT, 0, length);
+}
+
 const uint8_t *pp_info_get_netns(const pp_info_t *pp_info, uint16_t *length)
 {
     return pp_info_get_tlv_value(pp_info, PP2_TYPE_NETNS, 0, length);
@@ -1074,12 +1125,15 @@ static int32_t pp2_parse_hdr(const uint8_t *buffer, uint32_t buffer_length, pp_i
                 case PP2_SUBTYPE_SSL_CIPHER:  /* US-ASCII */
                 case PP2_SUBTYPE_SSL_SIG_ALG: /* US-ASCII */
                 case PP2_SUBTYPE_SSL_KEY_ALG: /* US-ASCII */
+                case PP2_SUBTYPE_SSL_GROUP:   /* US-ASCII */
+                case PP2_SUBTYPE_SSL_SIG_SCHEME: /* US-ASCII */
                     if (!tlv_array_append_tlv_new_usascii(&pp_info->pp2_info.tlv_array, pp2_sub_tlv_ssl->type, pp2_sub_tlv_ssl_len, pp2_sub_tlv_ssl->value))
                     {
                         return -ERR_HEAP_ALLOC;
                     }
                     break;
                 case PP2_SUBTYPE_SSL_CN: /* UTF8 */
+                case PP2_SUBTYPE_SSL_CLIENT_CERT: /* raw binary */
                     if (!tlv_array_append_tlv_new(&pp_info->pp2_info.tlv_array, pp2_sub_tlv_ssl->type, pp2_sub_tlv_ssl_len, pp2_sub_tlv_ssl->value))
                     {
                         return -ERR_HEAP_ALLOC;

src/proxy_protocol.h

@@ -140,7 +140,7 @@ typedef struct
 uint8_t pp_info_add_alpn(pp_info_t *pp_info, uint16_t length, const uint8_t *alpn);
 uint8_t pp_info_add_authority(pp_info_t *pp_info, uint16_t length, const uint8_t *host_name);
 uint8_t pp_info_add_unique_id(pp_info_t *pp_info, uint16_t length, const uint8_t *unique_id);
-uint8_t pp_info_add_ssl(pp_info_t *pp_info, const char *version, const char *cipher, const char *sig_alg, const char *key_alg, const uint8_t *cn, uint16_t cn_len);
+uint8_t pp_info_add_ssl(pp_info_t *pp_info, const char *version, const char *cipher, const char *sig_alg, const char *key_alg, const char *group, const char *sig_scheme, const uint8_t *cn, uint16_t cn_len, const uint8_t *client_cert, uint16_t client_cert_len);
 uint8_t pp_info_add_netns(pp_info_t *pp_info, const char *netns);
 uint8_t pp_info_add_aws_vpce_id(pp_info_t *pp_info, const char *vpce_id);
 uint8_t pp_info_add_azure_linkid(pp_info_t *pp_info, uint32_t linkid);
@@ -161,6 +161,9 @@ const uint8_t *pp_info_get_ssl_cn(const pp_info_t *pp_info, uint16_t *length);
 const uint8_t *pp_info_get_ssl_cipher(const pp_info_t *pp_info, uint16_t *length);
 const uint8_t *pp_info_get_ssl_sig_alg(const pp_info_t *pp_info, uint16_t *length);
 const uint8_t *pp_info_get_ssl_key_alg(const pp_info_t *pp_info, uint16_t *length);
+const uint8_t *pp_info_get_ssl_group(const pp_info_t *pp_info, uint16_t *length);
+const uint8_t *pp_info_get_ssl_sig_scheme(const pp_info_t *pp_info, uint16_t *length);
+const uint8_t *pp_info_get_ssl_client_cert(const pp_info_t *pp_info, uint16_t *length);
 const uint8_t *pp_info_get_netns(const pp_info_t *pp_info, uint16_t *length);
 const uint8_t *pp_info_get_aws_vpce_id(const pp_info_t *pp_info, uint16_t *length);
 const uint8_t *pp_info_get_azure_linkid(const pp_info_t *pp_info, uint16_t *length);