MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize'

Some front connection fetches :
- ssl_fc_protocol = protocol name (string)
- ssl_fc_cipher = cipher name (string)
- ssl_fc_use_keysize = symmetric cipher key size used in bits (integer)
- ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)

doc/configuration.txt

@@ -8384,6 +8384,14 @@ ssl_fc
   layer and is locally deciphered. This means it has matched a socket declared
   with a "bind" line having the "ssl" option.
 
+ssl_fc_alg_keysize <integer>
+  Returns true when the incoming connection was made over an SSL/TLS transport
+  layer and the symmetric cipher key size supported in bits matches the value.
+
+ssl_fc_cipher <string>
+  returns true when the incoming connection was made over an ssl/tls transport
+  layer and the name of the used cipher matches the string.
+
 ssl_fc_has_crt
   Returns true if a client certificate is present in an incoming connection over
   SSL/TLS transport layer. Useful if 'verify' statement is set to 'optional'.
@@ -8404,6 +8412,10 @@ ssl_fc_npn <string>
   the "bind" line specifies a protocol list. Also, nothing forces the client to
   pick a protocol from this list, any other one may be requested.
 
+ssl_fc_protocol <string>
+  Returns true when the incoming connection was made over an SSL/TLS transport
+  layer and the name of the used protocol matches the string.
+
 ssl_fc_sni <string>
   Returns true when the incoming connection was made over an SSL/TLS transport
   layer which deciphered it and found a Server Name Indication TLS extension
@@ -8435,6 +8447,10 @@ ssl_fc_sni_reg <regex>
   requires that the SSL library is build with support for TLS extensions
   enabled (check haproxy -vv).
 
+ssl_fc_use_keysize <integer>
+  Returns true when the incoming connection was made over an SSL/TLS transport
+  layer and the symmetric cipher key size used in bits matches the value.
+
 wait_end
   Waits for the end of the analysis period to return true. This may be used in
   conjunction with content analysis to avoid returning a wrong verdict early.
@@ -9048,6 +9064,14 @@ The list of currently supported pattern fetch functions is the following :
                and returns 1 if it was made via an SSL/TLS transport layer,
                otherwise zero.
 
+  ssl_fc_alg_keysize
+               Returns the symmetric cipher key size support d in bits when the
+               incoming connection was made over an SSL/TLS transport layer.
+
+  ssl_fc_cipher
+               Returns the name of the used cipher when the incoming connection
+               was made over an SSL/TLS transport layer.
+
   ssl_fc_has_crt
                Returns 1 if a client certificate is present in the front
                connection over SSL/TLS transport layer, otherwise 0.
@@ -9066,6 +9090,10 @@ The list of currently supported pattern fetch functions is the following :
                have been built with support for TLS extensions enabled (check
                haproxy -vv). See also the "npn" bind keyword.
 
+  ssl_fc_protocol
+               Returns the name of the used protocol when the incoming connection
+               was made over an SSL/TLS transport layer.
+
   ssl_fc_sni   This extracts the Server Name Indication field from an incoming
                connection made via an SSL/TLS transport layer and locally
                deciphered by haproxy. The result typically is a string matching
@@ -9073,6 +9101,10 @@ The list of currently supported pattern fetch functions is the following :
                have been built with support for TLS extensions enabled (check
                haproxy -vv).
 
+  ssl_fc_use_keysize
+               Returns the symmetric cipher key size used in bits when the
+               incoming connection was made over an SSL/TLS transport layer.
+
   url          This extracts the request's URL as presented in the request. A
                typical use is with prefetch-capable caches, and with portals
                which need to aggregate multiple information from databases and

src/ssl_sock.c

@@ -1144,6 +1144,60 @@ smp_fetch_ssl_fc_has_sni(struct proxy *px, struct session *l4, void *l7, unsigne
 #endif
 }
 
+static int
+smp_fetch_ssl_fc_cipher(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+                        const struct arg *args, struct sample *smp)
+{
+	smp->flags = 0;
+
+	if (!l4 || !l4->si[0].conn.xprt_ctx || l4->si[0].conn.xprt != &ssl_sock)
+		return 0;
+
+	smp->data.str.str = (char *)SSL_get_cipher_name(l4->si[0].conn.xprt_ctx);
+	if (!smp->data.str.str)
+		return 0;
+
+	smp->type = SMP_T_CSTR;
+	smp->data.str.len = strlen(smp->data.str.str);
+
+	return 1;
+}
+
+static int
+smp_fetch_ssl_fc_alg_keysize(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+                             const struct arg *args, struct sample *smp)
+{
+	smp->flags = 0;
+
+	if (!l4 || !l4->si[0].conn.xprt_ctx || l4->si[0].conn.xprt != &ssl_sock)
+		return 0;
+
+	if (!SSL_get_cipher_bits(l4->si[0].conn.xprt_ctx, (int *)&smp->data.uint))
+		return 0;
+
+	smp->type = SMP_T_UINT;
+
+	return 1;
+}
+
+static int
+smp_fetch_ssl_fc_use_keysize(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+                             const struct arg *args, struct sample *smp)
+{
+	smp->flags = 0;
+
+	if (!l4 || !l4->si[0].conn.xprt_ctx || l4->si[0].conn.xprt != &ssl_sock)
+		return 0;
+
+	smp->data.uint = (unsigned int)SSL_get_cipher_bits(l4->si[0].conn.xprt_ctx, NULL);
+	if (!smp->data.uint)
+		return 0;
+
+	smp->type = SMP_T_UINT;
+
+	return 1;
+}
+
 #ifdef OPENSSL_NPN_NEGOTIATED
 static int
 smp_fetch_ssl_fc_npn(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
@@ -1166,6 +1220,25 @@ smp_fetch_ssl_fc_npn(struct proxy *px, struct session *l4, void *l7, unsigned in
 }
 #endif
 
+static int
+smp_fetch_ssl_fc_protocol(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+                          const struct arg *args, struct sample *smp)
+{
+	smp->flags = 0;
+
+	if (!l4 || !l4->si[0].conn.xprt_ctx || l4->si[0].conn.xprt != &ssl_sock)
+		return 0;
+
+	smp->data.str.str = (char *)SSL_get_version(l4->si[0].conn.xprt_ctx);
+	if (!smp->data.str.str)
+		return 0;
+
+	smp->type = SMP_T_CSTR;
+	smp->data.str.len = strlen(smp->data.str.str);
+
+	return 1;
+}
+
 static int
 smp_fetch_ssl_fc_sni(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
                      const struct arg *args, struct sample *smp)
@@ -1760,11 +1833,15 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {{ },{
 	{ "ssl_c_err",              smp_fetch_ssl_c_err,          0,    NULL,    SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
 	{ "ssl_c_verify",           smp_fetch_ssl_c_verify,       0,    NULL,    SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
 	{ "ssl_fc",                 smp_fetch_ssl_fc,             0,    NULL,    SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
+	{ "ssl_fc_alg_keysize",     smp_fetch_ssl_fc_alg_keysize, 0,    NULL,    SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
+	{ "ssl_fc_cipher",          smp_fetch_ssl_fc_cipher,      0,    NULL,    SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
 	{ "ssl_fc_has_crt",         smp_fetch_ssl_fc_has_crt,     0,    NULL,    SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
 	{ "ssl_fc_has_sni",         smp_fetch_ssl_fc_has_sni,     0,    NULL,    SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
 #ifdef OPENSSL_NPN_NEGOTIATED
 	{ "ssl_fc_npn",             smp_fetch_ssl_fc_npn,         0,    NULL,    SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
 #endif
+	{ "ssl_fc_protocol",        smp_fetch_ssl_fc_protocol,    0,    NULL,    SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
+	{ "ssl_fc_use_keysize",     smp_fetch_ssl_fc_use_keysize, 0,    NULL,    SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
 	{ "ssl_fc_sni",             smp_fetch_ssl_fc_sni,         0,    NULL,    SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
 	{ NULL, NULL, 0, 0, 0 },
 }};
@@ -1778,11 +1855,15 @@ static struct acl_kw_list acl_kws = {{ },{
 	{ "ssl_c_err",              acl_parse_int, smp_fetch_ssl_c_err,          acl_match_int,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 	{ "ssl_c_verify",           acl_parse_int, smp_fetch_ssl_c_verify,       acl_match_int,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 	{ "ssl_fc",                 acl_parse_int, smp_fetch_ssl_fc,             acl_match_nothing, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+	{ "ssl_fc_alg_keysize",     acl_parse_str, smp_fetch_ssl_fc_alg_keysize, acl_match_int,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+	{ "ssl_fc_cipher",          acl_parse_str, smp_fetch_ssl_fc_cipher,      acl_match_str,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 	{ "ssl_fc_has_crt",         acl_parse_int, smp_fetch_ssl_fc_has_crt,     acl_match_nothing, ACL_USE_L6REQ_PERMANENT, 0 },
 	{ "ssl_fc_has_sni",         acl_parse_int, smp_fetch_ssl_fc_has_sni,     acl_match_nothing, ACL_USE_L6REQ_PERMANENT, 0 },
 #ifdef OPENSSL_NPN_NEGOTIATED
 	{ "ssl_fc_npn",             acl_parse_str, smp_fetch_ssl_fc_npn,         acl_match_str,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 #endif
+	{ "ssl_fc_protocol",        acl_parse_str, smp_fetch_ssl_fc_protocol,    acl_match_str,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+	{ "ssl_fc_use_keysize",     acl_parse_str, smp_fetch_ssl_fc_use_keysize, acl_match_int,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 	{ "ssl_fc_sni",             acl_parse_str, smp_fetch_ssl_fc_sni,         acl_match_str,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 	{ "ssl_fc_sni_end",         acl_parse_str, smp_fetch_ssl_fc_sni,         acl_match_end,     ACL_USE_L6REQ_PERMANENT, 0 },
 	{ "ssl_fc_sni_reg",         acl_parse_reg, smp_fetch_ssl_fc_sni,         acl_match_reg,     ACL_USE_L6REQ_PERMANENT, 0 },