MINOR: ssl: Add traces about sigalg extension parsing in clientHello callback
authorRemi Tricot-Le Breton <rlebreton@haproxy.com>
Fri, 18 Apr 2025 15:26:57 +0000 (17:26 +0200)
committerWilliam Lallemand <wlallemand@haproxy.com>
Wed, 30 Apr 2025 09:11:26 +0000 (11:11 +0200)
We had to parse the sigAlg extension by hand in order to properly select
the certificate used by the SSL frontends. These traces make it possible to dump
the sigAlg list that the client advertises in its ClientHello.

include/haproxy/ssl_trace-t.h
src/ssl_clienthello.c
src/ssl_trace.c

index 40026971352faade4d9133ca4e648c5c0641756d..3e8dc1c1a0437c3da04117a6cced44b57c0f0742 100644 (file)
@@ -32,6 +32,7 @@ extern struct trace_source trace_ssl;
 #define SSL_EV_CONN_STAPLING       (1ULL << 11)
 #define SSL_EV_CONN_SWITCHCTX_CB   (1ULL << 12)
 #define SSL_EV_CONN_CHOOSE_SNI_CTX (1ULL << 13)
+#define SSL_EV_CONN_SIGALG_EXT     (1ULL << 14)
 
 #define TRACE_SOURCE &trace_ssl
 
index 6ae090a5c770b3674a4775542a9208527b3fa016..eb8a0ee76ccda9d536392566de785a9081c99978 100644 (file)
@@ -306,6 +306,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
                        TRACE_ERROR("Sigalg parsing error (not even)", SSL_EV_CONN_SWITCHCTX_CB|SSL_EV_CONN_ERR, conn);
                        goto abort;
                }
+               TRACE_DATA("Sigalg extension value", SSL_EV_CONN_SIGALG_EXT, conn, extension_data, &len);
                for (; len > 0; len -= 2) {
                        hash = *extension_data++; /* hash */
                        sign = *extension_data++;
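Review bot: The `&len` passed as the trace's fourth argument on line 29 is read back in ssl_trace() through a hard `*((size_t*)a3)` cast, so the two call sites are silently coupled on `len` being a `size_t`; if it were ever narrowed to `int`/`unsigned`, the handler would read past the object and print a garbage length. The declaration is not visible in this hunk, so this is worth pinning in place with a comment such as `/* a3 must stay a size_t: ssl_trace() dereferences it as such */` next to the TRACE_DATA call. Note also that the dump is placed after the length and parity checks, so only well-formed lists are traced, which matches the commit's stated purpose. The enclosing ssl_sock_switchctx_cbk() starts and ends outside the hunk.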
index a171692e4e80a183cb06f6fd7dd55199a21cb3aa..4cf044380019fdc75748e4d573dc05e473ef0bca 100644 (file)
@@ -40,6 +40,7 @@ static const struct trace_event ssl_trace_events[] = {
        { .mask = SSL_EV_CONN_STAPLING,       .name = "sslc_stapling",       .desc = "SSL OCSP stapling callback"},
        { .mask = SSL_EV_CONN_SWITCHCTX_CB,   .name = "sslc_switchctx_cb",   .desc = "SSL switchctx callback"},
        { .mask = SSL_EV_CONN_CHOOSE_SNI_CTX, .name = "sslc_choose_sni_ctx", .desc = "SSL choose sni context"},
+       { .mask = SSL_EV_CONN_SIGALG_EXT,     .name = "sslc_sigalg_ext",     .desc = "SSL sigalg extension parsing"},
        { }
 };
 
@@ -216,5 +217,35 @@ static void ssl_trace(enum trace_level level, uint64_t mask, const struct trace_
                        chunk_appendf(&trace_buf, " crt=\"%s\"", sni_ctx->ckch_inst->ckch_store->path);
                }
        }
+
+       if (mask & SSL_EV_CONN_SIGALG_EXT && src->verbosity > SSL_VERB_ADVANCED) {
+               if (a2 && a3) {
+                       const uint16_t *extension_data = a2;
+                       size_t extension_len = *((size_t*)a3);
+                       int first = 1;
+
+                       chunk_appendf(&trace_buf, " value=");
+
+                       while (extension_len > 1) {
+                               const char *sigalg_name = sigalg2str(ntohs(*extension_data));
+
+                               if (sigalg_name) {
+                                       chunk_appendf(&trace_buf, "%s%s(0x%02X%02X)", first ? "" : ":", sigalg_name,
+                                                     ((uint8_t*)extension_data)[0],
+                                                     ((uint8_t*)extension_data)[1]);
+                               } else {
+                                       chunk_appendf(&trace_buf, "%s0x%02X%02X",
+                                                     first ? "" : ":",
+                                                     ((uint8_t*)extension_data)[0],
+                                                     ((uint8_t*)extension_data)[1]);
+                               }
+
+                               first = 0;
+
+                               extension_len-=sizeof(*extension_data);
+                               ++extension_data;
+                       }
+               }
+       }
 }
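Review bot: The decoding loop reads the list through `const uint16_t *extension_data` and `ntohs(*extension_data)` (lines 49 and 56), but the producer in ssl_clienthello.c hands over a byte pointer into the ClientHello (it steps it with `*extension_data++`), so the address is in general not 2-byte aligned and the access is an unaligned load on strict-alignment targets and technically a strict-aliasing violation. Both bytes are already fetched individually for the hex output, so the 16-bit value can be assembled from them and `ntohs()` dropped altogether. With a byte pointer the step at lines 71-72 must become `extension_len -= 2; extension_data += 2;`, and the `(uint8_t*)` casts in the two `chunk_appendf()` calls become redundant. The enclosing ssl_trace() starts outside the hunk.
```c
		if (a2 && a3) {
			/* byte pointer: the list is an arbitrary-offset slice of the
			 * ClientHello, so never read it through a uint16_t lvalue */
			const uint8_t *extension_data = a2;
			size_t extension_len = *((size_t*)a3);
			int first = 1;

			chunk_appendf(&trace_buf, " value=");

			while (extension_len > 1) {
				uint16_t sigalg = (uint16_t)((extension_data[0] << 8) | extension_data[1]);
				const char *sigalg_name = sigalg2str(sigalg);

				/* … unchanged: the two chunk_appendf() calls, using
				 * extension_data[0] / extension_data[1] for the hex bytes … */

				first = 0;

				extension_len -= 2;
				extension_data += 2;
			}
		}
```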