MEDIUM: ssl: capture the supported_versions extension from Client Hello
authorWilliam Lallemand <wlallemand@haproxy.com>
Fri, 23 Aug 2024 15:35:10 +0000 (17:35 +0200)
committerWilliam Lallemand <wlallemand@haproxy.com>
Mon, 26 Aug 2024 13:12:42 +0000 (15:12 +0200)
Activate the capture of the TLS supported_versions extension from the
Client Hello. This list is stored in the ssl_capture buffer when the
global option "tune.ssl.capture-cipherlist-size" is enabled.

include/haproxy/ssl_sock-t.h
src/ssl_sock.c

index a8c37e6bf20e3c5f6922bccedae62285a8e51d83..2716767fbb9a76e41eafc4eba83bbe6172c5b90c 100644 (file)
@@ -219,6 +219,8 @@ struct ssl_capture {
        uint ec_offset;
        uint ec_formats_offset;
        uchar ec_formats_len;
+       uchar supver_len;
+       uint supver_offset;
        char data[VAR_ARRAY];
 };
 
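Review bot: The two new `struct ssl_capture` members have no comment saying what they index, unlike what a reader of the header alone needs to know to use them. From the src/ssl_sock.c side of this commit, `supver_offset` is the byte offset inside `data[]` where the raw supported_versions (extension 43) list was copied and `supver_len` is the number of bytes actually stored, which may be less than the length announced in the Client Hello when the capture buffer is full. I would annotate them as `uchar supver_len;        /* bytes of supported_versions list stored in data[] (may be truncated) */` and `uint supver_offset;      /* offset of that list in data[] */`. The struct definition begins before this hunk, so I cannot tell whether the neighbouring `ec_*` fields carry similar comments.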
index 146388063b910eb8c37472e7d569d05f5d7df36c..e27f13d850239248d49ed4f3af540566d27dfe57 100644 (file)
@@ -1598,6 +1598,8 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
        uchar *extensions_end;
        uchar *ec_start = NULL;
        uchar *ec_formats_start = NULL;
+       uchar *supver_start = NULL;      /* supported_versions */
+       uchar supver_len = 0;            /* supported_versions len */
        uchar *list_end;
        ushort protocol_version;
        ushort extension_id;
@@ -1789,6 +1791,19 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
                        ec_formats_start = msg;
                        ec_formats_len = rec_len;
                        break;
+               case 43:
+                       /* supported_versions(43)
+                        * https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.1 */
+                       if (msg + 1 > list_end)
+                               goto store_capture;
+                       rec_len = msg[0];
+                       msg += 1;
+                       if (msg + rec_len > list_end || msg + rec_len < msg)
+                               goto store_capture;
+                       /* Store location/size of the list */
+                       supver_start = msg;
+                       supver_len = rec_len;
+                       break;
                default:
                        break;
                }
@@ -1813,6 +1828,16 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
                capture->ec_formats_len = rec_len;
                offset += rec_len;
        }
+       if (supver_start) {
+               rec_len = supver_len;
+               if (offset + rec_len > global_ssl.capture_buffer_size)
+                       rec_len = global_ssl.capture_buffer_size - offset;
+               memcpy(capture->data + offset, supver_start, rec_len);
+               capture->supver_offset = offset;
+               capture->supver_len = rec_len;
+               offset += rec_len;
+
+       }
 
  store_capture:
        SSL_set_ex_data(ssl, ssl_capture_ptr_index, capture);
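Review bot: The clamp `rec_len = global_ssl.capture_buffer_size - offset;` can cut the supported_versions list in the middle of a 2-byte ProtocolVersion entry, so `capture->supver_len` may end up odd even though the wire format (RFC 8446 section 4.2.1) only ever carries whole 2-byte entries; the same is true of the announced length itself, since the `case 43:` hunk above accepts any 1-byte length without checking that it is even or non-zero. Either round the stored length down, `rec_len &= ~1;` after the clamp, or document at the `capture->supver_len = rec_len;` line that consumers decoding the list as pairs must bound themselves by `supver_len & ~1`, otherwise a later fetch could read one byte past the stored data. The stray blank line before the closing brace of the `if (supver_start)` block should also go. The enclosing `ssl_sock_parse_clienthello` starts and ends outside this hunk, so I am assuming `offset` cannot exceed `global_ssl.capture_buffer_size` on entry, as the preceding `ec_formats` block appears to guarantee.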