From: Remi Tricot-Le Breton
Date: Fri, 18 Apr 2025 15:26:57 +0000 (+0200)
Subject: MINOR: ssl: Add traces about sigalg extension parsing in clientHello callback
X-Git-Tag: v3.2-dev13~23
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6519cec2ed25d5e7dfa5f97bfd5528d2ae552472;p=thirdparty%2Fhaproxy.git
MINOR: ssl: Add traces about sigalg extension parsing in clientHello callback
We had to parse the sigAlg extension by hand in order to properly select the certificate used by the SSL frontends. These traces allow to dump the allowed sigAlg list sent by the client in its clientHello.
---
diff --git a/include/haproxy/ssl_trace-t.h b/include/haproxy/ssl_trace-t.h
index 400269713..3e8dc1c1a 100644
--- a/include/haproxy/ssl_trace-t.h
+++ b/include/haproxy/ssl_trace-t.h
@@ -32,6 +32,7 @@ extern struct trace_source trace_ssl;
 #define SSL_EV_CONN_STAPLING (1ULL << 11)
 #define SSL_EV_CONN_SWITCHCTX_CB (1ULL << 12)
 #define SSL_EV_CONN_CHOOSE_SNI_CTX (1ULL << 13)
+#define SSL_EV_CONN_SIGALG_EXT (1ULL << 14)
 #define TRACE_SOURCE &trace_ssl
diff --git a/src/ssl_clienthello.c b/src/ssl_clienthello.c
index 6ae090a5c..eb8a0ee76 100644
--- a/src/ssl_clienthello.c
+++ b/src/ssl_clienthello.c
@@ -306,6 +306,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 TRACE_ERROR("Sigalg parsing error (not even)", SSL_EV_CONN_SWITCHCTX_CB|SSL_EV_CONN_ERR, conn);
 goto abort;
 }
+ TRACE_DATA("Sigalg extension value", SSL_EV_CONN_SIGALG_EXT, conn, extension_data, &len);
 for (; len > 0; len -= 2) {
 hash = *extension_data++; /* hash */
 sign = *extension_data++;
diff --git a/src/ssl_trace.c b/src/ssl_trace.c
index a171692e4..4cf044380 100644
--- a/src/ssl_trace.c
+++ b/src/ssl_trace.c
@@ -40,6 +40,7 @@ static const struct trace_event ssl_trace_events[] = {
 { .mask = SSL_EV_CONN_STAPLING, .name = "sslc_stapling", .desc = "SSL OCSP stapling callback"},
 { .mask = SSL_EV_CONN_SWITCHCTX_CB, .name = "sslc_switchctx_cb", .desc = "SSL switchctx callback"},
 { .mask = SSL_EV_CONN_CHOOSE_SNI_CTX, .name = "sslc_choose_sni_ctx", .desc = "SSL choose sni context"},
+ { .mask = SSL_EV_CONN_SIGALG_EXT, .name = "sslc_sigalg_ext", .desc = "SSL sigalg extension parsing"},
 { }
 };
@@ -216,5 +217,35 @@ static void ssl_trace(enum trace_level level, uint64_t mask, const struct trace_
 chunk_appendf(&trace_buf, " crt=\"%s\"", sni_ctx->ckch_inst->ckch_store->path);
 }
 }
+
+ if (mask & SSL_EV_CONN_SIGALG_EXT && src->verbosity > SSL_VERB_ADVANCED) {
+ if (a2 && a3) {
+ const uint16_t *extension_data = a2;
+ size_t extension_len = *((size_t*)a3);
+ int first = 1;
+
+ chunk_appendf(&trace_buf, " value=");
+
+ while (extension_len > 1) {
+ const char *sigalg_name = sigalg2str(ntohs(*extension_data));
+
+ if (sigalg_name) {
+ chunk_appendf(&trace_buf, "%s%s(0x%02X%02X)", first ? "" : ":", sigalg_name,
+ ((uint8_t*)extension_data)[0],
+ ((uint8_t*)extension_data)[1]);
+ } else {
+ chunk_appendf(&trace_buf, "%s0x%02X%02X",
+ first ? "" : ":",
+ ((uint8_t*)extension_data)[0],
+ ((uint8_t*)extension_data)[1]);
+ }
+
+ first = 0;
+
+ extension_len-=sizeof(*extension_data);
+ ++extension_data;
+ }
+ }
+ }
 }
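Review bot: `sigalg2str(ntohs(*extension_data))` in the new while loop performs a 16-bit load through a `const uint16_t *` on a byte buffer whose alignment is not guaranteed: a2 is the clientHello extension pointer from ssl_clienthello.c, already advanced two bytes past the list-length prefix, so the load is misaligned on strict-alignment targets and, unless the build disables strict aliasing, an aliasing violation on what is an unsigned-char buffer. The loop already reads the two bytes individually for the `0x%02X%02X` output, so the sigalg id can be assembled from those bytes in big-endian order (as the existing `ntohs` shows it is) and the `uint16_t` pointer dropped entirely, as in the excerpt below. The `*((size_t*)a3)` read also silently depends on the caller's `len` in ssl_clienthello.c being a `size_t`; that declaration is outside the ssl_clienthello.c hunk, so a comment at the cast such as `/* a3 is &len from ssl_sock_switchctx_cbk and must be a size_t */` would pin the cross-file contract. The enclosing ssl_trace() starts outside the hunk; `extension_len-=sizeof(*extension_data);` would also read better with spaces around the operator.
```c
		if (a2 && a3) {
			const uint8_t *p = a2;
			size_t extension_len = *((size_t*)a3);
			int first = 1;

			chunk_appendf(&trace_buf, " value=");

			while (extension_len > 1) {
				/* each sigalg is a 16-bit big-endian id; build it from the two
				 * bytes so no aligned uint16_t load is needed on the byte buffer */
				const char *sigalg_name = sigalg2str((uint16_t)((p[0] << 8) | p[1]));

				if (sigalg_name) {
					chunk_appendf(&trace_buf, "%s%s(0x%02X%02X)", first ? "" : ":", sigalg_name, p[0], p[1]);
				} else {
					chunk_appendf(&trace_buf, "%s0x%02X%02X", first ? "" : ":", p[0], p[1]);
				}

				first = 0;
				extension_len -= 2;
				p += 2;
			}
		}
```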