From: William Lallemand <wlallemand@haproxy.com>
Date: Fri, 23 Aug 2024 16:15:52 +0000 (+0200)
Subject: MEDIUM: ssl/sample: add ssl_fc_supported_versions_bin sample fetch
X-Git-Tag: v3.1-dev7~40
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ac5c7158f97ab4e1758a1b1a5c7e5d0e1877a54e;p=thirdparty%2Fhaproxy.git

MEDIUM: ssl/sample: add ssl_fc_supported_versions_bin sample fetch

This new sample fetch allow to extract the binary list contained in the
supported_versions (43) TLS extensions.

https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.1
---

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 213febb763..7c5ebb1621 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -23168,6 +23168,7 @@ ssl_fc_server_random                               binary
 ssl_fc_session_id                                  binary
 ssl_fc_session_key                                 binary
 ssl_fc_sni                                         string
+ssl_fc_supported_versions_bin([<filter_option>])   binary
 ssl_fc_use_keysize                                 integer
 ssl_s_der                                          binary
 ssl_s_chain_der                                    binary
@@ -23911,6 +23912,17 @@ ssl_fc_sni : string
     ssl_fc_sni_end : suffix match
     ssl_fc_sni_reg : regex match
 
+ssl_fc_supported_versions_bin([<filter_option>]) : binary
+  Returns the content of the supported_versions (43) TLS extension presented
+  during the Client Hello. It provides a binary list of 2-bytes versions.
+  TLSv1.3 (0x0304), TLSv1.2 (0x0303).
+
+  This value can return only if the value "tune.ssl.capture-buffer-size" is set
+  greater than 0. Setting <filter_option> allows to filter returned data.
+  Accepted values:
+  0 : return the full list of ciphers (default)
+  1 : exclude GREASE (RFC8701) values from the output
+
 ssl_fc_use_keysize : integer
   Returns the symmetric cipher key size used in bits when the incoming
   connection was made over an SSL/TLS transport layer.
diff --git a/src/ssl_sample.c b/src/ssl_sample.c
index 315e7e72c2..e732c065f6 100644
--- a/src/ssl_sample.c
+++ b/src/ssl_sample.c
@@ -1984,6 +1984,40 @@ smp_fetch_ssl_fc_protocol_hello_id(const struct arg *args, struct sample *smp, c
 	return 1;
 }
 
+static int
+smp_fetch_ssl_fc_supver_bin(const struct arg *args, struct sample *smp, const char *kw, void *private)
+{
+	struct buffer *smp_trash;
+	struct connection *conn;
+	struct ssl_capture *capture;
+	SSL *ssl;
+
+	conn = objt_conn(smp->sess->origin);
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
+		return 0;
+
+	capture = SSL_get_ex_data(ssl, ssl_capture_ptr_index);
+	if (!capture)
+		return 0;
+
+	if (args[0].data.sint) {
+		smp_trash = get_trash_chunk();
+		exclude_tls_grease(capture->data + capture->supver_offset, capture->supver_len, smp_trash);
+		smp->data.u.str.area = smp_trash->area;
+		smp->data.u.str.data = smp_trash->data;
+		smp->flags = SMP_F_VOL_SESS;
+		smp->data.type = SMP_T_BIN;
+	} else {
+		smp->flags = SMP_F_VOL_SESS | SMP_F_CONST;
+		smp->data.type = SMP_T_BIN;
+		smp->data.u.str.area = capture->data + capture->supver_offset;
+		smp->data.u.str.data = capture->supver_len;
+	}
+	return 1;
+}
+
+
 static int
 smp_fetch_ssl_fc_err_str(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
@@ -2487,6 +2521,7 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
 	{ "ssl_fc_extlist_bin",     smp_fetch_ssl_fc_ext_bin,     ARG1(0,SINT),        NULL,    SMP_T_STR,  SMP_USE_L5CLI },
 	{ "ssl_fc_eclist_bin",      smp_fetch_ssl_fc_ecl_bin,     ARG1(0,SINT),        NULL,    SMP_T_STR,  SMP_USE_L5CLI },
 	{ "ssl_fc_ecformats_bin",   smp_fetch_ssl_fc_ecf_bin,     0,                   NULL,    SMP_T_STR,  SMP_USE_L5CLI },
+	{ "ssl_fc_supported_versions_bin", smp_fetch_ssl_fc_supver_bin, ARG1(0,SINT),  NULL,    SMP_T_BIN,  SMP_USE_L5CLI },
 
 /* SSL server certificate fetches */
 	{ "ssl_s_der",              smp_fetch_ssl_x_der,          0,                   NULL,    SMP_T_BIN,  SMP_USE_L5CLI },