From: William Lallemand
Date: Fri, 23 Aug 2024 15:35:10 +0000 (+0200)
Subject: MEDIUM: ssl: capture the supported_versions extension from Client Hello
X-Git-Tag: v3.1-dev7~41
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ce7fb6628e0023bbbf4ac2c70350f1c1069ce641;p=thirdparty%2Fhaproxy.git

MEDIUM: ssl: capture the supported_versions extension from Client Hello

Activate the capture of the TLS supported_versions extension from the Client Hello. This list is stored in the ssl_capture buffer when the global option "tune.ssl.capture-cipherlist-size" is enabled.
---
diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h
index a8c37e6bf2..2716767fbb 100644
--- a/include/haproxy/ssl_sock-t.h
+++ b/include/haproxy/ssl_sock-t.h
@@ -219,6 +219,8 @@ struct ssl_capture {
 uint ec_offset;
 uint ec_formats_offset;
 uchar ec_formats_len;
+ uchar supver_len;
+ uint supver_offset;
 char data[VAR_ARRAY];
 };
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 146388063b..e27f13d850 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1598,6 +1598,8 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
 uchar *extensions_end;
 uchar *ec_start = NULL;
 uchar *ec_formats_start = NULL;
+ uchar *supver_start = NULL; /* supported_versions */
+ uchar supver_len = 0; /* supported_versions len */
 uchar *list_end;
 ushort protocol_version;
 ushort extension_id;
@@ -1789,6 +1791,19 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
 ec_formats_start = msg;
 ec_formats_len = rec_len;
 break;
+ case 43:
+ /* supported_versions(43)
+ * https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.1 */
+ if (msg + 1 > list_end)
+ goto store_capture;
+ rec_len = msg[0];
+ msg += 1;
+ if (msg + rec_len > list_end || msg + rec_len < msg)
+ goto store_capture;
+ /* Store location/size of the list */
+ supver_start = msg;
+ supver_len = rec_len;
+ break;
 default:
 break;
 }
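Review bot: The length byte read in `case 43:` is only bounds-checked against `list_end`, not against the shape RFC 8446 §4.2.1 gives the ClientHello list (`ProtocolVersion versions<2..254>`), so an empty or odd-length list is captured verbatim and any consumer that later walks `capture->data + supver_offset` in two-byte steps has to re-validate `supver_len` itself. If the capture is meant to hold only well-formed lists, `if (!rec_len || (rec_len & 1)) goto store_capture;` after `rec_len = msg[0];` would reject the malformed cases at the same place the other checks do. The `msg + rec_len < msg` wrap check relies on out-of-bounds pointer arithmetic the surrounding cases presumably already use, so it is at least consistent with the file. The enclosing `switch` and ssl_sock_parse_clienthello start and end outside this hunk.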
@@ -1813,6 +1828,16 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
 capture->ec_formats_len = rec_len;
 offset += rec_len;
 }
+ if (supver_start) {
+ rec_len = supver_len;
+ if (offset + rec_len > global_ssl.capture_buffer_size)
+ rec_len = global_ssl.capture_buffer_size - offset;
+ memcpy(capture->data + offset, supver_start, rec_len);
+ capture->supver_offset = offset;
+ capture->supver_len = rec_len;
+ offset += rec_len;
+
+ }
 store_capture:
 SSL_set_ex_data(ssl, ssl_capture_ptr_index, capture);
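Review bot: `capture->supver_len` and `capture->supver_offset` are written only inside `if (supver_start)`, so when the extension is absent, or when the parser leaves via `goto store_capture` from the case 43 hunk, they keep whatever the allocation held; unless the capture object is zero-allocated or the sibling `*_len` fields are explicitly reset earlier in the function (outside this hunk — worth confirming), a reader of `supver_len` can see a stale length and index past the bytes actually copied. Setting `capture->supver_len = 0;` wherever the other length fields are initialised would make the absent case explicit. The clamp `rec_len = global_ssl.capture_buffer_size - offset;` is only safe if `offset` never exceeds `capture_buffer_size` on entry, which holds as long as the preceding copies clamp the same way. The empty line before the closing `}` of the new block looks accidental and can be dropped.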