From: William Lallemand
Date: Fri, 23 Aug 2024 18:40:47 +0000 (+0200)
Subject: MEDIUM: ssl: capture the signature_algorithms extension from Client Hello
X-Git-Tag: v3.1-dev7~39
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e8fecef0ff9e4caaa9306fcdad7c6d45b1ab10ab;p=thirdparty%2Fhaproxy.git
MEDIUM: ssl: capture the signature_algorithms extension from Client Hello
Activate the capture of the TLS signature_algorithms extension from the Client Hello. This list is stored in the ssl_capture buffer when the global option "tune.ssl.capture-cipherlist-size" is enabled.
---
diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h
index 2716767fbb..f864595f75 100644
--- a/include/haproxy/ssl_sock-t.h
+++ b/include/haproxy/ssl_sock-t.h
@@ -221,6 +221,8 @@ struct ssl_capture {
 uchar ec_formats_len;
 uchar supver_len;
 uint supver_offset;
+ ushort sigalgs_len;
+ uint sigalgs_offset;
 char data[VAR_ARRAY];
 };
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index e27f13d850..ca59958c10 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1600,6 +1600,8 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
 uchar *ec_formats_start = NULL;
 uchar *supver_start = NULL; /* supported_versions */
 uchar supver_len = 0; /* supported_versions len */
+ uchar *sigalgs_start = NULL;
+ ushort sigalgs_len = 0;
 uchar *list_end;
 ushort protocol_version;
 ushort extension_id;
@@ -1791,6 +1793,20 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
 ec_formats_start = msg;
 ec_formats_len = rec_len;
 break;
+ case 13:
+ /* signature_algorithms(13)
+ * https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3 */
+ if (msg + 2 > list_end)
+ goto store_capture;
+ rec_len = (msg[0] << 8) + msg[1];
+ msg += 2;
+
+ if (msg + rec_len > list_end || msg + rec_len < msg)
+ goto store_capture;
+ /* Store location/size of the list */
+ sigalgs_start = msg;
+ sigalgs_len = rec_len;
+ break;
 case 43:
 /* supported_versions(43)
 * https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.1 */
@@ -1836,8 +1852,17 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
 capture->supver_offset = offset;
 capture->supver_len = rec_len;
 offset += rec_len;
- }
+ if (sigalgs_start) {
+ rec_len = sigalgs_len;
+ if (offset + rec_len > global_ssl.capture_buffer_size)
+ rec_len = global_ssl.capture_buffer_size - offset;
+ memcpy(capture->data + offset, sigalgs_start, rec_len);
+ capture->sigalgs_offset = offset;
+ capture->sigalgs_len = rec_len;
+ offset += rec_len;
+ }
+ store_capture:
 SSL_set_ex_data(ssl, ssl_capture_ptr_index, capture);
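Review bot: The bound check added in the new `case 13:` block, `if (msg + rec_len > list_end || msg + rec_len < msg)`, forms `msg + rec_len` before knowing it stays inside the record; once that pointer passes one-past-the-end of the buffer the arithmetic is undefined in C, and the `msg + rec_len < msg` wrap test is precisely the always-false comparison an optimizer is entitled to delete. Comparing the remaining byte count instead avoids both issues without changing what is accepted: `if ((size_t)(list_end - msg) < rec_len) goto store_capture;` (and if the neighbouring extension cases use the same pointer idiom, they should get the same treatment). Separately, RFC 8446 §4.2.3 requires the signature_algorithms list length to be even and at least 2, but this code stores whatever length the client sent, so whoever later reads `capture->sigalgs_*` must not assume whole 2-byte SignatureScheme entries; a comment such as `/* length not validated here: may be 0 or odd */` beside `sigalgs_len = rec_len;` would make that explicit. The enclosing switch and ssl_sock_parse_clienthello begin and end outside this hunk, and the check against this extension's own declared length, if one exists, is not visible here.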