MINOR: ssl: Add curves in ssl traces
authorRemi Tricot-Le Breton <rlebreton@haproxy.com>
Tue, 15 Jul 2025 08:45:09 +0000 (10:45 +0200)
committerWilliam Lallemand <wlallemand@haproxy.com>
Mon, 21 Jul 2025 14:44:50 +0000 (16:44 +0200)
Dump the ClientHello curves in the SSL traces.

include/haproxy/ssl_trace.h
src/ssl_clienthello.c
src/ssl_trace.c

index c7ffd5a52a4d5ce2bde9c409d546145a81c63f7e..b9aec497c3c4d3dd5d4bf0d378f37c1091eb2d97 100644 (file)
@@ -23,6 +23,7 @@ extern struct trace_source trace_ssl;
 #define SSL_EV_CONN_CHOOSE_SNI_CTX (1ULL << 13)
 #define SSL_EV_CONN_SIGALG_EXT     (1ULL << 14)
 #define SSL_EV_CONN_CIPHERS_EXT    (1ULL << 15)
+#define SSL_EV_CONN_CURVES_EXT     (1ULL << 16)
 
 
 #define SSL_VERB_CLEAN    1
index daa950626c65148c6b9b0f27e6bedacc1a182b40..131c919c593b83379b2e0d8ab5ae681d57c3ce0a 100644 (file)
@@ -346,18 +346,35 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
                has_rsa_sig = 1;
        }
 
-       if ((TRACE_SOURCE)->verbosity > SSL_VERB_ADVANCED &&
-           TRACE_ENABLED(TRACE_LEVEL_DATA, SSL_EV_CONN_CIPHERS_EXT, conn, 0, 0, 0)) {
-               const uint8_t *cipher_suites;
-               size_t len;
+       if ((TRACE_SOURCE)->verbosity > SSL_VERB_ADVANCED) {
+               if (TRACE_ENABLED(TRACE_LEVEL_DATA, SSL_EV_CONN_CIPHERS_EXT, conn, 0, 0, 0)) {
+                       const uint8_t *cipher_suites;
+                       size_t len;
 
 #if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
-               len = ctx->cipher_suites_len;
-               cipher_suites = ctx->cipher_suites;
+                       len = ctx->cipher_suites_len;
+                       cipher_suites = ctx->cipher_suites;
 #else
-               len = SSL_client_hello_get0_ciphers(ssl, &cipher_suites);
+                       len = SSL_client_hello_get0_ciphers(ssl, &cipher_suites);
 #endif
-               TRACE_DATA("Ciphers value", SSL_EV_CONN_CIPHERS_EXT, conn, ssl, cipher_suites, &len);
+                       TRACE_DATA("Ciphers value", SSL_EV_CONN_CIPHERS_EXT, conn, ssl, cipher_suites, &len);
+               }
+
+               if (TRACE_ENABLED(TRACE_LEVEL_DATA, SSL_EV_CONN_CURVES_EXT, conn, 0, 0, 0)) {
+                       const uint8_t *extension_data;
+                       size_t extension_len;
+
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+                       if (SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_supported_groups,
+                                                                &extension_data, &extension_len)) {
+#else
+                       if (SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_elliptic_curves,
+                                                     &extension_data, &extension_len)) {
+#endif
+                               if (extension_len)
+                                       TRACE_DATA("Elliptic curves", SSL_EV_CONN_CURVES_EXT, conn, extension_data, &extension_len);
+                       }
+               }
        }
 
        if (has_ecdsa_sig) {  /* in very rare case: has ecdsa sign but not a ECDSA cipher */
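Review bot: The buffer handed to TRACE_DATA at the `"Elliptic curves"` line is the raw supported_groups extension body as returned by SSL_client_hello_get0_ext / SSL_early_callback_ctx_extension_get, and per RFC 8422 §5.1.1 / RFC 8446 §4.2.7 that body starts with the 2-byte length of the NamedGroup list, not with the first group id; the only guard is `if (extension_len)`. The trace consumer will therefore print the length prefix as if it were a curve id, an odd-length or internally inconsistent body from the peer is passed through unchecked, and a body holding only the prefix (empty list) is still dumped. Since this is attacker-controlled ClientHello data, validate and strip the prefix here before tracing, e.g. `size_t list_len = extension_len >= 2 ? (((size_t)extension_data[0] << 8) | extension_data[1]) : 0;` then `if (list_len && list_len + 2 == extension_len && !(list_len & 1))` and call `TRACE_DATA("Elliptic curves", SSL_EV_CONN_CURVES_EXT, conn, extension_data + 2, &list_len);`. The signature_algorithms handling earlier in this function presumably already strips its list-length prefix this way, but that code is outside the hunk; ssl_sock_switchctx_cbk both starts and ends outside this hunk.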
index 6a1a8a96684a600dad99d744bd6a7a633a7cc768..3967414a1b25912cf67dc88feeb6e7282ac725c0 100644 (file)
@@ -42,6 +42,7 @@ static const struct trace_event ssl_trace_events[] = {
        { .mask = SSL_EV_CONN_CHOOSE_SNI_CTX, .name = "sslc_choose_sni_ctx", .desc = "SSL choose sni context"},
        { .mask = SSL_EV_CONN_SIGALG_EXT,     .name = "sslc_sigalg_ext",     .desc = "SSL sigalg extension parsing"},
        { .mask = SSL_EV_CONN_CIPHERS_EXT,    .name = "sslc_ciphers_ext",    .desc = "SSL ciphers extension parsing"},
+       { .mask = SSL_EV_CONN_CURVES_EXT,     .name = "sslc_curves_ext",     .desc = "SSL curves extension parsing"},
        { }
 };
 
@@ -275,5 +276,35 @@ static void ssl_trace(enum trace_level level, uint64_t mask, const struct trace_
                        }
                }
        }
+
+       if (mask & SSL_EV_CONN_CURVES_EXT && src->verbosity > SSL_VERB_ADVANCED) {
+               if (a2 && a3) {
+                       const uint16_t *extension_data = a2;
+                       size_t extension_len = *((size_t*)a3);
+                       int first = 1;
+
+                       chunk_appendf(&trace_buf, " value=");
+
+                       while (extension_len > 1) {
+                               const char *curve_name = curveid2str(ntohs(*extension_data));
+
+                               if (curve_name) {
+                                       chunk_appendf(&trace_buf, "%s%s(0x%02X%02X)", first ? "" : ":", curve_name,
+                                                     ((uint8_t*)extension_data)[0],
+                                                     ((uint8_t*)extension_data)[1]);
+                               } else {
+                                       chunk_appendf(&trace_buf, "%s0x%02X%02X",
+                                                     first ? "" : ":",
+                                                     ((uint8_t*)extension_data)[0],
+                                                     ((uint8_t*)extension_data)[1]);
+                               }
+
+                               first = 0;
+
+                               extension_len-=sizeof(*extension_data);
+                               ++extension_data;
+                       }
+               }
+       }
 }
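Review bot: `ntohs(*extension_data)` at the `curveid2str` line reads a `uint16_t` through a pointer that is just the byte offset of the extension inside the ClientHello buffer, so there is no 2-byte alignment guarantee; that is a misaligned access (a fault on strict-alignment targets) and a strict-aliasing violation, and it is inconsistent with the rest of the loop, which already reads the same two bytes as `uint8_t` for printing. Read the id from the bytes instead, with a `const uint8_t *` cursor, and step it by 2. Note also that the loop starts decoding at byte 0, so unless the producer in ssl_clienthello.c strips the 2-byte list-length prefix of the supported_groups body (it does not appear to in this commit), the first entry printed is the length field, and `while (extension_len > 1)` silently discards a trailing odd byte rather than flagging a malformed list. ssl_trace begins outside this hunk; only its tail is visible here.
```c
			const uint8_t *p = a2;
			size_t extension_len = *((size_t*)a3);
			int first = 1;

			chunk_appendf(&trace_buf, " value=");

			/* byte-wise read: the extension is not 2-byte aligned in the ClientHello */
			while (extension_len > 1) {
				unsigned int id = ((unsigned int)p[0] << 8) | p[1];
				const char *curve_name = curveid2str(id);

				if (curve_name)
					chunk_appendf(&trace_buf, "%s%s(0x%04X)", first ? "" : ":", curve_name, id);
				else
					chunk_appendf(&trace_buf, "%s0x%04X", first ? "" : ":", id);

				first = 0;
				extension_len -= 2;
				p += 2;
			}
```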