MEDIUM: ssl/sample: add ssl_fc_sigalgs_bin sample fetch

This new sample fetch allow to extract the binary list contained in the
signature_algorithms (13) TLS extensions.

https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 7c5ebb1621c492ed58c401effa1e0fb5b118e02c..155aa1a9022834826f591f3968c9b69a09e77d89 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -23167,6 +23167,7 @@ ssl_fc_server_traffic_secret_0                     string
 ssl_fc_server_random                               binary
 ssl_fc_session_id                                  binary
 ssl_fc_session_key                                 binary
+ssl_fc_sigalgs_bin([<filter_option>])              binary
 ssl_fc_sni                                         string
 ssl_fc_supported_versions_bin([<filter_option>])   binary
 ssl_fc_use_keysize                                 integer
@@ -23884,6 +23885,16 @@ ssl_fc_session_key : binary
   traffic sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or
   BoringSSL.
 
+ssl_fc_sigalgs_bin([<filter_option>]) : binary
+  Returns the content of the signatures_algorithms (13) TLS extension presented
+  during the Client Hello. It provides a binary list of 2-bytes algorithms
+  defined in the TLS RFC: https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3.
+
+  This value can return only if the value "tune.ssl.capture-buffer-size" is set
+  greater than 0. Setting <filter_option> allows to filter returned data.
+  Accepted values:
+  0 : return the full list of ciphers (default)
+  1 : exclude GREASE (RFC8701) values from the output
 
 ssl_fc_sni : string
   This extracts the Server Name Indication TLS extension (SNI) field from an

diff --git a/src/ssl_sample.c b/src/ssl_sample.c
index e732c065f6eda0950946a26b0ba29b9793a0402a..defa913abae7698535e3af3a2a730b8809b241fa 100644 (file)
--- a/src/ssl_sample.c
+++ b/src/ssl_sample.c
@@ -2017,6 +2017,38 @@ smp_fetch_ssl_fc_supver_bin(const struct arg *args, struct sample *smp, const ch
        return 1;
 }
 
+static int
+smp_fetch_ssl_fc_sigalgs_bin(const struct arg *args, struct sample *smp, const char *kw, void *private)
+{
+       struct buffer *smp_trash;
+       struct connection *conn;
+       struct ssl_capture *capture;
+       SSL *ssl;
+
+       conn = objt_conn(smp->sess->origin);
+       ssl = ssl_sock_get_ssl_object(conn);
+       if (!ssl)
+               return 0;
+
+       capture = SSL_get_ex_data(ssl, ssl_capture_ptr_index);
+       if (!capture)
+               return 0;
+
+       if (args[0].data.sint) {
+               smp_trash = get_trash_chunk();
+               exclude_tls_grease(capture->data + capture->sigalgs_offset, capture->sigalgs_len, smp_trash);
+               smp->data.u.str.area = smp_trash->area;
+               smp->data.u.str.data = smp_trash->data;
+               smp->flags = SMP_F_VOL_SESS;
+               smp->data.type = SMP_T_BIN;
+       } else {
+               smp->flags = SMP_F_VOL_SESS | SMP_F_CONST;
+               smp->data.type = SMP_T_BIN;
+               smp->data.u.str.area = capture->data + capture->sigalgs_offset;
+               smp->data.u.str.data = capture->sigalgs_len;
+       }
+       return 1;
+}
 
 static int
 smp_fetch_ssl_fc_err_str(const struct arg *args, struct sample *smp, const char *kw, void *private)
@@ -2522,6 +2554,7 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
        { "ssl_fc_eclist_bin",      smp_fetch_ssl_fc_ecl_bin,     ARG1(0,SINT),        NULL,    SMP_T_STR,  SMP_USE_L5CLI },
        { "ssl_fc_ecformats_bin",   smp_fetch_ssl_fc_ecf_bin,     0,                   NULL,    SMP_T_STR,  SMP_USE_L5CLI },
        { "ssl_fc_supported_versions_bin", smp_fetch_ssl_fc_supver_bin, ARG1(0,SINT),  NULL,    SMP_T_BIN,  SMP_USE_L5CLI },
+       { "ssl_fc_sigalgs_bin",     smp_fetch_ssl_fc_sigalgs_bin, ARG1(0,SINT),        NULL,    SMP_T_BIN,  SMP_USE_L5CLI },
 
 /* SSL server certificate fetches */
        { "ssl_s_der",              smp_fetch_ssl_x_der,          0,                   NULL,    SMP_T_BIN,  SMP_USE_L5CLI },