made over an SSL/TLS transport layer. It is useful to log if we want to know
if session was reused or not.
+ssl_bc_session_key : binary
+ Returns the SSL session master key of the back connection when the outgoing
+ connection was made over an SSL/TLS transport layer. It is useful to decrypt
+ traffic sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or
+ BoringSSL.
+
ssl_bc_use_keysize : integer
Returns the symmetric cipher key size used in bits when the outgoing
connection was made over an SSL/TLS transport layer.
a server. It is important to note that some browsers refresh their session ID
every few minutes.
+ssl_fc_session_key : binary
+ Returns the SSL session master key of the front connection when the incoming
+ connection was made over an SSL/TLS transport layer. It is useful to decrypt
+ traffic sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or
+ BoringSSL.
+
+
ssl_fc_sni : string
This extracts the Server Name Indication TLS extension (SNI) field from an
incoming connection made via an SSL/TLS transport layer and locally
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_IS_BORINGSSL)
+static int
+smp_fetch_ssl_fc_session_key(const struct arg *args, struct sample *smp, const char *kw, void *private)
+{
+ struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
+ SSL_SESSION *ssl_sess;
+ struct chunk *data;
+
+ if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
+ return 0;
+
+ ssl_sess = SSL_get_session(conn->xprt_ctx);
+ if (!ssl_sess)
+ return 0;
+
+ data = get_trash_chunk();
+ data->len = SSL_SESSION_get_master_key(ssl_sess, (unsigned char *)data->str, data->size);
+ if (!data->len)
+ return 0;
+
+ smp->flags = 0;
+ smp->data.type = SMP_T_BIN;
+ smp->data.u.str = *data;
+
+ return 1;
+}
+#endif
+
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
static int
smp_fetch_ssl_fc_sni(const struct arg *args, struct sample *smp, const char *kw, void *private)
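Review bot: smp_fetch_ssl_fc_session_key (L26-L51) hands TLS key material to the sampling layer, yet nothing at the definition says so; a header comment above the `static int` line should state what the sample is and what exposing it implies. Suggested text: `/* Returns the TLS session master secret (SMP_T_BIN) of the front ("ssl_fc_") or back ("ssl_bc_") connection, selected by kw[4]. This is key material: any log-format or variable that captures the sample lets its holder decrypt that session's traffic, so it is meant for debugging configurations only. */`. The same comment should note that the key is copied into the trash chunk, which is a shared scratch buffer, so the secret stays there until overwritten, and that SSL_SESSION_get_master_key bounds the copy by `data->size`, so an oversized key is truncated silently rather than overflowing. SSL_SESSION_get_master_key returns a `size_t` that is assigned to `data->len`; if that field is an `int`, an explicit cast would make the narrowing visible under -Wconversion. The trailing smp_fetch_ssl_fc_sni signature at the end of the hunk continues outside it.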
{ "ssl_bc_use_keysize", smp_fetch_ssl_fc_use_keysize, 0, NULL, SMP_T_SINT, SMP_USE_L5SRV },
#if OPENSSL_VERSION_NUMBER > 0x0090800fL
{ "ssl_bc_session_id", smp_fetch_ssl_fc_session_id, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_IS_BORINGSSL)
+ { "ssl_bc_session_key", smp_fetch_ssl_fc_session_key, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },
#endif
{ "ssl_c_ca_err", smp_fetch_ssl_c_ca_err, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
{ "ssl_c_ca_err_depth", smp_fetch_ssl_c_ca_err_depth, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
#if OPENSSL_VERSION_NUMBER > 0x0090800fL
{ "ssl_fc_session_id", smp_fetch_ssl_fc_session_id, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_IS_BORINGSSL)
+ { "ssl_fc_session_key", smp_fetch_ssl_fc_session_key, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
+#endif
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
{ "ssl_fc_sni", smp_fetch_ssl_fc_sni, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
#endif