From: Remi Tricot-Le Breton Date: Tue, 15 Jul 2025 08:45:09 +0000 (+0200) Subject: MINOR: ssl: Add curves in ssl traces X-Git-Tag: v3.3-dev4~56 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8f2b7872412c0e6b96373ebe825b237deae5917f;p=thirdparty%2Fhaproxy.git MINOR: ssl: Add curves in ssl traces Dump the ClientHello curves in the SSL traces. --- diff --git a/include/haproxy/ssl_trace.h b/include/haproxy/ssl_trace.h index c7ffd5a52..b9aec497c 100644 --- a/include/haproxy/ssl_trace.h +++ b/include/haproxy/ssl_trace.h @@ -23,6 +23,7 @@ extern struct trace_source trace_ssl; #define SSL_EV_CONN_CHOOSE_SNI_CTX (1ULL << 13) #define SSL_EV_CONN_SIGALG_EXT (1ULL << 14) #define SSL_EV_CONN_CIPHERS_EXT (1ULL << 15) +#define SSL_EV_CONN_CURVES_EXT (1ULL << 16) #define SSL_VERB_CLEAN 1 diff --git a/src/ssl_clienthello.c b/src/ssl_clienthello.c index daa950626..131c919c5 100644 --- a/src/ssl_clienthello.c +++ b/src/ssl_clienthello.c @@ -346,18 +346,35 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg) has_rsa_sig = 1; } - if ((TRACE_SOURCE)->verbosity > SSL_VERB_ADVANCED && - TRACE_ENABLED(TRACE_LEVEL_DATA, SSL_EV_CONN_CIPHERS_EXT, conn, 0, 0, 0)) { - const uint8_t *cipher_suites; - size_t len; + if ((TRACE_SOURCE)->verbosity > SSL_VERB_ADVANCED) { + if (TRACE_ENABLED(TRACE_LEVEL_DATA, SSL_EV_CONN_CIPHERS_EXT, conn, 0, 0, 0)) { + const uint8_t *cipher_suites; + size_t len; #if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) - len = ctx->cipher_suites_len; - cipher_suites = ctx->cipher_suites; + len = ctx->cipher_suites_len; + cipher_suites = ctx->cipher_suites; #else - len = SSL_client_hello_get0_ciphers(ssl, &cipher_suites); + len = SSL_client_hello_get0_ciphers(ssl, &cipher_suites); #endif - TRACE_DATA("Ciphers value", SSL_EV_CONN_CIPHERS_EXT, conn, ssl, cipher_suites, &len); + TRACE_DATA("Ciphers value", SSL_EV_CONN_CIPHERS_EXT, conn, ssl, cipher_suites, &len); + } + + if (TRACE_ENABLED(TRACE_LEVEL_DATA, SSL_EV_CONN_CURVES_EXT, conn, 0, 0, 0)) { + const uint8_t *extension_data; + size_t extension_len; + +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) + if (SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_supported_groups, + &extension_data, &extension_len)) { +#else + if (SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_elliptic_curves, + &extension_data, &extension_len)) { +#endif + if (extension_len) + TRACE_DATA("Elliptic curves", SSL_EV_CONN_CURVES_EXT, conn, extension_data, &extension_len); + } + } } if (has_ecdsa_sig) { /* in very rare case: has ecdsa sign but not a ECDSA cipher */ diff --git a/src/ssl_trace.c b/src/ssl_trace.c index 6a1a8a966..3967414a1 100644 --- a/src/ssl_trace.c +++ b/src/ssl_trace.c @@ -42,6 +42,7 @@ static const struct trace_event ssl_trace_events[] = { { .mask = SSL_EV_CONN_CHOOSE_SNI_CTX, .name = "sslc_choose_sni_ctx", .desc = "SSL choose sni context"}, { .mask = SSL_EV_CONN_SIGALG_EXT, .name = "sslc_sigalg_ext", .desc = "SSL sigalg extension parsing"}, { .mask = SSL_EV_CONN_CIPHERS_EXT, .name = "sslc_ciphers_ext", .desc = "SSL ciphers extension parsing"}, + { .mask = SSL_EV_CONN_CURVES_EXT, .name = "sslc_curves_ext", .desc = "SSL curves extension parsing"}, { } }; @@ -275,5 +276,35 @@ static void ssl_trace(enum trace_level level, uint64_t mask, const struct trace_ } } } + + if (mask & SSL_EV_CONN_CURVES_EXT && src->verbosity > SSL_VERB_ADVANCED) { + if (a2 && a3) { + const uint16_t *extension_data = a2; + size_t extension_len = *((size_t*)a3); + int first = 1; + + chunk_appendf(&trace_buf, " value="); + + while (extension_len > 1) { + const char *curve_name = curveid2str(ntohs(*extension_data)); + + if (curve_name) { + chunk_appendf(&trace_buf, "%s%s(0x%02X%02X)", first ? "" : ":", curve_name, + ((uint8_t*)extension_data)[0], + ((uint8_t*)extension_data)[1]); + } else { + chunk_appendf(&trace_buf, "%s0x%02X%02X", + first ? "" : ":", + ((uint8_t*)extension_data)[0], + ((uint8_t*)extension_data)[1]); + } + + first = 0; + + extension_len-=sizeof(*extension_data); + ++extension_data; + } + } + } }