From: William Lallemand Date: Fri, 23 Aug 2024 18:53:24 +0000 (+0200) Subject: MEDIUM: ssl/sample: add ssl_fc_sigalgs_bin sample fetch X-Git-Tag: v3.1-dev7~38 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d2fc1ab66e49dffcf342c218a7eee345cac14989;p=thirdparty%2Fhaproxy.git MEDIUM: ssl/sample: add ssl_fc_sigalgs_bin sample fetch This new sample fetch allow to extract the binary list contained in the signature_algorithms (13) TLS extensions. https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3 --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 7c5ebb1621..155aa1a902 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -23167,6 +23167,7 @@ ssl_fc_server_traffic_secret_0 string ssl_fc_server_random binary ssl_fc_session_id binary ssl_fc_session_key binary +ssl_fc_sigalgs_bin([]) binary ssl_fc_sni string ssl_fc_supported_versions_bin([]) binary ssl_fc_use_keysize integer @@ -23884,6 +23885,16 @@ ssl_fc_session_key : binary traffic sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL. +ssl_fc_sigalgs_bin([]) : binary + Returns the content of the signatures_algorithms (13) TLS extension presented + during the Client Hello. It provides a binary list of 2-bytes algorithms + defined in the TLS RFC: https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3. + + This value can return only if the value "tune.ssl.capture-buffer-size" is set + greater than 0. Setting allows to filter returned data. + Accepted values: + 0 : return the full list of ciphers (default) + 1 : exclude GREASE (RFC8701) values from the output ssl_fc_sni : string This extracts the Server Name Indication TLS extension (SNI) field from an diff --git a/src/ssl_sample.c b/src/ssl_sample.c index e732c065f6..defa913aba 100644 --- a/src/ssl_sample.c +++ b/src/ssl_sample.c 
@@ -2017,6 +2017,38 @@ smp_fetch_ssl_fc_supver_bin(const struct arg *args, struct sample *smp, const ch
 return 1;
 }
+static int
+smp_fetch_ssl_fc_sigalgs_bin(const struct arg *args, struct sample *smp, const char *kw, void *private)
+{
+ struct buffer *smp_trash;
+ struct connection *conn;
+ struct ssl_capture *capture;
+ SSL *ssl;
+
+ conn = objt_conn(smp->sess->origin);
+ ssl = ssl_sock_get_ssl_object(conn);
+ if (!ssl)
+ return 0;
+
+ capture = SSL_get_ex_data(ssl, ssl_capture_ptr_index);
+ if (!capture)
+ return 0;
+
+ if (args[0].data.sint) {
+ smp_trash = get_trash_chunk();
+ exclude_tls_grease(capture->data + capture->sigalgs_offset, capture->sigalgs_len, smp_trash);
+ smp->data.u.str.area = smp_trash->area;
+ smp->data.u.str.data = smp_trash->data;
+ smp->flags = SMP_F_VOL_SESS;
+ smp->data.type = SMP_T_BIN;
+ } else {
+ smp->flags = SMP_F_VOL_SESS | SMP_F_CONST;
+ smp->data.type = SMP_T_BIN;
+ smp->data.u.str.area = capture->data + capture->sigalgs_offset;
+ smp->data.u.str.data = capture->sigalgs_len;
+ }
+ return 1;
+}
 static int
 smp_fetch_ssl_fc_err_str(const struct arg *args, struct sample *smp, const char *kw, void *private)
@@ -2522,6 +2554,7 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
 { "ssl_fc_eclist_bin", smp_fetch_ssl_fc_ecl_bin, ARG1(0,SINT), NULL, SMP_T_STR, SMP_USE_L5CLI },
 { "ssl_fc_ecformats_bin", smp_fetch_ssl_fc_ecf_bin, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
 { "ssl_fc_supported_versions_bin", smp_fetch_ssl_fc_supver_bin, ARG1(0,SINT), NULL, SMP_T_BIN, SMP_USE_L5CLI },
+ { "ssl_fc_sigalgs_bin", smp_fetch_ssl_fc_sigalgs_bin, ARG1(0,SINT), NULL, SMP_T_BIN, SMP_USE_L5CLI },
 /* SSL server certificate fetches */
 { "ssl_s_der", smp_fetch_ssl_x_der, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
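Review bot: smp_fetch_ssl_fc_sigalgs_bin returns 1 even when the captured ClientHello carried no signature_algorithms extension (clients capped at TLS 1.1 never send it); if the capture parser leaves sigalgs_len at 0 in that case, the sample is a zero-length binary rather than not-found, so a configuration cannot tell "absent" from "present but empty" — unless the sibling fetches deliberately behave the same way, add `if (!capture->sigalgs_len) return 0;` directly after the `if (!capture)` check. The capture code that fills sigalgs_offset/sigalgs_len and clamps them to the tune.ssl.capture-buffer-size window is not part of this commit, so that contract is worth confirming before the else branch hands out `capture->data + capture->sigalgs_offset` as a SMP_F_CONST pointer with no bound check of its own. The new function has no header comment; a line such as `/* Returns the raw signature_algorithms (13) extension body captured from the ClientHello (untrusted bytes, copied verbatim); with args[0] set, GREASE values are filtered out into the trash chunk. */` would tell the next reader what the two branches differ in. In the documentation hunk of the same commit, `0 : return the full list of ciphers (default)` looks copy-pasted from a cipher-list fetch and should read `0 : return the full list of signature algorithms (default)`, and the entry header misspells the extension as "signatures_algorithms".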