BUILD: make tune.ssl.keylog available again

Since commit 04a5a44 ("BUILD: ssl: use HAVE_OPENSSL_KEYLOG instead of
OpenSSL versions") the "tune.ssl.keylog" feature is broken because
HAVE_OPENSSL_KEYLOG does not exist.

Replace it with HAVE_SSL_KEYLOG, which is defined in openssl-compat.h.
Also emit an error when HAProxy is not built with a suitable OpenSSL version.

Must be backported as far as 2.3.
William Lallemand 2021-06-09 16:46:12 +02:00
parent 871ef2ffbc
commit 722180aca8
5 changed files with 25 additions and 15 deletions


@ -74,6 +74,10 @@
#define HAVE_SSL_SCTL #define HAVE_SSL_SCTL
#endif #endif
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
#define HAVE_SSL_KEYLOG
#endif
#if (HA_OPENSSL_VERSION_NUMBER < 0x0090800fL) #if (HA_OPENSSL_VERSION_NUMBER < 0x0090800fL)
/* Functions present in OpenSSL 0.9.8, older not tested */ /* Functions present in OpenSSL 0.9.8, older not tested */
static inline const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *sess, unsigned int *sid_length) static inline const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *sess, unsigned int *sid_length)
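Review bot: The new HAVE_SSL_KEYLOG guard at the top of the hunk is a bare version comparison with no hint of which API it stands in for, which is exactly how the old, never-defined macro name went unnoticed. A one-line comment would tie the define to its consumers, e.g. `/* SSL_CTX_set_keylog_callback() (OpenSSL 1.1.1+), used by the tune.ssl.keylog support in ssl_sock.c and ssl_sample.c */`. HA_OPENSSL_VERSION_NUMBER is presumably the project's normalised version value for non-OpenSSL libraries as well, so whether LibreSSL or BoringSSL builds end up with the feature depends on how that macro is mapped, which this hunk does not show.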


@ -206,7 +206,7 @@ struct ssl_capture {
char ciphersuite[VAR_ARRAY]; char ciphersuite[VAR_ARRAY];
}; };
#ifdef HAVE_OPENSSL_KEYLOG #ifdef HAVE_SSL_KEYLOG
#define SSL_KEYLOG_MAX_SECRET_SIZE 129 #define SSL_KEYLOG_MAX_SECRET_SIZE 129
struct ssl_keylog { struct ssl_keylog {


@ -319,7 +319,7 @@ static int ssl_parse_global_capture_cipherlist(char **args, int section_type, st
} }
/* init the SSLKEYLOGFILE pool */ /* init the SSLKEYLOGFILE pool */
#ifdef HAVE_OPENSSL_KEYLOG #ifdef HAVE_SSL_KEYLOG
static int ssl_parse_global_keylog(char **args, int section_type, struct proxy *curpx, static int ssl_parse_global_keylog(char **args, int section_type, struct proxy *curpx,
const struct proxy *defpx, const char *file, int line, const struct proxy *defpx, const char *file, int line,
char **err) char **err)
@ -354,6 +354,14 @@ static int ssl_parse_global_keylog(char **args, int section_type, struct proxy *
return 0; return 0;
} }
#else
static int ssl_parse_global_keylog(char **args, int section_type, struct proxy *curpx,
const struct proxy *defpx, const char *file, int line,
char **err)
{
memprintf(err, "'%s' requires at least OpenSSL 1.1.1.", args[0]);
return -1;
}
#endif #endif
/* parse "ssl.force-private-cache". /* parse "ssl.force-private-cache".
@ -1878,9 +1886,7 @@ static struct cfg_kw_list cfg_kws = {ILH, {
{ CFG_GLOBAL, "tune.ssl.maxrecord", ssl_parse_global_int }, { CFG_GLOBAL, "tune.ssl.maxrecord", ssl_parse_global_int },
{ CFG_GLOBAL, "tune.ssl.ssl-ctx-cache-size", ssl_parse_global_int }, { CFG_GLOBAL, "tune.ssl.ssl-ctx-cache-size", ssl_parse_global_int },
{ CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_cipherlist }, { CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_cipherlist },
#ifdef HAVE_OPENSSL_KEYLOG
{ CFG_GLOBAL, "tune.ssl.keylog", ssl_parse_global_keylog }, { CFG_GLOBAL, "tune.ssl.keylog", ssl_parse_global_keylog },
#endif
{ CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers }, { CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers },
{ CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers }, { CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers },
#if defined(SSL_CTX_set1_curves_list) #if defined(SSL_CTX_set1_curves_list)
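Review bot: In the second hunk, the new `#else` variant of ssl_parse_global_keylog hardcodes "requires at least OpenSSL 1.1.1." while the actual condition is HAVE_SSL_KEYLOG from openssl-compat.h; if the compat header is later taught to define it for another library or version, the message drifts silently. A short comment above the stub keeps the two in sync, e.g. `/* stub kept so "tune.ssl.keylog" is always a known keyword: reject it with an explicit error rather than let the config be silently accepted; see HAVE_SSL_KEYLOG in openssl-compat.h */`. The third hunk depends on this stub by dropping the #ifdef around the cfg_kws entry, so the two must stay paired; the stub's unused parameters are fine only as long as the build does not enable -Wunused-parameter, which the hunk cannot show.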


@ -1189,7 +1189,7 @@ smp_fetch_ssl_fc_cl_xxh64(const struct arg *args, struct sample *smp, const char
} }
/* Dump the SSL keylog, it only works with "tune.ssl.keylog 1" */ /* Dump the SSL keylog, it only works with "tune.ssl.keylog 1" */
#ifdef HAVE_OPENSSL_KEYLOG #ifdef HAVE_SSL_KEYLOG
static int smp_fetch_ssl_x_keylog(const struct arg *args, struct sample *smp, const char *kw, void *private) static int smp_fetch_ssl_x_keylog(const struct arg *args, struct sample *smp, const char *kw, void *private)
{ {
struct connection *conn; struct connection *conn;
@ -1520,7 +1520,7 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
{ "ssl_fc_session_key", smp_fetch_ssl_fc_session_key, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI }, { "ssl_fc_session_key", smp_fetch_ssl_fc_session_key, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
#endif #endif
#ifdef HAVE_OPENSSL_KEYLOG #ifdef HAVE_SSL_KEYLOG
{ "ssl_fc_client_early_traffic_secret", smp_fetch_ssl_x_keylog, 0, NULL, SMP_T_STR, SMP_USE_L5CLI }, { "ssl_fc_client_early_traffic_secret", smp_fetch_ssl_x_keylog, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
{ "ssl_fc_client_handshake_traffic_secret", smp_fetch_ssl_x_keylog, 0, NULL, SMP_T_STR, SMP_USE_L5CLI }, { "ssl_fc_client_handshake_traffic_secret", smp_fetch_ssl_x_keylog, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
{ "ssl_fc_server_handshake_traffic_secret", smp_fetch_ssl_x_keylog, 0, NULL, SMP_T_STR, SMP_USE_L5CLI }, { "ssl_fc_server_handshake_traffic_secret", smp_fetch_ssl_x_keylog, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },


@ -127,7 +127,7 @@ struct global_ssl global_ssl = {
.capture_cipherlist = 0, .capture_cipherlist = 0,
.extra_files = SSL_GF_ALL, .extra_files = SSL_GF_ALL,
.extra_files_noext = 0, .extra_files_noext = 0,
#ifdef HAVE_OPENSSL_KEYLOG #ifdef HAVE_SSL_KEYLOG
.keylog = 0 .keylog = 0
#endif #endif
}; };
@ -437,7 +437,7 @@ struct pool_head *pool_head_ssl_capture __read_mostly = NULL;
int ssl_capture_ptr_index = -1; int ssl_capture_ptr_index = -1;
int ssl_app_data_index = -1; int ssl_app_data_index = -1;
#ifdef HAVE_OPENSSL_KEYLOG #ifdef HAVE_SSL_KEYLOG
int ssl_keylog_index = -1; int ssl_keylog_index = -1;
struct pool_head *pool_head_ssl_keylog __read_mostly = NULL; struct pool_head *pool_head_ssl_keylog __read_mostly = NULL;
struct pool_head *pool_head_ssl_keylog_str __read_mostly = NULL; struct pool_head *pool_head_ssl_keylog_str __read_mostly = NULL;
@ -513,7 +513,7 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
int content_type, const void *buf, size_t len, int content_type, const void *buf, size_t len,
SSL *ssl); SSL *ssl);
#ifdef HAVE_OPENSSL_KEYLOG #ifdef HAVE_SSL_KEYLOG
static void ssl_init_keylog(struct connection *conn, int write_p, int version, static void ssl_init_keylog(struct connection *conn, int write_p, int version,
int content_type, const void *buf, size_t len, int content_type, const void *buf, size_t len,
SSL *ssl); SSL *ssl);
@ -558,7 +558,7 @@ static int ssl_sock_register_msg_callbacks(void)
if (!ssl_sock_register_msg_callback(ssl_sock_parse_clienthello)) if (!ssl_sock_register_msg_callback(ssl_sock_parse_clienthello))
return ERR_ABORT; return ERR_ABORT;
} }
#ifdef HAVE_OPENSSL_KEYLOG #ifdef HAVE_SSL_KEYLOG
if (global_ssl.keylog > 0) { if (global_ssl.keylog > 0) {
if (!ssl_sock_register_msg_callback(ssl_init_keylog)) if (!ssl_sock_register_msg_callback(ssl_init_keylog))
return ERR_ABORT; return ERR_ABORT;
@ -1737,7 +1737,7 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
} }
#ifdef HAVE_OPENSSL_KEYLOG #ifdef HAVE_SSL_KEYLOG
static void ssl_init_keylog(struct connection *conn, int write_p, int version, static void ssl_init_keylog(struct connection *conn, int write_p, int version,
int content_type, const void *buf, size_t len, int content_type, const void *buf, size_t len,
SSL *ssl) SSL *ssl)
@ -4147,7 +4147,7 @@ void ssl_set_shctx(SSL_CTX *ctx)
* We only need to copy the secret as there is a sample fetch for the ClientRandom * We only need to copy the secret as there is a sample fetch for the ClientRandom
*/ */
#ifdef HAVE_OPENSSL_KEYLOG #ifdef HAVE_SSL_KEYLOG
void SSL_CTX_keylog(const SSL *ssl, const char *line) void SSL_CTX_keylog(const SSL *ssl, const char *line)
{ {
struct ssl_keylog *keylog; struct ssl_keylog *keylog;
@ -4383,7 +4383,7 @@ static int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_con
#ifdef SSL_CTRL_SET_MSG_CALLBACK #ifdef SSL_CTRL_SET_MSG_CALLBACK
SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk); SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk);
#endif #endif
#ifdef HAVE_OPENSSL_KEYLOG #ifdef HAVE_SSL_KEYLOG
SSL_CTX_set_keylog_callback(ctx, SSL_CTX_keylog); SSL_CTX_set_keylog_callback(ctx, SSL_CTX_keylog);
#endif #endif
@ -7037,7 +7037,7 @@ static void ssl_sock_capture_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *
pool_free(pool_head_ssl_capture, ptr); pool_free(pool_head_ssl_capture, ptr);
} }
#ifdef HAVE_OPENSSL_KEYLOG #ifdef HAVE_SSL_KEYLOG
static void ssl_sock_keylog_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp) static void ssl_sock_keylog_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp)
{ {
struct ssl_keylog *keylog; struct ssl_keylog *keylog;
@ -7104,7 +7104,7 @@ static void __ssl_sock_init(void)
ssl_app_data_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); ssl_app_data_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
ssl_capture_ptr_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_capture_free_func); ssl_capture_ptr_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_capture_free_func);
#ifdef HAVE_OPENSSL_KEYLOG #ifdef HAVE_SSL_KEYLOG
ssl_keylog_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_keylog_free_func); ssl_keylog_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_keylog_free_func);
#endif #endif
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE