MINOR: ssl: Add curves in ssl traces
Dump the ClientHello curves in the SSL traces.
parent
046df68fde
commit
a0829aba7a
@ -23,6 +23,7 @@ extern struct trace_source trace_ssl;
|
||||
#define SSL_EV_CONN_CHOOSE_SNI_CTX (1ULL << 13)
|
||||
#define SSL_EV_CONN_SIGALG_EXT (1ULL << 14)
|
||||
#define SSL_EV_CONN_CIPHERS_EXT (1ULL << 15)
|
||||
#define SSL_EV_CONN_CURVES_EXT (1ULL << 16)
|
||||
|
||||
|
||||
#define SSL_VERB_CLEAN 1
|
||||
|
@ -346,18 +346,35 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
|
||||
has_rsa_sig = 1;
|
||||
}
|
||||
|
||||
if ((TRACE_SOURCE)->verbosity > SSL_VERB_ADVANCED &&
|
||||
TRACE_ENABLED(TRACE_LEVEL_DATA, SSL_EV_CONN_CIPHERS_EXT, conn, 0, 0, 0)) {
|
||||
const uint8_t *cipher_suites;
|
||||
size_t len;
|
||||
if ((TRACE_SOURCE)->verbosity > SSL_VERB_ADVANCED) {
|
||||
if (TRACE_ENABLED(TRACE_LEVEL_DATA, SSL_EV_CONN_CIPHERS_EXT, conn, 0, 0, 0)) {
|
||||
const uint8_t *cipher_suites;
|
||||
size_t len;
|
||||
|
||||
#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
|
||||
len = ctx->cipher_suites_len;
|
||||
cipher_suites = ctx->cipher_suites;
|
||||
len = ctx->cipher_suites_len;
|
||||
cipher_suites = ctx->cipher_suites;
|
||||
#else
|
||||
len = SSL_client_hello_get0_ciphers(ssl, &cipher_suites);
|
||||
len = SSL_client_hello_get0_ciphers(ssl, &cipher_suites);
|
||||
#endif
|
||||
TRACE_DATA("Ciphers value", SSL_EV_CONN_CIPHERS_EXT, conn, ssl, cipher_suites, &len);
|
||||
TRACE_DATA("Ciphers value", SSL_EV_CONN_CIPHERS_EXT, conn, ssl, cipher_suites, &len);
|
||||
}
|
||||
|
||||
if (TRACE_ENABLED(TRACE_LEVEL_DATA, SSL_EV_CONN_CURVES_EXT, conn, 0, 0, 0)) {
|
||||
const uint8_t *extension_data;
|
||||
size_t extension_len;
|
||||
|
||||
#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
|
||||
if (SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_supported_groups,
|
||||
&extension_data, &extension_len)) {
|
||||
#else
|
||||
if (SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_elliptic_curves,
|
||||
&extension_data, &extension_len)) {
|
||||
#endif
|
||||
if (extension_len)
|
||||
TRACE_DATA("Elliptic curves", SSL_EV_CONN_CURVES_EXT, conn, extension_data, &extension_len);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (has_ecdsa_sig) { /* in very rare case: has ecdsa sign but not a ECDSA cipher */
|
||||
|
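Review bot: The curves branch hands the supported_groups extension body straight to `TRACE_DATA("Elliptic curves", SSL_EV_CONN_CURVES_EXT, conn, extension_data, &extension_len);`, but as far as I can tell SSL_client_hello_get0_ext (and the BoringSSL/AWS-LC counterpart) return the extension data with its leading two-byte list length still in place, so the first value the trace would print is the list length rather than a group id; the signature_algorithms handling earlier in this function, outside the hunk, is where to confirm how that prefix is treated. I would strip it with a minimal-length guard before tracing, `if (extension_len > 2) {` followed by `extension_data += 2; extension_len -= 2; /* skip the 2-byte list length */`, and keep the TRACE_DATA call unchanged. A smaller point of consistency: the ciphers call passes `conn, ssl, cipher_suites, &len` while the curves call passes `conn, extension_data, &extension_len`, so the two events carry their payload in different trace argument slots and the decoders must be kept in step by hand. ssl_sock_switchctx_cbk starts before and continues past this hunk.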
@ -42,6 +42,7 @@ static const struct trace_event ssl_trace_events[] = {
|
||||
{ .mask = SSL_EV_CONN_CHOOSE_SNI_CTX, .name = "sslc_choose_sni_ctx", .desc = "SSL choose sni context"},
|
||||
{ .mask = SSL_EV_CONN_SIGALG_EXT, .name = "sslc_sigalg_ext", .desc = "SSL sigalg extension parsing"},
|
||||
{ .mask = SSL_EV_CONN_CIPHERS_EXT, .name = "sslc_ciphers_ext", .desc = "SSL ciphers extension parsing"},
|
||||
{ .mask = SSL_EV_CONN_CURVES_EXT, .name = "sslc_curves_ext", .desc = "SSL curves extension parsing"},
|
||||
{ }
|
||||
};
|
||||
|
||||
@ -275,5 +276,35 @@ static void ssl_trace(enum trace_level level, uint64_t mask, const struct trace_
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (mask & SSL_EV_CONN_CURVES_EXT && src->verbosity > SSL_VERB_ADVANCED) {
|
||||
if (a2 && a3) {
|
||||
const uint16_t *extension_data = a2;
|
||||
size_t extension_len = *((size_t*)a3);
|
||||
int first = 1;
|
||||
|
||||
chunk_appendf(&trace_buf, " value=");
|
||||
|
||||
while (extension_len > 1) {
|
||||
const char *curve_name = curveid2str(ntohs(*extension_data));
|
||||
|
||||
if (curve_name) {
|
||||
chunk_appendf(&trace_buf, "%s%s(0x%02X%02X)", first ? "" : ":", curve_name,
|
||||
((uint8_t*)extension_data)[0],
|
||||
((uint8_t*)extension_data)[1]);
|
||||
} else {
|
||||
chunk_appendf(&trace_buf, "%s0x%02X%02X",
|
||||
first ? "" : ":",
|
||||
((uint8_t*)extension_data)[0],
|
||||
((uint8_t*)extension_data)[1]);
|
||||
}
|
||||
|
||||
first = 0;
|
||||
|
||||
extension_len-=sizeof(*extension_data);
|
||||
++extension_data;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
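Review bot: The decoder declares `const uint16_t *extension_data = a2;` and reads each group id with `ntohs(*extension_data)`, a 16-bit load through a pointer into what the caller supplies as a raw byte buffer; that is a misaligned and type-punned access whenever the extension data does not sit on an even offset, while the `((uint8_t*)extension_data)[0]` reads a few lines below already access the bytes the safe way. Building the id from the two bytes removes the alignment assumption and the ntohs dependency, and prints exactly the same text since `0x%04X` of the big-endian value equals `0x%02X%02X` of the two bytes. If the ciphers decoder above this hunk uses the same uint16_t pattern it has the same issue, but that code is outside the hunk so I cannot tell.
```c
		if (a2 && a3) {
			const uint8_t *extension_data = a2;
			size_t extension_len = *((size_t*)a3);
			int first = 1;

			/* … unchanged: chunk_appendf(&trace_buf, " value=") … */

			/* each group id is two big-endian bytes; assemble it from the
			 * bytes so no alignment or aliasing assumption is made on the
			 * raw extension buffer
			 */
			while (extension_len > 1) {
				uint16_t curve_id = (uint16_t)((extension_data[0] << 8) | extension_data[1]);
				const char *curve_name = curveid2str(curve_id);

				if (curve_name)
					chunk_appendf(&trace_buf, "%s%s(0x%04X)", first ? "" : ":", curve_name, curve_id);
				else
					chunk_appendf(&trace_buf, "%s0x%04X", first ? "" : ":", curve_id);

				first = 0;
				extension_len -= 2;
				extension_data += 2;
			}
```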