MEDIUM: ssl/sample: add ssl_fc_supported_versions_bin sample fetch

This new sample fetch allow to extract the binary list contained in the supported_versions (43) TLS extensions. https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.1
2025-09-21 05:41:26 +02:00 · 2024-08-23 18:15:52 +02:00 · 2024-08-23 18:15:52 +02:00 · ac5c7158f9
commit ac5c7158f9
parent ce7fb6628e
2 changed files with 47 additions and 0 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -23168,6 +23168,7 @@ ssl_fc_server_random                               binary
 ssl_fc_session_id                                  binary
 ssl_fc_session_key                                 binary
 ssl_fc_sni                                         string
+ssl_fc_supported_versions_bin([<filter_option>])   binary
 ssl_fc_use_keysize                                 integer
 ssl_s_der                                          binary
 ssl_s_chain_der                                    binary
@ -23911,6 +23912,17 @@ ssl_fc_sni : string
    ssl_fc_sni_end : suffix match
    ssl_fc_sni_reg : regex match

+ssl_fc_supported_versions_bin([<filter_option>]) : binary
+  Returns the content of the supported_versions (43) TLS extension presented
+  during the Client Hello. It provides a binary list of 2-bytes versions.
+  TLSv1.3 (0x0304), TLSv1.2 (0x0303).
+
+  This value can return only if the value "tune.ssl.capture-buffer-size" is set
+  greater than 0. Setting <filter_option> allows to filter returned data.
+  Accepted values:
+  0 : return the full list of ciphers (default)
+  1 : exclude GREASE (RFC8701) values from the output
+
 ssl_fc_use_keysize : integer
  Returns the symmetric cipher key size used in bits when the incoming
  connection was made over an SSL/TLS transport layer.
--- a/src/ssl_sample.c
+++ b/src/ssl_sample.c
@ -1984,6 +1984,40 @@ smp_fetch_ssl_fc_protocol_hello_id(const struct arg *args, struct sample *smp, c
 	return 1;
 }

+static int
+smp_fetch_ssl_fc_supver_bin(const struct arg *args, struct sample *smp, const char *kw, void *private)
+{
+	struct buffer *smp_trash;
+	struct connection *conn;
+	struct ssl_capture *capture;
+	SSL *ssl;
+
+	conn = objt_conn(smp->sess->origin);
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
+		return 0;
+
+	capture = SSL_get_ex_data(ssl, ssl_capture_ptr_index);
+	if (!capture)
+		return 0;
+
+	if (args[0].data.sint) {
+		smp_trash = get_trash_chunk();
+		exclude_tls_grease(capture->data + capture->supver_offset, capture->supver_len, smp_trash);
+		smp->data.u.str.area = smp_trash->area;
+		smp->data.u.str.data = smp_trash->data;
+		smp->flags = SMP_F_VOL_SESS;
+		smp->data.type = SMP_T_BIN;
+	} else {
+		smp->flags = SMP_F_VOL_SESS | SMP_F_CONST;
+		smp->data.type = SMP_T_BIN;
+		smp->data.u.str.area = capture->data + capture->supver_offset;
+		smp->data.u.str.data = capture->supver_len;
+	}
+	return 1;
+}
+
+
 static int
 smp_fetch_ssl_fc_err_str(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
@ -2487,6 +2521,7 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
 	{ "ssl_fc_extlist_bin",     smp_fetch_ssl_fc_ext_bin,     ARG1(0,SINT),        NULL,    SMP_T_STR,  SMP_USE_L5CLI },
 	{ "ssl_fc_eclist_bin",      smp_fetch_ssl_fc_ecl_bin,     ARG1(0,SINT),        NULL,    SMP_T_STR,  SMP_USE_L5CLI },
 	{ "ssl_fc_ecformats_bin",   smp_fetch_ssl_fc_ecf_bin,     0,                   NULL,    SMP_T_STR,  SMP_USE_L5CLI },
+	{ "ssl_fc_supported_versions_bin", smp_fetch_ssl_fc_supver_bin, ARG1(0,SINT),  NULL,    SMP_T_BIN,  SMP_USE_L5CLI },

 /* SSL server certificate fetches */
 	{ "ssl_s_der",              smp_fetch_ssl_x_der,          0,                   NULL,    SMP_T_BIN,  SMP_USE_L5CLI },