MEDIUM: ssl/sample: add ssl_fc_sigalgs_bin sample fetch

This new sample fetch allow to extract the binary list contained in the signature_algorithms (13) TLS extensions. https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3
2025-09-20 13:21:29 +02:00 · 2024-08-23 20:53:24 +02:00 · 2024-08-23 20:53:24 +02:00 · d2fc1ab66e
commit d2fc1ab66e
parent e8fecef0ff
2 changed files with 44 additions and 0 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -23167,6 +23167,7 @@ ssl_fc_server_traffic_secret_0                     string
 ssl_fc_server_random                               binary
 ssl_fc_session_id                                  binary
 ssl_fc_session_key                                 binary
+ssl_fc_sigalgs_bin([<filter_option>])              binary
 ssl_fc_sni                                         string
 ssl_fc_supported_versions_bin([<filter_option>])   binary
 ssl_fc_use_keysize                                 integer
@ -23884,6 +23885,16 @@ ssl_fc_session_key : binary
  traffic sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or
  BoringSSL.

+ssl_fc_sigalgs_bin([<filter_option>]) : binary
+  Returns the content of the signatures_algorithms (13) TLS extension presented
+  during the Client Hello. It provides a binary list of 2-bytes algorithms
+  defined in the TLS RFC: https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3.
+
+  This value can return only if the value "tune.ssl.capture-buffer-size" is set
+  greater than 0. Setting <filter_option> allows to filter returned data.
+  Accepted values:
+  0 : return the full list of ciphers (default)
+  1 : exclude GREASE (RFC8701) values from the output

 ssl_fc_sni : string
  This extracts the Server Name Indication TLS extension (SNI) field from an
--- a/src/ssl_sample.c
+++ b/src/ssl_sample.c
@ -2017,6 +2017,38 @@ smp_fetch_ssl_fc_supver_bin(const struct arg *args, struct sample *smp, const ch
 	return 1;
 }

+static int
+smp_fetch_ssl_fc_sigalgs_bin(const struct arg *args, struct sample *smp, const char *kw, void *private)
+{
+	struct buffer *smp_trash;
+	struct connection *conn;
+	struct ssl_capture *capture;
+	SSL *ssl;
+
+	conn = objt_conn(smp->sess->origin);
+	ssl = ssl_sock_get_ssl_object(conn);
+	if (!ssl)
+		return 0;
+
+	capture = SSL_get_ex_data(ssl, ssl_capture_ptr_index);
+	if (!capture)
+		return 0;
+
+	if (args[0].data.sint) {
+		smp_trash = get_trash_chunk();
+		exclude_tls_grease(capture->data + capture->sigalgs_offset, capture->sigalgs_len, smp_trash);
+		smp->data.u.str.area = smp_trash->area;
+		smp->data.u.str.data = smp_trash->data;
+		smp->flags = SMP_F_VOL_SESS;
+		smp->data.type = SMP_T_BIN;
+	} else {
+		smp->flags = SMP_F_VOL_SESS | SMP_F_CONST;
+		smp->data.type = SMP_T_BIN;
+		smp->data.u.str.area = capture->data + capture->sigalgs_offset;
+		smp->data.u.str.data = capture->sigalgs_len;
+	}
+	return 1;
+}

 static int
 smp_fetch_ssl_fc_err_str(const struct arg *args, struct sample *smp, const char *kw, void *private)
@ -2522,6 +2554,7 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
 	{ "ssl_fc_eclist_bin",      smp_fetch_ssl_fc_ecl_bin,     ARG1(0,SINT),        NULL,    SMP_T_STR,  SMP_USE_L5CLI },
 	{ "ssl_fc_ecformats_bin",   smp_fetch_ssl_fc_ecf_bin,     0,                   NULL,    SMP_T_STR,  SMP_USE_L5CLI },
 	{ "ssl_fc_supported_versions_bin", smp_fetch_ssl_fc_supver_bin, ARG1(0,SINT),  NULL,    SMP_T_BIN,  SMP_USE_L5CLI },
+	{ "ssl_fc_sigalgs_bin",     smp_fetch_ssl_fc_sigalgs_bin, ARG1(0,SINT),        NULL,    SMP_T_BIN,  SMP_USE_L5CLI },

 /* SSL server certificate fetches */
 	{ "ssl_s_der",              smp_fetch_ssl_x_der,          0,                   NULL,    SMP_T_BIN,  SMP_USE_L5CLI },