mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-07 23:56:57 +02:00
Code Issues Projects Releases Wiki Activity

MEDIUM: ssl: capture the signature_algorithms extension from Client Hello

Browse Source 
Activate the capture of the TLS signature_algorithms extension from the
Client Hello. This list is stored in the ssl_capture buffer when the
global option "tune.ssl.capture-cipherlist-size" is enabled.
This commit is contained in:
William Lallemand 2024-08-23 20:40:47 +02:00
parent ac5c7158f9
commit e8fecef0ff
2 changed files with 28 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/haproxy/ssl_sock-t.h
View File

@ -221,6 +221,8 @@ struct ssl_capture {
uchar ec_formats_len; uchar ec_formats_len;
uchar supver_len; uchar supver_len;
uint supver_offset; uint supver_offset;
ushort sigalgs_len;
uint sigalgs_offset;
char data[VAR_ARRAY]; char data[VAR_ARRAY];
}; };

27
src/ssl_sock.c
View File

@ -1600,6 +1600,8 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
uchar *ec_formats_start = NULL; uchar *ec_formats_start = NULL;
uchar *supver_start = NULL; /* supported_versions */ uchar *supver_start = NULL; /* supported_versions */
uchar supver_len = 0; /* supported_versions len */ uchar supver_len = 0; /* supported_versions len */
uchar *sigalgs_start = NULL;
ushort sigalgs_len = 0;
uchar *list_end; uchar *list_end;
ushort protocol_version; ushort protocol_version;
ushort extension_id; ushort extension_id;
@ -1791,6 +1793,20 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
ec_formats_start = msg; ec_formats_start = msg;
ec_formats_len = rec_len; ec_formats_len = rec_len;
break; break;
case 13:
/* signature_algorithms(13)
* https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3 */
if (msg + 2 > list_end)
goto store_capture;
rec_len = (msg[0] << 8) + msg[1];
msg += 2;
if (msg + rec_len > list_end || msg + rec_len < msg)
goto store_capture;
/* Store location/size of the list */
sigalgs_start = msg;
sigalgs_len = rec_len;
break;
case 43: case 43:
/* supported_versions(43) /* supported_versions(43)
* https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.1 */ * https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.1 */
@ -1836,8 +1852,17 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
capture->supver_offset = offset; capture->supver_offset = offset;
capture->supver_len = rec_len; capture->supver_len = rec_len;
offset += rec_len; offset += rec_len;
} }
if (sigalgs_start) {
rec_len = sigalgs_len;
if (offset + rec_len > global_ssl.capture_buffer_size)
rec_len = global_ssl.capture_buffer_size - offset;
memcpy(capture->data + offset, sigalgs_start, rec_len);
capture->sigalgs_offset = offset;
capture->sigalgs_len = rec_len;
offset += rec_len;
}
store_capture: store_capture:
SSL_set_ex_data(ssl, ssl_capture_ptr_index, capture); SSL_set_ex_data(ssl, ssl_capture_ptr_index, capture);