This adds 4 sample fetches:
- ssl_fc_client_random
- ssl_fc_server_random
- ssl_bc_client_random
- ssl_bc_server_random

These fetches retrieve the client or server random value sent during the
handshake.

Their use is to be able to decrypt traffic sent using ephemeral ciphers. Tools
like Wireshark expect a TLS log file with lines in a few known formats
(https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-tls-utils.c;h=28a51fb1fb029eae5cea52d37ff5b67d9b11950f;hb=HEAD#l5209).
Previously the only format supported using data retrievable from HAProxy state
was the one utilizing the Session-ID. However an SSL/TLS session ID is
optional, and thus cannot be relied upon for this purpose.

This change introduces the ability to extract the client random instead 
which
can be used for one of the other formats. The change also adds the 
ability to
extract the server random, just in case it might have some other use, as the
code change to support this was trivial.
---
  doc/configuration.txt | 20 ++++++++++++++++++++
  src/ssl_sock.c        | 35 +++++++++++++++++++++++++++++++++++
  2 files changed, 55 insertions(+)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 074a7fffe..f1325ea3f 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -15459,6 +15459,16 @@ ssl_bc_session_id : binary
    made over an SSL/TLS transport layer. It is useful to log if we want 
to know
    if session was reused or not.
  +ssl_bc_client_random : binary
+  Returns the client random of the back connection when the incoming 
connection
+  was made over an SSL/TLS transport layer. It is useful to to decrypt 
traffic
+  sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or 
BoringSSL.
+
+ssl_bc_server_random : binary
+  Returns the server random of the back connection when the incoming 
connection
+  was made over an SSL/TLS transport layer. It is useful to to decrypt 
traffic
+  sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or 
BoringSSL.
+
  ssl_bc_session_key : binary
    Returns the SSL session master key of the back connection when the 
outgoing
    connection was made over an SSL/TLS transport layer. It is useful to 
decrypt
@@ -15725,6 +15735,16 @@ ssl_fc_session_id : binary
    a server. It is important to note that some browsers refresh their 
session ID
    every few minutes.
  +ssl_fc_client_random : binary
+  Returns the client random of the front connection when the incoming 
connection
+  was made over an SSL/TLS transport layer. It is useful to to decrypt 
traffic
+  sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or 
BoringSSL.
+
+ssl_fc_server_random : binary
+  Returns the server random of the front connection when the incoming 
connection
+  was made over an SSL/TLS transport layer. It is useful to to decrypt 
traffic
+  sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or 
BoringSSL.
+
  ssl_fc_session_key : binary
    Returns the SSL session master key of the front connection when the 
incoming
    connection was made over an SSL/TLS transport layer. It is useful to 
decrypt
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 2eb344dfa..fb7e96bf9 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7195,6 +7195,37 @@ smp_fetch_ssl_fc_session_id(const struct arg 
*args, struct sample *smp, const ch
    #if HA_OPENSSL_VERSION_NUMBER >= 0x10100000L || 
defined(OPENSSL_IS_BORINGSSL)
+static int
+smp_fetch_ssl_fc_random(const struct arg *args, struct sample *smp, 
const char *kw, void *private)
+{
+       struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) 
:
+                                           smp->strm ? 
cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
+       struct buffer *data;
+       struct ssl_sock_ctx *ctx;
+
+       if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
+               return 0;
+       ctx = conn->xprt_ctx;
+
+       data = get_trash_chunk();
+       if (kw[7] == 'c')
+               data->data = SSL_get_client_random(ctx->ssl,
+                                                                               
                        (unsigned char *) data->area,
+                                                                               
                        data->size);
+       else
+               data->data = SSL_get_server_random(ctx->ssl,
+                                                                               
                        (unsigned char *) data->area,
+                                                                               
                        data->size);
+       if (!data->data)
+               return 0;
+
+       smp->flags = 0;
+       smp->data.type = SMP_T_BIN;
+       smp->data.u.str = *data;
+
+       return 1;
+}
+
  static int
  smp_fetch_ssl_fc_session_key(const struct arg *args, struct sample 
*smp, const char *kw, void *private)
  {
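Review bot: The `if (!data->data)` test after the two calls probably cannot detect a random that has not been exchanged yet, because SSL_get_client_random() and SSL_get_server_random() are documented to return the number of bytes copied whenever the output length is non-zero. A connection whose handshake has not completed would then yield a sample of whatever the SSL object currently holds instead of a failed fetch. That matters most for the ssl_bc_* keywords, so consider a guard such as `if (!SSL_is_init_finished(ctx->ssl)) return 0;` before `get_trash_chunk()`; whether HAProxy already tracks handshake completion on `conn` is not visible in this hunk. The selection by `kw[4] != 'b'` and `kw[7] == 'c'` depends on the exact spelling registered in sample_fetch_keywords, so a comment like `/* kw is ssl_{f,b}c_{client,server}_random: kw[4] picks the side, kw[7] the random */` would keep a later rename from silently fetching the wrong value. Because the client random is meant to be logged next to ssl_fc_session_key, the resulting log line is key material for any captured traffic, and the documentation should say that such logs need the same protection as private keys.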
@@ -9395,6 +9426,8 @@ static struct sample_fetch_kw_list 
sample_fetch_keywords = {ILH, {
        { "ssl_bc_session_id",      smp_fetch_ssl_fc_session_id,  0, 
          NULL,    SMP_T_BIN,  SMP_USE_L5SRV },
  #endif
  #if HA_OPENSSL_VERSION_NUMBER >= 0x10100000L || 
defined(OPENSSL_IS_BORINGSSL)
+       { "ssl_bc_client_random",   smp_fetch_ssl_fc_random,      0, 
         NULL,    SMP_T_BIN,  SMP_USE_L5SRV },
+       { "ssl_bc_server_random",   smp_fetch_ssl_fc_random,      0, 
         NULL,    SMP_T_BIN,  SMP_USE_L5SRV },
        { "ssl_bc_session_key",     smp_fetch_ssl_fc_session_key, 0, 
          NULL,    SMP_T_BIN,  SMP_USE_L5SRV },
  #endif
        { "ssl_c_ca_err",           smp_fetch_ssl_c_ca_err,       0, 
          NULL,    SMP_T_SINT, SMP_USE_L5CLI },
@@ -9444,6 +9477,8 @@ static struct sample_fetch_kw_list 
sample_fetch_keywords = {ILH, {
        { "ssl_fc_session_id",      smp_fetch_ssl_fc_session_id,  0, 
          NULL,    SMP_T_BIN,  SMP_USE_L5CLI },
  #endif
  #if HA_OPENSSL_VERSION_NUMBER >= 0x10100000L || 
defined(OPENSSL_IS_BORINGSSL)
+       { "ssl_fc_client_random",   smp_fetch_ssl_fc_random,      0, 
         NULL,    SMP_T_BIN,  SMP_USE_L5CLI },
+       { "ssl_fc_server_random",   smp_fetch_ssl_fc_random,      0, 
         NULL,    SMP_T_BIN,  SMP_USE_L5CLI },
        { "ssl_fc_session_key",     smp_fetch_ssl_fc_session_key, 0, 
          NULL,    SMP_T_BIN,  SMP_USE_L5CLI },
  #endif
  #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
-- 
2.18.0

