From ddcde195ebb47a9707e97905501959e39808eb9b Mon Sep 17 00:00:00 2001
From: Emmanuel Hocdet
Date: Fri, 1 Sep 2017 17:32:08 +0200
Subject: [PATCH] MINOR: ssl: rework smp_fetch_ssl_fc_cl_str without internal ssl use
smp_fetch_ssl_fc_cl_str as very limited usage (only work with openssl == 1.0.2 compiled with the option enable-ssl-trace). It use internal cipher.algorithm_ssl attribut and SSL_CIPHER_standard_name (available with ssl-trace). This patch implement this (debug) function in a standard way. It used common SSL_CIPHER_get_name to display cipher name. It work with openssl >= 1.0.2 and boringssl.
---
doc/configuration.txt | 5 ++--- include/proto/openssl-compat.h | 5 ----- src/ssl_sock.c | 32 ++++++++++++++------------------ 3 files changed, 16 insertions(+), 26 deletions(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 7c5c437ce..b55bb0628 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -14173,9 +14173,8 @@ ssl_fc_cipherlist_str : string Returns the decoded text form of the client hello cipher list. The maximum number of ciphers returned is according with the value of "tune.ssl.capture-cipherlist-size". Note that this sample-fetch is only
- avaible with OpenSSL > 1.0.2 compiled with the option enable-ssl-trace.
- If the function is not enabled, this sample-fetch returns the hash
- like "ssl_fc_cipherlist_xxh".
+ avaible with OpenSSL >= 1.0.2. If the function is not enabled, this
+ sample-fetch returns the hash like "ssl_fc_cipherlist_xxh".
 ssl_fc_cipherlist_xxh : integer Returns a xxh64 of the cipher list. This hash can be return only is the value
diff --git a/include/proto/openssl-compat.h b/include/proto/openssl-compat.h
index ea92072e5..8fe1c183c 100644
--- a/include/proto/openssl-compat.h
+++ b/include/proto/openssl-compat.h
@@ -152,11 +152,6 @@ static inline X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x)
 #define __OPENSSL_110_CONST__
 #endif
-#if defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER)
-#undef OPENSSL_NO_SSL_TRACE
-#define OPENSSL_NO_SSL_TRACE
-#endif
-
 #ifdef OPENSSL_IS_BORINGSSL
 #define SSL_NO_GENERATE_CERTIFICATES
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index de1dd9a23..2241a36e8 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6308,32 +6308,28 @@ smp_fetch_ssl_fc_cl_xxh64(const struct arg *args, struct sample *smp, const char
 static int
 smp_fetch_ssl_fc_cl_str(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
-#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && !defined(OPENSSL_NO_SSL_TRACE)
+#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && !defined(LIBRESSL_VERSION_NUMBER)
 struct chunk *data;
- SSL_CIPHER cipher;
 int i;
- const char *str;
- unsigned char *bin;
 if (!smp_fetch_ssl_fc_cl_bin(args, smp, kw, private))
 return 0;
- /* The cipher algorith must not be SSL_SSLV2, because this
- * SSL version seems to not have the same cipher encoding,
- * and it is not supported by OpenSSL. Unfortunately, the
- * #define SSL_SSLV2, SSL_SSLV3 and others are not available
- * with standard defines. We just set the variable to 0,
- * ensure that the match with SSL_SSLV2 fails.
- */
- cipher.algorithm_ssl = 0;
-
 data = get_trash_chunk();
 for (i = 0; i + 1 < smp->data.u.str.len; i += 2) {
- bin = (unsigned char *)smp->data.u.str.str + i;
- cipher.id = (unsigned int)(bin[0] << 8) | bin[1];
- str = SSL_CIPHER_standard_name(&cipher);
- if (!str || strcmp(str, "UNKNOWN") == 0)
- chunk_appendf(data, "%sUNKNOWN(%04x)", i == 0 ? "" : ",", (unsigned int)cipher.id);
+ const char *str;
+ const SSL_CIPHER *cipher;
+ const unsigned char *bin = (const unsigned char *)smp->data.u.str.str + i;
+ uint16_t id = (bin[0] << 8) | bin[1];
+#if defined(OPENSSL_IS_BORINGSSL)
+ cipher = SSL_get_cipher_by_value(id);
+#else
+ struct connection *conn = objt_conn(smp->sess->origin);
+ cipher = SSL_CIPHER_find(conn->xprt_ctx, bin);
+#endif
+ str = SSL_CIPHER_get_name(cipher);
+ if (!str || strcmp(str, "(NONE)") == 0)
+ chunk_appendf(data, "%sUNKNOWN(%04x)", i == 0 ? "" : ",", id);
 else
 chunk_appendf(data, "%s%s", i == 0 ? "" : ",", str);
 }
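Review bot: In the non-BoringSSL branch, `conn->xprt_ctx` is dereferenced without a NULL check and `objt_conn(smp->sess->origin)` is re-evaluated on every pass of the cipher loop, so the fetch silently depends on `smp_fetch_ssl_fc_cl_bin()` (outside this hunk) having already rejected sessions whose origin is not an SSL connection. The lookup is loop-invariant: resolve `conn` once above the loop and guard both `conn` and `conn->xprt_ctx` there, so this debug fetch on attacker-supplied ClientHello bytes stays safe even if the `_bin` helper's checks change later. The `strcmp(str, "(NONE)")` test likewise relies on `SSL_CIPHER_get_name()` accepting the NULL that `SSL_CIPHER_find()`/`SSL_get_cipher_by_value()` return for an unknown id; testing `cipher` before calling it removes that dependency on library behaviour. The remainder of `smp_fetch_ssl_fc_cl_str()` (result assignment and the fallback/return path) lies outside the hunk.
```c
	if (!smp_fetch_ssl_fc_cl_bin(args, smp, kw, private))
		return 0;

#ifndef OPENSSL_IS_BORINGSSL
	/* Resolve the connection once, not per cipher. smp_fetch_ssl_fc_cl_bin()
	 * is assumed to have rejected non-SSL origins already, but keep a local
	 * guard so this fetch can never hand a NULL SSL handle to the library. */
	struct connection *conn = objt_conn(smp->sess->origin);

	if (!conn || !conn->xprt_ctx)
		return 0;
#endif
	/* … unchanged: data = get_trash_chunk(); loop header; str/cipher/bin/id declarations … */
#if defined(OPENSSL_IS_BORINGSSL)
		cipher = SSL_get_cipher_by_value(id);
#else
		cipher = SSL_CIPHER_find(conn->xprt_ctx, bin);
#endif
		/* Do not depend on SSL_CIPHER_get_name() tolerating a NULL cipher. */
		str = cipher ? SSL_CIPHER_get_name(cipher) : NULL;
		if (!str || strcmp(str, "(NONE)") == 0)
		/* … unchanged: UNKNOWN(%04x) / cipher-name output … */
```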