Back to home page

Nginx displayed by LXR

Source navigation ]
Diff markup ]
Identifier search ]
general search ]
 
 
Version: nginx-1.15.11 ]​[ nginx-1.14.2 ]​

0001 
0002 /*
0003  * Copyright (C) Nginx, Inc.
0004  */
0005 
0006 
0007 #include <ngx_config.h>
0008 #include <ngx_core.h>
0009 #include <ngx_stream.h>
0010 
0011 
0012 typedef struct {
0013     ngx_flag_t      enabled;
0014 } ngx_stream_ssl_preread_srv_conf_t;
0015 
0016 
0017 typedef struct {
0018     size_t          left;
0019     size_t          size;
0020     size_t          ext;
0021     u_char         *pos;
0022     u_char         *dst;
0023     u_char          buf[4];
0024     u_char          version[2];
0025     ngx_str_t       host;
0026     ngx_str_t       alpn;
0027     ngx_log_t      *log;
0028     ngx_pool_t     *pool;
0029     ngx_uint_t      state;
0030 } ngx_stream_ssl_preread_ctx_t;
0031 
0032 
0033 static ngx_int_t ngx_stream_ssl_preread_handler(ngx_stream_session_t *s);
0034 static ngx_int_t ngx_stream_ssl_preread_parse_record(
0035     ngx_stream_ssl_preread_ctx_t *ctx, u_char *pos, u_char *last);
0036 static ngx_int_t ngx_stream_ssl_preread_protocol_variable(
0037     ngx_stream_session_t *s, ngx_stream_variable_value_t *v, uintptr_t data);
0038 static ngx_int_t ngx_stream_ssl_preread_server_name_variable(
0039     ngx_stream_session_t *s, ngx_stream_variable_value_t *v, uintptr_t data);
0040 static ngx_int_t ngx_stream_ssl_preread_alpn_protocols_variable(
0041     ngx_stream_session_t *s, ngx_stream_variable_value_t *v, uintptr_t data);
0042 static ngx_int_t ngx_stream_ssl_preread_add_variables(ngx_conf_t *cf);
0043 static void *ngx_stream_ssl_preread_create_srv_conf(ngx_conf_t *cf);
0044 static char *ngx_stream_ssl_preread_merge_srv_conf(ngx_conf_t *cf, void *parent,
0045     void *child);
0046 static ngx_int_t ngx_stream_ssl_preread_init(ngx_conf_t *cf);
0047 
0048 
0049 static ngx_command_t  ngx_stream_ssl_preread_commands[] = {
0050 
0051     { ngx_string("ssl_preread"),
0052       NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
0053       ngx_conf_set_flag_slot,
0054       NGX_STREAM_SRV_CONF_OFFSET,
0055       offsetof(ngx_stream_ssl_preread_srv_conf_t, enabled),
0056       NULL },
0057 
0058       ngx_null_command
0059 };
0060 
0061 
0062 static ngx_stream_module_t  ngx_stream_ssl_preread_module_ctx = {
0063     ngx_stream_ssl_preread_add_variables,   /* preconfiguration */
0064     ngx_stream_ssl_preread_init,            /* postconfiguration */
0065 
0066     NULL,                                   /* create main configuration */
0067     NULL,                                   /* init main configuration */
0068 
0069     ngx_stream_ssl_preread_create_srv_conf, /* create server configuration */
0070     ngx_stream_ssl_preread_merge_srv_conf   /* merge server configuration */
0071 };
0072 
0073 
0074 ngx_module_t  ngx_stream_ssl_preread_module = {
0075     NGX_MODULE_V1,
0076     &ngx_stream_ssl_preread_module_ctx,     /* module context */
0077     ngx_stream_ssl_preread_commands,        /* module directives */
0078     NGX_STREAM_MODULE,                      /* module type */
0079     NULL,                                   /* init master */
0080     NULL,                                   /* init module */
0081     NULL,                                   /* init process */
0082     NULL,                                   /* init thread */
0083     NULL,                                   /* exit thread */
0084     NULL,                                   /* exit process */
0085     NULL,                                   /* exit master */
0086     NGX_MODULE_V1_PADDING
0087 };
0088 
0089 
0090 static ngx_stream_variable_t  ngx_stream_ssl_preread_vars[] = {
0091 
0092     { ngx_string("ssl_preread_protocol"), NULL,
0093       ngx_stream_ssl_preread_protocol_variable, 0, 0, 0 },
0094 
0095     { ngx_string("ssl_preread_server_name"), NULL,
0096       ngx_stream_ssl_preread_server_name_variable, 0, 0, 0 },
0097 
0098     { ngx_string("ssl_preread_alpn_protocols"), NULL,
0099       ngx_stream_ssl_preread_alpn_protocols_variable, 0, 0, 0 },
0100 
0101       ngx_stream_null_variable
0102 };
0103 
0104 
0105 static ngx_int_t
0106 ngx_stream_ssl_preread_handler(ngx_stream_session_t *s)
0107 {
0108     u_char                             *last, *p;
0109     size_t                              len;
0110     ngx_int_t                           rc;
0111     ngx_connection_t                   *c;
0112     ngx_stream_ssl_preread_ctx_t       *ctx;
0113     ngx_stream_ssl_preread_srv_conf_t  *sscf;
0114 
0115     c = s->connection;
0116 
0117     ngx_log_debug0(NGX_LOG_DEBUG_STREAM, c->log, 0, "ssl preread handler");
0118 
0119     sscf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_preread_module);
0120 
0121     if (!sscf->enabled) {
0122         return NGX_DECLINED;
0123     }
0124 
0125     if (c->type != SOCK_STREAM) {
0126         return NGX_DECLINED;
0127     }
0128 
0129     if (c->buffer == NULL) {
0130         return NGX_AGAIN;
0131     }
0132 
0133     ctx = ngx_stream_get_module_ctx(s, ngx_stream_ssl_preread_module);
0134     if (ctx == NULL) {
0135         ctx = ngx_pcalloc(c->pool, sizeof(ngx_stream_ssl_preread_ctx_t));
0136         if (ctx == NULL) {
0137             return NGX_ERROR;
0138         }
0139 
0140         ngx_stream_set_ctx(s, ctx, ngx_stream_ssl_preread_module);
0141 
0142         ctx->pool = c->pool;
0143         ctx->log = c->log;
0144         ctx->pos = c->buffer->pos;
0145     }
0146 
0147     p = ctx->pos;
0148     last = c->buffer->last;
0149 
0150     while (last - p >= 5) {
0151 
0152         if ((p[0] & 0x80) && p[2] == 1 && (p[3] == 0 || p[3] == 3)) {
0153             ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
0154                            "ssl preread: version 2 ClientHello");
0155             ctx->version[0] = p[3];
0156             ctx->version[1] = p[4];
0157             return NGX_OK;
0158         }
0159 
0160         if (p[0] != 0x16) {
0161             ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
0162                            "ssl preread: not a handshake");
0163             ngx_stream_set_ctx(s, NULL, ngx_stream_ssl_preread_module);
0164             return NGX_DECLINED;
0165         }
0166 
0167         if (p[1] != 3) {
0168             ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
0169                            "ssl preread: unsupported SSL version");
0170             ngx_stream_set_ctx(s, NULL, ngx_stream_ssl_preread_module);
0171             return NGX_DECLINED;
0172         }
0173 
0174         len = (p[3] << 8) + p[4];
0175 
0176         /* read the whole record before parsing */
0177         if ((size_t) (last - p) < len + 5) {
0178             break;
0179         }
0180 
0181         p += 5;
0182 
0183         rc = ngx_stream_ssl_preread_parse_record(ctx, p, p + len);
0184 
0185         if (rc == NGX_DECLINED) {
0186             ngx_stream_set_ctx(s, NULL, ngx_stream_ssl_preread_module);
0187             return NGX_DECLINED;
0188         }
0189 
0190         if (rc != NGX_AGAIN) {
0191             return rc;
0192         }
0193 
0194         p += len;
0195     }
0196 
0197     ctx->pos = p;
0198 
0199     return NGX_AGAIN;
0200 }
0201 
0202 
0203 static ngx_int_t
0204 ngx_stream_ssl_preread_parse_record(ngx_stream_ssl_preread_ctx_t *ctx,
0205     u_char *pos, u_char *last)
0206 {
0207     size_t   left, n, size, ext;
0208     u_char  *dst, *p;
0209 
0210     enum {
0211         sw_start = 0,
0212         sw_header,          /* handshake msg_type, length */
0213         sw_version,         /* client_version */
0214         sw_random,          /* random */
0215         sw_sid_len,         /* session_id length */
0216         sw_sid,             /* session_id */
0217         sw_cs_len,          /* cipher_suites length */
0218         sw_cs,              /* cipher_suites */
0219         sw_cm_len,          /* compression_methods length */
0220         sw_cm,              /* compression_methods */
0221         sw_ext,             /* extension */
0222         sw_ext_header,      /* extension_type, extension_data length */
0223         sw_sni_len,         /* SNI length */
0224         sw_sni_host_head,   /* SNI name_type, host_name length */
0225         sw_sni_host,        /* SNI host_name */
0226         sw_alpn_len,        /* ALPN length */
0227         sw_alpn_proto_len,  /* ALPN protocol_name length */
0228         sw_alpn_proto_data, /* ALPN protocol_name */
0229         sw_supver_len       /* supported_versions length */
0230     } state;
0231 
0232     ngx_log_debug2(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
0233                    "ssl preread: state %ui left %z", ctx->state, ctx->left);
0234 
0235     state = ctx->state;
0236     size = ctx->size;
0237     left = ctx->left;
0238     ext = ctx->ext;
0239     dst = ctx->dst;
0240     p = ctx->buf;
0241 
0242     for ( ;; ) {
0243         n = ngx_min((size_t) (last - pos), size);
0244 
0245         if (dst) {
0246             dst = ngx_cpymem(dst, pos, n);
0247         }
0248 
0249         pos += n;
0250         size -= n;
0251         left -= n;
0252 
0253         if (size != 0) {
0254             break;
0255         }
0256 
0257         switch (state) {
0258 
0259         case sw_start:
0260             state = sw_header;
0261             dst = p;
0262             size = 4;
0263             left = size;
0264             break;
0265 
0266         case sw_header:
0267             if (p[0] != 1) {
0268                 ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
0269                                "ssl preread: not a client hello");
0270                 return NGX_DECLINED;
0271             }
0272 
0273             state = sw_version;
0274             dst = ctx->version;
0275             size = 2;
0276             left = (p[1] << 16) + (p[2] << 8) + p[3];
0277             break;
0278 
0279         case sw_version:
0280             state = sw_random;
0281             dst = NULL;
0282             size = 32;
0283             break;
0284 
0285         case sw_random:
0286             state = sw_sid_len;
0287             dst = p;
0288             size = 1;
0289             break;
0290 
0291         case sw_sid_len:
0292             state = sw_sid;
0293             dst = NULL;
0294             size = p[0];
0295             break;
0296 
0297         case sw_sid:
0298             state = sw_cs_len;
0299             dst = p;
0300             size = 2;
0301             break;
0302 
0303         case sw_cs_len:
0304             state = sw_cs;
0305             dst = NULL;
0306             size = (p[0] << 8) + p[1];
0307             break;
0308 
0309         case sw_cs:
0310             state = sw_cm_len;
0311             dst = p;
0312             size = 1;
0313             break;
0314 
0315         case sw_cm_len:
0316             state = sw_cm;
0317             dst = NULL;
0318             size = p[0];
0319             break;
0320 
0321         case sw_cm:
0322             if (left == 0) {
0323                 /* no extensions */
0324                 return NGX_OK;
0325             }
0326 
0327             state = sw_ext;
0328             dst = p;
0329             size = 2;
0330             break;
0331 
0332         case sw_ext:
0333             if (left == 0) {
0334                 return NGX_OK;
0335             }
0336 
0337             state = sw_ext_header;
0338             dst = p;
0339             size = 4;
0340             break;
0341 
0342         case sw_ext_header:
0343             if (p[0] == 0 && p[1] == 0 && ctx->host.data == NULL) {
0344                 /* SNI extension */
0345                 state = sw_sni_len;
0346                 dst = p;
0347                 size = 2;
0348                 break;
0349             }
0350 
0351             if (p[0] == 0 && p[1] == 16 && ctx->alpn.data == NULL) {
0352                 /* ALPN extension */
0353                 state = sw_alpn_len;
0354                 dst = p;
0355                 size = 2;
0356                 break;
0357             }
0358 
0359             if (p[0] == 0 && p[1] == 43) {
0360                 /* supported_versions extension */
0361                 state = sw_supver_len;
0362                 dst = p;
0363                 size = 1;
0364                 break;
0365             }
0366 
0367             state = sw_ext;
0368             dst = NULL;
0369             size = (p[2] << 8) + p[3];
0370             break;
0371 
0372         case sw_sni_len:
0373             ext = (p[0] << 8) + p[1];
0374             state = sw_sni_host_head;
0375             dst = p;
0376             size = 3;
0377             break;
0378 
0379         case sw_sni_host_head:
0380             if (p[0] != 0) {
0381                 ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
0382                                "ssl preread: SNI hostname type is not DNS");
0383                 return NGX_DECLINED;
0384             }
0385 
0386             size = (p[1] << 8) + p[2];
0387 
0388             if (ext < 3 + size) {
0389                 ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
0390                                "ssl preread: SNI format error");
0391                 return NGX_DECLINED;
0392             }
0393             ext -= 3 + size;
0394 
0395             ctx->host.data = ngx_pnalloc(ctx->pool, size);
0396             if (ctx->host.data == NULL) {
0397                 return NGX_ERROR;
0398             }
0399 
0400             state = sw_sni_host;
0401             dst = ctx->host.data;
0402             break;
0403 
0404         case sw_sni_host:
0405             ctx->host.len = (p[1] << 8) + p[2];
0406 
0407             ngx_log_debug1(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
0408                            "ssl preread: SNI hostname \"%V\"", &ctx->host);
0409 
0410             state = sw_ext;
0411             dst = NULL;
0412             size = ext;
0413             break;
0414 
0415         case sw_alpn_len:
0416             ext = (p[0] << 8) + p[1];
0417 
0418             ctx->alpn.data = ngx_pnalloc(ctx->pool, ext);
0419             if (ctx->alpn.data == NULL) {
0420                 return NGX_ERROR;
0421             }
0422 
0423             state = sw_alpn_proto_len;
0424             dst = p;
0425             size = 1;
0426             break;
0427 
0428         case sw_alpn_proto_len:
0429             size = p[0];
0430 
0431             if (size == 0) {
0432                 ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
0433                                "ssl preread: ALPN empty protocol");
0434                 return NGX_DECLINED;
0435             }
0436 
0437             if (ext < 1 + size) {
0438                 ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
0439                                "ssl preread: ALPN format error");
0440                 return NGX_DECLINED;
0441             }
0442             ext -= 1 + size;
0443 
0444             state = sw_alpn_proto_data;
0445             dst = ctx->alpn.data + ctx->alpn.len;
0446             break;
0447 
0448         case sw_alpn_proto_data:
0449             ctx->alpn.len += p[0];
0450 
0451             ngx_log_debug1(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
0452                            "ssl preread: ALPN protocols \"%V\"", &ctx->alpn);
0453 
0454             if (ext) {
0455                 ctx->alpn.data[ctx->alpn.len++] = ',';
0456 
0457                 state = sw_alpn_proto_len;
0458                 dst = p;
0459                 size = 1;
0460                 break;
0461             }
0462 
0463             state = sw_ext;
0464             dst = NULL;
0465             size = 0;
0466             break;
0467 
0468         case sw_supver_len:
0469             ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
0470                            "ssl preread: supported_versions");
0471 
0472             /* set TLSv1.3 */
0473             ctx->version[0] = 3;
0474             ctx->version[1] = 4;
0475 
0476             state = sw_ext;
0477             dst = NULL;
0478             size = p[0];
0479             break;
0480         }
0481 
0482         if (left < size) {
0483             ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
0484                            "ssl preread: failed to parse handshake");
0485             return NGX_DECLINED;
0486         }
0487     }
0488 
0489     ctx->state = state;
0490     ctx->size = size;
0491     ctx->left = left;
0492     ctx->ext = ext;
0493     ctx->dst = dst;
0494 
0495     return NGX_AGAIN;
0496 }
0497 
0498 
0499 static ngx_int_t
0500 ngx_stream_ssl_preread_protocol_variable(ngx_stream_session_t *s,
0501     ngx_variable_value_t *v, uintptr_t data)
0502 {
0503     ngx_str_t                      version;
0504     ngx_stream_ssl_preread_ctx_t  *ctx;
0505 
0506     ctx = ngx_stream_get_module_ctx(s, ngx_stream_ssl_preread_module);
0507 
0508     if (ctx == NULL) {
0509         v->not_found = 1;
0510         return NGX_OK;
0511     }
0512 
0513     /* SSL_get_version() format */
0514 
0515     ngx_str_null(&version);
0516 
0517     switch (ctx->version[0]) {
0518     case 0:
0519         switch (ctx->version[1]) {
0520         case 2:
0521             ngx_str_set(&version, "SSLv2");
0522             break;
0523         }
0524         break;
0525     case 3:
0526         switch (ctx->version[1]) {
0527         case 0:
0528             ngx_str_set(&version, "SSLv3");
0529             break;
0530         case 1:
0531             ngx_str_set(&version, "TLSv1");
0532             break;
0533         case 2:
0534             ngx_str_set(&version, "TLSv1.1");
0535             break;
0536         case 3:
0537             ngx_str_set(&version, "TLSv1.2");
0538             break;
0539         case 4:
0540             ngx_str_set(&version, "TLSv1.3");
0541             break;
0542         }
0543     }
0544 
0545     v->valid = 1;
0546     v->no_cacheable = 0;
0547     v->not_found = 0;
0548     v->len = version.len;
0549     v->data = version.data;
0550 
0551     return NGX_OK;
0552 }
0553 
0554 
0555 static ngx_int_t
0556 ngx_stream_ssl_preread_server_name_variable(ngx_stream_session_t *s,
0557     ngx_variable_value_t *v, uintptr_t data)
0558 {
0559     ngx_stream_ssl_preread_ctx_t  *ctx;
0560 
0561     ctx = ngx_stream_get_module_ctx(s, ngx_stream_ssl_preread_module);
0562 
0563     if (ctx == NULL) {
0564         v->not_found = 1;
0565         return NGX_OK;
0566     }
0567 
0568     v->valid = 1;
0569     v->no_cacheable = 0;
0570     v->not_found = 0;
0571     v->len = ctx->host.len;
0572     v->data = ctx->host.data;
0573 
0574     return NGX_OK;
0575 }
0576 
0577 
0578 static ngx_int_t
0579 ngx_stream_ssl_preread_alpn_protocols_variable(ngx_stream_session_t *s,
0580     ngx_variable_value_t *v, uintptr_t data)
0581 {
0582     ngx_stream_ssl_preread_ctx_t  *ctx;
0583 
0584     ctx = ngx_stream_get_module_ctx(s, ngx_stream_ssl_preread_module);
0585 
0586     if (ctx == NULL) {
0587         v->not_found = 1;
0588         return NGX_OK;
0589     }
0590 
0591     v->valid = 1;
0592     v->no_cacheable = 0;
0593     v->not_found = 0;
0594     v->len = ctx->alpn.len;
0595     v->data = ctx->alpn.data;
0596 
0597     return NGX_OK;
0598 }
0599 
0600 
0601 static ngx_int_t
0602 ngx_stream_ssl_preread_add_variables(ngx_conf_t *cf)
0603 {
0604     ngx_stream_variable_t  *var, *v;
0605 
0606     for (v = ngx_stream_ssl_preread_vars; v->name.len; v++) {
0607         var = ngx_stream_add_variable(cf, &v->name, v->flags);
0608         if (var == NULL) {
0609             return NGX_ERROR;
0610         }
0611 
0612         var->get_handler = v->get_handler;
0613         var->data = v->data;
0614     }
0615 
0616     return NGX_OK;
0617 }
0618 
0619 
0620 static void *
0621 ngx_stream_ssl_preread_create_srv_conf(ngx_conf_t *cf)
0622 {
0623     ngx_stream_ssl_preread_srv_conf_t  *conf;
0624 
0625     conf = ngx_pcalloc(cf->pool, sizeof(ngx_stream_ssl_preread_srv_conf_t));
0626     if (conf == NULL) {
0627         return NULL;
0628     }
0629 
0630     conf->enabled = NGX_CONF_UNSET;
0631 
0632     return conf;
0633 }
0634 
0635 
0636 static char *
0637 ngx_stream_ssl_preread_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
0638 {
0639     ngx_stream_ssl_preread_srv_conf_t *prev = parent;
0640     ngx_stream_ssl_preread_srv_conf_t *conf = child;
0641 
0642     ngx_conf_merge_value(conf->enabled, prev->enabled, 0);
0643 
0644     return NGX_CONF_OK;
0645 }
0646 
0647 
0648 static ngx_int_t
0649 ngx_stream_ssl_preread_init(ngx_conf_t *cf)
0650 {
0651     ngx_stream_handler_pt        *h;
0652     ngx_stream_core_main_conf_t  *cmcf;
0653 
0654     cmcf = ngx_stream_conf_get_module_main_conf(cf, ngx_stream_core_module);
0655 
0656     h = ngx_array_push(&cmcf->phases[NGX_STREAM_PREREAD_PHASE].handlers);
0657     if (h == NULL) {
0658         return NGX_ERROR;
0659     }
0660 
0661     *h = ngx_stream_ssl_preread_handler;
0662 
0663     return NGX_OK;
0664 }