-
Notifications
You must be signed in to change notification settings - Fork 28
/
nginx-1.24.patch
144 lines (125 loc) · 5.18 KB
/
nginx-1.24.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 104e8daf7..e52ffba5b 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1758,6 +1758,29 @@ ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session)
return NGX_OK;
}
+int
+ngx_ssl_client_hello_ja3_cb(SSL *s, int *al, void *arg) {
+ ngx_connection_t *c = arg;
+
+ if (c == NULL) {
+ return 1;
+ }
+
+ if (c->ssl == NULL) {
+ return 1;
+ }
+
+ c->ssl->fp_ja3_data.len = SSL_client_hello_get_ja3_data(c->ssl->connection, NULL);
+
+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "ngx_ssl_client_hello_ja3_cb: alloc %d bytes", c->ssl->fp_ja3_data.len);
+
+ c->ssl->fp_ja3_data.data = ngx_pnalloc(c->pool, c->ssl->fp_ja3_data.len);
+ c->ssl->fp_ja3_data.len = SSL_client_hello_get_ja3_data(c->ssl->connection, c->ssl->fp_ja3_data.data);
+
+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "ngx_ssl_client_hello_ja3_cb: used %d bytes", c->ssl->fp_ja3_data.len);
+
+ return 1;
+}
ngx_int_t
ngx_ssl_handshake(ngx_connection_t *c)
@@ -1778,6 +1801,8 @@ ngx_ssl_handshake(ngx_connection_t *c)
ngx_ssl_clear_error(c->log);
+ SSL_CTX_set_client_hello_cb(c->ssl->session_ctx, ngx_ssl_client_hello_ja3_cb, c);
+
n = SSL_do_handshake(c->ssl->connection);
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 860ea26dd..b64d80ea2 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -120,6 +120,11 @@ struct ngx_ssl_connection_s {
unsigned in_ocsp:1;
unsigned early_preread:1;
unsigned write_blocked:1;
+
+ ngx_str_t fp_ja3_data;
+ ngx_str_t fp_ja3_str;
+ ngx_str_t fp_ja3_hash;
+ uint16_t fp_tls_greased;
};
diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
index ea3f27c07..911808cff 100644
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -332,6 +332,14 @@ ngx_http_v2_init(ngx_event_t *rev)
ngx_add_timer(rev, cscf->client_header_timeout);
}
+ h2c->fp_fingerprinted = 0;
+ h2c->fp_settings.data = ngx_pnalloc(c->pool, 32);
+ h2c->fp_settings.len = 0;
+ h2c->fp_priorities.data = ngx_pnalloc(c->pool, 32);
+ h2c->fp_priorities.len = 0;
+ h2c->fp_pseudoheaders.data = ngx_pnalloc(c->pool, 32);
+ h2c->fp_pseudoheaders.len = 0;
+
c->idle = 1;
ngx_reusable_connection(c, 0);
@@ -1382,6 +1390,14 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos,
}
}
+ if (!h2c->fp_fingerprinted && h2c->fp_priorities.len < 32) {
+ h2c->fp_priorities.data[h2c->fp_priorities.len] = (uint8_t)stream->node->id;
+ h2c->fp_priorities.data[h2c->fp_priorities.len+1] = (uint8_t)excl;
+ h2c->fp_priorities.data[h2c->fp_priorities.len+2] = (uint8_t)depend;
+ h2c->fp_priorities.data[h2c->fp_priorities.len+3] = (uint8_t)(weight-1);
+ h2c->fp_priorities.len += 4;
+ }
+
return ngx_http_v2_state_header_block(h2c, pos, end);
rst_stream:
@@ -1799,6 +1815,9 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos,
}
if (header->name.data[0] == ':') {
+ if (!h2c->fp_fingerprinted && h2c->fp_pseudoheaders.len < 32 && header->name.len > 1)
+ h2c->fp_pseudoheaders.data[h2c->fp_pseudoheaders.len++] = header->name.data[1];
+
rc = ngx_http_v2_pseudo_header(r, header);
if (rc == NGX_OK) {
@@ -2224,6 +2243,12 @@ ngx_http_v2_state_settings_params(ngx_http_v2_connection_t *h2c, u_char *pos,
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0,
"http2 setting %ui:%ui", id, value);
+ if (!h2c->fp_fingerprinted && h2c->fp_settings.len < 32) {
+ h2c->fp_settings.data[h2c->fp_settings.len] = (uint8_t)id;
+ *(uint32_t*)(h2c->fp_settings.data + h2c->fp_settings.len + 1) = (uint32_t)value;
+ h2c->fp_settings.len += 5;
+ }
+
switch (id) {
case NGX_HTTP_V2_INIT_WINDOW_SIZE_SETTING:
@@ -2516,6 +2541,9 @@ ngx_http_v2_state_window_update(ngx_http_v2_connection_t *h2c, u_char *pos,
}
h2c->send_window += window;
+ if (!h2c->fp_fingerprinted) {
+ h2c->fp_windowupdate = window;
+ }
while (!ngx_queue_empty(&h2c->waiting)) {
q = ngx_queue_head(&h2c->waiting);
diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
index 4e252931c..151e58571 100644
--- a/src/http/v2/ngx_http_v2.h
+++ b/src/http/v2/ngx_http_v2.h
@@ -164,6 +164,13 @@ struct ngx_http_v2_connection_s {
unsigned blocked:1;
unsigned goaway:1;
unsigned push_disabled:1;
+
+ unsigned fp_fingerprinted:1;
+ ngx_str_t fp_settings;
+ ngx_uint_t fp_windowupdate;
+ ngx_str_t fp_priorities;
+ ngx_str_t fp_pseudoheaders;
+ ngx_str_t fp_str;
};