-
Notifications
You must be signed in to change notification settings - Fork 29
/
Copy pathnginx-1.22.patch
144 lines (125 loc) · 5.18 KB
/
nginx-1.22.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 1e6fc9614..e467b75e6 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1710,6 +1710,29 @@ ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session)
return NGX_OK;
}
+int
+ngx_ssl_client_hello_ja3_cb(SSL *s, int *al, void *arg) {
+ ngx_connection_t *c = arg;
+
+ if (c == NULL) {
+ return 1;
+ }
+
+ if (c->ssl == NULL) {
+ return 1;
+ }
+
+ c->ssl->fp_ja3_data.len = SSL_client_hello_get_ja3_data(c->ssl->connection, NULL);
+
+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "ngx_ssl_client_hello_ja3_cb: alloc %d bytes", c->ssl->fp_ja3_data.len);
+
+ c->ssl->fp_ja3_data.data = ngx_pnalloc(c->pool, c->ssl->fp_ja3_data.len);
+ c->ssl->fp_ja3_data.len = SSL_client_hello_get_ja3_data(c->ssl->connection, c->ssl->fp_ja3_data.data);
+
+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "ngx_ssl_client_hello_ja3_cb: used %d bytes", c->ssl->fp_ja3_data.len);
+
+ return 1;
+}
ngx_int_t
ngx_ssl_handshake(ngx_connection_t *c)
@@ -1730,6 +1753,8 @@ ngx_ssl_handshake(ngx_connection_t *c)
ngx_ssl_clear_error(c->log);
+ SSL_CTX_set_client_hello_cb(c->ssl->session_ctx, ngx_ssl_client_hello_ja3_cb, c);
+
n = SSL_do_handshake(c->ssl->connection);
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index c9e86d9c0..5fb6b3cf3 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -119,6 +119,11 @@ struct ngx_ssl_connection_s {
unsigned in_ocsp:1;
unsigned early_preread:1;
unsigned write_blocked:1;
+
+ ngx_str_t fp_ja3_data;
+ ngx_str_t fp_ja3_str;
+ ngx_str_t fp_ja3_hash;
+ uint16_t fp_tls_greased;
};
diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
index 0e45a7b27..8d8f7dfc2 100644
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -332,6 +332,14 @@ ngx_http_v2_init(ngx_event_t *rev)
ngx_add_timer(rev, cscf->client_header_timeout);
}
+ h2c->fp_fingerprinted = 0;
+ h2c->fp_settings.data = ngx_pnalloc(c->pool, 32);
+ h2c->fp_settings.len = 0;
+ h2c->fp_priorities.data = ngx_pnalloc(c->pool, 32);
+ h2c->fp_priorities.len = 0;
+ h2c->fp_pseudoheaders.data = ngx_pnalloc(c->pool, 32);
+ h2c->fp_pseudoheaders.len = 0;
+
c->idle = 1;
ngx_reusable_connection(c, 0);
@@ -1382,6 +1390,14 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos,
}
}
+ if (!h2c->fp_fingerprinted && h2c->fp_priorities.len < 32) {
+ h2c->fp_priorities.data[h2c->fp_priorities.len] = (uint8_t)stream->node->id;
+ h2c->fp_priorities.data[h2c->fp_priorities.len+1] = (uint8_t)excl;
+ h2c->fp_priorities.data[h2c->fp_priorities.len+2] = (uint8_t)depend;
+ h2c->fp_priorities.data[h2c->fp_priorities.len+3] = (uint8_t)(weight-1);
+ h2c->fp_priorities.len += 4;
+ }
+
return ngx_http_v2_state_header_block(h2c, pos, end);
rst_stream:
@@ -1804,6 +1820,9 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos,
}
if (header->name.data[0] == ':') {
+ if (!h2c->fp_fingerprinted && h2c->fp_pseudoheaders.len < 32 && header->name.len > 1)
+ h2c->fp_pseudoheaders.data[h2c->fp_pseudoheaders.len++] = header->name.data[1];
+
rc = ngx_http_v2_pseudo_header(r, header);
if (rc == NGX_OK) {
@@ -2227,6 +2246,12 @@ ngx_http_v2_state_settings_params(ngx_http_v2_connection_t *h2c, u_char *pos,
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0,
"http2 setting %ui:%ui", id, value);
+ if (!h2c->fp_fingerprinted && h2c->fp_settings.len < 32) {
+ h2c->fp_settings.data[h2c->fp_settings.len] = (uint8_t)id;
+ *(uint32_t*)(h2c->fp_settings.data + h2c->fp_settings.len + 1) = (uint32_t)value;
+ h2c->fp_settings.len += 5;
+ }
+
switch (id) {
case NGX_HTTP_V2_INIT_WINDOW_SIZE_SETTING:
@@ -2519,6 +2544,9 @@ ngx_http_v2_state_window_update(ngx_http_v2_connection_t *h2c, u_char *pos,
}
h2c->send_window += window;
+ if (!h2c->fp_fingerprinted) {
+ h2c->fp_windowupdate = window;
+ }
while (!ngx_queue_empty(&h2c->waiting)) {
q = ngx_queue_head(&h2c->waiting);
diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
index 70ee287ae..c57f4f241 100644
--- a/src/http/v2/ngx_http_v2.h
+++ b/src/http/v2/ngx_http_v2.h
@@ -164,6 +164,13 @@ struct ngx_http_v2_connection_s {
unsigned blocked:1;
unsigned goaway:1;
unsigned push_disabled:1;
+
+ unsigned fp_fingerprinted:1;
+ ngx_str_t fp_settings;
+ ngx_uint_t fp_windowupdate;
+ ngx_str_t fp_priorities;
+ ngx_str_t fp_pseudoheaders;
+ ngx_str_t fp_str;
};