blob: a236fc5551dd6c54d2f692ec5f08617a67535b4d [file] [log] [blame]
/*
* Copyright (C) Nginx, Inc.
*/
#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_stream.h>
typedef struct {
ngx_flag_t enabled;
} ngx_stream_ssl_preread_srv_conf_t;
typedef struct {
size_t left;
size_t size;
size_t ext;
u_char *pos;
u_char *dst;
u_char buf[4];
u_char version[2];
ngx_str_t host;
ngx_str_t alpn;
ngx_log_t *log;
ngx_pool_t *pool;
ngx_uint_t state;
} ngx_stream_ssl_preread_ctx_t;
static ngx_int_t ngx_stream_ssl_preread_handler(ngx_stream_session_t *s);
static ngx_int_t ngx_stream_ssl_preread_parse_record(
ngx_stream_ssl_preread_ctx_t *ctx, u_char *pos, u_char *last);
static ngx_int_t ngx_stream_ssl_preread_protocol_variable(
ngx_stream_session_t *s, ngx_stream_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_stream_ssl_preread_server_name_variable(
ngx_stream_session_t *s, ngx_stream_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_stream_ssl_preread_alpn_protocols_variable(
ngx_stream_session_t *s, ngx_stream_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_stream_ssl_preread_add_variables(ngx_conf_t *cf);
static void *ngx_stream_ssl_preread_create_srv_conf(ngx_conf_t *cf);
static char *ngx_stream_ssl_preread_merge_srv_conf(ngx_conf_t *cf, void *parent,
void *child);
static ngx_int_t ngx_stream_ssl_preread_init(ngx_conf_t *cf);
static ngx_command_t ngx_stream_ssl_preread_commands[] = {
{ ngx_string("ssl_preread"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
ngx_conf_set_flag_slot,
NGX_STREAM_SRV_CONF_OFFSET,
offsetof(ngx_stream_ssl_preread_srv_conf_t, enabled),
NULL },
ngx_null_command
};
static ngx_stream_module_t ngx_stream_ssl_preread_module_ctx = {
ngx_stream_ssl_preread_add_variables, /* preconfiguration */
ngx_stream_ssl_preread_init, /* postconfiguration */
NULL, /* create main configuration */
NULL, /* init main configuration */
ngx_stream_ssl_preread_create_srv_conf, /* create server configuration */
ngx_stream_ssl_preread_merge_srv_conf /* merge server configuration */
};
ngx_module_t ngx_stream_ssl_preread_module = {
NGX_MODULE_V1,
&ngx_stream_ssl_preread_module_ctx, /* module context */
ngx_stream_ssl_preread_commands, /* module directives */
NGX_STREAM_MODULE, /* module type */
NULL, /* init master */
NULL, /* init module */
NULL, /* init process */
NULL, /* init thread */
NULL, /* exit thread */
NULL, /* exit process */
NULL, /* exit master */
NGX_MODULE_V1_PADDING
};
static ngx_stream_variable_t ngx_stream_ssl_preread_vars[] = {
{ ngx_string("ssl_preread_protocol"), NULL,
ngx_stream_ssl_preread_protocol_variable, 0, 0, 0 },
{ ngx_string("ssl_preread_server_name"), NULL,
ngx_stream_ssl_preread_server_name_variable, 0, 0, 0 },
{ ngx_string("ssl_preread_alpn_protocols"), NULL,
ngx_stream_ssl_preread_alpn_protocols_variable, 0, 0, 0 },
ngx_stream_null_variable
};
static ngx_int_t
ngx_stream_ssl_preread_handler(ngx_stream_session_t *s)
{
u_char *last, *p;
size_t len;
ngx_int_t rc;
ngx_connection_t *c;
ngx_stream_ssl_preread_ctx_t *ctx;
ngx_stream_ssl_preread_srv_conf_t *sscf;
c = s->connection;
ngx_log_debug0(NGX_LOG_DEBUG_STREAM, c->log, 0, "ssl preread handler");
sscf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_preread_module);
if (!sscf->enabled) {
return NGX_DECLINED;
}
if (c->type != SOCK_STREAM) {
return NGX_DECLINED;
}
if (c->buffer == NULL) {
return NGX_AGAIN;
}
ctx = ngx_stream_get_module_ctx(s, ngx_stream_ssl_preread_module);
if (ctx == NULL) {
ctx = ngx_pcalloc(c->pool, sizeof(ngx_stream_ssl_preread_ctx_t));
if (ctx == NULL) {
return NGX_ERROR;
}
ngx_stream_set_ctx(s, ctx, ngx_stream_ssl_preread_module);
ctx->pool = c->pool;
ctx->log = c->log;
ctx->pos = c->buffer->pos;
}
p = ctx->pos;
last = c->buffer->last;
while (last - p >= 5) {
if ((p[0] & 0x80) && p[2] == 1 && (p[3] == 0 || p[3] == 3)) {
ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
"ssl preread: version 2 ClientHello");
ctx->version[0] = p[3];
ctx->version[1] = p[4];
return NGX_OK;
}
if (p[0] != 0x16) {
ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
"ssl preread: not a handshake");
ngx_stream_set_ctx(s, NULL, ngx_stream_ssl_preread_module);
return NGX_DECLINED;
}
if (p[1] != 3) {
ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
"ssl preread: unsupported SSL version");
ngx_stream_set_ctx(s, NULL, ngx_stream_ssl_preread_module);
return NGX_DECLINED;
}
len = (p[3] << 8) + p[4];
/* read the whole record before parsing */
if ((size_t) (last - p) < len + 5) {
break;
}
p += 5;
rc = ngx_stream_ssl_preread_parse_record(ctx, p, p + len);
if (rc == NGX_DECLINED) {
ngx_stream_set_ctx(s, NULL, ngx_stream_ssl_preread_module);
return NGX_DECLINED;
}
if (rc != NGX_AGAIN) {
return rc;
}
p += len;
}
ctx->pos = p;
return NGX_AGAIN;
}
static ngx_int_t
ngx_stream_ssl_preread_parse_record(ngx_stream_ssl_preread_ctx_t *ctx,
u_char *pos, u_char *last)
{
size_t left, n, size, ext;
u_char *dst, *p;
enum {
sw_start = 0,
sw_header, /* handshake msg_type, length */
sw_version, /* client_version */
sw_random, /* random */
sw_sid_len, /* session_id length */
sw_sid, /* session_id */
sw_cs_len, /* cipher_suites length */
sw_cs, /* cipher_suites */
sw_cm_len, /* compression_methods length */
sw_cm, /* compression_methods */
sw_ext, /* extension */
sw_ext_header, /* extension_type, extension_data length */
sw_sni_len, /* SNI length */
sw_sni_host_head, /* SNI name_type, host_name length */
sw_sni_host, /* SNI host_name */
sw_alpn_len, /* ALPN length */
sw_alpn_proto_len, /* ALPN protocol_name length */
sw_alpn_proto_data, /* ALPN protocol_name */
sw_supver_len /* supported_versions length */
} state;
ngx_log_debug2(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
"ssl preread: state %ui left %z", ctx->state, ctx->left);
state = ctx->state;
size = ctx->size;
left = ctx->left;
ext = ctx->ext;
dst = ctx->dst;
p = ctx->buf;
for ( ;; ) {
n = ngx_min((size_t) (last - pos), size);
if (dst) {
dst = ngx_cpymem(dst, pos, n);
}
pos += n;
size -= n;
left -= n;
if (size != 0) {
break;
}
switch (state) {
case sw_start:
state = sw_header;
dst = p;
size = 4;
left = size;
break;
case sw_header:
if (p[0] != 1) {
ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
"ssl preread: not a client hello");
return NGX_DECLINED;
}
state = sw_version;
dst = ctx->version;
size = 2;
left = (p[1] << 16) + (p[2] << 8) + p[3];
break;
case sw_version:
state = sw_random;
dst = NULL;
size = 32;
break;
case sw_random:
state = sw_sid_len;
dst = p;
size = 1;
break;
case sw_sid_len:
state = sw_sid;
dst = NULL;
size = p[0];
break;
case sw_sid:
state = sw_cs_len;
dst = p;
size = 2;
break;
case sw_cs_len:
state = sw_cs;
dst = NULL;
size = (p[0] << 8) + p[1];
break;
case sw_cs:
state = sw_cm_len;
dst = p;
size = 1;
break;
case sw_cm_len:
state = sw_cm;
dst = NULL;
size = p[0];
break;
case sw_cm:
if (left == 0) {
/* no extensions */
return NGX_OK;
}
state = sw_ext;
dst = p;
size = 2;
break;
case sw_ext:
if (left == 0) {
return NGX_OK;
}
state = sw_ext_header;
dst = p;
size = 4;
break;
case sw_ext_header:
if (p[0] == 0 && p[1] == 0 && ctx->host.data == NULL) {
/* SNI extension */
state = sw_sni_len;
dst = p;
size = 2;
break;
}
if (p[0] == 0 && p[1] == 16 && ctx->alpn.data == NULL) {
/* ALPN extension */
state = sw_alpn_len;
dst = p;
size = 2;
break;
}
if (p[0] == 0 && p[1] == 43) {
/* supported_versions extension */
state = sw_supver_len;
dst = p;
size = 1;
break;
}
state = sw_ext;
dst = NULL;
size = (p[2] << 8) + p[3];
break;
case sw_sni_len:
ext = (p[0] << 8) + p[1];
state = sw_sni_host_head;
dst = p;
size = 3;
break;
case sw_sni_host_head:
if (p[0] != 0) {
ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
"ssl preread: SNI hostname type is not DNS");
return NGX_DECLINED;
}
size = (p[1] << 8) + p[2];
if (ext < 3 + size) {
ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
"ssl preread: SNI format error");
return NGX_DECLINED;
}
ext -= 3 + size;
ctx->host.data = ngx_pnalloc(ctx->pool, size);
if (ctx->host.data == NULL) {
return NGX_ERROR;
}
state = sw_sni_host;
dst = ctx->host.data;
break;
case sw_sni_host:
ctx->host.len = (p[1] << 8) + p[2];
ngx_log_debug1(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
"ssl preread: SNI hostname \"%V\"", &ctx->host);
state = sw_ext;
dst = NULL;
size = ext;
break;
case sw_alpn_len:
ext = (p[0] << 8) + p[1];
ctx->alpn.data = ngx_pnalloc(ctx->pool, ext);
if (ctx->alpn.data == NULL) {
return NGX_ERROR;
}
state = sw_alpn_proto_len;
dst = p;
size = 1;
break;
case sw_alpn_proto_len:
size = p[0];
if (size == 0) {
ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
"ssl preread: ALPN empty protocol");
return NGX_DECLINED;
}
if (ext < 1 + size) {
ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
"ssl preread: ALPN format error");
return NGX_DECLINED;
}
ext -= 1 + size;
state = sw_alpn_proto_data;
dst = ctx->alpn.data + ctx->alpn.len;
break;
case sw_alpn_proto_data:
ctx->alpn.len += p[0];
ngx_log_debug1(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
"ssl preread: ALPN protocols \"%V\"", &ctx->alpn);
if (ext) {
ctx->alpn.data[ctx->alpn.len++] = ',';
state = sw_alpn_proto_len;
dst = p;
size = 1;
break;
}
state = sw_ext;
dst = NULL;
size = 0;
break;
case sw_supver_len:
ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
"ssl preread: supported_versions");
/* set TLSv1.3 */
ctx->version[0] = 3;
ctx->version[1] = 4;
state = sw_ext;
dst = NULL;
size = p[0];
break;
}
if (left < size) {
ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
"ssl preread: failed to parse handshake");
return NGX_DECLINED;
}
}
ctx->state = state;
ctx->size = size;
ctx->left = left;
ctx->ext = ext;
ctx->dst = dst;
return NGX_AGAIN;
}
static ngx_int_t
ngx_stream_ssl_preread_protocol_variable(ngx_stream_session_t *s,
ngx_variable_value_t *v, uintptr_t data)
{
ngx_str_t version;
ngx_stream_ssl_preread_ctx_t *ctx;
ctx = ngx_stream_get_module_ctx(s, ngx_stream_ssl_preread_module);
if (ctx == NULL) {
v->not_found = 1;
return NGX_OK;
}
/* SSL_get_version() format */
ngx_str_null(&version);
switch (ctx->version[0]) {
case 0:
switch (ctx->version[1]) {
case 2:
ngx_str_set(&version, "SSLv2");
break;
}
break;
case 3:
switch (ctx->version[1]) {
case 0:
ngx_str_set(&version, "SSLv3");
break;
case 1:
ngx_str_set(&version, "TLSv1");
break;
case 2:
ngx_str_set(&version, "TLSv1.1");
break;
case 3:
ngx_str_set(&version, "TLSv1.2");
break;
case 4:
ngx_str_set(&version, "TLSv1.3");
break;
}
}
v->valid = 1;
v->no_cacheable = 0;
v->not_found = 0;
v->len = version.len;
v->data = version.data;
return NGX_OK;
}
static ngx_int_t
ngx_stream_ssl_preread_server_name_variable(ngx_stream_session_t *s,
ngx_variable_value_t *v, uintptr_t data)
{
ngx_stream_ssl_preread_ctx_t *ctx;
ctx = ngx_stream_get_module_ctx(s, ngx_stream_ssl_preread_module);
if (ctx == NULL) {
v->not_found = 1;
return NGX_OK;
}
v->valid = 1;
v->no_cacheable = 0;
v->not_found = 0;
v->len = ctx->host.len;
v->data = ctx->host.data;
return NGX_OK;
}
static ngx_int_t
ngx_stream_ssl_preread_alpn_protocols_variable(ngx_stream_session_t *s,
ngx_variable_value_t *v, uintptr_t data)
{
ngx_stream_ssl_preread_ctx_t *ctx;
ctx = ngx_stream_get_module_ctx(s, ngx_stream_ssl_preread_module);
if (ctx == NULL) {
v->not_found = 1;
return NGX_OK;
}
v->valid = 1;
v->no_cacheable = 0;
v->not_found = 0;
v->len = ctx->alpn.len;
v->data = ctx->alpn.data;
return NGX_OK;
}
static ngx_int_t
ngx_stream_ssl_preread_add_variables(ngx_conf_t *cf)
{
ngx_stream_variable_t *var, *v;
for (v = ngx_stream_ssl_preread_vars; v->name.len; v++) {
var = ngx_stream_add_variable(cf, &v->name, v->flags);
if (var == NULL) {
return NGX_ERROR;
}
var->get_handler = v->get_handler;
var->data = v->data;
}
return NGX_OK;
}
static void *
ngx_stream_ssl_preread_create_srv_conf(ngx_conf_t *cf)
{
ngx_stream_ssl_preread_srv_conf_t *conf;
conf = ngx_pcalloc(cf->pool, sizeof(ngx_stream_ssl_preread_srv_conf_t));
if (conf == NULL) {
return NULL;
}
conf->enabled = NGX_CONF_UNSET;
return conf;
}
static char *
ngx_stream_ssl_preread_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
{
ngx_stream_ssl_preread_srv_conf_t *prev = parent;
ngx_stream_ssl_preread_srv_conf_t *conf = child;
ngx_conf_merge_value(conf->enabled, prev->enabled, 0);
return NGX_CONF_OK;
}
static ngx_int_t
ngx_stream_ssl_preread_init(ngx_conf_t *cf)
{
ngx_stream_handler_pt *h;
ngx_stream_core_main_conf_t *cmcf;
cmcf = ngx_stream_conf_get_module_main_conf(cf, ngx_stream_core_module);
h = ngx_array_push(&cmcf->phases[NGX_STREAM_PREREAD_PHASE].handlers);
if (h == NULL) {
return NGX_ERROR;
}
*h = ngx_stream_ssl_preread_handler;
return NGX_OK;
}