
Update nginx Strict-SNI Patch

Hakase 1 week ago
parent
commit
f9e90d2843
Signed by: Hakase <hakase@hakase.app> GPG Key ID: BB2821A9E0DF48C9
1 changed files with 211 additions and 0 deletions
  1. 211
    0
      nginx_strict-sni_1.15.10.patch

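--- /dev/null
+++ b/nginx_strict-sni_1.15.10.patch
@@ -0,0 +1,211 @@
+diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
+index bee264c9..f4b7deec 100644
+--- a/src/event/ngx_event_openssl.c
++++ b/src/event/ngx_event_openssl.c
+@@ -2818,6 +2818,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
+     char *text)
+ {
+     int         n;
++#if (defined SSL_R_CALLBACK_FAILED && defined SSL_F_FINAL_SERVER_NAME)
++    int         f;
++#endif
+     ngx_uint_t  level;
+ 
+     level = NGX_LOG_CRIT;
+@@ -2854,6 +2857,24 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
+ 
+         n = ERR_GET_REASON(ERR_peek_error());
+ 
++        /* Strict SNI Error Patch
++         * https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427040319
++         * https://github.com/hakasenyang/openssl-patch/issues/7#issuecomment-427872934
++         */
++#if (defined SSL_R_CALLBACK_FAILED && defined SSL_F_FINAL_SERVER_NAME)
++        if (n == SSL_R_CALLBACK_FAILED) {
++            f = ERR_GET_FUNC(ERR_peek_error());
++            if (f == SSL_F_FINAL_SERVER_NAME) {
++                while (ERR_peek_error()) {
++                    ngx_ssl_error(NGX_LOG_DEBUG, c->log, 0,
++                                  "ignoring ssl error at STRICT SNI block");
++                }
++                ERR_clear_error();
++                return;
++            }
++        }
++#endif
++
+             /* handshake failures */
+         if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC                        /*  103 */
+ #ifdef SSL_R_NO_SUITABLE_KEY_SHARE
+diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
+index 5e7152f0..45b271f5 100644
+--- a/src/http/ngx_http_core_module.c
++++ b/src/http/ngx_http_core_module.c
+@@ -441,6 +441,20 @@ static ngx_command_t  ngx_http_core_commands[] = {
+       offsetof(ngx_http_core_loc_conf_t, directio_alignment),
+       NULL },
+ 
++    { ngx_string("strict_sni"),
++      NGX_HTTP_MAIN_CONF|NGX_CONF_FLAG,
++      ngx_conf_set_flag_slot,
++      NGX_HTTP_LOC_CONF_OFFSET,
++      offsetof(ngx_http_core_loc_conf_t, strict_sni),
++      NULL },
++
++    { ngx_string("strict_sni_header"),
++      NGX_HTTP_MAIN_CONF|NGX_CONF_FLAG,
++      ngx_conf_set_flag_slot,
++      NGX_HTTP_LOC_CONF_OFFSET,
++      offsetof(ngx_http_core_loc_conf_t, strict_sni_header),
++      NULL },
++
+     { ngx_string("tcp_nopush"),
+       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+       ngx_conf_set_flag_slot,
+@@ -3395,6 +3409,8 @@ ngx_http_core_create_loc_conf(ngx_conf_t *cf)
+     clcf->read_ahead = NGX_CONF_UNSET_SIZE;
+     clcf->directio = NGX_CONF_UNSET;
+     clcf->directio_alignment = NGX_CONF_UNSET;
++    clcf->strict_sni = NGX_CONF_UNSET;
++    clcf->strict_sni_header = NGX_CONF_UNSET;
+     clcf->tcp_nopush = NGX_CONF_UNSET;
+     clcf->tcp_nodelay = NGX_CONF_UNSET;
+     clcf->send_timeout = NGX_CONF_UNSET_MSEC;
+@@ -3623,6 +3639,8 @@ ngx_http_core_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
+                               NGX_OPEN_FILE_DIRECTIO_OFF);
+     ngx_conf_merge_off_value(conf->directio_alignment, prev->directio_alignment,
+                               512);
++    ngx_conf_merge_value(conf->strict_sni, prev->strict_sni, 0);
++    ngx_conf_merge_value(conf->strict_sni_header, prev->strict_sni_header, 0);
+     ngx_conf_merge_value(conf->tcp_nopush, prev->tcp_nopush, 0);
+     ngx_conf_merge_value(conf->tcp_nodelay, prev->tcp_nodelay, 1);
+ 
+diff --git a/src/http/ngx_http_core_module.h b/src/http/ngx_http_core_module.h
+index 4c6da7c0..04e14d09 100644
+--- a/src/http/ngx_http_core_module.h
++++ b/src/http/ngx_http_core_module.h
+@@ -382,6 +382,8 @@ struct ngx_http_core_loc_conf_s {
+     ngx_flag_t    sendfile;                /* sendfile */
+     ngx_flag_t    aio;                     /* aio */
+     ngx_flag_t    aio_write;               /* aio_write */
++    ngx_flag_t    strict_sni;              /* strict_sni */
++    ngx_flag_t    strict_sni_header;       /* strict_sni_header */
+     ngx_flag_t    tcp_nopush;              /* tcp_nopush */
+     ngx_flag_t    tcp_nodelay;             /* tcp_nodelay */
+     ngx_flag_t    reset_timedout_connection; /* reset_timedout_connection */
+diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
+index 80c19656..26b7de81 100644
+--- a/src/http/ngx_http_request.c
++++ b/src/http/ngx_http_request.c
+@@ -866,6 +866,10 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+ 
+     c = ngx_ssl_get_connection(ssl_conn);
+ 
++    hc = c->data;
++
++    clcf = ngx_http_get_module_loc_conf(hc->conf_ctx, ngx_http_core_module);
++
+     if (c->ssl->handshaked) {
+         *ad = SSL_AD_NO_RENEGOTIATION;
+         return SSL_TLSEXT_ERR_ALERT_FATAL;
+@@ -874,7 +878,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+     servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
+ 
+     if (servername == NULL) {
+-        return SSL_TLSEXT_ERR_OK;
++        return (clcf->strict_sni) ? SSL_TLSEXT_ERR_ALERT_FATAL : SSL_TLSEXT_ERR_OK;
+     }
+ 
+     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+@@ -883,7 +887,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+     host.len = ngx_strlen(servername);
+ 
+     if (host.len == 0) {
+-        return SSL_TLSEXT_ERR_OK;
++        return (clcf->strict_sni) ? SSL_TLSEXT_ERR_ALERT_FATAL : SSL_TLSEXT_ERR_OK;
+     }
+ 
+     host.data = (u_char *) servername;
+@@ -899,8 +903,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+         return SSL_TLSEXT_ERR_OK;
+     }
+ 
+-    hc = c->data;
+-
+     rc = ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host,
+                                       NULL, &cscf);
+ 
+@@ -910,7 +912,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+     }
+ 
+     if (rc == NGX_DECLINED) {
+-        return SSL_TLSEXT_ERR_OK;
++        return (clcf->strict_sni) ? SSL_TLSEXT_ERR_ALERT_FATAL : SSL_TLSEXT_ERR_OK;
+     }
+ 
+     hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
+@@ -923,8 +925,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+ 
+     hc->conf_ctx = cscf->ctx;
+ 
+-    clcf = ngx_http_get_module_loc_conf(hc->conf_ctx, ngx_http_core_module);
+-
+     ngx_set_connection_log(c, clcf->error_log);
+ 
+     sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
+@@ -1037,15 +1037,18 @@ failed:
+ static void
+ ngx_http_process_request_line(ngx_event_t *rev)
+ {
+-    ssize_t              n;
+-    ngx_int_t            rc, rv;
+-    ngx_str_t            host;
+-    ngx_connection_t    *c;
+-    ngx_http_request_t  *r;
++    ssize_t                    n;
++    ngx_int_t                  rc, rv;
++    ngx_str_t                  host;
++    ngx_connection_t          *c;
++    ngx_http_core_loc_conf_t  *clcf;
++    ngx_http_request_t        *r;
+ 
+     c = rev->data;
+     r = c->data;
+ 
++    clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
++
+     ngx_log_debug0(NGX_LOG_DEBUG_HTTP, rev->log, 0,
+                    "http process request line");
+ 
+@@ -1161,10 +1164,10 @@ ngx_http_process_request_line(ngx_event_t *rev)
+                           ngx_http_client_errors[rc - NGX_HTTP_CLIENT_ERROR]);
+ 
+             if (rc == NGX_HTTP_PARSE_INVALID_VERSION) {
+-                ngx_http_finalize_request(r, NGX_HTTP_VERSION_NOT_SUPPORTED);
++                (r->http_connection->ssl && clcf->strict_sni && clcf->strict_sni_header) ? ngx_http_terminate_request(r, 0) : ngx_http_finalize_request(r, NGX_HTTP_VERSION_NOT_SUPPORTED);
+ 
+             } else {
+-                ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
++                (r->http_connection->ssl && clcf->strict_sni && clcf->strict_sni_header) ? ngx_http_terminate_request(r, 0) : ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+             }
+ 
+             break;
+@@ -1909,6 +1912,9 @@ ngx_http_process_multi_header_lines(ngx_http_request_t *r, ngx_table_elt_t *h,
+ ngx_int_t
+ ngx_http_process_request_header(ngx_http_request_t *r)
+ {
++    ngx_http_core_loc_conf_t  *clcf;
++    clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
++
+     if (r->headers_in.server.len == 0
+         && ngx_http_set_virtual_server(r, &r->headers_in.server)
+            == NGX_ERROR)
+@@ -1919,7 +1925,7 @@ ngx_http_process_request_header(ngx_http_request_t *r)
+     if (r->headers_in.host == NULL && r->http_version > NGX_HTTP_VERSION_10) {
+         ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                    "client sent HTTP/1.1 request without \"Host\" header");
+-        ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
++        (r->http_connection->ssl && clcf->strict_sni && clcf->strict_sni_header) ? ngx_http_terminate_request(r, 0) : ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+         return NGX_ERROR;
+     }
+ 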
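Review bot: The `ngx_http_ssl_servername` hunk at `@@ -923,8 +925,6 @@` drops the re-fetch of `clcf` after `hc->conf_ctx = cscf->ctx;`, so `ngx_set_connection_log(c, clcf->error_log);` now uses the `clcf` taken from the pre-SNI `hc->conf_ctx` at the top of the callback rather than the virtual server just selected; as far as this hunk shows, the matched server's `error_log` is no longer applied to the connection, which is a silent regression in what gets logged for that client. Keep the early fetch for the `strict_sni` checks but restore `clcf = ngx_http_get_module_loc_conf(hc->conf_ctx, ngx_http_core_module);` immediately after the `hc->conf_ctx = cscf->ctx;` line. The three new `SSL_TLSEXT_ERR_ALERT_FATAL` returns also leave `*ad` untouched, unlike the renegotiation path above them which sets it explicitly; the alert the peer sees then depends on OpenSSL's default for this callback, so consider `*ad = SSL_AD_UNRECOGNIZED_NAME;` before each strict return to make the intent explicit. The `ngx_http_process_request_line`/`ngx_http_process_request_header` changes use a ternary whose two arms are void calls as a statement; a plain `if (...) { ngx_http_terminate_request(r, 0); } else { ngx_http_finalize_request(r, ...); }` would match nginx style and keep the lines under the usual width. `ngx_http_ssl_servername` and both request-processing functions start and end outside these hunks.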
