Specified variable behavior after typical functional tests. Also off preread module from nginx bootstrap, else error appear

Author: dedok

config

@@ -6,20 +6,21 @@
 ngx_addon_name=ngx_ssl_fingerprint_module
 
 CORE_LIBS="$CORE_LIBS"
-
 CORE_INCS="$CORE_INCS $ngx_addon_dir/src"
 
-STREAM_MODULES="ngx_stream_ssl_fingerprint_preread_module $STREAM_MODULES"
-
 HTTP_MODULES="$HTTP_MODULES ngx_http_ssl_fingerprint_module"
 
-NGX_ADDON_SRCS="$NGX_ADDON_SRCS \
- $ngx_addon_dir/src/nginx_ssl_fingerprint.c \
- $ngx_addon_dir/src/ngx_stream_ssl_fingerprint_preread_module.c \
- $ngx_addon_dir/src/ngx_http_ssl_fingerprint_module.c
- "
+stream_module=""
 
-CFLAGS="$CFLAGS -I$ngx_addon_dir"
+if [ $STREAM_SSL_PREREAD = YES ]; then
+  STREAM_MODULES="ngx_stream_ssl_fingerprint_preread_module $STREAM_MODULES"
+  stream_module="$ngx_addon_dir/src/ngx_stream_ssl_fingerprint_preread_module.c"
+fi
+
+NGX_ADDON_SRCS="$NGX_ADDON_SRCS \
+  $ngx_addon_dir/src/nginx_ssl_fingerprint.c \
+  $ngx_addon_dir/src/ngx_http_ssl_fingerprint_module.c \
+  $stream_module"
 
 have=NGX_JA3_FINGERPRING_MODULE  . auto/have
 

src/nginx_ssl_fingerprint.c

@@ -188,19 +188,33 @@ unsigned char *append_uint32(unsigned char* dst, uint32_t n)
     return dst;
 }
 
+
+/**
+ * Params:
+ *      c and c->ssl should be valid pointers
+ *
+ * Returns:
+ *      NGX_OK - c->ssl->fp_ja3_str is already set
+ *      NGX_ERROR - something went wrong
+ */
 int ngx_ssl_ja3(ngx_connection_t *c)
 {
     u_char *ptr = NULL, *data = NULL;
     size_t num = 0, i;
     uint16_t n, greased = 0;
 
-    if (c == NULL || c->ssl == NULL) {
-        return NGX_DECLINED;
-    }
-
     data = c->ssl->fp_ja3_data.data;
     if (data == NULL) {
-        return NGX_DECLINED;
+        /**
+         *  NOTE:
+         *  If we can't set it in OpenSSL,
+         *  then something defenetly something went wrong.
+         *  Typical production configuration has log level set to error,
+         *  this would help to debug this case, if it happened.
+         */
+        ngx_log_error(NGX_LOG_WARN, c->log, 0,
+                "ngx_ssl_ja3: fp_ja_data == NULL");
+        return NGX_ERROR;
     }
 
     if (c->ssl->fp_ja3_str.data != NULL) {
@@ -212,7 +226,7 @@ int ngx_ssl_ja3(ngx_connection_t *c)
     if (c->ssl->fp_ja3_str.data == NULL) {
         /** Else we break a data stream */
         c->ssl->fp_ja3_str.len = 0;
-        return NGX_DECLINED /** NGX_ERROR? */;
+        return NGX_ERROR;
     }
 
     ngx_log_debug(NGX_LOG_DEBUG_EVENT, c->log, 0, "ngx_ssl_ja3: alloc bytes: [%d]\n", c->ssl->fp_ja3_str.len);
@@ -296,28 +310,33 @@ int ngx_ssl_ja3(ngx_connection_t *c)
     return NGX_OK;
 }
 
+/**
+ * Params:
+ *      c and c->ssl should be valid pointers and tested before.
+ *
+ * Returns:
+ *      NGX_OK - c->ssl->fp_ja3_hash is alread set
+ *      NGX_ERROR - something went wrong
+ */
 int ngx_ssl_ja3_hash(ngx_connection_t *c)
 {
     ngx_md5_t ctx;
     u_char hash_buf[16];
 
-    if (c == NULL
-            || c->ssl == NULL
-            || c->ssl->fp_ja3_hash.len > 0)
-    {
-        return NGX_DECLINED;
+    if (c->ssl->fp_ja3_hash.len > 0) {
+        return NGX_OK;
     }
 
-    if (ngx_ssl_ja3(c) == NGX_DECLINED) {
-        return NGX_DECLINED;
+    if (ngx_ssl_ja3(c) != NGX_OK) {
+        return NGX_ERROR;
     }
 
     c->ssl->fp_ja3_hash.len = 32;
     c->ssl->fp_ja3_hash.data = ngx_pnalloc(c->pool, c->ssl->fp_ja3_hash.len);
     if (c->ssl->fp_ja3_hash.data == NULL) {
-        /** Else we break a stream */
+        /** Else we can break a stream */
         c->ssl->fp_ja3_hash.len = 0;
-        return NGX_DECLINED;
+        return NGX_ERROR;
     }
 
     ngx_log_debug(NGX_LOG_DEBUG_EVENT, c->log, 0, "ngx_ssl_ja3_hash: alloc bytes: [%d]\n", c->ssl->fp_ja3_hash.len);
@@ -330,25 +349,32 @@ int ngx_ssl_ja3_hash(ngx_connection_t *c)
     return NGX_OK;
 }
 
+/**
+ * Params:
+ *      c and h2c should be a valid pointers
+ *
+ * Returns:
+ *      NGX_OK -- h2c->fp_str is set
+ *      NGX_ERROR -- something went wrong
+ */
 int ngx_http2_fingerprint(ngx_connection_t *c, ngx_http_v2_connection_t *h2c)
 {
     unsigned char *pstr = NULL;
     unsigned short n = 0;
     size_t i;
 
-    if (c == NULL || h2c == NULL) {
-        return NGX_DECLINED;
-    }
-
     if (h2c->fp_str.len > 0) {
         return NGX_OK;
     }
 
-    n = 4 + h2c->fp_settings.len * 3 + 10 + h2c->fp_priorities.len * 2 + h2c->fp_pseudoheaders.len * 2;
+    n = 4 + h2c->fp_settings.len * 3
+        + 10 + h2c->fp_priorities.len * 2
+        + h2c->fp_pseudoheaders.len * 2;
+
     h2c->fp_str.data = ngx_pnalloc(c->pool, n);
     if (h2c->fp_str.data == NULL) {
         /** Else we break a stream */
-        return NGX_DECLINED;
+        return NGX_ERROR;
     }
     pstr = h2c->fp_str.data;
 

src/ngx_http_ssl_fingerprint_module.c

@@ -56,18 +56,20 @@ static ngx_int_t
 ngx_http_ssl_greased(ngx_http_request_t *r,
                  ngx_http_variable_value_t *v, uintptr_t data)
 {
-    /* For access.log's map $http2_fingerpring {}:
+    /* For access.log's map $http2_VAR {}:
      * if it's not found, then user could add a defined string */
     v->not_found = 1;
 
-    if (ngx_ssl_ja3(r->connection) != NGX_OK) {
+    if (r->connection->ssl == NULL) {
         return NGX_OK;
     }
 
+    if (ngx_ssl_ja3(r->connection) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
     v->len = 1;
     v->data = (u_char*) (r->connection->ssl->fp_tls_greased ? "1" : "0");
-    v->valid = 1;
-    v->no_cacheable = 1;
     v->not_found = 0;
 
     return NGX_OK;
@@ -77,19 +79,21 @@ static ngx_int_t
 ngx_http_ssl_fingerprint(ngx_http_request_t *r,
                  ngx_http_variable_value_t *v, uintptr_t data)
 {
-    /* For access.log's map $http2_fingerpring {}:
+    /* For access.log's map $VAR {}:
      * if it's not found, then user could add a defined string */
     v->not_found = 1;
 
-    if (ngx_ssl_ja3(r->connection) != NGX_OK) {
+    if (r->connection->ssl == NULL) {
         return NGX_OK;
     }
 
+    if (ngx_ssl_ja3(r->connection) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
     v->data = r->connection->ssl->fp_ja3_str.data;
     v->len = r->connection->ssl->fp_ja3_str.len;
-    v->no_cacheable = 1;
     v->not_found = 0;
-    v->valid = 1;
 
     return NGX_OK;
 }
@@ -98,19 +102,21 @@ static ngx_int_t
 ngx_http_ssl_fingerprint_hash(ngx_http_request_t *r,
                  ngx_http_variable_value_t *v, uintptr_t data)
 {
-    /* For access.log's map $http2_fingerpring {}:
+    /* For access.log's map $VAR {}:
      * if it's not found, then user could add a defined string */
     v->not_found = 1;
 
+    if (r->connection->ssl == NULL) {
+        return NGX_OK;
+    }
+
     if (ngx_ssl_ja3_hash(r->connection) != NGX_OK) {
         return NGX_OK;
     }
 
     v->data = r->connection->ssl->fp_ja3_hash.data;
     v->len = r->connection->ssl->fp_ja3_hash.len;
-    v->no_cacheable = 1;
     v->not_found = 0;
-    v->valid = 1;
 
     return NGX_OK;
 }
@@ -119,7 +125,7 @@ static ngx_int_t
 ngx_http_http2_fingerprint(ngx_http_request_t *r,
                  ngx_http_variable_value_t *v, uintptr_t data)
 {
-    /* For access.log's map $http2_fingerpring {}:
+    /* For access.log's map $VAR {}:
      * if it's not found, then user could add a defined string */
     v->not_found = 1;
 
@@ -130,14 +136,12 @@ ngx_http_http2_fingerprint(ngx_http_request_t *r,
     if (ngx_http2_fingerprint(r->connection, r->stream->connection)
             != NGX_OK)
     {
-        return NGX_OK;
+        return NGX_ERROR;
     }
 
     v->data = r->stream->connection->fp_str.data;
     v->len = r->stream->connection->fp_str.len;
-    v->valid = 1;
     v->not_found = 0;
-    v->no_cacheable = 1;
 
     return NGX_OK;
 }