Supporing the laters versions of: nginx v1.27 patch and openssl v3.4 patch; Fix segfault; speedup sulution by reducting number of allocations per requests;

Author: dedok

patches/nginx-1.27.patch

@@ -0,0 +1,180 @@
+diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
+index 2f68a55de..d069b72ea 100644
+--- a/src/event/ngx_event_openssl.c
++++ b/src/event/ngx_event_openssl.c
+@@ -11,6 +11,7 @@
+ #include <ngx_event.h>
+ 
+ 
++#define NGX_SSL_JA3_BUFFER_SIZE 256 /* = (sizeof(uint16_t) * 128) */
+ #define NGX_SSL_PASSWORD_BUFFER_SIZE  4096
+ 
+ #if (NGX_HAVE_NTLS)
+@@ -1971,6 +1972,40 @@ ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session)
+     return NGX_OK;
+ }
+ 
++int
++ngx_ssl_client_hello_ja3_cb(SSL *s, int *al, void *arg)
++{
++    ngx_connection_t  *c = arg;
++    ngx_str_t         *ja;
++
++    if (c == NULL) {
++        return SSL_CLIENT_HELLO_SUCCESS;
++    }
++
++    if (c->ssl == NULL) {
++        return SSL_CLIENT_HELLO_SUCCESS;
++    }
++
++    ja = &c->ssl->fp_ja3_data;
++    ja->len = NGX_SSL_JA3_BUFFER_SIZE;
++
++    ja->data = ngx_pnalloc(c->pool, c->ssl->fp_ja3_data.len);
++    if (ja->data == NULL) {
++        ja->len = 0;
++        return SSL_CLIENT_HELLO_SUCCESS;
++    }
++
++    ja->len = SSL_client_hello_get_ja3_data(c->ssl->connection, ja->data,
++            NGX_SSL_JA3_BUFFER_SIZE);
++    if (ja->len == 0) {
++        ngx_log_error(NGX_LOG_WARN, c->log, 0, "SSL_client_hello_get_ja3_data "
++                "seems the buffer size is less that number of fileds; "
++                "for this SSL connection can't get a ja3 hash string");
++        ja->data = NULL;
++    }
++
++    return SSL_CLIENT_HELLO_SUCCESS;
++}
+ 
+ ngx_int_t
+ ngx_ssl_handshake(ngx_connection_t *c)
+@@ -1991,6 +2026,9 @@ ngx_ssl_handshake(ngx_connection_t *c)
+ 
+     ngx_ssl_clear_error(c->log);
+ 
++    (void) SSL_CTX_set_client_hello_cb(c->ssl->session_ctx,
++                                ngx_ssl_client_hello_ja3_cb, c);
++
+     n = SSL_do_handshake(c->ssl->connection);
+ 
+     ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
+diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
+index 42a01ce62..c4adc270d 100644
+--- a/src/event/ngx_event_openssl.h
++++ b/src/event/ngx_event_openssl.h
+@@ -129,6 +129,11 @@ struct ngx_ssl_connection_s {
+     unsigned                    in_ocsp:1;
+     unsigned                    early_preread:1;
+     unsigned                    write_blocked:1;
++
++    ngx_str_t                   fp_ja3_data;
++    ngx_str_t                   fp_ja3_str;
++    ngx_str_t                   fp_ja3_hash;
++    uint16_t                    fp_tls_greased;
+ };
+ 
+ 
+diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
+index 0f5bd3de8..1b85e378d 100644
+--- a/src/http/v2/ngx_http_v2.c
++++ b/src/http/v2/ngx_http_v2.c
+@@ -301,6 +301,8 @@ ngx_http_v2_init(ngx_event_t *rev)
+         ngx_add_timer(rev, cscf->client_header_timeout);
+     }
+ 
++    h2c->fp_fingerprinted = 0;
++
+     c->idle = 1;
+     ngx_reusable_connection(c, 0);
+ 
+@@ -1352,6 +1354,14 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos,
+         }
+     }
+ 
++    if (!h2c->fp_fingerprinted && h2c->fp_priorities.len < 32) {
++        h2c->fp_priorities.data[h2c->fp_priorities.len] = (uint8_t)stream->node->id;
++        h2c->fp_priorities.data[h2c->fp_priorities.len+1] = (uint8_t)excl;
++        h2c->fp_priorities.data[h2c->fp_priorities.len+2] = (uint8_t)depend;
++        h2c->fp_priorities.data[h2c->fp_priorities.len+3] = (uint8_t)(weight-1);
++        h2c->fp_priorities.len += 4;
++    }
++
+     return ngx_http_v2_state_header_block(h2c, pos, end);
+ 
+ rst_stream:
+@@ -1775,6 +1785,9 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos,
+     }
+ 
+     if (header->name.data[0] == ':') {
++        if (!h2c->fp_fingerprinted && h2c->fp_pseudoheaders.len < 32 && header->name.len > 1)
++            h2c->fp_pseudoheaders.data[h2c->fp_pseudoheaders.len++] = header->name.data[1];
++
+         rc = ngx_http_v2_pseudo_header(r, header);
+ 
+         if (rc == NGX_OK) {
+@@ -2194,6 +2207,12 @@ ngx_http_v2_state_settings_params(ngx_http_v2_connection_t *h2c, u_char *pos,
+         ngx_log_debug2(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0,
+                        "http2 setting %ui:%ui", id, value);
+ 
++        if (!h2c->fp_fingerprinted && h2c->fp_settings.len < 32) {
++            h2c->fp_settings.data[h2c->fp_settings.len] = (uint8_t)id;
++            *(uint32_t*)(h2c->fp_settings.data + h2c->fp_settings.len + 1)  = (uint32_t)value;
++            h2c->fp_settings.len += 5;
++        }
++
+         switch (id) {
+ 
+         case NGX_HTTP_V2_INIT_WINDOW_SIZE_SETTING:
+@@ -2478,6 +2497,9 @@ ngx_http_v2_state_window_update(ngx_http_v2_connection_t *h2c, u_char *pos,
+     }
+ 
+     h2c->send_window += window;
++    if (!h2c->fp_fingerprinted) {
++        h2c->fp_windowupdate = window;
++    }
+ 
+     while (!ngx_queue_empty(&h2c->waiting)) {
+         q = ngx_queue_head(&h2c->waiting);
+diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
+index 6751b3026..60a68a0fd 100644
+--- a/src/http/v2/ngx_http_v2.h
++++ b/src/http/v2/ngx_http_v2.h
+@@ -17,6 +17,8 @@
+ 
+ #define NGX_HTTP_V2_STATE_BUFFER_SIZE    16
+ 
++#define NGX_FP_V2_BUFFER_SIZE            32
++
+ #define NGX_HTTP_V2_DEFAULT_FRAME_SIZE   (1 << 14)
+ #define NGX_HTTP_V2_MAX_FRAME_SIZE       ((1 << 24) - 1)
+ 
+@@ -121,6 +123,12 @@ typedef struct {
+ } ngx_http_v2_hpack_t;
+ 
+ 
++typedef struct {
++  u_char data[NGX_FP_V2_BUFFER_SIZE];
++  size_t len;
++} ngx_http_v2_fp_fixed_str_t;
++
++
+ struct ngx_http_v2_connection_s {
+     ngx_connection_t                *connection;
+     ngx_http_connection_t           *http_connection;
+@@ -168,6 +176,13 @@ struct ngx_http_v2_connection_s {
+     unsigned                         table_update:1;
+     unsigned                         blocked:1;
+     unsigned                         goaway:1;
++
++    unsigned                         fp_fingerprinted:1;
++    ngx_http_v2_fp_fixed_str_t       fp_settings,
++                                     fp_priorities,
++                                     fp_pseudoheaders;
++    ngx_uint_t                       fp_windowupdate;
++    ngx_str_t                        fp_str;
+ };
+ 
+ 

patches/openssl.openssl-3.4.patch

@@ -0,0 +1,186 @@
+diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
+index 4bab2ac767..9732ece423 100644
+--- a/include/openssl/ssl.h.in
++++ b/include/openssl/ssl.h.in
+@@ -1905,6 +1905,8 @@ size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out);
+ size_t SSL_client_hello_get0_compression_methods(SSL *s,
+                                                  const unsigned char **out);
+ int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen);
++size_t SSL_client_hello_get_ja3_data(SSL *s, unsigned char *data,
++                                     size_t data_size);
+ int SSL_client_hello_get_extension_order(SSL *s, uint16_t *exts,
+                                          size_t *num_exts);
+ int SSL_client_hello_get0_ext(SSL *s, unsigned int type,
+diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
+index 8e9b110bb3..3a2407b0e4 100644
+--- a/include/openssl/tls1.h
++++ b/include/openssl/tls1.h
+@@ -142,6 +142,13 @@ extern "C" {
+ /* ExtensionType value from RFC7627 */
+ # define TLSEXT_TYPE_extended_master_secret      23
+ 
++/* ExtensionType value from RFC6961 */
++# define TLSEXT_TYPE_status_request_v2           17
++/* ExtensionType value from RFC8449 */
++# define TLSEXT_TYPE_record_size_limit           28
++/* ExtensionType value from RFC7639 */
++# define TLSEXT_TYPE_application_settings        17513
++
+ /* ExtensionType value from RFC8879 */
+ # define TLSEXT_TYPE_compress_certificate        27
+ 
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 295b719ff2..429d710fa2 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -6641,6 +6641,101 @@ int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen)
+     return 0;
+ }
+ 
++size_t SSL_client_hello_get_ja3_data(SSL *s, unsigned char *data,
++        size_t data_size)
++{
++    RAW_EXTENSION *ext;
++    PACKET *groups = NULL, *formats = NULL;
++    size_t num = 0, i;
++    unsigned char *ptr = data,
++                  *end = data + data_size;
++    const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
++
++    if (sc == NULL)
++        return 0;
++
++    if (ossl_unlikely(sc->clienthello == NULL || data == NULL
++                /** just checking that we have at least this */
++                || data_size < 128))
++        return 0;
++
++    /* version */
++    *(uint16_t *) ptr = (uint16_t) sc->clienthello->legacy_version;
++    ptr += sizeof(uint16_t);
++
++    num = PACKET_remaining(&sc->clienthello->ciphersuites);
++    *(uint16_t *) ptr = (uint16_t) num;
++    ptr += sizeof(uint16_t);
++
++    if (ossl_unlikely(ptr + num > end))
++        return 0;
++
++    memcpy(ptr, PACKET_data(&sc->clienthello->ciphersuites), num);
++    ptr += num;
++
++    /* extensions */
++    num = 0;
++    for (i = 0; i < sc->clienthello->pre_proc_exts_len; i++) {
++        ext = sc->clienthello->pre_proc_exts + i;
++        if (ext->present)
++            num++;
++    }
++
++    num = num * 2;
++    if (ossl_unlikely((ptr + num + sizeof(uint16_t)) > end))
++        return 0;
++    *(uint16_t*) ptr = (uint16_t) num;
++    ptr += sizeof(uint16_t);
++
++    for (i = 0; i < sc->clienthello->pre_proc_exts_len; i++) {
++        ext = sc->clienthello->pre_proc_exts + i;
++        if (ext->present) {
++            if (ext->received_order >= num)
++                break;
++            if (ext->type == TLSEXT_TYPE_supported_groups)
++                groups = &ext->data;
++            if (ext->type == TLSEXT_TYPE_ec_point_formats)
++                formats = &ext->data;
++            if (ossl_likely(ext->received_order < data_size)) {
++                *(uint16_t*)(ptr + ext->received_order) = (uint16_t) ext->type;
++            }
++        }
++    }
++
++    ptr += num;
++     /* groups */
++    if (groups) {
++        num = PACKET_remaining(groups);
++        if (ossl_unlikely((ptr + num + sizeof(uint16_t)) > end))
++            return 0;
++        memcpy(ptr, PACKET_data(groups), num);
++        *(uint16_t*) ptr = (uint16_t) num;
++        ptr += num;
++    } else {
++        if (ossl_unlikely(ptr + sizeof(uint16_t) > end))
++            return 0;
++        *(uint16_t *) ptr = (uint16_t) 0;
++        ptr += sizeof(uint16_t);
++    }
++
++    /* formats */
++    if (formats) {
++        num = PACKET_remaining(formats);
++        if (ossl_unlikely((ptr + num + sizeof(uint8_t)) > end))
++            return 0;
++        memcpy(ptr, PACKET_data(formats), num);
++        *(uint8_t *) ptr = (uint8_t) num;
++        ptr += num;
++    } else {
++        if (ossl_unlikely(ptr + sizeof(uint8_t) > end))
++            return 0;
++        *(uint8_t *) ptr = (uint8_t) 0;
++        ptr += sizeof(uint8_t);
++    }
++
++    return ptr - data;
++}
++
+ int SSL_client_hello_get_extension_order(SSL *s, uint16_t *exts, size_t *num_exts)
+ {
+     RAW_EXTENSION *ext;
+diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
+index 277be3084d..6b3821737f 100644
+--- a/ssl/ssl_local.h
++++ b/ssl/ssl_local.h
+@@ -701,6 +701,9 @@ typedef enum tlsext_index_en {
+     TLSEXT_IDX_compress_certificate,
+     TLSEXT_IDX_early_data,
+     TLSEXT_IDX_certificate_authorities,
++    TLSEXT_IDX_status_request_v2,
++    TLSEXT_IDX_record_size_limit,
++    TLSEXT_IDX_application_settings,
+     TLSEXT_IDX_padding,
+     TLSEXT_IDX_psk,
+     /* Dummy index - must always be the last entry */
+diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
+index 762c7ac0d4..56d2f5ba60 100644
+--- a/ssl/statem/extensions.c
++++ b/ssl/statem/extensions.c
+@@ -413,6 +413,30 @@ static const EXTENSION_DEFINITION ext_defs[] = {
+         tls_construct_certificate_authorities,
+         tls_construct_certificate_authorities, NULL,
+     },
++    {
++        TLSEXT_TYPE_status_request_v2,
++        SSL_EXT_CLIENT_HELLO,
++        NULL,
++        NULL, NULL,
++        NULL,
++        NULL, NULL,
++    },
++    {
++        TLSEXT_TYPE_record_size_limit,
++        SSL_EXT_CLIENT_HELLO,
++        NULL,
++        NULL, NULL,
++        NULL,
++        NULL, NULL,
++    },
++    {
++        TLSEXT_TYPE_application_settings,
++        SSL_EXT_CLIENT_HELLO,
++        NULL,
++        NULL, NULL,
++        NULL,
++        NULL, NULL,
++    },
+     {
+         /* Must be immediately before pre_shared_key */
+         TLSEXT_TYPE_padding,