[fooinha#11] - saves ec values to nginx connection

Author: fooinha

patches/nginx.1.15.11.ssl.extensions.patch

@@ -0,0 +1,172 @@
+diff -r -u ./src/event/ngx_event_openssl.c ../../nginx/src/event/ngx_event_openssl.c
+--- ./src/event/ngx_event_openssl.c	2019-03-31 22:24:03.317031000 +0000
++++ ../../nginx/src/event/ngx_event_openssl.c	2019-03-31 22:29:05.000000000 +0000
+@@ -1599,6 +1599,117 @@
+     return NGX_OK;
+ }
+ 
++/* ----- JA3 HACK START -----------------------------------------------------*/
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++
++void
++ngx_SSL_client_features(ngx_connection_t *c) {
++
++    unsigned short                *ciphers_out = NULL;
++    int                           *curves_out = NULL;
++    int                           *point_formats_out = NULL;
++    size_t                         len = 0;
++    SSL                           *s = NULL;
++
++    if (c == NULL) {
++        return;
++    }
++    s = c->ssl->connection;
++
++    /* Cipher suites */
++    c->ssl->ciphers = NULL;
++    c->ssl->ciphers_sz = SSL_get0_raw_cipherlist(s, &ciphers_out);
++    c->ssl->ciphers_sz /= 2;
++
++    if (c->ssl->ciphers_sz && ciphers_out) {
++        len = c->ssl->ciphers_sz * sizeof(unsigned short);
++        c->ssl->ciphers = ngx_pnalloc(c->pool, len);
++        ngx_memcpy(c->ssl->ciphers, ciphers_out, len);
++        OPENSSL_free(ciphers_out);
++    }
++
++    /* Elliptic curve points */
++    c->ssl->curves_sz = SSL_get1_curves(s, NULL);
++    if (c->ssl->curves_sz) {
++        curves_out = OPENSSL_malloc(c->ssl->curves_sz * sizeof(int));
++        if (curves_out != NULL) {
++            SSL_get1_curves(s, curves_out);
++            len = c->ssl->curves_sz * sizeof(unsigned short);
++            c->ssl->curves = ngx_pnalloc(c->pool, len);
++            if (c->ssl->curves != NULL) {
++                for (size_t i = 0; i < c->ssl->curves_sz; i++) {
++                     c->ssl->curves[i] = curves_out[i];
++                }
++            }
++            OPENSSL_free(curves_out);
++        }
++    }
++
++    /* Elliptic curve point formats */
++    c->ssl->point_formats_sz = SSL_get0_ec_point_formats(s, &point_formats_out);
++    if (c->ssl->point_formats_sz && point_formats_out != NULL) {
++        len = c->ssl->point_formats_sz * sizeof(unsigned char);
++        c->ssl->point_formats = ngx_pnalloc(c->pool, len);
++        if (c->ssl->point_formats != NULL) {
++            ngx_memcpy(c->ssl->point_formats, point_formats_out, len);
++        }
++        OPENSSL_free(point_formats_out);
++    }
++}
++
++
++/* should *ALWAYS return 1
++ * # define SSL_CLIENT_HELLO_SUCCESS 1
++ *
++ * otherwise
++ *   A failure in the ClientHello callback terminates the connection.
++ */
++int
++ngx_SSL_early_cb_fn(SSL *s, int *al, void *arg) {
++
++    int                            got_extensions;
++    int                           *ext_out;
++    size_t                         ext_len;
++    ngx_connection_t              *c;
++
++    c = arg;
++
++    if (c == NULL) {
++        return 1;
++    }
++
++    if (c->ssl == NULL) {
++        return 1;
++    }
++
++    c->ssl->version = SSL_version(s);
++
++
++    c->ssl->extensions_size = 0;
++    c->ssl->extensions = NULL;
++
++    got_extensions = SSL_client_hello_get1_extensions_present(s,
++                                                       &ext_out,
++                                                       &ext_len);
++    if (got_extensions) {
++        if (ext_out && ext_len) {
++            c->ssl->extensions =
++                ngx_palloc(c->pool, sizeof(int) * ext_len);
++            if (c->ssl->extensions != NULL) {
++                c->ssl->extensions_size = ext_len;
++                ngx_memcpy(c->ssl->extensions, ext_out, sizeof(int) * ext_len);
++                OPENSSL_free(ext_out);
++            }
++        }
++    }
++
++
++    return 1;
++}
++#endif
++/* ----- JA3 HACK END -------------------------------------------------------*/
++
++
+ 
+ ngx_int_t
+ ngx_ssl_handshake(ngx_connection_t *c)
+@@ -1614,6 +1725,10 @@
+ 
+     ngx_ssl_clear_error(c->log);
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++    SSL_CTX_set_client_hello_cb(c->ssl->session_ctx, ngx_SSL_early_cb_fn, c);
++#endif
++
+     n = SSL_do_handshake(c->ssl->connection);
+ 
+     ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
+@@ -1634,6 +1749,12 @@
+ 
+         c->ssl->handshaked = 1;
+ 
++/* ----- JA3 HACK START -----------------------------------------------------*/
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++        ngx_SSL_client_features(c);
++#endif
++/* ----- JA3 HACK END -------------------------------------------------------*/
++
+         c->recv = ngx_ssl_recv;
+         c->send = ngx_ssl_write;
+         c->recv_chain = ngx_ssl_recv_chain;
+diff -r -u ./src/event/ngx_event_openssl.h ../../nginx/src/event/ngx_event_openssl.h
+--- ./src/event/ngx_event_openssl.h	2019-03-31 22:24:03.297031000 +0000
++++ ../../nginx/src/event/ngx_event_openssl.h	2019-03-31 22:28:22.000000000 +0000
+@@ -99,6 +99,23 @@
+     unsigned                    in_early:1;
+     unsigned                    early_preread:1;
+     unsigned                    write_blocked:1;
++
++/* ----- JA3 HACK START -----------------------------------------------------*/
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++
++    size_t                      ciphers_sz;
++    unsigned short             *ciphers;
++
++    size_t                      extensions_size;
++    unsigned short             *extensions;
++
++    size_t                      curves_sz;
++    unsigned short             *curves;
++
++    size_t                      point_formats_sz;
++    unsigned char              *point_formats;
++#endif
++/* ----- JA3 HACK END -------------------------------------------------------*/
+ };
+ 
+ 

patches/nginx.latest.patch

@@ -1 +1 @@
-nginx.1.15.9.ssl.extensions.patch
+nginx.1.15.11.ssl.extensions.patch

src/ngx_ssl_ja3.c

@@ -134,8 +134,9 @@ ngx_ssl_ja3_detail_print(ngx_pool_t *pool, ngx_ssl_ja3_t *ja3)
                    ja3->ciphers_sz);
 
     for (size_t i = 0; i < ja3->ciphers_sz; ++i) {
-        ngx_log_debug1(NGX_LOG_DEBUG_EVENT,
-                       pool->log, 0, "ssl_ja3: |    cipher: %d",
+        ngx_log_debug2(NGX_LOG_DEBUG_EVENT,
+                       pool->log, 0, "ssl_ja3: |    cipher: 0x%04uxD -> %d",
+                       ja3->ciphers[i],
                        ja3->ciphers[i]
         );
     }
@@ -146,8 +147,9 @@ ngx_ssl_ja3_detail_print(ngx_pool_t *pool, ngx_ssl_ja3_t *ja3)
                    ja3->extensions_sz);
 
     for (size_t i = 0; i < ja3->extensions_sz; ++i) {
-        ngx_log_debug1(NGX_LOG_DEBUG_EVENT,
-                       pool->log, 0, "ssl_ja3: |    extension: %d",
+        ngx_log_debug2(NGX_LOG_DEBUG_EVENT,
+                       pool->log, 0, "ssl_ja3: |    extension: 0x%04uxD -> %d",
+                       ja3->extensions[i],
                        ja3->extensions[i]
         );
     }
@@ -158,8 +160,9 @@ ngx_ssl_ja3_detail_print(ngx_pool_t *pool, ngx_ssl_ja3_t *ja3)
                    ja3->curves_sz);
 
     for (size_t i = 0; i < ja3->curves_sz; ++i) {
-        ngx_log_debug1(NGX_LOG_DEBUG_EVENT,
-                       pool->log, 0, "ssl_ja3: |    curves: %d",
+        ngx_log_debug2(NGX_LOG_DEBUG_EVENT,
+                       pool->log, 0, "ssl_ja3: |    curves: 0x%04uxD -> %d",
+                       ja3->curves[i],
                        ja3->curves[i]
         );
     }
@@ -181,8 +184,7 @@ ngx_ssl_ja3_detail_print(ngx_pool_t *pool, ngx_ssl_ja3_t *ja3)
 void
 ngx_ssl_ja3_fp(ngx_pool_t *pool, ngx_ssl_ja3_t *ja3, ngx_str_t *out)
 {
-    size_t                    len = 0, cur = 0, added = 0;
-    unsigned short            us = 0;
+    size_t                    len = 0, cur = 0;
 
     if (pool == NULL || ja3 == NULL || out == NULL) {
         return;
@@ -231,18 +233,12 @@ ngx_ssl_ja3_fp(ngx_pool_t *pool, ngx_ssl_ja3_t *ja3, ngx_str_t *out)
 
     if (ja3->ciphers_sz) {
         for (size_t i = 0; i < ja3->ciphers_sz; ++i) {
-            us = ntohs(ja3->ciphers[i]);
-            if (!ngx_ssl_ja3_is_ext_greased(us)) {
-                if (added > 0) {
-                    ngx_snprintf(out->data + (cur++), 1, "-");
-                }
-                len = ngx_ssj_ja3_num_digits(us);
-                ngx_snprintf(out->data + cur, len, "%d", us);
-                cur += len;
-                if (added == 0) {
-                    added = 1;
-                }
+            if (i > 0) {
+                ngx_snprintf(out->data + (cur++), 1, "-");
             }
+            len = ngx_ssj_ja3_num_digits(ja3->ciphers[i]);
+            ngx_snprintf(out->data + cur, len, "%d", ja3->ciphers[i]);
+            cur += len;
         }
     }
     ngx_snprintf(out->data + (cur++), 1, ",");
@@ -301,9 +297,6 @@ ngx_ssl_ja3(ngx_connection_t *c, ngx_pool_t *pool, ngx_ssl_ja3_t *ja3) {
 
     ngx_ssl_session_t             *ssl_session;
     SSL                           *ssl;
-    unsigned short                *ciphers_out = NULL;
-    int                           *curves_out = NULL;
-    int                           *point_formats_out = NULL;
     size_t                         len = 0;
     unsigned short                 us = 0;
 
@@ -330,71 +323,59 @@ ngx_ssl_ja3(ngx_connection_t *c, ngx_pool_t *pool, ngx_ssl_ja3_t *ja3) {
 
     /* Cipher suites */
     ja3->ciphers = NULL;
-    ja3->ciphers_sz = SSL_get0_raw_cipherlist(ssl, &ciphers_out);
-    ja3->ciphers_sz /= 2;
+    ja3->ciphers_sz = 0;
 
-    if (ja3->ciphers_sz && ciphers_out) {
-        len = ja3->ciphers_sz * sizeof(unsigned short);
+    if (c->ssl->ciphers && c->ssl->ciphers_sz) {
+        len = c->ssl->ciphers_sz * sizeof(unsigned short);
         ja3->ciphers = ngx_pnalloc(pool, len);
         if (ja3->ciphers == NULL) {
             return NGX_DECLINED;
         }
-        ngx_memcpy(ja3->ciphers, ciphers_out, len);
+        /* Filter out GREASE extensions */
+        for (size_t i = 0; i < c->ssl->ciphers_sz; ++i) {
+            us = ntohs(c->ssl->ciphers[i]);
+            if (! ngx_ssl_ja3_is_ext_greased(us)) {
+                ja3->ciphers[ja3->ciphers_sz++] = us;
+            }
+        }
     }
 
     /* Extensions */
     ja3->extensions = NULL;
     ja3->extensions_sz = 0;
-    if (c->ssl->client_extensions_size && c->ssl->client_extensions) {
-        len = c->ssl->client_extensions_size * sizeof(int);
+    if (c->ssl->extensions_size && c->ssl->extensions) {
+        len = c->ssl->extensions_size * sizeof(int);
         ja3->extensions = ngx_pnalloc(pool, len);
         if (ja3->extensions == NULL) {
             return NGX_DECLINED;
         }
-        for (size_t i = 0; i < c->ssl->client_extensions_size; ++i) {
-            us = ntohs(c->ssl->client_extensions[i]);
-            if (! ngx_ssl_ja3_is_ext_greased(us)) {
-                ja3->extensions[ja3->extensions_sz++] =
-                    c->ssl->client_extensions[i];
+        for (size_t i = 0; i < c->ssl->extensions_size; ++i) {
+            if (! ngx_ssl_ja3_is_ext_greased(c->ssl->extensions[i])) {
+                ja3->extensions[ja3->extensions_sz++] = c->ssl->extensions[i];
             }
         }
     }
 
     /* Elliptic curve points */
-    ja3->curves_sz = SSL_get1_curves(ssl, NULL);
-    if (ja3->curves_sz) {
-        curves_out = OPENSSL_malloc(ja3->curves_sz * sizeof(int));
-        if (curves_out == NULL) {
-            return NGX_DECLINED;
-        }
-
-        SSL_get1_curves(ssl, curves_out);
-
-        len = ja3->curves_sz * sizeof(unsigned short);
+    ja3->curves = c->ssl->curves;
+    ja3->curves_sz = 0;
+    if (c->ssl->curves && c->ssl->curves_sz) {
+        len = c->ssl->curves_sz * sizeof(int);
         ja3->curves = ngx_pnalloc(pool, len);
         if (ja3->curves == NULL) {
             return NGX_DECLINED;
         }
-        for (size_t i = 0; i < ja3->curves_sz; i++) {
-            ja3->curves[i] = ngx_ssl_ja3_nid_to_cid(curves_out[i]);
-        }
-
-        if (curves_out) {
-            OPENSSL_free(curves_out);
+        for (size_t i = 0; i < c->ssl->curves_sz; i++) {
+            us = ntohs(c->ssl->curves[i]);
+            if (! ngx_ssl_ja3_is_ext_greased(us)) {
+                ja3->curves[ja3->curves_sz++] = ngx_ssl_ja3_nid_to_cid(c->ssl->curves[i]);
+            }
         }
     }
 
     /* Elliptic curve point formats */
-    ja3->point_formats_sz = SSL_get0_ec_point_formats(ssl, &point_formats_out);
-    if (ja3->point_formats_sz && point_formats_out != NULL) {
-
-        len = ja3->point_formats_sz * sizeof(unsigned char);
-        ja3->point_formats = ngx_pnalloc(pool, len);
-        if (ja3->point_formats == NULL) {
-            return NGX_DECLINED;
-        }
-        ngx_memcpy(ja3->point_formats, point_formats_out, len);
-    }
+    ja3->point_formats_sz = c->ssl->point_formats_sz;
+    ja3->point_formats = c->ssl->point_formats;
 
     return NGX_OK;
 }

src/ngx_ssl_ja3.h

@@ -35,7 +35,7 @@ typedef struct ngx_ssl_ja3_s {
     unsigned short *ciphers;
 
     size_t          extensions_sz;
-    int            *extensions;
+    unsigned short *extensions;
 
     size_t          curves_sz;
     unsigned short  *curves;