Merge pull request #12 from fooinha/fix/11

saves ec values to nginx connection

Author: fooinha

COPYRIGHT

@@ -0,0 +1,169 @@
+# Copyright
+
+[TOC]
+
+NGINX
+------
+
+```
+-----------------------------------------------------------------------------
+NGINX License
+
+/* 
+ * Copyright (C) 2002-2016 Igor Sysoev
+ * Copyright (C) 2011-2016 Nginx, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+-----------------------------------------------------------------------------
+```
+
+OpenSSL
+-------
+
+```
+  LICENSE ISSUES
+  ==============
+
+  The OpenSSL toolkit stays under a double license, i.e. both the conditions of
+  the OpenSSL License and the original SSLeay license apply to the toolkit.
+  See below for the actual license texts.
+
+  OpenSSL License
+  ---------------
+
+/* ====================================================================
+ * Copyright (c) 1998-2018 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    [email protected].
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * ([email protected]).  This product includes software written by Tim
+ * Hudson ([email protected]).
+ *
+ */
+
+ Original SSLeay License
+ -----------------------
+
+/* Copyright (C) 1995-1998 Eric Young ([email protected])
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young ([email protected]).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson ([email protected]).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young ([email protected])"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson ([email protected])"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+```

COPYRIGHT.md

@@ -142,6 +142,16 @@ Creating nginx-ssl-ja3
 
 ```
 
+
+
+## Contributors
+
+@**fooinha**  - author
+
+@**Sessa93**
+
+@**bartebor**
+
 ## Fair Warning
 
 **THIS IS NOT PRODUCTION** ready.

README.md

@@ -0,0 +1,162 @@
+diff -r d964b0aee8e7 src/event/ngx_event_openssl.c
+--- a/src/event/ngx_event_openssl.c	Thu May 23 16:49:22 2019 +0300
++++ b/src/event/ngx_event_openssl.c	Sat Jun 01 14:53:52 2019 +0000
+@@ -1588,6 +1588,107 @@
+     return NGX_OK;
+ }
+ 
++/* ----- JA3 HACK START -----------------------------------------------------*/
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++
++void
++ngx_SSL_client_features(ngx_connection_t *c) {
++
++    unsigned short                *ciphers_out = NULL;
++    int                           *curves_out = NULL;
++    int                           *point_formats_out = NULL;
++    size_t                         len = 0;
++    SSL                           *s = NULL;
++
++    if (c == NULL) {
++        return;
++    }
++    s = c->ssl->connection;
++
++    /* Cipher suites */
++    c->ssl->ciphers = NULL;
++    c->ssl->ciphers_sz = SSL_get0_raw_cipherlist(s, &ciphers_out);
++    c->ssl->ciphers_sz /= 2;
++
++    if (c->ssl->ciphers_sz && ciphers_out) {
++        len = c->ssl->ciphers_sz * sizeof(unsigned short);
++        c->ssl->ciphers = ngx_pnalloc(c->pool, len);
++        ngx_memcpy(c->ssl->ciphers, ciphers_out, len);
++    }
++
++    /* Elliptic curve points */
++    c->ssl->curves_sz = SSL_get1_curves(s, NULL);
++    if (c->ssl->curves_sz) {
++        curves_out = OPENSSL_malloc(c->ssl->curves_sz * sizeof(int));
++        if (curves_out != NULL) {
++            SSL_get1_curves(s, curves_out);
++            len = c->ssl->curves_sz * sizeof(unsigned short);
++            c->ssl->curves = ngx_pnalloc(c->pool, len);
++            if (c->ssl->curves != NULL) {
++                for (size_t i = 0; i < c->ssl->curves_sz; i++) {
++                     c->ssl->curves[i] = curves_out[i];
++                }
++            }
++            OPENSSL_free(curves_out);
++        }
++    }
++
++    /* Elliptic curve point formats */
++    c->ssl->point_formats_sz = SSL_get0_ec_point_formats(s, &point_formats_out);
++    if (c->ssl->point_formats_sz && point_formats_out != NULL) {
++        len = c->ssl->point_formats_sz * sizeof(unsigned char);
++        c->ssl->point_formats = ngx_pnalloc(c->pool, len);
++        if (c->ssl->point_formats != NULL) {
++            ngx_memcpy(c->ssl->point_formats, point_formats_out, len);
++        }
++    }
++}
++
++/* should *ALWAYS return 1
++ * # define SSL_CLIENT_HELLO_SUCCESS 1
++ *
++ * otherwise
++ *   A failure in the ClientHello callback terminates the connection.
++ */
++int
++ngx_SSL_early_cb_fn(SSL *s, int *al, void *arg) {
++
++    int                            got_extensions;
++    int                           *ext_out;
++    size_t                         ext_len;
++    ngx_connection_t              *c;
++
++    c = arg;
++
++    if (c == NULL) {
++        return 1;
++    }
++
++    if (c->ssl == NULL) {
++        return 1;
++    }
++
++    c->ssl->extensions_size = 0;
++    c->ssl->extensions = NULL;
++    got_extensions = SSL_client_hello_get1_extensions_present(s,
++                                                       &ext_out,
++                                                       &ext_len);
++    if (got_extensions) {
++        if (ext_out && ext_len) {
++            c->ssl->extensions =
++                ngx_palloc(c->pool, sizeof(int) * ext_len);
++            if (c->ssl->extensions != NULL) {
++                c->ssl->extensions_size = ext_len;
++                ngx_memcpy(c->ssl->extensions, ext_out, sizeof(int) * ext_len);
++                OPENSSL_free(ext_out);
++            }
++        }
++    }
++
++    return 1;
++}
++#endif
++/* ----- JA3 HACK END -------------------------------------------------------*/
+ 
+ ngx_int_t
+ ngx_ssl_handshake(ngx_connection_t *c)
+@@ -1603,6 +1704,10 @@
+ 
+     ngx_ssl_clear_error(c->log);
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++    SSL_CTX_set_client_hello_cb(c->ssl->session_ctx, ngx_SSL_early_cb_fn, c);
++#endif
++
+     n = SSL_do_handshake(c->ssl->connection);
+ 
+     ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
+@@ -1623,6 +1728,12 @@
+ 
+         c->ssl->handshaked = 1;
+ 
++/* ----- JA3 HACK START -----------------------------------------------------*/
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++        ngx_SSL_client_features(c);
++#endif
++/* ----- JA3 HACK END -------------------------------------------------------*/
++
+         c->recv = ngx_ssl_recv;
+         c->send = ngx_ssl_write;
+         c->recv_chain = ngx_ssl_recv_chain;
+diff -r d964b0aee8e7 src/event/ngx_event_openssl.h
+--- a/src/event/ngx_event_openssl.h	Thu May 23 16:49:22 2019 +0300
++++ b/src/event/ngx_event_openssl.h	Sat Jun 01 14:53:52 2019 +0000
+@@ -99,6 +99,23 @@
+     unsigned                    in_early:1;
+     unsigned                    early_preread:1;
+     unsigned                    write_blocked:1;
++
++/* ----- JA3 HACK START -----------------------------------------------------*/
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++
++    size_t                      ciphers_sz;
++    unsigned short             *ciphers;
++
++    size_t                      extensions_size;
++    unsigned short             *extensions;
++
++    size_t                      curves_sz;
++    unsigned short             *curves;
++
++    size_t                      point_formats_sz;
++    unsigned char              *point_formats;
++#endif
++/* ----- JA3 HACK END -------------------------------------------------------*/
+ };
+ 
+ 

patches/nginx.1.17.1.ssl.extensions.patch

@@ -1 +1 @@
-nginx.1.15.9.ssl.extensions.patch
+nginx.1.17.1.ssl.extensions.patch