From 89d791dbed7cb8ed99cd039c4996fc972ecdb03c Mon Sep 17 00:00:00 2001
From: Gabriel Clima
Date: Fri, 2 May 2025 12:27:54 +0000
Subject: [PATCH 1/4] ngx_http_lua_ffi_ssl_get_client_hello_ext_present() https://github.com/openresty/lua-nginx-module/issues/2413
---
 src/ngx_http_lua_ssl_client_helloby.c | 44 +++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
diff --git a/src/ngx_http_lua_ssl_client_helloby.c b/src/ngx_http_lua_ssl_client_helloby.c
index 9800f7d41f..12710d17eb 100644
--- a/src/ngx_http_lua_ssl_client_helloby.c
+++ b/src/ngx_http_lua_ssl_client_helloby.c
@@ -662,6 +662,50 @@ ngx_http_lua_ffi_ssl_get_client_hello_ext(ngx_http_request_t *r,
 }


+int
+ngx_http_lua_ffi_ssl_get_client_hello_ext_present(ngx_http_request_t *r,
+ int **extensions, size_t *extensions_len, char **err)
+{
+ ngx_ssl_conn_t *ssl_conn;
+ int got_extensions;
+ size_t ext_len;
+ int *ext_out;
+ /* OPENSSL will allocate memory for us and make the ext_out point to it */
+
+
+ if (r->connection == NULL || r->connection->ssl == NULL) {
+ *err = "bad request";
+ return NGX_ERROR;
+ }
+
+ ssl_conn = r->connection->ssl->connection;
+ if (ssl_conn == NULL) {
+ *err = "bad ssl conn";
+ return NGX_ERROR;
+ }
+
+#ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB
+ got_extensions = SSL_client_hello_get1_extensions_present(ssl_conn, &ext_out, &ext_len);
+ if (!got_extensions || !ext_out || !ext_len) {
+ *err = "failed SSL_client_hello_get1_extensions_present()";
+ return NGX_DECLINED;
+ }
+
+ *extensions = ngx_palloc(r->pool, sizeof(int) * ext_len);
+ if (extensions != NULL) {
+ ngx_memcpy(*extensions, ext_out, sizeof(int) * ext_len);
+ *extensions_len = ext_len;
+ }
+
+ OPENSSL_free(ext_out);
+ return NGX_OK;
+#else
+ *err = "OpenSSL too old to support this function";
+ return NGX_ERROR;
+#endif
+}
+
+
 int
 ngx_http_lua_ffi_ssl_set_protocols(ngx_http_request_t *r,
 int protocols, char **err)
From cc7f2e8dd6200b680b0eaf6777f9c6bace3d74b6 Mon Sep 17 00:00:00 2001
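Review bot: Allocation failure has no error path in the new function: nothing after `ngx_palloc()` returns an error, so once the NULL test is corrected (patch 2/4) a failed allocation skips the copy and still reaches `return NGX_OK` with `*extensions` NULL and `*extensions_len` and `*err` never written. The FFI caller then reads a length that was never initialised, so the function should fail explicitly there, freeing `ext_out` first, as in the excerpt below. The hunks in patches 2/4 and 4/4 change the test and the pool but keep this fall-through. Separately, if I read the OpenSSL documentation correctly, a ClientHello that carries no extensions returns success with a NULL array and zero length, which the `!ext_out || !ext_len` test reports as `failed SSL_client_hello_get1_extensions_present()`; a distinct message or an empty result would be easier for callers to tell from a real failure.

```c
    *extensions = ngx_palloc(r->pool, sizeof(int) * ext_len);
    if (*extensions == NULL) {
        OPENSSL_free(ext_out);
        *err = "no memory";
        return NGX_ERROR;
    }

    ngx_memcpy(*extensions, ext_out, sizeof(int) * ext_len);
    *extensions_len = ext_len;
    /* … unchanged: OPENSSL_free(ext_out); return NGX_OK; … */
```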
From: Gabriel Clima
Date: Fri, 2 May 2025 17:49:38 +0300
Subject: [PATCH 2/4] *extensions != NULL
---
 src/ngx_http_lua_ssl_client_helloby.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ngx_http_lua_ssl_client_helloby.c b/src/ngx_http_lua_ssl_client_helloby.c
index 12710d17eb..4b45b10470 100644
--- a/src/ngx_http_lua_ssl_client_helloby.c
+++ b/src/ngx_http_lua_ssl_client_helloby.c
@@ -692,7 +692,7 @@ ngx_http_lua_ffi_ssl_get_client_hello_ext_present(ngx_http_request_t *r,
 }

 *extensions = ngx_palloc(r->pool, sizeof(int) * ext_len);
- if (extensions != NULL) {
+ if (*extensions != NULL) {
 ngx_memcpy(*extensions, ext_out, sizeof(int) * ext_len);
 *extensions_len = ext_len;
 }
From 8e2c0dfc3c4ada95772c0c9362983af58d6eebd7 Mon Sep 17 00:00:00 2001
From: Gabriel Clima
Date: Mon, 5 May 2025 06:45:47 +0000
Subject: [PATCH 3/4] @zhuizhuhaomeng style suggestion
---
 src/ngx_http_lua_ssl_client_helloby.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/ngx_http_lua_ssl_client_helloby.c b/src/ngx_http_lua_ssl_client_helloby.c
index 4b45b10470..985b23f550 100644
--- a/src/ngx_http_lua_ssl_client_helloby.c
+++ b/src/ngx_http_lua_ssl_client_helloby.c
@@ -685,7 +685,8 @@ ngx_http_lua_ffi_ssl_get_client_hello_ext_present(ngx_http_request_t *r,
 }

 #ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB
- got_extensions = SSL_client_hello_get1_extensions_present(ssl_conn, &ext_out, &ext_len);
+ got_extensions = SSL_client_hello_get1_extensions_present(ssl_conn,
+ &ext_out, &ext_len);
 if (!got_extensions || !ext_out || !ext_len) {
 *err = "failed SSL_client_hello_get1_extensions_present()";
 return NGX_DECLINED;
From 35c1131e8ff236978e856a2f2b84bba66a9c8e7e Mon Sep 17 00:00:00 2001
From: Gabriel Clima
Date: Mon, 5 May 2025 08:05:27 +0000
Subject: [PATCH 4/4] use r->connection->pool
---
 src/ngx_http_lua_ssl_client_helloby.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ngx_http_lua_ssl_client_helloby.c b/src/ngx_http_lua_ssl_client_helloby.c
index 985b23f550..26c84345d9 100644
--- a/src/ngx_http_lua_ssl_client_helloby.c
+++ b/src/ngx_http_lua_ssl_client_helloby.c
@@ -692,7 +692,7 @@ ngx_http_lua_ffi_ssl_get_client_hello_ext_present(ngx_http_request_t *r,
 return NGX_DECLINED;
 }

- *extensions = ngx_palloc(r->pool, sizeof(int) * ext_len);
+ *extensions = ngx_palloc(r->connection->pool, sizeof(int) * ext_len);
 if (*extensions != NULL) {
 ngx_memcpy(*extensions, ext_out, sizeof(int) * ext_len);
 *extensions_len = ext_len;
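Review bot: The copy now comes from `r->connection->pool`, and nothing in the visible code releases it before that pool is destroyed, so each call appears to add `sizeof(int) * ext_len` bytes for the rest of the connection, with `ext_len` taken from the peer's ClientHello. If that lifetime is intended (presumably so the array outlives the request object used during the handshake), state it at the allocation, e.g. `/* allocated from the connection pool: valid until the connection closes, never freed individually */`. It would also help to document on the Lua side that the result should be cached rather than fetched repeatedly. The function's signature and the rest of its body lie outside this hunk.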