SSL: Add optional custom extension parsing.

src/core/nginx.h

@@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define nginx_version      1027002
-#define NGINX_VERSION      "1.27.2"
+#define nginx_version      1027003
+#define NGINX_VERSION      "1.27.3"
 #define NGINX_VER          "nginx/" NGINX_VERSION
 
 #ifdef NGX_BUILD

src/event/ngx_event_openssl.c

@@ -130,6 +130,16 @@ int  ngx_ssl_ticket_keys_index;
 int  ngx_ssl_ocsp_index;
 int  ngx_ssl_index;
 int  ngx_ssl_certificate_name_index;
+int  ngx_ssl_stapling_index;
+int  ngx_ssl_custom_extension_index;
+
+
+void free_custom_extension_data(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp) {
+    char *extension_data = (char *)ptr;
+    if (extension_data) {
+        free(extension_data);
+    }
+}
 
 
 ngx_int_t
@@ -215,6 +225,13 @@ ngx_ssl_init(ngx_log_t *log)
     }
 #endif
 
+    ngx_ssl_custom_extension_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, free_custom_extension_data);
+
+    if (ngx_ssl_custom_extension_index == -1) {
+        ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed");
+        return NGX_ERROR;
+    }
+
     ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
 
     if (ngx_ssl_connection_index == -1) {
@@ -4911,6 +4928,26 @@ ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern)
 #endif
 
 
+ngx_int_t
+ngx_ssl_get_custom_extension(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{    
+    SSL *ssl = c->ssl->connection;
+    if (ssl == NULL) {
+        return NGX_ERROR;
+    }
+
+    const char * extension_data;
+    extension_data = (const char *)SSL_get_ex_data(ssl, ngx_ssl_custom_extension_index);
+    if (extension_data == NULL){
+        extension_data = "";
+    }
+    s->data = (u_char *)extension_data;
+    s->len = strlen(extension_data);
+
+    return NGX_OK;
+}
+
+
 ngx_int_t
 ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {

src/event/ngx_event_openssl.h

@@ -277,6 +277,8 @@ ngx_ssl_session_t *ngx_ssl_get0_session(ngx_connection_t *c);
 ngx_int_t ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name);
 
 
+ngx_int_t ngx_ssl_get_custom_extension(ngx_connection_t *c, ngx_pool_t *pool,
+    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
 ngx_int_t ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool,
@@ -348,6 +350,8 @@ extern int  ngx_ssl_ticket_keys_index;
 extern int  ngx_ssl_ocsp_index;
 extern int  ngx_ssl_index;
 extern int  ngx_ssl_certificate_name_index;
+extern int  ngx_ssl_stapling_index;
+extern int  ngx_ssl_custom_extension_index;
 
 
 #endif /* _NGX_EVENT_OPENSSL_H_INCLUDED_ */

src/event/quic/ngx_event_quic_ack.c

@@ -631,13 +631,12 @@ ngx_quic_resend_frames(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
         case NGX_QUIC_FT_STREAM:
             qs = ngx_quic_find_stream(&qc->streams.tree, f->u.stream.stream_id);
 
-            if (qs) {
-                if (qs->send_state == NGX_QUIC_STREAM_SEND_RESET_SENT
-                    || qs->send_state == NGX_QUIC_STREAM_SEND_RESET_RECVD)
-                {
-                    ngx_quic_free_frame(c, f);
-                    break;
-                }
+            if (qs == NULL
+                || qs->send_state == NGX_QUIC_STREAM_SEND_RESET_SENT
+                || qs->send_state == NGX_QUIC_STREAM_SEND_RESET_RECVD)
+            {
+                ngx_quic_free_frame(c, f);
+                break;
             }
 
             /* fall through */

src/http/modules/ngx_http_ssl_module.c

@@ -36,13 +36,16 @@ static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
     ngx_http_variable_value_t *v, uintptr_t data);
 
 static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf);
+static ngx_int_t ngx_http_ssl_add_variable(ngx_conf_t *cf, ngx_http_variable_t  *v);
+
 static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf);
 static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
     void *parent, void *child);
 
 static ngx_int_t ngx_http_ssl_compile_certificates(ngx_conf_t *cf,
     ngx_http_ssl_srv_conf_t *conf);
 
+static char *ngx_conf_set_custom_extension(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
 static char *ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
     void *conf);
 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
@@ -290,6 +293,13 @@ static ngx_command_t  ngx_http_ssl_commands[] = {
       offsetof(ngx_http_ssl_srv_conf_t, reject_handshake),
       NULL },
 
+    { ngx_string("ssl_custom_extension"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE2,
+      ngx_conf_set_custom_extension,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_ssl_srv_conf_t, custom_extension_type),
+      NULL },
+
       ngx_null_command
 };
 
@@ -584,6 +594,23 @@ ngx_http_ssl_add_variables(ngx_conf_t *cf)
 }
 
 
+static ngx_int_t
+ngx_http_ssl_add_variable(ngx_conf_t *cf, ngx_http_variable_t  *v)
+{
+    ngx_http_variable_t  *var;
+
+    var = ngx_http_add_variable(cf, &v->name, v->flags);
+    if (var == NULL) {
+        return NGX_ERROR;
+    }
+
+    var->get_handler = v->get_handler;
+    var->data = v->data;
+
+    return NGX_OK;
+}
+
+
 static void *
 ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
 {
@@ -629,11 +656,28 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
     sscf->ocsp_cache_zone = NGX_CONF_UNSET_PTR;
     sscf->stapling = NGX_CONF_UNSET;
     sscf->stapling_verify = NGX_CONF_UNSET;
+    sscf->custom_extension_type = NGX_CONF_UNSET_UINT;
 
     return sscf;
 }
 
 
+static int
+parse_custom_extension_callback(SSL *ssl, unsigned int ext_type, unsigned int context,
+                        const unsigned char *in, size_t inlen, X509 *x,
+                        size_t chainidx, int *al, void *parse_arg) {
+    char *extension_data = malloc(inlen + 1);
+    if (extension_data == NULL) {
+        return 0;
+    }
+    memcpy(extension_data, in, inlen);
+    extension_data[inlen] = '\0';
+    SSL_set_ex_data(ssl, ngx_ssl_custom_extension_index, extension_data);
+
+    return 1;
+}
+
+
 static char *
 ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
 {
@@ -725,6 +769,19 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
 
     cln->handler = ngx_ssl_cleanup_ctx;
     cln->data = &conf->ssl;
+
+    if(conf->custom_extension_type != NGX_CONF_UNSET_UINT){
+        SSL_CTX_add_custom_ext(
+            conf->ssl.ctx,
+            conf->custom_extension_type,
+            SSL_EXT_CLIENT_HELLO,    
+            NULL,
+            NULL,
+            NULL,
+            parse_custom_extension_callback,
+            NULL
+        );
+    }
 
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 
@@ -986,6 +1043,42 @@ ngx_http_ssl_compile_certificates(ngx_conf_t *cf,
 }
 
 
+static char *
+ngx_conf_set_custom_extension(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+    char  *p = conf;
+    ngx_int_t   *extension_type;
+    ngx_str_t   var_name, *value;
+
+    extension_type = (ngx_int_t *) (p + cmd->offset);
+
+    if (*extension_type != NGX_CONF_UNSET) {
+        return "is duplicate";
+    }
+
+    value = cf->args->elts;
+
+    *extension_type = ngx_atoi(value[1].data, value[1].len);
+    if (*extension_type == NGX_ERROR) {
+        return "invalid number";
+    }
+
+    var_name = value[2];
+
+    ngx_http_variable_t  var = { 
+        var_name,
+        NULL,
+        ngx_http_ssl_variable,
+        (uintptr_t) ngx_ssl_get_custom_extension,
+        NGX_HTTP_VAR_CHANGEABLE,
+        0
+    };
+    ngx_http_ssl_add_variable(cf, &var);
+
+    return NGX_CONF_OK;
+}
+
+
 static char *
 ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
 {

src/http/modules/ngx_http_ssl_module.h

@@ -62,6 +62,7 @@ typedef struct {
     ngx_flag_t                      stapling_verify;
     ngx_str_t                       stapling_file;
     ngx_str_t                       stapling_responder;
+    ngx_uint_t                      custom_extension_type;
 } ngx_http_ssl_srv_conf_t;