Mercurial > hg > nginx
view src/event/quic/ngx_event_quic_openssl_compat.c @ 9204:631ee3c6d38c
Upstream: fixed usage of closed sockets with filter finalization.
When filter finalization is triggered when working with an upstream server,
and error_page redirects request processing to some simple handler,
ngx_http_request_finalize() triggers request termination when the response
is sent. In particular, via the upstream cleanup handler, nginx will close
the upstream connection and the corresponding socket.
Still, this can happen to be with ngx_event_pipe() on stack. While
the code will set p->downstream_error due to NGX_ERROR returned from the
output filter chain by filter finalization, otherwise the error will be
ignored till control returns to ngx_http_upstream_process_request().
And event pipe might try reading from the (already closed) socket, resulting
in "readv() failed (9: Bad file descriptor) while reading upstream" errors
(or even segfaults with SSL).
Such errors were seen with the following configuration:
location /t2 {
proxy_pass http://127.0.0.1:8080/big;
image_filter_buffer 10m;
image_filter resize 150 100;
error_page 415 = /empty;
}
location /empty {
return 204;
}
location /big {
# big enough static file
}
Fix is to clear p->upstream in ngx_http_upstream_finalize_request(),
and ensure that p->upstream is checked in ngx_event_pipe_read_upstream()
and when handling events at ngx_event_pipe() exit.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 30 Jan 2024 03:20:10 +0300 |
parents | b74f891053c7 |
children |
line wrap: on
line source
/* * Copyright (C) Nginx, Inc. */ #include <ngx_config.h> #include <ngx_core.h> #include <ngx_event.h> #include <ngx_event_quic_connection.h> #if (NGX_QUIC_OPENSSL_COMPAT) #define NGX_QUIC_COMPAT_RECORD_SIZE 1024 #define NGX_QUIC_COMPAT_SSL_TP_EXT 0x39 #define NGX_QUIC_COMPAT_CLIENT_HANDSHAKE "CLIENT_HANDSHAKE_TRAFFIC_SECRET" #define NGX_QUIC_COMPAT_SERVER_HANDSHAKE "SERVER_HANDSHAKE_TRAFFIC_SECRET" #define NGX_QUIC_COMPAT_CLIENT_APPLICATION "CLIENT_TRAFFIC_SECRET_0" #define NGX_QUIC_COMPAT_SERVER_APPLICATION "SERVER_TRAFFIC_SECRET_0" typedef struct { ngx_quic_secret_t secret; ngx_uint_t cipher; } ngx_quic_compat_keys_t; typedef struct { ngx_log_t *log; u_char type; ngx_str_t payload; uint64_t number; ngx_quic_compat_keys_t *keys; enum ssl_encryption_level_t level; } ngx_quic_compat_record_t; struct ngx_quic_compat_s { const SSL_QUIC_METHOD *method; enum ssl_encryption_level_t write_level; uint64_t read_record; ngx_quic_compat_keys_t keys; ngx_str_t tp; ngx_str_t ctp; }; static void ngx_quic_compat_keylog_callback(const SSL *ssl, const char *line); static ngx_int_t ngx_quic_compat_set_encryption_secret(ngx_connection_t *c, ngx_quic_compat_keys_t *keys, enum ssl_encryption_level_t level, const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len); static void ngx_quic_compat_cleanup_encryption_secret(void *data); static int ngx_quic_compat_add_transport_params_callback(SSL *ssl, unsigned int ext_type, unsigned int context, const unsigned char **out, size_t *outlen, X509 *x, size_t chainidx, int *al, void *add_arg); static int ngx_quic_compat_parse_transport_params_callback(SSL *ssl, unsigned int ext_type, unsigned int context, const unsigned char *in, size_t inlen, X509 *x, size_t chainidx, int *al, void *parse_arg); static void ngx_quic_compat_message_callback(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg); static size_t ngx_quic_compat_create_header(ngx_quic_compat_record_t *rec, u_char *out, ngx_uint_t plain); static ngx_int_t ngx_quic_compat_create_record(ngx_quic_compat_record_t *rec, ngx_str_t *res); ngx_int_t ngx_quic_compat_init(ngx_conf_t *cf, SSL_CTX *ctx) { SSL_CTX_set_keylog_callback(ctx, ngx_quic_compat_keylog_callback); if (SSL_CTX_has_client_custom_ext(ctx, NGX_QUIC_COMPAT_SSL_TP_EXT)) { return NGX_OK; } if (SSL_CTX_add_custom_ext(ctx, NGX_QUIC_COMPAT_SSL_TP_EXT, SSL_EXT_CLIENT_HELLO |SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, ngx_quic_compat_add_transport_params_callback, NULL, NULL, ngx_quic_compat_parse_transport_params_callback, NULL) == 0) { ngx_log_error(NGX_LOG_EMERG, cf->log, 0, "SSL_CTX_add_custom_ext() failed"); return NGX_ERROR; } return NGX_OK; } static void ngx_quic_compat_keylog_callback(const SSL *ssl, const char *line) { u_char ch, *p, *start, value; size_t n; ngx_uint_t write; const SSL_CIPHER *cipher; ngx_quic_compat_t *com; ngx_connection_t *c; ngx_quic_connection_t *qc; enum ssl_encryption_level_t level; u_char secret[EVP_MAX_MD_SIZE]; c = ngx_ssl_get_connection(ssl); if (c->type != SOCK_DGRAM) { return; } p = (u_char *) line; for (start = p; *p && *p != ' '; p++); n = p - start; ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic compat secret %*s", n, start); if (n == sizeof(NGX_QUIC_COMPAT_CLIENT_HANDSHAKE) - 1 && ngx_strncmp(start, NGX_QUIC_COMPAT_CLIENT_HANDSHAKE, n) == 0) { level = ssl_encryption_handshake; write = 0; } else if (n == sizeof(NGX_QUIC_COMPAT_SERVER_HANDSHAKE) - 1 && ngx_strncmp(start, NGX_QUIC_COMPAT_SERVER_HANDSHAKE, n) == 0) { level = ssl_encryption_handshake; write = 1; } else if (n == sizeof(NGX_QUIC_COMPAT_CLIENT_APPLICATION) - 1 && ngx_strncmp(start, NGX_QUIC_COMPAT_CLIENT_APPLICATION, n) == 0) { level = ssl_encryption_application; write = 0; } else if (n == sizeof(NGX_QUIC_COMPAT_SERVER_APPLICATION) - 1 && ngx_strncmp(start, NGX_QUIC_COMPAT_SERVER_APPLICATION, n) == 0) { level = ssl_encryption_application; write = 1; } else { return; } if (*p++ == '\0') { return; } for ( /* void */ ; *p && *p != ' '; p++); if (*p++ == '\0') { return; } for (n = 0, start = p; *p; p++) { ch = *p; if (ch >= '0' && ch <= '9') { value = ch - '0'; goto next; } ch = (u_char) (ch | 0x20); if (ch >= 'a' && ch <= 'f') { value = ch - 'a' + 10; goto next; } ngx_log_error(NGX_LOG_EMERG, c->log, 0, "invalid OpenSSL QUIC secret format"); return; next: if ((p - start) % 2) { secret[n++] += value; } else { if (n >= EVP_MAX_MD_SIZE) { ngx_log_error(NGX_LOG_EMERG, c->log, 0, "too big OpenSSL QUIC secret"); return; } secret[n] = (value << 4); } } qc = ngx_quic_get_connection(c); com = qc->compat; cipher = SSL_get_current_cipher(ssl); if (write) { com->method->set_write_secret((SSL *) ssl, level, cipher, secret, n); com->write_level = level; } else { com->method->set_read_secret((SSL *) ssl, level, cipher, secret, n); com->read_record = 0; (void) ngx_quic_compat_set_encryption_secret(c, &com->keys, level, cipher, secret, n); } ngx_explicit_memzero(secret, n); } static ngx_int_t ngx_quic_compat_set_encryption_secret(ngx_connection_t *c, ngx_quic_compat_keys_t *keys, enum ssl_encryption_level_t level, const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len) { ngx_int_t key_len; ngx_str_t secret_str; ngx_uint_t i; ngx_quic_md_t key; ngx_quic_hkdf_t seq[2]; ngx_quic_secret_t *peer_secret; ngx_quic_ciphers_t ciphers; ngx_pool_cleanup_t *cln; peer_secret = &keys->secret; keys->cipher = SSL_CIPHER_get_id(cipher); key_len = ngx_quic_ciphers(keys->cipher, &ciphers); if (key_len == NGX_ERROR) { ngx_ssl_error(NGX_LOG_INFO, c->log, 0, "unexpected cipher"); return NGX_ERROR; } key.len = key_len; peer_secret->iv.len = NGX_QUIC_IV_LEN; secret_str.len = secret_len; secret_str.data = (u_char *) secret; ngx_quic_hkdf_set(&seq[0], "tls13 key", &key, &secret_str); ngx_quic_hkdf_set(&seq[1], "tls13 iv", &peer_secret->iv, &secret_str); for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) { if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, c->log) != NGX_OK) { return NGX_ERROR; } } /* register cleanup handler once */ if (peer_secret->ctx) { ngx_quic_crypto_cleanup(peer_secret); } else { cln = ngx_pool_cleanup_add(c->pool, 0); if (cln == NULL) { return NGX_ERROR; } cln->handler = ngx_quic_compat_cleanup_encryption_secret; cln->data = peer_secret; } if (ngx_quic_crypto_init(ciphers.c, peer_secret, &key, 1, c->log) == NGX_ERROR) { return NGX_ERROR; } ngx_explicit_memzero(key.data, key.len); return NGX_OK; } static void ngx_quic_compat_cleanup_encryption_secret(void *data) { ngx_quic_secret_t *secret = data; ngx_quic_crypto_cleanup(secret); } static int ngx_quic_compat_add_transport_params_callback(SSL *ssl, unsigned int ext_type, unsigned int context, const unsigned char **out, size_t *outlen, X509 *x, size_t chainidx, int *al, void *add_arg) { ngx_connection_t *c; ngx_quic_compat_t *com; ngx_quic_connection_t *qc; c = ngx_ssl_get_connection(ssl); if (c->type != SOCK_DGRAM) { return 0; } ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic compat add transport params"); qc = ngx_quic_get_connection(c); com = qc->compat; *out = com->tp.data; *outlen = com->tp.len; return 1; } static int ngx_quic_compat_parse_transport_params_callback(SSL *ssl, unsigned int ext_type, unsigned int context, const unsigned char *in, size_t inlen, X509 *x, size_t chainidx, int *al, void *parse_arg) { u_char *p; ngx_connection_t *c; ngx_quic_compat_t *com; ngx_quic_connection_t *qc; c = ngx_ssl_get_connection(ssl); if (c->type != SOCK_DGRAM) { return 0; } ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic compat parse transport params"); qc = ngx_quic_get_connection(c); com = qc->compat; p = ngx_pnalloc(c->pool, inlen); if (p == NULL) { return 0; } ngx_memcpy(p, in, inlen); com->ctp.data = p; com->ctp.len = inlen; return 1; } int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method) { BIO *rbio, *wbio; ngx_connection_t *c; ngx_quic_compat_t *com; ngx_quic_connection_t *qc; c = ngx_ssl_get_connection(ssl); ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic compat set method"); qc = ngx_quic_get_connection(c); qc->compat = ngx_pcalloc(c->pool, sizeof(ngx_quic_compat_t)); if (qc->compat == NULL) { return 0; } com = qc->compat; com->method = quic_method; rbio = BIO_new(BIO_s_mem()); if (rbio == NULL) { return 0; } wbio = BIO_new(BIO_s_null()); if (wbio == NULL) { return 0; } SSL_set_bio(ssl, rbio, wbio); SSL_set_msg_callback(ssl, ngx_quic_compat_message_callback); /* early data is not supported */ SSL_set_max_early_data(ssl, 0); return 1; } static void ngx_quic_compat_message_callback(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg) { ngx_uint_t alert; ngx_connection_t *c; ngx_quic_compat_t *com; ngx_quic_connection_t *qc; enum ssl_encryption_level_t level; if (!write_p) { return; } c = ngx_ssl_get_connection(ssl); qc = ngx_quic_get_connection(c); if (qc == NULL) { /* closing */ return; } com = qc->compat; level = com->write_level; switch (content_type) { case SSL3_RT_HANDSHAKE: ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic compat tx %s len:%uz ", ngx_quic_level_name(level), len); if (com->method->add_handshake_data(ssl, level, buf, len) != 1) { goto failed; } break; case SSL3_RT_ALERT: if (len >= 2) { alert = ((u_char *) buf)[1]; ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic compat %s alert:%ui len:%uz ", ngx_quic_level_name(level), alert, len); if (com->method->send_alert(ssl, level, alert) != 1) { goto failed; } } break; } return; failed: ngx_post_event(&qc->close, &ngx_posted_events); } int SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level, const uint8_t *data, size_t len) { BIO *rbio; size_t n; u_char *p; ngx_str_t res; ngx_connection_t *c; ngx_quic_compat_t *com; ngx_quic_connection_t *qc; ngx_quic_compat_record_t rec; u_char in[NGX_QUIC_COMPAT_RECORD_SIZE + 1]; u_char out[NGX_QUIC_COMPAT_RECORD_SIZE + 1 + SSL3_RT_HEADER_LENGTH + NGX_QUIC_TAG_LEN]; c = ngx_ssl_get_connection(ssl); ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic compat rx %s len:%uz", ngx_quic_level_name(level), len); qc = ngx_quic_get_connection(c); com = qc->compat; rbio = SSL_get_rbio(ssl); while (len) { ngx_memzero(&rec, sizeof(ngx_quic_compat_record_t)); rec.type = SSL3_RT_HANDSHAKE; rec.log = c->log; rec.number = com->read_record++; rec.keys = &com->keys; rec.level = level; if (level == ssl_encryption_initial) { n = ngx_min(len, 65535); rec.payload.len = n; rec.payload.data = (u_char *) data; ngx_quic_compat_create_header(&rec, out, 1); BIO_write(rbio, out, SSL3_RT_HEADER_LENGTH); BIO_write(rbio, data, n); #if defined(NGX_QUIC_DEBUG_CRYPTO) && defined(NGX_QUIC_DEBUG_PACKETS) ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic compat record len:%uz %*xs%*xs", n + SSL3_RT_HEADER_LENGTH, (size_t) SSL3_RT_HEADER_LENGTH, out, n, data); #endif } else { n = ngx_min(len, NGX_QUIC_COMPAT_RECORD_SIZE); p = ngx_cpymem(in, data, n); *p++ = SSL3_RT_HANDSHAKE; rec.payload.len = p - in; rec.payload.data = in; res.data = out; if (ngx_quic_compat_create_record(&rec, &res) != NGX_OK) { return 0; } #if defined(NGX_QUIC_DEBUG_CRYPTO) && defined(NGX_QUIC_DEBUG_PACKETS) ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic compat record len:%uz %xV", res.len, &res); #endif BIO_write(rbio, res.data, res.len); } data += n; len -= n; } return 1; } static size_t ngx_quic_compat_create_header(ngx_quic_compat_record_t *rec, u_char *out, ngx_uint_t plain) { u_char type; size_t len; len = rec->payload.len; if (plain) { type = rec->type; } else { type = SSL3_RT_APPLICATION_DATA; len += NGX_QUIC_TAG_LEN; } out[0] = type; out[1] = 0x03; out[2] = 0x03; out[3] = (len >> 8); out[4] = len; return 5; } static ngx_int_t ngx_quic_compat_create_record(ngx_quic_compat_record_t *rec, ngx_str_t *res) { ngx_str_t ad, out; ngx_quic_secret_t *secret; u_char nonce[NGX_QUIC_IV_LEN]; ad.data = res->data; ad.len = ngx_quic_compat_create_header(rec, ad.data, 0); out.len = rec->payload.len + NGX_QUIC_TAG_LEN; out.data = res->data + ad.len; #ifdef NGX_QUIC_DEBUG_CRYPTO ngx_log_debug2(NGX_LOG_DEBUG_EVENT, rec->log, 0, "quic compat ad len:%uz %xV", ad.len, &ad); #endif secret = &rec->keys->secret; ngx_memcpy(nonce, secret->iv.data, secret->iv.len); ngx_quic_compute_nonce(nonce, sizeof(nonce), rec->number); if (ngx_quic_crypto_seal(secret, &out, nonce, &rec->payload, &ad, rec->log) != NGX_OK) { return NGX_ERROR; } res->len = ad.len + out.len; return NGX_OK; } int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params, size_t params_len) { ngx_connection_t *c; ngx_quic_compat_t *com; ngx_quic_connection_t *qc; c = ngx_ssl_get_connection(ssl); qc = ngx_quic_get_connection(c); com = qc->compat; com->tp.len = params_len; com->tp.data = (u_char *) params; return 1; } void SSL_get_peer_quic_transport_params(const SSL *ssl, const uint8_t **out_params, size_t *out_params_len) { ngx_connection_t *c; ngx_quic_compat_t *com; ngx_quic_connection_t *qc; c = ngx_ssl_get_connection(ssl); qc = ngx_quic_get_connection(c); com = qc->compat; *out_params = com->ctp.data; *out_params_len = com->ctp.len; } #endif /* NGX_QUIC_OPENSSL_COMPAT */