Re: DTLS patches
All files from this thread
| File Name | File Size | Posted by | Date | ||
|---|---|---|---|---|---|
| 0001-Retain-CAP_NET_BIND_SERVICE-capability-for-udp-privi.patch | 3.5 KB | open | download | shankerwangmiao | 02/21/2018 | Read message |
|
Vladimir Homutov
February 21, 2018 09:14AM
|
On Wed, Feb 21, 2018 at 08:47:37AM -0500, shankerwangmiao wrote:
>
> I have tested this patch in my environment. Before the patch is applied,
> `tcp_nodelay off` needs to be placed in every `server` clause with DTLS
> enabled to work the problem around.
>
Hello,
can you please elaborate about your environment? Do you proxy DTLS
stream directly to backend, or you perform DTLS offload ?
What protocol are you using and which server/client software
before/behind nginx?
I'm attaching refreshed patch against nginx-1.13.9 for those who are
interested to test.
# HG changeset patch
# User Vladimir Homutov <vl@nginx.com>
# Date 1519222093 -10800
# Wed Feb 21 17:08:13 2018 +0300
# Node ID b4b14f20123598d6c4bdff01e3c421e4f180f526
# Parent 88aad69eccef0422719698b54c82e3a020c0fe93
Stream: experimental DTLS support.
With the patch, the "listen" directive in the "stream" block now accepts
both "udp" and "ssl" directives.
The "ssl_protocols" and "proxy_ssl_protocols" directives now accepts "DTLSv1"
and "DTLSv1.2" parameters that enable support of corresponding protocols.
DTLS termination:
stream {
# please enable debug log
error_log logs/error.log debug;
server {
# add 'udp' and 'ssl' simultaneously to the listen directive
listen 127.0.0.1:4443 udp ssl;
# enable DTLSv1 or DTLSv1.2 or both protocols
ssl_protocols DTLSv1;
# setup other SSL options as usually
ssl_certificate ...;
ssl_certificate_key ...;
proxy_pass ...;
}
}
DTLS to backends:
stream {
# please enable debug log
error_log logs/error.log debug;
server {
listen 127.0.0.1:5555 udp;
# enable SSL to proxy
proxy_ssl on;
# enable DTLSv1 or DTLSv1.2 or both protocols
proxy_ssl_protocols DTLSv1;
# setup other proxy SSL options as usually
proxy_ssl_certificate ...;
proxy_ssl_certificate_key ...;
# the backend is a DTLS server
proxy_pass 127.0.0.1:4433;
}
diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf
--- a/auto/lib/openssl/conf
+++ b/auto/lib/openssl/conf
@@ -132,4 +132,16 @@ END
exit 1
fi
+ ngx_feature="OpenSSL DTLS support"
+ ngx_feature_name="NGX_OPENSSL_DTLS"
+ ngx_feature_run=no
+ ngx_feature_incs="#include <openssl/ssl.h>"
+ ngx_feature_path=
+ ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL"
+ ngx_feature_test="DTLSv1_listen(NULL, NULL)"
+ . auto/feature
+
+ if [ $ngx_found = yes ]; then
+ have=NGX_SSL_DTLS . auto/have
+ fi
fi
diff --git a/src/event/ngx_event.h b/src/event/ngx_event.h
--- a/src/event/ngx_event.h
+++ b/src/event/ngx_event.h
@@ -507,6 +507,7 @@ void ngx_event_accept(ngx_event_t *ev);
#if !(NGX_WIN32)
void ngx_event_recvmsg(ngx_event_t *ev);
#endif
+ngx_int_t ngx_event_udp_accept(ngx_connection_t *c);
ngx_int_t ngx_trylock_accept_mutex(ngx_cycle_t *cycle);
u_char *ngx_accept_log_error(ngx_log_t *log, u_char *buf, size_t len);
diff --git a/src/event/ngx_event_accept.c b/src/event/ngx_event_accept.c
--- a/src/event/ngx_event_accept.c
+++ b/src/event/ngx_event_accept.c
@@ -644,6 +644,81 @@ ngx_event_recvmsg(ngx_event_t *ev)
ngx_int_t
+ngx_event_udp_accept(ngx_connection_t *c)
+{
+ int on, rc;
+ ngx_socket_t fd;
+
+ fd = ngx_socket(c->listening->sockaddr->sa_family, SOCK_DGRAM, 0);
+ if (fd == (ngx_socket_t) -1) {
+ ngx_log_error(NGX_LOG_ALERT, c->log, ngx_socket_errno,
+ ngx_socket_n " failed");
+ return NGX_ERROR;
+ }
+
+ if (ngx_nonblocking(fd) == -1) {
+ ngx_log_error(NGX_LOG_ALERT, c->log, ngx_socket_errno,
+ ngx_nonblocking_n " failed");
+ goto failed;
+ }
+
+ on = 1;
+ rc = setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *) &on, sizeof(int));
+ if (rc == -1) {
+ ngx_log_error(NGX_LOG_ALERT, c->log, ngx_socket_errno,
+ "setsockopt(SO_REUSEADDR, 1) failed");
+ goto failed;
+ }
+
+#if (NGX_HAVE_REUSEPORT && NGX_FREEBSD)
+ on = 1;
+ rc = setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, (char *) &on, sizeof(int));
+ if (rc == -1) {
+ ngx_log_error(NGX_LOG_ALERT, c->log, ngx_socket_errno,
+ "setsockopt(SO_REUSEPORT, 1) failed");
+ goto failed;
+ }
+#endif
+
+ rc = bind(fd, c->listening->sockaddr, c->listening->socklen);
+ if (-1 == rc) {
+ ngx_log_error(NGX_LOG_EMERG, c->log, ngx_socket_errno,
+ "bind() to %V failed", &c->listening->addr_text);
+ goto failed;
+ }
+
+ if (connect(fd, c->sockaddr, c->socklen) == -1) {
+ ngx_log_error(NGX_LOG_ALERT, c->log, ngx_socket_errno,
+ "connect() failed");
+ goto failed;
+ }
+
+ c->fd = fd;
+ c->shared = 0;
+ c->recv = ngx_udp_recv;
+
+ if (ngx_add_conn && (ngx_event_flags & NGX_USE_EPOLL_EVENT) == 0) {
+ if (ngx_add_conn(c) == NGX_ERROR) {
+ goto failed;
+ }
+ }
+
+ return NGX_OK;
+
+failed:
+
+ if (ngx_close_socket(fd) == -1) {
+ ngx_log_error(NGX_LOG_EMERG, c->log, ngx_socket_errno,
+ ngx_close_socket_n " failed");
+ }
+
+ c->fd = (ngx_socket_t) -1;
+
+ return NGX_ERROR;
+}
+
+
+ngx_int_t
ngx_trylock_accept_mutex(ngx_cycle_t *cycle)
{
if (ngx_shmtx_trylock(&ngx_accept_mutex)) {
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -69,6 +69,22 @@ static void *ngx_openssl_create_conf(ngx
static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
static void ngx_openssl_exit(ngx_cycle_t *cycle);
+#if defined(NGX_HAVE_DTLS)
+static int ngx_dtls_client_hmac(SSL *ssl, u_char res[EVP_MAX_MD_SIZE],
+ unsigned int *rlen);
+static int ngx_dtls_generate_cookie_cb(SSL *ssl, unsigned char *cookie,
+ unsigned int *cookie_len);
+static int ngx_dtls_verify_cookie_cb(SSL *ssl,
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ const
+#endif
+unsigned char *cookie, unsigned int cookie_len);
+static ngx_int_t ngx_dtls_handshake(ngx_connection_t *c);
+
+
+#define COOKIE_SECRET_LENGTH 32
+static u_char ngx_dtls_cookie_secret[COOKIE_SECRET_LENGTH];
+#endif
static ngx_command_t ngx_openssl_commands[] = {
@@ -232,13 +248,71 @@ ngx_ssl_init(ngx_log_t *log)
ngx_int_t
ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
{
- ssl->ctx = SSL_CTX_new(SSLv23_method());
+ if (protocols & NGX_SSL_DTLSv1 || protocols & NGX_SSL_DTLSv1_2) {
+
+#if defined(NGX_HAVE_DTLS)
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+
+ if (protocols & NGX_SSL_DTLSv1_2) {
+
+ /* DTLS 1.2 is only supported since 1.0.2 */
+
+ /* DTLSv1_x_method() functions are deprecated in 1.1.0 */
+
+#if OPENSSL_VERSION_NUMBER < 0x10002000L
+
+ /* ancient ... 1.0.2 */
+ ngx_log_error(NGX_LOG_EMERG, ssl->log, 0,
+ "DTLSv1.2 is not supported by "
+ "the used version of OpenSSL");
+ return NGX_ERROR;
+
+#else
+ /* 1.0.2 ... 1.1 */
+ ssl->ctx = SSL_CTX_new(DTLSv1_2_method());
+#endif
+ }
+
+ /* note: either 1.2 or 1.1 methods may be initialized, not both,
+ * preferred is 1.2 if both specified in ssl_protocols
+ */
+
+ if (protocols & NGX_SSL_DTLSv1 && ssl->ctx == NULL) {
+ ssl->ctx = SSL_CTX_new(DTLSv1_method());
+ }
+#else
+ ssl->ctx = SSL_CTX_new(DTLS_method());
+#endif
+
+#else
+ ngx_log_error(NGX_LOG_EMERG, ssl->log, 0,
+ "OpenSSL is built without DTLS support");
+ return NGX_ERROR;
+#endif
+
+ } else {
+ ssl->ctx = SSL_CTX_new(SSLv23_method());
+ }
if (ssl->ctx == NULL) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_new() failed");
return NGX_ERROR;
}
+#if defined(NGX_HAVE_DTLS)
+ if (protocols & NGX_SSL_DTLSv1 || protocols & NGX_SSL_DTLSv1_2) {
+
+ SSL_CTX_set_cookie_generate_cb(ssl->ctx, ngx_dtls_generate_cookie_cb);
+ SSL_CTX_set_cookie_verify_cb(ssl->ctx, ngx_dtls_verify_cookie_cb);
+
+ /* TODO: probably this should be rotated regularly */
+ if (!RAND_bytes(ngx_dtls_cookie_secret, COOKIE_SECRET_LENGTH)) {
+ return NGX_ERROR;
+ }
+ }
+#endif
+
if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_server_conf_index, data) == 0) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"SSL_CTX_set_ex_data() failed");
@@ -1191,6 +1265,7 @@ ngx_ssl_create_connection(ngx_ssl_t *ssl
if (flags & NGX_SSL_CLIENT) {
SSL_set_connect_state(sc->connection);
+ sc->client = 1;
} else {
SSL_set_accept_state(sc->connection);
@@ -1227,6 +1302,19 @@ ngx_ssl_handshake(ngx_connection_t *c)
int n, sslerr;
ngx_err_t err;
+#if defined(NGX_HAVE_DTLS)
+ ngx_int_t rc;
+
+ if (c->type == SOCK_DGRAM && !c->ssl->client
+ && !c->ssl->dtls_cookie_accepted)
+ {
+ rc = ngx_dtls_handshake(c);
+ if (rc != NGX_OK) {
+ return rc;
+ }
+ }
+#endif
+
ngx_ssl_clear_error(c->log);
n = SSL_do_handshake(c->ssl->connection);
@@ -1328,6 +1416,17 @@ ngx_ssl_handshake(ngx_connection_t *c)
return NGX_ERROR;
}
+ if (c->ssl->bio_is_mem) {
+ SSL_set_rfd(c->ssl->connection, c->fd);
+ c->ssl->bio_is_mem = 0;
+
+ /* buffer is consumed by openssl, we don't want to proxy it */
+ c->buffer->pos = c->buffer->last;
+
+ /* continue with handshake with socket */
+ return ngx_ssl_handshake(c);
+ }
+
return NGX_AGAIN;
}
@@ -1391,6 +1490,215 @@ ngx_ssl_handshake_handler(ngx_event_t *e
}
+#if defined(NGX_HAVE_DTLS)
+
+/*
+ * RFC 6347, 4.2.1:
+ *
+ * When responding to a HelloVerifyRequest, the client MUST use the same
+ * parameter values (version, random, session_id, cipher_suites,
+ * compression_method) as it did in the original ClientHello. The
+ * server SHOULD use those values to generate its cookie and verify that
+ * they are correct upon cookie receipt.
+ */
+
+static int
+ngx_dtls_client_hmac(SSL *ssl, u_char res[EVP_MAX_MD_SIZE], unsigned int *rlen)
+{
+ u_char *p;
+ size_t len;
+ ngx_connection_t *c;
+
+ u_char buffer[64];
+
+ c = ngx_ssl_get_connection(ssl);
+
+ p = buffer;
+
+ p = ngx_cpymem(p, c->addr_text.data, c->addr_text.len);
+ p = ngx_sprintf(p, "%d", ngx_inet_get_port(c->sockaddr));
+
+ len = p - buffer;
+
+ HMAC(EVP_sha1(), (const void*) ngx_dtls_cookie_secret,
+ COOKIE_SECRET_LENGTH, (const u_char*) buffer, len, res, rlen);
+
+ return NGX_OK;
+}
+
+
+static int
+ngx_dtls_generate_cookie_cb(SSL *ssl, unsigned char *cookie,
+ unsigned int *cookie_len)
+{
+ unsigned int rlen;
+ u_char res[EVP_MAX_MD_SIZE];
+
+ if (ngx_dtls_client_hmac(ssl, res, &rlen) != NGX_OK) {
+ return 0;
+ }
+
+ ngx_memcpy(cookie, res, rlen);
+ *cookie_len = rlen;
+
+ return 1;
+}
+
+
+static int
+ngx_dtls_verify_cookie_cb(SSL *ssl,
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ const
+#endif
+ unsigned char *cookie, unsigned int cookie_len)
+{
+ unsigned int rlen;
+ u_char res[EVP_MAX_MD_SIZE];
+
+ if (ngx_dtls_client_hmac(ssl, res, &rlen) != NGX_OK) {
+ return 0;
+ }
+
+ if (cookie_len == rlen && ngx_memcmp(res, cookie, rlen) == 0) {
+ return 1;
+ }
+
+ return 0;
+}
+
+
+static ngx_int_t
+ngx_dtls_handshake(ngx_connection_t *c)
+{
+ int n, rd;
+ BIO *rbio, *wbio;
+ ngx_int_t rc;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BIO_ADDR *peer;
+#else
+ SSL *ssl;
+ struct sockaddr *peer;
+#endif
+
+ wbio = BIO_new(BIO_s_mem());
+ if (wbio == NULL) {
+ ngx_log_error(NGX_LOG_EMERG, c->log, 0, "BIO_new");
+ return NGX_ERROR;
+ }
+
+ rbio = BIO_new_mem_buf(c->buffer->pos, c->buffer->last - c->buffer->pos);
+ if (rbio == NULL) {
+ ngx_log_error(NGX_LOG_EMERG, c->log, 0, "BIO_new_mem_buf");
+ return NGX_ERROR;
+ }
+
+ BIO_set_mem_eof_return(rbio, -1);
+
+ SSL_set_bio(c->ssl->connection, rbio, wbio);
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+
+ peer = BIO_ADDR_new();
+
+ if (peer == NULL) {
+ ngx_log_error(NGX_LOG_EMERG, c->log, 0, "BIO_ADDR_new");
+ return NGX_ERROR;
+ }
+
+#else
+
+ peer = ngx_palloc(c->pool, c->socklen);
+ if (peer == NULL) {
+ return NGX_ERROR;
+ }
+
+ ssl = c->ssl->connection;
+ SSL_set_options(ssl, SSL_OP_COOKIE_EXCHANGE);
+
+#endif
+
+ rc = DTLSv1_listen(c->ssl->connection, peer);
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BIO_ADDR_free(peer);
+#endif
+
+ if (rc < 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, c->log, 0,
+ "DTLSv1_listen error %d", rc);
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ return NGX_ERROR;
+#else
+ /* no way to distinguish SSL error from NBIO */
+ if (ERR_peek_last_error() != 0) {
+ return NGX_ERROR;
+ }
+
+ /* assume -1 comes from NBIO and act accordingly */
+ rc = 0;
+#endif
+ }
+
+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "DTLSv1_listen: %i", rc);
+
+ if (rc == 0) {
+ /* non-blocking IO: need to send hello-verify request */
+ n = BIO_ctrl_pending(wbio);
+ if (n > 0) {
+ /* openssl provided some data to send */
+ rd = BIO_read(wbio, c->buffer->start, n);
+ if (rd != n) {
+ ngx_log_error(NGX_LOG_EMERG, c->log, 0, "DTLS BIO_read failed");
+ return NGX_ERROR;
+ }
+
+ rc = ngx_udp_send(c, c->buffer->start, n);
+ if (rc != n) {
+ return NGX_ERROR;
+ }
+
+ /* ok, we sent response, session is over,
+ * waiting for helllo with cookie
+ */
+
+ } else {
+ /* renegotiation or other unexpected result */
+ return NGX_ERROR;
+ }
+
+ /* this session is no longer required, new will be created */
+
+ return NGX_ABORT; /* drop this session*/
+ }
+
+ /* rc >= 1: client with a valid cookie */
+
+ /* DTLSv1_listen PEEK'ed the data, SSL_accept() needs to read from start */
+ if (BIO_reset(rbio) != 1) {
+ ngx_log_error(NGX_LOG_ALERT, c->log, 0, "BIO_reset");
+ return NGX_ERROR;
+ }
+
+ if (c->shared) {
+ if (ngx_event_udp_accept(c) != NGX_OK) {
+ return NGX_ERROR;
+ }
+ }
+
+ /* to be reset by handshake when mem buf content is consumed */
+ c->ssl->bio_is_mem = 1;
+
+ /* write BIO is real socket, to start sending server hello */
+ SSL_set_wfd(c->ssl->connection, c->fd);
+
+ c->ssl->dtls_cookie_accepted = 1;
+
+ return NGX_OK;
+}
+
+#endif
+
ssize_t
ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit)
{
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -50,6 +50,9 @@
#endif
+#if !defined(OPENSSL_NO_DTLS) && OPENSSL_VERSION_NUMBER >= 0x009080dfL
+#define NGX_HAVE_DTLS
+#endif
#define ngx_ssl_session_t SSL_SESSION
#define ngx_ssl_conn_t SSL
@@ -86,6 +89,9 @@ struct ngx_ssl_connection_s {
unsigned no_wait_shutdown:1;
unsigned no_send_shutdown:1;
unsigned handshake_buffer_set:1;
+ unsigned dtls_cookie_accepted:1;
+ unsigned bio_is_mem:1;
+ unsigned client:1;
};
@@ -138,6 +144,8 @@ typedef struct {
#define NGX_SSL_TLSv1_1 0x0010
#define NGX_SSL_TLSv1_2 0x0020
#define NGX_SSL_TLSv1_3 0x0040
+#define NGX_SSL_DTLSv1 0x0080
+#define NGX_SSL_DTLSv1_2 0x0200
#define NGX_SSL_BUFFER 1
diff --git a/src/stream/ngx_stream_core_module.c b/src/stream/ngx_stream_core_module.c
--- a/src/stream/ngx_stream_core_module.c
+++ b/src/stream/ngx_stream_core_module.c
@@ -849,12 +849,6 @@ ngx_stream_core_listen(ngx_conf_t *cf, n
return "\"backlog\" parameter is incompatible with \"udp\"";
}
-#if (NGX_STREAM_SSL)
- if (ls->ssl) {
- return "\"ssl\" parameter is incompatible with \"udp\"";
- }
-#endif
-
if (ls->so_keepalive) {
return "\"so_keepalive\" parameter is incompatible with \"udp\"";
}
diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -27,6 +27,7 @@ typedef struct {
size_t upload_rate;
size_t download_rate;
ngx_uint_t responses;
+ ngx_uint_t requests;
ngx_uint_t next_upstream_tries;
ngx_flag_t next_upstream;
ngx_flag_t proxy_protocol;
@@ -95,6 +96,8 @@ static void ngx_stream_proxy_ssl_handsha
static ngx_int_t ngx_stream_proxy_ssl_name(ngx_stream_session_t *s);
static ngx_int_t ngx_stream_proxy_set_ssl(ngx_conf_t *cf,
ngx_stream_proxy_srv_conf_t *pscf);
+static char *ngx_stream_proxy_set_ssl_protocols(ngx_conf_t *cf,
+ ngx_command_t *cmd, void *conf);
static ngx_conf_bitmask_t ngx_stream_proxy_ssl_protocols[] = {
@@ -104,6 +107,8 @@ static ngx_conf_bitmask_t ngx_stream_pr
{ ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
{ ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
{ ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
+ { ngx_string("DTLSv1"), NGX_SSL_DTLSv1 },
+ { ngx_string("DTLSv1.2"), NGX_SSL_DTLSv1_2 },
{ ngx_null_string, 0 }
};
@@ -191,6 +196,13 @@ static ngx_command_t ngx_stream_proxy_c
offsetof(ngx_stream_proxy_srv_conf_t, responses),
NULL },
+ { ngx_string("proxy_requests"),
+ NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_num_slot,
+ NGX_STREAM_SRV_CONF_OFFSET,
+ offsetof(ngx_stream_proxy_srv_conf_t, requests),
+ NULL },
+
{ ngx_string("proxy_next_upstream"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
ngx_conf_set_flag_slot,
@@ -237,7 +249,7 @@ static ngx_command_t ngx_stream_proxy_c
{ ngx_string("proxy_ssl_protocols"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_1MORE,
- ngx_conf_set_bitmask_slot,
+ ngx_stream_proxy_set_ssl_protocols,
NGX_STREAM_SRV_CONF_OFFSET,
offsetof(ngx_stream_proxy_srv_conf_t, ssl_protocols),
&ngx_stream_proxy_ssl_protocols },
@@ -398,7 +410,9 @@ ngx_stream_proxy_handler(ngx_stream_sess
return;
}
- if (c->type == SOCK_STREAM) {
+ if (c->type == SOCK_STREAM || (c->type == SOCK_DGRAM && c->ssl)
+ || (c->shared && pscf->requests))
+ {
p = ngx_pnalloc(c->pool, pscf->buffer_size);
if (p == NULL) {
ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
@@ -422,6 +436,13 @@ ngx_stream_proxy_handler(ngx_stream_sess
}
}
+ if (c->shared && pscf->requests) {
+ if (ngx_event_udp_accept(c) != NGX_OK) {
+ ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
+ return;
+ }
+ }
+
if (u->resolved == NULL) {
uscf = pscf->upstream;
@@ -754,14 +775,16 @@ ngx_stream_proxy_init_upstream(ngx_strea
#if (NGX_STREAM_SSL)
- if (pc->type == SOCK_STREAM && pscf->ssl) {
-
- if (u->proxy_protocol) {
- if (ngx_stream_proxy_send_proxy_protocol(s) != NGX_OK) {
- return;
+ if (pscf->ssl) {
+
+ if (pc->type == SOCK_STREAM) {
+ if (u->proxy_protocol) {
+ if (ngx_stream_proxy_send_proxy_protocol(s) != NGX_OK) {
+ return;
+ }
+
+ u->proxy_protocol = 0;
}
-
- u->proxy_protocol = 0;
}
if (pc->ssl == NULL) {
@@ -1044,6 +1067,8 @@ static void
ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc)
{
long rc;
+ u_char *p;
+ ngx_connection_t *c;
ngx_stream_session_t *s;
ngx_stream_upstream_t *u;
ngx_stream_proxy_srv_conf_t *pscf;
@@ -1083,6 +1108,29 @@ ngx_stream_proxy_ssl_handshake(ngx_conne
ngx_del_timer(pc->write);
}
+ c = s->connection;
+
+ if (c->shared && pscf->requests) {
+
+ if (ngx_event_udp_accept(c) != NGX_OK) {
+ ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
+ return;
+ }
+
+ p = ngx_pnalloc(c->pool, pscf->buffer_size);
+ if (p == NULL) {
+ ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
+ return;
+ }
+
+ u = s->upstream;
+
+ u->downstream_buf.start = p;
+ u->downstream_buf.end = p + pscf->buffer_size;
+ u->downstream_buf.pos = p;
+ u->downstream_buf.last = p;
+ }
+
ngx_stream_proxy_init_upstream(s);
return;
@@ -1584,8 +1632,11 @@ ngx_stream_proxy_process(ngx_stream_sess
}
}
- if (c->type == SOCK_DGRAM && ++u->responses == pscf->responses)
- {
+ if (c->type == SOCK_DGRAM && from_upstream) {
+ u->responses++;
+ }
+
+ if (c->type == SOCK_DGRAM && u->responses == pscf->responses) {
src->read->ready = 0;
src->read->eof = 1;
}
@@ -1848,6 +1899,7 @@ ngx_stream_proxy_create_srv_conf(ngx_con
conf->upload_rate = NGX_CONF_UNSET_SIZE;
conf->download_rate = NGX_CONF_UNSET_SIZE;
conf->responses = NGX_CONF_UNSET_UINT;
+ conf->requests = NGX_CONF_UNSET_UINT;
conf->next_upstream_tries = NGX_CONF_UNSET_UINT;
conf->next_upstream = NGX_CONF_UNSET;
conf->proxy_protocol = NGX_CONF_UNSET;
@@ -1893,6 +1945,9 @@ ngx_stream_proxy_merge_srv_conf(ngx_conf
ngx_conf_merge_uint_value(conf->responses,
prev->responses, NGX_MAX_INT32_VALUE);
+ ngx_conf_merge_uint_value(conf->requests,
+ prev->requests, NGX_MAX_INT32_VALUE);
+
ngx_conf_merge_uint_value(conf->next_upstream_tries,
prev->next_upstream_tries, 0);
@@ -2019,6 +2074,34 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf,
return NGX_OK;
}
+
+static
+char *ngx_stream_proxy_set_ssl_protocols(ngx_conf_t *cf, ngx_command_t *cmd,
+ void *conf)
+{
+ ngx_stream_proxy_srv_conf_t *pscf = conf;
+
+ char *rv;
+
+ rv = ngx_conf_set_bitmask_slot(cf, cmd, conf);
+
+ if (rv != NGX_CONF_OK) {
+ return rv;
+ }
+
+ /* DTLS protocol requires corresponding TLS version to be set */
+
+ if (pscf->ssl_protocols & NGX_SSL_DTLSv1) {
+ pscf->ssl_protocols |= NGX_SSL_TLSv1;
+ }
+
+ if (pscf->ssl_protocols & NGX_SSL_DTLSv1_2) {
+ pscf->ssl_protocols |= NGX_SSL_TLSv1_2;
+ }
+
+ return NGX_CONF_OK;
+}
+
#endif
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -34,6 +34,8 @@ static char *ngx_stream_ssl_merge_conf(n
static char *ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
+static char *ngx_stream_set_ssl_protocols(ngx_conf_t *cf, ngx_command_t *cmd,
+ void *conf);
static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
static ngx_int_t ngx_stream_ssl_init(ngx_conf_t *cf);
@@ -46,6 +48,9 @@ static ngx_conf_bitmask_t ngx_stream_ss
{ ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
{ ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
{ ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
+ { ngx_string("DTLSv1"), NGX_SSL_DTLSv1 },
+ { ngx_string("DTLSv1.2"), NGX_SSL_DTLSv1_2 },
+
{ ngx_null_string, 0 }
};
@@ -105,7 +110,7 @@ static ngx_command_t ngx_stream_ssl_com
{ ngx_string("ssl_protocols"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_1MORE,
- ngx_conf_set_bitmask_slot,
+ ngx_stream_set_ssl_protocols,
NGX_STREAM_SRV_CONF_OFFSET,
offsetof(ngx_stream_ssl_conf_t, protocols),
&ngx_stream_ssl_protocols },
@@ -365,7 +370,8 @@ ngx_stream_ssl_init_connection(ngx_ssl_t
cscf = ngx_stream_get_module_srv_conf(s, ngx_stream_core_module);
- if (cscf->tcp_nodelay && ngx_tcp_nodelay(c) != NGX_OK) {
+ if (c->type == SOCK_STREAM
+ && cscf->tcp_nodelay && ngx_tcp_nodelay(c) != NGX_OK) {
return NGX_ERROR;
}
@@ -389,6 +395,11 @@ ngx_stream_ssl_init_connection(ngx_ssl_t
return NGX_AGAIN;
}
+ if (rc == NGX_ABORT) {
+ /* DTLS handshake sent the cookie to client */
+ return NGX_ERROR;
+ }
+
/* rc == NGX_OK */
return NGX_OK;
@@ -721,6 +732,33 @@ ngx_stream_ssl_password_file(ngx_conf_t
static char *
+ngx_stream_set_ssl_protocols(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+ ngx_stream_ssl_conf_t *scf = conf;
+
+ char *rv;
+
+ rv = ngx_conf_set_bitmask_slot(cf, cmd, conf);
+
+ if (rv != NGX_CONF_OK) {
+ return rv;
+ }
+
+ /* DTLS protocol requires corresponding TLS version to be set */
+
+ if (scf->protocols & NGX_SSL_DTLSv1) {
+ scf->protocols |= NGX_SSL_TLSv1;
+ }
+
+ if (scf->protocols & NGX_SSL_DTLSv1_2) {
+ scf->protocols |= NGX_SSL_TLSv1_2;
+ }
+
+ return NGX_CONF_OK;
+}
+
+
+static char *
ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
ngx_stream_ssl_conf_t *scf = conf;
@@ -835,8 +873,13 @@ invalid:
static ngx_int_t
ngx_stream_ssl_init(ngx_conf_t *cf)
{
- ngx_stream_handler_pt *h;
- ngx_stream_core_main_conf_t *cmcf;
+ ngx_uint_t i;
+ ngx_stream_listen_t *ls;
+ ngx_stream_handler_pt *h;
+ ngx_stream_conf_ctx_t *sctx;
+ ngx_stream_ssl_conf_t **sscfp, *sscf;
+ ngx_stream_core_srv_conf_t **cscfp, *cscf;
+ ngx_stream_core_main_conf_t *cmcf;
cmcf = ngx_stream_conf_get_module_main_conf(cf, ngx_stream_core_module);
@@ -847,5 +890,52 @@ ngx_stream_ssl_init(ngx_conf_t *cf)
*h = ngx_stream_ssl_handler;
+ cmcf = ngx_stream_conf_get_module_main_conf(cf, ngx_stream_core_module);
+
+ ls = cmcf->listen.elts;
+
+ for (i = 0; i < cmcf->listen.nelts; i++) {
+ if (ls[i].ssl) {
+ sctx = ls[i].ctx;
+
+ sscfp = (ngx_stream_ssl_conf_t **)sctx->srv_conf;
+ cscfp = (ngx_stream_core_srv_conf_t **)sctx->srv_conf;
+
+ sscf = sscfp[ngx_stream_ssl_module.ctx_index];
+ cscf = cscfp[ngx_stream_core_module.ctx_index];
+
+ if (sscf->certificates == NULL) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate\" is defined "
+ "in server listening on SSL port at %s:%ui",
+ cscf->file_name, cscf->line);
+ return NGX_ERROR;
+ }
+
+ if (ls[i].type == SOCK_DGRAM) {
+ if (!(sscf->protocols & NGX_SSL_DTLSv1
+ || sscf->protocols & NGX_SSL_DTLSv1_2))
+ {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "\"ssl_protocols\" does not enable DTLS in a "
+ "server listening on UDP SSL port at %s:%ui",
+ cscf->file_name, cscf->line);
+ return NGX_ERROR;
+ }
+
+ } else {
+ if (sscf->protocols & NGX_SSL_DTLSv1
+ || sscf->protocols & NGX_SSL_DTLSv1_2 )
+ {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "\"ssl_protocols\" includes DTLS in a server "
+ "listening on SSL port at %s:%ui",
+ cscf->file_name, cscf->line);
+ return NGX_ERROR;
+ }
+ }
+ }
+ }
+
return NGX_OK;
}
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
>
> I have tested this patch in my environment. Before the patch is applied,
> `tcp_nodelay off` needs to be placed in every `server` clause with DTLS
> enabled to work the problem around.
>
Hello,
can you please elaborate about your environment? Do you proxy DTLS
stream directly to backend, or you perform DTLS offload ?
What protocol are you using and which server/client software
before/behind nginx?
I'm attaching refreshed patch against nginx-1.13.9 for those who are
interested to test.
# HG changeset patch
# User Vladimir Homutov <vl@nginx.com>
# Date 1519222093 -10800
# Wed Feb 21 17:08:13 2018 +0300
# Node ID b4b14f20123598d6c4bdff01e3c421e4f180f526
# Parent 88aad69eccef0422719698b54c82e3a020c0fe93
Stream: experimental DTLS support.
With the patch, the "listen" directive in the "stream" block now accepts
both "udp" and "ssl" directives.
The "ssl_protocols" and "proxy_ssl_protocols" directives now accepts "DTLSv1"
and "DTLSv1.2" parameters that enable support of corresponding protocols.
DTLS termination:
stream {
# please enable debug log
error_log logs/error.log debug;
server {
# add 'udp' and 'ssl' simultaneously to the listen directive
listen 127.0.0.1:4443 udp ssl;
# enable DTLSv1 or DTLSv1.2 or both protocols
ssl_protocols DTLSv1;
# setup other SSL options as usually
ssl_certificate ...;
ssl_certificate_key ...;
proxy_pass ...;
}
}
DTLS to backends:
stream {
# please enable debug log
error_log logs/error.log debug;
server {
listen 127.0.0.1:5555 udp;
# enable SSL to proxy
proxy_ssl on;
# enable DTLSv1 or DTLSv1.2 or both protocols
proxy_ssl_protocols DTLSv1;
# setup other proxy SSL options as usually
proxy_ssl_certificate ...;
proxy_ssl_certificate_key ...;
# the backend is a DTLS server
proxy_pass 127.0.0.1:4433;
}
diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf
--- a/auto/lib/openssl/conf
+++ b/auto/lib/openssl/conf
@@ -132,4 +132,16 @@ END
exit 1
fi
+ ngx_feature="OpenSSL DTLS support"
+ ngx_feature_name="NGX_OPENSSL_DTLS"
+ ngx_feature_run=no
+ ngx_feature_incs="#include <openssl/ssl.h>"
+ ngx_feature_path=
+ ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL"
+ ngx_feature_test="DTLSv1_listen(NULL, NULL)"
+ . auto/feature
+
+ if [ $ngx_found = yes ]; then
+ have=NGX_SSL_DTLS . auto/have
+ fi
fi
diff --git a/src/event/ngx_event.h b/src/event/ngx_event.h
--- a/src/event/ngx_event.h
+++ b/src/event/ngx_event.h
@@ -507,6 +507,7 @@ void ngx_event_accept(ngx_event_t *ev);
#if !(NGX_WIN32)
void ngx_event_recvmsg(ngx_event_t *ev);
#endif
+ngx_int_t ngx_event_udp_accept(ngx_connection_t *c);
ngx_int_t ngx_trylock_accept_mutex(ngx_cycle_t *cycle);
u_char *ngx_accept_log_error(ngx_log_t *log, u_char *buf, size_t len);
diff --git a/src/event/ngx_event_accept.c b/src/event/ngx_event_accept.c
--- a/src/event/ngx_event_accept.c
+++ b/src/event/ngx_event_accept.c
@@ -644,6 +644,81 @@ ngx_event_recvmsg(ngx_event_t *ev)
ngx_int_t
+ngx_event_udp_accept(ngx_connection_t *c)
+{
+ int on, rc;
+ ngx_socket_t fd;
+
+ fd = ngx_socket(c->listening->sockaddr->sa_family, SOCK_DGRAM, 0);
+ if (fd == (ngx_socket_t) -1) {
+ ngx_log_error(NGX_LOG_ALERT, c->log, ngx_socket_errno,
+ ngx_socket_n " failed");
+ return NGX_ERROR;
+ }
+
+ if (ngx_nonblocking(fd) == -1) {
+ ngx_log_error(NGX_LOG_ALERT, c->log, ngx_socket_errno,
+ ngx_nonblocking_n " failed");
+ goto failed;
+ }
+
+ on = 1;
+ rc = setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *) &on, sizeof(int));
+ if (rc == -1) {
+ ngx_log_error(NGX_LOG_ALERT, c->log, ngx_socket_errno,
+ "setsockopt(SO_REUSEADDR, 1) failed");
+ goto failed;
+ }
+
+#if (NGX_HAVE_REUSEPORT && NGX_FREEBSD)
+ on = 1;
+ rc = setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, (char *) &on, sizeof(int));
+ if (rc == -1) {
+ ngx_log_error(NGX_LOG_ALERT, c->log, ngx_socket_errno,
+ "setsockopt(SO_REUSEPORT, 1) failed");
+ goto failed;
+ }
+#endif
+
+ rc = bind(fd, c->listening->sockaddr, c->listening->socklen);
+ if (-1 == rc) {
+ ngx_log_error(NGX_LOG_EMERG, c->log, ngx_socket_errno,
+ "bind() to %V failed", &c->listening->addr_text);
+ goto failed;
+ }
+
+ if (connect(fd, c->sockaddr, c->socklen) == -1) {
+ ngx_log_error(NGX_LOG_ALERT, c->log, ngx_socket_errno,
+ "connect() failed");
+ goto failed;
+ }
+
+ c->fd = fd;
+ c->shared = 0;
+ c->recv = ngx_udp_recv;
+
+ if (ngx_add_conn && (ngx_event_flags & NGX_USE_EPOLL_EVENT) == 0) {
+ if (ngx_add_conn(c) == NGX_ERROR) {
+ goto failed;
+ }
+ }
+
+ return NGX_OK;
+
+failed:
+
+ if (ngx_close_socket(fd) == -1) {
+ ngx_log_error(NGX_LOG_EMERG, c->log, ngx_socket_errno,
+ ngx_close_socket_n " failed");
+ }
+
+ c->fd = (ngx_socket_t) -1;
+
+ return NGX_ERROR;
+}
+
+
+ngx_int_t
ngx_trylock_accept_mutex(ngx_cycle_t *cycle)
{
if (ngx_shmtx_trylock(&ngx_accept_mutex)) {
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -69,6 +69,22 @@ static void *ngx_openssl_create_conf(ngx
static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
static void ngx_openssl_exit(ngx_cycle_t *cycle);
+#if defined(NGX_HAVE_DTLS)
+static int ngx_dtls_client_hmac(SSL *ssl, u_char res[EVP_MAX_MD_SIZE],
+ unsigned int *rlen);
+static int ngx_dtls_generate_cookie_cb(SSL *ssl, unsigned char *cookie,
+ unsigned int *cookie_len);
+static int ngx_dtls_verify_cookie_cb(SSL *ssl,
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ const
+#endif
+unsigned char *cookie, unsigned int cookie_len);
+static ngx_int_t ngx_dtls_handshake(ngx_connection_t *c);
+
+
+#define COOKIE_SECRET_LENGTH 32
+static u_char ngx_dtls_cookie_secret[COOKIE_SECRET_LENGTH];
+#endif
static ngx_command_t ngx_openssl_commands[] = {
@@ -232,13 +248,71 @@ ngx_ssl_init(ngx_log_t *log)
ngx_int_t
ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
{
- ssl->ctx = SSL_CTX_new(SSLv23_method());
+ if (protocols & NGX_SSL_DTLSv1 || protocols & NGX_SSL_DTLSv1_2) {
+
+#if defined(NGX_HAVE_DTLS)
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+
+ if (protocols & NGX_SSL_DTLSv1_2) {
+
+ /* DTLS 1.2 is only supported since 1.0.2 */
+
+ /* DTLSv1_x_method() functions are deprecated in 1.1.0 */
+
+#if OPENSSL_VERSION_NUMBER < 0x10002000L
+
+ /* ancient ... 1.0.2 */
+ ngx_log_error(NGX_LOG_EMERG, ssl->log, 0,
+ "DTLSv1.2 is not supported by "
+ "the used version of OpenSSL");
+ return NGX_ERROR;
+
+#else
+ /* 1.0.2 ... 1.1 */
+ ssl->ctx = SSL_CTX_new(DTLSv1_2_method());
+#endif
+ }
+
+ /* note: either 1.2 or 1.1 methods may be initialized, not both,
+ * preferred is 1.2 if both specified in ssl_protocols
+ */
+
+ if (protocols & NGX_SSL_DTLSv1 && ssl->ctx == NULL) {
+ ssl->ctx = SSL_CTX_new(DTLSv1_method());
+ }
+#else
+ ssl->ctx = SSL_CTX_new(DTLS_method());
+#endif
+
+#else
+ ngx_log_error(NGX_LOG_EMERG, ssl->log, 0,
+ "OpenSSL is built without DTLS support");
+ return NGX_ERROR;
+#endif
+
+ } else {
+ ssl->ctx = SSL_CTX_new(SSLv23_method());
+ }
if (ssl->ctx == NULL) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_new() failed");
return NGX_ERROR;
}
+#if defined(NGX_HAVE_DTLS)
+ if (protocols & NGX_SSL_DTLSv1 || protocols & NGX_SSL_DTLSv1_2) {
+
+ SSL_CTX_set_cookie_generate_cb(ssl->ctx, ngx_dtls_generate_cookie_cb);
+ SSL_CTX_set_cookie_verify_cb(ssl->ctx, ngx_dtls_verify_cookie_cb);
+
+ /* TODO: probably this should be rotated regularly */
+ if (!RAND_bytes(ngx_dtls_cookie_secret, COOKIE_SECRET_LENGTH)) {
+ return NGX_ERROR;
+ }
+ }
+#endif
+
if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_server_conf_index, data) == 0) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"SSL_CTX_set_ex_data() failed");
@@ -1191,6 +1265,7 @@ ngx_ssl_create_connection(ngx_ssl_t *ssl
if (flags & NGX_SSL_CLIENT) {
SSL_set_connect_state(sc->connection);
+ sc->client = 1;
} else {
SSL_set_accept_state(sc->connection);
@@ -1227,6 +1302,19 @@ ngx_ssl_handshake(ngx_connection_t *c)
int n, sslerr;
ngx_err_t err;
+#if defined(NGX_HAVE_DTLS)
+ ngx_int_t rc;
+
+ if (c->type == SOCK_DGRAM && !c->ssl->client
+ && !c->ssl->dtls_cookie_accepted)
+ {
+ rc = ngx_dtls_handshake(c);
+ if (rc != NGX_OK) {
+ return rc;
+ }
+ }
+#endif
+
ngx_ssl_clear_error(c->log);
n = SSL_do_handshake(c->ssl->connection);
@@ -1328,6 +1416,17 @@ ngx_ssl_handshake(ngx_connection_t *c)
return NGX_ERROR;
}
+ if (c->ssl->bio_is_mem) {
+ SSL_set_rfd(c->ssl->connection, c->fd);
+ c->ssl->bio_is_mem = 0;
+
+ /* buffer is consumed by openssl, we don't want to proxy it */
+ c->buffer->pos = c->buffer->last;
+
+ /* continue with handshake with socket */
+ return ngx_ssl_handshake(c);
+ }
+
return NGX_AGAIN;
}
@@ -1391,6 +1490,215 @@ ngx_ssl_handshake_handler(ngx_event_t *e
}
+#if defined(NGX_HAVE_DTLS)
+
+/*
+ * RFC 6347, 4.2.1:
+ *
+ * When responding to a HelloVerifyRequest, the client MUST use the same
+ * parameter values (version, random, session_id, cipher_suites,
+ * compression_method) as it did in the original ClientHello. The
+ * server SHOULD use those values to generate its cookie and verify that
+ * they are correct upon cookie receipt.
+ */
+
+static int
+ngx_dtls_client_hmac(SSL *ssl, u_char res[EVP_MAX_MD_SIZE], unsigned int *rlen)
+{
+ u_char *p;
+ size_t len;
+ ngx_connection_t *c;
+
+ u_char buffer[64];
+
+ c = ngx_ssl_get_connection(ssl);
+
+ p = buffer;
+
+ p = ngx_cpymem(p, c->addr_text.data, c->addr_text.len);
+ p = ngx_sprintf(p, "%d", ngx_inet_get_port(c->sockaddr));
+
+ len = p - buffer;
+
+ HMAC(EVP_sha1(), (const void*) ngx_dtls_cookie_secret,
+ COOKIE_SECRET_LENGTH, (const u_char*) buffer, len, res, rlen);
+
+ return NGX_OK;
+}
+
+
+static int
+ngx_dtls_generate_cookie_cb(SSL *ssl, unsigned char *cookie,
+ unsigned int *cookie_len)
+{
+ unsigned int rlen;
+ u_char res[EVP_MAX_MD_SIZE];
+
+ if (ngx_dtls_client_hmac(ssl, res, &rlen) != NGX_OK) {
+ return 0;
+ }
+
+ ngx_memcpy(cookie, res, rlen);
+ *cookie_len = rlen;
+
+ return 1;
+}
+
+
+static int
+ngx_dtls_verify_cookie_cb(SSL *ssl,
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ const
+#endif
+ unsigned char *cookie, unsigned int cookie_len)
+{
+ unsigned int rlen;
+ u_char res[EVP_MAX_MD_SIZE];
+
+ if (ngx_dtls_client_hmac(ssl, res, &rlen) != NGX_OK) {
+ return 0;
+ }
+
+ if (cookie_len == rlen && ngx_memcmp(res, cookie, rlen) == 0) {
+ return 1;
+ }
+
+ return 0;
+}
+
+
+static ngx_int_t
+ngx_dtls_handshake(ngx_connection_t *c)
+{
+ int n, rd;
+ BIO *rbio, *wbio;
+ ngx_int_t rc;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BIO_ADDR *peer;
+#else
+ SSL *ssl;
+ struct sockaddr *peer;
+#endif
+
+ wbio = BIO_new(BIO_s_mem());
+ if (wbio == NULL) {
+ ngx_log_error(NGX_LOG_EMERG, c->log, 0, "BIO_new");
+ return NGX_ERROR;
+ }
+
+ rbio = BIO_new_mem_buf(c->buffer->pos, c->buffer->last - c->buffer->pos);
+ if (rbio == NULL) {
+ ngx_log_error(NGX_LOG_EMERG, c->log, 0, "BIO_new_mem_buf");
+ return NGX_ERROR;
+ }
+
+ BIO_set_mem_eof_return(rbio, -1);
+
+ SSL_set_bio(c->ssl->connection, rbio, wbio);
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+
+ peer = BIO_ADDR_new();
+
+ if (peer == NULL) {
+ ngx_log_error(NGX_LOG_EMERG, c->log, 0, "BIO_ADDR_new");
+ return NGX_ERROR;
+ }
+
+#else
+
+ peer = ngx_palloc(c->pool, c->socklen);
+ if (peer == NULL) {
+ return NGX_ERROR;
+ }
+
+ ssl = c->ssl->connection;
+ SSL_set_options(ssl, SSL_OP_COOKIE_EXCHANGE);
+
+#endif
+
+ rc = DTLSv1_listen(c->ssl->connection, peer);
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BIO_ADDR_free(peer);
+#endif
+
+ if (rc < 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, c->log, 0,
+ "DTLSv1_listen error %d", rc);
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ return NGX_ERROR;
+#else
+ /* no way to distinguish SSL error from NBIO */
+ if (ERR_peek_last_error() != 0) {
+ return NGX_ERROR;
+ }
+
+ /* assume -1 comes from NBIO and act accordingly */
+ rc = 0;
+#endif
+ }
+
+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "DTLSv1_listen: %i", rc);
+
+ if (rc == 0) {
+ /* non-blocking IO: need to send hello-verify request */
+ n = BIO_ctrl_pending(wbio);
+ if (n > 0) {
+ /* openssl provided some data to send */
+ rd = BIO_read(wbio, c->buffer->start, n);
+ if (rd != n) {
+ ngx_log_error(NGX_LOG_EMERG, c->log, 0, "DTLS BIO_read failed");
+ return NGX_ERROR;
+ }
+
+ rc = ngx_udp_send(c, c->buffer->start, n);
+ if (rc != n) {
+ return NGX_ERROR;
+ }
+
+ /* ok, we sent response, session is over,
+ * waiting for helllo with cookie
+ */
+
+ } else {
+ /* renegotiation or other unexpected result */
+ return NGX_ERROR;
+ }
+
+ /* this session is no longer required, new will be created */
+
+ return NGX_ABORT; /* drop this session*/
+ }
+
+ /* rc >= 1: client with a valid cookie */
+
+ /* DTLSv1_listen PEEK'ed the data, SSL_accept() needs to read from start */
+ if (BIO_reset(rbio) != 1) {
+ ngx_log_error(NGX_LOG_ALERT, c->log, 0, "BIO_reset");
+ return NGX_ERROR;
+ }
+
+ if (c->shared) {
+ if (ngx_event_udp_accept(c) != NGX_OK) {
+ return NGX_ERROR;
+ }
+ }
+
+ /* to be reset by handshake when mem buf content is consumed */
+ c->ssl->bio_is_mem = 1;
+
+ /* write BIO is real socket, to start sending server hello */
+ SSL_set_wfd(c->ssl->connection, c->fd);
+
+ c->ssl->dtls_cookie_accepted = 1;
+
+ return NGX_OK;
+}
+
+#endif
+
ssize_t
ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit)
{
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -50,6 +50,9 @@
#endif
+#if !defined(OPENSSL_NO_DTLS) && OPENSSL_VERSION_NUMBER >= 0x009080dfL
+#define NGX_HAVE_DTLS
+#endif
#define ngx_ssl_session_t SSL_SESSION
#define ngx_ssl_conn_t SSL
@@ -86,6 +89,9 @@ struct ngx_ssl_connection_s {
unsigned no_wait_shutdown:1;
unsigned no_send_shutdown:1;
unsigned handshake_buffer_set:1;
+ unsigned dtls_cookie_accepted:1;
+ unsigned bio_is_mem:1;
+ unsigned client:1;
};
@@ -138,6 +144,8 @@ typedef struct {
#define NGX_SSL_TLSv1_1 0x0010
#define NGX_SSL_TLSv1_2 0x0020
#define NGX_SSL_TLSv1_3 0x0040
+#define NGX_SSL_DTLSv1 0x0080
+#define NGX_SSL_DTLSv1_2 0x0200
#define NGX_SSL_BUFFER 1
diff --git a/src/stream/ngx_stream_core_module.c b/src/stream/ngx_stream_core_module.c
--- a/src/stream/ngx_stream_core_module.c
+++ b/src/stream/ngx_stream_core_module.c
@@ -849,12 +849,6 @@ ngx_stream_core_listen(ngx_conf_t *cf, n
return "\"backlog\" parameter is incompatible with \"udp\"";
}
-#if (NGX_STREAM_SSL)
- if (ls->ssl) {
- return "\"ssl\" parameter is incompatible with \"udp\"";
- }
-#endif
-
if (ls->so_keepalive) {
return "\"so_keepalive\" parameter is incompatible with \"udp\"";
}
diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -27,6 +27,7 @@ typedef struct {
size_t upload_rate;
size_t download_rate;
ngx_uint_t responses;
+ ngx_uint_t requests;
ngx_uint_t next_upstream_tries;
ngx_flag_t next_upstream;
ngx_flag_t proxy_protocol;
@@ -95,6 +96,8 @@ static void ngx_stream_proxy_ssl_handsha
static ngx_int_t ngx_stream_proxy_ssl_name(ngx_stream_session_t *s);
static ngx_int_t ngx_stream_proxy_set_ssl(ngx_conf_t *cf,
ngx_stream_proxy_srv_conf_t *pscf);
+static char *ngx_stream_proxy_set_ssl_protocols(ngx_conf_t *cf,
+ ngx_command_t *cmd, void *conf);
static ngx_conf_bitmask_t ngx_stream_proxy_ssl_protocols[] = {
@@ -104,6 +107,8 @@ static ngx_conf_bitmask_t ngx_stream_pr
{ ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
{ ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
{ ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
+ { ngx_string("DTLSv1"), NGX_SSL_DTLSv1 },
+ { ngx_string("DTLSv1.2"), NGX_SSL_DTLSv1_2 },
{ ngx_null_string, 0 }
};
@@ -191,6 +196,13 @@ static ngx_command_t ngx_stream_proxy_c
offsetof(ngx_stream_proxy_srv_conf_t, responses),
NULL },
+ { ngx_string("proxy_requests"),
+ NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_num_slot,
+ NGX_STREAM_SRV_CONF_OFFSET,
+ offsetof(ngx_stream_proxy_srv_conf_t, requests),
+ NULL },
+
{ ngx_string("proxy_next_upstream"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
ngx_conf_set_flag_slot,
@@ -237,7 +249,7 @@ static ngx_command_t ngx_stream_proxy_c
{ ngx_string("proxy_ssl_protocols"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_1MORE,
- ngx_conf_set_bitmask_slot,
+ ngx_stream_proxy_set_ssl_protocols,
NGX_STREAM_SRV_CONF_OFFSET,
offsetof(ngx_stream_proxy_srv_conf_t, ssl_protocols),
&ngx_stream_proxy_ssl_protocols },
@@ -398,7 +410,9 @@ ngx_stream_proxy_handler(ngx_stream_sess
return;
}
- if (c->type == SOCK_STREAM) {
+ if (c->type == SOCK_STREAM || (c->type == SOCK_DGRAM && c->ssl)
+ || (c->shared && pscf->requests))
+ {
p = ngx_pnalloc(c->pool, pscf->buffer_size);
if (p == NULL) {
ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
@@ -422,6 +436,13 @@ ngx_stream_proxy_handler(ngx_stream_sess
}
}
+ if (c->shared && pscf->requests) {
+ if (ngx_event_udp_accept(c) != NGX_OK) {
+ ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
+ return;
+ }
+ }
+
if (u->resolved == NULL) {
uscf = pscf->upstream;
@@ -754,14 +775,16 @@ ngx_stream_proxy_init_upstream(ngx_strea
#if (NGX_STREAM_SSL)
- if (pc->type == SOCK_STREAM && pscf->ssl) {
-
- if (u->proxy_protocol) {
- if (ngx_stream_proxy_send_proxy_protocol(s) != NGX_OK) {
- return;
+ if (pscf->ssl) {
+
+ if (pc->type == SOCK_STREAM) {
+ if (u->proxy_protocol) {
+ if (ngx_stream_proxy_send_proxy_protocol(s) != NGX_OK) {
+ return;
+ }
+
+ u->proxy_protocol = 0;
}
-
- u->proxy_protocol = 0;
}
if (pc->ssl == NULL) {
@@ -1044,6 +1067,8 @@ static void
ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc)
{
long rc;
+ u_char *p;
+ ngx_connection_t *c;
ngx_stream_session_t *s;
ngx_stream_upstream_t *u;
ngx_stream_proxy_srv_conf_t *pscf;
@@ -1083,6 +1108,29 @@ ngx_stream_proxy_ssl_handshake(ngx_conne
ngx_del_timer(pc->write);
}
+ c = s->connection;
+
+ if (c->shared && pscf->requests) {
+
+ if (ngx_event_udp_accept(c) != NGX_OK) {
+ ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
+ return;
+ }
+
+ p = ngx_pnalloc(c->pool, pscf->buffer_size);
+ if (p == NULL) {
+ ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
+ return;
+ }
+
+ u = s->upstream;
+
+ u->downstream_buf.start = p;
+ u->downstream_buf.end = p + pscf->buffer_size;
+ u->downstream_buf.pos = p;
+ u->downstream_buf.last = p;
+ }
+
ngx_stream_proxy_init_upstream(s);
return;
@@ -1584,8 +1632,11 @@ ngx_stream_proxy_process(ngx_stream_sess
}
}
- if (c->type == SOCK_DGRAM && ++u->responses == pscf->responses)
- {
+ if (c->type == SOCK_DGRAM && from_upstream) {
+ u->responses++;
+ }
+
+ if (c->type == SOCK_DGRAM && u->responses == pscf->responses) {
src->read->ready = 0;
src->read->eof = 1;
}
@@ -1848,6 +1899,7 @@ ngx_stream_proxy_create_srv_conf(ngx_con
conf->upload_rate = NGX_CONF_UNSET_SIZE;
conf->download_rate = NGX_CONF_UNSET_SIZE;
conf->responses = NGX_CONF_UNSET_UINT;
+ conf->requests = NGX_CONF_UNSET_UINT;
conf->next_upstream_tries = NGX_CONF_UNSET_UINT;
conf->next_upstream = NGX_CONF_UNSET;
conf->proxy_protocol = NGX_CONF_UNSET;
@@ -1893,6 +1945,9 @@ ngx_stream_proxy_merge_srv_conf(ngx_conf
ngx_conf_merge_uint_value(conf->responses,
prev->responses, NGX_MAX_INT32_VALUE);
+ ngx_conf_merge_uint_value(conf->requests,
+ prev->requests, NGX_MAX_INT32_VALUE);
+
ngx_conf_merge_uint_value(conf->next_upstream_tries,
prev->next_upstream_tries, 0);
@@ -2019,6 +2074,34 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf,
return NGX_OK;
}
+
+static
+char *ngx_stream_proxy_set_ssl_protocols(ngx_conf_t *cf, ngx_command_t *cmd,
+ void *conf)
+{
+ ngx_stream_proxy_srv_conf_t *pscf = conf;
+
+ char *rv;
+
+ rv = ngx_conf_set_bitmask_slot(cf, cmd, conf);
+
+ if (rv != NGX_CONF_OK) {
+ return rv;
+ }
+
+ /* DTLS protocol requires corresponding TLS version to be set */
+
+ if (pscf->ssl_protocols & NGX_SSL_DTLSv1) {
+ pscf->ssl_protocols |= NGX_SSL_TLSv1;
+ }
+
+ if (pscf->ssl_protocols & NGX_SSL_DTLSv1_2) {
+ pscf->ssl_protocols |= NGX_SSL_TLSv1_2;
+ }
+
+ return NGX_CONF_OK;
+}
+
#endif
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -34,6 +34,8 @@ static char *ngx_stream_ssl_merge_conf(n
static char *ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
+static char *ngx_stream_set_ssl_protocols(ngx_conf_t *cf, ngx_command_t *cmd,
+ void *conf);
static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
static ngx_int_t ngx_stream_ssl_init(ngx_conf_t *cf);
@@ -46,6 +48,9 @@ static ngx_conf_bitmask_t ngx_stream_ss
{ ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
{ ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
{ ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
+ { ngx_string("DTLSv1"), NGX_SSL_DTLSv1 },
+ { ngx_string("DTLSv1.2"), NGX_SSL_DTLSv1_2 },
+
{ ngx_null_string, 0 }
};
@@ -105,7 +110,7 @@ static ngx_command_t ngx_stream_ssl_com
{ ngx_string("ssl_protocols"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_1MORE,
- ngx_conf_set_bitmask_slot,
+ ngx_stream_set_ssl_protocols,
NGX_STREAM_SRV_CONF_OFFSET,
offsetof(ngx_stream_ssl_conf_t, protocols),
&ngx_stream_ssl_protocols },
@@ -365,7 +370,8 @@ ngx_stream_ssl_init_connection(ngx_ssl_t
cscf = ngx_stream_get_module_srv_conf(s, ngx_stream_core_module);
- if (cscf->tcp_nodelay && ngx_tcp_nodelay(c) != NGX_OK) {
+ if (c->type == SOCK_STREAM
+ && cscf->tcp_nodelay && ngx_tcp_nodelay(c) != NGX_OK) {
return NGX_ERROR;
}
@@ -389,6 +395,11 @@ ngx_stream_ssl_init_connection(ngx_ssl_t
return NGX_AGAIN;
}
+ if (rc == NGX_ABORT) {
+ /* DTLS handshake sent the cookie to client */
+ return NGX_ERROR;
+ }
+
/* rc == NGX_OK */
return NGX_OK;
@@ -721,6 +732,33 @@ ngx_stream_ssl_password_file(ngx_conf_t
static char *
+ngx_stream_set_ssl_protocols(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+ ngx_stream_ssl_conf_t *scf = conf;
+
+ char *rv;
+
+ rv = ngx_conf_set_bitmask_slot(cf, cmd, conf);
+
+ if (rv != NGX_CONF_OK) {
+ return rv;
+ }
+
+ /* DTLS protocol requires corresponding TLS version to be set */
+
+ if (scf->protocols & NGX_SSL_DTLSv1) {
+ scf->protocols |= NGX_SSL_TLSv1;
+ }
+
+ if (scf->protocols & NGX_SSL_DTLSv1_2) {
+ scf->protocols |= NGX_SSL_TLSv1_2;
+ }
+
+ return NGX_CONF_OK;
+}
+
+
+static char *
ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
ngx_stream_ssl_conf_t *scf = conf;
@@ -835,8 +873,13 @@ invalid:
static ngx_int_t
ngx_stream_ssl_init(ngx_conf_t *cf)
{
- ngx_stream_handler_pt *h;
- ngx_stream_core_main_conf_t *cmcf;
+ ngx_uint_t i;
+ ngx_stream_listen_t *ls;
+ ngx_stream_handler_pt *h;
+ ngx_stream_conf_ctx_t *sctx;
+ ngx_stream_ssl_conf_t **sscfp, *sscf;
+ ngx_stream_core_srv_conf_t **cscfp, *cscf;
+ ngx_stream_core_main_conf_t *cmcf;
cmcf = ngx_stream_conf_get_module_main_conf(cf, ngx_stream_core_module);
@@ -847,5 +890,52 @@ ngx_stream_ssl_init(ngx_conf_t *cf)
*h = ngx_stream_ssl_handler;
+ cmcf = ngx_stream_conf_get_module_main_conf(cf, ngx_stream_core_module);
+
+ ls = cmcf->listen.elts;
+
+ for (i = 0; i < cmcf->listen.nelts; i++) {
+ if (ls[i].ssl) {
+ sctx = ls[i].ctx;
+
+ sscfp = (ngx_stream_ssl_conf_t **)sctx->srv_conf;
+ cscfp = (ngx_stream_core_srv_conf_t **)sctx->srv_conf;
+
+ sscf = sscfp[ngx_stream_ssl_module.ctx_index];
+ cscf = cscfp[ngx_stream_core_module.ctx_index];
+
+ if (sscf->certificates == NULL) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate\" is defined "
+ "in server listening on SSL port at %s:%ui",
+ cscf->file_name, cscf->line);
+ return NGX_ERROR;
+ }
+
+ if (ls[i].type == SOCK_DGRAM) {
+ if (!(sscf->protocols & NGX_SSL_DTLSv1
+ || sscf->protocols & NGX_SSL_DTLSv1_2))
+ {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "\"ssl_protocols\" does not enable DTLS in a "
+ "server listening on UDP SSL port at %s:%ui",
+ cscf->file_name, cscf->line);
+ return NGX_ERROR;
+ }
+
+ } else {
+ if (sscf->protocols & NGX_SSL_DTLSv1
+ || sscf->protocols & NGX_SSL_DTLSv1_2 )
+ {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "\"ssl_protocols\" includes DTLS in a server "
+ "listening on SSL port at %s:%ui",
+ cscf->file_name, cscf->line);
+ return NGX_ERROR;
+ }
+ }
+ }
+ }
+
return NGX_OK;
}
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
| Subject | Author | Posted |
|---|---|---|
|
Vladimir Homutov | May 18, 2017 05:26AM |
|
George | May 18, 2017 10:29AM |
|
Vladimir Homutov | May 18, 2017 10:52AM |
|
George | May 18, 2017 07:52PM |
|
shankerwangmiao | February 20, 2018 11:20PM |
|
Vladimir Homutov | February 21, 2018 05:20AM |
|
shankerwangmiao | February 21, 2018 08:47AM |
|
Vladimir Homutov | February 21, 2018 09:14AM |
|
shankerwangmiao | February 21, 2018 09:32AM |
|
shankerwangmiao | February 21, 2018 09:46AM |
|
Vladimir Homutov | February 21, 2018 10:36AM |
|
shankerwangmiao | February 21, 2018 10:56AM |
Sorry, only registered users may post in this forum.
Online Users
Guests:
121
Record Number of Users:
8
on April 13, 2023
Record Number of Guests:
421
on December 02, 2018
This forum is powered by Phorum.
 |
 |
 |
 |
|