File ngx-detect-heartbleed.patch of Package nginx (Revision 64)
--- src/event/ngx_event_openssl.c
+++ src/event/ngx_event_openssl.c
@@ -18,6 +18,9 @@ typedef struct {
 static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
 static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn,
 int where, int ret);
+static void ngx_ssl_msg_callback(
+ int write_p, int version, int content_type,
+ const void *buf, size_t len, SSL *ssl, void *log);
 static void ngx_ssl_handshake_handler(ngx_event_t *ev);
 static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n);
 static void ngx_ssl_write_handler(ngx_event_t *wev);
@@ -244,6 +247,8 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
 SSL_CTX_set_read_ahead(ssl->ctx, 1);
 
 SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+ SSL_CTX_set_msg_callback(ssl->ctx, ngx_ssl_msg_callback);
+ SSL_CTX_set_msg_callback_arg(ssl->ctx, ssl->log);
 
 return NGX_OK;
 }
@@ -532,6 +537,22 @@ ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
 return 1;
 }
 
+static void ngx_ssl_msg_callback(
+ int write_p, int version, int content_type,
+ const void *buf, size_t len, ngx_ssl_conn_t *ssl, void *log)
+{
+ if (write_p == 0 && content_type == TLS1_RT_HEARTBEAT) {
+ unsigned char *p = buf;
+ unsigned int payload;
+
+ payload = (((unsigned int)(p[1])) << 8) | ((unsigned int)(p[2]));
+ if (1 + 2 + payload + 16 > len) {
+ ngx_log_error(NGX_LOG_ALERT, ((ngx_log_t*)log), 0, "Heartbleed attack detected");
+ }
+ }
+
+}
+
 
 static void
 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
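Review bot: The prototype added in the first hunk declares the sixth parameter as `SSL *ssl`, while the definition in the third hunk spells it `ngx_ssl_conn_t *ssl`. Presumably the two names are the same type, since the function is handed to OpenSSL as a message callback, but the declaration and definition should use one spelling so they cannot drift apart. The neighbouring `ngx_ssl_info_callback` prototype already uses `ngx_ssl_conn_t`, so `const void *buf, size_t len, ngx_ssl_conn_t *ssl, void *log);` is the consistent form.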
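Review bot: The registration in the second hunk is unconditional, but the callback it installs uses `TLS1_RT_HEARTBEAT` without a guard, so the file may not compile against an OpenSSL build that does not define that constant. Wrapping both the two `SSL_CTX_set_msg_callback*` calls and the callback itself in `#ifdef TLS1_RT_HEARTBEAT` keeps the build portable. The callback argument is the context-wide `ssl->log`, so the alert cannot say which client sent the record. Resolving the connection inside the callback with `ngx_ssl_get_connection(ssl)` and logging to `c->log` would normally attach the client address a responder needs. The body of ngx_ssl_create starts outside the hunk.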
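Review bot: The detector in the third hunk reads `p[1]` and `p[2]` before it looks at `len`, so a heartbeat record shorter than three bytes makes the callback itself read past the buffer it was given. Check the fixed minimum of `1 + 2 + 16` bytes first and report a shorter record as malformed rather than skipping it. `unsigned char *p = buf;` also discards the `const` on `buf`, which compilers warn about and a warnings-as-errors build would reject. Nothing in the hunk drops the record or closes the connection, so this is detection only; a comment above the function saying that the underlying OpenSSL still has to be patched would stop it being read as a mitigation.

```c
    if (write_p == 0 && content_type == TLS1_RT_HEARTBEAT) {
        const unsigned char  *p = buf;
        size_t                payload;

        /* type (1) + length (2) + minimum padding (16) must be present
         * before p[1] and p[2] may be read */
        if (len < 1 + 2 + 16) {
            ngx_log_error(NGX_LOG_ALERT, ((ngx_log_t*)log), 0,
                          "malformed heartbeat record");
            return;
        }

        payload = ((size_t) p[1] << 8) | p[2];
        /* … unchanged: 1 + 2 + payload + 16 > len check and alert … */
    }
```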