openssl-patch/nginx_strict-sni.patch

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 75129134..a41edeab 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1455,6 +1455,14 @@ ngx_ssl_handshake(ngx_connection_t *c)
 
     c->read->error = 1;
 
+#if (!defined SSL_R_CALLBACK_FAILED || !defined SSL_F_FINAL_SERVER_NAME)
+    if (sslerr == SSL_ERROR_SSL) {
+        ERR_peek_error();
+        ERR_clear_error();
+        return NGX_ERROR;
+    }
+#endif
+
     ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed");
 
     return NGX_ERROR;
@@ -1568,6 +1576,14 @@ ngx_ssl_try_early_data(ngx_connection_t *c)
 
     c->read->error = 1;
 
+#if (!defined SSL_R_CALLBACK_FAILED || !defined SSL_F_FINAL_SERVER_NAME)
+    if (sslerr == SSL_ERROR_SSL) {
+        ERR_peek_error();
+        ERR_clear_error();
+        return NGX_ERROR;
+    }
+#endif
+
     ngx_ssl_connection_error(c, sslerr, err, "SSL_read_early_data() failed");
 
     return NGX_ERROR;
@@ -2547,6 +2563,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
     char *text)
 {
     int         n;
+#if (defined SSL_R_CALLBACK_FAILED && defined SSL_F_FINAL_SERVER_NAME)
+    int         f;
+#endif
     ngx_uint_t  level;
 
     level = NGX_LOG_CRIT;
@@ -2583,6 +2602,20 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
 
         n = ERR_GET_REASON(ERR_peek_error());
 
+        /* Strict SNI Error Patch
+         * https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427040319
+         */
+#if (defined SSL_R_CALLBACK_FAILED && defined SSL_F_FINAL_SERVER_NAME)
+        if (n == SSL_R_CALLBACK_FAILED) {
+            f = ERR_GET_FUNC(ERR_peek_error());
+            if (f == SSL_F_FINAL_SERVER_NAME) {
+                ERR_peek_error();
+                ERR_clear_error();
+                return;
+            }
+        }
+#endif
+
             /* handshake failures */
         if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC                        /*  103 */
 #ifdef SSL_R_NO_SUITABLE_KEY_SHARE
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 7dd28b8c..5e5bbed1 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -849,7 +849,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
     servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
 
     if (servername == NULL) {
-        return SSL_TLSEXT_ERR_NOACK;
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
     }
 
     c = ngx_ssl_get_connection(ssl_conn);
@@ -864,7 +864,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
     host.len = ngx_strlen(servername);
 
     if (host.len == 0) {
-        return SSL_TLSEXT_ERR_NOACK;
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
     }
 
     host.data = (u_char *) servername;
@@ -879,7 +879,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
                                      NULL, &cscf)
         != NGX_OK)
     {
-        return SSL_TLSEXT_ERR_NOACK;
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
     }
 
     hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
Update nginx strict sni patch. 2018-10-07 10:43:09 +00:00			`diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c`
Compatibility patch between nginx strict sni and BoringSSL. 2018-10-07 12:56:53 +00:00			`index 75129134..a41edeab 100644`
Update nginx strict sni patch. 2018-10-07 10:43:09 +00:00			`--- a/src/event/ngx_event_openssl.c`
			`+++ b/src/event/ngx_event_openssl.c`
Compatibility patch between nginx strict sni and BoringSSL. 2018-10-07 12:56:53 +00:00			`@@ -1455,6 +1455,14 @@ ngx_ssl_handshake(ngx_connection_t *c)`

			`c->read->error = 1;`

			`+#if (!defined SSL_R_CALLBACK_FAILED \|\| !defined SSL_F_FINAL_SERVER_NAME)`
			`+ if (sslerr == SSL_ERROR_SSL) {`
			`+ ERR_peek_error();`
			`+ ERR_clear_error();`
			`+ return NGX_ERROR;`
			`+ }`
			`+#endif`
			`+`
			`ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed");`

			`return NGX_ERROR;`
			`@@ -1568,6 +1576,14 @@ ngx_ssl_try_early_data(ngx_connection_t *c)`

			`c->read->error = 1;`

			`+#if (!defined SSL_R_CALLBACK_FAILED \|\| !defined SSL_F_FINAL_SERVER_NAME)`
			`+ if (sslerr == SSL_ERROR_SSL) {`
			`+ ERR_peek_error();`
			`+ ERR_clear_error();`
			`+ return NGX_ERROR;`
			`+ }`
			`+#endif`
			`+`
			`ngx_ssl_connection_error(c, sslerr, err, "SSL_read_early_data() failed");`

			`return NGX_ERROR;`
			`@@ -2547,6 +2563,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,`
Update nginx strict sni patch. 2018-10-07 10:43:09 +00:00			`char *text)`
			`{`
			`int n;`
Compatibility patch between nginx strict sni and BoringSSL. 2018-10-07 12:56:53 +00:00			`+#if (defined SSL_R_CALLBACK_FAILED && defined SSL_F_FINAL_SERVER_NAME)`
Update nginx strict sni patch. 2018-10-07 10:43:09 +00:00			`+ int f;`
Compatibility patch between nginx strict sni and BoringSSL. 2018-10-07 12:56:53 +00:00			`+#endif`
Update nginx strict sni patch. 2018-10-07 10:43:09 +00:00			`ngx_uint_t level;`
Add Strict-SNI Thanks @JemmyLoveJenny Issue link : https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-421551872 2018-09-15 12:10:17 +00:00
Update nginx strict sni patch. 2018-10-07 10:43:09 +00:00			`level = NGX_LOG_CRIT;`
Compatibility patch between nginx strict sni and BoringSSL. 2018-10-07 12:56:53 +00:00			`@@ -2583,6 +2602,20 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,`
Add Strict-SNI Thanks @JemmyLoveJenny Issue link : https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-421551872 2018-09-15 12:10:17 +00:00
Update nginx strict sni patch. 2018-10-07 10:43:09 +00:00			`n = ERR_GET_REASON(ERR_peek_error());`
Improved patch to nginx strict sni 2018-10-07 11:07:53 +00:00
Update nginx strict sni patch. 2018-10-07 10:43:09 +00:00			`+ /* Strict SNI Error Patch`
			`+ * https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427040319`
			`+ */`
Compatibility patch between nginx strict sni and BoringSSL. 2018-10-07 12:56:53 +00:00			`+#if (defined SSL_R_CALLBACK_FAILED && defined SSL_F_FINAL_SERVER_NAME)`
Improved patch to nginx strict sni 2018-10-07 11:07:53 +00:00			`+ if (n == SSL_R_CALLBACK_FAILED) {`
			`+ f = ERR_GET_FUNC(ERR_peek_error());`
			`+ if (f == SSL_F_FINAL_SERVER_NAME) {`
			`+ ERR_peek_error();`
			`+ ERR_clear_error();`
			`+ return;`
			`+ }`
Update nginx strict sni patch. 2018-10-07 10:43:09 +00:00			`+ }`
Compatibility patch between nginx strict sni and BoringSSL. 2018-10-07 12:56:53 +00:00			`+#endif`
Improved patch to nginx strict sni 2018-10-07 11:07:53 +00:00			`+`
Update nginx strict sni patch. 2018-10-07 10:43:09 +00:00			`/* handshake failures */`
			`if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */`
Improved patch to nginx strict sni 2018-10-07 11:07:53 +00:00			`#ifdef SSL_R_NO_SUITABLE_KEY_SHARE`
Fix some missing sources. Issue: https://github.com/hakasenyang/openssl-patch/issues/7#issuecomment-427643975 2018-10-07 10:58:10 +00:00			`diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c`
			`index 7dd28b8c..5e5bbed1 100644`
			`--- a/src/http/ngx_http_request.c`
			`+++ b/src/http/ngx_http_request.c`
			`@@ -849,7 +849,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t ssl_conn, int ad, void *arg)`
			`servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);`

			`if (servername == NULL) {`
			`- return SSL_TLSEXT_ERR_NOACK;`
			`+ return SSL_TLSEXT_ERR_ALERT_FATAL;`
			`}`

			`c = ngx_ssl_get_connection(ssl_conn);`
			`@@ -864,7 +864,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t ssl_conn, int ad, void *arg)`
			`host.len = ngx_strlen(servername);`

			`if (host.len == 0) {`
			`- return SSL_TLSEXT_ERR_NOACK;`
			`+ return SSL_TLSEXT_ERR_ALERT_FATAL;`
			`}`

			`host.data = (u_char *) servername;`
			`@@ -879,7 +879,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t ssl_conn, int ad, void *arg)`
			`NULL, &cscf)`
			`!= NGX_OK)`
			`{`
			`- return SSL_TLSEXT_ERR_NOACK;`
			`+ return SSL_TLSEXT_ERR_ALERT_FATAL;`
			`}`

			`hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));`