[PATCH] SSL: export channel binding values as variables

Steffen Kieß Steffen.Kiess at ipvs.uni-stuttgart.de
Mon May 31 16:00:13 UTC 2021


# HG changeset patch
# User Steffen Kieß <kiess at ki4.de>
# Date 1622475202 -7200
#      Mon May 31 17:33:22 2021 +0200
# Node ID a877e63832c8b373edac1f4ca7d09621204b05b9
# Parent  d61d590ac82643bf7dbc7842e5baced7a9f11480
SSL: export channel binding values as variables.

Export the channel binding values for tls-unique and tls-server-end-point as
ssl_channel_binding_tls_unique and ssl_channel_binding_tls_server_end_point.
The values are hex-encoded and are without the prefix.

See RFC5929 for more information.

diff -r d61d590ac826 -r a877e63832c8 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Sun May 30 12:26:00 2021 +0300
+++ b/src/event/ngx_event_openssl.c	Mon May 31 17:33:22 2021 +0200
@@ -12,6 +12,8 @@
 
 #define NGX_SSL_PASSWORD_BUFFER_SIZE  4096
 
+#define NGX_SSL_MAX_CHANNEL_BINDING_SIZE 128
+
 
 typedef struct {
     ngx_uint_t  engine;   /* unsigned  engine:1; */
@@ -4608,6 +4610,104 @@
 
 
 ngx_int_t
+ngx_ssl_get_channel_binding_tls_unique(ngx_connection_t *c, ngx_pool_t *pool,
+    ngx_str_t *s)
+{
+    size_t  len;
+    u_char  buf[NGX_SSL_MAX_CHANNEL_BINDING_SIZE];
+
+    /* https://datatracker.ietf.org/doc/html/rfc5929#section-3.1 */
+    if (SSL_session_reused(c->ssl->connection)) {
+        /* abbreviated handshake, use message sent by the server (i.e. us) */
+        len = SSL_get_finished(c->ssl->connection, buf,
+                               NGX_SSL_MAX_CHANNEL_BINDING_SIZE);
+    } else {
+        /* full handshake, use message sent by the client (i.e. peer) */
+        len = SSL_get_peer_finished(c->ssl->connection, buf,
+                                    NGX_SSL_MAX_CHANNEL_BINDING_SIZE);
+    }
+
+    if (len == 0) {
+        s->len = 0;
+        return NGX_OK;
+    }
+
+    s->len = 2 * len;
+    s->data = ngx_pnalloc(pool, 2 * len);
+    if (s->data == NULL) {
+        return NGX_ERROR;
+    }
+
+    ngx_hex_dump(s->data, buf, len);
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_ssl_get_channel_binding_tls_server_end_point(ngx_connection_t *c,
+    ngx_pool_t *pool, ngx_str_t *s)
+{
+    /* required for X509_get_signature_nid support */
+#if OPENSSL_VERSION_NUMBER > 0x10100000L
+    int            algo_nid;
+    X509          *server_cert;
+    const char    *algo_name;
+    const EVP_MD  *algo_type;
+    unsigned int   len;
+    u_char         buf[EVP_MAX_MD_SIZE];
+
+    server_cert = SSL_get_certificate(c->ssl->connection);
+    if (server_cert == NULL) {
+        /* no server certificate */
+        s->len = 0;
+        return NGX_OK;
+    }
+
+    if (!OBJ_find_sigid_algs(X509_get_signature_nid(server_cert), &algo_nid,
+                             NULL)) {
+        ngx_log_error(NGX_LOG_ERR, c->log, 0,
+               "unable to find digest NID for certificate signature algorithm");
+        return NGX_ERROR;
+    }
+
+    /* https://datatracker.ietf.org/doc/html/rfc5929#section-4.1 */
+    if (algo_nid == NID_md5 || algo_nid == NID_sha1) {
+        algo_type = EVP_sha256();
+    } else {
+        algo_type = EVP_get_digestbynid(algo_nid);
+        if (algo_type == NULL) {
+            algo_name = OBJ_nid2sn(algo_nid);
+            ngx_log_error(NGX_LOG_ERR, c->log, 0,
+                          "could not find digest algorithm %s (NID %d)",
+                          algo_name ? algo_name : "(null)", algo_nid);
+            return NGX_ERROR;
+        }
+    }
+
+    if (!X509_digest(server_cert, algo_type, buf, &len)) {
+        ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "X509_digest() failed");
+        return NGX_ERROR;
+    }
+
+    s->len = 2 * len;
+    s->data = ngx_pnalloc(pool, 2 * len);
+    if (s->data == NULL) {
+        return NGX_ERROR;
+    }
+
+    ngx_hex_dump(s->data, buf, len);
+
+    return NGX_OK;
+#else
+    ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
+                  "nginx compiled without X509_get_signature_nid support");
+    return NGX_ERROR;
+#endif
+}
+
+
+ngx_int_t
 ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
     if (SSL_session_reused(c->ssl->connection)) {
diff -r d61d590ac826 -r a877e63832c8 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h	Sun May 30 12:26:00 2021 +0300
+++ b/src/event/ngx_event_openssl.h	Mon May 31 17:33:22 2021 +0200
@@ -247,6 +247,10 @@
     ngx_str_t *s);
 ngx_int_t ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
+ngx_int_t ngx_ssl_get_channel_binding_tls_unique(ngx_connection_t *c,
+    ngx_pool_t *pool, ngx_str_t *s);
+ngx_int_t ngx_ssl_get_channel_binding_tls_server_end_point(ngx_connection_t *c,
+    ngx_pool_t *pool, ngx_str_t *s);
 ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
 ngx_int_t ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool,
diff -r d61d590ac826 -r a877e63832c8 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c	Sun May 30 12:26:00 2021 +0300
+++ b/src/http/modules/ngx_http_ssl_module.c	Mon May 31 17:33:22 2021 +0200
@@ -350,6 +350,15 @@
     { ngx_string("ssl_curves"), NULL, ngx_http_ssl_variable,
       (uintptr_t) ngx_ssl_get_curves, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
+    { ngx_string("ssl_channel_binding_tls_unique"), NULL, ngx_http_ssl_variable,
+      (uintptr_t) ngx_ssl_get_channel_binding_tls_unique,
+      NGX_HTTP_VAR_CHANGEABLE, 0 },
+
+    { ngx_string("ssl_channel_binding_tls_server_end_point"), NULL,
+      ngx_http_ssl_variable,
+      (uintptr_t) ngx_ssl_get_channel_binding_tls_server_end_point,
+      NGX_HTTP_VAR_CHANGEABLE, 0 },
+
     { ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
       (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
diff -r d61d590ac826 -r a877e63832c8 src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c	Sun May 30 12:26:00 2021 +0300
+++ b/src/stream/ngx_stream_ssl_module.c	Mon May 31 17:33:22 2021 +0200
@@ -257,6 +257,16 @@
     { ngx_string("ssl_curves"), NULL, ngx_stream_ssl_variable,
       (uintptr_t) ngx_ssl_get_curves, NGX_STREAM_VAR_CHANGEABLE, 0 },
 
+    { ngx_string("ssl_channel_binding_tls_unique"), NULL,
+      ngx_stream_ssl_variable,
+      (uintptr_t) ngx_ssl_get_channel_binding_tls_unique,
+      NGX_STREAM_VAR_CHANGEABLE, 0 },
+
+    { ngx_string("ssl_channel_binding_tls_server_end_point"), NULL,
+      ngx_stream_ssl_variable,
+      (uintptr_t) ngx_ssl_get_channel_binding_tls_server_end_point,
+      NGX_STREAM_VAR_CHANGEABLE, 0 },
+
     { ngx_string("ssl_session_id"), NULL, ngx_stream_ssl_variable,
       (uintptr_t) ngx_ssl_get_session_id, NGX_STREAM_VAR_CHANGEABLE, 0 },
 



More information about the nginx-devel mailing list