[PATCH] SSL: export channel binding values as variables
Steffen Kieß
Steffen.Kiess at ipvs.uni-stuttgart.de
Mon May 31 16:00:13 UTC 2021
# HG changeset patch
# User Steffen Kieß <kiess at ki4.de>
# Date 1622475202 -7200
# Mon May 31 17:33:22 2021 +0200
# Node ID a877e63832c8b373edac1f4ca7d09621204b05b9
# Parent d61d590ac82643bf7dbc7842e5baced7a9f11480
SSL: export channel binding values as variables.
Export the channel binding values for tls-unique and tls-server-end-point as
ssl_channel_binding_tls_unique and ssl_channel_binding_tls_server_end_point.
The values are hex-encoded and are without the prefix.
See RFC5929 for more information.
diff -r d61d590ac826 -r a877e63832c8 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Sun May 30 12:26:00 2021 +0300
+++ b/src/event/ngx_event_openssl.c Mon May 31 17:33:22 2021 +0200
@@ -12,6 +12,8 @@
#define NGX_SSL_PASSWORD_BUFFER_SIZE 4096
+#define NGX_SSL_MAX_CHANNEL_BINDING_SIZE 128
+
typedef struct {
ngx_uint_t engine; /* unsigned engine:1; */
@@ -4608,6 +4610,104 @@
ngx_int_t
+ngx_ssl_get_channel_binding_tls_unique(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s)
+{
+ size_t len;
+ u_char buf[NGX_SSL_MAX_CHANNEL_BINDING_SIZE];
+
+ /* https://datatracker.ietf.org/doc/html/rfc5929#section-3.1 */
+ if (SSL_session_reused(c->ssl->connection)) {
+ /* abbreviated handshake, use message sent by the server (i.e. us) */
+ len = SSL_get_finished(c->ssl->connection, buf,
+ NGX_SSL_MAX_CHANNEL_BINDING_SIZE);
+ } else {
+ /* full handshake, use message sent by the client (i.e. peer) */
+ len = SSL_get_peer_finished(c->ssl->connection, buf,
+ NGX_SSL_MAX_CHANNEL_BINDING_SIZE);
+ }
+
+ if (len == 0) {
+ s->len = 0;
+ return NGX_OK;
+ }
+
+ s->len = 2 * len;
+ s->data = ngx_pnalloc(pool, 2 * len);
+ if (s->data == NULL) {
+ return NGX_ERROR;
+ }
+
+ ngx_hex_dump(s->data, buf, len);
+
+ return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_ssl_get_channel_binding_tls_server_end_point(ngx_connection_t *c,
+ ngx_pool_t *pool, ngx_str_t *s)
+{
+ /* required for X509_get_signature_nid support */
+#if OPENSSL_VERSION_NUMBER > 0x10100000L
+ int algo_nid;
+ X509 *server_cert;
+ const char *algo_name;
+ const EVP_MD *algo_type;
+ unsigned int len;
+ u_char buf[EVP_MAX_MD_SIZE];
+
+ server_cert = SSL_get_certificate(c->ssl->connection);
+ if (server_cert == NULL) {
+ /* no server certificate */
+ s->len = 0;
+ return NGX_OK;
+ }
+
+ if (!OBJ_find_sigid_algs(X509_get_signature_nid(server_cert), &algo_nid,
+ NULL)) {
+ ngx_log_error(NGX_LOG_ERR, c->log, 0,
+ "unable to find digest NID for certificate signature algorithm");
+ return NGX_ERROR;
+ }
+
+ /* https://datatracker.ietf.org/doc/html/rfc5929#section-4.1 */
+ if (algo_nid == NID_md5 || algo_nid == NID_sha1) {
+ algo_type = EVP_sha256();
+ } else {
+ algo_type = EVP_get_digestbynid(algo_nid);
+ if (algo_type == NULL) {
+ algo_name = OBJ_nid2sn(algo_nid);
+ ngx_log_error(NGX_LOG_ERR, c->log, 0,
+ "could not find digest algorithm %s (NID %d)",
+ algo_name ? algo_name : "(null)", algo_nid);
+ return NGX_ERROR;
+ }
+ }
+
+ if (!X509_digest(server_cert, algo_type, buf, &len)) {
+ ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "X509_digest() failed");
+ return NGX_ERROR;
+ }
+
+ s->len = 2 * len;
+ s->data = ngx_pnalloc(pool, 2 * len);
+ if (s->data == NULL) {
+ return NGX_ERROR;
+ }
+
+ ngx_hex_dump(s->data, buf, len);
+
+ return NGX_OK;
+#else
+ ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
+ "nginx compiled without X509_get_signature_nid support");
+ return NGX_ERROR;
+#endif
+}
+
+
+ngx_int_t
ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
if (SSL_session_reused(c->ssl->connection)) {
diff -r d61d590ac826 -r a877e63832c8 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Sun May 30 12:26:00 2021 +0300
+++ b/src/event/ngx_event_openssl.h Mon May 31 17:33:22 2021 +0200
@@ -247,6 +247,10 @@
ngx_str_t *s);
ngx_int_t ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
+ngx_int_t ngx_ssl_get_channel_binding_tls_unique(ngx_connection_t *c,
+ ngx_pool_t *pool, ngx_str_t *s);
+ngx_int_t ngx_ssl_get_channel_binding_tls_server_end_point(ngx_connection_t *c,
+ ngx_pool_t *pool, ngx_str_t *s);
ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
ngx_int_t ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool,
diff -r d61d590ac826 -r a877e63832c8 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Sun May 30 12:26:00 2021 +0300
+++ b/src/http/modules/ngx_http_ssl_module.c Mon May 31 17:33:22 2021 +0200
@@ -350,6 +350,15 @@
{ ngx_string("ssl_curves"), NULL, ngx_http_ssl_variable,
(uintptr_t) ngx_ssl_get_curves, NGX_HTTP_VAR_CHANGEABLE, 0 },
+ { ngx_string("ssl_channel_binding_tls_unique"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_channel_binding_tls_unique,
+ NGX_HTTP_VAR_CHANGEABLE, 0 },
+
+ { ngx_string("ssl_channel_binding_tls_server_end_point"), NULL,
+ ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_channel_binding_tls_server_end_point,
+ NGX_HTTP_VAR_CHANGEABLE, 0 },
+
{ ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
(uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },
diff -r d61d590ac826 -r a877e63832c8 src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c Sun May 30 12:26:00 2021 +0300
+++ b/src/stream/ngx_stream_ssl_module.c Mon May 31 17:33:22 2021 +0200
@@ -257,6 +257,16 @@
{ ngx_string("ssl_curves"), NULL, ngx_stream_ssl_variable,
(uintptr_t) ngx_ssl_get_curves, NGX_STREAM_VAR_CHANGEABLE, 0 },
+ { ngx_string("ssl_channel_binding_tls_unique"), NULL,
+ ngx_stream_ssl_variable,
+ (uintptr_t) ngx_ssl_get_channel_binding_tls_unique,
+ NGX_STREAM_VAR_CHANGEABLE, 0 },
+
+ { ngx_string("ssl_channel_binding_tls_server_end_point"), NULL,
+ ngx_stream_ssl_variable,
+ (uintptr_t) ngx_ssl_get_channel_binding_tls_server_end_point,
+ NGX_STREAM_VAR_CHANGEABLE, 0 },
+
{ ngx_string("ssl_session_id"), NULL, ngx_stream_ssl_variable,
(uintptr_t) ngx_ssl_get_session_id, NGX_STREAM_VAR_CHANGEABLE, 0 },
More information about the nginx-devel
mailing list