[PATCH] Add ssl_client_tls_bind variable

Rob Casey rcasey at gmail.com
Fri Dec 15 07:02:45 UTC 2023


First time caller, long time listener.

This patch introduces the variable $ssl_client_tls_bind which provides the
last Finished message returned by the OpenSSL SSL_get_peer_finished()
function. The value returned by this function may be used in TLS channel
binding operations as described in RFC 5929
<https://datatracker.ietf.org/doc/html/rfc5929> (TLSv1.2) and RFC 9266
<https://datatracker.ietf.org/doc/html/rfc9266> (TLSv1.3). The bytes
returned by this function are base64-encoded for ease of use, as suggested
in the nginx forum thread
<https://forum.nginx.org/read.php?10,286777>.

Rob
# HG changeset patch
# User Rob Casey <rcasey at gmail.com>
# Date 1702623002 0
#      Fri Dec 15 06:50:02 2023 +0000
# Node ID b76f61aaf306ad55604dfa47d572a0dbc1dcab50
# Parent  6c8595b77e667bd58fd28186939ed820f2e55e0e
Added $ssl_client_tls_bind variable.

This variable provides the last Finished message returned by the OpenSSL
SSL_get_peer_finished() function for use in TLS channel binding operations as
described in RFC 5929 (TLSv1.2) and RFC 9266 (TLSv1.3). The bytes returned by
this function are base64-encoded for ease-of-use.

diff -r 6c8595b77e66 -r b76f61aaf306 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Tue Dec 12 20:21:12 2023 +0400
+++ b/src/event/ngx_event_openssl.c	Fri Dec 15 06:50:02 2023 +0000
@@ -5943,6 +5943,34 @@
 }
 
 
+ngx_int_t
+ngx_ssl_get_client_tls_bind(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+    ngx_str_t   data;
+    u_char      buf[1024];
+    size_t      n;
+
+    s->len = 0;
+
+    n = SSL_get_peer_finished(c->ssl->connection, buf, sizeof(buf));
+    if (n == 0) {
+        return NGX_OK;
+    }
+    data.len = n;
+    data.data = buf;
+
+    n = ngx_base64_encoded_length(data.len);
+    s->data = ngx_palloc(pool, n);
+    if (s->data == NULL) {
+        return NGX_ERROR;
+    }
+    ngx_encode_base64(s, &data);
+    s->len = n;
+
+    return NGX_OK;
+}
+
+
 static time_t
 ngx_ssl_parse_time(
 #if OPENSSL_VERSION_NUMBER > 0x10100000L
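Review bot: The new ngx_ssl_get_client_tls_bind() always returns the peer's Finished message, but RFC 5929 defines tls-unique as the first Finished message *sent* in the most recent handshake, which is the client's on a full handshake and the server's own on an abbreviated (resumed) TLS 1.2 handshake, so for resumed sessions the value exposed here is not the one a client computing tls-unique will have. RFC 9266 does not define a Finished-based binding for TLS 1.3 at all; it defines tls-exporter (SSL_export_keying_material() with label "EXPORTER-Channel-Binding", empty context, 32 bytes) and states that tls-unique is undefined for TLS 1.3, so the RFC 9266 claim in the commit message is not supported by this code and should be dropped or the TLS 1.3 path should use the exporter. A comment on the function should also warn that tls-unique is only safe when the extended master secret (RFC 7627) was negotiated, e.g. checked via SSL_get_extms_support(), since without it the triple-handshake attack lets an attacker force matching Finished values across two connections. Minor: as I read the OpenSSL documentation, SSL_get_peer_finished() reports the full message length even when fewer bytes fit in the buffer, so `data.len = n` should be guarded, e.g. `if (n == 0 || n > sizeof(buf)) { return NGX_OK; }`.
```c
    /* … unchanged: locals, s->len = 0 … */

    /*
     * RFC 5929 tls-unique is the first Finished message *sent* in the most
     * recent handshake: the client's on a full handshake, the server's own
     * on an abbreviated (resumed) TLS 1.2 handshake.  Not defined for
     * TLS 1.3 (RFC 9266 uses the exporter instead).
     */
    if (SSL_session_reused(c->ssl->connection)) {
        n = SSL_get_finished(c->ssl->connection, buf, sizeof(buf));

    } else {
        n = SSL_get_peer_finished(c->ssl->connection, buf, sizeof(buf));
    }

    /* the full message length is reported even if only sizeof(buf) bytes fit */
    if (n == 0 || n > sizeof(buf)) {
        return NGX_OK;
    }

    /* … unchanged: base64 encoding into pool … */
```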
diff -r 6c8595b77e66 -r b76f61aaf306 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h	Tue Dec 12 20:21:12 2023 +0400
+++ b/src/event/ngx_event_openssl.h	Fri Dec 15 06:50:02 2023 +0000
@@ -307,6 +307,8 @@
     ngx_str_t *s);
 ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
+ngx_int_t ngx_ssl_get_client_tls_bind(ngx_connection_t *c, ngx_pool_t *pool,
+    ngx_str_t *s);
 
 
 ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
diff -r 6c8595b77e66 -r b76f61aaf306 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c	Tue Dec 12 20:21:12 2023 +0400
+++ b/src/http/modules/ngx_http_ssl_module.c	Fri Dec 15 06:50:02 2023 +0000
@@ -399,6 +399,9 @@
     { ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,
       (uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
+    { ngx_string("ssl_client_tls_bind"), NULL, ngx_http_ssl_variable,
+      (uintptr_t) ngx_ssl_get_client_tls_bind, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
       ngx_http_null_variable
 };
 
diff -r 6c8595b77e66 -r b76f61aaf306 src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c	Tue Dec 12 20:21:12 2023 +0400
+++ b/src/stream/ngx_stream_ssl_module.c	Fri Dec 15 06:50:02 2023 +0000
@@ -322,6 +322,9 @@
     { ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable,
       (uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 },
 
+    { ngx_string("ssl_client_tls_bind"), NULL, ngx_stream_ssl_variable,
+      (uintptr_t) ngx_ssl_get_client_tls_bind, NGX_STREAM_VAR_CHANGEABLE, 0 },
+
       ngx_stream_null_variable
 };
 

