[PATCH] Add ssl_client_tls_bind variable
Rob Casey
rcasey at gmail.com
Fri Dec 15 07:02:45 UTC 2023
First time caller, long time listener.
This patch introduces the variable $ssl_client_tls_bind which provides the
last Finished message returned by the OpenSSL SSL_get_peer_finished()
function. The value returned by this function may be used in TLS channel
binding operations as described in RFC 5929
<https://datatracker.ietf.org/doc/html/rfc5929> (TLSv1.2) and RFC 9266
<https://datatracker.ietf.org/doc/html/rfc9266> (TLSv1.3). The bytes
returned by this function are base64-encoded for ease of use, as suggested in
the nginx forum thread
<https://forum.nginx.org/read.php?10,286777>.
Rob
# HG changeset patch
# User Rob Casey <rcasey at gmail.com>
# Date 1702623002 0
# Fri Dec 15 06:50:02 2023 +0000
# Node ID b76f61aaf306ad55604dfa47d572a0dbc1dcab50
# Parent 6c8595b77e667bd58fd28186939ed820f2e55e0e
Added $ssl_client_tls_bind variable.
This variable provides the last Finished message returned by the OpenSSL
SSL_get_peer_finished() function for use in TLS channel binding operations as
described in RFC 5929 (TLSv1.2) and RFC 9266 (TLSv1.3). The bytes returned by
this function are base64-encoded for ease-of-use.
diff -r 6c8595b77e66 -r b76f61aaf306 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Tue Dec 12 20:21:12 2023 +0400
+++ b/src/event/ngx_event_openssl.c Fri Dec 15 06:50:02 2023 +0000
@@ -5943,6 +5943,34 @@
}
+ngx_int_t
+ngx_ssl_get_client_tls_bind(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+ ngx_str_t data;
+ u_char buf[1024];
+ size_t n;
+
+ s->len = 0;
+
+ n = SSL_get_peer_finished(c->ssl->connection, buf, sizeof(buf));
+ if (n == 0) {
+ return NGX_OK;
+ }
+ data.len = n;
+ data.data = buf;
+
+ n = ngx_base64_encoded_length(data.len);
+ s->data = ngx_palloc(pool, n);
+ if (s->data == NULL) {
+ return NGX_ERROR;
+ }
+ ngx_encode_base64(s, &data);
+ s->len = n;
+
+ return NGX_OK;
+}
+
+
static time_t
ngx_ssl_parse_time(
#if OPENSSL_VERSION_NUMBER > 0x10100000L
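Review bot: The value ngx_ssl_get_client_tls_bind() exposes is the peer's most recent Finished message, which equals the RFC 5929 tls-unique binding only for a full, non-resumed handshake; on a resumed session the server sends Finished first, so tls-unique would be the server's own Finished (SSL_get_finished() after an SSL_session_reused() check), and the RFC 9266 tls-exporter binding is derived from the TLS keying-material exporter rather than from any Finished message, so the description's RFC 9266 / TLSv1.3 claim does not hold for this code. Either handle the resumed case and drop the RFC 9266 reference, or document the variable as the raw peer Finished bytes and let the consumer decide whether that is a usable binding. Separately, SSL_get_peer_finished() returns the full message length even when the buffer is smaller, so `data.len = n` with `n > sizeof(buf)` would read past buf; guard with `if (n == 0 || n > sizeof(buf)) { return NGX_OK; }`. The trailing `s->len = n;` is redundant because ngx_encode_base64() already sets s->len.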
diff -r 6c8595b77e66 -r b76f61aaf306 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Tue Dec 12 20:21:12 2023 +0400
+++ b/src/event/ngx_event_openssl.h Fri Dec 15 06:50:02 2023 +0000
@@ -307,6 +307,8 @@
ngx_str_t *s);
ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
+ngx_int_t ngx_ssl_get_client_tls_bind(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s);
ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
diff -r 6c8595b77e66 -r b76f61aaf306 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Tue Dec 12 20:21:12 2023 +0400
+++ b/src/http/modules/ngx_http_ssl_module.c Fri Dec 15 06:50:02 2023 +0000
@@ -399,6 +399,9 @@
{ ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,
(uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },
+ { ngx_string("ssl_client_tls_bind"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_client_tls_bind, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
ngx_http_null_variable
};
diff -r 6c8595b77e66 -r b76f61aaf306 src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c Tue Dec 12 20:21:12 2023 +0400
+++ b/src/stream/ngx_stream_ssl_module.c Fri Dec 15 06:50:02 2023 +0000
@@ -322,6 +322,9 @@
{ ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable,
(uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 },
+ { ngx_string("ssl_client_tls_bind"), NULL, ngx_stream_ssl_variable,
+ (uintptr_t) ngx_ssl_get_client_tls_bind, NGX_STREAM_VAR_CHANGEABLE, 0 },
+
ngx_stream_null_variable
};