First time caller, long time listener. This patch introduces the variable $ssl_client_tls_bind which provides the last Finished message returned by the OpenSSL SSL_get_peer_finished() function. The value returned by this function may be used in TLS channel binding operations as described in RFC 5929 <https://datatracker.ietf.org/doc/html/rfc5929> (TLSv1.2) and RFC 9266 <https://datatracker.ietf.org/doc/html/rfc9266> (TLSv1.3). The bytes returned by this function are base64-encoded for ease-of-use as per suggestion on Nginx forum thread <https://forum.nginx.org/read.php?10,286777>.
Rob
# HG changeset patch
# User Rob Casey <rca...@gmail.com>
# Date 1702623002 0
# Fri Dec 15 06:50:02 2023 +0000
# Node ID b76f61aaf306ad55604dfa47d572a0dbc1dcab50
# Parent 6c8595b77e667bd58fd28186939ed820f2e55e0e
Added $ssl_client_tls_bind variable. This variable provides the last Finished message returned by the OpenSSL SSL_get_peer_finished() function for use in TLS channel binding operations as described in RFC 5929 (TLSv1.2) and RFC 9266 (TLSv1.3). The bytes returned by this function are base64-encoded for ease-of-use.
diff -r 6c8595b77e66 -r b76f61aaf306 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Tue Dec 12 20:21:12 2023 +0400
+++ b/src/event/ngx_event_openssl.c Fri Dec 15 06:50:02 2023 +0000
@@ -5943,6 +5943,34 @@
 }
 
 
+ngx_int_t
+ngx_ssl_get_client_tls_bind(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+ ngx_str_t data;
+ u_char buf[1024];
+ size_t n;
+
+ s->len = 0;
+
+ n = SSL_get_peer_finished(c->ssl->connection, buf, sizeof(buf));
+ if (n == 0) {
+ return NGX_OK;
+ }
+ data.len = n;
+ data.data = buf;
+
+ n = ngx_base64_encoded_length(data.len);
+ s->data = ngx_palloc(pool, n);
+ if (s->data == NULL) {
+ return NGX_ERROR;
+ }
+ ngx_encode_base64(s, &data);
+ s->len = n;
+
+ return NGX_OK;
+}
+
+
 static time_t
 ngx_ssl_parse_time(
 #if OPENSSL_VERSION_NUMBER > 0x10100000L
diff -r 6c8595b77e66 -r b76f61aaf306 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Tue Dec 12 20:21:12 2023 +0400
+++ b/src/event/ngx_event_openssl.h Fri Dec 15 06:50:02 2023 +0000
@@ -307,6 +307,8 @@
 ngx_str_t *s);
 ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool,
 ngx_str_t *s);
+ngx_int_t ngx_ssl_get_client_tls_bind(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s);
 
 
 ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
diff -r 6c8595b77e66 -r b76f61aaf306 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Tue Dec 12 20:21:12 2023 +0400
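Review bot: In ngx_ssl_get_client_tls_bind() the length `n` returned by SSL_get_peer_finished() is used as `data.len` without being bounded by the buffer, but OpenSSL documents that call as returning the full Finished length while copying at most the `count` bytes that fit, so a Finished longer than 1024 bytes would make the base64 step read past `buf`; no current TLS version produces one that long, but the bound is cheap to enforce: `if (n == 0 || n > sizeof(buf)) {`. The commit message presents the value as the RFC 9266 binding for TLSv1.3, yet RFC 9266 defines tls-exporter, which is derived with the keying material exporter (label "EXPORTER-Channel-Binding", empty context, 32 bytes) and not from a Finished message, and it states that tls-unique is not defined for TLS 1.3, so on TLS 1.3 connections this variable does not carry the binding that RFC names and the variable's documentation should say so. For RFC 5929 tls-unique the binding is the first Finished of the latest handshake, which on a resumed session is the server's rather than the peer's, and RFC 7627 advises relying on tls-unique only when the extended master secret extension was negotiated; a short comment above the function recording both caveats would help callers. The trailing `s->len = n;` is redundant because ngx_encode_base64() already sets the output length.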
+++ b/src/http/modules/ngx_http_ssl_module.c Fri Dec 15 06:50:02 2023 +0000
@@ -399,6 +399,9 @@
 { ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,
 (uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
+ { ngx_string("ssl_client_tls_bind"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_client_tls_bind, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
 ngx_http_null_variable
 };
 
diff -r 6c8595b77e66 -r b76f61aaf306 src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c Tue Dec 12 20:21:12 2023 +0400
+++ b/src/stream/ngx_stream_ssl_module.c Fri Dec 15 06:50:02 2023 +0000
@@ -322,6 +322,9 @@
 { ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable,
 (uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 },
 
+ { ngx_string("ssl_client_tls_bind"), NULL, ngx_stream_ssl_variable,
+ (uintptr_t) ngx_ssl_get_client_tls_bind, NGX_STREAM_VAR_CHANGEABLE, 0 },
+
 ngx_stream_null_variable
 };
 