From 99631ab7726b890a92b07622574bdd7021fba3a4 Mon Sep 17 00:00:00 2001 From: willmafh Date: Tue, 25 Feb 2025 18:21:16 +0800 Subject: [PATCH 1/2] SSL: $ssl_sigalg The variable contains the signature algorithm used for signing messages during the handshake. --- src/event/ngx_event_openssl.c | 34 ++++++++++++++++++++++++++ src/event/ngx_event_openssl.h | 2 ++ src/http/modules/ngx_http_ssl_module.c | 3 +++ src/stream/ngx_stream_ssl_module.c | 3 +++ 4 files changed, 42 insertions(+) diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c index 0681ca3a2..53e09b0b6 100644 --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -5847,6 +5847,40 @@ ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) } +ngx_int_t +ngx_ssl_get_sigalg(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) +{ + int nid; + int rc; + const char *sn; + + rc = SSL_get_signature_type_nid(c->ssl->connection, &nid); + + if (rc && nid != NID_undef) { + sn = OBJ_nid2sn(nid); + if (sn == NULL) { + s->len = sizeof("0x0000") - 1; + + s->data = ngx_pnalloc(pool, s->len); + if (s->data == NULL) { + return NGX_ERROR; + } + + ngx_sprintf(s->data, "0x%04xd", nid & 0xffff); + + return NGX_OK; + } + + s->len = ngx_strlen(sn); + s->data = (u_char *) sn; + return NGX_OK; + } + + s->len = 0; + return NGX_OK; +} + + static time_t ngx_ssl_parse_time( #if OPENSSL_VERSION_NUMBER > 0x10100000L diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h index 9ad4d177b..98e962851 100644 --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -335,6 +335,8 @@ ngx_int_t ngx_ssl_get_client_v_end(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s); ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s); +ngx_int_t ngx_ssl_get_sigalg(ngx_connection_t *c, ngx_pool_t *pool, + ngx_str_t *s); ngx_int_t ngx_ssl_handshake(ngx_connection_t *c); 
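Review bot: `SSL_get_signature_type_nid()` on the `rc =` line of `ngx_ssl_get_sigalg` first appeared in OpenSSL 1.1.1 and the new body has no guard around it, so this file stops compiling against OpenSSL 1.0.2 and, as far as I know, BoringSSL, which does not provide it; the rest of this file (e.g. `ngx_ssl_get_curve`, if I recall it correctly) guards such lookups and falls back to an empty value. Since it is a real function rather than a macro, `#ifdef` cannot detect it; wrap the lookup in `#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)` … `#endif` and leave the trailing `s->len = 0; return NGX_OK;` outside the guard (LibreSSL's coverage of this API should be checked too). Separately, the hex fallback writes exactly `sizeof("0x0000") - 1` bytes with `ngx_sprintf` into a buffer of that size, which is only correct because `nid & 0xffff` caps the value at four hex digits and `ngx_str_t` carries its own length; a one-line comment such as `/* ngx_sprintf adds no '\0'; s->len bounds the value via the 0xffff mask */` would stop the next reader from "fixing" it with a terminator.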
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index dbfe5c08b..67635d2f8 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -408,6 +408,9 @@ static ngx_http_variable_t ngx_http_ssl_vars[] = { { ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable, (uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 }, + { ngx_string("ssl_sigalg"), NULL, ngx_http_ssl_variable, + (uintptr_t) ngx_ssl_get_sigalg, NGX_HTTP_VAR_CHANGEABLE, 0 }, + ngx_http_null_variable }; diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c index 2f1b99624..6d7656670 100644 --- a/src/stream/ngx_stream_ssl_module.c +++ b/src/stream/ngx_stream_ssl_module.c @@ -397,6 +397,9 @@ static ngx_stream_variable_t ngx_stream_ssl_vars[] = { { ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable, (uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 }, + { ngx_string("ssl_sigalg"), NULL, ngx_stream_ssl_variable, + (uintptr_t) ngx_ssl_get_sigalg, NGX_STREAM_VAR_CHANGEABLE, 0 }, + ngx_stream_null_variable }; From f9035f9c5effe26ce0d94403e8fe39a1a135d719 Mon Sep 17 00:00:00 2001 From: willmafh Date: Tue, 25 Feb 2025 18:30:10 +0800 Subject: [PATCH 2/2] SSL: $ssl_peer_sigalg The variable contains the signature algorithm the remote peer used for signing messages during the handshake and at the local side, we can use it to verify the peer's signature. --- src/event/ngx_event_openssl.c | 34 ++++++++++++++++++++++++++ src/event/ngx_event_openssl.h | 2 ++ src/http/modules/ngx_http_ssl_module.c | 3 +++ src/stream/ngx_stream_ssl_module.c | 3 +++ 4 files changed, 42 insertions(+) diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c index 53e09b0b6..4f04ea849 100644 --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c 
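Review bot: The name `ssl_sigalg` in the new `ngx_http_ssl_vars` entry promises a TLS signature scheme such as `rsa_pss_rsae_sha256`, but the getter it points to, `ngx_ssl_get_sigalg`, returns `OBJ_nid2sn()` of the NID from `SSL_get_signature_type_nid()`, which in OpenSSL is the key type (`rsaEncryption`, `RSASSA-PSS`, `id-ecPublicKey`, `ED25519`), not the scheme: the hash is absent and `rsa_pss_rsae_*` / `rsa_pss_pss_*` collapse to the same string. Anyone using the variable to audit for SHA-1 signatures, the obvious use of a logging variable like this, will not get what they need. Either pair the key-type lookup with `SSL_get_signature_nid()` (the digest NID) in the getter and join the two, or document the variable as "key type of the local handshake signature"; newer OpenSSL 3.x has `SSL_get0_signature_name()` / `SSL_get0_peer_signature_name()` for the real scheme name (3.4 if I remember correctly, to be verified).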
@@ -5881,6 +5881,40 @@ ngx_ssl_get_sigalg(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) } +ngx_int_t +ngx_ssl_get_peer_sigalg(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) +{ + int nid; + int rc; + const char *sn; + + rc = SSL_get_peer_signature_type_nid(c->ssl->connection, &nid); + + if (rc && nid != NID_undef) { + sn = OBJ_nid2sn(nid); + if (sn == NULL) { + s->len = sizeof("0x0000") - 1; + + s->data = ngx_pnalloc(pool, s->len); + if (s->data == NULL) { + return NGX_ERROR; + } + + ngx_sprintf(s->data, "0x%04xd", nid & 0xffff); + + return NGX_OK; + } + + s->len = ngx_strlen(sn); + s->data = (u_char *) sn; + return NGX_OK; + } + + s->len = 0; + return NGX_OK; +} + + static time_t ngx_ssl_parse_time( #if OPENSSL_VERSION_NUMBER > 0x10100000L diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h index 98e962851..600d38cf5 100644 --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -337,6 +337,8 @@ ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s); ngx_int_t ngx_ssl_get_sigalg(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s); +ngx_int_t ngx_ssl_get_peer_sigalg(ngx_connection_t *c, ngx_pool_t *pool, + ngx_str_t *s); ngx_int_t ngx_ssl_handshake(ngx_connection_t *c); diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index 67635d2f8..de8d666fa 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -411,6 +411,9 @@ static ngx_http_variable_t ngx_http_ssl_vars[] = { { ngx_string("ssl_sigalg"), NULL, ngx_http_ssl_variable, (uintptr_t) ngx_ssl_get_sigalg, NGX_HTTP_VAR_CHANGEABLE, 0 }, + { ngx_string("ssl_peer_sigalg"), NULL, ngx_http_ssl_variable, + (uintptr_t) ngx_ssl_get_peer_sigalg, NGX_HTTP_VAR_CHANGEABLE, 0 }, + ngx_http_null_variable }; diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c index 6d7656670..5a0cd0d18 100644 
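Review bot: `ngx_ssl_get_peer_sigalg` is a byte-for-byte copy of `ngx_ssl_get_sigalg` from the previous patch apart from the `SSL_get_peer_signature_type_nid()` call on the `rc =` line, so the `OBJ_nid2sn` lookup, the `0x%04xd` fallback and the `ngx_pnalloc` error path now exist twice in this file and will drift the first time one is touched (the OpenSSL version guard both need, for example). I would move the NID-to-string formatting into one `static` helper that both public getters call, as below. `nid` should be initialized to `NID_undef` in that shape, because OpenSSL can leave `*psig_nid` untouched when the call returns 0 and the helper reads it unconditionally; the original code only avoided the uninitialized read through the short-circuit in `if (rc && nid != NID_undef)`.
```c
/* Formats a signature-type NID as its short name, or as 0xNNNN when
 * the NID has no short name; empty string when no signature was used. */
static ngx_int_t
ngx_ssl_sigalg_nid_to_str(ngx_pool_t *pool, int rc, int nid, ngx_str_t *s)
{
    const char  *sn;

    if (rc == 0 || nid == NID_undef) {
        s->len = 0;
        return NGX_OK;
    }

    sn = OBJ_nid2sn(nid);

    if (sn != NULL) {
        s->len = ngx_strlen(sn);
        s->data = (u_char *) sn;
        return NGX_OK;
    }

    s->len = sizeof("0x0000") - 1;

    s->data = ngx_pnalloc(pool, s->len);
    if (s->data == NULL) {
        return NGX_ERROR;
    }

    /* ngx_sprintf adds no '\0'; the 0xffff mask keeps the value within s->len */
    ngx_sprintf(s->data, "0x%04xd", nid & 0xffff);

    return NGX_OK;
}


ngx_int_t
ngx_ssl_get_peer_sigalg(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    int  rc, nid;

    nid = NID_undef;
    rc = SSL_get_peer_signature_type_nid(c->ssl->connection, &nid);

    return ngx_ssl_sigalg_nid_to_str(pool, rc, nid, s);
}
```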
--- a/src/stream/ngx_stream_ssl_module.c +++ b/src/stream/ngx_stream_ssl_module.c @@ -400,6 +400,9 @@ static ngx_stream_variable_t ngx_stream_ssl_vars[] = { { ngx_string("ssl_sigalg"), NULL, ngx_stream_ssl_variable, (uintptr_t) ngx_ssl_get_sigalg, NGX_STREAM_VAR_CHANGEABLE, 0 }, + { ngx_string("ssl_peer_sigalg"), NULL, ngx_stream_ssl_variable, + (uintptr_t) ngx_ssl_get_peer_sigalg, NGX_STREAM_VAR_CHANGEABLE, 0 }, + ngx_stream_null_variable };
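Review bot: Neither the new `ngx_stream_ssl_vars` entry nor the patch description says when `$ssl_peer_sigalg` is non-empty, and it will surprise users: a TLS peer only signs a handshake message when it authenticates, so on an nginx server the variable should be empty unless `ssl_verify_client` is in effect and the client actually presented a certificate (this follows from TLS semantics rather than from anything visible in the hunk, so please confirm). The description's "at the local side, we can use it to verify the peer's signature" reads as if nginx performed an extra verification step, which the code does not do. I would add to the variable documentation, for both the http and stream modules: "key type of the signature the peer produced during the handshake; empty when the peer did not sign anything, e.g. a server without client certificate authentication".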