diff src/mail/ngx_mail_auth_http_module.c @ 9324:03cdd806c0f2

SSL: added SHA-256 fingerprints. In http and stream modules, the $ssl_client_fingerprint_sha256 variable now provides client certificate SHA-256 fingerprint, in addition to the $ssl_client_fingerprint variable with SHA-1 fingerprint. In mail proxy, the "Auth-SSL-Fingerprint-SHA256" header was added.
author Maxim Dounin <mdounin@mdounin.ru>
date Sat, 31 Aug 2024 00:30:42 +0300
parents 4538c1ffb0f8
children
--- a/src/mail/ngx_mail_auth_http_module.c
+++ b/src/mail/ngx_mail_auth_http_module.c
@@ -1213,7 +1213,8 @@ ngx_mail_auth_http_create_request(ngx_ma
     ngx_connection_t          *c;
 #if (NGX_MAIL_SSL)
     ngx_str_t                  protocol, cipher, verify, subject, issuer,
-                               serial, fingerprint, raw_cert, cert;
+                               serial, fingerprint, fingerprint2, raw_cert,
+                               cert;
     ngx_mail_ssl_conf_t       *sslcf;
 #endif
     ngx_mail_core_srv_conf_t  *cscf;
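Review bot: The new local `fingerprint2` in the declaration list does not say which digest it holds, while the existing `fingerprint` carries the SHA-1 value. Naming it after the algorithm, e.g. `serial, fingerprint, fingerprint_sha256, raw_cert,`, would make the later uses (the `ngx_ssl_get_fingerprint_sha256()` call, the `ngx_str_null()` reset, the length sum and the header write) self-explanatory and harder to mix up with the SHA-1 one. The declaration block belongs to ngx_mail_auth_http_create_request(), which starts and ends outside this hunk.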
@@ -1275,6 +1276,10 @@ ngx_mail_auth_http_create_request(ngx_ma
             return NULL;
         }
 
+        if (ngx_ssl_get_fingerprint_sha256(c, pool, &fingerprint2) != NGX_OK) {
+            return NULL;
+        }
+
         if (ahcf->pass_client_cert) {
 
             /* certificate itself, if configured */
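Review bot: Nothing in the visible lines ties the value obtained by `ngx_ssl_get_fingerprint_sha256(c, pool, &fingerprint2)` to the outcome of client certificate verification, which is presumably carried separately in `verify`. The enclosing condition is outside the hunk. A fingerprint of a presented but unverified certificate identifies nothing, so the auth backend must not treat this header as an identity on its own. I would add a comment above the call, `/* fingerprint of the presented certificate; meaningful only together with the verify result */`, and mirror that sentence in the documentation of the new header.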
@@ -1297,6 +1302,7 @@ ngx_mail_auth_http_create_request(ngx_ma
         ngx_str_null(&issuer);
         ngx_str_null(&serial);
         ngx_str_null(&fingerprint);
+        ngx_str_null(&fingerprint2);
         ngx_str_null(&cert);
     }
 
@@ -1360,6 +1366,8 @@ ngx_mail_auth_http_create_request(ngx_ma
                      + sizeof(CRLF) - 1
                + sizeof("Auth-SSL-Fingerprint: ") - 1 + fingerprint.len
                      + sizeof(CRLF) - 1
+               + sizeof("Auth-SSL-Fingerprint-SHA256: ") - 1 + fingerprint2.len
+                     + sizeof(CRLF) - 1
                + sizeof("Auth-SSL-Cert: ") - 1 + cert.len
                      + sizeof(CRLF) - 1;
     }
@@ -1520,6 +1528,13 @@ ngx_mail_auth_http_create_request(ngx_ma
             *b->last++ = CR; *b->last++ = LF;
         }
 
+        if (fingerprint2.len) {
+            b->last = ngx_cpymem(b->last, "Auth-SSL-Fingerprint-SHA256: ",
+                                 sizeof("Auth-SSL-Fingerprint-SHA256: ") - 1);
+            b->last = ngx_copy(b->last, fingerprint2.data, fingerprint2.len);
+            *b->last++ = CR; *b->last++ = LF;
+        }
+
         if (cert.len) {
             b->last = ngx_cpymem(b->last, "Auth-SSL-Cert: ",
                                  sizeof("Auth-SSL-Cert: ") - 1);
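Review bot: `fingerprint2.data` is copied into the request with `ngx_copy()` and no escaping, which is safe only if ngx_ssl_get_fingerprint_sha256() can return nothing but hex digits; that helper is not visible here, so this is presumably the case but is not stated anywhere in the hunk. I would add a comment above the `if (fingerprint2.len)` block, `/* hex-encoded by ngx_ssl_get_fingerprint_sha256(), no escaping needed */`, so that a later change of encoding does not silently let CR/LF into the auth request. The write also relies on the length reserved in the earlier hunk (`+ sizeof("Auth-SSL-Fingerprint-SHA256: ") - 1 + fingerprint2.len`), so the literal has to stay identical in both places. The enclosing function starts and ends outside this hunk.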