[nginx] SSL: improved handling of $ssl_curve and $ssl_curves var...
Maxim Dounin
mdounin at mdounin.ru
Mon Apr 14 23:10:32 UTC 2025
details: http://freenginx.org/hg/nginx/rev/22e6a225f605
branches:
changeset: 9341:22e6a225f605
user: Maxim Dounin <mdounin at mdounin.ru>
date: Tue Apr 15 02:09:29 2025 +0300
description:
SSL: improved handling of $ssl_curve and $ssl_curves variables.
Now both $ssl_curve and $ssl_curves try to use SSL_group_to_name()
if it is available and the group has no NID. Notably, this makes it possible to
see the name of the X25519MLKEM768 group as supported by OpenSSL 3.5.0.
diffstat:
src/event/ngx_event_openssl.c | 72 ++++++++++++++++++++++++++++++++++++------
1 files changed, 61 insertions(+), 11 deletions(-)
diffs (108 lines):
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -5270,6 +5270,26 @@ ngx_ssl_get_curve(ngx_connection_t *c, n
return NGX_OK;
}
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ {
+ u_char *name;
+
+ name = (u_char *) SSL_group_to_name(c->ssl->connection, nid);
+
+ if (name) {
+ s->len = ngx_strlen(name);
+
+ s->data = ngx_pnalloc(pool, s->len);
+ if (s->data == NULL) {
+ return NGX_ERROR;
+ }
+
+ ngx_memcpy(s->data, name, s->len);
+ return NGX_OK;
+ }
+ }
+#endif
+
s->len = sizeof("0x0000") - 1;
s->data = ngx_pnalloc(pool, s->len);
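Review bot: The new OpenSSL 3.0 block at the top of the hunk has no comment saying why a second lookup follows the NID path, and a reader who does not know SSL_group_to_name() will not see that it is the only way to name a group without a NID (the X25519MLKEM768 case from the description) and that the code relies on it accepting the TLSEXT_nid_unknown-flagged id, which the later hunks in ngx_ssl_get_curves() make explicit. Suggest `/* no NID for this group: ask the library for its name (OpenSSL 3.0+) */` above the opening `{`. The bare block exists only to scope `name`; nginx otherwise declares such locals at the top of the function, as the next hunk does for ngx_ssl_get_curves(), so hoisting the declaration under the same `#if` would match the file's style. ngx_ssl_get_curve() starts outside the hunk, so the NID branch above and the hex fallback below are only partly visible here.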
@@ -5292,10 +5312,13 @@ ngx_ssl_get_curve(ngx_connection_t *c, n
ngx_int_t
ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
-#ifdef SSL_CTRL_GET_CURVES
+#ifdef SSL_get1_curves
int *curves, n, i, nid;
u_char *p;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ u_char *name;
+#endif
size_t len;
n = SSL_get1_curves(c->ssl->connection, NULL);
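Review bot: `#ifdef SSL_get1_curves` detects the API only where the name is a preprocessor macro; a TLS library that exports SSL_get1_curves() as an ordinary function would fail this test and the whole implementation would be compiled out, leaving $ssl_curves to whatever the matching `#else`/`#endif` outside the hunk produces. The replaced `SSL_CTRL_GET_CURVES` test had the same shape, so this is presumably intentional, but the dependency is not obvious from the line itself. Suggest a comment on the new line, e.g. `#ifdef SSL_get1_curves  /* macro alias in OpenSSL; a real-function provider falls to the #else */`. The rest of ngx_ssl_get_curves() continues in the following hunks and beyond.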
@@ -5316,12 +5339,25 @@ ngx_ssl_get_curves(ngx_connection_t *c,
for (i = 0; i < n; i++) {
nid = curves[i];
- if (nid & TLSEXT_nid_unknown) {
- len += sizeof("0x0000") - 1;
-
- } else {
+ if ((nid & TLSEXT_nid_unknown) == 0) {
len += ngx_strlen(OBJ_nid2sn(nid));
- }
+ goto next_length;
+ }
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+
+ name = (u_char *) SSL_group_to_name(c->ssl->connection, nid);
+
+ if (name) {
+ len += ngx_strlen(name);
+ goto next_length;
+ }
+
+#endif
+
+ len += sizeof("0x0000") - 1;
+
+ next_length:
len += sizeof(":") - 1;
}
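Review bot: The three-way classification (known NID, SSL_group_to_name() result, hex fallback) is now written out twice, here in the length pass and again in the value pass in the next hunk, and the two copies must stay in lockstep because the second pass writes into a buffer sized by the first, so any future divergence between them is a heap overrun rather than a wrong string. A small static helper returning the printable name or NULL would let both loops share one decision and shrink each to a few lines; this also changes one edge case to be aware of: OBJ_nid2sn() returns NULL for a NID it does not know, which the current code would pass to ngx_strlen(), while the helper would route it to the hex form. The `goto next_length` into a label that follows a `#if` region is legal but unusual for this file; the helper removes the need for it. ngx_ssl_get_curves() begins in the previous hunk and ends outside this one.
```c
/* Printable name of a negotiated group, or NULL when only the numeric
 * "0x%04xd" form is available.  Shared by the length pass and the value
 * pass so the buffer sized by the first cannot be overrun by the second. */
static u_char *
ngx_ssl_curve_name(ngx_connection_t *c, int nid)
{
    if ((nid & TLSEXT_nid_unknown) == 0) {
        return (u_char *) OBJ_nid2sn(nid);
    }

#if OPENSSL_VERSION_NUMBER >= 0x30000000L
    return (u_char *) SSL_group_to_name(c->ssl->connection, nid);
#else
    return NULL;
#endif
}

    /* … unchanged: SSL_get1_curves() calls and buffer allocation … */

    for (i = 0; i < n; i++) {
        nid = curves[i];
        name = ngx_ssl_curve_name(c, nid);
        len += name ? ngx_strlen(name) : sizeof("0x0000") - 1;
        len += sizeof(":") - 1;
    }

    /* … unchanged: ngx_pnalloc() of len bytes … */

    for (i = 0; i < n; i++) {
        nid = curves[i];
        name = ngx_ssl_curve_name(c, nid);
        p = name ? ngx_sprintf(p, "%s", name)
                 : ngx_sprintf(p, "0x%04xd", nid & 0xffff);
        *p++ = ':';
    }
```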
@@ -5336,12 +5372,26 @@ ngx_ssl_get_curves(ngx_connection_t *c,
for (i = 0; i < n; i++) {
nid = curves[i];
- if (nid & TLSEXT_nid_unknown) {
- p = ngx_sprintf(p, "0x%04xd", nid & 0xffff);
-
- } else {
+ if ((nid & TLSEXT_nid_unknown) == 0) {
p = ngx_sprintf(p, "%s", OBJ_nid2sn(nid));
- }
+ goto next_value;
+
+ }
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+
+ name = (u_char *) SSL_group_to_name(c->ssl->connection, nid);
+
+ if (name) {
+ p = ngx_sprintf(p, "%s", name);
+ goto next_value;
+ }
+
+#endif
+
+ p = ngx_sprintf(p, "0x%04xd", nid & 0xffff);
+
+ next_value:
*p++ = ':';
}
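Review bot: The known-NID branch in this value pass has a stray empty line between `goto next_value;` and its closing `}`, which the otherwise identical branch in the length pass (previous hunk, `goto next_length;`) does not have; drop the blank line so the two loops read the same. The duplicated classification shared with the previous hunk is discussed there. ngx_ssl_get_curves() ends outside this hunk.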