[PATCH] SSL: add identity hint config directive

Nate Karstens nate.karstens at garmin.com
Fri Jul 28 18:50:44 UTC 2017 

# HG changeset patch
# User Nate Karstens <nate.karstens at garmin.com>
# Date 1501265943 18000
#      Fri Jul 28 13:19:03 2017 -0500
# Node ID d47b57ebf82c1eedb4236a661b9d786dfd06b468
# Parent  00a1466fe33b8969ef765d8d0547dfbc7c97dd4e
SSL: add identity hint config directive.

Adds the directive "ssl_psk_identity_hint" to the ngx_http_ssl_module.
This allows the user to specify the PSK identity hint given to the
connecting client.

Signed-off-by: Nate Karstens <nate.karstens at garmin.com>

diff -r 00a1466fe33b -r d47b57ebf82c contrib/vim/syntax/nginx.vim
--- a/contrib/vim/syntax/nginx.vim      Fri Jul 28 13:18:15 2017 -0500
+++ b/contrib/vim/syntax/nginx.vim      Fri Jul 28 13:19:03 2017 -0500
@@ -551,6 +551,7 @@ syn keyword ngxDirective contained ssl_p
 syn keyword ngxDirective contained ssl_preread
 syn keyword ngxDirective contained ssl_protocols
 syn keyword ngxDirective contained ssl_psk_file
+syn keyword ngxDirective contained ssl_psk_identity_hint
 syn keyword ngxDirective contained ssl_session_cache
 syn keyword ngxDirective contained ssl_session_ticket_key
 syn keyword ngxDirective contained ssl_session_tickets
diff -r 00a1466fe33b -r d47b57ebf82c src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c     Fri Jul 28 13:18:15 2017 -0500
+++ b/src/event/ngx_event_openssl.c     Fri Jul 28 13:19:03 2017 -0500
@@ -3281,7 +3281,8 @@ ngx_ssl_session_ticket_keys(ngx_conf_t *


 ngx_int_t
-ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
+ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
+    ngx_str_t *identity_hint)
 {
 #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
     if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_psk_index, file) == 0) {
@@ -3290,6 +3291,13 @@ ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl
         return NGX_ERROR;
     }

+    if (SSL_CTX_use_psk_identity_hint(ssl->ctx,
+                                      (char *) identity_hint->data) == 0) {
+        ngx_ssl_error(NGX_LOG_ALERT, ssl->log, 0,
+                      "SSL_CTX_use_psk_identity_hint() failed");
+        return NGX_ERROR;
+    }
+
     SSL_CTX_set_psk_server_callback(ssl->ctx, ngx_ssl_psk_callback);
 #endif

diff -r 00a1466fe33b -r d47b57ebf82c src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h     Fri Jul 28 13:18:15 2017 -0500
+++ b/src/event/ngx_event_openssl.h     Fri Jul 28 13:19:03 2017 -0500
@@ -171,7 +171,8 @@ ngx_int_t ngx_ssl_session_cache(ngx_ssl_
     ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
 ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_array_t *paths);
-ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
+ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
+    ngx_str_t *identity_hint);
 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
     ngx_uint_t flags);
diff -r 00a1466fe33b -r d47b57ebf82c src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c    Fri Jul 28 13:18:15 2017 -0500
+++ b/src/http/modules/ngx_http_ssl_module.c    Fri Jul 28 13:19:03 2017 -0500
@@ -241,6 +241,13 @@ static ngx_command_t  ngx_http_ssl_comma
       offsetof(ngx_http_ssl_srv_conf_t, psk_file),
       NULL },

+    { ngx_string("ssl_psk_identity_hint"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_ssl_srv_conf_t, psk_identity_hint),
+      NULL },
+
       ngx_null_command
 };

@@ -550,6 +557,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t
      *     sscf->stapling_file = { 0, NULL };
      *     sscf->stapling_responder = { 0, NULL };
      *     sscf->psk_file = { 0, NULL };
+     *     sscf->psk_identity_hint = { 0, NULL };
      */

     sscf->enable = NGX_CONF_UNSET;
@@ -632,6 +640,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
                          prev->stapling_responder, "");

     ngx_conf_merge_str_value(conf->psk_file, prev->psk_file, "");
+    ngx_conf_merge_str_value(conf->psk_identity_hint, prev->psk_identity_hint, "");

     conf->ssl.log = cf->log;

@@ -813,7 +822,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *

     }

-    if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file)
+    if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file,
+                         &conf->psk_identity_hint)
         != NGX_OK)
     {
         return NGX_CONF_ERROR;
diff -r 00a1466fe33b -r d47b57ebf82c src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h    Fri Jul 28 13:18:15 2017 -0500
+++ b/src/http/modules/ngx_http_ssl_module.h    Fri Jul 28 13:19:03 2017 -0500
@@ -56,6 +56,7 @@ typedef struct {
     ngx_str_t                       stapling_responder;

     ngx_str_t                       psk_file;
+    ngx_str_t                       psk_identity_hint;

     u_char                         *file;
     ngx_uint_t                      line;

________________________________

CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you.

More information about the nginx-devel mailing list