[PATCH 1 of 3] PSK: make server certificates optional
Karstens, Nate
Nate.Karstens at garmin.com
Thu Jun 1 17:21:01 UTC 2017
# HG changeset patch
# User Nate Karstens <nate.karstens at garmin.com>
# Date 1496332504 18000
# Thu Jun 01 10:55:04 2017 -0500
# Node ID a38066b79d71b6ecb62a9f7618afe2cf3ed8a4f9
# Parent 716852cce9136d977b81a2d1b8b6f9fbca0dce49
PSK: make server certificates optional
Adds the directive "ssl_nocert" to the ngx_http_ssl_module to allow the
user to indicate that the absence of a certificate is intentional. Any
cipher suites that rely on certificates will not function while it is set.
Without this change, servers that only use PSK error out because no certificate is configured.
Signed-off-by: Nate Karstens <nate.karstens at garmin.com>
diff -r 716852cce913 -r a38066b79d71 contrib/vim/syntax/nginx.vim
--- a/contrib/vim/syntax/nginx.vim Thu Jun 01 15:44:23 2017 +0300
+++ b/contrib/vim/syntax/nginx.vim Thu Jun 01 10:55:04 2017 -0500
@@ -546,6 +546,7 @@
syn keyword ngxDirective contained ssl_ecdh_curve
syn keyword ngxDirective contained ssl_engine
syn keyword ngxDirective contained ssl_handshake_timeout
+syn keyword ngxDirective contained ssl_nocert
syn keyword ngxDirective contained ssl_password_file
syn keyword ngxDirective contained ssl_prefer_server_ciphers
syn keyword ngxDirective contained ssl_preread
diff -r 716852cce913 -r a38066b79d71 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Thu Jun 01 15:44:23 2017 +0300
+++ b/src/http/modules/ngx_http_ssl_module.c Thu Jun 01 10:55:04 2017 -0500
@@ -101,6 +101,13 @@
0,
NULL },
+ { ngx_string("ssl_nocert"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, nocert),
+ NULL },
+
{ ngx_string("ssl_dhparam"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot,
@@ -546,6 +553,7 @@
sscf->buffer_size = NGX_CONF_UNSET_SIZE;
sscf->verify = NGX_CONF_UNSET_UINT;
sscf->verify_depth = NGX_CONF_UNSET_UINT;
+ sscf->nocert = NGX_CONF_UNSET;
sscf->certificates = NGX_CONF_UNSET_PTR;
sscf->certificate_keys = NGX_CONF_UNSET_PTR;
sscf->passwords = NGX_CONF_UNSET_PTR;
@@ -595,6 +603,7 @@
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
+ ngx_conf_merge_value(conf->nocert, prev->nocert, 0);
ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
NULL);
@@ -622,50 +631,52 @@
conf->ssl.log = cf->log;
- if (conf->enable) {
+ if (!conf->nocert) {
+ if (conf->enable) {
- if (conf->certificates == NULL) {
- ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no \"ssl_certificate\" is defined for "
- "the \"ssl\" directive in %s:%ui",
- conf->file, conf->line);
- return NGX_CONF_ERROR;
- }
+ if (conf->certificates == NULL) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate\" is defined for "
+ "the \"ssl\" directive in %s:%ui",
+ conf->file, conf->line);
+ return NGX_CONF_ERROR;
+ }
- if (conf->certificate_keys == NULL) {
- ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no \"ssl_certificate_key\" is defined for "
- "the \"ssl\" directive in %s:%ui",
- conf->file, conf->line);
- return NGX_CONF_ERROR;
- }
+ if (conf->certificate_keys == NULL) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate_key\" is defined for "
+ "the \"ssl\" directive in %s:%ui",
+ conf->file, conf->line);
+ return NGX_CONF_ERROR;
+ }
- if (conf->certificate_keys->nelts < conf->certificates->nelts) {
- ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no \"ssl_certificate_key\" is defined "
- "for certificate \"%V\" and "
- "the \"ssl\" directive in %s:%ui",
- ((ngx_str_t *) conf->certificates->elts)
- + conf->certificates->nelts - 1,
- conf->file, conf->line);
- return NGX_CONF_ERROR;
- }
+ if (conf->certificate_keys->nelts < conf->certificates->nelts) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate_key\" is defined "
+ "for certificate \"%V\" and "
+ "the \"ssl\" directive in %s:%ui",
+ ((ngx_str_t *) conf->certificates->elts)
+ + conf->certificates->nelts - 1,
+ conf->file, conf->line);
+ return NGX_CONF_ERROR;
+ }
- } else {
+ } else {
- if (conf->certificates == NULL) {
- return NGX_CONF_OK;
- }
+ if (conf->certificates == NULL) {
+ return NGX_CONF_OK;
+ }
- if (conf->certificate_keys == NULL
- || conf->certificate_keys->nelts < conf->certificates->nelts)
- {
- ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no \"ssl_certificate_key\" is defined "
- "for certificate \"%V\"",
- ((ngx_str_t *) conf->certificates->elts)
- + conf->certificates->nelts - 1);
- return NGX_CONF_ERROR;
+ if (conf->certificate_keys == NULL
+ || conf->certificate_keys->nelts < conf->certificates->nelts)
+ {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate_key\" is defined "
+ "for certificate \"%V\"",
+ ((ngx_str_t *) conf->certificates->elts)
+ + conf->certificates->nelts - 1);
+ return NGX_CONF_ERROR;
+ }
}
}
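Review bot: The `if (!conf->nocert)` wrapper at the top of this hunk disables more than the missing-certificate check: the `certificate_keys->nelts < certificates->nelts` count check and the `else` branch's early `return NGX_CONF_OK` for servers without `ssl` and without certificates are skipped as well. With `ssl_nocert on` inherited from the http level, every plain server block then goes on to create an SSL context, and a server that lists more `ssl_certificate` than `ssl_certificate_key` entries reaches the `ngx_ssl_certificates` call in the hunk at L141-158 with mismatched arrays — if that helper indexes keys by certificate index (its body is outside this patch), that is an out-of-bounds read; the same hunk's `if (conf->certificates && conf->certificate_keys)` guard also silently skips loading a configured certificate whose key is missing instead of reporting it. I would narrow the flag to the one check it is meant to relax, keep the key checks conditional on certificates being present, and leave the `else` branch as it was; the enclosing function starts and ends outside the hunk.

```c
    if (conf->enable) {

        if (conf->certificates == NULL && !conf->nocert) {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "no \"ssl_certificate\" is defined for "
                          "the \"ssl\" directive in %s:%ui",
                          conf->file, conf->line);
            return NGX_CONF_ERROR;
        }

        if (conf->certificates != NULL && conf->certificate_keys == NULL) {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "no \"ssl_certificate_key\" is defined for "
                          "the \"ssl\" directive in %s:%ui",
                          conf->file, conf->line);
            return NGX_CONF_ERROR;
        }

        if (conf->certificates != NULL
            && conf->certificate_keys->nelts < conf->certificates->nelts)
        {
            /* … unchanged: "no ssl_certificate_key for certificate" error … */
        }

    } else {
        /* … unchanged: non-ssl server branch, left as before the patch … */
    }
```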
@@ -704,11 +715,15 @@
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = &conf->ssl;
- if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
- conf->certificate_keys, conf->passwords)
- != NGX_OK)
- {
- return NGX_CONF_ERROR;
+ if (conf->certificates && conf->certificate_keys) {
+
+ if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
+ conf->certificate_keys, conf->passwords)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
+
}
if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
diff -r 716852cce913 -r a38066b79d71 src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h Thu Jun 01 15:44:23 2017 +0300
+++ b/src/http/modules/ngx_http_ssl_module.h Thu Jun 01 10:55:04 2017 -0500
@@ -32,6 +32,7 @@
time_t session_timeout;
+ ngx_flag_t nocert;
ngx_array_t *certificates;
ngx_array_t *certificate_keys;