[PATCH] SSL: add PSK identity variable

Maxim Dounin mdounin at mdounin.ru
Mon Aug 21 23:41:59 UTC 2017 

Hello!

On Fri, Jul 28, 2017 at 01:49:13PM -0500, Nate Karstens wrote:

> # HG changeset patch
> # User Nate Karstens <nate.karstens at garmin.com>
> # Date 1501265895 18000
> #      Fri Jul 28 13:18:15 2017 -0500
> # Node ID 00a1466fe33b8969ef765d8d0547dfbc7c97dd4e
> # Parent  9537b7d299131e41a3f5993257000d328e28b117
> SSL: add PSK identity variable.
> 
> Adds the variable $ssl_psk_identity to get the PSK identity
> used in a connnection secured with a PSK cipher suite.
> 
> Signed-off-by: Nate Karstens <nate.karstens at garmin.com>
> 
> diff -r 9537b7d29913 -r 00a1466fe33b src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c     Fri Jul 28 13:17:29 2017 -0500
> +++ b/src/event/ngx_event_openssl.c     Fri Jul 28 13:18:15 2017 -0500
> @@ -4249,6 +4249,22 @@ ngx_ssl_get_client_v_remain(ngx_connecti
>  }
> 
> 
> +ngx_int_t
> +ngx_ssl_get_psk_identity(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
> +{

Following ngx_ssl_parse_time() is a helper function for 
ngx_ssl_get_client_v_remain(), so it might be a good idea to put 
this function after ngx_ssl_parse_time().  YMMV.

> +    const char  *identity;
> +
> +    identity = SSL_get_psk_identity(c->ssl->connection);

This needs conditional compilation.

> +
> +    if (identity) {
> +        s->data = (u_char *) identity;
> +        s->len = ngx_strlen(identity);

Directly returning the result of SSL_get_psk_identity() without 
copying it might not be safe.  The pointer returned is allocated in 
the context of the SSL session, and it can be freed at any time 
due to renegotiation (unfortunately, OpenSSL still allows 
renegotiation and provides no way to prevent it).  Instead, the 
value should be copied to memory allocated from the pool.

> +    }
> +
> +    return NGX_OK;
> +}
> +
> +
>  static time_t
>  ngx_ssl_parse_time(
>  #if OPENSSL_VERSION_NUMBER > 0x10100000L
> diff -r 9537b7d29913 -r 00a1466fe33b src/event/ngx_event_openssl.h
> --- a/src/event/ngx_event_openssl.h     Fri Jul 28 13:17:29 2017 -0500
> +++ b/src/event/ngx_event_openssl.h     Fri Jul 28 13:18:15 2017 -0500
> @@ -233,6 +233,8 @@ ngx_int_t ngx_ssl_get_client_v_end(ngx_c
>      ngx_str_t *s);
>  ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool,
>      ngx_str_t *s);
> +ngx_int_t ngx_ssl_get_psk_identity(ngx_connection_t *c, ngx_pool_t *pool,
> +    ngx_str_t *s);
> 
> 
>  ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
> diff -r 9537b7d29913 -r 00a1466fe33b src/http/modules/ngx_http_ssl_module.c
> --- a/src/http/modules/ngx_http_ssl_module.c    Fri Jul 28 13:17:29 2017 -0500
> +++ b/src/http/modules/ngx_http_ssl_module.c    Fri Jul 28 13:18:15 2017 -0500
> @@ -336,6 +336,9 @@ static ngx_http_variable_t  ngx_http_ssl
>      { ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,
>        (uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },
> 
> +    { ngx_string("ssl_psk_identity"), NULL, ngx_http_ssl_variable,
> +      (uintptr_t) ngx_ssl_get_psk_identity, NGX_HTTP_VAR_CHANGEABLE, 0 },
> +
>      { ngx_null_string, NULL, NULL, 0, 0, 0 }
>  };
> 
> 
> ________________________________
> 
> CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you.
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel

-- 
Maxim Dounin
http://nginx.org/

More information about the nginx-devel mailing list