[PATCH] SSL: add identity hint config directive

Maxim Dounin mdounin at mdounin.ru
Mon Aug 21 23:42:39 UTC 2017


Hello!

On Fri, Jul 28, 2017 at 01:50:44PM -0500, Nate Karstens wrote:

> # HG changeset patch
> # User Nate Karstens <nate.karstens at garmin.com>
> # Date 1501265943 18000
> #      Fri Jul 28 13:19:03 2017 -0500
> # Node ID d47b57ebf82c1eedb4236a661b9d786dfd06b468
> # Parent  00a1466fe33b8969ef765d8d0547dfbc7c97dd4e
> SSL: add identity hint config directive.
> 
> Adds the directive "ssl_psk_identity_hint" to the ngx_http_ssl_module.
> This allows the user to specify the PSK identity hint given to the
> connecting client.
> 
> Signed-off-by: Nate Karstens <nate.karstens at garmin.com>
> 
> diff -r 00a1466fe33b -r d47b57ebf82c contrib/vim/syntax/nginx.vim
> --- a/contrib/vim/syntax/nginx.vim      Fri Jul 28 13:18:15 2017 -0500
> +++ b/contrib/vim/syntax/nginx.vim      Fri Jul 28 13:19:03 2017 -0500
> @@ -551,6 +551,7 @@ syn keyword ngxDirective contained ssl_p
>  syn keyword ngxDirective contained ssl_preread
>  syn keyword ngxDirective contained ssl_protocols
>  syn keyword ngxDirective contained ssl_psk_file
> +syn keyword ngxDirective contained ssl_psk_identity_hint
>  syn keyword ngxDirective contained ssl_session_cache
>  syn keyword ngxDirective contained ssl_session_ticket_key
>  syn keyword ngxDirective contained ssl_session_tickets
> diff -r 00a1466fe33b -r d47b57ebf82c src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c     Fri Jul 28 13:18:15 2017 -0500
> +++ b/src/event/ngx_event_openssl.c     Fri Jul 28 13:19:03 2017 -0500
> @@ -3281,7 +3281,8 @@ ngx_ssl_session_ticket_keys(ngx_conf_t *
> 
> 
>  ngx_int_t
> -ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
> +ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
> +    ngx_str_t *identity_hint)
>  {
>  #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
>      if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_psk_index, file) == 0) {
> @@ -3290,6 +3291,13 @@ ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl
>          return NGX_ERROR;
>      }
> 
> +    if (SSL_CTX_use_psk_identity_hint(ssl->ctx,
> +                                      (char *) identity_hint->data) == 0) {

Style: "== 0)" and "{" should be on their own lines, no need to 
wrap SSL_CTX_use_psk_identity_hint() arguments as they fit into 80 
chars:

    if (SSL_CTX_use_psk_identity_hint(ssl->ctx, (char *) identity_hint->data)
        == 0)
    {

> +        ngx_ssl_error(NGX_LOG_ALERT, ssl->log, 0,
> +                      "SSL_CTX_use_psk_identity_hint() failed");

The NGX_LOG_ALERT logging level is not appropriate here.  As the 
error is fatal and will prevent nginx from starting, it should be 
NGX_LOG_EMERG.

> +        return NGX_ERROR;
> +    }
> +
>      SSL_CTX_set_psk_server_callback(ssl->ctx, ngx_ssl_psk_callback);
>  #endif
> 
> diff -r 00a1466fe33b -r d47b57ebf82c src/event/ngx_event_openssl.h
> --- a/src/event/ngx_event_openssl.h     Fri Jul 28 13:18:15 2017 -0500
> +++ b/src/event/ngx_event_openssl.h     Fri Jul 28 13:19:03 2017 -0500
> @@ -171,7 +171,8 @@ ngx_int_t ngx_ssl_session_cache(ngx_ssl_
>      ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
>  ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
>      ngx_array_t *paths);
> -ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
> +ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
> +    ngx_str_t *identity_hint);
>  ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
>  ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
>      ngx_uint_t flags);
> diff -r 00a1466fe33b -r d47b57ebf82c src/http/modules/ngx_http_ssl_module.c
> --- a/src/http/modules/ngx_http_ssl_module.c    Fri Jul 28 13:18:15 2017 -0500
> +++ b/src/http/modules/ngx_http_ssl_module.c    Fri Jul 28 13:19:03 2017 -0500
> @@ -241,6 +241,13 @@ static ngx_command_t  ngx_http_ssl_comma
>        offsetof(ngx_http_ssl_srv_conf_t, psk_file),
>        NULL },
> 
> +    { ngx_string("ssl_psk_identity_hint"),
> +      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
> +      ngx_conf_set_str_slot,
> +      NGX_HTTP_SRV_CONF_OFFSET,
> +      offsetof(ngx_http_ssl_srv_conf_t, psk_identity_hint),
> +      NULL },
> +
>        ngx_null_command
>  };
> 
> @@ -550,6 +557,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t
>       *     sscf->stapling_file = { 0, NULL };
>       *     sscf->stapling_responder = { 0, NULL };
>       *     sscf->psk_file = { 0, NULL };
> +     *     sscf->psk_identity_hint = { 0, NULL };
>       */
> 
>      sscf->enable = NGX_CONF_UNSET;
> @@ -632,6 +640,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
>                           prev->stapling_responder, "");
> 
>      ngx_conf_merge_str_value(conf->psk_file, prev->psk_file, "");
> +    ngx_conf_merge_str_value(conf->psk_identity_hint, prev->psk_identity_hint, "");

Style: lines should be under 80 chars.

> 
>      conf->ssl.log = cf->log;
> 
> @@ -813,7 +822,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
> 
>      }
> 
> -    if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file)
> +    if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file,
> +                         &conf->psk_identity_hint)
>          != NGX_OK)
>      {
>          return NGX_CONF_ERROR;
> diff -r 00a1466fe33b -r d47b57ebf82c src/http/modules/ngx_http_ssl_module.h
> --- a/src/http/modules/ngx_http_ssl_module.h    Fri Jul 28 13:18:15 2017 -0500
> +++ b/src/http/modules/ngx_http_ssl_module.h    Fri Jul 28 13:19:03 2017 -0500
> @@ -56,6 +56,7 @@ typedef struct {
>      ngx_str_t                       stapling_responder;
> 
>      ngx_str_t                       psk_file;
> +    ngx_str_t                       psk_identity_hint;
> 
>      u_char                         *file;
>      ngx_uint_t                      line;
> 
> ________________________________
> 
> CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you.
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel

-- 
Maxim Dounin
http://nginx.org/


More information about the nginx-devel mailing list