[PATCH] SSL: add identity hint config directive
Maxim Dounin
mdounin at mdounin.ru
Mon Aug 21 23:42:39 UTC 2017
Hello!
On Fri, Jul 28, 2017 at 01:50:44PM -0500, Nate Karstens wrote:
> # HG changeset patch
> # User Nate Karstens <nate.karstens at garmin.com>
> # Date 1501265943 18000
> # Fri Jul 28 13:19:03 2017 -0500
> # Node ID d47b57ebf82c1eedb4236a661b9d786dfd06b468
> # Parent 00a1466fe33b8969ef765d8d0547dfbc7c97dd4e
> SSL: add identity hint config directive.
>
> Adds the directive "ssl_psk_identity_hint" to the ngx_http_ssl_module.
> This allows the user to specify the PSK identity hint given to the
> connecting client.
>
> Signed-off-by: Nate Karstens <nate.karstens at garmin.com>
>
> diff -r 00a1466fe33b -r d47b57ebf82c contrib/vim/syntax/nginx.vim
> --- a/contrib/vim/syntax/nginx.vim Fri Jul 28 13:18:15 2017 -0500
> +++ b/contrib/vim/syntax/nginx.vim Fri Jul 28 13:19:03 2017 -0500
> @@ -551,6 +551,7 @@ syn keyword ngxDirective contained ssl_p
> syn keyword ngxDirective contained ssl_preread
> syn keyword ngxDirective contained ssl_protocols
> syn keyword ngxDirective contained ssl_psk_file
> +syn keyword ngxDirective contained ssl_psk_identity_hint
> syn keyword ngxDirective contained ssl_session_cache
> syn keyword ngxDirective contained ssl_session_ticket_key
> syn keyword ngxDirective contained ssl_session_tickets
> diff -r 00a1466fe33b -r d47b57ebf82c src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c Fri Jul 28 13:18:15 2017 -0500
> +++ b/src/event/ngx_event_openssl.c Fri Jul 28 13:19:03 2017 -0500
> @@ -3281,7 +3281,8 @@ ngx_ssl_session_ticket_keys(ngx_conf_t *
>
>
> ngx_int_t
> -ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
> +ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
> + ngx_str_t *identity_hint)
> {
> #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
> if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_psk_index, file) == 0) {
> @@ -3290,6 +3291,13 @@ ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl
> return NGX_ERROR;
> }
>
> + if (SSL_CTX_use_psk_identity_hint(ssl->ctx,
> + (char *) identity_hint->data) == 0) {
Style: "== 0)" and "{" should be on their own lines, no need to
wrap SSL_CTX_use_psk_identity_hint() arguments as they fit into 80
chars:
if (SSL_CTX_use_psk_identity_hint(ssl->ctx, (char *) identity_hint->data)
== 0)
{
> + ngx_ssl_error(NGX_LOG_ALERT, ssl->log, 0,
> + "SSL_CTX_use_psk_identity_hint() failed");
The NGX_LOG_ALERT logging level is not appropriate here. As the
error is fatal and will prevent nginx from starting, it should be
NGX_LOG_EMERG.
> + return NGX_ERROR;
> + }
> +
> SSL_CTX_set_psk_server_callback(ssl->ctx, ngx_ssl_psk_callback);
> #endif
>
> diff -r 00a1466fe33b -r d47b57ebf82c src/event/ngx_event_openssl.h
> --- a/src/event/ngx_event_openssl.h Fri Jul 28 13:18:15 2017 -0500
> +++ b/src/event/ngx_event_openssl.h Fri Jul 28 13:19:03 2017 -0500
> @@ -171,7 +171,8 @@ ngx_int_t ngx_ssl_session_cache(ngx_ssl_
> ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
> ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
> ngx_array_t *paths);
> -ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
> +ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
> + ngx_str_t *identity_hint);
> ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
> ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
> ngx_uint_t flags);
> diff -r 00a1466fe33b -r d47b57ebf82c src/http/modules/ngx_http_ssl_module.c
> --- a/src/http/modules/ngx_http_ssl_module.c Fri Jul 28 13:18:15 2017 -0500
> +++ b/src/http/modules/ngx_http_ssl_module.c Fri Jul 28 13:19:03 2017 -0500
> @@ -241,6 +241,13 @@ static ngx_command_t ngx_http_ssl_comma
> offsetof(ngx_http_ssl_srv_conf_t, psk_file),
> NULL },
>
> + { ngx_string("ssl_psk_identity_hint"),
> + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
> + ngx_conf_set_str_slot,
> + NGX_HTTP_SRV_CONF_OFFSET,
> + offsetof(ngx_http_ssl_srv_conf_t, psk_identity_hint),
> + NULL },
> +
> ngx_null_command
> };
>
> @@ -550,6 +557,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t
> * sscf->stapling_file = { 0, NULL };
> * sscf->stapling_responder = { 0, NULL };
> * sscf->psk_file = { 0, NULL };
> + * sscf->psk_identity_hint = { 0, NULL };
> */
>
> sscf->enable = NGX_CONF_UNSET;
> @@ -632,6 +640,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
> prev->stapling_responder, "");
>
> ngx_conf_merge_str_value(conf->psk_file, prev->psk_file, "");
> + ngx_conf_merge_str_value(conf->psk_identity_hint, prev->psk_identity_hint, "");
Style: lines should be under 80 chars.
>
> conf->ssl.log = cf->log;
>
> @@ -813,7 +822,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
>
> }
>
> - if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file)
> + if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file,
> + &conf->psk_identity_hint)
> != NGX_OK)
> {
> return NGX_CONF_ERROR;
> diff -r 00a1466fe33b -r d47b57ebf82c src/http/modules/ngx_http_ssl_module.h
> --- a/src/http/modules/ngx_http_ssl_module.h Fri Jul 28 13:18:15 2017 -0500
> +++ b/src/http/modules/ngx_http_ssl_module.h Fri Jul 28 13:19:03 2017 -0500
> @@ -56,6 +56,7 @@ typedef struct {
> ngx_str_t stapling_responder;
>
> ngx_str_t psk_file;
> + ngx_str_t psk_identity_hint;
>
> u_char *file;
> ngx_uint_t line;
>
> ________________________________
>
> CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you.
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
--
Maxim Dounin
http://nginx.org/
More information about the nginx-devel
mailing list