[PATCH] [PATCH 4 of 4] SSL: add identity hint config directive

Nate Karstens nate.karstens at garmin.com
Thu Aug 24 02:22:43 UTC 2017 

# HG changeset patch
# User Nate Karstens <nate.karstens at garmin.com>
# Date 1503540237 18000
#      Wed Aug 23 21:03:57 2017 -0500
# Node ID 62b4032371bd45217d40e2f0daf8ecd6956601d8
# Parent  a11e114a2bcde4afb515dd0b70f3ef39693f475a
[PATCH 4 of 4] SSL: add identity hint config directive.

Adds the directive "ssl_psk_identity_hint" to the ngx_http_ssl_module.
This allows the user to specify the PSK identity hint given to the
connecting client.

Signed-off-by: Nate Karstens <nate.karstens at garmin.com>

diff -r a11e114a2bcd -r 62b4032371bd contrib/vim/syntax/nginx.vim
--- a/contrib/vim/syntax/nginx.vim      Wed Aug 23 21:03:31 2017 -0500
+++ b/contrib/vim/syntax/nginx.vim      Wed Aug 23 21:03:57 2017 -0500
@@ -551,6 +551,7 @@ syn keyword ngxDirective contained ssl_p
 syn keyword ngxDirective contained ssl_preread
 syn keyword ngxDirective contained ssl_protocols
 syn keyword ngxDirective contained ssl_psk_file
+syn keyword ngxDirective contained ssl_psk_identity_hint
 syn keyword ngxDirective contained ssl_session_cache
 syn keyword ngxDirective contained ssl_session_ticket_key
 syn keyword ngxDirective contained ssl_session_tickets
diff -r a11e114a2bcd -r 62b4032371bd src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c     Wed Aug 23 21:03:31 2017 -0500
+++ b/src/event/ngx_event_openssl.c     Wed Aug 23 21:03:57 2017 -0500
@@ -1177,7 +1177,8 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_s


 ngx_int_t
-ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
+ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
+    ngx_str_t *identity_hint)
 {
 #ifdef PSK_MAX_IDENTITY_LEN

@@ -1230,6 +1231,14 @@ failed:
         return NGX_ERROR;
     }

+    if (SSL_CTX_use_psk_identity_hint(ssl->ctx, (char *) identity_hint->data)
+        == 0)
+    {
+        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                      "SSL_CTX_use_psk_identity_hint() failed");
+        return NGX_ERROR;
+    }
+
     SSL_CTX_set_psk_server_callback(ssl->ctx, ngx_ssl_psk_callback);

 #endif
diff -r a11e114a2bcd -r 62b4032371bd src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h     Wed Aug 23 21:03:31 2017 -0500
+++ b/src/event/ngx_event_openssl.h     Wed Aug 23 21:03:57 2017 -0500
@@ -172,7 +172,8 @@ ngx_int_t ngx_ssl_session_cache(ngx_ssl_
 ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_array_t *paths);
 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
-ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
+ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
+    ngx_str_t *identity_hint);
 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
     ngx_uint_t flags);

diff -r a11e114a2bcd -r 62b4032371bd src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c    Wed Aug 23 21:03:31 2017 -0500
+++ b/src/http/modules/ngx_http_ssl_module.c    Wed Aug 23 21:03:57 2017 -0500
@@ -241,6 +241,13 @@ static ngx_command_t  ngx_http_ssl_comma
       offsetof(ngx_http_ssl_srv_conf_t, psk_file),
       NULL },

+    { ngx_string("ssl_psk_identity_hint"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_ssl_srv_conf_t, psk_identity_hint),
+      NULL },
+
       ngx_null_command
 };

@@ -554,6 +561,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t
      *     sscf->stapling_file = { 0, NULL };
      *     sscf->stapling_responder = { 0, NULL };
      *     sscf->psk_file = { 0, NULL };
+     *     sscf->psk_identity_hint = { 0, NULL };
      */

     sscf->enable = NGX_CONF_UNSET;
@@ -636,6 +644,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
                          prev->stapling_responder, "");

     ngx_conf_merge_str_value(conf->psk_file, prev->psk_file, "");
+    ngx_conf_merge_str_value(conf->psk_identity_hint,
+                         prev->psk_identity_hint, "");

     conf->ssl.log = cf->log;

@@ -817,7 +827,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *

     }

-    if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file) != NGX_OK) {
+    if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file,
+                         &conf->psk_identity_hint)
+        != NGX_OK)
+    {
         return NGX_CONF_ERROR;
     }

diff -r a11e114a2bcd -r 62b4032371bd src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h    Wed Aug 23 21:03:31 2017 -0500
+++ b/src/http/modules/ngx_http_ssl_module.h    Wed Aug 23 21:03:57 2017 -0500
@@ -56,6 +56,7 @@ typedef struct {
     ngx_str_t                       stapling_responder;

     ngx_str_t                       psk_file;
+    ngx_str_t                       psk_identity_hint;

     u_char                         *file;
     ngx_uint_t                      line;

________________________________

CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you.

More information about the nginx-devel mailing list