[PATCH] SSL: add identity hint config directive
Nate Karstens
nate.karstens at garmin.com
Fri Jul 28 18:50:44 UTC 2017
# HG changeset patch
# User Nate Karstens <nate.karstens at garmin.com>
# Date 1501265943 18000
# Fri Jul 28 13:19:03 2017 -0500
# Node ID d47b57ebf82c1eedb4236a661b9d786dfd06b468
# Parent 00a1466fe33b8969ef765d8d0547dfbc7c97dd4e
SSL: add identity hint config directive.
Adds the directive "ssl_psk_identity_hint" to the ngx_http_ssl_module.
This allows the user to specify the PSK identity hint given to the
connecting client.
Signed-off-by: Nate Karstens <nate.karstens at garmin.com>
diff -r 00a1466fe33b -r d47b57ebf82c contrib/vim/syntax/nginx.vim
--- a/contrib/vim/syntax/nginx.vim Fri Jul 28 13:18:15 2017 -0500
+++ b/contrib/vim/syntax/nginx.vim Fri Jul 28 13:19:03 2017 -0500
@@ -551,6 +551,7 @@ syn keyword ngxDirective contained ssl_p
syn keyword ngxDirective contained ssl_preread
syn keyword ngxDirective contained ssl_protocols
syn keyword ngxDirective contained ssl_psk_file
+syn keyword ngxDirective contained ssl_psk_identity_hint
syn keyword ngxDirective contained ssl_session_cache
syn keyword ngxDirective contained ssl_session_ticket_key
syn keyword ngxDirective contained ssl_session_tickets
diff -r 00a1466fe33b -r d47b57ebf82c src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Fri Jul 28 13:18:15 2017 -0500
+++ b/src/event/ngx_event_openssl.c Fri Jul 28 13:19:03 2017 -0500
@@ -3281,7 +3281,8 @@ ngx_ssl_session_ticket_keys(ngx_conf_t *
ngx_int_t
-ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
+ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
+ ngx_str_t *identity_hint)
{
#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_psk_index, file) == 0) {
@@ -3290,6 +3291,13 @@ ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl
return NGX_ERROR;
}
+ if (SSL_CTX_use_psk_identity_hint(ssl->ctx,
+ (char *) identity_hint->data) == 0) {
+ ngx_ssl_error(NGX_LOG_ALERT, ssl->log, 0,
+ "SSL_CTX_use_psk_identity_hint() failed");
+ return NGX_ERROR;
+ }
+
SSL_CTX_set_psk_server_callback(ssl->ctx, ngx_ssl_psk_callback);
#endif
diff -r 00a1466fe33b -r d47b57ebf82c src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Fri Jul 28 13:18:15 2017 -0500
+++ b/src/event/ngx_event_openssl.h Fri Jul 28 13:19:03 2017 -0500
@@ -171,7 +171,8 @@ ngx_int_t ngx_ssl_session_cache(ngx_ssl_
ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_array_t *paths);
-ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
+ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
+ ngx_str_t *identity_hint);
ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
ngx_uint_t flags);
diff -r 00a1466fe33b -r d47b57ebf82c src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Fri Jul 28 13:18:15 2017 -0500
+++ b/src/http/modules/ngx_http_ssl_module.c Fri Jul 28 13:19:03 2017 -0500
@@ -241,6 +241,13 @@ static ngx_command_t ngx_http_ssl_comma
offsetof(ngx_http_ssl_srv_conf_t, psk_file),
NULL },
+ { ngx_string("ssl_psk_identity_hint"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, psk_identity_hint),
+ NULL },
+
ngx_null_command
};
@@ -550,6 +557,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t
* sscf->stapling_file = { 0, NULL };
* sscf->stapling_responder = { 0, NULL };
* sscf->psk_file = { 0, NULL };
+ * sscf->psk_identity_hint = { 0, NULL };
*/
sscf->enable = NGX_CONF_UNSET;
@@ -632,6 +640,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
prev->stapling_responder, "");
ngx_conf_merge_str_value(conf->psk_file, prev->psk_file, "");
+ ngx_conf_merge_str_value(conf->psk_identity_hint, prev->psk_identity_hint, "");
conf->ssl.log = cf->log;
@@ -813,7 +822,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
}
- if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file)
+ if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file,
+ &conf->psk_identity_hint)
!= NGX_OK)
{
return NGX_CONF_ERROR;
diff -r 00a1466fe33b -r d47b57ebf82c src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h Fri Jul 28 13:18:15 2017 -0500
+++ b/src/http/modules/ngx_http_ssl_module.h Fri Jul 28 13:19:03 2017 -0500
@@ -56,6 +56,7 @@ typedef struct {
ngx_str_t stapling_responder;
ngx_str_t psk_file;
+ ngx_str_t psk_identity_hint;
u_char *file;
ngx_uint_t line;
________________________________
CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you.
More information about the nginx-devel
mailing list