[PATCH 3 of 3] PSK: add identity hint config directive

Maxim Dounin mdounin at mdounin.ru
Thu Jun 29 21:21:51 UTC 2017


Hello!

On Thu, Jun 22, 2017 at 01:24:59PM +0000, Karstens, Nate wrote:

> # HG changeset patch
> # User Nate Karstens <nate.karstens at garmin.com>
> # Date 1498137243 18000
> #      Thu Jun 22 08:14:03 2017 -0500
> # Node ID b706695658216c88716904519467a36c1aac7ac9
> # Parent  a4635fa4a0cabf5312cda617b8010ea14279ab1c
> PSK: add identity hint config directive
> 
> Adds the directive "ssl_psk_identity_hint" to the ngx_http_ssl_module.
> This allows the user to specify the PSK identity hint given to the
> connecting client.
> 
> Signed-off-by: Nate Karstens <nate.karstens at garmin.com>
> 
> diff -r a4635fa4a0ca -r b70669565821 contrib/vim/syntax/nginx.vim
> --- a/contrib/vim/syntax/nginx.vim      Thu Jun 22 08:13:27 2017 -0500
> +++ b/contrib/vim/syntax/nginx.vim      Thu Jun 22 08:14:03 2017 -0500
> @@ -551,6 +551,7 @@
>  syn keyword ngxDirective contained ssl_preread
>  syn keyword ngxDirective contained ssl_protocols
>  syn keyword ngxDirective contained ssl_psk_file
> +syn keyword ngxDirective contained ssl_psk_identity_hint
>  syn keyword ngxDirective contained ssl_session_cache
>  syn keyword ngxDirective contained ssl_session_ticket_key
>  syn keyword ngxDirective contained ssl_session_tickets
> diff -r a4635fa4a0ca -r b70669565821 src/http/modules/ngx_http_ssl_module.c
> --- a/src/http/modules/ngx_http_ssl_module.c    Thu Jun 22 08:13:27 2017 -0500
> +++ b/src/http/modules/ngx_http_ssl_module.c    Thu Jun 22 08:14:03 2017 -0500
> @@ -241,6 +241,13 @@
>        offsetof(ngx_http_ssl_srv_conf_t, psk_file),
>        NULL },
> 
> +    { ngx_string("ssl_psk_identity_hint"),
> +      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
> +      ngx_conf_set_str_slot,
> +      NGX_HTTP_SRV_CONF_OFFSET,
> +      offsetof(ngx_http_ssl_srv_conf_t, psk_identity_hint),
> +      NULL },
> +
>        ngx_null_command
>  };
> 
> @@ -550,6 +557,7 @@
>       *     sscf->stapling_file = { 0, NULL };
>       *     sscf->stapling_responder = { 0, NULL };
>       *     sscf->psk_file = { 0, NULL };
> +     *     sscf->psk_identity_hint = { 0, NULL };
>       */
> 
>      sscf->enable = NGX_CONF_UNSET;
> @@ -632,6 +640,7 @@
>                           prev->stapling_responder, "");
> 
>      ngx_conf_merge_str_value(conf->psk_file, prev->psk_file, "");
> +    ngx_conf_merge_str_value(conf->psk_identity_hint, prev->psk_identity_hint, "");
> 
>      conf->ssl.log = cf->log;
> 
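
Review bot: The added ngx_conf_merge_str_value() line for psk_identity_hint runs to 84 columns with its indentation, past the 80-column limit the surrounding code keeps. Wrap it the way the stapling_responder call directly above is wrapped, with `prev->psk_identity_hint, "");` on a continuation line.
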
> @@ -819,6 +828,15 @@
>          return NGX_CONF_ERROR;
>      }
> 
> +    if (conf->psk_identity_hint.len != 0) {
> +        if (SSL_CTX_use_psk_identity_hint(conf->ssl.ctx,
> +                                          (char *) conf->psk_identity_hint.data)
> +            != 1)
> +        {
> +            return NGX_CONF_ERROR;
> +        }
> +    }

Please avoid direct calls of SSL library functions.  Instead, 
please pass this as a parameter to ngx_ssl_psk_file(), and use 
appropriate library calls there.

> +
>      return NGX_CONF_OK;
>  }
> 
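
Review bot: The new block returns NGX_CONF_ERROR when SSL_CTX_use_psk_identity_hint() does not return 1 but logs nothing, so a rejected hint (for example one longer than OpenSSL's PSK_MAX_IDENTITY_LEN) stops configuration loading with no message pointing at ssl_psk_identity_hint. Log the failure before `return NGX_CONF_ERROR;`, for instance through ngx_ssl_error() at NGX_LOG_EMERG on cf->log with the function name in the message. The `(char *) conf->psk_identity_hint.data` cast also relies on the ngx_str_t being NUL-terminated, since only .len is tested and the length is never passed to the library; a short comment stating that assumption would help.
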
> diff -r a4635fa4a0ca -r b70669565821 src/http/modules/ngx_http_ssl_module.h
> --- a/src/http/modules/ngx_http_ssl_module.h    Thu Jun 22 08:13:27 2017 -0500
> +++ b/src/http/modules/ngx_http_ssl_module.h    Thu Jun 22 08:14:03 2017 -0500
> @@ -56,6 +56,7 @@
>      ngx_str_t                       stapling_responder;
> 
>      ngx_str_t                       psk_file;
> +    ngx_str_t                       psk_identity_hint;
> 
>      u_char                         *file;
>      ngx_uint_t                      line;
> 

-- 
Maxim Dounin
http://nginx.org/

