[PATCH] [PATCH 4 of 4] SSL: add identity hint config directive

Nate Karstens
August 23, 2017 10:24PM
# HG changeset patch
# User Nate Karstens <nate.karstens@garmin.com>
# Date 1503540237 18000
# Wed Aug 23 21:03:57 2017 -0500
# Node ID 62b4032371bd45217d40e2f0daf8ecd6956601d8
# Parent a11e114a2bcde4afb515dd0b70f3ef39693f475a
[PATCH 4 of 4] SSL: add identity hint config directive.

Adds the directive "ssl_psk_identity_hint" to the ngx_http_ssl_module.
This lets the administrator specify the PSK identity hint that the
server sends to connecting clients during the handshake.

Signed-off-by: Nate Karstens <nate.karstens@garmin.com>

diff -r a11e114a2bcd -r 62b4032371bd contrib/vim/syntax/nginx.vim
--- a/contrib/vim/syntax/nginx.vim Wed Aug 23 21:03:31 2017 -0500
+++ b/contrib/vim/syntax/nginx.vim Wed Aug 23 21:03:57 2017 -0500
@@ -551,6 +551,7 @@ syn keyword ngxDirective contained ssl_p
syn keyword ngxDirective contained ssl_preread
syn keyword ngxDirective contained ssl_protocols
syn keyword ngxDirective contained ssl_psk_file
+syn keyword ngxDirective contained ssl_psk_identity_hint
syn keyword ngxDirective contained ssl_session_cache
syn keyword ngxDirective contained ssl_session_ticket_key
syn keyword ngxDirective contained ssl_session_tickets
diff -r a11e114a2bcd -r 62b4032371bd src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Wed Aug 23 21:03:31 2017 -0500
+++ b/src/event/ngx_event_openssl.c Wed Aug 23 21:03:57 2017 -0500
@@ -1177,7 +1177,8 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_s


ngx_int_t
-ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
+ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
+ ngx_str_t *identity_hint)
{
#ifdef PSK_MAX_IDENTITY_LEN

@@ -1230,6 +1231,14 @@ failed:
return NGX_ERROR;
}

+ if (SSL_CTX_use_psk_identity_hint(ssl->ctx, (char *) identity_hint->data)
+ == 0)
+ {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CTX_use_psk_identity_hint() failed");
+ return NGX_ERROR;
+ }
+
SSL_CTX_set_psk_server_callback(ssl->ctx, ngx_ssl_psk_callback);

#endif
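Review bot: The hint is handed to SSL_CTX_use_psk_identity_hint() with no length check, so a value longer than PSK_MAX_IDENTITY_LEN is rejected by OpenSSL and the only diagnostic is the generic "SSL_CTX_use_psk_identity_hint() failed" message; an explicit check with an error that names the directive and the limit would make a mis-sized configuration value obvious. Separately, the merge default for an unset directive is "" (set in ngx_http_ssl_module.c, outside this hunk), so an empty but non-NULL hint is always installed; as far as I can tell OpenSSL treats NULL as "no hint" and "" as a zero-length hint, so passing NULL when len is 0 is the safer way to keep the previous behaviour. Since the identity hint is transmitted in the clear during the handshake, a short comment warning that it must never carry a secret is worth adding at the call. ngx_ssl_psk_file begins and ends outside this hunk.
```c
    /* the hint travels unencrypted in the handshake: never put a secret in it */
    if (identity_hint->len > PSK_MAX_IDENTITY_LEN) {
        ngx_log_error(NGX_LOG_EMERG, ssl->log, 0,
                      "ssl_psk_identity_hint is longer than %d bytes",
                      PSK_MAX_IDENTITY_LEN);
        return NGX_ERROR;
    }

    /* NULL, not "", keeps "no hint" semantics when the directive is unset */
    if (SSL_CTX_use_psk_identity_hint(ssl->ctx,
                                      identity_hint->len
                                      ? (char *) identity_hint->data : NULL)
        == 0)
    {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_use_psk_identity_hint() failed");
        return NGX_ERROR;
    }

    /* … unchanged: SSL_CTX_set_psk_server_callback() … */
```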
diff -r a11e114a2bcd -r 62b4032371bd src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Wed Aug 23 21:03:31 2017 -0500
+++ b/src/event/ngx_event_openssl.h Wed Aug 23 21:03:57 2017 -0500
@@ -172,7 +172,8 @@ ngx_int_t ngx_ssl_session_cache(ngx_ssl_
ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_array_t *paths);
ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
-ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
+ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
+ ngx_str_t *identity_hint);
ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
ngx_uint_t flags);

diff -r a11e114a2bcd -r 62b4032371bd src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Wed Aug 23 21:03:31 2017 -0500
+++ b/src/http/modules/ngx_http_ssl_module.c Wed Aug 23 21:03:57 2017 -0500
@@ -241,6 +241,13 @@ static ngx_command_t ngx_http_ssl_comma
offsetof(ngx_http_ssl_srv_conf_t, psk_file),
NULL },

+ { ngx_string("ssl_psk_identity_hint"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, psk_identity_hint),
+ NULL },
+
ngx_null_command
};

@@ -554,6 +561,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t
* sscf->stapling_file = { 0, NULL };
* sscf->stapling_responder = { 0, NULL };
* sscf->psk_file = { 0, NULL };
+ * sscf->psk_identity_hint = { 0, NULL };
*/

sscf->enable = NGX_CONF_UNSET;
@@ -636,6 +644,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
prev->stapling_responder, "");

ngx_conf_merge_str_value(conf->psk_file, prev->psk_file, "");
+ ngx_conf_merge_str_value(conf->psk_identity_hint,
+ prev->psk_identity_hint, "");

conf->ssl.log = cf->log;

@@ -817,7 +827,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *

}

- if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file) != NGX_OK) {
+ if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file,
+ &conf->psk_identity_hint)
+ != NGX_OK)
+ {
return NGX_CONF_ERROR;
}

diff -r a11e114a2bcd -r 62b4032371bd src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h Wed Aug 23 21:03:31 2017 -0500
+++ b/src/http/modules/ngx_http_ssl_module.h Wed Aug 23 21:03:57 2017 -0500
@@ -56,6 +56,7 @@ typedef struct {
ngx_str_t stapling_responder;

ngx_str_t psk_file;
+ ngx_str_t psk_identity_hint;

u_char *file;
ngx_uint_t line;
