Re: [PATCH] SSL: add PSK identity variable

Maxim Dounin
August 21, 2017 07:42PM
Hello!

On Fri, Jul 28, 2017 at 01:49:13PM -0500, Nate Karstens wrote:

> # HG changeset patch
> # User Nate Karstens <nate.karstens@garmin.com>
> # Date 1501265895 18000
> # Fri Jul 28 13:18:15 2017 -0500
> # Node ID 00a1466fe33b8969ef765d8d0547dfbc7c97dd4e
> # Parent 9537b7d299131e41a3f5993257000d328e28b117
> SSL: add PSK identity variable.
>
> Adds the variable $ssl_psk_identity to get the PSK identity
> used in a connection secured with a PSK cipher suite.
>
> Signed-off-by: Nate Karstens <nate.karstens@garmin.com>
>
> diff -r 9537b7d29913 -r 00a1466fe33b src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c Fri Jul 28 13:17:29 2017 -0500
> +++ b/src/event/ngx_event_openssl.c Fri Jul 28 13:18:15 2017 -0500
> @@ -4249,6 +4249,22 @@ ngx_ssl_get_client_v_remain(ngx_connecti
> }
>
>
> +ngx_int_t
> +ngx_ssl_get_psk_identity(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
> +{

Following ngx_ssl_parse_time() is a helper function for
ngx_ssl_get_client_v_remain(), so it might be a good idea to put
this function after ngx_ssl_parse_time(). YMMV.

> + const char *identity;
> +
> + identity = SSL_get_psk_identity(c->ssl->connection);

This needs conditional compilation.

> +
> + if (identity) {
> + s->data = (u_char *) identity;
> + s->len = ngx_strlen(identity);

Directly returning the result of SSL_get_psk_identity() without
copying it might not be safe. The pointer returned is allocated in
the context of the SSL session, and it can be freed at any time
due to renegotiation (unfortunately, OpenSSL still allows
renegotiation and provides no way to prevent it). Instead, the
value should be copied to memory allocated from the pool.

> + }
> +
> + return NGX_OK;
> +}
> +
> +
> static time_t
> ngx_ssl_parse_time(
> #if OPENSSL_VERSION_NUMBER > 0x10100000L
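Review bot: when SSL_get_psk_identity() returns NULL this function writes nothing into `*s` and still returns NGX_OK, so the caller gets back an unset `s->len`; start the body with `s->len = 0;` before the `if (identity)` branch. The `pool` argument is also unused: rather than aliasing session-owned memory with `s->data = (u_char *) identity;`, allocate `s->len` bytes with `ngx_pnalloc(pool, s->len)`, `ngx_memcpy()` the identity into that buffer, and return NGX_ERROR if the allocation fails. Because the variable table in ngx_http_ssl_module.c references this getter without any `#if`, the `#ifndef OPENSSL_NO_PSK` guard should wrap the body (falling through to `s->len = 0` when PSK is compiled out) rather than the whole function, so the symbol exists on every build.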
> diff -r 9537b7d29913 -r 00a1466fe33b src/event/ngx_event_openssl.h
> --- a/src/event/ngx_event_openssl.h Fri Jul 28 13:17:29 2017 -0500
> +++ b/src/event/ngx_event_openssl.h Fri Jul 28 13:18:15 2017 -0500
> @@ -233,6 +233,8 @@ ngx_int_t ngx_ssl_get_client_v_end(ngx_c
> ngx_str_t *s);
> ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool,
> ngx_str_t *s);
> +ngx_int_t ngx_ssl_get_psk_identity(ngx_connection_t *c, ngx_pool_t *pool,
> + ngx_str_t *s);
>
>
> ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
> diff -r 9537b7d29913 -r 00a1466fe33b src/http/modules/ngx_http_ssl_module.c
> --- a/src/http/modules/ngx_http_ssl_module.c Fri Jul 28 13:17:29 2017 -0500
> +++ b/src/http/modules/ngx_http_ssl_module.c Fri Jul 28 13:18:15 2017 -0500
> @@ -336,6 +336,9 @@ static ngx_http_variable_t ngx_http_ssl
> { ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,
> (uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },
>
> + { ngx_string("ssl_psk_identity"), NULL, ngx_http_ssl_variable,
> + (uintptr_t) ngx_ssl_get_psk_identity, NGX_HTTP_VAR_CHANGEABLE, 0 },
> +
> { ngx_null_string, NULL, NULL, 0, 0, 0 }
> };
>
>
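Review bot: this entry takes the address of `ngx_ssl_get_psk_identity` unconditionally, so the getter has to be defined on every OpenSSL build, including ones without PSK support; that constrains where the conditional compilation in ngx_event_openssl.c can go (inside the function body, not around its definition). A new `$ssl_psk_identity` variable also needs a documentation entry stating that it is empty when no PSK cipher suite was negotiated.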
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel

--
Maxim Dounin
http://nginx.org/
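The lifetime problem raised above (a pointer into session-owned memory that renegotiation may free) is easiest to see with a small stand-alone model. The following is an added example, not nginx code and not part of this thread: `pool_t`, `str_t`, `mock_session_t`, `pool_alloc()` and `session_get_psk_identity()` are hypothetical stand-ins for the nginx pool, `ngx_str_t`, the OpenSSL session and SSL_get_psk_identity(). It contrasts the aliasing getter from the patch with a getter that copies the identity into pool memory and resets `len` to 0 when no identity exists.

```c
/* Added example (not nginx code): copying a session-owned string into
 * request-scoped pool memory so it outlives the object that produced it.
 * All types and functions below are stand-ins, not the real nginx/OpenSSL API. */
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

#define POOL_SIZE 4096

/* Minimal bump allocator standing in for an nginx memory pool. */
typedef struct {
    unsigned char  buf[POOL_SIZE];
    size_t         used;
} pool_t;

/* Stand-in for ngx_str_t. */
typedef struct {
    size_t         len;
    unsigned char *data;
} str_t;

/* Stand-in for the SSL session that owns the PSK identity string; the
 * library may free or replace it at any time (e.g. on renegotiation). */
typedef struct {
    char *psk_identity;   /* NULL when no PSK cipher suite was negotiated */
} mock_session_t;

static void *pool_alloc(pool_t *p, size_t n)
{
    void *ptr;
    if (n > POOL_SIZE - p->used) return NULL;
    ptr = p->buf + p->used;
    p->used += n;
    return ptr;
}

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Mirrors SSL_get_psk_identity(): returns a pointer into session-owned memory. */
static const char *session_get_psk_identity(const mock_session_t *sess)
{
    return sess->psk_identity;
}

/* Pattern from the patch: s->data aliases memory the session may free. */
int get_psk_identity_borrowed(const mock_session_t *sess, str_t *s)
{
    const char *identity = session_get_psk_identity(sess);
    s->len = 0;
    s->data = NULL;
    if (identity) {
        s->data = (unsigned char *) identity;
        s->len = strlen(identity);
    }
    return 0;
}

/* Corrected pattern: copy into the pool; s->len == 0 means "no identity". */
int get_psk_identity_copied(const mock_session_t *sess, pool_t *pool, str_t *s)
{
    const char *identity;
    s->len = 0;
    s->data = NULL;
    identity = session_get_psk_identity(sess);
    if (identity == NULL) {
        return 0;
    }
    s->len = strlen(identity);
    s->data = pool_alloc(pool, s->len);
    if (s->data == NULL) {
        s->len = 0;
        return -1;          /* allocation failure, NGX_ERROR equivalent */
    }
    memcpy(s->data, identity, s->len);
    return 0;
}

/* Simulates renegotiation: the session discards its old identity string. */
void session_renegotiate(mock_session_t *sess, const char *new_identity)
{
    free(sess->psk_identity);
    sess->psk_identity = new_identity ? dup_str(new_identity) : NULL;
}

/* Returns 1 if the copied value survives renegotiation unchanged while the
 * borrowed one was merely an alias of session memory. */
int copied_value_survives_renegotiation(void)
{
    pool_t pool = { {0}, 0 };
    mock_session_t sess = { dup_str("client-42") };   /* constructed sample identity */
    str_t copied, borrowed;
    int aliased, own_copy, intact;

    get_psk_identity_copied(&sess, &pool, &copied);
    get_psk_identity_borrowed(&sess, &borrowed);
    aliased  = (borrowed.data == (unsigned char *) sess.psk_identity);
    own_copy = (copied.data != (unsigned char *) sess.psk_identity);

    session_renegotiate(&sess, "someone-else");
    /* borrowed.data now dangles and must not be read; copied is still valid */
    intact = (copied.len == 9 && memcmp(copied.data, "client-42", 9) == 0);

    session_renegotiate(&sess, NULL);
    return aliased && own_copy && intact;
}

/* Returns 1 if a session without a PSK identity yields len == 0. */
int no_identity_yields_empty(void)
{
    pool_t pool = { {0}, 0 };
    mock_session_t sess = { NULL };
    str_t s;
    s.len = 123;            /* stale value, to prove the getter resets it */
    return get_psk_identity_copied(&sess, &pool, &s) == 0 && s.len == 0;
}
```

The second getter is the shape a pool-backed nginx variable getter should take: the output string is initialised to empty before anything can fail, the pool owns the bytes the variable hands out, and the session is free to discard its own buffer afterwards.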