Welcome! Log In Create A New Profile

Advanced

[PATCH] [PATCH 2 of 4] SSL: add support for PSK cipher suites

Nate Karstens
August 23, 2017 10:22PM
# HG changeset patch
# User Nate Karstens <nate.karstens@garmin.com>
# Date 1503540059 18000
# Wed Aug 23 21:00:59 2017 -0500
# Node ID 97953fe374455a04973268c4b2fbadd7ced91ffe
# Parent 17c038b56051f922ec440d40e23e8d1b23d835df
[PATCH 2 of 4] SSL: add support for PSK cipher suites.

Adds support for TLS connections using PSK cipher suites. A new
configuration directive, ssl_psk_file, specifies the file that
contains a list of identities and associated PSKs. Each line of
the file begins with the identity, followed by a colon character
(':'), and ending with the PSK. As required by RFC 4279 section
5.4, PSKs may be entered either as plain text or using hexadecimal
encoding. Hexadecimal PSKs must begin with "{HEX}". PSKs without
this prefix are assumed to be plain text, but they may optionally
begin with "{PLAIN}" to denote this. Some examples:

gary:plain_text_password
min:{PLAIN}another_text_password
cliff:{HEX}ab0123CD

PSK functionality can be easily tested with the OpenSSL s_client
using the "-psk" and "-psk_identity" options.

Signed-off-by: Nate Karstens <nate.karstens@garmin.com>

diff -r 17c038b56051 -r 97953fe37445 contrib/vim/syntax/nginx.vim
--- a/contrib/vim/syntax/nginx.vim Wed Aug 23 21:00:18 2017 -0500
+++ b/contrib/vim/syntax/nginx.vim Wed Aug 23 21:00:59 2017 -0500
@@ -550,6 +550,7 @@ syn keyword ngxDirective contained ssl_p
syn keyword ngxDirective contained ssl_prefer_server_ciphers
syn keyword ngxDirective contained ssl_preread
syn keyword ngxDirective contained ssl_protocols
+syn keyword ngxDirective contained ssl_psk_file
syn keyword ngxDirective contained ssl_session_cache
syn keyword ngxDirective contained ssl_session_ticket_key
syn keyword ngxDirective contained ssl_session_tickets
diff -r 17c038b56051 -r 97953fe37445 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Wed Aug 23 21:00:18 2017 -0500
+++ b/src/event/ngx_event_openssl.c Wed Aug 23 21:00:59 2017 -0500
@@ -11,6 +11,7 @@


#define NGX_SSL_PASSWORD_BUFFER_SIZE 4096
+#define NGX_SSL_PSK_BUFFER_SIZE 4096


typedef struct {
@@ -24,6 +25,10 @@ static int ngx_ssl_verify_callback(int o
static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
int ret);
static void ngx_ssl_passwords_cleanup(void *data);
+#ifdef PSK_MAX_IDENTITY_LEN
+static unsigned int ngx_ssl_psk_callback(ngx_ssl_conn_t *ssl_conn,
+ const char *identity, unsigned char *psk, unsigned int max_psk_len);
+#endif
static void ngx_ssl_handshake_handler(ngx_event_t *ev);
static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n);
static void ngx_ssl_write_handler(ngx_event_t *wev);
@@ -110,6 +115,7 @@ int ngx_ssl_connection_index;
int ngx_ssl_server_conf_index;
int ngx_ssl_session_cache_index;
int ngx_ssl_session_ticket_keys_index;
+int ngx_ssl_psk_index;
int ngx_ssl_certificate_index;
int ngx_ssl_next_certificate_index;
int ngx_ssl_certificate_name_index;
@@ -195,6 +201,14 @@ ngx_ssl_init(ngx_log_t *log)
return NGX_ERROR;
}

+ ngx_ssl_psk_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+
+ if (ngx_ssl_psk_index == -1) {
+ ngx_ssl_error(NGX_LOG_ALERT, log, 0,
+ "SSL_CTX_get_ex_new_index() failed");
+ return NGX_ERROR;
+ }
+
ngx_ssl_certificate_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
NULL);
if (ngx_ssl_certificate_index == -1) {
@@ -1163,6 +1177,211 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_s


ngx_int_t
+ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
+{
+#ifdef PSK_MAX_IDENTITY_LEN
+
+ ngx_fd_t fd;
+ ngx_int_t err;
+ ngx_file_info_t fi;
+
+ err = NGX_OK;
+
+ if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ fd = ngx_open_file(file->data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0);
+ if (fd == NGX_INVALID_FILE) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, ngx_errno,
+ ngx_open_file_n " \"%V\" failed", file);
+ return NGX_ERROR;
+ }
+
+ if (ngx_fd_info(fd, &fi) == NGX_FILE_ERROR) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, ngx_errno,
+ ngx_fd_info_n " \"%V\" failed", file);
+ err = NGX_ERROR;
+ goto failed;
+ }
+
+ if (ngx_file_size(&fi) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "PSK file \"%V\" is empty", file);
+ err = NGX_ERROR;
+ goto failed;
+ }
+
+failed:
+
+ if (ngx_close_file(fd) == NGX_FILE_ERROR) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, ngx_errno,
+ ngx_close_file_n " %V failed", file);
+ err = NGX_ERROR;
+ }
+
+ if (err != NGX_OK) {
+ return err;
+ }
+
+ if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_psk_index, file) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CTX_set_ex_data() failed");
+ return NGX_ERROR;
+ }
+
+ SSL_CTX_set_psk_server_callback(ssl->ctx, ngx_ssl_psk_callback);
+
+#endif
+
+ return NGX_OK;
+}
+
+
+#ifdef PSK_MAX_IDENTITY_LEN
+
+static unsigned int
+ngx_ssl_psk_callback(ngx_ssl_conn_t *ssl_conn, const char *identity,
+ unsigned char *psk, unsigned int max_psk_len)
+{
+ u_char *p, *last, *end, *colon;
+ size_t len;
+ ssize_t n;
+ SSL_CTX *ssl_ctx;
+ ngx_fd_t fd;
+ ngx_str_t *file;
+ unsigned int psk_len;
+ ngx_connection_t *c;
+ u_char buf[NGX_SSL_PSK_BUFFER_SIZE];
+
+ psk_len = 0;
+ c = ngx_ssl_get_connection(ssl_conn);
+
+ ssl_ctx = SSL_get_SSL_CTX(ssl_conn);
+ file = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_psk_index);
+
+ fd = ngx_open_file(file->data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0);
+ if (fd == NGX_INVALID_FILE) {
+ ngx_ssl_error(NGX_LOG_ERR, c->log, ngx_errno,
+ ngx_open_file_n " \"%V\" failed", file);
+ return 0;
+ }
+
+ len = 0;
+ last = buf;
+
+ do {
+ n = ngx_read_fd(fd, last, NGX_SSL_PSK_BUFFER_SIZE - len);
+
+ if (n == -1) {
+ ngx_ssl_error(NGX_LOG_ERR, c->log, ngx_errno,
+ ngx_read_fd_n " \"%V\" failed", file);
+ psk_len = 0;
+ goto cleanup;
+ }
+
+ end = last + n;
+
+ if (len && n == 0) {
+ *end++ = LF;
+ }
+
+ for (p = buf; /* void */; p = last) {
+ last = ngx_strlchr(last, end, LF);
+
+ if (last == NULL) {
+ break;
+ }
+
+ len = last++ - p;
+
+ if (len && p[len - 1] == CR) {
+ len--;
+ }
+
+ if (len == 0) {
+ continue;
+ }
+
+ colon = ngx_strlchr(p, p + len, ':');
+
+ if (colon == NULL) {
+ continue;
+ }
+
+ *colon = '\0';
+
+ if (ngx_strcmp(p, identity) != 0) {
+ continue;
+ }
+
+ len -= colon + 1 - p;
+ p = colon + 1;
+
+ if (ngx_strncmp(p, "{HEX}", sizeof("{HEX}") - 1) == 0) {
+
+ p += sizeof("{HEX}") - 1;
+ len -= sizeof("{HEX}") - 1;
+
+ if (len / 2 > max_psk_len) {
+ goto cleanup;
+ }
+
+ if (ngx_hex_decode(psk, p, len) != NGX_OK) {
+ ngx_memzero(psk, len / 2);
+ goto cleanup;
+ }
+
+ psk_len = len / 2;
+
+ goto cleanup;
+
+ } else if (ngx_strncmp(p, "{PLAIN}", sizeof("{PLAIN}") - 1) == 0) {
+ p += sizeof("{PLAIN}") - 1;
+ len -= sizeof("{PLAIN}") - 1;
+ }
+
+ if (len > max_psk_len) {
+ goto cleanup;
+ }
+
+ ngx_memcpy(psk, p, len);
+ psk_len = len;
+
+ goto cleanup;
+ }
+
+ len = end - p;
+
+ if (len == NGX_SSL_PSK_BUFFER_SIZE) {
+ ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
+ "too long line in \"%V\"", file);
+ psk_len = 0;
+ goto cleanup;
+ }
+
+ ngx_memmove(buf, p, len);
+ last = buf + len;
+
+ } while (n != 0);
+
+cleanup:
+
+ if (ngx_close_file(fd) == NGX_FILE_ERROR) {
+ ngx_ssl_error(NGX_LOG_ALERT, c->log, ngx_errno,
+ ngx_close_file_n " %V failed", file);
+ psk_len = 0;
+ }
+
+ ngx_memzero(buf, NGX_SSL_PSK_BUFFER_SIZE);
+
+ return psk_len;
+}
+
+#endif
+
+
+ngx_int_t
ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
{
ngx_ssl_connection_t *sc;
diff -r 17c038b56051 -r 97953fe37445 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Wed Aug 23 21:00:18 2017 -0500
+++ b/src/event/ngx_event_openssl.h Wed Aug 23 21:00:59 2017 -0500
@@ -172,6 +172,7 @@ ngx_int_t ngx_ssl_session_cache(ngx_ssl_
ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_array_t *paths);
ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
+ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
ngx_uint_t flags);

@@ -253,6 +254,7 @@ extern int ngx_ssl_connection_index;
extern int ngx_ssl_server_conf_index;
extern int ngx_ssl_session_cache_index;
extern int ngx_ssl_session_ticket_keys_index;
+extern int ngx_ssl_psk_index;
extern int ngx_ssl_certificate_index;
extern int ngx_ssl_next_certificate_index;
extern int ngx_ssl_certificate_name_index;
diff -r 17c038b56051 -r 97953fe37445 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Wed Aug 23 21:00:18 2017 -0500
+++ b/src/http/modules/ngx_http_ssl_module.c Wed Aug 23 21:00:59 2017 -0500
@@ -234,6 +234,13 @@ static ngx_command_t ngx_http_ssl_comma
offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
NULL },

+ { ngx_string("ssl_psk_file"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, psk_file),
+ NULL },
+
ngx_null_command
};

@@ -543,6 +550,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t
* sscf->shm_zone = NULL;
* sscf->stapling_file = { 0, NULL };
* sscf->stapling_responder = { 0, NULL };
+ * sscf->psk_file = { 0, NULL };
*/

sscf->enable = NGX_CONF_UNSET;
@@ -624,6 +632,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
ngx_conf_merge_str_value(conf->stapling_responder,
prev->stapling_responder, "");

+ ngx_conf_merge_str_value(conf->psk_file, prev->psk_file, "");
+
conf->ssl.log = cf->log;

if (conf->enable) {
@@ -804,6 +814,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *

}

+ if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file) != NGX_OK) {
+ return NGX_CONF_ERROR;
+ }
+
return NGX_CONF_OK;
}

diff -r 17c038b56051 -r 97953fe37445 src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h Wed Aug 23 21:00:18 2017 -0500
+++ b/src/http/modules/ngx_http_ssl_module.h Wed Aug 23 21:00:59 2017 -0500
@@ -55,6 +55,8 @@ typedef struct {
ngx_str_t stapling_file;
ngx_str_t stapling_responder;

+ ngx_str_t psk_file;
+
u_char *file;
ngx_uint_t line;
} ngx_http_ssl_srv_conf_t;

________________________________

CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you.
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH] [PATCH 2 of 4] SSL: add support for PSK cipher suites

Nate Karstens 806 August 23, 2017 10:22PM

Re: [PATCH] [PATCH 2 of 4] SSL: add support for PSK cipher suites

Maxim Dounin 350 August 31, 2017 10:44AM

RE: [PATCH] [PATCH 2 of 4] SSL: add support for PSK cipher suites

Karstens, Nate 466 September 01, 2017 09:18AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 146
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready