Hello! On Fri, Jul 28, 2017 at 01:50:44PM -0500, Nate Karstens wrote:
> # HG changeset patch
> # User Nate Karstens <[email protected]>
> # Date 1501265943 18000
> # Fri Jul 28 13:19:03 2017 -0500
> # Node ID d47b57ebf82c1eedb4236a661b9d786dfd06b468
> # Parent 00a1466fe33b8969ef765d8d0547dfbc7c97dd4e
> SSL: add identity hint config directive.
>
> Adds the directive "ssl_psk_identity_hint" to the ngx_http_ssl_module.
> This allows the user to specify the PSK identity hint given to the
> connecting client.
>
> Signed-off-by: Nate Karstens <[email protected]>
>
> diff -r 00a1466fe33b -r d47b57ebf82c contrib/vim/syntax/nginx.vim
> --- a/contrib/vim/syntax/nginx.vim Fri Jul 28 13:18:15 2017 -0500
> +++ b/contrib/vim/syntax/nginx.vim Fri Jul 28 13:19:03 2017 -0500
> @@ -551,6 +551,7 @@ syn keyword ngxDirective contained ssl_p
> syn keyword ngxDirective contained ssl_preread
> syn keyword ngxDirective contained ssl_protocols
> syn keyword ngxDirective contained ssl_psk_file
> +syn keyword ngxDirective contained ssl_psk_identity_hint
> syn keyword ngxDirective contained ssl_session_cache
> syn keyword ngxDirective contained ssl_session_ticket_key
> syn keyword ngxDirective contained ssl_session_tickets
> diff -r 00a1466fe33b -r d47b57ebf82c src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c Fri Jul 28 13:18:15 2017 -0500
> +++ b/src/event/ngx_event_openssl.c Fri Jul 28 13:19:03 2017 -0500
> @@ -3281,7 +3281,8 @@ ngx_ssl_session_ticket_keys(ngx_conf_t *
>
>
> ngx_int_t
> -ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
> +ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
> + ngx_str_t *identity_hint)
> {
> #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
> if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_psk_index, file) == 0) {
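Review bot: The new `identity_hint` parameter of `ngx_ssl_psk_file` comes with no statement of its contract, and the function has no header comment to hold one; the body (in the next hunk) hands `identity_hint->data` straight to OpenSSL as a C string, so callers must supply a NUL-terminated value, which nginx config tokens are but `ngx_str_t` in general does not guarantee. I would add above the definition: `/* identity_hint: NUL-terminated PSK identity hint (RFC 4279), sent unencrypted in the ServerKeyExchange, so it must not carry anything secret; OpenSSL rejects hints longer than PSK_MAX_IDENTITY_LEN */`. The function body continues outside this hunk.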
> @@ -3290,6 +3291,13 @@ ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl
> return NGX_ERROR;
> }
>
> + if (SSL_CTX_use_psk_identity_hint(ssl->ctx,
> + (char *) identity_hint->data) == 0) {

Style: "== 0)" and "{" should be on their own lines, no need to wrap SSL_CTX_use_psk_identity_hint() arguments as they fit into 80 chars: if (SSL_CTX_use_psk_identity_hint(ssl->ctx, (char *) identity_hint->data) == 0) {

> + ngx_ssl_error(NGX_LOG_ALERT, ssl->log, 0,
> + "SSL_CTX_use_psk_identity_hint() failed");

The NGX_LOG_ALERT logging level is not appropriate here. As the error is fatal and will prevent nginx from starting, it should be NGX_LOG_EMERG.

> + return NGX_ERROR;
> + }
> +
> SSL_CTX_set_psk_server_callback(ssl->ctx, ngx_ssl_psk_callback);
> #endif
>
> diff -r 00a1466fe33b -r d47b57ebf82c src/event/ngx_event_openssl.h
> --- a/src/event/ngx_event_openssl.h Fri Jul 28 13:18:15 2017 -0500
> +++ b/src/event/ngx_event_openssl.h Fri Jul 28 13:19:03 2017 -0500
> @@ -171,7 +171,8 @@ ngx_int_t ngx_ssl_session_cache(ngx_ssl_
> ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
> ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
> ngx_array_t *paths);
> -ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
> +ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
> + ngx_str_t *identity_hint);
> ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
> ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
> ngx_uint_t flags);
> diff -r 00a1466fe33b -r d47b57ebf82c src/http/modules/ngx_http_ssl_module.c
> --- a/src/http/modules/ngx_http_ssl_module.c Fri Jul 28 13:18:15 2017 -0500
> +++ b/src/http/modules/ngx_http_ssl_module.c Fri Jul 28 13:19:03 2017 -0500
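Review bot: An absent `ssl_psk_identity_hint` directive still reaches `SSL_CTX_use_psk_identity_hint`, because the merge hunk in ngx_http_ssl_module.c defaults `psk_identity_hint` to `""`, so every context that goes through this function is configured with an empty hint rather than with none. As far as I recall, OpenSSL treats a non-NULL empty hint differently from no hint at all (the server then emits a ServerKeyExchange carrying the empty string), which silently changes the handshake for existing configurations that never set the directive. I would guard the call on the value being present, `if (identity_hint->len && SSL_CTX_use_psk_identity_hint(ssl->ctx, (char *) identity_hint->data) == 0)`, wrapped per nginx style, so that "not configured" keeps the previous behaviour; if the call site also runs when no `ssl_psk_file` is set (its guard is outside the hunk), the same check keeps contexts without PSK from advertising a hint.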
> @@ -241,6 +241,13 @@ static ngx_command_t ngx_http_ssl_comma
> offsetof(ngx_http_ssl_srv_conf_t, psk_file),
> NULL },
>
> + { ngx_string("ssl_psk_identity_hint"),
> + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
> + ngx_conf_set_str_slot,
> + NGX_HTTP_SRV_CONF_OFFSET,
> + offsetof(ngx_http_ssl_srv_conf_t, psk_identity_hint),
> + NULL },
> +
> ngx_null_command
> };
>
> @@ -550,6 +557,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t
> * sscf->stapling_file = { 0, NULL };
> * sscf->stapling_responder = { 0, NULL };
> * sscf->psk_file = { 0, NULL };
> + * sscf->psk_identity_hint = { 0, NULL };
> */
>
> sscf->enable = NGX_CONF_UNSET;
> @@ -632,6 +640,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
> prev->stapling_responder, "");
>
> ngx_conf_merge_str_value(conf->psk_file, prev->psk_file, "");
> + ngx_conf_merge_str_value(conf->psk_identity_hint,
> prev->psk_identity_hint, "");

Style: lines should be under 80 chars.

>
> conf->ssl.log = cf->log;
>
> @@ -813,7 +822,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
>
> }
>
> - if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file)
> + if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file,
> + &conf->psk_identity_hint)
> != NGX_OK)
> {
> return NGX_CONF_ERROR;
> diff -r 00a1466fe33b -r d47b57ebf82c src/http/modules/ngx_http_ssl_module.h
> --- a/src/http/modules/ngx_http_ssl_module.h Fri Jul 28 13:18:15 2017 -0500
> +++ b/src/http/modules/ngx_http_ssl_module.h Fri Jul 28 13:19:03 2017 -0500
> @@ -56,6 +56,7 @@ typedef struct {
> ngx_str_t stapling_responder;
>
> ngx_str_t psk_file;
> + ngx_str_t psk_identity_hint;
>
> u_char *file;
> ngx_uint_t line;
>
> ________________________________
>
> CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use
> of the intended recipient(s) and contain information that may be Garmin
> confidential and/or Garmin legally privileged. If you have received this
> email in error, please notify the sender by reply email and delete the
> message. Any disclosure, copying, distribution or use of this communication
> (including attachments) by someone other than the intended recipient is
> prohibited. Thank you.
> _______________________________________________
> nginx-devel mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx-devel

-- 
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx-devel
