From e859096b2c296056cc75d42bbfb9703156ee2971 Mon Sep 17 00:00:00 2001 From: detailyang Date: Wed, 2 Nov 2016 20:01:39 +0800 Subject: [PATCH 01/23] doc: log level constatns add nginx phase --- README.markdown | 2 +- doc/HttpLuaModule.wiki | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.markdown b/README.markdown index dcacd59024..e78b9d4f0a 100644 --- a/README.markdown +++ b/README.markdown @@ -3394,7 +3394,7 @@ HTTP status constants Nginx log level constants ------------------------- -**context:** *set_by_lua*, rewrite_by_lua*, access_by_lua*, content_by_lua*, header_filter_by_lua*, body_filter_by_lua*, log_by_lua*, ngx.timer.*, balancer_by_lua*, ssl_certificate_by_lua*, ssl_session_fetch_by_lua*, ssl_session_store_by_lua** +**context:** *init_by_lua*, init_worker_by_lua*, set_by_lua*, rewrite_by_lua*, access_by_lua*, content_by_lua*, header_filter_by_lua*, body_filter_by_lua*, log_by_lua*, ngx.timer.*, balancer_by_lua*, ssl_certificate_by_lua*, ssl_session_fetch_by_lua*, ssl_session_store_by_lua** ```lua diff --git a/doc/HttpLuaModule.wiki b/doc/HttpLuaModule.wiki index a64d141204..96eb9010f5 100644 --- a/doc/HttpLuaModule.wiki +++ b/doc/HttpLuaModule.wiki @@ -2744,7 +2744,7 @@ These constants are usually used in [[#ngx.location.capture|ngx.location.capture == Nginx log level constants == -'''context:''' ''set_by_lua*, rewrite_by_lua*, access_by_lua*, content_by_lua*, header_filter_by_lua*, body_filter_by_lua*, log_by_lua*, ngx.timer.*, balancer_by_lua*, ssl_certificate_by_lua*, ssl_session_fetch_by_lua*, ssl_session_store_by_lua*'' +'''context:''' ''init_by_lua*, init_worker_by_lua*, set_by_lua*, rewrite_by_lua*, access_by_lua*, content_by_lua*, header_filter_by_lua*, body_filter_by_lua*, log_by_lua*, ngx.timer.*, balancer_by_lua*, ssl_certificate_by_lua*, ssl_session_fetch_by_lua*, ssl_session_store_by_lua*'' ngx.STDERR From 2ec655d4ceb68c0f92f2fc5fa4e6a9b98fe67295 Mon Sep 17 00:00:00 2001 
From: detailyang Date: Sun, 19 Feb 2017 17:22:35 +0800 Subject: [PATCH 02/23] feature: ssl.create_ctx and tcp:setsslctx Signed-off-by: detailyang --- src/ngx_http_lua_socket_tcp.c | 56 ++++- src/ngx_http_lua_socket_tcp.h | 1 + src/ngx_http_lua_ssl.c | 384 ++++++++++++++++++++++++++++++++++ t/151-ssl-ctx.t | 152 ++++++++++++++ 4 files changed, 592 insertions(+), 1 deletion(-) create mode 100644 t/151-ssl-ctx.t diff --git a/src/ngx_http_lua_socket_tcp.c b/src/ngx_http_lua_socket_tcp.c index 49811168d1..a2ea89220a 100644 --- a/src/ngx_http_lua_socket_tcp.c +++ b/src/ngx_http_lua_socket_tcp.c @@ -183,6 +183,12 @@ enum { } +#if (NGX_HTTP_SSL) + +#define ngx_http_lua_ngx_socket_tcp_mt_key "__ngx_socket_tcp_mt" + +#endif + static char ngx_http_lua_req_socket_metatable_key; static char ngx_http_lua_raw_req_socket_metatable_key; static char ngx_http_lua_tcp_socket_metatable_key; @@ -316,6 +322,19 @@ ngx_http_lua_inject_socket_tcp_api(ngx_log_t *log, lua_State *L) lua_pushvalue(L, -1); lua_setfield(L, -2, "__index"); + +#if (NGX_HTTP_SSL) + +#ifndef NGX_LUA_NO_FFI_API + + /* expose tcp object metatable to global for FFI */ + lua_pushvalue(L, -1); + lua_setglobal(L, ngx_http_lua_ngx_socket_tcp_mt_key); + +#endif /* NGX_LUA_NO_FFI_API */ + +#endif /* NGX_HTTP_SSL */ + lua_rawset(L, LUA_REGISTRYINDEX); /* }}} */ @@ -587,6 +606,12 @@ ngx_http_lua_socket_tcp_connect(lua_State *L) u->conf = llcf; +#if (NGX_HTTP_SSL) + + u->ssl = llcf->ssl; + +#endif + pc = &u->peer; pc->log = r->connection->log; 
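Review bot: `u->ssl = llcf->ssl;` is assigned unconditionally every time `connect()` runs, so if the upstream userdata is reused when the same cosocket reconnects (the body of ngx_http_lua_socket_tcp_connect is outside the hunk), a context installed earlier with `setsslctx` is silently replaced by the location default. Make the fallback explicit, `if (u->ssl == NULL) { u->ssl = llcf->ssl; }`, or clear `u->ssl` on close so the precedence is deliberate rather than accidental. Either way the required call order (connect, then setsslctx, then sslhandshake) should be stated in the API documentation for `tcp:setsslctx`, which this series does not yet add.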
@@ -1200,6 +1225,35 @@ ngx_http_lua_socket_conn_error_retval_handler(ngx_http_request_t *r, #if (NGX_HTTP_SSL) + +#ifndef NGX_LUA_NO_FFI_API + +int +ngx_http_lua_ffi_socket_tcp_setsslctx(ngx_http_request_t *r, + ngx_http_lua_socket_tcp_upstream_t *u, void *cdata_ctx, char **err) +{ + SSL_CTX *ssl_ctx = cdata_ctx; + + ngx_ssl_t *ssl; + + ssl = ngx_pcalloc(r->pool, sizeof(ngx_ssl_t)); + if (ssl == NULL) { + *err = "no memory"; + return NGX_ERROR; + } + + ssl->ctx = ssl_ctx; + ssl->log = u->ssl->log; + ssl->buffer_size = u->ssl->buffer_size; + + u->ssl = ssl; + + return NGX_OK; +} + +#endif /* NGX_LUA_NO_FFI_API */ + + static int ngx_http_lua_socket_tcp_sslhandshake(lua_State *L) { @@ -1286,7 +1340,7 @@ ngx_http_lua_socket_tcp_sslhandshake(lua_State *L) return 1; } - if (ngx_ssl_create_connection(u->conf->ssl, c, + if (ngx_ssl_create_connection(u->ssl, c, NGX_SSL_BUFFER|NGX_SSL_CLIENT) != NGX_OK) { diff --git a/src/ngx_http_lua_socket_tcp.h b/src/ngx_http_lua_socket_tcp.h index dbdee41c6e..2a8e5b84fe 100644 --- a/src/ngx_http_lua_socket_tcp.h +++ b/src/ngx_http_lua_socket_tcp.h @@ -92,6 +92,7 @@ struct ngx_http_lua_socket_tcp_upstream_s { #if (NGX_HTTP_SSL) ngx_str_t ssl_name; + ngx_ssl_t *ssl; #endif unsigned ft_type:16; diff --git a/src/ngx_http_lua_ssl.c b/src/ngx_http_lua_ssl.c index 8ed7b95417..0ef0157d5b 100644 --- a/src/ngx_http_lua_ssl.c +++ b/src/ngx_http_lua_ssl.c @@ -13,6 +13,11 @@ #if (NGX_HTTP_SSL) +#define ngx_http_lua_ssl_check_method(method, method_len, s) \ + (method_len == sizeof(s) - 1 \ + && ngx_strncmp((method), (s), method_len) == 0) + + int ngx_http_lua_ssl_ctx_index = -1; 
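Review bot: `ngx_http_lua_ffi_socket_tcp_setsslctx` stores the caller's `SSL_CTX *` in `ssl->ctx` without taking a reference, so the Lua owner can free it through `ngx_http_lua_ffi_ssl_ctx_free` (for example from a GC finalizer) before `sslhandshake` reaches `ngx_ssl_create_connection`, leaving a dangling pointer in pool memory. Take a reference here, `SSL_CTX_up_ref(ssl_ctx)` on OpenSSL 1.1.0+ (`CRYPTO_add(&ssl_ctx->references, 1, CRYPTO_LOCK_SSL_CTX)` on older releases), and release it from a pool cleanup, or document that the Lua side must keep the cdata alive until the handshake completes. The function also dereferences `u->ssl->log` without checking that `u->ssl` is set, and nothing in the hunk rejects a socket whose TLS connection is already established, where swapping the context has no effect. The neighbouring tcp-socket functions continue outside the hunk.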
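Review bot: The `method_len` argument of `ngx_http_lua_ssl_check_method` is expanded unparenthesized in `method_len == sizeof(s) - 1` and again in the `ngx_strncmp` call, unlike `(method)` and `(s)`; write `(method_len)` in both places so an expression argument cannot change the comparison. The declarations around the macro in ngx_http_lua_ssl.c are outside the hunk.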
@@ -34,4 +39,383 @@ ngx_http_lua_ssl_init(ngx_log_t *log) } +#ifndef NGX_LUA_NO_FFI_API + + +static ngx_int_t +ngx_http_lua_ssl_ctx_create_method(const SSL_METHOD **ssl_method, + const u_char *method, size_t method_len, char **err) +{ + if (ngx_http_lua_ssl_check_method(method, method_len, + "SSLv23_method")) + { + *ssl_method = SSLv23_method(); + + } else if (ngx_http_lua_ssl_check_method(method, method_len, + "SSLv2_method")) + { + *err = "SSLv2 methods disabled"; + return NGX_ERROR; + + } else if (ngx_http_lua_ssl_check_method(method, method_len, + "SSLv2_server_method")) + { + *err = "SSLv2 methods disabled"; + return NGX_ERROR; + + } else if (ngx_http_lua_ssl_check_method(method, method_len, + "SSLv2_client_method")) + { + *err = "SSLv2 methods disabled"; + return NGX_ERROR; + + } else if (ngx_http_lua_ssl_check_method(method, method_len, + "SSLv3_method")) + { + *err = "SSLv3 methods disabled"; + return NGX_ERROR; + + } else if (ngx_http_lua_ssl_check_method(method, method_len, + "SSLv3_server_method")) + { + *err = "SSLv3 methods disabled"; + return NGX_ERROR; + + } else if (ngx_http_lua_ssl_check_method(method, method_len, + "SSLv3_client_method")) + { + *err = "SSLv3 methods disabled"; + return NGX_ERROR; + + } else if (ngx_http_lua_ssl_check_method(method, method_len, + "SSLv23_server_method")) + { + *ssl_method = SSLv23_server_method(); + + } else if (ngx_http_lua_ssl_check_method(method, method_len, + "SSLv23_client_method")) + { + *ssl_method = SSLv23_client_method(); + + } else if (ngx_http_lua_ssl_check_method(method, method_len, + "TLSv1_method")) + { + *ssl_method = TLSv1_method(); + + } else if (ngx_http_lua_ssl_check_method(method, method_len, + "TLSv1_server_method")) + { + *ssl_method = TLSv1_server_method(); + + } else if (ngx_http_lua_ssl_check_method(method, method_len, + "TLSv1_client_method")) + { + *ssl_method = TLSv1_client_method(); + + } else if (ngx_http_lua_ssl_check_method(method, method_len, + "TLSv1_1_method")) + { + *ssl_method = 
TLSv1_1_method(); + + } else if (ngx_http_lua_ssl_check_method(method, method_len, + "TLSv1_1_server_method")) + { + *ssl_method = TLSv1_1_server_method(); + + } else if (ngx_http_lua_ssl_check_method(method, method_len, + "TLSv1_1_client_method")) + { + *ssl_method = TLSv1_1_client_method(); + + } else if (ngx_http_lua_ssl_check_method(method, method_len, + "TLSv1_2_method")) + { + *ssl_method = TLSv1_2_method(); + + } else if (ngx_http_lua_ssl_check_method(method, method_len, + "TLSv1_2_server_method")) + { + *ssl_method = TLSv1_2_server_method(); + + } else if (ngx_http_lua_ssl_check_method(method, method_len, + "TLSv1_2_client_method")) + { + *ssl_method = TLSv1_2_client_method(); + + } else { + *err = "Unknown method"; + return NGX_ERROR; + } + + return NGX_OK; +} + + +static void +ngx_http_lua_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, + int where, int ret) +{ + BIO *rbio, *wbio; + ngx_connection_t *c; + + if (where & SSL_CB_HANDSHAKE_START) { + c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); + + if (c->ssl->handshaked) { + c->ssl->renegotiation = 1; + ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation"); + } + } + + if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) { + c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); + + if (!c->ssl->handshake_buffer_set) { + /* + * By default OpenSSL uses 4k buffer during a handshake, + * which is too low for long certificate chains and might + * result in extra round-trips. + * + * To adjust a buffer size we detect that buffering was added + * to write side of the connection by comparing rbio and wbio. + * If they are different, we assume that it's due to buffering + * added to wbio, and set buffer size. 
+ */ + + rbio = SSL_get_rbio((ngx_ssl_conn_t *) ssl_conn); + wbio = SSL_get_wbio((ngx_ssl_conn_t *) ssl_conn); + + if (rbio != wbio) { + (void) BIO_set_write_buffer_size(wbio, NGX_SSL_BUFSIZE); + c->ssl->handshake_buffer_set = 1; + } + } + } +} + + +static void +ngx_http_lua_ssl_ctx_set_default_options(SSL_CTX *ctx) +{ + /* {{{copy nginx ssl secure options */ + +#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG + SSL_CTX_set_options(ctx, SSL_OP_MICROSOFT_SESS_ID_BUG); +#endif + +#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG + SSL_CTX_set_options(ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG); +#endif + +#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG + SSL_CTX_set_options(ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG); +#endif + +#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER + SSL_CTX_set_options(ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER); +#endif + +#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING + /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */ + SSL_CTX_set_options(ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING); +#endif + +#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG + SSL_CTX_set_options(ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG); +#endif + +#ifdef SSL_OP_TLS_D5_BUG + SSL_CTX_set_options(ctx, SSL_OP_TLS_D5_BUG); +#endif + +#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG + SSL_CTX_set_options(ctx, SSL_OP_TLS_BLOCK_PADDING_BUG); +#endif + +#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS + SSL_CTX_set_options(ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); +#endif + + SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); + +#ifdef SSL_CTRL_CLEAR_OPTIONS + /* only in 0.9.8m+ */ + SSL_CTX_clear_options(ctx, + SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1); +#endif + +#ifdef SSL_OP_NO_TLSv1_1 + SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_1); +#endif + +#ifdef SSL_OP_NO_TLSv1_2 + SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_2); +#endif + +#ifdef SSL_OP_NO_COMPRESSION + SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); +#endif + +#ifdef SSL_MODE_RELEASE_BUFFERS + SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS); +#endif + +#ifdef SSL_MODE_NO_AUTO_CHAIN + 
SSL_CTX_set_mode(ctx, SSL_MODE_NO_AUTO_CHAIN); +#endif + /* }}} */ + + /* Disable SSLv2 in the case when method == SSLv23_method() and the + * cipher list contains SSLv2 ciphers (not the default, should be rare) + * The bundled OpenSSL doesn't have SSLv2 support but the system OpenSSL may + * SSLv3 is disabled because it's susceptible to downgrade attacks + */ + + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); + + /* read as many input bytes as possible (for non-blocking reads) */ + SSL_CTX_set_read_ahead(ctx, 1); + + SSL_CTX_set_info_callback(ctx, ngx_http_lua_ssl_info_callback); +} + + +void * +ngx_http_lua_ffi_ssl_ctx_init(const u_char *method, + size_t method_len, char **err) +{ + const SSL_METHOD *ssl_method; + SSL_CTX *ssl_ctx; + + if (ngx_http_lua_ssl_ctx_create_method(&ssl_method, + method, + method_len, + err) != NGX_OK) + { + return NULL; + } + + ssl_ctx = SSL_CTX_new(ssl_method); + if (ssl_ctx == NULL) { + *err = "SSL_CTX_new() failed"; + ngx_ssl_error(NGX_LOG_ERR, ngx_cycle->log, 0, *err); + return NULL; + } + + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, 0, + "lua ssl ctx init: %p:%d", ssl_ctx, ssl_ctx->references); + + ngx_http_lua_ssl_ctx_set_default_options(ssl_ctx); + + return ssl_ctx; +} + + +int +ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, char **err) +{ +#ifdef LIBRESSL_VERSION_NUMBER + + *err = "LibreSSL not supported"; + return NGX_ERROR; + +#else + +# if OPENSSL_VERSION_NUMBER < 0x1000205fL + + *err = "at least OpenSSL 1.0.2e required but found " OPENSSL_VERSION_TEXT; + return NGX_ERROR; + +# else + + X509 *x509 = NULL; + SSL_CTX *ssl_ctx = cdata_ctx; + STACK_OF(X509) *cert = cdata_cert; + +#ifdef OPENSSL_IS_BORINGSSL + size_t i; +#else + int i; +#endif + + if (sk_X509_num(cert) < 1) { + *err = "sk_X509_num() failed"; + ngx_ssl_error(NGX_LOG_ERR, ngx_cycle->log, 0, *err); + return NGX_ERROR; + } + + x509 = sk_X509_value(cert, 0); + if (x509 == NULL) { + *err = 
"sk_X509_value() failed"; + ngx_ssl_error(NGX_LOG_ERR, ngx_cycle->log, 0, *err); + return NGX_ERROR; + } + + if (SSL_CTX_use_certificate(ssl_ctx, x509) == 0) { + *err = "SSL_CTX_use_certificate() failed"; + ngx_ssl_error(NGX_LOG_ERR, ngx_cycle->log, 0, *err); + return NGX_ERROR; + } + + /* read rest of the chain */ + + for (i = 1; i < sk_X509_num(cert); i++) { + + x509 = sk_X509_value(cert, i); + if (x509 == NULL) { + *err = "sk_X509_value() failed"; + ngx_ssl_error(NGX_LOG_ERR, ngx_cycle->log, 0, *err); + return NGX_ERROR; + } + + if (SSL_CTX_add1_chain_cert(ssl_ctx, x509) == 0) { + *err = "SSL_add1_chain_cert() failed"; + ngx_ssl_error(NGX_LOG_ERR, ngx_cycle->log, 0, *err); + return NGX_ERROR; + } + } + + return NGX_OK; + +# endif /* OPENSSL_VERSION_NUMBER < 0x1000205fL */ +#endif +} + + +int +ngx_http_lua_ffi_ssl_ctx_set_priv_key(void *cdata_ctx, void *cdata_key, + char **err) +{ + SSL_CTX *ssl_ctx = cdata_ctx; + EVP_PKEY *key = cdata_key; + + if (!SSL_CTX_use_PrivateKey(ssl_ctx, key)) { + *err = "SSL_CTX_use_PrivateKey() failed"; + ngx_ssl_error(NGX_LOG_ERR, ngx_cycle->log, 0, *err); + return NGX_ERROR; + } + + return NGX_OK; +} + + +void +ngx_http_lua_ffi_ssl_ctx_free(void *cdata) +{ + SSL_CTX *ssl_ctx = cdata; + + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, + 0, + "lua ssl ctx free: %p:%d", + ssl_ctx, + ssl_ctx->references); + + SSL_CTX_free(ssl_ctx); +} + + +#endif /* NGX_LUA_NO_FFI_API */ + + #endif /* NGX_HTTP_SSL */ diff --git a/t/151-ssl-ctx.t b/t/151-ssl-ctx.t new file mode 100644 index 0000000000..c3ab4d76d8 --- /dev/null +++ b/t/151-ssl-ctx.t 
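Review bot: `ngx_http_lua_ffi_ssl_ctx_init` and `ngx_http_lua_ffi_ssl_ctx_free` read `ssl_ctx->references` directly in their debug logs; `SSL_CTX` is opaque from OpenSSL 1.1.0 on, so this does not compile there — drop the field from the log line or guard it with `#if OPENSSL_VERSION_NUMBER < 0x10100000L`. `ngx_http_lua_ffi_ssl_ctx_set_priv_key` never calls `SSL_CTX_check_private_key(ssl_ctx)`, so a certificate/key mismatch surfaces only as a later handshake failure instead of at configuration time. The new context also receives no trust store and no verify callback, so as far as this hunk shows `lua_ssl_trusted_certificate`/`lua_ssl_verify_depth` do not apply to sockets that use it; that should be stated in the API docs or covered by a `set_trusted_cert`-style setter. Minor: the error string for a failed `SSL_CTX_add1_chain_cert` reads `SSL_add1_chain_cert() failed`.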
@@ -0,0 +1,152 @@ +# vim:set ft= ts=4 sw=4 et fdm=marker: + +use Test::Nginx::Socket::Lua; +use Digest::MD5 qw(md5_hex); + +repeat_each(3); + +# All these tests need to have new openssl +my $NginxBinary = $ENV{'TEST_NGINX_BINARY'} || 'nginx'; +my $openssl_version = eval { `$NginxBinary -V 2>&1` }; + +if ($openssl_version =~ m/built with OpenSSL (0|1\.0\.(?:0|1[^\d]|2[a-d]).*)/) { + plan(skip_all => "too old OpenSSL, need 1.0.2e, was $1"); +} else { + plan tests => repeat_each() * (blocks() + 2); +} + +$ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); + +log_level 'debug'; + +no_long_string(); + +add_block_preprocessor(sub { + my $block = shift; + + if (!defined $block->user_files) { + $block->set_value("user_files", <<'_EOC_'); +>>> defines.lua +local ffi = require "ffi" + +ffi.cdef[[ + void *ngx_http_lua_ffi_ssl_ctx_init(const unsigned char *method, + size_t method_len, char **err); + + void ngx_http_lua_ffi_ssl_ctx_free(void *cdata); + + int ngx_http_lua_ffi_ssl_ctx_set_priv_key(void *cdata_ctx, + void *cdata_key, char **err); + + int ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, + void *cdata_cert, char **err); +]] +_EOC_ + } + + my $http_config = $block->http_config || ''; + $http_config .= <<'_EOC_'; +lua_package_path "$prefix/html/?.lua;;"; +_EOC_ + $block->set_value("http_config", $http_config); +}); + +run_tests(); + +__DATA__ + +=== TEST 1: ssl ctx init and free +--- log_level: debug +--- config + location /t { + content_by_lua_block { + require "defines" + local ffi = require "ffi" + local method = "SSLv23_method" + local errmsg = ffi.new("char *[1]") + local ctx = ffi.C.ngx_http_lua_ffi_ssl_ctx_init(method, #method, errmsg) + if ctx == nil then + ngx.say(ffi.string(errmsg[0])) + return + end + + ffi.C.ngx_http_lua_ffi_ssl_ctx_free(ctx) + } + } +--- request +GET /t +--- ignore_response +--- grep_error_log eval: qr/lua ssl ctx (?:init|free): [0-9A-F]+:\d+/ +--- grep_error_log_out eval +qr/^lua ssl ctx init: ([0-9A-F]+):1 +lua ssl ctx free: ([0-9A-F]+):1 +$/ + 
+ + +=== TEST 2: ssl ctx init - disable ssl protocols method SSLv2 SSLv3 +--- config + location /t { + content_by_lua_block { + require "defines" + local ffi = require "ffi" + local method = "SSLv2_method" + local errmsg = ffi.new("char *[1]") + local ctx = ffi.C.ngx_http_lua_ffi_ssl_ctx_init(method, #method, errmsg) + if ctx == nil then + ngx.say(ffi.string(errmsg[0])) + end + local method = "SSLv3_method" + local ctx = ffi.C.ngx_http_lua_ffi_ssl_ctx_init(method, #method, errmsg) + if ctx == nil then + ngx.say(ffi.string(errmsg[0])) + end + } + } + +--- request +GET /t +--- response_body +SSLv2 methods disabled +SSLv3 methods disabled + + + +=== TEST 3: ssl ctx init - allow ssl protocols method TLSv1 TLSv1.1 TLSv1.2 +--- config + location /t { + content_by_lua_block { + require "defines" + local ffi = require "ffi" + local method = "TLSv1_method" + local errmsg = ffi.new("char *[1]") + local ctx = ffi.C.ngx_http_lua_ffi_ssl_ctx_init(method, #method, errmsg) + if ctx == nil then + ngx.say(ffi.string(errmsg[0])) + else + ngx.say("TLSv1_method ok") + end + method = "TLSv1_1_method" + ctx = ffi.C.ngx_http_lua_ffi_ssl_ctx_init(method, #method, errmsg) + if ctx == nil then + ngx.say(ffi.string(errmsg[0])) + else + ngx.say("TLSv1_1_method ok") + end + method = "TLSv1_2_method" + ctx = ffi.C.ngx_http_lua_ffi_ssl_ctx_init(method, #method, errmsg) + if ctx == nil then + ngx.say(ffi.string(errmsg[0])) + else + ngx.say("TLSv1_2_method ok") + end + } + } + +--- request +GET /t +--- response_body +TLSv1_method ok +TLSv1_1_method ok +TLSv1_2_method ok + From df4387bf006c08bc1c17af4140f413eceb65aaf3 Mon Sep 17 00:00:00 2001 From: detailyang Date: Tue, 21 Feb 2017 10:59:36 +0800 Subject: [PATCH 03/23] tests: remove unused openssl version judge Signed-off-by: detailyang --- t/151-ssl-ctx.t | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/t/151-ssl-ctx.t b/t/151-ssl-ctx.t index c3ab4d76d8..63df3dbb78 100644 --- a/t/151-ssl-ctx.t +++ b/t/151-ssl-ctx.t 
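Review bot: TEST 2 and TEST 3 never call `ngx_http_lua_ffi_ssl_ctx_free` on the contexts they create, so every successful `ngx_http_lua_ffi_ssl_ctx_init` leaks an `SSL_CTX` per request (three per test with `repeat_each(3)`). Free each context after printing its result, `if ctx ~= nil then ffi.C.ngx_http_lua_ffi_ssl_ctx_free(ctx) end`, so the tests also exercise the free path the way TEST 1 does.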
@@ -5,15 +5,7 @@ use Digest::MD5 qw(md5_hex); repeat_each(3); -# All these tests need to have new openssl -my $NginxBinary = $ENV{'TEST_NGINX_BINARY'} || 'nginx'; -my $openssl_version = eval { `$NginxBinary -V 2>&1` }; - -if ($openssl_version =~ m/built with OpenSSL (0|1\.0\.(?:0|1[^\d]|2[a-d]).*)/) { - plan(skip_all => "too old OpenSSL, need 1.0.2e, was $1"); -} else { - plan tests => repeat_each() * (blocks() + 2); -} +plan tests => repeat_each() * (blocks() + 2); $ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); From 7086ff17cc8a3733cc4423afc68f24edcf7daa22 Mon Sep 17 00:00:00 2001 From: detailyang Date: Sun, 26 Feb 2017 20:58:04 +0800 Subject: [PATCH 04/23] refactor: use protocols as the arg to create_ctx 
Signed-off-by: detailyang --- src/ngx_http_lua_ssl.c | 264 +-------------- t/151-ssl-ctx.t | 336 +++++++++++++++++--- t/cert/ca-client-server/ca.crt | 18 ++ t/cert/ca-client-server/ca.key | 30 ++ t/cert/ca-client-server/client.cer | 18 ++ t/cert/ca-client-server/client.crt | 18 ++ t/cert/ca-client-server/client.csr | 17 + t/cert/ca-client-server/client.key | 30 ++ t/cert/ca-client-server/client.p12 | Bin 0 -> 2349 bytes t/cert/ca-client-server/client.pfx | Bin 0 -> 2349 bytes t/cert/ca-client-server/client.unsecure.key | 27 ++ t/cert/ca-client-server/ecc-server.crt | 14 + t/cert/ca-client-server/ecc-server.csr | 9 + t/cert/ca-client-server/ecc-server.key | 5 + t/cert/ca-client-server/generate-cert.sh | 39 +++ t/cert/ca-client-server/server.cer | 18 ++ t/cert/ca-client-server/server.crt | 18 ++ t/cert/ca-client-server/server.csr | 17 + t/cert/ca-client-server/server.key | 30 ++ t/cert/ca-client-server/server.unsecure.key | 27 ++ 20 files changed, 631 insertions(+), 304 deletions(-) create mode 100644 t/cert/ca-client-server/ca.crt create mode 100644 t/cert/ca-client-server/ca.key create mode 100644 t/cert/ca-client-server/client.cer create mode 100644 t/cert/ca-client-server/client.crt create mode 100644 t/cert/ca-client-server/client.csr create mode 100644 t/cert/ca-client-server/client.key create mode 100644 t/cert/ca-client-server/client.p12 create mode 100644 t/cert/ca-client-server/client.pfx create mode 100644 t/cert/ca-client-server/client.unsecure.key create mode 100644 t/cert/ca-client-server/ecc-server.crt create mode 100644 t/cert/ca-client-server/ecc-server.csr create mode 100644 t/cert/ca-client-server/ecc-server.key create mode 100755 t/cert/ca-client-server/generate-cert.sh create mode 100644 t/cert/ca-client-server/server.cer create mode 100644 t/cert/ca-client-server/server.crt create mode 100644 t/cert/ca-client-server/server.csr create mode 100644 t/cert/ca-client-server/server.key create mode 100644 t/cert/ca-client-server/server.unsecure.key 
diff --git a/src/ngx_http_lua_ssl.c b/src/ngx_http_lua_ssl.c index 0ef0157d5b..6668cfc593 100644 --- a/src/ngx_http_lua_ssl.c +++ b/src/ngx_http_lua_ssl.c 
@@ -42,272 +42,24 @@ ngx_http_lua_ssl_init(ngx_log_t *log) #ifndef NGX_LUA_NO_FFI_API -static ngx_int_t -ngx_http_lua_ssl_ctx_create_method(const SSL_METHOD **ssl_method, - const u_char *method, size_t method_len, char **err) -{ - if (ngx_http_lua_ssl_check_method(method, method_len, - "SSLv23_method")) - { - *ssl_method = SSLv23_method(); - - } else if (ngx_http_lua_ssl_check_method(method, method_len, - "SSLv2_method")) - { - *err = "SSLv2 methods disabled"; - return NGX_ERROR; - - } else if (ngx_http_lua_ssl_check_method(method, method_len, - "SSLv2_server_method")) - { - *err = "SSLv2 methods disabled"; - return NGX_ERROR; - - } else if (ngx_http_lua_ssl_check_method(method, method_len, - "SSLv2_client_method")) - { - *err = "SSLv2 methods disabled"; - return NGX_ERROR; - - } else if (ngx_http_lua_ssl_check_method(method, method_len, - "SSLv3_method")) - { - *err = "SSLv3 methods disabled"; - return NGX_ERROR; - - } else if (ngx_http_lua_ssl_check_method(method, method_len, - "SSLv3_server_method")) - { - *err = "SSLv3 methods disabled"; - return NGX_ERROR; - - } else if (ngx_http_lua_ssl_check_method(method, method_len, - "SSLv3_client_method")) - { - *err = "SSLv3 methods disabled"; - return NGX_ERROR; - - } else if (ngx_http_lua_ssl_check_method(method, method_len, - "SSLv23_server_method")) - { - *ssl_method = SSLv23_server_method(); - - } else if (ngx_http_lua_ssl_check_method(method, method_len, - "SSLv23_client_method")) - { - *ssl_method = SSLv23_client_method(); - - } else if (ngx_http_lua_ssl_check_method(method, method_len, - "TLSv1_method")) - { - *ssl_method = TLSv1_method(); - - } else if (ngx_http_lua_ssl_check_method(method, method_len, - "TLSv1_server_method")) - { - *ssl_method = TLSv1_server_method(); - - } else if (ngx_http_lua_ssl_check_method(method, method_len, - "TLSv1_client_method")) - { - *ssl_method = TLSv1_client_method(); - - } else if (ngx_http_lua_ssl_check_method(method, method_len, - "TLSv1_1_method")) - { - *ssl_method = 
TLSv1_1_method(); - - } else if (ngx_http_lua_ssl_check_method(method, method_len, - "TLSv1_1_server_method")) - { - *ssl_method = TLSv1_1_server_method(); - - } else if (ngx_http_lua_ssl_check_method(method, method_len, - "TLSv1_1_client_method")) - { - *ssl_method = TLSv1_1_client_method(); - - } else if (ngx_http_lua_ssl_check_method(method, method_len, - "TLSv1_2_method")) - { - *ssl_method = TLSv1_2_method(); - - } else if (ngx_http_lua_ssl_check_method(method, method_len, - "TLSv1_2_server_method")) - { - *ssl_method = TLSv1_2_server_method(); - - } else if (ngx_http_lua_ssl_check_method(method, method_len, - "TLSv1_2_client_method")) - { - *ssl_method = TLSv1_2_client_method(); - - } else { - *err = "Unknown method"; - return NGX_ERROR; - } - - return NGX_OK; -} - - -static void -ngx_http_lua_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, - int where, int ret) -{ - BIO *rbio, *wbio; - ngx_connection_t *c; - - if (where & SSL_CB_HANDSHAKE_START) { - c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); - - if (c->ssl->handshaked) { - c->ssl->renegotiation = 1; - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation"); - } - } - - if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) { - c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); - - if (!c->ssl->handshake_buffer_set) { - /* - * By default OpenSSL uses 4k buffer during a handshake, - * which is too low for long certificate chains and might - * result in extra round-trips. - * - * To adjust a buffer size we detect that buffering was added - * to write side of the connection by comparing rbio and wbio. - * If they are different, we assume that it's due to buffering - * added to wbio, and set buffer size. 
- */ - - rbio = SSL_get_rbio((ngx_ssl_conn_t *) ssl_conn); - wbio = SSL_get_wbio((ngx_ssl_conn_t *) ssl_conn); - - if (rbio != wbio) { - (void) BIO_set_write_buffer_size(wbio, NGX_SSL_BUFSIZE); - c->ssl->handshake_buffer_set = 1; - } - } - } -} - - -static void -ngx_http_lua_ssl_ctx_set_default_options(SSL_CTX *ctx) -{ - /* {{{copy nginx ssl secure options */ - -#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG - SSL_CTX_set_options(ctx, SSL_OP_MICROSOFT_SESS_ID_BUG); -#endif - -#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG - SSL_CTX_set_options(ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG); -#endif - -#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG - SSL_CTX_set_options(ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG); -#endif - -#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER - SSL_CTX_set_options(ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER); -#endif - -#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING - /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */ - SSL_CTX_set_options(ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING); -#endif - -#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG - SSL_CTX_set_options(ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG); -#endif - -#ifdef SSL_OP_TLS_D5_BUG - SSL_CTX_set_options(ctx, SSL_OP_TLS_D5_BUG); -#endif - -#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG - SSL_CTX_set_options(ctx, SSL_OP_TLS_BLOCK_PADDING_BUG); -#endif - -#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS - SSL_CTX_set_options(ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); -#endif - - SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); - -#ifdef SSL_CTRL_CLEAR_OPTIONS - /* only in 0.9.8m+ */ - SSL_CTX_clear_options(ctx, - SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1); -#endif - -#ifdef SSL_OP_NO_TLSv1_1 - SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_1); -#endif - -#ifdef SSL_OP_NO_TLSv1_2 - SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_2); -#endif - -#ifdef SSL_OP_NO_COMPRESSION - SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); -#endif - -#ifdef SSL_MODE_RELEASE_BUFFERS - SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS); -#endif - -#ifdef SSL_MODE_NO_AUTO_CHAIN - 
SSL_CTX_set_mode(ctx, SSL_MODE_NO_AUTO_CHAIN); -#endif - /* }}} */ - - /* Disable SSLv2 in the case when method == SSLv23_method() and the - * cipher list contains SSLv2 ciphers (not the default, should be rare) - * The bundled OpenSSL doesn't have SSLv2 support but the system OpenSSL may - * SSLv3 is disabled because it's susceptible to downgrade attacks - */ - - SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); - SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); - - /* read as many input bytes as possible (for non-blocking reads) */ - SSL_CTX_set_read_ahead(ctx, 1); - - SSL_CTX_set_info_callback(ctx, ngx_http_lua_ssl_info_callback); -} - - void * -ngx_http_lua_ffi_ssl_ctx_init(const u_char *method, - size_t method_len, char **err) +ngx_http_lua_ffi_ssl_ctx_init(ngx_uint_t protocols, char **err) { - const SSL_METHOD *ssl_method; SSL_CTX *ssl_ctx; + ngx_ssl_t ssl; - if (ngx_http_lua_ssl_ctx_create_method(&ssl_method, - method, - method_len, - err) != NGX_OK) - { + ssl.log = ngx_cycle->log; + if (ngx_ssl_create(&ssl, protocols, NULL) != NGX_OK) { + *err = "failed to create ssl ctx"; + ngx_log_error(NGX_LOG_ERR, ssl.log, 0, *err); return NULL; } - ssl_ctx = SSL_CTX_new(ssl_method); - if (ssl_ctx == NULL) { - *err = "SSL_CTX_new() failed"; - ngx_ssl_error(NGX_LOG_ERR, ngx_cycle->log, 0, *err); - return NULL; - } + ssl_ctx = ssl.ctx; ngx_log_debug2(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, 0, "lua ssl ctx init: %p:%d", ssl_ctx, ssl_ctx->references); - ngx_http_lua_ssl_ctx_set_default_options(ssl_ctx); - return ssl_ctx; } @@ -390,7 +142,7 @@ ngx_http_lua_ffi_ssl_ctx_set_priv_key(void *cdata_ctx, void *cdata_key, SSL_CTX *ssl_ctx = cdata_ctx; EVP_PKEY *key = cdata_key; - if (!SSL_CTX_use_PrivateKey(ssl_ctx, key)) { + if (SSL_CTX_use_PrivateKey(ssl_ctx, key) == 0) { *err = "SSL_CTX_use_PrivateKey() failed"; ngx_ssl_error(NGX_LOG_ERR, ngx_cycle->log, 0, *err); return NGX_ERROR; diff --git a/t/151-ssl-ctx.t b/t/151-ssl-ctx.t index 63df3dbb78..b5a007e35e 100644 --- a/t/151-ssl-ctx.t 
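Review bot: `ngx_http_lua_ffi_ssl_ctx_init` passes `protocols` straight to `ngx_ssl_create`, which in stock nginx sets `SSL_OP_NO_*` for every version absent from the mask, so `protocols == 0` — the value TEST 1 now passes — yields a context that can negotiate nothing and only fails later as a handshake error. Reject 0 or substitute the module's default mask, e.g. `if (protocols == 0) { protocols = NGX_SSL_TLSv1|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2; }`, and say so in the API docs. The `data` argument is `NULL`, so the `ngx_ssl_server_conf_index` ex-data on this context is empty; that is fine for client use, but no server-side callback that dereferences it may ever be attached to such a context. The log line kept from the previous patch still reads `ssl_ctx->references`, which does not compile against OpenSSL 1.1.0+ where `SSL_CTX` is opaque.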
+++ b/t/151-ssl-ctx.t 
@@ -1,29 +1,224 @@ # vim:set ft= ts=4 sw=4 et fdm=marker: use Test::Nginx::Socket::Lua; +use Cwd qw(cwd); use Digest::MD5 qw(md5_hex); repeat_each(3); plan tests => repeat_each() * (blocks() + 2); +our $CWD = cwd(); +$ENV{TEST_NGINX_LUA_PACKAGE_PATH} = "$::CWD/lib/?.lua;;"; $ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); +our $TEST_NGINX_LUA_PACKAGE_PATH = $ENV{TEST_NGINX_LUA_PACKAGE_PATH}; +our $TEST_NGINX_HTML_DIR = $ENV{TEST_NGINX_HTML_DIR}; log_level 'debug'; no_long_string(); -add_block_preprocessor(sub { - my $block = shift; +sub read_file { + my $infile = shift; + open my $in, $infile + or die "cannot open $infile for reading: $!"; + my $cert = do { local $/; <$in> }; + close $in; + $cert; +} + +our $clientKey = read_file("t/cert/ca-client-server/client.key"); +our $clientUnsecureKey = read_file("t/cert/ca-client-server/client.unsecure.key"); +our $clientCrt = read_file("t/cert/ca-client-server/client.crt"); +our $clientCrtMd5 = md5_hex($clientCrt); +our $serverKey = read_file("t/cert/ca-client-server/server.key"); +our $serverUnsecureKey = read_file("t/cert/ca-client-server/server.unsecure.key"); +our $serverCrt = read_file("t/cert/ca-client-server/server.crt"); +our $caKey = read_file("t/cert/ca-client-server/ca.key"); +our $caCrt = read_file("t/cert/ca-client-server/ca.crt"); +our $http_config = <<_EOS_; +lua_package_path "\$prefix/html/?.lua;$TEST_NGINX_LUA_PACKAGE_PATH/?.lua;;../lua-resty-lrucache/lib/?.lua;"; + +init_by_lua_block { + local ffi = require "ffi" + + local C = ffi.C + local ffi_str = ffi.string + local getfenv = getfenv + local error = error + local errmsg = ffi.new("char *[1]") + if not pcall(ffi.typeof, "ngx_http_request_t") then + ffi.cdef[[ + struct ngx_http_request_s; + typedef struct ngx_http_request_s ngx_http_request_t; + ]] + end + + ffi.cdef[[ + int + ngx_http_lua_ffi_socket_tcp_setsslctx(ngx_http_request_t *r, + void *u, void *cdata_ctx, char **err); + ]] + + local function check_tcp(tcp) + if not tcp or type(tcp) ~= "table" then + 
return error("bad tcp argument") + end + + tcp = tcp[1] + if type(tcp) ~= "userdata" then + return error("bad tcp argument") + end + + return tcp + end + + local function setsslctx(tcp, ssl_ctx) + tcp = check_tcp(tcp) + + local r = getfenv(0).__ngx_req + if not r then + return error("no request found") + end + + local rc = C.ngx_http_lua_ffi_socket_tcp_setsslctx(r, tcp, ssl_ctx, errmsg) + if rc ~= 0 then + return false, ffi_str(errmsg[0]) + end + + return true + end + + + local mt = getfenv(0).__ngx_socket_tcp_mt + if mt then + mt = mt.__index + if mt then + mt.setsslctx = setsslctx + end + end + + function read_file(file) + local f = io.open(file, "rb") + local content = f:read("*all") + f:close() + return content + end + + function get_response_body(response) + for k, v in ipairs(response) do + if #v == 0 then + return table.concat(response, "\\r\\n", k + 1) + end + end + + return nil, "CRLF not found" + end + + function https_get(host, port, path, ssl_ctx) + local sock = ngx.socket.tcp() + + local ok, err = sock:connect(host, port) + if not ok then + return nil, err + end + + local ok, err = sock:setsslctx(ssl_ctx) + if not ok then + return nil, err + end + + local sess, err = sock:sslhandshake() + if not sess then + return nil, err + end + + local req = "GET " .. path .. 
" HTTP/1.0\\r\\nHost: server\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + return nil, err + end + + local response = {} + while true do + local line, err, partial = sock:receive() + if not line then + if not partial then + response[#response+1] = partial + end + break + end + + response[#response+1] = line + end + + sock:close() + + return response + end +} + +server { + listen 1983 ssl; + server_name server; + ssl_certificate ../html/server.crt; + ssl_certificate_key ../html/server.unsecure.key; + + ssl on; + ssl_client_certificate ../html/ca.crt; + ssl_verify_client on; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + ssl_prefer_server_ciphers on; + + server_tokens off; + more_clear_headers Date; + default_type 'text/plain'; + + location / { + content_by_lua_block { + ngx.say("foo") + } + } + + location /protocol { + content_by_lua_block {ngx.say(ngx.var.ssl_protocol)} + } - if (!defined $block->user_files) { - $block->set_value("user_files", <<'_EOC_'); + location /cert { + content_by_lua_block { + ngx.say(ngx.md5(ngx.var.ssl_client_raw_cert)) + } + } +} +_EOS_ +our $user_files = <<_EOS_; +>>> client.key +$clientKey +>>> client.unsecure.key +$clientUnsecureKey +>>> client.crt +$clientCrt +>>> server.key +$serverKey +>>> server.unsecure.key +$serverUnsecureKey +>>> server.crt +$serverCrt +>>> ca.key +$caKey +>>> ca.crt +$caCrt +>>> wrong.crt +OpenResty +>>> wrong.key +OpenResty >>> defines.lua local ffi = require "ffi" ffi.cdef[[ - void *ngx_http_lua_ffi_ssl_ctx_init(const unsigned char *method, - size_t method_len, char **err); + void *ngx_http_lua_ffi_ssl_ctx_init(unsigned int protocols, char **err); void ngx_http_lua_ffi_ssl_ctx_free(void *cdata); 
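Review bot: The receive loop in `https_get` has its condition inverted: `if not partial then response[#response+1] = partial end` appends only when `partial` is nil, so a trailing unterminated line is dropped; it should be `if partial then`. `sock:sslhandshake()` is called with no `verify` argument, so none of these tests check that a context created through this API verifies the server certificate — add one case using `sslhandshake(nil, "server", true)` and expect it to fail, since the custom context has no trust store loaded. The server block also carries both `listen 1983 ssl` and `ssl on`, the latter being redundant.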
@@ -32,15 +227,20 @@ ffi.cdef[[ int ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, char **err); + + void *ngx_http_lua_ffi_parse_pem_cert(const unsigned char *pem, + size_t pem_len, char **err); + + void *ngx_http_lua_ffi_parse_pem_priv_key(const unsigned char *pem, + size_t pem_len, char **err); ]] -_EOC_ - } +_EOS_ + +add_block_preprocessor(sub { + my $block = shift; - my $http_config = $block->http_config || ''; - $http_config .= <<'_EOC_'; -lua_package_path "$prefix/html/?.lua;;"; -_EOC_ $block->set_value("http_config", $http_config); + $block->set_value("user_files", $user_files); }); run_tests(); @@ -54,14 +254,13 @@ __DATA__ content_by_lua_block { require "defines" local ffi = require "ffi" - local method = "SSLv23_method" local errmsg = ffi.new("char *[1]") - local ctx = ffi.C.ngx_http_lua_ffi_ssl_ctx_init(method, #method, errmsg) + local ctx = ffi.C.ngx_http_lua_ffi_ssl_ctx_init(0, errmsg) if ctx == nil then ngx.say(ffi.string(errmsg[0])) return end - + ffi.C.ngx_http_lua_ffi_ssl_ctx_free(ctx) } } 
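Review bot: The rewritten preprocessor hands the file-level `our $http_config` string to `$block->set_value("http_config", $http_config)`, so a block that declares its own `--- http_config` section has it silently replaced instead of extended; the lines removed here appended to `$block->http_config || ''`. If per-block additions are meant to remain possible, build the value first, e.g. `my $cfg = ($block->http_config || '') . $http_config;` followed by `$block->set_value("http_config", $cfg);`. The same unconditional overwrite applies to `user_files`, where a block-level `--- user_files` section would be discarded as well.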
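Review bot: `ffi.C.ngx_http_lua_ffi_ssl_ctx_init(0, errmsg)` passes a bare literal for the new `protocols` argument and nothing in this block says what 0 selects; the protocol bit values only appear as a commented-out table in TEST 2 further down. A one-line comment at the call, such as `-- protocols = 0: no protocol bit set, exercises the implementation's default selection (confirm against the C side)`, would keep TEST 1 readable on its own.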
@@ -76,61 +275,105 @@ $/ -=== TEST 2: ssl ctx init - disable ssl protocols method SSLv2 SSLv3 +=== TEST 2: ssl ctx - specify ssl protocols method TLSv1 TLSv1.1 TLSv1.2 --- config location /t { content_by_lua_block { require "defines" local ffi = require "ffi" - local method = "SSLv2_method" - local errmsg = ffi.new("char *[1]") - local ctx = ffi.C.ngx_http_lua_ffi_ssl_ctx_init(method, #method, errmsg) - if ctx == nil then - ngx.say(ffi.string(errmsg[0])) - end - local method = "SSLv3_method" - local ctx = ffi.C.ngx_http_lua_ffi_ssl_ctx_init(method, #method, errmsg) - if ctx == nil then - ngx.say(ffi.string(errmsg[0])) + function test_ssl_protocol(protocols) + local errmsg = ffi.new("char *[1]") + local cert_data = read_file("$TEST_NGINX_HTML_DIR/client.crt") + local cert = ffi.C.ngx_http_lua_ffi_parse_pem_cert(cert_data, #cert_data, errmsg) + local pkey_data = read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key") + local priv_key = ffi.C.ngx_http_lua_ffi_parse_pem_priv_key(pkey_data, #pkey_data, errmsg) + + local ssl_ctx = ffi.C.ngx_http_lua_ffi_ssl_ctx_init(protocols, errmsg) + if ssl_ctx == nil then + ngx.say(ffi.string(errmsg[0])) + return + end + + local rc = ffi.C.ngx_http_lua_ffi_ssl_ctx_set_priv_key(ssl_ctx, priv_key, errmsg) + if rc ~= 0 then + ngx.say(ffi.string(errmsg[0])) + return + end + + local rc = ffi.C.ngx_http_lua_ffi_ssl_ctx_set_cert(ssl_ctx, cert, errmsg) + if rc ~= 0 then + ngx.say(ffi.string(errmsg[0])) + return + end + + local response, err = https_get('127.0.0.1', 1983, '/protocol', ssl_ctx) + + if not response then + return err + end + + local body, err = get_response_body(response) + if not body then + return err + end + return body end + + local bit = require "bit" + local bor = bit.bor + --[=[ + _M.PROTOCOL_SSLv2 = 0x0002 + _M.PROTOCOL_SSLv3 = 0x0004 + _M.PROTOCOL_TLSv1 = 0x0008 + _M.PROTOCOL_TLSv1_1 = 0x0010 + _M.PROTOCOL_TLSv1_2 = 0x0020 + ]=] + + ngx.say(test_ssl_protocol(0x0008)) + ngx.say(test_ssl_protocol(0x0010)) + 
ngx.say(test_ssl_protocol(0x0020)) + ngx.say(test_ssl_protocol(bor(0x0002, 0x0020))) } } --- request GET /t --- response_body -SSLv2 methods disabled -SSLv3 methods disabled +TLSv1 +TLSv1.1 +TLSv1.2 +TLSv1.2 -=== TEST 3: ssl ctx init - allow ssl protocols method TLSv1 TLSv1.1 TLSv1.2 +=== TEST 3: ssl ctx - dismatch priv_key and cert --- config location /t { content_by_lua_block { require "defines" local ffi = require "ffi" - local method = "TLSv1_method" local errmsg = ffi.new("char *[1]") - local ctx = ffi.C.ngx_http_lua_ffi_ssl_ctx_init(method, #method, errmsg) - if ctx == nil then + local cert_data = read_file("$TEST_NGINX_HTML_DIR/server.crt") + local cert = ffi.C.ngx_http_lua_ffi_parse_pem_cert(cert_data, #cert_data, errmsg) + local pkey_data = read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key") + local priv_key = ffi.C.ngx_http_lua_ffi_parse_pem_priv_key(pkey_data, #pkey_data, errmsg) + + local ssl_ctx = ffi.C.ngx_http_lua_ffi_ssl_ctx_init(0, errmsg) + if ssl_ctx == nil then ngx.say(ffi.string(errmsg[0])) - else - ngx.say("TLSv1_method ok") + return end - method = "TLSv1_1_method" - ctx = ffi.C.ngx_http_lua_ffi_ssl_ctx_init(method, #method, errmsg) - if ctx == nil then + + local rc = ffi.C.ngx_http_lua_ffi_ssl_ctx_set_cert(ssl_ctx, cert, errmsg) + if rc ~= 0 then ngx.say(ffi.string(errmsg[0])) - else - ngx.say("TLSv1_1_method ok") + return end - method = "TLSv1_2_method" - ctx = ffi.C.ngx_http_lua_ffi_ssl_ctx_init(method, #method, errmsg) - if ctx == nil then + + local rc = ffi.C.ngx_http_lua_ffi_ssl_ctx_set_priv_key(ssl_ctx, priv_key, errmsg) + if rc ~= 0 then ngx.say(ffi.string(errmsg[0])) - else - ngx.say("TLSv1_2_method ok") + return end } } @@ -138,7 +381,4 @@ SSLv3 methods disabled --- request GET /t --- response_body -TLSv1_method ok -TLSv1_1_method ok -TLSv1_2_method ok - +SSL_CTX_use_PrivateKey() failed diff --git a/t/cert/ca-client-server/ca.crt b/t/cert/ca-client-server/ca.crt new file mode 100644 index 0000000000..a2e89bb7bf --- /dev/null 
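Review bot: In `test_ssl_protocol` the results of `ngx_http_lua_ffi_parse_pem_cert` and `ngx_http_lua_ffi_parse_pem_priv_key` go straight into `ngx_http_lua_ffi_ssl_ctx_set_priv_key`/`_set_cert` without a nil check, so a fixture that fails to parse is reported (if at all) as a setter error or a NULL pointer reaching C rather than as the `errmsg` the parser filled in; TEST 3 has the same gap. Neither TEST 2 nor TEST 3 releases the `ssl_ctx` it creates, although TEST 1 shows the `ngx_http_lua_ffi_ssl_ctx_free(ctx)` call, and with `repeat_each(3)` every run accumulates contexts; whether the parsed `cert`/`priv_key` objects need a matching release depends on the C side, which is not visible here. The title `ssl ctx - dismatch priv_key and cert` reads better as `ssl ctx - mismatched priv_key and cert`. The guarded parse calls would look like the excerpt below.
```lua
function test_ssl_protocol(protocols)
    local errmsg = ffi.new("char *[1]")
    local cert_data = read_file("$TEST_NGINX_HTML_DIR/client.crt")
    local cert = ffi.C.ngx_http_lua_ffi_parse_pem_cert(cert_data, #cert_data, errmsg)
    if cert == nil then
        ngx.say(ffi.string(errmsg[0]))
        return
    end
    local pkey_data = read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")
    local priv_key = ffi.C.ngx_http_lua_ffi_parse_pem_priv_key(pkey_data, #pkey_data, errmsg)
    if priv_key == nil then
        ngx.say(ffi.string(errmsg[0]))
        return
    end
    -- … unchanged: ssl_ctx init, set_priv_key/set_cert, https_get and body extraction …
end
```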
+++ b/t/cert/ca-client-server/ca.crt @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7TCCAdWgAwIBAgIJAIA8UE7EHDJtMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV +BAMMAmNhMB4XDTE3MDIyNjA5NDAzM1oXDTE3MDMyODA5NDAzM1owDTELMAkGA1UE +AwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYFTCTNG8brZfq +DYvV+BV0EoQBfUqFzrmAhcOGSulbyx3Yr76E08RoftQ3ZQZlfwJQDmCJeItSMeQV +z9KRkTurX3dJNdw81m4UQpAk2yAWxAUHfIp2t4l5kh4gY8IjqjOCSJn4+YMT8vbC +C4Ct2FDQru0fOgfYk70YCONf/VVjXjAZVwMEva8QtDy9eJGHLI1Ycw+7ldoPjFot +Ck39ZAbxc+bDjhOsJaIY8hVQfRJs0LBYDOEgiKJvMJ07JoWGv8gWUUFN8mkHrMZ+ +BZHkCHKJdFHEEp2CfLvXhyJV5UA+ib47tOqR6bGhqvZlgp9MhdiPSv74W74c9S1v +jgao6AfJAgMBAAGjUDBOMB0GA1UdDgQWBBQjCPG1wmhRBZ55P8Uk/IpKLJtEKDAf +BgNVHSMEGDAWgBQjCPG1wmhRBZ55P8Uk/IpKLJtEKDAMBgNVHRMEBTADAQH/MA0G +CSqGSIb3DQEBCwUAA4IBAQClVn+Xm9LHIOFFfNtkB44DXLWrm6DL8QXWSaBWn/Af +mMMY6/Nkb/qUwDuiNSJoC4LguyAcaFtDsahr87RrK+r71jDa7coOM29PwHJIUfX2 +h0d/zYW3OxGmiq64Syb4ptzzdEdGfJfHOdjd3OfyU75dyrb14Wo2pTs/nze28D8L +vfNLD6Mipd6KTHjss3AXS2DW5B7l5CJtGz2yXSDWZIeofW0pK8VZHBEMjHo5BdjP +0geIUDsSUcWXaE9ecpN9QefGehijpIGMlJdLYiSF321PFfmcDlFLV+uKtnHLit/7 +GEYPG71iuceNdCrLPV3ACNAY9fs9bY3R8pPFiokUoxng +-----END CERTIFICATE----- diff --git a/t/cert/ca-client-server/ca.key b/t/cert/ca-client-server/ca.key new file mode 100644 index 0000000000..ea5bc820bd --- /dev/null +++ b/t/cert/ca-client-server/ca.key 
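Review bot: The CA certificate added here is valid for only one month: decoding the DER validity field embedded in the base64 (`MB4XDTE3MDIyNjA5NDAzM1oXDTE3MDMyODA5NDAzM1ow`) gives notBefore 2017-02-26 09:40:33Z and notAfter 2017-03-28 09:40:33Z, so the test server configured with `ssl_client_certificate ../html/ca.crt` and `ssl_verify_client on` will reject every client certificate after that date and the suite becomes time-dependent. The client certificate in the same series carries a notAfter in the year 2101, so the CA should be regenerated with a comparable lifetime and the `-days` value recorded next to the fixtures (the `generate-cert.sh` named in the later diffstat looks like the place, if that script produced these files). A short README line stating that `ca.key` and the other checked-in keys are throwaway test material would also help the next maintainer.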
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIZ4nB/LxpTcQCAggA +MBQGCCqGSIb3DQMHBAiNC9gSkhs5NwSCBMhd7qMnEuhGIA40BGGccXZ1Mmh2+W9H +OevbbNVY2WQd3HIn9Ez0k/NcCsVD4cYxitryMid4EwAkjWT3+wPyfAAD1iz3Y5be +BZERAfiU1Zxe0LdT5JKZPtJ3OOJlqSYv9S3BonIVr3/e0usS1nerZ48clXj1Sbrg +1CYX0UO45rQo4KznflXzPcAYFjV/tetjYbeXG827kbkjQShV+wA7mLauQhfg4wZ7 +DL2199fjJHD09J49NRAFDqn8LGZrb6eNYM8dUAm7jU6iDRI1EGMvbd0jI4t72qeD +/WRXMdp2M2Jke3SNxEG5jPHJtm1+m2X/Nhf28n6MImZpgcYywfTiKU/QGZ0NhUot +Ha13yFrCvyMhgC9P1zpMqwebJJ0xF/ftAjsgaFxetYWvOHwzyOABtHGd1cyUytyA +08DSXaFlgDyRARkGDiKsmUIeQGcLWkih99IanYiL45BfOlHiZnevlTxV4rUHkFb3 +kbVsJUR+XwiG/5Xker0wboplbYajX+Cm5EHrLdN9PlvAd2xBWE1518YLccwpWMkD +582Aux1kcPhQlGbq4QDMWCFstmceD3/0ouTFhSiJyYJRbvgy5XdWgWkK5or6fTkp +9X81x4R4rOEubnjm12zuB5uUUQCQBT16h4rw0QUH1mKWIzarNQTtX2ojxFFl2NRS +PwbY0tzUYueiCIk6tYUN53rP61Tw6+ThKXQFTZwckqPmmVqOzI4OYuEG9zamcw2z +BUV0a1+VBo/OKRpNBPzA1XNCj1uYN6KFLKPcCdS9Vk/KT1SD42kNW3C6JHv2zrAJ +JkVvhxQkXicHbKO45Iby3uO2phJLeXId50JK7xNz/eZqnavkmYJiiR6rZK2Bdrxx +/wxF76oE5eyA9FUz/OXYtw1oCPAIdD/z6g2C89ozszfFW28LbM2GJpPFFcDkJ94i +iwyc2GmBvgQdV9aVYZ1vnWCphZfL4lA3VOCmsiIPWSx+PlxP0JW8Tq4rwvzBsQ9C +gaawM89E8wLXOHphcJtXvLfEkW2asOU1AkDvW5dOsUfyTQXLD66MePLJpX2MpnPk +WTl5oIihrlJhEq/QdSF9pb6YG/LPOR4sqXKQO63FO12ZXUPLwy63JhFva7JvJ6Nv +rj0N6IKmdvGAYVDKPSYgvCcmE0dGET0djRGcvigdkH6CxexshGXtKufZsIMXc83A +BY0sIa6/liPXr3fj3NOtBlDLWv7K0C9yBT53eEJHB7qh/g5aCDdTFeqdmNGb3Tuz +p/s1KXlZ56dULaon/q0Cr0bCZ47iDqSNsQin+k+zZAqUkq+N726DW5etmnT43DV5 +rEOdtmjy0GTVH+zfPkBjA9isCSWUqGRUIGfriZF3rzJqsCrrdGZ54vMfqtMFRQLc +TgbfJ7oJb8fCqzVFxQlwq6OXfFga774Tj8qR/+p+rJyBr50DLHW6zuhNIHMjWhfu +1i59Jl0Wt0+3qFlMYnAFoWfIMrQfTb1addV9V1xutO+lGPUiS153DD0dUAIiQSDY +HpvDf94rPXxYWKtn0lClUDAGJ+74RGnATgyR+ZFK4wAB5D74xFni5fncg5oBZ1xr +vsfgZEYddTJJEF7z8QeUkRZKvXwtQ+nGvn6loNvnxNsFwY9h1Lr+iYR68ONn0xfP +0ME= +-----END ENCRYPTED PRIVATE KEY----- 
diff --git a/t/cert/ca-client-server/client.cer b/t/cert/ca-client-server/client.cer new file mode 100644 index 0000000000..d223456b18 --- /dev/null +++ b/t/cert/ca-client-server/client.cer @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5jCCAc4CAQEwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAwwCY2EwIBcNMTcw +MjI2MDk0MDMzWhgPMjEwMTAxMjcwOTQwMzNaMGMxCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK +DA1PcGVuUmVzdHkgSW5jMQ8wDQYDVQQDDAZjbGllbnQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDPZVA9LTpDu4mJyJkygqzBe3u79UzdM/U6LSJjD1yp +dlgMPAmFn1TQHL40oTKmzAZupXYwCeLgrsXQVz288pVoWqOVRezJJMlLrf7y9VZw +uG79ld9ocw5Lp4rYJsppvS0qObz1JAmMKgfzWFRXqadFn+0QqomLF9z4xmzoYyZI +HjRMeUU00SUU43Mgfzg8FtkBcDTn1exedZZROsTZwjrl/SYdlDHpgUjLfStSG0m/ +n03TjqdV0Ubo1wZfqENxBWmvgugpbgCW+yksJeg48EI2QavVKXJCNHU0PbwTU1mY +Xh4DCzGlC4kwQ52kfcJCJIlgojEkzG9R0dVRuTDVntu/AgMBAAEwDQYJKoZIhvcN +AQELBQADggEBAJEEoMdt9GtTlbv6498Ww9eqtH4d1rvhmj9X3c+B47JIRf9tuOjF +plIBV8B5WkMCWweD8gINpTlmWqCEGqQcX3pLjSCmi6CtlmtHenETNkgcwNnBzMuG +W7QDGakGMGL/N5cFaV9WGjg3ZnOVI22seahxjj1veQxYO57mxS3Jq0c5lWo7PRqC +hXDYnSweTirukdTlyWALLOvw/NmLQYkvJK1X50ZHQCD5PKoaQfq2fjHPI+LXM+wx +3FwCW9frCRRvLDJX1jqQMAE0OKfCXRoWWZjOv7aEQXYhEYMxedN3XdTqQf3eBYqm +c9cBtzu/lZR5bpRZrstDgTr5ca8wVuQH8D4= +-----END CERTIFICATE----- diff --git a/t/cert/ca-client-server/client.crt b/t/cert/ca-client-server/client.crt new file mode 100644 index 0000000000..d223456b18 --- /dev/null +++ b/t/cert/ca-client-server/client.crt 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5jCCAc4CAQEwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAwwCY2EwIBcNMTcw +MjI2MDk0MDMzWhgPMjEwMTAxMjcwOTQwMzNaMGMxCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK +DA1PcGVuUmVzdHkgSW5jMQ8wDQYDVQQDDAZjbGllbnQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDPZVA9LTpDu4mJyJkygqzBe3u79UzdM/U6LSJjD1yp +dlgMPAmFn1TQHL40oTKmzAZupXYwCeLgrsXQVz288pVoWqOVRezJJMlLrf7y9VZw +uG79ld9ocw5Lp4rYJsppvS0qObz1JAmMKgfzWFRXqadFn+0QqomLF9z4xmzoYyZI +HjRMeUU00SUU43Mgfzg8FtkBcDTn1exedZZROsTZwjrl/SYdlDHpgUjLfStSG0m/ +n03TjqdV0Ubo1wZfqENxBWmvgugpbgCW+yksJeg48EI2QavVKXJCNHU0PbwTU1mY +Xh4DCzGlC4kwQ52kfcJCJIlgojEkzG9R0dVRuTDVntu/AgMBAAEwDQYJKoZIhvcN +AQELBQADggEBAJEEoMdt9GtTlbv6498Ww9eqtH4d1rvhmj9X3c+B47JIRf9tuOjF +plIBV8B5WkMCWweD8gINpTlmWqCEGqQcX3pLjSCmi6CtlmtHenETNkgcwNnBzMuG +W7QDGakGMGL/N5cFaV9WGjg3ZnOVI22seahxjj1veQxYO57mxS3Jq0c5lWo7PRqC +hXDYnSweTirukdTlyWALLOvw/NmLQYkvJK1X50ZHQCD5PKoaQfq2fjHPI+LXM+wx +3FwCW9frCRRvLDJX1jqQMAE0OKfCXRoWWZjOv7aEQXYhEYMxedN3XdTqQf3eBYqm +c9cBtzu/lZR5bpRZrstDgTr5ca8wVuQH8D4= +-----END CERTIFICATE----- diff --git a/t/cert/ca-client-server/client.csr b/t/cert/ca-client-server/client.csr new file mode 100644 index 0000000000..1019a211b5 --- /dev/null +++ b/t/cert/ca-client-server/client.csr 
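Review bot: `client.crt` is byte-identical to the `client.cer` added immediately above it (both files are introduced with blob id d223456b18), so one of the two fixtures is redundant; only `client.crt` is referenced from the test configuration in this series, so `client.cer` is the one to drop unless something outside this diff reads it.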
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICqDCCAZACAQAwYzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx +FjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFjAUBgNVBAoMDU9wZW5SZXN0eSBJbmMx +DzANBgNVBAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AM9lUD0tOkO7iYnImTKCrMF7e7v1TN0z9TotImMPXKl2WAw8CYWfVNAcvjShMqbM +Bm6ldjAJ4uCuxdBXPbzylWhao5VF7MkkyUut/vL1VnC4bv2V32hzDkunitgmymm9 +LSo5vPUkCYwqB/NYVFepp0Wf7RCqiYsX3PjGbOhjJkgeNEx5RTTRJRTjcyB/ODwW +2QFwNOfV7F51llE6xNnCOuX9Jh2UMemBSMt9K1IbSb+fTdOOp1XRRujXBl+oQ3EF +aa+C6CluAJb7KSwl6DjwQjZBq9UpckI0dTQ9vBNTWZheHgMLMaULiTBDnaR9wkIk +iWCiMSTMb1HR1VG5MNWe278CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQCCGKQ3 +AnhgWenMrwFFG7HOwfzo7+62UGX9+4JecldZ5dqpyfIWeVoUt5uhFjPBE0tiwskk +W/RKAtcg07pbZnvSfvmCI//iTHBAA+PygoBIyB/7kYJFkMhLYT9XMipxJPAE5T0z +gXFpT9ev14s22KpnLhGM1OlVqXvZ9WK8K23+TZZ/U149gEMRedJPEbd3nWng6dh/ +KBMuCT/zGF85LdY4O21T/lx+IxQy8P7/gVxiP10ipv4MEJ2F6rSobaebHndgozmQ +JTkpImcjDKw1ArYoY/Q28xhjtvIW+ZcqtwIUE6fr/Ak+hNiUg7g7gH0XneV34iXx +CbE1rXX74aArtFXe +-----END CERTIFICATE REQUEST----- diff --git a/t/cert/ca-client-server/client.key b/t/cert/ca-client-server/client.key new file mode 100644 index 0000000000..fdefda61b7 --- /dev/null +++ b/t/cert/ca-client-server/client.key 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,4431CCDC1F1ADDDD + +ugTv8ZVb9GX9w46XrjxESBKAwCS8UBTEb542pm3GneZW65sKuiClr1kMYFcNTJbN +8LOfZejwmyh8UuLu7RyfgCunrpKutpisZ+trWTxGG3JxAKwqyHsxUtYkewc72DzM +jt5AoKJ/AFsIP0VtQGpCZq1Irc/u0cH9+8ONw2VYOnDkWh2pP5a0FZqx7+69JeM4 +KUIr1ZknxTYGhU9J/ufmDXJI6lA0o1478TMu/sAtIMBTKxGmbBcnrvlodv7yBm5C +/nQeHe5h6h2RQjsm0aekCKuzslsY4lLarB6B61gCOf+E3QRBAFlk6gItztGWShum +t+zY+THxInBJ5orubHPa+sv3oACoPqRZ4HCrevP68P+cAfnxDQBECQOVMRHQCVQA +O0vU8zZvW65fALTZnVQlKSsofSEZRnObxOtN8mYg5TyvKs1/svnPHbxl6EU7rnsx +NOd7Crlc8qjGS/784xNjBOL+O2wg31HXtC93JszTBZBttpULILP8zRw0wWIQz6Bb +u+sVeesNnDjDS8Fd/rG0Dfw79e4SViB55DlCZo2n/lmha6j1aDafJEEac0YYuHKs +F5DKU+kljX8N2f5Uk8s+HVCWZ8pGHi6xYHnjyYcUsM7uAkXjKASzjyol/Se1pk19 +48MC2EoJyEJ0lmz1iaO+YvTrfRw2rgZRCVU5fiYb6tNWkmwyLbseKtuf1tQefegZ +rN77AOWJi4jJZKWdclXtwT5ylWc6rwDGulfSqU9B/1S5/X22zysmZbKoVt0dCIGv +oewiSoTbjubl+ZUqb+ZQbRyQ05fTMuav0KD5L0b3PQaAzOXA/UJ0PkC/M8aCV3te +kXkLTffdK7BFGldzvkkpNmjuqjb29+hlPCeYvKODNutdjBBz/RydSn9GjQ01pocF +3vEzVDnRnMuLdBhaltcuwvKDPiG0smcp2QRTmstbzNGXpsLoJFYn8qVsGU1L9HFv +1Sx4ho4wYu69t7jzopwGYLzSoqeABZ7TsY9xPy7Nc6qaSwuvy3LOui+64NcQIpq8 +dlNJW5qDzvyFZF6ydbVXdlCy5GPd0Cs09Lw56YQRIudV05evZj0k85Ovjkdg8PnY +mIju8XaCgvKMAOMqQjqU/i/NTWaJ2QfN9m3ff/Yg35j1kkyaSGfi+uKiB4ADikzh +plLDzjtd40tY4LzXg6ODFaN2m7aFXyIRMchoC/7PGFDm56tQV6ozJir68iNwlL8/ +/grHyFBgH5rydJjx7EOS8myeVAQlntLbCBt2XGAS/W+SB42I7oB+scPjAs7NCpA0 +ftVMXNkV1w8UXl0rw4VRFvneeF2iNs8cYfNj2tFmqwpnYqJyx5LJE6j6T6HlUaWz +9BENBSAVKTKTv4wHWbsd/Hb8WpS6BWirMXKji68XScyLVdtIbPWzR81nK/yaB4Q0 +xcje0IJoFNU6Fu/ELleOAMUDJS5gZ/0JY0l6H8gDuJzNKMUXjuP4Ils607ESeBnP +qJ7JpC96Rw+wdbUnzgNORyp7TwYhAp69VvyQ4a/DiiBCQbvg3AB/r9seTAiWNVux +NrqhZm2MYpF+0uqsDZfMMLHVqrN2VG2mHO9JHMMWYir81cgyZSg+eqlILAvs7d7e +-----END RSA PRIVATE KEY----- 
diff --git a/t/cert/ca-client-server/client.p12 b/t/cert/ca-client-server/client.p12 new file mode 100644 index 0000000000000000000000000000000000000000..afabcf9bfd5440164aab6ebf2ea00cbc00758946 GIT binary patch literal 2349 zcmV+|3DWj3f(a=C0Ru3C2=4|7Duzgg_YDCD0ic2i-~@sQ+%SR&*f4?vj|K@UhDe6@ z4FLxRpn?N{FoFYo0s#Opf&+C12`Yw2hW8Bt2LUh~1_~;MNQUV0+ z66MuM0s;sCfPw=^AfH~HP(_*CU8FC6Md10$z5K~s$b2Q8RmK!miVLlyslJ*F$r1`xYS?(5K_TwEch*$@7|G*U3LOI6BSj9}RHd3#^ft zqdO;*ZLTOML@7ucyo>wcVO&&Nz9h=4?Wa=WN8 zXx8)jD2*ZGfFhYSmF-rxOH(EnvoK9&h3clk8G4VVLuFO1aC*IWeF`$w!J#v`bHolO z+0Kq6>cVRnin;xn$LmC7fvNC{^YlKT-fe$1anpIi!m7rz0g8aLD6;L8IuI)fr zH3MK>*=#mE1?I+)U}lwPF`v021Nm7{gsLhut*s-q^f&+LH_jFcE+alW_`|Y}d{r_d z1eFg!xG^6r8DstX7>`V@U?*XyAbg9_6g?nlvof;NGV$gTsv~LVP{uZ2h*whcpwk|^ zvB(-arV%3(a2Z0Fpp)1wpyjUT@zF@acL>>p9IqxN4`iED5|&m6QQGsS&{0I2VfiI$ zkkdEh9RSccD~QJMhQzVmA3)6QFV__ETI|R#dq2KYNIpA73%M@tFt)3 zmW6ST3J;v^2MK+{X9R)VEJ^3jw(w{jE)64rQL{IZ@5JW~IpJ%^aCS#h3Ag!y+&98A z&5G#OoyX)Dd|0xSY3r%=3Uf3@gcdRIpl0TxUL1K^3VIEGgMZAp4l~4PHNhwL1N$Lt zA40%HezTQ=wA;eZT}fFy?u21mAMlu8r;hmsqr#;35-!5I%z+#?Q*lhUG(d{#zH|}1 zG`oHLlySt(8iyX+Ocr{e?0M!jFoFd^1_>&LNQUj%sN_vC z{D$_WW6bGzQ*xLMF>%gwwT5+H*9(N4?bEY+(C5*q78pKC6kH^+d6mqLELNUA)sl*U zIx{?vY3H{bD;e?k<4E_6R-GDPiz#IqdQW;|k7GgM`WQ2ak~S~sl~HKk=*eRtzw5M7 zI@9~o<08f-bVWM^#3$So_Y(Eg16l5Z=)~uKpIv&rj#(TANsxe_y}vc&(+~#$$0rF$ zL@&`*miYU_xc4Z1^|*~<`HL8ZdNI}0Qsu%2e=0`^n;v;vymt6OY=a5aydi&U!p|~B;5(-Qj8%Dqh3ZW$OZ&(4koSww~uYB83dJiw8RIt zYA5AmauLEc(UqS-^=0IF5h}AG%J5;8PZ!SiwE*NBKx8mq6D6$wk>-V$_0oD!vOV>} zI?$==r=B~GU>DwC&2!}UqLQsizfny5n5C&KDSI4o`J7QAuDotk18g5P;euEFG44CyBN=Bl(G<*MSMJK#PKc9ozAD*QlibRP@kps_#(_ zE0t8I;FQNvqJ(mU!fwsjN{M&m`084T0OhLS$Thkx(QXTGeg@PSg4;!CE8wNzN$Yw< zy4(9~f`2wkTV&xJ^XGuW-paxO!rH1Q1d(!42MY zPYOmGT70t`AnH0^b*Sfbj34Kgljpy_Uu?%;GQT+lvW)E&QTbmc$^gXl&G_Xl>U}-e zB2x`>5$~_9>&JXX(-C*RLLiK;;rquC5Ms~0N+yn*|_Em+2$m$_)cDd5KR#PBgCFe3&DDuzgg_YDCF6)_eB6nI0< zuPDnHUUPr&pmmY))X$~~nJ_UhAutIB1uG5%0vZJX1Qg!>`vm-qT5)%d<(5qa8@24( TbXNojEJHlyR)lC@0s;sCXd_st literal 0 HcmV?d00001 
diff --git a/t/cert/ca-client-server/client.pfx b/t/cert/ca-client-server/client.pfx new file mode 100644 index 0000000000000000000000000000000000000000..a71e74a89687761700b93a10e5de7f1fdea9bc75 GIT binary patch literal 2349 zcmV+|3DWj3f(a=C0Ru3C2=4|7Duzgg_YDCD0ic2i-~@sQ+%SR&*f4?vj|K@UhDe6@ z4FLxRpn?N{FoFYo0s#Opf&+C12`Yw2hW8Bt2LUh~1_~;MNQU5<2l z@9~1d0_l7Wts}{;)VmKE*Is0iLgE3X-j9IT-@bH>a^`Z*;jU<3{VAoBW?I{)w$%P#!R(p@}uuA95fJKQws0lw0B8UJ*TJjj1Ggi|WFZckAmC*t``A6qcx2!J6GXLI+BlS38r z^(R;(Rg7TPG%akrAlwlTc}buZ4&b5FKd1B6U!(vzB5Ql>mu;A-utWi zG@*(lh3%BPJ^P<m!VQQW2C`J-nND4;A=u0FuZb_!_4!y7^-u|?IiSwrz;#H zpQI6(fNx$&KQ^W#5mZ^%{2Aa#Ro&u0A@U;Oar!B$-i_}W6)+J$YNXrunvvfzrt|=5 zdmw?Q+b6rzc}~Qb&h{2&V%O$CP{WCFc6D$es8b-@ z#5C~FJ~*MApZ_XdhA`T6g1Nnc4DGM37)KKX+qDl>x4~%N(KxeiSlPY=;=)}Xk(>tF z*Al?=SEf0CuC=@2tSSW}DUN2QFoFd^1_>&LNQUf82Qd;Jr*S3Ofb7W z1@$S((TB4KJ)GK^W`^aKqI-m(iLDI3JsaqI>P=oa#3Kx9GJH#hw9`G3J)vCx797Om z?LT=}0(XiT4PiwjW%mk>GHPqrL6rqb6U}e0O1OVP?*qu{!aUrO4S@#z+&$pN>=pbq zx#J_-Ff#lTIndf+{UU$_P}6*R znh1N?C_LlzqmFUQ3l?3`P}G`t-A2wpWg%ayj+fWmE%i$=EueFhU^-^qx+61=k?73rgSnnm2g zDdug7q3-tMAG=C%_SczJE!!7oy0XHutf(Hpi7c3l12a5w=q1U?j=7zIrCSm1On3*B zGDJ*Jnz01QG&;z;Xz3u6cTQA^LsWkBPSOPjmjb-W5k(f&c0crc+!7Ok2x3(f5xuk; zXNss77U(2xDYni0_VMehiQK(--Rh6bFsv}~M(_?RahNfLqToB{0A}kY4t>@{Qqp-6 zHv0MfV$YPaG{gP=XE-JYk}3~>3zOLcspcYL65^IyyT_-~`+v4D1N!08n=0Wph;;pI zBN1R#yOsf6V^2cJnEbG^m|~t4tdGCx{?t-4uR@3lF7`*yNMgUNYSk4ivw)YLso2p@ z_wqqXLgYQh0ao}v%3qLPL?Q~|fI1?~gw&(Ks0uG=EF#lsmI(N2xn0@H!t>3_9SseN z$ZdTF;3WhZRcV3VQJWui1_% ziE(TW>tHY&9}UK>Icm&w_6YaAh5n7wnV;;;4FCVf81!`^eeo@$H5J|2rV>RQj?ni~Egw-9dRRv8u&%e*auGwB18|w*_awrK+(3 z?pXej`a00Se2385vIhf{8`B-niCQPU56o8OH#J#~Pw?>wl4o~*K1@L3s;#otj;9cc z1akyTDxKQbj#Nf{ukUKU#(U!APkmu-RjeAFMS(FTFe3&DDuzgg_YDCF6)_eB6nI0< zuPDnHUUPr&pmmY))X$~~nJ_UhAutIB1uG5%0vZJX1Qg_QSs)6*u_NDqZV#R7;yMbF TCo=>Hzt Date: Mon, 27 Feb 2017 10:33:38 +0800 Subject: [PATCH 05/23] refactor: remove unsed C macro --- src/ngx_http_lua_ssl.c | 5 ----- 1 file changed, 5 deletions(-) 
diff --git a/src/ngx_http_lua_ssl.c b/src/ngx_http_lua_ssl.c index 6668cfc593..6cf116a92c 100644 --- a/src/ngx_http_lua_ssl.c +++ b/src/ngx_http_lua_ssl.c @@ -13,11 +13,6 @@ #if (NGX_HTTP_SSL) -#define ngx_http_lua_ssl_check_method(method, method_len, s) \ - (method_len == sizeof(s) - 1 \ - && ngx_strncmp((method), (s), method_len) == 0) - - int ngx_http_lua_ssl_ctx_index = -1; From 6ce2ea5f43fb59ba2f4a87d23d9c111e46384ae8 Mon Sep 17 00:00:00 2001 
From: detailyang Date: Mon, 27 Feb 2017 10:34:11 +0800 Subject: [PATCH 06/23] tests: remove duplicated tests --- t/151-ssl-ctx.t | 333 +------------------- t/cert/ca-client-server/ca.crt | 18 -- t/cert/ca-client-server/ca.key | 30 -- t/cert/ca-client-server/client.cer | 18 -- t/cert/ca-client-server/client.crt | 18 -- t/cert/ca-client-server/client.csr | 17 - t/cert/ca-client-server/client.key | 30 -- t/cert/ca-client-server/client.p12 | Bin 2349 -> 0 bytes t/cert/ca-client-server/client.pfx | Bin 2349 -> 0 bytes t/cert/ca-client-server/client.unsecure.key | 27 -- t/cert/ca-client-server/ecc-server.crt | 14 - t/cert/ca-client-server/ecc-server.csr | 9 - t/cert/ca-client-server/ecc-server.key | 5 - t/cert/ca-client-server/generate-cert.sh | 39 --- t/cert/ca-client-server/server.cer | 18 -- t/cert/ca-client-server/server.crt | 18 -- t/cert/ca-client-server/server.csr | 17 - t/cert/ca-client-server/server.key | 30 -- t/cert/ca-client-server/server.unsecure.key | 27 -- 19 files changed, 11 insertions(+), 657 deletions(-) delete mode 100644 t/cert/ca-client-server/ca.crt delete mode 100644 t/cert/ca-client-server/ca.key delete mode 100644 t/cert/ca-client-server/client.cer delete mode 100644 t/cert/ca-client-server/client.crt delete mode 100644 t/cert/ca-client-server/client.csr delete mode 100644 t/cert/ca-client-server/client.key delete mode 100644 t/cert/ca-client-server/client.p12 delete mode 100644 t/cert/ca-client-server/client.pfx delete mode 100644 t/cert/ca-client-server/client.unsecure.key delete mode 100644 t/cert/ca-client-server/ecc-server.crt delete mode 100644 t/cert/ca-client-server/ecc-server.csr delete mode 100644 t/cert/ca-client-server/ecc-server.key delete mode 100755 t/cert/ca-client-server/generate-cert.sh delete mode 100644 t/cert/ca-client-server/server.cer delete mode 100644 t/cert/ca-client-server/server.crt delete mode 100644 t/cert/ca-client-server/server.csr delete mode 100644 t/cert/ca-client-server/server.key delete mode 100644 
t/cert/ca-client-server/server.unsecure.key diff --git a/t/151-ssl-ctx.t b/t/151-ssl-ctx.t index b5a007e35e..8dfab68cc3 100644 --- a/t/151-ssl-ctx.t +++ b/t/151-ssl-ctx.t 
@@ -1,219 +1,23 @@ # vim:set ft= ts=4 sw=4 et fdm=marker: use Test::Nginx::Socket::Lua; -use Cwd qw(cwd); use Digest::MD5 qw(md5_hex); repeat_each(3); -plan tests => repeat_each() * (blocks() + 2); +plan tests => repeat_each() * (blocks()); -our $CWD = cwd(); -$ENV{TEST_NGINX_LUA_PACKAGE_PATH} = "$::CWD/lib/?.lua;;"; $ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); -our $TEST_NGINX_LUA_PACKAGE_PATH = $ENV{TEST_NGINX_LUA_PACKAGE_PATH}; -our $TEST_NGINX_HTML_DIR = $ENV{TEST_NGINX_HTML_DIR}; log_level 'debug'; no_long_string(); -sub read_file { - my $infile = shift; - open my $in, $infile - or die "cannot open $infile for reading: $!"; - my $cert = do { local $/; <$in> }; - close $in; - $cert; -} - -our $clientKey = read_file("t/cert/ca-client-server/client.key"); -our $clientUnsecureKey = read_file("t/cert/ca-client-server/client.unsecure.key"); -our $clientCrt = read_file("t/cert/ca-client-server/client.crt"); -our $clientCrtMd5 = md5_hex($clientCrt); -our $serverKey = read_file("t/cert/ca-client-server/server.key"); -our $serverUnsecureKey = read_file("t/cert/ca-client-server/server.unsecure.key"); -our $serverCrt = read_file("t/cert/ca-client-server/server.crt"); -our $caKey = read_file("t/cert/ca-client-server/ca.key"); -our $caCrt = read_file("t/cert/ca-client-server/ca.crt"); -our $http_config = <<_EOS_; -lua_package_path "\$prefix/html/?.lua;$TEST_NGINX_LUA_PACKAGE_PATH/?.lua;;../lua-resty-lrucache/lib/?.lua;"; - -init_by_lua_block { - local ffi = require "ffi" - - local C = ffi.C - local ffi_str = ffi.string - local getfenv = getfenv - local error = error - local errmsg = ffi.new("char *[1]") - if not pcall(ffi.typeof, "ngx_http_request_t") then - ffi.cdef[[ - struct ngx_http_request_s; - typedef struct ngx_http_request_s ngx_http_request_t; - ]] - end - - ffi.cdef[[ - int - ngx_http_lua_ffi_socket_tcp_setsslctx(ngx_http_request_t *r, - void *u, void *cdata_ctx, char **err); - ]] - - local function check_tcp(tcp) - if not tcp or type(tcp) ~= "table" then - return 
error("bad tcp argument") - end - - tcp = tcp[1] - if type(tcp) ~= "userdata" then - return error("bad tcp argument") - end - - return tcp - end - - local function setsslctx(tcp, ssl_ctx) - tcp = check_tcp(tcp) - - local r = getfenv(0).__ngx_req - if not r then - return error("no request found") - end - - local rc = C.ngx_http_lua_ffi_socket_tcp_setsslctx(r, tcp, ssl_ctx, errmsg) - if rc ~= 0 then - return false, ffi_str(errmsg[0]) - end - - return true - end - - - local mt = getfenv(0).__ngx_socket_tcp_mt - if mt then - mt = mt.__index - if mt then - mt.setsslctx = setsslctx - end - end - - function read_file(file) - local f = io.open(file, "rb") - local content = f:read("*all") - f:close() - return content - end - - function get_response_body(response) - for k, v in ipairs(response) do - if #v == 0 then - return table.concat(response, "\\r\\n", k + 1) - end - end - - return nil, "CRLF not found" - end - - function https_get(host, port, path, ssl_ctx) - local sock = ngx.socket.tcp() - - local ok, err = sock:connect(host, port) - if not ok then - return nil, err - end - - local ok, err = sock:setsslctx(ssl_ctx) - if not ok then - return nil, err - end - - local sess, err = sock:sslhandshake() - if not sess then - return nil, err - end - - local req = "GET " .. path .. 
" HTTP/1.0\\r\\nHost: server\\r\\nConnection: close\\r\\n\\r\\n" - local bytes, err = sock:send(req) - if not bytes then - return nil, err - end - - local response = {} - while true do - local line, err, partial = sock:receive() - if not line then - if not partial then - response[#response+1] = partial - end - break - end - - response[#response+1] = line - end - - sock:close() - - return response - end -} - -server { - listen 1983 ssl; - server_name server; - ssl_certificate ../html/server.crt; - ssl_certificate_key ../html/server.unsecure.key; - - ssl on; - ssl_client_certificate ../html/ca.crt; - ssl_verify_client on; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - ssl_prefer_server_ciphers on; - - server_tokens off; - more_clear_headers Date; - default_type 'text/plain'; - - location / { - content_by_lua_block { - ngx.say("foo") - } - } - - location /protocol { - content_by_lua_block {ngx.say(ngx.var.ssl_protocol)} - } +add_block_preprocessor(sub { + my $block = shift; - location /cert { - content_by_lua_block { - ngx.say(ngx.md5(ngx.var.ssl_client_raw_cert)) - } - } -} -_EOS_ -our $user_files = <<_EOS_; ->>> client.key -$clientKey ->>> client.unsecure.key -$clientUnsecureKey ->>> client.crt -$clientCrt ->>> server.key -$serverKey ->>> server.unsecure.key -$serverUnsecureKey ->>> server.crt -$serverCrt ->>> ca.key -$caKey ->>> ca.crt -$caCrt ->>> wrong.crt -OpenResty ->>> wrong.key -OpenResty + if (!defined $block->user_files) { + $block->set_value("user_files", <<'_EOC_'); >>> defines.lua local ffi = require "ffi" 
@@ -227,20 +31,15 @@ ffi.cdef[[ int ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, char **err); - - void *ngx_http_lua_ffi_parse_pem_cert(const unsigned char *pem, - size_t pem_len, char **err); - - void *ngx_http_lua_ffi_parse_pem_priv_key(const unsigned char *pem, - size_t pem_len, char **err); ]] -_EOS_ - -add_block_preprocessor(sub { - my $block = shift; +_EOC_ + } + my $http_config = $block->http_config || ''; + $http_config .= <<'_EOC_'; +lua_package_path "$prefix/html/?.lua;;"; +_EOC_ $block->set_value("http_config", $http_config); - $block->set_value("user_files", $user_files); }); run_tests(); 
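Review bot: The preprocessor now appends `lua_package_path "$prefix/html/?.lua;;";` to every block's `http_config` unconditionally; `lua_package_path` is a main-level directive that nginx rejects when it appears twice in the same context, so any block that sets its own search path in `--- http_config` will fail to start rather than have its path extended. Guard the append, e.g. `$http_config .= <<'_EOC_' unless $http_config =~ /\blua_package_path\b/;`. The single-quoted heredoc correctly leaves `$prefix` for nginx to expand; a one-line comment saying so would prevent someone "fixing" it back to the interpolated Perl variable the earlier version of this file used.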
@@ -272,113 +71,3 @@ GET /t qr/^lua ssl ctx init: ([0-9A-F]+):1 lua ssl ctx free: ([0-9A-F]+):1 $/ - - - -=== TEST 2: ssl ctx - specify ssl protocols method TLSv1 TLSv1.1 TLSv1.2 ---- config - location /t { - content_by_lua_block { - require "defines" - local ffi = require "ffi" - function test_ssl_protocol(protocols) - local errmsg = ffi.new("char *[1]") - local cert_data = read_file("$TEST_NGINX_HTML_DIR/client.crt") - local cert = ffi.C.ngx_http_lua_ffi_parse_pem_cert(cert_data, #cert_data, errmsg) - local pkey_data = read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key") - local priv_key = ffi.C.ngx_http_lua_ffi_parse_pem_priv_key(pkey_data, #pkey_data, errmsg) - - local ssl_ctx = ffi.C.ngx_http_lua_ffi_ssl_ctx_init(protocols, errmsg) - if ssl_ctx == nil then - ngx.say(ffi.string(errmsg[0])) - return - end - - local rc = ffi.C.ngx_http_lua_ffi_ssl_ctx_set_priv_key(ssl_ctx, priv_key, errmsg) - if rc ~= 0 then - ngx.say(ffi.string(errmsg[0])) - return - end - - local rc = ffi.C.ngx_http_lua_ffi_ssl_ctx_set_cert(ssl_ctx, cert, errmsg) - if rc ~= 0 then - ngx.say(ffi.string(errmsg[0])) - return - end - - local response, err = https_get('127.0.0.1', 1983, '/protocol', ssl_ctx) - - if not response then - return err - end - - local body, err = get_response_body(response) - if not body then - return err - end - return body - end - - local bit = require "bit" - local bor = bit.bor - --[=[ - _M.PROTOCOL_SSLv2 = 0x0002 - _M.PROTOCOL_SSLv3 = 0x0004 - _M.PROTOCOL_TLSv1 = 0x0008 - _M.PROTOCOL_TLSv1_1 = 0x0010 - _M.PROTOCOL_TLSv1_2 = 0x0020 - ]=] - - ngx.say(test_ssl_protocol(0x0008)) - ngx.say(test_ssl_protocol(0x0010)) - ngx.say(test_ssl_protocol(0x0020)) - ngx.say(test_ssl_protocol(bor(0x0002, 0x0020))) - } - } - ---- request -GET /t ---- response_body -TLSv1 -TLSv1.1 -TLSv1.2 -TLSv1.2 - - - -=== TEST 3: ssl ctx - dismatch priv_key and cert ---- config - location /t { - content_by_lua_block { - require "defines" - local ffi = require "ffi" - local errmsg = ffi.new("char 
*[1]") - local cert_data = read_file("$TEST_NGINX_HTML_DIR/server.crt") - local cert = ffi.C.ngx_http_lua_ffi_parse_pem_cert(cert_data, #cert_data, errmsg) - local pkey_data = read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key") - local priv_key = ffi.C.ngx_http_lua_ffi_parse_pem_priv_key(pkey_data, #pkey_data, errmsg) - - local ssl_ctx = ffi.C.ngx_http_lua_ffi_ssl_ctx_init(0, errmsg) - if ssl_ctx == nil then - ngx.say(ffi.string(errmsg[0])) - return - end - - local rc = ffi.C.ngx_http_lua_ffi_ssl_ctx_set_cert(ssl_ctx, cert, errmsg) - if rc ~= 0 then - ngx.say(ffi.string(errmsg[0])) - return - end - - local rc = ffi.C.ngx_http_lua_ffi_ssl_ctx_set_priv_key(ssl_ctx, priv_key, errmsg) - if rc ~= 0 then - ngx.say(ffi.string(errmsg[0])) - return - end - } - } - ---- request -GET /t ---- response_body -SSL_CTX_use_PrivateKey() failed diff --git a/t/cert/ca-client-server/ca.crt b/t/cert/ca-client-server/ca.crt deleted file mode 100644 index a2e89bb7bf..0000000000 --- a/t/cert/ca-client-server/ca.crt +++ /dev/null 
@@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC7TCCAdWgAwIBAgIJAIA8UE7EHDJtMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV -BAMMAmNhMB4XDTE3MDIyNjA5NDAzM1oXDTE3MDMyODA5NDAzM1owDTELMAkGA1UE -AwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYFTCTNG8brZfq -DYvV+BV0EoQBfUqFzrmAhcOGSulbyx3Yr76E08RoftQ3ZQZlfwJQDmCJeItSMeQV -z9KRkTurX3dJNdw81m4UQpAk2yAWxAUHfIp2t4l5kh4gY8IjqjOCSJn4+YMT8vbC -C4Ct2FDQru0fOgfYk70YCONf/VVjXjAZVwMEva8QtDy9eJGHLI1Ycw+7ldoPjFot -Ck39ZAbxc+bDjhOsJaIY8hVQfRJs0LBYDOEgiKJvMJ07JoWGv8gWUUFN8mkHrMZ+ -BZHkCHKJdFHEEp2CfLvXhyJV5UA+ib47tOqR6bGhqvZlgp9MhdiPSv74W74c9S1v -jgao6AfJAgMBAAGjUDBOMB0GA1UdDgQWBBQjCPG1wmhRBZ55P8Uk/IpKLJtEKDAf -BgNVHSMEGDAWgBQjCPG1wmhRBZ55P8Uk/IpKLJtEKDAMBgNVHRMEBTADAQH/MA0G -CSqGSIb3DQEBCwUAA4IBAQClVn+Xm9LHIOFFfNtkB44DXLWrm6DL8QXWSaBWn/Af -mMMY6/Nkb/qUwDuiNSJoC4LguyAcaFtDsahr87RrK+r71jDa7coOM29PwHJIUfX2 -h0d/zYW3OxGmiq64Syb4ptzzdEdGfJfHOdjd3OfyU75dyrb14Wo2pTs/nze28D8L -vfNLD6Mipd6KTHjss3AXS2DW5B7l5CJtGz2yXSDWZIeofW0pK8VZHBEMjHo5BdjP -0geIUDsSUcWXaE9ecpN9QefGehijpIGMlJdLYiSF321PFfmcDlFLV+uKtnHLit/7 -GEYPG71iuceNdCrLPV3ACNAY9fs9bY3R8pPFiokUoxng ------END CERTIFICATE----- diff --git a/t/cert/ca-client-server/ca.key b/t/cert/ca-client-server/ca.key deleted file mode 100644 index ea5bc820bd..0000000000 --- a/t/cert/ca-client-server/ca.key +++ /dev/null 
@@ -1,30 +0,0 @@ ------BEGIN ENCRYPTED PRIVATE KEY----- -MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIZ4nB/LxpTcQCAggA -MBQGCCqGSIb3DQMHBAiNC9gSkhs5NwSCBMhd7qMnEuhGIA40BGGccXZ1Mmh2+W9H -OevbbNVY2WQd3HIn9Ez0k/NcCsVD4cYxitryMid4EwAkjWT3+wPyfAAD1iz3Y5be -BZERAfiU1Zxe0LdT5JKZPtJ3OOJlqSYv9S3BonIVr3/e0usS1nerZ48clXj1Sbrg -1CYX0UO45rQo4KznflXzPcAYFjV/tetjYbeXG827kbkjQShV+wA7mLauQhfg4wZ7 -DL2199fjJHD09J49NRAFDqn8LGZrb6eNYM8dUAm7jU6iDRI1EGMvbd0jI4t72qeD -/WRXMdp2M2Jke3SNxEG5jPHJtm1+m2X/Nhf28n6MImZpgcYywfTiKU/QGZ0NhUot -Ha13yFrCvyMhgC9P1zpMqwebJJ0xF/ftAjsgaFxetYWvOHwzyOABtHGd1cyUytyA -08DSXaFlgDyRARkGDiKsmUIeQGcLWkih99IanYiL45BfOlHiZnevlTxV4rUHkFb3 -kbVsJUR+XwiG/5Xker0wboplbYajX+Cm5EHrLdN9PlvAd2xBWE1518YLccwpWMkD -582Aux1kcPhQlGbq4QDMWCFstmceD3/0ouTFhSiJyYJRbvgy5XdWgWkK5or6fTkp -9X81x4R4rOEubnjm12zuB5uUUQCQBT16h4rw0QUH1mKWIzarNQTtX2ojxFFl2NRS -PwbY0tzUYueiCIk6tYUN53rP61Tw6+ThKXQFTZwckqPmmVqOzI4OYuEG9zamcw2z -BUV0a1+VBo/OKRpNBPzA1XNCj1uYN6KFLKPcCdS9Vk/KT1SD42kNW3C6JHv2zrAJ -JkVvhxQkXicHbKO45Iby3uO2phJLeXId50JK7xNz/eZqnavkmYJiiR6rZK2Bdrxx -/wxF76oE5eyA9FUz/OXYtw1oCPAIdD/z6g2C89ozszfFW28LbM2GJpPFFcDkJ94i -iwyc2GmBvgQdV9aVYZ1vnWCphZfL4lA3VOCmsiIPWSx+PlxP0JW8Tq4rwvzBsQ9C -gaawM89E8wLXOHphcJtXvLfEkW2asOU1AkDvW5dOsUfyTQXLD66MePLJpX2MpnPk -WTl5oIihrlJhEq/QdSF9pb6YG/LPOR4sqXKQO63FO12ZXUPLwy63JhFva7JvJ6Nv -rj0N6IKmdvGAYVDKPSYgvCcmE0dGET0djRGcvigdkH6CxexshGXtKufZsIMXc83A -BY0sIa6/liPXr3fj3NOtBlDLWv7K0C9yBT53eEJHB7qh/g5aCDdTFeqdmNGb3Tuz -p/s1KXlZ56dULaon/q0Cr0bCZ47iDqSNsQin+k+zZAqUkq+N726DW5etmnT43DV5 -rEOdtmjy0GTVH+zfPkBjA9isCSWUqGRUIGfriZF3rzJqsCrrdGZ54vMfqtMFRQLc -TgbfJ7oJb8fCqzVFxQlwq6OXfFga774Tj8qR/+p+rJyBr50DLHW6zuhNIHMjWhfu -1i59Jl0Wt0+3qFlMYnAFoWfIMrQfTb1addV9V1xutO+lGPUiS153DD0dUAIiQSDY -HpvDf94rPXxYWKtn0lClUDAGJ+74RGnATgyR+ZFK4wAB5D74xFni5fncg5oBZ1xr -vsfgZEYddTJJEF7z8QeUkRZKvXwtQ+nGvn6loNvnxNsFwY9h1Lr+iYR68ONn0xfP -0ME= ------END ENCRYPTED PRIVATE KEY----- 
diff --git a/t/cert/ca-client-server/client.cer b/t/cert/ca-client-server/client.cer deleted file mode 100644 index d223456b18..0000000000 --- a/t/cert/ca-client-server/client.cer +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC5jCCAc4CAQEwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAwwCY2EwIBcNMTcw -MjI2MDk0MDMzWhgPMjEwMTAxMjcwOTQwMzNaMGMxCzAJBgNVBAYTAlVTMRMwEQYD -VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK -DA1PcGVuUmVzdHkgSW5jMQ8wDQYDVQQDDAZjbGllbnQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDPZVA9LTpDu4mJyJkygqzBe3u79UzdM/U6LSJjD1yp -dlgMPAmFn1TQHL40oTKmzAZupXYwCeLgrsXQVz288pVoWqOVRezJJMlLrf7y9VZw -uG79ld9ocw5Lp4rYJsppvS0qObz1JAmMKgfzWFRXqadFn+0QqomLF9z4xmzoYyZI -HjRMeUU00SUU43Mgfzg8FtkBcDTn1exedZZROsTZwjrl/SYdlDHpgUjLfStSG0m/ -n03TjqdV0Ubo1wZfqENxBWmvgugpbgCW+yksJeg48EI2QavVKXJCNHU0PbwTU1mY -Xh4DCzGlC4kwQ52kfcJCJIlgojEkzG9R0dVRuTDVntu/AgMBAAEwDQYJKoZIhvcN -AQELBQADggEBAJEEoMdt9GtTlbv6498Ww9eqtH4d1rvhmj9X3c+B47JIRf9tuOjF -plIBV8B5WkMCWweD8gINpTlmWqCEGqQcX3pLjSCmi6CtlmtHenETNkgcwNnBzMuG -W7QDGakGMGL/N5cFaV9WGjg3ZnOVI22seahxjj1veQxYO57mxS3Jq0c5lWo7PRqC -hXDYnSweTirukdTlyWALLOvw/NmLQYkvJK1X50ZHQCD5PKoaQfq2fjHPI+LXM+wx -3FwCW9frCRRvLDJX1jqQMAE0OKfCXRoWWZjOv7aEQXYhEYMxedN3XdTqQf3eBYqm -c9cBtzu/lZR5bpRZrstDgTr5ca8wVuQH8D4= ------END CERTIFICATE----- diff --git a/t/cert/ca-client-server/client.crt b/t/cert/ca-client-server/client.crt deleted file mode 100644 index d223456b18..0000000000 --- a/t/cert/ca-client-server/client.crt +++ /dev/null 
@@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC5jCCAc4CAQEwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAwwCY2EwIBcNMTcw -MjI2MDk0MDMzWhgPMjEwMTAxMjcwOTQwMzNaMGMxCzAJBgNVBAYTAlVTMRMwEQYD -VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK -DA1PcGVuUmVzdHkgSW5jMQ8wDQYDVQQDDAZjbGllbnQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDPZVA9LTpDu4mJyJkygqzBe3u79UzdM/U6LSJjD1yp -dlgMPAmFn1TQHL40oTKmzAZupXYwCeLgrsXQVz288pVoWqOVRezJJMlLrf7y9VZw -uG79ld9ocw5Lp4rYJsppvS0qObz1JAmMKgfzWFRXqadFn+0QqomLF9z4xmzoYyZI -HjRMeUU00SUU43Mgfzg8FtkBcDTn1exedZZROsTZwjrl/SYdlDHpgUjLfStSG0m/ -n03TjqdV0Ubo1wZfqENxBWmvgugpbgCW+yksJeg48EI2QavVKXJCNHU0PbwTU1mY -Xh4DCzGlC4kwQ52kfcJCJIlgojEkzG9R0dVRuTDVntu/AgMBAAEwDQYJKoZIhvcN -AQELBQADggEBAJEEoMdt9GtTlbv6498Ww9eqtH4d1rvhmj9X3c+B47JIRf9tuOjF -plIBV8B5WkMCWweD8gINpTlmWqCEGqQcX3pLjSCmi6CtlmtHenETNkgcwNnBzMuG -W7QDGakGMGL/N5cFaV9WGjg3ZnOVI22seahxjj1veQxYO57mxS3Jq0c5lWo7PRqC -hXDYnSweTirukdTlyWALLOvw/NmLQYkvJK1X50ZHQCD5PKoaQfq2fjHPI+LXM+wx -3FwCW9frCRRvLDJX1jqQMAE0OKfCXRoWWZjOv7aEQXYhEYMxedN3XdTqQf3eBYqm -c9cBtzu/lZR5bpRZrstDgTr5ca8wVuQH8D4= ------END CERTIFICATE----- diff --git a/t/cert/ca-client-server/client.csr b/t/cert/ca-client-server/client.csr deleted file mode 100644 index 1019a211b5..0000000000 --- a/t/cert/ca-client-server/client.csr +++ /dev/null 
@@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIICqDCCAZACAQAwYzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx -FjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFjAUBgNVBAoMDU9wZW5SZXN0eSBJbmMx -DzANBgNVBAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AM9lUD0tOkO7iYnImTKCrMF7e7v1TN0z9TotImMPXKl2WAw8CYWfVNAcvjShMqbM -Bm6ldjAJ4uCuxdBXPbzylWhao5VF7MkkyUut/vL1VnC4bv2V32hzDkunitgmymm9 -LSo5vPUkCYwqB/NYVFepp0Wf7RCqiYsX3PjGbOhjJkgeNEx5RTTRJRTjcyB/ODwW -2QFwNOfV7F51llE6xNnCOuX9Jh2UMemBSMt9K1IbSb+fTdOOp1XRRujXBl+oQ3EF -aa+C6CluAJb7KSwl6DjwQjZBq9UpckI0dTQ9vBNTWZheHgMLMaULiTBDnaR9wkIk -iWCiMSTMb1HR1VG5MNWe278CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQCCGKQ3 -AnhgWenMrwFFG7HOwfzo7+62UGX9+4JecldZ5dqpyfIWeVoUt5uhFjPBE0tiwskk -W/RKAtcg07pbZnvSfvmCI//iTHBAA+PygoBIyB/7kYJFkMhLYT9XMipxJPAE5T0z -gXFpT9ev14s22KpnLhGM1OlVqXvZ9WK8K23+TZZ/U149gEMRedJPEbd3nWng6dh/ -KBMuCT/zGF85LdY4O21T/lx+IxQy8P7/gVxiP10ipv4MEJ2F6rSobaebHndgozmQ -JTkpImcjDKw1ArYoY/Q28xhjtvIW+ZcqtwIUE6fr/Ak+hNiUg7g7gH0XneV34iXx -CbE1rXX74aArtFXe ------END CERTIFICATE REQUEST----- diff --git a/t/cert/ca-client-server/client.key b/t/cert/ca-client-server/client.key deleted file mode 100644 index fdefda61b7..0000000000 --- a/t/cert/ca-client-server/client.key +++ /dev/null 
@@ -1,30 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: DES-EDE3-CBC,4431CCDC1F1ADDDD - -ugTv8ZVb9GX9w46XrjxESBKAwCS8UBTEb542pm3GneZW65sKuiClr1kMYFcNTJbN -8LOfZejwmyh8UuLu7RyfgCunrpKutpisZ+trWTxGG3JxAKwqyHsxUtYkewc72DzM -jt5AoKJ/AFsIP0VtQGpCZq1Irc/u0cH9+8ONw2VYOnDkWh2pP5a0FZqx7+69JeM4 -KUIr1ZknxTYGhU9J/ufmDXJI6lA0o1478TMu/sAtIMBTKxGmbBcnrvlodv7yBm5C -/nQeHe5h6h2RQjsm0aekCKuzslsY4lLarB6B61gCOf+E3QRBAFlk6gItztGWShum -t+zY+THxInBJ5orubHPa+sv3oACoPqRZ4HCrevP68P+cAfnxDQBECQOVMRHQCVQA -O0vU8zZvW65fALTZnVQlKSsofSEZRnObxOtN8mYg5TyvKs1/svnPHbxl6EU7rnsx -NOd7Crlc8qjGS/784xNjBOL+O2wg31HXtC93JszTBZBttpULILP8zRw0wWIQz6Bb -u+sVeesNnDjDS8Fd/rG0Dfw79e4SViB55DlCZo2n/lmha6j1aDafJEEac0YYuHKs -F5DKU+kljX8N2f5Uk8s+HVCWZ8pGHi6xYHnjyYcUsM7uAkXjKASzjyol/Se1pk19 -48MC2EoJyEJ0lmz1iaO+YvTrfRw2rgZRCVU5fiYb6tNWkmwyLbseKtuf1tQefegZ -rN77AOWJi4jJZKWdclXtwT5ylWc6rwDGulfSqU9B/1S5/X22zysmZbKoVt0dCIGv -oewiSoTbjubl+ZUqb+ZQbRyQ05fTMuav0KD5L0b3PQaAzOXA/UJ0PkC/M8aCV3te -kXkLTffdK7BFGldzvkkpNmjuqjb29+hlPCeYvKODNutdjBBz/RydSn9GjQ01pocF -3vEzVDnRnMuLdBhaltcuwvKDPiG0smcp2QRTmstbzNGXpsLoJFYn8qVsGU1L9HFv -1Sx4ho4wYu69t7jzopwGYLzSoqeABZ7TsY9xPy7Nc6qaSwuvy3LOui+64NcQIpq8 -dlNJW5qDzvyFZF6ydbVXdlCy5GPd0Cs09Lw56YQRIudV05evZj0k85Ovjkdg8PnY -mIju8XaCgvKMAOMqQjqU/i/NTWaJ2QfN9m3ff/Yg35j1kkyaSGfi+uKiB4ADikzh -plLDzjtd40tY4LzXg6ODFaN2m7aFXyIRMchoC/7PGFDm56tQV6ozJir68iNwlL8/ -/grHyFBgH5rydJjx7EOS8myeVAQlntLbCBt2XGAS/W+SB42I7oB+scPjAs7NCpA0 -ftVMXNkV1w8UXl0rw4VRFvneeF2iNs8cYfNj2tFmqwpnYqJyx5LJE6j6T6HlUaWz -9BENBSAVKTKTv4wHWbsd/Hb8WpS6BWirMXKji68XScyLVdtIbPWzR81nK/yaB4Q0 -xcje0IJoFNU6Fu/ELleOAMUDJS5gZ/0JY0l6H8gDuJzNKMUXjuP4Ils607ESeBnP -qJ7JpC96Rw+wdbUnzgNORyp7TwYhAp69VvyQ4a/DiiBCQbvg3AB/r9seTAiWNVux -NrqhZm2MYpF+0uqsDZfMMLHVqrN2VG2mHO9JHMMWYir81cgyZSg+eqlILAvs7d7e ------END RSA PRIVATE KEY----- 
diff --git a/t/cert/ca-client-server/client.p12 b/t/cert/ca-client-server/client.p12 deleted file mode 100644 index afabcf9bfd5440164aab6ebf2ea00cbc00758946..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2349 zcmV+|3DWj3f(a=C0Ru3C2=4|7Duzgg_YDCD0ic2i-~@sQ+%SR&*f4?vj|K@UhDe6@ z4FLxRpn?N{FoFYo0s#Opf&+C12`Yw2hW8Bt2LUh~1_~;MNQUV0+ z66MuM0s;sCfPw=^AfH~HP(_*CU8FC6Md10$z5K~s$b2Q8RmK!miVLlyslJ*F$r1`xYS?(5K_TwEch*$@7|G*U3LOI6BSj9}RHd3#^ft zqdO;*ZLTOML@7ucyo>wcVO&&Nz9h=4?Wa=WN8 zXx8)jD2*ZGfFhYSmF-rxOH(EnvoK9&h3clk8G4VVLuFO1aC*IWeF`$w!J#v`bHolO z+0Kq6>cVRnin;xn$LmC7fvNC{^YlKT-fe$1anpIi!m7rz0g8aLD6;L8IuI)fr zH3MK>*=#mE1?I+)U}lwPF`v021Nm7{gsLhut*s-q^f&+LH_jFcE+alW_`|Y}d{r_d z1eFg!xG^6r8DstX7>`V@U?*XyAbg9_6g?nlvof;NGV$gTsv~LVP{uZ2h*whcpwk|^ zvB(-arV%3(a2Z0Fpp)1wpyjUT@zF@acL>>p9IqxN4`iED5|&m6QQGsS&{0I2VfiI$ zkkdEh9RSccD~QJMhQzVmA3)6QFV__ETI|R#dq2KYNIpA73%M@tFt)3 zmW6ST3J;v^2MK+{X9R)VEJ^3jw(w{jE)64rQL{IZ@5JW~IpJ%^aCS#h3Ag!y+&98A z&5G#OoyX)Dd|0xSY3r%=3Uf3@gcdRIpl0TxUL1K^3VIEGgMZAp4l~4PHNhwL1N$Lt zA40%HezTQ=wA;eZT}fFy?u21mAMlu8r;hmsqr#;35-!5I%z+#?Q*lhUG(d{#zH|}1 zG`oHLlySt(8iyX+Ocr{e?0M!jFoFd^1_>&LNQUj%sN_vC z{D$_WW6bGzQ*xLMF>%gwwT5+H*9(N4?bEY+(C5*q78pKC6kH^+d6mqLELNUA)sl*U zIx{?vY3H{bD;e?k<4E_6R-GDPiz#IqdQW;|k7GgM`WQ2ak~S~sl~HKk=*eRtzw5M7 zI@9~o<08f-bVWM^#3$So_Y(Eg16l5Z=)~uKpIv&rj#(TANsxe_y}vc&(+~#$$0rF$ zL@&`*miYU_xc4Z1^|*~<`HL8ZdNI}0Qsu%2e=0`^n;v;vymt6OY=a5aydi&U!p|~B;5(-Qj8%Dqh3ZW$OZ&(4koSww~uYB83dJiw8RIt zYA5AmauLEc(UqS-^=0IF5h}AG%J5;8PZ!SiwE*NBKx8mq6D6$wk>-V$_0oD!vOV>} zI?$==r=B~GU>DwC&2!}UqLQsizfny5n5C&KDSI4o`J7QAuDotk18g5P;euEFG44CyBN=Bl(G<*MSMJK#PKc9ozAD*QlibRP@kps_#(_ zE0t8I;FQNvqJ(mU!fwsjN{M&m`084T0OhLS$Thkx(QXTGeg@PSg4;!CE8wNzN$Yw< zy4(9~f`2wkTV&xJ^XGuW-paxO!rH1Q1d(!42MY zPYOmGT70t`AnH0^b*Sfbj34Kgljpy_Uu?%;GQT+lvW)E&QTbmc$^gXl&G_Xl>U}-e zB2x`>5$~_9>&JXX(-C*RLLiK;;rquC5Ms~0N+yn*|_Em+2$m$_)cDd5KR#PBgCFe3&DDuzgg_YDCF6)_eB6nI0< zuPDnHUUPr&pmmY))X$~~nJ_UhAutIB1uG5%0vZJX1Qg!>`vm-qT5)%d<(5qa8@24( TbXNojEJHlyR)lC@0s;sCXd_st 
diff --git a/t/cert/ca-client-server/client.pfx b/t/cert/ca-client-server/client.pfx deleted file mode 100644 index a71e74a89687761700b93a10e5de7f1fdea9bc75..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2349 zcmV+|3DWj3f(a=C0Ru3C2=4|7Duzgg_YDCD0ic2i-~@sQ+%SR&*f4?vj|K@UhDe6@ z4FLxRpn?N{FoFYo0s#Opf&+C12`Yw2hW8Bt2LUh~1_~;MNQU5<2l z@9~1d0_l7Wts}{;)VmKE*Is0iLgE3X-j9IT-@bH>a^`Z*;jU<3{VAoBW?I{)w$%P#!R(p@}uuA95fJKQws0lw0B8UJ*TJjj1Ggi|WFZckAmC*t``A6qcx2!J6GXLI+BlS38r z^(R;(Rg7TPG%akrAlwlTc}buZ4&b5FKd1B6U!(vzB5Ql>mu;A-utWi zG@*(lh3%BPJ^P<m!VQQW2C`J-nND4;A=u0FuZb_!_4!y7^-u|?IiSwrz;#H zpQI6(fNx$&KQ^W#5mZ^%{2Aa#Ro&u0A@U;Oar!B$-i_}W6)+J$YNXrunvvfzrt|=5 zdmw?Q+b6rzc}~Qb&h{2&V%O$CP{WCFc6D$es8b-@ z#5C~FJ~*MApZ_XdhA`T6g1Nnc4DGM37)KKX+qDl>x4~%N(KxeiSlPY=;=)}Xk(>tF z*Al?=SEf0CuC=@2tSSW}DUN2QFoFd^1_>&LNQUf82Qd;Jr*S3Ofb7W z1@$S((TB4KJ)GK^W`^aKqI-m(iLDI3JsaqI>P=oa#3Kx9GJH#hw9`G3J)vCx797Om z?LT=}0(XiT4PiwjW%mk>GHPqrL6rqb6U}e0O1OVP?*qu{!aUrO4S@#z+&$pN>=pbq zx#J_-Ff#lTIndf+{UU$_P}6*R znh1N?C_LlzqmFUQ3l?3`P}G`t-A2wpWg%ayj+fWmE%i$=EueFhU^-^qx+61=k?73rgSnnm2g zDdug7q3-tMAG=C%_SczJE!!7oy0XHutf(Hpi7c3l12a5w=q1U?j=7zIrCSm1On3*B zGDJ*Jnz01QG&;z;Xz3u6cTQA^LsWkBPSOPjmjb-W5k(f&c0crc+!7Ok2x3(f5xuk; zXNss77U(2xDYni0_VMehiQK(--Rh6bFsv}~M(_?RahNfLqToB{0A}kY4t>@{Qqp-6 zHv0MfV$YPaG{gP=XE-JYk}3~>3zOLcspcYL65^IyyT_-~`+v4D1N!08n=0Wph;;pI zBN1R#yOsf6V^2cJnEbG^m|~t4tdGCx{?t-4uR@3lF7`*yNMgUNYSk4ivw)YLso2p@ z_wqqXLgYQh0ao}v%3qLPL?Q~|fI1?~gw&(Ks0uG=EF#lsmI(N2xn0@H!t>3_9SseN z$ZdTF;3WhZRcV3VQJWui1_% ziE(TW>tHY&9}UK>Icm&w_6YaAh5n7wnV;;;4FCVf81!`^eeo@$H5J|2rV>RQj?ni~Egw-9dRRv8u&%e*auGwB18|w*_awrK+(3 z?pXej`a00Se2385vIhf{8`B-niCQPU56o8OH#J#~Pw?>wl4o~*K1@L3s;#otj;9cc z1akyTDxKQbj#Nf{ukUKU#(U!APkmu-RjeAFMS(FTFe3&DDuzgg_YDCF6)_eB6nI0< zuPDnHUUPr&pmmY))X$~~nJ_UhAutIB1uG5%0vZJX1Qg_QSs)6*u_NDqZV#R7;yMbF TCo=>Hzt Date: Tue, 28 Feb 2017 10:20:32 +0800 Subject: [PATCH 07/23] refactor: remove superfluous variable --- src/ngx_http_lua_ssl.c | 9 +++------ 1 file changed, 3 insertions(+), 
6 deletions(-) diff --git a/src/ngx_http_lua_ssl.c b/src/ngx_http_lua_ssl.c index 6cf116a92c..6deacec730 100644 --- a/src/ngx_http_lua_ssl.c +++ b/src/ngx_http_lua_ssl.c @@ -40,7 +40,6 @@ ngx_http_lua_ssl_init(ngx_log_t *log) void * ngx_http_lua_ffi_ssl_ctx_init(ngx_uint_t protocols, char **err) { - SSL_CTX *ssl_ctx; ngx_ssl_t ssl; ssl.log = ngx_cycle->log; @@ -50,12 +49,10 @@ ngx_http_lua_ffi_ssl_ctx_init(ngx_uint_t protocols, char **err) return NULL; } - ssl_ctx = ssl.ctx; + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, ssl.log, 0, + "lua ssl ctx init: %p:%d", ssl.ctx, ssl.ctx->references); - ngx_log_debug2(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, 0, - "lua ssl ctx init: %p:%d", ssl_ctx, ssl_ctx->references); - - return ssl_ctx; + return ssl.ctx; } From 697f0eb068c745ee1bb41262faa451a69ebba212 Mon Sep 17 00:00:00 2001 From: detailyang Date: Tue, 28 Feb 2017 16:08:32 +0800 Subject: [PATCH 08/23] style: combine arguments to one line --- src/ngx_http_lua_ssl.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/ngx_http_lua_ssl.c b/src/ngx_http_lua_ssl.c index 6deacec730..ce76c5a5fd 100644 --- a/src/ngx_http_lua_ssl.c +++ b/src/ngx_http_lua_ssl.c @@ -150,10 +150,7 @@ ngx_http_lua_ffi_ssl_ctx_free(void *cdata) SSL_CTX *ssl_ctx = cdata; ngx_log_debug2(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, - 0, - "lua ssl ctx free: %p:%d", - ssl_ctx, - ssl_ctx->references); + 0, "lua ssl ctx free: %p:%d", ssl_ctx, ssl_ctx->references); SSL_CTX_free(ssl_ctx); } From 040907618b65f1fe332e28079c18f1c1fc973138 Mon Sep 17 00:00:00 2001 From: detailyang Date: Tue, 28 Feb 2017 16:38:35 +0800 Subject: [PATCH 09/23] refactor: expose tcp object metatable to REGISTRY --- src/ngx_http_lua_socket_tcp.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/ngx_http_lua_socket_tcp.c b/src/ngx_http_lua_socket_tcp.c index a2ea89220a..3b1b44aa93 100644 --- a/src/ngx_http_lua_socket_tcp.c +++ b/src/ngx_http_lua_socket_tcp.c 
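Review bot: The rewritten debug line in the second hunk still dereferences `ssl.ctx->references`, a member of `SSL_CTX`, and that struct is opaque from OpenSSL 1.1.0 onwards, so `ngx_http_lua_ffi_ssl_ctx_init` will not compile against that release; the `ngx_http_lua_ffi_ssl_ctx_free` hunk of PATCH 08 on this same line keeps the identical `ssl_ctx->references` access, and PATCH 19 later re-wraps the init line without removing it. Either drop the count from the message, `ngx_log_debug1(NGX_LOG_DEBUG_HTTP, ssl.log, 0, "lua ssl ctx init: %p", ssl.ctx);`, or fence the two-argument form with `#if OPENSSL_VERSION_NUMBER < 0x10100000L`. The reference count is only diagnostic here, so the first option costs nothing.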
@@ -327,9 +327,10 @@ ngx_http_lua_inject_socket_tcp_api(ngx_log_t *log, lua_State *L) #ifndef NGX_LUA_NO_FFI_API - /* expose tcp object metatable to global for FFI */ - lua_pushvalue(L, -1); - lua_setglobal(L, ngx_http_lua_ngx_socket_tcp_mt_key); + /* expose tcp object metatable to REGISTRY for FFI */ + lua_pushliteral(L, ngx_http_lua_ngx_socket_tcp_mt_key); + lua_pushvalue(L, -2); + lua_rawset(L, LUA_REGISTRYINDEX); #endif /* NGX_LUA_NO_FFI_API */ From 17c314140d63a3d5ba366f03f59d11f6f40c755c Mon Sep 17 00:00:00 2001 From: detailyang Date: Wed, 8 Mar 2017 14:52:21 +0800 Subject: [PATCH 10/23] refactor: caller should allocate error message buf --- src/ngx_http_lua_ssl.c | 57 ++++++++++++++++++++++++++---------------- 1 file changed, 35 insertions(+), 22 deletions(-) diff --git a/src/ngx_http_lua_ssl.c b/src/ngx_http_lua_ssl.c index ce76c5a5fd..51701fdec8 100644 --- a/src/ngx_http_lua_ssl.c +++ b/src/ngx_http_lua_ssl.c @@ -45,7 +45,6 @@ ngx_http_lua_ffi_ssl_ctx_init(ngx_uint_t protocols, char **err) ssl.log = ngx_cycle->log; if (ngx_ssl_create(&ssl, protocols, NULL) != NGX_OK) { *err = "failed to create ssl ctx"; - ngx_log_error(NGX_LOG_ERR, ssl.log, 0, *err); return NULL; } @@ -57,18 +56,19 @@ ngx_http_lua_ffi_ssl_ctx_init(ngx_uint_t protocols, char **err) int -ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, char **err) +ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, + char **err_buf, size_t err_buf_len) { #ifdef LIBRESSL_VERSION_NUMBER - *err = "LibreSSL not supported"; + *err_buf = "LibreSSL not supported"; return NGX_ERROR; #else # if OPENSSL_VERSION_NUMBER < 0x1000205fL - *err = "at least OpenSSL 1.0.2e required but found " OPENSSL_VERSION_TEXT; + *err_buf = "at least OpenSSL 1.0.2e required but found " OPENSSL_VERSION_TEXT; return NGX_ERROR; # else 
@@ -77,6 +77,7 @@ ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, char **err) SSL_CTX *ssl_ctx = cdata_ctx; STACK_OF(X509) *cert = cdata_cert; + u_long e; #ifdef OPENSSL_IS_BORINGSSL size_t i; #else @@ -84,22 +85,19 @@ ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, char **err) #endif if (sk_X509_num(cert) < 1) { - *err = "sk_X509_num() failed"; - ngx_ssl_error(NGX_LOG_ERR, ngx_cycle->log, 0, *err); - return NGX_ERROR; + *err_buf = "sk_X509_num() failed"; + goto failed; } x509 = sk_X509_value(cert, 0); if (x509 == NULL) { - *err = "sk_X509_value() failed"; - ngx_ssl_error(NGX_LOG_ERR, ngx_cycle->log, 0, *err); - return NGX_ERROR; + *err_buf = "sk_X509_value() failed"; + goto failed; } if (SSL_CTX_use_certificate(ssl_ctx, x509) == 0) { - *err = "SSL_CTX_use_certificate() failed"; - ngx_ssl_error(NGX_LOG_ERR, ngx_cycle->log, 0, *err); - return NGX_ERROR; + *err_buf = "SSL_CTX_use_certificate() failed"; + goto failed; } /* read rest of the chain */ @@ -108,20 +106,27 @@ ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, char **err) x509 = sk_X509_value(cert, i); if (x509 == NULL) { - *err = "sk_X509_value() failed"; - ngx_ssl_error(NGX_LOG_ERR, ngx_cycle->log, 0, *err); - return NGX_ERROR; + *err_buf = "sk_X509_value() failed"; + goto failed; } if (SSL_CTX_add1_chain_cert(ssl_ctx, x509) == 0) { - *err = "SSL_add1_chain_cert() failed"; - ngx_ssl_error(NGX_LOG_ERR, ngx_cycle->log, 0, *err); - return NGX_ERROR; + *err_buf = "SSL_add1_chain_cert() failed"; + goto failed; } } return NGX_OK; +failed: + + e = ERR_get_error(); + if (e == 0) { + ERR_error_string_n(e, *err_buf, err_buf_len); + } + + return NGX_ERROR; + # endif /* OPENSSL_VERSION_NUMBER < 0x1000205fL */ #endif } 
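Review bot: The `failed:` block added in the third hunk (`@@ -108,20 +106,27 @@`) tests `if (e == 0)` and only then calls `ERR_error_string_n`, so the OpenSSL reason is formatted exactly when there is none and is discarded whenever `ERR_get_error()` did return a code; the condition should be `e != 0`. Independently, `*err_buf` at that point holds the string literal assigned just before the `goto`, so `ERR_error_string_n(e, *err_buf, err_buf_len)` writes into read-only storage, and under the `char **err` cdef in t/151-ssl-ctx.t the pointer is whatever the caller's `char *[1]` slot happened to contain; the `ngx_http_lua_ffi_ssl_ctx_set_priv_key` hunk that follows has the same shape. The caller has to hand over a writable `char *` of `err_buf_len` bytes into which both the fallback literal and the OpenSSL text are copied, which is what PATCH 13 of this series later does via `ngx_http_lua_ssl_get_error`; that rework is the version whose copy semantics need review, this one should not ship as is.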
@@ -129,14 +134,22 @@ ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, char **err) int ngx_http_lua_ffi_ssl_ctx_set_priv_key(void *cdata_ctx, void *cdata_key, - char **err) + char **err_buf, size_t err_buf_len) { SSL_CTX *ssl_ctx = cdata_ctx; EVP_PKEY *key = cdata_key; + u_long e; + if (SSL_CTX_use_PrivateKey(ssl_ctx, key) == 0) { - *err = "SSL_CTX_use_PrivateKey() failed"; - ngx_ssl_error(NGX_LOG_ERR, ngx_cycle->log, 0, *err); + e = ERR_get_error(); + if (e == 0) { + *err_buf = "SSL_CTX_use_PrivateKey() failed"; + + } else { + ERR_error_string_n(e, *err_buf, err_buf_len); + } + return NGX_ERROR; } From 8b7e0f5c344529d203d92a870ac8b8c58fae68d8 Mon Sep 17 00:00:00 2001 From: detailyang Date: Wed, 8 Mar 2017 14:56:53 +0800 Subject: [PATCH 11/23] style: do not exceed 80 columns in source code --- src/ngx_http_lua_ssl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/ngx_http_lua_ssl.c b/src/ngx_http_lua_ssl.c index 51701fdec8..1c56ff076a 100644 --- a/src/ngx_http_lua_ssl.c +++ b/src/ngx_http_lua_ssl.c @@ -68,7 +68,8 @@ ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, # if OPENSSL_VERSION_NUMBER < 0x1000205fL - *err_buf = "at least OpenSSL 1.0.2e required but found " OPENSSL_VERSION_TEXT; + *err_buf = "at least OpenSSL 1.0.2e required but found " + OPENSSL_VERSION_TEXT; return NGX_ERROR; # else From a30bbf31722b9412537ea0b79f5a43d469714ad0 Mon Sep 17 00:00:00 2001 From: detailyang Date: Wed, 8 Mar 2017 15:15:49 +0800 Subject: [PATCH 12/23] tests: use lua-resty-core to test FFI --- t/151-ssl-ctx.t | 45 ++++++--------------------------------------- 1 file changed, 6 insertions(+), 39 deletions(-) diff --git a/t/151-ssl-ctx.t b/t/151-ssl-ctx.t index 8dfab68cc3..517e1eae46 100644 --- a/t/151-ssl-ctx.t +++ b/t/151-ssl-ctx.t 
@@ -13,54 +13,21 @@ log_level 'debug'; no_long_string(); -add_block_preprocessor(sub { - my $block = shift; - - if (!defined $block->user_files) { - $block->set_value("user_files", <<'_EOC_'); ->>> defines.lua -local ffi = require "ffi" - -ffi.cdef[[ - void *ngx_http_lua_ffi_ssl_ctx_init(unsigned int protocols, char **err); - - void ngx_http_lua_ffi_ssl_ctx_free(void *cdata); - - int ngx_http_lua_ffi_ssl_ctx_set_priv_key(void *cdata_ctx, - void *cdata_key, char **err); - - int ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, - void *cdata_cert, char **err); -]] -_EOC_ - } - - my $http_config = $block->http_config || ''; - $http_config .= <<'_EOC_'; -lua_package_path "$prefix/html/?.lua;;"; -_EOC_ - $block->set_value("http_config", $http_config); -}); - run_tests(); __DATA__ === TEST 1: ssl ctx init and free --- log_level: debug +--- http_config + lua_package_path "../lua-resty-core/lib/?.lua;;"; --- config location /t { content_by_lua_block { - require "defines" - local ffi = require "ffi" - local errmsg = ffi.new("char *[1]") - local ctx = ffi.C.ngx_http_lua_ffi_ssl_ctx_init(0, errmsg) - if ctx == nil then - ngx.say(ffi.string(errmsg[0])) - return - end - - ffi.C.ngx_http_lua_ffi_ssl_ctx_free(ctx) + local ssl = require "ngx.ssl" + local ssl_ctx, err = ssl.create_ctx({}) + ssl_ctx = nil + collectgarbage("collect") } } --- request From 73c5aa8b70ed96149be9e35587772971928a1797 Mon Sep 17 00:00:00 2001 From: detailyang Date: Sat, 11 Mar 2017 16:33:29 +0800 Subject: [PATCH 13/23] refactor: copy literal string to caller err buffer --- src/ngx_http_lua_ssl.c | 87 +++++++++++++++++++++++++++--------------- 1 file changed, 57 insertions(+), 30 deletions(-) diff --git a/src/ngx_http_lua_ssl.c b/src/ngx_http_lua_ssl.c index 1c56ff076a..3582d7fc48 100644 --- a/src/ngx_http_lua_ssl.c +++ b/src/ngx_http_lua_ssl.c 
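Review bot: TEST 1 now discards the second return value of `ssl.create_ctx({})`, so a failed context creation leaves `err` unread and the test still passes as long as nothing throws, whereas the removed FFI version at least printed the error. Check it, e.g. `if not ssl_ctx then ngx.say("create_ctx failed: ", err) return end`, and let the block's `--- response_body` section (outside this hunk) pin the expected output. The relative `lua_package_path "../lua-resty-core/lib/?.lua;;"` assumes the runner's working directory matches the `.travis.yml` clone target; a one-line comment recording that assumption would help anyone running `prove` from elsewhere.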
@@ -13,6 +13,10 @@ #if (NGX_HTTP_SSL) +static size_t ngx_http_lua_ssl_get_error(u_long e, u_char *ssl_err_buf, + size_t ssl_err_buf_len, u_char *default_errmsg, size_t default_errmsg_len); + + int ngx_http_lua_ssl_ctx_index = -1; @@ -34,6 +38,31 @@ ngx_http_lua_ssl_init(ngx_log_t *log) } +static size_t +ngx_http_lua_ssl_get_error(u_long e, u_char *ssl_err_buf, + size_t ssl_err_buf_len, u_char *default_errmsg, + size_t default_errmsg_len) +{ + if (e == 0) { + if (ssl_err_buf_len >= default_errmsg_len) { + ssl_err_buf = ngx_copy(ssl_err_buf, + default_errmsg, default_errmsg_len); + return default_errmsg_len; + + } else { + ssl_err_buf = ngx_copy(ssl_err_buf, + default_errmsg, ssl_err_buf_len); + return ssl_err_buf_len; + } + + } + + ERR_error_string_n(e, (char *) ssl_err_buf, ssl_err_buf_len); + + return ngx_strlen(ssl_err_buf); +} + + #ifndef NGX_LUA_NO_FFI_API @@ -57,20 +86,22 @@ ngx_http_lua_ffi_ssl_ctx_init(ngx_uint_t protocols, char **err) int ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, - char **err_buf, size_t err_buf_len) + u_char *err_buf, size_t *err_buf_len) { + char *err; + #ifdef LIBRESSL_VERSION_NUMBER - *err_buf = "LibreSSL not supported"; - return NGX_ERROR; + err = "LibreSSL not supported"; + goto failed; #else # if OPENSSL_VERSION_NUMBER < 0x1000205fL - *err_buf = "at least OpenSSL 1.0.2e required but found " + err = "at least OpenSSL 1.0.2e required but found " OPENSSL_VERSION_TEXT; - return NGX_ERROR; + goto failed; # else @@ -78,7 +109,6 @@ ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, SSL_CTX *ssl_ctx = cdata_ctx; STACK_OF(X509) *cert = cdata_cert; - u_long e; #ifdef OPENSSL_IS_BORINGSSL size_t i; #else 
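Review bot: `ngx_http_lua_ssl_get_error` consumes a single `ERR_get_error()` code, but the `ngx_ssl_error()` calls this series removes from the callers drained the whole per-thread error queue; OpenSSL often pushes several entries for one failure, and anything left behind is reported against the next unrelated SSL operation in this worker. Add `ERR_clear_error();` after the `ERR_error_string_n` call (or at the top of each FFI entry point). Two smaller points in the same function: the `e == 0` branch copies `default_errmsg` without a terminating NUL, which is only safe because callers consume the returned length, so say so with `/* not NUL-terminated; caller uses the returned length */`; and when `ssl_err_buf_len` is 0 `ERR_error_string_n` writes nothing, after which `ngx_strlen(ssl_err_buf)` reads an unset buffer, so return 0 early for that case. The `ssl_err_buf = ngx_copy(...)` assignments store into a by-value parameter and are dead.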
@@ -86,18 +116,18 @@ ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, #endif if (sk_X509_num(cert) < 1) { - *err_buf = "sk_X509_num() failed"; + err = "sk_X509_num() failed"; goto failed; } x509 = sk_X509_value(cert, 0); if (x509 == NULL) { - *err_buf = "sk_X509_value() failed"; + err = "sk_X509_value() failed"; goto failed; } if (SSL_CTX_use_certificate(ssl_ctx, x509) == 0) { - *err_buf = "SSL_CTX_use_certificate() failed"; + err = "SSL_CTX_use_certificate() failed"; goto failed; } @@ -107,54 +137,51 @@ ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, x509 = sk_X509_value(cert, i); if (x509 == NULL) { - *err_buf = "sk_X509_value() failed"; + err = "sk_X509_value() failed"; goto failed; } if (SSL_CTX_add1_chain_cert(ssl_ctx, x509) == 0) { - *err_buf = "SSL_add1_chain_cert() failed"; + err = "SSL_add1_chain_cert() failed"; goto failed; } } return NGX_OK; +# endif /* OPENSSL_VERSION_NUMBER < 0x1000205fL */ +#endif failed: - e = ERR_get_error(); - if (e == 0) { - ERR_error_string_n(e, *err_buf, err_buf_len); - } - + *err_buf_len = ngx_http_lua_ssl_get_error(ERR_get_error(), err_buf, + *err_buf_len, (u_char *) err, + ngx_strlen(err)); return NGX_ERROR; - -# endif /* OPENSSL_VERSION_NUMBER < 0x1000205fL */ -#endif } int ngx_http_lua_ffi_ssl_ctx_set_priv_key(void *cdata_ctx, void *cdata_key, - char **err_buf, size_t err_buf_len) + u_char *err_buf, size_t *err_buf_len) { SSL_CTX *ssl_ctx = cdata_ctx; EVP_PKEY *key = cdata_key; - u_long e; + char *err; if (SSL_CTX_use_PrivateKey(ssl_ctx, key) == 0) { - e = ERR_get_error(); - if (e == 0) { - *err_buf = "SSL_CTX_use_PrivateKey() failed"; - - } else { - ERR_error_string_n(e, *err_buf, err_buf_len); - } - - return NGX_ERROR; + err = "SSL_CTX_use_PrivateKey() failed"; + goto failed; } return NGX_OK; + +failed: + + *err_buf_len = ngx_http_lua_ssl_get_error(ERR_get_error(), err_buf, + *err_buf_len, (u_char *)err, + ngx_strlen(err)); + return NGX_ERROR; } 
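Review bot: The message for the `SSL_CTX_add1_chain_cert()` failure in the second hunk still reads `"SSL_add1_chain_cert() failed"`, naming a function that was not called; change it to `"SSL_CTX_add1_chain_cert() failed"` (PATCH 21 later copies the same text into `default_err`). Moving `failed:` below both `#endif`s also means that in LibreSSL and pre-1.0.2e builds `ERR_get_error()` is consulted for a failure this module raised itself, so a stale entry on the thread's error queue would replace the "not supported" text with an unrelated OpenSSL reason; pass 0 instead of `ERR_get_error()` on those two paths, or clear the queue before the version check.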
From 0b04b543608d4fdd813ab9116dc19e394c12f942 Mon Sep 17 00:00:00 2001 From: detailyang Date: Sat, 11 Mar 2017 16:37:42 +0800 Subject: [PATCH 14/23] travis: use personal lua-resty-core to pass test --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index c935543265..19ff2b8fe7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -83,7 +83,7 @@ install: - git clone https://github.com/openresty/rds-json-nginx-module.git ../rds-json-nginx-module - git clone https://github.com/openresty/srcache-nginx-module.git ../srcache-nginx-module - git clone https://github.com/openresty/redis2-nginx-module.git ../redis2-nginx-module - - git clone https://github.com/openresty/lua-resty-core.git ../lua-resty-core + - git clone -b lua-ffi-api-sslctx https://github.com/detailyang/lua-resty-core.git ../lua-resty-core - git clone -b v2.1-agentzh https://github.com/openresty/luajit2.git before_script: From 902ec8d215e7c736cb1efffd28d1121106d34c13 Mon Sep 17 00:00:00 2001 From: detailyang Date: Sat, 11 Mar 2017 17:38:10 +0800 Subject: [PATCH 15/23] refactor: use ngx_min to decide the size of msg --- src/ngx_http_lua_ssl.c | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/src/ngx_http_lua_ssl.c b/src/ngx_http_lua_ssl.c index 3582d7fc48..679537ee89 100644 --- a/src/ngx_http_lua_ssl.c +++ b/src/ngx_http_lua_ssl.c 
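Review bot: The CI checkout of lua-resty-core now points at branch `lua-ffi-api-sslctx` of a personal fork with no commit pinned, so the test baseline is whatever that branch contains at run time and the build depends on a repository outside the project's control. That is acceptable while the companion FFI change is under review, but the line must go back to `https://github.com/openresty/lua-resty-core.git` (or be pinned to a specific commit) before this series merges. A `# TODO: revert once the ssl ctx FFI lands in openresty/lua-resty-core` comment beside it would keep that from being forgotten.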
@@ -43,18 +43,12 @@ ngx_http_lua_ssl_get_error(u_long e, u_char *ssl_err_buf, size_t ssl_err_buf_len, u_char *default_errmsg, size_t default_errmsg_len) { - if (e == 0) { - if (ssl_err_buf_len >= default_errmsg_len) { - ssl_err_buf = ngx_copy(ssl_err_buf, - default_errmsg, default_errmsg_len); - return default_errmsg_len; - - } else { - ssl_err_buf = ngx_copy(ssl_err_buf, - default_errmsg, ssl_err_buf_len); - return ssl_err_buf_len; - } + size_t len; + if (e == 0) { + len = ngx_min(ssl_err_buf_len, default_errmsg_len); + ssl_err_buf = ngx_copy(ssl_err_buf, default_errmsg, len); + return len; } ERR_error_string_n(e, (char *) ssl_err_buf, ssl_err_buf_len); From c94df6dc66ea7b558635d1ee5685d1dcc4d6cc3d Mon Sep 17 00:00:00 2001 From: detailyang Date: Fri, 5 May 2017 22:13:42 +0800 Subject: [PATCH 16/23] style: align function argments --- src/ngx_http_lua_ssl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/ngx_http_lua_ssl.c b/src/ngx_http_lua_ssl.c index 679537ee89..5c0311546f 100644 --- a/src/ngx_http_lua_ssl.c +++ b/src/ngx_http_lua_ssl.c @@ -173,8 +173,8 @@ ngx_http_lua_ffi_ssl_ctx_set_priv_key(void *cdata_ctx, void *cdata_key, failed: *err_buf_len = ngx_http_lua_ssl_get_error(ERR_get_error(), err_buf, - *err_buf_len, (u_char *)err, - ngx_strlen(err)); + *err_buf_len, (u_char *)err, + ngx_strlen(err)); return NGX_ERROR; } From 6e38b4783d6b1210e8ed443095854fb7ad8f8062 Mon Sep 17 00:00:00 2001 From: detailyang Date: Fri, 5 May 2017 22:17:12 +0800 Subject: [PATCH 17/23] style: align function arguemnts (ditto) --- src/ngx_http_lua_ssl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/ngx_http_lua_ssl.c b/src/ngx_http_lua_ssl.c index 5c0311546f..6a60b9e1c4 100644 --- a/src/ngx_http_lua_ssl.c +++ b/src/ngx_http_lua_ssl.c 
@@ -148,8 +148,8 @@ ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, failed: *err_buf_len = ngx_http_lua_ssl_get_error(ERR_get_error(), err_buf, - *err_buf_len, (u_char *) err, - ngx_strlen(err)); + *err_buf_len, (u_char *) err, + ngx_strlen(err)); return NGX_ERROR; } From 8e06dc5b350b3cf8c8e08327592b41c0e6a60119 Mon Sep 17 00:00:00 2001 From: detailyang Date: Sun, 7 May 2017 22:17:29 +0800 Subject: [PATCH 18/23] tests: remove unused module --- t/151-ssl-ctx.t | 1 - 1 file changed, 1 deletion(-) diff --git a/t/151-ssl-ctx.t b/t/151-ssl-ctx.t index 517e1eae46..2f98de75fd 100644 --- a/t/151-ssl-ctx.t +++ b/t/151-ssl-ctx.t @@ -1,7 +1,6 @@ # vim:set ft= ts=4 sw=4 et fdm=marker: use Test::Nginx::Socket::Lua; -use Digest::MD5 qw(md5_hex); repeat_each(3); From c1059352f41e70eb30ba08df338d9fc7f81ed075 Mon Sep 17 00:00:00 2001 From: detailyang Date: Sun, 7 May 2017 22:18:29 +0800 Subject: [PATCH 19/23] style: align for aesthetic considerations --- src/ngx_http_lua_socket_tcp.h | 2 +- src/ngx_http_lua_ssl.c | 24 +++++++++++++----------- 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/src/ngx_http_lua_socket_tcp.h b/src/ngx_http_lua_socket_tcp.h index 2a8e5b84fe..1443ab22ec 100644 --- a/src/ngx_http_lua_socket_tcp.h +++ b/src/ngx_http_lua_socket_tcp.h @@ -92,7 +92,7 @@ struct ngx_http_lua_socket_tcp_upstream_s { #if (NGX_HTTP_SSL) ngx_str_t ssl_name; - ngx_ssl_t *ssl; + ngx_ssl_t *ssl; #endif unsigned ft_type:16; diff --git a/src/ngx_http_lua_ssl.c b/src/ngx_http_lua_ssl.c index 6a60b9e1c4..2e05cb9cd6 100644 --- a/src/ngx_http_lua_ssl.c +++ b/src/ngx_http_lua_ssl.c 
@@ -40,14 +40,14 @@ ngx_http_lua_ssl_init(ngx_log_t *log) static size_t ngx_http_lua_ssl_get_error(u_long e, u_char *ssl_err_buf, - size_t ssl_err_buf_len, u_char *default_errmsg, - size_t default_errmsg_len) + size_t ssl_err_buf_len, u_char *default_errmsg, size_t default_errmsg_len) { size_t len; if (e == 0) { len = ngx_min(ssl_err_buf_len, default_errmsg_len); ssl_err_buf = ngx_copy(ssl_err_buf, default_errmsg, len); + return len; } @@ -71,8 +71,8 @@ ngx_http_lua_ffi_ssl_ctx_init(ngx_uint_t protocols, char **err) return NULL; } - ngx_log_debug2(NGX_LOG_DEBUG_HTTP, ssl.log, 0, - "lua ssl ctx init: %p:%d", ssl.ctx, ssl.ctx->references); + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, ssl.log, 0, "lua ssl ctx init: %p:%d", + ssl.ctx, ssl.ctx->references); return ssl.ctx; } @@ -83,6 +83,7 @@ ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, u_char *err_buf, size_t *err_buf_len) { char *err; + int num; #ifdef LIBRESSL_VERSION_NUMBER @@ -93,8 +94,7 @@ ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, # if OPENSSL_VERSION_NUMBER < 0x1000205fL - err = "at least OpenSSL 1.0.2e required but found " - OPENSSL_VERSION_TEXT; + err = "at least OpenSSL 1.0.2e required but found " OPENSSL_VERSION_TEXT; goto failed; # else @@ -103,13 +103,14 @@ ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, SSL_CTX *ssl_ctx = cdata_ctx; STACK_OF(X509) *cert = cdata_cert; -#ifdef OPENSSL_IS_BORINGSSL +# ifdef OPENSSL_IS_BORINGSSL size_t i; -#else +# else int i; -#endif +# endif - if (sk_X509_num(cert) < 1) { + num = sk_X509_num(cert); + if (num < 1) { err = "sk_X509_num() failed"; goto failed; } @@ -127,7 +128,7 @@ ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, /* read rest of the chain */ - for (i = 1; i < sk_X509_num(cert); i++) { + for (i = 1; i < num; i++) { x509 = sk_X509_value(cert, i); if (x509 == NULL) { 
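Review bot: `num`, introduced as `int` in the `@@ -83,6` hunk and used in the two hunks that follow, narrows the result of `sk_X509_num()`, which under `OPENSSL_IS_BORINGSSL` returns `size_t` (the reason `i` is `size_t` in that arm), so `i < num` becomes a signed/unsigned comparison that `-Wsign-compare` builds will flag. Give `num` the same conditional type as `i`: `size_t i, num;` in the BoringSSL arm and `int i, num;` in the other, and drop the separate `int num;` at the top. The remaining hunks on this line (alignment, the `# ifdef` re-indent, the extra blank line) are cosmetic.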
@@ -142,6 +143,7 @@ ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, } return NGX_OK; + # endif /* OPENSSL_VERSION_NUMBER < 0x1000205fL */ #endif From 69f841f0bb8cb4694ca5e4f3a31bb60efa662c02 Mon Sep 17 00:00:00 2001 From: detailyang Date: Sun, 7 May 2017 22:19:42 +0800 Subject: [PATCH 20/23] refactor: replace ngx_copy to ngx_memcpy --- src/ngx_http_lua_ssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ngx_http_lua_ssl.c b/src/ngx_http_lua_ssl.c index 2e05cb9cd6..aad7105c81 100644 --- a/src/ngx_http_lua_ssl.c +++ b/src/ngx_http_lua_ssl.c @@ -46,7 +46,7 @@ ngx_http_lua_ssl_get_error(u_long e, u_char *ssl_err_buf, if (e == 0) { len = ngx_min(ssl_err_buf_len, default_errmsg_len); - ssl_err_buf = ngx_copy(ssl_err_buf, default_errmsg, len); + ngx_memcpy(ssl_err_buf, default_errmsg, len); return len; } From f52e7a2a8ecac1200a2c3068da6f16af94abcb65 Mon Sep 17 00:00:00 2001 From: detailyang Date: Wed, 17 May 2017 13:18:23 +0800 Subject: [PATCH 21/23] style: variable name tweaks --- src/ngx_http_lua_ssl.c | 77 +++++++++++++++++++++++------------------- 1 file changed, 42 insertions(+), 35 deletions(-) diff --git a/src/ngx_http_lua_ssl.c b/src/ngx_http_lua_ssl.c index aad7105c81..f016ecc9e5 100644 --- a/src/ngx_http_lua_ssl.c +++ b/src/ngx_http_lua_ssl.c @@ -13,8 +13,8 @@ #if (NGX_HTTP_SSL) -static size_t ngx_http_lua_ssl_get_error(u_long e, u_char *ssl_err_buf, - size_t ssl_err_buf_len, u_char *default_errmsg, size_t default_errmsg_len); +static size_t ngx_http_lua_ssl_get_error(u_long e, u_char *ssl_err, + size_t ssl_err_len, const char *default_err, size_t default_err_len); int ngx_http_lua_ssl_ctx_index = -1; 
@@ -39,21 +39,21 @@ ngx_http_lua_ssl_init(ngx_log_t *log) static size_t -ngx_http_lua_ssl_get_error(u_long e, u_char *ssl_err_buf, - size_t ssl_err_buf_len, u_char *default_errmsg, size_t default_errmsg_len) +ngx_http_lua_ssl_get_error(u_long e, u_char *ssl_err, + size_t ssl_err_len, const char *default_err, size_t default_err_len) { - size_t len; + size_t len; if (e == 0) { - len = ngx_min(ssl_err_buf_len, default_errmsg_len); - ngx_memcpy(ssl_err_buf, default_errmsg, len); + len = ngx_min(ssl_err_len, default_err_len); + ngx_memcpy(ssl_err, default_err, len); return len; } - ERR_error_string_n(e, (char *) ssl_err_buf, ssl_err_buf_len); + ERR_error_string_n(e, (char *) ssl_err, ssl_err_len); - return ngx_strlen(ssl_err_buf); + return ngx_strlen(ssl_err); } @@ -63,7 +63,7 @@ ngx_http_lua_ssl_get_error(u_long e, u_char *ssl_err_buf, void * ngx_http_lua_ffi_ssl_ctx_init(ngx_uint_t protocols, char **err) { - ngx_ssl_t ssl; + ngx_ssl_t ssl; ssl.log = ngx_cycle->log; if (ngx_ssl_create(&ssl, protocols, NULL) != NGX_OK) { 
@@ -80,49 +80,52 @@ ngx_http_lua_ffi_ssl_ctx_init(ngx_uint_t protocols, char **err) int ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, - u_char *err_buf, size_t *err_buf_len) + u_char *err, size_t *err_len) { - char *err; int num; + size_t n; + u_long e; + const char *default_err; #ifdef LIBRESSL_VERSION_NUMBER - err = "LibreSSL not supported"; + default_err = "LibreSSL not supported"; goto failed; #else # if OPENSSL_VERSION_NUMBER < 0x1000205fL - err = "at least OpenSSL 1.0.2e required but found " OPENSSL_VERSION_TEXT; + default_err = "at least OpenSSL 1.0.2e required but found " + OPENSSL_VERSION_TEXT; goto failed; # else - X509 *x509 = NULL; - SSL_CTX *ssl_ctx = cdata_ctx; - STACK_OF(X509) *cert = cdata_cert; + X509 *x509 = NULL; + SSL_CTX *ssl_ctx = cdata_ctx; + STACK_OF(X509) *cert = cdata_cert; # ifdef OPENSSL_IS_BORINGSSL - size_t i; + size_t i; # else - int i; + int i; # endif num = sk_X509_num(cert); if (num < 1) { - err = "sk_X509_num() failed"; + default_err = "sk_X509_num() failed"; goto failed; } x509 = sk_X509_value(cert, 0); if (x509 == NULL) { - err = "sk_X509_value() failed"; + default_err = "sk_X509_value() failed"; goto failed; } if (SSL_CTX_use_certificate(ssl_ctx, x509) == 0) { - err = "SSL_CTX_use_certificate() failed"; + default_err = "SSL_CTX_use_certificate() failed"; goto failed; } @@ -132,12 +135,12 @@ ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, x509 = sk_X509_value(cert, i); if (x509 == NULL) { - err = "sk_X509_value() failed"; + default_err = "sk_X509_value() failed"; goto failed; } if (SSL_CTX_add1_chain_cert(ssl_ctx, x509) == 0) { - err = "SSL_add1_chain_cert() failed"; + default_err = "SSL_add1_chain_cert() failed"; goto failed; } } 
@@ -149,24 +152,27 @@ ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, failed: - *err_buf_len = ngx_http_lua_ssl_get_error(ERR_get_error(), err_buf, - *err_buf_len, (u_char *) err, - ngx_strlen(err)); + e = ERR_get_error(); + n = ngx_strlen(default_err); + *err_len = ngx_http_lua_ssl_get_error(e, err, *err_len, default_err, n); + return NGX_ERROR; } int ngx_http_lua_ffi_ssl_ctx_set_priv_key(void *cdata_ctx, void *cdata_key, - u_char *err_buf, size_t *err_buf_len) + u_char *err, size_t *err_len) { - SSL_CTX *ssl_ctx = cdata_ctx; - EVP_PKEY *key = cdata_key; + SSL_CTX *ssl_ctx = cdata_ctx; + EVP_PKEY *key = cdata_key; - char *err; + size_t n; + u_long e; + const char *default_err; if (SSL_CTX_use_PrivateKey(ssl_ctx, key) == 0) { - err = "SSL_CTX_use_PrivateKey() failed"; + default_err = "SSL_CTX_use_PrivateKey() failed"; goto failed; } @@ -174,9 +180,10 @@ ngx_http_lua_ffi_ssl_ctx_set_priv_key(void *cdata_ctx, void *cdata_key, failed: - *err_buf_len = ngx_http_lua_ssl_get_error(ERR_get_error(), err_buf, - *err_buf_len, (u_char *)err, - ngx_strlen(err)); + e = ERR_get_error(); + n = ngx_strlen(default_err); + *err_len = ngx_http_lua_ssl_get_error(e, err, *err_len, default_err, n); + return NGX_ERROR; } From fb52c37b2132c4eeefdd08c9f41eee1bc416fd8d Mon Sep 17 00:00:00 2001 From: detailyang Date: Fri, 26 May 2017 16:16:08 +0800 Subject: [PATCH 22/23] style: variable declaration in #if block --- src/ngx_http_lua_ssl.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/ngx_http_lua_ssl.c b/src/ngx_http_lua_ssl.c index f016ecc9e5..5f79db77ce 100644 --- a/src/ngx_http_lua_ssl.c +++ b/src/ngx_http_lua_ssl.c @@ -82,9 +82,6 @@ int ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, u_char *err, size_t *err_len) { - int num; - size_t n; - u_long e; const char *default_err; #ifdef LIBRESSL_VERSION_NUMBER 
@@ -111,6 +108,9 @@ ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, # else int i; # endif + int num; + size_t n; + u_long e; num = sk_X509_num(cert); if (num < 1) { From 1f1b0909bce4236d195115f3ef2f792652d781ea Mon Sep 17 00:00:00 2001 From: detailyang Date: Thu, 1 Jun 2017 14:58:12 +0800 Subject: [PATCH 23/23] feature: support ciphers, CRL, ca, cert_store --- src/ngx_http_lua_ssl.c | 337 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 336 insertions(+), 1 deletion(-) diff --git a/src/ngx_http_lua_ssl.c b/src/ngx_http_lua_ssl.c index 5f79db77ce..1a06b2ba5c 100644 --- a/src/ngx_http_lua_ssl.c +++ b/src/ngx_http_lua_ssl.c 
@@ -78,6 +78,129 @@ ngx_http_lua_ffi_ssl_ctx_init(ngx_uint_t protocols, char **err) } +int +ngx_http_lua_ffi_ssl_ctx_set_cert_store(void *cdata_ctx, void *cdata_store, + int up_ref, unsigned char *err, size_t *err_len) +{ + SSL_CTX *ssl_ctx = cdata_ctx; + X509_STORE *x509_store = cdata_store; + + size_t n; + u_long e; + const char *default_err; + + /* + * Note: If another X509_STORE object is currently set in ctx, + * it will be X509_STORE_free()ed + */ + + SSL_CTX_set_cert_store(ssl_ctx, x509_store); + + if (up_ref == 0) { + return NGX_OK; + } + + /* + * X509_STORE_up_ref() require OpenSSL at least 1.1.0, so we use CRYPTO_add + * to implement X509_STORE_up_ref + */ + + if (CRYPTO_add(&x509_store->references, 1, CRYPTO_LOCK_X509_STORE) < 2) { + default_err = "X509_STORE_up_ref() failed"; + goto failed; + } + + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, 0, + "lua ssl x509 store up reference: %p:%d", x509_store, + x509_store->references); + + return NGX_OK; + +failed: + + e = ERR_get_error(); + n = ngx_strlen(default_err); + *err_len = ngx_http_lua_ssl_get_error(e, err, *err_len, default_err, n); + + return NGX_ERROR; +} + + +int +ngx_http_lua_ffi_ssl_ctx_add_ca_cert(void *cdata_ctx, const u_char *cert, + size_t size, unsigned char *err, size_t *err_len) +{ + BIO *bio = NULL; + SSL_CTX *ssl_ctx = cdata_ctx; + + X509 *x509; + size_t n; + u_long e; + const char *default_err; + X509_STORE *store; + + bio = BIO_new_mem_buf(cert, size); + if (bio == NULL) { + default_err = "BIO_new_mem_buf() failed"; + goto failed; + } + + store = SSL_CTX_get_cert_store(ssl_ctx); + if (store == NULL) { + + store = X509_STORE_new(); + if (store == NULL) { + default_err = "X509_STORE_new() failed"; + goto failed; + } + + SSL_CTX_set_cert_store(ssl_ctx, store); + } + + for (;;) { + x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL); + if (x509 == NULL) { + n = ERR_peek_last_error(); + + if (ERR_GET_LIB(n) == ERR_LIB_PEM + && ERR_GET_REASON(n) == PEM_R_NO_START_LINE) + { + /* end of file 
*/ + ERR_clear_error(); + break; + } + + default_err = "PEM_read_bio_X509() failed"; + goto failed; + } + + if (!X509_STORE_add_cert(store, x509)) { + X509_free(x509); + default_err = "X509_STORE_add_cert() failed"; + goto failed; + } + + X509_free(x509); + } + + BIO_free_all(bio); + + return NGX_OK; + +failed: + + if(bio != NULL) { + BIO_free_all(bio); + } + + e = ERR_get_error(); + n = ngx_strlen(default_err); + *err_len = ngx_http_lua_ssl_get_error(e, err, *err_len, default_err, n); + + return NGX_ERROR; +} + + int ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, u_char *err, size_t *err_len) 
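Review bot: `ngx_http_lua_ffi_ssl_ctx_set_cert_store` installs the store with `SSL_CTX_set_cert_store()` before the `up_ref` path runs, so when `CRYPTO_add()` fails the function returns NGX_ERROR with the store already owned by the ctx while the caller still holds its own handle, and whichever side frees second frees a dangling X509_STORE. Taking the extra reference first and only then handing the store to the ctx removes that window; the ownership rule (up_ref == 0 transfers the caller's reference to the ctx, up_ref != 0 leaves the caller owning its own) should also be stated in a comment on the function, since nothing else tells the Lua side whether it may still free the store. `CRYPTO_add()`/`CRYPTO_LOCK_X509_STORE` and the direct read of `x509_store->references` in the debug log are pre-1.1.0 OpenSSL interfaces (X509_STORE is opaque from 1.1.0, which is exactly where `X509_STORE_up_ref()` appears), so if newer OpenSSL is a build target this needs a version guard rather than a comment. In `ngx_http_lua_ffi_ssl_ctx_add_ca_cert` the failed path writes `if(bio != NULL)` without the space after `if` used everywhere else in the hunk.
```c
/* take the caller's extra reference first: if it cannot be taken the
 * store must not yet be owned by the ctx, or the error return leaves
 * both sides believing they own it */
if (up_ref) {
    if (CRYPTO_add(&x509_store->references, 1, CRYPTO_LOCK_X509_STORE) < 2) {
        default_err = "X509_STORE_up_ref() failed";
        goto failed;
    }

    /* … unchanged: debug log of the new reference count … */
}

/* replaces any store previously set in the ctx, which is freed */
SSL_CTX_set_cert_store(ssl_ctx, x509_store);

return NGX_OK;
```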
@@ -188,10 +311,117 @@ ngx_http_lua_ffi_ssl_ctx_set_priv_key(void *cdata_ctx, void *cdata_key, } +int +ngx_http_lua_ffi_ssl_ctx_set_ciphers(void *cdata_ctx, const char *cipher, + unsigned char *err, size_t *err_len) +{ + SSL_CTX *ssl_ctx = cdata_ctx; + + size_t n; + u_long e; + const char *default_err; + + if (!SSL_CTX_set_cipher_list(ssl_ctx, cipher)) { + default_err = "SSL_CTX_set_cipher_list() failed"; + goto failed; + } + + return NGX_OK; + +failed: + + e = ERR_get_error(); + n = ngx_strlen(default_err); + *err_len = ngx_http_lua_ssl_get_error(e, err, *err_len, default_err, n); + + return NGX_ERROR; +} + + +int +ngx_http_lua_ffi_ssl_ctx_set_crl(void *cdata_ctx, const u_char *crl, + size_t size, unsigned char *err, size_t *err_len) +{ + BIO *bio = NULL; + SSL_CTX *ssl_ctx = cdata_ctx; + + size_t n; + u_long e; + X509_CRL *x509_crl; + X509_STORE *x509_store; + const char *default_err; + + x509_store = SSL_CTX_get_cert_store(ssl_ctx); + if (x509_store == NULL) { + default_err = "ca cert store is empty"; + goto failed; + } + + bio = BIO_new_mem_buf(crl, size); + if (bio == NULL) { + default_err = "BIO_new_mem_buf() failed"; + goto failed; + } + + for (;;) { + x509_crl = PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL); + if (x509_crl == NULL) { + n = ERR_peek_last_error(); + + if (ERR_GET_LIB(n) == ERR_LIB_PEM + && ERR_GET_REASON(n) == PEM_R_NO_START_LINE) + { + ERR_clear_error(); + break; + } + + default_err = "PEM_read_bio_X509_CRL() failed"; + goto failed; + } + + if (!X509_STORE_add_crl(x509_store, x509_crl)) { + X509_CRL_free(x509_crl); + default_err = "X509_STORE_add_crl() failed"; + goto failed; + } + + X509_CRL_free(x509_crl); + } + + X509_STORE_set_flags(x509_store, + X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); + + BIO_free_all(bio); + + return NGX_OK; + +failed: + + if (bio != NULL) { + BIO_free_all(bio); + } + + e = ERR_get_error(); + n = ngx_strlen(default_err); + *err_len = ngx_http_lua_ssl_get_error(e, err, *err_len, default_err, n); + + return 
NGX_ERROR; +} + + void ngx_http_lua_ffi_ssl_ctx_free(void *cdata) { - SSL_CTX *ssl_ctx = cdata; + SSL_CTX *ssl_ctx = cdata; + + X509_STORE *x509_store; + + x509_store = SSL_CTX_get_cert_store(ssl_ctx); + if (x509_store != NULL) { + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, 0, + "lua ssl ctx x509 store reference: %p:%d", x509_store, + x509_store->references); + } ngx_log_debug2(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, 0, "lua ssl ctx free: %p:%d", ssl_ctx, ssl_ctx->references); 
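Review bot: `ngx_http_lua_ffi_ssl_ctx_set_crl` sets `X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL` unconditionally after the loop, so a buffer that contains no PEM CRL (the loop exits on `PEM_R_NO_START_LINE` on the first read) still turns CRL checking on for a store that holds no CRLs, and every later verification fails with "unable to get certificate CRL" with no hint that the input was empty. Counting parsed CRLs and rejecting zero surfaces the misconfiguration at setup time: `if (ncrl == 0) { default_err = "no CRL found in input"; goto failed; }` placed before the `X509_STORE_set_flags()` call. In `ngx_http_lua_ffi_ssl_ctx_set_ciphers`, `SSL_CTX_set_cipher_list()` reports success as soon as one entry in the string resolves, so a misspelled entry in an allow-list drops out silently; a comment stating that callers must check the negotiated cipher, or a stricter validation, is worth adding. Both loaders only have an effect once peer verification is enabled on the connection, which nothing in this hunk does itself, and that dependency should be noted on each function.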
@@ -200,6 +430,111 @@ ngx_http_lua_ffi_ssl_ctx_free(void *cdata) } +X509_STORE * +ngx_http_lua_ffi_ssl_x509_store_init(unsigned char *err, size_t *err_len) +{ + size_t n; + u_long e; + X509_STORE *x509_store; + const char *default_err; + + x509_store = X509_STORE_new(); + if (x509_store == NULL) { + default_err = "X509_STORE_new() failed"; + goto failed; + } + + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, 0, + "lua ssl x509 store init: %p:%d", x509_store, + x509_store->references); + + return x509_store; + +failed: + + e = ERR_get_error(); + n = ngx_strlen(default_err); + *err_len = ngx_http_lua_ssl_get_error(e, err, *err_len, default_err, n); + + return NULL; +} + + +int +ngx_http_lua_ffi_ssl_x509_store_add_cert(void *cdata_store, const u_char *cert, + size_t size, unsigned char *err, size_t *err_len) +{ + BIO *bio = NULL; + X509_STORE *x509_store = cdata_store; + + X509 *x509; + size_t n; + u_long e; + const char *default_err; + + bio = BIO_new_mem_buf(cert, size); + if (bio == NULL) { + default_err = "BIO_new_mem_buf() failed"; + goto failed; + } + + for (;;) { + x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL); + if (x509 == NULL) { + n = ERR_peek_last_error(); + + if (ERR_GET_LIB(n) == ERR_LIB_PEM + && ERR_GET_REASON(n) == PEM_R_NO_START_LINE) + { + /* end of file */ + ERR_clear_error(); + break; + } + + default_err = "PEM_read_bio_X509() failed"; + goto failed; + } + + if (!X509_STORE_add_cert(x509_store, x509)) { + X509_free(x509); + default_err = "X509_STORE_add_cert() failed"; + goto failed; + } + + X509_free(x509); + } + + BIO_free_all(bio); + + return NGX_OK; + +failed: + + if(bio != NULL) { + BIO_free_all(bio); + } + + e = ERR_get_error(); + n = ngx_strlen(default_err); + *err_len = ngx_http_lua_ssl_get_error(e, err, *err_len, default_err, n); + + return NGX_ERROR; +} + + +void +ngx_http_lua_ffi_ssl_x509_store_free(void *cdata_store) +{ + X509_STORE *x509_store = cdata_store; + + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, 0, + "lua ssl 
x509 store free: %p:%d", x509_store, + x509_store->references); + + X509_STORE_free(x509_store); +} + + #endif /* NGX_LUA_NO_FFI_API */
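Review bot: `ngx_http_lua_ffi_ssl_x509_store_add_cert` repeats the PEM read loop of `ngx_http_lua_ffi_ssl_ctx_add_ca_cert` line for line, including the `if(bio != NULL)` spacing slip in its failed path; a `static` helper taking the store, buffer, size and a `const char **default_err` would keep the two (and the same-shaped CRL loader) in step. Inside that loop `n = ERR_peek_last_error();` parks an `unsigned long` error code in the `size_t n` that is later reused for `ngx_strlen(default_err)`; the function already declares `u_long e`, which is the honest home for it. `ngx_http_lua_ffi_ssl_x509_store_free` needs an ownership comment such as `/* only for a store the ctx does not own: set_cert_store with up_ref == 0 hands the caller's reference to the ctx, which then frees it in SSL_CTX_free() */`, since calling it on a transferred store is a double free. The debug logs read `x509_store->references` directly, which only compiles where X509_STORE is not opaque (pre-1.1.0 OpenSSL), so a version guard is needed if newer OpenSSL is a target.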