feature: support ssl.create_ctx and tcp:setsslctx

.travis.yml

@@ -82,7 +82,7 @@ install:
   - git clone https://github.com/openresty/rds-json-nginx-module.git ../rds-json-nginx-module
   - git clone https://github.com/openresty/srcache-nginx-module.git ../srcache-nginx-module
   - git clone https://github.com/openresty/redis2-nginx-module.git ../redis2-nginx-module
-  - git clone https://github.com/openresty/lua-resty-core.git ../lua-resty-core
+  - git clone -b lua-ffi-api-sslctx https://github.com/detailyang/lua-resty-core.git ../lua-resty-core
   - git clone -b v2.1-agentzh https://github.com/openresty/luajit2.git
 
 before_script:

src/ngx_http_lua_socket_tcp.c

@@ -183,6 +183,12 @@ enum {
     }
 
 
+#if (NGX_HTTP_SSL)
+
+#define ngx_http_lua_ngx_socket_tcp_mt_key  "__ngx_socket_tcp_mt"
+
+#endif
+
 static char ngx_http_lua_req_socket_metatable_key;
 static char ngx_http_lua_raw_req_socket_metatable_key;
 static char ngx_http_lua_tcp_socket_metatable_key;
@@ -316,6 +322,20 @@ ngx_http_lua_inject_socket_tcp_api(ngx_log_t *log, lua_State *L)
 
     lua_pushvalue(L, -1);
     lua_setfield(L, -2, "__index");
+
+#if (NGX_HTTP_SSL)
+
+#ifndef NGX_LUA_NO_FFI_API
+
+    /* expose tcp object metatable to REGISTRY for FFI */
+    lua_pushliteral(L, ngx_http_lua_ngx_socket_tcp_mt_key);
+    lua_pushvalue(L, -2);
+    lua_rawset(L, LUA_REGISTRYINDEX);
+
+#endif /* NGX_LUA_NO_FFI_API */
+
+#endif /* NGX_HTTP_SSL */
+
     lua_rawset(L, LUA_REGISTRYINDEX);
     /* }}} */
 
@@ -587,6 +607,12 @@ ngx_http_lua_socket_tcp_connect(lua_State *L)
 
     u->conf = llcf;
 
+#if (NGX_HTTP_SSL)
+
+    u->ssl = llcf->ssl;
+
+#endif
+
     pc = &u->peer;
 
     pc->log = r->connection->log;
@@ -1200,6 +1226,35 @@ ngx_http_lua_socket_conn_error_retval_handler(ngx_http_request_t *r,
 
 #if (NGX_HTTP_SSL)
 
+
+#ifndef NGX_LUA_NO_FFI_API
+
+int
+ngx_http_lua_ffi_socket_tcp_setsslctx(ngx_http_request_t *r,
+    ngx_http_lua_socket_tcp_upstream_t *u, void *cdata_ctx, char **err)
+{
+    SSL_CTX   *ssl_ctx = cdata_ctx;
+
+    ngx_ssl_t *ssl;
+
+    ssl = ngx_pcalloc(r->pool, sizeof(ngx_ssl_t));
+    if (ssl == NULL) {
+        *err = "no memory";
+        return NGX_ERROR;
+    }
+
+    ssl->ctx = ssl_ctx;
+    ssl->log = u->ssl->log;
+    ssl->buffer_size = u->ssl->buffer_size;
+
+    u->ssl = ssl;
+
+    return NGX_OK;
+}
+
+#endif /* NGX_LUA_NO_FFI_API */
+
+
 static int
 ngx_http_lua_socket_tcp_sslhandshake(lua_State *L)
 {
@@ -1286,7 +1341,7 @@ ngx_http_lua_socket_tcp_sslhandshake(lua_State *L)
         return 1;
     }
 
-    if (ngx_ssl_create_connection(u->conf->ssl, c,
+    if (ngx_ssl_create_connection(u->ssl, c,
                                   NGX_SSL_BUFFER|NGX_SSL_CLIENT)
         != NGX_OK)
     {

src/ngx_http_lua_socket_tcp.h

@@ -92,6 +92,7 @@ struct ngx_http_lua_socket_tcp_upstream_s {
 
 #if (NGX_HTTP_SSL)
     ngx_str_t                        ssl_name;
+    ngx_ssl_t                       *ssl;
 #endif
 
     unsigned                         ft_type:16;

src/ngx_http_lua_ssl.c

@@ -13,6 +13,10 @@
 #if (NGX_HTTP_SSL)
 
 
+static size_t ngx_http_lua_ssl_get_error(u_long e, u_char *ssl_err,
+    size_t ssl_err_len, const char *default_err, size_t default_err_len);
+
+
 int ngx_http_lua_ssl_ctx_index = -1;
 
 
@@ -34,4 +38,169 @@ ngx_http_lua_ssl_init(ngx_log_t *log)
 }
 
 
+static size_t
+ngx_http_lua_ssl_get_error(u_long e, u_char *ssl_err,
+    size_t ssl_err_len, const char *default_err, size_t default_err_len)
+{
+    size_t             len;
+
+    if (e == 0) {
+        len = ngx_min(ssl_err_len, default_err_len);
+        ngx_memcpy(ssl_err, default_err, len);
+
+        return len;
+    }
+
+    ERR_error_string_n(e, (char *) ssl_err, ssl_err_len);
+
+    return ngx_strlen(ssl_err);
+}
+
+
+#ifndef NGX_LUA_NO_FFI_API
+
+
+void *
+ngx_http_lua_ffi_ssl_ctx_init(ngx_uint_t protocols, char **err)
+{
+    ngx_ssl_t           ssl;
+
+    ssl.log = ngx_cycle->log;
+    if (ngx_ssl_create(&ssl, protocols, NULL) != NGX_OK) {
+        *err = "failed to create ssl ctx";
+        return NULL;
+    }
+
+    ngx_log_debug2(NGX_LOG_DEBUG_HTTP, ssl.log, 0, "lua ssl ctx init: %p:%d",
+                   ssl.ctx, ssl.ctx->references);
+
+    return ssl.ctx;
+}
+
+
+int
+ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert,
+    u_char *err, size_t *err_len)
+{
+    const char         *default_err;
+
+#ifdef LIBRESSL_VERSION_NUMBER
+
+    default_err = "LibreSSL not supported";
+    goto failed;
+
+#else
+
+#   if OPENSSL_VERSION_NUMBER < 0x1000205fL
+
+    default_err = "at least OpenSSL 1.0.2e required but found "
+                  OPENSSL_VERSION_TEXT;
+    goto failed;
+
+#   else
+
+    X509               *x509 = NULL;
+    SSL_CTX            *ssl_ctx = cdata_ctx;
+    STACK_OF(X509)     *cert = cdata_cert;
+
+#   ifdef OPENSSL_IS_BORINGSSL
+    size_t              i;
+#   else
+    int                 i;
+#   endif
+    int                 num;
+    size_t              n;
+    u_long              e;
+
+    num = sk_X509_num(cert);
+    if (num < 1) {
+        default_err = "sk_X509_num() failed";
+        goto failed;
+    }
+
+    x509 = sk_X509_value(cert, 0);
+    if (x509 == NULL) {
+        default_err = "sk_X509_value() failed";
+        goto failed;
+    }
+
+    if (SSL_CTX_use_certificate(ssl_ctx, x509) == 0) {
+        default_err = "SSL_CTX_use_certificate() failed";
+        goto failed;
+    }
+
+    /* read rest of the chain */
+
+    for (i = 1; i < num; i++) {
+
+        x509 = sk_X509_value(cert, i);
+        if (x509 == NULL) {
+            default_err = "sk_X509_value() failed";
+            goto failed;
+        }
+
+        if (SSL_CTX_add1_chain_cert(ssl_ctx, x509) == 0) {
+            default_err = "SSL_add1_chain_cert() failed";
+            goto failed;
+        }
+    }
+
+    return NGX_OK;
+
+#   endif  /* OPENSSL_VERSION_NUMBER < 0x1000205fL */
+#endif
+
+failed:
+
+    e = ERR_get_error();
+    n = ngx_strlen(default_err);
+    *err_len = ngx_http_lua_ssl_get_error(e, err, *err_len, default_err, n);
+
+    return NGX_ERROR;
+}
+
+
+int
+ngx_http_lua_ffi_ssl_ctx_set_priv_key(void *cdata_ctx, void *cdata_key,
+    u_char *err, size_t *err_len)
+{
+    SSL_CTX            *ssl_ctx = cdata_ctx;
+    EVP_PKEY           *key = cdata_key;
+
+    size_t              n;
+    u_long              e;
+    const char         *default_err;
+
+    if (SSL_CTX_use_PrivateKey(ssl_ctx, key) == 0) {
+        default_err = "SSL_CTX_use_PrivateKey() failed";
+        goto failed;
+    }
+
+    return NGX_OK;
+
+failed:
+
+    e = ERR_get_error();
+    n = ngx_strlen(default_err);
+    *err_len = ngx_http_lua_ssl_get_error(e, err, *err_len, default_err, n);
+
+    return NGX_ERROR;
+}
+
+
+void
+ngx_http_lua_ffi_ssl_ctx_free(void *cdata)
+{
+    SSL_CTX *ssl_ctx = cdata;
+
+    ngx_log_debug2(NGX_LOG_DEBUG_HTTP, ngx_cycle->log,
+                   0, "lua ssl ctx free: %p:%d", ssl_ctx, ssl_ctx->references);
+
+    SSL_CTX_free(ssl_ctx);
+}
+
+
+#endif /* NGX_LUA_NO_FFI_API */
+
+
 #endif /* NGX_HTTP_SSL */

t/151-ssl-ctx.t

@@ -0,0 +1,39 @@
+# vim:set ft= ts=4 sw=4 et fdm=marker:
+
+use Test::Nginx::Socket::Lua;
+
+repeat_each(3);
+
+plan tests => repeat_each() * (blocks());
+
+$ENV{TEST_NGINX_HTML_DIR} ||= html_dir();
+
+log_level 'debug';
+
+no_long_string();
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: ssl ctx init and free
+--- log_level: debug
+--- http_config
+    lua_package_path "../lua-resty-core/lib/?.lua;;";
+--- config
+    location /t {
+        content_by_lua_block {
+            local ssl = require "ngx.ssl"
+            local ssl_ctx, err = ssl.create_ctx({})
+            ssl_ctx = nil
+            collectgarbage("collect")
+        }
+    }
+--- request
+GET /t
+--- ignore_response
+--- grep_error_log eval: qr/lua ssl ctx (?:init|free): [0-9A-F]+:\d+/
+--- grep_error_log_out eval
+qr/^lua ssl ctx init: ([0-9A-F]+):1
+lua ssl ctx free: ([0-9A-F]+):1
+$/