-
Notifications
You must be signed in to change notification settings - Fork 272
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feature: add function tcpsock:setclientcert
, reimplemented tcpsock:sslhandshake
with FFI.
#278
Conversation
68ca312
to
3b5e699
Compare
da4f865
to
9e5a7d7
Compare
9e5a7d7
to
d27f2af
Compare
8d4d81b
to
e3c7f85
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A couple of comments to get your thoughts @dndx; I have a local branch in which I already made edits that I would like to suggest in this PR, maybe as a new commit that we can squash at merge time, if that sounds good to you.
@thibaultcha Squashing at merge sounds good to me :) |
414879b
to
71d1257
Compare
@dndx |
@spacewander not a problem, I will resolve it today! |
71d1257
to
42710cb
Compare
lib/resty/core/socket/tcp.lua
Outdated
end | ||
|
||
sock.tlshandshake = tlshandshake | ||
sock.sslhandshake = sslhandshake |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dndx I think it's better to move this module into this file? we can save two set field operations then.
https://github.com/openresty/lua-resty-core/blob/master/lib/resty/core/socket.lua
It's confusing to have both |
a4acb9c
to
00361a0
Compare
@chronolaw would you please rebase to the master ? |
local openssl_error_code = ffi_new("int[1]") | ||
|
||
|
||
local function setclientcert(cosocket, cert, pkey) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
local function setclientcert(cosocket, cert, pkey) | |
local function set_client_cert(cosocket, cert, pkey) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is to keep the style consistent with existing cosocket API function names. e.g. tcpsock:getreusedtimes
lib/resty/core/socket.lua
Outdated
local n = select("#", ...) | ||
if not cosocket or n > 1 then | ||
error("ngx.socket sslhandshake: expecting 1 ~ 5 arguments " .. | ||
"(including the object), but seen " .. (cosocket and 5 + n or 0)) | ||
end |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
local n = select("#", ...) | |
if not cosocket or n > 1 then | |
error("ngx.socket sslhandshake: expecting 1 ~ 5 arguments " .. | |
"(including the object), but seen " .. (cosocket and 5 + n or 0)) | |
end |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we need this test.
And if you want to test the number, it is
if not cosocket or n > 0
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@chronolaw I think @zhuizhuhaomeng is correct here. Since the Lua implementation of sslhandshake
already takes 5 arguments, it will be incorrect to check not cosocket or n > 1
as that indicates there are 7 arguments passed. It should be not cosocket or n > 0
instead.
lib/resty/core/socket.lua
Outdated
end | ||
|
||
if session_ptr[0] == nil then | ||
return nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should return the error at the same time
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See my reviews, I think we can remove this if session_ptr[0] == nil then
branch altogether and keep only the assert
below.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, I had a closer look at this logic compared to https://github.com/openresty/lua-nginx-module/blob/master/src/ngx_http_lua_socket_tcp.c#L1935-L1956. The issue is that:
In the original C implementation, when the server did not turn on session reuse, the sslhandshake
function returned a lightuserdata
that is NULL
and did not set the __gc
meta method on it. This is different than returning a Lua nil
value which indicates an error.
Therefore, we should mimic this behavior by returning the session_ptr[0]
cdata
directly and not call ffi.gc
on it. From the user's perspective, the handshake is still a success.
tcpsock:tlshandshake
and tcpsock:sslhandshake
tcpsock:setclientcert
, reimplemented tcpsock:sslhandshake
with FFI.
It just follows the idiom of openresty, like |
It makes test case #31 happy in |
It works like original C function |
f68dc90
to
cdb745d
Compare
…k:sslhandshake` with FFI This adds support for setting client certificate/private key that will be used later for mutual TLS handshake with a server. Also, the `tcpsock:sslhandshake` implementation has been rewritten to use FFI C API to be more performant and easier to maintain. Also see: openresty/lua-resty-core#278 Co-authored-by: Chrono Law <[email protected]>
…k:sslhandshake` with FFI This adds support for setting client certificate/private key that will be used later for mutual TLS handshake with a server. Also, the `tcpsock:sslhandshake` implementation has been rewritten to use FFI C API to be more performant and easier to maintain. Also see: openresty/lua-resty-core#278 Co-authored-by: Chrono Law <[email protected]>
…sslhandshake` with FFI This adds support for setting client certificate/private key that will be used later for mutual TLS handshake with a server. Also, the `tcpsock:sslhandshake` implementation has been rewritten to use FFI C API to be more performant and easier to maintain. Also see: openresty/lua-nginx-module#1602 Co-authored-by: Chrono Law <[email protected]>
cdb745d
to
68bf4bf
Compare
@zhuizhuhaomeng Could you please take another look at this PR? It has been rebased and squashed and now passed all CI tests with it's lua-nginx-module counterpart. |
…k:sslhandshake` with FFI This adds support for setting client certificate/private key that will be used later for mutual TLS handshake with a server. Also, the `tcpsock:sslhandshake` implementation has been rewritten to use FFI C API to be more performant and easier to maintain. Also see: openresty/lua-resty-core#278 Co-authored-by: Chrono Law <[email protected]>
merged with the following patch
|
functions using FFI.
I hereby granted the copyright of the changes in this pull request
to the authors of this lua-resty-core project.
Sister PR: openresty/lua-nginx-module#1602
Note that stream support is intentionally omitted in this PR to keep the size down. I will help porting this over to stream after it is merged.