Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feature: add function tcpsock:setclientcert, reimplemented tcpsock:sslhandshake with FFI. #278

Closed
wants to merge 1 commit into from

Conversation

dndx
Copy link
Member

@dndx dndx commented Sep 18, 2019

functions using FFI.

I hereby granted the copyright of the changes in this pull request
to the authors of this lua-resty-core project.

Sister PR: openresty/lua-nginx-module#1602

Note that stream support is intentionally omitted in this PR to keep the size down. I will help porting this over to stream after it is merged.

lib/resty/core/socket_tcp.lua Outdated Show resolved Hide resolved
lib/resty/core/socket_tcp.lua Outdated Show resolved Hide resolved
Copy link
Member

@thibaultcha thibaultcha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple of comments to get your thoughts @dndx; I have a local branch in which I already made edits that I would like to suggest in this PR, maybe as a new commit that we can squash at merge time, if that sounds good to you.

lib/resty/core/socket_tcp.lua Outdated Show resolved Hide resolved
lib/resty/core/socket_tcp.lua Outdated Show resolved Hide resolved
@dndx
Copy link
Member Author

dndx commented Jan 7, 2020

@thibaultcha Squashing at merge sounds good to me :)

README.markdown Outdated Show resolved Hide resolved
@spacewander
Copy link
Member

@dndx
Do you have time to solve the conflict? Thanks!

@dndx
Copy link
Member Author

dndx commented Nov 23, 2020

@spacewander not a problem, I will resolve it today!

end

sock.tlshandshake = tlshandshake
sock.sslhandshake = sslhandshake
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dndx I think it's better to move this module into this file? we can save two set field operations then.
https://github.com/openresty/lua-resty-core/blob/master/lib/resty/core/socket.lua

@agentzh
Copy link
Member

agentzh commented Dec 15, 2020

It's confusing to have both tlshandshake and sslhandshake.

@chronolaw chronolaw force-pushed the feat/cosocket_tlshandshake branch 11 times, most recently from a4acb9c to 00361a0 Compare March 4, 2022 08:39
@zhuizhuhaomeng
Copy link
Contributor

@chronolaw would you please rebase to the master ?

local openssl_error_code = ffi_new("int[1]")


local function setclientcert(cosocket, cert, pkey)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
local function setclientcert(cosocket, cert, pkey)
local function set_client_cert(cosocket, cert, pkey)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is to keep the style consistent with existing cosocket API function names. e.g. tcpsock:getreusedtimes

lib/resty/core/socket.lua Outdated Show resolved Hide resolved
lib/resty/core/socket.lua Outdated Show resolved Hide resolved
Comment on lines 185 to 189
local n = select("#", ...)
if not cosocket or n > 1 then
error("ngx.socket sslhandshake: expecting 1 ~ 5 arguments " ..
"(including the object), but seen " .. (cosocket and 5 + n or 0))
end
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
local n = select("#", ...)
if not cosocket or n > 1 then
error("ngx.socket sslhandshake: expecting 1 ~ 5 arguments " ..
"(including the object), but seen " .. (cosocket and 5 + n or 0))
end

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we need this test.
And if you want to test the number, it is
if not cosocket or n > 0

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@chronolaw I think @zhuizhuhaomeng is correct here. Since the Lua implementation of sslhandshake already takes 5 arguments, it will be incorrect to check not cosocket or n > 1 as that indicates there are 7 arguments passed. It should be not cosocket or n > 0 instead.

end

if session_ptr[0] == nil then
return nil
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should return the error at the same time

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See my reviews, I think we can remove this if session_ptr[0] == nil then branch altogether and keep only the assert below.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, I had a closer look at this logic compared to https://github.com/openresty/lua-nginx-module/blob/master/src/ngx_http_lua_socket_tcp.c#L1935-L1956. The issue is that:

In the original C implementation, when the server did not turn on session reuse, the sslhandshake function returned a lightuserdata that is NULL and did not set the __gc meta method on it. This is different than returning a Lua nil value which indicates an error.

Therefore, we should mimic this behavior by returning the session_ptr[0] cdata directly and not call ffi.gc on it. From the user's perspective, the handshake is still a success.

@dndx dndx changed the title feature: implement the tcpsock:tlshandshake and tcpsock:sslhandshake feature: add function tcpsock:setclientcert, reimplemented tcpsock:sslhandshake with FFI. Mar 5, 2022
@chronolaw
Copy link
Contributor

It just follows the idiom of openresty, like settimeout sslhandshake, these APIs don't use '_'.
#278 (comment)

@chronolaw
Copy link
Contributor

It makes test case #31 happy in 129-ssl-socket.t of lua-nginx-module.

#278 (comment)

@chronolaw
Copy link
Contributor

It works like original C function ngx_http_lua_ssl_handshake_retval_handler in ngx_http_lua_socket_tcp.c, just for compatibility.

#278 (comment)

@dndx dndx force-pushed the feat/cosocket_tlshandshake branch from f68dc90 to cdb745d Compare March 7, 2022 05:00
dndx added a commit to dndx/lua-nginx-module that referenced this pull request Mar 7, 2022
…k:sslhandshake` with FFI

This adds support for setting client certificate/private key that will be used later
for mutual TLS handshake with a server. Also, the `tcpsock:sslhandshake`
implementation has been rewritten to use FFI C API to be more performant
and easier to maintain.

Also see: openresty/lua-resty-core#278

Co-authored-by: Chrono Law <[email protected]>
dndx added a commit to dndx/lua-nginx-module that referenced this pull request Mar 7, 2022
…k:sslhandshake` with FFI

This adds support for setting client certificate/private key that will be used later
for mutual TLS handshake with a server. Also, the `tcpsock:sslhandshake`
implementation has been rewritten to use FFI C API to be more performant
and easier to maintain.

Also see: openresty/lua-resty-core#278

Co-authored-by: Chrono Law <[email protected]>
…sslhandshake` with FFI

This adds support for setting client certificate/private key that will be used later
for mutual TLS handshake with a server. Also, the `tcpsock:sslhandshake`
implementation has been rewritten to use FFI C API to be more performant
and easier to maintain.

Also see: openresty/lua-nginx-module#1602

Co-authored-by: Chrono Law <[email protected]>
@dndx
Copy link
Member Author

dndx commented Mar 7, 2022

@zhuizhuhaomeng Could you please take another look at this PR? It has been rebased and squashed and now passed all CI tests with it's lua-nginx-module counterpart.

dndx added a commit to dndx/lua-nginx-module that referenced this pull request Mar 13, 2022
…k:sslhandshake` with FFI

This adds support for setting client certificate/private key that will be used later
for mutual TLS handshake with a server. Also, the `tcpsock:sslhandshake`
implementation has been rewritten to use FFI C API to be more performant
and easier to maintain.

Also see: openresty/lua-resty-core#278

Co-authored-by: Chrono Law <[email protected]>
@zhuizhuhaomeng
Copy link
Contributor

merged with the following patch

--- a/.travis.yml
+++ b/.travis.yml
@@ -65,7 +65,7 @@ install:
   - git clone https://github.com/openresty/openresty.git ../openresty
   - git clone https://github.com/openresty/openresty-devel-utils.git
   - git clone https://github.com/simpl/ngx_devel_kit.git ../ndk-nginx-module
-  - git clone -b feat/cosocket_tlshandshake https://github.com/dndx/lua-nginx-module.git ../lua-nginx-module
+  - git clone https://github.com/dndx/lua-nginx-module.git ../lua-nginx-module
   - git clone https://github.com/openresty/no-pool-nginx.git ../no-pool-nginx
   - git clone https://github.com/openresty/echo-nginx-module.git ../echo-nginx-module
   - git clone https://github.com/openresty/lua-resty-lrucache.git

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants