
Commit 489bcce

committed
feature: TCP cosocket client certificate support. closes openresty#534
1 parent e3d84b5 commit 489bcce

8 files changed

+732
-8
lines changed

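--- a/src/ngx_http_lua_socket_tcp.c
+++ b/src/ngx_http_lua_socket_tcp.c
@@ -22,7 +22,6 @@
 static int ngx_http_lua_socket_tcp(lua_State *L);
 static int ngx_http_lua_socket_tcp_connect(lua_State *L);
 #if (NGX_HTTP_SSL)
-static int ngx_http_lua_socket_tcp_sslhandshake(lua_State *L);
 static void ngx_http_lua_tls_handshake_handler(ngx_connection_t *c);
 static int ngx_http_lua_tls_handshake_retval_handler(ngx_http_request_t *r,
 ngx_http_lua_socket_tcp_upstream_t *u, lua_State *L);
@@ -213,9 +212,6 @@ static char ngx_http_lua_upstream_udata_metatable_key;
 static char ngx_http_lua_downstream_udata_metatable_key;
 static char ngx_http_lua_pool_udata_metatable_key;
 static char ngx_http_lua_pattern_udata_metatable_key;
-#if (NGX_HTTP_SSL)
-static char ngx_http_lua_ssl_session_metatable_key;
-#endif
 
 
 void
@@ -1535,13 +1531,16 @@ int
 ngx_http_lua_ffi_socket_tcp_tlshandshake(ngx_http_request_t *r,
 ngx_http_lua_socket_tcp_upstream_t *u, ngx_ssl_session_t *sess,
 int enable_session_reuse, ngx_str_t *server_name, int verify,
-int ocsp_status_req, const char **errmsg)
+int ocsp_status_req, STACK_OF(X509) *chain, EVP_PKEY *pkey,
+const char **errmsg)
 {
-ngx_int_t rc;
+ngx_int_t rc, i;
 ngx_connection_t *c;
 ngx_http_lua_ctx_t *ctx;
 ngx_http_lua_co_ctx_t *coctx;
 const char *busy_rc;
+ngx_ssl_conn_t *ssl_conn;
+X509 *x509;
 
 ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
 "lua tcp socket tls handshake");
@@ -1597,6 +1596,8 @@ ngx_http_lua_ffi_socket_tcp_tlshandshake(ngx_http_request_t *r,
 return NGX_ERROR;
 }
 
+ssl_conn = c->ssl->connection;
+
 ctx = ngx_http_get_module_ctx(r, ngx_http_lua_module);
 if (ctx == NULL) {
 return NGX_HTTP_LUA_FFI_NO_REQ_CTX;
@@ -1619,6 +1620,53 @@ ngx_http_lua_ffi_socket_tcp_tlshandshake(ngx_http_request_t *r,
 u->ssl_session_reuse = enable_session_reuse;
 }
 
+if (chain != NULL) {
+ngx_http_lua_assert(pkey != NULL); /* ensured by resty.core */
+
+if (sk_X509_num(chain) < 1) {
+ERR_clear_error();
+*errmsg = "invalid client certificate chain";
+return NGX_ERROR;
+}
+
+x509 = sk_X509_value(chain, 0);
+if (x509 == NULL) {
+ERR_clear_error();
+*errmsg = "lua tls fetch client certificate from chain failed";
+return NGX_ERROR;
+}
+
+if (SSL_use_certificate(ssl_conn, x509) == 0) {
+ERR_clear_error();
+*errmsg = "lua tls set client certificate failed";
+return NGX_ERROR;
+}
+
+/* read rest of the chain */
+
+for (i = 1; i < sk_X509_num(chain); i++) {
+x509 = sk_X509_value(chain, i);
+if (x509 == NULL) {
+ERR_clear_error();
+*errmsg = "lua tls fetch client intermediate certificate "
+"from chain failed";
+return NGX_ERROR;
+}
+
+if (SSL_add1_chain_cert(ssl_conn, x509) == 0) {
+ERR_clear_error();
+*errmsg = "lua tls set client intermediate certificate failed";
+return NGX_ERROR;
+}
+}
+
+if (SSL_use_PrivateKey(ssl_conn, pkey) == 0) {
+ERR_clear_error();
+*errmsg = "lua ssl set client private key failed";
+return NGX_ERROR;
+}
+}
+
 if (server_name != NULL && server_name->data != NULL) {
 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
 "lua tls server name: \"%V\"", server_name);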
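Review bot: Every failure path in the new `if (chain != NULL)` block calls `ERR_clear_error()` before returning, so the OpenSSL reason for a rejected certificate or a key that does not match it (`SSL_use_certificate`, `SSL_add1_chain_cert`, `SSL_use_PrivateKey` all leave the detail on the error queue) is discarded and the caller only ever sees the generic message; logging the queue first, e.g. `ngx_ssl_error(NGX_LOG_ERR, r->connection->log, 0, "SSL_use_PrivateKey() failed");` before the clear, would make a misconfigured client certificate diagnosable from the error log. The message `"lua ssl set client private key failed"` is also the one message in the block that says "ssl" where its siblings say "tls"; `"lua tls set client private key failed"` keeps them consistent. As a minor point, `sk_X509_num(chain)` is re-evaluated on every iteration of the `for` loop and could be read once into a local next to the `< 1` check. Note that when `pkey` is passed without `chain` it is silently ignored, since only `chain != NULL` is tested; if resty.core guarantees that pairing, a comment saying so next to the assert would help. ngx_http_lua_ffi_socket_tcp_tlshandshake continues past the end of this hunk.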
