
Commit d618c47

committedJan 7, 2020
cleanup
1 parent f995b2e commit d618c47


2 files changed

+78
-113
lines changed

 

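--- a/src/ngx_http_lua_socket_tcp.c
+++ b/src/ngx_http_lua_socket_tcp.c
@@ -1527,6 +1527,7 @@ ngx_http_lua_socket_tcp_check_busy(ngx_http_request_t *r,
 return NULL;
 }
 
+
 int
 ngx_http_lua_ffi_socket_tcp_tlshandshake(ngx_http_request_t *r,
 ngx_http_lua_socket_tcp_upstream_t *u, ngx_ssl_session_t *sess,
@@ -1568,7 +1569,7 @@ ngx_http_lua_ffi_socket_tcp_tlshandshake(ngx_http_request_t *r,
 }
 
 if (u->raw_downstream || u->body_downstream) {
-*errmsg = "not supported for downstream";
+*errmsg = "not supported for downstream sockets";
 return NGX_ERROR;
 }
 
@@ -1609,7 +1610,7 @@ ngx_http_lua_ffi_socket_tcp_tlshandshake(ngx_http_request_t *r,
 
 if (sess != NULL) {
 if (ngx_ssl_set_session(c, sess) != NGX_OK) {
-*errmsg = "lua tls set session failed";
+*errmsg = "tls set session failed";
 return NGX_ERROR;
 }
 
@@ -1632,13 +1633,13 @@ ngx_http_lua_ffi_socket_tcp_tlshandshake(ngx_http_request_t *r,
 x509 = sk_X509_value(chain, 0);
 if (x509 == NULL) {
 ERR_clear_error();
-*errmsg = "lua tls fetch client certificate from chain failed";
+*errmsg = "tls fetch client certificate from chain failed";
 return NGX_ERROR;
 }
 
 if (SSL_use_certificate(ssl_conn, x509) == 0) {
 ERR_clear_error();
-*errmsg = "lua tls set client certificate failed";
+*errmsg = "tls set client certificate failed";
 return NGX_ERROR;
 }
 
@@ -1648,21 +1649,21 @@ ngx_http_lua_ffi_socket_tcp_tlshandshake(ngx_http_request_t *r,
 x509 = sk_X509_value(chain, i);
 if (x509 == NULL) {
 ERR_clear_error();
-*errmsg = "lua tls fetch client intermediate certificate "
-"from chain failed";
+*errmsg = "tls fetch client intermediate certificate from "
+"chain failed";
 return NGX_ERROR;
 }
 
 if (SSL_add1_chain_cert(ssl_conn, x509) == 0) {
 ERR_clear_error();
-*errmsg = "lua tls set client intermediate certificate failed";
+*errmsg = "tls set client intermediate certificate failed";
 return NGX_ERROR;
 }
 }
 
 if (SSL_use_PrivateKey(ssl_conn, pkey) == 0) {
 ERR_clear_error();
-*errmsg = "lua ssl set client private key failed";
+*errmsg = "tls set client private key failed";
 return NGX_ERROR;
 }
 }
@@ -1681,7 +1682,7 @@ ngx_http_lua_ffi_socket_tcp_tlshandshake(ngx_http_request_t *r,
 }
 
 #else
-*errmsg = "OpenSSL has no SNI support";
+*errmsg = "no TLS extension support";
 return NGX_ERROR;
 #endif
 }
@@ -1724,7 +1725,6 @@ ngx_http_lua_ffi_socket_tcp_tlshandshake(ngx_http_request_t *r,
 u->ssl_name.data = ngx_alloc(server_name->len, ngx_cycle->log);
 if (u->ssl_name.data == NULL) {
 u->ssl_name.len = 0;
-
 *errmsg = "no memory";
 return NGX_ERROR;
 }
@@ -1745,7 +1745,7 @@ ngx_http_lua_ffi_socket_tcp_tlshandshake(ngx_http_request_t *r,
 rc = ngx_ssl_handshake(c);
 
 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
-"ngx_ssl_handshake returned %d", rc);
+"ngx_ssl_handshake returned: %d", rc);
 
 if (rc == NGX_AGAIN) {
 if (c->write->timer_set) {
@@ -1777,7 +1777,6 @@ ngx_http_lua_ffi_socket_tcp_tlshandshake(ngx_http_request_t *r,
 
 if (rc == NGX_ERROR) {
 *errmsg = u->error_ret;
-
 return NGX_ERROR;
 }
 
@@ -1891,7 +1890,6 @@ ngx_http_lua_tls_handshake_handler(ngx_connection_t *c)
 }
 
 
-
 int
 ngx_http_lua_ffi_socket_tcp_get_tlshandshake_result(ngx_http_request_t *r,
 ngx_http_lua_socket_tcp_upstream_t *u, ngx_ssl_session_t **sess,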
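Review bot: In the client-certificate failure branches of the fourth and fifth hunks (after `sk_X509_value`, `SSL_use_certificate`, `SSL_add1_chain_cert` and `SSL_use_PrivateKey`), `ERR_clear_error()` runs before the generic `*errmsg` is assigned, so the OpenSSL reason code explaining why the certificate or key was rejected is discarded before anything can log it, and an operator diagnosing an mTLS misconfiguration sees only "tls set client certificate failed". Unless the caller reports the queue elsewhere, consider draining it through the nginx logger first, e.g. `ngx_ssl_error(NGX_LOG_ERR, r->connection->log, 0, "SSL_use_certificate() failed");` (which also empties the queue, making the explicit clear redundant), or add a comment stating that the underlying cause is intentionally dropped. The enclosing function ngx_http_lua_ffi_socket_tcp_tlshandshake starts in the first hunk and its body continues outside the visible hunks.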

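--- a/t/162-socket-tls-handshake.t
+++ b/t/162-socket-tls-handshake.t
@@ -6,13 +6,8 @@ repeat_each(2);
 
 plan tests => repeat_each() * 42;
 
-$ENV{TEST_NGINX_HTML_DIR} ||= html_dir();
-
-$ENV{TEST_NGINX_MEMCACHED_PORT} ||= 11211;
 $ENV{TEST_NGINX_RESOLVER} ||= '8.8.8.8';
-$ENV{TEST_NGINX_SERVER_SSL_PORT} ||= 12345;
 
-#log_level 'warn';
 log_level 'debug';
 
 no_long_string();
@@ -27,11 +22,6 @@ sub read_file {
 $cert;
 }
 
-our $DSTRootCertificate = read_file("t/cert/dst-ca.crt");
-our $EquifaxRootCertificate = read_file("t/cert/equifax.crt");
-our $TestCertificate = read_file("t/cert/test.crt");
-our $TestCertificateKey = read_file("t/cert/test.key");
-our $TestCRL = read_file("t/cert/test.crl");
 our $MTLSCA = read_file("t/cert/mtls_ca.crt");
 our $MTLSClient = read_file("t/cert/mtls_client.crt");
 our $MTLSClientKey = read_file("t/cert/mtls_client.key");
@@ -44,12 +34,11 @@ our $mtls_http_config = <<"_EOC_";
 server {
 listen unix:$::HtmlDir/mtls.sock ssl;
 
-ssl_certificate $::HtmlDir/mtls_server.crt;
-ssl_certificate_key $::HtmlDir/mtls_server.key;
-
+ssl_certificate $::HtmlDir/mtls_server.crt;
+ssl_certificate_key $::HtmlDir/mtls_server.key;
 ssl_client_certificate $::HtmlDir/mtls_ca.crt;
-ssl_verify_client on;
-server_tokens off;
+ssl_verify_client on;
+server_tokens off;
 
 location / {
 return 200 "hello, \$ssl_client_s_dn";
@@ -78,10 +67,8 @@ __DATA__
 --- config
 server_tokens off;
 resolver $TEST_NGINX_RESOLVER ipv6=off;
-location /t {
-#set $port 5000;
-set $port $TEST_NGINX_MEMCACHED_PORT;
 
+location /t {
 content_by_lua_block {
 -- avoid flushing google in "check leak" testing mode:
 local counter = package.loaded.counter
@@ -92,11 +79,13 @@ __DATA__
 else
 counter = counter + 1
 end
+
 package.loaded.counter = counter
 
 do
 local sock = ngx.socket.tcp()
 sock:settimeout(2000)
+
 local ok, err = sock:connect("www.google.com", 443)
 if not ok then
 ngx.say("failed to connect: ", err)
@@ -133,10 +122,10 @@ __DATA__
 local ok, err = sock:close()
 ngx.say("close: ", ok, " ", err)
 end -- do
+
 collectgarbage()
 }
 }
-
 --- request
 GET /t
 --- response_body_like chop
@@ -162,12 +151,9 @@ SSL reused session
 
 === TEST 2: bad options table
 --- config
-server_tokens off;
 resolver $TEST_NGINX_RESOLVER ipv6=off;
-location /t {
-#set $port 5000;
-set $port $TEST_NGINX_MEMCACHED_PORT;
 
+location /t {
 content_by_lua_block {
 local sock = ngx.socket.tcp()
 sock:settimeout(7000)
@@ -183,24 +169,21 @@ SSL reused session
 local session, err = sock:tlshandshake("foo")
 }
 }
-
 --- request
 GET /t
 --- ignore_response
 --- error_log eval
-qr/\[error\] .* bad options table type/
+qr/\[error\] .* bad options arg: table expected/
 --- no_error_log
 [alert]
 --- timeout: 10
 
 
 
-=== TEST 3: mutual TLS handshake, upstream is not accessible without client certs
+=== TEST 3: mutual TLS handshake, upstream is not accessible without client certs (no options table)
 --- http_config eval: $::mtls_http_config
 --- config eval
 "
-server_tokens off;
-
 location /t {
 content_by_lua_block {
 local sock = ngx.socket.tcp()
@@ -229,7 +212,6 @@ qr/\[error\] .* bad options table type/
 }
 }
 "
-
 --- user_files eval: $::mtls_user_files
 --- request
 GET /t
@@ -242,12 +224,54 @@ GET /t
 
 
 
-=== TEST 4: mutual TLS handshake, upstream is accessible when client certs are supplied
+=== TEST 4: mutual TLS handshake, upstream is not accessible without client certs (empty options table)
 --- http_config eval: $::mtls_http_config
 --- config eval
 "
-server_tokens off;
+location /t {
+content_by_lua_block {
+local sock = ngx.socket.tcp()
+local ok, err = sock:connect('unix:$::HtmlDir/mtls.sock')
+if not ok then
+ngx.say('failed to connect: ', err)
+end
+
+assert(sock:tlshandshake({}))
+
+ngx.say('connected: ', ok)
+
+local req = 'GET /\\r\\n'
 
+local bytes, err = sock:send(req)
+if not bytes then
+ngx.say('failed to send request: ', err)
+return
+end
+
+ngx.say('request sent: ', bytes)
+
+ngx.say(sock:receive('*a'))
+
+assert(sock:close())
+}
+}
+"
+--- user_files eval: $::mtls_user_files
+--- request
+GET /t
+--- response_body_like: 400 No required SSL certificate was sent
+--- no_error_log
+[alert]
+[error]
+[crit]
+[emerg]
+
+
+
+=== TEST 5: mutual TLS handshake, upstream is accessible with client certs
+--- http_config eval: $::mtls_http_config
+--- config eval
+"
 location /t {
 content_by_lua_block {
 local sock = ngx.socket.tcp()
@@ -269,7 +293,7 @@ GET /t
 local chain = assert(ssl.parse_pem_cert(cert_data))
 local priv = assert(ssl.parse_pem_priv_key(key_data))
 
-assert(sock:tlshandshake({ client_cert = chain, client_priv_key = priv, }))
+assert(sock:tlshandshake({ client_cert = chain, client_priv_key = priv }))
 
 ngx.say('connected: ', ok)
 
@@ -289,7 +313,6 @@ GET /t
 }
 }
 "
-
 --- user_files eval: $::mtls_user_files
 --- request
 GET /t
@@ -305,27 +328,24 @@ hello, CN=foo@example.com,O=OpenResty,ST=California,C=US
 
 
 
-=== TEST 5: incorrect type of client cert
+=== TEST 6: incorrect type of client cert
 --- config
-server_tokens off;
-
 location /t {
 content_by_lua_block {
 local sock = ngx.socket.tcp()
-local ok, err = sock:connect('127.0.0.1', ngx.var.server_port)
+local ok, err = sock:connect("127.0.0.1", ngx.var.server_port)
 if not ok then
-ngx.say('failed to connect: ', err)
+ngx.say("failed to connect: ", err)
 end
 
-ok, err = sock:tlshandshake({ client_cert = "doesnt", client_priv_key = "work", })
+ok, err = sock:tlshandshake({ client_cert = "doesnt", client_priv_key = "work" })
 if not ok then
-ngx.say('failed to handshake: ', err)
+ngx.say("failed to handshake: ", err)
 end
 
 assert(sock:close())
 }
 }
-
 --- request
 GET /t
 --- error_code: 500
@@ -334,15 +354,13 @@ GET /t
 [crit]
 [emerg]
 --- error_log
-wrong type of client certificate or private key supplied
+bad client_cert option type
 
 
 
-=== TEST 6: incorrect type of client key
+=== TEST 7: incorrect type of client key
 --- config eval
 "
-server_tokens off;
-
 location /t {
 content_by_lua_block {
 local sock = ngx.socket.tcp()
@@ -359,7 +377,7 @@ wrong type of client certificate or private key supplied
 
 local chain = assert(ssl.parse_pem_cert(cert_data))
 
-ok, err = sock:tlshandshake({ client_cert = chain, client_priv_key = 'work', })
+ok, err = sock:tlshandshake({ client_cert = chain, client_priv_key = 'work' })
 if not ok then
 ngx.say('failed to handshake: ', err)
 end
@@ -368,7 +386,6 @@ wrong type of client certificate or private key supplied
 }
 }
 "
-
 --- user_files eval: $::mtls_user_files
 --- request
 GET /t
@@ -378,15 +395,13 @@ GET /t
 [crit]
 [emerg]
 --- error_log
-wrong type of client certificate or private key supplied
+bad client_priv_key option type
 
 
 
-=== TEST 7: missing private key
+=== TEST 8: missing private key
 --- config eval
 "
-server_tokens off;
-
 location /t {
 content_by_lua_block {
 local sock = ngx.socket.tcp()
@@ -403,7 +418,7 @@ wrong type of client certificate or private key supplied
 
 local chain = assert(ssl.parse_pem_cert(cert_data))
 
-ok, err = sock:tlshandshake({ client_cert = chain, })
+ok, err = sock:tlshandshake({ client_cert = chain })
 if not ok then
 ngx.say('failed to handshake: ', err)
 end
@@ -412,7 +427,6 @@ wrong type of client certificate or private key supplied
 }
 }
 "
-
 --- user_files eval: $::mtls_user_files
 --- request
 GET /t
@@ -423,50 +437,3 @@ GET /t
 [emerg]
 --- error_log
 client certificate supplied without corresponding private key
-
-
-
-=== TEST 8: mutual TLS handshake, upstream is not accessible without empty options table
---- http_config eval: $::mtls_http_config
---- config eval
-"
-server_tokens off;
-
-location /t {
-content_by_lua_block {
-local sock = ngx.socket.tcp()
-local ok, err = sock:connect('unix:$::HtmlDir/mtls.sock')
-if not ok then
-ngx.say('failed to connect: ', err)
-end
-
-assert(sock:tlshandshake({}))
-
-ngx.say('connected: ', ok)
-
-local req = 'GET /\\r\\n'
-
-local bytes, err = sock:send(req)
-if not bytes then
-ngx.say('failed to send request: ', err)
-return
-end
-
-ngx.say('request sent: ', bytes)
-
-ngx.say(sock:receive('*a'))
-
-assert(sock:close())
-}
-}
-"
-
---- user_files eval: $::mtls_user_files
---- request
-GET /t
---- response_body_like: 400 No required SSL certificate was sent
---- no_error_log
-[alert]
-[error]
-[crit]
-[emerg]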
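Review bot: In the relocated TEST 4 body (new lines 235-237 of the `@@ -242,12 +224,54 @@` hunk) the connect-failure branch prints the error but does not return, so if the mTLS unix socket is unavailable the block continues into `assert(sock:tlshandshake({}))` on an unconnected socket and the test fails with a 500 and a Lua traceback instead of the intended "failed to connect" line; the send-failure branch a few lines further down does return. Adding `return` after `ngx.say('failed to connect: ', err)` makes the two branches consistent and keeps the failure diagnosable. The same pattern is visible in the TEST 6 body at new lines 336-339; the connect sections of the other mTLS tests are outside the shown hunks.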
