openresty · Jan 7, 2020
diff --git a/‎src/ngx_http_lua_socket_tcp.c
Lines changed: 11 additions & 13 deletions b/‎src/ngx_http_lua_socket_tcp.c
Lines changed: 11 additions & 13 deletions
diff --git a/‎t/162-socket-tls-handshake.t
Lines changed: 67 additions & 100 deletions b/‎t/162-socket-tls-handshake.t
Lines changed: 67 additions & 100 deletions
@@ -1527,6 +1527,7 @@ ngx_http_lua_socket_tcp_check_busy(ngx_http_request_t *r,
     return NULL;
 }
 
+
 int
 ngx_http_lua_ffi_socket_tcp_tlshandshake(ngx_http_request_t *r,
     ngx_http_lua_socket_tcp_upstream_t *u, ngx_ssl_session_t *sess,
@@ -1568,7 +1569,7 @@ ngx_http_lua_ffi_socket_tcp_tlshandshake(ngx_http_request_t *r,
     }
 
     if (u->raw_downstream || u->body_downstream) {
-        *errmsg = "not supported for downstream";
+        *errmsg = "not supported for downstream sockets";
         return NGX_ERROR;
     }
 
@@ -1609,7 +1610,7 @@ ngx_http_lua_ffi_socket_tcp_tlshandshake(ngx_http_request_t *r,
 
     if (sess != NULL) {
         if (ngx_ssl_set_session(c, sess) != NGX_OK) {
-            *errmsg = "lua tls set session failed";
+            *errmsg = "tls set session failed";
             return NGX_ERROR;
         }
 
@@ -1632,13 +1633,13 @@ ngx_http_lua_ffi_socket_tcp_tlshandshake(ngx_http_request_t *r,
         x509 = sk_X509_value(chain, 0);
         if (x509 == NULL) {
             ERR_clear_error();
-            *errmsg = "lua tls fetch client certificate from chain failed";
+            *errmsg = "tls fetch client certificate from chain failed";
             return NGX_ERROR;
         }
 
         if (SSL_use_certificate(ssl_conn, x509) == 0) {
             ERR_clear_error();
-            *errmsg = "lua tls set client certificate failed";
+            *errmsg = "tls set client certificate failed";
             return NGX_ERROR;
         }
 
@@ -1648,21 +1649,21 @@ ngx_http_lua_ffi_socket_tcp_tlshandshake(ngx_http_request_t *r,
             x509 = sk_X509_value(chain, i);
             if (x509 == NULL) {
                 ERR_clear_error();
-                *errmsg = "lua tls fetch client intermediate certificate "
-                          "from chain failed";
+                *errmsg = "tls fetch client intermediate certificate from "
+                          "chain failed";
                 return NGX_ERROR;
             }
 
             if (SSL_add1_chain_cert(ssl_conn, x509) == 0) {
                 ERR_clear_error();
-                *errmsg = "lua tls set client intermediate certificate failed";
+                *errmsg = "tls set client intermediate certificate failed";
                 return NGX_ERROR;
             }
         }
 
         if (SSL_use_PrivateKey(ssl_conn, pkey) == 0) {
             ERR_clear_error();
-            *errmsg = "lua ssl set client private key failed";
+            *errmsg = "tls set client private key failed";
             return NGX_ERROR;
         }
     }
@@ -1681,7 +1682,7 @@ ngx_http_lua_ffi_socket_tcp_tlshandshake(ngx_http_request_t *r,
         }
 
 #else
-        *errmsg = "OpenSSL has no SNI support";
+        *errmsg = "no TLS extension support";
         return NGX_ERROR;
 #endif
     }
@@ -1724,7 +1725,6 @@ ngx_http_lua_ffi_socket_tcp_tlshandshake(ngx_http_request_t *r,
             u->ssl_name.data = ngx_alloc(server_name->len, ngx_cycle->log);
             if (u->ssl_name.data == NULL) {
                 u->ssl_name.len = 0;
-
                 *errmsg = "no memory";
                 return NGX_ERROR;
             }
@@ -1745,7 +1745,7 @@ ngx_http_lua_ffi_socket_tcp_tlshandshake(ngx_http_request_t *r,
     rc = ngx_ssl_handshake(c);
 
     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
-                   "ngx_ssl_handshake returned %d", rc);
+                   "ngx_ssl_handshake returned: %d", rc);
 
     if (rc == NGX_AGAIN) {
         if (c->write->timer_set) {
@@ -1777,7 +1777,6 @@ ngx_http_lua_ffi_socket_tcp_tlshandshake(ngx_http_request_t *r,
 
     if (rc == NGX_ERROR) {
         *errmsg = u->error_ret;
-
         return NGX_ERROR;
     }
 
@@ -1891,7 +1890,6 @@ ngx_http_lua_tls_handshake_handler(ngx_connection_t *c)
 }
 
 
-
 int
 ngx_http_lua_ffi_socket_tcp_get_tlshandshake_result(ngx_http_request_t *r,
     ngx_http_lua_socket_tcp_upstream_t *u, ngx_ssl_session_t **sess,
 
@@ -6,13 +6,8 @@ repeat_each(2);
 
 plan tests => repeat_each() * 42;
 
-$ENV{TEST_NGINX_HTML_DIR} ||= html_dir();
-
-$ENV{TEST_NGINX_MEMCACHED_PORT} ||= 11211;
 $ENV{TEST_NGINX_RESOLVER} ||= '8.8.8.8';
-$ENV{TEST_NGINX_SERVER_SSL_PORT} ||= 12345;
 
-#log_level 'warn';
 log_level 'debug';
 
 no_long_string();
@@ -27,11 +22,6 @@ sub read_file {
     $cert;
 }
 
-our $DSTRootCertificate = read_file("t/cert/dst-ca.crt");
-our $EquifaxRootCertificate = read_file("t/cert/equifax.crt");
-our $TestCertificate = read_file("t/cert/test.crt");
-our $TestCertificateKey = read_file("t/cert/test.key");
-our $TestCRL = read_file("t/cert/test.crl");
 our $MTLSCA = read_file("t/cert/mtls_ca.crt");
 our $MTLSClient = read_file("t/cert/mtls_client.crt");
 our $MTLSClientKey = read_file("t/cert/mtls_client.key");
@@ -44,12 +34,11 @@ our $mtls_http_config = <<"_EOC_";
 server {
     listen unix:$::HtmlDir/mtls.sock ssl;
 
-    ssl_certificate      $::HtmlDir/mtls_server.crt;
-    ssl_certificate_key  $::HtmlDir/mtls_server.key;
-
+    ssl_certificate        $::HtmlDir/mtls_server.crt;
+    ssl_certificate_key    $::HtmlDir/mtls_server.key;
     ssl_client_certificate $::HtmlDir/mtls_ca.crt;
-    ssl_verify_client on;
-    server_tokens off;
+    ssl_verify_client      on;
+    server_tokens          off;
 
     location / {
         return 200 "hello, \$ssl_client_s_dn";
@@ -78,10 +67,8 @@ __DATA__
 --- config
     server_tokens off;
     resolver $TEST_NGINX_RESOLVER ipv6=off;
-    location /t {
-        #set $port 5000;
-        set $port $TEST_NGINX_MEMCACHED_PORT;
 
+    location /t {
         content_by_lua_block {
             -- avoid flushing google in "check leak" testing mode:
             local counter = package.loaded.counter
@@ -92,11 +79,13 @@ __DATA__
             else
                 counter = counter + 1
             end
+
             package.loaded.counter = counter
 
             do
                 local sock = ngx.socket.tcp()
                 sock:settimeout(2000)
+
                 local ok, err = sock:connect("www.google.com", 443)
                 if not ok then
                     ngx.say("failed to connect: ", err)
@@ -133,10 +122,10 @@ __DATA__
                 local ok, err = sock:close()
                 ngx.say("close: ", ok, " ", err)
             end  -- do
+
             collectgarbage()
         }
     }
-
 --- request
 GET /t
 --- response_body_like chop
@@ -162,12 +151,9 @@ SSL reused session
 
 === TEST 2: bad options table
 --- config
-    server_tokens off;
     resolver $TEST_NGINX_RESOLVER ipv6=off;
-    location /t {
-        #set $port 5000;
-        set $port $TEST_NGINX_MEMCACHED_PORT;
 
+    location /t {
         content_by_lua_block {
             local sock = ngx.socket.tcp()
             sock:settimeout(7000)
@@ -183,24 +169,21 @@ SSL reused session
             local session, err = sock:tlshandshake("foo")
         }
     }
-
 --- request
 GET /t
 --- ignore_response
 --- error_log eval
-qr/\[error\] .* bad options table type/
+qr/\[error\] .* bad options arg: table expected/
 --- no_error_log
 [alert]
 --- timeout: 10
 
 
 
-=== TEST 3: mutual TLS handshake, upstream is not accessible without client certs
+=== TEST 3: mutual TLS handshake, upstream is not accessible without client certs (no options table)
 --- http_config eval: $::mtls_http_config
 --- config eval
 "
-    server_tokens off;
-
     location /t {
         content_by_lua_block {
             local sock = ngx.socket.tcp()
@@ -229,7 +212,6 @@ qr/\[error\] .* bad options table type/
         }
     }
 "
-
 --- user_files eval: $::mtls_user_files
 --- request
 GET /t
@@ -242,12 +224,54 @@ GET /t
 
 
 
-=== TEST 4: mutual TLS handshake, upstream is accessible when client certs are supplied
+=== TEST 4: mutual TLS handshake, upstream is not accessible without client certs (empty options table)
 --- http_config eval: $::mtls_http_config
 --- config eval
 "
-    server_tokens off;
+    location /t {
+        content_by_lua_block {
+            local sock = ngx.socket.tcp()
+            local ok, err = sock:connect('unix:$::HtmlDir/mtls.sock')
+            if not ok then
+                ngx.say('failed to connect: ', err)
+            end
+
+            assert(sock:tlshandshake({}))
+
+            ngx.say('connected: ', ok)
+
+            local req = 'GET /\\r\\n'
 
+            local bytes, err = sock:send(req)
+            if not bytes then
+                ngx.say('failed to send request: ', err)
+                return
+            end
+
+            ngx.say('request sent: ', bytes)
+
+            ngx.say(sock:receive('*a'))
+
+            assert(sock:close())
+        }
+    }
+"
+--- user_files eval: $::mtls_user_files
+--- request
+GET /t
+--- response_body_like: 400 No required SSL certificate was sent
+--- no_error_log
+[alert]
+[error]
+[crit]
+[emerg]
+
+
+
+=== TEST 5: mutual TLS handshake, upstream is accessible with client certs
+--- http_config eval: $::mtls_http_config
+--- config eval
+"
     location /t {
         content_by_lua_block {
             local sock = ngx.socket.tcp()
@@ -269,7 +293,7 @@ GET /t
             local chain = assert(ssl.parse_pem_cert(cert_data))
             local priv = assert(ssl.parse_pem_priv_key(key_data))
 
-            assert(sock:tlshandshake({ client_cert = chain, client_priv_key = priv, }))
+            assert(sock:tlshandshake({ client_cert = chain, client_priv_key = priv }))
 
             ngx.say('connected: ', ok)
 
@@ -289,7 +313,6 @@ GET /t
         }
     }
 "
-
 --- user_files eval: $::mtls_user_files
 --- request
 GET /t
@@ -305,27 +328,24 @@ hello, CN=foo@example.com,O=OpenResty,ST=California,C=US
 
 
 
-=== TEST 5: incorrect type of client cert
+=== TEST 6: incorrect type of client cert
 --- config
-    server_tokens off;
-
     location /t {
         content_by_lua_block {
             local sock = ngx.socket.tcp()
-            local ok, err = sock:connect('127.0.0.1', ngx.var.server_port)
+            local ok, err = sock:connect("127.0.0.1", ngx.var.server_port)
             if not ok then
-                ngx.say('failed to connect: ', err)
+                ngx.say("failed to connect: ", err)
             end
 
-            ok, err = sock:tlshandshake({ client_cert = "doesnt", client_priv_key = "work", })
+            ok, err = sock:tlshandshake({ client_cert = "doesnt", client_priv_key = "work" })
             if not ok then
-                ngx.say('failed to handshake: ', err)
+                ngx.say("failed to handshake: ", err)
             end
 
             assert(sock:close())
         }
     }
-
 --- request
 GET /t
 --- error_code: 500
@@ -334,15 +354,13 @@ GET /t
 [crit]
 [emerg]
 --- error_log
-wrong type of client certificate or private key supplied
+bad client_cert option type
 
 
 
-=== TEST 6: incorrect type of client key
+=== TEST 7: incorrect type of client key
 --- config eval
 "
-    server_tokens off;
-
     location /t {
         content_by_lua_block {
             local sock = ngx.socket.tcp()
@@ -359,7 +377,7 @@ wrong type of client certificate or private key supplied
 
             local chain = assert(ssl.parse_pem_cert(cert_data))
 
-            ok, err = sock:tlshandshake({ client_cert = chain, client_priv_key = 'work', })
+            ok, err = sock:tlshandshake({ client_cert = chain, client_priv_key = 'work' })
             if not ok then
                 ngx.say('failed to handshake: ', err)
             end
@@ -368,7 +386,6 @@ wrong type of client certificate or private key supplied
         }
     }
 "
-
 --- user_files eval: $::mtls_user_files
 --- request
 GET /t
@@ -378,15 +395,13 @@ GET /t
 [crit]
 [emerg]
 --- error_log
-wrong type of client certificate or private key supplied
+bad client_priv_key option type
 
 
 
-=== TEST 7: missing private key
+=== TEST 8: missing private key
 --- config eval
 "
-    server_tokens off;
-
     location /t {
         content_by_lua_block {
             local sock = ngx.socket.tcp()
@@ -403,7 +418,7 @@ wrong type of client certificate or private key supplied
 
             local chain = assert(ssl.parse_pem_cert(cert_data))
 
-            ok, err = sock:tlshandshake({ client_cert = chain, })
+            ok, err = sock:tlshandshake({ client_cert = chain })
             if not ok then
                 ngx.say('failed to handshake: ', err)
             end
@@ -412,7 +427,6 @@ wrong type of client certificate or private key supplied
         }
     }
 "
-
 --- user_files eval: $::mtls_user_files
 --- request
 GET /t
@@ -423,50 +437,3 @@ GET /t
 [emerg]
 --- error_log
 client certificate supplied without corresponding private key
-
-
-
-=== TEST 8: mutual TLS handshake, upstream is not accessible without empty options table
---- http_config eval: $::mtls_http_config
---- config eval
-"
-    server_tokens off;
-
-    location /t {
-        content_by_lua_block {
-            local sock = ngx.socket.tcp()
-            local ok, err = sock:connect('unix:$::HtmlDir/mtls.sock')
-            if not ok then
-                ngx.say('failed to connect: ', err)
-            end
-
-            assert(sock:tlshandshake({}))
-
-            ngx.say('connected: ', ok)
-
-            local req = 'GET /\\r\\n'
-
-            local bytes, err = sock:send(req)
-            if not bytes then
-                ngx.say('failed to send request: ', err)
-                return
-            end
-
-            ngx.say('request sent: ', bytes)
-
-            ngx.say(sock:receive('*a'))
-
-            assert(sock:close())
-        }
-    }
-"
-
---- user_files eval: $::mtls_user_files
---- request
-GET /t
---- response_body_like: 400 No required SSL certificate was sent
---- no_error_log
-[alert]
-[error]
-[crit]
-[emerg]