diff --git a/patches/1.13.6.1/lua-resty-core-0.1.13-ngx_http_lua_ffi_balancer_set_ssl_ctx.patch b/patches/1.13.6.1/lua-resty-core-0.1.13-ngx_http_lua_ffi_balancer_set_ssl_ctx.patch new file mode 100644 index 0000000..38438f9 --- /dev/null +++ b/patches/1.13.6.1/lua-resty-core-0.1.13-ngx_http_lua_ffi_balancer_set_ssl_ctx.patch 
@@ -0,0 +1,99 @@ +From 59a70761bfda7771fcd675aeea6637055c2b2316 Mon Sep 17 00:00:00 2001 +From: James Callahan +Date: Wed, 21 Mar 2018 11:09:35 +1100 +Subject: [PATCH 1/2] balancer: Add set_ssl_ctx as binding to + ngx_lua_ffi_balancer_set_ssl_ctx + +Signed-off-by: Aapo Talvensaari +--- + lib/lua-resty-core-0.1.13/ngx/balancer.lua | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/lua-resty-core-0.1.13/lib/ngx/balancer.lua b/lua-resty-core-0.1.13/lib/ngx/balancer.lua +index b947043..b59fb70 100644 +--- a/lua-resty-core-0.1.13/lib/ngx/balancer.lua ++++ b/lua-resty-core-0.1.13/lib/ngx/balancer.lua +@@ -21,6 +21,7 @@ local subsystem = ngx.config.subsystem + local ngx_lua_ffi_balancer_set_current_peer + local ngx_lua_ffi_balancer_set_more_tries + local ngx_lua_ffi_balancer_get_last_failure ++local ngx_lua_ffi_balancer_set_ssl_ctx + local ngx_lua_ffi_balancer_set_timeouts -- used by both stream and http + + +@@ -35,6 +36,9 @@ if subsystem == 'http' then + int ngx_http_lua_ffi_balancer_get_last_failure(ngx_http_request_t *r, + int *status, char **err); + ++ int ngx_http_lua_ffi_balancer_set_ssl_ctx(ngx_http_request_t *r, ++ void* ssl_ctx, char **err); ++ + int ngx_http_lua_ffi_balancer_set_timeouts(ngx_http_request_t *r, + long connect_timeout, long send_timeout, + long read_timeout, char **err); +@@ -49,6 +53,9 @@ if subsystem == 'http' then + ngx_lua_ffi_balancer_get_last_failure = + C.ngx_http_lua_ffi_balancer_get_last_failure + ++ ngx_lua_ffi_balancer_set_ssl_ctx = ++ C.ngx_http_lua_ffi_balancer_set_ssl_ctx ++ + ngx_lua_ffi_balancer_set_timeouts = + C.ngx_http_lua_ffi_balancer_set_timeouts + +@@ -163,6 +170,23 @@ function _M.get_last_failure() + end + + ++if subsystem == 'http' then ++ function _M.set_ssl_ctx(ssl_ctx) ++ local r = getfenv(0).__ngx_req ++ if not r then ++ error("no request found") ++ end ++ ++ local state = ngx_lua_ffi_balancer_set_ssl_ctx(r, ssl_ctx, errmsg) ++ ++ if state == FFI_ERROR then ++ return false, 
ffi_str(errmsg[0]) ++ end ++ return true ++ end ++end ++ ++ + function _M.set_timeouts(connect_timeout, send_timeout, read_timeout) + local r = getfenv(0).__ngx_req + if not r then +-- +2.17.0 + + +From 124866719034706a2e32eda7be7e0fc978b0035c Mon Sep 17 00:00:00 2001 +From: James Callahan +Date: Wed, 21 Mar 2018 12:20:06 +1100 +Subject: [PATCH 2/2] balancer.set_ssl_ctx: Check that argument is ffi cdata + +Signed-off-by: Aapo Talvensaari +--- + lib/lua-resty-core-0.1.13/ngx/balancer.lua | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/lua-resty-core-0.1.13/lib/ngx/balancer.lua b/lua-resty-core-0.1.13/lib/ngx/balancer.lua +index b59fb70..f6a3eb4 100644 +--- a/lua-resty-core-0.1.13/lib/ngx/balancer.lua ++++ b/lua-resty-core-0.1.13/lib/ngx/balancer.lua +@@ -177,6 +177,10 @@ if subsystem == 'http' then + error("no request found") + end + ++ if type(ssl_ctx) ~= "cdata" then ++ error("ssl context must be an ffi pointer") ++ end ++ + local state = ngx_lua_ffi_balancer_set_ssl_ctx(r, ssl_ctx, errmsg) + + if state == FFI_ERROR then +-- +2.17.0 + diff --git a/patches/1.13.6.1/ngx_lua-0.10.11-ngx_http_lua_ffi_balancer_set_ssl_ctx.patch b/patches/1.13.6.1/ngx_lua-0.10.11-ngx_http_lua_ffi_balancer_set_ssl_ctx.patch new file mode 100644 index 0000000..ed57bde --- /dev/null +++ b/patches/1.13.6.1/ngx_lua-0.10.11-ngx_http_lua_ffi_balancer_set_ssl_ctx.patch 
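Review bot: The cdata check added by PATCH 2/2 in `_M.set_ssl_ctx` still admits a NULL pointer, because a null pointer cdata has `type() == "cdata"` and is passed straight to `ngx_http_lua_ffi_balancer_set_ssl_ctx`, which in this series takes a reference on `ssl_ctx` without rejecting NULL. I would tighten the guard to `if type(ssl_ctx) ~= "cdata" or ssl_ctx == nil then` / `error("ssl context must be a non-NULL ffi pointer", 2)` / `end`, with level 2 so the error points at the caller. The check cannot verify that the cdata really is an `SSL_CTX*` (an `int[1]` passes and is reinterpreted as a pointer in C), so a one-line comment saying the caller is trusted to pass a genuine `SSL_CTX*` is worth adding. The binding is also only defined under `subsystem == 'http'`, leaving `_M.set_ssl_ctx` nil in the stream subsystem; the function header should say so.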
@@ -0,0 +1,135 @@ +From 2d3aede0192893f6d5ba6df16e8891bc04f81ed5 Mon Sep 17 00:00:00 2001 +From: James Callahan +Date: Wed, 21 Mar 2018 11:00:42 +1100 +Subject: [PATCH 1/2] balancer: Add ngx_http_lua_ffi_balancer_set_ssl_ctx + +This function allows setting an upstream's SSL_CTX* to a user-provided object + +Signed-off-by: Aapo Talvensaari +--- + src/ngx_http_lua_balancer.c | 80 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 80 insertions(+) + +diff --git a/ngx_lua-0.10.11/src/ngx_http_lua_balancer.c b/ngx_lua-0.10.11/src/ngx_http_lua_balancer.c +index 2fa634eb..60fecd2f 100644 +--- a/ngx_lua-0.10.11/src/ngx_http_lua_balancer.c ++++ b/ngx_lua-0.10.11/src/ngx_http_lua_balancer.c +@@ -758,4 +758,84 @@ ngx_http_lua_ffi_balancer_get_last_failure(ngx_http_request_t *r, + return bp->last_peer_state; + } + ++ ++#if NGX_HTTP_SSL ++ ++int ++ngx_http_lua_ffi_balancer_set_ssl_ctx(ngx_http_request_t *r, ++ SSL_CTX* ssl_ctx, char **err) ++{ ++ ngx_http_lua_ctx_t *ctx; ++ ngx_http_upstream_t *u; ++ ngx_ssl_t *ssl; ++ ngx_pool_cleanup_t *cln; ++ ++ if (r == NULL) { ++ *err = "no request found"; ++ return NGX_ERROR; ++ } ++ ++ u = r->upstream; ++ ++ if (u == NULL) { ++ *err = "no upstream found"; ++ return NGX_ERROR; ++ } ++ ++ ctx = ngx_http_get_module_ctx(r, ngx_http_lua_module); ++ if (ctx == NULL) { ++ *err = "no ctx found"; ++ return NGX_ERROR; ++ } ++ ++ if ((ctx->context & NGX_HTTP_LUA_CONTEXT_BALANCER) == 0) { ++ *err = "API disabled in the current context"; ++ return NGX_ERROR; ++ } ++ ++ ssl = u->conf->ssl; ++ ++ /* Early exit if SSL_CTX* is already correct value */ ++ if (ssl != NULL && ssl->ctx == ssl_ctx) { ++ return NGX_OK; ++ } ++ ++ if (!SSL_CTX_up_ref(ssl_ctx)) { ++ *err = "unable to take reference to SSL_CTX*"; ++ return NGX_ERROR; ++ } ++ ++ if (ssl != NULL) { ++ /* Free old SSL_CTX* */ ++ ngx_ssl_cleanup_ctx(ssl); ++ ++ } else { ++ ssl = ngx_pcalloc(ngx_cycle->pool, sizeof(ngx_ssl_t)); ++ if (ssl == NULL) { ++ *err = "no memory"; ++ 
SSL_CTX_free(ssl_ctx); ++ return NGX_ERROR; ++ } ++ ++ cln = ngx_pool_cleanup_add(ngx_cycle->pool, 0); ++ if (cln == NULL) { ++ *err = "no memory"; ++ SSL_CTX_free(ssl_ctx); ++ return NGX_ERROR; ++ } ++ ++ cln->handler = ngx_ssl_cleanup_ctx; ++ cln->data = ssl; ++ ++ u->conf->ssl = ssl; ++ ssl->log = ngx_cycle->log; ++ } ++ ++ ssl->ctx = ssl_ctx; ++ ++ return NGX_OK; ++} ++ ++#endif /* NGX_HTTP_SSL */ ++ + #endif /* NGX_LUA_NO_FFI_API */ +-- +2.17.0 + + +From 049c960a4854483751d157a0187710b4f86749ac Mon Sep 17 00:00:00 2001 +From: James Callahan +Date: Wed, 21 Mar 2018 14:25:53 +1100 +Subject: [PATCH 2/2] ngx_http_lua_ffi_balancer_set_ssl_ctx: Support openssl < + 1.1.0 + +Signed-off-by: Aapo Talvensaari +--- + src/ngx_http_lua_balancer.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/ngx_lua-0.10.11/src/ngx_http_lua_balancer.c b/ngx_lua-0.10.11/src/ngx_http_lua_balancer.c +index 60fecd2f..9ec3b1a4 100644 +--- a/ngx_lua-0.10.11/src/ngx_http_lua_balancer.c ++++ b/ngx_lua-0.10.11/src/ngx_http_lua_balancer.c +@@ -800,7 +800,11 @@ ngx_http_lua_ffi_balancer_set_ssl_ctx(ngx_http_request_t *r, + return NGX_OK; + } + ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if (!SSL_CTX_up_ref(ssl_ctx)) { ++#else ++ if (CRYPTO_add(&ssl_ctx->references, 1, CRYPTO_LOCK_SSL_CTX) < 2) { ++#endif + *err = "unable to take reference to SSL_CTX*"; + return NGX_ERROR; + } +-- +2.17.0 + diff --git a/patches/1.13.6.1/ngx_lua-0.10.11-ngx_http_lua_ffi_get_ssl_pointer.patch b/patches/1.13.6.1/ngx_lua-0.10.11-ngx_http_lua_ffi_get_ssl_pointer.patch new file mode 100644 index 0000000..f226140 --- /dev/null +++ b/patches/1.13.6.1/ngx_lua-0.10.11-ngx_http_lua_ffi_get_ssl_pointer.patch 
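Review bot: `ngx_http_lua_ffi_balancer_set_ssl_ctx` never checks `ssl_ctx` for NULL before `SSL_CTX_up_ref(ssl_ctx)` (or `&ssl_ctx->references` in the pre-1.1.0 branch added by PATCH 2/2), so a null pointer handed over from Lua dereferences NULL inside the worker. In the `ssl == NULL` branch the freshly `ngx_pcalloc`'d `ngx_ssl_t` gets only `log` and `ctx`, whereas nginx's `ngx_ssl_create()` also sets `buffer_size = NGX_SSL_BUFSIZE`; if I read `ngx_ssl_send_chain` correctly a zero `buffer_size` leaves nothing to copy into the output buffer, so I would initialise it here too. A comment above `ssl = u->conf->ssl;` should also state that `u->conf` appears to be the location's shared upstream configuration, so this call swaps the TLS context for every later request through that location in this worker (each worker independently), not just for the current peer, which "setting an upstream's SSL_CTX*" in the commit message undersells.
```c
    /* … unchanged: request/upstream/ctx/context checks … */
    if (ssl_ctx == NULL) {
        *err = "ssl ctx is NULL";
        return NGX_ERROR;
    }

    /* NOTE: u->conf is shared by every request using this location; the
     * swap below is worker-wide, not per peer or per request. */
    ssl = u->conf->ssl;
    /* … unchanged: early exit, up_ref, old ctx cleanup, pcalloc, cleanup … */
        u->conf->ssl = ssl;
        ssl->log = ngx_cycle->log;
        ssl->buffer_size = NGX_SSL_BUFSIZE;   /* what ngx_ssl_create() sets */
    /* … unchanged: ssl->ctx assignment, return NGX_OK … */
```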
@@ -0,0 +1,186 @@ +From bd85262ff15c7e03ba439fc9540a9a74cfd9ceb8 Mon Sep 17 00:00:00 2001 +From: James Callahan +Date: Thu, 22 Mar 2018 15:02:28 +1100 +Subject: [PATCH 1/2] feature: Add api to fetch raw nginx ssl pointer + +Signed-off-by: Aapo Talvensaari +--- + src/ngx_http_lua_ssl_certby.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/ngx_lua-0.10.11/src/ngx_http_lua_ssl_certby.c b/ngx_lua-0.10.11/src/ngx_http_lua_ssl_certby.c +index 95be47f6..f908dc0f 100644 +--- a/ngx_lua-0.10.11/src/ngx_http_lua_ssl_certby.c ++++ b/ngx_lua-0.10.11/src/ngx_http_lua_ssl_certby.c +@@ -1256,6 +1256,17 @@ failed: + } + + ++ngx_ssl_conn_t * ++ngx_http_lua_ffi_get_ssl_pointer(ngx_http_request_t *r) ++{ ++ if (r->connection == NULL || r->connection->ssl == NULL) { ++ return NULL; ++ } ++ ++ return r->connection->ssl->connection; ++} ++ ++ + #endif /* NGX_LUA_NO_FFI_API */ + + +-- +2.17.0 + + +From c91c688dc9ed5047729a6fc572632b4e00eefa3d Mon Sep 17 00:00:00 2001 +From: James Callahan +Date: Thu, 29 Mar 2018 13:06:47 +1100 +Subject: [PATCH 2/2] tests: Add tests for ngx_http_lua_ffi_get_ssl_pointer + +Signed-off-by: Aapo Talvensaari +--- + t/140-ssl-c-api.t | 122 ++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 122 insertions(+) + +diff --git a/ngx_lua-0.10.11/t/140-ssl-c-api.t b/ngx_lua-0.10.11/t/140-ssl-c-api.t +index 8734d147..b1d9d230 100644 +--- a/ngx_lua-0.10.11/t/140-ssl-c-api.t ++++ b/ngx_lua-0.10.11/t/140-ssl-c-api.t +@@ -57,6 +57,8 @@ ffi.cdef[[ + int ngx_http_lua_ffi_set_priv_key(void *r, + void *cdata, char **err); + ++ void *ngx_http_lua_ffi_get_ssl_pointer(void *r); ++ + void ngx_http_lua_ffi_free_cert(void *cdata); + + void ngx_http_lua_ffi_free_priv_key(void *cdata); +@@ -811,3 +813,123 @@ lua ssl server name: "test.com" + --- no_error_log + [error] + [alert] ++ ++ ++ ++=== TEST 6: Raw SSL pointer ++--- http_config ++ server { ++ listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; ++ server_name test.com; ++ ++ 
ssl_certificate_by_lua_block { ++ collectgarbage() ++ ++ local ffi = require "ffi" ++ require "defines" ++ ++ local r = getfenv(0).__ngx_req ++ if not r then ++ ngx.log(ngx.ERR, "no request found") ++ return ++ end ++ ++ local ssl = ffi.C.ngx_http_lua_ffi_get_ssl_pointer(r); ++ if ssl == nil then ++ ngx.log(ngx.ERR, "failed to retrieve SSL*") ++ return ++ end ++ ++ ffi.cdef[[ ++ const char *SSL_get_servername(const void *, const int); ++ ]] ++ local libssl = ffi.load "ssl" ++ local TLSEXT_NAMETYPE_host_name = 0 ++ local sni = ffi.string(libssl.SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) ++ ngx.log(ngx.INFO, "SNI is ", sni) ++ } ++ ++ ssl_certificate ../../cert/test.crt; ++ ssl_certificate_key ../../cert/test.key; ++ ++ server_tokens off; ++ location /foo { ++ default_type 'text/plain'; ++ content_by_lua_block { ngx.status = 201 ngx.say("foo") ngx.exit(201) } ++ more_clear_headers Date; ++ } ++ } ++--- config ++ server_tokens off; ++ lua_ssl_trusted_certificate ../../cert/test.crt; ++ ++ location /t { ++ content_by_lua_block { ++ do ++ local sock = ngx.socket.tcp() ++ ++ sock:settimeout(2000) ++ ++ local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") ++ if not ok then ++ ngx.say("failed to connect: ", err) ++ return ++ end ++ ++ ngx.say("connected: ", ok) ++ ++ local sess, err = sock:sslhandshake(nil, "test.com", true) ++ if not sess then ++ ngx.say("failed to do SSL handshake: ", err) ++ return ++ end ++ ++ ngx.say("ssl handshake: ", type(sess)) ++ ++ local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" ++ local bytes, err = sock:send(req) ++ if not bytes then ++ ngx.say("failed to send http request: ", err) ++ return ++ end ++ ++ ngx.say("sent http request: ", bytes, " bytes.") ++ ++ while true do ++ local line, err = sock:receive() ++ if not line then ++ -- ngx.say("failed to receive response status line: ", err) ++ break ++ end ++ ++ ngx.say("received: ", line) ++ end ++ ++ local ok, err = sock:close() ++ 
ngx.say("close: ", ok, " ", err) ++ end -- do ++ -- collectgarbage() ++ } ++ } ++ ++--- request ++GET /t ++--- response_body ++connected: 1 ++ssl handshake: userdata ++sent http request: 56 bytes. ++received: HTTP/1.1 201 Created ++received: Server: nginx ++received: Content-Type: text/plain ++received: Content-Length: 4 ++received: Connection: close ++received: ++received: foo ++close: 1 nil ++ ++--- error_log ++SNI is test.com ++ ++--- no_error_log ++[error] ++[alert] +-- +2.17.0 + diff --git a/patches/1.13.6.2/lua-resty-core-0.1.15-ngx_lua_ffi_balancer_set_ssl_ctx b/patches/1.13.6.2/lua-resty-core-0.1.15-ngx_lua_ffi_balancer_set_ssl_ctx new file mode 100644 index 0000000..158e1e0 --- /dev/null +++ b/patches/1.13.6.2/lua-resty-core-0.1.15-ngx_lua_ffi_balancer_set_ssl_ctx 
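Review bot: `ngx_http_lua_ffi_get_ssl_pointer` dereferences `r` without the `r == NULL` guard that the other FFI entry points in this series use, so I would make the first check `if (r == NULL || r->connection == NULL || r->connection->ssl == NULL) {`. The function returns the connection's live `SSL*` with no comment on lifetime; a header comment such as `/* Returns the raw SSL* of the client connection; valid only while r->connection is alive, never cache it across requests or yields. */` would stop callers from stashing it. The test's `ffi.load "ssl"` resolves the system libssl by name, which is presumably the library nginx was linked against in the test environment but is not guaranteed to be; if they differ, passing nginx's `SSL*` into it is an ABI mismatch, so a note in the test (or resolving `SSL_get_servername` through `ffi.C`, where nginx's own copy is already loaded) would help. The `#if` region of ngx_http_lua_ssl_certby.c that encloses the new function starts outside the hunk.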
@@ -0,0 +1,99 @@ +From d109235c4f37a648d503830b368856d85b1b511b Mon Sep 17 00:00:00 2001 +From: James Callahan +Date: Wed, 21 Mar 2018 11:09:35 +1100 +Subject: [PATCH 1/2] balancer: Add set_ssl_ctx as binding to + ngx_lua_ffi_balancer_set_ssl_ctx + +Signed-off-by: Aapo Talvensaari +--- + lib/ngx/balancer.lua | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/lua-resty-core-0.1.15/lib/ngx/balancer.lua b/lua-resty-core-0.1.15/lib/ngx/balancer.lua +index 1c72e15..7162423 100644 +--- a/lua-resty-core-0.1.15/ngx/balancer.lua ++++ b/lua-resty-core-0.1.15/ngx/balancer.lua +@@ -21,6 +21,7 @@ local subsystem = ngx.config.subsystem + local ngx_lua_ffi_balancer_set_current_peer + local ngx_lua_ffi_balancer_set_more_tries + local ngx_lua_ffi_balancer_get_last_failure ++local ngx_lua_ffi_balancer_set_ssl_ctx + local ngx_lua_ffi_balancer_set_timeouts -- used by both stream and http + + +@@ -35,6 +36,9 @@ if subsystem == 'http' then + int ngx_http_lua_ffi_balancer_get_last_failure(ngx_http_request_t *r, + int *status, char **err); + ++ int ngx_http_lua_ffi_balancer_set_ssl_ctx(ngx_http_request_t *r, ++ void* ssl_ctx, char **err); ++ + int ngx_http_lua_ffi_balancer_set_timeouts(ngx_http_request_t *r, + long connect_timeout, long send_timeout, + long read_timeout, char **err); +@@ -49,6 +53,9 @@ if subsystem == 'http' then + ngx_lua_ffi_balancer_get_last_failure = + C.ngx_http_lua_ffi_balancer_get_last_failure + ++ ngx_lua_ffi_balancer_set_ssl_ctx = ++ C.ngx_http_lua_ffi_balancer_set_ssl_ctx ++ + ngx_lua_ffi_balancer_set_timeouts = + C.ngx_http_lua_ffi_balancer_set_timeouts + +@@ -163,6 +170,23 @@ function _M.get_last_failure() + end + + ++if subsystem == 'http' then ++ function _M.set_ssl_ctx(ssl_ctx) ++ local r = getfenv(0).__ngx_req ++ if not r then ++ error("no request found") ++ end ++ ++ local state = ngx_lua_ffi_balancer_set_ssl_ctx(r, ssl_ctx, errmsg) ++ ++ if state == FFI_ERROR then ++ return false, ffi_str(errmsg[0]) ++ end ++ return true ++ 
end ++end ++ ++ + function _M.set_timeouts(connect_timeout, send_timeout, read_timeout) + local r = getfenv(0).__ngx_req + if not r then +-- +2.17.0 + + +From 9f52868cec21978bde3185f88035eac71ba0a1b6 Mon Sep 17 00:00:00 2001 +From: James Callahan +Date: Wed, 21 Mar 2018 12:20:06 +1100 +Subject: [PATCH 2/2] balancer.set_ssl_ctx: Check that argument is ffi cdata + +Signed-off-by: Aapo Talvensaari +--- + lib/ngx/balancer.lua | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/lua-resty-core-0.1.15/lib/ngx/balancer.lua b/lua-resty-core-0.1.15/lib/ngx/balancer.lua +index 7162423..6fdb332 100644 +--- a/lua-resty-core-0.1.15/ngx/balancer.lua ++++ b/lua-resty-core-0.1.15/ngx/balancer.lua +@@ -177,6 +177,10 @@ if subsystem == 'http' then + error("no request found") + end + ++ if type(ssl_ctx) ~= "cdata" then ++ error("ssl context must be an ffi pointer") ++ end ++ + local state = ngx_lua_ffi_balancer_set_ssl_ctx(r, ssl_ctx, errmsg) + + if state == FFI_ERROR then +-- +2.17.0 + diff --git a/patches/1.13.6.2/ngx_lua-0.10.13-ngx_http_lua_ffi_balancer_set_ssl_ctx.patch b/patches/1.13.6.2/ngx_lua-0.10.13-ngx_http_lua_ffi_balancer_set_ssl_ctx.patch new file mode 100644 index 0000000..3f2ca9a --- /dev/null +++ b/patches/1.13.6.2/ngx_lua-0.10.13-ngx_http_lua_ffi_balancer_set_ssl_ctx.patch 
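Review bot: The inner diff's file headers disagree with each other: the `diff --git` lines name `lua-resty-core-0.1.15/lib/ngx/balancer.lua` while the `---`/`+++` lines name `lua-resty-core-0.1.15/ngx/balancer.lua` (in both inner patches), and this file is the only one in the series without a `.patch` suffix, so whether it applies depends on which header the patch tool and the apply script honour. On the code itself, the `type(ssl_ctx) ~= "cdata"` guard still admits a NULL pointer cdata, which then reaches the C side unchecked; `if type(ssl_ctx) ~= "cdata" or ssl_ctx == nil then` with `error("ssl context must be a non-NULL ffi pointer", 2)` closes that. A short header comment that the binding is http-only (`_M.set_ssl_ctx` is nil under the stream subsystem) and that the cdata is trusted to be a real `SSL_CTX*` would complete the documentation.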
@@ -0,0 +1,135 @@ +From 2bcfce87072ab0cf62ed4283591a7404879fe6a6 Mon Sep 17 00:00:00 2001 +From: James Callahan +Date: Wed, 21 Mar 2018 11:00:42 +1100 +Subject: [PATCH 1/2] balancer: Add ngx_http_lua_ffi_balancer_set_ssl_ctx + +This function allows setting an upstream's SSL_CTX* to a user-provided object + +Signed-off-by: Aapo Talvensaari +--- + src/ngx_http_lua_balancer.c | 80 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 80 insertions(+) + +diff --git a/ngx_lua-0.10.3/src/ngx_http_lua_balancer.c b/ngx_lua-0.10.3/src/ngx_http_lua_balancer.c +index fdf2af31..650c217d 100644 +--- a/ngx_lua-0.10.3/src/ngx_http_lua_balancer.c ++++ b/ngx_lua-0.10.3/src/ngx_http_lua_balancer.c +@@ -760,4 +760,84 @@ ngx_http_lua_ffi_balancer_get_last_failure(ngx_http_request_t *r, + return bp->last_peer_state; + } + ++ ++#if NGX_HTTP_SSL ++ ++int ++ngx_http_lua_ffi_balancer_set_ssl_ctx(ngx_http_request_t *r, ++ SSL_CTX* ssl_ctx, char **err) ++{ ++ ngx_http_lua_ctx_t *ctx; ++ ngx_http_upstream_t *u; ++ ngx_ssl_t *ssl; ++ ngx_pool_cleanup_t *cln; ++ ++ if (r == NULL) { ++ *err = "no request found"; ++ return NGX_ERROR; ++ } ++ ++ u = r->upstream; ++ ++ if (u == NULL) { ++ *err = "no upstream found"; ++ return NGX_ERROR; ++ } ++ ++ ctx = ngx_http_get_module_ctx(r, ngx_http_lua_module); ++ if (ctx == NULL) { ++ *err = "no ctx found"; ++ return NGX_ERROR; ++ } ++ ++ if ((ctx->context & NGX_HTTP_LUA_CONTEXT_BALANCER) == 0) { ++ *err = "API disabled in the current context"; ++ return NGX_ERROR; ++ } ++ ++ ssl = u->conf->ssl; ++ ++ /* Early exit if SSL_CTX* is already correct value */ ++ if (ssl != NULL && ssl->ctx == ssl_ctx) { ++ return NGX_OK; ++ } ++ ++ if (!SSL_CTX_up_ref(ssl_ctx)) { ++ *err = "unable to take reference to SSL_CTX*"; ++ return NGX_ERROR; ++ } ++ ++ if (ssl != NULL) { ++ /* Free old SSL_CTX* */ ++ ngx_ssl_cleanup_ctx(ssl); ++ ++ } else { ++ ssl = ngx_pcalloc(ngx_cycle->pool, sizeof(ngx_ssl_t)); ++ if (ssl == NULL) { ++ *err = "no memory"; ++ SSL_CTX_free(ssl_ctx); 
++ return NGX_ERROR; ++ } ++ ++ cln = ngx_pool_cleanup_add(ngx_cycle->pool, 0); ++ if (cln == NULL) { ++ *err = "no memory"; ++ SSL_CTX_free(ssl_ctx); ++ return NGX_ERROR; ++ } ++ ++ cln->handler = ngx_ssl_cleanup_ctx; ++ cln->data = ssl; ++ ++ u->conf->ssl = ssl; ++ ssl->log = ngx_cycle->log; ++ } ++ ++ ssl->ctx = ssl_ctx; ++ ++ return NGX_OK; ++} ++ ++#endif /* NGX_HTTP_SSL */ ++ + #endif /* NGX_LUA_NO_FFI_API */ +-- +2.17.0 + + +From 3df55652c1eea825b4883060c553fa4d619e4b30 Mon Sep 17 00:00:00 2001 +From: James Callahan +Date: Wed, 21 Mar 2018 14:25:53 +1100 +Subject: [PATCH 2/2] ngx_http_lua_ffi_balancer_set_ssl_ctx: Support openssl < + 1.1.0 + +Signed-off-by: Aapo Talvensaari +--- + src/ngx_http_lua_balancer.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/ngx_lua-0.10.3/src/ngx_http_lua_balancer.c b/ngx_lua-0.10.3/src/ngx_http_lua_balancer.c +index 650c217d..b320f368 100644 +--- a/ngx_lua-0.10.3/src/ngx_http_lua_balancer.c ++++ b/ngx_lua-0.10.3/src/ngx_http_lua_balancer.c +@@ -802,7 +802,11 @@ ngx_http_lua_ffi_balancer_set_ssl_ctx(ngx_http_request_t *r, + return NGX_OK; + } + ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if (!SSL_CTX_up_ref(ssl_ctx)) { ++#else ++ if (CRYPTO_add(&ssl_ctx->references, 1, CRYPTO_LOCK_SSL_CTX) < 2) { ++#endif + *err = "unable to take reference to SSL_CTX*"; + return NGX_ERROR; + } +-- +2.17.0 + diff --git a/patches/1.13.6.2/ngx_lua-0.10.13-ngx_http_lua_ffi_get_ssl_pointer.patch b/patches/1.13.6.2/ngx_lua-0.10.13-ngx_http_lua_ffi_get_ssl_pointer.patch new file mode 100644 index 0000000..24bd687 --- /dev/null +++ b/patches/1.13.6.2/ngx_lua-0.10.13-ngx_http_lua_ffi_get_ssl_pointer.patch 
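Review bot: The inner patch paths are `ngx_lua-0.10.3/src/ngx_http_lua_balancer.c` although this file is named for ngx_lua-0.10.13 and its sibling patch in the same directory uses `ngx_lua-0.10.13/`, so the prefix looks like a typo that will matter unless the patches are applied with a strip level that discards it. The function has no NULL check on `ssl_ctx` before `SSL_CTX_up_ref`/`CRYPTO_add`; `if (ssl_ctx == NULL) { *err = "ssl ctx is NULL"; return NGX_ERROR; }` before `ssl = u->conf->ssl;` avoids a null dereference in the worker. In the allocation branch, `ssl->buffer_size = NGX_SSL_BUFSIZE;` next to `ssl->log = ngx_cycle->log;` would match what nginx's `ngx_ssl_create()` initialises for an `ngx_ssl_t`, which as far as I can tell is otherwise left at zero here. Since `u->conf` is the location's shared upstream configuration, a comment noting that the swap affects all subsequent requests through that location in this worker, not just the current peer, is warranted.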
@@ -0,0 +1,186 @@ +From 810f861270168a5a33ceb507776000f4ae556764 Mon Sep 17 00:00:00 2001 +From: James Callahan +Date: Thu, 22 Mar 2018 15:02:28 +1100 +Subject: [PATCH 1/2] feature: Add api to fetch raw nginx ssl pointer + +Signed-off-by: Aapo Talvensaari +--- + src/ngx_http_lua_ssl_certby.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/ngx_lua-0.10.13/src/ngx_http_lua_ssl_certby.c b/ngx_lua-0.10.13/src/ngx_http_lua_ssl_certby.c +index 453a5c78..310ca214 100644 +--- a/ngx_lua-0.10.13/src/ngx_http_lua_ssl_certby.c ++++ b/ngx_lua-0.10.13/src/ngx_http_lua_ssl_certby.c +@@ -1319,6 +1319,17 @@ failed: + } + + ++ngx_ssl_conn_t * ++ngx_http_lua_ffi_get_ssl_pointer(ngx_http_request_t *r) ++{ ++ if (r->connection == NULL || r->connection->ssl == NULL) { ++ return NULL; ++ } ++ ++ return r->connection->ssl->connection; ++} ++ ++ + #endif /* NGX_LUA_NO_FFI_API */ + + +-- +2.17.0 + + +From 705a2acc513f0f5021027024db08fad4f7349ea8 Mon Sep 17 00:00:00 2001 +From: James Callahan +Date: Thu, 29 Mar 2018 13:06:47 +1100 +Subject: [PATCH 2/2] tests: Add tests for ngx_http_lua_ffi_get_ssl_pointer + +Signed-off-by: Aapo Talvensaari +--- + t/140-ssl-c-api.t | 122 ++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 122 insertions(+) + +diff --git a/t/140-ssl-c-api.t b/t/140-ssl-c-api.t +index 8734d147..b1d9d230 100644 +--- a/t/140-ssl-c-api.t ++++ b/t/140-ssl-c-api.t +@@ -57,6 +57,8 @@ ffi.cdef[[ + int ngx_http_lua_ffi_set_priv_key(void *r, + void *cdata, char **err); + ++ void *ngx_http_lua_ffi_get_ssl_pointer(void *r); ++ + void ngx_http_lua_ffi_free_cert(void *cdata); + + void ngx_http_lua_ffi_free_priv_key(void *cdata); +@@ -811,3 +813,123 @@ lua ssl server name: "test.com" + --- no_error_log + [error] + [alert] ++ ++ ++ ++=== TEST 6: Raw SSL pointer ++--- http_config ++ server { ++ listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; ++ server_name test.com; ++ ++ ssl_certificate_by_lua_block { ++ collectgarbage() ++ ++ local ffi = require "ffi" ++ 
require "defines" ++ ++ local r = getfenv(0).__ngx_req ++ if not r then ++ ngx.log(ngx.ERR, "no request found") ++ return ++ end ++ ++ local ssl = ffi.C.ngx_http_lua_ffi_get_ssl_pointer(r); ++ if ssl == nil then ++ ngx.log(ngx.ERR, "failed to retrieve SSL*") ++ return ++ end ++ ++ ffi.cdef[[ ++ const char *SSL_get_servername(const void *, const int); ++ ]] ++ local libssl = ffi.load "ssl" ++ local TLSEXT_NAMETYPE_host_name = 0 ++ local sni = ffi.string(libssl.SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) ++ ngx.log(ngx.INFO, "SNI is ", sni) ++ } ++ ++ ssl_certificate ../../cert/test.crt; ++ ssl_certificate_key ../../cert/test.key; ++ ++ server_tokens off; ++ location /foo { ++ default_type 'text/plain'; ++ content_by_lua_block { ngx.status = 201 ngx.say("foo") ngx.exit(201) } ++ more_clear_headers Date; ++ } ++ } ++--- config ++ server_tokens off; ++ lua_ssl_trusted_certificate ../../cert/test.crt; ++ ++ location /t { ++ content_by_lua_block { ++ do ++ local sock = ngx.socket.tcp() ++ ++ sock:settimeout(2000) ++ ++ local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") ++ if not ok then ++ ngx.say("failed to connect: ", err) ++ return ++ end ++ ++ ngx.say("connected: ", ok) ++ ++ local sess, err = sock:sslhandshake(nil, "test.com", true) ++ if not sess then ++ ngx.say("failed to do SSL handshake: ", err) ++ return ++ end ++ ++ ngx.say("ssl handshake: ", type(sess)) ++ ++ local req = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n" ++ local bytes, err = sock:send(req) ++ if not bytes then ++ ngx.say("failed to send http request: ", err) ++ return ++ end ++ ++ ngx.say("sent http request: ", bytes, " bytes.") ++ ++ while true do ++ local line, err = sock:receive() ++ if not line then ++ -- ngx.say("failed to receive response status line: ", err) ++ break ++ end ++ ++ ngx.say("received: ", line) ++ end ++ ++ local ok, err = sock:close() ++ ngx.say("close: ", ok, " ", err) ++ end -- do ++ -- collectgarbage() ++ } ++ } ++ ++--- 
request ++GET /t ++--- response_body ++connected: 1 ++ssl handshake: userdata ++sent http request: 56 bytes. ++received: HTTP/1.1 201 Created ++received: Server: nginx ++received: Content-Type: text/plain ++received: Content-Length: 4 ++received: Connection: close ++received: ++received: foo ++close: 1 nil ++ ++--- error_log ++SNI is test.com ++ ++--- no_error_log ++[error] ++[alert] +-- +2.17.0 +
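Review bot: The second inner patch's headers use `a/t/140-ssl-c-api.t` while the first uses `a/ngx_lua-0.10.13/src/...`, so one strip level cannot apply both from the same directory (the 0.10.11 variant of this patch prefixes the test path with the package directory). `ngx_http_lua_ffi_get_ssl_pointer` should also guard `r` itself, as the other FFI entry points do: `if (r == NULL || r->connection == NULL || r->connection->ssl == NULL) {`. A header comment stating that the returned `SSL*` belongs to `r->connection` and must not be retained beyond the current handler would document the lifetime the test implicitly relies on. The test's `ffi.load "ssl"` presumably resolves the same libssl nginx is linked against in CI, but that is not guaranteed, and a mismatch makes the `SSL_get_servername` call an ABI error rather than a test failure.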