Kong · bungle · May 18, 2018 · May 18, 2018 · May 18, 2018
diff --git a/patches/1.13.6.1/lua-resty-core-0.1.13-ngx_http_lua_ffi_balancer_set_ssl_ctx.patch b/patches/1.13.6.1/lua-resty-core-0.1.13-ngx_http_lua_ffi_balancer_set_ssl_ctx.patch
@@ -0,0 +1,99 @@
+From 59a70761bfda7771fcd675aeea6637055c2b2316 Mon Sep 17 00:00:00 2001
+From: James Callahan <[email protected]>
+Date: Wed, 21 Mar 2018 11:09:35 +1100
+Subject: [PATCH 1/2] balancer: Add set_ssl_ctx as binding to
+ ngx_lua_ffi_balancer_set_ssl_ctx
+
+Signed-off-by: Aapo Talvensaari <[email protected]>
+---
+ lib/lua-resty-core-0.1.13/ngx/balancer.lua | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/lua-resty-core-0.1.13/lib/ngx/balancer.lua b/lua-resty-core-0.1.13/lib/ngx/balancer.lua
+index b947043..b59fb70 100644
+--- a/lua-resty-core-0.1.13/lib/ngx/balancer.lua
++++ b/lua-resty-core-0.1.13/lib/ngx/balancer.lua
+@@ -21,6 +21,7 @@ local subsystem = ngx.config.subsystem
+ local ngx_lua_ffi_balancer_set_current_peer
+ local ngx_lua_ffi_balancer_set_more_tries
+ local ngx_lua_ffi_balancer_get_last_failure
++local ngx_lua_ffi_balancer_set_ssl_ctx
+ local ngx_lua_ffi_balancer_set_timeouts -- used by both stream and http
+
+
+@@ -35,6 +36,9 @@ if subsystem == 'http' then
+     int ngx_http_lua_ffi_balancer_get_last_failure(ngx_http_request_t *r,
+         int *status, char **err);
+
++    int ngx_http_lua_ffi_balancer_set_ssl_ctx(ngx_http_request_t *r,
++        void* ssl_ctx, char **err);
++
+     int ngx_http_lua_ffi_balancer_set_timeouts(ngx_http_request_t *r,
+         long connect_timeout, long send_timeout,
+         long read_timeout, char **err);
+@@ -49,6 +53,9 @@ if subsystem == 'http' then
+     ngx_lua_ffi_balancer_get_last_failure =
+         C.ngx_http_lua_ffi_balancer_get_last_failure
+
++    ngx_lua_ffi_balancer_set_ssl_ctx =
++        C.ngx_http_lua_ffi_balancer_set_ssl_ctx
++
+     ngx_lua_ffi_balancer_set_timeouts =
+         C.ngx_http_lua_ffi_balancer_set_timeouts
+
+@@ -163,6 +170,23 @@ function _M.get_last_failure()
+ end
+
+
++if subsystem == 'http' then
++    function _M.set_ssl_ctx(ssl_ctx)
++        local r = getfenv(0).__ngx_req
++        if not r then
++            error("no request found")
++        end
++
++        local state = ngx_lua_ffi_balancer_set_ssl_ctx(r, ssl_ctx, errmsg)
++
++        if state == FFI_ERROR then
++            return false, ffi_str(errmsg[0])
++        end
++        return true
++    end
++end
++
++
+ function _M.set_timeouts(connect_timeout, send_timeout, read_timeout)
+     local r = getfenv(0).__ngx_req
+     if not r then
+--
+2.17.0
+
+
+From 124866719034706a2e32eda7be7e0fc978b0035c Mon Sep 17 00:00:00 2001
+From: James Callahan <[email protected]>
+Date: Wed, 21 Mar 2018 12:20:06 +1100
+Subject: [PATCH 2/2] balancer.set_ssl_ctx: Check that argument is ffi cdata
+
+Signed-off-by: Aapo Talvensaari <[email protected]>
+---
+ lib/lua-resty-core-0.1.13/ngx/balancer.lua | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lua-resty-core-0.1.13/lib/ngx/balancer.lua b/lua-resty-core-0.1.13/lib/ngx/balancer.lua
+index b59fb70..f6a3eb4 100644
+--- a/lua-resty-core-0.1.13/lib/ngx/balancer.lua
++++ b/lua-resty-core-0.1.13/lib/ngx/balancer.lua
+@@ -177,6 +177,10 @@ if subsystem == 'http' then
+             error("no request found")
+         end
+
++        if type(ssl_ctx) ~= "cdata" then
++            error("ssl context must be an ffi pointer")
++        end
++
+         local state = ngx_lua_ffi_balancer_set_ssl_ctx(r, ssl_ctx, errmsg)
+
+         if state == FFI_ERROR then
+--
+2.17.0
+
diff --git a/patches/1.13.6.1/ngx_lua-0.10.11-ngx_http_lua_ffi_balancer_set_ssl_ctx.patch b/patches/1.13.6.1/ngx_lua-0.10.11-ngx_http_lua_ffi_balancer_set_ssl_ctx.patch
@@ -0,0 +1,135 @@
+From 2d3aede0192893f6d5ba6df16e8891bc04f81ed5 Mon Sep 17 00:00:00 2001
+From: James Callahan <[email protected]>
+Date: Wed, 21 Mar 2018 11:00:42 +1100
+Subject: [PATCH 1/2] balancer: Add ngx_http_lua_ffi_balancer_set_ssl_ctx
+
+This function allows setting an upstream's SSL_CTX* to a user-provided object
+
+Signed-off-by: Aapo Talvensaari <[email protected]>
+---
+ src/ngx_http_lua_balancer.c | 80 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 80 insertions(+)
+
+diff --git a/ngx_lua-0.10.11/src/ngx_http_lua_balancer.c b/ngx_lua-0.10.11/src/ngx_http_lua_balancer.c
+index 2fa634eb..60fecd2f 100644
+--- a/ngx_lua-0.10.11/src/ngx_http_lua_balancer.c
++++ b/ngx_lua-0.10.11/src/ngx_http_lua_balancer.c
+@@ -758,4 +758,84 @@ ngx_http_lua_ffi_balancer_get_last_failure(ngx_http_request_t *r,
+     return bp->last_peer_state;
+ }
+
++
++#if NGX_HTTP_SSL
++
++int
++ngx_http_lua_ffi_balancer_set_ssl_ctx(ngx_http_request_t *r,
++    SSL_CTX* ssl_ctx, char **err)
++{
++    ngx_http_lua_ctx_t  *ctx;
++    ngx_http_upstream_t *u;
++    ngx_ssl_t           *ssl;
++    ngx_pool_cleanup_t  *cln;
++
++    if (r == NULL) {
++        *err = "no request found";
++        return NGX_ERROR;
++    }
++
++    u = r->upstream;
++
++    if (u == NULL) {
++        *err = "no upstream found";
++        return NGX_ERROR;
++    }
++
++    ctx = ngx_http_get_module_ctx(r, ngx_http_lua_module);
++    if (ctx == NULL) {
++        *err = "no ctx found";
++        return NGX_ERROR;
++    }
++
++    if ((ctx->context & NGX_HTTP_LUA_CONTEXT_BALANCER) == 0) {
++        *err = "API disabled in the current context";
++        return NGX_ERROR;
++    }
++
++    ssl = u->conf->ssl;
++
++    /* Early exit if SSL_CTX* is already correct value */
++    if (ssl != NULL && ssl->ctx == ssl_ctx) {
++        return NGX_OK;
++    }
++
++    if (!SSL_CTX_up_ref(ssl_ctx)) {
++        *err = "unable to take reference to SSL_CTX*";
++        return NGX_ERROR;
++    }
++
++    if (ssl != NULL) {
++        /* Free old SSL_CTX* */
++        ngx_ssl_cleanup_ctx(ssl);
++
++    } else {
++        ssl = ngx_pcalloc(ngx_cycle->pool, sizeof(ngx_ssl_t));
++        if (ssl == NULL) {
++            *err = "no memory";
++            SSL_CTX_free(ssl_ctx);
++            return NGX_ERROR;
++        }
++
++        cln = ngx_pool_cleanup_add(ngx_cycle->pool, 0);
++        if (cln == NULL) {
++            *err = "no memory";
++            SSL_CTX_free(ssl_ctx);
++            return NGX_ERROR;
++        }
++
++        cln->handler = ngx_ssl_cleanup_ctx;
++        cln->data = ssl;
++
++        u->conf->ssl = ssl;
++        ssl->log = ngx_cycle->log;
++    }
++
++    ssl->ctx = ssl_ctx;
++
++    return NGX_OK;
++}
++
++#endif /* NGX_HTTP_SSL */
++
+ #endif  /* NGX_LUA_NO_FFI_API */
+--
+2.17.0
+
+
+From 049c960a4854483751d157a0187710b4f86749ac Mon Sep 17 00:00:00 2001
+From: James Callahan <[email protected]>
+Date: Wed, 21 Mar 2018 14:25:53 +1100
+Subject: [PATCH 2/2] ngx_http_lua_ffi_balancer_set_ssl_ctx: Support openssl <
+ 1.1.0
+
+Signed-off-by: Aapo Talvensaari <[email protected]>
+---
+ src/ngx_http_lua_balancer.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/ngx_lua-0.10.11/src/ngx_http_lua_balancer.c b/ngx_lua-0.10.11/src/ngx_http_lua_balancer.c
+index 60fecd2f..9ec3b1a4 100644
+--- a/ngx_lua-0.10.11/src/ngx_http_lua_balancer.c
++++ b/ngx_lua-0.10.11/src/ngx_http_lua_balancer.c
+@@ -800,7 +800,11 @@ ngx_http_lua_ffi_balancer_set_ssl_ctx(ngx_http_request_t *r,
+         return NGX_OK;
+     }
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+     if (!SSL_CTX_up_ref(ssl_ctx)) {
++#else
++    if (CRYPTO_add(&ssl_ctx->references, 1, CRYPTO_LOCK_SSL_CTX) < 2) {
++#endif
+         *err = "unable to take reference to SSL_CTX*";
+         return NGX_ERROR;
+     }
+--
+2.17.0
+