feature: SSL/TLS cosocket API

* added new method sslhandshake() to the stream-typed cosocket objects. * added new configuration directives lua_ssl_trusted_certificate, lua_ssl_verify_depth, lua_ssl_crl, lua_ssl_protocols, and lua_ssl_ciphers. Thanks aviramc for the original patch in #290.
openresty · Jul 22, 2014 · 0a82152 · 0a82152
1 parent 8acc73f
commit 0a82152
Show file tree

Hide file tree

Showing 10 changed files with 2,869 additions and 11 deletions.
diff --git a/src/ngx_http_lua_common.h b/src/ngx_http_lua_common.h
@@ -164,6 +164,15 @@ struct ngx_http_lua_main_conf_s {
 
 
 typedef struct {
+#if (NGX_HTTP_SSL)
+    ngx_ssl_t              *ssl;  /* shared by SSL cosockets */
+    ngx_uint_t              ssl_protocols;
+    ngx_str_t               ssl_ciphers;
+    ngx_uint_t              ssl_verify_depth;
+    ngx_str_t               ssl_trusted_certificate;
+    ngx_str_t               ssl_crl;
+#endif
+
     ngx_flag_t              force_read_body; /* whether force request body to
                                                 be read */
 

diff --git a/src/ngx_http_lua_module.c b/src/ngx_http_lua_module.c
@@ -37,6 +37,10 @@ static char *ngx_http_lua_merge_loc_conf(ngx_conf_t *cf, void *parent,
     void *child);
 static ngx_int_t ngx_http_lua_init(ngx_conf_t *cf);
 static char *ngx_http_lua_lowat_check(ngx_conf_t *cf, void *post, void *data);
+#if (NGX_HTTP_SSL)
+static ngx_int_t ngx_http_lua_set_ssl(ngx_conf_t *cf,
+    ngx_http_lua_loc_conf_t *llcf);
+#endif
 
 
 static ngx_conf_post_t  ngx_http_lua_lowat_post =
@@ -46,6 +50,20 @@ static ngx_conf_post_t  ngx_http_lua_lowat_post =
 static volatile ngx_cycle_t  *ngx_http_lua_prev_cycle = NULL;
 
 
+#if (NGX_HTTP_SSL) && defined(nginx_version) && nginx_version >= 1001013
+
+static ngx_conf_bitmask_t  ngx_http_lua_ssl_protocols[] = {
+    { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
+    { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
+    { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
+    { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
+    { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+    { ngx_null_string, 0 }
+};
+
+#endif
+
+
 static ngx_command_t ngx_http_lua_cmds[] = {
 
     { ngx_string("lua_max_running_timers"),
@@ -366,6 +384,49 @@ static ngx_command_t ngx_http_lua_cmds[] = {
       offsetof(ngx_http_lua_loc_conf_t, use_default_type),
       NULL },
 
+#if (NGX_HTTP_SSL)
+
+#   if defined(nginx_version) && nginx_version >= 1001013
+
+    { ngx_string("lua_ssl_protocols"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_1MORE,
+      ngx_conf_set_bitmask_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_lua_loc_conf_t, ssl_protocols),
+      &ngx_http_lua_ssl_protocols },
+
+#   endif
+
+    { ngx_string("lua_ssl_ciphers"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_lua_loc_conf_t, ssl_ciphers),
+      NULL },
+
+    { ngx_string("lua_ssl_verify_depth"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_num_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_lua_loc_conf_t, ssl_verify_depth),
+      NULL },
+
+    { ngx_string("lua_ssl_trusted_certificate"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_lua_loc_conf_t, ssl_trusted_certificate),
+      NULL },
+
+    { ngx_string("lua_ssl_crl"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_lua_loc_conf_t, ssl_crl),
+      NULL },
+
+#endif  /* NGX_HTTP_SSL */
+
     ngx_null_command
 };
 
@@ -650,6 +711,12 @@ ngx_http_lua_create_loc_conf(ngx_conf_t *cf)
      *      conf->body_filter_src = {{ 0, NULL }, NULL, NULL, NULL};
      *      conf->body_filter_src_key = NULL
      *      conf->body_filter_handler = NULL;
+     *
+     *     conf->ssl = 0;
+     *     conf->ssl_protocols = 0;
+     *     conf->ssl_ciphers = { 0, NULL };
+     *     conf->ssl_trusted_certificate = { 0, NULL };
+     *     conf->ssl_crl = { 0, NULL };
      */
 
     conf->force_read_body    = NGX_CONF_UNSET;
@@ -669,6 +736,9 @@ ngx_http_lua_create_loc_conf(ngx_conf_t *cf)
     conf->transform_underscores_in_resp_headers = NGX_CONF_UNSET;
     conf->log_socket_errors = NGX_CONF_UNSET;
 
+#if (NGX_HTTP_SSL)
+    conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
+#endif
 
     return conf;
 }
@@ -716,6 +786,32 @@ ngx_http_lua_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
         conf->body_filter_src_key = prev->body_filter_src_key;
     }
 
+#if (NGX_HTTP_SSL)
+
+#   if defined(nginx_version) && nginx_version >= 1001013
+
+    ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
+                                 (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3
+                                  |NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
+                                  |NGX_SSL_TLSv1_2));
+
+#   endif
+
+    ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
+                             "DEFAULT");
+
+    ngx_conf_merge_uint_value(conf->ssl_verify_depth,
+                              prev->ssl_verify_depth, 1);
+    ngx_conf_merge_str_value(conf->ssl_trusted_certificate,
+                             prev->ssl_trusted_certificate, "");
+    ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
+
+    if (ngx_http_lua_set_ssl(cf, conf) != NGX_OK) {
+        return NGX_CONF_ERROR;
+    }
+
+#endif
+
     ngx_conf_merge_value(conf->force_read_body, prev->force_read_body, 0);
     ngx_conf_merge_value(conf->enable_code_cache, prev->enable_code_cache, 1);
     ngx_conf_merge_value(conf->http10_buffering, prev->http10_buffering, 1);
@@ -751,4 +847,74 @@ ngx_http_lua_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
     return NGX_CONF_OK;
 }
 
+
+#if (NGX_HTTP_SSL)
+
+static ngx_int_t
+ngx_http_lua_set_ssl(ngx_conf_t *cf, ngx_http_lua_loc_conf_t *llcf)
+{
+    ngx_pool_cleanup_t  *cln;
+
+    llcf->ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
+    if (llcf->ssl == NULL) {
+        return NGX_ERROR;
+    }
+
+    llcf->ssl->log = cf->log;
+
+    if (ngx_ssl_create(llcf->ssl, llcf->ssl_protocols, NULL) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    cln = ngx_pool_cleanup_add(cf->pool, 0);
+    if (cln == NULL) {
+        return NGX_ERROR;
+    }
+
+    cln->handler = ngx_ssl_cleanup_ctx;
+    cln->data = llcf->ssl;
+
+    if (SSL_CTX_set_cipher_list(llcf->ssl->ctx,
+                                (const char *) llcf->ssl_ciphers.data)
+        == 0)
+    {
+        ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
+                      "SSL_CTX_set_cipher_list(\"%V\") failed",
+                      &llcf->ssl_ciphers);
+        return NGX_ERROR;
+    }
+
+    if (llcf->ssl_trusted_certificate.len) {
+
+#if defined(nginx_version) && nginx_version >= 1003007
+
+        if (ngx_ssl_trusted_certificate(cf, llcf->ssl,
+                                        &llcf->ssl_trusted_certificate,
+                                        llcf->ssl_verify_depth)
+            != NGX_OK)
+        {
+            return NGX_ERROR;
+        }
+
+#else
+
+        ngx_log_error(NGX_LOG_CRIT, cf->log, 0, "at least nginx 1.3.7 is "
+                      "required for the \"lua_ssl_trusted_certificate\" "
+                      "directive");
+        return NGX_ERROR;
+
+#endif
+    }
+
+    dd("ssl crl: %.*s", (int) llcf->ssl_crl.len, llcf->ssl_crl.data);
+
+    if (ngx_ssl_crl(cf, llcf->ssl, &llcf->ssl_crl) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    return NGX_OK;
+}
+
+#endif  /* NGX_HTTP_SSL */
+
 /* vi:set ft=c ts=4 sw=4 et fdm=marker: */