feature: make client cert verify depth optional

Author: ArchangelSDY

src/ngx_stream_lua_ssl_certby.c

@@ -1332,19 +1332,19 @@ ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
 
 int
 ngx_stream_lua_ffi_ssl_verify_client(ngx_stream_lua_request_t *r,
-    int depth,
-    void *cdata, char **err)
+    void *cdata, int depth, char **err)
 {
-    ngx_ssl_conn_t         *ssl_conn;
-    STACK_OF(X509)         *chain = cdata;
-    STACK_OF(X509_NAME)    *name_chain = NULL;
-    X509                   *x509 = NULL;
-    X509_NAME              *subject = NULL;
-    X509_STORE             *ca_store = NULL;
+    ngx_ssl_conn_t              *ssl_conn;
+    ngx_stream_ssl_conf_t       *sscf;
+    STACK_OF(X509)              *chain = cdata;
+    STACK_OF(X509_NAME)         *name_chain = NULL;
+    X509                        *x509 = NULL;
+    X509_NAME                   *subject = NULL;
+    X509_STORE                  *ca_store = NULL;
 #ifdef OPENSSL_IS_BORINGSSL
-    size_t                 i;
+    size_t                      i;
 #else
-    int                    i;
+    int                         i;
 #endif
 
     if (r->connection == NULL || r->connection->ssl == NULL) {
@@ -1358,17 +1358,30 @@ ngx_stream_lua_ffi_ssl_verify_client(ngx_stream_lua_request_t *r,
         return NGX_ERROR;
     }
 
-    ca_store = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(ssl_conn));
-    if (ca_store == NULL) {
-        *err = "SSL_CTX_get_cert_store() failed";
-        return NGX_ERROR;
-    }
+    /* enable verify */
 
     SSL_set_verify(ssl_conn, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
 
+    /* set depth */
+
+    if (depth < 0) {
+        sscf = ngx_stream_get_module_srv_conf(r->session,
+            ngx_stream_ssl_module);
+        if (sscf != NULL) {
+            depth = sscf->verify_depth;
+        }
+    }
     SSL_set_verify_depth(ssl_conn, depth);
 
+    /* set CA chain */
+
     if (chain != NULL) {
+        ca_store = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(ssl_conn));
+        if (ca_store == NULL) {
+            *err = "SSL_CTX_get_cert_store() failed";
+            return NGX_ERROR;
+        }
+
         /* construct name chain */
 
         name_chain = sk_X509_NAME_new_null();

t/140-ssl-c-api.t

@@ -62,7 +62,7 @@ ffi.cdef[[
 
     int ngx_stream_lua_ffi_ssl_clear_certs(void *r, char **err);
 
-    int ngx_stream_lua_ffi_ssl_verify_client(void *r, int depth, void *cdata, char **err);
+    int ngx_stream_lua_ffi_ssl_verify_client(void *r, void *cdata, int depth, char **err);
 
 ]]
 _EOC_
@@ -714,7 +714,7 @@ lua ssl server name: "test.com"
                 return
             end
 
-            local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, 1, cert, errmsg)
+            local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, cert, -1, errmsg)
             if rc ~= 0 then
                 ngx.log(ngx.ERR, "failed to set cdata cert: ",
                         ffi.string(errmsg[0]))
@@ -769,7 +769,7 @@ client certificate subject: [email protected],CN=test.com
                 return
             end
 
-            local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, 1, nil, errmsg)
+            local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, nil, -1, errmsg)
             if rc ~= 0 then
                 ngx.log(ngx.ERR, "failed to set cdata cert: ",
                         ffi.string(errmsg[0]))
@@ -824,7 +824,7 @@ client certificate subject: [email protected],CN=test.com
                 return
             end
 
-            local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, 1, nil, errmsg)
+            local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, nil, -1, errmsg)
             if rc ~= 0 then
                 ngx.log(ngx.ERR, "failed to set cdata cert: ",
                         ffi.string(errmsg[0]))