
Commit 74000a7

committed
feature: make client cert verify depth optional
1 parent 60c5fe6 commit 74000a7


2 files changed

+32
-19
lines changed


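--- a/src/ngx_stream_lua_ssl_certby.c
+++ b/src/ngx_stream_lua_ssl_certby.c
@@ -1332,19 +1332,19 @@ ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
 
 int
 ngx_stream_lua_ffi_ssl_verify_client(ngx_stream_lua_request_t *r,
-int depth,
-void *cdata, char **err)
+void *cdata, int depth, char **err)
 {
-ngx_ssl_conn_t *ssl_conn;
-STACK_OF(X509) *chain = cdata;
-STACK_OF(X509_NAME) *name_chain = NULL;
-X509 *x509 = NULL;
-X509_NAME *subject = NULL;
-X509_STORE *ca_store = NULL;
+ngx_ssl_conn_t *ssl_conn;
+ngx_stream_ssl_conf_t *sscf;
+STACK_OF(X509) *chain = cdata;
+STACK_OF(X509_NAME) *name_chain = NULL;
+X509 *x509 = NULL;
+X509_NAME *subject = NULL;
+X509_STORE *ca_store = NULL;
 #ifdef OPENSSL_IS_BORINGSSL
-size_t i;
+size_t i;
 #else
-int i;
+int i;
 #endif
 
 if (r->connection == NULL || r->connection->ssl == NULL) {
@@ -1358,17 +1358,30 @@ ngx_stream_lua_ffi_ssl_verify_client(ngx_stream_lua_request_t *r,
 return NGX_ERROR;
 }
 
-ca_store = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(ssl_conn));
-if (ca_store == NULL) {
-*err = "SSL_CTX_get_cert_store() failed";
-return NGX_ERROR;
-}
+/* enable verify */
 
 SSL_set_verify(ssl_conn, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
 
+/* set depth */
+
+if (depth < 0) {
+sscf = ngx_stream_get_module_srv_conf(r->session,
+ngx_stream_ssl_module);
+if (sscf != NULL) {
+depth = sscf->verify_depth;
+}
+}
 SSL_set_verify_depth(ssl_conn, depth);
 
+/* set CA chain */
+
 if (chain != NULL) {
+ca_store = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(ssl_conn));
+if (ca_store == NULL) {
+*err = "SSL_CTX_get_cert_store() failed";
+return NGX_ERROR;
+}
+
 /* construct name chain */
 
 name_chain = sk_X509_NAME_new_null();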
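Review bot: In the new `depth < 0` branch (new lines 1367–1373), when `ngx_stream_get_module_srv_conf()` yields NULL the code falls through and hands the still-negative depth to `SSL_set_verify_depth()` on the next line; OpenSSL's documentation does not define a negative verify depth, so the effective chain limit in that case is implementation-dependent rather than the configured one. Since this value bounds client-certificate chain validation, the fallback should fail closed instead, e.g. `if (sscf == NULL) { *err = "ngx_stream_get_module_srv_conf() failed"; return NGX_ERROR; }`. The `/* set depth */` comment should also state the contract the FFI caller relies on, e.g. `/* depth < 0: use the ssl_verify_depth configured for this server */`. Note too that swapping the positions of `depth` and `cdata` in the signature (new line 1335) is not detectable at the FFI boundary — a caller still using the old `ffi.cdef` would pass a pointer as the depth and an integer as the chain without any error — so every out-of-tree cdef must be updated in lockstep. The function continues past the end of the second hunk.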

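--- a/t/140-ssl-c-api.t
+++ b/t/140-ssl-c-api.t
@@ -62,7 +62,7 @@ ffi.cdef[[
 
 int ngx_stream_lua_ffi_ssl_clear_certs(void *r, char **err);
 
-int ngx_stream_lua_ffi_ssl_verify_client(void *r, int depth, void *cdata, char **err);
+int ngx_stream_lua_ffi_ssl_verify_client(void *r, void *cdata, int depth, char **err);
 
 ]]
 _EOC_
@@ -714,7 +714,7 @@ lua ssl server name: "test.com"
 return
 end
 
-local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, 1, cert, errmsg)
+local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, cert, -1, errmsg)
 if rc ~= 0 then
 ngx.log(ngx.ERR, "failed to set cdata cert: ",
 ffi.string(errmsg[0]))
@@ -769,7 +769,7 @@ client certificate subject: [email protected],CN=test.com
 return
 end
 
-local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, 1, nil, errmsg)
+local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, nil, -1, errmsg)
 if rc ~= 0 then
 ngx.log(ngx.ERR, "failed to set cdata cert: ",
 ffi.string(errmsg[0]))
@@ -824,7 +824,7 @@ client certificate subject: [email protected],CN=test.com
 return
 end
 
-local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, 1, nil, errmsg)
+local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, nil, -1, errmsg)
 if rc ~= 0 then
 ngx.log(ngx.ERR, "failed to set cdata cert: ",
 ffi.string(errmsg[0]))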
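Review bot: All three call sites now pass `-1` (new lines 717, 772 and 827), so after this change no test exercises the caller-supplied depth path — the `depth >= 0` case that bypasses the `ssl_verify_depth` lookup, which the previous value of `1` covered. Keeping one of them at an explicit depth, e.g. `local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, cert, 1, errmsg)`, would keep both branches covered; as far as this page shows, there is also no case that pins what `-1` resolves to against a configured `ssl_verify_depth`. The enclosing test blocks start and end outside the hunks.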
