From c00d686a4df76551c831fd4da3e376122663581c Mon Sep 17 00:00:00 2001
From: Archangel_SDY
Date: Sat, 14 Mar 2020 01:03:58 +0800
Subject: [PATCH 01/10] feature: add FFI interface to verify SSL client certificate
---
 src/ngx_stream_lua_ssl_certby.c | 100 ++++++++++++++++++++++++++++++++
 1 file changed, 100 insertions(+)
diff --git a/src/ngx_stream_lua_ssl_certby.c b/src/ngx_stream_lua_ssl_certby.c
index 13fb3663..a3b38ada 100644
--- a/src/ngx_stream_lua_ssl_certby.c
+++ b/src/ngx_stream_lua_ssl_certby.c
@@ -1317,4 +1317,104 @@ ngx_stream_lua_ffi_set_priv_key(ngx_stream_lua_request_t *r,
 }
+static int
+ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
+{
+ /*
+ * we never terminate handshake here and user can later use
+ * $ssl_client_verify to check verification result.
+ *
+ * this is consistent with Nginx behavior.
+ */
+ return 1;
+}
+
+
+int
+ngx_stream_lua_ffi_ssl_verify_client(ngx_stream_lua_request_t *r,
+ int depth,
+ void *cdata, char **err)
+{
+ ngx_ssl_conn_t *ssl_conn;
+ STACK_OF(X509) *chain = cdata;
+ STACK_OF(X509_NAME) *name_chain = NULL;
+ X509 *x509 = NULL;
+ X509_NAME *subject = NULL;
+ X509_STORE *ca_store = NULL;
+#ifdef OPENSSL_IS_BORINGSSL
+ size_t i;
+#else
+ int i;
+#endif
+
+ if (r->connection == NULL || r->connection->ssl == NULL) {
+ *err = "bad request";
+ return NGX_ERROR;
+ }
+
+ ssl_conn = r->connection->ssl->connection;
+ if (ssl_conn == NULL) {
+ *err = "bad ssl conn";
+ return NGX_ERROR;
+ }
+
+ ca_store = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(ssl_conn));
+ if (ca_store == NULL) {
+ *err = "SSL_CTX_get_cert_store() failed";
+ return NGX_ERROR;
+ }
+
+ SSL_set_verify(ssl_conn, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
+
+ SSL_set_verify_depth(ssl_conn, depth);
+
+ if (chain != NULL) {
+ /* construct name chain */
+
+ name_chain = sk_X509_NAME_new_null();
+ if (name_chain == NULL) {
+ *err = "sk_X509_NAME_new_null() failed";
+ return NGX_ERROR;
+ }
+
+ for (i = 0; i < sk_X509_num(chain); i++) {
+ x509 = sk_X509_value(chain, i);
+ if (x509 == NULL) {
+ *err = "sk_X509_value() failed";
+ goto failed;
+ }
+
+ /* add subject to name chain, which will be sent to client */
+ subject = X509_NAME_dup(X509_get_subject_name(x509));
+ if (subject == NULL) {
+ *err = "X509_get_subject_name() failed";
+ goto failed;
+ }
+
+ if (!sk_X509_NAME_push(name_chain, subject)) {
+ *err = "sk_X509_NAME_push() failed";
+ X509_NAME_free(subject);
+ goto failed;
+ }
+
+ /* add to trusted CA store */
+ if (X509_STORE_add_cert(ca_store, x509) == 
0) {
+ *err = "X509_STORE_add_cert() failed";
+ goto failed;
+ }
+ }
+
+ SSL_set_client_CA_list(ssl_conn, name_chain);
+ }
+
+ return NGX_OK;
+
+failed:
+
+ sk_X509_NAME_free(name_chain);
+
+ return NGX_ERROR;
+}
+
+
 #endif /* NGX_STREAM_SSL */
From 60c5fe6ae9fc1d25a45f39da463086b598ca2158 Mon Sep 17 00:00:00 2001
From: Archangel_SDY
Date: Sun, 29 Mar 2020 12:51:53 +0800
Subject: [PATCH 02/10] tests: add unit tests for client certificate verification API
---
 t/140-ssl-c-api.t | 177 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 177 insertions(+)
diff --git a/t/140-ssl-c-api.t b/t/140-ssl-c-api.t
index 88ab42df..e84edc95 100644
--- a/t/140-ssl-c-api.t
+++ b/t/140-ssl-c-api.t
@@ -61,6 +61,9 @@ ffi.cdef[[
 void ngx_stream_lua_ffi_free_priv_key(void *cdata);
 int ngx_stream_lua_ffi_ssl_clear_certs(void *r, char **err);
+
+ int ngx_stream_lua_ffi_ssl_verify_client(void *r, int depth, void *cdata, char **err);
+
 ]]
 _EOC_
 }
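Review bot: The error string in the `subject == NULL` branch names the wrong call: `X509_get_subject_name()` returns a pointer into the certificate and does not fail here, so a NULL can only come from `X509_NAME_dup()`, and `*err = "X509_NAME_dup() failed";` would point a reader at the actual allocation failure. Separately, `ngx_ssl_verify_callback` unconditionally returns 1, so a client certificate that fails chain validation still completes the handshake, and the exported function has no header comment saying so; a caller who reads an NGX_OK return as "the peer was authenticated" would be misled. I would add above `ngx_stream_lua_ffi_ssl_verify_client` a comment such as `/* Enables client certificate verification for this connection; the handshake is never aborted on a failed chain, so callers must check the verification result (e.g. $ssl_client_verify) before treating the peer as authenticated. */`.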
@@ -675,3 +678,177 @@ lua ssl server name: "test.com"
 --- no_error_log
 [error]
 [alert]
+
+
+
+=== TEST 6: verify client with CA certificates
+--- stream_config
+ server {
+ listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+
+ ssl_certificate ../../cert/test2.crt;
+ ssl_certificate_key ../../cert/test2.key;
+
+ ssl_certificate_by_lua_block {
+ collectgarbage()
+
+ local ffi = require "ffi"
+ require "defines"
+
+ local errmsg = ffi.new("char *[1]")
+
+ local r = require "resty.core.base" .get_request()
+ if not r then
+ ngx.log(ngx.ERR, "no request found")
+ return
+ end
+
+ local f = assert(io.open("t/cert/test.crt", "rb"))
+ local cert_data = f:read("*all")
+ f:close()
+
+ local cert = ffi.C.ngx_stream_lua_ffi_parse_pem_cert(cert_data, #cert_data, errmsg)
+ if not cert then
+ ngx.log(ngx.ERR, "failed to parse PEM cert: ",
+ ffi.string(errmsg[0]))
+ return
+ end
+
+ local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, 1, cert, errmsg)
+ if rc ~= 0 then
+ ngx.log(ngx.ERR, "failed to set cdata cert: ",
+ ffi.string(errmsg[0]))
+ return
+ end
+ }
+
+ content_by_lua_block {
+ print('client certificate subject: ', ngx.var.ssl_client_s_dn)
+ ngx.say(ngx.var.ssl_client_verify)
+ }
+ }
+--- stream_server_config
+ lua_ssl_trusted_certificate ../../cert/test.crt;
+
+ proxy_pass unix:$TEST_NGINX_HTML_DIR/nginx.sock;
+ proxy_ssl on;
+ proxy_ssl_certificate ../../cert/test.crt;
+ proxy_ssl_certificate_key ../../cert/test.key;
+
+--- stream_response
+SUCCESS
+
+--- error_log
+client certificate subject: emailAddress=agentzh@gmail.com,CN=test.com
+
+--- no_error_log
+[error]
+[alert]
+
+
+
+=== TEST 7: verify client without CA certificates
+--- stream_config
+ server {
+ listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+
+ ssl_certificate ../../cert/test2.crt;
+ ssl_certificate_key ../../cert/test2.key;
+
+ ssl_certificate_by_lua_block {
+ collectgarbage()
+
+ local ffi = require "ffi"
+ require "defines"
+
+ local errmsg = ffi.new("char *[1]")
+
+ local r = require 
"resty.core.base" .get_request() + if not r then + ngx.log(ngx.ERR, "no request found") + return + end + + local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, 1, nil, errmsg) + if rc ~= 0 then + ngx.log(ngx.ERR, "failed to set cdata cert: ", + ffi.string(errmsg[0])) + return + end + } + + content_by_lua_block { + print('client certificate subject: ', ngx.var.ssl_client_s_dn) + ngx.say(ngx.var.ssl_client_verify) + } + } +--- stream_server_config + lua_ssl_trusted_certificate ../../cert/test.crt; + + proxy_pass unix:$TEST_NGINX_HTML_DIR/nginx.sock; + proxy_ssl on; + proxy_ssl_certificate ../../cert/test.crt; + proxy_ssl_certificate_key ../../cert/test.key; + +--- stream_response +FAILED:self signed certificate + +--- error_log +client certificate subject: emailAddress=agentzh@gmail.com,CN=test.com + +--- no_error_log +[error] +[alert] + + + +=== TEST 8: verify client but client provides no certificate +--- stream_config + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + + ssl_certificate ../../cert/test2.crt; + ssl_certificate_key ../../cert/test2.key; + + ssl_certificate_by_lua_block { + collectgarbage() + + local ffi = require "ffi" + require "defines" + + local errmsg = ffi.new("char *[1]") + + local r = require "resty.core.base" .get_request() + if not r then + ngx.log(ngx.ERR, "no request found") + return + end + + local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, 1, nil, errmsg) + if rc ~= 0 then + ngx.log(ngx.ERR, "failed to set cdata cert: ", + ffi.string(errmsg[0])) + return + end + } + + content_by_lua_block { + print('client certificate subject: ', ngx.var.ssl_client_s_dn) + ngx.say(ngx.var.ssl_client_verify) + } + } +--- stream_server_config + lua_ssl_trusted_certificate ../../cert/test.crt; + + proxy_pass unix:$TEST_NGINX_HTML_DIR/nginx.sock; + proxy_ssl on; + +--- stream_response +NONE + +--- error_log +client certificate subject: nil + +--- no_error_log +[error] +[alert] 
From 74000a7e1606519cb2349ce16cf5122051a9ef4f Mon Sep 17 00:00:00 2001
From: Archangel_SDY
Date: Sat, 18 Apr 2020 14:00:28 +0800
Subject: [PATCH 03/10] feature: make client cert verify depth optional
---
 src/ngx_stream_lua_ssl_certby.c | 43 +++++++++++++++++++++------------
 t/140-ssl-c-api.t | 8 +++---
 2 files changed, 32 insertions(+), 19 deletions(-)
diff --git a/src/ngx_stream_lua_ssl_certby.c b/src/ngx_stream_lua_ssl_certby.c
index a3b38ada..7ed0067b 100644
--- a/src/ngx_stream_lua_ssl_certby.c
+++ b/src/ngx_stream_lua_ssl_certby.c
@@ -1332,19 +1332,19 @@ ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
 int
 ngx_stream_lua_ffi_ssl_verify_client(ngx_stream_lua_request_t *r,
- int depth,
- void *cdata, char **err)
+ void *cdata, int depth, char **err)
 {
- ngx_ssl_conn_t *ssl_conn;
- STACK_OF(X509) *chain = cdata;
- STACK_OF(X509_NAME) *name_chain = NULL;
- X509 *x509 = NULL;
- X509_NAME *subject = NULL;
- X509_STORE *ca_store = NULL;
+ ngx_ssl_conn_t *ssl_conn;
+ ngx_stream_ssl_conf_t *sscf;
+ STACK_OF(X509) *chain = cdata;
+ STACK_OF(X509_NAME) *name_chain = NULL;
+ X509 *x509 = NULL;
+ X509_NAME *subject = NULL;
+ X509_STORE *ca_store = NULL;
 #ifdef OPENSSL_IS_BORINGSSL
- size_t i;
+ size_t i;
 #else
- int i;
+ int i;
 #endif
 if (r->connection == NULL || r->connection->ssl == NULL) {
@@ -1358,17 +1358,30 @@ ngx_stream_lua_ffi_ssl_verify_client(ngx_stream_lua_request_t *r,
 return NGX_ERROR;
 }
- ca_store = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(ssl_conn));
- if (ca_store == NULL) {
- *err = "SSL_CTX_get_cert_store() failed";
- return NGX_ERROR;
- }
+ /* enable verify */
 SSL_set_verify(ssl_conn, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
+ /* set depth */
+
+ if (depth < 0) {
+ sscf = ngx_stream_get_module_srv_conf(r->session,
+ ngx_stream_ssl_module);
+ if (sscf != NULL) {
+ depth = sscf->verify_depth;
+ }
+ }
 SSL_set_verify_depth(ssl_conn, depth);
+ /* set CA chain */
+
 if (chain != NULL) {
+ ca_store = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(ssl_conn));
+ if (ca_store == NULL) {
+ *err = "SSL_CTX_get_cert_store() failed";
+ return NGX_ERROR;
+ }
+
 /* construct name chain */
 name_chain = sk_X509_NAME_new_null();
diff --git a/t/140-ssl-c-api.t b/t/140-ssl-c-api.t
index e84edc95..e150d23a 100644
--- a/t/140-ssl-c-api.t
+++ b/t/140-ssl-c-api.t
@@ -62,7 +62,7 @@ ffi.cdef[[
 int ngx_stream_lua_ffi_ssl_clear_certs(void *r, char **err);
- int ngx_stream_lua_ffi_ssl_verify_client(void *r, int depth, void *cdata, char **err);
+ int ngx_stream_lua_ffi_ssl_verify_client(void *r, void *cdata, int depth, char **err);
 ]]
 _EOC_
@@ -714,7 +714,7 @@ lua ssl server name: "test.com"
 return
 end
- local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, 1, cert, errmsg)
+ local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, cert, -1, errmsg)
 if rc ~= 0 then
 ngx.log(ngx.ERR, "failed to set cdata cert: ",
 ffi.string(errmsg[0]))
@@ -769,7 +769,7 @@ client certificate subject: emailAddress=agentzh@gmail.com,CN=test.com
 return
 end
- local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, 1, nil, errmsg)
+ local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, nil, -1, errmsg)
 if rc ~= 0 then
 ngx.log(ngx.ERR, "failed to set cdata cert: ",
 ffi.string(errmsg[0]))
@@ -824,7 +824,7 @@ client certificate subject: emailAddress=agentzh@gmail.com,CN=test.com
 return
 end
- local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, 1, nil, errmsg)
+ local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, nil, -1, errmsg)
 if rc ~= 0 then
 ngx.log(ngx.ERR, "failed to set cdata cert: ",
 ffi.string(errmsg[0]))
From c6f30f721733ba3c162d216ed340b92fe2ac15df Mon Sep 17 00:00:00 2001
From: Archangel_SDY
Date: Sun, 19 Apr 2020 12:07:47 +0800
Subject: [PATCH 04/10] feature: set default client cert verify depth to 1
---
 src/ngx_stream_lua_ssl_certby.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/ngx_stream_lua_ssl_certby.c b/src/ngx_stream_lua_ssl_certby.c
index 7ed0067b..9d99c32e 100644
--- a/src/ngx_stream_lua_ssl_certby.c
+++ b/src/ngx_stream_lua_ssl_certby.c
@@ -1369,6 +1369,9 @@ ngx_stream_lua_ffi_ssl_verify_client(ngx_stream_lua_request_t *r,
 ngx_stream_ssl_module);
 if (sscf != NULL) {
 depth = sscf->verify_depth;
+ } else {
+ /* same as the default value of ssl_verify_depth */
+ depth = 1;
 }
 }
 SSL_set_verify_depth(ssl_conn, depth);
From 707d0e55dbf2944f4d88370a5648c6b22d104f60 Mon Sep 17 00:00:00 2001
From: Archangel_SDY
Date: Mon, 20 Apr 2020 19:20:55 +0800
Subject: [PATCH 05/10] tests: use a different cert at server side
---
 t/140-ssl-c-api.t | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/t/140-ssl-c-api.t b/t/140-ssl-c-api.t
index e150d23a..5f119ae7 100644
--- a/t/140-ssl-c-api.t
+++ b/t/140-ssl-c-api.t
@@ -728,7 +728,7 @@ lua ssl server name: "test.com"
 }
 }
 --- stream_server_config
- lua_ssl_trusted_certificate ../../cert/test.crt;
+ lua_ssl_trusted_certificate ../../cert/test2.crt;
 proxy_pass unix:$TEST_NGINX_HTML_DIR/nginx.sock;
 proxy_ssl on;
@@ -783,7 +783,7 @@ client certificate subject: emailAddress=agentzh@gmail.com,CN=test.com
 }
 }
 --- stream_server_config
- lua_ssl_trusted_certificate ../../cert/test.crt;
+ lua_ssl_trusted_certificate ../../cert/test2.crt;
 proxy_pass unix:$TEST_NGINX_HTML_DIR/nginx.sock;
 proxy_ssl on;
@@ -838,7 +838,7 @@ client certificate subject: emailAddress=agentzh@gmail.com,CN=test.com
 }
 }
 --- stream_server_config
- lua_ssl_trusted_certificate ../../cert/test.crt;
+ lua_ssl_trusted_certificate ../../cert/test2.crt;
 proxy_pass unix:$TEST_NGINX_HTML_DIR/nginx.sock;
 proxy_ssl on;
From 9562c1a443f94ee3a8da1bf95d5d619716910e4b Mon Sep 17 00:00:00 2001
From: Archangel_SDY
Date: Tue, 21 Apr 2020 22:27:10 +0800
Subject: [PATCH 06/10] tests: refine and clean up
---
 t/140-ssl-c-api.t | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/t/140-ssl-c-api.t b/t/140-ssl-c-api.t
index 5f119ae7..73ed67ad 100644
--- a/t/140-ssl-c-api.t
+++ b/t/140-ssl-c-api.t
@@ -728,8 +728,6 @@ lua ssl server name: "test.com"
 }
 }
 --- stream_server_config
- lua_ssl_trusted_certificate ../../cert/test2.crt;
-
 proxy_pass unix:$TEST_NGINX_HTML_DIR/nginx.sock;
 proxy_ssl on;
 proxy_ssl_certificate ../../cert/test.crt;
@@ -783,8 +781,6 @@ client certificate subject: emailAddress=agentzh@gmail.com,CN=test.com
 }
 }
 --- stream_server_config
- lua_ssl_trusted_certificate ../../cert/test2.crt;
-
 proxy_pass unix:$TEST_NGINX_HTML_DIR/nginx.sock;
 proxy_ssl on;
 proxy_ssl_certificate ../../cert/test.crt;
@@ -824,7 +820,18 @@ client certificate subject: emailAddress=agentzh@gmail.com,CN=test.com
 return
 end
- local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, nil, -1, errmsg)
+ local f = assert(io.open("t/cert/test.crt", "rb"))
+ local cert_data = f:read("*all")
+ f:close()
+
+ local cert = ffi.C.ngx_stream_lua_ffi_parse_pem_cert(cert_data, #cert_data, errmsg)
+ if not cert then
+ ngx.log(ngx.ERR, "failed to parse PEM cert: ",
+ ffi.string(errmsg[0]))
+ return
+ end
+
+ local rc = ffi.C.ngx_stream_lua_ffi_ssl_verify_client(r, cert, 1, errmsg)
 if rc ~= 0 then
 ngx.log(ngx.ERR, "failed to set cdata cert: ",
 ffi.string(errmsg[0]))
@@ -838,8 +845,6 @@ client certificate subject: emailAddress=agentzh@gmail.com,CN=test.com
 }
 }
 --- stream_server_config
- lua_ssl_trusted_certificate ../../cert/test2.crt;
-
 proxy_pass unix:$TEST_NGINX_HTML_DIR/nginx.sock;
 proxy_ssl on;
From b0421c6b56c7bddf3549cf4e7c960c2262219c23 Mon Sep 17 00:00:00 2001
From: Archangel_SDY
Date: Tue, 21 Apr 2020 22:27:24 +0800
Subject: [PATCH 07/10] feature: check context when calling ssl.verify_client
---
 src/ngx_stream_lua_ssl_certby.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/src/ngx_stream_lua_ssl_certby.c b/src/ngx_stream_lua_ssl_certby.c
index 9d99c32e..65be368f 100644
--- a/src/ngx_stream_lua_ssl_certby.c
+++ b/src/ngx_stream_lua_ssl_certby.c
@@ -1334,6 +1334,7 @@ int
 ngx_stream_lua_ffi_ssl_verify_client(ngx_stream_lua_request_t *r,
 void *cdata, int depth, char **err)
 {
+ ngx_stream_lua_ctx_t *ctx;
 ngx_ssl_conn_t *ssl_conn;
 ngx_stream_ssl_conf_t *sscf;
 STACK_OF(X509) *chain = cdata;
@@ -1347,6 +1348,17 @@ ngx_stream_lua_ffi_ssl_verify_client(ngx_stream_lua_request_t *r,
 int i;
 #endif
+ ctx = ngx_stream_get_module_ctx(r->session, ngx_stream_lua_module);
+ if (ctx == NULL) {
+ *err = "no request ctx found";
+ return NGX_ERROR;
+ }
+
+ if (!(ctx->context & NGX_STREAM_LUA_CONTEXT_SSL_CERT)) {
+ *err = "API disabled in the current context";
+ return NGX_ERROR;
+ }
+
 if (r->connection == NULL || r->connection->ssl == NULL) {
 *err = "bad request";
 return NGX_ERROR;
From 59b1157b28f69cd0158f92f75d190039538bfd34 Mon Sep 17 00:00:00 2001
From: Archangel_SDY
Date: Tue, 9 Jun 2020 11:22:56 +0800
Subject: [PATCH 08/10] bugfix: set client cert verify store per connection
---
 src/ngx_stream_lua_ssl_certby.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/src/ngx_stream_lua_ssl_certby.c b/src/ngx_stream_lua_ssl_certby.c
index 65be368f..50b4a219 100644
--- a/src/ngx_stream_lua_ssl_certby.c
+++ b/src/ngx_stream_lua_ssl_certby.c
@@ -1332,12 +1332,12 @@ ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
 int
 ngx_stream_lua_ffi_ssl_verify_client(ngx_stream_lua_request_t *r,
- void *cdata, int depth, char **err)
+ void *ca_certs, int depth, char **err)
 {
 ngx_stream_lua_ctx_t *ctx;
 ngx_ssl_conn_t *ssl_conn;
 ngx_stream_ssl_conf_t *sscf;
- STACK_OF(X509) *chain = cdata;
+ STACK_OF(X509) *chain = ca_certs;
 STACK_OF(X509_NAME) *name_chain = NULL;
 X509 *x509 = NULL;
 X509_NAME *subject = NULL;
@@ -1391,9 +1391,9 @@ ngx_stream_lua_ffi_ssl_verify_client(ngx_stream_lua_request_t *r,
 /* set CA chain */
 if (chain != NULL) {
- ca_store = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(ssl_conn));
+ ca_store = X509_STORE_new();
 if (ca_store == NULL) {
- *err = "SSL_CTX_get_cert_store() failed";
+ *err = "X509_STORE_new() failed";
 return NGX_ERROR;
 }
@@ -1402,7 +1402,7 @@ ngx_stream_lua_ffi_ssl_verify_client(ngx_stream_lua_request_t *r,
 name_chain = sk_X509_NAME_new_null();
 if (name_chain == NULL) {
 *err = "sk_X509_NAME_new_null() failed";
- return NGX_ERROR;
+ goto failed;
 }
 for (i = 0; i < sk_X509_num(chain); i++) {
@@ -1432,6 +1432,11 @@ ngx_stream_lua_ffi_ssl_verify_client(ngx_stream_lua_request_t *r,
 }
 }
+ if (SSL_set0_verify_cert_store(ssl_conn, ca_store) == 0) {
+ *err = "SSL_set0_verify_cert_store() failed";
+ goto failed;
+ }
+
 SSL_set_client_CA_list(ssl_conn, name_chain);
 }
@@ -1439,6 +1444,8 @@ ngx_stream_lua_ffi_ssl_verify_client(ngx_stream_lua_request_t *r,
 failed:
+ X509_STORE_free(ca_store);
+
 sk_X509_NAME_free(name_chain);
 return NGX_ERROR;
From 65a37c08d0d9edc057f2093b8ca9b31eca297335 Mon Sep 17 00:00:00 2001
From: Archangel_SDY
Date: Wed, 22 Jul 2020 17:06:48 +0800
Subject: [PATCH 09/10] style: address review comments
---
 src/ngx_stream_lua_ssl_certby.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/ngx_stream_lua_ssl_certby.c b/src/ngx_stream_lua_ssl_certby.c
index 50b4a219..7b374ce2 100644
--- a/src/ngx_stream_lua_ssl_certby.c
+++ b/src/ngx_stream_lua_ssl_certby.c
@@ -1318,7 +1318,7 @@ ngx_stream_lua_ffi_set_priv_key(ngx_stream_lua_request_t *r,
 static int
-ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
+ngx_stream_lua_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
 {
 /*
 * we never terminate handshake here and user can later use
@@ -1372,7 +1372,8 @@ ngx_stream_lua_ffi_ssl_verify_client(ngx_stream_lua_request_t *r,
 /* enable verify */
- SSL_set_verify(ssl_conn, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
+ SSL_set_verify(ssl_conn, SSL_VERIFY_PEER,
+ ngx_stream_lua_ssl_verify_callback);
 /* set depth */
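Review bot: Once `SSL_set0_verify_cert_store()` returns non-zero the SSL object owns `ca_store`, yet the `failed:` label in the next hunk still calls `X509_STORE_free(ca_store)`; nothing jumps there after the hand-off today, so this is latent, but any check added between that call and `return NGX_OK` would free the store twice. Setting `ca_store = NULL;` immediately after the successful `SSL_set0_verify_cert_store()` call keeps the cleanup label correct, and the same applies to the reordered `failed:` block in patch 09. A comment on the `X509_STORE_new()` line in this patch's previous hunk would also help, e.g. `/* fresh, empty per-connection store: only the certs in ca_certs are trusted for client verification; the SSL_CTX store and default lookup paths are not consulted */`, since that is the security property the bugfix establishes. The enclosing function starts and ends outside these hunks.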
@@ -1381,11 +1382,13 @@ ngx_stream_lua_ffi_ssl_verify_client(ngx_stream_lua_request_t *r,
 ngx_stream_ssl_module);
 if (sscf != NULL) {
 depth = sscf->verify_depth;
+
 } else {
 /* same as the default value of ssl_verify_depth */
 depth = 1;
 }
 }
+
 SSL_set_verify_depth(ssl_conn, depth);
 /* set CA chain */
@@ -1444,10 +1447,10 @@ ngx_stream_lua_ffi_ssl_verify_client(ngx_stream_lua_request_t *r,
 failed:
- X509_STORE_free(ca_store);
-
 sk_X509_NAME_free(name_chain);
+ X509_STORE_free(ca_store);
+
 return NGX_ERROR;
 }
From 4ef1b3db3d5b9e9f3ca49554e159bfb5ed5c22b4 Mon Sep 17 00:00:00 2001
From: Archangel_SDY
Date: Wed, 22 Jul 2020 17:08:54 +0800
Subject: [PATCH 10/10] bugfix: fix memory leak in test cases
---
 t/140-ssl-c-api.t | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/t/140-ssl-c-api.t b/t/140-ssl-c-api.t
index 73ed67ad..5ab0dccd 100644
--- a/t/140-ssl-c-api.t
+++ b/t/140-ssl-c-api.t
@@ -720,6 +720,8 @@ lua ssl server name: "test.com"
 ffi.string(errmsg[0]))
 return
 end
+
+ ffi.C.ngx_stream_lua_ffi_free_cert(cert)
 }
 content_by_lua_block {
@@ -732,6 +734,7 @@ lua ssl server name: "test.com"
 proxy_ssl on;
 proxy_ssl_certificate ../../cert/test.crt;
 proxy_ssl_certificate_key ../../cert/test.key;
+ proxy_ssl_session_reuse off;
 --- stream_response
 SUCCESS
@@ -785,6 +788,7 @@ client certificate subject: emailAddress=agentzh@gmail.com,CN=test.com
 proxy_ssl on;
 proxy_ssl_certificate ../../cert/test.crt;
 proxy_ssl_certificate_key ../../cert/test.key;
+ proxy_ssl_session_reuse off;
 --- stream_response
 FAILED:self signed certificate
@@ -837,6 +841,8 @@ client certificate subject: emailAddress=agentzh@gmail.com,CN=test.com
 ffi.string(errmsg[0]))
 return
 end
+
+ ffi.C.ngx_stream_lua_ffi_free_cert(cert)
 }
 content_by_lua_block {
@@ -847,6 +853,7 @@ client certificate subject: emailAddress=agentzh@gmail.com,CN=test.com
 --- stream_server_config
 proxy_pass unix:$TEST_NGINX_HTML_DIR/nginx.sock;
 proxy_ssl on;
+ proxy_ssl_session_reuse off;
 --- stream_response
 NONE