
feature: implemented ssl_session_fetch_by_lua* and ssl_session_store_by_lua* #822


Merged
merged 1 commit into from
Jul 29, 2016
Merged
3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -154,6 +154,9 @@ src/timer.[ch]
src/config.[ch]
src/worker.[ch]
src/certby.[ch]
src/storeby.[ch]
src/fetchby.[ch]
src/ssl.[ch]
src/ocsp.c
src/lex.[ch]
src/balancer.[ch]
2 changes: 2 additions & 0 deletions .travis.yml
Expand Up @@ -107,6 +107,8 @@ script:
- cd ..
- tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz
- cd openssl-$OPENSSL_VER/
- wget https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-$OPENSSL_VER-sess_set_get_cb_yield.patch
- patch -p1 < openssl-$OPENSSL_VER-sess_set_get_cb_yield.patch
- ./config shared --prefix=$OPENSSL_PREFIX -DPURIFY > build.log 2>&1 || (cat build.log && exit 1)
- make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
- sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1)
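Review bot: The two added lines download `openssl-$OPENSSL_VER-sess_set_get_cb_yield.patch` from the `master` branch of another repository and apply it to the OpenSSL build with no integrity check, so the TLS stack every CI run links against now depends on a mutable remote file. Pin the URL to a specific commit of that repository and verify the download before applying it, e.g. insert `- echo "<SHA256_PLACEHOLDER>  openssl-$OPENSSL_VER-sess_set_get_cb_yield.patch" | sha256sum -c -` between the `wget` and `patch -p1` lines. A one-line comment on why the patch is required would also help; the file name suggests it makes the session get callback yieldable, which the new fetch phase appears to rely on, but that is inferred. The enclosing `script:` list begins outside the hunk.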
287 changes: 207 additions & 80 deletions README.markdown


6 changes: 6 additions & 0 deletions config
Expand Up @@ -357,6 +357,9 @@ HTTP_LUA_SRCS=" \
$ngx_addon_dir/src/ngx_http_lua_ssl_ocsp.c \
$ngx_addon_dir/src/ngx_http_lua_lex.c \
$ngx_addon_dir/src/ngx_http_lua_balancer.c \
$ngx_addon_dir/src/ngx_http_lua_ssl_session_storeby.c \
$ngx_addon_dir/src/ngx_http_lua_ssl_session_fetchby.c \
$ngx_addon_dir/src/ngx_http_lua_ssl.c \
"

HTTP_LUA_DEPS=" \
Expand Down Expand Up @@ -414,6 +417,9 @@ HTTP_LUA_DEPS=" \
$ngx_addon_dir/src/ngx_http_lua_ssl_certby.h \
$ngx_addon_dir/src/ngx_http_lua_lex.h \
$ngx_addon_dir/src/ngx_http_lua_balancer.h \
$ngx_addon_dir/src/ngx_http_lua_ssl_session_storeby.h \
$ngx_addon_dir/src/ngx_http_lua_ssl_session_fetchby.h \
$ngx_addon_dir/src/ngx_http_lua_ssl.h \
"

CFLAGS="$CFLAGS -DNDK_SET_VAR"
271 changes: 191 additions & 80 deletions doc/HttpLuaModule.wiki


40 changes: 25 additions & 15 deletions src/ngx_http_lua_common.h
Expand Up @@ -103,17 +103,19 @@ typedef struct {


/* must be within 16 bit */
#define NGX_HTTP_LUA_CONTEXT_SET 0x001
#define NGX_HTTP_LUA_CONTEXT_REWRITE 0x002
#define NGX_HTTP_LUA_CONTEXT_ACCESS 0x004
#define NGX_HTTP_LUA_CONTEXT_CONTENT 0x008
#define NGX_HTTP_LUA_CONTEXT_LOG 0x010
#define NGX_HTTP_LUA_CONTEXT_HEADER_FILTER 0x020
#define NGX_HTTP_LUA_CONTEXT_BODY_FILTER 0x040
#define NGX_HTTP_LUA_CONTEXT_TIMER 0x080
#define NGX_HTTP_LUA_CONTEXT_INIT_WORKER 0x100
#define NGX_HTTP_LUA_CONTEXT_BALANCER 0x200
#define NGX_HTTP_LUA_CONTEXT_SSL_CERT 0x400
#define NGX_HTTP_LUA_CONTEXT_SET 0x0001
#define NGX_HTTP_LUA_CONTEXT_REWRITE 0x0002
#define NGX_HTTP_LUA_CONTEXT_ACCESS 0x0004
#define NGX_HTTP_LUA_CONTEXT_CONTENT 0x0008
#define NGX_HTTP_LUA_CONTEXT_LOG 0x0010
#define NGX_HTTP_LUA_CONTEXT_HEADER_FILTER 0x0020
#define NGX_HTTP_LUA_CONTEXT_BODY_FILTER 0x0040
#define NGX_HTTP_LUA_CONTEXT_TIMER 0x0080
#define NGX_HTTP_LUA_CONTEXT_INIT_WORKER 0x0100
#define NGX_HTTP_LUA_CONTEXT_BALANCER 0x0200
#define NGX_HTTP_LUA_CONTEXT_SSL_CERT 0x0400
#define NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE 0x0800
#define NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH 0x1000


#ifndef NGX_LUA_NO_FFI_API
Expand Down Expand Up @@ -204,10 +206,18 @@ struct ngx_http_lua_main_conf_s {
union ngx_http_lua_srv_conf_u {
#if (NGX_HTTP_SSL)
struct {
ngx_http_lua_srv_conf_handler_pt cert_handler;
ngx_str_t cert_src;
u_char *cert_src_key;
} ssl;
ngx_http_lua_srv_conf_handler_pt ssl_cert_handler;
ngx_str_t ssl_cert_src;
u_char *ssl_cert_src_key;

ngx_http_lua_srv_conf_handler_pt ssl_sess_store_handler;
ngx_str_t ssl_sess_store_src;
u_char *ssl_sess_store_src_key;

ngx_http_lua_srv_conf_handler_pt ssl_sess_fetch_handler;
ngx_str_t ssl_sess_fetch_src;
u_char *ssl_sess_fetch_src_key;
} srv;
#endif

struct {
13 changes: 11 additions & 2 deletions src/ngx_http_lua_control.c
Expand Up @@ -318,11 +318,16 @@ ngx_http_lua_ngx_exit(lua_State *L)
| NGX_HTTP_LUA_CONTEXT_TIMER
| NGX_HTTP_LUA_CONTEXT_HEADER_FILTER
| NGX_HTTP_LUA_CONTEXT_BALANCER
| NGX_HTTP_LUA_CONTEXT_SSL_CERT);
| NGX_HTTP_LUA_CONTEXT_SSL_CERT
| NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE
| NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH);

rc = (ngx_int_t) luaL_checkinteger(L, 1);

if (ctx->context == NGX_HTTP_LUA_CONTEXT_SSL_CERT) {
if (ctx->context & (NGX_HTTP_LUA_CONTEXT_SSL_CERT
| NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE
| NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH))
{

#if (NGX_HTTP_SSL)

Expand All @@ -332,6 +337,10 @@ ngx_http_lua_ngx_exit(lua_State *L)
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"lua exit with code %i", rc);

if (ctx->context == NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE) {
return 0;
}

return lua_yield(L, 0);

#else
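Review bot: The early `return 0` added for `NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE` just before `lua_yield` carries no explanation, and the asymmetry with the fetch context, which does yield, is exactly what a reader of ngx.exit will need to understand. I would add above it `/* the session store callback cannot yield: record the exit and finish synchronously */`, with the caveat that the constraint itself is inferred here — the OpenSSL new-session callback is synchronous as far as I know, and the CI patch name (sess_set_get_cb_yield) suggests only the get callback was made yieldable. Whatever is done with `rc` between the two hunks is hidden from this view, so I cannot tell whether the store handler later reads the recorded exit code. ngx_http_lua_ngx_exit starts and ends outside the hunk.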
12 changes: 8 additions & 4 deletions src/ngx_http_lua_coroutine.c
Expand Up @@ -77,7 +77,8 @@ ngx_http_lua_coroutine_create_helper(lua_State *L, ngx_http_request_t *r,
| NGX_HTTP_LUA_CONTEXT_ACCESS
| NGX_HTTP_LUA_CONTEXT_CONTENT
| NGX_HTTP_LUA_CONTEXT_TIMER
| NGX_HTTP_LUA_CONTEXT_SSL_CERT);
| NGX_HTTP_LUA_CONTEXT_SSL_CERT
| NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH);

vm = ngx_http_lua_get_lua_vm(r, ctx);

Expand Down Expand Up @@ -153,7 +154,8 @@ ngx_http_lua_coroutine_resume(lua_State *L)
| NGX_HTTP_LUA_CONTEXT_ACCESS
| NGX_HTTP_LUA_CONTEXT_CONTENT
| NGX_HTTP_LUA_CONTEXT_TIMER
| NGX_HTTP_LUA_CONTEXT_SSL_CERT);
| NGX_HTTP_LUA_CONTEXT_SSL_CERT
| NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH);

p_coctx = ctx->cur_co_ctx;
if (p_coctx == NULL) {
Expand Down Expand Up @@ -213,7 +215,8 @@ ngx_http_lua_coroutine_yield(lua_State *L)
| NGX_HTTP_LUA_CONTEXT_ACCESS
| NGX_HTTP_LUA_CONTEXT_CONTENT
| NGX_HTTP_LUA_CONTEXT_TIMER
| NGX_HTTP_LUA_CONTEXT_SSL_CERT);
| NGX_HTTP_LUA_CONTEXT_SSL_CERT
| NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH);

coctx = ctx->cur_co_ctx;

Expand Down Expand Up @@ -362,7 +365,8 @@ ngx_http_lua_coroutine_status(lua_State *L)
| NGX_HTTP_LUA_CONTEXT_ACCESS
| NGX_HTTP_LUA_CONTEXT_CONTENT
| NGX_HTTP_LUA_CONTEXT_TIMER
| NGX_HTTP_LUA_CONTEXT_SSL_CERT);
| NGX_HTTP_LUA_CONTEXT_SSL_CERT
| NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH);
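Review bot: The same allowed-context mask (ACCESS | CONTENT | TIMER | SSL_CERT | SSL_SESS_FETCH, presumably with REWRITE on the line above each hunk) is now spelled out by hand in all four functions here and again in ngx_http_lua_sleep.c and both hunks of ngx_http_lua_socket_tcp.c; every new yieldable phase means editing each copy, and a missed copy silently permits or forbids an API in that phase. Define it once in ngx_http_lua_common.h, e.g. `#define NGX_HTTP_LUA_CONTEXT_YIELDABLE (NGX_HTTP_LUA_CONTEXT_REWRITE | NGX_HTTP_LUA_CONTEXT_ACCESS | NGX_HTTP_LUA_CONTEXT_CONTENT | NGX_HTTP_LUA_CONTEXT_TIMER | NGX_HTTP_LUA_CONTEXT_SSL_CERT | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH)`, and pass it to each ngx_http_lua_check_context call. Since SSL_SESS_STORE is deliberately absent from these lists, a short comment on the macro recording that the store phase must not yield would preserve that decision. The enclosing functions all start and end outside the hunks.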

coctx = ngx_http_lua_get_co_ctx(co, ctx);
if (coctx == NULL) {
105 changes: 97 additions & 8 deletions src/ngx_http_lua_module.c
Expand Up @@ -26,6 +26,8 @@
#include "ngx_http_lua_semaphore.h"
#include "ngx_http_lua_balancer.h"
#include "ngx_http_lua_ssl_certby.h"
#include "ngx_http_lua_ssl_session_storeby.h"
#include "ngx_http_lua_ssl_session_fetchby.h"


static void *ngx_http_lua_create_main_conf(ngx_conf_t *cf);
Expand Down Expand Up @@ -525,6 +527,34 @@ static ngx_command_t ngx_http_lua_cmds[] = {
0,
(void *) ngx_http_lua_ssl_cert_handler_file },

{ ngx_string("ssl_session_store_by_lua_block"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
ngx_http_lua_ssl_sess_store_by_lua_block,
NGX_HTTP_SRV_CONF_OFFSET,
0,
(void *) ngx_http_lua_ssl_sess_store_handler_inline },

{ ngx_string("ssl_session_store_by_lua_file"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
ngx_http_lua_ssl_sess_store_by_lua,
NGX_HTTP_SRV_CONF_OFFSET,
0,
(void *) ngx_http_lua_ssl_sess_store_handler_file },

{ ngx_string("ssl_session_fetch_by_lua_block"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
ngx_http_lua_ssl_sess_fetch_by_lua_block,
NGX_HTTP_SRV_CONF_OFFSET,
0,
(void *) ngx_http_lua_ssl_sess_fetch_handler_inline },

{ ngx_string("ssl_session_fetch_by_lua_file"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
ngx_http_lua_ssl_sess_fetch_by_lua,
NGX_HTTP_SRV_CONF_OFFSET,
0,
(void *) ngx_http_lua_ssl_sess_fetch_handler_file },

{ ngx_string("lua_ssl_verify_depth"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_conf_set_num_slot,
Expand Down Expand Up @@ -855,9 +885,18 @@ ngx_http_lua_create_srv_conf(ngx_conf_t *cf)
}

/* set by ngx_pcalloc:
* lscf->ssl.cert_handler = NULL;
* lscf->ssl.cert_src = { 0, NULL };
* lscf->ssl.cert_src_key = NULL;
* lscf->srv.ssl_cert_handler = NULL;
* lscf->srv.ssl_cert_src = { 0, NULL };
* lscf->srv.ssl_cert_src_key = NULL;
*
* lscf->srv.ssl_session_store_handler = NULL;
* lscf->srv.ssl_session_store_src = { 0, NULL };
* lscf->srv.ssl_session_store_src_key = NULL;
*
* lscf->srv.ssl_session_fetch_handler = NULL;
* lscf->srv.ssl_session_fetch_src = { 0, NULL };
* lscf->srv.ssl_session_fetch_src_key = NULL;
*
* lscf->balancer.handler = NULL;
* lscf->balancer.src = { 0, NULL };
* lscf->balancer.src_key = NULL;
Expand All @@ -878,13 +917,13 @@ ngx_http_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)

dd("merge srv conf");

if (conf->ssl.cert_src.len == 0) {
conf->ssl.cert_src = prev->ssl.cert_src;
conf->ssl.cert_src_key = prev->ssl.cert_src_key;
conf->ssl.cert_handler = prev->ssl.cert_handler;
if (conf->srv.ssl_cert_src.len == 0) {
conf->srv.ssl_cert_src = prev->srv.ssl_cert_src;
conf->srv.ssl_cert_src_key = prev->srv.ssl_cert_src_key;
conf->srv.ssl_cert_handler = prev->srv.ssl_cert_handler;
}

if (conf->ssl.cert_src.len) {
if (conf->srv.ssl_cert_src.len) {
sscf = ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module);
if (sscf == NULL || sscf->ssl.ctx == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
Expand Down Expand Up @@ -913,6 +952,56 @@ ngx_http_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)

# endif

#endif
}

if (conf->srv.ssl_sess_store_src.len == 0) {
conf->srv.ssl_sess_store_src = prev->srv.ssl_sess_store_src;
conf->srv.ssl_sess_store_src_key = prev->srv.ssl_sess_store_src_key;
conf->srv.ssl_sess_store_handler = prev->srv.ssl_sess_store_handler;
}

if (conf->srv.ssl_sess_store_src.len) {
sscf = ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module);
if (sscf == NULL || sscf->ssl.ctx == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no ssl configured for the server");

return NGX_CONF_ERROR;
}

#ifdef LIBRESSL_VERSION_NUMBER
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"LibreSSL does not support ssl_session_store_by_lua*");
return NGX_CONF_ERROR;
#else
SSL_CTX_sess_set_new_cb(sscf->ssl.ctx,
ngx_http_lua_ssl_sess_store_handler);
#endif
}

if (conf->srv.ssl_sess_fetch_src.len == 0) {
conf->srv.ssl_sess_fetch_src = prev->srv.ssl_sess_fetch_src;
conf->srv.ssl_sess_fetch_src_key = prev->srv.ssl_sess_fetch_src_key;
conf->srv.ssl_sess_fetch_handler = prev->srv.ssl_sess_fetch_handler;
}

if (conf->srv.ssl_sess_fetch_src.len) {
sscf = ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module);
if (sscf == NULL || sscf->ssl.ctx == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no ssl configured for the server");

return NGX_CONF_ERROR;
}

#ifdef LIBRESSL_VERSION_NUMBER
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"LibreSSL does not support ssl_session_fetch_by_lua*");
return NGX_CONF_ERROR;
#else
SSL_CTX_sess_set_get_cb(sscf->ssl.ctx,
ngx_http_lua_ssl_sess_fetch_handler);
#endif
}
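Review bot: The updated ngx_pcalloc comment in ngx_http_lua_create_srv_conf names `lscf->srv.ssl_session_store_handler`, `ssl_session_store_src`, `ssl_session_store_src_key` and the matching `ssl_session_fetch_*` trio, but the members added to the `srv` struct in ngx_http_lua_common.h and used below in ngx_http_lua_merge_srv_conf are `ssl_sess_store_*` and `ssl_sess_fetch_*`; the comment should read `* lscf->srv.ssl_sess_store_handler = NULL;` and so on for all six lines so a search for the member finds it. Separately, the three merge blocks repeat the same `ngx_http_conf_get_module_srv_conf` lookup, the "no ssl configured for the server" check and the LibreSSL guard; a small static helper returning the validated `sscf` (or NULL after logging) would keep them in step as more SSL phases are added. Both functions start and end outside the hunks.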

10 changes: 9 additions & 1 deletion src/ngx_http_lua_phase.c
Expand Up @@ -84,8 +84,16 @@ ngx_http_lua_ngx_get_phase(lua_State *L)
lua_pushliteral(L, "ssl_cert");
break;

case NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE:
lua_pushliteral(L, "ssl_session_store");
break;

case NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH:
lua_pushliteral(L, "ssl_session_fetch");
break;

default:
return luaL_error(L, "unknown phase: %d", (int) ctx->context);
return luaL_error(L, "unknown phase: %#x", (int) ctx->context);
}

return 1;
3 changes: 2 additions & 1 deletion src/ngx_http_lua_sleep.c
Expand Up @@ -56,7 +56,8 @@ ngx_http_lua_ngx_sleep(lua_State *L)
| NGX_HTTP_LUA_CONTEXT_ACCESS
| NGX_HTTP_LUA_CONTEXT_CONTENT
| NGX_HTTP_LUA_CONTEXT_TIMER
| NGX_HTTP_LUA_CONTEXT_SSL_CERT);
| NGX_HTTP_LUA_CONTEXT_SSL_CERT
| NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH);

coctx = ctx->cur_co_ctx;
if (coctx == NULL) {
6 changes: 4 additions & 2 deletions src/ngx_http_lua_socket_tcp.c
Expand Up @@ -386,7 +386,8 @@ ngx_http_lua_socket_tcp(lua_State *L)
| NGX_HTTP_LUA_CONTEXT_ACCESS
| NGX_HTTP_LUA_CONTEXT_CONTENT
| NGX_HTTP_LUA_CONTEXT_TIMER
| NGX_HTTP_LUA_CONTEXT_SSL_CERT);
| NGX_HTTP_LUA_CONTEXT_SSL_CERT
| NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH);

lua_createtable(L, 3 /* narr */, 1 /* nrec */);
lua_pushlightuserdata(L, &ngx_http_lua_tcp_socket_metatable_key);
Expand Down Expand Up @@ -444,7 +445,8 @@ ngx_http_lua_socket_tcp_connect(lua_State *L)
| NGX_HTTP_LUA_CONTEXT_ACCESS
| NGX_HTTP_LUA_CONTEXT_CONTENT
| NGX_HTTP_LUA_CONTEXT_TIMER
| NGX_HTTP_LUA_CONTEXT_SSL_CERT);
| NGX_HTTP_LUA_CONTEXT_SSL_CERT
| NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH);

luaL_checktype(L, 1, LUA_TTABLE);

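--- /dev/null
+++ b/src/ngx_http_lua_ssl.c
@@ -0,0 +1,37 @@
+
+/*
+* Copyright (C) Yichun Zhang (agentzh)
+*/
+
+
+#ifndef DDEBUG
+#define DDEBUG 0
+#endif
+#include "ddebug.h"
+
+
+#if (NGX_HTTP_SSL)
+
+
+int ngx_http_lua_ssl_ctx_index = -1;
+
+
+ngx_int_t
+ngx_http_lua_ssl_init(ngx_log_t *log)
+{
+if (ngx_http_lua_ssl_ctx_index == -1) {
+ngx_http_lua_ssl_ctx_index = SSL_get_ex_new_index(0, NULL, NULL,
+NULL, NULL);
+
+if (ngx_http_lua_ssl_ctx_index == -1) {
+ngx_ssl_error(NGX_LOG_ALERT, log, 0,
+"lua: SSL_get_ex_new_index() for ctx failed");
+return NGX_ERROR;
+}
+}
+
+return NGX_OK;
+}
+
+
+#endif /* NGX_HTTP_SSL */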
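Review bot: Neither the global `ngx_http_lua_ssl_ctx_index` nor `ngx_http_lua_ssl_init` says what the ex_data slot is for or why the index is allocated lazily behind a `-1` sentinel. I would put `/* SSL ex_data index for the per-connection Lua SSL context; -1 until allocated */` above the global and `/* Idempotent: allocates the ex_data index on first call only; returns NGX_ERROR if OpenSSL refuses */` above the function. What is actually stored at that index is not visible in this file, so the "Lua SSL context" wording is inferred from the name and should be confirmed against the callers. The idempotence is worth stating explicitly because the function is presumably invoked once per configured server rather than once per process.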