From 88e8fddd983e65066d2580544af076b8fce0240d Mon Sep 17 00:00:00 2001
From: Thibault Charbonnier
Date: Tue, 26 Jan 2016 15:46:38 -0800
Subject: [PATCH] chore(resty) compatible with OpenResty 1.9.7.*
ssl_cert_by_lua is only supported in the form of ssl_cert_by_lua_block
This does not yet update the other directives to the newer *by_lua_block syntax.
---
 .ci/setup_openresty.sh | 16 --
 .travis.yml | 2 +-
 kong-0.6.1-0.rockspec | 1 -
 kong.yml | 5 +-
 kong/vendor/ssl.lua | 333 -----------------------------------------
 5 files changed, 4 insertions(+), 353 deletions(-)
 delete mode 100644 kong/vendor/ssl.lua
diff --git a/.ci/setup_openresty.sh b/.ci/setup_openresty.sh
index a65e9a521ff..b356cdd56b0 100644
--- a/.ci/setup_openresty.sh
+++ b/.ci/setup_openresty.sh
@@ -19,22 +19,6 @@ if [ ! "$(ls -A $OPENRESTY_DIR)" ]; then
 curl https://openresty.org/download/$OPENRESTY_BASE.tar.gz | tar xz
 pushd $OPENRESTY_BASE
- # Download and apply nginx patch
- pushd bundle/nginx-*
- wget https://raw.githubusercontent.com/openresty/lua-nginx-module/ssl-cert-by-lua/patches/nginx-ssl-cert.patch --no-check-certificate
- patch -p1 < nginx-ssl-cert.patch
- popd
-
- # Download `ssl-cert-by-lua` branch
- pushd bundle
- wget https://github.com/openresty/lua-nginx-module/archive/ssl-cert-by-lua.tar.gz -O ssl-cert-by-lua.tar.gz --no-check-certificate
- tar xzf ssl-cert-by-lua.tar.gz
- # Replace `ngx_lua-*` with `ssl-cert-by-lua` branch
- NGX_LUA=`ls | grep ngx_lua-*`
- rm -rf $NGX_LUA
- mv lua-nginx-module-ssl-cert-by-lua $NGX_LUA
- popd
-
 ./configure \
 --prefix=$OPENRESTY_DIR \
 --with-luajit=$LUA_DIR \
diff --git a/.travis.yml b/.travis.yml
index 226ce18e1d6..35d8a04a655 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -13,7 +13,7 @@ env:
 global:
 - LUAJIT=2.1
 - LUAROCKS=2.3.0
- - OPENRESTY=1.9.3.1
+ - OPENRESTY=1.9.7.2
 - CASSANDRA=2.2.4
 - OPENSSL=1.0.2f
 - SERF=0.7.0
diff --git a/kong-0.6.1-0.rockspec b/kong-0.6.1-0.rockspec
index a921b74259b..849a73c7487 100644
--- a/kong-0.6.1-0.rockspec
+++ b/kong-0.6.1-0.rockspec
@@ -41,7 +41,6 @@ build = {
 ["classic"] = "kong/vendor/classic.lua",
 ["lapp"] = "kong/vendor/lapp.lua",
- ["ngx.ssl"] = "kong/vendor/ssl.lua",
 ["resty_http"] = "kong/vendor/resty_http.lua",
 ["kong.constants"] = "kong/constants.lua",
diff --git a/kong.yml b/kong.yml
index b306a44978f..ff94d18185c 100644
--- a/kong.yml
+++ b/kong.yml
@@ -240,7 +240,9 @@ nginx: |
 listen {{proxy_listen}};
 listen {{proxy_listen_ssl}} ssl;
- ssl_certificate_by_lua 'kong.ssl_certificate()';
+ ssl_certificate_by_lua_block {
+ kong.ssl_certificate()
+ }
 ssl_certificate {{ssl_cert}};
 ssl_certificate_key {{ssl_key}};
@@ -256,7 +258,6 @@ nginx: |
 # Authenticate the user and load the API info
 access_by_lua 'kong.access()';
- # Proxy the request
 # Proxy the request
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
diff --git a/kong/vendor/ssl.lua b/kong/vendor/ssl.lua
deleted file mode 100644
index 9f909981664..00000000000
--- a/kong/vendor/ssl.lua
+++ /dev/null
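Review bot: The new `ssl_certificate_by_lua_block` still dispatches to `kong.ssl_certificate()` while this same commit removes the vendored `ngx.ssl` module (`kong/vendor/ssl.lua`, dropped from the rockspec), so the handler presumably now depends on the `ngx.ssl` that OpenResty 1.9.7.2 ships in lua-resty-core; nothing in this hunk shows the template's `lua_package_path` resolving that module, which is worth confirming, because an error raised inside this handler fails the TLS handshake on `{{proxy_listen_ssl}}` rather than a single request. A short comment above the block would record the dependency for the next person touching the template, e.g. `# SNI certificate selection; needs ngx.ssl from OpenResty >= 1.9.7 (lua-resty-core), the vendored copy was removed`. The enclosing `nginx:` template starts and ends outside the hunk.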
@@ -1,333 +0,0 @@ --- Copyright (C) 2014 Yichun Zhang - - -local ffi = require "ffi" -local base = require "resty.core.base" - - -local C = ffi.C -local ffi_str = ffi.string -local getfenv = getfenv -local errmsg = base.get_errmsg_ptr() -local get_string_buf = base.get_string_buf -local get_string_buf_size = base.get_string_buf_size -local get_size_ptr = base.get_size_ptr -local FFI_DECLINED = base.FFI_DECLINED -local FFI_OK = base.FFI_OK -local FFI_BUSY = base.FFI_BUSY -local FFI_DECLINED = base.FFI_DECLINED - - -ffi.cdef[[ - -struct ngx_ssl_conn_s; -typedef struct ngx_ssl_conn_s ngx_ssl_conn_t; - -int ngx_http_lua_ffi_ssl_set_der_certificate(ngx_http_request_t *r, - const char *data, size_t len, char **err); - -int ngx_http_lua_ffi_ssl_clear_certs(ngx_http_request_t *r, char **err); - -int ngx_http_lua_ffi_ssl_set_der_private_key(ngx_http_request_t *r, - const char *data, size_t len, char **err); - -int ngx_http_lua_ffi_ssl_raw_server_addr(ngx_http_request_t *r, char **addr, - size_t *addrlen, int *addrtype, char **err); - -int ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name, - size_t *namelen, char **err); - -int ngx_http_lua_ffi_cert_pem_to_der(const unsigned char *pem, size_t pem_len, - unsigned char *der, char **err); - -int ngx_http_lua_ffi_ssl_get_ocsp_responder_from_der_chain( - const char *chain_data, size_t chain_len, char *out, size_t *out_size, - char **err); - -int ngx_http_lua_ffi_ssl_create_ocsp_request(const char *chain_data, - size_t chain_len, unsigned char *out, size_t *out_size, char **err); - -int ngx_http_lua_ffi_ssl_validate_ocsp_response(const unsigned char *resp, - size_t resp_len, const char *chain_data, size_t chain_len, - unsigned char *errbuf, size_t *errbuf_size); - -int ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r, - const unsigned char *resp, size_t resp_len, char **err); - -int ngx_http_lua_ffi_ssl_get_tls1_version(ngx_http_request_t *r, char **err); -]] - - -local _M = {} - - -local charpp = 
ffi.new("char*[1]") -local intp = ffi.new("int[1]") - - -function _M.clear_certs(data) - local r = getfenv(0).__ngx_req - if not r then - return error("no request found") - end - - local rc = C.ngx_http_lua_ffi_ssl_clear_certs(r, errmsg) - if rc == FFI_OK then - return true - end - - return nil, ffi_str(errmsg[0]) -end - - -function _M.set_der_cert(data) - local r = getfenv(0).__ngx_req - if not r then - return error("no request found") - end - - local rc = C.ngx_http_lua_ffi_ssl_set_der_certificate(r, data, #data, - errmsg) - if rc == FFI_OK then - return true - end - - return nil, ffi_str(errmsg[0]) -end - - -function _M.set_der_priv_key(data) - local r = getfenv(0).__ngx_req - if not r then - return error("no request found") - end - - local rc = C.ngx_http_lua_ffi_ssl_set_der_private_key(r, data, #data, - errmsg) - if rc == FFI_OK then - return true - end - - return nil, ffi_str(errmsg[0]) -end - - -local addr_types = { - [1] = "unix", - [2] = "inet", - [10] = "inet6", -} - - -function _M.raw_server_addr() - local r = getfenv(0).__ngx_req - if not r then - return error("no request found") - end - - local sizep = get_size_ptr() - - local rc = C.ngx_http_lua_ffi_ssl_raw_server_addr(r, charpp, sizep, - intp, errmsg) - if rc == FFI_OK then - local typ = addr_types[intp[0]] - if not typ then - return nil, nil, "unknown address type: " .. 
intp[0] - end - return ffi_str(charpp[0], sizep[0]), typ - end - - return nil, nil, ffi_str(errmsg[0]) -end - - -function _M.server_name() - local r = getfenv(0).__ngx_req - if not r then - return error("no request found") - end - - local sizep = get_size_ptr() - - local rc = C.ngx_http_lua_ffi_ssl_server_name(r, charpp, sizep, errmsg) - if rc == FFI_OK then - return ffi_str(charpp[0], sizep[0]) - end - - if rc == FFI_DECLINED then - return nil - end - - return nil, ffi_str(errmsg[0]) -end - - -function _M.cert_pem_to_der(pem) - local r = getfenv(0).__ngx_req - if not r then - return error("no request found") - end - - local outbuf = get_string_buf(#pem) - - local sz = C.ngx_http_lua_ffi_cert_pem_to_der(pem, #pem, outbuf, errmsg) - if sz > 0 then - return ffi_str(outbuf, sz) - end - - return nil, ffi_str(errmsg[0]) -end - - -function _M.get_ocsp_responder_from_der_chain(data, maxlen) - - local buf_size = maxlen - if not buf_size then - buf_size = get_string_buf_size() - end - local buf = get_string_buf(buf_size) - - local sizep = get_size_ptr() - sizep[0] = buf_size - - local rc = C.ngx_http_lua_ffi_ssl_get_ocsp_responder_from_der_chain(data, - #data, buf, sizep, errmsg) - - if rc == FFI_DECLINED then - return nil - end - - if rc == FFI_OK then - return ffi_str(buf, sizep[0]) - end - - if rc == FFI_BUSY then - return ffi_str(buf, sizep[0]), "truncated" - end - - return nil, ffi_str(errmsg[0]) -end - - -function _M.create_ocsp_request(data, maxlen) - - local buf_size = maxlen - if not buf_size then - buf_size = get_string_buf_size() - end - local buf = get_string_buf(buf_size) - - local sizep = get_size_ptr() - sizep[0] = buf_size - - local rc = C.ngx_http_lua_ffi_ssl_create_ocsp_request(data, - #data, buf, sizep, - errmsg) - - if rc == FFI_OK then - return ffi_str(buf, sizep[0]) - end - - if rc == FFI_BUSY then - return nil, ffi_str(errmsg[0]) .. ": " .. tonumber(sizep[0]) - .. " > " .. 
buf_size - end - - return nil, ffi_str(errmsg[0]) -end - - -function _M.validate_ocsp_response(resp, chain, max_errmsg_len) - - local errbuf_size = max_errmsg_len - if not errbuf_size then - errbuf_size = get_string_buf_size() - end - local errbuf = get_string_buf(errbuf_size) - - local sizep = get_size_ptr() - sizep[0] = errbuf_size - - local rc = C.ngx_http_lua_ffi_ssl_validate_ocsp_response( - resp, #resp, chain, #chain, errbuf, sizep) - - if rc == FFI_OK then - return true - end - - -- rc == FFI_ERROR - - return nil, ffi_str(errbuf, sizep[0]) -end - - -function _M.set_ocsp_status_resp(data) - local r = getfenv(0).__ngx_req - if not r then - return error("no request found") - end - - local rc = C.ngx_http_lua_ffi_ssl_set_ocsp_status_resp(r, data, #data, - errmsg) - - if rc == FFI_DECLINED then - -- no client status req - return true, "no status req" - end - - if rc == FFI_OK then - return true - end - - -- rc == FFI_ERROR - - return nil, ffi_str(errmsg[0]) -end - - -local function get_tls1_version() - - local r = getfenv(0).__ngx_req - if not r then - return error("no request found") - end - - local ver = C.ngx_http_lua_ffi_ssl_get_tls1_version(r, errmsg) - - ver = tonumber(ver) - - if ver >= 0 then - return ver - end - - -- rc == FFI_ERROR - - return nil, ffi_str(errmsg[0]) -end -_M.get_tls1_version = get_tls1_version - - -do - _M.SSL3_VERSION = 0x0300 - _M.TLS1_VERSION = 0x0301 - _M.TLS1_1_VERSION = 0x0302 - _M.TLS1_2_VERSION = 0x0303 - - local map = { - [_M.SSL3_VERSION] = "SSLv3", - [_M.TLS1_VERSION] = "TLSv1", - [_M.TLS1_1_VERSION] = "TLSv1.1", - [_M.TLS1_2_VERSION] = "TLSv1.2", - } - - function _M.get_tls1_version_str() - local ver, err = get_tls1_version() - if not ver then - return nil, err - end - return map[ver] - end -end - - -return _M