From 5f54410791ca9a3a6de5485cc6e2996b7296337c Mon Sep 17 00:00:00 2001 From: spacewander Date: Tue, 8 Jun 2021 11:20:01 +0800 Subject: [PATCH] fix(mtls): avoid using stale openssl error code --- .../1.19.3/lua-resty-core-tlshandshake.patch | 30 ++++++----- t/cosocket_mtls.t | 53 +++++++++++++++++++ 2 files changed, 70 insertions(+), 13 deletions(-) create mode 100644 t/cosocket_mtls.t diff --git a/patch/1.19.3/lua-resty-core-tlshandshake.patch b/patch/1.19.3/lua-resty-core-tlshandshake.patch index 594fc67..5a8aa87 100644 --- a/patch/1.19.3/lua-resty-core-tlshandshake.patch +++ b/patch/1.19.3/lua-resty-core-tlshandshake.patch @@ -29,10 +29,10 @@ index 5472230..7d3ab16 100644 diff --git lib/resty/core/socket/tcp.lua lib/resty/core/socket/tcp.lua new file mode 100644 -index 0000000..4b59adb +index 0000000..89454ad --- /dev/null +++ lib/resty/core/socket/tcp.lua -@@ -0,0 +1,273 @@ +@@ -0,0 +1,277 @@ +-- Copyright (C) by OpenResty Inc. + + @@ -224,19 +224,15 @@ index 0000000..4b59adb + error("no request ctx found", 2) + end + -+ while true do -+ if rc == FFI_ERROR then -+ if openssl_error_code[0] ~= 0 then -+ return nil, openssl_error_code[0] .. ": " .. ffi_str(errmsg[0]) -+ end -+ -+ return nil, ffi_str(errmsg[0]) -+ end ++ if rc == FFI_ERROR then ++ return nil, ffi_str(errmsg[0]) ++ end + -+ if rc == FFI_DONE then -+ return reused_session -+ end ++ if rc == FFI_DONE then ++ return reused_session ++ end + ++ while true do + if rc == FFI_OK then + if reused_session == false then + return true @@ -260,6 +256,14 @@ index 0000000..4b59adb + + rc = ngx_lua_ffi_socket_tcp_get_tlshandshake_result(r, u, + session_ptr, errmsg, openssl_error_code) ++ ++ if rc == FFI_ERROR then ++ if openssl_error_code[0] ~= 0 then ++ return nil, openssl_error_code[0] .. ": " .. ffi_str(errmsg[0]) ++ end ++ ++ return nil, ffi_str(errmsg[0]) ++ end + end +end + diff --git a/t/cosocket_mtls.t b/t/cosocket_mtls.t new file mode 100644 index 0000000..270f644 --- /dev/null +++ b/t/cosocket_mtls.t 
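Review bot: The FFI_DONE branch now runs only once before the loop, so a FFI_DONE result returned by ngx_lua_ffi_socket_tcp_get_tlshandshake_result inside the loop (second hunk of the patch file, right after the new FFI_ERROR check) is no longer returned as reused_session, whereas the old loop tested it on every iteration. If that call can report FFI_DONE, the same guard belongs after the error check: `if rc == FFI_DONE then return reused_session end`. The pre-loop FFI_ERROR branch also drops openssl_error_code entirely, which is correct only if the first handshake call never populates it; a comment such as `-- openssl_error_code is only set by get_tlshandshake_result, so it is read only after that call` would record that assumption for the next maintainer. The enclosing function and the loop body between `return true` and the `rc =` call lie outside these hunks, so whether the loop has another exit for FFI_DONE cannot be confirmed here.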
@@ -0,0 +1,53 @@
+use t::APISIX_NGINX 'no_plan';
+
+add_block_preprocessor(sub {
+ my ($block) = @_;
+
+ if (!$block->http_config) {
+ my $http_config = <<'_EOC_';
+ server {
+ listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+ server_name admin.apisix.dev;
+ ssl_certificate ../../certs/mtls_server.crt;
+ ssl_certificate_key ../../certs/mtls_server.key;
+ ssl_client_certificate ../../certs/mtls_server.crt;
+ ssl_verify_client on;
+
+ location / {
+ return 200 'ok\n';
+ }
+ }
+
+_EOC_
+
+ $block->set_value("http_config", $http_config);
+ }
+});
+
+run_tests;
+
+__DATA__
+
+=== TEST 1: avoid using stale openssl error code
+--- config
+ location /t {
+ access_by_lua_block {
+ local sock = ngx.socket.tcp()
+ sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")
+ for i = 1, 2 do
+ local ok, err = sock:tlshandshake({
+ verify = true,
+ client_cert_path = "t/certs/mtls_client.crt",
+ client_priv_key_path = "t/certs/mtls_client.key",
+ })
+ if not ok then
+ ngx.say(err)
+ end
+ end
+ }
+ }
+--- response_body
+20: unable to get local issuer certificate
+closed
+--- error_log
+[error]
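Review bot: `sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")` in the access_by_lua_block ignores its return values, so a failed connect would only surface as an unrelated tlshandshake error and the test would fail on the response body rather than on the real cause; `local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")` followed by `if not ok then ngx.say("connect: ", err) return end` makes the failure mode explicit. The `--- error_log` expectation of a bare `[error]` matches any error line nginx emits, so it does not actually tie the test to the handshake failure; pinning it to the expected verify message would make the regression check stricter. A one-line comment above the loop, such as `-- second handshake on the same socket must not report the first attempt's openssl error code`, would explain why two iterations are needed and why the second line of the expected body is `closed`.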