Merged
30 changes: 17 additions & 13 deletions patch/1.19.3/lua-resty-core-tlshandshake.patch
@@ -29,10 +29,10 @@ index 5472230..7d3ab16 100644

diff --git lib/resty/core/socket/tcp.lua lib/resty/core/socket/tcp.lua
new file mode 100644
index 0000000..4b59adb
index 0000000..89454ad
--- /dev/null
+++ lib/resty/core/socket/tcp.lua
@@ -0,0 +1,273 @@
@@ -0,0 +1,277 @@
+-- Copyright (C) by OpenResty Inc.
+
+
@@ -224,19 +224,15 @@ index 0000000..4b59adb
+ error("no request ctx found", 2)
+ end
+
+ while true do
+ if rc == FFI_ERROR then
+ if openssl_error_code[0] ~= 0 then
+ return nil, openssl_error_code[0] .. ": " .. ffi_str(errmsg[0])
+ end
+
+ return nil, ffi_str(errmsg[0])
+ end
+ if rc == FFI_ERROR then
+ return nil, ffi_str(errmsg[0])
+ end
+
+ if rc == FFI_DONE then
+ return reused_session
+ end
+ if rc == FFI_DONE then
+ return reused_session
+ end
+
+ while true do
+ if rc == FFI_OK then
+ if reused_session == false then
+ return true
@@ -260,6 +256,14 @@ index 0000000..4b59adb
+
+ rc = ngx_lua_ffi_socket_tcp_get_tlshandshake_result(r, u,
+ session_ptr, errmsg, openssl_error_code)
+
+ if rc == FFI_ERROR then
+ if openssl_error_code[0] ~= 0 then
+ return nil, openssl_error_code[0] .. ": " .. ffi_str(errmsg[0])
+ end
+
+ return nil, ffi_str(errmsg[0])
+ end
+ end
+end
+
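Review bot: The error branch added after the `ngx_lua_ffi_socket_tcp_get_tlshandshake_result` call in the last hunk reads `openssl_error_code[0]` without the Lua side clearing it first, so the reported code is only as fresh as the C function makes it. The declaration of `openssl_error_code` is outside the visible hunks; if it is a buffer reused across calls and the C side writes it only on verification failures, a later unrelated error could still be prefixed with an earlier verify code and mislead whoever is diagnosing a certificate problem. Setting `openssl_error_code[0] = 0` immediately before the call would make the check independent of that. If the pre-loop `FFI_ERROR` branch drops the code because the initial call never fills it, a comment saying so would help, e.g. `-- initial call does not report an OpenSSL code; errmsg only`. The enclosing function starts above the second hunk and part of the loop body is collapsed between the hunks.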
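--- a/t/cosocket_mtls.t
+++ b/t/cosocket_mtls.t
@@ -0,0 +1,53 @@
+use t::APISIX_NGINX 'no_plan';
+
+add_block_preprocessor(sub {
+my ($block) = @_;
+
+if (!$block->http_config) {
+my $http_config = <<'_EOC_';
+server {
+listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+server_name admin.apisix.dev;
+ssl_certificate ../../certs/mtls_server.crt;
+ssl_certificate_key ../../certs/mtls_server.key;
+ssl_client_certificate ../../certs/mtls_server.crt;
+ssl_verify_client on;
+
+location / {
+return 200 'ok\n';
+}
+}
+
+_EOC_
+
+$block->set_value("http_config", $http_config);
+}
+});
+
+run_tests;
+
+__DATA__
+
+=== TEST 1: avoid using stale openssl error code
+--- config
+location /t {
+access_by_lua_block {
+local sock = ngx.socket.tcp()
+sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")
+for i = 1, 2 do
+local ok, err = sock:tlshandshake({
+verify = true,
+client_cert_path = "t/certs/mtls_client.crt",
+client_priv_key_path = "t/certs/mtls_client.key",
+})
+if not ok then
+ngx.say(err)
+end
+end
+}
+}
+--- response_body
+20: unable to get local issuer certificate
+closed
+--- error_log
+[error]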
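Review bot: The return value of `sock:connect(...)` in TEST 1 is discarded, so a failed connect to the unix socket would surface only as an unexpected handshake error string and make the failure hard to read. Capture it and stop early, e.g. `local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")` followed by `if not ok then ngx.say("failed to connect: ", err) return end`. A short comment above the `for i = 1, 2 do` loop would also document the intent: `-- 1st handshake fails verification (code 20); the 2nd hits the closed socket and must not repeat that code`.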