feature: add function tcpsock:setclientcert, reimplemented tcpsock:sslhandshake with FFI.
#278
Conversation
dndx
force-pushed
the
feat/cosocket_tlshandshake
branch
from
68ca312
to
3b5e699
Compare
dndx
force-pushed
the
feat/cosocket_tlshandshake
branch
from
da4f865
to
9e5a7d7
Compare
dndx
force-pushed
the
feat/cosocket_tlshandshake
branch
from
9e5a7d7
to
d27f2af
Compare
dndx
force-pushed
the
feat/cosocket_tlshandshake
branch
5 times, most recently
from
8d4d81b
to
e3c7f85
Compare
There was a problem hiding this comment.
A couple of comments to get your thoughts @dndx; I have a local branch in which I already made edits that I would like to suggest in this PR, maybe as a new commit that we can squash at merge time, if that sounds good to you.
|
@thibaultcha Squashing at merge sounds good to me :) |
thibaultcha
force-pushed
the
feat/cosocket_tlshandshake
branch
from
414879b
to
71d1257
Compare
|
@dndx |
|
@spacewander not a problem, I will resolve it today! |
dndx
force-pushed
the
feat/cosocket_tlshandshake
branch
from
71d1257
to
42710cb
Compare
lib/resty/core/socket/tcp.lua
Outdated
| end | ||
|
|
||
| sock.tlshandshake = tlshandshake | ||
| sock.sslhandshake = sslhandshake |
There was a problem hiding this comment.
@dndx I think it's better to move this module into this file? we can save two set field operations then.
https://github.com/openresty/lua-resty-core/blob/master/lib/resty/core/socket.lua
|
It's confusing to have both |
chronolaw
force-pushed
the
feat/cosocket_tlshandshake
branch
11 times, most recently
from
a4acb9c
to
00361a0
Compare
|
@chronolaw would you please rebase to the master ? |
| local openssl_error_code = ffi_new("int[1]") | ||
|
|
||
|
|
||
| local function setclientcert(cosocket, cert, pkey) |
There was a problem hiding this comment.
| local function setclientcert(cosocket, cert, pkey) | |
| local function set_client_cert(cosocket, cert, pkey) |
There was a problem hiding this comment.
This is to keep the style consistent with existing cosocket API function names. e.g. tcpsock:getreusedtimes
lib/resty/core/socket.lua
Outdated
| local n = select("#", ...) | ||
| if not cosocket or n > 1 then | ||
| error("ngx.socket sslhandshake: expecting 1 ~ 5 arguments " .. | ||
| "(including the object), but seen " .. (cosocket and 5 + n or 0)) | ||
| end |
There was a problem hiding this comment.
| local n = select("#", ...) | |
| if not cosocket or n > 1 then | |
| error("ngx.socket sslhandshake: expecting 1 ~ 5 arguments " .. | |
| "(including the object), but seen " .. (cosocket and 5 + n or 0)) | |
| end |
There was a problem hiding this comment.
I don't think we need this test.
And if you want to test the number, it is
if not cosocket or n > 0
There was a problem hiding this comment.
@chronolaw I think @zhuizhuhaomeng is correct here. Since the Lua implementation of sslhandshake already takes 5 arguments, it will be incorrect to check not cosocket or n > 1 as that indicates there are 7 arguments passed. It should be not cosocket or n > 0 instead.
lib/resty/core/socket.lua
Outdated
| end | ||
|
|
||
| if session_ptr[0] == nil then | ||
| return nil |
There was a problem hiding this comment.
should return the error at the same time
There was a problem hiding this comment.
See my reviews, I think we can remove this if session_ptr[0] == nil then branch altogether and keep only the assert below.
There was a problem hiding this comment.
Actually, I had a closer look at this logic compared to https://github.com/openresty/lua-nginx-module/blob/master/src/ngx_http_lua_socket_tcp.c#L1935-L1956. The issue is that:
In the original C implementation, when the server did not turn on session reuse, the sslhandshake function returned a lightuserdata that is NULL and did not set the __gc meta method on it. This is different than returning a Lua nil value which indicates an error.
Therefore, we should mimic this behavior by returning the session_ptr[0] cdata directly and not call ffi.gc on it. From the user's perspective, the handshake is still a success.
dndx
changed the title
tcpsock:tlshandshake and tcpsock:sslhandshaketcpsock:setclientcert, reimplemented tcpsock:sslhandshake with FFI.
|
It just follows the idiom of openresty, like |
|
It makes test case #31 happy in |
|
It works like original C function |
dndx
force-pushed
the
feat/cosocket_tlshandshake
branch
from
f68dc90
to
cdb745d
Compare
…k:sslhandshake` with FFI This adds support for setting client certificate/private key that will be used later for mutual TLS handshake with a server. Also, the `tcpsock:sslhandshake` implementation has been rewritten to use FFI C API to be more performant and easier to maintain. Also see: openresty/lua-resty-core#278 Co-authored-by: Chrono Law <chrono.law@konghq.com>
…k:sslhandshake` with FFI This adds support for setting client certificate/private key that will be used later for mutual TLS handshake with a server. Also, the `tcpsock:sslhandshake` implementation has been rewritten to use FFI C API to be more performant and easier to maintain. Also see: openresty/lua-resty-core#278 Co-authored-by: Chrono Law <chrono.law@konghq.com>
…sslhandshake` with FFI This adds support for setting client certificate/private key that will be used later for mutual TLS handshake with a server. Also, the `tcpsock:sslhandshake` implementation has been rewritten to use FFI C API to be more performant and easier to maintain. Also see: openresty/lua-nginx-module#1602 Co-authored-by: Chrono Law <chrono.law@konghq.com>
dndx
force-pushed
the
feat/cosocket_tlshandshake
branch
from
cdb745d
to
68bf4bf
Compare
|
@zhuizhuhaomeng Could you please take another look at this PR? It has been rebased and squashed and now passed all CI tests with it's lua-nginx-module counterpart. |
…k:sslhandshake` with FFI This adds support for setting client certificate/private key that will be used later for mutual TLS handshake with a server. Also, the `tcpsock:sslhandshake` implementation has been rewritten to use FFI C API to be more performant and easier to maintain. Also see: openresty/lua-resty-core#278 Co-authored-by: Chrono Law <chrono.law@konghq.com>
|
merged with the following patch |
functions using FFI.
I hereby granted the copyright of the changes in this pull request
to the authors of this lua-resty-core project.
Sister PR: openresty/lua-nginx-module#1602
Note that stream support is intentionally omitted in this PR to keep the size down. I will help porting this over to stream after it is merged.