feature: added ssl_certificiate_by_lua* directives to allow controlling downstream SSL handshakes with Lua

.gitignore

@@ -153,6 +153,8 @@ src/uthread.[ch]
 src/timer.[ch]
 src/config.[ch]
 src/worker.[ch]
+src/certby.[ch]
+src/ocsp.c
 src/lex.[ch]
 src/balancer.[ch]
 src/semaphore.[ch]

config

@@ -351,6 +351,8 @@ NGX_ADDON_SRCS="$NGX_ADDON_SRCS \
                 $ngx_addon_dir/src/ngx_http_lua_timer.c \
                 $ngx_addon_dir/src/ngx_http_lua_config.c \
                 $ngx_addon_dir/src/ngx_http_lua_worker.c \
+                $ngx_addon_dir/src/ngx_http_lua_ssl_certby.c \
+                $ngx_addon_dir/src/ngx_http_lua_ssl_ocsp.c \
                 $ngx_addon_dir/src/ngx_http_lua_lex.c \
                 $ngx_addon_dir/src/ngx_http_lua_balancer.c \
                 "
@@ -407,6 +409,7 @@ NGX_ADDON_DEPS="$NGX_ADDON_DEPS \
                 $ngx_addon_dir/src/ngx_http_lua_timer.h \
                 $ngx_addon_dir/src/ngx_http_lua_config.h \
                 $ngx_addon_dir/src/ngx_http_lua_worker.h \
+                $ngx_addon_dir/src/ngx_http_lua_ssl_certby.h \
                 $ngx_addon_dir/src/ngx_http_lua_lex.h \
                 $ngx_addon_dir/src/ngx_http_lua_balancer.h \
                 "

src/ngx_http_lua_common.h

@@ -31,6 +31,11 @@
 #endif
 
 
+#if (!defined OPENSSL_NO_OCSP && defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB)
+#   define NGX_HTTP_LUA_USE_OCSP 1
+#endif
+
+
 #ifndef MD5_DIGEST_LENGTH
 #define MD5_DIGEST_LENGTH 16
 #endif
@@ -95,6 +100,7 @@ typedef struct {
 #define NGX_HTTP_LUA_CONTEXT_TIMER          0x080
 #define NGX_HTTP_LUA_CONTEXT_INIT_WORKER    0x100
 #define NGX_HTTP_LUA_CONTEXT_BALANCER       0x200
+#define NGX_HTTP_LUA_CONTEXT_SSL_CERT       0x400
 
 
 #ifndef NGX_LUA_NO_FFI_API
@@ -104,7 +110,7 @@ typedef struct {
 
 
 typedef struct ngx_http_lua_main_conf_s  ngx_http_lua_main_conf_t;
-typedef struct ngx_http_lua_srv_conf_s  ngx_http_lua_srv_conf_t;
+typedef union ngx_http_lua_srv_conf_u  ngx_http_lua_srv_conf_t;
 
 
 typedef struct ngx_http_lua_balancer_peer_data_s
@@ -114,7 +120,7 @@ typedef struct ngx_http_lua_balancer_peer_data_s
 typedef struct ngx_http_lua_semaphore_mm_s  ngx_http_lua_semaphore_mm_t;
 
 
-typedef ngx_int_t (*ngx_http_lua_conf_handler_pt)(ngx_log_t *log,
+typedef ngx_int_t (*ngx_http_lua_main_conf_handler_pt)(ngx_log_t *log,
     ngx_http_lua_main_conf_t *lmcf, lua_State *L);
 typedef ngx_int_t (*ngx_http_lua_srv_conf_handler_pt)(ngx_http_request_t *r,
     ngx_http_lua_srv_conf_t *lmcf, lua_State *L);
@@ -156,11 +162,11 @@ struct ngx_http_lua_main_conf_s {
     ngx_flag_t           postponed_to_rewrite_phase_end;
     ngx_flag_t           postponed_to_access_phase_end;
 
-    ngx_http_lua_conf_handler_pt    init_handler;
-    ngx_str_t                       init_src;
+    ngx_http_lua_main_conf_handler_pt    init_handler;
+    ngx_str_t                            init_src;
 
-    ngx_http_lua_conf_handler_pt    init_worker_handler;
-    ngx_str_t                       init_worker_src;
+    ngx_http_lua_main_conf_handler_pt    init_worker_handler;
+    ngx_str_t                            init_worker_src;
 
     ngx_http_lua_balancer_peer_data_t      *balancer_peer_data;
                     /* balancer_by_lua does not support yielding and
@@ -182,7 +188,15 @@ struct ngx_http_lua_main_conf_s {
 };
 
 
-struct ngx_http_lua_srv_conf_s {
+union ngx_http_lua_srv_conf_u {
+#if (NGX_HTTP_SSL)
+    struct {
+        ngx_http_lua_srv_conf_handler_pt     cert_handler;
+        ngx_str_t                            cert_src;
+        u_char                              *cert_src_key;
+    } ssl;
+#endif
+
     struct {
         ngx_str_t           src;
         u_char             *src_key;

src/ngx_http_lua_contentby.h

@@ -12,7 +12,7 @@
 #include "ngx_http_lua_common.h"
 
 
-ngx_int_t ngx_http_lua_content_by_chunk(lua_State *l, ngx_http_request_t *r);
+ngx_int_t ngx_http_lua_content_by_chunk(lua_State *L, ngx_http_request_t *r);
 void ngx_http_lua_content_wev_handler(ngx_http_request_t *r);
 ngx_int_t ngx_http_lua_content_handler_file(ngx_http_request_t *r);
 ngx_int_t ngx_http_lua_content_handler_inline(ngx_http_request_t *r);

src/ngx_http_lua_control.c

@@ -294,9 +294,9 @@ ngx_http_lua_ngx_redirect(lua_State *L)
 static int
 ngx_http_lua_ngx_exit(lua_State *L)
 {
+    ngx_int_t                    rc;
     ngx_http_request_t          *r;
     ngx_http_lua_ctx_t          *ctx;
-    ngx_int_t                    rc;
 
     if (lua_gettop(L) != 1) {
         return luaL_error(L, "expecting one argument");
@@ -317,10 +317,30 @@ ngx_http_lua_ngx_exit(lua_State *L)
                                | NGX_HTTP_LUA_CONTEXT_CONTENT
                                | NGX_HTTP_LUA_CONTEXT_TIMER
                                | NGX_HTTP_LUA_CONTEXT_HEADER_FILTER
-                               | NGX_HTTP_LUA_CONTEXT_BALANCER);
+                               | NGX_HTTP_LUA_CONTEXT_BALANCER
+                               | NGX_HTTP_LUA_CONTEXT_SSL_CERT);
 
     rc = (ngx_int_t) luaL_checkinteger(L, 1);
 
+    if (ctx->context == NGX_HTTP_LUA_CONTEXT_SSL_CERT) {
+
+#if (NGX_HTTP_SSL)
+
+        ctx->exit_code = rc;
+        ctx->exited = 1;
+
+        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+                       "lua exit with code %i", rc);
+
+        return lua_yield(L, 0);
+
+#else
+
+        return luaL_error(L, "no SSL support");
+
+#endif
+    }
+
     if (ctx->no_abort
         && rc != NGX_ERROR
         && rc != NGX_HTTP_CLOSE
@@ -438,13 +458,33 @@ ngx_http_lua_ffi_exit(ngx_http_request_t *r, int status, u_char *err,
                                        | NGX_HTTP_LUA_CONTEXT_ACCESS
                                        | NGX_HTTP_LUA_CONTEXT_CONTENT
                                        | NGX_HTTP_LUA_CONTEXT_TIMER
-                                       | NGX_HTTP_LUA_CONTEXT_HEADER_FILTER,
+                                       | NGX_HTTP_LUA_CONTEXT_HEADER_FILTER
+                                       | NGX_HTTP_LUA_CONTEXT_SSL_CERT,
                                        err, errlen)
         != NGX_OK)
     {
         return NGX_ERROR;
     }
 
+    if (ctx->context == NGX_HTTP_LUA_CONTEXT_SSL_CERT) {
+
+#if (NGX_HTTP_SSL)
+
+        ctx->exit_code = status;
+        ctx->exited = 1;
+
+        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+                       "lua exit with code %d", status);
+
+        return NGX_OK;
+
+#else
+
+        return NGX_ERROR;
+
+#endif
+    }
+
     if (ctx->no_abort
         && status != NGX_ERROR
         && status != NGX_HTTP_CLOSE

src/ngx_http_lua_coroutine.c

@@ -76,7 +76,8 @@ ngx_http_lua_coroutine_create_helper(lua_State *L, ngx_http_request_t *r,
     ngx_http_lua_check_context(L, ctx, NGX_HTTP_LUA_CONTEXT_REWRITE
                                | NGX_HTTP_LUA_CONTEXT_ACCESS
                                | NGX_HTTP_LUA_CONTEXT_CONTENT
-                               | NGX_HTTP_LUA_CONTEXT_TIMER);
+                               | NGX_HTTP_LUA_CONTEXT_TIMER
+                               | NGX_HTTP_LUA_CONTEXT_SSL_CERT);
 
     vm = ngx_http_lua_get_lua_vm(r, ctx);
 
@@ -151,7 +152,8 @@ ngx_http_lua_coroutine_resume(lua_State *L)
     ngx_http_lua_check_context(L, ctx, NGX_HTTP_LUA_CONTEXT_REWRITE
                                | NGX_HTTP_LUA_CONTEXT_ACCESS
                                | NGX_HTTP_LUA_CONTEXT_CONTENT
-                               | NGX_HTTP_LUA_CONTEXT_TIMER);
+                               | NGX_HTTP_LUA_CONTEXT_TIMER
+                               | NGX_HTTP_LUA_CONTEXT_SSL_CERT);
 
     p_coctx = ctx->cur_co_ctx;
     if (p_coctx == NULL) {
@@ -210,7 +212,8 @@ ngx_http_lua_coroutine_yield(lua_State *L)
     ngx_http_lua_check_context(L, ctx, NGX_HTTP_LUA_CONTEXT_REWRITE
                                | NGX_HTTP_LUA_CONTEXT_ACCESS
                                | NGX_HTTP_LUA_CONTEXT_CONTENT
-                               | NGX_HTTP_LUA_CONTEXT_TIMER);
+                               | NGX_HTTP_LUA_CONTEXT_TIMER
+                               | NGX_HTTP_LUA_CONTEXT_SSL_CERT);
 
     coctx = ctx->cur_co_ctx;
 
@@ -358,7 +361,8 @@ ngx_http_lua_coroutine_status(lua_State *L)
     ngx_http_lua_check_context(L, ctx, NGX_HTTP_LUA_CONTEXT_REWRITE
                                | NGX_HTTP_LUA_CONTEXT_ACCESS
                                | NGX_HTTP_LUA_CONTEXT_CONTENT
-                               | NGX_HTTP_LUA_CONTEXT_TIMER);
+                               | NGX_HTTP_LUA_CONTEXT_TIMER
+                               | NGX_HTTP_LUA_CONTEXT_SSL_CERT);
 
     coctx = ngx_http_lua_get_co_ctx(co, ctx);
     if (coctx == NULL) {

src/ngx_http_lua_directive.c

@@ -24,6 +24,7 @@
 #include "ngx_http_lua_initby.h"
 #include "ngx_http_lua_initworkerby.h"
 #include "ngx_http_lua_shdict.h"
+#include "ngx_http_lua_ssl_certby.h"
 #include "ngx_http_lua_lex.h"
 
 
@@ -1126,7 +1127,7 @@ ngx_http_lua_init_by_lua(ngx_conf_t *cf, ngx_command_t *cmd,
         return NGX_CONF_ERROR;
     }
 
-    lmcf->init_handler = (ngx_http_lua_conf_handler_pt) cmd->post;
+    lmcf->init_handler = (ngx_http_lua_main_conf_handler_pt) cmd->post;
 
     if (cmd->post == ngx_http_lua_init_by_file) {
         name = ngx_http_lua_rebase_path(cf->pool, value[1].data,
@@ -1186,7 +1187,7 @@ ngx_http_lua_init_worker_by_lua(ngx_conf_t *cf, ngx_command_t *cmd,
 
     value = cf->args->elts;
 
-    lmcf->init_worker_handler = (ngx_http_lua_conf_handler_pt) cmd->post;
+    lmcf->init_worker_handler = (ngx_http_lua_main_conf_handler_pt) cmd->post;
 
     if (cmd->post == ngx_http_lua_init_worker_by_file) {
         name = ngx_http_lua_rebase_path(cf->pool, value[1].data,

src/ngx_http_lua_module.c

@@ -25,6 +25,8 @@
 #include "ngx_http_lua_probe.h"
 #include "ngx_http_lua_semaphore.h"
 #include "ngx_http_lua_balancer.h"
+#include "ngx_http_lua_ssl_certby.h"
+#include <openssl/ssl.h>
 
 
 #if !defined(nginx_version) || nginx_version < 8054
@@ -38,6 +40,7 @@ static void *ngx_http_lua_create_srv_conf(ngx_conf_t *cf);
 static char *ngx_http_lua_merge_srv_conf(ngx_conf_t *cf, void *parent,
     void *child);
 static void *ngx_http_lua_create_loc_conf(ngx_conf_t *cf);
+
 static char *ngx_http_lua_merge_loc_conf(ngx_conf_t *cf, void *parent,
     void *child);
 static ngx_int_t ngx_http_lua_init(ngx_conf_t *cf);
@@ -506,6 +509,24 @@ static ngx_command_t ngx_http_lua_cmds[] = {
       offsetof(ngx_http_lua_loc_conf_t, ssl_ciphers),
       NULL },
 
+#if (NGX_HTTP_SSL)
+
+    { ngx_string("ssl_certificate_by_lua_block"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
+      ngx_http_lua_ssl_cert_by_lua_block,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      0,
+      (void *) ngx_http_lua_ssl_cert_handler_inline },
+
+    { ngx_string("ssl_certificate_by_lua_file"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_http_lua_ssl_cert_by_lua,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      0,
+      (void *) ngx_http_lua_ssl_cert_handler_file },
+
+#endif  /* NGX_HTTP_SSL */
+
     { ngx_string("lua_ssl_verify_depth"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_num_slot,
@@ -840,6 +861,9 @@ ngx_http_lua_create_srv_conf(ngx_conf_t *cf)
     }
 
     /* set by ngx_pcalloc:
+     *      lscf->ssl.cert_handler = NULL;
+     *      lscf->ssl.cert_src = { 0, NULL };
+     *      lscf->ssl.cert_src_key = NULL;
      *      lscf->balancer.handler = NULL;
      *      lscf->balancer.src = { 0, NULL };
      *      lscf->balancer.src_key = NULL;
@@ -852,6 +876,40 @@ ngx_http_lua_create_srv_conf(ngx_conf_t *cf)
 static char *
 ngx_http_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
 {
+#if (NGX_HTTP_SSL)
+
+    ngx_http_lua_srv_conf_t *prev = parent;
+    ngx_http_lua_srv_conf_t *conf = child;
+    ngx_http_ssl_srv_conf_t *sscf;
+
+    dd("merge srv conf");
+
+    if (conf->ssl.cert_src.len == 0) {
+        conf->ssl.cert_src = prev->ssl.cert_src;
+        conf->ssl.cert_handler = prev->ssl.cert_handler;
+    }
+
+    if (conf->ssl.cert_src.len) {
+        sscf = ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module);
+        if (sscf == NULL || sscf->ssl.ctx == NULL) {
+            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                          "no ssl configured for the server");
+
+            return NGX_CONF_ERROR;
+        }
+
+#if OPENSSL_VERSION_NUMBER >= 0x1000205fL
+
+        SSL_CTX_set_cert_cb(sscf->ssl.ctx, ngx_http_lua_ssl_cert_handler, NULL);
+
+#else
+
+        return NGX_CONF_ERROR;
+
+#endif
+    }
+
+#endif  /* NGX_HTTP_SSL */
     return NGX_CONF_OK;
 }
 

src/ngx_http_lua_phase.c

@@ -76,6 +76,10 @@ ngx_http_lua_ngx_get_phase(lua_State *L)
         lua_pushliteral(L, "timer");
         break;
 
+    case NGX_HTTP_LUA_CONTEXT_SSL_CERT:
+        lua_pushliteral(L, "ssl_cert");
+        break;
+
     default:
         return luaL_error(L, "unknown phase: %d", (int) ctx->context);
     }

src/ngx_http_lua_semaphore.c

@@ -339,7 +339,8 @@ ngx_http_lua_ffi_semaphore_wait(ngx_http_request_t *r,
     rc = ngx_http_lua_ffi_check_context(ctx, NGX_HTTP_LUA_CONTEXT_REWRITE
                                         | NGX_HTTP_LUA_CONTEXT_ACCESS
                                         | NGX_HTTP_LUA_CONTEXT_CONTENT
-                                        | NGX_HTTP_LUA_CONTEXT_TIMER,
+                                        | NGX_HTTP_LUA_CONTEXT_TIMER
+                                        | NGX_HTTP_LUA_CONTEXT_SSL_CERT,
                                         err, errlen);
 
     if (rc != NGX_OK) {

src/ngx_http_lua_sleep.c

@@ -55,7 +55,8 @@ ngx_http_lua_ngx_sleep(lua_State *L)
     ngx_http_lua_check_context(L, ctx, NGX_HTTP_LUA_CONTEXT_REWRITE
                                | NGX_HTTP_LUA_CONTEXT_ACCESS
                                | NGX_HTTP_LUA_CONTEXT_CONTENT
-                               | NGX_HTTP_LUA_CONTEXT_TIMER);
+                               | NGX_HTTP_LUA_CONTEXT_TIMER
+                               | NGX_HTTP_LUA_CONTEXT_SSL_CERT);
 
     coctx = ctx->cur_co_ctx;
     if (coctx == NULL) {