summaryrefslogtreecommitdiffstats
path: root/server/resty/openssl/auxiliary/nginx.lua
blob: 8adecebd5ad4d8baea9f62d382f239400f709152 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
local get_req_ssl, get_req_ssl_ctx
local get_socket_ssl, get_socket_ssl_ctx

local pok, nginx_c = pcall(require, "resty.openssl.auxiliary.nginx_c")

if pok and not os.getenv("CI_SKIP_NGINX_C") then
  get_req_ssl = nginx_c.get_req_ssl
  get_req_ssl_ctx = nginx_c.get_req_ssl_ctx
  get_socket_ssl = nginx_c.get_socket_ssl
  get_socket_ssl_ctx = nginx_c.get_socket_ssl
else
  local ffi = require "ffi"

  ffi.cdef [[
    // Nginx seems to always config _FILE_OFFSET_BITS=64, this should always be 8 byte
    typedef long long off_t;
    typedef unsigned int socklen_t; // windows uses int, same size
    typedef unsigned short in_port_t;

    typedef struct ssl_st SSL;
    typedef struct ssl_ctx_st SSL_CTX;

    typedef long (*ngx_recv_pt)(void *c, void *buf, size_t size);
    typedef long (*ngx_recv_chain_pt)(void *c, void *in,
        off_t limit);
    typedef long (*ngx_send_pt)(void *c, void *buf, size_t size);
    typedef void *(*ngx_send_chain_pt)(void *c, void *in,
        off_t limit);

    typedef struct {
      size_t             len;
      void               *data;
    } ngx_str_t;

    typedef struct {
      SSL             *connection;
      SSL_CTX         *session_ctx;
      // trimmed
    } ngx_ssl_connection_s;
  ]]

  local ngx_version = ngx.config.nginx_version
  if ngx_version == 1017008 or ngx_version == 1019003 or ngx_version == 1019009 
    or ngx_version == 1021004 then
    -- 1.17.8, 1.19.3, 1.19.9, 1.21.4
    -- https://github.com/nginx/nginx/blob/master/src/core/ngx_connection.h
    ffi.cdef [[
    typedef struct {
      ngx_str_t           src_addr;
      ngx_str_t           dst_addr;
      in_port_t           src_port;
      in_port_t           dst_port;
    } ngx_proxy_protocol_t;

    typedef struct {
      void               *data;
      void               *read;
      void               *write;

      int                 fd;

      ngx_recv_pt         recv;
      ngx_send_pt         send;
      ngx_recv_chain_pt   recv_chain;
      ngx_send_chain_pt   send_chain;

      void               *listening;

      off_t               sent;

      void               *log;

      void               *pool;

      int                 type;

      void                *sockaddr;
      socklen_t           socklen;
      ngx_str_t           addr_text;

      // https://github.com/nginx/nginx/commit/be932e81a1531a3ba032febad968fc2006c4fa48
      ngx_proxy_protocol_t  *proxy_protocol;

      ngx_ssl_connection_s  *ssl;
      // trimmed
    } ngx_connection_s;
  ]]
  else
    error("resty.openssl.auxiliary.nginx doesn't support Nginx version " .. ngx_version, 2)
  end

  ffi.cdef [[
    typedef struct {
        ngx_connection_s                     *connection;
        // trimmed
    } ngx_stream_lua_request_s;

    typedef struct {
      unsigned int                     signature;         /* "HTTP" */

      ngx_connection_s                 *connection;
      // trimmed
    } ngx_http_request_s;
  ]]

  local get_request
  do
    local ok, exdata = pcall(require, "thread.exdata")
    if ok and exdata then
      function get_request()
        local r = exdata()
        if r ~= nil then
            return r
        end
      end

    else
      local getfenv = getfenv

      function get_request()
        return getfenv(0).__ngx_req
      end
    end
  end

  local SOCKET_CTX_INDEX = 1

  local NO_C_MODULE_WARNING_MSG_SHOWN = false
  local NO_C_MODULE_WARNING_MSG = "note resty.openssl.auxiliary.nginx is using plain FFI " ..
                                  "and it's only intended to be used in development, " ..
                                  "consider using lua-resty-openssl.aux-module in production."

  local function get_ngx_ssl_from_req()
    if not NO_C_MODULE_WARNING_MSG_SHOWN then
      ngx.log(ngx.WARN, NO_C_MODULE_WARNING_MSG)
      NO_C_MODULE_WARNING_MSG_SHOWN = true
    end

    local c = get_request()
    if ngx.config.subsystem == "stream" then
      c = ffi.cast("ngx_stream_lua_request_s*", c)
    else -- http
      c = ffi.cast("ngx_http_request_s*", c)
    end

    local ngx_ssl = c.connection.ssl
    if ngx_ssl == nil then
      return nil, "c.connection.ssl is nil"
    end
    return ngx_ssl
  end

  get_req_ssl = function()
    local ssl, err = get_ngx_ssl_from_req()
    if err then
      return nil, err
    end

    return ssl.connection
  end

  get_req_ssl_ctx = function()
    local ssl, err = get_ngx_ssl_from_req()
    if err then
      return nil, err
    end

    return ssl.session_ctx
  end

  ffi.cdef[[
    typedef struct ngx_http_lua_socket_tcp_upstream_s
                  ngx_http_lua_socket_tcp_upstream_t;

    typedef struct {
      ngx_connection_s                *connection;
      // trimmed
    } ngx_peer_connection_s;

    typedef
      int (*ngx_http_lua_socket_tcp_retval_handler_masked)(void *r,
      void *u, void *L);

    typedef void (*ngx_http_lua_socket_tcp_upstream_handler_pt_masked)
      (void *r, void *u);


    typedef
        int (*ngx_stream_lua_socket_tcp_retval_handler)(void *r,
            void *u, void *L);

    typedef void (*ngx_stream_lua_socket_tcp_upstream_handler_pt)
        (void *r, void *u);

    typedef struct {
      ngx_stream_lua_socket_tcp_retval_handler            read_prepare_retvals;
      ngx_stream_lua_socket_tcp_retval_handler            write_prepare_retvals;
      ngx_stream_lua_socket_tcp_upstream_handler_pt       read_event_handler;
      ngx_stream_lua_socket_tcp_upstream_handler_pt       write_event_handler;

      void                    *socket_pool;

      void                    *conf;
      void                    *cleanup;
      void                    *request;

      ngx_peer_connection_s            peer;
      // trimmed
    } ngx_stream_lua_socket_tcp_upstream_s;
  ]]

  local ngx_lua_version = ngx.config and
        ngx.config.ngx_lua_version and
        ngx.config.ngx_lua_version

  if ngx_lua_version >= 10019 and ngx_lua_version <= 10021 then
    -- https://github.com/openresty/lua-nginx-module/blob/master/src/ngx_http_lua_socket_tcp.h
    ffi.cdef[[
      typedef struct {
        ngx_http_lua_socket_tcp_retval_handler_masked          read_prepare_retvals;
        ngx_http_lua_socket_tcp_retval_handler_masked          write_prepare_retvals;
        ngx_http_lua_socket_tcp_upstream_handler_pt_masked     read_event_handler;
        ngx_http_lua_socket_tcp_upstream_handler_pt_masked     write_event_handler;

        void                            *udata_queue; // 0.10.19

        void                            *socket_pool;

        void                            *conf;
        void                            *cleanup;
        void                            *request;
        ngx_peer_connection_s            peer;
        // trimmed
      } ngx_http_lua_socket_tcp_upstream_s;
    ]]
  elseif ngx_lua_version < 10019 then
    -- the struct doesn't seem to get changed a long time since birth
    ffi.cdef[[
      typedef struct {
        ngx_http_lua_socket_tcp_retval_handler_masked          read_prepare_retvals;
        ngx_http_lua_socket_tcp_retval_handler_masked          write_prepare_retvals;
        ngx_http_lua_socket_tcp_upstream_handler_pt_masked     read_event_handler;
        ngx_http_lua_socket_tcp_upstream_handler_pt_masked     write_event_handler;

        void                            *socket_pool;

        void                            *conf;
        void                            *cleanup;
        void                            *request;
        ngx_peer_connection_s            peer;
        // trimmed
      } ngx_http_lua_socket_tcp_upstream_s;
    ]]
  else
    error("resty.openssl.auxiliary.nginx doesn't support lua-nginx-module version " .. (ngx_lua_version or "nil"), 2)
  end

  local function get_ngx_ssl_from_socket_ctx(sock)
    if not NO_C_MODULE_WARNING_MSG_SHOWN then
      ngx.log(ngx.WARN, NO_C_MODULE_WARNING_MSG)
      NO_C_MODULE_WARNING_MSG_SHOWN = true
    end

    local u = sock[SOCKET_CTX_INDEX]
    if u == nil then
      return nil, "lua_socket_tcp_upstream_t not found"
    end

    if ngx.config.subsystem == "stream" then
      u = ffi.cast("ngx_stream_lua_socket_tcp_upstream_s*", u)
    else -- http
      u = ffi.cast("ngx_http_lua_socket_tcp_upstream_s*", u)
    end

    local p = u.peer
    if p == nil then
      return nil, "u.peer is nil"
    end

    local uc = p.connection
    if uc == nil then
      return nil, "u.peer.connection is nil"
    end

    local ngx_ssl = uc.ssl
    if ngx_ssl == nil then
      return nil, "u.peer.connection.ssl is nil"
    end
    return ngx_ssl
  end

  get_socket_ssl = function(sock)
    local ssl, err = get_ngx_ssl_from_socket_ctx(sock)
    if err then
      return nil, err
    end

    return ssl.connection
  end

  get_socket_ssl_ctx = function(sock)
    local ssl, err = get_ngx_ssl_from_socket_ctx(sock)
    if err then
      return nil, err
    end

    return ssl.session_ctx
  end

end


return {
  get_req_ssl = get_req_ssl,
  get_req_ssl_ctx = get_req_ssl_ctx,
  get_socket_ssl = get_socket_ssl,
  get_socket_ssl_ctx = get_socket_ssl_ctx,
}