feature: add FFI interface to verify SSL client certificate

ArchangelSDY · ArchangelSDY · commit c00d686a4df7 · 2020-03-29T22:09:15.000+08:00
diff --git a/src/ngx_stream_lua_ssl_certby.c b/src/ngx_stream_lua_ssl_certby.c
@@ -1317,4 +1317,104 @@ ngx_stream_lua_ffi_set_priv_key(ngx_stream_lua_request_t *r,
 }
 
 
+static int
+ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
+{
+    /*
+     * we never terminate handshake here and user can later use
+     * $ssl_client_verify to check verification result.
+     *
+     * this is consistent with Nginx behavior.
+     */
+    return 1;
+}
+
+
+int
+ngx_stream_lua_ffi_ssl_verify_client(ngx_stream_lua_request_t *r,
+    int depth,
+    void *cdata, char **err)
+{
+    ngx_ssl_conn_t         *ssl_conn;
+    STACK_OF(X509)         *chain = cdata;
+    STACK_OF(X509_NAME)    *name_chain = NULL;
+    X509                   *x509 = NULL;
+    X509_NAME              *subject = NULL;
+    X509_STORE             *ca_store = NULL;
+#ifdef OPENSSL_IS_BORINGSSL
+    size_t                 i;
+#else
+    int                    i;
+#endif
+
+    if (r->connection == NULL || r->connection->ssl == NULL) {
+        *err = "bad request";
+        return NGX_ERROR;
+    }
+
+    ssl_conn = r->connection->ssl->connection;
+    if (ssl_conn == NULL) {
+        *err = "bad ssl conn";
+        return NGX_ERROR;
+    }
+
+    ca_store = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(ssl_conn));
+    if (ca_store == NULL) {
+        *err = "SSL_CTX_get_cert_store() failed";
+        return NGX_ERROR;
+    }
+
+    SSL_set_verify(ssl_conn, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
+
+    SSL_set_verify_depth(ssl_conn, depth);
+
+    if (chain != NULL) {
+        /* construct name chain */
+
+        name_chain = sk_X509_NAME_new_null();
+        if (name_chain == NULL) {
+            *err = "sk_X509_NAME_new_null() failed";
+            return NGX_ERROR;
+        }
+
+        for (i = 0; i < sk_X509_num(chain); i++) {
+            x509 = sk_X509_value(chain, i);
+            if (x509 == NULL) {
+                *err = "sk_X509_value() failed";
+                goto failed;
+            }
+
+            /* add subject to name chain, which will be sent to client */
+            subject = X509_NAME_dup(X509_get_subject_name(x509));
+            if (subject == NULL) {
+                *err = "X509_get_subject_name() failed";
+                goto failed;
+            }
+
+            if (!sk_X509_NAME_push(name_chain, subject)) {
+                *err = "sk_X509_NAME_push() failed";
+                X509_NAME_free(subject);
+                goto failed;
+            }
+
+            /* add to trusted CA store */
+            if (X509_STORE_add_cert(ca_store, x509) == 0) {
+                *err = "X509_STORE_add_cert() failed";
+                goto failed;
+            }
+        }
+
+        SSL_set_client_CA_list(ssl_conn, name_chain);
+    }
+
+    return NGX_OK;
+
+failed:
+
+    sk_X509_NAME_free(name_chain);
+
+    return NGX_ERROR;
+}
+
+
 #endif /* NGX_STREAM_SSL */
