
Commit 33a2fa7

committed
feat: add api to get hostname of ssl session
Signed-off-by: Nic <[email protected]>
1 parent 9f39eac commit 33a2fa7


3 files changed

+128
-32
lines changed

Lines changed: 77 additions & 0 deletions
@@ -0,0 +1,77 @@
1+
diff --git lib/ngx/ssl.lua lib/ngx/ssl.lua
2+
index 8792be0..aa1d0f8 100644
3+
--- lib/ngx/ssl.lua
4+
+++ lib/ngx/ssl.lua
5+
@@ -26,6 +26,7 @@ local ngx_lua_ffi_ssl_set_der_private_key
6+
local ngx_lua_ffi_ssl_raw_server_addr
7+
local ngx_lua_ffi_ssl_server_port
8+
local ngx_lua_ffi_ssl_server_name
9+
+local ngx_lua_ffi_ssl_session_hostname
10+
local ngx_lua_ffi_ssl_raw_client_addr
11+
local ngx_lua_ffi_cert_pem_to_der
12+
local ngx_lua_ffi_priv_key_pem_to_der
13+
@@ -58,6 +59,9 @@ if subsystem == 'http' then
14+
int ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name,
15+
size_t *namelen, char **err);
16+
17+
+ int ngx_http_lua_ffi_ssl_session_hostname(ngx_http_request_t *r, char **name,
18+
+ size_t *namelen, char **err);
19+
+
20+
int ngx_http_lua_ffi_ssl_raw_client_addr(ngx_http_request_t *r, char **addr,
21+
size_t *addrlen, int *addrtype, char **err);
22+
23+
@@ -96,7 +100,7 @@ if subsystem == 'http' then
24+
C.ngx_http_lua_ffi_ssl_set_der_private_key
25+
ngx_lua_ffi_ssl_raw_server_addr = C.ngx_http_lua_ffi_ssl_raw_server_addr
26+
ngx_lua_ffi_ssl_server_port = C.ngx_http_lua_ffi_ssl_server_port
27+
- ngx_lua_ffi_ssl_server_name = C.ngx_http_lua_ffi_ssl_server_name
28+
+ ngx_lua_ffi_ssl_session_hostname = C.ngx_http_lua_ffi_ssl_session_hostname
29+
ngx_lua_ffi_ssl_raw_client_addr = C.ngx_http_lua_ffi_ssl_raw_client_addr
30+
ngx_lua_ffi_cert_pem_to_der = C.ngx_http_lua_ffi_cert_pem_to_der
31+
ngx_lua_ffi_priv_key_pem_to_der = C.ngx_http_lua_ffi_priv_key_pem_to_der
32+
@@ -129,6 +133,9 @@ elseif subsystem == 'stream' then
33+
int ngx_stream_lua_ffi_ssl_server_name(ngx_stream_lua_request_t *r,
34+
char **name, size_t *namelen, char **err);
35+
36+
+ int ngx_stream_lua_ffi_ssl_session_hostname(ngx_stream_lua_request_t *r,
37+
+ char **name, size_t *namelen, char **err);
38+
+
39+
int ngx_stream_lua_ffi_ssl_raw_client_addr(ngx_stream_lua_request_t *r,
40+
char **addr, size_t *addrlen, int *addrtype, char **err);
41+
42+
@@ -168,6 +175,7 @@ elseif subsystem == 'stream' then
43+
ngx_lua_ffi_ssl_raw_server_addr = C.ngx_stream_lua_ffi_ssl_raw_server_addr
44+
ngx_lua_ffi_ssl_server_port = C.ngx_stream_lua_ffi_ssl_server_port
45+
ngx_lua_ffi_ssl_server_name = C.ngx_stream_lua_ffi_ssl_server_name
46+
+ ngx_lua_ffi_ssl_session_hostname = C.ngx_stream_lua_ffi_ssl_session_hostname
47+
ngx_lua_ffi_ssl_raw_client_addr = C.ngx_stream_lua_ffi_ssl_raw_client_addr
48+
ngx_lua_ffi_cert_pem_to_der = C.ngx_stream_lua_ffi_cert_pem_to_der
49+
ngx_lua_ffi_priv_key_pem_to_der = C.ngx_stream_lua_ffi_priv_key_pem_to_der
50+
@@ -299,6 +307,27 @@ function _M.server_name()
51+
end
52+
53+
54+
+function _M.session_hostname()
55+
+ local r = get_request()
56+
+ if not r then
57+
+ error("no request found")
58+
+ end
59+
+
60+
+ local sizep = get_size_ptr()
61+
+
62+
+ local rc = ngx_lua_ffi_ssl_session_hostname(r, charpp, sizep, errmsg)
63+
+ if rc ~= FFI_OK then
64+
+ return nil, ffi_str(errmsg[0])
65+
+ end
66+
+
67+
+ if sizep[0] == 0 then
68+
+ return nil
69+
+ end
70+
+
71+
+ return ffi_str(charpp[0], sizep[0])
72+
+end
73+
+
74+
+
75+
function _M.raw_client_addr()
76+
local r = get_request()
77+
if not r then
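Review bot: The http-side assignment hunk at `@@ -96,7 +100,7 @@` replaces `ngx_lua_ffi_ssl_server_name = C.ngx_http_lua_ffi_ssl_server_name` with the new session_hostname line instead of adding it alongside, so in the http subsystem `ngx_lua_ffi_ssl_server_name` is left nil and `_M.server_name()` (defined outside this hunk) fails at call time; the stream hunk at `@@ -168,6 +175,7 @@` keeps both lines, which is the intended shape. The http hunk should keep ` ngx_lua_ffi_ssl_server_name = C.ngx_http_lua_ffi_ssl_server_name` as a context line and add `+ ngx_lua_ffi_ssl_session_hostname = C.ngx_http_lua_ffi_ssl_session_hostname` below it, with the header becoming `@@ -96,7 +100,8 @@`. The new `_M.session_hostname()` returns a bare `nil` when the C side reports a zero-length name and `nil, err` on an FFI failure; an LDoc comment above it spelling out that distinction, and noting that the value is the server name negotiated in the handshake (as the C-side comment describes) rather than anything verified, would help callers that feed it into restriction logic.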

patch/1.21.4/nginx-sni_restriction.patch

Lines changed: 0 additions & 32 deletions
This file was deleted.
Lines changed: 51 additions & 0 deletions
@@ -0,0 +1,51 @@
1+
diff --git src/ngx_http_lua_ssl_certby.c src/ngx_http_lua_ssl_certby.c
2+
index b8e70dde..f00f794f 100644
3+
--- src/ngx_http_lua_ssl_certby.c
4+
+++ src/ngx_http_lua_ssl_certby.c
5+
@@ -870,6 +870,46 @@ ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name,
6+
}
7+
8+
9+
+int
10+
+ngx_http_lua_ffi_ssl_session_hostname(ngx_http_request_t *r, char **name,
11+
+ size_t *namelen, char **err)
12+
+{
13+
+ ngx_ssl_conn_t *ssl_conn;
14+
+
15+
+ if (r->connection == NULL || r->connection->ssl == NULL) {
16+
+ *err = "bad request";
17+
+ return NGX_ERROR;
18+
+ }
19+
+
20+
+ ssl_conn = r->connection->ssl->connection;
21+
+ if (ssl_conn == NULL) {
22+
+ *err = "bad ssl conn";
23+
+ return NGX_ERROR;
24+
+ }
25+
+
26+
+#if (defined(TLS1_3_VERSION) \
27+
+ && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
28+
+
29+
+ /*
30+
+ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
31+
+ * but servername being negotiated in every TLSv1.3 handshake
32+
+ * is only returned in OpenSSL 1.1.1+ as well
33+
+ */
34+
+
35+
+ *name = (char *) SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
36+
+
37+
+ if (*name) {
38+
+ *namelen = ngx_strlen(*name);
39+
+ return NGX_OK;
40+
+ }
41+
+#endif
42+
+
43+
+ *name = "";
44+
+ *namelen = 0;
45+
+ return NGX_OK;
46+
+}
47+
+
48+
+
49+
int
50+
ngx_http_lua_ffi_ssl_server_port(ngx_http_request_t *r,
51+
unsigned short *server_port, char **err)
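Review bot: The result of `SSL_get0_session(ssl_conn)` is passed straight into `SSL_SESSION_get0_hostname()` without a NULL check; if this FFI function can be reached before a session object exists for the connection (the hunk does not show at which handshake phase the Lua side calls it), that is a NULL dereference inside OpenSSL. Fetch the session first and only read the hostname when it is present: declare `SSL_SESSION *sess;` next to `ssl_conn` at the top of the function, then `sess = SSL_get0_session(ssl_conn);` and `if (sess != NULL && (*name = (char *) SSL_SESSION_get0_hostname(sess)) != NULL) {` wrapping the existing `*namelen = ngx_strlen(*name); return NGX_OK;` lines. The `*name = ""` / `*namelen = 0` fallback after `#endif` is consistent with the Lua side treating zero length as "no hostname", so it can stay as is. The block comment explains the OpenSSL 1.1.1+ dependency while the guard keys on `TLS1_3_VERSION`; one sentence saying that macro is being used as the 1.1.1+ marker (with LibreSSL and BoringSSL excluded explicitly) would make the intent of the `#if` clear to the next reader.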
