feat: reject bad client TLS request in handshake (#50)

spacewander · web-flow · commit 54c8d1c9d704 · 2022-04-27T10:06:37.000+08:00
Signed-off-by: spacewander &lt;spacewanderlzx@gmail.com&gt;
diff --git a/lib/resty/apisix/patch.lua b/lib/resty/apisix/patch.lua
@@ -0,0 +1,10 @@
+-- This module stores the flags which mark the difference between
+-- APISIX's OpenResty and vanilla OpenResty.
+-- We use flag to distinguish the difference when it is impossible
+-- to distinguish APISIX's OpenResty via additional module methods.
+local _M = {
+    client_cert_verified_in_handshake = true
+}
+
+
+return _M
diff --git a/patch/1.19.9/lua-resty-core-reject-in-handshake.patch b/patch/1.19.9/lua-resty-core-reject-in-handshake.patch
@@ -0,0 +1,48 @@
+diff --git lib/ngx/ssl.lua lib/ngx/ssl.lua
+index b769fd8..89ccabe 100644
+--- lib/ngx/ssl.lua
++++ lib/ngx/ssl.lua
+@@ -85,7 +85,7 @@ if subsystem == 'http' then
+     void ngx_http_lua_ffi_free_priv_key(void *cdata);
+ 
+     int ngx_http_lua_ffi_ssl_verify_client(void *r,
+-        void *cdata, int depth, char **err);
++        void *cdata, int depth, int reject_in_handshake, char **err);
+     ]]
+ 
+     ngx_lua_ffi_ssl_set_der_certificate =
+@@ -155,7 +155,7 @@ elseif subsystem == 'stream' then
+     void ngx_stream_lua_ffi_free_priv_key(void *cdata);
+ 
+     int ngx_stream_lua_ffi_ssl_verify_client(void *r,
+-        void *cdata, int depth, char **err);
++        void *cdata, int depth, int reject_in_handshake, char **err);
+     ]]
+ 
+     ngx_lua_ffi_ssl_set_der_certificate =
+@@ -414,7 +414,7 @@ function _M.set_priv_key(priv_key)
+ end
+ 
+ 
+-function _M.verify_client(ca_certs, depth)
++function _M.verify_client(ca_certs, depth, reject_in_handshake)
+     local r = get_request()
+     if not r then
+         error("no request found")
+@@ -424,7 +424,15 @@ function _M.verify_client(ca_certs, depth)
+         depth = -1
+     end
+ 
+-    local rc = ngx_lua_ffi_ssl_verify_client(r, ca_certs, depth, errmsg)
++    if reject_in_handshake == nil then
++        -- reject by default so we can migrate to the new behavior
++        -- without modifying Lua code
++        reject_in_handshake = true
++    end
++
++    local reject_in_handshake_int = reject_in_handshake and 1 or 0
++    local rc = ngx_lua_ffi_ssl_verify_client(r, ca_certs, depth,
++                                             reject_in_handshake_int, errmsg)
+     if rc == FFI_OK then
+         return true
+     end
diff --git a/patch/1.19.9/ngx_lua-reject-in-handshake.patch b/patch/1.19.9/ngx_lua-reject-in-handshake.patch
@@ -0,0 +1,38 @@
+diff --git src/ngx_http_lua_ssl_certby.c src/ngx_http_lua_ssl_certby.c
+index 6ed2f3f..c46cc91 100644
+--- src/ngx_http_lua_ssl_certby.c
++++ src/ngx_http_lua_ssl_certby.c
+@@ -1346,9 +1346,16 @@ ngx_http_lua_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
+ }
+ 
+ 
++static int
++ngx_http_lua_ssl_verify_reject_in_handshake_callback(int ok, X509_STORE_CTX *x509_store)
++{
++    return ok;
++}
++
++
+ int
+ ngx_http_lua_ffi_ssl_verify_client(ngx_http_request_t *r, void *ca_certs,
+-    int depth, char **err)
++    int depth, int reject_in_handshake, char **err)
+ {
+     ngx_http_lua_ctx_t          *ctx;
+     ngx_ssl_conn_t              *ssl_conn;
+@@ -1388,7 +1395,14 @@ ngx_http_lua_ffi_ssl_verify_client(ngx_http_request_t *r, void *ca_certs,
+ 
+     /* enable verify */
+ 
+-    SSL_set_verify(ssl_conn, SSL_VERIFY_PEER, ngx_http_lua_ssl_verify_callback);
++    if (reject_in_handshake) {
++        SSL_set_verify(ssl_conn,
++                       SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT ,
++                       ngx_http_lua_ssl_verify_reject_in_handshake_callback);
++
++    } else {
++        SSL_set_verify(ssl_conn, SSL_VERIFY_PEER, ngx_http_lua_ssl_verify_callback);
++    }
+ 
+     /* set depth */
+ 
diff --git a/patch/1.19.9/ngx_stream_lua-reject-in-handshake.patch b/patch/1.19.9/ngx_stream_lua-reject-in-handshake.patch
@@ -0,0 +1,40 @@
+diff --git src/ngx_stream_lua_ssl_certby.c src/ngx_stream_lua_ssl_certby.c
+index bc1b156..49fa0d3 100644
+--- src/ngx_stream_lua_ssl_certby.c
++++ src/ngx_stream_lua_ssl_certby.c
+@@ -1365,9 +1365,16 @@ ngx_stream_lua_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
+ }
+ 
+ 
++static int
++ngx_stream_lua_ssl_verify_reject_in_handshake_callback(int ok, X509_STORE_CTX *x509_store)
++{
++    return ok;
++}
++
++
+ int
+ ngx_stream_lua_ffi_ssl_verify_client(ngx_stream_lua_request_t *r,
+-    void *ca_certs, int depth, char **err)
++    void *ca_certs, int depth, int reject_in_handshake, char **err)
+ {
+     ngx_stream_lua_ctx_t        *ctx;
+     ngx_ssl_conn_t              *ssl_conn;
+@@ -1407,8 +1414,15 @@ ngx_stream_lua_ffi_ssl_verify_client(ngx_stream_lua_request_t *r,
+ 
+     /* enable verify */
+ 
+-    SSL_set_verify(ssl_conn, SSL_VERIFY_PEER,
+-                   ngx_stream_lua_ssl_verify_callback);
++    if (reject_in_handshake) {
++        SSL_set_verify(ssl_conn,
++                       SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT ,
++                       ngx_stream_lua_ssl_verify_reject_in_handshake_callback);
++
++    } else {
++        SSL_set_verify(ssl_conn, SSL_VERIFY_PEER,
++                       ngx_stream_lua_ssl_verify_callback);
++    }
+ 
+     /* set depth */
+ 
