feat: add GM C API enable/disable ntls (#69)

spacewander · web-flow · commit 719d638d34dc · 2022-11-04T16:59:29.000+08:00
diff --git a/lib/resty/apisix/ssl.lua b/lib/resty/apisix/ssl.lua
@@ -14,6 +14,7 @@ ffi.cdef[[
     typedef intptr_t        ngx_flag_t;
     int ngx_http_apisix_set_gm_cert(void *r, void *cdata, char **err, ngx_flag_t type);
     int ngx_http_apisix_set_gm_priv_key(void *r, void *cdata, char **err, ngx_flag_t type);
+    int ngx_http_apisix_enable_ntls(void *r, int enabled);
 ]]
 
 
@@ -62,4 +63,24 @@ function _M.set_gm_priv_key(enc_pkey, sign_pkey)
 end
 
 
+function _M.enable_ntls()
+    local r = get_request()
+    if not r then
+        error("no request found")
+    end
+
+    C.ngx_http_apisix_enable_ntls(r, 1)
+end
+
+
+function _M.disable_ntls()
+    local r = get_request()
+    if not r then
+        error("no request found")
+    end
+
+    C.ngx_http_apisix_enable_ntls(r, 0)
+end
+
+
 return _M
diff --git a/patch/1.21.4/nginx-enable_ntls.patch b/patch/1.21.4/nginx-enable_ntls.patch
@@ -1,14 +1,25 @@
 diff --git src/http/ngx_http_request.c src/http/ngx_http_request.c
-index 013b715..a729693 100644
+index 013b715..96be553 100644
 --- src/http/ngx_http_request.c
 +++ src/http/ngx_http_request.c
-@@ -754,6 +754,11 @@ ngx_http_ssl_handshake(ngx_event_t *rev)
+@@ -8,6 +8,9 @@
+ #include <ngx_config.h>
+ #include <ngx_core.h>
+ #include <ngx_http.h>
++#if (NGX_HTTP_APISIX)
++#include <ngx_http_apisix_module.h>
++#endif
+ 
+ 
+ static void ngx_http_wait_request_handler(ngx_event_t *ev);
+@@ -754,6 +757,12 @@ ngx_http_ssl_handshake(ngx_event_t *rev)
                  return;
              }
  
 +#if (TONGSUO_VERSION_NUMBER && NGX_HTTP_APISIX)
-+            // FIXME: add option later
-+            SSL_enable_ntls(c->ssl->connection);
++            if (ngx_http_apisix_is_ntls_enabled(hc->conf_ctx)) {
++                SSL_enable_ntls(c->ssl->connection);
++            }
 +#endif
 +
              ngx_reusable_connection(c, 0);
diff --git a/src/ngx_http_apisix_module.c b/src/ngx_http_apisix_module.c
@@ -9,12 +9,18 @@
 #define NGX_HTTP_APISIX_SSL_SIGN    2
 
 
+typedef struct {
+    ngx_flag_t      enable_ntls;
+} ngx_http_apisix_main_conf_t;
+
+
 static ngx_str_t remote_addr = ngx_string("remote_addr");
 static ngx_str_t remote_port = ngx_string("remote_port");
 static ngx_str_t realip_remote_addr = ngx_string("realip_remote_addr");
 static ngx_str_t realip_remote_port = ngx_string("realip_remote_port");
 
 
+static void *ngx_http_apisix_create_main_conf(ngx_conf_t *cf);
 static void *ngx_http_apisix_create_loc_conf(ngx_conf_t *cf);
 static char *ngx_http_apisix_merge_loc_conf(ngx_conf_t *cf, void *parent,
     void *child);
@@ -36,7 +42,7 @@ static ngx_http_module_t ngx_http_apisix_module_ctx = {
     NULL,                                    /* preconfiguration */
     NULL,                                    /* postconfiguration */
 
-    NULL,                                    /* create main configuration */
+    ngx_http_apisix_create_main_conf,        /* create main configuration */
     NULL,                                    /* init main configuration */
 
     NULL,                                    /* create server configuration */
@@ -63,6 +69,26 @@ ngx_module_t ngx_http_apisix_module = {
 };
 
 
+static void *
+ngx_http_apisix_create_main_conf(ngx_conf_t *cf)
+{
+    ngx_http_apisix_main_conf_t  *acf;
+
+    acf = ngx_pcalloc(cf->pool, sizeof(ngx_http_apisix_main_conf_t));
+    if (acf == NULL) {
+        return NULL;
+    }
+
+    /*
+     * set by ngx_pcalloc():
+     *
+     *     acf->enable_ntls = 0;
+     */
+
+    return acf;
+}
+
+
 static void *
 ngx_http_apisix_create_loc_conf(ngx_conf_t *cf)
 {
@@ -778,3 +804,24 @@ ngx_http_apisix_set_gm_priv_key(ngx_http_request_t *r,
 
 #endif
 }
+
+
+int
+ngx_http_apisix_enable_ntls(ngx_http_request_t *r, int enabled)
+{
+    ngx_http_apisix_main_conf_t  *acf;
+
+    acf = ngx_http_get_module_main_conf(r, ngx_http_apisix_module);
+    acf->enable_ntls = enabled;
+    return NGX_OK;
+}
+
+
+ngx_flag_t
+ngx_http_apisix_is_ntls_enabled(ngx_http_conf_ctx_t *conf_ctx)
+{
+    ngx_http_apisix_main_conf_t  *acf;
+
+    acf = ngx_http_get_module_main_conf(conf_ctx, ngx_http_apisix_module);
+    return acf->enable_ntls;
+}
diff --git a/src/ngx_http_apisix_module.h b/src/ngx_http_apisix_module.h
@@ -55,5 +55,7 @@ void ngx_http_apisix_mark_request_header_set(ngx_http_request_t *r);
 ngx_int_t ngx_http_apisix_is_header_filter_by_lua_skipped(ngx_http_request_t *r);
 ngx_int_t ngx_http_apisix_is_body_filter_by_lua_skipped(ngx_http_request_t *r);
 
+ngx_flag_t ngx_http_apisix_is_ntls_enabled(ngx_http_conf_ctx_t *conf_ctx);
+
 
 #endif /* _NGX_HTTP_APISIX_H_INCLUDED_ */
diff --git a/t/gm.t b/t/gm.t
