NTLS support for stream.

DavidAlphaFox · May 26, 2023 · fa83ee6 · fa83ee6
1 parent 05a23cc
commit fa83ee6
Show file tree

Hide file tree

Showing 11 changed files with 772 additions and 88 deletions.
diff --git a/auto/modules b/auto/modules
@@ -1462,6 +1462,10 @@ fi
 
 if [ $STREAM != NO ]; then
 
+    if [ $USE_NTLS = YES ]; then
+        have=NGX_STREAM_PROXY_MULTICERT . auto/have
+    fi
+
     if [ $STREAM = YES ]; then
         modules="$modules $STREAM_MODULES"
 

diff --git a/docs/xml/angie/changes.xml b/docs/xml/angie/changes.xml
@@ -22,12 +22,12 @@ the session are routed to the same server.
 
 <change type="feature">
 <para lang="ru">
-поддержка NTLS в HTTP SSL и HTTP proxy модулях при использовании библиотеки
-TongSuo, которую можно включить опцией сборки "--with-ntls" и сконфигурировать
+поддержка NTLS в HTTP и stream модулях при использовании библиотеки TongSuo,
+которую можно включить опцией сборки "--with-ntls" и сконфигурировать
 с помощью соответствующих директив "ssl_ntls" и "proxy_ssl_ntls".
 </para>
 <para lang="en">
-support for NTLS in the HTTP SSL and HTTP proxy modules using TongSuo library,
+support for NTLS in the HTTP and stream modules using TongSuo library,
 that can be enabled via the "--with-ntls" build time option and configured
 with the "ssl_ntls" and "proxy_ssl_ntls" corresponding directives.
 </para>

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
@@ -6122,6 +6122,84 @@ ngx_ssl_parse_time(
     return time;
 }
 
+#if (NGX_HTTP_PROXY_MULTICERT || NGX_STREAM_PROXY_MULTICERT)
+
+char *
+ngx_ssl_certificate_slot(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+    char  *p = conf;
+
+    ngx_str_t     *value, *s;
+    ngx_array_t  **a;
+#if (NGX_HAVE_NTLS)
+    u_char        *data;
+#endif
+
+    a = (ngx_array_t **) (p + cmd->offset);
+
+    if (*a == NGX_CONF_UNSET_PTR) {
+
+        *a = ngx_array_create(cf->pool, 4, sizeof(ngx_str_t));
+        if (*a == NULL) {
+            return NGX_CONF_ERROR;
+        }
+    }
+
+    s = ngx_array_push(*a);
+    if (s == NULL) {
+        return NGX_CONF_ERROR;
+    }
+
+    value = cf->args->elts;
+
+    if (cf->args->nelts == 2) {
+        *s = value[1];
+        return NGX_CONF_OK;
+    }
+
+#if (NGX_HAVE_NTLS)
+
+    /* prefix certificate paths with 'sign:' and 'enc:', null-terminate */
+
+    s->len = sizeof("sign:") - 1 + value[1].len;
+
+    s->data = ngx_pcalloc(cf->pool, s->len + 1);
+    if (s->data == NULL) {
+        return NGX_CONF_ERROR;
+    }
+
+    data = ngx_cpymem(s->data, "sign:", sizeof("sign:") - 1);
+    ngx_memcpy(data, value[1].data, value[1].len);
+
+    s = ngx_array_push(*a);
+    if (s == NULL) {
+        return NGX_CONF_ERROR;
+    }
+
+    s->len = sizeof("enc:") - 1 + value[2].len;
+
+    s->data = ngx_pcalloc(cf->pool, s->len + 1);
+    if (s->data == NULL) {
+        return NGX_CONF_ERROR;
+    }
+
+    data = ngx_cpymem(s->data, "enc:", sizeof("enc:") - 1);
+    ngx_memcpy(data, value[2].data, value[2].len);
+
+    return NGX_CONF_OK;
+
+#else
+
+    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+                       "NTLS support is not enabled, dual certs not supported");
+
+    return NGX_CONF_ERROR;
+
+#endif
+}
+
+#endif
+
 
 static void *
 ngx_openssl_create_conf(ngx_cycle_t *cycle)

diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
@@ -328,6 +328,10 @@ void ngx_cdecl ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err,
     char *fmt, ...);
 void ngx_ssl_cleanup_ctx(void *data);
 
+#if (NGX_HTTP_PROXY_MULTICERT || NGX_STREAM_PROXY_MULTICERT)
+char *ngx_ssl_certificate_slot(ngx_conf_t *cf, ngx_command_t *cmd,
+    void *conf);
+#endif
 
 extern int  ngx_ssl_connection_index;
 extern int  ngx_ssl_server_conf_index;

diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
@@ -755,14 +755,14 @@ static ngx_command_t  ngx_http_proxy_commands[] = {
 
     { ngx_string("proxy_ssl_certificate"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE12,
-      ngx_http_ssl_certificate_slot,
+      ngx_ssl_certificate_slot,
       NGX_HTTP_LOC_CONF_OFFSET,
       offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_certificates),
       NULL },
 
     { ngx_string("proxy_ssl_certificate_key"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE12,
-      ngx_http_ssl_certificate_slot,
+      ngx_ssl_certificate_slot,
       NGX_HTTP_LOC_CONF_OFFSET,
       offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_certificate_keys),
       NULL },

diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
@@ -115,14 +115,14 @@ static ngx_command_t  ngx_http_ssl_commands[] = {
 
     { ngx_string("ssl_certificate"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12,
-      ngx_http_ssl_certificate_slot,
+      ngx_ssl_certificate_slot,
       NGX_HTTP_SRV_CONF_OFFSET,
       offsetof(ngx_http_ssl_srv_conf_t, certificates),
       NULL },
 
     { ngx_string("ssl_certificate_key"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12,
-      ngx_http_ssl_certificate_slot,
+      ngx_ssl_certificate_slot,
       NGX_HTTP_SRV_CONF_OFFSET,
       offsetof(ngx_http_ssl_srv_conf_t, certificate_keys),
       NULL },
@@ -1093,85 +1093,6 @@ ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
 }
 
 
-#if (NGX_HTTP_PROXY_MULTICERT)
-
-char *
-ngx_http_ssl_certificate_slot(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
-{
-    char  *p = conf;
-
-    ngx_str_t    *value, *s;
-    ngx_array_t  **a;
-#if (NGX_HAVE_NTLS)
-    u_char       *data;
-#endif
-
-    a = (ngx_array_t **) (p + cmd->offset);
-
-    if (*a == NGX_CONF_UNSET_PTR) {
-
-        *a = ngx_array_create(cf->pool, 4, sizeof(ngx_str_t));
-        if (*a == NULL) {
-            return NGX_CONF_ERROR;
-        }
-    }
-
-    s = ngx_array_push(*a);
-    if (s == NULL) {
-        return NGX_CONF_ERROR;
-    }
-
-    value = cf->args->elts;
-
-    if (cf->args->nelts == 2) {
-        *s = value[1];
-        return NGX_CONF_OK;
-    }
-
-#if (NGX_HAVE_NTLS)
-
-    /* prefix certificate paths with 'sign:' and 'enc:', null-terminate */
-
-    s->len = sizeof("sign:") - 1 + value[1].len;
-
-    s->data = ngx_pcalloc(cf->pool, s->len + 1);
-    if (s->data == NULL) {
-        return NGX_CONF_ERROR;
-    }
-
-    data = ngx_cpymem(s->data, "sign:", sizeof("sign:") - 1);
-    ngx_memcpy(data, value[1].data, value[1].len);
-
-    s = ngx_array_push(*a);
-    if (s == NULL) {
-        return NGX_CONF_ERROR;
-    }
-
-    s->len = sizeof("enc:") - 1 + value[2].len;
-
-    s->data = ngx_pcalloc(cf->pool, s->len + 1);
-    if (s->data == NULL) {
-        return NGX_CONF_ERROR;
-    }
-
-    data = ngx_cpymem(s->data, "enc:", sizeof("enc:") - 1);
-    ngx_memcpy(data, value[2].data, value[2].len);
-
-    return NGX_CONF_OK;
-
-#else
-
-    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
-                       "NTLS support is not enabled, dual certs not supported");
-
-    return NGX_CONF_ERROR;
-
-#endif
-}
-
-#endif
-
-
 static char *
 ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
 {

diff --git a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h
@@ -79,8 +79,6 @@ typedef struct {
 extern ngx_module_t  ngx_http_ssl_module;
 
 #if (NGX_HTTP_PROXY_MULTICERT)
-char *ngx_http_ssl_certificate_slot(ngx_conf_t *cf,
-    ngx_command_t *cmd, void *conf);
 ngx_int_t ngx_http_ssl_compile_certificates(ngx_conf_t *cf,
     ngx_http_ssl_srv_conf_t *conf);
 #endif