fix: the client verify flag might not be set #6906

Merged
merged 4 commits into from
Apr 22, 2022
25 changes: 16 additions & 9 deletions apisix/init.lua
Expand Up @@ -36,6 +36,7 @@ local get_var = require("resty.ngxvar").fetch
local router = require("apisix.router")
local apisix_upstream = require("apisix.upstream")
local set_upstream = apisix_upstream.set_by_route
local apisix_ssl = require("apisix.ssl")
local upstream_util = require("apisix.utils.upstream")
local xrpc = require("apisix.stream.xrpc")
local ctxdump = require("resty.ctxdump")
Expand Down Expand Up @@ -313,7 +314,13 @@ end


local function verify_tls_client(ctx)
if ctx and ctx.ssl_client_verified then
local matched = router.router_ssl.match_and_set(ctx, true)
if not matched then
return true
end

local matched_ssl = ctx.matched_ssl
if matched_ssl.value.client and apisix_ssl.support_client_verification() then
local res = ngx_var.ssl_client_verify
if res ~= "SUCCESS" then
if res == "NONE" then
Expand Down Expand Up @@ -350,14 +357,14 @@ end
function _M.http_access_phase()
local ngx_ctx = ngx.ctx

if not verify_tls_client(ngx_ctx.api_ctx) then
return core.response.exit(400)
end

-- always fetch table from the table pool, we don't need a reused api_ctx
local api_ctx = core.tablepool.fetch("api_ctx", 0, 32)
ngx_ctx.api_ctx = api_ctx

if not verify_tls_client(ngx_ctx.api_ctx) then
we can use api_ctx here

return core.response.exit(400)
end

core.ctx.set_vars_meta(api_ctx)

debug.dynamic_debug(api_ctx)
Expand Down Expand Up @@ -870,15 +877,15 @@ function _M.stream_preread_phase()
local ngx_ctx = ngx.ctx
local api_ctx = ngx_ctx.api_ctx

if not verify_tls_client(ngx_ctx.api_ctx) then
return ngx_exit(1)
end

if not api_ctx then
api_ctx = core.tablepool.fetch("api_ctx", 0, 32)
ngx_ctx.api_ctx = api_ctx
end

if not verify_tls_client(ngx_ctx.api_ctx) then
ditto

return ngx_exit(1)
end

core.ctx.set_vars_meta(api_ctx)

local ok, err = router.router_stream.match(api_ctx)
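Review bot: In verify_tls_client, `local matched = router.router_ssl.match_and_set(ctx, true)` discards the second return value, so a lookup that fails with an error (for instance if the radixtree rebuild at the top of match_and_set fails, or the SNI lookup itself errors) is indistinguishable from "nothing to verify", and `if not matched then return true end` lets the request through with nothing logged. That fail-open is presumably intended for plain-HTTP requests, where no SNI exists, but an internal matching error would then silently disable client-certificate verification for every request on the instance. Suggest keeping the error and recording it: `local matched, err = router.router_ssl.match_and_set(ctx, true)` and, inside the branch, `if err then core.log.info("skipping TLS client verification, no SSL matched: ", err) end` — at a low log level, since non-TLS requests also take this path. The body of verify_tls_client continues past the end of the hunk (the handling of `res ~= "SUCCESS"` is cut off), and the section's remaining hunks only move the call site after the api_ctx allocation.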
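--- a/apisix/ssl/router/radixtree_sni.lua
+++ b/apisix/ssl/router/radixtree_sni.lua
@@ -117,7 +117,7 @@ local function set_pem_ssl_key(sni, cert, pkey)
 end
 
 
-function _M.match_and_set(api_ctx)
+function _M.match_and_set(api_ctx, match_only)
 local err
 if not radixtree_router or
 radixtree_router_ver ~= ssl_certificates.conf_version then
@@ -175,6 +175,10 @@ function _M.match_and_set(api_ctx)
 local matched_ssl = api_ctx.matched_ssl
 core.log.info("debug - matched: ", core.json.delay_encode(matched_ssl, true))
 
+if match_only then
+return true
+end
+
 ngx_ssl.clear_certs()
 
 ok, err = set_pem_ssl_key(sni, matched_ssl.value.cert,
@@ -209,8 +213,6 @@ function _M.match_and_set(api_ctx)
 if not ok then
 return false, err
 end
-
-api_ctx.ssl_client_verified = true
 end
 end
 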
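Review bot: The new `match_only` parameter of `_M.match_and_set` is undocumented, and its early `return true` exits right after the SNI lookup, so a caller passing it gets `api_ctx.matched_ssl` populated but no certificate or key loaded into the handshake; a comment above the signature should state that contract, e.g. `-- match_only: only resolve api_ctx.matched_ssl for the current SNI and return; do not load the cert/key (for use outside the ssl_certificate phase)`. The removal of `api_ctx.ssl_client_verified = true` means any remaining reader of that flag elsewhere in the tree now always sees nil; none is visible in this diff, so it is worth a grep before merging. Both later hunks are in the middle of match_and_set, whose end lies outside the diff.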