Bugfix: fix NTLS cert check, move sign/enc certficate to upstream

Update to nginx 1.22.1 (#1719) add reject_handshake, but not fully
consider the NTLS. That's okay if no ssl_certificate is
configured but ssl_sign_certificate and ssl_enc_certificate are
configured when NTLS is enabled.

Move sign_certificate, enc_certificate to upstream to adapt to
nginx 1.22.1.

Add test-nginx-ntls CI.

Author: dongbeiouba

.github/workflows/test-nginx-ntls.yml

@@ -0,0 +1,58 @@
+name: test nginx ntls
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build-and-test:
+    runs-on: "ubuntu-20.04"
+    strategy:
+      fail-fast: false
+      matrix:
+        compiler:
+          - { compiler: GNU,  CC: gcc,  CXX: g++}
+          - { compiler: LLVM, CC: clang, CXX: clang++}
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          path: tengine
+      - name: checkout Tongsuo
+        uses: actions/checkout@v3
+        with:
+          repository: Tongsuo-Project/Tongsuo
+          path: Tongsuo
+      - name: build Tongsuo
+        working-directory: Tongsuo
+        env:
+          CC: ${{ matrix.compiler.CC }}
+        run: |
+          ./config --prefix=${RUNNER_TEMP}/tongsuo enable-ntls no-shared
+          make -s -j4
+          make install_sw
+      - name: build Tengine
+        working-directory: tengine
+        env:
+          CC: ${{ matrix.compiler.CC }}
+          CXX: ${{ matrix.compiler.CXX }}
+        run: |
+          ./configure \
+            --add-module=modules/ngx_openssl_ntls \
+            --with-openssl=../Tongsuo \
+            --with-openssl-opt="--api=1.1.1 enable-ntls" \
+            --with-http_ssl_module \
+            --with-stream \
+            --with-stream_ssl_module \
+            --with-stream_sni
+          make -j2
+          sudo make install
+      - name: run test cases
+        working-directory: tengine
+        env:
+          TEST_OPENSSL_BINARY: ${{ runner.temp }}/tongsuo/bin/tongsuo
+          TEST_NGINX_BINARY: /usr/local/nginx/sbin/nginx
+          TEST_NGINX_UNSAFE: yes
+        run: |
+          prove -Itests/nginx-tests/nginx-tests/lib/ modules/ngx_openssl_ntls/t

modules/ngx_openssl_ntls/README.md

@@ -114,4 +114,4 @@ prove -Itests/nginx-tests/nginx-tests/lib/ modules/ngx_openssl_ntls/t -v
 
 ## Reference
 - [Tongsuo website](https://www.tongsuo.net/)
-- [Tongsuo document](https://tongsuo.readthedocs.io/)
+- [Tongsuo document](https://www.yuque.com/tsdoc)

src/http/modules/ngx_http_grpc_module.c

@@ -38,13 +38,6 @@ typedef struct {
     ngx_str_t                  ssl_trusted_certificate;
     ngx_str_t                  ssl_crl;
     ngx_array_t               *ssl_conf_commands;
-
-#if (T_NGX_SSL_NTLS)
-    ngx_str_t                  enc_certificate;
-    ngx_str_t                  enc_certificate_key;
-    ngx_str_t                  sign_certificate;
-    ngx_str_t                  sign_certificate_key;
-#endif
 #endif
 } ngx_http_grpc_loc_conf_t;
 
@@ -468,28 +461,28 @@ static ngx_command_t  ngx_http_grpc_commands[] = {
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_str_slot,
       NGX_HTTP_LOC_CONF_OFFSET,
-      offsetof(ngx_http_grpc_loc_conf_t, enc_certificate),
+      offsetof(ngx_http_grpc_loc_conf_t, upstream.enc_certificate),
       NULL },
 
     { ngx_string("grpc_ssl_enc_certificate_key"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_str_slot,
       NGX_HTTP_LOC_CONF_OFFSET,
-      offsetof(ngx_http_grpc_loc_conf_t, enc_certificate_key),
+      offsetof(ngx_http_grpc_loc_conf_t, upstream.enc_certificate_key),
       NULL },
 
     { ngx_string("grpc_ssl_sign_certificate"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_str_slot,
       NGX_HTTP_LOC_CONF_OFFSET,
-      offsetof(ngx_http_grpc_loc_conf_t, sign_certificate),
+      offsetof(ngx_http_grpc_loc_conf_t, upstream.sign_certificate),
       NULL },
 
     { ngx_string("grpc_ssl_sign_certificate_key"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_str_slot,
       NGX_HTTP_LOC_CONF_OFFSET,
-      offsetof(ngx_http_grpc_loc_conf_t, sign_certificate_key),
+      offsetof(ngx_http_grpc_loc_conf_t, upstream.sign_certificate_key),
       NULL },
 
 #endif
@@ -4548,14 +4541,14 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
     if (conf->upstream.enable_ntls == NULL) {
         conf->upstream.enable_ntls = prev->upstream.enable_ntls;
     }
-    ngx_conf_merge_str_value(conf->enc_certificate,
-                             prev->enc_certificate, "");
-    ngx_conf_merge_str_value(conf->enc_certificate_key,
-                             prev->enc_certificate_key, "");
-    ngx_conf_merge_str_value(conf->sign_certificate,
-                             prev->sign_certificate, "");
-    ngx_conf_merge_str_value(conf->sign_certificate_key,
-                             prev->sign_certificate_key, "");
+    ngx_conf_merge_str_value(conf->upstream.enc_certificate,
+                             prev->upstream.enc_certificate, "");
+    ngx_conf_merge_str_value(conf->upstream.enc_certificate_key,
+                             prev->upstream.enc_certificate_key, "");
+    ngx_conf_merge_str_value(conf->upstream.sign_certificate,
+                             prev->upstream.sign_certificate, "");
+    ngx_conf_merge_str_value(conf->upstream.sign_certificate_key,
+                             prev->upstream.sign_certificate_key, "");
     conf->upstream.ssl_ciphers = conf->ssl_ciphers;
 #endif
 #endif
@@ -5016,8 +5009,8 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf)
         }
 
         if (ngx_ssl_certificate(cf, glcf->upstream.ssl,
-                                &glcf->upstream.ssl_certificate->value,
-                                &glcf->upstream.ssl_certificate_key->value,
+                                &glcf->upstream.enc_certificate->value,
+                                &glcf->upstream.enc_certificate_key->value,
                                 glcf->upstream.ssl_passwords,
                                 SSL_ENC_CERT)
             != NGX_OK)
@@ -5036,8 +5029,8 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf)
         }
 
         if (ngx_ssl_certificate(cf, glcf->upstream.ssl,
-                                &glcf->upstream.ssl_certificate->value,
-                                &glcf->upstream.ssl_certificate_key->value,
+                                &glcf->upstream.sign_certificate,
+                                &glcf->upstream.sign_certificate_key,
                                 glcf->upstream.ssl_passwords,
                                 SSL_SIGN_CERT)
             != NGX_OK)

src/http/modules/ngx_http_proxy_module.c

@@ -125,13 +125,6 @@ typedef struct {
     ngx_str_t                      ssl_trusted_certificate;
     ngx_str_t                      ssl_crl;
     ngx_array_t                   *ssl_conf_commands;
-
-#if (T_NGX_SSL_NTLS)
-    ngx_str_t                      enc_certificate;
-    ngx_str_t                      enc_certificate_key;
-    ngx_str_t                      sign_certificate;
-    ngx_str_t                      sign_certificate_key;
-#endif
 #endif
 } ngx_http_proxy_loc_conf_t;
 
@@ -804,28 +797,28 @@ static ngx_command_t  ngx_http_proxy_commands[] = {
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_str_slot,
       NGX_HTTP_LOC_CONF_OFFSET,
-      offsetof(ngx_http_proxy_loc_conf_t, enc_certificate),
+      offsetof(ngx_http_proxy_loc_conf_t, upstream.enc_certificate),
       NULL },
 
     { ngx_string("proxy_ssl_enc_certificate_key"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_str_slot,
       NGX_HTTP_LOC_CONF_OFFSET,
-      offsetof(ngx_http_proxy_loc_conf_t, enc_certificate_key),
+      offsetof(ngx_http_proxy_loc_conf_t, upstream.enc_certificate_key),
       NULL },
 
     { ngx_string("proxy_ssl_sign_certificate"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_str_slot,
       NGX_HTTP_LOC_CONF_OFFSET,
-      offsetof(ngx_http_proxy_loc_conf_t, sign_certificate),
+      offsetof(ngx_http_proxy_loc_conf_t, upstream.sign_certificate),
       NULL },
 
     { ngx_string("proxy_ssl_sign_certificate_key"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_str_slot,
       NGX_HTTP_LOC_CONF_OFFSET,
-      offsetof(ngx_http_proxy_loc_conf_t, sign_certificate_key),
+      offsetof(ngx_http_proxy_loc_conf_t, upstream.sign_certificate_key),
       NULL },
 #endif
 #endif
@@ -3817,14 +3810,14 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
     if (conf->upstream.enable_ntls == NULL) {
         conf->upstream.enable_ntls = prev->upstream.enable_ntls;
     }
-    ngx_conf_merge_str_value(conf->enc_certificate,
-                             prev->enc_certificate, "");
-    ngx_conf_merge_str_value(conf->enc_certificate_key,
-                             prev->enc_certificate_key, "");
-    ngx_conf_merge_str_value(conf->sign_certificate,
-                             prev->sign_certificate, "");
-    ngx_conf_merge_str_value(conf->sign_certificate_key,
-                             prev->sign_certificate_key, "");
+    ngx_conf_merge_str_value(conf->upstream.enc_certificate,
+                             prev->upstream.enc_certificate, "");
+    ngx_conf_merge_str_value(conf->upstream.enc_certificate_key,
+                             prev->upstream.enc_certificate_key, "");
+    ngx_conf_merge_str_value(conf->upstream.sign_certificate,
+                             prev->upstream.sign_certificate, "");
+    ngx_conf_merge_str_value(conf->upstream.sign_certificate_key,
+                             prev->upstream.sign_certificate_key, "");
     conf->upstream.ssl_ciphers = conf->ssl_ciphers;
 #endif
 #endif
@@ -5063,18 +5056,19 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
 
 #if (T_NGX_SSL_NTLS)
     plcf->upstream.tls_method = SSL_CTX_get_ssl_method(plcf->upstream.ssl->ctx);
-    if (plcf->enc_certificate.len) {
+    if (plcf->upstream.enc_certificate.len) {
 
-        if (plcf->enc_certificate_key.len == 0) {
+        if (plcf->upstream.enc_certificate_key.len == 0) {
             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                           "no \"proxy_ssl_enc_certificate_key\" is defined "
-                          "for certificate \"%V\"", &plcf->enc_certificate);
+                          "for certificate \"%V\"",
+                          &plcf->upstream.enc_certificate);
             return NGX_ERROR;
         }
 
         if (ngx_ssl_certificate(cf, plcf->upstream.ssl,
-                                &plcf->upstream.ssl_certificate->value,
-                                &plcf->upstream.ssl_certificate_key->value,
+                                &plcf->upstream.enc_certificate,
+                                &plcf->upstream.enc_certificate_key,
                                 plcf->upstream.ssl_passwords,
                                 SSL_ENC_CERT)
             != NGX_OK)
@@ -5083,18 +5077,19 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
         }
     }
 
-    if (plcf->sign_certificate.len) {
+    if (plcf->upstream.sign_certificate.len) {
 
-        if (plcf->sign_certificate_key.len == 0) {
+        if (plcf->upstream.sign_certificate_key.len == 0) {
             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                           "no \"proxy_ssl_sign_certificate_key\" is defined "
-                          "for certificate \"%V\"", &plcf->sign_certificate);
+                          "for certificate \"%V\"",
+                          &plcf->upstream.sign_certificate);
             return NGX_ERROR;
         }
 
         if (ngx_ssl_certificate(cf, plcf->upstream.ssl,
-                                &plcf->upstream.ssl_certificate->value,
-                                &plcf->upstream.ssl_certificate_key->value,
+                                &plcf->upstream.sign_certificate,
+                                &plcf->upstream.sign_certificate_key,
                                 plcf->upstream.ssl_passwords,
                                 SSL_SIGN_CERT)
             != NGX_OK)

src/http/modules/ngx_http_ssl_module.c

@@ -843,7 +843,40 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
                               conf->file, conf->line);
                 return NGX_CONF_ERROR;
             }
+#if (T_NGX_SSL_NTLS)
+        } else if (conf->enc_certificate.len != 0 || conf->sign_certificate.len != 0) {
+            if (conf->enc_certificate.len == 0) {
+                ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                              "no \"ssl_enc_certificate\" is defined for "
+                              "the \"ssl\" directive in %s:%ui",
+                              conf->file, conf->line);
+                return NGX_CONF_ERROR;
+            }
+
+            if (conf->sign_certificate.len == 0) {
+                ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                              "no \"ssl_sign_certificate\" is defined for "
+                              "the \"ssl\" directive in %s:%ui",
+                              conf->file, conf->line);
+                return NGX_CONF_ERROR;
+            }
 
+            if (conf->enc_certificate_key.len == 0) {
+                ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                              "no \"ssl_enc_certificate_key\" is defined for "
+                              "the \"ssl\" directive in %s:%ui",
+                              conf->file, conf->line);
+                return NGX_CONF_ERROR;
+            }
+
+            if (conf->sign_certificate_key.len == 0) {
+                ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                              "no \"ssl_sign_certificate_key\" is defined for "
+                              "the \"ssl\" directive in %s:%ui",
+                              conf->file, conf->line);
+                return NGX_CONF_ERROR;
+            }
+#endif
         } else if (!conf->reject_handshake) {
             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                           "no \"ssl_certificate\" is defined for "
@@ -864,13 +897,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
                           + conf->certificates->nelts - 1);
             return NGX_CONF_ERROR;
         }
-
-    } else if (!conf->reject_handshake) {
-        return NGX_CONF_OK;
-    }
-
 #if (T_NGX_SSL_NTLS)
-    if (conf->enc_certificate.len != 0 || conf->sign_certificate.len != 0) {
+    } else if (conf->enc_certificate.len != 0 || conf->sign_certificate.len != 0) {
         if (conf->enc_certificate.len == 0) {
             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                           "no \"ssl_enc_certificate\" is defined for "
@@ -902,8 +930,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
                           conf->file, conf->line);
             return NGX_CONF_ERROR;
         }
-    }
 #endif
+    } else if (!conf->reject_handshake) {
+        return NGX_CONF_OK;
+    }
 
     if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) {
         return NGX_CONF_ERROR;
@@ -1534,9 +1564,19 @@ ngx_http_ssl_init(ngx_conf_t *cf)
                 continue;
             }
 
+#if (T_NGX_SSL_NTLS)
+            if (sscf->sign_certificate.len > 0 || sscf->enc_certificate.len > 0) {
+                continue;
+            }
+#endif
             if (!sscf->reject_handshake) {
                 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+#if (T_NGX_SSL_NTLS)
+                              "no \"ssl_certificate\", \"ssl_enc_certificate\" "
+                              "or \"ssl_sign_certificate\" is defined for "
+#else
                               "no \"ssl_certificate\" is defined for "
+#endif
                               "the \"listen ... ssl\" directive in %s:%ui",
                               cscf->file_name, cscf->line);
                 return NGX_ERROR;
@@ -1561,7 +1601,7 @@ ngx_http_ssl_init(ngx_conf_t *cf)
                 if (sscf->sign_certificate.len > 0 || sscf->enc_certificate.len > 0) {
                     continue;
                 }
-#endif              
+#endif
                 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
 #if (T_NGX_SSL_NTLS)
                               "no \"ssl_certificate\", \"ssl_enc_certificate\" "