feat(tls): add SANs support for both DNS-names and URIs

This adds two new Lua functions (and the corresponding C logic)
to configure custom SANs validation in nginx:
 * `resty.kong.tls.set_upstream_ssl_sans_dnsnames()`
 * `resty.kong.tls.set_upstream_ssl_sans_uris()`

Part of KAG-6247.

Author: lucab

lualib/resty/kong/tls.lua

@@ -23,6 +23,7 @@ local get_phase = ngx.get_phase
 local type = type
 local error = error
 local tostring = tostring
+local concat = table.concat
 local C = ffi.C
 local ffi_cast = ffi.cast
 local SOCKET_CTX_INDEX = 1
@@ -41,6 +42,8 @@ local kong_lua_kong_ffi_set_upstream_client_cert_and_key
 local kong_lua_kong_ffi_set_upstream_ssl_trusted_store
 local kong_lua_kong_ffi_set_upstream_ssl_verify
 local kong_lua_kong_ffi_set_upstream_ssl_verify_depth
+local kong_lua_kong_ffi_set_upstream_ssl_sans_dnsnames
+local kong_lua_kong_ffi_set_upstream_ssl_sans_uris
 local kong_lua_kong_ffi_get_socket_ssl
 local kong_lua_kong_ffi_get_request_ssl
 local kong_lua_kong_ffi_disable_http2_alpn
@@ -60,6 +63,10 @@ if subsystem == "http" then
         int verify);
     int ngx_http_lua_kong_ffi_set_upstream_ssl_verify_depth(ngx_http_request_t *r,
         int depth);
+    int ngx_http_lua_kong_ffi_set_upstream_ssl_sans_dnsnames(ngx_http_request_t *r,
+        const char *input, size_t input_len);
+    int ngx_http_lua_kong_ffi_set_upstream_ssl_sans_uris(ngx_http_request_t *r,
+        const char *input, size_t input_len);
     int ngx_http_lua_kong_ffi_get_socket_ssl(ngx_http_lua_socket_tcp_upstream_t *u,
         void **ssl_conn);
     int ngx_http_lua_kong_ffi_get_request_ssl(ngx_http_request_t *r,
@@ -73,6 +80,8 @@ if subsystem == "http" then
     kong_lua_kong_ffi_set_upstream_ssl_trusted_store = C.ngx_http_lua_kong_ffi_set_upstream_ssl_trusted_store
     kong_lua_kong_ffi_set_upstream_ssl_verify = C.ngx_http_lua_kong_ffi_set_upstream_ssl_verify
     kong_lua_kong_ffi_set_upstream_ssl_verify_depth = C.ngx_http_lua_kong_ffi_set_upstream_ssl_verify_depth
+    kong_lua_kong_ffi_set_upstream_ssl_sans_dnsnames = C.ngx_http_lua_kong_ffi_set_upstream_ssl_sans_dnsnames
+    kong_lua_kong_ffi_set_upstream_ssl_sans_uris = C.ngx_http_lua_kong_ffi_set_upstream_ssl_sans_uris
     kong_lua_kong_ffi_get_socket_ssl = C.ngx_http_lua_kong_ffi_get_socket_ssl
     kong_lua_kong_ffi_get_request_ssl = C.ngx_http_lua_kong_ffi_get_request_ssl
     kong_lua_kong_ffi_disable_http2_alpn = C.ngx_http_lua_ffi_disable_http2_alpn
@@ -94,6 +103,10 @@ elseif subsystem == 'stream' then
         int verify);
     int ngx_stream_lua_kong_ffi_set_upstream_ssl_verify_depth(ngx_stream_lua_request_t *r,
         int depth);
+    int ngx_stream_lua_kong_ffi_set_upstream_ssl_sans_dnsnames(ngx_stream_lua_request_t *r,
+        const char *input, size_t input_len);
+    int ngx_stream_lua_kong_ffi_set_upstream_ssl_sans_uris(ngx_stream_lua_request_t *r,
+        const char *input, size_t input_len);
     int ngx_stream_lua_kong_get_socket_ssl(ngx_stream_lua_socket_tcp_upstream_t *u,
         void **ssl_conn);
     ]])
@@ -104,6 +117,8 @@ elseif subsystem == 'stream' then
     kong_lua_kong_ffi_set_upstream_ssl_trusted_store = C.ngx_stream_lua_kong_ffi_set_upstream_ssl_trusted_store
     kong_lua_kong_ffi_set_upstream_ssl_verify = C.ngx_stream_lua_kong_ffi_set_upstream_ssl_verify
     kong_lua_kong_ffi_set_upstream_ssl_verify_depth = C.ngx_stream_lua_kong_ffi_set_upstream_ssl_verify_depth
+    kong_lua_kong_ffi_set_upstream_ssl_sans_dnsnames = C.ngx_stream_lua_kong_ffi_set_upstream_ssl_sans_dnsnames
+    kong_lua_kong_ffi_set_upstream_ssl_sans_uris = C.ngx_stream_lua_kong_ffi_set_upstream_ssl_sans_uris
     kong_lua_kong_ffi_get_socket_ssl = C.ngx_stream_lua_kong_get_socket_ssl
     kong_lua_kong_ffi_get_request_ssl = function()
         error("API not available for the current subsystem")
@@ -338,6 +353,64 @@ do
         error("unknown return code: " .. tostring(ret))
     end
 
+    function _M.set_upstream_ssl_sans_dnsnames(sans)
+        if not ALLOWED_PHASES[get_phase()] then
+            error("API disabled in the current context", 2)
+        end
+
+        if type(sans) ~= "table" then
+            error("incorrect argument, expects an array, got " ..
+                  type(sans), 2)
+        end
+
+        if #sans == 0 then
+            error("incorrect argument, the value can not be an empty array", 2)
+        end
+
+        local r = get_request()
+
+        local ssl_sans = concat(sans, " ")
+        local ret = kong_lua_kong_ffi_set_upstream_ssl_sans_dnsnames(r, ssl_sans, #ssl_sans)
+        if ret == NGX_OK then
+            return true
+        end
+
+        if ret == NGX_ERROR then
+            return nil, "error while setting upstream SSL dnsnames SANs"
+        end
+
+        error("unknown return code: " .. tostring(ret))
+    end
+
+    function _M.set_upstream_ssl_sans_uris(uris)
+        if not ALLOWED_PHASES[get_phase()] then
+            error("API disabled in the current context", 2)
+        end
+
+        if type(uris) ~= "table" then
+            error("incorrect argument, expects an array, got " ..
+                  type(uris), 2)
+        end
+
+        if #uris == 0 then
+            error("incorrect argument, the value can not be an empty array", 2)
+        end
+
+        local r = get_request()
+
+        local ssl_sans = concat(uris, " ")
+        local ret = kong_lua_kong_ffi_set_upstream_ssl_sans_uris(r, ssl_sans, #ssl_sans)
+        if ret == NGX_OK then
+            return true
+        end
+
+        if ret == NGX_ERROR then
+            return nil, "error while setting upstream SSL URIs SANs"
+        end
+
+        error("unknown return code: " .. tostring(ret))
+    end
+
     function _M.disable_http2_alpn()
         if get_phase() ~= "ssl_client_hello" then
             error("API disabled in the current context")

src/ngx_http_lua_kong_module.h

@@ -44,4 +44,10 @@ ngx_flag_t
 ngx_http_lua_kong_get_next_upstream_mask(ngx_http_request_t *r,
     ngx_flag_t upstream_next);
 
+ngx_str_t *
+ngx_http_lua_kong_ssl_get_upstream_ssl_sans_dnsnames(ngx_http_request_t *r);
+
+ngx_str_t *
+ngx_http_lua_kong_ssl_get_upstream_ssl_sans_uris(ngx_http_request_t *r);
+
 #endif /* _NGX_HTTP_LUA_KONG_MODULE_H_INCLUDED_ */

src/ngx_http_lua_kong_ssl.c

@@ -242,6 +242,93 @@ ngx_http_lua_ffi_disable_http2_alpn(ngx_http_request_t *r, char **err)
     return NGX_OK;
 }
 
+
+int
+ngx_http_lua_kong_ffi_set_upstream_ssl_sans_dnsnames(ngx_http_request_t *r,
+    const char *input, size_t input_len)
+{
+    u_char                      *sans_data;
+    ngx_http_lua_kong_ctx_t     *ctx;
+
+    ctx = ngx_http_lua_kong_get_module_ctx(r);
+    if (ctx == NULL) {
+        return NGX_ERROR;
+    }
+
+    sans_data = ngx_palloc(r->pool, input_len);
+    if (sans_data == NULL) {
+        return NGX_ERROR;
+    }
+
+    ngx_memcpy(sans_data, input, input_len);
+
+    ctx->ssl_ctx.upstream_ssl_sans_dnsnames.data = sans_data;
+    ctx->ssl_ctx.upstream_ssl_sans_dnsnames.len = input_len;
+
+    return NGX_OK;
+}
+
+
+ngx_str_t *
+ngx_http_lua_kong_ssl_get_upstream_ssl_sans_dnsnames(ngx_http_request_t *r)
+{
+    ngx_http_lua_kong_ctx_t     *ctx;
+
+    ctx = ngx_http_lua_kong_get_module_ctx(r);
+    if (ctx == NULL) {
+        return NULL;
+    }
+
+    if (ctx->ssl_ctx.upstream_ssl_sans_dnsnames.len == 0) {
+        return NULL;
+    }
+
+    return &ctx->ssl_ctx.upstream_ssl_sans_dnsnames;
+}
+
+int
+ngx_http_lua_kong_ffi_set_upstream_ssl_sans_uris(ngx_http_request_t *r,
+    const char *input, size_t input_len)
+{
+    u_char                      *sans_data;
+    ngx_http_lua_kong_ctx_t     *ctx;
+
+    ctx = ngx_http_lua_kong_get_module_ctx(r);
+    if (ctx == NULL) {
+        return NGX_ERROR;
+    }
+
+    sans_data = ngx_palloc(r->pool, input_len);
+    if (sans_data == NULL) {
+        return NGX_ERROR;
+    }
+
+    ngx_memcpy(sans_data, input, input_len);
+
+    ctx->ssl_ctx.upstream_ssl_sans_uris.data = sans_data;
+    ctx->ssl_ctx.upstream_ssl_sans_uris.len = input_len;
+
+    return NGX_OK;
+}
+
+
+ngx_str_t *
+ngx_http_lua_kong_ssl_get_upstream_ssl_sans_uris(ngx_http_request_t *r)
+{
+    ngx_http_lua_kong_ctx_t     *ctx;
+
+    ctx = ngx_http_lua_kong_get_module_ctx(r);
+    if (ctx == NULL) {
+        return NULL;
+    }
+
+    if (ctx->ssl_ctx.upstream_ssl_sans_uris.len == 0) {
+        return NULL;
+    }
+
+    return &ctx->ssl_ctx.upstream_ssl_sans_uris;
+}
+
 #endif
 
 

src/ssl/ngx_lua_kong_ssl.h

@@ -24,6 +24,9 @@ typedef struct {
     EVP_PKEY           *upstream_client_private_key;
     X509_STORE         *upstream_trusted_store;
     ngx_uint_t          upstream_ssl_verify_depth;
+    // TODO(lucab): consider changing these two SANs fields into arrays of strings.
+    ngx_str_t           upstream_ssl_sans_dnsnames;
+    ngx_str_t           upstream_ssl_sans_uris;
     unsigned            upstream_ssl_verify:1;
     unsigned            upstream_ssl_verify_set:1;
     unsigned            upstream_ssl_verify_depth_set:1;

stream/src/ngx_stream_lua_kong_module.c

@@ -297,6 +297,90 @@ ngx_stream_lua_kong_get_upstream_ssl_verify(ngx_stream_session_t *s,
 
     return ngx_lua_kong_ssl_get_upstream_ssl_verify(&ctx->ssl_ctx, proxy_ssl_verify);
 }
+
+int
+ngx_stream_lua_kong_ffi_set_upstream_ssl_sans_dnsnames(ngx_stream_lua_request_t *r,
+    const char *input, size_t input_len)
+{
+    u_char                      *sans_data;
+    ngx_stream_lua_kong_ctx_t   *ctx;
+
+    ctx = ngx_stream_lua_kong_get_module_ctx(r);
+    if (ctx == NULL) {
+        return NGX_ERROR;
+    }
+
+    sans_data = ngx_palloc(r->pool, input_len);
+    if (sans_data == NULL) {
+        return NGX_ERROR;
+    }
+
+    ngx_memcpy(sans_data, input, input_len);
+
+    ctx->ssl_ctx.upstream_ssl_sans_dnsnames.data = sans_data;
+    ctx->ssl_ctx.upstream_ssl_sans_dnsnames.len = input_len;
+
+    return NGX_OK;
+}
+
+ngx_str_t *
+ngx_stream_lua_kong_get_upstream_ssl_sans_dnsnames(ngx_stream_session_t *s)
+{
+    ngx_stream_lua_kong_ctx_t   *ctx;
+
+    ctx = ngx_stream_get_module_ctx(s, ngx_stream_lua_kong_module);
+    if (ctx == NULL) {
+        return NULL;
+    }
+
+    if (ctx->ssl_ctx.upstream_ssl_sans_dnsnames.len == 0) {
+        return NULL;
+    }
+
+    return &ctx->ssl_ctx.upstream_ssl_sans_dnsnames;
+}
+
+int
+ngx_stream_lua_kong_ffi_set_upstream_ssl_sans_uris(ngx_stream_lua_request_t *r,
+    const char *input, size_t input_len)
+{
+    u_char                      *sans_data;
+    ngx_stream_lua_kong_ctx_t   *ctx;
+
+    ctx = ngx_stream_lua_kong_get_module_ctx(r);
+    if (ctx == NULL) {
+        return NGX_ERROR;
+    }
+
+    sans_data = ngx_palloc(r->pool, input_len);
+    if (sans_data == NULL) {
+        return NGX_ERROR;
+    }
+
+    ngx_memcpy(sans_data, input, input_len);
+
+    ctx->ssl_ctx.upstream_ssl_sans_uris.data = sans_data;
+    ctx->ssl_ctx.upstream_ssl_sans_uris.len = input_len;
+
+    return NGX_OK;
+}
+
+ngx_str_t *
+ngx_stream_lua_kong_get_upstream_ssl_sans_uris(ngx_stream_session_t *s)
+{
+    ngx_stream_lua_kong_ctx_t   *ctx;
+
+    ctx = ngx_stream_get_module_ctx(s, ngx_stream_lua_kong_module);
+    if (ctx == NULL) {
+        return NULL;
+    }
+
+    if (ctx->ssl_ctx.upstream_ssl_sans_uris.len == 0) {
+        return NULL;
+    }
+
+    return &ctx->ssl_ctx.upstream_ssl_sans_uris;
+}
 #endif
 
 

stream/src/ngx_stream_lua_kong_module.h

@@ -32,6 +32,12 @@ ngx_flag_t
 ngx_stream_lua_kong_get_upstream_ssl_verify(ngx_stream_session_t *s,
     ngx_flag_t proxy_ssl_verify);
 
+ngx_str_t *
+ngx_stream_lua_kong_get_upstream_ssl_sans_dnsnames(ngx_stream_session_t *s);
+
+ngx_str_t *
+ngx_stream_lua_kong_get_upstream_ssl_sans_uris(ngx_stream_session_t *s);
+
 #endif
 
 #endif /* _NGX_STREAM_LUA_KONG_MODULE_H_INCLUDED_ */