feat(ssl): add variable to get upstream ssl certificate and connection (#111)

One customer wants to get ssl certificate information from upstream request, such as

CN for common name
C for country name
ST for state or province name
L for locality name
O for organization
OU for organization unit
And also they want to know if upstream ssl is enabled and get ssl version from upstream request.

So in this PR, we provide ngx.var.kong_ssl_upstream_raw_cert and ngx.var.kong_upstream_ssl_protocol to get ssl certificate with PEM format and tls version for ssl connection, so that in Kong we can get information from those data structures.

With a small fix about a potential double free problem related with bio.

* feat(ssl): add variables to get upstream ssl certificate and tls version

add ssl_upstream_raw_cert and upstream_ssl_protocol as nginx variable
to get upstream ssl certificate and tls version

* feat(ssl): update doc and test cases about getting upstream ssl certificate and connection

Refactor variable name with "kong_*" prefix to prevent potential conflict with Nginx.

* fix(ssl): fix a potential double free problem in bio

---------

Signed-off-by: Walker Zhao <[email protected]>

Author: findns94

README.md

@@ -15,6 +15,8 @@ Table of Contents
     * [lua\_kong\_error\_log\_request\_id](#lua_kong_error_log_request_id)
 * [Variables](#variables)
     * [$kong\_request\_id](#kong_request_id)
+    * [$kong\_upstream\_ssl\_server\_raw\_cert](#kong_upstream_ssl_server_raw_cert)
+    * [$kong\_upstream\_ssl\_protocol](#kong_upstream_ssl_protocol)
 * [Methods](#methods)
     * [resty.kong.tls.disable\_session\_reuse](#restykongtlsdisable_session_reuse)
     * [resty.kong.tls.get\_full\_client\_certificate\_chain](#restykongtlsget_full_client_certificate_chain)
@@ -183,6 +185,22 @@ $kong\_request\_id
 Unique request identifier generated from 16 pseudo-random bytes, in hexadecimal.
 This variable is indexed.
 
+[Back to TOC](#table-of-contents)
+
+$kong\_upstream\_ssl\_server\_raw\_cert
+----------------------------------------------------
+
+Returns the upstream server certificate in the PEM format for an established SSL connection.
+
+[Back to TOC](#table-of-contents)
+
+$kong\_upstream\_ssl\_protocol
+----------------------------------------------------
+
+Returns the protocol of an established SSL connection for an upstream
+HTTP request.
+
+
 [Back to TOC](#table-of-contents)
 
 Methods
@@ -425,6 +443,9 @@ Retrieves the OpenSSL `SSL*` object for the current HTTP request.
 
 On success, this function returns the pointer of type `SSL`. Otherwise `nil` and a string
 describing the error will be returned.
+
+[Back to TOC](#table-of-contents)
+
 resty.kong.tls.disable\_http2\_alpn
 ----------------------------------------------------
 **syntax:** *ok, err = resty.kong.tls.disable\_http2\_alpn()*
@@ -548,6 +569,7 @@ default `log_level` setting from Nginx configuration immediately.
 If this method is called again before the timeout, the log level and timeout will be overwritten.
 
 If we don’t pass timeout to set_log_level(), it will raise a Lua error.
+
 [Back to TOC](#table-of-contents)
 
 resty.kong.log.get\_log\_level

src/ngx_http_lua_kong_var_index.c

@@ -83,6 +83,8 @@ static ngx_str_t default_vars[] = {
     ngx_string("ssl_client_verify"),
     ngx_string("ssl_protocol"),
     ngx_string("ssl_server_name"),
+    ngx_string("kong_upstream_ssl_server_raw_cert"),
+    ngx_string("kong_upstream_ssl_protocol"),
 #endif
 
     ngx_string("upstream_http_connection"),

src/ngx_http_lua_kong_vars.c

@@ -53,12 +53,179 @@ ngx_http_lua_kong_variable_request_id(ngx_http_request_t *r,
 }
 
 
+#if (NGX_SSL)
+static ngx_int_t
+ngx_http_lua_kong_get_ssl_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+    size_t   len;
+    BIO     *bio;
+    X509    *cert;
+
+    s->len = 0;
+
+    cert = SSL_get_peer_certificate(c->ssl->connection);
+    if (cert == NULL) {
+        return NGX_OK;
+    }
+
+    bio = BIO_new(BIO_s_mem());
+    if (bio == NULL) {
+        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
+        X509_free(cert);
+        return NGX_ERROR;
+    }
+
+    if (PEM_write_bio_X509(bio, cert) == 0) {
+        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "PEM_write_bio_X509() failed");
+        goto failed;
+    }
+
+    len = BIO_pending(bio);
+    s->len = len;
+
+    s->data = ngx_pnalloc(pool, len);
+    if (s->data == NULL) {
+        goto failed;
+    }
+
+    BIO_read(bio, s->data, len);
+
+    BIO_free(bio);
+    X509_free(cert);
+
+    return NGX_OK;
+
+failed:
+    BIO_free(bio);
+    X509_free(cert);
+
+    return NGX_ERROR;
+}
+
+
+static ngx_int_t
+ngx_http_lua_kong_get_upstream_raw_certificate(ngx_http_request_t *r, ngx_http_variable_value_t *v,
+    uintptr_t data)
+{
+    ngx_str_t  s;
+
+    ngx_connection_t *uc;
+    ngx_http_upstream_t *u;
+    ngx_peer_connection_t *peer;
+
+    u = r->upstream;
+    if (u == NULL) {
+        goto not_found;
+    }
+
+    peer = &(u->peer);
+    if (peer == NULL) {
+        goto not_found;
+    }
+
+    uc = peer->connection;
+    if (uc == NULL) {
+        goto not_found;
+    }
+
+    if (uc->ssl) {
+        if (ngx_http_lua_kong_get_ssl_raw_certificate(uc, r->pool, &s) != NGX_OK) {
+            return NGX_ERROR;
+        }
+
+        v->len = s.len;
+        v->data = s.data;
+
+        if (v->len) {
+            v->valid = 1;
+            v->no_cacheable = 0;
+            v->not_found = 0;
+
+            return NGX_OK;
+        }
+    }
+
+not_found:
+
+    v->not_found = 1;
+
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_http_lua_kong_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+    s->data = (u_char *) SSL_get_version(c->ssl->connection);
+    return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_http_lua_kong_get_upstream_tls_protocol(ngx_http_request_t *r, ngx_http_variable_value_t *v,
+    uintptr_t data)
+{
+    size_t     len;
+    ngx_str_t  s;
+
+    ngx_connection_t *uc;
+    ngx_http_upstream_t *u;
+    ngx_peer_connection_t *peer;
+
+    u = r->upstream;
+    if (u == NULL) {
+        goto not_found;
+    }
+
+    peer = &(u->peer);
+    if (peer == NULL) {
+        goto not_found;
+    }
+
+    uc = peer->connection;
+    if (uc == NULL) {
+        goto not_found;
+    }
+
+    if (uc->ssl) {
+        (void) ngx_http_lua_kong_ssl_get_protocol(uc, NULL, &s);
+
+        v->data = s.data;
+
+        for (len = 0; v->data[len]; len++) { /* void */ }
+
+        v->len = len;
+        v->valid = 1;
+        v->no_cacheable = 0;
+        v->not_found = 0;
+
+        return NGX_OK;
+    }
+
+not_found:
+
+    v->not_found = 1;
+
+    return NGX_OK;
+}
+#endif /* NGX_SSL */
+
+
 static ngx_http_variable_t  ngx_http_lua_kong_variables[] = {
 
     { ngx_string("kong_request_id"), NULL,
       ngx_http_lua_kong_variable_request_id,
       0, 0, 0 },
-
+#if (NGX_SSL)
+    { ngx_string("kong_upstream_ssl_server_raw_cert"), NULL,
+      ngx_http_lua_kong_get_upstream_raw_certificate,
+      0,
+      NGX_HTTP_VAR_CHANGEABLE, 0 },
+    { ngx_string("kong_upstream_ssl_protocol"), NULL,
+      ngx_http_lua_kong_get_upstream_tls_protocol,
+      0,
+      NGX_HTTP_VAR_CHANGEABLE, 0 },
+#endif
       ngx_http_null_variable
 };
 

src/ssl/ngx_lua_kong_ssl.c

@@ -156,8 +156,7 @@ ngx_lua_kong_ssl_get_full_client_certificate_chain(ngx_connection_t *c,
         ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
 
         X509_free(cert);
-        ret = NGX_ERROR;
-        goto done;
+        return NGX_ERROR;
     }
 
     if (PEM_write_bio_X509(bio, cert) == 0) {