feature: add support for ssl.get_req_shared_ssl_ciphers()

Author: chensunny

lib/ngx/ssl.lua

@@ -9,9 +9,15 @@ local ffi = require "ffi"
 local C = ffi.C
 local ffi_str = ffi.string
 local ffi_gc = ffi.gc
+local ffi_copy = ffi.copy
+local ffi_sizeof = ffi.sizeof
+local ffi_typeof = ffi.typeof
+local ffi_new = ffi.new
 local get_request = base.get_request
 local error = error
 local tonumber = tonumber
+local format = string.format
+local concat = table.concat
 local errmsg = base.get_errmsg_ptr()
 local get_string_buf = base.get_string_buf
 local get_size_ptr = base.get_size_ptr
@@ -43,6 +49,7 @@ local ngx_lua_ffi_ssl_client_random
 local ngx_lua_ffi_ssl_export_keying_material
 local ngx_lua_ffi_ssl_export_keying_material_early
 local ngx_lua_ffi_get_req_ssl_pointer
+local ngx_lua_ffi_req_shared_ssl_ciphers
 
 
 if subsystem == 'http' then
@@ -114,6 +121,15 @@ if subsystem == 'http' then
         unsigned char *out, size_t out_size,
         const char *label, size_t llen,
         const unsigned char *ctx, size_t ctxlen, char **err);
+
+    int ngx_http_lua_ffi_req_shared_ssl_ciphers(ngx_http_request_t *r,
+        unsigned short *ciphers, unsigned short *nciphers,
+        int filter_grease, char **err);
+
+    typedef struct {
+        uint16_t nciphers;
+        uint16_t ciphers[?];
+    } ngx_lua_ssl_ciphers;
     ]]
 
     ngx_lua_ffi_ssl_set_der_certificate =
@@ -143,6 +159,8 @@ if subsystem == 'http' then
     ngx_lua_ffi_ssl_export_keying_material_early =
         C.ngx_http_lua_ffi_ssl_export_keying_material_early
     ngx_lua_ffi_get_req_ssl_pointer = C.ngx_http_lua_ffi_get_req_ssl_pointer
+    ngx_lua_ffi_req_shared_ssl_ciphers =
+        C.ngx_http_lua_ffi_req_shared_ssl_ciphers
 
 elseif subsystem == 'stream' then
     ffi.cdef[[
@@ -237,6 +255,37 @@ local charpp = ffi.new("char*[1]")
 local intp = ffi.new("int[1]")
 local ushortp = ffi.new("unsigned short[1]")
 
+do
+    local ciphers_buf = ffi_new("uint16_t [?]", 256)
+
+    function _M.get_req_shared_ssl_ciphers(filter_grease)
+        local r = get_request()
+        if not r then
+            error("no request found")
+        end
+
+        if filter_grease == nil then
+            filter_grease = true  -- Default to filter GREASE
+        end
+
+        ciphers_buf[0] = 255  -- Set max number of ciphers we can hold
+        local filter_flag = filter_grease and 1 or 0
+        local rc = ngx_lua_ffi_req_shared_ssl_ciphers(r, ciphers_buf + 1,
+                                                      ciphers_buf, filter_flag,
+                                                      errmsg)
+        if rc ~= FFI_OK then
+            return nil, ffi_str(errmsg[0])
+        end
+
+        -- Build result table
+        local result = {}
+        for i = 1, ciphers_buf[0] do
+            result[i] = tonumber(ciphers_buf[i])
+        end
+
+        return result
+    end
+end
 
 function _M.clear_certs()
     local r = get_request()

lib/ngx/ssl.md

@@ -32,6 +32,7 @@ Table of Contents
     * [set_priv_key](#set_priv_key)
     * [verify_client](#verify_client)
     * [get_client_random](#get_client_random)
+    * [get_shared_ssl_ciphers](#get_shared_ssl_ciphers)
     * [get_req_ssl_pointer](#get_req_ssl_pointer)
 * [Community](#community)
     * [English Mailing List](#english-mailing-list)
@@ -650,7 +651,6 @@ This function can be called in any context where downstream https is used, but i
 
 [Back to TOC](#table-of-contents)
 
-
 get_req_ssl_pointer
 ------------
 **syntax:** *ssl_ptr, err = ssl.get_req_ssl_pointer()*
@@ -668,6 +668,39 @@ This function was first added in version `0.1.16`.
 
 [Back to TOC](#table-of-contents)
 
+get_req_shared_ssl_ciphers
+-----------
+**syntax:** *ciphers = ssl.get_req_shared_ssl_ciphers(filter_grease?)*
+
+**context:** *any*
+
+Returns an array of cipher IDs that are supported by both the server and client for the current SSL connection.
+
+The optional argument `filter_grease` defaults to `true`. Set it to `false` explicitly if you want to include GREASE cipher values in the results.
+
+Example usage:
+
+```lua
+local ciphers, err = ssl.get_req_shared_ssl_ciphers()
+if ciphers then
+    for i, cipher in ipairs(ciphers) do
+        ngx.log(ngx.INFO, "Cipher: ", cipher)
+    end
+else
+    ngx.log(ngx.ERR, err)
+end
+```
+
+GREASE (Generate Random Extensions And Sustain Extensibility) cipher values are automatically filtered out from the results.
+
+Returns `nil` and an error string on failure.
+
+This function can be called in any context where downstream https is used.
+
+This function was first added in version `0.1.29`.
+
+[Back to TOC](#table-of-contents)
+
 Community
 =========
 

t/ssl.t

@@ -8,7 +8,7 @@ use t::TestCore;
 
 repeat_each(2);
 
-plan tests => repeat_each() * (blocks() * 6 - 1);
+plan tests => repeat_each() * (blocks() * 6 );
 
 no_long_string();
 #no_diff();
@@ -110,8 +110,7 @@ failed to do SSL handshake: handshake failed
 
 --- error_log eval
 ['lua ssl server name: "test.com"',
-qr/routines::no suitable signature algorithm|sslv3 alert handshake failure|routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE:SSL alert number 40/]
-
+qr/sslv3 alert handshake failure|SSL alert number 40/]
 --- no_error_log
 [alert]
 [emerg]
@@ -3419,3 +3418,61 @@ SUCCESS
 [error]
 [alert]
 [emerg]
+
+
+
+=== TEST 35: get shared SSL ciphers
+--- http_config
+    lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH";
+    server {
+        listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+        server_name   test.com;
+        ssl_protocols TLSv1.2;
+        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384;
+
+        ssl_certificate_by_lua_block {
+            local ssl = require "ngx.ssl"
+            local ciphers, err = ssl.get_req_shared_ssl_ciphers()
+            if not err and ciphers then
+                ngx.log(ngx.INFO, "shared ciphers count: ", #ciphers)
+                local count = 0
+                for i, cipher_id in ipairs(ciphers) do
+                    count = count + 1
+                    ngx.log(ngx.INFO, string.format("%d: SHARED_CIPHER 0x%04x", i, cipher_id))
+                    if count >= 3 then  -- log only first 3 to avoid too much output
+                        break
+                    end
+                end
+            else
+                ngx.log(ngx.ERR, "failed to get shared ciphers: ", err)
+            end
+        }
+        ssl_certificate ../../cert/test.crt;
+        ssl_certificate_key ../../cert/test.key;
+
+        server_tokens off;
+        location /foo {
+            default_type 'text/plain';
+            content_by_lua_block {ngx.status = 200 ngx.say("foo") ngx.exit(200)}
+            more_clear_headers Date;
+        }
+    }
+--- config
+    location /t {
+        proxy_ssl_protocols TLSv1.2;
+        proxy_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256;
+        proxy_pass https://unix:$TEST_NGINX_HTML_DIR/nginx.sock:/foo;
+        proxy_ssl_session_reuse off;
+    }
+
+--- request
+GET /t
+--- response_body
+foo
+--- error_log eval
+[qr/shared ciphers count: \d+/,
+qr/1: SHARED_CIPHER 0x/]
+--- no_error_log
+[alert]
+[crit]
+[error]