feature: ngx_http_lua_ffi_ssl_ciphers

[chensunny]

SSL Cipher Enumeration API Enhancement for lua-nginx-module

📝 Summary

This PR enhances the SSL cipher enumeration functionality in the lua-nginx-module by improving the ngx_http_lua_ffi_ssl_ciphers() function and expanding its test coverage. The main focus is on debugging SSL cipher negotiation issues and ensuring proper cipher matching between server-supported and client-provided cipher suites.

Key Changes:

• SSL Cipher API Improvement: Enhanced the ngx_http_lua_ffi_ssl_ciphers() function in ngx_http_lua_ssl_certby.c to provide better cipher enumeration and matching logic
• Build Configuration Update: Modified OpenResty build configuration to use local development version of lua-nginx-module for testing
• Test Case Expansion: Added comprehensive test cases for SSL cipher enumeration scenarios including buffer overflow handling and BoringSSL compatibility

🔗 Related Issues

Closed #1962

🧪 Testing

Main Test Cases Added/Enhanced:

TEST 15: Get supported ciphers

• Purpose: Tests the core SSL cipher enumeration functionality
• Configuration:
  • Server configured with 3 cipher suites: ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384
  • Client proxy configured with 2 cipher suites
• Expected Output: JSON array ["c02f","c02b"] containing hex cipher IDs of matched ciphers
• Validation: Verifies TLSv1.2 cipher negotiation with specific cipher details in error log

TEST 16: SSL cipher API error handling (no SSL)

• Purpose: Tests error handling when SSL context is not available
• Expected Behavior: Returns error code -1 with "bad request" message
• Coverage: Validates proper error handling for non-SSL contexts

TEST 17: Buffer overflow handling

• Purpose: Tests the API's behavior when buffer size is insufficient for all matching ciphers
• Configuration: Limited buffer size to test overflow scenarios
• Expected Output: Truncated cipher list ["c02f"] demonstrating proper buffer management
• Validation: Ensures graceful handling of buffer constraints without crashes

TEST 18: BoringSSL error handling

• Purpose: Tests compatibility layer for BoringSSL environments
• Expected Behavior: Returns appropriate error message for unsupported BoringSSL operations
• Coverage: Ensures clean error reporting for BoringSSL incompatibility

Testing Methodology:

• Unit tests added/updated for SSL cipher enumeration
• Integration tests for various SSL configurations
• Manual testing performed with different OpenSSL versions
• Error handling tests for edge cases
• Buffer overflow and memory safety tests

📝 Additional Notes

Technical Implementation Details:

• The ngx_http_lua_ffi_ssl_ciphers() function now properly handles cipher protocol ID (tp) matching between server-supported ciphers (via SSL_get1_supported_ciphers()) and client ciphers (via SSL_get_client_ciphers())
• Enhanced buffer overflow protection ensures the function returns appropriate error codes when the provided buffer is too small
• Added comprehensive error handling for various SSL context states and OpenSSL version compatibility

Build Configuration Changes:

• Modified util/mirror-tarballs script to use local lua-nginx-module development version via symbolic link
• Commented out stream proxy protocol v2 patch application for compatibility
• Updated Makefile to enable/disable mirror-tarballs script execution as needed

📋 Checklist

• My code follows the OpenResty contributing guidelines
• I have performed a self-review of my code
• I have made corresponding changes to the test documentation
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• SSL cipher enumeration functionality tested across different configurations
• Error handling validated for various edge cases

📘 Deployment Notes

Prerequisites:

• OpenSSL 1.0.2e or later (LibreSSL not supported for cipher operations)
• BoringSSL environments will receive appropriate error messages for unsupported operations

Configuration Considerations:

• Ensure SSL cipher suites are properly configured in server blocks
• Buffer size should be adequate for expected cipher count (default recommendation: 32+ entries)
• Consider cipher suite ordering for optimal performance

🔍 Test Results

SSL Cipher Enumeration Test Summary:

• TEST 15: ✅ Successfully enumerates matching ciphers between server and client
• TEST 16: ✅ Proper error handling for non-SSL contexts
• TEST 17: ✅ Graceful buffer overflow handling with truncated results
• TEST 18: ✅ Clean BoringSSL incompatibility error reporting

Performance Impact:

• Cipher enumeration adds minimal overhead to SSL handshake process
• Memory usage optimized through proper buffer management
• No impact on non-SSL request processing

Compatibility Matrix:

SSL Library	Support Status	Notes
OpenSSL 1.0.2e+	✅ Full Support	Recommended
LibreSSL	❌ Not Supported	Returns appropriate error
BoringSSL	⚠️ Limited	Error handling only

The implementation maintains backward compatibility while providing enhanced debugging capabilities for SSL cipher negotiation troubleshooting.

[zhuizhuhaomeng]

diff --git a/src/ngx_http_lua_ssl_certby.c b/src/ngx_http_lua_ssl_certby.c
index cbba27ec..c87b24e7 100644
--- a/src/ngx_http_lua_ssl_certby.c
+++ b/src/ngx_http_lua_ssl_certby.c
@@ -456,12 +456,8 @@ ngx_http_lua_is_grease_cipher(uint16_t cipher_id)
 {
     /* GREASE values follow pattern: 0x?A?A where ? can be any hex digit */
     /* and both ? must be the same */
-    uint8_t high_byte = (cipher_id >> 8) & 0xFF;
-    uint8_t low_byte = cipher_id & 0xFF;
     /* Check if both bytes follow ?A pattern and high nibbles match */
-    return ((high_byte & 0x0F) == 0x0A) &&
-           ((low_byte & 0x0F) == 0x0A) &&
-           ((high_byte & 0xF0) == (low_byte & 0xF0));
+    return (cipher_id & 0x0F0F) == 0x0A0A;
 }
 
 
@@ -865,7 +861,7 @@ ngx_http_lua_ffi_req_shared_ssl_ciphers(ngx_http_request_t *r,
     ngx_ssl_conn_t         *ssl_conn;
     STACK_OF(SSL_CIPHER)   *sk, *ck;
     int                     sn, cn, i, n;
-    uint16_t                tp;
+    uint16_t                cipher;
 
     if (r == NULL || r->connection == NULL || r->connection->ssl == NULL) {
         *err = "bad request";
@@ -891,16 +887,18 @@ ngx_http_lua_ffi_req_shared_ssl_ciphers(ngx_http_request_t *r,
     }
 
     for (*nciphers = 0, i = 0; i < sn; i++) {
-        tp = SSL_CIPHER_get_protocol_id(sk_SSL_CIPHER_value(sk, i));
-        
+        cipher = SSL_CIPHER_get_protocol_id(sk_SSL_CIPHER_value(sk, i));
+
         /* Skip GREASE ciphers if filtering is enabled */
-        if (filter_grease && ngx_http_lua_is_grease_cipher(tp)) {
+        if (filter_grease && ngx_http_lua_is_grease_cipher(cipher)) {
             continue;
         }
-        
+
         for (n = 0; n < cn; n++) {
-            if (SSL_CIPHER_get_protocol_id(sk_SSL_CIPHER_value(ck, n)) == tp) {
-                ciphers[(*nciphers)++] = tp;
+            if (SSL_CIPHER_get_protocol_id(sk_SSL_CIPHER_value(ck, n))
+                == cipher)
+            {
+                ciphers[(*nciphers)++] = cipher;
                 break;
             }
         }

[mergify]

This pull request is now in conflict :(

[zhuizhuhaomeng]

This PR has been merge through CLI.