feat(ctx) add ctx module to provide OSSL_LIB_CTX context

Author: fffonion

lib/resty/openssl.lua

@@ -200,6 +200,7 @@ end
 if OPENSSL_30 then
   require "resty.openssl.include.evp"
   local provider = require "resty.openssl.provider"
+  local ctx_lib = require "resty.openssl.ctx"
   local fips_provider_ctx
 
   function _M.set_fips_mode(enable, self_test)
@@ -229,7 +230,7 @@ if OPENSSL_30 then
     -- set algorithm in fips mode in default ctx
     -- this deny/allow non-FIPS compliant algorithms to be used from EVP interface
     -- and redirect/remove redirect implementation to fips provider
-    if C.EVP_default_properties_enable_fips(nil, enable and 1 or 0) == 0 then
+    if C.EVP_default_properties_enable_fips(ctx_lib.get_libctx(), enable and 1 or 0) == 0 then
       return false, format_error("openssl.set_fips_mode: EVP_default_properties_enable_fips")
     end
 
@@ -242,7 +243,7 @@ if OPENSSL_30 then
       return false
     end
 
-    return C.EVP_default_properties_is_fips_enabled(nil) == 1
+    return C.EVP_default_properties_is_fips_enabled(ctx_lib.get_libctx()) == 1
   end
 
 else
@@ -268,7 +269,9 @@ function _M.set_default_properties(props)
     return nil, "openssl.set_default_properties is only not supported from OpenSSL 3.0"
   end
 
-  if C.EVP_set_default_properties(props) == 0 then
+  local ctx_lib = require "resty.openssl.ctx"
+
+  if C.EVP_set_default_properties(ctx_lib.get_libctx(), props) == 0 then
     return false, format_error("openssl.EVP_set_default_properties")
   end
 
@@ -298,6 +301,7 @@ local function list_provided(typ)
   local typ_lower = string.lower(typ:sub(5)) -- cut off EVP_
   local typ_ptr = typ .. "*"
   require ("resty.openssl.include.evp." .. typ_lower)
+  local ctx_lib = require "resty.openssl.ctx"
 
   local ret = {}
 
@@ -310,7 +314,7 @@ local function list_provided(typ)
                 table.insert(ret, name .. " @ " .. prov)
               end)
 
-  C[typ .. "_do_all_provided"](nil, fn, nil)
+  C[typ .. "_do_all_provided"](ctx_lib.get_libctx(), fn, nil)
   fn:free()
 
   table.sort(ret)

lib/resty/openssl/auxiliary/ctypes.lua

@@ -19,6 +19,7 @@ return {
     ptr_of_uint = ffi.typeof("unsigned int[1]"),
     ptr_of_size_t = ffi.typeof("size_t[1]"),
     ptr_of_int = ffi.typeof("int[1]"),
+    null = ffi.new("void *"), -- hack wher ngx.null is not available
 
     uchar_array = ffi.typeof("unsigned char[?]"),
 

lib/resty/openssl/cipher.lua

@@ -7,6 +7,7 @@ local ffi_cast = ffi.cast
 require "resty.openssl.include.evp.cipher"
 local evp_macro = require "resty.openssl.include.evp"
 local ctypes = require "resty.openssl.auxiliary.ctypes"
+local ctx_lib = require "resty.openssl.ctx"
 local format_error = require("resty.openssl.err").format_error
 local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
 local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
@@ -41,7 +42,7 @@ function _M.new(typ, properties)
 
   local ctyp
   if OPENSSL_30 then
-    ctyp = C.EVP_CIPHER_fetch(nil, typ, properties)
+    ctyp = C.EVP_CIPHER_fetch(ctx_lib.get_libctx(), typ, properties)
   else
     ctyp = C.EVP_get_cipherbyname(typ)
   end
@@ -269,7 +270,7 @@ function _M:derive(key, salt, count, md, md_properties)
 
   local mdt
   if OPENSSL_30 then
-    mdt = C.EVP_MD_fetch(nil, md or 'sha1', md_properties)
+    mdt = C.EVP_MD_fetch(ctx_lib.get_libctx(), md or 'sha1', md_properties)
   else
     mdt = C.EVP_get_digestbyname(md or 'sha1')
   end

lib/resty/openssl/ctx.lua

@@ -0,0 +1,66 @@
+local ffi = require "ffi"
+local C = ffi.C
+local ffi_gc = ffi.gc
+
+local format_error = require("resty.openssl.err").format_error
+
+ffi.cdef [[
+  typedef struct ossl_lib_ctx_st OSSL_LIB_CTX;
+
+  OSSL_LIB_CTX *OSSL_LIB_CTX_new(void);
+  int OSSL_LIB_CTX_load_config(OSSL_LIB_CTX *ctx, const char *config_file);
+  void OSSL_LIB_CTX_free(OSSL_LIB_CTX *ctx);
+]]
+
+local libcrypto_name
+local ossl_lib_ctx
+
+local lib_patterns = {
+  "%s", "%s.so.3", "%s.so.1.1", "%s.so.1.0"
+}
+
+local function load_library()
+  for _, pattern in ipairs(lib_patterns) do
+    -- true: load to global namespae
+    local pok, _ = pcall(ffi.load, string.format(pattern, "crypto"), true)
+    if pok then
+      libcrypto_name = string.format(pattern, "crypto")
+      ffi.load(string.format(pattern, "ssl"), true)
+
+      return true
+    end
+  end
+
+  return false, "unable to load crypto library"
+end
+
+local function new(context_only, conf_file)
+  local ctx = C.OSSL_LIB_CTX_new()
+  ffi_gc(ctx, C.OSSL_LIB_CTX_free)
+
+  if conf_file and C.OSSL_LIB_CTX_load_config(ctx, conf_file) ~= 1 then
+    return false, format_error("ctx.new")
+  end
+
+  if context_only then
+    ngx.ctx.ossl_lib_ctx = ctx
+  else
+    ossl_lib_ctx = ctx
+  end
+end
+
+local function free(context_only)
+  if context_only then
+    ngx.ctx.ossl_lib_ctx = nil
+  else
+    ossl_lib_ctx = nil
+  end
+end
+
+return {
+  new = new,
+  free = free,
+  load_library = load_library,
+  get_library_name = function() return libcrypto_name end,
+  get_libctx = function() return ngx.ctx.ossl_lib_ctx or ossl_lib_ctx end,
+}

lib/resty/openssl/digest.lua

@@ -5,6 +5,7 @@ local ffi_str = ffi.string
 
 require "resty.openssl.include.evp.md"
 local ctypes = require "resty.openssl.auxiliary.ctypes"
+local ctx_lib = require "resty.openssl.ctx"
 local format_error = require("resty.openssl.err").format_error
 local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
 local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
@@ -35,7 +36,7 @@ function _M.new(typ, properties)
     algo = C.EVP_md_null()
   else
     if OPENSSL_30 then
-      algo = C.EVP_MD_fetch(nil, typ or 'sha1', properties)
+      algo = C.EVP_MD_fetch(ctx_lib.get_libctx(), typ or 'sha1', properties)
     else
       algo = C.EVP_get_digestbyname(typ or 'sha1')
     end

lib/resty/openssl/kdf.lua

@@ -8,6 +8,7 @@ require("resty.openssl.include.evp.md")
 -- used by legacy EVP_PKEY_derive interface
 require("resty.openssl.include.evp.pkey")
 local kdf_macro = require "resty.openssl.include.evp.kdf"
+local ctx_lib = require "resty.openssl.ctx"
 local format_error = require("resty.openssl.err").format_error
 local version_num = require("resty.openssl.version").version_num
 local version_text = require("resty.openssl.version").version_text
@@ -168,7 +169,7 @@ function _M.derive(options)
 
   local md
   if OPENSSL_30 then
-    md = C.EVP_MD_fetch(nil, options.md or 'sha1', options.properties)
+    md = C.EVP_MD_fetch(ctx_lib.get_libctx(), options.md or 'sha1', options.properties)
   else
     md = C.EVP_get_digestbyname(options.md or 'sha1')
   end
@@ -300,7 +301,7 @@ local mt = {__index = _M}
 local kdf_ctx_ptr_ct = ffi.typeof('EVP_KDF_CTX*')
 
 function _M.new(typ, properties)
-  local algo = C.EVP_KDF_fetch(nil, typ, properties)
+  local algo = C.EVP_KDF_fetch(ctx_lib.get_libctx(), typ, properties)
   if algo == nil then
     return nil, format_error(string.format("mac.new: invalid mac type \"%s\"", typ))
   end

lib/resty/openssl/mac.lua

@@ -5,6 +5,7 @@ local ffi_str = ffi.string
 
 require "resty.openssl.include.evp.mac"
 local param_lib = require "resty.openssl.param"
+local ctx_lib = require "resty.openssl.ctx"
 local ctypes = require "resty.openssl.auxiliary.ctypes"
 local format_error = require("resty.openssl.err").format_error
 local OPENSSL_30 = require("resty.openssl.version").OPENSSL_30
@@ -24,7 +25,7 @@ function _M.new(key, typ, cipher, digest, properties)
     return false, "EVP_MAC is only supported from OpenSSL 3.0"
   end
 
-  local algo = C.EVP_MAC_fetch(nil, typ, properties)
+  local algo = C.EVP_MAC_fetch(ctx_lib.get_libctx(), typ, properties)
   if algo == nil then
     return nil, format_error(string.format("mac.new: invalid mac type \"%s\"", typ))
   end

lib/resty/openssl/param.lua

@@ -3,11 +3,11 @@ local C = ffi.C
 local ffi_new = ffi.new
 local ffi_str = ffi.string
 local ffi_cast = ffi.cast
-local null = ngx.null
 
 require "resty.openssl.include.param"
 local format_error = require("resty.openssl.err").format_error
 local bn_lib = require("resty.openssl.bn")
+local null = require("resty.openssl.auxiliary.ctypes").null
 
 local OSSL_PARAM_INTEGER = 1
 local OSSL_PARAM_UNSIGNED_INTEGER = 2

lib/resty/openssl/pkey.lua

@@ -5,7 +5,6 @@ local ffi_new = ffi.new
 local ffi_str = ffi.string
 local ffi_cast = ffi.cast
 local ffi_copy = ffi.copy
-local null = ngx.null
 
 local rsa_macro = require "resty.openssl.include.rsa"
 local dh_macro = require "resty.openssl.include.dh"
@@ -23,6 +22,7 @@ local ec_lib = require "resty.openssl.ec"
 local ecx_lib = require "resty.openssl.ecx"
 local objects_lib = require "resty.openssl.objects"
 local jwk_lib = require "resty.openssl.auxiliary.jwk"
+local ctx_lib = require "resty.openssl.ctx"
 local ctypes = require "resty.openssl.auxiliary.ctypes"
 local format_error = require("resty.openssl.err").format_error
 
@@ -34,6 +34,7 @@ local BORINGSSL = require("resty.openssl.version").BORINGSSL
 local ptr_of_uint = ctypes.ptr_of_uint
 local ptr_of_size_t = ctypes.ptr_of_size_t
 
+local null = ctypes.null
 local load_pem_args = { null, null, null }
 local load_der_args = { null }
 
@@ -665,7 +666,7 @@ local function sign_verify_prepare(self, fint, md_alg, padding, opts)
   local algo
   if md_alg then
     if OPENSSL_30 then
-      algo = C.EVP_MD_fetch(nil, md_alg, nil)
+      algo = C.EVP_MD_fetch(ctx_lib.get_libctx(), md_alg, nil)
     else
       algo = C.EVP_get_digestbyname(md_alg)
     end

lib/resty/openssl/provider.lua

@@ -3,6 +3,8 @@ local C = ffi.C
 
 require "resty.openssl.include.provider"
 local param_lib = require "resty.openssl.param"
+local ctx_lib = require "resty.openssl.ctx"
+local null = require("resty.openssl.auxiliary.ctypes").null
 local OPENSSL_30 = require("resty.openssl.version").OPENSSL_30
 local format_error = require("resty.openssl.err").format_error
 
@@ -17,13 +19,14 @@ local ossl_provider_ctx_ct = ffi.typeof('OSSL_PROVIDER*')
 
 function _M.load(name, try)
   local ctx
+  local libctx = ctx_lib.get_libctx()
   if try then
-    ctx = C.OSSL_PROVIDER_try_load(nil, name)
+    ctx = C.OSSL_PROVIDER_try_load(libctx, name)
     if ctx == nil then
       return nil, format_error("provider.try_load")
     end
   else
-    ctx = C.OSSL_PROVIDER_load(nil, name)
+    ctx = C.OSSL_PROVIDER_load(libctx, name)
     if ctx == nil then
       return nil, format_error("provider.load")
     end
@@ -36,11 +39,11 @@ function _M.load(name, try)
 end
 
 function _M.set_default_search_path(path)
-  C.OSSL_PROVIDER_set_default_search_path(nil, path)
+  C.OSSL_PROVIDER_set_default_search_path(ctx_lib.get_libctx(), path)
 end
 
 function _M.is_available(name)
-  return C.OSSL_PROVIDER_available(nil, name) == 1
+  return C.OSSL_PROVIDER_available(ctx_lib.get_libctx(), name) == 1
 end
 
 function _M.istype(l)
@@ -108,7 +111,7 @@ function _M:get_params(...)
 
   local buffers = {}
   for _, key in ipairs(keys) do
-    buffers[key] = ngx.null
+    buffers[key] = null
   end
   local req, err = param_lib.construct(buffers, key_length, self.param_types)
   if not req then

lib/resty/openssl/x509/init.lua

@@ -17,6 +17,7 @@ local pkey_lib = require("resty.openssl.pkey")
 local util = require "resty.openssl.util"
 local txtnid2nid = require("resty.openssl.objects").txtnid2nid
 local ctypes = require "resty.openssl.auxiliary.ctypes"
+local ctx_lib = require "resty.openssl.ctx"
 local format_error = require("resty.openssl.err").format_error
 local version = require("resty.openssl.version")
 local OPENSSL_10 = version.OPENSSL_10
@@ -329,7 +330,7 @@ local function digest(self, cfunc, typ, properties)
 
   local algo
   if OPENSSL_30 then
-    algo = C.EVP_MD_fetch(nil, typ or 'sha1', properties)
+    algo = C.EVP_MD_fetch(ctx_lib.get_libctx(), typ or 'sha1', properties)
   else
     algo = C.EVP_get_digestbyname(typ or 'sha1')
   end