api7 · shreemaan-abhishek · Feb 6, 2025 · Dec 17, 2024 · Dec 17, 2024 · Dec 17, 2024
diff --git a/patch/1.27.1.1/lua-resty-core-enable_keepalive.patch b/patch/1.27.1.1/lua-resty-core-enable_keepalive.patch
@@ -0,0 +1,144 @@
+diff --git lib/ngx/balancer.lua lib/ngx/balancer.lua
+index 18bdc2c..3a98f53 100644
+--- lib/ngx/balancer.lua
++++ lib/ngx/balancer.lua
+@@ -3,7 +3,7 @@
+
+ local base = require "resty.core.base"
+ base.allows_subsystem('http', 'stream')
+-
++require "resty.core.hash"
+
+ local ffi = require "ffi"
+ local C = ffi.C
+@@ -20,6 +20,7 @@ local error = error
+ local type = type
+ local tonumber = tonumber
+ local max = math.max
++local ngx_crc32_long = ngx.crc32_long
+
+ local subsystem = ngx.config.subsystem
+ local ngx_lua_ffi_balancer_set_current_peer
+@@ -35,8 +36,7 @@ if subsystem == 'http' then
+     ffi.cdef[[
+     int ngx_http_lua_ffi_balancer_set_current_peer(ngx_http_request_t *r,
+         const unsigned char *addr, size_t addr_len, int port,
+-        const unsigned char *host, ssize_t host_len,
+-        char **err);
++        unsigned int cpool_crc32, unsigned int cpool_size, char **err);
+
+     int ngx_http_lua_ffi_balancer_enable_keepalive(ngx_http_request_t *r,
+         unsigned long timeout, unsigned int max_requests, char **err);
+@@ -130,6 +130,7 @@ else
+     error("unknown subsystem: " .. subsystem)
+ end
+
++local DEFAULT_KEEPALIVE_POOL_SIZE = 30
+ local DEFAULT_KEEPALIVE_IDLE_TIMEOUT = 60000
+ local DEFAULT_KEEPALIVE_MAX_REQUESTS = 100
+
+@@ -143,27 +144,61 @@ local peer_state_names = {
+ local _M = { version = base.version }
+
+ if subsystem == "http" then
+-    function _M.set_current_peer(addr, port, host)
++    function _M.set_current_peer(addr, port, opts)
+         local r = get_request()
+         if not r then
+             error("no request found")
+         end
+
++        local pool_crc32
++        local pool_size
++        if opts then
++            if type(opts) ~= "table" then
++                error("bad argument #3 to 'set_current_peer' " ..
++                      "(table expected, got " .. type(opts) .. ")", 2)
++            end
++
++            local pool = opts.pool
++            pool_size = opts.pool_size
++
++            if pool then
++                if type(pool) ~= "string" then
++                    error("bad option 'pool' to 'set_current_peer' " ..
++                          "(string expected, got " .. type(pool) .. ")", 2)
++                end
++
++                pool_crc32 = ngx_crc32_long(pool)
++            end
++
++            if pool_size then
++                if type(pool_size) ~= "number" then
++                    error("bad option 'pool_size' to 'set_current_peer' " ..
++                          "(number expected, got " .. type(pool_size) .. ")", 2)
++
++                elseif pool_size < 1 then
++                    error("bad option 'pool_size' to 'set_current_peer' " ..
++                          "(expected > 0)", 2)
++                end
++            end
++        end
++
+         if not port then
+             port = 0
++
+         elseif type(port) ~= "number" then
+             port = tonumber(port)
+         end
+
+-        if host ~= nil and type(host) ~= "string" then
+-            error("bad argument #3 to 'set_current_peer' "
+-                  .. "(string expected, got " .. type(host) .. ")")
++        if not pool_crc32 then
++            pool_crc32 = 0
+         end
+
+-        local rc = ngx_lua_ffi_balancer_set_current_peer(r, addr, #addr,
+-                                                         port,
+-                                                         host,
+-                                                         host and #host or 0,
++        if not pool_size then
++            pool_size = DEFAULT_KEEPALIVE_POOL_SIZE
++        end
++
++        local rc = ngx_lua_ffi_balancer_set_current_peer(r, addr, #addr, port,
++                                                         pool_crc32, pool_size,
+                                                          errmsg)
+         if rc == FFI_OK then
+             return true
+@@ -172,26 +207,26 @@ if subsystem == "http" then
+         return nil, ffi_str(errmsg[0])
+     end
+ else
+-    function _M.set_current_peer(addr, port, host)
++    function _M.set_current_peer(addr, port, opts)
+         local r = get_request()
+         if not r then
+             error("no request found")
+         end
+
++        if opts then
++            error("bad argument #3 to 'set_current_peer' ('opts' not yet " ..
++                  "implemented in " .. subsystem .. " subsystem)", 2)
++        end
++
+         if not port then
+             port = 0
++
+         elseif type(port) ~= "number" then
+             port = tonumber(port)
+         end
+
+-        if host ~= nil then
+-            error("bad argument #3 to 'set_current_peer' ('host' not yet " ..
+-                  "implemented in " .. subsystem .. " subsystem)", 2)
+-        end
+-
+         local rc = ngx_lua_ffi_balancer_set_current_peer(r, addr, #addr,
+-                                                         port,
+-                                                         errmsg)
++                                                         port, errmsg)
+         if rc == FFI_OK then
+             return true
+         end
diff --git a/patch/1.27.1.1/lua-resty-core-reject-in-handshake.patch b/patch/1.27.1.1/lua-resty-core-reject-in-handshake.patch
@@ -0,0 +1,48 @@
+diff --git lib/ngx/ssl.lua lib/ngx/ssl.lua
+index b696bea..f3b20e0 100644
+--- lib/ngx/ssl.lua
++++ lib/ngx/ssl.lua
+@@ -100,7 +100,7 @@ if subsystem == 'http' then
+     void ngx_http_lua_ffi_free_priv_key(void *cdata);
+
+     int ngx_http_lua_ffi_ssl_verify_client(void *r,
+-        void *client_certs, void *trusted_certs, int depth, char **err);
++        void *client_certs, void *trusted_certs, int depth, int reject_in_handshake, char **err);
+
+     int ngx_http_lua_ffi_ssl_client_random(ngx_http_request_t *r,
+         const unsigned char *out, size_t *outlen, char **err);
+@@ -198,7 +198,7 @@ elseif subsystem == 'stream' then
+     void ngx_stream_lua_ffi_free_priv_key(void *cdata);
+
+     int ngx_stream_lua_ffi_ssl_verify_client(void *r,
+-        void *client_certs, void *trusted_certs, int depth, char **err);
++        void *client_certs, void *trusted_certs, int depth, int reject_in_handshake, char **err);
+
+     int ngx_stream_lua_ffi_ssl_client_random(ngx_stream_lua_request_t *r,
+         unsigned char *out, size_t *outlen, char **err);
+@@ -484,7 +484,7 @@ function _M.set_priv_key(priv_key)
+ end
+
+
+-function _M.verify_client(client_certs, depth, trusted_certs)
++function _M.verify_client(client_certs, depth, trusted_certs, reject_in_handshake)
+     local r = get_request()
+     if not r then
+         error("no request found")
+@@ -494,8 +494,15 @@ function _M.verify_client(client_certs, depth, trusted_certs)
+         depth = -1
+     end
+
++    if reject_in_handshake == nil then
++        -- reject by default so we can migrate to the new behavior
++        -- without modifying Lua code
++        reject_in_handshake = true
++    end
++
++    local reject_in_handshake_int = reject_in_handshake and 1 or 0
+     local rc = ngx_lua_ffi_ssl_verify_client(r, client_certs, trusted_certs,
+-                                             depth, errmsg)
++                                             depth, reject_in_handshake_int, errmsg)
+     if rc == FFI_OK then
+         return true
+     end