feature: added support for OpenSSL 1.1.0.

ghedo · agentzh · commit 7f108923b01e · 2018-01-05T17:02:39.000-08:00
thanks polishment work from Dejiang Zhu and Zexuan Luo.

Signed-off-by: Yichun Zhang (agentzh) &lt;agentzh@gmail.com&gt;
diff --git a/.travis.yml b/.travis.yml
@@ -41,15 +41,15 @@ env:
     - OPENSSL_PREFIX=/opt/ssl
     - OPENSSL_LIB=$OPENSSL_PREFIX/lib
     - OPENSSL_INC=$OPENSSL_PREFIX/include
-    - OPENSSL_VER=1.0.2k
     - LIBDRIZZLE_PREFIX=/opt/drizzle
     - LIBDRIZZLE_INC=$LIBDRIZZLE_PREFIX/include/libdrizzle-1.0
     - LIBDRIZZLE_LIB=$LIBDRIZZLE_PREFIX/lib
     - LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
     - DRIZZLE_VER=2011.07.21
     - TEST_NGINX_SLEEP=0.006
   matrix:
-    - NGINX_VERSION=1.13.6
+    - NGINX_VERSION=1.13.6 OPENSSL_VER=1.0.2k OPENSSL_PATCH_VER=1.0.2h
+    #- NGINX_VERSION=1.13.6 OPENSSL_VER=1.1.0c OPENSSL_PATCH_VER=1.1.0c
 
 services:
  - memcache
@@ -112,9 +112,8 @@ script:
   - cd ..
   - tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz
   - cd openssl-$OPENSSL_VER/
-  - if [ ! -f ../download-cache/openssl-1.0.2h-sess_set_get_cb_yield.patch ]; then wget -P ../download-cache https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-1.0.2h-sess_set_get_cb_yield.patch; fi
-  - patch -p1 < ../download-cache/openssl-1.0.2h-sess_set_get_cb_yield.patch
-  - ./config shared --prefix=$OPENSSL_PREFIX -DPURIFY > build.log 2>&1 || (cat build.log && exit 1)
+  - patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch
+  - ./config no-threads shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX -DPURIFY > build.log 2>&1 || (cat build.log && exit 1)
   - make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
   - sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1)
   - cd ..
diff --git a/src/ngx_http_lua_socket_tcp.c b/src/ngx_http_lua_socket_tcp.c
@@ -1368,9 +1368,8 @@ ngx_http_lua_socket_tcp_sslhandshake(lua_State *L)
                     return 2;
                 }
 
-                ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
-                               "lua ssl set session: %p:%d",
-                               *psession, (*psession)->references);
+                ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                               "lua ssl set session: %p", *psession);
             }
         }
 
@@ -1635,9 +1634,8 @@ ngx_http_lua_ssl_handshake_retval_handler(ngx_http_request_t *r,
     } else {
         *ud = ssl_session;
 
-       ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
-                      "lua ssl save session: %p:%d", ssl_session,
-                      ssl_session->references);
+       ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                      "lua ssl save session: %p", ssl_session);
 
         /* set up the __gc metamethod */
         lua_pushlightuserdata(L, &ngx_http_lua_ssl_session_metatable_key);
@@ -5444,9 +5442,8 @@ ngx_http_lua_ssl_free_session(lua_State *L)
 
     psession = lua_touserdata(L, 1);
     if (psession && *psession != NULL) {
-        ngx_log_debug2(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, 0,
-                       "lua ssl free session: %p:%d", *psession,
-                       (*psession)->references);
+        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, 0,
+                       "lua ssl free session: %p", *psession);
 
         ngx_ssl_free_session(*psession);
     }
diff --git a/src/ngx_http_lua_ssl_ocsp.c b/src/ngx_http_lua_ssl_ocsp.c
@@ -468,7 +468,11 @@ ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r,
         return NGX_ERROR;
     }
 
+#ifdef SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE
+    if (SSL_get_tlsext_status_type(ssl_conn) == -1) {
+#else
     if (ssl_conn->tlsext_status_type == -1) {
+#endif
         dd("no ocsp status req from client");
         return NGX_DECLINED;
     }
diff --git a/src/ngx_http_lua_ssl_session_fetchby.c b/src/ngx_http_lua_ssl_session_fetchby.c
@@ -171,8 +171,11 @@ ngx_http_lua_ssl_sess_fetch_by_lua(ngx_conf_t *cf, ngx_command_t *cmd,
 
 /* cached session fetching callback to be set with SSL_CTX_sess_set_get_cb */
 ngx_ssl_session_t *
-ngx_http_lua_ssl_sess_fetch_handler(ngx_ssl_conn_t *ssl_conn, u_char *id,
-    int len, int *copy)
+ngx_http_lua_ssl_sess_fetch_handler(ngx_ssl_conn_t *ssl_conn,
+#if OPENSSL_VERSION_NUMBER >= 0x10100003L
+    const
+#endif
+    u_char *id, int len, int *copy)
 {
     lua_State                       *L;
     ngx_int_t                        rc;
@@ -287,7 +290,7 @@ ngx_http_lua_ssl_sess_fetch_handler(ngx_ssl_conn_t *ssl_conn, u_char *id,
     cctx->exit_code = 1;  /* successful by default */
     cctx->connection = c;
     cctx->request = r;
-    cctx->session_id.data = id;
+    cctx->session_id.data = (u_char *) id;
     cctx->session_id.len = len;
     cctx->entered_sess_fetch_handler = 1;
     cctx->done = 0;
diff --git a/src/ngx_http_lua_ssl_session_fetchby.h b/src/ngx_http_lua_ssl_session_fetchby.h
@@ -25,7 +25,11 @@ char *ngx_http_lua_ssl_sess_fetch_by_lua_block(ngx_conf_t *cf,
     ngx_command_t *cmd, void *conf);
 
 ngx_ssl_session_t *ngx_http_lua_ssl_sess_fetch_handler(
-    ngx_ssl_conn_t *ssl_conn, u_char *id, int len, int *copy);
+    ngx_ssl_conn_t *ssl_conn,
+#if OPENSSL_VERSION_NUMBER >= 0x10100003L
+    const
+#endif
+    u_char *id, int len, int *copy);
 #endif
 
 
diff --git a/src/ngx_http_lua_ssl_session_storeby.c b/src/ngx_http_lua_ssl_session_storeby.c
@@ -172,6 +172,8 @@ int
 ngx_http_lua_ssl_sess_store_handler(ngx_ssl_conn_t *ssl_conn,
     ngx_ssl_session_t *sess)
 {
+    const u_char                    *sess_id;
+    unsigned int                     sess_id_len;
     lua_State                       *L;
     ngx_int_t                        rc;
     ngx_connection_t                *c, *fc = NULL;
@@ -247,11 +249,13 @@ ngx_http_lua_ssl_sess_store_handler(ngx_ssl_conn_t *ssl_conn,
         }
     }
 
+    sess_id = SSL_SESSION_get_id(sess, &sess_id_len);
+
     cctx->connection = c;
     cctx->request = r;
     cctx->session = sess;
-    cctx->session_id.data = sess->session_id;
-    cctx->session_id.len = sess->session_id_length;
+    cctx->session_id.data = (u_char *) sess_id;
+    cctx->session_id.len = sess_id_len;
     cctx->done = 0;
 
     dd("setting cctx");
diff --git a/t/129-ssl-socket.t b/t/129-ssl-socket.t
diff --git a/t/142-ssl-session-store.t b/t/142-ssl-session-store.t
diff --git a/t/143-ssl-session-fetch.t b/t/143-ssl-session-fetch.t

Original file line number	Diff line number	Diff line change
`@@ -468,7 +468,11 @@ ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r,`
`468`	`468`	`return NGX_ERROR;`
`469`	`469`	`}`
`470`	`470`
	`471`	`+#ifdef SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE`
	`472`	`+ if (SSL_get_tlsext_status_type(ssl_conn) == -1) {`
	`473`	`+#else`
`471`	`474`	`if (ssl_conn->tlsext_status_type == -1) {`
	`475`	`+#endif`
`472`	`476`	`dd("no ocsp status req from client");`
`473`	`477`	`return NGX_DECLINED;`
`474`	`478`	`}`