feature: added OpenSSL 1.1.1 support to ssl_session_fetch_by_lua*.

spacewander · thibaultcha · commit a38d9066787f · 2019-06-04T19:19:53.000-07:00
See openresty/openresty#456. Signed-off-by: Thibault Charbonnier <thibaultcha@me.com>
diff --git a/.travis.yml b/.travis.yml
@@ -48,10 +48,9 @@ env:
     - DRIZZLE_VER=2011.07.21
     - TEST_NGINX_SLEEP=0.006
   matrix:
-    - NGINX_VERSION=1.15.8 OPENSSL_VER=1.0.2s OPENSSL_OPT="" OPENSSL_PATCH_VER=1.0.2h
-    - NGINX_VERSION=1.15.8 OPENSSL_VER=1.1.0k OPENSSL_OPT="" OPENSSL_PATCH_VER=1.1.0d
-    # TODO: when adding an OpenSSL version >= 1.1.1, please add "enable-tls1_3"
-    # to $OPENSSL_OPT.
+    - NGINX_VERSION=1.15.8 OPENSSL_VER=1.0.2s OPENSSL_PATCH_VER=1.0.2h
+    - NGINX_VERSION=1.15.8 OPENSSL_VER=1.1.0k OPENSSL_PATCH_VER=1.1.0d
+    - NGINX_VERSION=1.15.8 OPENSSL_VER=1.1.1c OPENSSL_PATCH_VER=""
 
 services:
  - memcache
@@ -116,8 +115,8 @@ script:
   - cd ..
   - tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz
   - cd openssl-$OPENSSL_VER/
-  - patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch
-  - ./config no-threads shared enable-ssl3 enable-ssl3-method $OPENSSL_OPT -g --prefix=$OPENSSL_PREFIX -DPURIFY > build.log 2>&1 || (cat build.log && exit 1)
+  - if [ -n "$OPENSSL_PATCH_VER" ]; then patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch; fi
+  - ./config no-threads shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX -DPURIFY > build.log 2>&1 || (cat build.log && exit 1)
   - make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
   - sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1)
   - cd ..
diff --git a/README.markdown b/README.markdown
@@ -2623,15 +2623,18 @@ But do not forget to comment this line out before publishing your site to the wo
 If you are using the [official pre-built packages](http://openresty.org/en/linux-packages.html) for [OpenResty](https://openresty.org/)
 1.11.2.1 or later, then everything should work out of the box.
 
-If you are using OpenSSL libraries not provided by [OpenResty](https://openresty.org),
-then you need to apply the following patch for OpenSSL 1.0.2h or later:
+If you are not using one of the [OpenSSL
+packages](https://openresty.org/en/linux-packages.html) provided by
+[OpenResty](https://openresty.org), you will need to apply patches to OpenSSL
+1.0.2, up to (and including) 1.1.0:
 
-<https://github.com/openresty/openresty/blob/master/patches/openssl-1.0.2h-sess_set_get_cb_yield.patch>
+<https://openresty.org/en/openssl-patches.html>
 
-If you are not using the NGINX core shipped with [OpenResty](https://openresty.org) 1.11.2.1 or later, then you need to
-apply the following patch to the standard NGINX core 1.11.2 or later:
+Similarly, if you are not using the NGINX core shipped with
+[OpenResty](https://openresty.org) 1.11.2.1 or later, you will need to apply
+patches to the standard NGINX core:
 
-<http://openresty.org/download/nginx-1.11.2-nonblocking_ssl_handshake_hooks.patch>
+<https://openresty.org/en/nginx-ssl-patches.html>
 
 This directive was first introduced in the `v0.10.6` release.
 
diff --git a/doc/HttpLuaModule.wiki b/doc/HttpLuaModule.wiki
@@ -2219,15 +2219,18 @@ But do not forget to comment this line out before publishing your site to the wo
 If you are using the [official pre-built packages](http://openresty.org/en/linux-packages.html) for [OpenResty](https://openresty.org/)
 1.11.2.1 or later, then everything should work out of the box.
 
-If you are using OpenSSL libraries not provided by [OpenResty](https://openresty.org),
-then you need to apply the following patch for OpenSSL 1.0.2h or later:
+If you are not using one of the [OpenSSL
+packages](https://openresty.org/en/linux-packages.html) provided by
+[OpenResty](https://openresty.org), you will need to apply patches to OpenSSL
+1.0.2, up to (and including) 1.1.0:
 
-https://github.com/openresty/openresty/blob/master/patches/openssl-1.0.2h-sess_set_get_cb_yield.patch
+https://openresty.org/en/openssl-patches.html
 
-If you are not using the NGINX core shipped with [OpenResty](https://openresty.org) 1.11.2.1 or later, then you need to
-apply the following patch to the standard NGINX core 1.11.2 or later:
+Similarly, if you are not using the NGINX core shipped with
+[OpenResty](https://openresty.org) 1.11.2.1 or later, you will need to apply
+patches to the standard NGINX core:
 
-http://openresty.org/download/nginx-1.11.2-nonblocking_ssl_handshake_hooks.patch
+https://openresty.org/en/nginx-ssl-patches.html
 
 This directive was first introduced in the <code>v0.10.6</code> release.
 
diff --git a/src/ngx_http_lua_module.c b/src/ngx_http_lua_module.c
@@ -1077,6 +1077,12 @@ ngx_http_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
 
             return NGX_CONF_ERROR;
 #else
+#   ifdef HAVE_SSL_CLIENT_HELLO_CB_SUPPORT
+            SSL_CTX_set_client_hello_cb(sscf->ssl.ctx,
+                                        ngx_http_lua_ssl_client_hello_handler,
+                                        NULL);
+#   endif
+
             SSL_CTX_sess_set_get_cb(sscf->ssl.ctx,
                                     ngx_http_lua_ssl_sess_fetch_handler);
 #endif
diff --git a/src/ngx_http_lua_ssl_session_fetchby.c b/src/ngx_http_lua_ssl_session_fetchby.c
@@ -173,16 +173,12 @@ ngx_http_lua_ssl_sess_fetch_by_lua(ngx_conf_t *cf, ngx_command_t *cmd,
 }
 
 
-/* cached session fetching callback to be set with SSL_CTX_sess_set_get_cb */
-ngx_ssl_session_t *
-ngx_http_lua_ssl_sess_fetch_handler(ngx_ssl_conn_t *ssl_conn,
-#if OPENSSL_VERSION_NUMBER >= 0x10100003L
-    const
-#endif
-    u_char *id, int len, int *copy)
+static ngx_int_t
+ngx_http_lua_ssl_sess_fetch_helper(ngx_ssl_conn_t *ssl_conn,
+    const u_char *id, int len)
 {
     lua_State                       *L;
-    ngx_int_t                        rc;
+    ngx_int_t                        rc, res = NGX_ERROR;
     ngx_connection_t                *c, *fc = NULL;
     ngx_http_request_t              *r = NULL;
     ngx_pool_cleanup_t              *cln;
@@ -191,11 +187,6 @@ ngx_http_lua_ssl_sess_fetch_handler(ngx_ssl_conn_t *ssl_conn,
     ngx_http_lua_srv_conf_t         *lscf;
     ngx_http_core_loc_conf_t        *clcf;
 
-    /* set copy to 0 as we expect OpenSSL to handle
-     * the memory of returned session */
-
-    *copy = 0;
-
     c = ngx_ssl_get_connection(ssl_conn);
 
     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
@@ -217,17 +208,10 @@ ngx_http_lua_ssl_sess_fetch_handler(ngx_ssl_conn_t *ssl_conn,
                            cctx->exit_code);
 
             dd("lua ssl sess_fetch done, finally");
-            return cctx->session;
+            return NGX_OK;
         }
 
-#ifdef SSL_ERROR_PENDING_SESSION
-        return SSL_magic_pending_session_ptr();
-#else
-        ngx_log_error(NGX_LOG_CRIT, c->log, 0,
-                      "lua: cannot yield in sess get cb: "
-                      "missing async sess get cb support in OpenSSL");
-        return NULL;
-#endif
+        return NGX_AGAIN;
     }
 
     dd("first time");
@@ -329,7 +313,7 @@ ngx_http_lua_ssl_sess_fetch_handler(ngx_ssl_conn_t *ssl_conn,
                        "sess get cb exit code: %d", rc, cctx->exit_code);
 
         c->log->action = "SSL handshaking";
-        return cctx->session;
+        return NGX_OK;
     }
 
     /* rc == NGX_DONE */
@@ -356,12 +340,13 @@ ngx_http_lua_ssl_sess_fetch_handler(ngx_ssl_conn_t *ssl_conn,
 
     *cctx->cleanup = ngx_http_lua_ssl_sess_fetch_aborted;
 
-#ifdef SSL_ERROR_PENDING_SESSION
-    return SSL_magic_pending_session_ptr();
+#if defined(SSL_ERROR_PENDING_SESSION)                                       \
+    || defined(HAVE_SSL_CLIENT_HELLO_CB_SUPPORT)
+
+    return NGX_AGAIN;
+
 #else
-    ngx_log_error(NGX_LOG_CRIT, c->log, 0,
-                  "lua: cannot yield in sess get cb: "
-                  "missing async sess get cb support in OpenSSL");
+    res = NGX_AGAIN;
 
     /* fall through to the "failed" label below */
 #endif
@@ -376,10 +361,125 @@ ngx_http_lua_ssl_sess_fetch_handler(ngx_ssl_conn_t *ssl_conn,
         ngx_http_lua_close_fake_connection(fc);
     }
 
+    return res;
+}
+
+
+#ifdef HAVE_SSL_CLIENT_HELLO_CB_SUPPORT
+int
+ngx_http_lua_ssl_client_hello_handler(ngx_ssl_conn_t *ssl_conn,
+    int *al, void *arg)
+{
+    int                len;
+    ngx_int_t          rc;
+    const u_char      *id;
+
+    len = SSL_client_hello_get0_session_id(ssl_conn, &id);
+
+    if (len <= 0) {
+        return SSL_CLIENT_HELLO_SUCCESS;
+    }
+
+    rc = ngx_http_lua_ssl_sess_fetch_helper(ssl_conn, id, len);
+
+    if (rc == NGX_AGAIN) {
+        return SSL_CLIENT_HELLO_RETRY;
+    }
+
+    return SSL_CLIENT_HELLO_SUCCESS;
+}
+
+
+ngx_ssl_session_t *
+ngx_http_lua_ssl_sess_fetch_handler(ngx_ssl_conn_t *ssl_conn,
+    const u_char *id, int len, int *copy)
+{
+    ngx_connection_t                *c;
+    ngx_http_lua_ssl_ctx_t          *cctx;
+
+    /* set copy to 0 as we expect OpenSSL to handle
+     * the memory of returned session */
+
+    *copy = 0;
+
+    c = ngx_ssl_get_connection(ssl_conn);
+
+    cctx = ngx_http_lua_ssl_get_ctx(c->ssl->connection);
+
+    if (cctx && cctx->done) {
+        return cctx->session;
+    }
+
     return NULL;
 }
 
 
+#else
+
+/* cached session fetching callback to be set with SSL_CTX_sess_set_get_cb */
+ngx_ssl_session_t *
+ngx_http_lua_ssl_sess_fetch_handler(ngx_ssl_conn_t *ssl_conn,
+#if OPENSSL_VERSION_NUMBER >= 0x10100003L
+    const
+#endif
+    u_char *id, int len, int *copy)
+{
+    ngx_int_t                        rc;
+    ngx_connection_t                *c;
+    ngx_http_lua_ssl_ctx_t          *cctx;
+
+    /* set copy to 0 as we expect OpenSSL to handle
+     * the memory of returned session */
+
+    *copy = 0;
+
+    c = ngx_ssl_get_connection(ssl_conn);
+
+    rc = ngx_http_lua_ssl_sess_fetch_helper(ssl_conn, id, len);
+
+    if (rc == NGX_AGAIN) {
+
+#ifdef SSL_ERROR_PENDING_SESSION
+
+        return SSL_magic_pending_session_ptr();
+
+#else
+
+        ngx_log_error(NGX_LOG_CRIT, c->log, 0,
+                      "lua: cannot yield in sess get cb: "
+#   if OPENSSL_VERSION_NUMBER >= 0x1010100fL
+                      "missing support for yielding during SSL handshake in "
+                      "the nginx core; consider using the OpenResty releases "
+                      "from https://openresty.org/en/download.html or apply "
+                      "the nginx core patches yourself (see "
+                      "https://openresty.org/en/nginx-ssl-patches.html)");
+
+#   else
+                      "missing support for yielding during SSL handshake in "
+                      "linked " OPENSSL_VERSION_TEXT "; consider using the "
+                      "OpenResty releases from "
+                      "https://openresty.org/en/download.html or apply "
+                      "the OpenSSL patches yourself (see "
+                      "https://openresty.org/en/openssl-patches.html)");
+#   endif
+
+        return NULL;
+
+#endif
+    }
+
+    if (rc == NGX_ERROR) {
+        return NULL;
+    }
+
+    /* rc == NGX_OK */
+
+    cctx = ngx_http_lua_ssl_get_ctx(c->ssl->connection);
+    return cctx->session;
+}
+#endif
+
+
 static void
 ngx_http_lua_ssl_sess_fetch_done(void *data)
 {
diff --git a/src/ngx_http_lua_ssl_session_fetchby.h b/src/ngx_http_lua_ssl_session_fetchby.h
@@ -30,8 +30,13 @@ ngx_ssl_session_t *ngx_http_lua_ssl_sess_fetch_handler(
     const
 #endif
     u_char *id, int len, int *copy);
+
+#ifdef HAVE_SSL_CLIENT_HELLO_CB_SUPPORT
+int ngx_http_lua_ssl_client_hello_handler(ngx_ssl_conn_t *ssl_conn,
+    int *al, void *arg);
 #endif
 
+#endif /* NGX_HTTP_SSL */
 
 #endif /* _NGX_HTTP_LUA_SSL_SESSION_FETCHBY_H_INCLUDED_ */
 
