mirror of
https://github.com/openresty/openresty
synced 2024-12-21 02:05:51 +01:00
feature: add openssl-3.0.15-sess_set_get_cb_yield.patch.
This commit is contained in:
parent
efc930249e
commit
5ef14281cd
208
patches/openssl-3.0.15-sess_set_get_cb_yield.patch
Normal file
208
patches/openssl-3.0.15-sess_set_get_cb_yield.patch
Normal file
@ -0,0 +1,208 @@
|
||||
diff --git a/include/openssl/bio.h.in b/include/openssl/bio.h.in
|
||||
index cdc395b..9ed3d0e 100644
|
||||
--- a/include/openssl/bio.h.in
|
||||
+++ b/include/openssl/bio.h.in
|
||||
@@ -256,6 +256,8 @@ void BIO_clear_flags(BIO *b, int flags);
|
||||
/* Returned from the accept BIO when an accept would have blocked */
|
||||
# define BIO_RR_ACCEPT 0x03
|
||||
|
||||
+# define BIO_RR_SSL_SESSION_LOOKUP 0x09
|
||||
+
|
||||
/* These are passed by the BIO callback */
|
||||
# define BIO_CB_FREE 0x01
|
||||
# define BIO_CB_READ 0x02
|
||||
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
|
||||
index 105b4a4..d961ae9 100644
|
||||
--- a/include/openssl/ssl.h.in
|
||||
+++ b/include/openssl/ssl.h.in
|
||||
@@ -889,6 +889,7 @@ __owur int SSL_extension_supported(unsigned int ext_type);
|
||||
# define SSL_ASYNC_NO_JOBS 6
|
||||
# define SSL_CLIENT_HELLO_CB 7
|
||||
# define SSL_RETRY_VERIFY 8
|
||||
+# define SSL_SESS_LOOKUP 99
|
||||
|
||||
/* These will only be used when doing non-blocking IO */
|
||||
# define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING)
|
||||
@@ -899,6 +900,7 @@ __owur int SSL_extension_supported(unsigned int ext_type);
|
||||
# define SSL_want_async(s) (SSL_want(s) == SSL_ASYNC_PAUSED)
|
||||
# define SSL_want_async_job(s) (SSL_want(s) == SSL_ASYNC_NO_JOBS)
|
||||
# define SSL_want_client_hello_cb(s) (SSL_want(s) == SSL_CLIENT_HELLO_CB)
|
||||
+# define SSL_want_sess_lookup(s) (SSL_want(s) == SSL_SESS_LOOKUP)
|
||||
|
||||
# define SSL_MAC_FLAG_READ_MAC_STREAM 1
|
||||
# define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
|
||||
@@ -1191,6 +1193,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
|
||||
# define SSL_ERROR_WANT_ASYNC_JOB 10
|
||||
# define SSL_ERROR_WANT_CLIENT_HELLO_CB 11
|
||||
# define SSL_ERROR_WANT_RETRY_VERIFY 12
|
||||
+# define SSL_ERROR_WANT_SESSION_LOOKUP 99
|
||||
+# define SSL_ERROR_PENDING_SESSION 99 /* BoringSSL compatibility */
|
||||
|
||||
# ifndef OPENSSL_NO_DEPRECATED_3_0
|
||||
# define SSL_CTRL_SET_TMP_DH 3
|
||||
@@ -1700,6 +1704,7 @@ int SSL_SESSION_print(BIO *fp, const SSL_SESSION *ses);
|
||||
int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x);
|
||||
int SSL_SESSION_up_ref(SSL_SESSION *ses);
|
||||
void SSL_SESSION_free(SSL_SESSION *ses);
|
||||
+SSL_SESSION *SSL_magic_pending_session_ptr(void);
|
||||
__owur int i2d_SSL_SESSION(const SSL_SESSION *in, unsigned char **pp);
|
||||
__owur int SSL_set_session(SSL *to, SSL_SESSION *session);
|
||||
int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *session);
|
||||
diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c
|
||||
index be3159b..4cc5006 100644
|
||||
--- a/ssl/bio_ssl.c
|
||||
+++ b/ssl/bio_ssl.c
|
||||
@@ -138,6 +138,10 @@ static int ssl_read(BIO *b, char *buf, size_t size, size_t *readbytes)
|
||||
BIO_set_retry_special(b);
|
||||
retry_reason = BIO_RR_SSL_X509_LOOKUP;
|
||||
break;
|
||||
+ case SSL_ERROR_WANT_SESSION_LOOKUP:
|
||||
+ BIO_set_retry_special(b);
|
||||
+ retry_reason = BIO_RR_SSL_SESSION_LOOKUP;
|
||||
+ break;
|
||||
case SSL_ERROR_WANT_ACCEPT:
|
||||
BIO_set_retry_special(b);
|
||||
retry_reason = BIO_RR_ACCEPT;
|
||||
@@ -206,6 +210,10 @@ static int ssl_write(BIO *b, const char *buf, size_t size, size_t *written)
|
||||
BIO_set_retry_special(b);
|
||||
retry_reason = BIO_RR_SSL_X509_LOOKUP;
|
||||
break;
|
||||
+ case SSL_ERROR_WANT_SESSION_LOOKUP:
|
||||
+ BIO_set_retry_special(b);
|
||||
+ retry_reason = BIO_RR_SSL_SESSION_LOOKUP;
|
||||
+ break;
|
||||
case SSL_ERROR_WANT_CONNECT:
|
||||
BIO_set_retry_special(b);
|
||||
retry_reason = BIO_RR_CONNECT;
|
||||
@@ -361,6 +369,10 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
|
||||
BIO_set_retry_special(b);
|
||||
BIO_set_retry_reason(b, BIO_RR_SSL_X509_LOOKUP);
|
||||
break;
|
||||
+ case SSL_ERROR_WANT_SESSION_LOOKUP:
|
||||
+ BIO_set_retry_special(b);
|
||||
+ BIO_set_retry_reason(b, BIO_RR_SSL_SESSION_LOOKUP);
|
||||
+ break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
||||
index e628140..d91a6b6 100644
|
||||
--- a/ssl/ssl_lib.c
|
||||
+++ b/ssl/ssl_lib.c
|
||||
@@ -3930,6 +3930,8 @@ int SSL_get_error(const SSL *s, int i)
|
||||
return SSL_ERROR_WANT_ASYNC_JOB;
|
||||
if (SSL_want_client_hello_cb(s))
|
||||
return SSL_ERROR_WANT_CLIENT_HELLO_CB;
|
||||
+ if (SSL_want_sess_lookup(s))
|
||||
+ return SSL_ERROR_WANT_SESSION_LOOKUP;
|
||||
|
||||
if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
|
||||
(s->s3.warn_alert == SSL_AD_CLOSE_NOTIFY))
|
||||
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
|
||||
index ec937a3..6846301 100644
|
||||
--- a/ssl/ssl_sess.c
|
||||
+++ b/ssl/ssl_sess.c
|
||||
@@ -20,6 +20,8 @@
|
||||
#include "ssl_local.h"
|
||||
#include "statem/statem_local.h"
|
||||
|
||||
+static const char g_pending_session_magic = 0;
|
||||
+
|
||||
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
|
||||
static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s);
|
||||
static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
|
||||
@@ -546,6 +548,10 @@ SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
|
||||
|
||||
ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, ©);
|
||||
|
||||
+ if (ret == SSL_magic_pending_session_ptr()) {
|
||||
+ return ret; /* Retry later */
|
||||
+ }
|
||||
+
|
||||
if (ret != NULL) {
|
||||
if (ret->not_resumable) {
|
||||
/* If its not resumable then ignore this session */
|
||||
@@ -640,6 +646,9 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello)
|
||||
try_session_cache = 1;
|
||||
ret = lookup_sess_in_cache(s, hello->session_id,
|
||||
hello->session_id_len);
|
||||
+ if (ret == SSL_magic_pending_session_ptr()) {
|
||||
+ return -2; /* Retry later */
|
||||
+ }
|
||||
}
|
||||
break;
|
||||
case SSL_TICKET_NO_DECRYPT:
|
||||
@@ -1089,6 +1098,11 @@ X509 *SSL_SESSION_get0_peer(SSL_SESSION *s)
|
||||
return s->peer;
|
||||
}
|
||||
|
||||
+SSL_SESSION *SSL_magic_pending_session_ptr(void)
|
||||
+{
|
||||
+ return (SSL_SESSION *) &g_pending_session_magic;
|
||||
+}
|
||||
+
|
||||
int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
|
||||
unsigned int sid_ctx_len)
|
||||
{
|
||||
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
|
||||
index df7c868..b22adec 100644
|
||||
--- a/ssl/statem/statem_srvr.c
|
||||
+++ b/ssl/statem/statem_srvr.c
|
||||
@@ -1599,6 +1599,7 @@ static int tls_early_post_process_client_hello(SSL *s)
|
||||
STACK_OF(SSL_CIPHER) *scsvs = NULL;
|
||||
CLIENTHELLO_MSG *clienthello = s->clienthello;
|
||||
DOWNGRADE dgrd = DOWNGRADE_NONE;
|
||||
+ PACKET saved_ciphers;
|
||||
|
||||
/* Finished parsing the ClientHello, now we can start processing it */
|
||||
/* Give the ClientHello callback a crack at things */
|
||||
@@ -1695,6 +1696,7 @@ static int tls_early_post_process_client_hello(SSL *s)
|
||||
}
|
||||
|
||||
s->hit = 0;
|
||||
+ saved_ciphers = clienthello->ciphersuites;
|
||||
|
||||
if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites,
|
||||
clienthello->isv2) ||
|
||||
@@ -1794,6 +1796,10 @@ static int tls_early_post_process_client_hello(SSL *s)
|
||||
} else if (i == -1) {
|
||||
/* SSLfatal() already called */
|
||||
goto err;
|
||||
+ } else if (i == -2) {
|
||||
+ clienthello->ciphersuites = saved_ciphers;
|
||||
+ s->rwstate = SSL_SESS_LOOKUP;
|
||||
+ goto retry;
|
||||
} else {
|
||||
/* i == 0 */
|
||||
if (!ssl_get_new_session(s, 1)) {
|
||||
@@ -1801,6 +1807,7 @@ static int tls_early_post_process_client_hello(SSL *s)
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
+ s->rwstate = SSL_NOTHING;
|
||||
}
|
||||
|
||||
if (SSL_IS_TLS13(s)) {
|
||||
@@ -2051,6 +2058,10 @@ static int tls_early_post_process_client_hello(SSL *s)
|
||||
s->clienthello = NULL;
|
||||
|
||||
return 0;
|
||||
+ retry:
|
||||
+ sk_SSL_CIPHER_free(ciphers);
|
||||
+ sk_SSL_CIPHER_free(scsvs);
|
||||
+ return -1;
|
||||
}
|
||||
|
||||
/*
|
||||
diff --git a/util/libssl.num b/util/libssl.num
|
||||
index f055c96..94e060e 100644
|
||||
--- a/util/libssl.num
|
||||
+++ b/util/libssl.num
|
||||
@@ -7,6 +7,7 @@ SSL_copy_session_id 6 3_0_0 EXIST::FUNCTION:
|
||||
SSL_CTX_set_srp_password 7 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
|
||||
SSL_shutdown 8 3_0_0 EXIST::FUNCTION:
|
||||
SSL_CTX_set_msg_callback 9 3_0_0 EXIST::FUNCTION:
|
||||
+SSL_magic_pending_session_ptr 10 3_0_0 EXIST::FUNCTION:
|
||||
SSL_SESSION_get0_ticket 11 3_0_0 EXIST::FUNCTION:
|
||||
SSL_get1_supported_ciphers 12 3_0_0 EXIST::FUNCTION:
|
||||
SSL_state_string_long 13 3_0_0 EXIST::FUNCTION:
|
Loading…
Reference in New Issue
Block a user