From c0c2f883e952f16834e7c1e9125c029e1dfc3842 Mon Sep 17 00:00:00 2001
From: "Yichun Zhang (agentzh)"
Date: Sun, 3 Jan 2016 10:21:03 -0800
Subject: [PATCH] feature: applied the ssl_cert_cb_yield patch to the NGINX core to allow yielding in OpenSSL's SSL_CTX_set_cert_cb() callbacks (needed by ngx_lua's ssl_certificate_by_lua*, for example).

---
 patches/nginx-1.9.7-ssl_cert_cb_yield.patch | 42 +++++++++++++++++++++
 util/mirror-tarballs | 4 ++
 2 files changed, 46 insertions(+)
 create mode 100644 patches/nginx-1.9.7-ssl_cert_cb_yield.patch

diff --git a/patches/nginx-1.9.7-ssl_cert_cb_yield.patch b/patches/nginx-1.9.7-ssl_cert_cb_yield.patch
new file mode 100644
index 0000000..e394039
--- /dev/null
+++ b/patches/nginx-1.9.7-ssl_cert_cb_yield.patch
@@ -0,0 +1,42 @@
+# HG changeset patch
+# User Yichun Zhang
+# Date 1451762084 28800
+# Sat Jan 02 11:14:44 2016 -0800
+# Node ID 449f0461859c16e95bdb18e8be6b94401545d3dd
+# Parent 78b4e10b4367b31367aad3c83c9c3acdd42397c4
+SSL: handled SSL_CTX_set_cert_cb() callback yielding.
+
+OpenSSL 1.0.2+ introduces SSL_CTX_set_cert_cb() to allow custom
+callbacks to serve the SSL certificiates and private keys dynamically
+and lazily. The callbacks may yield for nonblocking I/O or sleeping.
+Here we added support for such usage in NGINX 3rd-party modules
+(like ngx_lua) in NGINX's event handlers for downstream SSL
+connections.
+
+diff -r 78b4e10b4367 -r 449f0461859c src/event/ngx_event_openssl.c
+--- a/src/event/ngx_event_openssl.c Thu Dec 17 16:39:15 2015 +0300
++++ b/src/event/ngx_event_openssl.c Sat Jan 02 11:14:44 2016 -0800
+@@ -1210,6 +1210,23 @@
+ return NGX_AGAIN;
+ }
+
++#if OPENSSL_VERSION_NUMBER >= 0x10002000L
++ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) {
++ c->read->handler = ngx_ssl_handshake_handler;
++ c->write->handler = ngx_ssl_handshake_handler;
++
++ if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
++ return NGX_ERROR;
++ }
++
++ if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
++ return NGX_ERROR;
++ }
++
++ return NGX_AGAIN;
++ }
++#endif
++
+ err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
+
+ c->ssl->no_wait_shutdown = 1;
diff --git a/util/mirror-tarballs b/util/mirror-tarballs
index 843210a..afa76ee 100755
--- a/util/mirror-tarballs
+++ b/util/mirror-tarballs
@@ -299,6 +299,10 @@
 echo "$info_txt applying the always_enable_cc_feature_tests patch to nginx"
 patch -p1 < $root/patches/nginx-$main_ver-always_enable_cc_feature_tests.patch
 echo
 
+echo "$info_txt applying the ssl_cert_cb_yield.patch patch to nginx"
+patch -p1 < $root/patches/nginx-$main_ver-ssl_cert_cb_yield.patch
+echo
+
 cd .. || exit 1
 cp $root/patches/nginx-$main_ver-no_pool.patch ./nginx-no_pool.patch || exit 1
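Review bot: The new SSL_ERROR_WANT_X509_LOOKUP branch in the nested ngx_event_openssl.c hunk parks the handshake with nothing outstanding on the socket, yet it re-arms both the read and the write event with ngx_ssl_handshake_handler, so on a level-triggered event method the handler can presumably be re-entered while the certificate callback is still pending, and nothing in the hunk bounds how long a client may sit in this state beyond whatever handshake timer the caller has already armed. The branch carries no comment, so I would add above the `#if`: `/* SSL_CTX_set_cert_cb() (OpenSSL 1.0.2+) callbacks may suspend the handshake; no socket I/O is pending here, resumption comes from the module that yielded, and the wait is bounded only by the caller's handshake timer */`. SSL_ERROR_WANT_X509_LOOKUP itself predates 1.0.2 (the client-certificate callback returns it), so the version guard is about the cert_cb API rather than the error code, and the comment should say that rather than leave the reader to infer it. The enclosing function, presumably ngx_ssl_handshake(), starts and ends outside the nested hunk; the embedded commit message also misspells "certificiates".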
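Review bot: The added `patch -p1 < $root/patches/nginx-$main_ver-ssl_cert_cb_yield.patch` line discards the exit status of patch, so a rejected hunk (for example after the next nginx version bump) leaves the script printing "applying ..." and carrying on, and the mirrored tarball silently ships without the yield support; the `cd .. || exit 1` two lines below shows the script's own convention for fatal steps. I would write `patch -p1 < $root/patches/nginx-$main_ver-ssl_cert_cb_yield.patch || exit 1`. The echo text reads `applying the ssl_cert_cb_yield.patch patch to nginx`, where the `.patch` suffix duplicates the word that follows; the neighbouring message names its patch without the suffix. The pre-existing always_enable_cc_feature_tests line has the same unchecked status, though that is outside this change.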