bugfix: failed to build proxy_ssl*.

.travis.yml

@@ -45,12 +45,10 @@ env:
     - LUAJIT_LIB=$LUAJIT_PREFIX/lib
     - LUAJIT_INC=$LUAJIT_PREFIX/include/luajit-2.1
     - LUA_INCLUDE_DIR=$LUAJIT_INC
-    #- PCRE2_PREFIX=/usr/local/openresty/pcre2
-    - PCRE2_PREFIX=/opt/pcre2
+    - PCRE2_PREFIX=/usr/local/openresty/pcre2
     - PCRE2_LIB=$PCRE2_PREFIX/lib
     - PCRE2_INC=$PCRE2_PREFIX/include
-    #- OPENSSL_PREFIX=/usr/local/openresty/openssl3
-    - OPENSSL_PREFIX=/opt/openssl3
+    - OPENSSL_PREFIX=/usr/local/openresty/openssl3
     - OPENSSL_LIB=$OPENSSL_PREFIX/lib
     - OPENSSL_INC=$OPENSSL_PREFIX/include
     - LIBDRIZZLE_PREFIX=/opt/drizzle
@@ -84,8 +82,8 @@ before_install:
 
 install:
   - if [ ! -f download-cache/drizzle7-$DRIZZLE_VER.tar.gz ]; then wget -P download-cache https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/drizzle7-$DRIZZLE_VER.tar.gz; fi
-  - if [ -n "$PCRE2_VER" ] && [ ! -f download-cache/pcre2-$PCRE2_VER.tar.gz ]; then wget -P download-cache https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${PCRE2_VER}/pcre2-${PCRE2_VER}.tar.gz; fi
-  - if [ -n "$OPENSSL_VER" ] && [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://github.com/openssl/openssl/releases/download/openssl-$OPENSSL_VER/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/old/${OPENSSL_VER//[a-z]/}/openssl-$OPENSSL_VER.tar.gz; fi
+  #- if [ -n "$PCRE2_VER" ] && [ ! -f download-cache/pcre2-$PCRE2_VER.tar.gz ]; then wget -P download-cache https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${PCRE2_VER}/pcre2-${PCRE2_VER}.tar.gz; fi
+  #- if [ -n "$OPENSSL_VER" ] && [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://github.com/openssl/openssl/releases/download/openssl-$OPENSSL_VER/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/old/${OPENSSL_VER//[a-z]/}/openssl-$OPENSSL_VER.tar.gz; fi
   - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/boringssl-20230902-x64-focal.tar.gz
   - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/curl-h3-x64-focal.tar.gz
   - git clone https://github.com/openresty/test-nginx.git
@@ -137,9 +135,9 @@ script:
   - sudo make install-libdrizzle-1.0 > build.log 2>&1 || (cat build.log && exit 1)
   - cd ../mockeagain/ && make CC=$CC -j$JOBS && cd ..
   - cd lua-cjson/ && make -j$JOBS && sudo make install && cd ..
-  - if [ -n "$PCRE2_VER" ]; then tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
-  - if [ -n "$OPENSSL_VER" ]; then tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch; ./config shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX --libdir=lib -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
-  - if [ -n "$BORINGSSL" ]; then sudo rm -fr /usr/local/openresty/openssl3/ && sudo mkdir -p /usr/local/openresty/openssl3 && sudo tar -C /usr/local/openresty/openssl3 -xf boringssl-20230902-x64-focal.tar.gz --strip-components=1; fi
+  #- if [ -n "$PCRE2_VER" ]; then tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
+  #- if [ -n "$OPENSSL_VER" ]; then tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch; ./config shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX --libdir=lib -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
+  - if [ -n "$BORINGSSL" ]; then sudo rm -fr $OPENSSL_PREFIX && sudo mkdir -p $OPENSSL_PREFIX  && sudo tar -C $OPENSSL_PREFIX -xf boringssl-20230902-x64-focal.tar.gz --strip-components=1; fi
   - export NGX_BUILD_CC=$CC
   - sh util/build-without-ssl.sh $NGINX_VERSION > build.log 2>&1 || (cat build.log && exit 1)
   - sh util/build-with-dd.sh $NGINX_VERSION > build.log 2>&1 || (cat build.log && exit 1)

src/ngx_http_lua_common.h

@@ -24,6 +24,28 @@
 #include <lauxlib.h>
 
 
+
+#if (NGX_HTTP_SSL)
+/* introduce OPENSSL_IS_BORINGSSL and LIBRESSL_VERSION_NUMBER */
+#include <openssl/ssl.h>
+
+#ifdef HAVE_PROXY_SSL_PATCH
+
+#if defined(LIBRESSL_VERSION_NUMBER)
+#define HAVE_LUA_PROXY_SSL  0
+#elif defined(OPENSSL_IS_BORINGSSL)
+#define  HAVE_LUA_PROXY_SSL 0
+#elif defined(SSL_ERROR_WANT_RETRY_VERIFY) &&                                \
+    OPENSSL_VERSION_NUMBER >= 0x30000020uL
+#define  HAVE_LUA_PROXY_SSL 1
+#else
+#define  HAVE_LUA_PROXY_SSL 0
+#endif
+
+#endif /* HAVE_PROXY_SSL_PATCH */
+#endif /* NGX_HTTP_SSL */
+
+
 #if defined(NDK) && NDK
 #include <ndk.h>
 
@@ -393,7 +415,7 @@ struct ngx_http_lua_loc_conf_s {
     ngx_array_t            *ssl_conf_commands;
 #endif
 
-#ifdef HAVE_PROXY_SSL_PATCH
+#if HAVE_LUA_PROXY_SSL
     ngx_http_lua_loc_conf_handler_pt       proxy_ssl_cert_handler;
     ngx_str_t                              proxy_ssl_cert_src;
     u_char                                *proxy_ssl_cert_src_key;

src/ngx_http_lua_control.c

@@ -387,7 +387,7 @@ ngx_http_lua_ffi_exit(ngx_http_request_t *r, int status, u_char *err,
                                        | NGX_HTTP_LUA_CONTEXT_TIMER
                                        | NGX_HTTP_LUA_CONTEXT_HEADER_FILTER
                                        | NGX_HTTP_LUA_CONTEXT_BALANCER
-#ifdef HAVE_PROXY_SSL_PATCH
+#if HAVE_LUA_PROXY_SSL
                                        | NGX_HTTP_LUA_CONTEXT_PROXY_SSL_CERT
                                        | NGX_HTTP_LUA_CONTEXT_PROXY_SSL_VERIFY
 #endif
@@ -402,7 +402,7 @@ ngx_http_lua_ffi_exit(ngx_http_request_t *r, int status, u_char *err,
     }
 
     if (ctx->context & (NGX_HTTP_LUA_CONTEXT_SSL_CERT
-#ifdef HAVE_PROXY_SSL_PATCH
+#if HAVE_LUA_PROXY_SSL
                         | NGX_HTTP_LUA_CONTEXT_PROXY_SSL_CERT
                         | NGX_HTTP_LUA_CONTEXT_PROXY_SSL_VERIFY
 #endif

src/ngx_http_lua_module.c

@@ -33,10 +33,8 @@
 #include "ngx_http_lua_ssl_session_storeby.h"
 #include "ngx_http_lua_ssl_session_fetchby.h"
 
-#ifdef HAVE_PROXY_SSL_PATCH
 #include "ngx_http_lua_proxy_ssl_certby.h"
 #include "ngx_http_lua_proxy_ssl_verifyby.h"
-#endif
 
 #include "ngx_http_lua_headers.h"
 #include "ngx_http_lua_headers_out.h"
@@ -698,7 +696,7 @@ static ngx_command_t ngx_http_lua_cmds[] = {
       0,
       (void *) ngx_http_lua_ssl_sess_fetch_handler_file },
 
-#if HAVE_PROXY_SSL_PATCH
+#if HAVE_LUA_PROXY_SSL
     /* same context as proxy_pass directive */
     { ngx_string("proxy_ssl_certificate_by_lua_block"),
       NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
@@ -1586,7 +1584,7 @@ ngx_http_lua_create_loc_conf(ngx_conf_t *cf)
 #if (nginx_version >= 1019004)
     conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
 #endif
-#ifdef HAVE_PROXY_SSL_PATCH
+#if HAVE_LUA_PROXY_SSL
     conf->proxy_ssl_cert_src_ref = LUA_REFNIL;
     conf->proxy_ssl_verify_src_ref = LUA_REFNIL;
     conf->upstream_skip_openssl_default_verify = NGX_CONF_UNSET;
@@ -1693,7 +1691,7 @@ ngx_http_lua_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
                              NULL);
 #endif
 
-#if HAVE_PROXY_SSL_PATCH
+#if HAVE_LUA_PROXY_SSL
     if (conf->proxy_ssl_cert_src.len == 0) {
         conf->proxy_ssl_cert_src = prev->proxy_ssl_cert_src;
         conf->proxy_ssl_cert_handler = prev->proxy_ssl_cert_handler;

src/ngx_http_lua_proxy_ssl_certby.c

@@ -5,12 +5,12 @@
 #ifndef DDEBUG
 #define DDEBUG 0
 #endif
-#include "ddebug.h"
-
 
-#if (NGX_HTTP_SSL)
+#include "ddebug.h"
+#include "ngx_http_lua_proxy_ssl_certby.h"
 
 
+#if HAVE_LUA_PROXY_SSL
 #include "ngx_http_lua_cache.h"
 #include "ngx_http_lua_initworkerby.h"
 #include "ngx_http_lua_util.h"
@@ -19,8 +19,6 @@
 #include "ngx_http_lua_directive.h"
 #include "ngx_http_lua_ssl.h"
 
-#ifdef HAVE_PROXY_SSL_PATCH
-#include "ngx_http_lua_proxy_ssl_certby.h"
 
 
 static void ngx_http_lua_proxy_ssl_cert_done(void *data);
@@ -32,16 +30,6 @@ static ngx_int_t ngx_http_lua_proxy_ssl_cert_by_chunk(lua_State *L,
 ngx_int_t
 ngx_http_lua_proxy_ssl_cert_set_callback(ngx_conf_t *cf)
 {
-
-#ifdef LIBRESSL_VERSION_NUMBER
-
-    ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                  "LibreSSL does not support by proxy_ssl_certificate_by_lua*");
-
-    return NGX_ERROR;
-
-#else
-
     void                      *plcf;
     ngx_http_upstream_conf_t  *ucf;
     ngx_ssl_t                 *ssl;
@@ -63,22 +51,9 @@ ngx_http_lua_proxy_ssl_cert_set_callback(ngx_conf_t *cf)
         return NGX_ERROR;
     }
 
-#if OPENSSL_VERSION_NUMBER >= 0x1000205fL
-
     SSL_CTX_set_cert_cb(ssl->ctx, ngx_http_lua_proxy_ssl_cert_handler, NULL);
 
     return NGX_OK;
-
-#else
-
-    ngx_log_error(NGX_LOG_EMERG, cf->log, 0, "OpenSSL too old to support "
-                  "proxy_ssl_certificate_by_lua*");
-
-    return NGX_ERROR;
-
-#endif
-
-#endif
 }
 
 
@@ -149,16 +124,6 @@ char *
 ngx_http_lua_proxy_ssl_cert_by_lua(ngx_conf_t *cf, ngx_command_t *cmd,
     void *conf)
 {
-#if OPENSSL_VERSION_NUMBER < 0x1000205fL
-
-    ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                  "at least OpenSSL 1.0.2e required but found "
-                  OPENSSL_VERSION_TEXT);
-
-    return NGX_CONF_ERROR;
-
-#else
-
     size_t                       chunkname_len;
     u_char                      *chunkname;
     u_char                      *cache_key = NULL;
@@ -227,8 +192,6 @@ ngx_http_lua_proxy_ssl_cert_by_lua(ngx_conf_t *cf, ngx_command_t *cmd,
     llcf->proxy_ssl_cert_src_key = cache_key;
 
     return NGX_CONF_OK;
-
-#endif  /* OPENSSL_VERSION_NUMBER < 0x1000205fL */
 }
 
 
@@ -561,20 +524,6 @@ ngx_http_lua_ffi_proxy_ssl_get_tls1_version(ngx_http_request_t *r, char **err)
 int
 ngx_http_lua_ffi_proxy_ssl_clear_certs(ngx_http_request_t *r, char **err)
 {
-#ifdef LIBRESSL_VERSION_NUMBER
-
-    *err = "LibreSSL not supported";
-    return NGX_ERROR;
-
-#else
-
-#   if OPENSSL_VERSION_NUMBER < 0x1000205fL
-
-    *err = "at least OpenSSL 1.0.2e required but found " OPENSSL_VERSION_TEXT;
-    return NGX_ERROR;
-
-#   else
-
     ngx_http_upstream_t             *u;
     ngx_ssl_conn_t                  *ssl_conn;
     ngx_connection_t                *c;
@@ -599,30 +548,13 @@ ngx_http_lua_ffi_proxy_ssl_clear_certs(ngx_http_request_t *r, char **err)
 
     SSL_certs_clear(ssl_conn);
     return NGX_OK;
-
-#   endif  /* OPENSSL_VERSION_NUMBER < 0x1000205fL */
-#endif
 }
 
 
 int
 ngx_http_lua_ffi_proxy_ssl_set_der_certificate(ngx_http_request_t *r,
     const char *data, size_t len, char **err)
 {
-#ifdef LIBRESSL_VERSION_NUMBER
-
-    *err = "LibreSSL not supported";
-    return NGX_ERROR;
-
-#else
-
-#   if OPENSSL_VERSION_NUMBER < 0x1000205fL
-
-    *err = "at least OpenSSL 1.0.2e required but found " OPENSSL_VERSION_TEXT;
-    return NGX_ERROR;
-
-#   else
-
     ngx_http_upstream_t             *u;
     ngx_ssl_conn_t                  *ssl_conn;
     ngx_connection_t                *c;
@@ -701,9 +633,6 @@ ngx_http_lua_ffi_proxy_ssl_set_der_certificate(ngx_http_request_t *r,
     ERR_clear_error();
 
     return NGX_ERROR;
-
-#   endif  /* OPENSSL_VERSION_NUMBER < 0x1000205fL */
-#endif
 }
 
 
@@ -777,20 +706,6 @@ int
 ngx_http_lua_ffi_proxy_ssl_set_cert(ngx_http_request_t *r,
     void *cdata, char **err)
 {
-#ifdef LIBRESSL_VERSION_NUMBER
-
-    *err = "LibreSSL not supported";
-    return NGX_ERROR;
-
-#else
-
-#   if OPENSSL_VERSION_NUMBER < 0x1000205fL
-
-    *err = "at least OpenSSL 1.0.2e required but found " OPENSSL_VERSION_TEXT;
-    return NGX_ERROR;
-
-#   else
-
 #ifdef OPENSSL_IS_BORINGSSL
     size_t             i;
 #else
@@ -862,9 +777,6 @@ ngx_http_lua_ffi_proxy_ssl_set_cert(ngx_http_request_t *r,
     ERR_clear_error();
 
     return NGX_ERROR;
-
-#   endif  /* OPENSSL_VERSION_NUMBER < 0x1000205fL */
-#endif
 }
 
 
@@ -915,67 +827,4 @@ ngx_http_lua_ffi_proxy_ssl_set_priv_key(ngx_http_request_t *r,
     return NGX_ERROR;
 }
 
-
-#else  /* HAVE_PROXY_SSL_PATCH */
-
-
-int
-ngx_http_lua_ffi_proxy_ssl_get_tls1_version(ngx_http_request_t *r, char **err)
-{
-    *err = "Does not have HAVE_PROXY_SSL_PATCH to support this function";
-
-    return NGX_ERROR;
-}
-
-
-int
-ngx_http_lua_ffi_proxy_ssl_clear_certs(ngx_http_request_t *r, char **err)
-{
-    *err = "Does not have HAVE_PROXY_SSL_PATCH to support this function";
-
-    return NGX_ERROR;
-}
-
-
-int
-ngx_http_lua_ffi_proxy_ssl_set_der_certificate(ngx_http_request_t *r,
-    const char *data, size_t len, char **err)
-{
-    *err = "Does not have HAVE_PROXY_SSL_PATCH to support this function";
-
-    return NGX_ERROR;
-}
-
-
-int
-ngx_http_lua_ffi_proxy_ssl_set_der_private_key(ngx_http_request_t *r,
-    const char *data, size_t len, char **err)
-{
-    *err = "Does not have HAVE_PROXY_SSL_PATCH to support this function";
-
-    return NGX_ERROR;
-}
-
-
-int
-ngx_http_lua_ffi_proxy_ssl_set_cert(ngx_http_request_t *r,
-    void *cdata, char **err)
-{
-    *err = "Does not have HAVE_PROXY_SSL_PATCH to support this function";
-
-    return NGX_ERROR;
-}
-
-
-int
-ngx_http_lua_ffi_proxy_ssl_set_priv_key(ngx_http_request_t *r,
-    void *cdata, char **err)
-{
-    *err = "Does not have HAVE_PROXY_SSL_PATCH to support this function";
-
-    return NGX_ERROR;
-}
-
-
-#endif /* HAVE_PROXY_SSL_PATCH */
-#endif /* NGX_HTTP_SSL */
+#endif /* HAVE_LUA_PROXY_SSL */