From 016a4bf94a1df760c70f4e337d13950ddffaaef5 Mon Sep 17 00:00:00 2001 From: Jon Carl Date: Tue, 18 Jun 2024 20:03:19 -0600 Subject: [PATCH] feat: add ssl patches for coroutines to work in lua ssl blocks Signed-off-by: Jon Carl --- .../patches/ssl_1_ssl_cert_cb_yield.patch | 64 +++++++++++++++++++ .../patches/ssl_2_ssl_sess_cb_yield.patch | 41 ++++++++++++ .../ssl_3_ssl_client_hello_cb_yield.patch | 38 +++++++++++ 3 files changed, 143 insertions(+) create mode 100644 images/nginx-1.25/rootfs/patches/ssl_1_ssl_cert_cb_yield.patch create mode 100644 images/nginx-1.25/rootfs/patches/ssl_2_ssl_sess_cb_yield.patch create mode 100644 images/nginx-1.25/rootfs/patches/ssl_3_ssl_client_hello_cb_yield.patch diff --git a/images/nginx-1.25/rootfs/patches/ssl_1_ssl_cert_cb_yield.patch b/images/nginx-1.25/rootfs/patches/ssl_1_ssl_cert_cb_yield.patch new file mode 100644 index 0000000000..89773c05ef --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/ssl_1_ssl_cert_cb_yield.patch @@ -0,0 +1,64 @@ +# HG changeset patch +# User Yichun Zhang +# Date 1451762084 28800 +# Sat Jan 02 11:14:44 2016 -0800 +# Node ID 449f0461859c16e95bdb18e8be6b94401545d3dd +# Parent 78b4e10b4367b31367aad3c83c9c3acdd42397c4 +SSL: handled SSL_CTX_set_cert_cb() callback yielding. + +OpenSSL 1.0.2+ introduces SSL_CTX_set_cert_cb() to allow custom +callbacks to serve the SSL certificiates and private keys dynamically +and lazily. The callbacks may yield for nonblocking I/O or sleeping. +Here we added support for such usage in NGINX 3rd-party modules +(like ngx_lua) in NGINX's event handlers for downstream SSL +connections. + +diff -r 78b4e10b4367 -r 449f0461859c src/event/ngx_event_openssl.c +--- a/src/event/ngx_event_openssl.c Thu Dec 17 16:39:15 2015 +0300 ++++ b/src/event/ngx_event_openssl.c Sat Jan 02 11:14:44 2016 -0800 +@@ -1445,6 +1445,23 @@ ngx_ssl_handshake(ngx_connection_t *c) + return NGX_AGAIN; + } + ++#if OPENSSL_VERSION_NUMBER >= 0x10002000L ++ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) { ++ c->read->handler = ngx_ssl_handshake_handler; ++ c->write->handler = ngx_ssl_handshake_handler; ++ ++ if (ngx_handle_read_event(c->read, 0) != NGX_OK) { ++ return NGX_ERROR; ++ } ++ ++ if (ngx_handle_write_event(c->write, 0) != NGX_OK) { ++ return NGX_ERROR; ++ } ++ ++ return NGX_AGAIN; ++ } ++#endif ++ + err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; + + c->ssl->no_wait_shutdown = 1; +@@ -1558,6 +1575,21 @@ ngx_ssl_try_early_data(ngx_connection_t *c) + return NGX_AGAIN; + } + ++ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) { ++ c->read->handler = ngx_ssl_handshake_handler; ++ c->write->handler = ngx_ssl_handshake_handler; ++ ++ if (ngx_handle_read_event(c->read, 0) != NGX_OK) { ++ return NGX_ERROR; ++ } ++ ++ if (ngx_handle_write_event(c->write, 0) != NGX_OK) { ++ return NGX_ERROR; ++ } ++ ++ return NGX_AGAIN; ++ } ++ + err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; + + c->ssl->no_wait_shutdown = 1; diff --git a/images/nginx-1.25/rootfs/patches/ssl_2_ssl_sess_cb_yield.patch b/images/nginx-1.25/rootfs/patches/ssl_2_ssl_sess_cb_yield.patch new file mode 100644 index 0000000000..ac5fe65eb2 --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/ssl_2_ssl_sess_cb_yield.patch @@ -0,0 +1,41 @@ +diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c +--- a/src/event/ngx_event_openssl.c ++++ b/src/event/ngx_event_openssl.c +@@ -1446,7 +1446,12 @@ ngx_ssl_handshake(ngx_connection_t *c) + } + + #if OPENSSL_VERSION_NUMBER >= 0x10002000L +- if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) { ++ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP ++# ifdef SSL_ERROR_PENDING_SESSION ++ || sslerr == SSL_ERROR_PENDING_SESSION ++# endif ++ ) ++ { + c->read->handler = ngx_ssl_handshake_handler; + c->write->handler = ngx_ssl_handshake_handler; + +@@ -1575,6 +1580,23 @@ ngx_ssl_try_early_data(ngx_connection_t *c) + return NGX_AGAIN; + } + ++#ifdef SSL_ERROR_PENDING_SESSION ++ if (sslerr == SSL_ERROR_PENDING_SESSION) { ++ c->read->handler = ngx_ssl_handshake_handler; ++ c->write->handler = ngx_ssl_handshake_handler; ++ ++ if (ngx_handle_read_event(c->read, 0) != NGX_OK) { ++ return NGX_ERROR; ++ } ++ ++ if (ngx_handle_write_event(c->write, 0) != NGX_OK) { ++ return NGX_ERROR; ++ } ++ ++ return NGX_AGAIN; ++ } ++#endif ++ + err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; + + c->ssl->no_wait_shutdown = 1; diff --git a/images/nginx-1.25/rootfs/patches/ssl_3_ssl_client_hello_cb_yield.patch b/images/nginx-1.25/rootfs/patches/ssl_3_ssl_client_hello_cb_yield.patch new file mode 100644 index 0000000000..0e97be9927 --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/ssl_3_ssl_client_hello_cb_yield.patch @@ -0,0 +1,38 @@ +diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c +index 8ba30e58..2b2db95c 100644 +--- a/src/event/ngx_event_openssl.c ++++ b/src/event/ngx_event_openssl.c +@@ -1712,6 +1712,9 @@ ngx_ssl_handshake(ngx_connection_t *c) + if (sslerr == SSL_ERROR_WANT_X509_LOOKUP + # ifdef SSL_ERROR_PENDING_SESSION + || sslerr == SSL_ERROR_PENDING_SESSION ++# endif ++# ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB ++ || sslerr == SSL_ERROR_WANT_CLIENT_HELLO_CB + # endif + ) + { +@@ -1889,6 +1892,23 @@ ngx_ssl_try_early_data(ngx_connection_t *c) + } + #endif + ++#ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB ++ if (sslerr == SSL_ERROR_WANT_CLIENT_HELLO_CB) { ++ c->read->handler = ngx_ssl_handshake_handler; ++ c->write->handler = ngx_ssl_handshake_handler; ++ ++ if (ngx_handle_read_event(c->read, 0) != NGX_OK) { ++ return NGX_ERROR; ++ } ++ ++ if (ngx_handle_write_event(c->write, 0) != NGX_OK) { ++ return NGX_ERROR; ++ } ++ ++ return NGX_AGAIN; ++ } ++#endif ++ + err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; + + c->ssl->no_wait_shutdown = 1;