tools/openresty
1
0
Fork 0
mirror of https://github.com/openresty/openresty.git synced 2026-03-13 09:20:35 +08:00
Code Issues Packages Projects Releases Wiki Activity

feature: add support for openssl 3.5.5.

Browse Source
This commit is contained in:
lijunlong
2026-02-02 10:14:12 +08:00
parent ad85d73f5b
commit fe04bbe3f5
1 changed files with 214 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

214
patches/openssl-3.5.5-sess_set_get_cb_yield.patch Normal file
View File

@@ -0,0 +1,214 @@
diff --git a/include/openssl/bio.h.in b/include/openssl/bio.h.in
index ba8e81e..62ccd72 100644
--- a/include/openssl/bio.h.in
+++ b/include/openssl/bio.h.in
@@ -288,6 +288,8 @@ void BIO_clear_flags(BIO *b, int flags);
/* Returned from the accept BIO when an accept would have blocked */
#define BIO_RR_ACCEPT 0x03
+# define BIO_RR_SSL_SESSION_LOOKUP 0x09
+
/* These are passed by the BIO callback */
#define BIO_CB_FREE 0x01
#define BIO_CB_READ 0x02
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index bdcc685..becc8ec 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -911,6 +911,7 @@ __owur int SSL_extension_supported(unsigned int ext_type);
#define SSL_ASYNC_NO_JOBS 6
#define SSL_CLIENT_HELLO_CB 7
#define SSL_RETRY_VERIFY 8
+#define SSL_SESS_LOOKUP 99
/* These will only be used when doing non-blocking IO */
#define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING)
@@ -921,6 +922,7 @@ __owur int SSL_extension_supported(unsigned int ext_type);
#define SSL_want_async(s) (SSL_want(s) == SSL_ASYNC_PAUSED)
#define SSL_want_async_job(s) (SSL_want(s) == SSL_ASYNC_NO_JOBS)
#define SSL_want_client_hello_cb(s) (SSL_want(s) == SSL_CLIENT_HELLO_CB)
+#define SSL_want_sess_lookup(s) (SSL_want(s) == SSL_SESS_LOOKUP)
#define SSL_MAC_FLAG_READ_MAC_STREAM 1
#define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
@@ -1220,6 +1222,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
#define SSL_ERROR_WANT_CLIENT_HELLO_CB 11
#define SSL_ERROR_WANT_RETRY_VERIFY 12
+#define SSL_ERROR_WANT_SESSION_LOOKUP 99
+#define SSL_ERROR_PENDING_SESSION 99 /* BoringSSL compatibility */
#ifndef OPENSSL_NO_DEPRECATED_3_0
#define SSL_CTRL_SET_TMP_DH 3
#define SSL_CTRL_SET_TMP_ECDH 4
@@ -1752,10 +1756,12 @@ __owur unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s);
#ifndef OPENSSL_NO_STDIO
int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *ses);
#endif
+SSL_SESSION *SSL_magic_pending_session_ptr(void);
int SSL_SESSION_print(BIO *fp, const SSL_SESSION *ses);
int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x);
int SSL_SESSION_up_ref(SSL_SESSION *ses);
void SSL_SESSION_free(SSL_SESSION *ses);
+SSL_SESSION *SSL_magic_pending_session_ptr(void);
__owur int i2d_SSL_SESSION(const SSL_SESSION *in, unsigned char **pp);
__owur int SSL_set_session(SSL *to, SSL_SESSION *session);
int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *session);
diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c
index 1123899..8f826e5 100644
--- a/ssl/bio_ssl.c
+++ b/ssl/bio_ssl.c
@@ -142,6 +142,10 @@ static int ssl_read(BIO *b, char *buf, size_t size, size_t *readbytes)
BIO_set_retry_special(b);
retry_reason = BIO_RR_SSL_X509_LOOKUP;
break;
+ case SSL_ERROR_WANT_SESSION_LOOKUP:
+ BIO_set_retry_special(b);
+ retry_reason = BIO_RR_SSL_SESSION_LOOKUP;
+ break;
case SSL_ERROR_WANT_ACCEPT:
BIO_set_retry_special(b);
retry_reason = BIO_RR_ACCEPT;
@@ -210,6 +214,10 @@ static int ssl_write(BIO *b, const char *buf, size_t size, size_t *written)
BIO_set_retry_special(b);
retry_reason = BIO_RR_SSL_X509_LOOKUP;
break;
+ case SSL_ERROR_WANT_SESSION_LOOKUP:
+ BIO_set_retry_special(b);
+ retry_reason = BIO_RR_SSL_SESSION_LOOKUP;
+ break;
case SSL_ERROR_WANT_CONNECT:
BIO_set_retry_special(b);
retry_reason = BIO_RR_CONNECT;
@@ -375,6 +383,10 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
BIO_set_retry_special(b);
BIO_set_retry_reason(b, BIO_RR_SSL_X509_LOOKUP);
break;
+ case SSL_ERROR_WANT_SESSION_LOOKUP:
+ BIO_set_retry_special(b);
+ BIO_set_retry_reason(b, BIO_RR_SSL_SESSION_LOOKUP);
+ break;
default:
break;
}
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index ac77faa..d05b999 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -4920,6 +4920,8 @@ int ossl_ssl_get_error(const SSL *s, int i, int check_err)
return SSL_ERROR_WANT_ASYNC_JOB;
if (SSL_want_client_hello_cb(s))
return SSL_ERROR_WANT_CLIENT_HELLO_CB;
+ if (SSL_want_sess_lookup(s))
+ return SSL_ERROR_WANT_SESSION_LOOKUP;
if ((sc->shutdown & SSL_RECEIVED_SHUTDOWN) && (sc->s3.warn_alert == SSL_AD_CLOSE_NOTIFY))
return SSL_ERROR_ZERO_RETURN;
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index e54fb53..446a87b 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -21,6 +21,8 @@
#include "ssl_local.h"
#include "statem/statem_local.h"
+static const char g_pending_session_magic = 0;
+
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s);
static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
@@ -527,6 +529,10 @@ SSL_SESSION *lookup_sess_in_cache(SSL_CONNECTION *s,
ret = s->session_ctx->get_session_cb(SSL_CONNECTION_GET_USER_SSL(s),
sess_id, sess_id_len, &copy);
+ if (ret == SSL_magic_pending_session_ptr()) {
+ return ret; /* Retry later */
+ }
+
if (ret != NULL) {
if (ret->not_resumable) {
/* If its not resumable then ignore this session */
@@ -623,6 +629,9 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello)
try_session_cache = 1;
ret = lookup_sess_in_cache(s, hello->session_id,
hello->session_id_len);
+ if (ret == SSL_magic_pending_session_ptr()) {
+ return -2; /* Retry later */
+ }
}
break;
case SSL_TICKET_NO_DECRYPT:
@@ -1102,6 +1111,11 @@ EVP_PKEY *SSL_SESSION_get0_peer_rpk(SSL_SESSION *s)
return s->peer_rpk;
}
+SSL_SESSION *SSL_magic_pending_session_ptr(void)
+{
+ return (SSL_SESSION *) &g_pending_session_magic;
+}
+
int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
unsigned int sid_ctx_len)
{
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 6079176..1ca25a7 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1731,6 +1731,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s)
SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
+ PACKET saved_ciphers;
/* Finished parsing the ClientHello, now we can start processing it */
/* Give the ClientHello callback a crack at things */
@@ -1813,6 +1814,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s)
}
s->hit = 0;
+ saved_ciphers = clienthello->ciphersuites;
if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites,
clienthello->isv2)
@@ -1908,6 +1910,10 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s)
} else if (i == -1) {
/* SSLfatal() already called */
goto err;
+ } else if (i == -2) {
+ clienthello->ciphersuites = saved_ciphers;
+ s->rwstate = SSL_SESS_LOOKUP;
+ goto retry;
} else {
/* i == 0 */
if (!ssl_get_new_session(s, 1)) {
@@ -1915,6 +1921,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s)
goto err;
}
}
+ s->rwstate = SSL_NOTHING;
}
if (SSL_CONNECTION_IS_TLS13(s)) {
@@ -2170,6 +2177,11 @@ err:
s->clienthello = NULL;
return 0;
+
+retry:
+ sk_SSL_CIPHER_free(ciphers);
+ sk_SSL_CIPHER_free(scsvs);
+ return -1;
}
/*
diff --git a/util/libssl.num b/util/libssl.num
index dabf3b0..af45a34 100644
--- a/util/libssl.num
+++ b/util/libssl.num
@@ -7,6 +7,7 @@ SSL_copy_session_id 6 3_0_0 EXIST::FUNCTION:
SSL_CTX_set_srp_password 7 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
SSL_shutdown 8 3_0_0 EXIST::FUNCTION:
SSL_CTX_set_msg_callback 9 3_0_0 EXIST::FUNCTION:
+SSL_magic_pending_session_ptr 10 3_0_0 EXIST::FUNCTION:
SSL_SESSION_get0_ticket 11 3_0_0 EXIST::FUNCTION:
SSL_get1_supported_ciphers 12 3_0_0 EXIST::FUNCTION:
SSL_state_string_long 13 3_0_0 EXIST::FUNCTION: