packages/openresty-openssl111
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!1 Init package

Browse Source 
From: @fu_changjie
Reviewed-by: 
Signed-off-by:
This commit is contained in:
openeuler-ci-bot 2021-07-23 11:31:12 +00:00 committed by Gitee
commit c2f88a28d2
5 changed files with 510 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
0099-copy-dir.sh.patch Normal file
View File

@ -0,0 +1,38 @@
From 8d777d20ac3d82434c3f1cbd9cdee94c4de8f966 Mon Sep 17 00:00:00 2001
From: fu_changjie <fu_changjie@qq.com>
Date: Fri, 11 Dec 2020 10:28:08 +0800
Subject: [PATCH] copy-dir.sh
---
copy-dir.sh | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100755 copy-dir.sh
diff --git a/copy-dir.sh b/copy-dir.sh
new file mode 100755
index 0000000..b5520d5
--- /dev/null
+++ b/copy-dir.sh
@@ -0,0 +1,19 @@
+dirname=$(basename `pwd`)
+time=$(date +%s)
+
+cd ..
+
+if [[ -f 'asan' || -d 'asan' ]]; then
+ mv asan asan-${time}
+fi
+
+if [[ -f 'debug' || -d 'debug' ]]; then
+ mv debug debug-${time}
+fi
+
+cp -a ${dirname} asan
+cp -a ${dirname} debug
+
+mv asan debug ${dirname}
+
+cd -
--
2.27.0

260
openresty-openssl111.spec Normal file
View File

@ -0,0 +1,260 @@
Name: openresty-openssl111
Version: 1.1.1h
Release: 1%{?dist}
Summary: OpenSSL library for OpenResty
Group: Development/Libraries
# https://www.openssl.org/source/license.html
License: OpenSSL
URL: https://www.openssl.org/
Source0: https://www.openssl.org/source/openssl-%{version}.tar.gz
Patch0: openssl-1.1.1f-sess_set_get_cb_yield.patch
Patch99: 0099-copy-dir.sh.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: gcc, make, perl, libtool
BuildRequires: openresty-zlib-devel >= 1.2.11
Requires: openresty-zlib >= 1.2.11
AutoReqProv: no
%define openssl_prefix /usr/local/openresty/openssl111
%define zlib_prefix /usr/local/openresty/zlib
%define openssl_prefix_asan /usr/local/openresty-asan/openssl111
%define zlib_prefix_asan /usr/local/openresty-asan/zlib
%define openssl_prefix_debug /usr/local/openresty-debug/openssl111
%define zlib_prefix_debug /usr/local/openresty/zlib
%global _default_patch_fuzz 1
# Remove source code from debuginfo package.
%define __debug_install_post \
%{_rpmconfigdir}/find-debuginfo.sh %{?_missing_build_ids_terminate_build:--strict-build-id} %{?_find_debuginfo_opts} "%{_builddir}/%{?buildsubdir}"; \
rm -rf "${RPM_BUILD_ROOT}/usr/src/debug"; \
mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug/openssl-%{version}"; \
mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug/tmp"; \
mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug/builddir"; \
%{nil}
%if 0%{?fedora} >= 27
%undefine _debugsource_packages
%undefine _debuginfo_subpackages
%endif
%if 0%{?rhel} >= 8
%undefine _debugsource_packages
%undefine _debuginfo_subpackages
%endif
%if 0%{?openEuler} >= 2
%undefine _debugsource_packages
%undefine _debuginfo_subpackages
%endif
%description
This OpenSSL library build is specifically for OpenResty uses. It may contain
custom patches from OpenResty.
%package devel
Summary: Development files for OpenResty's OpenSSL library
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
%description devel
Provides C header and static library for OpenResty's OpenSSL library.
%package asan
Summary: Clang AddressSanitizer Debug version of the OpenSSL library for OpenResty
Group: Development/Libraries
BuildRequires: ccache, gcc, make, perl, clang, compiler-rt, libasan
BuildRequires: openresty-zlib-asan-devel >= 1.2.11-6
Requires: openresty-zlib-asan >= 1.2.11-6
%description asan
This is the clang AddressSanitizer version of the OpenSSL library build for OpenResty uses.
%package asan-devel
Summary: Clang AddressSanitizer version of development files for OpenResty's OpenSSL library
Group: Development/Libraries
Requires: openresty-openssl111-asan = %{version}-%{release}
%description asan-devel
Provides C header and static library for the clang AddressSanitizer version of OpenResty's OpenSSL library. This is the clang AddressSanitizer version.
%package debug
Summary: Debug version of the OpenSSL library for OpenResty
Group: Development/Libraries
Requires: openresty-zlib >= 1.2.11
AutoReqProv: no
%description debug
This is the debug version of the OpenSSL library build for OpenResty uses.
%package debug-devel
Summary: Debug version of development files for OpenResty's OpenSSL library
Group: Development/Libraries
Requires: openresty-openssl111-debug = %{version}-%{release}
%description debug-devel
Provides C header and static library for the debug version of OpenResty's OpenSSL library. This is the debug version.
%prep
%setup -q -n openssl-%{version}
%patch0 -p1
%patch99 -p1
%build
bash ./copy-dir.sh
./config \
shared zlib -g3 \
enable-camellia enable-seed enable-rfc3779 \
enable-cms enable-md2 enable-rc5 \
enable-weak-ssl-ciphers \
enable-ssl3 enable-ssl3-method \
--prefix=%{openssl_prefix} \
--libdir=lib \
-I%{zlib_prefix}/include \
-L%{zlib_prefix}/lib \
-Wl,-rpath,%{zlib_prefix}/lib:%{openssl_prefix}/lib
make CC='ccache gcc -fdiagnostics-color=always' %{?_smp_mflags}
cd asan
export ASAN_OPTIONS=detect_leaks=0
./config \
no-asm \
enable-camellia enable-seed enable-rfc3779 \
enable-cms enable-md2 enable-rc5 \
enable-weak-ssl-ciphers \
enable-ssl3 enable-ssl3-method \
shared zlib -g3 -O1 -DPURIFY \
--prefix=%{openssl_prefix_asan} \
--libdir=lib \
-I%{zlib_prefix_asan}/include \
-L%{zlib_prefix_asan}/lib \
-Wl,-rpath,%{zlib_prefix_asan}/lib:%{openssl_prefix_asan}/lib
#sed -i 's/ -O3 / -O1 -fno-omit-frame-pointer /g' Makefile
#sed -r -i 's/^([ \t]*)LD_LIBRARY_PATH=[^\\ \t]*/\1LD_LIBRARY_PATH=/g' Makefile.shared
make %{?_smp_mflags} \
LD_LIBRARY_PATH= \
CC="ccache clang -fsanitize=address -fcolor-diagnostics -Qunused-arguments"
cd -
cd debug
./config \
no-asm \
enable-camellia enable-seed enable-rfc3779 \
enable-cms enable-md2 enable-rc5 \
enable-weak-ssl-ciphers \
enable-ssl3 enable-ssl3-method \
shared zlib -g3 -O0 -DPURIFY \
--prefix=%{openssl_prefix_debug} \
--libdir=lib \
-I%{zlib_prefix_debug}/include \
-L%{zlib_prefix_debug}/lib \
-Wl,-rpath,%{zlib_prefix_debug}/lib:%{openssl_prefix_debug}/lib
sed -i 's/ -O3 / -O0 /g' Makefile
make CC='ccache gcc -fdiagnostics-color=always' %{?_smp_mflags}
cd -
%install
make install_sw DESTDIR=%{buildroot}
chmod 0755 %{buildroot}%{openssl_prefix}/lib/*.so*
chmod 0755 %{buildroot}%{openssl_prefix}/lib/*/*.so*
rm -rf %{buildroot}%{openssl_prefix}/bin/c_rehash
rm -rf %{buildroot}%{openssl_prefix}/lib/pkgconfig
rm -rf %{buildroot}%{openssl_prefix}/misc
# to silence the check-rpath error
export QA_RPATHS=$[ 0x0002 ]
cd asan
make install_sw DESTDIR=%{buildroot}
chmod +w %{buildroot}%{openssl_prefix_asan}/lib/*.so
chmod +w %{buildroot}%{openssl_prefix_asan}/lib/*/*.so
rm -rf %{buildroot}%{openssl_prefix_asan}/bin/c_rehash
rm -rf %{buildroot}%{openssl_prefix_asan}/lib/pkgconfig
rm -rf %{buildroot}%{openssl_prefix_asan}/misc
cd -
cd debug
make install_sw DESTDIR=%{buildroot}
chmod +w %{buildroot}%{openssl_prefix_debug}/lib/*.so
chmod +w %{buildroot}%{openssl_prefix_debug}/lib/*/*.so
rm -rf %{buildroot}%{openssl_prefix_debug}/bin/c_rehash
rm -rf %{buildroot}%{openssl_prefix_debug}/lib/pkgconfig
rm -rf %{buildroot}%{openssl_prefix_debug}/misc
cd -
%clean
rm -rf %{buildroot}
%files
%defattr(-,root,root,-)
%attr(0755,root,root) %{openssl_prefix}/bin/openssl
%attr(0755,root,root) %{openssl_prefix}/lib/*.so*
%attr(0755,root,root) %{openssl_prefix}/lib/*/*.so*
%files devel
%defattr(-,root,root,-)
%{openssl_prefix}/include/*
%{openssl_prefix}/lib/*.a
%files asan
%defattr(-,root,root,-)
%attr(0755,root,root) %{openssl_prefix_asan}/bin/openssl
%attr(0755,root,root) %{openssl_prefix_asan}/lib/*.so*
%attr(0755,root,root) %{openssl_prefix_asan}/lib/*/*.so*
%files asan-devel
%defattr(-,root,root,-)
%{openssl_prefix_asan}/include/*
%attr(0755,root,root) %{openssl_prefix_asan}/lib/*.a
%files debug
%defattr(-,root,root,-)
%attr(0755,root,root) %{openssl_prefix_debug}/bin/openssl
%attr(0755,root,root) %{openssl_prefix_debug}/lib/*.so*
%attr(0755,root,root) %{openssl_prefix_debug}/lib/*/*.so*
%files debug-devel
%defattr(-,root,root,-)
%{openssl_prefix_debug}/include/*
%attr(0755,root,root) %{openssl_prefix_debug}/lib/*.a
%changelog
* Fri Jul 23 2021 Fu Changjie <fu_changjie@qq.com> 1.1.1h-1
- Package init with openresty-openssl 1.1.1h

4
openresty-openssl111.yaml Normal file
View File

@ -0,0 +1,4 @@
version_control: NA
src_repo: NA
tag_prefix: NA
seperator: NA

208
openssl-1.1.1f-sess_set_get_cb_yield.patch Normal file
View File

@ -0,0 +1,208 @@
diff --git a/include/openssl/bio.h b/include/openssl/bio.h
index ae559a5105..b23f59b1bf 100644
--- a/include/openssl/bio.h
+++ b/include/openssl/bio.h
@@ -216,6 +216,8 @@ void BIO_clear_flags(BIO *b, int flags);
/* Returned from the accept BIO when an accept would have blocked */
# define BIO_RR_ACCEPT 0x03
+# define BIO_RR_SSL_SESSION_LOOKUP 0x09
+
/* These are passed by the BIO callback */
# define BIO_CB_FREE 0x01
# define BIO_CB_READ 0x02
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 6724ccf2d2..e3a086c3db 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -896,6 +896,7 @@ __owur int SSL_extension_supported(unsigned int ext_type);
# define SSL_ASYNC_PAUSED 5
# define SSL_ASYNC_NO_JOBS 6
# define SSL_CLIENT_HELLO_CB 7
+# define SSL_SESS_LOOKUP 99
/* These will only be used when doing non-blocking IO */
# define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING)
@@ -905,6 +906,7 @@ __owur int SSL_extension_supported(unsigned int ext_type);
# define SSL_want_async(s) (SSL_want(s) == SSL_ASYNC_PAUSED)
# define SSL_want_async_job(s) (SSL_want(s) == SSL_ASYNC_NO_JOBS)
# define SSL_want_client_hello_cb(s) (SSL_want(s) == SSL_CLIENT_HELLO_CB)
+# define SSL_want_sess_lookup(s) (SSL_want(s) == SSL_SESS_LOOKUP)
# define SSL_MAC_FLAG_READ_MAC_STREAM 1
# define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
@@ -1190,6 +1192,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
# define SSL_ERROR_WANT_ASYNC 9
# define SSL_ERROR_WANT_ASYNC_JOB 10
# define SSL_ERROR_WANT_CLIENT_HELLO_CB 11
+# define SSL_ERROR_WANT_SESSION_LOOKUP 99
+# define SSL_ERROR_PENDING_SESSION 99 /* BoringSSL compatibility */
# define SSL_CTRL_SET_TMP_DH 3
# define SSL_CTRL_SET_TMP_ECDH 4
# define SSL_CTRL_SET_TMP_DH_CB 6
@@ -1662,6 +1666,7 @@ int SSL_SESSION_print(BIO *fp, const SSL_SESSION *ses);
int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x);
int SSL_SESSION_up_ref(SSL_SESSION *ses);
void SSL_SESSION_free(SSL_SESSION *ses);
+SSL_SESSION *SSL_magic_pending_session_ptr(void);
__owur int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp);
__owur int SSL_set_session(SSL *to, SSL_SESSION *session);
int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *session);
diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c
index ab9e6668cd..11a1a6e88f 100644
--- a/ssl/bio_ssl.c
+++ b/ssl/bio_ssl.c
@@ -139,6 +139,10 @@ static int ssl_read(BIO *b, char *buf, size_t size, size_t *readbytes)
BIO_set_retry_special(b);
retry_reason = BIO_RR_SSL_X509_LOOKUP;
break;
+ case SSL_ERROR_WANT_SESSION_LOOKUP:
+ BIO_set_retry_special(b);
+ retry_reason = BIO_RR_SSL_SESSION_LOOKUP;
+ break;
case SSL_ERROR_WANT_ACCEPT:
BIO_set_retry_special(b);
retry_reason = BIO_RR_ACCEPT;
@@ -207,6 +211,10 @@ static int ssl_write(BIO *b, const char *buf, size_t size, size_t *written)
BIO_set_retry_special(b);
retry_reason = BIO_RR_SSL_X509_LOOKUP;
break;
+ case SSL_ERROR_WANT_SESSION_LOOKUP:
+ BIO_set_retry_special(b);
+ retry_reason = BIO_RR_SSL_SESSION_LOOKUP;
+ break;
case SSL_ERROR_WANT_CONNECT:
BIO_set_retry_special(b);
retry_reason = BIO_RR_CONNECT;
@@ -361,6 +369,10 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
BIO_set_retry_special(b);
BIO_set_retry_reason(b, BIO_RR_SSL_X509_LOOKUP);
break;
+ case SSL_ERROR_WANT_SESSION_LOOKUP:
+ BIO_set_retry_special(b);
+ BIO_set_retry_reason(b, BIO_RR_SSL_SESSION_LOOKUP);
+ break;
default:
break;
}
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 7c7e59789c..c443a9f0f8 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3618,6 +3618,8 @@ int SSL_get_error(const SSL *s, int i)
return SSL_ERROR_WANT_ASYNC_JOB;
if (SSL_want_client_hello_cb(s))
return SSL_ERROR_WANT_CLIENT_HELLO_CB;
+ if (SSL_want_sess_lookup(s))
+ return SSL_ERROR_WANT_SESSION_LOOKUP;
if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
(s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 40c157bb42..909e0ca7d2 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -16,6 +16,8 @@
#include "ssl_local.h"
#include "statem/statem_local.h"
+static const char g_pending_session_magic = 0;
+
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s);
static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
@@ -448,6 +450,10 @@ SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, &copy);
+ if (ret == SSL_magic_pending_session_ptr()) {
+ return ret; /* Retry later */
+ }
+
if (ret != NULL) {
tsan_counter(&s->session_ctx->stats.sess_cb_hit);
@@ -536,6 +542,9 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello)
try_session_cache = 1;
ret = lookup_sess_in_cache(s, hello->session_id,
hello->session_id_len);
+ if (ret == SSL_magic_pending_session_ptr()) {
+ return -2; /* Retry later */
+ }
}
break;
case SSL_TICKET_NO_DECRYPT:
@@ -952,6 +961,11 @@ X509 *SSL_SESSION_get0_peer(SSL_SESSION *s)
return s->peer;
}
+SSL_SESSION *SSL_magic_pending_session_ptr(void)
+{
+ return (SSL_SESSION *) &g_pending_session_magic;
+}
+
int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
unsigned int sid_ctx_len)
{
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 14cb27e6db..ec96640fdc 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1623,6 +1623,7 @@ static int tls_early_post_process_client_hello(SSL *s)
STACK_OF(SSL_CIPHER) *scsvs = NULL;
CLIENTHELLO_MSG *clienthello = s->clienthello;
DOWNGRADE dgrd = DOWNGRADE_NONE;
+ PACKET saved_ciphers;
/* Finished parsing the ClientHello, now we can start processing it */
/* Give the ClientHello callback a crack at things */
@@ -1730,6 +1731,7 @@ static int tls_early_post_process_client_hello(SSL *s)
}
s->hit = 0;
+ saved_ciphers = clienthello->ciphersuites;
if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites,
clienthello->isv2) ||
@@ -1835,6 +1837,10 @@ static int tls_early_post_process_client_hello(SSL *s)
} else if (i == -1) {
/* SSLfatal() already called */
goto err;
+ } else if (i == -2) {
+ clienthello->ciphersuites = saved_ciphers;
+ s->rwstate = SSL_SESS_LOOKUP;
+ goto retry;
} else {
/* i == 0 */
if (!ssl_get_new_session(s, 1)) {
@@ -1842,6 +1848,7 @@ static int tls_early_post_process_client_hello(SSL *s)
goto err;
}
}
+ s->rwstate = SSL_NOTHING;
}
if (SSL_IS_TLS13(s)) {
@@ -2107,6 +2114,10 @@ static int tls_early_post_process_client_hello(SSL *s)
s->clienthello = NULL;
return 0;
+retry:
+ sk_SSL_CIPHER_free(ciphers);
+ sk_SSL_CIPHER_free(scsvs);
+ return -1;
}
/*
diff --git a/util/libssl.num b/util/libssl.num
index 297522c363..11fffe8435 100644
--- a/util/libssl.num
+++ b/util/libssl.num
@@ -7,6 +7,7 @@ SSL_copy_session_id 6 1_1_0 EXIST::FUNCTION:
SSL_CTX_set_srp_password 7 1_1_0 EXIST::FUNCTION:SRP
SSL_shutdown 8 1_1_0 EXIST::FUNCTION:
SSL_CTX_set_msg_callback 9 1_1_0 EXIST::FUNCTION:
+SSL_magic_pending_session_ptr 10 1_1_0 EXIST::FUNCTION:
SSL_SESSION_get0_ticket 11 1_1_0 EXIST::FUNCTION:
SSL_get1_supported_ciphers 12 1_1_0 EXIST::FUNCTION:
SSL_state_string_long 13 1_1_0 EXIST::FUNCTION:

BIN
openssl-1.1.1h.tar.gz Normal file
View File

Binary file not shown.