diff --git a/.travis.yml b/.travis.yml
index 35c4c727..61d606f8 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -41,7 +41,7 @@ env:
 - NGX_BUILD_JOBS=$JOBS
 - TEST_NGINX_SLEEP=0.006
 matrix:
- - NGINX_VERSION=1.29.2 OPENSSL_VER=3.5.4
+ - NGINX_VERSION=1.29.2 OPENSSL_VER=3.5.4 OPENSSL_PATCH_VER=3.5.4
 services:
 - memcache
@@ -54,8 +54,8 @@ before_install:
 - sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends openresty-pcre2 openresty-openssl3 openresty-pcre2-dev openresty-openssl3-dev
 install:
- - if [ ! -f download-cache/pcre2-$PCRE2_VER.tar.gz ]; then wget -P download-cache https://downloads.sourceforge.net/project/pcre/pcre2/${PCRE2_VER}/pcre2-${PCRE2_VER}.tar.gz; fi
- - if [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz; fi
+ - if [ -n "$PCRE2_VER" ] && [ ! -f download-cache/pcre2-$PCRE2_VER.tar.gz ]; then wget -P download-cache https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${PCRE2_VER}/pcre2-${PCRE2_VER}.tar.gz; fi
+ - if [ -n "$OPENSSL_VER" ] && [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://github.com/openssl/openssl/releases/download/openssl-$OPENSSL_VER/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/old/${OPENSSL_VER//[a-z]/}/openssl-$OPENSSL_VER.tar.gz; fi
 - git clone https://github.com/openresty/openresty-devel-utils.git
 - git clone https://github.com/openresty/lua-cjson.git
 - git clone https://github.com/openresty/openresty.git ../openresty
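Review bot: The new OpenSSL download line tries three hosts in turn but nothing checks what was fetched, so a tampered or truncated tarball is accepted and, because the guard is only `[ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]`, a partial file left by an interrupted download is cached by name and built on every later run; the PCRE2 line above has the same gap. A pinned digest check after the fallback chain, e.g. `echo "<EXPECTED_SHA256>  download-cache/openssl-$OPENSSL_VER.tar.gz" | sha256sum -c - || (rm -f download-cache/openssl-$OPENSSL_VER.tar.gz && exit 1)`, makes a cache hit trustworthy and turns a mirror mismatch into a visible failure instead of a silently different build input. The `${OPENSSL_VER//[a-z]/}` expansion in the last fallback is a bash-only construct; fine under Travis' bash but worth a comment since the rest of the step is POSIX-shaped.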
@@ -78,14 +78,14 @@ script:
 - sudo ip addr add 10.254.254.1/24 dev lo
 - sudo ip addr add 10.254.254.2/24 dev lo
 - sudo ip route add prohibit 0.0.0.1/32
- - tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..;
+ - if [ -n "$PCRE2_VER" ]; then tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
 - cd luajit2
 - make -j$JOBS CCDEBUG=-g Q= PREFIX=$LUAJIT_PREFIX CC=$CC XCFLAGS='-DLUA_USE_APICHECK -DLUA_USE_ASSERT' > build.log 2>&1 || (cat build.log && exit 1)
 - sudo make install PREFIX=$LUAJIT_PREFIX > build.log 2>&1 || (cat build.log && exit 1)
 - cd ../test-nginx && sudo cpanm . && cd ..
 - cd lua-cjson/ && make -j$JOBS && sudo make install && cd ..
 - cd mockeagain/ && make CC=$CC -j$JOBS && cd ..
- - tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; ./config no-threads shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1) ; cd ..
+ - if [ -n "$OPENSSL_VER" ]; then tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch; ./config shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX --libdir=lib -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi - export PATH=$PWD/work/nginx/sbin:$PWD/openresty-devel-utils:$PATH - export NGX_BUILD_CC=$CC - sh util/build.sh $NGINX_VERSION > build.log 2>&1 || (cat build.log && exit 1) diff --git a/src/ngx_stream_lua_proxy_ssl_verifyby.c b/src/ngx_stream_lua_proxy_ssl_verifyby.c index e43d3abb..91c82551 100644 --- a/src/ngx_stream_lua_proxy_ssl_verifyby.c +++ b/src/ngx_stream_lua_proxy_ssl_verifyby.c @@ -32,13 +32,20 @@ ngx_int_t ngx_stream_lua_proxy_ssl_verify_set_callback(ngx_conf_t *cf) { -#ifdef LIBRESSL_VERSION_NUMBER +#if defined(LIBRESSL_VERSION_NUMBER) ngx_log_error(NGX_LOG_EMERG, cf->log, 0, "LibreSSL does not support by proxy_ssl_verify_by_lua*"); return NGX_ERROR; +#elif defined(OPENSSL_IS_BORINGSSL) + + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "BoringSSL does not support by proxy_ssl_verify_by_lua*"); + + return NGX_ERROR; + #else ngx_flag_t proxy_ssl = 0; @@ -161,6 +168,22 @@ char * ngx_stream_lua_proxy_ssl_verify_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { +#if defined(LIBRESSL_VERSION_NUMBER) + + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "LibreSSL does not support by proxy_ssl_verify_by_lua*"); + + return NGX_CONF_ERROR; + +#elif defined(OPENSSL_IS_BORINGSSL) + + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "BoringSSL does not support by proxy_ssl_verify_by_lua*"); + + return NGX_CONF_ERROR; + +#else + #if (!defined SSL_ERROR_WANT_RETRY_VERIFY \ || OPENSSL_VERSION_NUMBER < 0x30000020L) 
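Review bot: In the new OpenSSL build step the `patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch` command is the only link in the chain whose exit status is not checked, so a missing patch file or a rejected hunk lets the job continue and test an unpatched OpenSSL that still reports success; the preceding `cd openssl-$OPENSSL_VER/` is unchecked too, which would then run `patch` against the wrong tree. Mirroring the existing style, `patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch || (echo "openssl patch failed" && exit 1);` closes the gap. The `[ -n "$OPENSSL_VER" ]` guard also does not cover `OPENSSL_PATCH_VER`, so a matrix entry that sets only `OPENSSL_VER` would look for `openssl--sess_set_get_cb_yield.patch`; extending the guard to `[ -n "$OPENSSL_VER" ] && [ -n "$OPENSSL_PATCH_VER" ]` or defaulting the variable makes that failure explicit.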
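Review bot: The new `#elif defined(OPENSSL_IS_BORINGSSL)` branch in `ngx_stream_lua_proxy_ssl_verify_set_callback` is a copy of the LibreSSL branch that differs only in the library name, and the same pair is repeated in the hunks for `ngx_stream_lua_proxy_ssl_verify_by_lua`, `ngx_stream_lua_proxy_ssl_verify_handler`, `ngx_stream_lua_ffi_proxy_ssl_set_verify_result`, `ngx_stream_lua_ffi_proxy_ssl_get_verify_result` and `ngx_stream_lua_ffi_proxy_ssl_get_verify_cert`. One guard such as `#if defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_BORINGSSL)` with a single message, or a file-level macro for the condition, would keep the six sites from drifting apart the next time a library is added. The copied text `"BoringSSL does not support by proxy_ssl_verify_by_lua*"` also inherits the stray `by` from the original LibreSSL string; `"BoringSSL does not support proxy_ssl_verify_by_lua*"` reads correctly. The function body continues past the end of the hunk.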
@@ -244,12 +267,30 @@ ngx_stream_lua_proxy_ssl_verify_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, return NGX_CONF_OK; #endif /* SSL_ERROR_WANT_RETRY_VERIFY */ + +#endif } int ngx_stream_lua_proxy_ssl_verify_handler(X509_STORE_CTX *x509_store, void *arg) { +#if defined(LIBRESSL_VERSION_NUMBER) + + ngx_log_debug0(NGX_LOG_DEBUG_STREAM, c->log, 0, + "LibreSSL does not support by proxy_ssl_verify_by_lua*"); + + return 1; + +#elif defined(OPENSSL_IS_BORINGSSL) + + ngx_log_debug0(NGX_LOG_DEBUG_STREAM, c->log, 0, + "BoringSSL does not support by proxy_ssl_verify_by_lua*"); + + return 1; + +#else + lua_State *L; ngx_int_t rc; ngx_connection_t *c; @@ -395,6 +436,8 @@ ngx_stream_lua_proxy_ssl_verify_handler(X509_STORE_CTX *x509_store, void *arg) return 0; /* verify failure or error */ #endif + +#endif } @@ -573,6 +616,20 @@ int ngx_stream_lua_ffi_proxy_ssl_set_verify_result(ngx_stream_lua_request_t *r, int verify_result, char **err) { +#if defined(LIBRESSL_VERSION_NUMBER) + + *err = "LibreSSL does not support this function"; + + return NGX_ERROR; + +#elif defined(OPENSSL_IS_BORINGSSL) + + *err = "BoringSSL does not support this function"; + + return NGX_ERROR; + +#else + #ifdef SSL_ERROR_WANT_RETRY_VERIFY ngx_stream_upstream_t *u; ngx_ssl_conn_t *ssl_conn; @@ -618,6 +675,8 @@ ngx_stream_lua_ffi_proxy_ssl_set_verify_result(ngx_stream_lua_request_t *r, return NGX_ERROR; #endif + +#endif } @@ -625,6 +684,20 @@ int ngx_stream_lua_ffi_proxy_ssl_get_verify_result(ngx_stream_lua_request_t *r, char **err) { +#if defined(LIBRESSL_VERSION_NUMBER) + + *err = "LibreSSL does not support this function"; + + return NGX_ERROR; + +#elif defined(OPENSSL_IS_BORINGSSL) + + *err = "BoringSSL does not support this function"; + + return NGX_ERROR; + +#else + #ifdef SSL_ERROR_WANT_RETRY_VERIFY ngx_stream_upstream_t *u; ngx_ssl_conn_t *ssl_conn; @@ -668,6 +741,8 @@ ngx_stream_lua_ffi_proxy_ssl_get_verify_result(ngx_stream_lua_request_t *r, return NGX_ERROR; #endif + +#endif } 
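Review bot: The new LibreSSL and BoringSSL branches at the top of `ngx_stream_lua_proxy_ssl_verify_handler` log through `c->log`, but `c` is declared only inside the `#else` branch (`ngx_connection_t *c;` further down the hunk), so the file does not compile for either library. Both branches also `return 1`, which for this cert-verify callback is the success value (the hunk at -395 shows `return 0; /* verify failure or error */` for the failing path), so a stub for an unsupported library would accept the upstream certificate without any verification; `ngx_stream_lua_proxy_ssl_verify_set_callback` refuses to install the handler on those libraries so the path should be unreachable, but a stub that must exist should fail closed. Dropping the two `ngx_log_debug0` calls and returning `0; /* unsupported SSL library, fail closed */` in both branches fixes the build and the default. The handler's body continues outside the hunk.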
@@ -684,6 +759,20 @@ void * ngx_stream_lua_ffi_proxy_ssl_get_verify_cert(ngx_stream_lua_request_t *r, char **err) { +#if defined(LIBRESSL_VERSION_NUMBER) + + *err = "LibreSSL does not support this function"; + + return NGX_ERROR; + +#elif defined(OPENSSL_IS_BORINGSSL) + + *err = "BoringSSL does not support this function"; + + return NGX_ERROR; + +#else + #ifdef SSL_ERROR_WANT_RETRY_VERIFY ngx_stream_upstream_t *u; ngx_ssl_conn_t *ssl_conn; @@ -735,6 +824,8 @@ ngx_stream_lua_ffi_proxy_ssl_get_verify_cert(ngx_stream_lua_request_t *r, return NULL; #endif + +#endif } diff --git a/src/ngx_stream_lua_ssl_client_helloby.c b/src/ngx_stream_lua_ssl_client_helloby.c index cd2d8adc..b6a6229c 100644 --- a/src/ngx_stream_lua_ssl_client_helloby.c +++ b/src/ngx_stream_lua_ssl_client_helloby.c @@ -218,7 +218,7 @@ ngx_stream_lua_ssl_client_hello_handler(ngx_ssl_conn_t *ssl_conn, return -1; } -#if (nginx_version > 1029000) +#if (nginx_version > 1029001) /* see commit 0373fe5d98c1515640 for more details */ rc = ngx_ssl_client_hello_callback(ssl_conn, al, arg); diff --git a/t/138-balancer.t b/t/138-balancer.t index 8991239a..c863c219 100644 --- a/t/138-balancer.t +++ b/t/138-balancer.t @@ -237,7 +237,6 @@ retry counter: 5 --- error_log set more tries: reduced tries due to limit ---- ONLY diff --git a/t/164-proxy-ssl-verify-by.t b/t/164-proxy-ssl-verify-by.t index de58d36a..8436b6bd 100644 --- a/t/164-proxy-ssl-verify-by.t +++ b/t/164-proxy-ssl-verify-by.t 
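Review bot: `ngx_stream_lua_ffi_proxy_ssl_get_verify_cert` returns `void *`, yet both new branches `return NGX_ERROR;`, an integer status, so a caller receives a non-NULL pointer-sized value instead of the `return NULL;` the same function already uses when `SSL_ERROR_WANT_RETRY_VERIFY` is unavailable (hunk at -735). A Lua FFI caller that tests `cert == nil` would treat that value as a valid certificate pointer and pass it on to OpenSSL. Change both branches to `*err = "..."; return NULL;` so the error path matches the function's existing contract. The function body continues past the end of the hunk.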
@@ -7,10 +7,19 @@ repeat_each(3); my $NginxBinary = $ENV{'TEST_NGINX_BINARY'} || 'nginx'; my $openssl_version = eval { `$NginxBinary -V 2>&1` }; -if ($openssl_version =~ m/built with OpenSSL (0\S*|1\.0\S*|1\.1\.0\S*)/) { - plan(skip_all => "too old OpenSSL, need 1.1.1, was $1"); +if ($openssl_version =~ m/built with OpenSSL (\d+)\.(\d+)\.(\d+)/) { + my ($major, $minor, $patch) = ($1, $2, $3); + + if ($major < 3 || ($major == 3 && $minor == 0 && $patch < 2)) { + plan(skip_all => "too old OpenSSL, need >= 3.0.2, was " . + "$major.$minor.$patch"); + } else { + plan tests => repeat_each() * (blocks() * 6 + 3); + } +} elsif ($openssl_version =~ m/running with BoringSSL/) { + plan(skip_all => "does not support BoringSSL"); } else { - plan tests => repeat_each() * (blocks() * 6 + 5); + die "unknown SSL"; } $ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); @@ -908,7 +917,7 @@ proxy_ssl_verify_by_lua: cert verify callback aborted === TEST 23: cosocket --- stream_config server { - listen *:80; + listen 127.0.0.1:$TEST_NGINX_RAND_PORT_1; return "it works!\n"; } @@ -936,7 +945,7 @@ proxy_ssl_verify_by_lua: cert verify callback aborted local sock = ngx.socket.tcp() sock:settimeout(2000) - local ok, err = sock:connect("127.0.0.1", "80") + local ok, err = sock:connect("127.0.0.1", $TEST_NGINX_RAND_PORT_1) if not ok then ngx.log(ngx.ERR, "failed to connect: ", err) return
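Review bot: The `elsif ($openssl_version =~ m/running with BoringSSL/)` test runs after the `built with OpenSSL (\d+)\.(\d+)\.(\d+)` match, and as far as I can tell a BoringSSL build's `nginx -V` banner also carries an OpenSSL-compatible version string, in which case the first branch wins and the suite is skipped with a misleading "too old OpenSSL" reason while the BoringSSL branch is never reached; checking the BoringSSL pattern first avoids that. The fallback `die "unknown SSL";` throws away the evidence; `die "unknown SSL library in '$NginxBinary -V' output: $openssl_version";` shows the reader what was actually seen, which also surfaces the case where `eval` returned nothing because the binary could not be run. The hunk is self-contained.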