diff --git a/0099-copy-dir.sh.patch b/0099-copy-dir.sh.patch new file mode 100644 index 0000000000000000000000000000000000000000..56d4ed0787bb28c18c581d3159d5a458d9540f9c --- /dev/null +++ b/0099-copy-dir.sh.patch @@ -0,0 +1,38 @@ +From 8d777d20ac3d82434c3f1cbd9cdee94c4de8f966 Mon Sep 17 00:00:00 2001 +From: fu_changjie +Date: Fri, 11 Dec 2020 10:28:08 +0800 +Subject: [PATCH] copy-dir.sh + +--- + copy-dir.sh | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + create mode 100755 copy-dir.sh + +diff --git a/copy-dir.sh b/copy-dir.sh +new file mode 100755 +index 0000000..b5520d5 +--- /dev/null ++++ b/copy-dir.sh +@@ -0,0 +1,19 @@ ++dirname=$(basename `pwd`) ++time=$(date +%s) ++ ++cd .. ++ ++if [[ -f 'asan' || -d 'asan' ]]; then ++ mv asan asan-${time} ++fi ++ ++if [[ -f 'debug' || -d 'debug' ]]; then ++ mv debug debug-${time} ++fi ++ ++cp -a ${dirname} asan ++cp -a ${dirname} debug ++ ++mv asan debug ${dirname} ++ ++cd - +-- +2.27.0 + diff --git a/openresty-openssl.spec b/openresty-openssl.spec new file mode 100644 index 0000000000000000000000000000000000000000..1831f67ae20ba1212984a0d141b887e562af176b --- /dev/null +++ b/openresty-openssl.spec @@ -0,0 +1,256 @@ +Name: openresty-openssl +Version: 1.1.0l +Release: 2%{?dist} +Summary: OpenSSL library for OpenResty + +Group: Development/Libraries + +# https://www.openssl.org/source/license.html +License: OpenSSL +URL: https://www.openssl.org/ +Source0: https://www.openssl.org/source/old/1.1.0/openssl-%{version}.tar.gz + +Patch0: openssl-1.1.0d-sess_set_get_cb_yield.patch +Patch1: openssl-1.1.0j-parallel_build_fix.patch +Patch99: 0099-copy-dir.sh.patch + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: gcc, make, perl +BuildRequires: openresty-zlib-devel >= 1.2.11 +Requires: openresty-zlib >= 1.2.11 + +AutoReqProv: no + +%define openssl_prefix /usr/local/openresty/openssl +%define zlib_prefix /usr/local/openresty/zlib +%define openssl_prefix_asan /usr/local/openresty-asan/openssl +%define zlib_prefix_asan /usr/local/openresty-asan/zlib +%define openssl_prefix_debug /usr/local/openresty-debug/openssl +%define zlib_prefix_debug /usr/local/openresty/zlib +%global _default_patch_fuzz 1 + +# Remove source code from debuginfo package. +%define __debug_install_post \ + %{_rpmconfigdir}/find-debuginfo.sh %{?_missing_build_ids_terminate_build:--strict-build-id} %{?_find_debuginfo_opts} "%{_builddir}/%{?buildsubdir}"; \ + rm -rf "${RPM_BUILD_ROOT}/usr/src/debug"; \ + mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug/openssl-%{version}"; \ + mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug/tmp"; \ + mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug/builddir"; \ +%{nil} + +%if 0%{?fedora} >= 27 +%undefine _debugsource_packages +%undefine _debuginfo_subpackages +%endif + +%if 0%{?rhel} >= 8 +%undefine _debugsource_packages +%undefine _debuginfo_subpackages +%endif + +%if 0%{?openEuler} >= 2 +%undefine _debugsource_packages +%undefine _debuginfo_subpackages +%endif + +%description +This OpenSSL library build is specifically for OpenResty uses. It may contain +custom patches from OpenResty. + + +%package devel + +Summary: Development files for OpenResty's OpenSSL library +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} + +%description devel +Provides C header and static library for OpenResty's OpenSSL library. + +%package asan +Summary: Clang AddressSanitizer Debug version of the OpenSSL library for OpenResty +Group: Development/Libraries + +BuildRequires: ccache, gcc, make, perl, clang, compiler-rt, libasan +BuildRequires: openresty-zlib-asan-devel >= 1.2.11-6 +Requires: openresty-zlib-asan >= 1.2.11-6 + +AutoReqProv: no + +%description asan +This is the clang AddressSanitizer version of the OpenSSL library build for OpenResty uses. + +%package asan-devel + +Summary: Clang AddressSanitizer version of development files for OpenResty's OpenSSL library +Group: Development/Libraries +Requires: openresty-openssl-asan = %{version}-%{release} + +%description asan-devel +Provides C header and static library for the clang AddressSanitizer version of OpenResty's OpenSSL library. This is the clang AddressSanitizer version. + + +%package debug +Summary: Debug version of the OpenSSL library for OpenResty +Group: Development/Libraries + +AutoReqProv: no + +%description debug +This is the debug version of the OpenSSL library build for OpenResty uses. + +%package debug-devel + +Summary: Debug version of development files for OpenResty's OpenSSL library +Group: Development/Libraries +Requires: openresty-openssl-debug = %{version}-%{release} + +%description debug-devel +Provides C header and static library for the debug version of OpenResty's OpenSSL library. This is the debug version. + +%prep +echo %openEuler + +%setup -q -n openssl-%{version} + +%patch0 -p1 +%patch1 -p1 +%patch99 -p1 + +%build +bash ./copy-dir.sh + +./config \ + shared zlib -g3 \ + enable-ssl3 enable-ssl3-method \ + --prefix=%{openssl_prefix} \ + --libdir=lib \ + -I%{zlib_prefix}/include \ + -L%{zlib_prefix}/lib \ + -Wl,-rpath,%{zlib_prefix}/lib:%{openssl_prefix}/lib + +make CC='ccache gcc -fdiagnostics-color=always' %{?_smp_mflags} + +cd asan +export ASAN_OPTIONS=detect_leaks=0 + +./config \ + no-asm \ + enable-ssl3 enable-ssl3-method \ + shared zlib -g3 -O1 -DPURIFY \ + --prefix=%{openssl_prefix_asan} \ + --libdir=lib \ + -I%{zlib_prefix_asan}/include \ + -L%{zlib_prefix_asan}/lib \ + -Wl,-rpath,%{zlib_prefix_asan}/lib:%{openssl_prefix_asan}/lib + +sed -i 's/ -O3 / -O1 -fno-omit-frame-pointer /g' Makefile +sed -r -i 's/^([ \t]*)LD_LIBRARY_PATH=[^\\ \t]*/\1LD_LIBRARY_PATH=/g' Makefile.shared + +make %{?_smp_mflags} \ + LD_LIBRARY_PATH= \ + CC="ccache clang -fsanitize=address -fcolor-diagnostics -Qunused-arguments" + +cd - + +cd debug +./config \ + no-asm \ + enable-ssl3 enable-ssl3-method \ + shared zlib -g3 -O0 -DPURIFY \ + --prefix=%{openssl_prefix_debug} \ + --libdir=lib \ + -I%{zlib_prefix_debug}/include \ + -L%{zlib_prefix_debug}/lib \ + -Wl,-rpath,%{zlib_prefix_debug}/lib:%{openssl_prefix_debug}/lib + +sed -i 's/ -O3 / -O0 /g' Makefile + +make CC='ccache gcc -fdiagnostics-color=always' %{?_smp_mflags} +cd - + +%install +make install_sw DESTDIR=%{buildroot} + +chmod 0755 %{buildroot}%{openssl_prefix}/lib/*.so* +chmod 0755 %{buildroot}%{openssl_prefix}/lib/*/*.so* + +rm -rf %{buildroot}%{openssl_prefix}/bin/c_rehash +rm -rf %{buildroot}%{openssl_prefix}/lib/pkgconfig +rm -rf %{buildroot}%{openssl_prefix}/misc + +# to silence the check-rpath error +export QA_RPATHS=$[ 0x0002 ] + +cd asan +make install_sw DESTDIR=%{buildroot} + +chmod +w %{buildroot}%{openssl_prefix_asan}/lib/*.so +chmod +w %{buildroot}%{openssl_prefix_asan}/lib/*/*.so + +rm -rf %{buildroot}%{openssl_prefix_asan}/bin/c_rehash +rm -rf %{buildroot}%{openssl_prefix_asan}/lib/pkgconfig +rm -rf %{buildroot}%{openssl_prefix_asan}/misc +cd - + +cd debug +make install_sw DESTDIR=%{buildroot} + +chmod +w %{buildroot}%{openssl_prefix_debug}/lib/*.so +chmod +w %{buildroot}%{openssl_prefix_debug}/lib/*/*.so + +rm -rf %{buildroot}%{openssl_prefix_debug}/bin/c_rehash +rm -rf %{buildroot}%{openssl_prefix_debug}/lib/pkgconfig +rm -rf %{buildroot}%{openssl_prefix_debug}/misc +cd - + +%clean +rm -rf %{buildroot} + + +%files +%defattr(-,root,root,-) + +%attr(0755,root,root) %{openssl_prefix}/bin/openssl +%attr(0755,root,root) %{openssl_prefix}/lib/*.so* +%attr(0755,root,root) %{openssl_prefix}/lib/*/*.so* + + +%files devel +%defattr(-,root,root,-) + +%{openssl_prefix}/include/* +%{openssl_prefix}/lib/*.a + +%files asan +%defattr(-,root,root,-) + +%attr(0755,root,root) %{openssl_prefix_asan}/bin/openssl +%attr(0755,root,root) %{openssl_prefix_asan}/lib/*.so* +%attr(0755,root,root) %{openssl_prefix_asan}/lib/*/*.so* + + +%files asan-devel +%defattr(-,root,root,-) + +%{openssl_prefix_asan}/include/* +%attr(0755,root,root) %{openssl_prefix_asan}/lib/*.a + +%files debug +%defattr(-,root,root,-) + +%attr(0755,root,root) %{openssl_prefix_debug}/bin/openssl +%attr(0755,root,root) %{openssl_prefix_debug}/lib/*.so* +%attr(0755,root,root) %{openssl_prefix_debug}/lib/*/*.so* + + +%files debug-devel +%defattr(-,root,root,-) + +%{openssl_prefix_debug}/include/* +%attr(0755,root,root) %{openssl_prefix_debug}/lib/*.a + +%changelog +* Thu Jul 22 2021 Fu Changjie 1.1.0l-2 +- Package init with openresty-openssl 1.1.0l diff --git a/openresty-openssl.yaml b/openresty-openssl.yaml new file mode 100644 index 0000000000000000000000000000000000000000..00bbaf050db91e87f0ad529e5c29027a1bf150ae --- /dev/null +++ b/openresty-openssl.yaml @@ -0,0 +1,4 @@ +version_control: NA +src_repo: NA +tag_prefix: NA +seperator: NA diff --git a/openssl-1.1.0d-sess_set_get_cb_yield.patch b/openssl-1.1.0d-sess_set_get_cb_yield.patch new file mode 100644 index 0000000000000000000000000000000000000000..88f5f457f33a7b9eb3cdac66cad36ea56646fa29 --- /dev/null +++ b/openssl-1.1.0d-sess_set_get_cb_yield.patch @@ -0,0 +1,218 @@ +diff --git a/include/openssl/bio.h b/include/openssl/bio.h +index 9bc941b25f..4f55f1f825 100644 +--- a/include/openssl/bio.h ++++ b/include/openssl/bio.h +@@ -220,6 +220,8 @@ void BIO_clear_flags(BIO *b, int flags); + /* Returned from the accept BIO when an accept would have blocked */ + # define BIO_RR_ACCEPT 0x03 + ++# define BIO_RR_SSL_SESSION_LOOKUP 0x04 ++ + /* These are passed by the BIO callback */ + # define BIO_CB_FREE 0x01 + # define BIO_CB_READ 0x02 +diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h +index 8d75d53eca..55b896bf79 100644 +--- a/include/openssl/ssl.h ++++ b/include/openssl/ssl.h +@@ -791,6 +791,7 @@ __owur int SSL_extension_supported(unsigned int ext_type); + # define SSL_X509_LOOKUP 4 + # define SSL_ASYNC_PAUSED 5 + # define SSL_ASYNC_NO_JOBS 6 ++# define SSL_SESS_LOOKUP 7 + + /* These will only be used when doing non-blocking IO */ + # define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING) +@@ -799,6 +800,7 @@ __owur int SSL_extension_supported(unsigned int ext_type); + # define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP) + # define SSL_want_async(s) (SSL_want(s) == SSL_ASYNC_PAUSED) + # define SSL_want_async_job(s) (SSL_want(s) == SSL_ASYNC_NO_JOBS) ++# define SSL_want_sess_lookup(s) (SSL_want(s) == SSL_SESS_LOOKUP) + + # define SSL_MAC_FLAG_READ_MAC_STREAM 1 + # define SSL_MAC_FLAG_WRITE_MAC_STREAM 2 +@@ -1031,6 +1033,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) + # define SSL_ERROR_WANT_ACCEPT 8 + # define SSL_ERROR_WANT_ASYNC 9 + # define SSL_ERROR_WANT_ASYNC_JOB 10 ++# define SSL_ERROR_WANT_SESSION_LOOKUP 11 ++# define SSL_ERROR_PENDING_SESSION 11 /* BoringSSL compatibility */ + # define SSL_CTRL_SET_TMP_DH 3 + # define SSL_CTRL_SET_TMP_ECDH 4 + # define SSL_CTRL_SET_TMP_DH_CB 6 +@@ -1426,6 +1430,7 @@ int SSL_SESSION_print(BIO *fp, const SSL_SESSION *ses); + int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x); + int SSL_SESSION_up_ref(SSL_SESSION *ses); + void SSL_SESSION_free(SSL_SESSION *ses); ++SSL_SESSION *SSL_magic_pending_session_ptr(void); + __owur int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp); + __owur int SSL_set_session(SSL *to, SSL_SESSION *session); + __owur int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c); +diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c +index 3dd09cf52d..7ac370fefc 100644 +--- a/ssl/bio_ssl.c ++++ b/ssl/bio_ssl.c +@@ -138,6 +138,10 @@ static int ssl_read(BIO *b, char *out, int outl) + BIO_set_retry_special(b); + retry_reason = BIO_RR_SSL_X509_LOOKUP; + break; ++ case SSL_ERROR_WANT_SESSION_LOOKUP: ++ BIO_set_retry_special(b); ++ retry_reason = BIO_RR_SSL_SESSION_LOOKUP; ++ break; + case SSL_ERROR_WANT_ACCEPT: + BIO_set_retry_special(b); + retry_reason = BIO_RR_ACCEPT; +@@ -210,6 +214,10 @@ static int ssl_write(BIO *b, const char *out, int outl) + BIO_set_retry_special(b); + retry_reason = BIO_RR_SSL_X509_LOOKUP; + break; ++ case SSL_ERROR_WANT_SESSION_LOOKUP: ++ BIO_set_retry_special(b); ++ retry_reason = BIO_RR_SSL_SESSION_LOOKUP; ++ break; + case SSL_ERROR_WANT_CONNECT: + BIO_set_retry_special(b); + retry_reason = BIO_RR_CONNECT; +@@ -363,6 +371,10 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr) + BIO_set_retry_special(b); + BIO_set_retry_reason(b, BIO_RR_SSL_X509_LOOKUP); + break; ++ case SSL_ERROR_WANT_SESSION_LOOKUP: ++ BIO_set_retry_special(b); ++ BIO_set_retry_reason(b, BIO_RR_SSL_SESSION_LOOKUP); ++ break; + default: + break; + } +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 002b2e5847..373484e16b 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -2982,6 +2982,9 @@ int SSL_get_error(const SSL *s, int i) + if (SSL_want_async_job(s)) { + return SSL_ERROR_WANT_ASYNC_JOB; + } ++ if (SSL_want_sess_lookup(s)) { ++ return SSL_ERROR_WANT_SESSION_LOOKUP; ++ } + } + + if (i == 0) { +diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c +index 43cb1d371b..99c5e4990f 100644 +--- a/ssl/ssl_sess.c ++++ b/ssl/ssl_sess.c +@@ -40,6 +40,8 @@ + #include + #include "ssl_locl.h" + ++static const char g_pending_session_magic = 0; ++ + static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s); + static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s); + static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck); +@@ -502,6 +504,10 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id) + PACKET_remaining(session_id), + ©); + ++ if (ret == SSL_magic_pending_session_ptr()) { ++ return -2; /* Retry later */ ++ } ++ + if (ret != NULL) { + s->session_ctx->stats.sess_cb_hit++; + +@@ -886,6 +892,11 @@ X509 *SSL_SESSION_get0_peer(SSL_SESSION *s) + return s->peer; + } + ++SSL_SESSION *SSL_magic_pending_session_ptr(void) ++{ ++ return (SSL_SESSION *) &g_pending_session_magic; ++} ++ + int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx, + unsigned int sid_ctx_len) + { +diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c +index 512f1e0941..52a335bee9 100644 +--- a/ssl/statem/statem.c ++++ b/ssl/statem/statem.c +@@ -583,16 +583,18 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) + } + + s->first_packet = 0; +- if (!PACKET_buf_init(&pkt, s->init_msg, len)) { ++ ++ st->read_state = READ_STATE_PROCESS; ++ /* Fall through */ ++ ++ case READ_STATE_PROCESS: ++ if (!PACKET_buf_init(&pkt, s->init_msg, s->init_num)) { + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_INTERNAL_ERROR); + return SUB_STATE_ERROR; + } + ret = process_message(s, &pkt); + +- /* Discard the packet data */ +- s->init_num = 0; +- + switch (ret) { + case MSG_PROCESS_ERROR: + return SUB_STATE_ERROR; +@@ -612,6 +614,9 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) + st->read_state = READ_STATE_HEADER; + break; + } ++ ++ /* Discard the packet data */ ++ s->init_num = 0; + break; + + case READ_STATE_POST_PROCESS: +diff --git a/ssl/statem/statem.h b/ssl/statem/statem.h +index 2fca39b0db..b106f4d069 100644 +--- a/ssl/statem/statem.h ++++ b/ssl/statem/statem.h +@@ -60,6 +60,7 @@ typedef enum { + typedef enum { + READ_STATE_HEADER, + READ_STATE_BODY, ++ READ_STATE_PROCESS, + READ_STATE_POST_PROCESS + } READ_STATE; + +diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c +index d36d194b0a..bcf0635172 100644 +--- a/ssl/statem/statem_srvr.c ++++ b/ssl/statem/statem_srvr.c +@@ -1165,11 +1165,16 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) + s->hit = 1; + } else if (i == -1) { + goto err; ++ } else if (i == -2) { ++ s->rwstate = SSL_SESS_LOOKUP; ++ s->statem.read_state_work = WORK_MORE_A; ++ return MSG_PROCESS_ERROR; + } else { + /* i == 0 */ + if (!ssl_get_new_session(s, 1)) + goto err; + } ++ s->rwstate = SSL_NOTHING; + } + + if (ssl_bytes_to_cipher_list(s, &cipher_suites, &(ciphers), +diff --git a/util/libssl.num b/util/libssl.num +index 7b9b3c251c..6e9a26133f 100644 +--- a/util/libssl.num ++++ b/util/libssl.num +@@ -403,5 +403,6 @@ SSL_dane_clear_flags 403 1_1_0 EXIST::FUNCTION: + SSL_SESSION_get0_cipher 404 1_1_0 EXIST::FUNCTION: + SSL_SESSION_get0_id_context 405 1_1_0 EXIST::FUNCTION: + SSL_SESSION_set1_id 406 1_1_0 EXIST::FUNCTION: ++SSL_magic_pending_session_ptr 407 1_1_0 EXIST::FUNCTION: + SSL_COMP_get_id 412 1_1_0d EXIST::FUNCTION: + SSL_COMP_get0_name 413 1_1_0d EXIST::FUNCTION: diff --git a/openssl-1.1.0j-parallel_build_fix.patch b/openssl-1.1.0j-parallel_build_fix.patch new file mode 100644 index 0000000000000000000000000000000000000000..995bc05f21e2bc5942c3a09975f0cecab8c0dfcb --- /dev/null +++ b/openssl-1.1.0j-parallel_build_fix.patch @@ -0,0 +1,21 @@ +diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl +index 11fecc259b..50362d3812 100644 +--- a/Configurations/unix-Makefile.tmpl ++++ b/Configurations/unix-Makefile.tmpl +@@ -77,8 +77,14 @@ + # to. You're welcome. + sub dependmagic { + my $target = shift; +- +- return "$target: build_generated\n\t\$(MAKE) depend && \$(MAKE) _$target\n_$target"; ++ my $magic = <<"_____"; ++$target: build_generated depend ++\t\$(MAKE) _$target ++_$target ++_____ ++ # Remove line ending ++ $magic =~ s|\R$||; ++ return $magic; + } + ''; + -} diff --git a/openssl-1.1.0l.tar.gz b/openssl-1.1.0l.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..22b52ad717b68b230509c3ab0461e353efd5adc0 Binary files /dev/null and b/openssl-1.1.0l.tar.gz differ