bugfix: nginx_version value correction

.travis.yml

@@ -41,7 +41,7 @@ env:
     - NGX_BUILD_JOBS=$JOBS
     - TEST_NGINX_SLEEP=0.006
   matrix:
-    - NGINX_VERSION=1.29.2 OPENSSL_VER=3.5.4
+    - NGINX_VERSION=1.29.2 OPENSSL_VER=3.5.4 OPENSSL_PATCH_VER=3.5.4
 
 services:
  - memcache
@@ -54,8 +54,8 @@ before_install:
   - sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends openresty-pcre2 openresty-openssl3 openresty-pcre2-dev openresty-openssl3-dev
 
 install:
-  - if [ ! -f download-cache/pcre2-$PCRE2_VER.tar.gz ]; then wget -P download-cache https://downloads.sourceforge.net/project/pcre/pcre2/${PCRE2_VER}/pcre2-${PCRE2_VER}.tar.gz; fi
-  - if [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz; fi
+  - if [ -n "$PCRE2_VER" ] && [ ! -f download-cache/pcre2-$PCRE2_VER.tar.gz ]; then wget -P download-cache https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${PCRE2_VER}/pcre2-${PCRE2_VER}.tar.gz; fi
+  - if [ -n "$OPENSSL_VER" ] && [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://github.com/openssl/openssl/releases/download/openssl-$OPENSSL_VER/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/old/${OPENSSL_VER//[a-z]/}/openssl-$OPENSSL_VER.tar.gz; fi
   - git clone https://github.com/openresty/openresty-devel-utils.git
   - git clone https://github.com/openresty/lua-cjson.git
   - git clone https://github.com/openresty/openresty.git ../openresty
@@ -78,14 +78,14 @@ script:
   - sudo ip addr add 10.254.254.1/24 dev lo
   - sudo ip addr add 10.254.254.2/24 dev lo
   - sudo ip route add prohibit 0.0.0.1/32
-  - tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..;
+  - if [ -n "$PCRE2_VER" ]; then tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
   - cd luajit2
   - make -j$JOBS CCDEBUG=-g Q= PREFIX=$LUAJIT_PREFIX CC=$CC XCFLAGS='-DLUA_USE_APICHECK -DLUA_USE_ASSERT' > build.log 2>&1 || (cat build.log && exit 1)
   - sudo make install PREFIX=$LUAJIT_PREFIX > build.log 2>&1 || (cat build.log && exit 1)
   - cd ../test-nginx && sudo cpanm . && cd ..
   - cd lua-cjson/ && make -j$JOBS && sudo make install && cd ..
   - cd mockeagain/ && make CC=$CC -j$JOBS && cd ..
-  - tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; ./config no-threads shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1) ; cd ..
+  - if [ -n "$OPENSSL_VER" ]; then tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch; ./config shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX --libdir=lib -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi
   - export PATH=$PWD/work/nginx/sbin:$PWD/openresty-devel-utils:$PATH
   - export NGX_BUILD_CC=$CC
   - sh util/build.sh $NGINX_VERSION > build.log 2>&1 || (cat build.log && exit 1)

src/ngx_stream_lua_proxy_ssl_verifyby.c

@@ -32,13 +32,20 @@ ngx_int_t
 ngx_stream_lua_proxy_ssl_verify_set_callback(ngx_conf_t *cf)
 {
 
-#ifdef LIBRESSL_VERSION_NUMBER
+#if defined(LIBRESSL_VERSION_NUMBER)
 
     ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                   "LibreSSL does not support by proxy_ssl_verify_by_lua*");
 
     return NGX_ERROR;
 
+#elif defined(OPENSSL_IS_BORINGSSL)
+
+    ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                  "BoringSSL does not support by proxy_ssl_verify_by_lua*");
+
+    return NGX_ERROR;
+
 #else
 
     ngx_flag_t           proxy_ssl = 0;
@@ -161,6 +168,22 @@ char *
 ngx_stream_lua_proxy_ssl_verify_by_lua(ngx_conf_t *cf, ngx_command_t *cmd,
     void *conf)
 {
+#if defined(LIBRESSL_VERSION_NUMBER)
+
+    ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                  "LibreSSL does not support by proxy_ssl_verify_by_lua*");
+
+    return NGX_CONF_ERROR;
+
+#elif defined(OPENSSL_IS_BORINGSSL)
+
+    ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                  "BoringSSL does not support by proxy_ssl_verify_by_lua*");
+
+    return NGX_CONF_ERROR;
+
+#else
+
 #if (!defined SSL_ERROR_WANT_RETRY_VERIFY \
      || OPENSSL_VERSION_NUMBER < 0x30000020L)
 
@@ -244,12 +267,30 @@ ngx_stream_lua_proxy_ssl_verify_by_lua(ngx_conf_t *cf, ngx_command_t *cmd,
     return NGX_CONF_OK;
 
 #endif  /* SSL_ERROR_WANT_RETRY_VERIFY */
+
+#endif
 }
 
 
 int
 ngx_stream_lua_proxy_ssl_verify_handler(X509_STORE_CTX *x509_store, void *arg)
 {
+#if defined(LIBRESSL_VERSION_NUMBER)
+
+    ngx_log_debug0(NGX_LOG_DEBUG_STREAM, c->log, 0,
+        "LibreSSL does not support by proxy_ssl_verify_by_lua*");
+
+    return 1;
+
+#elif defined(OPENSSL_IS_BORINGSSL)
+
+    ngx_log_debug0(NGX_LOG_DEBUG_STREAM, c->log, 0,
+        "BoringSSL does not support by proxy_ssl_verify_by_lua*");
+
+    return 1;
+
+#else
+
     lua_State                          *L;
     ngx_int_t                           rc;
     ngx_connection_t                   *c;
@@ -395,6 +436,8 @@ ngx_stream_lua_proxy_ssl_verify_handler(X509_STORE_CTX *x509_store, void *arg)
 
     return 0;  /* verify failure or error */
 #endif
+
+#endif
 }
 
 
@@ -573,6 +616,20 @@ int
 ngx_stream_lua_ffi_proxy_ssl_set_verify_result(ngx_stream_lua_request_t *r,
     int verify_result, char **err)
 {
+#if defined(LIBRESSL_VERSION_NUMBER)
+
+    *err = "LibreSSL does not support this function";
+
+    return NGX_ERROR;
+
+#elif defined(OPENSSL_IS_BORINGSSL)
+
+    *err = "BoringSSL does not support this function";
+
+    return NGX_ERROR;
+
+#else
+
 #ifdef SSL_ERROR_WANT_RETRY_VERIFY
     ngx_stream_upstream_t           *u;
     ngx_ssl_conn_t                  *ssl_conn;
@@ -618,13 +675,29 @@ ngx_stream_lua_ffi_proxy_ssl_set_verify_result(ngx_stream_lua_request_t *r,
 
     return NGX_ERROR;
 #endif
+
+#endif
 }
 
 
 int
 ngx_stream_lua_ffi_proxy_ssl_get_verify_result(ngx_stream_lua_request_t *r,
     char **err)
 {
+#if defined(LIBRESSL_VERSION_NUMBER)
+
+    *err = "LibreSSL does not support this function";
+
+    return NGX_ERROR;
+
+#elif defined(OPENSSL_IS_BORINGSSL)
+
+    *err = "BoringSSL does not support this function";
+
+    return NGX_ERROR;
+
+#else
+
 #ifdef SSL_ERROR_WANT_RETRY_VERIFY
     ngx_stream_upstream_t           *u;
     ngx_ssl_conn_t                  *ssl_conn;
@@ -668,6 +741,8 @@ ngx_stream_lua_ffi_proxy_ssl_get_verify_result(ngx_stream_lua_request_t *r,
 
     return NGX_ERROR;
 #endif
+
+#endif
 }
 
 
@@ -684,6 +759,20 @@ void *
 ngx_stream_lua_ffi_proxy_ssl_get_verify_cert(ngx_stream_lua_request_t *r,
     char **err)
 {
+#if defined(LIBRESSL_VERSION_NUMBER)
+
+    *err = "LibreSSL does not support this function";
+
+    return NGX_ERROR;
+
+#elif defined(OPENSSL_IS_BORINGSSL)
+
+    *err = "BoringSSL does not support this function";
+
+    return NGX_ERROR;
+
+#else
+
 #ifdef SSL_ERROR_WANT_RETRY_VERIFY
     ngx_stream_upstream_t           *u;
     ngx_ssl_conn_t                  *ssl_conn;
@@ -735,6 +824,8 @@ ngx_stream_lua_ffi_proxy_ssl_get_verify_cert(ngx_stream_lua_request_t *r,
 
     return NULL;
 #endif
+
+#endif
 }
 
 

src/ngx_stream_lua_ssl_client_helloby.c

@@ -218,7 +218,7 @@ ngx_stream_lua_ssl_client_hello_handler(ngx_ssl_conn_t *ssl_conn,
         return -1;
     }
 
-#if (nginx_version > 1029000)
+#if (nginx_version > 1029001)
     /* see commit 0373fe5d98c1515640 for more details */
     rc = ngx_ssl_client_hello_callback(ssl_conn, al, arg);
 

t/138-balancer.t

@@ -237,7 +237,6 @@ retry counter: 5
 
 --- error_log
 set more tries: reduced tries due to limit
---- ONLY
 
 
 

t/164-proxy-ssl-verify-by.t

@@ -7,10 +7,19 @@ repeat_each(3);
 my $NginxBinary = $ENV{'TEST_NGINX_BINARY'} || 'nginx';
 my $openssl_version = eval { `$NginxBinary -V 2>&1` };
 
-if ($openssl_version =~ m/built with OpenSSL (0\S*|1\.0\S*|1\.1\.0\S*)/) {
-    plan(skip_all => "too old OpenSSL, need 1.1.1, was $1");
+if ($openssl_version =~ m/built with OpenSSL (\d+)\.(\d+)\.(\d+)/) {
+    my ($major, $minor, $patch) = ($1, $2, $3);
+
+    if ($major < 3 || ($major == 3 && $minor == 0 && $patch < 2)) {
+        plan(skip_all => "too old OpenSSL, need >= 3.0.2, was " .
+            "$major.$minor.$patch");
+    } else {
+        plan tests => repeat_each() * (blocks() * 6 + 3);
+    }
+} elsif ($openssl_version =~ m/running with BoringSSL/) {
+    plan(skip_all => "does not support BoringSSL");
 } else {
-    plan tests => repeat_each() * (blocks() * 6 + 5);
+    die "unknown SSL";
 }
 
 $ENV{TEST_NGINX_HTML_DIR} ||= html_dir();
@@ -908,7 +917,7 @@ proxy_ssl_verify_by_lua: cert verify callback aborted
 === TEST 23: cosocket
 --- stream_config
     server {
-        listen *:80;
+        listen 127.0.0.1:$TEST_NGINX_RAND_PORT_1;
 
         return "it works!\n";
     }
@@ -936,7 +945,7 @@ proxy_ssl_verify_by_lua: cert verify callback aborted
             local sock = ngx.socket.tcp()
             sock:settimeout(2000)
 
-            local ok, err = sock:connect("127.0.0.1", "80")
+            local ok, err = sock:connect("127.0.0.1", $TEST_NGINX_RAND_PORT_1)
             if not ok then
                 ngx.log(ngx.ERR, "failed to connect: ", err)
                 return