openresty/patches/openssl-1.1.0d-sess_set_get...

219 lines
8.1 KiB
C
Raw Normal View History

diff --git a/include/openssl/bio.h b/include/openssl/bio.h
index 9bc941b25f..4f55f1f825 100644
--- a/include/openssl/bio.h
+++ b/include/openssl/bio.h
@@ -220,6 +220,8 @@ void BIO_clear_flags(BIO *b, int flags);
/* Returned from the accept BIO when an accept would have blocked */
# define BIO_RR_ACCEPT 0x03
+# define BIO_RR_SSL_SESSION_LOOKUP 0x04
+
/* These are passed by the BIO callback */
# define BIO_CB_FREE 0x01
# define BIO_CB_READ 0x02
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 8d75d53eca..55b896bf79 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -791,6 +791,7 @@ __owur int SSL_extension_supported(unsigned int ext_type);
# define SSL_X509_LOOKUP 4
# define SSL_ASYNC_PAUSED 5
# define SSL_ASYNC_NO_JOBS 6
+# define SSL_SESS_LOOKUP 7
/* These will only be used when doing non-blocking IO */
# define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING)
@@ -799,6 +800,7 @@ __owur int SSL_extension_supported(unsigned int ext_type);
# define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
# define SSL_want_async(s) (SSL_want(s) == SSL_ASYNC_PAUSED)
# define SSL_want_async_job(s) (SSL_want(s) == SSL_ASYNC_NO_JOBS)
+# define SSL_want_sess_lookup(s) (SSL_want(s) == SSL_SESS_LOOKUP)
# define SSL_MAC_FLAG_READ_MAC_STREAM 1
# define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
@@ -1031,6 +1033,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
# define SSL_ERROR_WANT_ACCEPT 8
# define SSL_ERROR_WANT_ASYNC 9
# define SSL_ERROR_WANT_ASYNC_JOB 10
+# define SSL_ERROR_WANT_SESSION_LOOKUP 11
+# define SSL_ERROR_PENDING_SESSION 11 /* BoringSSL compatibility */
# define SSL_CTRL_SET_TMP_DH 3
# define SSL_CTRL_SET_TMP_ECDH 4
# define SSL_CTRL_SET_TMP_DH_CB 6
@@ -1426,6 +1430,7 @@ int SSL_SESSION_print(BIO *fp, const SSL_SESSION *ses);
int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x);
int SSL_SESSION_up_ref(SSL_SESSION *ses);
void SSL_SESSION_free(SSL_SESSION *ses);
+SSL_SESSION *SSL_magic_pending_session_ptr(void);
__owur int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp);
__owur int SSL_set_session(SSL *to, SSL_SESSION *session);
__owur int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c
index 3dd09cf52d..7ac370fefc 100644
--- a/ssl/bio_ssl.c
+++ b/ssl/bio_ssl.c
@@ -138,6 +138,10 @@ static int ssl_read(BIO *b, char *out, int outl)
BIO_set_retry_special(b);
retry_reason = BIO_RR_SSL_X509_LOOKUP;
break;
+ case SSL_ERROR_WANT_SESSION_LOOKUP:
+ BIO_set_retry_special(b);
+ retry_reason = BIO_RR_SSL_SESSION_LOOKUP;
+ break;
case SSL_ERROR_WANT_ACCEPT:
BIO_set_retry_special(b);
retry_reason = BIO_RR_ACCEPT;
@@ -210,6 +214,10 @@ static int ssl_write(BIO *b, const char *out, int outl)
BIO_set_retry_special(b);
retry_reason = BIO_RR_SSL_X509_LOOKUP;
break;
+ case SSL_ERROR_WANT_SESSION_LOOKUP:
+ BIO_set_retry_special(b);
+ retry_reason = BIO_RR_SSL_SESSION_LOOKUP;
+ break;
case SSL_ERROR_WANT_CONNECT:
BIO_set_retry_special(b);
retry_reason = BIO_RR_CONNECT;
@@ -363,6 +371,10 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
BIO_set_retry_special(b);
BIO_set_retry_reason(b, BIO_RR_SSL_X509_LOOKUP);
break;
+ case SSL_ERROR_WANT_SESSION_LOOKUP:
+ BIO_set_retry_special(b);
+ BIO_set_retry_reason(b, BIO_RR_SSL_SESSION_LOOKUP);
+ break;
default:
break;
}
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 002b2e5847..373484e16b 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2982,6 +2982,9 @@ int SSL_get_error(const SSL *s, int i)
if (SSL_want_async_job(s)) {
return SSL_ERROR_WANT_ASYNC_JOB;
}
+ if (SSL_want_sess_lookup(s)) {
+ return SSL_ERROR_WANT_SESSION_LOOKUP;
+ }
}
if (i == 0) {
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 43cb1d371b..99c5e4990f 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -40,6 +40,8 @@
#include <openssl/engine.h>
#include "ssl_locl.h"
+static const char g_pending_session_magic = 0;
+
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s);
static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
@@ -502,6 +504,10 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id)
PACKET_remaining(session_id),
&copy);
+ if (ret == SSL_magic_pending_session_ptr()) {
+ return -2; /* Retry later */
+ }
+
if (ret != NULL) {
s->session_ctx->stats.sess_cb_hit++;
@@ -886,6 +892,11 @@ X509 *SSL_SESSION_get0_peer(SSL_SESSION *s)
return s->peer;
}
+SSL_SESSION *SSL_magic_pending_session_ptr(void)
+{
+ return (SSL_SESSION *) &g_pending_session_magic;
+}
+
int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
unsigned int sid_ctx_len)
{
diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
index 512f1e0941..52a335bee9 100644
--- a/ssl/statem/statem.c
+++ b/ssl/statem/statem.c
@@ -583,16 +583,18 @@ static SUB_STATE_RETURN read_state_machine(SSL *s)
}
s->first_packet = 0;
- if (!PACKET_buf_init(&pkt, s->init_msg, len)) {
+
+ st->read_state = READ_STATE_PROCESS;
+ /* Fall through */
+
+ case READ_STATE_PROCESS:
+ if (!PACKET_buf_init(&pkt, s->init_msg, s->init_num)) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
return SUB_STATE_ERROR;
}
ret = process_message(s, &pkt);
- /* Discard the packet data */
- s->init_num = 0;
-
switch (ret) {
case MSG_PROCESS_ERROR:
return SUB_STATE_ERROR;
@@ -612,6 +614,9 @@ static SUB_STATE_RETURN read_state_machine(SSL *s)
st->read_state = READ_STATE_HEADER;
break;
}
+
+ /* Discard the packet data */
+ s->init_num = 0;
break;
case READ_STATE_POST_PROCESS:
diff --git a/ssl/statem/statem.h b/ssl/statem/statem.h
index 2fca39b0db..b106f4d069 100644
--- a/ssl/statem/statem.h
+++ b/ssl/statem/statem.h
@@ -60,6 +60,7 @@ typedef enum {
typedef enum {
READ_STATE_HEADER,
READ_STATE_BODY,
+ READ_STATE_PROCESS,
READ_STATE_POST_PROCESS
} READ_STATE;
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index d36d194b0a..bcf0635172 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1165,11 +1165,16 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
s->hit = 1;
} else if (i == -1) {
goto err;
+ } else if (i == -2) {
+ s->rwstate = SSL_SESS_LOOKUP;
+ s->statem.read_state_work = WORK_MORE_A;
+ return MSG_PROCESS_ERROR;
} else {
/* i == 0 */
if (!ssl_get_new_session(s, 1))
goto err;
}
+ s->rwstate = SSL_NOTHING;
}
if (ssl_bytes_to_cipher_list(s, &cipher_suites, &(ciphers),
diff --git a/util/libssl.num b/util/libssl.num
index 7b9b3c251c..6e9a26133f 100644
--- a/util/libssl.num
+++ b/util/libssl.num
@@ -403,5 +403,6 @@ SSL_dane_clear_flags 403 1_1_0 EXIST::FUNCTION:
SSL_SESSION_get0_cipher 404 1_1_0 EXIST::FUNCTION:
SSL_SESSION_get0_id_context 405 1_1_0 EXIST::FUNCTION:
SSL_SESSION_set1_id 406 1_1_0 EXIST::FUNCTION:
+SSL_magic_pending_session_ptr 407 1_1_0 EXIST::FUNCTION:
SSL_COMP_get_id 412 1_1_0d EXIST::FUNCTION:
SSL_COMP_get0_name 413 1_1_0d EXIST::FUNCTION: