authorJames An2017-04-21 20:37:21 -0400
committerJames An2017-04-21 20:37:21 -0400
commit4045e5c7426b3862e8920bba2a09d771ed4d0fdf (patch)
tree3859997686f104e3abe5f835a31ac8396075d19f /openssl-1.1.0.patch
parent9717bfbf0ba527bb43e15ce2ca16cc6e318fb567 (diff)
Forked off from openresty package, added VCS changes to the PKGBUILD, added a patch to fix upstream build incompatibility issues with openssl>=1.1.0.
Diffstat (limited to 'openssl-1.1.0.patch')
-rw-r--r--openssl-1.1.0.patch255
1 files changed, 255 insertions, 0 deletions
diff --git a/openssl-1.1.0.patch b/openssl-1.1.0.patch
new file mode 100644
index 000000000000..c9a8235112ee
--- /dev/null
+++ b/openssl-1.1.0.patch
@@ -0,0 +1,255 @@
+diff --git a/patches/nginx-1.11.2-guarded_SSL_R_NO_CIPHERS_PASSED_not_present_in_OpenSSL_1.1.0.patch b/patches/nginx-1.11.2-guarded_SSL_R_NO_CIPHERS_PASSED_not_present_in_OpenSSL_1.1.0.patch
+new file mode 100644
+index 0000000..fd59562
+--- /dev/null
++++ b/patches/nginx-1.11.2-guarded_SSL_R_NO_CIPHERS_PASSED_not_present_in_OpenSSL_1.1.0.patch
+@@ -0,0 +1,23 @@
++# HG changeset patch
++# User Sergey Kandaurov <pluknet@nginx.com>
++# Date 1470653089 -10800
++# Node ID 1891b2892b68223dcc8f6bec7205d0d8c03682d5
++# Parent 7d4e33092e2abe92f0b904e5dadad4728eb12257
++SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0.
++
++It was removed in OpenSSL 1.1.0 Beta 3 (pre-release 6). It was
++not used since OpenSSL 1.0.1n and 1.0.2b.
++
++diff -r 7d4e33092e2a -r 1891b2892b68 src/event/ngx_event_openssl.c
++--- a/src/event/ngx_event_openssl.c Thu Aug 04 23:43:10 2016 +0300
+++++ b/src/event/ngx_event_openssl.c Mon Aug 08 13:44:49 2016 +0300
++@@ -2023,7 +2023,9 @@
++ || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */
++ || n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */
++ || n == SSL_R_LENGTH_MISMATCH /* 159 */
+++#ifdef SSL_R_NO_CIPHERS_PASSED
++ || n == SSL_R_NO_CIPHERS_PASSED /* 182 */
+++#endif
++ || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */
++ || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */
++ || n == SSL_R_NO_SHARED_CIPHER /* 193 */
+diff --git a/patches/ngx_http_encrypted_session-0.06-init_cipher_ctx_indirectly.patch b/patches/ngx_http_encrypted_session-0.06-init_cipher_ctx_indirectly.patch
+new file mode 100644
+index 0000000..3a1b7d6
+--- /dev/null
++++ b/patches/ngx_http_encrypted_session-0.06-init_cipher_ctx_indirectly.patch
+@@ -0,0 +1,119 @@
++diff --git a/src/ngx_http_encrypted_session_cipher.c b/src/ngx_http_encrypted_session_cipher.c
++index 5c8da81..3f2fed8 100644
++--- a/src/ngx_http_encrypted_session_cipher.c
+++++ b/src/ngx_http_encrypted_session_cipher.c
++@@ -26,7 +26,7 @@
++ const u_char *in, size_t in_len, ngx_uint_t expires, u_char **dst,
++ size_t *dst_len)
++ {
++- EVP_CIPHER_CTX ctx;
+++ EVP_CIPHER_CTX *ctx;
++ const EVP_CIPHER *cipher;
++ u_char *p, *data;
++ int ret;
++@@ -39,7 +39,7 @@
++ return NGX_ERROR;
++ }
++
++- EVP_CIPHER_CTX_init(&ctx);
+++ EVP_CIPHER_CTX_init(ctx);
++
++ cipher = EVP_aes_256_cbc();
++
++@@ -83,28 +83,28 @@
++
++ p += MD5_DIGEST_LENGTH;
++
++- ret = EVP_EncryptInit(&ctx, cipher, key, iv);
+++ ret = EVP_EncryptInit(ctx, cipher, key, iv);
++ if (!ret) {
++ goto evp_error;
++ }
++
++ /* encrypt the raw input data */
++
++- ret = EVP_EncryptUpdate(&ctx, p, &len, data, data_size);
+++ ret = EVP_EncryptUpdate(ctx, p, &len, data, data_size);
++ if (!ret) {
++ goto evp_error;
++ }
++
++ p += len;
++
++- ret = EVP_EncryptFinal(&ctx, p, &len);
+++ ret = EVP_EncryptFinal(ctx, p, &len);
++ if (!ret) {
++ return NGX_ERROR;
++ }
++
++ /* XXX we should still explicitly release the ctx
++ * or we'll leak memory here */
++- EVP_CIPHER_CTX_cleanup(&ctx);
+++ EVP_CIPHER_CTX_cleanup(ctx);
++
++ p += len;
++
++@@ -121,7 +121,7 @@
++
++ evp_error:
++
++- EVP_CIPHER_CTX_cleanup(&ctx);
+++ EVP_CIPHER_CTX_cleanup(ctx);
++
++ return NGX_ERROR;
++ }
++@@ -132,7 +132,7 @@
++ const u_char *iv, size_t iv_len, const u_char *key, size_t key_len,
++ const u_char *in, size_t in_len, u_char **dst, size_t *dst_len)
++ {
++- EVP_CIPHER_CTX ctx;
+++ EVP_CIPHER_CTX *ctx;
++ const EVP_CIPHER *cipher;
++ int ret;
++ size_t block_size, buf_size;
++@@ -152,11 +152,11 @@
++
++ digest = in;
++
++- EVP_CIPHER_CTX_init(&ctx);
+++ EVP_CIPHER_CTX_init(ctx);
++
++ cipher = EVP_aes_256_cbc();
++
++- ret = EVP_DecryptInit(&ctx, cipher, key, iv);
+++ ret = EVP_DecryptInit(ctx, cipher, key, iv);
++ if (!ret) {
++ goto evp_error;
++ }
++@@ -173,7 +173,7 @@
++
++ *dst = p;
++
++- ret = EVP_DecryptUpdate(&ctx, p, &len, in + MD5_DIGEST_LENGTH,
+++ ret = EVP_DecryptUpdate(ctx, p, &len, in + MD5_DIGEST_LENGTH,
++ in_len - MD5_DIGEST_LENGTH);
++
++ if (!ret) {
++@@ -183,11 +183,11 @@
++
++ p += len;
++
++- ret = EVP_DecryptFinal(&ctx, p, &len);
+++ ret = EVP_DecryptFinal(ctx, p, &len);
++
++ /* XXX we should still explicitly release the ctx
++ * or we'll leak memory here */
++- EVP_CIPHER_CTX_cleanup(&ctx);
+++ EVP_CIPHER_CTX_cleanup(ctx);
++
++ if (!ret) {
++ ngx_log_debug0(NGX_LOG_DEBUG_HTTP, log, 0,
++@@ -249,7 +249,7 @@
++
++ evp_error:
++
++- EVP_CIPHER_CTX_cleanup(&ctx);
+++ EVP_CIPHER_CTX_cleanup(ctx);
++
++ return NGX_ERROR;
++ }
+diff --git a/patches/ngx_lua-0.10.8-support_openssl_1.1.0.patch b/patches/ngx_lua-0.10.8-support_openssl_1.1.0.patch
+new file mode 100644
+index 0000000..bcfb25e
+--- /dev/null
++++ b/patches/ngx_lua-0.10.8-support_openssl_1.1.0.patch
+@@ -0,0 +1,56 @@
++diff --git a/src/ngx_http_lua_ssl_ocsp.c b/src/ngx_http_lua_ssl_ocsp.c
++index 3904aa8e..71d40e74 100644
++--- a/src/ngx_http_lua_ssl_ocsp.c
+++++ b/src/ngx_http_lua_ssl_ocsp.c
++@@ -468,7 +468,11 @@ ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r,
++ return NGX_ERROR;
++ }
++
+++#ifdef SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE
+++ if (SSL_get_tlsext_status_type(ssl_conn) == -1) {
+++#else
++ if (ssl_conn->tlsext_status_type == -1) {
+++#endif
++ dd("no ocsp status req from client");
++ return NGX_DECLINED;
++ }
++@@ -490,7 +494,11 @@ ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r,
++
++ dd("set ocsp resp: resp_len=%d", (int) resp_len);
++ (void) SSL_set_tlsext_status_ocsp_resp(ssl_conn, p, resp_len);
+++#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE
+++ SSL_set_tlsext_status_type(ssl_conn, TLSEXT_STATUSTYPE_ocsp);
+++#else
++ ssl_conn->tlsext_status_expected = 1;
+++#endif
++
++ return NGX_OK;
++
++diff --git a/src/ngx_http_lua_ssl_session_storeby.c b/src/ngx_http_lua_ssl_session_storeby.c
++index b5596bc7..6e132a31 100644
++--- a/src/ngx_http_lua_ssl_session_storeby.c
+++++ b/src/ngx_http_lua_ssl_session_storeby.c
++@@ -172,6 +172,8 @@ int
++ ngx_http_lua_ssl_sess_store_handler(ngx_ssl_conn_t *ssl_conn,
++ ngx_ssl_session_t *sess)
++ {
+++ const u_char *sess_id;
+++ unsigned int sess_id_len;
++ lua_State *L;
++ ngx_int_t rc;
++ ngx_connection_t *c, *fc = NULL;
++@@ -246,11 +248,12 @@ ngx_http_lua_ssl_sess_store_handler(ngx_ssl_conn_t *ssl_conn,
++ }
++ }
++
+++ sess_id = SSL_SESSION_get_id(sess, &sess_id_len);
++ cctx->connection = c;
++ cctx->request = r;
++ cctx->session = sess;
++- cctx->session_id.data = sess->session_id;
++- cctx->session_id.len = sess->session_id_length;
+++ cctx->session_id.data = (u_char *) sess_id;
+++ cctx->session_id.len = sess_id_len;
++ cctx->done = 0;
++
++ dd("setting cctx");
+diff --git a/util/mirror-tarballs b/util/mirror-tarballs
+index 2da01f1..cf09f99 100755
+--- a/util/mirror-tarballs
++++ b/util/mirror-tarballs
+@@ -335,6 +335,8 @@ echo
+
+ echo "$info_txt applying the safe_resolver_ipv6_option patch for nginx"
+ patch -p1 < $root/patches/nginx-$main_ver-safe_resolver_ipv6_option.patch || exit 1
++echo "$info_txt applying the guarded_SSL_R_NO_CIPHERS_PASSED_not_present_in_OpenSSL_1.1.0 patch for nginx"
++patch -p1 < $root/patches/nginx-$main_ver-guarded_SSL_R_NO_CIPHERS_PASSED_not_present_in_OpenSSL_1.1.0.patch || exit 1
+ echo
+
+ cp $root/html/index.html docs/html/ || exit 1
+@@ -412,6 +414,12 @@ $root/util/get-tarball "https://github.com/openresty/lua-nginx-module/tarball/v$
+ tar -xzf lua-nginx-module-$ver.tar.gz || exit 1
+ mv openresty-lua-nginx-module-* ngx_lua-$ver || exit 1
+
++cd ngx_lua-$ver
++echo "applying ngx_lua-$ver-support_openssl_1.1.0.patch"
++patch -p1 < $root/patches/ngx_lua-$ver-support_openssl_1.1.0.patch || exit 1
++echo
++cd ..
++
+ #################################
+
+ ver=0.06
+@@ -461,6 +469,12 @@ $root/util/get-tarball "https://github.com/openresty/encrypted-session-nginx-mod
+ tar -xzf encrypted-session-nginx-module-$ver.tar.gz || exit 1
+ mv openresty-encrypted-session-nginx-module-* encrypted-session-nginx-module-$ver || exit 1
+
++cd encrypted-session-nginx-module-$ver
++echo "applying ngx_http_encrypted_session-$ver-init_cipher_ctx_indirectly.patch"
++patch -p1 < $root/patches/ngx_http_encrypted_session-$ver-init_cipher_ctx_indirectly.patch || exit 1
++echo
++cd ..
++
+ #################################
+
+
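Review bot: In the embedded ngx_http_encrypted_session patch, `EVP_CIPHER_CTX ctx;` becomes `EVP_CIPHER_CTX *ctx;` but no visible line ever assigns the pointer, so `EVP_CIPHER_CTX_init(ctx)` and every later EVP call appear to operate on an uninitialized pointer in the code that encrypts and decrypts session data. The same applies to the decrypt function further down (nested hunks at -132 and -152). Replace the init call with `ctx = EVP_CIPHER_CTX_new(); if (ctx == NULL) { return NGX_ERROR; }` and each `EVP_CIPHER_CTX_cleanup(ctx);` with `EVP_CIPHER_CTX_free(ctx);`. The bare `return NGX_ERROR;` after a failed `EVP_EncryptFinal` would then need the free as well, otherwise the heap context leaks on that path. Only fragments of both functions are visible in the nested hunks, so the remaining exit paths should be checked against the full module source.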