macro to conditional build proxy ssl verify

Author: willmafh

src/ngx_http_lua_common.h

@@ -148,7 +148,10 @@ typedef struct {
 #define NGX_HTTP_LUA_CONTEXT_EXIT_WORKER        0x00002000
 #define NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO   0x00004000
 #define NGX_HTTP_LUA_CONTEXT_SERVER_REWRITE     0x00008000
+
+#ifdef HAVE_PROXY_SSL_PATCH
 #define NGX_HTTP_LUA_CONTEXT_PROXY_SSL_VERIFY   0x00010000
+#endif
 
 
 #define NGX_HTTP_LUA_FFI_NO_REQ_CTX         -100
@@ -390,12 +393,15 @@ struct ngx_http_lua_loc_conf_s {
     ngx_array_t            *ssl_conf_commands;
 #endif
 
+#ifdef HAVE_PROXY_SSL_PATCH
     ngx_http_lua_loc_conf_handler_pt       proxy_ssl_verify_handler;
     ngx_str_t                              proxy_ssl_verify_src;
     u_char                                *proxy_ssl_verify_src_key;
     u_char                                *proxy_ssl_verify_chunkname;
     int                                    proxy_ssl_verify_src_ref;
     ngx_flag_t                             upstream_skip_openssl_default_verify;
+#endif
+
 #endif
 
     ngx_flag_t              force_read_body; /* whether force request body to

src/ngx_http_lua_control.c

@@ -384,7 +384,9 @@ ngx_http_lua_ffi_exit(ngx_http_request_t *r, int status, u_char *err,
                                        | NGX_HTTP_LUA_CONTEXT_TIMER
                                        | NGX_HTTP_LUA_CONTEXT_HEADER_FILTER
                                        | NGX_HTTP_LUA_CONTEXT_BALANCER
+#ifdef HAVE_PROXY_SSL_PATCH
                                        | NGX_HTTP_LUA_CONTEXT_PROXY_SSL_VERIFY
+#endif
                                        | NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO
                                        | NGX_HTTP_LUA_CONTEXT_SSL_CERT
                                        | NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE
@@ -395,8 +397,10 @@ ngx_http_lua_ffi_exit(ngx_http_request_t *r, int status, u_char *err,
         return NGX_ERROR;
     }
 
-    if (ctx->context & (NGX_HTTP_LUA_CONTEXT_PROXY_SSL_VERIFY
-                        | NGX_HTTP_LUA_CONTEXT_SSL_CERT
+    if (ctx->context & (NGX_HTTP_LUA_CONTEXT_SSL_CERT
+#ifdef HAVE_PROXY_SSL_PATCH
+                        | NGX_HTTP_LUA_CONTEXT_PROXY_SSL_VERIFY
+#endif
                         | NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO
                         | NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE
                         | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH))

src/ngx_http_lua_module.c

@@ -31,7 +31,11 @@
 #include "ngx_http_lua_ssl_certby.h"
 #include "ngx_http_lua_ssl_session_storeby.h"
 #include "ngx_http_lua_ssl_session_fetchby.h"
+
+#ifdef HAVE_PROXY_SSL_PATCH
 #include "ngx_http_lua_proxy_ssl_verifyby.h"
+#endif
+
 #include "ngx_http_lua_headers.h"
 #include "ngx_http_lua_headers_out.h"
 #if !(NGX_WIN32)
@@ -661,6 +665,7 @@ static ngx_command_t ngx_http_lua_cmds[] = {
       0,
       (void *) ngx_http_lua_ssl_sess_fetch_handler_file },
 
+#ifdef HAVE_PROXY_SSL_PATCH
     /* same context as proxy_pass directive */
     { ngx_string("proxy_ssl_verify_by_lua_block"),
       NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
@@ -682,6 +687,7 @@ static ngx_command_t ngx_http_lua_cmds[] = {
       NGX_HTTP_LOC_CONF_OFFSET,
       offsetof(ngx_http_lua_loc_conf_t, upstream_skip_openssl_default_verify),
       NULL },
+#endif
 
     { ngx_string("lua_ssl_verify_depth"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
@@ -1507,8 +1513,10 @@ ngx_http_lua_create_loc_conf(ngx_conf_t *cf)
 #if (nginx_version >= 1019004)
     conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
 #endif
+#ifdef HAVE_PROXY_SSL_PATCH
     conf->proxy_ssl_verify_src_ref = LUA_REFNIL;
     conf->upstream_skip_openssl_default_verify = NGX_CONF_UNSET;
+#endif
 #endif
 
     return conf;
@@ -1603,6 +1611,7 @@ ngx_http_lua_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
                              NULL);
 #endif
 
+#ifdef HAVE_PROXY_SSL_PATCH
     if (conf->proxy_ssl_verify_src.len == 0) {
         conf->proxy_ssl_verify_src = prev->proxy_ssl_verify_src;
         conf->proxy_ssl_verify_handler = prev->proxy_ssl_verify_handler;
@@ -1619,6 +1628,7 @@ ngx_http_lua_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
 
     ngx_conf_merge_value(conf->upstream_skip_openssl_default_verify,
                          prev->upstream_skip_openssl_default_verify, 0);
+#endif
 
     if (ngx_http_lua_set_ssl(cf, conf) != NGX_OK) {
         return NGX_CONF_ERROR;

src/ngx_http_lua_proxy_ssl_verifyby.c

@@ -16,10 +16,12 @@
 #include "ngx_http_lua_util.h"
 #include "ngx_http_ssl_module.h"
 #include "ngx_http_lua_contentby.h"
-#include "ngx_http_lua_proxy_ssl_verifyby.h"
 #include "ngx_http_lua_directive.h"
 #include "ngx_http_lua_ssl.h"
 
+#ifdef HAVE_PROXY_SSL_PATCH
+#include "ngx_http_lua_proxy_ssl_verifyby.h"
+
 
 static void ngx_http_lua_proxy_ssl_verify_done(void *data);
 static void ngx_http_lua_proxy_ssl_verify_aborted(void *data);
@@ -708,4 +710,42 @@ ngx_http_lua_ffi_ssl_get_verify_cert(ngx_http_request_t *r, char **err)
 #endif
 }
 
+
+#else  /* HAVE_PROXY_SSL_PATCH */
+
+
+int
+ngx_http_lua_ffi_ssl_set_verify_result(ngx_http_request_t *r,
+    int verify_result, char **err)
+{
+    *err = "Does not have HAVE_PROXY_SSL_PATCH to support this function";
+
+    return NGX_ERROR;
+}
+
+
+int
+ngx_http_lua_ffi_ssl_get_verify_result(ngx_http_request_t *r, char **err)
+{
+    *err = "Does not have HAVE_PROXY_SSL_PATCH to support this function";
+
+    return NGX_ERROR;
+}
+
+
+void
+ngx_http_lua_ffi_ssl_free_verify_cert(void *cdata)
+{
+}
+
+
+void *
+ngx_http_lua_ffi_ssl_get_verify_cert(ngx_http_request_t *r, char **err)
+{
+    *err = "Does not have HAVE_PROXY_SSL_PATCH to support this function";
+
+    return NULL;
+}
+
+#endif /* HAVE_PROXY_SSL_PATCH */
 #endif /* NGX_HTTP_SSL */

src/ngx_http_lua_proxy_ssl_verifyby.h

@@ -10,6 +10,7 @@
 
 
 #if (NGX_HTTP_SSL)
+#ifdef HAVE_PROXY_SSL_PATCH
 
 /* do not introduce ngx_http_proxy_module to pollute ngx_http_lua_module.c */
 extern ngx_module_t  ngx_http_proxy_module;
@@ -31,6 +32,7 @@ int ngx_http_lua_proxy_ssl_verify_handler(X509_STORE_CTX *x509_store,
 
 ngx_int_t ngx_http_lua_proxy_ssl_verify_set_callback(ngx_conf_t *cf);
 
+#endif  /* HAVE_PROXY_SSL_PATCH */
 #endif  /* NGX_HTTP_SSL */
 
 

src/ngx_http_lua_ssl.h

@@ -24,8 +24,10 @@ typedef struct {
 
     ngx_str_t                session_id;
 
+#ifdef HAVE_PROXY_SSL_PATCH
     X509_STORE_CTX          *x509_store;
     ngx_pool_t              *pool;
+#endif
 
     int                      exit_code;  /* exit code for openssl's
                                             set_client_hello_cb or
@@ -36,15 +38,19 @@ typedef struct {
                                            request ctx data in lua
                                            registry */
 
+#ifdef HAVE_PROXY_SSL_PATCH
     /* same size as count field of ngx_http_request_t */
     unsigned                 original_request_count:16;
+#endif
     unsigned                 done:1;
     unsigned                 aborted:1;
 
     unsigned                 entered_client_hello_handler:1;
     unsigned                 entered_cert_handler:1;
     unsigned                 entered_sess_fetch_handler:1;
+#ifdef HAVE_PROXY_SSL_PATCH
     unsigned                 entered_proxy_ssl_verify_handler:1;
+#endif
 } ngx_http_lua_ssl_ctx_t;
 
 

src/ngx_http_lua_util.c

@@ -1682,9 +1682,11 @@ ngx_http_lua_run_thread(lua_State *L, ngx_http_request_t *r,
                 NGX_ERROR : NGX_HTTP_INTERNAL_SERVER_ERROR;
 
 done:
+#ifdef HAVE_PROXY_SSL_PATCH
     if (ctx->context == NGX_HTTP_LUA_CONTEXT_PROXY_SSL_VERIFY) {
         return NGX_OK;
     }
+#endif
 
     if (ctx->entered_content_phase
         && r->connection->fd != (ngx_socket_t) -1)
@@ -2441,9 +2443,11 @@ ngx_http_lua_handle_exit(lua_State *L, ngx_http_request_t *r,
         return ctx->exit_code;
     }
 
+#ifdef HAVE_PROXY_SSL_PATCH
     if (ctx->context == NGX_HTTP_LUA_CONTEXT_PROXY_SSL_VERIFY) {
         return ctx->exit_code;
     }
+#endif
 
 #if 1
     if (!r->header_sent
@@ -3681,9 +3685,11 @@ ngx_http_lua_finalize_request(ngx_http_request_t *r, ngx_int_t rc)
 {
     ngx_http_lua_ctx_t              *ctx;
 #if (NGX_HTTP_SSL)
+#ifdef HAVE_PROXY_SSL_PATCH
     ngx_http_upstream_t             *u;
     ngx_connection_t                *c;
     ngx_http_lua_ssl_ctx_t          *cctx;
+#endif
 #endif
 
     ctx = ngx_http_get_module_ctx(r, ngx_http_lua_module);
@@ -3692,6 +3698,7 @@ ngx_http_lua_finalize_request(ngx_http_request_t *r, ngx_int_t rc)
     }
 
 #if (NGX_HTTP_SSL)
+#ifdef HAVE_PROXY_SSL_PATCH
     u = r->upstream;
     if (u) {
         c = u->peer.connection;
@@ -3714,6 +3721,7 @@ ngx_http_lua_finalize_request(ngx_http_request_t *r, ngx_int_t rc)
             }
         }
     }
+#endif
 #endif
 
     if (r->connection->fd != (ngx_socket_t) -1) {

src/ngx_http_lua_util.h

@@ -32,6 +32,8 @@
 
 #define NGX_HTTP_LUA_ESCAPE_HEADER_VALUE  8
 
+#ifdef HAVE_PROXY_SSL_PATCH
+
 #define NGX_HTTP_LUA_CONTEXT_YIELDABLE (NGX_HTTP_LUA_CONTEXT_REWRITE         \
                                 | NGX_HTTP_LUA_CONTEXT_SERVER_REWRITE        \
                                 | NGX_HTTP_LUA_CONTEXT_ACCESS                \
@@ -42,11 +44,26 @@
                                 | NGX_HTTP_LUA_CONTEXT_SSL_CERT              \
                                 | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH)
 
+#else
+
+#define NGX_HTTP_LUA_CONTEXT_YIELDABLE (NGX_HTTP_LUA_CONTEXT_REWRITE         \
+                                | NGX_HTTP_LUA_CONTEXT_SERVER_REWRITE        \
+                                | NGX_HTTP_LUA_CONTEXT_ACCESS                \
+                                | NGX_HTTP_LUA_CONTEXT_CONTENT               \
+                                | NGX_HTTP_LUA_CONTEXT_TIMER                 \
+                                | NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO      \
+                                | NGX_HTTP_LUA_CONTEXT_SSL_CERT              \
+                                | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH)
+
+#endif  /* HAVE_PROXY_SSL_PATCH */
+
 
 /* key in Lua vm registry for all the "ngx.ctx" tables */
 #define ngx_http_lua_ctx_tables_key  "ngx_lua_ctx_tables"
 
 
+#ifdef HAVE_PROXY_SSL_PATCH
+
 #define ngx_http_lua_context_name(c)                                         \
     ((c) == NGX_HTTP_LUA_CONTEXT_SET ? "set_by_lua*"                         \
      : (c) == NGX_HTTP_LUA_CONTEXT_REWRITE ? "rewrite_by_lua*"               \
@@ -71,6 +88,32 @@
                                                  "ssl_session_fetch_by_lua*" \
      : "(unknown)")
 
+#else
+
+#define ngx_http_lua_context_name(c)                                         \
+    ((c) == NGX_HTTP_LUA_CONTEXT_SET ? "set_by_lua*"                         \
+     : (c) == NGX_HTTP_LUA_CONTEXT_REWRITE ? "rewrite_by_lua*"               \
+     : (c) == NGX_HTTP_LUA_CONTEXT_SERVER_REWRITE ? "server_rewrite_by_lua*" \
+     : (c) == NGX_HTTP_LUA_CONTEXT_ACCESS ? "access_by_lua*"                 \
+     : (c) == NGX_HTTP_LUA_CONTEXT_CONTENT ? "content_by_lua*"               \
+     : (c) == NGX_HTTP_LUA_CONTEXT_LOG ? "log_by_lua*"                       \
+     : (c) == NGX_HTTP_LUA_CONTEXT_HEADER_FILTER ? "header_filter_by_lua*"   \
+     : (c) == NGX_HTTP_LUA_CONTEXT_BODY_FILTER ? "body_filter_by_lua*"       \
+     : (c) == NGX_HTTP_LUA_CONTEXT_TIMER ? "ngx.timer"                       \
+     : (c) == NGX_HTTP_LUA_CONTEXT_INIT_WORKER ? "init_worker_by_lua*"       \
+     : (c) == NGX_HTTP_LUA_CONTEXT_EXIT_WORKER ? "exit_worker_by_lua*"       \
+     : (c) == NGX_HTTP_LUA_CONTEXT_BALANCER ? "balancer_by_lua*"             \
+     : (c) == NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO ?                        \
+                                                 "ssl_client_hello_by_lua*"  \
+     : (c) == NGX_HTTP_LUA_CONTEXT_SSL_CERT ? "ssl_certificate_by_lua*"      \
+     : (c) == NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE ?                          \
+                                                 "ssl_session_store_by_lua*" \
+     : (c) == NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH ?                          \
+                                                 "ssl_session_fetch_by_lua*" \
+     : "(unknown)")
+
+#endif  /* HAVE_PROXY_SSL_PATCH */
+
 
 #define ngx_http_lua_check_context(L, ctx, flags)                            \
     if (!((ctx)->context & (flags))) {                                       \