tests: added old OpenSSL clients to test our SSL server features using new OpenSSL versions.

Here we make sure the nginx process is not blocked by pipe reading
operations until the `openssl s_client` completes the SSL handshake.
Also, the `openssl s_client` command is always protected by the
`timeout` command-line utility to avoid hanging forever. We would no
longer need such hacks once we have the nonblocking ngx.pipe Lua API.

Signed-off-by: Yichun Zhang (agentzh) <[email protected]>

Author: spacewander

.travis.yml

@@ -40,6 +40,7 @@ env:
     - TEST_NGINX_SLEEP=0.005
     - TEST_NGINX_RANDOMIZE=1
     - LUACHECK_VER=0.21.1
+    - OLD_OPENSSL_VER=0.9.8o
   matrix:
     - NGINX_VERSION=1.13.6 OPENSSL_VER=1.0.2n OPENSSL_PATCH_VER=1.0.2h
     - NGINX_VERSION=1.13.6 OPENSSL_VER=1.1.0g OPENSSL_PATCH_VER=1.1.0d
@@ -54,6 +55,7 @@ before_install:
 install:
   - if [ ! -d download-cache ]; then mkdir download-cache; fi
   - if [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -O download-cache/openssl-$OPENSSL_VER.tar.gz https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz; fi
+  - if [ ! -f download-cache/old-openssl-$OLD_OPENSSL_VER.tar.gz ]; then wget -O download-cache/old-openssl-$OLD_OPENSSL_VER.tar.gz https://www.openssl.org/source/openssl-$OLD_OPENSSL_VER.tar.gz; fi
   - if [ ! -f download-cache/pcre-$PCRE_VER.tar.gz ]; then wget -P download-cache http://ftp.cs.stanford.edu/pub/exim/pcre/pcre-$PCRE_VER.tar.gz; fi
   - wget http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz
   - git clone https://github.com/openresty/openresty.git ../openresty
@@ -88,6 +90,13 @@ script:
   - make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
   - sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1)
   - cd ..
+  - tar zxf download-cache/old-openssl-$OLD_OPENSSL_VER.tar.gz
+  - cd openssl-$OLD_OPENSSL_VER/
+  - ./config no-asm > build.log 2>&1 || (cat build.log && exit 1)
+  - make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
+  - export PATH=$PWD/apps:$PATH
+  - openssl version
+  - cd ..
   - export PATH=$PWD/work/nginx/sbin:$PWD/openresty-devel-utils:$PATH
   - export LD_PRELOAD=$PWD/mockeagain/mockeagain.so
   - export LD_LIBRARY_PATH=$PWD/mockeagain:$LD_LIBRARY_PATH

t/ssl-session-fetch.t

@@ -7,22 +7,25 @@ use File::Basename;
 #worker_connections(10140);
 #workers(1);
 #log_level('warn');
+#master_on();
 
 repeat_each(2);
 
-plan tests => repeat_each() * (blocks() * 6);
+plan tests => repeat_each() * (blocks() * 6 + 1);
 
 our $CWD = cwd();
 
 no_long_string();
 #no_diff();
 
+env_to_nginx("PATH=" . $ENV{'PATH'});
 $ENV{TEST_NGINX_LUA_PACKAGE_PATH} = "$::CWD/lib/?.lua;;";
 $ENV{TEST_NGINX_HTML_DIR} ||= html_dir();
 
 $ENV{TEST_NGINX_MEMCACHED_PORT} ||= 11211;
 $ENV{TEST_NGINX_RESOLVER} ||= '8.8.8.8';
 $ENV{TEST_NGINX_CERT_DIR} ||= dirname(realpath(abs_path(__FILE__)));
+$ENV{TEST_NGINX_SERVER_SSL_PORT} ||= 4443;
 
 run_tests();
 
@@ -398,3 +401,109 @@ $/s,
 [alert]
 [emerg]
 [error]
+
+
+
+=== TEST 5: yield during doing handshake with client which uses low version OpenSSL
+--- no_check_leak
+--- http_config
+    lua_shared_dict done 16k;
+    lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH/?.lua;;";
+    ssl_session_store_by_lua_block {
+        local ssl = require "ngx.ssl.session"
+
+        local sid = ssl.get_session_id()
+        print("session id: ", sid)
+
+        ngx.shared.done:set("handshake", true)
+    }
+
+    ssl_session_fetch_by_lua_block {
+        local ssl = require "ngx.ssl.session"
+
+        ngx.sleep(0.01) -- yield
+
+        local sid = ssl.get_session_id()
+        print("session id: ", sid)
+        local sess = "==garbage data=="
+        local ok, err = ssl.set_serialized_session(sess)
+        if not ok or err then
+           print("failed to resume session: ", err)
+        end
+
+        -- ngx.shared.done:set("handshake", true)
+    }
+
+    server {
+        listen $TEST_NGINX_SERVER_SSL_PORT ssl;
+        server_name test.com;
+        ssl_session_tickets off;
+        ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt;
+        ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key;
+    }
+--- config
+    lua_ssl_trusted_certificate $TEST_NGINX_CERT_DIR/cert/test.crt;
+
+    location /t {
+        set $sess_file $TEST_NGINX_HTML_DIR/sess;
+        set $addr 127.0.0.1:$TEST_NGINX_SERVER_SSL_PORT;
+        content_by_lua_block {
+            ngx.shared.done:delete("handshake")
+            local addr = ngx.var.addr;
+            local sess = ngx.var.sess_file
+            local f, err
+            if not package.loaded.session then
+                f, err = io.popen("echo 'Q' | timeout 3s openssl s_client -connect " .. addr .. " -sess_out " .. sess)
+                package.loaded.session = true
+            else
+                f, err = io.popen("echo 'Q' | timeout 3s openssl s_client -connect " .. addr .. " -sess_in " .. sess)
+            end
+
+            if not f then
+                ngx.say(err)
+                return
+            end
+
+            local step = 0.001
+            while step < 1 do
+                ngx.sleep(step)
+                step = step * 2
+
+                if ngx.shared.done:get("handshake") then
+                    local out = f:read('*a')
+                    ngx.log(ngx.INFO, out)
+                    ngx.say("ok")
+                    f:close()
+                    return
+                end
+            end
+
+            ngx.log(ngx.ERR, "openssl client handshake timeout")
+        }
+    }
+
+--- request
+GET /t
+--- response_body
+ok
+--- error_log eval
+qr/content_by_lua\(nginx\.conf:\d+\):\d+: CONNECTED/
+--- grep_error_log eval
+qr/failed to resume session: failed to de-serialize session|ssl_session_(fetch|store)_by_lua_block:\d+: session id: [a-fA-F\d]+/s
+--- grep_error_log_out eval
+[
+qr/^ssl_session_store_by_lua_block:\d+: session id: [a-fA-F\d]+$/s,
+qr/^ssl_session_fetch_by_lua_block:\d+: session id: [a-fA-F\d]+
+failed to resume session: failed to de-serialize session
+ssl_session_store_by_lua_block:\d+: session id: [a-fA-F\d]+
+$/s,
+qr/ssl_session_fetch_by_lua_block:\d+: session id: [a-fA-F\d]+
+failed to resume session: failed to de-serialize session
+ssl_session_store_by_lua_block:\d+: session id: [a-fA-F\d]+
+$/s,
+]
+
+--- no_error_log
+[alert]
+[emerg]
+[error]

t/ssl.t

@@ -16,8 +16,10 @@ our $CWD = cwd();
 no_long_string();
 #no_diff();
 
+env_to_nginx("PATH=" . $ENV{'PATH'});
 $ENV{TEST_NGINX_LUA_PACKAGE_PATH} = "$::CWD/lib/?.lua;;";
 $ENV{TEST_NGINX_HTML_DIR} ||= html_dir();
+$ENV{TEST_NGINX_SERVER_SSL_PORT} ||= 4443;
 
 run_tests();
 
@@ -2168,3 +2170,98 @@ client ip: 127.0.0.1
 [error]
 [alert]
 [emerg]
+
+
+
+=== TEST 21: yield during doing handshake with client which uses low version OpenSSL
+--- no_check_leak
+--- http_config
+    lua_shared_dict done 16k;
+    lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH/?.lua;;";
+    server {
+        listen $TEST_NGINX_SERVER_SSL_PORT ssl;
+        server_name test.com;
+        ssl_session_tickets off;
+        ssl_certificate ../../cert/test2.crt;
+        ssl_certificate_key ../../cert/test2.key;
+
+        ssl_certificate_by_lua_block {
+            local ssl = require "ngx.ssl"
+
+            ssl.clear_certs()
+
+            local f = assert(io.open("t/cert/test.crt.der"))
+            local cert_data = f:read("*a")
+            f:close()
+
+            ngx.sleep(0.01) -- yield
+
+            local ok, err = ssl.set_der_cert(cert_data)
+            if not ok then
+                ngx.log(ngx.ERR, "failed to set DER cert: ", err)
+                return
+            end
+
+            local f = assert(io.open("t/cert/test.key.der"))
+            local pkey_data = f:read("*a")
+            f:close()
+
+            local ok, err = ssl.set_der_priv_key(pkey_data)
+            if not ok then
+                ngx.log(ngx.ERR, "failed to set DER cert: ", err)
+                return
+            end
+
+            ngx.shared.done:set("handshake", true)
+        }
+
+        location /foo {
+            content_by_lua_block {
+                ngx.exit(201)
+            }
+        }
+    }
+--- config
+    lua_ssl_trusted_certificate ../../cert/test.crt;
+
+    location /t {
+        content_by_lua_block {
+            ngx.shared.done:delete("handshake")
+            local addr = ngx.var.addr;
+            local f, err = io.popen("echo 'Q' | timeout 3s openssl s_client -connect 127.0.0.1:$TEST_NGINX_SERVER_SSL_PORT")
+            if not f then
+                ngx.say(err)
+                return
+            end
+
+            local step = 0.001
+            while step < 1 do
+                ngx.sleep(step)
+                step = step * 2
+
+                if ngx.shared.done:get("handshake") then
+                    local out = f:read('*a')
+                    ngx.log(ngx.INFO, out)
+                    ngx.say("ok")
+                    f:close()
+                    return
+                end
+            end
+
+            ngx.log(ngx.ERR, "openssl client handshake timeout")
+        }
+    }
+
+--- request
+GET /t
+--- response_body
+ok
+--- error_log eval
+[
+qr/content_by_lua\(nginx\.conf:\d+\):\d+: CONNECTED/,
+'subject=/C=US/ST=California/L=San Francisco/O=OpenResty/OU=OpenResty/CN=test.com/[email protected]',
+]
+
+--- no_error_log
+[error]
+[alert]