macro to conditional build proxy ssl verify

willmafh · willmafh · commit 8e345ddc02a5 · 2025-08-14T14:55:12.000+08:00
diff --git a/src/ngx_stream_lua_common.h b/src/ngx_stream_lua_common.h
@@ -135,7 +135,10 @@
 #define NGX_STREAM_LUA_CONTEXT_PREREAD                              0x0020
 #define NGX_STREAM_LUA_CONTEXT_SSL_CERT                             0x0040
 #define NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO                     0x0080
+
+#ifdef HAVE_PROXY_SSL_PATCH
 #define NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY                     0x0100
+#endif
 
 
 #define NGX_STREAM_LUA_FFI_NO_REQ_CTX         -100
@@ -272,13 +275,16 @@ struct ngx_stream_lua_srv_conf_s {
         u_char                                      *ssl_client_hello_src_key;
     } srv;
 
+#ifdef HAVE_PROXY_SSL_PATCH
     struct {
         ngx_stream_lua_srv_conf_handler_pt           proxy_ssl_verify_handler;
         ngx_str_t                                    proxy_ssl_verify_src;
         u_char                                      *proxy_ssl_verify_src_key;
 
         ngx_flag_t  upstream_skip_openssl_default_verify;
     } ups;
+#endif
+
 #endif
 
     ngx_flag_t              enable_code_cache; /* whether to enable
diff --git a/src/ngx_stream_lua_control.c b/src/ngx_stream_lua_control.c
@@ -116,16 +116,20 @@ ngx_stream_lua_ffi_exit(ngx_stream_lua_request_t *r, int status, u_char *err,
         | NGX_STREAM_LUA_CONTEXT_BALANCER
         | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
         | NGX_STREAM_LUA_CONTEXT_SSL_CERT
-        | NGX_STREAM_LUA_CONTEXT_PREREAD
-        | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY,
+#ifdef HAVE_PROXY_SSL_PATCH
+        | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
+#endif
+        | NGX_STREAM_LUA_CONTEXT_PREREAD,
         err, errlen) != NGX_OK)
     {
         return NGX_ERROR;
     }
 
     if (ctx->context & (NGX_STREAM_LUA_CONTEXT_SSL_CERT
-                        | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
-                        | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY ))
+#ifdef HAVE_PROXY_SSL_PATCH
+                        | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
+#endif
+                        | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO ))
     {
 
 #if (NGX_STREAM_SSL)
diff --git a/src/ngx_stream_lua_coroutine.c b/src/ngx_stream_lua_coroutine.c
@@ -205,7 +205,9 @@ ngx_stream_lua_coroutine_resume(lua_State *L)
                                  | NGX_STREAM_LUA_CONTEXT_TIMER
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CERT
+#ifdef HAVE_PROXY_SSL_PATCH
                                  | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
+#endif
                                  | NGX_STREAM_LUA_CONTEXT_PREREAD
                                  );
 
@@ -267,7 +269,9 @@ ngx_stream_lua_coroutine_yield(lua_State *L)
                                  | NGX_STREAM_LUA_CONTEXT_TIMER
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CERT
+#ifdef HAVE_PROXY_SSL_PATCH
                                  | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
+#endif
                                  | NGX_STREAM_LUA_CONTEXT_PREREAD
                                  );
 
@@ -428,7 +432,9 @@ ngx_stream_lua_coroutine_status(lua_State *L)
                                  | NGX_STREAM_LUA_CONTEXT_TIMER
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CERT
+#ifdef HAVE_PROXY_SSL_PATCH
                                  | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
+#endif
                                  | NGX_STREAM_LUA_CONTEXT_PREREAD
                                  );
 
diff --git a/src/ngx_stream_lua_ctx.c b/src/ngx_stream_lua_ctx.c
@@ -97,8 +97,10 @@ ngx_stream_lua_ffi_get_ctx_ref(ngx_stream_lua_request_t *r, int *in_ssl_phase,
     }
 
     *in_ssl_phase = ctx->context & (NGX_STREAM_LUA_CONTEXT_SSL_CERT
-                                    | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
-                                    | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY);
+#ifdef HAVE_PROXY_SSL_PATCH
+                                    | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
+#endif
+                                    | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO);
     *ssl_ctx_ref = LUA_NOREF;
 
 #if (NGX_STREAM_SSL)
@@ -132,8 +134,10 @@ ngx_stream_lua_ffi_set_ctx_ref(ngx_stream_lua_request_t *r, int ref)
 
 #if (NGX_STREAM_SSL)
     if (ctx->context & (NGX_STREAM_LUA_CONTEXT_SSL_CERT
-                        | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
-                        | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY))
+#ifdef HAVE_PROXY_SSL_PATCH
+                        | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
+#endif
+                        | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO))
     {
         ssl_ctx = ngx_stream_lua_ssl_get_ctx(r->connection->ssl->connection);
         if (ssl_ctx == NULL) {
diff --git a/src/ngx_stream_lua_module.c b/src/ngx_stream_lua_module.c
@@ -30,7 +30,10 @@
 #include "ngx_stream_lua_semaphore.h"
 #include "ngx_stream_lua_ssl_client_helloby.h"
 #include "ngx_stream_lua_ssl_certby.h"
+
+#ifdef HAVE_PROXY_SSL_PATCH
 #include "ngx_stream_lua_proxy_ssl_verifyby.h"
+#endif
 
 
 #include "ngx_stream_lua_prereadby.h"
@@ -423,6 +426,7 @@ static ngx_command_t ngx_stream_lua_cmds[] = {
       0,
       (void *) ngx_stream_lua_ssl_cert_handler_file },
 
+#ifdef HAVE_PROXY_SSL_PATCH
     /* same context as proxy_pass directive */
     { ngx_string("proxy_ssl_verify_by_lua_block"),
       NGX_STREAM_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
@@ -445,6 +449,7 @@ static ngx_command_t ngx_stream_lua_cmds[] = {
       offsetof(ngx_stream_lua_srv_conf_t,
                ups.upstream_skip_openssl_default_verify),
       NULL },
+#endif
 
     { ngx_string("lua_ssl_verify_depth"),
       NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
@@ -895,7 +900,9 @@ ngx_stream_lua_create_srv_conf(ngx_conf_t *cf)
     conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
     conf->ssl_certificates = NGX_CONF_UNSET_PTR;
     conf->ssl_certificate_keys = NGX_CONF_UNSET_PTR;
+#ifdef HAVE_PROXY_SSL_PATCH
     conf->ups.upstream_skip_openssl_default_verify = NGX_CONF_UNSET;
+#endif
 #endif
 
     return conf;
@@ -1030,6 +1037,7 @@ ngx_stream_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
                              NULL);
 #endif
 
+#ifdef HAVE_PROXY_SSL_PATCH
     if (conf->ups.proxy_ssl_verify_src.len == 0) {
         conf->ups.proxy_ssl_verify_src = prev->ups.proxy_ssl_verify_src;
         conf->ups.proxy_ssl_verify_handler = prev->ups.proxy_ssl_verify_handler;
@@ -1044,6 +1052,7 @@ ngx_stream_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
 
     ngx_conf_merge_value(conf->ups.upstream_skip_openssl_default_verify,
                          prev->ups.upstream_skip_openssl_default_verify, 0);
+#endif
 
     if (ngx_stream_lua_set_ssl(cf, conf) != NGX_OK) {
         return NGX_CONF_ERROR;
diff --git a/src/ngx_stream_lua_phase.c b/src/ngx_stream_lua_phase.c
@@ -66,9 +66,11 @@ ngx_stream_lua_ngx_get_phase(lua_State *L)
         lua_pushliteral(L, "content");
         break;
 
+#ifdef HAVE_PROXY_SSL_PATCH
     case NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY:
         lua_pushliteral(L, "proxy_ssl_verify");
         break;
+#endif
 
     case NGX_STREAM_LUA_CONTEXT_LOG:
         lua_pushliteral(L, "log");
diff --git a/src/ngx_stream_lua_proxy_ssl_verifyby.c b/src/ngx_stream_lua_proxy_ssl_verifyby.c
@@ -9,6 +9,7 @@
 
 
 #if (NGX_STREAM_SSL)
+#ifdef HAVE_PROXY_SSL_PATCH
 
 #include "ngx_stream_lua_cache.h"
 #include "ngx_stream_lua_initworkerby.h"
@@ -770,4 +771,5 @@ ngx_stream_lua_ffi_ssl_get_verify_cert(ngx_stream_lua_request_t *r, char **err)
 #endif
 }
 
+#endif /* HAVE_PROXY_SSL_PATCH */
 #endif /* NGX_STREAM_SSL */
diff --git a/src/ngx_stream_lua_proxy_ssl_verifyby.h b/src/ngx_stream_lua_proxy_ssl_verifyby.h
@@ -10,6 +10,7 @@
 
 
 #if (NGX_STREAM_SSL)
+#ifdef HAVE_PROXY_SSL_PATCH
 
 /* do not introduce ngx_stream_proxy_module to pollute ngx_stream_lua_module.c */
 extern ngx_module_t  ngx_stream_proxy_module;
@@ -31,6 +32,7 @@ int ngx_stream_lua_proxy_ssl_verify_handler(X509_STORE_CTX *x509_store,
 
 ngx_int_t ngx_stream_lua_proxy_ssl_verify_set_callback(ngx_conf_t *cf);
 
+#endif  /* HAVE_PROXY_SSL_PATCH */
 #endif  /* NGX_STREAM_SSL */
 #endif /* _NGX_STREAM_LUA_PROXY_SSL_VERIFYBY_H_INCLUDED_ */
 
diff --git a/src/ngx_stream_lua_ssl.h b/src/ngx_stream_lua_ssl.h
@@ -32,7 +32,9 @@ typedef struct {
 
     ngx_str_t                session_id;
 
+#ifdef HAVE_PROXY_SSL_PATCH
     X509_STORE_CTX          *x509_store;
+#endif
 
     int                      exit_code;  /* exit code for openssl's
                                             set_client_hello_cb or
@@ -49,7 +51,9 @@ typedef struct {
     unsigned                 entered_client_hello_handler:1;
     unsigned                 entered_cert_handler:1;
     unsigned                 entered_sess_fetch_handler:1;
+#ifdef HAVE_PROXY_SSL_PATCH
     unsigned                 entered_proxy_ssl_verify_handler:1;
+#endif
 } ngx_stream_lua_ssl_ctx_t;
 
 
diff --git a/src/ngx_stream_lua_uthread.c b/src/ngx_stream_lua_uthread.c
@@ -235,7 +235,9 @@ ngx_stream_lua_uthread_kill(lua_State *L)
                                | NGX_STREAM_LUA_CONTEXT_PREREAD
                                | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
                                | NGX_STREAM_LUA_CONTEXT_SSL_CERT
+#ifdef HAVE_PROXY_SSL_PATCH
                                | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
+#endif
                                | NGX_STREAM_LUA_CONTEXT_TIMER);
 
     coctx = ctx->cur_co_ctx;
diff --git a/src/ngx_stream_lua_util.h b/src/ngx_stream_lua_util.h
@@ -72,6 +72,7 @@ extern char ngx_stream_lua_headers_metatable_key;
     (str)->len = sizeof(text) - 1; (str)->data = (u_char *) text
 #endif
 
+#ifdef HAVE_PROXY_SSL_PATCH
 
 #define NGX_STREAM_LUA_CONTEXT_YIELDABLE (NGX_STREAM_LUA_CONTEXT_PREREAD     \
                                 | NGX_STREAM_LUA_CONTEXT_CONTENT             \
@@ -95,6 +96,29 @@ extern char ngx_stream_lua_headers_metatable_key;
                                                  "proxy_ssl_verify_by_lua*"  \
      : "(unknown)")
 
+#else
+
+#define NGX_STREAM_LUA_CONTEXT_YIELDABLE (NGX_STREAM_LUA_CONTEXT_PREREAD     \
+                                | NGX_STREAM_LUA_CONTEXT_CONTENT             \
+                                | NGX_STREAM_LUA_CONTEXT_TIMER               \
+                                | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO    \
+                                | NGX_STREAM_LUA_CONTEXT_SSL_CERT)
+
+
+#define ngx_stream_lua_context_name(c)                                       \
+    ((c) == NGX_STREAM_LUA_CONTEXT_CONTENT ? "content_by_lua*"               \
+     : (c) == NGX_STREAM_LUA_CONTEXT_LOG ? "log_by_lua*"                     \
+     : (c) == NGX_STREAM_LUA_CONTEXT_TIMER ? "ngx.timer"                     \
+     : (c) == NGX_STREAM_LUA_CONTEXT_INIT_WORKER ? "init_worker_by_lua*"     \
+     : (c) == NGX_STREAM_LUA_CONTEXT_BALANCER ? "balancer_by_lua*"           \
+     : (c) == NGX_STREAM_LUA_CONTEXT_PREREAD ? "preread_by_lua*"             \
+     : (c) == NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO ?                      \
+                                                 "ssl_client_hello_by_lua*"  \
+     : (c) == NGX_STREAM_LUA_CONTEXT_SSL_CERT ? "ssl_certificate_by_lua*"    \
+     : "(unknown)")
+
+#endif
+
 
 #define ngx_stream_lua_check_context(L, ctx, flags)                          \
     if (!((ctx)->context & (flags))) {                                       \
diff --git a/src/ngx_stream_lua_variable.c b/src/ngx_stream_lua_variable.c
@@ -49,8 +49,10 @@ ngx_stream_lua_ffi_var_get(ngx_stream_lua_request_t *r, u_char *name_data,
     if ((r)->connection->fd == (ngx_socket_t) -1) {
         ctx = ngx_stream_lua_get_module_ctx(r, ngx_stream_lua_module);
         if (ctx->context & (NGX_STREAM_LUA_CONTEXT_SSL_CERT
-                            | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
-                            | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY))
+#ifdef HAVE_PROXY_SSL_PATCH
+                            | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
+#endif
+                            | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO))
         {
             cctx = ngx_stream_lua_ssl_get_ctx(r->connection->ssl->connection);
             session = cctx->connection->data;

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@`
`9`	`9`
`10`	`10`
`11`	`11`	`#if (NGX_STREAM_SSL)`
	`12`	`+#ifdef HAVE_PROXY_SSL_PATCH`
`12`	`13`
`13`	`14`	`#include "ngx_stream_lua_cache.h"`
`14`	`15`	`#include "ngx_stream_lua_initworkerby.h"`
`@@ -770,4 +771,5 @@ ngx_stream_lua_ffi_ssl_get_verify_cert(ngx_stream_lua_request_t r, char *err)`
`770`	`771`	`#endif`
`771`	`772`	`}`
`772`	`773`
	`774`	`+#endif /* HAVE_PROXY_SSL_PATCH */`
`773`	`775`	`#endif /* NGX_STREAM_SSL */`