From dcfe98a39a709d3066492878ed28e96e36127b49 Mon Sep 17 00:00:00 2001
From: zhengkunwang223 <1paneldev@sina.com>
Date: Tue, 6 May 2025 18:55:19 +0800
Subject: [PATCH] feat: add openssl-3.4.1-sess_set_get_cb_yield.patch
---
.../1.27.1.2-0-1-focal/build/Dockerfile-bak | 209 ------------------
.../openssl-3.4.1-sess_set_get_cb_yield.patch | 209 ++++++++++++++++++
2 files changed, 209 insertions(+), 209 deletions(-)
delete mode 100644 openresty/1.27.1.2-0-1-focal/build/Dockerfile-bak
create mode 100644 openresty/1.27.1.2-0-1-focal/build/tmp/openssl-3.4.1-sess_set_get_cb_yield.patch
diff --git a/openresty/1.27.1.2-0-1-focal/build/Dockerfile-bak b/openresty/1.27.1.2-0-1-focal/build/Dockerfile-bak
deleted file mode 100644
index bf66cbbe1..000000000
--- a/openresty/1.27.1.2-0-1-focal/build/Dockerfile-bak
+++ /dev/null
@@ -1,209 +0,0 @@ -ARG RESTY_IMAGE_BASE="ubuntu" -ARG RESTY_IMAGE_TAG="jammy" - -ARG PANEL_OPENRESTY_VERSION -FROM 1panel/openresty:${PANEL_OPENRESTY_VERSION} as panel-openresty - -FROM ${RESTY_IMAGE_BASE}:${RESTY_IMAGE_TAG} - -LABEL maintainer="Evan Wies " - -ARG RESTY_IMAGE_BASE="ubuntu" -ARG RESTY_IMAGE_TAG="jammy" -ARG RESTY_VERSION="1.27.1.1" -ARG RESTY_LUAROCKS_VERSION="3.11.0" -ARG RESTY_OPENSSL_VERSION="1.1.1w" -ARG RESTY_OPENSSL_PATCH_VERSION="1.1.1f" -ARG RESTY_OPENSSL_URL_BASE="https://www.openssl.org/source/old/1.1.1" -ARG RESTY_PCRE_VERSION="8.45" -ARG RESTY_PCRE_BUILD_OPTIONS="--enable-jit" -ARG RESTY_PCRE_SHA256="4e6ce03e0336e8b4a3d6c2b70b1c5e18590a5673a98186da90d4f33c23defc09" -ARG RESTY_J="1" -ARG RESTY_CONFIG_OPTIONS="\ - --with-compat \ - --with-file-aio \ - --with-http_addition_module \ - --with-http_auth_request_module \ - --with-http_dav_module \ - --with-http_flv_module \ - --with-http_geoip_module=dynamic \ - --with-http_gunzip_module \ - --with-http_gzip_static_module \ - --with-http_image_filter_module=dynamic \ - --with-http_mp4_module \ - --with-http_random_index_module \ - --with-http_realip_module \ - --with-http_secure_link_module \ - --with-http_slice_module \ - --with-http_ssl_module \ - --with-http_stub_status_module \ - --with-http_sub_module \ - --with-http_v2_module \ - --with-http_v3_module \ - --with-http_xslt_module=dynamic \ - --with-ipv6 \ - --with-mail \ - --with-mail_ssl_module \ - --with-md5-asm \ - --with-sha1-asm \ - --with-stream \ - --with-stream_ssl_module \ - --with-threads \ - " -ARG RESTY_CONFIG_OPTIONS_MORE -ARG RESTY_LUAJIT_OPTIONS="--with-luajit-xcflags='-DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT'" -ARG RESTY_PCRE_OPTIONS="--with-pcre-jit" - -ARG RESTY_ADD_PACKAGE_BUILDDEPS -ARG RESTY_ADD_PACKAGE_RUNDEPS="" -ARG RESTY_EVAL_PRE_CONFIGURE="" -ARG RESTY_EVAL_POST_DOWNLOAD_PRE_CONFIGURE="" -ARG RESTY_EVAL_POST_MAKE="" - -ARG CONTAINER_PACKAGE_URL - - -# These are not intended to be user-specified -ARG 
_RESTY_CONFIG_DEPS="--with-pcre \ - --with-cc-opt='-DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl/include' \ - --with-ld-opt='-L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl/lib -Wl,-rpath,/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl/lib' \ - " - -LABEL resty_image_base="${RESTY_IMAGE_BASE}" -LABEL resty_image_tag="${RESTY_IMAGE_TAG}" -LABEL resty_version="${RESTY_VERSION}" -LABEL resty_luarocks_version="${RESTY_LUAROCKS_VERSION}" -LABEL resty_openssl_version="${RESTY_OPENSSL_VERSION}" -LABEL resty_openssl_patch_version="${RESTY_OPENSSL_PATCH_VERSION}" -LABEL resty_openssl_url_base="${RESTY_OPENSSL_URL_BASE}" -LABEL resty_pcre_version="${RESTY_PCRE_VERSION}" -LABEL resty_pcre_build_options="${RESTY_PCRE_BUILD_OPTIONS}" -LABEL resty_pcre_sha256="${RESTY_PCRE_SHA256}" -LABEL resty_config_options="${RESTY_CONFIG_OPTIONS}" -LABEL resty_config_options_more="${RESTY_CONFIG_OPTIONS_MORE}" -LABEL resty_config_deps="${_RESTY_CONFIG_DEPS}" -LABEL resty_add_package_builddeps="${RESTY_ADD_PACKAGE_BUILDDEPS}" -LABEL resty_add_package_rundeps="${RESTY_ADD_PACKAGE_RUNDEPS}" -LABEL resty_eval_pre_configure="${RESTY_EVAL_PRE_CONFIGURE}" -LABEL resty_eval_post_download_pre_configure="${RESTY_EVAL_POST_DOWNLOAD_PRE_CONFIGURE}" -LABEL resty_eval_post_make="${RESTY_EVAL_POST_MAKE}" -LABEL resty_luajit_options="${RESTY_LUAJIT_OPTIONS}" -LABEL resty_pcre_options="${RESTY_PCRE_OPTIONS}" - -COPY tmp /tmp - -RUN sed -i "s|http://archive.ubuntu.com/ubuntu/|${CONTAINER_PACKAGE_URL}|g" /etc/apt/sources.list \ - && sed -i "s|http://security.ubuntu.com/ubuntu/|${CONTAINER_PACKAGE_URL}|g" /etc/apt/sources.list - -RUN DEBIAN_FRONTEND=noninteractive apt-get update \ - && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ - build-essential \ - ca-certificates \ - curl \ - gettext-base \ - libgd-dev \ - libgeoip-dev \ - libncurses5-dev \ - libperl-dev \ - libreadline-dev \ - libxslt1-dev \ - make \ - 
perl \ - unzip \ - wget \ - zlib1g-dev \ - ${RESTY_ADD_PACKAGE_BUILDDEPS} \ - ${RESTY_ADD_PACKAGE_RUNDEPS} \ - && cd /tmp \ - && bash /tmp/pre.sh \ - && if [ -n "${RESTY_EVAL_PRE_CONFIGURE}" ]; then eval $(echo ${RESTY_EVAL_PRE_CONFIGURE}); fi \ - # && curl -fSL "${RESTY_OPENSSL_URL_BASE}/openssl-${RESTY_OPENSSL_VERSION}.tar.gz" -o openssl-${RESTY_OPENSSL_VERSION}.tar.gz \ - && tar xzf openssl-${RESTY_OPENSSL_VERSION}.tar.gz \ - && cd openssl-${RESTY_OPENSSL_VERSION} \ - && if [ $(echo ${RESTY_OPENSSL_VERSION} | cut -c 1-5) = "1.1.1" ] ; then \ - echo 'patching OpenSSL 1.1.1 for OpenResty' \ - && curl -s https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch | patch -p1 ; \ - fi \ - && if [ $(echo ${RESTY_OPENSSL_VERSION} | cut -c 1-5) = "1.1.0" ] ; then \ - echo 'patching OpenSSL 1.1.0 for OpenResty' \ - && curl -s https://raw.githubusercontent.com/openresty/openresty/ed328977028c3ec3033bc25873ee360056e247cd/patches/openssl-1.1.0j-parallel_build_fix.patch | patch -p1 \ - && curl -s https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch | patch -p1 ; \ - fi \ - && ./config \ - no-threads shared zlib -g \ - enable-ssl3 enable-ssl3-method \ - --prefix=/usr/local/openresty/openssl \ - --libdir=lib \ - -Wl,-rpath,/usr/local/openresty/openssl/lib \ - && make -j${RESTY_J} \ - && make -j${RESTY_J} install_sw \ - && cd /tmp \ - # && curl -fSL https://downloads.sourceforge.net/project/pcre/pcre/${RESTY_PCRE_VERSION}/pcre-${RESTY_PCRE_VERSION}.tar.gz -o pcre-${RESTY_PCRE_VERSION}.tar.gz \ - && echo "${RESTY_PCRE_SHA256} pcre-${RESTY_PCRE_VERSION}.tar.gz" | shasum -a 256 --check \ - && tar xzf pcre-${RESTY_PCRE_VERSION}.tar.gz \ - && cd /tmp/pcre-${RESTY_PCRE_VERSION} \ - && ./configure \ - --prefix=/usr/local/openresty/pcre \ - --disable-cpp \ - --enable-utf \ - --enable-unicode-properties \ - 
${RESTY_PCRE_BUILD_OPTIONS} \ - && make -j${RESTY_J} \ - && make -j${RESTY_J} install \ - && cd /tmp \ - # && curl -fSL https://openresty.org/download/openresty-${RESTY_VERSION}.tar.gz -o openresty-${RESTY_VERSION}.tar.gz \ - && tar xzf openresty-${RESTY_VERSION}.tar.gz \ - && cd /tmp/openresty-${RESTY_VERSION} \ - && if [ -n "${RESTY_EVAL_POST_DOWNLOAD_PRE_CONFIGURE}" ]; then eval $(echo ${RESTY_EVAL_POST_DOWNLOAD_PRE_CONFIGURE}); fi \ - && eval ./configure -j${RESTY_J} ${_RESTY_CONFIG_DEPS} ${RESTY_CONFIG_OPTIONS} ${RESTY_CONFIG_OPTIONS_MORE} ${RESTY_LUAJIT_OPTIONS} ${RESTY_PCRE_OPTIONS} \ - && make -j${RESTY_J} \ - && make -j${RESTY_J} install \ - && cd /tmp \ - && rm -rf \ - openssl-${RESTY_OPENSSL_VERSION}.tar.gz openssl-${RESTY_OPENSSL_VERSION} \ - pcre-${RESTY_PCRE_VERSION}.tar.gz pcre-${RESTY_PCRE_VERSION} \ - openresty-${RESTY_VERSION}.tar.gz openresty-${RESTY_VERSION} \ - # && curl -fSL https://luarocks.github.io/luarocks/releases/luarocks-${RESTY_LUAROCKS_VERSION}.tar.gz -o luarocks-${RESTY_LUAROCKS_VERSION}.tar.gz \ - && tar xzf luarocks-${RESTY_LUAROCKS_VERSION}.tar.gz \ - && cd luarocks-${RESTY_LUAROCKS_VERSION} \ - && ./configure \ - --prefix=/usr/local/openresty/luajit \ - --with-lua=/usr/local/openresty/luajit \ - --with-lua-include=/usr/local/openresty/luajit/include/luajit-2.1 \ - && make build \ - && make install \ - && cd /tmp \ - && if [ -n "${RESTY_EVAL_POST_MAKE}" ]; then eval $(echo ${RESTY_EVAL_POST_MAKE}); fi \ - && rm -rf luarocks-${RESTY_LUAROCKS_VERSION} luarocks-${RESTY_LUAROCKS_VERSION}.tar.gz \ - && if [ -n "${RESTY_ADD_PACKAGE_BUILDDEPS}" ]; then DEBIAN_FRONTEND=noninteractive apt-get remove -y --purge ${RESTY_ADD_PACKAGE_BUILDDEPS} ; fi \ - && DEBIAN_FRONTEND=noninteractive apt-get autoremove -y \ - && mkdir -p /var/run/openresty \ - && ln -sf /dev/stdout /usr/local/openresty/nginx/logs/access.log \ - && ln -sf /dev/stderr /usr/local/openresty/nginx/logs/error.log \ - && mkdir -p /usr/local/openresty/1pwaf - - -COPY 
--from=panel-openresty /usr/local/openresty/1pwaf /usr/local/openresty - -# Add additional binaries into PATH for convenience -ENV PATH=$PATH:/usr/local/openresty/luajit/bin:/usr/local/openresty/nginx/sbin:/usr/local/openresty/bin - -# Add LuaRocks paths -# If OpenResty changes, these may need updating: -# /usr/local/openresty/bin/resty -e 'print(package.path)' -# /usr/local/openresty/bin/resty -e 'print(package.cpath)' -ENV LUA_PATH="/usr/local/openresty/site/lualib/?.ljbc;/usr/local/openresty/site/lualib/?/init.ljbc;/usr/local/openresty/lualib/?.ljbc;/usr/local/openresty/lualib/?/init.ljbc;/usr/local/openresty/site/lualib/?.lua;/usr/local/openresty/site/lualib/?/init.lua;/usr/local/openresty/lualib/?.lua;/usr/local/openresty/lualib/?/init.lua;./?.lua;/usr/local/openresty/luajit/share/luajit-2.1/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/share/lua/5.1/?/init.lua;/usr/local/openresty/luajit/share/lua/5.1/?.lua;/usr/local/openresty/luajit/share/lua/5.1/?/init.lua" - -ENV LUA_CPATH="/usr/local/openresty/site/lualib/?.so;/usr/local/openresty/lualib/?.so;./?.so;/usr/local/lib/lua/5.1/?.so;/usr/local/openresty/luajit/lib/lua/5.1/?.so;/usr/local/lib/lua/5.1/loadall.so;/usr/local/openresty/luajit/lib/lua/5.1/?.so" - -RUN bash /tmp/default.sh - -# Copy nginx configuration files -COPY nginx.conf /usr/local/openresty/nginx/conf/nginx.conf -COPY nginx.vh.default.conf /etc/nginx/conf.d/default.conf - -CMD ["/usr/local/openresty/bin/openresty", "-g", "daemon off;"] - -# Use SIGQUIT instead of default SIGTERM to cleanly drain requests -# See https://github.com/openresty/docker-openresty/blob/master/README.md#tips--pitfalls -STOPSIGNAL SIGQUIT \ No newline at end of file diff --git a/openresty/1.27.1.2-0-1-focal/build/tmp/openssl-3.4.1-sess_set_get_cb_yield.patch b/openresty/1.27.1.2-0-1-focal/build/tmp/openssl-3.4.1-sess_set_get_cb_yield.patch new file mode 100644 index 000000000..2c64ace30 --- /dev/null 
+++ b/openresty/1.27.1.2-0-1-focal/build/tmp/openssl-3.4.1-sess_set_get_cb_yield.patch 
@@ -0,0 +1,209 @@
+diff --git a/include/openssl/bio.h.in b/include/openssl/bio.h.in
+index 440d838..8ff2c5d 100644
+--- a/include/openssl/bio.h.in
++++ b/include/openssl/bio.h.in
+@@ -285,6 +285,8 @@ void BIO_clear_flags(BIO *b, int flags);
+ /* Returned from the accept BIO when an accept would have blocked */
+ # define BIO_RR_ACCEPT 0x03
+
++# define BIO_RR_SSL_SESSION_LOOKUP 0x09
++
+ /* These are passed by the BIO callback */
+ # define BIO_CB_FREE 0x01
+ # define BIO_CB_READ 0x02
+diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
+index 4bab2ac..b70b4fd 100644
+--- a/include/openssl/ssl.h.in
++++ b/include/openssl/ssl.h.in
+@@ -909,6 +909,7 @@ __owur int SSL_extension_supported(unsigned int ext_type);
+ # define SSL_ASYNC_NO_JOBS 6
+ # define SSL_CLIENT_HELLO_CB 7
+ # define SSL_RETRY_VERIFY 8
++# define SSL_SESS_LOOKUP 99
+
+ /* These will only be used when doing non-blocking IO */
+ # define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING)
+@@ -919,6 +920,7 @@ __owur int SSL_extension_supported(unsigned int ext_type);
+ # define SSL_want_async(s) (SSL_want(s) == SSL_ASYNC_PAUSED)
+ # define SSL_want_async_job(s) (SSL_want(s) == SSL_ASYNC_NO_JOBS)
+ # define SSL_want_client_hello_cb(s) (SSL_want(s) == SSL_CLIENT_HELLO_CB)
++# define SSL_want_sess_lookup(s) (SSL_want(s) == SSL_SESS_LOOKUP)
+
+ # define SSL_MAC_FLAG_READ_MAC_STREAM 1
+ # define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
+@@ -1215,6 +1217,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
+ # define SSL_ERROR_WANT_ASYNC_JOB 10
+ # define SSL_ERROR_WANT_CLIENT_HELLO_CB 11
+ # define SSL_ERROR_WANT_RETRY_VERIFY 12
++# define SSL_ERROR_WANT_SESSION_LOOKUP 99
++# define SSL_ERROR_PENDING_SESSION 99 /* BoringSSL compatibility */
+
+ # ifndef OPENSSL_NO_DEPRECATED_3_0
+ # define SSL_CTRL_SET_TMP_DH 3
+@@ -1740,6 +1744,7 @@ int SSL_SESSION_print(BIO *fp, const SSL_SESSION *ses);
+ int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x);
+ int SSL_SESSION_up_ref(SSL_SESSION *ses);
+ void SSL_SESSION_free(SSL_SESSION *ses);
++SSL_SESSION *SSL_magic_pending_session_ptr(void);
+ __owur int i2d_SSL_SESSION(const SSL_SESSION *in, unsigned char **pp);
+ __owur int SSL_set_session(SSL *to, SSL_SESSION *session);
+ int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *session);
+diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c
+index ac65a39..3a4ffba 100644
+--- a/ssl/bio_ssl.c
++++ b/ssl/bio_ssl.c
+@@ -140,6 +140,10 @@ static int ssl_read(BIO *b, char *buf, size_t size, size_t *readbytes)
+ BIO_set_retry_special(b);
+ retry_reason = BIO_RR_SSL_X509_LOOKUP;
+ break;
++ case SSL_ERROR_WANT_SESSION_LOOKUP:
++ BIO_set_retry_special(b);
++ retry_reason = BIO_RR_SSL_SESSION_LOOKUP;
++ break;
+ case SSL_ERROR_WANT_ACCEPT:
+ BIO_set_retry_special(b);
+ retry_reason = BIO_RR_ACCEPT;
+@@ -208,6 +212,10 @@ static int ssl_write(BIO *b, const char *buf, size_t size, size_t *written)
+ BIO_set_retry_special(b);
+ retry_reason = BIO_RR_SSL_X509_LOOKUP;
+ break;
++ case SSL_ERROR_WANT_SESSION_LOOKUP:
++ BIO_set_retry_special(b);
++ retry_reason = BIO_RR_SSL_SESSION_LOOKUP;
++ break;
+ case SSL_ERROR_WANT_CONNECT:
+ BIO_set_retry_special(b);
+ retry_reason = BIO_RR_CONNECT;
+@@ -368,6 +376,10 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
+ BIO_set_retry_special(b);
+ BIO_set_retry_reason(b, BIO_RR_SSL_X509_LOOKUP);
+ break;
++ case SSL_ERROR_WANT_SESSION_LOOKUP:
++ BIO_set_retry_special(b);
++ BIO_set_retry_reason(b, BIO_RR_SSL_SESSION_LOOKUP);
++ break;
+ default:
+ break;
+ }
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 295b719..fa25f77 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -4713,6 +4713,8 @@ int ossl_ssl_get_error(const SSL *s, int i, int check_err)
+ return SSL_ERROR_WANT_ASYNC_JOB;
+ if (SSL_want_client_hello_cb(s))
+ return SSL_ERROR_WANT_CLIENT_HELLO_CB;
++ if (SSL_want_sess_lookup(s))
++ return SSL_ERROR_WANT_SESSION_LOOKUP;
+
+ if ((sc->shutdown & SSL_RECEIVED_SHUTDOWN) &&
+ (sc->s3.warn_alert == SSL_AD_CLOSE_NOTIFY))
+diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
+index 69149de..9c1d48f 100644
+--- a/ssl/ssl_sess.c
++++ b/ssl/ssl_sess.c
+@@ -20,6 +20,8 @@
+ #include "ssl_local.h"
+ #include "statem/statem_local.h"
+
++static const char g_pending_session_magic = 0;
++
+ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
+ static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s);
+ static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
+@@ -525,6 +527,10 @@ SSL_SESSION *lookup_sess_in_cache(SSL_CONNECTION *s,
+ ret = s->session_ctx->get_session_cb(SSL_CONNECTION_GET_USER_SSL(s),
+ sess_id, sess_id_len, ©);
+
++ if (ret == SSL_magic_pending_session_ptr()) {
++ return ret; /* Retry later */
++ }
++
+ if (ret != NULL) {
+ if (ret->not_resumable) {
+ /* If its not resumable then ignore this session */
+@@ -619,6 +625,9 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello)
+ try_session_cache = 1;
+ ret = lookup_sess_in_cache(s, hello->session_id,
+ hello->session_id_len);
++ if (ret == SSL_magic_pending_session_ptr()) {
++ return -2; /* Retry later */
++ }
+ }
+ break;
+ case SSL_TICKET_NO_DECRYPT:
+@@ -1094,6 +1103,11 @@ EVP_PKEY *SSL_SESSION_get0_peer_rpk(SSL_SESSION *s)
+ return s->peer_rpk;
+ }
+
++SSL_SESSION *SSL_magic_pending_session_ptr(void)
++{
++ return (SSL_SESSION *) &g_pending_session_magic;
++}
++
+ int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
+ unsigned int sid_ctx_len)
+ {
+diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
+index 9f586b5..e42c1e3 100644
+--- a/ssl/statem/statem_srvr.c
++++ b/ssl/statem/statem_srvr.c
+@@ -1695,6 +1695,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s)
+ SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
+ SSL *ssl = SSL_CONNECTION_GET_SSL(s);
+ SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
++ PACKET saved_ciphers;
+
+ /* Finished parsing the ClientHello, now we can start processing it */
+ /* Give the ClientHello callback a crack at things */
+@@ -1775,6 +1776,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s)
+ }
+
+ s->hit = 0;
++ saved_ciphers = clienthello->ciphersuites;
+
+ if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites,
+ clienthello->isv2) ||
+@@ -1874,6 +1876,10 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s)
+ } else if (i == -1) {
+ /* SSLfatal() already called */
+ goto err;
++ } else if (i == -2) {
++ clienthello->ciphersuites = saved_ciphers;
++ s->rwstate = SSL_SESS_LOOKUP;
++ goto retry;
+ } else {
+ /* i == 0 */
+ if (!ssl_get_new_session(s, 1)) {
+@@ -1881,6 +1887,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s)
+ goto err;
+ }
+ }
++ s->rwstate = SSL_NOTHING;
+ }
+
+ if (SSL_CONNECTION_IS_TLS13(s)) {
+@@ -2134,6 +2141,11 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s)
+ s->clienthello = NULL;
+
+ return 0;
++
++retry:
++ sk_SSL_CIPHER_free(ciphers);
++ sk_SSL_CIPHER_free(scsvs);
++ return -1;
+ }
+
+ /*
+diff --git a/util/libssl.num b/util/libssl.num
+index f1daba1..9b36444 100644
+--- a/util/libssl.num
++++ b/util/libssl.num
+@@ -7,6 +7,7 @@ SSL_copy_session_id 6 3_0_0 EXIST::FUNCTION:
+ SSL_CTX_set_srp_password 7 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
+ SSL_shutdown 8 3_0_0 EXIST::FUNCTION:
+ SSL_CTX_set_msg_callback 9 3_0_0 EXIST::FUNCTION:
++SSL_magic_pending_session_ptr 10 3_0_0 EXIST::FUNCTION:
+ SSL_SESSION_get0_ticket 11 3_0_0 EXIST::FUNCTION:
+ SSL_get1_supported_ciphers 12 3_0_0 EXIST::FUNCTION:
+ SSL_state_string_long 13 3_0_0 EXIST::FUNCTION:
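Review bot: `lookup_sess_in_cache()` can now return the `SSL_magic_pending_session_ptr()` sentinel, which is the address of a one-byte static `char` cast to `SSL_SESSION *`, yet within this patch only `ssl_get_prev_session()` (the ssl_sess.c hunk at -619) compares against it. If the OpenSSL 3.4.1 tree has any other caller of `lookup_sess_in_cache()`, that caller would take the sentinel for a live session and dereference or free it, so this should be confirmed against the target source and the contract stated at the definition, e.g. `/* May return SSL_magic_pending_session_ptr(); compare before dereferencing or freeing. */`. Separately, the context line `sess_id, sess_id_len, ©);` in the -525 hunk looks like a mangled `&copy`; if the committed file really contains that character, the hunk's context will not match when the patch is applied, so the build step that applies it should fail hard on a rejected hunk. Both functions begin and end outside the hunks shown, so other uses of `ret` inside them are not visible here.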