From f2508abdd3013a9cecd3c9493871569cbbb35f0a Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Thu, 5 Dec 2024 15:44:33 -0700
Subject: [PATCH] update patch to run all CAST when needed

---
nginx-1.25.0-wolfssl.patch | 35 +++++++++++++++++++++++++----------
1 file changed, 25 insertions(+), 10 deletions(-)

diff --git a/nginx-1.25.0-wolfssl.patch b/nginx-1.25.0-wolfssl.patch
index 3033e7a..51599eb 100644
--- a/nginx-1.25.0-wolfssl.patch
+++ b/nginx-1.25.0-wolfssl.patch
@@ -71,10 +71,25 @@ index 552ef83..96f0d8e 100644
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
-index c38aa27..e3c7755 100644
+index c38aa27..ad77a02 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
-@@ -351,6 +351,8 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
+@@ -165,6 +165,14 @@ ngx_ssl_init(ngx_log_t *log)
+
+ #endif
+
++#ifdef WOLFSSL_NGINX
++ /* Run all casts on initialization with these FIPS versions to avoid
++ * threaded competition when running them ad hoc */
++ #if FIPS_VERSION3_GE(5,2,1) && !FIPS_VERSION3_GE(6,0,0)
++ wc_RunAllCast_fips();
++ #endif
++#endif
++
+ #ifndef SSL_OP_NO_COMPRESSION
+ {
+ /*
+@@ -351,6 +359,8 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
}
#endif
@@ -83,7 +98,7 @@ index c38aa27..e3c7755 100644
#ifdef SSL_CTX_set_min_proto_version
SSL_CTX_set_min_proto_version(ssl->ctx, 0);
SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
-@@ -360,6 +362,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
+@@ -360,6 +370,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_min_proto_version(ssl->ctx, 0);
SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
#endif
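Review bot: The status returned by `wc_RunAllCast_fips()` in the lines added to ngx_ssl_init is discarded, so a failed self-test would not stop nginx at startup; as far as I recall the wolfSSL FIPS API reports a nonzero status when any CAST fails and the module then refuses further crypto, which would only surface later as opaque TLS failures in the workers. Checking the status, logging through the `log` parameter and returning NGX_ERROR (both ngx_ssl_error and NGX_ERROR are already in use in this file per the other hunks) keeps the failure at the point of initialization, as in the rewrite below. Separately, `#if FIPS_VERSION3_GE(5,2,1) && !FIPS_VERSION3_GE(6,0,0)` is evaluated whenever WOLFSSL_NGINX is set, and if FIPS_VERSION3_GE is not defined in a non-FIPS wolfSSL configuration the function-like use in `#if` is a preprocessor error, so either confirm the macro is always defined or guard the block with `#if defined(HAVE_FIPS) && FIPS_VERSION3_GE(5,2,1) && !FIPS_VERSION3_GE(6,0,0)`. The comment could also spell the acronym out once, e.g. `/* Run all CASTs (cryptographic algorithm self-tests) once at init ... */`. The enclosing ngx_ssl_init body starts and ends outside the hunk.
```c
#ifdef WOLFSSL_NGINX
    /* … unchanged: comment on running the CASTs at init … */
    #if FIPS_VERSION3_GE(5,2,1) && !FIPS_VERSION3_GE(6,0,0)
    if (wc_RunAllCast_fips() != 0) {
        ngx_ssl_error(NGX_LOG_ALERT, log, 0, "wc_RunAllCast_fips() failed");
        return NGX_ERROR;
    }
    #endif
#endif
```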
@@ -91,7 +106,7 @@ index c38aa27..e3c7755 100644
#ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
-@@ -557,6 +560,12 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
+@@ -557,6 +568,12 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
return NGX_ERROR;
}
@@ -104,7 +119,7 @@ index c38aa27..e3c7755 100644
if (SSL_use_certificate(c->ssl->connection, x509) == 0) {
ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
"SSL_use_certificate(\"%s\") failed", cert->data);
-@@ -568,7 +577,9 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
+@@ -568,7 +585,9 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
X509_free(x509);
#ifdef SSL_set0_chain
@@ -115,7 +130,7 @@ index c38aa27..e3c7755 100644
/*
* SSL_set0_chain() is only available in OpenSSL 1.0.2+,
* but this function is only called via certificate callback,
-@@ -581,7 +592,19 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
+@@ -581,7 +600,19 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
sk_X509_pop_free(chain, X509_free);
return NGX_ERROR;
}
@@ -136,7 +151,7 @@ index c38aa27..e3c7755 100644
#endif
pkey = ngx_ssl_load_certificate_key(pool, &err, key, passwords);
-@@ -3358,6 +3381,27 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
+@@ -3358,6 +3389,27 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
int n;
ngx_uint_t level;
@@ -164,7 +179,7 @@ index c38aa27..e3c7755 100644
level = NGX_LOG_CRIT;
if (sslerr == SSL_ERROR_SYSCALL) {
-@@ -4577,7 +4621,8 @@ ngx_ssl_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
+@@ -4577,7 +4629,8 @@ ngx_ssl_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
return -1;
}
@@ -174,7 +189,7 @@ index c38aa27..e3c7755 100644
if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) {
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
return -1;
-@@ -4620,7 +4665,8 @@ ngx_ssl_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
+@@ -4620,7 +4673,8 @@ ngx_ssl_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
size = 32;
}
@@ -184,7 +199,7 @@ index c38aa27..e3c7755 100644
if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) {
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
return -1;
-@@ -5127,6 +5173,14 @@ ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+@@ -5127,6 +5181,14 @@ ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
#endif