commit
05c72fc757
|
@ -71,10 +71,25 @@ index 552ef83..96f0d8e 100644
|
|||
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
|
||||
|
||||
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
|
||||
index c38aa27..e3c7755 100644
|
||||
index c38aa27..ad77a02 100644
|
||||
--- a/src/event/ngx_event_openssl.c
|
||||
+++ b/src/event/ngx_event_openssl.c
|
||||
@@ -351,6 +351,8 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
|
||||
@@ -165,6 +165,14 @@ ngx_ssl_init(ngx_log_t *log)
|
||||
|
||||
#endif
|
||||
|
||||
+#ifdef WOLFSSL_NGINX
|
||||
+ /* Run all casts on initialization with these FIPS versions to avoid
|
||||
+ * threaded competition when running them ad hoc */
|
||||
+ #if FIPS_VERSION3_GE(5,2,1) && !FIPS_VERSION3_GE(6,0,0)
|
||||
+ wc_RunAllCast_fips();
|
||||
+ #endif
|
||||
+#endif
|
||||
+
|
||||
#ifndef SSL_OP_NO_COMPRESSION
|
||||
{
|
||||
/*
|
||||
@@ -351,6 +359,8 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
|
||||
}
|
||||
#endif
|
||||
|
||||
|
@ -83,7 +98,7 @@ index c38aa27..e3c7755 100644
|
|||
#ifdef SSL_CTX_set_min_proto_version
|
||||
SSL_CTX_set_min_proto_version(ssl->ctx, 0);
|
||||
SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
|
||||
@@ -360,6 +362,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
|
||||
@@ -360,6 +370,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
|
||||
SSL_CTX_set_min_proto_version(ssl->ctx, 0);
|
||||
SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
|
||||
#endif
|
||||
|
@ -91,7 +106,7 @@ index c38aa27..e3c7755 100644
|
|||
|
||||
#ifdef SSL_OP_NO_COMPRESSION
|
||||
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
|
||||
@@ -557,6 +560,12 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
|
||||
@@ -557,6 +568,12 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
|
@ -104,7 +119,7 @@ index c38aa27..e3c7755 100644
|
|||
if (SSL_use_certificate(c->ssl->connection, x509) == 0) {
|
||||
ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
|
||||
"SSL_use_certificate(\"%s\") failed", cert->data);
|
||||
@@ -568,7 +577,9 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
|
||||
@@ -568,7 +585,9 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
|
||||
X509_free(x509);
|
||||
|
||||
#ifdef SSL_set0_chain
|
||||
|
@ -115,7 +130,7 @@ index c38aa27..e3c7755 100644
|
|||
/*
|
||||
* SSL_set0_chain() is only available in OpenSSL 1.0.2+,
|
||||
* but this function is only called via certificate callback,
|
||||
@@ -581,7 +592,19 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
|
||||
@@ -581,7 +600,19 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
|
||||
sk_X509_pop_free(chain, X509_free);
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
@ -136,7 +151,7 @@ index c38aa27..e3c7755 100644
|
|||
#endif
|
||||
|
||||
pkey = ngx_ssl_load_certificate_key(pool, &err, key, passwords);
|
||||
@@ -3358,6 +3381,27 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
|
||||
@@ -3358,6 +3389,27 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
|
||||
int n;
|
||||
ngx_uint_t level;
|
||||
|
||||
|
@ -164,7 +179,7 @@ index c38aa27..e3c7755 100644
|
|||
level = NGX_LOG_CRIT;
|
||||
|
||||
if (sslerr == SSL_ERROR_SYSCALL) {
|
||||
@@ -4577,7 +4621,8 @@ ngx_ssl_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
|
||||
@@ -4577,7 +4629,8 @@ ngx_ssl_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
@ -174,7 +189,7 @@ index c38aa27..e3c7755 100644
|
|||
if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) {
|
||||
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
|
||||
return -1;
|
||||
@@ -4620,7 +4665,8 @@ ngx_ssl_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
|
||||
@@ -4620,7 +4673,8 @@ ngx_ssl_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
|
||||
size = 32;
|
||||
}
|
||||
|
||||
|
@ -184,7 +199,7 @@ index c38aa27..e3c7755 100644
|
|||
if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) {
|
||||
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
|
||||
return -1;
|
||||
@@ -5127,6 +5173,14 @@ ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
||||
@@ -5127,6 +5181,14 @@ ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
||||
|
||||
#endif
|
||||
|
||||
|
|
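Review bot: The return value of `wc_RunAllCast_fips()` in the new `WOLFSSL_NGINX` block of `ngx_ssl_init()` is discarded, so a failed FIPS algorithm self-test at startup would go unreported and would presumably only surface later as crypto errors on live connections. wolfSSL declares the function as returning `int` (non-zero when a self-test fails, as far as I know), so the call should fail initialization instead: `if (wc_RunAllCast_fips() != 0) { ngx_ssl_error(NGX_LOG_ALERT, log, 0, "wc_RunAllCast_fips() failed"); return NGX_ERROR; }`. The nested `#if FIPS_VERSION3_GE(5,2,1) && !FIPS_VERSION3_GE(6,0,0)` also assumes every supported wolfSSL header set defines that macro; if older headers must build, wrap the test in `#ifdef FIPS_VERSION3_GE`. The body of `ngx_ssl_init()` starts and ends outside the hunk, so confirm that returning early at this point skips no cleanup.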