WolfSSL
/
wolfssl-nginx
mirror of https://github.com/wolfSSL/wolfssl-nginx.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Break out the post-quantum changes into a separate diff for readability.

pull/18/head
Anthony Hu 2021-12-24 13:21:41 -05:00
parent dce32bc288
commit 10fa7c8f58
2 changed files with 58 additions and 166 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@ -116,7 +116,7 @@ Testing is only supported on Linux with bash.
## Post-Quantum Algorithms
Starting with wolfSSL version 5.1.0 and nginx version 1.21.4, You can now enable the integration of liboqs in wolfSSL thus enabling post-quantum algorithms for your HTTPS connections over TLS 1.3. In this case, the web server will be nginx with wolfSSL and the web client will be curl with wolfSSL.
Starting with wolfSSL version 5.1.0 and nginx version 1.21.4, You can now enable the integration of liboqs in wolfSSL thus enabling post-quantum algorithms for your HTTPS connections over TLS 1.3.
First, you will need to build the OpenQuantumSafe group's liboqs and their fork of OpenSSL to generate the certificate chain that uses the post-quantum FALCON signature scheme. Instructions for that are in wolfSSL git repository's INSTALL file. Note that when you generate your certificates, you will need to add your IP address as a subject alternative name. See here for more details: https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
@ -129,7 +129,7 @@ make check
sudo make install
```
Now, you can continue on with the instructions for building nginx above.
Now, you can continue on with the instructions for building nginx above, but also apply the nginx-1.21.4-pq.patch patch.
Now that all the software is built and installed, you will need to add a section in the nginx.conf file to enable TLS 1.3 and use the correct certificates. Edit `/usr/local/nginx/conf/nginx.conf`. Nginx's install process should have put a default version there. Search for the section with the title `HTTPS server` and replace that section with the following:
@ -163,7 +163,7 @@ You can now execute the nginx web server by doing the following:
sudo /usr/local/nginx/sbin/nginx
```
Check `/usr/local/nginx/logs/error.log` to see if there were any errors and ensure that `/usr/local/nginx/logs/nginx.pid` exists. It is created upon successful launch of the server daemon process.
Check `/usr/local/nginx/logs/error.log` to see if there were any errors and ensure that `/usr/local/nginx/logs/nginx.pid` exists. It is created upon successful launch of the server daemon process.
NOTE: You will need to change the path of the root certificate and use your IP address.

218
nginx-1.21.4-wolfssl.patch
View File

@ -1,7 +1,8 @@
diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf
--- a/auto/lib/openssl/conf 2021-12-22 12:04:40.982790023 -0500
+++ b/auto/lib/openssl/conf 2021-12-21 13:12:44.347836218 -0500
@@ -62,8 +62,33 @@
index 4fb52df7..4fe4b4a7 100644
--- a/auto/lib/openssl/conf
+++ b/auto/lib/openssl/conf
@@ -62,8 +62,33 @@ else
ngx_feature_path=
ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD"
ngx_feature_test="SSL_CTX_set_options(NULL, 0)"
@ -36,9 +37,10 @@ diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf
# FreeBSD port
diff --git a/auto/options b/auto/options
--- a/auto/options 2021-12-22 12:04:40.982790023 -0500
+++ b/auto/options 2021-12-21 13:12:44.347836218 -0500
@@ -149,6 +149,7 @@
index 80be906e..8767aa33 100644
--- a/auto/options
+++ b/auto/options
@@ -149,6 +149,7 @@ PCRE_JIT=NO
USE_OPENSSL=NO
OPENSSL=NONE
@ -46,7 +48,7 @@ diff --git a/auto/options b/auto/options
USE_ZLIB=NO
ZLIB=NONE
@@ -358,6 +359,7 @@
@@ -358,6 +359,7 @@ use the \"--with-mail_ssl_module\" option instead"
--with-pcre-opt=*) PCRE_OPT="$value" ;;
--with-pcre-jit) PCRE_JIT=YES ;;
@ -54,7 +56,7 @@ diff --git a/auto/options b/auto/options
--with-openssl=*) OPENSSL="$value" ;;
--with-openssl-opt=*) OPENSSL_OPT="$value" ;;
@@ -583,6 +585,7 @@
@@ -583,6 +585,7 @@ cat << END
--with-libatomic force libatomic_ops library usage
--with-libatomic=DIR set path to libatomic_ops library sources
@ -63,24 +65,10 @@ diff --git a/auto/options b/auto/options
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c 2021-12-22 12:04:40.978789957 -0500
+++ b/src/event/ngx_event_openssl.c 2021-12-22 12:13:23.031389526 -0500
@@ -20,10 +20,14 @@
static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err,
ngx_str_t *cert, STACK_OF(X509) **chain);
+#if !defined(WOLFSSL_NGINX) || !defined(HAVE_LIBOQS)
+/* In the case that HAVE_LIBOQS is defined, these functions are unused as we
+ * call SSL_CTX_use_PrivateKey_file() instead. */
static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
ngx_str_t *key, ngx_array_t *passwords);
static int ngx_ssl_password_callback(char *buf, int size, int rwflag,
void *userdata);
+#endif
static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
int ret);
@@ -353,6 +357,8 @@
index 84afecd0..fe7e328e 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -353,6 +353,8 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
}
#endif
@ -89,7 +77,7 @@ diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
#ifdef SSL_CTX_set_min_proto_version
SSL_CTX_set_min_proto_version(ssl->ctx, 0);
SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
@@ -362,6 +368,7 @@
@@ -362,6 +364,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_min_proto_version(ssl->ctx, 0);
SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
#endif
@ -97,7 +85,7 @@ diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
#ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
@@ -391,6 +398,12 @@
@@ -391,6 +394,12 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
@ -110,116 +98,11 @@ diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
return NGX_OK;
}
@@ -424,7 +437,9 @@
{
char *err;
X509 *x509;
+#if !defined(WOLFSSL_NGINX) || !defined(HAVE_LIBOQS)
EVP_PKEY *pkey;
+#endif
STACK_OF(X509) *chain;
x509 = ngx_ssl_load_certificate(cf->pool, &err, cert, &chain);
@@ -515,6 +530,20 @@
}
#endif
+#if defined(WOLFSSL_NGINX) && defined(HAVE_LIBOQS)
+ if (ngx_get_full_name(cf->pool, (ngx_str_t *) &ngx_cycle->conf_prefix,
+ key) != NGX_OK) {
+ return NGX_OK;
+ }
+
+ if (SSL_CTX_use_PrivateKey_file(ssl->ctx, (char *)key->data, SSL_FILETYPE_PEM)
+ < 1) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "cannot load certificate key \"%s\"",
+ key->data);
+ return NGX_ERROR;
+ }
+#else
pkey = ngx_ssl_load_certificate_key(cf->pool, &err, key, passwords);
if (pkey == NULL) {
if (err != NULL) {
@@ -534,6 +563,7 @@
}
EVP_PKEY_free(pkey);
+#endif
return NGX_OK;
}
@@ -545,7 +575,9 @@
{
char *err;
X509 *x509;
+#if !defined(WOLFSSL_NGINX) || !defined(HAVE_LIBOQS)
EVP_PKEY *pkey;
+#endif
STACK_OF(X509) *chain;
x509 = ngx_ssl_load_certificate(pool, &err, cert, &chain);
@@ -586,6 +618,20 @@
#endif
+#if defined(WOLFSSL_NGINX) && defined(HAVE_LIBOQS)
+ if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix,
+ key) != NGX_OK) {
+ return NGX_OK;
+ }
+
+ if (SSL_use_PrivateKey_file(c->ssl->connection, (char *)key->data, SSL_FILETYPE_PEM)
+ < 1) {
+ ngx_ssl_error(NGX_LOG_EMERG, c->log, 0,
+ "cannot load certificate key \"%s\"",
+ key->data);
+ return NGX_ERROR;
+ }
+#else
pkey = ngx_ssl_load_certificate_key(pool, &err, key, passwords);
if (pkey == NULL) {
if (err != NULL) {
@@ -605,6 +651,7 @@
}
EVP_PKEY_free(pkey);
+#endif
return NGX_OK;
}
@@ -700,6 +747,7 @@
@@ -864,6 +873,14 @@ ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
}
+#if !defined(WOLFSSL_NGINX) || !defined(HAVE_LIBOQS)
static EVP_PKEY *
ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
ngx_str_t *key, ngx_array_t *passwords)
@@ -815,8 +863,10 @@
return pkey;
}
+#endif
+#if !defined(WOLFSSL_NGINX) || !defined(HAVE_LIBOQS)
static int
ngx_ssl_password_callback(char *buf, int size, int rwflag, void *userdata)
{
@@ -843,7 +893,7 @@
return size;
}
-
+#endif
ngx_int_t
ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
@@ -865,6 +915,14 @@
ngx_int_t
+ngx_int_t
+ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl)
+{
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
@ -227,11 +110,10 @@ diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
+ return NGX_OK;
+}
+
+ngx_int_t
ngx_int_t
ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
ngx_int_t depth)
{
@@ -1407,7 +1465,8 @@
@@ -1407,7 +1424,8 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name)
* maximum interoperability.
*/
@ -241,7 +123,7 @@ diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
/*
* OpenSSL 1.0.2+ allows configuring a curve list instead of a single
@@ -1599,10 +1658,26 @@
@@ -1599,10 +1617,26 @@ static int
ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
{
ngx_connection_t *c;
@ -268,7 +150,7 @@ diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
c->ssl->session = sess;
c->ssl->save_session(c);
@@ -1674,7 +1749,9 @@
@@ -1674,7 +1708,9 @@ ngx_ssl_get_session(ngx_connection_t *c)
{
#ifdef TLS1_3_VERSION
if (c->ssl->session) {
@ -278,7 +160,7 @@ diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
return c->ssl->session;
}
#endif
@@ -4357,7 +4434,8 @@
@@ -4357,7 +4393,8 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
return -1;
}
@ -288,7 +170,7 @@ diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) {
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
return -1;
@@ -4400,7 +4478,8 @@
@@ -4400,7 +4437,8 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
size = 32;
}
@ -299,8 +181,9 @@ diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
return -1;
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h 2021-12-22 12:04:40.978789957 -0500
+++ b/src/event/ngx_event_openssl.h 2021-12-21 13:12:44.347836218 -0500
index 4afdfad4..053999a8 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -14,6 +14,10 @@
#define OPENSSL_SUPPRESS_DEPRECATED
@ -321,7 +204,7 @@ diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
#define SSL_is_server(s) (s)->server
#endif
@@ -191,6 +195,7 @@
@@ -191,6 +195,7 @@ ngx_int_t ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
ngx_uint_t prefer_server_ciphers);
@ -330,9 +213,10 @@ diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c 2021-12-22 12:04:40.978789957 -0500
+++ b/src/event/ngx_event_openssl_stapling.c 2021-12-21 13:12:44.347836218 -0500
@@ -379,7 +379,9 @@
index e3fa8c4e..fb8ba0a7 100644
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -379,7 +379,9 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
for (i = 0; i < n; i++) {
issuer = sk_X509_value(staple->chain, i);
if (X509_check_issued(issuer, cert) == X509_V_OK) {
@ -344,9 +228,10 @@ diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openss
#else
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c 2021-12-22 12:04:40.974789888 -0500
+++ b/src/http/modules/ngx_http_proxy_module.c 2021-12-21 13:12:44.347836218 -0500
@@ -4988,7 +4988,9 @@
index 7c4061c0..c541b136 100644
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -4988,7 +4988,9 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
"no proxy_ssl_trusted_certificate for proxy_ssl_verify");
return NGX_ERROR;
}
@ -358,9 +243,10 @@ diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_htt
&plcf->ssl_trusted_certificate,
plcf->ssl_verify_depth)
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c 2021-12-22 12:04:40.974789888 -0500
+++ b/src/http/modules/ngx_http_ssl_module.c 2021-12-21 13:12:44.347836218 -0500
@@ -14,7 +14,11 @@
index c633f346..2a5c420e 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
ngx_pool_t *pool, ngx_str_t *s);
@ -372,7 +258,7 @@ diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_
#define NGX_DEFAULT_ECDH_CURVE "auto"
#define NGX_HTTP_ALPN_PROTOS "\x08http/1.1\x08http/1.0\x08http/0.9"
@@ -845,8 +849,10 @@
@@ -845,8 +849,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
return NGX_CONF_ERROR;
}
@ -384,8 +270,9 @@ diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_
if (conf->shm_zone == NULL) {
conf->shm_zone = prev->shm_zone;
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c 2021-12-22 12:04:40.966789753 -0500
+++ b/src/mail/ngx_mail_ssl_module.c 2021-12-21 13:12:44.347836218 -0500
index 2a1043e6..8012fcce 100644
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -10,7 +10,11 @@
#include <ngx_mail.h>
@ -399,9 +286,10 @@ diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
--- a/src/stream/ngx_stream_proxy_module.c 2021-12-22 12:04:40.958789618 -0500
+++ b/src/stream/ngx_stream_proxy_module.c 2021-12-21 13:12:44.347836218 -0500
@@ -2262,7 +2262,9 @@
index 934e7d8f..c4c0e2e2 100644
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -2262,7 +2262,9 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf)
"no proxy_ssl_trusted_certificate for proxy_ssl_verify");
return NGX_ERROR;
}
@ -413,9 +301,10 @@ diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_
&pscf->ssl_trusted_certificate,
pscf->ssl_verify_depth)
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c 2021-12-22 12:04:40.958789618 -0500
+++ b/src/stream/ngx_stream_ssl_module.c 2021-12-21 13:12:44.347836218 -0500
@@ -14,7 +14,11 @@
index 530fe8b3..77f59d04 100644
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
ngx_pool_t *pool, ngx_str_t *s);
@ -427,3 +316,6 @@ diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_modu
#define NGX_DEFAULT_ECDH_CURVE "auto"
--
2.25.1