From 573704535161027425f22106505029ebf7168593 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 6 Jul 2020 11:18:12 -0600 Subject: [PATCH 1/2] add nginx 1.15.7 patch --- nginx-1.15.7-wolfssl.patch | 275 +++++++++++++++++++++++++++++++++++++ 1 file changed, 275 insertions(+) create mode 100644 nginx-1.15.7-wolfssl.patch diff --git a/nginx-1.15.7-wolfssl.patch b/nginx-1.15.7-wolfssl.patch new file mode 100644 index 0000000..e958607 --- /dev/null +++ b/nginx-1.15.7-wolfssl.patch @@ -0,0 +1,275 @@ +diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf +index 4fb52df7..4fe4b4a7 100644 +--- a/auto/lib/openssl/conf ++++ b/auto/lib/openssl/conf +@@ -62,8 +62,33 @@ else + ngx_feature_path= + ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD" + ngx_feature_test="SSL_CTX_set_options(NULL, 0)" ++ ++ if [ $WOLFSSL != NONE ]; then ++ ngx_feature="wolfSSL library in $WOLFSSL" ++ ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include" ++ ++ if [ $NGX_RPATH = YES ]; then ++ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" ++ else ++ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" ++ fi ++ ++ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl" ++ CFLAGS="$CFLAGS -DWOLFSSL_NGINX" ++ fi ++ + . auto/feature + ++ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then ++cat << END ++ ++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl. ++SSL modules require the wolfSSL library. ++ ++END ++ exit 1 ++ fi ++ + if [ $ngx_found = no ]; then + + # FreeBSD port +diff --git a/auto/options b/auto/options +index d8b421b0..ef1401d4 100644 +--- a/auto/options ++++ b/auto/options +@@ -147,6 +147,7 @@ PCRE_JIT=NO + + USE_OPENSSL=NO + OPENSSL=NONE ++WOLFSSL=NONE + + USE_ZLIB=NO + ZLIB=NONE +@@ -355,6 +356,7 @@ use the \"--with-mail_ssl_module\" option instead" + --with-pcre-opt=*) PCRE_OPT="$value" ;; + --with-pcre-jit) PCRE_JIT=YES ;; + ++ --with-wolfssl=*) WOLFSSL="$value" ;; + --with-openssl=*) OPENSSL="$value" ;; + --with-openssl-opt=*) OPENSSL_OPT="$value" ;; + +@@ -579,6 +581,7 @@ cat << END + --with-libatomic force libatomic_ops library usage + --with-libatomic=DIR set path to libatomic_ops library sources + ++ --with-wolfssl=DIR set path to wolfSSL headers and library + --with-openssl=DIR set path to OpenSSL library sources + --with-openssl-opt=OPTIONS set additional build options for OpenSSL + +diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c +index a281fba9..c36196d7 100644 +--- a/src/event/ngx_event_openssl.c ++++ b/src/event/ngx_event_openssl.c +@@ -375,6 +375,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) + + SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); + ++#ifdef WOLFSSL_NGINX ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL); ++#endif ++ + return NGX_OK; + } + +@@ -682,6 +686,14 @@ ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, + } + + ++ngx_int_t ++ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl) ++{ ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback); ++ ++ return NGX_OK; ++} ++ + ngx_int_t + ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, + ngx_int_t depth) +@@ -1124,7 +1136,8 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name) + * maximum interoperability. + */ + +-#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) ++#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) || \ ++ defined(WOLFSSL_NGINX) + + /* + * OpenSSL 1.0.2+ allows configuring a curve list instead of a single +@@ -3613,7 +3626,8 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, + return -1; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \ ++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS)) + if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) { + ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); + return -1; +@@ -3657,7 +3671,8 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, + size = 32; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \ ++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS)) + if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) { + ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); + return -1; +diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h +index abd84ccf..18267f82 100644 +--- a/src/event/ngx_event_openssl.h ++++ b/src/event/ngx_event_openssl.h +@@ -12,6 +12,10 @@ + #include + #include + ++#ifdef WOLFSSL_NGINX ++#include ++#include ++#endif + #include + #include + #include +@@ -59,7 +63,7 @@ + #define ngx_ssl_conn_t SSL + + +-#if (OPENSSL_VERSION_NUMBER < 0x10002000L) ++#if (OPENSSL_VERSION_NUMBER < 0x10002000L) && !defined(WOLFSSL_NGINX) + #define SSL_is_server(s) (s)->server + #endif + +@@ -166,6 +170,7 @@ ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, + ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords); + ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, + ngx_uint_t prefer_server_ciphers); ++ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl); + ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, + ngx_str_t *cert, ngx_int_t depth); + ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, +diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c +index 0bea5e74..aee57868 100644 +--- a/src/event/ngx_event_openssl_stapling.c ++++ b/src/event/ngx_event_openssl_stapling.c +@@ -313,7 +313,9 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl, + for (i = 0; i < n; i++) { + issuer = sk_X509_value(chain, i); + if (X509_check_issued(issuer, cert) == X509_V_OK) { +-#if OPENSSL_VERSION_NUMBER >= 0x10100001L ++#ifdef WOLFSSL_NGINX ++ issuer = X509_dup(issuer); ++#elif OPENSSL_VERSION_NUMBER >= 0x10100001L + X509_up_ref(issuer); + #else + CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); +diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c +index d6a89221..94c1a34d 100644 +--- a/src/http/modules/ngx_http_proxy_module.c ++++ b/src/http/modules/ngx_http_proxy_module.c +@@ -4306,6 +4306,8 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf) + return NGX_ERROR; + } + ++ ngx_ssl_set_verify_on(cf, plcf->upstream.ssl); ++ + if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl, + &plcf->ssl_trusted_certificate, + plcf->ssl_verify_depth) +diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c +index 9e243ea0..3bef37b5 100644 +--- a/src/http/modules/ngx_http_ssl_module.c ++++ b/src/http/modules/ngx_http_ssl_module.c +@@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1" +@@ -780,8 +784,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) + return NGX_CONF_ERROR; + } + ++#ifndef WOLFSSL_NGINX + ngx_conf_merge_value(conf->builtin_session_cache, + prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); ++#endif + + if (conf->shm_zone == NULL) { + conf->shm_zone = prev->shm_zone; +diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c +index 7dd28b8c..0bff124d 100644 +--- a/src/http/ngx_http_request.c ++++ b/src/http/ngx_http_request.c +@@ -834,6 +834,12 @@ ngx_http_ssl_handshake_handler(ngx_connection_t *c) + } + + #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME ++#ifndef SSL_AD_NO_RENEGOTIATION ++#define SSL_AD_NO_RENEGOTIATION 100 ++#endif ++#ifndef SSL_AD_INTERNAL_ERROR ++#define SSL_AD_INTERNAL_ERROR 80 ++#endif + + int + ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) +diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c +index 45095979..7b7ae03c 100644 +--- a/src/mail/ngx_mail_ssl_module.c ++++ b/src/mail/ngx_mail_ssl_module.c +@@ -10,7 +10,11 @@ + #include + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + +diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c +index 09493135..b752d2de 100644 +--- a/src/stream/ngx_stream_proxy_module.c ++++ b/src/stream/ngx_stream_proxy_module.c +@@ -2130,6 +2130,8 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf) + return NGX_ERROR; + } + ++ ngx_ssl_set_verify_on(cf, pscf->ssl); ++ + if (ngx_ssl_trusted_certificate(cf, pscf->ssl, + &pscf->ssl_trusted_certificate, + pscf->ssl_verify_depth) +diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c +index dcc33e1c..e38eba34 100644 +--- a/src/stream/ngx_stream_ssl_module.c ++++ b/src/stream/ngx_stream_ssl_module.c +@@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + From 879fb2285c159cf5d018ebaf37d82c7c77e7c123 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 1 May 2023 12:34:29 -0700 Subject: [PATCH 2/2] fix for include of options.h with config test --- nginx-1.15.0-wolfssl.patch | 97 +++++++++++++++++++++----------------- nginx-1.15.7-wolfssl.patch | 34 ++++++------- 2 files changed, 71 insertions(+), 60 deletions(-) diff --git a/nginx-1.15.0-wolfssl.patch b/nginx-1.15.0-wolfssl.patch index 65b86b7..51862e4 100644 --- a/nginx-1.15.0-wolfssl.patch +++ b/nginx-1.15.0-wolfssl.patch @@ -1,7 +1,8 @@ -diff -ur nginx-1.15.0/auto/lib/openssl/conf nginx-1.15.0-wolfssl/auto/lib/openssl/conf ---- nginx-1.15.0/auto/lib/openssl/conf 2018-06-05 23:47:25.000000000 +1000 -+++ nginx-1.15.0-wolfssl/auto/lib/openssl/conf 2018-06-14 15:44:59.055897015 +1000 -@@ -62,8 +62,33 @@ +diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf +index 4fb52df..5c39915 100644 +--- a/auto/lib/openssl/conf ++++ b/auto/lib/openssl/conf +@@ -62,8 +62,35 @@ else ngx_feature_path= ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD" ngx_feature_test="SSL_CTX_set_options(NULL, 0)" @@ -9,6 +10,8 @@ diff -ur nginx-1.15.0/auto/lib/openssl/conf nginx-1.15.0-wolfssl/auto/lib/openss + if [ $WOLFSSL != NONE ]; then + ngx_feature="wolfSSL library in $WOLFSSL" + ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include" ++ ngx_feature_incs="#include ++ #include " + + if [ $NGX_RPATH = YES ]; then + ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" @@ -35,10 +38,11 @@ diff -ur nginx-1.15.0/auto/lib/openssl/conf nginx-1.15.0-wolfssl/auto/lib/openss if [ $ngx_found = no ]; then # FreeBSD port -diff -ur nginx-1.15.0/auto/options nginx-1.15.0-wolfssl/auto/options ---- nginx-1.15.0/auto/options 2018-06-05 23:47:25.000000000 +1000 -+++ nginx-1.15.0-wolfssl/auto/options 2018-06-14 15:44:59.055897015 +1000 -@@ -145,6 +145,7 @@ +diff --git a/auto/options b/auto/options +index 59f0449..8d73eac 100644 +--- a/auto/options ++++ b/auto/options +@@ -145,6 +145,7 @@ PCRE_JIT=NO USE_OPENSSL=NO OPENSSL=NONE @@ -46,7 +50,7 @@ diff -ur nginx-1.15.0/auto/options nginx-1.15.0-wolfssl/auto/options USE_ZLIB=NO ZLIB=NONE -@@ -349,6 +350,7 @@ +@@ -349,6 +350,7 @@ use the \"--with-mail_ssl_module\" option instead" --with-pcre-opt=*) PCRE_OPT="$value" ;; --with-pcre-jit) PCRE_JIT=YES ;; @@ -54,7 +58,7 @@ diff -ur nginx-1.15.0/auto/options nginx-1.15.0-wolfssl/auto/options --with-openssl=*) OPENSSL="$value" ;; --with-openssl-opt=*) OPENSSL_OPT="$value" ;; -@@ -569,6 +571,7 @@ +@@ -569,6 +571,7 @@ cat << END --with-libatomic force libatomic_ops library usage --with-libatomic=DIR set path to libatomic_ops library sources @@ -62,10 +66,11 @@ diff -ur nginx-1.15.0/auto/options nginx-1.15.0-wolfssl/auto/options --with-openssl=DIR set path to OpenSSL library sources --with-openssl-opt=OPTIONS set additional build options for OpenSSL -diff -ur nginx-1.15.0/src/event/ngx_event_openssl.c nginx-1.15.0-wolfssl/src/event/ngx_event_openssl.c ---- nginx-1.15.0/src/event/ngx_event_openssl.c 2018-06-05 23:47:25.000000000 +1000 -+++ nginx-1.15.0-wolfssl/src/event/ngx_event_openssl.c 2018-06-14 15:44:59.055897015 +1000 -@@ -346,6 +346,10 @@ +diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c +index 88a6dbe..2f4b0c6 100644 +--- a/src/event/ngx_event_openssl.c ++++ b/src/event/ngx_event_openssl.c +@@ -346,6 +346,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); @@ -76,7 +81,7 @@ diff -ur nginx-1.15.0/src/event/ngx_event_openssl.c nginx-1.15.0-wolfssl/src/eve return NGX_OK; } -@@ -654,6 +658,14 @@ +@@ -654,6 +658,14 @@ ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, ngx_int_t @@ -91,7 +96,7 @@ diff -ur nginx-1.15.0/src/event/ngx_event_openssl.c nginx-1.15.0-wolfssl/src/eve ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, ngx_int_t depth) { -@@ -1091,7 +1103,8 @@ +@@ -1091,7 +1103,8 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name) * maximum interoperability. */ @@ -101,7 +106,7 @@ diff -ur nginx-1.15.0/src/event/ngx_event_openssl.c nginx-1.15.0-wolfssl/src/eve /* * OpenSSL 1.0.2+ allows configuring a curve list instead of a single -@@ -3061,7 +3074,8 @@ +@@ -3061,7 +3074,8 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, return -1; } @@ -111,7 +116,7 @@ diff -ur nginx-1.15.0/src/event/ngx_event_openssl.c nginx-1.15.0-wolfssl/src/eve if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) { ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); return -1; -@@ -3105,7 +3119,8 @@ +@@ -3105,7 +3119,8 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, size = 32; } @@ -121,9 +126,10 @@ diff -ur nginx-1.15.0/src/event/ngx_event_openssl.c nginx-1.15.0-wolfssl/src/eve if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) { ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); return -1; -diff -ur nginx-1.15.0/src/event/ngx_event_openssl.h nginx-1.15.0-wolfssl/src/event/ngx_event_openssl.h ---- nginx-1.15.0/src/event/ngx_event_openssl.h 2018-06-05 23:47:25.000000000 +1000 -+++ nginx-1.15.0-wolfssl/src/event/ngx_event_openssl.h 2018-06-14 15:44:59.059897033 +1000 +diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h +index 623d851..214f699 100644 +--- a/src/event/ngx_event_openssl.h ++++ b/src/event/ngx_event_openssl.h @@ -12,6 +12,9 @@ #include #include @@ -143,7 +149,7 @@ diff -ur nginx-1.15.0/src/event/ngx_event_openssl.h nginx-1.15.0-wolfssl/src/eve #define SSL_is_server(s) (s)->server #endif -@@ -154,6 +157,7 @@ +@@ -154,6 +157,7 @@ ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords); ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, ngx_uint_t prefer_server_ciphers); @@ -151,10 +157,11 @@ diff -ur nginx-1.15.0/src/event/ngx_event_openssl.h nginx-1.15.0-wolfssl/src/eve ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, ngx_int_t depth); ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, -diff -ur nginx-1.15.0/src/event/ngx_event_openssl_stapling.c nginx-1.15.0-wolfssl/src/event/ngx_event_openssl_stapling.c ---- nginx-1.15.0/src/event/ngx_event_openssl_stapling.c 2018-06-05 23:47:25.000000000 +1000 -+++ nginx-1.15.0-wolfssl/src/event/ngx_event_openssl_stapling.c 2018-06-14 15:44:59.059897033 +1000 -@@ -313,7 +313,9 @@ +diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c +index 0bea5e7..aee5786 100644 +--- a/src/event/ngx_event_openssl_stapling.c ++++ b/src/event/ngx_event_openssl_stapling.c +@@ -313,7 +313,9 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl, for (i = 0; i < n; i++) { issuer = sk_X509_value(chain, i); if (X509_check_issued(issuer, cert) == X509_V_OK) { @@ -165,10 +172,11 @@ diff -ur nginx-1.15.0/src/event/ngx_event_openssl_stapling.c nginx-1.15.0-wolfss X509_up_ref(issuer); #else CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); -diff -ur nginx-1.15.0/src/http/modules/ngx_http_proxy_module.c nginx-1.15.0-wolfssl/src/http/modules/ngx_http_proxy_module.c ---- nginx-1.15.0/src/http/modules/ngx_http_proxy_module.c 2018-06-05 23:47:25.000000000 +1000 -+++ nginx-1.15.0-wolfssl/src/http/modules/ngx_http_proxy_module.c 2018-06-14 15:44:59.059897033 +1000 -@@ -4295,6 +4295,8 @@ +diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c +index e7f829d..2760686 100644 +--- a/src/http/modules/ngx_http_proxy_module.c ++++ b/src/http/modules/ngx_http_proxy_module.c +@@ -4295,6 +4295,8 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf) return NGX_ERROR; } @@ -177,11 +185,11 @@ diff -ur nginx-1.15.0/src/http/modules/ngx_http_proxy_module.c nginx-1.15.0-wolf if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl, &plcf->ssl_trusted_certificate, plcf->ssl_verify_depth) -Only in nginx-1.15.0-wolfssl/src/http/modules: ngx_http_proxy_module.c.orig -diff -ur nginx-1.15.0/src/http/modules/ngx_http_ssl_module.c nginx-1.15.0-wolfssl/src/http/modules/ngx_http_ssl_module.c ---- nginx-1.15.0/src/http/modules/ngx_http_ssl_module.c 2018-06-05 23:47:25.000000000 +1000 -+++ nginx-1.15.0-wolfssl/src/http/modules/ngx_http_ssl_module.c 2018-06-14 15:44:59.059897033 +1000 -@@ -14,7 +14,11 @@ +diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c +index 7e95441..4dd75d4 100644 +--- a/src/http/modules/ngx_http_ssl_module.c ++++ b/src/http/modules/ngx_http_ssl_module.c +@@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s); @@ -219,10 +227,11 @@ diff -ur nginx/src/mail/ngx_mail_ssl_module.c nginx-1.15.0-wolfssl/src/mail/ngx_ #define NGX_DEFAULT_ECDH_CURVE "auto" -diff -ur nginx-1.15.0/src/stream/ngx_stream_proxy_module.c nginx-1.15.0-wolfssl/src/stream/ngx_stream_proxy_module.c ---- nginx-1.15.0/src/stream/ngx_stream_proxy_module.c 2018-06-05 23:47:25.000000000 +1000 -+++ nginx-1.15.0-wolfssl/src/stream/ngx_stream_proxy_module.c 2018-06-14 15:44:59.059897033 +1000 -@@ -2038,6 +2038,8 @@ +diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c +index 792bb77..17fbfc4 100644 +--- a/src/stream/ngx_stream_proxy_module.c ++++ b/src/stream/ngx_stream_proxy_module.c +@@ -2038,6 +2038,8 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf) return NGX_ERROR; } @@ -231,11 +240,11 @@ diff -ur nginx-1.15.0/src/stream/ngx_stream_proxy_module.c nginx-1.15.0-wolfssl/ if (ngx_ssl_trusted_certificate(cf, pscf->ssl, &pscf->ssl_trusted_certificate, pscf->ssl_verify_depth) -Only in nginx-1.15.0-wolfssl/src/stream: ngx_stream_proxy_module.c.orig -diff -ur nginx-1.15.0/src/stream/ngx_stream_ssl_module.c nginx-1.15.0-wolfssl/src/stream/ngx_stream_ssl_module.c ---- nginx-1.15.0/src/stream/ngx_stream_ssl_module.c 2018-06-05 23:47:25.000000000 +1000 -+++ nginx-1.15.0-wolfssl/src/stream/ngx_stream_ssl_module.c 2018-06-14 15:44:59.059897033 +1000 -@@ -14,7 +14,11 @@ +diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c +index dcc33e1..e38eba3 100644 +--- a/src/stream/ngx_stream_ssl_module.c ++++ b/src/stream/ngx_stream_ssl_module.c +@@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s); diff --git a/nginx-1.15.7-wolfssl.patch b/nginx-1.15.7-wolfssl.patch index e958607..72689f1 100644 --- a/nginx-1.15.7-wolfssl.patch +++ b/nginx-1.15.7-wolfssl.patch @@ -1,8 +1,8 @@ diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf -index 4fb52df7..4fe4b4a7 100644 +index 4fb52df..fb8e04c 100644 --- a/auto/lib/openssl/conf +++ b/auto/lib/openssl/conf -@@ -62,8 +62,33 @@ else +@@ -62,8 +62,35 @@ else ngx_feature_path= ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD" ngx_feature_test="SSL_CTX_set_options(NULL, 0)" @@ -10,6 +10,8 @@ index 4fb52df7..4fe4b4a7 100644 + if [ $WOLFSSL != NONE ]; then + ngx_feature="wolfSSL library in $WOLFSSL" + ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include" ++ ngx_feature_incs="#include " + + if [ $NGX_RPATH = YES ]; then + ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" @@ -37,7 +39,7 @@ index 4fb52df7..4fe4b4a7 100644 # FreeBSD port diff --git a/auto/options b/auto/options -index d8b421b0..ef1401d4 100644 +index d8b421b..ef1401d 100644 --- a/auto/options +++ b/auto/options @@ -147,6 +147,7 @@ PCRE_JIT=NO @@ -65,7 +67,7 @@ index d8b421b0..ef1401d4 100644 --with-openssl-opt=OPTIONS set additional build options for OpenSSL diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c -index a281fba9..c36196d7 100644 +index a281fba..c36196d 100644 --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -375,6 +375,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) @@ -79,11 +81,10 @@ index a281fba9..c36196d7 100644 return NGX_OK; } -@@ -682,6 +686,14 @@ ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, - } +@@ -683,6 +687,14 @@ ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, -+ngx_int_t + ngx_int_t +ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl) +{ + SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback); @@ -91,9 +92,10 @@ index a281fba9..c36196d7 100644 + return NGX_OK; +} + - ngx_int_t ++ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, ngx_int_t depth) + { @@ -1124,7 +1136,8 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name) * maximum interoperability. */ @@ -125,7 +127,7 @@ index a281fba9..c36196d7 100644 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); return -1; diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h -index abd84ccf..18267f82 100644 +index abd84cc..18267f8 100644 --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -12,6 +12,10 @@ @@ -157,7 +159,7 @@ index abd84ccf..18267f82 100644 ngx_str_t *cert, ngx_int_t depth); ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c -index 0bea5e74..aee57868 100644 +index 0bea5e7..aee5786 100644 --- a/src/event/ngx_event_openssl_stapling.c +++ b/src/event/ngx_event_openssl_stapling.c @@ -313,7 +313,9 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl, @@ -172,7 +174,7 @@ index 0bea5e74..aee57868 100644 #else CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c -index d6a89221..94c1a34d 100644 +index d6a8922..94c1a34 100644 --- a/src/http/modules/ngx_http_proxy_module.c +++ b/src/http/modules/ngx_http_proxy_module.c @@ -4306,6 +4306,8 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf) @@ -185,7 +187,7 @@ index d6a89221..94c1a34d 100644 &plcf->ssl_trusted_certificate, plcf->ssl_verify_depth) diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c -index 9e243ea0..3bef37b5 100644 +index 9e243ea..3bef37b 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, @@ -212,7 +214,7 @@ index 9e243ea0..3bef37b5 100644 if (conf->shm_zone == NULL) { conf->shm_zone = prev->shm_zone; diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c -index 7dd28b8c..0bff124d 100644 +index 7dd28b8..0bff124 100644 --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -834,6 +834,12 @@ ngx_http_ssl_handshake_handler(ngx_connection_t *c) @@ -229,7 +231,7 @@ index 7dd28b8c..0bff124d 100644 int ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c -index 45095979..7b7ae03c 100644 +index 4509597..7b7ae03 100644 --- a/src/mail/ngx_mail_ssl_module.c +++ b/src/mail/ngx_mail_ssl_module.c @@ -10,7 +10,11 @@ @@ -245,7 +247,7 @@ index 45095979..7b7ae03c 100644 diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c -index 09493135..b752d2de 100644 +index 0949313..b752d2d 100644 --- a/src/stream/ngx_stream_proxy_module.c +++ b/src/stream/ngx_stream_proxy_module.c @@ -2130,6 +2130,8 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf) @@ -258,7 +260,7 @@ index 09493135..b752d2de 100644 &pscf->ssl_trusted_certificate, pscf->ssl_verify_depth) diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c -index dcc33e1c..e38eba34 100644 +index dcc33e1..e38eba3 100644 --- a/src/stream/ngx_stream_ssl_module.c +++ b/src/stream/ngx_stream_ssl_module.c @@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,