WolfSSL
/
wolfssl-nginx
mirror of https://github.com/wolfSSL/wolfssl-nginx.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Improvements to patching

pull/1/head
Sean Parkinson 2017-04-13 10:49:03 +10:00
parent b7971d43b8
commit 586762ed39
7 changed files with 676 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
README.md
View File

@ -5,43 +5,47 @@
wolfSSL is supported in Nginx. There are minor changes to the Nginx code base wolfSSL is supported in Nginx. There are minor changes to the Nginx code base
and recompilation is required. and recompilation is required.
The last tested versions: The tested versions:
- wolfSSL 3.10 - wolfSSL 3.11
- Nginx 1.12.0
- Nginx 1.11.13
- Nginx 1.11.10
- Nginx 1.11.7 - Nginx 1.11.7
- Nginx 1.10.3
### Install ### Building
First you will need both Nginx and wolfSSL source code. First you will need Nginx source package and wolfSSL source code.
They can be obtained with the following commands:
- Nginx: git clone https://github.com/nginx/nginx.git
- wolfSSL: git clone https://github.com/wolfSSL/wolfssl.git
Now build and install wolfSSL. The default installation directory is: Now build and install wolfSSL. The default installation directory is:
/usr/local. /usr/local.
To enable wolfSSL support in Nginx the source code must be patched: To enable wolfSSL support in Nginx the source code must be patched:
1. Change into Nginx source directory. 1. Change into the Nginx source directory.
2. Apply patch: git apply <wolfssl-nginx>/nginx.diff 2. Apply patch: patch -p1 < <wolfssl-nginx>/nginx-<nginx-version>-wolfssl.patch
Now rebuild Nginx: Now rebuild Nginx:
1. Configure Nginx with this command (extra options may be added as required): 1. Configure Nginx with this command (extra options may be added as required):
- ./auto/configure --with-wolfssl=/usr/local --with-http_ssl_module - ./configure --with-wolfssl=/usr/local --with-http_ssl_module
2. Build Nginx: make 2. Build Nginx: make
Note: The source package may also be used. In this case the configuration
program is: ./configure
### Testing ### Testing
Nginx has a repository of tests that can be obtained with the following command: Nginx has a repository of tests that can be obtained with the following command:
- git clone https://github.com/nginx/nginx-tests.git - git clone https://github.com/nginx/nginx-tests.git
To run the tests see the README. Tests are expected to pass with exceptions. To run the tests see the README. Tests are expected to pass with exceptions. An example of runnning the tests:
1. Change into nginx-tests directory.
2. Run tests: TEST_NGINX_BINARY=../nginx-<nginx-version>-wolfssl/objs/nginx prove .
There will be skips of SSL tests for the following reasons: There will be skips of SSL tests for the following reasons:
- no multiple certificates (ssl_certificate.t) - no multiple certificates (ssl_certificate.t)
- many not work, leaves coredump (ssl_engine_keys.t) - many not work, leaves coredump (ssl_engine_keys.t)
-There will be failures of SSL tests for the following reasons:
- - no support for setting verification depth
- - no support for certificate authorities in certificate request ("no trusted sent")
Note: the file ssl_ecc.t in wolfssl-nginx can be used with the Nginx test Note: the file ssl_ecc.t in wolfssl-nginx can be used with the Nginx test
system. system.
@ -49,7 +53,7 @@ There are additional tests available in wolfssl-nginx. These are in addition
to the Nginx tests. The OpenSSL's superapp is required for OCSP Stapling to the Nginx tests. The OpenSSL's superapp is required for OCSP Stapling
testing. To test: testing. To test:
1. Change into wolfssl-nginx directory. 1. Change into wolfssl-nginx directory.
2. Run the script: ./test.sh (If not using IPv6 then set HOST to localhost.) 2. Run the script: ./test.sh (If using IPv6 then set IPV6=yes.)
3. When working, the number of FAIL and UNKNOWN will be 0. 3. When working, the number of FAIL and UNKNOWN will be 0.
Testing is only supported on Linux with bash. Testing is only supported on Linux with bash.

212
nginx-1.10.3-wolfssl.patch 100644
View File

@ -0,0 +1,212 @@
diff -ur nginx-1.10.3/auto/lib/openssl/conf nginx-1.10.3-wolfssl/auto/lib/openssl/conf
--- nginx-1.10.3/auto/lib/openssl/conf 2017-02-01 01:01:11.000000000 +1000
+++ nginx-1.10.3-wolfssl/auto/lib/openssl/conf 2017-04-13 10:38:27.614124846 +1000
@@ -53,8 +53,34 @@
ngx_feature_path=
ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL"
ngx_feature_test="SSL_CTX_set_options(NULL, 0)"
+
+ if [ $WOLFSSL != NONE ]; then
+ ngx_feature="wolfSSL library in $WOLFSSL"
+ ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include"
+
+ if [ $NGX_RPATH = YES ]; then
+ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
+ else
+ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
+ fi
+
+ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl $WOLFSSL/include"
+ CFLAGS="$CFLAGS -DWOLFSSL_NGINX"
+ fi
+
. auto/feature
+ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then
+cat << END
+
+$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl.
+SSL modules require the wolfSSL library.
+
+END
+ exit 1
+ fi
+
+
if [ $ngx_found = no ]; then
# FreeBSD port
diff -ur nginx-1.10.3/auto/options nginx-1.10.3-wolfssl/auto/options
--- nginx-1.10.3/auto/options 2017-02-01 01:01:11.000000000 +1000
+++ nginx-1.10.3-wolfssl/auto/options 2017-04-13 10:38:27.614124846 +1000
@@ -133,6 +133,7 @@
PCRE_CONF_OPT=
PCRE_JIT=NO
+WOLFSSL=NONE
USE_OPENSSL=NO
OPENSSL=NONE
@@ -330,6 +331,7 @@
--with-pcre-opt=*) PCRE_OPT="$value" ;;
--with-pcre-jit) PCRE_JIT=YES ;;
+ --with-wolfssl=*) WOLFSSL="$value" ;;
--with-openssl=*) OPENSSL="$value" ;;
--with-openssl-opt=*) OPENSSL_OPT="$value" ;;
diff -ur nginx-1.10.3/src/event/ngx_event_openssl.c nginx-1.10.3-wolfssl/src/event/ngx_event_openssl.c
--- nginx-1.10.3/src/event/ngx_event_openssl.c 2017-02-01 01:01:11.000000000 +1000
+++ nginx-1.10.3-wolfssl/src/event/ngx_event_openssl.c 2017-04-13 10:38:27.618124865 +1000
@@ -55,7 +55,7 @@
HMAC_CTX *hctx, int enc);
#endif
-#if OPENSSL_VERSION_NUMBER < 0x10002002L
+#if OPENSSL_VERSION_NUMBER < 0x10002002L && !defined(WOLFSSL_NGINX)
static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str);
#endif
@@ -304,6 +304,10 @@
SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+#ifdef WOLFSSL_NGINX
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
+#endif
+
return NGX_OK;
}
@@ -361,8 +365,6 @@
return NGX_ERROR;
}
- X509_free(x509);
-
/* read rest of the chain */
for ( ;; ) {
@@ -2971,6 +2973,11 @@
ngx_ssl_cleanup_ctx(void *data)
{
ngx_ssl_t *ssl = data;
+ X509 *x509;
+
+ x509 = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
+ if (x509 != NULL)
+ X509_free(x509);
SSL_CTX_free(ssl->ctx);
}
@@ -2986,7 +2993,7 @@
return NGX_ERROR;
}
-#if OPENSSL_VERSION_NUMBER >= 0x10002002L
+#if OPENSSL_VERSION_NUMBER >= 0x10002002L || defined(WOLFSSL_NGINX)
/* X509_check_host() is only available in OpenSSL 1.0.2+ */
@@ -3103,7 +3110,7 @@
}
-#if OPENSSL_VERSION_NUMBER < 0x10002002L
+#if OPENSSL_VERSION_NUMBER < 0x10002002L && !defined(WOLFSSL_NGINX)
static ngx_int_t
ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern)
diff -ur nginx-1.10.3/src/event/ngx_event_openssl_stapling.c nginx-1.10.3-wolfssl/src/event/ngx_event_openssl_stapling.c
--- nginx-1.10.3/src/event/ngx_event_openssl_stapling.c 2017-02-01 01:01:11.000000000 +1000
+++ nginx-1.10.3-wolfssl/src/event/ngx_event_openssl_stapling.c 2017-04-13 10:38:27.618124865 +1000
@@ -285,7 +285,9 @@
for (i = 0; i < n; i++) {
issuer = sk_X509_value(chain, i);
if (X509_check_issued(issuer, cert) == X509_V_OK) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100001L
+#ifdef WOLFSSL_NGINX
+ issuer = X509_dup(issuer);
+#elif OPENSSL_VERSION_NUMBER >= 0x10100001L
X509_up_ref(issuer);
#else
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
diff -ur nginx-1.10.3/src/http/modules/ngx_http_ssl_module.c nginx-1.10.3-wolfssl/src/http/modules/ngx_http_ssl_module.c
--- nginx-1.10.3/src/http/modules/ngx_http_ssl_module.c 2017-02-01 01:01:11.000000000 +1000
+++ nginx-1.10.3-wolfssl/src/http/modules/ngx_http_ssl_module.c 2017-04-13 10:38:27.622124884 +1000
@@ -14,7 +14,11 @@
ngx_pool_t *pool, ngx_str_t *s);
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "prime256v1"
#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
diff -ur nginx-1.10.3/src/http/ngx_http_upstream.c nginx-1.10.3-wolfssl/src/http/ngx_http_upstream.c
--- nginx-1.10.3/src/http/ngx_http_upstream.c 2017-02-01 01:01:12.000000000 +1000
+++ nginx-1.10.3-wolfssl/src/http/ngx_http_upstream.c 2017-04-13 10:38:27.618124865 +1000
@@ -1683,7 +1683,12 @@
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"upstream SSL server name: \"%s\"", name.data);
- if (SSL_set_tlsext_host_name(c->ssl->connection, name.data) == 0) {
+#ifdef WOLFSSL_NGINX
+ if (SSL_set_tlsext_host_name(c->ssl->connection, (char *)name.data) == 0)
+#else
+ if (SSL_set_tlsext_host_name(c->ssl->connection, name.data) == 0)
+#endif
+ {
ngx_ssl_error(NGX_LOG_ERR, r->connection->log, 0,
"SSL_set_tlsext_host_name(\"%s\") failed", name.data);
return NGX_ERROR;
diff -ur nginx-1.10.3/src/mail/ngx_mail_ssl_module.c nginx-1.10.3-wolfssl/src/mail/ngx_mail_ssl_module.c
--- nginx-1.10.3/src/mail/ngx_mail_ssl_module.c 2017-02-01 01:01:12.000000000 +1000
+++ nginx-1.10.3-wolfssl/src/mail/ngx_mail_ssl_module.c 2017-04-13 10:38:27.626124904 +1000
@@ -10,7 +10,11 @@
#include <ngx_mail.h>
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "prime256v1"
diff -ur nginx-1.10.3/src/stream/ngx_stream_proxy_module.c nginx-1.10.3-wolfssl/src/stream/ngx_stream_proxy_module.c
--- nginx-1.10.3/src/stream/ngx_stream_proxy_module.c 2017-02-01 01:01:12.000000000 +1000
+++ nginx-1.10.3-wolfssl/src/stream/ngx_stream_proxy_module.c 2017-04-13 10:38:27.630124924 +1000
@@ -879,8 +879,13 @@
ngx_log_debug1(NGX_LOG_DEBUG_STREAM, s->connection->log, 0,
"upstream SSL server name: \"%s\"", name.data);
+#ifdef WOLFSSL_NGINX
+ if (SSL_set_tlsext_host_name(u->peer.connection->ssl->connection,
+ (char *)name.data) == 0)
+#else
if (SSL_set_tlsext_host_name(u->peer.connection->ssl->connection, name.data)
== 0)
+#endif
{
ngx_ssl_error(NGX_LOG_ERR, s->connection->log, 0,
"SSL_set_tlsext_host_name(\"%s\") failed", name.data);
diff -ur nginx-1.10.3/src/stream/ngx_stream_ssl_module.c nginx-1.10.3-wolfssl/src/stream/ngx_stream_ssl_module.c
--- nginx-1.10.3/src/stream/ngx_stream_ssl_module.c 2017-02-01 01:01:12.000000000 +1000
+++ nginx-1.10.3-wolfssl/src/stream/ngx_stream_ssl_module.c 2017-04-13 10:38:27.630124924 +1000
@@ -10,7 +10,11 @@
#include <ngx_stream.h>
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "prime256v1"

131
nginx-1.11.10-wolfssl.patch 100644
View File

@ -0,0 +1,131 @@
diff -ur nginx-1.11.10/auto/lib/openssl/conf nginx-1.11.10-wolfssl/auto/lib/openssl/conf
--- nginx-1.11.10/auto/lib/openssl/conf 2017-02-15 01:36:04.000000000 +1000
+++ nginx-1.11.10-wolfssl/auto/lib/openssl/conf 2017-03-03 12:12:59.991555289 +1000
@@ -61,8 +61,33 @@
ngx_feature_path=
ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL"
ngx_feature_test="SSL_CTX_set_options(NULL, 0)"
+
+ if [ $WOLFSSL != NONE ]; then
+ ngx_feature="wolfSSL library in $WOLFSSL"
+ ngx_feature_path="$WOLFSSL/include/wolfssl"
+
+ if [ $NGX_RPATH = YES ]; then
+ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
+ else
+ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
+ fi
+
+ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl"
+ CFLAGS="$CFLAGS -DWOLFSSL_NGINX"
+ fi
+
. auto/feature
+ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then
+cat << END
+
+$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl.
+SSL modules require the wolfSSL library.
+
+END
+ exit 1
+ fi
+
if [ $ngx_found = no ]; then
# FreeBSD port
diff -ur nginx-1.11.10/auto/options nginx-1.11.10-wolfssl/auto/options
--- nginx-1.11.10/auto/options 2017-02-15 01:36:04.000000000 +1000
+++ nginx-1.11.10-wolfssl/auto/options 2017-03-03 12:12:59.991555289 +1000
@@ -141,6 +141,7 @@
PCRE_CONF_OPT=
PCRE_JIT=NO
+WOLFSSL=NONE
USE_OPENSSL=NO
OPENSSL=NONE
@@ -345,6 +346,7 @@
--with-pcre-opt=*) PCRE_OPT="$value" ;;
--with-pcre-jit) PCRE_JIT=YES ;;
+ --with-wolfssl=*) WOLFSSL="$value" ;;
--with-openssl=*) OPENSSL="$value" ;;
--with-openssl-opt=*) OPENSSL_OPT="$value" ;;
Only in nginx-1.11.10-wolfssl: Makefile
Only in nginx-1.11.10-wolfssl: objs
diff -ur nginx-1.11.10/src/event/ngx_event_openssl.c nginx-1.11.10-wolfssl/src/event/ngx_event_openssl.c
--- nginx-1.11.10/src/event/ngx_event_openssl.c 2017-02-15 01:36:05.000000000 +1000
+++ nginx-1.11.10-wolfssl/src/event/ngx_event_openssl.c 2017-03-03 12:12:59.991555289 +1000
@@ -340,6 +340,10 @@
SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+#ifdef WOLFSSL_NGINX
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL);
+#endif
+
return NGX_OK;
}
diff -ur nginx-1.11.10/src/event/ngx_event_openssl_stapling.c nginx-1.11.10-wolfssl/src/event/ngx_event_openssl_stapling.c
--- nginx-1.11.10/src/event/ngx_event_openssl_stapling.c 2017-02-15 01:36:05.000000000 +1000
+++ nginx-1.11.10-wolfssl/src/event/ngx_event_openssl_stapling.c 2017-03-03 12:12:59.991555289 +1000
@@ -313,7 +313,9 @@
for (i = 0; i < n; i++) {
issuer = sk_X509_value(chain, i);
if (X509_check_issued(issuer, cert) == X509_V_OK) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100001L
+#ifdef WOLFSSL_NGINX
+ issuer = X509_dup(issuer);
+#elif OPENSSL_VERSION_NUMBER >= 0x10100001L
X509_up_ref(issuer);
#else
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
diff -ur nginx-1.11.10/src/http/modules/ngx_http_ssl_module.c nginx-1.11.10-wolfssl/src/http/modules/ngx_http_ssl_module.c
--- nginx-1.11.10/src/http/modules/ngx_http_ssl_module.c 2017-02-15 01:36:05.000000000 +1000
+++ nginx-1.11.10-wolfssl/src/http/modules/ngx_http_ssl_module.c 2017-03-03 12:12:59.991555289 +1000
@@ -14,7 +14,11 @@
ngx_pool_t *pool, ngx_str_t *s);
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"
#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
diff -ur nginx-1.11.10/src/mail/ngx_mail_ssl_module.c nginx-1.11.10-wolfssl/src/mail/ngx_mail_ssl_module.c
--- nginx-1.11.10/src/mail/ngx_mail_ssl_module.c 2017-02-15 01:36:05.000000000 +1000
+++ nginx-1.11.10-wolfssl/src/mail/ngx_mail_ssl_module.c 2017-03-03 12:12:59.991555289 +1000
@@ -10,7 +10,11 @@
#include <ngx_mail.h>
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"
diff -ur nginx-1.11.10/src/stream/ngx_stream_ssl_module.c nginx-1.11.10-wolfssl/src/stream/ngx_stream_ssl_module.c
--- nginx-1.11.10/src/stream/ngx_stream_ssl_module.c 2017-02-15 01:36:06.000000000 +1000
+++ nginx-1.11.10-wolfssl/src/stream/ngx_stream_ssl_module.c 2017-03-03 12:12:59.991555289 +1000
@@ -14,7 +14,11 @@
ngx_pool_t *pool, ngx_str_t *s);
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"

139
nginx-1.11.13-wolfssl.patch 100644
View File

@ -0,0 +1,139 @@
diff -ur nginx-1.11.13/auto/lib/openssl/conf nginx-1.11.13-wolfssl/auto/lib/openssl/conf
--- nginx-1.11.13/auto/lib/openssl/conf 2017-04-05 01:01:57.000000000 +1000
+++ nginx-1.11.13-wolfssl/auto/lib/openssl/conf 2017-04-13 09:30:40.072107746 +1000
@@ -61,8 +61,33 @@
ngx_feature_path=
ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL"
ngx_feature_test="SSL_CTX_set_options(NULL, 0)"
+
+ if [ $WOLFSSL != NONE ]; then
+ ngx_feature="wolfSSL library in $WOLFSSL"
+ ngx_feature_path="$WOLFSSL/include/wolfssl"
+
+ if [ $NGX_RPATH = YES ]; then
+ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
+ else
+ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
+ fi
+
+ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl"
+ CFLAGS="$CFLAGS -DWOLFSSL_NGINX"
+ fi
+
. auto/feature
+ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then
+cat << END
+
+$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl.
+SSL modules require the wolfSSL library.
+
+END
+ exit 1
+ fi
+
if [ $ngx_found = no ]; then
# FreeBSD port
diff -ur nginx-1.11.13/auto/options nginx-1.11.13-wolfssl/auto/options
--- nginx-1.11.13/auto/options 2017-04-05 01:01:57.000000000 +1000
+++ nginx-1.11.13-wolfssl/auto/options 2017-04-13 09:32:55.964864689 +1000
@@ -143,6 +143,7 @@
USE_OPENSSL=NO
OPENSSL=NONE
+WOLFSSL=NONE
USE_ZLIB=NO
ZLIB=NONE
@@ -345,6 +346,7 @@
--with-pcre-opt=*) PCRE_OPT="$value" ;;
--with-pcre-jit) PCRE_JIT=YES ;;
+ --with-wolfssl=*) WOLFSSL="$value" ;;
--with-openssl=*) OPENSSL="$value" ;;
--with-openssl-opt=*) OPENSSL_OPT="$value" ;;
@@ -563,6 +565,7 @@
--with-libatomic force libatomic_ops library usage
--with-libatomic=DIR set path to libatomic_ops library sources
+ --with-wolfssl=DIR set path to wolfSSL headers and library
--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
Only in nginx-1.11.13-wolfssl: Makefile
Only in nginx-1.11.13-wolfssl: objs
diff -ur nginx-1.11.13/src/event/ngx_event_openssl.c nginx-1.11.13-wolfssl/src/event/ngx_event_openssl.c
--- nginx-1.11.13/src/event/ngx_event_openssl.c 2017-04-05 01:01:57.000000000 +1000
+++ nginx-1.11.13-wolfssl/src/event/ngx_event_openssl.c 2017-04-13 09:50:15.341436161 +1000
@@ -340,6 +340,10 @@
SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+#ifdef WOLFSSL_NGINX
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL);
+#endif
+
return NGX_OK;
}
diff -ur nginx-1.11.13/src/event/ngx_event_openssl_stapling.c nginx-1.11.13-wolfssl/src/event/ngx_event_openssl_stapling.c
--- nginx-1.11.13/src/event/ngx_event_openssl_stapling.c 2017-04-05 01:01:57.000000000 +1000
+++ nginx-1.11.13-wolfssl/src/event/ngx_event_openssl_stapling.c 2017-04-13 09:34:30.857357204 +1000
@@ -313,7 +313,9 @@
for (i = 0; i < n; i++) {
issuer = sk_X509_value(chain, i);
if (X509_check_issued(issuer, cert) == X509_V_OK) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100001L
+#ifdef WOLFSSL_NGINX
+ issuer = X509_dup(issuer);
+#elif OPENSSL_VERSION_NUMBER >= 0x10100001L
X509_up_ref(issuer);
#else
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
diff -ur nginx-1.11.13/src/http/modules/ngx_http_ssl_module.c nginx-1.11.13-wolfssl/src/http/modules/ngx_http_ssl_module.c
--- nginx-1.11.13/src/http/modules/ngx_http_ssl_module.c 2017-04-05 01:01:58.000000000 +1000
+++ nginx-1.11.13-wolfssl/src/http/modules/ngx_http_ssl_module.c 2017-04-13 09:35:07.345539975 +1000
@@ -14,7 +14,11 @@
ngx_pool_t *pool, ngx_str_t *s);
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"
#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
diff -ur nginx-1.11.13/src/mail/ngx_mail_ssl_module.c nginx-1.11.13-wolfssl/src/mail/ngx_mail_ssl_module.c
--- nginx-1.11.13/src/mail/ngx_mail_ssl_module.c 2017-04-05 01:01:58.000000000 +1000
+++ nginx-1.11.13-wolfssl/src/mail/ngx_mail_ssl_module.c 2017-04-13 09:35:28.825646018 +1000
@@ -10,7 +10,11 @@
#include <ngx_mail.h>
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"
diff -ur nginx-1.11.13/src/stream/ngx_stream_ssl_module.c nginx-1.11.13-wolfssl/src/stream/ngx_stream_ssl_module.c
--- nginx-1.11.13/src/stream/ngx_stream_ssl_module.c 2017-04-05 01:01:58.000000000 +1000
+++ nginx-1.11.13-wolfssl/src/stream/ngx_stream_ssl_module.c 2017-04-13 09:35:48.089740189 +1000
@@ -14,7 +14,11 @@
ngx_pool_t *pool, ngx_str_t *s);
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"

69
nginx.diff → nginx-1.11.7-wolfssl.patch
View File

@ -1,15 +1,14 @@
diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf diff -ur nginx-1.11.7/auto/lib/openssl/conf nginx-1.11.7-wolfssl/auto/lib/openssl/conf
index e7d3795..f65d9d5 100644 --- nginx-1.11.7/auto/lib/openssl/conf 2016-12-14 01:21:24.000000000 +1000
--- a/auto/lib/openssl/conf +++ nginx-1.11.7-wolfssl/auto/lib/openssl/conf 2017-01-17 16:09:53.864946344 +1000
+++ b/auto/lib/openssl/conf @@ -53,8 +53,33 @@
@@ -61,8 +61,33 @@ else
ngx_feature_path= ngx_feature_path=
ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL" ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL"
ngx_feature_test="SSL_CTX_set_options(NULL, 0)" ngx_feature_test="SSL_CTX_set_options(NULL, 0)"
+ +
+ if [ $WOLFSSL != NONE ]; then + if [ $WOLFSSL != NONE ]; then
+ ngx_feature="wolfSSL library in $WOLFSSL" + ngx_feature="wolfSSL library in $WOLFSSL"
+ ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include" + ngx_feature_path="$WOLFSSL/include/wolfssl"
+ +
+ if [ $NGX_RPATH = YES ]; then + if [ $NGX_RPATH = YES ]; then
+ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" + ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
@ -17,7 +16,7 @@ index e7d3795..f65d9d5 100644
+ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" + ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
+ fi + fi
+ +
+ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl $WOLFSSL/include" + CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl"
+ CFLAGS="$CFLAGS -DWOLFSSL_NGINX" + CFLAGS="$CFLAGS -DWOLFSSL_NGINX"
+ fi + fi
+ +
@ -36,11 +35,10 @@ index e7d3795..f65d9d5 100644
if [ $ngx_found = no ]; then if [ $ngx_found = no ]; then
# FreeBSD port # FreeBSD port
diff --git a/auto/options b/auto/options diff -ur nginx-1.11.7/auto/options nginx-1.11.7-wolfssl/auto/options
index 43724b1..b26fd9d 100644 --- nginx-1.11.7/auto/options 2016-12-14 01:21:24.000000000 +1000
--- a/auto/options +++ nginx-1.11.7-wolfssl/auto/options 2017-01-17 16:09:53.864946344 +1000
+++ b/auto/options @@ -141,6 +141,7 @@
@@ -141,6 +141,7 @@ PCRE_OPT=
PCRE_CONF_OPT= PCRE_CONF_OPT=
PCRE_JIT=NO PCRE_JIT=NO
@ -48,7 +46,7 @@ index 43724b1..b26fd9d 100644
USE_OPENSSL=NO USE_OPENSSL=NO
OPENSSL=NONE OPENSSL=NONE
@@ -345,6 +346,7 @@ use the \"--with-mail_ssl_module\" option instead" @@ -345,6 +346,7 @@
--with-pcre-opt=*) PCRE_OPT="$value" ;; --with-pcre-opt=*) PCRE_OPT="$value" ;;
--with-pcre-jit) PCRE_JIT=YES ;; --with-pcre-jit) PCRE_JIT=YES ;;
@ -56,26 +54,24 @@ index 43724b1..b26fd9d 100644
--with-openssl=*) OPENSSL="$value" ;; --with-openssl=*) OPENSSL="$value" ;;
--with-openssl-opt=*) OPENSSL_OPT="$value" ;; --with-openssl-opt=*) OPENSSL_OPT="$value" ;;
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c diff -ur nginx-1.11.7/src/event/ngx_event_openssl.c nginx-1.11.7-wolfssl/src/event/ngx_event_openssl.c
index 3c74b7b..ed58274 100644 --- nginx-1.11.7/src/event/ngx_event_openssl.c 2016-12-14 01:21:24.000000000 +1000
--- a/src/event/ngx_event_openssl.c +++ nginx-1.11.7-wolfssl/src/event/ngx_event_openssl.c 2017-01-18 16:30:54.859646118 +1000
+++ b/src/event/ngx_event_openssl.c @@ -330,6 +330,10 @@
@@ -330,6 +330,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+#ifdef WOLFSSL_NGINX +#ifdef WOLFSSL_NGINX
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); + SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL);
+#endif +#endif
+ +
return NGX_OK; return NGX_OK;
} }
diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c diff -ur nginx-1.11.7/src/event/ngx_event_openssl_stapling.c nginx-1.11.7-wolfssl/src/event/ngx_event_openssl_stapling.c
index d332c11..bfea170 100644 --- nginx-1.11.7/src/event/ngx_event_openssl_stapling.c 2016-12-14 01:21:24.000000000 +1000
--- a/src/event/ngx_event_openssl_stapling.c +++ nginx-1.11.7-wolfssl/src/event/ngx_event_openssl_stapling.c 2017-01-17 16:09:53.864946344 +1000
+++ b/src/event/ngx_event_openssl_stapling.c @@ -313,7 +313,9 @@
@@ -313,7 +313,9 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
for (i = 0; i < n; i++) { for (i = 0; i < n; i++) {
issuer = sk_X509_value(chain, i); issuer = sk_X509_value(chain, i);
if (X509_check_issued(issuer, cert) == X509_V_OK) { if (X509_check_issued(issuer, cert) == X509_V_OK) {
@ -86,11 +82,10 @@ index d332c11..bfea170 100644
X509_up_ref(issuer); X509_up_ref(issuer);
#else #else
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c diff -ur nginx-1.11.7/src/http/modules/ngx_http_ssl_module.c nginx-1.11.7-wolfssl/src/http/modules/ngx_http_ssl_module.c
index 2771ac1..8197ad3 100644 --- nginx-1.11.7/src/http/modules/ngx_http_ssl_module.c 2016-12-14 01:21:24.000000000 +1000
--- a/src/http/modules/ngx_http_ssl_module.c +++ nginx-1.11.7-wolfssl/src/http/modules/ngx_http_ssl_module.c 2017-01-17 16:09:53.864946344 +1000
+++ b/src/http/modules/ngx_http_ssl_module.c @@ -14,7 +14,11 @@
@@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
ngx_pool_t *pool, ngx_str_t *s); ngx_pool_t *pool, ngx_str_t *s);
@ -102,10 +97,9 @@ index 2771ac1..8197ad3 100644
#define NGX_DEFAULT_ECDH_CURVE "auto" #define NGX_DEFAULT_ECDH_CURVE "auto"
#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1" #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c diff -ur nginx-1.11.7/src/mail/ngx_mail_ssl_module.c nginx-1.11.7-wolfssl/src/mail/ngx_mail_ssl_module.c
index fbc9bc7..1fc3504 100644 --- nginx-1.11.7/src/mail/ngx_mail_ssl_module.c 2016-12-14 01:21:25.000000000 +1000
--- a/src/mail/ngx_mail_ssl_module.c +++ nginx-1.11.7-wolfssl/src/mail/ngx_mail_ssl_module.c 2017-01-17 16:09:53.864946344 +1000
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -10,7 +10,11 @@ @@ -10,7 +10,11 @@
#include <ngx_mail.h> #include <ngx_mail.h>
@ -118,11 +112,10 @@ index fbc9bc7..1fc3504 100644
#define NGX_DEFAULT_ECDH_CURVE "auto" #define NGX_DEFAULT_ECDH_CURVE "auto"
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c diff -ur nginx-1.11.7/src/stream/ngx_stream_ssl_module.c nginx-1.11.7-wolfssl/src/stream/ngx_stream_ssl_module.c
index fb653c5..236d91c 100644 --- nginx-1.11.7/src/stream/ngx_stream_ssl_module.c 2016-12-14 01:21:25.000000000 +1000
--- a/src/stream/ngx_stream_ssl_module.c +++ nginx-1.11.7-wolfssl/src/stream/ngx_stream_ssl_module.c 2017-01-17 16:09:53.864946344 +1000
+++ b/src/stream/ngx_stream_ssl_module.c @@ -14,7 +14,11 @@
@@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
ngx_pool_t *pool, ngx_str_t *s); ngx_pool_t *pool, ngx_str_t *s);

139
nginx-1.12.0-wolfssl.patch 100644
View File

@ -0,0 +1,139 @@
diff -ur nginx-1.12.0/auto/lib/openssl/conf nginx-1.12.0-wolfssl/auto/lib/openssl/conf
--- nginx-1.12.0/auto/lib/openssl/conf 2017-04-13 00:46:01.000000000 +1000
+++ nginx-1.12.0-wolfssl/auto/lib/openssl/conf 2017-04-13 09:53:49.670278950 +1000
@@ -61,8 +61,33 @@
ngx_feature_path=
ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL"
ngx_feature_test="SSL_CTX_set_options(NULL, 0)"
+
+ if [ $WOLFSSL != NONE ]; then
+ ngx_feature="wolfSSL library in $WOLFSSL"
+ ngx_feature_path="$WOLFSSL/include/wolfssl"
+
+ if [ $NGX_RPATH = YES ]; then
+ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
+ else
+ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
+ fi
+
+ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl"
+ CFLAGS="$CFLAGS -DWOLFSSL_NGINX"
+ fi
+
. auto/feature
+ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then
+cat << END
+
+$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl.
+SSL modules require the wolfSSL library.
+
+END
+ exit 1
+ fi
+
if [ $ngx_found = no ]; then
# FreeBSD port
diff -ur nginx-1.12.0/auto/options nginx-1.12.0-wolfssl/auto/options
--- nginx-1.12.0/auto/options 2017-04-13 00:46:01.000000000 +1000
+++ nginx-1.12.0-wolfssl/auto/options 2017-04-13 09:52:52.646047189 +1000
@@ -143,6 +143,7 @@
USE_OPENSSL=NO
OPENSSL=NONE
+WOLFSSL=NONE
USE_ZLIB=NO
ZLIB=NONE
@@ -345,6 +346,7 @@
--with-pcre-opt=*) PCRE_OPT="$value" ;;
--with-pcre-jit) PCRE_JIT=YES ;;
+ --with-wolfssl=*) WOLFSSL="$value" ;;
--with-openssl=*) OPENSSL="$value" ;;
--with-openssl-opt=*) OPENSSL_OPT="$value" ;;
@@ -563,6 +565,7 @@
--with-libatomic force libatomic_ops library usage
--with-libatomic=DIR set path to libatomic_ops library sources
+ --with-wolfssl=DIR set path to wolfSSL headers and library
--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
Only in nginx-1.12.0-wolfssl: Makefile
Only in nginx-1.12.0-wolfssl: objs
diff -ur nginx-1.12.0/src/event/ngx_event_openssl.c nginx-1.12.0-wolfssl/src/event/ngx_event_openssl.c
--- nginx-1.12.0/src/event/ngx_event_openssl.c 2017-04-13 00:46:01.000000000 +1000
+++ nginx-1.12.0-wolfssl/src/event/ngx_event_openssl.c 2017-04-13 09:54:22.594624149 +1000
@@ -340,6 +340,10 @@
SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+#ifdef WOLFSSL_NGINX
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL);
+#endif
+
return NGX_OK;
}
diff -ur nginx-1.12.0/src/event/ngx_event_openssl_stapling.c nginx-1.12.0-wolfssl/src/event/ngx_event_openssl_stapling.c
--- nginx-1.12.0/src/event/ngx_event_openssl_stapling.c 2017-04-13 00:46:01.000000000 +1000
+++ nginx-1.12.0-wolfssl/src/event/ngx_event_openssl_stapling.c 2017-04-13 09:54:56.830970748 +1000
@@ -313,7 +313,9 @@
for (i = 0; i < n; i++) {
issuer = sk_X509_value(chain, i);
if (X509_check_issued(issuer, cert) == X509_V_OK) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100001L
+#ifdef WOLFSSL_NGINX
+ issuer = X509_dup(issuer);
+#elif OPENSSL_VERSION_NUMBER >= 0x10100001L
X509_up_ref(issuer);
#else
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
diff -ur nginx-1.12.0/src/http/modules/ngx_http_ssl_module.c nginx-1.12.0-wolfssl/src/http/modules/ngx_http_ssl_module.c
--- nginx-1.12.0/src/http/modules/ngx_http_ssl_module.c 2017-04-13 00:46:02.000000000 +1000
+++ nginx-1.12.0-wolfssl/src/http/modules/ngx_http_ssl_module.c 2017-04-13 09:56:08.267656857 +1000
@@ -14,7 +14,11 @@
ngx_pool_t *pool, ngx_str_t *s);
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"
#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
diff -ur nginx-1.12.0/src/mail/ngx_mail_ssl_module.c nginx-1.12.0-wolfssl/src/mail/ngx_mail_ssl_module.c
--- nginx-1.12.0/src/mail/ngx_mail_ssl_module.c 2017-04-13 00:46:02.000000000 +1000
+++ nginx-1.12.0-wolfssl/src/mail/ngx_mail_ssl_module.c 2017-04-13 09:56:36.643916645 +1000
@@ -10,7 +10,11 @@
#include <ngx_mail.h>
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"
diff -ur nginx-1.12.0/src/stream/ngx_stream_ssl_module.c nginx-1.12.0-wolfssl/src/stream/ngx_stream_ssl_module.c
--- nginx-1.12.0/src/stream/ngx_stream_ssl_module.c 2017-04-13 00:46:02.000000000 +1000
+++ nginx-1.12.0-wolfssl/src/stream/ngx_stream_ssl_module.c 2017-04-13 09:57:09.364207951 +1000
@@ -14,7 +14,11 @@
ngx_pool_t *pool, ngx_str_t *s);
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"

8
ssl_ecc.t
View File

@ -92,7 +92,8 @@ EOF
$t->write_file('certserial', '1000'); $t->write_file('certserial', '1000');
$t->write_file('certindex', ''); $t->write_file('certindex', '');
system("openssl ecparam -genkey -name prime256v1 -out '$d/issuer.key'") == 0 system("openssl ecparam -genkey -name prime256v1 -out '$d/issuer.key' "
. ">>$d/openssl.out 2>&1") == 0
or die "Can't create ECC public key for issuer: $!\n"; or die "Can't create ECC public key for issuer: $!\n";
system('openssl req -x509 -new ' system('openssl req -x509 -new '
. "-config '$d/openssl.conf' -subj '/CN=issuer/' " . "-config '$d/openssl.conf' -subj '/CN=issuer/' "
@ -100,7 +101,8 @@ system('openssl req -x509 -new '
. ">>$d/openssl.out 2>&1") == 0 . ">>$d/openssl.out 2>&1") == 0
or die "Can't create certificate for issuer: $!\n"; or die "Can't create certificate for issuer: $!\n";
system("openssl ecparam -genkey -name prime256v1 -out '$d/subject.key'") == 0 system("openssl ecparam -genkey -name prime256v1 -out '$d/subject.key' "
. ">>$d/openssl.out 2>&1") == 0
or die "Can't create ECC public key for subject: $!\n"; or die "Can't create ECC public key for subject: $!\n";
system("openssl req -new " system("openssl req -new "
. "-config '$d/openssl.conf' -subj '/CN=subject/' " . "-config '$d/openssl.conf' -subj '/CN=subject/' "
@ -116,7 +118,7 @@ system("openssl ca -batch -config '$d/ca.conf' "
foreach my $name ('localhost') { foreach my $name ('localhost') {
system("openssl ecparam -genkey -name prime256v1 " system("openssl ecparam -genkey -name prime256v1 "
. "-out '$d/$name.key'") == 0 . "-out '$d/$name.key' >>$d/openssl.out 2>&1") == 0
or die "Can't create ECC public key for $name: $!\n"; or die "Can't create ECC public key for $name: $!\n";
system('openssl req -x509 -new ' system('openssl req -x509 -new '
. "-config '$d/openssl.conf' -subj '/CN=$name/' " . "-config '$d/openssl.conf' -subj '/CN=$name/' "