From 795e3c9f683ba74367ed8ce20ffe4e61742e3f5e Mon Sep 17 00:00:00 2001 From: Sean Parkinson Date: Mon, 3 Jul 2017 18:34:36 +1000 Subject: [PATCH] Update for Nginx 1.13.2 support in wolfSSL --- README.md | 6 +- conf/nginx.conf | 19 +++ nginx-1.13.2-wolfssl-debug.patch | 15 +++ nginx-1.13.2-wolfssl.patch | 197 +++++++++++++++++++++++++++++++ test.sh | 18 ++- 5 files changed, 249 insertions(+), 6 deletions(-) create mode 100644 nginx-1.13.2-wolfssl-debug.patch create mode 100644 nginx-1.13.2-wolfssl.patch diff --git a/README.md b/README.md index 993ed7f..d3f909c 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,7 @@ and recompilation is required. The tested versions: - wolfSSL 3.11 + - Nginx 1.13.2 - Nginx 1.12.0 - Nginx 1.11.13 - Nginx 1.11.10 @@ -42,9 +43,8 @@ There will be skips of SSL tests for the following reasons: - no multiple certificates (ssl_certificate.t) - many not work, leaves coredump (ssl_engine_keys.t) --There will be failures of SSL tests for the following reasons: -- - no support for setting verification depth -- - no support for certificate authorities in certificate request ("no trusted sent") +No failure of SSL tests are expected. + Note: the file ssl_ecc.t in wolfssl-nginx can be used with the Nginx test system. diff --git a/conf/nginx.conf b/conf/nginx.conf index d289aeb..4e5b832 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -99,6 +99,25 @@ http { index index.html; } } + # Using TLS v1.3 + server { + listen 11447 ssl; + server_name localhost; + + ssl_certificate cert.pem; + ssl_certificate_key cert.key; + + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 5m; + + ssl_ciphers TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384; + ssl_prefer_server_ciphers on; + + location / { + root html; + index index.html; + } + } # Session ticket server { diff --git a/nginx-1.13.2-wolfssl-debug.patch b/nginx-1.13.2-wolfssl-debug.patch new file mode 100644 index 0000000..5e444c4 --- /dev/null +++ b/nginx-1.13.2-wolfssl-debug.patch 
@@ -0,0 +1,15 @@ +diff -ur nginx-1.13.2-wolfssl/src/event/ngx_event_openssl.c nginx-1.13.2-wolfssl-debug/src/event/ngx_event_openssl.c +--- nginx-1.13.2-wolfssl/src/event/ngx_event_openssl.c 2017-06-29 10:18:05.421755825 +1000 ++++ nginx-1.13.2-wolfssl-debug/src/event/ngx_event_openssl.c 2017-06-29 10:46:26.172278923 +1000 +@@ -144,6 +144,11 @@ + + #endif + ++#ifdef WOLFSSL_NGINX ++ /* Turn on internal wolfssl debugging to stdout */ ++ wolfSSL_Debugging_ON(); ++#endif ++ + #if OPENSSL_VERSION_NUMBER >= 0x0090800fL + #ifndef SSL_OP_NO_COMPRESSION + { diff --git a/nginx-1.13.2-wolfssl.patch b/nginx-1.13.2-wolfssl.patch new file mode 100644 index 0000000..be6e55e --- /dev/null +++ b/nginx-1.13.2-wolfssl.patch 
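Review bot: The inner hunk discards the return value of `wolfSSL_Debugging_ON();`, so a wolfSSL library built without debug support silently produces no output and nothing tells the operator that the switch had no effect. The comment should at least record the prerequisite, e.g. `/* Turn on internal wolfssl debugging to stdout; requires a wolfSSL build with debugging enabled */`, and checking the result and reporting it through the caller's log would make the failure visible. The enclosing function starts and ends outside the inner hunk.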
@@ -0,0 +1,197 @@ +diff -ur nginx-1.13.2/auto/lib/openssl/conf nginx-1.13.2-wolfssl/auto/lib/openssl/conf +--- nginx-1.13.2/auto/lib/openssl/conf 2017-06-28 00:44:19.000000000 +1000 ++++ nginx-1.13.2-wolfssl/auto/lib/openssl/conf 2017-06-29 10:18:05.421755825 +1000 +@@ -61,8 +61,33 @@ + ngx_feature_path= + ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL" + ngx_feature_test="SSL_CTX_set_options(NULL, 0)" ++ ++ if [ $WOLFSSL != NONE ]; then ++ ngx_feature="wolfSSL library in $WOLFSSL" ++ ngx_feature_path="$WOLFSSL/include/wolfssl" ++ ++ if [ $NGX_RPATH = YES ]; then ++ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" ++ else ++ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" ++ fi ++ ++ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl" ++ CFLAGS="$CFLAGS -DWOLFSSL_NGINX" ++ fi ++ + . auto/feature + ++ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then ++cat << END ++ ++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl. ++SSL modules require the wolfSSL library. 
++ ++END ++ exit 1 ++ fi ++ + if [ $ngx_found = no ]; then + + # FreeBSD port +diff -ur nginx-1.13.2/auto/options nginx-1.13.2-wolfssl/auto/options +--- nginx-1.13.2/auto/options 2017-06-28 00:44:19.000000000 +1000 ++++ nginx-1.13.2-wolfssl/auto/options 2017-06-29 10:18:05.421755825 +1000 +@@ -143,6 +143,7 @@ + + USE_OPENSSL=NO + OPENSSL=NONE ++WOLFSSL=NONE + + USE_ZLIB=NO + ZLIB=NONE +@@ -345,6 +346,7 @@ + --with-pcre-opt=*) PCRE_OPT="$value" ;; + --with-pcre-jit) PCRE_JIT=YES ;; + ++ --with-wolfssl=*) WOLFSSL="$value" ;; + --with-openssl=*) OPENSSL="$value" ;; + --with-openssl-opt=*) OPENSSL_OPT="$value" ;; + +@@ -563,6 +565,7 @@ + --with-libatomic force libatomic_ops library usage + --with-libatomic=DIR set path to libatomic_ops library sources + ++ --with-wolfssl=DIR set path to wolfSSL headers and library + --with-openssl=DIR set path to OpenSSL library sources + --with-openssl-opt=OPTIONS set additional build options for OpenSSL + +diff -ur nginx-1.13.2/src/event/ngx_event_openssl.c nginx-1.13.2-wolfssl/src/event/ngx_event_openssl.c +--- nginx-1.13.2/src/event/ngx_event_openssl.c 2017-06-28 00:44:20.000000000 +1000 ++++ nginx-1.13.2-wolfssl/src/event/ngx_event_openssl.c 2017-06-29 10:18:05.421755825 +1000 +@@ -346,6 +346,10 @@ + + SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); + ++#ifdef WOLFSSL_NGINX ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL); ++#endif ++ + return NGX_OK; + } + +@@ -654,6 +658,14 @@ + + + ngx_int_t ++ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl) ++{ ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback); ++ ++ return NGX_OK; ++} ++ ++ngx_int_t + ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, + ngx_int_t depth) + { +Only in nginx-1.13.2-wolfssl/src/event: .ngx_event_openssl.c.swp +diff -ur nginx-1.13.2/src/event/ngx_event_openssl.h nginx-1.13.2-wolfssl/src/event/ngx_event_openssl.h +--- nginx-1.13.2/src/event/ngx_event_openssl.h 2017-06-28 00:44:20.000000000 
+1000 ++++ nginx-1.13.2-wolfssl/src/event/ngx_event_openssl.h 2017-06-29 10:33:37.484896533 +1000 +@@ -54,7 +54,7 @@ + #define ngx_ssl_conn_t SSL + + +-#if (OPENSSL_VERSION_NUMBER < 0x10002000L) ++#if (OPENSSL_VERSION_NUMBER < 0x10002000L) && !defined(WOLFSSL_NGINX) + #define SSL_is_server(s) (s)->server + #endif + +@@ -153,6 +153,7 @@ + ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords); + ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, + ngx_uint_t prefer_server_ciphers); ++ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl); + ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, + ngx_str_t *cert, ngx_int_t depth); + ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, +diff -ur nginx-1.13.2/src/event/ngx_event_openssl_stapling.c nginx-1.13.2-wolfssl/src/event/ngx_event_openssl_stapling.c +--- nginx-1.13.2/src/event/ngx_event_openssl_stapling.c 2017-06-28 00:44:20.000000000 +1000 ++++ nginx-1.13.2-wolfssl/src/event/ngx_event_openssl_stapling.c 2017-06-29 10:18:05.421755825 +1000 +@@ -313,7 +313,9 @@ + for (i = 0; i < n; i++) { + issuer = sk_X509_value(chain, i); + if (X509_check_issued(issuer, cert) == X509_V_OK) { +-#if OPENSSL_VERSION_NUMBER >= 0x10100001L ++#ifdef WOLFSSL_NGINX ++ issuer = X509_dup(issuer); ++#elif OPENSSL_VERSION_NUMBER >= 0x10100001L + X509_up_ref(issuer); + #else + CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); +diff -ur nginx-1.13.2/src/http/modules/ngx_http_proxy_module.c nginx-1.13.2-wolfssl/src/http/modules/ngx_http_proxy_module.c +--- nginx-1.13.2/src/http/modules/ngx_http_proxy_module.c 2017-06-28 00:44:20.000000000 +1000 ++++ nginx-1.13.2-wolfssl/src/http/modules/ngx_http_proxy_module.c 2017-06-29 10:18:05.421755825 +1000 +@@ -4373,6 +4373,8 @@ + return NGX_ERROR; + } + ++ ngx_ssl_set_verify_on(cf, plcf->upstream.ssl); ++ + if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl, + &plcf->ssl_trusted_certificate, + plcf->ssl_verify_depth) +diff 
-ur nginx-1.13.2/src/http/modules/ngx_http_ssl_module.c nginx-1.13.2-wolfssl/src/http/modules/ngx_http_ssl_module.c +--- nginx-1.13.2/src/http/modules/ngx_http_ssl_module.c 2017-06-28 00:44:20.000000000 +1000 ++++ nginx-1.13.2-wolfssl/src/http/modules/ngx_http_ssl_module.c 2017-06-29 10:18:05.421755825 +1000 +@@ -14,7 +14,11 @@ + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1" +diff -ur nginx-1.13.2/src/mail/ngx_mail_ssl_module.c nginx-1.13.2-wolfssl/src/mail/ngx_mail_ssl_module.c +--- nginx-1.13.2/src/mail/ngx_mail_ssl_module.c 2017-06-28 00:44:21.000000000 +1000 ++++ nginx-1.13.2-wolfssl/src/mail/ngx_mail_ssl_module.c 2017-06-29 10:18:05.421755825 +1000 +@@ -10,7 +10,11 @@ + #include + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + +diff -ur nginx-1.13.2/src/stream/ngx_stream_proxy_module.c nginx-1.13.2-wolfssl/src/stream/ngx_stream_proxy_module.c +--- nginx-1.13.2/src/stream/ngx_stream_proxy_module.c 2017-06-28 00:44:22.000000000 +1000 ++++ nginx-1.13.2-wolfssl/src/stream/ngx_stream_proxy_module.c 2017-06-29 10:18:05.421755825 +1000 +@@ -1989,6 +1989,8 @@ + return NGX_ERROR; + } + ++ ngx_ssl_set_verify_on(cf, pscf->ssl); ++ + if (ngx_ssl_trusted_certificate(cf, pscf->ssl, + &pscf->ssl_trusted_certificate, + pscf->ssl_verify_depth) +diff -ur nginx-1.13.2/src/stream/ngx_stream_ssl_module.c nginx-1.13.2-wolfssl/src/stream/ngx_stream_ssl_module.c +--- nginx-1.13.2/src/stream/ngx_stream_ssl_module.c 2017-06-28 00:44:22.000000000 +1000 ++++ nginx-1.13.2-wolfssl/src/stream/ngx_stream_ssl_module.c 2017-06-29 10:18:05.421755825 +1000 +@@ -14,7 +14,11 @@ + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS 
"HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + diff --git a/test.sh b/test.sh index dcbb2d9..f5bc1b3 100755 --- a/test.sh +++ b/test.sh @@ -9,7 +9,7 @@ if [ "$WOLFSSL_SOURCE" = "" ]; then fi WOLFSSL_CLIENT="./examples/client/client" WOLFSSL_OCSP_CERTS="${WOLFSSL_SOURCE}/certs/ocsp" -NGINX_CONF="./conf" +NGINX_CONF="./conf/nginx.conf" CLIENT_TMP="/tmp/nginx_client.$$" SERVER_TMP="/tmp/nginx_server.$$" OCSP_GOOD="ocsp-good-status.der" @@ -80,9 +80,11 @@ UNKNOWN=0 run_nginx() { # valgrind --leak-check=full echo ${NGINX_BIN} -p ${WN_PATH} \ + -c $NGINX_CONF \ -g "error_log ${WN_ERROR_LOG} debug;" \ ${NGINX_OPTS} ${NGINX_BIN} -p ${WN_PATH} \ + -c $NGINX_CONF \ -g "error_log ${WN_ERROR_LOG} debug;" \ ${NGINX_OPTS} RES=$? @@ -155,11 +157,11 @@ client() { check_log } client_test() { - OPTS="$OPTS -r -g" + OPTS="$OPTS -r" client } stapling_test() { - OPTS="$OPTS -g -C -A ${WOLFSSL_OCSP_CERTS}/root-ca-cert.pem -W 1" + OPTS="$OPTS -C -A ${WOLFSSL_OCSP_CERTS}/root-ca-cert.pem -W 1" client } @@ -236,6 +238,16 @@ echo "# Port: $PORT" OPTS= EXPECT=("SECP256R1" "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK") client_test +# TLS v1.3 +echo +echo '#' +echo '# TLS v1.3 client connecting to nginx server' +echo '#' +PORT=11447 +echo "# Port: $PORT" +OPTS="-v 4" +EXPECT=("SECP256R1" "TLS_AES_128_GCM_SHA256" "HTTP/1.1 200 OK") +client_test # Session tickets file echo echo '#'