From ac2d0f3cacad721728373c4aee616b2157d4ef9e Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Mon, 28 Oct 2019 16:51:23 +0100
Subject: [PATCH] Support for nginx-1.16.1
---
nginx-1.16.1-wolfssl-debug.patch | 112 +++++++++++
nginx-1.16.1-wolfssl.patch | 308 +++++++++++++++++++++++++++++++
2 files changed, 420 insertions(+)
create mode 100644 nginx-1.16.1-wolfssl-debug.patch
create mode 100644 nginx-1.16.1-wolfssl.patch
diff --git a/nginx-1.16.1-wolfssl-debug.patch b/nginx-1.16.1-wolfssl-debug.patch
new file mode 100644
index 0000000..50f04cd
--- /dev/null
+++ b/nginx-1.16.1-wolfssl-debug.patch
@@ -0,0 +1,112 @@
+diff -ur nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c nginx-1.16.1-wolfssl-debug/src/event/ngx_event_openssl.c
+--- nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c 2019-10-17 09:01:12.991526380 +1000
++++ nginx-1.16.1-wolfssl-debug/src/event/ngx_event_openssl.c 2019-10-17 08:32:00.850631120 +1000
+@@ -164,6 +164,11 @@
+
+ #endif
+
++#ifdef WOLFSSL_NGINX
++ /* Turn on internal wolfssl debugging to stdout */
++ wolfSSL_Debugging_ON();
++#endif
++
+ #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+ #ifndef SSL_OP_NO_COMPRESSION
+ {
+@@ -1579,9 +1584,7 @@
+ {
+ #ifdef TLS1_3_VERSION
+ if (c->ssl->session) {
+- #if !defined(WOLFSSL_NGINX)
+ SSL_SESSION_up_ref(c->ssl->session);
+- #endif
+ return c->ssl->session;
+ }
+ #endif
+diff -ur nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c.orig nginx-1.16.1-wolfssl-debug/src/event/ngx_event_openssl.c.orig
+--- nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c.orig 2019-10-17 08:23:11.313946458 +1000
++++ nginx-1.16.1-wolfssl-debug/src/event/ngx_event_openssl.c.orig 2019-10-17 08:30:33.163460161 +1000
+@@ -384,6 +384,10 @@
+
+ SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+
++#ifdef WOLFSSL_NGINX
++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL);
++#endif
++
+ return NGX_OK;
+ }
+
+@@ -863,6 +867,14 @@
+
+
+ ngx_int_t
++ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl)
++{
++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
++
++ return NGX_OK;
++}
++
++ngx_int_t
+ ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
+ ngx_int_t depth)
+ {
+@@ -1370,7 +1382,8 @@
+ * maximum interoperability.
+ */
+
+-#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST)
++#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) || \
++ defined(WOLFSSL_NGINX)
+
+ /*
+ * OpenSSL 1.0.2+ allows configuring a curve list instead of a single
+@@ -3929,7 +3942,8 @@
+ return -1;
+ }
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \
++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS))
+ if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) {
+ ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
+ return -1;
+@@ -3973,7 +3987,8 @@
+ size = 32;
+ }
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \
++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS))
+ if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) {
+ ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
+ return -1;
+diff -ur nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.h nginx-1.16.1-wolfssl-debug/src/event/ngx_event_openssl.h
+--- nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.h 2019-10-17 09:09:02.955768195 +1000
++++ nginx-1.16.1-wolfssl-debug/src/event/ngx_event_openssl.h 2019-10-17 08:30:33.163460161 +1000
+@@ -14,7 +14,6 @@
+
+ #ifdef WOLFSSL_NGINX
+ #include
+-#include
+ #endif
+ #include
+ #include
+Only in nginx-1.16.1-wolfssl/src/event: .ngx_event_openssl.h.swp
+diff -ur nginx-1.16.1-wolfssl/src/http/ngx_http_request.c nginx-1.16.1-wolfssl-debug/src/http/ngx_http_request.c
+--- nginx-1.16.1-wolfssl/src/http/ngx_http_request.c 2019-10-17 08:49:18.234819519 +1000
++++ nginx-1.16.1-wolfssl-debug/src/http/ngx_http_request.c 2019-10-17 08:30:33.163460161 +1000
+@@ -851,12 +851,6 @@
+
+
+ #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+-#ifndef SSL_AD_NO_RENEGOTIATION
+-#define SSL_AD_NO_RENEGOTIATION 100
+-#endif
+-#ifndef SSL_AD_INTERNAL_ERROR
+-#define SSL_AD_INTERNAL_ERROR 80
+-#endif
+
+ int
+ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
diff --git a/nginx-1.16.1-wolfssl.patch b/nginx-1.16.1-wolfssl.patch
new file mode 100644
index 0000000..2c26430
--- /dev/null
+++ b/nginx-1.16.1-wolfssl.patch
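Review bot: nginx-1.16.1-wolfssl-debug.patch does more than add the `wolfSSL_Debugging_ON()` call; its later hunks undo parts of nginx-1.16.1-wolfssl.patch from the same commit — the `#if !defined(WOLFSSL_NGINX)` guard around `SSL_SESSION_up_ref()`, one of the two wolfSSL `#include` lines in ngx_event_openssl.h, and the `SSL_AD_NO_RENEGOTIATION`/`SSL_AD_INTERNAL_ERROR` fallback defines in ngx_http_request.c are all removed again. The hunks against `ngx_event_openssl.c.orig` and the `Only in ...: .ngx_event_openssl.h.swp` line indicate the file came from `diff -ur` between two working trees that were not at the same base, so these reversals look accidental rather than intended, and regenerating the debug patch on top of the applied main patch should leave only the `wolfSSL_Debugging_ON()` hunk. That remaining hunk would also benefit from a comment stating that it turns on library-wide internal logging (to stdout, per the existing comment) and is meant for debug builds only, e.g. `/* Debug builds only: enables wolfSSL-internal logging of TLS processing to stdout */`. The function that hunk sits in starts outside the hunk.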
@@ -0,0 +1,308 @@
+diff -ur nginx/auto/lib/openssl/conf nginx-1.16.1-wolfssl/auto/lib/openssl/conf
+--- nginx/auto/lib/openssl/conf 2019-10-28 17:04:55.111782394 +0100
++++ nginx-1.16.1-wolfssl/auto/lib/openssl/conf 2019-10-28 16:59:15.481019251 +0100
+@@ -62,8 +62,33 @@
+ ngx_feature_path=
+ ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD"
+ ngx_feature_test="SSL_CTX_set_options(NULL, 0)"
++
++ if [ $WOLFSSL != NONE ]; then
++ ngx_feature="wolfSSL library in $WOLFSSL"
++ ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include"
++
++ if [ $NGX_RPATH = YES ]; then
++ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
++ else
++ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
++ fi
++
++ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl"
++ CFLAGS="$CFLAGS -DWOLFSSL_NGINX"
++ fi
++
+ . auto/feature
+
++ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then
++cat << END
++
++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl.
++SSL modules require the wolfSSL library.
++
++END
++ exit 1
++ fi
++
+ if [ $ngx_found = no ]; then
+
+ # FreeBSD port
+diff -ur nginx/auto/options nginx-1.16.1-wolfssl/auto/options
+--- nginx/auto/options 2019-10-28 17:04:55.111782394 +0100
++++ nginx-1.16.1-wolfssl/auto/options 2019-10-28 16:59:15.485019190 +0100
+@@ -147,6 +147,7 @@
+
+ USE_OPENSSL=NO
+ OPENSSL=NONE
++WOLFSSL=NONE
+
+ USE_ZLIB=NO
+ ZLIB=NONE
+@@ -355,6 +356,7 @@
+ --with-pcre-opt=*) PCRE_OPT="$value" ;;
+ --with-pcre-jit) PCRE_JIT=YES ;;
+
++ --with-wolfssl=*) WOLFSSL="$value" ;;
+ --with-openssl=*) OPENSSL="$value" ;;
+ --with-openssl-opt=*) OPENSSL_OPT="$value" ;;
+
+@@ -579,6 +581,7 @@
+ --with-libatomic force libatomic_ops library usage
+ --with-libatomic=DIR set path to libatomic_ops library sources
+
++ --with-wolfssl=DIR set path to wolfSSL headers and library
+ --with-openssl=DIR set path to OpenSSL library sources
+ --with-openssl-opt=OPTIONS set additional build options for OpenSSL
+
+Only in nginx: .git
+diff -ur nginx/src/event/ngx_event_openssl.c nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c
+--- nginx/src/event/ngx_event_openssl.c 2019-10-28 17:06:07.286673633 +0100
++++ nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c 2019-10-28 16:59:15.485019190 +0100
+@@ -384,6 +384,10 @@
+
+ SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+
++#ifdef WOLFSSL_NGINX
++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL);
++#endif
++
+ return NGX_OK;
+ }
+
+@@ -863,6 +867,14 @@
+
+
+ ngx_int_t
++ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl)
++{
++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
++
++ return NGX_OK;
++}
++
++ngx_int_t
+ ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
+ ngx_int_t depth)
+ {
+@@ -1370,7 +1382,8 @@
+ * maximum interoperability.
+ */
+
+-#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST)
++#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) || \
++ defined(WOLFSSL_NGINX)
+
+ /*
+ * OpenSSL 1.0.2+ allows configuring a curve list instead of a single
+@@ -1491,10 +1504,32 @@
+ ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
+ {
+ ngx_connection_t *c;
++#ifdef WOLFSSL_NGINX
++ int len;
++ unsigned char buf[NGX_SSL_MAX_SESSION_SIZE];
++#endif
+
+ c = ngx_ssl_get_connection(ssl_conn);
+
+ if (c->ssl->save_session) {
++#ifdef WOLFSSL_NGINX
++ len = i2d_SSL_SESSION(sess, NULL);
++
++ /* do not cache too big session */
++ if (len > NGX_SSL_MAX_SESSION_SIZE) {
++ return -1;
++ }
++
++ len = i2d_SSL_SESSION(sess, (unsigned char**) &buf);
++ if (len <= 0) {
++ return -1;
++ }
++ sess = d2i_SSL_SESSION(NULL, (const unsigned char**) &buf, len);
++ if (!sess) {
++ return -1;
++ }
++#endif
++
+ c->ssl->session = sess;
+
+ c->ssl->save_session(c);
+@@ -1566,7 +1601,9 @@
+ {
+ #ifdef TLS1_3_VERSION
+ if (c->ssl->session) {
++ #if !defined(WOLFSSL_NGINX)
+ SSL_SESSION_up_ref(c->ssl->session);
++ #endif
+ return c->ssl->session;
+ }
+ #endif
+@@ -3929,7 +3966,8 @@
+ return -1;
+ }
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \
++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS))
+ if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) {
+ ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
+ return -1;
+@@ -3973,7 +4011,8 @@
+ size = 32;
+ }
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \
++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS))
+ if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) {
+ ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
+ return -1;
+diff -ur nginx/src/event/ngx_event_openssl.h nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.h
+--- nginx/src/event/ngx_event_openssl.h 2019-10-28 17:04:55.111782394 +0100
++++ nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.h 2019-10-28 16:59:15.485019190 +0100
+@@ -12,6 +12,10 @@
+ #include
+ #include
+
++#ifdef WOLFSSL_NGINX
++#include
++#include
++#endif
+ #include
+ #include
+ #include
+@@ -59,7 +63,7 @@
+ #define ngx_ssl_conn_t SSL
+
+
+-#if (OPENSSL_VERSION_NUMBER < 0x10002000L)
++#if (OPENSSL_VERSION_NUMBER < 0x10002000L) && !defined(WOLFSSL_NGINX)
+ #define SSL_is_server(s) (s)->server
+ #endif
+
+@@ -171,6 +175,7 @@
+
+ ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
+ ngx_uint_t prefer_server_ciphers);
++ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl);
+ ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_str_t *cert, ngx_int_t depth);
+ ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
+diff -ur nginx/src/event/ngx_event_openssl_stapling.c nginx-1.16.1-wolfssl/src/event/ngx_event_openssl_stapling.c
+--- nginx/src/event/ngx_event_openssl_stapling.c 2019-10-28 17:04:55.111782394 +0100
++++ nginx-1.16.1-wolfssl/src/event/ngx_event_openssl_stapling.c 2019-10-28 16:59:15.485019190 +0100
+@@ -313,7 +313,9 @@
+ for (i = 0; i < n; i++) {
+ issuer = sk_X509_value(chain, i);
+ if (X509_check_issued(issuer, cert) == X509_V_OK) {
+-#if OPENSSL_VERSION_NUMBER >= 0x10100001L
++#ifdef WOLFSSL_NGINX
++ issuer = X509_dup(issuer);
++#elif OPENSSL_VERSION_NUMBER >= 0x10100001L
+ X509_up_ref(issuer);
+ #else
+ CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
+diff -ur nginx/src/http/modules/ngx_http_proxy_module.c nginx-1.16.1-wolfssl/src/http/modules/ngx_http_proxy_module.c
+--- nginx/src/http/modules/ngx_http_proxy_module.c 2019-10-28 17:04:55.111782394 +0100
++++ nginx-1.16.1-wolfssl/src/http/modules/ngx_http_proxy_module.c 2019-10-28 16:59:15.489019127 +0100
+@@ -4307,6 +4307,8 @@
+ return NGX_ERROR;
+ }
+
++ ngx_ssl_set_verify_on(cf, plcf->upstream.ssl);
++
+ if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl,
+ &plcf->ssl_trusted_certificate,
+ plcf->ssl_verify_depth)
+diff -ur nginx/src/http/modules/ngx_http_ssl_module.c nginx-1.16.1-wolfssl/src/http/modules/ngx_http_ssl_module.c
+--- nginx/src/http/modules/ngx_http_ssl_module.c 2019-10-28 17:06:07.286673633 +0100
++++ nginx-1.16.1-wolfssl/src/http/modules/ngx_http_ssl_module.c 2019-10-28 16:59:15.489019127 +0100
+@@ -14,7 +14,11 @@
+ ngx_pool_t *pool, ngx_str_t *s);
+
+
++#ifndef WOLFSSL_NGINX
+ #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS "ALL"
++#endif
+ #define NGX_DEFAULT_ECDH_CURVE "auto"
+
+ #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
+@@ -810,8 +814,10 @@
+ return NGX_CONF_ERROR;
+ }
+
++#ifndef WOLFSSL_NGINX
+ ngx_conf_merge_value(conf->builtin_session_cache,
+ prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
++#endif
+
+ if (conf->shm_zone == NULL) {
+ conf->shm_zone = prev->shm_zone;
+diff -ur nginx/src/http/ngx_http_request.c nginx-1.16.1-wolfssl/src/http/ngx_http_request.c
+--- nginx/src/http/ngx_http_request.c 2019-10-28 17:04:55.111782394 +0100
++++ nginx-1.16.1-wolfssl/src/http/ngx_http_request.c 2019-10-28 16:59:15.485019190 +0100
+@@ -851,6 +851,12 @@
+
+
+ #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
++#ifndef SSL_AD_NO_RENEGOTIATION
++#define SSL_AD_NO_RENEGOTIATION 100
++#endif
++#ifndef SSL_AD_INTERNAL_ERROR
++#define SSL_AD_INTERNAL_ERROR 80
++#endif
+
+ int
+ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+diff -ur nginx/src/mail/ngx_mail_ssl_module.c nginx-1.16.1-wolfssl/src/mail/ngx_mail_ssl_module.c
+--- nginx/src/mail/ngx_mail_ssl_module.c 2019-10-28 17:04:55.111782394 +0100
++++ nginx-1.16.1-wolfssl/src/mail/ngx_mail_ssl_module.c 2019-10-28 16:59:15.489019127 +0100
+@@ -10,7 +10,11 @@
+ #include
+
+
++#ifndef WOLFSSL_NGINX
+ #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS "ALL"
++#endif
+ #define NGX_DEFAULT_ECDH_CURVE "auto"
+
+
+diff -ur nginx/src/stream/ngx_stream_proxy_module.c nginx-1.16.1-wolfssl/src/stream/ngx_stream_proxy_module.c
+--- nginx/src/stream/ngx_stream_proxy_module.c 2019-10-28 17:04:55.111782394 +0100
++++ nginx-1.16.1-wolfssl/src/stream/ngx_stream_proxy_module.c 2019-10-28 16:59:15.493019066 +0100
+@@ -2131,6 +2131,8 @@
+ return NGX_ERROR;
+ }
+
++ ngx_ssl_set_verify_on(cf, pscf->ssl);
++
+ if (ngx_ssl_trusted_certificate(cf, pscf->ssl,
+ &pscf->ssl_trusted_certificate,
+ pscf->ssl_verify_depth)
+diff -ur nginx/src/stream/ngx_stream_ssl_module.c nginx-1.16.1-wolfssl/src/stream/ngx_stream_ssl_module.c
+--- nginx/src/stream/ngx_stream_ssl_module.c 2019-10-28 17:04:55.111782394 +0100
++++ nginx-1.16.1-wolfssl/src/stream/ngx_stream_ssl_module.c 2019-10-28 16:59:15.493019066 +0100
+@@ -14,7 +14,11 @@
+ ngx_pool_t *pool, ngx_str_t *s);
+
+
++#ifndef WOLFSSL_NGINX
+ #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
++#else
++#define NGX_DEFAULT_CIPHERS "ALL"
++#endif
+ #define NGX_DEFAULT_ECDH_CURVE "auto"
+
+
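Review bot: In the `ngx_ssl_new_client_session` hunk of ngx_event_openssl.c, `i2d_SSL_SESSION(sess, (unsigned char**) &buf)` and `d2i_SSL_SESSION(NULL, (const unsigned char**) &buf, len)` pass the address of the array object itself, so a callee that dereferences its `unsigned char **` argument reads the first bytes of the uninitialised `buf` as the output/input pointer instead of using `buf` as the buffer; unless wolfSSL's i2d/d2i ignore `*pp` on entry, the serialised session is written through an indeterminate pointer. The conventional form is a separate cursor variable that is reset to `buf` before the d2i call, as sketched below. Separately, the three `NGX_DEFAULT_CIPHERS "ALL"` definitions (http, mail and stream ssl modules) replace nginx's `HIGH:!aNULL:!MD5` default with a list that admits whatever the wolfSSL build enables, including anonymous or legacy suites if they are compiled in, so that policy change should at least be stated in a comment next to the define or narrowed to an equivalent exclusion list if wolfSSL's cipher-string parser accepts one. The two `HMAC_Init_ex` guards now skip `WOLFSSL_NGINX && HAVE_FIPS` builds; if the `#else` branch outside the hunk is nginx's unchecked legacy call, a FIPS build silently ignores an HMAC init failure for session-ticket keys and needs its own check. `ngx_ssl_new_client_session` continues past the end of the hunk.
```c
    ngx_connection_t  *c;
#ifdef WOLFSSL_NGINX
    int                len;
    unsigned char      buf[NGX_SSL_MAX_SESSION_SIZE];
    unsigned char     *p;   /* cursor: i2d/d2i advance *pp, so never pass &buf */
#endif
/* … unchanged: ngx_ssl_get_connection(), save_session check, size check … */
        p = buf;
        len = i2d_SSL_SESSION(sess, &p);
        if (len <= 0) {
            return -1;
        }
        p = buf;
        sess = d2i_SSL_SESSION(NULL, (const unsigned char **) &p, len);
        if (!sess) {
            return -1;
        }
```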