From 8e2a3ba73673f826865b2fb0030204c0fdedb068 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 9 Nov 2023 11:43:04 +0100 Subject: [PATCH] Add patches for 1.24.0 --- nginx-1.24.0-wolfssl-debug.patch | 31 ++ nginx-1.24.0-wolfssl.patch | 271 +++++++++++ ...9d003886e3a24542855fb60355a417f037de.patch | 425 ++++++++++++++++++ 3 files changed, 727 insertions(+) create mode 100644 nginx-1.24.0-wolfssl-debug.patch create mode 100644 nginx-1.24.0-wolfssl.patch create mode 100644 nginx-tests-patches/2023-04-11-212d9d003886e3a24542855fb60355a417f037de.patch diff --git a/nginx-1.24.0-wolfssl-debug.patch b/nginx-1.24.0-wolfssl-debug.patch new file mode 100644 index 0000000..a7c61a5 --- /dev/null +++ b/nginx-1.24.0-wolfssl-debug.patch @@ -0,0 +1,31 @@ +diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c +index 7f9d2c0..8123697 100644 +--- a/src/event/ngx_event_openssl.c ++++ b/src/event/ngx_event_openssl.c +@@ -139,6 +139,13 @@ int ngx_ssl_next_certificate_index; + int ngx_ssl_certificate_name_index; + int ngx_ssl_stapling_index; + ++#ifdef WOLFSSL_NGINX ++void wolfSSL_Log(const int logLevel, const char *const logMessage) ++{ ++ (void)logLevel; ++ ngx_log_stderr(0, "wolfSSL: %s", logMessage); ++} ++#endif + + ngx_int_t + ngx_ssl_init(ngx_log_t *log) +@@ -168,6 +175,12 @@ ngx_ssl_init(ngx_log_t *log) + + #endif + ++#ifdef WOLFSSL_NGINX ++ /* Turn on internal wolfssl debugging to stderr */ ++ wolfSSL_SetLoggingCb(wolfSSL_Log); ++ wolfSSL_Debugging_ON(); ++#endif ++ + #ifndef SSL_OP_NO_COMPRESSION + { + /* diff --git a/nginx-1.24.0-wolfssl.patch b/nginx-1.24.0-wolfssl.patch new file mode 100644 index 0000000..06147ad --- /dev/null +++ b/nginx-1.24.0-wolfssl.patch 
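Review bot: The return value of `wolfSSL_Debugging_ON()` in the block added to `ngx_ssl_init` is discarded; as far as I recall it returns non-zero when wolfSSL was built without debug support, so such a build silently gets no wolfSSL output and nothing in the nginx log says why — `if (wolfSSL_Debugging_ON() != 0) { ngx_log_error(NGX_LOG_WARN, log, 0, "wolfSSL debugging not compiled in"); }` would surface that. The callback `wolfSSL_Log` has external linkage and uses the library's own `wolfSSL_` prefix, which risks a symbol clash with a future library export; `static void ngx_wolfssl_log(const int logLevel, const char *const logMessage)` keeps it file-local and out of that namespace. Since this enables library-internal tracing for every worker and handshake internals end up on stderr, a comment such as `/* DEBUG ONLY: enables wolfSSL internal tracing on stderr; do not apply to production builds */` above the `wolfSSL_SetLoggingCb` call would make the intent of this patch explicit. `ngx_ssl_init` continues outside the hunk.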
@@ -0,0 +1,271 @@ +diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf +index 4fb52df..6f1d44d 100644 +--- a/auto/lib/openssl/conf ++++ b/auto/lib/openssl/conf +@@ -62,8 +62,39 @@ else + ngx_feature_path= + ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD" + ngx_feature_test="SSL_CTX_set_options(NULL, 0)" ++ ++ if [ $WOLFSSL != NONE ]; then ++ ngx_feature="wolfSSL library in $WOLFSSL" ++ ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include" ++ ngx_feature_incs=" ++ #ifndef WOLFSSL_USER_SETTINGS ++ #include ++ #endif ++ #include ++ #include " ++ ++ if [ $NGX_RPATH = YES ]; then ++ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" ++ else ++ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" ++ fi ++ ++ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl" ++ CFLAGS="$CFLAGS -DWOLFSSL_NGINX" ++ fi ++ + . auto/feature + ++ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then ++cat << END ++ ++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl. ++SSL modules require the wolfSSL library. 
++ ++END ++ exit 1 ++ fi ++ + if [ $ngx_found = no ]; then + + # FreeBSD port +diff --git a/auto/options b/auto/options +index 48f3a1a..d08a0ed 100644 +--- a/auto/options ++++ b/auto/options +@@ -150,6 +150,7 @@ PCRE2=YES + + USE_OPENSSL=NO + OPENSSL=NONE ++WOLFSSL=NONE + + USE_ZLIB=NO + ZLIB=NONE +@@ -360,6 +361,7 @@ use the \"--with-mail_ssl_module\" option instead" + --with-pcre-jit) PCRE_JIT=YES ;; + --without-pcre2) PCRE2=DISABLED ;; + ++ --with-wolfssl=*) WOLFSSL="$value" ;; + --with-openssl=*) OPENSSL="$value" ;; + --with-openssl-opt=*) OPENSSL_OPT="$value" ;; + +@@ -586,6 +588,7 @@ cat << END + --with-libatomic force libatomic_ops library usage + --with-libatomic=DIR set path to libatomic_ops library sources + ++ --with-wolfssl=DIR set path to wolfSSL headers and library + --with-openssl=DIR set path to OpenSSL library sources + --with-openssl-opt=OPTIONS set additional build options for OpenSSL + +diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c +index 104e8da..7f9d2c0 100644 +--- a/src/event/ngx_event_openssl.c ++++ b/src/event/ngx_event_openssl.c +@@ -354,6 +354,8 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) + } + #endif + ++#ifndef WOLFSSL_NGINX ++ /* These override the options set above. No need to call this. 
*/ + #ifdef SSL_CTX_set_min_proto_version + SSL_CTX_set_min_proto_version(ssl->ctx, 0); + SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION); +@@ -363,6 +365,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) + SSL_CTX_set_min_proto_version(ssl->ctx, 0); + SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION); + #endif ++#endif + + #ifdef SSL_OP_NO_COMPRESSION + SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION); +@@ -560,6 +563,12 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool, + return NGX_ERROR; + } + ++#ifdef WOLFSSL_NGINX ++ /* Remove current chain */ ++ if (sk_X509_NAME_num(chain) > 0) ++ wolfSSL_UnloadCertsKeys(c->ssl->connection); ++#endif ++ + if (SSL_use_certificate(c->ssl->connection, x509) == 0) { + ngx_ssl_error(NGX_LOG_ERR, c->log, 0, + "SSL_use_certificate(\"%s\") failed", cert->data); +@@ -571,7 +580,9 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool, + X509_free(x509); + + #ifdef SSL_set0_chain +- ++#ifdef WOLFSSL_NGINX ++#error If SSL_set0_chain is defined then reset this function ++#endif + /* + * SSL_set0_chain() is only available in OpenSSL 1.0.2+, + * but this function is only called via certificate callback, +@@ -584,7 +595,19 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool, + sk_X509_pop_free(chain, X509_free); + return NGX_ERROR; + } +- ++#endif ++#ifdef WOLFSSL_NGINX ++ { ++ int i; ++ for (i = sk_X509_num(chain) - 1; i > 0; i--) { ++ if (wolfSSL_add0_chain_cert(c->ssl->connection, ++ sk_X509_value(chain, i)) == 0) { ++ sk_X509_pop_free(chain, X509_free); ++ return NGX_ERROR; ++ } ++ } ++ sk_X509_pop_free(chain, X509_free); ++ } + #endif + + pkey = ngx_ssl_load_certificate_key(pool, &err, key, passwords); +@@ -3354,6 +3377,27 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err, + int n; + ngx_uint_t level; + ++#ifdef WOLFSSL_NGINX ++ WOLFSSL_ALERT_HISTORY h; ++ ++ if (c && c->ssl && c->ssl->connection) { ++ 
wolfSSL_get_alert_history(c->ssl->connection, &h); ++ if (h.last_rx.level == alert_warning || h.last_rx.level == alert_fatal || ++ h.last_tx.level == alert_warning || h.last_tx.level == alert_fatal) { ++ const char *rx_code, *rx_lvl, *tx_code, *tx_lvl; ++ rx_lvl = ((h.last_rx.level == alert_fatal) ? "fatal" : ((h.last_rx.level == alert_warning) ? "warning" : "none")); ++ tx_lvl = ((h.last_tx.level == alert_fatal) ? "fatal" : ((h.last_tx.level == alert_warning) ? "warning" : "none")); ++ rx_code = wolfSSL_alert_desc_string_long(h.last_rx.code); ++ tx_code = wolfSSL_alert_desc_string_long(h.last_tx.code); ++ if (!rx_code) rx_code = "none"; ++ if (!tx_code) tx_code = "none"; ++ ngx_log_error(NGX_LOG_CRIT, c->log, 0, ++ "%s (RX alert: level=%s,code=%s, TX alert: level=%s,code=%s)", ++ text, rx_lvl, rx_code, tx_lvl, tx_code); ++ } ++ } ++#endif ++ + level = NGX_LOG_CRIT; + + if (sslerr == SSL_ERROR_SYSCALL) { +@@ -4573,7 +4617,8 @@ ngx_ssl_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, + return -1; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \ ++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS)) + if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) { + ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); + return -1; +@@ -4616,7 +4661,8 @@ ngx_ssl_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, + size = 32; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \ ++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS)) + if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) { + ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); + return -1; +@@ -5123,6 +5169,14 @@ ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) + + #endif + ++#ifdef WOLFSSL_NGINX ++ s->data = (u_char*)wolfSSL_get_curve_name(c->ssl->connection); ++ if (s->data != NULL) { ++ s->len = ngx_strlen(s->data); ++ return NGX_OK; ++ } ++#endif ++ + 
s->len = 0; + return NGX_OK; + } +diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h +index 860ea26..23bbd64 100644 +--- a/src/event/ngx_event_openssl.h ++++ b/src/event/ngx_event_openssl.h +@@ -14,6 +14,17 @@ + + #define OPENSSL_SUPPRESS_DEPRECATED + ++#ifdef WOLFSSL_NGINX ++#ifdef HAVE_CONFIG_H ++ #include ++#endif ++ ++#ifndef WOLFSSL_USER_SETTINGS ++ #include ++#endif ++#include ++#include ++#endif + #include + #include + #include +diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c +index 4c4a598..6c495aa 100644 +--- a/src/http/modules/ngx_http_ssl_module.c ++++ b/src/http/modules/ngx_http_ssl_module.c +@@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + #define NGX_HTTP_ALPN_PROTOS "\x08http/1.1\x08http/1.0\x08http/0.9" +diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c +index 28737ac..71dd780 100644 +--- a/src/mail/ngx_mail_ssl_module.c ++++ b/src/mail/ngx_mail_ssl_module.c +@@ -10,7 +10,11 @@ + #include + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + +diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c +index 1ba1825..ad727c1 100644 +--- a/src/stream/ngx_stream_ssl_module.c ++++ b/src/stream/ngx_stream_ssl_module.c +@@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + 
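Review bot: `NGX_DEFAULT_CIPHERS` becomes `"ALL"` for wolfSSL in the http, mail and stream modules, dropping the `HIGH` filter and the `!aNULL:!MD5` exclusions that the OpenSSL default keeps; what that actually admits depends on which suites the wolfSSL build enables, but a default that accepts whatever the library was compiled with is a weaker baseline than upstream's and the commit does not say why the exclusions cannot be kept. If wolfSSL's cipher-list parser accepts exclusion tokens, `#define NGX_DEFAULT_CIPHERS "ALL:!aNULL:!eNULL:!MD5"` preserves the upstream intent; otherwise a comment explaining the constraint is needed. Separately, the chain loop added to `ngx_ssl_connection_certificate` runs `for (i = sk_X509_num(chain) - 1; i > 0; i--)`, so element 0 is never passed to `wolfSSL_add0_chain_cert`; if `chain` holds only the intermediates (as upstream's loader, not shown here, produces) the leaf's direct issuer would be omitted, so either `i >= 0` is intended or a comment should say why element 0 is skipped, and since `add0` normally means ownership transfer the following `sk_X509_pop_free(chain, X509_free)` deserves a comment confirming wolfSSL copies the certificates. The guard in the same function uses `sk_X509_NAME_num(chain)` on a `STACK_OF(X509)` and should read `if (sk_X509_num(chain) > 0)`; `ngx_ssl_connection_certificate` continues outside the hunk.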
diff --git a/nginx-tests-patches/2023-04-11-212d9d003886e3a24542855fb60355a417f037de.patch b/nginx-tests-patches/2023-04-11-212d9d003886e3a24542855fb60355a417f037de.patch
new file mode 100644
index 0000000..177827d
--- /dev/null
+++ b/nginx-tests-patches/2023-04-11-212d9d003886e3a24542855fb60355a417f037de.patch
@@ -0,0 +1,425 @@ +diff --git a/README b/README +index f43c586..bd259ca 100644 +--- a/README ++++ b/README +@@ -52,4 +52,12 @@ TEST_NGINX_GLOBALS_STREAM + + Sets additional directives in stream context. + ++TEST_NGINX_GDBSERVER ++ ++ Run Nginx under a gdbserver. ++ ++TEST_NGINX_VALGRIND ++ ++ Run Nginx under valgrind. ++ + Happy testing! +diff --git a/lib/Test/Nginx.pm b/lib/Test/Nginx.pm +index a74fbf1..09855e5 100644 +--- a/lib/Test/Nginx.pm ++++ b/lib/Test/Nginx.pm +@@ -29,6 +29,8 @@ use POSIX qw/ waitpid WNOHANG /; + use Socket qw/ CRLF /; + use Test::More qw//; + ++use Proc::Find qw(find_proc proc_exists); ++ + ############################################################################### + + our $NGINX = defined $ENV{TEST_NGINX_BINARY} ? $ENV{TEST_NGINX_BINARY} +@@ -64,6 +66,8 @@ sub DESTROY { + $self->stop(); + $self->stop_daemons(); + ++print('error logs at: '.$self->{_testdir}."\n"); ++ + if (Test::More->builder->expected_tests) { + local $Test::Nginx::TODO = 'alerts' unless $self->{_alerts}; + +@@ -85,12 +89,15 @@ sub DESTROY { + if (Test::More->builder->expected_tests) { + local $Test::Nginx::TODO; + my $errors = $self->read_file('error.log'); +- $errors = join "\n", $errors =~ /.+Sanitizer.+/gm; ++ $errors = join "\n", $errors =~ /.+(ERROR: AddressSanitizer)|(Direct leak of).+/gm; + Test::More::is($errors, '', 'no sanitizer errors'); + } + + if ($ENV{TEST_NGINX_CATLOG}) { + system("cat $self->{_testdir}/error.log"); ++ if ($ENV{TEST_NGINX_VALGRIND}) { ++ system("cat $self->{_testdir}/valgrind.log"); ++ } + } + if (not $ENV{TEST_NGINX_LEAVE}) { + eval { rmtree($self->{_testdir}); }; +@@ -336,13 +343,42 @@ sub run(;$) { + my $pid = fork(); + die "Unable to fork(): $!\n" unless defined $pid; + ++ if ($ENV{TEST_NGINX_GDBSERVER}) { ++ for (1 .. 300) { ++ last unless proc_exists(name=>'gdbserver'); ++ select undef, undef, undef, 0.1; ++ } ++ } ++ ++ + if ($pid == 0) { + my @globals = $self->{_test_globals} ? + () : ('-g', "pid $testdir/nginx.pid; " + . 
"error_log $testdir/error.log debug;"); +- exec($NGINX, '-p', "$testdir/", '-c', 'nginx.conf', +- '-e', 'error.log', @globals) +- or die "Unable to exec(): $!\n"; ++ if ($ENV{TEST_NGINX_CATLOG}) { ++ print { *STDERR } "\n"; ++ print { *STDERR } $NGINX . ' '; ++ print { *STDERR } '-p' . ' '; ++ print { *STDERR } $testdir . ' '; ++ print { *STDERR } '-c' . ' '; ++ print { *STDERR } 'nginx.conf' . ' '; ++ print { *STDERR } @globals; ++ print { *STDERR } "\n"; ++ } ++ if ($ENV{TEST_NGINX_VALGRIND}) { ++ exec('valgrind', '--leak-check=full', '--log-file=' . "$testdir/valgrind.log", $NGINX, '-p', "$testdir/", '-c', 'nginx.conf', '-e', '-error.log', @globals), ++ or die "Unable to exec(): $!\n"; ++ } ++ elsif ($ENV{TEST_NGINX_GDBSERVER}) { ++ exec('gdbserver', ':2345', $NGINX, '-p', "$testdir/", '-c', 'nginx.conf', '-e', 'error.log', @globals), ++ or die "Unable to exec(): $!\n"; ++ } ++ else { ++ exec($NGINX, '-p', "$testdir/", '-c', 'nginx.conf', ++ '-e', 'error.log', @globals) ++ or die "Unable to exec(): $!\n"; ++ } ++ + } + + # wait for nginx to start +@@ -426,7 +462,7 @@ sub waitforfile($;$) { + # wait for file to appear + # or specified process to exit + +- for (1 .. 50) { ++ for (1 .. 
300) { + return 1 if -e $file; + return 0 if $exited; + $exited = waitpid($pid, WNOHANG) != 0 if $pid; +diff --git a/ssl_certificates.t b/ssl_certificates.t +index a6ec6ad..c9d1ef4 100644 +--- a/ssl_certificates.t ++++ b/ssl_certificates.t +@@ -47,23 +47,16 @@ events { + http { + %%TEST_GLOBALS_HTTP%% + +- ssl_certificate_key rsa.key; +- ssl_certificate rsa.crt; + ssl_ciphers DEFAULT:ECCdraft; + + server { + listen 127.0.0.1:8080 ssl; + server_name localhost; + +- ssl_certificate_key ec.key; +- ssl_certificate ec.crt; +- +- ssl_certificate_key rsa.key; +- ssl_certificate rsa.crt; +- + ssl_certificate_key rsa.key; + ssl_certificate rsa.crt; + } ++ #### wolfSSL does not support using multiple certs on one object currently + } + + EOF +@@ -91,12 +84,11 @@ foreach my $name ('ec', 'rsa') { + or die "Can't create certificate for $name: $!\n"; + } + +-$t->run()->plan(2); ++$t->run()->plan(1); + + ############################################################################### + + like(get_cert('RSA'), qr/CN=rsa/, 'ssl cert RSA'); +-like(get_cert('ECDSA'), qr/CN=ec/, 'ssl cert ECDSA'); + + ############################################################################### + +diff --git a/ssl_curve.t b/ssl_curve.t +index 3b6d27d..b3a32b3 100644 +--- a/ssl_curve.t ++++ b/ssl_curve.t +@@ -82,7 +82,7 @@ $t->try_run('no $ssl_curve')->plan(1); + + ############################################################################### + +-like(get('/curve'), qr/^prime256v1 /m, 'ssl curve'); ++like(get('/curve'), qr/^SECP256R1/m, 'ssl curve'); + + ############################################################################### + +diff --git a/ssl_stapling.t b/ssl_stapling.t +index 06efca1..71d4e7a 100644 +--- a/ssl_stapling.t ++++ b/ssl_stapling.t +@@ -53,18 +53,14 @@ http { + ssl_stapling on; + ssl_trusted_certificate trusted.crt; + +- ssl_certificate ec-end-int.crt; +- ssl_certificate_key ec-end.key; +- +- ssl_certificate end-int.crt; +- ssl_certificate_key end.key; +- + ssl_ciphers 
DEFAULT:ECCdraft; + + server { + listen 127.0.0.1:8443 ssl; + listen 127.0.0.1:8080; + server_name localhost; ++ ssl_certificate end-int.crt; ++ ssl_certificate_key end.key; + } + + server { +@@ -72,6 +68,8 @@ http { + server_name localhost; + + ssl_stapling_responder http://127.0.0.1:8081/; ++ ssl_certificate end-int.crt; ++ ssl_certificate_key end.key; + } + + server { +@@ -79,32 +77,33 @@ http { + server_name localhost; + + ssl_stapling_verify on; ++ ssl_certificate end-int.crt; ++ ssl_certificate_key end.key; + } + + server { + listen 127.0.0.1:8446 ssl; + server_name localhost; + +- ssl_certificate ec-end.crt; +- ssl_certificate_key ec-end.key; ++ ssl_certificate end-int.crt; ++ ssl_certificate_key end.key; + } + + server { + listen 127.0.0.1:8447 ssl; + server_name localhost; + +- ssl_certificate end-int.crt; +- ssl_certificate_key end.key; +- + ssl_stapling_file %%TESTDIR%%/resp.der; ++ ssl_certificate end-int.crt; ++ ssl_certificate_key end.key; + } + + server { + listen 127.0.0.1:8448 ssl; + server_name localhost; + +- ssl_certificate ec-end-int.crt; +- ssl_certificate_key ec-end.key; ++ ssl_certificate end-int.crt; ++ ssl_certificate_key end.key; + + ssl_stapling_file %%TESTDIR%%/ec-resp.der; + } +@@ -114,7 +113,73 @@ http { + server_name localhost; + + ssl_stapling_responder http://127.0.0.1:8080/; ++ ssl_certificate end-int.crt; ++ ssl_certificate_key end.key; ++ } ++ ++#### ECC servers ++ ++ server { ++ listen 127.0.0.1:8453 ssl; ++ server_name localhost; ++ ssl_certificate ec-end-int.crt; ++ ssl_certificate_key ec-end.key; + } ++ ++ server { ++ listen 127.0.0.1:8454 ssl; ++ server_name localhost; ++ ++ ssl_stapling_responder http://127.0.0.1:8081/; ++ ssl_certificate ec-end-int.crt; ++ ssl_certificate_key ec-end.key; ++ } ++ ++ server { ++ listen 127.0.0.1:8455 ssl; ++ server_name localhost; ++ ++ ssl_stapling_verify on; ++ ssl_certificate ec-end-int.crt; ++ ssl_certificate_key ec-end.key; ++ } ++ ++ server { ++ listen 127.0.0.1:8456 ssl; ++ 
server_name localhost; ++ ++ ssl_certificate ec-end.crt; ++ ssl_certificate_key ec-end.key; ++ } ++ ++ server { ++ listen 127.0.0.1:8457 ssl; ++ server_name localhost; ++ ++ ssl_stapling_file %%TESTDIR%%/resp.der; ++ ssl_certificate ec-end-int.crt; ++ ssl_certificate_key ec-end.key; ++ } ++ ++ server { ++ listen 127.0.0.1:8458 ssl; ++ server_name localhost; ++ ++ ssl_certificate ec-end-int.crt; ++ ssl_certificate_key ec-end.key; ++ ++ ssl_stapling_file %%TESTDIR%%/ec-resp.der; ++ } ++ ++ server { ++ listen 127.0.0.1:8459 ssl; ++ server_name localhost; ++ ++ ssl_stapling_responder http://127.0.0.1:8080/; ++ ssl_certificate ec-end-int.crt; ++ ssl_certificate_key ec-end.key; ++ } ++ + } + + EOF +@@ -249,12 +314,12 @@ $t->waitforsocket("127.0.0.1:" . port(8081)); + my $version = get_version(); + + staple(8443, 'RSA'); +-staple(8443, 'ECDSA'); ++staple(8453, 'ECDSA'); + staple(8444, 'RSA'); +-staple(8444, 'ECDSA'); +-staple(8445, 'ECDSA'); +-staple(8446, 'ECDSA'); +-staple(8449, 'ECDSA'); ++staple(8454, 'ECDSA'); ++staple(8455, 'ECDSA'); ++staple(8456, 'ECDSA'); ++staple(8459, 'ECDSA'); + + sleep 1; + +@@ -264,8 +329,7 @@ TODO: { + local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL' + if $t->has_module('LibreSSL') && $version > 0x303; + +-ok(staple(8443, 'ECDSA'), 'staple success'); +- ++ok(staple(8453, 'ECDSA'), 'staple success'); + } + + ok(!staple(8444, 'RSA'), 'responder revoked'); +@@ -274,18 +338,18 @@ TODO: { + local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL' + if $t->has_module('LibreSSL') && $version > 0x303; + +-ok(staple(8444, 'ECDSA'), 'responder success'); ++ok(staple(8454, 'ECDSA'), 'responder success'); + + } + +-ok(!staple(8445, 'ECDSA'), 'verify - root not trusted'); ++ok(!staple(8455, 'ECDSA'), 'verify - root not trusted'); + +-ok(staple(8446, 'ECDSA', "$d/int.crt"), 'cert store'); ++ok(staple(8456, 'ECDSA', "$d/int.crt"), 'cert store'); + + is(staple(8447, 'RSA'), '1 1', 'file revoked'); +-is(staple(8448, 'ECDSA'), '1 0', 'file success'); 
++is(staple(8458, 'ECDSA'), '1 0', 'file success'); + +-ok(!staple(8449, 'ECDSA'), 'ocsp error'); ++ok(!staple(8459, 'ECDSA'), 'ocsp error'); + + TODO: { + local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL' +diff --git a/ssl_verify_depth.t b/ssl_verify_depth.t +index 4e010cc..b8d1a39 100644 +--- a/ssl_verify_depth.t ++++ b/ssl_verify_depth.t +@@ -47,7 +47,7 @@ http { + ssl_certificate_key localhost.key; + + ssl_verify_client on; +- ssl_client_certificate root-int.crt; ++ ssl_client_certificate root.crt; + + add_header X-Client $ssl_client_s_dn always; + add_header X-Verify $ssl_client_verify always; +@@ -101,6 +101,7 @@ commonName = supplied + + [ myca_extensions ] + basicConstraints = critical,CA:TRUE ++keyUsage = keyCertSign + EOF + + foreach my $name ('root', 'localhost') { +@@ -136,6 +137,9 @@ system("openssl ca -batch -config $d/ca.conf " + + $t->write_file('root-int.crt', $t->read_file('root.crt') + . $t->read_file('int.crt')); ++$t->write_file('end-int.crt', $t->read_file('end.crt') ++ . 
$t->read_file('int.crt')); ++$t->write_file('end-int.key', $t->read_file('end.key')); + + $t->write_file('t', ''); + $t->run(); +@@ -151,7 +155,7 @@ $t->run(); + + like(get(8080, 'root'), qr/SUCCESS/, 'verify depth 0 - root'); + like(get(8080, 'int'), qr/FAI|SUC/, 'verify depth 0 - no int'); +-like(get(8080, 'end'), qr/FAILED/, 'verify depth 0 - no end'); ++like(get(8080, 'end-int'), qr/FAILED/, 'verify depth 0 - no end'); + + # with verify depth 1 (the default), one signature is + # expected to be checked, so certificates directly signed +@@ -163,14 +167,14 @@ like(get(8080, 'end'), qr/FAILED/, 'verify depth 0 - no end'); + + like(get(8081, 'root'), qr/SUCCESS/, 'verify depth 1 - root'); + like(get(8081, 'int'), qr/SUCCESS/, 'verify depth 1 - int'); +-like(get(8081, 'end'), qr/FAI|SUC/, 'verify depth 1 - no end'); ++like(get(8081, 'end-int'), qr/FAI|SUC/, 'verify depth 1 - no end'); + + # with verify depth 2 it is also possible to validate up to two signatures, + # so chains with one intermediate certificate are allowed + + like(get(8082, 'root'), qr/SUCCESS/, 'verify depth 2 - root'); + like(get(8082, 'int'), qr/SUCCESS/, 'verify depth 2 - int'); +-like(get(8082, 'end'), qr/SUCCESS/, 'verify depth 2 - end'); ++like(get(8082, 'end-int'), qr/SUCCESS/, 'verify depth 2 - end'); + + ############################################################################### +
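Review bot: The valgrind branch added to `run` in lib/Test/Nginx.pm passes `'-e', '-error.log'` while the gdbserver and plain branches pass `'-e', 'error.log'`, so under TEST_NGINX_VALGRIND nginx writes its startup errors to a file literally named `-error.log` and the `read_file('error.log')` checks in `DESTROY` read the wrong file; it should be `'-e', 'error.log'`. The sanitizer regex change in `DESTROY`, `/.+(ERROR: AddressSanitizer)|(Direct leak of).+/gm`, also narrows what fails the test: the old `.+Sanitizer.+` matched any sanitizer report, whereas the new alternation only matches ASan errors and direct leaks, so UBSan or MSan output in error.log would no longer be flagged — if that is intended it deserves a comment, otherwise keep a `Sanitizer` alternative in the pattern. The new `use Proc::Find` is a CPAN dependency that the README hunk does not mention alongside the new TEST_NGINX_GDBSERVER variable. The `run` and `DESTROY` subs start and end outside the visible inner hunks.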