diff --git a/README.md b/README.md index 849d6c7..5c657bf 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,9 @@ and recompilation is required. The tested versions: - wolfSSL 3.14 - wolfSSL 3.13.0 (with patch applied: wolfssl-3.13.0-nginx.patch) + - Nginx 1.17.5 + - Nginx 1.16.1 + - Nginx 1.15.0 - Nginx 1.14.0 - Nginx 1.13.12 - Nginx 1.13.8 @@ -20,6 +23,7 @@ The tested versions: - Nginx 1.11.10 - Nginx 1.11.7 - Nginx 1.10.3 + - Nginx 1.7.7 ### Building @@ -54,7 +58,10 @@ There will be failures of SSL tests for the following reasons: Note: the file ssl_ecc.t in wolfssl-nginx can be used with the Nginx test system. - +Note: the file ssl_stapling.t.patch can be used to patch the ssl_stapling.t +file in nginx-tests to work with wolfSSL. The version available in the testing +repository uses different certs on the same server. This is not supported +by wolfSSL so this patch moves the certs to separate server instances. There are additional tests available in wolfssl-nginx. These are in addition to the Nginx tests. The OpenSSL's superapp is required for OCSP Stapling diff --git a/conf/cert-ecc-p8.key b/conf/cert-ecc-p8.key index ca03d98..b8a7068 100644 --- a/conf/cert-ecc-p8.key +++ b/conf/cert-ecc-p8.key @@ -1,5 +1,5 @@ ------BEGIN PRIVATE KEY----- +-----BEGIN EC PRIVATE KEY----- MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgRbZpAnOcbIWhOFty 6OjHrMQDjVM1BPpsKNw0jeGoCYyhRANCAAS7M6xMJ1BKxkqlBMM83p8223ItzpTq K/rLIAk5LBboYQLpr03TApOaMVuXkiF/8M8Y2pERAjSG6CBYMwuANInY ------END PRIVATE KEY----- +-----END EC PRIVATE KEY----- diff --git a/conf/nginx_tls13.conf b/conf/nginx_tls13.conf index cb38cd2..a18159c 100644 --- a/conf/nginx_tls13.conf +++ b/conf/nginx_tls13.conf @@ -356,6 +356,7 @@ http { proxy_ssl_certificate_key client-key.pem; proxy_ssl_verify on; proxy_ssl_crl crl.pem; + proxy_ssl_protocols TLSv1.3; } } # Proxy using ECDHE cipher suites and CRL 
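Review bot: The relabelled PEM header in conf/cert-ecc-p8.key no longer matches the key's encoding: the base64 body is unchanged and begins `MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEH`, which decodes to a PKCS#8 PrivateKeyInfo (version 0 followed by the ecPublicKey/prime256v1 AlgorithmIdentifier), whereas `-----BEGIN EC PRIVATE KEY-----` denotes the RFC 5915 ECPrivateKey structure, whose P-256 encoding typically begins `MHcCAQEE`; the filename's `p8` also says PKCS#8. A loader that chooses the decoder from the label (OpenSSL's PEM routines, for example) will fail on this body, so either keep the original `PRIVATE KEY` label or re-encode the body as a SEC1 ECPrivateKey. If the relabel is a workaround for a loader that only accepts the EC label, a comment in the README's test section should say so, since nothing on the diff explains it.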
@@ -383,6 +384,7 @@ http { proxy_ssl_certificate_key client-key.pem; proxy_ssl_verify on; proxy_ssl_crl crl.pem; + proxy_ssl_protocols TLSv1.3; } } # Proxy using ECDHE and ECDSA cipher suites @@ -410,6 +412,7 @@ http { proxy_ssl_certificate_key client-key.pem; proxy_ssl_verify on; proxy_ssl_session_reuse on; + proxy_ssl_protocols TLSv1.3; } } # Proxy using complete chain @@ -437,6 +440,7 @@ http { proxy_ssl_certificate_key client-key.pem; proxy_ssl_verify on; proxy_ssl_session_reuse on; + proxy_ssl_protocols TLSv1.3; } } # Proxy using incomplete chain @@ -464,6 +468,7 @@ http { proxy_ssl_certificate_key client-key.pem; proxy_ssl_verify on; proxy_ssl_session_reuse on; + proxy_ssl_protocols TLSv1.3; } } @@ -494,6 +499,7 @@ http { proxy_ssl_verify on; proxy_ssl_crl crl-revoked.pem; proxy_ssl_session_reuse on; + proxy_ssl_protocols TLSv1.3; } } # OCSP Stapling diff --git a/nginx-1.15.0-wolfssl.patch b/nginx-1.15.0-wolfssl.patch index eddf485..65b86b7 100644 --- a/nginx-1.15.0-wolfssl.patch +++ b/nginx-1.15.0-wolfssl.patch 
@@ -193,9 +193,20 @@ diff -ur nginx-1.15.0/src/http/modules/ngx_http_ssl_module.c nginx-1.15.0-wolfss #define NGX_DEFAULT_ECDH_CURVE "auto" #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1" -diff -ur nginx-1.15.0/src/mail/ngx_mail_ssl_module.c nginx-1.15.0-wolfssl/src/mail/ngx_mail_ssl_module.c ---- nginx-1.15.0/src/mail/ngx_mail_ssl_module.c 2018-06-05 23:47:25.000000000 +1000 -+++ nginx-1.15.0-wolfssl/src/mail/ngx_mail_ssl_module.c 2018-06-14 15:44:59.059897033 +1000 +@@ -766,8 +770,10 @@ + return NGX_CONF_ERROR; + } + ++#ifndef WOLFSSL_NGINX + ngx_conf_merge_value(conf->builtin_session_cache, + prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); ++#endif + + if (conf->shm_zone == NULL) { + conf->shm_zone = prev->shm_zone; +diff -ur nginx/src/mail/ngx_mail_ssl_module.c nginx-1.15.0-wolfssl/src/mail/ngx_mail_ssl_module.c +--- nginx/src/mail/ngx_mail_ssl_module.c 2019-10-22 13:38:25.369054696 +0200 ++++ nginx-1.15.0-wolfssl/src/mail/ngx_mail_ssl_module.c 2019-10-22 13:37:13.938265565 +0200 @@ -10,7 +10,11 @@ #include diff --git a/nginx-1.16.1-wolfssl-debug.patch b/nginx-1.16.1-wolfssl-debug.patch new file mode 100644 index 0000000..6cbe33c --- /dev/null +++ b/nginx-1.16.1-wolfssl-debug.patch @@ -0,0 +1,15 @@ +diff -ur nginx/src/event/ngx_event_openssl.c nginx-debug/src/event/ngx_event_openssl.c +--- nginx/src/event/ngx_event_openssl.c 2019-10-29 17:31:13.468021354 +0100 ++++ nginx-debug/src/event/ngx_event_openssl.c 2019-10-29 17:31:06.152106826 +0100 +@@ -164,6 +164,11 @@ + + #endif + ++#ifdef WOLFSSL_NGINX ++ /* Turn on internal wolfssl debugging to stdout */ ++ wolfSSL_Debugging_ON(); ++#endif ++ + #if OPENSSL_VERSION_NUMBER >= 0x0090800fL + #ifndef SSL_OP_NO_COMPRESSION + { diff --git a/nginx-1.16.1-wolfssl.patch b/nginx-1.16.1-wolfssl.patch new file mode 100644 index 0000000..6c6d518 --- /dev/null +++ b/nginx-1.16.1-wolfssl.patch 
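Review bot: The new `#ifndef WOLFSSL_NGINX` around `ngx_conf_merge_value(conf->builtin_session_cache, prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);` in ngx_http_ssl_module.c carries no comment saying what value `builtin_session_cache` keeps under wolfSSL when the directive is absent, or why the `NGX_SSL_NONE_SCACHE` default has to be skipped; the `ngx_ssl_session_cache()` call that consumes the value is outside the hunk, so a reader cannot tell whether an unset value is handled there. If the intent is to leave the library's own cache enabled, say so at the guard, e.g. `/* wolfSSL: leave builtin_session_cache unset so the library's own session cache is used; consumed in ngx_ssl_session_cache() */`, otherwise merge to the intended wolfSSL default explicitly. The same unexplained guard is added in the ngx_http_ssl_module.c hunks of nginx-1.16.1-wolfssl.patch and nginx-1.17.5-wolfssl.patch.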
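Review bot: `wolfSSL_Debugging_ON();` is called with its return value dropped and without stating its precondition, while the sibling nginx-1.7.7-wolfssl-debug.patch writes `(void)wolfSSL_Debugging_ON();` and its commit text says debugging takes effect only when wolfSSL is compiled with `--enable-debug`. Suggest making the two forms consistent and putting the precondition in the comment, e.g. `/* Turn on internal wolfSSL debugging to stdout; presumably has no effect unless wolfSSL was built with --enable-debug */`. The same applies to nginx-1.17.5-wolfssl-debug.patch; the README's testing section could also state that these debug patches are meant for test builds only, since the diff does not say where the output is expected to go.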
@@ -0,0 +1,302 @@ +diff -ur nginx/auto/lib/openssl/conf nginx-1.16.1-wolfssl/auto/lib/openssl/conf +--- nginx/auto/lib/openssl/conf 2019-10-28 17:04:55.111782394 +0100 ++++ nginx-1.16.1-wolfssl/auto/lib/openssl/conf 2019-10-28 16:59:15.481019251 +0100 +@@ -62,8 +62,33 @@ + ngx_feature_path= + ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD" + ngx_feature_test="SSL_CTX_set_options(NULL, 0)" ++ ++ if [ $WOLFSSL != NONE ]; then ++ ngx_feature="wolfSSL library in $WOLFSSL" ++ ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include" ++ ++ if [ $NGX_RPATH = YES ]; then ++ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" ++ else ++ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" ++ fi ++ ++ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl" ++ CFLAGS="$CFLAGS -DWOLFSSL_NGINX" ++ fi ++ + . auto/feature + ++ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then ++cat << END ++ ++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl. ++SSL modules require the wolfSSL library. 
++ ++END ++ exit 1 ++ fi ++ + if [ $ngx_found = no ]; then + + # FreeBSD port +diff -ur nginx/auto/options nginx-1.16.1-wolfssl/auto/options +--- nginx/auto/options 2019-10-28 17:04:55.111782394 +0100 ++++ nginx-1.16.1-wolfssl/auto/options 2019-10-28 16:59:15.485019190 +0100 +@@ -147,6 +147,7 @@ + + USE_OPENSSL=NO + OPENSSL=NONE ++WOLFSSL=NONE + + USE_ZLIB=NO + ZLIB=NONE +@@ -355,6 +356,7 @@ + --with-pcre-opt=*) PCRE_OPT="$value" ;; + --with-pcre-jit) PCRE_JIT=YES ;; + ++ --with-wolfssl=*) WOLFSSL="$value" ;; + --with-openssl=*) OPENSSL="$value" ;; + --with-openssl-opt=*) OPENSSL_OPT="$value" ;; + +@@ -579,6 +581,7 @@ + --with-libatomic force libatomic_ops library usage + --with-libatomic=DIR set path to libatomic_ops library sources + ++ --with-wolfssl=DIR set path to wolfSSL headers and library + --with-openssl=DIR set path to OpenSSL library sources + --with-openssl-opt=OPTIONS set additional build options for OpenSSL + +Only in nginx: .git +diff -ur nginx/src/event/ngx_event_openssl.c nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c +--- nginx/src/event/ngx_event_openssl.c 2019-10-28 17:06:07.286673633 +0100 ++++ nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c 2019-10-28 16:59:15.485019190 +0100 +@@ -384,6 +384,10 @@ + + SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); + ++#ifdef WOLFSSL_NGINX ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL); ++#endif ++ + return NGX_OK; + } + +@@ -863,6 +867,14 @@ + + + ngx_int_t ++ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl) ++{ ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback); ++ ++ return NGX_OK; ++} ++ ++ngx_int_t + ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, + ngx_int_t depth) + { +@@ -1370,7 +1382,8 @@ + * maximum interoperability. 
+ */ + +-#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) ++#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) || \ ++ defined(WOLFSSL_NGINX) + + /* + * OpenSSL 1.0.2+ allows configuring a curve list instead of a single +@@ -1491,10 +1504,26 @@ + ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) + { + ngx_connection_t *c; ++#ifdef WOLFSSL_NGINX ++ int len; ++#endif + + c = ngx_ssl_get_connection(ssl_conn); + + if (c->ssl->save_session) { ++#ifdef WOLFSSL_NGINX ++ len = i2d_SSL_SESSION(sess, NULL); ++ ++ /* do not cache too big session */ ++ if (len > NGX_SSL_MAX_SESSION_SIZE) { ++ return -1; ++ } ++ ++ if (!(sess = SSL_SESSION_dup(sess))) { ++ return -1; ++ } ++#endif ++ + c->ssl->session = sess; + + c->ssl->save_session(c); +@@ -1566,7 +1595,9 @@ + { + #ifdef TLS1_3_VERSION + if (c->ssl->session) { ++ #if !defined(WOLFSSL_NGINX) + SSL_SESSION_up_ref(c->ssl->session); ++ #endif + return c->ssl->session; + } + #endif +@@ -3929,7 +3960,8 @@ + return -1; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \ ++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS)) + if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) { + ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); + return -1; +@@ -3973,7 +4005,8 @@ + size = 32; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \ ++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS)) + if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) { + ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); + return -1; +diff -ur nginx/src/event/ngx_event_openssl.h nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.h +--- nginx/src/event/ngx_event_openssl.h 2019-10-28 17:04:55.111782394 +0100 ++++ nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.h 2019-10-28 16:59:15.485019190 +0100 +@@ -12,6 +12,10 @@ + #include + #include + 
++#ifdef WOLFSSL_NGINX ++#include ++#include ++#endif + #include + #include + #include +@@ -59,7 +63,7 @@ + #define ngx_ssl_conn_t SSL + + +-#if (OPENSSL_VERSION_NUMBER < 0x10002000L) ++#if (OPENSSL_VERSION_NUMBER < 0x10002000L) && !defined(WOLFSSL_NGINX) + #define SSL_is_server(s) (s)->server + #endif + +@@ -171,6 +175,7 @@ + + ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, + ngx_uint_t prefer_server_ciphers); ++ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl); + ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, + ngx_str_t *cert, ngx_int_t depth); + ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, +diff -ur nginx/src/event/ngx_event_openssl_stapling.c nginx-1.16.1-wolfssl/src/event/ngx_event_openssl_stapling.c +--- nginx/src/event/ngx_event_openssl_stapling.c 2019-10-28 17:04:55.111782394 +0100 ++++ nginx-1.16.1-wolfssl/src/event/ngx_event_openssl_stapling.c 2019-10-28 16:59:15.485019190 +0100 +@@ -313,7 +313,9 @@ + for (i = 0; i < n; i++) { + issuer = sk_X509_value(chain, i); + if (X509_check_issued(issuer, cert) == X509_V_OK) { +-#if OPENSSL_VERSION_NUMBER >= 0x10100001L ++#ifdef WOLFSSL_NGINX ++ issuer = X509_dup(issuer); ++#elif OPENSSL_VERSION_NUMBER >= 0x10100001L + X509_up_ref(issuer); + #else + CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); +diff -ur nginx/src/http/modules/ngx_http_proxy_module.c nginx-1.16.1-wolfssl/src/http/modules/ngx_http_proxy_module.c +--- nginx/src/http/modules/ngx_http_proxy_module.c 2019-10-28 17:04:55.111782394 +0100 ++++ nginx-1.16.1-wolfssl/src/http/modules/ngx_http_proxy_module.c 2019-10-28 16:59:15.489019127 +0100 +@@ -4307,6 +4307,8 @@ + return NGX_ERROR; + } + ++ ngx_ssl_set_verify_on(cf, plcf->upstream.ssl); ++ + if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl, + &plcf->ssl_trusted_certificate, + plcf->ssl_verify_depth) +diff -ur nginx/src/http/modules/ngx_http_ssl_module.c 
nginx-1.16.1-wolfssl/src/http/modules/ngx_http_ssl_module.c +--- nginx/src/http/modules/ngx_http_ssl_module.c 2019-10-28 17:06:07.286673633 +0100 ++++ nginx-1.16.1-wolfssl/src/http/modules/ngx_http_ssl_module.c 2019-10-28 16:59:15.489019127 +0100 +@@ -14,7 +14,11 @@ + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1" +@@ -810,8 +814,10 @@ + return NGX_CONF_ERROR; + } + ++#ifndef WOLFSSL_NGINX + ngx_conf_merge_value(conf->builtin_session_cache, + prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); ++#endif + + if (conf->shm_zone == NULL) { + conf->shm_zone = prev->shm_zone; +diff -ur nginx/src/http/ngx_http_request.c nginx-1.16.1-wolfssl/src/http/ngx_http_request.c +--- nginx/src/http/ngx_http_request.c 2019-10-28 17:04:55.111782394 +0100 ++++ nginx-1.16.1-wolfssl/src/http/ngx_http_request.c 2019-10-28 16:59:15.485019190 +0100 +@@ -851,6 +851,12 @@ + + + #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME ++#ifndef SSL_AD_NO_RENEGOTIATION ++#define SSL_AD_NO_RENEGOTIATION 100 ++#endif ++#ifndef SSL_AD_INTERNAL_ERROR ++#define SSL_AD_INTERNAL_ERROR 80 ++#endif + + int + ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) +diff -ur nginx/src/mail/ngx_mail_ssl_module.c nginx-1.16.1-wolfssl/src/mail/ngx_mail_ssl_module.c +--- nginx/src/mail/ngx_mail_ssl_module.c 2019-10-28 17:04:55.111782394 +0100 ++++ nginx-1.16.1-wolfssl/src/mail/ngx_mail_ssl_module.c 2019-10-28 16:59:15.489019127 +0100 +@@ -10,7 +10,11 @@ + #include + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + +diff -ur nginx/src/stream/ngx_stream_proxy_module.c nginx-1.16.1-wolfssl/src/stream/ngx_stream_proxy_module.c +--- nginx/src/stream/ngx_stream_proxy_module.c 2019-10-28 
17:04:55.111782394 +0100 ++++ nginx-1.16.1-wolfssl/src/stream/ngx_stream_proxy_module.c 2019-10-28 16:59:15.493019066 +0100 +@@ -2131,6 +2131,8 @@ + return NGX_ERROR; + } + ++ ngx_ssl_set_verify_on(cf, pscf->ssl); ++ + if (ngx_ssl_trusted_certificate(cf, pscf->ssl, + &pscf->ssl_trusted_certificate, + pscf->ssl_verify_depth) +diff -ur nginx/src/stream/ngx_stream_ssl_module.c nginx-1.16.1-wolfssl/src/stream/ngx_stream_ssl_module.c +--- nginx/src/stream/ngx_stream_ssl_module.c 2019-10-28 17:04:55.111782394 +0100 ++++ nginx-1.16.1-wolfssl/src/stream/ngx_stream_ssl_module.c 2019-10-28 16:59:15.493019066 +0100 +@@ -14,7 +14,11 @@ + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + diff --git a/nginx-1.17.5-wolfssl-debug.patch b/nginx-1.17.5-wolfssl-debug.patch new file mode 100644 index 0000000..f2cc585 --- /dev/null +++ b/nginx-1.17.5-wolfssl-debug.patch @@ -0,0 +1,16 @@ +diff -ur nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.c nginx-1.17.5-wolfssl-debug/src/event/ngx_event_openssl.c +--- nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.c 2019-11-04 21:29:39.856200843 +0100 ++++ nginx-1.17.5-wolfssl-debug/src/event/ngx_event_openssl.c 2019-11-04 21:30:29.362010122 +0100 +@@ -165,6 +165,12 @@ + + #endif + ++#ifdef WOLFSSL_NGINX ++ /* Turn on internal wolfssl debugging to stdout */ ++ wolfSSL_Debugging_ON(); ++#endif ++ ++ + #ifndef SSL_OP_NO_COMPRESSION + { + /* diff --git a/nginx-1.17.5-wolfssl.patch b/nginx-1.17.5-wolfssl.patch new file mode 100644 index 0000000..fb732bf --- /dev/null +++ b/nginx-1.17.5-wolfssl.patch 
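Review bot: In the ngx_event_openssl_stapling.c hunk the wolfSSL branch assigns `issuer = X509_dup(issuer);` without a NULL check, and the function then uses `issuer` (the `ngx_log_debug1` in context and whatever follows outside the hunk), so an allocation failure becomes a NULL dereference; the 1.7.7 patch in this same commit handles the equivalent step with a checked `wolfSSL_X509_up_ref()` plus an `ngx_ssl_error`, and this patch should match it. Two smaller points in the same patch: `ngx_ssl_set_verify_on()` returns `ngx_int_t` but both callers added in ngx_http_proxy_module.c and ngx_stream_proxy_module.c discard it, unlike every neighbouring `ngx_ssl_*` call which is checked `!= NGX_OK`; and the new `HAVE_FIPS` exclusion on the two `HMAC_Init_ex` checks presumably falls through to the `#else` branch (outside the hunk), which in stock nginx calls `HMAC_Init_ex` unchecked, so either confirm that path cannot fail under a wolfSSL FIPS build or keep the check there too. The identical hunks in nginx-1.17.5-wolfssl.patch have the same issues.
```c
#ifdef WOLFSSL_NGINX
            issuer = X509_dup(issuer);
            if (issuer == NULL) {
                ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                              "X509_dup() failed");
                return NGX_ERROR;
            }
#elif OPENSSL_VERSION_NUMBER >= 0x10100001L
            /* … unchanged: X509_up_ref / CRYPTO_add branches … */
```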
@@ -0,0 +1,302 @@ +diff -ur nginx/auto/lib/openssl/conf nginx-1.17.5-wolfssl/auto/lib/openssl/conf +--- nginx/auto/lib/openssl/conf 2019-11-04 21:30:50.293130582 +0100 ++++ nginx-1.17.5-wolfssl/auto/lib/openssl/conf 2019-11-04 21:29:39.848201210 +0100 +@@ -62,8 +62,33 @@ + ngx_feature_path= + ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD" + ngx_feature_test="SSL_CTX_set_options(NULL, 0)" ++ ++ if [ $WOLFSSL != NONE ]; then ++ ngx_feature="wolfSSL library in $WOLFSSL" ++ ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include" ++ ++ if [ $NGX_RPATH = YES ]; then ++ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" ++ else ++ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" ++ fi ++ ++ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl" ++ CFLAGS="$CFLAGS -DWOLFSSL_NGINX" ++ fi ++ + . auto/feature + ++ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then ++cat << END ++ ++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl. ++SSL modules require the wolfSSL library. 
++ ++END ++ exit 1 ++ fi ++ + if [ $ngx_found = no ]; then + + # FreeBSD port +diff -ur nginx/auto/options nginx-1.17.5-wolfssl/auto/options +--- nginx/auto/options 2019-11-04 21:30:50.293130582 +0100 ++++ nginx-1.17.5-wolfssl/auto/options 2019-11-04 21:29:39.848201210 +0100 +@@ -146,6 +146,7 @@ + + USE_OPENSSL=NO + OPENSSL=NONE ++WOLFSSL=NONE + + USE_ZLIB=NO + ZLIB=NONE +@@ -354,6 +355,7 @@ + --with-pcre-opt=*) PCRE_OPT="$value" ;; + --with-pcre-jit) PCRE_JIT=YES ;; + ++ --with-wolfssl=*) WOLFSSL="$value" ;; + --with-openssl=*) OPENSSL="$value" ;; + --with-openssl-opt=*) OPENSSL_OPT="$value" ;; + +@@ -578,6 +580,7 @@ + --with-libatomic force libatomic_ops library usage + --with-libatomic=DIR set path to libatomic_ops library sources + ++ --with-wolfssl=DIR set path to wolfSSL headers and library + --with-openssl=DIR set path to OpenSSL library sources + --with-openssl-opt=OPTIONS set additional build options for OpenSSL + +Only in nginx: .git +diff -ur nginx/src/event/ngx_event_openssl.c nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.c +--- nginx/src/event/ngx_event_openssl.c 2019-11-04 21:30:50.297130417 +0100 ++++ nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.c 2019-11-04 21:29:39.856200843 +0100 +@@ -383,6 +383,10 @@ + + SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); + ++#ifdef WOLFSSL_NGINX ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL); ++#endif ++ + return NGX_OK; + } + +@@ -862,6 +866,14 @@ + + + ngx_int_t ++ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl) ++{ ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback); ++ ++ return NGX_OK; ++} ++ ++ngx_int_t + ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, + ngx_int_t depth) + { +@@ -1361,7 +1373,8 @@ + * maximum interoperability. 
+ */ + +-#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) ++#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) || \ ++ defined(WOLFSSL_NGINX) + + /* + * OpenSSL 1.0.2+ allows configuring a curve list instead of a single +@@ -1481,10 +1494,26 @@ + ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) + { + ngx_connection_t *c; ++#ifdef WOLFSSL_NGINX ++ int len; ++#endif + + c = ngx_ssl_get_connection(ssl_conn); + + if (c->ssl->save_session) { ++#ifdef WOLFSSL_NGINX ++ len = i2d_SSL_SESSION(sess, NULL); ++ ++ /* do not cache too big session */ ++ if (len > NGX_SSL_MAX_SESSION_SIZE) { ++ return -1; ++ } ++ ++ if (!(sess = SSL_SESSION_dup(sess))) { ++ return -1; ++ } ++#endif ++ + c->ssl->session = sess; + + c->ssl->save_session(c); +@@ -1556,7 +1585,9 @@ + { + #ifdef TLS1_3_VERSION + if (c->ssl->session) { ++ #if !defined(WOLFSSL_NGINX) + SSL_SESSION_up_ref(c->ssl->session); ++ #endif + return c->ssl->session; + } + #endif +@@ -3972,7 +4003,8 @@ + return -1; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \ ++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS)) + if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) { + ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); + return -1; +@@ -4016,7 +4048,8 @@ + size = 32; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \ ++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS)) + if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) { + ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); + return -1; +diff -ur nginx/src/event/ngx_event_openssl.h nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.h +--- nginx/src/event/ngx_event_openssl.h 2019-11-04 21:30:50.293130582 +0100 ++++ nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.h 2019-11-04 21:29:39.856200843 +0100 +@@ -12,6 +12,10 @@ + #include + #include + 
++#ifdef WOLFSSL_NGINX ++#include ++#include ++#endif + #include + #include + #include +@@ -59,7 +63,7 @@ + #define ngx_ssl_conn_t SSL + + +-#if (OPENSSL_VERSION_NUMBER < 0x10002000L) ++#if (OPENSSL_VERSION_NUMBER < 0x10002000L) && !defined(WOLFSSL_NGINX) + #define SSL_is_server(s) (s)->server + #endif + +@@ -172,6 +176,7 @@ + + ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, + ngx_uint_t prefer_server_ciphers); ++ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl); + ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, + ngx_str_t *cert, ngx_int_t depth); + ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, +diff -ur nginx/src/event/ngx_event_openssl_stapling.c nginx-1.17.5-wolfssl/src/event/ngx_event_openssl_stapling.c +--- nginx/src/event/ngx_event_openssl_stapling.c 2019-11-04 21:30:50.293130582 +0100 ++++ nginx-1.17.5-wolfssl/src/event/ngx_event_openssl_stapling.c 2019-11-04 21:29:39.856200843 +0100 +@@ -313,7 +313,9 @@ + for (i = 0; i < n; i++) { + issuer = sk_X509_value(chain, i); + if (X509_check_issued(issuer, cert) == X509_V_OK) { +-#if OPENSSL_VERSION_NUMBER >= 0x10100001L ++#ifdef WOLFSSL_NGINX ++ issuer = X509_dup(issuer); ++#elif OPENSSL_VERSION_NUMBER >= 0x10100001L + X509_up_ref(issuer); + #else + CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); +diff -ur nginx/src/http/modules/ngx_http_proxy_module.c nginx-1.17.5-wolfssl/src/http/modules/ngx_http_proxy_module.c +--- nginx/src/http/modules/ngx_http_proxy_module.c 2019-11-04 21:30:50.293130582 +0100 ++++ nginx-1.17.5-wolfssl/src/http/modules/ngx_http_proxy_module.c 2019-11-04 21:29:39.856200843 +0100 +@@ -4307,6 +4307,8 @@ + return NGX_ERROR; + } + ++ ngx_ssl_set_verify_on(cf, plcf->upstream.ssl); ++ + if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl, + &plcf->ssl_trusted_certificate, + plcf->ssl_verify_depth) +diff -ur nginx/src/http/modules/ngx_http_ssl_module.c 
nginx-1.17.5-wolfssl/src/http/modules/ngx_http_ssl_module.c +--- nginx/src/http/modules/ngx_http_ssl_module.c 2019-11-04 21:30:50.293130582 +0100 ++++ nginx-1.17.5-wolfssl/src/http/modules/ngx_http_ssl_module.c 2019-11-04 21:29:39.856200843 +0100 +@@ -14,7 +14,11 @@ + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1" +@@ -810,8 +814,10 @@ + return NGX_CONF_ERROR; + } + ++#ifndef WOLFSSL_NGINX + ngx_conf_merge_value(conf->builtin_session_cache, + prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); ++#endif + + if (conf->shm_zone == NULL) { + conf->shm_zone = prev->shm_zone; +diff -ur nginx/src/http/ngx_http_request.c nginx-1.17.5-wolfssl/src/http/ngx_http_request.c +--- nginx/src/http/ngx_http_request.c 2019-11-04 21:30:50.297130417 +0100 ++++ nginx-1.17.5-wolfssl/src/http/ngx_http_request.c 2019-11-04 21:29:39.856200843 +0100 +@@ -851,6 +851,12 @@ + + + #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME ++#ifndef SSL_AD_NO_RENEGOTIATION ++#define SSL_AD_NO_RENEGOTIATION 100 ++#endif ++#ifndef SSL_AD_INTERNAL_ERROR ++#define SSL_AD_INTERNAL_ERROR 80 ++#endif + + int + ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) +diff -ur nginx/src/mail/ngx_mail_ssl_module.c nginx-1.17.5-wolfssl/src/mail/ngx_mail_ssl_module.c +--- nginx/src/mail/ngx_mail_ssl_module.c 2019-11-04 21:30:50.297130417 +0100 ++++ nginx-1.17.5-wolfssl/src/mail/ngx_mail_ssl_module.c 2019-11-04 21:29:39.860200659 +0100 +@@ -10,7 +10,11 @@ + #include + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + +diff -ur nginx/src/stream/ngx_stream_proxy_module.c nginx-1.17.5-wolfssl/src/stream/ngx_stream_proxy_module.c +--- nginx/src/stream/ngx_stream_proxy_module.c 2019-11-04 
21:30:50.297130417 +0100 ++++ nginx-1.17.5-wolfssl/src/stream/ngx_stream_proxy_module.c 2019-11-04 21:29:39.864200476 +0100 +@@ -2136,6 +2136,8 @@ + return NGX_ERROR; + } + ++ ngx_ssl_set_verify_on(cf, pscf->ssl); ++ + if (ngx_ssl_trusted_certificate(cf, pscf->ssl, + &pscf->ssl_trusted_certificate, + pscf->ssl_verify_depth) +diff -ur nginx/src/stream/ngx_stream_ssl_module.c nginx-1.17.5-wolfssl/src/stream/ngx_stream_ssl_module.c +--- nginx/src/stream/ngx_stream_ssl_module.c 2019-11-04 21:30:50.293130582 +0100 ++++ nginx-1.17.5-wolfssl/src/stream/ngx_stream_ssl_module.c 2019-11-04 21:29:39.864200476 +0100 +@@ -14,7 +14,11 @@ + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + diff --git a/nginx-1.7.7-wolfssl-debug.patch b/nginx-1.7.7-wolfssl-debug.patch new file mode 100644 index 0000000..6a5a894 --- /dev/null +++ b/nginx-1.7.7-wolfssl-debug.patch @@ -0,0 +1,17 @@ +diff --git a/src/core/nginx.c b/src/core/nginx.c +index c75ee4fd..e7b49f0b 100644 +--- a/src/core/nginx.c ++++ b/src/core/nginx.c +@@ -206,6 +206,11 @@ main(int argc, char *const *argv) + ngx_cycle_t *cycle, init_cycle; + ngx_core_conf_t *ccf; + ++ ++#ifdef WOLFSSL_NGINX ++ (void)wolfSSL_Debugging_ON(); ++#endif ++ + ngx_debug_init(); + + if (ngx_strerror_init() != NGX_OK) { + diff --git a/nginx-1.7.7-wolfssl.patch b/nginx-1.7.7-wolfssl.patch new file mode 100644 index 0000000..46c6e2b --- /dev/null +++ b/nginx-1.7.7-wolfssl.patch 
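Review bot: In the `ngx_ssl_get_session()` hunk of ngx_event_openssl.c the `TLS1_3_VERSION` branch now returns `c->ssl->session` without the `SSL_SESSION_up_ref()` the OpenSSL path takes, so the same object is referenced both by `c->ssl->session` and by whatever the caller's `save_session` stores, and the later `ngx_ssl_free_session()` on either copy (outside the hunk) would release an object the other still holds — unless wolfSSL's `SSL_SESSION_free` tolerates this, which the hunk does not state. If wolfSSL lacks `SSL_SESSION_up_ref`, `SSL_SESSION_dup()` — already used a few lines earlier in `ngx_ssl_new_client_session()` — gives the caller its own copy, e.g. `#else return SSL_SESSION_dup(c->ssl->session); #endif` in place of the bare return, and a comment recording the ownership rule is needed either way. Separately, `#define NGX_DEFAULT_CIPHERS "ALL"` replaces a deny-list that explicitly excluded aNULL and MD5 with no comment on which suites wolfSSL's `ALL` admits in the intended build; the reasoning given in the 1.7.7 commit text ("wolfSSL ALL provides adequate default ciphers") belongs at the `#define` itself. The same hunks appear in nginx-1.16.1-wolfssl.patch.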
@@ -0,0 +1,322 @@ +From 9a58b2ddaa713b312a9d14d6dd563d1df14c8231 Mon Sep 17 00:00:00 2001 +From: Juliusz Sosinowicz +Date: Tue, 1 Dec 2020 13:41:20 +0100 +Subject: [PATCH] wolfSSL Patch for Nginx 1.7.7 + +Build instructions: +- Build wolfSSL (run in wolfSSL directory): +`./configure --enable-nginx` +`make` +`make install` +The default installation directory is `/usr/local`. +- Build Nginx (run in Nginx directory): + - Apply patch: +`patch -p1 < nginx-1.7.7-wolfssl.patch` + - Compile Nginx (some warnings need to be disabled): +`./configure --with-wolfssl=/usr/local --with-http_ssl_module --with-cc-opt='-Wimplicit-fallthrough=0 -Wno-cast-function-type'` +`make` + +Port nginx 1.7.7 to wolfSSL: +- `auto/lib/openssl/conf`: Detect wolfSSL library and setup compilation options +- `auto/options`: Add wolfSSL configure option +- `src/core/nginx.c`: Enable debugging if wolfSSL is compiled with `--enable-debug` +- `src/event/ngx_event_openssl.c`: + - Nginx wants the SSL library to not do any certificate verification by default + - No need to disble renegotiation since wolfSSL has it disabled by default + - Fix TLS tickets callback to return correct values + - Ignore undefined handshake failure codes +- `src/event/ngx_event_openssl.h`: Include wolfSSL options file +- `src/event/ngx_event_openssl_stapling.c`: Use `wolfSSL_X509_up_ref` to increment issuer certificate reference counter +- `src/http/modules/ngx_http_ssl_module.c`: wolfSSL "ALL" provides adequate default ciphers +- `src/http/ngx_http_upstream.c`: Correct type mismatch +- `src/mail/ngx_mail_ssl_module.c`: wolfSSL "ALL" provides adequate default ciphers +- `src/os/unix/ngx_user.c`: `current_salt` not part of `struct crypt_data` in recent glibc version + +nginx-tests remarks: +- All tests in nginx-tests should pass. Some tests test reusing a session but fail on my machine. 
Manually setting up the server and connecting through Firefox correctly re-uses the session suggesting that the issue is on the client side not the server. I assume that this is an error in my version of Perl (which is the client in the nginx-tests). +- When running nginx-tests with TLS 1.3 then session resumption tests will fail since the tests are not configured for SSL tickets. I tested session reuse manually with Firefox and confirmed that they work. +- nginx 1.7.7 does not do session reuse with TLS 1.3 (when acting as a proxy) because it calls SSL_get1_session too soon. +--- + auto/lib/openssl/conf | 35 ++++++++++++++++++++++---- + auto/options | 3 +++ + src/core/nginx.c | 5 ++++ + src/event/ngx_event_openssl.c | 17 +++++++++++-- + src/event/ngx_event_openssl.h | 3 +++ + src/event/ngx_event_openssl_stapling.c | 8 ++++++ + src/http/modules/ngx_http_ssl_module.c | 4 +++ + src/http/ngx_http_upstream.c | 7 +++++- + src/mail/ngx_mail_ssl_module.c | 4 +++ + src/os/unix/ngx_user.c | 2 ++ + 10 files changed, 80 insertions(+), 8 deletions(-) + +diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf +index a65815f6..0796e3ab 100644 +--- a/auto/lib/openssl/conf ++++ b/auto/lib/openssl/conf +@@ -49,11 +49,38 @@ else + ngx_feature="OpenSSL library" + ngx_feature_name="NGX_OPENSSL" + ngx_feature_run=no +- ngx_feature_incs="#include " ++ ngx_feature_incs="#include ++ #include " + ngx_feature_path= + ngx_feature_libs="-lssl -lcrypto" + ngx_feature_test="SSL_library_init()" ++ ++ if [ $WOLFSSL != NONE ]; then ++ ngx_feature="wolfSSL library in $WOLFSSL" ++ ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include" ++ ++ if [ $NGX_RPATH = YES ]; then ++ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl -lm $NGX_LIBDL" ++ else ++ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl -lm $NGX_LIBDL" ++ fi ++ ++ CORE_INCS="$CORE_INCS $ngx_feature_path" ++ CFLAGS="$CFLAGS -DWOLFSSL_NGINX" ++ fi ++ + . 
auto/feature ++ ++ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then ++cat << END ++ ++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl. ++SSL modules require the wolfSSL library. ++ ++END ++ exit 1 ++ fi ++ + + if [ $ngx_found = yes ]; then + have=NGX_SSL . auto/have +@@ -66,10 +93,8 @@ else + + cat << END + +-$0: error: SSL modules require the OpenSSL library. +-You can either do not enable the modules, or install the OpenSSL library +-into the system, or build the OpenSSL library statically from the source +-with nginx by using --with-openssl= option. ++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl. ++SSL modules require the wolfSSL library. + + END + exit 1 +diff --git a/auto/options b/auto/options +index 0d296ac6..7688cad7 100644 +--- a/auto/options ++++ b/auto/options +@@ -121,6 +121,7 @@ PCRE_OPT= + PCRE_CONF_OPT= + PCRE_JIT=NO + ++WOLFSSL=NONE + USE_OPENSSL=NO + OPENSSL=NONE + +@@ -292,6 +293,7 @@ use the \"--without-http_limit_conn_module\" option instead" + --with-pcre-opt=*) PCRE_OPT="$value" ;; + --with-pcre-jit) PCRE_JIT=YES ;; + ++ --with-wolfssl=*) WOLFSSL="$value" ;; + --with-openssl=*) OPENSSL="$value" ;; + --with-openssl-opt=*) OPENSSL_OPT="$value" ;; + +@@ -469,6 +471,7 @@ cat << END + + --with-openssl=DIR set path to OpenSSL library sources + --with-openssl-opt=OPTIONS set additional build options for OpenSSL ++ --with-wolfssl=DIR set path to wolfSSL library + + --with-debug enable debug logging + +diff --git a/src/core/nginx.c b/src/core/nginx.c +index c75ee4fd..e7b49f0b 100644 +--- a/src/core/nginx.c ++++ b/src/core/nginx.c +@@ -206,6 +206,11 @@ main(int argc, char *const *argv) + ngx_cycle_t *cycle, init_cycle; + ngx_core_conf_t *ccf; + ++ ++#ifdef WOLFSSL_NGINX ++ (void)wolfSSL_Debugging_ON(); ++#endif ++ + ngx_debug_init(); + + if (ngx_strerror_init() != NGX_OK) { +diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c +index f3456527..065ec5af 100644 +--- a/src/event/ngx_event_openssl.c ++++ 
b/src/event/ngx_event_openssl.c +@@ -204,6 +204,11 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) + return NGX_ERROR; + } + ++#ifdef WOLFSSL_NGINX ++ /* nginx expects that the SSL library doesn't verify certs by default */ ++ SSL_CTX_set_verify(ssl->ctx, WOLFSSL_VERIFY_NONE, NULL); ++#endif ++ + ssl->buffer_size = NGX_SSL_BUFSIZE; + + /* client side options */ +@@ -1096,10 +1101,13 @@ ngx_ssl_handshake(ngx_connection_t *c) + c->recv_chain = ngx_ssl_recv_chain; + c->send_chain = ngx_ssl_send_chain; + ++ /* wolfSSL has renegotiation disabled by default */ ++#ifndef WOLFSSL_NGINX + /* initial handshake done, disable renegotiation (CVE-2009-3555) */ + if (c->ssl->connection->s3) { + c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; + } ++#endif + + return NGX_OK; + } +@@ -1844,7 +1852,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err, + || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */ + || n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */ + || n == SSL_R_LENGTH_MISMATCH /* 159 */ ++#ifndef WOLFSSL_NGINX + || n == SSL_R_NO_CIPHERS_PASSED /* 182 */ ++#endif + || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */ + || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */ + || n == SSL_R_NO_SHARED_CIPHER /* 193 */ +@@ -1869,6 +1879,7 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err, + #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING + || n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING /* 345 */ + #endif ++#ifndef WOLFSSL_NGINX + || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ + || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */ + || n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */ +@@ -1892,7 +1903,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err, + || n == SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY /* 1071 */ + || n == SSL_R_TLSV1_ALERT_INTERNAL_ERROR /* 1080 */ + || n == SSL_R_TLSV1_ALERT_USER_CANCELLED /* 1090 */ +- || n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION) /* 1100 */ ++ 
|| n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION /* 1100 */ ++#endif ++ ) + { + switch (c->log_error) { + +@@ -2798,7 +2811,7 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, + ngx_ssl_session_ticket_md(), NULL); + ngx_memcpy(name, key[0].name, 16); + +- return 0; ++ return 1; + + } else { + /* decrypt session ticket */ +diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h +index 08eff644..e39cce3d 100644 +--- a/src/event/ngx_event_openssl.h ++++ b/src/event/ngx_event_openssl.h +@@ -12,6 +12,9 @@ + #include + #include + ++#ifdef WOLFSSL_NGINX ++#include ++#endif + #include + #include + #include +diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c +index 2fa06730..afdbab3f 100644 +--- a/src/event/ngx_event_openssl_stapling.c ++++ b/src/event/ngx_event_openssl_stapling.c +@@ -281,7 +281,15 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl) + for (i = 0; i < n; i++) { + issuer = sk_X509_value(chain, i); + if (X509_check_issued(issuer, cert) == X509_V_OK) { ++#ifndef WOLFSSL_NGINX + CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); ++#else ++ if (wolfSSL_X509_up_ref(issuer) != 1) { ++ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, ++ "wolfSSL_X509_up_ref() failed"); ++ return NGX_ERROR; ++ } ++#endif + + ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, + "SSL get issuer: found %p in extra certs", issuer); +diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c +index 4c69091d..5a78efcb 100644 +--- a/src/http/modules/ngx_http_ssl_module.c ++++ b/src/http/modules/ngx_http_ssl_module.c +@@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "prime256v1" + + #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1" +diff --git 
a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c +index 3e8ce09e..ef80c9ba 100644 +--- a/src/http/ngx_http_upstream.c ++++ b/src/http/ngx_http_upstream.c +@@ -1566,7 +1566,12 @@ ngx_http_upstream_ssl_name(ngx_http_request_t *r, ngx_http_upstream_t *u, + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "upstream SSL server name: \"%s\"", name.data); + +- if (SSL_set_tlsext_host_name(c->ssl->connection, name.data) == 0) { ++#ifdef WOLFSSL_NGINX ++ if (SSL_set_tlsext_host_name(c->ssl->connection, (char *)name.data) == 0) ++#else ++ if (SSL_set_tlsext_host_name(c->ssl->connection, name.data) == 0) ++#endif ++ { + ngx_ssl_error(NGX_LOG_ERR, r->connection->log, 0, + "SSL_set_tlsext_host_name(\"%s\") failed", name.data); + return NGX_ERROR; +diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c +index f864d991..f43b1ebd 100644 +--- a/src/mail/ngx_mail_ssl_module.c ++++ b/src/mail/ngx_mail_ssl_module.c +@@ -10,7 +10,11 @@ + #include + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "prime256v1" + + +diff --git a/src/os/unix/ngx_user.c b/src/os/unix/ngx_user.c +index 7a71203c..816d5216 100644 +--- a/src/os/unix/ngx_user.c ++++ b/src/os/unix/ngx_user.c +@@ -31,8 +31,10 @@ ngx_libc_crypt(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted) + struct crypt_data cd; + + cd.initialized = 0; ++#if defined(__GLIBC__) && !defined(CRYPT_DATA_INTERNAL_SIZE) + /* work around the glibc bug */ + cd.current_salt[0] = ~salt[0]; ++#endif + + value = crypt_r((char *) key, (char *) salt, &cd); + +-- +2.25.1 + diff --git a/ssl_stapling.t.patch b/ssl_stapling.t.patch new file mode 100644 index 0000000..debbe14 --- /dev/null +++ b/ssl_stapling.t.patch 
@@ -0,0 +1,117 @@ +commit 76a0d0fe158ba0bc2d9a71ef3bd8ff52949a10a1 +Author: Juliusz Sosinowicz +Date: Thu Oct 24 11:45:49 2019 +0200 + + different ports for different certs + +diff --git a/ssl_stapling.t b/ssl_stapling.t +index d5b8ff3..ee57012 100644 +--- a/ssl_stapling.t ++++ b/ssl_stapling.t +@@ -53,18 +53,21 @@ http { + ssl_stapling on; + ssl_trusted_certificate trusted.crt; + +- ssl_certificate ec-end-int.crt; +- ssl_certificate_key ec-end.key; +- +- ssl_certificate end-int.crt; +- ssl_certificate_key end.key; +- + ssl_ciphers DEFAULT:ECCdraft; + + server { + listen 127.0.0.1:8443 ssl; + listen 127.0.0.1:8080; + server_name localhost; ++ ssl_certificate end-int.crt; ++ ssl_certificate_key end.key; ++ } ++ server { ++ listen 127.0.0.1:8453 ssl; ++ listen 127.0.0.1:8090; ++ server_name localhost; ++ ssl_certificate ec-end-int.crt; ++ ssl_certificate_key ec-end.key; + } + + server { +@@ -72,6 +75,17 @@ http { + server_name localhost; + + ssl_stapling_responder http://127.0.0.1:8081/; ++ ssl_certificate end-int.crt; ++ ssl_certificate_key end.key; ++ } ++ ++ server { ++ listen 127.0.0.1:8454 ssl; ++ server_name localhost; ++ ++ ssl_stapling_responder http://127.0.0.1:8081/; ++ ssl_certificate ec-end-int.crt; ++ ssl_certificate_key ec-end.key; + } + + server { +@@ -79,6 +93,8 @@ http { + server_name localhost; + + ssl_stapling_verify on; ++ ssl_certificate ec-end-int.crt; ++ ssl_certificate_key ec-end.key; + } + + server { +@@ -87,6 +103,8 @@ http { + + ssl_certificate ec-end.crt; + ssl_certificate_key ec-end.key; ++ ssl_certificate ec-end-int.crt; ++ ssl_certificate_key ec-end.key; + } + + server { +@@ -97,6 +115,8 @@ http { + ssl_certificate_key end.key; + + ssl_stapling_file %%TESTDIR%%/resp.der; ++ ssl_certificate end-int.crt; ++ ssl_certificate_key end.key; + } + + server { +@@ -114,6 +134,8 @@ http { + server_name localhost; + + ssl_stapling_responder http://127.0.0.1:8080/; ++ ssl_certificate ec-end-int.crt; ++ ssl_certificate_key ec-end.key; + } + } + +@@ 
-249,9 +271,9 @@ $t->waitforsocket("127.0.0.1:" . port(8081));
+ my $version = get_version();
+
+ staple(8443, 'RSA');
+-staple(8443, 'ECDSA');
++staple(8453, 'ECDSA');
+ staple(8444, 'RSA');
+-staple(8444, 'ECDSA');
++staple(8454, 'ECDSA');
+ staple(8445, 'ECDSA');
+ staple(8446, 'ECDSA');
+ staple(8449, 'ECDSA');
+@@ -259,10 +281,10 @@ staple(8449, 'ECDSA');
+ sleep 1;
+
+ ok(!staple(8443, 'RSA'), 'staple revoked');
+-ok(staple(8443, 'ECDSA'), 'staple success');
++ok(staple(8453, 'ECDSA'), 'staple success');
+
+ ok(!staple(8444, 'RSA'), 'responder revoked');
+-ok(staple(8444, 'ECDSA'), 'responder success');
++ok(staple(8454, 'ECDSA'), 'responder success');
+
+ ok(!staple(8445, 'ECDSA'), 'verify - root not trusted');
+
diff --git a/test.sh b/test.sh
index 978651d..71e3ffe 100755
--- a/test.sh
+++ b/test.sh
@@ -219,7 +219,7 @@ echo '#'
 PORT=11443
 echo "# Port: $PORT"
 OPTS=
-EXPECT=("SSL DH size is 2048 bits" "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK" "resume response")
+EXPECT=("2048" "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK" "resume response")
 client_test
 # Default certificate, DH, verify client
 echo
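Review bot: In the inner hunks `@@ -87,6 +103,8 @@` and `@@ -97,6 +115,8 @@` the new `ssl_certificate ec-end-int.crt;` / `ssl_certificate end-int.crt;` pairs are appended to server blocks that already carry a certificate (`ssl_certificate ec-end.crt;` in the first, and `ssl_certificate_key end.key;` visible in the second), so those servers end up with two `ssl_certificate` directives of the same key type, which is the same-server multi-cert layout the patch is meant to remove. If wolfSSL lets the later directive replace the earlier one, these ports no longer serve the leaf-only certificate the corresponding `staple(...)` checks presumably exercise, and the expectations for those cases become meaningless rather than failing loudly; I cannot confirm the override semantics from this hunk. Either drop the added pair in those two blocks or state the intent in the patch description, e.g. `# end-int.crt deliberately replaces end.crt here: wolfSSL keeps only the last ssl_certificate per key type`. The enclosing `http { ... }` block starts outside the hunk.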
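Review bot: Loosening the first `EXPECT` element from `"SSL DH size is 2048 bits"` to the bare string `"2048"` weakens the DH-size check in the 11443 case: a four-digit substring can match unrelated client output (a 2048-bit certificate key size, a byte count, or part of a larger number), so the test can pass without the DHE group actually being 2048 bits. If the wolfSSL client prints the size with different wording, match that wording rather than the number alone, e.g. `EXPECT=("<NEW-DH-SIZE-LINE placeholder, e.g. 'DH size is 2048'>" "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK" "resume response")`. How `client_test` matches the `EXPECT` entries (substring vs. whole line) is defined outside this hunk, so the actual risk depends on that helper.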