From 43134954acae47f5b4bdaeb5ba57215ec6fc798a Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 22 Oct 2019 13:56:27 +0200 Subject: [PATCH 01/12] Reuse sessions --- nginx-1.15.0-wolfssl.patch | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/nginx-1.15.0-wolfssl.patch b/nginx-1.15.0-wolfssl.patch index eddf485..65b86b7 100644 --- a/nginx-1.15.0-wolfssl.patch +++ b/nginx-1.15.0-wolfssl.patch @@ -193,9 +193,20 @@ diff -ur nginx-1.15.0/src/http/modules/ngx_http_ssl_module.c nginx-1.15.0-wolfss #define NGX_DEFAULT_ECDH_CURVE "auto" #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1" -diff -ur nginx-1.15.0/src/mail/ngx_mail_ssl_module.c nginx-1.15.0-wolfssl/src/mail/ngx_mail_ssl_module.c ---- nginx-1.15.0/src/mail/ngx_mail_ssl_module.c 2018-06-05 23:47:25.000000000 +1000 -+++ nginx-1.15.0-wolfssl/src/mail/ngx_mail_ssl_module.c 2018-06-14 15:44:59.059897033 +1000 +@@ -766,8 +770,10 @@ + return NGX_CONF_ERROR; + } + ++#ifndef WOLFSSL_NGINX + ngx_conf_merge_value(conf->builtin_session_cache, + prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); ++#endif + + if (conf->shm_zone == NULL) { + conf->shm_zone = prev->shm_zone; +diff -ur nginx/src/mail/ngx_mail_ssl_module.c nginx-1.15.0-wolfssl/src/mail/ngx_mail_ssl_module.c +--- nginx/src/mail/ngx_mail_ssl_module.c 2019-10-22 13:38:25.369054696 +0200 ++++ nginx-1.15.0-wolfssl/src/mail/ngx_mail_ssl_module.c 2019-10-22 13:37:13.938265565 +0200 @@ -10,7 +10,11 @@ #include From aa5ba008069e22267bfc80b68396b629b16d6eb7 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 24 Oct 2019 15:04:17 +0200 Subject: [PATCH 02/12] ssl_stapling.t test with RSA and ECC separate --- ssl_stapling.t | 428 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 428 insertions(+) create mode 100644 ssl_stapling.t diff --git a/ssl_stapling.t b/ssl_stapling.t new file mode 100644 index 0000000..ee57012 --- /dev/null +++ b/ssl_stapling.t 
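Review bot: Wrapping `ngx_conf_merge_value(conf->builtin_session_cache, prev->builtin_session_cache, NGX_SSL_NONE_SCACHE)` in `#ifndef WOLFSSL_NGINX` leaves `conf->builtin_session_cache` unmerged in wolfSSL builds, so a server block that does not set `ssl_session_cache` presumably neither inherits the enclosing level's value nor gets upstream's `none` default, and reaches the session-cache setup with its unset sentinel. The hunk carries no rationale for this divergence, and the same change reappears in the 1.16.1 patch at `+@@ -810,8 +814,10 @@` in [PATCH 03/12]. A comment on the `#ifndef`, e.g. `/* wolfSSL: merge skipped on purpose — [reason]; ssl_session_cache none/off behave differently here */` with the real reason filled in, plus a check that an explicit `ssl_session_cache off;` still disables resumption under wolfSSL, would make the intent reviewable. The enclosing merge function starts and ends outside the hunk.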
@@ -0,0 +1,428 @@ +#!/usr/bin/perl + +# (C) Sergey Kandaurov +# (C) Nginx, Inc. + +# Tests for OCSP stapling. + +############################################################################### + +use warnings; +use strict; + +use Test::More; + +use MIME::Base64 qw/ decode_base64 /; + +BEGIN { use FindBin; chdir($FindBin::Bin); } + +use lib 'lib'; +use Test::Nginx; + +############################################################################### + +select STDERR; $| = 1; +select STDOUT; $| = 1; + +eval { + require Net::SSLeay; + Net::SSLeay::load_error_strings(); + Net::SSLeay::SSLeay_add_ssl_algorithms(); + Net::SSLeay::randomize(); + Net::SSLeay::SSLeay(); + defined &Net::SSLeay::set_tlsext_status_type or die; +}; +plan(skip_all => 'Net::SSLeay not installed or too old') if $@; + +my $t = Test::Nginx->new()->has(qw/http http_ssl/)->has_daemon('openssl'); + +plan(skip_all => 'no OCSP stapling') if $t->has_module('BoringSSL'); + +$t->plan(9)->write_file_expand('nginx.conf', <<'EOF'); + +%%TEST_GLOBALS%% + +daemon off; + +events { +} + +http { + %%TEST_GLOBALS_HTTP%% + + ssl_stapling on; + ssl_trusted_certificate trusted.crt; + + ssl_ciphers DEFAULT:ECCdraft; + + server { + listen 127.0.0.1:8443 ssl; + listen 127.0.0.1:8080; + server_name localhost; + ssl_certificate end-int.crt; + ssl_certificate_key end.key; + } + server { + listen 127.0.0.1:8453 ssl; + listen 127.0.0.1:8090; + server_name localhost; + ssl_certificate ec-end-int.crt; + ssl_certificate_key ec-end.key; + } + + server { + listen 127.0.0.1:8444 ssl; + server_name localhost; + + ssl_stapling_responder http://127.0.0.1:8081/; + ssl_certificate end-int.crt; + ssl_certificate_key end.key; + } + + server { + listen 127.0.0.1:8454 ssl; + server_name localhost; + + ssl_stapling_responder http://127.0.0.1:8081/; + ssl_certificate ec-end-int.crt; + ssl_certificate_key ec-end.key; + } + + server { + listen 127.0.0.1:8445 ssl; + server_name localhost; + + ssl_stapling_verify on; + ssl_certificate ec-end-int.crt; 
+ ssl_certificate_key ec-end.key; + } + + server { + listen 127.0.0.1:8446 ssl; + server_name localhost; + + ssl_certificate ec-end.crt; + ssl_certificate_key ec-end.key; + ssl_certificate ec-end-int.crt; + ssl_certificate_key ec-end.key; + } + + server { + listen 127.0.0.1:8447 ssl; + server_name localhost; + + ssl_certificate end-int.crt; + ssl_certificate_key end.key; + + ssl_stapling_file %%TESTDIR%%/resp.der; + ssl_certificate end-int.crt; + ssl_certificate_key end.key; + } + + server { + listen 127.0.0.1:8448 ssl; + server_name localhost; + + ssl_certificate ec-end-int.crt; + ssl_certificate_key ec-end.key; + + ssl_stapling_file %%TESTDIR%%/ec-resp.der; + } + + server { + listen 127.0.0.1:8449 ssl; + server_name localhost; + + ssl_stapling_responder http://127.0.0.1:8080/; + ssl_certificate ec-end-int.crt; + ssl_certificate_key ec-end.key; + } +} + +EOF + +my $d = $t->testdir(); +my $p = port(8081); + +$t->write_file('openssl.conf', <write_file('ca.conf', <>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for $name: $!\n"; +} + +foreach my $name ('int', 'end') { + system("openssl req -new " + . "-config $d/openssl.conf -subj /CN=$name/ " + . "-out $d/$name.csr -keyout $d/$name.key " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for $name: $!\n"; +} + +foreach my $name ('ec-end') { + system("openssl ecparam -genkey -out $d/$name.key -name prime256v1 " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create EC param: $!\n"; + system("openssl req -new -key $d/$name.key " + . "-config $d/openssl.conf -subj /CN=$name/ " + . "-out $d/$name.csr " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for $name: $!\n"; +} + +$t->write_file('certserial', '1000'); +$t->write_file('certindex', ''); + +system("openssl ca -batch -config $d/ca.conf " + . "-keyfile $d/root.key -cert $d/root.crt " + . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt " + . 
">>$d/openssl.out 2>&1") == 0 + or die "Can't sign certificate for int: $!\n"; + +system("openssl ca -batch -config $d/ca.conf " + . "-keyfile $d/int.key -cert $d/int.crt " + . "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't sign certificate for ec-end: $!\n"; + +system("openssl ca -batch -config $d/ca.conf " + . "-keyfile $d/int.key -cert $d/int.crt " + . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't sign certificate for end: $!\n"; + +# RFC 6960, serialNumber + +system("openssl x509 -in $d/end.crt -serial -noout " + . ">>$d/serial 2>>$d/openssl.out") == 0 + or die "Can't obtain serial for end: $!\n"; + +my $serial = pack("n2", 0x0202, hex $1) if $t->read_file('serial') =~ /(\d+)/; + +system("openssl ca -config $d/ca.conf -revoke $d/end.crt " + . "-keyfile $d/root.key -cert $d/root.crt " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't revoke end.crt: $!\n"; + +system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt " + . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0 + or die "Can't create OCSP request: $!\n"; + +system("openssl ocsp -index $d/certindex -CA $d/int.crt " + . "-rsigner $d/root.crt -rkey $d/root.key " + . "-reqin $d/req.der -respout $d/resp.der -ndays 1 " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create OCSP response: $!\n"; + +system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt " + . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0 + or die "Can't create EC OCSP request: $!\n"; + +system("openssl ocsp -index $d/certindex -CA $d/int.crt " + . "-rsigner $d/root.crt -rkey $d/root.key " + . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create EC OCSP response: $!\n"; + +$t->write_file('trusted.crt', + $t->read_file('int.crt') . $t->read_file('root.crt')); +$t->write_file('end-int.crt', + $t->read_file('end.crt') . 
$t->read_file('int.crt')); +$t->write_file('ec-end-int.crt', + $t->read_file('ec-end.crt') . $t->read_file('int.crt')); + +$t->run_daemon(\&http_daemon, $t); +$t->run(); + +$t->waitforsocket("127.0.0.1:" . port(8081)); + +############################################################################### + +my $version = get_version(); + +staple(8443, 'RSA'); +staple(8453, 'ECDSA'); +staple(8444, 'RSA'); +staple(8454, 'ECDSA'); +staple(8445, 'ECDSA'); +staple(8446, 'ECDSA'); +staple(8449, 'ECDSA'); + +sleep 1; + +ok(!staple(8443, 'RSA'), 'staple revoked'); +ok(staple(8453, 'ECDSA'), 'staple success'); + +ok(!staple(8444, 'RSA'), 'responder revoked'); +ok(staple(8454, 'ECDSA'), 'responder success'); + +ok(!staple(8445, 'ECDSA'), 'verify - root not trusted'); + +ok(staple(8446, 'ECDSA', "$d/int.crt"), 'cert store'); + +is(staple(8447, 'RSA'), '1 1', 'file revoked'); +is(staple(8448, 'ECDSA'), '1 0', 'file success'); + +ok(!staple(8449, 'ECDSA'), 'ocsp error'); + +############################################################################### + +sub staple { + my ($port, $ciphers, $ca) = @_; + my (@resp); + + my $staple_cb = sub { + my ($ssl, $resp) = @_; + push @resp, !!$resp; + return 1 unless $resp; + my $cert = Net::SSLeay::get_peer_certificate($ssl); + my $certid = eval { Net::SSLeay::OCSP_cert2ids($ssl, $cert) } + or do { die "no OCSP_CERTID for certificate: $@"; }; + + my @res = Net::SSLeay::OCSP_response_results($resp, $certid); + push @resp, $res[0][2]->{'statusType'}; + }; + + my $s; + + eval { + local $SIG{ALRM} = sub { die "timeout\n" }; + local $SIG{PIPE} = sub { die "sigpipe\n" }; + alarm(8); + $s = IO::Socket::INET->new('127.0.0.1:' . 
port($port)); + alarm(0); + }; + alarm(0); + + if ($@) { + log_in("died: $@"); + return undef; + } + + my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); + + my $ssleay = Net::SSLeay::SSLeay(); + if ($ssleay < 0x1000200f || $ssleay == 0x20000000) { + Net::SSLeay::CTX_set_cipher_list($ctx, $ciphers) + or die("Failed to set cipher list"); + } else { + # SSL_CTRL_SET_SIGALGS_LIST + $ciphers = 'PSS' if $ciphers eq 'RSA' && $version > 0x0303; + Net::SSLeay::CTX_ctrl($ctx, 98, 0, $ciphers . '+SHA256') + or die("Failed to set sigalgs"); + } + + Net::SSLeay::CTX_load_verify_locations($ctx, $ca || '', ''); + Net::SSLeay::CTX_set_tlsext_status_cb($ctx, $staple_cb); + my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); + Net::SSLeay::set_tlsext_status_type($ssl, + Net::SSLeay::TLSEXT_STATUSTYPE_ocsp()); + Net::SSLeay::set_fd($ssl, fileno($s)); + Net::SSLeay::connect($ssl) or die("ssl connect"); + + return join ' ', @resp; +} + +sub get_version { + my $s; + + eval { + local $SIG{ALRM} = sub { die "timeout\n" }; + local $SIG{PIPE} = sub { die "sigpipe\n" }; + alarm(8); + $s = IO::Socket::INET->new('127.0.0.1:' . port(8443)); + alarm(0); + }; + alarm(0); + + if ($@) { + log_in("died: $@"); + return undef; + } + + my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); + my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); + Net::SSLeay::set_fd($ssl, fileno($s)); + Net::SSLeay::connect($ssl) or die("ssl connect"); + + Net::SSLeay::version($ssl); +} + +############################################################################### + +sub http_daemon { + my ($t) = shift; + my $server = IO::Socket::INET->new( + Proto => 'tcp', + LocalHost => "127.0.0.1:" . 
port(8081), + Listen => 5, + Reuse => 1 + ) + or die "Can't create listening socket: $!\n"; + + local $SIG{PIPE} = 'IGNORE'; + + while (my $client = $server->accept()) { + $client->autoflush(1); + + my $headers = ''; + my $uri = ''; + + while (<$client>) { + $headers .= $_; + last if (/^\x0d?\x0a?$/); + } + + $uri = $1 if $headers =~ /^\S+\s+\/([^ ]+)\s+HTTP/i; + next unless $uri; + + $uri =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg; + my $req = decode_base64($uri); + my $resp = index($req, $serial) > 0 ? 'resp' : 'ec-resp'; + + # ocsp dummy handler + + select undef, undef, undef, 0.02; + + $headers = <<"EOF"; +HTTP/1.1 200 OK +Connection: close +Content-Type: application/ocsp-response + +EOF + + print $client $headers . $t->read_file("$resp.der"); + } +} + +############################################################################### From ac2d0f3cacad721728373c4aee616b2157d4ef9e Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Mon, 28 Oct 2019 16:51:23 +0100 Subject: [PATCH 03/12] Support for nginx-1.16.1 --- nginx-1.16.1-wolfssl-debug.patch | 112 +++++++++++ nginx-1.16.1-wolfssl.patch | 308 +++++++++++++++++++++++++++++++ 2 files changed, 420 insertions(+) create mode 100644 nginx-1.16.1-wolfssl-debug.patch create mode 100644 nginx-1.16.1-wolfssl.patch diff --git a/nginx-1.16.1-wolfssl-debug.patch b/nginx-1.16.1-wolfssl-debug.patch new file mode 100644 index 0000000..50f04cd --- /dev/null +++ b/nginx-1.16.1-wolfssl-debug.patch 
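Review bot: `my $serial = pack("n2", 0x0202, hex $1) if $t->read_file('serial') =~ /(\d+)/;` combines a conditional `my` declaration, whose behaviour perlsyn documents as undefined, with a `\d+` capture applied to the hex serial that `openssl x509 -serial` writes, so any serial containing A–F is truncated before `hex` and `http_daemon`'s `index($req, $serial)` lookup then selects the wrong response. Prefer `my ($hex) = $t->read_file('serial') =~ /serial=([0-9A-Fa-f]+)/i;` followed by `my $serial = pack("n2", 0x0202, hex $hex);`. Separately, the `listen 127.0.0.1:8447 ssl` block lists `ssl_certificate end-int.crt; ssl_certificate_key end.key;` twice, once before and once after `ssl_stapling_file`; the second pair looks like an editing leftover and should be dropped so the block declares one certificate.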
@@ -0,0 +1,112 @@ +diff -ur nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c nginx-1.16.1-wolfssl-debug/src/event/ngx_event_openssl.c +--- nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c 2019-10-17 09:01:12.991526380 +1000 ++++ nginx-1.16.1-wolfssl-debug/src/event/ngx_event_openssl.c 2019-10-17 08:32:00.850631120 +1000 +@@ -164,6 +164,11 @@ + + #endif + ++#ifdef WOLFSSL_NGINX ++ /* Turn on internal wolfssl debugging to stdout */ ++ wolfSSL_Debugging_ON(); ++#endif ++ + #if OPENSSL_VERSION_NUMBER >= 0x0090800fL + #ifndef SSL_OP_NO_COMPRESSION + { +@@ -1579,9 +1584,7 @@ + { + #ifdef TLS1_3_VERSION + if (c->ssl->session) { +- #if !defined(WOLFSSL_NGINX) + SSL_SESSION_up_ref(c->ssl->session); +- #endif + return c->ssl->session; + } + #endif +diff -ur nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c.orig nginx-1.16.1-wolfssl-debug/src/event/ngx_event_openssl.c.orig +--- nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c.orig 2019-10-17 08:23:11.313946458 +1000 ++++ nginx-1.16.1-wolfssl-debug/src/event/ngx_event_openssl.c.orig 2019-10-17 08:30:33.163460161 +1000 +@@ -384,6 +384,10 @@ + + SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); + ++#ifdef WOLFSSL_NGINX ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL); ++#endif ++ + return NGX_OK; + } + +@@ -863,6 +867,14 @@ + + + ngx_int_t ++ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl) ++{ ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback); ++ ++ return NGX_OK; ++} ++ ++ngx_int_t + ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, + ngx_int_t depth) + { +@@ -1370,7 +1382,8 @@ + * maximum interoperability. 
+ */ + +-#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) ++#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) || \ ++ defined(WOLFSSL_NGINX) + + /* + * OpenSSL 1.0.2+ allows configuring a curve list instead of a single +@@ -3929,7 +3942,8 @@ + return -1; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \ ++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS)) + if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) { + ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); + return -1; +@@ -3973,7 +3987,8 @@ + size = 32; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \ ++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS)) + if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) { + ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); + return -1; +diff -ur nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.h nginx-1.16.1-wolfssl-debug/src/event/ngx_event_openssl.h +--- nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.h 2019-10-17 09:09:02.955768195 +1000 ++++ nginx-1.16.1-wolfssl-debug/src/event/ngx_event_openssl.h 2019-10-17 08:30:33.163460161 +1000 +@@ -14,7 +14,6 @@ + + #ifdef WOLFSSL_NGINX + #include +-#include + #endif + #include + #include +Only in nginx-1.16.1-wolfssl/src/event: .ngx_event_openssl.h.swp +diff -ur nginx-1.16.1-wolfssl/src/http/ngx_http_request.c nginx-1.16.1-wolfssl-debug/src/http/ngx_http_request.c +--- nginx-1.16.1-wolfssl/src/http/ngx_http_request.c 2019-10-17 08:49:18.234819519 +1000 ++++ nginx-1.16.1-wolfssl-debug/src/http/ngx_http_request.c 2019-10-17 08:30:33.163460161 +1000 +@@ -851,12 +851,6 @@ + + + #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME +-#ifndef SSL_AD_NO_RENEGOTIATION +-#define SSL_AD_NO_RENEGOTIATION 100 +-#endif +-#ifndef SSL_AD_INTERNAL_ERROR +-#define SSL_AD_INTERNAL_ERROR 80 +-#endif + + int + ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, 
int *ad, void *arg) diff --git a/nginx-1.16.1-wolfssl.patch b/nginx-1.16.1-wolfssl.patch new file mode 100644 index 0000000..2c26430 --- /dev/null +++ b/nginx-1.16.1-wolfssl.patch 
@@ -0,0 +1,308 @@ +diff -ur nginx/auto/lib/openssl/conf nginx-1.16.1-wolfssl/auto/lib/openssl/conf +--- nginx/auto/lib/openssl/conf 2019-10-28 17:04:55.111782394 +0100 ++++ nginx-1.16.1-wolfssl/auto/lib/openssl/conf 2019-10-28 16:59:15.481019251 +0100 +@@ -62,8 +62,33 @@ + ngx_feature_path= + ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD" + ngx_feature_test="SSL_CTX_set_options(NULL, 0)" ++ ++ if [ $WOLFSSL != NONE ]; then ++ ngx_feature="wolfSSL library in $WOLFSSL" ++ ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include" ++ ++ if [ $NGX_RPATH = YES ]; then ++ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" ++ else ++ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" ++ fi ++ ++ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl" ++ CFLAGS="$CFLAGS -DWOLFSSL_NGINX" ++ fi ++ + . auto/feature + ++ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then ++cat << END ++ ++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl. ++SSL modules require the wolfSSL library. 
++ ++END ++ exit 1 ++ fi ++ + if [ $ngx_found = no ]; then + + # FreeBSD port +diff -ur nginx/auto/options nginx-1.16.1-wolfssl/auto/options +--- nginx/auto/options 2019-10-28 17:04:55.111782394 +0100 ++++ nginx-1.16.1-wolfssl/auto/options 2019-10-28 16:59:15.485019190 +0100 +@@ -147,6 +147,7 @@ + + USE_OPENSSL=NO + OPENSSL=NONE ++WOLFSSL=NONE + + USE_ZLIB=NO + ZLIB=NONE +@@ -355,6 +356,7 @@ + --with-pcre-opt=*) PCRE_OPT="$value" ;; + --with-pcre-jit) PCRE_JIT=YES ;; + ++ --with-wolfssl=*) WOLFSSL="$value" ;; + --with-openssl=*) OPENSSL="$value" ;; + --with-openssl-opt=*) OPENSSL_OPT="$value" ;; + +@@ -579,6 +581,7 @@ + --with-libatomic force libatomic_ops library usage + --with-libatomic=DIR set path to libatomic_ops library sources + ++ --with-wolfssl=DIR set path to wolfSSL headers and library + --with-openssl=DIR set path to OpenSSL library sources + --with-openssl-opt=OPTIONS set additional build options for OpenSSL + +Only in nginx: .git +diff -ur nginx/src/event/ngx_event_openssl.c nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c +--- nginx/src/event/ngx_event_openssl.c 2019-10-28 17:06:07.286673633 +0100 ++++ nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c 2019-10-28 16:59:15.485019190 +0100 +@@ -384,6 +384,10 @@ + + SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); + ++#ifdef WOLFSSL_NGINX ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL); ++#endif ++ + return NGX_OK; + } + +@@ -863,6 +867,14 @@ + + + ngx_int_t ++ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl) ++{ ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback); ++ ++ return NGX_OK; ++} ++ ++ngx_int_t + ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, + ngx_int_t depth) + { +@@ -1370,7 +1382,8 @@ + * maximum interoperability. 
+ */ + +-#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) ++#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) || \ ++ defined(WOLFSSL_NGINX) + + /* + * OpenSSL 1.0.2+ allows configuring a curve list instead of a single +@@ -1491,10 +1504,32 @@ + ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) + { + ngx_connection_t *c; ++#ifdef WOLFSSL_NGINX ++ int len; ++ unsigned char buf[NGX_SSL_MAX_SESSION_SIZE]; ++#endif + + c = ngx_ssl_get_connection(ssl_conn); + + if (c->ssl->save_session) { ++#ifdef WOLFSSL_NGINX ++ len = i2d_SSL_SESSION(sess, NULL); ++ ++ /* do not cache too big session */ ++ if (len > NGX_SSL_MAX_SESSION_SIZE) { ++ return -1; ++ } ++ ++ len = i2d_SSL_SESSION(sess, (unsigned char**) &buf); ++ if (len <= 0) { ++ return -1; ++ } ++ sess = d2i_SSL_SESSION(NULL, (const unsigned char**) &buf, len); ++ if (!sess) { ++ return -1; ++ } ++#endif ++ + c->ssl->session = sess; + + c->ssl->save_session(c); +@@ -1566,7 +1601,9 @@ + { + #ifdef TLS1_3_VERSION + if (c->ssl->session) { ++ #if !defined(WOLFSSL_NGINX) + SSL_SESSION_up_ref(c->ssl->session); ++ #endif + return c->ssl->session; + } + #endif +@@ -3929,7 +3966,8 @@ + return -1; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \ ++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS)) + if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) { + ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); + return -1; +@@ -3973,7 +4011,8 @@ + size = 32; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \ ++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS)) + if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) { + ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); + return -1; +diff -ur nginx/src/event/ngx_event_openssl.h nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.h +--- 
nginx/src/event/ngx_event_openssl.h 2019-10-28 17:04:55.111782394 +0100 ++++ nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.h 2019-10-28 16:59:15.485019190 +0100 +@@ -12,6 +12,10 @@ + #include + #include + ++#ifdef WOLFSSL_NGINX ++#include ++#include ++#endif + #include + #include + #include +@@ -59,7 +63,7 @@ + #define ngx_ssl_conn_t SSL + + +-#if (OPENSSL_VERSION_NUMBER < 0x10002000L) ++#if (OPENSSL_VERSION_NUMBER < 0x10002000L) && !defined(WOLFSSL_NGINX) + #define SSL_is_server(s) (s)->server + #endif + +@@ -171,6 +175,7 @@ + + ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, + ngx_uint_t prefer_server_ciphers); ++ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl); + ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, + ngx_str_t *cert, ngx_int_t depth); + ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, +diff -ur nginx/src/event/ngx_event_openssl_stapling.c nginx-1.16.1-wolfssl/src/event/ngx_event_openssl_stapling.c +--- nginx/src/event/ngx_event_openssl_stapling.c 2019-10-28 17:04:55.111782394 +0100 ++++ nginx-1.16.1-wolfssl/src/event/ngx_event_openssl_stapling.c 2019-10-28 16:59:15.485019190 +0100 +@@ -313,7 +313,9 @@ + for (i = 0; i < n; i++) { + issuer = sk_X509_value(chain, i); + if (X509_check_issued(issuer, cert) == X509_V_OK) { +-#if OPENSSL_VERSION_NUMBER >= 0x10100001L ++#ifdef WOLFSSL_NGINX ++ issuer = X509_dup(issuer); ++#elif OPENSSL_VERSION_NUMBER >= 0x10100001L + X509_up_ref(issuer); + #else + CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); +diff -ur nginx/src/http/modules/ngx_http_proxy_module.c nginx-1.16.1-wolfssl/src/http/modules/ngx_http_proxy_module.c +--- nginx/src/http/modules/ngx_http_proxy_module.c 2019-10-28 17:04:55.111782394 +0100 ++++ nginx-1.16.1-wolfssl/src/http/modules/ngx_http_proxy_module.c 2019-10-28 16:59:15.489019127 +0100 +@@ -4307,6 +4307,8 @@ + return NGX_ERROR; + } + ++ ngx_ssl_set_verify_on(cf, plcf->upstream.ssl); ++ + if 
(ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl, + &plcf->ssl_trusted_certificate, + plcf->ssl_verify_depth) +diff -ur nginx/src/http/modules/ngx_http_ssl_module.c nginx-1.16.1-wolfssl/src/http/modules/ngx_http_ssl_module.c +--- nginx/src/http/modules/ngx_http_ssl_module.c 2019-10-28 17:06:07.286673633 +0100 ++++ nginx-1.16.1-wolfssl/src/http/modules/ngx_http_ssl_module.c 2019-10-28 16:59:15.489019127 +0100 +@@ -14,7 +14,11 @@ + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1" +@@ -810,8 +814,10 @@ + return NGX_CONF_ERROR; + } + ++#ifndef WOLFSSL_NGINX + ngx_conf_merge_value(conf->builtin_session_cache, + prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); ++#endif + + if (conf->shm_zone == NULL) { + conf->shm_zone = prev->shm_zone; +diff -ur nginx/src/http/ngx_http_request.c nginx-1.16.1-wolfssl/src/http/ngx_http_request.c +--- nginx/src/http/ngx_http_request.c 2019-10-28 17:04:55.111782394 +0100 ++++ nginx-1.16.1-wolfssl/src/http/ngx_http_request.c 2019-10-28 16:59:15.485019190 +0100 +@@ -851,6 +851,12 @@ + + + #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME ++#ifndef SSL_AD_NO_RENEGOTIATION ++#define SSL_AD_NO_RENEGOTIATION 100 ++#endif ++#ifndef SSL_AD_INTERNAL_ERROR ++#define SSL_AD_INTERNAL_ERROR 80 ++#endif + + int + ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) +diff -ur nginx/src/mail/ngx_mail_ssl_module.c nginx-1.16.1-wolfssl/src/mail/ngx_mail_ssl_module.c +--- nginx/src/mail/ngx_mail_ssl_module.c 2019-10-28 17:04:55.111782394 +0100 ++++ nginx-1.16.1-wolfssl/src/mail/ngx_mail_ssl_module.c 2019-10-28 16:59:15.489019127 +0100 +@@ -10,7 +10,11 @@ + #include + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + +diff -ur 
nginx/src/stream/ngx_stream_proxy_module.c nginx-1.16.1-wolfssl/src/stream/ngx_stream_proxy_module.c +--- nginx/src/stream/ngx_stream_proxy_module.c 2019-10-28 17:04:55.111782394 +0100 ++++ nginx-1.16.1-wolfssl/src/stream/ngx_stream_proxy_module.c 2019-10-28 16:59:15.493019066 +0100 +@@ -2131,6 +2131,8 @@ + return NGX_ERROR; + } + ++ ngx_ssl_set_verify_on(cf, pscf->ssl); ++ + if (ngx_ssl_trusted_certificate(cf, pscf->ssl, + &pscf->ssl_trusted_certificate, + pscf->ssl_verify_depth) +diff -ur nginx/src/stream/ngx_stream_ssl_module.c nginx-1.16.1-wolfssl/src/stream/ngx_stream_ssl_module.c +--- nginx/src/stream/ngx_stream_ssl_module.c 2019-10-28 17:04:55.111782394 +0100 ++++ nginx-1.16.1-wolfssl/src/stream/ngx_stream_ssl_module.c 2019-10-28 16:59:15.493019066 +0100 +@@ -14,7 +14,11 @@ + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + From f35ee396d48ef933aa29f28ef5b678e401f153fc Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 29 Oct 2019 17:34:05 +0100 Subject: [PATCH 04/12] Remove tabs and fix debug patch --- nginx-1.16.1-wolfssl-debug.patch | 103 +------------------------------ nginx-1.16.1-wolfssl.patch | 4 +- 2 files changed, 5 insertions(+), 102 deletions(-) diff --git a/nginx-1.16.1-wolfssl-debug.patch b/nginx-1.16.1-wolfssl-debug.patch index 50f04cd..6cbe33c 100644 --- a/nginx-1.16.1-wolfssl-debug.patch +++ b/nginx-1.16.1-wolfssl-debug.patch 
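Review bot: In the WOLFSSL_NGINX block added to `ngx_ssl_new_client_session`, `buf` is declared `unsigned char buf[NGX_SSL_MAX_SESSION_SIZE]`, so `(unsigned char**) &buf` gives i2d_SSL_SESSION and d2i_SSL_SESSION a pointer to the array's first bytes reinterpreted as an `unsigned char *`; both functions dereference `*pp`, so the encode writes through an uninitialised pointer and the decode reads from one (if those bytes happen to be zero the library may allocate instead and the allocation is never freed). Use a separate cursor reset to `buf` before each call, as below; the 1.17.5 copy of this patch in [PATCH 06/12] presumably carries the same block and needs the same change. Separately, `NGX_DEFAULT_CIPHERS` becomes `"ALL"` for wolfSSL in the http, mail and stream modules with no comment on why `HIGH:!aNULL:!MD5` cannot be kept; a `/* wolfSSL: [reason] */` beside each `#else` and confirmation that wolfSSL's `ALL` still excludes anonymous and MD5 suites would make the widening deliberate. The enclosing functions start and end outside the hunks.
```c
#ifdef WOLFSSL_NGINX
    int                len;
    unsigned char     *p;
    unsigned char      buf[NGX_SSL_MAX_SESSION_SIZE];
#endif

    /* … unchanged: ngx_ssl_get_connection, save_session check, size probe … */

        p = buf;
        len = i2d_SSL_SESSION(sess, &p);
        if (len <= 0) {
            return -1;
        }

        p = buf;
        sess = d2i_SSL_SESSION(NULL, (const unsigned char **) &p, len);
        if (!sess) {
            return -1;
        }
```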
@@ -1,6 +1,6 @@ -diff -ur nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c nginx-1.16.1-wolfssl-debug/src/event/ngx_event_openssl.c ---- nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c 2019-10-17 09:01:12.991526380 +1000 -+++ nginx-1.16.1-wolfssl-debug/src/event/ngx_event_openssl.c 2019-10-17 08:32:00.850631120 +1000 +diff -ur nginx/src/event/ngx_event_openssl.c nginx-debug/src/event/ngx_event_openssl.c +--- nginx/src/event/ngx_event_openssl.c 2019-10-29 17:31:13.468021354 +0100 ++++ nginx-debug/src/event/ngx_event_openssl.c 2019-10-29 17:31:06.152106826 +0100 @@ -164,6 +164,11 @@ #endif 
@@ -13,100 +13,3 @@ diff -ur nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c nginx-1.16.1-wolfssl #if OPENSSL_VERSION_NUMBER >= 0x0090800fL #ifndef SSL_OP_NO_COMPRESSION { -@@ -1579,9 +1584,7 @@ - { - #ifdef TLS1_3_VERSION - if (c->ssl->session) { -- #if !defined(WOLFSSL_NGINX) - SSL_SESSION_up_ref(c->ssl->session); -- #endif - return c->ssl->session; - } - #endif -diff -ur nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c.orig nginx-1.16.1-wolfssl-debug/src/event/ngx_event_openssl.c.orig ---- nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c.orig 2019-10-17 08:23:11.313946458 +1000 -+++ nginx-1.16.1-wolfssl-debug/src/event/ngx_event_openssl.c.orig 2019-10-17 08:30:33.163460161 +1000 -@@ -384,6 +384,10 @@ - - SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); - -+#ifdef WOLFSSL_NGINX -+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL); -+#endif -+ - return NGX_OK; - } - -@@ -863,6 +867,14 @@ - - - ngx_int_t -+ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl) -+{ -+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback); -+ -+ return NGX_OK; -+} -+ -+ngx_int_t - ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, - ngx_int_t depth) - { -@@ -1370,7 +1382,8 @@ - * maximum interoperability. 
- */ - --#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) -+#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) || \ -+ defined(WOLFSSL_NGINX) - - /* - * OpenSSL 1.0.2+ allows configuring a curve list instead of a single -@@ -3929,7 +3942,8 @@ - return -1; - } - --#if OPENSSL_VERSION_NUMBER >= 0x10000000L -+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \ -+ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS)) - if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); - return -1; -@@ -3973,7 +3987,8 @@ - size = 32; - } - --#if OPENSSL_VERSION_NUMBER >= 0x10000000L -+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \ -+ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS)) - if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); - return -1; -diff -ur nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.h nginx-1.16.1-wolfssl-debug/src/event/ngx_event_openssl.h ---- nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.h 2019-10-17 09:09:02.955768195 +1000 -+++ nginx-1.16.1-wolfssl-debug/src/event/ngx_event_openssl.h 2019-10-17 08:30:33.163460161 +1000 -@@ -14,7 +14,6 @@ - - #ifdef WOLFSSL_NGINX - #include --#include - #endif - #include - #include -Only in nginx-1.16.1-wolfssl/src/event: .ngx_event_openssl.h.swp -diff -ur nginx-1.16.1-wolfssl/src/http/ngx_http_request.c nginx-1.16.1-wolfssl-debug/src/http/ngx_http_request.c ---- nginx-1.16.1-wolfssl/src/http/ngx_http_request.c 2019-10-17 08:49:18.234819519 +1000 -+++ nginx-1.16.1-wolfssl-debug/src/http/ngx_http_request.c 2019-10-17 08:30:33.163460161 +1000 -@@ -851,12 +851,6 @@ - - - #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME --#ifndef SSL_AD_NO_RENEGOTIATION --#define SSL_AD_NO_RENEGOTIATION 100 --#endif --#ifndef SSL_AD_INTERNAL_ERROR --#define SSL_AD_INTERNAL_ERROR 80 --#endif - - int - ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, 
int *ad, void *arg) diff --git a/nginx-1.16.1-wolfssl.patch b/nginx-1.16.1-wolfssl.patch index 2c26430..0e8ca54 100644 --- a/nginx-1.16.1-wolfssl.patch +++ b/nginx-1.16.1-wolfssl.patch @@ -124,11 +124,11 @@ diff -ur nginx/src/event/ngx_event_openssl.c nginx-1.16.1-wolfssl/src/event/ngx_ + + len = i2d_SSL_SESSION(sess, (unsigned char**) &buf); + if (len <= 0) { -+ return -1; ++ return -1; + } + sess = d2i_SSL_SESSION(NULL, (const unsigned char**) &buf, len); + if (!sess) { -+ return -1; ++ return -1; + } +#endif + From 917bab8e029306b320ef87d3f449b18cb6cb35a7 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 31 Oct 2019 11:12:02 +0100 Subject: [PATCH 05/12] wolfSSL needs this to identify the key correctly --- conf/cert-ecc-p8.key | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/conf/cert-ecc-p8.key b/conf/cert-ecc-p8.key index ca03d98..b8a7068 100644 --- a/conf/cert-ecc-p8.key +++ b/conf/cert-ecc-p8.key @@ -1,5 +1,5 @@ ------BEGIN PRIVATE KEY----- +-----BEGIN EC PRIVATE KEY----- MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgRbZpAnOcbIWhOFty 6OjHrMQDjVM1BPpsKNw0jeGoCYyhRANCAAS7M6xMJ1BKxkqlBMM83p8223ItzpTq K/rLIAk5LBboYQLpr03TApOaMVuXkiF/8M8Y2pERAjSG6CBYMwuANInY ------END PRIVATE KEY----- +-----END EC PRIVATE KEY----- From febaf4b1722ff929cd56295a02c908f4181f04a5 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Mon, 4 Nov 2019 22:48:48 +0100 Subject: [PATCH 06/12] 1.17.5 patches --- nginx-1.17.5-wolfssl-debug.patch | 16 ++ nginx-1.17.5-wolfssl.patch | 308 +++++++++++++++++++++++++++++++ 2 files changed, 324 insertions(+) create mode 100644 nginx-1.17.5-wolfssl-debug.patch create mode 100644 nginx-1.17.5-wolfssl.patch diff --git a/nginx-1.17.5-wolfssl-debug.patch b/nginx-1.17.5-wolfssl-debug.patch new file mode 100644 index 0000000..f2cc585 --- /dev/null +++ b/nginx-1.17.5-wolfssl-debug.patch 
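Review bot: The body of conf/cert-ecc-p8.key is unchanged and still begins `MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg`, which decodes to a PKCS#8 PrivateKeyInfo (version 0, the id-ecPublicKey/prime256v1 AlgorithmIdentifier, then the wrapped ECPrivateKey), so the new `-----BEGIN EC PRIVATE KEY-----` label no longer matches the content; a SEC1 `EC PRIVATE KEY` body would start with the bare ECPrivateKey sequence instead. A parser that dispatches on the label is likely to reject the file now, so the fixture stops working across both TLS backends and the `-p8` in its name becomes misleading. If wolfSSL needs SEC1 here, convert the key (`openssl ec -in cert-ecc-p8.key -out cert-ecc.key` yields a matching body) or add a separate fixture; if PKCS#8 is intended, keep the `PRIVATE KEY` label and address the detection issue on the wolfSSL side.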
@@ -0,0 +1,16 @@
+diff -ur nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.c nginx-1.17.5-wolfssl-debug/src/event/ngx_event_openssl.c
+--- nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.c 2019-11-04 21:29:39.856200843 +0100
++++ nginx-1.17.5-wolfssl-debug/src/event/ngx_event_openssl.c 2019-11-04 21:30:29.362010122 +0100
+@@ -165,6 +165,12 @@
+
+ #endif
+
++#ifdef WOLFSSL_NGINX
++ /* Turn on internal wolfssl debugging to stdout */
++ wolfSSL_Debugging_ON();
++#endif
++
++
+ #ifndef SSL_OP_NO_COMPRESSION
+ {
+ /*
diff --git a/nginx-1.17.5-wolfssl.patch b/nginx-1.17.5-wolfssl.patch
new file mode 100644
index 0000000..01f0f8e
--- /dev/null
+++ b/nginx-1.17.5-wolfssl.patch
@@ -0,0 +1,308 @@ +diff -ur nginx/auto/lib/openssl/conf nginx-1.17.5-wolfssl/auto/lib/openssl/conf +--- nginx/auto/lib/openssl/conf 2019-11-04 21:30:50.293130582 +0100 ++++ nginx-1.17.5-wolfssl/auto/lib/openssl/conf 2019-11-04 21:29:39.848201210 +0100 +@@ -62,8 +62,33 @@ + ngx_feature_path= + ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD" + ngx_feature_test="SSL_CTX_set_options(NULL, 0)" ++ ++ if [ $WOLFSSL != NONE ]; then ++ ngx_feature="wolfSSL library in $WOLFSSL" ++ ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include" ++ ++ if [ $NGX_RPATH = YES ]; then ++ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" ++ else ++ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" ++ fi ++ ++ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl" ++ CFLAGS="$CFLAGS -DWOLFSSL_NGINX" ++ fi ++ + . auto/feature + ++ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then ++cat << END ++ ++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl. ++SSL modules require the wolfSSL library. 
++ ++END ++ exit 1 ++ fi ++ + if [ $ngx_found = no ]; then + + # FreeBSD port +diff -ur nginx/auto/options nginx-1.17.5-wolfssl/auto/options +--- nginx/auto/options 2019-11-04 21:30:50.293130582 +0100 ++++ nginx-1.17.5-wolfssl/auto/options 2019-11-04 21:29:39.848201210 +0100 +@@ -146,6 +146,7 @@ + + USE_OPENSSL=NO + OPENSSL=NONE ++WOLFSSL=NONE + + USE_ZLIB=NO + ZLIB=NONE +@@ -354,6 +355,7 @@ + --with-pcre-opt=*) PCRE_OPT="$value" ;; + --with-pcre-jit) PCRE_JIT=YES ;; + ++ --with-wolfssl=*) WOLFSSL="$value" ;; + --with-openssl=*) OPENSSL="$value" ;; + --with-openssl-opt=*) OPENSSL_OPT="$value" ;; + +@@ -578,6 +580,7 @@ + --with-libatomic force libatomic_ops library usage + --with-libatomic=DIR set path to libatomic_ops library sources + ++ --with-wolfssl=DIR set path to wolfSSL headers and library + --with-openssl=DIR set path to OpenSSL library sources + --with-openssl-opt=OPTIONS set additional build options for OpenSSL + +Only in nginx: .git +diff -ur nginx/src/event/ngx_event_openssl.c nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.c +--- nginx/src/event/ngx_event_openssl.c 2019-11-04 21:30:50.297130417 +0100 ++++ nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.c 2019-11-04 21:29:39.856200843 +0100 +@@ -383,6 +383,10 @@ + + SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); + ++#ifdef WOLFSSL_NGINX ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL); ++#endif ++ + return NGX_OK; + } + +@@ -862,6 +866,14 @@ + + + ngx_int_t ++ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl) ++{ ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback); ++ ++ return NGX_OK; ++} ++ ++ngx_int_t + ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, + ngx_int_t depth) + { +@@ -1361,7 +1373,8 @@ + * maximum interoperability. 
+ */ + +-#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) ++#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) || \ ++ defined(WOLFSSL_NGINX) + + /* + * OpenSSL 1.0.2+ allows configuring a curve list instead of a single +@@ -1481,10 +1494,32 @@ + ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) + { + ngx_connection_t *c; ++#ifdef WOLFSSL_NGINX ++ int len; ++ unsigned char buf[NGX_SSL_MAX_SESSION_SIZE]; ++#endif + + c = ngx_ssl_get_connection(ssl_conn); + + if (c->ssl->save_session) { ++#ifdef WOLFSSL_NGINX ++ len = i2d_SSL_SESSION(sess, NULL); ++ ++ /* do not cache too big session */ ++ if (len > NGX_SSL_MAX_SESSION_SIZE) { ++ return -1; ++ } ++ ++ len = i2d_SSL_SESSION(sess, (unsigned char**) &buf); ++ if (len <= 0) { ++ return -1; ++ } ++ sess = d2i_SSL_SESSION(NULL, (const unsigned char**) &buf, len); ++ if (!sess) { ++ return -1; ++ } ++#endif ++ + c->ssl->session = sess; + + c->ssl->save_session(c); +@@ -1556,7 +1591,9 @@ + { + #ifdef TLS1_3_VERSION + if (c->ssl->session) { ++ #if !defined(WOLFSSL_NGINX) + SSL_SESSION_up_ref(c->ssl->session); ++ #endif + return c->ssl->session; + } + #endif +@@ -3972,7 +4009,8 @@ + return -1; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \ ++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS)) + if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) { + ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); + return -1; +@@ -4016,7 +4054,8 @@ + size = 32; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \ ++ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS)) + if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) { + ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); + return -1; +diff -ur nginx/src/event/ngx_event_openssl.h nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.h +--- 
nginx/src/event/ngx_event_openssl.h 2019-11-04 21:30:50.293130582 +0100 ++++ nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.h 2019-11-04 21:29:39.856200843 +0100 +@@ -12,6 +12,10 @@ + #include + #include + ++#ifdef WOLFSSL_NGINX ++#include ++#include ++#endif + #include + #include + #include +@@ -59,7 +63,7 @@ + #define ngx_ssl_conn_t SSL + + +-#if (OPENSSL_VERSION_NUMBER < 0x10002000L) ++#if (OPENSSL_VERSION_NUMBER < 0x10002000L) && !defined(WOLFSSL_NGINX) + #define SSL_is_server(s) (s)->server + #endif + +@@ -172,6 +176,7 @@ + + ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, + ngx_uint_t prefer_server_ciphers); ++ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl); + ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, + ngx_str_t *cert, ngx_int_t depth); + ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, +diff -ur nginx/src/event/ngx_event_openssl_stapling.c nginx-1.17.5-wolfssl/src/event/ngx_event_openssl_stapling.c +--- nginx/src/event/ngx_event_openssl_stapling.c 2019-11-04 21:30:50.293130582 +0100 ++++ nginx-1.17.5-wolfssl/src/event/ngx_event_openssl_stapling.c 2019-11-04 21:29:39.856200843 +0100 +@@ -313,7 +313,9 @@ + for (i = 0; i < n; i++) { + issuer = sk_X509_value(chain, i); + if (X509_check_issued(issuer, cert) == X509_V_OK) { +-#if OPENSSL_VERSION_NUMBER >= 0x10100001L ++#ifdef WOLFSSL_NGINX ++ issuer = X509_dup(issuer); ++#elif OPENSSL_VERSION_NUMBER >= 0x10100001L + X509_up_ref(issuer); + #else + CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); +diff -ur nginx/src/http/modules/ngx_http_proxy_module.c nginx-1.17.5-wolfssl/src/http/modules/ngx_http_proxy_module.c +--- nginx/src/http/modules/ngx_http_proxy_module.c 2019-11-04 21:30:50.293130582 +0100 ++++ nginx-1.17.5-wolfssl/src/http/modules/ngx_http_proxy_module.c 2019-11-04 21:29:39.856200843 +0100 +@@ -4307,6 +4307,8 @@ + return NGX_ERROR; + } + ++ ngx_ssl_set_verify_on(cf, plcf->upstream.ssl); ++ + if 
(ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl, + &plcf->ssl_trusted_certificate, + plcf->ssl_verify_depth) +diff -ur nginx/src/http/modules/ngx_http_ssl_module.c nginx-1.17.5-wolfssl/src/http/modules/ngx_http_ssl_module.c +--- nginx/src/http/modules/ngx_http_ssl_module.c 2019-11-04 21:30:50.293130582 +0100 ++++ nginx-1.17.5-wolfssl/src/http/modules/ngx_http_ssl_module.c 2019-11-04 21:29:39.856200843 +0100 +@@ -14,7 +14,11 @@ + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1" +@@ -810,8 +814,10 @@ + return NGX_CONF_ERROR; + } + ++#ifndef WOLFSSL_NGINX + ngx_conf_merge_value(conf->builtin_session_cache, + prev->builtin_session_cache, NGX_SSL_NONE_SCACHE); ++#endif + + if (conf->shm_zone == NULL) { + conf->shm_zone = prev->shm_zone; +diff -ur nginx/src/http/ngx_http_request.c nginx-1.17.5-wolfssl/src/http/ngx_http_request.c +--- nginx/src/http/ngx_http_request.c 2019-11-04 21:30:50.297130417 +0100 ++++ nginx-1.17.5-wolfssl/src/http/ngx_http_request.c 2019-11-04 21:29:39.856200843 +0100 +@@ -851,6 +851,12 @@ + + + #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME ++#ifndef SSL_AD_NO_RENEGOTIATION ++#define SSL_AD_NO_RENEGOTIATION 100 ++#endif ++#ifndef SSL_AD_INTERNAL_ERROR ++#define SSL_AD_INTERNAL_ERROR 80 ++#endif + + int + ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) +diff -ur nginx/src/mail/ngx_mail_ssl_module.c nginx-1.17.5-wolfssl/src/mail/ngx_mail_ssl_module.c +--- nginx/src/mail/ngx_mail_ssl_module.c 2019-11-04 21:30:50.297130417 +0100 ++++ nginx-1.17.5-wolfssl/src/mail/ngx_mail_ssl_module.c 2019-11-04 21:29:39.860200659 +0100 +@@ -10,7 +10,11 @@ + #include + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + +diff -ur 
nginx/src/stream/ngx_stream_proxy_module.c nginx-1.17.5-wolfssl/src/stream/ngx_stream_proxy_module.c +--- nginx/src/stream/ngx_stream_proxy_module.c 2019-11-04 21:30:50.297130417 +0100 ++++ nginx-1.17.5-wolfssl/src/stream/ngx_stream_proxy_module.c 2019-11-04 21:29:39.864200476 +0100 +@@ -2136,6 +2136,8 @@ + return NGX_ERROR; + } + ++ ngx_ssl_set_verify_on(cf, pscf->ssl); ++ + if (ngx_ssl_trusted_certificate(cf, pscf->ssl, + &pscf->ssl_trusted_certificate, + pscf->ssl_verify_depth) +diff -ur nginx/src/stream/ngx_stream_ssl_module.c nginx-1.17.5-wolfssl/src/stream/ngx_stream_ssl_module.c +--- nginx/src/stream/ngx_stream_ssl_module.c 2019-11-04 21:30:50.293130582 +0100 ++++ nginx-1.17.5-wolfssl/src/stream/ngx_stream_ssl_module.c 2019-11-04 21:29:39.864200476 +0100 +@@ -14,7 +14,11 @@ + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + From 9d9c58e0499f9854187aeb125290209443b31d9e Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 5 Nov 2019 22:44:55 +0100 Subject: [PATCH 07/12] Use SSL_SESSION_dup --- nginx-1.16.1-wolfssl.patch | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/nginx-1.16.1-wolfssl.patch b/nginx-1.16.1-wolfssl.patch index 0e8ca54..6c6d518 100644 --- a/nginx-1.16.1-wolfssl.patch +++ b/nginx-1.16.1-wolfssl.patch @@ -102,13 +102,12 @@ diff -ur nginx/src/event/ngx_event_openssl.c nginx-1.16.1-wolfssl/src/event/ngx_ /* * OpenSSL 1.0.2+ allows configuring a curve list instead of a single -@@ -1491,10 +1504,32 @@ +@@ -1491,10 +1504,26 @@ ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) { ngx_connection_t *c; +#ifdef WOLFSSL_NGINX + int len; -+ unsigned char buf[NGX_SSL_MAX_SESSION_SIZE]; +#endif c = ngx_ssl_get_connection(ssl_conn); 
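Review bot: In the `#ifdef TLS1_3_VERSION` block that returns `c->ssl->session` (the enclosing function's name is outside the hunk, presumably `ngx_ssl_get_session`), wrapping `SSL_SESSION_up_ref(c->ssl->session)` in `#if !defined(WOLFSSL_NGINX)` means the wolfSSL build hands the caller the connection's session pointer without a reference of its own; that object is the private copy made in `ngx_ssl_new_client_session` (via `d2i_SSL_SESSION` here, `SSL_SESSION_dup` after commits 07 and 08), so unless wolfSSL sessions are reference-counted differently from OpenSSL's, whichever side frees first leaves the other with a dangling pointer. The free paths are outside the hunk; please confirm wolfSSL's ownership model and record it next to the `#if`, e.g. `/* wolfSSL: no up_ref available; caller takes over the connection's only reference -- confirm */`. (The `(unsigned char**) &buf` cast in this hunk, which makes `i2d_SSL_SESSION` read an uninitialised stack word as its output pointer, is already replaced by `SSL_SESSION_dup` in commits 07/08 below.) Separately, `NGX_DEFAULT_CIPHERS` becomes `"ALL"` for wolfSSL in ngx_http_ssl_module.c, ngx_mail_ssl_module.c and ngx_stream_ssl_module.c here and again in the nginx-1.7.7-wolfssl.patch hunk below, replacing `"HIGH:!aNULL:!MD5"`; what `ALL` admits is decided by wolfSSL's build configuration, so the default deserves a comment stating which suite families it is expected to include and exclude, or an explicit exclusion list mirroring the OpenSSL default.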
@@ -122,12 +121,7 @@ diff -ur nginx/src/event/ngx_event_openssl.c nginx-1.16.1-wolfssl/src/event/ngx_ + return -1; + } + -+ len = i2d_SSL_SESSION(sess, (unsigned char**) &buf); -+ if (len <= 0) { -+ return -1; -+ } -+ sess = d2i_SSL_SESSION(NULL, (const unsigned char**) &buf, len); -+ if (!sess) { ++ if (!(sess = SSL_SESSION_dup(sess))) { + return -1; + } +#endif @@ -135,7 +129,7 @@ diff -ur nginx/src/event/ngx_event_openssl.c nginx-1.16.1-wolfssl/src/event/ngx_ c->ssl->session = sess; c->ssl->save_session(c); -@@ -1566,7 +1601,9 @@ +@@ -1566,7 +1595,9 @@ { #ifdef TLS1_3_VERSION if (c->ssl->session) { @@ -145,7 +139,7 @@ diff -ur nginx/src/event/ngx_event_openssl.c nginx-1.16.1-wolfssl/src/event/ngx_ return c->ssl->session; } #endif -@@ -3929,7 +3966,8 @@ +@@ -3929,7 +3960,8 @@ return -1; } @@ -155,7 +149,7 @@ diff -ur nginx/src/event/ngx_event_openssl.c nginx-1.16.1-wolfssl/src/event/ngx_ if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) { ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); return -1; -@@ -3973,7 +4011,8 @@ +@@ -3973,7 +4005,8 @@ size = 32; } From 8ccb7c9e3bc85754dc151a8729dc6c437c64f949 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 6 Nov 2019 13:51:01 +0100 Subject: [PATCH 08/12] Use SSL_SESSION_dup --- nginx-1.17.5-wolfssl.patch | 16 +++++----------- test.sh | 2 +- 2 files changed, 6 insertions(+), 12 deletions(-) diff --git a/nginx-1.17.5-wolfssl.patch b/nginx-1.17.5-wolfssl.patch index 01f0f8e..fb732bf 100644 --- a/nginx-1.17.5-wolfssl.patch +++ b/nginx-1.17.5-wolfssl.patch 
@@ -102,13 +102,12 @@ diff -ur nginx/src/event/ngx_event_openssl.c nginx-1.17.5-wolfssl/src/event/ngx_ /* * OpenSSL 1.0.2+ allows configuring a curve list instead of a single -@@ -1481,10 +1494,32 @@ +@@ -1481,10 +1494,26 @@ ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) { ngx_connection_t *c; +#ifdef WOLFSSL_NGINX + int len; -+ unsigned char buf[NGX_SSL_MAX_SESSION_SIZE]; +#endif c = ngx_ssl_get_connection(ssl_conn); @@ -122,12 +121,7 @@ diff -ur nginx/src/event/ngx_event_openssl.c nginx-1.17.5-wolfssl/src/event/ngx_ + return -1; + } + -+ len = i2d_SSL_SESSION(sess, (unsigned char**) &buf); -+ if (len <= 0) { -+ return -1; -+ } -+ sess = d2i_SSL_SESSION(NULL, (const unsigned char**) &buf, len); -+ if (!sess) { ++ if (!(sess = SSL_SESSION_dup(sess))) { + return -1; + } +#endif @@ -135,7 +129,7 @@ diff -ur nginx/src/event/ngx_event_openssl.c nginx-1.17.5-wolfssl/src/event/ngx_ c->ssl->session = sess; c->ssl->save_session(c); -@@ -1556,7 +1591,9 @@ +@@ -1556,7 +1585,9 @@ { #ifdef TLS1_3_VERSION if (c->ssl->session) { @@ -145,7 +139,7 @@ diff -ur nginx/src/event/ngx_event_openssl.c nginx-1.17.5-wolfssl/src/event/ngx_ return c->ssl->session; } #endif -@@ -3972,7 +4009,8 @@ +@@ -3972,7 +4003,8 @@ return -1; } @@ -155,7 +149,7 @@ diff -ur nginx/src/event/ngx_event_openssl.c nginx-1.17.5-wolfssl/src/event/ngx_ if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) { ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); return -1; -@@ -4016,7 +4054,8 @@ +@@ -4016,7 +4048,8 @@ size = 32; } diff --git a/test.sh b/test.sh index 978651d..71e3ffe 100755 --- a/test.sh +++ b/test.sh @@ -219,7 +219,7 @@ echo '#' PORT=11443 echo "# Port: $PORT" OPTS= -EXPECT=("SSL DH size is 2048 bits" "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK" "resume response") +EXPECT=("2048" "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK" "resume response") client_test # Default certificate, DH, verify client echo 
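Review bot: In the test.sh hunk the expected string for the DH test is loosened from `"SSL DH size is 2048 bits"` to `"2048"`, so the check now passes on any client output that happens to contain 2048 (a key size printed elsewhere, a byte count, part of a timestamp) and no longer shows that the negotiated DH group is 2048 bits. If the wolfSSL-built client reports the DH size in a different phrase, match that full phrase, or choose the expected string per library, rather than a bare number. `client_test` and the loop that consumes `EXPECT` are outside the hunk, so whether matching is substring or whole-line should be confirmed there before deciding how strict the pattern can be.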
From 1b3da473cd3602277c6d9c8003e1dba0c13cf987 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Wed, 6 Nov 2019 13:51:11 +0100
Subject: [PATCH 09/12] Test with TLS 1.3
---
 conf/nginx_tls13.conf | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/conf/nginx_tls13.conf b/conf/nginx_tls13.conf
index cb38cd2..a18159c 100644
--- a/conf/nginx_tls13.conf
+++ b/conf/nginx_tls13.conf
@@ -356,6 +356,7 @@ http {
 proxy_ssl_certificate_key client-key.pem;
 proxy_ssl_verify on;
 proxy_ssl_crl crl.pem;
+ proxy_ssl_protocols TLSv1.3;
 }
 }
 # Proxy using ECDHE cipher suites and CRL
@@ -383,6 +384,7 @@ http {
 proxy_ssl_certificate_key client-key.pem;
 proxy_ssl_verify on;
 proxy_ssl_crl crl.pem;
+ proxy_ssl_protocols TLSv1.3;
 }
 }
 # Proxy using ECDHE and ECDSA cipher suites
@@ -410,6 +412,7 @@ http {
 proxy_ssl_certificate_key client-key.pem;
 proxy_ssl_verify on;
 proxy_ssl_session_reuse on;
+ proxy_ssl_protocols TLSv1.3;
 }
 }
 # Proxy using complete chain
@@ -437,6 +440,7 @@ http {
 proxy_ssl_certificate_key client-key.pem;
 proxy_ssl_verify on;
 proxy_ssl_session_reuse on;
+ proxy_ssl_protocols TLSv1.3;
 }
 }
 # Proxy using incomplete chain
@@ -464,6 +468,7 @@ http {
 proxy_ssl_certificate_key client-key.pem;
 proxy_ssl_verify on;
 proxy_ssl_session_reuse on;
+ proxy_ssl_protocols TLSv1.3;
 }
 }
 
@@ -494,6 +499,7 @@ http {
 proxy_ssl_verify on;
 proxy_ssl_crl crl-revoked.pem;
 proxy_ssl_session_reuse on;
+ proxy_ssl_protocols TLSv1.3;
 }
 }
 # OCSP Stapling
From e8443b16eb202c9fae2c31698f04b5d65b538088 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Wed, 2 Dec 2020 11:33:53 +0100
Subject: [PATCH 10/12] nginx 1.7.7 patches
---
 nginx-1.7.7-wolfssl-debug.patch | 17 +++
 nginx-1.7.7-wolfssl.patch | 255 ++++++++++++++++++++++++++++++++
 2 files changed, 272 insertions(+)
 create mode 100644 nginx-1.7.7-wolfssl-debug.patch
 create mode 100644 nginx-1.7.7-wolfssl.patch
diff --git a/nginx-1.7.7-wolfssl-debug.patch b/nginx-1.7.7-wolfssl-debug.patch
new file mode 100644
index 0000000..6a5a894
--- /dev/null
+++ b/nginx-1.7.7-wolfssl-debug.patch
@@ -0,0 +1,17 @@
+diff --git a/src/core/nginx.c b/src/core/nginx.c
+index c75ee4fd..e7b49f0b 100644
+--- a/src/core/nginx.c
++++ b/src/core/nginx.c
+@@ -206,6 +206,11 @@ main(int argc, char *const *argv)
+ ngx_cycle_t *cycle, init_cycle;
+ ngx_core_conf_t *ccf;
+
++
++#ifdef WOLFSSL_NGINX
++ (void)wolfSSL_Debugging_ON();
++#endif
++
+ ngx_debug_init();
+
+ if (ngx_strerror_init() != NGX_OK) {
+
diff --git a/nginx-1.7.7-wolfssl.patch b/nginx-1.7.7-wolfssl.patch
new file mode 100644
index 0000000..3f905ed
--- /dev/null
+++ b/nginx-1.7.7-wolfssl.patch
@@ -0,0 +1,255 @@ +diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf +index a65815f6..82c39a46 100644 +--- a/auto/lib/openssl/conf ++++ b/auto/lib/openssl/conf +@@ -49,11 +49,38 @@ else + ngx_feature="OpenSSL library" + ngx_feature_name="NGX_OPENSSL" + ngx_feature_run=no +- ngx_feature_incs="#include " ++ ngx_feature_incs="#include ++ #include " + ngx_feature_path= + ngx_feature_libs="-lssl -lcrypto" + ngx_feature_test="SSL_library_init()" ++ ++ if [ $WOLFSSL != NONE ]; then ++ ngx_feature="wolfSSL library in $WOLFSSL" ++ ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include" ++ ++ if [ $NGX_RPATH = YES ]; then ++ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl -lm $NGX_LIBDL" ++ else ++ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl -lm $NGX_LIBDL" ++ fi ++ ++ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl" ++ CFLAGS="$CFLAGS -DWOLFSSL_NGINX" ++ fi ++ + . auto/feature ++ ++ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then ++cat << END ++ ++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl. ++SSL modules require the wolfSSL library. ++ ++END ++ exit 1 ++ fi ++ + + if [ $ngx_found = yes ]; then + have=NGX_SSL . auto/have +@@ -66,10 +93,8 @@ else + + cat << END + +-$0: error: SSL modules require the OpenSSL library. +-You can either do not enable the modules, or install the OpenSSL library +-into the system, or build the OpenSSL library statically from the source +-with nginx by using --with-openssl= option. ++$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl. ++SSL modules require the wolfSSL library. 
+ + END + exit 1 +diff --git a/auto/options b/auto/options +index 0d296ac6..7688cad7 100644 +--- a/auto/options ++++ b/auto/options +@@ -121,6 +121,7 @@ PCRE_OPT= + PCRE_CONF_OPT= + PCRE_JIT=NO + ++WOLFSSL=NONE + USE_OPENSSL=NO + OPENSSL=NONE + +@@ -292,6 +293,7 @@ use the \"--without-http_limit_conn_module\" option instead" + --with-pcre-opt=*) PCRE_OPT="$value" ;; + --with-pcre-jit) PCRE_JIT=YES ;; + ++ --with-wolfssl=*) WOLFSSL="$value" ;; + --with-openssl=*) OPENSSL="$value" ;; + --with-openssl-opt=*) OPENSSL_OPT="$value" ;; + +@@ -469,6 +471,7 @@ cat << END + + --with-openssl=DIR set path to OpenSSL library sources + --with-openssl-opt=OPTIONS set additional build options for OpenSSL ++ --with-wolfssl=DIR set path to wolfSSL library + + --with-debug enable debug logging + +diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c +index f3456527..065ec5af 100644 +--- a/src/event/ngx_event_openssl.c ++++ b/src/event/ngx_event_openssl.c +@@ -204,6 +204,11 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) + return NGX_ERROR; + } + ++#ifdef WOLFSSL_NGINX ++ /* nginx expects that the SSL library doesn't verify certs by default */ ++ SSL_CTX_set_verify(ssl->ctx, WOLFSSL_VERIFY_NONE, NULL); ++#endif ++ + ssl->buffer_size = NGX_SSL_BUFSIZE; + + /* client side options */ +@@ -1096,10 +1101,13 @@ ngx_ssl_handshake(ngx_connection_t *c) + c->recv_chain = ngx_ssl_recv_chain; + c->send_chain = ngx_ssl_send_chain; + ++ /* wolfSSL has renegotiation disabled by default */ ++#ifndef WOLFSSL_NGINX + /* initial handshake done, disable renegotiation (CVE-2009-3555) */ + if (c->ssl->connection->s3) { + c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; + } ++#endif + + return NGX_OK; + } +@@ -1844,7 +1852,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err, + || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */ + || n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */ + || n == SSL_R_LENGTH_MISMATCH /* 159 */ 
++#ifndef WOLFSSL_NGINX + || n == SSL_R_NO_CIPHERS_PASSED /* 182 */ ++#endif + || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */ + || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */ + || n == SSL_R_NO_SHARED_CIPHER /* 193 */ +@@ -1869,6 +1879,7 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err, + #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING + || n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING /* 345 */ + #endif ++#ifndef WOLFSSL_NGINX + || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ + || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */ + || n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */ +@@ -1892,7 +1903,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err, + || n == SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY /* 1071 */ + || n == SSL_R_TLSV1_ALERT_INTERNAL_ERROR /* 1080 */ + || n == SSL_R_TLSV1_ALERT_USER_CANCELLED /* 1090 */ +- || n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION) /* 1100 */ ++ || n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION /* 1100 */ ++#endif ++ ) + { + switch (c->log_error) { + +@@ -2798,7 +2811,7 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, + ngx_ssl_session_ticket_md(), NULL); + ngx_memcpy(name, key[0].name, 16); + +- return 0; ++ return 1; + + } else { + /* decrypt session ticket */ +diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h +index 08eff644..e39cce3d 100644 +--- a/src/event/ngx_event_openssl.h ++++ b/src/event/ngx_event_openssl.h +@@ -12,6 +12,9 @@ + #include + #include + ++#ifdef WOLFSSL_NGINX ++#include ++#endif + #include + #include + #include +diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c +index 2fa06730..afdbab3f 100644 +--- a/src/event/ngx_event_openssl_stapling.c ++++ b/src/event/ngx_event_openssl_stapling.c +@@ -281,7 +281,15 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl) + for (i = 0; i < n; i++) { + issuer = sk_X509_value(chain, i); + if (X509_check_issued(issuer, cert) == X509_V_OK) { 
++#ifndef WOLFSSL_NGINX + CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); ++#else ++ if (wolfSSL_X509_up_ref(issuer) != 1) { ++ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, ++ "wolfSSL_X509_up_ref() failed"); ++ return NGX_ERROR; ++ } ++#endif + + ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, + "SSL get issuer: found %p in extra certs", issuer); +diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c +index 4c69091d..5a78efcb 100644 +--- a/src/http/modules/ngx_http_ssl_module.c ++++ b/src/http/modules/ngx_http_ssl_module.c +@@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "prime256v1" + + #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1" +diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c +index 3e8ce09e..ef80c9ba 100644 +--- a/src/http/ngx_http_upstream.c ++++ b/src/http/ngx_http_upstream.c +@@ -1566,7 +1566,12 @@ ngx_http_upstream_ssl_name(ngx_http_request_t *r, ngx_http_upstream_t *u, + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "upstream SSL server name: \"%s\"", name.data); + +- if (SSL_set_tlsext_host_name(c->ssl->connection, name.data) == 0) { ++#ifdef WOLFSSL_NGINX ++ if (SSL_set_tlsext_host_name(c->ssl->connection, (char *)name.data) == 0) ++#else ++ if (SSL_set_tlsext_host_name(c->ssl->connection, name.data) == 0) ++#endif ++ { + ngx_ssl_error(NGX_LOG_ERR, r->connection->log, 0, + "SSL_set_tlsext_host_name(\"%s\") failed", name.data); + return NGX_ERROR; +diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c +index f864d991..f43b1ebd 100644 +--- a/src/mail/ngx_mail_ssl_module.c ++++ b/src/mail/ngx_mail_ssl_module.c +@@ -10,7 +10,11 @@ + #include + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" 
++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "prime256v1" + + +diff --git a/src/os/unix/ngx_user.c b/src/os/unix/ngx_user.c +index 7a71203c..816d5216 100644 +--- a/src/os/unix/ngx_user.c ++++ b/src/os/unix/ngx_user.c +@@ -31,8 +31,10 @@ ngx_libc_crypt(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted) + struct crypt_data cd; + + cd.initialized = 0; ++#if defined(__GLIBC__) && !defined(CRYPT_DATA_INTERNAL_SIZE) + /* work around the glibc bug */ + cd.current_salt[0] = ~salt[0]; ++#endif + + value = crypt_r((char *) key, (char *) salt, &cd); + +-- +2.25.1 + From cae1fee7c42172a2f94c52597ea1436badbebdcb Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 2 Dec 2020 11:47:07 +0100 Subject: [PATCH 11/12] Update README --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 849d6c7..c65db70 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,9 @@ and recompilation is required. The tested versions: - wolfSSL 3.14 - wolfSSL 3.13.0 (with patch applied: wolfssl-3.13.0-nginx.patch) + - Nginx 1.17.5 + - Nginx 1.16.1 + - Nginx 1.15.0 - Nginx 1.14.0 - Nginx 1.13.12 - Nginx 1.13.8 @@ -20,6 +23,7 @@ The tested versions: - Nginx 1.11.10 - Nginx 1.11.7 - Nginx 1.10.3 + - Nginx 1.7.7 ### Building From 717a776b76ad2aa25c3bbaefa51473dfb604d8f0 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Mon, 14 Dec 2020 16:24:10 +0100 Subject: [PATCH 12/12] Update 1.7.7 patch and remove copyrighted file --- README.md | 5 +- nginx-1.7.7-wolfssl.patch | 71 ++++++- ssl_stapling.t | 428 -------------------------------------- ssl_stapling.t.patch | 117 +++++++++++ 4 files changed, 190 insertions(+), 431 deletions(-) delete mode 100644 ssl_stapling.t create mode 100644 ssl_stapling.t.patch diff --git a/README.md b/README.md index c65db70..5c657bf 100644 --- a/README.md +++ b/README.md 
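Review bot: `ngx_ssl_create` now calls `SSL_CTX_set_verify(ssl->ctx, WOLFSSL_VERIFY_NONE, NULL)` on every context, but unlike the nginx-1.17.5-wolfssl.patch hunk above this patch adds no `ngx_ssl_set_verify_on()` counterpart for the upstream contexts in ngx_http_proxy_module.c and ngx_stream_proxy_module.c. As far as the code outside the hunk goes, nginx implements `proxy_ssl_verify on` by loading the trusted store and then consulting `SSL_get_verify_result()` after the handshake, which with OpenSSL still reflects a chain check performed under VERIFY_NONE; if wolfSSL skips the check entirely in that mode, which is what the 1.17.5 patch's extra call suggests, `proxy_ssl_verify on` becomes a silent no-op on this build. Please confirm wolfSSL's behaviour here and, if needed, re-enable peer verification on the upstream contexts the way the 1.17.5 patch does. The `#ifndef WOLFSSL_NGINX` around the CVE-2009-3555 block in `ngx_ssl_handshake` likewise rests on the comment `wolfSSL has renegotiation disabled by default`, which is a build-time property of the library; naming the wolfSSL configure option the patch assumes is left off (secure-renegotiation support) would let packagers verify the assumption.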
@@ -58,7 +58,10 @@ There will be failures of SSL tests for the following reasons: Note: the file ssl_ecc.t in wolfssl-nginx can be used with the Nginx test system. - +Note: the file ssl_stapling.t.patch can be used to patch the ssl_stapling.t +file in nginx-tests to work with wolfSSL. The version available in the testing +repository uses different certs on the same server. This is not supported +by wolfSSL so this patch moves the certs to separate server instances. There are additional tests available in wolfssl-nginx. These are in addition to the Nginx tests. The OpenSSL's superapp is required for OCSP Stapling diff --git a/nginx-1.7.7-wolfssl.patch b/nginx-1.7.7-wolfssl.patch index 3f905ed..46c6e2b 100644 --- a/nginx-1.7.7-wolfssl.patch +++ b/nginx-1.7.7-wolfssl.patch 
@@ -1,5 +1,56 @@ +From 9a58b2ddaa713b312a9d14d6dd563d1df14c8231 Mon Sep 17 00:00:00 2001 +From: Juliusz Sosinowicz +Date: Tue, 1 Dec 2020 13:41:20 +0100 +Subject: [PATCH] wolfSSL Patch for Nginx 1.7.7 + +Build instructions: +- Build wolfSSL (run in wolfSSL directory): +`./configure --enable-nginx` +`make` +`make install` +The default installation directory is `/usr/local`. +- Build Nginx (run in Nginx directory): + - Apply patch: +`patch -p1 < nginx-1.7.7-wolfssl.patch` + - Compile Nginx (some warnings need to be disabled): +`./configure --with-wolfssl=/usr/local --with-http_ssl_module --with-cc-opt='-Wimplicit-fallthrough=0 -Wno-cast-function-type'` +`make` + +Port nginx 1.7.7 to wolfSSL: +- `auto/lib/openssl/conf`: Detect wolfSSL library and setup compilation options +- `auto/options`: Add wolfSSL configure option +- `src/core/nginx.c`: Enable debugging if wolfSSL is compiled with `--enable-debug` +- `src/event/ngx_event_openssl.c`: + - Nginx wants the SSL library to not do any certificate verification by default + - No need to disble renegotiation since wolfSSL has it disabled by default + - Fix TLS tickets callback to return correct values + - Ignore undefined handshake failure codes +- `src/event/ngx_event_openssl.h`: Include wolfSSL options file +- `src/event/ngx_event_openssl_stapling.c`: Use `wolfSSL_X509_up_ref` to increment issuer certificate reference counter +- `src/http/modules/ngx_http_ssl_module.c`: wolfSSL "ALL" provides adequate default ciphers +- `src/http/ngx_http_upstream.c`: Correct type mismatch +- `src/mail/ngx_mail_ssl_module.c`: wolfSSL "ALL" provides adequate default ciphers +- `src/os/unix/ngx_user.c`: `current_salt` not part of `struct crypt_data` in recent glibc version + +nginx-tests remarks: +- All tests in nginx-tests should pass. Some tests test reusing a session but fail on my machine. 
Manually setting up the server and connecting through Firefox correctly re-uses the session suggesting that the issue is on the client side not the server. I assume that this is an error in my version of Perl (which is the client in the nginx-tests). +- When running nginx-tests with TLS 1.3 then session resumption tests will fail since the tests are not configured for SSL tickets. I tested session reuse manually with Firefox and confirmed that they work. +- nginx 1.7.7 does not do session reuse with TLS 1.3 (when acting as a proxy) because it calls SSL_get1_session too soon. +--- + auto/lib/openssl/conf | 35 ++++++++++++++++++++++---- + auto/options | 3 +++ + src/core/nginx.c | 5 ++++ + src/event/ngx_event_openssl.c | 17 +++++++++++-- + src/event/ngx_event_openssl.h | 3 +++ + src/event/ngx_event_openssl_stapling.c | 8 ++++++ + src/http/modules/ngx_http_ssl_module.c | 4 +++ + src/http/ngx_http_upstream.c | 7 +++++- + src/mail/ngx_mail_ssl_module.c | 4 +++ + src/os/unix/ngx_user.c | 2 ++ + 10 files changed, 80 insertions(+), 8 deletions(-) + diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf -index a65815f6..82c39a46 100644 +index a65815f6..0796e3ab 100644 --- a/auto/lib/openssl/conf +++ b/auto/lib/openssl/conf @@ -49,11 +49,38 @@ else @@ -23,7 +74,7 @@ index a65815f6..82c39a46 100644 + ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl -lm $NGX_LIBDL" + fi + -+ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl" ++ CORE_INCS="$CORE_INCS $ngx_feature_path" + CFLAGS="$CFLAGS -DWOLFSSL_NGINX" + fi + @@ -83,6 +134,22 @@ index 0d296ac6..7688cad7 100644 --with-debug enable debug logging +diff --git a/src/core/nginx.c b/src/core/nginx.c +index c75ee4fd..e7b49f0b 100644 +--- a/src/core/nginx.c ++++ b/src/core/nginx.c +@@ -206,6 +206,11 @@ main(int argc, char *const *argv) + ngx_cycle_t *cycle, init_cycle; + ngx_core_conf_t *ccf; + ++ ++#ifdef WOLFSSL_NGINX ++ (void)wolfSSL_Debugging_ON(); ++#endif ++ + ngx_debug_init(); + + if (ngx_strerror_init() != NGX_OK) { 
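Review bot: The nested commit message added in the first hunk contradicts itself in the nginx-tests remarks: `All tests in nginx-tests should pass.` is immediately followed by `Some tests test reusing a session but fail on my machine.` Rewording the first sentence to `All tests in nginx-tests should pass except as noted below.` makes the known failures explicit instead of leaving the reader to reconcile the two. The same paragraph also has a typo in `No need to disble renegotiation`, and its renegotiation claim is a build-time property of wolfSSL rather than a fixed fact, so stating it as `wolfSSL has renegotiation disabled unless built with secure-renegotiation support` would be more accurate.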
 diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
 index f3456527..065ec5af 100644
 --- a/src/event/ngx_event_openssl.c
diff --git a/ssl_stapling.t b/ssl_stapling.t
deleted file mode 100644
index ee57012..0000000
--- a/ssl_stapling.t
+++ /dev/null
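Review bot: The release patch nginx-1.7.7-wolfssl.patch now carries the `src/core/nginx.c` hunk that calls `(void)wolfSSL_Debugging_ON();` in `main()` under a bare `#ifdef WOLFSSL_NGINX`, duplicating what nginx-1.7.7-wolfssl-debug.patch already adds. The nested commit message describes this as enabling debugging only when wolfSSL is compiled with `--enable-debug`, but the call itself has no such guard: on a wolfSSL built with debugging, every nginx started from this patch will emit wolfSSL's internal trace on its standard streams (the 1.17.5 debug patch's comment says stdout), which is noisy in production and exposes handshake-level detail to whatever collects those logs. Keep the call in the -debug patch only, or gate it on nginx's own debug build (`--with-debug`, i.e. `#if (NGX_DEBUG)`) so the release patch stays quiet by default.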
@@ -1,428 +0,0 @@ -#!/usr/bin/perl - -# (C) Sergey Kandaurov -# (C) Nginx, Inc. - -# Tests for OCSP stapling. - -############################################################################### - -use warnings; -use strict; - -use Test::More; - -use MIME::Base64 qw/ decode_base64 /; - -BEGIN { use FindBin; chdir($FindBin::Bin); } - -use lib 'lib'; -use Test::Nginx; - -############################################################################### - -select STDERR; $| = 1; -select STDOUT; $| = 1; - -eval { - require Net::SSLeay; - Net::SSLeay::load_error_strings(); - Net::SSLeay::SSLeay_add_ssl_algorithms(); - Net::SSLeay::randomize(); - Net::SSLeay::SSLeay(); - defined &Net::SSLeay::set_tlsext_status_type or die; -}; -plan(skip_all => 'Net::SSLeay not installed or too old') if $@; - -my $t = Test::Nginx->new()->has(qw/http http_ssl/)->has_daemon('openssl'); - -plan(skip_all => 'no OCSP stapling') if $t->has_module('BoringSSL'); - -$t->plan(9)->write_file_expand('nginx.conf', <<'EOF'); - -%%TEST_GLOBALS%% - -daemon off; - -events { -} - -http { - %%TEST_GLOBALS_HTTP%% - - ssl_stapling on; - ssl_trusted_certificate trusted.crt; - - ssl_ciphers DEFAULT:ECCdraft; - - server { - listen 127.0.0.1:8443 ssl; - listen 127.0.0.1:8080; - server_name localhost; - ssl_certificate end-int.crt; - ssl_certificate_key end.key; - } - server { - listen 127.0.0.1:8453 ssl; - listen 127.0.0.1:8090; - server_name localhost; - ssl_certificate ec-end-int.crt; - ssl_certificate_key ec-end.key; - } - - server { - listen 127.0.0.1:8444 ssl; - server_name localhost; - - ssl_stapling_responder http://127.0.0.1:8081/; - ssl_certificate end-int.crt; - ssl_certificate_key end.key; - } - - server { - listen 127.0.0.1:8454 ssl; - server_name localhost; - - ssl_stapling_responder http://127.0.0.1:8081/; - ssl_certificate ec-end-int.crt; - ssl_certificate_key ec-end.key; - } - - server { - listen 127.0.0.1:8445 ssl; - server_name localhost; - - ssl_stapling_verify on; - ssl_certificate ec-end-int.crt; 
- ssl_certificate_key ec-end.key; - } - - server { - listen 127.0.0.1:8446 ssl; - server_name localhost; - - ssl_certificate ec-end.crt; - ssl_certificate_key ec-end.key; - ssl_certificate ec-end-int.crt; - ssl_certificate_key ec-end.key; - } - - server { - listen 127.0.0.1:8447 ssl; - server_name localhost; - - ssl_certificate end-int.crt; - ssl_certificate_key end.key; - - ssl_stapling_file %%TESTDIR%%/resp.der; - ssl_certificate end-int.crt; - ssl_certificate_key end.key; - } - - server { - listen 127.0.0.1:8448 ssl; - server_name localhost; - - ssl_certificate ec-end-int.crt; - ssl_certificate_key ec-end.key; - - ssl_stapling_file %%TESTDIR%%/ec-resp.der; - } - - server { - listen 127.0.0.1:8449 ssl; - server_name localhost; - - ssl_stapling_responder http://127.0.0.1:8080/; - ssl_certificate ec-end-int.crt; - ssl_certificate_key ec-end.key; - } -} - -EOF - -my $d = $t->testdir(); -my $p = port(8081); - -$t->write_file('openssl.conf', <write_file('ca.conf', <>$d/openssl.out 2>&1") == 0 - or die "Can't create certificate for $name: $!\n"; -} - -foreach my $name ('int', 'end') { - system("openssl req -new " - . "-config $d/openssl.conf -subj /CN=$name/ " - . "-out $d/$name.csr -keyout $d/$name.key " - . ">>$d/openssl.out 2>&1") == 0 - or die "Can't create certificate for $name: $!\n"; -} - -foreach my $name ('ec-end') { - system("openssl ecparam -genkey -out $d/$name.key -name prime256v1 " - . ">>$d/openssl.out 2>&1") == 0 - or die "Can't create EC param: $!\n"; - system("openssl req -new -key $d/$name.key " - . "-config $d/openssl.conf -subj /CN=$name/ " - . "-out $d/$name.csr " - . ">>$d/openssl.out 2>&1") == 0 - or die "Can't create certificate for $name: $!\n"; -} - -$t->write_file('certserial', '1000'); -$t->write_file('certindex', ''); - -system("openssl ca -batch -config $d/ca.conf " - . "-keyfile $d/root.key -cert $d/root.crt " - . "-subj /CN=int/ -in $d/int.csr -out $d/int.crt " - . 
">>$d/openssl.out 2>&1") == 0 - or die "Can't sign certificate for int: $!\n"; - -system("openssl ca -batch -config $d/ca.conf " - . "-keyfile $d/int.key -cert $d/int.crt " - . "-subj /CN=ec-end/ -in $d/ec-end.csr -out $d/ec-end.crt " - . ">>$d/openssl.out 2>&1") == 0 - or die "Can't sign certificate for ec-end: $!\n"; - -system("openssl ca -batch -config $d/ca.conf " - . "-keyfile $d/int.key -cert $d/int.crt " - . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt " - . ">>$d/openssl.out 2>&1") == 0 - or die "Can't sign certificate for end: $!\n"; - -# RFC 6960, serialNumber - -system("openssl x509 -in $d/end.crt -serial -noout " - . ">>$d/serial 2>>$d/openssl.out") == 0 - or die "Can't obtain serial for end: $!\n"; - -my $serial = pack("n2", 0x0202, hex $1) if $t->read_file('serial') =~ /(\d+)/; - -system("openssl ca -config $d/ca.conf -revoke $d/end.crt " - . "-keyfile $d/root.key -cert $d/root.crt " - . ">>$d/openssl.out 2>&1") == 0 - or die "Can't revoke end.crt: $!\n"; - -system("openssl ocsp -issuer $d/int.crt -cert $d/end.crt " - . "-reqout $d/req.der >>$d/openssl.out 2>&1") == 0 - or die "Can't create OCSP request: $!\n"; - -system("openssl ocsp -index $d/certindex -CA $d/int.crt " - . "-rsigner $d/root.crt -rkey $d/root.key " - . "-reqin $d/req.der -respout $d/resp.der -ndays 1 " - . ">>$d/openssl.out 2>&1") == 0 - or die "Can't create OCSP response: $!\n"; - -system("openssl ocsp -issuer $d/int.crt -cert $d/ec-end.crt " - . "-reqout $d/ec-req.der >>$d/openssl.out 2>&1") == 0 - or die "Can't create EC OCSP request: $!\n"; - -system("openssl ocsp -index $d/certindex -CA $d/int.crt " - . "-rsigner $d/root.crt -rkey $d/root.key " - . "-reqin $d/ec-req.der -respout $d/ec-resp.der -ndays 1 " - . ">>$d/openssl.out 2>&1") == 0 - or die "Can't create EC OCSP response: $!\n"; - -$t->write_file('trusted.crt', - $t->read_file('int.crt') . $t->read_file('root.crt')); -$t->write_file('end-int.crt', - $t->read_file('end.crt') . 
$t->read_file('int.crt')); -$t->write_file('ec-end-int.crt', - $t->read_file('ec-end.crt') . $t->read_file('int.crt')); - -$t->run_daemon(\&http_daemon, $t); -$t->run(); - -$t->waitforsocket("127.0.0.1:" . port(8081)); - -############################################################################### - -my $version = get_version(); - -staple(8443, 'RSA'); -staple(8453, 'ECDSA'); -staple(8444, 'RSA'); -staple(8454, 'ECDSA'); -staple(8445, 'ECDSA'); -staple(8446, 'ECDSA'); -staple(8449, 'ECDSA'); - -sleep 1; - -ok(!staple(8443, 'RSA'), 'staple revoked'); -ok(staple(8453, 'ECDSA'), 'staple success'); - -ok(!staple(8444, 'RSA'), 'responder revoked'); -ok(staple(8454, 'ECDSA'), 'responder success'); - -ok(!staple(8445, 'ECDSA'), 'verify - root not trusted'); - -ok(staple(8446, 'ECDSA', "$d/int.crt"), 'cert store'); - -is(staple(8447, 'RSA'), '1 1', 'file revoked'); -is(staple(8448, 'ECDSA'), '1 0', 'file success'); - -ok(!staple(8449, 'ECDSA'), 'ocsp error'); - -############################################################################### - -sub staple { - my ($port, $ciphers, $ca) = @_; - my (@resp); - - my $staple_cb = sub { - my ($ssl, $resp) = @_; - push @resp, !!$resp; - return 1 unless $resp; - my $cert = Net::SSLeay::get_peer_certificate($ssl); - my $certid = eval { Net::SSLeay::OCSP_cert2ids($ssl, $cert) } - or do { die "no OCSP_CERTID for certificate: $@"; }; - - my @res = Net::SSLeay::OCSP_response_results($resp, $certid); - push @resp, $res[0][2]->{'statusType'}; - }; - - my $s; - - eval { - local $SIG{ALRM} = sub { die "timeout\n" }; - local $SIG{PIPE} = sub { die "sigpipe\n" }; - alarm(8); - $s = IO::Socket::INET->new('127.0.0.1:' . 
port($port)); - alarm(0); - }; - alarm(0); - - if ($@) { - log_in("died: $@"); - return undef; - } - - my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); - - my $ssleay = Net::SSLeay::SSLeay(); - if ($ssleay < 0x1000200f || $ssleay == 0x20000000) { - Net::SSLeay::CTX_set_cipher_list($ctx, $ciphers) - or die("Failed to set cipher list"); - } else { - # SSL_CTRL_SET_SIGALGS_LIST - $ciphers = 'PSS' if $ciphers eq 'RSA' && $version > 0x0303; - Net::SSLeay::CTX_ctrl($ctx, 98, 0, $ciphers . '+SHA256') - or die("Failed to set sigalgs"); - } - - Net::SSLeay::CTX_load_verify_locations($ctx, $ca || '', ''); - Net::SSLeay::CTX_set_tlsext_status_cb($ctx, $staple_cb); - my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); - Net::SSLeay::set_tlsext_status_type($ssl, - Net::SSLeay::TLSEXT_STATUSTYPE_ocsp()); - Net::SSLeay::set_fd($ssl, fileno($s)); - Net::SSLeay::connect($ssl) or die("ssl connect"); - - return join ' ', @resp; -} - -sub get_version { - my $s; - - eval { - local $SIG{ALRM} = sub { die "timeout\n" }; - local $SIG{PIPE} = sub { die "sigpipe\n" }; - alarm(8); - $s = IO::Socket::INET->new('127.0.0.1:' . port(8443)); - alarm(0); - }; - alarm(0); - - if ($@) { - log_in("died: $@"); - return undef; - } - - my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); - my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); - Net::SSLeay::set_fd($ssl, fileno($s)); - Net::SSLeay::connect($ssl) or die("ssl connect"); - - Net::SSLeay::version($ssl); -} - -############################################################################### - -sub http_daemon { - my ($t) = shift; - my $server = IO::Socket::INET->new( - Proto => 'tcp', - LocalHost => "127.0.0.1:" . 
port(8081), - Listen => 5, - Reuse => 1 - ) - or die "Can't create listening socket: $!\n"; - - local $SIG{PIPE} = 'IGNORE'; - - while (my $client = $server->accept()) { - $client->autoflush(1); - - my $headers = ''; - my $uri = ''; - - while (<$client>) { - $headers .= $_; - last if (/^\x0d?\x0a?$/); - } - - $uri = $1 if $headers =~ /^\S+\s+\/([^ ]+)\s+HTTP/i; - next unless $uri; - - $uri =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg; - my $req = decode_base64($uri); - my $resp = index($req, $serial) > 0 ? 'resp' : 'ec-resp'; - - # ocsp dummy handler - - select undef, undef, undef, 0.02; - - $headers = <<"EOF"; -HTTP/1.1 200 OK -Connection: close -Content-Type: application/ocsp-response - -EOF - - print $client $headers . $t->read_file("$resp.der"); - } -} - -############################################################################### diff --git a/ssl_stapling.t.patch b/ssl_stapling.t.patch new file mode 100644 index 0000000..debbe14 --- /dev/null +++ b/ssl_stapling.t.patch 
@@ -0,0 +1,117 @@ +commit 76a0d0fe158ba0bc2d9a71ef3bd8ff52949a10a1 +Author: Juliusz Sosinowicz +Date: Thu Oct 24 11:45:49 2019 +0200 + + different ports for different certs + +diff --git a/ssl_stapling.t b/ssl_stapling.t +index d5b8ff3..ee57012 100644 +--- a/ssl_stapling.t ++++ b/ssl_stapling.t +@@ -53,18 +53,21 @@ http { + ssl_stapling on; + ssl_trusted_certificate trusted.crt; + +- ssl_certificate ec-end-int.crt; +- ssl_certificate_key ec-end.key; +- +- ssl_certificate end-int.crt; +- ssl_certificate_key end.key; +- + ssl_ciphers DEFAULT:ECCdraft; + + server { + listen 127.0.0.1:8443 ssl; + listen 127.0.0.1:8080; + server_name localhost; ++ ssl_certificate end-int.crt; ++ ssl_certificate_key end.key; ++ } ++ server { ++ listen 127.0.0.1:8453 ssl; ++ listen 127.0.0.1:8090; ++ server_name localhost; ++ ssl_certificate ec-end-int.crt; ++ ssl_certificate_key ec-end.key; + } + + server { +@@ -72,6 +75,17 @@ http { + server_name localhost; + + ssl_stapling_responder http://127.0.0.1:8081/; ++ ssl_certificate end-int.crt; ++ ssl_certificate_key end.key; ++ } ++ ++ server { ++ listen 127.0.0.1:8454 ssl; ++ server_name localhost; ++ ++ ssl_stapling_responder http://127.0.0.1:8081/; ++ ssl_certificate ec-end-int.crt; ++ ssl_certificate_key ec-end.key; + } + + server { +@@ -79,6 +93,8 @@ http { + server_name localhost; + + ssl_stapling_verify on; ++ ssl_certificate ec-end-int.crt; ++ ssl_certificate_key ec-end.key; + } + + server { +@@ -87,6 +103,8 @@ http { + + ssl_certificate ec-end.crt; + ssl_certificate_key ec-end.key; ++ ssl_certificate ec-end-int.crt; ++ ssl_certificate_key ec-end.key; + } + + server { +@@ -97,6 +115,8 @@ http { + ssl_certificate_key end.key; + + ssl_stapling_file %%TESTDIR%%/resp.der; ++ ssl_certificate end-int.crt; ++ ssl_certificate_key end.key; + } + + server { +@@ -114,6 +134,8 @@ http { + server_name localhost; + + ssl_stapling_responder http://127.0.0.1:8080/; ++ ssl_certificate ec-end-int.crt; ++ ssl_certificate_key ec-end.key; + } + } + +@@ 
-249,9 +271,9 @@ $t->waitforsocket("127.0.0.1:" . port(8081)); + my $version = get_version(); + + staple(8443, 'RSA'); +-staple(8443, 'ECDSA'); ++staple(8453, 'ECDSA'); + staple(8444, 'RSA'); +-staple(8444, 'ECDSA'); ++staple(8454, 'ECDSA'); + staple(8445, 'ECDSA'); + staple(8446, 'ECDSA'); + staple(8449, 'ECDSA'); +@@ -259,10 +281,10 @@ staple(8449, 'ECDSA'); + sleep 1; + + ok(!staple(8443, 'RSA'), 'staple revoked'); +-ok(staple(8443, 'ECDSA'), 'staple success'); ++ok(staple(8453, 'ECDSA'), 'staple success'); + + ok(!staple(8444, 'RSA'), 'responder revoked'); +-ok(staple(8444, 'ECDSA'), 'responder success'); ++ok(staple(8454, 'ECDSA'), 'responder success'); + + ok(!staple(8445, 'ECDSA'), 'verify - root not trusted'); +
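Review bot: In the embedded hunk `@@ -97,6 +115,8 @@ http {` the two `++` lines add `ssl_certificate end-int.crt;` / `ssl_certificate_key end.key;` to a server block whose context line `ssl_certificate_key end.key;` shows the same pair is already declared just above `ssl_stapling_file`, so the 8447 block declares the same certificate twice; those two added lines can be dropped. The `@@ -87,6 +103,8 @@` hunk similarly adds `ec-end-int.crt` beside the existing `ec-end.crt` in the 8446 'cert store' server, which looks like it changes which chain that test serves against the explicit `int.crt` store — if that is intended, the embedded commit message `different ports for different certs` should say so. The rest of the split (8453/8454 for the ECDSA cases, 8443/8444 for RSA) reads consistently between the config and the `staple(...)` calls.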