WolfSSL
/
wolfssl-nginx
mirror of https://github.com/wolfSSL/wolfssl-nginx.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #13 from julek-wolfssl/1.15.0-update 

Update nginx support for wolfSSL master
pull/15/head
Sean Parkinson 2020-12-15 09:48:33 +10:00 committed by GitHub
parent 9c6b8961b8 717a776b76
commit e29abf6a90
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 1122 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
README.md
View File

@ -8,6 +8,9 @@ and recompilation is required.
The tested versions:
- wolfSSL 3.14
- wolfSSL 3.13.0 (with patch applied: wolfssl-3.13.0-nginx.patch)
- Nginx 1.17.5
- Nginx 1.16.1
- Nginx 1.15.0
- Nginx 1.14.0
- Nginx 1.13.12
- Nginx 1.13.8
@ -20,6 +23,7 @@ The tested versions:
- Nginx 1.11.10
- Nginx 1.11.7
- Nginx 1.10.3
- Nginx 1.7.7
### Building
@ -54,7 +58,10 @@ There will be failures of SSL tests for the following reasons:
Note: the file ssl_ecc.t in wolfssl-nginx can be used with the Nginx test
system.
Note: the file ssl_stapling.t.patch can be used to patch the ssl_stapling.t
file in nginx-tests to work with wolfSSL. The version available in the testing
repository uses different certs on the same server. This is not supported
by wolfSSL so this patch moves the certs to separate server instances.
There are additional tests available in wolfssl-nginx. These are in addition
to the Nginx tests. The OpenSSL's superapp is required for OCSP Stapling

4
conf/cert-ecc-p8.key
View File

@ -1,5 +1,5 @@
-----BEGIN PRIVATE KEY-----
-----BEGIN EC PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgRbZpAnOcbIWhOFty
6OjHrMQDjVM1BPpsKNw0jeGoCYyhRANCAAS7M6xMJ1BKxkqlBMM83p8223ItzpTq
K/rLIAk5LBboYQLpr03TApOaMVuXkiF/8M8Y2pERAjSG6CBYMwuANInY
-----END PRIVATE KEY-----
-----END EC PRIVATE KEY-----

6
conf/nginx_tls13.conf
View File

@ -356,6 +356,7 @@ http {
proxy_ssl_certificate_key client-key.pem;
proxy_ssl_verify on;
proxy_ssl_crl crl.pem;
proxy_ssl_protocols TLSv1.3;
}
}
# Proxy using ECDHE cipher suites and CRL
@ -383,6 +384,7 @@ http {
proxy_ssl_certificate_key client-key.pem;
proxy_ssl_verify on;
proxy_ssl_crl crl.pem;
proxy_ssl_protocols TLSv1.3;
}
}
# Proxy using ECDHE and ECDSA cipher suites
@ -410,6 +412,7 @@ http {
proxy_ssl_certificate_key client-key.pem;
proxy_ssl_verify on;
proxy_ssl_session_reuse on;
proxy_ssl_protocols TLSv1.3;
}
}
# Proxy using complete chain
@ -437,6 +440,7 @@ http {
proxy_ssl_certificate_key client-key.pem;
proxy_ssl_verify on;
proxy_ssl_session_reuse on;
proxy_ssl_protocols TLSv1.3;
}
}
# Proxy using incomplete chain
@ -464,6 +468,7 @@ http {
proxy_ssl_certificate_key client-key.pem;
proxy_ssl_verify on;
proxy_ssl_session_reuse on;
proxy_ssl_protocols TLSv1.3;
}
}
@ -494,6 +499,7 @@ http {
proxy_ssl_verify on;
proxy_ssl_crl crl-revoked.pem;
proxy_ssl_session_reuse on;
proxy_ssl_protocols TLSv1.3;
}
}
# OCSP Stapling

17
nginx-1.15.0-wolfssl.patch
View File

@ -193,9 +193,20 @@ diff -ur nginx-1.15.0/src/http/modules/ngx_http_ssl_module.c nginx-1.15.0-wolfss
#define NGX_DEFAULT_ECDH_CURVE "auto"
#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
diff -ur nginx-1.15.0/src/mail/ngx_mail_ssl_module.c nginx-1.15.0-wolfssl/src/mail/ngx_mail_ssl_module.c
--- nginx-1.15.0/src/mail/ngx_mail_ssl_module.c 2018-06-05 23:47:25.000000000 +1000
+++ nginx-1.15.0-wolfssl/src/mail/ngx_mail_ssl_module.c 2018-06-14 15:44:59.059897033 +1000
@@ -766,8 +770,10 @@
return NGX_CONF_ERROR;
}
+#ifndef WOLFSSL_NGINX
ngx_conf_merge_value(conf->builtin_session_cache,
prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
+#endif
if (conf->shm_zone == NULL) {
conf->shm_zone = prev->shm_zone;
diff -ur nginx/src/mail/ngx_mail_ssl_module.c nginx-1.15.0-wolfssl/src/mail/ngx_mail_ssl_module.c
--- nginx/src/mail/ngx_mail_ssl_module.c 2019-10-22 13:38:25.369054696 +0200
+++ nginx-1.15.0-wolfssl/src/mail/ngx_mail_ssl_module.c 2019-10-22 13:37:13.938265565 +0200
@@ -10,7 +10,11 @@
#include <ngx_mail.h>

15
nginx-1.16.1-wolfssl-debug.patch 100644
View File

@ -0,0 +1,15 @@
diff -ur nginx/src/event/ngx_event_openssl.c nginx-debug/src/event/ngx_event_openssl.c
--- nginx/src/event/ngx_event_openssl.c 2019-10-29 17:31:13.468021354 +0100
+++ nginx-debug/src/event/ngx_event_openssl.c 2019-10-29 17:31:06.152106826 +0100
@@ -164,6 +164,11 @@
#endif
+#ifdef WOLFSSL_NGINX
+ /* Turn on internal wolfssl debugging to stdout */
+ wolfSSL_Debugging_ON();
+#endif
+
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
#ifndef SSL_OP_NO_COMPRESSION
{

302
nginx-1.16.1-wolfssl.patch 100644
View File

@ -0,0 +1,302 @@
diff -ur nginx/auto/lib/openssl/conf nginx-1.16.1-wolfssl/auto/lib/openssl/conf
--- nginx/auto/lib/openssl/conf 2019-10-28 17:04:55.111782394 +0100
+++ nginx-1.16.1-wolfssl/auto/lib/openssl/conf 2019-10-28 16:59:15.481019251 +0100
@@ -62,8 +62,33 @@
ngx_feature_path=
ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD"
ngx_feature_test="SSL_CTX_set_options(NULL, 0)"
+
+ if [ $WOLFSSL != NONE ]; then
+ ngx_feature="wolfSSL library in $WOLFSSL"
+ ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include"
+
+ if [ $NGX_RPATH = YES ]; then
+ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
+ else
+ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
+ fi
+
+ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl"
+ CFLAGS="$CFLAGS -DWOLFSSL_NGINX"
+ fi
+
. auto/feature
+ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then
+cat << END
+
+$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl.
+SSL modules require the wolfSSL library.
+
+END
+ exit 1
+ fi
+
if [ $ngx_found = no ]; then
# FreeBSD port
diff -ur nginx/auto/options nginx-1.16.1-wolfssl/auto/options
--- nginx/auto/options 2019-10-28 17:04:55.111782394 +0100
+++ nginx-1.16.1-wolfssl/auto/options 2019-10-28 16:59:15.485019190 +0100
@@ -147,6 +147,7 @@
USE_OPENSSL=NO
OPENSSL=NONE
+WOLFSSL=NONE
USE_ZLIB=NO
ZLIB=NONE
@@ -355,6 +356,7 @@
--with-pcre-opt=*) PCRE_OPT="$value" ;;
--with-pcre-jit) PCRE_JIT=YES ;;
+ --with-wolfssl=*) WOLFSSL="$value" ;;
--with-openssl=*) OPENSSL="$value" ;;
--with-openssl-opt=*) OPENSSL_OPT="$value" ;;
@@ -579,6 +581,7 @@
--with-libatomic force libatomic_ops library usage
--with-libatomic=DIR set path to libatomic_ops library sources
+ --with-wolfssl=DIR set path to wolfSSL headers and library
--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
Only in nginx: .git
diff -ur nginx/src/event/ngx_event_openssl.c nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c
--- nginx/src/event/ngx_event_openssl.c 2019-10-28 17:06:07.286673633 +0100
+++ nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.c 2019-10-28 16:59:15.485019190 +0100
@@ -384,6 +384,10 @@
SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+#ifdef WOLFSSL_NGINX
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL);
+#endif
+
return NGX_OK;
}
@@ -863,6 +867,14 @@
ngx_int_t
+ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl)
+{
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
+
+ return NGX_OK;
+}
+
+ngx_int_t
ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
ngx_int_t depth)
{
@@ -1370,7 +1382,8 @@
* maximum interoperability.
*/
-#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST)
+#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) || \
+ defined(WOLFSSL_NGINX)
/*
* OpenSSL 1.0.2+ allows configuring a curve list instead of a single
@@ -1491,10 +1504,26 @@
ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
{
ngx_connection_t *c;
+#ifdef WOLFSSL_NGINX
+ int len;
+#endif
c = ngx_ssl_get_connection(ssl_conn);
if (c->ssl->save_session) {
+#ifdef WOLFSSL_NGINX
+ len = i2d_SSL_SESSION(sess, NULL);
+
+ /* do not cache too big session */
+ if (len > NGX_SSL_MAX_SESSION_SIZE) {
+ return -1;
+ }
+
+ if (!(sess = SSL_SESSION_dup(sess))) {
+ return -1;
+ }
+#endif
+
c->ssl->session = sess;
c->ssl->save_session(c);
@@ -1566,7 +1595,9 @@
{
#ifdef TLS1_3_VERSION
if (c->ssl->session) {
+ #if !defined(WOLFSSL_NGINX)
SSL_SESSION_up_ref(c->ssl->session);
+ #endif
return c->ssl->session;
}
#endif
@@ -3929,7 +3960,8 @@
return -1;
}
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \
+ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS))
if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) {
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
return -1;
@@ -3973,7 +4005,8 @@
size = 32;
}
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \
+ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS))
if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) {
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
return -1;
diff -ur nginx/src/event/ngx_event_openssl.h nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.h
--- nginx/src/event/ngx_event_openssl.h 2019-10-28 17:04:55.111782394 +0100
+++ nginx-1.16.1-wolfssl/src/event/ngx_event_openssl.h 2019-10-28 16:59:15.485019190 +0100
@@ -12,6 +12,10 @@
#include <ngx_config.h>
#include <ngx_core.h>
+#ifdef WOLFSSL_NGINX
+#include <wolfssl/options.h>
+#include <openssl/pem.h>
+#endif
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/bn.h>
@@ -59,7 +63,7 @@
#define ngx_ssl_conn_t SSL
-#if (OPENSSL_VERSION_NUMBER < 0x10002000L)
+#if (OPENSSL_VERSION_NUMBER < 0x10002000L) && !defined(WOLFSSL_NGINX)
#define SSL_is_server(s) (s)->server
#endif
@@ -171,6 +175,7 @@
ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
ngx_uint_t prefer_server_ciphers);
+ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl);
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
diff -ur nginx/src/event/ngx_event_openssl_stapling.c nginx-1.16.1-wolfssl/src/event/ngx_event_openssl_stapling.c
--- nginx/src/event/ngx_event_openssl_stapling.c 2019-10-28 17:04:55.111782394 +0100
+++ nginx-1.16.1-wolfssl/src/event/ngx_event_openssl_stapling.c 2019-10-28 16:59:15.485019190 +0100
@@ -313,7 +313,9 @@
for (i = 0; i < n; i++) {
issuer = sk_X509_value(chain, i);
if (X509_check_issued(issuer, cert) == X509_V_OK) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100001L
+#ifdef WOLFSSL_NGINX
+ issuer = X509_dup(issuer);
+#elif OPENSSL_VERSION_NUMBER >= 0x10100001L
X509_up_ref(issuer);
#else
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
diff -ur nginx/src/http/modules/ngx_http_proxy_module.c nginx-1.16.1-wolfssl/src/http/modules/ngx_http_proxy_module.c
--- nginx/src/http/modules/ngx_http_proxy_module.c 2019-10-28 17:04:55.111782394 +0100
+++ nginx-1.16.1-wolfssl/src/http/modules/ngx_http_proxy_module.c 2019-10-28 16:59:15.489019127 +0100
@@ -4307,6 +4307,8 @@
return NGX_ERROR;
}
+ ngx_ssl_set_verify_on(cf, plcf->upstream.ssl);
+
if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl,
&plcf->ssl_trusted_certificate,
plcf->ssl_verify_depth)
diff -ur nginx/src/http/modules/ngx_http_ssl_module.c nginx-1.16.1-wolfssl/src/http/modules/ngx_http_ssl_module.c
--- nginx/src/http/modules/ngx_http_ssl_module.c 2019-10-28 17:06:07.286673633 +0100
+++ nginx-1.16.1-wolfssl/src/http/modules/ngx_http_ssl_module.c 2019-10-28 16:59:15.489019127 +0100
@@ -14,7 +14,11 @@
ngx_pool_t *pool, ngx_str_t *s);
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"
#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
@@ -810,8 +814,10 @@
return NGX_CONF_ERROR;
}
+#ifndef WOLFSSL_NGINX
ngx_conf_merge_value(conf->builtin_session_cache,
prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
+#endif
if (conf->shm_zone == NULL) {
conf->shm_zone = prev->shm_zone;
diff -ur nginx/src/http/ngx_http_request.c nginx-1.16.1-wolfssl/src/http/ngx_http_request.c
--- nginx/src/http/ngx_http_request.c 2019-10-28 17:04:55.111782394 +0100
+++ nginx-1.16.1-wolfssl/src/http/ngx_http_request.c 2019-10-28 16:59:15.485019190 +0100
@@ -851,6 +851,12 @@
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+#ifndef SSL_AD_NO_RENEGOTIATION
+#define SSL_AD_NO_RENEGOTIATION 100
+#endif
+#ifndef SSL_AD_INTERNAL_ERROR
+#define SSL_AD_INTERNAL_ERROR 80
+#endif
int
ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
diff -ur nginx/src/mail/ngx_mail_ssl_module.c nginx-1.16.1-wolfssl/src/mail/ngx_mail_ssl_module.c
--- nginx/src/mail/ngx_mail_ssl_module.c 2019-10-28 17:04:55.111782394 +0100
+++ nginx-1.16.1-wolfssl/src/mail/ngx_mail_ssl_module.c 2019-10-28 16:59:15.489019127 +0100
@@ -10,7 +10,11 @@
#include <ngx_mail.h>
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"
diff -ur nginx/src/stream/ngx_stream_proxy_module.c nginx-1.16.1-wolfssl/src/stream/ngx_stream_proxy_module.c
--- nginx/src/stream/ngx_stream_proxy_module.c 2019-10-28 17:04:55.111782394 +0100
+++ nginx-1.16.1-wolfssl/src/stream/ngx_stream_proxy_module.c 2019-10-28 16:59:15.493019066 +0100
@@ -2131,6 +2131,8 @@
return NGX_ERROR;
}
+ ngx_ssl_set_verify_on(cf, pscf->ssl);
+
if (ngx_ssl_trusted_certificate(cf, pscf->ssl,
&pscf->ssl_trusted_certificate,
pscf->ssl_verify_depth)
diff -ur nginx/src/stream/ngx_stream_ssl_module.c nginx-1.16.1-wolfssl/src/stream/ngx_stream_ssl_module.c
--- nginx/src/stream/ngx_stream_ssl_module.c 2019-10-28 17:04:55.111782394 +0100
+++ nginx-1.16.1-wolfssl/src/stream/ngx_stream_ssl_module.c 2019-10-28 16:59:15.493019066 +0100
@@ -14,7 +14,11 @@
ngx_pool_t *pool, ngx_str_t *s);
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"

16
nginx-1.17.5-wolfssl-debug.patch 100644
View File

@ -0,0 +1,16 @@
diff -ur nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.c nginx-1.17.5-wolfssl-debug/src/event/ngx_event_openssl.c
--- nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.c 2019-11-04 21:29:39.856200843 +0100
+++ nginx-1.17.5-wolfssl-debug/src/event/ngx_event_openssl.c 2019-11-04 21:30:29.362010122 +0100
@@ -165,6 +165,12 @@
#endif
+#ifdef WOLFSSL_NGINX
+ /* Turn on internal wolfssl debugging to stdout */
+ wolfSSL_Debugging_ON();
+#endif
+
+
#ifndef SSL_OP_NO_COMPRESSION
{
/*

302
nginx-1.17.5-wolfssl.patch 100644
View File

@ -0,0 +1,302 @@
diff -ur nginx/auto/lib/openssl/conf nginx-1.17.5-wolfssl/auto/lib/openssl/conf
--- nginx/auto/lib/openssl/conf 2019-11-04 21:30:50.293130582 +0100
+++ nginx-1.17.5-wolfssl/auto/lib/openssl/conf 2019-11-04 21:29:39.848201210 +0100
@@ -62,8 +62,33 @@
ngx_feature_path=
ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD"
ngx_feature_test="SSL_CTX_set_options(NULL, 0)"
+
+ if [ $WOLFSSL != NONE ]; then
+ ngx_feature="wolfSSL library in $WOLFSSL"
+ ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include"
+
+ if [ $NGX_RPATH = YES ]; then
+ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
+ else
+ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
+ fi
+
+ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl"
+ CFLAGS="$CFLAGS -DWOLFSSL_NGINX"
+ fi
+
. auto/feature
+ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then
+cat << END
+
+$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl.
+SSL modules require the wolfSSL library.
+
+END
+ exit 1
+ fi
+
if [ $ngx_found = no ]; then
# FreeBSD port
diff -ur nginx/auto/options nginx-1.17.5-wolfssl/auto/options
--- nginx/auto/options 2019-11-04 21:30:50.293130582 +0100
+++ nginx-1.17.5-wolfssl/auto/options 2019-11-04 21:29:39.848201210 +0100
@@ -146,6 +146,7 @@
USE_OPENSSL=NO
OPENSSL=NONE
+WOLFSSL=NONE
USE_ZLIB=NO
ZLIB=NONE
@@ -354,6 +355,7 @@
--with-pcre-opt=*) PCRE_OPT="$value" ;;
--with-pcre-jit) PCRE_JIT=YES ;;
+ --with-wolfssl=*) WOLFSSL="$value" ;;
--with-openssl=*) OPENSSL="$value" ;;
--with-openssl-opt=*) OPENSSL_OPT="$value" ;;
@@ -578,6 +580,7 @@
--with-libatomic force libatomic_ops library usage
--with-libatomic=DIR set path to libatomic_ops library sources
+ --with-wolfssl=DIR set path to wolfSSL headers and library
--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
Only in nginx: .git
diff -ur nginx/src/event/ngx_event_openssl.c nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.c
--- nginx/src/event/ngx_event_openssl.c 2019-11-04 21:30:50.297130417 +0100
+++ nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.c 2019-11-04 21:29:39.856200843 +0100
@@ -383,6 +383,10 @@
SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+#ifdef WOLFSSL_NGINX
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL);
+#endif
+
return NGX_OK;
}
@@ -862,6 +866,14 @@
ngx_int_t
+ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl)
+{
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
+
+ return NGX_OK;
+}
+
+ngx_int_t
ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
ngx_int_t depth)
{
@@ -1361,7 +1373,8 @@
* maximum interoperability.
*/
-#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST)
+#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) || \
+ defined(WOLFSSL_NGINX)
/*
* OpenSSL 1.0.2+ allows configuring a curve list instead of a single
@@ -1481,10 +1494,26 @@
ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
{
ngx_connection_t *c;
+#ifdef WOLFSSL_NGINX
+ int len;
+#endif
c = ngx_ssl_get_connection(ssl_conn);
if (c->ssl->save_session) {
+#ifdef WOLFSSL_NGINX
+ len = i2d_SSL_SESSION(sess, NULL);
+
+ /* do not cache too big session */
+ if (len > NGX_SSL_MAX_SESSION_SIZE) {
+ return -1;
+ }
+
+ if (!(sess = SSL_SESSION_dup(sess))) {
+ return -1;
+ }
+#endif
+
c->ssl->session = sess;
c->ssl->save_session(c);
@@ -1556,7 +1585,9 @@
{
#ifdef TLS1_3_VERSION
if (c->ssl->session) {
+ #if !defined(WOLFSSL_NGINX)
SSL_SESSION_up_ref(c->ssl->session);
+ #endif
return c->ssl->session;
}
#endif
@@ -3972,7 +4003,8 @@
return -1;
}
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \
+ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS))
if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) {
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
return -1;
@@ -4016,7 +4048,8 @@
size = 32;
}
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \
+ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS))
if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) {
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
return -1;
diff -ur nginx/src/event/ngx_event_openssl.h nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.h
--- nginx/src/event/ngx_event_openssl.h 2019-11-04 21:30:50.293130582 +0100
+++ nginx-1.17.5-wolfssl/src/event/ngx_event_openssl.h 2019-11-04 21:29:39.856200843 +0100
@@ -12,6 +12,10 @@
#include <ngx_config.h>
#include <ngx_core.h>
+#ifdef WOLFSSL_NGINX
+#include <wolfssl/options.h>
+#include <openssl/pem.h>
+#endif
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/bn.h>
@@ -59,7 +63,7 @@
#define ngx_ssl_conn_t SSL
-#if (OPENSSL_VERSION_NUMBER < 0x10002000L)
+#if (OPENSSL_VERSION_NUMBER < 0x10002000L) && !defined(WOLFSSL_NGINX)
#define SSL_is_server(s) (s)->server
#endif
@@ -172,6 +176,7 @@
ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
ngx_uint_t prefer_server_ciphers);
+ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl);
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
diff -ur nginx/src/event/ngx_event_openssl_stapling.c nginx-1.17.5-wolfssl/src/event/ngx_event_openssl_stapling.c
--- nginx/src/event/ngx_event_openssl_stapling.c 2019-11-04 21:30:50.293130582 +0100
+++ nginx-1.17.5-wolfssl/src/event/ngx_event_openssl_stapling.c 2019-11-04 21:29:39.856200843 +0100
@@ -313,7 +313,9 @@
for (i = 0; i < n; i++) {
issuer = sk_X509_value(chain, i);
if (X509_check_issued(issuer, cert) == X509_V_OK) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100001L
+#ifdef WOLFSSL_NGINX
+ issuer = X509_dup(issuer);
+#elif OPENSSL_VERSION_NUMBER >= 0x10100001L
X509_up_ref(issuer);
#else
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
diff -ur nginx/src/http/modules/ngx_http_proxy_module.c nginx-1.17.5-wolfssl/src/http/modules/ngx_http_proxy_module.c
--- nginx/src/http/modules/ngx_http_proxy_module.c 2019-11-04 21:30:50.293130582 +0100
+++ nginx-1.17.5-wolfssl/src/http/modules/ngx_http_proxy_module.c 2019-11-04 21:29:39.856200843 +0100
@@ -4307,6 +4307,8 @@
return NGX_ERROR;
}
+ ngx_ssl_set_verify_on(cf, plcf->upstream.ssl);
+
if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl,
&plcf->ssl_trusted_certificate,
plcf->ssl_verify_depth)
diff -ur nginx/src/http/modules/ngx_http_ssl_module.c nginx-1.17.5-wolfssl/src/http/modules/ngx_http_ssl_module.c
--- nginx/src/http/modules/ngx_http_ssl_module.c 2019-11-04 21:30:50.293130582 +0100
+++ nginx-1.17.5-wolfssl/src/http/modules/ngx_http_ssl_module.c 2019-11-04 21:29:39.856200843 +0100
@@ -14,7 +14,11 @@
ngx_pool_t *pool, ngx_str_t *s);
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"
#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
@@ -810,8 +814,10 @@
return NGX_CONF_ERROR;
}
+#ifndef WOLFSSL_NGINX
ngx_conf_merge_value(conf->builtin_session_cache,
prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
+#endif
if (conf->shm_zone == NULL) {
conf->shm_zone = prev->shm_zone;
diff -ur nginx/src/http/ngx_http_request.c nginx-1.17.5-wolfssl/src/http/ngx_http_request.c
--- nginx/src/http/ngx_http_request.c 2019-11-04 21:30:50.297130417 +0100
+++ nginx-1.17.5-wolfssl/src/http/ngx_http_request.c 2019-11-04 21:29:39.856200843 +0100
@@ -851,6 +851,12 @@
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+#ifndef SSL_AD_NO_RENEGOTIATION
+#define SSL_AD_NO_RENEGOTIATION 100
+#endif
+#ifndef SSL_AD_INTERNAL_ERROR
+#define SSL_AD_INTERNAL_ERROR 80
+#endif
int
ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
diff -ur nginx/src/mail/ngx_mail_ssl_module.c nginx-1.17.5-wolfssl/src/mail/ngx_mail_ssl_module.c
--- nginx/src/mail/ngx_mail_ssl_module.c 2019-11-04 21:30:50.297130417 +0100
+++ nginx-1.17.5-wolfssl/src/mail/ngx_mail_ssl_module.c 2019-11-04 21:29:39.860200659 +0100
@@ -10,7 +10,11 @@
#include <ngx_mail.h>
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"
diff -ur nginx/src/stream/ngx_stream_proxy_module.c nginx-1.17.5-wolfssl/src/stream/ngx_stream_proxy_module.c
--- nginx/src/stream/ngx_stream_proxy_module.c 2019-11-04 21:30:50.297130417 +0100
+++ nginx-1.17.5-wolfssl/src/stream/ngx_stream_proxy_module.c 2019-11-04 21:29:39.864200476 +0100
@@ -2136,6 +2136,8 @@
return NGX_ERROR;
}
+ ngx_ssl_set_verify_on(cf, pscf->ssl);
+
if (ngx_ssl_trusted_certificate(cf, pscf->ssl,
&pscf->ssl_trusted_certificate,
pscf->ssl_verify_depth)
diff -ur nginx/src/stream/ngx_stream_ssl_module.c nginx-1.17.5-wolfssl/src/stream/ngx_stream_ssl_module.c
--- nginx/src/stream/ngx_stream_ssl_module.c 2019-11-04 21:30:50.293130582 +0100
+++ nginx-1.17.5-wolfssl/src/stream/ngx_stream_ssl_module.c 2019-11-04 21:29:39.864200476 +0100
@@ -14,7 +14,11 @@
ngx_pool_t *pool, ngx_str_t *s);
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"

17
nginx-1.7.7-wolfssl-debug.patch 100644
View File

@ -0,0 +1,17 @@
diff --git a/src/core/nginx.c b/src/core/nginx.c
index c75ee4fd..e7b49f0b 100644
--- a/src/core/nginx.c
+++ b/src/core/nginx.c
@@ -206,6 +206,11 @@ main(int argc, char *const *argv)
ngx_cycle_t *cycle, init_cycle;
ngx_core_conf_t *ccf;
+
+#ifdef WOLFSSL_NGINX
+ (void)wolfSSL_Debugging_ON();
+#endif
+
ngx_debug_init();
if (ngx_strerror_init() != NGX_OK) {

322
nginx-1.7.7-wolfssl.patch 100644
View File

@ -0,0 +1,322 @@
From 9a58b2ddaa713b312a9d14d6dd563d1df14c8231 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz <juliusz@wolfssl.com>
Date: Tue, 1 Dec 2020 13:41:20 +0100
Subject: [PATCH] wolfSSL Patch for Nginx 1.7.7
Build instructions:
- Build wolfSSL (run in wolfSSL directory):
`./configure --enable-nginx`
`make`
`make install`
The default installation directory is `/usr/local`.
- Build Nginx (run in Nginx directory):
- Apply patch:
`patch -p1 < nginx-1.7.7-wolfssl.patch`
- Compile Nginx (some warnings need to be disabled):
`./configure --with-wolfssl=/usr/local --with-http_ssl_module --with-cc-opt='-Wimplicit-fallthrough=0 -Wno-cast-function-type'`
`make`
Port nginx 1.7.7 to wolfSSL:
- `auto/lib/openssl/conf`: Detect wolfSSL library and setup compilation options
- `auto/options`: Add wolfSSL configure option
- `src/core/nginx.c`: Enable debugging if wolfSSL is compiled with `--enable-debug`
- `src/event/ngx_event_openssl.c`:
- Nginx wants the SSL library to not do any certificate verification by default
- No need to disble renegotiation since wolfSSL has it disabled by default
- Fix TLS tickets callback to return correct values
- Ignore undefined handshake failure codes
- `src/event/ngx_event_openssl.h`: Include wolfSSL options file
- `src/event/ngx_event_openssl_stapling.c`: Use `wolfSSL_X509_up_ref` to increment issuer certificate reference counter
- `src/http/modules/ngx_http_ssl_module.c`: wolfSSL "ALL" provides adequate default ciphers
- `src/http/ngx_http_upstream.c`: Correct type mismatch
- `src/mail/ngx_mail_ssl_module.c`: wolfSSL "ALL" provides adequate default ciphers
- `src/os/unix/ngx_user.c`: `current_salt` not part of `struct crypt_data` in recent glibc version
nginx-tests remarks:
- All tests in nginx-tests should pass. Some tests test reusing a session but fail on my machine. Manually setting up the server and connecting through Firefox correctly re-uses the session suggesting that the issue is on the client side not the server. I assume that this is an error in my version of Perl (which is the client in the nginx-tests).
- When running nginx-tests with TLS 1.3 then session resumption tests will fail since the tests are not configured for SSL tickets. I tested session reuse manually with Firefox and confirmed that they work.
- nginx 1.7.7 does not do session reuse with TLS 1.3 (when acting as a proxy) because it calls SSL_get1_session too soon.
---
auto/lib/openssl/conf | 35 ++++++++++++++++++++++----
auto/options | 3 +++
src/core/nginx.c | 5 ++++
src/event/ngx_event_openssl.c | 17 +++++++++++--
src/event/ngx_event_openssl.h | 3 +++
src/event/ngx_event_openssl_stapling.c | 8 ++++++
src/http/modules/ngx_http_ssl_module.c | 4 +++
src/http/ngx_http_upstream.c | 7 +++++-
src/mail/ngx_mail_ssl_module.c | 4 +++
src/os/unix/ngx_user.c | 2 ++
10 files changed, 80 insertions(+), 8 deletions(-)
diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf
index a65815f6..0796e3ab 100644
--- a/auto/lib/openssl/conf
+++ b/auto/lib/openssl/conf
@@ -49,11 +49,38 @@ else
ngx_feature="OpenSSL library"
ngx_feature_name="NGX_OPENSSL"
ngx_feature_run=no
- ngx_feature_incs="#include <openssl/ssl.h>"
+ ngx_feature_incs="#include <options.h>
+ #include <openssl/ssl.h>"
ngx_feature_path=
ngx_feature_libs="-lssl -lcrypto"
ngx_feature_test="SSL_library_init()"
+
+ if [ $WOLFSSL != NONE ]; then
+ ngx_feature="wolfSSL library in $WOLFSSL"
+ ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include"
+
+ if [ $NGX_RPATH = YES ]; then
+ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl -lm $NGX_LIBDL"
+ else
+ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl -lm $NGX_LIBDL"
+ fi
+
+ CORE_INCS="$CORE_INCS $ngx_feature_path"
+ CFLAGS="$CFLAGS -DWOLFSSL_NGINX"
+ fi
+
. auto/feature
+
+ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then
+cat << END
+
+$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl.
+SSL modules require the wolfSSL library.
+
+END
+ exit 1
+ fi
+
if [ $ngx_found = yes ]; then
have=NGX_SSL . auto/have
@@ -66,10 +93,8 @@ else
cat << END
-$0: error: SSL modules require the OpenSSL library.
-You can either do not enable the modules, or install the OpenSSL library
-into the system, or build the OpenSSL library statically from the source
-with nginx by using --with-openssl=<path> option.
+$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl.
+SSL modules require the wolfSSL library.
END
exit 1
diff --git a/auto/options b/auto/options
index 0d296ac6..7688cad7 100644
--- a/auto/options
+++ b/auto/options
@@ -121,6 +121,7 @@ PCRE_OPT=
PCRE_CONF_OPT=
PCRE_JIT=NO
+WOLFSSL=NONE
USE_OPENSSL=NO
OPENSSL=NONE
@@ -292,6 +293,7 @@ use the \"--without-http_limit_conn_module\" option instead"
--with-pcre-opt=*) PCRE_OPT="$value" ;;
--with-pcre-jit) PCRE_JIT=YES ;;
+ --with-wolfssl=*) WOLFSSL="$value" ;;
--with-openssl=*) OPENSSL="$value" ;;
--with-openssl-opt=*) OPENSSL_OPT="$value" ;;
@@ -469,6 +471,7 @@ cat << END
--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
+ --with-wolfssl=DIR set path to wolfSSL library
--with-debug enable debug logging
diff --git a/src/core/nginx.c b/src/core/nginx.c
index c75ee4fd..e7b49f0b 100644
--- a/src/core/nginx.c
+++ b/src/core/nginx.c
@@ -206,6 +206,11 @@ main(int argc, char *const *argv)
ngx_cycle_t *cycle, init_cycle;
ngx_core_conf_t *ccf;
+
+#ifdef WOLFSSL_NGINX
+ (void)wolfSSL_Debugging_ON();
+#endif
+
ngx_debug_init();
if (ngx_strerror_init() != NGX_OK) {
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index f3456527..065ec5af 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -204,6 +204,11 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
return NGX_ERROR;
}
+#ifdef WOLFSSL_NGINX
+ /* nginx expects that the SSL library doesn't verify certs by default */
+ SSL_CTX_set_verify(ssl->ctx, WOLFSSL_VERIFY_NONE, NULL);
+#endif
+
ssl->buffer_size = NGX_SSL_BUFSIZE;
/* client side options */
@@ -1096,10 +1101,13 @@ ngx_ssl_handshake(ngx_connection_t *c)
c->recv_chain = ngx_ssl_recv_chain;
c->send_chain = ngx_ssl_send_chain;
+ /* wolfSSL has renegotiation disabled by default */
+#ifndef WOLFSSL_NGINX
/* initial handshake done, disable renegotiation (CVE-2009-3555) */
if (c->ssl->connection->s3) {
c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
}
+#endif
return NGX_OK;
}
@@ -1844,7 +1852,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
|| n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */
|| n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */
|| n == SSL_R_LENGTH_MISMATCH /* 159 */
+#ifndef WOLFSSL_NGINX
|| n == SSL_R_NO_CIPHERS_PASSED /* 182 */
+#endif
|| n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */
|| n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */
|| n == SSL_R_NO_SHARED_CIPHER /* 193 */
@@ -1869,6 +1879,7 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
#ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING
|| n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING /* 345 */
#endif
+#ifndef WOLFSSL_NGINX
|| n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */
|| n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */
|| n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */
@@ -1892,7 +1903,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
|| n == SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY /* 1071 */
|| n == SSL_R_TLSV1_ALERT_INTERNAL_ERROR /* 1080 */
|| n == SSL_R_TLSV1_ALERT_USER_CANCELLED /* 1090 */
- || n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION) /* 1100 */
+ || n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION /* 1100 */
+#endif
+ )
{
switch (c->log_error) {
@@ -2798,7 +2811,7 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
ngx_ssl_session_ticket_md(), NULL);
ngx_memcpy(name, key[0].name, 16);
- return 0;
+ return 1;
} else {
/* decrypt session ticket */
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 08eff644..e39cce3d 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -12,6 +12,9 @@
#include <ngx_config.h>
#include <ngx_core.h>
+#ifdef WOLFSSL_NGINX
+#include <wolfssl/options.h>
+#endif
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/bn.h>
diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
index 2fa06730..afdbab3f 100644
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -281,7 +281,15 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl)
for (i = 0; i < n; i++) {
issuer = sk_X509_value(chain, i);
if (X509_check_issued(issuer, cert) == X509_V_OK) {
+#ifndef WOLFSSL_NGINX
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
+#else
+ if (wolfSSL_X509_up_ref(issuer) != 1) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "wolfSSL_X509_up_ref() failed");
+ return NGX_ERROR;
+ }
+#endif
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
"SSL get issuer: found %p in extra certs", issuer);
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index 4c69091d..5a78efcb 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
ngx_pool_t *pool, ngx_str_t *s);
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "prime256v1"
#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
index 3e8ce09e..ef80c9ba 100644
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -1566,7 +1566,12 @@ ngx_http_upstream_ssl_name(ngx_http_request_t *r, ngx_http_upstream_t *u,
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"upstream SSL server name: \"%s\"", name.data);
- if (SSL_set_tlsext_host_name(c->ssl->connection, name.data) == 0) {
+#ifdef WOLFSSL_NGINX
+ if (SSL_set_tlsext_host_name(c->ssl->connection, (char *)name.data) == 0)
+#else
+ if (SSL_set_tlsext_host_name(c->ssl->connection, name.data) == 0)
+#endif
+ {
ngx_ssl_error(NGX_LOG_ERR, r->connection->log, 0,
"SSL_set_tlsext_host_name(\"%s\") failed", name.data);
return NGX_ERROR;
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
index f864d991..f43b1ebd 100644
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -10,7 +10,11 @@
#include <ngx_mail.h>
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "prime256v1"
diff --git a/src/os/unix/ngx_user.c b/src/os/unix/ngx_user.c
index 7a71203c..816d5216 100644
--- a/src/os/unix/ngx_user.c
+++ b/src/os/unix/ngx_user.c
@@ -31,8 +31,10 @@ ngx_libc_crypt(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted)
struct crypt_data cd;
cd.initialized = 0;
+#if defined(__GLIBC__) && !defined(CRYPT_DATA_INTERNAL_SIZE)
/* work around the glibc bug */
cd.current_salt[0] = ~salt[0];
+#endif
value = crypt_r((char *) key, (char *) salt, &cd);
--
2.25.1

117
ssl_stapling.t.patch 100644
View File

@ -0,0 +1,117 @@
commit 76a0d0fe158ba0bc2d9a71ef3bd8ff52949a10a1
Author: Juliusz Sosinowicz <juliusz@wolfssl.com>
Date: Thu Oct 24 11:45:49 2019 +0200
different ports for different certs
diff --git a/ssl_stapling.t b/ssl_stapling.t
index d5b8ff3..ee57012 100644
--- a/ssl_stapling.t
+++ b/ssl_stapling.t
@@ -53,18 +53,21 @@ http {
ssl_stapling on;
ssl_trusted_certificate trusted.crt;
- ssl_certificate ec-end-int.crt;
- ssl_certificate_key ec-end.key;
-
- ssl_certificate end-int.crt;
- ssl_certificate_key end.key;
-
ssl_ciphers DEFAULT:ECCdraft;
server {
listen 127.0.0.1:8443 ssl;
listen 127.0.0.1:8080;
server_name localhost;
+ ssl_certificate end-int.crt;
+ ssl_certificate_key end.key;
+ }
+ server {
+ listen 127.0.0.1:8453 ssl;
+ listen 127.0.0.1:8090;
+ server_name localhost;
+ ssl_certificate ec-end-int.crt;
+ ssl_certificate_key ec-end.key;
}
server {
@@ -72,6 +75,17 @@ http {
server_name localhost;
ssl_stapling_responder http://127.0.0.1:8081/;
+ ssl_certificate end-int.crt;
+ ssl_certificate_key end.key;
+ }
+
+ server {
+ listen 127.0.0.1:8454 ssl;
+ server_name localhost;
+
+ ssl_stapling_responder http://127.0.0.1:8081/;
+ ssl_certificate ec-end-int.crt;
+ ssl_certificate_key ec-end.key;
}
server {
@@ -79,6 +93,8 @@ http {
server_name localhost;
ssl_stapling_verify on;
+ ssl_certificate ec-end-int.crt;
+ ssl_certificate_key ec-end.key;
}
server {
@@ -87,6 +103,8 @@ http {
ssl_certificate ec-end.crt;
ssl_certificate_key ec-end.key;
+ ssl_certificate ec-end-int.crt;
+ ssl_certificate_key ec-end.key;
}
server {
@@ -97,6 +115,8 @@ http {
ssl_certificate_key end.key;
ssl_stapling_file %%TESTDIR%%/resp.der;
+ ssl_certificate end-int.crt;
+ ssl_certificate_key end.key;
}
server {
@@ -114,6 +134,8 @@ http {
server_name localhost;
ssl_stapling_responder http://127.0.0.1:8080/;
+ ssl_certificate ec-end-int.crt;
+ ssl_certificate_key ec-end.key;
}
}
@@ -249,9 +271,9 @@ $t->waitforsocket("127.0.0.1:" . port(8081));
my $version = get_version();
staple(8443, 'RSA');
-staple(8443, 'ECDSA');
+staple(8453, 'ECDSA');
staple(8444, 'RSA');
-staple(8444, 'ECDSA');
+staple(8454, 'ECDSA');
staple(8445, 'ECDSA');
staple(8446, 'ECDSA');
staple(8449, 'ECDSA');
@@ -259,10 +281,10 @@ staple(8449, 'ECDSA');
sleep 1;
ok(!staple(8443, 'RSA'), 'staple revoked');
-ok(staple(8443, 'ECDSA'), 'staple success');
+ok(staple(8453, 'ECDSA'), 'staple success');
ok(!staple(8444, 'RSA'), 'responder revoked');
-ok(staple(8444, 'ECDSA'), 'responder success');
+ok(staple(8454, 'ECDSA'), 'responder success');
ok(!staple(8445, 'ECDSA'), 'verify - root not trusted');

2
test.sh
View File

@ -219,7 +219,7 @@ echo '#'
PORT=11443
echo "# Port: $PORT"
OPTS=
EXPECT=("SSL DH size is 2048 bits" "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK" "resume response")
EXPECT=("2048" "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK" "resume response")
client_test
# Default certificate, DH, verify client
echo