update patch to run all CAST when needed

pull/28/head
JacobBarthelmeh 2024-12-05 15:44:33 -07:00
parent b27f3e51ce
commit f2508abdd3
1 changed files with 25 additions and 10 deletions


@ -71,10 +71,25 @@ index 552ef83..96f0d8e 100644
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index c38aa27..e3c7755 100644
index c38aa27..ad77a02 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -351,6 +351,8 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
@@ -165,6 +165,14 @@ ngx_ssl_init(ngx_log_t *log)
#endif
+#ifdef WOLFSSL_NGINX
+ /* Run all casts on initialization with these FIPS versions to avoid
+ * threaded competition when running them ad hoc */
+ #if FIPS_VERSION3_GE(5,2,1) && !FIPS_VERSION3_GE(6,0,0)
+ wc_RunAllCast_fips();
+ #endif
+#endif
+
#ifndef SSL_OP_NO_COMPRESSION
{
/*
@@ -351,6 +359,8 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
}
#endif
@ -83,7 +98,7 @@ index c38aa27..e3c7755 100644
#ifdef SSL_CTX_set_min_proto_version
SSL_CTX_set_min_proto_version(ssl->ctx, 0);
SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
@@ -360,6 +362,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
@@ -360,6 +370,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_min_proto_version(ssl->ctx, 0);
SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
#endif
@ -91,7 +106,7 @@ index c38aa27..e3c7755 100644
#ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
@@ -557,6 +560,12 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
@@ -557,6 +568,12 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
return NGX_ERROR;
}
@ -104,7 +119,7 @@ index c38aa27..e3c7755 100644
if (SSL_use_certificate(c->ssl->connection, x509) == 0) {
ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
"SSL_use_certificate(\"%s\") failed", cert->data);
@@ -568,7 +577,9 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
@@ -568,7 +585,9 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
X509_free(x509);
#ifdef SSL_set0_chain
@ -115,7 +130,7 @@ index c38aa27..e3c7755 100644
/*
* SSL_set0_chain() is only available in OpenSSL 1.0.2+,
* but this function is only called via certificate callback,
@@ -581,7 +592,19 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
@@ -581,7 +600,19 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
sk_X509_pop_free(chain, X509_free);
return NGX_ERROR;
}
@ -136,7 +151,7 @@ index c38aa27..e3c7755 100644
#endif
pkey = ngx_ssl_load_certificate_key(pool, &err, key, passwords);
@@ -3358,6 +3381,27 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
@@ -3358,6 +3389,27 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
int n;
ngx_uint_t level;
@ -164,7 +179,7 @@ index c38aa27..e3c7755 100644
level = NGX_LOG_CRIT;
if (sslerr == SSL_ERROR_SYSCALL) {
@@ -4577,7 +4621,8 @@ ngx_ssl_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
@@ -4577,7 +4629,8 @@ ngx_ssl_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
return -1;
}
@ -174,7 +189,7 @@ index c38aa27..e3c7755 100644
if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) {
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
return -1;
@@ -4620,7 +4665,8 @@ ngx_ssl_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
@@ -4620,7 +4673,8 @@ ngx_ssl_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
size = 32;
}
@ -184,7 +199,7 @@ index c38aa27..e3c7755 100644
if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) {
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
return -1;
@@ -5127,6 +5173,14 @@ ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
@@ -5127,6 +5181,14 @@ ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
#endif
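Review bot: The return value of `wc_RunAllCast_fips()` is discarded in the block added to `ngx_ssl_init`, so a failed self-test would go unnoticed at startup and only surface later as crypto errors while connections are being served. Assuming the call returns 0 on success (worth confirming against the wolfSSL FIPS headers), check it and abort initialization, e.g. `if (wc_RunAllCast_fips() != 0) { ngx_log_error(NGX_LOG_EMERG, log, 0, "wc_RunAllCast_fips() failed"); return NGX_ERROR; }`. The `#if` also relies on `FIPS_VERSION3_GE` being defined by every wolfSSL version this patch is built against; if older releases lack it, a `defined(FIPS_VERSION3_GE) &&` guard would keep them compiling. The rest of `ngx_ssl_init` lies outside the hunk, so the error path should follow whatever the function already does on failure.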