diff -ur nginx-1.10.3/auto/lib/openssl/conf nginx-1.10.3-wolfssl/auto/lib/openssl/conf --- nginx-1.10.3/auto/lib/openssl/conf 2017-02-01 01:01:11.000000000 +1000 +++ nginx-1.10.3-wolfssl/auto/lib/openssl/conf 2018-03-15 10:42:00.974532594 +1000 @@ -15,8 +15,16 @@ CORE_INCS="$CORE_INCS $OPENSSL/openssl/include" CORE_DEPS="$CORE_DEPS $OPENSSL/openssl/include/openssl/ssl.h" - CORE_LIBS="$CORE_LIBS $OPENSSL/openssl/lib/ssleay32.lib" - CORE_LIBS="$CORE_LIBS $OPENSSL/openssl/lib/libeay32.lib" + + if [ -f $OPENSSL/ms/do_ms.bat ]; then + # before OpenSSL 1.1.0 + CORE_LIBS="$CORE_LIBS $OPENSSL/openssl/lib/ssleay32.lib" + CORE_LIBS="$CORE_LIBS $OPENSSL/openssl/lib/libeay32.lib" + else + # OpenSSL 1.1.0+ + CORE_LIBS="$CORE_LIBS $OPENSSL/openssl/lib/libssl.lib" + CORE_LIBS="$CORE_LIBS $OPENSSL/openssl/lib/libcrypto.lib" + fi # libeay32.lib requires gdi32.lib CORE_LIBS="$CORE_LIBS gdi32.lib" @@ -49,12 +57,38 @@ ngx_feature="OpenSSL library" ngx_feature_name="NGX_OPENSSL" ngx_feature_run=no - ngx_feature_incs="#include " + ngx_feature_incs="#include + #include " ngx_feature_path= ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL" ngx_feature_test="SSL_CTX_set_options(NULL, 0)" + + if [ $WOLFSSL != NONE ]; then + ngx_feature="wolfSSL library in $WOLFSSL" + ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include" + + if [ $NGX_RPATH = YES ]; then + ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl -lm $NGX_LIBDL" + else + ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl -lm $NGX_LIBDL" + fi + + CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl" + CFLAGS="$CFLAGS -DWOLFSSL_NGINX" + fi + . auto/feature + if [ $WOLFSSL != NONE -a $ngx_found = no ]; then +cat << END + +$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl. +SSL modules require the wolfSSL library. + +END + exit 1 + fi + if [ $ngx_found = no ]; then # FreeBSD port diff -ur nginx-1.10.3/auto/options nginx-1.10.3-wolfssl/auto/options --- nginx-1.10.3/auto/options 2017-02-01 01:01:11.000000000 +1000 +++ nginx-1.10.3-wolfssl/auto/options 2017-04-13 10:38:27.614124846 +1000 @@ -133,6 +133,7 @@ PCRE_CONF_OPT= PCRE_JIT=NO +WOLFSSL=NONE USE_OPENSSL=NO OPENSSL=NONE @@ -330,6 +331,7 @@ --with-pcre-opt=*) PCRE_OPT="$value" ;; --with-pcre-jit) PCRE_JIT=YES ;; + --with-wolfssl=*) WOLFSSL="$value" ;; --with-openssl=*) OPENSSL="$value" ;; --with-openssl-opt=*) OPENSSL_OPT="$value" ;; diff -ur nginx-1.10.3/src/event/ngx_event_openssl.c nginx-1.10.3-wolfssl/src/event/ngx_event_openssl.c --- nginx-1.10.3/src/event/ngx_event_openssl.c 2017-02-01 01:01:11.000000000 +1000 +++ nginx-1.10.3-wolfssl/src/event/ngx_event_openssl.c 2018-02-02 09:21:43.593980737 +1000 @@ -55,7 +55,7 @@ HMAC_CTX *hctx, int enc); #endif -#if OPENSSL_VERSION_NUMBER < 0x10002002L +#if OPENSSL_VERSION_NUMBER < 0x10002002L && !defined(WOLFSSL_NGINX) static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str); #endif @@ -304,6 +304,10 @@ SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); +#ifdef WOLFSSL_NGINX + SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL); +#endif + return NGX_OK; } @@ -361,8 +365,6 @@ return NGX_ERROR; } - X509_free(x509); - /* read rest of the chain */ for ( ;; ) { @@ -527,6 +529,13 @@ return size; } +ngx_int_t +ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl) +{ + SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback); + + return NGX_OK; +} ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, @@ -1019,6 +1028,38 @@ { #if OPENSSL_VERSION_NUMBER >= 0x0090800fL #ifndef OPENSSL_NO_ECDH +#if defined(SSL_CTRL_SET_CURVES_LIST) || defined(WOLFSSL_NGINX) + + /* + * OpenSSL 1.0.2+ allows configuring a curve list instead of a single + * curve previously supported. By default an internal list is used, + * with prime256v1 being preferred by server in OpenSSL 1.0.2b+ + * and X25519 in OpenSSL 1.1.0+. + * + * By default a curve preferred by the client will be used for + * key exchange. The SSL_OP_CIPHER_SERVER_PREFERENCE option can + * be used to prefer server curves instead, similar to what it + * does for ciphers. + */ + + SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE); + +#if SSL_CTRL_SET_ECDH_AUTO + /* not needed in OpenSSL 1.1.0+ */ + SSL_CTX_set_ecdh_auto(ssl->ctx, 1); +#endif + + if (ngx_strcmp(name->data, "auto") == 0) { + return NGX_OK; + } + + if (SSL_CTX_set1_curves_list(ssl->ctx, (char *) name->data) == 0) { + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, + "SSL_CTX_set1_curves_list(\"%s\") failed", name->data); + return NGX_ERROR; + } + +#else int nid; EC_KEY *ecdh; @@ -1050,6 +1091,7 @@ EC_KEY_free(ecdh); #endif #endif +#endif return NGX_OK; } @@ -2971,6 +3013,11 @@ ngx_ssl_cleanup_ctx(void *data) { ngx_ssl_t *ssl = data; + X509 *x509; + + x509 = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); + if (x509 != NULL) + X509_free(x509); SSL_CTX_free(ssl->ctx); } @@ -2986,7 +3033,7 @@ return NGX_ERROR; } -#if OPENSSL_VERSION_NUMBER >= 0x10002002L +#if OPENSSL_VERSION_NUMBER >= 0x10002002L || defined(WOLFSSL_NGINX) /* X509_check_host() is only available in OpenSSL 1.0.2+ */ @@ -3103,7 +3150,7 @@ } -#if OPENSSL_VERSION_NUMBER < 0x10002002L +#if OPENSSL_VERSION_NUMBER < 0x10002002L && !defined(WOLFSSL_NGINX) static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern) diff -ur nginx-1.10.3/src/event/ngx_event_openssl.h nginx-1.10.3-wolfssl/src/event/ngx_event_openssl.h --- nginx-1.10.3/src/event/ngx_event_openssl.h 2017-02-01 01:01:11.000000000 +1000 +++ nginx-1.10.3-wolfssl/src/event/ngx_event_openssl.h 2018-02-02 09:09:01.157341959 +1000 @@ -12,6 +12,9 @@ #include #include +#ifdef WOLFSSL_NGINX +#include +#endif #include #include #include @@ -142,6 +145,7 @@ ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data); ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords); +ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl); ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, ngx_int_t depth); ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, diff -ur nginx-1.10.3/src/event/ngx_event_openssl_stapling.c nginx-1.10.3-wolfssl/src/event/ngx_event_openssl_stapling.c --- nginx-1.10.3/src/event/ngx_event_openssl_stapling.c 2017-02-01 01:01:11.000000000 +1000 +++ nginx-1.10.3-wolfssl/src/event/ngx_event_openssl_stapling.c 2017-04-13 15:37:15.307255249 +1000 @@ -285,7 +285,9 @@ for (i = 0; i < n; i++) { issuer = sk_X509_value(chain, i); if (X509_check_issued(issuer, cert) == X509_V_OK) { -#if OPENSSL_VERSION_NUMBER >= 0x10100001L +#ifdef WOLFSSL_NGINX + issuer = X509_dup(issuer); +#elif OPENSSL_VERSION_NUMBER >= 0x10100001L X509_up_ref(issuer); #else CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); diff -ur nginx-1.10.3/src/http/modules/ngx_http_proxy_module.c nginx-1.10.3-wolfssl/src/http/modules/ngx_http_proxy_module.c --- nginx-1.10.3/src/http/modules/ngx_http_proxy_module.c 2017-02-01 01:01:11.000000000 +1000 +++ nginx-1.10.3-wolfssl/src/http/modules/ngx_http_proxy_module.c 2017-04-13 15:37:15.315255307 +1000 @@ -4340,6 +4340,8 @@ return NGX_ERROR; } + ngx_ssl_set_verify_on(cf, plcf->upstream.ssl); + if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl, &plcf->ssl_trusted_certificate, plcf->ssl_verify_depth) diff -ur nginx-1.10.3/src/http/modules/ngx_http_ssl_module.c nginx-1.10.3-wolfssl/src/http/modules/ngx_http_ssl_module.c --- nginx-1.10.3/src/http/modules/ngx_http_ssl_module.c 2017-02-01 01:01:11.000000000 +1000 +++ nginx-1.10.3-wolfssl/src/http/modules/ngx_http_ssl_module.c 2017-04-13 15:37:15.315255307 +1000 @@ -14,7 +14,11 @@ ngx_pool_t *pool, ngx_str_t *s); +#ifndef WOLFSSL_NGINX #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" +#else +#define NGX_DEFAULT_CIPHERS "ALL" +#endif #define NGX_DEFAULT_ECDH_CURVE "prime256v1" #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1" diff -ur nginx-1.10.3/src/http/ngx_http_upstream.c nginx-1.10.3-wolfssl/src/http/ngx_http_upstream.c --- nginx-1.10.3/src/http/ngx_http_upstream.c 2017-02-01 01:01:12.000000000 +1000 +++ nginx-1.10.3-wolfssl/src/http/ngx_http_upstream.c 2017-04-13 15:37:15.307255249 +1000 @@ -1683,7 +1683,12 @@ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "upstream SSL server name: \"%s\"", name.data); - if (SSL_set_tlsext_host_name(c->ssl->connection, name.data) == 0) { +#ifdef WOLFSSL_NGINX + if (SSL_set_tlsext_host_name(c->ssl->connection, (char *)name.data) == 0) +#else + if (SSL_set_tlsext_host_name(c->ssl->connection, name.data) == 0) +#endif + { ngx_ssl_error(NGX_LOG_ERR, r->connection->log, 0, "SSL_set_tlsext_host_name(\"%s\") failed", name.data); return NGX_ERROR; diff -ur nginx-1.10.3/src/mail/ngx_mail_ssl_module.c nginx-1.10.3-wolfssl/src/mail/ngx_mail_ssl_module.c --- nginx-1.10.3/src/mail/ngx_mail_ssl_module.c 2017-02-01 01:01:12.000000000 +1000 +++ nginx-1.10.3-wolfssl/src/mail/ngx_mail_ssl_module.c 2017-04-13 15:37:15.319255337 +1000 @@ -10,7 +10,11 @@ #include +#ifndef WOLFSSL_NGINX #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" +#else +#define NGX_DEFAULT_CIPHERS "ALL" +#endif #define NGX_DEFAULT_ECDH_CURVE "prime256v1" diff -ur nginx-1.10.3/src/stream/ngx_stream_proxy_module.c nginx-1.10.3-wolfssl/src/stream/ngx_stream_proxy_module.c --- nginx-1.10.3/src/stream/ngx_stream_proxy_module.c 2017-02-01 01:01:12.000000000 +1000 +++ nginx-1.10.3-wolfssl/src/stream/ngx_stream_proxy_module.c 2017-04-14 09:31:37.567647783 +1000 @@ -879,8 +879,13 @@ ngx_log_debug1(NGX_LOG_DEBUG_STREAM, s->connection->log, 0, "upstream SSL server name: \"%s\"", name.data); +#ifdef WOLFSSL_NGINX + if (SSL_set_tlsext_host_name(u->peer.connection->ssl->connection, + (char *)name.data) == 0) +#else if (SSL_set_tlsext_host_name(u->peer.connection->ssl->connection, name.data) == 0) +#endif { ngx_ssl_error(NGX_LOG_ERR, s->connection->log, 0, "SSL_set_tlsext_host_name(\"%s\") failed", name.data); @@ -1578,6 +1583,8 @@ return NGX_ERROR; } + ngx_ssl_set_verify_on(cf, pscf->ssl); + if (ngx_ssl_trusted_certificate(cf, pscf->ssl, &pscf->ssl_trusted_certificate, pscf->ssl_verify_depth) diff -ur nginx-1.10.3/src/stream/ngx_stream_ssl_module.c nginx-1.10.3-wolfssl/src/stream/ngx_stream_ssl_module.c --- nginx-1.10.3/src/stream/ngx_stream_ssl_module.c 2017-02-01 01:01:12.000000000 +1000 +++ nginx-1.10.3-wolfssl/src/stream/ngx_stream_ssl_module.c 2017-04-13 15:37:15.323255367 +1000 @@ -10,7 +10,11 @@ #include +#ifndef WOLFSSL_NGINX #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" +#else +#define NGX_DEFAULT_CIPHERS "ALL" +#endif #define NGX_DEFAULT_ECDH_CURVE "prime256v1"