diff -ur nginx-1.14.0/auto/lib/openssl/conf nginx-1.14.0-wolfssl/auto/lib/openssl/conf --- nginx-1.14.0/auto/lib/openssl/conf 2018-04-18 01:22:36.000000000 +1000 +++ nginx-1.14.0-wolfssl/auto/lib/openssl/conf 2018-04-18 09:39:51.839852896 +1000 @@ -62,8 +62,33 @@ ngx_feature_path= ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD" ngx_feature_test="SSL_CTX_set_options(NULL, 0)" + + if [ $WOLFSSL != NONE ]; then + ngx_feature="wolfSSL library in $WOLFSSL" + ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include" + + if [ $NGX_RPATH = YES ]; then + ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" + else + ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL" + fi + + CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl" + CFLAGS="$CFLAGS -DWOLFSSL_NGINX" + fi + . auto/feature + if [ $WOLFSSL != NONE -a $ngx_found = no ]; then +cat << END + +$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl. +SSL modules require the wolfSSL library. + +END + exit 1 + fi + if [ $ngx_found = no ]; then # FreeBSD port Only in nginx-1.14.0-wolfssl/auto/lib/openssl: conf.orig diff -ur nginx-1.14.0/auto/options nginx-1.14.0-wolfssl/auto/options --- nginx-1.14.0/auto/options 2018-04-18 01:22:36.000000000 +1000 +++ nginx-1.14.0-wolfssl/auto/options 2018-04-18 09:39:51.839852896 +1000 @@ -145,6 +145,7 @@ USE_OPENSSL=NO OPENSSL=NONE +WOLFSSL=NONE USE_ZLIB=NO ZLIB=NONE @@ -349,6 +350,7 @@ --with-pcre-opt=*) PCRE_OPT="$value" ;; --with-pcre-jit) PCRE_JIT=YES ;; + --with-wolfssl=*) WOLFSSL="$value" ;; --with-openssl=*) OPENSSL="$value" ;; --with-openssl-opt=*) OPENSSL_OPT="$value" ;; @@ -569,6 +571,7 @@ --with-libatomic force libatomic_ops library usage --with-libatomic=DIR set path to libatomic_ops library sources + --with-wolfssl=DIR set path to wolfSSL headers and library --with-openssl=DIR set path to OpenSSL library sources --with-openssl-opt=OPTIONS set additional build options for OpenSSL Only in nginx-1.14.0-wolfssl/auto: options.orig diff -ur nginx-1.14.0/src/event/ngx_event_openssl.c nginx-1.14.0-wolfssl/src/event/ngx_event_openssl.c --- nginx-1.14.0/src/event/ngx_event_openssl.c 2018-04-18 01:22:36.000000000 +1000 +++ nginx-1.14.0-wolfssl/src/event/ngx_event_openssl.c 2018-04-18 09:39:51.839852896 +1000 @@ -346,6 +346,10 @@ SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); +#ifdef WOLFSSL_NGINX + SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL); +#endif + return NGX_OK; } @@ -654,6 +658,14 @@ ngx_int_t +ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl) +{ + SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback); + + return NGX_OK; +} + +ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, ngx_int_t depth) { @@ -1091,7 +1103,8 @@ * maximum interoperability. */ -#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) +#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) || \ + defined(WOLFSSL_NGINX) /* * OpenSSL 1.0.2+ allows configuring a curve list instead of a single @@ -3061,7 +3074,8 @@ return -1; } -#if OPENSSL_VERSION_NUMBER >= 0x10000000L +#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \ + (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS)) if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) { ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); return -1; @@ -3105,7 +3119,8 @@ size = 32; } -#if OPENSSL_VERSION_NUMBER >= 0x10000000L +#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \ + (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS)) if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) { ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); return -1; diff -ur nginx-1.14.0/src/event/ngx_event_openssl.h nginx-1.14.0-wolfssl/src/event/ngx_event_openssl.h --- nginx-1.14.0/src/event/ngx_event_openssl.h 2018-04-18 01:22:36.000000000 +1000 +++ nginx-1.14.0-wolfssl/src/event/ngx_event_openssl.h 2018-04-18 09:39:51.839852896 +1000 @@ -12,6 +12,9 @@ #include #include +#ifdef WOLFSSL_NGINX +#include +#endif #include #include #include @@ -55,7 +58,7 @@ #define ngx_ssl_conn_t SSL -#if (OPENSSL_VERSION_NUMBER < 0x10002000L) +#if (OPENSSL_VERSION_NUMBER < 0x10002000L) && !defined(WOLFSSL_NGINX) #define SSL_is_server(s) (s)->server #endif @@ -154,6 +157,7 @@ ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords); ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, ngx_uint_t prefer_server_ciphers); +ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl); ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, ngx_int_t depth); ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, diff -ur nginx-1.14.0/src/event/ngx_event_openssl_stapling.c nginx-1.14.0-wolfssl/src/event/ngx_event_openssl_stapling.c --- nginx-1.14.0/src/event/ngx_event_openssl_stapling.c 2018-04-18 01:22:36.000000000 +1000 +++ nginx-1.14.0-wolfssl/src/event/ngx_event_openssl_stapling.c 2018-04-18 09:39:51.839852896 +1000 @@ -313,7 +313,9 @@ for (i = 0; i < n; i++) { issuer = sk_X509_value(chain, i); if (X509_check_issued(issuer, cert) == X509_V_OK) { -#if OPENSSL_VERSION_NUMBER >= 0x10100001L +#ifdef WOLFSSL_NGINX + issuer = X509_dup(issuer); +#elif OPENSSL_VERSION_NUMBER >= 0x10100001L X509_up_ref(issuer); #else CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); diff -ur nginx-1.14.0/src/http/modules/ngx_http_proxy_module.c nginx-1.14.0-wolfssl/src/http/modules/ngx_http_proxy_module.c --- nginx-1.14.0/src/http/modules/ngx_http_proxy_module.c 2018-04-18 01:22:36.000000000 +1000 +++ nginx-1.14.0-wolfssl/src/http/modules/ngx_http_proxy_module.c 2018-04-18 09:39:51.839852896 +1000 @@ -4294,6 +4294,8 @@ return NGX_ERROR; } + ngx_ssl_set_verify_on(cf, plcf->upstream.ssl); + if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl, &plcf->ssl_trusted_certificate, plcf->ssl_verify_depth) Only in nginx-1.14.0-wolfssl/src/http/modules: ngx_http_proxy_module.c.orig diff -ur nginx-1.14.0/src/http/modules/ngx_http_ssl_module.c nginx-1.14.0-wolfssl/src/http/modules/ngx_http_ssl_module.c --- nginx-1.14.0/src/http/modules/ngx_http_ssl_module.c 2018-04-18 01:22:36.000000000 +1000 +++ nginx-1.14.0-wolfssl/src/http/modules/ngx_http_ssl_module.c 2018-04-18 09:39:51.839852896 +1000 @@ -14,7 +14,11 @@ ngx_pool_t *pool, ngx_str_t *s); +#ifndef WOLFSSL_NGINX #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" +#else +#define NGX_DEFAULT_CIPHERS "ALL" +#endif #define NGX_DEFAULT_ECDH_CURVE "auto" #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1" diff -ur nginx-1.14.0/src/mail/ngx_mail_ssl_module.c nginx-1.14.0-wolfssl/src/mail/ngx_mail_ssl_module.c --- nginx-1.14.0/src/mail/ngx_mail_ssl_module.c 2018-04-18 01:22:36.000000000 +1000 +++ nginx-1.14.0-wolfssl/src/mail/ngx_mail_ssl_module.c 2018-04-18 09:39:51.839852896 +1000 @@ -10,7 +10,11 @@ #include +#ifndef WOLFSSL_NGINX #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" +#else +#define NGX_DEFAULT_CIPHERS "ALL" +#endif #define NGX_DEFAULT_ECDH_CURVE "auto" diff -ur nginx-1.14.0/src/stream/ngx_stream_proxy_module.c nginx-1.14.0-wolfssl/src/stream/ngx_stream_proxy_module.c --- nginx-1.14.0/src/stream/ngx_stream_proxy_module.c 2018-04-18 01:22:37.000000000 +1000 +++ nginx-1.14.0-wolfssl/src/stream/ngx_stream_proxy_module.c 2018-04-18 09:39:51.843852910 +1000 @@ -2012,6 +2012,8 @@ return NGX_ERROR; } + ngx_ssl_set_verify_on(cf, pscf->ssl); + if (ngx_ssl_trusted_certificate(cf, pscf->ssl, &pscf->ssl_trusted_certificate, pscf->ssl_verify_depth) Only in nginx-1.14.0-wolfssl/src/stream: ngx_stream_proxy_module.c.orig diff -ur nginx-1.14.0/src/stream/ngx_stream_ssl_module.c nginx-1.14.0-wolfssl/src/stream/ngx_stream_ssl_module.c --- nginx-1.14.0/src/stream/ngx_stream_ssl_module.c 2018-04-18 01:22:37.000000000 +1000 +++ nginx-1.14.0-wolfssl/src/stream/ngx_stream_ssl_module.c 2018-04-18 09:39:51.843852910 +1000 @@ -14,7 +14,11 @@ ngx_pool_t *pool, ngx_str_t *s); +#ifndef WOLFSSL_NGINX #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" +#else +#define NGX_DEFAULT_CIPHERS "ALL" +#endif #define NGX_DEFAULT_ECDH_CURVE "auto"