WolfSSL
/
wolfssl-nginx
mirror of https://github.com/wolfSSL/wolfssl-nginx.git
1
0
Fork 0
Code Issues Releases Wiki Activity
wolfssl-nginx/nginx-1.21.4-wolfssl.patch

430 lines
13 KiB
Diff
Raw Blame History

diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf
--- a/auto/lib/openssl/conf 2021-12-22 12:04:40.982790023 -0500
+++ b/auto/lib/openssl/conf 2021-12-21 13:12:44.347836218 -0500
@@ -62,8 +62,33 @@
ngx_feature_path=
ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD"
ngx_feature_test="SSL_CTX_set_options(NULL, 0)"
+
+ if [ $WOLFSSL != NONE ]; then
+ ngx_feature="wolfSSL library in $WOLFSSL"
+ ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include"
+
+ if [ $NGX_RPATH = YES ]; then
+ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
+ else
+ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
+ fi
+
+ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl"
+ CFLAGS="$CFLAGS -DWOLFSSL_NGINX"
+ fi
+
. auto/feature
+ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then
+cat << END
+
+$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl.
+SSL modules require the wolfSSL library.
+
+END
+ exit 1
+ fi
+
if [ $ngx_found = no ]; then
# FreeBSD port
diff --git a/auto/options b/auto/options
--- a/auto/options 2021-12-22 12:04:40.982790023 -0500
+++ b/auto/options 2021-12-21 13:12:44.347836218 -0500
@@ -149,6 +149,7 @@
USE_OPENSSL=NO
OPENSSL=NONE
+WOLFSSL=NONE
USE_ZLIB=NO
ZLIB=NONE
@@ -358,6 +359,7 @@
--with-pcre-opt=*) PCRE_OPT="$value" ;;
--with-pcre-jit) PCRE_JIT=YES ;;
+ --with-wolfssl=*) WOLFSSL="$value" ;;
--with-openssl=*) OPENSSL="$value" ;;
--with-openssl-opt=*) OPENSSL_OPT="$value" ;;
@@ -583,6 +585,7 @@
--with-libatomic force libatomic_ops library usage
--with-libatomic=DIR set path to libatomic_ops library sources
+ --with-wolfssl=DIR set path to wolfSSL headers and library
--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c 2021-12-22 12:04:40.978789957 -0500
+++ b/src/event/ngx_event_openssl.c 2021-12-22 12:13:23.031389526 -0500
@@ -20,10 +20,14 @@
static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err,
ngx_str_t *cert, STACK_OF(X509) **chain);
+#if !defined(WOLFSSL_NGINX) || !defined(HAVE_LIBOQS)
+/* In the case that HAVE_LIBOQS is defined, these functions are unused as we
+ * call SSL_CTX_use_PrivateKey_file() instead. */
static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
ngx_str_t *key, ngx_array_t *passwords);
static int ngx_ssl_password_callback(char *buf, int size, int rwflag,
void *userdata);
+#endif
static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
int ret);
@@ -353,6 +357,8 @@
}
#endif
+#ifndef WOLFSSL_NGINX
+ /* These override the options set above. No need to call this. */
#ifdef SSL_CTX_set_min_proto_version
SSL_CTX_set_min_proto_version(ssl->ctx, 0);
SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
@@ -362,6 +368,7 @@
SSL_CTX_set_min_proto_version(ssl->ctx, 0);
SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
#endif
+#endif
#ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
@@ -391,6 +398,12 @@
SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+#ifdef WOLFSSL_NGINX
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL);
+ wolfSSL_CTX_allow_anon_cipher(ssl->ctx);
+ wolfSSL_CTX_set_group_messages(ssl->ctx);
+#endif
+
return NGX_OK;
}
@@ -424,7 +437,9 @@
{
char *err;
X509 *x509;
+#if !defined(WOLFSSL_NGINX) || !defined(HAVE_LIBOQS)
EVP_PKEY *pkey;
+#endif
STACK_OF(X509) *chain;
x509 = ngx_ssl_load_certificate(cf->pool, &err, cert, &chain);
@@ -515,6 +530,20 @@
}
#endif
+#if defined(WOLFSSL_NGINX) && defined(HAVE_LIBOQS)
+ if (ngx_get_full_name(cf->pool, (ngx_str_t *) &ngx_cycle->conf_prefix,
+ key) != NGX_OK) {
+ return NGX_OK;
+ }
+
+ if (SSL_CTX_use_PrivateKey_file(ssl->ctx, (char *)key->data, SSL_FILETYPE_PEM)
+ < 1) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "cannot load certificate key \"%s\"",
+ key->data);
+ return NGX_ERROR;
+ }
+#else
pkey = ngx_ssl_load_certificate_key(cf->pool, &err, key, passwords);
if (pkey == NULL) {
if (err != NULL) {
@@ -534,6 +563,7 @@
}
EVP_PKEY_free(pkey);
+#endif
return NGX_OK;
}
@@ -545,7 +575,9 @@
{
char *err;
X509 *x509;
+#if !defined(WOLFSSL_NGINX) || !defined(HAVE_LIBOQS)
EVP_PKEY *pkey;
+#endif
STACK_OF(X509) *chain;
x509 = ngx_ssl_load_certificate(pool, &err, cert, &chain);
@@ -586,6 +618,20 @@
#endif
+#if defined(WOLFSSL_NGINX) && defined(HAVE_LIBOQS)
+ if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix,
+ key) != NGX_OK) {
+ return NGX_OK;
+ }
+
+ if (SSL_use_PrivateKey_file(c->ssl->connection, (char *)key->data, SSL_FILETYPE_PEM)
+ < 1) {
+ ngx_ssl_error(NGX_LOG_EMERG, c->log, 0,
+ "cannot load certificate key \"%s\"",
+ key->data);
+ return NGX_ERROR;
+ }
+#else
pkey = ngx_ssl_load_certificate_key(pool, &err, key, passwords);
if (pkey == NULL) {
if (err != NULL) {
@@ -605,6 +651,7 @@
}
EVP_PKEY_free(pkey);
+#endif
return NGX_OK;
}
@@ -700,6 +747,7 @@
}
+#if !defined(WOLFSSL_NGINX) || !defined(HAVE_LIBOQS)
static EVP_PKEY *
ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
ngx_str_t *key, ngx_array_t *passwords)
@@ -815,8 +863,10 @@
return pkey;
}
+#endif
+#if !defined(WOLFSSL_NGINX) || !defined(HAVE_LIBOQS)
static int
ngx_ssl_password_callback(char *buf, int size, int rwflag, void *userdata)
{
@@ -843,7 +893,7 @@
return size;
}
-
+#endif
ngx_int_t
ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
@@ -865,6 +915,14 @@
ngx_int_t
+ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl)
+{
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
+
+ return NGX_OK;
+}
+
+ngx_int_t
ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
ngx_int_t depth)
{
@@ -1407,7 +1465,8 @@
* maximum interoperability.
*/
-#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST)
+#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) || \
+ defined(WOLFSSL_NGINX)
/*
* OpenSSL 1.0.2+ allows configuring a curve list instead of a single
@@ -1599,10 +1658,26 @@
ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
{
ngx_connection_t *c;
+#ifdef WOLFSSL_NGINX
+ int len;
+#endif
c = ngx_ssl_get_connection(ssl_conn);
if (c->ssl->save_session) {
+#ifdef WOLFSSL_NGINX
+ len = i2d_SSL_SESSION(sess, NULL);
+
+ /* do not cache too big session */
+ if (len > NGX_SSL_MAX_SESSION_SIZE) {
+ return -1;
+ }
+
+ if (!(sess = SSL_SESSION_dup(sess))) {
+ return -1;
+ }
+#endif
+
c->ssl->session = sess;
c->ssl->save_session(c);
@@ -1674,7 +1749,9 @@
{
#ifdef TLS1_3_VERSION
if (c->ssl->session) {
+ #if !defined(WOLFSSL_NGINX)
SSL_SESSION_up_ref(c->ssl->session);
+ #endif
return c->ssl->session;
}
#endif
@@ -4357,7 +4434,8 @@
return -1;
}
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \
+ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS))
if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) {
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
return -1;
@@ -4400,7 +4478,8 @@
size = 32;
}
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \
+ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS))
if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) {
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
return -1;
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h 2021-12-22 12:04:40.978789957 -0500
+++ b/src/event/ngx_event_openssl.h 2021-12-21 13:12:44.347836218 -0500
@@ -14,6 +14,10 @@
#define OPENSSL_SUPPRESS_DEPRECATED
+#ifdef WOLFSSL_NGINX
+#include <wolfssl/options.h>
+#include <openssl/pem.h>
+#endif
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/bn.h>
@@ -60,7 +64,7 @@
#define ngx_ssl_conn_t SSL
-#if (OPENSSL_VERSION_NUMBER < 0x10002000L)
+#if (OPENSSL_VERSION_NUMBER < 0x10002000L) && !defined(WOLFSSL_NGINX)
#define SSL_is_server(s) (s)->server
#endif
@@ -191,6 +195,7 @@
ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
ngx_uint_t prefer_server_ciphers);
+ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl);
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c 2021-12-22 12:04:40.978789957 -0500
+++ b/src/event/ngx_event_openssl_stapling.c 2021-12-21 13:12:44.347836218 -0500
@@ -379,7 +379,9 @@
for (i = 0; i < n; i++) {
issuer = sk_X509_value(staple->chain, i);
if (X509_check_issued(issuer, cert) == X509_V_OK) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100001L
+#ifdef WOLFSSL_NGINX
+ issuer = X509_dup(issuer);
+#elif OPENSSL_VERSION_NUMBER >= 0x10100001L
X509_up_ref(issuer);
#else
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c 2021-12-22 12:04:40.974789888 -0500
+++ b/src/http/modules/ngx_http_proxy_module.c 2021-12-21 13:12:44.347836218 -0500
@@ -4988,7 +4988,9 @@
"no proxy_ssl_trusted_certificate for proxy_ssl_verify");
return NGX_ERROR;
}
-
+#ifdef WOLFSSL_NGINX
+ ngx_ssl_set_verify_on(cf, plcf->upstream.ssl);
+#endif
if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl,
&plcf->ssl_trusted_certificate,
plcf->ssl_verify_depth)
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c 2021-12-22 12:04:40.974789888 -0500
+++ b/src/http/modules/ngx_http_ssl_module.c 2021-12-21 13:12:44.347836218 -0500
@@ -14,7 +14,11 @@
ngx_pool_t *pool, ngx_str_t *s);
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"
#define NGX_HTTP_ALPN_PROTOS "\x08http/1.1\x08http/1.0\x08http/0.9"
@@ -845,8 +849,10 @@
return NGX_CONF_ERROR;
}
+#ifndef WOLFSSL_NGINX
ngx_conf_merge_value(conf->builtin_session_cache,
prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
+#endif
if (conf->shm_zone == NULL) {
conf->shm_zone = prev->shm_zone;
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c 2021-12-22 12:04:40.966789753 -0500
+++ b/src/mail/ngx_mail_ssl_module.c 2021-12-21 13:12:44.347836218 -0500
@@ -10,7 +10,11 @@
#include <ngx_mail.h>
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"
diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
--- a/src/stream/ngx_stream_proxy_module.c 2021-12-22 12:04:40.958789618 -0500
+++ b/src/stream/ngx_stream_proxy_module.c 2021-12-21 13:12:44.347836218 -0500
@@ -2262,7 +2262,9 @@
"no proxy_ssl_trusted_certificate for proxy_ssl_verify");
return NGX_ERROR;
}
-
+#ifdef WOLFSSL_NGINX
+ ngx_ssl_set_verify_on(cf, pscf->ssl);
+#endif
if (ngx_ssl_trusted_certificate(cf, pscf->ssl,
&pscf->ssl_trusted_certificate,
pscf->ssl_verify_depth)
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c 2021-12-22 12:04:40.958789618 -0500
+++ b/src/stream/ngx_stream_ssl_module.c 2021-12-21 13:12:44.347836218 -0500
@@ -14,7 +14,11 @@
ngx_pool_t *pool, ngx_str_t *s);
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"
Reference in New Issue View Git Blame Copy Permalink