nginx-1.10.3-wolfssl.patch

diff -ur nginx-1.10.3/auto/lib/openssl/conf nginx-1.10.3-wolfssl/auto/lib/openssl/conf
--- nginx-1.10.3/auto/lib/openssl/conf	2017-02-01 01:01:11.000000000 +1000
+++ nginx-1.10.3-wolfssl/auto/lib/openssl/conf	2018-03-15 10:42:00.974532594 +1000
@@ -15,8 +15,16 @@
 
             CORE_INCS="$CORE_INCS $OPENSSL/openssl/include"
             CORE_DEPS="$CORE_DEPS $OPENSSL/openssl/include/openssl/ssl.h"
-            CORE_LIBS="$CORE_LIBS $OPENSSL/openssl/lib/ssleay32.lib"
-            CORE_LIBS="$CORE_LIBS $OPENSSL/openssl/lib/libeay32.lib"
+
+            if [ -f $OPENSSL/ms/do_ms.bat ]; then
+                # before OpenSSL 1.1.0
+                CORE_LIBS="$CORE_LIBS $OPENSSL/openssl/lib/ssleay32.lib"
+                CORE_LIBS="$CORE_LIBS $OPENSSL/openssl/lib/libeay32.lib"
+            else
+                # OpenSSL 1.1.0+
+                CORE_LIBS="$CORE_LIBS $OPENSSL/openssl/lib/libssl.lib"
+                CORE_LIBS="$CORE_LIBS $OPENSSL/openssl/lib/libcrypto.lib"
+            fi
 
             # libeay32.lib requires gdi32.lib
             CORE_LIBS="$CORE_LIBS gdi32.lib"
@@ -49,12 +57,38 @@
         ngx_feature="OpenSSL library"
         ngx_feature_name="NGX_OPENSSL"
         ngx_feature_run=no
-        ngx_feature_incs="#include <openssl/ssl.h>"
+        ngx_feature_incs="#include <options.h>
+                          #include <openssl/ssl.h>"
         ngx_feature_path=
         ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL"
         ngx_feature_test="SSL_CTX_set_options(NULL, 0)"
+
+        if [ $WOLFSSL != NONE ]; then
+            ngx_feature="wolfSSL library in $WOLFSSL"
+            ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include"
+
+            if [ $NGX_RPATH = YES ]; then
+                ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl -lm $NGX_LIBDL"
+            else
+                ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl -lm $NGX_LIBDL"
+            fi
+
+            CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl"
+            CFLAGS="$CFLAGS -DWOLFSSL_NGINX"
+        fi
+
         . auto/feature
 
+        if [ $WOLFSSL != NONE -a $ngx_found = no ]; then
+cat << END
+
+$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl.
+SSL modules require the wolfSSL library.
+
+END
+            exit 1
+        fi
+
         if [ $ngx_found = no ]; then
 
             # FreeBSD port
diff -ur nginx-1.10.3/auto/options nginx-1.10.3-wolfssl/auto/options
--- nginx-1.10.3/auto/options	2017-02-01 01:01:11.000000000 +1000
+++ nginx-1.10.3-wolfssl/auto/options	2017-04-13 10:38:27.614124846 +1000
@@ -133,6 +133,7 @@
 PCRE_CONF_OPT=
 PCRE_JIT=NO
 
+WOLFSSL=NONE
 USE_OPENSSL=NO
 OPENSSL=NONE
 
@@ -330,6 +331,7 @@
         --with-pcre-opt=*)               PCRE_OPT="$value"          ;;
         --with-pcre-jit)                 PCRE_JIT=YES               ;;
 
+        --with-wolfssl=*)                WOLFSSL="$value"           ;;
         --with-openssl=*)                OPENSSL="$value"           ;;
         --with-openssl-opt=*)            OPENSSL_OPT="$value"       ;;
 
diff -ur nginx-1.10.3/src/event/ngx_event_openssl.c nginx-1.10.3-wolfssl/src/event/ngx_event_openssl.c
--- nginx-1.10.3/src/event/ngx_event_openssl.c	2017-02-01 01:01:11.000000000 +1000
+++ nginx-1.10.3-wolfssl/src/event/ngx_event_openssl.c	2018-02-02 09:21:43.593980737 +1000
@@ -55,7 +55,7 @@
     HMAC_CTX *hctx, int enc);
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x10002002L
+#if OPENSSL_VERSION_NUMBER < 0x10002002L && !defined(WOLFSSL_NGINX)
 static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str);
 #endif
 
@@ -304,6 +304,10 @@
 
     SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
 
+#ifdef WOLFSSL_NGINX
+    SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL);
+#endif
+
     return NGX_OK;
 }
 
@@ -361,8 +365,6 @@
         return NGX_ERROR;
     }
 
-    X509_free(x509);
-
     /* read rest of the chain */
 
     for ( ;; ) {
@@ -527,6 +529,13 @@
     return size;
 }
 
+ngx_int_t
+ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl)
+{
+    SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
+
+    return NGX_OK;
+}
 
 ngx_int_t
 ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
@@ -1019,6 +1028,38 @@
 {
 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
 #ifndef OPENSSL_NO_ECDH
+#if defined(SSL_CTRL_SET_CURVES_LIST) || defined(WOLFSSL_NGINX)
+
+    /*
+     * OpenSSL 1.0.2+ allows configuring a curve list instead of a single
+     * curve previously supported.  By default an internal list is used,
+     * with prime256v1 being preferred by server in OpenSSL 1.0.2b+
+     * and X25519 in OpenSSL 1.1.0+.
+     *
+     * By default a curve preferred by the client will be used for
+     * key exchange.  The SSL_OP_CIPHER_SERVER_PREFERENCE option can
+     * be used to prefer server curves instead, similar to what it
+     * does for ciphers.
+     */
+
+    SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);
+
+#if SSL_CTRL_SET_ECDH_AUTO
+    /* not needed in OpenSSL 1.1.0+ */
+    SSL_CTX_set_ecdh_auto(ssl->ctx, 1);
+#endif
+
+    if (ngx_strcmp(name->data, "auto") == 0) {
+        return NGX_OK;
+    }
+
+    if (SSL_CTX_set1_curves_list(ssl->ctx, (char *) name->data) == 0) {
+        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                      "SSL_CTX_set1_curves_list(\"%s\") failed", name->data);
+        return NGX_ERROR;
+    }
+
+#else
     int      nid;
     EC_KEY  *ecdh;
 
@@ -1050,6 +1091,7 @@
     EC_KEY_free(ecdh);
 #endif
 #endif
+#endif
 
     return NGX_OK;
 }
@@ -2971,6 +3013,11 @@
 ngx_ssl_cleanup_ctx(void *data)
 {
     ngx_ssl_t  *ssl = data;
+    X509       *x509;
+
+    x509 = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
+    if (x509 != NULL)
+        X509_free(x509);
 
     SSL_CTX_free(ssl->ctx);
 }
@@ -2986,7 +3033,7 @@
         return NGX_ERROR;
     }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002002L
+#if OPENSSL_VERSION_NUMBER >= 0x10002002L || defined(WOLFSSL_NGINX)
 
     /* X509_check_host() is only available in OpenSSL 1.0.2+ */
 
@@ -3103,7 +3150,7 @@
 }
 
 
-#if OPENSSL_VERSION_NUMBER < 0x10002002L
+#if OPENSSL_VERSION_NUMBER < 0x10002002L && !defined(WOLFSSL_NGINX)
 
 static ngx_int_t
 ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern)
diff -ur nginx-1.10.3/src/event/ngx_event_openssl.h nginx-1.10.3-wolfssl/src/event/ngx_event_openssl.h
--- nginx-1.10.3/src/event/ngx_event_openssl.h	2017-02-01 01:01:11.000000000 +1000
+++ nginx-1.10.3-wolfssl/src/event/ngx_event_openssl.h	2018-02-02 09:09:01.157341959 +1000
@@ -12,6 +12,9 @@
 #include <ngx_config.h>
 #include <ngx_core.h>
 
+#ifdef WOLFSSL_NGINX
+#include <wolfssl/options.h>
+#endif
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/bn.h>
@@ -142,6 +145,7 @@
 ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);
 ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
+ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl);
 ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_str_t *cert, ngx_int_t depth);
 ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
diff -ur nginx-1.10.3/src/event/ngx_event_openssl_stapling.c nginx-1.10.3-wolfssl/src/event/ngx_event_openssl_stapling.c
--- nginx-1.10.3/src/event/ngx_event_openssl_stapling.c	2017-02-01 01:01:11.000000000 +1000
+++ nginx-1.10.3-wolfssl/src/event/ngx_event_openssl_stapling.c	2017-04-13 15:37:15.307255249 +1000
@@ -285,7 +285,9 @@
     for (i = 0; i < n; i++) {
         issuer = sk_X509_value(chain, i);
         if (X509_check_issued(issuer, cert) == X509_V_OK) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100001L
+#ifdef WOLFSSL_NGINX
+            issuer = X509_dup(issuer);
+#elif OPENSSL_VERSION_NUMBER >= 0x10100001L
             X509_up_ref(issuer);
 #else
             CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
diff -ur nginx-1.10.3/src/http/modules/ngx_http_proxy_module.c nginx-1.10.3-wolfssl/src/http/modules/ngx_http_proxy_module.c
--- nginx-1.10.3/src/http/modules/ngx_http_proxy_module.c	2017-02-01 01:01:11.000000000 +1000
+++ nginx-1.10.3-wolfssl/src/http/modules/ngx_http_proxy_module.c	2017-04-13 15:37:15.315255307 +1000
@@ -4340,6 +4340,8 @@
             return NGX_ERROR;
         }
 
+        ngx_ssl_set_verify_on(cf, plcf->upstream.ssl);
+
         if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl,
                                         &plcf->ssl_trusted_certificate,
                                         plcf->ssl_verify_depth)
diff -ur nginx-1.10.3/src/http/modules/ngx_http_ssl_module.c nginx-1.10.3-wolfssl/src/http/modules/ngx_http_ssl_module.c
--- nginx-1.10.3/src/http/modules/ngx_http_ssl_module.c	2017-02-01 01:01:11.000000000 +1000
+++ nginx-1.10.3-wolfssl/src/http/modules/ngx_http_ssl_module.c	2017-04-13 15:37:15.315255307 +1000
@@ -14,7 +14,11 @@
     ngx_pool_t *pool, ngx_str_t *s);
 
 
+#ifndef WOLFSSL_NGINX
 #define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS     "ALL"
+#endif
 #define NGX_DEFAULT_ECDH_CURVE  "prime256v1"
 
 #define NGX_HTTP_NPN_ADVERTISE  "\x08http/1.1"
diff -ur nginx-1.10.3/src/http/ngx_http_upstream.c nginx-1.10.3-wolfssl/src/http/ngx_http_upstream.c
--- nginx-1.10.3/src/http/ngx_http_upstream.c	2017-02-01 01:01:12.000000000 +1000
+++ nginx-1.10.3-wolfssl/src/http/ngx_http_upstream.c	2017-04-13 15:37:15.307255249 +1000
@@ -1683,7 +1683,12 @@
     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                    "upstream SSL server name: \"%s\"", name.data);
 
-    if (SSL_set_tlsext_host_name(c->ssl->connection, name.data) == 0) {
+#ifdef WOLFSSL_NGINX
+    if (SSL_set_tlsext_host_name(c->ssl->connection, (char *)name.data) == 0)
+#else
+    if (SSL_set_tlsext_host_name(c->ssl->connection, name.data) == 0)
+#endif
+    {
         ngx_ssl_error(NGX_LOG_ERR, r->connection->log, 0,
                       "SSL_set_tlsext_host_name(\"%s\") failed", name.data);
         return NGX_ERROR;
diff -ur nginx-1.10.3/src/mail/ngx_mail_ssl_module.c nginx-1.10.3-wolfssl/src/mail/ngx_mail_ssl_module.c
--- nginx-1.10.3/src/mail/ngx_mail_ssl_module.c	2017-02-01 01:01:12.000000000 +1000
+++ nginx-1.10.3-wolfssl/src/mail/ngx_mail_ssl_module.c	2017-04-13 15:37:15.319255337 +1000
@@ -10,7 +10,11 @@
 #include <ngx_mail.h>
 
 
+#ifndef WOLFSSL_NGINX
 #define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS     "ALL"
+#endif
 #define NGX_DEFAULT_ECDH_CURVE  "prime256v1"
 
 
diff -ur nginx-1.10.3/src/stream/ngx_stream_proxy_module.c nginx-1.10.3-wolfssl/src/stream/ngx_stream_proxy_module.c
--- nginx-1.10.3/src/stream/ngx_stream_proxy_module.c	2017-02-01 01:01:12.000000000 +1000
+++ nginx-1.10.3-wolfssl/src/stream/ngx_stream_proxy_module.c	2017-04-14 09:31:37.567647783 +1000
@@ -879,8 +879,13 @@
     ngx_log_debug1(NGX_LOG_DEBUG_STREAM, s->connection->log, 0,
                    "upstream SSL server name: \"%s\"", name.data);
 
+#ifdef WOLFSSL_NGINX
+    if (SSL_set_tlsext_host_name(u->peer.connection->ssl->connection,
+        (char *)name.data) == 0)
+#else
     if (SSL_set_tlsext_host_name(u->peer.connection->ssl->connection, name.data)
         == 0)
+#endif
     {
         ngx_ssl_error(NGX_LOG_ERR, s->connection->log, 0,
                       "SSL_set_tlsext_host_name(\"%s\") failed", name.data);
@@ -1578,6 +1583,8 @@
             return NGX_ERROR;
         }
 
+        ngx_ssl_set_verify_on(cf, pscf->ssl);
+
         if (ngx_ssl_trusted_certificate(cf, pscf->ssl,
                                         &pscf->ssl_trusted_certificate,
                                         pscf->ssl_verify_depth)
diff -ur nginx-1.10.3/src/stream/ngx_stream_ssl_module.c nginx-1.10.3-wolfssl/src/stream/ngx_stream_ssl_module.c
--- nginx-1.10.3/src/stream/ngx_stream_ssl_module.c	2017-02-01 01:01:12.000000000 +1000
+++ nginx-1.10.3-wolfssl/src/stream/ngx_stream_ssl_module.c	2017-04-13 15:37:15.323255367 +1000
@@ -10,7 +10,11 @@
 #include <ngx_stream.h>
 
 
+#ifndef WOLFSSL_NGINX
 #define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS     "ALL"
+#endif
 #define NGX_DEFAULT_ECDH_CURVE  "prime256v1"