On Sun, Jul 13, 2014 at 7:58 PM, Alex Hunsaker <[email protected]> wrote:
> I've started playing around with boringssl with nginx.
...
> Anyway, I'm please to report everything seems to work!
Please find attached v2.
Changes:
- use <openssl/opensslfeatures.h> for feature detection; it's designed
to be more or less compatible with libressl, so I suspect this patch
might work with libressl as well
- fix deprecated use of RSA_generate_key(); the old patch just ripped
out the call to this function
- report an error if you try to set ssl_engine if OPENSSL_NO_ENGINE or
OPENSSL_NO_DYNAMIC_ENGINE, instead of just silently ignoring the
directive.
- include <openssl/rand.h> if OPENSSL_VERSION >= 1.0.2
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index d8dd3d3..23a4af9 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -96,7 +96,14 @@ int ngx_ssl_stapling_index;
ngx_int_t
ngx_ssl_init(ngx_log_t *log)
{
+
+/*
+ * For now assume if openssl does not have engine support it wont have
+ * OPENSSL_config() either
+ */
+#ifndef OPENSSL_NO_ENGINE
OPENSSL_config(NULL);
+#endif
SSL_library_init();
SSL_load_error_strings();
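Review bot: Guarding OPENSSL_config(NULL) with OPENSSL_NO_ENGINE couples config loading to an unrelated feature: a build that merely disables engines but still provides OPENSSL_config() will silently stop loading the library's configuration file on startup, which the comment above the guard does not spell out. The comment should record that consequence so the next maintainer knows the guard is a proxy, e.g. `/* Builds that define OPENSSL_NO_ENGINE (e.g. BoringSSL) are assumed to lack OPENSSL_config(); note that this also skips loading the OpenSSL config file on such builds. */`, and "wont" should read "won't". If the target library exposes a dedicated feature macro for OPENSSL_config() it would be the better test, but none is visible here. ngx_ssl_init's body continues outside the hunk.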
@@ -207,7 +214,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
#endif
+#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
+#endif
+
SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
@@ -585,7 +595,13 @@ ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
if (key_length == 512) {
if (key == NULL) {
- key = RSA_generate_key(512, RSA_F4, NULL, NULL);
+ BIGNUM *e = BN_new();
+ key = RSA_new();
+
+ BN_set_word(e, RSA_F4);
+ RSA_generate_key_ex(key, 512, e, NULL);
+
+ BN_free(e);
}
}
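Review bot: None of BN_new(), RSA_new(), BN_set_word() or RSA_generate_key_ex() has its return value checked in the added lines, so on failure the callback hands back a non-NULL RSA with no key material (or dereferences a NULL BIGNUM in BN_set_word if BN_new fails), whereas the removed RSA_generate_key() call left key NULL on failure. Keeping the old failure semantics means freeing the half-built RSA and resetting key to NULL when any step fails; RSA_free and BN_free both accept NULL, so the cleanup stays short. The rest of ngx_ssl_rsa512_key_callback lies outside the hunk, so what the caller does with a NULL key is not visible here.
```c
            if (key == NULL) {
                BIGNUM *e = BN_new();
                key = RSA_new();

                /* preserve the old contract: key stays NULL on any failure */
                if (e == NULL || key == NULL
                    || BN_set_word(e, RSA_F4) == 0
                    || RSA_generate_key_ex(key, 512, e, NULL) == 0)
                {
                    RSA_free(key);
                    key = NULL;
                }

                BN_free(e);
            }
```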
@@ -2806,6 +2822,13 @@ ngx_openssl_create_conf(ngx_cycle_t *cycle)
}
+#if defined(OPENSSL_NO_ENGINE) || defined(OPENSSL_NO_DYANMIC_ENGINE)
+static char *
+ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+ return "not supported by your openssl";
+}
+#else
static char *
ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
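Review bot: The macro in the new `#if` on the first added line is misspelled: `OPENSSL_NO_DYANMIC_ENGINE` is never defined, so the stub is only ever selected through OPENSSL_NO_ENGINE and a build with OPENSSL_NO_DYNAMIC_ENGINE (the name used in the cover letter) still compiles the real ngx_openssl_engine. The line should read `#if defined(OPENSSL_NO_ENGINE) || defined(OPENSSL_NO_DYNAMIC_ENGINE)`. The `#else` branch and its closing `#endif` are in the following hunk.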
@@ -2844,11 +2867,15 @@ ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
return NGX_CONF_OK;
}
+#endif
static void
ngx_openssl_exit(ngx_cycle_t *cycle)
{
EVP_cleanup();
+
+#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
+#endif
}
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index b7f8500..f655b69 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -17,9 +17,20 @@
#include <openssl/conf.h>
#include <openssl/engine.h>
#include <openssl/evp.h>
+
+#ifndef OPENSSL_NO_OCSP
#include <openssl/ocsp.h>
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10002000
+#include <openssl/rand.h>
+#endif
+
+#ifdef OPENSSL_IS_BORINGSSL
+#define NGX_SSL_NAME "BoringSSL"
+#else
#define NGX_SSL_NAME "OpenSSL"
+#endif
#define ngx_ssl_session_t SSL_SESSION
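Review bot: `#include <openssl/engine.h>` stays unconditional while every use of the ENGINE API in the .c hunks is now wrapped in `#ifndef OPENSSL_NO_ENGINE`; some OpenSSL releases reject including engine.h when OPENSSL_NO_ENGINE is defined, so for consistency with those guards the include should be wrapped the same way, `#ifndef OPENSSL_NO_ENGINE` / `#include <openssl/engine.h>` / `#endif`. The cover letter says feature detection comes from <openssl/opensslfeatures.h>, but no include of that header appears in this hunk; if the OPENSSL_NO_* macros are meant to come from it rather than from the library's own configuration header, the include belongs here as well.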
diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
index 3a3cc7f..98b4cd4 100644
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -11,7 +11,7 @@
#include <ngx_event_connect.h>
-#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
+#if defined(SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB) && !defined(OPENSSL_NO_OCSP)
typedef struct {