PATCH: nginx v1.11.1 supports neverbleed
diff -ur nginx-1.11.1/auto/modules neverbleed_nginx_patch/nginx-1.11.1/auto/modules
--- nginx-1.11.1/auto/modules 2016-05-31 14:43:50.000000000 +0100
+++ neverbleed_nginx_patch/nginx-1.11.1/auto/modules 2016-06-24 12:10:27.000000000 +0100
@@ -1119,8 +1119,10 @@
ngx_module_type=CORE
ngx_module_name=ngx_openssl_module
ngx_module_incs=
- ngx_module_deps=src/event/ngx_event_openssl.h
- ngx_module_srcs="src/event/ngx_event_openssl.c
+ ngx_module_deps="src/event/ngx_event_openssl.h \
+ src/event/neverbleed.h"
+ ngx_module_srcs="src/event/ngx_event_openssl.c \
+ src/event/neverbleed.c \
src/event/ngx_event_openssl_stapling.c"
ngx_module_libs=
ngx_module_link=YES
diff -ur nginx-1.11.1/src/core/nginx.c neverbleed_nginx_patch/nginx-1.11.1/src/core/nginx.c
--- nginx-1.11.1/src/core/nginx.c 2016-05-31 14:43:50.000000000 +0100
+++ neverbleed_nginx_patch/nginx-1.11.1/src/core/nginx.c 2016-06-23 10:45:25.000000000 +0100
@@ -228,7 +228,8 @@
/* STUB */
#if (NGX_OPENSSL)
- ngx_ssl_init(log);
+ neverbleed_t nb;
+ ngx_ssl_init(log, &nb);
#endif
/*
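Review bot: `neverbleed_t nb` is an automatic variable in main() whose address ngx_ssl_init() retains (a later hunk stores it in `log->data`) and that ngx_ssl_certificates() dereferences much later, so the handle is only valid because main() never returns before the workers are forked. Making that lifetime explicit with `static neverbleed_t nb;` at file scope (or an allocation from the cycle pool) avoids a dangling pointer if the initialisation is ever moved into a helper. The declaration also appears after statements inside the block, which nginx's C89-style sources avoid. main()'s body starts and ends outside this hunk.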
diff -ur nginx-1.11.1/src/event/ngx_event_openssl.c neverbleed_nginx_patch/nginx-1.11.1/src/event/ngx_event_openssl.c
--- nginx-1.11.1/src/event/ngx_event_openssl.c 2016-05-31 14:43:50.000000000 +0100
+++ neverbleed_nginx_patch/nginx-1.11.1/src/event/ngx_event_openssl.c 2016-06-23 10:51:59.000000000 +0100
@@ -8,6 +8,7 @@
#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_event.h>
+#include <neverbleed.h>
#define NGX_SSL_PASSWORD_BUFFER_SIZE 4096
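Review bot: This `#include <neverbleed.h>` duplicates the one the same patch adds to ngx_event_openssl.h, which this file already reaches through ngx_event.h if I read nginx's header chain correctly. Keeping a single include in the header is enough, since the prototype of ngx_ssl_init() now needs the type there anyway.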
@@ -110,7 +111,7 @@
ngx_int_t
-ngx_ssl_init(ngx_log_t *log)
+ngx_ssl_init(ngx_log_t *log, neverbleed_t *nb)
{
#if OPENSSL_VERSION_NUMBER >= 0x10100003L
@@ -118,6 +119,8 @@
#else
+ char errbuf[NEVERBLEED_ERRBUF_SIZE];
+
#ifndef OPENSSL_IS_BORINGSSL
OPENSSL_config(NULL);
#endif
@@ -127,6 +130,13 @@
OpenSSL_add_all_algorithms();
+ if (neverbleed_init(nb, errbuf) != 0) {
+ ngx_ssl_error(NGX_LOG_ALERT, log, 0, "neverbleed_init failed");
+ return NGX_ERROR;
+ }
+
+ log->data = nb;
+
#endif
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
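Review bot: neverbleed_init() is placed inside the `#else` branch of `#if OPENSSL_VERSION_NUMBER >= 0x10100003L` (the `#if` is in the hunk at line 111, the `#else` at line 118, and the `#endif` here closes it), so a build against OpenSSL 1.1.0 or later never starts the privilege-separated daemon and never sets `log->data`, while ngx_ssl_certificates() calls neverbleed_load_private_key_file() unconditionally. Move the call, and the `errbuf` declaration from the earlier hunk, below the `#endif` so every OpenSSL version runs it, and include `errbuf` in the alert, since the current message discards the reason the library reports. ngx_ssl_init() continues past this hunk.
```c
    /* … unchanged: version-specific OpenSSL initialisation … */
#endif

    if (neverbleed_init(nb, errbuf) != 0) {
        ngx_ssl_error(NGX_LOG_ALERT, log, 0,
                      "neverbleed_init() failed: %s", errbuf);
        return NGX_ERROR;
    }

    log->data = nb;
```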
@@ -543,8 +553,9 @@
for ( ;; ) {
- if (SSL_CTX_use_PrivateKey_file(ssl->ctx, (char *) key->data,
- SSL_FILETYPE_PEM)
+ char errbuf[NEVERBLEED_ERRBUF_SIZE];
+ if (neverbleed_load_private_key_file((neverbleed_t *) ssl->log->data,
+ ssl->ctx, (char *) key->data, errbuf)
!= 0)
{
break;
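Review bot: `(neverbleed_t *) ssl->log->data` is an unchecked type pun: ngx_log_t.data is a generic context slot for log handlers in nginx (HTTP connection logs keep an ngx_http_log_ctx_t there, as far as I recall), and nothing verifies that the log reaching this function is the one ngx_ssl_init() tagged. The header hunk adds an `nb` member to ngx_ssl_t; populate it when the context is created and read it here, `if (neverbleed_load_private_key_file(ssl->nb, ssl->ctx, (char *) key->data, errbuf) != 0)`. This is also nginx's passphrase retry loop (the `--tries` branch follows just outside the hunk, if I remember the surrounding code correctly); I cannot tell from the hunk whether the passphrase callback set on `ssl->ctx` reaches the neverbleed daemon, and if it does not, encrypted keys will fail on every retry with no hint why. The enclosing ngx_ssl_certificates() starts and ends outside this hunk.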
@@ -557,7 +568,8 @@
}
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
- "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);
+ "neverbleed_load_private_key_file(\"%s\") failed: %s",
+ key->data, errbuf);
return NGX_ERROR;
}
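Review bot: `errbuf` is printed with `%s` here, but the declaration in the previous hunk has no initialiser, so if neverbleed_load_private_key_file() ever fails without writing the buffer the emergency log prints uninitialised stack bytes. Declare it as `char errbuf[NEVERBLEED_ERRBUF_SIZE] = "";` so the message degrades to an empty reason instead. The surrounding function continues outside the hunk.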
diff -ur nginx-1.11.1/src/event/ngx_event_openssl.h neverbleed_nginx_patch/nginx-1.11.1/src/event/ngx_event_openssl.h
--- nginx-1.11.1/src/event/ngx_event_openssl.h 2016-05-31 14:43:50.000000000 +0100
+++ neverbleed_nginx_patch/nginx-1.11.1/src/event/ngx_event_openssl.h 2016-06-24 12:09:21.000000000 +0100
@@ -11,6 +11,7 @@
#include <ngx_config.h>
#include <ngx_core.h>
+#include <neverbleed.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
@@ -55,6 +56,7 @@
typedef struct {
+ neverbleed_t *nb;
SSL_CTX *ctx;
ngx_log_t *log;
size_t buffer_size;
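Review bot: The new `nb` member of ngx_ssl_t is neither written nor read by any hunk in this patch — ngx_ssl_certificates() pulls the handle out of `ssl->log->data` instead — so it is dead state that will mislead the next reader into assuming it is populated. Either set it where the context is created (ngx_ssl_create() is the natural place) and use it at the key-loading site, or drop the field. The struct definition continues outside this hunk.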
@@ -138,7 +140,7 @@
#define NGX_SSL_BUFSIZE 16384
-ngx_int_t ngx_ssl_init(ngx_log_t *log);
+ngx_int_t ngx_ssl_init(ngx_log_t *log, neverbleed_t *nb);
ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);
ngx_int_t ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_array_t *certs, ngx_array_t *keys, ngx_array_t *passwords);