@matsumotory
Last active June 23, 2016 16:06
PATCH: nginx v1.9.9 supports neverbleed
--with-cc-opt='-Wno-error'
--- nginx-1.9.9/src/core/nginx.c 2015-12-09 23:47:21.000000000 +0900
+++ nginx-1.9.9.neverbleed/src/core/nginx.c 2016-02-04 12:28:47.000000000 +0900
@@ -219,7 +219,8 @@
/* STUB */
#if (NGX_OPENSSL)
- ngx_ssl_init(log);
+ neverbleed_t nb;
+ ngx_ssl_init(log, &nb);
#endif
/*
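Review bot: `neverbleed_t nb;` on L18 is an automatic variable whose address escapes through `ngx_ssl_init(log, &nb)` and, per the ngx_event_openssl.c hunk, is stored in `log->data` and dereferenced later from `ngx_ssl_certificate`; the object therefore stays valid only as long as the enclosing function (which starts and ends outside the hunk — presumably `main()` at this point in nginx.c) remains on the stack. A `static neverbleed_t nb;`, or a cycle-owned allocation, would make that ownership explicit instead of relying on `main()` never returning while workers and reloads still use the handle. nginx also declares locals at the top of a function rather than mid-block; moving the declaration up keeps the file's style and avoids a mixed-declaration warning under the project's warning flags.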
--- nginx-1.9.9/src/event/ngx_event_openssl.c 2015-12-09 23:47:21.000000000 +0900
+++ nginx-1.9.9.neverbleed/src/event/ngx_event_openssl.c 2016-02-04 12:28:28.000000000 +0900
@@ -8,6 +8,7 @@
#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_event.h>
+#include <neverbleed.h>
#define NGX_SSL_PASSWORD_BUFFER_SIZE 4096
@@ -106,8 +107,10 @@
ngx_int_t
-ngx_ssl_init(ngx_log_t *log)
+ngx_ssl_init(ngx_log_t *log, neverbleed_t *nb)
{
+ char errbuf[NEVERBLEED_ERRBUF_SIZE];
+
#ifndef OPENSSL_IS_BORINGSSL
OPENSSL_config(NULL);
#endif
@@ -117,6 +120,13 @@
OpenSSL_add_all_algorithms();
+ if (neverbleed_init(nb, errbuf) != 0) {
+ ngx_ssl_error(NGX_LOG_ALERT, log, 0, "neverbleed_init failed");
+ return NGX_ERROR;
+ }
+
+ log->data = nb;
+
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
#ifndef SSL_OP_NO_COMPRESSION
{
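Review bot: `errbuf` is handed to `neverbleed_init()` on L42 but the alert on L43 drops it, so the reason reported by the helper never reaches the error log; log it: `ngx_ssl_error(NGX_LOG_ALERT, log, 0, "neverbleed_init failed: %s", errbuf);`. Storing the handle in `log->data` on L47 overloads a field nginx uses as the log handler's context, and the cast back via `ssl->log->data` in `ngx_ssl_certificate` only works while the SSL object's log is this same `ngx_log_t`. The `neverbleed_t *nb` member that the ngx_event_openssl.h hunk adds to the SSL struct is never assigned or read anywhere in this patch, so it looks like the intended home for the handle and would remove the dependency on the log object. `ngx_ssl_init` starts outside this hunk.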
@@ -468,9 +478,9 @@
}
for ( ;; ) {
-
- if (SSL_CTX_use_PrivateKey_file(ssl->ctx, (char *) key->data,
- SSL_FILETYPE_PEM)
+ char errbuf[NEVERBLEED_ERRBUF_SIZE];
+ if (neverbleed_load_private_key_file((neverbleed_t *) ssl->log->data, ssl->ctx, (char *) key->data,
+ errbuf)
!= 0)
{
break;
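Review bot: The `for ( ;; )` retry loop (its setup, including the `passwords` array shown in ngx_ssl_certificate's prototype in the header hunk, starts outside this hunk) exists so that the default password callback installed on `ssl->ctx` is tried once per configured passphrase; `neverbleed_load_private_key_file()` presumably reads and decrypts the key in the neverbleed process, where that callback is not available, so keys protected by `ssl_password_file` likely fail here on every iteration — confirm, and either pass the passphrases through or reject that combination with a clear configuration-time error. The check on L61 treats a nonzero return as success while L42 treats a nonzero return from `neverbleed_init()` as failure; if both match the library's contracts, a one-line comment above L59 such as `/* returns nonzero on success, like SSL_CTX_use_PrivateKey_file() */` would spare the next reader a trip to neverbleed.h.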
@@ -483,7 +493,7 @@
}
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
- "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);
+ "neverbleed_load_private_key_file(\"%s\") failed: %s", key->data, errbuf);
return NGX_ERROR;
}
--- nginx-1.9.9/src/event/ngx_event_openssl.h 2015-12-09 23:47:21.000000000 +0900
+++ nginx-1.9.9.neverbleed/src/event/ngx_event_openssl.h 2016-02-04 12:30:12.000000000 +0900
@@ -11,6 +11,7 @@
#include <ngx_config.h>
#include <ngx_core.h>
+#include <neverbleed.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
@@ -38,6 +39,7 @@
typedef struct {
+ neverbleed_t *nb;
SSL_CTX *ctx;
ngx_log_t *log;
size_t buffer_size;
@@ -121,7 +123,7 @@
#define NGX_SSL_BUFSIZE 16384
-ngx_int_t ngx_ssl_init(ngx_log_t *log);
+ngx_int_t ngx_ssl_init(ngx_log_t *log, neverbleed_t *nb);
ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);
ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
--- nginx-1.9.9/auto/sources 2015-12-09 23:47:21.000000000 +0900
+++ nginx-1.9.9.neverbleed/auto/sources 2016-02-04 12:04:57.000000000 +0900
@@ -84,8 +84,10 @@
OPENSSL_MODULE=ngx_openssl_module
-OPENSSL_DEPS=src/event/ngx_event_openssl.h
+OPENSSL_DEPS="src/event/ngx_event_openssl.h \
+ src/event/neverbleed.h"
OPENSSL_SRCS="src/event/ngx_event_openssl.c \
+ src/event/neverbleed.c \
src/event/ngx_event_openssl_stapling.c"
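Review bot: Adding `src/event/neverbleed.c` to `OPENSSL_SRCS` compiles it under nginx's own warning flags, and the `--with-cc-opt='-Wno-error'` hint in the gist description suggests it does not build cleanly; that option disables warnings-as-errors for the entire nginx tree rather than this one file, so fixing the warnings in the vendored copy or giving it its own compile flags would be preferable. neverbleed also appears to rely on pthreads and a forked helper process (verify against neverbleed.h); if so, some toolchains will need `--with-ld-opt='-lpthread'`, and the gist could state that requirement next to the cc-opt hint.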
@matsumotory

これに加えて、 https://github.com/h2o/neverbleed の neverbleed.c と neverbleed.h を nginx-1.9.9/src/event/ に入れましょう。
