From cc3ab08fde01a05ad2ce3b9a3f4271e271baa93c Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Sun, 6 Dec 2020 23:06:42 -0500 Subject: [PATCH] lighttpd: wolfssl complex preproc logic for SNI Signed-off-by: Glenn Strauss --- net/lighttpd/Makefile | 2 +- net/lighttpd/patches/060-wolfssl-SNI.patch | 55 ++++++++++++++++++++++ 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 net/lighttpd/patches/060-wolfssl-SNI.patch diff --git a/net/lighttpd/Makefile b/net/lighttpd/Makefile index 559049038..a96215c22 100644 --- a/net/lighttpd/Makefile +++ b/net/lighttpd/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=lighttpd PKG_VERSION:=1.4.56 -PKG_RELEASE:=4 +PKG_RELEASE:=5 # release candidate ~rcX testing; remove for release #PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-1.4.56 diff --git a/net/lighttpd/patches/060-wolfssl-SNI.patch b/net/lighttpd/patches/060-wolfssl-SNI.patch new file mode 100644 index 000000000..03468f349 --- /dev/null +++ b/net/lighttpd/patches/060-wolfssl-SNI.patch @@ -0,0 +1,55 @@ +From a43420ba07645acb71f31e95b9c7b4e894794afd Mon Sep 17 00:00:00 2001 +From: Glenn Strauss +Date: Sun, 6 Dec 2020 22:50:49 -0500 +Subject: [PATCH] [mod_wolfssl] add complex preproc logic for SNI + +add complex preproc logic for SNI detection +- HAVE_SNI is not sufficient +- HAVE_LIGHTY is not sufficient (in wolfssl <= 4.5.0) +Instead, use more complex logic wrapping calls to SNI_Callback() +in wolfssl. + +x-ref: + "[lighttpd] -mod-wolfssl inhibited by missing library functionality" + https://github.com/openwrt/packages/issues/14142 + "put all SNI code behind simpler preprocessor directive HAVE_SNI" + https://github.com/wolfSSL/wolfssl/pull/3538 + +Signed-off-by: Glenn Strauss +--- + src/mod_wolfssl.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/src/mod_wolfssl.c b/src/mod_wolfssl.c +index a22b0ebe..70f7488b 100644 +--- a/src/mod_wolfssl.c ++++ b/src/mod_wolfssl.c +@@ -2041,13 +2041,22 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p) + * && (HAVE_STUNNEL || WOLFSSL_NGINX || HAVE_LIGHTY))) + * and sniRecvCb sniRecvCbArg are hidden by *different* set of defines + * in wolfssl/internal.h) +- * Note: SNI callbacks disabled if wolfSSL is not built OPENSSL_ALL ! */ +- #ifdef OPENSSL_ALL /* regretable */ ++ * Note: wolfSSL SNI callbacks members not present unless wolfSSL is ++ * built OPENSSL_ALL or some additional combination of preprocessor ++ * defines. The following should work with more recent wolfSSL versions ++ * (and HAVE_LIGHTY is not sufficient in wolfssl <= 4.5.0) */ ++ #if defined(OPENSSL_ALL) \ ++ || (defined(OPENSSL_EXTRA) \ ++ && (defined(HAVE_STUNNEL) \ ++ || defined(WOLFSSL_NGINX) \ ++ || defined(WOLFSSL_HAPROXY))) ++ #else ++ #undef HAVE_SNI ++ #endif + #ifdef HAVE_SNI + wolfSSL_CTX_set_servername_callback( + s->ssl_ctx, network_ssl_servername_callback); + wolfSSL_CTX_set_servername_arg(s->ssl_ctx, srv); +- #endif /* regretable */ + #else + log_error(srv->errh, __FILE__, __LINE__, + "SSL: WARNING: SNI callbacks *crippled* in wolfSSL library build"); +-- +2.28.0 +