lighttpd: wolfssl complex preproc logic for SNI

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>

diff --git a/net/lighttpd/Makefile b/net/lighttpd/Makefile
index 55904903896e24242e4923314d08f2b7ef6b8e39..a96215c22d9774ce9a8533c2671bd83b358d528c 100644 (file)
--- a/net/lighttpd/Makefile
+++ b/net/lighttpd/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=lighttpd
 PKG_VERSION:=1.4.56
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 # release candidate ~rcX testing; remove for release
 #PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-1.4.56
 

diff --git a/net/lighttpd/patches/060-wolfssl-SNI.patch b/net/lighttpd/patches/060-wolfssl-SNI.patch
new file mode 100644 (file)
index 0000000..03468f3
--- /dev/null
+++ b/net/lighttpd/patches/060-wolfssl-SNI.patch
@@ -0,0 +1,55 @@
+From a43420ba07645acb71f31e95b9c7b4e894794afd Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Sun, 6 Dec 2020 22:50:49 -0500
+Subject: [PATCH] [mod_wolfssl] add complex preproc logic for SNI
+
+add complex preproc logic for SNI detection
+- HAVE_SNI is not sufficient
+- HAVE_LIGHTY is not sufficient (in wolfssl <= 4.5.0)
+Instead, use more complex logic wrapping calls to SNI_Callback()
+in wolfssl.
+
+x-ref:
+  "[lighttpd] -mod-wolfssl inhibited by missing library functionality"
+  https://github.com/openwrt/packages/issues/14142
+  "put all SNI code behind simpler preprocessor directive HAVE_SNI"
+  https://github.com/wolfSSL/wolfssl/pull/3538
+
+Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
+---
+ src/mod_wolfssl.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/mod_wolfssl.c b/src/mod_wolfssl.c
+index a22b0ebe..70f7488b 100644
+--- a/src/mod_wolfssl.c
++++ b/src/mod_wolfssl.c
+@@ -2041,13 +2041,22 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
+          *           && (HAVE_STUNNEL || WOLFSSL_NGINX || HAVE_LIGHTY)))
+          * and sniRecvCb sniRecvCbArg are hidden by *different* set of defines
+          * in wolfssl/internal.h)
+-         * Note: SNI callbacks disabled if wolfSSL is not built OPENSSL_ALL ! */
+-       #ifdef OPENSSL_ALL /* regretable */
++         * Note: wolfSSL SNI callbacks members not present unless wolfSSL is
++         * built OPENSSL_ALL or some additional combination of preprocessor
++         * defines.  The following should work with more recent wolfSSL versions
++         * (and HAVE_LIGHTY is not sufficient in wolfssl <= 4.5.0) */
++       #if defined(OPENSSL_ALL) \
++        || (defined(OPENSSL_EXTRA) \
++            && (defined(HAVE_STUNNEL) \
++                || defined(WOLFSSL_NGINX) \
++                || defined(WOLFSSL_HAPROXY)))
++       #else
++       #undef HAVE_SNI
++       #endif
+        #ifdef HAVE_SNI
+         wolfSSL_CTX_set_servername_callback(
+             s->ssl_ctx, network_ssl_servername_callback);
+         wolfSSL_CTX_set_servername_arg(s->ssl_ctx, srv);
+-       #endif             /* regretable */
+        #else
+         log_error(srv->errh, __FILE__, __LINE__,
+           "SSL: WARNING: SNI callbacks *crippled* in wolfSSL library build");
+-- 
+2.28.0
+