5 changed files with 97 additions and 15 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-SOURCES/nginx-1.16.1.tar.gz
+SOURCES/nginx-1.18.0.tar.gz
 SOURCES/poweredby.png
--- a/.nginx.metadata
+++ b/.nginx.metadata
@ -1,2 +1,2 @@
-77ce4d26481b62f7a9d83e399454df0912f01a4b SOURCES/nginx-1.16.1.tar.gz
+47b2c5ccd12e2a7088b03d629ff6b9ab18215180 SOURCES/nginx-1.18.0.tar.gz
 2ec82988cd0d9b1304c95a16b28eff70f0f69abc SOURCES/poweredby.png
--- a/SOURCES/nginx-1.18.0-pkcs11-cert.patch
+++ b/SOURCES/nginx-1.18.0-pkcs11-cert.patch
@ -0,0 +1,76 @@
 diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
 index 0a2f260..606b6e2 100644
 --- a/src/event/ngx_event_openssl.c
 +++ b/src/event/ngx_event_openssl.c
@@ -616,6 +616,71 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
     X509    *x509, *temp;
     u_long   n;
 +    if (ngx_strncmp(cert->data, "engine:", sizeof("engine:") - 1) == 0) {
 +
 +#ifndef OPENSSL_NO_ENGINE
 +
 +        u_char  *p, *last;
 +        ENGINE  *engine;
 +
 +        p = cert->data + sizeof("engine:") - 1;
 +        last = (u_char *) ngx_strchr(p, ':');
 +
 +        if (last == NULL) {
 +            *err = "invalid syntax";
 +            return NULL;
 +        }
 +
 +        *last = '\0';
 +
 +        engine = ENGINE_by_id((char *) p);
 +
 +        if (engine == NULL) {
 +            *err = "ENGINE_by_id() failed";
 +            return NULL;
 +        }
 +
 +        if (!ENGINE_init(engine)) {
 +            *err = "ENGINE_init() failed";
 +            ENGINE_free(engine);
 +            return NULL;
 +        }
 +
 +        *last++ = ':';
 +
 +        struct {
 +            const char *cert_id;
 +            X509 *cert;
 +        } params = { (char *) last, NULL };
 +
 +        if (!ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", 0, &params, NULL, 1)) {
 +            *err = "ENGINE_ctrl_cmd() failed - Unable to get the certificate";
 +            ENGINE_free(engine);
 +            return NULL;
 +        }
 +
 +        ENGINE_finish(engine);
 +        ENGINE_free(engine);
 +
 +        /* set chain to null */
 +
 +        *chain = sk_X509_new_null();
 +        if (*chain == NULL) {
 +           *err = "sk_X509_new_null() failed";
 +           X509_free(params.cert);
 +           return NULL;
 +        }
 +
 +        return params.cert;
 +
 +#else
 +
 +        *err = "loading \"engine:...\" certificate is not supported";
 +        return NULL;
 +
 +#endif
 +    }
 +
     if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) {
         bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1,
--- a/SOURCES/nginx.conf
+++ b/SOURCES/nginx.conf
@ -25,7 +25,7 @@ http {
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
-    types_hash_max_size 2048;
+    types_hash_max_size 4096;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
@ -36,17 +36,14 @@ http {
    include /etc/nginx/conf.d/*.conf;
    server {
-        listen       80 default_server;
+        listen       80;
-        listen       [::]:80 default_server;
+        listen       [::]:80;
        server_name  _;
        root         /usr/share/nginx/html;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        location / {
        }
        error_page 404 /404.html;
            location = /40x.html {
        }
@ -59,8 +56,8 @@ http {
 # Settings for a TLS enabled server.
 #
 #    server {
-#        listen       443 ssl http2 default_server;
+#        listen       443 ssl http2;
-#        listen       [::]:443 ssl http2 default_server;
+#        listen       [::]:443 ssl http2;
 #        server_name  _;
 #        root         /usr/share/nginx/html;
 #
@ -74,9 +71,6 @@ http {
 #        # Load configuration files for the default server block.
 #        include /etc/nginx/default.d/*.conf;
 #
 #        location / {
 #        }
 #
 #        error_page 404 /404.html;
 #            location = /40x.html {
 #        }
--- a/SPECS/nginx.spec
+++ b/SPECS/nginx.spec
@ -18,8 +18,8 @@
 Name:              nginx
 Epoch:             1
-Version:           1.16.1
+Version:           1.18.0
-Release:           1%{?dist}
+Release:           2%{?dist}
 Summary:           A high performance web server and reverse proxy server
 Group:             System Environment/Daemons
@ -59,6 +59,9 @@ Patch3:            nginx-1.14.1-perl-module-hardening.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1643647
 Patch4:            nginx-1.16.0-enable-tls1v3-by-default.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1668717
 Patch5:            nginx-1.18.0-pkcs11-cert.patch
 %if 0%{?with_gperftools}
 BuildRequires:     gperftools-devel
 %endif
@ -189,6 +192,7 @@ Requires:          nginx
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} .
@ -461,6 +465,14 @@ fi
 %changelog
 * Wed Apr 22 2020 Lubos Uhliarik <luhliari@redhat.com> - 1:1.18.0-2
 - new version 1.18.0
 - Resolves: #1668717 - [RFE] Support loading certificates from hardware token
  (PKCS#11)
 - Increased types_hash_max_size to 4096 in default config
 - Drop location / from default config (rhbz#1564768)
 - Drop default_sever from default config (rhbz#1373822)
 * Thu Aug 29 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.16.1-1
 - update to 1.16.1
 - Resolves: #1745697 - CVE-2019-9511 nginx:1.16/nginx: HTTP/2: large amount
`@ -1,2 +1,2 @@`
	`SOURCES/nginx-1.16.1.tar.gz`	`SOURCES/nginx-1.18.0.tar.gz`
	`SOURCES/poweredby.png`	`SOURCES/poweredby.png`
`@ -1,2 +1,2 @@`
	`77ce4d26481b62f7a9d83e399454df0912f01a4b SOURCES/nginx-1.16.1.tar.gz`	`47b2c5ccd12e2a7088b03d629ff6b9ab18215180 SOURCES/nginx-1.18.0.tar.gz`
	`2ec82988cd0d9b1304c95a16b28eff70f0f69abc SOURCES/poweredby.png`	`2ec82988cd0d9b1304c95a16b28eff70f0f69abc SOURCES/poweredby.png`