Compare commits

...

No commits in common. "c8-stream-1.18" and "c8-stream-1.16" have entirely different histories.

5 changed files with 15 additions and 97 deletions

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/nginx-1.18.0.tar.gz SOURCES/nginx-1.16.1.tar.gz
SOURCES/poweredby.png SOURCES/poweredby.png

View File

@ -1,2 +1,2 @@
47b2c5ccd12e2a7088b03d629ff6b9ab18215180 SOURCES/nginx-1.18.0.tar.gz 77ce4d26481b62f7a9d83e399454df0912f01a4b SOURCES/nginx-1.16.1.tar.gz
2ec82988cd0d9b1304c95a16b28eff70f0f69abc SOURCES/poweredby.png 2ec82988cd0d9b1304c95a16b28eff70f0f69abc SOURCES/poweredby.png

View File

@ -1,76 +0,0 @@
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 0a2f260..606b6e2 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -616,6 +616,71 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
X509 *x509, *temp;
u_long n;
+ if (ngx_strncmp(cert->data, "engine:", sizeof("engine:") - 1) == 0) {
+
+#ifndef OPENSSL_NO_ENGINE
+
+ u_char *p, *last;
+ ENGINE *engine;
+
+ p = cert->data + sizeof("engine:") - 1;
+ last = (u_char *) ngx_strchr(p, ':');
+
+ if (last == NULL) {
+ *err = "invalid syntax";
+ return NULL;
+ }
+
+ *last = '\0';
+
+ engine = ENGINE_by_id((char *) p);
+
+ if (engine == NULL) {
+ *err = "ENGINE_by_id() failed";
+ return NULL;
+ }
+
+ if (!ENGINE_init(engine)) {
+ *err = "ENGINE_init() failed";
+ ENGINE_free(engine);
+ return NULL;
+ }
+
+ *last++ = ':';
+
+ struct {
+ const char *cert_id;
+ X509 *cert;
+ } params = { (char *) last, NULL };
+
+ if (!ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", 0, &params, NULL, 1)) {
+ *err = "ENGINE_ctrl_cmd() failed - Unable to get the certificate";
+ ENGINE_free(engine);
+ return NULL;
+ }
+
+ ENGINE_finish(engine);
+ ENGINE_free(engine);
+
+ /* set chain to null */
+
+ *chain = sk_X509_new_null();
+ if (*chain == NULL) {
+ *err = "sk_X509_new_null() failed";
+ X509_free(params.cert);
+ return NULL;
+ }
+
+ return params.cert;
+
+#else
+
+ *err = "loading \"engine:...\" certificate is not supported";
+ return NULL;
+
+#endif
+ }
+
if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) {
bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1,

View File

@ -25,7 +25,7 @@ http {
tcp_nopush on; tcp_nopush on;
tcp_nodelay on; tcp_nodelay on;
keepalive_timeout 65; keepalive_timeout 65;
types_hash_max_size 4096; types_hash_max_size 2048;
include /etc/nginx/mime.types; include /etc/nginx/mime.types;
default_type application/octet-stream; default_type application/octet-stream;
@ -36,14 +36,17 @@ http {
include /etc/nginx/conf.d/*.conf; include /etc/nginx/conf.d/*.conf;
server { server {
listen 80; listen 80 default_server;
listen [::]:80; listen [::]:80 default_server;
server_name _; server_name _;
root /usr/share/nginx/html; root /usr/share/nginx/html;
# Load configuration files for the default server block. # Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf; include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html; error_page 404 /404.html;
location = /40x.html { location = /40x.html {
} }
@ -56,8 +59,8 @@ http {
# Settings for a TLS enabled server. # Settings for a TLS enabled server.
# #
# server { # server {
# listen 443 ssl http2; # listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2; # listen [::]:443 ssl http2 default_server;
# server_name _; # server_name _;
# root /usr/share/nginx/html; # root /usr/share/nginx/html;
# #
@ -71,6 +74,9 @@ http {
# # Load configuration files for the default server block. # # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf; # include /etc/nginx/default.d/*.conf;
# #
# location / {
# }
#
# error_page 404 /404.html; # error_page 404 /404.html;
# location = /40x.html { # location = /40x.html {
# } # }

View File

@ -18,8 +18,8 @@
Name: nginx Name: nginx
Epoch: 1 Epoch: 1
Version: 1.18.0 Version: 1.16.1
Release: 2%{?dist} Release: 1%{?dist}
Summary: A high performance web server and reverse proxy server Summary: A high performance web server and reverse proxy server
Group: System Environment/Daemons Group: System Environment/Daemons
@ -59,9 +59,6 @@ Patch3: nginx-1.14.1-perl-module-hardening.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1643647 # https://bugzilla.redhat.com/show_bug.cgi?id=1643647
Patch4: nginx-1.16.0-enable-tls1v3-by-default.patch Patch4: nginx-1.16.0-enable-tls1v3-by-default.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1668717
Patch5: nginx-1.18.0-pkcs11-cert.patch
%if 0%{?with_gperftools} %if 0%{?with_gperftools}
BuildRequires: gperftools-devel BuildRequires: gperftools-devel
%endif %endif
@ -192,7 +189,6 @@ Requires: nginx
%patch2 -p1 %patch2 -p1
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1
cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} . cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} .
@ -465,14 +461,6 @@ fi
%changelog %changelog
* Wed Apr 22 2020 Lubos Uhliarik <luhliari@redhat.com> - 1:1.18.0-2
- new version 1.18.0
- Resolves: #1668717 - [RFE] Support loading certificates from hardware token
(PKCS#11)
- Increased types_hash_max_size to 4096 in default config
- Drop location / from default config (rhbz#1564768)
- Drop default_sever from default config (rhbz#1373822)
* Thu Aug 29 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.16.1-1 * Thu Aug 29 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.16.1-1
- update to 1.16.1 - update to 1.16.1
- Resolves: #1745697 - CVE-2019-9511 nginx:1.16/nginx: HTTP/2: large amount - Resolves: #1745697 - CVE-2019-9511 nginx:1.16/nginx: HTTP/2: large amount