Resolves: RHEL-40622 - openssl 3.2 ENGINE regression in nginx

2024-06-13 18:19:48 +02:00 · 2024-06-13 18:19:48 +02:00 · 34109c0246
commit 34109c0246
parent ea28e26ea5
2 changed files with 133 additions and 1 deletions
--- a/0010-defer-ENGINE_finish-calls-to-a-cleanup.patch
+++ b/0010-defer-ENGINE_finish-calls-to-a-cleanup.patch
@ -0,0 +1,126 @@
+From e0e6437b1f1c723a52ac26a7e700113753331ecd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
+Date: Thu, 13 Jun 2024 17:44:28 +0200
+Subject: [PATCH] defer ENGINE_finish() calls to a cleanup
+
+---
+ src/event/ngx_event_openssl.c | 51 +++++++++++++++++++++++++++--------
+ 1 file changed, 40 insertions(+), 11 deletions(-)
+
+diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
+index fb05ab9..3e06791 100644
+--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
+@@ -16,7 +16,7 @@ typedef struct {
+     ngx_uint_t  engine;   /* unsigned  engine:1; */
+ } ngx_openssl_conf_t;
+ 
+-
+static ngx_int_t ngx_ssl_engine_cleanup(void *data);
+ static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err,
+     ngx_str_t *cert, STACK_OF(X509) **chain);
+ static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool,
+@@ -144,6 +144,15 @@ int  ngx_ssl_certificate_name_index;
+ int  ngx_ssl_stapling_index;
+ 
+ 
+static ngx_int_t
+ngx_ssl_engine_cleanup(void *data){
+    ENGINE *e = data;
+
+    ENGINE_finish(e);
+
+    return NGX_OK;
+}
+
+ ngx_int_t
+ ngx_ssl_init(ngx_log_t *log)
+ {
+@@ -650,8 +659,9 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
+ 
+ #ifndef OPENSSL_NO_ENGINE
+ 
+-        u_char  *p, *last;
+-        ENGINE  *engine;
+        u_char              *p, *last;
+        ENGINE              *engine;
+        ngx_pool_cleanup_t  *cln;
+ 
+         p = cert->data + sizeof("engine:") - 1;
+         last = (u_char *) ngx_strchr(p, ':');
+@@ -676,6 +686,16 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
+             return NULL;
+         }
+ 
+        cln = ngx_pool_cleanup_add(pool, 0);
+        if (cln == NULL) {
+            *err = "failed to add ENGINE cleanup";
+            ENGINE_free(engine);
+            return NULL;
+        }
+
+        cln->handler = ngx_ssl_engine_cleanup;
+        cln->data = engine;
+
+         *last++ = ':';
+ 
+         struct {
+@@ -689,7 +709,6 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
+             return NULL;
+         }
+ 
+-        ENGINE_finish(engine);
+         ENGINE_free(engine);
+ 
+         /* set chain to null */
+@@ -868,11 +887,13 @@ ngx_ssl_pass_phrase_callback(char *buf, int bufsize, int rwflag, void *u)
+ static EVP_PKEY *
+ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, ngx_str_t *key, ngx_array_t *passwords, ngx_ssl_ppdialog_conf_t *dlg)
+ {
+-    BIO              *bio;
+-    EVP_PKEY         *pkey;
+-    ngx_str_t        *pwd;
+-    ngx_uint_t        tries;
+-    pem_password_cb  *cb;
+    BIO                 *bio;
+    EVP_PKEY            *pkey;
+    ngx_str_t           *pwd;
+    ngx_uint_t          tries;
+    pem_password_cb     *cb;
+    ngx_pool_cleanup_t  *cln;
+
+ 
+     if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {
+ 
+@@ -904,18 +925,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, ngx_str_t *key, ngx_a
+             return NULL;
+         }
+ 
+        cln = ngx_pool_cleanup_add(pool, 0);
+        if (cln == NULL) {
+            *err = "failed to add ENGINE cleanup";
+            ENGINE_free(engine);
+            return NULL;
+        }
+
+        cln->handler = ngx_ssl_engine_cleanup;
+        cln->data = engine;
+
+         *last++ = ':';
+ 
+         pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
+ 
+         if (pkey == NULL) {
+             *err = "ENGINE_load_private_key() failed";
+-            ENGINE_finish(engine);
+             ENGINE_free(engine);
+             return NULL;
+         }
+ 
+-        ENGINE_finish(engine);
+         ENGINE_free(engine);
+ 
+         return pkey;
+-- 
+2.44.0
+
--- a/nginx.spec
+++ b/nginx.spec
@ -56,7 +56,7 @@
 Name:              nginx
 Epoch:             1
 Version:           1.24.0
-Release:           2%{?dist}
+Release:           3%{?dist}

 Summary:           A high performance web server and reverse proxy server
 # BSD License (two clause)
@ -114,6 +114,9 @@ Patch6:            0008-add-ssl-pass-phrase-dialog.patch
 # security fix - https://issues.redhat.com/browse/RHEL-12737
 Patch7:            0009-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch

+# downstream patch - https://issues.redhat.com/browse/RHEL-40621
+Patch8:            0010-defer-ENGINE_finish-calls-to-a-cleanup.patch
+
 BuildRequires:     make
 BuildRequires:     gcc
 BuildRequires:     gnupg2
@ -626,6 +629,9 @@ fi


 %changelog
+* Thu Jun 13 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-3
+- Resolves: RHEL-40622 - openssl 3.2 ENGINE regression in nginx
+
 * Thu May 23 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-2
 - Resolves: RHEL-38498 - Nginx seg faults when proxy_ssl_certificate is set