Merge branch 'c9-beta-stream-1.22' into a9-beta-stream-1.22
This commit is contained in:
commit
55ff1f798e
@ -1,8 +1,29 @@
|
||||
From c0f75dac24544bdae1ccfccf3d6a05c1b9243d8a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
|
||||
Date: Thu, 23 May 2024 14:09:05 +0200
|
||||
Subject: [PATCH] Add ssl-pass-phrase-dialog
|
||||
|
||||
---
|
||||
contrib/vim/syntax/nginx.vim | 1 +
|
||||
src/event/ngx_event_openssl.c | 133 ++++++++++++++++++++---
|
||||
src/event/ngx_event_openssl.h | 15 ++-
|
||||
src/http/modules/ngx_http_grpc_module.c | 2 +-
|
||||
src/http/modules/ngx_http_proxy_module.c | 2 +-
|
||||
src/http/modules/ngx_http_ssl_module.c | 76 ++++++++++++-
|
||||
src/http/modules/ngx_http_ssl_module.h | 2 +
|
||||
src/http/modules/ngx_http_uwsgi_module.c | 2 +-
|
||||
src/mail/ngx_mail_ssl_module.c | 68 +++++++++++-
|
||||
src/mail/ngx_mail_ssl_module.h | 2 +
|
||||
src/stream/ngx_stream_proxy_module.c | 2 +-
|
||||
src/stream/ngx_stream_ssl_module.c | 62 ++++++++++-
|
||||
src/stream/ngx_stream_ssl_module.h | 2 +
|
||||
13 files changed, 344 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/contrib/vim/syntax/nginx.vim b/contrib/vim/syntax/nginx.vim
|
||||
index 7d587fc..15b21e2 100644
|
||||
index 6828cd3..9df0a53 100644
|
||||
--- a/contrib/vim/syntax/nginx.vim
|
||||
+++ b/contrib/vim/syntax/nginx.vim
|
||||
@@ -617,6 +617,7 @@ syn keyword ngxDirective contained ssl_ocsp
|
||||
@@ -624,6 +624,7 @@ syn keyword ngxDirective contained ssl_ocsp
|
||||
syn keyword ngxDirective contained ssl_ocsp_cache
|
||||
syn keyword ngxDirective contained ssl_ocsp_responder
|
||||
syn keyword ngxDirective contained ssl_password_file
|
||||
@ -11,7 +32,7 @@ index 7d587fc..15b21e2 100644
|
||||
syn keyword ngxDirective contained ssl_preread
|
||||
syn keyword ngxDirective contained ssl_protocols
|
||||
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
|
||||
index 104e8da..8cf777e 100644
|
||||
index d6fe5bc..fb05ab9 100644
|
||||
--- a/src/event/ngx_event_openssl.c
|
||||
+++ b/src/event/ngx_event_openssl.c
|
||||
@@ -9,9 +9,8 @@
|
||||
@ -36,7 +57,7 @@ index 104e8da..8cf777e 100644
|
||||
static int ngx_ssl_password_callback(char *buf, int size, int rwflag,
|
||||
void *userdata);
|
||||
static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
|
||||
@@ -88,6 +87,12 @@ static time_t ngx_ssl_parse_time(
|
||||
@@ -87,6 +86,12 @@ static time_t ngx_ssl_parse_time(
|
||||
#endif
|
||||
ASN1_TIME *asn1time, ngx_log_t *log);
|
||||
|
||||
@ -49,7 +70,7 @@ index 104e8da..8cf777e 100644
|
||||
static void *ngx_openssl_create_conf(ngx_cycle_t *cycle);
|
||||
static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
|
||||
static void ngx_openssl_exit(ngx_cycle_t *cycle);
|
||||
@@ -398,7 +403,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
|
||||
@@ -404,7 +409,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
|
||||
|
||||
ngx_int_t
|
||||
ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
|
||||
@ -58,7 +79,7 @@ index 104e8da..8cf777e 100644
|
||||
{
|
||||
ngx_str_t *cert, *key;
|
||||
ngx_uint_t i;
|
||||
@@ -408,7 +413,7 @@ ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
|
||||
@@ -414,7 +419,7 @@ ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
|
||||
|
||||
for (i = 0; i < certs->nelts; i++) {
|
||||
|
||||
@ -67,7 +88,7 @@ index 104e8da..8cf777e 100644
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_ERROR;
|
||||
@@ -421,12 +426,13 @@ ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
|
||||
@@ -427,12 +432,13 @@ ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
|
||||
|
||||
ngx_int_t
|
||||
ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
|
||||
@ -82,7 +103,7 @@ index 104e8da..8cf777e 100644
|
||||
|
||||
x509 = ngx_ssl_load_certificate(cf->pool, &err, cert, &chain);
|
||||
if (x509 == NULL) {
|
||||
@@ -516,8 +522,19 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
|
||||
@@ -522,8 +528,23 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
|
||||
}
|
||||
#endif
|
||||
|
||||
@ -94,7 +115,11 @@ index 104e8da..8cf777e 100644
|
||||
+ "X509_get_pubkey() failed");
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ if (dlg) {
|
||||
+ dlg->cryptosystem = EVP_PKEY_get_base_id(pubkey);
|
||||
+ }
|
||||
+
|
||||
+ EVP_PKEY_free(pubkey);
|
||||
+
|
||||
+ pkey = ngx_ssl_load_certificate_key(cf->pool, &err, key, passwords, dlg);
|
||||
@ -104,7 +129,7 @@ index 104e8da..8cf777e 100644
|
||||
if (err != NULL) {
|
||||
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
||||
"cannot load certificate key \"%s\": %s",
|
||||
@@ -587,7 +604,7 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
|
||||
@@ -593,7 +614,7 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
|
||||
|
||||
#endif
|
||||
|
||||
@ -113,7 +138,7 @@ index 104e8da..8cf777e 100644
|
||||
if (pkey == NULL) {
|
||||
if (err != NULL) {
|
||||
ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
|
||||
@@ -700,10 +717,81 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
|
||||
@@ -771,10 +792,81 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
|
||||
return x509;
|
||||
}
|
||||
|
||||
@ -197,7 +222,7 @@ index 104e8da..8cf777e 100644
|
||||
{
|
||||
BIO *bio;
|
||||
EVP_PKEY *pkey;
|
||||
@@ -791,11 +879,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
|
||||
@@ -870,11 +962,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
|
||||
tries = 1;
|
||||
pwd = NULL;
|
||||
cb = NULL;
|
||||
@ -226,7 +251,7 @@ index 104e8da..8cf777e 100644
|
||||
break;
|
||||
}
|
||||
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
|
||||
index 860ea26..41f4501 100644
|
||||
index eb3288b..b275a38 100644
|
||||
--- a/src/event/ngx_event_openssl.h
|
||||
+++ b/src/event/ngx_event_openssl.h
|
||||
@@ -74,9 +74,19 @@
|
||||
@ -270,10 +295,10 @@ index 860ea26..41f4501 100644
|
||||
ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
|
||||
|
||||
diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c
|
||||
index dfe49c5..904263d 100644
|
||||
index 864fc4f..c1b5fb4 100644
|
||||
--- a/src/http/modules/ngx_http_grpc_module.c
|
||||
+++ b/src/http/modules/ngx_http_grpc_module.c
|
||||
@@ -4983,7 +4983,7 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf)
|
||||
@@ -4925,7 +4925,7 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf)
|
||||
if (ngx_ssl_certificate(cf, glcf->upstream.ssl,
|
||||
&glcf->upstream.ssl_certificate->value,
|
||||
&glcf->upstream.ssl_certificate_key->value,
|
||||
@ -283,10 +308,10 @@ index dfe49c5..904263d 100644
|
||||
{
|
||||
return NGX_ERROR;
|
||||
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
|
||||
index 9cc202c..2c938d7 100644
|
||||
index 7c4061c..e971396 100644
|
||||
--- a/src/http/modules/ngx_http_proxy_module.c
|
||||
+++ b/src/http/modules/ngx_http_proxy_module.c
|
||||
@@ -5032,7 +5032,7 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
|
||||
@@ -4974,7 +4974,7 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
|
||||
if (ngx_ssl_certificate(cf, plcf->upstream.ssl,
|
||||
&plcf->upstream.ssl_certificate->value,
|
||||
&plcf->upstream.ssl_certificate_key->value,
|
||||
@ -296,7 +321,7 @@ index 9cc202c..2c938d7 100644
|
||||
{
|
||||
return NGX_ERROR;
|
||||
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
|
||||
index 4c4a598..a147054 100644
|
||||
index e765a50..6af69d1 100644
|
||||
--- a/src/http/modules/ngx_http_ssl_module.c
|
||||
+++ b/src/http/modules/ngx_http_ssl_module.c
|
||||
@@ -17,8 +17,9 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
|
||||
@ -361,7 +386,7 @@ index 4c4a598..a147054 100644
|
||||
|
||||
ngx_pool_cleanup_t *cln;
|
||||
|
||||
@@ -674,6 +689,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
@@ -672,6 +687,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
ngx_conf_merge_str_value(conf->stapling_responder,
|
||||
prev->stapling_responder, "");
|
||||
|
||||
@ -371,7 +396,7 @@ index 4c4a598..a147054 100644
|
||||
conf->ssl.log = cf->log;
|
||||
|
||||
if (conf->enable) {
|
||||
@@ -736,6 +754,30 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
@@ -734,6 +752,30 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
cln->handler = ngx_ssl_cleanup_ctx;
|
||||
cln->data = &conf->ssl;
|
||||
|
||||
@ -402,7 +427,7 @@ index 4c4a598..a147054 100644
|
||||
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
||||
|
||||
if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
|
||||
@@ -786,7 +828,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
@@ -784,7 +826,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
/* configure certificates */
|
||||
|
||||
if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
|
||||
@ -411,7 +436,7 @@ index 4c4a598..a147054 100644
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
@@ -1335,3 +1377,31 @@ ngx_http_ssl_init(ngx_conf_t *cf)
|
||||
@@ -1333,3 +1375,31 @@ ngx_http_ssl_init(ngx_conf_t *cf)
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
@ -457,10 +482,10 @@ index 7ab0f7e..2f83d75 100644
|
||||
|
||||
|
||||
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
|
||||
index e4f721b..61efa99 100644
|
||||
index d46741a..d728874 100644
|
||||
--- a/src/http/modules/ngx_http_uwsgi_module.c
|
||||
+++ b/src/http/modules/ngx_http_uwsgi_module.c
|
||||
@@ -2564,7 +2564,7 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf)
|
||||
@@ -2461,7 +2461,7 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf)
|
||||
if (ngx_ssl_certificate(cf, uwcf->upstream.ssl,
|
||||
&uwcf->upstream.ssl_certificate->value,
|
||||
&uwcf->upstream.ssl_certificate_key->value,
|
||||
@ -470,7 +495,7 @@ index e4f721b..61efa99 100644
|
||||
{
|
||||
return NGX_ERROR;
|
||||
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
|
||||
index 28737ac..728181d 100644
|
||||
index 63af775..b3cd38e 100644
|
||||
--- a/src/mail/ngx_mail_ssl_module.c
|
||||
+++ b/src/mail/ngx_mail_ssl_module.c
|
||||
@@ -13,6 +13,7 @@
|
||||
@ -513,7 +538,7 @@ index 28737ac..728181d 100644
|
||||
|
||||
char *mode;
|
||||
ngx_pool_cleanup_t *cln;
|
||||
@@ -388,6 +400,8 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
@@ -386,6 +398,8 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
|
||||
ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
|
||||
|
||||
@ -522,7 +547,7 @@ index 28737ac..728181d 100644
|
||||
|
||||
conf->ssl.log = cf->log;
|
||||
|
||||
@@ -449,6 +463,29 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
@@ -447,6 +461,29 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
cln->handler = ngx_ssl_cleanup_ctx;
|
||||
cln->data = &conf->ssl;
|
||||
|
||||
@ -552,7 +577,7 @@ index 28737ac..728181d 100644
|
||||
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
|
||||
SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_mail_ssl_alpn_select, NULL);
|
||||
#endif
|
||||
@@ -461,7 +498,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
@@ -459,7 +496,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
}
|
||||
|
||||
if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
|
||||
@ -561,7 +586,7 @@ index 28737ac..728181d 100644
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
@@ -745,3 +782,32 @@ ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
|
||||
@@ -743,3 +780,32 @@ ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
|
||||
return NGX_CONF_OK;
|
||||
#endif
|
||||
}
|
||||
@ -608,10 +633,10 @@ index a0a6113..3d87d50 100644
|
||||
|
||||
|
||||
diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
|
||||
index ed275c0..1747aed 100644
|
||||
index 934e7d8..34d0195 100644
|
||||
--- a/src/stream/ngx_stream_proxy_module.c
|
||||
+++ b/src/stream/ngx_stream_proxy_module.c
|
||||
@@ -2305,7 +2305,7 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf)
|
||||
@@ -2248,7 +2248,7 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf)
|
||||
if (ngx_ssl_certificate(cf, pscf->ssl,
|
||||
&pscf->ssl_certificate->value,
|
||||
&pscf->ssl_certificate_key->value,
|
||||
@ -621,7 +646,7 @@ index ed275c0..1747aed 100644
|
||||
{
|
||||
return NGX_ERROR;
|
||||
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
|
||||
index 1ba1825..ba70547 100644
|
||||
index f922ac4..66b4b67 100644
|
||||
--- a/src/stream/ngx_stream_ssl_module.c
|
||||
+++ b/src/stream/ngx_stream_ssl_module.c
|
||||
@@ -17,6 +17,8 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
|
||||
@ -665,7 +690,7 @@ index 1ba1825..ba70547 100644
|
||||
|
||||
ngx_pool_cleanup_t *cln;
|
||||
|
||||
@@ -732,6 +745,8 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
@@ -730,6 +743,8 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
|
||||
ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
|
||||
|
||||
@ -674,7 +699,7 @@ index 1ba1825..ba70547 100644
|
||||
|
||||
conf->ssl.log = cf->log;
|
||||
|
||||
@@ -779,6 +794,23 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
@@ -777,6 +792,23 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
cln->handler = ngx_ssl_cleanup_ctx;
|
||||
cln->data = &conf->ssl;
|
||||
|
||||
@ -698,7 +723,7 @@ index 1ba1825..ba70547 100644
|
||||
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
||||
SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
|
||||
ngx_stream_ssl_servername);
|
||||
@@ -823,7 +855,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
@@ -821,7 +853,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
/* configure certificates */
|
||||
|
||||
if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
|
||||
@ -707,7 +732,7 @@ index 1ba1825..ba70547 100644
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
@@ -1209,3 +1241,31 @@ ngx_stream_ssl_init(ngx_conf_t *cf)
|
||||
@@ -1207,3 +1239,31 @@ ngx_stream_ssl_init(ngx_conf_t *cf)
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
@ -752,3 +777,6 @@ index e7c825e..d80daa4 100644
|
||||
} ngx_stream_ssl_conf_t;
|
||||
|
||||
|
||||
--
|
||||
2.44.0
|
||||
|
||||
|
@ -0,0 +1,76 @@
|
||||
From b6aa9504cdfb6391d895dcbddc87b9260ea6968c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
|
||||
Date: Wed, 11 Oct 2023 09:59:23 +0200
|
||||
Subject: [PATCH] CVE-2023-44487 - HTTP/2: per-iteration stream handling limit.
|
||||
|
||||
To ensure that attempts to flood servers with many streams are detected
|
||||
early, a limit of no more than 2 * max_concurrent_streams new streams per one
|
||||
event loop iteration was introduced. This limit is applied even if
|
||||
max_concurrent_streams is not yet reached - for example, if corresponding
|
||||
streams are handled synchronously or reset.
|
||||
|
||||
Further, refused streams are now limited to maximum of max_concurrent_streams
|
||||
and 100, similarly to priority_limit initial value, providing some tolerance
|
||||
to clients trying to open several streams at the connection start, yet
|
||||
low tolerance to flooding attempts.
|
||||
---
|
||||
src/http/v2/ngx_http_v2.c | 15 +++++++++++++++
|
||||
src/http/v2/ngx_http_v2.h | 2 ++
|
||||
2 files changed, 17 insertions(+)
|
||||
|
||||
diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
|
||||
index 3611a2e..291677a 100644
|
||||
--- a/src/http/v2/ngx_http_v2.c
|
||||
+++ b/src/http/v2/ngx_http_v2.c
|
||||
@@ -361,6 +361,7 @@ ngx_http_v2_read_handler(ngx_event_t *rev)
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http2 read handler");
|
||||
|
||||
h2c->blocked = 1;
|
||||
+ h2c->new_streams = 0;
|
||||
|
||||
if (c->close) {
|
||||
c->close = 0;
|
||||
@@ -1320,6 +1321,14 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos,
|
||||
goto rst_stream;
|
||||
}
|
||||
|
||||
+ if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams) {
|
||||
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
|
||||
+ "client sent too many streams at once");
|
||||
+
|
||||
+ status = NGX_HTTP_V2_REFUSED_STREAM;
|
||||
+ goto rst_stream;
|
||||
+ }
|
||||
+
|
||||
if (!h2c->settings_ack
|
||||
&& !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG)
|
||||
&& h2scf->preread_size < NGX_HTTP_V2_DEFAULT_WINDOW)
|
||||
@@ -1385,6 +1394,12 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos,
|
||||
|
||||
rst_stream:
|
||||
|
||||
+ if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100)) {
|
||||
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
|
||||
+ "client sent too many refused streams");
|
||||
+ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_NO_ERROR);
|
||||
+ }
|
||||
+
|
||||
if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, status) != NGX_OK) {
|
||||
return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
|
||||
}
|
||||
diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
|
||||
index 3492297..6a7aaa6 100644
|
||||
--- a/src/http/v2/ngx_http_v2.h
|
||||
+++ b/src/http/v2/ngx_http_v2.h
|
||||
@@ -125,6 +125,8 @@ struct ngx_http_v2_connection_s {
|
||||
ngx_uint_t processing;
|
||||
ngx_uint_t frames;
|
||||
ngx_uint_t idle;
|
||||
+ ngx_uint_t new_streams;
|
||||
+ ngx_uint_t refused_streams;
|
||||
ngx_uint_t priority_limit;
|
||||
|
||||
ngx_uint_t pushing;
|
||||
--
|
||||
2.31.1
|
||||
|
126
SOURCES/0010-defer-ENGINE_finish-calls-to-a-cleanup.patch
Normal file
126
SOURCES/0010-defer-ENGINE_finish-calls-to-a-cleanup.patch
Normal file
@ -0,0 +1,126 @@
|
||||
From e0e6437b1f1c723a52ac26a7e700113753331ecd Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
|
||||
Date: Thu, 13 Jun 2024 17:44:28 +0200
|
||||
Subject: [PATCH] defer ENGINE_finish() calls to a cleanup
|
||||
|
||||
---
|
||||
src/event/ngx_event_openssl.c | 51 +++++++++++++++++++++++++++--------
|
||||
1 file changed, 40 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
|
||||
index fb05ab9..3e06791 100644
|
||||
--- a/src/event/ngx_event_openssl.c
|
||||
+++ b/src/event/ngx_event_openssl.c
|
||||
@@ -16,7 +16,7 @@ typedef struct {
|
||||
ngx_uint_t engine; /* unsigned engine:1; */
|
||||
} ngx_openssl_conf_t;
|
||||
|
||||
-
|
||||
+static ngx_int_t ngx_ssl_engine_cleanup(void *data);
|
||||
static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err,
|
||||
ngx_str_t *cert, STACK_OF(X509) **chain);
|
||||
static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool,
|
||||
@@ -144,6 +144,15 @@ int ngx_ssl_certificate_name_index;
|
||||
int ngx_ssl_stapling_index;
|
||||
|
||||
|
||||
+static ngx_int_t
|
||||
+ngx_ssl_engine_cleanup(void *data){
|
||||
+ ENGINE *e = data;
|
||||
+
|
||||
+ ENGINE_finish(e);
|
||||
+
|
||||
+ return NGX_OK;
|
||||
+}
|
||||
+
|
||||
ngx_int_t
|
||||
ngx_ssl_init(ngx_log_t *log)
|
||||
{
|
||||
@@ -650,8 +659,9 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
|
||||
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
|
||||
- u_char *p, *last;
|
||||
- ENGINE *engine;
|
||||
+ u_char *p, *last;
|
||||
+ ENGINE *engine;
|
||||
+ ngx_pool_cleanup_t *cln;
|
||||
|
||||
p = cert->data + sizeof("engine:") - 1;
|
||||
last = (u_char *) ngx_strchr(p, ':');
|
||||
@@ -676,6 +686,16 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+ cln = ngx_pool_cleanup_add(pool, 0);
|
||||
+ if (cln == NULL) {
|
||||
+ *err = "failed to add ENGINE cleanup";
|
||||
+ ENGINE_free(engine);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ cln->handler = ngx_ssl_engine_cleanup;
|
||||
+ cln->data = engine;
|
||||
+
|
||||
*last++ = ':';
|
||||
|
||||
struct {
|
||||
@@ -689,7 +709,6 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- ENGINE_finish(engine);
|
||||
ENGINE_free(engine);
|
||||
|
||||
/* set chain to null */
|
||||
@@ -868,11 +887,13 @@ ngx_ssl_pass_phrase_callback(char *buf, int bufsize, int rwflag, void *u)
|
||||
static EVP_PKEY *
|
||||
ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, ngx_str_t *key, ngx_array_t *passwords, ngx_ssl_ppdialog_conf_t *dlg)
|
||||
{
|
||||
- BIO *bio;
|
||||
- EVP_PKEY *pkey;
|
||||
- ngx_str_t *pwd;
|
||||
- ngx_uint_t tries;
|
||||
- pem_password_cb *cb;
|
||||
+ BIO *bio;
|
||||
+ EVP_PKEY *pkey;
|
||||
+ ngx_str_t *pwd;
|
||||
+ ngx_uint_t tries;
|
||||
+ pem_password_cb *cb;
|
||||
+ ngx_pool_cleanup_t *cln;
|
||||
+
|
||||
|
||||
if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {
|
||||
|
||||
@@ -904,18 +925,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, ngx_str_t *key, ngx_a
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+ cln = ngx_pool_cleanup_add(pool, 0);
|
||||
+ if (cln == NULL) {
|
||||
+ *err = "failed to add ENGINE cleanup";
|
||||
+ ENGINE_free(engine);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ cln->handler = ngx_ssl_engine_cleanup;
|
||||
+ cln->data = engine;
|
||||
+
|
||||
*last++ = ':';
|
||||
|
||||
pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
|
||||
|
||||
if (pkey == NULL) {
|
||||
*err = "ENGINE_load_private_key() failed";
|
||||
- ENGINE_finish(engine);
|
||||
ENGINE_free(engine);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- ENGINE_finish(engine);
|
||||
ENGINE_free(engine);
|
||||
|
||||
return pkey;
|
||||
--
|
||||
2.44.0
|
||||
|
183
SOURCES/0011-Optimized-chain-link-usage.patch
Normal file
183
SOURCES/0011-Optimized-chain-link-usage.patch
Normal file
@ -0,0 +1,183 @@
|
||||
From f3bcc0bcfb6eda3f4874fe2531d546ba724c518c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
|
||||
Date: Wed, 12 Jun 2024 12:49:28 +0200
|
||||
Subject: [PATCH] Optimized chain link usage
|
||||
|
||||
Previously chain links could sometimes be dropped instead of being reused,
|
||||
which could result in increased memory consumption during long requests.
|
||||
---
|
||||
src/core/ngx_output_chain.c | 10 ++++++++--
|
||||
src/http/modules/ngx_http_grpc_module.c | 5 ++++-
|
||||
.../modules/ngx_http_gunzip_filter_module.c | 18 ++++++++++++++----
|
||||
src/http/modules/ngx_http_gzip_filter_module.c | 10 +++++++---
|
||||
src/http/modules/ngx_http_ssi_filter_module.c | 8 ++++++--
|
||||
src/http/modules/ngx_http_sub_filter_module.c | 8 ++++++--
|
||||
6 files changed, 45 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/core/ngx_output_chain.c b/src/core/ngx_output_chain.c
|
||||
index 5c3dbe8..4aa1b02 100644
|
||||
--- a/src/core/ngx_output_chain.c
|
||||
+++ b/src/core/ngx_output_chain.c
|
||||
@@ -121,7 +121,10 @@ ngx_output_chain(ngx_output_chain_ctx_t *ctx, ngx_chain_t *in)
|
||||
|
||||
ngx_debug_point();
|
||||
|
||||
- ctx->in = ctx->in->next;
|
||||
+ cl = ctx->in;
|
||||
+ ctx->in = cl->next;
|
||||
+
|
||||
+ ngx_free_chain(ctx->pool, cl);
|
||||
|
||||
continue;
|
||||
}
|
||||
@@ -207,7 +210,10 @@ ngx_output_chain(ngx_output_chain_ctx_t *ctx, ngx_chain_t *in)
|
||||
/* delete the completed buf from the ctx->in chain */
|
||||
|
||||
if (ngx_buf_size(ctx->in->buf) == 0) {
|
||||
- ctx->in = ctx->in->next;
|
||||
+ cl = ctx->in;
|
||||
+ ctx->in = cl->next;
|
||||
+
|
||||
+ ngx_free_chain(ctx->pool, cl);
|
||||
}
|
||||
|
||||
cl = ngx_alloc_chain_link(ctx->pool);
|
||||
diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c
|
||||
index 53bc547..9f13089 100644
|
||||
--- a/src/http/modules/ngx_http_grpc_module.c
|
||||
+++ b/src/http/modules/ngx_http_grpc_module.c
|
||||
@@ -1230,7 +1230,7 @@ ngx_http_grpc_body_output_filter(void *data, ngx_chain_t *in)
|
||||
ngx_buf_t *b;
|
||||
ngx_int_t rc;
|
||||
ngx_uint_t next, last;
|
||||
- ngx_chain_t *cl, *out, **ll;
|
||||
+ ngx_chain_t *cl, *out, *ln, **ll;
|
||||
ngx_http_upstream_t *u;
|
||||
ngx_http_grpc_ctx_t *ctx;
|
||||
ngx_http_grpc_frame_t *f;
|
||||
@@ -1458,7 +1458,10 @@ ngx_http_grpc_body_output_filter(void *data, ngx_chain_t *in)
|
||||
last = 1;
|
||||
}
|
||||
|
||||
+ ln = in;
|
||||
in = in->next;
|
||||
+
|
||||
+ ngx_free_chain(r->pool, ln);
|
||||
}
|
||||
|
||||
ctx->in = in;
|
||||
diff --git a/src/http/modules/ngx_http_gunzip_filter_module.c b/src/http/modules/ngx_http_gunzip_filter_module.c
|
||||
index c1341f5..5d170a1 100644
|
||||
--- a/src/http/modules/ngx_http_gunzip_filter_module.c
|
||||
+++ b/src/http/modules/ngx_http_gunzip_filter_module.c
|
||||
@@ -333,6 +333,8 @@ static ngx_int_t
|
||||
ngx_http_gunzip_filter_add_data(ngx_http_request_t *r,
|
||||
ngx_http_gunzip_ctx_t *ctx)
|
||||
{
|
||||
+ ngx_chain_t *cl;
|
||||
+
|
||||
if (ctx->zstream.avail_in || ctx->flush != Z_NO_FLUSH || ctx->redo) {
|
||||
return NGX_OK;
|
||||
}
|
||||
@@ -344,8 +346,11 @@ ngx_http_gunzip_filter_add_data(ngx_http_request_t *r,
|
||||
return NGX_DECLINED;
|
||||
}
|
||||
|
||||
- ctx->in_buf = ctx->in->buf;
|
||||
- ctx->in = ctx->in->next;
|
||||
+ cl = ctx->in;
|
||||
+ ctx->in_buf = cl->buf;
|
||||
+ ctx->in = cl->next;
|
||||
+
|
||||
+ ngx_free_chain(r->pool, cl);
|
||||
|
||||
ctx->zstream.next_in = ctx->in_buf->pos;
|
||||
ctx->zstream.avail_in = ctx->in_buf->last - ctx->in_buf->pos;
|
||||
@@ -374,6 +379,7 @@ static ngx_int_t
|
||||
ngx_http_gunzip_filter_get_buf(ngx_http_request_t *r,
|
||||
ngx_http_gunzip_ctx_t *ctx)
|
||||
{
|
||||
+ ngx_chain_t *cl;
|
||||
ngx_http_gunzip_conf_t *conf;
|
||||
|
||||
if (ctx->zstream.avail_out) {
|
||||
@@ -383,8 +389,12 @@ ngx_http_gunzip_filter_get_buf(ngx_http_request_t *r,
|
||||
conf = ngx_http_get_module_loc_conf(r, ngx_http_gunzip_filter_module);
|
||||
|
||||
if (ctx->free) {
|
||||
- ctx->out_buf = ctx->free->buf;
|
||||
- ctx->free = ctx->free->next;
|
||||
+
|
||||
+ cl = ctx->free;
|
||||
+ ctx->out_buf = cl->buf;
|
||||
+ ctx->free = cl->next;
|
||||
+
|
||||
+ ngx_free_chain(r->pool, cl);
|
||||
|
||||
ctx->out_buf->flush = 0;
|
||||
|
||||
diff --git a/src/http/modules/ngx_http_gzip_filter_module.c b/src/http/modules/ngx_http_gzip_filter_module.c
|
||||
index b8c5ccc..1d17a6d 100644
|
||||
--- a/src/http/modules/ngx_http_gzip_filter_module.c
|
||||
+++ b/src/http/modules/ngx_http_gzip_filter_module.c
|
||||
@@ -978,10 +978,14 @@ static void
|
||||
ngx_http_gzip_filter_free_copy_buf(ngx_http_request_t *r,
|
||||
ngx_http_gzip_ctx_t *ctx)
|
||||
{
|
||||
- ngx_chain_t *cl;
|
||||
+ ngx_chain_t *cl, *ln;
|
||||
+
|
||||
+ for (cl = ctx->copied; cl; /* void */) {
|
||||
+ ln = cl;
|
||||
+ cl = cl->next;
|
||||
|
||||
- for (cl = ctx->copied; cl; cl = cl->next) {
|
||||
- ngx_pfree(r->pool, cl->buf->start);
|
||||
+ ngx_pfree(r->pool, ln->buf->start);
|
||||
+ ngx_free_chain(r->pool, ln);
|
||||
}
|
||||
|
||||
ctx->copied = NULL;
|
||||
diff --git a/src/http/modules/ngx_http_ssi_filter_module.c b/src/http/modules/ngx_http_ssi_filter_module.c
|
||||
index 6737965..a55f6e5 100644
|
||||
--- a/src/http/modules/ngx_http_ssi_filter_module.c
|
||||
+++ b/src/http/modules/ngx_http_ssi_filter_module.c
|
||||
@@ -455,9 +455,13 @@ ngx_http_ssi_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
|
||||
while (ctx->in || ctx->buf) {
|
||||
|
||||
if (ctx->buf == NULL) {
|
||||
- ctx->buf = ctx->in->buf;
|
||||
- ctx->in = ctx->in->next;
|
||||
+
|
||||
+ cl = ctx->in;
|
||||
+ ctx->buf = cl->buf;
|
||||
+ ctx->in = cl->next;
|
||||
ctx->pos = ctx->buf->pos;
|
||||
+
|
||||
+ ngx_free_chain(r->pool, cl);
|
||||
}
|
||||
|
||||
if (ctx->state == ssi_start_state) {
|
||||
diff --git a/src/http/modules/ngx_http_sub_filter_module.c b/src/http/modules/ngx_http_sub_filter_module.c
|
||||
index 6d3de59..456bb27 100644
|
||||
--- a/src/http/modules/ngx_http_sub_filter_module.c
|
||||
+++ b/src/http/modules/ngx_http_sub_filter_module.c
|
||||
@@ -335,9 +335,13 @@ ngx_http_sub_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
|
||||
while (ctx->in || ctx->buf) {
|
||||
|
||||
if (ctx->buf == NULL) {
|
||||
- ctx->buf = ctx->in->buf;
|
||||
- ctx->in = ctx->in->next;
|
||||
+
|
||||
+ cl = ctx->in;
|
||||
+ ctx->buf = cl->buf;
|
||||
+ ctx->in = cl->next;
|
||||
ctx->pos = ctx->buf->pos;
|
||||
+
|
||||
+ ngx_free_chain(r->pool, cl);
|
||||
}
|
||||
|
||||
if (ctx->buf->flush || ctx->buf->recycled) {
|
||||
--
|
||||
2.44.0
|
||||
|
@ -56,7 +56,7 @@
|
||||
Name: nginx
|
||||
Epoch: 1
|
||||
Version: 1.22.1
|
||||
Release: 4%{?dist}.alma.1
|
||||
Release: 8%{?dist}.alma.1
|
||||
|
||||
Summary: A high performance web server and reverse proxy server
|
||||
# BSD License (two clause)
|
||||
@ -111,6 +111,15 @@ Patch5: 0007-Enable-TLSv1.3-by-default.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2170808
|
||||
Patch6: 0008-add-ssl-pass-phrase-dialog.patch
|
||||
|
||||
# security fix - https://issues.redhat.com/browse/RHEL-12737
|
||||
Patch7: 0009-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch
|
||||
|
||||
# downstream patch - https://issues.redhat.com/browse/RHEL-40621
|
||||
Patch8: 0010-defer-ENGINE_finish-calls-to-a-cleanup.patch
|
||||
|
||||
# upstream patch - https://issues.redhat.com/browse/RHEL-40075
|
||||
Patch9: 0011-Optimized-chain-link-usage.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc
|
||||
BuildRequires: gnupg2
|
||||
@ -623,9 +632,21 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Fri Sep 29 2023 Eduard Abdullin <eabdullin@almalinux.org> - 1:1.22.1-4.alma.1
|
||||
* Tue Oct 01 2024 Eduard Abdullin <eabdullin@almalinux.org> - 1:1.22.1-8.alma.1
|
||||
- Debrand for AlmaLinux
|
||||
|
||||
* Tue Jul 16 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.22.1-8
|
||||
- Resolves: RHEL-49349 - nginx worker processes memory leak
|
||||
* Thu Jun 13 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.22.1-7
|
||||
- Resolves: RHEL-40621 - openssl 3.2 ENGINE regression in nginx
|
||||
|
||||
* Thu May 23 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.22.1-6
|
||||
- Resolves: RHEL-32650 - Nginx seg faults when proxy_ssl_certificate is set
|
||||
|
||||
* Mon Oct 16 2023 Luboš Uhliarik <luhliari@redhat.com> - 1:1.22.1-5
|
||||
- Resolves: RHEL-12737 - nginx:1.22/nginx: HTTP/2: Multiple HTTP/2 enabled web
|
||||
servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
|
||||
|
||||
* Mon Aug 07 2023 Luboš Uhliarik <luhliari@redhat.com> - 1:1.22.1-4
|
||||
- Resolves: #2170808 - Running nginx with systemctl and entering ssl
|
||||
private key's pass phrase
|
||||
|
Loading…
Reference in New Issue
Block a user