diff --git a/0009-defer-ENGINE_finish-calls-to-a-cleanup.patch b/0009-defer-ENGINE_finish-calls-to-a-cleanup.patch new file mode 100644 index 0000000..3699d83 --- /dev/null +++ b/0009-defer-ENGINE_finish-calls-to-a-cleanup.patch @@ -0,0 +1,126 @@ +From f177201770c75e72ff9c4686b0488a1c4344140c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Mon, 10 Jun 2024 18:22:34 +0200 +Subject: [PATCH] defer ENGINE_finish() calls to a cleanup + +--- + src/event/ngx_event_openssl.c | 51 +++++++++++++++++++++++++++-------- + 1 file changed, 40 insertions(+), 11 deletions(-) + +diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c +index 2b3c576..b3f06ea 100644 +--- a/src/event/ngx_event_openssl.c ++++ b/src/event/ngx_event_openssl.c +@@ -17,7 +17,7 @@ typedef struct { + ngx_uint_t engine; /* unsigned engine:1; */ + } ngx_openssl_conf_t; + +- ++static ngx_int_t ngx_ssl_engine_cleanup(void *data); + static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, + ngx_str_t *cert, STACK_OF(X509) **chain); + static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, +@@ -137,6 +137,15 @@ int ngx_ssl_certificate_name_index; + int ngx_ssl_stapling_index; + + ++static ngx_int_t ++ngx_ssl_engine_cleanup(void *data){ ++ ENGINE *e = data; ++ ++ ENGINE_finish(e); ++ ++ return NGX_OK; ++} ++ + ngx_int_t + ngx_ssl_init(ngx_log_t *log) + { +@@ -628,8 +637,9 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, + + #ifndef OPENSSL_NO_ENGINE + +- u_char *p, *last; +- ENGINE *engine; ++ u_char *p, *last; ++ ENGINE *engine; ++ ngx_pool_cleanup_t *cln; + + p = cert->data + sizeof("engine:") - 1; + last = (u_char *) ngx_strchr(p, ':'); +@@ -654,6 +664,16 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, + return NULL; + } + ++ cln = ngx_pool_cleanup_add(pool, 0); ++ if (cln == NULL) { ++ *err = "failed to add ENGINE cleanup"; ++ ENGINE_free(engine); ++ return NULL; ++ } ++ ++ cln->handler = ngx_ssl_engine_cleanup; ++ cln->data = engine; ++ + *last++ = ':'; + + struct { +@@ -667,7 +687,6 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, + return NULL; + } + +- ENGINE_finish(engine); + ENGINE_free(engine); + + /* set chain to null */ +@@ -775,11 +794,13 @@ static EVP_PKEY * + ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, + ngx_str_t *key, ngx_array_t *passwords) + { +- BIO *bio; +- EVP_PKEY *pkey; +- ngx_str_t *pwd; +- ngx_uint_t tries; +- pem_password_cb *cb; ++ BIO *bio; ++ EVP_PKEY *pkey; ++ ngx_str_t *pwd; ++ ngx_uint_t tries; ++ pem_password_cb *cb; ++ ngx_pool_cleanup_t *cln; ++ + + if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) { + +@@ -811,18 +832,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, + return NULL; + } + ++ cln = ngx_pool_cleanup_add(pool, 0); ++ if (cln == NULL) { ++ *err = "failed to add ENGINE cleanup"; ++ ENGINE_free(engine); ++ return NULL; ++ } ++ ++ cln->handler = ngx_ssl_engine_cleanup; ++ cln->data = engine; ++ + *last++ = ':'; + + pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0); + + if (pkey == NULL) { + *err = "ENGINE_load_private_key() failed"; +- ENGINE_finish(engine); + ENGINE_free(engine); + return NULL; + } + +- ENGINE_finish(engine); + ENGINE_free(engine); + + return pkey; +-- +2.44.0 + diff --git a/nginx.spec b/nginx.spec index e19249d..e832a28 100644 --- a/nginx.spec +++ b/nginx.spec @@ -41,7 +41,7 @@ Name: nginx Epoch: 2 Version: 1.20.1 -Release: 17%{?dist} +Release: 18%{?dist} Summary: A high performance web server and reverse proxy server # BSD License (two clause) @@ -94,6 +94,9 @@ Patch6: 0007-Enable-TLSv1.3-by-default.patch # security patch - https://issues.redhat.com/browse/RHEL-12518 Patch7: 0008-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch +# downstream patch for RHEL - https://issues.redhat.com/browse/RHEL-40371 +Patch8: 0009-defer-ENGINE_finish-calls-to-a-cleanup.patch + BuildRequires: make BuildRequires: gcc BuildRequires: gnupg2 @@ -605,6 +608,9 @@ fi %changelog +* Mon Jun 10 2024 Luboš Uhliarik - 1:1.20.1-18 +- Resolves: RHEL-36755 - openssl 3.2 ENGINE regression + * Thu May 30 2024 Luboš Uhliarik - 2:1.20.1-17 - bump package epoch to resolve RHEL-33939 - Resolves: RHEL-33939 - Update path for nginx broken for existing CS