From 97f68c9c185fe7669922634c7f0a82fc1a8a98c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
Date: Mon, 10 Jun 2024 18:26:07 +0200
Subject: [PATCH] Resolves: RHEL-36755 - openssl 3.2 ENGINE regression
---
 ...fer-ENGINE_finish-calls-to-a-cleanup.patch | 126 ++++++++++++++++++
 nginx.spec | 8 +-
 2 files changed, 133 insertions(+), 1 deletion(-)
 create mode 100644 0009-defer-ENGINE_finish-calls-to-a-cleanup.patch
diff --git a/0009-defer-ENGINE_finish-calls-to-a-cleanup.patch b/0009-defer-ENGINE_finish-calls-to-a-cleanup.patch
new file mode 100644
index 0000000..3699d83
--- /dev/null
+++ b/0009-defer-ENGINE_finish-calls-to-a-cleanup.patch
@@ -0,0 +1,126 @@
+From f177201770c75e72ff9c4686b0488a1c4344140c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
+Date: Mon, 10 Jun 2024 18:22:34 +0200
+Subject: [PATCH] defer ENGINE_finish() calls to a cleanup
+
+---
+ src/event/ngx_event_openssl.c | 51 +++++++++++++++++++++++++++--------
+ 1 file changed, 40 insertions(+), 11 deletions(-)
+
+diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
+index 2b3c576..b3f06ea 100644
+--- a/src/event/ngx_event_openssl.c
++++ b/src/event/ngx_event_openssl.c
+@@ -17,7 +17,7 @@ typedef struct {
+ ngx_uint_t engine; /* unsigned engine:1; */
+ } ngx_openssl_conf_t;
+
+-
++static ngx_int_t ngx_ssl_engine_cleanup(void *data);
+ static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err,
+ ngx_str_t *cert, STACK_OF(X509) **chain);
+ static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
+@@ -137,6 +137,15 @@ int ngx_ssl_certificate_name_index;
+ int ngx_ssl_stapling_index;
+
+
++static ngx_int_t
++ngx_ssl_engine_cleanup(void *data){
++ ENGINE *e = data;
++
++ ENGINE_finish(e);
++
++ return NGX_OK;
++}
++
+ ngx_int_t
+ ngx_ssl_init(ngx_log_t *log)
+ {
+@@ -628,8 +637,9 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
+
+ #ifndef OPENSSL_NO_ENGINE
+
+- u_char *p, *last;
+- ENGINE *engine;
++ u_char *p, *last;
++ ENGINE *engine;
++ ngx_pool_cleanup_t *cln;
+
+ p = cert->data + sizeof("engine:") - 1;
+ last = (u_char *) ngx_strchr(p, ':');
+@@ -654,6 +664,16 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
+ return NULL;
+ }
+
++ cln = ngx_pool_cleanup_add(pool, 0);
++ if (cln == NULL) {
++ *err = "failed to add ENGINE cleanup";
++ ENGINE_free(engine);
++ return NULL;
++ }
++
++ cln->handler = ngx_ssl_engine_cleanup;
++ cln->data = engine;
++
+ *last++ = ':';
+
+ struct {
+@@ -667,7 +687,6 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
+ return NULL;
+ }
+
+- ENGINE_finish(engine);
+ ENGINE_free(engine);
+
+ /* set chain to null */
+@@ -775,11 +794,13 @@ static EVP_PKEY *
+ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
+ ngx_str_t *key, ngx_array_t *passwords)
+ {
+- BIO *bio;
+- EVP_PKEY *pkey;
+- ngx_str_t *pwd;
+- ngx_uint_t tries;
+- pem_password_cb *cb;
++ BIO *bio;
++ EVP_PKEY *pkey;
++ ngx_str_t *pwd;
++ ngx_uint_t tries;
++ pem_password_cb *cb;
++ ngx_pool_cleanup_t *cln;
++
+
+ if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {
+
+@@ -811,18 +832,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
+ return NULL;
+ }
+
++ cln = ngx_pool_cleanup_add(pool, 0);
++ if (cln == NULL) {
++ *err = "failed to add ENGINE cleanup";
++ ENGINE_free(engine);
++ return NULL;
++ }
++
++ cln->handler = ngx_ssl_engine_cleanup;
++ cln->data = engine;
++
+ *last++ = ':';
+
+ pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
+
+ if (pkey == NULL) {
+ *err = "ENGINE_load_private_key() failed";
+- ENGINE_finish(engine);
+ ENGINE_free(engine);
+ return NULL;
+ }
+
+- ENGINE_finish(engine);
+ ENGINE_free(engine);
+
+ return pkey;
+--
+2.44.0
+
diff --git a/nginx.spec b/nginx.spec
index e19249d..e832a28 100644
--- a/nginx.spec
+++ b/nginx.spec
@@ -41,7 +41,7 @@
 Name: nginx
 Epoch: 2
 Version: 1.20.1
-Release: 17%{?dist}
+Release: 18%{?dist}
 Summary: A high performance web server and reverse proxy server
 # BSD License (two clause)
@@ -94,6 +94,9 @@ Patch6: 0007-Enable-TLSv1.3-by-default.patch
 # security patch - https://issues.redhat.com/browse/RHEL-12518
 Patch7: 0008-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch
+# downstream patch for RHEL - https://issues.redhat.com/browse/RHEL-40371
+Patch8: 0009-defer-ENGINE_finish-calls-to-a-cleanup.patch
+
 BuildRequires: make
 BuildRequires: gcc
 BuildRequires: gnupg2
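Review bot: `ngx_ssl_engine_cleanup` is declared and defined as returning `ngx_int_t`, but `cln->handler` is an `ngx_pool_cleanup_pt`, which nginx declares as `void (*)(void *data)`, so the assignment is an incompatible-pointer-type conversion and the pool ends up calling the handler through a different function type; make it `static void ngx_ssl_engine_cleanup(void *data)` in both the forward declaration and the definition and drop `return NGX_OK;`. In the `cln == NULL` branch added to ngx_ssl_load_certificate (and the identical one in ngx_ssl_load_certificate_key), the engine appears to have been initialised already — the error return just above the hunk looks like the ENGINE_init() failure path of the surrounding code, which lies outside the hunk — so returning with only `ENGINE_free(engine)` drops the functional reference that the deferred cleanup was introduced to release; nothing has been loaded from the engine yet on that path, so `ENGINE_finish(engine); ENGINE_free(engine);` is safe there. Minor style points: nginx places the opening brace of a function definition on its own line (`ngx_ssl_engine_cleanup(void *data){`), and the declaration block of ngx_ssl_load_certificate_key gains a second consecutive blank line. Both enclosing functions start and end outside their hunks.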
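Review bot: The comment added above `Patch8:` points at RHEL-40371, while the commit subject and the new changelog entry cite RHEL-36755, so a reader following the link lands on a different ticket than the one the build claims to resolve; if both tickets apply, list both, otherwise align the comment with the subject. The changelog hunk further down also writes the new release as `1:1.20.1-18` although the spec sets `Epoch: 2` and the preceding entry reads `2:1.20.1-17`; rpmlint is likely to flag that as an incoherent changelog version, and the entry should read `2:1.20.1-18`.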
@@ -605,6 +608,9 @@ fi
 %changelog
+* Mon Jun 10 2024 Luboš Uhliarik - 1:1.20.1-18
+- Resolves: RHEL-36755 - openssl 3.2 ENGINE regression
+
 * Thu May 30 2024 Luboš Uhliarik - 2:1.20.1-17
+- bump package epoch to resolve RHEL-33939
+- Resolves: RHEL-33939 - Update path for nginx broken for existing CS