Resolves: RHEL-36755 - openssl 3.2 ENGINE regression
This commit is contained in:
parent
80ab6cb25c
commit
97f68c9c18
126
0009-defer-ENGINE_finish-calls-to-a-cleanup.patch
Normal file
126
0009-defer-ENGINE_finish-calls-to-a-cleanup.patch
Normal file
@ -0,0 +1,126 @@
|
|||||||
|
From f177201770c75e72ff9c4686b0488a1c4344140c Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
|
||||||
|
Date: Mon, 10 Jun 2024 18:22:34 +0200
|
||||||
|
Subject: [PATCH] defer ENGINE_finish() calls to a cleanup
|
||||||
|
|
||||||
|
---
|
||||||
|
src/event/ngx_event_openssl.c | 51 +++++++++++++++++++++++++++--------
|
||||||
|
1 file changed, 40 insertions(+), 11 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
|
||||||
|
index 2b3c576..b3f06ea 100644
|
||||||
|
--- a/src/event/ngx_event_openssl.c
|
||||||
|
+++ b/src/event/ngx_event_openssl.c
|
||||||
|
@@ -17,7 +17,7 @@ typedef struct {
|
||||||
|
ngx_uint_t engine; /* unsigned engine:1; */
|
||||||
|
} ngx_openssl_conf_t;
|
||||||
|
|
||||||
|
-
|
||||||
|
+static ngx_int_t ngx_ssl_engine_cleanup(void *data);
|
||||||
|
static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err,
|
||||||
|
ngx_str_t *cert, STACK_OF(X509) **chain);
|
||||||
|
static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
|
||||||
|
@@ -137,6 +137,15 @@ int ngx_ssl_certificate_name_index;
|
||||||
|
int ngx_ssl_stapling_index;
|
||||||
|
|
||||||
|
|
||||||
|
+static ngx_int_t
|
||||||
|
+ngx_ssl_engine_cleanup(void *data){
|
||||||
|
+ ENGINE *e = data;
|
||||||
|
+
|
||||||
|
+ ENGINE_finish(e);
|
||||||
|
+
|
||||||
|
+ return NGX_OK;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
ngx_int_t
|
||||||
|
ngx_ssl_init(ngx_log_t *log)
|
||||||
|
{
|
||||||
|
@@ -628,8 +637,9 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_ENGINE
|
||||||
|
|
||||||
|
- u_char *p, *last;
|
||||||
|
- ENGINE *engine;
|
||||||
|
+ u_char *p, *last;
|
||||||
|
+ ENGINE *engine;
|
||||||
|
+ ngx_pool_cleanup_t *cln;
|
||||||
|
|
||||||
|
p = cert->data + sizeof("engine:") - 1;
|
||||||
|
last = (u_char *) ngx_strchr(p, ':');
|
||||||
|
@@ -654,6 +664,16 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ cln = ngx_pool_cleanup_add(pool, 0);
|
||||||
|
+ if (cln == NULL) {
|
||||||
|
+ *err = "failed to add ENGINE cleanup";
|
||||||
|
+ ENGINE_free(engine);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ cln->handler = ngx_ssl_engine_cleanup;
|
||||||
|
+ cln->data = engine;
|
||||||
|
+
|
||||||
|
*last++ = ':';
|
||||||
|
|
||||||
|
struct {
|
||||||
|
@@ -667,7 +687,6 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
- ENGINE_finish(engine);
|
||||||
|
ENGINE_free(engine);
|
||||||
|
|
||||||
|
/* set chain to null */
|
||||||
|
@@ -775,11 +794,13 @@ static EVP_PKEY *
|
||||||
|
ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
|
||||||
|
ngx_str_t *key, ngx_array_t *passwords)
|
||||||
|
{
|
||||||
|
- BIO *bio;
|
||||||
|
- EVP_PKEY *pkey;
|
||||||
|
- ngx_str_t *pwd;
|
||||||
|
- ngx_uint_t tries;
|
||||||
|
- pem_password_cb *cb;
|
||||||
|
+ BIO *bio;
|
||||||
|
+ EVP_PKEY *pkey;
|
||||||
|
+ ngx_str_t *pwd;
|
||||||
|
+ ngx_uint_t tries;
|
||||||
|
+ pem_password_cb *cb;
|
||||||
|
+ ngx_pool_cleanup_t *cln;
|
||||||
|
+
|
||||||
|
|
||||||
|
if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {
|
||||||
|
|
||||||
|
@@ -811,18 +832,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ cln = ngx_pool_cleanup_add(pool, 0);
|
||||||
|
+ if (cln == NULL) {
|
||||||
|
+ *err = "failed to add ENGINE cleanup";
|
||||||
|
+ ENGINE_free(engine);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ cln->handler = ngx_ssl_engine_cleanup;
|
||||||
|
+ cln->data = engine;
|
||||||
|
+
|
||||||
|
*last++ = ':';
|
||||||
|
|
||||||
|
pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
|
||||||
|
|
||||||
|
if (pkey == NULL) {
|
||||||
|
*err = "ENGINE_load_private_key() failed";
|
||||||
|
- ENGINE_finish(engine);
|
||||||
|
ENGINE_free(engine);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
- ENGINE_finish(engine);
|
||||||
|
ENGINE_free(engine);
|
||||||
|
|
||||||
|
return pkey;
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
@ -41,7 +41,7 @@
|
|||||||
Name: nginx
|
Name: nginx
|
||||||
Epoch: 2
|
Epoch: 2
|
||||||
Version: 1.20.1
|
Version: 1.20.1
|
||||||
Release: 17%{?dist}
|
Release: 18%{?dist}
|
||||||
|
|
||||||
Summary: A high performance web server and reverse proxy server
|
Summary: A high performance web server and reverse proxy server
|
||||||
# BSD License (two clause)
|
# BSD License (two clause)
|
||||||
@ -94,6 +94,9 @@ Patch6: 0007-Enable-TLSv1.3-by-default.patch
|
|||||||
# security patch - https://issues.redhat.com/browse/RHEL-12518
|
# security patch - https://issues.redhat.com/browse/RHEL-12518
|
||||||
Patch7: 0008-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch
|
Patch7: 0008-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch
|
||||||
|
|
||||||
|
# downstream patch for RHEL - https://issues.redhat.com/browse/RHEL-40371
|
||||||
|
Patch8: 0009-defer-ENGINE_finish-calls-to-a-cleanup.patch
|
||||||
|
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: gnupg2
|
BuildRequires: gnupg2
|
||||||
@ -605,6 +608,9 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jun 10 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-18
|
||||||
|
- Resolves: RHEL-36755 - openssl 3.2 ENGINE regression
|
||||||
|
|
||||||
* Thu May 30 2024 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-17
|
* Thu May 30 2024 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-17
|
||||||
- bump package epoch to resolve RHEL-33939
|
- bump package epoch to resolve RHEL-33939
|
||||||
- Resolves: RHEL-33939 - Update path for nginx broken for existing CS
|
- Resolves: RHEL-33939 - Update path for nginx broken for existing CS
|
||||||
|
Loading…
Reference in New Issue
Block a user