Resolves: RHEL-36755 - openssl 3.2 ENGINE regression

This commit is contained in:
Luboš Uhliarik 2024-06-10 18:26:07 +02:00
parent 80ab6cb25c
commit 97f68c9c18
2 changed files with 133 additions and 1 deletions

View File

@ -0,0 +1,126 @@
From f177201770c75e72ff9c4686b0488a1c4344140c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
Date: Mon, 10 Jun 2024 18:22:34 +0200
Subject: [PATCH] defer ENGINE_finish() calls to a cleanup
---
src/event/ngx_event_openssl.c | 51 +++++++++++++++++++++++++++--------
1 file changed, 40 insertions(+), 11 deletions(-)
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 2b3c576..b3f06ea 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -17,7 +17,7 @@ typedef struct {
ngx_uint_t engine; /* unsigned engine:1; */
} ngx_openssl_conf_t;
-
+static ngx_int_t ngx_ssl_engine_cleanup(void *data);
static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err,
ngx_str_t *cert, STACK_OF(X509) **chain);
static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
@@ -137,6 +137,15 @@ int ngx_ssl_certificate_name_index;
int ngx_ssl_stapling_index;
+static ngx_int_t
+ngx_ssl_engine_cleanup(void *data){
+ ENGINE *e = data;
+
+ ENGINE_finish(e);
+
+ return NGX_OK;
+}
+
ngx_int_t
ngx_ssl_init(ngx_log_t *log)
{
@@ -628,8 +637,9 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
#ifndef OPENSSL_NO_ENGINE
- u_char *p, *last;
- ENGINE *engine;
+ u_char *p, *last;
+ ENGINE *engine;
+ ngx_pool_cleanup_t *cln;
p = cert->data + sizeof("engine:") - 1;
last = (u_char *) ngx_strchr(p, ':');
@@ -654,6 +664,16 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
return NULL;
}
+ cln = ngx_pool_cleanup_add(pool, 0);
+ if (cln == NULL) {
+ *err = "failed to add ENGINE cleanup";
+ ENGINE_free(engine);
+ return NULL;
+ }
+
+ cln->handler = ngx_ssl_engine_cleanup;
+ cln->data = engine;
+
*last++ = ':';
struct {
@@ -667,7 +687,6 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
return NULL;
}
- ENGINE_finish(engine);
ENGINE_free(engine);
/* set chain to null */
@@ -775,11 +794,13 @@ static EVP_PKEY *
ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
ngx_str_t *key, ngx_array_t *passwords)
{
- BIO *bio;
- EVP_PKEY *pkey;
- ngx_str_t *pwd;
- ngx_uint_t tries;
- pem_password_cb *cb;
+ BIO *bio;
+ EVP_PKEY *pkey;
+ ngx_str_t *pwd;
+ ngx_uint_t tries;
+ pem_password_cb *cb;
+ ngx_pool_cleanup_t *cln;
+
if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {
@@ -811,18 +832,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
return NULL;
}
+ cln = ngx_pool_cleanup_add(pool, 0);
+ if (cln == NULL) {
+ *err = "failed to add ENGINE cleanup";
+ ENGINE_free(engine);
+ return NULL;
+ }
+
+ cln->handler = ngx_ssl_engine_cleanup;
+ cln->data = engine;
+
*last++ = ':';
pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
if (pkey == NULL) {
*err = "ENGINE_load_private_key() failed";
- ENGINE_finish(engine);
ENGINE_free(engine);
return NULL;
}
- ENGINE_finish(engine);
ENGINE_free(engine);
return pkey;
--
2.44.0

View File

@ -41,7 +41,7 @@
Name: nginx Name: nginx
Epoch: 2 Epoch: 2
Version: 1.20.1 Version: 1.20.1
Release: 17%{?dist} Release: 18%{?dist}
Summary: A high performance web server and reverse proxy server Summary: A high performance web server and reverse proxy server
# BSD License (two clause) # BSD License (two clause)
@ -94,6 +94,9 @@ Patch6: 0007-Enable-TLSv1.3-by-default.patch
# security patch - https://issues.redhat.com/browse/RHEL-12518 # security patch - https://issues.redhat.com/browse/RHEL-12518
Patch7: 0008-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch Patch7: 0008-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch
# downstream patch for RHEL - https://issues.redhat.com/browse/RHEL-40371
Patch8: 0009-defer-ENGINE_finish-calls-to-a-cleanup.patch
BuildRequires: make BuildRequires: make
BuildRequires: gcc BuildRequires: gcc
BuildRequires: gnupg2 BuildRequires: gnupg2
@ -605,6 +608,9 @@ fi
%changelog %changelog
* Mon Jun 10 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-18
- Resolves: RHEL-36755 - openssl 3.2 ENGINE regression
* Thu May 30 2024 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-17 * Thu May 30 2024 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-17
- bump package epoch to resolve RHEL-33939 - bump package epoch to resolve RHEL-33939
- Resolves: RHEL-33939 - Update path for nginx broken for existing CS - Resolves: RHEL-33939 - Update path for nginx broken for existing CS