From d3764cc0a08c9881bb9041fac518fd10d10bfb52 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 1 Oct 2024 06:36:59 +0000 Subject: [PATCH] import CS nginx-1.24.0-4.module_el9+1087+9adf8b0f --- SOURCES/0008-add-ssl-pass-phrase-dialog.patch | 80 +++++--- ...fer-ENGINE_finish-calls-to-a-cleanup.patch | 126 ++++++++++++ SOURCES/0011-Optimized-chain-link-usage.patch | 183 ++++++++++++++++++ SPECS/nginx.spec | 17 +- 4 files changed, 379 insertions(+), 27 deletions(-) create mode 100644 SOURCES/0010-defer-ENGINE_finish-calls-to-a-cleanup.patch create mode 100644 SOURCES/0011-Optimized-chain-link-usage.patch diff --git a/SOURCES/0008-add-ssl-pass-phrase-dialog.patch b/SOURCES/0008-add-ssl-pass-phrase-dialog.patch index 6e5986b..b698cc8 100644 --- a/SOURCES/0008-add-ssl-pass-phrase-dialog.patch +++ b/SOURCES/0008-add-ssl-pass-phrase-dialog.patch @@ -1,3 +1,24 @@ +From a8cae4e95ba8b5f38c68f23502f1603af8a76c58 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Thu, 23 May 2024 16:18:35 +0200 +Subject: [PATCH] Add ssl-pass-phrase-dialog + +--- + contrib/vim/syntax/nginx.vim | 1 + + src/event/ngx_event_openssl.c | 133 ++++++++++++++++++++--- + src/event/ngx_event_openssl.h | 15 ++- + src/http/modules/ngx_http_grpc_module.c | 2 +- + src/http/modules/ngx_http_proxy_module.c | 2 +- + src/http/modules/ngx_http_ssl_module.c | 76 ++++++++++++- + src/http/modules/ngx_http_ssl_module.h | 2 + + src/http/modules/ngx_http_uwsgi_module.c | 2 +- + src/mail/ngx_mail_ssl_module.c | 68 +++++++++++- + src/mail/ngx_mail_ssl_module.h | 2 + + src/stream/ngx_stream_proxy_module.c | 2 +- + src/stream/ngx_stream_ssl_module.c | 62 ++++++++++- + src/stream/ngx_stream_ssl_module.h | 2 + + 13 files changed, 344 insertions(+), 25 deletions(-) + diff --git a/contrib/vim/syntax/nginx.vim b/contrib/vim/syntax/nginx.vim index 7d587fc..15b21e2 100644 --- a/contrib/vim/syntax/nginx.vim @@ -11,7 +32,7 @@ index 7d587fc..15b21e2 100644 syn keyword ngxDirective contained ssl_preread syn keyword ngxDirective contained ssl_protocols diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c -index 104e8da..8cf777e 100644 +index 7b69f3f..3519831 100644 --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -9,9 +9,8 @@ @@ -49,7 +70,7 @@ index 104e8da..8cf777e 100644 static void *ngx_openssl_create_conf(ngx_cycle_t *cycle); static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); static void ngx_openssl_exit(ngx_cycle_t *cycle); -@@ -398,7 +403,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) +@@ -405,7 +410,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) ngx_int_t ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs, @@ -58,7 +79,7 @@ index 104e8da..8cf777e 100644 { ngx_str_t *cert, *key; ngx_uint_t i; -@@ -408,7 +413,7 @@ ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs, +@@ -415,7 +420,7 @@ ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs, for (i = 0; i < certs->nelts; i++) { @@ -67,7 +88,7 @@ index 104e8da..8cf777e 100644 != NGX_OK) { return NGX_ERROR; -@@ -421,12 +426,13 @@ ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs, +@@ -428,12 +433,13 @@ ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs, ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, @@ -82,7 +103,7 @@ index 104e8da..8cf777e 100644 x509 = ngx_ssl_load_certificate(cf->pool, &err, cert, &chain); if (x509 == NULL) { -@@ -516,8 +522,19 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, +@@ -523,8 +529,23 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, } #endif @@ -94,7 +115,11 @@ index 104e8da..8cf777e 100644 + "X509_get_pubkey() failed"); + return NGX_ERROR; + } -+ dlg->cryptosystem = EVP_PKEY_get_base_id(pubkey); ++ ++ if (dlg) { ++ dlg->cryptosystem = EVP_PKEY_get_base_id(pubkey); ++ } ++ + EVP_PKEY_free(pubkey); + + pkey = ngx_ssl_load_certificate_key(cf->pool, &err, key, passwords, dlg); @@ -104,7 +129,7 @@ index 104e8da..8cf777e 100644 if (err != NULL) { ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "cannot load certificate key \"%s\": %s", -@@ -587,7 +604,7 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool, +@@ -594,7 +615,7 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool, #endif @@ -113,7 +138,7 @@ index 104e8da..8cf777e 100644 if (pkey == NULL) { if (err != NULL) { ngx_ssl_error(NGX_LOG_ERR, c->log, 0, -@@ -700,10 +717,81 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, +@@ -772,10 +793,81 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, return x509; } @@ -197,7 +222,7 @@ index 104e8da..8cf777e 100644 { BIO *bio; EVP_PKEY *pkey; -@@ -791,11 +879,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, +@@ -871,11 +963,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, tries = 1; pwd = NULL; cb = NULL; @@ -226,7 +251,7 @@ index 104e8da..8cf777e 100644 break; } diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h -index 860ea26..41f4501 100644 +index 7759e1a..a346792 100644 --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -74,9 +74,19 @@ @@ -257,7 +282,7 @@ index 860ea26..41f4501 100644 struct ngx_ssl_connection_s { ngx_ssl_conn_t *connection; SSL_CTX *session_ctx; -@@ -184,9 +193,9 @@ ngx_int_t ngx_ssl_init(ngx_log_t *log); +@@ -185,9 +194,9 @@ ngx_int_t ngx_ssl_init(ngx_log_t *log); ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data); ngx_int_t ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, @@ -296,7 +321,7 @@ index 9cc202c..2c938d7 100644 { return NGX_ERROR; diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c -index 4c4a598..a147054 100644 +index f1fae50..ad7e3fe 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -17,8 +17,9 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, @@ -361,7 +386,7 @@ index 4c4a598..a147054 100644 ngx_pool_cleanup_t *cln; -@@ -674,6 +689,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) +@@ -671,6 +686,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) ngx_conf_merge_str_value(conf->stapling_responder, prev->stapling_responder, ""); @@ -371,7 +396,7 @@ index 4c4a598..a147054 100644 conf->ssl.log = cf->log; if (conf->enable) { -@@ -736,6 +754,30 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) +@@ -733,6 +751,30 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) cln->handler = ngx_ssl_cleanup_ctx; cln->data = &conf->ssl; @@ -402,7 +427,7 @@ index 4c4a598..a147054 100644 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, -@@ -786,7 +828,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) +@@ -783,7 +825,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) /* configure certificates */ if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, @@ -411,7 +436,7 @@ index 4c4a598..a147054 100644 != NGX_OK) { return NGX_CONF_ERROR; -@@ -1335,3 +1377,31 @@ ngx_http_ssl_init(ngx_conf_t *cf) +@@ -1332,3 +1374,31 @@ ngx_http_ssl_init(ngx_conf_t *cf) return NGX_OK; } @@ -470,7 +495,7 @@ index e4f721b..61efa99 100644 { return NGX_ERROR; diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c -index 28737ac..728181d 100644 +index 01a04c8..066aef8 100644 --- a/src/mail/ngx_mail_ssl_module.c +++ b/src/mail/ngx_mail_ssl_module.c @@ -13,6 +13,7 @@ @@ -513,7 +538,7 @@ index 28737ac..728181d 100644 char *mode; ngx_pool_cleanup_t *cln; -@@ -388,6 +400,8 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) +@@ -385,6 +397,8 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL); @@ -522,7 +547,7 @@ index 28737ac..728181d 100644 conf->ssl.log = cf->log; -@@ -449,6 +463,29 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) +@@ -446,6 +460,29 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) cln->handler = ngx_ssl_cleanup_ctx; cln->data = &conf->ssl; @@ -552,7 +577,7 @@ index 28737ac..728181d 100644 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_mail_ssl_alpn_select, NULL); #endif -@@ -461,7 +498,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) +@@ -458,7 +495,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) } if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, @@ -561,7 +586,7 @@ index 28737ac..728181d 100644 != NGX_OK) { return NGX_CONF_ERROR; -@@ -745,3 +782,32 @@ ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data) +@@ -742,3 +779,32 @@ ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data) return NGX_CONF_OK; #endif } @@ -621,7 +646,7 @@ index ed275c0..1747aed 100644 { return NGX_ERROR; diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c -index 1ba1825..ba70547 100644 +index c692884..a4c14ec 100644 --- a/src/stream/ngx_stream_ssl_module.c +++ b/src/stream/ngx_stream_ssl_module.c @@ -17,6 +17,8 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, @@ -665,7 +690,7 @@ index 1ba1825..ba70547 100644 ngx_pool_cleanup_t *cln; -@@ -732,6 +745,8 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) +@@ -729,6 +742,8 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL); @@ -674,7 +699,7 @@ index 1ba1825..ba70547 100644 conf->ssl.log = cf->log; -@@ -779,6 +794,23 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) +@@ -776,6 +791,23 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) cln->handler = ngx_ssl_cleanup_ctx; cln->data = &conf->ssl; @@ -698,7 +723,7 @@ index 1ba1825..ba70547 100644 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, ngx_stream_ssl_servername); -@@ -823,7 +855,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) +@@ -820,7 +852,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) /* configure certificates */ if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, @@ -707,7 +732,7 @@ index 1ba1825..ba70547 100644 != NGX_OK) { return NGX_CONF_ERROR; -@@ -1209,3 +1241,31 @@ ngx_stream_ssl_init(ngx_conf_t *cf) +@@ -1206,3 +1238,31 @@ ngx_stream_ssl_init(ngx_conf_t *cf) return NGX_OK; } @@ -752,3 +777,6 @@ index e7c825e..d80daa4 100644 } ngx_stream_ssl_conf_t; +-- +2.44.0 + diff --git a/SOURCES/0010-defer-ENGINE_finish-calls-to-a-cleanup.patch b/SOURCES/0010-defer-ENGINE_finish-calls-to-a-cleanup.patch new file mode 100644 index 0000000..030c34a --- /dev/null +++ b/SOURCES/0010-defer-ENGINE_finish-calls-to-a-cleanup.patch @@ -0,0 +1,126 @@ +From e0e6437b1f1c723a52ac26a7e700113753331ecd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Thu, 13 Jun 2024 17:44:28 +0200 +Subject: [PATCH] defer ENGINE_finish() calls to a cleanup + +--- + src/event/ngx_event_openssl.c | 51 +++++++++++++++++++++++++++-------- + 1 file changed, 40 insertions(+), 11 deletions(-) + +diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c +index fb05ab9..3e06791 100644 +--- a/src/event/ngx_event_openssl.c ++++ b/src/event/ngx_event_openssl.c +@@ -16,7 +16,7 @@ typedef struct { + ngx_uint_t engine; /* unsigned engine:1; */ + } ngx_openssl_conf_t; + +- ++static ngx_int_t ngx_ssl_engine_cleanup(void *data); + static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, + ngx_str_t *cert, STACK_OF(X509) **chain); + static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool, +@@ -144,6 +144,15 @@ int ngx_ssl_certificate_name_index; + int ngx_ssl_stapling_index; + + ++static ngx_int_t ++ngx_ssl_engine_cleanup(void *data){ ++ ENGINE *e = data; ++ ++ ENGINE_finish(e); ++ ++ return NGX_OK; ++} ++ + ngx_int_t + ngx_ssl_init(ngx_log_t *log) + { +@@ -650,8 +659,9 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, + + #ifndef OPENSSL_NO_ENGINE + +- u_char *p, *last; +- ENGINE *engine; ++ u_char *p, *last; ++ ENGINE *engine; ++ ngx_pool_cleanup_t *cln; + + p = cert->data + sizeof("engine:") - 1; + last = (u_char *) ngx_strchr(p, ':'); +@@ -676,6 +686,16 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, + return NULL; + } + ++ cln = ngx_pool_cleanup_add(pool, 0); ++ if (cln == NULL) { ++ *err = "failed to add ENGINE cleanup"; ++ ENGINE_free(engine); ++ return NULL; ++ } ++ ++ cln->handler = ngx_ssl_engine_cleanup; ++ cln->data = engine; ++ + *last++ = ':'; + + struct { +@@ -689,7 +709,6 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, + return NULL; + } + +- ENGINE_finish(engine); + ENGINE_free(engine); + + /* set chain to null */ +@@ -868,11 +887,13 @@ ngx_ssl_pass_phrase_callback(char *buf, int bufsize, int rwflag, void *u) + static EVP_PKEY * + ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, ngx_str_t *key, ngx_array_t *passwords, ngx_ssl_ppdialog_conf_t *dlg) + { +- BIO *bio; +- EVP_PKEY *pkey; +- ngx_str_t *pwd; +- ngx_uint_t tries; +- pem_password_cb *cb; ++ BIO *bio; ++ EVP_PKEY *pkey; ++ ngx_str_t *pwd; ++ ngx_uint_t tries; ++ pem_password_cb *cb; ++ ngx_pool_cleanup_t *cln; ++ + + if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) { + +@@ -904,18 +925,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, ngx_str_t *key, ngx_a + return NULL; + } + ++ cln = ngx_pool_cleanup_add(pool, 0); ++ if (cln == NULL) { ++ *err = "failed to add ENGINE cleanup"; ++ ENGINE_free(engine); ++ return NULL; ++ } ++ ++ cln->handler = ngx_ssl_engine_cleanup; ++ cln->data = engine; ++ + *last++ = ':'; + + pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0); + + if (pkey == NULL) { + *err = "ENGINE_load_private_key() failed"; +- ENGINE_finish(engine); + ENGINE_free(engine); + return NULL; + } + +- ENGINE_finish(engine); + ENGINE_free(engine); + + return pkey; +-- +2.44.0 + diff --git a/SOURCES/0011-Optimized-chain-link-usage.patch b/SOURCES/0011-Optimized-chain-link-usage.patch new file mode 100644 index 0000000..afbd7aa --- /dev/null +++ b/SOURCES/0011-Optimized-chain-link-usage.patch @@ -0,0 +1,183 @@ +From f3bcc0bcfb6eda3f4874fe2531d546ba724c518c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Wed, 12 Jun 2024 12:49:28 +0200 +Subject: [PATCH] Optimized chain link usage + +Previously chain links could sometimes be dropped instead of being reused, +which could result in increased memory consumption during long requests. +--- + src/core/ngx_output_chain.c | 10 ++++++++-- + src/http/modules/ngx_http_grpc_module.c | 5 ++++- + .../modules/ngx_http_gunzip_filter_module.c | 18 ++++++++++++++---- + src/http/modules/ngx_http_gzip_filter_module.c | 10 +++++++--- + src/http/modules/ngx_http_ssi_filter_module.c | 8 ++++++-- + src/http/modules/ngx_http_sub_filter_module.c | 8 ++++++-- + 6 files changed, 45 insertions(+), 14 deletions(-) + +diff --git a/src/core/ngx_output_chain.c b/src/core/ngx_output_chain.c +index 5c3dbe8..4aa1b02 100644 +--- a/src/core/ngx_output_chain.c ++++ b/src/core/ngx_output_chain.c +@@ -121,7 +121,10 @@ ngx_output_chain(ngx_output_chain_ctx_t *ctx, ngx_chain_t *in) + + ngx_debug_point(); + +- ctx->in = ctx->in->next; ++ cl = ctx->in; ++ ctx->in = cl->next; ++ ++ ngx_free_chain(ctx->pool, cl); + + continue; + } +@@ -207,7 +210,10 @@ ngx_output_chain(ngx_output_chain_ctx_t *ctx, ngx_chain_t *in) + /* delete the completed buf from the ctx->in chain */ + + if (ngx_buf_size(ctx->in->buf) == 0) { +- ctx->in = ctx->in->next; ++ cl = ctx->in; ++ ctx->in = cl->next; ++ ++ ngx_free_chain(ctx->pool, cl); + } + + cl = ngx_alloc_chain_link(ctx->pool); +diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c +index 53bc547..9f13089 100644 +--- a/src/http/modules/ngx_http_grpc_module.c ++++ b/src/http/modules/ngx_http_grpc_module.c +@@ -1230,7 +1230,7 @@ ngx_http_grpc_body_output_filter(void *data, ngx_chain_t *in) + ngx_buf_t *b; + ngx_int_t rc; + ngx_uint_t next, last; +- ngx_chain_t *cl, *out, **ll; ++ ngx_chain_t *cl, *out, *ln, **ll; + ngx_http_upstream_t *u; + ngx_http_grpc_ctx_t *ctx; + ngx_http_grpc_frame_t *f; +@@ -1458,7 +1458,10 @@ ngx_http_grpc_body_output_filter(void *data, ngx_chain_t *in) + last = 1; + } + ++ ln = in; + in = in->next; ++ ++ ngx_free_chain(r->pool, ln); + } + + ctx->in = in; +diff --git a/src/http/modules/ngx_http_gunzip_filter_module.c b/src/http/modules/ngx_http_gunzip_filter_module.c +index c1341f5..5d170a1 100644 +--- a/src/http/modules/ngx_http_gunzip_filter_module.c ++++ b/src/http/modules/ngx_http_gunzip_filter_module.c +@@ -333,6 +333,8 @@ static ngx_int_t + ngx_http_gunzip_filter_add_data(ngx_http_request_t *r, + ngx_http_gunzip_ctx_t *ctx) + { ++ ngx_chain_t *cl; ++ + if (ctx->zstream.avail_in || ctx->flush != Z_NO_FLUSH || ctx->redo) { + return NGX_OK; + } +@@ -344,8 +346,11 @@ ngx_http_gunzip_filter_add_data(ngx_http_request_t *r, + return NGX_DECLINED; + } + +- ctx->in_buf = ctx->in->buf; +- ctx->in = ctx->in->next; ++ cl = ctx->in; ++ ctx->in_buf = cl->buf; ++ ctx->in = cl->next; ++ ++ ngx_free_chain(r->pool, cl); + + ctx->zstream.next_in = ctx->in_buf->pos; + ctx->zstream.avail_in = ctx->in_buf->last - ctx->in_buf->pos; +@@ -374,6 +379,7 @@ static ngx_int_t + ngx_http_gunzip_filter_get_buf(ngx_http_request_t *r, + ngx_http_gunzip_ctx_t *ctx) + { ++ ngx_chain_t *cl; + ngx_http_gunzip_conf_t *conf; + + if (ctx->zstream.avail_out) { +@@ -383,8 +389,12 @@ ngx_http_gunzip_filter_get_buf(ngx_http_request_t *r, + conf = ngx_http_get_module_loc_conf(r, ngx_http_gunzip_filter_module); + + if (ctx->free) { +- ctx->out_buf = ctx->free->buf; +- ctx->free = ctx->free->next; ++ ++ cl = ctx->free; ++ ctx->out_buf = cl->buf; ++ ctx->free = cl->next; ++ ++ ngx_free_chain(r->pool, cl); + + ctx->out_buf->flush = 0; + +diff --git a/src/http/modules/ngx_http_gzip_filter_module.c b/src/http/modules/ngx_http_gzip_filter_module.c +index b8c5ccc..1d17a6d 100644 +--- a/src/http/modules/ngx_http_gzip_filter_module.c ++++ b/src/http/modules/ngx_http_gzip_filter_module.c +@@ -978,10 +978,14 @@ static void + ngx_http_gzip_filter_free_copy_buf(ngx_http_request_t *r, + ngx_http_gzip_ctx_t *ctx) + { +- ngx_chain_t *cl; ++ ngx_chain_t *cl, *ln; ++ ++ for (cl = ctx->copied; cl; /* void */) { ++ ln = cl; ++ cl = cl->next; + +- for (cl = ctx->copied; cl; cl = cl->next) { +- ngx_pfree(r->pool, cl->buf->start); ++ ngx_pfree(r->pool, ln->buf->start); ++ ngx_free_chain(r->pool, ln); + } + + ctx->copied = NULL; +diff --git a/src/http/modules/ngx_http_ssi_filter_module.c b/src/http/modules/ngx_http_ssi_filter_module.c +index 6737965..a55f6e5 100644 +--- a/src/http/modules/ngx_http_ssi_filter_module.c ++++ b/src/http/modules/ngx_http_ssi_filter_module.c +@@ -455,9 +455,13 @@ ngx_http_ssi_body_filter(ngx_http_request_t *r, ngx_chain_t *in) + while (ctx->in || ctx->buf) { + + if (ctx->buf == NULL) { +- ctx->buf = ctx->in->buf; +- ctx->in = ctx->in->next; ++ ++ cl = ctx->in; ++ ctx->buf = cl->buf; ++ ctx->in = cl->next; + ctx->pos = ctx->buf->pos; ++ ++ ngx_free_chain(r->pool, cl); + } + + if (ctx->state == ssi_start_state) { +diff --git a/src/http/modules/ngx_http_sub_filter_module.c b/src/http/modules/ngx_http_sub_filter_module.c +index 6d3de59..456bb27 100644 +--- a/src/http/modules/ngx_http_sub_filter_module.c ++++ b/src/http/modules/ngx_http_sub_filter_module.c +@@ -335,9 +335,13 @@ ngx_http_sub_body_filter(ngx_http_request_t *r, ngx_chain_t *in) + while (ctx->in || ctx->buf) { + + if (ctx->buf == NULL) { +- ctx->buf = ctx->in->buf; +- ctx->in = ctx->in->next; ++ ++ cl = ctx->in; ++ ctx->buf = cl->buf; ++ ctx->in = cl->next; + ctx->pos = ctx->buf->pos; ++ ++ ngx_free_chain(r->pool, cl); + } + + if (ctx->buf->flush || ctx->buf->recycled) { +-- +2.44.0 + diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec index 8504552..7b8dd2a 100644 --- a/SPECS/nginx.spec +++ b/SPECS/nginx.spec @@ -56,7 +56,7 @@ Name: nginx Epoch: 1 Version: 1.24.0 -Release: 1%{?dist} +Release: 4%{?dist} Summary: A high performance web server and reverse proxy server # BSD License (two clause) @@ -114,6 +114,12 @@ Patch6: 0008-add-ssl-pass-phrase-dialog.patch # security fix - https://issues.redhat.com/browse/RHEL-12737 Patch7: 0009-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch +# downstream patch - https://issues.redhat.com/browse/RHEL-40621 +Patch8: 0010-defer-ENGINE_finish-calls-to-a-cleanup.patch + +# upstream patch - https://issues.redhat.com/browse/RHEL-40075 +Patch9: 0011-Optimized-chain-link-usage.patch + BuildRequires: make BuildRequires: gcc BuildRequires: gnupg2 @@ -626,6 +632,15 @@ fi %changelog +* Tue Jul 16 2024 Luboš Uhliarik - 1:1.24.0-4 +- Resolves: RHEL-49350 - nginx worker processes memory leak + +* Thu Jun 13 2024 Luboš Uhliarik - 1:1.24.0-3 +- Resolves: RHEL-40622 - openssl 3.2 ENGINE regression in nginx + +* Thu May 23 2024 Luboš Uhliarik - 1:1.24.0-2 +- Resolves: RHEL-38498 - Nginx seg faults when proxy_ssl_certificate is set + * Thu Jan 18 2024 Luboš Uhliarik - 1:1.24.0-1 - new version 1.24.0