import CS nginx-1.24.0-4.module_el9+1087+9adf8b0f
parent
ece00920d6
commit
d3764cc0a0
@ -1,3 +1,24 @@
|
|||||||
|
From a8cae4e95ba8b5f38c68f23502f1603af8a76c58 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
|
||||||
|
Date: Thu, 23 May 2024 16:18:35 +0200
|
||||||
|
Subject: [PATCH] Add ssl-pass-phrase-dialog
|
||||||
|
|
||||||
|
---
|
||||||
|
contrib/vim/syntax/nginx.vim | 1 +
|
||||||
|
src/event/ngx_event_openssl.c | 133 ++++++++++++++++++++---
|
||||||
|
src/event/ngx_event_openssl.h | 15 ++-
|
||||||
|
src/http/modules/ngx_http_grpc_module.c | 2 +-
|
||||||
|
src/http/modules/ngx_http_proxy_module.c | 2 +-
|
||||||
|
src/http/modules/ngx_http_ssl_module.c | 76 ++++++++++++-
|
||||||
|
src/http/modules/ngx_http_ssl_module.h | 2 +
|
||||||
|
src/http/modules/ngx_http_uwsgi_module.c | 2 +-
|
||||||
|
src/mail/ngx_mail_ssl_module.c | 68 +++++++++++-
|
||||||
|
src/mail/ngx_mail_ssl_module.h | 2 +
|
||||||
|
src/stream/ngx_stream_proxy_module.c | 2 +-
|
||||||
|
src/stream/ngx_stream_ssl_module.c | 62 ++++++++++-
|
||||||
|
src/stream/ngx_stream_ssl_module.h | 2 +
|
||||||
|
13 files changed, 344 insertions(+), 25 deletions(-)
|
||||||
|
|
||||||
diff --git a/contrib/vim/syntax/nginx.vim b/contrib/vim/syntax/nginx.vim
|
diff --git a/contrib/vim/syntax/nginx.vim b/contrib/vim/syntax/nginx.vim
|
||||||
index 7d587fc..15b21e2 100644
|
index 7d587fc..15b21e2 100644
|
||||||
--- a/contrib/vim/syntax/nginx.vim
|
--- a/contrib/vim/syntax/nginx.vim
|
||||||
@ -11,7 +32,7 @@ index 7d587fc..15b21e2 100644
|
|||||||
syn keyword ngxDirective contained ssl_preread
|
syn keyword ngxDirective contained ssl_preread
|
||||||
syn keyword ngxDirective contained ssl_protocols
|
syn keyword ngxDirective contained ssl_protocols
|
||||||
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
|
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
|
||||||
index 104e8da..8cf777e 100644
|
index 7b69f3f..3519831 100644
|
||||||
--- a/src/event/ngx_event_openssl.c
|
--- a/src/event/ngx_event_openssl.c
|
||||||
+++ b/src/event/ngx_event_openssl.c
|
+++ b/src/event/ngx_event_openssl.c
|
||||||
@@ -9,9 +9,8 @@
|
@@ -9,9 +9,8 @@
|
||||||
@ -49,7 +70,7 @@ index 104e8da..8cf777e 100644
|
|||||||
static void *ngx_openssl_create_conf(ngx_cycle_t *cycle);
|
static void *ngx_openssl_create_conf(ngx_cycle_t *cycle);
|
||||||
static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
|
static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
|
||||||
static void ngx_openssl_exit(ngx_cycle_t *cycle);
|
static void ngx_openssl_exit(ngx_cycle_t *cycle);
|
||||||
@@ -398,7 +403,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
|
@@ -405,7 +410,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
|
||||||
|
|
||||||
ngx_int_t
|
ngx_int_t
|
||||||
ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
|
ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
|
||||||
@ -58,7 +79,7 @@ index 104e8da..8cf777e 100644
|
|||||||
{
|
{
|
||||||
ngx_str_t *cert, *key;
|
ngx_str_t *cert, *key;
|
||||||
ngx_uint_t i;
|
ngx_uint_t i;
|
||||||
@@ -408,7 +413,7 @@ ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
|
@@ -415,7 +420,7 @@ ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
|
||||||
|
|
||||||
for (i = 0; i < certs->nelts; i++) {
|
for (i = 0; i < certs->nelts; i++) {
|
||||||
|
|
||||||
@ -67,7 +88,7 @@ index 104e8da..8cf777e 100644
|
|||||||
!= NGX_OK)
|
!= NGX_OK)
|
||||||
{
|
{
|
||||||
return NGX_ERROR;
|
return NGX_ERROR;
|
||||||
@@ -421,12 +426,13 @@ ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
|
@@ -428,12 +433,13 @@ ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
|
||||||
|
|
||||||
ngx_int_t
|
ngx_int_t
|
||||||
ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
|
ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
|
||||||
@ -82,7 +103,7 @@ index 104e8da..8cf777e 100644
|
|||||||
|
|
||||||
x509 = ngx_ssl_load_certificate(cf->pool, &err, cert, &chain);
|
x509 = ngx_ssl_load_certificate(cf->pool, &err, cert, &chain);
|
||||||
if (x509 == NULL) {
|
if (x509 == NULL) {
|
||||||
@@ -516,8 +522,19 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
|
@@ -523,8 +529,23 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -94,7 +115,11 @@ index 104e8da..8cf777e 100644
|
|||||||
+ "X509_get_pubkey() failed");
|
+ "X509_get_pubkey() failed");
|
||||||
+ return NGX_ERROR;
|
+ return NGX_ERROR;
|
||||||
+ }
|
+ }
|
||||||
|
+
|
||||||
|
+ if (dlg) {
|
||||||
+ dlg->cryptosystem = EVP_PKEY_get_base_id(pubkey);
|
+ dlg->cryptosystem = EVP_PKEY_get_base_id(pubkey);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
+ EVP_PKEY_free(pubkey);
|
+ EVP_PKEY_free(pubkey);
|
||||||
+
|
+
|
||||||
+ pkey = ngx_ssl_load_certificate_key(cf->pool, &err, key, passwords, dlg);
|
+ pkey = ngx_ssl_load_certificate_key(cf->pool, &err, key, passwords, dlg);
|
||||||
@ -104,7 +129,7 @@ index 104e8da..8cf777e 100644
|
|||||||
if (err != NULL) {
|
if (err != NULL) {
|
||||||
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
||||||
"cannot load certificate key \"%s\": %s",
|
"cannot load certificate key \"%s\": %s",
|
||||||
@@ -587,7 +604,7 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
|
@@ -594,7 +615,7 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -113,7 +138,7 @@ index 104e8da..8cf777e 100644
|
|||||||
if (pkey == NULL) {
|
if (pkey == NULL) {
|
||||||
if (err != NULL) {
|
if (err != NULL) {
|
||||||
ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
|
ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
|
||||||
@@ -700,10 +717,81 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
|
@@ -772,10 +793,81 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
|
||||||
return x509;
|
return x509;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -197,7 +222,7 @@ index 104e8da..8cf777e 100644
|
|||||||
{
|
{
|
||||||
BIO *bio;
|
BIO *bio;
|
||||||
EVP_PKEY *pkey;
|
EVP_PKEY *pkey;
|
||||||
@@ -791,11 +879,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
|
@@ -871,11 +963,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
|
||||||
tries = 1;
|
tries = 1;
|
||||||
pwd = NULL;
|
pwd = NULL;
|
||||||
cb = NULL;
|
cb = NULL;
|
||||||
@ -226,7 +251,7 @@ index 104e8da..8cf777e 100644
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
|
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
|
||||||
index 860ea26..41f4501 100644
|
index 7759e1a..a346792 100644
|
||||||
--- a/src/event/ngx_event_openssl.h
|
--- a/src/event/ngx_event_openssl.h
|
||||||
+++ b/src/event/ngx_event_openssl.h
|
+++ b/src/event/ngx_event_openssl.h
|
||||||
@@ -74,9 +74,19 @@
|
@@ -74,9 +74,19 @@
|
||||||
@ -257,7 +282,7 @@ index 860ea26..41f4501 100644
|
|||||||
struct ngx_ssl_connection_s {
|
struct ngx_ssl_connection_s {
|
||||||
ngx_ssl_conn_t *connection;
|
ngx_ssl_conn_t *connection;
|
||||||
SSL_CTX *session_ctx;
|
SSL_CTX *session_ctx;
|
||||||
@@ -184,9 +193,9 @@ ngx_int_t ngx_ssl_init(ngx_log_t *log);
|
@@ -185,9 +194,9 @@ ngx_int_t ngx_ssl_init(ngx_log_t *log);
|
||||||
ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);
|
ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);
|
||||||
|
|
||||||
ngx_int_t ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl,
|
ngx_int_t ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl,
|
||||||
@ -296,7 +321,7 @@ index 9cc202c..2c938d7 100644
|
|||||||
{
|
{
|
||||||
return NGX_ERROR;
|
return NGX_ERROR;
|
||||||
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
|
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
|
||||||
index 4c4a598..a147054 100644
|
index f1fae50..ad7e3fe 100644
|
||||||
--- a/src/http/modules/ngx_http_ssl_module.c
|
--- a/src/http/modules/ngx_http_ssl_module.c
|
||||||
+++ b/src/http/modules/ngx_http_ssl_module.c
|
+++ b/src/http/modules/ngx_http_ssl_module.c
|
||||||
@@ -17,8 +17,9 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
|
@@ -17,8 +17,9 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
|
||||||
@ -361,7 +386,7 @@ index 4c4a598..a147054 100644
|
|||||||
|
|
||||||
ngx_pool_cleanup_t *cln;
|
ngx_pool_cleanup_t *cln;
|
||||||
|
|
||||||
@@ -674,6 +689,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
@@ -671,6 +686,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||||
ngx_conf_merge_str_value(conf->stapling_responder,
|
ngx_conf_merge_str_value(conf->stapling_responder,
|
||||||
prev->stapling_responder, "");
|
prev->stapling_responder, "");
|
||||||
|
|
||||||
@ -371,7 +396,7 @@ index 4c4a598..a147054 100644
|
|||||||
conf->ssl.log = cf->log;
|
conf->ssl.log = cf->log;
|
||||||
|
|
||||||
if (conf->enable) {
|
if (conf->enable) {
|
||||||
@@ -736,6 +754,30 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
@@ -733,6 +751,30 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||||
cln->handler = ngx_ssl_cleanup_ctx;
|
cln->handler = ngx_ssl_cleanup_ctx;
|
||||||
cln->data = &conf->ssl;
|
cln->data = &conf->ssl;
|
||||||
|
|
||||||
@ -402,7 +427,7 @@ index 4c4a598..a147054 100644
|
|||||||
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
||||||
|
|
||||||
if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
|
if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
|
||||||
@@ -786,7 +828,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
@@ -783,7 +825,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||||
/* configure certificates */
|
/* configure certificates */
|
||||||
|
|
||||||
if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
|
if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
|
||||||
@ -411,7 +436,7 @@ index 4c4a598..a147054 100644
|
|||||||
!= NGX_OK)
|
!= NGX_OK)
|
||||||
{
|
{
|
||||||
return NGX_CONF_ERROR;
|
return NGX_CONF_ERROR;
|
||||||
@@ -1335,3 +1377,31 @@ ngx_http_ssl_init(ngx_conf_t *cf)
|
@@ -1332,3 +1374,31 @@ ngx_http_ssl_init(ngx_conf_t *cf)
|
||||||
|
|
||||||
return NGX_OK;
|
return NGX_OK;
|
||||||
}
|
}
|
||||||
@ -470,7 +495,7 @@ index e4f721b..61efa99 100644
|
|||||||
{
|
{
|
||||||
return NGX_ERROR;
|
return NGX_ERROR;
|
||||||
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
|
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
|
||||||
index 28737ac..728181d 100644
|
index 01a04c8..066aef8 100644
|
||||||
--- a/src/mail/ngx_mail_ssl_module.c
|
--- a/src/mail/ngx_mail_ssl_module.c
|
||||||
+++ b/src/mail/ngx_mail_ssl_module.c
|
+++ b/src/mail/ngx_mail_ssl_module.c
|
||||||
@@ -13,6 +13,7 @@
|
@@ -13,6 +13,7 @@
|
||||||
@ -513,7 +538,7 @@ index 28737ac..728181d 100644
|
|||||||
|
|
||||||
char *mode;
|
char *mode;
|
||||||
ngx_pool_cleanup_t *cln;
|
ngx_pool_cleanup_t *cln;
|
||||||
@@ -388,6 +400,8 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
@@ -385,6 +397,8 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||||
|
|
||||||
ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
|
ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
|
||||||
|
|
||||||
@ -522,7 +547,7 @@ index 28737ac..728181d 100644
|
|||||||
|
|
||||||
conf->ssl.log = cf->log;
|
conf->ssl.log = cf->log;
|
||||||
|
|
||||||
@@ -449,6 +463,29 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
@@ -446,6 +460,29 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||||
cln->handler = ngx_ssl_cleanup_ctx;
|
cln->handler = ngx_ssl_cleanup_ctx;
|
||||||
cln->data = &conf->ssl;
|
cln->data = &conf->ssl;
|
||||||
|
|
||||||
@ -552,7 +577,7 @@ index 28737ac..728181d 100644
|
|||||||
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
|
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
|
||||||
SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_mail_ssl_alpn_select, NULL);
|
SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_mail_ssl_alpn_select, NULL);
|
||||||
#endif
|
#endif
|
||||||
@@ -461,7 +498,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
@@ -458,7 +495,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
|
if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
|
||||||
@ -561,7 +586,7 @@ index 28737ac..728181d 100644
|
|||||||
!= NGX_OK)
|
!= NGX_OK)
|
||||||
{
|
{
|
||||||
return NGX_CONF_ERROR;
|
return NGX_CONF_ERROR;
|
||||||
@@ -745,3 +782,32 @@ ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
|
@@ -742,3 +779,32 @@ ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
|
||||||
return NGX_CONF_OK;
|
return NGX_CONF_OK;
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
@ -621,7 +646,7 @@ index ed275c0..1747aed 100644
|
|||||||
{
|
{
|
||||||
return NGX_ERROR;
|
return NGX_ERROR;
|
||||||
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
|
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
|
||||||
index 1ba1825..ba70547 100644
|
index c692884..a4c14ec 100644
|
||||||
--- a/src/stream/ngx_stream_ssl_module.c
|
--- a/src/stream/ngx_stream_ssl_module.c
|
||||||
+++ b/src/stream/ngx_stream_ssl_module.c
|
+++ b/src/stream/ngx_stream_ssl_module.c
|
||||||
@@ -17,6 +17,8 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
|
@@ -17,6 +17,8 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
|
||||||
@ -665,7 +690,7 @@ index 1ba1825..ba70547 100644
|
|||||||
|
|
||||||
ngx_pool_cleanup_t *cln;
|
ngx_pool_cleanup_t *cln;
|
||||||
|
|
||||||
@@ -732,6 +745,8 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
@@ -729,6 +742,8 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||||
|
|
||||||
ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
|
ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
|
||||||
|
|
||||||
@ -674,7 +699,7 @@ index 1ba1825..ba70547 100644
|
|||||||
|
|
||||||
conf->ssl.log = cf->log;
|
conf->ssl.log = cf->log;
|
||||||
|
|
||||||
@@ -779,6 +794,23 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
@@ -776,6 +791,23 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||||
cln->handler = ngx_ssl_cleanup_ctx;
|
cln->handler = ngx_ssl_cleanup_ctx;
|
||||||
cln->data = &conf->ssl;
|
cln->data = &conf->ssl;
|
||||||
|
|
||||||
@ -698,7 +723,7 @@ index 1ba1825..ba70547 100644
|
|||||||
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
||||||
SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
|
SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
|
||||||
ngx_stream_ssl_servername);
|
ngx_stream_ssl_servername);
|
||||||
@@ -823,7 +855,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
@@ -820,7 +852,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||||
/* configure certificates */
|
/* configure certificates */
|
||||||
|
|
||||||
if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
|
if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
|
||||||
@ -707,7 +732,7 @@ index 1ba1825..ba70547 100644
|
|||||||
!= NGX_OK)
|
!= NGX_OK)
|
||||||
{
|
{
|
||||||
return NGX_CONF_ERROR;
|
return NGX_CONF_ERROR;
|
||||||
@@ -1209,3 +1241,31 @@ ngx_stream_ssl_init(ngx_conf_t *cf)
|
@@ -1206,3 +1238,31 @@ ngx_stream_ssl_init(ngx_conf_t *cf)
|
||||||
|
|
||||||
return NGX_OK;
|
return NGX_OK;
|
||||||
}
|
}
|
||||||
@ -752,3 +777,6 @@ index e7c825e..d80daa4 100644
|
|||||||
} ngx_stream_ssl_conf_t;
|
} ngx_stream_ssl_conf_t;
|
||||||
|
|
||||||
|
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
||||||
|
126
SOURCES/0010-defer-ENGINE_finish-calls-to-a-cleanup.patch
Normal file
126
SOURCES/0010-defer-ENGINE_finish-calls-to-a-cleanup.patch
Normal file
@ -0,0 +1,126 @@
|
|||||||
|
From e0e6437b1f1c723a52ac26a7e700113753331ecd Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
|
||||||
|
Date: Thu, 13 Jun 2024 17:44:28 +0200
|
||||||
|
Subject: [PATCH] defer ENGINE_finish() calls to a cleanup
|
||||||
|
|
||||||
|
---
|
||||||
|
src/event/ngx_event_openssl.c | 51 +++++++++++++++++++++++++++--------
|
||||||
|
1 file changed, 40 insertions(+), 11 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
|
||||||
|
index fb05ab9..3e06791 100644
|
||||||
|
--- a/src/event/ngx_event_openssl.c
|
||||||
|
+++ b/src/event/ngx_event_openssl.c
|
||||||
|
@@ -16,7 +16,7 @@ typedef struct {
|
||||||
|
ngx_uint_t engine; /* unsigned engine:1; */
|
||||||
|
} ngx_openssl_conf_t;
|
||||||
|
|
||||||
|
-
|
||||||
|
+static ngx_int_t ngx_ssl_engine_cleanup(void *data);
|
||||||
|
static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err,
|
||||||
|
ngx_str_t *cert, STACK_OF(X509) **chain);
|
||||||
|
static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool,
|
||||||
|
@@ -144,6 +144,15 @@ int ngx_ssl_certificate_name_index;
|
||||||
|
int ngx_ssl_stapling_index;
|
||||||
|
|
||||||
|
|
||||||
|
+static ngx_int_t
|
||||||
|
+ngx_ssl_engine_cleanup(void *data){
|
||||||
|
+ ENGINE *e = data;
|
||||||
|
+
|
||||||
|
+ ENGINE_finish(e);
|
||||||
|
+
|
||||||
|
+ return NGX_OK;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
ngx_int_t
|
||||||
|
ngx_ssl_init(ngx_log_t *log)
|
||||||
|
{
|
||||||
|
@@ -650,8 +659,9 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_ENGINE
|
||||||
|
|
||||||
|
- u_char *p, *last;
|
||||||
|
- ENGINE *engine;
|
||||||
|
+ u_char *p, *last;
|
||||||
|
+ ENGINE *engine;
|
||||||
|
+ ngx_pool_cleanup_t *cln;
|
||||||
|
|
||||||
|
p = cert->data + sizeof("engine:") - 1;
|
||||||
|
last = (u_char *) ngx_strchr(p, ':');
|
||||||
|
@@ -676,6 +686,16 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ cln = ngx_pool_cleanup_add(pool, 0);
|
||||||
|
+ if (cln == NULL) {
|
||||||
|
+ *err = "failed to add ENGINE cleanup";
|
||||||
|
+ ENGINE_free(engine);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ cln->handler = ngx_ssl_engine_cleanup;
|
||||||
|
+ cln->data = engine;
|
||||||
|
+
|
||||||
|
*last++ = ':';
|
||||||
|
|
||||||
|
struct {
|
||||||
|
@@ -689,7 +709,6 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
- ENGINE_finish(engine);
|
||||||
|
ENGINE_free(engine);
|
||||||
|
|
||||||
|
/* set chain to null */
|
||||||
|
@@ -868,11 +887,13 @@ ngx_ssl_pass_phrase_callback(char *buf, int bufsize, int rwflag, void *u)
|
||||||
|
static EVP_PKEY *
|
||||||
|
ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, ngx_str_t *key, ngx_array_t *passwords, ngx_ssl_ppdialog_conf_t *dlg)
|
||||||
|
{
|
||||||
|
- BIO *bio;
|
||||||
|
- EVP_PKEY *pkey;
|
||||||
|
- ngx_str_t *pwd;
|
||||||
|
- ngx_uint_t tries;
|
||||||
|
- pem_password_cb *cb;
|
||||||
|
+ BIO *bio;
|
||||||
|
+ EVP_PKEY *pkey;
|
||||||
|
+ ngx_str_t *pwd;
|
||||||
|
+ ngx_uint_t tries;
|
||||||
|
+ pem_password_cb *cb;
|
||||||
|
+ ngx_pool_cleanup_t *cln;
|
||||||
|
+
|
||||||
|
|
||||||
|
if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {
|
||||||
|
|
||||||
|
@@ -904,18 +925,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, ngx_str_t *key, ngx_a
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ cln = ngx_pool_cleanup_add(pool, 0);
|
||||||
|
+ if (cln == NULL) {
|
||||||
|
+ *err = "failed to add ENGINE cleanup";
|
||||||
|
+ ENGINE_free(engine);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ cln->handler = ngx_ssl_engine_cleanup;
|
||||||
|
+ cln->data = engine;
|
||||||
|
+
|
||||||
|
*last++ = ':';
|
||||||
|
|
||||||
|
pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
|
||||||
|
|
||||||
|
if (pkey == NULL) {
|
||||||
|
*err = "ENGINE_load_private_key() failed";
|
||||||
|
- ENGINE_finish(engine);
|
||||||
|
ENGINE_free(engine);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
- ENGINE_finish(engine);
|
||||||
|
ENGINE_free(engine);
|
||||||
|
|
||||||
|
return pkey;
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
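Review bot: `ngx_ssl_engine_cleanup` is defined to return `ngx_int_t`, but it is stored into `cln->handler` at `cln->handler = ngx_ssl_engine_cleanup;` in both the certificate and the key hunk, and that field's type `ngx_pool_cleanup_pt` (ngx_palloc.h) is `void (*)(void *data)`, so the assignment is an incompatible function-pointer conversion that GCC reports under -Wincompatible-pointer-types. Declare it as `static void ngx_ssl_engine_cleanup(void *data)` (forward declaration to match), drop `return NGX_OK;`, and put the opening brace on its own line as the surrounding nginx code does; this also mirrors the existing `ngx_ssl_cleanup_ctx` handler. On the new failure path `if (cln == NULL) { *err = "failed to add ENGINE cleanup"; ENGINE_free(engine); return NULL; }` only the structural reference is released; if ENGINE_init() has already succeeded at that point (the ENGINE_finish() calls the hunks remove suggest it has, but the init call lies outside the hunks), the functional reference is leaked and ENGINE_finish() should precede ENGINE_free() there. The patch carries no description; one sentence recording why ENGINE_finish() is deferred to pool destruction rather than called right after loading would save the next rebase from re-deriving it.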
183
SOURCES/0011-Optimized-chain-link-usage.patch
Normal file
183
SOURCES/0011-Optimized-chain-link-usage.patch
Normal file
@ -0,0 +1,183 @@
|
|||||||
|
From f3bcc0bcfb6eda3f4874fe2531d546ba724c518c Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
|
||||||
|
Date: Wed, 12 Jun 2024 12:49:28 +0200
|
||||||
|
Subject: [PATCH] Optimized chain link usage
|
||||||
|
|
||||||
|
Previously chain links could sometimes be dropped instead of being reused,
|
||||||
|
which could result in increased memory consumption during long requests.
|
||||||
|
---
|
||||||
|
src/core/ngx_output_chain.c | 10 ++++++++--
|
||||||
|
src/http/modules/ngx_http_grpc_module.c | 5 ++++-
|
||||||
|
.../modules/ngx_http_gunzip_filter_module.c | 18 ++++++++++++++----
|
||||||
|
src/http/modules/ngx_http_gzip_filter_module.c | 10 +++++++---
|
||||||
|
src/http/modules/ngx_http_ssi_filter_module.c | 8 ++++++--
|
||||||
|
src/http/modules/ngx_http_sub_filter_module.c | 8 ++++++--
|
||||||
|
6 files changed, 45 insertions(+), 14 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/core/ngx_output_chain.c b/src/core/ngx_output_chain.c
|
||||||
|
index 5c3dbe8..4aa1b02 100644
|
||||||
|
--- a/src/core/ngx_output_chain.c
|
||||||
|
+++ b/src/core/ngx_output_chain.c
|
||||||
|
@@ -121,7 +121,10 @@ ngx_output_chain(ngx_output_chain_ctx_t *ctx, ngx_chain_t *in)
|
||||||
|
|
||||||
|
ngx_debug_point();
|
||||||
|
|
||||||
|
- ctx->in = ctx->in->next;
|
||||||
|
+ cl = ctx->in;
|
||||||
|
+ ctx->in = cl->next;
|
||||||
|
+
|
||||||
|
+ ngx_free_chain(ctx->pool, cl);
|
||||||
|
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -207,7 +210,10 @@ ngx_output_chain(ngx_output_chain_ctx_t *ctx, ngx_chain_t *in)
|
||||||
|
/* delete the completed buf from the ctx->in chain */
|
||||||
|
|
||||||
|
if (ngx_buf_size(ctx->in->buf) == 0) {
|
||||||
|
- ctx->in = ctx->in->next;
|
||||||
|
+ cl = ctx->in;
|
||||||
|
+ ctx->in = cl->next;
|
||||||
|
+
|
||||||
|
+ ngx_free_chain(ctx->pool, cl);
|
||||||
|
}
|
||||||
|
|
||||||
|
cl = ngx_alloc_chain_link(ctx->pool);
|
||||||
|
diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c
|
||||||
|
index 53bc547..9f13089 100644
|
||||||
|
--- a/src/http/modules/ngx_http_grpc_module.c
|
||||||
|
+++ b/src/http/modules/ngx_http_grpc_module.c
|
||||||
|
@@ -1230,7 +1230,7 @@ ngx_http_grpc_body_output_filter(void *data, ngx_chain_t *in)
|
||||||
|
ngx_buf_t *b;
|
||||||
|
ngx_int_t rc;
|
||||||
|
ngx_uint_t next, last;
|
||||||
|
- ngx_chain_t *cl, *out, **ll;
|
||||||
|
+ ngx_chain_t *cl, *out, *ln, **ll;
|
||||||
|
ngx_http_upstream_t *u;
|
||||||
|
ngx_http_grpc_ctx_t *ctx;
|
||||||
|
ngx_http_grpc_frame_t *f;
|
||||||
|
@@ -1458,7 +1458,10 @@ ngx_http_grpc_body_output_filter(void *data, ngx_chain_t *in)
|
||||||
|
last = 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ ln = in;
|
||||||
|
in = in->next;
|
||||||
|
+
|
||||||
|
+ ngx_free_chain(r->pool, ln);
|
||||||
|
}
|
||||||
|
|
||||||
|
ctx->in = in;
|
||||||
|
diff --git a/src/http/modules/ngx_http_gunzip_filter_module.c b/src/http/modules/ngx_http_gunzip_filter_module.c
|
||||||
|
index c1341f5..5d170a1 100644
|
||||||
|
--- a/src/http/modules/ngx_http_gunzip_filter_module.c
|
||||||
|
+++ b/src/http/modules/ngx_http_gunzip_filter_module.c
|
||||||
|
@@ -333,6 +333,8 @@ static ngx_int_t
|
||||||
|
ngx_http_gunzip_filter_add_data(ngx_http_request_t *r,
|
||||||
|
ngx_http_gunzip_ctx_t *ctx)
|
||||||
|
{
|
||||||
|
+ ngx_chain_t *cl;
|
||||||
|
+
|
||||||
|
if (ctx->zstream.avail_in || ctx->flush != Z_NO_FLUSH || ctx->redo) {
|
||||||
|
return NGX_OK;
|
||||||
|
}
|
||||||
|
@@ -344,8 +346,11 @@ ngx_http_gunzip_filter_add_data(ngx_http_request_t *r,
|
||||||
|
return NGX_DECLINED;
|
||||||
|
}
|
||||||
|
|
||||||
|
- ctx->in_buf = ctx->in->buf;
|
||||||
|
- ctx->in = ctx->in->next;
|
||||||
|
+ cl = ctx->in;
|
||||||
|
+ ctx->in_buf = cl->buf;
|
||||||
|
+ ctx->in = cl->next;
|
||||||
|
+
|
||||||
|
+ ngx_free_chain(r->pool, cl);
|
||||||
|
|
||||||
|
ctx->zstream.next_in = ctx->in_buf->pos;
|
||||||
|
ctx->zstream.avail_in = ctx->in_buf->last - ctx->in_buf->pos;
|
||||||
|
@@ -374,6 +379,7 @@ static ngx_int_t
|
||||||
|
ngx_http_gunzip_filter_get_buf(ngx_http_request_t *r,
|
||||||
|
ngx_http_gunzip_ctx_t *ctx)
|
||||||
|
{
|
||||||
|
+ ngx_chain_t *cl;
|
||||||
|
ngx_http_gunzip_conf_t *conf;
|
||||||
|
|
||||||
|
if (ctx->zstream.avail_out) {
|
||||||
|
@@ -383,8 +389,12 @@ ngx_http_gunzip_filter_get_buf(ngx_http_request_t *r,
|
||||||
|
conf = ngx_http_get_module_loc_conf(r, ngx_http_gunzip_filter_module);
|
||||||
|
|
||||||
|
if (ctx->free) {
|
||||||
|
- ctx->out_buf = ctx->free->buf;
|
||||||
|
- ctx->free = ctx->free->next;
|
||||||
|
+
|
||||||
|
+ cl = ctx->free;
|
||||||
|
+ ctx->out_buf = cl->buf;
|
||||||
|
+ ctx->free = cl->next;
|
||||||
|
+
|
||||||
|
+ ngx_free_chain(r->pool, cl);
|
||||||
|
|
||||||
|
ctx->out_buf->flush = 0;
|
||||||
|
|
||||||
|
diff --git a/src/http/modules/ngx_http_gzip_filter_module.c b/src/http/modules/ngx_http_gzip_filter_module.c
|
||||||
|
index b8c5ccc..1d17a6d 100644
|
||||||
|
--- a/src/http/modules/ngx_http_gzip_filter_module.c
|
||||||
|
+++ b/src/http/modules/ngx_http_gzip_filter_module.c
|
||||||
|
@@ -978,10 +978,14 @@ static void
|
||||||
|
ngx_http_gzip_filter_free_copy_buf(ngx_http_request_t *r,
|
||||||
|
ngx_http_gzip_ctx_t *ctx)
|
||||||
|
{
|
||||||
|
- ngx_chain_t *cl;
|
||||||
|
+ ngx_chain_t *cl, *ln;
|
||||||
|
+
|
||||||
|
+ for (cl = ctx->copied; cl; /* void */) {
|
||||||
|
+ ln = cl;
|
||||||
|
+ cl = cl->next;
|
||||||
|
|
||||||
|
- for (cl = ctx->copied; cl; cl = cl->next) {
|
||||||
|
- ngx_pfree(r->pool, cl->buf->start);
|
||||||
|
+ ngx_pfree(r->pool, ln->buf->start);
|
||||||
|
+ ngx_free_chain(r->pool, ln);
|
||||||
|
}
|
||||||
|
|
||||||
|
ctx->copied = NULL;
|
||||||
|
diff --git a/src/http/modules/ngx_http_ssi_filter_module.c b/src/http/modules/ngx_http_ssi_filter_module.c
|
||||||
|
index 6737965..a55f6e5 100644
|
||||||
|
--- a/src/http/modules/ngx_http_ssi_filter_module.c
|
||||||
|
+++ b/src/http/modules/ngx_http_ssi_filter_module.c
|
||||||
|
@@ -455,9 +455,13 @@ ngx_http_ssi_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
|
||||||
|
while (ctx->in || ctx->buf) {
|
||||||
|
|
||||||
|
if (ctx->buf == NULL) {
|
||||||
|
- ctx->buf = ctx->in->buf;
|
||||||
|
- ctx->in = ctx->in->next;
|
||||||
|
+
|
||||||
|
+ cl = ctx->in;
|
||||||
|
+ ctx->buf = cl->buf;
|
||||||
|
+ ctx->in = cl->next;
|
||||||
|
ctx->pos = ctx->buf->pos;
|
||||||
|
+
|
||||||
|
+ ngx_free_chain(r->pool, cl);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ctx->state == ssi_start_state) {
|
||||||
|
diff --git a/src/http/modules/ngx_http_sub_filter_module.c b/src/http/modules/ngx_http_sub_filter_module.c
|
||||||
|
index 6d3de59..456bb27 100644
|
||||||
|
--- a/src/http/modules/ngx_http_sub_filter_module.c
|
||||||
|
+++ b/src/http/modules/ngx_http_sub_filter_module.c
|
||||||
|
@@ -335,9 +335,13 @@ ngx_http_sub_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
|
||||||
|
while (ctx->in || ctx->buf) {
|
||||||
|
|
||||||
|
if (ctx->buf == NULL) {
|
||||||
|
- ctx->buf = ctx->in->buf;
|
||||||
|
- ctx->in = ctx->in->next;
|
||||||
|
+
|
||||||
|
+ cl = ctx->in;
|
||||||
|
+ ctx->buf = cl->buf;
|
||||||
|
+ ctx->in = cl->next;
|
||||||
|
ctx->pos = ctx->buf->pos;
|
||||||
|
+
|
||||||
|
+ ngx_free_chain(r->pool, cl);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ctx->buf->flush || ctx->buf->recycled) {
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
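Review bot: The patch description states the behaviour change but not the upstream changeset it backports, even though the spec comment labels it an upstream patch; adding the reference to the description (e.g. `Upstream: <UPSTREAM COMMIT ID placeholder>`) would let future rebases and triage verify the backport against its origin. The recycling itself is consistent across the hunks: in each one `cl->buf` and `cl->next` are read before `ngx_free_chain()` is called and nothing after the call touches the link, and in the ssi and sub filter hunks the link is returned only after `ctx->pos = ctx->buf->pos;`, which preserves that order.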
@ -56,7 +56,7 @@
|
|||||||
Name: nginx
|
Name: nginx
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 1.24.0
|
Version: 1.24.0
|
||||||
Release: 1%{?dist}
|
Release: 4%{?dist}
|
||||||
|
|
||||||
Summary: A high performance web server and reverse proxy server
|
Summary: A high performance web server and reverse proxy server
|
||||||
# BSD License (two clause)
|
# BSD License (two clause)
|
||||||
@ -114,6 +114,12 @@ Patch6: 0008-add-ssl-pass-phrase-dialog.patch
|
|||||||
# security fix - https://issues.redhat.com/browse/RHEL-12737
|
# security fix - https://issues.redhat.com/browse/RHEL-12737
|
||||||
Patch7: 0009-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch
|
Patch7: 0009-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch
|
||||||
|
|
||||||
|
# downstream patch - https://issues.redhat.com/browse/RHEL-40621
|
||||||
|
Patch8: 0010-defer-ENGINE_finish-calls-to-a-cleanup.patch
|
||||||
|
|
||||||
|
# upstream patch - https://issues.redhat.com/browse/RHEL-40075
|
||||||
|
Patch9: 0011-Optimized-chain-link-usage.patch
|
||||||
|
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: gnupg2
|
BuildRequires: gnupg2
|
||||||
@ -626,6 +632,15 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jul 16 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-4
|
||||||
|
- Resolves: RHEL-49350 - nginx worker processes memory leak
|
||||||
|
|
||||||
|
* Thu Jun 13 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-3
|
||||||
|
- Resolves: RHEL-40622 - openssl 3.2 ENGINE regression in nginx
|
||||||
|
|
||||||
|
* Thu May 23 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-2
|
||||||
|
- Resolves: RHEL-38498 - Nginx seg faults when proxy_ssl_certificate is set
|
||||||
|
|
||||||
* Thu Jan 18 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-1
|
* Thu Jan 18 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-1
|
||||||
- new version 1.24.0
|
- new version 1.24.0
|
||||||
|
|
||||||
|