import CS nginx-1.24.0-4.module_el9+1087+9adf8b0f

This commit is contained in:
eabdullin 2024-10-01 06:36:59 +00:00
parent ece00920d6
commit d3764cc0a0
4 changed files with 379 additions and 27 deletions

View File

@ -1,3 +1,24 @@
From a8cae4e95ba8b5f38c68f23502f1603af8a76c58 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
Date: Thu, 23 May 2024 16:18:35 +0200
Subject: [PATCH] Add ssl-pass-phrase-dialog
---
contrib/vim/syntax/nginx.vim | 1 +
src/event/ngx_event_openssl.c | 133 ++++++++++++++++++++---
src/event/ngx_event_openssl.h | 15 ++-
src/http/modules/ngx_http_grpc_module.c | 2 +-
src/http/modules/ngx_http_proxy_module.c | 2 +-
src/http/modules/ngx_http_ssl_module.c | 76 ++++++++++++-
src/http/modules/ngx_http_ssl_module.h | 2 +
src/http/modules/ngx_http_uwsgi_module.c | 2 +-
src/mail/ngx_mail_ssl_module.c | 68 +++++++++++-
src/mail/ngx_mail_ssl_module.h | 2 +
src/stream/ngx_stream_proxy_module.c | 2 +-
src/stream/ngx_stream_ssl_module.c | 62 ++++++++++-
src/stream/ngx_stream_ssl_module.h | 2 +
13 files changed, 344 insertions(+), 25 deletions(-)
diff --git a/contrib/vim/syntax/nginx.vim b/contrib/vim/syntax/nginx.vim diff --git a/contrib/vim/syntax/nginx.vim b/contrib/vim/syntax/nginx.vim
index 7d587fc..15b21e2 100644 index 7d587fc..15b21e2 100644
--- a/contrib/vim/syntax/nginx.vim --- a/contrib/vim/syntax/nginx.vim
@ -11,7 +32,7 @@ index 7d587fc..15b21e2 100644
syn keyword ngxDirective contained ssl_preread syn keyword ngxDirective contained ssl_preread
syn keyword ngxDirective contained ssl_protocols syn keyword ngxDirective contained ssl_protocols
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 104e8da..8cf777e 100644 index 7b69f3f..3519831 100644
--- a/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c
@@ -9,9 +9,8 @@ @@ -9,9 +9,8 @@
@ -49,7 +70,7 @@ index 104e8da..8cf777e 100644
static void *ngx_openssl_create_conf(ngx_cycle_t *cycle); static void *ngx_openssl_create_conf(ngx_cycle_t *cycle);
static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
static void ngx_openssl_exit(ngx_cycle_t *cycle); static void ngx_openssl_exit(ngx_cycle_t *cycle);
@@ -398,7 +403,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) @@ -405,7 +410,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
ngx_int_t ngx_int_t
ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs, ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
@ -58,7 +79,7 @@ index 104e8da..8cf777e 100644
{ {
ngx_str_t *cert, *key; ngx_str_t *cert, *key;
ngx_uint_t i; ngx_uint_t i;
@@ -408,7 +413,7 @@ ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs, @@ -415,7 +420,7 @@ ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
for (i = 0; i < certs->nelts; i++) { for (i = 0; i < certs->nelts; i++) {
@ -67,7 +88,7 @@ index 104e8da..8cf777e 100644
!= NGX_OK) != NGX_OK)
{ {
return NGX_ERROR; return NGX_ERROR;
@@ -421,12 +426,13 @@ ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs, @@ -428,12 +433,13 @@ ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
ngx_int_t ngx_int_t
ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
@ -82,7 +103,7 @@ index 104e8da..8cf777e 100644
x509 = ngx_ssl_load_certificate(cf->pool, &err, cert, &chain); x509 = ngx_ssl_load_certificate(cf->pool, &err, cert, &chain);
if (x509 == NULL) { if (x509 == NULL) {
@@ -516,8 +522,19 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, @@ -523,8 +529,23 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
} }
#endif #endif
@ -94,7 +115,11 @@ index 104e8da..8cf777e 100644
+ "X509_get_pubkey() failed"); + "X509_get_pubkey() failed");
+ return NGX_ERROR; + return NGX_ERROR;
+ } + }
+
+ if (dlg) {
+ dlg->cryptosystem = EVP_PKEY_get_base_id(pubkey); + dlg->cryptosystem = EVP_PKEY_get_base_id(pubkey);
+ }
+
+ EVP_PKEY_free(pubkey); + EVP_PKEY_free(pubkey);
+ +
+ pkey = ngx_ssl_load_certificate_key(cf->pool, &err, key, passwords, dlg); + pkey = ngx_ssl_load_certificate_key(cf->pool, &err, key, passwords, dlg);
@ -104,7 +129,7 @@ index 104e8da..8cf777e 100644
if (err != NULL) { if (err != NULL) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"cannot load certificate key \"%s\": %s", "cannot load certificate key \"%s\": %s",
@@ -587,7 +604,7 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool, @@ -594,7 +615,7 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
#endif #endif
@ -113,7 +138,7 @@ index 104e8da..8cf777e 100644
if (pkey == NULL) { if (pkey == NULL) {
if (err != NULL) { if (err != NULL) {
ngx_ssl_error(NGX_LOG_ERR, c->log, 0, ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
@@ -700,10 +717,81 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, @@ -772,10 +793,81 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
return x509; return x509;
} }
@ -197,7 +222,7 @@ index 104e8da..8cf777e 100644
{ {
BIO *bio; BIO *bio;
EVP_PKEY *pkey; EVP_PKEY *pkey;
@@ -791,11 +879,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, @@ -871,11 +963,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
tries = 1; tries = 1;
pwd = NULL; pwd = NULL;
cb = NULL; cb = NULL;
@ -226,7 +251,7 @@ index 104e8da..8cf777e 100644
break; break;
} }
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 860ea26..41f4501 100644 index 7759e1a..a346792 100644
--- a/src/event/ngx_event_openssl.h --- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h
@@ -74,9 +74,19 @@ @@ -74,9 +74,19 @@
@ -257,7 +282,7 @@ index 860ea26..41f4501 100644
struct ngx_ssl_connection_s { struct ngx_ssl_connection_s {
ngx_ssl_conn_t *connection; ngx_ssl_conn_t *connection;
SSL_CTX *session_ctx; SSL_CTX *session_ctx;
@@ -184,9 +193,9 @@ ngx_int_t ngx_ssl_init(ngx_log_t *log); @@ -185,9 +194,9 @@ ngx_int_t ngx_ssl_init(ngx_log_t *log);
ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data); ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);
ngx_int_t ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_int_t ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl,
@ -296,7 +321,7 @@ index 9cc202c..2c938d7 100644
{ {
return NGX_ERROR; return NGX_ERROR;
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index 4c4a598..a147054 100644 index f1fae50..ad7e3fe 100644
--- a/src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c
@@ -17,8 +17,9 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, @@ -17,8 +17,9 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
@ -361,7 +386,7 @@ index 4c4a598..a147054 100644
ngx_pool_cleanup_t *cln; ngx_pool_cleanup_t *cln;
@@ -674,6 +689,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) @@ -671,6 +686,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_str_value(conf->stapling_responder, ngx_conf_merge_str_value(conf->stapling_responder,
prev->stapling_responder, ""); prev->stapling_responder, "");
@ -371,7 +396,7 @@ index 4c4a598..a147054 100644
conf->ssl.log = cf->log; conf->ssl.log = cf->log;
if (conf->enable) { if (conf->enable) {
@@ -736,6 +754,30 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) @@ -733,6 +751,30 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
cln->handler = ngx_ssl_cleanup_ctx; cln->handler = ngx_ssl_cleanup_ctx;
cln->data = &conf->ssl; cln->data = &conf->ssl;
@ -402,7 +427,7 @@ index 4c4a598..a147054 100644
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
@@ -786,7 +828,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) @@ -783,7 +825,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
/* configure certificates */ /* configure certificates */
if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
@ -411,7 +436,7 @@ index 4c4a598..a147054 100644
!= NGX_OK) != NGX_OK)
{ {
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
@@ -1335,3 +1377,31 @@ ngx_http_ssl_init(ngx_conf_t *cf) @@ -1332,3 +1374,31 @@ ngx_http_ssl_init(ngx_conf_t *cf)
return NGX_OK; return NGX_OK;
} }
@ -470,7 +495,7 @@ index e4f721b..61efa99 100644
{ {
return NGX_ERROR; return NGX_ERROR;
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
index 28737ac..728181d 100644 index 01a04c8..066aef8 100644
--- a/src/mail/ngx_mail_ssl_module.c --- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c +++ b/src/mail/ngx_mail_ssl_module.c
@@ -13,6 +13,7 @@ @@ -13,6 +13,7 @@
@ -513,7 +538,7 @@ index 28737ac..728181d 100644
char *mode; char *mode;
ngx_pool_cleanup_t *cln; ngx_pool_cleanup_t *cln;
@@ -388,6 +400,8 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) @@ -385,6 +397,8 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL); ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
@ -522,7 +547,7 @@ index 28737ac..728181d 100644
conf->ssl.log = cf->log; conf->ssl.log = cf->log;
@@ -449,6 +463,29 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) @@ -446,6 +460,29 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
cln->handler = ngx_ssl_cleanup_ctx; cln->handler = ngx_ssl_cleanup_ctx;
cln->data = &conf->ssl; cln->data = &conf->ssl;
@ -552,7 +577,7 @@ index 28737ac..728181d 100644
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_mail_ssl_alpn_select, NULL); SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_mail_ssl_alpn_select, NULL);
#endif #endif
@@ -461,7 +498,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) @@ -458,7 +495,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
} }
if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
@ -561,7 +586,7 @@ index 28737ac..728181d 100644
!= NGX_OK) != NGX_OK)
{ {
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
@@ -745,3 +782,32 @@ ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data) @@ -742,3 +779,32 @@ ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
return NGX_CONF_OK; return NGX_CONF_OK;
#endif #endif
} }
@ -621,7 +646,7 @@ index ed275c0..1747aed 100644
{ {
return NGX_ERROR; return NGX_ERROR;
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
index 1ba1825..ba70547 100644 index c692884..a4c14ec 100644
--- a/src/stream/ngx_stream_ssl_module.c --- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c +++ b/src/stream/ngx_stream_ssl_module.c
@@ -17,6 +17,8 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, @@ -17,6 +17,8 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
@ -665,7 +690,7 @@ index 1ba1825..ba70547 100644
ngx_pool_cleanup_t *cln; ngx_pool_cleanup_t *cln;
@@ -732,6 +745,8 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) @@ -729,6 +742,8 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL); ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
@ -674,7 +699,7 @@ index 1ba1825..ba70547 100644
conf->ssl.log = cf->log; conf->ssl.log = cf->log;
@@ -779,6 +794,23 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) @@ -776,6 +791,23 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
cln->handler = ngx_ssl_cleanup_ctx; cln->handler = ngx_ssl_cleanup_ctx;
cln->data = &conf->ssl; cln->data = &conf->ssl;
@ -698,7 +723,7 @@ index 1ba1825..ba70547 100644
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
ngx_stream_ssl_servername); ngx_stream_ssl_servername);
@@ -823,7 +855,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) @@ -820,7 +852,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
/* configure certificates */ /* configure certificates */
if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
@ -707,7 +732,7 @@ index 1ba1825..ba70547 100644
!= NGX_OK) != NGX_OK)
{ {
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
@@ -1209,3 +1241,31 @@ ngx_stream_ssl_init(ngx_conf_t *cf) @@ -1206,3 +1238,31 @@ ngx_stream_ssl_init(ngx_conf_t *cf)
return NGX_OK; return NGX_OK;
} }
@ -752,3 +777,6 @@ index e7c825e..d80daa4 100644
} ngx_stream_ssl_conf_t; } ngx_stream_ssl_conf_t;
--
2.44.0

View File

@ -0,0 +1,126 @@
From e0e6437b1f1c723a52ac26a7e700113753331ecd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
Date: Thu, 13 Jun 2024 17:44:28 +0200
Subject: [PATCH] defer ENGINE_finish() calls to a cleanup
---
src/event/ngx_event_openssl.c | 51 +++++++++++++++++++++++++++--------
1 file changed, 40 insertions(+), 11 deletions(-)
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index fb05ab9..3e06791 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -16,7 +16,7 @@ typedef struct {
ngx_uint_t engine; /* unsigned engine:1; */
} ngx_openssl_conf_t;
-
+static ngx_int_t ngx_ssl_engine_cleanup(void *data);
static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err,
ngx_str_t *cert, STACK_OF(X509) **chain);
static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool,
@@ -144,6 +144,15 @@ int ngx_ssl_certificate_name_index;
int ngx_ssl_stapling_index;
+static ngx_int_t
+ngx_ssl_engine_cleanup(void *data){
+ ENGINE *e = data;
+
+ ENGINE_finish(e);
+
+ return NGX_OK;
+}
+
ngx_int_t
ngx_ssl_init(ngx_log_t *log)
{
@@ -650,8 +659,9 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
#ifndef OPENSSL_NO_ENGINE
- u_char *p, *last;
- ENGINE *engine;
+ u_char *p, *last;
+ ENGINE *engine;
+ ngx_pool_cleanup_t *cln;
p = cert->data + sizeof("engine:") - 1;
last = (u_char *) ngx_strchr(p, ':');
@@ -676,6 +686,16 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
return NULL;
}
+ cln = ngx_pool_cleanup_add(pool, 0);
+ if (cln == NULL) {
+ *err = "failed to add ENGINE cleanup";
+ ENGINE_free(engine);
+ return NULL;
+ }
+
+ cln->handler = ngx_ssl_engine_cleanup;
+ cln->data = engine;
+
*last++ = ':';
struct {
@@ -689,7 +709,6 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
return NULL;
}
- ENGINE_finish(engine);
ENGINE_free(engine);
/* set chain to null */
@@ -868,11 +887,13 @@ ngx_ssl_pass_phrase_callback(char *buf, int bufsize, int rwflag, void *u)
static EVP_PKEY *
ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, ngx_str_t *key, ngx_array_t *passwords, ngx_ssl_ppdialog_conf_t *dlg)
{
- BIO *bio;
- EVP_PKEY *pkey;
- ngx_str_t *pwd;
- ngx_uint_t tries;
- pem_password_cb *cb;
+ BIO *bio;
+ EVP_PKEY *pkey;
+ ngx_str_t *pwd;
+ ngx_uint_t tries;
+ pem_password_cb *cb;
+ ngx_pool_cleanup_t *cln;
+
if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {
@@ -904,18 +925,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, ngx_str_t *key, ngx_a
return NULL;
}
+ cln = ngx_pool_cleanup_add(pool, 0);
+ if (cln == NULL) {
+ *err = "failed to add ENGINE cleanup";
+ ENGINE_free(engine);
+ return NULL;
+ }
+
+ cln->handler = ngx_ssl_engine_cleanup;
+ cln->data = engine;
+
*last++ = ':';
pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
if (pkey == NULL) {
*err = "ENGINE_load_private_key() failed";
- ENGINE_finish(engine);
ENGINE_free(engine);
return NULL;
}
- ENGINE_finish(engine);
ENGINE_free(engine);
return pkey;
--
2.44.0

View File

@ -0,0 +1,183 @@
From f3bcc0bcfb6eda3f4874fe2531d546ba724c518c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
Date: Wed, 12 Jun 2024 12:49:28 +0200
Subject: [PATCH] Optimized chain link usage
Previously chain links could sometimes be dropped instead of being reused,
which could result in increased memory consumption during long requests.
---
src/core/ngx_output_chain.c | 10 ++++++++--
src/http/modules/ngx_http_grpc_module.c | 5 ++++-
.../modules/ngx_http_gunzip_filter_module.c | 18 ++++++++++++++----
src/http/modules/ngx_http_gzip_filter_module.c | 10 +++++++---
src/http/modules/ngx_http_ssi_filter_module.c | 8 ++++++--
src/http/modules/ngx_http_sub_filter_module.c | 8 ++++++--
6 files changed, 45 insertions(+), 14 deletions(-)
diff --git a/src/core/ngx_output_chain.c b/src/core/ngx_output_chain.c
index 5c3dbe8..4aa1b02 100644
--- a/src/core/ngx_output_chain.c
+++ b/src/core/ngx_output_chain.c
@@ -121,7 +121,10 @@ ngx_output_chain(ngx_output_chain_ctx_t *ctx, ngx_chain_t *in)
ngx_debug_point();
- ctx->in = ctx->in->next;
+ cl = ctx->in;
+ ctx->in = cl->next;
+
+ ngx_free_chain(ctx->pool, cl);
continue;
}
@@ -207,7 +210,10 @@ ngx_output_chain(ngx_output_chain_ctx_t *ctx, ngx_chain_t *in)
/* delete the completed buf from the ctx->in chain */
if (ngx_buf_size(ctx->in->buf) == 0) {
- ctx->in = ctx->in->next;
+ cl = ctx->in;
+ ctx->in = cl->next;
+
+ ngx_free_chain(ctx->pool, cl);
}
cl = ngx_alloc_chain_link(ctx->pool);
diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c
index 53bc547..9f13089 100644
--- a/src/http/modules/ngx_http_grpc_module.c
+++ b/src/http/modules/ngx_http_grpc_module.c
@@ -1230,7 +1230,7 @@ ngx_http_grpc_body_output_filter(void *data, ngx_chain_t *in)
ngx_buf_t *b;
ngx_int_t rc;
ngx_uint_t next, last;
- ngx_chain_t *cl, *out, **ll;
+ ngx_chain_t *cl, *out, *ln, **ll;
ngx_http_upstream_t *u;
ngx_http_grpc_ctx_t *ctx;
ngx_http_grpc_frame_t *f;
@@ -1458,7 +1458,10 @@ ngx_http_grpc_body_output_filter(void *data, ngx_chain_t *in)
last = 1;
}
+ ln = in;
in = in->next;
+
+ ngx_free_chain(r->pool, ln);
}
ctx->in = in;
diff --git a/src/http/modules/ngx_http_gunzip_filter_module.c b/src/http/modules/ngx_http_gunzip_filter_module.c
index c1341f5..5d170a1 100644
--- a/src/http/modules/ngx_http_gunzip_filter_module.c
+++ b/src/http/modules/ngx_http_gunzip_filter_module.c
@@ -333,6 +333,8 @@ static ngx_int_t
ngx_http_gunzip_filter_add_data(ngx_http_request_t *r,
ngx_http_gunzip_ctx_t *ctx)
{
+ ngx_chain_t *cl;
+
if (ctx->zstream.avail_in || ctx->flush != Z_NO_FLUSH || ctx->redo) {
return NGX_OK;
}
@@ -344,8 +346,11 @@ ngx_http_gunzip_filter_add_data(ngx_http_request_t *r,
return NGX_DECLINED;
}
- ctx->in_buf = ctx->in->buf;
- ctx->in = ctx->in->next;
+ cl = ctx->in;
+ ctx->in_buf = cl->buf;
+ ctx->in = cl->next;
+
+ ngx_free_chain(r->pool, cl);
ctx->zstream.next_in = ctx->in_buf->pos;
ctx->zstream.avail_in = ctx->in_buf->last - ctx->in_buf->pos;
@@ -374,6 +379,7 @@ static ngx_int_t
ngx_http_gunzip_filter_get_buf(ngx_http_request_t *r,
ngx_http_gunzip_ctx_t *ctx)
{
+ ngx_chain_t *cl;
ngx_http_gunzip_conf_t *conf;
if (ctx->zstream.avail_out) {
@@ -383,8 +389,12 @@ ngx_http_gunzip_filter_get_buf(ngx_http_request_t *r,
conf = ngx_http_get_module_loc_conf(r, ngx_http_gunzip_filter_module);
if (ctx->free) {
- ctx->out_buf = ctx->free->buf;
- ctx->free = ctx->free->next;
+
+ cl = ctx->free;
+ ctx->out_buf = cl->buf;
+ ctx->free = cl->next;
+
+ ngx_free_chain(r->pool, cl);
ctx->out_buf->flush = 0;
diff --git a/src/http/modules/ngx_http_gzip_filter_module.c b/src/http/modules/ngx_http_gzip_filter_module.c
index b8c5ccc..1d17a6d 100644
--- a/src/http/modules/ngx_http_gzip_filter_module.c
+++ b/src/http/modules/ngx_http_gzip_filter_module.c
@@ -978,10 +978,14 @@ static void
ngx_http_gzip_filter_free_copy_buf(ngx_http_request_t *r,
ngx_http_gzip_ctx_t *ctx)
{
- ngx_chain_t *cl;
+ ngx_chain_t *cl, *ln;
+
+ for (cl = ctx->copied; cl; /* void */) {
+ ln = cl;
+ cl = cl->next;
- for (cl = ctx->copied; cl; cl = cl->next) {
- ngx_pfree(r->pool, cl->buf->start);
+ ngx_pfree(r->pool, ln->buf->start);
+ ngx_free_chain(r->pool, ln);
}
ctx->copied = NULL;
diff --git a/src/http/modules/ngx_http_ssi_filter_module.c b/src/http/modules/ngx_http_ssi_filter_module.c
index 6737965..a55f6e5 100644
--- a/src/http/modules/ngx_http_ssi_filter_module.c
+++ b/src/http/modules/ngx_http_ssi_filter_module.c
@@ -455,9 +455,13 @@ ngx_http_ssi_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
while (ctx->in || ctx->buf) {
if (ctx->buf == NULL) {
- ctx->buf = ctx->in->buf;
- ctx->in = ctx->in->next;
+
+ cl = ctx->in;
+ ctx->buf = cl->buf;
+ ctx->in = cl->next;
ctx->pos = ctx->buf->pos;
+
+ ngx_free_chain(r->pool, cl);
}
if (ctx->state == ssi_start_state) {
diff --git a/src/http/modules/ngx_http_sub_filter_module.c b/src/http/modules/ngx_http_sub_filter_module.c
index 6d3de59..456bb27 100644
--- a/src/http/modules/ngx_http_sub_filter_module.c
+++ b/src/http/modules/ngx_http_sub_filter_module.c
@@ -335,9 +335,13 @@ ngx_http_sub_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
while (ctx->in || ctx->buf) {
if (ctx->buf == NULL) {
- ctx->buf = ctx->in->buf;
- ctx->in = ctx->in->next;
+
+ cl = ctx->in;
+ ctx->buf = cl->buf;
+ ctx->in = cl->next;
ctx->pos = ctx->buf->pos;
+
+ ngx_free_chain(r->pool, cl);
}
if (ctx->buf->flush || ctx->buf->recycled) {
--
2.44.0

View File

@ -56,7 +56,7 @@
Name: nginx Name: nginx
Epoch: 1 Epoch: 1
Version: 1.24.0 Version: 1.24.0
Release: 1%{?dist} Release: 4%{?dist}
Summary: A high performance web server and reverse proxy server Summary: A high performance web server and reverse proxy server
# BSD License (two clause) # BSD License (two clause)
@ -114,6 +114,12 @@ Patch6: 0008-add-ssl-pass-phrase-dialog.patch
# security fix - https://issues.redhat.com/browse/RHEL-12737 # security fix - https://issues.redhat.com/browse/RHEL-12737
Patch7: 0009-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch Patch7: 0009-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch
# downstream patch - https://issues.redhat.com/browse/RHEL-40621
Patch8: 0010-defer-ENGINE_finish-calls-to-a-cleanup.patch
# upstream patch - https://issues.redhat.com/browse/RHEL-40075
Patch9: 0011-Optimized-chain-link-usage.patch
BuildRequires: make BuildRequires: make
BuildRequires: gcc BuildRequires: gcc
BuildRequires: gnupg2 BuildRequires: gnupg2
@ -626,6 +632,15 @@ fi
%changelog %changelog
* Tue Jul 16 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-4
- Resolves: RHEL-49350 - nginx worker processes memory leak
* Thu Jun 13 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-3
- Resolves: RHEL-40622 - openssl 3.2 ENGINE regression in nginx
* Thu May 23 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-2
- Resolves: RHEL-38498 - Nginx seg faults when proxy_ssl_certificate is set
* Thu Jan 18 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-1 * Thu Jan 18 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-1
- new version 1.24.0 - new version 1.24.0