Compare commits

..

No commits in common. 'c9' and 'c9-beta' have entirely different histories.
c9 ... c9-beta

@ -0,0 +1,126 @@
From f177201770c75e72ff9c4686b0488a1c4344140c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
Date: Mon, 10 Jun 2024 18:22:34 +0200
Subject: [PATCH] defer ENGINE_finish() calls to a cleanup
---
src/event/ngx_event_openssl.c | 51 +++++++++++++++++++++++++++--------
1 file changed, 40 insertions(+), 11 deletions(-)
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 2b3c576..b3f06ea 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -17,7 +17,7 @@ typedef struct {
ngx_uint_t engine; /* unsigned engine:1; */
} ngx_openssl_conf_t;
-
+static ngx_int_t ngx_ssl_engine_cleanup(void *data);
static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err,
ngx_str_t *cert, STACK_OF(X509) **chain);
static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
@@ -137,6 +137,15 @@ int ngx_ssl_certificate_name_index;
int ngx_ssl_stapling_index;
+static ngx_int_t
+ngx_ssl_engine_cleanup(void *data){
+ ENGINE *e = data;
+
+ ENGINE_finish(e);
+
+ return NGX_OK;
+}
+
ngx_int_t
ngx_ssl_init(ngx_log_t *log)
{
@@ -628,8 +637,9 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
#ifndef OPENSSL_NO_ENGINE
- u_char *p, *last;
- ENGINE *engine;
+ u_char *p, *last;
+ ENGINE *engine;
+ ngx_pool_cleanup_t *cln;
p = cert->data + sizeof("engine:") - 1;
last = (u_char *) ngx_strchr(p, ':');
@@ -654,6 +664,16 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
return NULL;
}
+ cln = ngx_pool_cleanup_add(pool, 0);
+ if (cln == NULL) {
+ *err = "failed to add ENGINE cleanup";
+ ENGINE_free(engine);
+ return NULL;
+ }
+
+ cln->handler = ngx_ssl_engine_cleanup;
+ cln->data = engine;
+
*last++ = ':';
struct {
@@ -667,7 +687,6 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
return NULL;
}
- ENGINE_finish(engine);
ENGINE_free(engine);
/* set chain to null */
@@ -775,11 +794,13 @@ static EVP_PKEY *
ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
ngx_str_t *key, ngx_array_t *passwords)
{
- BIO *bio;
- EVP_PKEY *pkey;
- ngx_str_t *pwd;
- ngx_uint_t tries;
- pem_password_cb *cb;
+ BIO *bio;
+ EVP_PKEY *pkey;
+ ngx_str_t *pwd;
+ ngx_uint_t tries;
+ pem_password_cb *cb;
+ ngx_pool_cleanup_t *cln;
+
if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {
@@ -811,18 +832,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
return NULL;
}
+ cln = ngx_pool_cleanup_add(pool, 0);
+ if (cln == NULL) {
+ *err = "failed to add ENGINE cleanup";
+ ENGINE_free(engine);
+ return NULL;
+ }
+
+ cln->handler = ngx_ssl_engine_cleanup;
+ cln->data = engine;
+
*last++ = ':';
pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
if (pkey == NULL) {
*err = "ENGINE_load_private_key() failed";
- ENGINE_finish(engine);
ENGINE_free(engine);
return NULL;
}
- ENGINE_finish(engine);
ENGINE_free(engine);
return pkey;
--
2.44.0

@ -39,9 +39,9 @@
Name: nginx
Epoch: 1
Epoch: 2
Version: 1.20.1
Release: 16%{?dist}.1
Release: 20%{?dist}
Summary: A high performance web server and reverse proxy server
# BSD License (two clause)
@ -94,8 +94,11 @@ Patch6: 0007-Enable-TLSv1.3-by-default.patch
# security patch - https://issues.redhat.com/browse/RHEL-12518
Patch7: 0008-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch
# downstream patch for RHEL - https://issues.redhat.com/browse/RHEL-40371
Patch8: 0009-defer-ENGINE_finish-calls-to-a-cleanup.patch
# upstream patch - https://issues.redhat.com/browse/RHEL-40075
Patch8: 0009-Optimized-chain-link-usage.patch
Patch9: 0010-Optimized-chain-link-usage.patch
BuildRequires: make
BuildRequires: gcc
@ -608,8 +611,16 @@ fi
%changelog
* Tue Jul 16 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-16.1
- Resolves: RHEL-48791 - nginx worker processes memory leak
* Mon Jul 15 2024 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-20
- Resolves: RHEL-40075 - nginx worker processes memory leak
* Mon Jun 10 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-19
- Resolves: RHEL-40371- openssl 3.2 ENGINE regression
* Thu May 30 2024 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-17
- bump package epoch to resolve RHEL-33939
- Resolves: RHEL-33939 - Update path for nginx broken for existing CS
installations
* Mon Oct 16 2023 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-16
- Resolves: RHEL-12518 - nginx: HTTP/2: Multiple HTTP/2 enabled web servers are

Loading…
Cancel
Save