Compare commits
6 Commits
3db21ff1ce
...
474975c123
Author | SHA1 | Date |
---|---|---|
geniuss99 | 474975c123 | |
lijunlong | 9c9495b6f9 | |
geniuss99 | 95f74a2fcf | |
geniuss99 | 279b9b872e | |
geniuss99 | e892c61bc1 | |
geniuss99 | d8b346e27c |
@ -0,0 +1,117 @@
|
|||
diff --binary -Nur nginx-1.13.7.1-original/auto/cc/msvc nginx-1.13.7.1-msvc/auto/cc/msvc
|
||||
--- nginx-1.13.7.1-original/auto/cc/msvc 2017-11-21 19:09:44 +0400
|
||||
+++ nginx-1.13.7.1-msvc/auto/cc/msvc 2018-01-07 13:00:37 +0400
|
||||
@@ -13,6 +13,7 @@
|
||||
|
||||
NGX_MSVC_VER=`$NGX_WINE $CC 2>&1 | grep 'Compiler Version' 2>&1 \
|
||||
| sed -e 's/^.* Version \(.*\)/\1/'`
|
||||
+NGX_MSVC_TYPE=`echo $NGX_MSVC_VER | sed -e 's/^.* for \([a-zA-Z0-9]*\)$/\1/'`
|
||||
|
||||
echo " + cl version: $NGX_MSVC_VER"
|
||||
|
||||
@@ -120,11 +121,11 @@
|
||||
|
||||
|
||||
# precompiled headers
|
||||
-CORE_DEPS="$CORE_DEPS $NGX_OBJS/ngx_config.pch"
|
||||
-CORE_LINK="$CORE_LINK $NGX_OBJS/ngx_pch.obj"
|
||||
-NGX_PCH="$NGX_OBJS/ngx_config.pch"
|
||||
-NGX_BUILD_PCH="-Ycngx_config.h -Fp$NGX_OBJS/ngx_config.pch"
|
||||
-NGX_USE_PCH="-Yungx_config.h -Fp$NGX_OBJS/ngx_config.pch"
|
||||
+#CORE_DEPS="$CORE_DEPS $NGX_OBJS/ngx_config.pch"
|
||||
+#CORE_LINK="$CORE_LINK $NGX_OBJS/ngx_pch.obj"
|
||||
+#NGX_PCH="$NGX_OBJS/ngx_config.pch"
|
||||
+#NGX_BUILD_PCH="-Ycngx_config.h -Fp$NGX_OBJS/ngx_config.pch"
|
||||
+#NGX_USE_PCH="-Yungx_config.h -Fp$NGX_OBJS/ngx_config.pch"
|
||||
|
||||
|
||||
# the resource file
|
||||
diff --binary -Nur nginx-1.13.7.1-original/auto/feature nginx-1.13.7.1-msvc/auto/feature
|
||||
--- nginx-1.13.7.1-original/auto/feature 2017-11-21 19:09:44 +0400
|
||||
+++ nginx-1.13.7.1-msvc/auto/feature 2018-01-07 13:13:18 +0400
|
||||
@@ -38,15 +38,19 @@
|
||||
|
||||
END
|
||||
|
||||
-
|
||||
-ngx_test="$CC $CC_TEST_FLAGS $CC_AUX_FLAGS $ngx_feature_inc_path \
|
||||
- -o $NGX_AUTOTEST $NGX_AUTOTEST.c $NGX_TEST_LD_OPT $ngx_feature_libs"
|
||||
+ngx_test=
|
||||
+if [ "$NGX_CC_NAME" = msvc ]; then
|
||||
+ ngx_test="$CC $CC_TEST_FLAGS $CC_AUX_FLAGS $ngx_feature_inc_path \
|
||||
+ $NGX_AUTOTEST.c $ngx_feature_libs -link -out:$NGX_AUTOTEST $NGX_TEST_LD_OPT"
|
||||
+else
|
||||
+ ngx_test="$CC $CC_TEST_FLAGS $CC_AUX_FLAGS $ngx_feature_inc_path \
|
||||
+ -o $NGX_AUTOTEST $NGX_AUTOTEST.c $NGX_TEST_LD_OPT $ngx_feature_libs"
|
||||
+fi
|
||||
|
||||
ngx_feature_inc_path=
|
||||
|
||||
eval "/bin/sh -c \"$ngx_test\" >> $NGX_AUTOCONF_ERR 2>&1"
|
||||
|
||||
-
|
||||
if [ -x $NGX_AUTOTEST ]; then
|
||||
|
||||
case "$ngx_feature_run" in
|
||||
diff --binary -Nur nginx-1.13.7.1-original/auto/lib/openssl/make nginx-1.13.7.1-msvc/auto/lib/openssl/make
|
||||
--- nginx-1.13.7.1-original/auto/lib/openssl/make 2017-11-21 19:09:44 +0400
|
||||
+++ nginx-1.13.7.1-msvc/auto/lib/openssl/make 2018-01-01 17:32:30 +0400
|
||||
@@ -10,7 +10,7 @@
|
||||
cat << END >> $NGX_MAKEFILE
|
||||
|
||||
$OPENSSL/openssl/include/openssl/ssl.h: $NGX_MAKEFILE
|
||||
- \$(MAKE) -f auto/lib/openssl/makefile.msvc \
|
||||
+ \$(MAKE) -f auto/lib/openssl/makefile-$NGX_MSVC_TYPE.msvc \
|
||||
OPENSSL="$OPENSSL" OPENSSL_OPT="$OPENSSL_OPT"
|
||||
|
||||
END
|
||||
diff --binary -Nur nginx-1.13.7.1-original/auto/lib/openssl/makefile-x64.msvc nginx-1.13.7.1-msvc/auto/lib/openssl/makefile-x64.msvc
|
||||
--- nginx-1.13.7.1-original/auto/lib/openssl/makefile-x64.msvc 1970-01-01 04:00:00 +0400
|
||||
+++ nginx-1.13.7.1-msvc/auto/lib/openssl/makefile-x64.msvc 2018-01-10 16:50:39 +0400
|
||||
@@ -0,0 +1,21 @@
|
||||
+
|
||||
+# Copyright (C) Igor Sysoev
|
||||
+# Copyright (C) Nginx, Inc.
|
||||
+
|
||||
+
|
||||
+all:
|
||||
+ cd $(OPENSSL)
|
||||
+
|
||||
+ perl Configure VC-WIN64A no-shared \
|
||||
+ --prefix="%cd%/openssl" \
|
||||
+ --openssldir="%cd%/openssl/ssl" \
|
||||
+ $(OPENSSL_OPT)
|
||||
+
|
||||
+ if exist ms\do_win64a.bat ( \
|
||||
+ ms\do_win64a \
|
||||
+ && $(MAKE) -f ms\nt.mak \
|
||||
+ && $(MAKE) -f ms\nt.mak install \
|
||||
+ ) else ( \
|
||||
+ $(MAKE) \
|
||||
+ && $(MAKE) install_sw \
|
||||
+ )
|
||||
diff --binary -Nur nginx-1.13.7.1-original/auto/lib/openssl/makefile-x86.msvc nginx-1.13.7.1-msvc/auto/lib/openssl/makefile-x86.msvc
|
||||
--- nginx-1.13.7.1-original/auto/lib/openssl/makefile-x86.msvc 1970-01-01 04:00:00 +0400
|
||||
+++ nginx-1.13.7.1-msvc/auto/lib/openssl/makefile-x86.msvc 2018-01-10 16:49:41 +0400
|
||||
@@ -0,0 +1,21 @@
|
||||
+
|
||||
+# Copyright (C) Igor Sysoev
|
||||
+# Copyright (C) Nginx, Inc.
|
||||
+
|
||||
+
|
||||
+all:
|
||||
+ cd $(OPENSSL)
|
||||
+
|
||||
+ perl Configure VC-WIN32 no-shared \
|
||||
+ --prefix="%cd%/openssl" \
|
||||
+ --openssldir="%cd%/openssl/ssl" \
|
||||
+ $(OPENSSL_OPT)
|
||||
+
|
||||
+ if exist ms\do_nasm.bat ( \
|
||||
+ ms\do_nasm \
|
||||
+ && $(MAKE) -f ms\nt.mak \
|
||||
+ && $(MAKE) -f ms\nt.mak install \
|
||||
+ ) else ( \
|
||||
+ $(MAKE) \
|
||||
+ && $(MAKE) install_sw \
|
||||
+ )
|
|
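Review bot: `NGX_MSVC_TYPE` in the auto/cc/msvc hunk is never validated, yet the auto/lib/openssl/make hunk splices it straight into `makefile-$NGX_MSVC_TYPE.msvc`, so a cl banner that does not end in ` for x86` or ` for x64` (an ARM64 toolchain, or a localized banner that the sed pattern does not match at all) leaves the whole version string, spaces included, in the variable and the build dies later on an unquoted `$(MAKE) -f` argument for a makefile that does not exist. The patch only ships makefile-x86.msvc and makefile-x64.msvc, so reject anything else right after the assignment: `case "$NGX_MSVC_TYPE" in x86|x64) ;; *) echo "$0: unsupported MSVC target \"$NGX_MSVC_TYPE\"" >&2; exit 1 ;; esac`. A one-line comment above the assignment, `# target arch from the "... for x64" suffix of the cl banner; selects auto/lib/openssl/makefile-<arch>.msvc`, would also save the next reader a trip through three files. The two new makefiles otherwise mirror the recipe shape of the original makefile.msvc, with the x64 one switching to VC-WIN64A and ms\do_win64a; the `if exist ... else` split presumably covers two OpenSSL layouts, which cannot be confirmed from this page.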
@ -0,0 +1,36 @@
|
|||
commit 5902baf680609f884a1e11ff2b82a0bffb3724cc
|
||||
Author: Sergey Kandaurov <pluknet@nginx.com>
|
||||
Date: Wed Feb 14 15:55:34 2024 +0400
|
||||
|
||||
QUIC: trial packet decryption in response to invalid key update.
|
||||
|
||||
Inspired by RFC 9001, Section 6.3, trial packet decryption with the current
|
||||
keys is now used to avoid a timing side-channel signal. Further, this fixes
|
||||
segfault while accessing missing next keys (ticket #2585).
|
||||
|
||||
diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
|
||||
index 88e6954cf..8223626b6 100644
|
||||
--- a/src/event/quic/ngx_event_quic_protection.c
|
||||
+++ b/src/event/quic/ngx_event_quic_protection.c
|
||||
@@ -1144,8 +1144,19 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn)
|
||||
key_phase = (pkt->flags & NGX_QUIC_PKT_KPHASE) != 0;
|
||||
|
||||
if (key_phase != pkt->key_phase) {
|
||||
- secret = &pkt->keys->next_key.client;
|
||||
- pkt->key_update = 1;
|
||||
+ if (pkt->keys->next_key.client.ctx != NULL) {
|
||||
+ secret = &pkt->keys->next_key.client;
|
||||
+ pkt->key_update = 1;
|
||||
+
|
||||
+ } else {
|
||||
+ /*
|
||||
+ * RFC 9001, 6.3. Timing of Receive Key Generation.
|
||||
+ *
|
||||
+ * Trial decryption to avoid timing side-channel.
|
||||
+ */
|
||||
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
|
||||
+ "quic next key missing");
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
|
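Review bot: The new else branch leaves `secret` pointing at the current-phase keys (assigned above the hunk) with `pkt->key_update` clear, so the packet is pushed through the ordinary AEAD path, but the comment says neither that this is deliberate nor what the outcome is; a reader could take the empty branch for an oversight. Suggest replacing the comment body with: `/* no next-phase keys exist yet (peer flipped KEY_PHASE before we generated them): decrypt with the current keys so an undecryptable packet costs the same and fails the same way as any corrupt packet, rather than a short-circuit reject that would reveal key state */`. It is also worth stating, in the comment or the commit message, that a packet whose KEY_PHASE bit differs but which nevertheless decrypts under the current keys is now accepted as an ordinary packet; whether a later check in ngx_quic_decrypt treats that as a protocol violation cannot be told from here, since the function continues outside the hunk.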
@ -0,0 +1,27 @@
|
|||
commit 5818f8a6693b3c0d95021f2ee58b69dcf848911c
|
||||
Author: Roman Arutyunyan <arut@nginx.com>
|
||||
Date: Wed Feb 14 15:55:37 2024 +0400
|
||||
|
||||
QUIC: fixed stream cleanup (ticket #2586).
|
||||
|
||||
Stream connection cleanup handler ngx_quic_stream_cleanup_handler() calls
|
||||
ngx_quic_shutdown_stream() after which it resets the pointer from quic stream
|
||||
to the connection (sc->connection = NULL). Previously if this call failed,
|
||||
sc->connection retained the old value, while the connection was freed by the
|
||||
application code. This resulted later in a second attempt to close the freed
|
||||
connection, which lead to allocator double free error.
|
||||
|
||||
The fix is to reset the sc->connection pointer in case of error.
|
||||
|
||||
diff --git a/src/event/quic/ngx_event_quic_streams.c b/src/event/quic/ngx_event_quic_streams.c
|
||||
index df04d0f07..178b805e4 100644
|
||||
--- a/src/event/quic/ngx_event_quic_streams.c
|
||||
+++ b/src/event/quic/ngx_event_quic_streams.c
|
||||
@@ -1097,6 +1097,7 @@ ngx_quic_stream_cleanup_handler(void *data)
|
||||
"quic stream id:0x%xL cleanup", qs->id);
|
||||
|
||||
if (ngx_quic_shutdown_stream(c, NGX_RDWR_SHUTDOWN) != NGX_OK) {
|
||||
+ qs->connection = NULL;
|
||||
goto failed;
|
||||
}
|
||||
|
|
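Review bot: The added `qs->connection = NULL;` only covers the error path, while the description says the success path resets the same pointer after the call, so the invariant "after this handler qs no longer points at c" is now maintained in two places that must stay in sync. Because `ngx_quic_shutdown_stream()` receives `c` explicitly, the reset could be hoisted to just before the call so both paths share it, `qs->connection = NULL; if (ngx_quic_shutdown_stream(c, NGX_RDWR_SHUTDOWN) != NGX_OK) { goto failed; }`, provided that function does not itself read qs->connection, which cannot be confirmed from the hunk. Whichever placement is kept, a comment at the assignment, `/* c is freed by the application after this handler; never leave qs with a dangling back-pointer (double free otherwise) */`, records why the reset must happen on every exit path. The `failed:` label and the rest of ngx_quic_stream_cleanup_handler lie outside the hunk.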
@ -513,6 +513,18 @@ if [ "$answer" = "Y" ]; then
|
|||
fi
|
||||
fi
|
||||
|
||||
answer=`$root/util/ver-ge "$main_ver" 1.25.3`
|
||||
if [ "$answer" = "Y" ]; then
|
||||
answer=`$root/util/ver-ge "$main_ver" 1.25.4`
|
||||
if [ "$answer" = "N" ]; then
|
||||
echo "$info_txt applying the patch for nginx security advisory (CVE-2024-24989)"
|
||||
patch -p1 < $root/patches/nginx-CVE-2024-24989.patch || exit 1
|
||||
echo "$info_txt applying the patch for nginx security advisory (CVE-2024-24990)"
|
||||
patch -p1 < $root/patches/nginx-CVE-2024-24990.patch || exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
echo "$info_txt applying the upstream_timeout_fields patch for nginx"
|
||||
patch -p1 < $root/patches/nginx-$main_ver-upstream_timeout_fields.patch || exit 1
|
||||
echo
|
||||
|
|
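Review bot: The version gate applies the two QUIC patches only when the bundled nginx is exactly 1.25.3 (`ver-ge 1.25.3` true and `ver-ge 1.25.4` false), whereas the nginx advisory for CVE-2024-24989/24990 lists, as far as I recall, the earlier 1.25.x releases as affected too; if an older 1.25.x can still be built from this script that is a silent miss, and if 1.25.3 is the only supported version a comment should say so, e.g. `# fixed upstream in 1.25.4; 1.25.3 is the only 1.25.x bundled here`, so the next version bump does not widen or drop the gate by accident. `patch -p1` also runs with its default fuzz, so a hunk that lands at an offset or with fuzzed context is still accepted; for a single-version security backport into QUIC code, `patch -p1 -F0` would turn a mismatched source tree into a hard failure rather than a near miss that is only visible in the build log. The enclosing `if [ "$answer" = "Y" ]` chain begins before the hunk.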