lijunlong
d0ada893fe use redis from openresty fork. 2023-11-23 21:42:52 +08:00
8 changed files with 458 additions and 553 deletions


@@ -1,36 +0,0 @@
commit 5902baf680609f884a1e11ff2b82a0bffb3724cc
Author: Sergey Kandaurov <pluknet@nginx.com>
Date: Wed Feb 14 15:55:34 2024 +0400
QUIC: trial packet decryption in response to invalid key update.
Inspired by RFC 9001, Section 6.3, trial packet decryption with the current
keys is now used to avoid a timing side-channel signal. Further, this fixes
segfault while accessing missing next keys (ticket #2585).
diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
index 88e6954cf..8223626b6 100644
--- a/src/event/quic/ngx_event_quic_protection.c
+++ b/src/event/quic/ngx_event_quic_protection.c
@@ -1144,8 +1144,19 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn)
key_phase = (pkt->flags & NGX_QUIC_PKT_KPHASE) != 0;
if (key_phase != pkt->key_phase) {
- secret = &pkt->keys->next_key.client;
- pkt->key_update = 1;
+ if (pkt->keys->next_key.client.ctx != NULL) {
+ secret = &pkt->keys->next_key.client;
+ pkt->key_update = 1;
+
+ } else {
+ /*
+ * RFC 9001, 6.3. Timing of Receive Key Generation.
+ *
+ * Trial decryption to avoid timing side-channel.
+ */
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
+ "quic next key missing");
+ }
}
}


@@ -1,27 +0,0 @@
commit 5818f8a6693b3c0d95021f2ee58b69dcf848911c
Author: Roman Arutyunyan <arut@nginx.com>
Date: Wed Feb 14 15:55:37 2024 +0400
QUIC: fixed stream cleanup (ticket #2586).
Stream connection cleanup handler ngx_quic_stream_cleanup_handler() calls
ngx_quic_shutdown_stream() after which it resets the pointer from quic stream
to the connection (sc->connection = NULL). Previously if this call failed,
sc->connection retained the old value, while the connection was freed by the
application code. This resulted later in a second attempt to close the freed
connection, which lead to allocator double free error.
The fix is to reset the sc->connection pointer in case of error.
diff --git a/src/event/quic/ngx_event_quic_streams.c b/src/event/quic/ngx_event_quic_streams.c
index df04d0f07..178b805e4 100644
--- a/src/event/quic/ngx_event_quic_streams.c
+++ b/src/event/quic/ngx_event_quic_streams.c
@@ -1097,6 +1097,7 @@ ngx_quic_stream_cleanup_handler(void *data)
"quic stream id:0x%xL cleanup", qs->id);
if (ngx_quic_shutdown_stream(c, NGX_RDWR_SHUTDOWN) != NGX_OK) {
+ qs->connection = NULL;
goto failed;
}


@@ -1,13 +1,13 @@
#!/bin/bash #!/bin/bash
PCRE=pcre-8.45 PCRE=pcre-8.45
ZLIB=zlib-1.3 ZLIB=zlib-1.2.13
OPENSSL=openssl-1.1.1w OPENSSL=openssl-1.1.1t
JOBS=12 JOBS=12
# wget https://www.openssl.org/source/openssl-1.1.1w.tar.gz # wget https://www.openssl.org/source/openssl-1.1.1p.tar.gz
# wget http://zlib.net/zlib-1.3.tar.gz # wget http://zlib.net/zlib-1.2.12.tar.gz
# wget https://ftp.pcre.org/pub/pcre/pcre-8.45.tar.gz # wget https://ftp.pcre.org/pub/pcre/pcre-8.44.tar.gz
rm -rf objs || exit 1 rm -rf objs || exit 1
mkdir -p objs/lib || exit 1 mkdir -p objs/lib || exit 1


@@ -513,18 +513,6 @@ if [ "$answer" = "Y" ]; then
fi fi
fi fi
answer=`$root/util/ver-ge "$main_ver" 1.25.3`
if [ "$answer" = "Y" ]; then
answer=`$root/util/ver-ge "$main_ver" 1.25.4`
if [ "$answer" = "N" ]; then
echo "$info_txt applying the patch for nginx security advisory (CVE-2024-24989)"
patch -p1 < $root/patches/nginx-CVE-2024-24989.patch || exit 1
echo "$info_txt applying the patch for nginx security advisory (CVE-2024-24990)"
patch -p1 < $root/patches/nginx-CVE-2024-24990.patch || exit 1
fi
fi
echo "$info_txt applying the upstream_timeout_fields patch for nginx" echo "$info_txt applying the upstream_timeout_fields patch for nginx"
patch -p1 < $root/patches/nginx-$main_ver-upstream_timeout_fields.patch || exit 1 patch -p1 < $root/patches/nginx-$main_ver-upstream_timeout_fields.patch || exit 1
echo echo
@@ -597,7 +585,7 @@ mv openresty-rds-csv-nginx-module-* rds-csv-nginx-module-$ver || exit 1
################################# #################################
ver=0.37 ver=0.36
$root/util/get-tarball "https://github.com/openresty/headers-more-nginx-module/tarball/v$ver" -O headers-more-nginx-module-$ver.tar.gz || exit 1 $root/util/get-tarball "https://github.com/openresty/headers-more-nginx-module/tarball/v$ver" -O headers-more-nginx-module-$ver.tar.gz || exit 1
tar -xzf headers-more-nginx-module-$ver.tar.gz || exit 1 tar -xzf headers-more-nginx-module-$ver.tar.gz || exit 1
mv openresty-headers-more-nginx-module-* headers-more-nginx-module-$ver || exit 1 mv openresty-headers-more-nginx-module-* headers-more-nginx-module-$ver || exit 1
@@ -611,7 +599,7 @@ mv openresty-drizzle-nginx-module-* drizzle-nginx-module-$ver || exit 1
################################# #################################
ver=0.10.26 ver=0.10.25
$root/util/get-tarball "https://github.com/openresty/lua-nginx-module/archive/v$ver.tar.gz" -O lua-nginx-module-$ver.tar.gz || exit 1 $root/util/get-tarball "https://github.com/openresty/lua-nginx-module/archive/v$ver.tar.gz" -O lua-nginx-module-$ver.tar.gz || exit 1
tar -xzf lua-nginx-module-$ver.tar.gz || exit 1 tar -xzf lua-nginx-module-$ver.tar.gz || exit 1
mv lua-nginx-module-$ver ngx_lua-$ver || exit 1 mv lua-nginx-module-$ver ngx_lua-$ver || exit 1
@@ -625,7 +613,7 @@ mv openresty-lua-upstream-nginx-module-* ngx_lua_upstream-$ver || exit 1
################################# #################################
ver=0.0.14 ver=0.0.13
$root/util/get-tarball "https://github.com/openresty/stream-lua-nginx-module/tarball/v$ver" -O stream-lua-nginx-module-$ver.tar.gz || exit 1 $root/util/get-tarball "https://github.com/openresty/stream-lua-nginx-module/tarball/v$ver" -O stream-lua-nginx-module-$ver.tar.gz || exit 1
tar -xzf stream-lua-nginx-module-$ver.tar.gz || exit 1 tar -xzf stream-lua-nginx-module-$ver.tar.gz || exit 1
mv openresty-stream-lua-nginx-module-* ngx_stream_lua-$ver || exit 1 mv openresty-stream-lua-nginx-module-* ngx_stream_lua-$ver || exit 1
@@ -639,7 +627,7 @@ mv openresty-array-var-nginx-module-* array-var-nginx-module-$ver || exit 1
################################# #################################
ver=0.20 ver=0.19
$root/util/get-tarball "https://github.com/openresty/memc-nginx-module/tarball/v$ver" -O memc-nginx-module-$ver.tar.gz || exit 1 $root/util/get-tarball "https://github.com/openresty/memc-nginx-module/tarball/v$ver" -O memc-nginx-module-$ver.tar.gz || exit 1
tar -xzf memc-nginx-module-$ver.tar.gz || exit 1 tar -xzf memc-nginx-module-$ver.tar.gz || exit 1
mv openresty-memc-nginx-module-* memc-nginx-module-$ver || exit 1 mv openresty-memc-nginx-module-* memc-nginx-module-$ver || exit 1
@@ -681,30 +669,10 @@ mv openresty-encrypted-session-nginx-module-* encrypted-session-nginx-module-$ve
#mv ngx_http_upstream_keepalive-* upstream-keepalive-nginx-module-$ver || exit 1 #mv ngx_http_upstream_keepalive-* upstream-keepalive-nginx-module-$ver || exit 1
################################# #################################
ver=0.4.0.1
ver=0.3.9 $root/util/get-tarball "https://github.com/openresty/ngx_http_redis/tarball/v$ver" -O ngx_http_redis-$ver.tar.gz || exit 1
$root/util/get-tarball "https://people.freebsd.org/~osa/ngx_http_redis-$ver.tar.gz" -O redis-nginx-module-$ver.tar.gz || exit 1 tar -xzf ngx_http_redis-$ver.tar.gz || exit 1
tar -xzf redis-nginx-module-$ver.tar.gz || exit 1 mv openresty-ngx_http_redis-* ngx_http_redis-$ver || exit 1
mv ngx_http_redis-* redis-nginx-module-$ver || exit 1
cd redis-nginx-module-$ver
echo "applying ngx_http_redis-$ver-variables_in_redis_pass.patch"
patch -p1 < $root/patches/ngx_http_redis-$ver-variables_in_redis_pass.patch || exit 1
echo
echo "applying ngx_http_redis-$ver-default_port_fix.patch"
patch -p1 < $root/patches/ngx_http_redis-$ver-default_port_fix.patch || exit 1
echo
answer=`$root/util/ver-ge "$main_ver" 1.23.0`
if [ "$answer" = "Y" ]; then
echo
echo "applying ngx_http_redis-$ver-remove_content_encoding.patch"
patch -p1 < $root/patches/ngx_http_redis-$ver-remove_content_encoding.patch || exit 1
echo
fi
cd ..
################################# #################################
@@ -737,7 +705,7 @@ resty_cli=resty-cli-$ver
################################# #################################
ver=0.0.8 ver=0.0.7
$root/util/get-tarball "https://github.com/openresty/opm/tarball/v$ver" -O opm-$ver.tar.gz || exit 1 $root/util/get-tarball "https://github.com/openresty/opm/tarball/v$ver" -O opm-$ver.tar.gz || exit 1
tar -xzf opm-$ver.tar.gz || exit 1 tar -xzf opm-$ver.tar.gz || exit 1
mv openresty-opm-* opm-$ver || exit 1 mv openresty-opm-* opm-$ver || exit 1
@@ -809,7 +777,7 @@ mv openresty-lua-resty-redis-* lua-resty-redis-$ver || exit 1
################################# #################################
ver=0.27 ver=0.26
$root/util/get-tarball "https://github.com/openresty/lua-resty-mysql/tarball/v$ver" -O "lua-resty-mysql-$ver.tar.gz" || exit 1 $root/util/get-tarball "https://github.com/openresty/lua-resty-mysql/tarball/v$ver" -O "lua-resty-mysql-$ver.tar.gz" || exit 1
tar -xzf lua-resty-mysql-$ver.tar.gz || exit 1 tar -xzf lua-resty-mysql-$ver.tar.gz || exit 1
mv openresty-lua-resty-mysql-* lua-resty-mysql-$ver || exit 1 mv openresty-lua-resty-mysql-* lua-resty-mysql-$ver || exit 1
@@ -886,7 +854,7 @@ cd ..
################################# #################################
ver=0.1.28 ver=0.1.27
$root/util/get-tarball "https://github.com/openresty/lua-resty-core/tarball/v$ver" -O "lua-resty-core-$ver.tar.gz" || exit 1 $root/util/get-tarball "https://github.com/openresty/lua-resty-core/tarball/v$ver" -O "lua-resty-core-$ver.tar.gz" || exit 1
tar -xzf lua-resty-core-$ver.tar.gz || exit 1 tar -xzf lua-resty-core-$ver.tar.gz || exit 1
mv openresty-lua-resty-core-* lua-resty-core-$ver || exit 1 mv openresty-lua-resty-core-* lua-resty-core-$ver || exit 1
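Review bot: The extracted module directory changes name in the `@@ -681,30 +669,10 @@` hunk — the new side ends with `mv openresty-ngx_http_redis-* ngx_http_redis-$ver`, where the old side produced `redis-nginx-module-$ver` — so any later configure or add-module step that still expects `redis-nginx-module-*` would fail; that consumer is outside this diff, so it needs confirming rather than assuming. The new `$root/util/get-tarball "https://github.com/openresty/ngx_http_redis/tarball/v$ver"` line fetches a tag archive and only checks the exit status; a tag can be moved, so pinning a commit or comparing a known checksum after the download would make the build reproducible and catch a replaced archive. The neighbouring module downloads follow the same unchecked pattern, but this hunk is the natural place to start. Separately, the `@@ -513,18 +513,6 @@` hunk's right-hand side drops the block that applied `nginx-CVE-2024-24989.patch` and `nginx-CVE-2024-24990.patch` on top of 1.25.3, and both patch files are deleted earlier in this compare; if that side is the state actually being built, confirm those fixes are carried some other way.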


@@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
main_ver=1.25.3 main_ver=1.25.3
minor_ver=2 minor_ver=1
version=$main_ver.$minor_ver version=$main_ver.$minor_ver
echo $version echo $version