Changes - j0ke.net Open Build Service

Changes of Revision 3

[-] [+]	Changed	nginx.spec
@@ -15,7 +15,7 @@ Name: nginx Version: 1.4.7 -Release: 1 +Release: 2 Summary: Robust, small and high performance http and reverse proxy server Group: System Environment/Daemons @@ -62,11 +62,7 @@ # etc. Patch1: nginx-conf-0.7.x.patch Patch2: check_1.2.6+.patch - -# syslog patch, use syslog instead of nginx logfiles -#Patch2: nginx-syslog.patch -#Patch3: nginx-unix-sockets.diff -#Patch4: nginx-versiontilt.patch +Patch3: ngx-detect-heartbleed.patch %description Nginx [engine x] is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 @@ -80,7 +76,7 @@ %patch0 -p0 %patch1 -p0 %patch2 -p1 -# %patch3 -p1 +%patch3 -p0 #%patch4 -p1 %{__tar} zxvf %{SOURCE5} %{__tar} zxvf %{SOURCE9} @@ -216,6 +212,9 @@ %changelog +* Fri Apr 12 2014 Juergen Gotteswinter <jg@internetx.com> - 1.4.7-2 +- added patch to log heartbleed attacks + * Tue Apr 03 2014 Juergen Gotteswinter <jg@internetx.com> - 1.4.7-1 - bump to 1.4.7 x 1 @@ -15,7 +15,7 @@ 2 3 Name: nginx 4 Version: 1.4.7 5 -Release: 1 6 +Release: 2 7 Summary: Robust, small and high performance http and reverse proxy server 8 Group: System Environment/Daemons 9 10 @@ -62,11 +62,7 @@ 11 # etc. 12 Patch1: nginx-conf-0.7.x.patch 13 Patch2: check_1.2.6+.patch 14 - 15 -# syslog patch, use syslog instead of nginx logfiles 16 -#Patch2: nginx-syslog.patch 17 -#Patch3: nginx-unix-sockets.diff 18 -#Patch4: nginx-versiontilt.patch 19 +Patch3: ngx-detect-heartbleed.patch 20 21 %description 22 Nginx [engine x] is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 23 @@ -80,7 +76,7 @@ 24 %patch0 -p0 25 %patch1 -p0 26 %patch2 -p1 27 -# %patch3 -p1 28 +%patch3 -p0 29 #%patch4 -p1 30 %{__tar} zxvf %{SOURCE5} 31 %{__tar} zxvf %{SOURCE9} 32 @@ -216,6 +212,9 @@ 33 34 35 %changelog 36 +* Fri Apr 12 2014 Juergen Gotteswinter <jg@internetx.com> - 1.4.7-2 37 +- added patch to log heartbleed attacks 38 + 39 * Tue Apr 03 2014 Juergen Gotteswinter <jg@internetx.com> - 1.4.7-1 40 - bump to 1.4.7 41 42
[-] [+]	Added	ngx-detect-heartbleed.patch ^
@@ -0,0 +1,44 @@ +--- src/event/ngx_event_openssl.c ++++ src/event/ngx_event_openssl.c +@@ -18,6 +18,9 @@ typedef struct { + static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX x509_store); + static void ngx_ssl_info_callback(const ngx_ssl_conn_t ssl_conn, int where, + int ret); ++static void ngx_ssl_msg_callback( ++ int write_p, int version, int content_type, ++ const void buf, size_t len, SSL ssl, void log); + static void ngx_ssl_handshake_handler(ngx_event_t ev); + static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t c, int n); + static void ngx_ssl_write_handler(ngx_event_t wev); +@@ -244,6 +247,8 @@ ngx_ssl_create(ngx_ssl_t ssl, ngx_uint_t protocols, void data) + SSL_CTX_set_read_ahead(ssl->ctx, 1); + + SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); ++ SSL_CTX_set_msg_callback(ssl->ctx, ngx_ssl_msg_callback); ++ SSL_CTX_set_msg_callback_arg(ssl->ctx, ssl->log); + + return NGX_OK; + } +@@ -532,6 +537,22 @@ ngx_ssl_verify_callback(int ok, X509_STORE_CTX x509_store) + return 1; + } + ++static void ngx_ssl_msg_callback( ++ int write_p, int version, int content_type, ++ const void buf, size_t len, ngx_ssl_conn_t ssl, void log) ++{ ++ if (write_p == 0 && content_type == TLS1_RT_HEARTBEAT) { ++ unsigned char p = buf; ++ unsigned int payload; ++ ++ payload = (((unsigned int)(p[1])) << 8) \| ((unsigned int)(p[2])); ++ if (1 + 2 + payload + 16 > len) { ++ ngx_log_error(NGX_LOG_ALERT, ((ngx_log_t)log), 0, "Heartbleed attack detected"); ++ } ++ } ++ ++} ++ + + static void + ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret) \ No newline at end of file