From a6097d4edc9e06c9e4105ba7ede726978efda87d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=80=97=E5=AD=90?=
Date: Fri, 18 Apr 2025 03:53:14 +0800
Subject: [PATCH] fix: remove unnecessary CVE-2025-23419 patch

---
 patches/nginx-1.27.5-CVE-2025-23419.patch | 87 -----------------------
 1 file changed, 87 deletions(-)
 delete mode 100644 patches/nginx-1.27.5-CVE-2025-23419.patch

diff --git a/patches/nginx-1.27.5-CVE-2025-23419.patch b/patches/nginx-1.27.5-CVE-2025-23419.patch
deleted file mode 100644
index dc692bf..0000000
--- a/patches/nginx-1.27.5-CVE-2025-23419.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
-index 3cca57cf5..9593b7fb5 100644
---- a/src/http/ngx_http_request.c
-+++ b/src/http/ngx_http_request.c
-@@ -932,6 +932,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
- goto done;
- }
-
-+ sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
-+
-+#if (defined TLS1_3_VERSION \
-+ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
-+
-+ /*
-+ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
-+ * but servername being negotiated in every TLSv1.3 handshake
-+ * is only returned in OpenSSL 1.1.1+ as well
-+ */
-+
-+ if (sscf->verify) {
-+ const char *hostname;
-+
-+ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
-+
-+ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
-+ c->ssl->handshake_rejected = 1;
-+ *ad = SSL_AD_ACCESS_DENIED;
-+ return SSL_TLSEXT_ERR_ALERT_FATAL;
-+ }
-+ }
-+
-+#endif
-+
- hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
- if (hc->ssl_servername == NULL) {
- goto error;
-@@ -945,8 +970,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
-
- ngx_set_connection_log(c, clcf->error_log);
-
-- sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
--
- c->ssl->buffer_size = sscf->buffer_size;
-
- if (sscf->ssl.ctx) {
-diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
-index ba444776a..6dee106de 100644
---- a/src/stream/ngx_stream_ssl_module.c
-+++ b/src/stream/ngx_stream_ssl_module.c
-@@ -521,12 +521,35 @@ ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
- goto done;
- }
-
-+ sscf = ngx_stream_get_module_srv_conf(cscf->ctx, ngx_stream_ssl_module);
-+
-+#if (defined TLS1_3_VERSION \
-+ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
-+
-+ /*
-+ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
-+ * but servername being negotiated in every TLSv1.3 handshake
-+ * is only returned in OpenSSL 1.1.1+ as well
-+ */
-+
-+ if (sscf->verify) {
-+ const char *hostname;
-+
-+ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
-+
-+ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
-+ c->ssl->handshake_rejected = 1;
-+ *ad = SSL_AD_ACCESS_DENIED;
-+ return SSL_TLSEXT_ERR_ALERT_FATAL;
-+ }
-+ }
-+
-+#endif
-+
- s->srv_conf = cscf->ctx->srv_conf;
-
- ngx_set_connection_log(c, cscf->error_log);
-
-- sscf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module);
--
- if (sscf->ssl.ctx) {
- if (SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx) == NULL) {
- goto error;