<div dir="ltr"><div>Hello Maxim,</div><div><br></div>Ah, well that explains why a patch like this has never been upstreamed, even though it exists in a bunch of places on the interwebz. Sorry, I didn't do enough archeology here.<div><br></div><div><div>I didn't realize the `init = 1` workaround existed, so thanks for the pointer there. However, it would be ideal if users could use OpenSSL's dynamic engine loading, and avoid authoring an OpenSSL config file.</div><div><br></div></div><div>From the description in the issue you linked, it looks like the patch was removed for OpenSSL 1.0.x compatibility. Would you accept a patch that supplies the init/finish directives only if the OpenSSL version >= 1.1.0?<br></div><div><br></div><div>At this point many distros have OpenSSL 1.1 and a fixed PKCS #11 engine; for example, the patch I submitted worked smoothly with OpenSSL 1.1 and the PKCS #11 engine available on Debian 11, and without any engine config.</div><div><br></div><div>Thanks a bunch,</div><div>Brad</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Dec 7, 2021 at 2:28 PM Maxim Dounin <<a href="mailto:mdounin@mdounin.ru">mdounin@mdounin.ru</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello!<br>
<br>
On Tue, Dec 07, 2021 at 11:45:01AM -0500, Bradley Hess wrote:<br>
<br>
> # HG changeset patch<br>
> # User Bradley Hess <<a href="mailto:bdhess@google.com" target="_blank">bdhess@google.com</a>><br>
> # Date 1638894138 18000<br>
> # Tue Dec 07 11:22:18 2021 -0500<br>
> # Node ID c3ec7674556519a9068c4e7a9f6279bbff6c3d31<br>
> # Parent a7a77549265ef46f1f0fdb3897f4beabf9e09c40<br>
> Add ENGINE_init/finish directives around ENGINE_load_private_key.<br>
> <br>
> ENGINE_by_id creates a "structural reference" to an engine; for<br>
> actually performing cryptography, this ought to be a "functional<br>
> reference" per those two topics in the OpenSSL docs:<br>
> <a href="https://www.openssl.org/docs/man1.1.1/man3/ENGINE_load_private_key.html" rel="noreferrer" target="_blank">https://www.openssl.org/docs/man1.1.1/man3/ENGINE_load_private_key.html</a><br>
> <br>
> Unlike the default OpenSSL engine, the OpenSC PKCS #11 engine cannot<br>
> load a private key if it is not first initialized.<br>
> <br>
> diff -r a7a77549265e -r c3ec76745565 src/event/ngx_event_openssl.c<br>
> --- a/src/event/ngx_event_openssl.c Thu Nov 25 22:02:10 2021 +0300<br>
> +++ b/src/event/ngx_event_openssl.c Tue Dec 07 11:22:18 2021 -0500<br>
> @@ -734,16 +734,24 @@<br>
> return NULL;<br>
> }<br>
> <br>
> + if (!ENGINE_init(engine)) {<br>
> + *err = "ENGINE_init() failed";<br>
> + ENGINE_free(engine);<br>
> + return NULL;<br>
> + }<br>
> +<br>
> *last++ = ':';<br>
> <br>
> pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);<br>
> <br>
> if (pkey == NULL) {<br>
> *err = "ENGINE_load_private_key() failed";<br>
> + ENGINE_finish(engine);<br>
> ENGINE_free(engine);<br>
> return NULL;<br>
> }<br>
> <br>
> + ENGINE_finish(engine);<br>
> ENGINE_free(engine);<br>
> <br>
> return pkey;<br>
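Review bot: the ENGINE_finish() added on the success path, just before the final ENGINE_free(), releases the functional reference the moment ENGINE_load_private_key() returns, while the returned pkey is handed back to the caller and stays in use after this function exits. Whether that is safe depends entirely on the engine's load_privkey callback taking its own functional reference for the key it hands out; an engine that does not will be finished (its finish callback run) underneath a live key, which would be consistent with the immediate segfault reported for the earlier, similar patch. Either keep the functional reference alive for as long as pkey is used (for example by not releasing it on the success path, since ENGINE_init() also holds its own structural reference so the engine stays initialized), or state in the commit message which engine versions were verified to take their own reference. The error paths are ordered correctly as written: ENGINE_finish() before ENGINE_free() after a failed load, and only ENGINE_free() after a failed ENGINE_init().<br>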
<br>
Previously, a similar patch was rejected, because it caused an <br>
immediate segfault for most affected users, see here:<br>
<br>
<a href="http://mailman.nginx.org/pipermail/nginx-devel/2018-May/011149.html" rel="noreferrer" target="_blank">http://mailman.nginx.org/pipermail/nginx-devel/2018-May/011149.html</a><br>
<br>
If you think that things have changed since then, you may want to <br>
elaborate.<br>
<br>
-- <br>
Maxim Dounin<br>
<a href="http://mdounin.ru/" rel="noreferrer" target="_blank">http://mdounin.ru/</a><br>
_______________________________________________<br>
nginx-devel mailing list<br>
<a href="mailto:nginx-devel@nginx.org" target="_blank">nginx-devel@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx-devel" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx-devel</a><br>
</blockquote></div>
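<p>The <code>init = 1</code> workaround Brad refers to above is an OpenSSL configuration file that loads and initializes the PKCS #11 engine while libcrypto processes its config, so the engine already holds a functional reference by the time nginx calls ENGINE_load_private_key() on the structural reference from ENGINE_by_id(). The file below is an added illustration, not something posted in the thread or shipped with nginx; the file name, the engine path and the PKCS #11 module path are assumptions (the paths are where the Debian 11 amd64 libengine-pkcs11-openssl and opensc packages install them) and must be adjusted for the host.</p>

```ini
# Assumed file name: /etc/nginx/openssl.cnf (added example, not from the thread).
# libcrypto reads the file named by OPENSSL_CONF when nginx initializes OpenSSL
# (nginx built against OpenSSL 1.1 calls OPENSSL_init_ssl() with
# OPENSSL_INIT_LOAD_CONFIG), so export OPENSSL_CONF=/etc/nginx/openssl.cnf
# in the environment nginx is started from.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
# Name looked up by ENGINE_by_id(), i.e. the "pkcs11" in nginx's
# ssl_certificate_key engine:pkcs11:... value.
engine_id = pkcs11
# libp11's OpenSSL engine shim, loaded through the "dynamic" engine
# (assumed Debian 11 amd64 path).
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
# PKCS #11 module the engine talks to; must be set before init, because
# engine initialization is what loads the module (assumed OpenSC path).
MODULE_PATH = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
# Initialize the engine right here, during config load. Without this line
# OpenSSL initializes the engine after the section is processed anyway;
# init = 0 would suppress it. The functional reference taken here is never
# released, so nginx's later ENGINE_load_private_key() works without the
# ENGINE_init() the patch in the thread adds.
init = 1
```

<p>With the engine initialized this way, the nginx side stays the stock syntax from the code in the hunk, <code>ssl_certificate_key engine:pkcs11:&lt;id&gt;;</code>, where everything after the second colon is passed verbatim to the engine as the key id; for libp11 that can be a PKCS #11 URI such as <code>pkcs11:token=nginx;object=tls-key;type=private</code> (the token and object names here are made up for the example). A quick check that the config is being picked up, before touching nginx, is <code>OPENSSL_CONF=/etc/nginx/openssl.cnf openssl engine -t pkcs11</code>, which reports the engine as available only if initialization, and therefore the module load, succeeded.</p>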