[PATCH 1 of 1] allow to use engine keyform for server private key

Maxim Dounin mdounin at mdounin.ru
Tue Jul 29 15:40:24 UTC 2014


Hello!

On Tue, Jul 29, 2014 at 07:11:27PM +0400, Dmitrii Pichulin wrote:

> # HG changeset patch
> # User Dmitrii Pichulin
> # Date 1406644835 -14400
> #      Tue Jul 29 18:40:35 2014 +0400
> # Node ID b5f409eef2ed6832eead4c53855f91fb90ee099b
> # Parent  d1bde5c3c5d21368de04a59506a06c1174353a19
> allow to use engine keyform for server private key
> 
> diff -r d1bde5c3c5d2 -r b5f409eef2ed src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c	Mon Jul 28 18:30:19 2014 +0400
> +++ b/src/event/ngx_event_openssl.c	Tue Jul 29 18:40:35 2014 +0400
> @@ -265,8 +265,11 @@
>  ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
>      ngx_str_t *key, ngx_array_t *passwords)
>  {
> +    char        *p, *last;
>      BIO         *bio;
>      X509        *x509;
> +    ENGINE      *engine;
> +    EVP_PKEY    *private_key;
>      u_long       n;
>      ngx_str_t   *pwd;
>      ngx_uint_t   tries;
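Review bot: the new `ENGINE *engine;` and `EVP_PKEY *private_key;` declarations are unconditional, but the ENGINE API does not exist when OpenSSL is built with OPENSSL_NO_ENGINE, so these (and the whole `engine:` branch they serve) need an `#ifndef OPENSSL_NO_ENGINE` guard to keep such builds compiling. Smaller style point: `char *p, *last;` is what later forces the `(char *) key->data` cast; nginx keeps string data as `u_char *` (`ngx_str_t.data` is `u_char *`), so `u_char *p, *last;` with the cast moved to the `ENGINE_by_id()` / `ENGINE_load_private_key()` call sites would match the file's conventions.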
> @@ -352,6 +355,54 @@
>  
>      BIO_free(bio);
>  
> +    if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {
> +
> +        p = (char *) key->data + sizeof("engine:") - 1;
> +        last = ngx_strchr(p, ':');
> +
> +        if (last == NULL) {
> +            ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "invalid syntax: %V", key);
> +            return NGX_ERROR;
> +        }
> +
> +        p[last - p] = '\0';
> +        last++;
> +
> +        engine = ENGINE_by_id(p);
> +
> +        if (engine == NULL) {
> +            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
> +                          "ENGINE_by_id(\"%s\") failed", p);
> +            return NGX_ERROR;
> +        }
> +
> +        private_key = ENGINE_load_private_key(engine, last, 0, 0);
> +        
> +        if (ENGINE_free(engine) == 0) {
> +            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "ENGINE_free() failed");
> +            if (private_key)
> +                EVP_PKEY_free(private_key);

Style: curly brackets are always used with if's.

> +            return NGX_ERROR;
> +        }
> +
> +        if (private_key == NULL) {
> +            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
> +                          "ENGINE_load_private_key(\"%s\") failed", last);
> +            return NGX_ERROR;
> +        }

As previously suggested, it's a bad idea to check/log errors after 
calling other functions which may modify the error stack.

> +
> +        if (SSL_CTX_use_PrivateKey(ssl->ctx, private_key) == 0) {
> +            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
> +                          "SSL_CTX_use_PrivateKey_file(\"%s\") failed", last);

Wrong function name logged.

> +            EVP_PKEY_free(private_key);
> +            return NGX_ERROR;
> +        }
> +
> +        EVP_PKEY_free(private_key);
> +
> +        return NGX_OK;
> +    }
> +
>      if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) {
>          return NGX_ERROR;
>      }
> 
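Review bot: nothing in this hunk initialises the engine before `ENGINE_load_private_key(engine, last, 0, 0)`; `ENGINE_by_id()` only hands back a structural reference, and OpenSSL refuses `ENGINE_load_private_key()` on an engine without a functional reference (ENGINE_R_NOT_INITIALISED), so this path only works when the same engine was already initialised elsewhere (for example by the `ssl_engine` directive). Either wrap the load in `ENGINE_init()` / `ENGINE_finish()` or state that dependency in the commit message. Two smaller points: `p[last - p] = '\0';` is an obscure spelling of `*last = '\0';` (it also writes into `key->data` in place, which is only safe because the branch returns before `key` is used again), and the blank line after the `ENGINE_load_private_key()` call carries trailing whitespace.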
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel

-- 
Maxim Dounin
http://nginx.org/