[PATCH] SSL: Add ENGINE_init() calls before using engines.

Anderson Sasaki ansasaki at redhat.com
Fri Apr 27 15:27:57 UTC 2018


Hello,

> > > In my opinion it would be better to have nginx working with engines in
> > > both scenarios.
> > > And is not a problem to call ENGINE_init() from multiple places, since
> > > the API takes care of this case.
> > 
> > I'll check these statements in your next patch, but for now it
> > seems an odd functionality to me, because we have openssl config
> > and even nginx ssl_engine directive for that.
> 
> Note that the "ssl_engine" directive is not to initialize engines,
> but rather to register an engine as the default one for operations it
> supports.  It is designed to make it possible to work with various
> SSL accelerators.

I believe this patch does not affect the "ssl_engine" directive anymore.
I removed everything I could to make the patch minimal. And changed the log message to be more specific.
I will send the other changes in a new thread.

The patch follows:

# HG changeset patch
# User Anderson Toshiyuki Sasaki <ansasaki at redhat.com>
# Date 1524841096 -7200
#      Fri Apr 27 16:58:16 2018 +0200
# Node ID f5b0a791092224ff5d3eaf4da9a95e6018e7235f
# Parent  46c0c7ef4913011f3f1e073f9ac880b07b1a8154
SSL: Add ENGINE_init() call before loading key.
It is necessary to call ENGINE_init() before using an OpenSSL engine
to get the engine functional reference. Without this, when
ENGINE_load_private_key() is called, the engine is still uninitialized.

diff -r 46c0c7ef4913 -r f5b0a7910922 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Wed Apr 25 14:57:24 2018 +0300
+++ b/src/event/ngx_event_openssl.c	Fri Apr 27 16:58:16 2018 +0200
@@ -527,6 +527,13 @@
             return NGX_ERROR;
         }
 
+        if (!ENGINE_init(engine)) {
+            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                          "ENGINE_init(engine) failed");
+            ENGINE_free(engine);
+            return NGX_ERROR;
+        }
+
         *last++ = ':';
 
         pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
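
Review bot: The ENGINE_init(engine) added ahead of ENGINE_load_private_key() takes a functional reference, and nothing in the visible hunk releases it. ENGINE_free() drops only the structural reference, so the code following ENGINE_load_private_key(), on both the failure return and the normal path, should call ENGINE_finish(engine) before ENGINE_free(engine); otherwise each key load leaks one functional reference and the engine is never shut down cleanly. The ENGINE_free()-only cleanup in the ENGINE_init() failure branch is correct as written, since no functional reference was obtained there.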

