[nginx] SSL: fixed possible segfault with dynamic certificates.

Maxim Dounin mdounin at mdounin.ru
Mon Feb 25 18:35:37 UTC 2019


details:   https://hg.nginx.org/nginx/rev/48c87377aabd
branches:  
changeset: 7466:48c87377aabd
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Mon Feb 25 21:16:26 2019 +0300
description:
SSL: fixed possible segfault with dynamic certificates.

A virtual server may have no SSL context if it does not have certificates
defined, so we have to use config of the ngx_http_ssl_module from the
SSL context in the certificate callback.  To do so, it is now passed as
the argument of the callback.

The stream module doesn't really need any changes, but was modified as
well to match http code.

diffstat:

 src/http/modules/ngx_http_ssl_module.c |  2 +-
 src/http/ngx_http_request.c            |  2 +-
 src/stream/ngx_stream_ssl_module.c     |  4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diffs (45 lines):

diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -741,7 +741,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
 
         /* install callback to lookup certificates */
 
-        SSL_CTX_set_cert_cb(conf->ssl.ctx, ngx_http_ssl_certificate, NULL);
+        SSL_CTX_set_cert_cb(conf->ssl.ctx, ngx_http_ssl_certificate, conf);
 
 #else
         ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
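Review bot: The comment above `SSL_CTX_set_cert_cb(conf->ssl.ctx, ngx_http_ssl_certificate, conf);` does not say that `conf` is now the callback's only source of configuration, or that the SSL context retains this raw pointer and hands it back on later handshakes. I would extend it to something like `/* install callback to lookup certificates; conf is passed as its argument and must outlive conf->ssl.ctx */`. Whether that lifetime holds depends on how `conf` and the context are allocated and released, which is outside this hunk, so it is worth confirming. The same applies to the registration in ngx_stream_ssl_merge_conf in the last hunk. The enclosing function starts and ends outside the hunk.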
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -973,7 +973,7 @@ ngx_http_ssl_certificate(ngx_ssl_conn_t 
 
     r->logged = 1;
 
-    sscf = ngx_http_get_module_srv_conf(r, ngx_http_ssl_module);
+    sscf = arg;
 
     nelts = sscf->certificate_values->nelts;
     certs = sscf->certificate_values->elts;
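Review bot: `sscf = arg;` is dereferenced on the next line with no comment explaining why the request's own server configuration is no longer used, which invites a later revert to `ngx_http_get_module_srv_conf()` and the crash this commit fixes. A short comment such as `/* use the config the callback was installed with; the selected virtual server may have no SSL context */` would record the reason given in the commit message. The callback also now relies on every `SSL_CTX_set_cert_cb()` registration passing a non-NULL configuration whose `certificate_values` is set. The registration changed in this commit passes `conf`, but whether `certificate_values` is guaranteed at that point is not visible here. The same comment applies to `sslcf = arg;` in ngx_stream_ssl_certificate, and the function body continues outside the hunk.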
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -434,7 +434,7 @@ ngx_stream_ssl_certificate(ngx_ssl_conn_
 
     s = c->data;
 
-    sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module);
+    sslcf = arg;
 
     nelts = sslcf->certificate_values->nelts;
     certs = sslcf->certificate_values->elts;
@@ -692,7 +692,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf
 
         /* install callback to lookup certificates */
 
-        SSL_CTX_set_cert_cb(conf->ssl.ctx, ngx_stream_ssl_certificate, NULL);
+        SSL_CTX_set_cert_cb(conf->ssl.ctx, ngx_stream_ssl_certificate, conf);
 
 #else
         ngx_log_error(NGX_LOG_EMERG, cf->log, 0,

