[PATCH] Add ENGINE_init/finish directives around ENGINE_load_private_key.

Bradley Hess bdhess at google.com
Tue Dec 7 16:45:01 UTC 2021


# HG changeset patch
# User Bradley Hess <bdhess at google.com>
# Date 1638894138 18000
#      Tue Dec 07 11:22:18 2021 -0500
# Node ID c3ec7674556519a9068c4e7a9f6279bbff6c3d31
# Parent  a7a77549265ef46f1f0fdb3897f4beabf9e09c40
Add ENGINE_init/finish directives around ENGINE_load_private_key.

ENGINE_by_id creates a "structural reference" to an engine; for
actually performing cryptography, this ought to be a "functional
reference" per those two topics in the OpenSSL docs:
https://www.openssl.org/docs/man1.1.1/man3/ENGINE_load_private_key.html

Unlike the default OpenSSL engine, the OpenSC PKCS #11 engine cannot
load a private key if it is not first initialized.

diff -r a7a77549265e -r c3ec76745565 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Thu Nov 25 22:02:10 2021 +0300
+++ b/src/event/ngx_event_openssl.c Tue Dec 07 11:22:18 2021 -0500
@@ -734,16 +734,24 @@
             return NULL;
         }

+        if (!ENGINE_init(engine)) {
+            *err = "ENGINE_init() failed";
+            ENGINE_free(engine);
+            return NULL;
+        }
+
         *last++ = ':';

         pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);

         if (pkey == NULL) {
             *err = "ENGINE_load_private_key() failed";
+            ENGINE_finish(engine);
             ENGINE_free(engine);
             return NULL;
         }

+        ENGINE_finish(engine);
         ENGINE_free(engine);

         return pkey;
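
Review bot: the new ENGINE_init() failure branch returns before `*last++ = ':';` runs, so on that path the ':' is never written back into the string `last` points into, while the ENGINE_load_private_key() failure path returns after it has been written. If that assignment restores a separator overwritten earlier in the function (that code is outside this hunk), move the ENGINE_init() block below `*last++ = ':';` so a failed init does not leave the key string modified. Separately, the pair `ENGINE_finish(engine); ENGINE_free(engine);` now appears on both the failure and the success path after the load; calling it once directly after ENGINE_load_private_key() and then testing `pkey` would keep the release of the functional and structural references in one place.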

