[PATCH] Add ENGINE_init/finish directives around ENGINE_load_private_key.
Maxim Dounin
mdounin at mdounin.ru
Tue Dec 7 19:27:59 UTC 2021
Hello!
On Tue, Dec 07, 2021 at 11:45:01AM -0500, Bradley Hess wrote:
> # HG changeset patch
> # User Bradley Hess <bdhess at google.com>
> # Date 1638894138 18000
> # Tue Dec 07 11:22:18 2021 -0500
> # Node ID c3ec7674556519a9068c4e7a9f6279bbff6c3d31
> # Parent a7a77549265ef46f1f0fdb3897f4beabf9e09c40
> Add ENGINE_init/finish directives around ENGINE_load_private_key.
>
> ENGINE_by_id creates a "structural reference" to an engine; for
> actually performing cryptography, this ought to be a "functional
> reference" per those two topics in the OpenSSL docs:
> https://www.openssl.org/docs/man1.1.1/man3/ENGINE_load_private_key.html
>
> Unlike the default OpenSSL engine, the OpenSC PKCS #11 engine cannot
> load a private key if it is not first initialized.
>
> diff -r a7a77549265e -r c3ec76745565 src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c Thu Nov 25 22:02:10 2021 +0300
> +++ b/src/event/ngx_event_openssl.c Tue Dec 07 11:22:18 2021 -0500
> @@ -734,16 +734,24 @@
> return NULL;
> }
>
> + if (!ENGINE_init(engine)) {
> + *err = "ENGINE_init() failed";
> + ENGINE_free(engine);
> + return NULL;
> + }
> +
> *last++ = ':';
>
> pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
>
> if (pkey == NULL) {
> *err = "ENGINE_load_private_key() failed";
> + ENGINE_finish(engine);
> ENGINE_free(engine);
> return NULL;
> }
>
> + ENGINE_finish(engine);
> ENGINE_free(engine);
>
> return pkey;
Previously, a similar patch was rejected, because it caused an
immediate segfault for most affected users, see here:
http://mailman.nginx.org/pipermail/nginx-devel/2018-May/011149.html
If you think that things have changed since then, you may want to
elaborate.
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx-devel
mailing list