[PATCH] SSL: fixed possible configuration overwrite loading "engine:" keys
Sergey Kandaurov
pluknet at nginx.com
Fri May 3 00:28:17 UTC 2024
# HG changeset patch
# User Sergey Kandaurov <pluknet at nginx.com>
# Date 1714670294 -14400
# Thu May 02 21:18:14 2024 +0400
# Node ID e00aeabf2b29b891891fd150a01c82b0763c57c0
# Parent 49dce50fad40bf09db81ca2a35983ecd7b740e43
SSL: fixed possible configuration overwrite loading "engine:" keys.
When loading certificate keys via ENGINE_load_private_key() in runtime,
it was possible to overwrite configuration on ENGINE_by_id() failure.
OpenSSL documention doesn't describe errors in details, the only reason
I found in the comment to example is when the engine is not available.
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -764,13 +764,13 @@ ngx_ssl_load_certificate_key(ngx_pool_t
engine = ENGINE_by_id((char *) p);
+ *last++ = ':';
+
if (engine == NULL) {
*err = "ENGINE_by_id() failed";
return NULL;
}
- *last++ = ':';
-
pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
if (pkey == NULL) {
More information about the nginx-devel
mailing list