SSL engine support bug
Igor Sysoev
is at rambler-co.ru
Thu Feb 12 19:00:56 MSK 2009
On Thu, Feb 12, 2009 at 04:03:16PM +0100, Marcin Gozdalik wrote:
> I believe I found a bug in the order of initialization of OpenSSL. The RSA
> keys are initialized (RSA_new called) in SSL_CTX_use_certificate_chain_file
> which is called from ngx_ssl_certificate which in turn is called from
> ngx_conf_parse at src/core/ngx_conf_file.c:237. The ssl_engine is however
> parsed in ngx_openssl_init_conf which is called later. Therefore the created
> RSA keys in SSL contexts use the built-in RSA_METHOD and not the one
> provided by loaded engine.
> I don't have enough knowledge of nginx so I can't propose a solution, but the
> obvious thing would be to change the order of parsing of those directives
> (either load the engine earlier or load the SSL certificate and key later).
Try the attached patch.
--
Igor Sysoev
http://sysoev.ru/en/
-------------- next part --------------
Index: src/event/ngx_event_openssl.c
===================================================================
--- src/event/ngx_event_openssl.c (revision 1822)
+++ src/event/ngx_event_openssl.c (working copy)
@@ -10,7 +10,7 @@
typedef struct {
- ngx_str_t engine;
+ ngx_uint_t engine; /* unsingned engine:1; */
} ngx_openssl_conf_t;
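Review bot: The comment added beside the new `engine` field misspells `unsigned` (`/* unsingned engine:1; */`) and, since the field is now only a "directive already seen" flag (it is tested and then set to 1 in the ngx_openssl_engine hunk below), the comment would be more useful saying that than sketching a bitfield. Suggested line: `ngx_uint_t engine; /* unsigned engine:1; set once ssl_engine has been parsed */`.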
@@ -37,26 +37,17 @@
ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel);
static void *ngx_openssl_create_conf(ngx_cycle_t *cycle);
-static char *ngx_openssl_init_conf(ngx_cycle_t *cycle, void *conf);
+static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
static void ngx_openssl_exit(ngx_cycle_t *cycle);
-#if !(NGX_SSL_ENGINE)
-static char *ngx_openssl_noengine(ngx_conf_t *cf, ngx_command_t *cmd,
- void *conf);
-#endif
-
static ngx_command_t ngx_openssl_commands[] = {
{ ngx_string("ssl_engine"),
NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE1,
-#if (NGX_SSL_ENGINE)
- ngx_conf_set_str_slot,
-#else
- ngx_openssl_noengine,
-#endif
+ ngx_openssl_engine,
0,
- offsetof(ngx_openssl_conf_t, engine),
+ 0,
NULL },
ngx_null_command
@@ -66,7 +57,7 @@
static ngx_core_module_t ngx_openssl_module_ctx = {
ngx_string("openssl"),
ngx_openssl_create_conf,
- ngx_openssl_init_conf
+ NULL
};
@@ -2113,8 +2104,7 @@
/*
* set by ngx_pcalloc():
*
- * oscf->engine.len = 0;
- * oscf->engine.data = NULL;
+ * oscf->engine = 0;
*/
return oscf;
@@ -2122,53 +2112,51 @@
static char *
-ngx_openssl_init_conf(ngx_cycle_t *cycle, void *conf)
+ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
#if (NGX_SSL_ENGINE)
ngx_openssl_conf_t *oscf = conf;
- ENGINE *engine;
+ ENGINE *engine;
+ ngx_str_t *value;
- if (oscf->engine.len == 0) {
- return NGX_CONF_OK;
+ if (oscf->engine) {
+ return "is duplicate";
}
- engine = ENGINE_by_id((const char *) oscf->engine.data);
+ oscf->engine = 1;
+ value = cf->args->elts;
+
+ engine = ENGINE_by_id((const char *) value[1].data);
+
if (engine == NULL) {
- ngx_ssl_error(NGX_LOG_WARN, cycle->log, 0,
- "ENGINE_by_id(\"%V\") failed", &oscf->engine);
+ ngx_ssl_error(NGX_LOG_WARN, cf->log, 0,
+ "ENGINE_by_id(\"%V\") failed", &value[1]);
return NGX_CONF_ERROR;
}
if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) {
- ngx_ssl_error(NGX_LOG_WARN, cycle->log, 0,
+ ngx_ssl_error(NGX_LOG_WARN, cf->log, 0,
"ENGINE_set_default(\"%V\", ENGINE_METHOD_ALL) failed",
- &oscf->engine);
+ &value[1]);
return NGX_CONF_ERROR;
}
ENGINE_free(engine);
-#endif
-
return NGX_CONF_OK;
-}
+#else
-#if !(NGX_SSL_ENGINE)
-
-static char *
-ngx_openssl_noengine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
-{
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
"\"ssl_engine\" directive is available only in "
"OpenSSL 0.9.7 and higher,");
return NGX_CONF_ERROR;
-}
#endif
+}
static void
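Review bot: Both failure paths in ngx_openssl_engine log with NGX_LOG_WARN but return NGX_CONF_ERROR, so a fatal configuration error (unknown engine id, or the engine refusing to become the default) is reported at warning level, whereas the `#else` branch of the same function uses NGX_LOG_EMERG for its configuration error; the two calls should read `ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,` so the severity matches the outcome. Separately, because the engine is now installed as the default when the directive is parsed rather than in an init_conf hook, the fix appears to rely on `ssl_engine` appearing in the configuration before any `ssl_certificate` directive that loads keys (the report describes those keys as being created during ngx_conf_parse); that ordering assumption is not visible in the code and deserves a comment above the `ENGINE_by_id` call, e.g. `/* installed at parse time so that keys loaded by later ssl_certificate directives use this engine's methods */`. The trailing `static void` context line belongs to the next function, whose body is outside this hunk.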