Hi, On Fri, May 03, 2024 at 04:28:17AM +0400, Sergey Kandaurov wrote: > # HG changeset patch > # User Sergey Kandaurov <pluk...@nginx.com> > # Date 1714670294 -14400 > # Thu May 02 21:18:14 2024 +0400 > # Node ID e00aeabf2b29b891891fd150a01c82b0763c57c0 > # Parent 49dce50fad40bf09db81ca2a35983ecd7b740e43 > SSL: fixed possible configuration overwrite loading "engine:" keys. > > When loading certificate keys via ENGINE_load_private_key() in runtime, > it was possible to overwrite configuration on ENGINE_by_id() failure. > OpenSSL documentation doesn't describe errors in detail, the only reason > I found in the comment to example is when the engine is not available. > > diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c > --- a/src/event/ngx_event_openssl.c > +++ b/src/event/ngx_event_openssl.c > @@ -764,13 +764,13 @@ ngx_ssl_load_certificate_key(ngx_pool_t > > engine = ENGINE_by_id((char *) p); > > + *last++ = ':'; > + > if (engine == NULL) { > *err = "ENGINE_by_id() failed"; > return NULL; > } > > - *last++ = ':'; > - > pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0); > > if (pkey == NULL) { > _______________________________________________ > nginx-devel mailing list > nginx-devel@nginx.org > https://mailman.nginx.org/mailman/listinfo/nginx-devel
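Review bot: the moved `*last++ = ':';` directly after `engine = ENGINE_by_id((char *) p);` has no comment, yet its position ahead of the `engine == NULL` check is now what leaves the key string intact on the `"ENGINE_by_id() failed"` return. A one-line comment there, saying that the separator is restored before any return path, would keep a later cleanup from moving it back beside `ENGINE_load_private_key()`, where it reads as part of computing the key id. The code that splits the string at `p` and `last` is outside the visible context, so it is worth confirming in the full function that no other return sits between that split and this restore.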
Looks ok -- Roman Arutyunyan