Re: [PATCH] SSL: fixed possible configuration overwrite loading "engine:" keys

Roman Arutyunyan Fri, 03 May 2024 09:15:59 -0700

Hi,

On Fri, May 03, 2024 at 04:28:17AM +0400, Sergey Kandaurov wrote:
> # HG changeset patch
> # User Sergey Kandaurov <pluk...@nginx.com>
> # Date 1714670294 -14400
> #      Thu May 02 21:18:14 2024 +0400
> # Node ID e00aeabf2b29b891891fd150a01c82b0763c57c0
> # Parent  49dce50fad40bf09db81ca2a35983ecd7b740e43
> SSL: fixed possible configuration overwrite loading "engine:" keys.
> 
> When loading certificate keys via ENGINE_load_private_key() in runtime,
> it was possible to overwrite configuration on ENGINE_by_id() failure.
> OpenSSL documention doesn't describe errors in details, the only reason
> I found in the comment to example is when the engine is not available.
> 
> diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c
> +++ b/src/event/ngx_event_openssl.c
> @@ -764,13 +764,13 @@ ngx_ssl_load_certificate_key(ngx_pool_t 
>  
>          engine = ENGINE_by_id((char *) p);
>  
> +        *last++ = ':';
> +
>          if (engine == NULL) {
>              *err = "ENGINE_by_id() failed";
>              return NULL;
>          }
>  
> -        *last++ = ':';
> -
>          pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
>  
>          if (pkey == NULL) {
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx-devel


Looks ok

--
Roman Arutyunyan
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel

Re: [PATCH] SSL: fixed possible configuration overwrite loading "engine:" keys

Reply via email to