[nginx] SSL: fixed possible configuration overwrite loading "engine:" keys.

Sergey Kandaurov Fri, 03 May 2024 09:30:50 -0700

details:   https://hg.nginx.org/nginx/rev/c4792b0f1976
branches:  
changeset: 9245:c4792b0f1976
user:      Sergey Kandaurov <pluk...@nginx.com>
date:      Fri May 03 20:29:01 2024 +0400
description:
SSL: fixed possible configuration overwrite loading "engine:" keys.


When loading certificate keys via ENGINE_load_private_key() in runtime,
it was possible to overwrite configuration on ENGINE_by_id() failure.
OpenSSL documention doesn't describe errors in details, the only reason
I found in the comment to example is when the engine is not available.

diffstat:

 src/event/ngx_event_openssl.c |  4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diffs (19 lines):

diff -r 690f46d3bc1f -r c4792b0f1976 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c     Fri May 03 20:28:32 2024 +0400
+++ b/src/event/ngx_event_openssl.c     Fri May 03 20:29:01 2024 +0400
@@ -764,13 +764,13 @@ ngx_ssl_load_certificate_key(ngx_pool_t 
 
         engine = ENGINE_by_id((char *) p);
 
+        *last++ = ':';
+
         if (engine == NULL) {
             *err = "ENGINE_by_id() failed";
             return NULL;
         }
 
-        *last++ = ':';
-
         pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
 
         if (pkey == NULL) {
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel

[nginx] SSL: fixed possible configuration overwrite loading "engine:" keys.

Reply via email to