details: https://hg.nginx.org/nginx/rev/c4792b0f1976 branches: changeset: 9245:c4792b0f1976 user: Sergey Kandaurov <pluk...@nginx.com> date: Fri May 03 20:29:01 2024 +0400 description: SSL: fixed possible configuration overwrite loading "engine:" keys.
When loading certificate keys via ENGINE_load_private_key() in runtime, it was possible to overwrite configuration on ENGINE_by_id() failure. OpenSSL documention doesn't describe errors in details, the only reason I found in the comment to example is when the engine is not available. diffstat: src/event/ngx_event_openssl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diffs (19 lines): diff -r 690f46d3bc1f -r c4792b0f1976 src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c Fri May 03 20:28:32 2024 +0400 +++ b/src/event/ngx_event_openssl.c Fri May 03 20:29:01 2024 +0400 @@ -764,13 +764,13 @@ ngx_ssl_load_certificate_key(ngx_pool_t engine = ENGINE_by_id((char *) p); + *last++ = ':'; + if (engine == NULL) { *err = "ENGINE_by_id() failed"; return NULL; } - *last++ = ':'; - pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0); if (pkey == NULL) { _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx-devel