# HG changeset patch
# User Bradley Hess <bdhess@google.com>
# Date 1638894138 18000
# Tue Dec 07 11:22:18 2021 -0500
# Node ID c3ec7674556519a9068c4e7a9f6279bbff6c3d31
# Parent a7a77549265ef46f1f0fdb3897f4beabf9e09c40
Add ENGINE_init/finish directives around ENGINE_load_private_key.

ENGINE_by_id creates a "structural reference" to an engine; for
actually performing cryptography, this ought to be a "functional
reference" per those two topics in the OpenSSL docs:
https://www.openssl.org/docs/man1.1.1/man3/ENGINE_load_private_key.html

Unlike the default OpenSSL engine, the OpenSC PKCS #11 engine cannot
load a private key if it is not first initialized.

diff -r a7a77549265e -r c3ec76745565 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Thu Nov 25 22:02:10 2021 +0300
+++ b/src/event/ngx_event_openssl.c Tue Dec 07 11:22:18 2021 -0500
@@ -734,16 +734,24 @@
return NULL;
}

+ if (!ENGINE_init(engine)) {
+ *err = "ENGINE_init() failed";
+ ENGINE_free(engine);
+ return NULL;
+ }
+
*last++ = ':';

pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);

if (pkey == NULL) {
*err = "ENGINE_load_private_key() failed";
+ ENGINE_finish(engine);
ENGINE_free(engine);
return NULL;
}

+ ENGINE_finish(engine);
ENGINE_free(engine);

return pkey;
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel