Re: [PATCH 1 of 1] allow to use engine keyform for server private key

Maxim Dounin
July 29, 2014 11:42AM
Hello!

On Tue, Jul 29, 2014 at 07:11:27PM +0400, Dmitrii Pichulin wrote:

> # HG changeset patch
> # User Dmitrii Pichulin
> # Date 1406644835 -14400
> # Tue Jul 29 18:40:35 2014 +0400
> # Node ID b5f409eef2ed6832eead4c53855f91fb90ee099b
> # Parent d1bde5c3c5d21368de04a59506a06c1174353a19
> allow to use engine keyform for server private key
>
> diff -r d1bde5c3c5d2 -r b5f409eef2ed src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c Mon Jul 28 18:30:19 2014 +0400
> +++ b/src/event/ngx_event_openssl.c Tue Jul 29 18:40:35 2014 +0400
> @@ -265,8 +265,11 @@
> ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
> ngx_str_t *key, ngx_array_t *passwords)
> {
> + char *p, *last;
> BIO *bio;
> X509 *x509;
> + ENGINE *engine;
> + EVP_PKEY *private_key;
> u_long n;
> ngx_str_t *pwd;
> ngx_uint_t tries;
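
Review bot: The four new locals at the top of ngx_ssl_certificate() (`char *p, *last;`, `ENGINE *engine;`, `EVP_PKEY *private_key;`) are declared unconditionally, although only the "engine:" branch uses them. If that branch is placed under `#ifndef OPENSSL_NO_ENGINE` so the file still builds against an OpenSSL without engine support, these declarations need the same guard, otherwise they become unused variables. Also consider declaring `p` and `last` as `u_char *` to match `key->data` and casting only at the ENGINE_by_id() and ENGINE_load_private_key() calls.
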
> @@ -352,6 +355,54 @@
>
> BIO_free(bio);
>
> + if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {
> +
> + p = (char *) key->data + sizeof("engine:") - 1;
> + last = ngx_strchr(p, ':');
> +
> + if (last == NULL) {
> + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "invalid syntax: %V", key);
> + return NGX_ERROR;
> + }
> +
> + p[last - p] = '\0';
> + last++;
> +
> + engine = ENGINE_by_id(p);
> +
> + if (engine == NULL) {
> + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
> + "ENGINE_by_id(\"%s\") failed", p);
> + return NGX_ERROR;
> + }
> +
> + private_key = ENGINE_load_private_key(engine, last, 0, 0);
> +
> + if (ENGINE_free(engine) == 0) {
> + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "ENGINE_free() failed");
> + if (private_key)
> + EVP_PKEY_free(private_key);

Style: curly brackets are always used with if's.

> + return NGX_ERROR;
> + }
> +
> + if (private_key == NULL) {
> + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
> + "ENGINE_load_private_key(\"%s\") failed", last);
> + return NGX_ERROR;
> + }

As previously suggested, it's a bad idea to check/log errors after
calling other functions which may modify the error stack.

> +
> + if (SSL_CTX_use_PrivateKey(ssl->ctx, private_key) == 0) {
> + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
> + "SSL_CTX_use_PrivateKey_file(\"%s\") failed", last);

Wrong function name logged.

> + EVP_PKEY_free(private_key);
> + return NGX_ERROR;
> + }
> +
> + EVP_PKEY_free(private_key);
> +
> + return NGX_OK;
> + }
> +
> if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) {
> return NGX_ERROR;
> }
>
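
Review bot: `p[last - p] = '\0';` writes a NUL into `key->data`, so the caller's configuration string is left truncated at "engine:<id>" while `key->len` still covers the full value; any later use of `key` (logging with %V, a second pass over the same value) sees the modified buffer. The expression is also just `*last = '\0'`. Either restore the ':' once ENGINE_by_id() has returned, or copy the engine id into a temporary buffer and leave `key` untouched. Separately, `ENGINE_load_private_key(engine, last, 0, 0)` passes no UI method or callback data, so the `passwords` argument of ngx_ssl_certificate() is ignored for engine keys; if that is intended it should be documented, and the two zero arguments are pointers and read better as NULL.
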
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel

--
Maxim Dounin
http://nginx.org/
