Hi,
On Fri, May 03, 2024 at 04:28:17AM +0400, Sergey Kandaurov wrote:
> # HG changeset patch
> # User Sergey Kandaurov <pluknet@nginx.com>
> # Date 1714670294 -14400
> # Thu May 02 21:18:14 2024 +0400
> # Node ID e00aeabf2b29b891891fd150a01c82b0763c57c0
> # Parent 49dce50fad40bf09db81ca2a35983ecd7b740e43
> SSL: fixed possible configuration overwrite loading "engine:" keys.
>
> When loading certificate keys via ENGINE_load_private_key() in runtime,
> it was possible to overwrite configuration on ENGINE_by_id() failure.
> OpenSSL documention doesn't describe errors in details, the only reason
> I found in the comment to example is when the engine is not available.
>
> diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c
> +++ b/src/event/ngx_event_openssl.c
> @@ -764,13 +764,13 @@ ngx_ssl_load_certificate_key(ngx_pool_t
>
> engine = ENGINE_by_id((char *) p);
>
> + *last++ = ':';
> +
> if (engine == NULL) {
> *err = "ENGINE_by_id() failed";
> return NULL;
> }
>
> - *last++ = ':';
> -
> pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
>
> if (pkey == NULL) {
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx-devel
Looks ok
--
Roman Arutyunyan
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel