From: Sergey Kandaurov Date: Fri, 3 May 2024 16:29:01 +0000 (+0400) Subject: SSL: fixed possible configuration overwrite loading "engine:" keys. X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/NGINX-js-1660x332.png%20%22NGINX%20JavaScript%20Banner%22?a=commitdiff_plain;h=6f7494081ae8a56664afb480eff583d639b60ab4;p=nginx.git SSL: fixed possible configuration overwrite loading "engine:" keys. When loading certificate keys via ENGINE_load_private_key() in runtime, it was possible to overwrite configuration on ENGINE_by_id() failure. OpenSSL documention doesn't describe errors in details, the only reason I found in the comment to example is when the engine is not available. --- diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c index 89f277fe5..8d1f5695c 100644 --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -764,13 +764,13 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, engine = ENGINE_by_id((char *) p); + *last++ = ':'; + if (engine == NULL) { *err = "ENGINE_by_id() failed"; return NULL; } - *last++ = ':'; - pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0); if (pkey == NULL) {