diff options
| author | Sergey Kandaurov <pluknet@nginx.com> | 2024-05-03 20:29:01 +0400 |
|---|---|---|
| committer | Sergey Kandaurov <pluknet@nginx.com> | 2024-05-03 20:29:01 +0400 |
| commit | 6f7494081ae8a56664afb480eff583d639b60ab4 (patch) | |
| tree | 6c58c150a6d87aee5cc7d16113fb3bd31200366e /src | |
| parent | a7e3cd52e0a03286267177aa9b88d64232fbaeaf (diff) | |
| download | nginx-6f7494081ae8a56664afb480eff583d639b60ab4.tar.gz nginx-6f7494081ae8a56664afb480eff583d639b60ab4.zip | |
SSL: fixed possible configuration overwrite loading "engine:" keys.
When loading certificate keys via ENGINE_load_private_key() in runtime,
it was possible to overwrite configuration on ENGINE_by_id() failure.
OpenSSL documention doesn't describe errors in details, the only reason
I found in the comment to example is when the engine is not available.
Diffstat (limited to 'src')
| -rw-r--r-- | src/event/ngx_event_openssl.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c index 89f277fe5..8d1f5695c 100644 --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -764,13 +764,13 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, engine = ENGINE_by_id((char *) p); + *last++ = ':'; + if (engine == NULL) { *err = "ENGINE_by_id() failed"; return NULL; } - *last++ = ':'; - pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0); if (pkey == NULL) { |