Merge b6ac92d28d into ecb809305e

2025-02-25 18:55:26 -06:00 · 2025-02-05 22:59:47 +05:30 · 2025-02-05 22:59:47 +05:30 · 04e63955ae
commit 04e63955ae
parent ecb809305e b6ac92d28d
8 changed files with 58 additions and 49 deletions
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@ -565,12 +565,13 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *cert, ngx_str_t *key, ngx_ssl_cache_t *cache,
    ngx_array_t *passwords)
 {
-    char            *err;
-    X509            *x509;
-    u_long           n;
-    EVP_PKEY        *pkey;
-    ngx_uint_t       mask;
-    STACK_OF(X509)  *chain;
+    char               *err;
+    X509               *x509;
+    u_long              n;
+    EVP_PKEY           *pkey;
+    ngx_uint_t          mask;
+    STACK_OF(X509)     *chain;
+    static ngx_array_t  empty_passwords;

    mask = 0;

@ -618,6 +619,16 @@ retry:

 #endif

+    if (passwords == NULL) {
+
+        /*
+         * Make sure OpenSSL's default password callback
+         * won't block on reading from stdin.
+         */
+
+        passwords = &empty_passwords;
+    }
+
    pkey = ngx_ssl_cache_connection_fetch(cache, pool,
                                          NGX_SSL_CACHE_PKEY | mask,
                                          &err, key, passwords);
@ -1108,7 +1119,7 @@ ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file)
    ssize_t              n;
    ngx_fd_t             fd;
    ngx_str_t           *pwd;
-    ngx_array_t         *passwords;
+    ngx_array_t         *passwords, *temp_passwords;
    ngx_pool_cleanup_t  *cln;
    u_char               buf[NGX_SSL_PASSWORD_BUFFER_SIZE];

@ -1226,28 +1237,28 @@ cleanup:

    ngx_explicit_memzero(buf, NGX_SSL_PASSWORD_BUFFER_SIZE);

+    if (passwords != NULL) {
+        temp_passwords = passwords;
+        passwords = ngx_palloc(cf->pool, sizeof(ngx_array_t));
+        if (passwords != NULL) {
+            *passwords = *temp_passwords;
+        }
+    }
+
    return passwords;
 }


-ngx_array_t *
+ngx_int_t
 ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_array_t *passwords)
 {
    ngx_str_t           *opwd, *pwd;
    ngx_uint_t           i;
-    ngx_array_t         *pwds;
+    ngx_array_t          opwds;
    ngx_pool_cleanup_t  *cln;
-    static ngx_array_t   empty_passwords;

-    if (passwords == NULL) {
-
-        /*
-         * If there are no passwords, an empty array is used
-         * to make sure OpenSSL's default password callback
-         * won't block on reading from stdin.
-         */
-
-        return &empty_passwords;
+    if (passwords == NULL || passwords->pool == cf->pool) {
+        return NGX_OK;
    }

    /*
@ -1256,40 +1267,43 @@ ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_array_t *passwords)
     * runtime they have to be copied to the configuration pool.
     */

-    pwds = ngx_array_create(cf->pool, passwords->nelts, sizeof(ngx_str_t));
-    if (pwds == NULL) {
-        return NULL;
+    opwds = *passwords;
+
+    if (ngx_array_init(passwords, cf->pool, opwds.nelts, sizeof(ngx_str_t))
+        != NGX_OK)
+    {
+        return NGX_ERROR;
    }

    cln = ngx_pool_cleanup_add(cf->pool, 0);
    if (cln == NULL) {
-        return NULL;
+        return NGX_ERROR;
    }

    cln->handler = ngx_ssl_passwords_cleanup;
-    cln->data = pwds;
+    cln->data = passwords;

-    opwd = passwords->elts;
+    opwd = opwds.elts;

-    for (i = 0; i < passwords->nelts; i++) {
+    for (i = 0; i < opwds.nelts; i++) {

-        pwd = ngx_array_push(pwds);
+        pwd = ngx_array_push(passwords);
        if (pwd == NULL) {
-            return NULL;
+            return NGX_ERROR;
        }

        pwd->len = opwd[i].len;
        pwd->data = ngx_pnalloc(cf->pool, pwd->len);

        if (pwd->data == NULL) {
-            pwds->nelts--;
-            return NULL;
+            passwords->nelts--;
+            return NGX_ERROR;
        }

        ngx_memcpy(pwd->data, opwd[i].data, opwd[i].len);
    }

-    return pwds;
+    return NGX_OK;
 }


--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@ -248,8 +248,7 @@ void *ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool,
    ngx_uint_t index, char **err, ngx_str_t *path, void *data);

 ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
-ngx_array_t *ngx_ssl_preserve_passwords(ngx_conf_t *cf,
-    ngx_array_t *passwords);
+ngx_int_t ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_array_t *passwords);
 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
 ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
 ngx_int_t ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl,
--- a/src/http/modules/ngx_http_grpc_module.c
+++ b/src/http/modules/ngx_http_grpc_module.c
@ -5080,9 +5080,9 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf)
        if (glcf->upstream.ssl_certificate->lengths
            || glcf->upstream.ssl_certificate_key->lengths)
        {
-            glcf->upstream.ssl_passwords =
-                  ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords);
-            if (glcf->upstream.ssl_passwords == NULL) {
+            if (ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords)
+                != NGX_OK)
+            {
                return NGX_ERROR;
            }

--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@ -5340,9 +5340,9 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
        if (plcf->upstream.ssl_certificate->lengths
            || plcf->upstream.ssl_certificate_key->lengths)
        {
-            plcf->upstream.ssl_passwords =
-                  ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords);
-            if (plcf->upstream.ssl_passwords == NULL) {
+            if (ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords)
+                != NGX_OK)
+            {
                return NGX_ERROR;
            }

--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@ -988,8 +988,7 @@ found:
        }
    }

-    conf->passwords = ngx_ssl_preserve_passwords(cf, conf->passwords);
-    if (conf->passwords == NULL) {
+    if (ngx_ssl_preserve_passwords(cf, conf->passwords) != NGX_OK) {
        return NGX_ERROR;
    }

--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@ -2688,9 +2688,9 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf)
        if (uwcf->upstream.ssl_certificate->lengths
            || uwcf->upstream.ssl_certificate_key->lengths)
        {
-            uwcf->upstream.ssl_passwords =
-                  ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords);
-            if (uwcf->upstream.ssl_passwords == NULL) {
+            if (ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords)
+                != NGX_OK)
+            {
                return NGX_ERROR;
            }

--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@ -2421,9 +2421,7 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf)
        if (pscf->ssl_certificate->lengths
            || pscf->ssl_certificate_key->lengths)
        {
-            pscf->ssl_passwords =
-                           ngx_ssl_preserve_passwords(cf, pscf->ssl_passwords);
-            if (pscf->ssl_passwords == NULL) {
+            if (ngx_ssl_preserve_passwords(cf, pscf->ssl_passwords) != NGX_OK) {
                return NGX_ERROR;
            }

--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@ -1230,8 +1230,7 @@ found:
        }
    }

-    conf->passwords = ngx_ssl_preserve_passwords(cf, conf->passwords);
-    if (conf->passwords == NULL) {
+    if (ngx_ssl_preserve_passwords(cf, conf->passwords) != NGX_OK) {
        return NGX_ERROR;
    }