This commit is contained in:
p-pautov 2025-02-05 22:59:47 +05:30 committed by GitHub
commit 04e63955ae
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 58 additions and 49 deletions


@ -571,6 +571,7 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
EVP_PKEY *pkey; EVP_PKEY *pkey;
ngx_uint_t mask; ngx_uint_t mask;
STACK_OF(X509) *chain; STACK_OF(X509) *chain;
static ngx_array_t empty_passwords;
mask = 0; mask = 0;
@ -618,6 +619,16 @@ retry:
#endif #endif
if (passwords == NULL) {
/*
* Make sure OpenSSL's default password callback
* won't block on reading from stdin.
*/
passwords = &empty_passwords;
}
pkey = ngx_ssl_cache_connection_fetch(cache, pool, pkey = ngx_ssl_cache_connection_fetch(cache, pool,
NGX_SSL_CACHE_PKEY | mask, NGX_SSL_CACHE_PKEY | mask,
&err, key, passwords); &err, key, passwords);
@ -1108,7 +1119,7 @@ ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file)
ssize_t n; ssize_t n;
ngx_fd_t fd; ngx_fd_t fd;
ngx_str_t *pwd; ngx_str_t *pwd;
ngx_array_t *passwords; ngx_array_t *passwords, *temp_passwords;
ngx_pool_cleanup_t *cln; ngx_pool_cleanup_t *cln;
u_char buf[NGX_SSL_PASSWORD_BUFFER_SIZE]; u_char buf[NGX_SSL_PASSWORD_BUFFER_SIZE];
@ -1226,28 +1237,28 @@ cleanup:
ngx_explicit_memzero(buf, NGX_SSL_PASSWORD_BUFFER_SIZE); ngx_explicit_memzero(buf, NGX_SSL_PASSWORD_BUFFER_SIZE);
if (passwords != NULL) {
temp_passwords = passwords;
passwords = ngx_palloc(cf->pool, sizeof(ngx_array_t));
if (passwords != NULL) {
*passwords = *temp_passwords;
}
}
return passwords; return passwords;
} }
ngx_array_t * ngx_int_t
ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_array_t *passwords) ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_array_t *passwords)
{ {
ngx_str_t *opwd, *pwd; ngx_str_t *opwd, *pwd;
ngx_uint_t i; ngx_uint_t i;
ngx_array_t *pwds; ngx_array_t opwds;
ngx_pool_cleanup_t *cln; ngx_pool_cleanup_t *cln;
static ngx_array_t empty_passwords;
if (passwords == NULL) { if (passwords == NULL || passwords->pool == cf->pool) {
return NGX_OK;
/*
* If there are no passwords, an empty array is used
* to make sure OpenSSL's default password callback
* won't block on reading from stdin.
*/
return &empty_passwords;
} }
/* /*
@ -1256,40 +1267,43 @@ ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_array_t *passwords)
* runtime they have to be copied to the configuration pool. * runtime they have to be copied to the configuration pool.
*/ */
pwds = ngx_array_create(cf->pool, passwords->nelts, sizeof(ngx_str_t)); opwds = *passwords;
if (pwds == NULL) {
return NULL; if (ngx_array_init(passwords, cf->pool, opwds.nelts, sizeof(ngx_str_t))
!= NGX_OK)
{
return NGX_ERROR;
} }
cln = ngx_pool_cleanup_add(cf->pool, 0); cln = ngx_pool_cleanup_add(cf->pool, 0);
if (cln == NULL) { if (cln == NULL) {
return NULL; return NGX_ERROR;
} }
cln->handler = ngx_ssl_passwords_cleanup; cln->handler = ngx_ssl_passwords_cleanup;
cln->data = pwds; cln->data = passwords;
opwd = passwords->elts; opwd = opwds.elts;
for (i = 0; i < passwords->nelts; i++) { for (i = 0; i < opwds.nelts; i++) {
pwd = ngx_array_push(pwds); pwd = ngx_array_push(passwords);
if (pwd == NULL) { if (pwd == NULL) {
return NULL; return NGX_ERROR;
} }
pwd->len = opwd[i].len; pwd->len = opwd[i].len;
pwd->data = ngx_pnalloc(cf->pool, pwd->len); pwd->data = ngx_pnalloc(cf->pool, pwd->len);
if (pwd->data == NULL) { if (pwd->data == NULL) {
pwds->nelts--; passwords->nelts--;
return NULL; return NGX_ERROR;
} }
ngx_memcpy(pwd->data, opwd[i].data, opwd[i].len); ngx_memcpy(pwd->data, opwd[i].data, opwd[i].len);
} }
return pwds; return NGX_OK;
} }
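Review bot: The cf->pool copy made in the cleanup path of ngx_ssl_read_password_file (`*passwords = *temp_passwords;`) is a shallow struct copy, so the returned array still carries the temp pool's `elts` and `pool` fields; the new `passwords->pool == cf->pool` test in ngx_ssl_preserve_passwords relies on exactly that, and the passwords are only safe to touch at runtime once that function has re-homed them. Nothing here states that, and a later "fix" that sets the copy's pool to cf->pool would silently disable the preservation and leave request-time code reading freed temp-pool memory holding key passphrases. I would add above the copy: `/* shallow copy: elts/pool still refer to the temp pool; ngx_ssl_preserve_passwords() keys off pool and re-homes the data before any runtime use */`. Whether every runtime consumer goes through ngx_ssl_preserve_passwords is not visible from this diff, so that invariant should be confirmed against the callers. ngx_ssl_read_password_file begins outside the hunk.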


@ -248,8 +248,7 @@ void *ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool,
ngx_uint_t index, char **err, ngx_str_t *path, void *data); ngx_uint_t index, char **err, ngx_str_t *path, void *data);
ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file); ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
ngx_array_t *ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_int_t ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_array_t *passwords);
ngx_array_t *passwords);
ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file); ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name); ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
ngx_int_t ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_int_t ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl,


@ -5080,9 +5080,9 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf)
if (glcf->upstream.ssl_certificate->lengths if (glcf->upstream.ssl_certificate->lengths
|| glcf->upstream.ssl_certificate_key->lengths) || glcf->upstream.ssl_certificate_key->lengths)
{ {
glcf->upstream.ssl_passwords = if (ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords)
ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords); != NGX_OK)
if (glcf->upstream.ssl_passwords == NULL) { {
return NGX_ERROR; return NGX_ERROR;
} }


@ -5340,9 +5340,9 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
if (plcf->upstream.ssl_certificate->lengths if (plcf->upstream.ssl_certificate->lengths
|| plcf->upstream.ssl_certificate_key->lengths) || plcf->upstream.ssl_certificate_key->lengths)
{ {
plcf->upstream.ssl_passwords = if (ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords)
ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords); != NGX_OK)
if (plcf->upstream.ssl_passwords == NULL) { {
return NGX_ERROR; return NGX_ERROR;
} }


@ -988,8 +988,7 @@ found:
} }
} }
conf->passwords = ngx_ssl_preserve_passwords(cf, conf->passwords); if (ngx_ssl_preserve_passwords(cf, conf->passwords) != NGX_OK) {
if (conf->passwords == NULL) {
return NGX_ERROR; return NGX_ERROR;
} }


@ -2688,9 +2688,9 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf)
if (uwcf->upstream.ssl_certificate->lengths if (uwcf->upstream.ssl_certificate->lengths
|| uwcf->upstream.ssl_certificate_key->lengths) || uwcf->upstream.ssl_certificate_key->lengths)
{ {
uwcf->upstream.ssl_passwords = if (ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords)
ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords); != NGX_OK)
if (uwcf->upstream.ssl_passwords == NULL) { {
return NGX_ERROR; return NGX_ERROR;
} }


@ -2421,9 +2421,7 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf)
if (pscf->ssl_certificate->lengths if (pscf->ssl_certificate->lengths
|| pscf->ssl_certificate_key->lengths) || pscf->ssl_certificate_key->lengths)
{ {
pscf->ssl_passwords = if (ngx_ssl_preserve_passwords(cf, pscf->ssl_passwords) != NGX_OK) {
ngx_ssl_preserve_passwords(cf, pscf->ssl_passwords);
if (pscf->ssl_passwords == NULL) {
return NGX_ERROR; return NGX_ERROR;
} }


@ -1230,8 +1230,7 @@ found:
} }
} }
conf->passwords = ngx_ssl_preserve_passwords(cf, conf->passwords); if (ngx_ssl_preserve_passwords(cf, conf->passwords) != NGX_OK) {
if (conf->passwords == NULL) {
return NGX_ERROR; return NGX_ERROR;
} }