From 1a30d79c429cb1d4438d592db62cbe701e3b4360 Mon Sep 17 00:00:00 2001
From: Maxim Dounin
Date: Mon, 25 Feb 2019 21:16:26 +0300
Subject: [PATCH] SSL: fixed possible segfault with dynamic certificates.

A virtual server may have no SSL context if it does not have certificates defined, so we have to use config of the ngx_http_ssl_module from the SSL context in the certificate callback. To do so, it is now passed as the argument of the callback. The stream module doesn't really need any changes, but was modified as well to match http code.
---
 src/http/modules/ngx_http_ssl_module.c | 2 +-
 src/http/ngx_http_request.c | 2 +-
 src/stream/ngx_stream_ssl_module.c | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index 3bf122acb..1b2830d21 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -741,7 +741,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
 /* install callback to lookup certificates */
- SSL_CTX_set_cert_cb(conf->ssl.ctx, ngx_http_ssl_certificate, NULL);
+ SSL_CTX_set_cert_cb(conf->ssl.ctx, ngx_http_ssl_certificate, conf);
 #else
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 81d546a86..40973b2e2 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -973,7 +973,7 @@ ngx_http_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg)
 r->logged = 1;
- sscf = ngx_http_get_module_srv_conf(r, ngx_http_ssl_module);
+ sscf = arg;
 nelts = sscf->certificate_values->nelts;
 certs = sscf->certificate_values->elts;
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
index 9ab2c82be..9266e99aa 100644
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
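Review bot: In the ngx_http_ssl_merge_srv_conf hunk, `conf` is now handed to OpenSSL as an untyped `void *` and read back in ngx_http_ssl_certificate by plain assignment, so nothing at the call site records that the callback depends on receiving exactly this configuration. I would extend the comment above the call, e.g. `/* install callback to lookup certificates; conf is passed so the callback uses the configuration that owns this SSL_CTX */`. The pointer must stay valid for as long as the SSL_CTX can run handshakes; that presumably holds if both are allocated for the lifetime of the configuration, but the allocation is outside this hunk. The same applies to the ngx_stream_ssl_merge_conf hunk in src/stream/ngx_stream_ssl_module.c.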
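Review bot: `sscf = arg;` in ngx_http_ssl_certificate is dereferenced two lines later (`sscf->certificate_values->nelts`) with no comment saying why the request's own server configuration is deliberately not used, although that is the entire crash fix and the callback presumably runs during the TLS handshake, where a NULL dereference takes the worker down. A comment such as `/* arg is the ssl conf bound to the SSL_CTX; the server conf of r may have no certificate_values */` would keep a later cleanup from reverting it. After this line `r` and `sscf` can belong to different server blocks, so any later code in the function that combines them deserves a look; the function body continues outside the hunk. The ngx_stream_ssl_certificate hunk in src/stream/ngx_stream_ssl_module.c has the same shape.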
@@ -434,7 +434,7 @@ ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg)
 s = c->data;
- sslcf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module);
+ sslcf = arg;
 nelts = sslcf->certificate_values->nelts;
 certs = sslcf->certificate_values->elts;
@@ -692,7 +692,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
 /* install callback to lookup certificates */
- SSL_CTX_set_cert_cb(conf->ssl.ctx, ngx_stream_ssl_certificate, NULL);
+ SSL_CTX_set_cert_cb(conf->ssl.ctx, ngx_stream_ssl_certificate, conf);
 #else
 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,