From b6ac92d28dfcdcb8933a09ef077fa5155c375960 Mon Sep 17 00:00:00 2001
From: Pavel Pautov <p.pautov@f5.com>
Date: Thu, 23 Jan 2025 22:07:58 -0800
Subject: [PATCH] SSL: simplify ngx_ssl_preserve_passwords() interface.

---
 src/event/ngx_event_openssl.c            | 28 +++++++-----------------
 src/event/ngx_event_openssl.h            |  3 +--
 src/http/modules/ngx_http_grpc_module.c  |  6 ++---
 src/http/modules/ngx_http_proxy_module.c |  6 ++---
 src/http/modules/ngx_http_ssl_module.c   |  3 +--
 src/http/modules/ngx_http_uwsgi_module.c |  6 ++---
 src/stream/ngx_stream_proxy_module.c     |  4 +---
 src/stream/ngx_stream_ssl_module.c       |  3 +--
 8 files changed, 21 insertions(+), 38 deletions(-)

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 4ec7a5054..7a6934252 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1249,24 +1249,16 @@ cleanup:
 }
 
 
-ngx_array_t *
+ngx_int_t
 ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_array_t *passwords)
 {
     ngx_str_t           *opwd, *pwd;
     ngx_uint_t           i;
     ngx_array_t          opwds;
     ngx_pool_cleanup_t  *cln;
-    static ngx_array_t   empty_passwords;
 
-    if (passwords == NULL) {
-
-        /*
-         * If there are no passwords, an empty array is used
-         * to make sure OpenSSL's default password callback
-         * won't block on reading from stdin.
-         */
-
-        return &empty_passwords;
+    if (passwords == NULL || passwords->pool == cf->pool) {
+        return NGX_OK;
     }
 
     /*
@@ -1275,21 +1267,17 @@ ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_array_t *passwords)
      * runtime they have to be copied to the configuration pool.
      */
 
-    if (passwords->pool == cf->pool || passwords == &empty_passwords) {
-        return passwords;
-    }
-
     opwds = *passwords;
 
     if (ngx_array_init(passwords, cf->pool, opwds.nelts, sizeof(ngx_str_t))
         != NGX_OK)
     {
-        return NULL;
+        return NGX_ERROR;
     }
 
     cln = ngx_pool_cleanup_add(cf->pool, 0);
     if (cln == NULL) {
-        return NULL;
+        return NGX_ERROR;
     }
 
     cln->handler = ngx_ssl_passwords_cleanup;
@@ -1301,7 +1289,7 @@ ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_array_t *passwords)
 
         pwd = ngx_array_push(passwords);
         if (pwd == NULL) {
-            return NULL;
+            return NGX_ERROR;
         }
 
         pwd->len = opwd[i].len;
@@ -1309,13 +1297,13 @@ ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_array_t *passwords)
 
         if (pwd->data == NULL) {
             passwords->nelts--;
-            return NULL;
+            return NGX_ERROR;
         }
 
         ngx_memcpy(pwd->data, opwd[i].data, opwd[i].len);
     }
 
-    return passwords;
+    return NGX_OK;
 }
 
 
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 9ad4d177b..6213be7d7 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -248,8 +248,7 @@ void *ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool,
     ngx_uint_t index, char **err, ngx_str_t *path, void *data);
 
 ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
-ngx_array_t *ngx_ssl_preserve_passwords(ngx_conf_t *cf,
-    ngx_array_t *passwords);
+ngx_int_t ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_array_t *passwords);
 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
 ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
 ngx_int_t ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl,
diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c
index 8e246c3cf..f54f551de 100644
--- a/src/http/modules/ngx_http_grpc_module.c
+++ b/src/http/modules/ngx_http_grpc_module.c
@@ -5080,9 +5080,9 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf)
         if (glcf->upstream.ssl_certificate->lengths
             || glcf->upstream.ssl_certificate_key->lengths)
         {
-            glcf->upstream.ssl_passwords =
-                  ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords);
-            if (glcf->upstream.ssl_passwords == NULL) {
+            if (ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords)
+                != NGX_OK)
+            {
                 return NGX_ERROR;
             }
 
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
index 27c34fef2..a221da8c3 100644
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -5340,9 +5340,9 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
         if (plcf->upstream.ssl_certificate->lengths
             || plcf->upstream.ssl_certificate_key->lengths)
         {
-            plcf->upstream.ssl_passwords =
-                  ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords);
-            if (plcf->upstream.ssl_passwords == NULL) {
+            if (ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords)
+                != NGX_OK)
+            {
                 return NGX_ERROR;
             }
 
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index dbfe5c08b..1dd76b1fb 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -988,8 +988,7 @@ found:
         }
     }
 
-    conf->passwords = ngx_ssl_preserve_passwords(cf, conf->passwords);
-    if (conf->passwords == NULL) {
+    if (ngx_ssl_preserve_passwords(cf, conf->passwords) != NGX_OK) {
         return NGX_ERROR;
     }
 
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
index 14aae5bf1..d4d0ecc5e 100644
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -2688,9 +2688,9 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf)
         if (uwcf->upstream.ssl_certificate->lengths
             || uwcf->upstream.ssl_certificate_key->lengths)
         {
-            uwcf->upstream.ssl_passwords =
-                  ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords);
-            if (uwcf->upstream.ssl_passwords == NULL) {
+            if (ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords)
+                != NGX_OK)
+            {
                 return NGX_ERROR;
             }
 
diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
index 7f8bfc4e0..c2185502e 100644
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -2421,9 +2421,7 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf)
         if (pscf->ssl_certificate->lengths
             || pscf->ssl_certificate_key->lengths)
         {
-            pscf->ssl_passwords =
-                           ngx_ssl_preserve_passwords(cf, pscf->ssl_passwords);
-            if (pscf->ssl_passwords == NULL) {
+            if (ngx_ssl_preserve_passwords(cf, pscf->ssl_passwords) != NGX_OK) {
                 return NGX_ERROR;
             }
 
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
index b84995d61..e7eceebae 100644
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -1207,8 +1207,7 @@ found:
         }
     }
 
-    conf->passwords = ngx_ssl_preserve_passwords(cf, conf->passwords);
-    if (conf->passwords == NULL) {
+    if (ngx_ssl_preserve_passwords(cf, conf->passwords) != NGX_OK) {
         return NGX_ERROR;
     }