Mercurial > hg > nginx

comparison src/event/ngx_event_openssl.c @ 7463:180df83473a4

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
SSL: passwords support for dynamic certificate loading. Passwords have to be copied to the configuration pool to be used at runtime. Also, to prevent blocking on stdin (with "daemon off;") an empty password list is provided. To make things simpler, password handling was modified to allow an empty array (with 0 elements and elts set to NULL) as an equivalent of an array with 1 empty password.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 25 Feb 2019 16:42:23 +0300
parents a68799465b19
children 6708bec13757
comparison
equal deleted inserted replaced
7462:be2af41d3620 7463:180df83473a4
769 pkey = PEM_read_bio_PrivateKey(bio, NULL, cb, pwd); 769 pkey = PEM_read_bio_PrivateKey(bio, NULL, cb, pwd);
770 if (pkey != NULL) { 770 if (pkey != NULL) {
771 break; 771 break;
772 } 772 }
773 773
774 if (--tries) { 774 if (tries-- > 1) {
775 ERR_clear_error(); 775 ERR_clear_error();
776 (void) BIO_reset(bio); 776 (void) BIO_reset(bio);
777 pwd++; 777 pwd++;
778 continue; 778 continue;
779 } 779 }
795 ngx_str_t *pwd = userdata; 795 ngx_str_t *pwd = userdata;
796 796
797 if (rwflag) { 797 if (rwflag) {
798 ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, 0, 798 ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, 0,
799 "ngx_ssl_password_callback() is called for encryption"); 799 "ngx_ssl_password_callback() is called for encryption");
800 return 0;
801 }
802
803 if (pwd == NULL) {
800 return 0; 804 return 0;
801 } 805 }
802 806
803 if (pwd->len > (size_t) size) { 807 if (pwd->len > (size_t) size) {
804 ngx_log_error(NGX_LOG_ERR, ngx_cycle->log, 0, 808 ngx_log_error(NGX_LOG_ERR, ngx_cycle->log, 0,
1210 } 1214 }
1211 1215
1212 ngx_explicit_memzero(buf, NGX_SSL_PASSWORD_BUFFER_SIZE); 1216 ngx_explicit_memzero(buf, NGX_SSL_PASSWORD_BUFFER_SIZE);
1213 1217
1214 return passwords; 1218 return passwords;
1219 }
1220
1221
1222 ngx_array_t *
1223 ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_array_t *passwords)
1224 {
1225 ngx_str_t *opwd, *pwd;
1226 ngx_uint_t i;
1227 ngx_array_t *pwds;
1228 ngx_pool_cleanup_t *cln;
1229 static ngx_array_t empty_passwords;
1230
1231 if (passwords == NULL) {
1232
1233 /*
1234 * If there are no passwords, an empty array is used
1235 * to make sure OpenSSL's default password callback
1236 * won't block on reading from stdin.
1237 */
1238
1239 return &empty_passwords;
1240 }
1241
1242 /*
1243 * Passwords are normally allocated from the temporary pool
1244 * and cleared after parsing configuration. To be used at
1245 * runtime they have to be copied to the configuration pool.
1246 */
1247
1248 pwds = ngx_array_create(cf->pool, passwords->nelts, sizeof(ngx_str_t));
1249 if (pwds == NULL) {
1250 return NULL;
1251 }
1252
1253 cln = ngx_pool_cleanup_add(cf->pool, 0);
1254 if (cln == NULL) {
1255 return NULL;
1256 }
1257
1258 cln->handler = ngx_ssl_passwords_cleanup;
1259 cln->data = pwds;
1260
1261 opwd = passwords->elts;
1262
1263 for (i = 0; i < passwords->nelts; i++) {
1264
1265 pwd = ngx_array_push(pwds);
1266 if (pwd == NULL) {
1267 return NULL;
1268 }
1269
1270 pwd->len = opwd[i].len;
1271 pwd->data = ngx_pnalloc(cf->pool, pwd->len);
1272
1273 if (pwd->data == NULL) {
1274 pwds->nelts--;
1275 return NULL;
1276 }
1277
1278 ngx_memcpy(pwd->data, opwd[i].data, opwd[i].len);
1279 }
1280
1281 return pwds;
1215 } 1282 }
1216 1283
1217 1284
1218 static void 1285 static void
1219 ngx_ssl_passwords_cleanup(void *data) 1286 ngx_ssl_passwords_cleanup(void *data)