Klaus Demo nginx / 8772a0e
SSL: passwords support for dynamic certificate loading. Passwords have to be copied to the configuration pool to be used at runtime. Also, to prevent blocking on stdin (with "daemon off;") an empty password list is provided. To make things simpler, password handling was modified to allow an empty array (with 0 elements and elts set to NULL) as an equivalent of an array with 1 empty password. Maxim Dounin 7 months ago
4 changed file(s) with 77 addition(s) and 2 deletion(s).
770770 break;
771771 }
772772
773 if (--tries) {
773 if (tries-- > 1) {
774774 ERR_clear_error();
775775 (void) BIO_reset(bio);
776776 pwd++;
796796 if (rwflag) {
797797 ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, 0,
798798 "ngx_ssl_password_callback() is called for encryption");
799 return 0;
800 }
801
802 if (pwd == NULL) {
799803 return 0;
800804 }
801805
12111215 ngx_explicit_memzero(buf, NGX_SSL_PASSWORD_BUFFER_SIZE);
12121216
12131217 return passwords;
1218 }
1219
1220
1221 ngx_array_t *
1222 ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_array_t *passwords)
1223 {
1224 ngx_str_t *opwd, *pwd;
1225 ngx_uint_t i;
1226 ngx_array_t *pwds;
1227 ngx_pool_cleanup_t *cln;
1228 static ngx_array_t empty_passwords;
1229
1230 if (passwords == NULL) {
1231
1232 /*
1233 * If there are no passwords, an empty array is used
1234 * to make sure OpenSSL's default password callback
1235 * won't block on reading from stdin.
1236 */
1237
1238 return &empty_passwords;
1239 }
1240
1241 /*
1242 * Passwords are normally allocated from the temporary pool
1243 * and cleared after parsing configuration. To be used at
1244 * runtime they have to be copied to the configuration pool.
1245 */
1246
1247 pwds = ngx_array_create(cf->pool, passwords->nelts, sizeof(ngx_str_t));
1248 if (pwds == NULL) {
1249 return NULL;
1250 }
1251
1252 cln = ngx_pool_cleanup_add(cf->pool, 0);
1253 if (cln == NULL) {
1254 return NULL;
1255 }
1256
1257 cln->handler = ngx_ssl_passwords_cleanup;
1258 cln->data = pwds;
1259
1260 opwd = passwords->elts;
1261
1262 for (i = 0; i < passwords->nelts; i++) {
1263
1264 pwd = ngx_array_push(pwds);
1265 if (pwd == NULL) {
1266 return NULL;
1267 }
1268
1269 pwd->len = opwd[i].len;
1270 pwd->data = ngx_pnalloc(cf->pool, pwd->len);
1271
1272 if (pwd->data == NULL) {
1273 pwds->nelts--;
1274 return NULL;
1275 }
1276
1277 ngx_memcpy(pwd->data, opwd[i].data, opwd[i].len);
1278 }
1279
1280 return pwds;
12141281 }
12151282
12161283
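Review bot: ngx_ssl_preserve_passwords() hands back the shared, zero-initialised static `empty_passwords` for a NULL input, and since that array has no pool an `ngx_array_push()` on it by any caller would dereference a NULL pool and corrupt the list for every other caller; the contract should say so above the function, e.g. `/* The returned array is shared and must be treated as read-only; for passwords == NULL it is a static empty array with no pool. */`. The cleanup is registered before the copy loop, so an entry copied before a later allocation failure is still reached by ngx_ssl_passwords_cleanup when cf->pool is destroyed — presumably that handler wipes the copied bytes, which deserves a why-comment on line 1257 such as `/* registered before copying so partial copies are wiped too */`, and the `pwds->nelts--` on line 1273 keeps that handler from seeing an entry whose data is NULL, which is worth one line as well. If an input array with nelts == 0 can reach this function, the loop copies nothing and a pool-allocated empty array is returned; mapping that case to empty_passwords would avoid the zero-sized ngx_array_create() — hedged, since the producer of the array is not in the hunk. The `tries-- > 1` rewrite in the first hunk and the `pwd == NULL` check in the second are what let the empty array through ngx_ssl_password_callback(); that callback's body begins outside the hunks.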
182182 RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
183183 int key_length);
184184 ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
185 ngx_array_t *ngx_ssl_preserve_passwords(ngx_conf_t *cf,
186 ngx_array_t *passwords);
185187 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
186188 ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
187189 ngx_int_t ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl,
934934 }
935935 }
936936
937 conf->passwords = ngx_ssl_preserve_passwords(cf, conf->passwords);
938 if (conf->passwords == NULL) {
939 return NGX_ERROR;
940 }
941
937942 return NGX_OK;
938943 }
939944
994994 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
995995 "ssl key: \"%s\"", key.data);
996996
997 if (ngx_ssl_connection_certificate(c, r->pool, &cert, &key, NULL)
997 if (ngx_ssl_connection_certificate(c, r->pool, &cert, &key,
998 sscf->passwords)
998999 != NGX_OK)
9991000 {
10001001 goto failed;