mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-07-21 03:44:05 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

SSL: avoid using mismatched certificate/key cached pairs.
Some checks failed
buildbot / buildbot (push) Has been cancelled
Details

Browse Source 
This can happen with certificates and certificate keys specified
with variables due to partial cache update in various scenarios:
- cache expiration with only one element of pair evicted
- on-disk update with non-cacheable encrypted keys
- non-atomic on-disk update

The fix is to retry with fresh data on X509_R_KEY_VALUES_MISMATCH.
This commit is contained in:
Sergey Kandaurov 2025-01-08 17:50:33 +04:00 committed by pluknet
parent 454ad0ef33
commit 5d5d9adccf
3 changed files with 34 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
src/event/ngx_event_openssl.c
View File

@ -567,10 +567,17 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
{ {
char *err; char *err;
X509 *x509; X509 *x509;
u_long n;
EVP_PKEY *pkey; EVP_PKEY *pkey;
ngx_uint_t mask;
STACK_OF(X509) *chain; STACK_OF(X509) *chain;
chain = ngx_ssl_cache_connection_fetch(cache, pool, NGX_SSL_CACHE_CERT, mask = 0;
retry:
chain = ngx_ssl_cache_connection_fetch(cache, pool,
NGX_SSL_CACHE_CERT | mask,
&err, cert, NULL); &err, cert, NULL);
if (chain == NULL) { if (chain == NULL) {
if (err != NULL) { if (err != NULL) {
@ -611,7 +618,8 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
#endif #endif
pkey = ngx_ssl_cache_connection_fetch(cache, pool, NGX_SSL_CACHE_PKEY, pkey = ngx_ssl_cache_connection_fetch(cache, pool,
NGX_SSL_CACHE_PKEY | mask,
&err, key, passwords); &err, key, passwords);
if (pkey == NULL) { if (pkey == NULL) {
if (err != NULL) { if (err != NULL) {
@ -624,9 +632,23 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
} }
if (SSL_use_PrivateKey(c->ssl->connection, pkey) == 0) { if (SSL_use_PrivateKey(c->ssl->connection, pkey) == 0) {
EVP_PKEY_free(pkey);
/* there can be mismatched pairs on uneven cache update */
n = ERR_peek_last_error();
if (ERR_GET_LIB(n) == ERR_LIB_X509
&& ERR_GET_REASON(n) == X509_R_KEY_VALUES_MISMATCH
&& mask == 0)
{
ERR_clear_error();
mask = NGX_SSL_CACHE_INVALIDATE;
goto retry;
}
ngx_ssl_error(NGX_LOG_ERR, c->log, 0, ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
"SSL_use_PrivateKey(\"%s\") failed", key->data); "SSL_use_PrivateKey(\"%s\") failed", key->data);
EVP_PKEY_free(pkey);
return NGX_ERROR; return NGX_ERROR;
} }

2
src/event/ngx_event_openssl.h
View File

@ -206,6 +206,8 @@ typedef struct {
#define NGX_SSL_CACHE_CRL 2 #define NGX_SSL_CACHE_CRL 2
#define NGX_SSL_CACHE_CA 3 #define NGX_SSL_CACHE_CA 3
#define NGX_SSL_CACHE_INVALIDATE 0x80000000
ngx_int_t ngx_ssl_init(ngx_log_t *log); ngx_int_t ngx_ssl_init(ngx_log_t *log);
ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data); ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);

9
src/event/ngx_event_openssl_cache.c
View File

@ -289,6 +289,7 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool,
void *value; void *value;
time_t now; time_t now;
uint32_t hash; uint32_t hash;
ngx_uint_t invalidate;
ngx_file_info_t fi; ngx_file_info_t fi;
ngx_ssl_cache_key_t id; ngx_ssl_cache_key_t id;
ngx_ssl_cache_type_t *type; ngx_ssl_cache_type_t *type;
@ -296,6 +297,9 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool,
*err = NULL; *err = NULL;
invalidate = index & NGX_SSL_CACHE_INVALIDATE;
index &= ~NGX_SSL_CACHE_INVALIDATE;
if (ngx_ssl_cache_init_key(pool, index, path, &id) != NGX_OK) { if (ngx_ssl_cache_init_key(pool, index, path, &id) != NGX_OK) {
return NULL; return NULL;
} }
@ -319,7 +323,7 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool,
goto found; goto found;
} }
if (now - cn->created <= cache->valid) { if (!invalidate && now - cn->created <= cache->valid) {
goto found; goto found;
} }
@ -329,7 +333,8 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool,
if (ngx_file_info(id.data, &fi) != NGX_FILE_ERROR) { if (ngx_file_info(id.data, &fi) != NGX_FILE_ERROR) {
if (ngx_file_uniq(&fi) == cn->uniq if (!invalidate
&& ngx_file_uniq(&fi) == cn->uniq
&& ngx_file_mtime(&fi) == cn->mtime) && ngx_file_mtime(&fi) == cn->mtime)
{ {
break; break;