mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-01-18 09:13:05 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SSL: avoid using mismatched certificate/key cached pairs.
Some checks are pending
buildbot / buildbot (push) Waiting to run
Details

Browse Source 
This can happen with certificates and certificate keys specified
with variables due to partial cache update in various scenarios:
- cache expiration with only one element of pair evicted
- on-disk update with non-cacheable encrypted keys
- non-atomic on-disk update

The fix is to retry with fresh data on X509_R_KEY_VALUES_MISMATCH.
This commit is contained in:
Sergey Kandaurov 2025-01-08 17:50:33 +04:00 committed by pluknet
parent 454ad0ef33
commit 5d5d9adccf
3 changed files with 34 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
src/event/ngx_event_openssl.c
View File

@ -567,10 +567,17 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
{
char *err;
X509 *x509;
u_long n;
EVP_PKEY *pkey;
ngx_uint_t mask;
STACK_OF(X509) *chain;
chain = ngx_ssl_cache_connection_fetch(cache, pool, NGX_SSL_CACHE_CERT,
mask = 0;
retry:
chain = ngx_ssl_cache_connection_fetch(cache, pool,
NGX_SSL_CACHE_CERT | mask,
&err, cert, NULL);
if (chain == NULL) {
if (err != NULL) {
@ -611,7 +618,8 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
#endif
pkey = ngx_ssl_cache_connection_fetch(cache, pool, NGX_SSL_CACHE_PKEY,
pkey = ngx_ssl_cache_connection_fetch(cache, pool,
NGX_SSL_CACHE_PKEY | mask,
&err, key, passwords);
if (pkey == NULL) {
if (err != NULL) {
@ -624,9 +632,23 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
}
if (SSL_use_PrivateKey(c->ssl->connection, pkey) == 0) {
EVP_PKEY_free(pkey);
/* there can be mismatched pairs on uneven cache update */
n = ERR_peek_last_error();
if (ERR_GET_LIB(n) == ERR_LIB_X509
&& ERR_GET_REASON(n) == X509_R_KEY_VALUES_MISMATCH
&& mask == 0)
{
ERR_clear_error();
mask = NGX_SSL_CACHE_INVALIDATE;
goto retry;
}
ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
"SSL_use_PrivateKey(\"%s\") failed", key->data);
EVP_PKEY_free(pkey);
return NGX_ERROR;
}

2
src/event/ngx_event_openssl.h
View File

@ -206,6 +206,8 @@ typedef struct {
#define NGX_SSL_CACHE_CRL 2
#define NGX_SSL_CACHE_CA 3
#define NGX_SSL_CACHE_INVALIDATE 0x80000000
ngx_int_t ngx_ssl_init(ngx_log_t *log);
ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);

9
src/event/ngx_event_openssl_cache.c
View File

@ -289,6 +289,7 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool,
void *value;
time_t now;
uint32_t hash;
ngx_uint_t invalidate;
ngx_file_info_t fi;
ngx_ssl_cache_key_t id;
ngx_ssl_cache_type_t *type;
@ -296,6 +297,9 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool,
*err = NULL;
invalidate = index & NGX_SSL_CACHE_INVALIDATE;
index &= ~NGX_SSL_CACHE_INVALIDATE;
if (ngx_ssl_cache_init_key(pool, index, path, &id) != NGX_OK) {
return NULL;
}
@ -319,7 +323,7 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool,
goto found;
}
if (now - cn->created <= cache->valid) {
if (!invalidate && now - cn->created <= cache->valid) {
goto found;
}
@ -329,7 +333,8 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool,
if (ngx_file_info(id.data, &fi) != NGX_FILE_ERROR) {
if (ngx_file_uniq(&fi) == cn->uniq
if (!invalidate
&& ngx_file_uniq(&fi) == cn->uniq
&& ngx_file_mtime(&fi) == cn->mtime)
{
break;