[nginx] SSL: avoid using mismatched certificate/key cached pairs.

Thu, 16 Jan 2025 16:38:29 -0800 

details:   
https://github.com/nginx/nginx/commit/5d5d9adccfeaff7d5926737ee5dfa43937fe5899
branches:  master
commit:    5d5d9adccfeaff7d5926737ee5dfa43937fe5899
user:      Sergey Kandaurov <pluk...@nginx.com>
date:      Wed, 8 Jan 2025 17:50:33 +0400
description:
SSL: avoid using mismatched certificate/key cached pairs.

This can happen with certificates and certificate keys specified
with variables due to partial cache update in various scenarios:
- cache expiration with only one element of pair evicted
- on-disk update with non-cacheable encrypted keys
- non-atomic on-disk update

The fix is to retry with fresh data on X509_R_KEY_VALUES_MISMATCH.

---
 src/event/ngx_event_openssl.c       | 28 +++++++++++++++++++++++++---
 src/event/ngx_event_openssl.h       |  2 ++
 src/event/ngx_event_openssl_cache.c |  9 +++++++--
 3 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 8963c8124..0681ca3a2 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -567,10 +567,17 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, 
ngx_pool_t *pool,
 {
     char            *err;
     X509            *x509;
+    u_long           n;
     EVP_PKEY        *pkey;
+    ngx_uint_t       mask;
     STACK_OF(X509)  *chain;
 
-    chain = ngx_ssl_cache_connection_fetch(cache, pool, NGX_SSL_CACHE_CERT,
+    mask = 0;
+
+retry:
+
+    chain = ngx_ssl_cache_connection_fetch(cache, pool,
+                                           NGX_SSL_CACHE_CERT | mask,
                                            &err, cert, NULL);
     if (chain == NULL) {
         if (err != NULL) {
@@ -611,7 +618,8 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, 
ngx_pool_t *pool,
 
 #endif
 
-    pkey = ngx_ssl_cache_connection_fetch(cache, pool, NGX_SSL_CACHE_PKEY,
+    pkey = ngx_ssl_cache_connection_fetch(cache, pool,
+                                          NGX_SSL_CACHE_PKEY | mask,
                                           &err, key, passwords);
     if (pkey == NULL) {
         if (err != NULL) {
@@ -624,9 +632,23 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, 
ngx_pool_t *pool,
     }
 
     if (SSL_use_PrivateKey(c->ssl->connection, pkey) == 0) {
+        EVP_PKEY_free(pkey);
+
+        /* there can be mismatched pairs on uneven cache update */
+
+        n = ERR_peek_last_error();
+
+        if (ERR_GET_LIB(n) == ERR_LIB_X509
+            && ERR_GET_REASON(n) == X509_R_KEY_VALUES_MISMATCH
+            && mask == 0)
+        {
+            ERR_clear_error();
+            mask = NGX_SSL_CACHE_INVALIDATE;
+            goto retry;
+        }
+
         ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                       "SSL_use_PrivateKey(\"%s\") failed", key->data);
-        EVP_PKEY_free(pkey);
         return NGX_ERROR;
     }
 
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 0713c5671..c9dc50c75 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -206,6 +206,8 @@ typedef struct {
 #define NGX_SSL_CACHE_CRL   2
 #define NGX_SSL_CACHE_CA    3
 
+#define NGX_SSL_CACHE_INVALIDATE  0x80000000
+
 
 ngx_int_t ngx_ssl_init(ngx_log_t *log);
 ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);
diff --git a/src/event/ngx_event_openssl_cache.c 
b/src/event/ngx_event_openssl_cache.c
index eb03e16b2..d62b4c430 100644
--- a/src/event/ngx_event_openssl_cache.c
+++ b/src/event/ngx_event_openssl_cache.c
@@ -289,6 +289,7 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, 
ngx_pool_t *pool,
     void                  *value;
     time_t                 now;
     uint32_t               hash;
+    ngx_uint_t             invalidate;
     ngx_file_info_t        fi;
     ngx_ssl_cache_key_t    id;
     ngx_ssl_cache_type_t  *type;
@@ -296,6 +297,9 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, 
ngx_pool_t *pool,
 
     *err = NULL;
 
+    invalidate = index & NGX_SSL_CACHE_INVALIDATE;
+    index &= ~NGX_SSL_CACHE_INVALIDATE;
+
     if (ngx_ssl_cache_init_key(pool, index, path, &id) != NGX_OK) {
         return NULL;
     }
@@ -319,7 +323,7 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, 
ngx_pool_t *pool,
             goto found;
         }
 
-        if (now - cn->created <= cache->valid) {
+        if (!invalidate && now - cn->created <= cache->valid) {
             goto found;
         }
 
@@ -329,7 +333,8 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, 
ngx_pool_t *pool,
 
             if (ngx_file_info(id.data, &fi) != NGX_FILE_ERROR) {
 
-                if (ngx_file_uniq(&fi) == cn->uniq
+                if (!invalidate
+                    && ngx_file_uniq(&fi) == cn->uniq
                     && ngx_file_mtime(&fi) == cn->mtime)
                 {
                     break;
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply via email to