SSL: ngx_ssl_set_client_hello_callback() error handling.

The function interface is changed to follow a common approach to other functions used to setup SSL_CTX, with an exception of "ngx_conf_t *cf" since it is not bound to nginx configuration. This is required to report and propagate SSL_CTX_set_ex_data() errors, as reminded by Coverity (CID 1668589).
author: Sergey Kandaurov <pluknet@nginx.com> 2025-11-06 17:30:41 +0400
committer: Sergey Kandaurov <s.kandaurov@f5.com> 2025-11-10 20:01:28 +0400
commit: 38a701d88b14f0747003c4e893d9fb13f51639ca (patch)
tree: 02b6dc521ddb85247bde8a4387402a22da2547c2 /src/event
parent: ac99f2808b9ff7bdce91b129539cb1ed30dd1458 (diff)
download: nginx-38a701d88b14f0747003c4e893d9fb13f51639ca.tar.gz
nginx-38a701d88b14f0747003c4e893d9fb13f51639ca.tar.bz2
2 files changed, 20 insertions, 7 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 5175d7a7e..4f07894ff 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1872,21 +1872,34 @@ ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
 }
 
 
-void
-ngx_ssl_set_client_hello_callback(SSL_CTX *ssl_ctx,
-    ngx_ssl_client_hello_arg *cb)
+ngx_int_t
+ngx_ssl_set_client_hello_callback(ngx_ssl_t *ssl, ngx_ssl_client_hello_arg *cb)
 {
 #ifdef SSL_CLIENT_HELLO_SUCCESS
 
-    SSL_CTX_set_client_hello_cb(ssl_ctx, ngx_ssl_client_hello_callback, NULL);
-    SSL_CTX_set_ex_data(ssl_ctx, ngx_ssl_client_hello_arg_index, cb);
+    SSL_CTX_set_client_hello_cb(ssl->ctx, ngx_ssl_client_hello_callback, NULL);
+
+    if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_client_hello_arg_index, cb) == 0)
+    {
+        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                      "SSL_CTX_set_ex_data() failed");
+        return NGX_ERROR;
+    }
 
 #elif defined OPENSSL_IS_BORINGSSL
 
     SSL_CTX_set_select_certificate_cb(ssl_ctx, ngx_ssl_select_certificate);
-    SSL_CTX_set_ex_data(ssl_ctx, ngx_ssl_client_hello_arg_index, cb);
+
+    if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_client_hello_arg_index, cb) == 0)
+    {
+        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                      "SSL_CTX_set_ex_data() failed");
+        return NGX_ERROR;
+    }
 
 #endif
+
+    return NGX_OK;
 }
 
 
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index ae0e173de..a156c4bb9 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -286,7 +286,7 @@ ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_array_t *paths);
 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
 
-void ngx_ssl_set_client_hello_callback(SSL_CTX *ssl_ctx,
+ngx_int_t ngx_ssl_set_client_hello_callback(ngx_ssl_t *ssl,
     ngx_ssl_client_hello_arg *cb);
 #ifdef SSL_CLIENT_HELLO_SUCCESS
 int ngx_ssl_client_hello_callback(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);
author	Sergey Kandaurov <pluknet@nginx.com>	2025-11-06 17:30:41 +0400
committer	Sergey Kandaurov <s.kandaurov@f5.com>	2025-11-10 20:01:28 +0400
commit	38a701d88b14f0747003c4e893d9fb13f51639ca (patch)
tree	02b6dc521ddb85247bde8a4387402a22da2547c2 /src/event
parent	ac99f2808b9ff7bdce91b129539cb1ed30dd1458 (diff)
download	nginx-38a701d88b14f0747003c4e893d9fb13f51639ca.tar.gz nginx-38a701d88b14f0747003c4e893d9fb13f51639ca.tar.bz2