feature: added support for OpenSSL 1.1.0.

EVP_CIPHER_CTX is opaque after OpenSSL 1.1.0.
Replace EVP_CIPHER_CTX_init and EVP_CIPHER_CTX_cleanup with
EVP_CIPHER_CTX_new and EVP_CIPHER_CTX_free.

Signed-off-by: Yichun Zhang (agentzh) <[email protected]>

Author: spacewander

.travis.yml

@@ -17,15 +17,25 @@ env:
     - LUAJIT_INC=$LUAJIT_PREFIX/include/luajit-2.1
     - LUA_INCLUDE_DIR=$LUAJIT_INC
     - LUA_CMODULE_DIR=/lib
+    - OPENSSL_PREFIX=/opt/ssl
+    - OPENSSL_LIB=$OPENSSL_PREFIX/lib
+    - OPENSSL_INC=$OPENSSL_PREFIX/include
+    - PCRE_VER=8.41
+    - PCRE_PREFIX=/opt/pcre
+    - PCRE_LIB=$PCRE_PREFIX/lib
+    - PCRE_INC=$PCRE_PREFIX/include
     - JOBS=3
     - NGX_BUILD_JOBS=$JOBS
   matrix:
-    - NGINX_VERSION=1.9.15
+    - NGINX_VERSION=1.13.6 OPENSSL_VER=1.0.2k
+    - NGINX_VERSION=1.13.6 OPENSSL_VER=1.1.0c
 
 before_install:
   - sudo apt-get install -qq -y axel cpanminus libtest-base-perl libtext-diff-perl liburi-perl libwww-perl libtest-longstring-perl liblist-moreutils-perl > build.log 2>&1 || (cat build.log && exit 1)
 
 install:
+  - if [ ! -f download-cache/pcre-$PCRE_VER.tar.gz ]; then wget -P download-cache http://ftp.cs.stanford.edu/pub/exim/pcre/pcre-$PCRE_VER.tar.gz; fi
+  - if [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz; fi
   - git clone https://github.com/openresty/nginx-devel-utils.git
   - git clone https://github.com/openresty/openresty.git ../openresty
   - git clone https://github.com/openresty/no-pool-nginx.git ../no-pool-nginx
@@ -41,6 +51,18 @@ script:
   - make -j$JOBS CCDEBUG=-g Q= PREFIX=$LUAJIT_PREFIX CC=$CC XCFLAGS='-DLUA_USE_APICHECK -DLUA_USE_ASSERT' > build.log 2>&1 || (cat build.log && exit 1)
   - sudo make install PREFIX=$LUAJIT_PREFIX > build.log 2>&1 || (cat build.log && exit 1)
   - cd ..
+  - tar zxf download-cache/pcre-$PCRE_VER.tar.gz
+  - cd pcre-$PCRE_VER/
+  - ./configure --prefix=$PCRE_PREFIX --enable-jit --enable-utf --enable-unicode-properties > build.log 2>&1 || (cat build.log && exit 1)
+  - make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
+  - sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1)
+  - cd ..
+  - tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz
+  - cd openssl-$OPENSSL_VER/
+  - ./config no-threads shared -g --prefix=$OPENSSL_PREFIX -DPURIFY > build.log 2>&1 || (cat build.log && exit 1)
+  - make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
+  - sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1)
+  - cd ..
   - cd test-nginx && sudo cpanm . && cd ..
   - export PATH=$PWD/work/nginx/sbin:$PWD/nginx-devel-utils:$PATH
   - export NGX_BUILD_CC=$CC

src/ngx_http_encrypted_session_cipher.c

@@ -21,12 +21,12 @@ static uint64_t ngx_http_encrypted_session_htonll(uint64_t n);
 
 
 ngx_int_t
-ngx_http_encrypted_session_aes_mac_encrypt(ngx_pool_t *pool, ngx_log_t *log,
-    const u_char *iv, size_t iv_len, const u_char *key, size_t key_len,
-    const u_char *in, size_t in_len, ngx_uint_t expires, u_char **dst,
-    size_t *dst_len)
+ngx_http_encrypted_session_aes_mac_encrypt(
+    ngx_http_encrypted_session_main_conf_t *emcf, ngx_pool_t *pool,
+    ngx_log_t *log, const u_char *iv, size_t iv_len, const u_char *key,
+    size_t key_len, const u_char *in, size_t in_len, ngx_uint_t expires,
+    u_char **dst, size_t *dst_len)
 {
-    EVP_CIPHER_CTX           ctx;
     const EVP_CIPHER        *cipher;
     u_char                  *p, *data;
     int                      ret;
@@ -39,7 +39,15 @@ ngx_http_encrypted_session_aes_mac_encrypt(ngx_pool_t *pool, ngx_log_t *log,
         return NGX_ERROR;
     }
 
-    EVP_CIPHER_CTX_init(&ctx);
+    if (emcf->session_ctx == NULL) {
+        emcf->session_ctx = EVP_CIPHER_CTX_new();
+        if (emcf->session_ctx == NULL) {
+            ngx_log_error(NGX_LOG_ERR, log, 0,
+                          "encrypted_session: aes_mac_encrypt: no memory");
+
+            return NGX_ERROR;
+        }
+    }
 
     cipher = EVP_aes_256_cbc();
 
@@ -53,7 +61,7 @@ ngx_http_encrypted_session_aes_mac_encrypt(ngx_pool_t *pool, ngx_log_t *log,
 
     p = ngx_palloc(pool, buf_size + data_size);
     if (p == NULL) {
-        return NGX_ERROR;
+        goto evp_error;
     }
 
     *dst = p;
@@ -83,25 +91,23 @@ ngx_http_encrypted_session_aes_mac_encrypt(ngx_pool_t *pool, ngx_log_t *log,
 
     p += MD5_DIGEST_LENGTH;
 
-    ret = EVP_EncryptInit(&ctx, cipher, key, iv);
+    ret = EVP_EncryptInit(emcf->session_ctx, cipher, key, iv);
     if (!ret) {
         goto evp_error;
     }
 
     /* encrypt the raw input data */
 
-    ret = EVP_EncryptUpdate(&ctx, p, &len, data, data_size);
+    ret = EVP_EncryptUpdate(emcf->session_ctx, p, &len, data, data_size);
     if (!ret) {
         goto evp_error;
     }
 
     p += len;
 
-    ret = EVP_EncryptFinal(&ctx, p, &len);
+    ret = EVP_EncryptFinal(emcf->session_ctx, p, &len);
 
-    /* XXX we should still explicitly release the ctx
-     * or we'll leak memory here */
-    EVP_CIPHER_CTX_cleanup(&ctx);
+    emcf->reset_cipher_ctx(emcf->session_ctx);
 
     if (!ret) {
         return NGX_ERROR;
@@ -122,18 +128,19 @@ ngx_http_encrypted_session_aes_mac_encrypt(ngx_pool_t *pool, ngx_log_t *log,
 
 evp_error:
 
-    EVP_CIPHER_CTX_cleanup(&ctx);
+    emcf->reset_cipher_ctx(emcf->session_ctx);
 
     return NGX_ERROR;
 }
 
 
 ngx_int_t
-ngx_http_encrypted_session_aes_mac_decrypt(ngx_pool_t *pool, ngx_log_t *log,
-    const u_char *iv, size_t iv_len, const u_char *key, size_t key_len,
-    const u_char *in, size_t in_len, u_char **dst, size_t *dst_len)
+ngx_http_encrypted_session_aes_mac_decrypt(
+    ngx_http_encrypted_session_main_conf_t *emcf, ngx_pool_t *pool,
+    ngx_log_t *log, const u_char *iv, size_t iv_len, const u_char *key,
+    size_t key_len, const u_char *in, size_t in_len, u_char **dst,
+    size_t *dst_len)
 {
-    EVP_CIPHER_CTX           ctx;
     const EVP_CIPHER        *cipher;
     int                      ret;
     size_t                   block_size, buf_size;
@@ -153,11 +160,19 @@ ngx_http_encrypted_session_aes_mac_decrypt(ngx_pool_t *pool, ngx_log_t *log,
 
     digest = in;
 
-    EVP_CIPHER_CTX_init(&ctx);
+    if (emcf->session_ctx == NULL) {
+        emcf->session_ctx = EVP_CIPHER_CTX_new();
+        if (emcf->session_ctx == NULL) {
+            ngx_log_error(NGX_LOG_ERR, log, 0,
+                          "encrypted_session: aes_mac_encrypt: no memory");
+
+            return NGX_ERROR;
+        }
+    }
 
     cipher = EVP_aes_256_cbc();
 
-    ret = EVP_DecryptInit(&ctx, cipher, key, iv);
+    ret = EVP_DecryptInit(emcf->session_ctx, cipher, key, iv);
     if (!ret) {
         goto evp_error;
     }
@@ -169,12 +184,12 @@ ngx_http_encrypted_session_aes_mac_decrypt(ngx_pool_t *pool, ngx_log_t *log,
 
     p = ngx_palloc(pool, buf_size);
     if (p == NULL) {
-        return NGX_ERROR;
+        goto evp_error;
     }
 
     *dst = p;
 
-    ret = EVP_DecryptUpdate(&ctx, p, &len, in + MD5_DIGEST_LENGTH,
+    ret = EVP_DecryptUpdate(emcf->session_ctx, p, &len, in + MD5_DIGEST_LENGTH,
                             in_len - MD5_DIGEST_LENGTH);
 
     if (!ret) {
@@ -184,11 +199,9 @@ ngx_http_encrypted_session_aes_mac_decrypt(ngx_pool_t *pool, ngx_log_t *log,
 
     p += len;
 
-    ret = EVP_DecryptFinal(&ctx, p, &len);
+    ret = EVP_DecryptFinal(emcf->session_ctx, p, &len);
 
-    /* XXX we should still explicitly release the ctx
-     * or we'll leak memory here */
-    EVP_CIPHER_CTX_cleanup(&ctx);
+    emcf->reset_cipher_ctx(emcf->session_ctx);
 
     if (!ret) {
         ngx_log_debug0(NGX_LOG_DEBUG_HTTP, log, 0,
@@ -250,7 +263,7 @@ ngx_http_encrypted_session_aes_mac_decrypt(ngx_pool_t *pool, ngx_log_t *log,
 
 evp_error:
 
-    EVP_CIPHER_CTX_cleanup(&ctx);
+    emcf->reset_cipher_ctx(emcf->session_ctx);
 
     return NGX_ERROR;
 }

src/ngx_http_encrypted_session_cipher.h

@@ -7,18 +7,29 @@
 #include <openssl/evp.h>
 
 
+typedef int (*cipher_ctx_reset_handle) (EVP_CIPHER_CTX *ctx);
+
+
+typedef struct {
+    EVP_CIPHER_CTX                     *session_ctx;
+    cipher_ctx_reset_handle             reset_cipher_ctx;
+} ngx_http_encrypted_session_main_conf_t;
+
+
 enum {
     ngx_http_encrypted_session_key_length = 256 / 8,
     ngx_http_encrypted_session_iv_length = EVP_MAX_IV_LENGTH
 };
 
 
-ngx_int_t ngx_http_encrypted_session_aes_mac_encrypt(ngx_pool_t *pool,
+ngx_int_t ngx_http_encrypted_session_aes_mac_encrypt(
+        ngx_http_encrypted_session_main_conf_t *emcf, ngx_pool_t *pool,
         ngx_log_t *log, const u_char *iv, size_t iv_len, const u_char *key,
         size_t key_len, const u_char *in, size_t in_len,
         ngx_uint_t expires, u_char **dst, size_t *dst_len);
 
-ngx_int_t ngx_http_encrypted_session_aes_mac_decrypt(ngx_pool_t *pool,
+ngx_int_t ngx_http_encrypted_session_aes_mac_decrypt(
+        ngx_http_encrypted_session_main_conf_t *emcf, ngx_pool_t *pool,
         ngx_log_t *log, const u_char *iv, size_t iv_len, const u_char *key,
         size_t key_len, const u_char *in, size_t in_len, u_char **dst,
         size_t *dst_len);

src/ngx_http_encrypted_session_module.c

@@ -31,6 +31,7 @@ static ngx_int_t ngx_http_set_encode_encrypted_session(ngx_http_request_t *r,
 static ngx_int_t ngx_http_set_decode_encrypted_session(ngx_http_request_t *r,
     ngx_str_t *res, ngx_http_variable_value_t *v);
 
+static void ngx_http_encrypted_session_free_cipher_ctx(void *data);
 
 static char *ngx_http_encrypted_session_key(ngx_conf_t *cf, ngx_command_t *cmd,
     void *conf);
@@ -42,6 +43,11 @@ static char *ngx_http_encrypted_session_expires(ngx_conf_t *cf,
     ngx_command_t *cmd, void *conf);
 
 
+static ngx_int_t ngx_http_encrypted_session_init(ngx_conf_t *cf);
+static void *ngx_http_encrypted_session_create_main_conf(ngx_conf_t *cf);
+static char *ngx_http_encrypted_session_init_main_conf(ngx_conf_t *cf,
+    void *conf);
+
 static void *ngx_http_encrypted_session_create_conf(ngx_conf_t *cf);
 
 static char *ngx_http_encrypted_session_merge_conf(ngx_conf_t *cf, void *parent,
@@ -116,10 +122,10 @@ static ngx_command_t  ngx_http_encrypted_session_commands[] = {
 
 static ngx_http_module_t  ngx_http_encrypted_session_module_ctx = {
     NULL,                                    /* preconfiguration */
-    NULL,                                    /* postconfiguration */
+    ngx_http_encrypted_session_init,         /* postconfiguration */
 
-    NULL,                                    /* create main configuration */
-    NULL,                                    /* init main configuration */
+    ngx_http_encrypted_session_create_main_conf, /* create main configuration */
+    ngx_http_encrypted_session_init_main_conf,   /* init main configuration */
 
     NULL,                                    /* create server configuration */
     NULL,                                    /* merge server configuration */
@@ -154,7 +160,9 @@ ngx_http_set_encode_encrypted_session(ngx_http_request_t *r,
     ngx_int_t                rc;
 
     ngx_http_encrypted_session_conf_t      *conf;
+    ngx_http_encrypted_session_main_conf_t *emcf;
 
+    emcf = ngx_http_get_module_main_conf(r, ngx_http_encrypted_session_module);
     conf = ngx_http_get_module_loc_conf(r, ngx_http_encrypted_session_module);
 
     if (conf->key == NULL) {
@@ -168,7 +176,7 @@ ngx_http_set_encode_encrypted_session(ngx_http_request_t *r,
     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                    "encrypted_session: expires=%T", conf->expires);
 
-    rc = ngx_http_encrypted_session_aes_mac_encrypt(r->pool,
+    rc = ngx_http_encrypted_session_aes_mac_encrypt(emcf, r->pool,
             r->connection->log, conf->iv, ngx_http_encrypted_session_iv_length,
             conf->key, ngx_http_encrypted_session_key_length,
             v->data, v->len, (ngx_uint_t) conf->expires, &dst, &len);
@@ -197,7 +205,9 @@ ngx_http_set_decode_encrypted_session(ngx_http_request_t *r,
     ngx_int_t                rc;
 
     ngx_http_encrypted_session_conf_t      *conf;
+    ngx_http_encrypted_session_main_conf_t *emcf;
 
+    emcf = ngx_http_get_module_main_conf(r, ngx_http_encrypted_session_module);
     conf = ngx_http_get_module_loc_conf(r, ngx_http_encrypted_session_module);
 
     if (conf->key == NULL) {
@@ -208,7 +218,7 @@ ngx_http_set_decode_encrypted_session(ngx_http_request_t *r,
         return NGX_ERROR;
     }
 
-    rc = ngx_http_encrypted_session_aes_mac_decrypt(r->pool,
+    rc = ngx_http_encrypted_session_aes_mac_decrypt(emcf, r->pool,
             r->connection->log, conf->iv, ngx_http_encrypted_session_iv_length,
             conf->key, ngx_http_encrypted_session_key_length,
             v->data, v->len, &dst, &len);
@@ -316,6 +326,69 @@ ngx_http_encrypted_session_expires(ngx_conf_t *cf, ngx_command_t *cmd,
 }
 
 
+static void
+ngx_http_encrypted_session_free_cipher_ctx(void *data)
+{
+    ngx_http_encrypted_session_main_conf_t      *emcf = data;
+
+    if (emcf->session_ctx != NULL) {
+        EVP_CIPHER_CTX_free(emcf->session_ctx);
+        emcf->session_ctx = NULL;
+    }
+}
+
+
+static ngx_int_t
+ngx_http_encrypted_session_init(ngx_conf_t *cf)
+{
+    ngx_pool_cleanup_t                        *cln;
+    ngx_http_encrypted_session_main_conf_t    *emcf;
+
+    emcf =
+        ngx_http_conf_get_module_main_conf(cf,
+                                           ngx_http_encrypted_session_module);
+
+    cln = ngx_pool_cleanup_add(cf->pool, 0);
+    if (cln == NULL) {
+        return NGX_ERROR;
+    }
+
+    cln->data = emcf;
+    cln->handler = ngx_http_encrypted_session_free_cipher_ctx;
+    return NGX_OK;
+}
+
+
+static void *
+ngx_http_encrypted_session_create_main_conf(ngx_conf_t *cf)
+{
+    ngx_http_encrypted_session_main_conf_t    *emcf;
+
+    emcf = ngx_pcalloc(cf->pool,
+                       sizeof(ngx_http_encrypted_session_main_conf_t));
+    if (emcf == NULL) {
+        return NULL;
+    }
+
+    return emcf;
+}
+
+
+static char *
+ngx_http_encrypted_session_init_main_conf(ngx_conf_t *cf, void *conf)
+{
+    ngx_http_encrypted_session_main_conf_t *emcf = conf;
+
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+    emcf->reset_cipher_ctx = EVP_CIPHER_CTX_reset;
+#else
+    emcf->reset_cipher_ctx = EVP_CIPHER_CTX_cleanup;
+#endif
+
+    return NGX_CONF_OK;
+}
+
+
 static void *
 ngx_http_encrypted_session_create_conf(ngx_conf_t *cf)
 {