An IV should be generated for each encryption

rcosnita · rcosnita · commit 88e92d6cd531 · 2020-10-28T20:49:23.000+02:00
We now have the ability to decide if the IV is communicated to the client in a non forgeable manner or we only keep it on the server side. Closes openresty#2
diff --git a/src/ngx_http_encrypted_session_module.c b/src/ngx_http_encrypted_session_module.c
@@ -21,7 +21,7 @@ typedef struct {
     u_char              *key;
     u_char              *iv;
     time_t               expires;
-
+    ngx_flag_t          iv_in_content;
 } ngx_http_encrypted_session_conf_t;
 
 
@@ -42,6 +42,8 @@ static char *ngx_http_encrypted_session_iv(ngx_conf_t *cf, ngx_command_t *cmd,
 static char *ngx_http_encrypted_session_expires(ngx_conf_t *cf,
     ngx_command_t *cmd, void *conf);
 
+static char *ngx_http_encrypted_iv_in_content(ngx_conf_t *cf,
+    ngx_command_t *cmd, void *conf);
 
 static ngx_int_t ngx_http_encrypted_session_init(ngx_conf_t *cf);
 static void *ngx_http_encrypted_session_create_main_conf(ngx_conf_t *cf);
@@ -53,7 +55,6 @@ static void *ngx_http_encrypted_session_create_conf(ngx_conf_t *cf);
 static char *ngx_http_encrypted_session_merge_conf(ngx_conf_t *cf, void *parent,
     void *child);
 
-
 static  ndk_set_var_t  ngx_http_set_encode_encrypted_session_filter = {
     NDK_SET_VAR_VALUE,
     (void *) ngx_http_set_encode_encrypted_session,
@@ -115,7 +116,14 @@ static ngx_command_t  ngx_http_encrypted_session_commands[] = {
         0,
         &ngx_http_set_decode_encrypted_session_filter
     },
-
+    { ngx_string("include_iv_in_encrypted_payload"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_SIF_CONF
+      |NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_NOARGS,
+      ngx_http_encrypted_iv_in_content,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      0,
+      NULL
+    },
     ngx_null_command
 };
 
@@ -360,6 +368,13 @@ ngx_http_encrypted_session_expires(ngx_conf_t *cf, ngx_command_t *cmd,
     return NGX_CONF_OK;
 }
 
+static char *ngx_http_encrypted_iv_in_content(ngx_conf_t *cf,
+   ngx_command_t *cmd, void *conf)
+{
+   ngx_http_encrypted_session_conf_t  *llcf = conf;
+   llcf->iv_in_content = 1;
+   return NGX_CONF_OK;
+}
 
 static void
 ngx_http_encrypted_session_free_cipher_ctx(void *data)
@@ -437,6 +452,7 @@ ngx_http_encrypted_session_create_conf(ngx_conf_t *cf)
     conf->key     = NGX_CONF_UNSET_PTR;
     conf->iv      = NGX_CONF_UNSET_PTR;
     conf->expires = NGX_CONF_UNSET;
+    conf->iv_in_content = NGX_CONF_UNSET;
 
     return conf;
 }
@@ -455,6 +471,7 @@ ngx_http_encrypted_session_merge_conf(ngx_conf_t *cf, void *parent, void *child)
 
     ngx_conf_merge_value(conf->expires, prev->expires,
                          ngx_http_encrypted_session_default_expires);
+    ngx_conf_merge_value(conf->iv_in_content, prev->iv_in_content, 0);
 
     return NGX_CONF_OK;
 }
