Squashed 'src/deps/src/lua-resty-openssl/' changes from e56da6c5f2..a900c5f589

a900c5f589 chore(ci) on PR only run valgrind for changed files
f5526bde54 release: 1.5.1
8b66be6fed chore(tests) update openssl link
94039be57b chore(kdf) fix the outlen type to be size_t
529f0c5ad1 release: 1.5.0
1f7d7b3263 tests(*) unload provider to make valgrind happy
766955521c fix(param) fix issue when gettable schema may be overwritten by settable schema
8c366c22c7 fix(param) save converted value to prevent potential use-after-free
a0711de99c fix(x509.csr) fix potential use-after-free in set_extension and add_extension
407d31ec31 fix(x509.*) fix potential use-after-free when get or set subject_alt_name, info_access and dist_points
e0872dcfa4 chore(x509.*) use const type name
b16f759c28 fix(x509.store) fix potential use-after-free in store:verify and store:check_revocation
48ab401485 tests(ci) catch more GC corner cases
e924ee0454 fix(pkey) fix potential use-after-free in pkey.paramgen (#176)
224fae68ca fix(bn) fix potential use-after-free in bn.new (#177)
a88f1ba307 fix(x509.store) fix the string is not NUL terminated in set_purpose (#174)
d94064cc77 fix(objects): fix a buffer overflow issue in find_sigid_algs. (#175)
7d6d8b5d24 fix(asn1) correct time_t to be 64 bits type (#171)
30bc5b7f45 doc(examples) update comment for raw-sign-and-recover

git-subtree-dir: src/deps/src/lua-resty-openssl
git-subtree-split: a900c5f5897448c181dd58073e51cdeeb3fd0029
Théophile Diot 2024-08-30 11:12:37 +02:00
parent a6a40ab74b
commit 5ec058ee5a
23 changed files with 424 additions and 491 deletions


@ -136,7 +136,7 @@ jobs:
T=$OPENSSL_PREFIX
mkdir -p $T
if [ "X$OPENSSL_HASH" != "X" ]; then wget https://github.com/openssl/openssl/archive/$OPENSSL_HASH.tar.gz -qO - | tar zxf ; pushd openssl-$OPENSSL_HASH/; fi
if [ "X$OPENSSL_HASH" = "X" ] ; then wget https://www.openssl.org/source/openssl-${{ matrix.openssl }}.tar.gz -qO - | tar zxf -; pushd openssl-${{ matrix.openssl }}/; fi
if [ "X$OPENSSL_HASH" = "X" ] ; then (wget https://github.com/openssl/openssl/releases/download/openssl-${{ matrix.openssl }}/openssl-${{ matrix.openssl }}.tar.gz -qO - || wget https://openssl.org/source/old/1.1.1/openssl-${{ matrix.openssl}}.tar.gz -qO -) | tar zxf -; pushd openssl-${{ matrix.openssl }}/; fi
if [ ! -e $T/include ]; then ./config shared -d --prefix=$T -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); fi
if [ ! -e $T/include ]; then make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); fi
if [ ! -e $T/include ]; then make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); fi
@ -148,7 +148,7 @@ jobs:
run: |
T=${OPENSSL_PREFIX}.fips
mkdir -p $T
wget https://www.openssl.org/source/openssl-${{ matrix.openssl_fips }}.tar.gz -qO - | tar zxf -; pushd openssl-${{ matrix.openssl_fips }}/
wget https://github.com/openssl/openssl/releases/download/openssl-${{ matrix.openssl_fips }}/openssl-${{ matrix.openssl_fips }}.tar.gz -qO - | tar zxf -; pushd openssl-${{ matrix.openssl_fips }}
if [ -e $OPENSSL_PREFIX/lib64/ossl-modules/fips.so ]; then exit 0; fi
./config shared -d --prefix=$T -DPURIFY enable-fips > build.log 2>&1 || (cat build.log && exit 1)
make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
@ -205,22 +205,46 @@ jobs:
export CI_SKIP_KONG_SSL_FUNCS=1
TEST_NGINX_TIMEOUT=10 prove -j$JOBS t/openssl/ssl/ 2>&1
- name: Get changed files
id: changed-files
uses: tj-actions/changed-files@v44
- name: Run Valgrind
if: contains(matrix.extras, 'valgrind')
env:
ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
run: |
files_to_test=""
# if on master branches
if [ "${{ github.ref }}" == "refs/heads/master" ]; then
files_to_test="t"
else
for file in ${ALL_CHANGED_FILES}; do
mod=$(echo "$file" | grep lib/resty | sed 's|^lib/||' | sed 's|/|.|g' | sed 's|\.lua$||')
files_to_test="$files_to_test $(grep -l "${mod}\b" t/**/*.t 2>/dev/null | tr '\n' ' ' | sed 's/ $//')"
done
files_to_test=$(echo "$files_to_test" | tr ' ' '\n' | sort -u | tr '\n' ' ' | sed 's/ $//')
fi
echo "Files to run for valgrind: $files_to_test"
if [ -z "$files_to_test" ]; then return; fi
export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
export TEST_NGINX_VALGRIND='--num-callers=100 -q --tool=memcheck --leak-check=full --show-possibly-lost=no --gen-suppressions=all --suppressions=valgrind.suppress --track-origins=yes' TEST_NGINX_TIMEOUT=60 TEST_NGINX_SLEEP=1
export TEST_NGINX_USE_VALGRIND=1 TEST_NGINX_VALGRIND='--num-callers=100 -q --tool=memcheck --leak-check=full --show-possibly-lost=no --gen-suppressions=all --suppressions=valgrind.suppress --track-origins=yes' TEST_NGINX_TIMEOUT=60 TEST_NGINX_SLEEP=1
export TEST_NGINX_INIT_BY_LUA="debug.sethook(function () collectgarbage() end, 'l') jit.off()"
export PATH=$BASE_PATH/work/nginx/sbin:$PATH
stdbuf -o 0 -e 0 prove -j$JOBS -r t/ 2>&1 | grep -v "Connection refused" | grep -v "Retry connecting after" | tee output.log
stdbuf -o 0 -e 0 prove -j$JOBS -r $files_to_test 2>&1 | grep -v "Connection refused" | grep -v "Retry connecting after" | tee output.log
if grep -q 'insert_a_suppression_name_here' output.log; then echo "Valgrind found problems"; exit 1; fi
echo "Nginx SSL plain FFI"
export CI_SKIP_NGINX_C=1
stdbuf -o 0 -e 0 prove -j$JOBS t/openssl/ssl/ 2>&1 | grep -v "Connection refused" | grep -v "Retry connecting after" | tee output.log
if grep -q 'insert_a_suppression_name_here' output.log; then echo "Valgrind found problems"; exit 1; fi
export CI_SKIP_KONG_SSL_FUNCS=1
stdbuf -o 0 -e 0 prove -j$JOBS t/openssl/ssl/ 2>&1 | grep -v "Connection refused" | grep -v "Retry connecting after" | tee output.log
if grep -q 'insert_a_suppression_name_here' output.log; then echo "Valgrind found problems"; exit 1; fi
if echo "$files_to_test" | grep -q "\bt/openssl/ssl\b"; then
echo "Nginx SSL plain FFI"
export CI_SKIP_NGINX_C=1
stdbuf -o 0 -e 0 prove -j$JOBS t/openssl/ssl/ 2>&1 | grep -v "Connection refused" | grep -v "Retry connecting after" | tee output.log
if grep -q 'insert_a_suppression_name_here' output.log; then echo "Valgrind found problems"; exit 1; fi
export CI_SKIP_KONG_SSL_FUNCS=1
stdbuf -o 0 -e 0 prove -j$JOBS t/openssl/ssl/ 2>&1 | grep -v "Connection refused" | grep -v "Retry connecting after" | tee output.log
if grep -q 'insert_a_suppression_name_here' output.log; then echo "Valgrind found problems"; exit 1; fi
fi
- name: Run FIPS Test
run: |
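Review bot: `uses: tj-actions/changed-files@v44` in the new "Get changed files" step references a third-party action by a mutable tag, so the code that runs inside this job can change without any change to the workflow file; pinning it to a full commit SHA (`uses: tj-actions/changed-files@<full-commit-sha> # v44`) keeps the job on reviewed code. Separately, `if [ -z "$files_to_test" ]; then return; fi` sits at the top level of the `run:` script, where bash rejects `return` outside a function or sourced file, so a PR that touches no matching file probably fails the step instead of skipping it; `exit 0` looks like what is meant. The OpenSSL tarballs in the first two hunks are also piped straight from `wget` into `tar` with no checksum comparison.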


@ -2,6 +2,24 @@
## [Unreleased]
<a name="1.5.1"></a>
## [1.5.1] - 2024-07-25
<a name="1.5.0"></a>
## [1.5.0] - 2024-07-23
### bug fixes
- **asn1:** correct time_t to be 64 bits type ([#171](https://github.com/fffonion/lua-resty-openssl/issues/171)) [7d6d8b5](https://github.com/fffonion/lua-resty-openssl/commit/7d6d8b5d241374427da2231612e1e4552ff4cf1d)
- **bn:** fix potential use-after-free in bn.new ([#177](https://github.com/fffonion/lua-resty-openssl/issues/177)) [224fae6](https://github.com/fffonion/lua-resty-openssl/commit/224fae68ca8716fbd97a2a94d194237aaa2eaa58)
- **objects:** fix a buffer overflow issue in find_sigid_algs. ([#175](https://github.com/fffonion/lua-resty-openssl/issues/175)) [d94064c](https://github.com/fffonion/lua-resty-openssl/commit/d94064cc7754c744b325fcd2908bfce26915b76e)
- **param:** fix issue when gettable schema may be overwritten by settable schema [7669555](https://github.com/fffonion/lua-resty-openssl/commit/766955521cee5c7ed6a7e64a1439e3ca38c2f958)
- **param:** save converted value to prevent potential use-after-free [8c366c2](https://github.com/fffonion/lua-resty-openssl/commit/8c366c22c796b0b44bc49d4953084a09bcba4e6c)
- **pkey:** fix potential use-after-free in pkey.paramgen ([#176](https://github.com/fffonion/lua-resty-openssl/issues/176)) [e924ee0](https://github.com/fffonion/lua-resty-openssl/commit/e924ee0454e1d95b63f62b660d6c0090bfeabb26)
- **x509.\*:** fix potential use-after-free when get or set subject_alt_name, info_access and dist_points [407d31e](https://github.com/fffonion/lua-resty-openssl/commit/407d31ec31f2fe8cb968b1d7d140f717ef620290)
- **x509.csr:** fix potential use-after-free in set_extension and add_extension [a0711de](https://github.com/fffonion/lua-resty-openssl/commit/a0711de99cf57e6d8fa62f03abba46e02360063d)
- **x509.store:** fix potential use-after-free in store:verify and store:check_revocation [b16f759](https://github.com/fffonion/lua-resty-openssl/commit/b16f759c28ed9929d53516af34804d39f49661bf)
- **x509.store:** fix the string is not NUL terminated in set_purpose ([#174](https://github.com/fffonion/lua-resty-openssl/issues/174)) [a88f1ba](https://github.com/fffonion/lua-resty-openssl/commit/a88f1ba30761e91cc1c2ec1dda3a82f8f4898422)
<a name="1.4.0"></a>
## [1.4.0] - 2024-05-27
### bug fixes
@ -601,7 +619,9 @@
- **x509:** export pubkey [ede4f81](https://github.com/fffonion/lua-resty-openssl/commit/ede4f817cb0fe092ad6f9ab5d6ecdcde864a9fd8)
[Unreleased]: https://github.com/fffonion/lua-resty-openssl/compare/1.4.0...HEAD
[Unreleased]: https://github.com/fffonion/lua-resty-openssl/compare/1.5.1...HEAD
[1.5.1]: https://github.com/fffonion/lua-resty-openssl/compare/1.5.0...1.5.1
[1.5.0]: https://github.com/fffonion/lua-resty-openssl/compare/1.4.0...1.5.0
[1.4.0]: https://github.com/fffonion/lua-resty-openssl/compare/1.3.1...1.4.0
[1.3.1]: https://github.com/fffonion/lua-resty-openssl/compare/1.3.0...1.3.1
[1.3.0]: https://github.com/fffonion/lua-resty-openssl/compare/1.2.1...1.3.0


@ -1,5 +1,7 @@
local pkey = require("resty.openssl.pkey")
-- sign_raw and verify_recover for RSA keys
local priv = assert(pkey.new())
local pub = assert(pkey.new(priv:to_PEM("public")))
@ -17,6 +19,8 @@ local recovered = assert(pub:verify_recover(signed))
print("Recovered message: " .. recovered)
-- sign_raw and verify_raw for non RSA keys
local priv = assert(pkey.new({
type = "EC",
}))
@ -29,7 +33,5 @@ local signed = assert(priv:sign_raw(hashed))
print("Signed message: " .. ngx.encode_base64(signed))
-- same as nodejs: crypto.publicDecrypt
-- php: openssl_public_decrypt
local verified = assert(pub:verify_raw(signed, hashed, md_alg))
print("Verification result: ", verified)
print("Verification result: ", verified)


@ -24,7 +24,7 @@ try_require_modules()
local _M = {
_VERSION = '1.4.0',
_VERSION = '1.5.1',
}
function _M.load_modules()


@ -57,6 +57,7 @@ local function set_bn(ctx, s, base)
if C.BN_set_word(ctx, s) ~= 1 then
return nil, format_error("set_bn")
end
return ctx
elseif type(s) == 'string' then
if not base or base == 10 then
return set_dec(ctx, s)
@ -65,7 +66,7 @@ local function set_bn(ctx, s, base)
elseif base == 2 then
return set_binary(ctx, s)
elseif base == 0 then
ctx = set_mpi(ctx, s)
return set_mpi(ctx, s)
else
return nil, "set_bn: unsupported base: " .. base
end
@ -73,14 +74,18 @@ local function set_bn(ctx, s, base)
return nil, "set_bn: expect nil, a number or a string at #1"
end
return ctx
-- fall through
return ctx
end
function _M.new(some, base)
local ctx = C.BN_new()
ffi_gc(ctx, C.BN_free)
local ctx, err = set_bn(ctx, some, base)
-- local ctx, err = set_bn(ctx, some, base)
-- The above expression set ctx to a new cdata return by
-- set_bn, the origin cdata would be GC at any time.
local _, err = set_bn(ctx, some, base)
if err then
return nil, "bn.new: " .. err
end
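Review bot: `C.BN_new()` in `_M.new` is passed to `ffi_gc` and then to `set_bn` with no NULL check in between, so an allocation failure would reach `BN_set_word` and the other setters with a null pointer. A guard such as `if ctx == nil then return nil, "bn.new: BN_new() failed" end` before `ffi_gc(ctx, C.BN_free)` would close that. The new comment explaining why the return value is discarded would be clearer if it said that the `BN_free` finalizer is attached to the original cdata, so rebinding `ctx` drops the only reference to it. The body of `_M.new` continues past the end of this hunk.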


@ -18,7 +18,7 @@ ffi.cdef [[
ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai);
BIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn);
typedef int time_t;
typedef long time_t;
ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t);
int ASN1_INTEGER_set(ASN1_INTEGER *a, long v);
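Review bot: `typedef long time_t;` is 64 bits only on LP64 targets; on 64-bit Windows `long` is 32 bits while the C runtime's `time_t` is normally 64, so the declaration can still disagree with the library there. If only LP64 platforms are supported, a comment next to the typedef would record that, e.g. `-- time_t declared as long: matches the C ABI on LP64 targets only`; otherwise the cdef needs a per-platform branch. The `ffi.cdef` block starts and ends outside this hunk.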


@ -124,7 +124,7 @@ local options_schema = {
scrypt_p = { TYPE_NUMBER, nil, NID_id_scrypt },
}
local outlen = ctypes.ptr_of_uint64()
local outlen = ctypes.ptr_of_size_t()
function _M.derive(options)
local typ = options.type
@ -337,7 +337,7 @@ function _M:derive(outlen, options, options_count)
end
if self.buf_size and outlen then
return nil, string.format("kdf:derive: this KDF has fixed output size %d, "..
return nil, string.format("kdf:derive: this KDF has fixed output size %d, "..
"it can't be set manually", self.buf_size)
end
@ -374,4 +374,4 @@ function _M:reset()
return true
end
return _M
return _M


@ -57,7 +57,7 @@ local function txtnid2nid(txt_nid)
end
local function find_sigid_algs(nid)
local out = ffi.new("int[0]")
local out = ffi.new("int[1]")
if C.OBJ_find_sigid_algs(nid, out, nil) == 0 then
return 0, "objects.find_sigid_algs: invalid sigid " .. nid
end
@ -71,4 +71,4 @@ return {
txtnid2nid = txtnid2nid,
find_sigid_algs = find_sigid_algs,
create = C.OBJ_create,
}
}
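Review bot: The one-element buffer in `find_sigid_algs` carries no comment saying why its size matters, which makes the zero-length form easy to reintroduce in a later cleanup. A line such as `-- OBJ_find_sigid_algs stores the digest NID through this pointer, so it needs room for one int` above `ffi.new("int[1]")` would record it. The rest of the function lies outside the hunk.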


@ -20,17 +20,23 @@ local OSSL_PARAM_OCTET_PTR = 7
local alter_type_key = {}
local buf_param_key = {}
local buf_anchor_key = {}
local function construct(buf_t, length, types_map, types_size)
if not length then
length = nkeys(buf_t)
end
local params = ffi_new("OSSL_PARAM[?]", length + 1)
local i = 0
local buf_param
local buf_param, buf_anchored
for key, value in pairs(buf_t) do
if key == buf_anchor_key then
goto continue
end
local typ = types_map[key]
if not typ then
return nil, "param:construct: unknown key \"" .. key .. "\""
@ -69,28 +75,38 @@ local function construct(buf_t, length, types_map, types_size)
ffi_new("unsigned int[1]")
param = C.OSSL_PARAM_construct_uint(key, buf)
elseif typ == OSSL_PARAM_UTF8_STRING then
buf = value and ffi_cast("char *", value) or buf
buf = value ~= nil and ffi_cast("char *", value) or buf
param = C.OSSL_PARAM_construct_utf8_string(key, buf, value and #value or size)
elseif typ == OSSL_PARAM_OCTET_STRING then
buf = value and ffi_cast("char *", value) or buf
buf = value ~= nil and ffi_cast("char *", value) or buf
param = C.OSSL_PARAM_construct_octet_string(key, ffi_cast("void*", buf),
value and #value or size)
elseif typ == OSSL_PARAM_UTF8_PTR then
elseif typ == OSSL_PARAM_UTF8_PTR then -- out only
buf = ffi_new("char*[1]")
param = C.OSSL_PARAM_construct_utf8_ptr(key, buf, 0)
elseif typ == OSSL_PARAM_OCTET_PTR then
elseif typ == OSSL_PARAM_OCTET_PTR then -- out only
buf = ffi_new("char*[1]")
param = C.OSSL_PARAM_construct_octet_ptr(key, ffi_cast("void**", buf), 0)
else
error("type " .. typ .. " is not yet implemented")
end
if not value then -- out
if value == nil then -- out
buf_t[key] = buf
else -- in
-- save value as OSSL_PARAM_construct_* doesn't copy the value
buf_anchored = buf_anchored or {}
buf_anchored[key] = buf
end
params[i] = param
i = i + 1
::continue::
end
buf_t[buf_anchor_key] = buf_anchored
buf_t[buf_param_key] = buf_param
params[length] = C.OSSL_PARAM_construct_end()
@ -112,7 +128,8 @@ local function parse(buf_t, length, types_map, types_size)
if C.OSSL_PARAM_get_BN(param, bn_t) ~= 1 then
return nil, format_error("param:parse: OSSL_PARAM_get_BN")
end
buf_t[key] = bn_lib.dup(bn_t[0])
buf_t[key] = assert(bn_lib.dup(bn_t[0]))
C.BN_free(bn_t[0])
elseif typ == OSSL_PARAM_INTEGER or
typ == OSSL_PARAM_UNSIGNED_INTEGER then
buf_t[key] = tonumber(buf[0])
@ -228,7 +245,7 @@ local function get_params_func(typ, field)
local cf_set = C[typ .. "_set_params"]
local set = function(self, params)
if not param_maps_set[self[field]] then
local ok, err = self:settable_params()
local ok, err = self:settable_params(true) -- only query raw schema to save memory
if not ok then
return false, typ_lower .. ":set_params: " .. err
end
@ -249,8 +266,8 @@ local function get_params_func(typ, field)
local cf_gettable = C[typ .. "_gettable_params"]
local gettable = function(self, raw)
local k = self[field]
if raw and param_maps_set[k] then
return param_maps_set[k]
if raw and param_maps_get[k] then
return param_maps_get[k]
end
local param = cf_gettable(self.ctx)
@ -261,7 +278,7 @@ local function get_params_func(typ, field)
end
local schema, schema_reabale = {}, raw and nil or {}
parse_params_schema(param, schema, schema_reabale)
param_maps_set[k] = schema
param_maps_get[k] = schema
return raw and schema or schema_reabale
end
@ -270,12 +287,12 @@ local function get_params_func(typ, field)
local get_buffer, get_size_map = {}, {}
local get = function(self, key, want_size, want_type)
if not param_maps_get[self[field]] then
local ok, err = self:gettable_params()
local ok, err = self:gettable_params(true) -- only query raw schema to save memory
if not ok then
return false, typ_lower .. ":set_params: " .. err
end
end
local schema = param_maps_set[self[field]]
local schema = param_maps_get[self[field]]
if schema == nil or not schema[key] then -- nil or null
return nil, typ_lower .. ":get_param: unknown key \"" .. key .. "\""
end
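Review bot: In `parse`, `buf_t[key] = assert(bn_lib.dup(bn_t[0]))` raises a Lua error if the duplicate fails, which skips the `C.BN_free(bn_t[0])` on the next line and departs from the `nil, err` returns used around it. Assuming `bn_lib.dup` returns `nil` plus a message like the other helpers, freeing before the check keeps both: `local bn, err = bn_lib.dup(bn_t[0])`, `C.BN_free(bn_t[0])`, `if not bn then return nil, "param:parse: " .. err end`. Also in this section, the `get` closure still reports `typ_lower .. ":set_params: "` when `gettable_params(true)` fails, which looks copied from `set`; `":get_param: "` would match the message a few lines below. Both functions extend beyond the visible hunks.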


@ -1060,7 +1060,10 @@ function _M.paramgen(config)
return nil, format_error("pkey.paramgen: EVP_PKEY_get0_{key}")
end
return bio_util.read_wrap(write_func, ctx)
-- since ctx is always a internal pointer inside of params (a EVP_PKEY*), thus avoid use tail call
-- here to avoid using `ctx` after `params` is GC collected.
local res, err = bio_util.read_wrap(write_func, ctx)
return res, err
end
return _M


@ -121,7 +121,7 @@ function _M.dup(ctx)
end
return setmetatable({
cast = ffi_cast("GENERAL_NAMES*", dup_ctx),
cast = ffi_cast(general_names_ptr_ct, dup_ctx),
ctx = dup_ctx,
-- don't let lua gc the original stack to keep its elements
_dupped_from = ctx,


@ -168,6 +168,15 @@ local function get_extension(ctx, nid_txt, last_pos)
return nil, nil, format_error("X509v3_get_ext")
end
-- the extension is not duplicated when returned by X509v3_get_ext
-- so we need to copy it
ctx = C.X509_EXTENSION_dup(ctx)
if ctx == nil then
return nil, nil, "X509_EXTENSION_dup() failed"
end
ffi_gc(ctx, C.X509_EXTENSION_free)
return ctx, ext_idx, nil
end
@ -190,13 +199,14 @@ end
local function modify_extension(replace, ctx, nid, toset, crit)
local extensions_ptr = stack_ptr_type()
extensions_ptr[0] = C.X509_REQ_get_extensions(ctx)
local need_cleanup = extensions_ptr[0] ~= nil and
local extension = C.X509_REQ_get_extensions(ctx)
extensions_ptr[0] = extension
local need_cleanup = extension ~= nil and
-- extensions_ptr being nil is fine: it may just because there's no extension yet
-- https://github.com/openssl/openssl/commit/2039ac07b401932fa30a05ade80b3626e189d78a
-- introduces a change that a empty stack instead of NULL will be returned in no extension
-- is found. so we need to double check the number if it's not NULL.
C.OPENSSL_sk_num(extensions_ptr[0]) > 0
C.OPENSSL_sk_num(extension) > 0
local flag
if replace then
@ -208,12 +218,12 @@ local function modify_extension(replace, ctx, nid, toset, crit)
end
local code = C.X509V3_add1_i2d(extensions_ptr, nid, toset, crit and 1 or 0, flag)
-- when the stack is newly allocated, we want to cleanup the newly created stack as well
-- setting the gc handler here as it's mutated in X509V3_add1_i2d if it's pointing to NULL
ffi_gc(extensions_ptr[0], x509_extensions_gc)
if code ~= 1 then
return false, format_error("X509V3_add1_i2d", code)
end
-- when the stack is newly allocated, we want to cleanup the newly created stack as well
-- setting the gc handler here as it's mutated in X509V3_add1_i2d if it's pointing to NULL
ffi_gc(extension, x509_extensions_gc)
if need_cleanup then
-- cleanup old attributes
@ -224,7 +234,7 @@ local function modify_extension(replace, ctx, nid, toset, crit)
end
end
code = C.X509_REQ_add_extensions(ctx, extensions_ptr[0])
code = C.X509_REQ_add_extensions(ctx, extension)
if code ~= 1 then
return false, format_error("X509_REQ_add_extensions", code)
end
@ -250,7 +260,9 @@ function _M:add_extension(extension)
local nid = extension:get_object().nid
local toset = extension_lib.to_data(extension, nid)
return add_extension(self.ctx, nid, toset.ctx, extension:get_critical())
-- avoid tail call return as `toset.ctx` may got GC'ed early
local ok, err = add_extension(self.ctx, nid, toset.ctx, extension:get_critical())
return ok, err
end
function _M:set_extension(extension)
@ -260,7 +272,9 @@ function _M:set_extension(extension)
local nid = extension:get_object().nid
local toset = extension_lib.to_data(extension, nid)
return replace_extension(self.ctx, nid, toset.ctx, extension:get_critical())
-- avoid tail call return as `toset.ctx` may got GC'ed early
local ok, err = replace_extension(self.ctx, nid, toset.ctx, extension:get_critical())
return ok, err
end
function _M:set_extension_critical(nid_txt, crit, last_pos)
@ -277,7 +291,9 @@ function _M:set_extension_critical(nid_txt, crit, last_pos)
local toset = extension_lib.to_data({
ctx = extension
}, nid)
return replace_extension(self.ctx, nid, toset.ctx, crit and 1 or 0)
-- avoid tail call return as `toset.ctx` may got GC'ed early
local ok, err = replace_extension(self.ctx, nid, toset.ctx, crit and 1 or 0)
return ok, err
end
function _M:get_extension_critical(nid_txt, last_pos)
@ -430,8 +446,8 @@ function _M:get_subject_alt_name()
-- since there seems no way to increase ref count for a GENERAL_NAME
-- we left the elements referenced by the new-dup'ed stack
local got_ref = got
ffi_gc(got_ref, stack_lib.gc_of("GENERAL_NAME"))
got = ffi_cast("GENERAL_NAMES*", got_ref)
ffi_gc(got, stack_lib.gc_of("GENERAL_NAME"))
local lib = require("resty.openssl.x509.altname")
-- the internal ptr is returned, ie we need to copy it
return lib.dup(got)
@ -444,7 +460,9 @@ function _M:set_subject_alt_name(toset)
return false, "x509.csr:set_subject_alt_name: expect a x509.altname instance at #1"
end
toset = toset.ctx
return replace_extension(self.ctx, NID_subject_alt_name, toset)
-- avoid tail call return as `toset.ctx` may got GC'ed early
local ok, err = replace_extension(self.ctx, NID_subject_alt_name, toset)
return ok, err
end
-- AUTO GENERATED: EXTENSIONS
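Review bot: In `modify_extension`, `extension` is read once before `X509V3_add1_i2d`, yet the comment kept in the hunk says that call replaces `extensions_ptr[0]` when it was NULL; in that case `ffi_gc(extension, x509_extensions_gc)` and `C.X509_REQ_add_extensions(ctx, extension)` would still see the NULL pointer, and the newly allocated stack would be neither attached nor freed. Re-reading it after the success check, `if extension == nil then extension = extensions_ptr[0] end`, keeps a single cdata for the finalizer while covering the freshly allocated case. The `ffi_gc` call also now sits after the `code ~= 1` return, so a failed `X509V3_add1_i2d` leaves the stack from `X509_REQ_get_extensions` without a finalizer. Both paths depend on what `X509_REQ_get_extensions` returns for a request with no extensions, so this is worth confirming against the OpenSSL versions in the CI matrix.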


@ -204,6 +204,7 @@ end
local NID_subject_alt_name = C.OBJ_sn2nid("subjectAltName")
assert(NID_subject_alt_name ~= 0)
local sk_GENERAL_NAME_free = stack_lib.gc_of("GENERAL_NAME")
function _M.to_data(extension, nid)
if not _M.istype(extension) then
@ -221,8 +222,8 @@ function _M.to_data(extension, nid)
-- Note: here we only free the stack itself not elements
-- since there seems no way to increase ref count for a GENERAL_NAME
-- we left the elements referenced by the new-dup'ed stack
ffi_gc(void_ptr, stack_lib.gc_of("GENERAL_NAME"))
local got = ffi_cast("GENERAL_NAMES*", void_ptr)
ffi_gc(got, sk_GENERAL_NAME_free)
local lib = require("resty.openssl.x509.altname")
-- the internal ptr is returned, ie we need to copy it
return lib.dup(got)


@ -66,7 +66,7 @@ function _M.dup(ctx)
return setmetatable({
ctx = dup_ctx,
cast = ffi_cast("AUTHORITY_INFO_ACCESS*", dup_ctx),
cast = ffi_cast(authority_info_access_ptr_ct, dup_ctx),
-- don't let lua gc the original stack to keep its elements
_dupped_from = ctx,
_is_shallow_copy = true,


@ -688,8 +688,8 @@ function _M:get_subject_alt_name()
-- since there seems no way to increase ref count for a GENERAL_NAME
-- we left the elements referenced by the new-dup'ed stack
local got_ref = got
ffi_gc(got_ref, stack_lib.gc_of("GENERAL_NAME"))
got = ffi_cast("GENERAL_NAMES*", got_ref)
ffi_gc(got, stack_lib.gc_of("GENERAL_NAME"))
local lib = require("resty.openssl.x509.altname")
-- the internal ptr is returned, ie we need to copy it
return lib.dup(got)
@ -742,8 +742,8 @@ function _M:get_issuer_alt_name()
-- since there seems no way to increase ref count for a GENERAL_NAME
-- we left the elements referenced by the new-dup'ed stack
local got_ref = got
ffi_gc(got_ref, stack_lib.gc_of("GENERAL_NAME"))
got = ffi_cast("GENERAL_NAMES*", got_ref)
ffi_gc(got, stack_lib.gc_of("GENERAL_NAME"))
local lib = require("resty.openssl.x509.altname")
-- the internal ptr is returned, ie we need to copy it
return lib.dup(got)
@ -887,8 +887,8 @@ function _M:get_info_access()
-- since there seems no way to increase ref count for a ACCESS_DESCRIPTION
-- we left the elements referenced by the new-dup'ed stack
local got_ref = got
ffi_gc(got_ref, stack_lib.gc_of("ACCESS_DESCRIPTION"))
got = ffi_cast("AUTHORITY_INFO_ACCESS*", got_ref)
ffi_gc(got, stack_lib.gc_of("ACCESS_DESCRIPTION"))
local lib = require("resty.openssl.x509.extension.info_access")
-- the internal ptr is returned, ie we need to copy it
return lib.dup(got)
@ -941,8 +941,8 @@ function _M:get_crl_distribution_points()
-- since there seems no way to increase ref count for a DIST_POINT
-- we left the elements referenced by the new-dup'ed stack
local got_ref = got
ffi_gc(got_ref, stack_lib.gc_of("DIST_POINT"))
got = ffi_cast("OPENSSL_STACK*", got_ref)
ffi_gc(got, stack_lib.gc_of("DIST_POINT"))
local lib = require("resty.openssl.x509.extension.dist_points")
-- the internal ptr is returned, ie we need to copy it
return lib.dup(got)


@ -140,7 +140,7 @@ function _M:set_purpose(purpose)
return nil, "x509.store:set_purpose: expect a string at #1"
end
local pchar = ffi.new("char[?]", #purpose, purpose)
local pchar = ffi.new("char[?]", #purpose + 1, purpose)
local idx = C.X509_PURPOSE_get_by_sname(pchar)
idx = tonumber(idx)
@ -217,7 +217,10 @@ function _M:verify(x509, chain, return_chain, properties, verify_method, flags)
return true, nil
end
local ret_chain_ctx = C.X509_STORE_CTX_get0_chain(ctx)
return chain_lib.dup(ret_chain_ctx)
-- returns the internal pointer, dup it and avoid tail call return
-- to avoid ctx being GC'ed early
local res, err = chain_lib.dup(ret_chain_ctx)
return res, err
elseif code == 0 then -- unverified
local vfy_code = C.X509_STORE_CTX_get_error(ctx)
@ -250,7 +253,12 @@ function _M:check_revocation(verified_chain, properties)
return nil, format_error("x509.store:check_revocation: X509_STORE_CTX_init")
end
C.X509_STORE_CTX_set0_verified_chain(ctx, verified_chain.ctx)
local verified_dup = C.X509_chain_up_ref(verified_chain.ctx)
if verified_dup == nil then
return nil, "x509.store:check_revocation: X509_chain_up_ref() failed"
end
C.X509_STORE_CTX_set0_verified_chain(ctx, verified_dup)
-- enables CRL checking for the certificate chain leaf certificate.
-- An error occurs if a suitable CRL cannot be found.
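Review bot: The reason for `X509_chain_up_ref` in `check_revocation` is not recorded next to it, and the ownership rule is what makes the change correct. A comment such as `-- set0 hands ownership of the chain to ctx, so pass an up-ref'd copy and leave verified_chain.ctx owned by its Lua object` above the call would keep a later cleanup from passing `verified_chain.ctx` directly again. The early `return nil, ...` added for a failed up_ref leaves `ctx` as initialised by `X509_STORE_CTX_init`; whether it is released elsewhere is not visible in this hunk.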


@ -1,8 +1,8 @@
package = "lua-resty-openssl"
version = "1.4.0-1"
version = "1.5.1-1"
source = {
url = "git+https://github.com/fffonion/lua-resty-openssl.git",
tag = "1.4.0"
tag = "1.5.1"
}
description = {
detailed = "FFI-based OpenSSL binding for LuaJIT.",


@ -215,7 +215,9 @@ function _M:set_{{ f.field }}(toset)
return true
{%- else %}
{%- if modname == "x509.csr" %}
return replace_extension(self.ctx, NID_{{ f.field }}, toset)
-- avoid tail call return as `toset.ctx` may got GC'ed early
local ok, err = replace_extension(self.ctx, NID_{{ f.field }}, toset)
return ok, err
{%- else %}
-- x509v3.h: # define X509V3_ADD_REPLACE 2L
if C.X509_add1_ext_i2d(self.ctx, NID_{{ f.field }}, toset, 0, 0x2) ~= 1 then


@ -124,8 +124,8 @@ Tp+h/rnQjL05vAwjx8+RppBa2EWrAxO+wSN6ucTInUf2luC5dmtQNmb3DQ==
-- since there seems no way to increase ref count for a GENERAL_NAME
-- we left the elements referenced by the new-dup'ed stack
local got_ref = got
ffi_gc(got_ref, stack_lib.gc_of("GENERAL_NAME"))
got = ffi_cast("GENERAL_NAMES*", got_ref)''',
got = ffi_cast("GENERAL_NAMES*", got_ref)
ffi_gc(got, stack_lib.gc_of("GENERAL_NAME"))''',
},
{
@ -139,8 +139,8 @@ Tp+h/rnQjL05vAwjx8+RppBa2EWrAxO+wSN6ucTInUf2luC5dmtQNmb3DQ==
-- since there seems no way to increase ref count for a GENERAL_NAME
-- we left the elements referenced by the new-dup'ed stack
local got_ref = got
ffi_gc(got_ref, stack_lib.gc_of("GENERAL_NAME"))
got = ffi_cast("GENERAL_NAMES*", got_ref)''',
got = ffi_cast("GENERAL_NAMES*", got_ref)
ffi_gc(got, stack_lib.gc_of("GENERAL_NAME"))''',
},
{
@ -161,8 +161,8 @@ Tp+h/rnQjL05vAwjx8+RppBa2EWrAxO+wSN6ucTInUf2luC5dmtQNmb3DQ==
-- since there seems no way to increase ref count for a ACCESS_DESCRIPTION
-- we left the elements referenced by the new-dup'ed stack
local got_ref = got
ffi_gc(got_ref, stack_lib.gc_of("ACCESS_DESCRIPTION"))
got = ffi_cast("AUTHORITY_INFO_ACCESS*", got_ref)''',
got = ffi_cast("AUTHORITY_INFO_ACCESS*", got_ref)
ffi_gc(got, stack_lib.gc_of("ACCESS_DESCRIPTION"))''',
},
{
@ -175,8 +175,8 @@ Tp+h/rnQjL05vAwjx8+RppBa2EWrAxO+wSN6ucTInUf2luC5dmtQNmb3DQ==
-- since there seems no way to increase ref count for a DIST_POINT
-- we left the elements referenced by the new-dup'ed stack
local got_ref = got
ffi_gc(got_ref, stack_lib.gc_of("DIST_POINT"))
got = ffi_cast("OPENSSL_STACK*", got_ref)''',
got = ffi_cast("OPENSSL_STACK*", got_ref)
ffi_gc(got, stack_lib.gc_of("DIST_POINT"))''',
},
]
}


@ -60,8 +60,8 @@ cwIDAQAB
-- since there seems no way to increase ref count for a GENERAL_NAME
-- we left the elements referenced by the new-dup'ed stack
local got_ref = got
ffi_gc(got_ref, stack_lib.gc_of("GENERAL_NAME"))
got = ffi_cast("GENERAL_NAMES*", got_ref)''',
got = ffi_cast("GENERAL_NAMES*", got_ref)
ffi_gc(got, stack_lib.gc_of("GENERAL_NAME"))''',
},
]
}


@ -29,9 +29,10 @@ __DATA__
--- config
location =/t {
content_by_lua_block {
local p
if require("resty.openssl.version").OPENSSL_3X then
local pro = require "resty.openssl.provider"
myassert(pro.load("legacy"))
p = myassert(pro.load("legacy"))
end
local pkcs12 = require "resty.openssl.pkcs12"
@ -42,6 +43,10 @@ __DATA__
ngx.say(r.key:get_parameters().d:to_hex())
ngx.say(r.cert:get_serial_number():to_hex())
if p then
myassert(p:unload())
end
}
}
--- request
@ -59,9 +64,10 @@ __DATA__
--- config
location =/t {
content_by_lua_block {
local p
if require("resty.openssl.version").OPENSSL_3X then
local pro = require "resty.openssl.provider"
myassert(pro.load("legacy"))
p = myassert(pro.load("legacy"))
end
local pkcs12 = require "resty.openssl.pkcs12"
@ -75,6 +81,10 @@ __DATA__
local r, err = pkcs12.decode(pp)
ngx.say(r == nil)
ngx.say(err)
if p then
myassert(p:unload())
end
}
}
--- request
@ -95,9 +105,10 @@ pkcs12.decode.+mac verify failure.*
--- config
location =/t {
content_by_lua_block {
local p
if require("resty.openssl.version").OPENSSL_3X then
local pro = require "resty.openssl.provider"
myassert(pro.load("legacy"))
p = myassert(pro.load("legacy"))
end
local pkcs12 = require "resty.openssl.pkcs12"
@ -133,6 +144,10 @@ pkcs12.decode.+mac verify failure.*
cert = cert,
}))
ngx.say(#r)
if p then
myassert(p:unload())
end
}
}
--- request
@ -153,9 +168,10 @@ pkcs12.decode.+mac verify failure.*
--- config
location =/t {
content_by_lua_block {
local p
if require("resty.openssl.version").OPENSSL_3X then
local pro = require "resty.openssl.provider"
myassert(pro.load("legacy"))
p = myassert(pro.load("legacy"))
end
local pkcs12 = require "resty.openssl.pkcs12"
@ -183,6 +199,10 @@ pkcs12.decode.+mac verify failure.*
local r, err = pkcs12.decode(p12, "extrapassword")
ngx.say(r == nil)
ngx.say(err)
if p then
myassert(p:unload())
end
}
}
--- request
@ -205,9 +225,10 @@ pkcs12.decode.+mac verify failure.*
--- config
location =/t {
content_by_lua_block {
local p
if require("resty.openssl.version").OPENSSL_3X then
local pro = require "resty.openssl.provider"
myassert(pro.load("legacy"))
p = myassert(pro.load("legacy"))
end
local pkcs12 = require "resty.openssl.pkcs12"
@ -221,6 +242,10 @@ pkcs12.decode.+mac verify failure.*
cacerts = { ca1, ca2 }
}, "test-pkcs12")
ngx.say(r == nil, err)
if p then
myassert(p:unload())
end
}
}
--- request


@ -137,6 +137,7 @@ true
local p = myassert(pro.load("default"))
local a = assert(p:get_params("name", "version", "buildinfo", "status"))
ngx.say(encode_sorted_json(a))
myassert(p:unload())
}
}
--- request


@ -1,109 +1,8 @@
{
<insert_a_suppression_name_here>
Memcheck:Cond
fun:str_fastcmp
fun:lj_str_new
fun:lua_pushlstring
fun:emptybuffer
fun:luaL_pushresult
fun:luaL_gsub
fun:ngx_http_lua_set_path.isra.7.constprop.21
fun:ngx_http_lua_new_state
fun:ngx_http_lua_init_vm
fun:ngx_http_lua_init
fun:ngx_http_block
fun:ngx_conf_handler
fun:ngx_conf_parse
fun:ngx_init_cycle
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Param
write(buf)
fun:__write_nocancel
fun:ngx_log_error_core
fun:ngx_resolver_read_response
}
{
<insert_a_suppression_name_here>
Memcheck:Cond
fun:ngx_sprintf_num
fun:ngx_vslprintf
fun:ngx_log_error_core
fun:ngx_resolver_read_response
fun:ngx_epoll_process_events
fun:ngx_process_events_and_timers
fun:ngx_single_process_cycle
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Addr1
fun:ngx_vslprintf
fun:ngx_snprintf
fun:ngx_sock_ntop
fun:ngx_event_accept
}
{
<insert_a_suppression_name_here>
Memcheck:Param
write(buf)
fun:__write_nocancel
fun:ngx_log_error_core
fun:ngx_resolver_read_response
fun:ngx_event_process_posted
fun:ngx_process_events_and_timers
fun:ngx_single_process_cycle
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Cond
fun:ngx_sprintf_num
fun:ngx_vslprintf
fun:ngx_log_error_core
fun:ngx_resolver_read_response
fun:ngx_event_process_posted
fun:ngx_process_events_and_timers
fun:ngx_single_process_cycle
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
fun:ngx_alloc
obj:*
}
{
<insert_a_suppression_name_here>
exp-sgcheck:SorG
fun:ngx_http_lua_ndk_set_var_get
}
{
<insert_a_suppression_name_here>
exp-sgcheck:SorG
fun:ngx_http_variables_init_vars
fun:ngx_http_block
}
{
<insert_a_suppression_name_here>
exp-sgcheck:SorG
fun:ngx_conf_parse
}
{
<insert_a_suppression_name_here>
exp-sgcheck:SorG
fun:ngx_vslprintf
fun:ngx_log_error_core
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
fun:ngx_alloc
fun:ngx_calloc
fun:ngx_event_process_init
}
{
@ -111,258 +10,7 @@
Memcheck:Param
epoll_ctl(event)
fun:epoll_ctl
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
fun:ngx_alloc
fun:ngx_event_process_init
}
{
<insert_a_suppression_name_here>
Memcheck:Cond
fun:ngx_conf_flush_files
fun:ngx_single_process_cycle
}
{
<insert_a_suppression_name_here>
Memcheck:Cond
fun:memcpy
fun:ngx_vslprintf
fun:ngx_log_error_core
fun:ngx_http_charset_header_filter
}
{
<insert_a_suppression_name_here>
Memcheck:Param
socketcall.setsockopt(optval)
fun:setsockopt
fun:drizzle_state_connect
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
fun:ngx_alloc
fun:ngx_pool_cleanup_add
}
{
<insert_a_suppression_name_here>
Memcheck:Cond
fun:ngx_conf_flush_files
fun:ngx_single_process_cycle
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
fun:ngx_alloc
fun:ngx_palloc_large
fun:ngx_palloc
fun:ngx_array_push
fun:ngx_http_get_variable_index
fun:ngx_http_memc_add_variable
fun:ngx_http_memc_init
fun:ngx_http_block
fun:ngx_conf_parse
fun:ngx_init_cycle
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
fun:ngx_alloc
fun:ngx_event_process_init
fun:ngx_single_process_cycle
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
fun:ngx_alloc
fun:ngx_crc32_table_init
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
fun:ngx_alloc
fun:ngx_event_process_init
fun:ngx_worker_process_init
fun:ngx_worker_process_cycle
fun:ngx_spawn_process
fun:ngx_start_worker_processes
fun:ngx_master_process_cycle
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
fun:ngx_alloc
fun:ngx_palloc_large
fun:ngx_palloc
fun:ngx_pcalloc
fun:ngx_hash_init
fun:ngx_http_variables_init_vars
fun:ngx_http_block
fun:ngx_conf_parse
fun:ngx_init_cycle
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
fun:ngx_alloc
fun:ngx_palloc_large
fun:ngx_palloc
fun:ngx_pcalloc
fun:ngx_http_upstream_drizzle_create_srv_conf
fun:ngx_http_upstream
fun:ngx_conf_parse
fun:ngx_http_block
fun:ngx_conf_parse
fun:ngx_init_cycle
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
fun:ngx_alloc
fun:ngx_palloc_large
fun:ngx_palloc
fun:ngx_pcalloc
fun:ngx_hash_keys_array_init
fun:ngx_http_variables_add_core_vars
fun:ngx_http_core_preconfiguration
fun:ngx_http_block
fun:ngx_conf_parse
fun:ngx_init_cycle
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
fun:ngx_alloc
fun:ngx_palloc_large
fun:ngx_palloc
fun:ngx_array_push
fun:ngx_hash_add_key
fun:ngx_http_add_variable
fun:ngx_http_echo_add_variables
fun:ngx_http_echo_handler_init
fun:ngx_http_block
fun:ngx_conf_parse
fun:ngx_init_cycle
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
fun:ngx_alloc
fun:ngx_palloc_large
fun:ngx_palloc
fun:ngx_pcalloc
fun:ngx_http_upstream_drizzle_create_srv_conf
fun:ngx_http_core_server
fun:ngx_conf_parse
fun:ngx_http_block
fun:ngx_conf_parse
fun:ngx_init_cycle
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
fun:ngx_alloc
fun:ngx_palloc_large
fun:ngx_palloc
fun:ngx_pcalloc
fun:ngx_http_upstream_drizzle_create_srv_conf
fun:ngx_http_block
fun:ngx_conf_parse
fun:ngx_init_cycle
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
fun:ngx_alloc
fun:ngx_palloc_large
fun:ngx_palloc
fun:ngx_array_push
fun:ngx_hash_add_key
fun:ngx_http_variables_add_core_vars
fun:ngx_http_core_preconfiguration
fun:ngx_http_block
fun:ngx_conf_parse
fun:ngx_init_cycle
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
fun:ngx_alloc
fun:ngx_palloc_large
fun:ngx_palloc
fun:ngx_pcalloc
fun:ngx_init_cycle
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
fun:ngx_alloc
fun:ngx_palloc_large
fun:ngx_palloc
fun:ngx_hash_init
fun:ngx_http_upstream_init_main_conf
fun:ngx_http_block
fun:ngx_conf_parse
fun:ngx_init_cycle
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
fun:ngx_alloc
fun:ngx_palloc_large
fun:ngx_palloc
fun:ngx_pcalloc
fun:ngx_http_drizzle_keepalive_init
fun:ngx_http_upstream_drizzle_init
fun:ngx_http_upstream_init_main_conf
fun:ngx_http_block
fun:ngx_conf_parse
fun:ngx_init_cycle
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
fun:malloc
fun:ngx_alloc
fun:ngx_palloc_large
fun:ngx_palloc
fun:ngx_hash_init
fun:ngx_http_variables_init_vars
fun:ngx_http_block
fun:ngx_conf_parse
fun:ngx_init_cycle
fun:main
fun:ngx_epoll_add_event
}
{
<insert_a_suppression_name_here>
@ -377,6 +25,49 @@
fun:_dl_sysdep_start
fun:_dl_start
}
{
<insert_a_suppression_name_here>
Memcheck:Param
epoll_ctl(event)
fun:epoll_ctl
fun:ngx_epoll_init
fun:ngx_event_process_init
}
{
<insert_a_suppression_name_here>
Memcheck:Param
epoll_ctl(event)
fun:epoll_ctl
fun:ngx_epoll_notify_init
fun:ngx_epoll_init
fun:ngx_event_process_init
}
{
<insert_a_suppression_name_here>
Memcheck:Param
epoll_ctl(event)
fun:epoll_ctl
fun:ngx_epoll_add_connection
fun:ngx_event_connect_peer
}
{
<insert_a_suppression_name_here>
Memcheck:Param
epoll_ctl(event)
fun:epoll_ctl
fun:ngx_epoll_test_rdhup
}
{
<insert_a_suppression_name_here>
Memcheck:Param
epoll_pwait(sigmask)
fun:epoll_pwait
}
{
<insert_a_suppression_name_here>
Memcheck:Cond
obj:*
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
@ -394,77 +85,193 @@
fun:ngx_alloc
fun:ngx_set_environment
fun:ngx_worker_process_init
fun:ngx_worker_process_cycle
}
{
<insert_a_suppression_name_here>
Memcheck:Param
sendmsg(msg.msg_iov[0])
fun:__sendmsg_nocancel
fun:ngx_write_channel
fun:ngx_pass_open_channel
fun:ngx_start_worker_processes
}
{
<insert_a_suppression_name_here>
Memcheck:Param
sendmsg(msg.msg_iov[0])
fun:__sendmsg_nocancel
fun:ngx_write_channel
fun:ngx_pass_open_channel
fun:ngx_start_cache_manager_processes
}
{
<insert_a_suppression_name_here>
Memcheck:Param
sendmsg(msg.msg_iov[0])
fun:__sendmsg_nocancel
fun:ngx_write_channel
fun:ngx_pass_open_channel
fun:ngx_start_privileged_agent_processes
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
match-leak-kinds: definite
fun:malloc
fun:CRYPTO_zalloc
fun:SSL_SESSION_new
fun:ssl_get_new_session
fun:tls_construct_client_hello
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
match-leak-kinds: definite
fun:malloc
fun:ssl_session_dup
fun:tls_process_new_session_ticket
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
match-leak-kinds: definite
fun:malloc
fun:ngx_alloc
fun:ngx_event_process_init
fun:ngx_worker_process_init
fun:CRYPTO_malloc
fun:ssl_session_dup
fun:tls_process_new_session_ticket
fun:ossl_statem_client_process_message
fun:read_state_machine
fun:state_machine
fun:ossl_statem_connect
fun:ssl3_read_bytes
fun:ssl3_read_internal
fun:ssl3_read
fun:ssl_read_internal
fun:SSL_read
fun:ngx_ssl_recv
fun:ngx_http_upstream_process_header
fun:ngx_http_upstream_handler
fun:ngx_epoll_process_events
fun:ngx_process_events_and_timers
fun:ngx_single_process_cycle
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
match-leak-kinds: definite
fun:malloc
fun:CRYPTO_malloc
fun:CRYPTO_zalloc
fun:SSL_SESSION_new
fun:ssl_get_new_session
fun:tls_construct_client_hello
fun:write_state_machine
fun:state_machine
fun:ossl_statem_connect
fun:SSL_do_handshake
fun:ngx_ssl_handshake
fun:ngx_http_upstream_ssl_init_connection
fun:ngx_http_upstream_send_request_handler
fun:ngx_http_upstream_handler
fun:ngx_epoll_process_events
fun:ngx_process_events_and_timers
fun:ngx_single_process_cycle
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Addr1
fun:ngx_http_lua_ngx_echo
fun:ngx_http_lua_ngx_say
fun:lj_BC_FUNCC
fun:lua_resume
fun:ngx_http_lua_run_thread
fun:ngx_http_lua_content_by_chunk
fun:ngx_http_lua_content_handler_inline
fun:ngx_http_lua_content_handler
fun:ngx_http_core_content_phase
fun:ngx_http_core_run_phases
fun:ngx_http_handler
fun:ngx_http_process_request
fun:ngx_http_process_request_headers
fun:ngx_http_process_request_line
fun:ngx_http_wait_request_handler
fun:ngx_epoll_process_events
fun:ngx_process_events_and_timers
fun:ngx_single_process_cycle
Memcheck:Leak
match-leak-kinds: definite
fun:malloc
fun:CRYPTO_malloc
fun:CRYPTO_zalloc
fun:evp_md_new
fun:evp_md_from_algorithm
fun:construct_evp_method
fun:ossl_method_construct_this
fun:algorithm_do_map
fun:algorithm_do_this
fun:ossl_provider_doall_activated
fun:ossl_algorithm_do_all
fun:ossl_method_construct
fun:inner_evp_generic_fetch
fun:evp_generic_fetch
fun:EVP_MD_fetch
fun:ssl_evp_md_fetch
fun:ssl_load_ciphers
fun:SSL_CTX_new_ex
fun:SSL_CTX_new
fun:ngx_ssl_create
fun:ngx_http_lua_set_ssl
fun:ngx_http_lua_merge_loc_conf
fun:ngx_http_merge_servers
fun:ngx_http_block
fun:ngx_conf_handler
fun:ngx_conf_parse
fun:ngx_init_cycle
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Param
writev(vector[...])
fun:writev
fun:ngx_writev
fun:ngx_linux_sendfile_chain
fun:ngx_http_write_filter
fun:ngx_http_chunked_body_filter
fun:ngx_http_gzip_body_filter
fun:ngx_http_postpone_filter
fun:ngx_http_ssi_body_filter
fun:ngx_http_charset_body_filter
fun:ngx_http_trailers_filter
fun:ngx_http_lua_capture_body_filter
fun:ngx_output_chain
fun:ngx_http_copy_filter
fun:ngx_http_range_body_filter
fun:ngx_http_output_filter
fun:ngx_http_send_special
fun:ngx_http_lua_send_special
fun:ngx_http_lua_send_chain_link
fun:ngx_http_lua_run_thread
fun:ngx_http_lua_content_by_chunk
fun:ngx_http_lua_content_handler_inline
fun:ngx_http_lua_content_handler
fun:ngx_http_core_content_phase
fun:ngx_http_core_run_phases
fun:ngx_http_handler
fun:ngx_http_process_request
fun:ngx_http_process_request_headers
fun:ngx_http_process_request_line
fun:ngx_http_wait_request_handler
fun:ngx_epoll_process_events
fun:ngx_process_events_and_timers
fun:ngx_single_process_cycle
Memcheck:Leak
match-leak-kinds: definite
fun:malloc
fun:CRYPTO_malloc
fun:CRYPTO_zalloc
fun:evp_cipher_new
fun:evp_cipher_from_algorithm
fun:construct_evp_method
fun:ossl_method_construct_this
fun:algorithm_do_map
fun:algorithm_do_this
fun:ossl_provider_doall_activated
fun:ossl_algorithm_do_all
fun:ossl_method_construct
fun:inner_evp_generic_fetch
fun:evp_generic_fetch
fun:EVP_CIPHER_fetch
fun:ssl_evp_cipher_fetch
fun:ssl_load_ciphers
fun:SSL_CTX_new_ex
fun:SSL_CTX_new
fun:ngx_ssl_create
fun:ngx_http_lua_set_ssl
fun:ngx_http_lua_merge_loc_conf
fun:ngx_http_merge_servers
fun:ngx_http_block
fun:ngx_conf_handler
fun:ngx_conf_parse
fun:ngx_init_cycle
fun:main
}
{
<insert_a_suppression_name_here>
Memcheck:Leak
match-leak-kinds: definite
fun:malloc
fun:CRYPTO_malloc
fun:CRYPTO_zalloc
fun:provider_new
fun:provider_activate_fallbacks
fun:ossl_provider_doall_activated
fun:ossl_algorithm_do_all
fun:ossl_method_construct
fun:inner_evp_generic_fetch
fun:evp_generic_fetch
fun:EVP_CIPHER_fetch
fun:ssl_evp_cipher_fetch
fun:ssl_load_ciphers
fun:SSL_CTX_new_ex
fun:SSL_CTX_new
fun:ngx_ssl_create
fun:ngx_http_lua_set_ssl
fun:ngx_http_lua_merge_loc_conf
fun:ngx_http_merge_servers
fun:ngx_http_block
fun:ngx_conf_handler
fun:ngx_conf_parse
fun:ngx_init_cycle
fun:main
}
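Review bot: The `Memcheck:Cond` entry whose only frame is `obj:*` (in the `-377,6 +25,49` hunk of this suppressions file) matches every conditional-jump-on-uninitialised-value report regardless of where it originates, so the valgrind run can no longer flag uninitialised reads in the library's own FFI paths. This update consists largely of use-after-free fixes that appear to rely on that run, so I would scope the entry to the frames that actually produce the noise (a named `fun:` frame or a specific `obj:` path) rather than a bare wildcard. Every entry also keeps the generated name `<insert_a_suppression_name_here>`, so valgrind's used-suppressions listing cannot show which rule fired; descriptive names would make later pruning possible.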