Commit Graph

8156 Commits

Author SHA1 Message Date
Roman Arutyunyan
a2a513b93c QUIC: defer stream removal until all its data is acked.
Previously, stream was kept alive until all its data is sent.  This resulted
in disabling retransmission of final part of stream when QUIC connection
was closed right after closing stream connection.
2022-08-22 15:33:23 +04:00
Roman Arutyunyan
dc82bed893 QUIC: reusable mode for main connection.
The connection is automatically switched to this mode by transport layer when
there are no non-cancelable streams.  Currently, cancelable streams are
HTTP/3 encoder/decoder/control streams.
2022-11-29 17:46:46 +04:00
Roman Arutyunyan
a89167c247 QUIC: post close event for connection close.
Previously, close event was used only for close timeout, while read event was
used for posting connection close.
2022-09-07 19:25:13 +04:00
Roman Arutyunyan
62b928a45f QUIC: made ngx_quic_finalize_connecion() more graceful.
Previously, ngx_quic_finalize_connection() closed the connection with NGX_ERROR
code, which resulted in immediate connection closure.  Now the code is NGX_OK,
which provides a more graceful shutdown with a timeout.
2022-08-22 15:28:51 +04:00
Roman Arutyunyan
d3fb12d77f QUIC: treat qc->error == -1 as a missing error.
Previously, zero was used for this purpose.  However, NGX_QUIC_ERR_NO_ERROR is
zero too.  As a result, NGX_QUIC_ERR_NO_ERROR was changed to
NGX_QUIC_ERR_INTERNAL_ERROR when closing a QUIC connection.
2022-09-07 12:37:15 +04:00
Sergey Kandaurov
d3294e61d5 QUIC: fixed computation of nonce with packet numbers beyond 2^32.
Prodded by Yu Zhu.
2022-11-25 15:56:33 +04:00
Jiuzhou Cui
7d73c50a2d HTTP/3: fixed build without NGX_PCRE (broken by 0f5fc7a320db). 2022-11-25 15:07:23 +08:00
Roman Arutyunyan
b015d4965e QUIC: fixed triggering stream read event (ticket #2409).
If a client packet carrying a stream data frame is not acked due to packet loss,
the stream data is retransmitted later by client.  It's also possible that the
retransmitted range is bigger than before due to more stream data being
available by then.  If the original data was read out by the application,
there would be no read event triggered by the retransmitted frame, even though
it contains new data.
2022-11-23 18:50:26 +04:00
Sergey Kandaurov
bc79d773f9 QUIC: fixed C4334 MSVC warning about 32 to 64 bits conversion. 2022-11-22 18:05:37 +04:00
Sergey Kandaurov
fd0b558ac8 QUIC: plug MSVC warning about potentially uninitialized variable. 2022-11-22 18:05:37 +04:00
Sergey Kandaurov
885f50f773 Added shutdown macros for win32 required for QUIC. 2022-11-22 18:05:36 +04:00
Sergey Kandaurov
553eb6a168 QUIC: fixed C4389 MSVC warning about signed/unsigned mismatch. 2022-11-22 18:05:36 +04:00
Sergey Kandaurov
499dbd28be QUIC: avoid using C99 designated initializers.
They are not supported by MSVC till 2012.

SSL_QUIC_METHOD initialization is moved to run-time to preserve portability
among SSL library implementations, which allows to reduce its visibility.
Note using of a static storage to keep SSL_set_quic_method() reference valid.
2022-11-22 18:05:35 +04:00
Sergey Kandaurov
44a901c9e0 QUIC: moved variable declaration to fix build with MSVC 2010.
Previously, ngx_quic_hkdf_t variables used declaration with assignment
in the middle of a function, which is not supported by MSVC 2010.
Fixing this also required to rewrite the ngx_quic_hkdf_set macro
and to switch to an explicit array size.
2022-11-22 18:05:35 +04:00
Sergey Kandaurov
84a51e4de1 QUIC: fixed C4706 warnings with MSVC 2010.
The fix is to avoid assignments within conditional expression.
2022-11-22 18:05:34 +04:00
Sergey Kandaurov
36d80a5269 HTTP/3: fixed server_name regex captures (ticket #2407).
Previously, HTTP/3 stream connection didn't inherit the servername regex
from the main QUIC connection saved when processing SNI and using regular
expressions in server names.  As a result, it didn't execute to set regex
captures when choosing the virtual server while parsing HTTP/3 headers.
2022-11-22 14:10:04 +04:00
Roman Arutyunyan
0da7526615 Set default listen socket type in http.
The type field was added in 7999d3fbb765 at early stages of QUIC implementation
and was not initialized for default listen.  Missing initialization resulted in
default listen socket creation error.
2022-11-01 17:00:35 +04:00
Sergey Kandaurov
3123fac3e7 Merged with the default branch. 2022-10-20 16:41:36 +04:00
Sergey Kandaurov
3cd06a3a9a README: converted to passive voice, LibreSSL support. 2022-10-20 16:30:43 +04:00
Sergey Kandaurov
34500dcac3 QUIC: removed compatibility with older BoringSSL API.
SSL_CIPHER_get_protocol_id() appeared in BoringSSL somewhere between
BORINGSSL_API_VERSION 12 and 13 for compatibility with OpenSSL 1.1.1.
It was adopted without a proper macro test, which remained unnoticed.
This justifies that such old BoringSSL API isn't widely used and its
support can be dropped.

While here, removed SSL_set_quic_use_legacy_codepoint() that became
useless after the default was flipped in BoringSSL over a year ago.
2022-10-20 16:21:07 +04:00
Sergey Kandaurov
ce65faea95 QUIC: support for setting QUIC methods with LibreSSL.
Setting QUIC methods is converted to use C99 designated initializers
for simplicity, as LibreSSL 3.6.0 has different SSL_QUIC_METHOD layout.

Additionally, only set_read_secret/set_write_secret callbacks are set.
Although they are preferred in LibreSSL over set_encryption_secrets,
better be on a safe side as LibreSSL has unexpectedly incompatible
set_encryption_secrets calling convention expressed in passing read
and write secrets split in separate calls, unlike this is documented
in old BoringSSL sources.  To avoid introducing further changes for
the old API, it is simply disabled.
2022-10-20 16:21:06 +04:00
Sergey Kandaurov
1ad1b85feb QUIC: using SSL_set_quic_early_data_enabled() only with QuicTLS.
This function is present in QuicTLS only.  After SSL_READ_EARLY_DATA_SUCCESS
became visible in LibreSSL together with experimental QUIC API, this required
to revise the conditional compilation test to use more narrow macros.
2022-10-20 16:21:06 +04:00
Sergey Kandaurov
00468d71bf QUIC: using native TLSv1.3 cipher suite constants.
After BoringSSL aligned[1] with OpenSSL on TLS1_3_CK_* macros, and
LibreSSL uses OpenSSL naming, our own variants can be dropped now.
Compatibility is preserved with libraries that lack these macros.

Additionally, transition to SSL_CIPHER_get_id() fixes build error
with LibreSSL that doesn't implement SSL_CIPHER_get_protocol_id().

[1] https://boringssl.googlesource.com/boringssl/+/dfddbc4ded
2022-10-20 16:21:05 +04:00
Sergey Kandaurov
fcba3d1458 QUIC: "info" logging level on insufficient client connection ids.
Apparently, this error is reported on NAT rebinding if client didn't
previously send NEW_CONNECTION_ID to supply additional connection ids.
2022-09-30 17:24:47 +04:00
Sergey Kandaurov
e9051af79d README: updated the current status. 2022-09-12 18:37:36 +04:00
Murilo Andrade
4a4572ff4a SSL: logging level of "bad record type" errors.
The SSL_R_BAD_RECORD_TYPE ("bad record type") errors are reported by
OpenSSL 1.1.1 or newer when using TLSv1.3 if the client sends a record
with unknown or unexpected type.  These errors are now logged at the
"info" level.
2022-08-09 17:13:46 -03:00
Maxim Dounin
d87d0f82ca Version bump. 2022-08-30 01:52:51 +03:00
Roman Arutyunyan
5cde1259b2 HTTP/3: skip empty request body buffers (ticket #2374).
When client DATA frame header and its content come in different QUIC packets,
it may happen that only the header is processed by the first
ngx_http_v3_request_body_filter() call.  In this case an empty request body
buffer is added to r->request_body->bufs, which is later reused in a
subsequent ngx_http_v3_request_body_filter() call without being removed from
the body chain.  As a result, rb->request_body->bufs ends up with two copies of
the same buffer.

The fix is to avoid adding empty request body buffers to r->request_body->bufs.
2022-08-03 16:59:51 +04:00
Maxim Dounin
f7ea8c76b5 release-1.23.1 tag 2022-07-19 17:05:27 +03:00
Maxim Dounin
25706769d6 nginx-1.23.1-RELEASE 2022-07-19 17:05:27 +03:00
Maxim Dounin
32e7811014 Updated OpenSSL used for win32 builds. 2022-07-19 17:03:30 +03:00
Maxim Dounin
39b84d7a52 Events: fixed EPOLLRDHUP with FIONREAD (ticket #2367).
When reading exactly rev->available bytes, rev->available might become 0
after FIONREAD usage introduction in efd71d49bde0.  On the next call of
ngx_readv_chain() on systems with EPOLLRDHUP this resulted in return without
any actions, that is, with rev->ready set, and this in turn resulted in no
timers set in event pipe, leading to socket leaks.

Fix is to reset rev->ready in ngx_readv_chain() when returning due to
rev->available being 0 with EPOLLRDHUP, much like it is already done in
ngx_unix_recv().  This ensures that if rev->available will become 0, on
systems with EPOLLRDHUP support appropriate EPOLLRDHUP-specific handling
will happen on the next ngx_readv_chain() call.

While here, also synced ngx_readv_chain() to match ngx_unix_recv() and
reset rev->ready when returning due to rev->available being 0 with kqueue.
This is mostly cosmetic change, as rev->ready is anyway reset when
rev->available is set to 0.
2022-07-15 15:19:32 +03:00
Maxim Dounin
f35475c083 Range filter: clearing of pre-existing Content-Range headers.
Some servers might emit Content-Range header on 200 responses, and this
does not seem to contradict RFC 9110: as per RFC 9110, the Content-Range
header has no meaning for status codes other than 206 and 416.  Previously
this resulted in duplicate Content-Range headers in nginx responses handled
by the range filter.  Fix is to clear pre-existing headers.
2022-07-15 07:01:44 +03:00
Sergey Kandaurov
14341ce237 Resolver: fixed memory leak for the "ipv4=off" case.
This change partially reverts 2a77754cd9fe to properly free rn->query.

Found by Coverity (CID 1507244).
2022-07-14 21:26:54 +04:00
Ruslan Ermilov
5178da4f94 The "ipv4=" parameter of the "resolver" directive.
When set to "off", only IPv6 addresses will be resolved, and no
A queries are ever sent (ticket #2196).
2022-07-12 21:44:02 +04:00
Maxim Dounin
ea46b22dfb SSL: logging levels of various errors added in OpenSSL 1.1.1.
Starting with OpenSSL 1.1.1, various additional errors can be reported
by OpenSSL in case of client-related issues, most notably during TLSv1.3
handshakes.  In particular, SSL_R_BAD_KEY_SHARE ("bad key share"),
SSL_R_BAD_EXTENSION ("bad extension"), SSL_R_BAD_CIPHER ("bad cipher"),
SSL_R_BAD_ECPOINT ("bad ecpoint").  These are now logged at the "info"
level.
2022-07-12 15:55:22 +03:00
Maxim Dounin
d791b4aab4 Upstream: optimized use of SSL contexts (ticket #1234).
To ensure optimal use of memory, SSL contexts for proxying are now
inherited from previous levels as long as relevant proxy_ssl_* directives
are not redefined.

Further, when no proxy_ssl_* directives are redefined in a server block,
we now preserve plcf->upstream.ssl in the "http" section configuration
to inherit it to all servers.

Similar changes made in uwsgi, grpc, and stream proxy.
2022-06-29 02:47:45 +03:00
Maxim Dounin
225a2c1b4a Version bump. 2022-06-29 02:47:38 +03:00
Maxim Dounin
1009f5586c release-1.23.0 tag 2022-06-21 17:25:37 +03:00
Maxim Dounin
2d2d0829a9 nginx-1.23.0-RELEASE 2022-06-21 17:25:36 +03:00
Maxim Dounin
35c2d7a75e Updated OpenSSL used for win32 builds. 2022-06-21 17:09:34 +03:00
Maxim Dounin
295f5b28ae Misc: win32 sources now preserved in release tarballs.
This makes it possible to build nginx under Windows from release tarballs
instead of using source code repository.
2022-06-20 19:30:50 +03:00
Gena Makhomed
ecdbd06617 Contrib: vim syntax, update core and 3rd party module directives.
List of 3rd party modules github repositories are obtained from
https://github.com/freebsd/freebsd-ports/blob/main/www/nginx-devel/Makefile.extmod
2022-06-18 15:54:40 +03:00
Sergey Kandaurov
21506a2f85 Perl: removed unused variables, forgotten in ef6a3a99a81a. 2022-06-14 10:39:58 +04:00
Aleksei Bavshin
f2fcc03d3a Resolver: make TCP write timer event cancelable.
Similar to 70e65bf8dfd7, the change is made to ensure that the ability to
cancel resolver tasks is fully controlled by the caller.  As mentioned in the
referenced commit, it is safe to make this timer cancelable because resolve
tasks can have their own timeouts that are not cancelable.

The scenario where this may become a problem is a periodic background resolve
task (not tied to a specific request or a client connection), which receives a
response with short TTL, large enough to warrant fallback to a TCP query.
With each event loop wakeup, we either have a previously set write timer
instance or schedule a new one.  The non-cancelable write timer can delay or
block graceful shutdown of a worker even if the ngx_resolver_ctx_t->cancelable
flag is set by the API user, and there are no other tasks or connections.

We use the resolver API in this way to maintain the list of upstream server
addresses specified with the 'resolve' parameter, and there could be third-party
modules implementing similar logic.
2022-06-01 20:17:23 -07:00
Vladimir Homutov
30ff077854 QUIC: avoided pool usage in token calculation. 2022-05-31 11:05:22 +04:00
Vladimir Homutov
664cb29f52 QUIC: removed ngx_quic_keys_new().
The ngx_quic_keys_t structure is now exposed.
2022-07-27 17:31:16 +04:00
Vladimir Homutov
93c21be4d6 QUIC: avoided pool usage in ngx_quic_protection.c. 2022-07-27 17:16:40 +04:00
Vladimir Homutov
16bb8459d0 QUIC: fixed-length buffers for secrets. 2022-07-27 17:15:33 +04:00
Sergey Kandaurov
41421e6e55 Merged with the default branch. 2022-07-26 19:54:11 +04:00