Commit Graph

8309 Commits

Author SHA1 Message Date
Sergey Kandaurov
476d6526b2 SSL: a new macro to set default protocol versions.
Some checks failed
buildbot / buildbot (push) Has been cancelled
This simplifies merging protocol values after ea15896 and ebd18ec.

Further, as outlined in ebd18ec18, for libraries preceeding TLSv1.2+
support, only meaningful versions TLSv1 and TLSv1.1 are set by default.

While here, fixed indentation.
2024-11-22 13:47:22 +04:00
Roman Arutyunyan
569948aa12 Mp4: prevent chunk index underflow.
Some checks are pending
buildbot / buildbot (push) Waiting to run
When cropping stsc atom, it's assumed that chunk index is never 0.
Based on this assumption, start_chunk and end_chunk are calculated
by subtracting 1 from it.  If chunk index is zero, start_chunk or
end_chunk may underflow, which will later trigger
"start/end time is out mp4 stco chunks" error.  The change adds an
explicit check for zero chunk index to avoid underflow and report
a proper error.

Zero chunk index is explicitly banned in ISO/IEC 14496-12, 8.7.4
Sample To Chunk Box.  It's also implicitly banned in QuickTime File
Format specification.  Description of chunk offset table references
"Chunk 1" as the first table element.
2024-11-21 16:08:48 +04:00
Roman Arutyunyan
d1a02451c3 Mp4: unordered stsc chunks error for the final chunk.
Currently an error is triggered if any of the chunk runs in stsc are
unordered.  This however does not include the final chunk run, which
ends with trak->chunks + 1.  The previous chunk index can be larger
leading to a 32-bit overflow.  This could allow to skip the validity
check "if (start_sample > n)".  This could later lead to a large
trak->start_chunk/trak->end_chunk, which would be caught later in
ngx_http_mp4_update_stco_atom() or ngx_http_mp4_update_co64_atom().

While there are no implications of the validity check being avoided,
the change still adds a check to ensure the final chunk run is ordered,
to produce a meaningful error and avoid a potential integer overflow.
2024-11-21 16:08:48 +04:00
Roman Arutyunyan
6ec099a378 Mp4: fixed handling an empty run of chunks in stsc atom.
A specially crafted mp4 file with an empty run of chunks in the stsc atom
and a large value for samples per chunk for that run, combined with a
specially crafted request, allowed to store that large value in prev_samples
and later in trak->end_chunk_samples while in ngx_http_mp4_crop_stsc_data().
Later in ngx_http_mp4_update_stsz_atom() this could result in buffer
overread while calculating trak->end_chunk_samples_size.

Now the value of samples per chunk specified for an empty run is ignored.
2024-11-21 16:08:48 +04:00
Nathan Mentze
cb1857407b Fixed missing double quote.
Some checks failed
buildbot / buildbot (push) Has been cancelled
2024-11-20 15:30:05 +04:00
Sergey Kandaurov
0ebc3242d9 SSL: error message default in object caching API.
Some checks are pending
buildbot / buildbot (push) Waiting to run
This change initializes the "err" variable, used to produce a meaningful
diagnostics on error path, to a good safe value.
2024-11-19 21:37:03 +04:00
Andy Pan
7cd60cd475 On DragonFly BSD 5.8+, TCP_KEEPIDLE and TCP_KEEPINTVL are in secs.
Some checks are pending
buildbot / buildbot (push) Waiting to run
2024-11-19 00:30:47 +04:00
Dan Callahan
36ca44f26f Fixed link to contributing guidelines.
Some checks failed
buildbot / buildbot (push) Has been cancelled
Absolute paths in links end up being rooted at github.com.
The contributing guidelines link is broken unless we use the full URL.
Also, remove superfluous "monospace formatting" for the link.
2024-11-12 07:30:08 -08:00
Sergey Kandaurov
d10bf73eba Uwsgi: added create_loc_conf comments. 2024-11-12 17:21:22 +04:00
Sergey Kandaurov
1ac6a18585 SCGI: added create_loc_conf comments. 2024-11-12 17:21:22 +04:00
Sergey Kandaurov
a5e152b3d9 FastCGI: fixed create_loc_conf comments after 05b1a8f1e. 2024-11-12 17:21:22 +04:00
蕭澧邦
ea15896c1a SSL: fixed MSVC compilation after ebd18ec181.
Some checks are pending
buildbot / buildbot (push) Waiting to run
MSVC generates a compilation error in case #if/#endif is used in a macro
parameter.
2024-11-11 22:29:55 +04:00
Mini Hawthorne
29aec5720f Upstream: copy upstream zone DNS valid time during config reload.
Previously, all upstream DNS entries would be immediately re-resolved
on config reload.  With a large number of upstreams, this creates
a spike of DNS resolution requests.  These spikes can overwhelm the
DNS server or cause drops on the network.

This patch retains the TTL of previous resolutions across reloads
by copying each upstream's name's expiry time across configuration
cycles.  As a result, no additional resolutions are needed.
2024-11-07 07:57:42 -08:00
Vladimir Homutov
ea4654550a Upstream: per-upstream resolver.
The "resolver" and "resolver_timeout" directives can now be specified
directly in the "upstream" block.
2024-11-07 07:57:42 -08:00
Ruslan Ermilov
5ebe7a4122 Upstream: pre-resolve servers on reload.
After configuration is reloaded, it may take some time for the
re-resolvable upstream servers to resolve and become available
as peers.  During this time, client requests might get dropped.

Such servers are now pre-resolved using the "cache" of already
resolved peers from the old shared memory zone.
2024-11-07 07:57:42 -08:00
Ruslan Ermilov
1524c5e3fc Core: inheritance of non-reusable shared memory zones.
When re-creating a non-reusable zone, make the pointer to the old zone
available during the new zone initialization.
2024-11-07 07:57:42 -08:00
Dmitry Volyntsev
9fe119b431 Upstream: construct upstream peers from DNS SRV records. 2024-11-07 07:57:42 -08:00
Ruslan Ermilov
db6870e06d Upstream: re-resolvable servers.
Specifying the upstream server by a hostname together with the
"resolve" parameter will make the hostname to be periodically
resolved, and upstream servers added/removed as necessary.

This requires a "resolver" at the "http" configuration block.

The "resolver_timeout" parameter also affects when the failed
DNS requests will be attempted again.  Responses with NXDOMAIN
will be attempted again in 10 seconds.

Upstream has a configuration generation number that is incremented each
time servers are added/removed to the primary/backup list.  This number
is remembered by the peer.init method, and if peer.get detects a change
in configuration, it returns NGX_BUSY.

Each server has a reference counter.  It is incremented by peer.get and
decremented by peer.free.  When a server is removed, it is removed from
the list of servers and is marked as "zombie".  The memory allocated by
a zombie peer is freed only when its reference count becomes zero.

Co-authored-by: Roman Arutyunyan <arut@nginx.com>
Co-authored-by: Sergey Kandaurov <pluknet@nginx.com>
Co-authored-by: Vladimir Homutov <vl@nginx.com>
2024-11-07 07:57:42 -08:00
Sergey Kandaurov
ebd18ec181 SSL: disabled TLSv1 and TLSv1.1 by default.
TLSv1 and TLSv1.1 are formally deprecated and forbidden to negotiate due
to insufficient security reasons outlined in RFC 8996.

TLSv1 and TLSv1.1 are disabled in BoringSSL e95b0cad9 and LibreSSL 3.8.1
in the way they cannot be enabled in nginx configuration.  In OpenSSL 3.0,
they are only permitted at security level 0 (disabled by default).

The support is dropped in Chrome 84, Firefox 78, and deprecated in Safari.

This change disables TLSv1 and TLSv1.1 by default for OpenSSL 1.0.1 and
newer, where TLSv1.2 support is available.  For older library versions,
which do not have alternatives, these protocol versions remain enabled.
2024-10-31 19:49:00 +04:00
jzebor-at-f5
f45c2707ea Updated security policy to include disclosure details. 2024-10-21 19:43:25 +04:00
Thierry Bastian
b394d44cfa Configure: MSVC compatibility with PCRE2 10.43. 2024-10-15 18:18:33 +04:00
nandsky
3f6d94d888 QUIC: prevent deleted stream frame retransmissions.
Since a2a513b93c, stream frames no longer need to be retransmitted after it
was deleted.  The frames which were retransmitted before, could be stream data
frames sent prior to a RESET_STREAM. Such retransmissions are explicitly
prohibited by RFC 9000, Section 19.4.
2024-10-08 19:55:14 +04:00
Sergey Kandaurov
144778aee6 Version bump. 2024-10-08 18:29:01 +04:00
Sergey Kandaurov
e24f7ccc16 nginx-1.27.2-RELEASE 2024-10-02 19:13:19 +04:00
Sergey Kandaurov
0e7c9ddb27 Updated OpenSSL used for win32 builds. 2024-10-02 19:13:19 +04:00
Sergey Kandaurov
5917e9de5a SSL: caching CA certificates.
This can potentially provide a large amount of savings,
because CA certificates can be quite large.

Based on previous work by Mini Hawthorne.
2024-10-01 17:59:24 +04:00
Sergey Kandaurov
61314518de SSL: caching CRLs.
Based on previous work by Mini Hawthorne.
2024-10-01 17:59:24 +04:00
Sergey Kandaurov
7ea2fb6cb1 SSL: caching certificate keys.
EVP_KEY objects are a reference-counted container for key material, shallow
copies and OpenSSL stack management aren't needed as with certificates.

Based on previous work by Mini Hawthorne.
2024-10-01 17:59:24 +04:00
Sergey Kandaurov
78ed123e71 SSL: caching certificates.
Certificate chains are now loaded once.

The certificate cache provides each chain as a unique stack of reference
counted elements.  This shallow copy is required because OpenSSL stacks
aren't reference counted.

Based on previous work by Mini Hawthorne.
2024-10-01 17:59:24 +04:00
Sergey Kandaurov
7d7e8d2cb8 SSL: object caching.
Added ngx_openssl_cache_module, which indexes a type-aware object cache.
It maps an id to a unique instance, and provides references to it, which
are dropped when the cycle's pool is destroyed.

The cache will be used in subsequent patches.

Based on previous work by Mini Hawthorne.
2024-10-01 17:59:24 +04:00
Sergey Kandaurov
f36ff3550a SSL: moved certificate storage out of exdata.
Instead of cross-linking the objects using exdata, pointers to configured
certificates are now stored in ngx_ssl_t, and OCSP staples are now accessed
with rbtree in it.  This allows sharing these objects between SSL contexts.

Based on previous work by Mini Hawthorne.
2024-10-01 17:59:24 +04:00
tzssangglass
51857ce404 Fixed a typo of bpf makefile debug option. 2024-09-24 18:58:30 +04:00
Michael Vernik
b1e07409b1 Added new primary README.md file. 2024-09-20 09:57:11 -07:00
Sergey Kandaurov
18afcda938 SSL: optional ssl_client_certificate for ssl_verify_client.
Starting from TLSv1.1 (as seen since draft-ietf-tls-rfc2246-bis-00),
the "certificate_authorities" field grammar of the CertificateRequest
message was redone to allow no distinguished names.  In TLSv1.3, with
the restructured CertificateRequest message, this can be similarly
done by optionally including the "certificate_authorities" extension.
This allows to avoid sending DNs at all.

In practice, aside from published TLS specifications, all supported
SSL/TLS libraries allow to request client certificates with an empty
DN list for any protocol version.  For instance, when operating in
TLSv1, this results in sending the "certificate_authorities" list as
a zero-length vector, which corresponds to the TLSv1.1 specification.
Such behaviour goes back to SSLeay.

The change relaxes the requirement to specify at least one trusted CA
certificate in the ssl_client_certificate directive, which resulted in
sending DNs of these certificates (closes #142).  Instead, all trusted
CA certificates can be specified now using the ssl_trusted_certificate
directive if needed.  A notable difference that certificates specified
in ssl_trusted_certificate are always loaded remains (see 3648ba7db).

Co-authored-by: Praveen Chaudhary <praveenc@nvidia.com>
2024-09-20 14:43:00 +04:00
Sergey Kandaurov
1a64c196a7 Proxy: proxy_pass_trailers directive.
The directive allows to pass upstream response trailers to client.
2024-09-13 16:47:56 +04:00
Shaikh Yaser
00637cce36 Fixed a typo in win-utf. 2024-09-06 15:35:59 +04:00
Konstantin Pavlov
042b9cc4db Added CI based on GitHub Actions.
Pushes to master and stable branches will result in buildbot-like checks
on multiple OSes and architectures.

Pull requests will be checked on a public Ubuntu GitHub runner.
2024-09-04 20:01:47 +04:00
Maryna Herasimovich
082a3cbe3b Added GitHub templates. 2024-09-04 19:11:12 +04:00
Maryna Herasimovich
da468ec0c0 Added contributing guidelines. 2024-09-03 16:28:45 +04:00
Maryna Herasimovich
3b16b46aae Added security policy. 2024-09-02 20:10:28 +04:00
Maryna Herasimovich
e73ac62294 Added Code of Conduct. 2024-09-02 17:33:50 +04:00
Roman Arutyunyan
6bb4be1a79 Removed C-style comments from LICENSE. 2024-08-30 18:06:39 +04:00
Roman Arutyunyan
863ab647cd Moved LICENSE and README to root. 2024-08-30 18:06:39 +04:00
Roman Arutyunyan
81a933e1f6 Switched GNUmakefile from hg to git. 2024-08-30 18:06:39 +04:00
Roman Arutyunyan
900f4dc48c Removed .hgtags file. 2024-08-30 18:06:39 +04:00
Sergey Kandaurov
fb89d50eeb Stream: OCSP stapling. 2024-08-22 14:57:46 +04:00
Sergey Kandaurov
581cf22673 Stream: client certificate validation with OCSP. 2024-08-22 14:57:45 +04:00
Sergey Kandaurov
48ac1ee9c6 Version bump. 2024-08-20 21:18:30 +04:00
Sergey Kandaurov
a4100450c0 release-1.27.1 tag 2024-08-12 18:21:01 +04:00
Sergey Kandaurov
e06bdbd4a2 nginx-1.27.1-RELEASE 2024-08-12 18:20:52 +04:00