Commit Graph

8032 Commits

Author SHA1 Message Date
Sergey Kandaurov
76adb91913 QUIC: improved ssl_reject_handshake error logging.
The check follows the ngx_ssl_handshake() change in 59e1c73fe02b.
2023-02-23 16:26:38 +04:00
Sergey Kandaurov
d9610b40a6 QUIC: using ngx_ssl_handshake_log(). 2023-02-23 16:17:29 +04:00
Sergey Kandaurov
5149620d6d QUIC: moved "handshake failed" reason to send_alert.
A QUIC handshake failure breaks down into several cases:
- a handshake error which leads to a send_alert call
- an error triggered by the add_handshake_data callback
- internal errors (allocation etc)

Previously, in the first case, only error code was set in the send_alert
callback.  Now the "handshake failed" reason phrase is set there as well.
In the second case, both code and reason are set by add_handshake_data.
In the last case, setting reason phrase is removed: returning NGX_ERROR
now leads to closing the connection with just INTERNAL_ERROR.

Reported by Jiuzhou Cui.
2023-02-23 16:16:56 +04:00
Sergey Kandaurov
1ccba18f00 QUIC: using NGX_QUIC_ERR_CRYPTO macro in ALPN checks.
Patch by Jiuzhou Cui.
2023-02-23 15:49:59 +04:00
Sergey Kandaurov
40af97fdec QUIC: fixed indentation. 2023-02-13 14:01:50 +04:00
Sergey Kandaurov
f36da1dfa6 README: fixed toc.
While here, updated link to mailman.
2023-02-13 13:41:35 +04:00
Sergey Kandaurov
3b57dcecaf README: updated building from sources, added directives reference. 2023-02-08 12:47:35 +04:00
Roman Arutyunyan
b7ccca0eb0 QUIC: fixed broken token in NEW_TOKEN (ticket #2446).
Previously, since 3550b00d9dc8, the token was allocated on stack, to get
rid of pool usage.  Now the token is allocated by ngx_quic_copy_buffer()
in QUIC buffers, also used for STREAM, CRYPTO and ACK frames.
2023-01-31 15:26:33 +04:00
Roman Arutyunyan
341c21c9f6 QUIC: ngx_quic_copy_buffer() function.
The function copies passed data to QUIC buffer chain and returns it.
The chain can be used in ngx_quic_frame_t data field.
2023-01-31 14:12:18 +04:00
Maxim Dounin
c3edcc17b6 QUIC: improved SO_COOKIE configure test.
In nginx source code the inttypes.h include, if available, is used to define
standard integer types.  Changed the SO_COOKIE configure test to follow this.
2023-01-24 02:57:42 +03:00
Sergey Kandaurov
b196429fbe QUIC: defer setting the active flag for client stream events.
Specifically, now it is kept unset until streams are initialized.
Notably, this unbreaks OCSP with client certificates after 35e27117b593.
Previously, the read event could be posted prematurely via ngx_quic_set_event()
e.g., as part of handling a STREAM frame.
2023-01-18 19:20:18 +04:00
Roman Arutyunyan
d76600874c QUIC: relocated ngx_quic_init_streams() for 0-RTT.
Previously, streams were initialized in early keys handler.  However, client
transport parameters may not be available by then.  This happens, for example,
when using QuicTLS.  Now streams are initialized in ngx_quic_crypto_input()
after calling SSL_do_handshake() for both 0-RTT and 1-RTT.
2023-01-10 17:24:10 +04:00
Roman Arutyunyan
0065ba68b0 HTTP/3: insert count block timeout.
Previously, there was no timeout for a request stream blocked on insert count,
which could result in infinite wait.  Now client_header_timeout is set when
stream is first blocked.
2023-01-05 19:03:22 +04:00
Roman Arutyunyan
faa655f211 HTTP/3: trigger 400 (Bad Request) on stream error while blocked.
Previously, stream was closed with NGX_HTTP_CLOSE.  However, in a similar case
when recv() returns eof or error, status 400 is triggered.
2023-01-05 18:15:46 +04:00
Roman Arutyunyan
d929470685 QUIC: set stream error flag on reset.
Now, when RESET_STREAM is sent or received, or when streams are closed,
stream connection error flag is set.  Previously, only stream state was
changed, which resulted in setting the error flag only after calling
recv()/send()/send_chain().  However, there are cases when none of these
functions is called, but it's still important to know if the stream is being
closed.  For example, when an HTTP/3 request stream is blocked on insert count,
receiving RESET_STREAM should trigger stream closure, which was not the case.

The change also fixes ngx_http_upstream_check_broken_connection() and
ngx_http_test_reading() with QUIC streams.
2023-01-10 17:42:40 +04:00
Roman Arutyunyan
77fc6b7fb9 QUIC: automatically add and never delete stream events.
Previously, stream events were added and deleted by ngx_handle_read_event() and
ngx_handle_write_event() in a way similar to level-triggered events.  However,
QUIC stream events are effectively edge-triggered and can stay active all time.
Moreover, the events are now active since the moment a stream is created.
2023-01-10 14:05:18 +04:00
Sergey Kandaurov
1fe0913fcc HTTP/3: fixed $connection_time.
Previously, start_time wasn't set for a new stream.
The fix is to derive it from the parent connection.
Also it's used to simplify tracking keepalive_time.
2023-01-10 17:59:16 +04:00
Roman Arutyunyan
d04f45ac5b HTTP/3: handled insertion reference to a going to be evicted entry.
As per RFC 9204, section 3.2.2, a new entry can reference an entry in the
dynamic table that will be evicted when adding this new entry into the dynamic
table.

Previously, such inserts resulted in use-after-free since the old entry was
evicted before the insertion (ticket #2431).  Now it's evicted after the
insertion.

This change fixes Insert with Name Reference and Duplicate encoder instructions.
2023-01-03 16:24:45 +04:00
Sergey Kandaurov
f5aa66bd30 Merged with the default branch. 2023-01-02 17:10:22 +04:00
Maxim Dounin
9c7a2c7ce4 Updated link to OpenVZ suspend/resume bug. 2022-12-21 14:53:27 +03:00
Valentin Bartenev
641368249c Fixed port ranges support in the listen directive.
Ports difference must be respected when checking addresses for duplicates,
otherwise configurations like this are broken:

  listen 127.0.0.1:6000-6005

It was broken by 4cc2bfeff46c (nginx 1.23.3).
2022-12-18 21:29:02 +03:00
BullerDu
95133893f9 Style. 2022-12-16 01:15:15 +04:00
Sergey Kandaurov
bf5dcc3fb2 Version bump. 2022-12-16 01:15:13 +04:00
Sergey Kandaurov
a1bb12e14e Merged with the default branch. 2022-12-15 19:40:44 +04:00
Maxim Dounin
8e9f7e89b8 release-1.23.3 tag 2022-12-13 18:53:53 +03:00
Maxim Dounin
307123b359 nginx-1.23.3-RELEASE 2022-12-13 18:53:53 +03:00
Maxim Dounin
3a52c79b44 Updated OpenSSL and zlib used for win32 builds. 2022-12-13 03:32:57 +03:00
Maxim Dounin
5eaa67490a Win32: event flags handling edge cases in ngx_wsarecv().
Fixed event flags handling edge cases in ngx_wsarecv() and ngx_wsarecv_chain(),
notably to always reset rev->ready in case of errors (which wasn't the case
after ngx_socket_nread() errors), and after EOF (rev->ready was not cleared
if due to a misconfiguration a zero-sized buffer was used for reading).
2022-12-01 04:22:36 +03:00
Maxim Dounin
39892c6265 SSL: fixed ngx_ssl_recv() to reset c->read->ready after errors.
With this change, behaviour of ngx_ssl_recv() now matches ngx_unix_recv(),
which used to always reset c->read->ready to 0 when returning errors.

This fixes an infinite loop in unbuffered SSL proxying if writing to the
client is blocked and an SSL error happens (ticket #2418).

With this change, the fix for a similar issue in the stream module
(6868:ee3645078759), which used a different approach of explicitly
testing c->read->error instead, is no longer needed and was reverted.
2022-12-01 04:22:31 +03:00
Maxim Dounin
a77cef0995 Removed casts from ngx_memcmp() macro.
Casts are believed to be not needed, since memcmp() has "const void *"
arguments since introduction of the "void" type in C89.  And on pre-C89
platforms nginx is unlikely to compile without warnings anyway, as there
are no casts in memcpy() and memmove() calls.

These casts were added in 1648:89a47f19b9ec without any details on why they
were added, and Igor does not remember details either.  The most plausible
explanation is that they were copied from ngx_strcmp() and were not really
needed even at that time.

Prodded by Alejandro Colomar.
2022-11-30 18:01:53 +03:00
Maxim Dounin
e8da064e0d Fixed alignment of ngx_memmove()/ngx_movemem() macro definitions. 2022-11-30 18:01:43 +03:00
Sergey Kandaurov
765ef1098d SSL: fixed debug logging of SSL_sendfile() return value. 2022-11-24 23:08:30 +04:00
Maxim Dounin
d52e568443 Fixed segfault when switching off master process during upgrade.
Binary upgrades are not supported without master process, but it is,
however, possible, that nginx running with master process is asked
to upgrade binary, and the configuration file as available on disk
at this time includes "master_process off;".

If this happens, listening sockets inherited from the previous binary
will have ls[i].previous set.  But the old cycle on initial process
startup, including startup after binary upgrade, is destroyed by
ngx_init_cycle() once configuration parsing is complete.  As a result,
an attempt to dereference ls[i].previous in ngx_event_process_init()
accesses already freed memory.

Fix is to avoid looking into ls[i].previous if the old cycle is already
freed.

With this change it is also no longer needed to clear ls[i].previous in
worker processes, so the relevant code was removed.
2022-11-23 23:48:53 +03:00
Maxim Dounin
593bb54387 Disabled cloning of sockets without master process (ticket #2403).
Cloning of listening sockets for each worker process does not make sense
when working without master process, and causes some of the connections
not to be accepted if worker_processes is set to more than one and there
are listening sockets configured with the reuseport flag.  Fix is to
disable cloning when master process is disabled.
2022-11-23 23:12:04 +03:00
Maxim Dounin
22223c75c9 Filtering duplicate addresses in listen (ticket #2400).
Due to the glibc bug[1], getaddrinfo("localhost") with AI_ADDRCONFIG
on a typical host with glibc and without IPv6 returns two 127.0.0.1
addresses, and therefore "listen localhost:80;" used to result in
"duplicate ... address and port pair" after 4f9b72a229c1.

Fix is to explicitly filter out duplicate addresses returned during
resolution of a name.

[1] https://sourceware.org/bugzilla/show_bug.cgi?id=14969
2022-11-23 17:30:08 +03:00
Roman Arutyunyan
17066ac860 Process events posted by ngx_close_idle_connections() immediately.
Previously, if an event was posted by a read event handler, called by
ngx_close_idle_connections(), that event was not processed until the next
event loop iteration, which could happen after a timeout.
2022-11-18 19:31:38 +04:00
Ciel Zhao
053e40e5d4 SSI: handling of subrequests from other modules (ticket #1263).
As the SSI parser always uses the context from the main request for storing
variables and blocks, that context should always exist for subrequests using
SSI, even though the main request does not necessarily have SSI enabled.

However, `ngx_http_get_module_ctx(r->main, ...)` is getting NULL in such cases,
resulting in the worker crashing SIGSEGV when accessing its attributes.

This patch links the first initialized context to the main request, and
upgrades it only when main context is initialized.
2022-11-21 17:01:34 +03:00
Maxim Dounin
67e2a69161 Fixed PROXY protocol to use ngx_memcpy()/ngx_memcmp(). 2022-11-08 12:48:21 +03:00
Maxim Dounin
fbe42d4631 Added logging to PROXY protocol write buffer check.
The check is not expected to fail unless there is a bug in the calling
code.  But given the check is here, it should log an alert if it fails
instead of silently closing the connection.
2022-11-08 12:48:19 +03:00
Roman Arutyunyan
7600ca0286 Increased maximum read PROXY protocol header size.
Maximum size for reading the PROXY protocol header is increased to 4096 to
accommodate a bigger number of TLVs, which are supported since cca4c8a715de.

Maximum size for writing the PROXY protocol header is not changed since only
version 1 is currently supported.
2022-11-02 13:46:16 +04:00
Roman Arutyunyan
d7483bf1af Version bump. 2022-11-03 15:52:55 +04:00
Roman Arutyunyan
36f7b31f95 HTTP/3: implement keepalive for hq.
Previously, keepalive timer was deleted in ngx_http_v3_wait_request_handler()
and set in request cleanup handler.  This worked for HTTP/3 connections, but not
for hq connections.  Now keepalive timer is deleted in
ngx_http_v3_init_request_stream() and set in connection cleanup handler,
which works both for HTTP/3 and hq.
2022-10-25 12:52:09 +04:00
Roman Arutyunyan
64ccdf4528 QUIC: application init() callback.
It's called after handshake completion or prior to the first early data stream
creation.  The callback should initialize application-level data before
creating streams.

HTTP/3 callback implementation sets keepalive timer and sends SETTINGS.

Also, this allows to limit max handshake time in ngx_http_v3_init_stream().
2022-11-30 12:51:15 +04:00
Maxim Dounin
09d5305592 release-1.23.2 tag 2022-10-19 10:56:21 +03:00
Maxim Dounin
569f417a7f nginx-1.23.2-RELEASE 2022-10-19 10:56:20 +03:00
Roman Arutyunyan
0d23105373 Mp4: disabled duplicate atoms.
Most atoms should not appear more than once in a container.  Previously,
this was not enforced by the module, which could result in worker process
crash, memory corruption and disclosure.
2022-10-19 10:53:17 +03:00
Sergey Kandaurov
35fce42269 SSL: improved validation of ssl_session_cache and ssl_ocsp_cache.
Now it properly detects invalid shared zone configuration with omitted size.
Previously it used to read outside of the buffer boundary.

Found with AddressSanitizer.
2022-10-17 16:24:53 +04:00
Sergey Kandaurov
5b23fe690f SSL: removed cast not needed after 5ffd76a9ccf3. 2022-10-13 16:18:56 +04:00
Maxim Dounin
4d61d59ae9 SSL: workaround for session timeout handling with TLSv1.3.
OpenSSL with TLSv1.3 updates the session creation time on session
resumption and keeps the session timeout unmodified, making it possible
to maintain the session forever, bypassing client certificate expiration
and revocation.  To make sure session timeouts are actually used, we
now update the session creation time and reduce the session timeout
accordingly.

BoringSSL with TLSv1.3 ignores configured session timeouts and uses a
hardcoded timeout instead, 7 days.  So we update session timeout to
the configured value as soon as a session is created.
2022-10-12 20:14:57 +03:00
Maxim Dounin
02314f0c3c SSL: optimized rotation of session ticket keys.
Instead of syncing keys with shared memory on each ticket operation,
the code now does this only when the worker is going to change expiration
of the current key, or going to switch to a new key: that is, usually
at most once per second.

To do so without races, the code maintains 3 keys: current, previous,
and next.  If a worker will switch to the next key earlier, other workers
will still be able to decrypt new tickets, since they will be encrypted
with the next key.
2022-10-12 20:14:55 +03:00