Commit Graph

8032 Commits

Author SHA1 Message Date
Maxim Dounin
1d572e359a SSL: automatic rotation of session ticket keys.
As long as ssl_session_cache in shared memory is configured, session ticket
keys are now automatically generated in shared memory, and rotated
periodically.  This can be beneficial from forward secrecy point of view,
and also avoids increased CPU usage after configuration reloads.

This also helps BoringSSL to properly resume sessions in configurations
with multiple worker processes and no ssl_session_ticket_key directives,
as BoringSSL tries to automatically rotate session ticket keys and does
this independently in different worker processes, thus breaking session
resumption between worker processes.
2022-10-12 20:14:53 +03:00
Maxim Dounin
3b127da111 SSL: shorter debug messages about session tickets. 2022-10-12 20:14:51 +03:00
Maxim Dounin
2a8e56b1e2 SSL: renamed session ticket key functions and data index.
Previously used names are way too long, renamed to simplify writing code.
2022-10-12 20:14:49 +03:00
Maxim Dounin
6e5120a01d SSL: renamed session ticket key type.
The ngx_ssl_session_ticket_key_t is way too long, renamed to
ngx_ssl_ticket_key_t to simplify writing code.
2022-10-12 20:14:47 +03:00
Maxim Dounin
a5b768c536 SSL: style.
Runtime OCSP functions separated from configuration ones.
2022-10-12 20:14:45 +03:00
Maxim Dounin
3057e6e9ad SSL: explicit clearing of expired sessions.
This reduces lifetime of session keying material in server's memory, and
therefore can be beneficial from forward secrecy point of view.
2022-10-12 20:14:43 +03:00
Maxim Dounin
76876c160f SSL: single allocation in session cache on 32-bit platforms.
Given the present typical SSL session sizes, on 32-bit platforms it is
now beneficial to store all data in a single allocation, since rbtree
node + session id + ASN1 representation of a session takes 256 bytes of
shared memory (36 + 32 + 150 = about 218 bytes plus SNI server name).

Storing all data in a single allocation is beneficial for SNI names up to
about 40 characters long and makes it possible to store about 4000 sessions
in one megabyte (instead of about 3000 sessions now).  This also slightly
simplifies the code.
2022-10-12 20:14:40 +03:00
Maxim Dounin
5c5c449ba0 SSL: explicit session id length checking.
Session ids are not expected to be longer than 32 bytes, but this is
theoretically possible with TLSv1.3, where session ids are essentially
arbitrary and sent as session tickets.  Since on 64-bit platforms we
use fixed 32-byte buffer for session ids, added an explicit length check
to make sure the buffer is large enough.
2022-10-12 20:14:39 +03:00
Maxim Dounin
aeae4c7845 SSL: updated comment about session sizes.
Previous numbers are somewhat outdated, typical ASN1 representations of
sessions are slightly bigger now.
2022-10-12 20:14:37 +03:00
Maxim Dounin
4ea6baf7bc SSL: reduced logging of session cache failures (ticket #621).
Session cache allocations might fail as long as the new session is different
in size from the one least recently used (and freed when the first allocation
fails).  In particular, it might not be possible to allocate space for
sessions with client certificates, since they are noticeably bigger than
normal sessions.

To ensure such allocation failures won't clutter logs, logging level changed
to "warn", and logging is now limited to at most one warning per second.
2022-10-12 20:14:36 +03:00
Maxim Dounin
23ce9baf0e SSL: disabled saving tickets to session cache.
OpenSSL tries to save TLSv1.3 sessions into session cache even when using
tickets for stateless session resumption, "because some applications just
want to know about the creation of a session".  To avoid trashing session
cache with useless data, we do not save such sessions now.
2022-10-12 20:14:34 +03:00
Roman Arutyunyan
f27af85016 Added type cast to ngx_proxy_protocol_parse_uint16().
The cast is added to make ngx_proxy_protocol_parse_uint16() similar to
ngx_proxy_protocol_parse_uint32().
2022-09-27 11:31:16 +04:00
Roman Arutyunyan
50e3ff8a00 PROXY protocol v2 TLV variables.
The variables have prefix $proxy_protocol_tlv_ and are accessible by name
and by type.  Examples are: $proxy_protocol_tlv_0x01, $proxy_protocol_tlv_alpn.
2022-10-12 16:58:16 +04:00
Roman Arutyunyan
68119b4362 Log only the first line of user input on PROXY protocol v1 error.
Previously, all received user input was logged.  If a multi-line text was
received from client and logged, it could reduce log readability and also make
it harder to parse nginx log by scripts.  The change brings to PROXY protocol
the same behavior that exists for HTTP request line in
ngx_http_log_error_handler().
2022-10-10 13:57:31 +04:00
Sergey Kandaurov
5071bc0bcf SSL: silenced GCC warnings when building with BoringSSL.
BoringSSL uses macro stub for SSL_CTX_set_ecdh_auto that expands to 1,
which triggers -Wunused-value "statement with no effect" warnings.
2022-09-08 13:53:49 +04:00
Maxim Dounin
fb0890aee6 Win32: disabled threads support in OpenSSL builds.
Threads are disabled during UNIX builds (see b329c0ab1a48), and also not
needed for Windows builds.

This used to be the default before OpenSSL 1.1.0.
2022-09-07 00:47:31 +03:00
Maxim Dounin
589f78dd88 Win32: fixed build on Windows with OpenSSL 3.0.x (ticket #2379).
SSL_sendfile() expects integer file descriptor as an argument, but nginx
uses OS file handles (HANDLE) to work with files on Windows, and passing
HANDLE instead of an integer correctly results in build failure.  Since
SSL_sendfile() is not expected to work on Windows anyway, the code is now
disabled on Windows with appropriate compile-time checks.
2022-09-07 00:47:17 +03:00
Maxim Dounin
90f1b5fd08 Win32: disabled C4306 warnings with MSVC.
Multiple C4306 warnings (conversion from 'type1' to 'type2' of greater size)
appear during 64-bit compilation with MSVC 2010 (and older) due to extensively
used constructs like "(void *) -1", so they were disabled.

In newer MSVC versions C4306 warnings were replaced with C4312 ones, and
these are not generated for such trivial type casts.
2022-09-07 00:47:07 +03:00
Maxim Dounin
a3016da23f Win32: removed misleading comment about warnings being disabled.
Warnings being disabled are not only from the "-W4" level since e4590dfd97ff.
2022-09-07 00:47:02 +03:00
Maxim Dounin
116a744799 SSL: fixed incorrect usage of #if instead of #ifdef.
In 2014ed60f17f, "#if SSL_CTRL_SET_ECDH_AUTO" test was incorrectly used
instead of "#ifdef SSL_CTRL_SET_ECDH_AUTO".  There is no practical
difference, since SSL_CTRL_SET_ECDH_AUTO evaluates to a non-zero numeric
value when defined, but anyway it's better to correctly test if the value
is defined.
2022-09-07 00:44:10 +03:00
Maxim Dounin
f6a6758ca2 Events: fixed style and wrong error handling in the iocp module. 2022-09-07 00:43:51 +03:00
Roman Arutyunyan
8a1deaca78 HTTP/3: renamed functions.
ngx_http_v3_init() is renamed ngx_http_v3_init_stream().
ngx_http_v3_reset_connection() is renamed to ngx_http_v3_reset_stream().
2022-08-22 14:09:03 +04:00
Roman Arutyunyan
7e3aa23991 QUIC: removed cancelable flag from QUIC and HTTP/3 events.
All these events are created in context of a client connection and are deleted
when the connection is closed.  Setting ev->cancelable could trigger premature
connection closure and a socket leak alert.
2022-11-30 14:09:08 +04:00
Roman Arutyunyan
fed44881d3 QUIC: idle mode for main connection.
Now main QUIC connection for HTTP/3 always has c->idle flag set.  This allows
the connection to receive worker shutdown notification.  It is passed to
application level via a new conf->shutdown() callback.

The HTTP/3 shutdown callback sends GOAWAY to client and gracefully shuts down
the QUIC connection.
2022-10-19 17:45:18 +04:00
Roman Arutyunyan
dd4c31fc34 HTTP/3: unified hq code with regular HTTP/3 code.
The change removes hq-specific request handler.  Now hq requests are handled
by the HTTP/3 request handler.
2022-10-19 17:45:30 +04:00
Roman Arutyunyan
21c34aadf9 QUIC: do not send MAX_STREAMS in shutdown state.
No more streams are expected from client.
2022-09-07 13:12:56 +04:00
Roman Arutyunyan
a2a513b93c QUIC: defer stream removal until all its data is acked.
Previously, stream was kept alive until all its data is sent.  This resulted
in disabling retransmission of final part of stream when QUIC connection
was closed right after closing stream connection.
2022-08-22 15:33:23 +04:00
Roman Arutyunyan
dc82bed893 QUIC: reusable mode for main connection.
The connection is automatically switched to this mode by transport layer when
there are no non-cancelable streams.  Currently, cancelable streams are
HTTP/3 encoder/decoder/control streams.
2022-11-29 17:46:46 +04:00
Roman Arutyunyan
a89167c247 QUIC: post close event for connection close.
Previously, close event was used only for close timeout, while read event was
used for posting connection close.
2022-09-07 19:25:13 +04:00
Roman Arutyunyan
62b928a45f QUIC: made ngx_quic_finalize_connecion() more graceful.
Previously, ngx_quic_finalize_connection() closed the connection with NGX_ERROR
code, which resulted in immediate connection closure.  Now the code is NGX_OK,
which provides a more graceful shutdown with a timeout.
2022-08-22 15:28:51 +04:00
Roman Arutyunyan
d3fb12d77f QUIC: treat qc->error == -1 as a missing error.
Previously, zero was used for this purpose.  However, NGX_QUIC_ERR_NO_ERROR is
zero too.  As a result, NGX_QUIC_ERR_NO_ERROR was changed to
NGX_QUIC_ERR_INTERNAL_ERROR when closing a QUIC connection.
2022-09-07 12:37:15 +04:00
Sergey Kandaurov
d3294e61d5 QUIC: fixed computation of nonce with packet numbers beyond 2^32.
Prodded by Yu Zhu.
2022-11-25 15:56:33 +04:00
Jiuzhou Cui
7d73c50a2d HTTP/3: fixed build without NGX_PCRE (broken by 0f5fc7a320db). 2022-11-25 15:07:23 +08:00
Roman Arutyunyan
b015d4965e QUIC: fixed triggering stream read event (ticket #2409).
If a client packet carrying a stream data frame is not acked due to packet loss,
the stream data is retransmitted later by client.  It's also possible that the
retransmitted range is bigger than before due to more stream data being
available by then.  If the original data was read out by the application,
there would be no read event triggered by the retransmitted frame, even though
it contains new data.
2022-11-23 18:50:26 +04:00
Sergey Kandaurov
bc79d773f9 QUIC: fixed C4334 MSVC warning about 32 to 64 bits conversion. 2022-11-22 18:05:37 +04:00
Sergey Kandaurov
fd0b558ac8 QUIC: plug MSVC warning about potentially uninitialized variable. 2022-11-22 18:05:37 +04:00
Sergey Kandaurov
885f50f773 Added shutdown macros for win32 required for QUIC. 2022-11-22 18:05:36 +04:00
Sergey Kandaurov
553eb6a168 QUIC: fixed C4389 MSVC warning about signed/unsigned mismatch. 2022-11-22 18:05:36 +04:00
Sergey Kandaurov
499dbd28be QUIC: avoid using C99 designated initializers.
They are not supported by MSVC till 2012.

SSL_QUIC_METHOD initialization is moved to run-time to preserve portability
among SSL library implementations, which allows to reduce its visibility.
Note using of a static storage to keep SSL_set_quic_method() reference valid.
2022-11-22 18:05:35 +04:00
Sergey Kandaurov
44a901c9e0 QUIC: moved variable declaration to fix build with MSVC 2010.
Previously, ngx_quic_hkdf_t variables used declaration with assignment
in the middle of a function, which is not supported by MSVC 2010.
Fixing this also required to rewrite the ngx_quic_hkdf_set macro
and to switch to an explicit array size.
2022-11-22 18:05:35 +04:00
Sergey Kandaurov
84a51e4de1 QUIC: fixed C4706 warnings with MSVC 2010.
The fix is to avoid assignments within conditional expression.
2022-11-22 18:05:34 +04:00
Sergey Kandaurov
36d80a5269 HTTP/3: fixed server_name regex captures (ticket #2407).
Previously, HTTP/3 stream connection didn't inherit the servername regex
from the main QUIC connection saved when processing SNI and using regular
expressions in server names.  As a result, it didn't execute to set regex
captures when choosing the virtual server while parsing HTTP/3 headers.
2022-11-22 14:10:04 +04:00
Roman Arutyunyan
0da7526615 Set default listen socket type in http.
The type field was added in 7999d3fbb765 at early stages of QUIC implementation
and was not initialized for default listen.  Missing initialization resulted in
default listen socket creation error.
2022-11-01 17:00:35 +04:00
Sergey Kandaurov
3123fac3e7 Merged with the default branch. 2022-10-20 16:41:36 +04:00
Sergey Kandaurov
3cd06a3a9a README: converted to passive voice, LibreSSL support. 2022-10-20 16:30:43 +04:00
Sergey Kandaurov
34500dcac3 QUIC: removed compatibility with older BoringSSL API.
SSL_CIPHER_get_protocol_id() appeared in BoringSSL somewhere between
BORINGSSL_API_VERSION 12 and 13 for compatibility with OpenSSL 1.1.1.
It was adopted without a proper macro test, which remained unnoticed.
This justifies that such old BoringSSL API isn't widely used and its
support can be dropped.

While here, removed SSL_set_quic_use_legacy_codepoint() that became
useless after the default was flipped in BoringSSL over a year ago.
2022-10-20 16:21:07 +04:00
Sergey Kandaurov
ce65faea95 QUIC: support for setting QUIC methods with LibreSSL.
Setting QUIC methods is converted to use C99 designated initializers
for simplicity, as LibreSSL 3.6.0 has different SSL_QUIC_METHOD layout.

Additionally, only set_read_secret/set_write_secret callbacks are set.
Although they are preferred in LibreSSL over set_encryption_secrets,
better be on a safe side as LibreSSL has unexpectedly incompatible
set_encryption_secrets calling convention expressed in passing read
and write secrets split in separate calls, unlike this is documented
in old BoringSSL sources.  To avoid introducing further changes for
the old API, it is simply disabled.
2022-10-20 16:21:06 +04:00
Sergey Kandaurov
1ad1b85feb QUIC: using SSL_set_quic_early_data_enabled() only with QuicTLS.
This function is present in QuicTLS only.  After SSL_READ_EARLY_DATA_SUCCESS
became visible in LibreSSL together with experimental QUIC API, this required
to revise the conditional compilation test to use more narrow macros.
2022-10-20 16:21:06 +04:00
Sergey Kandaurov
00468d71bf QUIC: using native TLSv1.3 cipher suite constants.
After BoringSSL aligned[1] with OpenSSL on TLS1_3_CK_* macros, and
LibreSSL uses OpenSSL naming, our own variants can be dropped now.
Compatibility is preserved with libraries that lack these macros.

Additionally, transition to SSL_CIPHER_get_id() fixes build error
with LibreSSL that doesn't implement SSL_CIPHER_get_protocol_id().

[1] https://boringssl.googlesource.com/boringssl/+/dfddbc4ded
2022-10-20 16:21:05 +04:00
Sergey Kandaurov
fcba3d1458 QUIC: "info" logging level on insufficient client connection ids.
Apparently, this error is reported on NAT rebinding if client didn't
previously send NEW_CONNECTION_ID to supply additional connection ids.
2022-09-30 17:24:47 +04:00