Commit Graph

7827 Commits

Author SHA1 Message Date
Vladimir Homutov
64c00708fa Limited max udp payload size for outgoing packets.
This allows to avoid problems with packet fragmentation in real networks.
This is a temporary workaround.
2020-06-10 21:37:08 +03:00
Vladimir Homutov
5cef58452d Increased default initial retransmit timeout.
This is a temporary workaround, proper retransmission mechanism based on
quic-recovery rfc draft is yet to be implemented.

Currently hardcoded value is too small for real networks.  The patch
sets static PTO, considering rtt of ~333ms, what gives about 1s.
2020-06-10 21:33:20 +03:00
Vladimir Homutov
d684a69c68 Fixed usage of own/client transport parameters. 2020-06-10 21:23:10 +03:00
Vladimir Homutov
58d1412f0d Stream: fixed processing of zero length UDP packets (ticket #1982). 2020-06-08 11:40:34 +03:00
Sergey Kandaurov
7d8a64a862 Stream ID handling in MAX_STREAM_DATA and STREAM_DATA_BLOCKED. 2020-06-05 20:59:27 +03:00
Sergey Kandaurov
d42fadcf29 Stream ID handling in RESET_STREAM and STOP_SENDING frames. 2020-06-05 20:59:27 +03:00
Sergey Kandaurov
d423541360 Reject invalid STREAM ID with STREAM_STATE_ERROR connection error. 2020-06-05 20:59:26 +03:00
Sergey Kandaurov
facf59bd86 Introduced connection error APPLICATION_ERROR from draft-28. 2020-06-05 13:20:03 +03:00
Sergey Kandaurov
ac73dffb57 Receipt of CONNECTION_CLOSE in 0-RTT is permitted in draft-28. 2020-06-05 13:20:02 +03:00
Sergey Kandaurov
d047ecee95 Treat receipt of NEW_TOKEN as connection error PROTOCOL_VIOLATION. 2020-06-05 13:20:02 +03:00
Maxim Dounin
2d4f04bba0 SSL: added verify callback to ngx_ssl_trusted_certificate().
This ensures that certificate verification is properly logged to debug
log during upstream server certificate verification.  This should help
with debugging various certificate issues.
2020-06-03 19:11:32 +03:00
Roman Arutyunyan
c0003539ac Decoupled validation of Host and :authority for HTTP/2 and HTTP/3.
Previously an error was triggered for HTTP/2 when host with port was passed
by client.
2020-06-02 15:59:14 +03:00
Ruslan Ermilov
9c3ac44de2 Fixed SIGQUIT not removing listening UNIX sockets (closes #753).
Listening UNIX sockets were not removed on graceful shutdown, preventing
the next runs.  The fix is to replace the custom socket closing code in
ngx_master_process_cycle() by the ngx_close_listening_sockets() call.
2020-06-01 22:31:23 +03:00
Ruslan Ermilov
da370de990 Fixed removing of listening UNIX sockets when "changing binary".
When changing binary, sending a SIGTERM to the new binary's master process
should not remove inherited UNIX sockets unless the old binary's master
process has exited.
2020-06-01 20:19:27 +03:00
Sergey Kandaurov
0a11fdbb28 Compatibility with BoringSSL master branch.
Recently BoringSSL introduced SSL_set_quic_early_data_context()
that serves as an additional constrain to enable 0-RTT in QUIC.

Relevant changes:
 * https://boringssl.googlesource.com/boringssl/+/7c52299%5E!/
 * https://boringssl.googlesource.com/boringssl/+/8519432%5E!/
2020-06-01 19:53:13 +03:00
Sergey Kandaurov
5978225722 Fixed transport parameters on a new connection with a valid token.
Previously, the retry transport parameter was sent regardless.
2020-06-01 19:16:44 +03:00
Roman Arutyunyan
22297afd79 Require ":authority" or "Host" in HTTP/3 and HTTP/2 requests.
Also, if both are present, require that they have the same value.  These
requirements are specified in HTTP/3 draft 28.

Current implementation of HTTP/2 treats ":authority" and "Host"
interchangeably.  New checks only make sure at least one of these values is
present in the request.  A similar check existed earlier and was limited only
to HTTP/1.1 in 38c0898b6df7.
2020-05-29 12:42:23 +03:00
Vladimir Homutov
101113a98f Added propagation of the "wildcard" flag to c->listening.
The flags was originally added by 8f038068f4bc, and is propagated correctly
in the stream module.  With QUIC introduction, http module now uses datagram
sockets as well, thus the fix.
2020-05-29 13:29:24 +03:00
Sergey Kandaurov
f45ec755a5 Made NGX_QUIC_DRAFT_VERSION tunable from configure parameters.
Now it can be switched using --with-cc-opt='-DNGX_QUIC_DRAFT_VERSION=28'.
2020-05-29 15:07:46 +03:00
Sergey Kandaurov
7d41fd85b8 QUIC draft-28 transport parameters support.
Draft-27 and draft-28 support can now be enabled interchangeably,
it's based on the compile-time macro NGX_QUIC_DRAFT_VERSION.
2020-05-29 15:06:33 +03:00
Sergey Kandaurov
25f5ab5e2d Introduced macros for building length-value transport parameters. 2020-05-29 13:05:57 +03:00
Sergey Kandaurov
76bbe70406 Renamed max_packet_size to max_udp_payload_size, from draft-28.
No functional changes.
2020-05-29 12:56:08 +03:00
Sergey Kandaurov
49d7ae444f Rejected forbidden transport parameters with TRANSPORT_PARAMETER_ERROR. 2020-05-29 12:55:39 +03:00
Sergey Kandaurov
a4a641fa6c Fixed return codes in ngx_quic_add_handshake_data() callback. 2020-05-29 12:50:20 +03:00
Sergey Kandaurov
5352a71779 README: update after merging 1.19.0. 2020-05-26 20:41:43 +03:00
Sergey Kandaurov
38091071a8 Merged with the default branch. 2020-05-26 20:26:44 +03:00
Gena Makhomed
59a0ceb994 Contrib: vim syntax, update core and 3rd party module directives. 2020-05-26 19:17:11 +03:00
Maxim Dounin
b89a5d5998 Version bump. 2020-05-26 22:03:00 +03:00
Maxim Dounin
bab7ab0477 release-1.19.0 tag 2020-05-26 18:00:20 +03:00
Maxim Dounin
87c8507f20 nginx-1.19.0-RELEASE 2020-05-26 18:00:20 +03:00
Maxim Dounin
f457127cc4 Updated OpenSSL used for win32 builds. 2020-05-25 22:10:37 +03:00
Vladimir Homutov
2360f58a9b Updated README with "Contributing" section and draft details. 2020-05-25 18:37:43 +03:00
Maxim Dounin
4056ce4f4e HTTP/2: invalid connection preface logging (ticket #1981).
Previously, invalid connection preface errors were only logged at debug
level, providing no visible feedback, in particular, when a plain text
HTTP/2 listening socket is erroneously used for HTTP/1.x connections.
Now these are explicitly logged at the info level, much like other
client-related errors.
2020-05-25 18:33:42 +03:00
Sergey Kandaurov
9b87626b0b Fixed format specifiers. 2020-05-23 15:53:08 +03:00
Roman Arutyunyan
5727f9a1e0 OCSP: certificate status cache.
When enabled, certificate status is stored in cache and is used to validate
the certificate in future requests.

New directive ssl_ocsp_cache is added to configure the cache.
2020-05-22 17:25:27 +03:00
Roman Arutyunyan
60438ae395 SSL: client certificate validation with OCSP (ticket #1534).
OCSP validation for client certificates is enabled by the "ssl_ocsp" directive.
OCSP responder can be optionally specified by "ssl_ocsp_responder".

When session is reused, peer chain is not available for validation.
If the verified chain contains certificates from the peer chain not available
at the server, validation will fail.
2020-05-22 17:30:12 +03:00
Roman Arutyunyan
aa94ee82f6 OCSP stapling: iterate over all responder addresses.
Previously only the first responder address was used per each stapling update.
Now, in case of a network or parsing error, next address is used.

This also fixes the issue with unsupported responder address families
(ticket #1330).
2020-05-22 20:35:05 +03:00
Roman Arutyunyan
abdb9aebc6 OCSP stapling: keep extra chain in the staple object. 2020-05-17 14:24:35 +03:00
Roman Arutyunyan
097d8a87b3 HTTP/3: reallocate strings inserted into the dynamic table.
They should always be allocated from the main QUIC connection pool.
2020-05-14 16:02:32 +03:00
Roman Arutyunyan
94764fda6e Fixed client buffer reallocation for HTTP/3.
Preserving pointers within the client buffer is not needed for HTTP/3 because
all data is either allocated from pool or static.  Unlike with HTTP/1, data
typically cannot be referenced directly within the client buffer.  Trying to
preserve NULLs or external pointers lead to broken pointers.

Also, reverted changes in ngx_http_alloc_large_header_buffer() not relevant
for HTTP/3 to minimize diff to mainstream.
2020-05-19 16:20:33 +03:00
Roman Arutyunyan
d6b6b6dfc5 Fixed $request_length for HTTP/3.
New field r->parse_start is introduced to substitute r->request_start and
r->header_name_start for request length accounting.  These fields only work for
this purpose in HTTP/1 because HTTP/1 request line and header line start with
these values.

Also, error logging is now fixed to output the right part of the request.
2020-05-19 15:47:37 +03:00
Roman Arutyunyan
d25937c2b5 HTTP/3: restricted symbols in header names.
As per HTTP/3 draft 27, a request or response containing uppercase header
field names MUST be treated as malformed.  Also, existing rules applied
when parsing HTTP/1 header names are also applied to HTTP/3 header names:

- null character is not allowed
- underscore character may or may not be treated as invalid depending on the
  value of "underscores_in_headers"
- all non-alphanumeric characters with the exception of '-' are treated as
  invalid

Also, the r->locase_header field is now filled while parsing an HTTP/3
header.

Error logging for invalid headers is fixed as well.
2020-05-19 15:34:00 +03:00
Roman Arutyunyan
6abb50658f HTTP/3: split header parser in two functions.
The first one parses pseudo-headers and is analagous to the request line
parser in HTTP/1.  The second one parses regular headers and is analogous to
the header parser in HTTP/1.

Additionally, error handling of client passing malformed uri is now fixed.
2020-05-19 15:29:10 +03:00
Roman Arutyunyan
d69f678e9c HTTP/3: move body parser call out of ngx_http_parse_chunked().
The function ngx_http_parse_chunked() is also called from the proxy module to
parse the upstream response.  It should always parse HTTP/1 body in this case.
2020-05-14 14:49:53 +03:00
Roman Arutyunyan
1c54340e0a HTTP/3: prevent array access by negative index for unknown streams.
Currently there are no such streams, but the function
ngx_http_v3_get_uni_stream() supports them.
2020-05-19 15:41:41 +03:00
Sergey Kandaurov
e0eb261b83 README: documented Retry, 0-RTT, TLSv1.3 configuration. 2020-05-23 14:41:08 +03:00
Vladimir Homutov
74564bdd0d Style.
Rephrased error message and removed trailing space.  Long comments were
shortened/rephrased.
2020-05-21 15:48:39 +03:00
Vladimir Homutov
57696b56e9 Added sending of extra CONNECTION_CLOSE frames.
According to quic-transport draft 28 section 10.3.1:

   When sending CONNECTION_CLOSE, the goal is to ensure that the peer
   will process the frame.  Generally, this means sending the frame in a
   packet with the highest level of packet protection to avoid the
   packet being discarded.  After the handshake is confirmed (see
   Section 4.1.2 of [QUIC-TLS]), an endpoint MUST send any
   CONNECTION_CLOSE frames in a 1-RTT packet.  However, prior to
   confirming the handshake, it is possible that more advanced packet
   protection keys are not available to the peer, so another
   CONNECTION_CLOSE frame MAY be sent in a packet that uses a lower
   packet protection level.
2020-05-22 18:14:35 +03:00
Vladimir Homutov
76605fa07a Added more context to CONNECTION CLOSE frames.
Now it is possible to specify frame type that caused an error
and a human-readable reason phrase.
2020-05-22 18:08:02 +03:00
Vladimir Homutov
4444320473 Fixed retransmission of frames after closing connection.
Frames in sent queues are discarded, as no acknowledgment is expected
if the connection is closing.
2020-05-21 15:41:01 +03:00