- May 21, 2019
-
-
Maxim Dounin authored
-
- Apr 11, 2016
-
-
Sergey Kandaurov authored
-
- May 13, 2019
-
-
Maxim Dounin authored
In ngx_http_range_singlepart_body() special buffers where passed unmodified, including ones after the end of the range. As such, if the last buffer of a response was sent separately as a special buffer, two buffers with b->last_buf set were present in the response. In particular, this might result in a duplicate final chunk when using chunked transfer encoding (normally range filter and chunked transfer encoding are not used together, but this may happen if there are trailers in the response). This also likely to cause problems in HTTP/2. Fix is to skip all special buffers after we've sent the last part of the range requested. These special buffers are not meaningful anyway, since we set b->last_buf in the buffer with the last part of the range, and everything is expected to be flushed due to it. Additionally, ngx_http_next_body_filter() is now called even if no buffers are to be passed to it. This ensures that various write events are properly propagated through the filter chain. In particular, this fixes test failures observed with the above change and aio enabled.
-
Maxim Dounin authored
Filters are not allowed to change incoming chain links, and should allocate their own links if any modifications are needed. Nevertheless ngx_http_range_singlepart_body() modified incoming chain links in some cases, notably at the end of the requested range. No problems caused by this are currently known, mostly because of limited number of possible modifications and the position of the range body filter in the filter chain. Though this behaviour is clearly incorrect and tests demonstrate that it can at least cause some proxy buffers being lost when using proxy_force_ranges, leading to less effective handling of responses. Fix is to always allocate new chain links in ngx_http_range_singlepart_body(). Links are explicitly freed to ensure constant memory usage with long-lived requests.
-
- May 08, 2019
-
-
Roman Arutyunyan authored
Postpone filter is an essential part of subrequest functionality. In absence of it a subrequest response body is sent to the client out of order with respect to the main request header and body, as well as other subrequests. For in-memory subrequests the response is also sent to the client instead of being stored in memory. Currently the postpone filter is automatically enabled if one of the following standard modules which are known to create subrequests is enabled: ssi, slice, addition. However a third-party module that creates subrequests can still be built without the postpone filter or be dynamically loaded in nginx built without it.
-
- Apr 24, 2019
-
-
Ruslan Ermilov authored
-
Ruslan Ermilov authored
-
Ruslan Ermilov authored
If a complex value is expected to be of type size_t, and the compiled value is constant, the constant size_t value is remembered at compile time. The value is accessed through ngx_http_complex_value_size() which either returns the remembered constant or evaluates the expression and parses it as size_t.
-
- Apr 09, 2019
-
-
Vladimir Homutov authored
-
- Apr 24, 2019
-
-
Vladimir Homutov authored
-
- Apr 16, 2019
-
-
Maxim Dounin authored
-
Maxim Dounin authored
-
Maxim Dounin authored
-
- Apr 15, 2019
-
-
Maxim Dounin authored
Previously, ngx_utf8_decode() was called from ngx_utf8_length() with incorrect length, potentially resulting in out-of-bounds read when handling invalid UTF-8 strings. In practice out-of-bounds reads are not possible though, as autoindex, the only user of ngx_utf8_length(), provides null-terminated strings, and ngx_utf8_decode() anyway returns an errors when it sees a null in the middle of an UTF-8 sequence. Reported by Yunbin Liu.
-
Maxim Dounin authored
If OCSP stapling was enabled with dynamic certificate loading, with some OpenSSL versions (1.0.2o and older, 1.1.0h and older; fixed in 1.0.2p, 1.1.0i, 1.1.1) a segmentation fault might happen. The reason is that during an abbreviated handshake the certificate callback is not called, but the certificate status callback was called (https://github.com/openssl/openssl/issues/1662), leading to NULL being returned from SSL_get_certificate(). Fix is to explicitly check SSL_get_certificate() result.
-
Maxim Dounin authored
-
- Apr 09, 2019
-
-
Maxim Dounin authored
-
Maxim Dounin authored
-
- Apr 04, 2019
-
-
Maxim Dounin authored
With CFLAGS set as in 7da71a7b141a, OpenSSL compilation drops various non-important compiler options. To avoid this, a define is added instead - OpenSSL is smart enough to recognize -D... in Configure arguments.
-
Maxim Dounin authored
By default, MSVC uses vc<version>.pdb in the current directory. With the "-Fd" switch it is directed to be in the objs directory instead.
-
Sergey Kandaurov authored
OpenSSL 1.1.0 and above uses BCrypt if available (Windows 7 or higher). This results in an unusable binary on older Windows versions, when building with newer Windows SDK (such as 7.0A). Using CFLAGS to define _WIN32_WINNT allows to set a desired ABI and make sure the binary works with Windows XP. To not mix with other potential CFLAGS uses, it is set in GNUmakefile.
-
Sergey Kandaurov authored
When building OpenSSL 1.1.1b, as used for win32 builds, with tests it takes about twice as long and near ~1GB of additional disk space. Using "no-tests" OpenSSL configuration option allows to skip them. Since such an option is supported since OpenSSL 1.1.1 only, it is residing here and not in configure.
-
- Apr 03, 2019
-
-
Sergey Kandaurov authored
OCSP response uses the DER format and as such needs to be opened in binary-mode. This only has any effect under Win32.
-
- Mar 26, 2019
-
-
Nikolay Morozov authored
If X509_get_issuer_name() or X509_get_subject_name() returned NULL, this could lead to a certificate reference leak. It cannot happen in practice though, since each function returns an internal pointer to a mandatory subfield of the certificate successfully decoded by d2i_X509() during certificate message processing (closes #1751).
-
Sergey Kandaurov authored
-
Maxim Dounin authored
-
Maxim Dounin authored
-
- Mar 06, 2019
-
-
Roman Arutyunyan authored
A range is specified with a dash. For each port in a range a separate listen socket is created. Examples: listen 8080-9000; listen example.com:80-88;
-
- Mar 20, 2019
-
-
Roman Arutyunyan authored
Previously the ngx_inet_resolve_host() function sorted addresses in a way that IPv4 addresses came before IPv6 addresses. This was implemented in eaf95350d75c (1.3.10) along with the introduction of getaddrinfo() which could resolve host names to IPv6 addresses. Since the "listen" directive only used the first address, sorting allowed to preserve "listen" compatibility with the previous behavior and with the behavior of nginx built without IPv6 support. Now "listen" uses all resolved addresses which makes sorting pointless.
-
- Mar 15, 2019
-
-
Roman Arutyunyan authored
Previously only one address was used by the listen directive handler even if host name resolved to multiple addresses. Now a separate listening socket is created for each address.
-
- Mar 09, 2019
-
-
Maxim Dounin authored
This makes it possible to provide certificates directly via variables in ssl_certificate / ssl_certificate_key directives, without using intermediate files.
-
- Mar 08, 2019
-
-
Maxim Dounin authored
It was accidentally introduced in 77436d9951a1 (1.15.9). In MSVC 2015 and more recent MSVC versions it triggers warning C4456 (declaration of 'pkey' hides previous local declaration). Previously, all such warnings were resolved in 2a621245f4cf. Reported by Steve Stevenson.
-
- Mar 05, 2019
-
-
Maxim Dounin authored
Server name callback is always called by OpenSSL, even if server_name extension is not present in ClientHello. As such, checking c->ssl->handshaked before the SSL_get_servername() result should help to more effectively prevent renegotiation in OpenSSL 1.1.0 - 1.1.0g, where neither SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS nor SSL_OP_NO_RENEGOTIATION is available.
-
- Mar 03, 2019
-
-
Maxim Dounin authored
The SSL_OP_NO_CLIENT_RENEGOTIATION option was introduced in LibreSSL 2.5.1. Unlike OpenSSL's SSL_OP_NO_RENEGOTIATION, it only disables client-initiated renegotiation, and hence can be safely used on all SSL contexts.
-
Maxim Dounin authored
If ngx_pool_cleanup_add() fails, we have to clean just created SSL context manually, thus appropriate call added. Additionally, ngx_pool_cleanup_add() moved closer to ngx_ssl_create() in the ngx_http_ssl_module, to make sure there are no leaks due to intermediate code.
-
Maxim Dounin authored
Notably this affects various allocation errors, and should generally improve things if an allocation error actually happens during a callback. Depending on the OpenSSL version, returning an error can result in either SSL_R_CALLBACK_FAILED or SSL_R_CLIENTHELLO_TLSEXT error from SSL_do_handshake(), so both errors were switched to the "info" level.
-
Maxim Dounin authored
OpenSSL 1.1.1 does not save server name to the session if server name callback returns anything but SSL_TLSEXT_ERR_OK, thus breaking the $ssl_server_name variable in resumed sessions. Since $ssl_server_name can be used even if we've selected the default server and there are no other servers, it looks like the only viable solution is to always return SSL_TLSEXT_ERR_OK regardless of the actual result. To fix things in the stream module as well, added a dummy server name callback which always returns SSL_TLSEXT_ERR_OK.
-
Maxim Dounin authored
-
- Feb 26, 2019
-
-
Maxim Dounin authored
-
Maxim Dounin authored
-