  1. May 21, 2019
  2. Apr 11, 2016
  3. May 13, 2019
    • Range filter: fixed duplicate last buffers. · 2015a548
      Maxim Dounin authored
      In ngx_http_range_singlepart_body() special buffers were passed
      unmodified, including ones after the end of the range.  As such,
      if the last buffer of a response was sent separately as a special
      buffer, two buffers with b->last_buf set were present in the response.
      
      In particular, this might result in a duplicate final chunk when using
      chunked transfer encoding (normally range filter and chunked transfer
      encoding are not used together, but this may happen if there are trailers
      in the response).  This is also likely to cause problems in HTTP/2.
      
      Fix is to skip all special buffers after we've sent the last part of
      the range requested.  These special buffers are not meaningful anyway,
      since we set b->last_buf in the buffer with the last part of the range,
      and everything is expected to be flushed due to it.
      
      Additionally, ngx_http_next_body_filter() is now called even
      if no buffers are to be passed to it.  This ensures that various
      write events are properly propagated through the filter chain.  In
      particular, this fixes test failures observed with the above change
      and aio enabled.
    • Range filter: fixed loss of incoming chain links. · ce0f3531
      Maxim Dounin authored
      Filters are not allowed to change incoming chain links, and should allocate
      their own links if any modifications are needed.  Nevertheless
      ngx_http_range_singlepart_body() modified incoming chain links in some
      cases, notably at the end of the requested range.
      
      No problems caused by this are currently known, mostly because of
      limited number of possible modifications and the position of the range
      body filter in the filter chain.  Though this behaviour is clearly incorrect
      and tests demonstrate that it can at least cause some proxy buffers being
      lost when using proxy_force_ranges, leading to less effective handling
      of responses.
      
      Fix is to always allocate new chain links in ngx_http_range_singlepart_body().
      Links are explicitly freed to ensure constant memory usage with long-lived
      requests.
  4. May 08, 2019
    • Unconditional compilation of the postpone filter. · a39380a4
      Roman Arutyunyan authored
      Postpone filter is an essential part of subrequest functionality.  In absence
      of it a subrequest response body is sent to the client out of order with
      respect to the main request header and body, as well as other subrequests.
      For in-memory subrequests the response is also sent to the client instead of
      being stored in memory.
      
      Currently the postpone filter is automatically enabled if one of the following
      standard modules which are known to create subrequests is enabled: ssi, slice,
      addition.  However a third-party module that creates subrequests can still be
      built without the postpone filter or be dynamically loaded in nginx built
      without it.
  5. Apr 24, 2019
  6. Apr 09, 2019
  7. Apr 24, 2019
  8. Apr 16, 2019
  9. Apr 15, 2019
    • Fixed incorrect length handling in ngx_utf8_length(). · f09eae2a
      Maxim Dounin authored
      Previously, ngx_utf8_decode() was called from ngx_utf8_length() with
      incorrect length, potentially resulting in out-of-bounds read when
      handling invalid UTF-8 strings.
      
      In practice out-of-bounds reads are not possible though, as autoindex, the
      only user of ngx_utf8_length(), provides null-terminated strings, and
      ngx_utf8_decode() anyway returns an error when it sees a null in the
      middle of a UTF-8 sequence.
      
      Reported by Yunbin Liu.
    • OCSP stapling: fixed segfault with dynamic certificate loading. · 5784889f
      Maxim Dounin authored
      If OCSP stapling was enabled with dynamic certificate loading, with some
      OpenSSL versions (1.0.2o and older, 1.1.0h and older; fixed in 1.0.2p,
      1.1.0i, 1.1.1) a segmentation fault might happen.
      
      The reason is that during an abbreviated handshake the certificate
      callback is not called, but the certificate status callback was called
      (https://github.com/openssl/openssl/issues/1662), leading to NULL being
      returned from SSL_get_certificate().
      
      Fix is to explicitly check SSL_get_certificate() result.
    • Version bump. · aaa1a570
      Maxim Dounin authored
  10. Apr 09, 2019
  11. Apr 04, 2019
    • Win32: avoid using CFLAGS, just add define instead. · 09752fce
      Maxim Dounin authored
      With CFLAGS set as in 7da71a7b141a, OpenSSL compilation drops various
      non-important compiler options.  To avoid this, a define is added
      instead - OpenSSL is smart enough to recognize -D... in Configure
      arguments.
    • Win32: defined pdb path. · df8cb313
      Maxim Dounin authored
      By default, MSVC uses vc<version>.pdb in the current directory.
      With the "-Fd" switch it is directed to be in the objs directory instead.
    • Win32: preserving binary compatibility with Windows XP - Vista. · ce912de8
      Sergey Kandaurov authored
      OpenSSL 1.1.0 and above uses BCrypt if available (Windows 7 or higher).
      This results in an unusable binary on older Windows versions, when building
      with newer Windows SDK (such as 7.0A).  Using CFLAGS to define _WIN32_WINNT
      allows to set a desired ABI and make sure the binary works with Windows XP.
      
      To not mix with other potential CFLAGS uses, it is set in GNUmakefile.
    • Win32: skip building OpenSSL tests to conserve time and space. · 7c7d3277
      Sergey Kandaurov authored
      When building OpenSSL 1.1.1b, as used for win32 builds, with tests
      it takes about twice as long and near ~1GB of additional disk space.
      Using "no-tests" OpenSSL configuration option allows to skip them.
      Since such an option is supported since OpenSSL 1.1.1 only, it is
      residing here and not in configure.
  12. Apr 03, 2019
  13. Mar 26, 2019
  14. Mar 06, 2019
    • Listen port ranges. · 912fb44e
      Roman Arutyunyan authored
      A range is specified with a dash.  For each port in a range a separate listen
      socket is created.
      
      Examples:
      
          listen 8080-9000;
          listen example.com:80-88;
  15. Mar 20, 2019
    • Removed sorting of getaddrinfo() results. · b92e8ffa
      Roman Arutyunyan authored
      Previously the ngx_inet_resolve_host() function sorted addresses in a way that
      IPv4 addresses came before IPv6 addresses.  This was implemented in eaf95350d75c
      (1.3.10) along with the introduction of getaddrinfo() which could resolve host
      names to IPv6 addresses.  Since the "listen" directive only used the first
      address, sorting allowed to preserve "listen" compatibility with the previous
      behavior and with the behavior of nginx built without IPv6 support.  Now
      "listen" uses all resolved addresses which makes sorting pointless.
  16. Mar 15, 2019
    • Multiple addresses in "listen". · 4e17b93e
      Roman Arutyunyan authored
      Previously only one address was used by the listen directive handler even if
      host name resolved to multiple addresses.  Now a separate listening socket is
      created for each address.
  17. Mar 09, 2019
  18. Mar 08, 2019
    • SSL: removed redundant "pkey" variable. · 762d98ab
      Maxim Dounin authored
      It was accidentally introduced in 77436d9951a1 (1.15.9).  In MSVC 2015
      and more recent MSVC versions it triggers warning C4456 (declaration of
      'pkey' hides previous local declaration).  Previously, all such warnings
      were resolved in 2a621245f4cf.
      
      Reported by Steve Stevenson.
  19. Mar 05, 2019
    • SSL: moved c->ssl->handshaked check in server name callback. · 0ad4393e
      Maxim Dounin authored
      Server name callback is always called by OpenSSL, even
      if server_name extension is not present in ClientHello.  As such,
      checking c->ssl->handshaked before the SSL_get_servername() result
      should help to more effectively prevent renegotiation in
      OpenSSL 1.1.0 - 1.1.0g, where neither SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
      nor SSL_OP_NO_RENEGOTIATION is available.
  20. Mar 03, 2019
    • SSL: use of the SSL_OP_NO_CLIENT_RENEGOTIATION option. · 0808b04c
      Maxim Dounin authored
      The SSL_OP_NO_CLIENT_RENEGOTIATION option was introduced in LibreSSL 2.5.1.
      Unlike OpenSSL's SSL_OP_NO_RENEGOTIATION, it only disables client-initiated
      renegotiation, and hence can be safely used on all SSL contexts.
    • SSL: fixed potential leak on memory allocation errors. · fe43346d
      Maxim Dounin authored
      If ngx_pool_cleanup_add() fails, we have to clean just created SSL context
      manually, thus appropriate call added.
      
      Additionally, ngx_pool_cleanup_add() moved closer to ngx_ssl_create() in
      the ngx_http_ssl_module, to make sure there are no leaks due to intermediate
      code.
    • SSL: server name callback changed to return fatal errors. · 99d7bb69
      Maxim Dounin authored
      Notably this affects various allocation errors, and should generally
      improve things if an allocation error actually happens during a callback.
      
      Depending on the OpenSSL version, returning an error can result in
      either SSL_R_CALLBACK_FAILED or SSL_R_CLIENTHELLO_TLSEXT error from
      SSL_do_handshake(), so both errors were switched to the "info" level.
    • SSL: server name callback changed to return SSL_TLSEXT_ERR_OK. · fd97b2a8
      Maxim Dounin authored
      OpenSSL 1.1.1 does not save server name to the session if server name
      callback returns anything but SSL_TLSEXT_ERR_OK, thus breaking
      the $ssl_server_name variable in resumed sessions.
      
      Since $ssl_server_name can be used even if we've selected the default
      server and there are no other servers, it looks like the only viable
      solution is to always return SSL_TLSEXT_ERR_OK regardless of the actual
      result.
      
      To fix things in the stream module as well, added a dummy server name
      callback which always returns SSL_TLSEXT_ERR_OK.
    • Version bump. · 4e0c46cf
      Maxim Dounin authored
  21. Feb 26, 2019