Commit Graph

6723 Commits

Author SHA1 Message Date
Maxim Dounin
4e0c46cfe1 Version bump. 2019-03-03 16:47:41 +03:00
Maxim Dounin
16e7120d6c release-1.15.9 tag 2019-02-26 18:29:22 +03:00
Maxim Dounin
3229ec6bcd nginx-1.15.9-RELEASE 2019-02-26 18:29:22 +03:00
Maxim Dounin
6647cbd10b Updated OpenSSL used for win32 builds. 2019-02-26 18:01:30 +03:00
Maxim Dounin
1a30d79c42 SSL: fixed possible segfault with dynamic certificates.
A virtual server may have no SSL context if it does not have certificates
defined, so we have to use config of the ngx_http_ssl_module from the
SSL context in the certificate callback.  To do so, it is now passed as
the argument of the callback.

The stream module doesn't really need any changes, but was modified as
well to match http code.
2019-02-25 21:16:26 +03:00
Maxim Dounin
ecfab06cb2 SSL: adjusted session id context with dynamic certificates.
Dynamic certificates re-introduce problem with incorrect session
reuse (AKA "virtual host confusion", CVE-2014-3616), since there are
no server certificates to generate session id context from.

To prevent this, session id context is now generated from ssl_certificate
directives as specified in the configuration.  This approach prevents
incorrect session reuse in most cases, while still allowing sharing
sessions across multiple machines with ssl_session_ticket_key set as
long as configurations are identical.
2019-02-25 16:42:54 +03:00
Maxim Dounin
fbcb0c8a33 SSL: dynamic certificate loading in the stream module. 2019-02-25 16:42:43 +03:00
Maxim Dounin
8772a0e089 SSL: passwords support for dynamic certificate loading.
Passwords have to be copied to the configuration pool to be used
at runtime.  Also, to prevent blocking on stdin (with "daemon off;")
an empty password list is provided.

To make things simpler, password handling was modified to allow
an empty array (with 0 elements and elts set to NULL) as an equivalent
of an array with 1 empty password.
2019-02-25 16:42:23 +03:00
Maxim Dounin
6e5a731edb SSL: variables support in ssl_certificate and ssl_certificate_key.
To evaluate variables, a request is created in the certificate callback,
and then freed.  To do this without side effects on the stub_status
counters and connection state, an additional function was introduced,
ngx_http_alloc_request().

Only works with OpenSSL 1.0.2+, since there is no SSL_CTX_set_cert_cb()
in older versions.
2019-02-25 16:42:05 +03:00
Maxim Dounin
9ff7ba3d00 SSL: loading of connection-specific certificates. 2019-02-25 16:41:44 +03:00
Maxim Dounin
20c8700ae7 SSL: reworked ngx_ssl_certificate().
This makes it possible to reuse certificate loading at runtime,
as introduced in the following patches.

Additionally, this improves error logging, so nginx will now log
human-friendly messages "cannot load certificate" instead of only
referring to sometimes cryptic names of OpenSSL functions.
2019-02-25 16:41:28 +03:00
Maxim Dounin
2d7faa2311 SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
The "(SSL:)" snippet currently appears in logs when nginx code uses
ngx_ssl_error() to log an error, but OpenSSL's error queue is empty.
This can happen either because the error wasn't in fact from OpenSSL,
or because OpenSSL did not indicate the error in the error queue
for some reason.

In particular, currently "(SSL:)" can be seen in errors at least in
the following cases:

- When SSL_write() fails due to a syscall error,
  "[info] ... SSL_write() failed (SSL:) (32: Broken pipe)...".

- When loading a certificate with no data in it,
  "[emerg] PEM_read_bio_X509_AUX(...) failed (SSL:)".
  This can easily happen due to an additional empty line before
  the end line, so all lines of the certificate are interpreted
  as header lines.

- When trying to configure an unknown curve,
  "[emerg] SSL_CTX_set1_curves_list("foo") failed (SSL:)".

Likely there are other cases as well.

With this change, "(SSL:...)" will be only added to the error message
if there is something in the error queue.  This is expected to make
logs more readable in the above cases.  Additionally, with this change
it is now possible to use ngx_ssl_error() to log errors when some
of the possible errors are not from OpenSSL and not expected to have
anything in the error queue.
2019-02-25 16:41:15 +03:00
Maxim Dounin
dce5823f59 Style. 2019-02-25 16:41:08 +03:00
Maxim Dounin
d8ccef0215 Slab: removed redundant page calculation (ticket #1721). 2019-02-12 21:51:15 +03:00
Chanhun Jeong
c5c034f66d Upstream: fixed logging of required buffer size (ticket #1722). 2019-02-11 13:36:53 +09:00
Sergey Kandaurov
fc66ccce02 SSL: fixed EVP_DigestFinal_ex() error message. 2019-02-07 19:39:35 +03:00
Maxim Dounin
f7d53c4ae4 SSL: separate checks for errors in ngx_ssl_read_password_file().
Checking multiple errors at once is a bad practice, as in general
it is not guaranteed that an object can be used after the error.
In this particular case, checking errors after multiple allocations
can result in excessive errors being logged when there is no memory
available.
2019-01-31 19:36:51 +03:00
Ruslan Ermilov
80f105b054 SSL: explicitly zero out session ticket keys. 2019-01-31 19:28:07 +03:00
Roman Arutyunyan
94fa2bb4cb Modules compatibility: down flag in ngx_peer_connection_t. 2019-01-31 17:25:03 +03:00
Ruslan Ermilov
34a8b4506a Use %s for errors returned from configuration parsing handlers. 2018-12-25 15:26:58 +03:00
Sergey Kandaurov
097b1121fd Configure: added explicit ngx_binext to the linker output argument.
Unlike with GCC or MSVC, Clang linker doesn't auto-append ".exe" to the name
of the output binary when building on win32.
2019-01-30 19:28:27 +03:00
Sergey Kandaurov
a05e7555ce Removed --test-build-eventport workaround for old FreeBSD versions. 2019-01-28 14:34:02 +00:00
Sergey Kandaurov
f153bcebb5 Fixed portability issues with union sigval.
AIO support in nginx was originally developed against FreeBSD versions 4-6,
where the sival_ptr field was named as sigval_ptr (seemingly by mistake[1]),
which made nginx use the only name available then.  The standard-complaint
name was restored in 2005 (first appeared in FreeBSD 7.0, 2008), retaining
compatibility with previous versions[2][3].  In DragonFly, similar changes
were committed in 2009[4], with backward compatibility recently removed[5].

The change switches to the standard name, retaining compatibility with old
FreeBSD versions.

[1] https://svnweb.freebsd.org/changeset/base/48621
[2] https://svnweb.freebsd.org/changeset/base/152029
[3] https://svnweb.freebsd.org/changeset/base/174003
[4] https://gitweb.dragonflybsd.org/dragonfly.git/commit/3693401
[5] https://gitweb.dragonflybsd.org/dragonfly.git/commit/7875042
2019-01-28 14:33:31 +00:00
Maxim Konovalov
9497cc8c20 Year 2019. 2019-01-28 13:23:37 +03:00
Maxim Dounin
38196b8ba6 Win32: detection of connect() errors in select().
On Windows, connect() errors are only reported via exceptfds descriptor set
from select().  Previously exceptfds was set to NULL, and connect() errors
were not detected at all, so connects to closed ports were waiting till
a timeout occurred.

Since ongoing connect() means that there will be a write event active,
except descriptor set is copied from the write one.  While it is possible
to construct except descriptor set as a concatenation of both read and write
descriptor sets, this looks unneeded.

With this change, connect() errors are properly detected now when using
select().  Note well that it is not possible to detect connect() errors with
WSAPoll() (see https://daniel.haxx.se/blog/2012/10/10/wsapoll-is-broken/).
2019-01-24 22:00:44 +03:00
Maxim Dounin
f2cfcc09a0 Win32: enabled both select and poll on Windows by default.
Since we now have both select and poll on Windows, it is enough to
do not set EVENT_FOUND, auto/modules will enable both automatically.
2019-01-24 22:00:13 +03:00
Maxim Dounin
40b74475d0 Win32: added WSAPoll() support.
WSAPoll() is only available with Windows Vista and newer (and only
available during compilation if _WIN32_WINNT >= 0x0600).  To make
sure the code works with Windows XP, we do not redefine _WIN32_WINNT,
but instead load WSAPoll() dynamically if it is not available during
compilation.

Also, sockets are not guaranteed to be small integers on Windows.
So an index array is used instead of NGX_USE_FD_EVENT to map
events to connections.
2019-01-24 21:51:21 +03:00
Maxim Dounin
c6a0003af1 Win32: properly enabled select on Windows.
Previously, select was compiled in by default, but the NGX_HAVE_SELECT
macro was not set, resulting in iocp being used by default unless
the "--with-select_module" configure option was explicitly specified.
Since the iocp module is not finished and does not work properly, this
effectively meant that the "--with-select_module" option was mandatory.

With the change NGX_HAVE_SELECT is properly set, making "--with-select_module"
optional.  Accordingly, it is removed from misc/GNUmakefile win32 target.
2019-01-24 21:51:00 +03:00
Maxim Dounin
3dcad9c5d6 Events: fixed copying of old events in poll init.
Previously, the code incorrectly assumed "ngx_event_t *" elements
instead of "struct pollfd".

This is mostly cosmetic change, as this code is never called now.
2019-01-24 21:50:37 +03:00
Roman Arutyunyan
12645b46e9 Stream: do not split datagrams when limiting proxy rate.
Previously, when using proxy_upload_rate and proxy_download_rate, the buffer
size for reading from a socket could be reduced as a result of rate limiting.
For connection-oriented protocols this behavior is normal since unread data will
normally be read at the next iteration.  But for datagram-oriented protocols
this is not the case, and unread part of the datagram is lost.

Now buffer size is not limited for datagrams.  Rate limiting still works in this
case by delaying the next reading event.
2018-12-27 19:37:34 +03:00
Roman Arutyunyan
36a0713244 Prevented scheduling events on a shared connection.
A shared connection does not own its file descriptor, which means that
ngx_handle_read_event/ngx_handle_write_event calls should do nothing for it.
Currently the c->shared flag is checked in several places in the stream proxy
module prior to calling these functions.  However it was not done everywhere.
Missing checks could lead to calling
ngx_handle_read_event/ngx_handle_write_event on shared connections.

The problem manifested itself when using proxy_upload_rate and resulted in
either duplicate file descriptor error (e.g. with epoll) or incorrect further
udp packet processing (e.g. with kqueue).

The fix is to set and reset the event active flag in a way that prevents
ngx_handle_read_event/ngx_handle_write_event from scheduling socket events.
2019-01-14 20:36:23 +03:00
Vladimir Homutov
b6b39b2fb9 Added the ngx_http_test_required_predicates() function.
In contrast to ngx_http_test_predicates(), it requires all values to be
non-empty and not equal to "0".
2019-01-17 14:31:04 +03:00
Vladimir Homutov
de20d73ec5 Version bump. 2019-01-17 14:31:01 +03:00
Maxim Dounin
d95e34c558 release-1.15.8 tag 2018-12-25 17:53:03 +03:00
Maxim Dounin
2eedb3ff0c nginx-1.15.8-RELEASE 2018-12-25 17:53:03 +03:00
Vladimir Homutov
910f330ad0 Autoindex: fixed possible integer overflow on 32-bit systems. 2018-12-25 12:59:24 +03:00
Gena Makhomed
8610ddd092 Contrib: vim syntax, update core and 3rd party module directives. 2018-12-24 16:30:10 +02:00
Maxim Dounin
aa741f8727 Win32: removed NGX_DIR_MASK concept.
Previous interface of ngx_open_dir() assumed that passed directory name
has a room for NGX_DIR_MASK at the end (NGX_DIR_MASK_LEN bytes).  While all
direct users of ngx_dir_open() followed this interface, this also implied
similar requirements for indirect uses - in particular, via ngx_walk_tree().

Currently none of ngx_walk_tree() uses provides appropriate space, and
fixing this does not look like a right way to go.  Instead, ngx_dir_open()
interface was changed to not require any additional space and use
appropriate allocations instead.
2018-12-24 21:07:05 +03:00
Sergey Kandaurov
499bb2655e Userid: using stub for AF_UNIX addresses.
Previously, AF_UNIX addresses misbehaved as AF_INET, which typically resulted
in $uid_set composed from the middle of sun_path.
2018-12-24 19:55:00 +03:00
Sergey Kandaurov
2a11bf0f77 SSL: avoid reading on pending SSL_write_early_data().
If SSL_write_early_data() returned SSL_ERROR_WANT_WRITE, stop further reading
using a newly introduced c->ssl->write_blocked flag, as otherwise this would
result in SSL error "ssl3_write_bytes:bad length".  Eventually, normal reading
will be restored by read event posted from successful SSL_write_early_data().

While here, place "SSL_write_early_data: want write" debug on the path.
2018-12-18 15:15:15 +03:00
Maxim Dounin
ce4a23d144 Geo: fixed handling of AF_UNIX client addresses (ticket #1684).
Previously, AF_UNIX client addresses were handled as AF_INET, leading
to unexpected results.
2018-12-14 18:11:06 +03:00
Ruslan Ermilov
cb4dd56771 Upstream: implemented $upstream_bytes_sent. 2018-12-13 17:23:07 +03:00
Roman Arutyunyan
8e2949e56a Resolver: report SRV resolve failure if all A resolves failed.
Previously, if an SRV record was successfully resolved, but all of its A
records failed to resolve, NXDOMAIN was returned to the caller, which is
considered a successful resolve rather than an error.  This could result in
losing the result of a previous successful resolve by the caller.

Now NXDOMAIN is only returned if at least one A resolve completed with this
code.  Otherwise the error state of the first A resolve is returned.
2018-12-11 19:41:22 +03:00
Roman Arutyunyan
746fba0d79 Copy regex unnamed captures to cloned subrequests.
Previously, unnamed regex captures matched in the parent request, were not
available in a cloned subrequest.  Now 3 fields related to unnamed captures
are copied to a cloned subrequest: r->ncaptures, r->captures and
r->captures_data.  Since r->captures cannot be changed by either request after
creating a clone, a new flag r->realloc_captures is introduced to force
reallocation of r->captures.

The issue was reported as a proxy_cache_background_update misbehavior in
http://mailman.nginx.org/pipermail/nginx/2018-December/057251.html.
2018-12-11 13:09:00 +03:00
Roman Arutyunyan
7b7f7c1458 Version bump. 2018-12-11 13:12:35 +03:00
Maxim Dounin
e2673071e4 release-1.15.7 tag 2018-11-27 17:40:21 +03:00
Maxim Dounin
0febe9a095 nginx-1.15.7-RELEASE 2018-11-27 17:40:20 +03:00
Maxim Dounin
abbde03cf6 Updated OpenSSL used for win32 builds. 2018-11-27 17:02:56 +03:00
Maxim Dounin
f4c70589ce Negative size buffers detection.
In the past, there were several security issues which resulted in
worker process memory disclosure due to buffers with negative size.
It looks reasonable to check for such buffers in various places,
much like we already check for zero size buffers.

While here, removed "#if 1 / #endif" around zero size buffer checks.
It looks highly unlikely that we'll disable these checks anytime soon.
2018-11-26 18:29:56 +03:00
Maxim Dounin
f5708e66c7 Mp4: fixed possible pointer overflow on 32-bit platforms.
On 32-bit platforms mp4->buffer_pos might overflow when a large
enough (close to 4 gigabytes) atom is being skipped, resulting in
incorrect memory addesses being read further in the code.  In most
cases this results in harmless errors being logged, though may also
result in a segmentation fault if hitting unmapped pages.

To address this, ngx_mp4_atom_next() now only increments mp4->buffer_pos
up to mp4->buffer_end.  This ensures that overflow cannot happen.
2018-11-21 20:23:16 +03:00