Commit Graph

8271 Commits

Author SHA1 Message Date
Maryna Herasimovich
da468ec0c0 Added contributing guidelines. 2024-09-03 16:28:45 +04:00
Maryna Herasimovich
3b16b46aae Added security policy. 2024-09-02 20:10:28 +04:00
Maryna Herasimovich
e73ac62294 Added Code of Conduct. 2024-09-02 17:33:50 +04:00
Roman Arutyunyan
6bb4be1a79 Removed C-style comments from LICENSE. 2024-08-30 18:06:39 +04:00
Roman Arutyunyan
863ab647cd Moved LICENSE and README to root. 2024-08-30 18:06:39 +04:00
Roman Arutyunyan
81a933e1f6 Switched GNUmakefile from hg to git. 2024-08-30 18:06:39 +04:00
Roman Arutyunyan
900f4dc48c Removed .hgtags file. 2024-08-30 18:06:39 +04:00
Sergey Kandaurov
fb89d50eeb Stream: OCSP stapling. 2024-08-22 14:57:46 +04:00
Sergey Kandaurov
581cf22673 Stream: client certificate validation with OCSP. 2024-08-22 14:57:45 +04:00
Sergey Kandaurov
48ac1ee9c6 Version bump. 2024-08-20 21:18:30 +04:00
Sergey Kandaurov
a4100450c0 release-1.27.1 tag 2024-08-12 18:21:01 +04:00
Sergey Kandaurov
e06bdbd4a2 nginx-1.27.1-RELEASE 2024-08-12 18:20:52 +04:00
Sergey Kandaurov
c165589d09 Updated OpenSSL used for win32 builds. 2024-08-12 18:20:49 +04:00
Roman Arutyunyan
88955b1044 Mp4: rejecting unordered chunks in stsc atom.
Unordered chunks could result in trak->end_chunk smaller than trak->start_chunk
in ngx_http_mp4_crop_stsc_data().  Later in ngx_http_mp4_update_stco_atom()
this caused buffer overread while trying to calculate trak->end_offset.
2024-08-12 18:20:45 +04:00
Roman Arutyunyan
7362d01658 Mp4: fixed buffer underread while updating stsz atom.
While cropping an stsc atom in ngx_http_mp4_crop_stsc_data(), a 32-bit integer
overflow could happen, which could result in incorrect seeking and a very large
value stored in "samples".  This resulted in a large invalid value of
trak->end_chunk_samples.  This value is further used to calculate the value of
trak->end_chunk_samples_size in ngx_http_mp4_update_stsz_atom().  While doing
this, a large invalid value of trak->end_chunk_samples could result in reading
memory before stsz atom start.  This could potentially result in a segfault.
2024-08-12 18:20:43 +04:00
Sergey Kandaurov
0fa8434957 Stream ssl_preread: do not reallocate a parsed SNI host.
We own this memory from the session pool.
2024-08-09 19:12:26 +04:00
Sergey Kandaurov
504c78fc6d QUIC: zero out existing keying material only.
Previously, this used to have extra ngx_explicit_memzero() calls
from within ngx_quic_keys_cleanup(), which might be suboptimal.
2024-08-09 19:12:26 +04:00
Sergey Kandaurov
58b92177e7 QUIC: discarding 0-RTT keys.
For simplicity, this is done on successful decryption of a 1-RTT packet.
2024-08-09 19:12:25 +04:00
Sergey Kandaurov
250baed4ee Typo fixed. 2024-08-09 19:12:23 +04:00
Sergey Kandaurov
6ecc4e3807 Version bump. 2024-08-09 18:01:42 +04:00
Kasei Wang
145b228530 HTTP/2: close connections initialized during graceful shutdown.
In some rare cases, graceful shutdown may happen while initializing an HTTP/2
connection.  Previously, such a connection ignored the shutdown and remained
active.  Now it is gracefully closed prior to processing any streams to
eliminate the shutdown delay.
2024-07-18 17:43:25 +04:00
Roman Arutyunyan
788e462c5b Stream: allow servers with no handler.
Previously handlers were mandatory.  However they are not always needed.
For example, a server configured with ssl_reject_handshake does not need a
handler.  Such servers required a fake handler to pass the check.  Now handler
absence check is moved to runtime.  If handler is missing, the connection is
closed with 500 code.
2024-06-27 17:29:56 +04:00
Sergey Kandaurov
e734df6664 release-1.27.0 tag 2024-05-28 17:22:30 +04:00
Sergey Kandaurov
0ddcae05b6 nginx-1.27.0-RELEASE 2024-05-28 17:19:38 +04:00
Sergey Kandaurov
34bd899287 HTTP/3: fixed handling of zero-length literal field line.
Previously, st->value was passed with NULL data pointer to header handlers.
2024-05-28 17:20:45 +04:00
Roman Arutyunyan
9ddc6a08f4 QUIC: ngx_quic_buffer_t use-after-free protection.
Previously the last chain field of ngx_quic_buffer_t could still reference freed
chains and buffers after calling ngx_quic_free_buffer().  While normally an
ngx_quic_buffer_t object should not be used after freeing, resetting last_chain
field would prevent a potential use-after-free.
2024-05-28 17:19:21 +04:00
Roman Arutyunyan
6f8c520f49 QUIC: ignore CRYPTO frames after handshake completion.
Sending handshake-level CRYPTO frames after the client's Finished message could
lead to memory disclosure and a potential segfault, if those frames are sent in
one packet with the Finished frame.
2024-05-28 17:19:08 +04:00
Roman Arutyunyan
cca5655dd9 HTTP/3: fixed dynamic table overflow.
While inserting a new entry into the dynamic table, first the entry is added,
and then older entries are evicted until table size is within capacity.  After
the first step, the number of entries may temporarily exceed the maximum
calculated from capacity by one entry, which previously caused table overflow.

The easiest way to trigger the issue is to keep adding entries with empty names
and values until first eviction.

The issue was introduced by 987bee4363d1.
2024-05-28 17:18:50 +04:00
Roman Arutyunyan
0fd59c8b56 HTTP/3: decoder stream pre-creation.
Previously a decoder stream was created on demand for sending Section
Acknowledgement, Stream Cancellation and Insert Count Increment.  If conditions
for sending any of these instructions never happen, a decoder stream is not
created at all.  These conditions include client not using the dynamic table and
no streams abandoned by server (RFC 9204, Section 2.2.2.2).  However RFC 9204,
Section 4.2 defines only one condition for not creating a decoder stream:

   An endpoint MAY avoid creating a decoder stream if its decoder sets
   the maximum capacity of the dynamic table to zero.

The change enables pre-creation of the decoder stream at HTTP/3 session
initialization if maximum dynamic table capacity is not zero.  Note that this
value is currently hardcoded to 4096 bytes and is not configurable, so the
stream is now always created.

Also, the change fixes a potential stack overflow when creating a decoder
stream in ngx_http_v3_send_cancel_stream() while draining a request stream by
ngx_drain_connections().  Creating a decoder stream involves calling
ngx_get_connection(), which calls ngx_drain_connections(), which will drain the
same request stream again.  If client's MAX_STREAMS for uni stream is high
enough, these recursive calls will continue until we run out of stack.
Otherwise, decoder stream creation will fail at some point and the request
stream connection will be drained.  This may result in use-after-free, since
this connection could still be referenced up the stack.
2024-05-28 17:18:28 +04:00
Sergey Kandaurov
683e304e8b QUIC: client transport parameter data length checking. 2024-05-28 17:17:19 +04:00
J Carter
71ca978a35 Upstream: variables support in proxy_limit_rate and friends. 2023-11-25 21:57:09 +00:00
Roman Arutyunyan
ea8270c614 Optimized chain link usage (ticket #2614).
Previously chain links could sometimes be dropped instead of being reused,
which could result in increased memory consumption during long requests.

A similar chain link issue in ngx_http_gzip_filter_module was fixed in
da46bfc484ef (1.11.10).

Based on a patch by Sangmin Lee.
2024-05-23 19:15:38 +04:00
Edgar Bonet
efc6a217b9 Configure: fixed building libatomic test.
Using "long *" instead of "AO_t *" leads either to -Wincompatible-pointer-types
or -Wpointer-sign warnings, depending on whether long and size_t are compatible
types (e.g., ILP32 versus LP64 data models).  Notably, -Wpointer-sign warnings
are enabled by default in Clang only, and -Wincompatible-pointer-types is an
error starting from GCC 14.

Signed-off-by: Edgar Bonet <bonet@grenoble.cnrs.fr>
2024-05-16 11:15:10 +02:00
Roman Arutyunyan
489e1e6191 Stream pass: disabled passing from or to udp.
Passing from udp was not possible for the most part due to preread buffer
restriction.  Passing to udp could occasionally work, but the connection would
still be bound to the original listen rbtree, which prevented it from being
deleted on connection closure.
2024-05-03 20:26:05 +04:00
Sergey Kandaurov
6f7494081a SSL: fixed possible configuration overwrite loading "engine:" keys.
When loading certificate keys via ENGINE_load_private_key() in runtime,
it was possible to overwrite configuration on ENGINE_by_id() failure.
OpenSSL documention doesn't describe errors in details, the only reason
I found in the comment to example is when the engine is not available.
2024-05-03 20:29:01 +04:00
Sergey Kandaurov
a7e3cd52e0 HTTP/3: fixed handling of malformed request body length.
Previously, a request body larger than declared in Content-Length resulted in
a 413 status code, because Content-Length was mistakenly used as the maximum
allowed request body, similar to client_max_body_size.  Following the HTTP/3
specification, such requests are now rejected with the 400 error as malformed.
2024-05-03 20:28:32 +04:00
Sergey Kandaurov
3f0fe15a98 Version bump. 2024-05-03 20:28:22 +04:00
Roman Arutyunyan
d8a849ae3c release-1.25.5 tag 2024-04-16 18:29:59 +04:00
Roman Arutyunyan
14f8190ce7 nginx-1.25.5-RELEASE 2024-04-16 18:27:50 +04:00
Roman Arutyunyan
bf3e6538b9 Stream pass: limited the number of passes per connection.
Previously a cycle in pass configuration resulted in stack overflow.
2024-04-11 11:37:30 +04:00
Vladimir Khomutov
92f9968571 QUIC: fixed close timer processing with early data.
The ngx_quic_run() function uses qc->close timer to limit the handshake
duration.  Normally it is removed by ngx_quic_do_init_streams() which is
called once when we are done with initial SSL processing.

The problem happens when the client sends early data and streams are
initialized in the ngx_quic_run() -> ngx_quic_handle_datagram() call.
The order of set/remove timer calls is now reversed; the close timer is
set up and the timer fires when assigned, starting the unexpected connection
close process.

The fix is to skip setting the timer if streams were initialized during
handling of the initial datagram.  The idle timer for quic is set anyway,
and stream-related timeouts are managed by application layer.
2024-04-10 09:38:10 +03:00
Piotr Sikora
e3207a17f0 Configure: allow cross-compiling to Windows using Clang.
Signed-off-by: Piotr Sikora <piotr@aviatrix.com>
2024-02-26 20:00:48 +00:00
Piotr Sikora
b595a68df9 Configure: fixed "make install" when cross-compiling to Windows.
Signed-off-by: Piotr Sikora <piotr@aviatrix.com>
2024-02-26 20:00:46 +00:00
Piotr Sikora
2deded362e Configure: added support for Homebrew on Apple Silicon.
Signed-off-by: Piotr Sikora <piotr@aviatrix.com>
2024-02-26 20:00:43 +00:00
Sergey Kandaurov
6b1bb998c9 Configure: set cache line size for more architectures.
Based on a patch by Piotr Sikora.
2024-03-27 19:36:51 +04:00
Piotr Sikora
1bc19fe2db Detect cache line size at runtime on macOS.
Notably, Apple Silicon CPUs have 128 byte cache line size,
which is twice the default configured for generic aarch64.

Signed-off-by: Piotr Sikora <piotr@aviatrix.com>
2024-02-26 20:00:40 +00:00
Sergey Kandaurov
818f98da1c Configure: fixed Linux crypt_r() test to add libcrypt.
Previously, the resulting binary was successfully linked
because libcrypt was added in a separate test for crypt().

Patch by Piotr Sikora.
2024-02-26 20:00:38 +00:00
Piotr Sikora
eff2ea1d69 Win32: fixed unique file index calculations.
The old code was breaking strict aliasing rules.

Signed-off-by: Piotr Sikora <piotr@aviatrix.com>
2024-02-26 20:00:35 +00:00
Piotr Sikora
2f9e8431e6 Rewrite: fixed "return" directive without response text.
Previously, the response text wasn't initialized and the rewrite module
was sending response body set to NULL.

Found with UndefinedBehaviorSanitizer (pointer-overflow).

Signed-off-by: Piotr Sikora <piotr@aviatrix.com>
2024-02-26 20:00:28 +00:00
Sergey Kandaurov
3d5a356abb Fixed undefined behaviour with IPv4-mapped IPv6 addresses.
Previously, it could result when left-shifting signed integer due to implicit
integer promotion, such that the most significant bit appeared on the sign bit.

In practice, though, this results in the same left value as with an explicit
cast, at least on known compilers, such as GCC and Clang.  The reason is that
in_addr_t, which is equivalent to uint32_t and same as "unsigned int" in ILP32
and LP64 data type models, has the same type width as the intermediate after
integer promotion, so there's no side effects such as sign-extension.  This
explains why adding an explicit cast does not change object files in practice.

Found with UndefinedBehaviorSanitizer (shift).

Based on a patch by Piotr Sikora.
2024-03-18 17:14:30 +04:00