9185:c458cd00bb0b | 14-Nov-2023 |
Sergey Kandaurov |
Adjusted Huffman coding debug logging, missed in 7977:336084ff943b.
Spotted by XingY Wang. |
9184:7ec761f0365f | 26-Oct-2023 |
Vladimir Khomutov |
QUIC: improved packet and frames debug tracing.
Currently, packets generated by ngx_quic_frame_sendto() and ngx_quic_send_early_cc() are not logged, thus making it hard to read logs due to gaps appe
QUIC: improved packet and frames debug tracing.
Currently, packets generated by ngx_quic_frame_sendto() and ngx_quic_send_early_cc() are not logged, thus making it hard to read logs due to gaps appearing in packet numbers sequence.
At frames level, it is handy to see immediately packet number in which they arrived or being sent.
show more ...
|
9183:8b1526a7e383 | 26-Oct-2023 |
Sergey Kandaurov |
Version bump. |
9182:25a2efd97a3e | 24-Oct-2023 |
Maxim Dounin |
release-1.25.3 tag |
Revision tags: release-1.25.3 |
|
9181:294a3d07234f | 24-Oct-2023 |
Maxim Dounin |
nginx-1.25.3-RELEASE |
9180:782535848b3e | 23-Oct-2023 |
Maxim Dounin |
Updated OpenSSL and zlib used for win32 builds. |
9179:ea1f29c2010c | 21-Oct-2023 |
Sergey Kandaurov |
HTTP/2: fixed buffer management with HTTP/2 auto-detection.
As part of normal HTTP/2 processing, incomplete frames are saved in the control state using a fixed size memcpy of NGX_HTTP_V2_STATE_BUFFE
HTTP/2: fixed buffer management with HTTP/2 auto-detection.
As part of normal HTTP/2 processing, incomplete frames are saved in the control state using a fixed size memcpy of NGX_HTTP_V2_STATE_BUFFER_SIZE. For this matter, two state buffers are reserved in the HTTP/2 recv buffer.
As part of HTTP/2 auto-detection on plain TCP connections, initial data is first read into a buffer specified by the client_header_buffer_size directive that doesn't have state reservation. Previously, this made it possible to over-read the buffer as part of saving the state.
The fix is to read the available buffer size rather than a fixed size. Although memcpy of a fixed size can produce a better optimized code, handling of incomplete frames isn't a common execution path, so it was sacrificed for the sake of simplicity of the fix.
show more ...
|
9178:b74f891053c7 | 20-Oct-2023 |
Sergey Kandaurov |
QUIC: explicitly zero out unused keying material. |
9177:22d110af473c | 20-Oct-2023 |
Sergey Kandaurov |
QUIC: removed key field from ngx_quic_secret_t.
It is made local as it is only needed now when creating crypto context.
BoringSSL lacks EVP interface for ChaCha20, providing instead a function for
QUIC: removed key field from ngx_quic_secret_t.
It is made local as it is only needed now when creating crypto context.
BoringSSL lacks EVP interface for ChaCha20, providing instead a function for one-shot encryption, thus hp is still preserved.
Based on a patch by Roman Arutyunyan.
show more ...
|
9176:8dacf87e4007 | 20-Oct-2023 |
Sergey Kandaurov |
QUIC: simplified ngx_quic_ciphers() API.
After conversion to reusable crypto ctx, now there's enough caller context to remove the "level" argument from ngx_quic_ciphers(). |
9175:f7c9cd726298 | 20-Oct-2023 |
Sergey Kandaurov |
QUIC: cleaned up now unused ngx_quic_ciphers() calls. |
9174:31702c53d2db | 20-Oct-2023 |
Sergey Kandaurov |
QUIC: reusing crypto contexts for header protection. |
9173:904a54092d5b | 20-Oct-2023 |
Sergey Kandaurov |
QUIC: common code for crypto open and seal operations. |
9172:4ccb0d973206 | 20-Oct-2023 |
Sergey Kandaurov |
QUIC: reusing crypto contexts for packet protection. |
9171:f98636db77ef | 20-Oct-2023 |
Sergey Kandaurov |
QUIC: renamed protection functions.
Now these functions have names ngx_quic_crypto_XXX():
- ngx_quic_tls_open() -> ngx_quic_crypto_open() - ngx_quic_tls_seal() -> ngx_quic_crypto_seal() - ngx
QUIC: renamed protection functions.
Now these functions have names ngx_quic_crypto_XXX():
- ngx_quic_tls_open() -> ngx_quic_crypto_open() - ngx_quic_tls_seal() -> ngx_quic_crypto_seal() - ngx_quic_tls_hp() -> ngx_quic_crypto_hp()
show more ...
|
9170:c80d111340dc | 20-Oct-2023 |
Sergey Kandaurov |
QUIC: prevented generating ACK frames with discarded keys.
Previously it was possible to generate ACK frames using formally discarded protection keys, in particular, when acknowledging a client Hand
QUIC: prevented generating ACK frames with discarded keys.
Previously it was possible to generate ACK frames using formally discarded protection keys, in particular, when acknowledging a client Handshake packet used to complete the TLS handshake and to discard handshake protection keys. As it happens late in packet processing, it could be possible to generate ACK frames after the keys were already discarded.
ACK frames are generated from ngx_quic_ack_packet(), either using a posted push event, which envolves ngx_quic_generate_ack() as a part of the final packet assembling, or directly in ngx_quic_ack_packet(), such as when there is no room to add a new ACK range or when the received packet is out of order. The added keys availability check is used to avoid generating late ACK frames in both cases.
show more ...
|
9169:60c4e8d3151f | 20-Oct-2023 |
Sergey Kandaurov |
QUIC: added safety belt to prevent using discarded keys.
In addition to triggering alert, it ensures that such packets won't be sent.
With the previous change that marks server keys as discarded by
QUIC: added safety belt to prevent using discarded keys.
In addition to triggering alert, it ensures that such packets won't be sent.
With the previous change that marks server keys as discarded by zeroing the key lengh, it is now an error to send packets with discarded keys. OpenSSL based stacks tolerate such behaviour because key length isn't used in packet protection, but BoringSSL will raise the UNSUPPORTED_KEY_SIZE cipher error. It won't be possible to use discarded keys with reused crypto contexts as it happens in subsequent changes.
show more ...
|
9168:ff98ae7d261e | 31-Aug-2023 |
Sergey Kandaurov |
QUIC: split keys availability checks to read and write sides.
Keys may be released by TLS stack in different times, so it makes sense to check this independently as well. This allows to fine-tune w
QUIC: split keys availability checks to read and write sides.
Keys may be released by TLS stack in different times, so it makes sense to check this independently as well. This allows to fine-tune what key direction is used when checking keys availability.
When discarding, server keys are now marked in addition to client keys.
show more ...
|
9167:3038bd4d7816 | 18-Oct-2023 |
Maxim Dounin |
Core: changed ngx_queue_sort() to use merge sort.
This improves nginx startup times significantly when using very large number of locations due to computational complexity of the sorting algorithm b
Core: changed ngx_queue_sort() to use merge sort.
This improves nginx startup times significantly when using very large number of locations due to computational complexity of the sorting algorithm being used: insertion sort is O(n*n) on average, while merge sort is O(n*log(n)). In particular, in a test configuration with 20k locations total startup time is reduced from 8 seconds to 0.9 seconds.
Prodded by Yusuke Nojima, https://mailman.nginx.org/pipermail/nginx-devel/2023-September/NUL3Y2FPPFSHMPTFTL65KXSXNTX3NQMK.html
show more ...
|
9166:533bc2336df4 | 16-Oct-2023 |
Maxim Dounin |
Core: fixed memory leak on configuration reload with PCRE2.
In ngx_regex_cleanup() allocator wasn't configured when calling pcre2_compile_context_free() and pcre2_match_data_free(), resulting in no
Core: fixed memory leak on configuration reload with PCRE2.
In ngx_regex_cleanup() allocator wasn't configured when calling pcre2_compile_context_free() and pcre2_match_data_free(), resulting in no ngx_free() call and leaked memory. Fix is ensure that allocator is configured for global allocations, so that ngx_free() is actually called to free memory.
Additionally, ngx_regex_compile_context was cleared in ngx_regex_module_init(). It should be either not cleared, so it will be freed by ngx_regex_cleanup(), or properly freed. Fix is to not clear it, so ngx_regex_cleanup() will be able to free it.
Reported by ZhenZhong Wu, https://mailman.nginx.org/pipermail/nginx-devel/2023-September/3Z5FIKUDRN2WBSL3JWTZJ7SXDA6YIWPB.html
show more ...
|
9165:cdda286c0f1b | 10-Oct-2023 |
Maxim Dounin |
HTTP/2: per-iteration stream handling limit.
To ensure that attempts to flood servers with many streams are detected early, a limit of no more than 2 * max_concurrent_streams new streams per one eve
HTTP/2: per-iteration stream handling limit.
To ensure that attempts to flood servers with many streams are detected early, a limit of no more than 2 * max_concurrent_streams new streams per one event loop iteration was introduced. This limit is applied even if max_concurrent_streams is not yet reached - for example, if corresponding streams are handled synchronously or reset.
Further, refused streams are now limited to maximum of max_concurrent_streams and 100, similarly to priority_limit initial value, providing some tolerance to clients trying to open several streams at the connection start, yet low tolerance to flooding attempts.
show more ...
|
9164:3db945fda515 | 22-Sep-2023 |
Vladimir Khomutov |
QUIC: handle callback errors in compat.
The error may be triggered in add_handhshake_data() by incorrect transport parameter sent by client. The expected behaviour in this case is to close connecti
QUIC: handle callback errors in compat.
The error may be triggered in add_handhshake_data() by incorrect transport parameter sent by client. The expected behaviour in this case is to close connection complaining about incorrect parameter. Currently the connection just times out.
show more ...
|
9163:32b5aaebcca5 | 13-Sep-2023 |
Roman Arutyunyan |
Modules compatibility: added QUIC to signature (ticket #2539).
Enabling QUIC changes ngx_connection_t layout, which is why it should be added to the signature. |
9162:f9845e4b5c14 | 14-Sep-2023 |
Roman Arutyunyan |
QUIC: simplified setting close timer when closing connection.
Previously, the timer was never reset due to an explicit check. The check was added in 36b59521a41c as part of connection close simplif
QUIC: simplified setting close timer when closing connection.
Previously, the timer was never reset due to an explicit check. The check was added in 36b59521a41c as part of connection close simplification. The reason was to retain the earliest timeout. However, the timeouts are all the same while QUIC handshake is in progress and resetting the timer for the same value has no performance implications. After handshake completion there's only application level. The change removes the check.
show more ...
|
9161:4939fd04737f | 14-Sep-2023 |
Roman Arutyunyan |
HTTP/3: postponed session creation to init() callback.
Now the session object is assigned to c->data while ngx_http_connection_t object is referenced by its http_connection field, similar to ngx_htt
HTTP/3: postponed session creation to init() callback.
Now the session object is assigned to c->data while ngx_http_connection_t object is referenced by its http_connection field, similar to ngx_http_v2_connection_t and ngx_http_request_t.
The change allows to eliminate v3_session field from ngx_http_connection_t. The field was under NGX_HTTP_V3 macro, which was a source of binary compatibility problems when nginx/module is build with/without HTTP/3 support.
Postponing is essential since c->data should retain the reference to ngx_http_connection_t object throughout QUIC handshake, because SSL callbacks ngx_http_ssl_servername() and ngx_http_ssl_alpn_select() rely on this.
show more ...
|