History log of /nginx/ (Results 51 – 75 of 7285)
Revision Date Author Comments
9185:c458cd00bb0b 14-Nov-2023 Sergey Kandaurov

Adjusted Huffman coding debug logging, missed in 7977:336084ff943b.

Spotted by XingY Wang.

9184:7ec761f0365f 26-Oct-2023 Vladimir Khomutov

QUIC: improved packet and frames debug tracing.

Currently, packets generated by ngx_quic_frame_sendto() and
ngx_quic_send_early_cc() are not logged, thus making it hard
to read logs due to gaps appearing in packet numbers sequence.

At frames level, it is handy to see immediately packet number
in which they arrived or being sent.

9183:8b1526a7e383 26-Oct-2023 Sergey Kandaurov

Version bump.

9182:25a2efd97a3e 24-Oct-2023 Maxim Dounin

release-1.25.3 tag

Revision tags: release-1.25.3
9181:294a3d07234f 24-Oct-2023 Maxim Dounin

nginx-1.25.3-RELEASE

9180:782535848b3e 23-Oct-2023 Maxim Dounin

Updated OpenSSL and zlib used for win32 builds.

9179:ea1f29c2010c 21-Oct-2023 Sergey Kandaurov

HTTP/2: fixed buffer management with HTTP/2 auto-detection.

As part of normal HTTP/2 processing, incomplete frames are saved in the
control state using a fixed size memcpy of NGX_HTTP_V2_STATE_BUFFER_SIZE.
For this matter, two state buffers are reserved in the HTTP/2 recv buffer.

As part of HTTP/2 auto-detection on plain TCP connections, initial data
is first read into a buffer specified by the client_header_buffer_size
directive that doesn't have state reservation. Previously, this made it
possible to over-read the buffer as part of saving the state.

The fix is to read the available buffer size rather than a fixed size.
Although memcpy of a fixed size can produce a better optimized code,
handling of incomplete frames isn't a common execution path, so it was
sacrificed for the sake of simplicity of the fix.

9178:b74f891053c7 20-Oct-2023 Sergey Kandaurov

QUIC: explicitly zero out unused keying material.

9177:22d110af473c 20-Oct-2023 Sergey Kandaurov

QUIC: removed key field from ngx_quic_secret_t.

It is made local as it is only needed now when creating crypto context.

BoringSSL lacks EVP interface for ChaCha20, providing instead
a function for one-shot encryption, thus hp is still preserved.

Based on a patch by Roman Arutyunyan.

9176:8dacf87e4007 20-Oct-2023 Sergey Kandaurov

QUIC: simplified ngx_quic_ciphers() API.

After conversion to reusable crypto ctx, now there's enough caller
context to remove the "level" argument from ngx_quic_ciphers().

9175:f7c9cd726298 20-Oct-2023 Sergey Kandaurov

QUIC: cleaned up now unused ngx_quic_ciphers() calls.

9174:31702c53d2db 20-Oct-2023 Sergey Kandaurov

QUIC: reusing crypto contexts for header protection.

9173:904a54092d5b 20-Oct-2023 Sergey Kandaurov

QUIC: common code for crypto open and seal operations.

9172:4ccb0d973206 20-Oct-2023 Sergey Kandaurov

QUIC: reusing crypto contexts for packet protection.

9171:f98636db77ef 20-Oct-2023 Sergey Kandaurov

QUIC: renamed protection functions.

Now these functions have names ngx_quic_crypto_XXX():

- ngx_quic_tls_open() -> ngx_quic_crypto_open()
- ngx_quic_tls_seal() -> ngx_quic_crypto_seal()
- ngx_quic_tls_hp() -> ngx_quic_crypto_hp()

9170:c80d111340dc 20-Oct-2023 Sergey Kandaurov

QUIC: prevented generating ACK frames with discarded keys.

Previously it was possible to generate ACK frames using formally discarded
protection keys, in particular, when acknowledging a client Handshake packet
used to complete the TLS handshake and to discard handshake protection keys.
As it happens late in packet processing, it could be possible to generate ACK
frames after the keys were already discarded.

ACK frames are generated from ngx_quic_ack_packet(), either using a posted
push event, which involves ngx_quic_generate_ack() as a part of the final
packet assembling, or directly in ngx_quic_ack_packet(), such as when there
is no room to add a new ACK range or when the received packet is out of order.
The added keys availability check is used to avoid generating late ACK frames
in both cases.

9169:60c4e8d3151f 20-Oct-2023 Sergey Kandaurov

QUIC: added safety belt to prevent using discarded keys.

In addition to triggering alert, it ensures that such packets won't be sent.

With the previous change that marks server keys as discarded by zeroing the
key length, it is now an error to send packets with discarded keys. OpenSSL
based stacks tolerate such behaviour because key length isn't used in packet
protection, but BoringSSL will raise the UNSUPPORTED_KEY_SIZE cipher error.
It won't be possible to use discarded keys with reused crypto contexts as it
happens in subsequent changes.

9168:ff98ae7d261e 31-Aug-2023 Sergey Kandaurov

QUIC: split keys availability checks to read and write sides.

Keys may be released by TLS stack in different times, so it makes sense
to check this independently as well. This allows to fine-tune what key
direction is used when checking keys availability.

When discarding, server keys are now marked in addition to client keys.

9167:3038bd4d7816 18-Oct-2023 Maxim Dounin

Core: changed ngx_queue_sort() to use merge sort.

This improves nginx startup times significantly when using very large number
of locations due to computational complexity of the sorting algorithm being
used: insertion sort is O(n*n) on average, while merge sort is O(n*log(n)).
In particular, in a test configuration with 20k locations total startup
time is reduced from 8 seconds to 0.9 seconds.

Prodded by Yusuke Nojima,
https://mailman.nginx.org/pipermail/nginx-devel/2023-September/NUL3Y2FPPFSHMPTFTL65KXSXNTX3NQMK.html

9166:533bc2336df4 16-Oct-2023 Maxim Dounin

Core: fixed memory leak on configuration reload with PCRE2.

In ngx_regex_cleanup() allocator wasn't configured when calling
pcre2_compile_context_free() and pcre2_match_data_free(), resulting
in no ngx_free() call and leaked memory. Fix is to ensure that allocator
is configured for global allocations, so that ngx_free() is actually
called to free memory.

Additionally, ngx_regex_compile_context was cleared in
ngx_regex_module_init(). It should be either not cleared, so it will
be freed by ngx_regex_cleanup(), or properly freed. Fix is to
not clear it, so ngx_regex_cleanup() will be able to free it.

Reported by ZhenZhong Wu,
https://mailman.nginx.org/pipermail/nginx-devel/2023-September/3Z5FIKUDRN2WBSL3JWTZJ7SXDA6YIWPB.html

9165:cdda286c0f1b 10-Oct-2023 Maxim Dounin

HTTP/2: per-iteration stream handling limit.

To ensure that attempts to flood servers with many streams are detected
early, a limit of no more than 2 * max_concurrent_streams new streams per one
event loop iteration was introduced. This limit is applied even if
max_concurrent_streams is not yet reached - for example, if corresponding
streams are handled synchronously or reset.

Further, refused streams are now limited to maximum of max_concurrent_streams
and 100, similarly to priority_limit initial value, providing some tolerance
to clients trying to open several streams at the connection start, yet
low tolerance to flooding attempts.

9164:3db945fda515 22-Sep-2023 Vladimir Khomutov

QUIC: handle callback errors in compat.

The error may be triggered in add_handshake_data() by incorrect transport
parameter sent by client. The expected behaviour in this case is to close
connection complaining about incorrect parameter. Currently the connection
just times out.

9163:32b5aaebcca5 13-Sep-2023 Roman Arutyunyan

Modules compatibility: added QUIC to signature (ticket #2539).

Enabling QUIC changes ngx_connection_t layout, which is why it should be
added to the signature.

9162:f9845e4b5c14 14-Sep-2023 Roman Arutyunyan

QUIC: simplified setting close timer when closing connection.

Previously, the timer was never reset due to an explicit check. The check was
added in 36b59521a41c as part of connection close simplification. The reason
was to retain the earliest timeout. However, the timeouts are all the same
while QUIC handshake is in progress and resetting the timer for the same value
has no performance implications. After handshake completion there's only
application level. The change removes the check.

9161:4939fd04737f 14-Sep-2023 Roman Arutyunyan

HTTP/3: postponed session creation to init() callback.

Now the session object is assigned to c->data while ngx_http_connection_t
object is referenced by its http_connection field, similar to
ngx_http_v2_connection_t and ngx_http_request_t.

The change allows to eliminate v3_session field from ngx_http_connection_t.
The field was under NGX_HTTP_V3 macro, which was a source of binary
compatibility problems when nginx/module is built with/without HTTP/3 support.

Postponing is essential since c->data should retain the reference to
ngx_http_connection_t object throughout QUIC handshake, because SSL callbacks
ngx_http_ssl_servername() and ngx_http_ssl_alpn_select() rely on this.
