nginx.git, branch release-1.25.3

nginx-1.25.3-RELEASE

2023-10-24T13:46:46+00:00

Updated OpenSSL and zlib used for win32 builds.

2023-10-23T18:50:26+00:00

HTTP/2: fixed buffer management with HTTP/2 auto-detection.

2023-10-21T14:48:24+00:00

As part of normal HTTP/2 processing, incomplete frames are saved in the
control state using a fixed size memcpy of NGX_HTTP_V2_STATE_BUFFER_SIZE.
For this matter, two state buffers are reserved in the HTTP/2 recv buffer.

As part of HTTP/2 auto-detection on plain TCP connections, initial data
is first read into a buffer specified by the client_header_buffer_size
directive that doesn't have state reservation.  Previously, this made it
possible to over-read the buffer as part of saving the state.

The fix is to read the available buffer size rather than a fixed size.
Although memcpy of a fixed size can produce a better optimized code,
handling of incomplete frames isn't a common execution path, so it was
sacrificed for the sake of simplicity of the fix.

QUIC: explicitly zero out unused keying material.

2023-10-20T14:05:07+00:00

QUIC: removed key field from ngx_quic_secret_t.

2023-10-20T14:05:07+00:00

It is made local as it is only needed now when creating crypto context.

BoringSSL lacks EVP interface for ChaCha20, providing instead
a function for one-shot encryption, thus hp is still preserved.

Based on a patch by Roman Arutyunyan.

QUIC: simplified ngx_quic_ciphers() API.

2023-10-20T14:05:07+00:00

After conversion to reusable crypto ctx, now there's enough caller
context to remove the "level" argument from ngx_quic_ciphers().

QUIC: cleaned up now unused ngx_quic_ciphers() calls.

2023-10-20T14:05:07+00:00

QUIC: reusing crypto contexts for header protection.

2023-10-20T14:05:07+00:00

QUIC: common code for crypto open and seal operations.

2023-10-20T14:05:07+00:00

QUIC: reusing crypto contexts for packet protection.

2023-10-20T14:05:07+00:00