nginx.git/src/event/quic, branch release-1.30.0 nginx QUIC: improved error handling in OpenSSL compat layer. 2026-02-27T15:35:04+00:00 user.email 123011167+lukefr09@users.noreply.github.com 2026-02-24T01:33:57+00:00 c67bf9415fca91434f047d6113435e4cc699c859 Previously ngx_quic_compat_create_record() could try to encrypt a TLS record even if encryption context was missing, which resulted in a NULL pointer dereference. The context is created by ngx_quic_compat_set_encryption_secret() called from the OpenSSL keylog callback. If an error occurred in that function, the context could remain missing. This could happen under memory pressure, if an allocation failed inside this function. The fix is to handle errors from ngx_quic_compat_set_encryption_secret() and set qc->error to trigger an error after SSL_do_handshake() return. Also, a check for context is added to ngx_quic_compat_create_record() to avoid other similar issues. 
Previously ngx_quic_compat_create_record() could try to encrypt a TLS
record even if encryption context was missing, which resulted in a NULL
pointer dereference.

The context is created by ngx_quic_compat_set_encryption_secret() called
from the OpenSSL keylog callback.  If an error occurred in that function,
the context could remain missing.  This could happen under memory pressure,
if an allocation failed inside this function.

The fix is to handle errors from ngx_quic_compat_set_encryption_secret()
and set qc->error to trigger an error after SSL_do_handshake() return.
Also, a check for context is added to ngx_quic_compat_create_record()
to avoid other similar issues.
QUIC: worker-bound stateless reset tokens. 2026-02-27T15:30:02+00:00 Roman Arutyunyan arut@nginx.com 2026-02-26T14:36:52+00:00 f72c7453f95143cd413dbc01d1ae9a28c67b39de Previously, it was possible to obtain a stateless reset token for a connection by routing its packet to a wrong worker. This allowed to terminate the connection. The fix is to bind stateless reset token to the worker number. 
Previously, it was possible to obtain a stateless reset token for a
connection by routing its packet to a wrong worker.  This allowed to
terminate the connection.

The fix is to bind stateless reset token to the worker number.
QUIC: fixed bpf compilation with newer Linux kernels. 2026-02-26T16:43:03+00:00 Roman Arutyunyan arut@nginx.com 2024-09-24T10:53:45+00:00 c4d3aed8c7e67e57da60940d1a19fe3c45a9433a QUIC bpf program previously used struct bpf_map_def which was deprecated in [1] (kernel version 5.18) and removed in [2] (kernel 6.1). New-style BTF map definitions were added in [3] (linux kernel 5.3). Switching the program to BTF is however not necessary since nginx has its own relocation procedure which allows referencing the real map structure by its file descriptor allocated earlier. In particular, bpf instruction BPF_LD_IMM64 (0x18/0x0) is substituted with instruction BPF_LD_MAP_FD (0x18/0x1) and map_fd is stored in the imm field, see [4] and [5] for details. To fix compilation, struct bpf_map_def is changed to a known type (int) and "extern" is added to indicate external linkage and reduce object file size. [1] https://github.com/torvalds/linux/commit/93b8952d223af03c51fba0c6258173d2ffbd2cb7 [2] https://github.com/torvalds/linux/commit/dc567045f1590f6460d3e9a6ea6ad5e600b58b84 [3] https://github.com/torvalds/linux/commit/abd29c9314595b1ee5ec6c61d7c49a497ffb30a3 [4] https://github.com/torvalds/linux/blob/master/include/linux/filter.h [5] https://datatracker.ietf.org/doc/rfc9669/ 
QUIC bpf program previously used struct bpf_map_def which was
deprecated in [1] (kernel version 5.18) and removed in [2] (kernel 6.1).
New-style BTF map definitions were added in [3] (linux kernel 5.3).

Switching the program to BTF is however not necessary since nginx has
its own relocation procedure which allows referencing the real map
structure by its file descriptor allocated earlier.  In particular,
bpf instruction BPF_LD_IMM64 (0x18/0x0) is substituted with instruction
BPF_LD_MAP_FD (0x18/0x1) and map_fd is stored in the imm field, see [4]
and [5] for details.

To fix compilation, struct bpf_map_def is changed to a known type (int)
and "extern" is added to indicate external linkage and reduce object
file size.

[1] https://github.com/torvalds/linux/commit/93b8952d223af03c51fba0c6258173d2ffbd2cb7
[2] https://github.com/torvalds/linux/commit/dc567045f1590f6460d3e9a6ea6ad5e600b58b84
[3] https://github.com/torvalds/linux/commit/abd29c9314595b1ee5ec6c61d7c49a497ffb30a3
[4] https://github.com/torvalds/linux/blob/master/include/linux/filter.h
[5] https://datatracker.ietf.org/doc/rfc9669/
QUIC: Stateless Reset rate limiting. 2026-02-26T14:05:07+00:00 Sergey Kandaurov pluknet@nginx.com 2026-02-25T17:09:21+00:00 e6ffe8384ebf1972faac9b031b9ff6182e79cfd6 It uses a bloom filter to limit sending Stateless Reset packets no more than once per second in average for the given address. This allows to address resource asymmetry from precomputed packets, as well as to limit potential Stateless Reset exchange. 
It uses a bloom filter to limit sending Stateless Reset packets no more
than once per second in average for the given address.  This allows to
address resource asymmetry from precomputed packets, as well as to limit
potential Stateless Reset exchange.
QUIC: refactored ngx_quic_address_hash(). 2026-02-26T14:05:07+00:00 Sergey Kandaurov pluknet@nginx.com 2026-02-25T17:07:01+00:00 2f039e6f7233c7fd9ab88888642410352572c089 Now it accepts an optional salt, to be used in a subsequent change. 
Now it accepts an optional salt, to be used in a subsequent change.
QUIC: moved ngx_quic_address_hash(). 2026-02-26T14:05:07+00:00 Sergey Kandaurov pluknet@nginx.com 2026-02-20T15:01:20+00:00 578c91818f1d68797323d6029e17a441a7438506 






QUIC: limited size of generated Stateless Reset packets.
2026-02-26T14:05:07+00:00

Sergey Kandaurov
pluknet@nginx.com

2026-02-20T14:52:56+00:00

4037746c8058cc8b02295e1a4f6f1c1db38b772e

Made sure to send packets smaller than the triggering packet,
following RFC 9000, Section 10.3.3.

Reported-by: cyberspace61





Made sure to send packets smaller than the triggering packet,
following RFC 9000, Section 10.3.3.

Reported-by: cyberspace61







QUIC: adjusted minimum packet size to send Stateless Reset.
2026-02-26T14:05:07+00:00

Sergey Kandaurov
pluknet@nginx.com

2026-02-20T14:59:06+00:00

2c7252dcad9f10e9a5ad39f7bfdf1ef86a307528

Now to be valid, it also assumes the Connection ID we require from a client.





Now to be valid, it also assumes the Connection ID we require from a client.







QUIC: fixed possible segfault on handshake failures.
2025-12-09T17:25:10+00:00

Jan Svojanovsky
jan.svojanovsky@cdn77.com

2025-12-09T11:27:02+00:00

66fde99b1d9113128778125c2f942f1d0f016be5

When using OpenSSL 3.5, the crypto_release_rcd QUIC callback can be
called late, after the QUIC connection was already closed on handshake
failure, resulting in a segmentation fault.  For instance, it happened
if a client Finished message didn't align with a record boundary.





When using OpenSSL 3.5, the crypto_release_rcd QUIC callback can be
called late, after the QUIC connection was already closed on handshake
failure, resulting in a segmentation fault.  For instance, it happened
if a client Finished message didn't align with a record boundary.







SSL: AWS-LC compatibility.
2025-09-25T15:28:36+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-30T12:26:21+00:00

93ff1ee12cd33ea978fbc331988ce265b14fbdab