nginx.git/src/event, branch release-1.11.12 nginx Fixed a comment. 2017-03-17T09:09:31+00:00 Ruslan Ermilov ru@nginx.com 2017-03-17T09:09:31+00:00 05f5a7325d939ade37daf1e2d4b34f4e83d49aff 






Cancelable timers are now preserved if there are other timers.
2017-03-07T15:51:15+00:00

Maxim Dounin
mdounin@mdounin.ru

2017-03-07T15:51:15+00:00

1a58418ae76a96c830a0536432e96a9ad051bc58

There is no need to cancel timers early if there are other timers blocking
shutdown anyway.  Preserving such timers allows nginx to continue some
periodic work till the shutdown is actually possible.

With the new approach, timers with ev->cancelable are simply ignored when
checking if there are any timers left during shutdown.





There is no need to cancel timers early if there are other timers blocking
shutdown anyway.  Preserving such timers allows nginx to continue some
periodic work till the shutdown is actually possible.

With the new approach, timers with ev->cancelable are simply ignored when
checking if there are any timers left during shutdown.







Added missing "static" specifiers found by gcc -Wtraditional.
2017-03-06T08:09:47+00:00

Ruslan Ermilov
ru@nginx.com

2017-03-06T08:09:47+00:00

0f89206a1078a216961d974ed5bcf6464b65cbdf












Added missing static specifiers.
2017-03-02T13:46:00+00:00

Eran Kornblau
erankor@gmail.com

2017-03-02T13:46:00+00:00

0759f088a532ec48170ca03d694cc103757a0f4c












SSL: clear error queue after OPENSSL_init_ssl().
2017-02-06T15:38:06+00:00

Sergey Kandaurov
pluknet@nginx.com

2017-02-06T15:38:06+00:00

9af7dc2b44acb388f27e492ddc82116d082d02ab

The function may leave error in the error queue while returning success,
e.g., when taking a DSO reference to itself as of OpenSSL 1.1.0d:
https://git.openssl.org/?p=openssl.git;a=commit;h=4af9f7f

Notably, this fixes alert seen with statically linked OpenSSL on some platforms.

While here, check OPENSSL_init_ssl() return value.





The function may leave error in the error queue while returning success,
e.g., when taking a DSO reference to itself as of OpenSSL 1.1.0d:
https://git.openssl.org/?p=openssl.git;a=commit;h=4af9f7f

Notably, this fixes alert seen with statically linked OpenSSL on some platforms.

While here, check OPENSSL_init_ssl() return value.







Upstream: fixed cache corruption and socket leaks with aio_write.
2017-01-20T18:14:19+00:00

Maxim Dounin
mdounin@mdounin.ru

2017-01-20T18:14:19+00:00

e66073c4d3a3d25b001dee617ee22d2a969ceab2

The ngx_event_pipe() function wasn't called on write events with
wev->delayed set.  As a result, threaded writing results weren't
properly collected in ngx_event_pipe_write_to_downstream() when a
write event was triggered for a completed write.

Further, this wasn't detected, as p->aio was reset by a thread completion
handler, and results were later collected in ngx_event_pipe_read_upstream()
instead of scheduling a new write of additional data.  If this happened
on the last reading from an upstream, last part of the response was never
written to the cache file.

Similar problems might also happen in case of timeouts when writing to
client, as this also results in ngx_event_pipe() not being called on write
events.  In this scenario socket leaks were observed.

Fix is to check if p->writing is set in ngx_event_pipe_read_upstream(), and
therefore collect results of previous write operations in case of read events
as well, similar to how we do so in ngx_event_pipe_write_downstream().
This is enough to fix the wev->delayed case.  Additionally, we now call
ngx_event_pipe() from ngx_http_upstream_process_request() if there are
uncollected write operations (p->writing and !p->aio).  This also fixes
the wev->timedout case.





The ngx_event_pipe() function wasn't called on write events with
wev->delayed set.  As a result, threaded writing results weren't
properly collected in ngx_event_pipe_write_to_downstream() when a
write event was triggered for a completed write.

Further, this wasn't detected, as p->aio was reset by a thread completion
handler, and results were later collected in ngx_event_pipe_read_upstream()
instead of scheduling a new write of additional data.  If this happened
on the last reading from an upstream, last part of the response was never
written to the cache file.

Similar problems might also happen in case of timeouts when writing to
client, as this also results in ngx_event_pipe() not being called on write
events.  In this scenario socket leaks were observed.

Fix is to check if p->writing is set in ngx_event_pipe_read_upstream(), and
therefore collect results of previous write operations in case of read events
as well, similar to how we do so in ngx_event_pipe_write_downstream().
This is enough to fix the wev->delayed case.  Additionally, we now call
ngx_event_pipe() from ngx_http_upstream_process_request() if there are
uncollected write operations (p->writing and !p->aio).  This also fixes
the wev->timedout case.







SSL: support AES256 encryption of tickets.
2016-12-23T14:28:20+00:00

Maxim Dounin
mdounin@mdounin.ru

2016-12-23T14:28:20+00:00

c2d3d82ccbea18f0504fbaceeee6efb62da8d1d8

This implies ticket key size of 80 bytes instead of previously used 48,
as both HMAC and AES keys are 32 bytes now.  When an old 48-byte ticket key
is provided, we fall back to using backward-compatible AES128 encryption.

OpenSSL switched to using AES256 in 1.1.0, and we are providing equivalent
security.  While here, order of HMAC and AES keys was reverted to make
the implementation compatible with keys used by OpenSSL with
SSL_CTX_set_tlsext_ticket_keys().

Prodded by Christian Klinger.





This implies ticket key size of 80 bytes instead of previously used 48,
as both HMAC and AES keys are 32 bytes now.  When an old 48-byte ticket key
is provided, we fall back to using backward-compatible AES128 encryption.

OpenSSL switched to using AES256 in 1.1.0, and we are providing equivalent
security.  While here, order of HMAC and AES keys was reverted to make
the implementation compatible with keys used by OpenSSL with
SSL_CTX_set_tlsext_ticket_keys().

Prodded by Christian Klinger.







SSL: backed out changeset e7cb5deb951d, reimplemented properly.
2016-12-15T16:00:23+00:00

Maxim Dounin
mdounin@mdounin.ru

2016-12-15T16:00:23+00:00

3294292b667ffa9ad55c7bd2e59943bd6eca4a4d

Changeset e7cb5deb951d breaks build on CentOS 5 with "dereferencing
type-punned pointer will break strict-aliasing rules" warning.  It is
backed out.

Instead, to keep builds with BoringSSL happy, type of the "value"
variable changed to "char *", and an explicit cast added before calling
ngx_parse_http_time().





Changeset e7cb5deb951d breaks build on CentOS 5 with "dereferencing
type-punned pointer will break strict-aliasing rules" warning.  It is
backed out.

Instead, to keep builds with BoringSSL happy, type of the "value"
variable changed to "char *", and an explicit cast added before calling
ngx_parse_http_time().







SSL: fix call to BIO_get_mem_data().
2016-12-13T22:19:30+00:00

Piotr Sikora
piotrsikora@google.com

2016-12-13T22:19:30+00:00

592dbcc3151e49f6ee0602812adcaa6ffa885317

Fixes build with BoringSSL.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>





Fixes build with BoringSSL.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>







SSL: $ssl_curves (ticket #1088).
2016-12-05T19:23:23+00:00

Maxim Dounin
mdounin@mdounin.ru

2016-12-05T19:23:23+00:00

551091951a479e2f512062c51bdcc6157a211164

The variable contains a list of curves as supported by the client.
Known curves are listed by their names, unknown ones are shown
in hex, e.g., "0x001d:prime256v1:secp521r1:secp384r1".

Note that OpenSSL uses session data for SSL_get1_curves(), and
it doesn't store full list of curves supported by the client when
serializing a session.  As a result $ssl_curves is only available
for new sessions (and will be empty for reused ones).

The variable is only meaningful when using OpenSSL 1.0.2 and above.
With older versions the variable is empty.





The variable contains a list of curves as supported by the client.
Known curves are listed by their names, unknown ones are shown
in hex, e.g., "0x001d:prime256v1:secp521r1:secp384r1".

Note that OpenSSL uses session data for SSL_get1_curves(), and
it doesn't store full list of curves supported by the client when
serializing a session.  As a result $ssl_curves is only available
for new sessions (and will be empty for reused ones).

The variable is only meaningful when using OpenSSL 1.0.2 and above.
With older versions the variable is empty.