nginx.git/src/event, branch release-1.13.12 nginx Generate error for unsupported IPv6 transparent proxy. 2018-02-22T10:16:21+00:00 Roman Arutyunyan arut@nginx.com 2018-02-22T10:16:21+00:00 dd7dba520c20eb81576cfa5afd4570c50e83c990 On some platforms (for example, Linux with glibc 2.12-2.25) IPv4 transparent proxying is available, but IPv6 transparent proxying is not. The entire feature is enabled in this case and NGX_HAVE_TRANSPARENT_PROXY macro is set to 1. Previously, an attempt to enable transparency for an IPv6 socket was silently ignored in this case and was usually followed by a bind(2) EADDRNOTAVAIL error (ticket #1487). Now the error is generated for unavailable IPv6 transparent proxy. 
On some platforms (for example, Linux with glibc 2.12-2.25) IPv4 transparent
proxying is available, but IPv6 transparent proxying is not.  The entire feature
is enabled in this case and NGX_HAVE_TRANSPARENT_PROXY macro is set to 1.
Previously, an attempt to enable transparency for an IPv6 socket was silently
ignored in this case and was usually followed by a bind(2) EADDRNOTAVAIL error
(ticket #1487).  Now the error is generated for unavailable IPv6 transparent
proxy.
Fixed --test-build-eventport on macOS 10.12 and later. 2018-01-16T10:52:03+00:00 Ruslan Ermilov ru@nginx.com 2018-01-16T10:52:03+00:00 63a4dab7b0c5e99ed273fb51ef0f6e1714d39e56 In macOS 10.12, CLOCK_REALTIME and clockid_t were added, but not timer_t. 
In macOS 10.12, CLOCK_REALTIME and clockid_t were added, but not timer_t.
SSL: include <openssl/hmac.h>. 2017-10-11T22:43:50+00:00 Alessandro Ghedini alessandro@ghedini.me 2017-10-11T22:43:50+00:00 5fee8f76b529e38ec0ba6e7e81e26be3e3e85548 This header carries the definition of HMAC_Init_ex(). In OpenSSL this header is included by <openssl/ssl.h>, but it's not so in BoringSSL. It's probably a good idea to explicitly include this header anyway, regardless of whether it's included by other headers or not. 
This header carries the definition of HMAC_Init_ex(). In OpenSSL this
header is included by <openssl/ssl.h>, but it's not so in BoringSSL.

It's probably a good idea to explicitly include this header anyway,
regardless of whether it's included by other headers or not.
Fixed buffer overread with unix sockets after accept(). 2017-10-04T18:19:33+00:00 Maxim Dounin mdounin@mdounin.ru 2017-10-04T18:19:33+00:00 2e1e65a5c0a9f8ba5b7b3ce848176482ba4da654 Some OSes (notably macOS, NetBSD, and Solaris) allow unix socket addresses larger than struct sockaddr_un. Moreover, some of them (macOS, Solaris) return socklen of the socket address before it was truncated to fit the buffer provided. As such, on these systems socklen must not be used without additional check that it is within the buffer provided. Appropriate checks added to ngx_event_accept() (after accept()), ngx_event_recvmsg() (after recvmsg()), and ngx_set_inherited_sockets() (after getsockname()). We also obtain socket addresses via getsockname() in ngx_connection_local_sockaddr(), but it does not need any checks as it is only used for INET and INET6 sockets (as there can be no wildcard unix sockets). 
Some OSes (notably macOS, NetBSD, and Solaris) allow unix socket addresses
larger than struct sockaddr_un.  Moreover, some of them (macOS, Solaris)
return socklen of the socket address before it was truncated to fit the
buffer provided.  As such, on these systems socklen must not be used without
additional check that it is within the buffer provided.

Appropriate checks added to ngx_event_accept() (after accept()),
ngx_event_recvmsg() (after recvmsg()), and ngx_set_inherited_sockets()
(after getsockname()).

We also obtain socket addresses via getsockname() in
ngx_connection_local_sockaddr(), but it does not need any checks as
it is only used for INET and INET6 sockets (as there can be no
wildcard unix sockets).
SSL: fixed possible use-after-free in $ssl_server_name. 2017-08-22T14:36:12+00:00 Maxim Dounin mdounin@mdounin.ru 2017-08-22T14:36:12+00:00 ed0cc4d52308b75ab217724392994e6828af4fda The $ssl_server_name variable used SSL_get_servername() result directly, but this is not safe: it references a memory allocation in an SSL session, and this memory might be freed at any time due to renegotiation. Instead, copy the name to memory allocated from the pool. 
The $ssl_server_name variable used SSL_get_servername() result directly,
but this is not safe: it references a memory allocation in an SSL
session, and this memory might be freed at any time due to renegotiation.
Instead, copy the name to memory allocated from the pool.
SSL: the $ssl_client_escaped_cert variable (ticket #857). 2017-08-22T12:18:10+00:00 Maxim Dounin mdounin@mdounin.ru 2017-08-22T12:18:10+00:00 50a0f25c60bcc0fb46efcab00985c200c08c2b2f This variable contains URL-encoded client SSL certificate. In contrast to $ssl_client_cert, it doesn't depend on deprecated header continuation. The NGX_ESCAPE_URI_COMPONENT variant of encoding is used, so the resulting variable can be safely used not only in headers, but also as a request argument. The $ssl_client_cert variable should be considered deprecated now. The $ssl_client_raw_cert variable will be eventually renambed back to $ssl_client_cert. 
This variable contains URL-encoded client SSL certificate.  In contrast
to $ssl_client_cert, it doesn't depend on deprecated header continuation.
The NGX_ESCAPE_URI_COMPONENT variant of encoding is used, so the resulting
variable can be safely used not only in headers, but also as a request
argument.

The $ssl_client_cert variable should be considered deprecated now.
The $ssl_client_raw_cert variable will be eventually renambed back
to $ssl_client_cert.
Restored ngx_event_aio_t layout for debug logging. 2017-08-10T19:21:22+00:00 Maxim Dounin mdounin@mdounin.ru 2017-08-10T19:21:22+00:00 dd5ab4a11f5b423482f63c78835c9dddada766fb The "fd" field should be after 3 pointers for ngx_event_ident() to use it. This was broken by ccad84a174e0. While it does not seem to be currently used for aio-related events, it should be a good idea to preserve the correct layout nevertheless. 
The "fd" field should be after 3 pointers for ngx_event_ident() to use it.
This was broken by ccad84a174e0.  While it does not seem to be currently used
for aio-related events, it should be a good idea to preserve the correct
layout nevertheless.
Fixed calls to ngx_open_file() in certain places. 2017-08-09T12:03:27+00:00 Sergey Kandaurov pluknet@nginx.com 2017-08-09T12:03:27+00:00 b986b4314bb4f8fdcbcfe93c89a659d3d18691bc Pass NGX_FILE_OPEN to ngx_open_file() to fix "The parameter is incorrect" error on win32 when using the ssl_session_ticket_key directive or loading a binary geo base. On UNIX, this change is a no-op. 
Pass NGX_FILE_OPEN to ngx_open_file() to fix "The parameter is incorrect"
error on win32 when using the ssl_session_ticket_key directive or loading
a binary geo base.  On UNIX, this change is a no-op.
Style. 2017-08-09T11:59:46+00:00 Sergey Kandaurov pluknet@nginx.com 2017-08-09T11:59:46+00:00 32c7bd5102571ec20e45f620d2916e612e3b2016 






SSL: fixed typo in the error message.
2017-07-25T14:21:59+00:00

Sergey Kandaurov
pluknet@nginx.com

2017-07-25T14:21:59+00:00

9edd64fcd842870ea004664288cadc344c33f0bd