nginx.git/src/event, branch release-1.13.5 nginx SSL: fixed possible use-after-free in $ssl_server_name. 2017-08-22T14:36:12+00:00 Maxim Dounin mdounin@mdounin.ru 2017-08-22T14:36:12+00:00 ed0cc4d52308b75ab217724392994e6828af4fda The $ssl_server_name variable used SSL_get_servername() result directly, but this is not safe: it references a memory allocation in an SSL session, and this memory might be freed at any time due to renegotiation. Instead, copy the name to memory allocated from the pool. 
The $ssl_server_name variable used SSL_get_servername() result directly,
but this is not safe: it references a memory allocation in an SSL
session, and this memory might be freed at any time due to renegotiation.
Instead, copy the name to memory allocated from the pool.
SSL: the $ssl_client_escaped_cert variable (ticket #857). 2017-08-22T12:18:10+00:00 Maxim Dounin mdounin@mdounin.ru 2017-08-22T12:18:10+00:00 50a0f25c60bcc0fb46efcab00985c200c08c2b2f This variable contains URL-encoded client SSL certificate. In contrast to $ssl_client_cert, it doesn't depend on deprecated header continuation. The NGX_ESCAPE_URI_COMPONENT variant of encoding is used, so the resulting variable can be safely used not only in headers, but also as a request argument. The $ssl_client_cert variable should be considered deprecated now. The $ssl_client_raw_cert variable will be eventually renambed back to $ssl_client_cert. 
This variable contains URL-encoded client SSL certificate.  In contrast
to $ssl_client_cert, it doesn't depend on deprecated header continuation.
The NGX_ESCAPE_URI_COMPONENT variant of encoding is used, so the resulting
variable can be safely used not only in headers, but also as a request
argument.

The $ssl_client_cert variable should be considered deprecated now.
The $ssl_client_raw_cert variable will be eventually renambed back
to $ssl_client_cert.
Restored ngx_event_aio_t layout for debug logging. 2017-08-10T19:21:22+00:00 Maxim Dounin mdounin@mdounin.ru 2017-08-10T19:21:22+00:00 dd5ab4a11f5b423482f63c78835c9dddada766fb The "fd" field should be after 3 pointers for ngx_event_ident() to use it. This was broken by ccad84a174e0. While it does not seem to be currently used for aio-related events, it should be a good idea to preserve the correct layout nevertheless. 
The "fd" field should be after 3 pointers for ngx_event_ident() to use it.
This was broken by ccad84a174e0.  While it does not seem to be currently used
for aio-related events, it should be a good idea to preserve the correct
layout nevertheless.
Fixed calls to ngx_open_file() in certain places. 2017-08-09T12:03:27+00:00 Sergey Kandaurov pluknet@nginx.com 2017-08-09T12:03:27+00:00 b986b4314bb4f8fdcbcfe93c89a659d3d18691bc Pass NGX_FILE_OPEN to ngx_open_file() to fix "The parameter is incorrect" error on win32 when using the ssl_session_ticket_key directive or loading a binary geo base. On UNIX, this change is a no-op. 
Pass NGX_FILE_OPEN to ngx_open_file() to fix "The parameter is incorrect"
error on win32 when using the ssl_session_ticket_key directive or loading
a binary geo base.  On UNIX, this change is a no-op.
Style. 2017-08-09T11:59:46+00:00 Sergey Kandaurov pluknet@nginx.com 2017-08-09T11:59:46+00:00 32c7bd5102571ec20e45f620d2916e612e3b2016 






SSL: fixed typo in the error message.
2017-07-25T14:21:59+00:00

Sergey Kandaurov
pluknet@nginx.com

2017-07-25T14:21:59+00:00

9edd64fcd842870ea004664288cadc344c33f0bd












Parenthesized ASCII-related calculations.
2017-07-17T14:23:51+00:00

Valentin Bartenev
vbart@nginx.com

2017-07-17T14:23:51+00:00

9197a3c8741a8832e6f6ed24a72dc5b078d840fd

This also fixes potential undefined behaviour in the range and slice filter
modules, caused by local overflows of signed integers in expressions.





This also fixes potential undefined behaviour in the range and slice filter
modules, caused by local overflows of signed integers in expressions.







Fixed deferred accept with EPOLLRDHUP enabled (ticket #1278).
2017-05-24T10:17:08+00:00

Roman Arutyunyan
arut@nginx.com

2017-05-24T10:17:08+00:00

c83922b18ddc83f654c1d0df48a6ca1ee9938078

Previously, the read event of the accepted connection was marked ready, but not
available.  This made EPOLLRDHUP-related code (for example, in ngx_unix_recv())
expect more data from the socket, leading to unexpected behavior.

For example, if SSL, PROXY protocol and deferred accept were enabled on a listen
socket, the client connection was aborted due to unexpected return value of
c->recv().





Previously, the read event of the accepted connection was marked ready, but not
available.  This made EPOLLRDHUP-related code (for example, in ngx_unix_recv())
expect more data from the socket, leading to unexpected behavior.

For example, if SSL, PROXY protocol and deferred accept were enabled on a listen
socket, the client connection was aborted due to unexpected return value of
c->recv().







SSL: allowed renegotiation in client mode with OpenSSL < 1.1.0.
2017-05-03T12:15:56+00:00

Sergey Kandaurov
pluknet@nginx.com

2017-05-03T12:15:56+00:00

99611988792cbc6a3355bb169bbc797bb6d6310f

In ac9b1df5b246 (1.13.0) we attempted to allow renegotiation in client mode,
but when using OpenSSL 1.0.2 or older versions it was additionally disabled
by SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.





In ac9b1df5b246 (1.13.0) we attempted to allow renegotiation in client mode,
but when using OpenSSL 1.0.2 or older versions it was additionally disabled
by SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.







SSL: compatibility with OpenSSL master branch.
2017-04-18T13:08:46+00:00

Sergey Kandaurov
pluknet@nginx.com

2017-04-18T13:08:46+00:00

e8c579a18716395911201d3d5114c03ee018afc9

The SSL_CTRL_SET_CURVES_LIST macro is removed in the OpenSSL master branch.
SSL_CTX_set1_curves_list is preserved as compatibility with previous versions.





The SSL_CTRL_SET_CURVES_LIST macro is removed in the OpenSSL master branch.
SSL_CTX_set1_curves_list is preserved as compatibility with previous versions.