nginx.git/src/event, branch release-1.13.8 nginx SSL: include <openssl/hmac.h>. 2017-10-11T22:43:50+00:00 Alessandro Ghedini alessandro@ghedini.me 2017-10-11T22:43:50+00:00 5fee8f76b529e38ec0ba6e7e81e26be3e3e85548 This header carries the definition of HMAC_Init_ex(). In OpenSSL this header is included by <openssl/ssl.h>, but it's not so in BoringSSL. It's probably a good idea to explicitly include this header anyway, regardless of whether it's included by other headers or not. 
This header carries the definition of HMAC_Init_ex(). In OpenSSL this
header is included by <openssl/ssl.h>, but it's not so in BoringSSL.

It's probably a good idea to explicitly include this header anyway,
regardless of whether it's included by other headers or not.
Fixed buffer overread with unix sockets after accept(). 2017-10-04T18:19:33+00:00 Maxim Dounin mdounin@mdounin.ru 2017-10-04T18:19:33+00:00 2e1e65a5c0a9f8ba5b7b3ce848176482ba4da654 Some OSes (notably macOS, NetBSD, and Solaris) allow unix socket addresses larger than struct sockaddr_un. Moreover, some of them (macOS, Solaris) return socklen of the socket address before it was truncated to fit the buffer provided. As such, on these systems socklen must not be used without additional check that it is within the buffer provided. Appropriate checks added to ngx_event_accept() (after accept()), ngx_event_recvmsg() (after recvmsg()), and ngx_set_inherited_sockets() (after getsockname()). We also obtain socket addresses via getsockname() in ngx_connection_local_sockaddr(), but it does not need any checks as it is only used for INET and INET6 sockets (as there can be no wildcard unix sockets). 
Some OSes (notably macOS, NetBSD, and Solaris) allow unix socket addresses
larger than struct sockaddr_un.  Moreover, some of them (macOS, Solaris)
return socklen of the socket address before it was truncated to fit the
buffer provided.  As such, on these systems socklen must not be used without
additional check that it is within the buffer provided.

Appropriate checks added to ngx_event_accept() (after accept()),
ngx_event_recvmsg() (after recvmsg()), and ngx_set_inherited_sockets()
(after getsockname()).

We also obtain socket addresses via getsockname() in
ngx_connection_local_sockaddr(), but it does not need any checks as
it is only used for INET and INET6 sockets (as there can be no
wildcard unix sockets).
SSL: fixed possible use-after-free in $ssl_server_name. 2017-08-22T14:36:12+00:00 Maxim Dounin mdounin@mdounin.ru 2017-08-22T14:36:12+00:00 ed0cc4d52308b75ab217724392994e6828af4fda The $ssl_server_name variable used SSL_get_servername() result directly, but this is not safe: it references a memory allocation in an SSL session, and this memory might be freed at any time due to renegotiation. Instead, copy the name to memory allocated from the pool. 
The $ssl_server_name variable used SSL_get_servername() result directly,
but this is not safe: it references a memory allocation in an SSL
session, and this memory might be freed at any time due to renegotiation.
Instead, copy the name to memory allocated from the pool.
SSL: the $ssl_client_escaped_cert variable (ticket #857). 2017-08-22T12:18:10+00:00 Maxim Dounin mdounin@mdounin.ru 2017-08-22T12:18:10+00:00 50a0f25c60bcc0fb46efcab00985c200c08c2b2f This variable contains URL-encoded client SSL certificate. In contrast to $ssl_client_cert, it doesn't depend on deprecated header continuation. The NGX_ESCAPE_URI_COMPONENT variant of encoding is used, so the resulting variable can be safely used not only in headers, but also as a request argument. The $ssl_client_cert variable should be considered deprecated now. The $ssl_client_raw_cert variable will be eventually renambed back to $ssl_client_cert. 
This variable contains URL-encoded client SSL certificate.  In contrast
to $ssl_client_cert, it doesn't depend on deprecated header continuation.
The NGX_ESCAPE_URI_COMPONENT variant of encoding is used, so the resulting
variable can be safely used not only in headers, but also as a request
argument.

The $ssl_client_cert variable should be considered deprecated now.
The $ssl_client_raw_cert variable will be eventually renambed back
to $ssl_client_cert.
Restored ngx_event_aio_t layout for debug logging. 2017-08-10T19:21:22+00:00 Maxim Dounin mdounin@mdounin.ru 2017-08-10T19:21:22+00:00 dd5ab4a11f5b423482f63c78835c9dddada766fb The "fd" field should be after 3 pointers for ngx_event_ident() to use it. This was broken by ccad84a174e0. While it does not seem to be currently used for aio-related events, it should be a good idea to preserve the correct layout nevertheless. 
The "fd" field should be after 3 pointers for ngx_event_ident() to use it.
This was broken by ccad84a174e0.  While it does not seem to be currently used
for aio-related events, it should be a good idea to preserve the correct
layout nevertheless.
Fixed calls to ngx_open_file() in certain places. 2017-08-09T12:03:27+00:00 Sergey Kandaurov pluknet@nginx.com 2017-08-09T12:03:27+00:00 b986b4314bb4f8fdcbcfe93c89a659d3d18691bc Pass NGX_FILE_OPEN to ngx_open_file() to fix "The parameter is incorrect" error on win32 when using the ssl_session_ticket_key directive or loading a binary geo base. On UNIX, this change is a no-op. 
Pass NGX_FILE_OPEN to ngx_open_file() to fix "The parameter is incorrect"
error on win32 when using the ssl_session_ticket_key directive or loading
a binary geo base.  On UNIX, this change is a no-op.
Style. 2017-08-09T11:59:46+00:00 Sergey Kandaurov pluknet@nginx.com 2017-08-09T11:59:46+00:00 32c7bd5102571ec20e45f620d2916e612e3b2016 






SSL: fixed typo in the error message.
2017-07-25T14:21:59+00:00

Sergey Kandaurov
pluknet@nginx.com

2017-07-25T14:21:59+00:00

9edd64fcd842870ea004664288cadc344c33f0bd












Parenthesized ASCII-related calculations.
2017-07-17T14:23:51+00:00

Valentin Bartenev
vbart@nginx.com

2017-07-17T14:23:51+00:00

9197a3c8741a8832e6f6ed24a72dc5b078d840fd

This also fixes potential undefined behaviour in the range and slice filter
modules, caused by local overflows of signed integers in expressions.





This also fixes potential undefined behaviour in the range and slice filter
modules, caused by local overflows of signed integers in expressions.







Fixed deferred accept with EPOLLRDHUP enabled (ticket #1278).
2017-05-24T10:17:08+00:00

Roman Arutyunyan
arut@nginx.com

2017-05-24T10:17:08+00:00

c83922b18ddc83f654c1d0df48a6ca1ee9938078

Previously, the read event of the accepted connection was marked ready, but not
available.  This made EPOLLRDHUP-related code (for example, in ngx_unix_recv())
expect more data from the socket, leading to unexpected behavior.

For example, if SSL, PROXY protocol and deferred accept were enabled on a listen
socket, the client connection was aborted due to unexpected return value of
c->recv().





Previously, the read event of the accepted connection was marked ready, but not
available.  This made EPOLLRDHUP-related code (for example, in ngx_unix_recv())
expect more data from the socket, leading to unexpected behavior.

For example, if SSL, PROXY protocol and deferred accept were enabled on a listen
socket, the client connection was aborted due to unexpected return value of
c->recv().