nginx.git/src/event, branch release-1.2.9 nginx Merge of r5082: SSL: retry "sess_id" and "id" allocations. 2013-03-29T17:17:45+00:00 Maxim Dounin mdounin@mdounin.ru 2013-03-29T17:17:45+00:00 e4010d888ffb07e12da2bdfecd9284871be27e52 SSL: retry "sess_id" and "id" allocations. In case of fully populated SSL session cache with no memory left for new allocations, ngx_ssl_new_session() will try to expire the oldest non-expired session and retry, but only in case when slab allocation fails for "cached_sess", not when slab allocation fails for either "sess_id" or "id", which can happen for number of reasons and results in new session not being cached. Patch fixes this by adding retry logic to "sess_id" & "id" allocations. Patch by Piotr Sikora. 
SSL: retry "sess_id" and "id" allocations.

In case of fully populated SSL session cache with no memory left for
new allocations, ngx_ssl_new_session() will try to expire the oldest
non-expired session and retry, but only in case when slab allocation
fails for "cached_sess", not when slab allocation fails for either
"sess_id" or "id", which can happen for number of reasons and results
in new session not being cached.

Patch fixes this by adding retry logic to "sess_id" & "id" allocations.

Patch by Piotr Sikora.
Merge of r5017: fixed null dereference with resolver and poll. 2013-02-11T16:06:39+00:00 Maxim Dounin mdounin@mdounin.ru 2013-02-11T16:06:39+00:00 c9e51955ead69cdd7212043610c4c85082b5a41d Events: fixed null pointer dereference with resolver and poll. A POLLERR signalled by poll() without POLLIN/POLLOUT, as seen on Linux, would generate both read and write events, but there's no write event handler for resolver events. A fix is to only call event handler of an active event. 
Events: fixed null pointer dereference with resolver and poll.

A POLLERR signalled by poll() without POLLIN/POLLOUT, as seen on
Linux, would generate both read and write events, but there's no
write event handler for resolver events.  A fix is to only call
event handler of an active event.
Merge of r5004, r5019-r5025: ssl fixes. 2013-02-11T15:12:06+00:00 Maxim Dounin mdounin@mdounin.ru 2013-02-11T15:12:06+00:00 a901bd695d6e0df434c002bc8bc9f61ca58a01b5 *) SSL: speedup loading of configs with many ssl servers. The patch saves one EC_KEY_generate_key() call per server{} block by informing OpenSSL about SSL_OP_SINGLE_ECDH_USE we are going to use before the SSL_CTX_set_tmp_ecdh() call. For a configuration file with 10k simple server{} blocks with SSL enabled this change reduces startup time from 18s to 5s on a slow test box here. *) SSL: removed conditions that always hold true. *) SSL: resetting of flush flag after the data was written. There is no need to flush next chunk of data if it does not contain a buffer with the flush or last_buf flags set. *) SSL: preservation of flush flag for buffered data. Previously, if SSL buffer was not sent we lost information that the data must be flushed. *) SSL: calculation of buffer size moved closer to its usage. No functional changes. *) SSL: avoid calling SSL_write() with zero data size. According to documentation, calling SSL_write() with num=0 bytes to be sent results in undefined behavior. We don't currently call ngx_ssl_send_chain() with empty chain and buffer. This check handles the case of a chain with total data size that is a multiple of NGX_SSL_BUFSIZE, and with the special buffer at the end. In practice such cases resulted in premature connection close and critical error "SSL_write() failed (SSL:)" in the error log. *) SSL: take into account data in the buffer while limiting output. In some rare cases this can result in a more smooth sending rate. *) SSL: fixed ngx_ssl_handshake() with level-triggered event methods. Missing calls to ngx_handle_write_event() and ngx_handle_read_event() resulted in a CPU hog during SSL handshake if an level-triggered event method (e.g. select) was used. 
*) SSL: speedup loading of configs with many ssl servers.  The patch
   saves one EC_KEY_generate_key() call per server{} block by informing
   OpenSSL about SSL_OP_SINGLE_ECDH_USE we are going to use before
   the SSL_CTX_set_tmp_ecdh() call.

   For a configuration file with 10k simple server{} blocks with SSL
   enabled this change reduces startup time from 18s to 5s on a slow
   test box here.

*) SSL: removed conditions that always hold true.

*) SSL: resetting of flush flag after the data was written.  There is
   no need to flush next chunk of data if it does not contain a buffer
   with the flush or last_buf flags set.

*) SSL: preservation of flush flag for buffered data.  Previously,
   if SSL buffer was not sent we lost information that the data
   must be flushed.

*) SSL: calculation of buffer size moved closer to its usage.
   No functional changes.

*) SSL: avoid calling SSL_write() with zero data size.  According to
   documentation, calling SSL_write() with num=0 bytes to be sent
   results in undefined behavior.

   We don't currently call ngx_ssl_send_chain() with empty chain and
   buffer.  This check handles the case of a chain with total data size
   that is a multiple of NGX_SSL_BUFSIZE, and with the special buffer
   at the end.

   In practice such cases resulted in premature connection close and
   critical error "SSL_write() failed (SSL:)" in the error log.

*) SSL: take into account data in the buffer while limiting output.
   In some rare cases this can result in a more smooth sending rate.

*) SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
   Missing calls to ngx_handle_write_event() and ngx_handle_read_event()
   resulted in a CPU hog during SSL handshake if an level-triggered event
   method (e.g. select) was used.
Merge of r4999, r5003: detect duplicate "events" and "keepalive". 2013-02-11T14:58:25+00:00 Maxim Dounin mdounin@mdounin.ru 2013-02-11T14:58:25+00:00 635dae7cadfdc67f439f7c7cb79a1c7f51285f4e *) Upstream keepalive: detect duplicate "keepalive" directive. A failure to detect duplicate "keepalive" directive resulted in stack exhaustion. *) Events: added check for duplicate "events" directive. 
*) Upstream keepalive: detect duplicate "keepalive" directive.  A
   failure to detect duplicate "keepalive" directive resulted in
   stack exhaustion.

*) Events: added check for duplicate "events" directive.
Merge of r4896: event pipe: fixed handling of buf_to_file data. 2012-11-13T11:24:14+00:00 Maxim Dounin mdounin@mdounin.ru 2012-11-13T11:24:14+00:00 13cda62555b28dd1afb927705eeff0c5f66cdbaf Input filter might free a buffer if there is no data in it, and in case of first buffer (used for cache header and request header, aka p->buf_to_file) this resulted in cache corruption. Buffer memory was reused to read upstream response before headers were written to disk. Fix is to avoid moving pointers in ngx_event_pipe_add_free_buf() to a buffer start if we were asked to free a buffer used by p->buf_to_file. This fixes occasional cache file corruption, usually resulted in "cache file ... has md5 collision" alerts. Reported by Anatoli Marinov. 
Input filter might free a buffer if there is no data in it, and in case
of first buffer (used for cache header and request header, aka p->buf_to_file)
this resulted in cache corruption.  Buffer memory was reused to read upstream
response before headers were written to disk.

Fix is to avoid moving pointers in ngx_event_pipe_add_free_buf() to a buffer
start if we were asked to free a buffer used by p->buf_to_file.

This fixes occasional cache file corruption, usually resulted
in "cache file ... has md5 collision" alerts.

Reported by Anatoli Marinov.
Merge of r4885: ssl_verify_client optional_no_ca. 2012-11-13T10:42:16+00:00 Maxim Dounin mdounin@mdounin.ru 2012-11-13T10:42:16+00:00 71b6604e4465b6aac478f04c3608a6be5c6500e6 SSL: the "ssl_verify_client" directive parameter "optional_no_ca". This parameter allows to don't require certificate to be signed by a trusted CA, e.g. if CA certificate isn't known in advance, like in WebID protocol. Note that it doesn't add any security unless the certificate is actually checked to be trusted by some external means (e.g. by a backend). Patch by Mike Kazantsev, Eric O'Connor. 
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".

This parameter allows to don't require certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.

Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).

Patch by Mike Kazantsev, Eric O'Connor.
Merge of r4868, r4869: SSL minor fixes. 2012-11-12T18:00:32+00:00 Maxim Dounin mdounin@mdounin.ru 2012-11-12T18:00:32+00:00 d39777712d97180ff439461813083cbc7892a2a1 *) SSL: fixed compression workaround to remove all methods. Previous code used sk_SSL_COMP_delete(ssl_comp_methods, i) while iterating stack from 0 to n, resulting in removal of only even compression methods. In real life this change is a nop, as there is only one compression method which is enabled by default in OpenSSL. *) SSL: added version checks for ssl compression workaround. The SSL_COMP_get_compression_methods() is only available as an API function in OpenSSL 0.9.8+, require it explicitly to unbreak build with OpenSSL 0.9.7. 
*) SSL: fixed compression workaround to remove all methods.

   Previous code used sk_SSL_COMP_delete(ssl_comp_methods, i) while iterating
   stack from 0 to n, resulting in removal of only even compression methods.

   In real life this change is a nop, as there is only one compression method
   which is enabled by default in OpenSSL.

*) SSL: added version checks for ssl compression workaround.

   The SSL_COMP_get_compression_methods() is only available as an API
   function in OpenSSL 0.9.8+, require it explicitly to unbreak build
   with OpenSSL 0.9.7.
Merge of r4785, r4795, r4811, r4812, r4816, r4822: coverity. 2012-09-24T18:54:28+00:00 Maxim Dounin mdounin@mdounin.ru 2012-09-24T18:54:28+00:00 191e31938e81f2a59a4ba4dc6b3f4f28bc232187 *) Resolver: fixed possible memory leak in ngx_resolver_create(). *) Explicitly ignore returned value from unlink() in ngx_open_tempfile(). *) Explicitly ignore returned value from close() in ngx_event_core_init_conf(). *) Added three missing checks for NULL after ngx_array_push() calls. *) Crypt: fixed handling of corrupted SSHA entries in password file. *) Mark logically dead code with corresponding comment. Found by / prodded by Coverity. 
*) Resolver: fixed possible memory leak in ngx_resolver_create().

*) Explicitly ignore returned value from unlink() in ngx_open_tempfile().

*) Explicitly ignore returned value from close() in ngx_event_core_init_conf().

*) Added three missing checks for NULL after ngx_array_push() calls.

*) Crypt: fixed handling of corrupted SSHA entries in password file.

*) Mark logically dead code with corresponding comment.

Found by / prodded by Coverity.
Merge of r4764: debug_connection with a domain name change. 2012-08-06T17:13:20+00:00 Maxim Dounin mdounin@mdounin.ru 2012-08-06T17:13:20+00:00 f3959db1e773a7d5fef3009f04b1afb2c2d4c744 When "debug_connection" is configured with a domain name, only the first resolved address was used. Now all addresses will be used. 
When "debug_connection" is configured with a domain name, only the first
resolved address was used.  Now all addresses will be used.
Merge of r4760, r4761: -Wmissing-prototypes. 2012-08-06T17:07:28+00:00 Maxim Dounin mdounin@mdounin.ru 2012-08-06T17:07:28+00:00 20ce4fcbbf7c1504cc520905dfde1b2790011e31 Fixed compilation with -Wmissing-prototypes. Added a commented out -Wmissing-prototypes to CFLAGS. It is commented out to not break builds with 3rd party modules. 
Fixed compilation with -Wmissing-prototypes.  Added a commented
out -Wmissing-prototypes to CFLAGS.  It is commented out to not break
builds with 3rd party modules.