nginx.git/src/event, branch release-1.28.3 nginx QUIC: improved error handling in OpenSSL compat layer. 2026-03-24T18:33:23+00:00 user.email 123011167+lukefr09@users.noreply.github.com 2026-02-24T01:33:57+00:00 3986410e12e2b1abc81965dd96598d4c2dd02b00 Previously ngx_quic_compat_create_record() could try to encrypt a TLS record even if encryption context was missing, which resulted in a NULL pointer dereference. The context is created by ngx_quic_compat_set_encryption_secret() called from the OpenSSL keylog callback. If an error occurred in that function, the context could remain missing. This could happen under memory pressure, if an allocation failed inside this function. The fix is to handle errors from ngx_quic_compat_set_encryption_secret() and set qc->error to trigger an error after SSL_do_handshake() return. Also, a check for context is added to ngx_quic_compat_create_record() to avoid other similar issues. 
Previously ngx_quic_compat_create_record() could try to encrypt a TLS
record even if encryption context was missing, which resulted in a NULL
pointer dereference.

The context is created by ngx_quic_compat_set_encryption_secret() called
from the OpenSSL keylog callback.  If an error occurred in that function,
the context could remain missing.  This could happen under memory pressure,
if an allocation failed inside this function.

The fix is to handle errors from ngx_quic_compat_set_encryption_secret()
and set qc->error to trigger an error after SSL_do_handshake() return.
Also, a check for context is added to ngx_quic_compat_create_record()
to avoid other similar issues.
QUIC: worker-bound stateless reset tokens. 2026-03-24T18:33:23+00:00 Roman Arutyunyan arut@nginx.com 2026-02-26T14:36:52+00:00 0fa49c5f7fa03c628c887fe69acbd7da0ec4e585 Previously, it was possible to obtain a stateless reset token for a connection by routing its packet to a wrong worker. This allowed to terminate the connection. The fix is to bind stateless reset token to the worker number. 
Previously, it was possible to obtain a stateless reset token for a
connection by routing its packet to a wrong worker.  This allowed to
terminate the connection.

The fix is to bind stateless reset token to the worker number.
QUIC: Stateless Reset rate limiting. 2026-03-24T18:33:23+00:00 Sergey Kandaurov pluknet@nginx.com 2026-02-25T17:09:21+00:00 7ac4e6b106ea926b57ccef1ec0fe2559dda7dc5c It uses a bloom filter to limit sending Stateless Reset packets no more than once per second in average for the given address. This allows to address resource asymmetry from precomputed packets, as well as to limit potential Stateless Reset exchange. 
It uses a bloom filter to limit sending Stateless Reset packets no more
than once per second in average for the given address.  This allows to
address resource asymmetry from precomputed packets, as well as to limit
potential Stateless Reset exchange.
QUIC: refactored ngx_quic_address_hash(). 2026-03-24T18:33:23+00:00 Sergey Kandaurov pluknet@nginx.com 2026-02-25T17:07:01+00:00 e0c5fd912f1cb37fe7a69a61c9fd95d1ebc33c61 Now it accepts an optional salt, to be used in a subsequent change. 
Now it accepts an optional salt, to be used in a subsequent change.
QUIC: moved ngx_quic_address_hash(). 2026-03-24T18:33:23+00:00 Sergey Kandaurov pluknet@nginx.com 2026-02-20T15:01:20+00:00 caec29ecdbe9484606b3f7274e822ce5a788bc04 






QUIC: limited size of generated Stateless Reset packets.
2026-03-24T18:33:23+00:00

Sergey Kandaurov
pluknet@nginx.com

2026-02-20T14:52:56+00:00

5d1ad15bde9fb13b15626fc732488329499bdd4f

Made sure to send packets smaller than the triggering packet,
following RFC 9000, Section 10.3.3.

Reported-by: cyberspace61





Made sure to send packets smaller than the triggering packet,
following RFC 9000, Section 10.3.3.

Reported-by: cyberspace61







QUIC: adjusted minimum packet size to send Stateless Reset.
2026-03-24T18:33:23+00:00

Sergey Kandaurov
pluknet@nginx.com

2026-02-20T14:59:06+00:00

eadf0aa8bc21bab720f8a9d5b56c211b164c791f

Now to be valid, it also assumes the Connection ID we require from a client.





Now to be valid, it also assumes the Connection ID we require from a client.







SSL: fixed "key values mismatch" with object cache inheritance.
2025-12-23T18:40:33+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-05-29T13:49:48+00:00

592bda7bb6c202e48da8e4181de936f70edff58e

In rare cases, it was possible to get into this error state on reload
with improperly updated file timestamps for certificate and key pairs.

The fix is to retry on X509_R_KEY_VALUES_MISMATCH, similar to 5d5d9adcc.
Additionally, loading SSL certificate is updated to avoid certificates
discarded on retry to appear in ssl->certs and in extra chain.





In rare cases, it was possible to get into this error state on reload
with improperly updated file timestamps for certificate and key pairs.

The fix is to retry on X509_R_KEY_VALUES_MISMATCH, similar to 5d5d9adcc.
Additionally, loading SSL certificate is updated to avoid certificates
discarded on retry to appear in ssl->certs and in extra chain.







Events: compatibility with NetBSD 10.0 in kqueue.
2025-12-23T18:40:33+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-10T12:59:05+00:00

8d00372555bc09fd394ffa767e75c9b15b68c27b

The kevent udata field was changed from intptr_t to "void *",
similar to other BSDs and Darwin.

The NGX_KQUEUE_UDATA_T macro is adjusted to reflect that change,
fixing -Werror=int-conversion errors.





The kevent udata field was changed from intptr_t to "void *",
similar to other BSDs and Darwin.

The NGX_KQUEUE_UDATA_T macro is adjusted to reflect that change,
fixing -Werror=int-conversion errors.







Configure: set NGX_KQUEUE_UDATA_T at compile time.
2025-12-23T18:40:33+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-10T12:30:35+00:00

089da0a48b68eb5409ce4a4d8fdd01283097d9a2

The NGX_KQUEUE_UDATA_T macro is used to compensate the incompatible
kqueue() API in NetBSD, it doesn't really belong to feature tests.

The change limits the macro visibility to the kqueue event module.
Moving from autotests also simplifies testing a particular NetBSD
version as seen in a subsequent change.





The NGX_KQUEUE_UDATA_T macro is used to compensate the incompatible
kqueue() API in NetBSD, it doesn't really belong to feature tests.

The change limits the macro visibility to the kqueue event module.
Moving from autotests also simplifies testing a particular NetBSD
version as seen in a subsequent change.