nginx.git/src/http, branch release-1.15.9 nginx SSL: fixed possible segfault with dynamic certificates. 2019-02-25T18:16:26+00:00 Maxim Dounin mdounin@mdounin.ru 2019-02-25T18:16:26+00:00 1a30d79c429cb1d4438d592db62cbe701e3b4360 A virtual server may have no SSL context if it does not have certificates defined, so we have to use config of the ngx_http_ssl_module from the SSL context in the certificate callback. To do so, it is now passed as the argument of the callback. The stream module doesn't really need any changes, but was modified as well to match http code. 
A virtual server may have no SSL context if it does not have certificates
defined, so we have to use config of the ngx_http_ssl_module from the
SSL context in the certificate callback.  To do so, it is now passed as
the argument of the callback.

The stream module doesn't really need any changes, but was modified as
well to match http code.
SSL: adjusted session id context with dynamic certificates. 2019-02-25T13:42:54+00:00 Maxim Dounin mdounin@mdounin.ru 2019-02-25T13:42:54+00:00 ecfab06cb20959219c9aadc2ef59507488e4fa99 Dynamic certificates re-introduce problem with incorrect session reuse (AKA "virtual host confusion", CVE-2014-3616), since there are no server certificates to generate session id context from. To prevent this, session id context is now generated from ssl_certificate directives as specified in the configuration. This approach prevents incorrect session reuse in most cases, while still allowing sharing sessions across multiple machines with ssl_session_ticket_key set as long as configurations are identical. 
Dynamic certificates re-introduce problem with incorrect session
reuse (AKA "virtual host confusion", CVE-2014-3616), since there are
no server certificates to generate session id context from.

To prevent this, session id context is now generated from ssl_certificate
directives as specified in the configuration.  This approach prevents
incorrect session reuse in most cases, while still allowing sharing
sessions across multiple machines with ssl_session_ticket_key set as
long as configurations are identical.
SSL: passwords support for dynamic certificate loading. 2019-02-25T13:42:23+00:00 Maxim Dounin mdounin@mdounin.ru 2019-02-25T13:42:23+00:00 8772a0e0892e632c37f3b92b1d287ed9b473cb13 Passwords have to be copied to the configuration pool to be used at runtime. Also, to prevent blocking on stdin (with "daemon off;") an empty password list is provided. To make things simpler, password handling was modified to allow an empty array (with 0 elements and elts set to NULL) as an equivalent of an array with 1 empty password. 
Passwords have to be copied to the configuration pool to be used
at runtime.  Also, to prevent blocking on stdin (with "daemon off;")
an empty password list is provided.

To make things simpler, password handling was modified to allow
an empty array (with 0 elements and elts set to NULL) as an equivalent
of an array with 1 empty password.
SSL: variables support in ssl_certificate and ssl_certificate_key. 2019-02-25T13:42:05+00:00 Maxim Dounin mdounin@mdounin.ru 2019-02-25T13:42:05+00:00 6e5a731edb6c1b8581c4b6fd2a2bf4ec0e768c24 To evaluate variables, a request is created in the certificate callback, and then freed. To do this without side effects on the stub_status counters and connection state, an additional function was introduced, ngx_http_alloc_request(). Only works with OpenSSL 1.0.2+, since there is no SSL_CTX_set_cert_cb() in older versions. 
To evaluate variables, a request is created in the certificate callback,
and then freed.  To do this without side effects on the stub_status
counters and connection state, an additional function was introduced,
ngx_http_alloc_request().

Only works with OpenSSL 1.0.2+, since there is no SSL_CTX_set_cert_cb()
in older versions.
Style. 2019-02-25T13:41:08+00:00 Maxim Dounin mdounin@mdounin.ru 2019-02-25T13:41:08+00:00 dce5823f595bc522df0ae25e3a5a6f63fd07eb2d 






Upstream: fixed logging of required buffer size (ticket #1722).
2019-02-11T04:36:53+00:00

Chanhun Jeong
chanhun.jeong@navercorp.com

2019-02-11T04:36:53+00:00

c5c034f66d55b6836c5c8fa19ab062dbaff009cd












Added the ngx_http_test_required_predicates() function.
2019-01-17T11:31:04+00:00

Vladimir Homutov
vl@nginx.com

2019-01-17T11:31:04+00:00

b6b39b2fb9c66f2a05153bbc4fa770b9e3850491

In contrast to ngx_http_test_predicates(), it requires all values to be
non-empty and not equal to "0".





In contrast to ngx_http_test_predicates(), it requires all values to be
non-empty and not equal to "0".







Autoindex: fixed possible integer overflow on 32-bit systems.
2018-12-25T09:59:24+00:00

Vladimir Homutov
vl@nginx.com

2018-12-25T09:59:24+00:00

910f330ad0caa49fe901e9426ef00d95d45ba32c












Win32: removed NGX_DIR_MASK concept.
2018-12-24T18:07:05+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-12-24T18:07:05+00:00

aa741f87273f2137d9a52080593c5fe6f1d1b0ea

Previous interface of ngx_open_dir() assumed that passed directory name
has a room for NGX_DIR_MASK at the end (NGX_DIR_MASK_LEN bytes).  While all
direct users of ngx_dir_open() followed this interface, this also implied
similar requirements for indirect uses - in particular, via ngx_walk_tree().

Currently none of ngx_walk_tree() uses provides appropriate space, and
fixing this does not look like a right way to go.  Instead, ngx_dir_open()
interface was changed to not require any additional space and use
appropriate allocations instead.





Previous interface of ngx_open_dir() assumed that passed directory name
has a room for NGX_DIR_MASK at the end (NGX_DIR_MASK_LEN bytes).  While all
direct users of ngx_dir_open() followed this interface, this also implied
similar requirements for indirect uses - in particular, via ngx_walk_tree().

Currently none of ngx_walk_tree() uses provides appropriate space, and
fixing this does not look like a right way to go.  Instead, ngx_dir_open()
interface was changed to not require any additional space and use
appropriate allocations instead.







Userid: using stub for AF_UNIX addresses.
2018-12-24T16:55:00+00:00

Sergey Kandaurov
pluknet@nginx.com

2018-12-24T16:55:00+00:00

499bb2655ee16e4659d571b413b1ea54fd19dcd1

Previously, AF_UNIX addresses misbehaved as AF_INET, which typically resulted
in $uid_set composed from the middle of sun_path.





Previously, AF_UNIX addresses misbehaved as AF_INET, which typically resulted
in $uid_set composed from the middle of sun_path.