nginx.git/src/stream, branch release-1.15.11 nginx Multiple addresses in "listen". 2019-03-15T12:45:56+00:00 Roman Arutyunyan arut@nginx.com 2019-03-15T12:45:56+00:00 4e17b93eb6787e99a4023f20f8c391284f86bbf3 Previously only one address was used by the listen directive handler even if host name resolved to multiple addresses. Now a separate listening socket is created for each address. 
Previously only one address was used by the listen directive handler even if
host name resolved to multiple addresses.  Now a separate listening socket is
created for each address.
SSL: fixed potential leak on memory allocation errors. 2019-03-03T13:48:39+00:00 Maxim Dounin mdounin@mdounin.ru 2019-03-03T13:48:39+00:00 fe43346dc3151e80dae0acd751f0a94314dcb91c If ngx_pool_cleanup_add() fails, we have to clean just created SSL context manually, thus appropriate call added. Additionally, ngx_pool_cleanup_add() moved closer to ngx_ssl_create() in the ngx_http_ssl_module, to make sure there are no leaks due to intermediate code. 
If ngx_pool_cleanup_add() fails, we have to clean just created SSL context
manually, thus appropriate call added.

Additionally, ngx_pool_cleanup_add() moved closer to ngx_ssl_create() in
the ngx_http_ssl_module, to make sure there are no leaks due to intermediate
code.
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK. 2019-03-03T13:47:44+00:00 Maxim Dounin mdounin@mdounin.ru 2019-03-03T13:47:44+00:00 fd97b2a80f678b9bf372d9a6537e5d4db51188ae OpenSSL 1.1.1 does not save server name to the session if server name callback returns anything but SSL_TLSEXT_ERR_OK, thus breaking the $ssl_server_name variable in resumed sessions. Since $ssl_server_name can be used even if we've selected the default server and there are no other servers, it looks like the only viable solution is to always return SSL_TLSEXT_ERR_OK regardless of the actual result. To fix things in the stream module as well, added a dummy server name callback which always returns SSL_TLSEXT_ERR_OK. 
OpenSSL 1.1.1 does not save server name to the session if server name
callback returns anything but SSL_TLSEXT_ERR_OK, thus breaking
the $ssl_server_name variable in resumed sessions.

Since $ssl_server_name can be used even if we've selected the default
server and there are no other servers, it looks like the only viable
solution is to always return SSL_TLSEXT_ERR_OK regardless of the actual
result.

To fix things in the stream module as well, added a dummy server name
callback which always returns SSL_TLSEXT_ERR_OK.
SSL: fixed possible segfault with dynamic certificates. 2019-02-25T18:16:26+00:00 Maxim Dounin mdounin@mdounin.ru 2019-02-25T18:16:26+00:00 1a30d79c429cb1d4438d592db62cbe701e3b4360 A virtual server may have no SSL context if it does not have certificates defined, so we have to use config of the ngx_http_ssl_module from the SSL context in the certificate callback. To do so, it is now passed as the argument of the callback. The stream module doesn't really need any changes, but was modified as well to match http code. 
A virtual server may have no SSL context if it does not have certificates
defined, so we have to use config of the ngx_http_ssl_module from the
SSL context in the certificate callback.  To do so, it is now passed as
the argument of the callback.

The stream module doesn't really need any changes, but was modified as
well to match http code.
SSL: adjusted session id context with dynamic certificates. 2019-02-25T13:42:54+00:00 Maxim Dounin mdounin@mdounin.ru 2019-02-25T13:42:54+00:00 ecfab06cb20959219c9aadc2ef59507488e4fa99 Dynamic certificates re-introduce problem with incorrect session reuse (AKA "virtual host confusion", CVE-2014-3616), since there are no server certificates to generate session id context from. To prevent this, session id context is now generated from ssl_certificate directives as specified in the configuration. This approach prevents incorrect session reuse in most cases, while still allowing sharing sessions across multiple machines with ssl_session_ticket_key set as long as configurations are identical. 
Dynamic certificates re-introduce problem with incorrect session
reuse (AKA "virtual host confusion", CVE-2014-3616), since there are
no server certificates to generate session id context from.

To prevent this, session id context is now generated from ssl_certificate
directives as specified in the configuration.  This approach prevents
incorrect session reuse in most cases, while still allowing sharing
sessions across multiple machines with ssl_session_ticket_key set as
long as configurations are identical.
SSL: dynamic certificate loading in the stream module. 2019-02-25T13:42:43+00:00 Maxim Dounin mdounin@mdounin.ru 2019-02-25T13:42:43+00:00 fbcb0c8a33c7168aad3b1474d4cd8cde3486e155 






Stream: do not split datagrams when limiting proxy rate.
2018-12-27T16:37:34+00:00

Roman Arutyunyan
arut@nginx.com

2018-12-27T16:37:34+00:00

12645b46e96426719ce96426239e45cfd93ed90c

Previously, when using proxy_upload_rate and proxy_download_rate, the buffer
size for reading from a socket could be reduced as a result of rate limiting.
For connection-oriented protocols this behavior is normal since unread data will
normally be read at the next iteration.  But for datagram-oriented protocols
this is not the case, and unread part of the datagram is lost.

Now buffer size is not limited for datagrams.  Rate limiting still works in this
case by delaying the next reading event.





Previously, when using proxy_upload_rate and proxy_download_rate, the buffer
size for reading from a socket could be reduced as a result of rate limiting.
For connection-oriented protocols this behavior is normal since unread data will
normally be read at the next iteration.  But for datagram-oriented protocols
this is not the case, and unread part of the datagram is lost.

Now buffer size is not limited for datagrams.  Rate limiting still works in this
case by delaying the next reading event.







Prevented scheduling events on a shared connection.
2019-01-14T17:36:23+00:00

Roman Arutyunyan
arut@nginx.com

2019-01-14T17:36:23+00:00

36a0713244a28266beefd5703521949a5fa994ca

A shared connection does not own its file descriptor, which means that
ngx_handle_read_event/ngx_handle_write_event calls should do nothing for it.
Currently the c->shared flag is checked in several places in the stream proxy
module prior to calling these functions.  However it was not done everywhere.
Missing checks could lead to calling
ngx_handle_read_event/ngx_handle_write_event on shared connections.

The problem manifested itself when using proxy_upload_rate and resulted in
either duplicate file descriptor error (e.g. with epoll) or incorrect further
udp packet processing (e.g. with kqueue).

The fix is to set and reset the event active flag in a way that prevents
ngx_handle_read_event/ngx_handle_write_event from scheduling socket events.





A shared connection does not own its file descriptor, which means that
ngx_handle_read_event/ngx_handle_write_event calls should do nothing for it.
Currently the c->shared flag is checked in several places in the stream proxy
module prior to calling these functions.  However it was not done everywhere.
Missing checks could lead to calling
ngx_handle_read_event/ngx_handle_write_event on shared connections.

The problem manifested itself when using proxy_upload_rate and resulted in
either duplicate file descriptor error (e.g. with epoll) or incorrect further
udp packet processing (e.g. with kqueue).

The fix is to set and reset the event active flag in a way that prevents
ngx_handle_read_event/ngx_handle_write_event from scheduling socket events.







Geo: fixed handling of AF_UNIX client addresses (ticket #1684).
2018-12-14T15:11:06+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-12-14T15:11:06+00:00

ce4a23d144762cfa27c0e4b13f74cada2f7486a8

Previously, AF_UNIX client addresses were handled as AF_INET, leading
to unexpected results.





Previously, AF_UNIX client addresses were handled as AF_INET, leading
to unexpected results.







Negative size buffers detection.
2018-11-26T15:29:56+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-11-26T15:29:56+00:00

f4c70589ce2875b67554113dc7fe6efc581444d6

In the past, there were several security issues which resulted in
worker process memory disclosure due to buffers with negative size.
It looks reasonable to check for such buffers in various places,
much like we already check for zero size buffers.

While here, removed "#if 1 / #endif" around zero size buffer checks.
It looks highly unlikely that we'll disable these checks anytime soon.





In the past, there were several security issues which resulted in
worker process memory disclosure due to buffers with negative size.
It looks reasonable to check for such buffers in various places,
much like we already check for zero size buffers.

While here, removed "#if 1 / #endif" around zero size buffer checks.
It looks highly unlikely that we'll disable these checks anytime soon.