nginx.git/src/stream, branch release-1.26.3 nginx SNI: added restriction for TLSv1.3 cross-SNI session resumption. 2025-02-05T16:40:47+00:00 Sergey Kandaurov pluknet@nginx.com 2025-01-22T14:55:44+00:00 13935cf9fdc3c8d8278c70716417d3b71c36140e In OpenSSL, session resumption always happens in the default SSL context, prior to invoking the SNI callback. Further, unlike in TLSv1.2 and older protocols, SSL_get_servername() returns values received in the resumption handshake, which may be different from the value in the initial handshake. Notably, this makes the restriction added in b720f650b insufficient for sessions resumed with different SNI server name. Considering the example from b720f650b, previously, a client was able to request example.org by presenting a certificate for example.org, then to resume and request example.com. The fix is to reject handshakes resumed with a different server name, if verification of client certificates is enabled in a corresponding server configuration. 
In OpenSSL, session resumption always happens in the default SSL context,
prior to invoking the SNI callback.  Further, unlike in TLSv1.2 and older
protocols, SSL_get_servername() returns values received in the resumption
handshake, which may be different from the value in the initial handshake.
Notably, this makes the restriction added in b720f650b insufficient for
sessions resumed with different SNI server name.

Considering the example from b720f650b, previously, a client was able to
request example.org by presenting a certificate for example.org, then to
resume and request example.com.

The fix is to reject handshakes resumed with a different server name, if
verification of client certificates is enabled in a corresponding server
configuration.
Stream pass: limited the number of passes per connection. 2024-04-11T07:37:30+00:00 Roman Arutyunyan arut@nginx.com 2024-04-11T07:37:30+00:00 bf3e6538b93375e8ac49d3863f74ee7cbe588111 Previously a cycle in pass configuration resulted in stack overflow. 
Previously a cycle in pass configuration resulted in stack overflow.
Fixed undefined behaviour with IPv4-mapped IPv6 addresses. 2024-03-18T13:14:30+00:00 Sergey Kandaurov pluknet@nginx.com 2024-03-18T13:14:30+00:00 3d5a356abb4f06b0f103290bd31a4c146233956b Previously, it could result when left-shifting signed integer due to implicit integer promotion, such that the most significant bit appeared on the sign bit. In practice, though, this results in the same left value as with an explicit cast, at least on known compilers, such as GCC and Clang. The reason is that in_addr_t, which is equivalent to uint32_t and same as "unsigned int" in ILP32 and LP64 data type models, has the same type width as the intermediate after integer promotion, so there's no side effects such as sign-extension. This explains why adding an explicit cast does not change object files in practice. Found with UndefinedBehaviorSanitizer (shift). Based on a patch by Piotr Sikora. 
Previously, it could result when left-shifting signed integer due to implicit
integer promotion, such that the most significant bit appeared on the sign bit.

In practice, though, this results in the same left value as with an explicit
cast, at least on known compilers, such as GCC and Clang.  The reason is that
in_addr_t, which is equivalent to uint32_t and same as "unsigned int" in ILP32
and LP64 data type models, has the same type width as the intermediate after
integer promotion, so there's no side effects such as sign-extension.  This
explains why adding an explicit cast does not change object files in practice.

Found with UndefinedBehaviorSanitizer (shift).

Based on a patch by Piotr Sikora.
Geo: fixed uninitialized memory access. 2024-03-14T14:37:20+00:00 Piotr Sikora piotr@aviatrix.com 2024-03-14T14:37:20+00:00 d3d64cacb3ce96477d354fe17d3b5c6e348f933a While copying ngx_http_variable_value_t structures to geo binary base in ngx_http_geo_copy_values(), and similarly in the stream module, uninitialized parts of these structures are copied as well. These include the "escape" field and possible holes. Calculating crc32 of this data triggers uninitialized memory access. Found with MemorySanitizer. Signed-off-by: Piotr Sikora <piotr@aviatrix.com> 
While copying ngx_http_variable_value_t structures to geo binary base
in ngx_http_geo_copy_values(), and similarly in the stream module,
uninitialized parts of these structures are copied as well.  These
include the "escape" field and possible holes.  Calculating crc32 of
this data triggers uninitialized memory access.

Found with MemorySanitizer.

Signed-off-by: Piotr Sikora <piotr@aviatrix.com>
Stream: $server_name. 2024-03-22T14:39:50+00:00 Sergey Kandaurov pluknet@nginx.com 2024-03-22T14:39:50+00:00 5e79d98a59b6d094145200976077aa7ca34a84d0 






Stream: moved fastopen compatibility check.
2024-01-18T15:12:38+00:00

Roman Arutyunyan
arut@nginx.com

2024-01-18T15:12:38+00:00

45e166b4a4a0e8d0e0f8adeb3438e4745261e8da

The move makes the code look similar to the corresponding code in http module.





The move makes the code look similar to the corresponding code in http module.







Stream: the "setfib" parameter of the "listen" directive.
2024-03-22T10:53:19+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-03-22T10:53:19+00:00

bd190d825ceeacf105a2392d88734f21df35d89a

The FreeBSD SO_SETFIB support.





The FreeBSD SO_SETFIB support.







Stream: the "accept_filter" parameter of the "listen" directive.
2024-03-22T10:53:19+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-03-22T10:53:19+00:00

04b9bfe55d414bfed8a7aefa3162d81af26532b4

The FreeBSD accept filters support.





The FreeBSD accept filters support.







Stream: the "deferred" parameter of the "listen" directive.
2024-03-22T10:53:19+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-03-22T10:53:19+00:00

03eba69013eb4f4499a5c09f72338ab95ce00801

The Linux TCP_DEFER_ACCEPT support.





The Linux TCP_DEFER_ACCEPT support.







Stream: reshuffled ngx_stream_listen_opt_t fields.
2024-03-22T10:53:19+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-03-22T10:53:19+00:00

f00b43167abbf8b34c5e1f9edcf8a71cdce8a70e

In preparation for adding more parameters to the listen directive,
and to be in sync with the corresponding structure in the http module.
No functional changes.





In preparation for adding more parameters to the listen directive,
and to be in sync with the corresponding structure in the http module.
No functional changes.