nginx.git/src, branch release-1.25.0 nginx QUIC: fixed OpenSSL compat layer with OpenSSL master branch. 2023-05-22T20:45:18+00:00 Sergey Kandaurov pluknet@nginx.com 2023-05-22T20:45:18+00:00 05990c6bb0c11710c10639e7332726446a643a8c The layer is enabled as a fallback if the QUIC support is configured and the BoringSSL API wasn't detected, or when using the --with-openssl option, also compatible with QuicTLS and LibreSSL. For the latter, the layer is assumed to be present if QUIC was requested, so it needs to be undefined to prevent QUIC API redefinition as appropriate. A previously used approach to test the TLSEXT_TYPE_quic_transport_parameters macro doesn't work with OpenSSL 3.2 master branch where this macro appeared with incompatible QUIC API. To fix the build there, the test is revised to pass only for QuicTLS and LibreSSL. 
The layer is enabled as a fallback if the QUIC support is configured and the
BoringSSL API wasn't detected, or when using the --with-openssl option, also
compatible with QuicTLS and LibreSSL.  For the latter, the layer is assumed
to be present if QUIC was requested, so it needs to be undefined to prevent
QUIC API redefinition as appropriate.

A previously used approach to test the TLSEXT_TYPE_quic_transport_parameters
macro doesn't work with OpenSSL 3.2 master branch where this macro appeared
with incompatible QUIC API.  To fix the build there, the test is revised to
pass only for QuicTLS and LibreSSL.
QUIC: fixed post-close use-after-free. 2023-05-22T11:59:42+00:00 Roman Arutyunyan arut@nginx.com 2023-05-22T11:59:42+00:00 5ac9da4577d59f88032fcfde31b0b6a9ea9a88bd Previously, ngx_quic_close_connection() could be called in a way that QUIC connection was accessed after the call. In most cases the connection is not closed right away, but close timeout is scheduled. However, it's not always the case. Also, if the close process started earlier for a different reason, calling ngx_quic_close_connection() may actually close the connection. The connection object should not be accessed after that. Now, when possible, return statement is added to eliminate post-close connection object access. In other places ngx_quic_close_connection() is substituted with posting close event. Also, the new way of closing connection in ngx_quic_stream_cleanup_handler() fixes another problem in this function. Previously it passed stream connection instead of QUIC connection to ngx_quic_close_connection(). This could result in incomplete connection shutdown. One consequence of that could be that QUIC streams were freed without shutting down their application contexts. This could result in another use-after-free. Found by Coverity (CID 1530402). 
Previously, ngx_quic_close_connection() could be called in a way that QUIC
connection was accessed after the call.  In most cases the connection is not
closed right away, but close timeout is scheduled.  However, it's not always
the case.  Also, if the close process started earlier for a different reason,
calling ngx_quic_close_connection() may actually close the connection.  The
connection object should not be accessed after that.

Now, when possible, return statement is added to eliminate post-close connection
object access.  In other places ngx_quic_close_connection() is substituted with
posting close event.

Also, the new way of closing connection in ngx_quic_stream_cleanup_handler()
fixes another problem in this function.  Previously it passed stream connection
instead of QUIC connection to ngx_quic_close_connection().  This could result
in incomplete connection shutdown.  One consequence of that could be that QUIC
streams were freed without shutting down their application contexts.  This could
result in another use-after-free.

Found by Coverity (CID 1530402).
QUIC: better sockaddr initialization. 2023-05-21T01:38:45+00:00 Maxim Dounin mdounin@mdounin.ru 2023-05-21T01:38:45+00:00 0400e3d5cea76e4b99cb7ff593404286c463cc82 The qsock->sockaddr field is a ngx_sockaddr_t union, and therefore can hold any sockaddr (and union members, such qsock->sockaddr.sockaddr, can be used to access appropriate variant of the sockaddr). It is better to set it via qsock->sockaddr itself though, and not qsock->sockaddr.sockaddr, so static analyzers won't complain about out-of-bounds access. Prodded by Coverity (CID 1530403). 
The qsock->sockaddr field is a ngx_sockaddr_t union, and therefore can hold
any sockaddr (and union members, such qsock->sockaddr.sockaddr, can be used
to access appropriate variant of the sockaddr).  It is better to set it via
qsock->sockaddr itself though, and not qsock->sockaddr.sockaddr, so static
analyzers won't complain about out-of-bounds access.

Prodded by Coverity (CID 1530403).
Merged with the quic branch. 2023-05-19T17:46:36+00:00 Roman Arutyunyan arut@nginx.com 2023-05-19T17:46:36+00:00 4b0266174814e6cf60a275321121dbaab084ee64 






HTTP/3: removed server push support.
2023-05-12T06:02:10+00:00

Roman Arutyunyan
arut@nginx.com

2023-05-12T06:02:10+00:00

e4edf78bac950213e00bb97ac46ece807f3cc073












Common tree insert function for QUIC and UDP connections.
2023-05-14T08:30:11+00:00

Roman Arutyunyan
arut@nginx.com

2023-05-14T08:30:11+00:00

0a3c79614521d7612b63eff4e09c25ed219fb65b

Previously, ngx_udp_rbtree_insert_value() was used for plain UDP and
ngx_quic_rbtree_insert_value() was used for QUIC.  Because of this it was
impossible to initialize connection tree in ngx_create_listening() since
this function is not aware what kind of listening it creates.

Now ngx_udp_rbtree_insert_value() is used for both QUIC and UDP.  To make
is possible, a generic key field is added to ngx_udp_connection_t.  It keeps
client address for UDP and connection ID for QUIC.





Previously, ngx_udp_rbtree_insert_value() was used for plain UDP and
ngx_quic_rbtree_insert_value() was used for QUIC.  Because of this it was
impossible to initialize connection tree in ngx_create_listening() since
this function is not aware what kind of listening it creates.

Now ngx_udp_rbtree_insert_value() is used for both QUIC and UDP.  To make
is possible, a generic key field is added to ngx_udp_connection_t.  It keeps
client address for UDP and connection ID for QUIC.







Stream: removed QUIC support.
2023-05-14T08:05:35+00:00

Roman Arutyunyan
arut@nginx.com

2023-05-14T08:05:35+00:00

779bfcff5f7544494c7c85ac73f41a033e749528












QUIC: style.
2023-05-11T15:48:01+00:00

Maxim Dounin
mdounin@mdounin.ru

2023-05-11T15:48:01+00:00

089d1f653001419ea9d0b463434a89007ec805bd












HTTP/3: removed "http3" parameter of "listen" directive.
2023-05-11T09:22:10+00:00

Roman Arutyunyan
arut@nginx.com

2023-05-11T09:22:10+00:00

2ce3eeeeb76318e414b62d399da70872d2de23d8

The parameter has been deprecated since c851a2ed5ce8.





The parameter has been deprecated since c851a2ed5ce8.







QUIC: removed "quic_mtu" directive.
2023-05-11T06:37:51+00:00

Roman Arutyunyan
arut@nginx.com

2023-05-11T06:37:51+00:00

6cc803e713698b4b09ab46ccd7ae986faa55c386

The directive used to set the value of the "max_udp_payload_size" transport
parameter.  According to RFC 9000, Section 18.2, the value specifies the size
of buffer for reading incoming datagrams:

    This limit does act as an additional constraint on datagram size in
    the same way as the path MTU, but it is a property of the endpoint
    and not the path; see Section 14. It is expected that this is the
    space an endpoint dedicates to holding incoming packets.

Current QUIC implementation uses the maximum possible buffer size (65527) for
reading datagrams.





The directive used to set the value of the "max_udp_payload_size" transport
parameter.  According to RFC 9000, Section 18.2, the value specifies the size
of buffer for reading incoming datagrams:

    This limit does act as an additional constraint on datagram size in
    the same way as the path MTU, but it is a property of the endpoint
    and not the path; see Section 14. It is expected that this is the
    space an endpoint dedicates to holding incoming packets.

Current QUIC implementation uses the maximum possible buffer size (65527) for
reading datagrams.