mirror of https://github.com/nginx/nginx.git
Compare commits
No commits in common. "master" and "release-1.27.4" have entirely different histories.
master
...
release-1.
|
|
@ -1,41 +0,0 @@
|
|||
---
|
||||
name: F5 CLA
|
||||
on:
|
||||
issue_comment:
|
||||
types: [created]
|
||||
pull_request_target:
|
||||
types: [opened, closed, synchronize]
|
||||
permissions: read-all
|
||||
jobs:
|
||||
f5-cla:
|
||||
name: F5 CLA
|
||||
runs-on: ubuntu-24.04
|
||||
permissions:
|
||||
actions: write
|
||||
pull-requests: write
|
||||
statuses: write
|
||||
steps:
|
||||
- name: Run F5 Contributor License Agreement (CLA) assistant
|
||||
if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target'
|
||||
uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
|
||||
with:
|
||||
# Path to the CLA document.
|
||||
path-to-document: https://github.com/f5/f5-cla/blob/main/docs/f5_cla.md
|
||||
# Custom CLA messages.
|
||||
custom-notsigned-prcomment: '🎉 Thank you for your contribution! It appears you have not yet signed the [F5 Contributor License Agreement (CLA)](https://github.com/f5/f5-cla/blob/main/docs/f5_cla.md), which is required for your changes to be incorporated into an F5 Open Source Software (OSS) project. Please kindly read the [F5 CLA](https://github.com/f5/f5-cla/blob/main/docs/f5_cla.md) and reply on a new comment with the following text to agree:'
|
||||
custom-pr-sign-comment: 'I have hereby read the F5 CLA and agree to its terms'
|
||||
custom-allsigned-prcomment: '✅ All required contributors have signed the F5 CLA for this PR. Thank you!'
|
||||
# Remote repository storing CLA signatures.
|
||||
remote-organization-name: f5
|
||||
remote-repository-name: f5-cla-data
|
||||
# Branch where CLA signatures are stored.
|
||||
branch: main
|
||||
path-to-signatures: signatures/signatures.json
|
||||
# Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA.
|
||||
# NOTE: You will want to edit the usernames to suit your project needs.
|
||||
allowlist: bot*
|
||||
# Do not lock PRs after a merge.
|
||||
lock-pullrequest-aftermerge: false
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
/Makefile
|
||||
/objs/
|
||||
/tmp/
|
||||
|
|
@ -26,10 +26,6 @@ ngx_msvc_ver=`echo $NGX_MSVC_VER | sed -e 's/^\([0-9]*\).*/\1/'`
|
|||
|
||||
case "$NGX_MSVC_VER" in
|
||||
|
||||
*ARM64)
|
||||
NGX_MACHINE=arm64
|
||||
;;
|
||||
|
||||
*x64)
|
||||
NGX_MACHINE=amd64
|
||||
;;
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ if [ $OPENSSL != NONE ]; then
|
|||
|
||||
if [ $USE_OPENSSL_QUIC = YES ]; then
|
||||
have=NGX_QUIC . auto/have
|
||||
have=NGX_QUIC_OPENSSL_COMPAT . auto/have
|
||||
fi
|
||||
|
||||
case "$CC" in
|
||||
|
|
@ -147,18 +148,14 @@ else
|
|||
|
||||
if [ $USE_OPENSSL_QUIC = YES ]; then
|
||||
|
||||
ngx_feature="OpenSSL QUIC API"
|
||||
ngx_feature="OpenSSL QUIC support"
|
||||
ngx_feature_name="NGX_QUIC"
|
||||
ngx_feature_test="SSL_set_quic_tls_cbs(NULL, NULL, NULL)"
|
||||
ngx_feature_test="SSL_set_quic_method(NULL, NULL)"
|
||||
. auto/feature
|
||||
|
||||
if [ $ngx_found = no ]; then
|
||||
ngx_feature="BoringSSL-like QUIC API"
|
||||
ngx_feature_test="SSL_set_quic_method(NULL, NULL)"
|
||||
. auto/feature
|
||||
fi
|
||||
have=NGX_QUIC_OPENSSL_COMPAT . auto/have
|
||||
|
||||
if [ $ngx_found = no ]; then
|
||||
ngx_feature="OpenSSL QUIC compatibility"
|
||||
ngx_feature_test="SSL_CTX_add_custom_ext(NULL, 0, 0,
|
||||
NULL, NULL, NULL, NULL, NULL)"
|
||||
|
|
|
|||
|
|
@ -13,10 +13,6 @@ case "$CC" in
|
|||
OPENSSL_TARGET=VC-WIN64A
|
||||
;;
|
||||
|
||||
arm64)
|
||||
OPENSSL_TARGET=VC-WIN64-ARM
|
||||
;;
|
||||
|
||||
*)
|
||||
OPENSSL_TARGET=VC-WIN32
|
||||
;;
|
||||
|
|
|
|||
|
|
@ -37,7 +37,6 @@ if [ $PCRE_LIBRARY = PCRE2 ]; then
|
|||
pcre2_xclass.c"
|
||||
|
||||
ngx_pcre_test="pcre2_chkdint.c \
|
||||
pcre2_compile_class.c \
|
||||
pcre2_convert.c \
|
||||
pcre2_extuni.c \
|
||||
pcre2_find_bracket.c \
|
||||
|
|
|
|||
|
|
@ -118,19 +118,3 @@ ngx_feature_libs=
|
|||
ngx_feature_test="int32_t lock = 0;
|
||||
if (!OSAtomicCompareAndSwap32Barrier(0, 1, &lock)) return 1"
|
||||
. auto/feature
|
||||
|
||||
|
||||
ngx_feature="TCP_KEEPALIVE"
|
||||
ngx_feature_name="NGX_HAVE_KEEPALIVE_TUNABLE"
|
||||
ngx_feature_run=no
|
||||
ngx_feature_incs="#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/tcp.h>"
|
||||
ngx_feature_path=
|
||||
ngx_feature_libs=
|
||||
ngx_feature_test="setsockopt(0, IPPROTO_TCP, TCP_KEEPALIVE, NULL, 0);
|
||||
setsockopt(0, IPPROTO_TCP, TCP_KEEPINTVL, NULL, 0);
|
||||
setsockopt(0, IPPROTO_TCP, TCP_KEEPCNT, NULL, 0)"
|
||||
. auto/feature
|
||||
|
||||
NGX_KEEPALIVE_CHECKED=YES
|
||||
|
|
|
|||
50
auto/unix
50
auto/unix
|
|
@ -129,8 +129,28 @@ if test -z "$NGX_KQUEUE_CHECKED"; then
|
|||
fi
|
||||
|
||||
|
||||
if [ "$NGX_SYSTEM" = "NetBSD" ]; then
|
||||
|
||||
# NetBSD 2.0 incompatibly defines kevent.udata as "intptr_t"
|
||||
|
||||
cat << END >> $NGX_AUTO_CONFIG_H
|
||||
|
||||
#define NGX_KQUEUE_UDATA_T
|
||||
|
||||
END
|
||||
|
||||
else
|
||||
cat << END >> $NGX_AUTO_CONFIG_H
|
||||
|
||||
#define NGX_KQUEUE_UDATA_T (void *)
|
||||
|
||||
END
|
||||
|
||||
fi
|
||||
|
||||
|
||||
ngx_feature="crypt()"
|
||||
ngx_feature_name="NGX_HAVE_CRYPT"
|
||||
ngx_feature_name=
|
||||
ngx_feature_run=no
|
||||
ngx_feature_incs=
|
||||
ngx_feature_path=
|
||||
|
|
@ -142,7 +162,7 @@ ngx_feature_test="crypt(\"test\", \"salt\");"
|
|||
if [ $ngx_found = no ]; then
|
||||
|
||||
ngx_feature="crypt() in libcrypt"
|
||||
ngx_feature_name="NGX_HAVE_CRYPT"
|
||||
ngx_feature_name=
|
||||
ngx_feature_run=no
|
||||
ngx_feature_incs=
|
||||
ngx_feature_path=
|
||||
|
|
@ -488,20 +508,18 @@ ngx_feature_test="setsockopt(0, IPPROTO_TCP, TCP_DEFER_ACCEPT, NULL, 0)"
|
|||
. auto/feature
|
||||
|
||||
|
||||
if test -z "$NGX_KEEPALIVE_CHECKED"; then
|
||||
ngx_feature="TCP_KEEPIDLE"
|
||||
ngx_feature_name="NGX_HAVE_KEEPALIVE_TUNABLE"
|
||||
ngx_feature_run=no
|
||||
ngx_feature_incs="#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/tcp.h>"
|
||||
ngx_feature_path=
|
||||
ngx_feature_libs=
|
||||
ngx_feature_test="setsockopt(0, IPPROTO_TCP, TCP_KEEPIDLE, NULL, 0);
|
||||
setsockopt(0, IPPROTO_TCP, TCP_KEEPINTVL, NULL, 0);
|
||||
setsockopt(0, IPPROTO_TCP, TCP_KEEPCNT, NULL, 0)"
|
||||
. auto/feature
|
||||
fi
|
||||
ngx_feature="TCP_KEEPIDLE"
|
||||
ngx_feature_name="NGX_HAVE_KEEPALIVE_TUNABLE"
|
||||
ngx_feature_run=no
|
||||
ngx_feature_incs="#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/tcp.h>"
|
||||
ngx_feature_path=
|
||||
ngx_feature_libs=
|
||||
ngx_feature_test="setsockopt(0, IPPROTO_TCP, TCP_KEEPIDLE, NULL, 0);
|
||||
setsockopt(0, IPPROTO_TCP, TCP_KEEPINTVL, NULL, 0);
|
||||
setsockopt(0, IPPROTO_TCP, TCP_KEEPCNT, NULL, 0)"
|
||||
. auto/feature
|
||||
|
||||
|
||||
ngx_feature="TCP_FASTOPEN"
|
||||
|
|
|
|||
|
|
@ -36,6 +36,8 @@ http {
|
|||
listen 80;
|
||||
server_name localhost;
|
||||
|
||||
#charset koi8-r;
|
||||
|
||||
#access_log logs/host.access.log main;
|
||||
|
||||
location / {
|
||||
|
|
|
|||
|
|
@ -5,362 +5,6 @@
|
|||
<change_log title="nginx">
|
||||
|
||||
|
||||
<changes ver="1.29.2" date="2025-10-07">
|
||||
|
||||
<change type="feature">
|
||||
<para lang="ru">
|
||||
теперь nginx можно собрать с AWS-LC.<br/>
|
||||
Спасибо Samuel Chiang.
|
||||
</para>
|
||||
<para lang="en">
|
||||
now nginx can be built with AWS-LC.<br/>
|
||||
Thanks Samuel Chiang.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
теперь директива ssl_protocols работает
|
||||
в виртуальном сервере, отличном от сервера по умолчанию,
|
||||
при использовании OpenSSL 1.1.1 и новее.
|
||||
</para>
|
||||
<para lang="en">
|
||||
now the "ssl_protocols" directive works
|
||||
in a virtual server different from the default server
|
||||
when using OpenSSL 1.1.1 or newer.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
при использовании TLSv1.3 с OpenSSL и клиентских сертификатов
|
||||
SSL handshake всегда завершался ошибкой
|
||||
при восстановлении сессии с другим значением SNI;
|
||||
ошибка появилась в 1.27.4.
|
||||
</para>
|
||||
<para lang="en">
|
||||
SSL handshake always failed
|
||||
when using TLSv1.3 with OpenSSL and client certificates
|
||||
and resuming a session with a different SNI value;
|
||||
the bug had appeared in 1.27.4.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
при использовании QUIC и директивы ssl_reject_handshake
|
||||
в логах могли появляться сообщения
|
||||
"ignoring stale global SSL error";
|
||||
ошибка появилась в 1.29.0.<br/>
|
||||
Спасибо Владимиру Хомутову.
|
||||
</para>
|
||||
<para lang="en">
|
||||
the "ignoring stale global SSL error"
|
||||
alerts might appear in logs
|
||||
when using QUIC and the "ssl_reject_handshake" directive;
|
||||
the bug had appeared in 1.29.0.<br/>
|
||||
Thanks to Vladimir Homutov.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
в обработке delta-seconds
|
||||
в строке "Cache-Control" в заголовке ответа бэкенда.
|
||||
</para>
|
||||
<para lang="en">
|
||||
in delta-seconds processing
|
||||
in the "Cache-Control" backend response header line.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
команда XCLIENT не использовала кодировку xtext.<br/>
|
||||
Спасибо Igor Morgenstern из Aisle Research.
|
||||
</para>
|
||||
<para lang="en">
|
||||
an XCLIENT command didn't use the xtext encoding.<br/>
|
||||
Thanks to Igor Morgenstern of Aisle Research.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
в кешировании SSL-сертификатов во время переконфигурации.
|
||||
</para>
|
||||
<para lang="en">
|
||||
in SSL certificate caching during reconfiguration.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
</changes>
|
||||
|
||||
|
||||
<changes ver="1.29.1" date="2025-08-13">
|
||||
|
||||
<change type="security">
|
||||
<para lang="ru">
|
||||
обработка специально созданного логина/пароля при использовании
|
||||
метода аутентификации "none" в модуле ngx_mail_smtp_module
|
||||
могла приводить к отправке серверу аутентификации
|
||||
части содержимого памяти рабочего процесса (CVE-2025-53859).
|
||||
</para>
|
||||
<para lang="en">
|
||||
processing of a specially crafted login/password when using
|
||||
the "none" authentication method in the ngx_mail_smtp_module
|
||||
might cause worker process memory disclosure
|
||||
to the authentication server (CVE-2025-53859).
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="change">
|
||||
<para lang="ru">
|
||||
теперь сжатие сертификатов в протоколе TLSv1.3 по умолчанию запрещено.
|
||||
</para>
|
||||
<para lang="en">
|
||||
now TLSv1.3 certificate compression is disabled by default.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="feature">
|
||||
<para lang="ru">
|
||||
директива ssl_certificate_compression.
|
||||
</para>
|
||||
<para lang="en">
|
||||
the "ssl_certificate_compression" directive.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="feature">
|
||||
<para lang="ru">
|
||||
поддержка 0-RTT в QUIC при использовании OpenSSL 3.5.1 и новее.
|
||||
</para>
|
||||
<para lang="en">
|
||||
support for 0-RTT in QUIC when using OpenSSL 3.5.1 or newer.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
при использовании HTTP/2 и директивы early_hints
|
||||
ответ 103 мог буферизироваться.
|
||||
</para>
|
||||
<para lang="en">
|
||||
the 103 response might be buffered
|
||||
when using HTTP/2 and the "early_hints" directive.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
в обработке заголовков запроса "Host" и ":authority"
|
||||
с одинаковыми значениями при использовании HTTP/2;
|
||||
ошибка появилась в 1.17.9.
|
||||
</para>
|
||||
<para lang="en">
|
||||
in handling "Host" and ":authority" header lines
|
||||
with equal values when using HTTP/2;
|
||||
the bug had appeared in 1.17.9.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
в обработке заголовка запроса "Host" с портом
|
||||
при использовании HTTP/3.
|
||||
</para>
|
||||
<para lang="en">
|
||||
in handling "Host" header lines with a port
|
||||
when using HTTP/3.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
nginx не собирался под NetBSD 10.0.
|
||||
</para>
|
||||
<para lang="en">
|
||||
nginx could not be built on NetBSD 10.0.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
в работе параметра none директивы smtp_auth.
|
||||
</para>
|
||||
<para lang="en">
|
||||
in the "none" parameter of the "smtp_auth" directive.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
</changes>
|
||||
|
||||
|
||||
<changes ver="1.29.0" date="2025-06-24">
|
||||
|
||||
<change type="feature">
|
||||
<para lang="ru">
|
||||
поддержка ответа с кодом 103 от proxy- и gRPC-бэкендов;
|
||||
директива early_hints.
|
||||
</para>
|
||||
<para lang="en">
|
||||
support for response code 103 from proxy and gRPC backends;
|
||||
the "early_hints" directive.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="feature">
|
||||
<para lang="ru">
|
||||
возможность загрузки секретных ключей с аппаратных устройств
|
||||
с помощью OpenSSL provider.
|
||||
</para>
|
||||
<para lang="en">
|
||||
loading of secret keys from hardware tokens
|
||||
with OpenSSL provider.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="feature">
|
||||
<para lang="ru">
|
||||
поддержка параметра so_keepalive директивы listen на macOS.
|
||||
</para>
|
||||
<para lang="en">
|
||||
support for the "so_keepalive" parameter of the "listen" directive on macOS.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="change">
|
||||
<para lang="ru">
|
||||
уровень логгирования ошибок SSL в QUIC handshake
|
||||
изменён с уровня error на crit для критических ошибок
|
||||
и на info для всех остальных;
|
||||
уровень логгирования неподдерживаемых транспортных параметров QUIC
|
||||
понижен с уровня info до debug.
|
||||
</para>
|
||||
<para lang="en">
|
||||
the logging level of SSL errors in a QUIC handshake
|
||||
has been changed from "error" to "crit" for critical errors,
|
||||
and to "info" for the rest;
|
||||
the logging level of unsupported QUIC transport parameters
|
||||
has been lowered from "info" to "debug".
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="change">
|
||||
<para lang="ru">
|
||||
бинарная версия nginx/Windows теперь использует для сборки Windows SDK 10.
|
||||
</para>
|
||||
<para lang="en">
|
||||
the native nginx/Windows binary release is now built using Windows SDK 10.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
nginx не собирался gcc 15,
|
||||
если использовались модули ngx_http_v2_module и ngx_http_v3_module.
|
||||
</para>
|
||||
<para lang="en">
|
||||
nginx could not be built by gcc 15
|
||||
if ngx_http_v2_module or ngx_http_v3_module modules were used.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
nginx мог не собираться gcc 14 и новее с оптимизацией -O3 -flto,
|
||||
если использовался модуль ngx_http_v3_module.
|
||||
</para>
|
||||
<para lang="en">
|
||||
nginx might not be built by gcc 14 or newer with -O3 -flto optimization
|
||||
if ngx_http_v3_module was used.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change>
|
||||
<para lang="ru">
|
||||
Исправления и улучшения в HTTP/3.
|
||||
</para>
|
||||
<para lang="en">
|
||||
Bugfixes and improvements in HTTP/3.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
</changes>
|
||||
|
||||
|
||||
<changes ver="1.27.5" date="2025-04-16">
|
||||
|
||||
<change type="feature">
|
||||
<para lang="ru">
|
||||
контроль перегрузки CUBIC в соединениях QUIC.
|
||||
</para>
|
||||
<para lang="en">
|
||||
CUBIC congestion control in QUIC connections.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="change">
|
||||
<para lang="ru">
|
||||
ограничение на максимальный размер кешируемых в разделяемой памяти
|
||||
SSL-сессий поднято до 8192.
|
||||
</para>
|
||||
<para lang="en">
|
||||
the maximum size limit for SSL sessions cached in shared memory
|
||||
has been raised to 8192.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
в директивах grpc_ssl_password_file, proxy_ssl_password_file и
|
||||
uwsgi_ssl_password_file
|
||||
при загрузке SSL-сертификатов и зашифрованных ключей из переменных;
|
||||
ошибка появилась в 1.23.1.
|
||||
</para>
|
||||
<para lang="en">
|
||||
in the "grpc_ssl_password_file", "proxy_ssl_password_file", and
|
||||
"uwsgi_ssl_password_file" directives
|
||||
when loading SSL certificates and encrypted keys from variables;
|
||||
the bug had appeared in 1.23.1.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
в переменных $ssl_curve и $ssl_curves
|
||||
при использовании подключаемых кривых в OpenSSL.
|
||||
</para>
|
||||
<para lang="en">
|
||||
in the $ssl_curve and $ssl_curves variables
|
||||
when using pluggable curves in OpenSSL.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
nginx не собирался с musl libc.<br/>
|
||||
Спасибо Piotr Sikora.
|
||||
</para>
|
||||
<para lang="en">
|
||||
nginx could not be built with musl libc.<br/>
|
||||
Thanks to Piotr Sikora.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change>
|
||||
<para lang="ru">
|
||||
Улучшения производительности и исправления в HTTP/3.
|
||||
</para>
|
||||
<para lang="en">
|
||||
Performance improvements and bugfixes in HTTP/3.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
</changes>
|
||||
|
||||
|
||||
<changes ver="1.27.4" date="2025-02-05">
|
||||
|
||||
<change type="security">
|
||||
|
|
@ -8828,7 +8472,7 @@ Thanks to Piotr Sikora.
|
|||
Спасибо Piotr Sikora.
|
||||
</para>
|
||||
<para lang="en">
|
||||
now nginx can be built with BoringSSL and LibreSSL.<br/>
|
||||
now nginx can be build with BoringSSL and LibreSSL.<br/>
|
||||
Thanks to Piotr Sikora.
|
||||
</para>
|
||||
</change>
|
||||
|
|
@ -26111,7 +25755,7 @@ the ECONNABORTED error log level was changed to "error" from "crit".
|
|||
модуль ngx_http_perl_module не собирался без модуля ngx_http_ssi_filter_module.
|
||||
</para>
|
||||
<para lang="en">
|
||||
the ngx_http_perl_module could not be built without
|
||||
the ngx_http_perl_module could not be build without
|
||||
the ngx_http_ssi_filter_module.
|
||||
</para>
|
||||
</change>
|
||||
|
|
|
|||
|
|
@ -6,9 +6,9 @@ TEMP = tmp
|
|||
|
||||
CC = cl
|
||||
OBJS = objs.msvc8
|
||||
OPENSSL = openssl-3.5.4
|
||||
OPENSSL = openssl-3.0.15
|
||||
ZLIB = zlib-1.3.1
|
||||
PCRE = pcre2-10.46
|
||||
PCRE = pcre2-10.39
|
||||
|
||||
|
||||
release: export
|
||||
|
|
@ -76,8 +76,7 @@ win32:
|
|||
--with-stream_realip_module \
|
||||
--with-stream_ssl_preread_module \
|
||||
--with-openssl=$(OBJS)/lib/$(OPENSSL) \
|
||||
--with-openssl-opt="no-asm no-tests no-makedepend \
|
||||
-D_WIN32_WINNT=0x0501" \
|
||||
--with-openssl-opt="no-asm no-tests -D_WIN32_WINNT=0x0501" \
|
||||
--with-http_ssl_module \
|
||||
--with-mail_ssl_module \
|
||||
--with-stream_ssl_module
|
||||
|
|
@ -110,7 +109,7 @@ zip: export
|
|||
cp -p $(OBJS)/lib/$(OPENSSL)/LICENSE.txt \
|
||||
$(TEMP)/$(NGINX)/docs/OpenSSL.LICENSE
|
||||
|
||||
cp -p $(OBJS)/lib/$(PCRE)/LICENCE.md \
|
||||
cp -p $(OBJS)/lib/$(PCRE)/LICENCE \
|
||||
$(TEMP)/$(NGINX)/docs/PCRE.LICENCE
|
||||
|
||||
sed -ne '/^ (C) 1995-20/,/^ jloup@gzip\.org/p' \
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@ make -f misc/GNUmakefile release
|
|||
|
||||
the required tools:
|
||||
*) xsltproc to build CHANGES,
|
||||
*) xslscript.pl ( https://github.com/nginx/xslscript ) to build XSLTs
|
||||
*) xslscript.pl ( http://hg.nginx.org/xslscript ) to build XSLTs
|
||||
from XSLScript sources.
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -9,8 +9,8 @@
|
|||
#define _NGINX_H_INCLUDED_
|
||||
|
||||
|
||||
#define nginx_version 1029003
|
||||
#define NGINX_VERSION "1.29.3"
|
||||
#define nginx_version 1027004
|
||||
#define NGINX_VERSION "1.27.4"
|
||||
#define NGINX_VER "nginx/" NGINX_VERSION
|
||||
|
||||
#ifdef NGX_BUILD
|
||||
|
|
|
|||
|
|
@ -94,7 +94,7 @@ typedef intptr_t ngx_flag_t;
|
|||
|
||||
|
||||
#ifndef NGX_ALIGNMENT
|
||||
#define NGX_ALIGNMENT sizeof(uintptr_t) /* platform word */
|
||||
#define NGX_ALIGNMENT sizeof(unsigned long) /* platform word */
|
||||
#endif
|
||||
|
||||
#define ngx_align(d, a) (((d) + (a - 1)) & ~(a - 1))
|
||||
|
|
|
|||
|
|
@ -765,8 +765,6 @@ ngx_configure_listening_sockets(ngx_cycle_t *cycle)
|
|||
|
||||
#if (NGX_HAVE_KEEPALIVE_TUNABLE)
|
||||
|
||||
#if !(NGX_DARWIN)
|
||||
|
||||
if (ls[i].keepidle) {
|
||||
value = ls[i].keepidle;
|
||||
|
||||
|
|
@ -784,8 +782,6 @@ ngx_configure_listening_sockets(ngx_cycle_t *cycle)
|
|||
}
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
if (ls[i].keepintvl) {
|
||||
value = ls[i].keepintvl;
|
||||
|
||||
|
|
|
|||
|
|
@ -1494,9 +1494,8 @@ ngx_utf8_cpystrn(u_char *dst, u_char *src, size_t n, size_t len)
|
|||
uintptr_t
|
||||
ngx_escape_uri(u_char *dst, u_char *src, size_t size, ngx_uint_t type)
|
||||
{
|
||||
u_char prefix;
|
||||
uint32_t *escape;
|
||||
ngx_uint_t n;
|
||||
uint32_t *escape;
|
||||
static u_char hex[] = "0123456789ABCDEF";
|
||||
|
||||
/*
|
||||
|
|
@ -1634,36 +1633,11 @@ ngx_escape_uri(u_char *dst, u_char *src, size_t size, ngx_uint_t type)
|
|||
|
||||
/* mail_auth is the same as memcached */
|
||||
|
||||
/* " ", "+", "=", not allowed */
|
||||
|
||||
static uint32_t mail_xtext[] = {
|
||||
0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */
|
||||
|
||||
/* ?>=< ;:98 7654 3210 /.-, +*)( '&%$ #"! */
|
||||
0x20000801, /* 0010 0000 0000 0000 0000 1000 0000 0001 */
|
||||
|
||||
/* _^]\ [ZYX WVUT SRQP ONML KJIH GFED CBA@ */
|
||||
0x00000000, /* 0000 0000 0000 0000 0000 0000 0000 0000 */
|
||||
|
||||
/* ~}| {zyx wvut srqp onml kjih gfed cba` */
|
||||
0x80000000, /* 1000 0000 0000 0000 0000 0000 0000 0000 */
|
||||
|
||||
0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */
|
||||
0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */
|
||||
0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */
|
||||
0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */
|
||||
};
|
||||
|
||||
static uint32_t *map[] =
|
||||
{ uri, args, uri_component, html, refresh, memcached, memcached,
|
||||
mail_xtext };
|
||||
|
||||
static u_char map_char[] =
|
||||
{ '%', '%', '%', '%', '%', '%', '%', '+' };
|
||||
{ uri, args, uri_component, html, refresh, memcached, memcached };
|
||||
|
||||
|
||||
escape = map[type];
|
||||
prefix = map_char[type];
|
||||
|
||||
if (dst == NULL) {
|
||||
|
||||
|
|
@ -1684,7 +1658,7 @@ ngx_escape_uri(u_char *dst, u_char *src, size_t size, ngx_uint_t type)
|
|||
|
||||
while (size) {
|
||||
if (escape[*src >> 5] & (1U << (*src & 0x1f))) {
|
||||
*dst++ = prefix;
|
||||
*dst++ = '%';
|
||||
*dst++ = hex[*src >> 4];
|
||||
*dst++ = hex[*src & 0xf];
|
||||
src++;
|
||||
|
|
|
|||
|
|
@ -203,7 +203,6 @@ u_char *ngx_utf8_cpystrn(u_char *dst, u_char *src, size_t n, size_t len);
|
|||
#define NGX_ESCAPE_REFRESH 4
|
||||
#define NGX_ESCAPE_MEMCACHED 5
|
||||
#define NGX_ESCAPE_MAIL_AUTH 6
|
||||
#define NGX_ESCAPE_MAIL_XTEXT 7
|
||||
|
||||
#define NGX_UNESCAPE_URI 1
|
||||
#define NGX_UNESCAPE_REDIRECT 2
|
||||
|
|
|
|||
|
|
@ -207,7 +207,7 @@ ngx_thread_pool_exit_handler(void *data, ngx_log_t *log)
|
|||
|
||||
*lock = 0;
|
||||
|
||||
pthread_exit(NULL);
|
||||
pthread_exit(0);
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -10,15 +10,6 @@
|
|||
#include <ngx_event.h>
|
||||
|
||||
|
||||
/* NetBSD up to 10.0 incompatibly defines kevent.udata as "intptr_t" */
|
||||
|
||||
#if (__NetBSD__ && __NetBSD_Version__ < 1000000000)
|
||||
#define NGX_KQUEUE_UDATA_T
|
||||
#else
|
||||
#define NGX_KQUEUE_UDATA_T (void *)
|
||||
#endif
|
||||
|
||||
|
||||
typedef struct {
|
||||
ngx_uint_t changes;
|
||||
ngx_uint_t events;
|
||||
|
|
@ -200,7 +191,7 @@ ngx_kqueue_init(ngx_cycle_t *cycle, ngx_msec_t timer)
|
|||
kev.flags = EV_ADD|EV_ENABLE;
|
||||
kev.fflags = 0;
|
||||
kev.data = timer;
|
||||
kev.udata = NGX_KQUEUE_UDATA_T (uintptr_t) 0;
|
||||
kev.udata = 0;
|
||||
|
||||
ts.tv_sec = 0;
|
||||
ts.tv_nsec = 0;
|
||||
|
|
@ -246,7 +237,7 @@ ngx_kqueue_notify_init(ngx_log_t *log)
|
|||
notify_kev.data = 0;
|
||||
notify_kev.flags = EV_ADD|EV_CLEAR;
|
||||
notify_kev.fflags = 0;
|
||||
notify_kev.udata = NGX_KQUEUE_UDATA_T (uintptr_t) 0;
|
||||
notify_kev.udata = 0;
|
||||
|
||||
if (kevent(ngx_kqueue, ¬ify_kev, 1, NULL, 0, NULL) == -1) {
|
||||
ngx_log_error(NGX_LOG_ALERT, log, ngx_errno,
|
||||
|
|
|
|||
|
|
@ -203,23 +203,6 @@ ngx_event_accept(ngx_event_t *ev)
|
|||
}
|
||||
}
|
||||
|
||||
#if (NGX_HAVE_KEEPALIVE_TUNABLE && NGX_DARWIN)
|
||||
|
||||
/* Darwin doesn't inherit TCP_KEEPALIVE from a listening socket */
|
||||
|
||||
if (ls->keepidle) {
|
||||
if (setsockopt(s, IPPROTO_TCP, TCP_KEEPALIVE,
|
||||
(const void *) &ls->keepidle, sizeof(int))
|
||||
== -1)
|
||||
{
|
||||
ngx_log_error(NGX_LOG_ALERT, ev->log, ngx_socket_errno,
|
||||
"setsockopt(TCP_KEEPALIVE, %d) failed, ignored",
|
||||
ls->keepidle);
|
||||
}
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
*log = ls->log;
|
||||
|
||||
c->recv = ngx_recv;
|
||||
|
|
|
|||
|
|
@ -9,10 +9,6 @@
|
|||
#include <ngx_core.h>
|
||||
#include <ngx_event.h>
|
||||
|
||||
#if (NGX_ZLIB && defined TLSEXT_cert_compression_zlib)
|
||||
#include <zlib.h>
|
||||
#endif
|
||||
|
||||
|
||||
#define NGX_SSL_PASSWORD_BUFFER_SIZE 4096
|
||||
|
||||
|
|
@ -23,13 +19,6 @@ typedef struct {
|
|||
|
||||
|
||||
static ngx_inline ngx_int_t ngx_ssl_cert_already_in_hash(void);
|
||||
#if (NGX_ZLIB && defined TLSEXT_cert_compression_zlib)
|
||||
static int ngx_ssl_cert_compression_callback(ngx_ssl_conn_t *ssl_conn,
|
||||
CBB *out, const uint8_t *in, size_t in_len);
|
||||
static void *ngx_ssl_cert_compression_alloc(void *opaque, u_int items,
|
||||
u_int size);
|
||||
static void ngx_ssl_cert_compression_free(void *opaque, void *address);
|
||||
#endif
|
||||
static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
|
||||
static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
|
||||
int ret);
|
||||
|
|
@ -56,6 +45,8 @@ static ssize_t ngx_ssl_sendfile(ngx_connection_t *c, ngx_buf_t *file,
|
|||
size_t size);
|
||||
static void ngx_ssl_read_handler(ngx_event_t *rev);
|
||||
static void ngx_ssl_shutdown_handler(ngx_event_t *ev);
|
||||
static void ngx_ssl_connection_error(ngx_connection_t *c, int sslerr,
|
||||
ngx_err_t err, char *text);
|
||||
static void ngx_ssl_clear_error(ngx_log_t *log);
|
||||
|
||||
static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl,
|
||||
|
|
@ -139,11 +130,6 @@ int ngx_ssl_ticket_keys_index;
|
|||
int ngx_ssl_ocsp_index;
|
||||
int ngx_ssl_index;
|
||||
int ngx_ssl_certificate_name_index;
|
||||
int ngx_ssl_certificate_comp_index;
|
||||
int ngx_ssl_client_hello_arg_index;
|
||||
|
||||
|
||||
u_char ngx_ssl_session_buffer[NGX_SSL_MAX_SESSION_SIZE];
|
||||
|
||||
|
||||
ngx_int_t
|
||||
|
|
@ -283,21 +269,6 @@ ngx_ssl_init(ngx_log_t *log)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
ngx_ssl_certificate_comp_index = X509_get_ex_new_index(0, NULL, NULL, NULL,
|
||||
NULL);
|
||||
if (ngx_ssl_certificate_comp_index == -1) {
|
||||
ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed");
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
ngx_ssl_client_hello_arg_index = SSL_CTX_get_ex_new_index(0, NULL, NULL,
|
||||
NULL, NULL);
|
||||
if (ngx_ssl_client_hello_arg_index == -1) {
|
||||
ngx_ssl_error(NGX_LOG_ALERT, log, 0,
|
||||
"SSL_CTX_get_ex_new_index() failed");
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
|
|
@ -415,11 +386,6 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
|
|||
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
|
||||
#endif
|
||||
|
||||
#ifdef SSL_OP_NO_TX_CERTIFICATE_COMPRESSION
|
||||
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TX_CERTIFICATE_COMPRESSION);
|
||||
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_RX_CERTIFICATE_COMPRESSION);
|
||||
#endif
|
||||
|
||||
#ifdef SSL_OP_NO_ANTI_REPLAY
|
||||
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_ANTI_REPLAY);
|
||||
#endif
|
||||
|
|
@ -477,18 +443,10 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
|
|||
{
|
||||
char *err;
|
||||
X509 *x509, **elm;
|
||||
u_long n;
|
||||
EVP_PKEY *pkey;
|
||||
ngx_uint_t mask;
|
||||
STACK_OF(X509) *chain;
|
||||
|
||||
mask = 0;
|
||||
elm = NULL;
|
||||
|
||||
retry:
|
||||
|
||||
chain = ngx_ssl_cache_fetch(cf, NGX_SSL_CACHE_CERT | mask,
|
||||
&err, cert, NULL);
|
||||
chain = ngx_ssl_cache_fetch(cf, NGX_SSL_CACHE_CERT, &err, cert, NULL);
|
||||
if (chain == NULL) {
|
||||
if (err != NULL) {
|
||||
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
||||
|
|
@ -528,16 +486,11 @@ retry:
|
|||
}
|
||||
}
|
||||
|
||||
elm = ngx_array_push(&ssl->certs);
|
||||
if (elm == NULL) {
|
||||
elm = ngx_array_push(&ssl->certs);
|
||||
if (elm == NULL) {
|
||||
X509_free(x509);
|
||||
sk_X509_pop_free(chain, X509_free);
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
} else {
|
||||
X509_free(*elm);
|
||||
X509_free(x509);
|
||||
sk_X509_pop_free(chain, X509_free);
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
*elm = x509;
|
||||
|
|
@ -560,21 +513,11 @@ retry:
|
|||
}
|
||||
|
||||
#else
|
||||
{
|
||||
int n;
|
||||
|
||||
/* SSL_CTX_set0_chain() is only available in OpenSSL 1.0.2+ */
|
||||
|
||||
#ifdef SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS
|
||||
/* OpenSSL 1.0.1+ */
|
||||
SSL_CTX_clear_extra_chain_certs(ssl->ctx);
|
||||
#else
|
||||
|
||||
if (ssl->ctx->extra_certs) {
|
||||
sk_X509_pop_free(ssl->ctx->extra_certs, X509_free);
|
||||
ssl->ctx->extra_certs = NULL;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
n = sk_X509_num(chain);
|
||||
|
||||
while (n--) {
|
||||
|
|
@ -590,11 +533,10 @@ retry:
|
|||
}
|
||||
|
||||
sk_X509_free(chain);
|
||||
|
||||
}
|
||||
#endif
|
||||
|
||||
pkey = ngx_ssl_cache_fetch(cf, NGX_SSL_CACHE_PKEY | mask,
|
||||
&err, key, passwords);
|
||||
pkey = ngx_ssl_cache_fetch(cf, NGX_SSL_CACHE_PKEY, &err, key, passwords);
|
||||
if (pkey == NULL) {
|
||||
if (err != NULL) {
|
||||
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
||||
|
|
@ -606,23 +548,9 @@ retry:
|
|||
}
|
||||
|
||||
if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) {
|
||||
EVP_PKEY_free(pkey);
|
||||
|
||||
/* there can be mismatched pairs on uneven cache update */
|
||||
|
||||
n = ERR_peek_last_error();
|
||||
|
||||
if (ERR_GET_LIB(n) == ERR_LIB_X509
|
||||
&& ERR_GET_REASON(n) == X509_R_KEY_VALUES_MISMATCH
|
||||
&& mask == 0)
|
||||
{
|
||||
ERR_clear_error();
|
||||
mask = NGX_SSL_CACHE_INVALIDATE;
|
||||
goto retry;
|
||||
}
|
||||
|
||||
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
||||
"SSL_CTX_use_PrivateKey(\"%s\") failed", key->data);
|
||||
EVP_PKEY_free(pkey);
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
|
|
@ -730,197 +658,6 @@ retry:
|
|||
}
|
||||
|
||||
|
||||
ngx_int_t
|
||||
ngx_ssl_certificate_compression(ngx_conf_t *cf, ngx_ssl_t *ssl,
|
||||
ngx_uint_t enable)
|
||||
{
|
||||
if (!enable) {
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
#ifdef SSL_OP_NO_TX_CERTIFICATE_COMPRESSION
|
||||
|
||||
if (SSL_CTX_compress_certs(ssl->ctx, 0) == 0) {
|
||||
ngx_ssl_error(NGX_LOG_WARN, ssl->log, 0,
|
||||
"SSL_CTX_compress_certs() failed, ignored");
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TX_CERTIFICATE_COMPRESSION);
|
||||
|
||||
#elif (NGX_ZLIB && defined TLSEXT_cert_compression_zlib)
|
||||
|
||||
if (SSL_CTX_add_cert_compression_alg(ssl->ctx, TLSEXT_cert_compression_zlib,
|
||||
ngx_ssl_cert_compression_callback,
|
||||
NULL)
|
||||
== 0)
|
||||
{
|
||||
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
||||
"SSL_CTX_add_cert_compression_alg() failed");
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
#else
|
||||
|
||||
ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
|
||||
"\"ssl_certificate_compression\" is not supported "
|
||||
"on this platform, ignored");
|
||||
|
||||
#endif
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
|
||||
#if (NGX_ZLIB && defined TLSEXT_cert_compression_zlib)
|
||||
|
||||
static int
|
||||
ngx_ssl_cert_compression_callback(ngx_ssl_conn_t *ssl_conn, CBB *out,
|
||||
const uint8_t *in, size_t in_len)
|
||||
{
|
||||
int rc;
|
||||
X509 *cert;
|
||||
u_char *p;
|
||||
z_stream zstream;
|
||||
ngx_str_t *comp, tmp;
|
||||
ngx_pool_t *pool;
|
||||
ngx_connection_t *c;
|
||||
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
{
|
||||
SSL_CTX *ssl_ctx;
|
||||
ngx_ssl_t *ssl;
|
||||
|
||||
/* BoringSSL doesn't have certificate slots, we take the last set */
|
||||
|
||||
ssl_ctx = SSL_get_SSL_CTX(ssl_conn);
|
||||
ssl = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_index);
|
||||
cert = ((X509 **) ssl->certs.elts)[ssl->certs.nelts - 1];
|
||||
}
|
||||
#else
|
||||
|
||||
/*
|
||||
* AWS-LC saves leaf certificate in SSL to associate with SSL_CTX,
|
||||
* see https://github.com/aws/aws-lc/commit/e1ba2b3e5
|
||||
*/
|
||||
|
||||
cert = SSL_get_certificate(ssl_conn);
|
||||
|
||||
#endif
|
||||
|
||||
comp = X509_get_ex_data(cert, ngx_ssl_certificate_comp_index);
|
||||
|
||||
if (comp != NULL) {
|
||||
return CBB_add_bytes(out, comp->data, comp->len);
|
||||
}
|
||||
|
||||
c = ngx_ssl_get_connection(ssl_conn);
|
||||
|
||||
pool = ngx_create_pool(256, c->log);
|
||||
if (pool == NULL) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
pool->log = c->log;
|
||||
|
||||
ngx_memzero(&zstream, sizeof(z_stream));
|
||||
|
||||
zstream.zalloc = ngx_ssl_cert_compression_alloc;
|
||||
zstream.zfree = ngx_ssl_cert_compression_free;
|
||||
zstream.opaque = pool;
|
||||
|
||||
rc = deflateInit(&zstream, Z_DEFAULT_COMPRESSION);
|
||||
|
||||
if (rc != Z_OK) {
|
||||
ngx_log_error(NGX_LOG_ALERT, c->log, 0, "deflateInit() failed: %d", rc);
|
||||
goto error;
|
||||
}
|
||||
|
||||
tmp.len = deflateBound(&zstream, in_len);
|
||||
tmp.data = ngx_palloc(pool, tmp.len);
|
||||
if (tmp.data == NULL) {
|
||||
goto error;
|
||||
}
|
||||
|
||||
zstream.next_in = (u_char *) in;
|
||||
zstream.avail_in = in_len;
|
||||
zstream.next_out = tmp.data;
|
||||
zstream.avail_out = tmp.len;
|
||||
|
||||
rc = deflate(&zstream, Z_FINISH);
|
||||
|
||||
if (rc != Z_STREAM_END) {
|
||||
ngx_log_error(NGX_LOG_ALERT, c->log, 0,
|
||||
"deflate(Z_FINISH) failed: %d", rc);
|
||||
goto error;
|
||||
}
|
||||
|
||||
tmp.len -= zstream.avail_out;
|
||||
|
||||
rc = deflateEnd(&zstream);
|
||||
|
||||
if (rc != Z_OK) {
|
||||
ngx_log_error(NGX_LOG_ALERT, c->log, 0, "deflateEnd() failed: %d", rc);
|
||||
goto error;
|
||||
}
|
||||
|
||||
p = ngx_alloc(sizeof(ngx_str_t) + tmp.len, c->log);
|
||||
if (p == NULL) {
|
||||
goto error;
|
||||
}
|
||||
|
||||
comp = (ngx_str_t *) p;
|
||||
|
||||
comp->len = tmp.len;
|
||||
comp->data = p + sizeof(ngx_str_t);
|
||||
|
||||
ngx_memcpy(comp->data, tmp.data, tmp.len);
|
||||
|
||||
if (X509_set_ex_data(cert, ngx_ssl_certificate_comp_index, p) == 0) {
|
||||
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_set_ex_data() failed");
|
||||
ngx_free(p);
|
||||
}
|
||||
|
||||
rc = CBB_add_bytes(out, tmp.data, tmp.len);
|
||||
|
||||
ngx_destroy_pool(pool);
|
||||
|
||||
return rc;
|
||||
|
||||
error:
|
||||
|
||||
ngx_destroy_pool(pool);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
static void *
|
||||
ngx_ssl_cert_compression_alloc(void *opaque, u_int items, u_int size)
|
||||
{
|
||||
ngx_pool_t *pool = opaque;
|
||||
|
||||
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pool->log, 0,
|
||||
"cert compression alloc: n:%ud s:%ud", items, size);
|
||||
|
||||
return ngx_palloc(pool, items * size);
|
||||
}
|
||||
|
||||
|
||||
static void
|
||||
ngx_ssl_cert_compression_free(void *opaque, void *address)
|
||||
{
|
||||
#if 0
|
||||
ngx_pool_t *pool = opaque;
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, pool->log, 0,
|
||||
"cert compression free: %p", address);
|
||||
#endif
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
|
||||
ngx_int_t
|
||||
ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
|
||||
ngx_uint_t prefer_server_ciphers)
|
||||
|
|
@ -1575,8 +1312,6 @@ ngx_ssl_passwords_cleanup(void *data)
|
|||
ngx_int_t
|
||||
ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
|
||||
{
|
||||
#ifndef OPENSSL_NO_DH
|
||||
|
||||
BIO *bio;
|
||||
|
||||
if (file->len == 0) {
|
||||
|
|
@ -1636,7 +1371,7 @@ ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
|
|||
if (SSL_CTX_set0_tmp_dh_pkey(ssl->ctx, dh) != 1) {
|
||||
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
||||
"SSL_CTX_set0_tmp_dh_pkey(\"%s\") failed", file->data);
|
||||
#if (OPENSSL_VERSION_NUMBER >= 0x30000010L)
|
||||
#if (OPENSSL_VERSION_NUMBER >= 0x3000001fL)
|
||||
EVP_PKEY_free(dh);
|
||||
#endif
|
||||
BIO_free(bio);
|
||||
|
|
@ -1647,8 +1382,6 @@ ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
|
|||
|
||||
BIO_free(bio);
|
||||
|
||||
#endif
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
|
|
@ -1872,118 +1605,6 @@ ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
|
|||
}
|
||||
|
||||
|
||||
void
|
||||
ngx_ssl_set_client_hello_callback(SSL_CTX *ssl_ctx,
|
||||
ngx_ssl_client_hello_arg *cb)
|
||||
{
|
||||
#ifdef SSL_CLIENT_HELLO_SUCCESS
|
||||
|
||||
SSL_CTX_set_client_hello_cb(ssl_ctx, ngx_ssl_client_hello_callback, NULL);
|
||||
SSL_CTX_set_ex_data(ssl_ctx, ngx_ssl_client_hello_arg_index, cb);
|
||||
|
||||
#elif defined OPENSSL_IS_BORINGSSL
|
||||
|
||||
SSL_CTX_set_select_certificate_cb(ssl_ctx, ngx_ssl_select_certificate);
|
||||
SSL_CTX_set_ex_data(ssl_ctx, ngx_ssl_client_hello_arg_index, cb);
|
||||
|
||||
#endif
|
||||
}
|
||||
|
||||
|
||||
#ifdef SSL_CLIENT_HELLO_SUCCESS
|
||||
|
||||
int
|
||||
ngx_ssl_client_hello_callback(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
|
||||
{
|
||||
u_char *p;
|
||||
size_t len;
|
||||
ngx_int_t rc;
|
||||
ngx_str_t host;
|
||||
ngx_connection_t *c;
|
||||
ngx_ssl_client_hello_arg *cb;
|
||||
|
||||
c = ngx_ssl_get_connection(ssl_conn);
|
||||
cb = SSL_CTX_get_ex_data(c->ssl->session_ctx,
|
||||
ngx_ssl_client_hello_arg_index);
|
||||
|
||||
if (SSL_client_hello_get0_ext(ssl_conn, TLSEXT_TYPE_server_name,
|
||||
(const unsigned char **) &p, &len)
|
||||
== 0)
|
||||
{
|
||||
ngx_str_null(&host);
|
||||
goto done;
|
||||
}
|
||||
|
||||
/*
|
||||
* RFC 6066 mandates non-zero HostName length, we follow OpenSSL.
|
||||
* No more than one ServerName is expected.
|
||||
*/
|
||||
|
||||
if (len < 5
|
||||
|| (size_t) (p[0] << 8) + p[1] + 2 != len
|
||||
|| p[2] != TLSEXT_NAMETYPE_host_name
|
||||
|| (size_t) (p[3] << 8) + p[4] + 2 + 3 != len)
|
||||
{
|
||||
*ad = SSL_AD_DECODE_ERROR;
|
||||
return SSL_CLIENT_HELLO_ERROR;
|
||||
}
|
||||
|
||||
len -= 5;
|
||||
p += 5;
|
||||
|
||||
if (len > TLSEXT_MAXLEN_host_name || ngx_strlchr(p, p + len, '\0')) {
|
||||
*ad = SSL_AD_UNRECOGNIZED_NAME;
|
||||
return SSL_CLIENT_HELLO_ERROR;
|
||||
}
|
||||
|
||||
host.len = len;
|
||||
host.data = p;
|
||||
|
||||
done:
|
||||
|
||||
rc = cb->servername(ssl_conn, ad, &host);
|
||||
|
||||
if (rc == SSL_TLSEXT_ERR_ALERT_FATAL) {
|
||||
return SSL_CLIENT_HELLO_ERROR;
|
||||
}
|
||||
|
||||
return SSL_CLIENT_HELLO_SUCCESS;
|
||||
}
|
||||
|
||||
#elif defined OPENSSL_IS_BORINGSSL
|
||||
|
||||
enum ssl_select_cert_result_t ngx_ssl_select_certificate(
|
||||
const SSL_CLIENT_HELLO *client_hello)
|
||||
{
|
||||
int ad;
|
||||
ngx_int_t rc;
|
||||
ngx_ssl_conn_t *ssl_conn;
|
||||
ngx_connection_t *c;
|
||||
ngx_ssl_client_hello_arg *cb;
|
||||
|
||||
ssl_conn = client_hello->ssl;
|
||||
c = ngx_ssl_get_connection(ssl_conn);
|
||||
cb = SSL_CTX_get_ex_data(c->ssl->session_ctx,
|
||||
ngx_ssl_client_hello_arg_index);
|
||||
|
||||
/*
|
||||
* BoringSSL sends a hardcoded "handshake_failure" alert on errors,
|
||||
* we use it to map SSL_AD_INTERNAL_ERROR. To preserve other alert
|
||||
* values, error handling is postponed to the servername callback.
|
||||
*/
|
||||
|
||||
rc = cb->servername(ssl_conn, &ad, NULL);
|
||||
|
||||
if (rc == SSL_TLSEXT_ERR_ALERT_FATAL && ad == SSL_AD_INTERNAL_ERROR) {
|
||||
return ssl_select_cert_error;
|
||||
}
|
||||
|
||||
return ssl_select_cert_success;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
|
||||
ngx_int_t
|
||||
ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
|
||||
{
|
||||
|
|
@ -3673,7 +3294,7 @@ ngx_ssl_shutdown_handler(ngx_event_t *ev)
|
|||
}
|
||||
|
||||
|
||||
void
|
||||
static void
|
||||
ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
|
||||
char *text)
|
||||
{
|
||||
|
|
@ -4268,6 +3889,7 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
|
|||
ngx_slab_pool_t *shpool;
|
||||
ngx_ssl_sess_id_t *sess_id;
|
||||
ngx_ssl_session_cache_t *cache;
|
||||
u_char buf[NGX_SSL_MAX_SESSION_SIZE];
|
||||
|
||||
#ifdef TLS1_3_VERSION
|
||||
|
||||
|
|
@ -4294,7 +3916,7 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
|
|||
return 0;
|
||||
}
|
||||
|
||||
p = ngx_ssl_session_buffer;
|
||||
p = buf;
|
||||
i2d_SSL_SESSION(sess, &p);
|
||||
|
||||
session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length);
|
||||
|
|
@ -4358,7 +3980,7 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
|
|||
|
||||
#endif
|
||||
|
||||
ngx_memcpy(sess_id->session, ngx_ssl_session_buffer, len);
|
||||
ngx_memcpy(sess_id->session, buf, len);
|
||||
ngx_memcpy(sess_id->id, session_id, session_id_length);
|
||||
|
||||
hash = ngx_crc32_short(session_id, session_id_length);
|
||||
|
|
@ -4412,11 +4034,12 @@ ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn,
|
|||
const u_char *p;
|
||||
ngx_shm_zone_t *shm_zone;
|
||||
ngx_slab_pool_t *shpool;
|
||||
ngx_connection_t *c;
|
||||
ngx_rbtree_node_t *node, *sentinel;
|
||||
ngx_ssl_session_t *sess;
|
||||
ngx_ssl_sess_id_t *sess_id;
|
||||
ngx_ssl_session_cache_t *cache;
|
||||
u_char buf[NGX_SSL_MAX_SESSION_SIZE];
|
||||
ngx_connection_t *c;
|
||||
|
||||
hash = ngx_crc32_short((u_char *) (uintptr_t) id, (size_t) len);
|
||||
*copy = 0;
|
||||
|
|
@ -4464,11 +4087,11 @@ ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn,
|
|||
if (sess_id->expire > ngx_time()) {
|
||||
slen = sess_id->len;
|
||||
|
||||
ngx_memcpy(ngx_ssl_session_buffer, sess_id->session, slen);
|
||||
ngx_memcpy(buf, sess_id->session, slen);
|
||||
|
||||
ngx_shmtx_unlock(&shpool->mutex);
|
||||
|
||||
p = ngx_ssl_session_buffer;
|
||||
p = buf;
|
||||
sess = d2i_SSL_SESSION(NULL, &p, slen);
|
||||
|
||||
return sess;
|
||||
|
|
@ -5131,19 +4754,10 @@ ngx_ssl_cleanup_ctx(void *data)
|
|||
ngx_ssl_t *ssl = data;
|
||||
|
||||
X509 *cert;
|
||||
u_char *p;
|
||||
ngx_uint_t i;
|
||||
|
||||
for (i = 0; i < ssl->certs.nelts; i++) {
|
||||
cert = ((X509 **) ssl->certs.elts)[i];
|
||||
|
||||
p = X509_get_ex_data(cert, ngx_ssl_certificate_comp_index);
|
||||
|
||||
if (p) {
|
||||
ngx_free(p);
|
||||
X509_set_ex_data(cert, ngx_ssl_certificate_comp_index, NULL);
|
||||
}
|
||||
|
||||
X509_free(cert);
|
||||
}
|
||||
|
||||
|
|
@ -5425,8 +5039,7 @@ ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
|||
{
|
||||
#ifdef SSL_get_negotiated_group
|
||||
|
||||
int nid;
|
||||
const char *name;
|
||||
int nid;
|
||||
|
||||
nid = SSL_get_negotiated_group(c->ssl->connection);
|
||||
|
||||
|
|
@ -5438,20 +5051,14 @@ ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
|||
return NGX_OK;
|
||||
}
|
||||
|
||||
name = SSL_group_to_name(c->ssl->connection, nid);
|
||||
s->len = sizeof("0x0000") - 1;
|
||||
|
||||
s->len = name ? ngx_strlen(name) : sizeof("0x0000") - 1;
|
||||
s->data = ngx_pnalloc(pool, s->len);
|
||||
if (s->data == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (name) {
|
||||
ngx_memcpy(s->data, name, s->len);
|
||||
|
||||
} else {
|
||||
ngx_sprintf(s->data, "0x%04xd", nid & 0xffff);
|
||||
}
|
||||
ngx_sprintf(s->data, "0x%04xd", nid & 0xffff);
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
|
@ -5471,7 +5078,6 @@ ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
|||
int *curves, n, i, nid;
|
||||
u_char *p;
|
||||
size_t len;
|
||||
const char *name;
|
||||
|
||||
n = SSL_get1_curves(c->ssl->connection, NULL);
|
||||
|
||||
|
|
@ -5492,9 +5098,7 @@ ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
|||
nid = curves[i];
|
||||
|
||||
if (nid & TLSEXT_nid_unknown) {
|
||||
name = SSL_group_to_name(c->ssl->connection, nid);
|
||||
|
||||
len += name ? ngx_strlen(name) : sizeof("0x0000") - 1;
|
||||
len += sizeof("0x0000") - 1;
|
||||
|
||||
} else {
|
||||
len += ngx_strlen(OBJ_nid2sn(nid));
|
||||
|
|
@ -5514,10 +5118,7 @@ ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
|||
nid = curves[i];
|
||||
|
||||
if (nid & TLSEXT_nid_unknown) {
|
||||
name = SSL_group_to_name(c->ssl->connection, nid);
|
||||
|
||||
p = name ? ngx_cpymem(p, name, ngx_strlen(name))
|
||||
: ngx_sprintf(p, "0x%04xd", nid & 0xffff);
|
||||
p = ngx_sprintf(p, "0x%04xd", nid & 0xffff);
|
||||
|
||||
} else {
|
||||
p = ngx_sprintf(p, "%s", OBJ_nid2sn(nid));
|
||||
|
|
|
|||
|
|
@ -19,13 +19,19 @@
|
|||
#include <openssl/bn.h>
|
||||
#include <openssl/conf.h>
|
||||
#include <openssl/crypto.h>
|
||||
#ifndef OPENSSL_NO_DH
|
||||
#include <openssl/dh.h>
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
#include <openssl/engine.h>
|
||||
#endif
|
||||
#include <openssl/evp.h>
|
||||
#if (NGX_QUIC)
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
#include <openssl/hkdf.h>
|
||||
#include <openssl/chacha.h>
|
||||
#else
|
||||
#include <openssl/kdf.h>
|
||||
#endif
|
||||
#endif
|
||||
#include <openssl/hmac.h>
|
||||
#ifndef OPENSSL_NO_OCSP
|
||||
#include <openssl/ocsp.h>
|
||||
|
|
@ -77,22 +83,6 @@
|
|||
#endif
|
||||
|
||||
|
||||
#ifdef OPENSSL_NO_DEPRECATED_3_4
|
||||
#define SSL_SESSION_get_time(s) SSL_SESSION_get_time_ex(s)
|
||||
#define SSL_SESSION_set_time(s, t) SSL_SESSION_set_time_ex(s, t)
|
||||
#endif
|
||||
|
||||
|
||||
#ifdef OPENSSL_NO_DEPRECATED_3_0
|
||||
#define EVP_CIPHER_CTX_cipher(c) EVP_CIPHER_CTX_get0_cipher(c)
|
||||
#endif
|
||||
|
||||
|
||||
#if (OPENSSL_VERSION_NUMBER < 0x30000000L)
|
||||
#define SSL_group_to_name(s, nid) NULL
|
||||
#endif
|
||||
|
||||
|
||||
typedef struct ngx_ssl_ocsp_s ngx_ssl_ocsp_t;
|
||||
|
||||
|
||||
|
|
@ -143,7 +133,6 @@ struct ngx_ssl_connection_s {
|
|||
unsigned in_ocsp:1;
|
||||
unsigned early_preread:1;
|
||||
unsigned write_blocked:1;
|
||||
unsigned sni_accepted:1;
|
||||
};
|
||||
|
||||
|
||||
|
|
@ -153,7 +142,7 @@ struct ngx_ssl_connection_s {
|
|||
#define NGX_SSL_DFLT_BUILTIN_SCACHE -5
|
||||
|
||||
|
||||
#define NGX_SSL_MAX_SESSION_SIZE 8192
|
||||
#define NGX_SSL_MAX_SESSION_SIZE 4096
|
||||
|
||||
typedef struct ngx_ssl_sess_id_s ngx_ssl_sess_id_t;
|
||||
|
||||
|
|
@ -190,13 +179,6 @@ typedef struct {
|
|||
} ngx_ssl_session_cache_t;
|
||||
|
||||
|
||||
typedef int (*ngx_ssl_servername_pt)(ngx_ssl_conn_t *, int *, void *);
|
||||
|
||||
typedef struct {
|
||||
ngx_ssl_servername_pt servername;
|
||||
} ngx_ssl_client_hello_arg;
|
||||
|
||||
|
||||
#define NGX_SSL_SSLv2 0x0002
|
||||
#define NGX_SSL_SSLv3 0x0004
|
||||
#define NGX_SSL_TLSv1 0x0008
|
||||
|
|
@ -236,8 +218,6 @@ ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
|
|||
ngx_int_t ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
|
||||
ngx_str_t *cert, ngx_str_t *key, ngx_ssl_cache_t *cache,
|
||||
ngx_array_t *passwords);
|
||||
ngx_int_t ngx_ssl_certificate_compression(ngx_conf_t *cf, ngx_ssl_t *ssl,
|
||||
ngx_uint_t enable);
|
||||
|
||||
ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
|
||||
ngx_uint_t prefer_server_ciphers);
|
||||
|
|
@ -286,15 +266,6 @@ ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
|
|||
ngx_array_t *paths);
|
||||
ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
|
||||
|
||||
void ngx_ssl_set_client_hello_callback(SSL_CTX *ssl_ctx,
|
||||
ngx_ssl_client_hello_arg *cb);
|
||||
#ifdef SSL_CLIENT_HELLO_SUCCESS
|
||||
int ngx_ssl_client_hello_callback(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);
|
||||
#elif defined OPENSSL_IS_BORINGSSL
|
||||
enum ssl_select_cert_result_t ngx_ssl_select_certificate(
|
||||
const SSL_CLIENT_HELLO *client_hello);
|
||||
#endif
|
||||
|
||||
ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
|
||||
ngx_uint_t flags);
|
||||
|
||||
|
|
@ -377,8 +348,6 @@ ngx_chain_t *ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in,
|
|||
off_t limit);
|
||||
void ngx_ssl_free_buffer(ngx_connection_t *c);
|
||||
ngx_int_t ngx_ssl_shutdown(ngx_connection_t *c);
|
||||
void ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
|
||||
char *text);
|
||||
void ngx_cdecl ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err,
|
||||
char *fmt, ...);
|
||||
void ngx_ssl_cleanup_ctx(void *data);
|
||||
|
|
@ -391,11 +360,6 @@ extern int ngx_ssl_ticket_keys_index;
|
|||
extern int ngx_ssl_ocsp_index;
|
||||
extern int ngx_ssl_index;
|
||||
extern int ngx_ssl_certificate_name_index;
|
||||
extern int ngx_ssl_certificate_comp_index;
|
||||
extern int ngx_ssl_client_hello_arg_index;
|
||||
|
||||
|
||||
extern u_char ngx_ssl_session_buffer[NGX_SSL_MAX_SESSION_SIZE];
|
||||
|
||||
|
||||
#endif /* _NGX_EVENT_OPENSSL_H_INCLUDED_ */
|
||||
|
|
|
|||
|
|
@ -8,16 +8,10 @@
|
|||
#include <ngx_core.h>
|
||||
#include <ngx_event.h>
|
||||
|
||||
#ifdef ERR_R_OSSL_STORE_LIB
|
||||
#include <openssl/store.h>
|
||||
#include <openssl/ui.h>
|
||||
#endif
|
||||
|
||||
|
||||
#define NGX_SSL_CACHE_PATH 0
|
||||
#define NGX_SSL_CACHE_DATA 1
|
||||
#define NGX_SSL_CACHE_ENGINE 2
|
||||
#define NGX_SSL_CACHE_STORE 3
|
||||
|
||||
#define NGX_SSL_CACHE_DISABLED (ngx_array_t *) (uintptr_t) -1
|
||||
|
||||
|
|
@ -122,8 +116,6 @@ static void ngx_ssl_cache_node_insert(ngx_rbtree_node_t *temp,
|
|||
static void ngx_ssl_cache_node_free(ngx_rbtree_t *rbtree,
|
||||
ngx_ssl_cache_node_t *cn);
|
||||
|
||||
static ngx_int_t ngx_openssl_cache_init_worker(ngx_cycle_t *cycle);
|
||||
|
||||
|
||||
static ngx_command_t ngx_openssl_cache_commands[] = {
|
||||
|
||||
|
|
@ -152,7 +144,7 @@ ngx_module_t ngx_openssl_cache_module = {
|
|||
NGX_CORE_MODULE, /* module type */
|
||||
NULL, /* init master */
|
||||
NULL, /* init module */
|
||||
ngx_openssl_cache_init_worker, /* init process */
|
||||
NULL, /* init process */
|
||||
NULL, /* init thread */
|
||||
NULL, /* exit thread */
|
||||
NULL, /* exit process */
|
||||
|
|
@ -193,7 +185,6 @@ ngx_ssl_cache_fetch(ngx_conf_t *cf, ngx_uint_t index, char **err,
|
|||
time_t mtime;
|
||||
uint32_t hash;
|
||||
ngx_int_t rc;
|
||||
ngx_uint_t invalidate;
|
||||
ngx_file_uniq_t uniq;
|
||||
ngx_file_info_t fi;
|
||||
ngx_ssl_cache_t *cache, *old_cache;
|
||||
|
|
@ -203,17 +194,10 @@ ngx_ssl_cache_fetch(ngx_conf_t *cf, ngx_uint_t index, char **err,
|
|||
|
||||
*err = NULL;
|
||||
|
||||
invalidate = index & NGX_SSL_CACHE_INVALIDATE;
|
||||
index &= ~NGX_SSL_CACHE_INVALIDATE;
|
||||
|
||||
if (ngx_ssl_cache_init_key(cf->pool, index, path, &id) != NGX_OK) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (id.type == NGX_SSL_CACHE_DATA) {
|
||||
invalidate = 0;
|
||||
}
|
||||
|
||||
cache = (ngx_ssl_cache_t *) ngx_get_conf(cf->cycle->conf_ctx,
|
||||
ngx_openssl_cache_module);
|
||||
|
||||
|
|
@ -223,12 +207,7 @@ ngx_ssl_cache_fetch(ngx_conf_t *cf, ngx_uint_t index, char **err,
|
|||
cn = ngx_ssl_cache_lookup(cache, type, &id, hash);
|
||||
|
||||
if (cn != NULL) {
|
||||
if (!invalidate) {
|
||||
return type->ref(err, cn->value);
|
||||
}
|
||||
|
||||
type->free(cn->value);
|
||||
ngx_rbtree_delete(&cache->rbtree, &cn->node);
|
||||
return type->ref(err, cn->value);
|
||||
}
|
||||
|
||||
value = NULL;
|
||||
|
|
@ -249,7 +228,7 @@ ngx_ssl_cache_fetch(ngx_conf_t *cf, ngx_uint_t index, char **err,
|
|||
|
||||
old_cache = ngx_ssl_cache_get_old_conf(cf->cycle);
|
||||
|
||||
if (old_cache && old_cache->inheritable && !invalidate) {
|
||||
if (old_cache && old_cache->inheritable) {
|
||||
cn = ngx_ssl_cache_lookup(old_cache, type, &id, hash);
|
||||
|
||||
if (cn != NULL) {
|
||||
|
|
@ -465,11 +444,6 @@ ngx_ssl_cache_init_key(ngx_pool_t *pool, ngx_uint_t index, ngx_str_t *path,
|
|||
{
|
||||
id->type = NGX_SSL_CACHE_ENGINE;
|
||||
|
||||
} else if (index == NGX_SSL_CACHE_PKEY
|
||||
&& ngx_strncmp(path->data, "store:", sizeof("store:") - 1) == 0)
|
||||
{
|
||||
id->type = NGX_SSL_CACHE_STORE;
|
||||
|
||||
} else {
|
||||
if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, path)
|
||||
!= NGX_OK)
|
||||
|
|
@ -720,7 +694,7 @@ ngx_ssl_cache_pkey_create(ngx_ssl_cache_key_t *id, char **err, void *data)
|
|||
return NULL;
|
||||
}
|
||||
|
||||
pkey = ENGINE_load_private_key(engine, (char *) last, NULL, NULL);
|
||||
pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
|
||||
|
||||
if (pkey == NULL) {
|
||||
*err = "ENGINE_load_private_key() failed";
|
||||
|
|
@ -740,6 +714,11 @@ ngx_ssl_cache_pkey_create(ngx_ssl_cache_key_t *id, char **err, void *data)
|
|||
#endif
|
||||
}
|
||||
|
||||
bio = ngx_ssl_cache_create_bio(id, err);
|
||||
if (bio == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
cb_data.encrypted = 0;
|
||||
|
||||
if (*passwords) {
|
||||
|
|
@ -755,76 +734,6 @@ ngx_ssl_cache_pkey_create(ngx_ssl_cache_key_t *id, char **err, void *data)
|
|||
cb = NULL;
|
||||
}
|
||||
|
||||
if (id->type == NGX_SSL_CACHE_STORE) {
|
||||
|
||||
#ifdef ERR_R_OSSL_STORE_LIB
|
||||
|
||||
u_char *uri;
|
||||
UI_METHOD *method;
|
||||
OSSL_STORE_CTX *store;
|
||||
OSSL_STORE_INFO *info;
|
||||
|
||||
method = (cb != NULL) ? UI_UTIL_wrap_read_pem_callback(cb, 0) : NULL;
|
||||
uri = id->data + sizeof("store:") - 1;
|
||||
|
||||
store = OSSL_STORE_open((char *) uri, method, pwd, NULL, NULL);
|
||||
|
||||
if (store == NULL) {
|
||||
*err = "OSSL_STORE_open() failed";
|
||||
|
||||
if (method != NULL) {
|
||||
UI_destroy_method(method);
|
||||
}
|
||||
|
||||
return NULL;
|
||||
}
|
||||
|
||||
pkey = NULL;
|
||||
|
||||
while (pkey == NULL && !OSSL_STORE_eof(store)) {
|
||||
info = OSSL_STORE_load(store);
|
||||
|
||||
if (info == NULL) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) {
|
||||
pkey = OSSL_STORE_INFO_get1_PKEY(info);
|
||||
}
|
||||
|
||||
OSSL_STORE_INFO_free(info);
|
||||
}
|
||||
|
||||
OSSL_STORE_close(store);
|
||||
|
||||
if (method != NULL) {
|
||||
UI_destroy_method(method);
|
||||
}
|
||||
|
||||
if (pkey == NULL) {
|
||||
*err = "OSSL_STORE_load() failed";
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (cb_data.encrypted) {
|
||||
*passwords = NGX_SSL_CACHE_DISABLED;
|
||||
}
|
||||
|
||||
return pkey;
|
||||
|
||||
#else
|
||||
|
||||
*err = "loading \"store:...\" certificate keys is not supported";
|
||||
return NULL;
|
||||
|
||||
#endif
|
||||
}
|
||||
|
||||
bio = ngx_ssl_cache_create_bio(id, err);
|
||||
if (bio == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
for ( ;; ) {
|
||||
|
||||
pkey = PEM_read_bio_PrivateKey(bio, NULL, cb, pwd);
|
||||
|
|
@ -1248,20 +1157,3 @@ ngx_ssl_cache_node_insert(ngx_rbtree_node_t *temp,
|
|||
node->right = sentinel;
|
||||
ngx_rbt_red(node);
|
||||
}
|
||||
|
||||
|
||||
static ngx_int_t
|
||||
ngx_openssl_cache_init_worker(ngx_cycle_t *cycle)
|
||||
{
|
||||
#ifdef ERR_R_OSSL_STORE_LIB
|
||||
|
||||
if (ngx_process != NGX_PROCESS_WORKER) {
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
UI_set_default_method(UI_null());
|
||||
|
||||
#endif
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -72,7 +72,7 @@ ngx_quic_connstate_dbg(ngx_connection_t *c)
|
|||
|
||||
if (qc) {
|
||||
|
||||
if (qc->error) {
|
||||
if (qc->error != (ngx_uint_t) -1) {
|
||||
p = ngx_slprintf(p, last, "%s", qc->error_app ? " app" : "");
|
||||
p = ngx_slprintf(p, last, " error:%ui", qc->error);
|
||||
|
||||
|
|
@ -135,9 +135,6 @@ ngx_quic_apply_transport_params(ngx_connection_t *c, ngx_quic_tp_t *ctp)
|
|||
if (scid.len != ctp->initial_scid.len
|
||||
|| ngx_memcmp(scid.data, ctp->initial_scid.data, scid.len) != 0)
|
||||
{
|
||||
qc->error = NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR;
|
||||
qc->error_reason = "invalid initial_source_connection_id";
|
||||
|
||||
ngx_log_error(NGX_LOG_INFO, c->log, 0,
|
||||
"quic client initial_source_connection_id mismatch");
|
||||
return NGX_ERROR;
|
||||
|
|
@ -260,9 +257,9 @@ ngx_quic_new_connection(ngx_connection_t *c, ngx_quic_conf_t *conf,
|
|||
qc->send_ctx[i].pending_ack = NGX_QUIC_UNSET_PN;
|
||||
}
|
||||
|
||||
qc->send_ctx[0].level = NGX_QUIC_ENCRYPTION_INITIAL;
|
||||
qc->send_ctx[1].level = NGX_QUIC_ENCRYPTION_HANDSHAKE;
|
||||
qc->send_ctx[2].level = NGX_QUIC_ENCRYPTION_APPLICATION;
|
||||
qc->send_ctx[0].level = ssl_encryption_initial;
|
||||
qc->send_ctx[1].level = ssl_encryption_handshake;
|
||||
qc->send_ctx[2].level = ssl_encryption_application;
|
||||
|
||||
ngx_queue_init(&qc->free_frames);
|
||||
|
||||
|
|
@ -311,16 +308,11 @@ ngx_quic_new_connection(ngx_connection_t *c, ngx_quic_conf_t *conf,
|
|||
qc->streams.client_max_streams_uni = qc->tp.initial_max_streams_uni;
|
||||
qc->streams.client_max_streams_bidi = qc->tp.initial_max_streams_bidi;
|
||||
|
||||
qc->congestion.window = ngx_min(10 * NGX_QUIC_MIN_INITIAL_SIZE,
|
||||
ngx_max(2 * NGX_QUIC_MIN_INITIAL_SIZE,
|
||||
qc->congestion.window = ngx_min(10 * qc->tp.max_udp_payload_size,
|
||||
ngx_max(2 * qc->tp.max_udp_payload_size,
|
||||
14720));
|
||||
qc->congestion.ssthresh = (size_t) -1;
|
||||
qc->congestion.mtu = NGX_QUIC_MIN_INITIAL_SIZE;
|
||||
qc->congestion.recovery_start = ngx_current_msec - 1;
|
||||
|
||||
qc->max_frames = (conf->max_concurrent_streams_uni
|
||||
+ conf->max_concurrent_streams_bidi)
|
||||
* conf->stream_buffer_size / 2000;
|
||||
qc->congestion.recovery_start = ngx_current_msec;
|
||||
|
||||
if (pkt->validated && pkt->retried) {
|
||||
qc->tp.retry_scid.len = pkt->dcid.len;
|
||||
|
|
@ -520,7 +512,7 @@ ngx_quic_close_connection(ngx_connection_t *c, ngx_int_t rc)
|
|||
* to terminate the connection immediately.
|
||||
*/
|
||||
|
||||
if (qc->error == 0 && rc == NGX_ERROR) {
|
||||
if (qc->error == (ngx_uint_t) -1) {
|
||||
qc->error = NGX_QUIC_ERR_INTERNAL_ERROR;
|
||||
qc->error_app = 0;
|
||||
}
|
||||
|
|
@ -800,13 +792,13 @@ ngx_quic_handle_packet(ngx_connection_t *c, ngx_quic_conf_t *conf,
|
|||
pkt->dcid.len, &pkt->dcid);
|
||||
|
||||
#if (NGX_DEBUG)
|
||||
if (pkt->level != NGX_QUIC_ENCRYPTION_APPLICATION) {
|
||||
if (pkt->level != ssl_encryption_application) {
|
||||
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic packet rx scid len:%uz %xV",
|
||||
pkt->scid.len, &pkt->scid);
|
||||
}
|
||||
|
||||
if (pkt->level == NGX_QUIC_ENCRYPTION_INITIAL) {
|
||||
if (pkt->level == ssl_encryption_initial) {
|
||||
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic address validation token len:%uz %xV",
|
||||
pkt->token.len, &pkt->token);
|
||||
|
|
@ -823,7 +815,7 @@ ngx_quic_handle_packet(ngx_connection_t *c, ngx_quic_conf_t *conf,
|
|||
return NGX_DECLINED;
|
||||
}
|
||||
|
||||
if (pkt->level != NGX_QUIC_ENCRYPTION_APPLICATION) {
|
||||
if (pkt->level != ssl_encryption_application) {
|
||||
|
||||
if (pkt->version != qc->version) {
|
||||
ngx_log_error(NGX_LOG_INFO, c->log, 0,
|
||||
|
|
@ -853,9 +845,7 @@ ngx_quic_handle_packet(ngx_connection_t *c, ngx_quic_conf_t *conf,
|
|||
|
||||
rc = ngx_quic_handle_payload(c, pkt);
|
||||
|
||||
if (rc == NGX_DECLINED
|
||||
&& pkt->level == NGX_QUIC_ENCRYPTION_APPLICATION)
|
||||
{
|
||||
if (rc == NGX_DECLINED && pkt->level == ssl_encryption_application) {
|
||||
if (ngx_quic_handle_stateless_reset(c, pkt) == NGX_OK) {
|
||||
ngx_log_error(NGX_LOG_INFO, c->log, 0,
|
||||
"quic stateless reset packet detected");
|
||||
|
|
@ -876,11 +866,11 @@ ngx_quic_handle_packet(ngx_connection_t *c, ngx_quic_conf_t *conf,
|
|||
return ngx_quic_negotiate_version(c, pkt);
|
||||
}
|
||||
|
||||
if (pkt->level == NGX_QUIC_ENCRYPTION_APPLICATION) {
|
||||
if (pkt->level == ssl_encryption_application) {
|
||||
return ngx_quic_send_stateless_reset(c, conf, pkt);
|
||||
}
|
||||
|
||||
if (pkt->level != NGX_QUIC_ENCRYPTION_INITIAL) {
|
||||
if (pkt->level != ssl_encryption_initial) {
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic expected initial, got handshake");
|
||||
return NGX_ERROR;
|
||||
|
|
@ -963,8 +953,8 @@ ngx_quic_handle_payload(ngx_connection_t *c, ngx_quic_header_t *pkt)
|
|||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
|
||||
qc->error = 0;
|
||||
qc->error_reason = NULL;
|
||||
qc->error = (ngx_uint_t) -1;
|
||||
qc->error_reason = 0;
|
||||
|
||||
c->log->action = "decrypting packet";
|
||||
|
||||
|
|
@ -975,10 +965,10 @@ ngx_quic_handle_payload(ngx_connection_t *c, ngx_quic_header_t *pkt)
|
|||
return NGX_DECLINED;
|
||||
}
|
||||
|
||||
#if (NGX_QUIC_QUICTLS_API)
|
||||
/* QuicTLS provides app read keys before completing handshake */
|
||||
#if !defined (OPENSSL_IS_BORINGSSL)
|
||||
/* OpenSSL provides read keys for an application level before it's ready */
|
||||
|
||||
if (pkt->level == NGX_QUIC_ENCRYPTION_APPLICATION && !c->ssl->handshaked) {
|
||||
if (pkt->level == ssl_encryption_application && !c->ssl->handshaked) {
|
||||
ngx_log_error(NGX_LOG_INFO, c->log, 0,
|
||||
"quic no %s keys ready, ignoring packet",
|
||||
ngx_quic_level_name(pkt->level));
|
||||
|
|
@ -1016,14 +1006,14 @@ ngx_quic_handle_payload(ngx_connection_t *c, ngx_quic_header_t *pkt)
|
|||
}
|
||||
}
|
||||
|
||||
if (pkt->level == NGX_QUIC_ENCRYPTION_HANDSHAKE) {
|
||||
if (pkt->level == ssl_encryption_handshake) {
|
||||
/*
|
||||
* RFC 9001, 4.9.1. Discarding Initial Keys
|
||||
*
|
||||
* The successful use of Handshake packets indicates
|
||||
* that no more Initial packets need to be exchanged
|
||||
*/
|
||||
ngx_quic_discard_ctx(c, NGX_QUIC_ENCRYPTION_INITIAL);
|
||||
ngx_quic_discard_ctx(c, ssl_encryption_initial);
|
||||
|
||||
if (!qc->path->validated) {
|
||||
qc->path->validated = 1;
|
||||
|
|
@ -1032,14 +1022,14 @@ ngx_quic_handle_payload(ngx_connection_t *c, ngx_quic_header_t *pkt)
|
|||
}
|
||||
}
|
||||
|
||||
if (pkt->level == NGX_QUIC_ENCRYPTION_APPLICATION) {
|
||||
if (pkt->level == ssl_encryption_application) {
|
||||
/*
|
||||
* RFC 9001, 4.9.3. Discarding 0-RTT Keys
|
||||
*
|
||||
* After receiving a 1-RTT packet, servers MUST discard
|
||||
* 0-RTT keys within a short time
|
||||
*/
|
||||
ngx_quic_keys_discard(qc->keys, NGX_QUIC_ENCRYPTION_EARLY_DATA);
|
||||
ngx_quic_keys_discard(qc->keys, ssl_encryption_early_data);
|
||||
}
|
||||
|
||||
if (qc->closing) {
|
||||
|
|
@ -1066,7 +1056,7 @@ ngx_quic_handle_payload(ngx_connection_t *c, ngx_quic_header_t *pkt)
|
|||
|
||||
c->log->action = "handling payload";
|
||||
|
||||
if (pkt->level != NGX_QUIC_ENCRYPTION_APPLICATION) {
|
||||
if (pkt->level != ssl_encryption_application) {
|
||||
return ngx_quic_handle_frames(c, pkt);
|
||||
}
|
||||
|
||||
|
|
@ -1091,7 +1081,7 @@ ngx_quic_handle_payload(ngx_connection_t *c, ngx_quic_header_t *pkt)
|
|||
|
||||
|
||||
void
|
||||
ngx_quic_discard_ctx(ngx_connection_t *c, ngx_uint_t level)
|
||||
ngx_quic_discard_ctx(ngx_connection_t *c, enum ssl_encryption_level_t level)
|
||||
{
|
||||
ngx_queue_t *q;
|
||||
ngx_quic_frame_t *f;
|
||||
|
|
@ -1132,7 +1122,7 @@ ngx_quic_discard_ctx(ngx_connection_t *c, ngx_uint_t level)
|
|||
ngx_quic_free_frame(c, f);
|
||||
}
|
||||
|
||||
if (level == NGX_QUIC_ENCRYPTION_INITIAL) {
|
||||
if (level == ssl_encryption_initial) {
|
||||
/* close temporary listener with initial dcid */
|
||||
qsock = ngx_quic_find_socket(c, NGX_QUIC_UNSET_PN);
|
||||
if (qsock) {
|
||||
|
|
|
|||
|
|
@ -12,22 +12,6 @@
|
|||
#include <ngx_core.h>
|
||||
|
||||
|
||||
#if (OPENSSL_VERSION_NUMBER >= 0x30500010L)
|
||||
#define NGX_QUIC_OPENSSL_API 1
|
||||
|
||||
#elif (defined SSL_R_MISSING_QUIC_TRANSPORT_PARAMETERS_EXTENSION)
|
||||
#define NGX_QUIC_QUICTLS_API 1
|
||||
|
||||
#elif (defined OPENSSL_IS_BORINGSSL || defined OPENSSL_IS_AWSLC \
|
||||
|| defined LIBRESSL_VERSION_NUMBER)
|
||||
#define NGX_QUIC_BORINGSSL_API 1
|
||||
|
||||
#else
|
||||
#define NGX_QUIC_BORINGSSL_API 1
|
||||
#define NGX_QUIC_OPENSSL_COMPAT 1
|
||||
#endif
|
||||
|
||||
|
||||
#define NGX_QUIC_MAX_UDP_PAYLOAD_SIZE 65527
|
||||
|
||||
#define NGX_QUIC_DEFAULT_ACK_DELAY_EXPONENT 3
|
||||
|
|
|
|||
|
|
@ -20,10 +20,6 @@
|
|||
/* RFC 9002, 7.6.1. Duration: kPersistentCongestionThreshold */
|
||||
#define NGX_QUIC_PERSISTENT_CONGESTION_THR 3
|
||||
|
||||
/* CUBIC parameters x10 */
|
||||
#define NGX_QUIC_CUBIC_BETA 7
|
||||
#define NGX_QUIC_CUBIC_C 4
|
||||
|
||||
|
||||
/* send time of ACK'ed packets */
|
||||
typedef struct {
|
||||
|
|
@ -33,22 +29,18 @@ typedef struct {
|
|||
} ngx_quic_ack_stat_t;
|
||||
|
||||
|
||||
static ngx_inline ngx_msec_t ngx_quic_time_threshold(ngx_quic_connection_t *qc);
|
||||
static uint64_t ngx_quic_packet_threshold(ngx_quic_send_ctx_t *ctx);
|
||||
static ngx_inline ngx_msec_t ngx_quic_lost_threshold(ngx_quic_connection_t *qc);
|
||||
static void ngx_quic_rtt_sample(ngx_connection_t *c, ngx_quic_ack_frame_t *ack,
|
||||
ngx_uint_t level, ngx_msec_t send_time);
|
||||
enum ssl_encryption_level_t level, ngx_msec_t send_time);
|
||||
static ngx_int_t ngx_quic_handle_ack_frame_range(ngx_connection_t *c,
|
||||
ngx_quic_send_ctx_t *ctx, uint64_t min, uint64_t max,
|
||||
ngx_quic_ack_stat_t *st);
|
||||
static size_t ngx_quic_congestion_cubic(ngx_connection_t *c);
|
||||
static void ngx_quic_drop_ack_ranges(ngx_connection_t *c,
|
||||
ngx_quic_send_ctx_t *ctx, uint64_t pn);
|
||||
static ngx_int_t ngx_quic_detect_lost(ngx_connection_t *c,
|
||||
ngx_quic_ack_stat_t *st);
|
||||
static ngx_msec_t ngx_quic_congestion_cubic_time(ngx_connection_t *c);
|
||||
static ngx_msec_t ngx_quic_pcg_duration(ngx_connection_t *c);
|
||||
static void ngx_quic_persistent_congestion(ngx_connection_t *c);
|
||||
static ngx_msec_t ngx_quic_oldest_sent_packet(ngx_connection_t *c);
|
||||
static void ngx_quic_congestion_lost(ngx_connection_t *c,
|
||||
ngx_quic_frame_t *frame);
|
||||
static void ngx_quic_lost_handler(ngx_event_t *ev);
|
||||
|
|
@ -56,7 +48,7 @@ static void ngx_quic_lost_handler(ngx_event_t *ev);
|
|||
|
||||
/* RFC 9002, 6.1.2. Time Threshold: kTimeThreshold, kGranularity */
|
||||
static ngx_inline ngx_msec_t
|
||||
ngx_quic_time_threshold(ngx_quic_connection_t *qc)
|
||||
ngx_quic_lost_threshold(ngx_quic_connection_t *qc)
|
||||
{
|
||||
ngx_msec_t thr;
|
||||
|
||||
|
|
@ -67,29 +59,6 @@ ngx_quic_time_threshold(ngx_quic_connection_t *qc)
|
|||
}
|
||||
|
||||
|
||||
static uint64_t
|
||||
ngx_quic_packet_threshold(ngx_quic_send_ctx_t *ctx)
|
||||
{
|
||||
uint64_t pkt_thr;
|
||||
ngx_queue_t *q;
|
||||
ngx_quic_frame_t *f;
|
||||
|
||||
if (ngx_queue_empty(&ctx->sent)) {
|
||||
return NGX_QUIC_PKT_THR;
|
||||
}
|
||||
|
||||
q = ngx_queue_head(&ctx->sent);
|
||||
f = ngx_queue_data(q, ngx_quic_frame_t, queue);
|
||||
pkt_thr = (ctx->pnum - f->pnum) / 2;
|
||||
|
||||
if (pkt_thr <= NGX_QUIC_PKT_THR) {
|
||||
return NGX_QUIC_PKT_THR;
|
||||
}
|
||||
|
||||
return pkt_thr;
|
||||
}
|
||||
|
||||
|
||||
ngx_int_t
|
||||
ngx_quic_handle_ack_frame(ngx_connection_t *c, ngx_quic_header_t *pkt,
|
||||
ngx_quic_frame_t *f)
|
||||
|
|
@ -108,7 +77,7 @@ ngx_quic_handle_ack_frame(ngx_connection_t *c, ngx_quic_header_t *pkt,
|
|||
ctx = ngx_quic_get_send_ctx(qc, pkt->level);
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic ngx_quic_handle_ack_frame level:%ui", pkt->level);
|
||||
"quic ngx_quic_handle_ack_frame level:%d", pkt->level);
|
||||
|
||||
ack = &f->u.ack;
|
||||
|
||||
|
|
@ -207,7 +176,7 @@ ngx_quic_handle_ack_frame(ngx_connection_t *c, ngx_quic_header_t *pkt,
|
|||
|
||||
static void
|
||||
ngx_quic_rtt_sample(ngx_connection_t *c, ngx_quic_ack_frame_t *ack,
|
||||
ngx_uint_t level, ngx_msec_t send_time)
|
||||
enum ssl_encryption_level_t level, ngx_msec_t send_time)
|
||||
{
|
||||
ngx_msec_t latest_rtt, ack_delay, adjusted_rtt, rttvar_sample;
|
||||
ngx_quic_connection_t *qc;
|
||||
|
|
@ -260,7 +229,7 @@ ngx_quic_handle_ack_frame_range(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx,
|
|||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
|
||||
if (ctx->level == NGX_QUIC_ENCRYPTION_APPLICATION) {
|
||||
if (ctx->level == ssl_encryption_application) {
|
||||
if (ngx_quic_handle_path_mtu(c, qc->path, min, max) != NGX_OK) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
|
@ -344,9 +313,8 @@ ngx_quic_handle_ack_frame_range(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx,
|
|||
void
|
||||
ngx_quic_congestion_ack(ngx_connection_t *c, ngx_quic_frame_t *f)
|
||||
{
|
||||
size_t w_cubic;
|
||||
ngx_uint_t blocked;
|
||||
ngx_msec_t now, timer;
|
||||
ngx_msec_t timer;
|
||||
ngx_quic_congestion_t *cg;
|
||||
ngx_quic_connection_t *qc;
|
||||
|
||||
|
|
@ -361,34 +329,16 @@ ngx_quic_congestion_ack(ngx_connection_t *c, ngx_quic_frame_t *f)
|
|||
return;
|
||||
}
|
||||
|
||||
now = ngx_current_msec;
|
||||
|
||||
blocked = (cg->in_flight >= cg->window) ? 1 : 0;
|
||||
|
||||
cg->in_flight -= f->plen;
|
||||
|
||||
/* prevent recovery_start from wrapping */
|
||||
|
||||
timer = now - cg->recovery_start;
|
||||
|
||||
if ((ngx_msec_int_t) timer < 0) {
|
||||
cg->recovery_start = ngx_quic_oldest_sent_packet(c) - 1;
|
||||
}
|
||||
|
||||
timer = f->send_time - cg->recovery_start;
|
||||
|
||||
if ((ngx_msec_int_t) timer <= 0) {
|
||||
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic congestion ack rec t:%M win:%uz if:%uz",
|
||||
now, cg->window, cg->in_flight);
|
||||
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (cg->idle) {
|
||||
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic congestion ack idle t:%M win:%uz if:%uz",
|
||||
now, cg->window, cg->in_flight);
|
||||
"quic congestion ack recovery win:%uz ss:%z if:%uz",
|
||||
cg->window, cg->ssthresh, cg->in_flight);
|
||||
|
||||
goto done;
|
||||
}
|
||||
|
|
@ -396,51 +346,24 @@ ngx_quic_congestion_ack(ngx_connection_t *c, ngx_quic_frame_t *f)
|
|||
if (cg->window < cg->ssthresh) {
|
||||
cg->window += f->plen;
|
||||
|
||||
ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic congestion ack ss t:%M win:%uz ss:%z if:%uz",
|
||||
now, cg->window, cg->ssthresh, cg->in_flight);
|
||||
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic congestion slow start win:%uz ss:%z if:%uz",
|
||||
cg->window, cg->ssthresh, cg->in_flight);
|
||||
|
||||
} else {
|
||||
cg->window += qc->tp.max_udp_payload_size * f->plen / cg->window;
|
||||
|
||||
/* RFC 9438, 4.2. Window Increase Function */
|
||||
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic congestion avoidance win:%uz ss:%z if:%uz",
|
||||
cg->window, cg->ssthresh, cg->in_flight);
|
||||
}
|
||||
|
||||
w_cubic = ngx_quic_congestion_cubic(c);
|
||||
/* prevent recovery_start from wrapping */
|
||||
|
||||
if (cg->window < cg->w_prior) {
|
||||
cg->w_est += (uint64_t) cg->mtu * f->plen
|
||||
* 3 * (10 - NGX_QUIC_CUBIC_BETA)
|
||||
/ (10 + NGX_QUIC_CUBIC_BETA) / cg->window;
|
||||
timer = cg->recovery_start - ngx_current_msec + qc->tp.max_idle_timeout * 2;
|
||||
|
||||
} else {
|
||||
cg->w_est += (uint64_t) cg->mtu * f->plen / cg->window;
|
||||
}
|
||||
|
||||
if (w_cubic < cg->w_est) {
|
||||
cg->window = cg->w_est;
|
||||
|
||||
ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic congestion ack reno t:%M win:%uz c:%uz if:%uz",
|
||||
now, cg->window, w_cubic, cg->in_flight);
|
||||
|
||||
} else if (w_cubic > cg->window) {
|
||||
|
||||
if (w_cubic >= cg->window * 3 / 2) {
|
||||
cg->window += cg->mtu / 2;
|
||||
|
||||
} else {
|
||||
cg->window += (uint64_t) cg->mtu * (w_cubic - cg->window)
|
||||
/ cg->window;
|
||||
}
|
||||
|
||||
ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic congestion ack cubic t:%M win:%uz c:%uz if:%uz",
|
||||
now, cg->window, w_cubic, cg->in_flight);
|
||||
|
||||
} else {
|
||||
ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic congestion ack skip t:%M win:%uz c:%uz if:%uz",
|
||||
now, cg->window, w_cubic, cg->in_flight);
|
||||
}
|
||||
if ((ngx_msec_int_t) timer < 0) {
|
||||
cg->recovery_start = ngx_current_msec - qc->tp.max_idle_timeout * 2;
|
||||
}
|
||||
|
||||
done:
|
||||
|
|
@ -451,87 +374,6 @@ done:
|
|||
}
|
||||
|
||||
|
||||
static size_t
|
||||
ngx_quic_congestion_cubic(ngx_connection_t *c)
|
||||
{
|
||||
int64_t w, t, cc;
|
||||
ngx_msec_t now;
|
||||
ngx_quic_congestion_t *cg;
|
||||
ngx_quic_connection_t *qc;
|
||||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
cg = &qc->congestion;
|
||||
|
||||
ngx_quic_congestion_idle(c, cg->idle);
|
||||
|
||||
now = ngx_current_msec;
|
||||
t = (ngx_msec_int_t) (now - cg->k);
|
||||
|
||||
if (t > 1000000) {
|
||||
w = NGX_MAX_SIZE_T_VALUE;
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (t < -1000000) {
|
||||
w = 0;
|
||||
goto done;
|
||||
}
|
||||
|
||||
/*
|
||||
* RFC 9438, Figure 1
|
||||
*
|
||||
* w_cubic = C * (t_msec / 1000) ^ 3 * mtu + w_max
|
||||
*/
|
||||
|
||||
cc = 10000000000ll / (int64_t) cg->mtu / NGX_QUIC_CUBIC_C;
|
||||
w = t * t * t / cc + (int64_t) cg->w_max;
|
||||
|
||||
if (w > NGX_MAX_SIZE_T_VALUE) {
|
||||
w = NGX_MAX_SIZE_T_VALUE;
|
||||
}
|
||||
|
||||
if (w < 0) {
|
||||
w = 0;
|
||||
}
|
||||
|
||||
done:
|
||||
|
||||
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic cubic t:%L w:%L wm:%uz", t, w, cg->w_max);
|
||||
|
||||
return w;
|
||||
}
|
||||
|
||||
|
||||
void
|
||||
ngx_quic_congestion_idle(ngx_connection_t *c, ngx_uint_t idle)
|
||||
{
|
||||
ngx_msec_t now;
|
||||
ngx_quic_congestion_t *cg;
|
||||
ngx_quic_connection_t *qc;
|
||||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
cg = &qc->congestion;
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic congestion idle:%ui", idle);
|
||||
|
||||
if (cg->window >= cg->ssthresh) {
|
||||
/* RFC 9438, 5.8. Behavior for Application-Limited Flows */
|
||||
|
||||
now = ngx_current_msec;
|
||||
|
||||
if (cg->idle) {
|
||||
cg->k += now - cg->idle_start;
|
||||
}
|
||||
|
||||
cg->idle_start = now;
|
||||
}
|
||||
|
||||
cg->idle = idle;
|
||||
}
|
||||
|
||||
|
||||
static void
|
||||
ngx_quic_drop_ack_ranges(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx,
|
||||
uint64_t pn)
|
||||
|
|
@ -593,7 +435,6 @@ ngx_quic_drop_ack_ranges(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx,
|
|||
static ngx_int_t
|
||||
ngx_quic_detect_lost(ngx_connection_t *c, ngx_quic_ack_stat_t *st)
|
||||
{
|
||||
uint64_t pkt_thr;
|
||||
ngx_uint_t i, nlost;
|
||||
ngx_msec_t now, wait, thr, oldest, newest;
|
||||
ngx_queue_t *q;
|
||||
|
|
@ -603,12 +444,11 @@ ngx_quic_detect_lost(ngx_connection_t *c, ngx_quic_ack_stat_t *st)
|
|||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
now = ngx_current_msec;
|
||||
thr = ngx_quic_time_threshold(qc);
|
||||
thr = ngx_quic_lost_threshold(qc);
|
||||
|
||||
#if (NGX_SUPPRESS_WARN)
|
||||
oldest = now;
|
||||
newest = now;
|
||||
#endif
|
||||
/* send time of lost packets across all send contexts */
|
||||
oldest = NGX_TIMER_INFINITE;
|
||||
newest = NGX_TIMER_INFINITE;
|
||||
|
||||
nlost = 0;
|
||||
|
||||
|
|
@ -620,8 +460,6 @@ ngx_quic_detect_lost(ngx_connection_t *c, ngx_quic_ack_stat_t *st)
|
|||
continue;
|
||||
}
|
||||
|
||||
pkt_thr = ngx_quic_packet_threshold(ctx);
|
||||
|
||||
while (!ngx_queue_empty(&ctx->sent)) {
|
||||
|
||||
q = ngx_queue_head(&ctx->sent);
|
||||
|
|
@ -633,27 +471,23 @@ ngx_quic_detect_lost(ngx_connection_t *c, ngx_quic_ack_stat_t *st)
|
|||
|
||||
wait = start->send_time + thr - now;
|
||||
|
||||
ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic detect_lost pnum:%uL thr:%M pthr:%uL wait:%i level:%ui",
|
||||
start->pnum, thr, pkt_thr, (ngx_int_t) wait, start->level);
|
||||
ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic detect_lost pnum:%uL thr:%M wait:%i level:%d",
|
||||
start->pnum, thr, (ngx_int_t) wait, start->level);
|
||||
|
||||
if ((ngx_msec_int_t) wait > 0
|
||||
&& ctx->largest_ack - start->pnum < pkt_thr)
|
||||
&& ctx->largest_ack - start->pnum < NGX_QUIC_PKT_THR)
|
||||
{
|
||||
break;
|
||||
}
|
||||
|
||||
if ((ngx_msec_int_t) (start->send_time - qc->first_rtt) > 0) {
|
||||
if (start->send_time > qc->first_rtt) {
|
||||
|
||||
if (nlost == 0
|
||||
|| (ngx_msec_int_t) (start->send_time - oldest) < 0)
|
||||
{
|
||||
if (oldest == NGX_TIMER_INFINITE || start->send_time < oldest) {
|
||||
oldest = start->send_time;
|
||||
}
|
||||
|
||||
if (nlost == 0
|
||||
|| (ngx_msec_int_t) (start->send_time - newest) > 0)
|
||||
{
|
||||
if (newest == NGX_TIMER_INFINITE || start->send_time > newest) {
|
||||
newest = start->send_time;
|
||||
}
|
||||
|
||||
|
|
@ -674,9 +508,8 @@ ngx_quic_detect_lost(ngx_connection_t *c, ngx_quic_ack_stat_t *st)
|
|||
* latest ACK frame.
|
||||
*/
|
||||
|
||||
if (st && nlost >= 2 && ((ngx_msec_int_t) (st->newest - oldest) < 0
|
||||
|| (ngx_msec_int_t) (st->oldest - newest) > 0))
|
||||
{
|
||||
if (st && nlost >= 2 && (st->newest < oldest || st->oldest > newest)) {
|
||||
|
||||
if (newest - oldest > ngx_quic_pcg_duration(c)) {
|
||||
ngx_quic_persistent_congestion(c);
|
||||
}
|
||||
|
|
@ -714,43 +547,11 @@ ngx_quic_persistent_congestion(ngx_connection_t *c)
|
|||
qc = ngx_quic_get_connection(c);
|
||||
cg = &qc->congestion;
|
||||
|
||||
cg->mtu = qc->path->mtu;
|
||||
cg->recovery_start = ngx_quic_oldest_sent_packet(c) - 1;
|
||||
cg->window = cg->mtu * 2;
|
||||
cg->recovery_start = ngx_current_msec;
|
||||
cg->window = qc->tp.max_udp_payload_size * 2;
|
||||
|
||||
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic congestion persistent t:%M win:%uz",
|
||||
ngx_current_msec, cg->window);
|
||||
}
|
||||
|
||||
|
||||
static ngx_msec_t
|
||||
ngx_quic_oldest_sent_packet(ngx_connection_t *c)
|
||||
{
|
||||
ngx_msec_t oldest;
|
||||
ngx_uint_t i;
|
||||
ngx_queue_t *q;
|
||||
ngx_quic_frame_t *start;
|
||||
ngx_quic_send_ctx_t *ctx;
|
||||
ngx_quic_connection_t *qc;
|
||||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
oldest = ngx_current_msec;
|
||||
|
||||
for (i = 0; i < NGX_QUIC_SEND_CTX_LAST; i++) {
|
||||
ctx = &qc->send_ctx[i];
|
||||
|
||||
if (!ngx_queue_empty(&ctx->sent)) {
|
||||
q = ngx_queue_head(&ctx->sent);
|
||||
start = ngx_queue_data(q, ngx_quic_frame_t, queue);
|
||||
|
||||
if ((ngx_msec_int_t) (start->send_time - oldest) < 0) {
|
||||
oldest = start->send_time;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return oldest;
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic persistent congestion win:%uz", cg->window);
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -787,7 +588,7 @@ ngx_quic_resend_frames(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
|
|||
switch (f->type) {
|
||||
case NGX_QUIC_FT_ACK:
|
||||
case NGX_QUIC_FT_ACK_ECN:
|
||||
if (ctx->level == NGX_QUIC_ENCRYPTION_APPLICATION) {
|
||||
if (ctx->level == ssl_encryption_application) {
|
||||
/* force generation of most recent acknowledgment */
|
||||
ctx->send_ack = NGX_QUIC_MAX_ACK_GAP;
|
||||
}
|
||||
|
|
@ -858,7 +659,7 @@ static void
|
|||
ngx_quic_congestion_lost(ngx_connection_t *c, ngx_quic_frame_t *f)
|
||||
{
|
||||
ngx_uint_t blocked;
|
||||
ngx_msec_t now, timer;
|
||||
ngx_msec_t timer;
|
||||
ngx_quic_congestion_t *cg;
|
||||
ngx_quic_connection_t *qc;
|
||||
|
||||
|
|
@ -880,41 +681,26 @@ ngx_quic_congestion_lost(ngx_connection_t *c, ngx_quic_frame_t *f)
|
|||
|
||||
timer = f->send_time - cg->recovery_start;
|
||||
|
||||
now = ngx_current_msec;
|
||||
|
||||
if ((ngx_msec_int_t) timer <= 0) {
|
||||
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic congestion lost rec t:%M win:%uz if:%uz",
|
||||
now, cg->window, cg->in_flight);
|
||||
"quic congestion lost recovery win:%uz ss:%z if:%uz",
|
||||
cg->window, cg->ssthresh, cg->in_flight);
|
||||
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (f->ignore_loss) {
|
||||
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic congestion lost ignore t:%M win:%uz if:%uz",
|
||||
now, cg->window, cg->in_flight);
|
||||
cg->recovery_start = ngx_current_msec;
|
||||
cg->window /= 2;
|
||||
|
||||
goto done;
|
||||
if (cg->window < qc->tp.max_udp_payload_size * 2) {
|
||||
cg->window = qc->tp.max_udp_payload_size * 2;
|
||||
}
|
||||
|
||||
/* RFC 9438, 4.6. Multiplicative Decrease */
|
||||
|
||||
cg->mtu = qc->path->mtu;
|
||||
cg->recovery_start = now;
|
||||
cg->w_prior = cg->window;
|
||||
/* RFC 9438, 4.7. Fast Convergence */
|
||||
cg->w_max = (cg->window < cg->w_max)
|
||||
? cg->window * (10 + NGX_QUIC_CUBIC_BETA) / 20 : cg->window;
|
||||
cg->ssthresh = cg->in_flight * NGX_QUIC_CUBIC_BETA / 10;
|
||||
cg->window = ngx_max(cg->ssthresh, cg->mtu * 2);
|
||||
cg->w_est = cg->window;
|
||||
cg->k = now + ngx_quic_congestion_cubic_time(c);
|
||||
cg->idle_start = now;
|
||||
cg->ssthresh = cg->window;
|
||||
|
||||
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic congestion lost t:%M win:%uz if:%uz",
|
||||
now, cg->window, cg->in_flight);
|
||||
"quic congestion lost win:%uz ss:%z if:%uz",
|
||||
cg->window, cg->ssthresh, cg->in_flight);
|
||||
|
||||
done:
|
||||
|
||||
|
|
@ -924,62 +710,9 @@ done:
|
|||
}
|
||||
|
||||
|
||||
static ngx_msec_t
|
||||
ngx_quic_congestion_cubic_time(ngx_connection_t *c)
|
||||
{
|
||||
int64_t v, x, d, cc;
|
||||
ngx_uint_t n;
|
||||
ngx_quic_congestion_t *cg;
|
||||
ngx_quic_connection_t *qc;
|
||||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
cg = &qc->congestion;
|
||||
|
||||
/*
|
||||
* RFC 9438, Figure 2
|
||||
*
|
||||
* k_msec = ((w_max - cwnd_epoch) / C / mtu) ^ 1/3 * 1000
|
||||
*/
|
||||
|
||||
if (cg->w_max <= cg->window) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
cc = 10000000000ll / (int64_t) cg->mtu / NGX_QUIC_CUBIC_C;
|
||||
v = (int64_t) (cg->w_max - cg->window) * cc;
|
||||
|
||||
/*
|
||||
* Newton-Raphson method for x ^ 3 = v:
|
||||
*
|
||||
* x_next = (2 * x_prev + v / x_prev ^ 2) / 3
|
||||
*/
|
||||
|
||||
x = 5000;
|
||||
|
||||
for (n = 1; n <= 10; n++) {
|
||||
d = (v / x / x - x) / 3;
|
||||
x += d;
|
||||
|
||||
if (ngx_abs(d) <= 100) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (x > NGX_MAX_SIZE_T_VALUE) {
|
||||
return NGX_MAX_SIZE_T_VALUE;
|
||||
}
|
||||
|
||||
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic cubic time:%L n:%ui", x, n);
|
||||
|
||||
return x;
|
||||
}
|
||||
|
||||
|
||||
void
|
||||
ngx_quic_set_lost_timer(ngx_connection_t *c)
|
||||
{
|
||||
uint64_t pkt_thr;
|
||||
ngx_uint_t i;
|
||||
ngx_msec_t now;
|
||||
ngx_queue_t *q;
|
||||
|
|
@ -1005,12 +738,10 @@ ngx_quic_set_lost_timer(ngx_connection_t *c)
|
|||
q = ngx_queue_head(&ctx->sent);
|
||||
f = ngx_queue_data(q, ngx_quic_frame_t, queue);
|
||||
w = (ngx_msec_int_t)
|
||||
(f->send_time + ngx_quic_time_threshold(qc) - now);
|
||||
(f->send_time + ngx_quic_lost_threshold(qc) - now);
|
||||
|
||||
if (f->pnum <= ctx->largest_ack) {
|
||||
pkt_thr = ngx_quic_packet_threshold(ctx);
|
||||
|
||||
if (w < 0 || ctx->largest_ack - f->pnum >= pkt_thr) {
|
||||
if (w < 0 || ctx->largest_ack - f->pnum >= NGX_QUIC_PKT_THR) {
|
||||
w = 0;
|
||||
}
|
||||
|
||||
|
|
@ -1073,7 +804,7 @@ ngx_quic_pto(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
|
|||
duration = qc->avg_rtt;
|
||||
duration += ngx_max(4 * qc->rttvar, NGX_QUIC_TIME_GRANULARITY);
|
||||
|
||||
if (ctx->level == NGX_QUIC_ENCRYPTION_APPLICATION && c->ssl->handshaked) {
|
||||
if (ctx->level == ssl_encryption_application && c->ssl->handshaked) {
|
||||
duration += qc->ctp.max_ack_delay;
|
||||
}
|
||||
|
||||
|
|
@ -1428,7 +1159,7 @@ ngx_quic_generate_ack(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
|
|||
return NGX_OK;
|
||||
}
|
||||
|
||||
if (ctx->level == NGX_QUIC_ENCRYPTION_APPLICATION) {
|
||||
if (ctx->level == ssl_encryption_application) {
|
||||
|
||||
delay = ngx_current_msec - ctx->ack_delay_start;
|
||||
qc = ngx_quic_get_connection(c);
|
||||
|
|
|
|||
|
|
@ -17,7 +17,6 @@ ngx_int_t ngx_quic_handle_ack_frame(ngx_connection_t *c,
|
|||
|
||||
void ngx_quic_congestion_ack(ngx_connection_t *c,
|
||||
ngx_quic_frame_t *frame);
|
||||
void ngx_quic_congestion_idle(ngx_connection_t *c, ngx_uint_t idle);
|
||||
void ngx_quic_resend_frames(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx);
|
||||
void ngx_quic_set_lost_timer(ngx_connection_t *c);
|
||||
void ngx_quic_pto_handler(ngx_event_t *ev);
|
||||
|
|
|
|||
|
|
@ -17,15 +17,6 @@
|
|||
/* #define NGX_QUIC_DEBUG_ALLOC */ /* log frames and bufs alloc */
|
||||
/* #define NGX_QUIC_DEBUG_CRYPTO */
|
||||
|
||||
#define NGX_QUIC_ENCRYPTION_INITIAL 0
|
||||
#define NGX_QUIC_ENCRYPTION_EARLY_DATA 1
|
||||
#define NGX_QUIC_ENCRYPTION_HANDSHAKE 2
|
||||
#define NGX_QUIC_ENCRYPTION_APPLICATION 3
|
||||
#define NGX_QUIC_ENCRYPTION_LAST 4
|
||||
|
||||
#define NGX_QUIC_SEND_CTX_LAST (NGX_QUIC_ENCRYPTION_LAST - 1)
|
||||
|
||||
|
||||
typedef struct ngx_quic_connection_s ngx_quic_connection_t;
|
||||
typedef struct ngx_quic_server_id_s ngx_quic_server_id_t;
|
||||
typedef struct ngx_quic_client_id_s ngx_quic_client_id_t;
|
||||
|
|
@ -55,6 +46,8 @@ typedef struct ngx_quic_keys_s ngx_quic_keys_t;
|
|||
|
||||
#define NGX_QUIC_UNSET_PN (uint64_t) -1
|
||||
|
||||
#define NGX_QUIC_SEND_CTX_LAST (NGX_QUIC_ENCRYPTION_LAST - 1)
|
||||
|
||||
/* 0-RTT and 1-RTT data exist in the same packet number space,
|
||||
* so we have 3 packet number spaces:
|
||||
*
|
||||
|
|
@ -63,9 +56,9 @@ typedef struct ngx_quic_keys_s ngx_quic_keys_t;
|
|||
* 2 - 0-RTT and 1-RTT
|
||||
*/
|
||||
#define ngx_quic_get_send_ctx(qc, level) \
|
||||
((level) == NGX_QUIC_ENCRYPTION_INITIAL) ? &((qc)->send_ctx[0]) \
|
||||
: (((level) == NGX_QUIC_ENCRYPTION_HANDSHAKE) ? &((qc)->send_ctx[1]) \
|
||||
: &((qc)->send_ctx[2]))
|
||||
((level) == ssl_encryption_initial) ? &((qc)->send_ctx[0]) \
|
||||
: (((level) == ssl_encryption_handshake) ? &((qc)->send_ctx[1]) \
|
||||
: &((qc)->send_ctx[2]))
|
||||
|
||||
#define ngx_quic_get_connection(c) \
|
||||
(((c)->udp) ? (((ngx_quic_socket_t *)((c)->udp))->quic) : NULL)
|
||||
|
|
@ -175,14 +168,7 @@ typedef struct {
|
|||
size_t in_flight;
|
||||
size_t window;
|
||||
size_t ssthresh;
|
||||
size_t w_max;
|
||||
size_t w_est;
|
||||
size_t w_prior;
|
||||
size_t mtu;
|
||||
ngx_msec_t recovery_start;
|
||||
ngx_msec_t idle_start;
|
||||
ngx_msec_t k;
|
||||
ngx_uint_t idle; /* unsigned idle:1; */
|
||||
} ngx_quic_congestion_t;
|
||||
|
||||
|
||||
|
|
@ -195,7 +181,7 @@ typedef struct {
|
|||
* are also Initial packets.
|
||||
*/
|
||||
struct ngx_quic_send_ctx_s {
|
||||
ngx_uint_t level;
|
||||
enum ssl_encryption_level_t level;
|
||||
|
||||
ngx_quic_buffer_t crypto;
|
||||
uint64_t crypto_sent;
|
||||
|
|
@ -268,7 +254,6 @@ struct ngx_quic_connection_s {
|
|||
ngx_buf_t *free_shadow_bufs;
|
||||
|
||||
ngx_uint_t nframes;
|
||||
ngx_uint_t max_frames;
|
||||
#ifdef NGX_QUIC_DEBUG_ALLOC
|
||||
ngx_uint_t nbufs;
|
||||
ngx_uint_t nshadowbufs;
|
||||
|
|
@ -286,7 +271,7 @@ struct ngx_quic_connection_s {
|
|||
off_t received;
|
||||
|
||||
ngx_uint_t error;
|
||||
ngx_uint_t error_level;
|
||||
enum ssl_encryption_level_t error_level;
|
||||
ngx_uint_t error_ftype;
|
||||
const char *error_reason;
|
||||
|
||||
|
|
@ -301,17 +286,13 @@ struct ngx_quic_connection_s {
|
|||
unsigned key_phase:1;
|
||||
unsigned validated:1;
|
||||
unsigned client_tp_done:1;
|
||||
|
||||
#if (NGX_QUIC_OPENSSL_API)
|
||||
unsigned read_level:2;
|
||||
unsigned write_level:2;
|
||||
#endif
|
||||
};
|
||||
|
||||
|
||||
ngx_int_t ngx_quic_apply_transport_params(ngx_connection_t *c,
|
||||
ngx_quic_tp_t *ctp);
|
||||
void ngx_quic_discard_ctx(ngx_connection_t *c, ngx_uint_t level);
|
||||
void ngx_quic_discard_ctx(ngx_connection_t *c,
|
||||
enum ssl_encryption_level_t level);
|
||||
void ngx_quic_close_connection(ngx_connection_t *c, ngx_int_t rc);
|
||||
void ngx_quic_shutdown_quic(ngx_connection_t *c);
|
||||
|
||||
|
|
|
|||
|
|
@ -99,7 +99,7 @@ ngx_quic_handle_new_connection_id_frame(ngx_connection_t *c,
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
frame->level = NGX_QUIC_ENCRYPTION_APPLICATION;
|
||||
frame->level = ssl_encryption_application;
|
||||
frame->type = NGX_QUIC_FT_RETIRE_CONNECTION_ID;
|
||||
frame->u.retire_cid.sequence_number = f->seqnum;
|
||||
|
||||
|
|
@ -452,7 +452,7 @@ ngx_quic_send_server_id(ngx_connection_t *c, ngx_quic_server_id_t *sid)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
frame->level = NGX_QUIC_ENCRYPTION_APPLICATION;
|
||||
frame->level = ssl_encryption_application;
|
||||
frame->type = NGX_QUIC_FT_NEW_CONNECTION_ID;
|
||||
frame->u.ncid.seqnum = sid->seqnum;
|
||||
frame->u.ncid.retire = 0;
|
||||
|
|
@ -485,7 +485,7 @@ ngx_quic_free_client_id(ngx_connection_t *c, ngx_quic_client_id_t *cid)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
frame->level = NGX_QUIC_ENCRYPTION_APPLICATION;
|
||||
frame->level = ssl_encryption_application;
|
||||
frame->type = NGX_QUIC_FT_RETIRE_CONNECTION_ID;
|
||||
frame->u.retire_cid.sequence_number = cid->seqnum;
|
||||
|
||||
|
|
|
|||
|
|
@ -214,7 +214,7 @@ ngx_quic_alloc_frame(ngx_connection_t *c)
|
|||
"quic reuse frame n:%ui", qc->nframes);
|
||||
#endif
|
||||
|
||||
} else if (qc->nframes < qc->max_frames) {
|
||||
} else if (qc->nframes < 10000) {
|
||||
frame = ngx_palloc(c->pool, sizeof(ngx_quic_frame_t));
|
||||
if (frame == NULL) {
|
||||
return NULL;
|
||||
|
|
|
|||
|
|
@ -40,7 +40,7 @@ ngx_quic_handle_path_challenge_frame(ngx_connection_t *c,
|
|||
ngx_quic_frame_t *fp;
|
||||
ngx_quic_connection_t *qc;
|
||||
|
||||
if (pkt->level != NGX_QUIC_ENCRYPTION_APPLICATION || pkt->path_challenged) {
|
||||
if (pkt->level != ssl_encryption_application || pkt->path_challenged) {
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic ignoring PATH_CHALLENGE");
|
||||
return NGX_OK;
|
||||
|
|
@ -55,7 +55,7 @@ ngx_quic_handle_path_challenge_frame(ngx_connection_t *c,
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
fp->level = NGX_QUIC_ENCRYPTION_APPLICATION;
|
||||
fp->level = ssl_encryption_application;
|
||||
fp->type = NGX_QUIC_FT_PATH_RESPONSE;
|
||||
fp->u.path_response = *f;
|
||||
|
||||
|
|
@ -93,7 +93,7 @@ ngx_quic_handle_path_challenge_frame(ngx_connection_t *c,
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
fp->level = NGX_QUIC_ENCRYPTION_APPLICATION;
|
||||
fp->level = ssl_encryption_application;
|
||||
fp->type = NGX_QUIC_FT_PING;
|
||||
|
||||
ngx_quic_queue_frame(qc, fp);
|
||||
|
|
@ -177,17 +177,16 @@ valid:
|
|||
if (rst) {
|
||||
/* prevent old path packets contribution to congestion control */
|
||||
|
||||
ctx = ngx_quic_get_send_ctx(qc, NGX_QUIC_ENCRYPTION_APPLICATION);
|
||||
ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application);
|
||||
qc->rst_pnum = ctx->pnum;
|
||||
|
||||
ngx_memzero(&qc->congestion, sizeof(ngx_quic_congestion_t));
|
||||
|
||||
qc->congestion.window = ngx_min(10 * NGX_QUIC_MIN_INITIAL_SIZE,
|
||||
ngx_max(2 * NGX_QUIC_MIN_INITIAL_SIZE,
|
||||
qc->congestion.window = ngx_min(10 * qc->tp.max_udp_payload_size,
|
||||
ngx_max(2 * qc->tp.max_udp_payload_size,
|
||||
14720));
|
||||
qc->congestion.ssthresh = (size_t) -1;
|
||||
qc->congestion.mtu = NGX_QUIC_MIN_INITIAL_SIZE;
|
||||
qc->congestion.recovery_start = ngx_current_msec - 1;
|
||||
qc->congestion.recovery_start = ngx_current_msec;
|
||||
|
||||
ngx_quic_init_rtt(qc);
|
||||
}
|
||||
|
|
@ -549,7 +548,7 @@ ngx_quic_validate_path(ngx_connection_t *c, ngx_quic_path_t *path)
|
|||
|
||||
(void) ngx_quic_send_path_challenge(c, path);
|
||||
|
||||
ctx = ngx_quic_get_send_ctx(qc, NGX_QUIC_ENCRYPTION_APPLICATION);
|
||||
ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application);
|
||||
pto = ngx_max(ngx_quic_pto(c, ctx), 1000);
|
||||
|
||||
path->expires = ngx_current_msec + pto;
|
||||
|
|
@ -579,7 +578,7 @@ ngx_quic_send_path_challenge(ngx_connection_t *c, ngx_quic_path_t *path)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
frame->level = NGX_QUIC_ENCRYPTION_APPLICATION;
|
||||
frame->level = ssl_encryption_application;
|
||||
frame->type = NGX_QUIC_FT_PATH_CHALLENGE;
|
||||
|
||||
ngx_memcpy(frame->u.path_challenge.data, path->challenge[n], 8);
|
||||
|
|
@ -767,7 +766,7 @@ ngx_quic_expire_path_validation(ngx_connection_t *c, ngx_quic_path_t *path)
|
|||
ngx_quic_connection_t *qc;
|
||||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
ctx = ngx_quic_get_send_ctx(qc, NGX_QUIC_ENCRYPTION_APPLICATION);
|
||||
ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application);
|
||||
|
||||
if (++path->tries < NGX_QUIC_PATH_RETRIES) {
|
||||
pto = ngx_max(ngx_quic_pto(c, ctx), 1000) << path->tries;
|
||||
|
|
@ -830,7 +829,7 @@ ngx_quic_expire_path_mtu_delay(ngx_connection_t *c, ngx_quic_path_t *path)
|
|||
ngx_quic_connection_t *qc;
|
||||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
ctx = ngx_quic_get_send_ctx(qc, NGX_QUIC_ENCRYPTION_APPLICATION);
|
||||
ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application);
|
||||
|
||||
path->tries = 0;
|
||||
|
||||
|
|
@ -876,7 +875,7 @@ ngx_quic_expire_path_mtu_discovery(ngx_connection_t *c, ngx_quic_path_t *path)
|
|||
ngx_quic_connection_t *qc;
|
||||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
ctx = ngx_quic_get_send_ctx(qc, NGX_QUIC_ENCRYPTION_APPLICATION);
|
||||
ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application);
|
||||
|
||||
if (++path->tries < NGX_QUIC_PATH_RETRIES) {
|
||||
rc = ngx_quic_send_path_mtu_probe(c, path);
|
||||
|
|
@ -922,13 +921,11 @@ ngx_quic_send_path_mtu_probe(ngx_connection_t *c, ngx_quic_path_t *path)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
frame->level = NGX_QUIC_ENCRYPTION_APPLICATION;
|
||||
frame->level = ssl_encryption_application;
|
||||
frame->type = NGX_QUIC_FT_PING;
|
||||
frame->ignore_loss = 1;
|
||||
frame->ignore_congestion = 1;
|
||||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
ctx = ngx_quic_get_send_ctx(qc, NGX_QUIC_ENCRYPTION_APPLICATION);
|
||||
ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application);
|
||||
pnum = ctx->pnum;
|
||||
|
||||
ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
|
|
|
|||
|
|
@ -35,6 +35,8 @@ typedef struct {
|
|||
ngx_str_t payload;
|
||||
uint64_t number;
|
||||
ngx_quic_compat_keys_t *keys;
|
||||
|
||||
enum ssl_encryption_level_t level;
|
||||
} ngx_quic_compat_record_t;
|
||||
|
||||
|
||||
|
|
@ -433,10 +435,11 @@ ngx_quic_compat_message_callback(int write_p, int version, int content_type,
|
|||
|
||||
case SSL3_RT_HANDSHAKE:
|
||||
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic compat tx level:%d len:%uz", level, len);
|
||||
"quic compat tx %s len:%uz ",
|
||||
ngx_quic_level_name(level), len);
|
||||
|
||||
if (com->method->add_handshake_data(ssl, level, buf, len) != 1) {
|
||||
return;
|
||||
goto failed;
|
||||
}
|
||||
|
||||
break;
|
||||
|
|
@ -446,11 +449,11 @@ ngx_quic_compat_message_callback(int write_p, int version, int content_type,
|
|||
alert = ((u_char *) buf)[1];
|
||||
|
||||
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic compat level:%d alert:%ui len:%uz",
|
||||
level, alert, len);
|
||||
"quic compat %s alert:%ui len:%uz ",
|
||||
ngx_quic_level_name(level), alert, len);
|
||||
|
||||
if (com->method->send_alert(ssl, level, alert) != 1) {
|
||||
return;
|
||||
goto failed;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -458,6 +461,10 @@ ngx_quic_compat_message_callback(int write_p, int version, int content_type,
|
|||
}
|
||||
|
||||
return;
|
||||
|
||||
failed:
|
||||
|
||||
ngx_post_event(&qc->close, &ngx_posted_events);
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -480,8 +487,8 @@ SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level,
|
|||
|
||||
c = ngx_ssl_get_connection(ssl);
|
||||
|
||||
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic compat rx level:%d len:%uz", level, len);
|
||||
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic compat rx %s len:%uz",
|
||||
ngx_quic_level_name(level), len);
|
||||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
com = qc->compat;
|
||||
|
|
@ -494,6 +501,7 @@ SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level,
|
|||
rec.log = c->log;
|
||||
rec.number = com->read_record++;
|
||||
rec.keys = &com->keys;
|
||||
rec.level = level;
|
||||
|
||||
if (level == ssl_encryption_initial) {
|
||||
n = ngx_min(len, 65535);
|
||||
|
|
|
|||
|
|
@ -7,6 +7,11 @@
|
|||
#ifndef _NGX_EVENT_QUIC_OPENSSL_COMPAT_H_INCLUDED_
|
||||
#define _NGX_EVENT_QUIC_OPENSSL_COMPAT_H_INCLUDED_
|
||||
|
||||
#if defined SSL_R_MISSING_QUIC_TRANSPORT_PARAMETERS_EXTENSION \
|
||||
|| defined LIBRESSL_VERSION_NUMBER
|
||||
#undef NGX_QUIC_OPENSSL_COMPAT
|
||||
#else
|
||||
|
||||
|
||||
#include <ngx_config.h>
|
||||
#include <ngx_core.h>
|
||||
|
|
@ -48,4 +53,7 @@ int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
|
|||
void SSL_get_peer_quic_transport_params(const SSL *ssl,
|
||||
const uint8_t **out_params, size_t *out_params_len);
|
||||
|
||||
|
||||
#endif /* TLSEXT_TYPE_quic_transport_parameters */
|
||||
|
||||
#endif /* _NGX_EVENT_QUIC_OPENSSL_COMPAT_H_INCLUDED_ */
|
||||
|
|
|
|||
|
|
@ -45,9 +45,9 @@
|
|||
|
||||
|
||||
static ngx_int_t ngx_quic_create_datagrams(ngx_connection_t *c);
|
||||
static void ngx_quic_commit_send(ngx_connection_t *c);
|
||||
static void ngx_quic_revert_send(ngx_connection_t *c,
|
||||
uint64_t preserved_pnum[NGX_QUIC_SEND_CTX_LAST]);
|
||||
static void ngx_quic_commit_send(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx);
|
||||
static void ngx_quic_revert_send(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx,
|
||||
uint64_t pnum);
|
||||
#if ((NGX_HAVE_UDP_SEGMENT) && (NGX_HAVE_MSGHDR_MSG_CONTROL))
|
||||
static ngx_uint_t ngx_quic_allow_segmentation(ngx_connection_t *c);
|
||||
static ngx_int_t ngx_quic_create_segments(ngx_connection_t *c);
|
||||
|
|
@ -55,8 +55,7 @@ static ssize_t ngx_quic_send_segments(ngx_connection_t *c, u_char *buf,
|
|||
size_t len, struct sockaddr *sockaddr, socklen_t socklen, size_t segment);
|
||||
#endif
|
||||
static ssize_t ngx_quic_output_packet(ngx_connection_t *c,
|
||||
ngx_quic_send_ctx_t *ctx, u_char *data, size_t max, size_t min,
|
||||
ngx_uint_t ack_only);
|
||||
ngx_quic_send_ctx_t *ctx, u_char *data, size_t max, size_t min);
|
||||
static void ngx_quic_init_packet(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx,
|
||||
ngx_quic_header_t *pkt, ngx_quic_path_t *path);
|
||||
static ngx_uint_t ngx_quic_get_padding_level(ngx_connection_t *c);
|
||||
|
|
@ -128,11 +127,8 @@ ngx_quic_create_datagrams(ngx_connection_t *c)
|
|||
cg = &qc->congestion;
|
||||
path = qc->path;
|
||||
|
||||
#if (NGX_SUPPRESS_WARN)
|
||||
ngx_memzero(preserved_pnum, sizeof(preserved_pnum));
|
||||
#endif
|
||||
while (cg->in_flight < cg->window) {
|
||||
|
||||
do {
|
||||
p = dst;
|
||||
|
||||
len = ngx_quic_path_limit(c, path, path->mtu);
|
||||
|
|
@ -154,12 +150,16 @@ ngx_quic_create_datagrams(ngx_connection_t *c)
|
|||
|
||||
if (min > len) {
|
||||
/* padding can't be applied - avoid sending the packet */
|
||||
ngx_quic_revert_send(c, preserved_pnum);
|
||||
|
||||
while (i-- > 0) {
|
||||
ctx = &qc->send_ctx[i];
|
||||
ngx_quic_revert_send(c, ctx, preserved_pnum[i]);
|
||||
}
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
n = ngx_quic_output_packet(c, ctx, p, len, min,
|
||||
cg->in_flight >= cg->window);
|
||||
n = ngx_quic_output_packet(c, ctx, p, len, min);
|
||||
if (n == NGX_ERROR) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
|
@ -180,95 +180,73 @@ ngx_quic_create_datagrams(ngx_connection_t *c)
|
|||
}
|
||||
|
||||
if (n == NGX_AGAIN) {
|
||||
ngx_quic_revert_send(c, preserved_pnum);
|
||||
for (i = 0; i < NGX_QUIC_SEND_CTX_LAST; i++) {
|
||||
ngx_quic_revert_send(c, &qc->send_ctx[i], preserved_pnum[i]);
|
||||
}
|
||||
|
||||
ngx_add_timer(&qc->push, NGX_QUIC_SOCKET_RETRY_DELAY);
|
||||
break;
|
||||
}
|
||||
|
||||
ngx_quic_commit_send(c);
|
||||
for (i = 0; i < NGX_QUIC_SEND_CTX_LAST; i++) {
|
||||
ngx_quic_commit_send(c, &qc->send_ctx[i]);
|
||||
}
|
||||
|
||||
path->sent += len;
|
||||
|
||||
} while (cg->in_flight < cg->window);
|
||||
}
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
|
||||
static void
|
||||
ngx_quic_commit_send(ngx_connection_t *c)
|
||||
ngx_quic_commit_send(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
|
||||
{
|
||||
ngx_uint_t i, idle;
|
||||
ngx_queue_t *q;
|
||||
ngx_quic_frame_t *f;
|
||||
ngx_quic_send_ctx_t *ctx;
|
||||
ngx_quic_congestion_t *cg;
|
||||
ngx_quic_connection_t *qc;
|
||||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
|
||||
cg = &qc->congestion;
|
||||
|
||||
idle = 1;
|
||||
while (!ngx_queue_empty(&ctx->sending)) {
|
||||
|
||||
for (i = 0; i < NGX_QUIC_SEND_CTX_LAST; i++) {
|
||||
ctx = &qc->send_ctx[i];
|
||||
q = ngx_queue_head(&ctx->sending);
|
||||
f = ngx_queue_data(q, ngx_quic_frame_t, queue);
|
||||
|
||||
if (!ngx_queue_empty(&ctx->frames)) {
|
||||
idle = 0;
|
||||
}
|
||||
ngx_queue_remove(q);
|
||||
|
||||
while (!ngx_queue_empty(&ctx->sending)) {
|
||||
if (f->pkt_need_ack && !qc->closing) {
|
||||
ngx_queue_insert_tail(&ctx->sent, q);
|
||||
|
||||
q = ngx_queue_head(&ctx->sending);
|
||||
f = ngx_queue_data(q, ngx_quic_frame_t, queue);
|
||||
cg->in_flight += f->plen;
|
||||
|
||||
ngx_queue_remove(q);
|
||||
|
||||
if (f->pkt_need_ack && !qc->closing) {
|
||||
ngx_queue_insert_tail(&ctx->sent, q);
|
||||
|
||||
cg->in_flight += f->plen;
|
||||
|
||||
} else {
|
||||
ngx_quic_free_frame(c, f);
|
||||
}
|
||||
} else {
|
||||
ngx_quic_free_frame(c, f);
|
||||
}
|
||||
}
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic congestion send if:%uz", cg->in_flight);
|
||||
|
||||
ngx_quic_congestion_idle(c, idle);
|
||||
}
|
||||
|
||||
|
||||
static void
|
||||
ngx_quic_revert_send(ngx_connection_t *c, uint64_t pnum[NGX_QUIC_SEND_CTX_LAST])
|
||||
ngx_quic_revert_send(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx,
|
||||
uint64_t pnum)
|
||||
{
|
||||
ngx_uint_t i;
|
||||
ngx_queue_t *q;
|
||||
ngx_quic_send_ctx_t *ctx;
|
||||
ngx_quic_connection_t *qc;
|
||||
ngx_queue_t *q;
|
||||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
while (!ngx_queue_empty(&ctx->sending)) {
|
||||
|
||||
for (i = 0; i < NGX_QUIC_SEND_CTX_LAST; i++) {
|
||||
ctx = &qc->send_ctx[i];
|
||||
|
||||
if (ngx_queue_empty(&ctx->sending)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
do {
|
||||
q = ngx_queue_last(&ctx->sending);
|
||||
ngx_queue_remove(q);
|
||||
ngx_queue_insert_head(&ctx->frames, q);
|
||||
} while (!ngx_queue_empty(&ctx->sending));
|
||||
|
||||
ctx->pnum = pnum[i];
|
||||
q = ngx_queue_last(&ctx->sending);
|
||||
ngx_queue_remove(q);
|
||||
ngx_queue_insert_head(&ctx->frames, q);
|
||||
}
|
||||
|
||||
ngx_quic_congestion_idle(c, 1);
|
||||
ctx->pnum = pnum;
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -294,17 +272,17 @@ ngx_quic_allow_segmentation(ngx_connection_t *c)
|
|||
return 0;
|
||||
}
|
||||
|
||||
ctx = ngx_quic_get_send_ctx(qc, NGX_QUIC_ENCRYPTION_INITIAL);
|
||||
ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_initial);
|
||||
if (!ngx_queue_empty(&ctx->frames)) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
ctx = ngx_quic_get_send_ctx(qc, NGX_QUIC_ENCRYPTION_HANDSHAKE);
|
||||
ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_handshake);
|
||||
if (!ngx_queue_empty(&ctx->frames)) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
ctx = ngx_quic_get_send_ctx(qc, NGX_QUIC_ENCRYPTION_APPLICATION);
|
||||
ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application);
|
||||
|
||||
bytes = 0;
|
||||
len = ngx_min(qc->path->mtu, NGX_QUIC_MAX_UDP_SEGMENT_BUF);
|
||||
|
|
@ -317,10 +295,6 @@ ngx_quic_allow_segmentation(ngx_connection_t *c)
|
|||
|
||||
bytes += f->len;
|
||||
|
||||
if (qc->congestion.in_flight + bytes >= qc->congestion.window) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (bytes > len * 3) {
|
||||
/* require at least ~3 full packets to batch */
|
||||
return 1;
|
||||
|
|
@ -337,19 +311,19 @@ ngx_quic_create_segments(ngx_connection_t *c)
|
|||
size_t len, segsize;
|
||||
ssize_t n;
|
||||
u_char *p, *end;
|
||||
ngx_uint_t nseg, level;
|
||||
uint64_t preserved_pnum;
|
||||
ngx_uint_t nseg;
|
||||
ngx_quic_path_t *path;
|
||||
ngx_quic_send_ctx_t *ctx;
|
||||
ngx_quic_congestion_t *cg;
|
||||
ngx_quic_connection_t *qc;
|
||||
static u_char dst[NGX_QUIC_MAX_UDP_SEGMENT_BUF];
|
||||
static uint64_t preserved_pnum[NGX_QUIC_SEND_CTX_LAST];
|
||||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
cg = &qc->congestion;
|
||||
path = qc->path;
|
||||
|
||||
ctx = ngx_quic_get_send_ctx(qc, NGX_QUIC_ENCRYPTION_APPLICATION);
|
||||
ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application);
|
||||
|
||||
if (ngx_quic_generate_ack(c, ctx) != NGX_OK) {
|
||||
return NGX_ERROR;
|
||||
|
|
@ -361,8 +335,7 @@ ngx_quic_create_segments(ngx_connection_t *c)
|
|||
|
||||
nseg = 0;
|
||||
|
||||
level = ctx - qc->send_ctx;
|
||||
preserved_pnum[level] = ctx->pnum;
|
||||
preserved_pnum = ctx->pnum;
|
||||
|
||||
for ( ;; ) {
|
||||
|
||||
|
|
@ -370,7 +343,7 @@ ngx_quic_create_segments(ngx_connection_t *c)
|
|||
|
||||
if (len && cg->in_flight + (p - dst) < cg->window) {
|
||||
|
||||
n = ngx_quic_output_packet(c, ctx, p, len, len, 0);
|
||||
n = ngx_quic_output_packet(c, ctx, p, len, len);
|
||||
if (n == NGX_ERROR) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
|
@ -396,18 +369,19 @@ ngx_quic_create_segments(ngx_connection_t *c)
|
|||
}
|
||||
|
||||
if (n == NGX_AGAIN) {
|
||||
ngx_quic_revert_send(c, preserved_pnum);
|
||||
ngx_quic_revert_send(c, ctx, preserved_pnum);
|
||||
|
||||
ngx_add_timer(&qc->push, NGX_QUIC_SOCKET_RETRY_DELAY);
|
||||
break;
|
||||
}
|
||||
|
||||
ngx_quic_commit_send(c);
|
||||
ngx_quic_commit_send(c, ctx);
|
||||
|
||||
path->sent += n;
|
||||
|
||||
p = dst;
|
||||
nseg = 0;
|
||||
preserved_pnum[level] = ctx->pnum;
|
||||
preserved_pnum = ctx->pnum;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -500,7 +474,7 @@ ngx_quic_get_padding_level(ngx_connection_t *c)
|
|||
*/
|
||||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
ctx = ngx_quic_get_send_ctx(qc, NGX_QUIC_ENCRYPTION_INITIAL);
|
||||
ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_initial);
|
||||
|
||||
for (q = ngx_queue_head(&ctx->frames);
|
||||
q != ngx_queue_sentinel(&ctx->frames);
|
||||
|
|
@ -527,7 +501,7 @@ ngx_quic_get_padding_level(ngx_connection_t *c)
|
|||
|
||||
static ssize_t
|
||||
ngx_quic_output_packet(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx,
|
||||
u_char *data, size_t max, size_t min, ngx_uint_t ack_only)
|
||||
u_char *data, size_t max, size_t min)
|
||||
{
|
||||
size_t len, pad, min_payload, max_payload;
|
||||
u_char *p;
|
||||
|
|
@ -591,10 +565,6 @@ ngx_quic_output_packet(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx,
|
|||
{
|
||||
f = ngx_queue_data(q, ngx_quic_frame_t, queue);
|
||||
|
||||
if (ack_only && f->type != NGX_QUIC_FT_ACK) {
|
||||
break;
|
||||
}
|
||||
|
||||
if (len >= max_payload) {
|
||||
break;
|
||||
}
|
||||
|
|
@ -687,10 +657,10 @@ ngx_quic_init_packet(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx,
|
|||
|
||||
pkt->flags = NGX_QUIC_PKT_FIXED_BIT;
|
||||
|
||||
if (ctx->level == NGX_QUIC_ENCRYPTION_INITIAL) {
|
||||
if (ctx->level == ssl_encryption_initial) {
|
||||
pkt->flags |= NGX_QUIC_PKT_LONG | NGX_QUIC_PKT_INITIAL;
|
||||
|
||||
} else if (ctx->level == NGX_QUIC_ENCRYPTION_HANDSHAKE) {
|
||||
} else if (ctx->level == ssl_encryption_handshake) {
|
||||
pkt->flags |= NGX_QUIC_PKT_LONG | NGX_QUIC_PKT_HANDSHAKE;
|
||||
|
||||
} else {
|
||||
|
|
@ -1103,7 +1073,7 @@ ngx_quic_send_new_token(ngx_connection_t *c, ngx_quic_path_t *path)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
frame->level = NGX_QUIC_ENCRYPTION_APPLICATION;
|
||||
frame->level = ssl_encryption_application;
|
||||
frame->type = NGX_QUIC_FT_NEW_TOKEN;
|
||||
frame->data = out;
|
||||
frame->u.token.length = token.len;
|
||||
|
|
|
|||
|
|
@ -8,12 +8,6 @@
|
|||
#include <ngx_core.h>
|
||||
#include <ngx_event.h>
|
||||
#include <ngx_event_quic_connection.h>
|
||||
#if (NGX_QUIC_BORINGSSL_EVP_API)
|
||||
#include <openssl/hkdf.h>
|
||||
#include <openssl/chacha.h>
|
||||
#else
|
||||
#include <openssl/kdf.h>
|
||||
#endif
|
||||
|
||||
|
||||
/* RFC 9001, 5.4.1. Header Protection Application: 5-byte mask */
|
||||
|
|
@ -39,7 +33,7 @@ static uint64_t ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask,
|
|||
|
||||
static ngx_int_t ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out,
|
||||
const u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
|
||||
#if !(NGX_QUIC_BORINGSSL_EVP_API)
|
||||
#ifndef OPENSSL_IS_BORINGSSL
|
||||
static ngx_int_t ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out,
|
||||
const u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
|
||||
#endif
|
||||
|
|
@ -64,7 +58,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers)
|
|||
switch (id) {
|
||||
|
||||
case TLS1_3_CK_AES_128_GCM_SHA256:
|
||||
#if (NGX_QUIC_BORINGSSL_EVP_API)
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
ciphers->c = EVP_aead_aes_128_gcm();
|
||||
#else
|
||||
ciphers->c = EVP_aes_128_gcm();
|
||||
|
|
@ -75,7 +69,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers)
|
|||
break;
|
||||
|
||||
case TLS1_3_CK_AES_256_GCM_SHA384:
|
||||
#if (NGX_QUIC_BORINGSSL_EVP_API)
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
ciphers->c = EVP_aead_aes_256_gcm();
|
||||
#else
|
||||
ciphers->c = EVP_aes_256_gcm();
|
||||
|
|
@ -86,12 +80,12 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers)
|
|||
break;
|
||||
|
||||
case TLS1_3_CK_CHACHA20_POLY1305_SHA256:
|
||||
#if (NGX_QUIC_BORINGSSL_EVP_API)
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
ciphers->c = EVP_aead_chacha20_poly1305();
|
||||
#else
|
||||
ciphers->c = EVP_chacha20_poly1305();
|
||||
#endif
|
||||
#if (NGX_QUIC_BORINGSSL_EVP_API)
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
ciphers->hp = (const EVP_CIPHER *) EVP_aead_chacha20_poly1305();
|
||||
#else
|
||||
ciphers->hp = EVP_chacha20();
|
||||
|
|
@ -100,7 +94,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers)
|
|||
len = 32;
|
||||
break;
|
||||
|
||||
#if !(NGX_QUIC_BORINGSSL_EVP_API)
|
||||
#ifndef OPENSSL_IS_BORINGSSL
|
||||
case TLS1_3_CK_AES_128_CCM_SHA256:
|
||||
ciphers->c = EVP_aes_128_ccm();
|
||||
ciphers->hp = EVP_aes_128_ctr();
|
||||
|
|
@ -131,13 +125,12 @@ ngx_quic_keys_set_initial_secret(ngx_quic_keys_t *keys, ngx_str_t *secret,
|
|||
ngx_quic_secret_t *client, *server;
|
||||
ngx_quic_ciphers_t ciphers;
|
||||
|
||||
static const uint8_t salt[20] = {
|
||||
0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17,
|
||||
0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a
|
||||
};
|
||||
static const uint8_t salt[20] =
|
||||
"\x38\x76\x2c\xf7\xf5\x59\x34\xb3\x4d\x17"
|
||||
"\x9a\xe6\xa4\xc8\x0c\xad\xcc\xbb\x7f\x0a";
|
||||
|
||||
client = &keys->secrets[NGX_QUIC_ENCRYPTION_INITIAL].client;
|
||||
server = &keys->secrets[NGX_QUIC_ENCRYPTION_INITIAL].server;
|
||||
client = &keys->secrets[ssl_encryption_initial].client;
|
||||
server = &keys->secrets[ssl_encryption_initial].server;
|
||||
|
||||
/*
|
||||
* RFC 9001, section 5. Packet Protection
|
||||
|
|
@ -269,7 +262,7 @@ static ngx_int_t
|
|||
ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest,
|
||||
const uint8_t *prk, size_t prk_len, const u_char *info, size_t info_len)
|
||||
{
|
||||
#if (NGX_QUIC_BORINGSSL_EVP_API)
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
|
||||
if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len)
|
||||
== 0)
|
||||
|
|
@ -331,7 +324,7 @@ ngx_hkdf_extract(u_char *out_key, size_t *out_len, const EVP_MD *digest,
|
|||
const u_char *secret, size_t secret_len, const u_char *salt,
|
||||
size_t salt_len)
|
||||
{
|
||||
#if (NGX_QUIC_BORINGSSL_EVP_API)
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
|
||||
if (HKDF_extract(out_key, out_len, digest, secret, secret_len, salt,
|
||||
salt_len)
|
||||
|
|
@ -394,7 +387,7 @@ ngx_quic_crypto_init(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s,
|
|||
ngx_quic_md_t *key, ngx_int_t enc, ngx_log_t *log)
|
||||
{
|
||||
|
||||
#if (NGX_QUIC_BORINGSSL_EVP_API)
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
EVP_AEAD_CTX *ctx;
|
||||
|
||||
ctx = EVP_AEAD_CTX_new(cipher, key->data, key->len,
|
||||
|
|
@ -454,7 +447,7 @@ static ngx_int_t
|
|||
ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out, const u_char *nonce,
|
||||
ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
|
||||
{
|
||||
#if (NGX_QUIC_BORINGSSL_EVP_API)
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
if (EVP_AEAD_CTX_open(s->ctx, out->data, &out->len, out->len, nonce,
|
||||
s->iv.len, in->data, in->len, ad->data, ad->len)
|
||||
!= 1)
|
||||
|
|
@ -474,7 +467,7 @@ ngx_int_t
|
|||
ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out, const u_char *nonce,
|
||||
ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
|
||||
{
|
||||
#if (NGX_QUIC_BORINGSSL_EVP_API)
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
if (EVP_AEAD_CTX_seal(s->ctx, out->data, &out->len, out->len, nonce,
|
||||
s->iv.len, in->data, in->len, ad->data, ad->len)
|
||||
!= 1)
|
||||
|
|
@ -490,7 +483,7 @@ ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out, const u_char *nonce,
|
|||
}
|
||||
|
||||
|
||||
#if !(NGX_QUIC_BORINGSSL_EVP_API)
|
||||
#ifndef OPENSSL_IS_BORINGSSL
|
||||
|
||||
static ngx_int_t
|
||||
ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out,
|
||||
|
|
@ -569,7 +562,7 @@ void
|
|||
ngx_quic_crypto_cleanup(ngx_quic_secret_t *s)
|
||||
{
|
||||
if (s->ctx) {
|
||||
#if (NGX_QUIC_BORINGSSL_EVP_API)
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
EVP_AEAD_CTX_free(s->ctx);
|
||||
#else
|
||||
EVP_CIPHER_CTX_free(s->ctx);
|
||||
|
|
@ -585,7 +578,7 @@ ngx_quic_crypto_hp_init(const EVP_CIPHER *cipher, ngx_quic_secret_t *s,
|
|||
{
|
||||
EVP_CIPHER_CTX *ctx;
|
||||
|
||||
#if (NGX_QUIC_BORINGSSL_EVP_API)
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
if (cipher == (EVP_CIPHER *) EVP_aead_chacha20_poly1305()) {
|
||||
/* no EVP interface */
|
||||
s->hp_ctx = NULL;
|
||||
|
|
@ -621,7 +614,7 @@ ngx_quic_crypto_hp(ngx_quic_secret_t *s, u_char *out, u_char *in,
|
|||
|
||||
ctx = s->hp_ctx;
|
||||
|
||||
#if (NGX_QUIC_BORINGSSL_EVP_API)
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
uint32_t cnt;
|
||||
|
||||
if (ctx == NULL) {
|
||||
|
|
@ -662,8 +655,8 @@ ngx_quic_crypto_hp_cleanup(ngx_quic_secret_t *s)
|
|||
|
||||
ngx_int_t
|
||||
ngx_quic_keys_set_encryption_secret(ngx_log_t *log, ngx_uint_t is_write,
|
||||
ngx_quic_keys_t *keys, ngx_uint_t level, const SSL_CIPHER *cipher,
|
||||
const uint8_t *secret, size_t secret_len)
|
||||
ngx_quic_keys_t *keys, enum ssl_encryption_level_t level,
|
||||
const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len)
|
||||
{
|
||||
ngx_int_t key_len;
|
||||
ngx_str_t secret_str;
|
||||
|
|
@ -728,8 +721,8 @@ ngx_quic_keys_set_encryption_secret(ngx_log_t *log, ngx_uint_t is_write,
|
|||
|
||||
|
||||
ngx_uint_t
|
||||
ngx_quic_keys_available(ngx_quic_keys_t *keys, ngx_uint_t level,
|
||||
ngx_uint_t is_write)
|
||||
ngx_quic_keys_available(ngx_quic_keys_t *keys,
|
||||
enum ssl_encryption_level_t level, ngx_uint_t is_write)
|
||||
{
|
||||
if (is_write == 0) {
|
||||
return keys->secrets[level].client.ctx != NULL;
|
||||
|
|
@ -740,7 +733,8 @@ ngx_quic_keys_available(ngx_quic_keys_t *keys, ngx_uint_t level,
|
|||
|
||||
|
||||
void
|
||||
ngx_quic_keys_discard(ngx_quic_keys_t *keys, ngx_uint_t level)
|
||||
ngx_quic_keys_discard(ngx_quic_keys_t *keys,
|
||||
enum ssl_encryption_level_t level)
|
||||
{
|
||||
ngx_quic_secret_t *client, *server;
|
||||
|
||||
|
|
@ -770,7 +764,7 @@ ngx_quic_keys_switch(ngx_connection_t *c, ngx_quic_keys_t *keys)
|
|||
{
|
||||
ngx_quic_secrets_t *current, *next, tmp;
|
||||
|
||||
current = &keys->secrets[NGX_QUIC_ENCRYPTION_APPLICATION];
|
||||
current = &keys->secrets[ssl_encryption_application];
|
||||
next = &keys->next_key;
|
||||
|
||||
ngx_quic_crypto_cleanup(¤t->client);
|
||||
|
|
@ -799,7 +793,7 @@ ngx_quic_keys_update(ngx_event_t *ev)
|
|||
qc = ngx_quic_get_connection(c);
|
||||
keys = qc->keys;
|
||||
|
||||
current = &keys->secrets[NGX_QUIC_ENCRYPTION_APPLICATION];
|
||||
current = &keys->secrets[ssl_encryption_application];
|
||||
next = &keys->next_key;
|
||||
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic key update");
|
||||
|
|
@ -964,9 +958,8 @@ ngx_quic_create_retry_packet(ngx_quic_header_t *pkt, ngx_str_t *res)
|
|||
/* 5.8. Retry Packet Integrity */
|
||||
static ngx_quic_md_t key = ngx_quic_md(
|
||||
"\xbe\x0c\x69\x0b\x9f\x66\x57\x5a\x1d\x76\x6b\x54\xe3\x68\xc8\x4e");
|
||||
static const u_char nonce[NGX_QUIC_IV_LEN] = {
|
||||
0x46, 0x15, 0x99, 0xd3, 0x5d, 0x63, 0x2b, 0xf2, 0x23, 0x98, 0x25, 0xbb
|
||||
};
|
||||
static const u_char nonce[NGX_QUIC_IV_LEN] =
|
||||
"\x46\x15\x99\xd3\x5d\x63\x2b\xf2\x23\x98\x25\xbb";
|
||||
static ngx_str_t in = ngx_string("");
|
||||
|
||||
ad.data = res->data;
|
||||
|
|
|
|||
|
|
@ -14,6 +14,8 @@
|
|||
#include <ngx_event_quic_transport.h>
|
||||
|
||||
|
||||
#define NGX_QUIC_ENCRYPTION_LAST ((ssl_encryption_application) + 1)
|
||||
|
||||
/* RFC 5116, 5.1/5.3 and RFC 8439, 2.3/2.5 for all supported ciphers */
|
||||
#define NGX_QUIC_IV_LEN 12
|
||||
#define NGX_QUIC_TAG_LEN 16
|
||||
|
|
@ -22,12 +24,10 @@
|
|||
#define NGX_QUIC_MAX_MD_SIZE 48
|
||||
|
||||
|
||||
#if (defined OPENSSL_IS_BORINGSSL || defined OPENSSL_IS_AWSLC)
|
||||
#define NGX_QUIC_BORINGSSL_EVP_API 1
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
#define ngx_quic_cipher_t EVP_AEAD
|
||||
#define ngx_quic_crypto_ctx_t EVP_AEAD_CTX
|
||||
#else
|
||||
#define NGX_QUIC_BORINGSSL_EVP_API 0
|
||||
#define ngx_quic_cipher_t EVP_CIPHER
|
||||
#define ngx_quic_crypto_ctx_t EVP_CIPHER_CTX
|
||||
#endif
|
||||
|
|
@ -94,11 +94,13 @@ typedef struct {
|
|||
ngx_int_t ngx_quic_keys_set_initial_secret(ngx_quic_keys_t *keys,
|
||||
ngx_str_t *secret, ngx_log_t *log);
|
||||
ngx_int_t ngx_quic_keys_set_encryption_secret(ngx_log_t *log,
|
||||
ngx_uint_t is_write, ngx_quic_keys_t *keys, ngx_uint_t level,
|
||||
const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len);
|
||||
ngx_uint_t ngx_quic_keys_available(ngx_quic_keys_t *keys, ngx_uint_t level,
|
||||
ngx_uint_t is_write);
|
||||
void ngx_quic_keys_discard(ngx_quic_keys_t *keys, ngx_uint_t level);
|
||||
ngx_uint_t is_write, ngx_quic_keys_t *keys,
|
||||
enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
|
||||
const uint8_t *secret, size_t secret_len);
|
||||
ngx_uint_t ngx_quic_keys_available(ngx_quic_keys_t *keys,
|
||||
enum ssl_encryption_level_t level, ngx_uint_t is_write);
|
||||
void ngx_quic_keys_discard(ngx_quic_keys_t *keys,
|
||||
enum ssl_encryption_level_t level);
|
||||
void ngx_quic_keys_switch(ngx_connection_t *c, ngx_quic_keys_t *keys);
|
||||
void ngx_quic_keys_update(ngx_event_t *ev);
|
||||
void ngx_quic_keys_cleanup(ngx_quic_keys_t *keys);
|
||||
|
|
|
|||
|
|
@ -10,6 +10,13 @@
|
|||
#include <ngx_event_quic_connection.h>
|
||||
|
||||
|
||||
#if defined OPENSSL_IS_BORINGSSL \
|
||||
|| defined LIBRESSL_VERSION_NUMBER \
|
||||
|| NGX_QUIC_OPENSSL_COMPAT
|
||||
#define NGX_QUIC_BORINGSSL_API 1
|
||||
#endif
|
||||
|
||||
|
||||
/*
|
||||
* RFC 9000, 7.5. Cryptographic Message Buffering
|
||||
*
|
||||
|
|
@ -18,343 +25,43 @@
|
|||
#define NGX_QUIC_MAX_BUFFERED 65535
|
||||
|
||||
|
||||
#if (NGX_QUIC_OPENSSL_API)
|
||||
|
||||
static int ngx_quic_cbs_send(ngx_ssl_conn_t *ssl_conn,
|
||||
const unsigned char *data, size_t len, size_t *consumed, void *arg);
|
||||
static int ngx_quic_cbs_recv_rcd(ngx_ssl_conn_t *ssl_conn,
|
||||
const unsigned char **data, size_t *bytes_read, void *arg);
|
||||
static int ngx_quic_cbs_release_rcd(ngx_ssl_conn_t *ssl_conn,
|
||||
size_t bytes_read, void *arg);
|
||||
static int ngx_quic_cbs_yield_secret(ngx_ssl_conn_t *ssl_conn, uint32_t level,
|
||||
int direction, const unsigned char *secret, size_t secret_len, void *arg);
|
||||
static int ngx_quic_cbs_got_transport_params(ngx_ssl_conn_t *ssl_conn,
|
||||
const unsigned char *params, size_t params_len, void *arg);
|
||||
static int ngx_quic_cbs_alert(ngx_ssl_conn_t *ssl_conn, unsigned char alert,
|
||||
void *arg);
|
||||
|
||||
#else /* NGX_QUIC_BORINGSSL_API || NGX_QUIC_QUICTLS_API */
|
||||
|
||||
static ngx_inline ngx_uint_t ngx_quic_map_encryption_level(
|
||||
enum ssl_encryption_level_t ssl_level);
|
||||
|
||||
#if (NGX_QUIC_BORINGSSL_API)
|
||||
static int ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn,
|
||||
enum ssl_encryption_level_t ssl_level, const SSL_CIPHER *cipher,
|
||||
enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
|
||||
const uint8_t *secret, size_t secret_len);
|
||||
static int ngx_quic_set_write_secret(ngx_ssl_conn_t *ssl_conn,
|
||||
enum ssl_encryption_level_t ssl_level, const SSL_CIPHER *cipher,
|
||||
enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
|
||||
const uint8_t *secret, size_t secret_len);
|
||||
#else /* NGX_QUIC_QUICTLS_API */
|
||||
#else
|
||||
static int ngx_quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn,
|
||||
enum ssl_encryption_level_t ssl_level, const uint8_t *read_secret,
|
||||
enum ssl_encryption_level_t level, const uint8_t *read_secret,
|
||||
const uint8_t *write_secret, size_t secret_len);
|
||||
#endif
|
||||
|
||||
static int ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
|
||||
enum ssl_encryption_level_t ssl_level, const uint8_t *data, size_t len);
|
||||
enum ssl_encryption_level_t level, const uint8_t *data, size_t len);
|
||||
static int ngx_quic_flush_flight(ngx_ssl_conn_t *ssl_conn);
|
||||
static int ngx_quic_send_alert(ngx_ssl_conn_t *ssl_conn,
|
||||
enum ssl_encryption_level_t ssl_level, uint8_t alert);
|
||||
|
||||
#endif
|
||||
|
||||
static ngx_int_t ngx_quic_handshake(ngx_connection_t *c);
|
||||
static ngx_int_t ngx_quic_crypto_provide(ngx_connection_t *c, ngx_uint_t level);
|
||||
|
||||
|
||||
#if (NGX_QUIC_OPENSSL_API)
|
||||
|
||||
static int
|
||||
ngx_quic_cbs_send(ngx_ssl_conn_t *ssl_conn,
|
||||
const unsigned char *data, size_t len, size_t *consumed, void *arg)
|
||||
{
|
||||
ngx_connection_t *c = arg;
|
||||
|
||||
ngx_chain_t *out;
|
||||
unsigned int alpn_len;
|
||||
ngx_quic_frame_t *frame;
|
||||
const unsigned char *alpn_data;
|
||||
ngx_quic_send_ctx_t *ctx;
|
||||
ngx_quic_connection_t *qc;
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic ngx_quic_cbs_send len:%uz", len);
|
||||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
|
||||
*consumed = 0;
|
||||
|
||||
SSL_get0_alpn_selected(ssl_conn, &alpn_data, &alpn_len);
|
||||
|
||||
if (alpn_len == 0) {
|
||||
qc->error = NGX_QUIC_ERR_CRYPTO(SSL_AD_NO_APPLICATION_PROTOCOL);
|
||||
qc->error_reason = "missing ALPN extension";
|
||||
|
||||
ngx_log_error(NGX_LOG_INFO, c->log, 0,
|
||||
"quic missing ALPN extension");
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (!qc->client_tp_done) {
|
||||
/* RFC 9001, 8.2. QUIC Transport Parameters Extension */
|
||||
qc->error = NGX_QUIC_ERR_CRYPTO(SSL_AD_MISSING_EXTENSION);
|
||||
qc->error_reason = "missing transport parameters";
|
||||
|
||||
ngx_log_error(NGX_LOG_INFO, c->log, 0,
|
||||
"missing transport parameters");
|
||||
return 1;
|
||||
}
|
||||
|
||||
ctx = ngx_quic_get_send_ctx(qc, qc->write_level);
|
||||
|
||||
out = ngx_quic_copy_buffer(c, (u_char *) data, len);
|
||||
if (out == NGX_CHAIN_ERROR) {
|
||||
qc->error = NGX_QUIC_ERR_INTERNAL_ERROR;
|
||||
return 1;
|
||||
}
|
||||
|
||||
frame = ngx_quic_alloc_frame(c);
|
||||
if (frame == NULL) {
|
||||
qc->error = NGX_QUIC_ERR_INTERNAL_ERROR;
|
||||
return 1;
|
||||
}
|
||||
|
||||
frame->data = out;
|
||||
frame->level = qc->write_level;
|
||||
frame->type = NGX_QUIC_FT_CRYPTO;
|
||||
frame->u.crypto.offset = ctx->crypto_sent;
|
||||
frame->u.crypto.length = len;
|
||||
|
||||
ctx->crypto_sent += len;
|
||||
*consumed = len;
|
||||
|
||||
ngx_quic_queue_frame(qc, frame);
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
ngx_quic_cbs_recv_rcd(ngx_ssl_conn_t *ssl_conn,
|
||||
const unsigned char **data, size_t *bytes_read, void *arg)
|
||||
{
|
||||
ngx_connection_t *c = arg;
|
||||
|
||||
ngx_buf_t *b;
|
||||
ngx_chain_t *cl;
|
||||
ngx_quic_send_ctx_t *ctx;
|
||||
ngx_quic_connection_t *qc;
|
||||
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic ngx_quic_cbs_recv_rcd");
|
||||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
ctx = ngx_quic_get_send_ctx(qc, qc->read_level);
|
||||
|
||||
for (cl = ctx->crypto.chain; cl; cl = cl->next) {
|
||||
b = cl->buf;
|
||||
|
||||
if (b->sync) {
|
||||
/* hole */
|
||||
|
||||
*bytes_read = 0;
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
*data = b->pos;
|
||||
*bytes_read = b->last - b->pos;
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
ngx_quic_cbs_release_rcd(ngx_ssl_conn_t *ssl_conn, size_t bytes_read, void *arg)
|
||||
{
|
||||
ngx_connection_t *c = arg;
|
||||
|
||||
ngx_chain_t *cl;
|
||||
ngx_quic_send_ctx_t *ctx;
|
||||
ngx_quic_connection_t *qc;
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic ngx_quic_cbs_release_rcd len:%uz", bytes_read);
|
||||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
ctx = ngx_quic_get_send_ctx(qc, qc->read_level);
|
||||
|
||||
cl = ngx_quic_read_buffer(c, &ctx->crypto, bytes_read);
|
||||
if (cl == NGX_CHAIN_ERROR) {
|
||||
qc->error = NGX_QUIC_ERR_INTERNAL_ERROR;
|
||||
return 1;
|
||||
}
|
||||
|
||||
ngx_quic_free_chain(c, cl);
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
ngx_quic_cbs_yield_secret(ngx_ssl_conn_t *ssl_conn, uint32_t ssl_level,
|
||||
int direction, const unsigned char *secret, size_t secret_len, void *arg)
|
||||
{
|
||||
ngx_connection_t *c = arg;
|
||||
|
||||
ngx_uint_t level;
|
||||
const SSL_CIPHER *cipher;
|
||||
ngx_quic_connection_t *qc;
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic ngx_quic_cbs_yield_secret() level:%uD", ssl_level);
|
||||
#ifdef NGX_QUIC_DEBUG_CRYPTO
|
||||
ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic %s secret len:%uz %*xs",
|
||||
direction ? "write" : "read", secret_len,
|
||||
secret_len, secret);
|
||||
#endif
|
||||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
cipher = SSL_get_current_cipher(ssl_conn);
|
||||
|
||||
switch (ssl_level) {
|
||||
case OSSL_RECORD_PROTECTION_LEVEL_NONE:
|
||||
level = NGX_QUIC_ENCRYPTION_INITIAL;
|
||||
break;
|
||||
case OSSL_RECORD_PROTECTION_LEVEL_EARLY:
|
||||
level = NGX_QUIC_ENCRYPTION_EARLY_DATA;
|
||||
break;
|
||||
case OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE:
|
||||
level = NGX_QUIC_ENCRYPTION_HANDSHAKE;
|
||||
break;
|
||||
default: /* OSSL_RECORD_PROTECTION_LEVEL_APPLICATION */
|
||||
level = NGX_QUIC_ENCRYPTION_APPLICATION;
|
||||
break;
|
||||
}
|
||||
|
||||
if (ngx_quic_keys_set_encryption_secret(c->log, direction, qc->keys, level,
|
||||
cipher, secret, secret_len)
|
||||
!= NGX_OK)
|
||||
{
|
||||
qc->error = NGX_QUIC_ERR_INTERNAL_ERROR;
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (direction) {
|
||||
qc->write_level = level;
|
||||
|
||||
} else {
|
||||
qc->read_level = level;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
ngx_quic_cbs_got_transport_params(ngx_ssl_conn_t *ssl_conn,
|
||||
const unsigned char *params, size_t params_len, void *arg)
|
||||
{
|
||||
ngx_connection_t *c = arg;
|
||||
|
||||
u_char *p, *end;
|
||||
ngx_quic_tp_t ctp;
|
||||
ngx_quic_connection_t *qc;
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic ngx_quic_cbs_got_transport_params() len:%uz",
|
||||
params_len);
|
||||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
|
||||
/* defaults for parameters not sent by client */
|
||||
ngx_memcpy(&ctp, &qc->ctp, sizeof(ngx_quic_tp_t));
|
||||
|
||||
p = (u_char *) params;
|
||||
end = p + params_len;
|
||||
|
||||
if (ngx_quic_parse_transport_params(p, end, &ctp, c->log) != NGX_OK) {
|
||||
qc->error = NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR;
|
||||
qc->error_reason = "failed to process transport parameters";
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (ngx_quic_apply_transport_params(c, &ctp) != NGX_OK) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
qc->client_tp_done = 1;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
ngx_quic_cbs_alert(ngx_ssl_conn_t *ssl_conn, unsigned char alert, void *arg)
|
||||
{
|
||||
ngx_connection_t *c = arg;
|
||||
|
||||
ngx_quic_connection_t *qc;
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic ngx_quic_cbs_alert() alert:%d", (int) alert);
|
||||
|
||||
/* already closed on regular shutdown */
|
||||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
if (qc == NULL) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
qc->error = NGX_QUIC_ERR_CRYPTO(alert);
|
||||
qc->error_reason = "handshake failed";
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
#else /* NGX_QUIC_BORINGSSL_API || NGX_QUIC_QUICTLS_API */
|
||||
|
||||
|
||||
static ngx_inline ngx_uint_t
|
||||
ngx_quic_map_encryption_level(enum ssl_encryption_level_t ssl_level)
|
||||
{
|
||||
switch (ssl_level) {
|
||||
case ssl_encryption_initial:
|
||||
return NGX_QUIC_ENCRYPTION_INITIAL;
|
||||
case ssl_encryption_early_data:
|
||||
return NGX_QUIC_ENCRYPTION_EARLY_DATA;
|
||||
case ssl_encryption_handshake:
|
||||
return NGX_QUIC_ENCRYPTION_HANDSHAKE;
|
||||
default: /* ssl_encryption_application */
|
||||
return NGX_QUIC_ENCRYPTION_APPLICATION;
|
||||
}
|
||||
}
|
||||
enum ssl_encryption_level_t level, uint8_t alert);
|
||||
static ngx_int_t ngx_quic_crypto_input(ngx_connection_t *c, ngx_chain_t *data,
|
||||
enum ssl_encryption_level_t level);
|
||||
|
||||
|
||||
#if (NGX_QUIC_BORINGSSL_API)
|
||||
|
||||
static int
|
||||
ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn,
|
||||
enum ssl_encryption_level_t ssl_level, const SSL_CIPHER *cipher,
|
||||
enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
|
||||
const uint8_t *rsecret, size_t secret_len)
|
||||
{
|
||||
ngx_uint_t level;
|
||||
ngx_connection_t *c;
|
||||
ngx_quic_connection_t *qc;
|
||||
|
||||
c = ngx_ssl_get_connection(ssl_conn);
|
||||
c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
|
||||
qc = ngx_quic_get_connection(c);
|
||||
level = ngx_quic_map_encryption_level(ssl_level);
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic ngx_quic_set_read_secret() level:%d", ssl_level);
|
||||
"quic ngx_quic_set_read_secret() level:%d", level);
|
||||
#ifdef NGX_QUIC_DEBUG_CRYPTO
|
||||
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic read secret len:%uz %*xs", secret_len,
|
||||
|
|
@ -365,7 +72,7 @@ ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn,
|
|||
cipher, rsecret, secret_len)
|
||||
!= NGX_OK)
|
||||
{
|
||||
qc->error = NGX_QUIC_ERR_INTERNAL_ERROR;
|
||||
return 0;
|
||||
}
|
||||
|
||||
return 1;
|
||||
|
|
@ -374,19 +81,17 @@ ngx_quic_set_read_secret(ngx_ssl_conn_t *ssl_conn,
|
|||
|
||||
static int
|
||||
ngx_quic_set_write_secret(ngx_ssl_conn_t *ssl_conn,
|
||||
enum ssl_encryption_level_t ssl_level, const SSL_CIPHER *cipher,
|
||||
enum ssl_encryption_level_t level, const SSL_CIPHER *cipher,
|
||||
const uint8_t *wsecret, size_t secret_len)
|
||||
{
|
||||
ngx_uint_t level;
|
||||
ngx_connection_t *c;
|
||||
ngx_quic_connection_t *qc;
|
||||
|
||||
c = ngx_ssl_get_connection(ssl_conn);
|
||||
c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
|
||||
qc = ngx_quic_get_connection(c);
|
||||
level = ngx_quic_map_encryption_level(ssl_level);
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic ngx_quic_set_write_secret() level:%d", ssl_level);
|
||||
"quic ngx_quic_set_write_secret() level:%d", level);
|
||||
#ifdef NGX_QUIC_DEBUG_CRYPTO
|
||||
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic write secret len:%uz %*xs", secret_len,
|
||||
|
|
@ -397,31 +102,28 @@ ngx_quic_set_write_secret(ngx_ssl_conn_t *ssl_conn,
|
|||
cipher, wsecret, secret_len)
|
||||
!= NGX_OK)
|
||||
{
|
||||
qc->error = NGX_QUIC_ERR_INTERNAL_ERROR;
|
||||
return 0;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
#else /* NGX_QUIC_QUICTLS_API */
|
||||
#else
|
||||
|
||||
static int
|
||||
ngx_quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn,
|
||||
enum ssl_encryption_level_t ssl_level, const uint8_t *rsecret,
|
||||
enum ssl_encryption_level_t level, const uint8_t *rsecret,
|
||||
const uint8_t *wsecret, size_t secret_len)
|
||||
{
|
||||
ngx_uint_t level;
|
||||
ngx_connection_t *c;
|
||||
const SSL_CIPHER *cipher;
|
||||
ngx_quic_connection_t *qc;
|
||||
|
||||
c = ngx_ssl_get_connection(ssl_conn);
|
||||
c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
|
||||
qc = ngx_quic_get_connection(c);
|
||||
level = ngx_quic_map_encryption_level(ssl_level);
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic ngx_quic_set_encryption_secrets() level:%d",
|
||||
ssl_level);
|
||||
"quic ngx_quic_set_encryption_secrets() level:%d", level);
|
||||
#ifdef NGX_QUIC_DEBUG_CRYPTO
|
||||
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic read secret len:%uz %*xs", secret_len,
|
||||
|
|
@ -434,11 +136,10 @@ ngx_quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn,
|
|||
cipher, rsecret, secret_len)
|
||||
!= NGX_OK)
|
||||
{
|
||||
qc->error = NGX_QUIC_ERR_INTERNAL_ERROR;
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (level == NGX_QUIC_ENCRYPTION_EARLY_DATA) {
|
||||
if (level == ssl_encryption_early_data) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
|
@ -452,7 +153,7 @@ ngx_quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn,
|
|||
cipher, wsecret, secret_len)
|
||||
!= NGX_OK)
|
||||
{
|
||||
qc->error = NGX_QUIC_ERR_INTERNAL_ERROR;
|
||||
return 0;
|
||||
}
|
||||
|
||||
return 1;
|
||||
|
|
@ -463,24 +164,24 @@ ngx_quic_set_encryption_secrets(ngx_ssl_conn_t *ssl_conn,
|
|||
|
||||
static int
|
||||
ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
|
||||
enum ssl_encryption_level_t ssl_level, const uint8_t *data, size_t len)
|
||||
enum ssl_encryption_level_t level, const uint8_t *data, size_t len)
|
||||
{
|
||||
u_char *p, *end;
|
||||
size_t client_params_len;
|
||||
ngx_uint_t level;
|
||||
ngx_chain_t *out;
|
||||
unsigned int alpn_len;
|
||||
const uint8_t *client_params;
|
||||
ngx_quic_tp_t ctp;
|
||||
ngx_quic_frame_t *frame;
|
||||
ngx_connection_t *c;
|
||||
const unsigned char *alpn_data;
|
||||
ngx_quic_send_ctx_t *ctx;
|
||||
ngx_quic_connection_t *qc;
|
||||
#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
|
||||
unsigned int alpn_len;
|
||||
const unsigned char *alpn_data;
|
||||
#endif
|
||||
|
||||
c = ngx_ssl_get_connection(ssl_conn);
|
||||
c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
|
||||
qc = ngx_quic_get_connection(c);
|
||||
level = ngx_quic_map_encryption_level(ssl_level);
|
||||
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic ngx_quic_add_handshake_data");
|
||||
|
|
@ -492,20 +193,21 @@ ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
|
|||
* here;
|
||||
*/
|
||||
|
||||
#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
|
||||
|
||||
SSL_get0_alpn_selected(ssl_conn, &alpn_data, &alpn_len);
|
||||
|
||||
if (alpn_len == 0) {
|
||||
if (qc->error == 0) {
|
||||
qc->error = NGX_QUIC_ERR_CRYPTO(SSL_AD_NO_APPLICATION_PROTOCOL);
|
||||
qc->error_reason = "missing ALPN extension";
|
||||
qc->error = NGX_QUIC_ERR_CRYPTO(SSL_AD_NO_APPLICATION_PROTOCOL);
|
||||
qc->error_reason = "unsupported protocol in ALPN extension";
|
||||
|
||||
ngx_log_error(NGX_LOG_INFO, c->log, 0,
|
||||
"quic missing ALPN extension");
|
||||
}
|
||||
|
||||
return 1;
|
||||
ngx_log_error(NGX_LOG_INFO, c->log, 0,
|
||||
"quic unsupported protocol in ALPN extension");
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
SSL_get_peer_quic_transport_params(ssl_conn, &client_params,
|
||||
&client_params_len);
|
||||
|
||||
|
|
@ -515,16 +217,12 @@ ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
|
|||
|
||||
if (client_params_len == 0) {
|
||||
/* RFC 9001, 8.2. QUIC Transport Parameters Extension */
|
||||
qc->error = NGX_QUIC_ERR_CRYPTO(SSL_AD_MISSING_EXTENSION);
|
||||
qc->error_reason = "missing transport parameters";
|
||||
|
||||
if (qc->error == 0) {
|
||||
qc->error = NGX_QUIC_ERR_CRYPTO(SSL_AD_MISSING_EXTENSION);
|
||||
qc->error_reason = "missing transport parameters";
|
||||
|
||||
ngx_log_error(NGX_LOG_INFO, c->log, 0,
|
||||
"missing transport parameters");
|
||||
}
|
||||
|
||||
return 1;
|
||||
ngx_log_error(NGX_LOG_INFO, c->log, 0,
|
||||
"missing transport parameters");
|
||||
return 0;
|
||||
}
|
||||
|
||||
p = (u_char *) client_params;
|
||||
|
|
@ -539,11 +237,11 @@ ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
|
|||
qc->error = NGX_QUIC_ERR_TRANSPORT_PARAMETER_ERROR;
|
||||
qc->error_reason = "failed to process transport parameters";
|
||||
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (ngx_quic_apply_transport_params(c, &ctp) != NGX_OK) {
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
qc->client_tp_done = 1;
|
||||
|
|
@ -553,14 +251,12 @@ ngx_quic_add_handshake_data(ngx_ssl_conn_t *ssl_conn,
|
|||
|
||||
out = ngx_quic_copy_buffer(c, (u_char *) data, len);
|
||||
if (out == NGX_CHAIN_ERROR) {
|
||||
qc->error = NGX_QUIC_ERR_INTERNAL_ERROR;
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
frame = ngx_quic_alloc_frame(c);
|
||||
if (frame == NULL) {
|
||||
qc->error = NGX_QUIC_ERR_INTERNAL_ERROR;
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
frame->data = out;
|
||||
|
|
@ -583,7 +279,7 @@ ngx_quic_flush_flight(ngx_ssl_conn_t *ssl_conn)
|
|||
#if (NGX_DEBUG)
|
||||
ngx_connection_t *c;
|
||||
|
||||
c = ngx_ssl_get_connection(ssl_conn);
|
||||
c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
|
||||
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic ngx_quic_flush_flight()");
|
||||
|
|
@ -593,17 +289,17 @@ ngx_quic_flush_flight(ngx_ssl_conn_t *ssl_conn)
|
|||
|
||||
|
||||
static int
|
||||
ngx_quic_send_alert(ngx_ssl_conn_t *ssl_conn,
|
||||
enum ssl_encryption_level_t ssl_level, uint8_t alert)
|
||||
ngx_quic_send_alert(ngx_ssl_conn_t *ssl_conn, enum ssl_encryption_level_t level,
|
||||
uint8_t alert)
|
||||
{
|
||||
ngx_connection_t *c;
|
||||
ngx_quic_connection_t *qc;
|
||||
|
||||
c = ngx_ssl_get_connection(ssl_conn);
|
||||
c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
|
||||
|
||||
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"quic ngx_quic_send_alert() level:%d alert:%d",
|
||||
ssl_level, (int) alert);
|
||||
"quic ngx_quic_send_alert() level:%s alert:%d",
|
||||
ngx_quic_level_name(level), (int) alert);
|
||||
|
||||
/* already closed on regular shutdown */
|
||||
|
||||
|
|
@ -618,14 +314,13 @@ ngx_quic_send_alert(ngx_ssl_conn_t *ssl_conn,
|
|||
return 1;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
|
||||
ngx_int_t
|
||||
ngx_quic_handle_crypto_frame(ngx_connection_t *c, ngx_quic_header_t *pkt,
|
||||
ngx_quic_frame_t *frame)
|
||||
{
|
||||
uint64_t last;
|
||||
ngx_chain_t *cl;
|
||||
ngx_quic_send_ctx_t *ctx;
|
||||
ngx_quic_connection_t *qc;
|
||||
ngx_quic_crypto_frame_t *f;
|
||||
|
|
@ -648,13 +343,13 @@ ngx_quic_handle_crypto_frame(ngx_connection_t *c, ngx_quic_header_t *pkt,
|
|||
}
|
||||
|
||||
if (last <= ctx->crypto.offset) {
|
||||
if (pkt->level == NGX_QUIC_ENCRYPTION_INITIAL) {
|
||||
if (pkt->level == ssl_encryption_initial) {
|
||||
/* speeding up handshake completion */
|
||||
|
||||
if (!ngx_queue_empty(&ctx->sent)) {
|
||||
ngx_quic_resend_frames(c, ctx);
|
||||
|
||||
ctx = ngx_quic_get_send_ctx(qc, NGX_QUIC_ENCRYPTION_HANDSHAKE);
|
||||
ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_handshake);
|
||||
while (!ngx_queue_empty(&ctx->sent)) {
|
||||
ngx_quic_resend_frames(c, ctx);
|
||||
}
|
||||
|
|
@ -664,25 +359,43 @@ ngx_quic_handle_crypto_frame(ngx_connection_t *c, ngx_quic_header_t *pkt,
|
|||
return NGX_OK;
|
||||
}
|
||||
|
||||
if (ngx_quic_write_buffer(c, &ctx->crypto, frame->data, f->length,
|
||||
f->offset)
|
||||
== NGX_CHAIN_ERROR)
|
||||
{
|
||||
return NGX_ERROR;
|
||||
if (f->offset == ctx->crypto.offset) {
|
||||
if (ngx_quic_crypto_input(c, frame->data, pkt->level) != NGX_OK) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
ngx_quic_skip_buffer(c, &ctx->crypto, last);
|
||||
|
||||
} else {
|
||||
if (ngx_quic_write_buffer(c, &ctx->crypto, frame->data, f->length,
|
||||
f->offset)
|
||||
== NGX_CHAIN_ERROR)
|
||||
{
|
||||
return NGX_ERROR;
|
||||
}
|
||||
}
|
||||
|
||||
if (ngx_quic_crypto_provide(c, pkt->level) != NGX_OK) {
|
||||
return NGX_ERROR;
|
||||
cl = ngx_quic_read_buffer(c, &ctx->crypto, (uint64_t) -1);
|
||||
|
||||
if (cl) {
|
||||
if (ngx_quic_crypto_input(c, cl, pkt->level) != NGX_OK) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
ngx_quic_free_chain(c, cl);
|
||||
}
|
||||
|
||||
return ngx_quic_handshake(c);
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
|
||||
static ngx_int_t
|
||||
ngx_quic_handshake(ngx_connection_t *c)
|
||||
ngx_quic_crypto_input(ngx_connection_t *c, ngx_chain_t *data,
|
||||
enum ssl_encryption_level_t level)
|
||||
{
|
||||
int n, sslerr;
|
||||
ngx_buf_t *b;
|
||||
ngx_chain_t *cl;
|
||||
ngx_ssl_conn_t *ssl_conn;
|
||||
ngx_quic_frame_t *frame;
|
||||
ngx_quic_connection_t *qc;
|
||||
|
|
@ -691,6 +404,16 @@ ngx_quic_handshake(ngx_connection_t *c)
|
|||
|
||||
ssl_conn = c->ssl->connection;
|
||||
|
||||
for (cl = data; cl; cl = cl->next) {
|
||||
b = cl->buf;
|
||||
|
||||
if (!SSL_provide_quic_data(ssl_conn, level, b->pos, b->last - b->pos)) {
|
||||
ngx_ssl_error(NGX_LOG_INFO, c->log, 0,
|
||||
"SSL_provide_quic_data() failed");
|
||||
return NGX_ERROR;
|
||||
}
|
||||
}
|
||||
|
||||
n = SSL_do_handshake(ssl_conn);
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
|
||||
|
|
@ -701,31 +424,22 @@ ngx_quic_handshake(ngx_connection_t *c)
|
|||
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d",
|
||||
sslerr);
|
||||
|
||||
if (c->ssl->handshake_rejected) {
|
||||
ngx_connection_error(c, 0, "handshake rejected");
|
||||
ERR_clear_error();
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (qc->error) {
|
||||
ngx_connection_error(c, 0, "SSL_do_handshake() failed");
|
||||
ERR_clear_error();
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (sslerr != SSL_ERROR_WANT_READ) {
|
||||
ngx_ssl_connection_error(c, sslerr, 0, "SSL_do_handshake() failed");
|
||||
|
||||
if (c->ssl->handshake_rejected) {
|
||||
ngx_connection_error(c, 0, "handshake rejected");
|
||||
ERR_clear_error();
|
||||
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "SSL_do_handshake() failed");
|
||||
return NGX_ERROR;
|
||||
}
|
||||
}
|
||||
|
||||
if (qc->error) {
|
||||
ngx_connection_error(c, 0, "SSL_do_handshake() failed");
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (!SSL_is_init_finished(ssl_conn)) {
|
||||
if (ngx_quic_keys_available(qc->keys, NGX_QUIC_ENCRYPTION_EARLY_DATA, 0)
|
||||
if (n <= 0 || SSL_in_init(ssl_conn)) {
|
||||
if (ngx_quic_keys_available(qc->keys, ssl_encryption_early_data, 0)
|
||||
&& qc->client_tp_done)
|
||||
{
|
||||
if (ngx_quic_init_streams(c) != NGX_OK) {
|
||||
|
|
@ -747,7 +461,7 @@ ngx_quic_handshake(ngx_connection_t *c)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
frame->level = NGX_QUIC_ENCRYPTION_APPLICATION;
|
||||
frame->level = ssl_encryption_application;
|
||||
frame->type = NGX_QUIC_FT_HANDSHAKE_DONE;
|
||||
ngx_quic_queue_frame(qc, frame);
|
||||
|
||||
|
|
@ -771,7 +485,7 @@ ngx_quic_handshake(ngx_connection_t *c)
|
|||
* An endpoint MUST discard its Handshake keys
|
||||
* when the TLS handshake is confirmed.
|
||||
*/
|
||||
ngx_quic_discard_ctx(c, NGX_QUIC_ENCRYPTION_HANDSHAKE);
|
||||
ngx_quic_discard_ctx(c, ssl_encryption_handshake);
|
||||
|
||||
ngx_quic_discover_path_mtu(c, qc->path);
|
||||
|
||||
|
|
@ -788,97 +502,17 @@ ngx_quic_handshake(ngx_connection_t *c)
|
|||
}
|
||||
|
||||
|
||||
static ngx_int_t
|
||||
ngx_quic_crypto_provide(ngx_connection_t *c, ngx_uint_t level)
|
||||
{
|
||||
#if (NGX_QUIC_BORINGSSL_API || NGX_QUIC_QUICTLS_API)
|
||||
|
||||
ngx_buf_t *b;
|
||||
ngx_chain_t *out, *cl;
|
||||
ngx_quic_send_ctx_t *ctx;
|
||||
ngx_quic_connection_t *qc;
|
||||
enum ssl_encryption_level_t ssl_level;
|
||||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
ctx = ngx_quic_get_send_ctx(qc, level);
|
||||
|
||||
out = ngx_quic_read_buffer(c, &ctx->crypto, (uint64_t) -1);
|
||||
if (out == NGX_CHAIN_ERROR) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
switch (level) {
|
||||
case NGX_QUIC_ENCRYPTION_INITIAL:
|
||||
ssl_level = ssl_encryption_initial;
|
||||
break;
|
||||
case NGX_QUIC_ENCRYPTION_EARLY_DATA:
|
||||
ssl_level = ssl_encryption_early_data;
|
||||
break;
|
||||
case NGX_QUIC_ENCRYPTION_HANDSHAKE:
|
||||
ssl_level = ssl_encryption_handshake;
|
||||
break;
|
||||
default: /* NGX_QUIC_ENCRYPTION_APPLICATION */
|
||||
ssl_level = ssl_encryption_application;
|
||||
break;
|
||||
}
|
||||
|
||||
for (cl = out; cl; cl = cl->next) {
|
||||
b = cl->buf;
|
||||
|
||||
if (!SSL_provide_quic_data(c->ssl->connection, ssl_level, b->pos,
|
||||
b->last - b->pos))
|
||||
{
|
||||
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
|
||||
"SSL_provide_quic_data() failed");
|
||||
return NGX_ERROR;
|
||||
}
|
||||
}
|
||||
|
||||
ngx_quic_free_chain(c, out);
|
||||
|
||||
#endif
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
|
||||
ngx_int_t
|
||||
ngx_quic_init_connection(ngx_connection_t *c)
|
||||
{
|
||||
u_char *p;
|
||||
size_t clen;
|
||||
ssize_t len;
|
||||
ngx_str_t dcid;
|
||||
ngx_ssl_conn_t *ssl_conn;
|
||||
ngx_quic_socket_t *qsock;
|
||||
ngx_quic_connection_t *qc;
|
||||
|
||||
#if (NGX_QUIC_OPENSSL_API)
|
||||
static const OSSL_DISPATCH qtdis[] = {
|
||||
|
||||
{ OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND,
|
||||
(void (*)(void)) ngx_quic_cbs_send },
|
||||
|
||||
{ OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD,
|
||||
(void (*)(void)) ngx_quic_cbs_recv_rcd },
|
||||
|
||||
{ OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RELEASE_RCD,
|
||||
(void (*)(void)) ngx_quic_cbs_release_rcd },
|
||||
|
||||
{ OSSL_FUNC_SSL_QUIC_TLS_YIELD_SECRET,
|
||||
(void (*)(void)) ngx_quic_cbs_yield_secret },
|
||||
|
||||
{ OSSL_FUNC_SSL_QUIC_TLS_GOT_TRANSPORT_PARAMS,
|
||||
(void (*)(void)) ngx_quic_cbs_got_transport_params },
|
||||
|
||||
{ OSSL_FUNC_SSL_QUIC_TLS_ALERT,
|
||||
(void (*)(void)) ngx_quic_cbs_alert },
|
||||
|
||||
{ 0, NULL }
|
||||
};
|
||||
#else /* NGX_QUIC_BORINGSSL_API || NGX_QUIC_QUICTLS_API */
|
||||
static SSL_QUIC_METHOD quic_method;
|
||||
#endif
|
||||
u_char *p;
|
||||
size_t clen;
|
||||
ssize_t len;
|
||||
ngx_str_t dcid;
|
||||
ngx_ssl_conn_t *ssl_conn;
|
||||
ngx_quic_socket_t *qsock;
|
||||
ngx_quic_connection_t *qc;
|
||||
static SSL_QUIC_METHOD quic_method;
|
||||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
|
||||
|
|
@ -890,20 +524,6 @@ ngx_quic_init_connection(ngx_connection_t *c)
|
|||
|
||||
ssl_conn = c->ssl->connection;
|
||||
|
||||
#if (NGX_QUIC_OPENSSL_API)
|
||||
|
||||
if (SSL_set_quic_tls_cbs(ssl_conn, qtdis, c) == 0) {
|
||||
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
|
||||
"quic SSL_set_quic_tls_cbs() failed");
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (SSL_CTX_get_max_early_data(qc->conf->ssl->ctx)) {
|
||||
SSL_set_quic_tls_early_data_enabled(ssl_conn, 1);
|
||||
}
|
||||
|
||||
#else /* NGX_QUIC_BORINGSSL_API || NGX_QUIC_QUICTLS_API */
|
||||
|
||||
if (!quic_method.send_alert) {
|
||||
#if (NGX_QUIC_BORINGSSL_API)
|
||||
quic_method.set_read_secret = ngx_quic_set_read_secret;
|
||||
|
|
@ -917,17 +537,15 @@ ngx_quic_init_connection(ngx_connection_t *c)
|
|||
}
|
||||
|
||||
if (SSL_set_quic_method(ssl_conn, &quic_method) == 0) {
|
||||
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
|
||||
ngx_log_error(NGX_LOG_INFO, c->log, 0,
|
||||
"quic SSL_set_quic_method() failed");
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
#if (NGX_QUIC_QUICTLS_API)
|
||||
#ifdef OPENSSL_INFO_QUIC
|
||||
if (SSL_CTX_get_max_early_data(qc->conf->ssl->ctx)) {
|
||||
SSL_set_quic_early_data_enabled(ssl_conn, 1);
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif
|
||||
|
||||
qsock = ngx_quic_get_socket(c);
|
||||
|
|
@ -959,23 +577,15 @@ ngx_quic_init_connection(ngx_connection_t *c)
|
|||
"quic transport parameters len:%uz %*xs", len, len, p);
|
||||
#endif
|
||||
|
||||
#if (NGX_QUIC_OPENSSL_API)
|
||||
if (SSL_set_quic_tls_transport_params(ssl_conn, p, len) == 0) {
|
||||
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
|
||||
"quic SSL_set_quic_tls_transport_params() failed");
|
||||
return NGX_ERROR;
|
||||
}
|
||||
#else
|
||||
if (SSL_set_quic_transport_params(ssl_conn, p, len) == 0) {
|
||||
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
|
||||
ngx_log_error(NGX_LOG_INFO, c->log, 0,
|
||||
"quic SSL_set_quic_transport_params() failed");
|
||||
return NGX_ERROR;
|
||||
}
|
||||
#endif
|
||||
|
||||
#if (defined OPENSSL_IS_BORINGSSL || defined OPENSSL_IS_AWSLC)
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
if (SSL_set_quic_early_data_context(ssl_conn, p, clen) == 0) {
|
||||
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
|
||||
ngx_log_error(NGX_LOG_INFO, c->log, 0,
|
||||
"quic SSL_set_quic_early_data_context() failed");
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -280,7 +280,7 @@ ngx_quic_do_reset_stream(ngx_quic_stream_t *qs, ngx_uint_t err)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
frame->level = NGX_QUIC_ENCRYPTION_APPLICATION;
|
||||
frame->level = ssl_encryption_application;
|
||||
frame->type = NGX_QUIC_FT_RESET_STREAM;
|
||||
frame->u.reset_stream.id = qs->id;
|
||||
frame->u.reset_stream.error_code = err;
|
||||
|
|
@ -367,7 +367,7 @@ ngx_quic_shutdown_stream_recv(ngx_connection_t *c)
|
|||
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, pc->log, 0,
|
||||
"quic stream id:0x%xL recv shutdown", qs->id);
|
||||
|
||||
frame->level = NGX_QUIC_ENCRYPTION_APPLICATION;
|
||||
frame->level = ssl_encryption_application;
|
||||
frame->type = NGX_QUIC_FT_STOP_SENDING;
|
||||
frame->u.stop_sending.id = qs->id;
|
||||
frame->u.stop_sending.error_code = qc->conf->stream_close_code;
|
||||
|
|
@ -527,7 +527,7 @@ ngx_quic_reject_stream(ngx_connection_t *c, uint64_t id)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
frame->level = NGX_QUIC_ENCRYPTION_APPLICATION;
|
||||
frame->level = ssl_encryption_application;
|
||||
frame->type = NGX_QUIC_FT_RESET_STREAM;
|
||||
frame->u.reset_stream.id = id;
|
||||
frame->u.reset_stream.error_code = code;
|
||||
|
|
@ -540,7 +540,7 @@ ngx_quic_reject_stream(ngx_connection_t *c, uint64_t id)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
frame->level = NGX_QUIC_ENCRYPTION_APPLICATION;
|
||||
frame->level = ssl_encryption_application;
|
||||
frame->type = NGX_QUIC_FT_STOP_SENDING;
|
||||
frame->u.stop_sending.id = id;
|
||||
frame->u.stop_sending.error_code = code;
|
||||
|
|
@ -1062,7 +1062,7 @@ ngx_quic_stream_flush(ngx_quic_stream_t *qs)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
frame->level = NGX_QUIC_ENCRYPTION_APPLICATION;
|
||||
frame->level = ssl_encryption_application;
|
||||
frame->type = NGX_QUIC_FT_STREAM;
|
||||
frame->data = out;
|
||||
|
||||
|
|
@ -1180,7 +1180,7 @@ ngx_quic_close_stream(ngx_quic_stream_t *qs)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
frame->level = NGX_QUIC_ENCRYPTION_APPLICATION;
|
||||
frame->level = ssl_encryption_application;
|
||||
frame->type = NGX_QUIC_FT_MAX_STREAMS;
|
||||
|
||||
if (qs->id & NGX_QUIC_STREAM_UNIDIRECTIONAL) {
|
||||
|
|
@ -1771,7 +1771,7 @@ ngx_quic_update_max_stream_data(ngx_quic_stream_t *qs)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
frame->level = NGX_QUIC_ENCRYPTION_APPLICATION;
|
||||
frame->level = ssl_encryption_application;
|
||||
frame->type = NGX_QUIC_FT_MAX_STREAM_DATA;
|
||||
frame->u.max_stream_data.id = qs->id;
|
||||
frame->u.max_stream_data.limit = qs->recv_max_data;
|
||||
|
|
@ -1807,7 +1807,7 @@ ngx_quic_update_max_data(ngx_connection_t *c)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
frame->level = NGX_QUIC_ENCRYPTION_APPLICATION;
|
||||
frame->level = ssl_encryption_application;
|
||||
frame->type = NGX_QUIC_FT_MAX_DATA;
|
||||
frame->u.max_data.max_data = qc->streams.recv_max_data;
|
||||
|
||||
|
|
|
|||
|
|
@ -281,7 +281,7 @@ ngx_int_t
|
|||
ngx_quic_parse_packet(ngx_quic_header_t *pkt)
|
||||
{
|
||||
if (!ngx_quic_long_pkt(pkt->flags)) {
|
||||
pkt->level = NGX_QUIC_ENCRYPTION_APPLICATION;
|
||||
pkt->level = ssl_encryption_application;
|
||||
|
||||
if (ngx_quic_parse_short_header(pkt, NGX_QUIC_SERVER_CID_LEN) != NGX_OK)
|
||||
{
|
||||
|
|
@ -468,13 +468,13 @@ ngx_quic_parse_long_header_v1(ngx_quic_header_t *pkt)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
pkt->level = NGX_QUIC_ENCRYPTION_INITIAL;
|
||||
pkt->level = ssl_encryption_initial;
|
||||
|
||||
} else if (ngx_quic_pkt_zrtt(pkt->flags)) {
|
||||
pkt->level = NGX_QUIC_ENCRYPTION_EARLY_DATA;
|
||||
pkt->level = ssl_encryption_early_data;
|
||||
|
||||
} else if (ngx_quic_pkt_hs(pkt->flags)) {
|
||||
pkt->level = NGX_QUIC_ENCRYPTION_HANDSHAKE;
|
||||
pkt->level = ssl_encryption_handshake;
|
||||
|
||||
} else {
|
||||
ngx_log_error(NGX_LOG_INFO, pkt->log, 0,
|
||||
|
|
@ -593,7 +593,7 @@ ngx_quic_payload_size(ngx_quic_header_t *pkt, size_t pkt_len)
|
|||
|
||||
/* flags, version, dcid and scid with lengths and zero-length token */
|
||||
len = 5 + 2 + pkt->dcid.len + pkt->scid.len
|
||||
+ (pkt->level == NGX_QUIC_ENCRYPTION_INITIAL ? 1 : 0);
|
||||
+ (pkt->level == ssl_encryption_initial ? 1 : 0);
|
||||
|
||||
if (len > pkt_len) {
|
||||
return 0;
|
||||
|
|
@ -632,7 +632,7 @@ ngx_quic_create_long_header(ngx_quic_header_t *pkt, u_char *out,
|
|||
if (out == NULL) {
|
||||
return 5 + 2 + pkt->dcid.len + pkt->scid.len
|
||||
+ ngx_quic_varint_len(rem_len) + pkt->num_len
|
||||
+ (pkt->level == NGX_QUIC_ENCRYPTION_INITIAL ? 1 : 0);
|
||||
+ (pkt->level == ssl_encryption_initial ? 1 : 0);
|
||||
}
|
||||
|
||||
p = start = out;
|
||||
|
|
@ -647,7 +647,7 @@ ngx_quic_create_long_header(ngx_quic_header_t *pkt, u_char *out,
|
|||
*p++ = pkt->scid.len;
|
||||
p = ngx_cpymem(p, pkt->scid.data, pkt->scid.len);
|
||||
|
||||
if (pkt->level == NGX_QUIC_ENCRYPTION_INITIAL) {
|
||||
if (pkt->level == ssl_encryption_initial) {
|
||||
ngx_quic_build_int(&p, 0);
|
||||
}
|
||||
|
||||
|
|
@ -1773,7 +1773,7 @@ ngx_quic_parse_transport_params(u_char *p, u_char *end, ngx_quic_tp_t *tp,
|
|||
}
|
||||
|
||||
if (rc == NGX_DECLINED) {
|
||||
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, log, 0,
|
||||
ngx_log_error(NGX_LOG_INFO, log, 0,
|
||||
"quic %s transport param id:0x%xL, skipped",
|
||||
(id % 31 == 27) ? "reserved" : "unknown", id);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -47,9 +47,9 @@
|
|||
(ngx_quic_long_pkt(flags) ? 0x0F : 0x1F)
|
||||
|
||||
#define ngx_quic_level_name(lvl) \
|
||||
(lvl == NGX_QUIC_ENCRYPTION_APPLICATION) ? "app" \
|
||||
: (lvl == NGX_QUIC_ENCRYPTION_INITIAL) ? "init" \
|
||||
: (lvl == NGX_QUIC_ENCRYPTION_HANDSHAKE) ? "hs" : "early"
|
||||
(lvl == ssl_encryption_application) ? "app" \
|
||||
: (lvl == ssl_encryption_initial) ? "init" \
|
||||
: (lvl == ssl_encryption_handshake) ? "hs" : "early"
|
||||
|
||||
#define NGX_QUIC_MAX_CID_LEN 20
|
||||
#define NGX_QUIC_SERVER_CID_LEN NGX_QUIC_MAX_CID_LEN
|
||||
|
|
@ -262,7 +262,7 @@ typedef struct ngx_quic_frame_s ngx_quic_frame_t;
|
|||
|
||||
struct ngx_quic_frame_s {
|
||||
ngx_uint_t type;
|
||||
ngx_uint_t level;
|
||||
enum ssl_encryption_level_t level;
|
||||
ngx_queue_t queue;
|
||||
uint64_t pnum;
|
||||
size_t plen;
|
||||
|
|
@ -271,7 +271,6 @@ struct ngx_quic_frame_s {
|
|||
unsigned need_ack:1;
|
||||
unsigned pkt_need_ack:1;
|
||||
unsigned ignore_congestion:1;
|
||||
unsigned ignore_loss:1;
|
||||
|
||||
ngx_chain_t *data;
|
||||
union {
|
||||
|
|
@ -310,7 +309,7 @@ typedef struct {
|
|||
uint8_t flags;
|
||||
uint32_t version;
|
||||
ngx_str_t token;
|
||||
ngx_uint_t level;
|
||||
enum ssl_encryption_level_t level;
|
||||
ngx_uint_t error;
|
||||
|
||||
/* filled in by parser */
|
||||
|
|
|
|||
|
|
@ -245,7 +245,7 @@ ngx_http_addition_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
if (ngx_http_merge_types(cf, &conf->types_keys, &conf->types,
|
||||
&prev->types_keys, &prev->types,
|
||||
ngx_http_html_default_types)
|
||||
!= NGX_CONF_OK)
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -253,8 +253,7 @@ ngx_http_auth_basic_handler(ngx_http_request_t *r)
|
|||
pwd.len = i - passwd;
|
||||
pwd.data = ngx_pnalloc(r->pool, pwd.len + 1);
|
||||
if (pwd.data == NULL) {
|
||||
rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
|
||||
goto cleanup;
|
||||
return NGX_HTTP_INTERNAL_SERVER_ERROR;
|
||||
}
|
||||
|
||||
ngx_cpystrn(pwd.data, &buf[passwd], pwd.len + 1);
|
||||
|
|
|
|||
|
|
@ -1332,12 +1332,6 @@ ngx_http_charset_map(ngx_conf_t *cf, ngx_command_t *dummy, void *conf)
|
|||
table = ctx->table;
|
||||
|
||||
if (ctx->charset->utf8) {
|
||||
if (value[1].len / 2 > NGX_UTF_LEN - 1) {
|
||||
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
||||
"invalid value \"%V\"", &value[1]);
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
p = &table->src2dst[src * NGX_UTF_LEN];
|
||||
|
||||
*p++ = (u_char) (value[1].len / 2);
|
||||
|
|
@ -1564,7 +1558,7 @@ ngx_http_charset_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
if (ngx_http_merge_types(cf, &conf->types_keys, &conf->types,
|
||||
&prev->types_keys, &prev->types,
|
||||
ngx_http_charset_default_types)
|
||||
!= NGX_CONF_OK)
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3130,7 +3130,7 @@ ngx_http_fastcgi_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
if (ngx_conf_merge_path_value(cf, &conf->upstream.temp_path,
|
||||
prev->upstream.temp_path,
|
||||
&ngx_http_fastcgi_temp_path)
|
||||
!= NGX_CONF_OK)
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1869,8 +1869,7 @@ ngx_http_grpc_process_header(ngx_http_request_t *r)
|
|||
return NGX_HTTP_UPSTREAM_INVALID_HEADER;
|
||||
}
|
||||
|
||||
if (status < NGX_HTTP_OK && status != NGX_HTTP_EARLY_HINTS)
|
||||
{
|
||||
if (status < NGX_HTTP_OK) {
|
||||
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
|
||||
"upstream sent unexpected :status \"%V\"",
|
||||
status_line);
|
||||
|
|
@ -1903,10 +1902,6 @@ ngx_http_grpc_process_header(ngx_http_request_t *r)
|
|||
h->lowcase_key = h->key.data;
|
||||
h->hash = ngx_hash_key(h->key.data, h->key.len);
|
||||
|
||||
if (u->headers_in.status_n == NGX_HTTP_EARLY_HINTS) {
|
||||
continue;
|
||||
}
|
||||
|
||||
hh = ngx_hash_find(&umcf->headers_in_hash, h->hash,
|
||||
h->lowcase_key, h->key.len);
|
||||
|
||||
|
|
@ -1928,17 +1923,6 @@ ngx_http_grpc_process_header(ngx_http_request_t *r)
|
|||
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
|
||||
"grpc header done");
|
||||
|
||||
if (u->headers_in.status_n == NGX_HTTP_EARLY_HINTS) {
|
||||
if (ctx->end_stream) {
|
||||
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
|
||||
"upstream prematurely closed stream");
|
||||
return NGX_HTTP_UPSTREAM_INVALID_HEADER;
|
||||
}
|
||||
|
||||
ctx->status = 0;
|
||||
return NGX_HTTP_UPSTREAM_EARLY_HINTS;
|
||||
}
|
||||
|
||||
if (ctx->end_stream) {
|
||||
u->headers_in.content_length_n = 0;
|
||||
|
||||
|
|
@ -4429,7 +4413,6 @@ ngx_http_grpc_create_loc_conf(ngx_conf_t *cf)
|
|||
conf->upstream.pass_request_body = 1;
|
||||
conf->upstream.force_ranges = 0;
|
||||
conf->upstream.pass_trailers = 1;
|
||||
conf->upstream.pass_early_hints = 1;
|
||||
conf->upstream.preserve_output = 1;
|
||||
|
||||
conf->headers_source = NGX_CONF_UNSET_PTR;
|
||||
|
|
@ -4526,13 +4509,8 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
prev->upstream.ssl_certificate_key, NULL);
|
||||
ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_cache,
|
||||
prev->upstream.ssl_certificate_cache, NULL);
|
||||
|
||||
if (ngx_http_upstream_merge_ssl_passwords(cf, &conf->upstream,
|
||||
&prev->upstream)
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords,
|
||||
prev->upstream.ssl_passwords, NULL);
|
||||
|
||||
ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
|
||||
prev->ssl_conf_commands, NULL);
|
||||
|
|
@ -5099,9 +5077,16 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (glcf->upstream.ssl_certificate->lengths == NULL
|
||||
&& glcf->upstream.ssl_certificate_key->lengths == NULL)
|
||||
if (glcf->upstream.ssl_certificate->lengths
|
||||
|| glcf->upstream.ssl_certificate_key->lengths)
|
||||
{
|
||||
glcf->upstream.ssl_passwords =
|
||||
ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords);
|
||||
if (glcf->upstream.ssl_passwords == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
} else {
|
||||
if (ngx_ssl_certificate(cf, glcf->upstream.ssl,
|
||||
&glcf->upstream.ssl_certificate->value,
|
||||
&glcf->upstream.ssl_certificate_key->value,
|
||||
|
|
|
|||
|
|
@ -304,7 +304,7 @@ ngx_http_gunzip_filter_inflate_start(ngx_http_request_t *r,
|
|||
{
|
||||
int rc;
|
||||
|
||||
ctx->zstream.next_in = NULL;
|
||||
ctx->zstream.next_in = Z_NULL;
|
||||
ctx->zstream.avail_in = 0;
|
||||
|
||||
ctx->zstream.zalloc = ngx_http_gunzip_filter_alloc;
|
||||
|
|
|
|||
|
|
@ -1115,7 +1115,7 @@ ngx_http_gzip_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
if (ngx_http_merge_types(cf, &conf->types_keys, &conf->types,
|
||||
&prev->types_keys, &prev->types,
|
||||
ngx_http_html_default_types)
|
||||
!= NGX_CONF_OK)
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -490,7 +490,7 @@ ngx_http_index_set_index(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
|||
if (value[i].len == 0) {
|
||||
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
||||
"index \"%V\" in \"index\" directive is invalid",
|
||||
&value[i]);
|
||||
&value[1]);
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1888,13 +1888,6 @@ ngx_http_proxy_process_status_line(ngx_http_request_t *r)
|
|||
u->headers_in.status_n, &u->headers_in.status_line);
|
||||
|
||||
if (ctx->status.http_version < NGX_HTTP_VERSION_11) {
|
||||
|
||||
if (ctx->status.code == NGX_HTTP_EARLY_HINTS) {
|
||||
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
|
||||
"upstream sent HTTP/1.0 response with early hints");
|
||||
return NGX_HTTP_UPSTREAM_INVALID_HEADER;
|
||||
}
|
||||
|
||||
u->headers_in.connection_close = 1;
|
||||
}
|
||||
|
||||
|
|
@ -1956,14 +1949,6 @@ ngx_http_proxy_process_header(ngx_http_request_t *r)
|
|||
ngx_strlow(h->lowcase_key, h->key.data, h->key.len);
|
||||
}
|
||||
|
||||
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
|
||||
"http proxy header: \"%V: %V\"",
|
||||
&h->key, &h->value);
|
||||
|
||||
if (r->upstream->headers_in.status_n == NGX_HTTP_EARLY_HINTS) {
|
||||
continue;
|
||||
}
|
||||
|
||||
hh = ngx_hash_find(&umcf->headers_in_hash, h->hash,
|
||||
h->lowcase_key, h->key.len);
|
||||
|
||||
|
|
@ -1975,6 +1960,10 @@ ngx_http_proxy_process_header(ngx_http_request_t *r)
|
|||
}
|
||||
}
|
||||
|
||||
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
|
||||
"http proxy header: \"%V: %V\"",
|
||||
&h->key, &h->value);
|
||||
|
||||
continue;
|
||||
}
|
||||
|
||||
|
|
@ -1985,20 +1974,6 @@ ngx_http_proxy_process_header(ngx_http_request_t *r)
|
|||
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
|
||||
"http proxy header done");
|
||||
|
||||
ctx = ngx_http_get_module_ctx(r, ngx_http_proxy_module);
|
||||
|
||||
if (r->upstream->headers_in.status_n == NGX_HTTP_EARLY_HINTS) {
|
||||
ctx->status.code = 0;
|
||||
ctx->status.count = 0;
|
||||
ctx->status.start = NULL;
|
||||
ctx->status.end = NULL;
|
||||
|
||||
r->upstream->process_header =
|
||||
ngx_http_proxy_process_status_line;
|
||||
r->state = 0;
|
||||
return NGX_HTTP_UPSTREAM_EARLY_HINTS;
|
||||
}
|
||||
|
||||
/*
|
||||
* if no "Server" and "Date" in header line,
|
||||
* then add the special empty headers
|
||||
|
|
@ -2046,6 +2021,8 @@ ngx_http_proxy_process_header(ngx_http_request_t *r)
|
|||
* connections alive in case of r->header_only or X-Accel-Redirect
|
||||
*/
|
||||
|
||||
ctx = ngx_http_get_module_ctx(r, ngx_http_proxy_module);
|
||||
|
||||
if (u->headers_in.status_n == NGX_HTTP_NO_CONTENT
|
||||
|| u->headers_in.status_n == NGX_HTTP_NOT_MODIFIED
|
||||
|| ctx->head
|
||||
|
|
@ -3651,10 +3628,10 @@ ngx_http_proxy_create_loc_conf(ngx_conf_t *cf)
|
|||
conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
|
||||
#endif
|
||||
|
||||
/* the hardcoded values */
|
||||
/* "proxy_cyclic_temp_file" is disabled */
|
||||
conf->upstream.cyclic_temp_file = 0;
|
||||
|
||||
conf->upstream.change_buffering = 1;
|
||||
conf->upstream.pass_early_hints = 1;
|
||||
|
||||
conf->headers_source = NGX_CONF_UNSET_PTR;
|
||||
|
||||
|
|
@ -3867,7 +3844,7 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
if (ngx_conf_merge_path_value(cf, &conf->upstream.temp_path,
|
||||
prev->upstream.temp_path,
|
||||
&ngx_http_proxy_temp_path)
|
||||
!= NGX_CONF_OK)
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
|
@ -3999,13 +3976,8 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
prev->upstream.ssl_certificate_key, NULL);
|
||||
ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_cache,
|
||||
prev->upstream.ssl_certificate_cache, NULL);
|
||||
|
||||
if (ngx_http_upstream_merge_ssl_passwords(cf, &conf->upstream,
|
||||
&prev->upstream)
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords,
|
||||
prev->upstream.ssl_passwords, NULL);
|
||||
|
||||
ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
|
||||
prev->ssl_conf_commands, NULL);
|
||||
|
|
@ -5365,9 +5337,16 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (plcf->upstream.ssl_certificate->lengths == NULL
|
||||
&& plcf->upstream.ssl_certificate_key->lengths == NULL)
|
||||
if (plcf->upstream.ssl_certificate->lengths
|
||||
|| plcf->upstream.ssl_certificate_key->lengths)
|
||||
{
|
||||
plcf->upstream.ssl_passwords =
|
||||
ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords);
|
||||
if (plcf->upstream.ssl_passwords == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
} else {
|
||||
if (ngx_ssl_certificate(cf, plcf->upstream.ssl,
|
||||
&plcf->upstream.ssl_certificate->value,
|
||||
&plcf->upstream.ssl_certificate_key->value,
|
||||
|
|
|
|||
|
|
@ -1543,7 +1543,7 @@ ngx_http_scgi_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
if (ngx_conf_merge_path_value(cf, &conf->upstream.temp_path,
|
||||
prev->upstream.temp_path,
|
||||
&ngx_http_scgi_temp_path)
|
||||
!= NGX_CONF_OK)
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -419,13 +419,13 @@ ngx_http_slice_range_variable(ngx_http_request_t *r,
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
ngx_http_set_ctx(r, ctx, ngx_http_slice_filter_module);
|
||||
|
||||
p = ngx_pnalloc(r->pool, sizeof("bytes=-") - 1 + 2 * NGX_OFF_T_LEN);
|
||||
if (p == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
ngx_http_set_ctx(r, ctx, ngx_http_slice_filter_module);
|
||||
|
||||
ctx->start = slcf->size * (ngx_http_slice_get_start(r) / slcf->size);
|
||||
|
||||
ctx->range.data = p;
|
||||
|
|
|
|||
|
|
@ -820,7 +820,7 @@ ngx_http_ssi_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
|
|||
}
|
||||
|
||||
for (prm = cmd->params; prm->name.len; prm++) {
|
||||
if (prm->mandatory && params[prm->index] == NULL) {
|
||||
if (prm->mandatory && params[prm->index] == 0) {
|
||||
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
|
||||
"mandatory \"%V\" parameter is absent "
|
||||
"in \"%V\" SSI command",
|
||||
|
|
@ -2942,7 +2942,7 @@ ngx_http_ssi_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
if (ngx_http_merge_types(cf, &conf->types_keys, &conf->types,
|
||||
&prev->types_keys, &prev->types,
|
||||
ngx_http_html_default_types)
|
||||
!= NGX_CONF_OK)
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -124,13 +124,6 @@ static ngx_command_t ngx_http_ssl_commands[] = {
|
|||
0,
|
||||
NULL },
|
||||
|
||||
{ ngx_string("ssl_certificate_compression"),
|
||||
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
||||
ngx_conf_set_flag_slot,
|
||||
NGX_HTTP_SRV_CONF_OFFSET,
|
||||
offsetof(ngx_http_ssl_srv_conf_t, certificate_compression),
|
||||
NULL },
|
||||
|
||||
{ ngx_string("ssl_dhparam"),
|
||||
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
||||
ngx_conf_set_str_slot,
|
||||
|
|
@ -628,7 +621,6 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
|
|||
*/
|
||||
|
||||
sscf->prefer_server_ciphers = NGX_CONF_UNSET;
|
||||
sscf->certificate_compression = NGX_CONF_UNSET;
|
||||
sscf->early_data = NGX_CONF_UNSET;
|
||||
sscf->reject_handshake = NGX_CONF_UNSET;
|
||||
sscf->buffer_size = NGX_CONF_UNSET_SIZE;
|
||||
|
|
@ -666,9 +658,6 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
ngx_conf_merge_value(conf->prefer_server_ciphers,
|
||||
prev->prefer_server_ciphers, 0);
|
||||
|
||||
ngx_conf_merge_value(conf->certificate_compression,
|
||||
prev->certificate_compression, 0);
|
||||
|
||||
ngx_conf_merge_value(conf->early_data, prev->early_data, 0);
|
||||
ngx_conf_merge_value(conf->reject_handshake, prev->reject_handshake, 0);
|
||||
|
||||
|
|
@ -749,10 +738,6 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
cln->data = &conf->ssl;
|
||||
|
||||
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
||||
{
|
||||
static ngx_ssl_client_hello_arg cb = { ngx_http_ssl_servername };
|
||||
|
||||
ngx_ssl_set_client_hello_callback(conf->ssl.ctx, &cb);
|
||||
|
||||
if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
|
||||
ngx_http_ssl_servername)
|
||||
|
|
@ -763,7 +748,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
"dynamically to an OpenSSL library which has no tlsext support, "
|
||||
"therefore SNI is not available");
|
||||
}
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
|
||||
|
|
@ -807,13 +792,6 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
{
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
if (ngx_ssl_certificate_compression(cf, &conf->ssl,
|
||||
conf->certificate_compression)
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
}
|
||||
|
||||
conf->ssl.buffer_size = conf->buffer_size;
|
||||
|
|
@ -910,19 +888,13 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
|
||||
if (conf->stapling) {
|
||||
|
||||
if (conf->certificate_compression) {
|
||||
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
||||
"\"ssl_stapling\" is incompatible with "
|
||||
"\"ssl_certificate_compression\"");
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
|
||||
&conf->stapling_responder, conf->stapling_verify)
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
if (ngx_ssl_early_data(cf, &conf->ssl, conf->early_data) != NGX_OK) {
|
||||
|
|
|
|||
|
|
@ -18,7 +18,6 @@ typedef struct {
|
|||
ngx_ssl_t ssl;
|
||||
|
||||
ngx_flag_t prefer_server_ciphers;
|
||||
ngx_flag_t certificate_compression;
|
||||
ngx_flag_t early_data;
|
||||
ngx_flag_t reject_handshake;
|
||||
|
||||
|
|
|
|||
|
|
@ -901,7 +901,7 @@ ngx_http_sub_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
if (ngx_http_merge_types(cf, &conf->types_keys, &conf->types,
|
||||
&prev->types_keys, &prev->types,
|
||||
ngx_http_html_default_types)
|
||||
!= NGX_CONF_OK)
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1803,7 +1803,7 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
if (ngx_conf_merge_path_value(cf, &conf->upstream.temp_path,
|
||||
prev->upstream.temp_path,
|
||||
&ngx_http_uwsgi_temp_path)
|
||||
!= NGX_CONF_OK)
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
|
@ -1933,13 +1933,8 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
prev->upstream.ssl_certificate_key, NULL);
|
||||
ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_cache,
|
||||
prev->upstream.ssl_certificate_cache, NULL);
|
||||
|
||||
if (ngx_http_upstream_merge_ssl_passwords(cf, &conf->upstream,
|
||||
&prev->upstream)
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords,
|
||||
prev->upstream.ssl_passwords, NULL);
|
||||
|
||||
ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
|
||||
prev->ssl_conf_commands, NULL);
|
||||
|
|
@ -2690,9 +2685,16 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (uwcf->upstream.ssl_certificate->lengths == NULL
|
||||
&& uwcf->upstream.ssl_certificate_key->lengths == NULL)
|
||||
if (uwcf->upstream.ssl_certificate->lengths
|
||||
|| uwcf->upstream.ssl_certificate_key->lengths)
|
||||
{
|
||||
uwcf->upstream.ssl_passwords =
|
||||
ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords);
|
||||
if (uwcf->upstream.ssl_passwords == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
} else {
|
||||
if (ngx_ssl_certificate(cf, uwcf->upstream.ssl,
|
||||
&uwcf->upstream.ssl_certificate->value,
|
||||
&uwcf->upstream.ssl_certificate_key->value,
|
||||
|
|
|
|||
|
|
@ -1112,7 +1112,7 @@ ngx_http_xslt_filter_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
if (ngx_http_merge_types(cf, &conf->types_keys, &conf->types,
|
||||
&prev->types_keys, &prev->types,
|
||||
ngx_http_xslt_default_types)
|
||||
!= NGX_CONF_OK)
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -72,7 +72,6 @@ ngx_uint_t ngx_http_max_module;
|
|||
|
||||
|
||||
ngx_http_output_header_filter_pt ngx_http_top_header_filter;
|
||||
ngx_http_output_header_filter_pt ngx_http_top_early_hints_filter;
|
||||
ngx_http_output_body_filter_pt ngx_http_top_body_filter;
|
||||
ngx_http_request_body_filter_pt ngx_http_top_request_body_filter;
|
||||
|
||||
|
|
|
|||
|
|
@ -122,6 +122,7 @@ ngx_int_t ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
|
|||
|
||||
ngx_http_request_t *ngx_http_create_request(ngx_connection_t *c);
|
||||
ngx_int_t ngx_http_process_request_uri(ngx_http_request_t *r);
|
||||
ngx_int_t ngx_http_process_request_header(ngx_http_request_t *r);
|
||||
void ngx_http_process_request(ngx_http_request_t *r);
|
||||
void ngx_http_update_location_config(ngx_http_request_t *r);
|
||||
void ngx_http_handler(ngx_http_request_t *r);
|
||||
|
|
@ -151,7 +152,6 @@ ngx_int_t ngx_http_read_client_request_body(ngx_http_request_t *r,
|
|||
ngx_int_t ngx_http_read_unbuffered_request_body(ngx_http_request_t *r);
|
||||
|
||||
ngx_int_t ngx_http_send_header(ngx_http_request_t *r);
|
||||
ngx_int_t ngx_http_send_early_hints(ngx_http_request_t *r);
|
||||
ngx_int_t ngx_http_special_response_handler(ngx_http_request_t *r,
|
||||
ngx_int_t error);
|
||||
ngx_int_t ngx_http_filter_finalize_request(ngx_http_request_t *r,
|
||||
|
|
@ -191,7 +191,6 @@ extern ngx_str_t ngx_http_html_default_types[];
|
|||
|
||||
|
||||
extern ngx_http_output_header_filter_pt ngx_http_top_header_filter;
|
||||
extern ngx_http_output_header_filter_pt ngx_http_top_early_hints_filter;
|
||||
extern ngx_http_output_body_filter_pt ngx_http_top_body_filter;
|
||||
extern ngx_http_request_body_filter_pt ngx_http_top_request_body_filter;
|
||||
|
||||
|
|
|
|||
|
|
@ -670,13 +670,6 @@ static ngx_command_t ngx_http_core_commands[] = {
|
|||
offsetof(ngx_http_core_loc_conf_t, etag),
|
||||
NULL },
|
||||
|
||||
{ ngx_string("early_hints"),
|
||||
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_1MORE,
|
||||
ngx_http_set_predicate_slot,
|
||||
NGX_HTTP_LOC_CONF_OFFSET,
|
||||
offsetof(ngx_http_core_loc_conf_t, early_hints),
|
||||
NULL },
|
||||
|
||||
{ ngx_string("error_page"),
|
||||
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
|
||||
|NGX_CONF_2MORE,
|
||||
|
|
@ -1864,37 +1857,6 @@ ngx_http_send_header(ngx_http_request_t *r)
|
|||
}
|
||||
|
||||
|
||||
ngx_int_t
|
||||
ngx_http_send_early_hints(ngx_http_request_t *r)
|
||||
{
|
||||
ngx_int_t rc;
|
||||
ngx_http_core_loc_conf_t *clcf;
|
||||
|
||||
if (r->post_action) {
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
if (r->header_sent) {
|
||||
ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0,
|
||||
"header already sent");
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
|
||||
|
||||
rc = ngx_http_test_predicates(r, clcf->early_hints);
|
||||
|
||||
if (rc != NGX_DECLINED) {
|
||||
return rc;
|
||||
}
|
||||
|
||||
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
|
||||
"http send early hints \"%V?%V\"", &r->uri, &r->args);
|
||||
|
||||
return ngx_http_top_early_hints_filter(r);
|
||||
}
|
||||
|
||||
|
||||
ngx_int_t
|
||||
ngx_http_output_filter(ngx_http_request_t *r, ngx_chain_t *in)
|
||||
{
|
||||
|
|
@ -2365,7 +2327,6 @@ ngx_http_subrequest(ngx_http_request_t *r,
|
|||
ngx_connection_t *c;
|
||||
ngx_http_request_t *sr;
|
||||
ngx_http_core_srv_conf_t *cscf;
|
||||
ngx_http_posted_request_t *posted;
|
||||
ngx_http_postponed_request_t *pr, *p;
|
||||
|
||||
if (r->subrequests == 0) {
|
||||
|
|
@ -2419,11 +2380,6 @@ ngx_http_subrequest(ngx_http_request_t *r,
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
posted = ngx_palloc(r->pool, sizeof(ngx_http_posted_request_t));
|
||||
if (posted == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
|
||||
sr->main_conf = cscf->ctx->main_conf;
|
||||
sr->srv_conf = cscf->ctx->srv_conf;
|
||||
|
|
@ -2482,6 +2438,10 @@ ngx_http_subrequest(ngx_http_request_t *r,
|
|||
}
|
||||
|
||||
if (!sr->background) {
|
||||
if (c->data == r && r->postponed == NULL) {
|
||||
c->data = sr;
|
||||
}
|
||||
|
||||
pr = ngx_palloc(r->pool, sizeof(ngx_http_postponed_request_t));
|
||||
if (pr == NULL) {
|
||||
return NGX_ERROR;
|
||||
|
|
@ -2491,10 +2451,6 @@ ngx_http_subrequest(ngx_http_request_t *r,
|
|||
pr->out = NULL;
|
||||
pr->next = NULL;
|
||||
|
||||
if (c->data == r && r->postponed == NULL) {
|
||||
c->data = sr;
|
||||
}
|
||||
|
||||
if (r->postponed) {
|
||||
for (p = r->postponed; p->next; p = p->next) { /* void */ }
|
||||
p->next = pr;
|
||||
|
|
@ -2542,7 +2498,7 @@ ngx_http_subrequest(ngx_http_request_t *r,
|
|||
ngx_http_update_location_config(sr);
|
||||
}
|
||||
|
||||
return ngx_http_post_request(sr, posted);
|
||||
return ngx_http_post_request(sr, NULL);
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -3675,7 +3631,6 @@ ngx_http_core_create_loc_conf(ngx_conf_t *cf)
|
|||
clcf->chunked_transfer_encoding = NGX_CONF_UNSET;
|
||||
clcf->etag = NGX_CONF_UNSET;
|
||||
clcf->server_tokens = NGX_CONF_UNSET_UINT;
|
||||
clcf->early_hints = NGX_CONF_UNSET_PTR;
|
||||
clcf->types_hash_max_size = NGX_CONF_UNSET_UINT;
|
||||
clcf->types_hash_bucket_size = NGX_CONF_UNSET_UINT;
|
||||
|
||||
|
|
@ -3931,7 +3886,7 @@ ngx_http_core_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
if (ngx_conf_merge_path_value(cf, &conf->client_body_temp_path,
|
||||
prev->client_body_temp_path,
|
||||
&ngx_http_client_temp_path)
|
||||
!= NGX_CONF_OK)
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
|
@ -3956,8 +3911,6 @@ ngx_http_core_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
ngx_conf_merge_uint_value(conf->server_tokens, prev->server_tokens,
|
||||
NGX_HTTP_SERVER_TOKENS_ON);
|
||||
|
||||
ngx_conf_merge_ptr_value(conf->early_hints, prev->early_hints, NULL);
|
||||
|
||||
ngx_conf_merge_ptr_value(conf->open_file_cache,
|
||||
prev->open_file_cache, NULL);
|
||||
|
||||
|
|
|
|||
|
|
@ -430,8 +430,6 @@ struct ngx_http_core_loc_conf_s {
|
|||
ngx_http_complex_value_t *disable_symlinks_from;
|
||||
#endif
|
||||
|
||||
ngx_array_t *early_hints; /* early_hints */
|
||||
|
||||
ngx_array_t *error_pages; /* error_page */
|
||||
|
||||
ngx_path_t *client_body_temp_path; /* client_body_temp_path */
|
||||
|
|
|
|||
|
|
@ -13,7 +13,6 @@
|
|||
|
||||
static ngx_int_t ngx_http_header_filter_init(ngx_conf_t *cf);
|
||||
static ngx_int_t ngx_http_header_filter(ngx_http_request_t *r);
|
||||
static ngx_int_t ngx_http_early_hints_filter(ngx_http_request_t *r);
|
||||
|
||||
|
||||
static ngx_http_module_t ngx_http_header_filter_module_ctx = {
|
||||
|
|
@ -51,9 +50,6 @@ static u_char ngx_http_server_string[] = "Server: nginx" CRLF;
|
|||
static u_char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
|
||||
static u_char ngx_http_server_build_string[] = "Server: " NGINX_VER_BUILD CRLF;
|
||||
|
||||
static ngx_str_t ngx_http_early_hints_status_line =
|
||||
ngx_string("HTTP/1.1 103 Early Hints" CRLF);
|
||||
|
||||
|
||||
static ngx_str_t ngx_http_status_lines[] = {
|
||||
|
||||
|
|
@ -629,113 +625,10 @@ ngx_http_header_filter(ngx_http_request_t *r)
|
|||
}
|
||||
|
||||
|
||||
static ngx_int_t
|
||||
ngx_http_early_hints_filter(ngx_http_request_t *r)
|
||||
{
|
||||
size_t len;
|
||||
ngx_buf_t *b;
|
||||
ngx_uint_t i;
|
||||
ngx_chain_t out;
|
||||
ngx_list_part_t *part;
|
||||
ngx_table_elt_t *header;
|
||||
|
||||
if (r != r->main) {
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
if (r->http_version < NGX_HTTP_VERSION_11) {
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
len = 0;
|
||||
|
||||
part = &r->headers_out.headers.part;
|
||||
header = part->elts;
|
||||
|
||||
for (i = 0; /* void */; i++) {
|
||||
|
||||
if (i >= part->nelts) {
|
||||
if (part->next == NULL) {
|
||||
break;
|
||||
}
|
||||
|
||||
part = part->next;
|
||||
header = part->elts;
|
||||
i = 0;
|
||||
}
|
||||
|
||||
if (header[i].hash == 0) {
|
||||
continue;
|
||||
}
|
||||
|
||||
len += header[i].key.len + sizeof(": ") - 1 + header[i].value.len
|
||||
+ sizeof(CRLF) - 1;
|
||||
}
|
||||
|
||||
if (len == 0) {
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
len += ngx_http_early_hints_status_line.len
|
||||
/* the end of the early hints */
|
||||
+ sizeof(CRLF) - 1;
|
||||
|
||||
b = ngx_create_temp_buf(r->pool, len);
|
||||
if (b == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
b->last = ngx_copy(b->last, ngx_http_early_hints_status_line.data,
|
||||
ngx_http_early_hints_status_line.len);
|
||||
|
||||
part = &r->headers_out.headers.part;
|
||||
header = part->elts;
|
||||
|
||||
for (i = 0; /* void */; i++) {
|
||||
|
||||
if (i >= part->nelts) {
|
||||
if (part->next == NULL) {
|
||||
break;
|
||||
}
|
||||
|
||||
part = part->next;
|
||||
header = part->elts;
|
||||
i = 0;
|
||||
}
|
||||
|
||||
if (header[i].hash == 0) {
|
||||
continue;
|
||||
}
|
||||
|
||||
b->last = ngx_copy(b->last, header[i].key.data, header[i].key.len);
|
||||
*b->last++ = ':'; *b->last++ = ' ';
|
||||
|
||||
b->last = ngx_copy(b->last, header[i].value.data, header[i].value.len);
|
||||
*b->last++ = CR; *b->last++ = LF;
|
||||
}
|
||||
|
||||
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
|
||||
"%*s", (size_t) (b->last - b->pos), b->pos);
|
||||
|
||||
/* the end of HTTP early hints */
|
||||
*b->last++ = CR; *b->last++ = LF;
|
||||
|
||||
r->header_size = b->last - b->pos;
|
||||
|
||||
b->flush = 1;
|
||||
|
||||
out.buf = b;
|
||||
out.next = NULL;
|
||||
|
||||
return ngx_http_write_filter(r, &out);
|
||||
}
|
||||
|
||||
|
||||
static ngx_int_t
|
||||
ngx_http_header_filter_init(ngx_conf_t *cf)
|
||||
{
|
||||
ngx_http_top_header_filter = ngx_http_header_filter;
|
||||
ngx_http_top_early_hints_filter = ngx_http_early_hints_filter;
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -29,7 +29,6 @@ static ngx_int_t ngx_http_process_connection(ngx_http_request_t *r,
|
|||
static ngx_int_t ngx_http_process_user_agent(ngx_http_request_t *r,
|
||||
ngx_table_elt_t *h, ngx_uint_t offset);
|
||||
|
||||
static ngx_int_t ngx_http_process_request_header(ngx_http_request_t *r);
|
||||
static ngx_int_t ngx_http_find_virtual_server(ngx_connection_t *c,
|
||||
ngx_http_virtual_names_t *virtual_names, ngx_str_t *host,
|
||||
ngx_http_request_t *r, ngx_http_core_srv_conf_t **cscfp);
|
||||
|
|
@ -891,46 +890,27 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
|
|||
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
}
|
||||
|
||||
if (c->ssl->sni_accepted) {
|
||||
return SSL_TLSEXT_ERR_OK;
|
||||
}
|
||||
|
||||
if (c->ssl->handshake_rejected) {
|
||||
*ad = SSL_AD_UNRECOGNIZED_NAME;
|
||||
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
}
|
||||
|
||||
hc = c->data;
|
||||
|
||||
if (arg != NULL) {
|
||||
host = *(ngx_str_t *) arg;
|
||||
servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
|
||||
|
||||
if (host.data == NULL) {
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
|
||||
"SSL server name: null");
|
||||
goto done;
|
||||
}
|
||||
|
||||
} else {
|
||||
servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
|
||||
|
||||
if (servername == NULL) {
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
|
||||
"SSL server name: null");
|
||||
goto done;
|
||||
}
|
||||
|
||||
host.len = ngx_strlen(servername);
|
||||
host.data = (u_char *) servername;
|
||||
if (servername == NULL) {
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
|
||||
"SSL server name: null");
|
||||
goto done;
|
||||
}
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
|
||||
"SSL server name: \"%V\"", &host);
|
||||
"SSL server name: \"%s\"", servername);
|
||||
|
||||
host.len = ngx_strlen(servername);
|
||||
|
||||
if (host.len == 0) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
host.data = (u_char *) servername;
|
||||
|
||||
rc = ngx_http_validate_host(&host, c->pool, 1);
|
||||
|
||||
if (rc == NGX_ERROR) {
|
||||
|
|
@ -952,6 +932,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
|
|||
goto done;
|
||||
}
|
||||
|
||||
sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
|
||||
|
||||
#if (defined TLS1_3_VERSION \
|
||||
&& !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
|
||||
|
||||
/*
|
||||
* SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
|
||||
* but servername being negotiated in every TLSv1.3 handshake
|
||||
* is only returned in OpenSSL 1.1.1+ as well
|
||||
*/
|
||||
|
||||
if (sscf->verify) {
|
||||
const char *hostname;
|
||||
|
||||
hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
|
||||
|
||||
if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
|
||||
c->ssl->handshake_rejected = 1;
|
||||
*ad = SSL_AD_ACCESS_DENIED;
|
||||
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
}
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
|
||||
if (hc->ssl_servername == NULL) {
|
||||
goto error;
|
||||
|
|
@ -965,8 +970,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
|
|||
|
||||
ngx_set_connection_log(c, clcf->error_log);
|
||||
|
||||
sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
|
||||
|
||||
c->ssl->buffer_size = sscf->buffer_size;
|
||||
|
||||
if (sscf->ssl.ctx) {
|
||||
|
|
@ -1015,7 +1018,6 @@ done:
|
|||
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
}
|
||||
|
||||
c->ssl->sni_accepted = 1;
|
||||
return SSL_TLSEXT_ERR_OK;
|
||||
|
||||
error:
|
||||
|
|
@ -1982,7 +1984,7 @@ ngx_http_process_user_agent(ngx_http_request_t *r, ngx_table_elt_t *h,
|
|||
}
|
||||
|
||||
|
||||
static ngx_int_t
|
||||
ngx_int_t
|
||||
ngx_http_process_request_header(ngx_http_request_t *r)
|
||||
{
|
||||
if (r->headers_in.server.len == 0
|
||||
|
|
|
|||
|
|
@ -74,7 +74,6 @@
|
|||
#define NGX_HTTP_CONTINUE 100
|
||||
#define NGX_HTTP_SWITCHING_PROTOCOLS 101
|
||||
#define NGX_HTTP_PROCESSING 102
|
||||
#define NGX_HTTP_EARLY_HINTS 103
|
||||
|
||||
#define NGX_HTTP_OK 200
|
||||
#define NGX_HTTP_CREATED 201
|
||||
|
|
|
|||
|
|
@ -48,9 +48,6 @@ static void ngx_http_upstream_send_request_handler(ngx_http_request_t *r,
|
|||
static void ngx_http_upstream_read_request_handler(ngx_http_request_t *r);
|
||||
static void ngx_http_upstream_process_header(ngx_http_request_t *r,
|
||||
ngx_http_upstream_t *u);
|
||||
static ngx_int_t ngx_http_upstream_process_early_hints(ngx_http_request_t *r,
|
||||
ngx_http_upstream_t *u);
|
||||
static void ngx_http_upstream_early_hints_writer(ngx_http_request_t *r);
|
||||
static ngx_int_t ngx_http_upstream_test_next(ngx_http_request_t *r,
|
||||
ngx_http_upstream_t *u);
|
||||
static ngx_int_t ngx_http_upstream_intercept_errors(ngx_http_request_t *r,
|
||||
|
|
@ -116,10 +113,6 @@ static ngx_int_t ngx_http_upstream_process_set_cookie(ngx_http_request_t *r,
|
|||
static ngx_int_t
|
||||
ngx_http_upstream_process_cache_control(ngx_http_request_t *r,
|
||||
ngx_table_elt_t *h, ngx_uint_t offset);
|
||||
#if (NGX_HTTP_CACHE)
|
||||
static ngx_int_t ngx_http_upstream_process_delta_seconds(u_char *p,
|
||||
u_char *last);
|
||||
#endif
|
||||
static ngx_int_t ngx_http_upstream_ignore_header_line(ngx_http_request_t *r,
|
||||
ngx_table_elt_t *h, ngx_uint_t offset);
|
||||
static ngx_int_t ngx_http_upstream_process_expires(ngx_http_request_t *r,
|
||||
|
|
@ -1127,7 +1120,7 @@ ngx_http_upstream_cache_send(ngx_http_request_t *r, ngx_http_upstream_t *u)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (rc == NGX_AGAIN || rc == NGX_HTTP_UPSTREAM_EARLY_HINTS) {
|
||||
if (rc == NGX_AGAIN) {
|
||||
rc = NGX_HTTP_UPSTREAM_INVALID_HEADER;
|
||||
}
|
||||
|
||||
|
|
@ -2537,18 +2530,6 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u)
|
|||
continue;
|
||||
}
|
||||
|
||||
if (rc == NGX_HTTP_UPSTREAM_EARLY_HINTS) {
|
||||
rc = ngx_http_upstream_process_early_hints(r, u);
|
||||
|
||||
if (rc == NGX_OK) {
|
||||
rc = u->process_header(r);
|
||||
|
||||
if (rc == NGX_AGAIN) {
|
||||
continue;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
|
|
@ -2586,148 +2567,6 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u)
|
|||
}
|
||||
|
||||
|
||||
static ngx_int_t
|
||||
ngx_http_upstream_process_early_hints(ngx_http_request_t *r,
|
||||
ngx_http_upstream_t *u)
|
||||
{
|
||||
u_char *p;
|
||||
ngx_uint_t i;
|
||||
ngx_list_part_t *part;
|
||||
ngx_table_elt_t *h, *ho;
|
||||
ngx_connection_t *c;
|
||||
|
||||
c = r->connection;
|
||||
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http upstream early hints");
|
||||
|
||||
if (u->conf->pass_early_hints) {
|
||||
|
||||
u->early_hints_length += u->buffer.pos - u->buffer.start;
|
||||
|
||||
if (u->early_hints_length <= (off_t) u->conf->buffer_size) {
|
||||
|
||||
part = &u->headers_in.headers.part;
|
||||
h = part->elts;
|
||||
|
||||
for (i = 0; /* void */; i++) {
|
||||
|
||||
if (i >= part->nelts) {
|
||||
if (part->next == NULL) {
|
||||
break;
|
||||
}
|
||||
|
||||
part = part->next;
|
||||
h = part->elts;
|
||||
i = 0;
|
||||
}
|
||||
|
||||
if (ngx_hash_find(&u->conf->hide_headers_hash, h[i].hash,
|
||||
h[i].lowcase_key, h[i].key.len))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
ho = ngx_list_push(&r->headers_out.headers);
|
||||
if (ho == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
*ho = h[i];
|
||||
}
|
||||
|
||||
if (ngx_http_send_early_hints(r) == NGX_ERROR) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (c->buffered) {
|
||||
if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
r->write_event_handler = ngx_http_upstream_early_hints_writer;
|
||||
}
|
||||
|
||||
} else {
|
||||
ngx_log_error(NGX_LOG_INFO, c->log, 0,
|
||||
"upstream sent too big early hints");
|
||||
}
|
||||
}
|
||||
|
||||
ngx_http_clean_header(r);
|
||||
|
||||
ngx_memzero(&u->headers_in, sizeof(ngx_http_upstream_headers_in_t));
|
||||
u->headers_in.content_length_n = -1;
|
||||
u->headers_in.last_modified_time = -1;
|
||||
|
||||
if (ngx_list_init(&u->headers_in.headers, r->pool, 8,
|
||||
sizeof(ngx_table_elt_t))
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (ngx_list_init(&u->headers_in.trailers, r->pool, 2,
|
||||
sizeof(ngx_table_elt_t))
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
p = u->buffer.pos;
|
||||
|
||||
u->buffer.pos = u->buffer.start;
|
||||
|
||||
#if (NGX_HTTP_CACHE)
|
||||
|
||||
if (r->cache) {
|
||||
u->buffer.pos += r->cache->header_start;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
u->buffer.last = ngx_movemem(u->buffer.pos, p, u->buffer.last - p);
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
|
||||
static void
|
||||
ngx_http_upstream_early_hints_writer(ngx_http_request_t *r)
|
||||
{
|
||||
ngx_connection_t *c;
|
||||
ngx_http_upstream_t *u;
|
||||
|
||||
c = r->connection;
|
||||
u = r->upstream;
|
||||
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
|
||||
"http upstream early hints writer");
|
||||
|
||||
c->log->action = "sending early hints to client";
|
||||
|
||||
if (ngx_http_write_filter(r, NULL) == NGX_ERROR) {
|
||||
ngx_http_upstream_finalize_request(r, u,
|
||||
NGX_HTTP_INTERNAL_SERVER_ERROR);
|
||||
return;
|
||||
}
|
||||
|
||||
if (!c->buffered) {
|
||||
if (!u->store && !r->post_action && !u->conf->ignore_client_abort) {
|
||||
r->write_event_handler =
|
||||
ngx_http_upstream_wr_check_broken_connection;
|
||||
|
||||
} else {
|
||||
r->write_event_handler = ngx_http_request_empty_handler;
|
||||
}
|
||||
}
|
||||
|
||||
if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
|
||||
ngx_http_upstream_finalize_request(r, u,
|
||||
NGX_HTTP_INTERNAL_SERVER_ERROR);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
static ngx_int_t
|
||||
ngx_http_upstream_test_next(ngx_http_request_t *r, ngx_http_upstream_t *u)
|
||||
{
|
||||
|
|
@ -5070,9 +4909,18 @@ ngx_http_upstream_process_cache_control(ngx_http_request_t *r,
|
|||
}
|
||||
|
||||
if (p) {
|
||||
n = ngx_http_upstream_process_delta_seconds(p + offset, last);
|
||||
n = 0;
|
||||
|
||||
for (p += offset; p < last; p++) {
|
||||
if (*p == ',' || *p == ';' || *p == ' ') {
|
||||
break;
|
||||
}
|
||||
|
||||
if (*p >= '0' && *p <= '9') {
|
||||
n = n * 10 + (*p - '0');
|
||||
continue;
|
||||
}
|
||||
|
||||
if (n == NGX_ERROR) {
|
||||
u->cacheable = 0;
|
||||
return NGX_OK;
|
||||
}
|
||||
|
|
@ -5082,8 +4930,7 @@ ngx_http_upstream_process_cache_control(ngx_http_request_t *r,
|
|||
return NGX_OK;
|
||||
}
|
||||
|
||||
r->cache->valid_sec = ngx_min((ngx_uint_t) ngx_time() + n,
|
||||
NGX_MAX_INT_T_VALUE);
|
||||
r->cache->valid_sec = ngx_time() + n;
|
||||
u->headers_in.expired = 0;
|
||||
}
|
||||
|
||||
|
|
@ -5093,9 +4940,18 @@ extensions:
|
|||
23 - 1);
|
||||
|
||||
if (p) {
|
||||
n = ngx_http_upstream_process_delta_seconds(p + 23, last);
|
||||
n = 0;
|
||||
|
||||
for (p += 23; p < last; p++) {
|
||||
if (*p == ',' || *p == ';' || *p == ' ') {
|
||||
break;
|
||||
}
|
||||
|
||||
if (*p >= '0' && *p <= '9') {
|
||||
n = n * 10 + (*p - '0');
|
||||
continue;
|
||||
}
|
||||
|
||||
if (n == NGX_ERROR) {
|
||||
u->cacheable = 0;
|
||||
return NGX_OK;
|
||||
}
|
||||
|
|
@ -5107,9 +4963,18 @@ extensions:
|
|||
p = ngx_strlcasestrn(start, last, (u_char *) "stale-if-error=", 15 - 1);
|
||||
|
||||
if (p) {
|
||||
n = ngx_http_upstream_process_delta_seconds(p + 15, last);
|
||||
n = 0;
|
||||
|
||||
for (p += 15; p < last; p++) {
|
||||
if (*p == ',' || *p == ';' || *p == ' ') {
|
||||
break;
|
||||
}
|
||||
|
||||
if (*p >= '0' && *p <= '9') {
|
||||
n = n * 10 + (*p - '0');
|
||||
continue;
|
||||
}
|
||||
|
||||
if (n == NGX_ERROR) {
|
||||
u->cacheable = 0;
|
||||
return NGX_OK;
|
||||
}
|
||||
|
|
@ -5123,41 +4988,6 @@ extensions:
|
|||
}
|
||||
|
||||
|
||||
#if (NGX_HTTP_CACHE)
|
||||
|
||||
static ngx_int_t
|
||||
ngx_http_upstream_process_delta_seconds(u_char *p, u_char *last)
|
||||
{
|
||||
ngx_int_t n, cutoff, cutlim;
|
||||
|
||||
cutoff = NGX_MAX_INT_T_VALUE / 10;
|
||||
cutlim = NGX_MAX_INT_T_VALUE % 10;
|
||||
|
||||
n = 0;
|
||||
|
||||
for ( /* void */ ; p < last; p++) {
|
||||
if (*p == ',' || *p == ';' || *p == ' ') {
|
||||
break;
|
||||
}
|
||||
|
||||
if (*p < '0' || *p > '9') {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (n >= cutoff && (n > cutoff || *p - '0' > cutlim)) {
|
||||
n = NGX_MAX_INT_T_VALUE;
|
||||
break;
|
||||
}
|
||||
|
||||
n = n * 10 + (*p - '0');
|
||||
}
|
||||
|
||||
return n;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
|
||||
static ngx_int_t
|
||||
ngx_http_upstream_process_expires(ngx_http_request_t *r, ngx_table_elt_t *h,
|
||||
ngx_uint_t offset)
|
||||
|
|
@ -7091,61 +6921,6 @@ ngx_http_upstream_hide_headers_hash(ngx_conf_t *cf,
|
|||
}
|
||||
|
||||
|
||||
#if (NGX_HTTP_SSL)
|
||||
|
||||
ngx_int_t
|
||||
ngx_http_upstream_merge_ssl_passwords(ngx_conf_t *cf,
|
||||
ngx_http_upstream_conf_t *conf, ngx_http_upstream_conf_t *prev)
|
||||
{
|
||||
ngx_uint_t preserve;
|
||||
|
||||
ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
|
||||
|
||||
if (conf->ssl_certificate == NULL
|
||||
|| conf->ssl_certificate->value.len == 0
|
||||
|| conf->ssl_certificate_key == NULL)
|
||||
{
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
if (conf->ssl_certificate->lengths == NULL
|
||||
&& conf->ssl_certificate_key->lengths == NULL)
|
||||
{
|
||||
if (conf->ssl_passwords && conf->ssl_passwords->pool == NULL) {
|
||||
/* un-preserve empty password list */
|
||||
conf->ssl_passwords = NULL;
|
||||
}
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
if (conf->ssl_passwords && conf->ssl_passwords->pool != cf->temp_pool) {
|
||||
/* already preserved */
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
preserve = (conf->ssl_passwords == prev->ssl_passwords) ? 1 : 0;
|
||||
|
||||
conf->ssl_passwords = ngx_ssl_preserve_passwords(cf, conf->ssl_passwords);
|
||||
if (conf->ssl_passwords == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
/*
|
||||
* special handling to keep a preserved ssl_passwords copy
|
||||
* in the previous configuration to inherit it to all children
|
||||
*/
|
||||
|
||||
if (preserve) {
|
||||
prev->ssl_passwords = conf->ssl_passwords;
|
||||
}
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
|
||||
static void *
|
||||
ngx_http_upstream_create_main_conf(ngx_conf_t *cf)
|
||||
{
|
||||
|
|
|
|||
|
|
@ -43,7 +43,6 @@
|
|||
|NGX_HTTP_UPSTREAM_FT_HTTP_429)
|
||||
|
||||
#define NGX_HTTP_UPSTREAM_INVALID_HEADER 40
|
||||
#define NGX_HTTP_UPSTREAM_EARLY_HINTS 41
|
||||
|
||||
|
||||
#define NGX_HTTP_UPSTREAM_IGN_XA_REDIRECT 0x00000002
|
||||
|
|
@ -186,7 +185,6 @@ typedef struct {
|
|||
ngx_flag_t pass_request_headers;
|
||||
ngx_flag_t pass_request_body;
|
||||
ngx_flag_t pass_trailers;
|
||||
ngx_flag_t pass_early_hints;
|
||||
|
||||
ngx_flag_t ignore_client_abort;
|
||||
ngx_flag_t intercept_errors;
|
||||
|
|
@ -356,7 +354,6 @@ struct ngx_http_upstream_s {
|
|||
|
||||
ngx_buf_t buffer;
|
||||
off_t length;
|
||||
off_t early_hints_length;
|
||||
|
||||
ngx_chain_t *out_bufs;
|
||||
ngx_chain_t *busy_bufs;
|
||||
|
|
@ -440,10 +437,6 @@ char *ngx_http_upstream_param_set_slot(ngx_conf_t *cf, ngx_command_t *cmd,
|
|||
ngx_int_t ngx_http_upstream_hide_headers_hash(ngx_conf_t *cf,
|
||||
ngx_http_upstream_conf_t *conf, ngx_http_upstream_conf_t *prev,
|
||||
ngx_str_t *default_hide_headers, ngx_hash_init_t *hash);
|
||||
#if (NGX_HTTP_SSL)
|
||||
ngx_int_t ngx_http_upstream_merge_ssl_passwords(ngx_conf_t *cf,
|
||||
ngx_http_upstream_conf_t *conf, ngx_http_upstream_conf_t *prev);
|
||||
#endif
|
||||
|
||||
|
||||
#define ngx_http_conf_upstream_srv_conf(uscf, module) \
|
||||
|
|
|
|||
|
|
@ -878,6 +878,7 @@ ngx_http_upstream_set_round_robin_peer_session(ngx_peer_connection_t *pc,
|
|||
int len;
|
||||
const u_char *p;
|
||||
ngx_http_upstream_rr_peers_t *peers;
|
||||
u_char buf[NGX_SSL_MAX_SESSION_SIZE];
|
||||
#endif
|
||||
|
||||
peer = rrp->current;
|
||||
|
|
@ -897,12 +898,12 @@ ngx_http_upstream_set_round_robin_peer_session(ngx_peer_connection_t *pc,
|
|||
|
||||
len = peer->ssl_session_len;
|
||||
|
||||
ngx_memcpy(ngx_ssl_session_buffer, peer->ssl_session, len);
|
||||
ngx_memcpy(buf, peer->ssl_session, len);
|
||||
|
||||
ngx_http_upstream_rr_peer_unlock(peers, peer);
|
||||
ngx_http_upstream_rr_peers_unlock(peers);
|
||||
|
||||
p = ngx_ssl_session_buffer;
|
||||
p = buf;
|
||||
ssl_session = d2i_SSL_SESSION(NULL, &p, len);
|
||||
|
||||
rc = ngx_ssl_set_session(pc->connection, ssl_session);
|
||||
|
|
@ -939,6 +940,7 @@ ngx_http_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
|
|||
int len;
|
||||
u_char *p;
|
||||
ngx_http_upstream_rr_peers_t *peers;
|
||||
u_char buf[NGX_SSL_MAX_SESSION_SIZE];
|
||||
#endif
|
||||
|
||||
#if (NGX_HTTP_UPSTREAM_ZONE)
|
||||
|
|
@ -952,10 +954,10 @@ ngx_http_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
|
|||
return;
|
||||
}
|
||||
|
||||
len = i2d_SSL_SESSION(ssl_session, NULL);
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pc->log, 0,
|
||||
"save session: %p", ssl_session);
|
||||
|
||||
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, pc->log, 0,
|
||||
"save session: %p:%d", ssl_session, len);
|
||||
len = i2d_SSL_SESSION(ssl_session, NULL);
|
||||
|
||||
/* do not cache too big session */
|
||||
|
||||
|
|
@ -963,7 +965,7 @@ ngx_http_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
|
|||
return;
|
||||
}
|
||||
|
||||
p = ngx_ssl_session_buffer;
|
||||
p = buf;
|
||||
(void) i2d_SSL_SESSION(ssl_session, &p);
|
||||
|
||||
peer = rrp->current;
|
||||
|
|
@ -993,7 +995,7 @@ ngx_http_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
|
|||
peer->ssl_session_len = len;
|
||||
}
|
||||
|
||||
ngx_memcpy(peer->ssl_session, ngx_ssl_session_buffer, len);
|
||||
ngx_memcpy(peer->ssl_session, buf, len);
|
||||
|
||||
ngx_http_upstream_rr_peer_unlock(peers, peer);
|
||||
ngx_http_upstream_rr_peers_unlock(peers);
|
||||
|
|
@ -1021,6 +1023,8 @@ ngx_http_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
|
|||
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pc->log, 0,
|
||||
"old session: %p", old_ssl_session);
|
||||
|
||||
/* TODO: may block */
|
||||
|
||||
ngx_ssl_free_session(old_ssl_session);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -158,7 +158,6 @@ static ngx_int_t ngx_http_v2_construct_request_line(ngx_http_request_t *r);
|
|||
static ngx_int_t ngx_http_v2_cookie(ngx_http_request_t *r,
|
||||
ngx_http_v2_header_t *header);
|
||||
static ngx_int_t ngx_http_v2_construct_cookie_header(ngx_http_request_t *r);
|
||||
static ngx_int_t ngx_http_v2_construct_host_header(ngx_http_request_t *r);
|
||||
static void ngx_http_v2_run_request(ngx_http_request_t *r);
|
||||
static ngx_int_t ngx_http_v2_process_request_body(ngx_http_request_t *r,
|
||||
u_char *pos, size_t size, ngx_uint_t last, ngx_uint_t flush);
|
||||
|
|
@ -3518,40 +3517,44 @@ ngx_http_v2_parse_scheme(ngx_http_request_t *r, ngx_str_t *value)
|
|||
static ngx_int_t
|
||||
ngx_http_v2_parse_authority(ngx_http_request_t *r, ngx_str_t *value)
|
||||
{
|
||||
ngx_int_t rc;
|
||||
ngx_table_elt_t *h;
|
||||
ngx_http_header_t *hh;
|
||||
ngx_http_core_main_conf_t *cmcf;
|
||||
|
||||
if (r->host_start) {
|
||||
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
|
||||
"client sent duplicate \":authority\" header");
|
||||
return NGX_DECLINED;
|
||||
static ngx_str_t host = ngx_string("host");
|
||||
|
||||
h = ngx_list_push(&r->headers_in.headers);
|
||||
if (h == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
r->host_start = value->data;
|
||||
r->host_end = value->data + value->len;
|
||||
h->hash = ngx_hash(ngx_hash(ngx_hash('h', 'o'), 's'), 't');
|
||||
|
||||
rc = ngx_http_validate_host(value, r->pool, 0);
|
||||
h->key.len = host.len;
|
||||
h->key.data = host.data;
|
||||
|
||||
if (rc == NGX_DECLINED) {
|
||||
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
|
||||
"client sent invalid \":authority\" header");
|
||||
return NGX_DECLINED;
|
||||
h->value.len = value->len;
|
||||
h->value.data = value->data;
|
||||
|
||||
h->lowcase_key = host.data;
|
||||
|
||||
cmcf = ngx_http_get_module_main_conf(r, ngx_http_core_module);
|
||||
|
||||
hh = ngx_hash_find(&cmcf->headers_in_hash, h->hash,
|
||||
h->lowcase_key, h->key.len);
|
||||
|
||||
if (hh == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (rc == NGX_ERROR) {
|
||||
ngx_http_v2_close_stream(r->stream, NGX_HTTP_INTERNAL_SERVER_ERROR);
|
||||
return NGX_ABORT;
|
||||
}
|
||||
|
||||
if (ngx_http_set_virtual_server(r, value) == NGX_ERROR) {
|
||||
if (hh->handler(r, h, hh->offset) != NGX_OK) {
|
||||
/*
|
||||
* request has been finalized already
|
||||
* in ngx_http_set_virtual_server()
|
||||
* in ngx_http_process_host()
|
||||
*/
|
||||
return NGX_ABORT;
|
||||
}
|
||||
|
||||
r->headers_in.server = *value;
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
|
|
@ -3722,54 +3725,7 @@ ngx_http_v2_construct_cookie_header(ngx_http_request_t *r)
|
|||
if (hh->handler(r, h, hh->offset) != NGX_OK) {
|
||||
/*
|
||||
* request has been finalized already
|
||||
* in ngx_http_process_header_line()
|
||||
*/
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
|
||||
static ngx_int_t
|
||||
ngx_http_v2_construct_host_header(ngx_http_request_t *r)
|
||||
{
|
||||
ngx_table_elt_t *h;
|
||||
ngx_http_header_t *hh;
|
||||
ngx_http_core_main_conf_t *cmcf;
|
||||
|
||||
static ngx_str_t host = ngx_string("host");
|
||||
|
||||
h = ngx_list_push(&r->headers_in.headers);
|
||||
if (h == NULL) {
|
||||
ngx_http_v2_close_stream(r->stream, NGX_HTTP_INTERNAL_SERVER_ERROR);
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
h->hash = ngx_hash(ngx_hash(ngx_hash('h', 'o'), 's'), 't');
|
||||
|
||||
h->key.len = host.len;
|
||||
h->key.data = host.data;
|
||||
|
||||
h->value.len = r->host_end - r->host_start;
|
||||
h->value.data = r->host_start;
|
||||
|
||||
h->lowcase_key = host.data;
|
||||
|
||||
cmcf = ngx_http_get_module_main_conf(r, ngx_http_core_module);
|
||||
|
||||
hh = ngx_hash_find(&cmcf->headers_in_hash, h->hash,
|
||||
h->lowcase_key, h->key.len);
|
||||
|
||||
if (hh == NULL) {
|
||||
ngx_http_v2_close_stream(r->stream, NGX_HTTP_INTERNAL_SERVER_ERROR);
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (hh->handler(r, h, hh->offset) != NGX_OK) {
|
||||
/*
|
||||
* request has been finalized already
|
||||
* in ngx_http_process_host()
|
||||
* in ngx_http_process_multi_header_lines()
|
||||
*/
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
|
@ -3781,7 +3737,6 @@ ngx_http_v2_construct_host_header(ngx_http_request_t *r)
|
|||
static void
|
||||
ngx_http_v2_run_request(ngx_http_request_t *r)
|
||||
{
|
||||
ngx_str_t host;
|
||||
ngx_connection_t *fc;
|
||||
ngx_http_v2_srv_conf_t *h2scf;
|
||||
ngx_http_v2_connection_t *h2c;
|
||||
|
|
@ -3809,78 +3764,24 @@ ngx_http_v2_run_request(ngx_http_request_t *r)
|
|||
|
||||
r->http_state = NGX_HTTP_PROCESS_REQUEST_STATE;
|
||||
|
||||
if (r->headers_in.server.len == 0) {
|
||||
ngx_log_error(NGX_LOG_INFO, fc->log, 0,
|
||||
"client sent neither \":authority\" nor \"Host\" header");
|
||||
if (ngx_http_process_request_header(r) != NGX_OK) {
|
||||
goto failed;
|
||||
}
|
||||
|
||||
if (r->headers_in.content_length_n > 0 && r->stream->in_closed) {
|
||||
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
|
||||
"client prematurely closed stream");
|
||||
|
||||
r->stream->skip_data = 1;
|
||||
|
||||
ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
|
||||
goto failed;
|
||||
}
|
||||
|
||||
if (r->host_end) {
|
||||
|
||||
host.len = r->host_end - r->host_start;
|
||||
host.data = r->host_start;
|
||||
|
||||
if (r->headers_in.host) {
|
||||
if (r->headers_in.host->value.len != host.len
|
||||
|| ngx_memcmp(r->headers_in.host->value.data, host.data,
|
||||
host.len)
|
||||
!= 0)
|
||||
{
|
||||
ngx_log_error(NGX_LOG_INFO, fc->log, 0,
|
||||
"client sent \":authority\" and \"Host\" headers "
|
||||
"with different values");
|
||||
ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
|
||||
goto failed;
|
||||
}
|
||||
|
||||
} else {
|
||||
/* compatibility for $http_host */
|
||||
|
||||
if (ngx_http_v2_construct_host_header(r) != NGX_OK) {
|
||||
goto failed;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (r->headers_in.content_length) {
|
||||
r->headers_in.content_length_n =
|
||||
ngx_atoof(r->headers_in.content_length->value.data,
|
||||
r->headers_in.content_length->value.len);
|
||||
|
||||
if (r->headers_in.content_length_n == NGX_ERROR) {
|
||||
ngx_log_error(NGX_LOG_INFO, fc->log, 0,
|
||||
"client sent invalid \"Content-Length\" header");
|
||||
ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
|
||||
goto failed;
|
||||
}
|
||||
|
||||
if (r->headers_in.content_length_n > 0 && r->stream->in_closed) {
|
||||
ngx_log_error(NGX_LOG_INFO, fc->log, 0,
|
||||
"client prematurely closed stream");
|
||||
|
||||
r->stream->skip_data = 1;
|
||||
|
||||
ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
|
||||
goto failed;
|
||||
}
|
||||
|
||||
} else if (!r->stream->in_closed) {
|
||||
if (r->headers_in.content_length_n == -1 && !r->stream->in_closed) {
|
||||
r->headers_in.chunked = 1;
|
||||
}
|
||||
|
||||
if (r->method == NGX_HTTP_CONNECT) {
|
||||
ngx_log_error(NGX_LOG_INFO, fc->log, 0, "client sent CONNECT method");
|
||||
ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED);
|
||||
goto failed;
|
||||
}
|
||||
|
||||
if (r->method == NGX_HTTP_TRACE) {
|
||||
ngx_log_error(NGX_LOG_INFO, fc->log, 0, "client sent TRACE method");
|
||||
ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED);
|
||||
goto failed;
|
||||
}
|
||||
|
||||
h2c = r->stream->connection;
|
||||
|
||||
h2c->payload_bytes += r->request_length;
|
||||
|
|
|
|||
|
|
@ -213,7 +213,6 @@ struct ngx_http_v2_stream_s {
|
|||
|
||||
ngx_pool_t *pool;
|
||||
|
||||
unsigned initialized:1;
|
||||
unsigned waiting:1;
|
||||
unsigned blocked:1;
|
||||
unsigned exhausted:1;
|
||||
|
|
|
|||
|
|
@ -27,13 +27,8 @@
|
|||
#define NGX_HTTP_V2_NO_TRAILERS (ngx_http_v2_out_frame_t *) -1
|
||||
|
||||
|
||||
static ngx_int_t ngx_http_v2_header_filter(ngx_http_request_t *r);
|
||||
static ngx_int_t ngx_http_v2_early_hints_filter(ngx_http_request_t *r);
|
||||
static ngx_int_t ngx_http_v2_init_stream(ngx_http_request_t *r);
|
||||
|
||||
static ngx_http_v2_out_frame_t *ngx_http_v2_create_headers_frame(
|
||||
ngx_http_request_t *r, u_char *pos, u_char *end, ngx_uint_t fin,
|
||||
ngx_uint_t flush);
|
||||
ngx_http_request_t *r, u_char *pos, u_char *end, ngx_uint_t fin);
|
||||
static ngx_http_v2_out_frame_t *ngx_http_v2_create_trailers_frame(
|
||||
ngx_http_request_t *r);
|
||||
|
||||
|
|
@ -100,7 +95,6 @@ ngx_module_t ngx_http_v2_filter_module = {
|
|||
|
||||
|
||||
static ngx_http_output_header_filter_pt ngx_http_next_header_filter;
|
||||
static ngx_http_output_header_filter_pt ngx_http_next_early_hints_filter;
|
||||
|
||||
|
||||
static ngx_int_t
|
||||
|
|
@ -113,6 +107,7 @@ ngx_http_v2_header_filter(ngx_http_request_t *r)
|
|||
ngx_list_part_t *part;
|
||||
ngx_table_elt_t *header;
|
||||
ngx_connection_t *fc;
|
||||
ngx_http_cleanup_t *cln;
|
||||
ngx_http_v2_stream_t *stream;
|
||||
ngx_http_v2_out_frame_t *frame;
|
||||
ngx_http_v2_connection_t *h2c;
|
||||
|
|
@ -120,11 +115,10 @@ ngx_http_v2_header_filter(ngx_http_request_t *r)
|
|||
ngx_http_core_srv_conf_t *cscf;
|
||||
u_char addr[NGX_SOCKADDR_STRLEN];
|
||||
|
||||
static const u_char nginx[5] = { 0x84, 0xaa, 0x63, 0x55, 0xe7 };
|
||||
static const u_char nginx[5] = "\x84\xaa\x63\x55\xe7";
|
||||
#if (NGX_HTTP_GZIP)
|
||||
static const u_char accept_encoding[12] = {
|
||||
0x8b, 0x84, 0x84, 0x2d, 0x69, 0x5b, 0x05, 0x44, 0x3c, 0x86, 0xaa, 0x6f
|
||||
};
|
||||
static const u_char accept_encoding[12] =
|
||||
"\x8b\x84\x84\x2d\x69\x5b\x05\x44\x3c\x86\xaa\x6f";
|
||||
#endif
|
||||
|
||||
static size_t nginx_ver_len = ngx_http_v2_literal_size(NGINX_VER);
|
||||
|
|
@ -610,203 +604,14 @@ ngx_http_v2_header_filter(ngx_http_request_t *r)
|
|||
fin = r->header_only
|
||||
|| (r->headers_out.content_length_n == 0 && !r->expect_trailers);
|
||||
|
||||
frame = ngx_http_v2_create_headers_frame(r, start, pos, fin, 0);
|
||||
frame = ngx_http_v2_create_headers_frame(r, start, pos, fin);
|
||||
if (frame == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
ngx_http_v2_queue_blocked_frame(h2c, frame);
|
||||
|
||||
stream->queued++;
|
||||
|
||||
if (ngx_http_v2_init_stream(r) != NGX_OK) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
return ngx_http_v2_filter_send(fc, stream);
|
||||
}
|
||||
|
||||
|
||||
static ngx_int_t
|
||||
ngx_http_v2_early_hints_filter(ngx_http_request_t *r)
|
||||
{
|
||||
u_char *pos, *start, *tmp;
|
||||
size_t len, tmp_len;
|
||||
ngx_uint_t i;
|
||||
ngx_list_part_t *part;
|
||||
ngx_table_elt_t *header;
|
||||
ngx_connection_t *fc;
|
||||
ngx_http_v2_stream_t *stream;
|
||||
ngx_http_v2_out_frame_t *frame;
|
||||
ngx_http_v2_connection_t *h2c;
|
||||
|
||||
stream = r->stream;
|
||||
|
||||
if (!stream) {
|
||||
return ngx_http_next_early_hints_filter(r);
|
||||
}
|
||||
|
||||
if (r != r->main) {
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
fc = r->connection;
|
||||
|
||||
if (fc->error) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
len = 0;
|
||||
tmp_len = 0;
|
||||
|
||||
part = &r->headers_out.headers.part;
|
||||
header = part->elts;
|
||||
|
||||
for (i = 0; /* void */; i++) {
|
||||
|
||||
if (i >= part->nelts) {
|
||||
if (part->next == NULL) {
|
||||
break;
|
||||
}
|
||||
|
||||
part = part->next;
|
||||
header = part->elts;
|
||||
i = 0;
|
||||
}
|
||||
|
||||
if (header[i].hash == 0) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if (header[i].key.len > NGX_HTTP_V2_MAX_FIELD) {
|
||||
ngx_log_error(NGX_LOG_CRIT, fc->log, 0,
|
||||
"too long response header name: \"%V\"",
|
||||
&header[i].key);
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (header[i].value.len > NGX_HTTP_V2_MAX_FIELD) {
|
||||
ngx_log_error(NGX_LOG_CRIT, fc->log, 0,
|
||||
"too long response header value: \"%V: %V\"",
|
||||
&header[i].key, &header[i].value);
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
len += 1 + NGX_HTTP_V2_INT_OCTETS + header[i].key.len
|
||||
+ NGX_HTTP_V2_INT_OCTETS + header[i].value.len;
|
||||
|
||||
if (header[i].key.len > tmp_len) {
|
||||
tmp_len = header[i].key.len;
|
||||
}
|
||||
|
||||
if (header[i].value.len > tmp_len) {
|
||||
tmp_len = header[i].value.len;
|
||||
}
|
||||
}
|
||||
|
||||
if (len == 0) {
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
h2c = stream->connection;
|
||||
|
||||
len += h2c->table_update ? 1 : 0;
|
||||
len += 1 + ngx_http_v2_literal_size("418");
|
||||
|
||||
tmp = ngx_palloc(r->pool, tmp_len);
|
||||
pos = ngx_pnalloc(r->pool, len);
|
||||
|
||||
if (pos == NULL || tmp == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
start = pos;
|
||||
|
||||
if (h2c->table_update) {
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, fc->log, 0,
|
||||
"http2 table size update: 0");
|
||||
*pos++ = (1 << 5) | 0;
|
||||
h2c->table_update = 0;
|
||||
}
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, fc->log, 0,
|
||||
"http2 output header: \":status: %03ui\"",
|
||||
(ngx_uint_t) NGX_HTTP_EARLY_HINTS);
|
||||
|
||||
*pos++ = ngx_http_v2_inc_indexed(NGX_HTTP_V2_STATUS_INDEX);
|
||||
*pos++ = NGX_HTTP_V2_ENCODE_RAW | 3;
|
||||
pos = ngx_sprintf(pos, "%03ui", (ngx_uint_t) NGX_HTTP_EARLY_HINTS);
|
||||
|
||||
part = &r->headers_out.headers.part;
|
||||
header = part->elts;
|
||||
|
||||
for (i = 0; /* void */; i++) {
|
||||
|
||||
if (i >= part->nelts) {
|
||||
if (part->next == NULL) {
|
||||
break;
|
||||
}
|
||||
|
||||
part = part->next;
|
||||
header = part->elts;
|
||||
i = 0;
|
||||
}
|
||||
|
||||
if (header[i].hash == 0) {
|
||||
continue;
|
||||
}
|
||||
|
||||
#if (NGX_DEBUG)
|
||||
if (fc->log->log_level & NGX_LOG_DEBUG_HTTP) {
|
||||
ngx_strlow(tmp, header[i].key.data, header[i].key.len);
|
||||
|
||||
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, fc->log, 0,
|
||||
"http2 output header: \"%*s: %V\"",
|
||||
header[i].key.len, tmp, &header[i].value);
|
||||
}
|
||||
#endif
|
||||
|
||||
*pos++ = 0;
|
||||
|
||||
pos = ngx_http_v2_write_name(pos, header[i].key.data,
|
||||
header[i].key.len, tmp);
|
||||
|
||||
pos = ngx_http_v2_write_value(pos, header[i].value.data,
|
||||
header[i].value.len, tmp);
|
||||
}
|
||||
|
||||
frame = ngx_http_v2_create_headers_frame(r, start, pos, 0, 1);
|
||||
if (frame == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
ngx_http_v2_queue_blocked_frame(h2c, frame);
|
||||
|
||||
stream->queued++;
|
||||
|
||||
if (ngx_http_v2_init_stream(r) != NGX_OK) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
return ngx_http_v2_filter_send(fc, stream);
|
||||
}
|
||||
|
||||
|
||||
static ngx_int_t
|
||||
ngx_http_v2_init_stream(ngx_http_request_t *r)
|
||||
{
|
||||
ngx_connection_t *fc;
|
||||
ngx_http_cleanup_t *cln;
|
||||
ngx_http_v2_stream_t *stream;
|
||||
|
||||
stream = r->stream;
|
||||
fc = r->connection;
|
||||
|
||||
if (stream->initialized) {
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
stream->initialized = 1;
|
||||
stream->queued = 1;
|
||||
|
||||
cln = ngx_http_cleanup_add(r, 0);
|
||||
if (cln == NULL) {
|
||||
|
|
@ -820,13 +625,13 @@ ngx_http_v2_init_stream(ngx_http_request_t *r)
|
|||
fc->need_last_buf = 1;
|
||||
fc->need_flush_buf = 1;
|
||||
|
||||
return NGX_OK;
|
||||
return ngx_http_v2_filter_send(fc, stream);
|
||||
}
|
||||
|
||||
|
||||
static ngx_http_v2_out_frame_t *
|
||||
ngx_http_v2_create_headers_frame(ngx_http_request_t *r, u_char *pos,
|
||||
u_char *end, ngx_uint_t fin, ngx_uint_t flush)
|
||||
u_char *end, ngx_uint_t fin)
|
||||
{
|
||||
u_char type, flags;
|
||||
size_t rest, frame_size;
|
||||
|
|
@ -917,7 +722,6 @@ ngx_http_v2_create_headers_frame(ngx_http_request_t *r, u_char *pos,
|
|||
}
|
||||
|
||||
b->last_buf = fin;
|
||||
b->flush = flush;
|
||||
cl->next = NULL;
|
||||
frame->last = cl;
|
||||
|
||||
|
|
@ -1040,7 +844,7 @@ ngx_http_v2_create_trailers_frame(ngx_http_request_t *r)
|
|||
header[i].value.len, tmp);
|
||||
}
|
||||
|
||||
return ngx_http_v2_create_headers_frame(r, start, pos, 1, 0);
|
||||
return ngx_http_v2_create_headers_frame(r, start, pos, 1);
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -1762,8 +1566,5 @@ ngx_http_v2_filter_init(ngx_conf_t *cf)
|
|||
ngx_http_next_header_filter = ngx_http_top_header_filter;
|
||||
ngx_http_top_header_filter = ngx_http_v2_header_filter;
|
||||
|
||||
ngx_http_next_early_hints_filter = ngx_http_top_early_hints_filter;
|
||||
ngx_http_top_early_hints_filter = ngx_http_v2_early_hints_filter;
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -70,7 +70,7 @@ ngx_http_v3_keepalive_handler(ngx_event_t *ev)
|
|||
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 keepalive handler");
|
||||
|
||||
ngx_http_v3_shutdown_connection(c, NGX_HTTP_V3_ERR_NO_ERROR,
|
||||
ngx_http_v3_finalize_connection(c, NGX_HTTP_V3_ERR_NO_ERROR,
|
||||
"keepalive timeout");
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@
|
|||
#define NGX_HTTP_V3_HQ_ALPN_PROTO "\x0Ahq-interop"
|
||||
#define NGX_HTTP_V3_HQ_PROTO "hq-interop"
|
||||
|
||||
#define NGX_HTTP_V3_VARLEN_INT_LEN 8
|
||||
#define NGX_HTTP_V3_VARLEN_INT_LEN 4
|
||||
#define NGX_HTTP_V3_PREFIX_INT_LEN 11
|
||||
|
||||
#define NGX_HTTP_V3_STREAM_CONTROL 0x00
|
||||
|
|
|
|||
|
|
@ -20,7 +20,6 @@
|
|||
#define NGX_HTTP_V3_HEADER_METHOD_GET 17
|
||||
#define NGX_HTTP_V3_HEADER_SCHEME_HTTP 22
|
||||
#define NGX_HTTP_V3_HEADER_SCHEME_HTTPS 23
|
||||
#define NGX_HTTP_V3_HEADER_STATUS_103 24
|
||||
#define NGX_HTTP_V3_HEADER_STATUS_200 25
|
||||
#define NGX_HTTP_V3_HEADER_ACCEPT_ENCODING 31
|
||||
#define NGX_HTTP_V3_HEADER_CONTENT_TYPE_TEXT_PLAIN 53
|
||||
|
|
@ -37,7 +36,6 @@ typedef struct {
|
|||
|
||||
|
||||
static ngx_int_t ngx_http_v3_header_filter(ngx_http_request_t *r);
|
||||
static ngx_int_t ngx_http_v3_early_hints_filter(ngx_http_request_t *r);
|
||||
static ngx_int_t ngx_http_v3_body_filter(ngx_http_request_t *r,
|
||||
ngx_chain_t *in);
|
||||
static ngx_chain_t *ngx_http_v3_create_trailers(ngx_http_request_t *r,
|
||||
|
|
@ -77,7 +75,6 @@ ngx_module_t ngx_http_v3_filter_module = {
|
|||
|
||||
|
||||
static ngx_http_output_header_filter_pt ngx_http_next_header_filter;
|
||||
static ngx_http_output_header_filter_pt ngx_http_next_early_hints_filter;
|
||||
static ngx_http_output_body_filter_pt ngx_http_next_body_filter;
|
||||
|
||||
|
||||
|
|
@ -591,150 +588,6 @@ ngx_http_v3_header_filter(ngx_http_request_t *r)
|
|||
}
|
||||
|
||||
|
||||
static ngx_int_t
|
||||
ngx_http_v3_early_hints_filter(ngx_http_request_t *r)
|
||||
{
|
||||
size_t len, n;
|
||||
ngx_buf_t *b;
|
||||
ngx_uint_t i;
|
||||
ngx_chain_t *out, *hl, *cl;
|
||||
ngx_list_part_t *part;
|
||||
ngx_table_elt_t *header;
|
||||
ngx_http_v3_session_t *h3c;
|
||||
|
||||
if (r->http_version != NGX_HTTP_VERSION_30) {
|
||||
return ngx_http_next_early_hints_filter(r);
|
||||
}
|
||||
|
||||
if (r != r->main) {
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
len = 0;
|
||||
|
||||
part = &r->headers_out.headers.part;
|
||||
header = part->elts;
|
||||
|
||||
for (i = 0; /* void */; i++) {
|
||||
|
||||
if (i >= part->nelts) {
|
||||
if (part->next == NULL) {
|
||||
break;
|
||||
}
|
||||
|
||||
part = part->next;
|
||||
header = part->elts;
|
||||
i = 0;
|
||||
}
|
||||
|
||||
if (header[i].hash == 0) {
|
||||
continue;
|
||||
}
|
||||
|
||||
len += ngx_http_v3_encode_field_l(NULL, &header[i].key,
|
||||
&header[i].value);
|
||||
}
|
||||
|
||||
if (len == 0) {
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
len += ngx_http_v3_encode_field_section_prefix(NULL, 0, 0, 0);
|
||||
|
||||
len += ngx_http_v3_encode_field_ri(NULL, 0, NGX_HTTP_V3_HEADER_STATUS_103);
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
|
||||
"http3 header len:%uz", len);
|
||||
|
||||
b = ngx_create_temp_buf(r->pool, len);
|
||||
if (b == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
b->last = (u_char *) ngx_http_v3_encode_field_section_prefix(b->last,
|
||||
0, 0, 0);
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
|
||||
"http3 output header: \":status: %03ui\"",
|
||||
(ngx_uint_t) NGX_HTTP_EARLY_HINTS);
|
||||
|
||||
b->last = (u_char *) ngx_http_v3_encode_field_ri(b->last, 0,
|
||||
NGX_HTTP_V3_HEADER_STATUS_103);
|
||||
|
||||
part = &r->headers_out.headers.part;
|
||||
header = part->elts;
|
||||
|
||||
for (i = 0; /* void */; i++) {
|
||||
|
||||
if (i >= part->nelts) {
|
||||
if (part->next == NULL) {
|
||||
break;
|
||||
}
|
||||
|
||||
part = part->next;
|
||||
header = part->elts;
|
||||
i = 0;
|
||||
}
|
||||
|
||||
if (header[i].hash == 0) {
|
||||
continue;
|
||||
}
|
||||
|
||||
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
|
||||
"http3 output header: \"%V: %V\"",
|
||||
&header[i].key, &header[i].value);
|
||||
|
||||
b->last = (u_char *) ngx_http_v3_encode_field_l(b->last,
|
||||
&header[i].key,
|
||||
&header[i].value);
|
||||
}
|
||||
|
||||
b->flush = 1;
|
||||
|
||||
cl = ngx_alloc_chain_link(r->pool);
|
||||
if (cl == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
cl->buf = b;
|
||||
cl->next = NULL;
|
||||
|
||||
n = b->last - b->pos;
|
||||
|
||||
h3c = ngx_http_v3_get_session(r->connection);
|
||||
h3c->payload_bytes += n;
|
||||
|
||||
len = ngx_http_v3_encode_varlen_int(NULL, NGX_HTTP_V3_FRAME_HEADERS)
|
||||
+ ngx_http_v3_encode_varlen_int(NULL, n);
|
||||
|
||||
b = ngx_create_temp_buf(r->pool, len);
|
||||
if (b == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
b->last = (u_char *) ngx_http_v3_encode_varlen_int(b->last,
|
||||
NGX_HTTP_V3_FRAME_HEADERS);
|
||||
b->last = (u_char *) ngx_http_v3_encode_varlen_int(b->last, n);
|
||||
|
||||
hl = ngx_alloc_chain_link(r->pool);
|
||||
if (hl == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
hl->buf = b;
|
||||
hl->next = cl;
|
||||
|
||||
out = hl;
|
||||
|
||||
for (cl = out; cl; cl = cl->next) {
|
||||
h3c->total_bytes += cl->buf->last - cl->buf->pos;
|
||||
r->header_size += cl->buf->last - cl->buf->pos;
|
||||
}
|
||||
|
||||
return ngx_http_write_filter(r, out);
|
||||
}
|
||||
|
||||
|
||||
static ngx_int_t
|
||||
ngx_http_v3_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
|
||||
{
|
||||
|
|
@ -992,9 +845,6 @@ ngx_http_v3_filter_init(ngx_conf_t *cf)
|
|||
ngx_http_next_header_filter = ngx_http_top_header_filter;
|
||||
ngx_http_top_header_filter = ngx_http_v3_header_filter;
|
||||
|
||||
ngx_http_next_early_hints_filter = ngx_http_top_early_hints_filter;
|
||||
ngx_http_top_early_hints_filter = ngx_http_v3_early_hints_filter;
|
||||
|
||||
ngx_http_next_body_filter = ngx_http_top_body_filter;
|
||||
ngx_http_top_body_filter = ngx_http_v3_body_filter;
|
||||
|
||||
|
|
|
|||
|
|
@ -623,12 +623,6 @@ ngx_http_v3_parse_literal(ngx_connection_t *c, ngx_http_v3_parse_literal_t *st,
|
|||
}
|
||||
|
||||
if (st->huffman) {
|
||||
if (n > NGX_MAX_INT_T_VALUE / 8) {
|
||||
ngx_log_error(NGX_LOG_INFO, c->log, 0,
|
||||
"client sent too large field line");
|
||||
return NGX_HTTP_V3_ERR_EXCESSIVE_LOAD;
|
||||
}
|
||||
|
||||
n = n * 8 / 5;
|
||||
st->huffstate = 0;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -965,7 +965,7 @@ ngx_http_v3_init_pseudo_headers(ngx_http_request_t *r)
|
|||
|
||||
if (rc == NGX_DECLINED) {
|
||||
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
|
||||
"client sent invalid \":authority\" header");
|
||||
"client sent invalid host in request line");
|
||||
goto failed;
|
||||
}
|
||||
|
||||
|
|
@ -1003,7 +1003,6 @@ ngx_http_v3_process_request_header(ngx_http_request_t *r)
|
|||
{
|
||||
ssize_t n;
|
||||
ngx_buf_t *b;
|
||||
ngx_str_t host;
|
||||
ngx_connection_t *c;
|
||||
ngx_http_v3_session_t *h3c;
|
||||
ngx_http_v3_srv_conf_t *h3scf;
|
||||
|
|
@ -1035,13 +1034,11 @@ ngx_http_v3_process_request_header(ngx_http_request_t *r)
|
|||
goto failed;
|
||||
}
|
||||
|
||||
if (r->headers_in.host && r->host_end) {
|
||||
|
||||
host.len = r->host_end - r->host_start;
|
||||
host.data = r->host_start;
|
||||
|
||||
if (r->headers_in.host->value.len != host.len
|
||||
|| ngx_memcmp(r->headers_in.host->value.data, host.data, host.len)
|
||||
if (r->headers_in.host) {
|
||||
if (r->headers_in.host->value.len != r->headers_in.server.len
|
||||
|| ngx_memcmp(r->headers_in.host->value.data,
|
||||
r->headers_in.server.data,
|
||||
r->headers_in.server.len)
|
||||
!= 0)
|
||||
{
|
||||
ngx_log_error(NGX_LOG_INFO, c->log, 0,
|
||||
|
|
@ -1216,7 +1213,7 @@ ngx_http_v3_construct_cookie_header(ngx_http_request_t *r)
|
|||
if (hh->handler(r, h, hh->offset) != NGX_OK) {
|
||||
/*
|
||||
* request has been finalized already
|
||||
* in ngx_http_process_header_line()
|
||||
* in ngx_http_process_multi_header_lines()
|
||||
*/
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1321,10 +1321,7 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
|
|||
b->last = ngx_copy(b->last, passwd.data, passwd.len);
|
||||
*b->last++ = CR; *b->last++ = LF;
|
||||
|
||||
if ((s->auth_method == NGX_MAIL_AUTH_APOP
|
||||
|| s->auth_method == NGX_MAIL_AUTH_CRAM_MD5)
|
||||
&& s->salt.len)
|
||||
{
|
||||
if (s->auth_method != NGX_MAIL_AUTH_PLAIN && s->salt.len) {
|
||||
b->last = ngx_cpymem(b->last, "Auth-Salt: ", sizeof("Auth-Salt: ") - 1);
|
||||
b->last = ngx_copy(b->last, s->salt.data, s->salt.len);
|
||||
|
||||
|
|
|
|||
|
|
@ -523,7 +523,7 @@ ngx_mail_starttls_only(ngx_mail_session_t *s, ngx_connection_t *c)
|
|||
ngx_int_t
|
||||
ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)
|
||||
{
|
||||
u_char *p, *pos, *last;
|
||||
u_char *p, *last;
|
||||
ngx_str_t *arg, plain;
|
||||
|
||||
arg = s->args.elts;
|
||||
|
|
@ -555,7 +555,7 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)
|
|||
return NGX_MAIL_PARSE_INVALID_COMMAND;
|
||||
}
|
||||
|
||||
pos = p;
|
||||
s->login.data = p;
|
||||
|
||||
while (p < last && *p) { p++; }
|
||||
|
||||
|
|
@ -565,8 +565,7 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)
|
|||
return NGX_MAIL_PARSE_INVALID_COMMAND;
|
||||
}
|
||||
|
||||
s->login.len = p++ - pos;
|
||||
s->login.data = pos;
|
||||
s->login.len = p++ - s->login.data;
|
||||
|
||||
s->passwd.len = last - p;
|
||||
s->passwd.data = p;
|
||||
|
|
@ -584,26 +583,24 @@ ngx_int_t
|
|||
ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c,
|
||||
ngx_uint_t n)
|
||||
{
|
||||
ngx_str_t *arg, login;
|
||||
ngx_str_t *arg;
|
||||
|
||||
arg = s->args.elts;
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
|
||||
"mail auth login username: \"%V\"", &arg[n]);
|
||||
|
||||
login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
|
||||
if (login.data == NULL) {
|
||||
s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
|
||||
if (s->login.data == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (ngx_decode_base64(&login, &arg[n]) != NGX_OK) {
|
||||
if (ngx_decode_base64(&s->login, &arg[n]) != NGX_OK) {
|
||||
ngx_log_error(NGX_LOG_INFO, c->log, 0,
|
||||
"client sent invalid base64 encoding in AUTH LOGIN command");
|
||||
return NGX_MAIL_PARSE_INVALID_COMMAND;
|
||||
}
|
||||
|
||||
s->login = login;
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
|
||||
"mail auth login username: \"%V\"", &s->login);
|
||||
|
||||
|
|
@ -614,7 +611,7 @@ ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c,
|
|||
ngx_int_t
|
||||
ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c)
|
||||
{
|
||||
ngx_str_t *arg, passwd;
|
||||
ngx_str_t *arg;
|
||||
|
||||
arg = s->args.elts;
|
||||
|
||||
|
|
@ -623,19 +620,18 @@ ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c)
|
|||
"mail auth login password: \"%V\"", &arg[0]);
|
||||
#endif
|
||||
|
||||
passwd.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
|
||||
if (passwd.data == NULL) {
|
||||
s->passwd.data = ngx_pnalloc(c->pool,
|
||||
ngx_base64_decoded_length(arg[0].len));
|
||||
if (s->passwd.data == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (ngx_decode_base64(&passwd, &arg[0]) != NGX_OK) {
|
||||
if (ngx_decode_base64(&s->passwd, &arg[0]) != NGX_OK) {
|
||||
ngx_log_error(NGX_LOG_INFO, c->log, 0,
|
||||
"client sent invalid base64 encoding in AUTH LOGIN command");
|
||||
return NGX_MAIL_PARSE_INVALID_COMMAND;
|
||||
}
|
||||
|
||||
s->passwd = passwd;
|
||||
|
||||
#if (NGX_DEBUG_MAIL_PASSWD)
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
|
||||
"mail auth login password: \"%V\"", &s->passwd);
|
||||
|
|
@ -678,26 +674,24 @@ ngx_int_t
|
|||
ngx_mail_auth_cram_md5(ngx_mail_session_t *s, ngx_connection_t *c)
|
||||
{
|
||||
u_char *p, *last;
|
||||
ngx_str_t *arg, login;
|
||||
ngx_str_t *arg;
|
||||
|
||||
arg = s->args.elts;
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
|
||||
"mail auth cram-md5: \"%V\"", &arg[0]);
|
||||
|
||||
login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
|
||||
if (login.data == NULL) {
|
||||
s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
|
||||
if (s->login.data == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (ngx_decode_base64(&login, &arg[0]) != NGX_OK) {
|
||||
if (ngx_decode_base64(&s->login, &arg[0]) != NGX_OK) {
|
||||
ngx_log_error(NGX_LOG_INFO, c->log, 0,
|
||||
"client sent invalid base64 encoding in AUTH CRAM-MD5 command");
|
||||
return NGX_MAIL_PARSE_INVALID_COMMAND;
|
||||
}
|
||||
|
||||
s->login = login;
|
||||
|
||||
p = s->login.data;
|
||||
last = p + s->login.len;
|
||||
|
||||
|
|
@ -1006,12 +1000,14 @@ ngx_mail_log_error(ngx_log_t *log, u_char *buf, size_t len)
|
|||
len -= p - buf;
|
||||
buf = p;
|
||||
|
||||
if (s->login.len) {
|
||||
p = ngx_snprintf(buf, len, ", login: \"%V\"", &s->login);
|
||||
len -= p - buf;
|
||||
buf = p;
|
||||
if (s->login.len == 0) {
|
||||
return p;
|
||||
}
|
||||
|
||||
p = ngx_snprintf(buf, len, ", login: \"%V\"", &s->login);
|
||||
len -= p - buf;
|
||||
buf = p;
|
||||
|
||||
if (s->proxy == NULL) {
|
||||
return p;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -531,7 +531,6 @@ ngx_mail_proxy_smtp_handler(ngx_event_t *rev)
|
|||
ngx_int_t rc;
|
||||
ngx_str_t line, auth, encoded;
|
||||
ngx_buf_t *b;
|
||||
uintptr_t n;
|
||||
ngx_connection_t *c;
|
||||
ngx_mail_session_t *s;
|
||||
ngx_mail_proxy_conf_t *pcf;
|
||||
|
|
@ -628,10 +627,6 @@ ngx_mail_proxy_smtp_handler(ngx_event_t *rev)
|
|||
CRLF) - 1
|
||||
+ s->connection->addr_text.len + s->login.len + s->host.len;
|
||||
|
||||
n = ngx_escape_uri(NULL, s->login.data, s->login.len,
|
||||
NGX_ESCAPE_MAIL_XTEXT);
|
||||
line.len += n * 2;
|
||||
|
||||
#if (NGX_HAVE_INET6)
|
||||
if (s->connection->sockaddr->sa_family == AF_INET6) {
|
||||
line.len += sizeof("IPV6:") - 1;
|
||||
|
|
@ -659,14 +654,7 @@ ngx_mail_proxy_smtp_handler(ngx_event_t *rev)
|
|||
|
||||
if (s->login.len && !pcf->smtp_auth) {
|
||||
p = ngx_cpymem(p, " LOGIN=", sizeof(" LOGIN=") - 1);
|
||||
|
||||
if (n == 0) {
|
||||
p = ngx_copy(p, s->login.data, s->login.len);
|
||||
|
||||
} else {
|
||||
p = (u_char *) ngx_escape_uri(p, s->login.data, s->login.len,
|
||||
NGX_ESCAPE_MAIL_XTEXT);
|
||||
}
|
||||
p = ngx_copy(p, s->login.data, s->login.len);
|
||||
}
|
||||
|
||||
p = ngx_cpymem(p, " NAME=", sizeof(" NAME=") - 1);
|
||||
|
|
|
|||
|
|
@ -782,9 +782,6 @@ ngx_mail_smtp_mail(ngx_mail_session_t *s, ngx_connection_t *c)
|
|||
|
||||
ngx_str_set(&s->out, smtp_ok);
|
||||
|
||||
ngx_str_null(&s->login);
|
||||
ngx_str_null(&s->passwd);
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -97,13 +97,6 @@ static ngx_command_t ngx_mail_ssl_commands[] = {
|
|||
0,
|
||||
NULL },
|
||||
|
||||
{ ngx_string("ssl_certificate_compression"),
|
||||
NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
|
||||
ngx_conf_set_flag_slot,
|
||||
NGX_MAIL_SRV_CONF_OFFSET,
|
||||
offsetof(ngx_mail_ssl_conf_t, certificate_compression),
|
||||
NULL },
|
||||
|
||||
{ ngx_string("ssl_dhparam"),
|
||||
NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
|
||||
ngx_conf_set_str_slot,
|
||||
|
|
@ -321,7 +314,6 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf)
|
|||
scf->passwords = NGX_CONF_UNSET_PTR;
|
||||
scf->conf_commands = NGX_CONF_UNSET_PTR;
|
||||
scf->prefer_server_ciphers = NGX_CONF_UNSET;
|
||||
scf->certificate_compression = NGX_CONF_UNSET;
|
||||
scf->verify = NGX_CONF_UNSET_UINT;
|
||||
scf->verify_depth = NGX_CONF_UNSET_UINT;
|
||||
scf->builtin_session_cache = NGX_CONF_UNSET;
|
||||
|
|
@ -351,9 +343,6 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
ngx_conf_merge_value(conf->prefer_server_ciphers,
|
||||
prev->prefer_server_ciphers, 0);
|
||||
|
||||
ngx_conf_merge_value(conf->certificate_compression,
|
||||
prev->certificate_compression, 0);
|
||||
|
||||
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
|
||||
(NGX_CONF_BITMASK_SET|NGX_SSL_DEFAULT_PROTOCOLS));
|
||||
|
||||
|
|
@ -457,13 +446,6 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
if (ngx_ssl_certificate_compression(cf, &conf->ssl,
|
||||
conf->certificate_compression)
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
if (conf->verify) {
|
||||
|
||||
if (conf->verify != 3
|
||||
|
|
|
|||
|
|
@ -21,7 +21,6 @@
|
|||
|
||||
typedef struct {
|
||||
ngx_flag_t prefer_server_ciphers;
|
||||
ngx_flag_t certificate_compression;
|
||||
|
||||
ngx_ssl_t ssl;
|
||||
|
||||
|
|
|
|||
|
|
@ -52,6 +52,7 @@
|
|||
#include <malloc.h> /* memalign() */
|
||||
#include <limits.h> /* IOV_MAX */
|
||||
#include <sys/ioctl.h>
|
||||
#include <crypt.h>
|
||||
#include <sys/utsname.h> /* uname() */
|
||||
|
||||
#include <dlfcn.h>
|
||||
|
|
@ -60,11 +61,6 @@
|
|||
#include <ngx_auto_config.h>
|
||||
|
||||
|
||||
#if (NGX_HAVE_CRYPT_H)
|
||||
#include <crypt.h>
|
||||
#endif
|
||||
|
||||
|
||||
#if (NGX_HAVE_POSIX_SEM)
|
||||
#include <semaphore.h>
|
||||
#endif
|
||||
|
|
|
|||
|
|
@ -43,7 +43,7 @@ ngx_timezone_update(void)
|
|||
struct tm *t;
|
||||
char buf[4];
|
||||
|
||||
s = time(NULL);
|
||||
s = time(0);
|
||||
|
||||
t = localtime(&s);
|
||||
|
||||
|
|
|
|||
|
|
@ -41,7 +41,7 @@ ngx_libc_crypt(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
#elif (NGX_HAVE_CRYPT)
|
||||
#else
|
||||
|
||||
ngx_int_t
|
||||
ngx_libc_crypt(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted)
|
||||
|
|
@ -71,14 +71,6 @@ ngx_libc_crypt(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
#else
|
||||
|
||||
ngx_int_t
|
||||
ngx_libc_crypt(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted)
|
||||
{
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
#endif /* NGX_CRYPT */
|
||||
|
|
|
|||
|
|
@ -108,8 +108,6 @@ static ngx_int_t ngx_stream_proxy_ssl_name(ngx_stream_session_t *s);
|
|||
static ngx_int_t ngx_stream_proxy_ssl_certificate(ngx_stream_session_t *s);
|
||||
static ngx_int_t ngx_stream_proxy_merge_ssl(ngx_conf_t *cf,
|
||||
ngx_stream_proxy_srv_conf_t *conf, ngx_stream_proxy_srv_conf_t *prev);
|
||||
static ngx_int_t ngx_stream_proxy_merge_ssl_passwords(ngx_conf_t *cf,
|
||||
ngx_stream_proxy_srv_conf_t *conf, ngx_stream_proxy_srv_conf_t *prev);
|
||||
static ngx_int_t ngx_stream_proxy_set_ssl(ngx_conf_t *cf,
|
||||
ngx_stream_proxy_srv_conf_t *pscf);
|
||||
|
||||
|
|
@ -2317,9 +2315,7 @@ ngx_stream_proxy_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
ngx_conf_merge_ptr_value(conf->ssl_certificate_cache,
|
||||
prev->ssl_certificate_cache, NULL);
|
||||
|
||||
if (ngx_stream_proxy_merge_ssl_passwords(cf, conf, prev) != NGX_OK) {
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
|
||||
|
||||
ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
|
||||
prev->ssl_conf_commands, NULL);
|
||||
|
|
@ -2385,57 +2381,6 @@ ngx_stream_proxy_merge_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *conf,
|
|||
}
|
||||
|
||||
|
||||
static ngx_int_t
|
||||
ngx_stream_proxy_merge_ssl_passwords(ngx_conf_t *cf,
|
||||
ngx_stream_proxy_srv_conf_t *conf, ngx_stream_proxy_srv_conf_t *prev)
|
||||
{
|
||||
ngx_uint_t preserve;
|
||||
|
||||
ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
|
||||
|
||||
if (conf->ssl_certificate == NULL
|
||||
|| conf->ssl_certificate->value.len == 0
|
||||
|| conf->ssl_certificate_key == NULL)
|
||||
{
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
if (conf->ssl_certificate->lengths == NULL
|
||||
&& conf->ssl_certificate_key->lengths == NULL)
|
||||
{
|
||||
if (conf->ssl_passwords && conf->ssl_passwords->pool == NULL) {
|
||||
/* un-preserve empty password list */
|
||||
conf->ssl_passwords = NULL;
|
||||
}
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
if (conf->ssl_passwords && conf->ssl_passwords->pool != cf->temp_pool) {
|
||||
/* already preserved */
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
preserve = (conf->ssl_passwords == prev->ssl_passwords) ? 1 : 0;
|
||||
|
||||
conf->ssl_passwords = ngx_ssl_preserve_passwords(cf, conf->ssl_passwords);
|
||||
if (conf->ssl_passwords == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
/*
|
||||
* special handling to keep a preserved ssl_passwords copy
|
||||
* in the previous configuration to inherit it to all children
|
||||
*/
|
||||
|
||||
if (preserve) {
|
||||
prev->ssl_passwords = conf->ssl_passwords;
|
||||
}
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
|
||||
static ngx_int_t
|
||||
ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf)
|
||||
{
|
||||
|
|
@ -2473,9 +2418,16 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (pscf->ssl_certificate->lengths == NULL
|
||||
&& pscf->ssl_certificate_key->lengths == NULL)
|
||||
if (pscf->ssl_certificate->lengths
|
||||
|| pscf->ssl_certificate_key->lengths)
|
||||
{
|
||||
pscf->ssl_passwords =
|
||||
ngx_ssl_preserve_passwords(cf, pscf->ssl_passwords);
|
||||
if (pscf->ssl_passwords == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
} else {
|
||||
if (ngx_ssl_certificate(cf, pscf->ssl,
|
||||
&pscf->ssl_certificate->value,
|
||||
&pscf->ssl_certificate_key->value,
|
||||
|
|
|
|||
|
|
@ -133,13 +133,6 @@ static ngx_command_t ngx_stream_ssl_commands[] = {
|
|||
0,
|
||||
NULL },
|
||||
|
||||
{ ngx_string("ssl_certificate_compression"),
|
||||
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
|
||||
ngx_conf_set_flag_slot,
|
||||
NGX_STREAM_SRV_CONF_OFFSET,
|
||||
offsetof(ngx_stream_ssl_srv_conf_t, certificate_compression),
|
||||
NULL },
|
||||
|
||||
{ ngx_string("ssl_dhparam"),
|
||||
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
|
||||
ngx_conf_set_str_slot,
|
||||
|
|
@ -555,46 +548,27 @@ ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
|
|||
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
}
|
||||
|
||||
if (c->ssl->sni_accepted) {
|
||||
return SSL_TLSEXT_ERR_OK;
|
||||
}
|
||||
|
||||
if (c->ssl->handshake_rejected) {
|
||||
*ad = SSL_AD_UNRECOGNIZED_NAME;
|
||||
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
}
|
||||
|
||||
s = c->data;
|
||||
|
||||
if (arg) {
|
||||
host = *(ngx_str_t *) arg;
|
||||
servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
|
||||
|
||||
if (host.data == NULL) {
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_STREAM, c->log, 0,
|
||||
"SSL server name: null");
|
||||
goto done;
|
||||
}
|
||||
|
||||
} else {
|
||||
servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
|
||||
|
||||
if (servername == NULL) {
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_STREAM, c->log, 0,
|
||||
"SSL server name: null");
|
||||
goto done;
|
||||
}
|
||||
|
||||
host.len = ngx_strlen(servername);
|
||||
host.data = (u_char *) servername;
|
||||
if (servername == NULL) {
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_STREAM, c->log, 0,
|
||||
"SSL server name: null");
|
||||
goto done;
|
||||
}
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0,
|
||||
"SSL server name: \"%V\"", &host);
|
||||
"SSL server name: \"%s\"", servername);
|
||||
|
||||
host.len = ngx_strlen(servername);
|
||||
|
||||
if (host.len == 0) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
host.data = (u_char *) servername;
|
||||
|
||||
rc = ngx_stream_validate_host(&host, c->pool, 1);
|
||||
|
||||
if (rc == NGX_ERROR) {
|
||||
|
|
@ -615,12 +589,35 @@ ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
|
|||
goto done;
|
||||
}
|
||||
|
||||
sscf = ngx_stream_get_module_srv_conf(cscf->ctx, ngx_stream_ssl_module);
|
||||
|
||||
#if (defined TLS1_3_VERSION \
|
||||
&& !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
|
||||
|
||||
/*
|
||||
* SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
|
||||
* but servername being negotiated in every TLSv1.3 handshake
|
||||
* is only returned in OpenSSL 1.1.1+ as well
|
||||
*/
|
||||
|
||||
if (sscf->verify) {
|
||||
const char *hostname;
|
||||
|
||||
hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
|
||||
|
||||
if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
|
||||
c->ssl->handshake_rejected = 1;
|
||||
*ad = SSL_AD_ACCESS_DENIED;
|
||||
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
}
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
s->srv_conf = cscf->ctx->srv_conf;
|
||||
|
||||
ngx_set_connection_log(c, cscf->error_log);
|
||||
|
||||
sscf = ngx_stream_get_module_srv_conf(cscf->ctx, ngx_stream_ssl_module);
|
||||
|
||||
if (sscf->ssl.ctx) {
|
||||
if (SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx) == NULL) {
|
||||
goto error;
|
||||
|
|
@ -659,7 +656,6 @@ done:
|
|||
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
}
|
||||
|
||||
c->ssl->sni_accepted = 1;
|
||||
return SSL_TLSEXT_ERR_OK;
|
||||
|
||||
error:
|
||||
|
|
@ -885,7 +881,6 @@ ngx_stream_ssl_create_srv_conf(ngx_conf_t *cf)
|
|||
sscf->passwords = NGX_CONF_UNSET_PTR;
|
||||
sscf->conf_commands = NGX_CONF_UNSET_PTR;
|
||||
sscf->prefer_server_ciphers = NGX_CONF_UNSET;
|
||||
sscf->certificate_compression = NGX_CONF_UNSET;
|
||||
sscf->reject_handshake = NGX_CONF_UNSET;
|
||||
sscf->verify = NGX_CONF_UNSET_UINT;
|
||||
sscf->verify_depth = NGX_CONF_UNSET_UINT;
|
||||
|
|
@ -919,9 +914,6 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
ngx_conf_merge_value(conf->prefer_server_ciphers,
|
||||
prev->prefer_server_ciphers, 0);
|
||||
|
||||
ngx_conf_merge_value(conf->certificate_compression,
|
||||
prev->certificate_compression, 0);
|
||||
|
||||
ngx_conf_merge_value(conf->reject_handshake, prev->reject_handshake, 0);
|
||||
|
||||
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
|
||||
|
|
@ -999,14 +991,8 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
cln->data = &conf->ssl;
|
||||
|
||||
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
||||
{
|
||||
static ngx_ssl_client_hello_arg cb = { ngx_stream_ssl_servername };
|
||||
|
||||
ngx_ssl_set_client_hello_callback(conf->ssl.ctx, &cb);
|
||||
|
||||
SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
|
||||
ngx_stream_ssl_servername);
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
|
||||
|
|
@ -1053,13 +1039,6 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
{
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
if (ngx_ssl_certificate_compression(cf, &conf->ssl,
|
||||
conf->certificate_compression)
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
}
|
||||
|
||||
if (conf->verify) {
|
||||
|
|
@ -1155,19 +1134,13 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
|
||||
if (conf->stapling) {
|
||||
|
||||
if (conf->certificate_compression) {
|
||||
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
||||
"\"ssl_stapling\" is incompatible with "
|
||||
"\"ssl_certificate_compression\"");
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
|
||||
&conf->stapling_responder, conf->stapling_verify)
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
|
||||
|
|
|
|||
|
|
@ -18,7 +18,6 @@ typedef struct {
|
|||
ngx_msec_t handshake_timeout;
|
||||
|
||||
ngx_flag_t prefer_server_ciphers;
|
||||
ngx_flag_t certificate_compression;
|
||||
ngx_flag_t reject_handshake;
|
||||
|
||||
ngx_ssl_t ssl;
|
||||
|
|
|
|||
|
|
@ -911,6 +911,7 @@ ngx_stream_upstream_set_round_robin_peer_session(ngx_peer_connection_t *pc,
|
|||
int len;
|
||||
const u_char *p;
|
||||
ngx_stream_upstream_rr_peers_t *peers;
|
||||
u_char buf[NGX_SSL_MAX_SESSION_SIZE];
|
||||
#endif
|
||||
|
||||
peer = rrp->current;
|
||||
|
|
@ -930,12 +931,12 @@ ngx_stream_upstream_set_round_robin_peer_session(ngx_peer_connection_t *pc,
|
|||
|
||||
len = peer->ssl_session_len;
|
||||
|
||||
ngx_memcpy(ngx_ssl_session_buffer, peer->ssl_session, len);
|
||||
ngx_memcpy(buf, peer->ssl_session, len);
|
||||
|
||||
ngx_stream_upstream_rr_peer_unlock(peers, peer);
|
||||
ngx_stream_upstream_rr_peers_unlock(peers);
|
||||
|
||||
p = ngx_ssl_session_buffer;
|
||||
p = buf;
|
||||
ssl_session = d2i_SSL_SESSION(NULL, &p, len);
|
||||
|
||||
rc = ngx_ssl_set_session(pc->connection, ssl_session);
|
||||
|
|
@ -972,6 +973,7 @@ ngx_stream_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
|
|||
int len;
|
||||
u_char *p;
|
||||
ngx_stream_upstream_rr_peers_t *peers;
|
||||
u_char buf[NGX_SSL_MAX_SESSION_SIZE];
|
||||
#endif
|
||||
|
||||
#if (NGX_STREAM_UPSTREAM_ZONE)
|
||||
|
|
@ -985,10 +987,10 @@ ngx_stream_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
|
|||
return;
|
||||
}
|
||||
|
||||
len = i2d_SSL_SESSION(ssl_session, NULL);
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_STREAM, pc->log, 0,
|
||||
"save session: %p", ssl_session);
|
||||
|
||||
ngx_log_debug2(NGX_LOG_DEBUG_STREAM, pc->log, 0,
|
||||
"save session: %p:%d", ssl_session, len);
|
||||
len = i2d_SSL_SESSION(ssl_session, NULL);
|
||||
|
||||
/* do not cache too big session */
|
||||
|
||||
|
|
@ -996,7 +998,7 @@ ngx_stream_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
|
|||
return;
|
||||
}
|
||||
|
||||
p = ngx_ssl_session_buffer;
|
||||
p = buf;
|
||||
(void) i2d_SSL_SESSION(ssl_session, &p);
|
||||
|
||||
peer = rrp->current;
|
||||
|
|
@ -1026,7 +1028,7 @@ ngx_stream_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
|
|||
peer->ssl_session_len = len;
|
||||
}
|
||||
|
||||
ngx_memcpy(peer->ssl_session, ngx_ssl_session_buffer, len);
|
||||
ngx_memcpy(peer->ssl_session, buf, len);
|
||||
|
||||
ngx_stream_upstream_rr_peer_unlock(peers, peer);
|
||||
ngx_stream_upstream_rr_peers_unlock(peers);
|
||||
|
|
@ -1054,6 +1056,8 @@ ngx_stream_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
|
|||
ngx_log_debug1(NGX_LOG_DEBUG_STREAM, pc->log, 0,
|
||||
"old session: %p", old_ssl_session);
|
||||
|
||||
/* TODO: may block */
|
||||
|
||||
ngx_ssl_free_session(old_ssl_session);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue