From Nate.Karstens at garmin.com Fri Sep 1 13:17:15 2017 From: Nate.Karstens at garmin.com (Karstens, Nate) Date: Fri, 1 Sep 2017 13:17:15 +0000 Subject: [PATCH] [PATCH 2 of 4] SSL: add support for PSK cipher suites In-Reply-To: <20170831144345.GE93611@mdounin.ru> References: <010419> <97953fe374455a049732.1503541250@OLA-6J5NNS1.ad.garmin.com> <20170831144345.GE93611@mdounin.ru> Message-ID: > In the previous review I've pointed out that the patch needs to adjust severity levels in ngx_ssl_connection_error(): Sorry, I think I got confused with something else. Nate -----Original Message----- From: nginx-devel [mailto:nginx-devel-bounces at nginx.org] On Behalf Of Maxim Dounin Sent: Thursday, August 31, 2017 9:44 AM To: nginx-devel at nginx.org Subject: Re: [PATCH] [PATCH 2 of 4] SSL: add support for PSK cipher suites Hello! On Wed, Aug 23, 2017 at 09:20:50PM -0500, Nate Karstens wrote: > # HG changeset patch > # User Nate Karstens # Date 1503540059 > 18000 > # Wed Aug 23 21:00:59 2017 -0500 > # Node ID 97953fe374455a04973268c4b2fbadd7ced91ffe > # Parent 17c038b56051f922ec440d40e23e8d1b23d835df > [PATCH 2 of 4] SSL: add support for PSK cipher suites. There is no need to include "[PATCH 2 of 4] " into patch summary line. [...] > @@ -1163,6 +1177,211 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_s > > > ngx_int_t > +ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) { > +#ifdef PSK_MAX_IDENTITY_LEN > + > + ngx_fd_t fd; > + ngx_int_t err; > + ngx_file_info_t fi; Style: there should be two spaces between the longest type and a variable. I've already explained details in one of the previous reviews here: http://mailman.nginx.org/pipermail/nginx-devel/2017-June/010247.html > + > + err = NGX_OK; > + > + if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { > + return NGX_ERROR; > + } > + > + fd = ngx_open_file(file->data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0); > + if (fd == NGX_INVALID_FILE) { > + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, ngx_errno, > + ngx_open_file_n " \"%V\" failed", file); > + return NGX_ERROR; > + } > + > + if (ngx_fd_info(fd, &fi) == NGX_FILE_ERROR) { > + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, ngx_errno, > + ngx_fd_info_n " \"%V\" failed", file); > + err = NGX_ERROR; > + goto failed; > + } > + > + if (ngx_file_size(&fi) == 0) { > + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, > + "PSK file \"%V\" is empty", file); > + err = NGX_ERROR; > + goto failed; > + } What's the point in opening the file here? As long the file is being read at run-time, it doesn't seem to make sense. The file can be legitimately created later. Checking ngx_file_size() looks completely wrong as well. It will prevent configurations with no currently configured PSK keys from running if the file size is 0 - but won't do this as long as there is a comment and/or some garbage in the file. > + > +failed: > + > + if (ngx_close_file(fd) == NGX_FILE_ERROR) { > + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, ngx_errno, > + ngx_close_file_n " %V failed", file); > + err = NGX_ERROR; > + } > + > + if (err != NGX_OK) { > + return err; > + } > + > + if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_psk_index, file) == 0) { > + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, > + "SSL_CTX_set_ex_data() failed"); > + return NGX_ERROR; > + } > + > + SSL_CTX_set_psk_server_callback(ssl->ctx, ngx_ssl_psk_callback); > + > +#endif > + > + return NGX_OK; > +} > + > + > +#ifdef PSK_MAX_IDENTITY_LEN > + > +static unsigned int > +ngx_ssl_psk_callback(ngx_ssl_conn_t *ssl_conn, const char *identity, > + unsigned char *psk, unsigned int max_psk_len) { > + u_char *p, *last, *end, *colon; > + size_t len; > + ssize_t n; > + SSL_CTX *ssl_ctx; > + ngx_fd_t fd; > + ngx_str_t *file; > + unsigned int psk_len; > + ngx_connection_t *c; > + u_char buf[NGX_SSL_PSK_BUFFER_SIZE]; Style: there should be two spaces between "ngx_connection_t" and "*c". > + > + psk_len = 0; This looks to early for the psk_len initialization. Rather, I would move the initialization to somewhere near "len = 0; last = buf" below where it will look more logical. > + c = ngx_ssl_get_connection(ssl_conn); > + > + ssl_ctx = SSL_get_SSL_CTX(ssl_conn); > + file = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_psk_index); > + > + fd = ngx_open_file(file->data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0); > + if (fd == NGX_INVALID_FILE) { > + ngx_ssl_error(NGX_LOG_ERR, c->log, ngx_errno, > + ngx_open_file_n " \"%V\" failed", file); > + return 0; > + } > + > + len = 0; > + last = buf; > + > + do { > + n = ngx_read_fd(fd, last, NGX_SSL_PSK_BUFFER_SIZE - len); > + > + if (n == -1) { > + ngx_ssl_error(NGX_LOG_ERR, c->log, ngx_errno, > + ngx_read_fd_n " \"%V\" failed", file); > + psk_len = 0; There is no need to set psk_len to 0 here, as it is already initialized to 0 and never set to anything else except before "goto cleanup". > + goto cleanup; > + } > + > + end = last + n; > + > + if (len && n == 0) { > + *end++ = LF; > + } > + > + for (p = buf; /* void */; p = last) { > + last = ngx_strlchr(last, end, LF); > + > + if (last == NULL) { > + break; > + } > + > + len = last++ - p; > + > + if (len && p[len - 1] == CR) { > + len--; > + } > + > + if (len == 0) { > + continue; > + } > + > + colon = ngx_strlchr(p, p + len, ':'); > + > + if (colon == NULL) { > + continue; > + } > + > + *colon = '\0'; > + > + if (ngx_strcmp(p, identity) != 0) { > + continue; > + } > + > + len -= colon + 1 - p; > + p = colon + 1; > + > + if (ngx_strncmp(p, "{HEX}", sizeof("{HEX}") - 1) == 0) { > + > + p += sizeof("{HEX}") - 1; > + len -= sizeof("{HEX}") - 1; > + > + if (len / 2 > max_psk_len) { > + goto cleanup; > + } > + > + if (ngx_hex_decode(psk, p, len) != NGX_OK) { > + ngx_memzero(psk, len / 2); > + goto cleanup; > + } > + > + psk_len = len / 2; > + > + goto cleanup; > + > + } else if (ngx_strncmp(p, "{PLAIN}", sizeof("{PLAIN}") - 1) == 0) { > + p += sizeof("{PLAIN}") - 1; > + len -= sizeof("{PLAIN}") - 1; > + } > + > + if (len > max_psk_len) { > + goto cleanup; > + } > + > + ngx_memcpy(psk, p, len); > + psk_len = len; > + > + goto cleanup; > + } > + > + len = end - p; > + > + if (len == NGX_SSL_PSK_BUFFER_SIZE) { > + ngx_ssl_error(NGX_LOG_ERR, c->log, 0, > + "too long line in \"%V\"", file); > + psk_len = 0; There is no need to set psk_len here, see above. > + goto cleanup; > + } > + > + ngx_memmove(buf, p, len); > + last = buf + len; > + > + } while (n != 0); > + > +cleanup: > + > + if (ngx_close_file(fd) == NGX_FILE_ERROR) { > + ngx_ssl_error(NGX_LOG_ALERT, c->log, ngx_errno, > + ngx_close_file_n " %V failed", file); > + psk_len = 0; I don't think we should reset psk_len here, this error is not related to the PSK key we already either have at this point, or psk_len is already set to 0. > + } > + > + ngx_memzero(buf, NGX_SSL_PSK_BUFFER_SIZE); > + > + return psk_len; > +} > + > +#endif > + > + > +ngx_int_t > ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, > ngx_uint_t flags) { > ngx_ssl_connection_t *sc; In the previous review I've pointed out that the patch needs to adjust severity levels in ngx_ssl_connection_error(): http://mailman.nginx.org/pipermail/nginx-devel/2017-August/010419.html Are there any specific reasons why you've ignored this comment? Just in case, here is the relevant change: @@ -2249,6 +2249,9 @@ ngx_ssl_connection_error(ngx_connection_ || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */ || n == SSL_R_NO_SHARED_CIPHER /* 193 */ || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */ +#ifdef SSL_R_PSK_IDENTITY_NOT_FOUND + || n == SSL_R_PSK_IDENTITY_NOT_FOUND /* 223 */ +#endif #ifdef SSL_R_PARSE_TLSEXT || n == SSL_R_PARSE_TLSEXT /* 227 */ #endif > diff -r 17c038b56051 -r 97953fe37445 src/event/ngx_event_openssl.h > --- a/src/event/ngx_event_openssl.h Wed Aug 23 21:00:18 2017 -0500 > +++ b/src/event/ngx_event_openssl.h Wed Aug 23 21:00:59 2017 -0500 > @@ -172,6 +172,7 @@ ngx_int_t ngx_ssl_session_cache(ngx_ssl_ > ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, > ngx_array_t *paths); > ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void > *data); > +ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t > +*file); > ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, > ngx_uint_t flags); > I would rather place it after the ngx_ssl_ecdh_curve() function, similar to how it is placed in the C file. [...] -- Maxim Dounin http://nginx.org/ _______________________________________________ nginx-devel mailing list nginx-devel at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel ________________________________ CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you. From Nate.Karstens at garmin.com Fri Sep 1 13:18:56 2017 From: Nate.Karstens at garmin.com (Karstens, Nate) Date: Fri, 1 Sep 2017 13:18:56 +0000 Subject: [PATCH] [PATCH 4 of 4] SSL: add identity hint config directive In-Reply-To: <20170831144444.GG93611@mdounin.ru> References: <010421> <62b4032371bd45217d40.1503541363@OLA-6J5NNS1.ad.garmin.com> <20170831144444.GG93611@mdounin.ru> Message-ID: Maxim, Your changes look good and test well -- works for me! Thanks for your work on this, and for your patience! Nate -----Original Message----- From: nginx-devel [mailto:nginx-devel-bounces at nginx.org] On Behalf Of Maxim Dounin Sent: Thursday, August 31, 2017 9:45 AM To: nginx-devel at nginx.org Subject: Re: [PATCH] [PATCH 4 of 4] SSL: add identity hint config directive Hello! On Wed, Aug 23, 2017 at 09:22:43PM -0500, Nate Karstens wrote: > # HG changeset patch > # User Nate Karstens # Date 1503540237 > 18000 > # Wed Aug 23 21:03:57 2017 -0500 > # Node ID 62b4032371bd45217d40e2f0daf8ecd6956601d8 > # Parent a11e114a2bcde4afb515dd0b70f3ef39693f475a > [PATCH 4 of 4] SSL: add identity hint config directive. As in previous patches, there should be no "[PATCH 4 of 4] ". Otherwise loos good. Following this and previous patches review, here are all four patches adjusted according to the comments. Please take a look if it works for you. # HG changeset patch # User Nate Karstens # Date 1503540018 18000 # Wed Aug 23 21:00:18 2017 -0500 # Node ID a87e224e8d6b2993dfcd8903bfb0e7eb7fd934fa # Parent c7d4017c8876af6d8570e400320537d7d39e9578 Core: add function to decode hexadecimal strings. Adds functionality to convert a hexadecimal string into binary data. This will be used to decode PSKs stored in hexadecimal representation. Signed-off-by: Nate Karstens diff --git a/src/core/ngx_string.c b/src/core/ngx_string.c --- a/src/core/ngx_string.c +++ b/src/core/ngx_string.c @@ -1118,6 +1118,56 @@ ngx_hex_dump(u_char *dst, u_char *src, s } +ngx_int_t +ngx_hex_decode(u_char *dst, u_char *src, size_t len) { + u_char ch, decoded; + + if (len & 1) { + return NGX_ERROR; + } + + while (len) { + ch = *src++; + len -= 2; + + if (ch >= '0' && ch <= '9') { + decoded = ch - '0'; + goto second; + } + + ch |= 0x20; + + if (ch >= 'a' && ch <= 'f') { + decoded = ch - 'a' + 10; + goto second; + } + + return NGX_ERROR; + + second: + + ch = *src++; + + if (ch >= '0' && ch <= '9') { + *dst++ = (u_char) ((decoded << 4) + ch - '0'); + continue; + } + + ch |= 0x20; + + if (ch >= 'a' && ch <= 'f') { + *dst++ = (u_char) ((decoded << 4) + ch - 'a' + 10); + continue; + } + + return NGX_ERROR; + } + + return NGX_OK; +} + + void ngx_encode_base64(ngx_str_t *dst, ngx_str_t *src) { diff --git a/src/core/ngx_string.h b/src/core/ngx_string.h --- a/src/core/ngx_string.h +++ b/src/core/ngx_string.h @@ -177,6 +177,7 @@ time_t ngx_atotm(u_char *line, size_t n) ngx_int_t ngx_hextoi(u_char *line, size_t n); u_char *ngx_hex_dump(u_char *dst, u_char *src, size_t len); +ngx_int_t ngx_hex_decode(u_char *dst, u_char *src, size_t len); #define ngx_base64_encoded_length(len) (((len + 2) / 3) * 4) # HG changeset patch # User Nate Karstens # Date 1503540059 18000 # Wed Aug 23 21:00:59 2017 -0500 # Node ID d89f77108fa8a20bc1fb9cdbaf43fefbc5e07119 # Parent a87e224e8d6b2993dfcd8903bfb0e7eb7fd934fa SSL: add support for PSK cipher suites. Adds support for TLS connections using PSK cipher suites. A new configuration directive, ssl_psk_file, specifies the file that contains a list of identities and associated PSKs. Each line of the file begins with the identity, followed by a colon character (':'), and ending with the PSK. As required by RFC 4279 section 5.4, PSKs may be entered either as plain text or using hexadecimal encoding. Hexadecimal PSKs must begin with "{HEX}". PSKs without this prefix are assumed to be plain text, but they may optionally begin with "{PLAIN}" to denote this. Some examples: gary:plain_text_password min:{PLAIN}another_text_password cliff:{HEX}ab0123CD PSK functionality can be easily tested with the OpenSSL s_client using the "-psk" and "-psk_identity" options. Signed-off-by: Nate Karstens diff --git a/contrib/vim/syntax/nginx.vim b/contrib/vim/syntax/nginx.vim --- a/contrib/vim/syntax/nginx.vim +++ b/contrib/vim/syntax/nginx.vim @@ -550,6 +550,7 @@ syn keyword ngxDirective contained ssl_p syn keyword ngxDirective contained ssl_prefer_server_ciphers syn keyword ngxDirective contained ssl_preread syn keyword ngxDirective contained ssl_protocols +syn keyword ngxDirective contained ssl_psk_file syn keyword ngxDirective contained ssl_session_cache syn keyword ngxDirective contained ssl_session_ticket_key syn keyword ngxDirective contained ssl_session_tickets diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -11,6 +11,7 @@ #define NGX_SSL_PASSWORD_BUFFER_SIZE 4096 +#define NGX_SSL_PSK_BUFFER_SIZE 4096 typedef struct { @@ -24,6 +25,10 @@ static int ngx_ssl_verify_callback(int o static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret); static void ngx_ssl_passwords_cleanup(void *data); +#ifdef PSK_MAX_IDENTITY_LEN +static unsigned int ngx_ssl_psk_callback(ngx_ssl_conn_t *ssl_conn, + const char *identity, unsigned char *psk, unsigned int +max_psk_len); #endif static void ngx_ssl_handshake_handler(ngx_event_t *ev); static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n); static void ngx_ssl_write_handler(ngx_event_t *wev); @@ -110,6 +115,7 @@ int ngx_ssl_connection_index; int ngx_ssl_server_conf_index; int ngx_ssl_session_cache_index; int ngx_ssl_session_ticket_keys_index; +int ngx_ssl_psk_index; int ngx_ssl_certificate_index; int ngx_ssl_next_certificate_index; int ngx_ssl_certificate_name_index; @@ -195,6 +201,14 @@ ngx_ssl_init(ngx_log_t *log) return NGX_ERROR; } + ngx_ssl_psk_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, + NULL); + + if (ngx_ssl_psk_index == -1) { + ngx_ssl_error(NGX_LOG_ALERT, log, 0, + "SSL_CTX_get_ex_new_index() failed"); + return NGX_ERROR; + } + ngx_ssl_certificate_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); if (ngx_ssl_certificate_index == -1) { @@ -1163,6 +1177,170 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_s ngx_int_t +ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) { +#ifdef PSK_MAX_IDENTITY_LEN + + if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { + return NGX_ERROR; + } + + if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_psk_index, file) == 0) { + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, + "SSL_CTX_set_ex_data() failed"); + return NGX_ERROR; + } + + SSL_CTX_set_psk_server_callback(ssl->ctx, ngx_ssl_psk_callback); + +#endif + + return NGX_OK; +} + + +#ifdef PSK_MAX_IDENTITY_LEN + +static unsigned int +ngx_ssl_psk_callback(ngx_ssl_conn_t *ssl_conn, const char *identity, + unsigned char *psk, unsigned int max_psk_len) { + u_char *p, *last, *end, *colon; + size_t len; + ssize_t n; + SSL_CTX *ssl_ctx; + ngx_fd_t fd; + ngx_str_t *file; + unsigned int psk_len; + ngx_connection_t *c; + u_char buf[NGX_SSL_PSK_BUFFER_SIZE]; + + c = ngx_ssl_get_connection(ssl_conn); + + ssl_ctx = SSL_get_SSL_CTX(ssl_conn); + file = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_psk_index); + + fd = ngx_open_file(file->data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0); + if (fd == NGX_INVALID_FILE) { + ngx_ssl_error(NGX_LOG_ERR, c->log, ngx_errno, + ngx_open_file_n " \"%V\" failed", file); + return 0; + } + + psk_len = 0; + + len = 0; + last = buf; + + do { + n = ngx_read_fd(fd, last, NGX_SSL_PSK_BUFFER_SIZE - len); + + if (n == -1) { + ngx_ssl_error(NGX_LOG_ERR, c->log, ngx_errno, + ngx_read_fd_n " \"%V\" failed", file); + goto cleanup; + } + + end = last + n; + + if (len && n == 0) { + *end++ = LF; + } + + for (p = buf; /* void */; p = last) { + last = ngx_strlchr(last, end, LF); + + if (last == NULL) { + break; + } + + len = last++ - p; + + if (len && p[len - 1] == CR) { + len--; + } + + if (len == 0) { + continue; + } + + colon = ngx_strlchr(p, p + len, ':'); + + if (colon == NULL) { + continue; + } + + *colon = '\0'; + + if (ngx_strcmp(p, identity) != 0) { + continue; + } + + len -= colon + 1 - p; + p = colon + 1; + + if (ngx_strncmp(p, "{HEX}", sizeof("{HEX}") - 1) == 0) { + + p += sizeof("{HEX}") - 1; + len -= sizeof("{HEX}") - 1; + + if (len / 2 > max_psk_len) { + goto cleanup; + } + + if (ngx_hex_decode(psk, p, len) != NGX_OK) { + ngx_memzero(psk, len / 2); + goto cleanup; + } + + psk_len = len / 2; + + goto cleanup; + + } else if (ngx_strncmp(p, "{PLAIN}", sizeof("{PLAIN}") - 1) == 0) { + p += sizeof("{PLAIN}") - 1; + len -= sizeof("{PLAIN}") - 1; + } + + if (len > max_psk_len) { + goto cleanup; + } + + ngx_memcpy(psk, p, len); + psk_len = len; + + goto cleanup; + } + + len = end - p; + + if (len == NGX_SSL_PSK_BUFFER_SIZE) { + ngx_ssl_error(NGX_LOG_ERR, c->log, 0, + "too long line in \"%V\"", file); + goto cleanup; + } + + ngx_memmove(buf, p, len); + last = buf + len; + + } while (n != 0); + +cleanup: + + if (ngx_close_file(fd) == NGX_FILE_ERROR) { + ngx_ssl_error(NGX_LOG_ALERT, c->log, ngx_errno, + ngx_close_file_n " %V failed", file); + } + + ngx_memzero(buf, NGX_SSL_PSK_BUFFER_SIZE); + + return psk_len; +} + +#endif + + +ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags) { ngx_ssl_connection_t *sc; @@ -2071,6 +2249,9 @@ ngx_ssl_connection_error(ngx_connection_ || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */ || n == SSL_R_NO_SHARED_CIPHER /* 193 */ || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */ +#ifdef SSL_R_PSK_IDENTITY_NOT_FOUND + || n == SSL_R_PSK_IDENTITY_NOT_FOUND /* 223 */ +#endif #ifdef SSL_R_PARSE_TLSEXT || n == SSL_R_PARSE_TLSEXT /* 227 */ #endif diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -167,6 +167,7 @@ RSA *ngx_ssl_rsa512_key_callback(ngx_ssl ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file); ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file); ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name); +ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t +*file); ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout); ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, @@ -253,6 +254,7 @@ extern int ngx_ssl_connection_index; extern int ngx_ssl_server_conf_index; extern int ngx_ssl_session_cache_index; extern int ngx_ssl_session_ticket_keys_index; +extern int ngx_ssl_psk_index; extern int ngx_ssl_certificate_index; extern int ngx_ssl_next_certificate_index; extern int ngx_ssl_certificate_name_index; diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -234,6 +234,13 @@ static ngx_command_t ngx_http_ssl_comma offsetof(ngx_http_ssl_srv_conf_t, stapling_verify), NULL }, + { ngx_string("ssl_psk_file"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, psk_file), + NULL }, + ngx_null_command }; @@ -543,6 +550,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t * sscf->shm_zone = NULL; * sscf->stapling_file = { 0, NULL }; * sscf->stapling_responder = { 0, NULL }; + * sscf->psk_file = { 0, NULL }; */ sscf->enable = NGX_CONF_UNSET; @@ -624,6 +632,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t * ngx_conf_merge_str_value(conf->stapling_responder, prev->stapling_responder, ""); + ngx_conf_merge_str_value(conf->psk_file, prev->psk_file, ""); + conf->ssl.log = cf->log; if (conf->enable) { @@ -804,6 +814,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t * } + if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file) != NGX_OK) { + return NGX_CONF_ERROR; + } + return NGX_CONF_OK; } diff --git a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h --- a/src/http/modules/ngx_http_ssl_module.h +++ b/src/http/modules/ngx_http_ssl_module.h @@ -55,6 +55,8 @@ typedef struct { ngx_str_t stapling_file; ngx_str_t stapling_responder; + ngx_str_t psk_file; + u_char *file; ngx_uint_t line; } ngx_http_ssl_srv_conf_t; # HG changeset patch # User Nate Karstens # Date 1503540211 18000 # Wed Aug 23 21:03:31 2017 -0500 # Node ID 3d2e75b562a3615757d17a00cc54db2d2e90ddd0 # Parent d89f77108fa8a20bc1fb9cdbaf43fefbc5e07119 SSL: add PSK identity variable. Adds the variable $ssl_psk_identity to get the PSK identity used in a connnection secured with a PSK cipher suite. Signed-off-by: Nate Karstens diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -4350,6 +4350,37 @@ ngx_ssl_parse_time( } +ngx_int_t +ngx_ssl_get_psk_identity(ngx_connection_t *c, ngx_pool_t *pool, +ngx_str_t *s) { #ifdef PSK_MAX_IDENTITY_LEN + + size_t len; + const char *identity; + + identity = SSL_get_psk_identity(c->ssl->connection); + + if (identity) { + len = ngx_strlen(identity); + + s->len = len; + s->data = ngx_pnalloc(pool, len); + if (s->data == NULL) { + return NGX_ERROR; + } + + ngx_memcpy(s->data, identity, len); + + return NGX_OK; + } + +#endif + + s->len = 0; + return NGX_OK; +} + + static void * ngx_openssl_create_conf(ngx_cycle_t *cycle) { diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -235,6 +235,8 @@ ngx_int_t ngx_ssl_get_client_v_end(ngx_c ngx_str_t *s); ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s); +ngx_int_t ngx_ssl_get_psk_identity(ngx_connection_t *c, ngx_pool_t *pool, + ngx_str_t *s); ngx_int_t ngx_ssl_handshake(ngx_connection_t *c); diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -340,6 +340,9 @@ static ngx_http_variable_t ngx_http_ssl { ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable, (uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 }, + { ngx_string("ssl_psk_identity"), NULL, ngx_http_ssl_variable, + (uintptr_t) ngx_ssl_get_psk_identity, NGX_HTTP_VAR_CHANGEABLE, 0 + }, + ngx_http_null_variable }; # HG changeset patch # User Nate Karstens # Date 1503540237 18000 # Wed Aug 23 21:03:57 2017 -0500 # Node ID 3876f3a8d4bb1bdaabc61492bf8be838d9dae5fb # Parent 3d2e75b562a3615757d17a00cc54db2d2e90ddd0 SSL: add identity hint config directive. Adds the directive "ssl_psk_identity_hint" to the ngx_http_ssl_module. This allows the user to specify the PSK identity hint given to the connecting client. Signed-off-by: Nate Karstens diff --git a/contrib/vim/syntax/nginx.vim b/contrib/vim/syntax/nginx.vim --- a/contrib/vim/syntax/nginx.vim +++ b/contrib/vim/syntax/nginx.vim @@ -551,6 +551,7 @@ syn keyword ngxDirective contained ssl_p syn keyword ngxDirective contained ssl_preread syn keyword ngxDirective contained ssl_protocols syn keyword ngxDirective contained ssl_psk_file +syn keyword ngxDirective contained ssl_psk_identity_hint syn keyword ngxDirective contained ssl_session_cache syn keyword ngxDirective contained ssl_session_ticket_key syn keyword ngxDirective contained ssl_session_tickets diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -1177,7 +1177,8 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_s ngx_int_t -ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) +ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, + ngx_str_t *identity_hint) { #ifdef PSK_MAX_IDENTITY_LEN @@ -1191,6 +1192,14 @@ ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl return NGX_ERROR; } + if (SSL_CTX_use_psk_identity_hint(ssl->ctx, (char *) identity_hint->data) + == 0) + { + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, + "SSL_CTX_use_psk_identity_hint() failed"); + return NGX_ERROR; + } + SSL_CTX_set_psk_server_callback(ssl->ctx, ngx_ssl_psk_callback); #endif diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -167,7 +167,8 @@ RSA *ngx_ssl_rsa512_key_callback(ngx_ssl ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file); ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file); ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name); -ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file); +ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, + ngx_str_t *identity_hint); ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout); ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -241,6 +241,13 @@ static ngx_command_t ngx_http_ssl_comma offsetof(ngx_http_ssl_srv_conf_t, psk_file), NULL }, + { ngx_string("ssl_psk_identity_hint"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, psk_identity_hint), + NULL }, + ngx_null_command }; @@ -554,6 +561,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t * sscf->stapling_file = { 0, NULL }; * sscf->stapling_responder = { 0, NULL }; * sscf->psk_file = { 0, NULL }; + * sscf->psk_identity_hint = { 0, NULL }; */ sscf->enable = NGX_CONF_UNSET; @@ -636,6 +644,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t * prev->stapling_responder, ""); ngx_conf_merge_str_value(conf->psk_file, prev->psk_file, ""); + ngx_conf_merge_str_value(conf->psk_identity_hint, + prev->psk_identity_hint, ""); conf->ssl.log = cf->log; @@ -817,7 +827,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t * } - if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file) != NGX_OK) { + if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file, + &conf->psk_identity_hint) + != NGX_OK) + { return NGX_CONF_ERROR; } diff --git a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h --- a/src/http/modules/ngx_http_ssl_module.h +++ b/src/http/modules/ngx_http_ssl_module.h @@ -56,6 +56,7 @@ typedef struct { ngx_str_t stapling_responder; ngx_str_t psk_file; + ngx_str_t psk_identity_hint; u_char *file; ngx_uint_t line; -- Maxim Dounin http://nginx.org/ _______________________________________________ nginx-devel mailing list nginx-devel at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel ________________________________ CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you. From xeioex at nginx.com Fri Sep 1 15:51:43 2017 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Fri, 01 Sep 2017 15:51:43 +0000 Subject: [njs] Fixed passing uninitialized value to printf(). Message-ID: details: http://hg.nginx.org/njs/rev/fc92d8af502c branches: changeset: 406:fc92d8af502c user: Dmitry Volyntsev date: Fri Sep 01 18:51:17 2017 +0300 description: Fixed passing uninitialized value to printf(). Previously, njs_ext_console_log() passed an uninitialized value to printf() function in the case of an error. The precison argument was set to 0 in such a case, so well-behaved implementation was able to handle it properly. Setting this value to NULL, just to make sure and to make Coverity Scan happy. diffstat: njs/njs.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (11 lines): diff -r 2a8aa9783fe9 -r fc92d8af502c njs/njs.c --- a/njs/njs.c Thu Aug 31 20:50:25 2017 +0300 +++ b/njs/njs.c Fri Sep 01 18:51:17 2017 +0300 @@ -598,6 +598,7 @@ njs_ext_console_log(njs_vm_t *vm, njs_va nxt_str_t msg; msg.length = 0; + msg.start = NULL; if (nargs >= 2 && njs_value_to_ext_string(vm, &msg, njs_argument(args, 1)) From xeioex at nginx.com Fri Sep 1 15:51:50 2017 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Fri, 01 Sep 2017 15:51:50 +0000 Subject: [njs] Fixed fd leakage in njs_process_file(). Message-ID: details: http://hg.nginx.org/njs/rev/fa735c652e7c branches: changeset: 407:fa735c652e7c user: Dmitry Volyntsev date: Fri Sep 01 18:51:20 2017 +0300 description: Fixed fd leakage in njs_process_file(). Initially, njs_process_file() was not designed to be invoked multiple times. Making it reusable by releasing the resources used. diffstat: njs/njs.c | 29 +++++++++++++++++++++++------ 1 files changed, 23 insertions(+), 6 deletions(-) diffs (72 lines): diff -r fc92d8af502c -r fa735c652e7c njs/njs.c --- a/njs/njs.c Fri Sep 01 18:51:17 2017 +0300 +++ b/njs/njs.c Fri Sep 01 18:51:20 2017 +0300 @@ -335,7 +335,8 @@ njs_process_file(njs_opts_t *opts, njs_v script.start = realloc(NULL, size); if (script.start == NULL) { fprintf(stderr, "alloc failed while reading '%s'\n", file); - return NXT_ERROR; + ret = NXT_ERROR; + goto done; } p = script.start; @@ -351,7 +352,8 @@ njs_process_file(njs_opts_t *opts, njs_v if (n < 0) { fprintf(stderr, "failed to read file: '%s' (%s)\n", file, strerror(errno)); - return NXT_ERROR; + ret = NXT_ERROR; + goto done; } if (p + n > end) { @@ -360,7 +362,8 @@ njs_process_file(njs_opts_t *opts, njs_v script.start = realloc(script.start, size); if (script.start == NULL) { fprintf(stderr, "alloc failed while reading '%s'\n", file); - return NXT_ERROR; + ret = NXT_ERROR; + goto done; } p = script.start + script.length; @@ -376,13 +379,15 @@ njs_process_file(njs_opts_t *opts, njs_v vm = njs_vm_create(vm_options); if (vm == NULL) { fprintf(stderr, "failed to create vm\n"); - return NXT_ERROR; + ret = NXT_ERROR; + goto done; } ret = njs_process_script(vm, opts, &script, &out); if (ret != NXT_OK) { fprintf(stderr, "failed to get retval from VM\n"); - return NXT_ERROR; + ret = NXT_ERROR; + goto done; } if (!opts->disassemble) { @@ -394,7 +399,19 @@ njs_process_file(njs_opts_t *opts, njs_v } } - return NXT_OK; + ret = NXT_OK; + +done: + + if (script.start != NULL) { + free(script.start); + } + + if (fd != STDIN_FILENO) { + close(fd); + } + + return ret; } From xeioex at nginx.com Fri Sep 1 15:51:52 2017 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Fri, 01 Sep 2017 15:51:52 +0000 Subject: [njs] Checking the return value of fstat(). Message-ID: details: http://hg.nginx.org/njs/rev/616370bb1386 branches: changeset: 408:616370bb1386 user: Dmitry Volyntsev date: Fri Sep 01 18:51:20 2017 +0300 description: Checking the return value of fstat(). Just to make sure and to make Coverity Scan happy. diffstat: njs/njs.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) diffs (26 lines): diff -r fa735c652e7c -r 616370bb1386 njs/njs.c --- a/njs/njs.c Fri Sep 01 18:51:20 2017 +0300 +++ b/njs/njs.c Fri Sep 01 18:51:20 2017 +0300 @@ -323,7 +323,12 @@ njs_process_file(njs_opts_t *opts, njs_v } } - fstat(fd, &sb); + if (fstat(fd, &sb) == -1) { + fprintf(stderr, "fstat(%d) failed while reading '%s' (%s)\n", + fd, file, strerror(errno)); + ret = NXT_ERROR; + goto close_fd; + } size = sizeof(buf); @@ -407,6 +412,8 @@ done: free(script.start); } +close_fd: + if (fd != STDIN_FILENO) { close(fd); } From vinicius.mignot at azion.com Fri Sep 1 18:55:57 2017 From: vinicius.mignot at azion.com (Vinicius Mignot) Date: Fri, 1 Sep 2017 15:55:57 -0300 Subject: File cache inactive queue full Message-ID: <1AE68B7F-4B53-433E-A784-72DBEDABE2BE@azion.com> Hello, I?m facing some problems when file cache is being cleaned by hitting watermark. Some files are not deleted after getting in expiring criteria, they just keep being moved to the head of the inactive queue. After some time, all top positions are filled and no files are removed anymore. I have some guesses and I believe your opinion will be valuable on my quest :) 1. Is it possible that a race condition affects this code? If c->updating ou c->lock_time is changed somewhere else, fcn->updating will keep true, and won?t ever be removed: src/http/ngx_http_file_cache.c 0419 if (!c->node->updating || (ngx_msec_int_t) timer <= 0) { 0420 c->node->updating = 1; 0421 c->node->lock_time = now + c->lock_age; 0422 c->updating = 1; 0423 c->lock_time = c->node->lock_time; 0424 } 1634 if (c->updating && fcn->lock_time == c->lock_time) { 1635 fcn->updating = 0; 1636 } 2. In the ngx_http_upstream_intercept_errors function there is a call to ngx_http_file_cache_free function, but it seems that without a call to file_cache_lock before some parameters may be uninitialized in the ngx_http_cache_t structure passed as parameter. Have you faced any problem like this? Do you have any suggestions about where to look to fix this behavior? I?m using nginx 1.10.3. Thanks! Vinicius. From mdounin at mdounin.ru Sat Sep 2 12:35:11 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Sat, 2 Sep 2017 15:35:11 +0300 Subject: File cache inactive queue full In-Reply-To: <1AE68B7F-4B53-433E-A784-72DBEDABE2BE@azion.com> References: <1AE68B7F-4B53-433E-A784-72DBEDABE2BE@azion.com> Message-ID: <20170902123511.GI93611@mdounin.ru> Hello! On Fri, Sep 01, 2017 at 03:55:57PM -0300, Vinicius Mignot wrote: > I?m facing some problems when file cache is being cleaned by > hitting watermark. Some files are not deleted after getting in > expiring criteria, they just keep being moved to the head of the > inactive queue. After some time, all top positions are filled > and no files are removed anymore. This can happen in two basic cases: 1. There is a socket leak somewhere, and leaked connections keep reference counts of relevant cache nodes incremented. As of now, there are some reports of socket leak problem somewhere in HTTP/2 code, see https://trac.nginx.org/nginx/ticket/1163. 2. There are worker crashes. Both cases should be clearly visible in logs. Leaks are reported during worker shutdown, and crashes are reported as they happen. -- Maxim Dounin http://nginx.org/ From ml.software at leenaa.rs Sun Sep 3 20:35:37 2017 From: ml.software at leenaa.rs (Michiel Leenaars) Date: Sun, 03 Sep 2017 22:35:37 +0200 Subject: [PATCH] Add missing mimetypes for ISO/IEC 26300 / OASIS OpenDocument Format, Message-ID: # HG changeset patch # User Michiel Leenaars # Date 1504470448 -7200 # Sun Sep 03 22:27:28 2017 +0200 # Node ID c3048254f47f935210810ce7be283853f5b2a58d # Parent c7d4017c8876af6d8570e400320537d7d39e9578 Add missing mimetypes for ISO/IEC 26300 / OASIS OpenDocument Format, and for older StarOffice files. These are required to serve OpenDocument Format files with the correct mimetypes. The mimetypes are properly registered at IANA: https://www.iana.org/assignments/media-types/media-types.xhtml diff -r c7d4017c8876 -r c3048254f47f conf/mime.types --- a/conf/mime.types Tue Aug 22 21:22:59 2017 +0300 +++ b/conf/mime.types Sun Sep 03 22:27:28 2017 +0200 @@ -68,6 +68,38 @@ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; + application/vnd.stardivision.chart sds; + application/vnd.stardivision.calc sdc; + application/vnd.stardivision.writer sdw; + application/vnd.stardivision.writer-global sgl; + application/vnd.stardivision.draw sda; + application/vnd.stardivision.impress sdd; + application/vnd.stardivision.math sdf; + application/vnd.sun.xml.writer sxw; + application/vnd.sun.xml.writer.template stw; + application/vnd.sun.xml.writer.global sxg; + application/vnd.sun.xml.calc sxc; + application/vnd.sun.xml.calc.template stc; + application/vnd.sun.xml.impress sxi; + application/vnd.sun.xml.impress.template sti; + application/vnd.sun.xml.draw sxd; + application/vnd.sun.xml.draw.template std; + application/vnd.sun.xml.math sxm; + application/vnd.oasis.opendocument.text odt; + application/vnd.oasis.opendocument.text-template ott; + application/vnd.oasis.opendocument.text-web oth; + application/vnd.oasis.opendocument.text-master odm; + application/vnd.oasis.opendocument.graphics odg; + application/vnd.oasis.opendocument.graphics-template otg; + application/vnd.oasis.opendocument.presentation odp; + application/vnd.oasis.opendocument.presentation-template otp; + application/vnd.oasis.opendocument.spreadsheet ods; + application/vnd.oasis.opendocument.spreadsheet-template ots; + application/vnd.oasis.opendocument.chart odc; + application/vnd.oasis.opendocument.formula odf; + application/vnd.oasis.opendocument.database odb; + application/vnd.oasis.opendocument.image odi; + audio/midi mid midi kar; audio/mpeg mp3; audio/ogg ogg; @@ -86,4 +118,6 @@ video/x-ms-asf asx asf; video/x-ms-wmv wmv; video/x-msvideo avi; + + } From thomas at glanzmann.de Mon Sep 4 06:25:53 2017 From: thomas at glanzmann.de (Thomas Glanzmann) Date: Mon, 4 Sep 2017 08:25:53 +0200 Subject: Linux KTLS for nginx Message-ID: <20170904062553.GA26866@glanzmann.de> Hello, is someone working on KTLS for nginx, if not will patches for this be accepted? https://netdevconf.org/1.2/papers/ktls.pdf Cheers, Thomas From mdounin at mdounin.ru Mon Sep 4 15:06:31 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 4 Sep 2017 18:06:31 +0300 Subject: Linux KTLS for nginx In-Reply-To: <20170904062553.GA26866@glanzmann.de> References: <20170904062553.GA26866@glanzmann.de> Message-ID: <20170904150630.GM93611@mdounin.ru> Hello! On Mon, Sep 04, 2017 at 08:25:53AM +0200, Thomas Glanzmann wrote: > Hello, > is someone working on KTLS for nginx, if not will patches for this be > accepted? > > https://netdevconf.org/1.2/papers/ktls.pdf The interface suggested looks rather hacky, so I doubt it will be possible to provide something good enough within nginx itself. In particular, code samples in the paper seem to require access to internal OpenSSL structures, which is not possible in OpenSSL 1.1.0+. -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Mon Sep 4 15:56:12 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 4 Sep 2017 18:56:12 +0300 Subject: [PATCH] Add missing mimetypes for ISO/IEC 26300 / OASIS OpenDocument Format, In-Reply-To: References: Message-ID: <20170904155612.GN93611@mdounin.ru> Hello! On Sun, Sep 03, 2017 at 10:35:37PM +0200, Michiel Leenaars wrote: > # HG changeset patch > # User Michiel Leenaars > # Date 1504470448 -7200 > # Sun Sep 03 22:27:28 2017 +0200 > # Node ID c3048254f47f935210810ce7be283853f5b2a58d > # Parent c7d4017c8876af6d8570e400320537d7d39e9578 > Add missing mimetypes for ISO/IEC 26300 / OASIS OpenDocument Format, > and for older StarOffice files. Please also take a look at http://nginx.org/en/docs/contributing_changes.html, there should be a single-line summary as the first line of the commit log. > > These are required to serve OpenDocument Format files with the correct > mimetypes. The mimetypes are properly registered at IANA: > > https://www.iana.org/assignments/media-types/media-types.xhtml > > diff -r c7d4017c8876 -r c3048254f47f conf/mime.types > --- a/conf/mime.types Tue Aug 22 21:22:59 2017 +0300 > +++ b/conf/mime.types Sun Sep 03 22:27:28 2017 +0200 > @@ -68,6 +68,38 @@ > application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; > application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; > > + application/vnd.stardivision.chart sds; > + application/vnd.stardivision.calc sdc; > + application/vnd.stardivision.writer sdw; > + application/vnd.stardivision.writer-global sgl; > + application/vnd.stardivision.draw sda; > + application/vnd.stardivision.impress sdd; > + application/vnd.stardivision.math sdf; > + application/vnd.sun.xml.writer sxw; > + application/vnd.sun.xml.writer.template stw; > + application/vnd.sun.xml.writer.global sxg; > + application/vnd.sun.xml.calc sxc; > + application/vnd.sun.xml.calc.template stc; > + application/vnd.sun.xml.impress sxi; > + application/vnd.sun.xml.impress.template sti; > + application/vnd.sun.xml.draw sxd; > + application/vnd.sun.xml.draw.template std; > + application/vnd.sun.xml.math sxm; > + application/vnd.oasis.opendocument.text odt; > + application/vnd.oasis.opendocument.text-template ott; > + application/vnd.oasis.opendocument.text-web oth; > + application/vnd.oasis.opendocument.text-master odm; > + application/vnd.oasis.opendocument.graphics odg; > + application/vnd.oasis.opendocument.graphics-template otg; > + application/vnd.oasis.opendocument.presentation odp; > + application/vnd.oasis.opendocument.presentation-template otp; > + application/vnd.oasis.opendocument.spreadsheet ods; > + application/vnd.oasis.opendocument.spreadsheet-template ots; > + application/vnd.oasis.opendocument.chart odc; > + application/vnd.oasis.opendocument.formula odf; > + application/vnd.oasis.opendocument.database odb; > + application/vnd.oasis.opendocument.image odi; > + > audio/midi mid midi kar; > audio/mpeg mp3; > audio/ogg ogg; No, thanks. We generally do not try to include into conf/mime.types all the MIME types in the world, but rather only most popular types commonly used on websites. In particular, this - prevents serving incorrect MIME type for files accidentally having the same extension as one of the types listed; - saves some CPU cycles. If you think that some of these types are popular enough and deserve adding nevertheless, please resend the patch reduced to only these types (and, ideally, providing some motivation). > @@ -86,4 +118,6 @@ > video/x-ms-asf asx asf; > video/x-ms-wmv wmv; > video/x-msvideo avi; > + > + > } Please avoid unrelated whitespace changes. -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Mon Sep 4 16:01:18 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 4 Sep 2017 19:01:18 +0300 Subject: [PATCH] [PATCH 4 of 4] SSL: add identity hint config directive In-Reply-To: References: <010421> <62b4032371bd45217d40.1503541363@OLA-6J5NNS1.ad.garmin.com> <20170831144444.GG93611@mdounin.ru> Message-ID: <20170904160118.GO93611@mdounin.ru> Hello! On Fri, Sep 01, 2017 at 01:18:56PM +0000, Karstens, Nate wrote: > Maxim, > > Your changes look good and test well -- works for me! > > Thanks for your work on this, and for your patience! Thank you for your work, too. Some additionall problems I'v found looking into this: 1. In the previous review, http://mailman.nginx.org/pipermail/nginx-devel/2017-August/010419.html, I've asked to not set callback if file is not empty: : Always configuring a callback is probably not a good idea. : Instead, there should be a check if file is not empty. : : In particular, this will result in cryptic messages like: : : ... [error] ... open() "" failed (SSL:) (2: No such file or directory) while SSL handshaking : : on servers without PSK file configured if a client tries to : use PSK. I think you've probably get me wrong, and instead tried to check the file contents. This is not what I mean, I've asked to check the "file" string to see if it is empty, and do nothing if it is - that is, if there is no PSK file specified in the configuration. There should be something like this in the code, similar to ngx_ssl_dhparam(): @@ -1181,6 +1181,10 @@ ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl { #ifdef PSK_MAX_IDENTITY_LEN + if (file->len == 0) { + return NGX_OK; + } + if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { return NGX_ERROR; } This should prevent configurations without ssl_psk_file configured from trying to use PSK callback and reading the configuration directory in an attempt to find a secret as the code without the check does. 2. Error logging in the ngx_ssl_psk_callback() function is not correct. It uses ngx_ssl_error() function, which is intended to log OpenSSL-specific errors with error details extracted from the OpenSSL error stack. This function uses normal file operations though, and the OpenSSL error stack is always empty. As such, all messages will contain meaningless "(SSL:)" part. To avoid this, errors should be logged using normal ngx_log_error(). Updated patches below. Note well that I'm still not sure if it is good idea to read ssl_psk_file from worker processes instead of reading it once on startup as we do with SSL certificate keys (or, for example, ticket keys). This and the fact that PSK keys are not protected anyhow, neither with additional password nor hashing, implies that PSK keys can be easily compromissed if an attacker is able to read files accessible to nginx user. I'm going to postpone further work on this till at least some feedback from people using it in the real world. # HG changeset patch # User Nate Karstens # Date 1503540018 18000 # Wed Aug 23 21:00:18 2017 -0500 # Node ID a87e224e8d6b2993dfcd8903bfb0e7eb7fd934fa # Parent c7d4017c8876af6d8570e400320537d7d39e9578 Core: add function to decode hexadecimal strings. Adds functionality to convert a hexadecimal string into binary data. This will be used to decode PSKs stored in hexadecimal representation. Signed-off-by: Nate Karstens diff --git a/src/core/ngx_string.c b/src/core/ngx_string.c --- a/src/core/ngx_string.c +++ b/src/core/ngx_string.c @@ -1118,6 +1118,56 @@ ngx_hex_dump(u_char *dst, u_char *src, s } +ngx_int_t +ngx_hex_decode(u_char *dst, u_char *src, size_t len) +{ + u_char ch, decoded; + + if (len & 1) { + return NGX_ERROR; + } + + while (len) { + ch = *src++; + len -= 2; + + if (ch >= '0' && ch <= '9') { + decoded = ch - '0'; + goto second; + } + + ch |= 0x20; + + if (ch >= 'a' && ch <= 'f') { + decoded = ch - 'a' + 10; + goto second; + } + + return NGX_ERROR; + + second: + + ch = *src++; + + if (ch >= '0' && ch <= '9') { + *dst++ = (u_char) ((decoded << 4) + ch - '0'); + continue; + } + + ch |= 0x20; + + if (ch >= 'a' && ch <= 'f') { + *dst++ = (u_char) ((decoded << 4) + ch - 'a' + 10); + continue; + } + + return NGX_ERROR; + } + + return NGX_OK; +} + + void ngx_encode_base64(ngx_str_t *dst, ngx_str_t *src) { diff --git a/src/core/ngx_string.h b/src/core/ngx_string.h --- a/src/core/ngx_string.h +++ b/src/core/ngx_string.h @@ -177,6 +177,7 @@ time_t ngx_atotm(u_char *line, size_t n) ngx_int_t ngx_hextoi(u_char *line, size_t n); u_char *ngx_hex_dump(u_char *dst, u_char *src, size_t len); +ngx_int_t ngx_hex_decode(u_char *dst, u_char *src, size_t len); #define ngx_base64_encoded_length(len) (((len + 2) / 3) * 4) # HG changeset patch # User Nate Karstens # Date 1503540059 18000 # Wed Aug 23 21:00:59 2017 -0500 # Node ID 0cc14a10c863f3d9ba6cb8b6d3769592d619d654 # Parent a87e224e8d6b2993dfcd8903bfb0e7eb7fd934fa SSL: add support for PSK cipher suites. Adds support for TLS connections using PSK cipher suites. A new configuration directive, ssl_psk_file, specifies the file that contains a list of identities and associated PSKs. Each line of the file begins with the identity, followed by a colon character (':'), and ending with the PSK. As required by RFC 4279 section 5.4, PSKs may be entered either as plain text or using hexadecimal encoding. Hexadecimal PSKs must begin with "{HEX}". PSKs without this prefix are assumed to be plain text, but they may optionally begin with "{PLAIN}" to denote this. Some examples: gary:plain_text_password min:{PLAIN}another_text_password cliff:{HEX}ab0123CD PSK functionality can be easily tested with the OpenSSL s_client using the "-psk" and "-psk_identity" options. Signed-off-by: Nate Karstens diff --git a/contrib/vim/syntax/nginx.vim b/contrib/vim/syntax/nginx.vim --- a/contrib/vim/syntax/nginx.vim +++ b/contrib/vim/syntax/nginx.vim @@ -550,6 +550,7 @@ syn keyword ngxDirective contained ssl_p syn keyword ngxDirective contained ssl_prefer_server_ciphers syn keyword ngxDirective contained ssl_preread syn keyword ngxDirective contained ssl_protocols +syn keyword ngxDirective contained ssl_psk_file syn keyword ngxDirective contained ssl_session_cache syn keyword ngxDirective contained ssl_session_ticket_key syn keyword ngxDirective contained ssl_session_tickets diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -11,6 +11,7 @@ #define NGX_SSL_PASSWORD_BUFFER_SIZE 4096 +#define NGX_SSL_PSK_BUFFER_SIZE 4096 typedef struct { @@ -24,6 +25,10 @@ static int ngx_ssl_verify_callback(int o static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret); static void ngx_ssl_passwords_cleanup(void *data); +#ifdef PSK_MAX_IDENTITY_LEN +static unsigned int ngx_ssl_psk_callback(ngx_ssl_conn_t *ssl_conn, + const char *identity, unsigned char *psk, unsigned int max_psk_len); +#endif static void ngx_ssl_handshake_handler(ngx_event_t *ev); static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n); static void ngx_ssl_write_handler(ngx_event_t *wev); @@ -110,6 +115,7 @@ int ngx_ssl_connection_index; int ngx_ssl_server_conf_index; int ngx_ssl_session_cache_index; int ngx_ssl_session_ticket_keys_index; +int ngx_ssl_psk_index; int ngx_ssl_certificate_index; int ngx_ssl_next_certificate_index; int ngx_ssl_certificate_name_index; @@ -195,6 +201,14 @@ ngx_ssl_init(ngx_log_t *log) return NGX_ERROR; } + ngx_ssl_psk_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); + + if (ngx_ssl_psk_index == -1) { + ngx_ssl_error(NGX_LOG_ALERT, log, 0, + "SSL_CTX_get_ex_new_index() failed"); + return NGX_ERROR; + } + ngx_ssl_certificate_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); if (ngx_ssl_certificate_index == -1) { @@ -1163,6 +1177,176 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_s ngx_int_t +ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) +{ +#ifdef PSK_MAX_IDENTITY_LEN + + if (file->len == 0) { + return NGX_OK; + } + + if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { + return NGX_ERROR; + } + + if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_psk_index, file) == 0) { + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, + "SSL_CTX_set_ex_data() failed"); + return NGX_ERROR; + } + + SSL_CTX_set_psk_server_callback(ssl->ctx, ngx_ssl_psk_callback); + +#endif + + return NGX_OK; +} + + +#ifdef PSK_MAX_IDENTITY_LEN + +static unsigned int +ngx_ssl_psk_callback(ngx_ssl_conn_t *ssl_conn, const char *identity, + unsigned char *psk, unsigned int max_psk_len) +{ + u_char *p, *last, *end, *colon; + size_t len; + ssize_t n; + SSL_CTX *ssl_ctx; + ngx_fd_t fd; + ngx_str_t *file; + unsigned int psk_len; + ngx_connection_t *c; + u_char buf[NGX_SSL_PSK_BUFFER_SIZE]; + + c = ngx_ssl_get_connection(ssl_conn); + + ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "ssl psk callback"); + + ssl_ctx = SSL_get_SSL_CTX(ssl_conn); + file = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_psk_index); + + fd = ngx_open_file(file->data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0); + if (fd == NGX_INVALID_FILE) { + ngx_log_error(NGX_LOG_ERR, c->log, ngx_errno, + ngx_open_file_n " \"%V\" failed", file); + return 0; + } + + psk_len = 0; + + len = 0; + last = buf; + + do { + n = ngx_read_fd(fd, last, NGX_SSL_PSK_BUFFER_SIZE - len); + + if (n == -1) { + ngx_log_error(NGX_LOG_ERR, c->log, ngx_errno, + ngx_read_fd_n " \"%V\" failed", file); + goto cleanup; + } + + end = last + n; + + if (len && n == 0) { + *end++ = LF; + } + + for (p = buf; /* void */; p = last) { + last = ngx_strlchr(last, end, LF); + + if (last == NULL) { + break; + } + + len = last++ - p; + + if (len && p[len - 1] == CR) { + len--; + } + + if (len == 0) { + continue; + } + + colon = ngx_strlchr(p, p + len, ':'); + + if (colon == NULL) { + continue; + } + + *colon = '\0'; + + if (ngx_strcmp(p, identity) != 0) { + continue; + } + + len -= colon + 1 - p; + p = colon + 1; + + if (ngx_strncmp(p, "{HEX}", sizeof("{HEX}") - 1) == 0) { + + p += sizeof("{HEX}") - 1; + len -= sizeof("{HEX}") - 1; + + if (len / 2 > max_psk_len) { + goto cleanup; + } + + if (ngx_hex_decode(psk, p, len) != NGX_OK) { + ngx_memzero(psk, len / 2); + goto cleanup; + } + + psk_len = len / 2; + + goto cleanup; + + } else if (ngx_strncmp(p, "{PLAIN}", sizeof("{PLAIN}") - 1) == 0) { + p += sizeof("{PLAIN}") - 1; + len -= sizeof("{PLAIN}") - 1; + } + + if (len > max_psk_len) { + goto cleanup; + } + + ngx_memcpy(psk, p, len); + psk_len = len; + + goto cleanup; + } + + len = end - p; + + if (len == NGX_SSL_PSK_BUFFER_SIZE) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, + "too long line in \"%V\"", file); + goto cleanup; + } + + ngx_memmove(buf, p, len); + last = buf + len; + + } while (n != 0); + +cleanup: + + if (ngx_close_file(fd) == NGX_FILE_ERROR) { + ngx_log_error(NGX_LOG_ALERT, c->log, ngx_errno, + ngx_close_file_n " %V failed", file); + } + + ngx_memzero(buf, NGX_SSL_PSK_BUFFER_SIZE); + + return psk_len; +} + +#endif + + +ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags) { ngx_ssl_connection_t *sc; @@ -2071,6 +2255,9 @@ ngx_ssl_connection_error(ngx_connection_ || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */ || n == SSL_R_NO_SHARED_CIPHER /* 193 */ || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */ +#ifdef SSL_R_PSK_IDENTITY_NOT_FOUND + || n == SSL_R_PSK_IDENTITY_NOT_FOUND /* 223 */ +#endif #ifdef SSL_R_PARSE_TLSEXT || n == SSL_R_PARSE_TLSEXT /* 227 */ #endif diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -167,6 +167,7 @@ RSA *ngx_ssl_rsa512_key_callback(ngx_ssl ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file); ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file); ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name); +ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file); ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout); ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, @@ -253,6 +254,7 @@ extern int ngx_ssl_connection_index; extern int ngx_ssl_server_conf_index; extern int ngx_ssl_session_cache_index; extern int ngx_ssl_session_ticket_keys_index; +extern int ngx_ssl_psk_index; extern int ngx_ssl_certificate_index; extern int ngx_ssl_next_certificate_index; extern int ngx_ssl_certificate_name_index; diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -234,6 +234,13 @@ static ngx_command_t ngx_http_ssl_comma offsetof(ngx_http_ssl_srv_conf_t, stapling_verify), NULL }, + { ngx_string("ssl_psk_file"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, psk_file), + NULL }, + ngx_null_command }; @@ -543,6 +550,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t * sscf->shm_zone = NULL; * sscf->stapling_file = { 0, NULL }; * sscf->stapling_responder = { 0, NULL }; + * sscf->psk_file = { 0, NULL }; */ sscf->enable = NGX_CONF_UNSET; @@ -624,6 +632,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t * ngx_conf_merge_str_value(conf->stapling_responder, prev->stapling_responder, ""); + ngx_conf_merge_str_value(conf->psk_file, prev->psk_file, ""); + conf->ssl.log = cf->log; if (conf->enable) { @@ -804,6 +814,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t * } + if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file) != NGX_OK) { + return NGX_CONF_ERROR; + } + return NGX_CONF_OK; } diff --git a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h --- a/src/http/modules/ngx_http_ssl_module.h +++ b/src/http/modules/ngx_http_ssl_module.h @@ -55,6 +55,8 @@ typedef struct { ngx_str_t stapling_file; ngx_str_t stapling_responder; + ngx_str_t psk_file; + u_char *file; ngx_uint_t line; } ngx_http_ssl_srv_conf_t; # HG changeset patch # User Nate Karstens # Date 1503540211 18000 # Wed Aug 23 21:03:31 2017 -0500 # Node ID 396eff1bc17996ae8f4fd9e56f5dd9b72f8ce923 # Parent 0cc14a10c863f3d9ba6cb8b6d3769592d619d654 SSL: add PSK identity variable. Adds the variable $ssl_psk_identity to get the PSK identity used in a connnection secured with a PSK cipher suite. Signed-off-by: Nate Karstens diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -4356,6 +4356,37 @@ ngx_ssl_parse_time( } +ngx_int_t +ngx_ssl_get_psk_identity(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) +{ +#ifdef PSK_MAX_IDENTITY_LEN + + size_t len; + const char *identity; + + identity = SSL_get_psk_identity(c->ssl->connection); + + if (identity) { + len = ngx_strlen(identity); + + s->len = len; + s->data = ngx_pnalloc(pool, len); + if (s->data == NULL) { + return NGX_ERROR; + } + + ngx_memcpy(s->data, identity, len); + + return NGX_OK; + } + +#endif + + s->len = 0; + return NGX_OK; +} + + static void * ngx_openssl_create_conf(ngx_cycle_t *cycle) { diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -235,6 +235,8 @@ ngx_int_t ngx_ssl_get_client_v_end(ngx_c ngx_str_t *s); ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s); +ngx_int_t ngx_ssl_get_psk_identity(ngx_connection_t *c, ngx_pool_t *pool, + ngx_str_t *s); ngx_int_t ngx_ssl_handshake(ngx_connection_t *c); diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -340,6 +340,9 @@ static ngx_http_variable_t ngx_http_ssl { ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable, (uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 }, + { ngx_string("ssl_psk_identity"), NULL, ngx_http_ssl_variable, + (uintptr_t) ngx_ssl_get_psk_identity, NGX_HTTP_VAR_CHANGEABLE, 0 }, + ngx_http_null_variable }; # HG changeset patch # User Nate Karstens # Date 1503540237 18000 # Wed Aug 23 21:03:57 2017 -0500 # Node ID b9689aaec94bcddbf17c16eb55794782f3badd4e # Parent 396eff1bc17996ae8f4fd9e56f5dd9b72f8ce923 SSL: add identity hint config directive. Adds the directive "ssl_psk_identity_hint" to the ngx_http_ssl_module. This allows the user to specify the PSK identity hint given to the connecting client. Signed-off-by: Nate Karstens diff --git a/contrib/vim/syntax/nginx.vim b/contrib/vim/syntax/nginx.vim --- a/contrib/vim/syntax/nginx.vim +++ b/contrib/vim/syntax/nginx.vim @@ -551,6 +551,7 @@ syn keyword ngxDirective contained ssl_p syn keyword ngxDirective contained ssl_preread syn keyword ngxDirective contained ssl_protocols syn keyword ngxDirective contained ssl_psk_file +syn keyword ngxDirective contained ssl_psk_identity_hint syn keyword ngxDirective contained ssl_session_cache syn keyword ngxDirective contained ssl_session_ticket_key syn keyword ngxDirective contained ssl_session_tickets diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -1177,7 +1177,8 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_s ngx_int_t -ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) +ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, + ngx_str_t *identity_hint) { #ifdef PSK_MAX_IDENTITY_LEN @@ -1195,6 +1196,14 @@ ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl return NGX_ERROR; } + if (SSL_CTX_use_psk_identity_hint(ssl->ctx, (char *) identity_hint->data) + == 0) + { + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, + "SSL_CTX_use_psk_identity_hint() failed"); + return NGX_ERROR; + } + SSL_CTX_set_psk_server_callback(ssl->ctx, ngx_ssl_psk_callback); #endif diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -167,7 +167,8 @@ RSA *ngx_ssl_rsa512_key_callback(ngx_ssl ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file); ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file); ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name); -ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file); +ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, + ngx_str_t *identity_hint); ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout); ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -241,6 +241,13 @@ static ngx_command_t ngx_http_ssl_comma offsetof(ngx_http_ssl_srv_conf_t, psk_file), NULL }, + { ngx_string("ssl_psk_identity_hint"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, psk_identity_hint), + NULL }, + ngx_null_command }; @@ -554,6 +561,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t * sscf->stapling_file = { 0, NULL }; * sscf->stapling_responder = { 0, NULL }; * sscf->psk_file = { 0, NULL }; + * sscf->psk_identity_hint = { 0, NULL }; */ sscf->enable = NGX_CONF_UNSET; @@ -636,6 +644,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t * prev->stapling_responder, ""); ngx_conf_merge_str_value(conf->psk_file, prev->psk_file, ""); + ngx_conf_merge_str_value(conf->psk_identity_hint, + prev->psk_identity_hint, ""); conf->ssl.log = cf->log; @@ -817,7 +827,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t * } - if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file) != NGX_OK) { + if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file, + &conf->psk_identity_hint) + != NGX_OK) + { return NGX_CONF_ERROR; } diff --git a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h --- a/src/http/modules/ngx_http_ssl_module.h +++ b/src/http/modules/ngx_http_ssl_module.h @@ -56,6 +56,7 @@ typedef struct { ngx_str_t stapling_responder; ngx_str_t psk_file; + ngx_str_t psk_identity_hint; u_char *file; ngx_uint_t line; -- Maxim Dounin http://nginx.org/ From ml.software at leenaa.rs Mon Sep 4 21:42:24 2017 From: ml.software at leenaa.rs (Michiel Leenaars) Date: Mon, 4 Sep 2017 23:42:24 +0200 Subject: nginx-devel Digest, Vol 95, Issue 6 In-Reply-To: References: Message-ID: <20170904234224.20fbeefb@mr.leenaa.rs> Dear Maxim, MD> Please also take a look at MD> http://nginx.org/en/docs/contributing_changes.html, there should MD> be a single-line summary as the first line of the commit log. will do, apologies. MD> No, thanks. MD> We generally do not try to include into conf/mime.types all the MD> MIME types in the world, but rather only most popular types MD> commonly used on websites. In particular, this MD> - prevents serving incorrect MIME type for files accidentally MD> having the same extension as one of the types listed; MD> - saves some CPU cycles. NDRO> If you think that some of these types are popular enough and NDRO> deserve adding nevertheless, please resend the patch reduced to NDRO> only these types (and, ideally, providing some motivation). well, ODF is the official document file format used by a number of governments, NATO, as well as by hundreds of millions of users. It is an international 'de jure' standard, including the file extensions and associated mimetypes, which is the default file format of Apache Open Office, LibreOffice, Calligra, NeoOffice (open source office applications), as well as Collabio, Lotus Symphony and (at least in Europe) of Microsoft Office - you can choose between the OOXML formats and ODF upon install. Since the other file formats (including legacy file formats) from that latter office productivity suite are included, and ODF is mature and has been around for over 13 years if I'm correct, I would argue that indeed these are among the most widely spread file formats and that people would blindly expect them to be included by now in all webserver. In fact I did, one of the websites I'm running was unable to correctly serve presentations. Apache has all of these exact same mimetypes in their mimetype catalog, as does Lighttpd, and AFAIK have had them for many years (well before OpenOffice became an Apache project): https://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types http://redmine.lighttpd.net/projects/1/wiki/mimetype_assigndetails Both also serves up the legacy OpenOffice.org/StarOffice file formats (that predate the ISO/IEC standard), as do applications like Mutt. I have not hear anyone every have any problems with misclassification or collisions, probably because it has been around for so long that everybody knows to avoid those extensions - and would have found out after downloading the first such document from most webservers or opening an attachment. However, I will follow your recommendation and submit two patches - one for the current standard, and one for the legacy file formats. I would argue that the first one is a no-brainer, and the second one is a service to those organisations around the world that together still have many archives online containing StarOffice/OpenOffice.org files. Kind regards, Michiel Leenaars From ml.software at leenaa.rs Mon Sep 4 21:59:48 2017 From: ml.software at leenaa.rs (Michiel Leenaars) Date: Mon, 04 Sep 2017 23:59:48 +0200 Subject: [PATCH] Added OpenDocument Format/ISO 26300 file formats to mime.types Message-ID: # HG changeset patch # User Michiel Leenaars # Date 1504562357 -7200 # Mon Sep 04 23:59:17 2017 +0200 # Node ID b31eb2901b627733dd3d9aaa07ce8071aa7c5dad # Parent c7d4017c8876af6d8570e400320537d7d39e9578 Added OpenDocument Format/ISO 26300 file formats to mime.types ODF is the official document file format used by a number of governments, NATO, as well as by hundreds of millions of users. It is an international 'de jure' standard, including the file extensions and associated mimetypes, which is the default file format of Apache Open Office, LibreOffice, Calligra, NeoOffice (open source office applications), as well as Collabio, Lotus Symphony and (at least in Europe) of Microsoft Office - you can choose between the OOXML formats and ODF upon install. These file format replace the legacy office file formats such as .doc, .wpd and .xls. Apache have had support for exact same mimetypes in their mimetype catalog for quite a number of years, as do several other web server such as Lighttpd: https://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types http://redmine.lighttpd.net/projects/1/wiki/mimetype_assigndetails The most common use case is a site putting up presentations or documents, or migrating away from one of the servers that supports these mimetypes. Other document file formats diff -r c7d4017c8876 -r b31eb2901b62 conf/mime.types --- a/conf/mime.types Tue Aug 22 21:22:59 2017 +0300 +++ b/conf/mime.types Mon Sep 04 23:59:17 2017 +0200 @@ -68,6 +68,21 @@ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; + application/vnd.oasis.opendocument.text odt; + application/vnd.oasis.opendocument.text-template ott; + application/vnd.oasis.opendocument.text-web oth; + application/vnd.oasis.opendocument.text-master odm; + application/vnd.oasis.opendocument.graphics odg; + application/vnd.oasis.opendocument.graphics-template otg; + application/vnd.oasis.opendocument.presentation odp; + application/vnd.oasis.opendocument.presentation-template otp; + application/vnd.oasis.opendocument.spreadsheet ods; + application/vnd.oasis.opendocument.spreadsheet-template ots; + application/vnd.oasis.opendocument.chart odc; + application/vnd.oasis.opendocument.formula odf; + application/vnd.oasis.opendocument.database odb; + application/vnd.oasis.opendocument.image odi; + audio/midi mid midi kar; audio/mpeg mp3; audio/ogg ogg; From ml.software at leenaa.rs Mon Sep 4 22:14:00 2017 From: ml.software at leenaa.rs (Michiel Leenaars) Date: Tue, 05 Sep 2017 00:14:00 +0200 Subject: [PATCH] Added StarOffice/OpenOffice.org File Formats to mime.types Message-ID: <85e82dd57aa77dd95a28.1504563240@mr.leenaa.rs> # HG changeset patch # User Michiel Leenaars # Date 1504563233 -7200 # Tue Sep 05 00:13:53 2017 +0200 # Node ID 85e82dd57aa77dd95a28762c65ffa0824681dcd0 # Parent b31eb2901b627733dd3d9aaa07ce8071aa7c5dad Added StarOffice/OpenOffice.org File Formats to mime.types OpenOffice.org and its commercial sibling StarOffice were the most popular cross-platform office alternative for quite a few years, running on *NIX, Windows, Linux and other OS-es. They were the predecessor to popular open source office suites such as Apache Open Office, LibreOffice, NeoOffice and Lotus Symphony - with many millions of users around the world. This patch adds the family of file formats from those applications to the mimetypes recognised by Nginx. Apache has had these exact same mimetypes in their mimetype catalog for many years, as do other webservers like Lighttpd. The use case is simple: people migrating their static website from another webserver that did support these mime types results in broken user experience. Including these file formats is a service to those individuals and organisations around the world that together still have many archives online containing legacy StarOffice/OpenOffice.org files (note that quite a few other filetypes concern legacy file formats such as RealAudio, Word and RTF). The mimetypes suggested are officially registered at IANA. diff -r b31eb2901b62 -r 85e82dd57aa7 conf/mime.types --- a/conf/mime.types Mon Sep 04 23:59:17 2017 +0200 +++ b/conf/mime.types Tue Sep 05 00:13:53 2017 +0200 @@ -68,6 +68,23 @@ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; + application/vnd.stardivision.chart sds; + application/vnd.stardivision.calc sdc; + application/vnd.stardivision.writer sdw; + application/vnd.stardivision.writer-global sgl; + application/vnd.stardivision.draw sda; + application/vnd.stardivision.impress sdd; + application/vnd.stardivision.math sdf; + application/vnd.sun.xml.writer sxw; + application/vnd.sun.xml.writer.template stw; + application/vnd.sun.xml.writer.global sxg; + application/vnd.sun.xml.calc sxc; + application/vnd.sun.xml.calc.template stc; + application/vnd.sun.xml.impress sxi; + application/vnd.sun.xml.impress.template sti; + application/vnd.sun.xml.draw sxd; + application/vnd.sun.xml.draw.template std; + application/vnd.sun.xml.math sxm; application/vnd.oasis.opendocument.text odt; application/vnd.oasis.opendocument.text-template ott; application/vnd.oasis.opendocument.text-web oth; From mdounin at mdounin.ru Tue Sep 5 15:02:05 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 05 Sep 2017 15:02:05 +0000 Subject: [nginx] nginx-1.13.5-RELEASE Message-ID: details: http://hg.nginx.org/nginx/rev/0d45b4cf7c2e branches: changeset: 7095:0d45b4cf7c2e user: Maxim Dounin date: Tue Sep 05 17:59:31 2017 +0300 description: nginx-1.13.5-RELEASE diffstat: docs/xml/nginx/changes.xml | 53 ++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 53 insertions(+), 0 deletions(-) diffs (63 lines): diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml --- a/docs/xml/nginx/changes.xml +++ b/docs/xml/nginx/changes.xml @@ -5,6 +5,59 @@ + + + + +?????????? $ssl_client_escaped_cert. + + +the $ssl_client_escaped_cert variable. + + + + + +????????? ssl_session_ticket_key ? ???????? include ????????? geo +?? ???????? ?? Windows. + + +the "ssl_session_ticket_key" directive and +the "include" parameter of the "geo" directive did not work on Windows. + + + + + +?? 32-?????? ?????????? +??? ??????? ????? 4 ???????? ? ??????? ?????????? ?????????? +???????????? ???????????? ????? ??????. + + +incorrect response length was returned +on 32-bit platforms when requesting more than 4 gigabytes +with multiple ranges. + + + + + +????????? "expires modified" ? +????????? ?????? If-Range ????????? ??????? +?? ????????? ????? ?????????? ????????? ??????, +???? ?????????????? ????????????? ??? ???????????. + + +the "expires modified" directive and +processing of the "If-Range" request header line +did not use the response last modification time +if proxying without caching was used. + + + + + + From mdounin at mdounin.ru Tue Sep 5 15:02:08 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 05 Sep 2017 15:02:08 +0000 Subject: [nginx] release-1.13.5 tag Message-ID: details: http://hg.nginx.org/nginx/rev/6b6e15bbda92 branches: changeset: 7096:6b6e15bbda92 user: Maxim Dounin date: Tue Sep 05 17:59:31 2017 +0300 description: release-1.13.5 tag diffstat: .hgtags | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (8 lines): diff --git a/.hgtags b/.hgtags --- a/.hgtags +++ b/.hgtags @@ -417,3 +417,4 @@ 539f7893ecb96bee60965528c8958d7eb2f1ce6b 5be2b25bdc65775a85f18f68a4be4f58c7384415 release-1.13.2 8457ce87640f9bfe6221c4ac4466ced20e03bebe release-1.13.3 bbc642c813c829963ce8197c0ca237ab7601f3d4 release-1.13.4 +0d45b4cf7c2e4e626a5a16e1fe604402ace1cea5 release-1.13.5 From mdounin at mdounin.ru Tue Sep 5 17:09:23 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 5 Sep 2017 20:09:23 +0300 Subject: [PATCH] Added OpenDocument Format/ISO 26300 file formats to mime.types In-Reply-To: References: Message-ID: <20170905170923.GU93611@mdounin.ru> Hello! On Mon, Sep 04, 2017 at 11:59:48PM +0200, Michiel Leenaars wrote: > # HG changeset patch > # User Michiel Leenaars > # Date 1504562357 -7200 > # Mon Sep 04 23:59:17 2017 +0200 > # Node ID b31eb2901b627733dd3d9aaa07ce8071aa7c5dad > # Parent c7d4017c8876af6d8570e400320537d7d39e9578 > Added OpenDocument Format/ISO 26300 file formats to mime.types Style: there should be a relevant prefix here, and a dot after the sentence. For example: changeset: 5337:07ef29f69a54 user: Sergey Kandaurov date: Fri Aug 23 16:24:24 2013 +0400 summary: MIME: added the most common OOXML MIME types (ticket #243). > > ODF is the official document file format used by a number of > governments, NATO, as well as by hundreds of millions of users. It is > an international 'de jure' standard, including the file extensions and > associated mimetypes, which is the default file format of Apache Open > Office, LibreOffice, Calligra, NeoOffice (open source office > applications), as well as Collabio, Lotus Symphony and (at least in > Europe) of Microsoft Office - you can choose between the OOXML formats > and ODF upon install. These file format replace the legacy office file > formats such as .doc, .wpd and .xls. > > Apache have had support for exact same mimetypes in their mimetype catalog for > quite a number of years, as do several other web server such as Lighttpd: > > https://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types > http://redmine.lighttpd.net/projects/1/wiki/mimetype_assigndetails > > The most common use case is a site putting up presentations or documents, or > migrating away from one of the servers that supports these mimetypes. Other > document file formats Just a side note: this seems to be misedited. > > diff -r c7d4017c8876 -r b31eb2901b62 conf/mime.types > --- a/conf/mime.types Tue Aug 22 21:22:59 2017 +0300 > +++ b/conf/mime.types Mon Sep 04 23:59:17 2017 +0200 > @@ -68,6 +68,21 @@ > application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; > application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; > > + application/vnd.oasis.opendocument.text odt; Style: first character of the column should be aligned with other entries, not the last one. Also, it probably make sense to re-format existing OOXML types to avoid lines longer than 80 chars, and place them into normal position in the application/ section, see patch below. > + application/vnd.oasis.opendocument.text-template ott; > + application/vnd.oasis.opendocument.text-web oth; > + application/vnd.oasis.opendocument.text-master odm; > + application/vnd.oasis.opendocument.graphics odg; > + application/vnd.oasis.opendocument.graphics-template otg; > + application/vnd.oasis.opendocument.presentation odp; > + application/vnd.oasis.opendocument.presentation-template otp; > + application/vnd.oasis.opendocument.spreadsheet ods; > + application/vnd.oasis.opendocument.spreadsheet-template ots; > + application/vnd.oasis.opendocument.chart odc; > + application/vnd.oasis.opendocument.formula odf; > + application/vnd.oasis.opendocument.database odb; > + application/vnd.oasis.opendocument.image odi; > + > audio/midi mid midi kar; > audio/mpeg mp3; > audio/ogg ogg; Sorry, but no. As per the policy explained in the previous message, we certainly do not need all these extensions here. Most of them are never seen even by users of OpenOffice / LibreOffice. Not to mention that there should be no problem with serving them as application/octet-stream. We can consider adding most common of them - e.g., odt/odp/ods (and may be odg, as Wikipedia lists it among the "most common file extensions used for OpenDocument documents" [1]), similar to what we do with OOXML. Patch below. The patch is rather big due to whitespace changes, without them it is as simple as: application/vnd.ms-excel xls; application/vnd.ms-fontobject eot; application/vnd.ms-powerpoint ppt; + application/vnd.oasis.opendocument.graphics odg; + application/vnd.oasis.opendocument.presentation odp; + application/vnd.oasis.opendocument.spreadsheet ods; + application/vnd.oasis.opendocument.text odt; application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; application/vnd.openxmlformats-officedocument.spreadsheetml.sheet [1] https://en.wikipedia.org/wiki/OpenDocument_technical_specification#Documents # HG changeset patch # User Maxim Dounin # Date 1504629059 -10800 # Tue Sep 05 19:30:59 2017 +0300 # Node ID baa422a3b8db371afe97d8734f858cae8076cf29 # Parent 6b6e15bbda9269d03d66130efd51921dfedd93cb MIME: style. Restored alphabetical order within groups, OOXML types placed to the application/ group and wrapped to avoid lines longer than 80 chars. diff --git a/conf/mime.types b/conf/mime.types --- a/conf/mime.types +++ b/conf/mime.types @@ -16,13 +16,13 @@ types { text/x-component htc; image/png png; + image/svg+xml svg svgz; image/tiff tif tiff; image/vnd.wap.wbmp wbmp; + image/webp webp; image/x-icon ico; image/x-jng jng; image/x-ms-bmp bmp; - image/svg+xml svg svgz; - image/webp webp; application/font-woff woff; application/java-archive jar war ear; @@ -33,12 +33,18 @@ types { application/postscript ps eps ai; application/rtf rtf; application/vnd.apple.mpegurl m3u8; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; application/vnd.ms-excel xls; application/vnd.ms-fontobject eot; application/vnd.ms-powerpoint ppt; + application/vnd.openxmlformats-officedocument.presentationml.presentation + pptx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet + xlsx; + application/vnd.openxmlformats-officedocument.wordprocessingml.document + docx; application/vnd.wap.wmlc wmlc; - application/vnd.google-earth.kml+xml kml; - application/vnd.google-earth.kmz kmz; application/x-7z-compressed 7z; application/x-cocoa cco; application/x-java-archive-diff jardiff; @@ -64,10 +70,6 @@ types { application/octet-stream iso img; application/octet-stream msi msp msm; - application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; - application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; - audio/midi mid midi kar; audio/mpeg mp3; audio/ogg ogg; # HG changeset patch # User Maxim Dounin # Date 1504630934 -10800 # Tue Sep 05 20:02:14 2017 +0300 # Node ID 97e138ddbfcb476f583d95ea74ff0eb27e81478a # Parent baa422a3b8db371afe97d8734f858cae8076cf29 MIME: added most common OpenDocument types. Requested by Michiel Leenaars. diff --git a/conf/mime.types b/conf/mime.types --- a/conf/mime.types +++ b/conf/mime.types @@ -1,91 +1,95 @@ types { - text/html html htm shtml; - text/css css; - text/xml xml; - image/gif gif; - image/jpeg jpeg jpg; - application/javascript js; - application/atom+xml atom; - application/rss+xml rss; + text/html html htm shtml; + text/css css; + text/xml xml; + image/gif gif; + image/jpeg jpeg jpg; + application/javascript js; + application/atom+xml atom; + application/rss+xml rss; - text/mathml mml; - text/plain txt; - text/vnd.sun.j2me.app-descriptor jad; - text/vnd.wap.wml wml; - text/x-component htc; + text/mathml mml; + text/plain txt; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/x-component htc; - image/png png; - image/svg+xml svg svgz; - image/tiff tif tiff; - image/vnd.wap.wbmp wbmp; - image/webp webp; - image/x-icon ico; - image/x-jng jng; - image/x-ms-bmp bmp; + image/png png; + image/svg+xml svg svgz; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/webp webp; + image/x-icon ico; + image/x-jng jng; + image/x-ms-bmp bmp; - application/font-woff woff; - application/java-archive jar war ear; - application/json json; - application/mac-binhex40 hqx; - application/msword doc; - application/pdf pdf; - application/postscript ps eps ai; - application/rtf rtf; - application/vnd.apple.mpegurl m3u8; - application/vnd.google-earth.kml+xml kml; - application/vnd.google-earth.kmz kmz; - application/vnd.ms-excel xls; - application/vnd.ms-fontobject eot; - application/vnd.ms-powerpoint ppt; + application/font-woff woff; + application/java-archive jar war ear; + application/json json; + application/mac-binhex40 hqx; + application/msword doc; + application/pdf pdf; + application/postscript ps eps ai; + application/rtf rtf; + application/vnd.apple.mpegurl m3u8; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/vnd.ms-excel xls; + application/vnd.ms-fontobject eot; + application/vnd.ms-powerpoint ppt; + application/vnd.oasis.opendocument.graphics odg; + application/vnd.oasis.opendocument.presentation odp; + application/vnd.oasis.opendocument.spreadsheet ods; + application/vnd.oasis.opendocument.text odt; application/vnd.openxmlformats-officedocument.presentationml.presentation - pptx; + pptx; application/vnd.openxmlformats-officedocument.spreadsheetml.sheet - xlsx; + xlsx; application/vnd.openxmlformats-officedocument.wordprocessingml.document - docx; - application/vnd.wap.wmlc wmlc; - application/x-7z-compressed 7z; - application/x-cocoa cco; - application/x-java-archive-diff jardiff; - application/x-java-jnlp-file jnlp; - application/x-makeself run; - application/x-perl pl pm; - application/x-pilot prc pdb; - application/x-rar-compressed rar; - application/x-redhat-package-manager rpm; - application/x-sea sea; - application/x-shockwave-flash swf; - application/x-stuffit sit; - application/x-tcl tcl tk; - application/x-x509-ca-cert der pem crt; - application/x-xpinstall xpi; - application/xhtml+xml xhtml; - application/xspf+xml xspf; - application/zip zip; + docx; + application/vnd.wap.wmlc wmlc; + application/x-7z-compressed 7z; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-perl pl pm; + application/x-pilot prc pdb; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert der pem crt; + application/x-xpinstall xpi; + application/xhtml+xml xhtml; + application/xspf+xml xspf; + application/zip zip; - application/octet-stream bin exe dll; - application/octet-stream deb; - application/octet-stream dmg; - application/octet-stream iso img; - application/octet-stream msi msp msm; + application/octet-stream bin exe dll; + application/octet-stream deb; + application/octet-stream dmg; + application/octet-stream iso img; + application/octet-stream msi msp msm; - audio/midi mid midi kar; - audio/mpeg mp3; - audio/ogg ogg; - audio/x-m4a m4a; - audio/x-realaudio ra; + audio/midi mid midi kar; + audio/mpeg mp3; + audio/ogg ogg; + audio/x-m4a m4a; + audio/x-realaudio ra; - video/3gpp 3gpp 3gp; - video/mp2t ts; - video/mp4 mp4; - video/mpeg mpeg mpg; - video/quicktime mov; - video/webm webm; - video/x-flv flv; - video/x-m4v m4v; - video/x-mng mng; - video/x-ms-asf asx asf; - video/x-ms-wmv wmv; - video/x-msvideo avi; + video/3gpp 3gpp 3gp; + video/mp2t ts; + video/mp4 mp4; + video/mpeg mpeg mpg; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-m4v m4v; + video/x-mng mng; + video/x-ms-asf asx asf; + video/x-ms-wmv wmv; + video/x-msvideo avi; } -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Tue Sep 5 17:09:58 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 5 Sep 2017 20:09:58 +0300 Subject: [PATCH] Added StarOffice/OpenOffice.org File Formats to mime.types In-Reply-To: <85e82dd57aa77dd95a28.1504563240@mr.leenaa.rs> References: <85e82dd57aa77dd95a28.1504563240@mr.leenaa.rs> Message-ID: <20170905170958.GV93611@mdounin.ru> Hello! On Tue, Sep 05, 2017 at 12:14:00AM +0200, Michiel Leenaars wrote: > # HG changeset patch > # User Michiel Leenaars > # Date 1504563233 -7200 > # Tue Sep 05 00:13:53 2017 +0200 > # Node ID 85e82dd57aa77dd95a28762c65ffa0824681dcd0 > # Parent b31eb2901b627733dd3d9aaa07ce8071aa7c5dad > Added StarOffice/OpenOffice.org File Formats to mime.types > > OpenOffice.org and its commercial sibling StarOffice were the most popular > cross-platform office alternative for quite a few years, running on *NIX, > Windows, Linux and other OS-es. They were the predecessor to popular open > source office suites such as Apache Open Office, LibreOffice, NeoOffice and > Lotus Symphony - with many millions of users around the world. > > This patch adds the family of file formats from those applications to the > mimetypes recognised by Nginx. Apache has had these exact same mimetypes in > their mimetype catalog for many years, as do other webservers like Lighttpd. > > The use case is simple: people migrating their static website from > another webserver that did support these mime types results in broken > user experience. Including these file formats is a service to those > individuals and organisations around the world that together still have many > archives online containing legacy StarOffice/OpenOffice.org files (note that > quite a few other filetypes concern legacy file formats such as RealAudio, Word > and RTF). The mimetypes suggested are officially registered at IANA. > > diff -r b31eb2901b62 -r 85e82dd57aa7 conf/mime.types > --- a/conf/mime.types Mon Sep 04 23:59:17 2017 +0200 > +++ b/conf/mime.types Tue Sep 05 00:13:53 2017 +0200 > @@ -68,6 +68,23 @@ > application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; > application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; > > + application/vnd.stardivision.chart sds; > + application/vnd.stardivision.calc sdc; > + application/vnd.stardivision.writer sdw; > + application/vnd.stardivision.writer-global sgl; > + application/vnd.stardivision.draw sda; > + application/vnd.stardivision.impress sdd; > + application/vnd.stardivision.math sdf; > + application/vnd.sun.xml.writer sxw; > + application/vnd.sun.xml.writer.template stw; > + application/vnd.sun.xml.writer.global sxg; > + application/vnd.sun.xml.calc sxc; > + application/vnd.sun.xml.calc.template stc; > + application/vnd.sun.xml.impress sxi; > + application/vnd.sun.xml.impress.template sti; > + application/vnd.sun.xml.draw sxd; > + application/vnd.sun.xml.draw.template std; > + application/vnd.sun.xml.math sxm; > application/vnd.oasis.opendocument.text odt; > application/vnd.oasis.opendocument.text-template ott; > application/vnd.oasis.opendocument.text-web oth; No, thanks. -- Maxim Dounin http://nginx.org/ From Nate.Karstens at garmin.com Wed Sep 6 13:46:06 2017 From: Nate.Karstens at garmin.com (Karstens, Nate) Date: Wed, 6 Sep 2017 13:46:06 +0000 Subject: [PATCH] [PATCH 4 of 4] SSL: add identity hint config directive In-Reply-To: <20170904160118.GO93611@mdounin.ru> References: <010421> <62b4032371bd45217d40.1503541363@OLA-6J5NNS1.ad.garmin.com> <20170831144444.GG93611@mdounin.ru> <20170904160118.GO93611@mdounin.ru> Message-ID: <8090cea0421b4f0fa0292737aff10c3b@garmin.com> Yes, I see what you were saying now, sorry for the confusion. Your updates look good. How do you plan to get additional feedback? Maybe at nginx.conf? Our particular use case is more of an embedded environment, so our security constraints are different from a high traffic web server. Perhaps we can extrapolate the best approach for that environment given what we know? As I see it, we have a few alternatives: 1) Read the file from the PSK worker process (as is being done in the current patch) 2) Read the file when the configuration is loaded and cache results in memory (file only needs to be read by master process) 3) Allow the user to choose between 1 and 2 (using a config file setting) 4) Adding encryption to PSK file (encryption key is loaded when configuration is loaded and PSK file is decrypted by worker process) Can you think of any others? The main disadvantage of the second option is that you have to reload the configuration file whenever a PSK is added/removed/changed, right? Can you help me understand the performance implications of reloading the configuration file? If severe, maybe those performance implications could be mitigated by functionality specific to the environment the server is operating in? For example, in an environment with thousands of users maybe the administrators could institute a policy of updating the PSK file and reloading the configuration only once every 5 minutes? Other, less complicated environments could operate without any additional functionality. Nate -----Original Message----- From: nginx-devel [mailto:nginx-devel-bounces at nginx.org] On Behalf Of Maxim Dounin Sent: Monday, September 04, 2017 11:01 AM To: nginx-devel at nginx.org Subject: Re: [PATCH] [PATCH 4 of 4] SSL: add identity hint config directive Hello! On Fri, Sep 01, 2017 at 01:18:56PM +0000, Karstens, Nate wrote: > Maxim, > > Your changes look good and test well -- works for me! > > Thanks for your work on this, and for your patience! Thank you for your work, too. Some additionall problems I'v found looking into this: 1. In the previous review, http://mailman.nginx.org/pipermail/nginx-devel/2017-August/010419.html, I've asked to not set callback if file is not empty: : Always configuring a callback is probably not a good idea. : Instead, there should be a check if file is not empty. : : In particular, this will result in cryptic messages like: : : ... [error] ... open() "" failed (SSL:) (2: No such file or directory) while SSL handshaking : : on servers without PSK file configured if a client tries to : use PSK. I think you've probably get me wrong, and instead tried to check the file contents. This is not what I mean, I've asked to check the "file" string to see if it is empty, and do nothing if it is - that is, if there is no PSK file specified in the configuration. There should be something like this in the code, similar to ngx_ssl_dhparam(): @@ -1181,6 +1181,10 @@ ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl { #ifdef PSK_MAX_IDENTITY_LEN + if (file->len == 0) { + return NGX_OK; + } + if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { return NGX_ERROR; } This should prevent configurations without ssl_psk_file configured from trying to use PSK callback and reading the configuration directory in an attempt to find a secret as the code without the check does. 2. Error logging in the ngx_ssl_psk_callback() function is not correct. It uses ngx_ssl_error() function, which is intended to log OpenSSL-specific errors with error details extracted from the OpenSSL error stack. This function uses normal file operations though, and the OpenSSL error stack is always empty. As such, all messages will contain meaningless "(SSL:)" part. To avoid this, errors should be logged using normal ngx_log_error(). Updated patches below. Note well that I'm still not sure if it is good idea to read ssl_psk_file from worker processes instead of reading it once on startup as we do with SSL certificate keys (or, for example, ticket keys). This and the fact that PSK keys are not protected anyhow, neither with additional password nor hashing, implies that PSK keys can be easily compromissed if an attacker is able to read files accessible to nginx user. I'm going to postpone further work on this till at least some feedback from people using it in the real world. # HG changeset patch # User Nate Karstens # Date 1503540018 18000 # Wed Aug 23 21:00:18 2017 -0500 # Node ID a87e224e8d6b2993dfcd8903bfb0e7eb7fd934fa # Parent c7d4017c8876af6d8570e400320537d7d39e9578 Core: add function to decode hexadecimal strings. Adds functionality to convert a hexadecimal string into binary data. This will be used to decode PSKs stored in hexadecimal representation. Signed-off-by: Nate Karstens diff --git a/src/core/ngx_string.c b/src/core/ngx_string.c --- a/src/core/ngx_string.c +++ b/src/core/ngx_string.c @@ -1118,6 +1118,56 @@ ngx_hex_dump(u_char *dst, u_char *src, s } +ngx_int_t +ngx_hex_decode(u_char *dst, u_char *src, size_t len) { + u_char ch, decoded; + + if (len & 1) { + return NGX_ERROR; + } + + while (len) { + ch = *src++; + len -= 2; + + if (ch >= '0' && ch <= '9') { + decoded = ch - '0'; + goto second; + } + + ch |= 0x20; + + if (ch >= 'a' && ch <= 'f') { + decoded = ch - 'a' + 10; + goto second; + } + + return NGX_ERROR; + + second: + + ch = *src++; + + if (ch >= '0' && ch <= '9') { + *dst++ = (u_char) ((decoded << 4) + ch - '0'); + continue; + } + + ch |= 0x20; + + if (ch >= 'a' && ch <= 'f') { + *dst++ = (u_char) ((decoded << 4) + ch - 'a' + 10); + continue; + } + + return NGX_ERROR; + } + + return NGX_OK; +} + + void ngx_encode_base64(ngx_str_t *dst, ngx_str_t *src) { diff --git a/src/core/ngx_string.h b/src/core/ngx_string.h --- a/src/core/ngx_string.h +++ b/src/core/ngx_string.h @@ -177,6 +177,7 @@ time_t ngx_atotm(u_char *line, size_t n) ngx_int_t ngx_hextoi(u_char *line, size_t n); u_char *ngx_hex_dump(u_char *dst, u_char *src, size_t len); +ngx_int_t ngx_hex_decode(u_char *dst, u_char *src, size_t len); #define ngx_base64_encoded_length(len) (((len + 2) / 3) * 4) # HG changeset patch # User Nate Karstens # Date 1503540059 18000 # Wed Aug 23 21:00:59 2017 -0500 # Node ID 0cc14a10c863f3d9ba6cb8b6d3769592d619d654 # Parent a87e224e8d6b2993dfcd8903bfb0e7eb7fd934fa SSL: add support for PSK cipher suites. Adds support for TLS connections using PSK cipher suites. A new configuration directive, ssl_psk_file, specifies the file that contains a list of identities and associated PSKs. Each line of the file begins with the identity, followed by a colon character (':'), and ending with the PSK. As required by RFC 4279 section 5.4, PSKs may be entered either as plain text or using hexadecimal encoding. Hexadecimal PSKs must begin with "{HEX}". PSKs without this prefix are assumed to be plain text, but they may optionally begin with "{PLAIN}" to denote this. Some examples: gary:plain_text_password min:{PLAIN}another_text_password cliff:{HEX}ab0123CD PSK functionality can be easily tested with the OpenSSL s_client using the "-psk" and "-psk_identity" options. Signed-off-by: Nate Karstens diff --git a/contrib/vim/syntax/nginx.vim b/contrib/vim/syntax/nginx.vim --- a/contrib/vim/syntax/nginx.vim +++ b/contrib/vim/syntax/nginx.vim @@ -550,6 +550,7 @@ syn keyword ngxDirective contained ssl_p syn keyword ngxDirective contained ssl_prefer_server_ciphers syn keyword ngxDirective contained ssl_preread syn keyword ngxDirective contained ssl_protocols +syn keyword ngxDirective contained ssl_psk_file syn keyword ngxDirective contained ssl_session_cache syn keyword ngxDirective contained ssl_session_ticket_key syn keyword ngxDirective contained ssl_session_tickets diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -11,6 +11,7 @@ #define NGX_SSL_PASSWORD_BUFFER_SIZE 4096 +#define NGX_SSL_PSK_BUFFER_SIZE 4096 typedef struct { @@ -24,6 +25,10 @@ static int ngx_ssl_verify_callback(int o static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret); static void ngx_ssl_passwords_cleanup(void *data); +#ifdef PSK_MAX_IDENTITY_LEN +static unsigned int ngx_ssl_psk_callback(ngx_ssl_conn_t *ssl_conn, + const char *identity, unsigned char *psk, unsigned int +max_psk_len); #endif static void ngx_ssl_handshake_handler(ngx_event_t *ev); static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n); static void ngx_ssl_write_handler(ngx_event_t *wev); @@ -110,6 +115,7 @@ int ngx_ssl_connection_index; int ngx_ssl_server_conf_index; int ngx_ssl_session_cache_index; int ngx_ssl_session_ticket_keys_index; +int ngx_ssl_psk_index; int ngx_ssl_certificate_index; int ngx_ssl_next_certificate_index; int ngx_ssl_certificate_name_index; @@ -195,6 +201,14 @@ ngx_ssl_init(ngx_log_t *log) return NGX_ERROR; } + ngx_ssl_psk_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, + NULL); + + if (ngx_ssl_psk_index == -1) { + ngx_ssl_error(NGX_LOG_ALERT, log, 0, + "SSL_CTX_get_ex_new_index() failed"); + return NGX_ERROR; + } + ngx_ssl_certificate_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); if (ngx_ssl_certificate_index == -1) { @@ -1163,6 +1177,176 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_s ngx_int_t +ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) { +#ifdef PSK_MAX_IDENTITY_LEN + + if (file->len == 0) { + return NGX_OK; + } + + if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { + return NGX_ERROR; + } + + if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_psk_index, file) == 0) { + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, + "SSL_CTX_set_ex_data() failed"); + return NGX_ERROR; + } + + SSL_CTX_set_psk_server_callback(ssl->ctx, ngx_ssl_psk_callback); + +#endif + + return NGX_OK; +} + + +#ifdef PSK_MAX_IDENTITY_LEN + +static unsigned int +ngx_ssl_psk_callback(ngx_ssl_conn_t *ssl_conn, const char *identity, + unsigned char *psk, unsigned int max_psk_len) { + u_char *p, *last, *end, *colon; + size_t len; + ssize_t n; + SSL_CTX *ssl_ctx; + ngx_fd_t fd; + ngx_str_t *file; + unsigned int psk_len; + ngx_connection_t *c; + u_char buf[NGX_SSL_PSK_BUFFER_SIZE]; + + c = ngx_ssl_get_connection(ssl_conn); + + ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "ssl psk callback"); + + ssl_ctx = SSL_get_SSL_CTX(ssl_conn); + file = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_psk_index); + + fd = ngx_open_file(file->data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0); + if (fd == NGX_INVALID_FILE) { + ngx_log_error(NGX_LOG_ERR, c->log, ngx_errno, + ngx_open_file_n " \"%V\" failed", file); + return 0; + } + + psk_len = 0; + + len = 0; + last = buf; + + do { + n = ngx_read_fd(fd, last, NGX_SSL_PSK_BUFFER_SIZE - len); + + if (n == -1) { + ngx_log_error(NGX_LOG_ERR, c->log, ngx_errno, + ngx_read_fd_n " \"%V\" failed", file); + goto cleanup; + } + + end = last + n; + + if (len && n == 0) { + *end++ = LF; + } + + for (p = buf; /* void */; p = last) { + last = ngx_strlchr(last, end, LF); + + if (last == NULL) { + break; + } + + len = last++ - p; + + if (len && p[len - 1] == CR) { + len--; + } + + if (len == 0) { + continue; + } + + colon = ngx_strlchr(p, p + len, ':'); + + if (colon == NULL) { + continue; + } + + *colon = '\0'; + + if (ngx_strcmp(p, identity) != 0) { + continue; + } + + len -= colon + 1 - p; + p = colon + 1; + + if (ngx_strncmp(p, "{HEX}", sizeof("{HEX}") - 1) == 0) { + + p += sizeof("{HEX}") - 1; + len -= sizeof("{HEX}") - 1; + + if (len / 2 > max_psk_len) { + goto cleanup; + } + + if (ngx_hex_decode(psk, p, len) != NGX_OK) { + ngx_memzero(psk, len / 2); + goto cleanup; + } + + psk_len = len / 2; + + goto cleanup; + + } else if (ngx_strncmp(p, "{PLAIN}", sizeof("{PLAIN}") - 1) == 0) { + p += sizeof("{PLAIN}") - 1; + len -= sizeof("{PLAIN}") - 1; + } + + if (len > max_psk_len) { + goto cleanup; + } + + ngx_memcpy(psk, p, len); + psk_len = len; + + goto cleanup; + } + + len = end - p; + + if (len == NGX_SSL_PSK_BUFFER_SIZE) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, + "too long line in \"%V\"", file); + goto cleanup; + } + + ngx_memmove(buf, p, len); + last = buf + len; + + } while (n != 0); + +cleanup: + + if (ngx_close_file(fd) == NGX_FILE_ERROR) { + ngx_log_error(NGX_LOG_ALERT, c->log, ngx_errno, + ngx_close_file_n " %V failed", file); + } + + ngx_memzero(buf, NGX_SSL_PSK_BUFFER_SIZE); + + return psk_len; +} + +#endif + + +ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags) { ngx_ssl_connection_t *sc; @@ -2071,6 +2255,9 @@ ngx_ssl_connection_error(ngx_connection_ || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */ || n == SSL_R_NO_SHARED_CIPHER /* 193 */ || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */ +#ifdef SSL_R_PSK_IDENTITY_NOT_FOUND + || n == SSL_R_PSK_IDENTITY_NOT_FOUND /* 223 */ +#endif #ifdef SSL_R_PARSE_TLSEXT || n == SSL_R_PARSE_TLSEXT /* 227 */ #endif diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -167,6 +167,7 @@ RSA *ngx_ssl_rsa512_key_callback(ngx_ssl ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file); ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file); ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name); +ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t +*file); ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout); ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, @@ -253,6 +254,7 @@ extern int ngx_ssl_connection_index; extern int ngx_ssl_server_conf_index; extern int ngx_ssl_session_cache_index; extern int ngx_ssl_session_ticket_keys_index; +extern int ngx_ssl_psk_index; extern int ngx_ssl_certificate_index; extern int ngx_ssl_next_certificate_index; extern int ngx_ssl_certificate_name_index; diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -234,6 +234,13 @@ static ngx_command_t ngx_http_ssl_comma offsetof(ngx_http_ssl_srv_conf_t, stapling_verify), NULL }, + { ngx_string("ssl_psk_file"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, psk_file), + NULL }, + ngx_null_command }; @@ -543,6 +550,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t * sscf->shm_zone = NULL; * sscf->stapling_file = { 0, NULL }; * sscf->stapling_responder = { 0, NULL }; + * sscf->psk_file = { 0, NULL }; */ sscf->enable = NGX_CONF_UNSET; @@ -624,6 +632,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t * ngx_conf_merge_str_value(conf->stapling_responder, prev->stapling_responder, ""); + ngx_conf_merge_str_value(conf->psk_file, prev->psk_file, ""); + conf->ssl.log = cf->log; if (conf->enable) { @@ -804,6 +814,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t * } + if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file) != NGX_OK) { + return NGX_CONF_ERROR; + } + return NGX_CONF_OK; } diff --git a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h --- a/src/http/modules/ngx_http_ssl_module.h +++ b/src/http/modules/ngx_http_ssl_module.h @@ -55,6 +55,8 @@ typedef struct { ngx_str_t stapling_file; ngx_str_t stapling_responder; + ngx_str_t psk_file; + u_char *file; ngx_uint_t line; } ngx_http_ssl_srv_conf_t; # HG changeset patch # User Nate Karstens # Date 1503540211 18000 # Wed Aug 23 21:03:31 2017 -0500 # Node ID 396eff1bc17996ae8f4fd9e56f5dd9b72f8ce923 # Parent 0cc14a10c863f3d9ba6cb8b6d3769592d619d654 SSL: add PSK identity variable. Adds the variable $ssl_psk_identity to get the PSK identity used in a connnection secured with a PSK cipher suite. Signed-off-by: Nate Karstens diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -4356,6 +4356,37 @@ ngx_ssl_parse_time( } +ngx_int_t +ngx_ssl_get_psk_identity(ngx_connection_t *c, ngx_pool_t *pool, +ngx_str_t *s) { #ifdef PSK_MAX_IDENTITY_LEN + + size_t len; + const char *identity; + + identity = SSL_get_psk_identity(c->ssl->connection); + + if (identity) { + len = ngx_strlen(identity); + + s->len = len; + s->data = ngx_pnalloc(pool, len); + if (s->data == NULL) { + return NGX_ERROR; + } + + ngx_memcpy(s->data, identity, len); + + return NGX_OK; + } + +#endif + + s->len = 0; + return NGX_OK; +} + + static void * ngx_openssl_create_conf(ngx_cycle_t *cycle) { diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -235,6 +235,8 @@ ngx_int_t ngx_ssl_get_client_v_end(ngx_c ngx_str_t *s); ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s); +ngx_int_t ngx_ssl_get_psk_identity(ngx_connection_t *c, ngx_pool_t *pool, + ngx_str_t *s); ngx_int_t ngx_ssl_handshake(ngx_connection_t *c); diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -340,6 +340,9 @@ static ngx_http_variable_t ngx_http_ssl { ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable, (uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 }, + { ngx_string("ssl_psk_identity"), NULL, ngx_http_ssl_variable, + (uintptr_t) ngx_ssl_get_psk_identity, NGX_HTTP_VAR_CHANGEABLE, 0 + }, + ngx_http_null_variable }; # HG changeset patch # User Nate Karstens # Date 1503540237 18000 # Wed Aug 23 21:03:57 2017 -0500 # Node ID b9689aaec94bcddbf17c16eb55794782f3badd4e # Parent 396eff1bc17996ae8f4fd9e56f5dd9b72f8ce923 SSL: add identity hint config directive. Adds the directive "ssl_psk_identity_hint" to the ngx_http_ssl_module. This allows the user to specify the PSK identity hint given to the connecting client. Signed-off-by: Nate Karstens diff --git a/contrib/vim/syntax/nginx.vim b/contrib/vim/syntax/nginx.vim --- a/contrib/vim/syntax/nginx.vim +++ b/contrib/vim/syntax/nginx.vim @@ -551,6 +551,7 @@ syn keyword ngxDirective contained ssl_p syn keyword ngxDirective contained ssl_preread syn keyword ngxDirective contained ssl_protocols syn keyword ngxDirective contained ssl_psk_file +syn keyword ngxDirective contained ssl_psk_identity_hint syn keyword ngxDirective contained ssl_session_cache syn keyword ngxDirective contained ssl_session_ticket_key syn keyword ngxDirective contained ssl_session_tickets diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -1177,7 +1177,8 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_s ngx_int_t -ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) +ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, + ngx_str_t *identity_hint) { #ifdef PSK_MAX_IDENTITY_LEN @@ -1195,6 +1196,14 @@ ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl return NGX_ERROR; } + if (SSL_CTX_use_psk_identity_hint(ssl->ctx, (char *) identity_hint->data) + == 0) + { + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, + "SSL_CTX_use_psk_identity_hint() failed"); + return NGX_ERROR; + } + SSL_CTX_set_psk_server_callback(ssl->ctx, ngx_ssl_psk_callback); #endif diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -167,7 +167,8 @@ RSA *ngx_ssl_rsa512_key_callback(ngx_ssl ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file); ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file); ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name); -ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file); +ngx_int_t ngx_ssl_psk_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, + ngx_str_t *identity_hint); ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout); ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -241,6 +241,13 @@ static ngx_command_t ngx_http_ssl_comma offsetof(ngx_http_ssl_srv_conf_t, psk_file), NULL }, + { ngx_string("ssl_psk_identity_hint"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, psk_identity_hint), + NULL }, + ngx_null_command }; @@ -554,6 +561,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t * sscf->stapling_file = { 0, NULL }; * sscf->stapling_responder = { 0, NULL }; * sscf->psk_file = { 0, NULL }; + * sscf->psk_identity_hint = { 0, NULL }; */ sscf->enable = NGX_CONF_UNSET; @@ -636,6 +644,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t * prev->stapling_responder, ""); ngx_conf_merge_str_value(conf->psk_file, prev->psk_file, ""); + ngx_conf_merge_str_value(conf->psk_identity_hint, + prev->psk_identity_hint, ""); conf->ssl.log = cf->log; @@ -817,7 +827,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t * } - if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file) != NGX_OK) { + if (ngx_ssl_psk_file(cf, &conf->ssl, &conf->psk_file, + &conf->psk_identity_hint) + != NGX_OK) + { return NGX_CONF_ERROR; } diff --git a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h --- a/src/http/modules/ngx_http_ssl_module.h +++ b/src/http/modules/ngx_http_ssl_module.h @@ -56,6 +56,7 @@ typedef struct { ngx_str_t stapling_responder; ngx_str_t psk_file; + ngx_str_t psk_identity_hint; u_char *file; ngx_uint_t line; -- Maxim Dounin http://nginx.org/ _______________________________________________ nginx-devel mailing list nginx-devel at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel ________________________________ CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you. From ujaeek at yahoo.co.jp Thu Sep 7 08:31:34 2017 From: ujaeek at yahoo.co.jp (ujaeek at yahoo.co.jp) Date: Thu, 7 Sep 2017 17:31:34 +0900 (JST) Subject: How does nginx cache work ? Message-ID: <449321.15634.qm@web101601.mail.kks.yahoo.co.jp> Hi,? Currently we are modify some nginx proxy cache functions, and I would like to know how nginx cache work? 1. does nginx cache data in memory or read from disk everytime? for example, first I do `GET /example.jpg`, nginx will cache it and save to disk. next time I do `GET /example.jpg`, does nginx read the file from disk then send to client,? or nginx?just send the file from memory to client because nginx?has cached it?in memory ? 2. if nginx save it in memory, what happens if the file is 1GB? does nginx malloc a 1GB memory and save the file? or split the file into many parts, and save it separately using? something like array or linked list? Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: From zchao1995 at gmail.com Thu Sep 7 08:51:48 2017 From: zchao1995 at gmail.com (Zhang Chao) Date: Thu, 7 Sep 2017 01:51:48 -0700 Subject: How does nginx cache work ? In-Reply-To: <449321.15634.qm@web101601.mail.kks.yahoo.co.jp> References: <449321.15634.qm@web101601.mail.kks.yahoo.co.jp> Message-ID: Hi! according to the function ngx_http_upstream_cache, I think nginx never load the file to memory, instead, it just set a buf, which file is referenced to this file and output it. On 7 September 2017 at 16:31:46, ujaeek at yahoo.co.jp (ujaeek at yahoo.co.jp) wrote: Hi, Currently we are modify some nginx proxy cache functions, and I would like to know how nginx cache work? 1. does nginx cache data in memory or read from disk everytime? for example, first I do `GET /example.jpg`, nginx will cache it and save to disk. next time I do `GET /example.jpg`, does nginx read the file from disk then send to client, or nginx just send the file from memory to client because nginx has cached it in memory ? 2. if nginx save it in memory, what happens if the file is 1GB? does nginx malloc a 1GB memory and save the file? or split the file into many parts, and save it separately using something like array or linked list? Thanks _______________________________________________ nginx-devel mailing list nginx-devel at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Thu Sep 7 14:48:47 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 7 Sep 2017 17:48:47 +0300 Subject: [PATCH] [PATCH 4 of 4] SSL: add identity hint config directive In-Reply-To: <8090cea0421b4f0fa0292737aff10c3b@garmin.com> References: <010421> <62b4032371bd45217d40.1503541363@OLA-6J5NNS1.ad.garmin.com> <20170831144444.GG93611@mdounin.ru> <20170904160118.GO93611@mdounin.ru> <8090cea0421b4f0fa0292737aff10c3b@garmin.com> Message-ID: <20170907144847.GG93611@mdounin.ru> Hello! On Wed, Sep 06, 2017 at 01:46:06PM +0000, Karstens, Nate wrote: > Yes, I see what you were saying now, sorry for the confusion. > Your updates look good. > > How do you plan to get additional feedback? Maybe at nginx.conf? > Our particular use case is more of an embedded environment, so > our security constraints are different from a high traffic web > server. Perhaps we can extrapolate the best approach for that > environment given what we know? There are no specific plans, though usually people tend to provide feedback on patches they are interested in. That is, if there are people interested in PSK support, eventually there will be some feedback. > As I see it, we have a few alternatives: > > 1) Read the file from the PSK worker process (as is being done > in the current patch) > 2) Read the file when the configuration is loaded and cache > results in memory (file only needs to be read by master process) > 3) Allow the user to choose between 1 and 2 (using a config file > setting) > 4) Adding encryption to PSK file (encryption key is loaded when > configuration is loaded and PSK file is decrypted by worker > process) > > Can you think of any others? The only alternatives I would consider at this point are (1) and (2). Everything else looks overcomplicated. > The main disadvantage of the second option is that you have to > reload the configuration file whenever a PSK is > added/removed/changed, right? Can you help me understand the > performance implications of reloading the configuration file? If > severe, maybe those performance implications could be mitigated > by functionality specific to the environment the server is > operating in? For example, in an environment with thousands of > users maybe the administrators could institute a policy of > updating the PSK file and reloading the configuration only once > every 5 minutes? Other, less complicated environments could > operate without any additional functionality. Yes, basically this is the only downside of the (1) approach - to change PSK list you need to reload a configuration. This applies to many aspects in nginx though, and I don't actually think that this is a problem. If a particular setup requires changing PSK keys at a high rate, using client certificates might be a better option. And that's why I think it might be better to switch back to (2), which seems to be slightly more secure. -- Maxim Dounin http://nginx.org/ From jeppojeps at gmail.com Fri Sep 8 11:06:46 2017 From: jeppojeps at gmail.com (Antonio Nappa) Date: Fri, 8 Sep 2017 13:06:46 +0200 Subject: remote_port variable is empty in log Message-ID: Hello, Is there a reason why the $remote_port variable of the http module could be empty? I am using it in a custom log format, and from time to time it is empty. Thanks, Antonio -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Fri Sep 8 13:08:29 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Fri, 8 Sep 2017 16:08:29 +0300 Subject: remote_port variable is empty in log In-Reply-To: References: Message-ID: <20170908130829.GM93611@mdounin.ru> Hello! On Fri, Sep 08, 2017 at 01:06:46PM +0200, Antonio Nappa wrote: > Is there a reason why the $remote_port variable of the http module could be > empty? I am using it in a custom log format, and from time to time it is > empty. There can be multiple possible reasons, including using unix sockets and realip module without port information provided. Note that this is a mailing list for developers. For user-level questions like this one, please use the nginx@ mailing list instead. Thank you. -- Maxim Dounin http://nginx.org/ From arut at nginx.com Mon Sep 11 12:49:47 2017 From: arut at nginx.com (Roman Arutyunyan) Date: Mon, 11 Sep 2017 12:49:47 +0000 Subject: [nginx] Version bump. Message-ID: details: http://hg.nginx.org/nginx/rev/a0e472a2c4f1 branches: changeset: 7097:a0e472a2c4f1 user: Roman Arutyunyan date: Mon Sep 11 15:46:23 2017 +0300 description: Version bump. diffstat: src/core/nginx.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diffs (14 lines): diff -r 6b6e15bbda92 -r a0e472a2c4f1 src/core/nginx.h --- a/src/core/nginx.h Tue Sep 05 17:59:31 2017 +0300 +++ b/src/core/nginx.h Mon Sep 11 15:46:23 2017 +0300 @@ -9,8 +9,8 @@ #define _NGINX_H_INCLUDED_ -#define nginx_version 1013005 -#define NGINX_VERSION "1.13.5" +#define nginx_version 1013006 +#define NGINX_VERSION "1.13.6" #define NGINX_VER "nginx/" NGINX_VERSION #ifdef NGX_BUILD From arut at nginx.com Mon Sep 11 12:49:50 2017 From: arut at nginx.com (Roman Arutyunyan) Date: Mon, 11 Sep 2017 12:49:50 +0000 Subject: [nginx] Stream: relaxed next upstream condition (ticket #1317). Message-ID: details: http://hg.nginx.org/nginx/rev/7bfbf73db920 branches: changeset: 7098:7bfbf73db920 user: Roman Arutyunyan date: Mon Sep 11 15:32:31 2017 +0300 description: Stream: relaxed next upstream condition (ticket #1317). When switching to a next upstream, some buffers could be stuck in the middle of the filter chain. A condition existed that raised an error when this happened. As it turned out, this condition prevented switching to a next upstream if ssl preread was used with the TCP protocol (see the ticket). In fact, the condition does not make sense for TCP, since after successful connection to an upstream switching to another upstream never happens. As for UDP, the issue with stuck buffers is unlikely to happen, but is still possible. Specifically, if a filter delays sending data to upstream. The condition can be relaxed to only check the "buffered" bitmask of the upstream connection. The new condition is simpler and fixes the ticket issue as well. Additionally, the upstream_out chain is now reset for UDP prior to connecting to a new upstream to prevent repeating the client data twice. diffstat: src/stream/ngx_stream_proxy_module.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) diffs (23 lines): diff -r a0e472a2c4f1 -r 7bfbf73db920 src/stream/ngx_stream_proxy_module.c --- a/src/stream/ngx_stream_proxy_module.c Mon Sep 11 15:46:23 2017 +0300 +++ b/src/stream/ngx_stream_proxy_module.c Mon Sep 11 15:32:31 2017 +0300 @@ -1665,13 +1665,17 @@ ngx_stream_proxy_next_upstream(ngx_strea u = s->upstream; pc = u->peer.connection; - if (u->upstream_out || u->upstream_busy || (pc && pc->buffered)) { + if (pc && pc->buffered) { ngx_log_error(NGX_LOG_ERR, s->connection->log, 0, - "pending buffers on next upstream"); + "buffered data on next upstream"); ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR); return; } + if (s->connection->type == SOCK_DGRAM) { + u->upstream_out = NULL; + } + if (u->peer.sockaddr) { u->peer.free(&u->peer, u->peer.data, NGX_PEER_FAILED); u->peer.sockaddr = NULL; From mdounin at mdounin.ru Mon Sep 11 13:41:52 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 11 Sep 2017 13:41:52 +0000 Subject: [nginx] Trailing space removed. Message-ID: details: http://hg.nginx.org/nginx/rev/019b91bd21cc branches: changeset: 7099:019b91bd21cc user: Maxim Dounin date: Mon Sep 11 16:41:39 2017 +0300 description: Trailing space removed. diffstat: docs/xml/nginx/changes.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml --- a/docs/xml/nginx/changes.xml +++ b/docs/xml/nginx/changes.xml @@ -50,7 +50,7 @@ with multiple ranges. the "expires modified" directive and processing of the "If-Range" request header line -did not use the response last modification time +did not use the response last modification time if proxying without caching was used. From mdounin at mdounin.ru Tue Sep 12 02:46:15 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 12 Sep 2017 05:46:15 +0300 Subject: [PATCH] HTTP/2: signal 0-byte HPACK's dynamic table size In-Reply-To: <7e1e91f9ca063563cb29.1504130134@piotrsikora.sfo.corp.google.com> References: <7e1e91f9ca063563cb29.1504130134@piotrsikora.sfo.corp.google.com> Message-ID: <20170912024615.GC58595@mdounin.ru> Hello! On Wed, Aug 30, 2017 at 02:55:34PM -0700, Piotr Sikora via nginx-devel wrote: > # HG changeset patch > # User Piotr Sikora > # Date 1504129931 25200 > # Wed Aug 30 14:52:11 2017 -0700 > # Node ID 7e1e91f9ca063563cb293136e7b1cede36e63dc6 > # Parent c7d4017c8876af6d8570e400320537d7d39e9578 > HTTP/2: signal 0-byte HPACK's dynamic table size. > > This change lets NGINX talk to clients with SETTINGS_HEADER_TABLE_SIZE > smaller than the default 4KB. Previously, NGINX would ACK the SETTINGS > frame with a small dynamic table size, but it would never send dynamic > table size update, leading to a connection-level COMPRESSION_ERROR. > > Also, it allows clients to release 4KB of memory per connection, since > NGINX doesn't use HPACK's dynamic table when encoding headers, however > clients had to maintain it, since NGINX never signaled that it doesn't > use it. > > Signed-off-by: Piotr Sikora > > diff -r c7d4017c8876 -r 7e1e91f9ca06 src/http/v2/ngx_http_v2.c > --- a/src/http/v2/ngx_http_v2.c > +++ b/src/http/v2/ngx_http_v2.c > @@ -245,6 +245,8 @@ ngx_http_v2_init(ngx_event_t *rev) > > h2c->frame_size = NGX_HTTP_V2_DEFAULT_FRAME_SIZE; > > + h2c->table_update = 1; > + > h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module); > > h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log); > diff -r c7d4017c8876 -r 7e1e91f9ca06 src/http/v2/ngx_http_v2.h > --- a/src/http/v2/ngx_http_v2.h > +++ b/src/http/v2/ngx_http_v2.h > @@ -144,6 +144,7 @@ struct ngx_http_v2_connection_s { > > unsigned closed_nodes:8; > unsigned settings_ack:1; > + unsigned table_update:1; > unsigned blocked:1; > unsigned goaway:1; > }; > diff -r c7d4017c8876 -r 7e1e91f9ca06 src/http/v2/ngx_http_v2_filter_module.c > --- a/src/http/v2/ngx_http_v2_filter_module.c > +++ b/src/http/v2/ngx_http_v2_filter_module.c > @@ -141,6 +141,7 @@ ngx_http_v2_header_filter(ngx_http_reque > ngx_http_v2_out_frame_t *frame; > ngx_http_core_loc_conf_t *clcf; > ngx_http_core_srv_conf_t *cscf; > + ngx_http_v2_connection_t *h2c; > u_char addr[NGX_SOCKADDR_STRLEN]; > > static const u_char nginx[5] = "\x84\xaa\x63\x55\xe7"; > @@ -235,7 +236,11 @@ ngx_http_v2_header_filter(ngx_http_reque > } > } > > - len = status ? 1 : 1 + ngx_http_v2_literal_size("418"); > + h2c = r->stream->connection; > + > + len = h2c->table_update ? 1 : 0; > + > + len += status ? 1 : 1 + ngx_http_v2_literal_size("418"); > > clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); > > @@ -423,6 +428,13 @@ ngx_http_v2_header_filter(ngx_http_reque > > start = pos; > > + if (h2c->table_update) { > + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, fc->log, 0, > + "http2 sending dynamic table size update: 0"); > + *pos++ = 32; > + h2c->table_update = 0; > + } > + > ngx_log_debug1(NGX_LOG_DEBUG_HTTP, fc->log, 0, > "http2 output header: \":status: %03ui\"", > r->headers_out.status); Thank you for the patch. I've pushed a change which fixes tests with this patch (http://hg.nginx.org/nginx-tests/rev/24e175025ad8). Unless there are objections, I'll push this patch with the following mostly style changes: --- a/src/http/v2/ngx_http_v2_filter_module.c +++ b/src/http/v2/ngx_http_v2_filter_module.c @@ -139,9 +139,9 @@ ngx_http_v2_header_filter(ngx_http_reque ngx_connection_t *fc; ngx_http_cleanup_t *cln; ngx_http_v2_out_frame_t *frame; + ngx_http_v2_connection_t *h2c; ngx_http_core_loc_conf_t *clcf; ngx_http_core_srv_conf_t *cscf; - ngx_http_v2_connection_t *h2c; u_char addr[NGX_SOCKADDR_STRLEN]; static const u_char nginx[5] = "\x84\xaa\x63\x55\xe7"; @@ -430,8 +430,8 @@ ngx_http_v2_header_filter(ngx_http_reque if (h2c->table_update) { ngx_log_debug0(NGX_LOG_DEBUG_HTTP, fc->log, 0, - "http2 sending dynamic table size update: 0"); - *pos++ = 32; + "http2 table size update: 0"); + *pos++ = (1 << 5) | 0; h2c->table_update = 0; } -- Maxim Dounin http://nginx.org/ From piotrsikora at google.com Tue Sep 12 06:32:11 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Tue, 12 Sep 2017 08:32:11 +0200 Subject: [PATCH] HTTP/2: signal 0-byte HPACK's dynamic table size In-Reply-To: <20170912024615.GC58595@mdounin.ru> References: <7e1e91f9ca063563cb29.1504130134@piotrsikora.sfo.corp.google.com> <20170912024615.GC58595@mdounin.ru> Message-ID: Hey Maxim, > Thank you for the patch. I've pushed a change which fixes tests > with this patch (http://hg.nginx.org/nginx-tests/rev/24e175025ad8). > Unless there are objections, I'll push this patch with the > following mostly style changes: Those changes look fine, thanks. Best regards, Piotr Sikora From mdounin at mdounin.ru Tue Sep 12 14:21:47 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 12 Sep 2017 14:21:47 +0000 Subject: [nginx] HTTP/2: signal 0-byte HPACK's dynamic table size. Message-ID: details: http://hg.nginx.org/nginx/rev/12cadc4669a7 branches: changeset: 7100:12cadc4669a7 user: Piotr Sikora date: Wed Aug 30 14:52:11 2017 -0700 description: HTTP/2: signal 0-byte HPACK's dynamic table size. This change lets NGINX talk to clients with SETTINGS_HEADER_TABLE_SIZE smaller than the default 4KB. Previously, NGINX would ACK the SETTINGS frame with a small dynamic table size, but it would never send dynamic table size update, leading to a connection-level COMPRESSION_ERROR. Also, it allows clients to release 4KB of memory per connection, since NGINX doesn't use HPACK's dynamic table when encoding headers, however clients had to maintain it, since NGINX never signaled that it doesn't use it. Signed-off-by: Piotr Sikora diffstat: src/http/v2/ngx_http_v2.c | 2 ++ src/http/v2/ngx_http_v2.h | 1 + src/http/v2/ngx_http_v2_filter_module.c | 14 +++++++++++++- 3 files changed, 16 insertions(+), 1 deletions(-) diffs (61 lines): diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c +++ b/src/http/v2/ngx_http_v2.c @@ -245,6 +245,8 @@ ngx_http_v2_init(ngx_event_t *rev) h2c->frame_size = NGX_HTTP_V2_DEFAULT_FRAME_SIZE; + h2c->table_update = 1; + h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module); h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log); diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h --- a/src/http/v2/ngx_http_v2.h +++ b/src/http/v2/ngx_http_v2.h @@ -144,6 +144,7 @@ struct ngx_http_v2_connection_s { unsigned closed_nodes:8; unsigned settings_ack:1; + unsigned table_update:1; unsigned blocked:1; unsigned goaway:1; }; diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c --- a/src/http/v2/ngx_http_v2_filter_module.c +++ b/src/http/v2/ngx_http_v2_filter_module.c @@ -139,6 +139,7 @@ ngx_http_v2_header_filter(ngx_http_reque ngx_connection_t *fc; ngx_http_cleanup_t *cln; ngx_http_v2_out_frame_t *frame; + ngx_http_v2_connection_t *h2c; ngx_http_core_loc_conf_t *clcf; ngx_http_core_srv_conf_t *cscf; u_char addr[NGX_SOCKADDR_STRLEN]; @@ -235,7 +236,11 @@ ngx_http_v2_header_filter(ngx_http_reque } } - len = status ? 1 : 1 + ngx_http_v2_literal_size("418"); + h2c = r->stream->connection; + + len = h2c->table_update ? 1 : 0; + + len += status ? 1 : 1 + ngx_http_v2_literal_size("418"); clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); @@ -423,6 +428,13 @@ ngx_http_v2_header_filter(ngx_http_reque start = pos; + if (h2c->table_update) { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, fc->log, 0, + "http2 table size update: 0"); + *pos++ = (1 << 5) | 0; + h2c->table_update = 0; + } + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, fc->log, 0, "http2 output header: \":status: %03ui\"", r->headers_out.status); From mdounin at mdounin.ru Tue Sep 12 14:23:45 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 12 Sep 2017 17:23:45 +0300 Subject: [PATCH] HTTP/2: signal 0-byte HPACK's dynamic table size In-Reply-To: References: <7e1e91f9ca063563cb29.1504130134@piotrsikora.sfo.corp.google.com> <20170912024615.GC58595@mdounin.ru> Message-ID: <20170912142345.GE58595@mdounin.ru> Hello! On Tue, Sep 12, 2017 at 08:32:11AM +0200, Piotr Sikora via nginx-devel wrote: > Hey Maxim, > > > Thank you for the patch. I've pushed a change which fixes tests > > with this patch (http://hg.nginx.org/nginx-tests/rev/24e175025ad8). > > Unless there are objections, I'll push this patch with the > > following mostly style changes: > > Those changes look fine, thanks. Committed, thanks. http://hg.nginx.org/nginx/rev/12cadc4669a7 -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Wed Sep 13 14:10:41 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 13 Sep 2017 14:10:41 +0000 Subject: [nginx] Style. Message-ID: details: http://hg.nginx.org/nginx/rev/b38a8f0ca4a2 branches: changeset: 7101:b38a8f0ca4a2 user: Maxim Dounin date: Wed Sep 13 15:51:52 2017 +0300 description: Style. diffstat: src/core/ngx_parse_time.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diffs (21 lines): diff --git a/src/core/ngx_parse_time.c b/src/core/ngx_parse_time.c --- a/src/core/ngx_parse_time.c +++ b/src/core/ngx_parse_time.c @@ -44,14 +44,15 @@ ngx_parse_http_time(u_char *value, size_ } } - for (p++; p < end; p++) + for (p++; p < end; p++) { if (*p != ' ') { break; } + } if (end - p < 18) { return NGX_ERROR; - } + } if (fmt != isoc) { if (*p < '0' || *p > '9' || *(p + 1) < '0' || *(p + 1) > '9') { From mdounin at mdounin.ru Wed Sep 13 14:10:44 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 13 Sep 2017 14:10:44 +0000 Subject: [nginx] Fixed reference to time parsing code after 8b6fa4842133. Message-ID: details: http://hg.nginx.org/nginx/rev/63699a40e2ff branches: changeset: 7102:63699a40e2ff user: Maxim Dounin date: Wed Sep 13 15:51:58 2017 +0300 description: Fixed reference to time parsing code after 8b6fa4842133. diffstat: src/core/ngx_times.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff --git a/src/core/ngx_times.c b/src/core/ngx_times.c --- a/src/core/ngx_times.c +++ b/src/core/ngx_times.c @@ -320,7 +320,7 @@ ngx_gmtime(time_t t, ngx_tm_t *tp) /* * the algorithm based on Gauss' formula, - * see src/http/ngx_http_parse_time.c + * see src/core/ngx_parse_time.c */ /* days since March 1, 1 BC */ From mdounin at mdounin.ru Wed Sep 13 14:10:46 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 13 Sep 2017 14:10:46 +0000 Subject: [nginx] Fixed ngx_gmtime() on 32-bit platforms with 64-bit time_t. Message-ID: details: http://hg.nginx.org/nginx/rev/644d0457782a branches: changeset: 7103:644d0457782a user: Maxim Dounin date: Wed Sep 13 15:52:01 2017 +0300 description: Fixed ngx_gmtime() on 32-bit platforms with 64-bit time_t. In ngx_gmtime(), instead of casting to ngx_uint_t we now work with time_t directly. This allows using dates after 2038 on 32-bit platforms which use 64-bit time_t, notably NetBSD and OpenBSD. As the code is not able to work with negative time_t values, argument is now set to 0 for negative values. As a positive side effect, this results in Epoch being used for such values instead of a date in distant future. diffstat: src/core/ngx_times.c | 18 ++++++++++-------- 1 files changed, 10 insertions(+), 8 deletions(-) diffs (37 lines): diff --git a/src/core/ngx_times.c b/src/core/ngx_times.c --- a/src/core/ngx_times.c +++ b/src/core/ngx_times.c @@ -300,23 +300,25 @@ void ngx_gmtime(time_t t, ngx_tm_t *tp) { ngx_int_t yday; - ngx_uint_t n, sec, min, hour, mday, mon, year, wday, days, leap; + ngx_uint_t sec, min, hour, mday, mon, year, wday, days, leap; /* the calculation is valid for positive time_t only */ - n = (ngx_uint_t) t; + if (t < 0) { + t = 0; + } - days = n / 86400; + days = t / 86400; + sec = t % 86400; /* January 1, 1970 was Thursday */ wday = (4 + days) % 7; - n %= 86400; - hour = n / 3600; - n %= 3600; - min = n / 60; - sec = n % 60; + hour = sec / 3600; + sec %= 3600; + min = sec / 60; + sec %= 60; /* * the algorithm based on Gauss' formula, From mdounin at mdounin.ru Wed Sep 13 14:10:48 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 13 Sep 2017 14:10:48 +0000 Subject: [nginx] Introduced time truncation to December 31, 9999 (ticket #1368). Message-ID: details: http://hg.nginx.org/nginx/rev/cdbcb73239ee branches: changeset: 7104:cdbcb73239ee user: Maxim Dounin date: Wed Sep 13 15:53:19 2017 +0300 description: Introduced time truncation to December 31, 9999 (ticket #1368). Various buffers are allocated in an assumption that there would be no more than 4 year digits. This might not be true on platforms with 64-bit time_t, as 64-bit time_t is able to represent more than that. Such dates with more than 4 year digits hardly make sense though, as various date formats in use do not allow them anyway. As such, all dates are now truncated by ngx_gmtime() to December 31, 9999. This should have no effect on valid dates, though will prevent potential buffer overflows on invalid ones. diffstat: src/core/ngx_times.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) diffs (20 lines): diff --git a/src/core/ngx_times.c b/src/core/ngx_times.c --- a/src/core/ngx_times.c +++ b/src/core/ngx_times.c @@ -311,6 +311,16 @@ ngx_gmtime(time_t t, ngx_tm_t *tp) days = t / 86400; sec = t % 86400; + /* + * no more than 4 year digits supported, + * truncate to December 31, 9999, 23:59:59 + */ + + if (days > 2932896) { + days = 2932896; + sec = 86399; + } + /* January 1, 1970 was Thursday */ wday = (4 + days) % 7; From fares.jaradeh at nuance.com Wed Sep 13 19:09:19 2017 From: fares.jaradeh at nuance.com (Jaradeh, Fares) Date: Wed, 13 Sep 2017 19:09:19 +0000 Subject: Preserving Proxied server original Chunk sizes In-Reply-To: References: Message-ID: Hello I am contacting you for support regarding https://stackoverflow.com/questions/46165415/configure-nginx-proxy-to-preserve-the-chunk-size-sent-from-the-proxied-backend-s While trying to use Nginx-Ingress-controller in K8s, ran into issue related to the behavior of nginx proxy, The proxied backend server (our NGW) is set to return audio in chunks of http to the client with multiparts & Some of our clients (already in the field) have so far expected every single HTTP chunk to contain a full part of an audio segment....ie a single audio segment may not be broken across several HTTP chunks. For our use case, we had to set the proxy_buffering : off so to allow the nginx to send back results as soon as possible to not increase the CPL, But as a side effect, we noticed that the nginx was NOT trying to preserve the chunks sizes sent back by the proxied server (NGW), which would cause clients in the field to break. So a single Audio part that is sent back by the NGW with a single http chunk of size 24838 may be broken into 5 or 6 chunks returned by nginx-proxy to the client with the total size amounting to the same thing.... We suspect this is due to the speed to read/write of the responses on Nginx, and it may read a single chunk in separate calls (example 12000 bytes then another 11000 bytes then another 1838 bytes) and because buffering is OFF...these things are being sent back as independent chunks to the client. We understand that the behavior of nginx is fully compliant with http chunking and that the client app should be better implemented to not assume coupling of chunks and audio segments full parts, BUT, customers app already in the field cannot be helped, Enabling proxy_buffering : on is not an option, as it delay responses until ALL the audio segments are ready (from all chunks) and it breaks the 1chunk to 1 audio segment rule as well. Could you please advise if there is any way to control the nginx buffering to allow it to buffer per Chunk, ir do not send back received data unless a full Http chunk is read.... ? Thank you for you support Regards Fares -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Wed Sep 13 19:51:04 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 13 Sep 2017 22:51:04 +0300 Subject: Preserving Proxied server original Chunk sizes In-Reply-To: References: Message-ID: <20170913195103.GK58595@mdounin.ru> Hello! On Wed, Sep 13, 2017 at 07:09:19PM +0000, Jaradeh, Fares wrote: > I am contacting you for support regarding > https://stackoverflow.com/questions/46165415/configure-nginx-proxy-to-preserve-the-chunk-size-sent-from-the-proxied-backend-s [...] This mailing list is dedicated to nginx development. For questions about using nginx please use the nginx@ mailing list instead. See http://nginx.org/en/support.html for more information. Thank you. -- Maxim Dounin http://nginx.org/ From fares.jaradeh at nuance.com Wed Sep 13 19:56:59 2017 From: fares.jaradeh at nuance.com (Jaradeh, Fares) Date: Wed, 13 Sep 2017 19:56:59 +0000 Subject: [EXTERNAL] Re: Preserving Proxied server original Chunk sizes In-Reply-To: <20170913195103.GK58595@mdounin.ru> References: <20170913195103.GK58595@mdounin.ru> Message-ID: Hello, Thank you for replying to confirm my message was received, Would you be able to advise us regarding the issue in attached ... Please note, our chunk sizes are dynamic depending on the request Thank you Fares -----Original Message----- From: nginx-devel [mailto:nginx-devel-bounces at nginx.org] On Behalf Of Maxim Dounin Sent: Wednesday, September 13, 2017 3:51 PM To: nginx-devel at nginx.org Subject: [EXTERNAL] Re: Preserving Proxied server original Chunk sizes Hello! On Wed, Sep 13, 2017 at 07:09:19PM +0000, Jaradeh, Fares wrote: > I am contacting you for support regarding > https://urldefense.proofpoint.com/v2/url?u=https-3A__stackoverflow.com > _questions_46165415_configure-2Dnginx-2Dproxy-2Dto-2Dpreserve-2Dthe-2D > chunk-2Dsize-2Dsent-2Dfrom-2Dthe-2Dproxied-2Dbackend-2Ds&d=DwICAg&c=dj > jh8EKwHtOepW4Bjau0lKhLlu-DxM1dlgP0rrLsOzY&r=hzyZG1oadm3bN7GeqSIg8qI6a6 > lJEPnNOjJY5iD0d1w&m=ZvrthZdjbKlytjVnP_izUy7sTxjmzyMLCeyo_TkfiXc&s=8Usn > jvVLJTkiE2OBN4t1415kzWOpBFMW3Lpc4hn2LOo&e= [...] This mailing list is dedicated to nginx development. For questions about using nginx please use the nginx@ mailing list instead. See https://urldefense.proofpoint.com/v2/url?u=http-3A__nginx.org_en_support.html&d=DwICAg&c=djjh8EKwHtOepW4Bjau0lKhLlu-DxM1dlgP0rrLsOzY&r=hzyZG1oadm3bN7GeqSIg8qI6a6lJEPnNOjJY5iD0d1w&m=ZvrthZdjbKlytjVnP_izUy7sTxjmzyMLCeyo_TkfiXc&s=cArXUByJZlae56EUV_ri_WiVUOCo1AqxOXW-HjYIknk&e= for more information. Thank you. -- Maxim Dounin https://urldefense.proofpoint.com/v2/url?u=http-3A__nginx.org_&d=DwICAg&c=djjh8EKwHtOepW4Bjau0lKhLlu-DxM1dlgP0rrLsOzY&r=hzyZG1oadm3bN7GeqSIg8qI6a6lJEPnNOjJY5iD0d1w&m=ZvrthZdjbKlytjVnP_izUy7sTxjmzyMLCeyo_TkfiXc&s=gqprp8uh21K4xaEsZuNL-K8Yunocdey2m5Km2hy-xws&e= _______________________________________________ nginx-devel mailing list nginx-devel at nginx.org https://urldefense.proofpoint.com/v2/url?u=http-3A__mailman.nginx.org_mailman_listinfo_nginx-2Ddevel&d=DwICAg&c=djjh8EKwHtOepW4Bjau0lKhLlu-DxM1dlgP0rrLsOzY&r=hzyZG1oadm3bN7GeqSIg8qI6a6lJEPnNOjJY5iD0d1w&m=ZvrthZdjbKlytjVnP_izUy7sTxjmzyMLCeyo_TkfiXc&s=r0WC5Dre8WukhPB1owslPpATjC8vWw_viFiARvSBUsA&e= -------------- next part -------------- An embedded message was scrubbed... From: "Jaradeh, Fares" Subject: Preserving Proxied server original Chunk sizes Date: Wed, 13 Sep 2017 19:09:19 +0000 Size: 9304 URL: From mdounin at mdounin.ru Wed Sep 13 20:08:01 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 13 Sep 2017 23:08:01 +0300 Subject: [EXTERNAL] Re: Preserving Proxied server original Chunk sizes In-Reply-To: References: <20170913195103.GK58595@mdounin.ru> Message-ID: <20170913200801.GM58595@mdounin.ru> Hello! On Wed, Sep 13, 2017 at 07:56:59PM +0000, Jaradeh, Fares wrote: > Thank you for replying to confirm my message was received, > > Would you be able to advise us regarding the issue in attached ... > > Please note, our chunk sizes are dynamic depending on the request As previously suggested, please use the nginx@ mailing list for user-level questions. See http://nginx.org/en/support.html for more information. [...] -- Maxim Dounin http://nginx.org/ From arut at nginx.com Thu Sep 14 11:25:16 2017 From: arut at nginx.com (Roman Arutyunyan) Date: Thu, 14 Sep 2017 11:25:16 +0000 Subject: [nginx] Stream: fixed logging UDP upstream timeout. Message-ID: details: http://hg.nginx.org/nginx/rev/0846dd76a487 branches: changeset: 7105:0846dd76a487 user: Roman Arutyunyan date: Tue Sep 12 13:44:04 2017 +0300 description: Stream: fixed logging UDP upstream timeout. Previously, when the first UDP response packet was not received from the proxied server within proxy_timeout, no error message was logged before switching to the next upstream. Additionally, when one of succeeding response packets was not received within the timeout, the timeout error had low severity because it was logged as a client connection error as opposed to upstream connection error. diffstat: src/stream/ngx_stream_proxy_module.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) diffs (22 lines): diff -r cdbcb73239ee -r 0846dd76a487 src/stream/ngx_stream_proxy_module.c --- a/src/stream/ngx_stream_proxy_module.c Wed Sep 13 15:53:19 2017 +0300 +++ b/src/stream/ngx_stream_proxy_module.c Tue Sep 12 13:44:04 2017 +0300 @@ -1331,13 +1331,17 @@ ngx_stream_proxy_process_connection(ngx_ return; } + ngx_connection_error(pc, NGX_ETIMEDOUT, "upstream timed out"); + if (u->received == 0) { ngx_stream_proxy_next_upstream(s); return; } + + } else { + ngx_connection_error(c, NGX_ETIMEDOUT, "connection timed out"); } - ngx_connection_error(c, NGX_ETIMEDOUT, "connection timed out"); ngx_stream_proxy_finalize(s, NGX_STREAM_OK); return; } From ru at nginx.com Thu Sep 14 13:31:10 2017 From: ru at nginx.com (Ruslan Ermilov) Date: Thu, 14 Sep 2017 16:31:10 +0300 Subject: [PATCH] Resolver: parse hosts file entries In-Reply-To: <74e7e4b4-3583-990e-2e44-429b16393c79@fastmail.com> References: <56e01788-baca-8c2d-c0ca-de1e02965226@fastmail.com> <24b3710c-c9c6-3995-c076-6adb00ae03a2@fastmail.com> <74e7e4b4-3583-990e-2e44-429b16393c79@fastmail.com> Message-ID: <20170914133110.GB93685@lo0.su> Hi, On Mon, Aug 21, 2017 at 11:44:42PM -0700, Thibault Charbonnier wrote: > In case this patch interests anyone, here is an updated version of it. > > It is fully backwards compatible; as long as the new 'hostsfile' option > is not set, resolvers will behave as usual. > > I believe it delivers on the promised features, but if it is lacking > anything that prevents it from being merged, I would be glad to improve > it (for now, the tests have been written with Test::Nginx only). > > Best, > Thibault I did a quick glance at the previous version of your patch in July. The current version of the patch doesn't look much different, so below are my comments on previous version. I personally don't like the idea of parsing /etc/hosts by nginx. The approach choosen looks like a hack, as obviously editing the /etc/hosts file between configuration reloads won't take any effect, which is controversial. Also with this approach, we would end up with some "middle" behavior between how it's done now (when it's known that nginx does only DNS resolving of hostnames) and if nginx was a standard utility and used the system name resolution service which (if configured) can resolve hostnames via /etc/hosts. In an ideal world, nginx would prefer the latter, but unfortunately we can't afford the blocking behavior of the system's resolving API. Thus, in my opinion, such an approach would raise more questions than answers. As to the implementation, offhand I can see two problems. Using the NGX_MAX_UINT32_VALUE as the maximum value won't work on systems with 32-bit signed time_t. And the more fundamental one: the code creates an rbtree node for each line of /etc/hosts, thus given the following natural contents: 127.0.0.1 localhost ::1 localhost I can't predict which one of the two addresses such a "resolver" would return. > # HG changeset patch > # User Thibault Charbonnier > # Date 1488252201 28800 > # Mon Feb 27 19:23:21 2017 -0800 > # Node ID 558041ef1d70689ccc4c12f2487c3f75e6bbbccc > # Parent a2f5e25d6a283546f76435b9fc3e7e814b092bae > Resolver: parse hosts file entries > > The resolver directive can now take an optional 'hostsfile=' option, > such as: > > resolver 8.8.4.4 hostsfile=/etc/hosts; > > Hosts parsed from the hosts file are considered valid forever. The behavior > tries to be conservative, and only parses the hosts file when the option is > provided, to enforce backwards compatibility. > > Additionally, this patch makes the resolver able to handle a host file > in the > absence of a nameserver, like so: > > resolver hostsfile=/etc/hosts; > > The 'hostsfile' option also honors the 'ipv6' flag of the 'resolver' > directive, as in: > > resolver 8.8.4.4 hostsfile=/etc/hosts ipv6=off; > > diff -r a2f5e25d6a28 -r 558041ef1d70 src/core/ngx_resolver.c > --- a/src/core/ngx_resolver.c Thu Aug 10 22:21:23 2017 +0300 > +++ b/src/core/ngx_resolver.c Mon Feb 27 19:23:21 2017 -0800 > @@ -9,11 +9,12 @@ > #include > #include > > - > -#define NGX_RESOLVER_UDP_SIZE 4096 > - > -#define NGX_RESOLVER_TCP_RSIZE (2 + 65535) > -#define NGX_RESOLVER_TCP_WSIZE 8192 > +#define NGX_RESOLVER_HOSTSFILE_BUFFER_SIZE 4096 > + > +#define NGX_RESOLVER_UDP_SIZE 4096 > + > +#define NGX_RESOLVER_TCP_RSIZE (2 + 65535) > +#define NGX_RESOLVER_TCP_WSIZE 8192 > > > typedef struct { > @@ -122,6 +123,8 @@ > ngx_resolver_node_t *rn); > static void ngx_resolver_srv_names_handler(ngx_resolver_ctx_t *ctx); > static ngx_int_t ngx_resolver_cmp_srvs(const void *one, const void *two); > +static ngx_int_t ngx_resolver_parse_hosts_file(ngx_conf_t *cf, > + ngx_resolver_t *r); > > #if (NGX_HAVE_INET6) > static void ngx_resolver_rbtree_insert_addr6_value(ngx_rbtree_node_t > *temp, > @@ -130,7 +133,6 @@ > struct in6_addr *addr, uint32_t hash); > #endif > > - > ngx_resolver_t * > ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n) > { > @@ -246,6 +248,20 @@ > } > #endif > > + if (ngx_strncmp(names[i].data, "hostsfile=", 10) == 0) { > + r->hosts_file.len = names[i].len - 10; > + > + if (r->hosts_file.len == 0) { > + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, > + "invalid parameter: %V", &names[i]); > + return NULL; > + } > + > + r->hosts_file.data = names[i].data + 10; > + > + continue; > + } > + > ngx_memzero(&u, sizeof(ngx_url_t)); > > u.url = names[i]; > @@ -276,6 +292,13 @@ > } > } > > + if (r->hosts_file.len > 0 > + && ngx_resolver_parse_hosts_file(cf, r) > + != NGX_OK) > + { > + return NULL; > + } > + > return r; > } > > @@ -396,7 +419,7 @@ > } > } > > - if (r->connections.nelts == 0) { > + if (r->connections.nelts == 0 && !r->hosts_file.len) { > return NGX_NO_RESOLVER; > } > > @@ -807,6 +830,13 @@ > #endif > > ngx_rbtree_insert(tree, &rn->node); > + > + if (r->connections.nelts == 0) { > + ctx->quick = 1; > + ctx->state = NGX_RESOLVE_NXDOMAIN; > + ctx->handler(ctx); > + return NGX_OK; > + } > } > > if (ctx->service.len) { > @@ -4652,3 +4682,281 @@ > > return p1 - p2; > } > + > + > +static ngx_int_t > +ngx_resolver_parse_hosts_file(ngx_conf_t *cf, ngx_resolver_t *r) > +{ > + off_t file_size; > + u_char ch; > + u_char *start; > + size_t len; > + ssize_t n, size; > + ngx_int_t rc; > + ngx_buf_t b; > + ngx_fd_t fd; > + ngx_str_t filename, s; > + ngx_file_t file; > + in_addr_t addr; > + ngx_resolver_node_t *rn; > + enum { > + scan_line = 0, > + scan_skipline, > + scan_addr, > + scan_hosts, > + scan_name > + } state; > + > + b.start = NULL; > + s.data = NULL; > + s.len = 0; > + rn = NULL; > + rc = NGX_OK; > + > + filename = r->hosts_file; > + > + fd = ngx_open_file(filename.data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0); > + if (fd == NGX_INVALID_FILE) { > + ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno, > + ngx_open_file_n " \"%s\" failed", filename.data); > + return NGX_ERROR; > + } > + > + ngx_memzero(&file, sizeof(ngx_file_t)); > + > + if (ngx_fd_info(fd, &file.info) == NGX_FILE_ERROR) { > + ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno, > + ngx_fd_info_n " \"%s\" failed", filename.data); > + goto fail; > + } > + > + file.fd = fd; > + file.log = cf->log; > + file.name.len = filename.len; > + file.name.data = filename.data; > + file.offset = 0; > + > + b.start = ngx_alloc(NGX_RESOLVER_HOSTSFILE_BUFFER_SIZE, cf->log); > + if (b.start == NULL) { > + goto fail; > + } > + > + b.pos = b.start; > + b.last = b.start; > + b.end = b.last + NGX_RESOLVER_HOSTSFILE_BUFFER_SIZE; > + b.temporary = 1; > + > + start = b.pos; > + state = scan_line; > + file_size = ngx_file_size(&file.info); > + > + for ( ;; ) { > + > + if (b.pos >= b.last) { > + len = b.pos - start; > + > + if (len) { > + ngx_memmove(b.start, start, len); > + } > + > + size = (ssize_t) (file_size - file.offset); > + > + if (size > b.end - (b.start + len)) { > + size = b.end - (b.start + len); > + > + } else if (size == 0) { > + goto done; > + } > + > + n = ngx_read_file(&file, b.start + len, size, file.offset); > + if (n == NGX_ERROR) { > + ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno, > + ngx_read_file_n, " \"%s\" failed", > + filename.data); > + goto fail; > + } > + > + if (n != size) { > + ngx_log_error(NGX_LOG_ERR, cf->log, ngx_errno, > + ngx_read_file_n, " returned only %z bytes " > + "instead of %z", n, size); > + goto fail; > + } > + > + b.pos = b.start + len; > + b.last = b.pos + n; > + start = b.start; > + } > + > + ch = *b.pos; > + > + switch (state) { > + > + case scan_line: > + if (ch == ' ') { > + break; > + } > + > + if (ch == '#') { > + state = scan_skipline; > + break; > + } > + > + if (ch != LF && ch != CR) { > + start = b.pos; > + state = scan_addr; > + } > + > + break; > + > + case scan_skipline: > + if (ch == LF || ch == CR) { > + state = scan_line; > + } > + > + break; > + > + case scan_addr: > + if (ch == LF || ch == CR) { > + state = scan_line; > + break; > + } > + > + if (ch == ' ' || ch == '\t') { > + if (s.data) { > + ngx_free(s.data); > + } > + > + s.len = b.pos - start; > + > + s.data = ngx_alloc(s.len, cf->log); > + if (s.data == NULL) { > + goto fail; > + } > + > + ngx_memcpy(s.data, start, s.len); > + > + state = scan_hosts; > + } > + > + break; > + > + case scan_hosts: > + if (ch == LF || ch == CR) { > + state = scan_line; > + break; > + } > + > + if (ch == ' ' || ch == '\t') { > + break; > + } > + > + start = b.pos; > + state = scan_name; > + break; > + > + case scan_name: > + if (ch == ' ' || ch == '\t' || ch == LF || ch == CR) { > + rn = ngx_calloc(sizeof(ngx_resolver_node_t), cf->log); > + if (rn == NULL) { > + goto fail; > + } > + > + rn->nlen = b.pos - start; > + > + rn->name = ngx_alloc(rn->nlen, cf->log); > + if (rn->name == NULL) { > + goto fail; > + } > + > + ngx_memcpy(rn->name, start, rn->nlen); > + > + rn->ttl = NGX_MAX_UINT32_VALUE; > + rn->valid = NGX_MAX_UINT32_VALUE; > + rn->expire = NGX_MAX_UINT32_VALUE; > + rn->node.key = ngx_crc32_short(rn->name, rn->nlen); > + > + if (ngx_strlchr(s.data, > + s.data + s.len, ':') != NULL) > + { > + > +#if (NGX_HAVE_INET6) > + if (!r->ipv6 > + || ngx_inet6_addr(s.data, s.len, > + rn->u6.addr6.s6_addr) != NGX_OK) > + { > +#endif > + > + ngx_resolver_free_node(r, rn); > + state = scan_skipline; > + break; > + > +#if (NGX_HAVE_INET6) > + } > + > + rn->naddrs6 = 1; > +#endif > + > + } else { > + addr = ngx_inet_addr(s.data, s.len); > + if (addr == INADDR_NONE) { > + ngx_resolver_free_node(r, rn); > + state = scan_skipline; > + break; > + } > + > + rn->naddrs = 1; > + rn->u.addr = addr; > + } > + > + ngx_log_error(NGX_LOG_NOTICE, cf->log, 0, > + "host \"%*s\" will resolve to \"%V\" " > + "(hosts file at \"%V\")", > + rn->nlen, rn->name, &s, &filename); > + > + ngx_rbtree_insert(&r->name_rbtree, &rn->node); > + > + ngx_queue_insert_head(&r->name_expire_queue, &rn->queue); > + > + if (ch == LF || ch == CR) { > + state = scan_line; > + break; > + } > + > + state = scan_hosts; > + } > + > + break; > + } > + > + b.pos++; > + } > + > +fail: > + > + rc = NGX_ERROR; > + > +done: > + > + if (s.data) { > + ngx_free(s.data); > + } > + > + if (b.start) { > + ngx_free(b.start); > + } > + > + if (ngx_close_file(fd) == NGX_FILE_ERROR) { > + ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno, > + ngx_close_file_n, " \"%s\" failed", > + filename.data); > + rc = NGX_ERROR; > + } > + > + if (rc == NGX_ERROR) { > + return NGX_ERROR; > + } > + > + return NGX_OK; > +} > + > diff -r a2f5e25d6a28 -r 558041ef1d70 src/core/ngx_resolver.h > --- a/src/core/ngx_resolver.h Thu Aug 10 22:21:23 2017 +0300 > +++ b/src/core/ngx_resolver.h Mon Feb 27 19:23:21 2017 -0800 > @@ -146,6 +146,8 @@ > > > struct ngx_resolver_s { > + ngx_str_t hosts_file; > + > /* has to be pointer because of "incomplete type" */ > ngx_event_t *event; > void *dummy; > _______________________________________________ > nginx-devel mailing list > nginx-devel at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-devel > -- Ruslan Ermilov Join us at nginx.conf, Sep. 6-8, Portland, OR https://www.nginx.com/nginxconf From mdounin at mdounin.ru Thu Sep 14 17:17:23 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 14 Sep 2017 17:17:23 +0000 Subject: [nginx] HTTP/2: added logging of 400 (Bad Request) reasons. Message-ID: details: http://hg.nginx.org/nginx/rev/d77407baccd1 branches: changeset: 7106:d77407baccd1 user: Maxim Dounin date: Thu Sep 14 19:06:03 2017 +0300 description: HTTP/2: added logging of 400 (Bad Request) reasons. diffstat: src/http/v2/ngx_http_v2.c | 13 +++++++++++++ 1 files changed, 13 insertions(+), 0 deletions(-) diffs (23 lines): diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c +++ b/src/http/v2/ngx_http_v2.c @@ -3337,6 +3337,19 @@ ngx_http_v2_construct_request_line(ngx_h || r->schema_start == NULL || r->unparsed_uri.len == 0) { + if (r->method_name.len == 0) { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "client sent no :method header"); + + } else if (r->schema_start == NULL) { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "client sent no :schema header"); + + } else { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "client sent no :path header"); + } + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); return NGX_ERROR; } From mdounin at mdounin.ru Thu Sep 14 17:17:26 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 14 Sep 2017 17:17:26 +0000 Subject: [nginx] HTTP/2: fixed debug log about indexed headers. Message-ID: details: http://hg.nginx.org/nginx/rev/d4b031cf32cf branches: changeset: 7107:d4b031cf32cf user: Maxim Dounin date: Thu Sep 14 19:06:05 2017 +0300 description: HTTP/2: fixed debug log about indexed headers. Previously, "get indexed header" message was logged when in fact only header name was obtained using an index, and "get indexed header name" was logged when full header representation (name and value) was obtained using an index. Fixed version logs "get indexed name" and "get indexed header" respectively. diffstat: src/http/v2/ngx_http_v2_table.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff --git a/src/http/v2/ngx_http_v2_table.c b/src/http/v2/ngx_http_v2_table.c --- a/src/http/v2/ngx_http_v2_table.c +++ b/src/http/v2/ngx_http_v2_table.c @@ -102,7 +102,7 @@ ngx_http_v2_get_indexed_header(ngx_http_ ngx_log_debug2(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0, "http2 get indexed %s: %ui", - name_only ? "header" : "header name", index); + name_only ? "name" : "header", index); index--; From mdounin at mdounin.ru Thu Sep 14 17:17:28 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 14 Sep 2017 17:17:28 +0000 Subject: [nginx] HTTP/2: shortened some debug log messages. Message-ID: details: http://hg.nginx.org/nginx/rev/2bf605c6edf7 branches: changeset: 7108:2bf605c6edf7 user: Maxim Dounin date: Thu Sep 14 19:06:06 2017 +0300 description: HTTP/2: shortened some debug log messages. This ensures slightly more readable debug logs on 80-character-wide terminals. diffstat: src/http/v2/ngx_http_v2.c | 10 +++++----- src/http/v2/ngx_http_v2_filter_module.c | 2 +- src/http/v2/ngx_http_v2_table.c | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diffs (81 lines): diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c +++ b/src/http/v2/ngx_http_v2.c @@ -748,7 +748,7 @@ ngx_http_v2_state_head(ngx_http_v2_conne type = ngx_http_v2_parse_type(head); ngx_log_debug4(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0, - "process http2 frame type:%ui f:%Xd l:%uz sid:%ui", + "http2 frame type:%ui f:%Xd l:%uz sid:%ui", type, h2c->state.flags, h2c->state.length, h2c->state.sid); if (type >= NGX_HTTP_V2_FRAME_STATES) { @@ -1316,7 +1316,7 @@ ngx_http_v2_state_field_len(ngx_http_v2_ } ngx_log_debug2(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0, - "http2 hpack %s string length: %i", + "http2 %s string, len:%i", huff ? "encoded" : "raw", len); h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx, @@ -1571,7 +1571,7 @@ ngx_http_v2_state_process_header(ngx_htt if (rc == NGX_OK) { ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http2 pseudo-header: \":%V: %V\"", + "http2 header: \":%V: %V\"", &header->name, &header->value); return ngx_http_v2_state_header_complete(h2c, pos, end); @@ -1647,7 +1647,7 @@ ngx_http_v2_state_process_header(ngx_htt } ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http2 http header: \"%V: %V\"", + "http2 header: \"%V: %V\"", &header->name, &header->value); return ngx_http_v2_state_header_complete(h2c, pos, end); @@ -3375,7 +3375,7 @@ ngx_http_v2_construct_request_line(ngx_h ngx_memcpy(p, ending, sizeof(ending)); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http2 http request line: \"%V\"", &r->request_line); + "http2 request line: \"%V\"", &r->request_line); return NGX_OK; } diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c --- a/src/http/v2/ngx_http_v2_filter_module.c +++ b/src/http/v2/ngx_http_v2_filter_module.c @@ -1269,7 +1269,7 @@ ngx_http_v2_flow_control(ngx_http_v2_con ngx_http_v2_stream_t *stream) { ngx_log_debug3(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0, - "http2:%ui available windows: conn:%uz stream:%z", + "http2:%ui windows: conn:%uz stream:%z", stream->node->id, h2c->send_window, stream->send_window); if (stream->send_window <= 0) { diff --git a/src/http/v2/ngx_http_v2_table.c b/src/http/v2/ngx_http_v2_table.c --- a/src/http/v2/ngx_http_v2_table.c +++ b/src/http/v2/ngx_http_v2_table.c @@ -180,7 +180,7 @@ ngx_http_v2_add_header(ngx_http_v2_conne ngx_http_v2_header_t *entry, **entries; ngx_log_debug2(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0, - "http2 add header to hpack table: \"%V: %V\"", + "http2 table add: \"%V: %V\"", &header->name, &header->value); if (h2c->hpack.entries == NULL) { @@ -293,7 +293,7 @@ ngx_http_v2_table_account(ngx_http_v2_co size += 32; ngx_log_debug2(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0, - "http2 hpack table account: %uz free:%uz", + "http2 table account: %uz free:%uz", size, h2c->hpack.free); if (size <= h2c->hpack.free) { From thibaultcha at fastmail.com Sat Sep 16 01:24:45 2017 From: thibaultcha at fastmail.com (Thibault Charbonnier) Date: Fri, 15 Sep 2017 18:24:45 -0700 Subject: [PATCH] Resolver: parse hosts file entries In-Reply-To: <20170914133110.GB93685@lo0.su> References: <56e01788-baca-8c2d-c0ca-de1e02965226@fastmail.com> <24b3710c-c9c6-3995-c076-6adb00ae03a2@fastmail.com> <74e7e4b4-3583-990e-2e44-429b16393c79@fastmail.com> <20170914133110.GB93685@lo0.su> Message-ID: <32bee58a-64ec-a6ce-d7a5-19a5974c2dd8@fastmail.com> Hi, Thank you Ruslan for your answer. On 9/14/17 6:31 AM, Ruslan Ermilov wrote: > I personally don't like the idea of parsing /etc/hosts by nginx. > The approach choosen looks like a hack, as obviously editing the > /etc/hosts file between configuration reloads won't take any effect, > which is controversial. I can understand that and even relate. If this point were to be raised as a blocker during review, I wanted to suggest making the hostnames parsed from /etc/hosts respect the 'valid' option of the nginx resolver. When the parsed records reach this ttl, we could parse the file again, thus limiting I/O to a minimum and still allowing changes to /etc/hosts to take effect somewhat intuitively (since the 'valid' option of the nginx resolver is already known by users). This behavior could simply be documented. > Thus, in my opinion, such an approach would raise more questions than > answers. One could maybe argue that not resolving /etc/hosts raises just as many questions, with different answers? Maybe a compromised approach as suggested above could help alleviate this feeling? Documentation also plays an important role in answering those questions I think? Plus, this feature being disabled by default, if users want to learn its existence or its usage, they would have to read the documentation. The proposed behavior doesn't seem too complicated to document. > As to the implementation, offhand I can see two problems. Using the > NGX_MAX_UINT32_VALUE as the maximum value won't work on systems with > 32-bit signed time_t. Indeed. Although this concern seems to be nullified if we take the approach of using the 'valid' option as ttl? > And the more fundamental one: the code creates > an rbtree node for each line of /etc/hosts, thus given the following > natural contents: > > 127.0.0.1 localhost > ::1 localhost > > I can't predict which one of the two addresses such a "resolver" > would return. Yes. This is an edge-case I have realized shortly after proposing the latest version of the patch, but due to the lack of response, I haven't done anything about it - yet. I believe it would be easy to override any previous node bearing the same hostname with the ones coming after, which is, I think, how this situation is conventionally handled. All in all, I am more than willing to update the patch with any change you deem necessary, but if the nginx team is not convinced of its usefulness regardless, then that is another story. Maybe my above proposals make this feature more suitable for the nginx resolver? Thank you again for your reply! -- Thibault From ru at nginx.com Mon Sep 18 08:11:59 2017 From: ru at nginx.com (Ruslan Ermilov) Date: Mon, 18 Sep 2017 08:11:59 +0000 Subject: [nginx] Removed more remnants of the old pthread implementation. Message-ID: details: http://hg.nginx.org/nginx/rev/4a670c18e5e6 branches: changeset: 7109:4a670c18e5e6 user: Ruslan Ermilov date: Mon Sep 18 11:09:41 2017 +0300 description: Removed more remnants of the old pthread implementation. After e284f3ff6831, ngx_crypt() can no longer return NGX_AGAIN. diffstat: src/http/modules/ngx_http_auth_basic_module.c | 70 +++++--------------------- src/os/unix/ngx_user.c | 10 --- 2 files changed, 15 insertions(+), 65 deletions(-) diffs (155 lines): diff -r 2bf605c6edf7 -r 4a670c18e5e6 src/http/modules/ngx_http_auth_basic_module.c --- a/src/http/modules/ngx_http_auth_basic_module.c Thu Sep 14 19:06:06 2017 +0300 +++ b/src/http/modules/ngx_http_auth_basic_module.c Mon Sep 18 11:09:41 2017 +0300 @@ -15,11 +15,6 @@ typedef struct { - ngx_str_t passwd; -} ngx_http_auth_basic_ctx_t; - - -typedef struct { ngx_http_complex_value_t *realm; ngx_http_complex_value_t user_file; } ngx_http_auth_basic_loc_conf_t; @@ -27,7 +22,7 @@ typedef struct { static ngx_int_t ngx_http_auth_basic_handler(ngx_http_request_t *r); static ngx_int_t ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r, - ngx_http_auth_basic_ctx_t *ctx, ngx_str_t *passwd, ngx_str_t *realm); + ngx_str_t *passwd, ngx_str_t *realm); static ngx_int_t ngx_http_auth_basic_set_realm(ngx_http_request_t *r, ngx_str_t *realm); static void ngx_http_auth_basic_close(ngx_file_t *file); @@ -103,7 +98,6 @@ ngx_http_auth_basic_handler(ngx_http_req ngx_str_t pwd, realm, user_file; ngx_uint_t i, level, login, left, passwd; ngx_file_t file; - ngx_http_auth_basic_ctx_t *ctx; ngx_http_auth_basic_loc_conf_t *alcf; u_char buf[NGX_HTTP_AUTH_BUF_SIZE]; enum { @@ -126,13 +120,6 @@ ngx_http_auth_basic_handler(ngx_http_req return NGX_DECLINED; } - ctx = ngx_http_get_module_ctx(r, ngx_http_auth_basic_module); - - if (ctx) { - return ngx_http_auth_basic_crypt_handler(r, ctx, &ctx->passwd, - &realm); - } - rc = ngx_http_auth_basic_user(r); if (rc == NGX_DECLINED) { @@ -237,8 +224,7 @@ ngx_http_auth_basic_handler(ngx_http_req pwd.len = i - passwd; pwd.data = &buf[passwd]; - return ngx_http_auth_basic_crypt_handler(r, NULL, &pwd, - &realm); + return ngx_http_auth_basic_crypt_handler(r, &pwd, &realm); } break; @@ -276,7 +262,7 @@ ngx_http_auth_basic_handler(ngx_http_req ngx_cpystrn(pwd.data, &buf[passwd], pwd.len + 1); - return ngx_http_auth_basic_crypt_handler(r, NULL, &pwd, &realm); + return ngx_http_auth_basic_crypt_handler(r, &pwd, &realm); } ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, @@ -288,8 +274,8 @@ ngx_http_auth_basic_handler(ngx_http_req static ngx_int_t -ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r, - ngx_http_auth_basic_ctx_t *ctx, ngx_str_t *passwd, ngx_str_t *realm) +ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r, ngx_str_t *passwd, + ngx_str_t *realm) { ngx_int_t rc; u_char *encrypted; @@ -301,48 +287,22 @@ ngx_http_auth_basic_crypt_handler(ngx_ht "rc: %i user: \"%V\" salt: \"%s\"", rc, &r->headers_in.user, passwd->data); - if (rc == NGX_OK) { - if (ngx_strcmp(encrypted, passwd->data) == 0) { - return NGX_OK; - } - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "encrypted: \"%s\"", encrypted); - - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "user \"%V\": password mismatch", - &r->headers_in.user); - - return ngx_http_auth_basic_set_realm(r, realm); - } - - if (rc == NGX_ERROR) { + if (rc != NGX_OK) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } - /* rc == NGX_AGAIN */ - - if (ctx == NULL) { - ctx = ngx_palloc(r->pool, sizeof(ngx_http_auth_basic_ctx_t)); - if (ctx == NULL) { - return NGX_HTTP_INTERNAL_SERVER_ERROR; - } - - ngx_http_set_ctx(r, ctx, ngx_http_auth_basic_module); - - ctx->passwd.len = passwd->len; - passwd->len++; - - ctx->passwd.data = ngx_pstrdup(r->pool, passwd); - if (ctx->passwd.data == NULL) { - return NGX_HTTP_INTERNAL_SERVER_ERROR; - } - + if (ngx_strcmp(encrypted, passwd->data) == 0) { + return NGX_OK; } - /* TODO: add mutex event */ + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "encrypted: \"%s\"", encrypted); - return rc; + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "user \"%V\": password mismatch", + &r->headers_in.user); + + return ngx_http_auth_basic_set_realm(r, realm); } diff -r 2bf605c6edf7 -r 4a670c18e5e6 src/os/unix/ngx_user.c --- a/src/os/unix/ngx_user.c Thu Sep 14 19:06:06 2017 +0300 +++ b/src/os/unix/ngx_user.c Mon Sep 18 11:09:41 2017 +0300 @@ -9,16 +9,6 @@ #include -/* - * Solaris has thread-safe crypt() - * Linux has crypt_r(); "struct crypt_data" is more than 128K - * FreeBSD needs the mutex to protect crypt() - * - * TODO: - * ngx_crypt_init() to init mutex - */ - - #if (NGX_CRYPT) #if (NGX_HAVE_GNU_CRYPT_R) From mdounin at mdounin.ru Mon Sep 18 13:38:08 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 18 Sep 2017 16:38:08 +0300 Subject: [PATCH] Resolver: parse hosts file entries In-Reply-To: <32bee58a-64ec-a6ce-d7a5-19a5974c2dd8@fastmail.com> References: <56e01788-baca-8c2d-c0ca-de1e02965226@fastmail.com> <24b3710c-c9c6-3995-c076-6adb00ae03a2@fastmail.com> <74e7e4b4-3583-990e-2e44-429b16393c79@fastmail.com> <20170914133110.GB93685@lo0.su> <32bee58a-64ec-a6ce-d7a5-19a5974c2dd8@fastmail.com> Message-ID: <20170918133807.GZ58595@mdounin.ru> Hello! On Fri, Sep 15, 2017 at 06:24:45PM -0700, Thibault Charbonnier wrote: [...] > > Thus, in my opinion, such an approach would raise more questions than > > answers. > > One could maybe argue that not resolving /etc/hosts raises just as many > questions, with different answers? Maybe a compromised approach as > suggested above could help alleviate this feeling? Current answers are quite obvious and intuitive: - All names resolved via resolver are resolved using the DNS servers specified. Nothing more. - If one want to specify static mapping, he/she can use upstream{} blocks to do so. Trying to introduce additional sources of information will inevitable add more questions with not-so-obvious answers. Not to mention that the next step will be to add nsswitch.conf and other sources it supports, as well as source ordering. And this is certainly not something we want to add. So I think the main question here is: why it should be added, if at all? Which problems this feature is expected to resolve? Current answers does not seem to outweight questions added / support costs of this feature. Especially given the fact that code suggested is far from being committable. -- Maxim Dounin http://nginx.org/ From david.freedman at uk.clara.net Tue Sep 19 23:49:13 2017 From: david.freedman at uk.clara.net (David Freedman) Date: Tue, 19 Sep 2017 23:49:13 +0000 Subject: Contrib: http2 per server (was re: [nginx] support http2 per server) Message-ID: <091DFB29-F91A-4C72-B629-20342A542E90@uk.clara.net> Following on from the previous thread on this ( http://mailman.nginx.org/pipermail/nginx-devel/2017-June/010079.html ) , and after discussion with the original author < hongzhidao at gmail.com > , I'd like to present the patches we are using. Please note the following improvements / modifications: 1. Default state is set to off during conf merge, so that existing behaviour of enabling http2 directive on the listener and having it apply to all servers is preserved. 2. Attempts to re-use a connection via the listener to access a server without ssl_h2 enabled (i.e, explicitly set to off) are met with a 421 (Misdirected Request), enforcing the intended switch behavior on the server block, (in response to the comment made in http://mailman.nginx.org/pipermail/nginx-devel/2017-June/010091.html ) This works in much the same way as the ssl verify in that after SNI and in ngx_http_set_virtual_server(), we check for the switch state on the target server. 3. Tests added to the test suite. Patches follow below (decided not to patchbomb as this is across two repositories) , feedback welcome - we'd like to see this feature adopted as it is clearly needed. Patch against main project ------------------------------------- # HG changeset patch # User David Freedman # Date 1504832866 0 # Fri Sep 08 01:07:46 2017 +0000 # Node ID 2806e0ba8e91978ad6ce18ff1605b89bdd7806f4 # Parent 6b6e15bbda9269d03d66130efd51921dfedd93cb Supports selective enabling of http2 for SSL/TLS sites using new ssl_h2 option. diff -r 6b6e15bbda92 -r 2806e0ba8e91 src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c Tue Sep 05 17:59:31 2017 +0300 +++ b/src/http/modules/ngx_http_ssl_module.c Fri Sep 08 01:07:46 2017 +0000 @@ -234,6 +234,13 @@ offsetof(ngx_http_ssl_srv_conf_t, stapling_verify), NULL }, + { ngx_string("ssl_h2"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, + ngx_http_ssl_enable, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, h2), + NULL }, + ngx_null_command }; @@ -354,6 +361,7 @@ #endif #if (NGX_HTTP_V2) ngx_http_connection_t *hc; + ngx_http_ssl_srv_conf_t *sscf; #endif #if (NGX_HTTP_V2 || NGX_DEBUG) ngx_connection_t *c; @@ -372,7 +380,9 @@ #if (NGX_HTTP_V2) hc = c->data; - if (hc->addr_conf->http2) { + sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); + + if (hc->addr_conf->http2 && sscf->h2) { srv = (unsigned char *) NGX_HTTP_V2_ALPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE; srvlen = sizeof(NGX_HTTP_V2_ALPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1; @@ -416,10 +426,13 @@ #if (NGX_HTTP_V2) { ngx_http_connection_t *hc; + ngx_http_ssl_srv_conf_t *sscf; hc = c->data; - if (hc->addr_conf->http2) { + sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); + + if (hc->addr_conf->http2 && sscf->h2) { *out = (unsigned char *) NGX_HTTP_V2_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE; *outlen = sizeof(NGX_HTTP_V2_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1; @@ -559,6 +572,7 @@ sscf->session_ticket_keys = NGX_CONF_UNSET_PTR; sscf->stapling = NGX_CONF_UNSET; sscf->stapling_verify = NGX_CONF_UNSET; + sscf->h2 = NGX_CONF_UNSET; return sscf; } @@ -624,6 +638,8 @@ ngx_conf_merge_str_value(conf->stapling_responder, prev->stapling_responder, ""); + ngx_conf_merge_value(conf->h2, prev->h2, 1); + conf->ssl.log = cf->log; if (conf->enable) { diff -r 6b6e15bbda92 -r 2806e0ba8e91 src/http/modules/ngx_http_ssl_module.h --- a/src/http/modules/ngx_http_ssl_module.h Tue Sep 05 17:59:31 2017 +0300 +++ b/src/http/modules/ngx_http_ssl_module.h Fri Sep 08 01:07:46 2017 +0000 @@ -57,6 +57,9 @@ u_char *file; ngx_uint_t line; + + ngx_flag_t h2; + } ngx_http_ssl_srv_conf_t; diff -r 6b6e15bbda92 -r 2806e0ba8e91 src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c Tue Sep 05 17:59:31 2017 +0300 +++ b/src/http/ngx_http_request.c Fri Sep 08 01:07:46 2017 +0000 @@ -795,6 +795,7 @@ unsigned int len; const unsigned char *data; ngx_http_connection_t *hc; + ngx_http_ssl_srv_conf_t *sscf; hc = c->data; @@ -813,9 +814,15 @@ SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len); #endif - if (len == 2 && data[0] == 'h' && data[1] == '2') { - ngx_http_v2_init(c->read); - return; + sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); + + if (sscf->h2) { + + if (len == 2 && data[0] == 'h' && data[1] == '2') { + ngx_http_v2_init(c->read); + return; + } + } } } @@ -2106,6 +2113,15 @@ ngx_http_finalize_request(r, NGX_HTTP_MISDIRECTED_REQUEST); return NGX_ERROR; } +#if (NGX_HTTP_V2) + if (hc->addr_conf->http2 && !sscf->h2) { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "client attempted to request a server name " + "that does not have http2 enabled"); + ngx_http_finalize_request(r, NGX_HTTP_MISDIRECTED_REQUEST); + return NGX_ERROR; + } +#endif } #endif Patch against test suite --------------------------------- # HG changeset patch # User David Freedman # Date 1505862083 0 # Tue Sep 19 23:01:23 2017 +0000 # Node ID b0bcd8bc295f8bf4dc735ea8d3ab44061eb88bdb # Parent f373a718f6463a949e2f0fe88a078425b7ba3b73 Tests: add testing for ssl_h2 (selective http2 over ssl) diff -r f373a718f646 -r b0bcd8bc295f h2_ssl.t --- a/h2_ssl.t Mon Sep 11 20:06:15 2017 +0300 +++ b/h2_ssl.t Tue Sep 19 23:01:23 2017 +0000 @@ -50,6 +50,18 @@ location / { } } + + server { + listen 127.0.0.1:8081 http2 ssl; + server_name localhost; + + ssl_h2 off; + + ssl_certificate_key localhost.key; + ssl_certificate localhost.crt; + + location / { } + } } EOF @@ -80,6 +92,7 @@ open STDERR, ">&", \*OLDERR; plan(skip_all => 'no ALPN/NPN negotiation') unless defined getconn(port(8080)); +plan(skip_all => 'no ALPN/NPN negotiation') if defined getconn(port(8081)); $t->plan(1); ############################################################################### @@ -113,7 +126,7 @@ my $sock = Test::Nginx::HTTP2::new_socket($port, SSL => 1, alpn => 'h2'); $s = Test::Nginx::HTTP2->new($port, socket => $sock) - if $sock->alpn_selected(); + if ($sock->alpn_selected() && $sock->alpn_selected()=~m/h2/); }; return $s if defined $s; @@ -122,7 +135,7 @@ my $sock = Test::Nginx::HTTP2::new_socket($port, SSL => 1, npn => 'h2'); $s = Test::Nginx::HTTP2->new($port, socket => $sock) - if $sock->next_proto_negotiated(); + if ($sock->next_proto_negotiated() && $sock->next_proto_negotiated()=~m/h2/); }; return $s; diff -r f373a718f646 -r b0bcd8bc295f h2_ssl_verify_authority.t --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/h2_ssl_verify_authority.t Tue Sep 19 23:01:23 2017 +0000 @@ -0,0 +1,153 @@ +#!/usr/bin/perl + +# Tests for HTTP/2 protocol with ssl, ssl_verify_authority + +############################################################################### + +use warnings; +use strict; + +use Test::More; + +BEGIN { use FindBin; chdir($FindBin::Bin); } + +use lib 'lib'; +use Test::Nginx; +use Test::Nginx::HTTP2; + +############################################################################### + +select STDERR; $| = 1; +select STDOUT; $| = 1; + +eval { require IO::Socket::SSL; }; +plan(skip_all => 'IO::Socket::SSL not installed') if $@; +eval { IO::Socket::SSL->can_client_sni() or die; }; +plan(skip_all => 'IO::Socket::SSL with OpenSSL SNI support required') if $@; +eval { IO::Socket::SSL->can_alpn() or die; }; +plan(skip_all => 'OpenSSL ALPN support required') if $@; + +my $t = Test::Nginx->new()->has(qw/http http_ssl sni http_v2/) + ->has_daemon('openssl'); + +$t->write_file_expand('nginx.conf', <<'EOF'); + +%%TEST_GLOBALS%% + +daemon off; + +events { +} + +http { + %%TEST_GLOBALS_HTTP%% + + ssl_certificate_key localhost.key; + ssl_certificate localhost.crt; + + server { + listen 127.0.0.1:8080 ssl http2; + server_name localhost; + + location / { } + } + + server { + listen 127.0.0.1:8080 ssl; + server_name example.com; + + ssl_h2 off; + + location / { } + } +} + +EOF + +$t->write_file('openssl.conf', <testdir(); + +foreach my $name ('localhost') { + system('openssl req -x509 -new ' + . "-config '$d/openssl.conf' -subj '/CN=$name/' " + . "-out '$d/$name.crt' -keyout '$d/$name.key' " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for $name: $!\n"; +} + +$t->write_file('t', 'SEE-THIS'); + +open OLDERR, ">&", \*STDERR; close STDERR; +$t->run(); +open STDERR, ">&", \*OLDERR; + +my $s = get_ssl_socket(); +plan(skip_all => 'no alpn') unless $s->alpn_selected(); +$t->plan(2); + +############################################################################### + +my $sess = get_sess('localhost'); +is(get($sess, 'localhost')->{':status'}, '200', 'ok'); +is(get($sess, 'example.com')->{':status'}, '421', 'misdirected'); +############################################################################### + +sub get_ssl_socket { + my ($sni) = @_; + my $s; + + eval { + local $SIG{ALRM} = sub { die "timeout\n" }; + local $SIG{PIPE} = sub { die "sigpipe\n" }; + alarm(2); + $s = IO::Socket::SSL->new( + Proto => 'tcp', + PeerAddr => '127.0.0.1', + PeerPort => port(8080), + SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), + SSL_alpn_protocols => [ 'h2' ], + SSL_hostname => $sni, + SSL_error_trap => sub { die $_[1] } + ); + alarm(0); + }; + alarm(0); + + if ($@) { + log_in("died: $@"); + return undef; + } + + return $s; +} + +sub get_sess { + my $sni = shift; + my $s = get_ssl_socket($sni); + my $sess = Test::Nginx::HTTP2->new(port(8080), socket => $s); + + return $sess +} + +sub get { + my ($sess, $host) = @_; + + my $sid = $sess->new_stream({ headers => [ + { name => ':method', value => 'GET', mode => 0 }, + { name => ':scheme', value => 'http', mode => 0 }, + { name => ':path', value => '/t', mode => 1 }, + { name => ':authority', value => $host, mode => 1 }]}); + my $frames = $sess->read(all => [{ sid => $sid, fin => 1 }]); + + my ($frame) = grep { $_->{type} eq "HEADERS" } @$frames; + return $frame->{'headers'}; +} + +############################################################################### From pluknet at nginx.com Wed Sep 20 13:21:22 2017 From: pluknet at nginx.com (Sergey Kandaurov) Date: Wed, 20 Sep 2017 16:21:22 +0300 Subject: Heap buffer overflow (read) when using $binary_remote_addr with unix sockets In-Reply-To: References: Message-ID: <3A98A020-EE7F-428A-BFF9-11FF545BFD70@nginx.com> > On 15 Aug 2017, at 13:10, Stephan Dollberg via nginx-devel wrote: > > Hi, > > When using $binary_remote_addr together with unix sockets (without > using X-Real-Ip) there is a heap buffer overread of two bytes. > > The problem is that we only allocate two bytes for c->sockaddr here > http://hg.nginx.org/nginx/file/tip/src/event/ngx_event_accept.c#l167 > but later on assume it to be of size four > http://hg.nginx.org/nginx/file/tip/src/http/ngx_http_variables.c#l1246 > > Thanks, this is a valid report. The reason is that UNIX-domain sockets support is not implemented for $binary_remote_addr. There are actually more issues, we are working on it. -- Sergey Kandaurov From ru at nginx.com Fri Sep 22 10:11:48 2017 From: ru at nginx.com (Ruslan Ermilov) Date: Fri, 22 Sep 2017 10:11:48 +0000 Subject: [nginx] Do not use the obsolete NGX_SOCKADDRLEN macro. Message-ID: details: http://hg.nginx.org/nginx/rev/3b1b81e248bc branches: changeset: 7110:3b1b81e248bc user: Ruslan Ermilov date: Fri Sep 22 13:10:49 2017 +0300 description: Do not use the obsolete NGX_SOCKADDRLEN macro. The change in ac120e797d28 re-used the macro which was made obsolete in adf25b8d0431. diffstat: src/http/modules/ngx_http_upstream_zone_module.c | 2 +- src/stream/ngx_stream_upstream_zone_module.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diffs (24 lines): diff -r 4a670c18e5e6 -r 3b1b81e248bc src/http/modules/ngx_http_upstream_zone_module.c --- a/src/http/modules/ngx_http_upstream_zone_module.c Mon Sep 18 11:09:41 2017 +0300 +++ b/src/http/modules/ngx_http_upstream_zone_module.c Fri Sep 22 13:10:49 2017 +0300 @@ -281,7 +281,7 @@ ngx_http_upstream_zone_copy_peer(ngx_htt dst->server.data = NULL; } - dst->sockaddr = ngx_slab_calloc_locked(pool, NGX_SOCKADDRLEN); + dst->sockaddr = ngx_slab_calloc_locked(pool, sizeof(ngx_sockaddr_t)); if (dst->sockaddr == NULL) { goto failed; } diff -r 4a670c18e5e6 -r 3b1b81e248bc src/stream/ngx_stream_upstream_zone_module.c --- a/src/stream/ngx_stream_upstream_zone_module.c Mon Sep 18 11:09:41 2017 +0300 +++ b/src/stream/ngx_stream_upstream_zone_module.c Fri Sep 22 13:10:49 2017 +0300 @@ -278,7 +278,7 @@ ngx_stream_upstream_zone_copy_peer(ngx_s dst->server.data = NULL; } - dst->sockaddr = ngx_slab_calloc_locked(pool, NGX_SOCKADDRLEN); + dst->sockaddr = ngx_slab_calloc_locked(pool, sizeof(ngx_sockaddr_t)); if (dst->sockaddr == NULL) { goto failed; } From ru at nginx.com Fri Sep 22 15:39:07 2017 From: ru at nginx.com (Ruslan Ermilov) Date: Fri, 22 Sep 2017 15:39:07 +0000 Subject: [nginx] Style. Message-ID: details: http://hg.nginx.org/nginx/rev/6d1f3bb72b07 branches: changeset: 7111:6d1f3bb72b07 user: Ruslan Ermilov date: Fri Sep 22 18:37:49 2017 +0300 description: Style. diffstat: src/stream/ngx_stream_variables.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff -r 3b1b81e248bc -r 6d1f3bb72b07 src/stream/ngx_stream_variables.c --- a/src/stream/ngx_stream_variables.c Fri Sep 22 13:10:49 2017 +0300 +++ b/src/stream/ngx_stream_variables.c Fri Sep 22 18:37:49 2017 +0300 @@ -460,7 +460,7 @@ ngx_stream_get_variable(ngx_stream_sessi static ngx_int_t ngx_stream_variable_binary_remote_addr(ngx_stream_session_t *s, ngx_stream_variable_value_t *v, uintptr_t data) - { +{ struct sockaddr_in *sin; #if (NGX_HAVE_INET6) struct sockaddr_in6 *sin6; From ru at nginx.com Fri Sep 22 19:50:49 2017 From: ru at nginx.com (Ruslan Ermilov) Date: Fri, 22 Sep 2017 19:50:49 +0000 Subject: [nginx] Modules compatibility: down flag promoted to a bitmask. Message-ID: details: http://hg.nginx.org/nginx/rev/5a3ab1b5804b branches: changeset: 7112:5a3ab1b5804b user: Ruslan Ermilov date: Fri Sep 22 22:49:42 2017 +0300 description: Modules compatibility: down flag promoted to a bitmask. It is to be used as a bitmask with various bits set/reset when appropriate. 63b8b157b776 made a similar change to ngx_http_upstream_rr_peer_t.down and ngx_stream_upstream_rr_peer_t.down. diffstat: src/http/ngx_http_upstream.h | 2 +- src/stream/ngx_stream_upstream.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diffs (26 lines): diff -r 6d1f3bb72b07 -r 5a3ab1b5804b src/http/ngx_http_upstream.h --- a/src/http/ngx_http_upstream.h Fri Sep 22 18:37:49 2017 +0300 +++ b/src/http/ngx_http_upstream.h Fri Sep 22 22:49:42 2017 +0300 @@ -98,8 +98,8 @@ typedef struct { ngx_uint_t max_fails; time_t fail_timeout; ngx_msec_t slow_start; + ngx_uint_t down; - unsigned down:1; unsigned backup:1; NGX_COMPAT_BEGIN(6) diff -r 6d1f3bb72b07 -r 5a3ab1b5804b src/stream/ngx_stream_upstream.h --- a/src/stream/ngx_stream_upstream.h Fri Sep 22 18:37:49 2017 +0300 +++ b/src/stream/ngx_stream_upstream.h Fri Sep 22 22:49:42 2017 +0300 @@ -58,8 +58,8 @@ typedef struct { ngx_uint_t max_fails; time_t fail_timeout; ngx_msec_t slow_start; + ngx_uint_t down; - unsigned down:1; unsigned backup:1; NGX_COMPAT_BEGIN(4) From xeioex at nginx.com Tue Sep 26 11:20:06 2017 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Tue, 26 Sep 2017 11:20:06 +0000 Subject: [njs] Fixed realloc() failure handling. Message-ID: details: http://hg.nginx.org/njs/rev/f6b9efd315c5 branches: changeset: 409:f6b9efd315c5 user: Dmitry Volyntsev date: Tue Sep 26 14:19:49 2017 +0300 description: Fixed realloc() failure handling. According to POSIX, if realloc() fails to allocate a new chunk of memory it returns NULL and does not free the original pointer. Using a separate pointer in order to preserve the original one. diffstat: njs/njs.c | 8 +++++--- 1 files changed, 5 insertions(+), 3 deletions(-) diffs (30 lines): diff -r 616370bb1386 -r f6b9efd315c5 njs/njs.c --- a/njs/njs.c Fri Sep 01 18:51:20 2017 +0300 +++ b/njs/njs.c Tue Sep 26 14:19:49 2017 +0300 @@ -300,7 +300,7 @@ njs_process_file(njs_opts_t *opts, njs_v { int fd; char *file; - u_char buf[4096], *p, *end; + u_char buf[4096], *p, *end, *start; size_t size; ssize_t n; njs_vm_t *vm; @@ -364,13 +364,15 @@ njs_process_file(njs_opts_t *opts, njs_v if (p + n > end) { size *= 2; - script.start = realloc(script.start, size); - if (script.start == NULL) { + start = realloc(script.start, size); + if (start == NULL) { fprintf(stderr, "alloc failed while reading '%s'\n", file); ret = NXT_ERROR; goto done; } + script.start = start; + p = script.start + script.length; end = script.start + size; } From ru at nginx.com Wed Sep 27 19:36:45 2017 From: ru at nginx.com (Ruslan Ermilov) Date: Wed, 27 Sep 2017 19:36:45 +0000 Subject: [nginx] Fixed the NGX_UNIX_ADDRSTRLEN macro. Message-ID: details: http://hg.nginx.org/nginx/rev/beeac3302e45 branches: changeset: 7113:beeac3302e45 user: Ruslan Ermilov date: Mon Sep 25 15:19:24 2017 +0300 description: Fixed the NGX_UNIX_ADDRSTRLEN macro. diffstat: src/core/ngx_inet.h | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diffs (17 lines): diff -r 5a3ab1b5804b -r beeac3302e45 src/core/ngx_inet.h --- a/src/core/ngx_inet.h Fri Sep 22 22:49:42 2017 +0300 +++ b/src/core/ngx_inet.h Mon Sep 25 15:19:24 2017 +0300 @@ -17,10 +17,11 @@ #define NGX_INET6_ADDRSTRLEN \ (sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255") - 1) #define NGX_UNIX_ADDRSTRLEN \ - (sizeof(struct sockaddr_un) - offsetof(struct sockaddr_un, sun_path)) + (sizeof("unix:") - 1 + \ + sizeof(struct sockaddr_un) - offsetof(struct sockaddr_un, sun_path)) #if (NGX_HAVE_UNIX_DOMAIN) -#define NGX_SOCKADDR_STRLEN (sizeof("unix:") - 1 + NGX_UNIX_ADDRSTRLEN) +#define NGX_SOCKADDR_STRLEN NGX_UNIX_ADDRSTRLEN #elif (NGX_HAVE_INET6) #define NGX_SOCKADDR_STRLEN (NGX_INET6_ADDRSTRLEN + sizeof("[]:65535") - 1) #else