From xeioex at nginx.com Sat Jul 1 00:03:51 2023 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Sat, 01 Jul 2023 00:03:51 +0000 Subject: [njs] Tests: fixed benchmark after 57ca02d7404c. Message-ID: details: https://hg.nginx.org/njs/rev/494796d6d7f8 branches: changeset: 2171:494796d6d7f8 user: Dmitry Volyntsev date: Fri Jun 30 17:03:11 2023 -0700 description: Tests: fixed benchmark after 57ca02d7404c. diffstat: src/test/njs_benchmark.c | 15 +++++++++------ 1 files changed, 9 insertions(+), 6 deletions(-) diffs (46 lines): diff -r e85aaeaa7e55 -r 494796d6d7f8 src/test/njs_benchmark.c --- a/src/test/njs_benchmark.c Fri Jun 30 06:38:36 2023 -0700 +++ b/src/test/njs_benchmark.c Fri Jun 30 17:03:11 2023 -0700 @@ -29,6 +29,12 @@ typedef struct { } njs_opts_t; +njs_module_t *njs_benchmark_addon_external_modules[] = { + &njs_unit_test_external_module, + NULL, +}; + + static njs_int_t njs_benchmark_test(njs_vm_t *parent, njs_opts_t *opts, njs_value_t *report, njs_benchmark_test_t *test) @@ -36,7 +42,7 @@ njs_benchmark_test(njs_vm_t *parent, njs u_char *start; njs_vm_t *vm, *nvm; uint64_t ns; - njs_int_t ret, proto_id; + njs_int_t ret; njs_str_t s, *expected; njs_uint_t i, n; njs_bool_t success; @@ -49,6 +55,8 @@ njs_benchmark_test(njs_vm_t *parent, njs njs_vm_opt_init(&options); + options.addons = njs_benchmark_addon_external_modules; + vm = NULL; nvm = NULL; ret = NJS_ERROR; @@ -67,11 +75,6 @@ njs_benchmark_test(njs_vm_t *parent, njs goto done; } - proto_id = njs_externals_shared_init(vm); - if (proto_id < 0) { - goto done; - } - n = test->repeat; expected = &test->result; From mdounin at mdounin.ru Sat Jul 1 00:21:55 2023 From: mdounin at mdounin.ru (=?utf-8?q?Maxim_Dounin?=) Date: Sat, 01 Jul 2023 03:21:55 +0300 Subject: [PATCH 0 of 2] h2_http2.t fixes Message-ID: Hello! Here is a couple of fixes for h2_http2.t to make it work with various old OpenSSL versions. -- Maxim Dounin From mdounin at mdounin.ru Sat Jul 1 00:21:56 2023 From: mdounin at mdounin.ru (=?utf-8?q?Maxim_Dounin?=) Date: Sat, 01 Jul 2023 03:21:56 +0300 Subject: [PATCH 1 of 2] Tests: fixed h2_http2.t when nginx compiled without ALPN support In-Reply-To: References: Message-ID: # HG changeset patch # User Maxim Dounin # Date 1688164311 -10800 # Sat Jul 01 01:31:51 2023 +0300 # Node ID bf9961a4507784b669650e7ef1d3cbacce8c94e1 # Parent 22f45bf99a9e39e02d8ce07532d2cbfc89e7d8d1 Tests: fixed h2_http2.t when nginx compiled without ALPN support. ALPN support is only available with OpenSSL 1.0.2 or newer. diff --git a/h2_http2.t b/h2_http2.t --- a/h2_http2.t +++ b/h2_http2.t @@ -127,9 +127,16 @@ ok(!get_ssl_socket(8443, 'disabled'), 's } +TODO: { +local $TODO = 'OpenSSL too old' + if $t->has_module('OpenSSL') + and not $t->has_feature('openssl:1.0.2'); + is(get_https(8443, 'http2'), 200, 'host to enabled'); is(get_https(8443, 'disabled', 'http2'), 421, 'host to disabled'); +} + # make sure HTTP/2 can be enabled selectively on virtual servers TODO: { From mdounin at mdounin.ru Sat Jul 1 00:21:57 2023 From: mdounin at mdounin.ru (=?utf-8?q?Maxim_Dounin?=) Date: Sat, 01 Jul 2023 03:21:57 +0300 Subject: [PATCH 2 of 2] Tests: adjusted TODO for OpenSSL 1.0.2h and up in h2_http2.t In-Reply-To: References: Message-ID: <5ef10e454094ad5d2315.1688170917@vm-bsd.mdounin.ru> # HG changeset patch # User Maxim Dounin # Date 1688164312 -10800 # Sat Jul 01 01:31:52 2023 +0300 # Node ID 5ef10e454094ad5d231552f0fc2c386e9cc33585 # Parent bf9961a4507784b669650e7ef1d3cbacce8c94e1 Tests: adjusted TODO for OpenSSL 1.0.2h and up in h2_http2.t. OpenSSL uses correct SNI/ALPN callback order (SNI callback before ALPN callback) starting with OpenSSL 1.0.2h, so "sni to enabled" test is expected to succeed starting with OpenSSL 1.0.2h. With this change, the "openssl:..." feature test now supports checking patch level encoded as letters, such as in "openssl:1.0.2h". diff --git a/h2_http2.t b/h2_http2.t --- a/h2_http2.t +++ b/h2_http2.t @@ -151,9 +151,9 @@ ok(!get_ssl_socket(8444), 'default to di TODO: { local $TODO = 'broken ALPN/SNI order in LibreSSL' if $t->has_module('LibreSSL'); -local $TODO = 'OpenSSL too old' +local $TODO = 'broken ALPN/SNI order in OpenSSL before 1.0.2h' if $t->has_module('OpenSSL') - and not $t->has_feature('openssl:1.1.0'); + and not $t->has_feature('openssl:1.0.2h'); is(get_https(8444, 'http2'), 200, 'sni to enabled'); diff --git a/lib/Test/Nginx.pm b/lib/Test/Nginx.pm --- a/lib/Test/Nginx.pm +++ b/lib/Test/Nginx.pm @@ -266,20 +266,22 @@ sub has_feature($) { return 0; } - if ($feature =~ /^(openssl|libressl):([0-9.]+)/) { + if ($feature =~ /^(openssl|libressl):([0-9.]+)([a-z]*)/) { my $library = $1; my $need = $2; + my $patch = $3; $self->{_configure_args} = `$NGINX -V 2>&1` if !defined $self->{_configure_args}; return 0 unless - $self->{_configure_args} =~ /with $library ([0-9.]+)/i; + $self->{_configure_args} + =~ /with $library ([0-9.]+)([a-z]*)/i; - my @v = split(/\./, $1); + my @v = (split(/\./, $1), unpack("C*", $2)); my ($n, $v); - for $n (split(/\./, $need)) { + for $n (split(/\./, $need), unpack("C*", $patch)) { $v = shift @v || 0; return 0 if $n > $v; return 1 if $v > $n; From v.zhestikov at f5.com Sat Jul 1 02:51:11 2023 From: v.zhestikov at f5.com (Vadim Zhestikov) Date: Sat, 01 Jul 2023 02:51:11 +0000 Subject: [njs] Fixed parsing of invalid for statement. Message-ID: details: https://hg.nginx.org/njs/rev/2c532e7c29ac branches: changeset: 2172:2c532e7c29ac user: Vadim Zhestikov date: Fri Jun 30 19:49:45 2023 -0700 description: Fixed parsing of invalid for statement. diffstat: src/njs_parser.c | 16 ++++++++++++++-- src/test/njs_unit_test.c | 3 +++ 2 files changed, 17 insertions(+), 2 deletions(-) diffs (46 lines): diff -r 494796d6d7f8 -r 2c532e7c29ac src/njs_parser.c --- a/src/njs_parser.c Fri Jun 30 17:03:11 2023 -0700 +++ b/src/njs_parser.c Fri Jun 30 19:49:45 2023 -0700 @@ -5491,6 +5491,18 @@ njs_parser_iteration_statement_for(njs_p static njs_int_t +njs_parser_for_var_in_of_expression_chk_fail(njs_parser_t *parser, + njs_lexer_token_t *token, njs_queue_link_t *current) +{ + if (parser->ret != NJS_OK) { + return njs_parser_failed(parser); + } + + return njs_parser_for_var_in_of_expression(parser, token, current); +} + + +static njs_int_t njs_parser_for_expression_map_reparse(njs_parser_t *parser, njs_lexer_token_t *token, njs_queue_link_t *current) { @@ -5517,8 +5529,8 @@ njs_parser_for_expression_map_reparse(nj *text = token->text; - return njs_parser_after(parser, current, text, 1, - njs_parser_for_var_in_of_expression); + return njs_parser_after(parser, current, text, 0, + njs_parser_for_var_in_of_expression_chk_fail); } return njs_parser_stack_pop(parser); diff -r 494796d6d7f8 -r 2c532e7c29ac src/test/njs_unit_test.c --- a/src/test/njs_unit_test.c Fri Jun 30 17:03:11 2023 -0700 +++ b/src/test/njs_unit_test.c Fri Jun 30 19:49:45 2023 -0700 @@ -2975,6 +2975,9 @@ static njs_unit_test_t njs_test[] = { njs_str("for(var``>0; 0 ;) ;"), njs_str("SyntaxError: Unexpected token \"`\" in 1") }, + { njs_str("for(i;;)for(-new+3;;)break;"), + njs_str("SyntaxError: Unexpected token \"+\" in 1") }, + /* switch. */ { njs_str("switch"), From v.zhestikov at f5.com Sat Jul 1 02:51:13 2023 From: v.zhestikov at f5.com (Vadim Zhestikov) Date: Sat, 01 Jul 2023 02:51:13 +0000 Subject: [njs] Improved interactive shell. Message-ID: details: https://hg.nginx.org/njs/rev/0e97da4147da branches: changeset: 2173:0e97da4147da user: Vadim Zhestikov date: Fri Jun 30 19:49:46 2023 -0700 description: Improved interactive shell. diffstat: external/njs_shell.c | 17 ++++++++++++----- 1 files changed, 12 insertions(+), 5 deletions(-) diffs (42 lines): diff -r 2c532e7c29ac -r 0e97da4147da external/njs_shell.c --- a/external/njs_shell.c Fri Jun 30 19:49:45 2023 -0700 +++ b/external/njs_shell.c Fri Jun 30 19:49:46 2023 -0700 @@ -1073,19 +1073,24 @@ njs_cb_line_handler(char *line_in) njs_int_t ret; njs_str_t line; - if (line_in == NULL || strcmp(line_in, ".exit") == 0) { + if (line_in == NULL) { njs_running = NJS_DONE; return; } + line.start = (u_char *) line_in; + line.length = njs_strlen(line.start); + + if (strcmp(line_in, ".exit") == 0) { + njs_running = NJS_DONE; + goto free_line; + } + njs_sigint_count = 0; - line.start = (u_char *) line_in; - line.length = njs_strlen(line.start); - if (line.length == 0) { rl_callback_handler_install(">> ", njs_cb_line_handler); - return; + goto free_line; } add_history((char *) line.start); @@ -1099,6 +1104,8 @@ njs_cb_line_handler(char *line_in) rl_callback_handler_install(">> ", njs_cb_line_handler); } +free_line: + free(line.start); } From xeioex at nginx.com Sat Jul 1 04:03:32 2023 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Sat, 01 Jul 2023 04:03:32 +0000 Subject: [njs] Tests: improved memory sanitizer build. Message-ID: details: https://hg.nginx.org/njs/rev/3386684745b7 branches: changeset: 2174:3386684745b7 user: Dmitry Volyntsev date: Fri Jun 30 21:02:44 2023 -0700 description: Tests: improved memory sanitizer build. Disable webcrypto tests because they required instrumented openssl. diffstat: src/test/njs_unit_test.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff -r 0e97da4147da -r 3386684745b7 src/test/njs_unit_test.c --- a/src/test/njs_unit_test.c Fri Jun 30 19:49:46 2023 -0700 +++ b/src/test/njs_unit_test.c Fri Jun 30 21:02:44 2023 -0700 @@ -25090,7 +25090,7 @@ static njs_test_suite_t njs_suites[] = njs_disabled_denormals_tests }, { -#if (NJS_HAVE_OPENSSL) +#if (NJS_HAVE_OPENSSL && !NJS_HAVE_MEMORY_SANITIZER) njs_str("webcrypto"), #else njs_str(""), From xeioex at nginx.com Mon Jul 3 20:34:11 2023 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Mon, 03 Jul 2023 20:34:11 +0000 Subject: [njs] Added njs_vm_external_constructor(). Message-ID: details: https://hg.nginx.org/njs/rev/167f75576f49 branches: changeset: 2175:167f75576f49 user: Dmitry Volyntsev date: Mon Jul 03 12:49:00 2023 -0700 description: Added njs_vm_external_constructor(). The new API allows to add new constructor/prototype pairs. diffstat: external/njs_crypto_module.c | 1 + external/njs_fs_module.c | 1 + external/njs_query_string_module.c | 1 + external/njs_shell.c | 1 + external/njs_webcrypto_module.c | 1 + external/njs_xml_module.c | 1 + external/njs_zlib_module.c | 1 + nginx/ngx_http_js_module.c | 1 + nginx/ngx_js.c | 1 + nginx/ngx_js_fetch.c | 1 + nginx/ngx_stream_js_module.c | 1 + src/njs.h | 18 ++- src/njs_array.c | 2 +- src/njs_array_buffer.c | 2 +- src/njs_async.c | 2 +- src/njs_buffer.c | 13 +- src/njs_builtin.c | 127 ++++---------------- src/njs_date.c | 2 +- src/njs_error.c | 16 +- src/njs_extern.c | 71 +++++++++++ src/njs_function.c | 10 +- src/njs_json.c | 2 +- src/njs_object.c | 16 +- src/njs_parser.c | 6 +- src/njs_promise.c | 12 +- src/njs_regexp.c | 8 +- src/njs_typed_array.c | 6 +- src/njs_value.c | 2 +- src/njs_value.h | 5 +- src/njs_vm.c | 224 ++++++++++++++++++++++++++++++++++-- src/njs_vm.h | 34 ++-- src/njs_vmcode.c | 2 +- src/test/njs_externals_test.c | 113 ++++++++++++++++++- src/test/njs_unit_test.c | 44 +++++++- 34 files changed, 561 insertions(+), 187 deletions(-) diffs (truncated from 1548 to 1000 lines): diff -r 3386684745b7 -r 167f75576f49 external/njs_crypto_module.c --- a/external/njs_crypto_module.c Fri Jun 30 21:02:44 2023 -0700 +++ b/external/njs_crypto_module.c Mon Jul 03 12:49:00 2023 -0700 @@ -287,6 +287,7 @@ static njs_int_t njs_crypto_hmac_prot njs_module_t njs_crypto_module = { .name = njs_str("crypto"), + .preinit = NULL, .init = njs_crypto_init, }; diff -r 3386684745b7 -r 167f75576f49 external/njs_fs_module.c --- a/external/njs_fs_module.c Fri Jun 30 21:02:44 2023 -0700 +++ b/external/njs_fs_module.c Mon Jul 03 12:49:00 2023 -0700 @@ -1407,6 +1407,7 @@ static njs_int_t njs_fs_bytes_written njs_module_t njs_fs_module = { .name = njs_str("fs"), + .preinit = NULL, .init = njs_fs_init, }; diff -r 3386684745b7 -r 167f75576f49 external/njs_query_string_module.c --- a/external/njs_query_string_module.c Fri Jun 30 21:02:44 2023 -0700 +++ b/external/njs_query_string_module.c Mon Jul 03 12:49:00 2023 -0700 @@ -105,6 +105,7 @@ static njs_external_t njs_ext_query_str njs_module_t njs_query_string_module = { .name = njs_str("querystring"), + .preinit = NULL, .init = njs_query_string_init, }; diff -r 3386684745b7 -r 167f75576f49 external/njs_shell.c --- a/external/njs_shell.c Fri Jun 30 21:02:44 2023 -0700 +++ b/external/njs_shell.c Mon Jul 03 12:49:00 2023 -0700 @@ -254,6 +254,7 @@ static njs_vm_ops_t njs_console_ops = { njs_module_t njs_console_module = { .name = njs_str("console"), + .preinit = NULL, .init = njs_externals_init, }; diff -r 3386684745b7 -r 167f75576f49 external/njs_webcrypto_module.c --- a/external/njs_webcrypto_module.c Fri Jun 30 21:02:44 2023 -0700 +++ b/external/njs_webcrypto_module.c Mon Jul 03 12:49:00 2023 -0700 @@ -659,6 +659,7 @@ static njs_external_t njs_ext_webcrypto njs_module_t njs_webcrypto_module = { .name = njs_str("webcrypto"), + .preinit = NULL, .init = njs_webcrypto_init, }; diff -r 3386684745b7 -r 167f75576f49 external/njs_xml_module.c --- a/external/njs_xml_module.c Fri Jun 30 21:02:44 2023 -0700 +++ b/external/njs_xml_module.c Mon Jul 03 12:49:00 2023 -0700 @@ -402,6 +402,7 @@ static njs_external_t njs_ext_xml_attr[ njs_module_t njs_xml_module = { .name = njs_str("xml"), + .preinit = NULL, .init = njs_xml_init, }; diff -r 3386684745b7 -r 167f75576f49 external/njs_zlib_module.c --- a/external/njs_zlib_module.c Fri Jun 30 21:02:44 2023 -0700 +++ b/external/njs_zlib_module.c Mon Jul 03 12:49:00 2023 -0700 @@ -176,6 +176,7 @@ static njs_external_t njs_ext_zlib[] = njs_module_t njs_zlib_module = { .name = njs_str("zlib"), + .preinit = NULL, .init = njs_zlib_init, }; diff -r 3386684745b7 -r 167f75576f49 nginx/ngx_http_js_module.c --- a/nginx/ngx_http_js_module.c Fri Jun 30 21:02:44 2023 -0700 +++ b/nginx/ngx_http_js_module.c Mon Jul 03 12:49:00 2023 -0700 @@ -786,6 +786,7 @@ static njs_vm_meta_t ngx_http_js_metas = njs_module_t ngx_js_http_module = { .name = njs_str("http"), + .preinit = NULL, .init = ngx_js_http_init, }; diff -r 3386684745b7 -r 167f75576f49 nginx/ngx_js.c --- a/nginx/ngx_js.c Fri Jun 30 21:02:44 2023 -0700 +++ b/nginx/ngx_js.c Mon Jul 03 12:49:00 2023 -0700 @@ -165,6 +165,7 @@ static njs_external_t ngx_js_ext_core[] njs_module_t ngx_js_ngx_module = { .name = njs_str("ngx"), + .preinit = NULL, .init = ngx_js_core_init, }; diff -r 3386684745b7 -r 167f75576f49 nginx/ngx_js_fetch.c --- a/nginx/ngx_js_fetch.c Fri Jun 30 21:02:44 2023 -0700 +++ b/nginx/ngx_js_fetch.c Mon Jul 03 12:49:00 2023 -0700 @@ -656,6 +656,7 @@ static njs_int_t ngx_http_js_fetch_he njs_module_t ngx_js_fetch_module = { .name = njs_str("fetch"), + .preinit = NULL, .init = ngx_js_fetch_init, }; diff -r 3386684745b7 -r 167f75576f49 nginx/ngx_stream_js_module.c --- a/nginx/ngx_stream_js_module.c Fri Jun 30 21:02:44 2023 -0700 +++ b/nginx/ngx_stream_js_module.c Mon Jul 03 12:49:00 2023 -0700 @@ -568,6 +568,7 @@ static njs_int_t ngx_stream_js_sessio njs_module_t ngx_js_stream_module = { .name = njs_str("stream"), + .preinit = NULL, .init = ngx_js_stream_init, }; diff -r 3386684745b7 -r 167f75576f49 src/njs.h --- a/src/njs.h Fri Jun 30 21:02:44 2023 -0700 +++ b/src/njs.h Mon Jul 03 12:49:00 2023 -0700 @@ -257,6 +257,7 @@ typedef njs_int_t (*njs_addon_init_pt)(n typedef struct { njs_str_t name; + njs_addon_init_pt preinit; njs_addon_init_pt init; } njs_module_t; @@ -403,6 +404,10 @@ NJS_EXPORT njs_int_t njs_vm_add_path(njs NJS_EXPORT njs_int_t njs_vm_external_prototype(njs_vm_t *vm, const njs_external_t *definition, njs_uint_t n); +NJS_EXPORT njs_int_t njs_vm_external_constructor(njs_vm_t *vm, + const njs_str_t *name, njs_function_native_t native, + const njs_external_t *ctor_props, njs_uint_t ctor_nprops, + const njs_external_t *proto_props, njs_uint_t proto_nprops); NJS_EXPORT njs_int_t njs_vm_external_create(njs_vm_t *vm, njs_value_t *value, njs_int_t proto_id, njs_external_ptr_t external, njs_bool_t shared); NJS_EXPORT njs_external_ptr_t njs_vm_external(njs_vm_t *vm, @@ -417,6 +422,15 @@ NJS_EXPORT njs_int_t njs_value_property_ NJS_EXPORT uintptr_t njs_vm_meta(njs_vm_t *vm, njs_uint_t index); NJS_EXPORT njs_vm_opt_t *njs_vm_options(njs_vm_t *vm); +NJS_EXPORT njs_int_t njs_error_constructor(njs_vm_t *vm, njs_value_t *args, + njs_uint_t nargs, njs_index_t type, njs_value_t *retval); +NJS_EXPORT njs_int_t njs_object_prototype_create_constructor(njs_vm_t *vm, + njs_object_prop_t *prop, njs_value_t *value, njs_value_t *setval, + njs_value_t *retval); +NJS_EXPORT njs_int_t njs_object_prototype_create(njs_vm_t *vm, + njs_object_prop_t *prop, njs_value_t *value, njs_value_t *setval, + njs_value_t *retval); + NJS_EXPORT njs_function_t *njs_vm_function_alloc(njs_vm_t *vm, njs_function_native_t native, njs_bool_t shared, njs_bool_t ctor); @@ -433,7 +447,9 @@ NJS_EXPORT njs_function_t *njs_vm_functi NJS_EXPORT njs_bool_t njs_vm_constructor(njs_vm_t *vm); NJS_EXPORT void njs_vm_throw(njs_vm_t *vm, const njs_value_t *value); -NJS_EXPORT void njs_vm_error2(njs_vm_t *vm, unsigned type, const char *fmt, +NJS_EXPORT void njs_vm_error2(njs_vm_t *vm, unsigned error_type, + const char *fmt, ...); +NJS_EXPORT void njs_vm_error3(njs_vm_t *vm, unsigned type, const char *fmt, ...); NJS_EXPORT void njs_vm_exception_get(njs_vm_t *vm, njs_value_t *retval); NJS_EXPORT njs_mp_t *njs_vm_memory_pool(njs_vm_t *vm); diff -r 3386684745b7 -r 167f75576f49 src/njs_array.c --- a/src/njs_array.c Fri Jun 30 21:02:44 2023 -0700 +++ b/src/njs_array.c Mon Jul 03 12:49:00 2023 -0700 @@ -83,7 +83,7 @@ njs_array_alloc(njs_vm_t *vm, njs_bool_t array->start = array->data; njs_lvlhsh_init(&array->object.hash); array->object.shared_hash = vm->shared->array_instance_hash; - array->object.__proto__ = &vm->prototypes[NJS_OBJ_TYPE_ARRAY].object; + array->object.__proto__ = njs_vm_proto(vm, NJS_OBJ_TYPE_ARRAY); array->object.slots = NULL; array->object.type = NJS_ARRAY; array->object.shared = 0; diff -r 3386684745b7 -r 167f75576f49 src/njs_array_buffer.c --- a/src/njs_array_buffer.c Fri Jun 30 21:02:44 2023 -0700 +++ b/src/njs_array_buffer.c Mon Jul 03 12:49:00 2023 -0700 @@ -33,7 +33,7 @@ njs_array_buffer_alloc(njs_vm_t *vm, uin goto memory_error; } - proto = &vm->prototypes[NJS_OBJ_TYPE_ARRAY_BUFFER].object; + proto = njs_vm_proto(vm, NJS_OBJ_TYPE_ARRAY_BUFFER); njs_lvlhsh_init(&array->object.hash); njs_lvlhsh_init(&array->object.shared_hash); diff -r 3386684745b7 -r 167f75576f49 src/njs_async.c --- a/src/njs_async.c Fri Jun 30 21:02:44 2023 -0700 +++ b/src/njs_async.c Mon Jul 03 12:49:00 2023 -0700 @@ -18,7 +18,7 @@ njs_async_function_frame_invoke(njs_vm_t njs_value_t ctor; njs_promise_capability_t *capability; - njs_set_function(&ctor, &vm->constructors[NJS_OBJ_TYPE_PROMISE]); + njs_set_function(&ctor, &njs_vm_ctor(vm, NJS_OBJ_TYPE_PROMISE)); capability = njs_promise_new_capability(vm, &ctor); if (njs_slow_path(capability == NULL)) { diff -r 3386684745b7 -r 167f75576f49 src/njs_buffer.c --- a/src/njs_buffer.c Fri Jun 30 21:02:44 2023 -0700 +++ b/src/njs_buffer.c Mon Jul 03 12:49:00 2023 -0700 @@ -126,6 +126,7 @@ static njs_external_t njs_ext_buffer[] njs_module_t njs_buffer_module = { .name = njs_str("buffer"), + .preinit = NULL, .init = njs_buffer_init, }; @@ -147,7 +148,7 @@ njs_buffer_set(njs_vm_t *vm, njs_value_t buffer = (njs_array_buffer_t *) &array[1]; - proto = &vm->prototypes[NJS_OBJ_TYPE_ARRAY_BUFFER].object; + proto = njs_vm_proto(vm, NJS_OBJ_TYPE_ARRAY_BUFFER); njs_lvlhsh_init(&buffer->object.hash); njs_lvlhsh_init(&buffer->object.shared_hash); @@ -161,7 +162,7 @@ njs_buffer_set(njs_vm_t *vm, njs_value_t buffer->u.data = (void *) start; buffer->size = size; - proto = &vm->prototypes[NJS_OBJ_TYPE_BUFFER].object; + proto = njs_vm_proto(vm, NJS_OBJ_TYPE_BUFFER); array->type = NJS_OBJ_TYPE_UINT8_ARRAY; njs_lvlhsh_init(&array->object.hash); @@ -197,7 +198,7 @@ njs_buffer_alloc(njs_vm_t *vm, size_t si return NULL; } - array->object.__proto__ = &vm->prototypes[NJS_OBJ_TYPE_BUFFER].object; + array->object.__proto__ = njs_vm_proto(vm, NJS_OBJ_TYPE_BUFFER); return array; } @@ -462,7 +463,7 @@ njs_buffer_from_array_buffer(njs_vm_t *v return NJS_ERROR; } - buffer->object.__proto__ = &vm->prototypes[NJS_OBJ_TYPE_BUFFER].object; + buffer->object.__proto__ = njs_vm_proto(vm, NJS_OBJ_TYPE_BUFFER); buffer->offset = off; buffer->byte_length = len; @@ -943,7 +944,7 @@ njs_buffer_is_buffer(njs_vm_t *vm, njs_v array = njs_buffer_slot_internal(vm, njs_arg(args, nargs, 1)); if (njs_fast_path(array != NULL && array->object.__proto__ - == &vm->prototypes[NJS_OBJ_TYPE_BUFFER].object)) + == njs_vm_proto(vm, NJS_OBJ_TYPE_BUFFER))) { is = 1; } @@ -2184,7 +2185,7 @@ njs_buffer_prototype_slice(njs_vm_t *vm, } array = njs_typed_array(retval); - array->object.__proto__ = &vm->prototypes[NJS_OBJ_TYPE_BUFFER].object; + array->object.__proto__ = njs_vm_proto(vm, NJS_OBJ_TYPE_BUFFER); return NJS_OK; } diff -r 3386684745b7 -r 167f75576f49 src/njs_builtin.c --- a/src/njs_builtin.c Fri Jun 30 21:02:44 2023 -0700 +++ b/src/njs_builtin.c Mon Jul 03 12:49:00 2023 -0700 @@ -115,7 +115,7 @@ njs_object_hash_init(njs_vm_t *vm, njs_l njs_int_t njs_builtin_objects_create(njs_vm_t *vm) { - njs_int_t ret; + njs_int_t ret, index; njs_uint_t i; njs_object_t *object, *string_object; njs_function_t *constructor; @@ -129,6 +129,8 @@ njs_builtin_objects_create(njs_vm_t *vm) return NJS_ERROR; } + vm->shared = shared; + njs_lvlhsh_init(&shared->keywords_hash); njs_lvlhsh_init(&shared->values_hash); @@ -204,34 +206,42 @@ njs_builtin_objects_create(njs_vm_t *vm) return NJS_ERROR; } - prototype = shared->prototypes; + for (i = NJS_OBJ_TYPE_OBJECT; i < NJS_OBJ_TYPE_MAX; i++) { + index = njs_vm_ctor_push(vm); + if (njs_slow_path(index < 0)) { + return NJS_ERROR; + } - for (i = NJS_OBJ_TYPE_OBJECT; i < NJS_OBJ_TYPE_MAX; i++) { - prototype[i] = njs_object_type_init[i]->prototype_value; + njs_assert_msg((njs_uint_t) index == i, + "ctor index should match object type"); - ret = njs_object_hash_init(vm, &prototype[i].object.shared_hash, + prototype = njs_shared_prototype(shared, i); + *prototype = njs_object_type_init[i]->prototype_value; + + ret = njs_object_hash_init(vm, &prototype->object.shared_hash, njs_object_type_init[i]->prototype_props); if (njs_slow_path(ret != NJS_OK)) { return NJS_ERROR; } - prototype[i].object.extensible = 1; + prototype->object.extensible = 1; } - shared->prototypes[NJS_OBJ_TYPE_REGEXP].regexp.pattern = - shared->empty_regexp_pattern; - - constructor = shared->constructors; + prototype = njs_shared_prototype(shared, NJS_OBJ_TYPE_REGEXP); + prototype->regexp.pattern = shared->empty_regexp_pattern; for (i = NJS_OBJ_TYPE_OBJECT; i < NJS_OBJ_TYPE_MAX; i++) { + constructor = njs_shared_ctor(shared, i); + if (njs_object_type_init[i]->constructor_props == NULL) { + njs_memzero(constructor, sizeof(njs_function_t)); continue; } - constructor[i] = njs_object_type_init[i]->constructor; - constructor[i].object.shared = 0; + *constructor = njs_object_type_init[i]->constructor; + constructor->object.shared = 0; - ret = njs_object_hash_init(vm, &constructor[i].object.shared_hash, + ret = njs_object_hash_init(vm, &constructor->object.shared_hash, njs_object_type_init[i]->constructor_props); if (njs_slow_path(ret != NJS_OK)) { return NJS_ERROR; @@ -259,91 +269,6 @@ njs_builtin_objects_create(njs_vm_t *vm) njs_lvlhsh_init(&shared->modules_hash); - vm->shared = shared; - - return NJS_OK; -} - - -njs_int_t -njs_builtin_objects_clone(njs_vm_t *vm, njs_value_t *global) -{ - size_t size; - njs_uint_t i; - njs_object_t *object_prototype, *function_prototype, - *typed_array_prototype, *error_prototype, *async_prototype, - *typed_array_ctor, *error_ctor; - - /* - * Copy both prototypes and constructors arrays by one memcpy() - * because they are stored together. - */ - size = (sizeof(njs_object_prototype_t) + sizeof(njs_function_t)) - * NJS_OBJ_TYPE_MAX; - - memcpy(vm->prototypes, vm->shared->prototypes, size); - - object_prototype = &vm->prototypes[NJS_OBJ_TYPE_OBJECT].object; - - for (i = NJS_OBJ_TYPE_ARRAY; i < NJS_OBJ_TYPE_NORMAL_MAX; i++) { - vm->prototypes[i].object.__proto__ = object_prototype; - } - - typed_array_prototype = &vm->prototypes[NJS_OBJ_TYPE_TYPED_ARRAY].object; - - for (i = NJS_OBJ_TYPE_TYPED_ARRAY_MIN; - i < NJS_OBJ_TYPE_TYPED_ARRAY_MAX; - i++) - { - vm->prototypes[i].object.__proto__ = typed_array_prototype; - } - - vm->prototypes[NJS_OBJ_TYPE_ARRAY_ITERATOR].object.__proto__ = - &vm->prototypes[NJS_OBJ_TYPE_ITERATOR].object; - - vm->prototypes[NJS_OBJ_TYPE_BUFFER].object.__proto__ = - &vm->prototypes[NJS_OBJ_TYPE_UINT8_ARRAY].object; - - error_prototype = &vm->prototypes[NJS_OBJ_TYPE_ERROR].object; - error_prototype->__proto__ = object_prototype; - - for (i = NJS_OBJ_TYPE_EVAL_ERROR; i < NJS_OBJ_TYPE_MAX; i++) { - vm->prototypes[i].object.__proto__ = error_prototype; - } - - function_prototype = &vm->prototypes[NJS_OBJ_TYPE_FUNCTION].object; - - async_prototype = &vm->prototypes[NJS_OBJ_TYPE_ASYNC_FUNCTION].object; - async_prototype->__proto__ = function_prototype; - - for (i = NJS_OBJ_TYPE_OBJECT; i < NJS_OBJ_TYPE_NORMAL_MAX; i++) { - vm->constructors[i].object.__proto__ = function_prototype; - } - - typed_array_ctor = &vm->constructors[NJS_OBJ_TYPE_TYPED_ARRAY].object; - - for (i = NJS_OBJ_TYPE_TYPED_ARRAY_MIN; - i < NJS_OBJ_TYPE_TYPED_ARRAY_MAX; - i++) - { - vm->constructors[i].object.__proto__ = typed_array_ctor; - } - - error_ctor = &vm->constructors[NJS_OBJ_TYPE_ERROR].object; - error_ctor->__proto__ = function_prototype; - - for (i = NJS_OBJ_TYPE_EVAL_ERROR; i < NJS_OBJ_TYPE_MAX; i++) { - vm->constructors[i].object.__proto__ = error_ctor; - } - - vm->global_object.__proto__ = object_prototype; - - njs_set_undefined(global); - njs_set_object(global, &vm->global_object); - - vm->string_object = vm->shared->string_object; - vm->string_object.__proto__ = &vm->prototypes[NJS_OBJ_TYPE_STRING].object; - return NJS_OK; } @@ -838,7 +763,7 @@ njs_builtin_match_native_function(njs_vm /* Constructor from built-in modules (not-mapped to global object). */ for (i = NJS_OBJ_TYPE_HIDDEN_MIN; i < NJS_OBJ_TYPE_HIDDEN_MAX; i++) { - njs_set_object(&value, &vm->constructors[i].object); + njs_set_object(&value, &njs_vm_ctor(vm, i).object); ret = njs_value_property(vm, &value, njs_value_arg(&njs_string_name), &tag); @@ -847,7 +772,7 @@ njs_builtin_match_native_function(njs_vm njs_string_get(&tag, &ctx.match); } - ret = njs_object_traverse(vm, &vm->constructors[i].object, &ctx, + ret = njs_object_traverse(vm, njs_object(&value), &ctx, njs_builtin_traverse); if (ret == NJS_DONE) { @@ -1253,7 +1178,7 @@ njs_top_level_constructor(njs_vm_t *vm, return NJS_DECLINED; } - ctor = &vm->constructors[njs_prop_magic16(self)]; + ctor = &njs_vm_ctor(vm, njs_prop_magic16(self)); njs_set_function(retval, ctor); } diff -r 3386684745b7 -r 167f75576f49 src/njs_date.c --- a/src/njs_date.c Fri Jun 30 21:02:44 2023 -0700 +++ b/src/njs_date.c Mon Jul 03 12:49:00 2023 -0700 @@ -364,7 +364,7 @@ njs_date_alloc(njs_vm_t *vm, double time date->object.extensible = 1; date->object.error_data = 0; date->object.fast_array = 0; - date->object.__proto__ = &vm->prototypes[NJS_OBJ_TYPE_DATE].object; + date->object.__proto__ = njs_vm_proto(vm, NJS_OBJ_TYPE_DATE); date->object.slots = NULL; date->time = time; diff -r 3386684745b7 -r 167f75576f49 src/njs_error.c --- a/src/njs_error.c Fri Jun 30 21:02:44 2023 -0700 +++ b/src/njs_error.c Mon Jul 03 12:49:00 2023 -0700 @@ -76,7 +76,7 @@ njs_throw_error(njs_vm_t *vm, njs_object va_list args; va_start(args, fmt); - njs_throw_error_va(vm, &vm->prototypes[type].object, fmt, args); + njs_throw_error_va(vm, njs_vm_proto(vm, type), fmt, args); va_end(args); } @@ -96,7 +96,7 @@ njs_error_fmt_new(njs_vm_t *vm, njs_valu va_end(args); } - njs_error_new(vm, dst, &vm->prototypes[type].object, buf, p - buf); + njs_error_new(vm, dst, njs_vm_proto(vm, type), buf, p - buf); } @@ -298,7 +298,7 @@ memory_error: } -static njs_int_t +njs_int_t njs_error_constructor(njs_vm_t *vm, njs_value_t *args, njs_uint_t nargs, njs_index_t type, njs_value_t *retval) { @@ -339,7 +339,7 @@ njs_error_constructor(njs_vm_t *vm, njs_ } } - error = njs_error_alloc(vm, &vm->prototypes[type].object, NULL, + error = njs_error_alloc(vm, njs_vm_proto(vm, type), NULL, njs_is_defined(value) ? value : NULL, njs_is_defined(&list) ? &list : NULL); if (njs_slow_path(error == NULL)) { @@ -499,15 +499,13 @@ const njs_object_init_t njs_aggregate_e void njs_memory_error_set(njs_vm_t *vm, njs_value_t *value) { - njs_object_t *object; - njs_object_prototype_t *prototypes; + njs_object_t *object; - prototypes = vm->prototypes; object = &vm->memory_error_object; njs_lvlhsh_init(&object->hash); njs_lvlhsh_init(&object->shared_hash); - object->__proto__ = &prototypes[NJS_OBJ_TYPE_INTERNAL_ERROR].object; + object->__proto__ = njs_vm_proto(vm, NJS_OBJ_TYPE_INTERNAL_ERROR); object->slots = NULL; object->type = NJS_OBJECT; object->shared = 1; @@ -555,7 +553,7 @@ njs_memory_error_prototype_create(njs_vm function = njs_function(value); proto = njs_property_prototype_create(vm, &function->object.hash, - &vm->prototypes[index].object); + njs_vm_proto(vm, index)); if (proto == NULL) { proto = &njs_value_undefined; } diff -r 3386684745b7 -r 167f75576f49 src/njs_extern.c --- a/src/njs_extern.c Fri Jun 30 21:02:44 2023 -0700 +++ b/src/njs_extern.c Mon Jul 03 12:49:00 2023 -0700 @@ -315,6 +315,77 @@ njs_vm_external_prototype(njs_vm_t *vm, } +static njs_int_t +njs_vm_external_constructor_handler(njs_vm_t *vm, njs_object_prop_t *prop, + njs_value_t *value, njs_value_t *setval, njs_value_t *retval) +{ + njs_set_function(retval, &njs_vm_ctor(vm, njs_prop_magic32(prop))); + + return NJS_OK; +} + + +njs_int_t +njs_vm_external_constructor(njs_vm_t *vm, const njs_str_t *name, + njs_function_native_t native, const njs_external_t *ctor_props, + njs_uint_t ctor_nprops, const njs_external_t *proto_props, + njs_uint_t proto_nprops) +{ + njs_int_t ret, index, proto_id; + njs_arr_t **pprotos; + njs_function_t *constructor; + njs_exotic_slots_t *slots; + njs_object_prototype_t *prototype; + + index = njs_vm_ctor_push(vm); + if (njs_slow_path(index < 0)) { + njs_internal_error(vm, "njs_vm_ctor_push() failed"); + return -1; + } + + proto_id = njs_vm_external_prototype(vm, proto_props, proto_nprops); + if (njs_slow_path(proto_id < 0)) { + njs_internal_error(vm, "njs_vm_external_prototype(proto_props) failed"); + return -1; + } + + prototype = njs_shared_prototype(vm->shared, index); + njs_memzero(prototype, sizeof(njs_object_prototype_t)); + prototype->object.type = NJS_OBJECT; + prototype->object.extensible = 1; + + pprotos = njs_arr_item(vm->protos, proto_id); + slots = (*pprotos)->start; + prototype->object.shared_hash = slots->external_shared_hash; + + proto_id = njs_vm_external_prototype(vm, ctor_props, ctor_nprops); + if (njs_slow_path(proto_id < 0)) { + njs_internal_error(vm, "njs_vm_external_prototype(ctor_props) failed"); + return -1; + } + + constructor = njs_shared_ctor(vm->shared, index); + njs_memzero(constructor, sizeof(njs_function_t)); + constructor->object.type = NJS_FUNCTION; + constructor->u.native = native; + constructor->magic8 = index; + constructor->native = 1; + constructor->ctor = 1; + + pprotos = njs_arr_item(vm->protos, proto_id); + slots = (*pprotos)->start; + constructor->object.shared_hash = slots->external_shared_hash; + + ret = njs_vm_bind_handler(vm, name, njs_vm_external_constructor_handler, 0, + index, 1); + if (njs_slow_path(ret != NJS_OK)) { + return NJS_ERROR; + } + + return index; +} + + njs_int_t njs_vm_external_create(njs_vm_t *vm, njs_value_t *value, njs_int_t proto_id, njs_external_ptr_t external, njs_bool_t shared) diff -r 3386684745b7 -r 167f75576f49 src/njs_function.c --- a/src/njs_function.c Fri Jun 30 21:02:44 2023 -0700 +++ b/src/njs_function.c Mon Jul 03 12:49:00 2023 -0700 @@ -46,10 +46,10 @@ njs_function_alloc(njs_vm_t *vm, njs_fun } if (async) { - proto = &vm->prototypes[NJS_OBJ_TYPE_ASYNC_FUNCTION].object; + proto = njs_vm_proto(vm, NJS_OBJ_TYPE_ASYNC_FUNCTION); } else { - proto = &vm->prototypes[NJS_OBJ_TYPE_FUNCTION].object; + proto = njs_vm_proto(vm, NJS_OBJ_TYPE_FUNCTION); } function->object.__proto__ = proto; @@ -84,7 +84,7 @@ njs_vm_function_alloc(njs_vm_t *vm, njs_ function->object.shared = shared; function->u.native = native; function->object.shared_hash = vm->shared->function_instance_hash; - function->object.__proto__ = &vm->prototypes[NJS_OBJ_TYPE_FUNCTION].object; + function->object.__proto__ = njs_vm_proto(vm, NJS_OBJ_TYPE_FUNCTION); function->object.type = NJS_FUNCTION; return function; @@ -212,7 +212,7 @@ njs_function_copy(njs_vm_t *vm, njs_func type = njs_function_object_type(vm, function); - copy->object.__proto__ = &vm->prototypes[type].object; + copy->object.__proto__ = njs_vm_proto(vm, type); copy->object.shared = 0; if (copy->ctor) { @@ -1370,7 +1370,7 @@ njs_function_prototype_bind(njs_vm_t *vm /* Bound functions have no "prototype" property. */ function->object.shared_hash = vm->shared->arrow_instance_hash; - function->object.__proto__ = &vm->prototypes[NJS_OBJ_TYPE_FUNCTION].object; + function->object.__proto__ = njs_vm_proto(vm, NJS_OBJ_TYPE_FUNCTION); function->object.shared = 0; function->context = njs_function(&args[0]); diff -r 3386684745b7 -r 167f75576f49 src/njs_json.c --- a/src/njs_json.c Fri Jun 30 21:02:44 2023 -0700 +++ b/src/njs_json.c Mon Jul 03 12:49:00 2023 -0700 @@ -1979,7 +1979,7 @@ njs_vm_value_dump(njs_vm_t *vm, njs_str_ if (njs_slow_path(vm->top_frame == NULL)) { /* An exception was thrown during compilation. */ - njs_vm_init(vm); + njs_vm_runtime_init(vm); } if (njs_is_valid(&vm->exception)) { diff -r 3386684745b7 -r 167f75576f49 src/njs_object.c --- a/src/njs_object.c Fri Jun 30 21:02:44 2023 -0700 +++ b/src/njs_object.c Mon Jul 03 12:49:00 2023 -0700 @@ -45,7 +45,7 @@ njs_object_alloc(njs_vm_t *vm) if (njs_fast_path(object != NULL)) { njs_lvlhsh_init(&object->hash); njs_lvlhsh_init(&object->shared_hash); - object->__proto__ = &vm->prototypes[NJS_OBJ_TYPE_OBJECT].object; + object->__proto__ = njs_vm_proto(vm, NJS_OBJ_TYPE_OBJECT); object->slots = NULL; object->type = NJS_OBJECT; object->shared = 0; @@ -80,7 +80,7 @@ njs_object_value_copy(njs_vm_t *vm, njs_ if (njs_fast_path(object != NULL)) { memcpy(object, njs_object(value), size); - object->__proto__ = &vm->prototypes[NJS_OBJ_TYPE_OBJECT].object; + object->__proto__ = njs_vm_proto(vm, NJS_OBJ_TYPE_OBJECT); object->shared = 0; value->data.u.object = object; return object; @@ -119,7 +119,7 @@ njs_object_value_alloc(njs_vm_t *vm, njs ov->object.error_data = 0; ov->object.fast_array = 0; - ov->object.__proto__ = &vm->prototypes[prototype_index].object; + ov->object.__proto__ = njs_vm_proto(vm, prototype_index); ov->object.slots = NULL; if (value != NULL) { @@ -1501,7 +1501,7 @@ njs_object_get_prototype_of(njs_vm_t *vm index = njs_primitive_prototype_index(value->type); if (njs_is_symbol(value)) { - njs_set_object(retval, &vm->prototypes[index].object); + njs_set_object(retval, njs_vm_proto(vm, index)); } else { njs_set_object_value(retval, @@ -1843,7 +1843,7 @@ njs_primitive_prototype_get_proto(njs_vm } else { index = njs_primitive_prototype_index(value->type); - proto = &vm->prototypes[index].object; + proto = njs_vm_proto(vm, index); } if (proto != NULL) { @@ -1875,7 +1875,7 @@ njs_object_prototype_create(njs_vm_t *vm function = njs_function(value); index = function - vm->constructors; - if (index >= 0 && index < NJS_OBJ_TYPE_MAX) { + if (index >= 0 && (size_t) index < vm->constructors_size) { proto = njs_property_prototype_create(vm, &function->object.hash, &vm->prototypes[index].object); } @@ -2111,7 +2111,7 @@ njs_object_prototype_create_constructor( prototype = (njs_object_prototype_t *) object; index = prototype - vm->prototypes; - if (index >= 0 && index < NJS_OBJ_TYPE_MAX) { + if (index >= 0 && (size_t) index < vm->constructors_size) { goto found; } @@ -2128,7 +2128,7 @@ njs_object_prototype_create_constructor( found: - njs_set_function(&constructor, &vm->constructors[index]); + njs_set_function(&constructor, &njs_vm_ctor(vm, index)); setval = &constructor; cons = njs_property_constructor_set(vm, &prototype->object.hash, setval); diff -r 3386684745b7 -r 167f75576f49 src/njs_parser.c --- a/src/njs_parser.c Fri Jun 30 21:02:44 2023 -0700 +++ b/src/njs_parser.c Mon Jul 03 12:49:00 2023 -0700 @@ -9199,6 +9199,10 @@ njs_parser_error(njs_vm_t *vm, njs_objec static const njs_value_t file_name = njs_string("fileName"); static const njs_value_t line_number = njs_string("lineNumber"); + if (njs_slow_path(vm->top_frame == NULL)) { + njs_vm_runtime_init(vm); + } + p = msg; end = msg + NJS_MAX_ERROR_STR; @@ -9217,7 +9221,7 @@ njs_parser_error(njs_vm_t *vm, njs_objec p = njs_sprintf(p, end, " in %uD", line); } - njs_error_new(vm, &error, &vm->prototypes[type].object, msg, p - msg); + njs_error_new(vm, &error, njs_vm_proto(vm, type), msg, p - msg); njs_set_number(&value, line); njs_value_property_set(vm, &error, njs_value_arg(&line_number), &value); diff -r 3386684745b7 -r 167f75576f49 src/njs_promise.c --- a/src/njs_promise.c Fri Jun 30 21:02:44 2023 -0700 +++ b/src/njs_promise.c Mon Jul 03 12:49:00 2023 -0700 @@ -131,7 +131,7 @@ njs_promise_alloc(njs_vm_t *vm) promise->object.extensible = 1; promise->object.error_data = 0; promise->object.fast_array = 0; - promise->object.__proto__ = &vm->prototypes[NJS_OBJ_TYPE_PROMISE].object; + promise->object.__proto__ = njs_vm_proto(vm, NJS_OBJ_TYPE_PROMISE); promise->object.slots = NULL; data = (njs_promise_data_t *) ((uint8_t *) promise + sizeof(njs_promise_t)); @@ -265,7 +265,7 @@ njs_promise_create_function(njs_vm_t *vm context = NULL; } - function->object.__proto__ = &vm->prototypes[NJS_OBJ_TYPE_FUNCTION].object; + function->object.__proto__ = njs_vm_proto(vm, NJS_OBJ_TYPE_FUNCTION); function->object.shared_hash = vm->shared->arrow_instance_hash; function->object.type = NJS_FUNCTION; function->object.extensible = 1; @@ -1352,8 +1352,8 @@ njs_promise_perform_all(njs_vm_t *vm, nj if (handler == njs_promise_perform_any_handler) { error = njs_error_alloc(vm, - &vm->prototypes[NJS_OBJ_TYPE_AGGREGATE_ERROR].object, - NULL, &string_any_rejected, &argument); + njs_vm_proto(vm, NJS_OBJ_TYPE_AGGREGATE_ERROR), + NULL, &string_any_rejected, &argument); if (njs_slow_path(error == NULL)) { return NJS_ERROR; } @@ -1730,8 +1730,8 @@ njs_promise_any_reject_element_functions njs_mp_free(vm->mem_pool, context->remaining_elements); error = njs_error_alloc(vm, - &vm->prototypes[NJS_OBJ_TYPE_AGGREGATE_ERROR].object, - NULL, &string_any_rejected, &arr_value); + njs_vm_proto(vm, NJS_OBJ_TYPE_AGGREGATE_ERROR), + NULL, &string_any_rejected, &arr_value); if (njs_slow_path(error == NULL)) { return NJS_ERROR; } diff -r 3386684745b7 -r 167f75576f49 src/njs_regexp.c --- a/src/njs_regexp.c Fri Jun 30 21:02:44 2023 -0700 +++ b/src/njs_regexp.c Mon Jul 03 12:49:00 2023 -0700 @@ -503,7 +503,7 @@ njs_regexp_alloc(njs_vm_t *vm, njs_regex if (njs_fast_path(regexp != NULL)) { njs_lvlhsh_init(®exp->object.hash); regexp->object.shared_hash = vm->shared->regexp_instance_hash; - regexp->object.__proto__ = &vm->prototypes[NJS_OBJ_TYPE_REGEXP].object; + regexp->object.__proto__ = njs_vm_proto(vm, NJS_OBJ_TYPE_REGEXP); regexp->object.slots = NULL; regexp->object.type = NJS_REGEXP; regexp->object.shared = 0; @@ -628,7 +628,7 @@ njs_regexp_prototype_flag(njs_vm_t *vm, } if (njs_slow_path(!njs_is_regexp(this))) { - if (njs_object(this) == &vm->prototypes[NJS_OBJ_TYPE_REGEXP].object) { + if (njs_object(this) == njs_vm_proto(vm, NJS_OBJ_TYPE_REGEXP)) { njs_set_undefined(retval); return NJS_OK; } @@ -679,7 +679,7 @@ njs_regexp_prototype_source(njs_vm_t *vm } if (njs_slow_path(!njs_is_regexp(this))) { - if (njs_object(this) == &vm->prototypes[NJS_OBJ_TYPE_REGEXP].object) { + if (njs_object(this) == njs_vm_proto(vm, NJS_OBJ_TYPE_REGEXP)) { njs_value_assign(retval, &njs_string_empty_regexp); return NJS_OK; } @@ -1553,7 +1553,7 @@ njs_regexp_prototype_symbol_split(njs_vm return ret; } - njs_set_function(&constructor, &vm->constructors[NJS_OBJ_TYPE_REGEXP]); + njs_set_function(&constructor, &njs_vm_ctor(vm, NJS_OBJ_TYPE_REGEXP)); ret = njs_value_species_constructor(vm, rx, &constructor, &constructor); if (njs_slow_path(ret != NJS_OK)) { diff -r 3386684745b7 -r 167f75576f49 src/njs_typed_array.c --- a/src/njs_typed_array.c Fri Jun 30 21:02:44 2023 -0700 +++ b/src/njs_typed_array.c Mon Jul 03 12:49:00 2023 -0700 @@ -180,7 +180,7 @@ njs_typed_array_alloc(njs_vm_t *vm, njs_ njs_lvlhsh_init(&array->object.hash); njs_lvlhsh_init(&array->object.shared_hash); - array->object.__proto__ = &vm->prototypes[type].object; + array->object.__proto__ = njs_vm_proto(vm, type); array->object.type = NJS_TYPED_ARRAY; array->object.extensible = 1; array->object.fast_array = 1; @@ -264,7 +264,7 @@ njs_typed_array_species_create(njs_vm_t array = njs_typed_array(exemplar); - njs_set_function(&constructor, &vm->constructors[array->type]); + njs_set_function(&constructor, &njs_vm_ctor(vm, array->type)); ret = njs_value_species_constructor(vm, exemplar, &constructor, &constructor); @@ -2413,7 +2413,7 @@ njs_data_view_constructor(njs_vm_t *vm, njs_lvlhsh_init(&view->object.hash); njs_lvlhsh_init(&view->object.shared_hash); - view->object.__proto__ = &vm->prototypes[view->type].object; + view->object.__proto__ = njs_vm_proto(vm, view->type); view->object.type = NJS_DATA_VIEW; view->object.extensible = 1; diff -r 3386684745b7 -r 167f75576f49 src/njs_value.c --- a/src/njs_value.c Fri Jun 30 21:02:44 2023 -0700 +++ b/src/njs_value.c Mon Jul 03 12:49:00 2023 -0700 @@ -638,7 +638,7 @@ njs_property_query(njs_vm_t *vm, njs_pro case NJS_NUMBER: case NJS_SYMBOL: index = njs_primitive_prototype_index(value->type); - obj = &vm->prototypes[index].object; + obj = njs_vm_proto(vm, index); break; case NJS_STRING: diff -r 3386684745b7 -r 167f75576f49 src/njs_value.h --- a/src/njs_value.h Fri Jun 30 21:02:44 2023 -0700 +++ b/src/njs_value.h Mon Jul 03 12:49:00 2023 -0700 @@ -625,9 +625,8 @@ typedef struct { ((value)->type >= NJS_OBJECT) -#define njs_has_prototype(vm, value, proto) \ - (((njs_object_prototype_t *) \ - njs_object(value)->__proto__ - (vm)->prototypes) == proto) +#define njs_has_prototype(vm, value, proto_id) \ + (njs_object(value)->__proto__ == njs_vm_proto(vm, proto_id)) #define njs_is_object_value(value) \ diff -r 3386684745b7 -r 167f75576f49 src/njs_vm.c --- a/src/njs_vm.c Fri Jun 30 21:02:44 2023 -0700 +++ b/src/njs_vm.c Mon Jul 03 12:49:00 2023 -0700 @@ -9,6 +9,7 @@ static njs_int_t njs_vm_handle_events(njs_vm_t *vm); +static njs_int_t njs_vm_protos_init(njs_vm_t *vm, njs_value_t *global); const njs_str_t njs_entry_empty = njs_str(""); @@ -78,13 +79,47 @@ njs_vm_create(njs_vm_opt_t *options) vm->trace.data = vm; if (options->init) { - ret = njs_vm_init(vm); + ret = njs_vm_runtime_init(vm); if (njs_slow_path(ret != NJS_OK)) { return NULL; } } for (i = 0; njs_modules[i] != NULL; i++) { + if (njs_modules[i]->preinit == NULL) { + continue; + } + + ret = njs_modules[i]->preinit(vm); + if (njs_slow_path(ret != NJS_OK)) { + return NULL; + } + } + + if (options->addons != NULL) { + addons = options->addons; + for (i = 0; addons[i] != NULL; i++) { + if (addons[i]->preinit == NULL) { + continue; + } + + ret = addons[i]->preinit(vm); + if (njs_slow_path(ret != NJS_OK)) { + return NULL; + } + } + } + + ret = njs_vm_protos_init(vm, &vm->global_value); + if (njs_slow_path(ret != NJS_OK)) { + return NULL; + } + + for (i = 0; njs_modules[i] != NULL; i++) { + if (njs_modules[i]->init == NULL) { + continue; + } + ret = njs_modules[i]->init(vm); if (njs_slow_path(ret != NJS_OK)) { return NULL; @@ -94,6 +129,10 @@ njs_vm_create(njs_vm_opt_t *options) if (options->addons != NULL) { addons = options->addons; for (i = 0; addons[i] != NULL; i++) { + if (addons[i]->init == NULL) { + continue; + } + ret = addons[i]->init(vm); if (njs_slow_path(ret != NJS_OK)) { return NULL; @@ -111,6 +150,51 @@ njs_vm_create(njs_vm_opt_t *options) } +njs_int_t +njs_vm_ctor_push(njs_vm_t *vm) +{ + njs_function_t *ctor; + njs_vm_shared_t *shared; + njs_object_prototype_t *prototype; + + shared = vm->shared; From xeioex at nginx.com Mon Jul 3 20:34:14 2023 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Mon, 03 Jul 2023 20:34:14 +0000 Subject: [njs] Modules: introduced js_shared_dict_zone directive. Message-ID: details: https://hg.nginx.org/njs/rev/ff7eb3c4bf76 branches: changeset: 2176:ff7eb3c4bf76 user: Dmitry Volyntsev date: Mon Jul 03 13:32:41 2023 -0700 description: Modules: introduced js_shared_dict_zone directive. The directive allows to declare a dictionary that is shared among the working processes. A dictionary expects strings as keys. It stores string or number as values. The value type is declared using type= argument of the directive. The default type is string. example.conf: # Declares a shared dictionary of strings of size 1 Mb that # removes key-value after 60 seconds of inactivity. js_shared_dict_zone zone=foo:1M timeout=60s; # Declares a shared dictionary of strings of size 512Kb that # forcibly remove oldest key-value pairs when memory is not enough. js_shared_dict_zone zone=bar:512K timeout=30s evict; # Declares a permanent number shared dictionary of size 32Kb. js_shared_dict_zone zone=num:32k type=number; example.js: function get(r) { r.return(200, ngx.shared.foo.get(r.args.key)); } function set(r) { r.return(200, ngx.shared.foo.set(r.args.key, r.args.value)); } function delete(r) { r.return(200, ngx.shared.bar.delete(r.args.key)); } function increment(r) { r.return(200, ngx.shared.num.incr(r.args.key, 2)); } In collaboration with Artem S. Povalyukhin, Jakub Jirutka and 洪志道 (Hong Zhi Dao). This closes #437 issue on Github. diffstat: nginx/config | 6 +- nginx/ngx_http_js_module.c | 48 +- nginx/ngx_js.c | 34 + nginx/ngx_js.h | 18 + nginx/ngx_js_shared_dict.c | 1586 +++++++++++++++++++++++++++++++++++++++ nginx/ngx_js_shared_dict.h | 19 + nginx/ngx_stream_js_module.c | 48 +- nginx/t/js_shared_dict.t | 299 +++++++ nginx/t/stream_js_shared_dict.t | 188 ++++ ts/ngx_core.d.ts | 150 +++ 10 files changed, 2390 insertions(+), 6 deletions(-) diffs (truncated from 2634 to 1000 lines): diff -r 167f75576f49 -r ff7eb3c4bf76 nginx/config --- a/nginx/config Mon Jul 03 12:49:00 2023 -0700 +++ b/nginx/config Mon Jul 03 13:32:41 2023 -0700 @@ -5,10 +5,12 @@ NJS_LIBXSLT=${NJS_LIBXSLT:-YES} NJS_ZLIB=${NJS_ZLIB:-YES} NJS_DEPS="$ngx_addon_dir/ngx_js.h \ - $ngx_addon_dir/ngx_js_fetch.h" + $ngx_addon_dir/ngx_js_fetch.h \ + $ngx_addon_dir/ngx_js_shared_dict.h" NJS_SRCS="$ngx_addon_dir/ngx_js.c \ $ngx_addon_dir/ngx_js_fetch.c \ - $ngx_addon_dir/ngx_js_regex.c" + $ngx_addon_dir/ngx_js_regex.c \ + $ngx_addon_dir/ngx_js_shared_dict.c" NJS_OPENSSL_LIB= NJS_XSLT_LIB= diff -r 167f75576f49 -r ff7eb3c4bf76 nginx/ngx_http_js_module.c --- a/nginx/ngx_http_js_module.c Mon Jul 03 12:49:00 2023 -0700 +++ b/nginx/ngx_http_js_module.c Mon Jul 03 13:32:41 2023 -0700 @@ -252,10 +252,13 @@ static char *ngx_http_js_set(ngx_conf_t static char *ngx_http_js_var(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); static char *ngx_http_js_content(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); +static char *ngx_http_js_shared_dict_zone(ngx_conf_t *cf, ngx_command_t *cmd, + void *conf); static char *ngx_http_js_body_filter_set(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); static ngx_int_t ngx_http_js_init_conf_vm(ngx_conf_t *cf, ngx_js_loc_conf_t *conf); +static void *ngx_http_js_create_main_conf(ngx_conf_t *cf); static void *ngx_http_js_create_loc_conf(ngx_conf_t *cf); static char *ngx_http_js_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child); @@ -393,6 +396,13 @@ static ngx_command_t ngx_http_js_comman #endif + { ngx_string("js_shared_dict_zone"), + NGX_HTTP_MAIN_CONF|NGX_CONF_1MORE, + ngx_http_js_shared_dict_zone, + 0, + 0, + NULL }, + ngx_null_command }; @@ -401,7 +411,7 @@ static ngx_http_module_t ngx_http_js_mo NULL, /* preconfiguration */ ngx_http_js_init, /* postconfiguration */ - NULL, /* create main configuration */ + ngx_http_js_create_main_conf, /* create main configuration */ NULL, /* init main configuration */ NULL, /* create server configuration */ @@ -775,6 +785,7 @@ static uintptr_t ngx_http_js_uptr[] = { (uintptr_t) ngx_http_js_fetch_timeout, (uintptr_t) ngx_http_js_buffer_size, (uintptr_t) ngx_http_js_max_response_buffer_size, + (uintptr_t) 0 /* main_conf ptr */, }; @@ -798,6 +809,7 @@ njs_module_t *njs_http_js_addon_modules[ */ &ngx_js_ngx_module, &ngx_js_fetch_module, + &ngx_js_shared_dict_module, #ifdef NJS_HAVE_OPENSSL &njs_webcrypto_module, #endif @@ -4149,10 +4161,14 @@ ngx_js_http_init(njs_vm_t *vm) static ngx_int_t ngx_http_js_init_conf_vm(ngx_conf_t *cf, ngx_js_loc_conf_t *conf) { - njs_vm_opt_t options; + njs_vm_opt_t options; + ngx_js_main_conf_t *jmcf; njs_vm_opt_init(&options); + jmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_js_module); + ngx_http_js_uptr[NGX_JS_MAIN_CONF_INDEX] = (uintptr_t) jmcf; + options.backtrace = 1; options.unhandled_rejection = NJS_VM_OPT_UNHANDLED_REJECTION_THROW; options.ops = &ngx_http_js_ops; @@ -4293,6 +4309,14 @@ ngx_http_js_content(ngx_conf_t *cf, ngx_ static char * +ngx_http_js_shared_dict_zone(ngx_conf_t *cf, ngx_command_t *cmd, + void *conf) +{ + return ngx_js_shared_dict_zone(cf, cmd, conf, &ngx_http_js_module); +} + + +static char * ngx_http_js_body_filter_set(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { ngx_http_js_loc_conf_t *jlcf = conf; @@ -4331,6 +4355,26 @@ ngx_http_js_body_filter_set(ngx_conf_t * static void * +ngx_http_js_create_main_conf(ngx_conf_t *cf) +{ + ngx_js_main_conf_t *jmcf; + + jmcf = ngx_pcalloc(cf->pool, sizeof(ngx_js_main_conf_t)); + if (jmcf == NULL) { + return NULL; + } + + /* + * set by ngx_pcalloc(): + * + * jmcf->dicts = NULL; + */ + + return jmcf; +} + + +static void * ngx_http_js_create_loc_conf(ngx_conf_t *cf) { ngx_http_js_loc_conf_t *conf = diff -r 167f75576f49 -r ff7eb3c4bf76 nginx/ngx_js.c --- a/nginx/ngx_js.c Mon Jul 03 12:49:00 2023 -0700 +++ b/nginx/ngx_js.c Mon Jul 03 13:32:41 2023 -0700 @@ -32,6 +32,28 @@ static void ngx_js_cleanup_vm(void *data static njs_int_t ngx_js_core_init(njs_vm_t *vm); +static njs_external_t ngx_js_ext_global_shared[] = { + + { + .flags = NJS_EXTERN_PROPERTY | NJS_EXTERN_SYMBOL, + .name.symbol = NJS_SYMBOL_TO_STRING_TAG, + .u.property = { + .value = "GlobalShared", + } + }, + + { + .flags = NJS_EXTERN_SELF, + .u.object = { + .enumerable = 1, + .prop_handler = njs_js_ext_global_shared_prop, + .keys = njs_js_ext_global_shared_keys, + } + }, + +}; + + static njs_external_t ngx_js_ext_core[] = { { @@ -113,6 +135,18 @@ static njs_external_t ngx_js_ext_core[] }, { + .flags = NJS_EXTERN_OBJECT, + .name.string = njs_str("shared"), + .enumerable = 1, + .writable = 1, + .u.object = { + .enumerable = 1, + .properties = ngx_js_ext_global_shared, + .nproperties = njs_nitems(ngx_js_ext_global_shared), + } + }, + + { .flags = NJS_EXTERN_PROPERTY, .name.string = njs_str("prefix"), .enumerable = 1, diff -r 167f75576f49 -r ff7eb3c4bf76 nginx/ngx_js.h --- a/nginx/ngx_js.h Mon Jul 03 12:49:00 2023 -0700 +++ b/nginx/ngx_js.h Mon Jul 03 13:32:41 2023 -0700 @@ -14,6 +14,7 @@ #include #include #include "ngx_js_fetch.h" +#include "ngx_js_shared_dict.h" #define NGX_JS_UNSET 0 @@ -43,6 +44,9 @@ typedef ngx_flag_t (*ngx_external_size_p njs_external_ptr_t e); typedef ngx_ssl_t *(*ngx_external_ssl_pt)(njs_vm_t *vm, njs_external_ptr_t e); + +typedef struct ngx_js_dict_s ngx_js_dict_t; + typedef struct { ngx_str_t name; ngx_str_t path; @@ -51,6 +55,10 @@ typedef struct { } ngx_js_named_path_t; +#define NGX_JS_COMMON_MAIN_CONF \ + ngx_js_dict_t *dicts \ + + #define _NGX_JS_COMMON_LOC_CONF \ njs_vm_t *vm; \ ngx_array_t *imports; \ @@ -81,6 +89,11 @@ typedef struct { typedef struct { + NGX_JS_COMMON_MAIN_CONF; +} ngx_js_main_conf_t; + + +typedef struct { NGX_JS_COMMON_LOC_CONF; } ngx_js_loc_conf_t; @@ -105,6 +118,9 @@ typedef struct { ((ngx_external_size_pt) njs_vm_meta(vm, 8))(vm, e) #define ngx_external_max_response_buffer_size(vm, e) \ ((ngx_external_size_pt) njs_vm_meta(vm, 9))(vm, e) +#define NGX_JS_MAIN_CONF_INDEX 10 +#define ngx_main_conf(vm) \ + ((ngx_js_main_conf_t *) njs_vm_meta(vm, NGX_JS_MAIN_CONF_INDEX)) #define ngx_js_prop(vm, type, value, start, len) \ @@ -134,6 +150,8 @@ ngx_int_t ngx_js_init_conf_vm(ngx_conf_t ngx_js_loc_conf_t *ngx_js_create_conf(ngx_conf_t *cf, size_t size); char * ngx_js_merge_conf(ngx_conf_t *cf, void *parent, void *child, ngx_int_t (*init_vm)(ngx_conf_t *cf, ngx_js_loc_conf_t *conf)); +char *ngx_js_shared_dict_zone(ngx_conf_t *cf, ngx_command_t *cmd, void *conf, + void *tag); njs_int_t ngx_js_ext_string(njs_vm_t *vm, njs_object_prop_t *prop, njs_value_t *value, njs_value_t *setval, njs_value_t *retval); diff -r 167f75576f49 -r ff7eb3c4bf76 nginx/ngx_js_shared_dict.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/nginx/ngx_js_shared_dict.c Mon Jul 03 13:32:41 2023 -0700 @@ -0,0 +1,1586 @@ + +/* + * Copyright (C) Dmitry Volyntsev + * Copyright (C) NGINX, Inc. + */ + + +#include +#include +#include "ngx_js.h" +#include "ngx_js_shared_dict.h" + + +typedef struct { + ngx_rbtree_t rbtree; + ngx_rbtree_node_t sentinel; + ngx_atomic_t rwlock; + + ngx_rbtree_t rbtree_expire; + ngx_rbtree_node_t sentinel_expire; +} ngx_js_dict_sh_t; + + +typedef struct { + ngx_str_node_t sn; + ngx_rbtree_node_t expire; + union { + ngx_str_t value; + double number; + } u; +} ngx_js_dict_node_t; + + +struct ngx_js_dict_s { + ngx_shm_zone_t *shm_zone; + ngx_js_dict_sh_t *sh; + ngx_slab_pool_t *shpool; + + ngx_msec_t timeout; + ngx_flag_t evict; +#define NGX_JS_DICT_TYPE_STRING 0 +#define NGX_JS_DICT_TYPE_NUMBER 1 + ngx_uint_t type; + + ngx_js_dict_t *next; +}; + + +static njs_int_t njs_js_ext_shared_dict_capacity(njs_vm_t *vm, + njs_object_prop_t *prop, njs_value_t *value, njs_value_t *setval, + njs_value_t *retval); +static njs_int_t njs_js_ext_shared_dict_clear(njs_vm_t *vm, njs_value_t *args, + njs_uint_t nargs, njs_index_t flags, njs_value_t *retval); +static njs_int_t njs_js_ext_shared_dict_delete(njs_vm_t *vm, njs_value_t *args, + njs_uint_t nargs, njs_index_t unused, njs_value_t *retval); +static njs_int_t njs_js_ext_shared_dict_free_space(njs_vm_t *vm, + njs_value_t *args, njs_uint_t nargs, njs_index_t unused, + njs_value_t *retval); +static njs_int_t njs_js_ext_shared_dict_get(njs_vm_t *vm, njs_value_t *args, + njs_uint_t nargs, njs_index_t unused, njs_value_t *retval); +static njs_int_t njs_js_ext_shared_dict_has(njs_vm_t *vm, njs_value_t *args, + njs_uint_t nargs, njs_index_t unused, njs_value_t *retval); +static njs_int_t njs_js_ext_shared_dict_keys(njs_vm_t *vm, njs_value_t *args, + njs_uint_t nargs, njs_index_t unused, njs_value_t *retval); +static njs_int_t njs_js_ext_shared_dict_incr(njs_vm_t *vm, njs_value_t *args, + njs_uint_t nargs, njs_index_t unused, njs_value_t *retval); +static njs_int_t njs_js_ext_shared_dict_name(njs_vm_t *vm, + njs_object_prop_t *prop, njs_value_t *value, njs_value_t *setval, + njs_value_t *retval); +static njs_int_t njs_js_ext_shared_dict_pop(njs_vm_t *vm, njs_value_t *args, + njs_uint_t nargs, njs_index_t unused, njs_value_t *retval); +static njs_int_t njs_js_ext_shared_dict_set(njs_vm_t *vm, njs_value_t *args, + njs_uint_t nargs, njs_index_t flags, njs_value_t *retval); +static njs_int_t njs_js_ext_shared_dict_size(njs_vm_t *vm, njs_value_t *args, + njs_uint_t nargs, njs_index_t unused, njs_value_t *retval); +static njs_int_t njs_js_ext_shared_dict_type(njs_vm_t *vm, + njs_object_prop_t *prop, njs_value_t *value, njs_value_t *setval, + njs_value_t *retval); +static ngx_js_dict_node_t *ngx_js_dict_lookup(ngx_js_dict_t *dict, + njs_str_t *key); + +#define NGX_JS_DICT_FLAG_MUST_EXIST 1 +#define NGX_JS_DICT_FLAG_MUST_NOT_EXIST 2 + +static ngx_int_t ngx_js_dict_set(njs_vm_t *vm, ngx_js_dict_t *dict, + njs_str_t *key, njs_value_t *value, unsigned flags); +static ngx_int_t ngx_js_dict_add(ngx_js_dict_t *dict, njs_str_t *key, + njs_value_t *value, ngx_msec_t now); +static ngx_int_t ngx_js_dict_update(ngx_js_dict_t *dict, + ngx_js_dict_node_t *node, njs_value_t *value, ngx_msec_t now); +static ngx_int_t ngx_js_dict_get(njs_vm_t *vm, ngx_js_dict_t *dict, + njs_str_t *key, njs_value_t *retval); +static ngx_int_t ngx_js_dict_incr(ngx_js_dict_t *dict, njs_str_t *key, + njs_value_t *delta, njs_value_t *init, double *value); +static ngx_int_t ngx_js_dict_delete(njs_vm_t *vm, ngx_js_dict_t *dict, + njs_str_t *key, njs_value_t *retval); +static ngx_int_t ngx_js_dict_copy_value_locked(njs_vm_t *vm, + ngx_js_dict_t *dict, ngx_js_dict_node_t *node, njs_value_t *retval); + +static void ngx_js_dict_expire(ngx_js_dict_t *dict, ngx_msec_t now); +static void ngx_js_dict_evict(ngx_js_dict_t *dict, ngx_int_t count); + +static njs_int_t ngx_js_dict_shared_error_name(njs_vm_t *vm, + njs_object_prop_t *prop, njs_value_t *value, njs_value_t *setval, + njs_value_t *retval); + +static ngx_int_t ngx_js_dict_init_zone(ngx_shm_zone_t *shm_zone, void *data); +static njs_int_t ngx_js_shared_dict_preinit(njs_vm_t *vm); +static njs_int_t ngx_js_shared_dict_init(njs_vm_t *vm); + + +static njs_external_t ngx_js_ext_shared_dict[] = { + + { + .flags = NJS_EXTERN_PROPERTY | NJS_EXTERN_SYMBOL, + .name.symbol = NJS_SYMBOL_TO_STRING_TAG, + .u.property = { + .value = "SharedDict", + } + }, + + { + .flags = NJS_EXTERN_METHOD, + .name.string = njs_str("add"), + .writable = 1, + .configurable = 1, + .enumerable = 1, + .u.method = { + .native = njs_js_ext_shared_dict_set, + .magic8 = NGX_JS_DICT_FLAG_MUST_NOT_EXIST, + } + }, + + { + .flags = NJS_EXTERN_PROPERTY, + .name.string = njs_str("capacity"), + .enumerable = 1, + .u.property = { + .handler = njs_js_ext_shared_dict_capacity, + } + }, + + { + .flags = NJS_EXTERN_METHOD, + .name.string = njs_str("clear"), + .writable = 1, + .configurable = 1, + .enumerable = 1, + .u.method = { + .native = njs_js_ext_shared_dict_clear, + } + }, + + { + .flags = NJS_EXTERN_METHOD, + .name.string = njs_str("freeSpace"), + .writable = 1, + .configurable = 1, + .enumerable = 1, + .u.method = { + .native = njs_js_ext_shared_dict_free_space, + } + }, + + { + .flags = NJS_EXTERN_METHOD, + .name.string = njs_str("delete"), + .writable = 1, + .configurable = 1, + .enumerable = 1, + .u.method = { + .native = njs_js_ext_shared_dict_delete, + } + }, + + { + .flags = NJS_EXTERN_METHOD, + .name.string = njs_str("incr"), + .writable = 1, + .configurable = 1, + .enumerable = 1, + .u.method = { + .native = njs_js_ext_shared_dict_incr, + } + }, + + { + .flags = NJS_EXTERN_METHOD, + .name.string = njs_str("get"), + .writable = 1, + .configurable = 1, + .enumerable = 1, + .u.method = { + .native = njs_js_ext_shared_dict_get, + } + }, + + { + .flags = NJS_EXTERN_METHOD, + .name.string = njs_str("has"), + .writable = 1, + .configurable = 1, + .enumerable = 1, + .u.method = { + .native = njs_js_ext_shared_dict_has, + } + }, + + { + .flags = NJS_EXTERN_METHOD, + .name.string = njs_str("keys"), + .writable = 1, + .configurable = 1, + .enumerable = 1, + .u.method = { + .native = njs_js_ext_shared_dict_keys, + } + }, + + { + .flags = NJS_EXTERN_PROPERTY, + .name.string = njs_str("name"), + .enumerable = 1, + .u.property = { + .handler = njs_js_ext_shared_dict_name, + } + }, + + { + .flags = NJS_EXTERN_METHOD, + .name.string = njs_str("pop"), + .writable = 1, + .configurable = 1, + .enumerable = 1, + .u.method = { + .native = njs_js_ext_shared_dict_pop, + } + }, + + { + .flags = NJS_EXTERN_METHOD, + .name.string = njs_str("replace"), + .writable = 1, + .configurable = 1, + .enumerable = 1, + .u.method = { + .native = njs_js_ext_shared_dict_set, + .magic8 = NGX_JS_DICT_FLAG_MUST_EXIST, + } + }, + + { + .flags = NJS_EXTERN_METHOD, + .name.string = njs_str("set"), + .writable = 1, + .configurable = 1, + .enumerable = 1, + .u.method = { + .native = njs_js_ext_shared_dict_set, + } + }, + + { + .flags = NJS_EXTERN_METHOD, + .name.string = njs_str("size"), + .writable = 1, + .configurable = 1, + .enumerable = 1, + .u.method = { + .native = njs_js_ext_shared_dict_size, + } + }, + + { + .flags = NJS_EXTERN_PROPERTY, + .name.string = njs_str("type"), + .enumerable = 1, + .u.property = { + .handler = njs_js_ext_shared_dict_type, + } + }, + +}; + + +static njs_external_t ngx_js_ext_error_ctor_props[] = { + + { + .flags = NJS_EXTERN_PROPERTY, + .name.string = njs_str("name"), + .enumerable = 1, + .u.property = { + .handler = ngx_js_dict_shared_error_name, + } + }, + + { + .flags = NJS_EXTERN_PROPERTY, + .name.string = njs_str("prototype"), + .enumerable = 1, + .u.property = { + .handler = njs_object_prototype_create, + } + }, + +}; + + +static njs_external_t ngx_js_ext_error_proto_props[] = { + + { + .flags = NJS_EXTERN_PROPERTY, + .name.string = njs_str("name"), + .enumerable = 1, + .u.property = { + .handler = ngx_js_dict_shared_error_name, + } + }, + + { + .flags = NJS_EXTERN_PROPERTY, + .name.string = njs_str("prototype"), + .enumerable = 1, + .u.property = { + .handler = njs_object_prototype_create, + } + }, + +}; + + +static njs_int_t ngx_js_shared_dict_proto_id; +static njs_int_t ngx_js_shared_dict_error_id; + + +njs_module_t ngx_js_shared_dict_module = { + .name = njs_str("shared_dict"), + .preinit = ngx_js_shared_dict_preinit, + .init = ngx_js_shared_dict_init, +}; + + +njs_int_t +njs_js_ext_global_shared_prop(njs_vm_t *vm, njs_object_prop_t *prop, + njs_value_t *value, njs_value_t *setval, njs_value_t *retval) +{ + njs_int_t ret; + njs_str_t name; + ngx_js_dict_t *dict; + ngx_shm_zone_t *shm_zone; + ngx_js_main_conf_t *conf; + + ret = njs_vm_prop_name(vm, prop, &name); + if (ret != NJS_OK) { + return NJS_ERROR; + } + + conf = ngx_main_conf(vm); + + for (dict = conf->dicts; dict != NULL; dict = dict->next) { + shm_zone = dict->shm_zone; + + if (shm_zone->shm.name.len == name.length + && ngx_strncmp(shm_zone->shm.name.data, name.start, + name.length) + == 0) + { + ret = njs_vm_external_create(vm, retval, + ngx_js_shared_dict_proto_id, + shm_zone, 0); + if (ret != NJS_OK) { + njs_vm_internal_error(vm, "sharedDict creation failed"); + return NJS_ERROR; + } + + return NJS_OK; + } + } + + njs_value_null_set(retval); + + return NJS_DECLINED; +} + + +njs_int_t +njs_js_ext_global_shared_keys(njs_vm_t *vm, njs_value_t *unused, + njs_value_t *keys) +{ + njs_int_t rc; + njs_value_t *value; + ngx_js_dict_t *dict; + ngx_shm_zone_t *shm_zone; + ngx_js_main_conf_t *conf; + + conf = ngx_main_conf(vm); + + rc = njs_vm_array_alloc(vm, keys, 4); + if (rc != NJS_OK) { + return NJS_ERROR; + } + + for (dict = conf->dicts; dict != NULL; dict = dict->next) { + shm_zone = dict->shm_zone; + + value = njs_vm_array_push(vm, keys); + if (value == NULL) { + return NJS_ERROR; + } + + rc = njs_vm_value_string_set(vm, value, shm_zone->shm.name.data, + shm_zone->shm.name.len); + if (rc != NJS_OK) { + return NJS_ERROR; + } + } + + return NJS_OK; +} + + +static njs_int_t +njs_js_ext_shared_dict_capacity(njs_vm_t *vm, njs_object_prop_t *prop, + njs_value_t *value, njs_value_t *setval, njs_value_t *retval) +{ + ngx_shm_zone_t *shm_zone; + + shm_zone = njs_vm_external(vm, ngx_js_shared_dict_proto_id, value); + if (shm_zone == NULL) { + njs_value_undefined_set(retval); + return NJS_DECLINED; + } + + njs_value_number_set(retval, shm_zone->shm.size); + + return NJS_OK; +} + + +static njs_int_t +njs_js_ext_shared_dict_clear(njs_vm_t *vm, njs_value_t *args, njs_uint_t nargs, + njs_index_t unused, njs_value_t *retval) +{ + ngx_js_dict_t *dict; + ngx_shm_zone_t *shm_zone; + + shm_zone = njs_vm_external(vm, ngx_js_shared_dict_proto_id, + njs_argument(args, 0)); + if (shm_zone == NULL) { + njs_vm_type_error(vm, "\"this\" is not a shared dict"); + return NJS_ERROR; + } + + dict = shm_zone->data; + + ngx_rwlock_wlock(&dict->sh->rwlock); + + ngx_js_dict_evict(dict, 0x7fffffff /* INT_MAX */); + + ngx_rwlock_unlock(&dict->sh->rwlock); + + njs_value_undefined_set(retval); + + return NJS_OK; +} + + +static njs_int_t +njs_js_ext_shared_dict_free_space(njs_vm_t *vm, njs_value_t *args, + njs_uint_t nargs, njs_index_t unused, njs_value_t *retval) +{ + size_t bytes; + ngx_js_dict_t *dict; + ngx_shm_zone_t *shm_zone; + + shm_zone = njs_vm_external(vm, ngx_js_shared_dict_proto_id, + njs_argument(args, 0)); + if (shm_zone == NULL) { + njs_vm_type_error(vm, "\"this\" is not a shared dict"); + return NJS_ERROR; + } + + dict = shm_zone->data; + + ngx_rwlock_rlock(&dict->sh->rwlock); + bytes = dict->shpool->pfree * ngx_pagesize; + ngx_rwlock_unlock(&dict->sh->rwlock); + + njs_value_number_set(retval, bytes); + + return NJS_OK; +} + + +static njs_int_t +njs_js_ext_shared_dict_delete(njs_vm_t *vm, njs_value_t *args, njs_uint_t nargs, + njs_index_t unused, njs_value_t *retval) +{ + ngx_int_t rc; + njs_str_t key; + ngx_shm_zone_t *shm_zone; + + shm_zone = njs_vm_external(vm, ngx_js_shared_dict_proto_id, + njs_argument(args, 0)); + if (shm_zone == NULL) { + njs_vm_type_error(vm, "\"this\" is not a shared dict"); + return NJS_ERROR; + } + + if (ngx_js_string(vm, njs_arg(args, nargs, 1), &key) != NGX_OK) { + return NJS_ERROR; + } + + rc = ngx_js_dict_delete(vm, shm_zone->data, &key, NULL); + + njs_value_boolean_set(retval, rc == NGX_OK); + + return NJS_OK; +} + + +static njs_int_t +njs_js_ext_shared_dict_get(njs_vm_t *vm, njs_value_t *args, njs_uint_t nargs, + njs_index_t unused, njs_value_t *retval) +{ + ngx_int_t rc; + njs_str_t key; + ngx_shm_zone_t *shm_zone; + + shm_zone = njs_vm_external(vm, ngx_js_shared_dict_proto_id, + njs_argument(args, 0)); + if (shm_zone == NULL) { + njs_vm_type_error(vm, "\"this\" is not a shared dict"); + return NJS_ERROR; + } + + if (ngx_js_string(vm, njs_arg(args, nargs, 1), &key) != NGX_OK) { + return NJS_ERROR; + } + + rc = ngx_js_dict_get(vm, shm_zone->data, &key, retval); + if (njs_slow_path(rc == NGX_ERROR)) { + njs_vm_error(vm, "failed to get value from shared dict"); + return NJS_ERROR; + } + + return NJS_OK; +} + + +static njs_int_t +njs_js_ext_shared_dict_has(njs_vm_t *vm, njs_value_t *args, njs_uint_t nargs, + njs_index_t unused, njs_value_t *retval) +{ + njs_str_t key; + ngx_msec_t now; + ngx_time_t *tp; + ngx_js_dict_t *dict; + ngx_shm_zone_t *shm_zone; + ngx_js_dict_node_t *node; + + shm_zone = njs_vm_external(vm, ngx_js_shared_dict_proto_id, + njs_argument(args, 0)); + if (shm_zone == NULL) { + njs_vm_type_error(vm, "\"this\" is not a shared dict"); + return NJS_ERROR; + } + + if (ngx_js_string(vm, njs_arg(args, nargs, 1), &key) != NGX_OK) { + return NJS_ERROR; + } + + dict = shm_zone->data; + + ngx_rwlock_rlock(&dict->sh->rwlock); + + node = ngx_js_dict_lookup(dict, &key); + + if (node != NULL && dict->timeout) { + tp = ngx_timeofday(); + now = tp->sec * 1000 + tp->msec; + + if (now >= node->expire.key) { + node = NULL; + } + } + + ngx_rwlock_unlock(&dict->sh->rwlock); + + njs_value_boolean_set(retval, node != NULL); + + return NJS_OK; +} + + +static njs_int_t +njs_js_ext_shared_dict_keys(njs_vm_t *vm, njs_value_t *args, njs_uint_t nargs, + njs_index_t unused, njs_value_t *retval) +{ + njs_int_t rc; + ngx_int_t max_count; + njs_value_t *value; + ngx_rbtree_t *rbtree; + ngx_js_dict_t *dict; + ngx_shm_zone_t *shm_zone; + ngx_rbtree_node_t *rn; + ngx_js_dict_node_t *node; + + shm_zone = njs_vm_external(vm, ngx_js_shared_dict_proto_id, + njs_argument(args, 0)); + if (shm_zone == NULL) { + njs_vm_type_error(vm, "\"this\" is not a shared dict"); + return NJS_ERROR; + } + + dict = shm_zone->data; + + max_count = 1024; + + if (nargs > 1) { + if (ngx_js_integer(vm, njs_arg(args, nargs, 1), &max_count) != NGX_OK) { + return NJS_ERROR; + } + } + + rc = njs_vm_array_alloc(vm, retval, 8); + if (rc != NJS_OK) { + return NJS_ERROR; + } + + ngx_rwlock_rlock(&dict->sh->rwlock); + + rbtree = &dict->sh->rbtree; + + if (rbtree->root == rbtree->sentinel) { + goto done; + } + + for (rn = ngx_rbtree_min(rbtree->root, rbtree->sentinel); + rn != NULL; + rn = ngx_rbtree_next(rbtree, rn)) + { + if (max_count-- == 0) { + break; + } + + node = (ngx_js_dict_node_t *) rn; + + value = njs_vm_array_push(vm, retval); + if (value == NULL) { + goto fail; + } + + rc = njs_vm_value_string_set(vm, value, node->sn.str.data, + node->sn.str.len); + if (rc != NJS_OK) { + goto fail; + } + } + +done: + + ngx_rwlock_unlock(&dict->sh->rwlock); + + return NJS_OK; + +fail: + + ngx_rwlock_unlock(&dict->sh->rwlock); + + return NJS_ERROR; +} + + +static njs_int_t +njs_js_ext_shared_dict_incr(njs_vm_t *vm, njs_value_t *args, njs_uint_t nargs, + njs_index_t unused, njs_value_t *retval) +{ + double value; + ngx_int_t rc; + njs_str_t key; + njs_value_t *delta, *init; + ngx_js_dict_t *dict; + ngx_shm_zone_t *shm_zone; + njs_opaque_value_t lvalue; + + shm_zone = njs_vm_external(vm, ngx_js_shared_dict_proto_id, + njs_argument(args, 0)); + if (shm_zone == NULL) { + njs_vm_type_error(vm, "\"this\" is not a shared dict"); + return NJS_ERROR; + } + + dict = shm_zone->data; + + if (dict->type != NGX_JS_DICT_TYPE_NUMBER) { + njs_vm_type_error(vm, "shared dict is not a number dict"); + return NJS_ERROR; + } + + if (ngx_js_string(vm, njs_arg(args, nargs, 1), &key) != NGX_OK) { + return NJS_ERROR; + } + + delta = njs_arg(args, nargs, 2); + if (!njs_value_is_number(delta)) { + njs_vm_type_error(vm, "delta is not a number"); + return NJS_ERROR; + } + + init = njs_lvalue_arg(njs_value_arg(&lvalue), args, nargs, 3); + if (!njs_value_is_number(init) && !njs_value_is_undefined(init)) { + njs_vm_type_error(vm, "init value is not a number"); + return NJS_ERROR; + } + + if (njs_value_is_undefined(init)) { + njs_value_number_set(init, 0); + } + + rc = ngx_js_dict_incr(shm_zone->data, &key, delta, init, &value); + if (rc == NGX_ERROR) { + njs_vm_error(vm, "failed to increment value in shared dict"); + return NJS_ERROR; + } + + njs_value_number_set(retval, value); + + return NJS_OK; +} + + +static njs_int_t +njs_js_ext_shared_dict_name(njs_vm_t *vm, njs_object_prop_t *prop, + njs_value_t *value, njs_value_t *setval, njs_value_t *retval) +{ + ngx_shm_zone_t *shm_zone; + + shm_zone = njs_vm_external(vm, ngx_js_shared_dict_proto_id, value); + if (shm_zone == NULL) { + njs_value_undefined_set(retval); + return NJS_DECLINED; + } + + return njs_vm_value_string_set(vm, retval, shm_zone->shm.name.data, + shm_zone->shm.name.len); +} + + +static njs_int_t From arut at nginx.com Thu Jul 6 13:57:13 2023 From: arut at nginx.com (=?iso-8859-1?q?Roman_Arutyunyan?=) Date: Thu, 06 Jul 2023 17:57:13 +0400 Subject: [PATCH 0 of 4] QUIC path MTU discovery In-Reply-To: References: Message-ID: Updated PMTUD: - Eliminated getting local interface MTU. This was too intrusive and platform- dependent. - Added timeout (1 sec) before each PMTUD iteration to reduce PMTUD traffic in short connections. - Size search reimplemented. MTU is increased by 256 bytes until failure, after which binary search is used. Real life MTU will be around 1500, while initial payload size is 1200. Doing binary search from 65k down to 1500 will produce a lot of failed syscalls and useless traffic. Ascending from 1200 to a first failre will be quick. -- Roman Arutyunyan From arut at nginx.com Thu Jul 6 13:57:14 2023 From: arut at nginx.com (=?iso-8859-1?q?Roman_Arutyunyan?=) Date: Thu, 06 Jul 2023 17:57:14 +0400 Subject: [PATCH 1 of 4] QUIC: removed path->limited flag In-Reply-To: References: Message-ID: # HG changeset patch # User Roman Arutyunyan # Date 1688651341 -14400 # Thu Jul 06 17:49:01 2023 +0400 # Node ID df01e8582189126cd5defd8f4bb021fec1a1a35a # Parent 77c1418916f7817a0d020f28d8a08f278a12fe43 QUIC: removed path->limited flag. Its value is the opposite of path->validated. diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c --- a/src/event/quic/ngx_event_quic.c +++ b/src/event/quic/ngx_event_quic.c @@ -1013,7 +1013,6 @@ ngx_quic_handle_payload(ngx_connection_t if (!qc->path->validated) { qc->path->validated = 1; - qc->path->limited = 0; ngx_quic_path_dbg(c, "in handshake", qc->path); ngx_post_event(&qc->push, &ngx_posted_events); } diff --git a/src/event/quic/ngx_event_quic_connection.h b/src/event/quic/ngx_event_quic_connection.h --- a/src/event/quic/ngx_event_quic_connection.h +++ b/src/event/quic/ngx_event_quic_connection.h @@ -101,7 +101,6 @@ struct ngx_quic_path_s { u_char text[NGX_SOCKADDR_STRLEN]; unsigned validated:1; unsigned validating:1; - unsigned limited:1; }; diff --git a/src/event/quic/ngx_event_quic_migration.c b/src/event/quic/ngx_event_quic_migration.c --- a/src/event/quic/ngx_event_quic_migration.c +++ b/src/event/quic/ngx_event_quic_migration.c @@ -168,7 +168,6 @@ valid: path->validated = 1; path->validating = 0; - path->limited = 0; ngx_quic_set_path_timer(c); @@ -208,8 +207,6 @@ ngx_quic_new_path(ngx_connection_t *c, path->cid = cid; cid->used = 1; - path->limited = 1; - path->seqnum = qc->path_seqnum++; path->sockaddr = &path->sa.sockaddr; @@ -665,7 +662,6 @@ ngx_quic_path_validation_handler(ngx_eve path->validated = 0; path->validating = 0; - path->limited = 1; /* RFC 9000, 9.3.2. On-Path Address Spoofing diff --git a/src/event/quic/ngx_event_quic_migration.h b/src/event/quic/ngx_event_quic_migration.h --- a/src/event/quic/ngx_event_quic_migration.h +++ b/src/event/quic/ngx_event_quic_migration.h @@ -18,11 +18,10 @@ #define NGX_QUIC_PATH_BACKUP 2 #define ngx_quic_path_dbg(c, msg, path) \ - ngx_log_debug7(NGX_LOG_DEBUG_EVENT, c->log, 0, \ - "quic path seq:%uL %s sent:%O recvd:%O state:%s%s%s", \ + ngx_log_debug6(NGX_LOG_DEBUG_EVENT, c->log, 0, \ + "quic path seq:%uL %s sent:%O recvd:%O state:%s%s", \ path->seqnum, msg, path->sent, path->received, \ - path->limited ? "L" : "", path->validated ? "V": "N", \ - path->validating ? "R": ""); + path->validated ? "V": "N", path->validating ? "R": ""); ngx_int_t ngx_quic_handle_path_challenge_frame(ngx_connection_t *c, ngx_quic_header_t *pkt, ngx_quic_path_challenge_frame_t *f); diff --git a/src/event/quic/ngx_event_quic_output.c b/src/event/quic/ngx_event_quic_output.c --- a/src/event/quic/ngx_event_quic_output.c +++ b/src/event/quic/ngx_event_quic_output.c @@ -281,7 +281,7 @@ ngx_quic_allow_segmentation(ngx_connecti return 0; } - if (qc->path->limited) { + if (!qc->path->validated) { /* don't even try to be faster on non-validated paths */ return 0; } @@ -1278,7 +1278,7 @@ ngx_quic_path_limit(ngx_connection_t *c, { off_t max; - if (path->limited) { + if (!path->validated) { max = path->received * 3; max = (path->sent >= max) ? 0 : max - path->sent; diff --git a/src/event/quic/ngx_event_quic_socket.c b/src/event/quic/ngx_event_quic_socket.c --- a/src/event/quic/ngx_event_quic_socket.c +++ b/src/event/quic/ngx_event_quic_socket.c @@ -82,7 +82,6 @@ ngx_quic_open_sockets(ngx_connection_t * if (pkt->validated) { qc->path->validated = 1; - qc->path->limited = 0; } ngx_quic_path_dbg(c, "set active", qc->path); From arut at nginx.com Thu Jul 6 13:57:15 2023 From: arut at nginx.com (=?iso-8859-1?q?Roman_Arutyunyan?=) Date: Thu, 06 Jul 2023 17:57:15 +0400 Subject: [PATCH 2 of 4] QUIC: removed explicit packet padding for certain frames In-Reply-To: References: Message-ID: # HG changeset patch # User Roman Arutyunyan # Date 1688628647 -14400 # Thu Jul 06 11:30:47 2023 +0400 # Node ID f98ff9b62d2bccac10b603b8183eca2ff0f4183e # Parent df01e8582189126cd5defd8f4bb021fec1a1a35a QUIC: removed explicit packet padding for certain frames. The frames for which the padding is removed are PATH_CHALLENGE and PATH_RESPONSE, which are sent separately by ngx_quic_frame_sendto(). diff --git a/src/event/quic/ngx_event_quic_output.c b/src/event/quic/ngx_event_quic_output.c --- a/src/event/quic/ngx_event_quic_output.c +++ b/src/event/quic/ngx_event_quic_output.c @@ -525,7 +525,7 @@ ngx_quic_output_packet(ngx_connection_t ssize_t flen; ngx_str_t res; ngx_int_t rc; - ngx_uint_t nframes, expand; + ngx_uint_t nframes; ngx_msec_t now; ngx_queue_t *q; ngx_quic_frame_t *f; @@ -560,7 +560,6 @@ ngx_quic_output_packet(ngx_connection_t nframes = 0; p = src; len = 0; - expand = 0; for (q = ngx_queue_head(&ctx->frames); q != ngx_queue_sentinel(&ctx->frames); @@ -568,33 +567,6 @@ ngx_quic_output_packet(ngx_connection_t { f = ngx_queue_data(q, ngx_quic_frame_t, queue); - if (!expand && (f->type == NGX_QUIC_FT_PATH_RESPONSE - || f->type == NGX_QUIC_FT_PATH_CHALLENGE)) - { - /* - * RFC 9000, 8.2.1. Initiating Path Validation - * - * An endpoint MUST expand datagrams that contain a - * PATH_CHALLENGE frame to at least the smallest allowed - * maximum datagram size of 1200 bytes... - * - * (same applies to PATH_RESPONSE frames) - */ - - if (max < 1200) { - /* expanded packet will not fit */ - break; - } - - if (min < 1200) { - min = 1200; - - min_payload = ngx_quic_payload_size(&pkt, min); - } - - expand = 1; - } - if (len >= max_payload) { break; } From arut at nginx.com Thu Jul 6 13:57:16 2023 From: arut at nginx.com (=?iso-8859-1?q?Roman_Arutyunyan?=) Date: Thu, 06 Jul 2023 17:57:16 +0400 Subject: [PATCH 3 of 4] QUIC: allowed ngx_quic_frame_sendto() to return NGX_AGAIN In-Reply-To: References: Message-ID: # HG changeset patch # User Roman Arutyunyan # Date 1679920727 -14400 # Mon Mar 27 16:38:47 2023 +0400 # Node ID a1ea543d009311765144351b2557c00c8e6445bf # Parent f98ff9b62d2bccac10b603b8183eca2ff0f4183e QUIC: allowed ngx_quic_frame_sendto() to return NGX_AGAIN. Previously, NGX_AGAIN returned by ngx_send() was treated by ngx_quic_frame_sendto() as error, which triggered errors in its callers. However, a blocked socket is not an error. Now NGX_AGAIN is passed as is to the ngx_quic_frame_sendto() callers, which can safely ignore it. diff --git a/src/event/quic/ngx_event_quic_migration.c b/src/event/quic/ngx_event_quic_migration.c --- a/src/event/quic/ngx_event_quic_migration.c +++ b/src/event/quic/ngx_event_quic_migration.c @@ -46,7 +46,7 @@ ngx_quic_handle_path_challenge_frame(ngx * An endpoint MUST expand datagrams that contain a PATH_RESPONSE frame * to at least the smallest allowed maximum datagram size of 1200 bytes. */ - if (ngx_quic_frame_sendto(c, &frame, 1200, pkt->path) != NGX_OK) { + if (ngx_quic_frame_sendto(c, &frame, 1200, pkt->path) == NGX_ERROR) { return NGX_ERROR; } @@ -544,13 +544,13 @@ ngx_quic_send_path_challenge(ngx_connect */ /* same applies to PATH_RESPONSE frames */ - if (ngx_quic_frame_sendto(c, &frame, 1200, path) != NGX_OK) { + if (ngx_quic_frame_sendto(c, &frame, 1200, path) == NGX_ERROR) { return NGX_ERROR; } ngx_memcpy(frame.u.path_challenge.data, path->challenge2, 8); - if (ngx_quic_frame_sendto(c, &frame, 1200, path) != NGX_OK) { + if (ngx_quic_frame_sendto(c, &frame, 1200, path) == NGX_ERROR) { return NGX_ERROR; } diff --git a/src/event/quic/ngx_event_quic_output.c b/src/event/quic/ngx_event_quic_output.c --- a/src/event/quic/ngx_event_quic_output.c +++ b/src/event/quic/ngx_event_quic_output.c @@ -1236,7 +1236,7 @@ ngx_quic_frame_sendto(ngx_connection_t * sent = ngx_quic_send(c, res.data, res.len, path->sockaddr, path->socklen); if (sent < 0) { - return NGX_ERROR; + return sent; } path->sent += sent; From arut at nginx.com Thu Jul 6 13:57:17 2023 From: arut at nginx.com (=?iso-8859-1?q?Roman_Arutyunyan?=) Date: Thu, 06 Jul 2023 17:57:17 +0400 Subject: [PATCH 4 of 4] QUIC: path MTU discovery In-Reply-To: References: Message-ID: <1a49fd5d2013b6c8d502.1688651837@arut-laptop> # HG changeset patch # User Roman Arutyunyan # Date 1688481216 -14400 # Tue Jul 04 18:33:36 2023 +0400 # Node ID 1a49fd5d2013b6c8d50263499e6ced440927e949 # Parent a1ea543d009311765144351b2557c00c8e6445bf QUIC: path MTU discovery. MTU selection starts by stepping up until the first failure. Then binary search is used to find the path MTU. diff --git a/src/core/ngx_connection.c b/src/core/ngx_connection.c --- a/src/core/ngx_connection.c +++ b/src/core/ngx_connection.c @@ -1583,6 +1583,10 @@ ngx_connection_error(ngx_connection_t *c } #endif + if (err == NGX_EMSGSIZE && c->log_error == NGX_ERROR_IGNORE_EMSGSIZE) { + return 0; + } + if (err == 0 || err == NGX_ECONNRESET #if (NGX_WIN32) @@ -1600,6 +1604,7 @@ ngx_connection_error(ngx_connection_t *c { switch (c->log_error) { + case NGX_ERROR_IGNORE_EMSGSIZE: case NGX_ERROR_IGNORE_EINVAL: case NGX_ERROR_IGNORE_ECONNRESET: case NGX_ERROR_INFO: diff --git a/src/core/ngx_connection.h b/src/core/ngx_connection.h --- a/src/core/ngx_connection.h +++ b/src/core/ngx_connection.h @@ -97,7 +97,8 @@ typedef enum { NGX_ERROR_ERR, NGX_ERROR_INFO, NGX_ERROR_IGNORE_ECONNRESET, - NGX_ERROR_IGNORE_EINVAL + NGX_ERROR_IGNORE_EINVAL, + NGX_ERROR_IGNORE_EMSGSIZE } ngx_connection_log_error_e; diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c --- a/src/event/quic/ngx_event_quic.c +++ b/src/event/quic/ngx_event_quic.c @@ -149,11 +149,6 @@ ngx_quic_apply_transport_params(ngx_conn ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic maximum packet size is invalid"); return NGX_ERROR; - - } else if (ctp->max_udp_payload_size > ngx_quic_max_udp_payload(c)) { - ctp->max_udp_payload_size = ngx_quic_max_udp_payload(c); - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, - "quic client maximum packet size truncated"); } if (ctp->active_connection_id_limit < 2) { @@ -286,7 +281,7 @@ ngx_quic_new_connection(ngx_connection_t qc->path_validation.log = c->log; qc->path_validation.data = c; - qc->path_validation.handler = ngx_quic_path_validation_handler; + qc->path_validation.handler = ngx_quic_path_handler; qc->conf = conf; @@ -297,7 +292,7 @@ ngx_quic_new_connection(ngx_connection_t ctp = &qc->ctp; /* defaults to be used before actual client parameters are received */ - ctp->max_udp_payload_size = ngx_quic_max_udp_payload(c); + ctp->max_udp_payload_size = NGX_QUIC_MAX_UDP_PAYLOAD_SIZE; ctp->ack_delay_exponent = NGX_QUIC_DEFAULT_ACK_DELAY_EXPONENT; ctp->max_ack_delay = NGX_QUIC_DEFAULT_MAX_ACK_DELAY; ctp->active_connection_id_limit = 2; diff --git a/src/event/quic/ngx_event_quic_ack.c b/src/event/quic/ngx_event_quic_ack.c --- a/src/event/quic/ngx_event_quic_ack.c +++ b/src/event/quic/ngx_event_quic_ack.c @@ -229,6 +229,12 @@ ngx_quic_handle_ack_frame_range(ngx_conn qc = ngx_quic_get_connection(c); + if (ctx->level == ssl_encryption_application) { + if (ngx_quic_handle_path_mtu_ack(c, qc->path, min, max) != NGX_OK) { + return NGX_ERROR; + } + } + st->max_pn = NGX_TIMER_INFINITE; found = 0; diff --git a/src/event/quic/ngx_event_quic_connection.h b/src/event/quic/ngx_event_quic_connection.h --- a/src/event/quic/ngx_event_quic_connection.h +++ b/src/event/quic/ngx_event_quic_connection.h @@ -66,6 +66,14 @@ typedef struct ngx_quic_keys_s ng #define ngx_quic_get_socket(c) ((ngx_quic_socket_t *)((c)->udp)) +typedef enum { + NGX_QUIC_PATH_IDLE = 0, + NGX_QUIC_PATH_VALIDATING, + NGX_QUIC_PATH_WAITING, + NGX_QUIC_PATH_DISCOVERING_MTU +} ngx_quic_path_state_e; + + struct ngx_quic_client_id_s { ngx_queue_t queue; uint64_t seqnum; @@ -89,18 +97,22 @@ struct ngx_quic_path_s { ngx_sockaddr_t sa; socklen_t socklen; ngx_quic_client_id_t *cid; + ngx_quic_path_state_e state; ngx_msec_t expires; ngx_uint_t tries; ngx_uint_t tag; + size_t mtu; + size_t mtud; + size_t max_mtu; off_t sent; off_t received; u_char challenge1[8]; u_char challenge2[8]; uint64_t seqnum; + uint64_t mtu_pnum[NGX_QUIC_PATH_RETRIES]; ngx_str_t addr_text; u_char text[NGX_SOCKADDR_STRLEN]; - unsigned validated:1; - unsigned validating:1; + ngx_uint_t validated; /* unsigned validated:1; */ }; diff --git a/src/event/quic/ngx_event_quic_migration.c b/src/event/quic/ngx_event_quic_migration.c --- a/src/event/quic/ngx_event_quic_migration.c +++ b/src/event/quic/ngx_event_quic_migration.c @@ -10,6 +10,11 @@ #include +#define NGX_QUIC_PATH_MTU_DELAY 1000 +#define NGX_QUIC_PATH_MTU_STEP 256 +#define NGX_QUIC_PATH_MTU_PRECISION 16 + + static void ngx_quic_set_connection_path(ngx_connection_t *c, ngx_quic_path_t *path); static ngx_int_t ngx_quic_validate_path(ngx_connection_t *c, @@ -17,7 +22,15 @@ static ngx_int_t ngx_quic_validate_path( static ngx_int_t ngx_quic_send_path_challenge(ngx_connection_t *c, ngx_quic_path_t *path); static void ngx_quic_set_path_timer(ngx_connection_t *c); +static ngx_int_t ngx_quic_expire_path_validation(ngx_connection_t *c, + ngx_quic_path_t *path); +static ngx_int_t ngx_quic_expire_path_mtu_delay(ngx_connection_t *c, + ngx_quic_path_t *path); +static ngx_int_t ngx_quic_expire_path_mtu_discovery(ngx_connection_t *c, + ngx_quic_path_t *path); static ngx_quic_path_t *ngx_quic_get_path(ngx_connection_t *c, ngx_uint_t tag); +static ngx_int_t ngx_quic_send_path_mtu_probe(ngx_connection_t *c, + ngx_quic_path_t *path); ngx_int_t @@ -97,7 +110,7 @@ ngx_quic_handle_path_response_frame(ngx_ { path = ngx_queue_data(q, ngx_quic_path_t, queue); - if (!path->validating) { + if (path->state != NGX_QUIC_PATH_VALIDATING) { continue; } @@ -136,6 +149,9 @@ valid: { /* address did not change */ rst = 0; + + path->mtu = prev->mtu; + path->max_mtu = prev->max_mtu; } } @@ -167,9 +183,8 @@ valid: ngx_quic_path_dbg(c, "is validated", path); path->validated = 1; - path->validating = 0; - ngx_quic_set_path_timer(c); + ngx_quic_discover_path_mtu(c, path); return NGX_OK; } @@ -217,6 +232,8 @@ ngx_quic_new_path(ngx_connection_t *c, path->addr_text.len = ngx_sock_ntop(sockaddr, socklen, path->text, NGX_SOCKADDR_STRLEN, 1); + path->mtu = NGX_QUIC_MIN_INITIAL_SIZE; + ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic path seq:%uL created addr:%V", path->seqnum, &path->addr_text); @@ -464,7 +481,7 @@ ngx_quic_handle_migration(ngx_connection ngx_quic_set_connection_path(c, next); - if (!next->validated && !next->validating) { + if (!next->validated && next->state != NGX_QUIC_PATH_VALIDATING) { if (ngx_quic_validate_path(c, next) != NGX_OK) { return NGX_ERROR; } @@ -492,7 +509,6 @@ ngx_quic_validate_path(ngx_connection_t ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic initiated validation of path seq:%uL", path->seqnum); - path->validating = 1; path->tries = 0; if (RAND_bytes(path->challenge1, 8) != 1) { @@ -511,6 +527,7 @@ ngx_quic_validate_path(ngx_connection_t pto = ngx_max(ngx_quic_pto(c, ctx), 1000); path->expires = ngx_current_msec + pto; + path->state = NGX_QUIC_PATH_VALIDATING; ngx_quic_set_path_timer(c); @@ -558,6 +575,42 @@ ngx_quic_send_path_challenge(ngx_connect } +void +ngx_quic_discover_path_mtu(ngx_connection_t *c, ngx_quic_path_t *path) +{ + ngx_quic_connection_t *qc; + + qc = ngx_quic_get_connection(c); + + if (path->max_mtu) { + if (path->max_mtu - path->mtu <= NGX_QUIC_PATH_MTU_PRECISION) { + path->state = NGX_QUIC_PATH_IDLE; + ngx_quic_set_path_timer(c); + return; + } + + path->mtud = (path->mtu + path->max_mtu) / 2; + + } else { + path->mtud = path->mtu + NGX_QUIC_PATH_MTU_STEP; + + if (path->mtud >= qc->ctp.max_udp_payload_size) { + path->mtud = qc->ctp.max_udp_payload_size; + path->max_mtu = qc->ctp.max_udp_payload_size; + } + } + + path->state = NGX_QUIC_PATH_WAITING; + path->expires = ngx_current_msec + NGX_QUIC_PATH_MTU_DELAY; + + ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, + "quic path seq:%uL schedule mtu:%uz", + path->seqnum, path->mtud); + + ngx_quic_set_path_timer(c); +} + + static void ngx_quic_set_path_timer(ngx_connection_t *c) { @@ -578,7 +631,7 @@ ngx_quic_set_path_timer(ngx_connection_t { path = ngx_queue_data(q, ngx_quic_path_t, queue); - if (!path->validating) { + if (path->state == NGX_QUIC_PATH_IDLE) { continue; } @@ -600,22 +653,18 @@ ngx_quic_set_path_timer(ngx_connection_t void -ngx_quic_path_validation_handler(ngx_event_t *ev) +ngx_quic_path_handler(ngx_event_t *ev) { ngx_msec_t now; ngx_queue_t *q; - ngx_msec_int_t left, next, pto; - ngx_quic_path_t *path, *bkp; + ngx_msec_int_t left; + ngx_quic_path_t *path; ngx_connection_t *c; - ngx_quic_send_ctx_t *ctx; ngx_quic_connection_t *qc; c = ev->data; qc = ngx_quic_get_connection(c); - ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application); - - next = -1; now = ngx_current_msec; q = ngx_queue_head(&qc->paths); @@ -625,83 +674,274 @@ ngx_quic_path_validation_handler(ngx_eve path = ngx_queue_data(q, ngx_quic_path_t, queue); q = ngx_queue_next(q); - if (!path->validating) { + if (path->state == NGX_QUIC_PATH_IDLE) { continue; } left = path->expires - now; if (left > 0) { - - if (next == -1 || left < next) { - next = left; - } - - continue; - } - - if (++path->tries < NGX_QUIC_PATH_RETRIES) { - pto = ngx_max(ngx_quic_pto(c, ctx), 1000) << path->tries; - - path->expires = ngx_current_msec + pto; - - if (next == -1 || pto < next) { - next = pto; - } - - /* retransmit */ - (void) ngx_quic_send_path_challenge(c, path); - continue; } - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ev->log, 0, - "quic path seq:%uL validation failed", path->seqnum); + switch (path->state) { + case NGX_QUIC_PATH_VALIDATING: + if (ngx_quic_expire_path_validation(c, path) != NGX_OK) { + goto failed; + } + + break; + + case NGX_QUIC_PATH_WAITING: + if (ngx_quic_expire_path_mtu_delay(c, path) != NGX_OK) { + goto failed; + } + + break; + + case NGX_QUIC_PATH_DISCOVERING_MTU: + if (ngx_quic_expire_path_mtu_discovery(c, path) != NGX_OK) { + goto failed; + } + + break; + + default: + break; + } + } + + ngx_quic_set_path_timer(c); + + return; - /* found expired path */ +failed: + + ngx_quic_close_connection(c, NGX_ERROR); +} + + +static ngx_int_t +ngx_quic_expire_path_validation(ngx_connection_t *c, ngx_quic_path_t *path) +{ + ngx_msec_int_t pto; + ngx_quic_path_t *bkp; + ngx_quic_send_ctx_t *ctx; + ngx_quic_connection_t *qc; - path->validated = 0; - path->validating = 0; + qc = ngx_quic_get_connection(c); + ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application); + + if (++path->tries < NGX_QUIC_PATH_RETRIES) { + pto = ngx_max(ngx_quic_pto(c, ctx), 1000) << path->tries; + path->expires = ngx_current_msec + pto; + + (void) ngx_quic_send_path_challenge(c, path); + + return NGX_OK; + } + + ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, + "quic path seq:%uL validation failed", path->seqnum); + + /* found expired path */ + + path->validated = 0; - /* RFC 9000, 9.3.2. On-Path Address Spoofing - * - * To protect the connection from failing due to such a spurious - * migration, an endpoint MUST revert to using the last validated - * peer address when validation of a new peer address fails. - */ - - if (qc->path == path) { - /* active path validation failed */ - - bkp = ngx_quic_get_path(c, NGX_QUIC_PATH_BACKUP); + /* RFC 9000, 9.3.2. On-Path Address Spoofing + * + * To protect the connection from failing due to such a spurious + * migration, an endpoint MUST revert to using the last validated + * peer address when validation of a new peer address fails. + */ - if (bkp == NULL) { - qc->error = NGX_QUIC_ERR_NO_VIABLE_PATH; - qc->error_reason = "no viable path"; - ngx_quic_close_connection(c, NGX_ERROR); - return; - } + if (qc->path == path) { + /* active path validation failed */ + + bkp = ngx_quic_get_path(c, NGX_QUIC_PATH_BACKUP); - qc->path = bkp; - qc->path->tag = NGX_QUIC_PATH_ACTIVE; - - ngx_quic_set_connection_path(c, qc->path); - - ngx_log_error(NGX_LOG_INFO, c->log, 0, - "quic path seq:%uL addr:%V is restored from backup", - qc->path->seqnum, &qc->path->addr_text); - - ngx_quic_path_dbg(c, "is active", qc->path); + if (bkp == NULL) { + qc->error = NGX_QUIC_ERR_NO_VIABLE_PATH; + qc->error_reason = "no viable path"; + return NGX_ERROR; } - if (ngx_quic_free_path(c, path) != NGX_OK) { - ngx_quic_close_connection(c, NGX_ERROR); - return; + qc->path = bkp; + qc->path->tag = NGX_QUIC_PATH_ACTIVE; + + ngx_quic_set_connection_path(c, qc->path); + + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "quic path seq:%uL addr:%V is restored from backup", + qc->path->seqnum, &qc->path->addr_text); + + ngx_quic_path_dbg(c, "is active", qc->path); + } + + return ngx_quic_free_path(c, path); +} + + +static ngx_int_t +ngx_quic_expire_path_mtu_delay(ngx_connection_t *c, ngx_quic_path_t *path) +{ + ngx_int_t rc; + ngx_uint_t i; + ngx_msec_t pto; + ngx_quic_send_ctx_t *ctx; + ngx_quic_connection_t *qc; + + qc = ngx_quic_get_connection(c); + ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application); + + path->tries = 0; + + for ( ;; ) { + + for (i = 0; i < NGX_QUIC_PATH_RETRIES; i++) { + path->mtu_pnum[i] = NGX_QUIC_UNSET_PN; + } + + rc = ngx_quic_send_path_mtu_probe(c, path); + + if (rc == NGX_ERROR) { + return NGX_ERROR; + } + + if (rc == NGX_OK) { + pto = ngx_quic_pto(c, ctx); + path->expires = ngx_current_msec + pto; + path->state = NGX_QUIC_PATH_DISCOVERING_MTU; + return NGX_OK; + } + + /* rc == NGX_DECLINED */ + + path->max_mtu = path->mtud; + + if (path->max_mtu - path->mtu <= NGX_QUIC_PATH_MTU_PRECISION) { + path->state = NGX_QUIC_PATH_IDLE; + return NGX_OK; + } + + path->mtud = (path->mtu + path->max_mtu) / 2; + } +} + + +static ngx_int_t +ngx_quic_expire_path_mtu_discovery(ngx_connection_t *c, ngx_quic_path_t *path) +{ + ngx_int_t rc; + ngx_msec_int_t pto; + ngx_quic_send_ctx_t *ctx; + ngx_quic_connection_t *qc; + + qc = ngx_quic_get_connection(c); + ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application); + + if (++path->tries < NGX_QUIC_PATH_RETRIES) { + pto = ngx_quic_pto(c, ctx) << path->tries; + path->expires = ngx_current_msec + pto; + + rc = ngx_quic_send_path_mtu_probe(c, path); + if (rc != NGX_DECLINED) { + return rc; } } - if (next != -1) { - ngx_add_timer(&qc->path_validation, next); + ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, + "quic path seq:%uL expired mtu:%uz", + path->seqnum, path->mtud); + + path->max_mtu = path->mtud; + + ngx_quic_discover_path_mtu(c, path); + + return NGX_OK; +} + + +static ngx_int_t +ngx_quic_send_path_mtu_probe(ngx_connection_t *c, ngx_quic_path_t *path) +{ + ngx_int_t rc; + ngx_uint_t log_error; + ngx_quic_frame_t frame; + ngx_quic_send_ctx_t *ctx; + ngx_quic_connection_t *qc; + + ngx_memzero(&frame, sizeof(ngx_quic_frame_t)); + + frame.level = ssl_encryption_application; + frame.type = NGX_QUIC_FT_PING; + + qc = ngx_quic_get_connection(c); + ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application); + path->mtu_pnum[path->tries] = ctx->pnum; + + ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0, + "quic path seq:%uL send probe " + "mtu:%uz pnum:%uL tries:%ui", + path->seqnum, path->mtud, ctx->pnum, path->tries); + + log_error = c->log_error; + c->log_error = NGX_ERROR_IGNORE_EMSGSIZE; + + rc = ngx_quic_frame_sendto(c, &frame, path->mtud, path); + c->log_error = log_error; + + if (rc == NGX_ERROR) { + if (c->write->error) { + c->write->error = 0; + + ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, + "quic path seq:%uL rejected mtu:%uz", + path->seqnum, path->mtud); + + return NGX_DECLINED; + } + + return NGX_ERROR; } + + return NGX_OK; } + + +ngx_int_t +ngx_quic_handle_path_mtu_ack(ngx_connection_t *c, ngx_quic_path_t *path, + uint64_t min, uint64_t max) +{ + uint64_t pnum; + ngx_uint_t i; + + if (path->state != NGX_QUIC_PATH_DISCOVERING_MTU) { + return NGX_OK; + } + + for (i = 0; i < NGX_QUIC_PATH_RETRIES; i++) { + pnum = path->mtu_pnum[i]; + + if (pnum == NGX_QUIC_UNSET_PN) { + break; + } + + if (pnum < min || pnum > max) { + continue; + } + + path->mtu = path->mtud; + + ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, + "quic path seq:%uL ack mtu:%uz", + path->seqnum, path->mtu); + + ngx_quic_discover_path_mtu(c, path); + + break; + } + + return NGX_OK; +} diff --git a/src/event/quic/ngx_event_quic_migration.h b/src/event/quic/ngx_event_quic_migration.h --- a/src/event/quic/ngx_event_quic_migration.h +++ b/src/event/quic/ngx_event_quic_migration.h @@ -18,10 +18,10 @@ #define NGX_QUIC_PATH_BACKUP 2 #define ngx_quic_path_dbg(c, msg, path) \ - ngx_log_debug6(NGX_LOG_DEBUG_EVENT, c->log, 0, \ - "quic path seq:%uL %s sent:%O recvd:%O state:%s%s", \ + ngx_log_debug7(NGX_LOG_DEBUG_EVENT, c->log, 0, \ + "quic path seq:%uL %s tx:%O rx:%O valid:%d st:%d mtu:%uz", \ path->seqnum, msg, path->sent, path->received, \ - path->validated ? "V": "N", path->validating ? "R": ""); + path->validated, path->state, path->mtu); ngx_int_t ngx_quic_handle_path_challenge_frame(ngx_connection_t *c, ngx_quic_header_t *pkt, ngx_quic_path_challenge_frame_t *f); @@ -36,6 +36,10 @@ ngx_int_t ngx_quic_set_path(ngx_connecti ngx_int_t ngx_quic_handle_migration(ngx_connection_t *c, ngx_quic_header_t *pkt); -void ngx_quic_path_validation_handler(ngx_event_t *ev); +void ngx_quic_path_handler(ngx_event_t *ev); + +void ngx_quic_discover_path_mtu(ngx_connection_t *c, ngx_quic_path_t *path); +ngx_int_t ngx_quic_handle_path_mtu_ack(ngx_connection_t *c, + ngx_quic_path_t *path, uint64_t min, uint64_t max); #endif /* _NGX_EVENT_QUIC_MIGRATION_H_INCLUDED_ */ diff --git a/src/event/quic/ngx_event_quic_output.c b/src/event/quic/ngx_event_quic_output.c --- a/src/event/quic/ngx_event_quic_output.c +++ b/src/event/quic/ngx_event_quic_output.c @@ -10,9 +10,6 @@ #include -#define NGX_QUIC_MAX_UDP_PAYLOAD_OUT 1252 -#define NGX_QUIC_MAX_UDP_PAYLOAD_OUT6 1232 - #define NGX_QUIC_MAX_UDP_SEGMENT_BUF 65487 /* 65K - IPv6 header */ #define NGX_QUIC_MAX_SEGMENTS 64 /* UDP_MAX_SEGMENTS */ @@ -61,21 +58,6 @@ static size_t ngx_quic_path_limit(ngx_co size_t size); -size_t -ngx_quic_max_udp_payload(ngx_connection_t *c) -{ - /* TODO: path MTU discovery */ - -#if (NGX_HAVE_INET6) - if (c->sockaddr->sa_family == AF_INET6) { - return NGX_QUIC_MAX_UDP_PAYLOAD_OUT6; - } -#endif - - return NGX_QUIC_MAX_UDP_PAYLOAD_OUT; -} - - ngx_int_t ngx_quic_output(ngx_connection_t *c) { @@ -142,10 +124,7 @@ ngx_quic_create_datagrams(ngx_connection p = dst; - len = ngx_min(qc->ctp.max_udp_payload_size, - NGX_QUIC_MAX_UDP_PAYLOAD_SIZE); - - len = ngx_quic_path_limit(c, path, len); + len = ngx_quic_path_limit(c, path, path->mtu); pad = ngx_quic_get_padding_level(c); @@ -299,9 +278,7 @@ ngx_quic_allow_segmentation(ngx_connecti ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application); bytes = 0; - - len = ngx_min(qc->ctp.max_udp_payload_size, - NGX_QUIC_MAX_UDP_SEGMENT_BUF); + len = ngx_min(qc->path->mtu, NGX_QUIC_MAX_UDP_SEGMENT_BUF); for (q = ngx_queue_head(&ctx->frames); q != ngx_queue_sentinel(&ctx->frames); @@ -345,8 +322,7 @@ ngx_quic_create_segments(ngx_connection_ return NGX_ERROR; } - segsize = ngx_min(qc->ctp.max_udp_payload_size, - NGX_QUIC_MAX_UDP_SEGMENT_BUF); + segsize = ngx_min(path->mtu, NGX_QUIC_MAX_UDP_SEGMENT_BUF); p = dst; end = dst + sizeof(dst); diff --git a/src/event/quic/ngx_event_quic_output.h b/src/event/quic/ngx_event_quic_output.h --- a/src/event/quic/ngx_event_quic_output.h +++ b/src/event/quic/ngx_event_quic_output.h @@ -12,8 +12,6 @@ #include -size_t ngx_quic_max_udp_payload(ngx_connection_t *c); - ngx_int_t ngx_quic_output(ngx_connection_t *c); ngx_int_t ngx_quic_negotiate_version(ngx_connection_t *c, diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c --- a/src/event/quic/ngx_event_quic_ssl.c +++ b/src/event/quic/ngx_event_quic_ssl.c @@ -494,6 +494,8 @@ ngx_quic_crypto_input(ngx_connection_t * */ ngx_quic_discard_ctx(c, ssl_encryption_handshake); + ngx_quic_discover_path_mtu(c, qc->path); + /* start accepting clients on negotiated number of server ids */ if (ngx_quic_create_sockets(c) != NGX_OK) { return NGX_ERROR; diff --git a/src/os/unix/ngx_errno.h b/src/os/unix/ngx_errno.h --- a/src/os/unix/ngx_errno.h +++ b/src/os/unix/ngx_errno.h @@ -54,6 +54,7 @@ typedef int ngx_err_t; #define NGX_ENOMOREFILES 0 #define NGX_ELOOP ELOOP #define NGX_EBADF EBADF +#define NGX_EMSGSIZE EMSGSIZE #if (NGX_HAVE_OPENAT) #define NGX_EMLINK EMLINK From xeioex at nginx.com Thu Jul 6 16:30:23 2023 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Thu, 06 Jul 2023 16:30:23 +0000 Subject: [njs] Version 0.8.0. Message-ID: details: https://hg.nginx.org/njs/rev/0ed1952588ab branches: changeset: 2177:0ed1952588ab user: Dmitry Volyntsev date: Wed Jul 05 17:49:50 2023 -0700 description: Version 0.8.0. diffstat: CHANGES | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 76 insertions(+), 0 deletions(-) diffs (83 lines): diff -r ff7eb3c4bf76 -r 0ed1952588ab CHANGES --- a/CHANGES Mon Jul 03 13:32:41 2023 -0700 +++ b/CHANGES Wed Jul 05 17:49:50 2023 -0700 @@ -1,3 +1,79 @@ +Changes with njs 0.8.0 6 Jul 2023 + + nginx modules: + + *) Change: removed special treatment of forbidden headers in Fetch API + introduced in 0.7.10. + + *) Change: removed deprecated since 0.5.0 r.requestBody and + r.responseBody in HTTP module. + + *) Change: throwing an exception in r.internalRedirect() while + filtering in HTTP module. + + *) Feature: introduced global nginx properties. + ngx.build - an optional nginx build name, corresponds to + --build=name argument of configure script, by default is "". + ngx.conf_file_path - the file path to current nginx configuration + file. + ngx.error_log_path - the file path to current error log file. + ngx.prefix - the directory that keeps server files. + ngx.version - the nginx version as a string, for example: "1.25.0". + ngx.version_number - the nginx version as a number, for example: + 1025000. + ngx.worker_id - corresponds to an nginx internal worker id. + The value is between 0 and worker_processes - 1. + + *) Feature: introduced js_shared_dict_zone directive. + The directive allows to declare a dictionary that is shared among the + working processes. + + *) Improvement: added compile-time options to disable njs modules. + For example to disable libxslt related code: + NJS_LIBXSLT=NO ./configure .. --add-module=/path/to/njs/module + + *) Bugfix: fixed r.status setter when filtering in HTTP module. + + *) Bugfix: fixed setting of Location header in HTTP module. + + Core: + + *) Change: native methods are provided with retval argument. + This change breaks compatibility with C extension for njs + requiring to modify the code. + + *) Change: non-compliant deprecated String methods were removed. + The following methods were removed: String.bytesFrom(), + String.prototype.fromBytes(), String.prototype.fromUTF8(), + String.prototype.toBytes(), String.prototype.toUTF8(), + String.prototype.toString(encoding). + + *) Change: removed support for building with GNU readline. + + *) Feature: added Array.from(), Array.prototype.toSorted(), + Array.prototype.toSpliced(), Array.prototype.toReversed(). + + *) Feature: added %TypedArray%.prototype.toSorted(), + %TypedArray%.prototype.toSpliced(), + %TypedArray%.prototype.toReversed(). + + *) Feature: added CryptoKey properties in WebCrypto. + The following properties for CryptoKey were added: + algorithm, extractable, type, usages. + + *) Bugfix: fixed retval of crypto.getRandomValues(). + + *) Bugfix: fixed evaluation of computed property names with function + expressions. + + *) Bugfix: fixed implicit name for a function expression declared in + arrays. + + *) Bugfix: fixed parsing of for-in loops. + + *) Bugfix: fixed Date.parse() with ISO-8601 format and UTC time + offset. + Changes with njs 0.7.12 10 Apr 2023 nginx modules: From xeioex at nginx.com Thu Jul 6 16:30:25 2023 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Thu, 06 Jul 2023 16:30:25 +0000 Subject: [njs] Added tag 0.8.0 for changeset 0ed1952588ab Message-ID: details: https://hg.nginx.org/njs/rev/034ad86967b6 branches: changeset: 2178:034ad86967b6 user: Dmitry Volyntsev date: Thu Jul 06 09:10:47 2023 -0700 description: Added tag 0.8.0 for changeset 0ed1952588ab diffstat: .hgtags | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (8 lines): diff -r 0ed1952588ab -r 034ad86967b6 .hgtags --- a/.hgtags Wed Jul 05 17:49:50 2023 -0700 +++ b/.hgtags Thu Jul 06 09:10:47 2023 -0700 @@ -62,3 +62,4 @@ 0000000000000000000000000000000000000000 3a1b46d51f040f5e7b9b81c3b2b312a2d272f0a3 0.7.10 26dd3824b9f343e2768609c1b673f788e3a5e154 0.7.11 a1faa64d4972020413fd168e2b542bcc150819c0 0.7.12 +0ed1952588ab1e0e1c18425fe7923b2b76f38a65 0.8.0 From arut at nginx.com Fri Jul 7 07:58:13 2023 From: arut at nginx.com (Roman Arutyunyan) Date: Fri, 7 Jul 2023 11:58:13 +0400 Subject: [PATCH 4 of 4] QUIC: path MTU discovery In-Reply-To: <1a49fd5d2013b6c8d502.1688651837@arut-laptop> References: <1a49fd5d2013b6c8d502.1688651837@arut-laptop> Message-ID: <20230707075813.eigmowojyp7gya2d@N00W24XTQX> On Thu, Jul 06, 2023 at 05:57:17PM +0400, Roman Arutyunyan wrote: > # HG changeset patch > # User Roman Arutyunyan > # Date 1688481216 -14400 > # Tue Jul 04 18:33:36 2023 +0400 > # Node ID 1a49fd5d2013b6c8d50263499e6ced440927e949 > # Parent a1ea543d009311765144351b2557c00c8e6445bf > QUIC: path MTU discovery. > > MTU selection starts by stepping up until the first failure. Then binary >in search is used to find the path MTU. [..] As an alternative, the ascending part can be changed from additive to multiplicative, which would work better on the off chance MTU is really high. diff --git a/src/event/quic/ngx_event_quic_migration.c b/src/event/quic/ngx_event_quic_migration.c --- a/src/event/quic/ngx_event_quic_migration.c +++ b/src/event/quic/ngx_event_quic_migration.c @@ -11,7 +11,6 @@ #define NGX_QUIC_PATH_MTU_DELAY 1000 -#define NGX_QUIC_PATH_MTU_STEP 256 #define NGX_QUIC_PATH_MTU_PRECISION 16 @@ -592,7 +591,7 @@ ngx_quic_discover_path_mtu(ngx_connectio path->mtud = (path->mtu + path->max_mtu) / 2; } else { - path->mtud = path->mtu + NGX_QUIC_PATH_MTU_STEP; + path->mtud = path->mtu * 2; if (path->mtud >= qc->ctp.max_udp_payload_size) { path->mtud = qc->ctp.max_udp_payload_size; -- Roman Arutyunyan From eero.aaltonen at vaisala.com Fri Jul 7 15:02:14 2023 From: eero.aaltonen at vaisala.com (eero.aaltonen at vaisala.com) Date: Fri, 7 Jul 2023 18:02:14 +0300 Subject: [RFC][PATCH 0/1] Add option to use directory for trusted CAs Message-ID: <20230707150215.406702-1-eero.aaltonen@vaisala.com> From: Eero Aaltonen I was looking for an option to configure the trusted CAs using a directory, equivalent to the OpenSSL -CApath option. The option seemed to be missing, so here's a minimal working example of what I would like to accomplish. The current version is still missing code to populate the list used for SSL_CTX_set_client_CA_list, but enough to actually verify a certificate chain using CAs in the 'ssl_client_ca_dir' specified directory. Comments appreciated. -- Eero Eero Aaltonen (1): WIP: SSL: add ssl_client_ca_dir option for trusted CAs src/event/ngx_event_openssl.c | 24 +++++++++++++++++------- src/event/ngx_event_openssl.h | 2 +- src/http/modules/ngx_http_grpc_module.c | 1 + src/http/modules/ngx_http_proxy_module.c | 1 + src/http/modules/ngx_http_ssl_module.c | 15 +++++++++++++-- src/http/modules/ngx_http_ssl_module.h | 1 + src/http/modules/ngx_http_uwsgi_module.c | 1 + src/mail/ngx_mail_ssl_module.c | 5 +++-- src/stream/ngx_stream_proxy_module.c | 1 + src/stream/ngx_stream_ssl_module.c | 5 +++-- src/stream/ngx_stream_ssl_module.h | 1 + 11 files changed, 43 insertions(+), 14 deletions(-) -- 2.25.1 From eero.aaltonen at vaisala.com Fri Jul 7 15:02:15 2023 From: eero.aaltonen at vaisala.com (eero.aaltonen at vaisala.com) Date: Fri, 7 Jul 2023 18:02:15 +0300 Subject: [RFC][PATCH 1/1] Add option to use directory for trusted CAs In-Reply-To: <20230707150215.406702-1-eero.aaltonen@vaisala.com> References: <20230707150215.406702-1-eero.aaltonen@vaisala.com> Message-ID: <20230707150215.406702-2-eero.aaltonen@vaisala.com> From: Eero Aaltonen Allow configuring trusted CAs to a directory with certificates and hash symlinks generated with `openssl rehash`. Signed-off-by: Eero Aaltonen --- src/event/ngx_event_openssl.c | 24 +++++++++++++++++------- src/event/ngx_event_openssl.h | 2 +- src/http/modules/ngx_http_grpc_module.c | 1 + src/http/modules/ngx_http_proxy_module.c | 1 + src/http/modules/ngx_http_ssl_module.c | 15 +++++++++++++-- src/http/modules/ngx_http_ssl_module.h | 1 + src/http/modules/ngx_http_uwsgi_module.c | 1 + src/mail/ngx_mail_ssl_module.c | 5 +++-- src/stream/ngx_stream_proxy_module.c | 1 + src/stream/ngx_stream_ssl_module.c | 5 +++-- src/stream/ngx_stream_ssl_module.h | 1 + 11 files changed, 43 insertions(+), 14 deletions(-) diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c index d762d6b..3da406c 100644 --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -870,24 +870,31 @@ ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, - ngx_int_t depth) + ngx_str_t *ca_dir, ngx_int_t depth) { STACK_OF(X509_NAME) *list; + char *ca_file = NULL; + char *ca_path = NULL; SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback); SSL_CTX_set_verify_depth(ssl->ctx, depth); - if (cert->len == 0) { + if (cert->len == 0 && ca_dir->len == 0) { return NGX_OK; } - if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) { - return NGX_ERROR; + if (ca_dir->len != 0) { + ca_path = ca_dir->data; + } + if (cert->len != 0) { + ca_file = cert->data; + if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) { + return NGX_ERROR; + } } - if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL) - == 0) + if (SSL_CTX_load_verify_locations(ssl->ctx, ca_file, ca_path) == 0) { ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_load_verify_locations(\"%s\") failed", @@ -902,6 +909,10 @@ ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, ERR_clear_error(); + if (cert->len == 0) { // TODO: load CAs from ca_dir? + return NGX_OK; + } + list = SSL_load_client_CA_file((char *) cert->data); if (list == NULL) { @@ -915,7 +926,6 @@ ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, return NGX_OK; } - ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, ngx_int_t depth) diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h index 329760d..0a3481e 100644 --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -179,7 +179,7 @@ ngx_int_t ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, ngx_uint_t prefer_server_ciphers); ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, - ngx_str_t *cert, ngx_int_t depth); + ngx_str_t *cert, ngx_str_t *ca_dir, ngx_int_t depth); ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, ngx_int_t depth); ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl); diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c index 53bc547..d5728e6 100644 --- a/src/http/modules/ngx_http_grpc_module.c +++ b/src/http/modules/ngx_http_grpc_module.c @@ -35,6 +35,7 @@ typedef struct { ngx_uint_t ssl_protocols; ngx_str_t ssl_ciphers; ngx_uint_t ssl_verify_depth; + ngx_str_t ssl_ca_dir; ngx_str_t ssl_trusted_certificate; ngx_str_t ssl_crl; ngx_str_t ssl_certificate; diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c index a63c3ed..6dda907 100644 --- a/src/http/modules/ngx_http_proxy_module.c +++ b/src/http/modules/ngx_http_proxy_module.c @@ -122,6 +122,7 @@ typedef struct { ngx_uint_t ssl_protocols; ngx_str_t ssl_ciphers; ngx_uint_t ssl_verify_depth; + ngx_str_t ssl_ca_dir; ngx_str_t ssl_trusted_certificate; ngx_str_t ssl_crl; ngx_str_t ssl_certificate; diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index a47d696..c80b614 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -182,6 +182,13 @@ static ngx_command_t ngx_http_ssl_commands[] = { offsetof(ngx_http_ssl_srv_conf_t, client_certificate), NULL }, + { ngx_string("ssl_client_ca_dir"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, client_ca_dir), + NULL }, + { ngx_string("ssl_trusted_certificate"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, ngx_conf_set_str_slot, @@ -609,6 +616,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf) * sscf->dhparam = { 0, NULL }; * sscf->ecdh_curve = { 0, NULL }; * sscf->client_certificate = { 0, NULL }; + * sscf->client_ca_dir = { 0, NULL }; * sscf->trusted_certificate = { 0, NULL }; * sscf->crl = { 0, NULL }; * sscf->ciphers = { 0, NULL }; @@ -690,6 +698,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, ""); + ngx_conf_merge_str_value(conf->client_ca_dir, + prev->client_ca_dir, ""); ngx_conf_merge_str_value(conf->trusted_certificate, prev->trusted_certificate, ""); ngx_conf_merge_str_value(conf->crl, prev->crl, ""); @@ -840,14 +850,15 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) if (conf->verify) { - if (conf->client_certificate.len == 0 && conf->verify != 3) { + if (conf->verify != 3 && conf->client_certificate.len == 0 && conf->client_ca_dir.len == 0) { ngx_log_error(NGX_LOG_EMERG, cf->log, 0, - "no ssl_client_certificate for ssl_verify_client"); + "ssl_verify_client needs ssl_client_certificate or ssl_client_ca_dir"); return NGX_CONF_ERROR; } if (ngx_ssl_client_certificate(cf, &conf->ssl, &conf->client_certificate, + &conf->client_ca_dir, conf->verify_depth) != NGX_OK) { diff --git a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h index 7ab0f7e..e90b79b 100644 --- a/src/http/modules/ngx_http_ssl_module.h +++ b/src/http/modules/ngx_http_ssl_module.h @@ -43,6 +43,7 @@ typedef struct { ngx_str_t dhparam; ngx_str_t ecdh_curve; ngx_str_t client_certificate; + ngx_str_t client_ca_dir; ngx_str_t trusted_certificate; ngx_str_t crl; diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c index 1334f44..7e13a08 100644 --- a/src/http/modules/ngx_http_uwsgi_module.c +++ b/src/http/modules/ngx_http_uwsgi_module.c @@ -52,6 +52,7 @@ typedef struct { ngx_uint_t ssl_protocols; ngx_str_t ssl_ciphers; ngx_uint_t ssl_verify_depth; + ngx_str_t ssl_ca_dir; ngx_str_t ssl_trusted_certificate; ngx_str_t ssl_crl; ngx_str_t ssl_certificate; diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c index 7eae83e..062d4d7 100644 --- a/src/mail/ngx_mail_ssl_module.c +++ b/src/mail/ngx_mail_ssl_module.c @@ -403,14 +403,15 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) if (conf->verify) { - if (conf->client_certificate.len == 0 && conf->verify != 3) { + if (conf->verify != 3 && conf->client_certificate.len == 0 && conf->client_ca_dir.len == 0) { ngx_log_error(NGX_LOG_EMERG, cf->log, 0, - "no ssl_client_certificate for ssl_verify_client"); + "ssl_verify_client needs ssl_client_certificate or ssl_client_ca_dir"); return NGX_CONF_ERROR; } if (ngx_ssl_client_certificate(cf, &conf->ssl, &conf->client_certificate, + &conf->client_ca_dir, conf->verify_depth) != NGX_OK) { diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c index 01cda7a..1ad4ceb 100644 --- a/src/stream/ngx_stream_proxy_module.c +++ b/src/stream/ngx_stream_proxy_module.c @@ -44,6 +44,7 @@ typedef struct { ngx_flag_t ssl_verify; ngx_uint_t ssl_verify_depth; + ngx_str_t ssl_ca_dir; ngx_str_t ssl_trusted_certificate; ngx_str_t ssl_crl; ngx_str_t ssl_certificate; diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c index d8c0471..adaa825 100644 --- a/src/stream/ngx_stream_ssl_module.c +++ b/src/stream/ngx_stream_ssl_module.c @@ -761,14 +761,15 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) if (conf->verify) { - if (conf->client_certificate.len == 0 && conf->verify != 3) { + if (conf->verify != 3 && conf->client_certificate.len == 0 && conf->client_ca_dir.len == 0) { ngx_log_error(NGX_LOG_EMERG, cf->log, 0, - "no ssl_client_certificate for ssl_verify_client"); + "ssl_verify_client needs ssl_client_certificate or ssl_client_ca_dir"); return NGX_CONF_ERROR; } if (ngx_ssl_client_certificate(cf, &conf->ssl, &conf->client_certificate, + &conf->client_ca_dir, conf->verify_depth) != NGX_OK) { diff --git a/src/stream/ngx_stream_ssl_module.h b/src/stream/ngx_stream_ssl_module.h index c6e24be..607146e 100644 --- a/src/stream/ngx_stream_ssl_module.h +++ b/src/stream/ngx_stream_ssl_module.h @@ -40,6 +40,7 @@ typedef struct { ngx_str_t dhparam; ngx_str_t ecdh_curve; ngx_str_t client_certificate; + ngx_str_t client_ca_dir; ngx_str_t trusted_certificate; ngx_str_t crl; -- 2.25.1 From mdounin at mdounin.ru Fri Jul 7 16:59:00 2023 From: mdounin at mdounin.ru (Maxim Dounin) Date: Fri, 7 Jul 2023 19:59:00 +0300 Subject: [RFC][PATCH 0/1] Add option to use directory for trusted CAs In-Reply-To: <20230707150215.406702-1-eero.aaltonen@vaisala.com> References: <20230707150215.406702-1-eero.aaltonen@vaisala.com> Message-ID: Hello! On Fri, Jul 07, 2023 at 06:02:14PM +0300, Eero Aaltonen via nginx-devel wrote: > From: Eero Aaltonen > > I was looking for an option to configure the trusted CAs using a directory, > equivalent to the OpenSSL -CApath option. The option seemed to be missing, so > here's a minimal working example of what I would like to accomplish. > > The current version is still missing code to populate the list used for > SSL_CTX_set_client_CA_list, but enough to actually verify a certificate chain > using CAs in the 'ssl_client_ca_dir' specified directory. > > Comments appreciated. The option to configure CAs using a directory is missing intentionally, as loading relevant CA certificates into memory is expected to be more efficient than checking things on disk on each connection. If you are nevertheless interested in configuring a directory, consider using ssl_conf_command with VerifyCAPath/ClientCAPath (https://nginx.org/r/ssl_conf_command, https://nginx.org/r/proxy_ssl_conf_command)). -- Maxim Dounin http://mdounin.ru/ From mdounin at mdounin.ru Fri Jul 7 23:21:51 2023 From: mdounin at mdounin.ru (Maxim Dounin) Date: Sat, 8 Jul 2023 02:21:51 +0300 Subject: Fixing the well Documented Nginx Alias Traversal Vulnerability? In-Reply-To: References: Message-ID: Hello! On Thu, Jul 06, 2023 at 12:05:25PM -0400, Jonathan Leitschuh wrote: > Hi Nginx Team, > > My name is Jonathan Leitschuh. I'm a Senior Software Security Researcher > for the Open Source Security Foundation: Project Alpha-Omega > . “Alpha” works with the > maintainers of the most critical open source projects to help them identify > and fix security vulnerabilities, and improve their security posture. > “Omega” identified at least 10,000 widely deployed OSS projects where it > can apply automated security analysis, scoring, and remediation guidance to > their open source maintainer communities. > > Earlier today, on Twitter, I saw this discussion regarding > the long-standing the NGinx Alias traversal vulnerability: > https://twitter.com/infosec_au/status/1676072447156834304?s=20 > > In particular, this discussion centered on this, this recent blog post > published on the 3rd of this month. > https://labs.hakaioffsec.com/nginx-alias-traversal/ > > In that blog post, the researchers detail how, due to misconfiguration and > failing to specify the `/` character in the correct place can lead to path > traversal vulnerabilities. > > > > This vulnerability was previously discussed by Detectify in a blog post in > 2020: > https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/ > > This research originated with Orange Tsai back in 2018: > https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf > > The recent hakaioffsec blog also identifies this case where the > vulnerability also appears: > > > My question to both the Nginx Security team, and the Nginx Developers, why > not fix this vulnerability in Nginx itself such that it's safe by default, > but users can opt-in to the vulnerable behaviour if they so desire through > an explicit flag? Surely it would be fairly straightforward to identify > these vulnerable configurations and fix them for the user, or fail closed > (safe)? > > If you need evidence of the impact this vulnerability can have, the > above hakaioffsec blog post details how this vulnerability resulted in > a US$6000 bounty from BitWarden. > > This GitHub search, proposed by the above blog post, returns 2.2k results > on GitHub: > > https://github.com/search?q=%2Flocation+%5C%2F%5B_.a-zA-Z0-9-%5C%2F%5D*%5B%5E%5C%2F%5D%5B%5Cs%5D%5C%7B%5B%5Cs%5Cn%5D*alias+%5C%2F%5B_.a-zA-Z0-9-%5C%2F%5D*%5C%2F%3B%2F+&type=code > > I'm curious what is currently preventing this from being fixed upstream to > prevent end-users from accidentally implementing vulnerable configurations > like this. Thank you for your message. Indeed, the misconfiguration in question is a well-known one. Gixy, a tool to detect various nginx misconfigurations, tries to detect it at least since 2017: https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md The root cause as I see it is that nginx locations (and alias) work with prefix strings, while unaware people often expect them to work with path components (directories) instead. Note the "Achieving Impact Without a Slash on Alias" section in the article you've referenced: a configuration like location /img { alias /var/images; } makes it possible to access "/var/images_confidential" via a request to "/img_confidential". This is because locations works on prefix strings, and due to lack of trailing "/" in the location prefix it does match "/img_confidential" request, and maps it to the file system according to the configuration. Similarly, the same misconfiguration can happen even without the "alias" directive at all. Consider the configuration: location / { deny all; } location /images { allow all; } In contrast to some might (incorrectly) assume, a request to "/images_confidential" will be allowed, and will return content as per the configuration. Unfortunately, I don't think there is an easy fix. Changing the way how nginx locations work would be a major change, and will break a lot of valid configurations where prefix matching is intentionally used. Meanwhile, it surely deserves some additional warnings/notes in the documentation, to emphasize the actual behaviour and potential pitfalls. Hopefully it would be enough to at least reduce the amount of such misconfigurations. If you think there is an easy fix, feel free to provide suggestions. (It looks like you aren't subscribed to nginx-devel@, so the message did not reach the mailing list: it only accepts messages from subscribers. I've preserved it in Cc: though, so we can continue discussion there, with more developers involved.) -- Maxim Dounin http://mdounin.ru/ From andrew.zv at gmail.com Sun Jul 9 08:57:20 2023 From: andrew.zv at gmail.com (andrey zverev) Date: Sun, 9 Jul 2023 10:57:20 +0200 Subject: rbtree redundant assignment Message-ID: Hello, everyone! I found a very strange thing in the ngx_rbtree_delete function. It seems that there is redundant assignment under the following if statement: if (subst->parent == node) { temp->parent = subst; Could someone please explain to me why this assignment is needed if temp was taken as subst->right before? Because it was a child of subst, it means temp had subst as its parent. -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Sun Jul 9 12:24:57 2023 From: mdounin at mdounin.ru (Maxim Dounin) Date: Sun, 9 Jul 2023 15:24:57 +0300 Subject: rbtree redundant assignment In-Reply-To: References: Message-ID: Hello! On Sun, Jul 09, 2023 at 10:57:20AM +0200, andrey zverev wrote: > Hello, everyone! > > I found a very strange thing in the ngx_rbtree_delete function. It seems > that there is redundant assignment under the following if statement: > > if (subst->parent == node) { > temp->parent = subst; > > Could someone please explain to me why this assignment is needed if temp > was taken as subst->right before? Because it was a child of subst, it means > temp had subst as its parent. If subst->right (and therefore temp) is the sentinel, this won't be the case, and an explicit assignment is needed. Just in case, "Introduction to Algorithms" by Cormen et al. might be a good source to refer here. -- Maxim Dounin http://mdounin.ru/ From mdounin at mdounin.ru Sun Jul 9 21:24:25 2023 From: mdounin at mdounin.ru (=?utf-8?q?Maxim_Dounin?=) Date: Mon, 10 Jul 2023 00:24:25 +0300 Subject: [PATCH] Tests: enabled TLSv1 in ssl_sni_reneg.t Message-ID: <85188791cd9cf688a294.1688937865@vm-bsd.mdounin.ru> # HG changeset patch # User Maxim Dounin # Date 1688521184 -10800 # Wed Jul 05 04:39:44 2023 +0300 # Node ID 85188791cd9cf688a29401e31221551345b76ff4 # Parent c5767845481fc1d7df3e56b604fc4afdeab7be85 Tests: enabled TLSv1 in ssl_sni_reneg.t. This fixes running the test with OpenSSL before 1.0.1, where TLSv1.2 support was introduced. diff --git a/ssl_sni_reneg.t b/ssl_sni_reneg.t --- a/ssl_sni_reneg.t +++ b/ssl_sni_reneg.t @@ -41,7 +41,7 @@ http { ssl_certificate_key localhost.key; ssl_certificate localhost.crt; - ssl_protocols TLSv1.2; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; server { listen 127.0.0.1:8443 ssl; From mdounin at mdounin.ru Sun Jul 9 21:24:56 2023 From: mdounin at mdounin.ru (=?utf-8?q?Maxim_Dounin?=) Date: Mon, 10 Jul 2023 00:24:56 +0300 Subject: [PATCH] Tests: enabled TLSv1 in uwsgi SSL tests Message-ID: # HG changeset patch # User Maxim Dounin # Date 1688937878 -10800 # Mon Jul 10 00:24:38 2023 +0300 # Node ID cab7d252c0d3445eef3f582d2879ac5fc3202019 # Parent 85188791cd9cf688a29401e31221551345b76ff4 Tests: enabled TLSv1 in uwsgi SSL tests. In uWSGI starting with 2.0.17.1, TLSv1 is disabled by default. It is now re-enabled to make it possible to run tests with OpenSSL before 1.0.1, where TLSv1.1 and TLSv1.2 support was introduced. diff --git a/uwsgi_ssl.t b/uwsgi_ssl.t --- a/uwsgi_ssl.t +++ b/uwsgi_ssl.t @@ -98,6 +98,11 @@ if ($uwsgihelp !~ /--wsgi-file/) { push @uwsgiopts, '--plugin', 'python3'; } +if ($uwsgihelp =~ /--ssl-enable-tlsv1/) { + # uwsgi disables TLSv1 by default since 2.0.17.1 + push @uwsgiopts, '--ssl-enable-tlsv1'; +} + open OLDERR, ">&", \*STDERR; close STDERR; $t->run_daemon('uwsgi', @uwsgiopts, '--ssl-socket', '127.0.0.1:' . port(8081) . ",$crt,$key", diff --git a/uwsgi_ssl_verify.t b/uwsgi_ssl_verify.t --- a/uwsgi_ssl_verify.t +++ b/uwsgi_ssl_verify.t @@ -144,6 +144,11 @@ if ($uwsgihelp !~ /--wsgi-file/) { push @uwsgiopts, '--plugin', 'python3'; } +if ($uwsgihelp =~ /--ssl-enable-tlsv1/) { + # uwsgi disables TLSv1 by default since 2.0.17.1 + push @uwsgiopts, '--ssl-enable-tlsv1'; +} + open OLDERR, ">&", \*STDERR; close STDERR; $t->run_daemon('uwsgi', @uwsgiopts, '--ssl-socket', '127.0.0.1:' . port(8081) . ",$crt1,$key1", From pluknet at nginx.com Mon Jul 10 16:23:42 2023 From: pluknet at nginx.com (Sergey Kandaurov) Date: Mon, 10 Jul 2023 20:23:42 +0400 Subject: [PATCH 1 of 2] Tests: fixed h2_http2.t when nginx compiled without ALPN support In-Reply-To: References:

Message-ID: > On 1 Jul 2023, at 04:21, Maxim Dounin wrote: > > # HG changeset patch > # User Maxim Dounin > # Date 1688164311 -10800 > # Sat Jul 01 01:31:51 2023 +0300 > # Node ID bf9961a4507784b669650e7ef1d3cbacce8c94e1 > # Parent 22f45bf99a9e39e02d8ce07532d2cbfc89e7d8d1 > Tests: fixed h2_http2.t when nginx compiled without ALPN support. > > ALPN support is only available with OpenSSL 1.0.2 or newer. > > diff --git a/h2_http2.t b/h2_http2.t > --- a/h2_http2.t > +++ b/h2_http2.t > @@ -127,9 +127,16 @@ ok(!get_ssl_socket(8443, 'disabled'), 's > > } > > +TODO: { > +local $TODO = 'OpenSSL too old' > + if $t->has_module('OpenSSL') > + and not $t->has_feature('openssl:1.0.2'); > + > is(get_https(8443, 'http2'), 200, 'host to enabled'); > is(get_https(8443, 'disabled', 'http2'), 421, 'host to disabled'); > > +} > + > # make sure HTTP/2 can be enabled selectively on virtual servers > Looks good, tnx. This got unnoticed since OpenSSL 1.0.1 no longer present in buildbot. Personally I stopped using it in manual tests as it doesn't seem to be correctly configured so cannot be built on Apple M1. -- Sergey Kandaurov From pluknet at nginx.com Mon Jul 10 16:23:44 2023 From: pluknet at nginx.com (Sergey Kandaurov) Date: Mon, 10 Jul 2023 20:23:44 +0400 Subject: [PATCH 2 of 2] Tests: adjusted TODO for OpenSSL 1.0.2h and up in h2_http2.t In-Reply-To: <5ef10e454094ad5d2315.1688170917@vm-bsd.mdounin.ru> References: <5ef10e454094ad5d2315.1688170917@vm-bsd.mdounin.ru> Message-ID: <7AC74D5E-8095-4D18-B303-6C5B1F6E20B3@nginx.com> > On 1 Jul 2023, at 04:21, Maxim Dounin wrote: > > # HG changeset patch > # User Maxim Dounin > # Date 1688164312 -10800 > # Sat Jul 01 01:31:52 2023 +0300 > # Node ID 5ef10e454094ad5d231552f0fc2c386e9cc33585 > # Parent bf9961a4507784b669650e7ef1d3cbacce8c94e1 > Tests: adjusted TODO for OpenSSL 1.0.2h and up in h2_http2.t. > > OpenSSL uses correct SNI/ALPN callback order (SNI callback before ALPN > callback) starting with OpenSSL 1.0.2h, so "sni to enabled" test > is expected to succeed starting with OpenSSL 1.0.2h. > > With this change, the "openssl:..." feature test now supports checking > patch level encoded as letters, such as in "openssl:1.0.2h". > > diff --git a/h2_http2.t b/h2_http2.t > --- a/h2_http2.t > +++ b/h2_http2.t > @@ -151,9 +151,9 @@ ok(!get_ssl_socket(8444), 'default to di > TODO: { > local $TODO = 'broken ALPN/SNI order in LibreSSL' > if $t->has_module('LibreSSL'); > -local $TODO = 'OpenSSL too old' > +local $TODO = 'broken ALPN/SNI order in OpenSSL before 1.0.2h' > if $t->has_module('OpenSSL') > - and not $t->has_feature('openssl:1.1.0'); > + and not $t->has_feature('openssl:1.0.2h'); > > is(get_https(8444, 'http2'), 200, 'sni to enabled'); > > diff --git a/lib/Test/Nginx.pm b/lib/Test/Nginx.pm > --- a/lib/Test/Nginx.pm > +++ b/lib/Test/Nginx.pm > @@ -266,20 +266,22 @@ sub has_feature($) { > return 0; > } > > - if ($feature =~ /^(openssl|libressl):([0-9.]+)/) { > + if ($feature =~ /^(openssl|libressl):([0-9.]+)([a-z]*)/) { > my $library = $1; > my $need = $2; > + my $patch = $3; > > $self->{_configure_args} = `$NGINX -V 2>&1` > if !defined $self->{_configure_args}; > > return 0 unless > - $self->{_configure_args} =~ /with $library ([0-9.]+)/i; > + $self->{_configure_args} > + =~ /with $library ([0-9.]+)([a-z]*)/i; Note that patch versions with capital letters may now be captured which cannot be specified in has_feature(), should never happen though. > > - my @v = split(/\./, $1); > + my @v = (split(/\./, $1), unpack("C*", $2)); > my ($n, $v); > > - for $n (split(/\./, $need)) { > + for $n (split(/\./, $need), unpack("C*", $patch)) { > $v = shift @v || 0; > return 0 if $n > $v; > return 1 if $v > $n; Looks good. -- Sergey Kandaurov From pluknet at nginx.com Tue Jul 11 11:49:12 2023 From: pluknet at nginx.com (Sergey Kandaurov) Date: Tue, 11 Jul 2023 15:49:12 +0400 Subject: [PATCH] Tests: enabled TLSv1 in ssl_sni_reneg.t In-Reply-To: <85188791cd9cf688a294.1688937865@vm-bsd.mdounin.ru> References: <85188791cd9cf688a294.1688937865@vm-bsd.mdounin.ru> Message-ID: <38927C24-43FA-43CB-86A2-3192457639B8@nginx.com> > On 10 Jul 2023, at 01:24, Maxim Dounin wrote: > > # HG changeset patch > # User Maxim Dounin > # Date 1688521184 -10800 > # Wed Jul 05 04:39:44 2023 +0300 > # Node ID 85188791cd9cf688a29401e31221551345b76ff4 > # Parent c5767845481fc1d7df3e56b604fc4afdeab7be85 > Tests: enabled TLSv1 in ssl_sni_reneg.t. > > This fixes running the test with OpenSSL before 1.0.1, where TLSv1.2 > support was introduced. > > diff --git a/ssl_sni_reneg.t b/ssl_sni_reneg.t > --- a/ssl_sni_reneg.t > +++ b/ssl_sni_reneg.t > @@ -41,7 +41,7 @@ http { > > ssl_certificate_key localhost.key; > ssl_certificate localhost.crt; > - ssl_protocols TLSv1.2; > + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; > > server { > listen 127.0.0.1:8443 ssl; Looks good per se. Though it doesn't answer how to best handle this in general after disabling TLSv1 and TLSv1.1 by default (see ticket #1911), which means unusable default configurations with OpenSSL < 1.0.1. Updating affected configurations to turn it back might be painful (nginx-tests is a good such example). Disabling TLSv1/TLSv1.1 is a reason to also drop support for old OpenSSL versions before 1.0.1 altogether, that is 0.9.8 and 1.0.0. (Another option might be to keep TLSv1/TLSv1.1 enabled by default iff the library doesn't support TLSv1.2 and above.) For the record, date of the last commit in OpenSSL git branches and the corresponding date of branch support removal in nginx: 0.9.6 2005-05 2009-06 4y 0.9.7 2008-10 2016-04 7y6m 0.9.8 2015-12 n/a 7y+ 1.0.0 2016-02 n/a 7y+ [+] still counting -- Sergey Kandaurov From pluknet at nginx.com Tue Jul 11 11:49:50 2023 From: pluknet at nginx.com (Sergey Kandaurov) Date: Tue, 11 Jul 2023 15:49:50 +0400 Subject: [PATCH] Tests: enabled TLSv1 in uwsgi SSL tests In-Reply-To: References: Message-ID: <4CF7B3BA-9758-406C-AA29-96BE3CBEBCB5@nginx.com> > On 10 Jul 2023, at 01:24, Maxim Dounin wrote: > > # HG changeset patch > # User Maxim Dounin > # Date 1688937878 -10800 > # Mon Jul 10 00:24:38 2023 +0300 > # Node ID cab7d252c0d3445eef3f582d2879ac5fc3202019 > # Parent 85188791cd9cf688a29401e31221551345b76ff4 > Tests: enabled TLSv1 in uwsgi SSL tests. > > In uWSGI starting with 2.0.17.1, TLSv1 is disabled by default. It is > now re-enabled to make it possible to run tests with OpenSSL before 1.0.1, > where TLSv1.1 and TLSv1.2 support was introduced. > > diff --git a/uwsgi_ssl.t b/uwsgi_ssl.t > --- a/uwsgi_ssl.t > +++ b/uwsgi_ssl.t > @@ -98,6 +98,11 @@ if ($uwsgihelp !~ /--wsgi-file/) { > push @uwsgiopts, '--plugin', 'python3'; > } > > +if ($uwsgihelp =~ /--ssl-enable-tlsv1/) { > + # uwsgi disables TLSv1 by default since 2.0.17.1 > + push @uwsgiopts, '--ssl-enable-tlsv1'; > +} > + > open OLDERR, ">&", \*STDERR; close STDERR; > $t->run_daemon('uwsgi', @uwsgiopts, > '--ssl-socket', '127.0.0.1:' . port(8081) . ",$crt,$key", > diff --git a/uwsgi_ssl_verify.t b/uwsgi_ssl_verify.t > --- a/uwsgi_ssl_verify.t > +++ b/uwsgi_ssl_verify.t > @@ -144,6 +144,11 @@ if ($uwsgihelp !~ /--wsgi-file/) { > push @uwsgiopts, '--plugin', 'python3'; > } > > +if ($uwsgihelp =~ /--ssl-enable-tlsv1/) { > + # uwsgi disables TLSv1 by default since 2.0.17.1 > + push @uwsgiopts, '--ssl-enable-tlsv1'; > +} > + > open OLDERR, ">&", \*STDERR; close STDERR; > $t->run_daemon('uwsgi', @uwsgiopts, > '--ssl-socket', '127.0.0.1:' . port(8081) . ",$crt1,$key1", Looks good. -- Sergey Kandaurov From mdounin at mdounin.ru Tue Jul 11 23:42:47 2023 From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 12 Jul 2023 02:42:47 +0300 Subject: [PATCH 1 of 2] Tests: fixed h2_http2.t when nginx compiled without ALPN support In-Reply-To: References:

Message-ID: Hello! On Mon, Jul 10, 2023 at 08:23:42PM +0400, Sergey Kandaurov wrote: > > On 1 Jul 2023, at 04:21, Maxim Dounin wrote: > > > > # HG changeset patch > > # User Maxim Dounin > > # Date 1688164311 -10800 > > # Sat Jul 01 01:31:51 2023 +0300 > > # Node ID bf9961a4507784b669650e7ef1d3cbacce8c94e1 > > # Parent 22f45bf99a9e39e02d8ce07532d2cbfc89e7d8d1 > > Tests: fixed h2_http2.t when nginx compiled without ALPN support. > > > > ALPN support is only available with OpenSSL 1.0.2 or newer. > > > > diff --git a/h2_http2.t b/h2_http2.t > > --- a/h2_http2.t > > +++ b/h2_http2.t > > @@ -127,9 +127,16 @@ ok(!get_ssl_socket(8443, 'disabled'), 's > > > > } > > > > +TODO: { > > +local $TODO = 'OpenSSL too old' > > + if $t->has_module('OpenSSL') > > + and not $t->has_feature('openssl:1.0.2'); > > + > > is(get_https(8443, 'http2'), 200, 'host to enabled'); > > is(get_https(8443, 'disabled', 'http2'), 421, 'host to disabled'); > > > > +} > > + > > # make sure HTTP/2 can be enabled selectively on virtual servers > > > > Looks good, tnx. Pushed to http://mdounin.ru/hg/nginx-tests, thanks. > This got unnoticed since OpenSSL 1.0.1 no longer present in buildbot. > Personally I stopped using it in manual tests as it doesn't seem to be > correctly configured so cannot be built on Apple M1. I usually test non-trivial SSL-related changes with all supported OpenSSL branches, hence it was caught. -- Maxim Dounin http://mdounin.ru/ From mdounin at mdounin.ru Tue Jul 11 23:42:57 2023 From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 12 Jul 2023 02:42:57 +0300 Subject: [PATCH 2 of 2] Tests: adjusted TODO for OpenSSL 1.0.2h and up in h2_http2.t In-Reply-To: <7AC74D5E-8095-4D18-B303-6C5B1F6E20B3@nginx.com> References: <5ef10e454094ad5d2315.1688170917@vm-bsd.mdounin.ru> <7AC74D5E-8095-4D18-B303-6C5B1F6E20B3@nginx.com> Message-ID: Hello! On Mon, Jul 10, 2023 at 08:23:44PM +0400, Sergey Kandaurov wrote: > > On 1 Jul 2023, at 04:21, Maxim Dounin wrote: > > > > # HG changeset patch > > # User Maxim Dounin > > # Date 1688164312 -10800 > > # Sat Jul 01 01:31:52 2023 +0300 > > # Node ID 5ef10e454094ad5d231552f0fc2c386e9cc33585 > > # Parent bf9961a4507784b669650e7ef1d3cbacce8c94e1 > > Tests: adjusted TODO for OpenSSL 1.0.2h and up in h2_http2.t. > > > > OpenSSL uses correct SNI/ALPN callback order (SNI callback before ALPN > > callback) starting with OpenSSL 1.0.2h, so "sni to enabled" test > > is expected to succeed starting with OpenSSL 1.0.2h. > > > > With this change, the "openssl:..." feature test now supports checking > > patch level encoded as letters, such as in "openssl:1.0.2h". > > > > diff --git a/h2_http2.t b/h2_http2.t > > --- a/h2_http2.t > > +++ b/h2_http2.t > > @@ -151,9 +151,9 @@ ok(!get_ssl_socket(8444), 'default to di > > TODO: { > > local $TODO = 'broken ALPN/SNI order in LibreSSL' > > if $t->has_module('LibreSSL'); > > -local $TODO = 'OpenSSL too old' > > +local $TODO = 'broken ALPN/SNI order in OpenSSL before 1.0.2h' > > if $t->has_module('OpenSSL') > > - and not $t->has_feature('openssl:1.1.0'); > > + and not $t->has_feature('openssl:1.0.2h'); > > > > is(get_https(8444, 'http2'), 200, 'sni to enabled'); > > > > diff --git a/lib/Test/Nginx.pm b/lib/Test/Nginx.pm > > --- a/lib/Test/Nginx.pm > > +++ b/lib/Test/Nginx.pm > > @@ -266,20 +266,22 @@ sub has_feature($) { > > return 0; > > } > > > > - if ($feature =~ /^(openssl|libressl):([0-9.]+)/) { > > + if ($feature =~ /^(openssl|libressl):([0-9.]+)([a-z]*)/) { > > my $library = $1; > > my $need = $2; > > + my $patch = $3; > > > > $self->{_configure_args} = `$NGINX -V 2>&1` > > if !defined $self->{_configure_args}; > > > > return 0 unless > > - $self->{_configure_args} =~ /with $library ([0-9.]+)/i; > > + $self->{_configure_args} > > + =~ /with $library ([0-9.]+)([a-z]*)/i; > > Note that patch versions with capital letters may now be captured > which cannot be specified in has_feature(), should never happen though. I don't think it matters. And, even if some library will report patch level with capital letters, there will be no practical difference anyway, as capital letters will be interpreted identically to no letters at all. > > > > - my @v = split(/\./, $1); > > + my @v = (split(/\./, $1), unpack("C*", $2)); > > my ($n, $v); > > > > - for $n (split(/\./, $need)) { > > + for $n (split(/\./, $need), unpack("C*", $patch)) { > > $v = shift @v || 0; > > return 0 if $n > $v; > > return 1 if $v > $n; > > Looks good. Pushed to http://mdounin.ru/hg/nginx-tests, thanks. -- Maxim Dounin http://mdounin.ru/ From mdounin at mdounin.ru Tue Jul 11 23:43:10 2023 From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 12 Jul 2023 02:43:10 +0300 Subject: [PATCH] Tests: enabled TLSv1 in uwsgi SSL tests In-Reply-To: <4CF7B3BA-9758-406C-AA29-96BE3CBEBCB5@nginx.com> References: <4CF7B3BA-9758-406C-AA29-96BE3CBEBCB5@nginx.com> Message-ID: Hello! On Tue, Jul 11, 2023 at 03:49:50PM +0400, Sergey Kandaurov wrote: > > On 10 Jul 2023, at 01:24, Maxim Dounin wrote: > > > > # HG changeset patch > > # User Maxim Dounin > > # Date 1688937878 -10800 > > # Mon Jul 10 00:24:38 2023 +0300 > > # Node ID cab7d252c0d3445eef3f582d2879ac5fc3202019 > > # Parent 85188791cd9cf688a29401e31221551345b76ff4 > > Tests: enabled TLSv1 in uwsgi SSL tests. > > > > In uWSGI starting with 2.0.17.1, TLSv1 is disabled by default. It is > > now re-enabled to make it possible to run tests with OpenSSL before 1.0.1, > > where TLSv1.1 and TLSv1.2 support was introduced. > > > > diff --git a/uwsgi_ssl.t b/uwsgi_ssl.t > > --- a/uwsgi_ssl.t > > +++ b/uwsgi_ssl.t > > @@ -98,6 +98,11 @@ if ($uwsgihelp !~ /--wsgi-file/) { > > push @uwsgiopts, '--plugin', 'python3'; > > } > > > > +if ($uwsgihelp =~ /--ssl-enable-tlsv1/) { > > + # uwsgi disables TLSv1 by default since 2.0.17.1 > > + push @uwsgiopts, '--ssl-enable-tlsv1'; > > +} > > + > > open OLDERR, ">&", \*STDERR; close STDERR; > > $t->run_daemon('uwsgi', @uwsgiopts, > > '--ssl-socket', '127.0.0.1:' . port(8081) . ",$crt,$key", > > diff --git a/uwsgi_ssl_verify.t b/uwsgi_ssl_verify.t > > --- a/uwsgi_ssl_verify.t > > +++ b/uwsgi_ssl_verify.t > > @@ -144,6 +144,11 @@ if ($uwsgihelp !~ /--wsgi-file/) { > > push @uwsgiopts, '--plugin', 'python3'; > > } > > > > +if ($uwsgihelp =~ /--ssl-enable-tlsv1/) { > > + # uwsgi disables TLSv1 by default since 2.0.17.1 > > + push @uwsgiopts, '--ssl-enable-tlsv1'; > > +} > > + > > open OLDERR, ">&", \*STDERR; close STDERR; > > $t->run_daemon('uwsgi', @uwsgiopts, > > '--ssl-socket', '127.0.0.1:' . port(8081) . ",$crt1,$key1", > > Looks good. Pushed to http://mdounin.ru/hg/nginx-tests, thanks. -- Maxim Dounin http://mdounin.ru/ From mdounin at mdounin.ru Tue Jul 11 23:43:55 2023 From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 12 Jul 2023 02:43:55 +0300 Subject: [PATCH] Tests: enabled TLSv1 in ssl_sni_reneg.t In-Reply-To: <38927C24-43FA-43CB-86A2-3192457639B8@nginx.com> References: <85188791cd9cf688a294.1688937865@vm-bsd.mdounin.ru> <38927C24-43FA-43CB-86A2-3192457639B8@nginx.com> Message-ID: Hello! On Tue, Jul 11, 2023 at 03:49:12PM +0400, Sergey Kandaurov wrote: > > On 10 Jul 2023, at 01:24, Maxim Dounin wrote: > > > > # HG changeset patch > > # User Maxim Dounin > > # Date 1688521184 -10800 > > # Wed Jul 05 04:39:44 2023 +0300 > > # Node ID 85188791cd9cf688a29401e31221551345b76ff4 > > # Parent c5767845481fc1d7df3e56b604fc4afdeab7be85 > > Tests: enabled TLSv1 in ssl_sni_reneg.t. > > > > This fixes running the test with OpenSSL before 1.0.1, where TLSv1.2 > > support was introduced. > > > > diff --git a/ssl_sni_reneg.t b/ssl_sni_reneg.t > > --- a/ssl_sni_reneg.t > > +++ b/ssl_sni_reneg.t > > @@ -41,7 +41,7 @@ http { > > > > ssl_certificate_key localhost.key; > > ssl_certificate localhost.crt; > > - ssl_protocols TLSv1.2; > > + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; > > > > server { > > listen 127.0.0.1:8443 ssl; > > Looks good per se. Pushed to http://mdounin.ru/hg/nginx-tests, thanks. > Though it doesn't answer how to best handle this in general > after disabling TLSv1 and TLSv1.1 by default (see ticket #1911), > which means unusable default configurations with OpenSSL < 1.0.1. > Updating affected configurations to turn it back might be painful > (nginx-tests is a good such example). Yep, that's something to consider if/when we'll decide to disable TLSv1 and TLSv1.1 by default. > Disabling TLSv1/TLSv1.1 is a reason to also drop support for old > OpenSSL versions before 1.0.1 altogether, that is 0.9.8 and 1.0.0. > (Another option might be to keep TLSv1/TLSv1.1 enabled by default > iff the library doesn't support TLSv1.2 and above.) > > For the record, date of the last commit in OpenSSL git branches > and the corresponding date of branch support removal in nginx: > > 0.9.6 2005-05 2009-06 4y > 0.9.7 2008-10 2016-04 7y6m > 0.9.8 2015-12 n/a 7y+ > 1.0.0 2016-02 n/a 7y+ > > [+] still counting I tend to think we can more or less safely drop anything below OpenSSL 1.0.2 now: last release on the OpenSSL 1.0.1 branch, OpenSSL 1.0.1u, was at 2016-09-22, so in terms of dates it's not really different from the OpenSSL 1.0.0 branch. Also, OpenSSL releases from the 1.0.1 branch are no longer present in any supported OSes I'm aware of. On the other hand, support for OpenSSL at least back to 0.9.8zh does not seem to be a major issue. -- Maxim Dounin http://mdounin.ru/ From xeioex at nginx.com Wed Jul 12 05:51:53 2023 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Wed, 12 Jul 2023 05:51:53 +0000 Subject: [njs] Version bump. Message-ID: details: https://hg.nginx.org/njs/rev/ac56314cc3be branches: changeset: 2179:ac56314cc3be user: Dmitry Volyntsev date: Mon Jul 10 17:57:45 2023 -0700 description: Version bump. diffstat: src/njs.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diffs (14 lines): diff -r 034ad86967b6 -r ac56314cc3be src/njs.h --- a/src/njs.h Thu Jul 06 09:10:47 2023 -0700 +++ b/src/njs.h Mon Jul 10 17:57:45 2023 -0700 @@ -11,8 +11,8 @@ #include -#define NJS_VERSION "0.8.0" -#define NJS_VERSION_NUMBER 0x000800 +#define NJS_VERSION "0.8.1" +#define NJS_VERSION_NUMBER 0x000801 #include From xeioex at nginx.com Wed Jul 12 05:51:55 2023 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Wed, 12 Jul 2023 05:51:55 +0000 Subject: [njs] HTTP: fixed setting of Date header. Message-ID: details: https://hg.nginx.org/njs/rev/a35035c52201 branches: changeset: 2180:a35035c52201 user: Dmitry Volyntsev date: Tue Jul 11 19:12:34 2023 -0700 description: HTTP: fixed setting of Date header. Previously, r.headersOut['Date'] setter did not update r->headers_out.date. As a result a client might get two Date headers. diffstat: nginx/ngx_http_js_module.c | 36 ++++++++++++++++++++++++++++++++++++ nginx/t/js_headers.t | 22 ++++++++++++++++++++-- 2 files changed, 56 insertions(+), 2 deletions(-) diffs (138 lines): diff -r ac56314cc3be -r a35035c52201 nginx/ngx_http_js_module.c --- a/nginx/ngx_http_js_module.c Mon Jul 10 17:57:45 2023 -0700 +++ b/nginx/ngx_http_js_module.c Tue Jul 11 19:12:34 2023 -0700 @@ -125,6 +125,9 @@ static njs_int_t ngx_http_js_content_len static njs_int_t ngx_http_js_content_type122(njs_vm_t *vm, ngx_http_request_t *r, ngx_list_t *headers, njs_str_t *name, njs_value_t *setval, njs_value_t *retval); +static njs_int_t ngx_http_js_date122(njs_vm_t *vm, ngx_http_request_t *r, + ngx_list_t *headers, njs_str_t *name, njs_value_t *setval, + njs_value_t *retval); static njs_int_t ngx_http_js_location122(njs_vm_t *vm, ngx_http_request_t *r, ngx_list_t *headers, njs_str_t *name, njs_value_t *setval, njs_value_t *retval); @@ -222,6 +225,9 @@ static njs_int_t ngx_http_js_content_len static njs_int_t ngx_http_js_content_type(njs_vm_t *vm, ngx_http_request_t *r, unsigned flags, njs_str_t *name, njs_value_t *setval, njs_value_t *retval); +static njs_int_t ngx_http_js_date(njs_vm_t *vm, ngx_http_request_t *r, + unsigned flags, njs_str_t *name, njs_value_t *setval, + njs_value_t *retval); static njs_int_t ngx_http_js_location(njs_vm_t *vm, ngx_http_request_t *r, unsigned flags, njs_str_t *name, njs_value_t *setval, njs_value_t *retval); @@ -1526,6 +1532,7 @@ ngx_http_js_ext_header_out(njs_vm_t *vm, { njs_str("Content-Type"), ngx_http_js_content_type122 }, { njs_str("Content-Length"), ngx_http_js_content_length122 }, { njs_str("Content-Encoding"), ngx_http_js_content_encoding122 }, + { njs_str("Date"), ngx_http_js_date122 }, { njs_str("Etag"), ngx_http_js_header_single }, { njs_str("Expires"), ngx_http_js_header_single }, { njs_str("Last-Modified"), ngx_http_js_header_single }, @@ -1538,6 +1545,7 @@ ngx_http_js_ext_header_out(njs_vm_t *vm, { njs_str("Content-Encoding"), 0, ngx_http_js_content_encoding }, { njs_str("Content-Length"), 0, ngx_http_js_content_length }, { njs_str("Content-Type"), 0, ngx_http_js_content_type }, + { njs_str("Date"), 0, ngx_http_js_date }, { njs_str("Etag"), NJS_HEADER_SINGLE, ngx_http_js_header_out }, { njs_str("Expires"), NJS_HEADER_SINGLE, ngx_http_js_header_out }, { njs_str("Last-Modified"), NJS_HEADER_SINGLE, ngx_http_js_header_out }, @@ -1955,6 +1963,14 @@ ngx_http_js_content_type122(njs_vm_t *vm static njs_int_t +ngx_http_js_date122(njs_vm_t *vm, ngx_http_request_t *r, + ngx_list_t *headers, njs_str_t *v, njs_value_t *setval, njs_value_t *retval) +{ + return ngx_http_js_date(vm, r, 0, v, setval, retval); +} + + +static njs_int_t ngx_http_js_location122(njs_vm_t *vm, ngx_http_request_t *r, ngx_list_t *headers, njs_str_t *v, njs_value_t *setval, njs_value_t *retval) { @@ -3961,6 +3977,26 @@ ngx_http_js_content_type(njs_vm_t *vm, n static njs_int_t +ngx_http_js_date(njs_vm_t *vm, ngx_http_request_t *r, unsigned flags, + njs_str_t *v, njs_value_t *setval, njs_value_t *retval) +{ + njs_int_t rc; + ngx_table_elt_t *h; + + rc = ngx_http_js_header_out_special(vm, r, v, setval, retval, &h); + if (rc == NJS_ERROR) { + return NJS_ERROR; + } + + if (setval != NULL || retval == NULL) { + r->headers_out.date = h; + } + + return NJS_OK; +} + + +static njs_int_t ngx_http_js_location(njs_vm_t *vm, ngx_http_request_t *r, unsigned flags, njs_str_t *v, njs_value_t *setval, njs_value_t *retval) { diff -r ac56314cc3be -r a35035c52201 nginx/t/js_headers.t --- a/nginx/t/js_headers.t Mon Jul 10 17:57:45 2023 -0700 +++ b/nginx/t/js_headers.t Tue Jul 11 19:12:34 2023 -0700 @@ -84,6 +84,10 @@ http { js_content test.content_encoding_arr; } + location /date { + js_content test.date; + } + location /location { js_content test.location; } @@ -245,6 +249,11 @@ EOF r.return(200); } + function date(r) { + r.headersOut['Date'] = 'Sun, 09 Sep 2001 01:46:40 GMT'; + r.return(200); + } + function location(r) { if (njs.version_number >= 0x000705) { var lc = r.headersOut['Location']; @@ -437,12 +446,13 @@ EOF hdr_in, raw_hdr_in, hdr_sorted_keys, foo_in, ifoo_in, hdr_out, raw_hdr_out, hdr_out_array, hdr_out_single, hdr_out_set_cookie, ihdr_out, hdr_out_special_set, - copy_subrequest_hdrs, subrequest, location, location_sr}; + copy_subrequest_hdrs, subrequest, date, location, + location_sr}; EOF -$t->try_run('no njs')->plan(44); +$t->try_run('no njs')->plan(45); ############################################################################### @@ -590,6 +600,14 @@ unlike(http_get('/location_sr'), qr/Loca } +TODO: { +local $TODO = 'not yet' unless has_version('0.8.1'); + +like(http_get('/date'), qr/Date: Sun, 09 Sep 2001 01:46:40 GMT/, + 'set date'); + +} + ############################################################################### sub has_version { From xeioex at nginx.com Wed Jul 12 05:51:57 2023 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Wed, 12 Jul 2023 05:51:57 +0000 Subject: [njs] HTTP: fixed setting of Last-Modified header. Message-ID: details: https://hg.nginx.org/njs/rev/3af6c729b7cb branches: changeset: 2181:3af6c729b7cb user: Dmitry Volyntsev date: Tue Jul 11 22:50:44 2023 -0700 description: HTTP: fixed setting of Last-Modified header. Previously, r.headersOut['Last-Modified'] setter did not update r->headers_out.last_modified. As a result a client might get two Last-Modified headers. diffstat: nginx/ngx_http_js_module.c | 38 ++++++++++++++++++++++++++++++++++++-- nginx/t/js_headers.t | 18 +++++++++++++++--- 2 files changed, 51 insertions(+), 5 deletions(-) diffs (136 lines): diff -r a35035c52201 -r 3af6c729b7cb nginx/ngx_http_js_module.c --- a/nginx/ngx_http_js_module.c Tue Jul 11 19:12:34 2023 -0700 +++ b/nginx/ngx_http_js_module.c Tue Jul 11 22:50:44 2023 -0700 @@ -128,6 +128,9 @@ static njs_int_t ngx_http_js_content_typ static njs_int_t ngx_http_js_date122(njs_vm_t *vm, ngx_http_request_t *r, ngx_list_t *headers, njs_str_t *name, njs_value_t *setval, njs_value_t *retval); +static njs_int_t ngx_http_js_last_modified122(njs_vm_t *vm, + ngx_http_request_t *r, ngx_list_t *headers, njs_str_t *name, + njs_value_t *setval, njs_value_t *retval); static njs_int_t ngx_http_js_location122(njs_vm_t *vm, ngx_http_request_t *r, ngx_list_t *headers, njs_str_t *name, njs_value_t *setval, njs_value_t *retval); @@ -228,6 +231,9 @@ static njs_int_t ngx_http_js_content_typ static njs_int_t ngx_http_js_date(njs_vm_t *vm, ngx_http_request_t *r, unsigned flags, njs_str_t *name, njs_value_t *setval, njs_value_t *retval); +static njs_int_t ngx_http_js_last_modified(njs_vm_t *vm, ngx_http_request_t *r, + unsigned flags, njs_str_t *name, njs_value_t *setval, + njs_value_t *retval); static njs_int_t ngx_http_js_location(njs_vm_t *vm, ngx_http_request_t *r, unsigned flags, njs_str_t *name, njs_value_t *setval, njs_value_t *retval); @@ -1535,7 +1541,7 @@ ngx_http_js_ext_header_out(njs_vm_t *vm, { njs_str("Date"), ngx_http_js_date122 }, { njs_str("Etag"), ngx_http_js_header_single }, { njs_str("Expires"), ngx_http_js_header_single }, - { njs_str("Last-Modified"), ngx_http_js_header_single }, + { njs_str("Last-Modified"), ngx_http_js_last_modified122 }, { njs_str("Location"), ngx_http_js_location122 }, { njs_str("Set-Cookie"), ngx_http_js_header_array }, { njs_str("Retry-After"), ngx_http_js_header_single }, @@ -1548,7 +1554,7 @@ ngx_http_js_ext_header_out(njs_vm_t *vm, { njs_str("Date"), 0, ngx_http_js_date }, { njs_str("Etag"), NJS_HEADER_SINGLE, ngx_http_js_header_out }, { njs_str("Expires"), NJS_HEADER_SINGLE, ngx_http_js_header_out }, - { njs_str("Last-Modified"), NJS_HEADER_SINGLE, ngx_http_js_header_out }, + { njs_str("Last-Modified"), 0, ngx_http_js_last_modified }, { njs_str("Location"), 0, ngx_http_js_location }, { njs_str("Set-Cookie"), NJS_HEADER_ARRAY, ngx_http_js_header_out }, { njs_str("Retry-After"), NJS_HEADER_SINGLE, ngx_http_js_header_out }, @@ -1971,6 +1977,14 @@ ngx_http_js_date122(njs_vm_t *vm, ngx_ht static njs_int_t +ngx_http_js_last_modified122(njs_vm_t *vm, ngx_http_request_t *r, + ngx_list_t *headers, njs_str_t *v, njs_value_t *setval, njs_value_t *retval) +{ + return ngx_http_js_last_modified(vm, r, 0, v, setval, retval); +} + + +static njs_int_t ngx_http_js_location122(njs_vm_t *vm, ngx_http_request_t *r, ngx_list_t *headers, njs_str_t *v, njs_value_t *setval, njs_value_t *retval) { @@ -3997,6 +4011,26 @@ ngx_http_js_date(njs_vm_t *vm, ngx_http_ static njs_int_t +ngx_http_js_last_modified(njs_vm_t *vm, ngx_http_request_t *r, unsigned flags, + njs_str_t *v, njs_value_t *setval, njs_value_t *retval) +{ + njs_int_t rc; + ngx_table_elt_t *h; + + rc = ngx_http_js_header_out_special(vm, r, v, setval, retval, &h); + if (rc == NJS_ERROR) { + return NJS_ERROR; + } + + if (setval != NULL || retval == NULL) { + r->headers_out.last_modified = h; + } + + return NJS_OK; +} + + +static njs_int_t ngx_http_js_location(njs_vm_t *vm, ngx_http_request_t *r, unsigned flags, njs_str_t *v, njs_value_t *setval, njs_value_t *retval) { diff -r a35035c52201 -r 3af6c729b7cb nginx/t/js_headers.t --- a/nginx/t/js_headers.t Tue Jul 11 19:12:34 2023 -0700 +++ b/nginx/t/js_headers.t Tue Jul 11 22:50:44 2023 -0700 @@ -88,6 +88,10 @@ http { js_content test.date; } + location /last_modified { + js_content test.last_modified; + } + location /location { js_content test.location; } @@ -254,6 +258,11 @@ EOF r.return(200); } + function last_modified(r) { + r.headersOut['Last-Modified'] = 'Sun, 09 Sep 2001 01:46:40 GMT'; + r.return(200); + } + function location(r) { if (njs.version_number >= 0x000705) { var lc = r.headersOut['Location']; @@ -446,13 +455,13 @@ EOF hdr_in, raw_hdr_in, hdr_sorted_keys, foo_in, ifoo_in, hdr_out, raw_hdr_out, hdr_out_array, hdr_out_single, hdr_out_set_cookie, ihdr_out, hdr_out_special_set, - copy_subrequest_hdrs, subrequest, date, location, - location_sr}; + copy_subrequest_hdrs, subrequest, date, last_modified, + location, location_sr}; EOF -$t->try_run('no njs')->plan(45); +$t->try_run('no njs')->plan(46); ############################################################################### @@ -605,6 +614,9 @@ local $TODO = 'not yet' unless has_versi like(http_get('/date'), qr/Date: Sun, 09 Sep 2001 01:46:40 GMT/, 'set date'); +like(http_get('/last_modified'), + qr/Last-Modified: Sun, 09 Sep 2001 01:46:40 GMT/, + 'set Last-Modified'); } From pluknet at nginx.com Wed Jul 12 11:33:16 2023 From: pluknet at nginx.com (Sergey Kandaurov) Date: Wed, 12 Jul 2023 11:33:16 +0000 Subject: [nginx] HTTP/3: fixed $body_bytes_sent. Message-ID: details: https://hg.nginx.org/nginx/rev/f91dc350be9f branches: changeset: 9133:f91dc350be9f user: Sergey Kandaurov date: Wed Jul 12 15:27:35 2023 +0400 description: HTTP/3: fixed $body_bytes_sent. diffstat: src/http/v3/ngx_http_v3_filter_module.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (11 lines): diff -r 77c1418916f7 -r f91dc350be9f src/http/v3/ngx_http_v3_filter_module.c --- a/src/http/v3/ngx_http_v3_filter_module.c Thu Jun 08 14:58:01 2023 +0400 +++ b/src/http/v3/ngx_http_v3_filter_module.c Wed Jul 12 15:27:35 2023 +0400 @@ -581,6 +581,7 @@ ngx_http_v3_header_filter(ngx_http_reque for (cl = out; cl; cl = cl->next) { h3c->total_bytes += cl->buf->last - cl->buf->pos; + r->header_size += cl->buf->last - cl->buf->pos; } return ngx_http_write_filter(r, out); From vesa.jaaskelainen at vaisala.com Wed Jul 12 14:07:03 2023 From: vesa.jaaskelainen at vaisala.com (=?UTF-8?q?Vesa=20J=C3=A4=C3=A4skel=C3=A4inen?=) Date: Wed, 12 Jul 2023 17:07:03 +0300 Subject: [PATCH 0/4] SSL: Add support for loading X.509 certificates from openssl engine Message-ID: <20230712140707.364629-1-vesa.jaaskelainen@vaisala.com> (I hope this goes properly out as I had major issues with hg email so combined hg export + git send-email) It is convenient to keep X.509 certificates related to key pairs stored in openssl engine within the engine. Implementation uses 'LOAD_CERT_CTRL' extension to fetch certificate from the engine. This extension is not supported by all engines and in those cases it should report with an error. Configuration is similar to what it is for 'ssl_certificate_key'. First certificate must match with ssl_certificate_key's key pair rest of the certificiates are added to the certificate chain. Example configuration with libp11's pkcs11 engine: ssl_certificate "engine:pkcs11:pkcs11:token=mytoken;object=mykey engine:pkcs11:pkcs11:token=mytoken;object=int-ca"; ssl_certificate_key "engine:pkcs11:pkcs11:token=mytoken;object=mykey?pin-value=mypin"; Tested the loading with two pkcs11 implementations SoftHSMv2 and with OP-TEE's PKCS11 Trusted Application running on Embedded Linux device. First three commits is the main beef and in order to make it more flexible added also last commit allowing intermediate certificates loaded from file system. Separator of space is used as there was already existing use of array for ssl_certificate configuration. Thanks, Vesa Jääskeläinen From vesa.jaaskelainen at vaisala.com Wed Jul 12 14:07:04 2023 From: vesa.jaaskelainen at vaisala.com (=?UTF-8?q?Vesa=20J=C3=A4=C3=A4skel=C3=A4inen?=) Date: Wed, 12 Jul 2023 17:07:04 +0300 Subject: [PATCH 1/4] SSL: Add support for loading X.509 certificate from openssl engine In-Reply-To: <20230712140707.364629-1-vesa.jaaskelainen@vaisala.com> References: <20230712140707.364629-1-vesa.jaaskelainen@vaisala.com> Message-ID: <20230712140707.364629-2-vesa.jaaskelainen@vaisala.com> # HG changeset patch # User Vesa Jääskeläinen # Date 1689169151 -10800 # Wed Jul 12 16:39:11 2023 +0300 # Node ID 57f9cc8ef8ce24385ebb7bb4cf3150299bc8ed91 # Parent f91dc350be9f4a6bf1379a32a210afece7b0d75e SSL: Add support for loading X.509 certificate from openssl engine It is convenient to keep X.509 certificates related to key pairs stored in openssl engine within the engine. Implementation uses 'LOAD_CERT_CTRL' extension to fetch certificate from the engine. This extension is not supported by all engines and in those cases it should report with an error. Configuration is similar to what it is for 'ssl_certificate_key'. Example configuration with libp11's pkcs11 engine: ssl_certificate "engine:pkcs11:pkcs11:token=mytoken;object=mykey"; ssl_certificate_key "engine:pkcs11:pkcs11:token=mytoken;object=mykey?pin-value=mypin"; diff -r f91dc350be9f -r 57f9cc8ef8ce src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c Wed Jul 12 15:27:35 2023 +0400 +++ b/src/event/ngx_event_openssl.c Wed Jul 12 16:39:11 2023 +0300 @@ -607,6 +607,24 @@ return NGX_OK; } +static X509 * +ngx_ssl_engine_load_certificate(ENGINE *engine, const char * cert_id) +{ + struct { + const char * cert_id; + X509 * cert; + } load_cert; + + load_cert.cert_id = cert_id; + load_cert.cert = NULL; + + /* Note: if certificate is found -- X509 object's ownership is transferred. */ + if (!ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", 0, &load_cert, NULL, 0)) { + return NULL; + } + + return load_cert.cert; +} static X509 * ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, @@ -616,6 +634,50 @@ X509 *x509, *temp; u_long n; + if (ngx_strncmp(cert->data, "engine:", sizeof("engine:") - 1) == 0) { + +#ifndef OPENSSL_NO_ENGINE + + u_char *p, *last; + ENGINE *engine; + + p = cert->data + sizeof("engine:") - 1; + last = (u_char *) ngx_strchr(p, ':'); + + if (last == NULL) { + *err = "invalid syntax"; + return NULL; + } + + *last = '\0'; + + engine = ENGINE_by_id((char *) p); + + if (engine == NULL) { + *err = "ENGINE_by_id() failed"; + return NULL; + } + + *last++ = ':'; + + x509 = ngx_ssl_engine_load_certificate(engine, (char *) last); + + if (x509 == NULL) { + *err = "ngx_ssl_engine_load_certificate() failed"; + return NULL; + } + + ENGINE_free(engine); + return x509; + +#else + + *err = "loading \"engine:...\" certificate is not supported"; + return NULL; + +#endif + } + if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) { bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1, From vesa.jaaskelainen at vaisala.com Wed Jul 12 14:07:05 2023 From: vesa.jaaskelainen at vaisala.com (=?UTF-8?q?Vesa=20J=C3=A4=C3=A4skel=C3=A4inen?=) Date: Wed, 12 Jul 2023 17:07:05 +0300 Subject: [PATCH 2/4] Core: Add ngx_strtok_r() In-Reply-To: <20230712140707.364629-1-vesa.jaaskelainen@vaisala.com> References: <20230712140707.364629-1-vesa.jaaskelainen@vaisala.com> Message-ID: <20230712140707.364629-3-vesa.jaaskelainen@vaisala.com> # HG changeset patch # User Vesa Jääskeläinen # Date 1689169165 -10800 # Wed Jul 12 16:39:25 2023 +0300 # Node ID 7226cadb2d145a1feb5313c50eaadd87c6e49f51 # Parent 57f9cc8ef8ce24385ebb7bb4cf3150299bc8ed91 Core: Add ngx_strtok_r() Add wrapper define for strtok_r(). diff -r 57f9cc8ef8ce -r 7226cadb2d14 src/core/ngx_string.h --- a/src/core/ngx_string.h Wed Jul 12 16:39:11 2023 +0300 +++ b/src/core/ngx_string.h Wed Jul 12 16:39:25 2023 +0300 @@ -63,6 +63,8 @@ size_t ngx_strnlen(u_char *p, size_t n); #define ngx_strchr(s1, c) strchr((const char *) s1, (int) c) +#define ngx_strtok_r(str, delim, saveptr) \ + strtok_r((char *) str, (const char *) delim, (char **) saveptr) static ngx_inline u_char * ngx_strlchr(u_char *p, u_char *last, u_char c) From vesa.jaaskelainen at vaisala.com Wed Jul 12 14:07:06 2023 From: vesa.jaaskelainen at vaisala.com (=?UTF-8?q?Vesa=20J=C3=A4=C3=A4skel=C3=A4inen?=) Date: Wed, 12 Jul 2023 17:07:06 +0300 Subject: [PATCH 3/4] SSL: Add support for loading X.509 certificate chain from openssl engine In-Reply-To: <20230712140707.364629-1-vesa.jaaskelainen@vaisala.com> References: <20230712140707.364629-1-vesa.jaaskelainen@vaisala.com> Message-ID: <20230712140707.364629-4-vesa.jaaskelainen@vaisala.com> # HG changeset patch # User Vesa Jääskeläinen # Date 1689169177 -10800 # Wed Jul 12 16:39:37 2023 +0300 # Node ID 30f709bbbd5a0754f1926a1a347348b68a1c487e # Parent 7226cadb2d145a1feb5313c50eaadd87c6e49f51 SSL: Add support for loading X.509 certificate chain from openssl engine Certificates within engine is often specified by URI, in order to support specifying certificate chain use space as delimeter. First certificate must match with ssl_certificate_key's key pair rest of the certificiates are added to the certificate chain. Code supports loading from different engines but normal case is expected to be from same engine. Example configuration with libp11's pkcs11 engine: ssl_certificate "engine:pkcs11:pkcs11:token=mytoken;object=mykey engine:pkcs11:pkcs11:token=mytoken;object=int-ca"; ssl_certificate_key "engine:pkcs11:pkcs11:token=mytoken;object=mykey?pin-value=mypin"; diff -r 7226cadb2d14 -r 30f709bbbd5a src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c Wed Jul 12 16:39:25 2023 +0300 +++ b/src/event/ngx_event_openssl.c Wed Jul 12 16:39:37 2023 +0300 @@ -638,14 +638,25 @@ #ifndef OPENSSL_NO_ENGINE - u_char *p, *last; + u_char *p, *last, *cert_config, *saveptr; ENGINE *engine; - p = cert->data + sizeof("engine:") - 1; + /* + * Certificates within engine is often specified by URI, in order to + * support specifying certificate chain use space as delimeter. + */ + + cert_config = ngx_pstrdup(pool, cert); + + /* just add terminator at next delimeter */ + (void) ngx_strtok_r(cert_config, " \t\r\n", &saveptr); + + p = cert_config + sizeof("engine:") - 1; last = (u_char *) ngx_strchr(p, ':'); if (last == NULL) { *err = "invalid syntax"; + ngx_pfree(pool, cert_config); return NULL; } @@ -655,6 +666,7 @@ if (engine == NULL) { *err = "ENGINE_by_id() failed"; + ngx_pfree(pool, cert_config); return NULL; } @@ -664,12 +676,91 @@ if (x509 == NULL) { *err = "ngx_ssl_engine_load_certificate() failed"; + ngx_pfree(pool, cert_config); return NULL; } ENGINE_free(engine); + engine = NULL; + + *chain = sk_X509_new_null(); + if (*chain == NULL) { + *err = "sk_X509_new_null() failed"; + X509_free(x509); + ngx_pfree(pool, cert_config); + return NULL; + } + + /* load certificate chain if defined */ + for ( ;; ) { + ngx_str_t chain_cert = ngx_null_string; + + p = (u_char *) ngx_strtok_r(NULL, " \t\r\n", &saveptr); + if (!p) { + break; + } + + ngx_str_set(&chain_cert, p); + + if (ngx_strncmp(chain_cert.data, "engine:", sizeof("engine:") - 1) + == 0) { + p = chain_cert.data + sizeof("engine:") - 1; + last = (u_char *) ngx_strchr(p, ':'); + + if (last == NULL) { + *err = "invalid syntax"; + X509_free(x509); + sk_X509_pop_free(*chain, X509_free); + ngx_pfree(pool, cert_config); + return NULL; + } + + *last = '\0'; + + engine = ENGINE_by_id((char *) p); + + if (engine == NULL) { + *err = "ENGINE_by_id() failed"; + X509_free(x509); + sk_X509_pop_free(*chain, X509_free); + ngx_pfree(pool, cert_config); + return NULL; + } + + *last++ = ':'; + + temp = ngx_ssl_engine_load_certificate(engine, (char *) last); + + if (temp == NULL) { + *err = "ngx_ssl_engine_load_certificate() failed for chain certificate"; + X509_free(x509); + sk_X509_pop_free(*chain, X509_free); + ENGINE_free(engine); + ngx_pfree(pool, cert_config); + return NULL; + } + + if (sk_X509_push(*chain, temp) == 0) { + *err = "sk_X509_push() failed"; + X509_free(x509); + sk_X509_pop_free(*chain, X509_free); + ENGINE_free(engine); + ngx_pfree(pool, cert_config); + return NULL; + } + + ENGINE_free(engine); + engine = NULL; + } else { + *err = "loading \"engine:...\" certificate from different sources is not supported"; + X509_free(x509); + sk_X509_pop_free(*chain, X509_free); + return NULL; + } + } + + ngx_pfree(pool, cert_config); return x509; - #else *err = "loading \"engine:...\" certificate is not supported"; From vesa.jaaskelainen at vaisala.com Wed Jul 12 14:07:07 2023 From: vesa.jaaskelainen at vaisala.com (=?UTF-8?q?Vesa=20J=C3=A4=C3=A4skel=C3=A4inen?=) Date: Wed, 12 Jul 2023 17:07:07 +0300 Subject: [PATCH 4/4] SSL: Improve X.509 certificate loading from openssl engine with file source In-Reply-To: <20230712140707.364629-1-vesa.jaaskelainen@vaisala.com> References: <20230712140707.364629-1-vesa.jaaskelainen@vaisala.com> Message-ID: <20230712140707.364629-5-vesa.jaaskelainen@vaisala.com> # HG changeset patch # User Vesa Jääskeläinen # Date 1689169189 -10800 # Wed Jul 12 16:39:49 2023 +0300 # Node ID 86d27e14c696e6c444b59063abb1e10fc31dfae6 # Parent 30f709bbbd5a0754f1926a1a347348b68a1c487e SSL: Improve X.509 certificate loading from openssl engine with file source In some cases key pair and its certificate are stored in engine but intermediate certificates are not. Add support for loading from the file system the rest of the chain. As a side effect of using space as separator and when loading additional certificates for chain parts from file system it cannot handle spaces in the path. Example configuration with libp11's pkcs11 engine: ssl_certificate "engine:pkcs11:pkcs11:token=mytoken;object=mykey /etc/ssl/certs/intermediate-ca.pem"; ssl_certificate_key "engine:pkcs11:pkcs11:token=mytoken;object=mykey?pin-value=mypin"; diff -r 30f709bbbd5a -r 86d27e14c696 src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c Wed Jul 12 16:39:37 2023 +0300 +++ b/src/event/ngx_event_openssl.c Wed Jul 12 16:39:49 2023 +0300 @@ -626,13 +626,48 @@ return load_cert.cert; } +static ngx_int_t +ngx_ssl_bio_load_certificate_chain(BIO *bio, STACK_OF(X509) **chain, char **err) +{ + X509 *temp; + u_long n; + + for ( ;; ) { + + temp = PEM_read_bio_X509(bio, NULL, NULL, NULL); + if (temp == NULL) { + n = ERR_peek_last_error(); + + if (ERR_GET_LIB(n) == ERR_LIB_PEM + && ERR_GET_REASON(n) == PEM_R_NO_START_LINE) + { + /* end of file */ + ERR_clear_error(); + break; + } + + /* some real error */ + + *err = "PEM_read_bio_X509() failed"; + return NGX_ERROR; + } + + if (sk_X509_push(*chain, temp) == 0) { + *err = "sk_X509_push() failed"; + return NGX_ERROR; + } + } + + return NGX_OK; +} + static X509 * ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, STACK_OF(X509) **chain) { - BIO *bio; - X509 *x509, *temp; - u_long n; + BIO *bio; + X509 *x509, *temp; + ngx_int_t ret; if (ngx_strncmp(cert->data, "engine:", sizeof("engine:") - 1) == 0) { @@ -644,6 +679,9 @@ /* * Certificates within engine is often specified by URI, in order to * support specifying certificate chain use space as delimeter. + * + * As a side effect loading additional certificates for chain from file + * system it cannot handle spaces in the path. */ cert_config = ngx_pstrdup(pool, cert); @@ -752,10 +790,49 @@ ENGINE_free(engine); engine = NULL; } else { - *err = "loading \"engine:...\" certificate from different sources is not supported"; - X509_free(x509); - sk_X509_pop_free(*chain, X509_free); - return NULL; + ngx_str_t cert_name = chain_cert; + + if (ngx_get_full_name(pool, + (ngx_str_t *) &ngx_cycle->conf_prefix, + &cert_name) + != NGX_OK) + { + *err = "ngx_get_full_name() failed"; + X509_free(x509); + sk_X509_pop_free(*chain, X509_free); + ngx_pfree(pool, cert_config); + return NULL; + } + + bio = BIO_new_file((char *) cert_name.data, "r"); + if (bio == NULL) { + *err = "BIO_new_file() failed"; + if (cert_name.data != chain_cert.data) { + /* new allocation -- free it */ + ngx_pfree(pool, cert_name.data); + } + X509_free(x509); + sk_X509_pop_free(*chain, X509_free); + ngx_pfree(pool, cert_config); + return NULL; + } + + if (cert_name.data != chain_cert.data) { + /* new allocation -- free it */ + ngx_pfree(pool, cert_name.data); + } + ngx_str_null(&cert_name); + + ret = ngx_ssl_bio_load_certificate_chain(bio, chain, err); + if (ret != NGX_OK) { + BIO_free(bio); + X509_free(x509); + sk_X509_pop_free(*chain, X509_free); + ngx_pfree(pool, cert_config); + return NULL; + } + + BIO_free(bio); } } @@ -813,36 +890,12 @@ return NULL; } - for ( ;; ) { - - temp = PEM_read_bio_X509(bio, NULL, NULL, NULL); - if (temp == NULL) { - n = ERR_peek_last_error(); - - if (ERR_GET_LIB(n) == ERR_LIB_PEM - && ERR_GET_REASON(n) == PEM_R_NO_START_LINE) - { - /* end of file */ - ERR_clear_error(); - break; - } - - /* some real error */ - - *err = "PEM_read_bio_X509() failed"; - BIO_free(bio); - X509_free(x509); - sk_X509_pop_free(*chain, X509_free); - return NULL; - } - - if (sk_X509_push(*chain, temp) == 0) { - *err = "sk_X509_push() failed"; - BIO_free(bio); - X509_free(x509); - sk_X509_pop_free(*chain, X509_free); - return NULL; - } + ret = ngx_ssl_bio_load_certificate_chain(bio, chain, err); + if (ret != NGX_OK) { + BIO_free(bio); + X509_free(x509); + sk_X509_pop_free(*chain, X509_free); + return NULL; } BIO_free(bio); From mdounin at mdounin.ru Thu Jul 13 00:48:42 2023 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 13 Jul 2023 03:48:42 +0300 Subject: [PATCH 0/4] SSL: Add support for loading X.509 certificates from openssl engine In-Reply-To: <20230712140707.364629-1-vesa.jaaskelainen@vaisala.com> References: <20230712140707.364629-1-vesa.jaaskelainen@vaisala.com> Message-ID: Hello! On Wed, Jul 12, 2023 at 05:07:03PM +0300, Vesa Jääskeläinen via nginx-devel wrote: > (I hope this goes properly out as I had major issues with hg email so > combined hg export + git send-email) > > It is convenient to keep X.509 certificates related to key pairs stored in > openssl engine within the engine. > > Implementation uses 'LOAD_CERT_CTRL' extension to fetch certificate from > the engine. This extension is not supported by all engines and in those > cases it should report with an error. > > Configuration is similar to what it is for 'ssl_certificate_key'. > > First certificate must match with ssl_certificate_key's key pair rest of > the certificiates are added to the certificate chain. > > Example configuration with libp11's pkcs11 engine: > > ssl_certificate "engine:pkcs11:pkcs11:token=mytoken;object=mykey > engine:pkcs11:pkcs11:token=mytoken;object=int-ca"; > ssl_certificate_key "engine:pkcs11:pkcs11:token=mytoken;object=mykey?pin-value=mypin"; > > Tested the loading with two pkcs11 implementations SoftHSMv2 and with > OP-TEE's PKCS11 Trusted Application running on Embedded Linux device. > > First three commits is the main beef and in order to make it more flexible > added also last commit allowing intermediate certificates loaded from file > system. > > Separator of space is used as there was already existing use of array for > ssl_certificate configuration. Just in case, a similar proposal was previously discussed here: https://mailman.nginx.org/pipermail/nginx-devel/2020-April/013130.html https://mailman.nginx.org/pipermail/nginx-devel/2020-May/013142.html Notably, the review is here: https://mailman.nginx.org/pipermail/nginx-devel/2020-May/013152.html I'm additionally sceptical about this given that engine interface is deprecated by OpenSSL. -- Maxim Dounin http://mdounin.ru/ From vesa.jaaskelainen at vaisala.com Thu Jul 13 07:38:02 2023 From: vesa.jaaskelainen at vaisala.com (=?UTF-8?B?VmVzYSBKw6TDpHNrZWzDpGluZW4=?=) Date: Thu, 13 Jul 2023 10:38:02 +0300 Subject: [PATCH 0/4] SSL: Add support for loading X.509 certificates from openssl engine In-Reply-To: References: <20230712140707.364629-1-vesa.jaaskelainen@vaisala.com> Message-ID: Hi Maxim, On 13.7.2023 3.48, Maxim Dounin wrote: > Hello! > > On Wed, Jul 12, 2023 at 05:07:03PM +0300, Vesa Jääskeläinen via nginx-devel wrote: > >> (I hope this goes properly out as I had major issues with hg email so >> combined hg export + git send-email) >> >> It is convenient to keep X.509 certificates related to key pairs stored in >> openssl engine within the engine. >> >> Implementation uses 'LOAD_CERT_CTRL' extension to fetch certificate from >> the engine. This extension is not supported by all engines and in those >> cases it should report with an error. >> >> Configuration is similar to what it is for 'ssl_certificate_key'. >> >> First certificate must match with ssl_certificate_key's key pair rest of >> the certificiates are added to the certificate chain. >> >> Example configuration with libp11's pkcs11 engine: >> >> ssl_certificate "engine:pkcs11:pkcs11:token=mytoken;object=mykey >> engine:pkcs11:pkcs11:token=mytoken;object=int-ca"; >> ssl_certificate_key "engine:pkcs11:pkcs11:token=mytoken;object=mykey?pin-value=mypin"; >> >> Tested the loading with two pkcs11 implementations SoftHSMv2 and with >> OP-TEE's PKCS11 Trusted Application running on Embedded Linux device. >> >> First three commits is the main beef and in order to make it more flexible >> added also last commit allowing intermediate certificates loaded from file >> system. >> >> Separator of space is used as there was already existing use of array for >> ssl_certificate configuration. > Just in case, a similar proposal was previously discussed here: > > https://mailman.nginx.org/pipermail/nginx-devel/2020-April/013130.html > https://mailman.nginx.org/pipermail/nginx-devel/2020-May/013142.html > > Notably, the review is here: > > https://mailman.nginx.org/pipermail/nginx-devel/2020-May/013152.html > > I'm additionally sceptical about this given that engine interface > is deprecated by OpenSSL. Thanks for the links. The provider interface in OpenSSL 3 is yet to be matured for PKCS11 usage. libp11 so far seems to have stayed with "legacy" engine and just adapted for OpenSSL 3. Then there is new project that is still in development phase but looks promising: https://github.com/latchset/pkcs11-provider But before that provider implementation matures and is available in distributions it takes one or more major LTS releases. While waiting for that it would be nice to have the support. What is interesting that the CMD extension is already being integrated to other software like curl, wpa-supplicant/hostapd, stunnel, ppp, M2Crypto -- so I would say the feature is there to stay for a while. Even not documented as official openssl "extension" it is there and is being used. Now openssl also has "store" API which can be extended with different schemes too but in example libp11 does not today support that. https://www.openssl.org/docs/man1.1.1/man7/ossl_store.html https://www.openssl.org/docs/man1.1.1/man3/OSSL_STORE_LOADER.html Now the Nginx is already using the "legacy" interface so if it is enable why not then support the certificate loading when it is available. I believe these can even coexist. provider::