| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Replace the usage of uint8_t in structures to represent boolean values
with our nxt_bool_t type.
This will result in no change in structure layout as the nxt_bool_t is
now a uint8_t, same as what it's replacing.
Even though it's essentially the same type, it makes it much clearer as
to what its purpose is.
This was largely done with the following script from Alex, with some
manual conversions
$ grep -rl 'uint8_t.*1 bit' src/ \
| xargs sed -i '/uint8_t.*1 bit/{s/uint8_t /nxt_bool_t /;s/; *\/\*.*/;/}'
This doesn't convert the non-uint8_t booleans, they will be handled
separately.
Reviewed-by: Alejandro Colomar <alx@nginx.com>
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
|
|
The casts are unnecessary, since memcmp(3)'s arguments are 'void *'.
It might have been necessary in the times of K&R, where 'void *' didn't
exist. Nowadays, it's unnecessary, and _very_ unsafe, since casts can
hide all classes of bugs by silencing most compiler warnings.
The changes from nxt_memcmp() to memcmp(3) were scripted:
$ find src/ -type f \
| grep '\.[ch]$' \
| xargs sed -i 's/nxt_memcmp/memcmp/'
Reviewed-by: Andrew Clayton <a.clayton@nginx.com>
Signed-off-by: Alejandro Colomar <alx@nginx.com>
|
|
Link: <https://www.openssl.org/docs/man3.0/man7/migration_guide.html>
Cc: Andy Postnikov <apostnikov@gmail.com>
Cc: Andrew Clayton <a.clayton@nginx.com>
Signed-off-by: Remi Collet <remi@remirepo.net>
Signed-off-by: Alejandro Colomar <alx@nginx.com>
|
|
If we don't call SSL_CTX_set_cipher_list(), then it uses the
system's default.
Link: <https://fedoraproject.org/wiki/Changes/CryptoPolicy>
Link: <https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/>
Link: <https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8>
Signed-off-by: Remi Collet <remi@remirepo.net>
Acked-by: Andrei Belov <defan@nginx.com>
[ alx: add changelog and tweak commit message ]
Signed-off-by: Alejandro Colomar <alx@nginx.com>
|
|
A new behaviour was introduced in OpenSSL 1.1.1e, when a peer does not send
close_notify before closing the connection. Previously, it was to return
SSL_ERROR_SYSCALL with errno 0, known since at least OpenSSL 0.9.7, and is
handled gracefully in unitd. Now it returns SSL_ERROR_SSL with a distinct
reason SSL_R_UNEXPECTED_EOF_WHILE_READING ("unexpected eof while reading").
This leads to critical errors seen in nginx within various routines such as
SSL_do_handshake(), SSL_read(), SSL_shutdown(). The behaviour was restored
in OpenSSL 1.1.1f, but presents in OpenSSL 3.0 by default.
Use of the SSL_OP_IGNORE_UNEXPECTED_EOF option added in OpenSSL 3.0 allows
setting a compatible behaviour to return SSL_ERROR_ZERO_RETURN:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=09b90e0
See for additional details: https://github.com/openssl/openssl/issues/11381
|
|
The macro is used to suppress deprecation warnings with OpenSSL 3.0.
Unlike OPENSSL_API_COMPAT, it works well with OpenSSL built with no-deprecated.
In particular, it doesn't unhide various macros in OpenSSL includes, which are
meant to be hidden under OPENSSL_NO_DEPRECATED.
|
|
The previous commit added more generic APIs for handling
NXT_CONF_VALUE_ARRAY and non-NXT_CONF_VALUE_ARRAY together.
Modify calling code to remove special cases for arrays and
non-arrays, taking special care that the path for non arrays is
logically equivalent to the previous special cased code.
Use the now-generic array code only.
|
|
Compared to the previous implementation based on OpenSSL, the new implementation
has these advantages:
1. Strict and reliable detection of invalid strings, including strings with
less than 4 bytes of garbage at the end;
2. Allows to use Base64 strings without '=' padding.
|
|
The bug has been introduced in 0bca988e9541.
|
|
Deduplicated code and improved style.
No functional changes.
|
|
|
|
When a client sends no SNI is a common situation. But currently the server
processes it as an error and returns SSL_TLSEXT_ERR_ALERT_FATAL causing
termination of a current TLS session. The problem occurs if configuration has
more than one certificate bundle in a listener.
This fix changes the return code to SSL_TLSEXT_ERR_OK and the log level of a
message.
|
|
To support TLS sessions, Unit uses the OpenSSL built-in session cache; the
cache_size option defines the number sessions to store. To disable the feather,
the option must be zero.
|
|
To perform various configuration operations on SSL_CTX, OpenSSL provides
SSL_CONF_cmd(). Specifically, to configure ciphers for a listener,
"CipherString" and "Ciphersuites" file commands are used:
https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html
This feature can be configured in the "tls/conf_commands" section.
|
|
A crash was caused by an incorrect timer handler nxt_h1p_idle_timeout() if
SSL_shutdown() returned SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE.
The flag SSL_RECEIVED_SHUTDOWN is used to avoid getting SSL_ERROR_WANT_READ, so
the server won't wait for a close notification from a client.
For SSL_ERROR_WANT_WRITE, a correct timer handler is set up.
|
|
The certificate is selected by matching the arriving SNI to the common name and
the alternatives names. If no certificate matches the name, the first bundle in
the array is chosen.
|
|
This is a workaround for an issue in OpenSSL 1.1.1, where the /dev/random and
/dev/urandom files remain open after all listening sockets were removed:
- https://github.com/openssl/openssl/issues/7419
|
|
An immediate return statement on connection errors was mistakenly added to the
beginning of nxt_openssl_conn_io_shutdown() in ecd3c5bbf7d8, breaking the TLS
connection finalization procedure. As a result, a TLS connection was left
unfinalized if it had been closed prematurely or a fatal protocol error had
occurred, which caused memory and socket descriptor leakage.
Moreover, in some cases (notably, on handshake errors in tests with kqueue on
macOS) the read event was triggered later and nxt_h1p_conn_error() was called
the second time; after the change in af93c866b4f0, the latter call crashed the
router process in an attempt to remove a connection from the idle queue twice.
|
|
This closes #370 in GitHub.
|
|
Before this fix EWOULDBLOCK error was fatal for SSL write operation.
This closes #325 issue on GitHub.
|
|
After event is delivered from the kernel its further processing is blocked.
Non-ready TSL I/O operation should mark connection I/O state as not ready
to unblock events and to allow their further processing. Otherwise
the connection hangs.
|
|
|
|
This closes #182 issue on GitHub.
Thanks to 洪志道 (Hong Zhi Dao).
|
|
LibreSSL uses high OPENSSL_VERSION_NUMBER, but has no SSL_CTX_add0_chain_cert().
|
|
|
|
|
|
|
|
|
|
to nxt_conn_...
|
|
|
|
|
|
|
|
|
|
|
