nginx 1.25.3

chronolaw · Oct 25, 2023 · b064ab9 · b064ab9
1 parent 51a7ff9
commit b064ab9
Show file tree

Hide file tree

Showing 32 changed files with 652 additions and 394 deletions.
diff --git a/nginx/CHANGES b/nginx/CHANGES
@@ -1,4 +1,24 @@
 
+Changes with nginx 1.25.3                                        24 Oct 2023
+
+    *) Change: improved detection of misbehaving clients when using HTTP/2.
+
+    *) Feature: startup speedup when using a large number of locations.
+       Thanks to Yusuke Nojima.
+
+    *) Bugfix: a segmentation fault might occur in a worker process when
+       using HTTP/2 without SSL; the bug had appeared in 1.25.1.
+
+    *) Bugfix: the "Status" backend response header line with an empty
+       reason phrase was handled incorrectly.
+
+    *) Bugfix: memory leak during reconfiguration when using the PCRE2
+       library.
+       Thanks to ZhenZhong Wu.
+
+    *) Bugfixes and improvements in HTTP/3.
+
+
 Changes with nginx 1.25.2                                        15 Aug 2023
 
     *) Feature: path MTU discovery when using HTTP/3.

diff --git a/nginx/CHANGES.ru b/nginx/CHANGES.ru
@@ -1,4 +1,26 @@
 
+Изменения в nginx 1.25.3                                          24.10.2023
+
+    *) Изменение: улучшено детектирование некорректного поведения клиентов
+       при использовании HTTP/2.
+
+    *) Добавление: уменьшение времени запуска при использовании большого
+       количества location'ов.
+       Спасибо Yusuke Nojima.
+
+    *) Исправление: при использовании HTTP/2 без SSL в рабочем процессе мог
+       произойти segmentation fault; ошибка появилась в 1.25.1.
+
+    *) Исправление: строка "Status" в заголовке ответа бэкенда с пустой
+       поясняющей фразой обрабатывалась некорректно.
+
+    *) Исправление: утечки памяти во время переконфигурации при
+       использовании библиотеки PCRE2.
+       Спасибо ZhenZhong Wu.
+
+    *) Исправления и улучшения в HTTP/3.
+
+
 Изменения в nginx 1.25.2                                          15.08.2023
 
     *) Добавление: path MTU discovery при использовании HTTP/3.

diff --git a/nginx/src/core/nginx.h b/nginx/src/core/nginx.h
@@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define nginx_version      1025002
-#define NGINX_VERSION      "1.25.2"
+#define nginx_version      1025003
+#define NGINX_VERSION      "1.25.3"
 #define NGINX_VER          "nginx/" NGINX_VERSION
 
 #ifdef NGX_BUILD

diff --git a/nginx/src/core/ngx_module.h b/nginx/src/core/ngx_module.h
@@ -107,7 +107,12 @@
 #endif
 
 #define NGX_MODULE_SIGNATURE_17  "0"
+
+#if (NGX_QUIC || NGX_COMPAT)
+#define NGX_MODULE_SIGNATURE_18  "1"
+#else
 #define NGX_MODULE_SIGNATURE_18  "0"
+#endif
 
 #if (NGX_HAVE_OPENAT)
 #define NGX_MODULE_SIGNATURE_19  "1"

diff --git a/nginx/src/core/ngx_queue.c b/nginx/src/core/ngx_queue.c
@@ -9,6 +9,10 @@
 #include <ngx_core.h>
 
 
+static void ngx_queue_merge(ngx_queue_t *queue, ngx_queue_t *tail,
+    ngx_int_t (*cmp)(const ngx_queue_t *, const ngx_queue_t *));
+
+
 /*
  * find the middle queue element if the queue has odd number of elements
  * or the first element of the queue's second part otherwise
@@ -45,36 +49,58 @@ ngx_queue_middle(ngx_queue_t *queue)
 }
 
 
-/* the stable insertion sort */
+/* the stable merge sort */
 
 void
 ngx_queue_sort(ngx_queue_t *queue,
     ngx_int_t (*cmp)(const ngx_queue_t *, const ngx_queue_t *))
 {
-    ngx_queue_t  *q, *prev, *next;
+    ngx_queue_t  *q, tail;
 
     q = ngx_queue_head(queue);
 
     if (q == ngx_queue_last(queue)) {
         return;
     }
 
-    for (q = ngx_queue_next(q); q != ngx_queue_sentinel(queue); q = next) {
+    q = ngx_queue_middle(queue);
+
+    ngx_queue_split(queue, q, &tail);
+
+    ngx_queue_sort(queue, cmp);
+    ngx_queue_sort(&tail, cmp);
+
+    ngx_queue_merge(queue, &tail, cmp);
+}
+
 
-        prev = ngx_queue_prev(q);
-        next = ngx_queue_next(q);
+static void
+ngx_queue_merge(ngx_queue_t *queue, ngx_queue_t *tail,
+    ngx_int_t (*cmp)(const ngx_queue_t *, const ngx_queue_t *))
+{
+    ngx_queue_t  *q1, *q2;
 
-        ngx_queue_remove(q);
+    q1 = ngx_queue_head(queue);
+    q2 = ngx_queue_head(tail);
 
-        do {
-            if (cmp(prev, q) <= 0) {
-                break;
-            }
+    for ( ;; ) {
+        if (q1 == ngx_queue_sentinel(queue)) {
+            ngx_queue_add(queue, tail);
+            break;
+        }
 
-            prev = ngx_queue_prev(prev);
+        if (q2 == ngx_queue_sentinel(tail)) {
+            break;
+        }
+
+        if (cmp(q1, q2) <= 0) {
+            q1 = ngx_queue_next(q1);
+            continue;
+        }
 
-        } while (prev != ngx_queue_sentinel(queue));
+        ngx_queue_remove(q2);
+        ngx_queue_insert_before(q1, q2);
 
-        ngx_queue_insert_after(prev, q);
+        q2 = ngx_queue_head(tail);
     }
 }
diff --git a/nginx/src/core/ngx_queue.h b/nginx/src/core/ngx_queue.h
@@ -47,6 +47,9 @@ struct ngx_queue_s {
     (h)->prev = x
 
 
+#define ngx_queue_insert_before   ngx_queue_insert_tail
+
+
 #define ngx_queue_head(h)                                                     \
     (h)->next
 

diff --git a/nginx/src/core/ngx_regex.c b/nginx/src/core/ngx_regex.c
@@ -600,6 +600,8 @@ ngx_regex_cleanup(void *data)
      * the new cycle, these will be re-allocated.
      */
 
+    ngx_regex_malloc_init(NULL);
+
     if (ngx_regex_compile_context) {
         pcre2_compile_context_free(ngx_regex_compile_context);
         ngx_regex_compile_context = NULL;
@@ -611,6 +613,8 @@ ngx_regex_cleanup(void *data)
         ngx_regex_match_data_size = 0;
     }
 
+    ngx_regex_malloc_done();
+
 #endif
 }
 
@@ -706,9 +710,6 @@ ngx_regex_module_init(ngx_cycle_t *cycle)
     ngx_regex_malloc_done();
 
     ngx_regex_studies = NULL;
-#if (NGX_PCRE2)
-    ngx_regex_compile_context = NULL;
-#endif
 
     return NGX_OK;
 }

diff --git a/nginx/src/event/quic/ngx_event_quic.c b/nginx/src/event/quic/ngx_event_quic.c
@@ -211,6 +211,8 @@ ngx_quic_run(ngx_connection_t *c, ngx_quic_conf_t *conf)
     qc = ngx_quic_get_connection(c);
 
     ngx_add_timer(c->read, qc->tp.max_idle_timeout);
+    ngx_add_timer(&qc->close, qc->conf->handshake_timeout);
+
     ngx_quic_connstate_dbg(c);
 
     c->read->handler = ngx_quic_input_handler;
@@ -283,6 +285,10 @@ ngx_quic_new_connection(ngx_connection_t *c, ngx_quic_conf_t *conf,
     qc->path_validation.data = c;
     qc->path_validation.handler = ngx_quic_path_handler;
 
+    qc->key_update.log = c->log;
+    qc->key_update.data = c;
+    qc->key_update.handler = ngx_quic_keys_update;
+
     qc->conf = conf;
 
     if (ngx_quic_init_transport_params(&qc->tp, conf) != NGX_OK) {
@@ -329,6 +335,7 @@ ngx_quic_new_connection(ngx_connection_t *c, ngx_quic_conf_t *conf,
     qc->validated = pkt->validated;
 
     if (ngx_quic_open_sockets(c, qc, pkt) != NGX_OK) {
+        ngx_quic_keys_cleanup(qc->keys);
         return NULL;
     }
 
@@ -414,7 +421,7 @@ ngx_quic_input_handler(ngx_event_t *rev)
     if (c->close) {
         c->close = 0;
 
-        if (!ngx_exiting) {
+        if (!ngx_exiting || !qc->streams.initialized) {
             qc->error = NGX_QUIC_ERR_NO_ERROR;
             qc->error_reason = "graceful shutdown";
             ngx_quic_close_connection(c, NGX_ERROR);
@@ -481,6 +488,10 @@ ngx_quic_close_connection(ngx_connection_t *c, ngx_int_t rc)
             ngx_quic_free_frames(c, &qc->send_ctx[i].sent);
         }
 
+        if (qc->close.timer_set) {
+            ngx_del_timer(&qc->close);
+        }
+
         if (rc == NGX_DONE) {
 
             /*
@@ -505,9 +516,6 @@ ngx_quic_close_connection(ngx_connection_t *c, ngx_int_t rc)
              *  to terminate the connection immediately.
              */
 
-            qc->error_level = c->ssl ? SSL_quic_read_level(c->ssl->connection)
-                                     : ssl_encryption_initial;
-
             if (qc->error == (ngx_uint_t) -1) {
                 qc->error = NGX_QUIC_ERR_INTERNAL_ERROR;
                 qc->error_app = 0;
@@ -520,17 +528,19 @@ ngx_quic_close_connection(ngx_connection_t *c, ngx_int_t rc)
                            qc->error_app ? "app " : "", qc->error,
                            qc->error_reason ? qc->error_reason : "");
 
-            if (rc == NGX_OK) {
-                ctx = ngx_quic_get_send_ctx(qc, qc->error_level);
-                ngx_add_timer(&qc->close, 3 * ngx_quic_pto(c, ctx));
-            }
+            for (i = 0; i < NGX_QUIC_SEND_CTX_LAST; i++) {
+                ctx = &qc->send_ctx[i];
 
-            (void) ngx_quic_send_cc(c);
+                if (!ngx_quic_keys_available(qc->keys, ctx->level, 1)) {
+                    continue;
+                }
 
-            if (qc->error_level == ssl_encryption_handshake) {
-                /* for clients that might not have handshake keys */
-                qc->error_level = ssl_encryption_initial;
+                qc->error_level = ctx->level;
                 (void) ngx_quic_send_cc(c);
+
+                if (rc == NGX_OK) {
+                    ngx_add_timer(&qc->close, 3 * ngx_quic_pto(c, ctx));
+                }
             }
         }
 
@@ -562,6 +572,10 @@ ngx_quic_close_connection(ngx_connection_t *c, ngx_int_t rc)
         ngx_delete_posted_event(&qc->push);
     }
 
+    if (qc->key_update.posted) {
+        ngx_delete_posted_event(&qc->key_update);
+    }
+
     if (qc->close.timer_set) {
         return;
     }
@@ -572,6 +586,8 @@ ngx_quic_close_connection(ngx_connection_t *c, ngx_int_t rc)
 
     ngx_quic_close_sockets(c);
 
+    ngx_quic_keys_cleanup(qc->keys);
+
     ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic close completed");
 
     /* may be tested from SSL callback during SSL shutdown */
@@ -946,7 +962,7 @@ ngx_quic_handle_payload(ngx_connection_t *c, ngx_quic_header_t *pkt)
 
     c->log->action = "decrypting packet";
 
-    if (!ngx_quic_keys_available(qc->keys, pkt->level)) {
+    if (!ngx_quic_keys_available(qc->keys, pkt->level, 0)) {
         ngx_log_error(NGX_LOG_INFO, c->log, 0,
                       "quic no %s keys, ignoring packet",
                       ngx_quic_level_name(pkt->level));
@@ -956,10 +972,7 @@ ngx_quic_handle_payload(ngx_connection_t *c, ngx_quic_header_t *pkt)
 #if !defined (OPENSSL_IS_BORINGSSL)
     /* OpenSSL provides read keys for an application level before it's ready */
 
-    if (pkt->level == ssl_encryption_application
-        && SSL_quic_read_level(c->ssl->connection)
-           < ssl_encryption_application)
-    {
+    if (pkt->level == ssl_encryption_application && !c->ssl->handshaked) {
         ngx_log_error(NGX_LOG_INFO, c->log, 0,
                       "quic no %s keys ready, ignoring packet",
                       ngx_quic_level_name(pkt->level));
@@ -1055,7 +1068,9 @@ ngx_quic_handle_payload(ngx_connection_t *c, ngx_quic_header_t *pkt)
         return rc;
     }
 
-    return ngx_quic_keys_update(c, qc->keys);
+    ngx_post_event(&qc->key_update, &ngx_posted_events);
+
+    return NGX_OK;
 }
 
 
@@ -1070,7 +1085,9 @@ ngx_quic_discard_ctx(ngx_connection_t *c, enum ssl_encryption_level_t level)
 
     qc = ngx_quic_get_connection(c);
 
-    if (!ngx_quic_keys_available(qc->keys, level)) {
+    if (!ngx_quic_keys_available(qc->keys, level, 0)
+        && !ngx_quic_keys_available(qc->keys, level, 1))
+    {
         return;
     }
 
@@ -1100,7 +1117,7 @@ ngx_quic_discard_ctx(ngx_connection_t *c, enum ssl_encryption_level_t level)
     }
 
     if (level == ssl_encryption_initial) {
-        /* close temporary listener with odcid */
+        /* close temporary listener with initial dcid */
         qsock = ngx_quic_find_socket(c, NGX_QUIC_UNSET_PN);
         if (qsock) {
             ngx_quic_close_socket(c, qsock);

diff --git a/nginx/src/event/quic/ngx_event_quic.h b/nginx/src/event/quic/ngx_event_quic.h
@@ -67,7 +67,8 @@ typedef struct {
     ngx_flag_t                     retry;
     ngx_flag_t                     gso_enabled;
     ngx_flag_t                     disable_active_migration;
-    ngx_msec_t                     timeout;
+    ngx_msec_t                     handshake_timeout;
+    ngx_msec_t                     idle_timeout;
     ngx_str_t                      host_key;
     size_t                         stream_buffer_size;
     ngx_uint_t                     max_concurrent_streams_bidi;

diff --git a/nginx/src/event/quic/ngx_event_quic_ack.c b/nginx/src/event/quic/ngx_event_quic_ack.c
@@ -907,6 +907,10 @@ ngx_quic_ack_packet(ngx_connection_t *c, ngx_quic_header_t *pkt)
                    " nranges:%ui", pkt->pn, (int64_t) ctx->largest_range,
                    ctx->first_range, ctx->nranges);
 
+    if (!ngx_quic_keys_available(qc->keys, ctx->level, 1)) {
+        return NGX_OK;
+    }
+
     prev_pending = ctx->pending_ack;
 
     if (pkt->need_ack) {

diff --git a/nginx/src/event/quic/ngx_event_quic_connection.h b/nginx/src/event/quic/ngx_event_quic_connection.h
@@ -230,6 +230,8 @@ struct ngx_quic_connection_s {
     ngx_event_t                       pto;
     ngx_event_t                       close;
     ngx_event_t                       path_validation;
+    ngx_event_t                       key_update;
+
     ngx_msec_t                        last_cc;
 
     ngx_msec_t                        first_rtt;

diff --git a/nginx/src/event/quic/ngx_event_quic_migration.c b/nginx/src/event/quic/ngx_event_quic_migration.c
@@ -518,9 +518,7 @@ ngx_quic_validate_path(ngx_connection_t *c, ngx_quic_path_t *path)
         return NGX_ERROR;
     }
 
-    if (ngx_quic_send_path_challenge(c, path) != NGX_OK) {
-        return NGX_ERROR;
-    }
+    (void) ngx_quic_send_path_challenge(c, path);
 
     ctx = ngx_quic_get_send_ctx(qc, ssl_encryption_application);
     pto = ngx_max(ngx_quic_pto(c, ctx), 1000);