Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package nginx for openSUSE:Factory checked in at 2021-09-03 21:25:25 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/nginx (Old) and /work/SRC/openSUSE:Factory/.nginx.new.1899 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nginx" Fri Sep 3 21:25:25 2021 rev:69 rq:915419 version:1.21.2 Changes: -------- --- /work/SRC/openSUSE:Factory/nginx/nginx.changes 2021-07-12 01:24:41.501390414 +0200 +++ /work/SRC/openSUSE:Factory/.nginx.new.1899/nginx.changes 2021-09-03 21:25:26.486119132 +0200 @@ -1,0 +2,20 @@ +Wed Sep 1 07:09:54 UTC 2021 - ???????? ???????????? <i...@ilya.pp.ua> + +- Updated to 1.21.2 + * https://nginx.org/en/CHANGES + * Now nginx rejects HTTP/1.0 requests with the "Transfer-Encoding" header line. + * Export ciphers are no longer supported. + * Added OpenSSL 3.0 compatibility. + * Added the "Auth-SSL-Protocol" and "Auth-SSL-Cipher" header lines + are now passed to the mail proxy authentication server. + * Added request body filters API now permits buffering of the data being processed. + * Fixed backend SSL connections in the stream module might hang after an SSL handshake. + * Fixed the security level, which is available in OpenSSL 1.1.0 or newer, + did not affect loading of the server certificates when set + with "@SECLEVEL=N" in the "ssl_ciphers" directive. + * Fixed SSL connections with gRPC backends might hang if select, poll, + or /dev/poll methods were used. + * Fixed when using HTTP/2 client request body was always written to + disk if the "Content-Length" header line was not present in the request. + +------------------------------------------------------------------- Old: ---- nginx-1.21.1.tar.gz nginx-1.21.1.tar.gz.asc New: ---- nginx-1.21.2.tar.gz nginx-1.21.2.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nginx.spec ++++++ --- /var/tmp/diff_new_pack.5zxZKS/_old 2021-09-03 21:25:27.702121852 +0200 +++ /var/tmp/diff_new_pack.5zxZKS/_new 2021-09-03 21:25:27.706121861 +0200 
@@ -23,7 +23,7 @@ %bcond_with ngx_google_perftools # Name: nginx -Version: 1.21.1 +Version: 1.21.2 Release: 0 Summary: A HTTP server and IMAP/POP3 proxy server License: BSD-2-Clause ++++++ nginx-1.21.1.tar.gz -> nginx-1.21.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.21.1/CHANGES new/nginx-1.21.2/CHANGES --- old/nginx-1.21.1/CHANGES 2021-07-06 16:59:22.000000000 +0200 +++ new/nginx-1.21.2/CHANGES 2021-08-31 17:13:56.000000000 +0200 @@ -1,4 +1,35 @@ +Changes with nginx 1.21.2 31 Aug 2021 + + *) Change: now nginx rejects HTTP/1.0 requests with the + "Transfer-Encoding" header line. + + *) Change: export ciphers are no longer supported. + + *) Feature: OpenSSL 3.0 compatibility. + + *) Feature: the "Auth-SSL-Protocol" and "Auth-SSL-Cipher" header lines + are now passed to the mail proxy authentication server. + Thanks to Rob Mueller. + + *) Feature: request body filters API now permits buffering of the data + being processed. + + *) Bugfix: backend SSL connections in the stream module might hang after + an SSL handshake. + + *) Bugfix: the security level, which is available in OpenSSL 1.1.0 or + newer, did not affect loading of the server certificates when set + with "@SECLEVEL=N" in the "ssl_ciphers" directive. + + *) Bugfix: SSL connections with gRPC backends might hang if select, + poll, or /dev/poll methods were used. + + *) Bugfix: when using HTTP/2 client request body was always written to + disk if the "Content-Length" header line was not present in the + request. + + Changes with nginx 1.21.1 06 Jul 2021 *) Change: now nginx always returns an error for the CONNECT method. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.21.1/CHANGES.ru new/nginx-1.21.2/CHANGES.ru --- old/nginx-1.21.1/CHANGES.ru 2021-07-06 16:59:20.000000000 +0200 +++ new/nginx-1.21.2/CHANGES.ru 2021-08-31 17:13:53.000000000 +0200 
@@ -1,4 +1,35 @@ +?????????????????? ?? nginx 1.21.2 31.08.2021 + + *) ??????????????????: ???????????? nginx ???????????????????? ????????????, ???????? ?? ?????????????? ???? + ?????????????????? HTTP/1.0 ???????????????????????? ???????????? ?????????????????? "Transfer-Encoding". + + *) ??????????????????: ???????????????????? ?????????? ???????????? ???? ????????????????????????????. + + *) ????????????????????: ?????????????????????????? ?? OpenSSL 3.0. + + *) ????????????????????: ???????????? ?????????????? ???????????????????????????? ?????????????????? ????????????-?????????????? + ???????????????????? ???????????? ?????????????????? "Auth-SSL-Protocol" ?? "Auth-SSL-Cipher". + ?????????????? Rob Mueller. + + *) ????????????????????: API ?????? ?????????????????? ???????? ?????????????? ???????????? ?????????????????? + ???????????????????????????? ???????????????????????????? ????????????. + + *) ??????????????????????: SSL-???????????????????? ?? ???????????????? ?? ???????????? stream ?????????? ???????????????? + ?????????? SSL handshake. + + *) ??????????????????????: ?????????????? ????????????????????????, ?????????????????? ?? OpenSSL 1.1.0 ?? ??????????, + ???? ???????????????????? ?????? ???????????????? ???????????????????????? ??????????????, ???????? ?????? ?????????? ?????????? + "@SECLEVEL=N" ?? ?????????????????? ssl_ciphers. + + *) ??????????????????????: SSL-???????????????????? ?? gRPC-?????????????????? ?????????? ????????????????, ???????? + ???????????????????????????? ???????????? select, poll ?????? /dev/poll. + + *) ??????????????????????: ?????? ?????????????????????????? HTTP/2 ???????? ?????????????? ???????????? + ???????????????????????? ???? ????????, ???????? ?? ?????????????? ???? ???????? ???????????? ?????????????????? + "Content-Length". + + ?????????????????? ?? nginx 1.21.1 06.07.2021 *) ??????????????????: ???????????? nginx ?????? ???????????? CONNECT ???????????? ???????????????????? ????????????. 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.21.1/html/50x.html new/nginx-1.21.2/html/50x.html --- old/nginx-1.21.1/html/50x.html 2021-07-06 16:59:17.000000000 +0200 +++ new/nginx-1.21.2/html/50x.html 2021-08-31 17:13:47.000000000 +0200 @@ -3,11 +3,9 @@ <head> <title>Error</title> <style> - body { - width: 35em; - margin: 0 auto; - font-family: Tahoma, Verdana, Arial, sans-serif; - } +html { color-scheme: light dark; } +body { width: 35em; margin: 0 auto; +font-family: Tahoma, Verdana, Arial, sans-serif; } </style> </head> <body> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.21.1/html/index.html new/nginx-1.21.2/html/index.html --- old/nginx-1.21.1/html/index.html 2021-07-06 16:59:17.000000000 +0200 +++ new/nginx-1.21.2/html/index.html 2021-08-31 17:13:47.000000000 +0200 @@ -3,11 +3,9 @@ <head> <title>Welcome to nginx!</title> <style> - body { - width: 35em; - margin: 0 auto; - font-family: Tahoma, Verdana, Arial, sans-serif; - } +html { color-scheme: light dark; } +body { width: 35em; margin: 0 auto; +font-family: Tahoma, Verdana, Arial, sans-serif; } </style> </head> <body> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.21.1/src/core/nginx.h new/nginx-1.21.2/src/core/nginx.h --- old/nginx-1.21.1/src/core/nginx.h 2021-07-06 16:59:17.000000000 +0200 +++ new/nginx-1.21.2/src/core/nginx.h 2021-08-31 17:13:47.000000000 +0200 
@@ -9,8 +9,8 @@ #define _NGINX_H_INCLUDED_ -#define nginx_version 1021001 -#define NGINX_VERSION "1.21.1" +#define nginx_version 1021002 +#define NGINX_VERSION "1.21.2" #define NGINX_VER "nginx/" NGINX_VERSION #ifdef NGX_BUILD diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.21.1/src/event/ngx_event_openssl.c new/nginx-1.21.2/src/event/ngx_event_openssl.c --- old/nginx-1.21.1/src/event/ngx_event_openssl.c 2021-07-06 16:59:17.000000000 +0200 +++ new/nginx-1.21.2/src/event/ngx_event_openssl.c 2021-08-31 17:13:47.000000000 +0200 @@ -299,11 +299,6 @@ SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER); #endif -#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING - /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */ - SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING); -#endif - #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG); #endif @@ -378,6 +373,10 @@ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_CLIENT_RENEGOTIATION); #endif +#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF + SSL_CTX_set_options(ssl->ctx, SSL_OP_IGNORE_UNEXPECTED_EOF); +#endif + #ifdef SSL_MODE_RELEASE_BUFFERS SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS); #endif @@ -859,11 +858,6 @@ SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); } -#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER) - /* a temporary 512-bit RSA key is required for export versions of MSIE */ - SSL_CTX_set_tmp_rsa_callback(ssl->ctx, ngx_ssl_rsa512_key_callback); -#endif - return NGX_OK; } 
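Review bot: The `SSL_OP_IGNORE_UNEXPECTED_EOF` block added in ngx_event_openssl.c (hunk `@@ -378,6 +373,10 @@`) sets the option without a comment, although it carries a security trade-off worth recording. OpenSSL 3.0 reports a peer that closes the connection without sending close_notify as an error so that truncation can be noticed, and this option restores the earlier lenient handling. With it set, message completeness has to be established by protocol framing (Content-Length, the chunked terminator, HTTP/2 END_STREAM) rather than by the TLS layer. I would add above the call `/* OpenSSL 3.0 treats EOF without close_notify as an error; keep the pre-3.0 behaviour, truncation is detected by protocol framing */`. The enclosing function starts and ends outside the hunk.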
@@ -1116,28 +1110,6 @@ } -RSA * -ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export, - int key_length) -{ - static RSA *key; - - if (key_length != 512) { - return NULL; - } - -#if (OPENSSL_VERSION_NUMBER < 0x10100003L && !defined OPENSSL_NO_DEPRECATED) - - if (key == NULL) { - key = RSA_generate_key(512, RSA_F4, NULL, NULL); - } - -#endif - - return key; -} - - ngx_array_t * ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file) { @@ -1350,7 +1322,6 @@ ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) { - DH *dh; BIO *bio; if (file->len == 0) { @@ -1368,6 +1339,10 @@ return NGX_ERROR; } +#ifdef SSL_CTX_set_tmp_dh + { + DH *dh; + dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); if (dh == NULL) { ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, @@ -1376,9 +1351,42 @@ return NGX_ERROR; } - SSL_CTX_set_tmp_dh(ssl->ctx, dh); + if (SSL_CTX_set_tmp_dh(ssl->ctx, dh) != 1) { + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, + "SSL_CTX_set_tmp_dh(\"%s\") failed", file->data); + DH_free(dh); + BIO_free(bio); + return NGX_ERROR; + } DH_free(dh); + } +#else + { + EVP_PKEY *dh; + + /* + * PEM_read_bio_DHparams() and SSL_CTX_set_tmp_dh() + * are deprecated in OpenSSL 3.0 + */ + + dh = PEM_read_bio_Parameters(bio, NULL); + if (dh == NULL) { + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, + "PEM_read_bio_Parameters(\"%s\") failed", file->data); + BIO_free(bio); + return NGX_ERROR; + } + + if (SSL_CTX_set0_tmp_dh_pkey(ssl->ctx, dh) != 1) { + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, + "SSL_CTX_set0_tmp_dh_pkey(\%s\") failed", file->data); + BIO_free(bio); + return NGX_ERROR; + } + } +#endif + BIO_free(bio); return NGX_OK; @@ -1740,6 +1748,9 @@ c->recv_chain = ngx_ssl_recv_chain; c->send_chain = ngx_ssl_send_chain; + c->read->ready = 1; + c->write->ready = 1; + #ifndef SSL_OP_NO_RENEGOTIATION #if OPENSSL_VERSION_NUMBER < 0x10100000L #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 
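Review bot: In the OpenSSL 3.0 branch added to ngx_ssl_dhparam() (hunk `@@ -1376,9 +1351,42 @@`), the error string `"SSL_CTX_set0_tmp_dh_pkey(\%s\") failed"` has the backslash in front of `%` instead of in front of a quote. The logged text therefore loses its opening quote, and `\%` is not a defined escape sequence; it should read `"SSL_CTX_set0_tmp_dh_pkey(\"%s\") failed"`. The same failure path frees `bio` but not the `EVP_PKEY` returned by PEM_read_bio_Parameters(), whereas the pre-3.0 branch calls `DH_free(dh)` on its failure path. A set0-style call normally takes ownership only on success, so `dh` looks leaked here; confirm the ownership rule for the OpenSSL versions supported before adding `EVP_PKEY_free(dh);`. The start of the function is outside this hunk.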
@@ -1885,6 +1896,9 @@ c->recv_chain = ngx_ssl_recv_chain; c->send_chain = ngx_ssl_send_chain; + c->read->ready = 1; + c->write->ready = 1; + rc = ngx_ssl_ocsp_validate(c); if (rc == NGX_ERROR) { @@ -3234,7 +3248,7 @@ for ( ;; ) { - n = ERR_peek_error_line_data(NULL, NULL, &data, &flags); + n = ERR_peek_error_data(&data, &flags); if (n == 0) { break; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.21.1/src/event/ngx_event_openssl.h new/nginx-1.21.2/src/event/ngx_event_openssl.h --- old/nginx-1.21.1/src/event/ngx_event_openssl.h 2021-07-06 16:59:17.000000000 +0200 +++ new/nginx-1.21.2/src/event/ngx_event_openssl.h 2021-08-31 17:13:47.000000000 +0200 @@ -12,6 +12,8 @@ #include <ngx_config.h> #include <ngx_core.h> +#define OPENSSL_SUPPRESS_DEPRECATED + #include <openssl/ssl.h> #include <openssl/err.h> #include <openssl/bn.h> @@ -27,7 +29,6 @@ #include <openssl/ocsp.h> #endif #include <openssl/rand.h> -#include <openssl/rsa.h> #include <openssl/x509.h> #include <openssl/x509v3.h> @@ -64,6 +65,16 @@ #endif +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined SSL_get_peer_certificate) +#define SSL_get_peer_certificate(s) SSL_get1_peer_certificate(s) +#endif + + +#if (OPENSSL_VERSION_NUMBER < 0x30000000L && !defined ERR_peek_error_data) +#define ERR_peek_error_data(d, f) ERR_peek_error_line_data(NULL, NULL, d, f) +#endif + + typedef struct ngx_ssl_ocsp_s ngx_ssl_ocsp_t; 
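Review bot: `#define OPENSSL_SUPPRESS_DEPRECATED` in ngx_event_openssl.h (hunk `@@ -12,6 +12,8 @@`) is added with no comment. Because it precedes every `<openssl/...>` include, it silences deprecation warnings for all code that includes this header, including calls written later. That removes the compiler's signal when new code picks up an API OpenSSL has marked for removal. A one-line comment such as `/* silence OpenSSL 3.0 deprecation warnings for APIs kept for older library versions */` would record the intent and make the define easier to retire later.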
@@ -196,8 +207,6 @@ ngx_int_t ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s); void ngx_ssl_ocsp_cleanup(ngx_connection_t *c); ngx_int_t ngx_ssl_ocsp_cache_init(ngx_shm_zone_t *shm_zone, void *data); -RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export, - int key_length); ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file); ngx_array_t *ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_array_t *passwords); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.21.1/src/http/modules/ngx_http_grpc_module.c new/nginx-1.21.2/src/http/modules/ngx_http_grpc_module.c --- old/nginx-1.21.1/src/http/modules/ngx_http_grpc_module.c 2021-07-06 16:59:17.000000000 +0200 +++ new/nginx-1.21.2/src/http/modules/ngx_http_grpc_module.c 2021-08-31 17:13:47.000000000 +0200 @@ -4896,6 +4896,12 @@ cln->handler = ngx_ssl_cleanup_ctx; cln->data = glcf->upstream.ssl; + if (ngx_ssl_ciphers(cf, glcf->upstream.ssl, &glcf->ssl_ciphers, 0) + != NGX_OK) + { + return NGX_ERROR; + } + if (glcf->upstream.ssl_certificate) { if (glcf->upstream.ssl_certificate_key == NULL) { @@ -4927,12 +4933,6 @@ } } - if (ngx_ssl_ciphers(cf, glcf->upstream.ssl, &glcf->ssl_ciphers, 0) - != NGX_OK) - { - return NGX_ERROR; - } - if (glcf->upstream.ssl_verify) { if (glcf->ssl_trusted_certificate.len == 0) { ngx_log_error(NGX_LOG_EMERG, cf->log, 0, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.21.1/src/http/modules/ngx_http_proxy_module.c new/nginx-1.21.2/src/http/modules/ngx_http_proxy_module.c --- old/nginx-1.21.1/src/http/modules/ngx_http_proxy_module.c 2021-07-06 16:59:17.000000000 +0200 +++ new/nginx-1.21.2/src/http/modules/ngx_http_proxy_module.c 2021-08-31 17:13:47.000000000 +0200 
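Review bot: The reason ngx_ssl_ciphers() must now run before the certificate block is not recorded in the code, either in this hunk (`@@ -4896,6 +4896,12 @@`, ngx_http_grpc_module.c) or in the matching moves in ngx_http_proxy_module.c, ngx_http_ssl_module.c and ngx_http_uwsgi_module.c. According to the CHANGES entry, a security level given as "@SECLEVEL=N" in the cipher string has to be in effect when certificates are loaded. A later tidy-up that moves the call back down would silently stop the level from applying to certificate loading. I would add `/* set ciphers first: "@SECLEVEL=N" must apply to certificate loading */` above each of the four calls. The enclosing functions extend beyond the hunks.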
@@ -4944,6 +4944,12 @@ cln->handler = ngx_ssl_cleanup_ctx; cln->data = plcf->upstream.ssl; + if (ngx_ssl_ciphers(cf, plcf->upstream.ssl, &plcf->ssl_ciphers, 0) + != NGX_OK) + { + return NGX_ERROR; + } + if (plcf->upstream.ssl_certificate) { if (plcf->upstream.ssl_certificate_key == NULL) { @@ -4975,12 +4981,6 @@ } } - if (ngx_ssl_ciphers(cf, plcf->upstream.ssl, &plcf->ssl_ciphers, 0) - != NGX_OK) - { - return NGX_ERROR; - } - if (plcf->upstream.ssl_verify) { if (plcf->ssl_trusted_certificate.len == 0) { ngx_log_error(NGX_LOG_EMERG, cf->log, 0, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.21.1/src/http/modules/ngx_http_ssl_module.c new/nginx-1.21.2/src/http/modules/ngx_http_ssl_module.c --- old/nginx-1.21.1/src/http/modules/ngx_http_ssl_module.c 2021-07-06 16:59:17.000000000 +0200 +++ new/nginx-1.21.2/src/http/modules/ngx_http_ssl_module.c 2021-08-31 17:13:47.000000000 +0200 @@ -797,6 +797,13 @@ ngx_http_ssl_npn_advertised, NULL); #endif + if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, + conf->prefer_server_ciphers) + != NGX_OK) + { + return NGX_CONF_ERROR; + } + if (ngx_http_ssl_compile_certificates(cf, conf) != NGX_OK) { return NGX_CONF_ERROR; } @@ -829,13 +836,6 @@ } } - if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, - conf->prefer_server_ciphers) - != NGX_OK) - { - return NGX_CONF_ERROR; - } - conf->ssl.buffer_size = conf->buffer_size; if (conf->verify) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.21.1/src/http/modules/ngx_http_uwsgi_module.c new/nginx-1.21.2/src/http/modules/ngx_http_uwsgi_module.c --- old/nginx-1.21.1/src/http/modules/ngx_http_uwsgi_module.c 2021-07-06 16:59:17.000000000 +0200 +++ new/nginx-1.21.2/src/http/modules/ngx_http_uwsgi_module.c 2021-08-31 17:13:47.000000000 +0200 
@@ -2432,6 +2432,12 @@ cln->handler = ngx_ssl_cleanup_ctx; cln->data = uwcf->upstream.ssl; + if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers, 0) + != NGX_OK) + { + return NGX_ERROR; + } + if (uwcf->upstream.ssl_certificate) { if (uwcf->upstream.ssl_certificate_key == NULL) { @@ -2463,12 +2469,6 @@ } } - if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers, 0) - != NGX_OK) - { - return NGX_ERROR; - } - if (uwcf->upstream.ssl_verify) { if (uwcf->ssl_trusted_certificate.len == 0) { ngx_log_error(NGX_LOG_EMERG, cf->log, 0, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.21.1/src/http/ngx_http_request.c new/nginx-1.21.2/src/http/ngx_http_request.c --- old/nginx-1.21.1/src/http/ngx_http_request.c 2021-07-06 16:59:17.000000000 +0200 +++ new/nginx-1.21.2/src/http/ngx_http_request.c 2021-08-31 17:13:47.000000000 +0200 @@ -1983,6 +1983,14 @@ } if (r->headers_in.transfer_encoding) { + if (r->http_version < NGX_HTTP_VERSION_11) { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "client sent HTTP/1.0 request with " + "\"Transfer-Encoding\" header"); + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + return NGX_ERROR; + } + if (r->headers_in.transfer_encoding->value.len == 7 && ngx_strncasecmp(r->headers_in.transfer_encoding->value.data, (u_char *) "chunked", 7) == 0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.21.1/src/http/ngx_http_request.h new/nginx-1.21.2/src/http/ngx_http_request.h --- old/nginx-1.21.1/src/http/ngx_http_request.h 2021-07-06 16:59:17.000000000 +0200 +++ new/nginx-1.21.2/src/http/ngx_http_request.h 2021-08-31 17:13:47.000000000 +0200 
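Review bot: The new `r->http_version < NGX_HTTP_VERSION_11` check in ngx_http_request.c (hunk `@@ -1983,6 +1983,14 @@`) has no comment explaining why the request is refused rather than having the header ignored. Transfer-Encoding is not defined for HTTP/1.0, so accepting it lets nginx and another hop disagree about where the request body ends, which is the precondition for request-smuggling problems. I would add above the check `/* Transfer-Encoding is not defined for HTTP/1.0; reject to avoid body-framing disagreement with other hops */`. The enclosing function starts and ends outside the hunk.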
@@ -302,6 +302,9 @@ ngx_chain_t *busy; ngx_http_chunked_t *chunked; ngx_http_client_body_handler_pt post_handler; + unsigned filter_need_buffering:1; + unsigned last_sent:1; + unsigned last_saved:1; } ngx_http_request_body_t; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.21.1/src/http/ngx_http_request_body.c new/nginx-1.21.2/src/http/ngx_http_request_body.c --- old/nginx-1.21.1/src/http/ngx_http_request_body.c 2021-07-06 16:59:17.000000000 +0200 +++ new/nginx-1.21.2/src/http/ngx_http_request_body.c 2021-08-31 17:13:47.000000000 +0200 @@ -62,11 +62,16 @@ /* * set by ngx_pcalloc(): * + * rb->temp_file = NULL; * rb->bufs = NULL; * rb->buf = NULL; * rb->free = NULL; * rb->busy = NULL; * rb->chunked = NULL; + * rb->received = 0; + * rb->filter_need_buffering = 0; + * rb->last_sent = 0; + * rb->last_saved = 0; */ rb->rest = -1; @@ -144,7 +149,7 @@ } } - if (rb->rest == 0) { + if (rb->rest == 0 && rb->last_saved) { /* the whole request body was pre-read */ r->request_body_no_buffering = 0; post_handler(r); @@ -172,6 +177,10 @@ size += preread; } + if (size == 0) { + size++; + } + } else { size = clcf->client_body_buffer_size; } @@ -270,6 +279,7 @@ size_t size; ssize_t n; ngx_int_t rc; + ngx_uint_t flush; ngx_chain_t out; ngx_connection_t *c; ngx_http_request_body_t *rb; @@ -277,12 +287,17 @@ c = r->connection; rb = r->request_body; + flush = 1; ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http read client request body"); for ( ;; ) { for ( ;; ) { + if (rb->rest == 0) { + break; + } + if (rb->buf->last == rb->buf->end) { /* update chains */ 
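Review bot: The `if (size == 0) { size++; }` added in ngx_http_request_body.c (hunk `@@ -172,6 +177,10 @@`) is unexplained, and the increment form hides that the intent is a minimum size of one byte. It presumably exists so that a real buffer is still allocated when nothing remains to be read but the body has not yet been marked `last_saved`; that is inferred from the other hunks and should be confirmed. I would write `size = 1;` and add `/* always allocate a non-empty buffer, even when no body bytes remain */`. The enclosing function starts and ends outside the hunk.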
@@ -306,12 +321,25 @@ return NGX_AGAIN; } + if (rb->filter_need_buffering) { + clcf = ngx_http_get_module_loc_conf(r, + ngx_http_core_module); + ngx_add_timer(c->read, clcf->client_body_timeout); + + if (ngx_handle_read_event(c->read, 0) != NGX_OK) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + return NGX_AGAIN; + } + ngx_log_error(NGX_LOG_ALERT, c->log, 0, "busy buffers after request body flush"); return NGX_HTTP_INTERNAL_SERVER_ERROR; } + flush = 0; rb->buf->pos = rb->buf->start; rb->buf->last = rb->buf->start; } @@ -323,6 +351,10 @@ size = (size_t) rest; } + if (size == 0) { + break; + } + n = c->recv(c, rb->buf->last, size); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, @@ -347,6 +379,7 @@ /* pass buffer to request body filter chain */ + flush = 0; out.buf = rb->buf; out.next = NULL; @@ -368,11 +401,19 @@ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http client request body rest %O", rb->rest); - if (rb->rest == 0) { + if (flush) { + rc = ngx_http_request_body_filter(r, NULL); + + if (rc != NGX_OK) { + return rc; + } + } + + if (rb->rest == 0 && rb->last_saved) { break; } - if (!c->read->ready) { + if (!c->read->ready || rb->rest == 0) { clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); ngx_add_timer(c->read, clcf->client_body_timeout); @@ -939,15 +980,32 @@ rb = r->request_body; + out = NULL; + ll = &out; + if (rb->rest == -1) { ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http request body content length filter"); rb->rest = r->headers_in.content_length_n; - } - out = NULL; - ll = &out; + if (rb->rest == 0) { + + tl = ngx_chain_get_free_buf(r->pool, &rb->free); + if (tl == NULL) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + b = tl->buf; + + ngx_memzero(b, sizeof(ngx_buf_t)); + + b->last_buf = 1; + + *ll = tl; + ll = &tl->next; + } + } for (cl = in; cl; cl = cl->next) { @@ -1011,6 +1069,9 @@ rb = r->request_body; + out = NULL; + ll = &out; + if (rb->rest == -1) { ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, 
@@ -1027,9 +1088,6 @@ rb->rest = cscf->large_client_header_buffers.size; } - out = NULL; - ll = &out; - for (cl = in; cl; cl = cl->next) { b = NULL; @@ -1186,15 +1244,16 @@ ngx_http_request_body_save_filter(ngx_http_request_t *r, ngx_chain_t *in) { ngx_buf_t *b; - ngx_chain_t *cl; + ngx_chain_t *cl, *tl, **ll; ngx_http_request_body_t *rb; rb = r->request_body; -#if (NGX_DEBUG) + ll = &rb->bufs; -#if 0 for (cl = rb->bufs; cl; cl = cl->next) { + +#if 0 ngx_log_debug7(NGX_LOG_DEBUG_EVENT, r->connection->log, 0, "http body old buf t:%d f:%d %p, pos %p, size: %z " "file: %O, size: %O", @@ -1203,10 +1262,13 @@ cl->buf->last - cl->buf->pos, cl->buf->file_pos, cl->buf->file_last - cl->buf->file_pos); - } #endif + ll = &cl->next; + } + for (cl = in; cl; cl = cl->next) { + ngx_log_debug7(NGX_LOG_DEBUG_EVENT, r->connection->log, 0, "http body new buf t:%d f:%d %p, pos %p, size: %z " "file: %O, size: %O", @@ -1215,16 +1277,32 @@ cl->buf->last - cl->buf->pos, cl->buf->file_pos, cl->buf->file_last - cl->buf->file_pos); - } -#endif + if (cl->buf->last_buf) { - /* TODO: coalesce neighbouring buffers */ + if (rb->last_saved) { + ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0, + "duplicate last buf in save filter"); + *ll = NULL; + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } - if (ngx_chain_add_copy(r->pool, &rb->bufs, in) != NGX_OK) { - return NGX_HTTP_INTERNAL_SERVER_ERROR; + rb->last_saved = 1; + } + + tl = ngx_alloc_chain_link(r->pool); + if (tl == NULL) { + *ll = NULL; + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + tl->buf = cl->buf; + *ll = tl; + ll = &tl->next; } + *ll = NULL; + if (r->request_body_no_buffering) { return NGX_OK; } 
@@ -1240,10 +1318,18 @@ return NGX_OK; } - /* rb->rest == 0 */ + if (!rb->last_saved) { + return NGX_OK; + } if (rb->temp_file || r->request_body_in_file_only) { + if (rb->bufs && rb->bufs->buf->in_file) { + ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0, + "body already in file"); + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + if (ngx_http_write_request_body(r) != NGX_OK) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.21.1/src/http/ngx_http_upstream.c new/nginx-1.21.2/src/http/ngx_http_upstream.c --- old/nginx-1.21.1/src/http/ngx_http_upstream.c 2021-07-06 16:59:17.000000000 +0200 +++ new/nginx-1.21.2/src/http/ngx_http_upstream.c 2021-08-31 17:13:47.000000000 +0200 @@ -2113,6 +2113,10 @@ c->tcp_nopush = NGX_TCP_NOPUSH_UNSET; } + if (c->read->ready) { + ngx_post_event(c->read, &ngx_posted_events); + } + return; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.21.1/src/http/v2/ngx_http_v2.c new/nginx-1.21.2/src/http/v2/ngx_http_v2.c --- old/nginx-1.21.1/src/http/v2/ngx_http_v2.c 2021-07-06 16:59:17.000000000 +0200 +++ new/nginx-1.21.2/src/http/v2/ngx_http_v2.c 2021-08-31 17:13:47.000000000 +0200 @@ -173,7 +173,7 @@ static void ngx_http_v2_run_request(ngx_http_request_t *r); static void ngx_http_v2_run_request_handler(ngx_event_t *ev); static ngx_int_t ngx_http_v2_process_request_body(ngx_http_request_t *r, - u_char *pos, size_t size, ngx_uint_t last); + u_char *pos, size_t size, ngx_uint_t last, ngx_uint_t flush); static ngx_int_t ngx_http_v2_filter_request_body(ngx_http_request_t *r); static void ngx_http_v2_read_client_request_body_handler(ngx_http_request_t *r); @@ -1092,7 +1092,7 @@ ngx_http_v2_state_read_data(ngx_http_v2_connection_t *h2c, u_char *pos, u_char *end) { - size_t size; + size_t size, window; ngx_buf_t *buf; ngx_int_t rc; ngx_connection_t *fc; 
@@ -1140,13 +1140,40 @@ h2c->payload_bytes += size; if (r->request_body) { - rc = ngx_http_v2_process_request_body(r, pos, size, stream->in_closed); + rc = ngx_http_v2_process_request_body(r, pos, size, + stream->in_closed, 0); - if (rc != NGX_OK) { + if (rc != NGX_OK && rc != NGX_AGAIN) { stream->skip_data = 1; ngx_http_finalize_request(r, rc); } + if (rc == NGX_AGAIN && !stream->no_flow_control) { + buf = r->request_body->buf; + window = buf->end - buf->last; + + window -= h2c->state.length - size; + + if (window < stream->recv_window) { + ngx_log_error(NGX_LOG_ALERT, h2c->connection->log, 0, + "http2 negative window update"); + return ngx_http_v2_connection_error(h2c, + NGX_HTTP_V2_INTERNAL_ERROR); + } + + if (window > stream->recv_window) { + if (ngx_http_v2_send_window_update(h2c, stream->node->id, + window - stream->recv_window) + == NGX_ERROR) + { + return ngx_http_v2_connection_error(h2c, + NGX_HTTP_V2_INTERNAL_ERROR); + } + + stream->recv_window = window; + } + } + ngx_http_run_posted_requests(fc); } else if (size) { @@ -4027,16 +4054,30 @@ return NGX_OK; } + rb->rest = 1; + + /* set rb->filter_need_buffering */ + + rc = ngx_http_top_request_body_filter(r, NULL); + + if (rc != NGX_OK) { + stream->skip_data = 1; + return rc; + } + h2scf = ngx_http_get_module_srv_conf(r, ngx_http_v2_module); clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); len = r->headers_in.content_length_n; - if (r->request_body_no_buffering && !stream->in_closed) { + if (len < 0 || len > (off_t) clcf->client_body_buffer_size) { + len = clcf->client_body_buffer_size; - if (len < 0 || len > (off_t) clcf->client_body_buffer_size) { - len = clcf->client_body_buffer_size; - } + } else { + len++; + } + + if (r->request_body_no_buffering || rb->filter_need_buffering) { /* * We need a room to store data up to the stream's initial window size, 
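Review bot: `window` is a `size_t` in ngx_http_v2_state_read_data() (declared in the preceding hunk), so `window -= h2c->state.length - size;` in hunk `@@ -1140,13 +1140,40 @@` wraps to a very large value if the unread remainder of the frame ever exceeds the free space in `rb->buf`. The following `window < stream->recv_window` check, which logs "http2 negative window update", would then not fire. Flow control presumably guarantees this cannot happen, but that invariant is not visible here. An explicit guard before the subtraction, for example `if (h2c->state.length - size > window) { /* alert and connection error */ }`, would make the existing alert path cover it. The same unsigned subtraction appears in ngx_http_v2_read_client_request_body_handler() (hunk `@@ -4347,6 +4442,63 @@`) as `window -= h2c->state.length;`.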
@@ -4050,57 +4091,54 @@ if (len > NGX_HTTP_V2_MAX_WINDOW) { len = NGX_HTTP_V2_MAX_WINDOW; } - - rb->buf = ngx_create_temp_buf(r->pool, (size_t) len); - - } else if (len >= 0 && len <= (off_t) clcf->client_body_buffer_size - && !r->request_body_in_file_only) - { - rb->buf = ngx_create_temp_buf(r->pool, (size_t) len); - - } else { - rb->buf = ngx_calloc_buf(r->pool); - - if (rb->buf != NULL) { - rb->buf->sync = 1; - } } + rb->buf = ngx_create_temp_buf(r->pool, (size_t) len); + if (rb->buf == NULL) { stream->skip_data = 1; return NGX_HTTP_INTERNAL_SERVER_ERROR; } - rb->rest = 1; - buf = stream->preread; if (stream->in_closed) { - r->request_body_no_buffering = 0; + if (!rb->filter_need_buffering) { + r->request_body_no_buffering = 0; + } if (buf) { rc = ngx_http_v2_process_request_body(r, buf->pos, - buf->last - buf->pos, 1); + buf->last - buf->pos, 1, 0); ngx_pfree(r->pool, buf->start); + + } else { + rc = ngx_http_v2_process_request_body(r, NULL, 0, 1, 0); + } + + if (rc != NGX_AGAIN) { return rc; } - return ngx_http_v2_process_request_body(r, NULL, 0, 1); + r->read_event_handler = ngx_http_v2_read_client_request_body_handler; + r->write_event_handler = ngx_http_request_empty_handler; + + return NGX_AGAIN; } if (buf) { rc = ngx_http_v2_process_request_body(r, buf->pos, - buf->last - buf->pos, 0); + buf->last - buf->pos, 0, 0); ngx_pfree(r->pool, buf->start); - if (rc != NGX_OK) { + if (rc != NGX_OK && rc != NGX_AGAIN) { stream->skip_data = 1; return rc; } } - if (r->request_body_no_buffering) { + if (r->request_body_no_buffering || rb->filter_need_buffering) { size = (size_t) len - h2scf->preread_size; } else { @@ -4142,9 +4180,9 @@ static ngx_int_t ngx_http_v2_process_request_body(ngx_http_request_t *r, u_char *pos, - size_t size, ngx_uint_t last) + size_t size, ngx_uint_t last, ngx_uint_t flush) { - ngx_buf_t *buf; + size_t n; ngx_int_t rc; ngx_connection_t *fc; ngx_http_request_body_t *rb; 
@@ -4152,77 +4190,128 @@ fc = r->connection; rb = r->request_body; - buf = rb->buf; - if (size) { - if (buf->sync) { - buf->pos = buf->start = pos; - buf->last = buf->end = pos + size; + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, fc->log, 0, + "http2 process request body"); - r->request_body_in_file_only = 1; + if (size == 0 && !last && !flush) { + return NGX_AGAIN; + } - } else { - if (size > (size_t) (buf->end - buf->last)) { - ngx_log_error(NGX_LOG_INFO, fc->log, 0, - "client intended to send body data " - "larger than declared"); + for ( ;; ) { + for ( ;; ) { + if (rb->buf->last == rb->buf->end && size) { - return NGX_HTTP_BAD_REQUEST; + if (r->request_body_no_buffering) { + + /* should never happen due to flow control */ + + ngx_log_error(NGX_LOG_ALERT, fc->log, 0, + "no space in http2 body buffer"); + + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + /* update chains */ + + ngx_log_error(NGX_LOG_DEBUG, fc->log, 0, + "http2 body update chains"); + + rc = ngx_http_v2_filter_request_body(r); + + if (rc != NGX_OK) { + return rc; + } + + if (rb->busy != NULL) { + ngx_log_error(NGX_LOG_ALERT, fc->log, 0, + "busy buffers after request body flush"); + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + rb->buf->pos = rb->buf->start; + rb->buf->last = rb->buf->start; } - buf->last = ngx_cpymem(buf->last, pos, size); - } - } + /* copy body data to the buffer */ - if (last) { - rb->rest = 0; + n = rb->buf->end - rb->buf->last; - if (fc->read->timer_set) { - ngx_del_timer(fc->read); - } + if (n > size) { + n = size; + } - if (r->request_body_no_buffering) { - ngx_post_event(fc->read, &ngx_posted_events); - return NGX_OK; - } + if (n > 0) { + rb->buf->last = ngx_cpymem(rb->buf->last, pos, n); + } - rc = ngx_http_v2_filter_request_body(r); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, fc->log, 0, + "http2 request body recv %uz", n); - if (rc != NGX_OK) { - return rc; - } + pos += n; + size -= n; + + if (size == 0 && last) { + rb->rest = 0; + } + + if (r->request_body_no_buffering) { + break; + } 
+ + /* pass buffer to request body filter chain */ - if (buf->sync) { - /* prevent reusing this buffer in the upstream module */ - rb->buf = NULL; + rc = ngx_http_v2_filter_request_body(r); + + if (rc != NGX_OK) { + return rc; + } + + if (rb->rest == 0) { + break; + } + + if (size == 0) { + break; + } } - if (r->headers_in.chunked) { - r->headers_in.content_length_n = rb->received; + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, fc->log, 0, + "http2 request body rest %O", rb->rest); + + if (rb->rest == 0 && rb->last_saved) { + break; } - r->read_event_handler = ngx_http_block_reading; - rb->post_handler(r); + if (size == 0) { + clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); + ngx_add_timer(fc->read, clcf->client_body_timeout); - return NGX_OK; - } + if (r->request_body_no_buffering) { + ngx_post_event(fc->read, &ngx_posted_events); + return NGX_AGAIN; + } - if (size == 0) { - return NGX_OK; + return NGX_AGAIN; + } } - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - ngx_add_timer(fc->read, clcf->client_body_timeout); + if (fc->read->timer_set) { + ngx_del_timer(fc->read); + } if (r->request_body_no_buffering) { ngx_post_event(fc->read, &ngx_posted_events); return NGX_OK; } - if (buf->sync) { - return ngx_http_v2_filter_request_body(r); + if (r->headers_in.chunked) { + r->headers_in.content_length_n = rb->received; } + r->read_event_handler = ngx_http_block_reading; + rb->post_handler(r); + return NGX_OK; } @@ -4239,7 +4328,7 @@ rb = r->request_body; buf = rb->buf; - if (buf->pos == buf->last && rb->rest) { + if (buf->pos == buf->last && (rb->rest || rb->last_sent)) { cl = NULL; goto update; } @@ -4302,6 +4391,7 @@ } b->last_buf = 1; + rb->last_sent = 1; } b->tag = (ngx_buf_tag_t) &ngx_http_v2_filter_request_body; 
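Review bot: `ngx_log_error(NGX_LOG_DEBUG, fc->log, 0, "http2 body update chains");` in the rewritten ngx_http_v2_process_request_body() (hunk `@@ -4152,77 +4190,128 @@`) is the only debug message in the hunk that bypasses the debug macros. The neighbouring messages use `ngx_log_debug0(NGX_LOG_DEBUG_HTTP, ...)` and `ngx_log_debug1(...)`. As written, the line is presumably filtered by log level rather than by the HTTP debug mask, and it is compiled in even in builds without debug logging; the macro definitions are outside this page, so confirm. I would change it to `ngx_log_debug0(NGX_LOG_DEBUG_HTTP, fc->log, 0, "http2 body update chains");`.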
@@ -4321,7 +4411,12 @@ static void ngx_http_v2_read_client_request_body_handler(ngx_http_request_t *r) { - ngx_connection_t *fc; + size_t window; + ngx_buf_t *buf; + ngx_int_t rc; + ngx_connection_t *fc; + ngx_http_v2_stream_t *stream; + ngx_http_v2_connection_t *h2c; fc = r->connection; @@ -4347,6 +4442,63 @@ ngx_http_finalize_request(r, NGX_HTTP_CLIENT_CLOSED_REQUEST); return; } + + rc = ngx_http_v2_process_request_body(r, NULL, 0, r->stream->in_closed, 1); + + if (rc != NGX_OK && rc != NGX_AGAIN) { + r->stream->skip_data = 1; + ngx_http_finalize_request(r, rc); + return; + } + + if (rc == NGX_OK) { + return; + } + + if (r->request_body->rest == 0) { + return; + } + + stream = r->stream; + h2c = stream->connection; + + buf = r->request_body->buf; + window = buf->end - buf->start; + + if (h2c->state.stream == stream) { + window -= h2c->state.length; + } + + if (window <= stream->recv_window) { + if (window < stream->recv_window) { + ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0, + "http2 negative window update"); + + stream->skip_data = 1; + + ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); + return; + } + + return; + } + + if (ngx_http_v2_send_window_update(h2c, stream->node->id, + window - stream->recv_window) + == NGX_ERROR) + { + stream->skip_data = 1; + ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); + return; + } + + stream->recv_window = window; + + if (ngx_http_v2_send_output_queue(h2c) == NGX_ERROR) { + stream->skip_data = 1; + ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); + return; + } } @@ -4364,6 +4516,9 @@ stream = r->stream; fc = r->connection; + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, fc->log, 0, + "http2 read unbuffered request body"); + if (fc->read->timedout) { if (stream->recv_window) { stream->skip_data = 1; 
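Review bot: `window` is declared `size_t`, so `window -= h2c->state.length;` in the `@@ -4347,6 +4442,63 @@` hunk wraps if the pending length ever exceeds `buf->end - buf->start`. The wrapped value would skip the `window <= stream->recv_window` branch and be passed to `ngx_http_v2_send_window_update()` as a very large increment, instead of reaching the "http2 negative window update" alert. Flow control presumably rules this out, but nothing in the hunk states or checks that invariant. I would clamp before subtracting, e.g. `window = (h2c->state.length > window) ? 0 : window - h2c->state.length;`, so that a violation falls into the existing `window <= stream->recv_window` handling, or at least add a comment naming the invariant. The handler begins before this hunk.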
@@ -4387,10 +4542,14 @@ return rc; } - if (!r->request_body->rest) { + if (r->request_body->rest == 0 && r->request_body->last_saved) { return NGX_OK; } + if (r->request_body->rest == 0) { + return NGX_AGAIN; + } + if (r->request_body->busy != NULL) { return NGX_AGAIN; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.21.1/src/mail/ngx_mail_auth_http_module.c new/nginx-1.21.2/src/mail/ngx_mail_auth_http_module.c --- old/nginx-1.21.1/src/mail/ngx_mail_auth_http_module.c 2021-07-06 16:59:17.000000000 +0200 +++ new/nginx-1.21.2/src/mail/ngx_mail_auth_http_module.c 2021-08-31 17:13:47.000000000 +0200 @@ -1137,8 +1137,8 @@ ngx_str_t login, passwd; ngx_connection_t *c; #if (NGX_MAIL_SSL) - ngx_str_t verify, subject, issuer, serial, fingerprint, - raw_cert, cert; + ngx_str_t protocol, cipher, verify, subject, issuer, + serial, fingerprint, raw_cert, cert; ngx_mail_ssl_conf_t *sslcf; #endif ngx_mail_core_srv_conf_t *cscf; @@ -1155,6 +1155,25 @@ #if (NGX_MAIL_SSL) + if (c->ssl) { + + if (ngx_ssl_get_protocol(c, pool, &protocol) != NGX_OK) { + return NULL; + } + + protocol.len = ngx_strlen(protocol.data); + + if (ngx_ssl_get_cipher_name(c, pool, &cipher) != NGX_OK) { + return NULL; + } + + cipher.len = ngx_strlen(cipher.data); + + } else { + ngx_str_null(&protocol); + ngx_str_null(&cipher); + } + sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module); if (c->ssl && sslcf->verify) { @@ -1252,6 +1271,10 @@ if (c->ssl) { len += sizeof("Auth-SSL: on" CRLF) - 1 + + sizeof("Auth-SSL-Protocol: ") - 1 + protocol.len + + sizeof(CRLF) - 1 + + sizeof("Auth-SSL-Cipher: ") - 1 + cipher.len + + sizeof(CRLF) - 1 + sizeof("Auth-SSL-Verify: ") - 1 + verify.len + sizeof(CRLF) - 1 + sizeof("Auth-SSL-Subject: ") - 1 + subject.len 
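Review bot: The two consecutive `r->request_body->rest == 0` tests in the `@@ -4387,10 +4542,14 @@` hunk give no reason why a fully received body returns `NGX_AGAIN` when `last_saved` is not set. I would fold them into one branch, `if (r->request_body->rest == 0) { return r->request_body->last_saved ? NGX_OK : NGX_AGAIN; }`, and put a comment above it such as `/* all data received, but the last buffer may not have been saved by the filter chain yet */`. That wording is inferred from the field name and should be confirmed against the body filter. The enclosing function starts and ends outside the hunk.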
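Review bot: `ngx_strlen(protocol.data)` and `ngx_strlen(cipher.data)` in the new `c->ssl` block of the `@@ -1155,6 +1155,25 @@` hunk rely on `ngx_ssl_get_protocol()` and `ngx_ssl_get_cipher_name()` leaving a non-NULL, NUL-terminated string in `.data` whenever they return `NGX_OK`. That contract is not visible on this page. A short comment would make the dependency explicit, for example `/* the getters fill only .data with a NUL-terminated string; .len is computed here */`, once that is confirmed against the two helpers. The enclosing function extends beyond the hunk on both sides.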
@@ -1373,6 +1396,20 @@ b->last = ngx_cpymem(b->last, "Auth-SSL: on" CRLF, sizeof("Auth-SSL: on" CRLF) - 1); + if (protocol.len) { + b->last = ngx_cpymem(b->last, "Auth-SSL-Protocol: ", + sizeof("Auth-SSL-Protocol: ") - 1); + b->last = ngx_copy(b->last, protocol.data, protocol.len); + *b->last++ = CR; *b->last++ = LF; + } + + if (cipher.len) { + b->last = ngx_cpymem(b->last, "Auth-SSL-Cipher: ", + sizeof("Auth-SSL-Cipher: ") - 1); + b->last = ngx_copy(b->last, cipher.data, cipher.len); + *b->last++ = CR; *b->last++ = LF; + } + if (verify.len) { b->last = ngx_cpymem(b->last, "Auth-SSL-Verify: ", sizeof("Auth-SSL-Verify: ") - 1); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.21.1/src/mail/ngx_mail_ssl_module.c new/nginx-1.21.2/src/mail/ngx_mail_ssl_module.c --- old/nginx-1.21.1/src/mail/ngx_mail_ssl_module.c 2021-07-06 16:59:17.000000000 +0200 +++ new/nginx-1.21.2/src/mail/ngx_mail_ssl_module.c 2021-08-31 17:13:47.000000000 +0200 @@ -394,6 +394,13 @@ cln->handler = ngx_ssl_cleanup_ctx; cln->data = &conf->ssl; + if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, + conf->prefer_server_ciphers) + != NGX_OK) + { + return NGX_CONF_ERROR; + } + if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, conf->certificate_keys, conf->passwords) != NGX_OK) @@ -430,13 +437,6 @@ } } - if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, - conf->prefer_server_ciphers) - != NGX_OK) - { - return NGX_CONF_ERROR; - } - if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { return NGX_CONF_ERROR; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.21.1/src/os/unix/ngx_atomic.h new/nginx-1.21.2/src/os/unix/ngx_atomic.h --- old/nginx-1.21.1/src/os/unix/ngx_atomic.h 2021-07-06 16:59:17.000000000 +0200 +++ new/nginx-1.21.2/src/os/unix/ngx_atomic.h 2021-08-31 17:13:47.000000000 +0200 
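Review bot: `protocol.data` and `cipher.data` are copied into the auth request with `ngx_copy()` unchanged, so the two new header lines in the `@@ -1373,6 +1396,20 @@` hunk are only well-formed if those strings can never contain CR or LF. They appear to come from the TLS library rather than from client-supplied text, which would make the raw copy safe, but the hunk does not say so. I would add a comment above the `if (protocol.len)` block such as `/* protocol and cipher names are library-provided tokens; no escaping needed */`, after checking it against the two getters. The surrounding function begins and ends outside the hunk.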
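Review bot: Nothing at the new `ngx_ssl_ciphers()` call site in the `@@ -394,6 +394,13 @@` hunk says that it has to run before `ngx_ssl_certificates()`. Per the package changelog, that ordering is what makes a security level set with "@SECLEVEL=N" in `ssl_ciphers` apply to loading of the server certificates, and a later cleanup could move the call back without any visible signal. I would add a comment above it, e.g. `/* set ciphers first: "@SECLEVEL=N" must be in effect before certificates are loaded */`. The same applies to the moved calls in ngx_stream_proxy_module.c (`@@ -2185,6 +2185,10 @@`) and ngx_stream_ssl_module.c (`@@ -720,6 +720,13 @@`).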
@@ -38,6 +38,39 @@ #define ngx_cpu_pause() +#elif (NGX_HAVE_GCC_ATOMIC) + +/* GCC 4.1 builtin atomic operations */ + +#define NGX_HAVE_ATOMIC_OPS 1 + +typedef long ngx_atomic_int_t; +typedef unsigned long ngx_atomic_uint_t; + +#if (NGX_PTR_SIZE == 8) +#define NGX_ATOMIC_T_LEN (sizeof("-9223372036854775808") - 1) +#else +#define NGX_ATOMIC_T_LEN (sizeof("-2147483648") - 1) +#endif + +typedef volatile ngx_atomic_uint_t ngx_atomic_t; + + +#define ngx_atomic_cmp_set(lock, old, set) \ + __sync_bool_compare_and_swap(lock, old, set) + +#define ngx_atomic_fetch_add(value, add) \ + __sync_fetch_and_add(value, add) + +#define ngx_memory_barrier() __sync_synchronize() + +#if ( __i386__ || __i386 || __amd64__ || __amd64 ) +#define ngx_cpu_pause() __asm__ ("pause") +#else +#define ngx_cpu_pause() +#endif + + #elif (NGX_DARWIN_ATOMIC) /* 
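Review bot: The `NGX_HAVE_GCC_ATOMIC` branch now sits ahead of `NGX_DARWIN_ATOMIC` in the `#elif` chain, so the `__sync_*` builtins are selected when both macros are set, but the reason for that precedence is not recorded anywhere in the hunk. Since only the position of the block changed, a one-line comment is the only guard against someone reordering the chain again. I would extend the existing header comment to something like `/* GCC 4.1 builtin atomic operations; checked before NGX_DARWIN_ATOMIC so the builtins are preferred */`, if that is the intent. The conditional chain starts and continues outside the hunk.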
@@ -88,39 +121,6 @@ typedef volatile ngx_atomic_uint_t ngx_atomic_t; -#elif (NGX_HAVE_GCC_ATOMIC) - -/* GCC 4.1 builtin atomic operations */ - -#define NGX_HAVE_ATOMIC_OPS 1 - -typedef long ngx_atomic_int_t; -typedef unsigned long ngx_atomic_uint_t; - -#if (NGX_PTR_SIZE == 8) -#define NGX_ATOMIC_T_LEN (sizeof("-9223372036854775808") - 1) -#else -#define NGX_ATOMIC_T_LEN (sizeof("-2147483648") - 1) -#endif - -typedef volatile ngx_atomic_uint_t ngx_atomic_t; - - -#define ngx_atomic_cmp_set(lock, old, set) \ - __sync_bool_compare_and_swap(lock, old, set) - -#define ngx_atomic_fetch_add(value, add) \ - __sync_fetch_and_add(value, add) - -#define ngx_memory_barrier() __sync_synchronize() - -#if ( __i386__ || __i386 || __amd64__ || __amd64 ) -#define ngx_cpu_pause() __asm__ ("pause") -#else -#define ngx_cpu_pause() -#endif - - #elif ( __i386__ || __i386 ) typedef int32_t ngx_atomic_int_t; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.21.1/src/stream/ngx_stream_proxy_module.c new/nginx-1.21.2/src/stream/ngx_stream_proxy_module.c --- old/nginx-1.21.1/src/stream/ngx_stream_proxy_module.c 2021-07-06 16:59:17.000000000 +0200 +++ new/nginx-1.21.2/src/stream/ngx_stream_proxy_module.c 2021-08-31 17:13:47.000000000 +0200 @@ -2185,6 +2185,10 @@ cln->handler = ngx_ssl_cleanup_ctx; cln->data = pscf->ssl; + if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 0) != NGX_OK) { + return NGX_ERROR; + } + if (pscf->ssl_certificate) { if (pscf->ssl_certificate_key == NULL) { 
@@ -2216,10 +2220,6 @@ } } - if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 0) != NGX_OK) { - return NGX_ERROR; - } - if (pscf->ssl_verify) { if (pscf->ssl_trusted_certificate.len == 0) { ngx_log_error(NGX_LOG_EMERG, cf->log, 0, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.21.1/src/stream/ngx_stream_ssl_module.c new/nginx-1.21.2/src/stream/ngx_stream_ssl_module.c --- old/nginx-1.21.1/src/stream/ngx_stream_ssl_module.c 2021-07-06 16:59:17.000000000 +0200 +++ new/nginx-1.21.2/src/stream/ngx_stream_ssl_module.c 2021-08-31 17:13:47.000000000 +0200 @@ -720,6 +720,13 @@ ngx_stream_ssl_servername); #endif + if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, + conf->prefer_server_ciphers) + != NGX_OK) + { + return NGX_CONF_ERROR; + } + if (ngx_stream_ssl_compile_certificates(cf, conf) != NGX_OK) { return NGX_CONF_ERROR; } @@ -752,13 +759,6 @@ } } - if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, - conf->prefer_server_ciphers) - != NGX_OK) - { - return NGX_CONF_ERROR; - } - if (conf->verify) { if (conf->client_certificate.len == 0 && conf->verify != 3) {