Merge branch 'nginx' (nginx-1.15.10).
Change-Id: I1a962edc518d77d07fda7b5214a13307d8f8c33a
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
diff --git a/.hgtags b/.hgtags
index 1228a94..358085a 100644
--- a/.hgtags
+++ b/.hgtags
@@ -435,3 +435,4 @@
051a039ce1c7e09144de4a4846669ec7116cecea release-1.15.7
ee551e3f6dba336c0d875e266d7d55385f379b42 release-1.15.8
d2fd76709909767fc727a5b4affcf1dc9ca488a7 release-1.15.9
+75f5c7f628411c79c7044102049f7ab4f7a246e7 release-1.15.10
diff --git a/BUILD b/BUILD
index a830a04..f5a7115 100644
--- a/BUILD
+++ b/BUILD
@@ -1537,5 +1537,5 @@
preinst = "@nginx_pkgoss//:debian_preinst",
prerm = "@nginx_pkgoss//:debian_prerm",
section = "httpd",
- version = "1.15.9",
+ version = "1.15.10",
)
diff --git a/build.bzl b/build.bzl
index 5f00eb8..47c40e0 100644
--- a/build.bzl
+++ b/build.bzl
@@ -673,9 +673,9 @@
name = "nginx_pkgoss",
build_file_content = _PKGOSS_BUILD_FILE.format(nginx = nginx) +
_PKGOSS_BUILD_FILE_TAIL,
- commit = "894beef672e913605c6b93be022933c9ca22cd7b", # nginx-1.15.9
+ commit = "022bf685d71de5701faf171e1e7ceeb38adcb390", # nginx-1.15.10
remote = "https://nginx.googlesource.com/nginx-pkgoss",
- shallow_since = "1551190491 +0300",
+ shallow_since = "1553609229 +0300",
)
def nginx_repositories_zlib(bind):
diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml
index e7dcf95..de93e32 100644
--- a/docs/xml/nginx/changes.xml
+++ b/docs/xml/nginx/changes.xml
@@ -5,6 +5,66 @@
<change_log title="nginx">
+<changes ver="1.15.10" date="2019-03-26">
+
+<change type="change">
+<para lang="ru">
+теперь при использовании имени хоста в директиве listen
+nginx создаёт listen-сокеты для всех адресов,
+соответствующих этому имени
+(ранее использовался только первый адрес).
+</para>
+<para lang="en">
+when using a hostname in the "listen" directive
+nginx now creates listening sockets
+for all addresses the hostname resolves to
+(previously, only the first address was used).
+</para>
+</change>
+
+<change type="feature">
+<para lang="ru">
+диапазоны портов в директиве listen.
+</para>
+<para lang="en">
+port ranges in the "listen" directive.
+</para>
+</change>
+
+<change type="feature">
+<para lang="ru">
+возможность загрузки SSL-сертификатов и секретных ключей из переменных.
+</para>
+<para lang="en">
+loading of SSL certificates and secret keys from variables.
+</para>
+</change>
+
+<change type="workaround">
+<para lang="ru">
+переменная $ssl_server_name могла быть пустой
+при использовании OpenSSL 1.1.1.
+</para>
+<para lang="en">
+the $ssl_server_name variable might be empty
+when using OpenSSL 1.1.1.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+nginx/Windows не собирался с Visual Studio 2015 и новее;
+ошибка появилась в 1.15.9.
+</para>
+<para lang="en">
+nginx/Windows could not be built with Visual Studio 2015 or newer;
+the bug had appeared in 1.15.9.
+</para>
+</change>
+
+</changes>
+
+
<changes ver="1.15.9" date="2019-02-26">
<change type="feature">
diff --git a/src/core/nginx.h b/src/core/nginx.h
index 2795d87..bec0f81 100644
--- a/src/core/nginx.h
+++ b/src/core/nginx.h
@@ -13,8 +13,8 @@
#define NGINX_NAME "nginx"
#endif
-#define nginx_version 1015009
-#define NGINX_VERSION "1.15.9"
+#define nginx_version 1015010
+#define NGINX_VERSION "1.15.10"
#define NGINX_VER NGINX_NAME "/" NGINX_VERSION
#ifdef NGX_BUILD
diff --git a/src/core/ngx_inet.c b/src/core/ngx_inet.c
index db48b93..4228504 100644
--- a/src/core/ngx_inet.c
+++ b/src/core/ngx_inet.c
@@ -12,6 +12,8 @@
static ngx_int_t ngx_parse_unix_domain_url(ngx_pool_t *pool, ngx_url_t *u);
static ngx_int_t ngx_parse_inet_url(ngx_pool_t *pool, ngx_url_t *u);
static ngx_int_t ngx_parse_inet6_url(ngx_pool_t *pool, ngx_url_t *u);
+static ngx_int_t ngx_inet_add_addr(ngx_pool_t *pool, ngx_url_t *u,
+ struct sockaddr *sockaddr, socklen_t socklen, ngx_uint_t total);
in_addr_t
@@ -780,13 +782,10 @@
static ngx_int_t
ngx_parse_inet_url(ngx_pool_t *pool, ngx_url_t *u)
{
- u_char *p, *host, *port, *last, *uri, *args;
- size_t len;
- ngx_int_t n;
- struct sockaddr_in *sin;
-#if (NGX_HAVE_INET6)
- struct sockaddr_in6 *sin6;
-#endif
+ u_char *host, *port, *last, *uri, *args, *dash;
+ size_t len;
+ ngx_int_t n;
+ struct sockaddr_in *sin;
u->socklen = sizeof(struct sockaddr_in);
sin = (struct sockaddr_in *) &u->sockaddr;
@@ -831,6 +830,25 @@
len = last - port;
+ if (u->listen) {
+ dash = ngx_strlchr(port, last, '-');
+
+ if (dash) {
+ dash++;
+
+ n = ngx_atoi(dash, last - dash);
+
+ if (n < 1 || n > 65535) {
+ u->err = "invalid port";
+ return NGX_ERROR;
+ }
+
+ u->last_port = (in_port_t) n;
+
+ len = dash - port - 1;
+ }
+ }
+
n = ngx_atoi(port, len);
if (n < 1 || n > 65535) {
@@ -838,10 +856,15 @@
return NGX_ERROR;
}
+ if (u->last_port && n > u->last_port) {
+ u->err = "invalid port range";
+ return NGX_ERROR;
+ }
+
u->port = (in_port_t) n;
sin->sin_port = htons((in_port_t) n);
- u->port_text.len = len;
+ u->port_text.len = last - port;
u->port_text.data = port;
last = port - 1;
@@ -853,31 +876,69 @@
/* test value as port only */
- n = ngx_atoi(host, last - host);
+ len = last - host;
+
+ dash = ngx_strlchr(host, last, '-');
+
+ if (dash) {
+ dash++;
+
+ n = ngx_atoi(dash, last - dash);
+
+ if (n == NGX_ERROR) {
+ goto no_port;
+ }
+
+ if (n < 1 || n > 65535) {
+ u->err = "invalid port";
+
+ } else {
+ u->last_port = (in_port_t) n;
+ }
+
+ len = dash - host - 1;
+ }
+
+ n = ngx_atoi(host, len);
if (n != NGX_ERROR) {
+ if (u->err) {
+ return NGX_ERROR;
+ }
+
if (n < 1 || n > 65535) {
u->err = "invalid port";
return NGX_ERROR;
}
+ if (u->last_port && n > u->last_port) {
+ u->err = "invalid port range";
+ return NGX_ERROR;
+ }
+
u->port = (in_port_t) n;
sin->sin_port = htons((in_port_t) n);
+ sin->sin_addr.s_addr = INADDR_ANY;
u->port_text.len = last - host;
u->port_text.data = host;
u->wildcard = 1;
- return NGX_OK;
+ return ngx_inet_add_addr(pool, u, &u->sockaddr.sockaddr,
+ u->socklen, 1);
}
}
}
+no_port:
+
+ u->err = NULL;
u->no_port = 1;
u->port = u->default_port;
sin->sin_port = htons(u->default_port);
+ u->last_port = 0;
}
len = last - host;
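Review bot: The port-only branch uses `u->err` as a deferred flag, and nothing in the hunk says so: the range end sets `u->err = "invalid port"` without returning, and the error only takes effect at `if (u->err) return NGX_ERROR;` once the start also parses as a number. A comment above the first assignment would make this readable, e.g. `/* deferred: "name-99999" (constructed example) is a hostname, not a bad range; no_port clears err */`. The scheme also assumes `u->err` is NULL on entry, which the visible lines do not establish, so that precondition is worth stating too. The body of ngx_parse_inet_url starts and ends outside this hunk.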
@@ -893,7 +954,7 @@
if (u->listen && len == 1 && *host == '*') {
sin->sin_addr.s_addr = INADDR_ANY;
u->wildcard = 1;
- return NGX_OK;
+ return ngx_inet_add_addr(pool, u, &u->sockaddr.sockaddr, u->socklen, 1);
}
sin->sin_addr.s_addr = ngx_inet_addr(host, len);
@@ -904,33 +965,7 @@
u->wildcard = 1;
}
- u->naddrs = 1;
-
- u->addrs = ngx_pcalloc(pool, sizeof(ngx_addr_t));
- if (u->addrs == NULL) {
- return NGX_ERROR;
- }
-
- sin = ngx_pcalloc(pool, sizeof(struct sockaddr_in));
- if (sin == NULL) {
- return NGX_ERROR;
- }
-
- ngx_memcpy(sin, &u->sockaddr, sizeof(struct sockaddr_in));
-
- u->addrs[0].sockaddr = (struct sockaddr *) sin;
- u->addrs[0].socklen = sizeof(struct sockaddr_in);
-
- p = ngx_pnalloc(pool, u->host.len + sizeof(":65535") - 1);
- if (p == NULL) {
- return NGX_ERROR;
- }
-
- u->addrs[0].name.len = ngx_sprintf(p, "%V:%d",
- &u->host, u->port) - p;
- u->addrs[0].name.data = p;
-
- return NGX_OK;
+ return ngx_inet_add_addr(pool, u, &u->sockaddr.sockaddr, u->socklen, 1);
}
if (u->no_resolve) {
@@ -944,29 +979,7 @@
u->family = u->addrs[0].sockaddr->sa_family;
u->socklen = u->addrs[0].socklen;
ngx_memcpy(&u->sockaddr, u->addrs[0].sockaddr, u->addrs[0].socklen);
-
- switch (u->family) {
-
-#if (NGX_HAVE_INET6)
- case AF_INET6:
- sin6 = (struct sockaddr_in6 *) &u->sockaddr;
-
- if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) {
- u->wildcard = 1;
- }
-
- break;
-#endif
-
- default: /* AF_INET */
- sin = (struct sockaddr_in *) &u->sockaddr;
-
- if (sin->sin_addr.s_addr == INADDR_ANY) {
- u->wildcard = 1;
- }
-
- break;
- }
+ u->wildcard = ngx_inet_wildcard(&u->sockaddr.sockaddr);
return NGX_OK;
}
@@ -976,7 +989,7 @@
ngx_parse_inet6_url(ngx_pool_t *pool, ngx_url_t *u)
{
#if (NGX_HAVE_INET6)
- u_char *p, *host, *port, *last, *uri;
+ u_char *p, *host, *port, *last, *uri, *dash;
size_t len;
ngx_int_t n;
struct sockaddr_in6 *sin6;
@@ -1022,6 +1035,25 @@
len = last - port;
+ if (u->listen) {
+ dash = ngx_strlchr(port, last, '-');
+
+ if (dash) {
+ dash++;
+
+ n = ngx_atoi(dash, last - dash);
+
+ if (n < 1 || n > 65535) {
+ u->err = "invalid port";
+ return NGX_ERROR;
+ }
+
+ u->last_port = (in_port_t) n;
+
+ len = dash - port - 1;
+ }
+ }
+
n = ngx_atoi(port, len);
if (n < 1 || n > 65535) {
@@ -1029,10 +1061,15 @@
return NGX_ERROR;
}
+ if (u->last_port && n > u->last_port) {
+ u->err = "invalid port range";
+ return NGX_ERROR;
+ }
+
u->port = (in_port_t) n;
sin6->sin6_port = htons((in_port_t) n);
- u->port_text.len = len;
+ u->port_text.len = last - port;
u->port_text.data = port;
} else {
@@ -1061,33 +1098,8 @@
}
u->family = AF_INET6;
- u->naddrs = 1;
- u->addrs = ngx_pcalloc(pool, sizeof(ngx_addr_t));
- if (u->addrs == NULL) {
- return NGX_ERROR;
- }
-
- sin6 = ngx_pcalloc(pool, sizeof(struct sockaddr_in6));
- if (sin6 == NULL) {
- return NGX_ERROR;
- }
-
- ngx_memcpy(sin6, &u->sockaddr, sizeof(struct sockaddr_in6));
-
- u->addrs[0].sockaddr = (struct sockaddr *) sin6;
- u->addrs[0].socklen = sizeof(struct sockaddr_in6);
-
- p = ngx_pnalloc(pool, u->host.len + sizeof(":65535") - 1);
- if (p == NULL) {
- return NGX_ERROR;
- }
-
- u->addrs[0].name.len = ngx_sprintf(p, "%V:%d",
- &u->host, u->port) - p;
- u->addrs[0].name.data = p;
-
- return NGX_OK;
+ return ngx_inet_add_addr(pool, u, &u->sockaddr.sockaddr, u->socklen, 1);
#else
@@ -1104,15 +1116,9 @@
ngx_int_t
ngx_inet_resolve_host(ngx_pool_t *pool, ngx_url_t *u)
{
- u_char *p, *host;
- size_t len;
- in_port_t port;
- ngx_uint_t i;
- struct addrinfo hints, *res, *rp;
- struct sockaddr_in *sin;
- struct sockaddr_in6 *sin6;
-
- port = htons(u->port);
+ u_char *host;
+ ngx_uint_t n;
+ struct addrinfo hints, *res, *rp;
host = ngx_alloc(u->host.len + 1, pool->log);
if (host == NULL) {
@@ -1136,7 +1142,7 @@
ngx_free(host);
- for (i = 0, rp = res; rp != NULL; rp = rp->ai_next) {
+ for (n = 0, rp = res; rp != NULL; rp = rp->ai_next) {
switch (rp->ai_family) {
@@ -1148,92 +1154,33 @@
continue;
}
- i++;
+ n++;
}
- if (i == 0) {
+ if (n == 0) {
u->err = "host not found";
goto failed;
}
/* MP: ngx_shared_palloc() */
- u->addrs = ngx_pcalloc(pool, i * sizeof(ngx_addr_t));
- if (u->addrs == NULL) {
- goto failed;
- }
-
- u->naddrs = i;
-
- i = 0;
-
- /* AF_INET addresses first */
-
for (rp = res; rp != NULL; rp = rp->ai_next) {
- if (rp->ai_family != AF_INET) {
+ switch (rp->ai_family) {
+
+ case AF_INET:
+ case AF_INET6:
+ break;
+
+ default:
continue;
}
- sin = ngx_pcalloc(pool, rp->ai_addrlen);
- if (sin == NULL) {
+ if (ngx_inet_add_addr(pool, u, rp->ai_addr, rp->ai_addrlen, n)
+ != NGX_OK)
+ {
goto failed;
}
-
- ngx_memcpy(sin, rp->ai_addr, rp->ai_addrlen);
-
- sin->sin_port = port;
-
- u->addrs[i].sockaddr = (struct sockaddr *) sin;
- u->addrs[i].socklen = rp->ai_addrlen;
-
- len = NGX_INET_ADDRSTRLEN + sizeof(":65535") - 1;
-
- p = ngx_pnalloc(pool, len);
- if (p == NULL) {
- goto failed;
- }
-
- len = ngx_sock_ntop((struct sockaddr *) sin, rp->ai_addrlen, p, len, 1);
-
- u->addrs[i].name.len = len;
- u->addrs[i].name.data = p;
-
- i++;
- }
-
- for (rp = res; rp != NULL; rp = rp->ai_next) {
-
- if (rp->ai_family != AF_INET6) {
- continue;
- }
-
- sin6 = ngx_pcalloc(pool, rp->ai_addrlen);
- if (sin6 == NULL) {
- goto failed;
- }
-
- ngx_memcpy(sin6, rp->ai_addr, rp->ai_addrlen);
-
- sin6->sin6_port = port;
-
- u->addrs[i].sockaddr = (struct sockaddr *) sin6;
- u->addrs[i].socklen = rp->ai_addrlen;
-
- len = NGX_INET6_ADDRSTRLEN + sizeof("[]:65535") - 1;
-
- p = ngx_pnalloc(pool, len);
- if (p == NULL) {
- goto failed;
- }
-
- len = ngx_sock_ntop((struct sockaddr *) sin6, rp->ai_addrlen, p,
- len, 1);
-
- u->addrs[i].name.len = len;
- u->addrs[i].name.data = p;
-
- i++;
}
freeaddrinfo(res);
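Review bot: The rewritten copy loop no longer places AF_INET results ahead of AF_INET6 ones, so `u->addrs[0]` can now be an IPv6 address. The removed `/* AF_INET addresses first */` pass is replaced by a single walk in getaddrinfo() order, and the ngx_parse_inet_url hunk above reads `u->family`, `u->socklen` and `u->sockaddr` from `u->addrs[0]`, so those follow whatever order the resolver returns. If that is intended, a comment at the loop such as `/* addresses are kept in getaddrinfo() order */` would record the change. On the `goto failed` path after a partial run, `u->addrs` and `u->naddrs` appear to keep the entries already appended; the `failed:` label is outside the hunk, so confirm callers never consume them after an error.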
@@ -1250,21 +1197,19 @@
ngx_int_t
ngx_inet_resolve_host(ngx_pool_t *pool, ngx_url_t *u)
{
- u_char *p, *host;
- size_t len;
- in_port_t port;
- in_addr_t in_addr;
- ngx_uint_t i;
+ u_char *host;
+ ngx_uint_t i, n;
struct hostent *h;
- struct sockaddr_in *sin;
+ struct sockaddr_in sin;
/* AF_INET only */
- port = htons(u->port);
+ ngx_memzero(&sin, sizeof(struct sockaddr_in));
- in_addr = ngx_inet_addr(u->host.data, u->host.len);
+ sin.sin_family = AF_INET;
+ sin.sin_addr.s_addr = ngx_inet_addr(u->host.data, u->host.len);
- if (in_addr == INADDR_NONE) {
+ if (sin.sin_addr.s_addr == INADDR_NONE) {
host = ngx_alloc(u->host.len + 1, pool->log);
if (host == NULL) {
return NGX_ERROR;
@@ -1281,76 +1226,31 @@
return NGX_ERROR;
}
- for (i = 0; h->h_addr_list[i] != NULL; i++) { /* void */ }
+ for (n = 0; h->h_addr_list[n] != NULL; n++) { /* void */ }
/* MP: ngx_shared_palloc() */
- u->addrs = ngx_pcalloc(pool, i * sizeof(ngx_addr_t));
- if (u->addrs == NULL) {
- return NGX_ERROR;
- }
+ for (i = 0; i < n; i++) {
+ sin.sin_addr.s_addr = *(in_addr_t *) (h->h_addr_list[i]);
- u->naddrs = i;
-
- for (i = 0; i < u->naddrs; i++) {
-
- sin = ngx_pcalloc(pool, sizeof(struct sockaddr_in));
- if (sin == NULL) {
+ if (ngx_inet_add_addr(pool, u, (struct sockaddr *) &sin,
+ sizeof(struct sockaddr_in), n)
+ != NGX_OK)
+ {
return NGX_ERROR;
}
-
- sin->sin_family = AF_INET;
- sin->sin_port = port;
- sin->sin_addr.s_addr = *(in_addr_t *) (h->h_addr_list[i]);
-
- u->addrs[i].sockaddr = (struct sockaddr *) sin;
- u->addrs[i].socklen = sizeof(struct sockaddr_in);
-
- len = NGX_INET_ADDRSTRLEN + sizeof(":65535") - 1;
-
- p = ngx_pnalloc(pool, len);
- if (p == NULL) {
- return NGX_ERROR;
- }
-
- len = ngx_sock_ntop((struct sockaddr *) sin,
- sizeof(struct sockaddr_in), p, len, 1);
-
- u->addrs[i].name.len = len;
- u->addrs[i].name.data = p;
}
} else {
/* MP: ngx_shared_palloc() */
- u->addrs = ngx_pcalloc(pool, sizeof(ngx_addr_t));
- if (u->addrs == NULL) {
+ if (ngx_inet_add_addr(pool, u, (struct sockaddr *) &sin,
+ sizeof(struct sockaddr_in), 1)
+ != NGX_OK)
+ {
return NGX_ERROR;
}
-
- sin = ngx_pcalloc(pool, sizeof(struct sockaddr_in));
- if (sin == NULL) {
- return NGX_ERROR;
- }
-
- u->naddrs = 1;
-
- sin->sin_family = AF_INET;
- sin->sin_port = port;
- sin->sin_addr.s_addr = in_addr;
-
- u->addrs[0].sockaddr = (struct sockaddr *) sin;
- u->addrs[0].socklen = sizeof(struct sockaddr_in);
-
- p = ngx_pnalloc(pool, u->host.len + sizeof(":65535") - 1);
- if (p == NULL) {
- return NGX_ERROR;
- }
-
- u->addrs[0].name.len = ngx_sprintf(p, "%V:%d",
- &u->host, ntohs(port)) - p;
- u->addrs[0].name.data = p;
}
return NGX_OK;
@@ -1359,6 +1259,67 @@
#endif /* NGX_HAVE_GETADDRINFO && NGX_HAVE_INET6 */
+static ngx_int_t
+ngx_inet_add_addr(ngx_pool_t *pool, ngx_url_t *u, struct sockaddr *sockaddr,
+ socklen_t socklen, ngx_uint_t total)
+{
+ u_char *p;
+ size_t len;
+ ngx_uint_t i, nports;
+ ngx_addr_t *addr;
+ struct sockaddr *sa;
+
+ nports = u->last_port ? u->last_port - u->port + 1 : 1;
+
+ if (u->addrs == NULL) {
+ u->addrs = ngx_palloc(pool, total * nports * sizeof(ngx_addr_t));
+ if (u->addrs == NULL) {
+ return NGX_ERROR;
+ }
+ }
+
+ for (i = 0; i < nports; i++) {
+ sa = ngx_pcalloc(pool, socklen);
+ if (sa == NULL) {
+ return NGX_ERROR;
+ }
+
+ ngx_memcpy(sa, sockaddr, socklen);
+
+ ngx_inet_set_port(sa, u->port + i);
+
+ switch (sa->sa_family) {
+
+#if (NGX_HAVE_INET6)
+ case AF_INET6:
+ len = NGX_INET6_ADDRSTRLEN + sizeof("[]:65536") - 1;
+ break;
+#endif
+
+ default: /* AF_INET */
+ len = NGX_INET_ADDRSTRLEN + sizeof(":65535") - 1;
+ }
+
+ p = ngx_pnalloc(pool, len);
+ if (p == NULL) {
+ return NGX_ERROR;
+ }
+
+ len = ngx_sock_ntop(sa, socklen, p, len, 1);
+
+ addr = &u->addrs[u->naddrs++];
+
+ addr->sockaddr = sa;
+ addr->socklen = socklen;
+
+ addr->name.len = len;
+ addr->name.data = p;
+ }
+
+ return NGX_OK;
+}
+
+
ngx_int_t
ngx_cmp_sockaddr(struct sockaddr *sa1, socklen_t slen1,
struct sockaddr *sa2, socklen_t slen2, ngx_uint_t cmp_port)
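Review bot: ngx_inet_add_addr() depends on an unwritten contract that deserves a header comment. It sizes `u->addrs` only on the first call (`total * nports` entries), and every later call appends through `u->addrs[u->naddrs++]` with no bound check. It is therefore only safe when `u->addrs` is NULL and `u->naddrs` is 0 on entry, and when it is called at most `total` times with `u->port` and `u->last_port` unchanged; a caller that reuses a populated ngx_url_t would append past the earlier allocation. Separately, the IPv6 size literal reads `"[]:65536"` where the IPv4 one uses `":65535"`; the length is the same, but it should read `sizeof("[]:65535") - 1`.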
@@ -1495,3 +1456,40 @@
break;
}
}
+
+
+ngx_uint_t
+ngx_inet_wildcard(struct sockaddr *sa)
+{
+ struct sockaddr_in *sin;
+#if (NGX_HAVE_INET6)
+ struct sockaddr_in6 *sin6;
+#endif
+
+ switch (sa->sa_family) {
+
+ case AF_INET:
+ sin = (struct sockaddr_in *) sa;
+
+ if (sin->sin_addr.s_addr == INADDR_ANY) {
+ return 1;
+ }
+
+ break;
+
+#if (NGX_HAVE_INET6)
+
+ case AF_INET6:
+ sin6 = (struct sockaddr_in6 *) sa;
+
+ if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) {
+ return 1;
+ }
+
+ break;
+
+#endif
+ }
+
+ return 0;
+}
diff --git a/src/core/ngx_inet.h b/src/core/ngx_inet.h
index a3b392e..19050fc 100644
--- a/src/core/ngx_inet.h
+++ b/src/core/ngx_inet.h
@@ -86,6 +86,7 @@
in_port_t port;
in_port_t default_port;
+ in_port_t last_port;
int family;
unsigned listen:1;
@@ -125,6 +126,7 @@
struct sockaddr *sa2, socklen_t slen2, ngx_uint_t cmp_port);
in_port_t ngx_inet_get_port(struct sockaddr *sa);
void ngx_inet_set_port(struct sockaddr *sa, in_port_t port);
+ngx_uint_t ngx_inet_wildcard(struct sockaddr *sa);
#endif /* _NGX_INET_H_INCLUDED_ */
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index b42b145..6530954 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -368,6 +368,10 @@
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_ANTI_REPLAY);
#endif
+#ifdef SSL_OP_NO_CLIENT_RENEGOTIATION
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
+#endif
+
#ifdef SSL_MODE_RELEASE_BUFFERS
SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
#endif
@@ -607,23 +611,29 @@
X509 *x509, *temp;
u_long n;
- if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, cert)
- != NGX_OK)
- {
- *err = NULL;
- return NULL;
- }
+ if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) {
- /*
- * we can't use SSL_CTX_use_certificate_chain_file() as it doesn't
- * allow to access certificate later from SSL_CTX, so we reimplement
- * it here
- */
+ bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1,
+ cert->len - (sizeof("data:") - 1));
+ if (bio == NULL) {
+ *err = "BIO_new_mem_buf() failed";
+ return NULL;
+ }
- bio = BIO_new_file((char *) cert->data, "r");
- if (bio == NULL) {
- *err = "BIO_new_file() failed";
- return NULL;
+ } else {
+
+ if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, cert)
+ != NGX_OK)
+ {
+ *err = NULL;
+ return NULL;
+ }
+
+ bio = BIO_new_file((char *) cert->data, "r");
+ if (bio == NULL) {
+ *err = "BIO_new_file() failed";
+ return NULL;
+ }
}
/* certificate itself */
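Review bot: The `data:` test calls `ngx_strncmp(cert->data, "data:", ...)` without checking `cert->len`, so it relies on `cert->data` being NUL-terminated. If a caller ever passes a shorter, unterminated ngx_str_t, the compare reads past it and `cert->len - (sizeof("data:") - 1)` wraps. Checking the length first makes the branch self-contained: `if (cert->len >= sizeof("data:") - 1 && ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) {`. The length passed to BIO_new_mem_buf() is also a size_t narrowed to int, which deserves an explicit bound. The private-key hunk (@@ -740,17 +749,29 @@) has the same pattern, and there the PEM text stays in the caller's buffer after loading, so a comment on who owns and clears that memory would help; both functions extend outside their hunks.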
@@ -697,9 +707,8 @@
#ifndef OPENSSL_NO_ENGINE
- u_char *p, *last;
- ENGINE *engine;
- EVP_PKEY *pkey;
+ u_char *p, *last;
+ ENGINE *engine;
p = key->data + sizeof("engine:") - 1;
last = (u_char *) ngx_strchr(p, ':');
@@ -740,17 +749,29 @@
#endif
}
- if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, key)
- != NGX_OK)
- {
- *err = NULL;
- return NULL;
- }
+ if (ngx_strncmp(key->data, "data:", sizeof("data:") - 1) == 0) {
- bio = BIO_new_file((char *) key->data, "r");
- if (bio == NULL) {
- *err = "BIO_new_file() failed";
- return NULL;
+ bio = BIO_new_mem_buf(key->data + sizeof("data:") - 1,
+ key->len - (sizeof("data:") - 1));
+ if (bio == NULL) {
+ *err = "BIO_new_mem_buf() failed";
+ return NULL;
+ }
+
+ } else {
+
+ if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, key)
+ != NGX_OK)
+ {
+ *err = NULL;
+ return NULL;
+ }
+
+ bio = BIO_new_file((char *) key->data, "r");
+ if (bio == NULL) {
+ *err = "BIO_new_file() failed";
+ return NULL;
+ }
}
if (passwords) {
@@ -2878,9 +2899,15 @@
|| n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */
|| n == SSL_R_NO_SHARED_CIPHER /* 193 */
|| n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */
+#ifdef SSL_R_CLIENTHELLO_TLSEXT
+ || n == SSL_R_CLIENTHELLO_TLSEXT /* 226 */
+#endif
#ifdef SSL_R_PARSE_TLSEXT
|| n == SSL_R_PARSE_TLSEXT /* 227 */
#endif
+#ifdef SSL_R_CALLBACK_FAILED
+ || n == SSL_R_CALLBACK_FAILED /* 234 */
+#endif
|| n == SSL_R_UNEXPECTED_MESSAGE /* 244 */
|| n == SSL_R_UNEXPECTED_RECORD /* 245 */
|| n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */
diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c
index 18478b9..f59ecbd 100644
--- a/src/http/modules/ngx_http_grpc_module.c
+++ b/src/http/modules/ngx_http_grpc_module.c
@@ -4650,6 +4650,7 @@
cln = ngx_pool_cleanup_add(cf->pool, 0);
if (cln == NULL) {
+ ngx_ssl_cleanup_ctx(glcf->upstream.ssl);
return NGX_ERROR;
}
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
index 09c6b53..3aa3c7f 100644
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -4301,6 +4301,7 @@
cln = ngx_pool_cleanup_add(cf->pool, 0);
if (cln == NULL) {
+ ngx_ssl_cleanup_ctx(plcf->upstream.ssl);
return NGX_ERROR;
}
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index c184606..9adce1b 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -698,6 +698,15 @@
return NGX_CONF_ERROR;
}
+ cln = ngx_pool_cleanup_add(cf->pool, 0);
+ if (cln == NULL) {
+ ngx_ssl_cleanup_ctx(&conf->ssl);
+ return NGX_CONF_ERROR;
+ }
+
+ cln->handler = ngx_ssl_cleanup_ctx;
+ cln->data = &conf->ssl;
+
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
/*
@@ -736,14 +745,6 @@
ngx_http_ssl_npn_advertised, NULL);
#endif
- cln = ngx_pool_cleanup_add(cf->pool, 0);
- if (cln == NULL) {
- return NGX_CONF_ERROR;
- }
-
- cln->handler = ngx_ssl_cleanup_ctx;
- cln->data = &conf->ssl;
-
if (ngx_http_ssl_compile_certificates(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
index 8b09110..56dc236 100644
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -2359,6 +2359,7 @@
cln = ngx_pool_cleanup_add(cf->pool, 0);
if (cln == NULL) {
+ ngx_ssl_cleanup_ctx(uwcf->upstream.ssl);
return NGX_ERROR;
}
diff --git a/src/http/ngx_http.c b/src/http/ngx_http.c
index 5e20226..79ef9c6 100644
--- a/src/http/ngx_http.c
+++ b/src/http/ngx_http.c
@@ -1157,7 +1157,7 @@
}
}
- sa = &lsopt->sockaddr.sockaddr;
+ sa = lsopt->sockaddr;
p = ngx_inet_get_port(sa);
port = cmcf->ports->elts;
@@ -1209,8 +1209,8 @@
for (i = 0; i < port->addrs.nelts; i++) {
- if (ngx_cmp_sockaddr(&lsopt->sockaddr.sockaddr, lsopt->socklen,
- &addr[i].opt.sockaddr.sockaddr,
+ if (ngx_cmp_sockaddr(lsopt->sockaddr, lsopt->socklen,
+ addr[i].opt.sockaddr,
addr[i].opt.socklen, 0)
!= NGX_OK)
{
@@ -1239,7 +1239,8 @@
if (addr[i].opt.set) {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
- "duplicate listen options for %s", addr[i].opt.addr);
+ "duplicate listen options for %V",
+ &addr[i].opt.addr_text);
return NGX_ERROR;
}
@@ -1252,7 +1253,8 @@
if (default_server) {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
- "a duplicate default server for %s", addr[i].opt.addr);
+ "a duplicate default server for %V",
+ &addr[i].opt.addr_text);
return NGX_ERROR;
}
@@ -1305,8 +1307,8 @@
if (lsopt->http2 && lsopt->ssl) {
ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
"nginx was built with OpenSSL that lacks ALPN "
- "and NPN support, HTTP/2 is not enabled for %s",
- lsopt->addr);
+ "and NPN support, HTTP/2 is not enabled for %V",
+ &lsopt->addr_text);
}
#endif
@@ -1354,7 +1356,8 @@
for (i = 0; i < addr->servers.nelts; i++) {
if (server[i] == cscf) {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
- "a duplicate listen %s", addr->opt.addr);
+ "a duplicate listen %V",
+ &addr->opt.addr_text);
return NGX_ERROR;
}
}
@@ -1471,15 +1474,15 @@
if (rc == NGX_DECLINED) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "invalid server name or wildcard \"%V\" on %s",
- &name[n].name, addr->opt.addr);
+ "invalid server name or wildcard \"%V\" on %V",
+ &name[n].name, &addr->opt.addr_text);
return NGX_ERROR;
}
if (rc == NGX_BUSY) {
ngx_log_error(NGX_LOG_WARN, cf->log, 0,
- "conflicting server name \"%V\" on %s, ignored",
- &name[n].name, addr->opt.addr);
+ "conflicting server name \"%V\" on %V, ignored",
+ &name[n].name, &addr->opt.addr_text);
}
}
}
@@ -1700,8 +1703,7 @@
ngx_http_core_loc_conf_t *clcf;
ngx_http_core_srv_conf_t *cscf;
- ls = ngx_create_listening(cf, &addr->opt.sockaddr.sockaddr,
- addr->opt.socklen);
+ ls = ngx_create_listening(cf, addr->opt.sockaddr, addr->opt.socklen);
if (ls == NULL) {
return NULL;
}
@@ -1791,7 +1793,7 @@
for (i = 0; i < hport->naddrs; i++) {
- sin = &addr[i].opt.sockaddr.sockaddr_in;
+ sin = (struct sockaddr_in *) addr[i].opt.sockaddr;
addrs[i].addr = sin->sin_addr.s_addr;
addrs[i].conf.default_server = addr[i].default_server;
#if (NGX_HTTP_SSL)
@@ -1856,7 +1858,7 @@
for (i = 0; i < hport->naddrs; i++) {
- sin6 = &addr[i].opt.sockaddr.sockaddr_in6;
+ sin6 = (struct sockaddr_in6 *) addr[i].opt.sockaddr;
addrs6[i].addr6 = sin6->sin6_addr;
addrs6[i].conf.default_server = addr[i].default_server;
#if (NGX_HTTP_SSL)
diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index b9afec6..2c0af62 100644
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -2715,6 +2715,8 @@
{
char *rv;
void *mconf;
+ size_t len;
+ u_char *p;
ngx_uint_t i;
ngx_conf_t pcf;
ngx_http_module_t *module;
@@ -2802,7 +2804,14 @@
if (rv == NGX_CONF_OK && !cscf->listen) {
ngx_memzero(&lsopt, sizeof(ngx_http_listen_opt_t));
- sin = &lsopt.sockaddr.sockaddr_in;
+ p = ngx_pcalloc(cf->pool, sizeof(struct sockaddr_in));
+ if (p == NULL) {
+ return NGX_CONF_ERROR;
+ }
+
+ lsopt.sockaddr = (struct sockaddr *) p;
+
+ sin = (struct sockaddr_in *) p;
sin->sin_family = AF_INET;
#if (NGX_WIN32)
@@ -2825,8 +2834,16 @@
#endif
lsopt.wildcard = 1;
- (void) ngx_sock_ntop(&lsopt.sockaddr.sockaddr, lsopt.socklen,
- lsopt.addr, NGX_SOCKADDR_STRLEN, 1);
+ len = NGX_INET_ADDRSTRLEN + sizeof(":65535") - 1;
+
+ p = ngx_pnalloc(cf->pool, len);
+ if (p == NULL) {
+ return NGX_CONF_ERROR;
+ }
+
+ lsopt.addr_text.data = p;
+ lsopt.addr_text.len = ngx_sock_ntop(lsopt.sockaddr, lsopt.socklen, p,
+ len, 1);
if (ngx_http_add_listen(cf, cscf, &lsopt) != NGX_OK) {
return NGX_CONF_ERROR;
@@ -3779,9 +3796,6 @@
ngx_memzero(&lsopt, sizeof(ngx_http_listen_opt_t));
- ngx_memcpy(&lsopt.sockaddr.sockaddr, &u.sockaddr, u.socklen);
-
- lsopt.socklen = u.socklen;
lsopt.backlog = NGX_LISTEN_BACKLOG;
lsopt.rcvbuf = -1;
lsopt.sndbuf = -1;
@@ -3791,14 +3805,10 @@
#if (NGX_HAVE_TCP_FASTOPEN)
lsopt.fastopen = -1;
#endif
- lsopt.wildcard = u.wildcard;
#if (NGX_HAVE_INET6)
lsopt.ipv6only = 1;
#endif
- (void) ngx_sock_ntop(&lsopt.sockaddr.sockaddr, lsopt.socklen, lsopt.addr,
- NGX_SOCKADDR_STRLEN, 1);
-
for (n = 2; n < cf->args->nelts; n++) {
if (ngx_strcmp(value[n].data, "default_server") == 0
@@ -3923,34 +3933,22 @@
if (ngx_strncmp(value[n].data, "ipv6only=o", 10) == 0) {
#if (NGX_HAVE_INET6 && defined IPV6_V6ONLY)
- struct sockaddr *sa;
+ if (ngx_strcmp(&value[n].data[10], "n") == 0) {
+ lsopt.ipv6only = 1;
- sa = &lsopt.sockaddr.sockaddr;
-
- if (sa->sa_family == AF_INET6) {
-
- if (ngx_strcmp(&value[n].data[10], "n") == 0) {
- lsopt.ipv6only = 1;
-
- } else if (ngx_strcmp(&value[n].data[10], "ff") == 0) {
- lsopt.ipv6only = 0;
-
- } else {
- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
- "invalid ipv6only flags \"%s\"",
- &value[n].data[9]);
- return NGX_CONF_ERROR;
- }
-
- lsopt.set = 1;
- lsopt.bind = 1;
+ } else if (ngx_strcmp(&value[n].data[10], "ff") == 0) {
+ lsopt.ipv6only = 0;
} else {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
- "ipv6only is not supported "
- "on addr \"%s\", ignored", lsopt.addr);
+ "invalid ipv6only flags \"%s\"",
+ &value[n].data[9]);
+ return NGX_CONF_ERROR;
}
+ lsopt.set = 1;
+ lsopt.bind = 1;
+
continue;
#else
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
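Review bot: With the `sa->sa_family == AF_INET6` test removed, `ipv6only=on|off` on a listen that resolves only to IPv4 is now accepted silently and still sets `lsopt.set = 1` and `lsopt.bind = 1`. The old code logged "ipv6only is not supported on addr ..." and left both flags untouched. The address family is no longer known at this point, but it is available in the per-address loop added in the later hunk (@@ -4106,11 +4104,18 @@), so the diagnostic could move there as a check of `lsopt.sockaddr->sa_family` before ngx_http_add_listen(). If the silent acceptance is intended, a comment at this branch stating how the option is treated for non-IPv6 addresses would document it. The enclosing function extends outside the hunk.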
@@ -4106,11 +4104,18 @@
return NGX_CONF_ERROR;
}
- if (ngx_http_add_listen(cf, cscf, &lsopt) == NGX_OK) {
- return NGX_CONF_OK;
+ for (n = 0; n < u.naddrs; n++) {
+ lsopt.sockaddr = u.addrs[n].sockaddr;
+ lsopt.socklen = u.addrs[n].socklen;
+ lsopt.addr_text = u.addrs[n].name;
+ lsopt.wildcard = ngx_inet_wildcard(lsopt.sockaddr);
+
+ if (ngx_http_add_listen(cf, cscf, &lsopt) != NGX_OK) {
+ return NGX_CONF_ERROR;
+ }
}
- return NGX_CONF_ERROR;
+ return NGX_CONF_OK;
}
diff --git a/src/http/ngx_http_core_module.h b/src/http/ngx_http_core_module.h
index f53b5f2..aa77156 100644
--- a/src/http/ngx_http_core_module.h
+++ b/src/http/ngx_http_core_module.h
@@ -65,8 +65,9 @@
typedef struct {
- ngx_sockaddr_t sockaddr;
+ struct sockaddr *sockaddr;
socklen_t socklen;
+ ngx_str_t addr_text;
unsigned set:1;
unsigned default_server:1;
@@ -100,8 +101,6 @@
#if (NGX_HAVE_DEFERRED_ACCEPT && defined SO_ACCEPTFILTER)
char *accept_filter;
#endif
-
- u_char addr[NGX_SOCKADDR_STRLEN + 1];
} ngx_http_listen_opt_t;
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 3762aef..51618c2 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1005,6 +1005,7 @@
int
ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
{
+ ngx_int_t rc;
ngx_str_t host;
const char *servername;
ngx_connection_t *c;
@@ -1013,6 +1014,13 @@
ngx_http_core_loc_conf_t *clcf;
ngx_http_core_srv_conf_t *cscf;
+ c = ngx_ssl_get_connection(ssl_conn);
+
+ if (c->ssl->handshaked) {
+ *ad = SSL_AD_NO_RENEGOTIATION;
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+
#if defined(OPENSSL_IS_BORINGSSL) || defined(SSL_CLIENT_HELLO_CB)
if (arg != NULL) {
servername = (const char *) arg;
@@ -1021,13 +1029,7 @@
servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
if (servername == NULL) {
- return SSL_TLSEXT_ERR_NOACK;
- }
-
- c = ngx_ssl_get_connection(ssl_conn);
-
- if (c->ssl->handshaked) {
- return SSL_TLSEXT_ERR_NOACK;
+ return SSL_TLSEXT_ERR_OK;
}
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
@@ -1036,27 +1038,40 @@
host.len = ngx_strlen(servername);
if (host.len == 0) {
- return SSL_TLSEXT_ERR_NOACK;
+ return SSL_TLSEXT_ERR_OK;
}
host.data = (u_char *) servername;
- if (ngx_http_validate_host(&host, c->pool, 1) != NGX_OK) {
- return SSL_TLSEXT_ERR_NOACK;
+ rc = ngx_http_validate_host(&host, c->pool, 1);
+
+ if (rc == NGX_ERROR) {
+ *ad = SSL_AD_INTERNAL_ERROR;
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+
+ if (rc == NGX_DECLINED) {
+ return SSL_TLSEXT_ERR_OK;
}
hc = c->data;
- if (ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host,
- NULL, &cscf)
- != NGX_OK)
- {
- return SSL_TLSEXT_ERR_NOACK;
+ rc = ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host,
+ NULL, &cscf);
+
+ if (rc == NGX_ERROR) {
+ *ad = SSL_AD_INTERNAL_ERROR;
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+
+ if (rc == NGX_DECLINED) {
+ return SSL_TLSEXT_ERR_OK;
}
hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
if (hc->ssl_servername == NULL) {
- return SSL_TLSEXT_ERR_NOACK;
+ *ad = SSL_AD_INTERNAL_ERROR;
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
}
*hc->ssl_servername = host;
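Review bot: Nothing in this hunk explains why the declined cases now return `SSL_TLSEXT_ERR_OK` instead of the former NOACK, although the callback's outcomes are now clearly separated (fatal alert on NGX_ERROR, OK on NGX_DECLINED). Presumably this is the $ssl_server_name workaround for OpenSSL 1.1.1 listed in the changelog; a one-line comment at the first `return SSL_TLSEXT_ERR_OK;` would record that. A name rejected by ngx_http_validate_host() also lets the handshake continue without any log line in the visible code, so a debug-level message in the `rc == NGX_DECLINED` branch would help when triaging malformed SNI values. The function starts and ends outside the hunk.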
diff --git a/src/mail/ngx_mail.c b/src/mail/ngx_mail.c
index 5fd5fa0..f17c2cc 100644
--- a/src/mail/ngx_mail.c
+++ b/src/mail/ngx_mail.c
@@ -231,7 +231,7 @@
ngx_mail_conf_port_t *port;
ngx_mail_conf_addr_t *addr;
- sa = &listen->sockaddr.sockaddr;
+ sa = listen->sockaddr;
p = ngx_inet_get_port(sa);
port = ports->elts;
@@ -316,7 +316,7 @@
continue;
}
- ls = ngx_create_listening(cf, &addr[i].opt.sockaddr.sockaddr,
+ ls = ngx_create_listening(cf, addr[i].opt.sockaddr,
addr[i].opt.socklen);
if (ls == NULL) {
return NGX_CONF_ERROR;
@@ -384,12 +384,9 @@
ngx_mail_add_addrs(ngx_conf_t *cf, ngx_mail_port_t *mport,
ngx_mail_conf_addr_t *addr)
{
- u_char *p;
- size_t len;
ngx_uint_t i;
ngx_mail_in_addr_t *addrs;
struct sockaddr_in *sin;
- u_char buf[NGX_SOCKADDR_STRLEN];
mport->addrs = ngx_pcalloc(cf->pool,
mport->naddrs * sizeof(ngx_mail_in_addr_t));
@@ -401,26 +398,14 @@
for (i = 0; i < mport->naddrs; i++) {
- sin = &addr[i].opt.sockaddr.sockaddr_in;
+ sin = (struct sockaddr_in *) addr[i].opt.sockaddr;
addrs[i].addr = sin->sin_addr.s_addr;
addrs[i].conf.ctx = addr[i].opt.ctx;
#if (NGX_MAIL_SSL)
addrs[i].conf.ssl = addr[i].opt.ssl;
#endif
-
- len = ngx_sock_ntop(&addr[i].opt.sockaddr.sockaddr, addr[i].opt.socklen,
- buf, NGX_SOCKADDR_STRLEN, 1);
-
- p = ngx_pnalloc(cf->pool, len);
- if (p == NULL) {
- return NGX_ERROR;
- }
-
- ngx_memcpy(p, buf, len);
-
- addrs[i].conf.addr_text.len = len;
- addrs[i].conf.addr_text.data = p;
+ addrs[i].conf.addr_text = addr[i].opt.addr_text;
}
return NGX_OK;
@@ -433,12 +418,9 @@
ngx_mail_add_addrs6(ngx_conf_t *cf, ngx_mail_port_t *mport,
ngx_mail_conf_addr_t *addr)
{
- u_char *p;
- size_t len;
ngx_uint_t i;
ngx_mail_in6_addr_t *addrs6;
struct sockaddr_in6 *sin6;
- u_char buf[NGX_SOCKADDR_STRLEN];
mport->addrs = ngx_pcalloc(cf->pool,
mport->naddrs * sizeof(ngx_mail_in6_addr_t));
@@ -450,26 +432,14 @@
for (i = 0; i < mport->naddrs; i++) {
- sin6 = &addr[i].opt.sockaddr.sockaddr_in6;
+ sin6 = (struct sockaddr_in6 *) addr[i].opt.sockaddr;
addrs6[i].addr6 = sin6->sin6_addr;
addrs6[i].conf.ctx = addr[i].opt.ctx;
#if (NGX_MAIL_SSL)
addrs6[i].conf.ssl = addr[i].opt.ssl;
#endif
-
- len = ngx_sock_ntop(&addr[i].opt.sockaddr.sockaddr, addr[i].opt.socklen,
- buf, NGX_SOCKADDR_STRLEN, 1);
-
- p = ngx_pnalloc(cf->pool, len);
- if (p == NULL) {
- return NGX_ERROR;
- }
-
- ngx_memcpy(p, buf, len);
-
- addrs6[i].conf.addr_text.len = len;
- addrs6[i].conf.addr_text.data = p;
+ addrs6[i].conf.addr_text = addr[i].opt.addr_text;
}
return NGX_OK;
diff --git a/src/mail/ngx_mail.h b/src/mail/ngx_mail.h
index 6ecfefc..d904f25 100644
--- a/src/mail/ngx_mail.h
+++ b/src/mail/ngx_mail.h
@@ -27,8 +27,9 @@
typedef struct {
- ngx_sockaddr_t sockaddr;
+ struct sockaddr *sockaddr;
socklen_t socklen;
+ ngx_str_t addr_text;
/* server ctx */
ngx_mail_conf_ctx_t *ctx;
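Review bot: The new `struct sockaddr *sockaddr` and `ngx_str_t addr_text` members are borrowed references, and the struct has no comment saying who owns the storage they point to. In ngx_mail_core_module.c they are assigned from `u.addrs[n]`, where `u` is a local `ngx_url_t`, so the listener is only valid if the parsed address data lives as long as the configuration; that allocation is not visible in this diff. I would add `/* sockaddr and addr_text are not copied: they alias the parsed listen address and must outlive this structure */` above the members. The same applies to the identical change in src/stream/ngx_stream.h; the struct continues outside the hunk.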
diff --git a/src/mail/ngx_mail_core_module.c b/src/mail/ngx_mail_core_module.c
index dd4e980..e16d702 100644
--- a/src/mail/ngx_mail_core_module.c
+++ b/src/mail/ngx_mail_core_module.c
@@ -297,8 +297,8 @@
ngx_str_t *value, size;
ngx_url_t u;
- ngx_uint_t i, m;
- ngx_mail_listen_t *ls;
+ ngx_uint_t i, n, m;
+ ngx_mail_listen_t *ls, *als;
ngx_mail_module_t *module;
ngx_mail_core_main_conf_t *cmcf;
@@ -323,36 +323,16 @@
cmcf = ngx_mail_conf_get_module_main_conf(cf, ngx_mail_core_module);
- ls = cmcf->listen.elts;
-
- for (i = 0; i < cmcf->listen.nelts; i++) {
-
- if (ngx_cmp_sockaddr(&ls[i].sockaddr.sockaddr, ls[i].socklen,
- (struct sockaddr *) &u.sockaddr, u.socklen, 1)
- != NGX_OK)
- {
- continue;
- }
-
- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
- "duplicate \"%V\" address and port pair", &u.url);
- return NGX_CONF_ERROR;
- }
-
- ls = ngx_array_push(&cmcf->listen);
+ ls = ngx_array_push_n(&cmcf->listen, u.naddrs);
if (ls == NULL) {
return NGX_CONF_ERROR;
}
ngx_memzero(ls, sizeof(ngx_mail_listen_t));
- ngx_memcpy(&ls->sockaddr.sockaddr, &u.sockaddr, u.socklen);
-
- ls->socklen = u.socklen;
ls->backlog = NGX_LISTEN_BACKLOG;
ls->rcvbuf = -1;
ls->sndbuf = -1;
- ls->wildcard = u.wildcard;
ls->ctx = cf->ctx;
#if (NGX_HAVE_INET6)
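Review bot: `ngx_memzero(ls, sizeof(ngx_mail_listen_t))` clears only the first of the `u.naddrs` elements just pushed by `ngx_array_push_n()`, so `ls[1..]` stay uninitialised until the `ls[n] = ls[0]` loop added at the end of the function. Every `return NGX_CONF_ERROR` in between leaves those entries in `cmcf->listen` unset, and if `u.naddrs` could ever be 0 (the URL parsing is outside this diff) the memzero could write past the pushed range. A comment such as `/* only ls[0] is set up here; ls[1..naddrs-1] are filled from it after option parsing */` would make the invariant explicit. The same pattern is in the ngx_stream_core_module.c hunk at `@@ -602,21 +602,17 @@`; the function starts and ends outside the hunk.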
@@ -434,35 +414,20 @@
if (ngx_strncmp(value[i].data, "ipv6only=o", 10) == 0) {
#if (NGX_HAVE_INET6 && defined IPV6_V6ONLY)
- size_t len;
- u_char buf[NGX_SOCKADDR_STRLEN];
+ if (ngx_strcmp(&value[i].data[10], "n") == 0) {
+ ls->ipv6only = 1;
- if (ls->sockaddr.sockaddr.sa_family == AF_INET6) {
-
- if (ngx_strcmp(&value[i].data[10], "n") == 0) {
- ls->ipv6only = 1;
-
- } else if (ngx_strcmp(&value[i].data[10], "ff") == 0) {
- ls->ipv6only = 0;
-
- } else {
- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
- "invalid ipv6only flags \"%s\"",
- &value[i].data[9]);
- return NGX_CONF_ERROR;
- }
-
- ls->bind = 1;
+ } else if (ngx_strcmp(&value[i].data[10], "ff") == 0) {
+ ls->ipv6only = 0;
} else {
- len = ngx_sock_ntop(&ls->sockaddr.sockaddr, ls->socklen, buf,
- NGX_SOCKADDR_STRLEN, 1);
-
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
- "ipv6only is not supported "
- "on addr \"%*s\", ignored", len, buf);
+ "invalid ipv6only flags \"%s\"",
+ &value[i].data[9]);
+ return NGX_CONF_ERROR;
}
+ ls->bind = 1;
continue;
#else
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
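Review bot: With the `sa_family == AF_INET6` test removed, `ipv6only=on|off` is accepted for any listener and `ls->bind = 1` is set even when the address is IPv4, where the old code logged "ipv6only is not supported ... ignored". This is presumably because `ls` now stands for every address the hostname resolves to and the family is not yet known, but nothing in the new code says so. Whether the code that applies IPV6_V6ONLY checks the family per socket is outside this diff. I would add `/* address family is not known yet (a hostname may resolve to both IPv4 and IPv6); the flag is only meaningful for AF_INET6 sockets */` above the `if`. The stream hunk at `@@ -688,35 +684,20 @@` makes the same change; the enclosing function starts outside the hunk.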
@@ -588,6 +553,32 @@
return NGX_CONF_ERROR;
}
+ als = cmcf->listen.elts;
+
+ for (n = 0; n < u.naddrs; n++) {
+ ls[n] = ls[0];
+
+ ls[n].sockaddr = u.addrs[n].sockaddr;
+ ls[n].socklen = u.addrs[n].socklen;
+ ls[n].addr_text = u.addrs[n].name;
+ ls[n].wildcard = ngx_inet_wildcard(ls[n].sockaddr);
+
+ for (i = 0; i < cmcf->listen.nelts - u.naddrs + n; i++) {
+
+ if (ngx_cmp_sockaddr(als[i].sockaddr, als[i].socklen,
+ ls[n].sockaddr, ls[n].socklen, 1)
+ != NGX_OK)
+ {
+ continue;
+ }
+
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "duplicate \"%V\" address and port pair",
+ &ls[n].addr_text);
+ return NGX_CONF_ERROR;
+ }
+ }
+
return NGX_CONF_OK;
}
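Review bot: The inner loop bound `cmcf->listen.nelts - u.naddrs + n` compares each new address with `ls[0..n-1]` from this same directive as well as with earlier directives. A hostname that resolves to the same address twice would therefore abort configuration with "duplicate ... address and port pair"; whether the resolved list is deduplicated beforehand is not visible here. The bound also relies on `ls` still being the last `u.naddrs` elements of `cmcf->listen`. A short comment would help, for example `/* check against all earlier entries, including those added by this directive */`. The stream hunk at `@@ -882,21 +863,31 @@` has the same loop; the function starts outside the hunk.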
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
index 10e982e..5544f75 100644
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -370,6 +370,7 @@
cln = ngx_pool_cleanup_add(cf->pool, 0);
if (cln == NULL) {
+ ngx_ssl_cleanup_ctx(&conf->ssl);
return NGX_CONF_ERROR;
}
diff --git a/src/stream/ngx_stream.c b/src/stream/ngx_stream.c
index 4abe387..7835675 100644
--- a/src/stream/ngx_stream.c
+++ b/src/stream/ngx_stream.c
@@ -387,7 +387,7 @@
ngx_stream_conf_port_t *port;
ngx_stream_conf_addr_t *addr;
- sa = &listen->sockaddr.sockaddr;
+ sa = listen->sockaddr;
p = ngx_inet_get_port(sa);
port = ports->elts;
@@ -476,7 +476,7 @@
continue;
}
- ls = ngx_create_listening(cf, &addr[i].opt.sockaddr.sockaddr,
+ ls = ngx_create_listening(cf, addr[i].opt.sockaddr,
addr[i].opt.socklen);
if (ls == NULL) {
return NGX_CONF_ERROR;
@@ -551,12 +551,9 @@
ngx_stream_add_addrs(ngx_conf_t *cf, ngx_stream_port_t *stport,
ngx_stream_conf_addr_t *addr)
{
- u_char *p;
- size_t len;
ngx_uint_t i;
struct sockaddr_in *sin;
ngx_stream_in_addr_t *addrs;
- u_char buf[NGX_SOCKADDR_STRLEN];
stport->addrs = ngx_pcalloc(cf->pool,
stport->naddrs * sizeof(ngx_stream_in_addr_t));
@@ -568,7 +565,7 @@
for (i = 0; i < stport->naddrs; i++) {
- sin = &addr[i].opt.sockaddr.sockaddr_in;
+ sin = (struct sockaddr_in *) addr[i].opt.sockaddr;
addrs[i].addr = sin->sin_addr.s_addr;
addrs[i].conf.ctx = addr[i].opt.ctx;
@@ -576,19 +573,7 @@
addrs[i].conf.ssl = addr[i].opt.ssl;
#endif
addrs[i].conf.proxy_protocol = addr[i].opt.proxy_protocol;
-
- len = ngx_sock_ntop(&addr[i].opt.sockaddr.sockaddr, addr[i].opt.socklen,
- buf, NGX_SOCKADDR_STRLEN, 1);
-
- p = ngx_pnalloc(cf->pool, len);
- if (p == NULL) {
- return NGX_ERROR;
- }
-
- ngx_memcpy(p, buf, len);
-
- addrs[i].conf.addr_text.len = len;
- addrs[i].conf.addr_text.data = p;
+ addrs[i].conf.addr_text = addr[i].opt.addr_text;
}
return NGX_OK;
@@ -601,12 +586,9 @@
ngx_stream_add_addrs6(ngx_conf_t *cf, ngx_stream_port_t *stport,
ngx_stream_conf_addr_t *addr)
{
- u_char *p;
- size_t len;
ngx_uint_t i;
struct sockaddr_in6 *sin6;
ngx_stream_in6_addr_t *addrs6;
- u_char buf[NGX_SOCKADDR_STRLEN];
stport->addrs = ngx_pcalloc(cf->pool,
stport->naddrs * sizeof(ngx_stream_in6_addr_t));
@@ -618,7 +600,7 @@
for (i = 0; i < stport->naddrs; i++) {
- sin6 = &addr[i].opt.sockaddr.sockaddr_in6;
+ sin6 = (struct sockaddr_in6 *) addr[i].opt.sockaddr;
addrs6[i].addr6 = sin6->sin6_addr;
addrs6[i].conf.ctx = addr[i].opt.ctx;
@@ -626,19 +608,7 @@
addrs6[i].conf.ssl = addr[i].opt.ssl;
#endif
addrs6[i].conf.proxy_protocol = addr[i].opt.proxy_protocol;
-
- len = ngx_sock_ntop(&addr[i].opt.sockaddr.sockaddr, addr[i].opt.socklen,
- buf, NGX_SOCKADDR_STRLEN, 1);
-
- p = ngx_pnalloc(cf->pool, len);
- if (p == NULL) {
- return NGX_ERROR;
- }
-
- ngx_memcpy(p, buf, len);
-
- addrs6[i].conf.addr_text.len = len;
- addrs6[i].conf.addr_text.data = p;
+ addrs6[i].conf.addr_text = addr[i].opt.addr_text;
}
return NGX_OK;
diff --git a/src/stream/ngx_stream.h b/src/stream/ngx_stream.h
index 09d2459..57e73e0 100644
--- a/src/stream/ngx_stream.h
+++ b/src/stream/ngx_stream.h
@@ -41,8 +41,9 @@
typedef struct {
- ngx_sockaddr_t sockaddr;
+ struct sockaddr *sockaddr;
socklen_t socklen;
+ ngx_str_t addr_text;
/* server ctx */
ngx_stream_conf_ctx_t *ctx;
diff --git a/src/stream/ngx_stream_core_module.c b/src/stream/ngx_stream_core_module.c
index 3c4027b..9b6afe9 100644
--- a/src/stream/ngx_stream_core_module.c
+++ b/src/stream/ngx_stream_core_module.c
@@ -577,7 +577,7 @@
ngx_str_t *value, size;
ngx_url_t u;
- ngx_uint_t i, backlog;
+ ngx_uint_t i, n, backlog;
ngx_stream_listen_t *ls, *als;
ngx_stream_core_main_conf_t *cmcf;
@@ -602,21 +602,17 @@
cmcf = ngx_stream_conf_get_module_main_conf(cf, ngx_stream_core_module);
- ls = ngx_array_push(&cmcf->listen);
+ ls = ngx_array_push_n(&cmcf->listen, u.naddrs);
if (ls == NULL) {
return NGX_CONF_ERROR;
}
ngx_memzero(ls, sizeof(ngx_stream_listen_t));
- ngx_memcpy(&ls->sockaddr.sockaddr, &u.sockaddr, u.socklen);
-
- ls->socklen = u.socklen;
ls->backlog = NGX_LISTEN_BACKLOG;
ls->rcvbuf = -1;
ls->sndbuf = -1;
ls->type = SOCK_STREAM;
- ls->wildcard = u.wildcard;
ls->ctx = cf->ctx;
#if (NGX_HAVE_INET6)
@@ -688,35 +684,20 @@
if (ngx_strncmp(value[i].data, "ipv6only=o", 10) == 0) {
#if (NGX_HAVE_INET6 && defined IPV6_V6ONLY)
- size_t len;
- u_char buf[NGX_SOCKADDR_STRLEN];
+ if (ngx_strcmp(&value[i].data[10], "n") == 0) {
+ ls->ipv6only = 1;
- if (ls->sockaddr.sockaddr.sa_family == AF_INET6) {
-
- if (ngx_strcmp(&value[i].data[10], "n") == 0) {
- ls->ipv6only = 1;
-
- } else if (ngx_strcmp(&value[i].data[10], "ff") == 0) {
- ls->ipv6only = 0;
-
- } else {
- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
- "invalid ipv6only flags \"%s\"",
- &value[i].data[9]);
- return NGX_CONF_ERROR;
- }
-
- ls->bind = 1;
+ } else if (ngx_strcmp(&value[i].data[10], "ff") == 0) {
+ ls->ipv6only = 0;
} else {
- len = ngx_sock_ntop(&ls->sockaddr.sockaddr, ls->socklen, buf,
- NGX_SOCKADDR_STRLEN, 1);
-
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
- "ipv6only is not supported "
- "on addr \"%*s\", ignored", len, buf);
+ "invalid ipv6only flags \"%s\"",
+ &value[i].data[9]);
+ return NGX_CONF_ERROR;
}
+ ls->bind = 1;
continue;
#else
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
@@ -882,21 +863,31 @@
als = cmcf->listen.elts;
- for (i = 0; i < cmcf->listen.nelts - 1; i++) {
- if (ls->type != als[i].type) {
- continue;
- }
+ for (n = 0; n < u.naddrs; n++) {
+ ls[n] = ls[0];
- if (ngx_cmp_sockaddr(&als[i].sockaddr.sockaddr, als[i].socklen,
- &ls->sockaddr.sockaddr, ls->socklen, 1)
- != NGX_OK)
- {
- continue;
- }
+ ls[n].sockaddr = u.addrs[n].sockaddr;
+ ls[n].socklen = u.addrs[n].socklen;
+ ls[n].addr_text = u.addrs[n].name;
+ ls[n].wildcard = ngx_inet_wildcard(ls[n].sockaddr);
- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
- "duplicate \"%V\" address and port pair", &u.url);
- return NGX_CONF_ERROR;
+ for (i = 0; i < cmcf->listen.nelts - u.naddrs + n; i++) {
+ if (ls[n].type != als[i].type) {
+ continue;
+ }
+
+ if (ngx_cmp_sockaddr(als[i].sockaddr, als[i].socklen,
+ ls[n].sockaddr, ls[n].socklen, 1)
+ != NGX_OK)
+ {
+ continue;
+ }
+
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "duplicate \"%V\" address and port pair",
+ &ls[n].addr_text);
+ return NGX_CONF_ERROR;
+ }
}
return NGX_CONF_OK;
diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
index d7bdec2..127c8a4 100644
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -2096,6 +2096,7 @@
cln = ngx_pool_cleanup_add(cf->pool, 0);
if (cln == NULL) {
+ ngx_ssl_cleanup_ctx(pscf->ssl);
return NGX_ERROR;
}
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
index 9266e99..ec9524e 100644
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -22,6 +22,9 @@
static ngx_int_t ngx_stream_ssl_init_connection(ngx_ssl_t *ssl,
ngx_connection_t *c);
static void ngx_stream_ssl_handshake_handler(ngx_connection_t *c);
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+int ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);
+#endif
#ifdef SSL_R_CERT_CB_ERROR
static int ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg);
#endif
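Review bot: The new prototype `int ngx_stream_ssl_servername(...)` has external linkage, while the neighbouring prototypes in this block are `static`. As far as this diff shows, the function is only referenced from this file (in the `SSL_CTX_set_tlsext_servername_callback()` call), so `static int ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);` would keep it out of the global namespace. The definition in the next hunk would need the same `static`.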
@@ -414,6 +417,17 @@
}
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+
+int
+ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+{
+ return SSL_TLSEXT_ERR_OK;
+}
+
+#endif
+
+
#ifdef SSL_R_CERT_CB_ERROR
int
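Review bot: `ngx_stream_ssl_servername()` ignores `ssl_conn`, `ad` and `arg` and always returns `SSL_TLSEXT_ERR_OK`, but there is no comment explaining why an empty SNI callback is installed. A reader cannot tell whether this is a deliberate no-op or an unfinished stub. A one-line comment above the function stating the reason would settle it, for example `/* no per-name server selection in stream; accept any server name */` if that is the intent.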
@@ -676,12 +690,18 @@
cln = ngx_pool_cleanup_add(cf->pool, 0);
if (cln == NULL) {
+ ngx_ssl_cleanup_ctx(&conf->ssl);
return NGX_CONF_ERROR;
}
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = &conf->ssl;
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
+ ngx_stream_ssl_servername);
+#endif
+
if (ngx_stream_ssl_compile_certificates(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}