nginx: src/event/quic/ngx_event_quic

annotate src/event/quic/ngx_event_quic_tokens.h @ 9300:5be23505292b default tip

SSI: fixed incorrect or duplicate stub output. Following 3518:eb3aaf8bd2a9 (0.8.37), r->request_output is only set if there are data in the first buffer sent in the subrequest. As a result, following the change mentioned this flag cannot be used to prevent duplicate ngx_http_ssi_stub_output() calls, since it is not set if there was already some output, but the first buffer was empty. Still, when there are multiple subrequests, even an empty subrequest response might be delayed by the postpone filter, leading to a second call of ngx_http_ssi_stub_output() during finalization from ngx_http_writer() the subreqest buffers are released by the postpone filter. Since r->request_output is not set after the first call, this resulted in duplicate stub output. Additionally, checking only the first buffer might be wrong in some unusual cases. For example, the first buffer might be empty if $r->flush() is called before printing any data in the embedded Perl module. Depending on the postpone_output value and corresponding sizes, this issue can result in either duplicate or unexpected stub output, or "zero size buf in writer" alerts. Following 8124:f5515e727656 (1.23.4), it became slightly easier to reproduce the issue, as empty static files and empty cache items now result in a response with an empty buffer. Before the change, an empty proxied response can be used to reproduce the issue. Fix is check all buffers and set r->request_output if any non-empty buffers are sent. This ensures that all unusual cases of non-empty responses are covered, and also that r->request_output will be set after the first stub output, preventing duplicate output. Reported by Jan Gassen.

author	Maxim Dounin <mdounin@mdounin.ru>
date	Thu, 04 Jul 2024 17:41:28 +0300
parents	77c1418916f7
children

rev	line source
8752 e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	1
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	2 /*
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	3 * Copyright (C) Nginx, Inc.
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	4 */
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	5
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	6
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	7 #ifndef _NGX_EVENT_QUIC_TOKENS_H_INCLUDED_
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	8 #define _NGX_EVENT_QUIC_TOKENS_H_INCLUDED_
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	9
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	10
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	11 #include <ngx_config.h>
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	12 #include <ngx_core.h>
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	13
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	14
9026 3550b00d9dc8 QUIC: avoided pool usage in token calculation. Vladimir Homutov <vl@nginx.com> parents: 8763 diff changeset	15 #define NGX_QUIC_MAX_TOKEN_SIZE 64
3550b00d9dc8 QUIC: avoided pool usage in token calculation. Vladimir Homutov <vl@nginx.com> parents: 8763 diff changeset	16 /* SHA-1(addr)=20 + sizeof(time_t) + retry(1) + odcid.len(1) + odcid */
3550b00d9dc8 QUIC: avoided pool usage in token calculation. Vladimir Homutov <vl@nginx.com> parents: 8763 diff changeset	17
9132 77c1418916f7 QUIC: use AEAD to encrypt address validation tokens. Roman Arutyunyan <arut@nginx.com> parents: 9026 diff changeset	18 #define NGX_QUIC_AES_256_GCM_IV_LEN 12
77c1418916f7 QUIC: use AEAD to encrypt address validation tokens. Roman Arutyunyan <arut@nginx.com> parents: 9026 diff changeset	19 #define NGX_QUIC_AES_256_GCM_TAG_LEN 16
9026 3550b00d9dc8 QUIC: avoided pool usage in token calculation. Vladimir Homutov <vl@nginx.com> parents: 8763 diff changeset	20
9132 77c1418916f7 QUIC: use AEAD to encrypt address validation tokens. Roman Arutyunyan <arut@nginx.com> parents: 9026 diff changeset	21 #define NGX_QUIC_TOKEN_BUF_SIZE (NGX_QUIC_AES_256_GCM_IV_LEN \
9026 3550b00d9dc8 QUIC: avoided pool usage in token calculation. Vladimir Homutov <vl@nginx.com> parents: 8763 diff changeset	22 + NGX_QUIC_MAX_TOKEN_SIZE \
9132 77c1418916f7 QUIC: use AEAD to encrypt address validation tokens. Roman Arutyunyan <arut@nginx.com> parents: 9026 diff changeset	23 + NGX_QUIC_AES_256_GCM_TAG_LEN)
9026 3550b00d9dc8 QUIC: avoided pool usage in token calculation. Vladimir Homutov <vl@nginx.com> parents: 8763 diff changeset	24
3550b00d9dc8 QUIC: avoided pool usage in token calculation. Vladimir Homutov <vl@nginx.com> parents: 8763 diff changeset	25
8752 e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	26 ngx_int_t ngx_quic_new_sr_token(ngx_connection_t c, ngx_str_t cid,
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	27 u_char secret, u_char token);
9026 3550b00d9dc8 QUIC: avoided pool usage in token calculation. Vladimir Homutov <vl@nginx.com> parents: 8763 diff changeset	28 ngx_int_t ngx_quic_new_token(ngx_log_t log, struct sockaddr sockaddr,
8763 4117aa7fa38e QUIC: connection migration. Vladimir Homutov <vl@nginx.com> parents: 8752 diff changeset	29 socklen_t socklen, u_char key, ngx_str_t token, ngx_str_t *odcid,
4117aa7fa38e QUIC: connection migration. Vladimir Homutov <vl@nginx.com> parents: 8752 diff changeset	30 time_t expires, ngx_uint_t is_retry);
8752 e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	31 ngx_int_t ngx_quic_validate_token(ngx_connection_t *c,
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	32 u_char key, ngx_quic_header_t pkt);
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	33
e19723c40d28 QUIC: separate files for tokens related processing. Vladimir Homutov <vl@nginx.com> parents: diff changeset	34 #endif /* _NGX_EVENT_QUIC_TOKENS_H_INCLUDED_ */

Mercurial > hg > nginx

annotate src/event/quic/ngx_event_quic_tokens.h @ 9300:5be23505292b default tip