New upstream version release-1.27.3

2024-09-30 QUIC: prevent deleted stream frame retransmissions.
2024-10-09 Configure: MSVC compatibility with PCRE2 10.43.
2024-10-09 SSL: disabled TLSv1 and TLSv1.1 by default.
2014-02-15 Upstream: re-resolvable servers.
2016-03-17 Upstream: construct upstream peers from DNS SRV records.2017-11-03 Core: inheritance of non-reusable shared memory zones.
2017-11-03 Upstream: pre-resolve servers on reload.
2019-10-18 Upstream: per-upstream resolver.
2023-07-12 Upstream: copy upstream zone DNS valid time during config reload.
2024-11-03 SSL: fixed MSVC compilation after ebd18ec1812b.
2024-10-08 FastCGI: fixed create_loc_conf comments after 05b1a8f1e.
2024-10-08 SCGI: added create_loc_conf comments.
2024-10-08 Uwsgi: added create_loc_conf comments.
2024-10-15 On DragonFly BSD 5.8+, TCP_KEEPIDLE and TCP_KEEPINTVL are in secs.
2024-10-28 SSL: error message default in object caching API.
2024-11-20 Fixed missing double quote.
2024-09-23 Mp4: fixed handling an empty run of chunks in stsc atom.
2024-10-02 Mp4: unordered stsc chunks error for the final chunk.
2024-10-22 Mp4: prevent chunk index underflow.
2024-11-18 SSL: a new macro to set default protocol versions.
2024-11-22 QUIC: prevented BIO leak in case of error.
2024-11-21 Upstream: disallow empty path in proxy_store and friends.
2024-10-07 QUIC: constified nonce parameter of crypto functions.
2024-10-07 QUIC: got rid of memory copy when initializing constant values.
2024-11-11 Realip: allowed square brackets with portless IPv6 address.
2024-10-23 Mail: handling of LOGIN IMAP command untagged response.

auto/lib/pcre/make

@@ -36,7 +36,8 @@ if [ $PCRE_LIBRARY = PCRE2 ]; then
                        pcre2_valid_utf.c \
                        pcre2_xclass.c"
 
-        ngx_pcre_test="pcre2_convert.c \
+        ngx_pcre_test="pcre2_chkdint.c \
+                       pcre2_convert.c \
                        pcre2_extuni.c \
                        pcre2_find_bracket.c \
                        pcre2_script_run.c \

src/core/ngx_cycle.c

@@ -38,7 +38,7 @@ static ngx_connection_t  dumb;
 ngx_cycle_t *
 ngx_init_cycle(ngx_cycle_t *old_cycle)
 {
-    void                *rv;
+    void                *rv, *data;
     char               **senv;
     ngx_uint_t           i, n;
     ngx_log_t           *log;
@@ -438,6 +438,8 @@ ngx_init_cycle(ngx_cycle_t *old_cycle)
         opart = &old_cycle->shared_memory.part;
         oshm_zone = opart->elts;
 
+        data = NULL;
+
         for (n = 0; /* void */ ; n++) {
 
             if (n >= opart->nelts) {
@@ -461,9 +463,13 @@ ngx_init_cycle(ngx_cycle_t *old_cycle)
                 continue;
             }
 
+            if (shm_zone[i].tag == oshm_zone[n].tag && shm_zone[i].noreuse) {
+                data = oshm_zone[n].data;
+                break;
+            }
+
             if (shm_zone[i].tag == oshm_zone[n].tag
-                && shm_zone[i].shm.size == oshm_zone[n].shm.size
-                && !shm_zone[i].noreuse)
+                && shm_zone[i].shm.size == oshm_zone[n].shm.size)
             {
                 shm_zone[i].shm.addr = oshm_zone[n].shm.addr;
 #if (NGX_WIN32)
@@ -490,7 +496,7 @@ ngx_init_cycle(ngx_cycle_t *old_cycle)
             goto failed;
         }
 
-        if (shm_zone[i].init(&shm_zone[i], NULL) != NGX_OK) {
+        if (shm_zone[i].init(&shm_zone[i], data) != NGX_OK) {
             goto failed;
         }
 

src/core/ngx_inet.c

@@ -639,7 +639,11 @@ ngx_parse_addr_port(ngx_pool_t *pool, ngx_addr_t *addr, u_char *text,
 
         p = ngx_strlchr(text, last, ']');
 
-        if (p == NULL || p == last - 1 || *++p != ':') {
+        if (p == last - 1) {
+            return ngx_parse_addr(pool, addr, text + 1, len - 2);
+        }
+
+        if (p == NULL || *++p != ':') {
             return NGX_DECLINED;
         }
 

src/event/ngx_event_openssl.c

@@ -1347,7 +1347,7 @@ ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
 
     if (SSL_CTX_set0_tmp_dh_pkey(ssl->ctx, dh) != 1) {
         ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
-                      "SSL_CTX_set0_tmp_dh_pkey(\%s\") failed", file->data);
+                      "SSL_CTX_set0_tmp_dh_pkey(\"%s\") failed", file->data);
 #if (OPENSSL_VERSION_NUMBER >= 0x3000001fL)
         EVP_PKEY_free(dh);
 #endif

src/event/ngx_event_openssl.h

@@ -187,6 +187,13 @@ typedef struct {
 #define NGX_SSL_TLSv1_3  0x0040
 
 
+#if (defined SSL_OP_NO_TLSv1_2 || defined SSL_OP_NO_TLSv1_3)
+#define NGX_SSL_DEFAULT_PROTOCOLS  (NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3)
+#else
+#define NGX_SSL_DEFAULT_PROTOCOLS  (NGX_SSL_TLSv1|NGX_SSL_TLSv1_1)
+#endif
+
+
 #define NGX_SSL_BUFFER   1
 #define NGX_SSL_CLIENT   2
 

src/event/ngx_event_openssl_cache.c

@@ -138,6 +138,8 @@ ngx_ssl_cache_fetch(ngx_conf_t *cf, ngx_uint_t index, char **err,
     ngx_ssl_cache_type_t  *type;
     ngx_ssl_cache_node_t  *cn;
 
+    *err = NULL;
+
     if (ngx_ssl_cache_init_key(cf->pool, index, path, &id) != NGX_OK) {
         return NULL;
     }
@@ -183,6 +185,8 @@ ngx_ssl_cache_connection_fetch(ngx_pool_t *pool, ngx_uint_t index, char **err,
 {
     ngx_ssl_cache_key_t  id;
 
+    *err = NULL;
+
     if (ngx_ssl_cache_init_key(pool, index, path, &id) != NGX_OK) {
         return NULL;
     }

src/event/quic/ngx_event_quic_ack.c

@@ -631,13 +631,12 @@ ngx_quic_resend_frames(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
         case NGX_QUIC_FT_STREAM:
             qs = ngx_quic_find_stream(&qc->streams.tree, f->u.stream.stream_id);
 
-            if (qs) {
-                if (qs->send_state == NGX_QUIC_STREAM_SEND_RESET_SENT
-                    || qs->send_state == NGX_QUIC_STREAM_SEND_RESET_RECVD)
-                {
-                    ngx_quic_free_frame(c, f);
-                    break;
-                }
+            if (qs == NULL
+                || qs->send_state == NGX_QUIC_STREAM_SEND_RESET_SENT
+                || qs->send_state == NGX_QUIC_STREAM_SEND_RESET_RECVD)
+            {
+                ngx_quic_free_frame(c, f);
+                break;
             }
 
             /* fall through */

src/event/quic/ngx_event_quic_openssl_compat.c

@@ -391,6 +391,7 @@ SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method)
 
     wbio = BIO_new(BIO_s_null());
     if (wbio == NULL) {
+        BIO_free(rbio);
         return 0;
     }
 

src/event/quic/ngx_event_quic_protection.c

@@ -18,6 +18,9 @@
 #define NGX_QUIC_INITIAL_CIPHER       TLS1_3_CK_AES_128_GCM_SHA256
 
 
+#define ngx_quic_md(str)     { sizeof(str) - 1, str }
+
+
 static ngx_int_t ngx_hkdf_expand(u_char *out_key, size_t out_len,
     const EVP_MD *digest, const u_char *prk, size_t prk_len,
     const u_char *info, size_t info_len);
@@ -29,10 +32,10 @@ static uint64_t ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask,
     uint64_t *largest_pn);
 
 static ngx_int_t ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out,
-    u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
+    const u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
 #ifndef OPENSSL_IS_BORINGSSL
 static ngx_int_t ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out,
-    u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
+    const u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
 #endif
 
 static ngx_int_t ngx_quic_crypto_hp_init(const EVP_CIPHER *cipher,
@@ -441,7 +444,7 @@ ngx_quic_crypto_init(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s,
 
 
 static ngx_int_t
-ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce,
+ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out, const u_char *nonce,
     ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
 {
 #ifdef OPENSSL_IS_BORINGSSL
@@ -461,7 +464,7 @@ ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce,
 
 
 ngx_int_t
-ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce,
+ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out, const u_char *nonce,
     ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
 {
 #ifdef OPENSSL_IS_BORINGSSL
@@ -483,8 +486,8 @@ ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce,
 #ifndef OPENSSL_IS_BORINGSSL
 
 static ngx_int_t
-ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce,
-    ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
+ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out,
+    const u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
 {
     int                     len, enc;
     ngx_quic_crypto_ctx_t  *ctx;
@@ -606,7 +609,8 @@ ngx_quic_crypto_hp(ngx_quic_secret_t *s, u_char *out, u_char *in,
 {
     int              outlen;
     EVP_CIPHER_CTX  *ctx;
-    u_char           zero[NGX_QUIC_HP_LEN] = {0};
+
+    static const u_char zero[NGX_QUIC_HP_LEN];
 
     ctx = s->hp_ctx;
 
@@ -948,16 +952,15 @@ ngx_quic_create_retry_packet(ngx_quic_header_t *pkt, ngx_str_t *res)
 {
     u_char              *start;
     ngx_str_t            ad, itag;
-    ngx_quic_md_t        key;
     ngx_quic_secret_t    secret;
     ngx_quic_ciphers_t   ciphers;
 
     /* 5.8.  Retry Packet Integrity */
-    static u_char     key_data[16] =
-        "\xbe\x0c\x69\x0b\x9f\x66\x57\x5a\x1d\x76\x6b\x54\xe3\x68\xc8\x4e";
-    static u_char     nonce[NGX_QUIC_IV_LEN] =
+    static ngx_quic_md_t  key = ngx_quic_md(
+        "\xbe\x0c\x69\x0b\x9f\x66\x57\x5a\x1d\x76\x6b\x54\xe3\x68\xc8\x4e");
+    static const u_char   nonce[NGX_QUIC_IV_LEN] =
         "\x46\x15\x99\xd3\x5d\x63\x2b\xf2\x23\x98\x25\xbb";
-    static ngx_str_t  in = ngx_string("");
+    static ngx_str_t      in = ngx_string("");
 
     ad.data = res->data;
     ad.len = ngx_quic_create_retry_itag(pkt, ad.data, &start);
@@ -974,8 +977,6 @@ ngx_quic_create_retry_packet(ngx_quic_header_t *pkt, ngx_str_t *res)
         return NGX_ERROR;
     }
 
-    key.len = sizeof(key_data);
-    ngx_memcpy(key.data, key_data, sizeof(key_data));
     secret.iv.len = NGX_QUIC_IV_LEN;
 
     if (ngx_quic_crypto_init(ciphers.c, &secret, &key, 1, pkt->log)

src/event/quic/ngx_event_quic_protection.h

@@ -111,7 +111,7 @@ ngx_int_t ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers);
 ngx_int_t ngx_quic_crypto_init(const ngx_quic_cipher_t *cipher,
     ngx_quic_secret_t *s, ngx_quic_md_t *key, ngx_int_t enc, ngx_log_t *log);
 ngx_int_t ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out,
-    u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
+    const u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
 void ngx_quic_crypto_cleanup(ngx_quic_secret_t *s);
 ngx_int_t ngx_quic_hkdf_expand(ngx_quic_hkdf_t *hkdf, const EVP_MD *digest,
     ngx_log_t *log);

src/http/modules/ngx_http_fastcgi_module.c

@@ -2877,7 +2877,7 @@ ngx_http_fastcgi_create_loc_conf(ngx_conf_t *cf)
      *     conf->upstream.store_lengths = NULL;
      *     conf->upstream.store_values = NULL;
      *
-     *     conf->index.len = { 0, NULL };
+     *     conf->index = { 0, NULL };
      */
 
     conf->upstream.store = NGX_CONF_UNSET;
@@ -3781,6 +3781,11 @@ ngx_http_fastcgi_store(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
         return NGX_CONF_OK;
     }
 
+    if (value[1].len == 0) {
+        ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "empty path");
+        return NGX_CONF_ERROR;
+    }
+
 #if (NGX_HTTP_CACHE)
     if (flcf->upstream.cache > 0) {
         return "is incompatible with \"fastcgi_cache\"";

src/http/modules/ngx_http_grpc_module.c

@@ -4476,9 +4476,7 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
                               prev->upstream.ssl_session_reuse, 1);
 
     ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
-                                 (NGX_CONF_BITMASK_SET
-                                  |NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
-                                  |NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));
+                              (NGX_CONF_BITMASK_SET|NGX_SSL_DEFAULT_PROTOCOLS));
 
     ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
                              "DEFAULT");

src/http/modules/ngx_http_mp4_module.c

@@ -3176,7 +3176,10 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
 
         start_sample -= n;
 
-        prev_samples = samples;
+        if (next_chunk > chunk) {
+            prev_samples = samples;
+        }
+
         chunk = next_chunk;
         samples = ngx_mp4_get_32value(entry->samples);
         id = ngx_mp4_get_32value(entry->id);
@@ -3186,6 +3189,13 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
 
     next_chunk = trak->chunks + 1;
 
+    if (next_chunk < chunk) {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "unordered mp4 stsc chunks in \"%s\"",
+                      mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
     ngx_log_debug4(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
                    "sample:%uD, chunk:%uD, chunks:%uD, samples:%uD",
                    start_sample, chunk, next_chunk - chunk, samples);
@@ -3211,6 +3221,12 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
         return NGX_ERROR;
     }
 
+    if (chunk == 0) {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "zero chunk in \"%s\"", mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
     target_chunk = chunk - 1;
     target_chunk += start_sample / samples;
     chunk_samples = start_sample % samples;

src/http/modules/ngx_http_proxy_module.c

@@ -3943,9 +3943,7 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
                               prev->upstream.ssl_session_reuse, 1);
 
     ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
-                                 (NGX_CONF_BITMASK_SET
-                                  |NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
-                                  |NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));
+                              (NGX_CONF_BITMASK_SET|NGX_SSL_DEFAULT_PROTOCOLS));
 
     ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
                              "DEFAULT");
@@ -4945,6 +4943,11 @@ ngx_http_proxy_store(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
         return NGX_CONF_OK;
     }
 
+    if (value[1].len == 0) {
+        ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "empty path");
+        return NGX_CONF_ERROR;
+    }
+
 #if (NGX_HTTP_CACHE)
     if (plcf->upstream.cache > 0) {
         return "is incompatible with \"proxy_cache\"";

src/http/modules/ngx_http_scgi_module.c

@@ -1283,6 +1283,21 @@ ngx_http_scgi_create_loc_conf(ngx_conf_t *cf)
         return NULL;
     }
 
+    /*
+     * set by ngx_pcalloc():
+     *
+     *     conf->upstream.bufs.num = 0;
+     *     conf->upstream.ignore_headers = 0;
+     *     conf->upstream.next_upstream = 0;
+     *     conf->upstream.cache_zone = NULL;
+     *     conf->upstream.cache_use_stale = 0;
+     *     conf->upstream.cache_methods = 0;
+     *     conf->upstream.temp_path = NULL;
+     *     conf->upstream.hide_headers_hash = { NULL, 0 };
+     *     conf->upstream.store_lengths = NULL;
+     *     conf->upstream.store_values = NULL;
+     */
+
     conf->upstream.store = NGX_CONF_UNSET;
     conf->upstream.store_access = NGX_CONF_UNSET_UINT;
     conf->upstream.next_upstream_tries = NGX_CONF_UNSET_UINT;
@@ -1980,6 +1995,11 @@ ngx_http_scgi_store(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
         return NGX_CONF_OK;
     }
 
+    if (value[1].len == 0) {
+        ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "empty path");
+        return NGX_CONF_ERROR;
+    }
+
 #if (NGX_HTTP_CACHE)
     if (scf->upstream.cache > 0) {
         return "is incompatible with \"scgi_cache\"";

src/http/modules/ngx_http_ssl_module.c

@@ -652,9 +652,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
     ngx_conf_merge_value(conf->reject_handshake, prev->reject_handshake, 0);
 
     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
-                         (NGX_CONF_BITMASK_SET
-                          |NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
-                          |NGX_SSL_TLSv1_2|NGX_SSL_TLSv1_3));
+                         (NGX_CONF_BITMASK_SET|NGX_SSL_DEFAULT_PROTOCOLS));
 
     ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
                          NGX_SSL_BUFSIZE);