Merge remote-tracking branch 'upstream/master'

RekGRpth · Nov 26, 2024 · 73463b3 · 73463b3
2 parents 2512db1 + e7bd255
commit 73463b3
Show file tree

Hide file tree

Showing 5 changed files with 138 additions and 16 deletions.
diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml
@@ -5,6 +5,99 @@
 <change_log title="nginx">
 
 
+<changes ver="1.27.3" date="2024-11-26">
+
+<change type="feature">
+<para lang="ru">
+директива server в блоке upstream поддерживает
+параметр resolve.
+</para>
+<para lang="en">
+the "server" directive in the "upstream" block supports
+the "resolve" parameter.
+</para>
+</change>
+
+<change type="feature">
+<para lang="ru">
+директивы resolver и resolver_timeout в блоке upstream.
+</para>
+<para lang="en">
+the "resolver" and "resolver_timeout" directives in the "upstream" block.
+</para>
+</change>
+
+<change type="feature">
+<para lang="ru">
+поддержка SmarterMail-специфичного режима
+IMAP LOGIN с нетегированным ответом CAPABILITY
+в почтовом прокси-сервере.
+</para>
+<para lang="en">
+SmarterMail specific mode support
+for IMAP LOGIN with untagged CAPABILITY response
+in the mail proxy module.
+</para>
+</change>
+
+<change type="change">
+<para lang="ru">
+теперь протоколы TLSv1 и TLSv1.1 по умолчанию запрещены.
+</para>
+<para lang="en">
+now TLSv1 and TLSv1.1 protocols are disabled by default.
+</para>
+</change>
+
+<change type="change">
+<para lang="ru">
+IPv6-адрес в квадратных скобках без порта теперь можно указывать
+в директивах proxy_bind, fastcgi_bind, grpc_bind, memcached_bind,
+scgi_bind и uwsgi_bind,
+а также как адрес клиента в модуле ngx_http_realip_module.
+</para>
+<para lang="en">
+an IPv6 address in square brackets and no port can be specified
+in the "proxy_bind", "fastcgi_bind", "grpc_bind", "memcached_bind",
+"scgi_bind", and "uwsgi_bind" directives,
+and as client address in ngx_http_realip_module.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+в модуле ngx_http_mp4_module.<br/>
+Спасибо Nils Bars.
+</para>
+<para lang="en">
+in the ngx_http_mp4_module.<br/>
+Thanks to Nils Bars.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+параметр so_keepalive директивы listen
+мог работать некорректно на DragonFly BSD.
+</para>
+<para lang="en">
+the "so_keepalive" parameter of the "listen" directive
+might be handled incorrectly on DragonFly BSD.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+в директиве proxy_store.
+</para>
+<para lang="en">
+in the "proxy_store" directive.
+</para>
+</change>
+
+</changes>
+
+
 <changes ver="1.27.2" date="2024-10-02">
 
 <change type="feature">

diff --git a/src/core/ngx_inet.c b/src/core/ngx_inet.c
@@ -639,7 +639,11 @@ ngx_parse_addr_port(ngx_pool_t *pool, ngx_addr_t *addr, u_char *text,
 
         p = ngx_strlchr(text, last, ']');
 
-        if (p == NULL || p == last - 1 || *++p != ':') {
+        if (p == last - 1) {
+            return ngx_parse_addr(pool, addr, text + 1, len - 2);
+        }
+
+        if (p == NULL || *++p != ':') {
             return NGX_DECLINED;
         }
 

diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
@@ -18,6 +18,9 @@
 #define NGX_QUIC_INITIAL_CIPHER       TLS1_3_CK_AES_128_GCM_SHA256
 
 
+#define ngx_quic_md(str)     { sizeof(str) - 1, str }
+
+
 static ngx_int_t ngx_hkdf_expand(u_char *out_key, size_t out_len,
     const EVP_MD *digest, const u_char *prk, size_t prk_len,
     const u_char *info, size_t info_len);
@@ -29,10 +32,10 @@ static uint64_t ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask,
     uint64_t *largest_pn);
 
 static ngx_int_t ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out,
-    u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
+    const u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
 #ifndef OPENSSL_IS_BORINGSSL
 static ngx_int_t ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out,
-    u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
+    const u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
 #endif
 
 static ngx_int_t ngx_quic_crypto_hp_init(const EVP_CIPHER *cipher,
@@ -441,7 +444,7 @@ ngx_quic_crypto_init(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s,
 
 
 static ngx_int_t
-ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce,
+ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out, const u_char *nonce,
     ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
 {
 #ifdef OPENSSL_IS_BORINGSSL
@@ -461,7 +464,7 @@ ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce,
 
 
 ngx_int_t
-ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce,
+ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out, const u_char *nonce,
     ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
 {
 #ifdef OPENSSL_IS_BORINGSSL
@@ -483,8 +486,8 @@ ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce,
 #ifndef OPENSSL_IS_BORINGSSL
 
 static ngx_int_t
-ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out, u_char *nonce,
-    ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
+ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out,
+    const u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
 {
     int                     len, enc;
     ngx_quic_crypto_ctx_t  *ctx;
@@ -606,7 +609,8 @@ ngx_quic_crypto_hp(ngx_quic_secret_t *s, u_char *out, u_char *in,
 {
     int              outlen;
     EVP_CIPHER_CTX  *ctx;
-    u_char           zero[NGX_QUIC_HP_LEN] = {0};
+
+    static const u_char zero[NGX_QUIC_HP_LEN];
 
     ctx = s->hp_ctx;
 
@@ -948,16 +952,15 @@ ngx_quic_create_retry_packet(ngx_quic_header_t *pkt, ngx_str_t *res)
 {
     u_char              *start;
     ngx_str_t            ad, itag;
-    ngx_quic_md_t        key;
     ngx_quic_secret_t    secret;
     ngx_quic_ciphers_t   ciphers;
 
     /* 5.8.  Retry Packet Integrity */
-    static u_char     key_data[16] =
-        "\xbe\x0c\x69\x0b\x9f\x66\x57\x5a\x1d\x76\x6b\x54\xe3\x68\xc8\x4e";
-    static u_char     nonce[NGX_QUIC_IV_LEN] =
+    static ngx_quic_md_t  key = ngx_quic_md(
+        "\xbe\x0c\x69\x0b\x9f\x66\x57\x5a\x1d\x76\x6b\x54\xe3\x68\xc8\x4e");
+    static const u_char   nonce[NGX_QUIC_IV_LEN] =
         "\x46\x15\x99\xd3\x5d\x63\x2b\xf2\x23\x98\x25\xbb";
-    static ngx_str_t  in = ngx_string("");
+    static ngx_str_t      in = ngx_string("");
 
     ad.data = res->data;
     ad.len = ngx_quic_create_retry_itag(pkt, ad.data, &start);
@@ -974,8 +977,6 @@ ngx_quic_create_retry_packet(ngx_quic_header_t *pkt, ngx_str_t *res)
         return NGX_ERROR;
     }
 
-    key.len = sizeof(key_data);
-    ngx_memcpy(key.data, key_data, sizeof(key_data));
     secret.iv.len = NGX_QUIC_IV_LEN;
 
     if (ngx_quic_crypto_init(ciphers.c, &secret, &key, 1, pkt->log)

diff --git a/src/event/quic/ngx_event_quic_protection.h b/src/event/quic/ngx_event_quic_protection.h
@@ -111,7 +111,7 @@ ngx_int_t ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers);
 ngx_int_t ngx_quic_crypto_init(const ngx_quic_cipher_t *cipher,
     ngx_quic_secret_t *s, ngx_quic_md_t *key, ngx_int_t enc, ngx_log_t *log);
 ngx_int_t ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out,
-    u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
+    const u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
 void ngx_quic_crypto_cleanup(ngx_quic_secret_t *s);
 ngx_int_t ngx_quic_hkdf_expand(ngx_quic_hkdf_t *hkdf, const EVP_MD *digest,
     ngx_log_t *log);

diff --git a/src/mail/ngx_mail_proxy_module.c b/src/mail/ngx_mail_proxy_module.c
@@ -1019,12 +1019,36 @@ ngx_mail_proxy_read_response(ngx_mail_session_t *s, ngx_uint_t state)
             break;
 
         case ngx_imap_passwd:
+
+            /*
+             * untagged CAPABILITY response (draft-crispin-imapv-16),
+             * known to be sent by SmarterMail and Gmail
+             */
+
+            if (p[0] == '*' && p[1] == ' ') {
+                p += 2;
+
+                while (p < b->last - 1) {
+                    if (p[0] == CR && p[1] == LF) {
+                        p += 2;
+                        break;
+                    }
+
+                    p++;
+                }
+
+                if (b->last - p < 4) {
+                    return NGX_AGAIN;
+                }
+            }
+
             if (ngx_strncmp(p, s->tag.data, s->tag.len) == 0) {
                 p += s->tag.len;
                 if (p[0] == 'O' && p[1] == 'K') {
                     return NGX_OK;
                 }
             }
+
             break;
         }