This memory leak was found by running the Valgrind testing mode against
lua-resty-core's `ssl-session-fetch.t` test suite:
TEST 5: yield during doing handshake with client which uses low version OpenSSL
==16956== 64 (32 direct, 32 indirect) bytes in 1 blocks are definitely lost in loss record 5 of 15
==16956== at 0x4C2B002: malloc (vg_replace_malloc.c:298)
==16956== by 0x5FFC868: CRYPTO_malloc (mem.c:222)
==16956== by 0x5FFC96F: CRYPTO_zalloc (mem.c:230)
==16956== by 0x603C54A: OPENSSL_sk_new_reserve (stack.c:209)
==16956== by 0x603C597: OPENSSL_sk_new_null (stack.c:118)
==16956== by 0x5C94A86: sk_SSL_CIPHER_new_null (ssl.h:960)
==16956== by 0x5C94A86: bytes_to_cipher_list (ssl_lib.c:5361)
==16956== by 0x5CB52E9: tls_early_post_process_client_hello (statem_srvr.c:1713)
==16956== by 0x5CB52E9: tls_post_process_client_hello (statem_srvr.c:2231)
==16956== by 0x5CB6F39: ossl_statem_server_post_process_message (statem_srvr.c:1218)
==16956== by 0x5CA4C11: read_state_machine (statem.c:664)
==16956== by 0x5CA4C11: state_machine (statem.c:434)
==16956== by 0x5CA538A: ossl_statem_accept (statem.c:255)
==16956== by 0x5C91759: SSL_do_handshake (ssl_lib.c:3609)
==16956== by 0x45456B: ngx_ssl_handshake (ngx_event_openssl.c:1606)
==16956== by 0x4698D3: ngx_http_ssl_handshake (ngx_http_request.c:751)
==16956== by 0x44ECA8: ngx_epoll_process_events (ngx_epoll_module.c:901)
==16956== by 0x443E94: ngx_process_events_and_timers (ngx_event.c:257)
==16956== by 0x44DC25: ngx_single_process_cycle (ngx_process_cycle.c:333)
==16956== by 0x4236AB: main (nginx.c:382)
==16956==
{
<insert_a_suppression_name_here>
Memcheck:Leak
match-leak-kinds: definite
fun:malloc
fun:CRYPTO_malloc
fun:CRYPTO_zalloc
fun:OPENSSL_sk_new_reserve
fun:OPENSSL_sk_new_null
fun:sk_SSL_CIPHER_new_null
fun:bytes_to_cipher_list
fun:tls_early_post_process_client_hello
fun:tls_post_process_client_hello
fun:ossl_statem_server_post_process_message
fun:read_state_machine
fun:state_machine
fun:ossl_statem_accept
fun:SSL_do_handshake
fun:ngx_ssl_handshake
fun:ngx_http_ssl_handshake
fun:ngx_epoll_process_events
fun:ngx_process_events_and_timers
fun:ngx_single_process_cycle
fun:main
}
==16956== 368 (32 direct, 336 indirect) bytes in 1 blocks are definitely lost in loss record 8 of 15
==16956== at 0x4C2B002: malloc (vg_replace_malloc.c:298)
==16956== by 0x5FFC868: CRYPTO_malloc (mem.c:222)
==16956== by 0x5FFC96F: CRYPTO_zalloc (mem.c:230)
==16956== by 0x603C54A: OPENSSL_sk_new_reserve (stack.c:209)
==16956== by 0x603C597: OPENSSL_sk_new_null (stack.c:118)
==16956== by 0x5C94A79: sk_SSL_CIPHER_new_null (ssl.h:960)
==16956== by 0x5C94A79: bytes_to_cipher_list (ssl_lib.c:5360)
==16956== by 0x5CB52E9: tls_early_post_process_client_hello (statem_srvr.c:1713)
==16956== by 0x5CB52E9: tls_post_process_client_hello (statem_srvr.c:2231)
==16956== by 0x5CB6F39: ossl_statem_server_post_process_message (statem_srvr.c:1218)
==16956== by 0x5CA4C11: read_state_machine (statem.c:664)
==16956== by 0x5CA4C11: state_machine (statem.c:434)
==16956== by 0x5CA538A: ossl_statem_accept (statem.c:255)
==16956== by 0x5C91759: SSL_do_handshake (ssl_lib.c:3609)
==16956== by 0x45456B: ngx_ssl_handshake (ngx_event_openssl.c:1606)
==16956== by 0x4698D3: ngx_http_ssl_handshake (ngx_http_request.c:751)
==16956== by 0x44ECA8: ngx_epoll_process_events (ngx_epoll_module.c:901)
==16956== by 0x443E94: ngx_process_events_and_timers (ngx_event.c:257)
==16956== by 0x44DC25: ngx_single_process_cycle (ngx_process_cycle.c:333)
==16956== by 0x4236AB: main (nginx.c:382)
==16956==
{
<insert_a_suppression_name_here>
Memcheck:Leak
match-leak-kinds: definite
fun:malloc
fun:CRYPTO_malloc
fun:CRYPTO_zalloc
fun:OPENSSL_sk_new_reserve
fun:OPENSSL_sk_new_null
fun:sk_SSL_CIPHER_new_null
fun:bytes_to_cipher_list
fun:tls_early_post_process_client_hello
fun:tls_post_process_client_hello
fun:ossl_statem_server_post_process_message
fun:read_state_machine
fun:state_machine
fun:ossl_statem_accept
fun:SSL_do_handshake
fun:ngx_ssl_handshake
fun:ngx_http_ssl_handshake
fun:ngx_epoll_process_events
fun:ngx_process_events_and_timers
fun:ngx_single_process_cycle
fun:main
}
When `reuseport` is enabled in the `listen` directive, Nginx will create
a listening fd for each worker process in the master process.
These fds will be inherited by the worker processes, but most of them
are unused. For example, considering we have 32 listening ip:port
configurations and 64 worker processes, each worker process will inherit
2048 (32 * 64) listening fds, but only 32 fds are used. By closing the
unused fds, this change could save up to 2016 (32 * 63) fds in a worker
process.
It doesn't affect the listening socket, since there is only one used fd
which is associated with the socket with or without this change.
Co-authored-by: Thibault Charbonnier <thibaultcha@me.com>
Previously, we used the OpenSSL 1.1.1 ClientHello callback to do ssl
session fetching non-blockingly. However, this way cannot handle an edge
case: the ssl session resumption via session ticket might fail, and the
client falls back to session ID resumption. The ClientHello callback is
run too early to know if the client will fall back to using session ID
resumption.
Therefore, we have to take back the OpenSSL sess_set_get_cb_yield patch
and upgrade it to adapt to OpenSSL 1.1.1.
Thanks Yongjian Xu and crasyangel for their help.
See 08e9e50.
Signed-off-by: Thibault Charbonnier <thibaultcha@me.com>
Its naming is now aligned with the `ssl_cert_cb_yield` patch.
See 08e9e50 for details on why this renaming was reverted for the 1.15.8
version of this patch.
This reverts commit 9e834398de.
Support for OpenSSL 1.1.1 will come with the 1.17.1 series of NGINX
patches. Since no other 1.15.8.* releases are planned, we are reverting
the state of the 1.15.8 patches to that of the 1.15.8.1 release.
The patch was also renamed from `ssl_pending_session.patch` to
`ssl_sess_cb_yield.patch` (similarly to the existing
`ssl_cert_cb_yield.patch` one).
Signed-off-by: Thibault Charbonnier <thibaultcha@me.com>
This is to make the nginx ASAN or Valgrind clean in daemon mode. It is
also meaningful when we have more sophisticated cleanup work needed in
the configuration initialization phase and handlers like init_by_lua*.
bugfix: nginx patch: moved the include of resolv.h to after ngx_config.h to avoid compilation failures on FreeBSD.
bugfix: patch: updated safe_resolver_ipv6_option.patch with new offsets to avoid confusing patch while applying.
Signed-off-by: Yichun Zhang (agentzh) <agentzh@gmail.com>
This can enable the use of system-level nameserver configurations of
/etc/resolv.conf, for example, in nginx's own nonblocking DNS resolver.
Signed-off-by: Yichun Zhang (agentzh) <agentzh@gmail.com>
3rd-party modules can register a custom interception hook to ngx_http_core_main_conf_t.intercept_log_handler.
Signed-off-by: Yichun Zhang (agentzh) <agentzh@gmail.com>
* upgraded ngx_lua to 0.9.18rc1 to support Win32 LuaJIT DLL.
* upgraded lua-redis-parser to 0.11rc1 for better Win32 support.
* upgraded lua-rds-parser to 0.06rc2 for better Win32 support.
* upgraded ngx_rds_csv to 0.07rc1 for better Win32 support.
* upgraded lua-resty-cli to 0.04rc1 for better Win32 support.
* upgraded lua-resty-core to 0.1.2.
* applied a patch to LuaJIT to add "!/lualib/" to the default Lua
package search paths.
* upgraded lua-cjson to 2.1.0.3rc2 for better Win32 support and
a suppressed gcc warning.
* use OpenResty's nginx tarballs extracted directly from the official nginx
code repos, because we need the win32 support which is excluded in the
official nginx release tarballs. Our nginx release tarballs are
generated by the util/package-nginx.sh script.
* added the util/package-win32.sh script to generate the Win32 OpenResty
binary distribution file.
* applied a patch to always enable C compiler feature tests in nginx's
own build system because the MinGW gcc compiler on Win32 is also
powerful enough to support advanced features like variadic macros.
* added document README-win32.
* util/dist-check: do a partial uninstallation before installing
anything new.
* added util/build-win32.sh to build OpenResty on Win32 using the
MinGW/MSYS toolchain.
* ./configure: added support for building on Win32 using the MinGW/MSYS
toolchain.