nginx 1.28.1 fixes #9711

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft

julek-wolfssl wants to merge 29 commits into wolfSSL:master from julek-wolfssl:nginx-1.28.0

.github/workflows/nginx.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -12,6 +12,10 @@ concurrency: @@
       cancel-in-progress: true
     # END OF COMMON SECTION
+    # clang has better sanitizer support
+    env:
+      CC: clang
     jobs:
       build_wolfssl:
         name: Build wolfSSL
@@ Expand All / @@ -31,7 +35,8 @@ jobs: @@
             uses: wolfSSL/actions-build-autotools-project@v1
             with:
               path: wolfssl
-              configure: --enable-nginx ${{ env.wolf_debug_flags }}
+              configure: >-
+                --enable-nginx --enable-curve25519 --enable-ed25519 ${{ env.wolf_debug_flags }}
               install: true
           - name: tar build-dir
@@ Expand All / @@ -50,6 +55,41 @@ jobs: @@
           matrix:
             include:
               # in general we want to pass all tests that match *ssl*
+              - ref: 1.28.1
+                test-ref: 0fccfcef1278263416043e0bbb3e0116b84026e4
+                # Following tests pass with sanitizer on
+                sanitize-ok: >-
+                  h2_ssl_proxy_cache.t h2_ssl.t h2_ssl_variables.t
+                  h2_ssl_verify_client.t mail_imap_ssl.t mail_ssl_session_reuse.t
+                  mail_ssl.t proxy_ssl_certificate_cache.t
+                  proxy_ssl_certificate_empty.t proxy_ssl_certificate.t
+                  proxy_ssl_certificate_vars.t proxy_ssl_name.t ssl_cache_reload.t
+                  ssl_certificate_aux.t ssl_certificate_cache.t
+                  ssl_certificate_chain.t ssl_certificates.t ssl_certificate.t
+                  ssl_client_escaped_cert.t ssl_crl.t ssl_curve.t ssl_ocsp.t
+                  ssl_password_file.t ssl_proxy_upgrade.t ssl_reject_handshake.t
+                  ssl_session_reuse.t ssl_session_ticket_key.t ssl_sni_protocols.t
+                  ssl_sni_reneg.t ssl_sni_sessions.t ssl_sni.t ssl_stapling.t ssl.t
+                  ssl_verify_client.t ssl_verify_client_trusted.t ssl_verify_depth.t
+                  stream_proxy_ssl_certificate_cache.t stream_proxy_ssl_certificate.t
+                  stream_proxy_ssl_certificate_vars.t
+                  stream_proxy_ssl_name_complex.t stream_proxy_ssl_name.t
+                  stream_ssl_alpn.t stream_ssl_certificate_cache.t
+                  stream_ssl_certificate.t stream_ssl_ocsp.t stream_ssl_preread_alpn.t
+                  stream_ssl_preread_protocol.t stream_ssl_preread.t
+                  stream_ssl_reject_handshake.t stream_ssl_session_reuse.t
+                  stream_ssl_sni_protocols.t stream_ssl_stapling.t stream_ssl.t
+                  stream_ssl_variables.t stream_ssl_verify_client.t
+                  stream_upstream_zone_ssl.t upstream_zone_ssl.t
+                  uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t
+                # Following tests do not pass with sanitizer on (with OpenSSL too)
+                sanitize-not-ok: >-
+                  grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t
+                  proxy_request_buffering_ssl.t proxy_ssl_conf_command.t
+                  proxy_ssl_keepalive.t proxy_ssl.t proxy_ssl_verify.t ssl_cache.t
+                  stream_proxy_protocol_ssl.t stream_proxy_ssl_conf_command.t
+                  stream_proxy_ssl.t stream_proxy_ssl_verify.t
               - ref: 1.25.0
                 test-ref: 5b2894ea1afd01a26c589ce11f310df118e42592
                 # Following tests pass with sanitizer on
@@ Expand Down Expand Up / @@ -120,35 +160,26 @@ jobs: @@
           - name: untar build-dir
             run: tar -xf build-dir.tgz
-          - name: Install dependencies
-            run: |
-              sudo cpan -iT Proc::Find
+          - name: Openssl version
+            run: openssl version -a
-          # Locking in the version of SSLeay used with testing
-          - name: Download and install Net::SSLeay 1.94 manually
-            run: |
-              curl -LO https://www.cpan.org/modules/by-module/Net/CHRISN/Net-SSLeay-1.94.tar.gz
-              tar -xzf Net-SSLeay-1.94.tar.gz
-              cd Net-SSLeay-1.94
-              perl Makefile.PL
-              make
-              sudo make install
+          - name: Setup Perl environment
+            uses: shogo82148/actions-setup-perl@v1
+            with:
+              perl-version: '5.38.2'
           # SSL version 2.091 changes '' return to undef causing test case to fail.
           # Locking in the test version to use as 2.090
-          - name: Download and install IO::Socket::SSL 2.090 manually
+          - name: Install dependencies
             run: |
-              curl -LO https://www.cpan.org/modules/by-module/IO/IO-Socket-SSL-2.090.tar.gz
-              tar -xzf IO-Socket-SSL-2.090.tar.gz
-              cd IO-Socket-SSL-2.090
-              perl Makefile.PL
-              make
-              sudo make install
+              cpanm --notest Proc::Find Net::SSLeay@1.94 IO::Socket::SSL@2.090
           - name: Checkout wolfssl-nginx
             uses: actions/checkout@v4
             with:
-              repository: wolfssl/wolfssl-nginx
+    # TODO fix this
+              repository: julek-wolfssl/wolfssl-nginx
+              ref: 1.28.0
               path: wolfssl-nginx
           - name: Checkout nginx
@@ Expand Down Expand Up / @@ -211,37 +242,31 @@ jobs: @@
             run: |
               echo "nginx_c_flags=-O0" >> $GITHUB_ENV
-          - name: workaround high-entropy ASLR
-            # not needed after either an update to llvm or runner is done
-            run: sudo sysctl vm.mmap_rnd_bits=28
           - name: Build nginx with sanitizer
             working-directory: nginx
             run: |
               ./auto/configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-http_ssl_module \
                 --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \
                 --with-http_v2_module --with-mail --with-mail_ssl_module \
-                --with-cc-opt='-fsanitize=address -DNGX_DEBUG_PALLOC=1 -g3 ${{ env.nginx_c_flags }}' \
+                --with-cc-opt='-fsanitize=address -DNGX_DEBUG_PALLOC=1 -g3 \
+                ${{ env.nginx_c_flags }}' \
                 --with-ld-opt='-fsanitize=address ${{ env.nginx_c_flags }}'
               make -j
           - name: Confirm nginx built with wolfSSL
             working-directory: nginx
             run: ldd objs/nginx | grep wolfssl
-          - if: ${{ runner.debug }}
-            name: Run nginx-tests with sanitizer (debug)
+          - name: Create LSAN suppression file
             working-directory: nginx-tests
             run: |
-              LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
-              TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y \
-              TEST_NGINX_BINARY=../nginx/objs/nginx prove -v ${{ matrix.sanitize-ok }}
+              echo "leak:ngx_worker_process_init" > lsan.supp
           - if: ${{ !runner.debug }}
             name: Run nginx-tests with sanitizer
             working-directory: nginx-tests
             run: |
               LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
+                LSAN_OPTIONS=suppressions=$GITHUB_WORKSPACE/nginx-tests/lsan.supp \
                 TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_BINARY=../nginx/objs/nginx \
                 prove ${{ matrix.sanitize-ok }}

.wolfssl_known_macro_extras

-Original file line number
+Diff line change
@@ Expand Up / @@ -357,6 +357,7 @@ NO_ASM @@
     NO_ASN_OLD_TYPE_NAMES
     NO_CAMELLIA_CBC
     NO_CERT
+    NO_CERT_IN_TICKET
     NO_CIPHER_SUITE_ALIASES
     NO_CLIENT_CACHE
     NO_CLOCK_SPEEDUP
@@ Expand Down @@

configure.ac

-Original file line number
+Diff line change
@@ Expand Up @@
        test "$ENABLED_OPENRESTY" = "yes" || test "$ENABLED_RSYSLOG" = "yes" || \
        test "$ENABLED_KRB" = "yes" || test "$ENABLED_CHRONY" = "yes" || \
        test "$ENABLED_FFMPEG" = "yes" || test "$ENABLED_STRONGSWAN" = "yes" || \
-       test "$ENABLED_OPENLDAP" = "yes" || test "x$ENABLED_MOSQUITTO" = "xyes" || test "$ENABLED_HITCH" = "yes"
+       test "$ENABLED_OPENLDAP" = "yes" || test "x$ENABLED_MOSQUITTO" = "xyes" || \
+       test "$ENABLED_HITCH" = "yes" || test "$ENABLED_NGINX" = "yes"
     then
         ENABLED_OPENSSLALL="yes"
     fi
@@ Expand Down @@

src/bio.c

-Original file line number
+Diff line change
@@ Expand Up / @@ -1938,6 +1938,8 @@ int wolfSSL_BIO_get_len(WOLFSSL_BIO *bio) @@
                 len = BAD_FUNC_ARG;
             if (len == 0) {
                 len = wolfssl_file_len(file, &memSz);
+                if (len == WC_NO_ERR_TRACE(WOLFSSL_BAD_FILETYPE))
+                    len = 0;
             }
             if (len == 0) {
                 len = (int)memSz;
@@ Expand Down @@

src/crl.c

-Original file line number
+Diff line change
@@ Expand Up @@
         return ret;
     }
+    #ifdef OPENSSL_ALL
+    int wolfSSL_X509_CRL_up_ref(WOLFSSL_X509_CRL* crl)
+    {
+        int ret;
+        if (crl == NULL)
+            return WOLFSSL_FAILURE;
+        wolfSSL_RefInc(&crl->ref, &ret);
+    #ifdef WOLFSSL_REFCNT_ERROR_RETURN
+        if (ret != 0) {
+            WOLFSSL_MSG("Failed to lock x509 mutex");
+            return WOLFSSL_FAILURE;
+        }
+    #else
+        (void)ret;
+    #endif
+        return WOLFSSL_SUCCESS;
+    }
+    #endif
     /* returns WOLFSSL_SUCCESS on success. Does not take ownership of newcrl */
     int wolfSSL_X509_STORE_add_crl(WOLFSSL_X509_STORE *store, WOLFSSL_X509_CRL *newcrl)
     {
@@ Expand Down @@

src/dtls.c

-Original file line number
+Diff line change
@@ Expand Up @@
             if (!IsAtLeastTLSv1_3(it->pv))
                 *resume = TRUE;
         }
-        if (it != NULL)
-            ForceZero(it, sizeof(InternalTicket));
+        /* `it` points into tempTicket on successful decryption so clearing it will
+         * also satisfy the WOLFSSL_CHECK_MEM_ZERO check. */
+        ForceZero(tempTicket, SESSION_TICKET_LEN);
         return 0;
     }
     #endif /* HAVE_SESSION_TICKET */
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

nginx 1.28.1 fixes #9711

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

nginx 1.28.1 fixes #9711

Are you sure you want to change the base?

Uh oh!

nginx 1.28.1 fixes #9711

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!