nginx 1.28.1 fixes

.github/workflows/nginx.yml

@@ -12,6 +12,10 @@ concurrency:
   cancel-in-progress: true
 # END OF COMMON SECTION
 
+# clang has better sanitizer support
+env:
+  CC: clang
+
 jobs:
   build_wolfssl:
     name: Build wolfSSL
@@ -31,7 +35,8 @@ jobs:
         uses: wolfSSL/actions-build-autotools-project@v1
         with:
           path: wolfssl
-          configure: --enable-nginx ${{ env.wolf_debug_flags }}
+          configure: >-
+            --enable-nginx --enable-curve25519 --enable-ed25519 ${{ env.wolf_debug_flags }}
           install: true
 
       - name: tar build-dir
@@ -50,6 +55,41 @@ jobs:
       matrix:
         include:
           # in general we want to pass all tests that match *ssl*
+          - ref: 1.28.1
+            test-ref: 0fccfcef1278263416043e0bbb3e0116b84026e4
+            # Following tests pass with sanitizer on
+            sanitize-ok: >-
+              h2_ssl_proxy_cache.t h2_ssl.t h2_ssl_variables.t
+              h2_ssl_verify_client.t mail_imap_ssl.t mail_ssl_session_reuse.t
+              mail_ssl.t proxy_ssl_certificate_cache.t
+              proxy_ssl_certificate_empty.t proxy_ssl_certificate.t
+              proxy_ssl_certificate_vars.t proxy_ssl_name.t ssl_cache_reload.t
+              ssl_certificate_aux.t ssl_certificate_cache.t
+              ssl_certificate_chain.t ssl_certificates.t ssl_certificate.t
+              ssl_client_escaped_cert.t ssl_crl.t ssl_curve.t ssl_ocsp.t
+              ssl_password_file.t ssl_proxy_upgrade.t ssl_reject_handshake.t
+              ssl_session_reuse.t ssl_session_ticket_key.t ssl_sni_protocols.t
+              ssl_sni_reneg.t ssl_sni_sessions.t ssl_sni.t ssl_stapling.t ssl.t
+              ssl_verify_client.t ssl_verify_client_trusted.t ssl_verify_depth.t
+              stream_proxy_ssl_certificate_cache.t stream_proxy_ssl_certificate.t
+              stream_proxy_ssl_certificate_vars.t
+              stream_proxy_ssl_name_complex.t stream_proxy_ssl_name.t
+              stream_ssl_alpn.t stream_ssl_certificate_cache.t
+              stream_ssl_certificate.t stream_ssl_ocsp.t stream_ssl_preread_alpn.t
+              stream_ssl_preread_protocol.t stream_ssl_preread.t
+              stream_ssl_reject_handshake.t stream_ssl_session_reuse.t
+              stream_ssl_sni_protocols.t stream_ssl_stapling.t stream_ssl.t
+              stream_ssl_variables.t stream_ssl_verify_client.t
+              stream_upstream_zone_ssl.t upstream_zone_ssl.t
+              uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t
+            # Following tests do not pass with sanitizer on (with OpenSSL too)
+            sanitize-not-ok: >-
+              grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t
+              proxy_request_buffering_ssl.t proxy_ssl_conf_command.t
+              proxy_ssl_keepalive.t proxy_ssl.t proxy_ssl_verify.t ssl_cache.t
+              stream_proxy_protocol_ssl.t stream_proxy_ssl_conf_command.t
+              stream_proxy_ssl.t stream_proxy_ssl_verify.t
+
           - ref: 1.25.0
             test-ref: 5b2894ea1afd01a26c589ce11f310df118e42592
             # Following tests pass with sanitizer on
@@ -120,30 +160,19 @@ jobs:
       - name: untar build-dir
         run: tar -xf build-dir.tgz
 
-      - name: Install dependencies
-        run: |
-          sudo cpan -iT Proc::Find
+      - name: Openssl version
+        run: openssl version -a
 
-      # Locking in the version of SSLeay used with testing
-      - name: Download and install Net::SSLeay 1.94 manually
-        run: |
-          curl -LO https://www.cpan.org/modules/by-module/Net/CHRISN/Net-SSLeay-1.94.tar.gz
-          tar -xzf Net-SSLeay-1.94.tar.gz
-          cd Net-SSLeay-1.94
-          perl Makefile.PL
-          make
-          sudo make install
+      - name: Setup Perl environment
+        uses: shogo82148/actions-setup-perl@v1
+        with:
+          perl-version: '5.38.2'
 
       # SSL version 2.091 changes '' return to undef causing test case to fail.
       # Locking in the test version to use as 2.090
-      - name: Download and install IO::Socket::SSL 2.090 manually
+      - name: Install dependencies
         run: |
-          curl -LO https://www.cpan.org/modules/by-module/IO/IO-Socket-SSL-2.090.tar.gz
-          tar -xzf IO-Socket-SSL-2.090.tar.gz
-          cd IO-Socket-SSL-2.090
-          perl Makefile.PL
-          make
-          sudo make install
+          cpanm --notest Proc::Find Net::SSLeay@1.94 IO::Socket::SSL@2.090
 
       - name: Checkout wolfssl-nginx
         uses: actions/checkout@v4
@@ -211,37 +240,31 @@ jobs:
         run: |
           echo "nginx_c_flags=-O0" >> $GITHUB_ENV
 
-      - name: workaround high-entropy ASLR
-        # not needed after either an update to llvm or runner is done
-        run: sudo sysctl vm.mmap_rnd_bits=28
-
       - name: Build nginx with sanitizer
         working-directory: nginx
         run: |
           ./auto/configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-http_ssl_module \
             --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \
             --with-http_v2_module --with-mail --with-mail_ssl_module \
-            --with-cc-opt='-fsanitize=address -DNGX_DEBUG_PALLOC=1 -g3 ${{ env.nginx_c_flags }}' \
+            --with-cc-opt='-fsanitize=address -DNGX_DEBUG_PALLOC=1 -g3 \
+            ${{ env.nginx_c_flags }}' \
             --with-ld-opt='-fsanitize=address ${{ env.nginx_c_flags }}'
           make -j
 
       - name: Confirm nginx built with wolfSSL
         working-directory: nginx
         run: ldd objs/nginx | grep wolfssl
 
-      - if: ${{ runner.debug }}
-        name: Run nginx-tests with sanitizer (debug)
+      - name: Create LSAN suppression file
         working-directory: nginx-tests
         run: |
-          LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
-          TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y \
-          TEST_NGINX_BINARY=../nginx/objs/nginx prove -v ${{ matrix.sanitize-ok }}
+          echo "leak:ngx_worker_process_init" > lsan.supp
 
       - if: ${{ !runner.debug }}
         name: Run nginx-tests with sanitizer
         working-directory: nginx-tests
         run: |
           LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
+            LSAN_OPTIONS=suppressions=$GITHUB_WORKSPACE/nginx-tests/lsan.supp \
             TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_BINARY=../nginx/objs/nginx \
             prove ${{ matrix.sanitize-ok }}
-

.wolfssl_known_macro_extras

@@ -218,6 +218,7 @@ ECDHE_SIZE
 ENABLE_SECURE_SOCKETS_LOGS
 ESP32
 ESP8266
+ESPIPE
 ESP_ENABLE_WOLFSSH
 ESP_IDF_VERSION
 ESP_IDF_VERSION_MAJOR
@@ -361,6 +362,7 @@ NO_ASM
 NO_ASN_OLD_TYPE_NAMES
 NO_CAMELLIA_CBC
 NO_CERT
+NO_CERT_IN_TICKET
 NO_CIPHER_SUITE_ALIASES
 NO_CLIENT_CACHE
 NO_CLOCK_SPEEDUP

configure.ac

@@ -2681,7 +2681,8 @@ if test "$ENABLED_LIBWEBSOCKETS" = "yes" || test "$ENABLED_OPENVPN" = "yes" || \
    test "$ENABLED_OPENRESTY" = "yes" || test "$ENABLED_RSYSLOG" = "yes" || \
    test "$ENABLED_KRB" = "yes" || test "$ENABLED_CHRONY" = "yes" || \
    test "$ENABLED_FFMPEG" = "yes" || test "$ENABLED_STRONGSWAN" = "yes" || \
-   test "$ENABLED_OPENLDAP" = "yes" || test "x$ENABLED_MOSQUITTO" = "xyes" || test "$ENABLED_HITCH" = "yes"
+   test "$ENABLED_OPENLDAP" = "yes" || test "x$ENABLED_MOSQUITTO" = "xyes" || \
+   test "$ENABLED_HITCH" = "yes" || test "$ENABLED_NGINX" = "yes"
 then
     ENABLED_OPENSSLALL="yes"
 fi

src/bio.c

@@ -1938,6 +1938,8 @@ int wolfSSL_BIO_get_len(WOLFSSL_BIO *bio)
             len = BAD_FUNC_ARG;
         if (len == 0) {
             len = wolfssl_file_len(file, &memSz);
+            if (len == WC_NO_ERR_TRACE(WOLFSSL_BAD_FILETYPE))
+                len = 0;
         }
         if (len == 0) {
             len = (int)memSz;

src/crl.c

@@ -1128,6 +1128,28 @@ WOLFSSL_X509_CRL* wolfSSL_X509_CRL_dup(const WOLFSSL_X509_CRL* crl)
     return ret;
 }
 
+#ifdef OPENSSL_ALL
+int wolfSSL_X509_CRL_up_ref(WOLFSSL_X509_CRL* crl)
+{
+    int ret;
+
+    if (crl == NULL)
+        return WOLFSSL_FAILURE;
+
+    wolfSSL_RefInc(&crl->ref, &ret);
+#ifdef WOLFSSL_REFCNT_ERROR_RETURN
+    if (ret != 0) {
+        WOLFSSL_MSG("Failed to lock x509 mutex");
+        return WOLFSSL_FAILURE;
+    }
+#else
+    (void)ret;
+#endif
+
+    return WOLFSSL_SUCCESS;
+}
+#endif
+
 /* returns WOLFSSL_SUCCESS on success. Does not take ownership of newcrl */
 int wolfSSL_X509_STORE_add_crl(WOLFSSL_X509_STORE *store, WOLFSSL_X509_CRL *newcrl)
 {

src/dtls.c

@@ -403,8 +403,9 @@ static int TlsTicketIsValid(const WOLFSSL* ssl, WolfSSL_ConstVector exts,
         if (!IsAtLeastTLSv1_3(it->pv))
             *resume = TRUE;
     }
-    if (it != NULL)
-        ForceZero(it, sizeof(InternalTicket));
+    /* `it` points into tempTicket on successful decryption so clearing it will
+     * also satisfy the WOLFSSL_CHECK_MEM_ZERO check. */
+    ForceZero(tempTicket, SESSION_TICKET_LEN);
     return 0;
 }
 #endif /* HAVE_SESSION_TICKET */