Skip to content
nginx Tests

Fix NULL derefs, buffer overflow, and i2d contract in EVP/OCSP/X509 #10337

Sign in to view logs

Fix NULL derefs, buffer overflow, and i2d contract in EVP/OCSP/X509

Fix NULL derefs, buffer overflow, and i2d contract in EVP/OCSP/X509 #10337

Workflow file for this run

.github/workflows/nginx.yml at 7bf63e9
name: nginx Tests
# START OF COMMON SECTION
on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# END OF COMMON SECTION
# clang has better sanitizer support
env:
CC: clang
jobs:
build_wolfssl:
name: Build wolfSSL
if: github.repository_owner == 'wolfssl'
# Just to keep it the same as the testing target
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 4
steps:
- if: ${{ runner.debug }}
name: Enable wolfSSL debug logging
run: |
# We don't use --enable-debug since it makes the logs too loud
echo "wolf_debug_flags= CFLAGS='-g3 -O0'" >> $GITHUB_ENV
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: >-
--enable-nginx --enable-curve25519 --enable-ed25519 ${{ env.wolf_debug_flags }}
install: true
- name: tar build-dir
run: tar -zcf build-dir.tgz build-dir
- name: Upload built lib
uses: actions/upload-artifact@v4
with:
name: wolf-install-nginx
path: build-dir.tgz
retention-days: 5
nginx_check:
strategy:
fail-fast: false
matrix:
include:
# in general we want to pass all tests that match *ssl*
- ref: 1.28.1
test-ref: 0fccfcef1278263416043e0bbb3e0116b84026e4
# Following tests pass with sanitizer on
sanitize-ok: >-
h2_ssl_proxy_cache.t h2_ssl.t h2_ssl_variables.t
h2_ssl_verify_client.t mail_imap_ssl.t mail_ssl_session_reuse.t
mail_ssl.t proxy_ssl_certificate_cache.t
proxy_ssl_certificate_empty.t proxy_ssl_certificate.t
proxy_ssl_certificate_vars.t proxy_ssl_name.t ssl_cache_reload.t
ssl_certificate_aux.t ssl_certificate_cache.t
ssl_certificate_chain.t ssl_certificates.t ssl_certificate.t
ssl_client_escaped_cert.t ssl_crl.t ssl_curve.t ssl_ocsp.t
ssl_password_file.t ssl_proxy_upgrade.t ssl_reject_handshake.t
ssl_session_reuse.t ssl_session_ticket_key.t ssl_sni_protocols.t
ssl_sni_reneg.t ssl_sni_sessions.t ssl_sni.t ssl_stapling.t ssl.t
ssl_verify_client.t ssl_verify_client_trusted.t ssl_verify_depth.t
stream_proxy_ssl_certificate_cache.t stream_proxy_ssl_certificate.t
stream_proxy_ssl_certificate_vars.t
stream_proxy_ssl_name_complex.t stream_proxy_ssl_name.t
stream_ssl_alpn.t stream_ssl_certificate_cache.t
stream_ssl_certificate.t stream_ssl_ocsp.t stream_ssl_preread_alpn.t
stream_ssl_preread_protocol.t stream_ssl_preread.t
stream_ssl_reject_handshake.t stream_ssl_session_reuse.t
stream_ssl_sni_protocols.t stream_ssl_stapling.t stream_ssl.t
stream_ssl_variables.t stream_ssl_verify_client.t
stream_upstream_zone_ssl.t upstream_zone_ssl.t
uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t
# Following tests do not pass with sanitizer on (with OpenSSL too)
sanitize-not-ok: >-
grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t
proxy_request_buffering_ssl.t proxy_ssl_conf_command.t
proxy_ssl_keepalive.t proxy_ssl.t proxy_ssl_verify.t ssl_cache.t
stream_proxy_protocol_ssl.t stream_proxy_ssl_conf_command.t
stream_proxy_ssl.t stream_proxy_ssl_verify.t
- ref: 1.25.0
test-ref: 5b2894ea1afd01a26c589ce11f310df118e42592
# Following tests pass with sanitizer on
sanitize-ok: >-
h2_ssl_proxy_cache.t h2_ssl.t h2_ssl_variables.t h2_ssl_verify_client.t
mail_imap_ssl.t mail_ssl_conf_command.t mail_ssl_session_reuse.t
mail_ssl.t proxy_ssl_certificate_empty.t proxy_ssl_certificate.t
proxy_ssl_certificate_vars.t proxy_ssl_conf_command.t proxy_ssl_name.t
ssl_certificate_chain.t ssl_certificate_perl.t ssl_certificates.t
ssl_certificate.t ssl_client_escaped_cert.t ssl_conf_command.t
ssl_crl.t ssl_curve.t ssl_engine_keys.t ssl_ocsp.t ssl_password_file.t
ssl_proxy_protocol.t ssl_proxy_upgrade.t ssl_reject_handshake.t
ssl_session_reuse.t ssl_session_ticket_key.t ssl_sni_reneg.t
ssl_sni_sessions.t ssl_sni.t ssl_stapling.t ssl.t ssl_verify_client.t
ssl_verify_depth.t stream_proxy_ssl_certificate.t stream_proxy_ssl_certificate_vars.t
stream_proxy_ssl_conf_command.t stream_proxy_ssl_name_complex.t
stream_proxy_ssl_name.t stream_ssl_certificate.t stream_ssl_conf_command.t
stream_ssl_preread_alpn.t stream_ssl_preread_protocol.t stream_ssl_preread.t
stream_ssl_realip.t stream_ssl_session_reuse.t stream_ssl.t stream_ssl_variables.t
stream_ssl_verify_client.t stream_upstream_zone_ssl.t upstream_zone_ssl.t
uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t uwsgi_ssl.t
uwsgi_ssl_verify.t
# Following tests do not pass with sanitizer on (with OpenSSL too)
sanitize-not-ok: >-
grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t
proxy_request_buffering_ssl.t proxy_ssl_keepalive.t proxy_ssl.t
proxy_ssl_verify.t stream_proxy_protocol_ssl.t stream_proxy_ssl.t
stream_proxy_ssl_verify.t stream_ssl_alpn.t
- ref: 1.24.0
test-ref: 212d9d003886e3a24542855fb60355a417f037de
# Following tests pass with sanitizer on
sanitize-ok: >-
h2_ssl_proxy_cache.t h2_ssl.t h2_ssl_variables.t h2_ssl_verify_client.t
mail_imap_ssl.t mail_ssl_conf_command.t mail_ssl_session_reuse.t mail_ssl.t
proxy_ssl_certificate_empty.t proxy_ssl_certificate.t proxy_ssl_certificate_vars.t
proxy_ssl_name.t ssl_certificate_chain.t ssl_certificate_perl.t ssl_certificates.t
ssl_certificate.t ssl_client_escaped_cert.t ssl_conf_command.t ssl_crl.t
ssl_engine_keys.t ssl_ocsp.t ssl_password_file.t ssl_proxy_protocol.t
ssl_proxy_upgrade.t ssl_reject_handshake.t ssl_session_reuse.t
ssl_session_ticket_key.t ssl_sni_reneg.t ssl_sni_sessions.t ssl_sni.t
ssl_stapling.t ssl.t ssl_verify_client.t stream_proxy_ssl_certificate.t
stream_proxy_ssl_certificate_vars.t stream_proxy_ssl_name_complex.t
stream_proxy_ssl_name.t stream_ssl_alpn.t stream_ssl_certificate.t
stream_ssl_conf_command.t stream_ssl_preread_alpn.t stream_ssl_preread_protocol.t
stream_ssl_preread.t stream_ssl_realip.t stream_ssl_session_reuse.t stream_ssl.t
stream_ssl_variables.t stream_ssl_verify_client.t stream_upstream_zone_ssl.t
upstream_zone_ssl.t uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t
uwsgi_ssl.t uwsgi_ssl_verify.t
# Following tests do not pass with sanitizer on (with OpenSSL too)
sanitize-not-ok: >-
grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t
proxy_request_buffering_ssl.t proxy_ssl_conf_command.t proxy_ssl_keepalive.t
proxy_ssl.t proxy_ssl_verify.t ssl_curve.t ssl_verify_depth.t
stream_proxy_protocol_ssl.t stream_proxy_ssl_conf_command.t stream_proxy_ssl.t
stream_proxy_ssl_verify.t
name: ${{ matrix.ref }}
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
# This should be a safe limit for the tests to run.
timeout-minutes: 6
needs: build_wolfssl
steps:
- name: Download lib
uses: actions/download-artifact@v4
with:
name: wolf-install-nginx
- name: untar build-dir
run: tar -xf build-dir.tgz
- name: Openssl version
run: openssl version -a
- name: Setup Perl environment
uses: shogo82148/actions-setup-perl@v1
with:
perl-version: '5.38.2'
# SSL version 2.091 changes '' return to undef causing test case to fail.
# Locking in the test version to use as 2.090
- name: Install dependencies
run: |
cpanm --notest Proc::Find Net::SSLeay@1.94 IO::Socket::SSL@2.090
- name: Checkout wolfssl-nginx
uses: actions/checkout@v4
with:
repository: wolfssl/wolfssl-nginx
path: wolfssl-nginx
- name: Checkout nginx
uses: actions/checkout@v4
with:
repository: nginx/nginx
path: nginx
ref: release-${{ matrix.ref }}
- name: Apply nginx patch
working-directory: nginx
run: patch -p1 < ../wolfssl-nginx/nginx-${{ matrix.ref }}-wolfssl.patch
- if: ${{ runner.debug }}
name: Apply nginx debug patch
working-directory: nginx
run: patch -p1 < ../wolfssl-nginx/nginx-${{ matrix.ref }}-wolfssl-debug.patch
- name: Checkout nginx-tests
uses: actions/checkout@v4
with:
repository: nginx/nginx-tests
path: nginx-tests
ref: ${{ matrix.test-ref }}
- name: Apply nginx-tests patch
working-directory: nginx-tests
run: patch -p1 < ../wolfssl-nginx/nginx-tests-patches/*${{ matrix.test-ref }}.patch
- name: Build nginx without sanitizer
working-directory: nginx
run: |
./auto/configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-http_ssl_module \
--with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \
--with-http_v2_module --with-mail --with-mail_ssl_module
make -j
- name: Confirm nginx built with wolfSSL
working-directory: nginx
run: ldd objs/nginx | grep wolfssl
- if: ${{ runner.debug }}
name: Run nginx-tests without sanitizer (debug)
working-directory: nginx-tests
run: |
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_VERBOSE=y TEST_NGINX_CATLOG=y \
TEST_NGINX_BINARY=../nginx/objs/nginx prove -v ${{ matrix.sanitize-not-ok }}
- if: ${{ !runner.debug }}
name: Run nginx-tests without sanitizer
working-directory: nginx-tests
run: |
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_BINARY=../nginx/objs/nginx \
prove ${{ matrix.sanitize-not-ok }}
- if: ${{ runner.debug }}
name: Enable wolfSSL debug logging
run: |
echo "nginx_c_flags=-O0" >> $GITHUB_ENV
- name: Build nginx with sanitizer
working-directory: nginx
run: |
./auto/configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-http_ssl_module \
--with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \
--with-http_v2_module --with-mail --with-mail_ssl_module \
--with-cc-opt='-fsanitize=address -DNGX_DEBUG_PALLOC=1 -g3 ${{ env.nginx_c_flags }}' \
--with-ld-opt='-fsanitize=address ${{ env.nginx_c_flags }}'
make -j
- name: Confirm nginx built with wolfSSL
working-directory: nginx
run: ldd objs/nginx | grep wolfssl
- name: Create LSAN suppression file
working-directory: nginx-tests
run: |
echo "leak:ngx_worker_process_init" > lsan.supp
- if: ${{ !runner.debug }}
name: Run nginx-tests with sanitizer
working-directory: nginx-tests
run: |
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
LSAN_OPTIONS=suppressions=$GITHUB_WORKSPACE/nginx-tests/lsan.supp \
TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_BINARY=../nginx/objs/nginx \
prove ${{ matrix.sanitize-ok }}