| Commit message | Author | Age | Files | Lines |
|
I used to have a separate set of options when comparing the
NSS and OpenSSL ciphers. These differed between tests, sometimes
being just a difference in order. This just made the tests
hard to understand.
|
The AESGCM test was duplicated. Remove one.
Two different tests were in test_AES_no_ECDH. I broke one out
separately.
|
Similar patch was provided by Vitezslav Cizek <vcizek@suse.com>
Heavily modified by Rob Crittenden <rcritten@redhat.com>
https://fedorahosted.org/mod_nss/ticket/15
|
- Drop the check that NSSProxyNickname be required
- Add basic reverse proxy test case
- Don't send SSL alert on SNI lookup failure
- Fail for colons in credentials with FakeBasicAuth
- Always call SSL_ShutdownServerSessionIDCache() in ModuleKill
- Document some python dependencies needed by make check
- Add cipher test for ECDH+aRSA
- Quote gcm and sha384 config values when comparing them
|
This was incorrectly a required value when it is a completely
optional setting. Remove it from the check completely and add
a log entry when it is set.
https://bugzilla.redhat.com/show_bug.cgi?id=874847
|
Fetches https://www.google.com and just looks for a 200 response.
This adds an implicit requirement that the test machine has Internet
access so I might have to remove this eventually, but it at
least exercises that code in a positive test case.
|
The guard of NSS_IsInitialized() was too strict because of the
way Apache loads and unloads modules. We need to clean up the
SessionIDCache thread locking when a SIGHUP is received otherwise
a crash will occur.
Note that this also eliminates a rather huge memory leak when
the server is reloaded with a SIGHUP.
https://bugzilla.redhat.com/show_bug.cgi?id=1277613
https://bugzilla.redhat.com/show_bug.cgi?id=1295976
https://fedorahosted.org/mod_nss/ticket/16
|
Update gencert to do a better job parsing arguments so I can
pass in a --test flag to generate a special test-only user
certificate to test colons in the DN.
|
We will eventually want to use mod_auth_basic's AuthBasicFake
but this will do for now.
|
RFC 6066 section 3 says "It is NOT RECOMMENDED to
send a warning-level unrecognized_name(112) alert,
because the client's behavior in response to warning-level
alerts is unpredictable."
To maintain compatibility with mod_ssl, we will not send
any alert (neither warning- nor fatal-level),
i.e. we take the second action suggested in the RFC.
"If the server understood the ClientHello extension
but does not recognize the server name, the server
SHOULD take one of two actions: either abort the handshake by
sending a fatal-level unrecognized_name(112) alert or
continue the handshake."
This is based on mod_ssl commit r1684462
|
Issues reported from valgrind.
The invalid read came from using SNI hostInfo data directly. Just
use the copy we apr_strndup() instead and all is well.
The SNI hostInfo values were leaking. I had removed the calls
to SECITEM_FreeItem at some point and forgotten to re-add them.
mc->semid was not explicitly initialized so could have blown up
if the compiler didn't automatically set it to 0. Explicitly set
it to make the warning go away (and to be safe).
|
Use the %p option to generate separate logs for each process
with valgrind.
|
Add a note to the table to indicate that the handshake is complete
so we don't set the extension every time data is read or written.
Drop NSSHandshakeCallback() as it didn't do anything and is replaced
by the proxy callback.
Extend the checks around calling SetURL to match those in mod_ssl:
- a hostname is available
- not SSLv3
- not an IP address
|
Apache doesn't like running as root and this ends up hanging
the build process.
|
I need to generate config.h because Apache ships its own
autotools-generated config.h which redefines a lot of
variables like PACKAGE_NAME, PACKAGE_TARBALL, etc.
By having my own config.h I can reset things before the compiler
complains. The downside is that compile-time options are hidden
in a config file instead of being defined on the gcc
command-line.
|
Most of these are unused variables. There is one adding an extra
set of parens.
The bug is using the wrong index variable, i instead of j.
|
Contributed by Stanislav Tokos
|
make check was failing in Fedora rawhide
|
Check the permissions to see if the key file is readable.
|
Python for OpenSSL is in quite a sad state with several competing
mid-level implementations which provide different feature sets.
The httplib client provides access to the negotiated cipher and
protocol but not SNI (and it has lousy hostname checking).
The urllib3 client provides SNI and is generally better but doesn't
give any details on the connection.
So I'm using both. The original one is used for basic server testing
and the urllib3 one is used just for SNI testing.
Also:
- Indent the test configuration to make it more readable
- Add separate config file for SNI testing
- Add a CGI configuration and script to test CGI variables
- Change client cipher test to use AES256-SHA instead of RC4
- Add a commented-out valgrind option in start for future
debuggers
- Change the VirtualServers to *:port and use ServerName
- Add per-VH document roots so SNI can be more easily tested
|
Uses a hash table to pair up server names and nicknames and
a lookup is done during the handshake to determine which
nickname is to be used, and therefore which VirtualHost.
Based heavily on patch from Stanislav Tokos <stokos@suse.de>
|
I don't want to assume these ciphers are available in
every distro so I'm bending over backwards a bit to
check for availability and get the defines right
for the python cipher tests.
|
When retrieving the negotiated cipher the string was being leaked
and the wrong free was being used for subject and issuer.
|
Based heavily on patch submitted by Stanislav Tokos <stokos@suse.de>
==30687== Invalid read of size 1
==30687== at 0x4C2D902: memmove (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==30687== by 0x9D0A844: nss_var_lookup_nss_cert_PEM (string3.h:58)
==30687== by 0x9D0AF58: nss_var_lookup_nss_cert
(nss_engine_vars.c:437)
==30687== by 0x9D0B411: nss_var_lookup (nss_engine_vars.c:339)
==30687== by 0x9D08813: nss_hook_Fixup (nss_engine_kernel.c:878)
==30687== by 0x146FE9: ap_run_fixups (in /usr/sbin/httpd2-prefork)
==30687== by 0x15B2C7: ap_process_request (in
/usr/sbin/httpd2-prefork)
==30687== by 0x158137: ??? (in /usr/sbin/httpd2-prefork)
==30687== by 0x153C52: ap_run_process_connection (in
/usr/sbin/httpd2-prefork)
==30687== by 0x1602DD: ??? (in /usr/sbin/httpd2-prefork)
==30687== by 0x160585: ??? (in /usr/sbin/httpd2-prefork)
==30687== by 0x1610AC: ap_mpm_run (in /usr/sbin/httpd2-prefork)
==30687== Address 0xf8cbc11 is 0 bytes after a block of size 1,745
alloc'd
==30687== at 0x4C29F09: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==30687== by 0xAD0573F: PORT_Alloc_Util (in
/usr/lib64/libnssutil3.so)
==30687== by 0xACFE179: NSSBase64_EncodeItem_Util (in
/usr/lib64/libnssutil3.so)
==30687== by 0xACFE1DA: BTOA_DataToAscii_Util (in
/usr/lib64/libnssutil3.so)
==30687== by 0x9D0A7EC: nss_var_lookup_nss_cert_PEM
(nss_engine_vars.c:569)
==30687== by 0x9D0AF58: nss_var_lookup_nss_cert
(nss_engine_vars.c:437)
==30687== by 0x9D0B411: nss_var_lookup (nss_engine_vars.c:339)
==30687== by 0x9D08813: nss_hook_Fixup (nss_engine_kernel.c:878)
==30687== by 0x146FE9: ap_run_fixups (in /usr/sbin/httpd2-prefork)
==30687== by 0x15B2C7: ap_process_request (in
/usr/sbin/httpd2-prefork)
==30687== by 0x158137: ??? (in /usr/sbin/httpd2-prefork)
==30687== by 0x153C52: ap_run_process_connection (in
/usr/sbin/httpd2-prefork)
|
Also add test for AESGCM
|
A cipher value could be -1, 0 or 1 meaning completely disabled,
disabled and enabled. A -1 passed to SSL_CipherPrefSet() could
cause a cipher to actually be enabled. Now pass PR_TRUE if
the cipher is enabled otherwise pass PR_FALSE.
Fix CVE-2015-5244
|