[Secure Coding] master: Fixed broken ascii (40444c2)
by Eric Christensen
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit 40444c2c1c47f7dae22b41ed30c7ad806945ec4f
Author: Eric Christensen <echriste(a)redhat.com>
Date: Wed May 28 13:49:41 2014 -0400
Fixed broken ascii
>---------------------------------------------------------------
Securing_TLS/en-US/mod_ssl.xml | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Securing_TLS/en-US/mod_ssl.xml b/Securing_TLS/en-US/mod_ssl.xml
index dd0e061..b656bd3 100644
--- a/Securing_TLS/en-US/mod_ssl.xml
+++ b/Securing_TLS/en-US/mod_ssl.xml
@@ -154,8 +154,8 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
-# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
-# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
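Review bot: the four `and %{TIME_WDAY}` / `and %{TIME_HOUR}` lines this hunk removes and re-adds are indistinguishable in the rendered diff, so the "broken ascii" being fixed (presumably a non-ASCII or non-breaking whitespace byte in the indentation of the pasted `ssl.conf`) cannot be verified from the patch alone; name the offending character in the commit message or show it with `git diff --word-diff-regex=.` so the fix is reviewable, and grep the rest of the listing added in 3aacde3 for the same byte, since the whole file was pasted in one go.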
[Secure Coding] master: Added intro and default ssl.conf file (3aacde3)
by Eric Christensen
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit 3aacde3a8b6783ea9ce6e2cae78f82a709909b31
Author: Eric Christensen <echriste(a)redhat.com>
Date: Wed May 28 11:52:53 2014 -0400
Added intro and default ssl.conf file
>---------------------------------------------------------------
Securing_TLS/en-US/mod_ssl.xml | 243 ++++++++++++++++++++++++++++++++++++----
1 files changed, 223 insertions(+), 20 deletions(-)
diff --git a/Securing_TLS/en-US/mod_ssl.xml b/Securing_TLS/en-US/mod_ssl.xml
index 36febc1..dd0e061 100644
--- a/Securing_TLS/en-US/mod_ssl.xml
+++ b/Securing_TLS/en-US/mod_ssl.xml
@@ -3,31 +3,234 @@
<!ENTITY % BOOK_ENTITIES SYSTEM "Securing_TLS.ent">
%BOOK_ENTITIES;
]>
-<chapter id="chap-Fedora_Security_Team-Securing_TLS-Test_Chapter">
- <title>Test Chapter</title>
+<chapter id="chap-Fedora_Security_Team-Securing_TLS-mod_ssl">
+ <title>mod_ssl</title>
<para>
- This is a test paragraph
+ <application>Apache</application> web server utilizes <application>mod_ssl</application> to utilize OpenSSL for cryptography. Configuration is handled by the <filename>/etc/httpd/conf.d/ssl.conf</filename> file and can be modified to support a wide range of ciphers and protocols.
</para>
- <section id="sect-Fedora_Security_Team-Securing_TLS-Test_Chapter-Test_Section_1">
- <title>Test Section 1</title>
+ <section id="sect-Fedora_Security_Team-Securing_TLS-mod_ssl-configuration">
+ <title>Configuration</title>
<para>
- This is a test paragraph in a section
- </para>
- </section>
+ <application>mod_ssl</application>'s configuration file, by default, appears as such:
+<screen>
+#
+# When we also provide SSL we have to listen to the
+# the HTTPS port in addition.
+#
+Listen 443 https
- <section id="sect-Fedora_Security_Team-Securing_TLS-Test_Chapter-Test_Section_2">
- <title>Test Section 2</title>
- <para>
- This is a test paragraph in Section 2
- <orderedlist>
- <listitem>
- <para>
- This is a test listitem.
- </para>
- </listitem>
- </orderedlist>
+##
+## SSL Global Context
+##
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+##
+
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+# Inter-Process Session Cache:
+# Configure the SSL Session Cache: First the mechanism
+# to use and second the expiring timeout (in seconds).
+SSLSessionCache shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout 300
+
+# Pseudo Random Number Generator (PRNG):
+# Configure one or more sources to seed the PRNG of the
+# SSL library. The seed data should be of good random quality.
+# WARNING! On some platforms /dev/random blocks if not enough entropy
+# is available. This means you then cannot use the /dev/random device
+# because it would lead to very long connection times (as long as
+# it requires to make more entropy available). But usually those
+# platforms additionally provide a /dev/urandom device which doesn't
+# block. So, if available, use this one instead. Read the mod_ssl User
+# Manual for more details.
+SSLRandomSeed startup file:/dev/urandom 256
+SSLRandomSeed connect builtin
+#SSLRandomSeed startup file:/dev/random 512
+#SSLRandomSeed connect file:/dev/random 512
+#SSLRandomSeed connect file:/dev/urandom 512
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names. NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly.
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+<VirtualHost _default_:443>
+
+# General setup for the virtual host, inherited from global configuration
+#DocumentRoot "/var/www/html"
+#ServerName www.example.com:443
+
+# Use separate log files for the SSL virtual host; note that LogLevel
+# is not inherited from httpd.conf.
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel warn
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+# SSL Protocol support:
+# List the enable protocol levels with which clients will be able to
+# connect. Disable SSLv2 access by default:
+SSLProtocol all -SSLv2
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+
+# Speed-optimized SSL Cipher configuration:
+# If speed is your main concern (on busy HTTPS servers e.g.),
+# you might want to force clients to specific, performance
+# optimized ciphers. In this case, prepend those ciphers
+# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+# Caveat: by giving precedence to RC4-SHA and AES128-SHA
+# (as in the example below), most connections will no longer
+# have perfect forward secrecy - if the server's key is
+# compromised, captures of past or future traffic must be
+# considered compromised, too.
+#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+#SSLHonorCipherOrder on
+
+# Server Certificate:
+# Point SSLCertificateFile at a PEM encoded certificate. If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase. Note that a kill -HUP will prompt again. A new
+# certificate can be generated using the genkey(1) command.
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+
+# Server Private Key:
+# If the key is not combined with the certificate, use this
+# directive to point at the key file. Keep in mind that if
+# you've both a RSA and a DSA private key you can configure
+# both in parallel (to also allow the use of DSA ciphers, etc.)
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+
+# Server Certificate Chain:
+# Point SSLCertificateChainFile at a file containing the
+# concatenation of PEM encoded CA certificates which form the
+# certificate chain for the server certificate. Alternatively
+# the referenced file can be the same as SSLCertificateFile
+# when the CA certificates are directly appended to the server
+# certificate for convinience.
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+
+# Certificate Authority (CA):
+# Set the CA certificate verification path where to find CA
+# certificates for client authentication or alternatively one
+# huge file containing all of them (file must be PEM encoded)
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+# Client Authentication (Type):
+# Client certificate verification type and depth. Types are
+# none, optional, require and optional_no_ca. Depth is a
+# number which specifies how deeply to verify the certificate
+# issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth 10
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_ssl documentation
+# for more details.
+#<Location />
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_* ' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+ SSLOptions +StdEnvVars
+</Files%#62;
+<Directory "/var/www/cgi-bin">
+ SSLOptions +StdEnvVars
+</Directory>
+
+# SSL Protocol Adjustments:
+# The safe and default but still SSL/TLS standard compliant shutdown
+# approach is that mod_ssl sends the close notify alert but doesn't wait for
+# the close notify alert from client. When you need a different shutdown
+# approach you can use one of the following variables:
+# o ssl-unclean-shutdown:
+# This forces an unclean shutdown when the connection is closed, i.e. no
+# SSL close notify alert is send or allowed to received. This violates
+# the SSL/TLS standard but is needed for some brain-dead browsers. Use
+# this when you receive I/O errors because of the standard approach where
+# mod_ssl sends the close notify alert.
+# o ssl-accurate-shutdown:
+# This forces an accurate shutdown when the connection is closed, i.e. a
+# SSL close notify alert is send and mod_ssl waits for the close notify
+# alert of the client. This is 100% SSL/TLS standard compliant, but in
+# practice often causes hanging connections with brain-dead browsers. Use
+# this only for browsers where you know that their SSL implementation
+# works correctly.
+# Notice: Most problems of broken clients are also related to the HTTP
+# keep-alive facility, so you usually additionally want to disable
+# keep-alive for those clients, too. Use variable "nokeepalive" for this.
+# Similarly, one has to force some clients to use HTTP/1.0 to workaround
+# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+# "force-response-1.0" for this.
+BrowserMatch "MSIE [2-5]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+CustomLog logs/ssl_request_log \
+ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
+</screen>
</para>
</section>
-
</chapter>
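Review bot: the `<screen>` block pastes Apache container directives verbatim (`<VirtualHost _default_:443>`, `<Files ~ "\.(cgi|shtml|phtml|php3?)$">`, `<Directory "/var/www/cgi-bin">`, plus the mangled closing tag `</Files%#62;`), so the chapter is not well-formed XML and `publican build` will reject it; escape every `<` and `>` inside the listing as `&lt;`/`&gt;` (or wrap the listing in `<![CDATA[ ... ]]>`) and correct `</Files%#62;` to the escaped `</Files>`. Two content points for a chapter in a book titled "Securing TLS": `SSLProtocol all -SSLv2` still enables SSLv3, and `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` still admits RC4-SHA (the file's own comment names it) and non-forward-secret RSA key exchange; if this listing is meant as the stock default that later text hardens, say so in the intro and flag those two lines as the ones to change (at minimum `SSLProtocol all -SSLv2 -SSLv3`). Minor: "utilizes mod_ssl to utilize OpenSSL" in the intro reads better as "uses mod_ssl to provide TLS through OpenSSL".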
[Secure Coding] master: Removed duplicate file (537169f)
by Eric Christensen
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit 537169f66d544c37a64debfe348ad672a9c39c49
Author: Eric Christensen <echriste(a)redhat.com>
Date: Wed May 28 11:21:40 2014 -0400
Removed duplicate file
>---------------------------------------------------------------
Securing_TLS/en-US/dovecot | 33 ---------------------------------
1 files changed, 0 insertions(+), 33 deletions(-)
diff --git a/Securing_TLS/en-US/dovecot b/Securing_TLS/en-US/dovecot
deleted file mode 100644
index 36febc1..0000000
--- a/Securing_TLS/en-US/dovecot
+++ /dev/null
@@ -1,33 +0,0 @@
-<?xml version='1.0' encoding='utf-8' ?>
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-<!ENTITY % BOOK_ENTITIES SYSTEM "Securing_TLS.ent">
-%BOOK_ENTITIES;
-]>
-<chapter id="chap-Fedora_Security_Team-Securing_TLS-Test_Chapter">
- <title>Test Chapter</title>
- <para>
- This is a test paragraph
- </para>
- <section id="sect-Fedora_Security_Team-Securing_TLS-Test_Chapter-Test_Section_1">
- <title>Test Section 1</title>
- <para>
- This is a test paragraph in a section
- </para>
- </section>
-
- <section id="sect-Fedora_Security_Team-Securing_TLS-Test_Chapter-Test_Section_2">
- <title>Test Section 2</title>
- <para>
- This is a test paragraph in Section 2
- <orderedlist>
- <listitem>
- <para>
- This is a test listitem.
- </para>
- </listitem>
- </orderedlist>
- </para>
- </section>
-
-</chapter>
-
[Secure Coding] master: Added blank chapters for topics we want to cover. (001aa4a)
by Eric Christensen
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit 001aa4af3af934cd2c8896d5dcdf381591ff6e12
Author: Eric Christensen <echriste(a)redhat.com>
Date: Wed May 28 11:10:17 2014 -0400
Added blank chapters for topics we want to cover.
>---------------------------------------------------------------
Securing_TLS/en-US/{Chapter.xml => GnuTLS.xml} | 0
Securing_TLS/en-US/{Chapter.xml => NSS.xml} | 0
Securing_TLS/en-US/{Chapter.xml => OpenSSL.xml} | 0
Securing_TLS/en-US/{Chapter.xml => dovecot} | 0
Securing_TLS/en-US/{Chapter.xml => dovecot.xml} | 0
Securing_TLS/en-US/{Chapter.xml => freeradius.xml} | 0
Securing_TLS/en-US/{Chapter.xml => mod_nss.xml} | 0
Securing_TLS/en-US/{Chapter.xml => mod_ssl.xml} | 0
Securing_TLS/en-US/{Chapter.xml => tomcat.xml} | 0
9 files changed, 0 insertions(+), 0 deletions(-)
diff --git a/Securing_TLS/en-US/Chapter.xml b/Securing_TLS/en-US/GnuTLS.xml
similarity index 100%
copy from Securing_TLS/en-US/Chapter.xml
copy to Securing_TLS/en-US/GnuTLS.xml
diff --git a/Securing_TLS/en-US/Chapter.xml b/Securing_TLS/en-US/NSS.xml
similarity index 100%
copy from Securing_TLS/en-US/Chapter.xml
copy to Securing_TLS/en-US/NSS.xml
diff --git a/Securing_TLS/en-US/Chapter.xml b/Securing_TLS/en-US/OpenSSL.xml
similarity index 100%
copy from Securing_TLS/en-US/Chapter.xml
copy to Securing_TLS/en-US/OpenSSL.xml
diff --git a/Securing_TLS/en-US/Chapter.xml b/Securing_TLS/en-US/dovecot
similarity index 100%
copy from Securing_TLS/en-US/Chapter.xml
copy to Securing_TLS/en-US/dovecot
diff --git a/Securing_TLS/en-US/Chapter.xml b/Securing_TLS/en-US/dovecot.xml
similarity index 100%
copy from Securing_TLS/en-US/Chapter.xml
copy to Securing_TLS/en-US/dovecot.xml
diff --git a/Securing_TLS/en-US/Chapter.xml b/Securing_TLS/en-US/freeradius.xml
similarity index 100%
copy from Securing_TLS/en-US/Chapter.xml
copy to Securing_TLS/en-US/freeradius.xml
diff --git a/Securing_TLS/en-US/Chapter.xml b/Securing_TLS/en-US/mod_nss.xml
similarity index 100%
copy from Securing_TLS/en-US/Chapter.xml
copy to Securing_TLS/en-US/mod_nss.xml
diff --git a/Securing_TLS/en-US/Chapter.xml b/Securing_TLS/en-US/mod_ssl.xml
similarity index 100%
copy from Securing_TLS/en-US/Chapter.xml
copy to Securing_TLS/en-US/mod_ssl.xml
diff --git a/Securing_TLS/en-US/Chapter.xml b/Securing_TLS/en-US/tomcat.xml
similarity index 100%
copy from Securing_TLS/en-US/Chapter.xml
copy to Securing_TLS/en-US/tomcat.xml
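Review bot: all nine files are 100%-similarity copies of Chapter.xml, so each carries the same `id="chap-Fedora_Security_Team-Securing_TLS-Test_Chapter"` and the same two `sect-...-Test_Section_1`/`_2` ids; DocBook ids must be unique within a book, so the build will fail with duplicate-id errors as soon as a second one of these files is xi:included from Securing_TLS.xml. Rename the ids when each chapter is filled in (as 3aacde3 later does for mod_ssl.xml). The extension-less `dovecot` next to `dovecot.xml` is an accidental duplicate, removed in 537169f.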
[Secure Coding] master: Changed from article to a book (c5afb3f)
by Eric Christensen
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit c5afb3fe278eecdac1f43c14956242d99321b8db
Author: Eric Christensen <echriste(a)redhat.com>
Date: Wed May 28 11:05:21 2014 -0400
Changed from article to a book
>---------------------------------------------------------------
.../en-US/{Article_Info.xml => Book_Info.xml} | 6 ++--
Securing_TLS/en-US/Chapter.xml | 33 ++++++++++++++++++++
Securing_TLS/en-US/Preface.xml | 13 ++++++++
Securing_TLS/en-US/Securing_TLS.xml | 13 +++----
Securing_TLS/publican.cfg | 8 ++--
5 files changed, 59 insertions(+), 14 deletions(-)
diff --git a/Securing_TLS/en-US/Article_Info.xml b/Securing_TLS/en-US/Book_Info.xml
similarity index 82%
rename from Securing_TLS/en-US/Article_Info.xml
rename to Securing_TLS/en-US/Book_Info.xml
index a8e059c..25fe7f3 100644
--- a/Securing_TLS/en-US/Article_Info.xml
+++ b/Securing_TLS/en-US/Book_Info.xml
@@ -1,9 +1,9 @@
<?xml version='1.0' encoding='utf-8' ?>
-<!DOCTYPE articleinfo PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!DOCTYPE bookinfo PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "Securing_TLS.ent">
%BOOK_ENTITIES;
]>
-<articleinfo id="arti-Fedora_Security_Team-Securing_TLS-Securing_TLS">
+<bookinfo id="book-Fedora_Security_Team-Securing_TLS-Securing_TLS">
<title>Securing TLS</title>
<subtitle>Enter a short description here.</subtitle>
<productname>Fedora Security Team</productname>
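Review bot: `<subtitle>Enter a short description here.</subtitle>` is still the publican template placeholder and is carried over unchanged into the renamed Book_Info.xml; replace it with a one-line description of the book before it is built for publication.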
@@ -24,5 +24,5 @@
</corpauthor>
<xi:include href="Common_Content/Legal_Notice.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="Author_Group.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
-</articleinfo>
+</bookinfo>
diff --git a/Securing_TLS/en-US/Chapter.xml b/Securing_TLS/en-US/Chapter.xml
new file mode 100644
index 0000000..36febc1
--- /dev/null
+++ b/Securing_TLS/en-US/Chapter.xml
@@ -0,0 +1,33 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY % BOOK_ENTITIES SYSTEM "Securing_TLS.ent">
+%BOOK_ENTITIES;
+]>
+<chapter id="chap-Fedora_Security_Team-Securing_TLS-Test_Chapter">
+ <title>Test Chapter</title>
+ <para>
+ This is a test paragraph
+ </para>
+ <section id="sect-Fedora_Security_Team-Securing_TLS-Test_Chapter-Test_Section_1">
+ <title>Test Section 1</title>
+ <para>
+ This is a test paragraph in a section
+ </para>
+ </section>
+
+ <section id="sect-Fedora_Security_Team-Securing_TLS-Test_Chapter-Test_Section_2">
+ <title>Test Section 2</title>
+ <para>
+ This is a test paragraph in Section 2
+ <orderedlist>
+ <listitem>
+ <para>
+ This is a test listitem.
+ </para>
+ </listitem>
+ </orderedlist>
+ </para>
+ </section>
+
+</chapter>
+
diff --git a/Securing_TLS/en-US/Preface.xml b/Securing_TLS/en-US/Preface.xml
new file mode 100644
index 0000000..9fe15e4
--- /dev/null
+++ b/Securing_TLS/en-US/Preface.xml
@@ -0,0 +1,13 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE preface PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY % BOOK_ENTITIES SYSTEM "Securing_TLS.ent">
+%BOOK_ENTITIES;
+]>
+<preface id="pref-Fedora_Security_Team-Securing_TLS-Preface">
+ <title>Preface</title>
+ <xi:include href="Common_Content/Conventions.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+ <xi:include href="Feedback.xml" xmlns:xi="http://www.w3.org/2001/XInclude"><xi:fallback xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="Common_Content/Feedback.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+ </xi:fallback>
+ </xi:include>
+</preface>
+
diff --git a/Securing_TLS/en-US/Securing_TLS.xml b/Securing_TLS/en-US/Securing_TLS.xml
index 7e6ae9a..2e80080 100644
--- a/Securing_TLS/en-US/Securing_TLS.xml
+++ b/Securing_TLS/en-US/Securing_TLS.xml
@@ -1,14 +1,13 @@
<?xml version='1.0' encoding='utf-8' ?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "Securing_TLS.ent">
%BOOK_ENTITIES;
]>
-<article>
- <xi:include href="Article_Info.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
- <para>
- This is a test paragraph
- </para>
+<book>
+ <xi:include href="Book_Info.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+ <xi:include href="Preface.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+ <xi:include href="Chapter.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="Revision_History.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<index />
-</article>
+</book>
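Review bot: the book now xi:includes `Chapter.xml`, which is the "Test Chapter" placeholder created in this same commit, so the rendered book will show test content; drop this include once the real chapters (mod_ssl.xml and the other topic files) replace it.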
diff --git a/Securing_TLS/publican.cfg b/Securing_TLS/publican.cfg
index 646e599..3e94942 100644
--- a/Securing_TLS/publican.cfg
+++ b/Securing_TLS/publican.cfg
@@ -1,8 +1,8 @@
# Config::Simple 4.59
-# Wed May 28 10:59:04 2014
+# Wed May 28 11:03:40 2014
-xml_lang: "en-US"
-dtdver: "4.5"
-type: Article
+type: Book
brand: fedora
+dtdver: "4.5"
+xml_lang: "en-US"
[Secure Coding] master: Merge branch 'master' of git+ssh://git.fedorahosted.org/git/secure-coding (8341df7)
by Eric Christensen
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit 8341df782d8f94f60539c0a2d3682ab843bb22f4
Merge: 7ada5ed 13faeec
Author: Eric Christensen <echriste(a)redhat.com>
Date: Wed May 28 11:00:16 2014 -0400
Merge branch 'master' of git+ssh://git.fedorahosted.org/git/secure-coding
>---------------------------------------------------------------
defensive-coding/Makefile | 2 +-
defensive-coding/en-US/C-Allocators.xml | 7 +-
defensive-coding/en-US/Defensive_Coding.xml | 3 +
defensive-coding/en-US/Features-TLS.xml | 11 +++
defensive-coding/en-US/Go.xml | 90 ++++++++++++++++++
defensive-coding/en-US/Tasks-Packaging.xml | 131 +++++++++++++++++++++++++++
defensive-coding/en-US/Vala.xml | 53 +++++++++++
defensive-coding/src/.gitignore | 1 +
defensive-coding/src/Go-Error_Handling.go | 48 ++++++++++
defensive-coding/src/src.mk | 6 ++
10 files changed, 348 insertions(+), 4 deletions(-)
diff --git a/defensive-coding/Makefile b/defensive-coding/Makefile
index 6220afc..2090dad 100644
--- a/defensive-coding/Makefile
+++ b/defensive-coding/Makefile
@@ -9,7 +9,7 @@ build: build-src build-manual
build-snippets:
mkdir -p en-US/snippets
python scripts/split-snippets.py . \
- src/*.c src/*.cpp src/*.java src/*.py
+ src/*.c src/*.cpp src/*.java src/*.py src/*.go
build-manual: build-snippets
publican build --formats=html,epub,pdf --langs=en-US
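Review bot: adding `src/*.go` to the `split-snippets.py` glob is needed because Go.xml (new in this merge) xi:includes `snippets/Go-Error_Handling-Regular.xml` and `snippets/Go-Error_Handling-IO.xml`; confirm that `src/Go-Error_Handling.go` carries the snippet markers the script expects under exactly those two names, otherwise `build-manual` fails on the missing includes. The accompanying `src/src.mk` change (not shown here) should also compile the Go file under `build-src` so the snippets stay in sync with code that actually builds.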
diff --git a/defensive-coding/en-US/C-Allocators.xml b/defensive-coding/en-US/C-Allocators.xml
index 1bff610..87d2682 100644
--- a/defensive-coding/en-US/C-Allocators.xml
+++ b/defensive-coding/en-US/C-Allocators.xml
@@ -29,7 +29,7 @@
realloc(ptr, size);</literal> is wrong because the memory
pointed to by <literal>ptr</literal> leaks in case of an error.
</para>
- <section>
+ <section id="sect-Defensive_Coding-C-Use-After-Free">
<title>Use-after-free errors</title>
<para>
After <function>free</function>, the pointer is invalid.
@@ -140,7 +140,7 @@
</para>
</section>
- <section>
+ <section id="sect-Defensive_Coding-C-Allocators-Custom">
<title>Custom memory allocators</title>
<para>
Custom memory allocates come in two forms: replacements for
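Review bot: while adding the section id here, fix the typo in the context line directly below the heading: "Custom memory allocates come in two forms" should read "Custom memory allocators come in two forms".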
@@ -176,7 +176,8 @@
allocators. In micro-benchmarks, pool allocators can show
huge wins, and size-specific pools can reduce internal
fragmentation. But often, utilization of individual pools
- is poor, and
+ is poor, and external fragmentation increases the overall
+ memory usage.
</para>
</listitem>
</itemizedlist>
diff --git a/defensive-coding/en-US/Defensive_Coding.xml b/defensive-coding/en-US/Defensive_Coding.xml
index b8ca3de..ee96c8d 100644
--- a/defensive-coding/en-US/Defensive_Coding.xml
+++ b/defensive-coding/en-US/Defensive_Coding.xml
@@ -8,6 +8,8 @@
<xi:include href="CXX.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="Java.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="Python.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+ <xi:include href="Go.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+ <xi:include href="Vala.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
</part>
<part>
<title>Specific Programming Tasks</title>
@@ -18,6 +20,7 @@
<xi:include href="Tasks-Processes.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="Tasks-Serialization.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="Tasks-Cryptography.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+ <xi:include href="Tasks-Packaging.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
</part>
<part>
<title>Implementing Security Features</title>
diff --git a/defensive-coding/en-US/Features-TLS.xml b/defensive-coding/en-US/Features-TLS.xml
index 936910d..5d9e39d 100644
--- a/defensive-coding/en-US/Features-TLS.xml
+++ b/defensive-coding/en-US/Features-TLS.xml
@@ -186,6 +186,17 @@
verify</command> result in an exit status of zero.
</para>
<para>
+ OpenSSL command-line commands, such as <command>openssl
+ genrsa</command>, do not ensure that physical entropy is used
+ for key generation—they obtain entropy from
+ <filename>/dev/urandom</filename> and other sources, but not
+ from <filename>/dev/random</filename>. This can result in
+ weak keys if the system lacks a proper entropy source (e.g., a
+ virtual machine with solid state storage). Depending on local
+ policies, keys generated by these OpenSSL tools should not be
+ used in high-value, critical functions.
+ </para>
+ <para>
The OpenSSL server and client applications (<command>openssl
s_client</command> and <command>openssl s_server</command>)
are debugging tools and should <emphasis>never</emphasis> be
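Review bot: the new paragraph's reasoning is imprecise: reading from `/dev/urandom` produces weak keys only when the kernel pool has not yet been seeded (early boot, or the first boot of a cloned VM image), not whenever `/dev/random` would block, so "a virtual machine with solid state storage" is a misleading example and the urandom-versus-random contrast is not the actual risk. Reword to name the unseeded-pool condition, and cross-reference the key-generation `<important>` in Tasks-Packaging.xml added by this same merge so the two passages give consistent guidance.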
diff --git a/defensive-coding/en-US/Go.xml b/defensive-coding/en-US/Go.xml
new file mode 100644
index 0000000..0e44d5e
--- /dev/null
+++ b/defensive-coding/en-US/Go.xml
@@ -0,0 +1,90 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="chap-Defensive_Coding-Go">
+<title>The Go Programming Language</title>
+<para>
+ This chapter contains language-specific recommendations for Go.
+</para>
+<section id="chap-Defensive_Coding-Go-Memory_Safety">
+ <title>Memory safety</title>
+ <para>
+ Go provides memory safety, but only if the program is not executed
+ in parallel (that is, <envar>GOMAXPROCS</envar> is not larger than
+ <literal>1</literal>). The reason is that interface values and
+ slices consist of multiple words are not updated atomically.
+ Another thread of execution can observe an inconsistent pairing
+ between type information and stored value (for interfaces) or
+ pointer and length (for slices), and such inconsistency can lead
+ to a memory safety violation.
+ </para>
+ <para>
+ Code which does not run in parallel and does not use the
+ <literal>unsafe</literal> package (or other packages which expose
+ unsafe constructs) is memory-safe. For example, invalid casts and
+ out-of-range subscripting cause panics and run time.
+ </para>
+ <para>
+ Keep in mind that finalization can introduce parallelism because
+ finalizers are executed concurrently, potentially interleaved with
+ the rest of the program.
+ </para>
+</section>
+<section id="chap-Defensive_Coding-Go-Error_Handling">
+ <title>Error handling</title>
+ <para>
+ Only a few common operations (such as pointer dereference, integer
+ division, array subscripting) trigger exceptions in Go, called
+ <emphasis>panics</emphasis>. Most interfaces in the standard
+ library use a separate return value of type
+ <literal>error</literal> to signal error.
+ </para>
+ <para>
+ Not checking error return values can lead to incorrect operation
+ and data loss (especially in the case of writes, using interfaces
+ such as <literal>io.Writer</literal>).
+ </para>
+ <para>
+ The correct way to check error return values depends on the
+ function or method being called. In the majority of cases, the
+ first step after calling a function should be an error check
+ against the <literal>nil</literal> value, handling any encountered
+ error. See <xref
+ linkend="ex-Defensive_Coding-Go-Error_Handling-Regular"/> for
+ details.
+ </para>
+ <example id="ex-Defensive_Coding-Go-Error_Handling-Regular">
+ <title>Regular error handling in Go</title>
+ <xi:include href="snippets/Go-Error_Handling-Regular.xml"
+ xmlns:xi="http://www.w3.org/2001/XInclude" />
+ </example>
+ <para>
+ However, with <literal>io.Reader</literal>,
+ <literal>io.ReaderAt</literal> and related interfaces, it is
+ necessary to check for a non-zero number of read bytes first, as
+ shown in <xref
+ linkend="ex-Defensive_Coding-Go-Error_Handling-IO"/>. If this
+ pattern is not followed, data loss may occur. This is due to the
+ fact that the <literal>io.Reader</literal> interface permits
+ returning both data and an error at the same time.
+ </para>
+ <example id="ex-Defensive_Coding-Go-Error_Handling-IO">
+ <title>Read error handling in Go</title>
+ <xi:include href="snippets/Go-Error_Handling-IO.xml"
+ xmlns:xi="http://www.w3.org/2001/XInclude" />
+ </example>
+</section>
+<section id="chap-Defensive_Coding-Go-Garbage_Collector">
+ <title>Garbage Collector</title>
+ <para>
+ Older Go releases (before Go 1.3) use a conservative garbage
+ collector without blacklisting. This means that data blobs can
+ cause retention of unrelated data structures because the data is
+ conservatively interpreted as pointers. This phenomenon can be
+ triggered accidentally on 32-bit architectures and is more likely
+ to occur if the heap grows larger. On 64-bit architectures, it
+ may be possible to trigger it deliberately—it is unlikely to occur
+ spontaneously.
+ </para>
+</section>
+</chapter>
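Review bot: two grammar slips in the Memory safety section: "interface values and slices consist of multiple words are not updated atomically" needs "and" before "are", and "cause panics and run time" should be "at run time". Style: the section ids use the `chap-` prefix (`chap-Defensive_Coding-Go-Memory_Safety`, `-Error_Handling`, `-Garbage_Collector`) while sections elsewhere in this merge use `sect-` (`sect-Defensive_Coding-C-Use-After-Free`); use `sect-` for consistency. The Garbage Collector section says "before Go 1.3" although Go 1.3 had not shipped at the commit date (May 2014); write "before Go 1.3 (in development)" or cite the release notes once it is out.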
diff --git a/defensive-coding/en-US/Tasks-Packaging.xml b/defensive-coding/en-US/Tasks-Packaging.xml
new file mode 100644
index 0000000..95bfbc6
--- /dev/null
+++ b/defensive-coding/en-US/Tasks-Packaging.xml
@@ -0,0 +1,131 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="chap-Defensive_Coding-Tasks-Packaging">
+ <title>RPM packaging</title>
+ <para>
+ This chapter deals with security-related concerns around RPM
+ packaging. It has to be read in conjunction with
+ distribution-specific packaging guidelines.
+ </para>
+ <section id="sect-Defensive_Coding-Tasks-Packaging-Certificates">
+ <title>Generating X.509 self-signed certificates during
+ installation</title>
+ <para>
+ Some applications need X.509 certificates for authentication
+ purposes. For example, a single private/public key pair could
+ be used to define cluster membership, enabling authentication
+ and encryption of all intra-cluster communication. (Lack of
+ certification from a CA matters less in such a context.) For
+ such use, generating the key pair at package installation time
+ when preparing system images for use in the cluster is
+ reasonable. For other use cases, it is necessary to generate
+ the key pair before the service is started for the first time.
+ </para>
+ <important>
+ <para>
+ The way the key is generated may not be suitable for key
+ material of critical value. (<command>openssl
+ genrsa</command> uses, but does not require, entropy from a
+ physical source of randomness, among other things.) Such keys
+ should be stored in a hardware security module if possible,
+ and generated from random bits reserved for this purpose
+ derived from a non-deterministic physical source.
+ </para>
+ </important>
+ <para>
+ In the spec file, we define two RPM variables which contain the
+ names of the files used to store the private and public key, and
+ the user name for the service:
+ </para>
+ <informalexample>
+ <programlisting language="RPM Spec">
+# Name of the user owning the file with the private key
+%define tlsuser %{name}
+# Name of the directory which contains the key and certificate files
+%define tlsdir %{_sysconfdir}/%{name}
+%define tlskey %{tlsdir}/%{name}.key
+%define tlscert %{tlsdir}/%{name}.crt
+ </programlisting>
+ </informalexample>
+ <para>
+ These variables likely need adjustment based on the needs of the
+ package.
+ </para>
+ <para>
+ Typically, the file with the private key needs to be owned by
+ the system user which needs to read it,
+ <literal>%{tlsuser}</literal> (not <literal>root</literal>). In
+ order to avoid races, if the <emphasis>directory</emphasis>
+ <literal>%{tlsdir}</literal> is <emphasis>owned by the services
+ user</emphasis>, you should use the code in <xref
+ linkend="ex-Defensive_Coding-Packaging-Certificates-Owned"/>.
+ The invocation of <application>su</application> with the
+ <option>-s /bin/bash</option> argument is necessary in case the
+ login shell for the user has been disabled.
+ </para>
+ <example id="ex-Defensive_Coding-Packaging-Certificates-Owned">
+ <title>Creating a key pair in a user-owned directory</title>
+ <programlisting language="Bash">
+%post
+if [ $1 -eq 1 ] ; then
+ if ! test -e %{tlskey} ; then
+ su -s /bin/bash \
+ -c "umask 077 && openssl genrsa -out %{tlskey} 2048 2>/dev/null" \
+ %{tlsuser}
+ fi
+ if ! test -e %{tlscert} ; then
+ cn="Automatically generated certificate for the %{tlsuser} service"
+ req_args="-key %{tlskey} -out %{tlscert} -days 7305 -subj \"/CN=$cn/\""
+ su -s /bin/bash \
+ -c "openssl req -new -x509 -extensions usr_cert $req_args" \
+ %{tlsuser}
+ fi
+fi
+
+%files
+%dir %attr(0755,%{tlsuser},%{tlsuser]) %{tlsdir}
+%ghost %attr(0600,%{tlsuser},%{tlsuser}) %{tlskey}
+%ghost %attr(0644,%{tlsuser},%{tlsuser}) %{tlscert}
+ </programlisting>
+ </example>
+ <para>
+ If the <emphasis>directory</emphasis>
+ <literal>%{tlsdir}</literal> <emphasis>is owned by</emphasis>
+ <literal>root</literal>, use the code in <xref
+ linkend="ex-Defensive_Coding-Packaging-Certificates-Unowned"/>.
+ </para>
+ <example id="ex-Defensive_Coding-Packaging-Certificates-Unowned">
+ <title>Creating a key pair in a <literal>root</literal>-owned directory</title>
+ <programlisting language="Bash">
+%post
+if [ $1 -eq 1 ] ; then
+ if ! test -e %{tlskey} ; then
+ (umask 077 && openssl genrsa -out %{tlskey} 2048 2>/dev/null)
+ chown %{tlsuser} %{tlskey}
+ fi
+ if ! test -e %{tlscert} ; then
+ cn="Automatically generated certificate for the %{tlsuser} service"
+ openssl req -new -x509 -extensions usr_cert \
+ -key %{tlskey} -out %{tlscert} -days 7305 -subj "/CN=$cn/"
+ fi
+fi
+
+%files
+%dir %attr(0755,%{root},%{root}]) %{tlsdir}
+%ghost %attr(0600,%{tlsuser},%{tlsuser}) %{tlskey}
+%ghost %attr(0644,%{root},%{root}) %{tlscert}
+ </programlisting>
+ </example>
+ <para>
+ In order for this to work, the package which generates the keys
+ must require the <application>openssl</application> package. If
+ the user which owns the key file is generated by a different
+ package, the package generating the certificate must specify a
+ <literal>Requires(pre):</literal> on the package which creates
+ the user. This ensures that the user account will exist when it
+ is needed for the <application>su</application> or
+ <application>chmod</application> invocation.
+ </para>
+ </section>
+</chapter>
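Review bot: The `%files` samples in both examples will not build as written: on the `%dir` line of the first example, `%{tlsuser]` has a `]` where the closing `}` belongs, and the `%dir` and `%ghost` lines of the second example use `%{root}` (again with a stray `]`), which is not one of the four macros defined at the top of the section; the owner and group there should be the literal `root`, i.e. `%dir %attr(0755,root,root) %{tlsdir}` and `%ghost %attr(0644,root,root) %{tlscert}`. In the closing paragraph, `chmod` should read `chown`, since that is the command the root-owned example runs after `openssl genrsa`. Two smaller points: `2>/dev/null` on the `genrsa` call hides the reason when key generation fails, and the `$1 -eq 1` guard means a package upgraded from a version that lacked this scriptlet never gets a key; the `test -e` checks already make the block idempotent, so the guard could be dropped.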
diff --git a/defensive-coding/en-US/Vala.xml b/defensive-coding/en-US/Vala.xml
new file mode 100644
index 0000000..3dea943
--- /dev/null
+++ b/defensive-coding/en-US/Vala.xml
@@ -0,0 +1,53 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="chap-Defensive_Coding-Vala">
+<title>The Vala Programming Language</title>
+<para>
+ Vala is a programming language mainly targeted at GNOME developers.
+</para>
+<para>
+ Its syntax is inspired by C# (and thus, indirectly, by Java). But
+ unlike C# and Java, Vala does not attempt to provide memory safety:
+ Vala is compiled to C, and the C code is compiled with GCC using
+ typical compiler flags. Basic operations like integer arithmetic
+ are directly mapped to C constructs. As a results, the
+ recommendations in <xref linkend="chap-Defensive_Coding-C"/> apply.
+</para>
+<para>
+ In particular, the following Vala language constructs can result in
+ undefined behavior at run time:
+</para>
+<itemizedlist>
+ <listitem>
+ <para>
+ Integer arithmetic, as described in <xref
+ linkend="sect-Defensive_Coding-C-Arithmetic"/>.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Pointer arithmetic, string subscripting and the
+ <literal>substring</literal> method on strings (the
+ <literal>string</literal> class in the
+ <literal>glib-2.0</literal> package) are not range-checked. It
+ is the responsibility of the calling code to ensure that the
+ arguments being passed are valid. This applies even to cases
+ (like <literal>substring</literal>) where the implementation
+ would have range information to check the validity of indexes.
+ See <xref linkend="sect-Defensive_Coding-C-Pointers"/>.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Similarly, Vala only performs garbage collection (through
+ reference counting) for <literal>GObject</literal> values. For
+ plain C pointers (such as strings), the programmer has to ensure
+ that storage is deallocated once it is no longer needed (to
+ avoid memory leaks), and that storage is not being deallocated
+ while it is still being used (see <xref
+ linkend="sect-Defensive_Coding-C-Use-After-Free"/>).
+ </para>
+ </listitem>
+</itemizedlist>
+</chapter>
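Review bot: The DOCTYPE at the top of the new file declares the root element as `section`, but the document root is `<chapter id="chap-Defensive_Coding-Vala">`; publican validates against the DTD, so this should be `<!DOCTYPE chapter PUBLIC ...>` as in Go.xml and Tasks-Packaging.xml. Typo in the second paragraph: "As a results" should be "As a result".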
diff --git a/defensive-coding/src/.gitignore b/defensive-coding/src/.gitignore
index 4adbfe5..335a122 100644
--- a/defensive-coding/src/.gitignore
+++ b/defensive-coding/src/.gitignore
@@ -4,5 +4,6 @@
/TLS-Client-OpenSSL
/XML-Parser-Expat
/XML-Parser-Qt
+/Go-Error_Handling
*.class
*.o
diff --git a/defensive-coding/src/Go-Error_Handling.go b/defensive-coding/src/Go-Error_Handling.go
new file mode 100644
index 0000000..d546018
--- /dev/null
+++ b/defensive-coding/src/Go-Error_Handling.go
@@ -0,0 +1,48 @@
+package main
+
+import "io"
+
+//+ Go Error_Handling-Regular
+type Processor interface {
+ Process(buf []byte) (message string, err error)
+}
+
+type ErrorHandler interface {
+ Handle(err error)
+}
+
+func RegularError(buf []byte, processor Processor,
+ handler ErrorHandler) (message string, err error) {
+ message, err = processor.Process(buf)
+ if err != nil {
+ handler.Handle(err)
+ return "", err
+ }
+ return
+}
+//-
+
+//+ Go Error_Handling-IO
+func IOError(r io.Reader, buf []byte, processor Processor,
+ handler ErrorHandler) (message string, err error) {
+ n, err := r.Read(buf)
+ // First check for available data.
+ if n > 0 {
+ message, err = processor.Process(buf[0:n])
+ // Regular error handling.
+ if err != nil {
+ handler.Handle(err)
+ return "", err
+ }
+ }
+ // Then handle any error.
+ if err != nil {
+ handler.Handle(err)
+ return "", err
+ }
+ return
+}
+//-
+
+func main() {
+}
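Review bot: In `IOError`, the assignment `message, err = processor.Process(buf[0:n])` overwrites the error returned by `r.Read`, so when `n > 0` and `Process` succeeds the final `if err != nil` check sees `nil` and a read error that arrived together with the data is silently dropped; only the `n == 0` path ever reaches the second `handler.Handle` call. When that path does run with `io.EOF`, a normal end of stream (which the `io.Reader` contract allows to accompany data) is passed to the handler and returned as an error. Keep the read error in its own variable, e.g. `n, rerr := r.Read(buf)`, and after processing test `if rerr != nil && rerr != io.EOF {` before handing it to the handler, or state explicitly that callers should expect `io.EOF` through the handler.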
diff --git a/defensive-coding/src/src.mk b/defensive-coding/src/src.mk
index d47fc09..18bd592 100644
--- a/defensive-coding/src/src.mk
+++ b/defensive-coding/src/src.mk
@@ -2,10 +2,12 @@
CC = gcc
CXX = g++
+GCCGO = gccgo
CWARNFLAGS = -Wall -W -Wno-unused-parameter -Werror=implicit-function-declaration
CXXWARNFLAGS = -Wall -W
CFLAGS = -std=gnu99 -O2 $(CWARNFLAGS) -g
CXXFLAGS = -std=c++03 -O2 $(CXXWARNFLAGS) -g
+GOFLAGS = -O2 -Wall -W
LDFLAGS = -g
# List files which should only be compiled for syntax checking.
@@ -41,6 +43,7 @@ compile_and_link += XML-Parser-Expat
LIBS_XML-Parser-Expat = -lexpat
compile_and_link += XML-Parser-Qt
LIBS_XML-Parser-Qt = -lQtCore -lQtXml
+compile_and_link += Go-Error_Handling
# Define preprocessor symbols if certain functions exist.
CHECK_FUNCTION = crypto/X509_check_host/-DHAVE_X509_CHECK_HOST \
@@ -68,6 +71,9 @@ src/%.class: src/%.java
src/%: src/%.o
$(CXX) $(LDFLAGS) $^ -o $@ $(LIBS_$(notdir $@))
+src/%: src/%.go
+ $(GCCGO) $(GOFLAGS) $(LDFLAGS) -o $@ $^
+
src/TLS-Client-GNUTLS: src/tcp_connect.o
src/TLS-Client-OpenSSL: src/tcp_connect.o src/x509_check_host.o
src/TLS-Client-NSS: src/tcp_connect.o
9 years, 11 months
[Secure Coding] master: Starting new guide for Securing TLS (7ada5ed)
by Eric Christensen
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit 7ada5ed0d763a0756e2646812f752803b2af553d
Author: Eric Christensen <echriste(a)redhat.com>
Date: Wed May 28 10:59:23 2014 -0400
Starting new guide for Securing TLS
>---------------------------------------------------------------
Diff suppressed because of size. To see it, use:
git diff --patch-with-stat --no-color --find-copies-harder --ignore-space-at-eol ^7ada5ed0d763a0756e2646812f752803b2af553d~1 7ada5ed0d763a0756e2646812f752803b2af553d

[Secure Coding] master: Add chapter on Go (13faeec)
by fweimer@fedoraproject.org
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit 13faeec63da544dd64c453a5fd810f7b6d758dbd
Author: Florian Weimer <fweimer(a)redhat.com>
Date: Mon May 26 14:58:01 2014 +0200
Add chapter on Go
>---------------------------------------------------------------
defensive-coding/Makefile | 2 +-
defensive-coding/en-US/Defensive_Coding.xml | 1 +
defensive-coding/en-US/Go.xml | 90 +++++++++++++++++++++++++++
defensive-coding/src/.gitignore | 1 +
defensive-coding/src/Go-Error_Handling.go | 48 ++++++++++++++
defensive-coding/src/src.mk | 6 ++
6 files changed, 147 insertions(+), 1 deletions(-)
diff --git a/defensive-coding/Makefile b/defensive-coding/Makefile
index 6220afc..2090dad 100644
--- a/defensive-coding/Makefile
+++ b/defensive-coding/Makefile
@@ -9,7 +9,7 @@ build: build-src build-manual
build-snippets:
mkdir -p en-US/snippets
python scripts/split-snippets.py . \
- src/*.c src/*.cpp src/*.java src/*.py
+ src/*.c src/*.cpp src/*.java src/*.py src/*.go
build-manual: build-snippets
publican build --formats=html,epub,pdf --langs=en-US
diff --git a/defensive-coding/en-US/Defensive_Coding.xml b/defensive-coding/en-US/Defensive_Coding.xml
index a9baeb3..ee96c8d 100644
--- a/defensive-coding/en-US/Defensive_Coding.xml
+++ b/defensive-coding/en-US/Defensive_Coding.xml
@@ -8,6 +8,7 @@
<xi:include href="CXX.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="Java.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="Python.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+ <xi:include href="Go.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="Vala.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
</part>
<part>
diff --git a/defensive-coding/en-US/Go.xml b/defensive-coding/en-US/Go.xml
new file mode 100644
index 0000000..0e44d5e
--- /dev/null
+++ b/defensive-coding/en-US/Go.xml
@@ -0,0 +1,90 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="chap-Defensive_Coding-Go">
+<title>The Go Programming Language</title>
+<para>
+ This chapter contains language-specific recommendations for Go.
+</para>
+<section id="chap-Defensive_Coding-Go-Memory_Safety">
+ <title>Memory safety</title>
+ <para>
+ Go provides memory safety, but only if the program is not executed
+ in parallel (that is, <envar>GOMAXPROCS</envar> is not larger than
+ <literal>1</literal>). The reason is that interface values and
+ slices consist of multiple words are not updated atomically.
+ Another thread of execution can observe an inconsistent pairing
+ between type information and stored value (for interfaces) or
+ pointer and length (for slices), and such inconsistency can lead
+ to a memory safety violation.
+ </para>
+ <para>
+ Code which does not run in parallel and does not use the
+ <literal>unsafe</literal> package (or other packages which expose
+ unsafe constructs) is memory-safe. For example, invalid casts and
+ out-of-range subscripting cause panics and run time.
+ </para>
+ <para>
+ Keep in mind that finalization can introduce parallelism because
+ finalizers are executed concurrently, potentially interleaved with
+ the rest of the program.
+ </para>
+</section>
+<section id="chap-Defensive_Coding-Go-Error_Handling">
+ <title>Error handling</title>
+ <para>
+ Only a few common operations (such as pointer dereference, integer
+ division, array subscripting) trigger exceptions in Go, called
+ <emphasis>panics</emphasis>. Most interfaces in the standard
+ library use a separate return value of type
+ <literal>error</literal> to signal error.
+ </para>
+ <para>
+ Not checking error return values can lead to incorrect operation
+ and data loss (especially in the case of writes, using interfaces
+ such as <literal>io.Writer</literal>).
+ </para>
+ <para>
+ The correct way to check error return values depends on the
+ function or method being called. In the majority of cases, the
+ first step after calling a function should be an error check
+ against the <literal>nil</literal> value, handling any encountered
+ error. See <xref
+ linkend="ex-Defensive_Coding-Go-Error_Handling-Regular"/> for
+ details.
+ </para>
+ <example id="ex-Defensive_Coding-Go-Error_Handling-Regular">
+ <title>Regular error handling in Go</title>
+ <xi:include href="snippets/Go-Error_Handling-Regular.xml"
+ xmlns:xi="http://www.w3.org/2001/XInclude" />
+ </example>
+ <para>
+ However, with <literal>io.Reader</literal>,
+ <literal>io.ReaderAt</literal> and related interfaces, it is
+ necessary to check for a non-zero number of read bytes first, as
+ shown in <xref
+ linkend="ex-Defensive_Coding-Go-Error_Handling-IO"/>. If this
+ pattern is not followed, data loss may occur. This is due to the
+ fact that the <literal>io.Reader</literal> interface permits
+ returning both data and an error at the same time.
+ </para>
+ <example id="ex-Defensive_Coding-Go-Error_Handling-IO">
+ <title>Read error handling in Go</title>
+ <xi:include href="snippets/Go-Error_Handling-IO.xml"
+ xmlns:xi="http://www.w3.org/2001/XInclude" />
+ </example>
+</section>
+<section id="chap-Defensive_Coding-Go-Garbage_Collector">
+ <title>Garbage Collector</title>
+ <para>
+ Older Go releases (before Go 1.3) use a conservative garbage
+ collector without blacklisting. This means that data blobs can
+ cause retention of unrelated data structures because the data is
+ conservatively interpreted as pointers. This phenomenon can be
+ triggered accidentally on 32-bit architectures and is more likely
+ to occur if the heap grows larger. On 64-bit architectures, it
+ may be possible to trigger it deliberately—it is unlikely to occur
+ spontaneously.
+ </para>
+</section>
+</chapter>
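Review bot: Two wording slips in the Memory safety section: "interface values and slices consist of multiple words are not updated atomically" is missing an "and" before "are not", and "cause panics and run time" should read "cause panics at run time". Separately, the three `<section>` elements reuse the `chap-` id prefix (`chap-Defensive_Coding-Go-Memory_Safety` and so on) while sections elsewhere in the guide use `sect-` (see `sect-Defensive_Coding-Tasks-Packaging-Certificates` and `sect-Defensive_Coding-C-Use-After-Free` in the other commits on this page); switching to `sect-` keeps cross-references predictable.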
diff --git a/defensive-coding/src/.gitignore b/defensive-coding/src/.gitignore
index 4adbfe5..335a122 100644
--- a/defensive-coding/src/.gitignore
+++ b/defensive-coding/src/.gitignore
@@ -4,5 +4,6 @@
/TLS-Client-OpenSSL
/XML-Parser-Expat
/XML-Parser-Qt
+/Go-Error_Handling
*.class
*.o
diff --git a/defensive-coding/src/Go-Error_Handling.go b/defensive-coding/src/Go-Error_Handling.go
new file mode 100644
index 0000000..d546018
--- /dev/null
+++ b/defensive-coding/src/Go-Error_Handling.go
@@ -0,0 +1,48 @@
+package main
+
+import "io"
+
+//+ Go Error_Handling-Regular
+type Processor interface {
+ Process(buf []byte) (message string, err error)
+}
+
+type ErrorHandler interface {
+ Handle(err error)
+}
+
+func RegularError(buf []byte, processor Processor,
+ handler ErrorHandler) (message string, err error) {
+ message, err = processor.Process(buf)
+ if err != nil {
+ handler.Handle(err)
+ return "", err
+ }
+ return
+}
+//-
+
+//+ Go Error_Handling-IO
+func IOError(r io.Reader, buf []byte, processor Processor,
+ handler ErrorHandler) (message string, err error) {
+ n, err := r.Read(buf)
+ // First check for available data.
+ if n > 0 {
+ message, err = processor.Process(buf[0:n])
+ // Regular error handling.
+ if err != nil {
+ handler.Handle(err)
+ return "", err
+ }
+ }
+ // Then handle any error.
+ if err != nil {
+ handler.Handle(err)
+ return "", err
+ }
+ return
+}
+//-
+
+func main() {
+}
diff --git a/defensive-coding/src/src.mk b/defensive-coding/src/src.mk
index d47fc09..18bd592 100644
--- a/defensive-coding/src/src.mk
+++ b/defensive-coding/src/src.mk
@@ -2,10 +2,12 @@
CC = gcc
CXX = g++
+GCCGO = gccgo
CWARNFLAGS = -Wall -W -Wno-unused-parameter -Werror=implicit-function-declaration
CXXWARNFLAGS = -Wall -W
CFLAGS = -std=gnu99 -O2 $(CWARNFLAGS) -g
CXXFLAGS = -std=c++03 -O2 $(CXXWARNFLAGS) -g
+GOFLAGS = -O2 -Wall -W
LDFLAGS = -g
# List files which should only be compiled for syntax checking.
@@ -41,6 +43,7 @@ compile_and_link += XML-Parser-Expat
LIBS_XML-Parser-Expat = -lexpat
compile_and_link += XML-Parser-Qt
LIBS_XML-Parser-Qt = -lQtCore -lQtXml
+compile_and_link += Go-Error_Handling
# Define preprocessor symbols if certain functions exist.
CHECK_FUNCTION = crypto/X509_check_host/-DHAVE_X509_CHECK_HOST \
@@ -68,6 +71,9 @@ src/%.class: src/%.java
src/%: src/%.o
$(CXX) $(LDFLAGS) $^ -o $@ $(LIBS_$(notdir $@))
+src/%: src/%.go
+ $(GCCGO) $(GOFLAGS) $(LDFLAGS) -o $@ $^
+
src/TLS-Client-GNUTLS: src/tcp_connect.o
src/TLS-Client-OpenSSL: src/tcp_connect.o src/x509_check_host.o
src/TLS-Client-NSS: src/tcp_connect.o
[Secure Coding] master: Add a short chapter on Vala (2988ebd)
by fweimer@fedoraproject.org
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit 2988ebd27e73444ca8b9c197fa35e8be7e92a620
Author: Florian Weimer <fweimer(a)redhat.com>
Date: Mon May 26 11:46:16 2014 +0200
Add a short chapter on Vala
>---------------------------------------------------------------
defensive-coding/en-US/Defensive_Coding.xml | 1 +
defensive-coding/en-US/Vala.xml | 53 +++++++++++++++++++++++++++
2 files changed, 54 insertions(+), 0 deletions(-)
diff --git a/defensive-coding/en-US/Defensive_Coding.xml b/defensive-coding/en-US/Defensive_Coding.xml
index 7ca3f46..a9baeb3 100644
--- a/defensive-coding/en-US/Defensive_Coding.xml
+++ b/defensive-coding/en-US/Defensive_Coding.xml
@@ -8,6 +8,7 @@
<xi:include href="CXX.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="Java.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="Python.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+ <xi:include href="Vala.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
</part>
<part>
<title>Specific Programming Tasks</title>
diff --git a/defensive-coding/en-US/Vala.xml b/defensive-coding/en-US/Vala.xml
new file mode 100644
index 0000000..3dea943
--- /dev/null
+++ b/defensive-coding/en-US/Vala.xml
@@ -0,0 +1,53 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="chap-Defensive_Coding-Vala">
+<title>The Vala Programming Language</title>
+<para>
+ Vala is a programming language mainly targeted at GNOME developers.
+</para>
+<para>
+ Its syntax is inspired by C# (and thus, indirectly, by Java). But
+ unlike C# and Java, Vala does not attempt to provide memory safety:
+ Vala is compiled to C, and the C code is compiled with GCC using
+ typical compiler flags. Basic operations like integer arithmetic
+ are directly mapped to C constructs. As a results, the
+ recommendations in <xref linkend="chap-Defensive_Coding-C"/> apply.
+</para>
+<para>
+ In particular, the following Vala language constructs can result in
+ undefined behavior at run time:
+</para>
+<itemizedlist>
+ <listitem>
+ <para>
+ Integer arithmetic, as described in <xref
+ linkend="sect-Defensive_Coding-C-Arithmetic"/>.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Pointer arithmetic, string subscripting and the
+ <literal>substring</literal> method on strings (the
+ <literal>string</literal> class in the
+ <literal>glib-2.0</literal> package) are not range-checked. It
+ is the responsibility of the calling code to ensure that the
+ arguments being passed are valid. This applies even to cases
+ (like <literal>substring</literal>) where the implementation
+ would have range information to check the validity of indexes.
+ See <xref linkend="sect-Defensive_Coding-C-Pointers"/>.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Similarly, Vala only performs garbage collection (through
+ reference counting) for <literal>GObject</literal> values. For
+ plain C pointers (such as strings), the programmer has to ensure
+ that storage is deallocated once it is no longer needed (to
+ avoid memory leaks), and that storage is not being deallocated
+ while it is still being used (see <xref
+ linkend="sect-Defensive_Coding-C-Use-After-Free"/>).
+ </para>
+ </listitem>
+</itemizedlist>
+</chapter>
[Secure Coding] master: sect-Defensive_Coding-C-Use-After-Free: New section ID (199b3ed)
by fweimer@fedoraproject.org
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit 199b3edb08f9ff5531dba1910e6a3d76e56c5006
Author: Florian Weimer <fweimer(a)redhat.com>
Date: Mon May 26 11:33:41 2014 +0200
sect-Defensive_Coding-C-Use-After-Free: New section ID
>---------------------------------------------------------------
defensive-coding/en-US/C-Allocators.xml | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/defensive-coding/en-US/C-Allocators.xml b/defensive-coding/en-US/C-Allocators.xml
index 58c89ee..87d2682 100644
--- a/defensive-coding/en-US/C-Allocators.xml
+++ b/defensive-coding/en-US/C-Allocators.xml
@@ -29,7 +29,7 @@
realloc(ptr, size);</literal> is wrong because the memory
pointed to by <literal>ptr</literal> leaks in case of an error.
</para>
- <section>
+ <section id="sect-Defensive_Coding-C-Use-After-Free">
<title>Use-after-free errors</title>
<para>
After <function>free</function>, the pointer is invalid.