OpenSSL file transfer failed

This commit is contained in:
Gerhard Rieger 2021-01-10 13:32:27 +01:00
parent 4124e733c6
commit 6b9736472c
5 changed files with 325 additions and 6 deletions

10
CHANGES
View file

@ -4,6 +4,16 @@ Corrections:
Thanks to Wang Mingyu and others for sending a patch or reporting this Thanks to Wang Mingyu and others for sending a patch or reporting this
issue. issue.
Under certain conditions OpenSSL stream connections, in particular bulk
data transfer in unidirectional mode, failed during transfer or near
its with Connection reset by peer on receiver side.
This happened with Socat versions 1.7.3.3 to 1.7.4.0. Reasons were
lazy SSL shutdown handling on the sender side in combination with
SSL_MODE_AUTO_RETRY turned off.
Fix: After SSH_shutdown but before socket shutdown call SSL_read()
Test: OPENSSL_STREAM_TO_SERVER
Fixes Red Hat issue 1870279.
####################### V 1.7.4.0: ####################### V 1.7.4.0:
Security: Security:

298
test.sh
View file

@ -45,6 +45,7 @@ case "X$val_t" in
esac esac
MICROS=${S}${uS} MICROS=${S}${uS}
MICROS=${MICROS##0000}; MICROS=${MICROS##00}; MICROS=${MICROS##0} MICROS=${MICROS##0000}; MICROS=${MICROS##00}; MICROS=${MICROS##0}
#echo MICROS=$MICROS >&2
# #
_MICROS=$((MICROS+999999)); SECONDs="${_MICROS%??????}" _MICROS=$((MICROS+999999)); SECONDs="${_MICROS%??????}"
[ -z "$SECONDs" ] && SECONDs=0 [ -z "$SECONDs" ] && SECONDs=0
@ -4437,11 +4438,12 @@ TESTADDR=$(eval echo $TESTTMPL)
PEERADDR=$(eval echo $PEERTMPL) PEERADDR=$(eval echo $PEERTMPL)
WAITCMD=$(eval echo $WAITTMPL) WAITCMD=$(eval echo $WAITTMPL)
TESTKEYW=${TESTADDR%%:*} TESTKEYW=${TESTADDR%%:*}
feat=$(tolower $FEAT)
# does our address implementation support halfclose? # does our address implementation support halfclose?
NAME=${NAMEKEYW}_HALFCLOSE NAME=${NAMEKEYW}_HALFCLOSE
case "$TESTS" in case "$TESTS" in
*%$N%*|*%functions%*|*%$FEAT%*|*%socket%*|*%halfclose%*|*%$NAME%*) *%$N%*|*%functions%*|*%$feat%*|*%socket%*|*%halfclose%*|*%$NAME%*)
TEST="$NAME: $TESTKEYW half close" TEST="$NAME: $TESTKEYW half close"
# have a "peer" socat "peer" that executes "$OD_C" and see if EOF on the # have a "peer" socat "peer" that executes "$OD_C" and see if EOF on the
# connecting socat brings the result of od # connecting socat brings the result of od
@ -5241,7 +5243,7 @@ TEST="$NAME: for bug with address options on both stdin/out in unidirectional mo
if ! eval $NUMCOND; then :; else if ! eval $NUMCOND; then :; else
tf="$td/test$N.stdout" tf="$td/test$N.stdout"
te="$td/test$N.stderr" te="$td/test$N.stderr"
ff="$td/file$N" ff="$td/test$N.file"
printf "test $F_n $TEST... " $N printf "test $F_n $TEST... " $N
>"$ff" >"$ff"
#$TRACE $SOCAT $opts -u /dev/null -,setlk <"$ff" 2>"$te" #$TRACE $SOCAT $opts -u /dev/null -,setlk <"$ff" 2>"$te"
@ -14672,6 +14674,297 @@ PORT=$((PORT+1))
N=$((N+1)) N=$((N+1))
# File transfer with OpenSSL stream connection was incomplete
# Test file transfer from client to server
NAME=OPENSSL_STREAM_TO_SERVER
case "$TESTS" in
*%$N%*|*%functions%*|*%bugs%*|*%openssl%*|*%tcp%*|*%socket%*|*%$NAME%*)
TEST="$NAME: OpenSSL stream from client to server"
# Start a unidirectional OpenSSL server and stream receiver
# Start a unidirectional OpenSSL client that connects to the server and sends
# data
# Test succeeded when the data received and stored by server is the same as
# sent by the client
if ! eval $NUMCOND; then :;
elif ! a=$(testfeats ip4 tcp openssl); then
$PRINTF "test $F_n $TEST... ${YELLOW}$a not available${NORMAL}\n" $N
numCANT=$((numCANT+1))
listCANT="$listCANT $N"
elif ! a=$(testaddrs openssl-listen openssl-connect); then
$PRINTF "test $F_n $TEST... ${YELLOW}$a not available${NORMAL}\n" $N
numCANT=$((numCANT+1))
listCANT="$listCANT $N"
elif ! runsip4 >/dev/null; then
$PRINTF "test $F_n $TEST... ${YELLOW}IPv4 not available${NORMAL}\n" $N
numCANT=$((numCANT+1))
listCANT="$listCANT $N"
else
gentestcert testsrv
ti="$td/test$N.datain"
to="$td/test$N.dataout"
te="$td/test$N.stderr"
tdiff="$td/test$N.diff"
da="test$N $(date) $RANDOM"
CMD0="$TRACE $SOCAT $opts -u OPENSSL-LISTEN:$PORT,$REUSEADDR,cert=testsrv.pem,verify=0 CREAT:$to"
CMD1="$TRACE $SOCAT $opts -u OPEN:$ti OPENSSL-CONNECT:$LOCALHOST:$PORT,cafile=testsrv.crt"
printf "test $F_n $TEST... " $N
i=0; while [ $i -lt 100000 ]; do printf "%9u %9u %9u %9u %9u %9u %9u %9u %9u %9u\n" $i $i $i $i $i $i $i $i $i $i; let i+=100; done >$ti
$CMD0 >/dev/null 2>"${te}0" &
pid0=$!
waittcp4port $PORT 1
$CMD1 >"${tf}1" 2>"${te}1"
rc1=$?
usleep $MICROS
kill $pid0 2>/dev/null; wait
if [ $rc1 -ne 0 ]; then
$PRINTF "$FAILED\n"
echo "$CMD0 &" >&2
cat "${te}0" >&2
echo "$CMD1" >&2
cat "${te}1" >&2
numFAIL=$((numFAIL+1))
listFAIL="$listFAIL $N"
elif diff $ti $to >$tdiff; then
$PRINTF "$OK\n"
numOK=$((numOK+1))
else
$PRINTF "$FAILED\n"
echo "$CMD0 &" >&2
cat "${te}0" >&2
echo "$CMD1" >&2
cat "${te}1" >&2
echo "diff:" >&2
head -n 2 $tdiff >&2
echo ... >&2
numFAIL=$((numFAIL+1))
listFAIL="$listFAIL $N"
fi
fi # NUMCOND
;;
esac
PORT=$((PORT+1))
N=$((N+1))
# File transfer with OpenSSL stream connection was incomplete
# Test file transfer from server to client
NAME=OPENSSL_STREAM_TO_CLIENT
case "$TESTS" in
*%$N%*|*%functions%*|*%bugs%*|*%openssl%*|*%tcp%*|*%socket%*|*%$NAME%*)
TEST="$NAME: OpenSSL stream from server to client"
# Start a unidirectional OpenSSL server and stream sender
# Start a unidirectional OpenSSL client that connects to the server and receives
# data
# Test succeeded when the data received and stored by client is the same as
# sent by the server
if ! eval $NUMCOND; then :;
elif ! a=$(testfeats ip4 tcp openssl); then
$PRINTF "test $F_n $TEST... ${YELLOW}$a not available${NORMAL}\n" $N
numCANT=$((numCANT+1))
listCANT="$listCANT $N"
elif ! a=$(testaddrs openssl-listen openssl-connect); then
$PRINTF "test $F_n $TEST... ${YELLOW}$a not available${NORMAL}\n" $N
numCANT=$((numCANT+1))
listCANT="$listCANT $N"
elif ! runsip4 >/dev/null; then
$PRINTF "test $F_n $TEST... ${YELLOW}IPv4 not available${NORMAL}\n" $N
numCANT=$((numCANT+1))
listCANT="$listCANT $N"
else
gentestcert testsrv
ti="$td/test$N.datain"
to="$td/test$N.dataout"
te="$td/test$N.stderr"
tdiff="$td/test$N.diff"
da="test$N $(date) $RANDOM"
CMD0="$TRACE $SOCAT $opts -U OPENSSL-LISTEN:$PORT,$REUSEADDR,cert=testsrv.pem,verify=0 OPEN:$ti"
CMD1="$TRACE $SOCAT $opts -u OPENSSL-CONNECT:$LOCALHOST:$PORT,cafile=testsrv.crt CREAT:$to"
printf "test $F_n $TEST... " $N
i=0; while [ $i -lt 100000 ]; do printf "%9u %9u %9u %9u %9u %9u %9u %9u %9u %9u\n" $i $i $i $i $i $i $i $i $i $i; let i+=100; done >$ti
$CMD0 >/dev/null 2>"${te}0" &
pid0=$!
waittcp4port $PORT 1
$CMD1 >"${tf}1" 2>"${te}1"
rc1=$?
usleep $MICROS
kill $pid0 2>/dev/null; wait
if [ $rc1 -ne 0 ]; then
$PRINTF "$FAILED\n"
echo "$CMD0 &" >&2
cat "${te}0" >&2
echo "$CMD1" >&2
cat "${te}1" >&2
numFAIL=$((numFAIL+1))
listFAIL="$listFAIL $N"
elif diff $ti $to >$tdiff; then
$PRINTF "$OK\n"
numOK=$((numOK+1))
else
$PRINTF "$FAILED\n"
echo "$CMD0 &" >&2
cat "${te}0" >&2
echo "$CMD1" >&2
cat "${te}1" >&2
echo "diff:" >&2
head -n 2 $tdiff >&2
echo ... >&2
numFAIL=$((numFAIL+1))
listFAIL="$listFAIL $N"
fi
fi # NUMCOND
;;
esac
PORT=$((PORT+1))
N=$((N+1))
# Test file transfer from client to server using DTLS
NAME=OPENSSL_DTLS_TO_SERVER
case "$TESTS" in
*%$N%*|*%functions%*|*%bugs%*|*%openssl%*|*%dtls%*|*%udp%*|*%socket%*|*%$NAME%*)
TEST="$NAME: OpenSSL DTLS transfer from client to server"
# Start a unidirectional OpenSSL DTLS server/receiver
# Start a unidirectional OpenSSL DTLS client that connects to the server and
# sends data
# Test succeeded when the data received and stored by server is the same as
# sent by the client
if ! eval $NUMCOND; then :;
elif ! a=$(testfeats ip4 udp openssl); then
$PRINTF "test $F_n $TEST... ${YELLOW}$a not available${NORMAL}\n" $N
numCANT=$((numCANT+1))
listCANT="$listCANT $N"
elif ! a=$(testaddrs openssl-dtls-listen openssl-dtls-connect); then
$PRINTF "test $F_n $TEST... ${YELLOW}$a not available${NORMAL}\n" $N
numCANT=$((numCANT+1))
listCANT="$listCANT $N"
elif ! runsip4 >/dev/null; then
$PRINTF "test $F_n $TEST... ${YELLOW}IPv4 not available${NORMAL}\n" $N
numCANT=$((numCANT+1))
listCANT="$listCANT $N"
elif [[ $(openssl version |awk '{print($2);}') =~ 0.9.8[a-c] ]]; then
$PRINTF "test $F_n $TEST... ${YELLOW}openssl s_client might hang${NORMAL}\n" $N
numCANT=$((numCANT+1))
listCANT="$listCANT $N"
else
gentestcert testsrv
ti="$td/test$N.datain"
to="$td/test$N.dataout"
te="$td/test$N.stderr"
tdiff="$td/test$N.diff"
da="test$N $(date) $RANDOM"
CMD0="$TRACE $SOCAT $opts -u OPENSSL-DTLS-LISTEN:$PORT,cert=testsrv.pem,verify=0 CREAT:$to"
CMD1="$TRACE $SOCAT $opts -u OPEN:$ti OPENSSL-DTLS-CONNECT:$LOCALHOST:$PORT,cafile=testsrv.crt"
printf "test $F_n $TEST... " $N
i=0; while [ $i -lt 100000 ]; do printf "%9u %9u %9u %9u %9u %9u %9u %9u %9u %9u\n" $i $i $i $i $i $i $i $i $i $i; let i+=100; done >$ti
$CMD0 >/dev/null 2>"${te}0" &
pid0=$!
waitudp4port $PORT 1
$CMD1 >"${tf}1" 2>"${te}1"
rc1=$?
usleep $MICROS
kill $pid0 2>/dev/null; wait
if [ $rc1 -ne 0 ]; then
$PRINTF "$FAILED\n"
echo "$CMD0 &" >&2
cat "${te}0" >&2
echo "$CMD1" >&2
cat "${te}1" >&2
numFAIL=$((numFAIL+1))
listFAIL="$listFAIL $N"
elif diff $ti $to >$tdiff; then
$PRINTF "$OK\n"
numOK=$((numOK+1))
else
$PRINTF "$FAILED\n"
echo "$CMD0 &" >&2
cat "${te}0" >&2
echo "$CMD1" >&2
cat "${te}1" >&2
echo "diff:" >&2
head -n 2 $tdiff >&2
echo ... >&2
numFAIL=$((numFAIL+1))
listFAIL="$listFAIL $N"
fi
fi # NUMCOND
;;
esac
PORT=$((PORT+1))
N=$((N+1))
# Test file transfer from server to client using DTLS
NAME=OPENSSL_DTLS_TO_CLIENT
case "$TESTS" in
*%$N%*|*%functions%*|*%bugs%*|*%openssl%*|*%dtls%*|*%udp%*|*%socket%*|*%$NAME%*)
TEST="$NAME: OpenSSL DTLS transfer from server to client"
# Start a unidirectional OpenSSL DTLS server/sender
# Start a unidirectional OpenSSL DTLS client that connects to the server and
# receives data
# Test succeeded when the data received and stored by client is the same as
# sent by the server
if ! eval $NUMCOND; then :;
elif ! a=$(testfeats ip4 udp openssl); then
$PRINTF "test $F_n $TEST... ${YELLOW}$a not available${NORMAL}\n" $N
numCANT=$((numCANT+1))
listCANT="$listCANT $N"
elif ! a=$(testaddrs openssl-dtls-listen openssl-dtls-connect); then
$PRINTF "test $F_n $TEST... ${YELLOW}$a not available${NORMAL}\n" $N
numCANT=$((numCANT+1))
listCANT="$listCANT $N"
elif ! runsip4 >/dev/null; then
$PRINTF "test $F_n $TEST... ${YELLOW}IPv4 not available${NORMAL}\n" $N
numCANT=$((numCANT+1))
listCANT="$listCANT $N"
elif [[ $(openssl version |awk '{print($2);}') =~ 0.9.8[a-c] ]]; then
$PRINTF "test $F_n $TEST... ${YELLOW}openssl s_client might hang${NORMAL}\n" $N
numCANT=$((numCANT+1))
listCANT="$listCANT $N"
else
gentestcert testsrv
ti="$td/test$N.datain"
to="$td/test$N.dataout"
te="$td/test$N.stderr"
tdiff="$td/test$N.diff"
da="test$N $(date) $RANDOM"
CMD0="$TRACE $SOCAT $opts -U OPENSSL-DTLS-LISTEN:$PORT,cert=testsrv.pem,verify=0 OPEN:$ti"
CMD1="$TRACE $SOCAT $opts -u OPENSSL-DTLS-CONNECT:$LOCALHOST:$PORT,cafile=testsrv.crt CREAT:$to"
printf "test $F_n $TEST... " $N
i=0; while [ $i -lt 100000 ]; do printf "%9u %9u %9u %9u %9u %9u %9u %9u %9u %9u\n" $i $i $i $i $i $i $i $i $i $i; let i+=100; done >$ti
$CMD0 >/dev/null 2>"${te}0" &
pid0=$!
waitudp4port $PORT 1
$CMD1 >"${tf}1" 2>"${te}1"
rc1=$?
usleep $MICROS
kill $pid0 2>/dev/null; wait
if [ $rc1 -ne 0 ]; then
$PRINTF "$FAILED\n"
echo "$CMD0 &" >&2
cat "${te}0" >&2
echo "$CMD1" >&2
cat "${te}1" >&2
numFAIL=$((numFAIL+1))
listFAIL="$listFAIL $N"
elif diff $ti $to >$tdiff; then
$PRINTF "$OK\n"
numOK=$((numOK+1))
else
$PRINTF "$FAILED\n"
echo "$CMD0 &" >&2
cat "${te}0" >&2
echo "$CMD1" >&2
cat "${te}1" >&2
echo "diff:" >&2
head -n 2 $tdiff >&2
echo ... >&2
numFAIL=$((numFAIL+1))
listFAIL="$listFAIL $N"
fi
fi # NUMCOND
;;
esac
PORT=$((PORT+1))
N=$((N+1))
################################################################################## ##################################################################################
#================================================================================= #=================================================================================
# here come tests that might affect your systems integrity. Put normal tests # here come tests that might affect your systems integrity. Put normal tests
@ -14768,6 +15061,7 @@ wait
exit exit
#==============================================================================
# test template # test template
# give a description of what is tested (a bugfix, a new feature...) # give a description of what is tested (a bugfix, a new feature...)

View file

@ -1303,7 +1303,7 @@ cont_out:
mode = SSL_CTX_get_mode(ctx); mode = SSL_CTX_get_mode(ctx);
if (mode & SSL_MODE_AUTO_RETRY) { if (mode & SSL_MODE_AUTO_RETRY) {
Info("SSL_CTX mode has SSL_MODE_AUTO_RETRY set. Correcting.."); Info("SSL_CTX mode has SSL_MODE_AUTO_RETRY set. Correcting..");
Debug1("SSL_CTX_clean_mode(%p, SSL_MODE_AUTO_RETRY)", ctx); Debug1("SSL_CTX_clear_mode(%p, SSL_MODE_AUTO_RETRY)", ctx);
SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);
} }
} }
@ -2023,5 +2023,19 @@ ssize_t xiowrite_openssl(struct single *pipe, const void *buff, size_t bufsiz) {
return ret; return ret;
} }
int xioshutdown_openssl(struct single *sfd, int how)
{
int rc;
if ((rc = sycSSL_shutdown(sfd->para.openssl.ssl)) < 0) {
Warn1("xioshutdown_openssl(): SSL_shutdown() -> %d", rc);
}
if (sfd->tag == XIO_TAG_WRONLY) {
char buff[1];
/* give peer time to read all data before closing socket */
xioread_openssl(sfd, buff, 1);
}
return 0;
}
#endif /* WITH_OPENSSL */ #endif /* WITH_OPENSSL */

View file

@ -51,7 +51,7 @@ extern int
const char *opt_commonname, const char *opt_commonname,
SSL_CTX *ctx, int level); SSL_CTX *ctx, int level);
extern int xioclose_openssl(xiofile_t *xfd); extern int xioclose_openssl(xiofile_t *xfd);
extern int xioshutdown_openssl(xiofile_t *xfd, int how); extern int xioshutdown_openssl(struct single *sfd, int how);
extern ssize_t xioread_openssl(struct single *file, void *buff, size_t bufsiz); extern ssize_t xioread_openssl(struct single *file, void *buff, size_t bufsiz);
extern ssize_t xiopending_openssl(struct single *pipe); extern ssize_t xiopending_openssl(struct single *pipe);
extern ssize_t xiowrite_openssl(struct single *file, const void *buff, size_t bufsiz); extern ssize_t xiowrite_openssl(struct single *file, const void *buff, size_t bufsiz);

View file

@ -8,6 +8,8 @@
#include "xiosysincludes.h" #include "xiosysincludes.h"
#include "xioopen.h" #include "xioopen.h"
#include "xio-openssl.h"
static pid_t socat_kill_pid; /* here we pass the pid to be killed in sighandler */ static pid_t socat_kill_pid; /* here we pass the pid to be killed in sighandler */
static void signal_kill_pid(int dummy) { static void signal_kill_pid(int dummy) {
@ -68,8 +70,7 @@ int xioshutdown(xiofile_t *sock, int how) {
; ;
#if WITH_OPENSSL #if WITH_OPENSSL
} else if ((sock->stream.dtype & XIODATA_MASK) == XIODATA_OPENSSL) { } else if ((sock->stream.dtype & XIODATA_MASK) == XIODATA_OPENSSL) {
sycSSL_shutdown (sock->stream.para.openssl.ssl); xioshutdown_openssl(&sock->stream, how);
/*! what about half/full close? */
#endif /* WITH_OPENSSL */ #endif /* WITH_OPENSSL */
} else if ((sock->stream.dtype & XIODATA_MASK) == XIODATA_PIPE) { } else if ((sock->stream.dtype & XIODATA_MASK) == XIODATA_PIPE) {