OpenSSL file transfer failed
parent
4124e733c6
commit
6b9736472c
5 changed files with 325 additions and 6 deletions
10
CHANGES
10
CHANGES
|
@ -4,6 +4,16 @@ Corrections:
|
|||
Thanks to Wang Mingyu and others for sending a patch or reporting this
|
||||
issue.
|
||||
|
||||
Under certain conditions OpenSSL stream connections, in particular bulk
|
||||
data transfer in unidirectional mode, failed during transfer or near
|
||||
its with Connection reset by peer on receiver side.
|
||||
This happened with Socat versions 1.7.3.3 to 1.7.4.0. Reasons were
|
||||
lazy SSL shutdown handling on the sender side in combination with
|
||||
SSL_MODE_AUTO_RETRY turned off.
|
||||
Fix: After SSH_shutdown but before socket shutdown call SSL_read()
|
||||
Test: OPENSSL_STREAM_TO_SERVER
|
||||
Fixes Red Hat issue 1870279.
|
||||
|
||||
####################### V 1.7.4.0:
|
||||
|
||||
Security:
|
||||
|
|
298
test.sh
298
test.sh
|
@ -45,6 +45,7 @@ case "X$val_t" in
|
|||
esac
|
||||
MICROS=${S}${uS}
|
||||
MICROS=${MICROS##0000}; MICROS=${MICROS##00}; MICROS=${MICROS##0}
|
||||
#echo MICROS=$MICROS >&2
|
||||
#
|
||||
_MICROS=$((MICROS+999999)); SECONDs="${_MICROS%??????}"
|
||||
[ -z "$SECONDs" ] && SECONDs=0
|
||||
|
@ -4437,11 +4438,12 @@ TESTADDR=$(eval echo $TESTTMPL)
|
|||
PEERADDR=$(eval echo $PEERTMPL)
|
||||
WAITCMD=$(eval echo $WAITTMPL)
|
||||
TESTKEYW=${TESTADDR%%:*}
|
||||
feat=$(tolower $FEAT)
|
||||
|
||||
# does our address implementation support halfclose?
|
||||
NAME=${NAMEKEYW}_HALFCLOSE
|
||||
case "$TESTS" in
|
||||
*%$N%*|*%functions%*|*%$FEAT%*|*%socket%*|*%halfclose%*|*%$NAME%*)
|
||||
*%$N%*|*%functions%*|*%$feat%*|*%socket%*|*%halfclose%*|*%$NAME%*)
|
||||
TEST="$NAME: $TESTKEYW half close"
|
||||
# have a "peer" socat "peer" that executes "$OD_C" and see if EOF on the
|
||||
# connecting socat brings the result of od
|
||||
|
@ -5241,7 +5243,7 @@ TEST="$NAME: for bug with address options on both stdin/out in unidirectional mo
|
|||
if ! eval $NUMCOND; then :; else
|
||||
tf="$td/test$N.stdout"
|
||||
te="$td/test$N.stderr"
|
||||
ff="$td/file$N"
|
||||
ff="$td/test$N.file"
|
||||
printf "test $F_n $TEST... " $N
|
||||
>"$ff"
|
||||
#$TRACE $SOCAT $opts -u /dev/null -,setlk <"$ff" 2>"$te"
|
||||
|
@ -14672,6 +14674,297 @@ PORT=$((PORT+1))
|
|||
N=$((N+1))
|
||||
|
||||
|
||||
# File transfer with OpenSSL stream connection was incomplete
|
||||
# Test file transfer from client to server
|
||||
NAME=OPENSSL_STREAM_TO_SERVER
|
||||
case "$TESTS" in
|
||||
*%$N%*|*%functions%*|*%bugs%*|*%openssl%*|*%tcp%*|*%socket%*|*%$NAME%*)
|
||||
TEST="$NAME: OpenSSL stream from client to server"
|
||||
# Start a unidirectional OpenSSL server and stream receiver
|
||||
# Start a unidirectional OpenSSL client that connects to the server and sends
|
||||
# data
|
||||
# Test succeeded when the data received and stored by server is the same as
|
||||
# sent by the client
|
||||
if ! eval $NUMCOND; then :;
|
||||
elif ! a=$(testfeats ip4 tcp openssl); then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}$a not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
listCANT="$listCANT $N"
|
||||
elif ! a=$(testaddrs openssl-listen openssl-connect); then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}$a not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
listCANT="$listCANT $N"
|
||||
elif ! runsip4 >/dev/null; then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}IPv4 not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
listCANT="$listCANT $N"
|
||||
else
|
||||
gentestcert testsrv
|
||||
ti="$td/test$N.datain"
|
||||
to="$td/test$N.dataout"
|
||||
te="$td/test$N.stderr"
|
||||
tdiff="$td/test$N.diff"
|
||||
da="test$N $(date) $RANDOM"
|
||||
CMD0="$TRACE $SOCAT $opts -u OPENSSL-LISTEN:$PORT,$REUSEADDR,cert=testsrv.pem,verify=0 CREAT:$to"
|
||||
CMD1="$TRACE $SOCAT $opts -u OPEN:$ti OPENSSL-CONNECT:$LOCALHOST:$PORT,cafile=testsrv.crt"
|
||||
printf "test $F_n $TEST... " $N
|
||||
i=0; while [ $i -lt 100000 ]; do printf "%9u %9u %9u %9u %9u %9u %9u %9u %9u %9u\n" $i $i $i $i $i $i $i $i $i $i; let i+=100; done >$ti
|
||||
$CMD0 >/dev/null 2>"${te}0" &
|
||||
pid0=$!
|
||||
waittcp4port $PORT 1
|
||||
$CMD1 >"${tf}1" 2>"${te}1"
|
||||
rc1=$?
|
||||
usleep $MICROS
|
||||
kill $pid0 2>/dev/null; wait
|
||||
if [ $rc1 -ne 0 ]; then
|
||||
$PRINTF "$FAILED\n"
|
||||
echo "$CMD0 &" >&2
|
||||
cat "${te}0" >&2
|
||||
echo "$CMD1" >&2
|
||||
cat "${te}1" >&2
|
||||
numFAIL=$((numFAIL+1))
|
||||
listFAIL="$listFAIL $N"
|
||||
elif diff $ti $to >$tdiff; then
|
||||
$PRINTF "$OK\n"
|
||||
numOK=$((numOK+1))
|
||||
else
|
||||
$PRINTF "$FAILED\n"
|
||||
echo "$CMD0 &" >&2
|
||||
cat "${te}0" >&2
|
||||
echo "$CMD1" >&2
|
||||
cat "${te}1" >&2
|
||||
echo "diff:" >&2
|
||||
head -n 2 $tdiff >&2
|
||||
echo ... >&2
|
||||
numFAIL=$((numFAIL+1))
|
||||
listFAIL="$listFAIL $N"
|
||||
fi
|
||||
fi # NUMCOND
|
||||
;;
|
||||
esac
|
||||
PORT=$((PORT+1))
|
||||
N=$((N+1))
|
||||
|
||||
# File transfer with OpenSSL stream connection was incomplete
|
||||
# Test file transfer from server to client
|
||||
NAME=OPENSSL_STREAM_TO_CLIENT
|
||||
case "$TESTS" in
|
||||
*%$N%*|*%functions%*|*%bugs%*|*%openssl%*|*%tcp%*|*%socket%*|*%$NAME%*)
|
||||
TEST="$NAME: OpenSSL stream from server to client"
|
||||
# Start a unidirectional OpenSSL server and stream sender
|
||||
# Start a unidirectional OpenSSL client that connects to the server and receives
|
||||
# data
|
||||
# Test succeeded when the data received and stored by client is the same as
|
||||
# sent by the server
|
||||
if ! eval $NUMCOND; then :;
|
||||
elif ! a=$(testfeats ip4 tcp openssl); then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}$a not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
listCANT="$listCANT $N"
|
||||
elif ! a=$(testaddrs openssl-listen openssl-connect); then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}$a not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
listCANT="$listCANT $N"
|
||||
elif ! runsip4 >/dev/null; then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}IPv4 not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
listCANT="$listCANT $N"
|
||||
else
|
||||
gentestcert testsrv
|
||||
ti="$td/test$N.datain"
|
||||
to="$td/test$N.dataout"
|
||||
te="$td/test$N.stderr"
|
||||
tdiff="$td/test$N.diff"
|
||||
da="test$N $(date) $RANDOM"
|
||||
CMD0="$TRACE $SOCAT $opts -U OPENSSL-LISTEN:$PORT,$REUSEADDR,cert=testsrv.pem,verify=0 OPEN:$ti"
|
||||
CMD1="$TRACE $SOCAT $opts -u OPENSSL-CONNECT:$LOCALHOST:$PORT,cafile=testsrv.crt CREAT:$to"
|
||||
printf "test $F_n $TEST... " $N
|
||||
i=0; while [ $i -lt 100000 ]; do printf "%9u %9u %9u %9u %9u %9u %9u %9u %9u %9u\n" $i $i $i $i $i $i $i $i $i $i; let i+=100; done >$ti
|
||||
$CMD0 >/dev/null 2>"${te}0" &
|
||||
pid0=$!
|
||||
waittcp4port $PORT 1
|
||||
$CMD1 >"${tf}1" 2>"${te}1"
|
||||
rc1=$?
|
||||
usleep $MICROS
|
||||
kill $pid0 2>/dev/null; wait
|
||||
if [ $rc1 -ne 0 ]; then
|
||||
$PRINTF "$FAILED\n"
|
||||
echo "$CMD0 &" >&2
|
||||
cat "${te}0" >&2
|
||||
echo "$CMD1" >&2
|
||||
cat "${te}1" >&2
|
||||
numFAIL=$((numFAIL+1))
|
||||
listFAIL="$listFAIL $N"
|
||||
elif diff $ti $to >$tdiff; then
|
||||
$PRINTF "$OK\n"
|
||||
numOK=$((numOK+1))
|
||||
else
|
||||
$PRINTF "$FAILED\n"
|
||||
echo "$CMD0 &" >&2
|
||||
cat "${te}0" >&2
|
||||
echo "$CMD1" >&2
|
||||
cat "${te}1" >&2
|
||||
echo "diff:" >&2
|
||||
head -n 2 $tdiff >&2
|
||||
echo ... >&2
|
||||
numFAIL=$((numFAIL+1))
|
||||
listFAIL="$listFAIL $N"
|
||||
fi
|
||||
fi # NUMCOND
|
||||
;;
|
||||
esac
|
||||
PORT=$((PORT+1))
|
||||
N=$((N+1))
|
||||
|
||||
# Test file transfer from client to server using DTLS
|
||||
NAME=OPENSSL_DTLS_TO_SERVER
|
||||
case "$TESTS" in
|
||||
*%$N%*|*%functions%*|*%bugs%*|*%openssl%*|*%dtls%*|*%udp%*|*%socket%*|*%$NAME%*)
|
||||
TEST="$NAME: OpenSSL DTLS transfer from client to server"
|
||||
# Start a unidirectional OpenSSL DTLS server/receiver
|
||||
# Start a unidirectional OpenSSL DTLS client that connects to the server and
|
||||
# sends data
|
||||
# Test succeeded when the data received and stored by server is the same as
|
||||
# sent by the client
|
||||
if ! eval $NUMCOND; then :;
|
||||
elif ! a=$(testfeats ip4 udp openssl); then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}$a not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
listCANT="$listCANT $N"
|
||||
elif ! a=$(testaddrs openssl-dtls-listen openssl-dtls-connect); then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}$a not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
listCANT="$listCANT $N"
|
||||
elif ! runsip4 >/dev/null; then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}IPv4 not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
listCANT="$listCANT $N"
|
||||
elif [[ $(openssl version |awk '{print($2);}') =~ 0.9.8[a-c] ]]; then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}openssl s_client might hang${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
listCANT="$listCANT $N"
|
||||
else
|
||||
gentestcert testsrv
|
||||
ti="$td/test$N.datain"
|
||||
to="$td/test$N.dataout"
|
||||
te="$td/test$N.stderr"
|
||||
tdiff="$td/test$N.diff"
|
||||
da="test$N $(date) $RANDOM"
|
||||
CMD0="$TRACE $SOCAT $opts -u OPENSSL-DTLS-LISTEN:$PORT,cert=testsrv.pem,verify=0 CREAT:$to"
|
||||
CMD1="$TRACE $SOCAT $opts -u OPEN:$ti OPENSSL-DTLS-CONNECT:$LOCALHOST:$PORT,cafile=testsrv.crt"
|
||||
printf "test $F_n $TEST... " $N
|
||||
i=0; while [ $i -lt 100000 ]; do printf "%9u %9u %9u %9u %9u %9u %9u %9u %9u %9u\n" $i $i $i $i $i $i $i $i $i $i; let i+=100; done >$ti
|
||||
$CMD0 >/dev/null 2>"${te}0" &
|
||||
pid0=$!
|
||||
waitudp4port $PORT 1
|
||||
$CMD1 >"${tf}1" 2>"${te}1"
|
||||
rc1=$?
|
||||
usleep $MICROS
|
||||
kill $pid0 2>/dev/null; wait
|
||||
if [ $rc1 -ne 0 ]; then
|
||||
$PRINTF "$FAILED\n"
|
||||
echo "$CMD0 &" >&2
|
||||
cat "${te}0" >&2
|
||||
echo "$CMD1" >&2
|
||||
cat "${te}1" >&2
|
||||
numFAIL=$((numFAIL+1))
|
||||
listFAIL="$listFAIL $N"
|
||||
elif diff $ti $to >$tdiff; then
|
||||
$PRINTF "$OK\n"
|
||||
numOK=$((numOK+1))
|
||||
else
|
||||
$PRINTF "$FAILED\n"
|
||||
echo "$CMD0 &" >&2
|
||||
cat "${te}0" >&2
|
||||
echo "$CMD1" >&2
|
||||
cat "${te}1" >&2
|
||||
echo "diff:" >&2
|
||||
head -n 2 $tdiff >&2
|
||||
echo ... >&2
|
||||
numFAIL=$((numFAIL+1))
|
||||
listFAIL="$listFAIL $N"
|
||||
fi
|
||||
fi # NUMCOND
|
||||
;;
|
||||
esac
|
||||
PORT=$((PORT+1))
|
||||
N=$((N+1))
|
||||
|
||||
# Test file transfer from server to client using DTLS
|
||||
NAME=OPENSSL_DTLS_TO_CLIENT
|
||||
case "$TESTS" in
|
||||
*%$N%*|*%functions%*|*%bugs%*|*%openssl%*|*%dtls%*|*%udp%*|*%socket%*|*%$NAME%*)
|
||||
TEST="$NAME: OpenSSL DTLS transfer from server to client"
|
||||
# Start a unidirectional OpenSSL DTLS server/sender
|
||||
# Start a unidirectional OpenSSL DTLS client that connects to the server and
|
||||
# receives data
|
||||
# Test succeeded when the data received and stored by client is the same as
|
||||
# sent by the server
|
||||
if ! eval $NUMCOND; then :;
|
||||
elif ! a=$(testfeats ip4 udp openssl); then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}$a not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
listCANT="$listCANT $N"
|
||||
elif ! a=$(testaddrs openssl-dtls-listen openssl-dtls-connect); then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}$a not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
listCANT="$listCANT $N"
|
||||
elif ! runsip4 >/dev/null; then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}IPv4 not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
listCANT="$listCANT $N"
|
||||
elif [[ $(openssl version |awk '{print($2);}') =~ 0.9.8[a-c] ]]; then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}openssl s_client might hang${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
listCANT="$listCANT $N"
|
||||
else
|
||||
gentestcert testsrv
|
||||
ti="$td/test$N.datain"
|
||||
to="$td/test$N.dataout"
|
||||
te="$td/test$N.stderr"
|
||||
tdiff="$td/test$N.diff"
|
||||
da="test$N $(date) $RANDOM"
|
||||
CMD0="$TRACE $SOCAT $opts -U OPENSSL-DTLS-LISTEN:$PORT,cert=testsrv.pem,verify=0 OPEN:$ti"
|
||||
CMD1="$TRACE $SOCAT $opts -u OPENSSL-DTLS-CONNECT:$LOCALHOST:$PORT,cafile=testsrv.crt CREAT:$to"
|
||||
printf "test $F_n $TEST... " $N
|
||||
i=0; while [ $i -lt 100000 ]; do printf "%9u %9u %9u %9u %9u %9u %9u %9u %9u %9u\n" $i $i $i $i $i $i $i $i $i $i; let i+=100; done >$ti
|
||||
$CMD0 >/dev/null 2>"${te}0" &
|
||||
pid0=$!
|
||||
waitudp4port $PORT 1
|
||||
$CMD1 >"${tf}1" 2>"${te}1"
|
||||
rc1=$?
|
||||
usleep $MICROS
|
||||
kill $pid0 2>/dev/null; wait
|
||||
if [ $rc1 -ne 0 ]; then
|
||||
$PRINTF "$FAILED\n"
|
||||
echo "$CMD0 &" >&2
|
||||
cat "${te}0" >&2
|
||||
echo "$CMD1" >&2
|
||||
cat "${te}1" >&2
|
||||
numFAIL=$((numFAIL+1))
|
||||
listFAIL="$listFAIL $N"
|
||||
elif diff $ti $to >$tdiff; then
|
||||
$PRINTF "$OK\n"
|
||||
numOK=$((numOK+1))
|
||||
else
|
||||
$PRINTF "$FAILED\n"
|
||||
echo "$CMD0 &" >&2
|
||||
cat "${te}0" >&2
|
||||
echo "$CMD1" >&2
|
||||
cat "${te}1" >&2
|
||||
echo "diff:" >&2
|
||||
head -n 2 $tdiff >&2
|
||||
echo ... >&2
|
||||
numFAIL=$((numFAIL+1))
|
||||
listFAIL="$listFAIL $N"
|
||||
fi
|
||||
fi # NUMCOND
|
||||
;;
|
||||
esac
|
||||
PORT=$((PORT+1))
|
||||
N=$((N+1))
|
||||
|
||||
|
||||
##################################################################################
|
||||
#=================================================================================
|
||||
# here come tests that might affect your systems integrity. Put normal tests
|
||||
|
@ -14768,6 +15061,7 @@ wait
|
|||
|
||||
exit
|
||||
|
||||
#==============================================================================
|
||||
# test template
|
||||
|
||||
# give a description of what is tested (a bugfix, a new feature...)
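Review bot: In the four new tests `OPENSSL_STREAM_TO_SERVER`, `OPENSSL_STREAM_TO_CLIENT`, `OPENSSL_DTLS_TO_SERVER` and `OPENSSL_DTLS_TO_CLIENT`, the client's stdout is redirected to `"${tf}1"` but none of them assigns `tf` (only `ti`, `to`, `te` and `tdiff` are set), so that file is named after whatever an earlier test left in `tf`, or becomes `./1` when it is unset. Add `tf="$td/test$N.stdout"` next to the other path assignments in each of the four tests. `da="test$N $(date) $RANDOM"` is also assigned in all four but never used, since the payload comes from the generated `$ti` file, so it can be dropped. The same fix applies to each test; the first occurrence is in `OPENSSL_STREAM_TO_SERVER`.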
|
||||
|
|
|
@ -1303,7 +1303,7 @@ cont_out:
|
|||
mode = SSL_CTX_get_mode(ctx);
|
||||
if (mode & SSL_MODE_AUTO_RETRY) {
|
||||
Info("SSL_CTX mode has SSL_MODE_AUTO_RETRY set. Correcting..");
|
||||
Debug1("SSL_CTX_clean_mode(%p, SSL_MODE_AUTO_RETRY)", ctx);
|
||||
Debug1("SSL_CTX_clear_mode(%p, SSL_MODE_AUTO_RETRY)", ctx);
|
||||
SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);
|
||||
}
|
||||
}
|
||||
|
@ -2023,5 +2023,19 @@ ssize_t xiowrite_openssl(struct single *pipe, const void *buff, size_t bufsiz) {
|
|||
return ret;
|
||||
}
|
||||
|
||||
int xioshutdown_openssl(struct single *sfd, int how)
|
||||
{
|
||||
int rc;
|
||||
|
||||
if ((rc = sycSSL_shutdown(sfd->para.openssl.ssl)) < 0) {
|
||||
Warn1("xioshutdown_openssl(): SSL_shutdown() -> %d", rc);
|
||||
}
|
||||
if (sfd->tag == XIO_TAG_WRONLY) {
|
||||
char buff[1];
|
||||
/* give peer time to read all data before closing socket */
|
||||
xioread_openssl(sfd, buff, 1);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif /* WITH_OPENSSL */
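Review bot: `xioshutdown_openssl()` never reads its `how` argument and discards the result of `xioread_openssl()`, so the wait for the peer's close_notify at the end of the function neither distinguishes half from full close (the question the deleted `/*! what about half/full close? */` comment in xioshutdown.c raised) nor records what came back. Per OpenSSL's documented semantics a `sycSSL_shutdown()` result of 0 is the expected case here (our close_notify sent, the peer's not yet received), so logging it and the read outcome would make failures diagnosable, e.g. `ssize_t nread = xioread_openssl(sfd, buff, 1); Debug1("xioshutdown_openssl(): SSL_read() -> %ld", (long)nread);`. The function also returns 0 when `sycSSL_shutdown()` failed, so the caller cannot tell a clean shutdown from a failed one; consider `return -1` in the `rc < 0` branch after the Warn1. A one-line comment above `if (sfd->tag == XIO_TAG_WRONLY)` explaining why the blocking read is only done for write-only streams would help the next maintainer.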
|
||||
|
|
|
@ -51,7 +51,7 @@ extern int
|
|||
const char *opt_commonname,
|
||||
SSL_CTX *ctx, int level);
|
||||
extern int xioclose_openssl(xiofile_t *xfd);
|
||||
extern int xioshutdown_openssl(xiofile_t *xfd, int how);
|
||||
extern int xioshutdown_openssl(struct single *sfd, int how);
|
||||
extern ssize_t xioread_openssl(struct single *file, void *buff, size_t bufsiz);
|
||||
extern ssize_t xiopending_openssl(struct single *pipe);
|
||||
extern ssize_t xiowrite_openssl(struct single *file, const void *buff, size_t bufsiz);
|
||||
|
|
|
@ -8,6 +8,8 @@
|
|||
#include "xiosysincludes.h"
|
||||
#include "xioopen.h"
|
||||
|
||||
#include "xio-openssl.h"
|
||||
|
||||
static pid_t socat_kill_pid; /* here we pass the pid to be killed in sighandler */
|
||||
|
||||
static void signal_kill_pid(int dummy) {
|
||||
|
@ -68,8 +70,7 @@ int xioshutdown(xiofile_t *sock, int how) {
|
|||
;
|
||||
#if WITH_OPENSSL
|
||||
} else if ((sock->stream.dtype & XIODATA_MASK) == XIODATA_OPENSSL) {
|
||||
sycSSL_shutdown (sock->stream.para.openssl.ssl);
|
||||
/*! what about half/full close? */
|
||||
xioshutdown_openssl(&sock->stream, how);
|
||||
#endif /* WITH_OPENSSL */
|
||||
|
||||
} else if ((sock->stream.dtype & XIODATA_MASK) == XIODATA_PIPE) {
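Review bot: The new `#include "xio-openssl.h"` in the first hunk is added unconditionally while its only use, the `xioshutdown_openssl(&sock->stream, how)` call in this hunk, sits under `#if WITH_OPENSSL`; whether that header is safe to include in a build without OpenSSL is not visible here, so if it lacks its own guard the include should be wrapped in the same `#if WITH_OPENSSL` / `#endif`. The call's return value is dropped in the `XIODATA_OPENSSL` branch, so an error signalled by it would never reach the caller of `xioshutdown()`; the enclosing function continues outside the hunk, and if it reports a status to its caller that value should be propagated rather than ignored.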
|
||||
|
|