The branch master has been updated via 4442061532fb1a98c22609bf37303b77716df624 (commit) via de5b3a8645a3b2dd22fa8866e64488eb2b69777d (commit) from d47eb76cd5fef2495c23705733d7034370063556 (commit)
- Log ----------------------------------------------------------------- commit 4442061532fb1a98c22609bf37303b77716df624 Author: Andy Polyakov <ap...@openssl.org> Date: Thu Apr 12 10:05:22 2018 +0200 TLSProxy/Proxy.pm: straighten inner loop termination logic. Original condition was susceptible to race condition... Reviewed-by: Bernd Edlinger <bernd.edlin...@hotmail.de> Reviewed-by: Richard Levitte <levi...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5933) commit de5b3a8645a3b2dd22fa8866e64488eb2b69777d Author: Andy Polyakov <ap...@openssl.org> Date: Wed Apr 11 23:16:52 2018 +0200 TLSProxy/Proxy.pm: bind s_server to loopback interface. Bind even test/ssltest_old.c to loopback interface. This allows to avoid unnecessary alerts from Windows and Mac OS X firewalls. Reviewed-by: Bernd Edlinger <bernd.edlin...@hotmail.de> Reviewed-by: Richard Levitte <levi...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5933) ----------------------------------------------------------------------- Summary of changes: test/ssltest_old.c | 3 +- util/perl/TLSProxy/Proxy.pm | 126 +++++++++++++++++++++++--------------------- 2 files changed, 69 insertions(+), 60 deletions(-)
diff --git a/test/ssltest_old.c b/test/ssltest_old.c
index 9469485..34705c3 100644
--- a/test/ssltest_old.c
+++ b/test/ssltest_old.c
@@ -1836,7 +1836,8 @@ int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family, long count,
     int err_in_client = 0;
     int err_in_server = 0;
-    acpt = BIO_new_accept("0");
+    acpt = BIO_new_accept(family == BIO_FAMILY_IPV4 ? "127.0.0.1:0"
+                                                    : "[::1]:0");
     if (acpt == NULL)
         goto err;
     BIO_set_accept_ip_family(acpt, family);
diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm
index 752b572..9e9764d 100644
--- a/util/perl/TLSProxy/Proxy.pm
+++ b/util/perl/TLSProxy/Proxy.pm
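Review bot: The loopback literal is selected by testing only for BIO_FAMILY_IPV4, so every other family value — including BIO_FAMILY_IPANY, should any caller ever pass it — gets `[::1]:0`, while the following `BIO_set_accept_ip_family(acpt, family)` would then request a family the literal does not match. If doit_localhost is only ever called with IPV4 or IPV6 this is fine, but the intent deserves a comment, e.g. `/* bind loopback only (avoids firewall prompts); callers pass IPV4 or IPV6 */` above the assignment. doit_localhost starts before and continues after this hunk.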
@@ -23,9 +23,50 @@ use TLSProxy::CertificateVerify;
 use TLSProxy::ServerKeyExchange;
 use TLSProxy::NewSessionTicket;
-my $have_IPv6 = 0;
+my $have_IPv6;
 my $IP_factory;
+BEGIN
+{
+    # IO::Socket::IP is on the core module list, IO::Socket::INET6 isn't.
+    # However, IO::Socket::INET6 is older and is said to be more widely
+    # deployed for the moment, and may have less bugs, so we try the latter
+    # first, then fall back on the core modules. Worst case scenario, we
+    # fall back to IO::Socket::INET, only supports IPv4.
+    eval {
+        require IO::Socket::INET6;
+        my $s = IO::Socket::INET6->new(
+            LocalAddr => "::1",
+            LocalPort => 0,
+            Listen=>1,
+        );
+        $s or die "\n";
+        $s->close();
+    };
+    if ($@ eq "") {
+        $IP_factory = sub { IO::Socket::INET6->new(@_); };
+        $have_IPv6 = 1;
+    } else {
+        eval {
+            require IO::Socket::IP;
+            my $s = IO::Socket::IP->new(
+                LocalAddr => "::1",
+                LocalPort => 0,
+                Listen=>1,
+            );
+            $s or die "\n";
+            $s->close();
+        };
+        if ($@ eq "") {
+            $IP_factory = sub { IO::Socket::IP->new(@_); };
+            $have_IPv6 = 1;
+        } else {
+            $IP_factory = sub { IO::Socket::INET->new(@_); };
+            $have_IPv6 = 0;
+        }
+    }
+}
 my $is_tls13 = 0;
 my $ciphersuite = undef;
@@ -39,8 +80,7 @@ sub new
     my $self = {
         #Public read/write
-        proxy_addr => "localhost",
-        server_addr => "localhost",
+        proxy_addr => $have_IPv6 ? "[::1]" : "127.0.0.1",
         filter => $filter,
         serverflags => "",
         clientflags => "",
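Review bot: `my $have_IPv6;` deliberately carries no initializer because the BEGIN block assigns it at compile time and a run-time `= 0` would overwrite that value when the file body executes; that is exactly the kind of thing a later reader "fixes" back, so it should say so: `my $have_IPv6;    # set in BEGIN below; an initializer here would reset it at run time`. The probe binds a real listening socket on ::1 at module load purely to detect IPv6 support, and the failure text in `$@` from both the INET6 and IP attempts is discarded, so a host that silently ends up on IO::Socket::INET gives no hint why — keeping the last `$@` in a variable and mentioning it in the proxy's "Failed creating proxy socket" warning would make that fallback diagnosable.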
@@ -67,43 +107,6 @@ sub new
         message_list => [],
     };
-    # IO::Socket::IP is on the core module list, IO::Socket::INET6 isn't.
-    # However, IO::Socket::INET6 is older and is said to be more widely
-    # deployed for the moment, and may have less bugs, so we try the latter
-    # first, then fall back on the code modules. Worst case scenario, we
-    # fall back to IO::Socket::INET, only supports IPv4.
-    eval {
-        require IO::Socket::INET6;
-        my $s = IO::Socket::INET6->new(
-            LocalAddr => "::1",
-            LocalPort => 0,
-            Listen=>1,
-        );
-        $s or die "\n";
-        $s->close();
-    };
-    if ($@ eq "") {
-        $IP_factory = sub { IO::Socket::INET6->new(@_); };
-        $have_IPv6 = 1;
-    } else {
-        eval {
-            require IO::Socket::IP;
-            my $s = IO::Socket::IP->new(
-                LocalAddr => "::1",
-                LocalPort => 0,
-                Listen=>1,
-            );
-            $s or die "\n";
-            $s->close();
-        };
-        if ($@ eq "") {
-            $IP_factory = sub { IO::Socket::IP->new(@_); };
-            $have_IPv6 = 1;
-        } else {
-            $IP_factory = sub { IO::Socket::INET->new(@_); };
-        }
-    }
     # Create the Proxy socket
     my $proxaddr = $self->{proxy_addr};
     $proxaddr =~ s/[\[\]]//g; # Remove [ and ]
@@ -113,11 +116,16 @@ sub new
         Proto => "tcp",
         Listen => SOMAXCONN,
     );
-    $self->{proxy_sock} = $IP_factory->(@proxyargs);
-    if ($self->{proxy_sock}) {
-        $self->{proxy_port} = $self->{proxy_sock}->sockport();
-        print "Proxy started on port ".$self->{proxy_port}."\n";
+    if (my $sock = $IP_factory->(@proxyargs)) {
+        $self->{proxy_sock} = $sock;
+        $self->{proxy_port} = $sock->sockport();
+        $self->{proxy_addr} = $sock->sockhost();
+        $self->{proxy_addr} =~ s/(.*:.*)/[$1]/;
+        print "Proxy started on port ",
+              "$self->{proxy_addr}:$self->{proxy_port}\n";
+        # use same address for s_server
+        $self->{server_addr} = $self->{proxy_addr};
     } else {
         warn "Failed creating proxy socket (".$proxaddr.",0): $!\n";
     }
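Review bot: `$self->{server_addr}` is now assigned only on the success path of the proxy-socket creation, and the same commit dropped the `server_addr => "localhost"` default from the constructor hash, so after the `warn "Failed creating proxy socket ..."` branch `server_addr` is undef and `start` later builds `-accept :0` (with an "uninitialized value" warning if warnings are on) instead of failing clearly. Either keep a default in the initializer or set it in the else branch as well, `$self->{server_addr} = $self->{proxy_addr};  # keep a usable literal even without a proxy socket`, or — since no test can proceed without the proxy socket — turn that warn into a die. Minor: the message `"Proxy started on port "` now prints address:port, so "Proxy started on " reads more accurately. `new` starts and ends outside this hunk.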
@@ -212,11 +220,9 @@ sub start
         my $execcmd = $self->execute
             ." s_server -max_protocol TLSv1.3 -no_comp -rev -engine ossltest"
-            ." -accept 0 -cert ".$self->cert." -cert2 ".$self->cert
+            ." -accept $self->{server_addr}:0"
+            ." -cert ".$self->cert." -cert2 ".$self->cert
             ." -naccept ".$self->serverconnects;
-        unless ($self->supports_IPv6) {
-            $execcmd .= " -4";
-        }
         if ($self->ciphers ne "") {
             $execcmd .= " -cipher ".$self->ciphers;
         }
@@ -286,7 +292,7 @@ sub start
         $self->{serverpid} = $pid;
         print STDERR "Server responds on ",
-            $self->{server_addr}, ":", $self->{server_port}, "\n";
+            "$self->{server_addr}:$self->{server_port}\n";
         # Connect right away...
         $self->connect_to_server();
@@ -301,11 +307,8 @@ sub clientstart
     if ($self->execute) {
         my $pid;
         my $execcmd = $self->execute
-            ." s_client -max_protocol TLSv1.3 -engine ossltest -connect "
-            .($self->proxy_addr).":".($self->proxy_port);
-        unless ($self->supports_IPv6) {
-            $execcmd .= " -4";
-        }
+            ." s_client -max_protocol TLSv1.3 -engine ossltest"
+            ." -connect $self->{proxy_addr}:$self->{proxy_port}";
         if ($self->cipherc ne "") {
             $execcmd .= " -cipher ".$self->cipherc;
         }
@@ -315,6 +318,9 @@ sub clientstart
         if ($self->clientflags ne "") {
             $execcmd .= " ".$self->clientflags;
         }
+        if ($self->clientflags !~ m/-(no)?servername/) {
+            $execcmd .= " -servername localhost";
+        }
         if (defined $self->sessionfile) {
             $execcmd .= " -ign_eof";
         }
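Review bot: The new default `-servername localhost` in the last hunk has no why-comment, and the reason is not obvious from the code: `-connect` now targets an IP literal instead of `localhost`, and s_client (as far as I recall) sends no SNI for an IP literal, so without this line the server-side behaviour the tests exercise would presumably change. Something like `# -connect now uses an IP literal, so send SNI explicitly unless the caller set or suppressed it` above the `if` would save the next reader the archaeology. The test `m/-(no)?servername/` is an unanchored substring match; `m/(?:^|\s)-(?:no)?servername\b/` would avoid a false hit on a flag value that merely contains that text. clientstart continues outside this hunk.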
@@ -363,12 +369,14 @@ sub clientstart
     $fdset = IO::Select->new($server_sock, $client_sock);
     my @ready;
     my $ctr = 0;
+    my $sessionfile = $self->{sessionfile};
     local $SIG{PIPE} = "IGNORE";
-    while($fdset->count
-          && (!(TLSProxy::Message->end)
-              || (defined $self->sessionfile()
-                  && (-s $self->sessionfile()) == 0))
-          && $ctr < 10) {
+    while($fdset->count && $ctr < 10) {
+        if (defined($sessionfile)) {
+            # s_client got -ign_eof and won't be exiting voluntarily, so we
+            # look for data *and* check on session file...
+            last if TLSProxy::Message->success() && -s $sessionfile;
+        }
         if (!(@ready = $fdset->can_read(1))) {
             $ctr++;
             next;
_____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
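Review bot: `my $sessionfile = $self->{sessionfile};` reaches into the object hash directly while the surrounding code in clientstart goes through accessors (`$self->sessionfile`, `$self->clientflags`); `my $sessionfile = $self->sessionfile;` keeps the style consistent and honours any logic the accessor may carry. It is also worth spelling out in the comment that, without a session file, the loop no longer consults TLSProxy::Message at all and ends only when both sockets are gone or after ten consecutive idle `can_read(1)` periods, so a peer that lingers costs up to roughly ten seconds per test — acceptable for a harness, but a deliberate trade-off that the `# s_client got -ign_eof` comment could state. The while loop continues outside this hunk.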