
This queue is for tickets about the Net-SSLeay CPAN distribution.

Report information
The Basics
Id: 125218
Status: resolved
Priority: 0/
Queue: Net-SSLeay

People
Owner: chrisn [...] cpan.org
Requestors: sebastian [...] breakpoint.cc
Cc: dam [...] cpan.org
gregoa [...] cpan.org
SREZIC [...] cpan.org
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: 1.86_06



Subject: libnet-ssleay-perl/1.85: Testsuite fails against openssl 1.1.1 (current beta)
Date: Thu, 26 Apr 2018 22:21:16 +0200
To: bug-Net-SSLeay [...] rt.cpan.org
From: Sebastian Andrzej Siewior <sebastian [...] breakpoint.cc>
Hi,

The testsuite of libnet-ssleay-perl/1.85 fails against openssl 1.1.1 (current beta). This is t/local/07_sslecho.t I refer to here.

The SSL_read() and SSL_write() wrappers need to handle a possible retry. The man-page for both functions [0] says that they might need to be retried with the same arguments. With the following hunk:

diff --git a/SSLeay.xs b/SSLeay.xs --- a/SSLeay.xs +++ b/SSLeay.xs @@ -1999,7 +1999,17 @@ SSL_read(s,max=32768) int got; PPCODE: New(0, buf, max, char); - got = SSL_read(s, buf, max); + + do { + int err; + + got = SSL_read(s, buf, max); + if (got > 0) + break; + err = SSL_get_error(s, got); + if (err != SSL_ERROR_WANT_READ) + break; + } while (1); /* If in list context, return 2-item list: * first return value: data gotten, or undef on error (got<0) @@ -2051,10 +2061,20 @@ SSL_write(s,buf) SSL * s PREINIT: STRLEN len; + int err; + int ret; INPUT: char * buf = SvPV( ST(1), len); CODE: - RETVAL = SSL_write (s, buf, (int)len); + do { + ret = SSL_write (s, buf, (int)len); + if (ret > 0) + break; + err = SSL_get_error(s, ret); + if (err != SSL_ERROR_WANT_WRITE) + break; + } while (1); + RETVAL = ret; OUTPUT: RETVAL
@@ -2083,8 +2103,20 @@ SSL_write_partial(s,from,count,buf) if (len < 0) { croak("from beyound end of buffer"); RETVAL = -1; - } else - RETVAL = SSL_write (s, &(buf[from]), (count<=len)?count:len); + } else { + int ret; + int err; + + do { + ret = SSL_write (s, &(buf[from]), (count<=len)?count:len); + if (ret > 0) + break; + err = SSL_get_error(s, ret); + if (err != SSL_ERROR_WANT_WRITE) + break; + } while (1); + RETVAL = ret; + } OUTPUT: RETVAL

I was able to let the test-suite continue a little further. As per upstream [1] this was always the case; it worked by coincidence before.

The next thing is that step 24 within 07_sslecho.t blocks forever. As it turns out one side does "shutdown $s, 2;" (around line 170) while the other does a read+write operation. In "older" openssl it seems to just work but in the newer one SIGPIPE is received and this seems to stall/block the test case. By adding:

index 5e16b04b55ea..c60afccc0051 100644 --- a/t/local/07_sslecho.t +++ b/t/local/07_sslecho.t @@ -14,6 +14,7 @@ BEGIN { } plan tests => 78; +$SIG{'PIPE'} = 'IGNORE'; my $sock; my $pid;

it does not stall anymore but complains about the return value from write:

ok 21 - get_cipher
ok 22 - get_shared_ciphers
ok 23 - ssl_read_all
not ok 24 - ssl_write_all
# Failed test 'ssl_write_all'
# at t/local/07_sslecho.t line 88.
ok 25 - new

This should be okay since the other side never reads anything and just shuts down the socket. Upstream recommends to use SSL_shutdown() instead of operating on sockets directly.

I'm forwarding this from the Debian bug [2] I reported but received no feedback so far.

[0] https://manpages.debian.org/stretch/libssl-doc/SSL_read.3ssl.en.html#WARNING
[1] https://github.com/openssl/openssl/issues/5637#issuecomment-381364019
[2] https://bugs.debian.org/895959

Sebastian
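Review bot: the retry loop in the SSL_read hunk only retries on SSL_ERROR_WANT_READ, but the man page cited in the report says SSL_read() must also be repeated on SSL_ERROR_WANT_WRITE, so that case still falls through to the caller as a failure; check both, e.g. `if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) break;`. The loop also never waits on the descriptor, so on a non-blocking socket it spins at full CPU until data arrives instead of handing the want-read condition back to the caller.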
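Review bot: the SSL_write hunk has the mirror-image gap: only SSL_ERROR_WANT_WRITE is retried, yet SSL_write() can return SSL_ERROR_WANT_READ when a handshake message from the peer has to be consumed first, so the condition should cover both values, and the same applies to the copy of the loop in the SSL_write_partial hunk. Since the two loops are otherwise identical, a single static helper above the XS functions would keep them from drifting apart; while touching that region, the context line `croak("from beyound end of buffer")` could lose its typo.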
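Review bot: `+$SIG{'PIPE'} = 'IGNORE';` in the t/local/07_sslecho.t hunk sits at file scope before the fork(), so it changes both the server and the client process, and it only converts the signal into an EPIPE error from write(), which is exactly what the following "not ok 24 - ssl_write_all" shows; the test still has to decide whether a failed write after the peer's `shutdown $s, 2` is the expected outcome (and assert that) or perform the SSL_shutdown() the report mentions, rather than only masking the signal.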
On Thu 26 Apr 2018 16:34:25, sebastian@breakpoint.cc wrote:
> The testsuite of libnet-ssleay-perl/1.85 fails against openssl 1.1.1
> (current beta). This is t/local/07_sslecho.t I refer here to.
>
> The SSL_read() and SSL_write() wrapper need to handle a possible
> retry.
> The man-page for both function [0] says that it might need to be
> retried
> with the same arguments. With the following hunk:
>
Funnily, SSL_read() can return SSL_ERROR_WANT_WRITE and SSL_write() can return SSL_ERROR_WANT_READ. But I don't understand when it can happen (buffered BIO only?) and what remedy should be used. The patch obviously does not handle them.
> The next thing is that step 24 within 07_sslecho.t blocks forever. As
> it
> turns out one side does "shutdown $s, 2;" (around line 170) while the
> other does a read+write operation. In "older" openssl is seems to just
> work but in the newer one SIGPIPE is received and this seems to
> stall/block the test case. By adding:
>
> index 5e16b04b55ea..c60afccc0051 100644
> --- a/t/local/07_sslecho.t
> +++ b/t/local/07_sslecho.t
> @@ -14,6 +14,7 @@ BEGIN {
> }
>
> plan tests => 78;
> +$SIG{'PIPE'} = 'IGNORE';
>
How is it possible that an operation on a TCP socket generates a SIGPIPE? This should happen only on pipes. Does OpenSSL use some pipes underneath? Here the SIGPIPE is received by the child performing ssl_read_all() when the TCP client closes the TCP connection just after sending the data. I don't think an application should expect and handle SIGPIPE in this case.
On Wed 1 Aug 2018 09:11:20, ppisar wrote:
> How is it possible an operation on a TCP socket generates a SIGPIPE?
> This should happen only on pipes. Does OpenSSL use some pipes
> underneath?
>
Now I found in socket(7) that the SIGPIPE is generated on a write to any half-closed connection-oriented socket. Not only for pipes.
On Thu 26 Apr 2018 16:34:25, sebastian@breakpoint.cc wrote:
> it does not stall anymore but complains about the return value from
> write:
>
> ok 21 - get_cipher
> ok 22 - get_shared_ciphers
> ok 23 - ssl_read_all
> not ok 24 - ssl_write_all
> # Failed test 'ssl_write_all'
> # at t/local/07_sslecho.t line 88.
> ok 25 - new
>
> This should be okay since the other side never reads anything and just
> shutdowns the socket. Upstream recommends to use SSL_shutdown()
> instead
> of operating on sockets directly.
Adding SSL_shutdown everywhere where appropriate (e.g. into sslcat()) fixes some t/local/07_sslecho.t subtest failures but causes new ones. I think the issue is that many of the tests, including the sslcat() function, would violate TLS <= 1.2 if they used SSL_shutdown(). The TLS 1.2 RFC mandates that if a peer receives a close_notify event it must also send close_notify and must not send any other data. TLS 1.3 changed that and allowed closing only one direction of the connection while still sending in the other direction. But how to write code that conforms to both protocols is unknown to me. A tempting solution is not using SSL_shutdown() at all, but that returns us to the issues with the current patch and it also goes against TLS 1.3, which recommends sending close_notify events to prevent an attacker from spoofing a premature end of a stream.
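The close_notify problem above (TLS 1.2 requiring an immediate close_notify reply, TLS 1.3 allowing a half-close) can be met by one shutdown sequence that sends our close_notify, drains whatever the peer still sends, and only then waits for the peer's close_notify. The following is an added example, not code from Net-SSLeay or from any patch in this ticket; it assumes a connected Net::SSLeay handle on a blocking socket and relies only on the documented SSL_shutdown() return values (1 = both close_notify alerts exchanged, 0 = ours sent, peer's pending, <0 = error):

```perl
# Added example (not Net-SSLeay project code): a two-way TLS shutdown
# that is valid under both TLS 1.2 and TLS 1.3.
use strict;
use warnings;
use Net::SSLeay;

# socket(7): SIGPIPE is raised on a write to any half-closed stream
# socket, not only to pipes.  Ignoring it turns a close_notify sent to
# a peer that already closed its TCP side into an EPIPE error we can
# see in the return value, instead of a fatal signal.
$SIG{PIPE} = 'IGNORE';

# Returns 1 when both close_notify alerts were exchanged, 0 otherwise.
# $max_drain_bytes caps how much trailing peer data we are willing to
# discard before giving up (assumed default, not an OpenSSL setting).
sub tls_shutdown_both_ways {
    my ($ssl, $max_drain_bytes) = @_;
    $max_drain_bytes ||= 1_000_000;

    # Step 1: send our close_notify.
    my $rv = Net::SSLeay::shutdown($ssl);
    return 1 if $rv == 1;      # peer's close_notify was already seen
    return 0 if $rv < 0;       # fatal error, e.g. EPIPE on a dead peer

    # Step 2 ($rv == 0): close_notify sent, peer's not yet received.
    # A TLS 1.2 peer must answer with close_notify and send nothing else;
    # a TLS 1.3 peer may keep sending application data (half-close).
    # Reading until SSL_ERROR_ZERO_RETURN satisfies both.
    my $drained = 0;
    while ($drained < $max_drain_bytes) {
        # List context: data (undef on failure) plus the raw SSL_read()
        # result that SSL_get_error() needs.
        my ($data, $got) = Net::SSLeay::read($ssl, 4096);
        if (defined $data && length $data) {
            $drained += length $data;   # TLS 1.3 half-close traffic
            next;
        }
        my $err = Net::SSLeay::get_error($ssl, $got);
        last if $err == Net::SSLeay::ERROR_ZERO_RETURN();  # peer's close_notify
        next if $err == Net::SSLeay::ERROR_WANT_READ();     # blocking socket: retry
        return 0;                                           # anything else is fatal
    }

    # Step 3: now SSL_shutdown() reports the completed exchange.
    return Net::SSLeay::shutdown($ssl) == 1 ? 1 : 0;
}

1;
```

Call it in place of a bare `shutdown $s, 2` before closing the socket; a server that never reads application data still needs the drain loop, because under TLS 1.3 the client's close_notify may arrive behind data it sent before seeing ours.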
On Thu 26 Apr 2018 16:34:25, sebastian@breakpoint.cc wrote:
> The testsuite of libnet-ssleay-perl/1.85 fails against openssl 1.1.1
> (current beta).
After talking to OpenSSL developers I implemented the attached fix. It includes Sebastian's patch and it adapts the tests rather than the library. That means that most of the OpenSSL changes will be visible to Net::SSLeay users. E.g. SIGPIPE in a server where data are only received and no proper two-way TLS shutdown is performed. E.g. undef returned from Net::SSLeay::read() after the TLS session is closed. E.g. session resumption not working if the client does not employ a session ticket callback. The fix also adds wrappers for the SSL_CTX_set_num_tickets() family of functions introduced in OpenSSL 1.1.1.
Subject: 0001-Adapt-to-OpenSSL-1.1.1.patch
From b01291bf88dd84529c93973da7c275e0ffe5cc1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> Date: Fri, 3 Aug 2018 14:30:22 +0200 Subject: [PATCH] Adapt to OpenSSL 1.1.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OpenSSL 1.1.1 defaults to TLS 1.3 that handles session tickets and session shutdowns differently. This leads to failing various Net-SSLeay tests that exhibits use cases that are not possible with OpenSSL 1.1.1 anymore or where the library behaves differently. Since Net-SSLeay is a low-level wrapper, Net-SSLeay will be corrected in tests. Higher-level code as IO::Socket::SSL and other Net::SSLeay applications need to be adjusted on case-to-case basis. This patche changes: - Retry SSL_read() and SSL_write() (by sebastian [...] breakpoint.cc) - Disable session tickets in t/local/07_sslecho.t. - Adaps t/local/36_verify.t to a session end when Net::SSLeay::read() returns undef. https://rt.cpan.org/Public/Bug/Display.html?id=125218 https://github.com/openssl/openssl/issues/5637 https://github.com/openssl/openssl/issues/6904 Signed-off-by: Petr Písař <ppisar@redhat.com> --- SSLeay.xs | 56 ++++++++++++++++++++++++++++++++++++++++++++++++---- lib/Net/SSLeay.pod | 46 ++++++++++++++++++++++++++++++++++++++++++ t/local/07_sslecho.t | 15 ++++++++++++-- t/local/36_verify.t | 2 +- 4 files changed, 112 insertions(+), 7 deletions(-) diff --git a/SSLeay.xs b/SSLeay.xs index bf148c0..5aed4d7 100644 --- a/SSLeay.xs +++ b/SSLeay.xs @@ -1999,7 +1999,17 @@ SSL_read(s,max=32768) int got; PPCODE: New(0, buf, max, char); - got = SSL_read(s, buf, max); + + do { + int err; + + got = SSL_read(s, buf, max); + if (got > 0) + break; + err = SSL_get_error(s, got); + if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) + break; + } while (1); /* If in list context, return 2-item list: * first return value: data gotten, or undef on error (got<0) 
@@ -2051,10 +2061,20 @@ SSL_write(s,buf) SSL * s PREINIT: STRLEN len; + int err; + int ret; INPUT: char * buf = SvPV( ST(1), len); CODE: - RETVAL = SSL_write (s, buf, (int)len); + do { + ret = SSL_write (s, buf, (int)len); + if (ret > 0) + break; + err = SSL_get_error(s, ret); + if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) + break; + } while (1); + RETVAL = ret; OUTPUT: RETVAL @@ -2083,8 +2103,20 @@ SSL_write_partial(s,from,count,buf) if (len < 0) { croak("from beyound end of buffer"); RETVAL = -1; - } else - RETVAL = SSL_write (s, &(buf[from]), (count<=len)?count:len); + } else { + int ret; + int err; + + do { + ret = SSL_write (s, &(buf[from]), (count<=len)?count:len); + if (ret > 0) + break; + err = SSL_get_error(s, ret); + if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) + break; + } while (1); + RETVAL = ret; + } OUTPUT: RETVAL @@ -6957,4 +6989,20 @@ SSL_export_keying_material(ssl, outlen, label, p) #endif +#if OPENSSL_VERSION_NUMBER >= 0x1010100fL + +int +SSL_CTX_set_num_tickets(SSL_CTX *ctx,size_t num_tickets) + +size_t +SSL_CTX_get_num_tickets(SSL_CTX *ctx) + +int +SSL_set_num_tickets(SSL *ssl,size_t num_tickets) + +size_t +SSL_get_num_tickets(SSL *ssl) + +#endif + #define REM_EOF "/* EOF - SSLeay.xs */" diff --git a/lib/Net/SSLeay.pod b/lib/Net/SSLeay.pod index 2e1aae3..bca7be4 100644 --- a/lib/Net/SSLeay.pod +++ b/lib/Net/SSLeay.pod 
@@ -4437,6 +4437,52 @@ getticket($ssl,$ticket,$data) -> $return_value This function is based on the OpenSSL function SSL_set_session_ticket_ext_cb. +=item * CTX_set_num_tickets + +B<COMPATIBILITY:> not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1 + +Set number of session tickets that will be sent to a client. + + my $rv = Net::SSLeay::CTX_set_num_tickets($ctx, $number_of_tickets); + # $ctx - value corresponding to openssl's SSL_CTX structure + # $number_of_tickets - number of tickets to send + # returns: 1 on success, 0 on failure + +Set to zero if you do not no want to support a session resumption. + +=item * CTX_get_num_tickets + +B<COMPATIBILITY:> not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1 + +Get number of session tickets that will be sent to a client. + + my $number_of_tickets = Net::SSLeay::CTX_get_num_tickets($ctx); + # $ctx - value corresponding to openssl's SSL_CTX structure + # returns: number of tickets to send + +=item * set_num_tickets + +B<COMPATIBILITY:> not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1 + +Set number of session tickets that will be sent to a client. + + my $rv = Net::SSLeay::set_num_tickets($ssl, $number_of_tickets); + # $ssl - value corresponding to openssl's SSL structure + # $number_of_tickets - number of tickets to send + # returns: 1 on success, 0 on failure + +Set to zero if you do not no want to support a session resumption. + +=item * get_num_tickets + +B<COMPATIBILITY:> not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1 + +Get number of session tickets that will be sent to a client. + + my $number_of_tickets = Net::SSLeay::get_num_tickets($ctx); + # $ctx - value corresponding to openssl's SSL structure + # returns: number of tickets to send + =item * set_shutdown Sets the shutdown state of $ssl to $mode. diff --git a/t/local/07_sslecho.t b/t/local/07_sslecho.t index 5e16b04..5dc946a 100644 
--- a/t/local/07_sslecho.t +++ b/t/local/07_sslecho.t @@ -13,7 +13,8 @@ BEGIN { plan skip_all => "fork() not supported on $^O" unless $Config{d_fork}; } -plan tests => 78; +plan tests => 79; +$SIG{'PIPE'} = 'IGNORE'; my $sock; my $pid; @@ -61,6 +62,16 @@ Net::SSLeay::library_init(); ok(Net::SSLeay::CTX_set_cipher_list($ctx, 'ALL'), 'CTX_set_cipher_list'); my ($dummy, $errs) = Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem); ok($errs eq '', "set_cert_and_key: $errs"); + SKIP: { + skip 'Disabling session tickets requires OpenSSL >= 1.1.1', 1 + unless (&Net::SSLeay::OPENSSL_VERSION_NUMBER >= 0x1010100f); + # TLS 1.3 server sends session tickets after a handhake as part of + # the SSL_accept(). If a client finishes all its job including closing + # TCP connectino before a server sends the tickets, SSL_accept() fails + # with SSL_ERROR_SYSCALL and EPIPE errno and the server receives + # SIGPIPE signal. <https://github.com/openssl/openssl/issues/6904> + ok(Net::SSLeay::CTX_set_num_tickets($ctx, 0), 'Session tickets disabled'); + } $pid = fork(); BAIL_OUT("failed to fork: $!") unless defined $pid; @@ -351,7 +362,7 @@ waitpid $pid, 0; push @results, [ $? == 0, 'server exited with 0' ]; END { - Test::More->builder->current_test(51); + Test::More->builder->current_test(52); for my $t (@results) { ok( $t->[0], $t->[1] ); } diff --git a/t/local/36_verify.t b/t/local/36_verify.t index 92afc52..e55b138 100644 --- a/t/local/36_verify.t +++ b/t/local/36_verify.t @@ -282,7 +282,7 @@ sub run_server # Termination request or other message from client my $msg = Net::SSLeay::read($ssl); - if ($msg eq 'end') + if (defined $msg and $msg eq 'end') { Net::SSLeay::write($ssl, 'end'); exit (0); -- 2.14.4
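Review bot: the do/while in the SSL_read hunk makes Net::SSLeay::read() block inside XS until SSL_read() either succeeds or fails hard, which silently changes the contract for callers that put the socket into non-blocking mode and expect SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE back; on such a socket the loop also never sleeps, so it busy-waits. Returning the raw result and doing the retry in the Perl-level helpers (ssl_read_all() and friends) keeps the low-level wrapper faithful to OpenSSL, and the same holds for the SSL_write and SSL_write_partial hunks.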
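Review bot: the `#if OPENSSL_VERSION_NUMBER >= 0x1010100fL` guard around the new SSL_CTX_set_num_tickets()/SSL_CTX_get_num_tickets()/SSL_set_num_tickets()/SSL_get_num_tickets() wrappers only admits the final 1.1.1 release, so the pre-release builds this ticket is being tested against (the report says "current beta") compile without them and the tests that call CTX_set_num_tickets() skip; if the functions exist in the pre-release being used, lower the constant to the pre-release that introduced them and use the same value in the Perl-side `&Net::SSLeay::OPENSSL_VERSION_NUMBER >= 0x1010100f` check in t/local/07_sslecho.t, ideally through one shared constant so the two cannot drift.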
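Review bot: in the lib/Net/SSLeay.pod hunk, "Set to zero if you do not no want to support a session resumption." has a stray "no" (under both CTX_set_num_tickets and set_num_tickets), and the get_num_tickets example passes `$ctx` although the comment and the XS signature take an SSL handle; it should read `my $number_of_tickets = Net::SSLeay::get_num_tickets($ssl);` with `# $ssl - value corresponding to openssl's SSL structure`.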
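Review bot: the comment in the new SKIP block of t/local/07_sslecho.t misspells "handshake" as "handhake" and "connection" as "connectino"; since this block is the one place explaining why tickets are disabled (and the same text is about to be copied into other tests), it is worth fixing before it spreads.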
On Fri 10 Aug 2018 11:09:00, ppisar wrote:
> E.g. SIGPIPE in a server where data are only received and no proper
> two-way TLS shutdown is performed.
>
Due to this I randomly experienced a failure in t/local/36_verify.t:

# Failed test 'Verify callback result and get_verify_result are equal'
# at t/local/36_verify.t line 111.
# got: '-1'
# expected: '0'
# Failed test 'Verify result is X509_V_ERR_NO_EXPLICIT_POLICY'
# at t/local/36_verify.t line 118.
# got: '-1'
# expected: '43'
Bailout called. Further testing stopped: failed to connect to server: Connection refused
FAILED--Further testing stopped: failed to connect to server: Connection refused

Attached patch adds the same SIGPIPE workaround as the previous patch added into t/local/07_sslecho.t.
Subject: Net-SSLeay-1.85-Avoid-SIGPIPE-in-t-local-36_verify.t.patch
From 173cd9c1340f1f5231625a1dd4ecaea10c207622 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> Date: Tue, 14 Aug 2018 16:55:52 +0200 Subject: [PATCH] Avoid SIGPIPE in t/local/36_verify.t MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit t/local/36_verify.t fails randomly with OpenSSL 1.1.1: # Failed test 'Verify callback result and get_verify_result are equal' # at t/local/36_verify.t line 111. # got: '-1' # expected: '0' # Failed test 'Verify result is X509_V_ERR_NO_EXPLICIT_POLICY' # at t/local/36_verify.t line 118. # got: '-1' # expected: '43' Bailout called. Further testing stopped: failed to connect to server: Connection refused FAILED--Further testing stopped: failed to connect to server: Connection refused I believe this because TLSv1.3 server can generate SIGPIPE if a client disconnects too soon. Signed-off-by: Petr Písař <ppisar@redhat.com> --- t/local/36_verify.t | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/t/local/36_verify.t b/t/local/36_verify.t index e55b138..2837288 100644 --- a/t/local/36_verify.t +++ b/t/local/36_verify.t 
@@ -266,10 +266,20 @@ sub run_server return if $pid != 0; + $SIG{'PIPE'} = 'IGNORE'; my $ctx = Net::SSLeay::CTX_new(); Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem); my $ret = Net::SSLeay::CTX_check_private_key($ctx); BAIL_OUT("Server: CTX_check_private_key failed: $cert_pem, $key_pem") unless $ret == 1; + if (&Net::SSLeay::OPENSSL_VERSION_NUMBER >= 0x1010100f) { + # TLS 1.3 server sends session tickets after a handhake as part of + # the SSL_accept(). If a client finishes all its job including closing + # TCP connectino before a server sends the tickets, SSL_accept() fails + # with SSL_ERROR_SYSCALL and EPIPE errno and the server receives + # SIGPIPE signal. <https://github.com/openssl/openssl/issues/6904> + my $ret = Net::SSLeay::CTX_set_num_tickets($ctx, 0); + BAIL_OUT("Session tickets disabled") unless $ret; + } while (1) { -- 2.14.4
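Review bot: in the run_server hunk, `my $ret = Net::SSLeay::CTX_set_num_tickets($ctx, 0);` declares a second lexical `$ret` inside the if block, shadowing the `$ret` from CTX_check_private_key() a few lines above; use a distinct name or drop the `my`. The message in `BAIL_OUT("Session tickets disabled")` describes the success case, so on failure the test would print a misleading line; "Failed to disable session tickets" reads correctly. The block also carries over the "handhake"/"connectino" typos from the 07_sslecho.t comment.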
RT-Send-CC: ppisar [...] redhat.com
Thanks to both of you for persisting with this --- we'll take a look at all of the attached patches, with a view to merging them sometime this week.
On Thu 26 Apr 2018 16:34:25, sebastian@breakpoint.cc wrote:
> The SSL_read() and SSL_write() wrapper need to handle a possible
> retry.
This change breaks the IO-Socket-SSL-1.85 t/core.t test that does

    if ($CAN_NONBLOCK) {
        $client->blocking(0);
        $client->read($buffer, 20, 0);
        is( $SSL_ERROR, SSL_WANT_READ, "Server Nonblocking Check 1");
    }

and hangs by a busy-wait in the $client->read() instead of returning with $SSL_ERROR==SSL_WANT_READ. IO::Socket::SSL has extensive documentation on the non-blocking mode and it looks like Net::SSLeay should not hide the retry. Instead Net::SSLeay should move the retry to the tests and to blocking functions like ssl_read_all().
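The non-blocking expectation above, and the earlier question in this ticket of what to do when SSL_read() reports SSL_ERROR_WANT_WRITE, both point the same way: keep Net::SSLeay::read() raw and let the caller retry, waiting on the descriptor for whichever direction OpenSSL asked for. The following is an added example, not code from Net-SSLeay, IO::Socket::SSL or any patch here; it assumes a connected Net::SSLeay handle attached with Net::SSLeay::set_fd(), and that Net::SSLeay::read() in list context returns the data and the raw SSL_read() result, as the SSLeay.xs context lines on this ticket show:

```perl
# Added example (not Net-SSLeay project code): caller-side retry for
# Net::SSLeay::read() that works on blocking and non-blocking sockets.
use strict;
use warnings;
use Net::SSLeay;

# Wait (with a timeout, in seconds) until the descriptor is readable, or
# writable when OpenSSL asked for a write.  True when ready, false on timeout.
sub wait_for_fd {
    my ($fd, $want_write, $timeout) = @_;
    my $vec = '';
    vec($vec, $fd, 1) = 1;
    my $ready = $want_write
        ? select(undef, $vec, undef, $timeout)
        : select($vec, undef, undef, $timeout);
    return $ready > 0;
}

# Read up to $max bytes.  Returns the data, or '' once the peer has sent
# close_notify (SSL_ERROR_ZERO_RETURN).  Dies on timeout or on a real error.
sub read_with_retry {
    my ($ssl, $max, $timeout) = @_;
    $max     ||= 32768;
    $timeout ||= 30;              # assumed default for this example
    my $fd = Net::SSLeay::get_fd($ssl);

    while (1) {
        # List context: data (undef if SSL_read() failed) and the raw
        # SSL_read() return value that SSL_get_error() needs.
        my ($data, $rv) = Net::SSLeay::read($ssl, $max);
        return $data if defined $data && length $data;

        my $err = Net::SSLeay::get_error($ssl, $rv);
        return '' if $err == Net::SSLeay::ERROR_ZERO_RETURN();

        if ($err == Net::SSLeay::ERROR_WANT_READ()
         || $err == Net::SSLeay::ERROR_WANT_WRITE()) {
            # SSL_read() may legitimately ask for a *write* (for example a
            # renegotiation or a TLS 1.3 key update): wait for the direction
            # it asked for, then call it again with the same arguments.
            wait_for_fd($fd, $err == Net::SSLeay::ERROR_WANT_WRITE(), $timeout)
                or die "timeout waiting for TLS socket\n";
            next;
        }

        if ($err == Net::SSLeay::ERROR_SYSCALL()) {
            # With $SIG{PIPE} ignored, a peer that closed its TCP side shows
            # up here as EPIPE/ECONNRESET instead of a fatal SIGPIPE.
            die "SSL_read: I/O error: $!\n";
        }
        # Protocol-level failure: report the OpenSSL error queue.
        die "SSL_read: " . Net::SSLeay::print_errs('SSL_read') . "\n";
    }
}

1;
```

Because the wait happens in select() rather than by re-entering SSL_read() at once, a non-blocking caller such as the t/core.t check above still sees SSL_ERROR_WANT_READ from the raw read(), while code that wants blocking semantics gets them from this helper without a hot loop.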
On Wed 15 Aug 2018 07:01:58, ppisar wrote:
> On Thu 26 Apr 2018 16:34:25, sebastian@breakpoint.cc wrote:
> > The SSL_read() and SSL_write() wrapper need to handle a possible
> > retry.
>
> This change breaks IO-Socket-SSL-1.85 t/core.t test that does
>
Attached patch moves the retry handling from read()/write() to ssl_read_all(). ssl_write_all() seems to be doing that already. IO-Socket-SSL-1.85 t/core.t passes now. This patch is meant to be applied on top of the previous one. Though there are still other IO-Socket-SSL-1.85 tests that fail or hang (e.g. t/sni.t). Still needs more work.
Subject: Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-.patch
From e0b42b0120b941b5675e4071445424dc8a1230e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> Date: Wed, 15 Aug 2018 14:46:52 +0200 Subject: [PATCH] Move SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE retry from read()/write() up MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Original OpenSSL 1.1.1 fix broke IO-Socket-SSL-2.058's t/core.t test because it tests non-blocking socket operations and expects to see SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE errors and to handle them byt itself. This patch purifies Net::SSLeay::{read,write}() to behave exactly as underlying OpenSSL functions. The retry is moved to Net::SSLeay::ssl_read_all. All relevant Net::SSLeay::{read,write}() calls in tests are changed into Net::SSLea::ssl_{read,write}_all(). All applications should implement the retry themsleves or use ssl_*_all() instead. Signed-off-by: Petr Písař <ppisar@redhat.com> --- SSLeay.xs | 28 +++++++--------------------- lib/Net/SSLeay.pm | 22 +++++++++++++++------- t/local/07_sslecho.t | 12 ++++++------ t/local/36_verify.t | 9 +++++---- 4 files changed, 33 insertions(+), 38 deletions(-) diff --git a/SSLeay.xs b/SSLeay.xs index 5aed4d7..7cb6eab 100644 --- a/SSLeay.xs +++ b/SSLeay.xs @@ -1997,19 +1997,13 @@ SSL_read(s,max=32768) PREINIT: char *buf; int got; + int succeeded = 1; PPCODE: New(0, buf, max, char); - do { - int err; - - got = SSL_read(s, buf, max); - if (got > 0) - break; - err = SSL_get_error(s, got); - if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) - break; - } while (1); + got = SSL_read(s, buf, max); + if (got <= 0 && SSL_ERROR_ZERO_RETURN != SSL_get_error(s, got)) + succeeded = 0; /* If in list context, return 2-item list: * first return value: data gotten, or undef on error (got<0) 
@@ -2017,13 +2011,13 @@ SSL_read(s,max=32768) */ if (GIMME_V==G_ARRAY) { EXTEND(SP, 2); - PUSHs(sv_2mortal(got>=0 ? newSVpvn(buf, got) : newSV(0))); + PUSHs(sv_2mortal(succeeded ? newSVpvn(buf, got) : newSV(0))); PUSHs(sv_2mortal(newSViv(got))); /* If in scalar or void context, return data gotten, or undef on error. */ } else { EXTEND(SP, 1); - PUSHs(sv_2mortal(got>=0 ? newSVpvn(buf, got) : newSV(0))); + PUSHs(sv_2mortal(succeeded ? newSVpvn(buf, got) : newSV(0))); } Safefree(buf); @@ -2066,15 +2060,7 @@ SSL_write(s,buf) INPUT: char * buf = SvPV( ST(1), len); CODE: - do { - ret = SSL_write (s, buf, (int)len); - if (ret > 0) - break; - err = SSL_get_error(s, ret); - if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) - break; - } while (1); - RETVAL = ret; + RETVAL = SSL_write (s, buf, (int)len); OUTPUT: RETVAL diff --git a/lib/Net/SSLeay.pm b/lib/Net/SSLeay.pm index 3adf12c..afc6c8f 100644 --- a/lib/Net/SSLeay.pm +++ b/lib/Net/SSLeay.pm @@ -579,14 +579,22 @@ sub debug_read { sub ssl_read_all { my ($ssl,$how_much) = @_; $how_much = 2000000000 unless $how_much; - my ($got, $errs); + my ($got, $rv, $errs); my $reply = ''; while ($how_much > 0) { - $got = Net::SSLeay::read($ssl, + ($got, $rv) = Net::SSLeay::read($ssl, ($how_much > 32768) ? 32768 : $how_much ); - last if $errs = print_errs('SSL_read'); + if (! defined $got) { + my $err = Net::SSLeay::get_error($ssl, $rv); + if ($err != Net::SSLeay::ERROR_WANT_READ() and + $err != Net::SSLeay::ERROR_WANT_WRITE()) { + $errs = print_errs('SSL_read'); + last; + } + next; + } $how_much -= blength($got); debug_read(\$reply, \$got) if $trace>1; last if $got eq ''; # EOF 
@@ -839,14 +847,14 @@ sub ssl_read_until ($;$$) { $found = index($match, $delim); if ($found > -1) { - #$got = Net::SSLeay::read($ssl, $found+$len_delim); + #$got = Net::SSLeay::ssl_read_all($ssl, $found+$len_delim); #read up to the end of the delimiter - $got = Net::SSLeay::read($ssl, + $got = Net::SSLeay::ssl_read_all($ssl, $found + $len_delim - ((blength($match)) - (blength($got)))); $done = 1; } else { - $got = Net::SSLeay::read($ssl, $peek_length); + $got = Net::SSLeay::ssl_read_all($ssl, $peek_length); $done = 1 if ($peek_length == $max_length - blength($reply)); } @@ -857,7 +865,7 @@ sub ssl_read_until ($;$$) { } } else { while (!defined $max_length || length $reply < $max_length) { - $got = Net::SSLeay::read($ssl,1); # one by one + $got = Net::SSLeay::ssl_read_all($ssl,1); # one by one last if print_errs('SSL_read'); debug_read(\$reply, \$got) if $trace>1; last if $got eq ''; diff --git a/t/local/07_sslecho.t b/t/local/07_sslecho.t index 74e317a..7f19027 100644 --- a/t/local/07_sslecho.t +++ b/t/local/07_sslecho.t @@ -134,10 +134,10 @@ my @results; push @results, [ Net::SSLeay::get_cipher($ssl), 'get_cipher' ]; - push @results, [ Net::SSLeay::write($ssl, $msg), 'write' ]; + push @results, [ Net::SSLeay::ssl_write_all($ssl, $msg), 'write' ]; shutdown($s, 1); - my ($got) = Net::SSLeay::read($ssl); + my $got = Net::SSLeay::ssl_read_all($ssl); push @results, [ $got eq uc($msg), 'read' ]; Net::SSLeay::free($ssl); @@ -177,7 +177,7 @@ my @results; Net::SSLeay::set_fd($ssl, fileno($s)); Net::SSLeay::connect($ssl); - Net::SSLeay::write($ssl, $msg); + Net::SSLeay::ssl_write_all($ssl, $msg); shutdown $s, 2; close $s; 
@@ -231,15 +231,15 @@ my @results; Net::SSLeay::set_fd($ssl3, $s3); Net::SSLeay::connect($ssl1); - Net::SSLeay::write($ssl1, $msg); + Net::SSLeay::ssl_write_all($ssl1, $msg); shutdown $s1, 2; Net::SSLeay::connect($ssl2); - Net::SSLeay::write($ssl2, $msg); + Net::SSLeay::ssl_write_all($ssl2, $msg); shutdown $s2, 2; Net::SSLeay::connect($ssl3); - Net::SSLeay::write($ssl3, $msg); + Net::SSLeay::ssl_write_all($ssl3, $msg); shutdown $s3, 2; close $s1; diff --git a/t/local/36_verify.t b/t/local/36_verify.t index 2837288..b04be13 100644 --- a/t/local/36_verify.t +++ b/t/local/36_verify.t @@ -252,8 +252,9 @@ sub client { Net::SSLeay::set_fd($ssl, $cl); Net::SSLeay::connect($ssl); my $end = "end"; - Net::SSLeay::write($ssl, $end); - ok($end eq Net::SSLeay::read($ssl), 'Successful termination'); + Net::SSLeay::ssl_write_all($ssl, $end); + Net::SSLeay::shutdown($ssl); + ok($end eq Net::SSLeay::ssl_read_all($ssl), 'Successful termination'); return; } @@ -291,10 +292,10 @@ sub run_server next unless $ret == 1; # Termination request or other message from client - my $msg = Net::SSLeay::read($ssl); + my $msg = Net::SSLeay::ssl_read_all($ssl); if (defined $msg and $msg eq 'end') { - Net::SSLeay::write($ssl, 'end'); + Net::SSLeay::ssl_write_all($ssl, 'end'); exit (0); } } -- 2.14.4
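Review bot: the SSL_read hunk now returns undef whenever SSL_get_error() reports anything other than SSL_ERROR_ZERO_RETURN, so the context comment "* first return value: data gotten, or undef on error (got<0)" no longer describes the rule: a `got == 0` result without close_notify (an unexpected EOF reported as SSL_ERROR_SYSCALL) also yields undef now. Update the comment to say undef unless data was read or the peer sent close_notify, and mention that the second list element is the raw SSL_read() result for get_error().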
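Review bot: in the ssl_read_all() hunk, `next` on SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE re-enters Net::SSLeay::read() immediately without waiting on the descriptor, which is fine on a blocking socket but becomes a hot loop on a non-blocking one; since the commit message now makes ssl_*_all() the recommended retrying interface, either document that it is for blocking sockets only or select() on Net::SSLeay::get_fd($ssl) before retrying. The ssl_read_until() hunks also keep `last if print_errs('SSL_read');` after the call, although ssl_read_all() already drains the error queue on failure, so that check can no longer fire.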
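Review bot: in the t/local/36_verify.t client() hunk the client calls Net::SSLeay::shutdown($ssl) and then still expects ssl_read_all() to return the server's "end" reply; that relies on the peer continuing to send application data after receiving close_notify, which is the TLS 1.3 half-close behaviour discussed earlier in this ticket, whereas under TLS <= 1.2 the server is expected to answer close_notify and send nothing further. Either move the shutdown after the read or run this test with a TLS 1.2 negotiation as well to confirm it passes there.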
On Wed Aug 15 11:24:15 2018, ppisar wrote:
> Though there are still other IO-Socket-SSL-1.85 tests that fail or
> hang (e.g. t/sni.t). Still needs more work.
As it stands, this patch set appears to break IO::Socket::SSL's t/nonblock.t tests 13 and 26 ([client] multiple write attempts) on older OpenSSL versions, e.g. on Fedora 28 (OpenSSL 1.1.0h):

t/nonblock.t ......................
1..27
ok # [server] Server Initialization
# connect in progress
ok # [client] client tcp connect
ok # [server] tcp accept
# wrote 9 bytes
ok # [client] write plain text
ok # [server] received plain text
ok # [server] upgrade to_client to IO::Socket::SSL
ok # [client] upgrade client to IO::Socket::SSL
# SSL wants a read first
# SSL wants a read first
ok # [server] ssl accept handshake done
ok # [client] connected
ok # [client] nonblocking connect with 2 attempts
# sndbuf=16384
ok # [server] received client message
# read 30000 (1 r/w attempts)
# $!=Connection reset by peer $SSL_ERROR=SSL write error (5) send=269670
# connection closed
ok # [client] syswrite
not ok # [client] multiple write attempts
ok # [client] 30000 bytes send
# connect in progress
ok # [client] client tcp connect
# wrote 9 bytes
ok # [client] write plain text
ok # [server] tcp accept
ok # [server] received plain text
ok # [server] upgrade to_client to IO::Socket::SSL
ok # [client] upgrade client to IO::Socket::SSL
# SSL wants a read first
# SSL wants a read first
ok # [server] ssl accept handshake done
ok # [server] nonblocking accept_SSL with 2 attempts
ok # [client] connected
# sndbuf=16384
ok # [server] received client message
# read 30000 (2 r/w attempts)
# $!=Connection reset by peer $SSL_ERROR=SSL write error (5) send=269580
# connection closed
ok # [client] syswrite
not ok # [client] multiple write attempts
ok # [client] 30000 bytes send
Failed 2/27 subtests
On Wed 15 Aug 2018 11:24:15, ppisar wrote:
> Attached patch moves the retry handling from read()/write() to
> ssl_read_all(). ssl_write_all() seems already doing that. IO-Socket-
> SSL-1.85 t/core.t passes now. This patch is meant to be applied on top
> of the previous one.
>
> Though there are still other IO-Socket-SSL-1.85 tests that fail or
> hang (e.g. t/sni.t). Still needs more work.
I created a patch that combines:

0001-Adapt-to-OpenSSL-1.1.1.patch
Net-SSLeay-1.85-Avoid-SIGPIPE-in-t-local-36_verify.t.patch
Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-.patch

It also changes the version check to 1.1.1-pre7 (this is where *_get/set_num_tickets was added) so that it's easier to test the changes as of today with current pre-release OpenSSL.
Subject: Net-SSLeay-combo-2018-08-16.patch
diff --git a/SSLeay.xs b/SSLeay.xs index 630f09e..b3d684c 100644 --- a/SSLeay.xs +++ b/SSLeay.xs @@ -1996,9 +1996,13 @@ SSL_read(s,max=32768) PREINIT: char *buf; int got; + int succeeded = 1; PPCODE: New(0, buf, max, char); + got = SSL_read(s, buf, max); + if (got <= 0 && SSL_ERROR_ZERO_RETURN != SSL_get_error(s, got)) + succeeded = 0; /* If in list context, return 2-item list: * first return value: data gotten, or undef on error (got<0) @@ -2006,13 +2010,13 @@ SSL_read(s,max=32768) */ if (GIMME_V==G_ARRAY) { EXTEND(SP, 2); - PUSHs(sv_2mortal(got>=0 ? newSVpvn(buf, got) : newSV(0))); + PUSHs(sv_2mortal(succeeded ? newSVpvn(buf, got) : newSV(0))); PUSHs(sv_2mortal(newSViv(got))); /* If in scalar or void context, return data gotten, or undef on error. */ } else { EXTEND(SP, 1); - PUSHs(sv_2mortal(got>=0 ? newSVpvn(buf, got) : newSV(0))); + PUSHs(sv_2mortal(succeeded ? newSVpvn(buf, got) : newSV(0))); } Safefree(buf); @@ -2050,6 +2054,8 @@ SSL_write(s,buf) SSL * s PREINIT: STRLEN len; + int err; + int ret; INPUT: char * buf = SvPV( ST(1), len); CODE: @@ -2082,8 +2088,20 @@ SSL_write_partial(s,from,count,buf) if (len < 0) { croak("from beyound end of buffer"); RETVAL = -1; - } else - RETVAL = SSL_write (s, &(buf[from]), (count<=len)?count:len); + } else { + int ret; + int err; + + do { + ret = SSL_write (s, &(buf[from]), (count<=len)?count:len); + if (ret > 0) + break; + err = SSL_get_error(s, ret); + if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) + break; + } while (1); + RETVAL = ret; + } OUTPUT: RETVAL @@ -6959,4 +6977,20 @@ SSL_export_keying_material(ssl, outlen, label, p) #endif +#if OPENSSL_VERSION_NUMBER >= 0x10101007L + +int +SSL_CTX_set_num_tickets(SSL_CTX *ctx,size_t num_tickets) + +size_t +SSL_CTX_get_num_tickets(SSL_CTX *ctx) + +int +SSL_set_num_tickets(SSL *ssl,size_t num_tickets) + +size_t +SSL_get_num_tickets(SSL *ssl) + +#endif + #define REM_EOF "/* EOF - SSLeay.xs */" 
diff --git a/lib/Net/SSLeay.pm b/lib/Net/SSLeay.pm index b3d64bb..8e64090 100644 --- a/lib/Net/SSLeay.pm +++ b/lib/Net/SSLeay.pm @@ -578,14 +578,22 @@ sub debug_read { sub ssl_read_all { my ($ssl,$how_much) = @_; $how_much = 2000000000 unless $how_much; - my ($got, $errs); + my ($got, $rv, $errs); my $reply = ''; while ($how_much > 0) { - $got = Net::SSLeay::read($ssl, + ($got, $rv) = Net::SSLeay::read($ssl, ($how_much > 32768) ? 32768 : $how_much ); - last if $errs = print_errs('SSL_read'); + if (! defined $got) { + my $err = Net::SSLeay::get_error($ssl, $rv); + if ($err != Net::SSLeay::ERROR_WANT_READ() and + $err != Net::SSLeay::ERROR_WANT_WRITE()) { + $errs = print_errs('SSL_read'); + last; + } + next; + } $how_much -= blength($got); debug_read(\$reply, \$got) if $trace>1; last if $got eq ''; # EOF @@ -838,14 +846,14 @@ sub ssl_read_until ($;$$) { $found = index($match, $delim); if ($found > -1) { - #$got = Net::SSLeay::read($ssl, $found+$len_delim); + #$got = Net::SSLeay::ssl_read_all($ssl, $found+$len_delim); #read up to the end of the delimiter - $got = Net::SSLeay::read($ssl, + $got = Net::SSLeay::ssl_read_all($ssl, $found + $len_delim - ((blength($match)) - (blength($got)))); $done = 1; } else { - $got = Net::SSLeay::read($ssl, $peek_length); + $got = Net::SSLeay::ssl_read_all($ssl, $peek_length); $done = 1 if ($peek_length == $max_length - blength($reply)); } @@ -856,7 +864,7 @@ sub ssl_read_until ($;$$) { } } else { while (!defined $max_length || length $reply < $max_length) { - $got = Net::SSLeay::read($ssl,1); # one by one + $got = Net::SSLeay::ssl_read_all($ssl,1); # one by one last if print_errs('SSL_read'); debug_read(\$reply, \$got) if $trace>1; last if $got eq ''; diff --git a/lib/Net/SSLeay.pod b/lib/Net/SSLeay.pod index 4d56405..17924e6 100644 --- a/lib/Net/SSLeay.pod +++ b/lib/Net/SSLeay.pod 
@@ -4445,6 +4445,52 @@ getticket($ssl,$ticket,$data) -> $return_value This function is based on the OpenSSL function SSL_set_session_ticket_ext_cb. +=item * CTX_set_num_tickets + +B<COMPATIBILITY:> not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1 + +Set number of session tickets that will be sent to a client. + + my $rv = Net::SSLeay::CTX_set_num_tickets($ctx, $number_of_tickets); + # $ctx - value corresponding to openssl's SSL_CTX structure + # $number_of_tickets - number of tickets to send + # returns: 1 on success, 0 on failure + +Set to zero if you do not no want to support a session resumption. + +=item * CTX_get_num_tickets + +B<COMPATIBILITY:> not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1 + +Get number of session tickets that will be sent to a client. + + my $number_of_tickets = Net::SSLeay::CTX_get_num_tickets($ctx); + # $ctx - value corresponding to openssl's SSL_CTX structure + # returns: number of tickets to send + +=item * set_num_tickets + +B<COMPATIBILITY:> not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1 + +Set number of session tickets that will be sent to a client. + + my $rv = Net::SSLeay::set_num_tickets($ssl, $number_of_tickets); + # $ssl - value corresponding to openssl's SSL structure + # $number_of_tickets - number of tickets to send + # returns: 1 on success, 0 on failure + +Set to zero if you do not no want to support a session resumption. + +=item * get_num_tickets + +B<COMPATIBILITY:> not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1 + +Get number of session tickets that will be sent to a client. + + my $number_of_tickets = Net::SSLeay::get_num_tickets($ctx); + # $ctx - value corresponding to openssl's SSL structure + # returns: number of tickets to send + =item * set_shutdown Sets the shutdown state of $ssl to $mode. diff --git a/t/local/07_sslecho.t b/t/local/07_sslecho.t index 5e16b04..d68176e 100644 
--- a/t/local/07_sslecho.t +++ b/t/local/07_sslecho.t @@ -13,7 +13,8 @@ BEGIN { plan skip_all => "fork() not supported on $^O" unless $Config{d_fork}; } -plan tests => 78; +plan tests => 79; +$SIG{'PIPE'} = 'IGNORE'; my $sock; my $pid; @@ -61,6 +62,16 @@ Net::SSLeay::library_init(); ok(Net::SSLeay::CTX_set_cipher_list($ctx, 'ALL'), 'CTX_set_cipher_list'); my ($dummy, $errs) = Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem); ok($errs eq '', "set_cert_and_key: $errs"); + SKIP: { + skip 'Disabling session tickets requires OpenSSL >= 1.1.1', 1 + unless (&Net::SSLeay::OPENSSL_VERSION_NUMBER >= 0x10101007); + # TLS 1.3 server sends session tickets after a handhake as part of + # the SSL_accept(). If a client finishes all its job including closing + # TCP connectino before a server sends the tickets, SSL_accept() fails + # with SSL_ERROR_SYSCALL and EPIPE errno and the server receives + # SIGPIPE signal. <https://github.com/openssl/openssl/issues/6904> + ok(Net::SSLeay::CTX_set_num_tickets($ctx, 0), 'Session tickets disabled'); + } $pid = fork(); BAIL_OUT("failed to fork: $!") unless defined $pid; @@ -123,10 +134,10 @@ my @results; push @results, [ Net::SSLeay::get_cipher($ssl), 'get_cipher' ]; - push @results, [ Net::SSLeay::write($ssl, $msg), 'write' ]; + push @results, [ Net::SSLeay::ssl_write_all($ssl, $msg), 'write' ]; shutdown($s, 1); - my ($got) = Net::SSLeay::read($ssl); + my $got = Net::SSLeay::ssl_read_all($ssl); push @results, [ $got eq uc($msg), 'read' ]; Net::SSLeay::free($ssl); @@ -166,7 +177,7 @@ my @results; Net::SSLeay::set_fd($ssl, fileno($s)); Net::SSLeay::connect($ssl); - Net::SSLeay::write($ssl, $msg); + Net::SSLeay::ssl_write_all($ssl, $msg); shutdown $s, 2; close $s; 
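Review bot: `push @results, [ Net::SSLeay::ssl_write_all($ssl, $msg), 'write' ];` calls ssl_write_all() in list context, where it returns ($written, $errs), so the element becomes [$written, $errs, 'write'] and the END block's `ok( $t->[0], $t->[1] )` reports an unnamed test instead of 'write'; wrap the call in scalar(). The new comment has typos ('handhake', 'connectino'). Setting `$SIG{'PIPE'} = 'IGNORE';` at file scope together with CTX_set_num_tickets($ctx, 0) silences the symptom, but the cause the comment itself names, the client closing the TCP socket before the server has finished writing, is still in the client hunk below: `Net::SSLeay::ssl_write_all($ssl, $msg); shutdown $s, 2;` with no Net::SSLeay::shutdown($ssl) in between.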
@@ -220,15 +231,15 @@ my @results; Net::SSLeay::set_fd($ssl3, $s3); Net::SSLeay::connect($ssl1); - Net::SSLeay::write($ssl1, $msg); + Net::SSLeay::ssl_write_all($ssl1, $msg); shutdown $s1, 2; Net::SSLeay::connect($ssl2); - Net::SSLeay::write($ssl2, $msg); + Net::SSLeay::ssl_write_all($ssl2, $msg); shutdown $s2, 2; Net::SSLeay::connect($ssl3); - Net::SSLeay::write($ssl3, $msg); + Net::SSLeay::ssl_write_all($ssl3, $msg); shutdown $s3, 2; close $s1; @@ -351,7 +362,7 @@ waitpid $pid, 0; push @results, [ $? == 0, 'server exited with 0' ]; END { - Test::More->builder->current_test(51); + Test::More->builder->current_test(52); for my $t (@results) { ok( $t->[0], $t->[1] ); } diff --git a/t/local/36_verify.t b/t/local/36_verify.t index 92afc52..73c3e1a 100644 --- a/t/local/36_verify.t +++ b/t/local/36_verify.t @@ -252,8 +252,9 @@ sub client { Net::SSLeay::set_fd($ssl, $cl); Net::SSLeay::connect($ssl); my $end = "end"; - Net::SSLeay::write($ssl, $end); - ok($end eq Net::SSLeay::read($ssl), 'Successful termination'); + Net::SSLeay::ssl_write_all($ssl, $end); + Net::SSLeay::shutdown($ssl); + ok($end eq Net::SSLeay::ssl_read_all($ssl), 'Successful termination'); return; } 
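Review bot: the three `Net::SSLeay::ssl_write_all($sslN, $msg); shutdown $sN, 2;` sequences still tear down the TCP socket without a Net::SSLeay::shutdown($sslN) first, which is the root cause of the SIGPIPE this ticket is about and what the upstream issue cited in the comments recommends fixing; sending close_notify before `shutdown $sN, 2` would make the num_tickets workaround unnecessary for these tests. In the 36_verify.t client hunk the added `Net::SSLeay::shutdown($ssl);` is not just hygiene but load-bearing: the run_server() hunk that follows calls `Net::SSLeay::ssl_read_all($ssl)` with no length, which reads until close_notify, so a client that only writes 'end' would hang the server; a one-line comment saying so would save the next reader a debugging session. `ok($end eq Net::SSLeay::ssl_read_all($ssl), 'Successful termination')` gives no diagnostic on failure; `is(Net::SSLeay::ssl_read_all($ssl), $end, ...)` would show what was actually received.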
@@ -266,10 +267,20 @@ sub run_server return if $pid != 0; + $SIG{'PIPE'} = 'IGNORE'; my $ctx = Net::SSLeay::CTX_new(); Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem); my $ret = Net::SSLeay::CTX_check_private_key($ctx); BAIL_OUT("Server: CTX_check_private_key failed: $cert_pem, $key_pem") unless $ret == 1; + if (&Net::SSLeay::OPENSSL_VERSION_NUMBER >= 0x10101007) { + # TLS 1.3 server sends session tickets after a handhake as part of + # the SSL_accept(). If a client finishes all its job including closing + # TCP connectino before a server sends the tickets, SSL_accept() fails + # with SSL_ERROR_SYSCALL and EPIPE errno and the server receives + # SIGPIPE signal. <https://github.com/openssl/openssl/issues/6904> + my $ret = Net::SSLeay::CTX_set_num_tickets($ctx, 0); + BAIL_OUT("Session tickets disabled") unless $ret; + } while (1) { @@ -281,10 +292,10 @@ sub run_server next unless $ret == 1; # Termination request or other message from client - my $msg = Net::SSLeay::read($ssl); - if ($msg eq 'end') + my $msg = Net::SSLeay::ssl_read_all($ssl); + if (defined $msg and $msg eq 'end') { - Net::SSLeay::write($ssl, 'end'); + Net::SSLeay::ssl_write_all($ssl, 'end'); exit (0); } }
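Review bot: `BAIL_OUT("Session tickets disabled") unless $ret;` fires when CTX_set_num_tickets() returned 0, i.e. when disabling failed, so the message says the opposite of what happened; use "Failed to disable session tickets" and drop the `my` so this `$ret` does not shadow the `$ret` checked three lines earlier. `my $msg = Net::SSLeay::ssl_read_all($ssl);` with no $how_much reads until the client sends close_notify or closes, so `if (defined $msg and $msg eq 'end')` now also depends on the client sending nothing after 'end'; a bounded read such as `ssl_read_all($ssl, length 'end')` would make that protocol explicit and not rely on the client's shutdown to terminate the loop. Same comment typos ('handhake', 'connectino') as in 07_sslecho.t.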
On Thu 16 Aug 2018 05:04:53, github@trace.city-fan.org wrote:
> On Wed Aug 15 11:24:15 2018, ppisar wrote:
> > Though there are still other IO-Socket-SSL-1.85 tests that fail or
> > hang (e.g. t/sni.t). Still needs more work.
>
> As it stands, this patch set appears to break IO::Socket::SSL's
> t/nonblock.t tests 13 and 26 ([client] multiple write attempts) on
> older OpenSSL versions, e.g. on Fedora 28 (OpenSSL 1.1.0h):
>
That's because the test uses Net::SSLeay::write_partial() and expects non-blocking behavior. The fix is the same as in the previous reverting patch, to revert the SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE retry in write_partial(). Attached patch does that and documents it.
Subject: Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-from_write_partial.patch
From 122c80853a9bd66f21699fc79a689b3028d00d3b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> Date: Fri, 17 Aug 2018 13:08:44 +0200 Subject: [PATCH] Move SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE retry from write_partial() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Original OpenSSL 1.1.1 fix broke IO-Socket-SSL-2.058's t/nonblock.t test because it tests non-blocking socket operations and expects to see SSL_ERROR_WANT_WRITE errors and to handle them byt itself. This patch purifies Net::SSLeay::write_partial() to behave exactly as underlying OpenSSL SSL_write() function. The retry is already presented in Net::SSLeay::ssl_write_all(). All applications should implement the retry themsleves or use ssl_*_all() instead. Signed-off-by: Petr Písař <ppisar@redhat.com> --- SSLeay.xs | 16 ++-------------- lib/Net/SSLeay.pod | 3 ++- 2 files changed, 4 insertions(+), 15 deletions(-) diff --git a/SSLeay.xs b/SSLeay.xs index 7cb6eab..fc7677f 100644 --- a/SSLeay.xs +++ b/SSLeay.xs @@ -2089,20 +2089,8 @@ SSL_write_partial(s,from,count,buf) if (len < 0) { croak("from beyound end of buffer"); RETVAL = -1; - } else { - int ret; - int err; - - do { - ret = SSL_write (s, &(buf[from]), (count<=len)?count:len); - if (ret > 0) - break; - err = SSL_get_error(s, ret); - if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) - break; - } while (1); - RETVAL = ret; - } + } else + RETVAL = SSL_write (s, &(buf[from]), (count<=len)?count:len); OUTPUT: RETVAL diff --git a/lib/Net/SSLeay.pod b/lib/Net/SSLeay.pod index bca7be4..8b5f738 100644 --- a/lib/Net/SSLeay.pod +++ b/lib/Net/SSLeay.pod 
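Review bot: with the loop gone, a return of 0 or less from write_partial() has to be passed to Net::SSLeay::get_error() by the caller, and after SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE the call must be repeated with the same $from, $count and $data once the socket is ready; that contract belongs in the write_partial pod entry, not only in this commit message. Note from the removed line `- if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE)` that the loop also covered WANT_READ (renegotiation, TLS 1.3 post-handshake messages), so blocking-socket callers of write_partial() lose that too and should move to ssl_write_all(). The surrounding context `croak("from beyound end of buffer"); RETVAL = -1;` is pre-existing, but croak() does not return, so the assignment is dead code and the spelling is 'beyond'; worth a follow-up.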
@@ -4819,7 +4819,8 @@ Check openssl doc L<http://www.openssl.org/docs/ssl/SSL_write.html|http://www.op B<NOTE:> Does not exactly correspond to any low level API function -Writes a fragment of data in $data from the buffer $data into the specified $ssl connection. +Writes a fragment of data in $data from the buffer $data into the specified +$ssl connection. This is a non-blocking function like L<Net::SSLeay::write()>. my $rv = Net::SSLeay::write_partial($ssl, $from, $count, $data); # $ssl - value corresponding to openssl's SSL structure -- 2.14.4
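Review bot: 'This is a non-blocking function like L<Net::SSLeay::write()>' is misleading: on a blocking socket SSL_write() blocks exactly as before; what this patch changes is that write_partial() no longer retries on SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE. Say that directly, e.g. 'Like Net::SSLeay::write(), this does not retry on SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE; check a return of 0 or less with Net::SSLeay::get_error() and repeat the call with the same arguments once the socket is ready, or use Net::SSLeay::ssl_write_all().' Also `L<Net::SSLeay::write()>` renders as a link to a pod page named 'Net::SSLeay::write()', which does not exist; C<Net::SSLeay::write()> is what is wanted here.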
I'm playing with IO-Socket-SSL on top of this patched Net-SSLeay and after some tweaks all IO-Socket-SSL tests pass except three of them:

t/npn.t -- NPN does not work for an unknown reason
t/session_ticket.t -- TLSv1.3 tickets need to use SSL_CTX_sess_set_new_cb(), which is not yet provided by Net-SSLeay.
t/sni_verify.t -- the server dies with SIGPIPE because tickets are sent to a closed TCP socket; trivial to fix with a proper SSL_shutdown in t/sni_verify.t.

I opened a ticket for IO-Socket-SSL (CPAN RT#126899).

I think we should add an SSL_CTX_sess_set_new_cb() wrapper into Net-SSLeay.
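What the commit message of the attached patch asks of applications, retrying on SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE themselves, written out as an added example; this is not code from Net-SSLeay, IO::Socket::SSL, or anyone in this thread. It assumes a Net-SSLeay whose write_partial() behaves like raw SSL_write() with no internal retry, OpenSSL 1.0.2 or later for the X509_VERIFY_PARAM hostname check, and, for the demo at the bottom only, network access to a TLS server given as host:port on the command line; wait_for(), drive_ssl_op(), nb_write_all(), nb_read_some() and nb_shutdown() are names invented here. It also closes the way the ticket's reporter was told to, with SSL_shutdown() before the TCP socket goes away, so a peer's late writes (TLS 1.3 session tickets included) never land on a closed socket.

```perl
#!/usr/bin/perl
# Added example, not Net-SSLeay's or IO::Socket::SSL's code. Assumes write_partial()
# behaves like raw SSL_write() (no internal retry); function names are the example's own.
use strict; use warnings;
use IO::Socket::INET; use IO::Select; use Net::SSLeay;
Net::SSLeay::library_init(); Net::SSLeay::load_error_strings();
$SIG{PIPE} = 'IGNORE';    # EPIPE then surfaces as SSL_ERROR_SYSCALL, not as a signal

# Wait until the socket is usable for what SSL_ERROR_WANT_* asked for.
# True when ready; false on timeout or for any non-retryable error code.
sub wait_for {
    my ($sel, $err, $timeout) = @_;
    return scalar $sel->can_read($timeout)  if $err == Net::SSLeay::ERROR_WANT_READ();
    return scalar $sel->can_write($timeout) if $err == Net::SSLeay::ERROR_WANT_WRITE();
    return 0;    # ZERO_RETURN, SYSCALL, SSL, ...: do not retry
}

# Run one SSL call ($op returns the raw SSL_* result) to completion on a
# non-blocking socket: ($ret, 0) on success, ($ret, SSL_ERROR_*) on error/timeout.
sub drive_ssl_op {
    my ($ssl, $sock, $op, $timeout) = @_;
    my $sel = IO::Select->new($sock);
    while (1) {
        my $ret = $op->();
        return ($ret, 0) if $ret > 0;
        my $err = Net::SSLeay::get_error($ssl, $ret);
        return ($ret, $err) unless wait_for($sel, $err, $timeout);
        # descriptor ready: repeat the identical call, as OpenSSL requires
    }
}

# Write all of $data. $from/$count/$data stay identical across retries of one
# chunk, which SSL_write() requires after SSL_ERROR_WANT_READ/WANT_WRITE.
sub nb_write_all {
    my ($ssl, $sock, $data, $timeout) = @_;
    my ($written, $len) = (0, length $data);
    while ($written < $len) {
        my ($n, $err) = drive_ssl_op($ssl, $sock, sub {
            Net::SSLeay::write_partial($ssl, $written, $len - $written, $data) }, $timeout);
        return ($written, $err) if $err;
        $written += $n;
    }
    return ($written, 0);
}

# Read one chunk: ($bytes, 0); ('', ERROR_ZERO_RETURN) once the peer's
# close_notify arrives; (undef, SSL_ERROR_*) on error or timeout.
sub nb_read_some {
    my ($ssl, $sock, $max, $timeout) = @_;
    my $sel = IO::Select->new($sock);
    while (1) {
        my ($buf, $rv) = Net::SSLeay::read($ssl, $max);    # list context: data + raw result
        return ($buf, 0) if defined $buf && length $buf;
        my $err = Net::SSLeay::get_error($ssl, $rv);
        return ('', $err) if $err == Net::SSLeay::ERROR_ZERO_RETURN();
        return (undef, $err) unless wait_for($sel, $err, $timeout);
    }
}

# Bidirectional close: shutdown() returns 0 once our close_notify is sent and 1
# once the peer's has been read. Only then is closing the TCP socket safe, so
# nothing the peer still writes (a reply, TLS 1.3 tickets) meets a dead fd.
sub nb_shutdown {
    my ($ssl, $sock, $timeout) = @_;
    my $sel = IO::Select->new($sock);
    my $deadline = time + $timeout;
    while (1) {
        my $rv = Net::SSLeay::shutdown($ssl);
        return 1 if $rv == 1;
        my $left = $deadline - time;
        return 0 if $left <= 0;
        my $err = $rv == 0 ? Net::SSLeay::ERROR_WANT_READ()    # ours sent; wait for theirs
                           : Net::SSLeay::get_error($ssl, $rv);
        return 0 unless wait_for($sel, $err, $left);           # timeout or peer already gone
    }
}

# Demo (needs a reachable TLS server): one non-blocking HTTPS request to host:port.
if (!caller) {
    my ($host, $port) = ($ARGV[0] // '') =~ /^(.+):(\d+)$/ or die "usage: $0 host:port\n";
    my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => 'tcp')
        or die "connect: $!\n";
    $sock->blocking(0);
    my $ctx = Net::SSLeay::CTX_new() or die "CTX_new failed\n";
    Net::SSLeay::CTX_set_default_verify_paths($ctx);
    Net::SSLeay::CTX_set_verify($ctx, Net::SSLeay::VERIFY_PEER(), undef);
    my $ssl = Net::SSLeay::new($ctx) or die "SSL_new failed\n";
    Net::SSLeay::set_tlsext_host_name($ssl, $host);                                  # SNI
    Net::SSLeay::X509_VERIFY_PARAM_set1_host(Net::SSLeay::get0_param($ssl), $host);  # OpenSSL >= 1.0.2
    Net::SSLeay::set_mode($ssl, Net::SSLeay::MODE_ENABLE_PARTIAL_WRITE() | Net::SSLeay::MODE_ACCEPT_MOVING_WRITE_BUFFER());
    Net::SSLeay::set_fd($ssl, fileno $sock);
    my (undef, $err) = drive_ssl_op($ssl, $sock, sub { Net::SSLeay::connect($ssl) }, 10);
    die sprintf("handshake failed (SSL error %d): %s\n", $err, Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error())) if $err;
    my ($n, $werr) = nb_write_all($ssl, $sock, "GET / HTTP/1.0\r\nHost: $host\r\nConnection: close\r\n\r\n", 10);
    die "write failed after $n bytes (SSL error $werr)\n" if $werr;
    my $reply = '';
    while (1) {
        my ($chunk) = nb_read_some($ssl, $sock, 16384, 10);
        last unless defined $chunk && length $chunk;    # close_notify, error or timeout
        $reply .= $chunk;
    }
    my ($status) = split /\r?\n/, $reply;
    print $status // '(no reply)', "\n";
    nb_shutdown($ssl, $sock, 5) or warn "clean TLS shutdown did not complete\n";
    Net::SSLeay::free($ssl); Net::SSLeay::CTX_free($ctx); close $sock;
}
```

The rules the code follows are OpenSSL's own: after SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE the same call is repeated with the same $from, $count and $data (MODE_ACCEPT_MOVING_WRITE_BUFFER only relaxes the buffer-address check, not the content), SSL_ERROR_ZERO_RETURN on a read is the peer's close_notify rather than an error, and a 0 from SSL_shutdown() means our close_notify went out while the peer's is still to come, which is why nb_shutdown() waits for readability and calls it again instead of closing the socket.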
On Fri 17 Aug 2018 08:15:17, ppisar wrote:
> I'm playing with IO-Socket-SSL on top of this patched Net-SSLeay and
> after some tweaks all IO-Socket-SSL tests pass except three of them:
>
> t/npn.t -- NPN does not work for an unknown reason
> t/session_ticket.t -- TLSv1.3 tickets need to use
> SSL_CTX_sess_set_new_cb(), which is not yet provided by Net-SSLeay.
> t/sni_verify.t -- the server dies with SIGPIPE because tickets are sent
> to a closed TCP socket; trivial to fix with a proper SSL_shutdown in
> t/sni_verify.t.
>
> I opened a ticket for IO-Socket-SSL (CPAN RT#126899).
>
> I think we should add an SSL_CTX_sess_set_new_cb() wrapper into Net-SSLeay.
Ok, sounds good. I guess that in addition to new_cb() the two other callbacks, remove_cb() and get_cb(), should be added too for completeness' sake.
-- Heikki
On Fri Aug 17 07:23:31 2018, ppisar wrote:
> On Thu 16 Aug 2018 05:04:53, github@trace.city-fan.org wrote:
> > On Wed Aug 15 11:24:15 2018, ppisar wrote:
> > > Though there are still other IO-Socket-SSL-1.85 tests that fail or
> > > hang (e.g. t/sni.t). Still needs more work.
> >
> > As it stands, this patch set appears to break IO::Socket::SSL's
> > t/nonblock.t tests 13 and 26 ([client] multiple write attempts) on
> > older OpenSSL versions, e.g. on Fedora 28 (OpenSSL 1.1.0h):
> >
> That's because the test uses Net::SSLeay::write_partial() and expects
> non-blocking behavior. The fix is the same as in the previous
> reverting patch, to revert the
> SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE retry in write_partial().
>
> Attached patch does that and documents it.
Much better, thanks.
I am trying to patch the Debian package of Net-SSLeay and I can't get the tests to succeed.

I tried:
1. Net-SSLeay-combo-2018-08-16.patch plus Net-SSLeay-combo-2018-08-16.patch
2. all five patches from fedora's perl-Net-SSLeay-1.85-7.fc30.src.rpm

and still:

Test Summary Report
-------------------
t/local/07_sslecho.t (Wstat: 11 Tests: 52 Failed: 14)
  Failed tests: 3, 10-11, 17-18, 24-25, 31-32, 38-39, 45-46
                52
  Non-zero wait status: 11
  Parse errors: Bad plan. You planned 79 tests but ran 52.
t/local/08_pipe.t (Wstat: 512 Tests: 11 Failed: 3)
  Failed tests: 4, 9-10
  Non-zero exit status: 2
t/local/09_ctx_new.t (Wstat: 512 Tests: 40 Failed: 2)
  Failed tests: 26, 28
  Non-zero exit status: 2
t/local/36_verify.t (Wstat: 2048 Tests: 79 Failed: 8)
  Failed tests: 32-33, 41, 53-55, 68, 77
  Non-zero exit status: 8
t/local/64_ticket_sharing.t (Wstat: 65280 Tests: 0 Failed: 0)
  Non-zero exit status: 255
  Parse errors: Bad plan. You planned 15 tests but ran 0.
Files=32, Tests=2933, 4 wallclock secs ( 0.25 usr 0.06 sys + 2.95 cusr 0.38 csys = 3.64 CPU)
Result: FAIL
Failed 5/32 test programs. 27/2933 subtests failed.

What am I doing wrong?
On Thu Aug 23 16:29:51 2018, DAM wrote:
> I am trying to patch the Debian package of Net-SSLeay and I can't get
> the tests to succeed.
>
> I tried:
> 1. Net-SSLeay-combo-2018-08-16.patch plus Net-SSLeay-combo-2018-08-16.patch
> 2. all five patches from fedora's perl-Net-SSLeay-1.85-7.fc30.src.rpm
>
> and still:
>
> Test Summary Report
> -------------------
> t/local/07_sslecho.t (Wstat: 11 Tests: 52 Failed: 14)
>   Failed tests: 3, 10-11, 17-18, 24-25, 31-32, 38-39, 45-46
>                 52
>   Non-zero wait status: 11
>   Parse errors: Bad plan. You planned 79 tests but ran 52.
> t/local/08_pipe.t (Wstat: 512 Tests: 11 Failed: 3)
>   Failed tests: 4, 9-10
>   Non-zero exit status: 2
> t/local/09_ctx_new.t (Wstat: 512 Tests: 40 Failed: 2)
>   Failed tests: 26, 28
>   Non-zero exit status: 2
> t/local/36_verify.t (Wstat: 2048 Tests: 79 Failed: 8)
>   Failed tests: 32-33, 41, 53-55, 68, 77
>   Non-zero exit status: 8
> t/local/64_ticket_sharing.t (Wstat: 65280 Tests: 0 Failed: 0)
>   Non-zero exit status: 255
>   Parse errors: Bad plan. You planned 15 tests but ran 0.
> Files=32, Tests=2933, 4 wallclock secs ( 0.25 usr 0.06 sys + 2.95 cusr 0.38 csys = 3.64 CPU)
> Result: FAIL
> Failed 5/32 test programs. 27/2933 subtests failed.
>
> What am I doing wrong?
You may need to patch openssl too:
https://bugzilla.redhat.com/show_bug.cgi?id=1614884
https://bugzilla.redhat.com/show_bug.cgi?id=1615098
On pe 17.elokuu 2018 10:16:23, RADIATOR wrote: Show quoted text
> Ok, sounds good. I guess that in addition to new_cb() the two others > callbacks, remove_cb() and get_cb() should be added too for > completeness sake.
Github issue now exists to track this: https://github.com/radiator-software/p5-net-ssleay/issues/38
-- Heikki
On Fri 24 Aug 2018 10:05:55, RADIATOR wrote:
> Github issue now exists to track this:
> https://github.com/radiator-software/p5-net-ssleay/issues/38
SSL_CTX_set_num_tickets and other changes were merged separately to github master. What is remaining from the patches posted here are changes to Net::SSLeay::read(), the related convenience functions and tests.

For these, a pull request now exists in github. This pull request also enables OpenSSL 1.1.1-pre9 with Travis CI.

https://github.com/radiator-software/p5-net-ssleay/pull/56

Please see if the above pull request still looks valid. I'd say the changes to Net::SSLeay::read() and the convenience functions are the main changes.

Thanks,
-- Heikki Vatiainen
On Tue 04.Sep 2018 12:11:11, RADIATOR wrote:
> For these, a pull request now exists in github. This pull request
> also enables OpenSSL 1.1.1-pre9 with Travis CI.
>
> https://github.com/radiator-software/p5-net-ssleay/pull/56
This was just merged to master. In case more work related to this needs to be done, please create another RT ticket or github issue.
-- Heikki