Skip Menu |
 

This queue is for tickets about the Net-SSLeay CPAN distribution.

Report information
The Basics
Id: 116118
Status: resolved
Priority: 0/
Queue: Net-SSLeay

People
Owner: Nobody in particular
Requestors: Steffen_Ullrich [...] genua.de
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Support for cross context session ticket sharing using SSL_CTX_set_tlsext_ticket_key_cb
MIME-Version: 1.0
X-Mailer: MIME-tools 5.504 (Entity 5.504)
X-RT-Interface: Web
Message-ID: <rt-4.0.18-15634-1468427967-1007.0-0-0 [...] rt.cpan.org>
X-RT-Original-Encoding: utf-8
Content-Type: multipart/mixed; boundary="----------=_1468427967-15634-2"
X-RT-Encrypt: 0
X-RT-Sign: 0
Content-Length: 0
Content-Disposition: inline
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: binary
Content-Length: 551
Download (untitled) / with headers
text/plain 551b
The attached patch includes support for cross context (and cross process) session sharing using the stateless TLS session tickets. It uses the SSL_CTX_set_tlsext_ticket_key_cb function to manage the encryption and decryption of the tickets but provides a more simplified interface. To not conflict with the OpenSSL name in case the more complex interface will be implemented ever the current simplified interface is called slightly different: CTX_set_tlsext_ticket_*get*key_cb. The patch includes the code, test and documentation. Regards, Steffen
Subject: SSLeay.patch
MIME-Version: 1.0
Content-Type: text/x-patch; name="SSLeay.patch"
X-Mailer: MIME-tools 5.504 (Entity 5.504)
Content-Disposition: inline; filename="SSLeay.patch"
Content-Transfer-Encoding: binary
Content-Length: 14662
Download SSLeay.patch
text/x-diff 14.3k

Message body is not shown because it is too large.

MIME-Version: 1.0
X-Spam-Flag: NO
X-Virus-Scanned: Debian amavisd-new at bestpractical.com
content-type: text/plain; charset="utf-8"
X-Source-Sender: 135.35.96.58.static.exetel.com.au (zulu.localnet) [58.96.35.135]:41607
X-RT-Original-Encoding: utf-8
X-Spam-Score: -5.255
X-Source-Cap: bWlrZW07bWlrZW07Z2F0b3I0MTI5Lmhvc3RnYXRvci5jb20=
Received: from localhost (localhost [127.0.0.1]) by hipster.bestpractical.com (Postfix) with ESMTP id CA91E2402CC for <cpan-bug+Net-SSLeay [...] hipster.bestpractical.com>; Wed, 13 Jul 2016 20:31:25 -0400 (EDT)
Received: from hipster.bestpractical.com ([127.0.0.1]) by localhost (hipster.bestpractical.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mtvAiV-tRxpk for <cpan-bug+Net-SSLeay [...] hipster.bestpractical.com>; Wed, 13 Jul 2016 20:31:24 -0400 (EDT)
Received: from la.mx.develooper.com (x1.develooper.com [207.171.7.70]) by hipster.bestpractical.com (Postfix) with SMTP id 4AC7C2400AD for <bug-Net-SSLeay [...] rt.cpan.org>; Wed, 13 Jul 2016 20:31:24 -0400 (EDT)
Received: (qmail 4794 invoked by alias); 14 Jul 2016 00:31:23 -0000
Received: from gateway33.websitewelcome.com (HELO gateway33.websitewelcome.com) (192.185.145.23) by la.mx.develooper.com (qpsmtpd/0.28) with ESMTP; Wed, 13 Jul 2016 17:31:19 -0700
Received: from cm1.websitewelcome.com (cm.websitewelcome.com [192.185.0.102]) by gateway33.websitewelcome.com (Postfix) with ESMTP id 23D001082B489 for <bug-Net-SSLeay [...] rt.cpan.org>; Wed, 13 Jul 2016 19:31:16 -0500 (CDT)
Received: from gator4129.hostgator.com ([192.185.4.141]) by cm1.websitewelcome.com with id JQXE1t01632ZDfC01QXGLo; Wed, 13 Jul 2016 19:31:16 -0500
Received: from 135.35.96.58.static.exetel.com.au ([58.96.35.135]:41607 helo=zulu.localnet) by gator4129.hostgator.com with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.86_1) (envelope-from <mikem [...] airspayce.com>) id 1bNUYc-0000jU-Ge for bug-Net-SSLeay [...] rt.cpan.org; Wed, 13 Jul 2016 19:31:14 -0500
Delivered-To: cpan-bug+Net-SSLeay [...] hipster.bestpractical.com
Subject: Re: [rt.cpan.org #116118] Support for cross context session ticket sharing using SSL_CTX_set_tlsext_ticket_key_cb
X-Spam-Check-BY: la.mx.develooper.com
Date: Thu, 14 Jul 2016 10:31:11 +1000
X-Spam-Level:
X-Bwhitelist: no
To: bug-Net-SSLeay [...] rt.cpan.org
Content-Transfer-Encoding: 7Bit
X-Source:
X-Source-Args:
In-Reply-To: <rt-4.0.18-15634-1468427967-1805.116118-4-0 [...] rt.cpan.org>
X-Spam-Status: No, score=-5.255 tagged_above=-99.9 required=10 tests=[AWL=0.645, BAYES_00=-1.9, FROM_OUR_RT=-4, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
X-Source-Dir:
X-RT-Interface: API
References: <RT-Ticket-116118 [...] rt.cpan.org> <rt-4.0.18-15634-1468427967-1805.116118-4-0 [...] rt.cpan.org>
Message-ID: <12799868.aps3rtI2mA [...] zulu>
X-Source-Auth: mikem [...] airspayce.com
X-Antiabuse: This header was added to track abuse, please include it with any abuse report
X-Antiabuse: Primary Hostname - gator4129.hostgator.com
X-Antiabuse: Original Domain - rt.cpan.org
X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-Antiabuse: Sender Address Domain - airspayce.com
Organization: AirSpayce Pty Ltd
X-Source-Ip: 58.96.35.135
User-Agent: KMail/4.11.5 (Linux/3.12.57-44-desktop; KDE/4.11.5; i686; ; )
Return-Path: <mikem [...] airspayce.com>
X-RT-Mail-Extension: net-ssleay
X-Original-To: cpan-bug+Net-SSLeay [...] hipster.bestpractical.com
X-Exim-ID: 1bNUYc-0000jU-Ge
X-Email-Count: 5
From: Mike McCauley <mikem [...] airspayce.com>
RT-Message-ID: <rt-4.0.18-7447-1468456286-1137.116118-0-0 [...] rt.cpan.org>
Content-Length: 1447
Download (untitled) / with headers
text/plain 1.4k
Hi Steffen, thanks. Happy to consider this. I notice that SSL_CTX_set_tlsext_ticket_getkey_cb() is declared as returning a long but does not actually return anything. Cheers. On Wednesday, July 13, 2016 12:39:29 PM you wrote: Show quoted text
> Wed Jul 13 12:39:27 2016: Request 116118 was acted upon. > Transaction: Ticket created by SULLR > Queue: Net-SSLeay > Subject: Support for cross context session ticket sharing using > SSL_CTX_set_tlsext_ticket_key_cb > Broken in: (no value) > Severity: (no value) > Owner: Nobody > Requestors: Steffen_Ullrich@genua.de > Status: new > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=116118 > > > > The attached patch includes support for cross context (and cross process) > session sharing using the stateless TLS session tickets. It uses the > SSL_CTX_set_tlsext_ticket_key_cb function to manage the encryption and > decryption of the tickets but provides a more simplified interface. > > To not conflict with the OpenSSL name in case the more complex interface > will be implemented ever the current simplified interface is called > slightly different: CTX_set_tlsext_ticket_*get*key_cb. > > The patch includes the code, test and documentation. > > Regards, > Steffen
-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474
MIME-Version: 1.0
In-Reply-To: <rt-4.0.18-7447-1468456286-1137.116118-0-0 [...] rt.cpan.org>
X-Mailer: MIME-tools 5.504 (Entity 5.504)
X-RT-Interface: Web
References: <RT-Ticket-116118 [...] rt.cpan.org> <rt-4.0.18-15634-1468427967-1805.116118-4-0 [...] rt.cpan.org> <12799868.aps3rtI2mA [...] zulu> <rt-4.0.18-7447-1468456286-1137.116118-0-0 [...] rt.cpan.org>
Content-Type: multipart/mixed; boundary="----------=_1468487660-2898-5"
Message-ID: <rt-4.0.18-2898-1468487660-592.116118-0-0 [...] rt.cpan.org>
X-RT-Original-Encoding: utf-8
X-RT-Encrypt: 0
X-RT-Sign: 0
Content-Length: 0
Content-Disposition: inline
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: binary
X-RT-Original-Encoding: utf-8
Content-Length: 533
Download (untitled) / with headers
text/plain 533b
Show quoted text
> I notice that SSL_CTX_set_tlsext_ticket_getkey_cb() is declared as > returning a > long but does not actually return anything.
Thanks for finding this. This should be void too. The attached new patch fixes this but apart from that there are no changes to the previous patch. Support for this is also incorporated into IO::Socket::SSL now (https://github.com/noxxi/p5-io-socket-ssl/commit/7e5d3647b2) and I've successfully used it in some internal project to enable session reuse over multiple worker processes. Regards, Steffen
MIME-Version: 1.0
Subject: SSLeay.patch
X-Mailer: MIME-tools 5.504 (Entity 5.504)
Content-Type: text/x-patch; name="SSLeay.patch"
Content-Disposition: inline; filename="SSLeay.patch"
Content-Transfer-Encoding: binary
Content-Length: 14664
Download SSLeay.patch
text/x-diff 14.3k

Message body is not shown because it is too large.

MIME-Version: 1.0
X-Spam-Flag: NO
X-Virus-Scanned: Debian amavisd-new at bestpractical.com
content-type: text/plain; charset="utf-8"
X-Source-Sender: 135.35.96.58.static.exetel.com.au (zulu.localnet) [58.96.35.135]:45159
X-RT-Original-Encoding: utf-8
X-Spam-Score: -5.259
X-Source-Cap: bWlrZW07bWlrZW07Z2F0b3I0MTI5Lmhvc3RnYXRvci5jb20=
Received: from localhost (localhost [127.0.0.1]) by hipster.bestpractical.com (Postfix) with ESMTP id 4AC852400AF for <cpan-bug+Net-SSLeay [...] hipster.bestpractical.com>; Thu, 14 Jul 2016 07:21:01 -0400 (EDT)
Received: from hipster.bestpractical.com ([127.0.0.1]) by localhost (hipster.bestpractical.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mk7QT2HFU0vY for <cpan-bug+Net-SSLeay [...] hipster.bestpractical.com>; Thu, 14 Jul 2016 07:20:59 -0400 (EDT)
Received: from la.mx.develooper.com (x1.develooper.com [207.171.7.70]) by hipster.bestpractical.com (Postfix) with SMTP id 6DF712400AE for <bug-Net-SSLeay [...] rt.cpan.org>; Thu, 14 Jul 2016 07:20:58 -0400 (EDT)
Received: (qmail 25366 invoked by alias); 14 Jul 2016 11:20:57 -0000
Received: from gateway21.websitewelcome.com (HELO gateway21.websitewelcome.com) (192.185.45.2) by la.mx.develooper.com (qpsmtpd/0.28) with ESMTP; Thu, 14 Jul 2016 04:20:54 -0700
Received: from cm4.websitewelcome.com (unknown [108.167.139.16]) by gateway21.websitewelcome.com (Postfix) with ESMTP id 3246E31AB399 for <bug-Net-SSLeay [...] rt.cpan.org>; Thu, 14 Jul 2016 06:20:51 -0500 (CDT)
Received: from gator4129.hostgator.com ([192.185.4.141]) by cm4.websitewelcome.com with id JbLq1t00B32ZDfC01bLrzz; Thu, 14 Jul 2016 06:20:51 -0500
Received: from 135.35.96.58.static.exetel.com.au ([58.96.35.135]:45159 helo=zulu.localnet) by gator4129.hostgator.com with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.86_1) (envelope-from <mikem [...] airspayce.com>) id 1bNehF-000S2K-KU for bug-Net-SSLeay [...] rt.cpan.org; Thu, 14 Jul 2016 06:20:49 -0500
Delivered-To: cpan-bug+Net-SSLeay [...] hipster.bestpractical.com
Subject: Re: [rt.cpan.org #116118] Support for cross context session ticket sharing using SSL_CTX_set_tlsext_ticket_key_cb
X-Spam-Check-BY: la.mx.develooper.com
Date: Thu, 14 Jul 2016 21:20:47 +1000
X-Spam-Level:
X-Bwhitelist: no
To: bug-Net-SSLeay [...] rt.cpan.org
Content-Transfer-Encoding: 7Bit
X-Source:
X-Source-Args:
In-Reply-To: <rt-4.0.18-2898-1468487661-1900.116118-5-0 [...] rt.cpan.org>
X-Spam-Status: No, score=-5.259 tagged_above=-99.9 required=10 tests=[AWL=0.641, BAYES_00=-1.9, FROM_OUR_RT=-4, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
X-Source-Dir:
X-RT-Interface: API
References: <RT-Ticket-116118 [...] rt.cpan.org> <rt-4.0.18-7447-1468456286-1137.116118-5-0 [...] rt.cpan.org> <rt-4.0.18-2898-1468487661-1900.116118-5-0 [...] rt.cpan.org>
Message-ID: <2985402.t4cExA5Qgg [...] zulu>
X-Source-Auth: mikem [...] airspayce.com
X-Antiabuse: This header was added to track abuse, please include it with any abuse report
X-Antiabuse: Primary Hostname - gator4129.hostgator.com
X-Antiabuse: Original Domain - rt.cpan.org
X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-Antiabuse: Sender Address Domain - airspayce.com
Organization: AirSpayce Pty Ltd
X-Source-Ip: 58.96.35.135
User-Agent: KMail/4.11.5 (Linux/3.12.57-44-desktop; KDE/4.11.5; i686; ; )
Return-Path: <mikem [...] airspayce.com>
X-RT-Mail-Extension: net-ssleay
X-Original-To: cpan-bug+Net-SSLeay [...] hipster.bestpractical.com
X-Exim-ID: 1bNehF-000S2K-KU
X-Email-Count: 1
From: Mike McCauley <mikem [...] airspayce.com>
RT-Message-ID: <rt-4.0.18-3847-1468495262-792.116118-0-0 [...] rt.cpan.org>
Content-Length: 2461
Download (untitled) / with headers
text/plain 2.4k
Hi Steffen, thanks for the update. Compiles OK now. Alas I find that with openssl-1.1.0 I get a segfault in t/local/64_ticket_sharing.t and with /openssl-1.0.0 I get: t/local/64_ticket_sharing.t ............ 1/15 error:00000001:lib(0):func(0):reason(1) at t/local/64_ticket_sharing.t line 228. # Looks like you planned 15 tests but ran 8. # Looks like your test exited with 255 just after 8. t/local/64_ticket_sharing.t ............ Dubious, test returned 255 (wstat 65280, 0xff00) and with openssl-0.9.8i+extensions I get # Failed test 'handshake with reuse' # at t/local/64_ticket_sharing.t line 40. # got: 'full' # expected: 'reuse' # Failed test 'handshake again with reuse' # at t/local/64_ticket_sharing.t line 41. # got: 'full' # expected: 'reuse' # Failed test 'reuse session with server1' # at t/local/64_ticket_sharing.t line 65. # got: 'full' # expected: 'reuse' # Failed test 'reuse session with server2' # at t/local/64_ticket_sharing.t line 66. # got: 'full' # expected: 'reuse' # Failed test 'reuse session with server2' # at t/local/64_ticket_sharing.t line 90. # got: 'full' # expected: 'reuse' # Failed test 'callback was called 2 times' # at t/local/64_ticket_sharing.t line 91. # got: '1' # expected: '2' # Failed test 'first with the old key name' # at t/local/64_ticket_sharing.t line 92. # got: undef # expected: 'secret' Too late for me to investigate further tonight. More tomorrow. Cheers. On Thursday, July 14, 2016 05:14:22 AM you wrote: Show quoted text
> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=116118 > >
> > I notice that SSL_CTX_set_tlsext_ticket_getkey_cb() is declared as > > returning a > > long but does not actually return anything.
> > Thanks for finding this. This should be void too. > The attached new patch fixes this but apart from that there are no changes > to the previous patch. Support for this is also incorporated into > IO::Socket::SSL now > (https://github.com/noxxi/p5-io-socket-ssl/commit/7e5d3647b2) and I've > successfully used it in some internal project to enable session reuse over > multiple worker processes. > > Regards, > Steffen
-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474
MIME-Version: 1.0
In-Reply-To: <rt-4.0.18-3847-1468495262-792.116118-0-0 [...] rt.cpan.org>
X-Mailer: MIME-tools 5.504 (Entity 5.504)
X-RT-Interface: Web
References: <RT-Ticket-116118 [...] rt.cpan.org> <rt-4.0.18-7447-1468456286-1137.116118-5-0 [...] rt.cpan.org> <rt-4.0.18-2898-1468487661-1900.116118-5-0 [...] rt.cpan.org> <2985402.t4cExA5Qgg [...] zulu> <rt-4.0.18-3847-1468495262-792.116118-0-0 [...] rt.cpan.org>
Content-Type: multipart/mixed; boundary="----------=_1468515673-15102-5"
Message-ID: <rt-4.0.18-15102-1468515673-1220.116118-0-0 [...] rt.cpan.org>
X-RT-Original-Encoding: utf-8
X-RT-Encrypt: 0
X-RT-Sign: 0
Content-Length: 0
Content-Disposition: inline
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: binary
X-RT-Original-Encoding: utf-8
Content-Length: 1742
Download (untitled) / with headers
text/plain 1.7k
Am Do 14. Jul 2016, 07:21:02, mikem@airspayce.com schrieb: Show quoted text
> Hi Steffen, > > thanks for the update. Compiles OK now. > > Alas I find that with openssl-1.1.0 I get a segfault in > t/local/64_ticket_sharing.t
This looks for me like a bug in openssl-1.1.0 which corrupts some memory when SSL_CTX_set_mode is used with SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|SSL_MODE_ENABLE_PARTIAL_WRITE at least when BIO are used. This does not seem to affect IO::Socket::SSL which does not make use BIO but it might affect AnyEvent::TLS. Anyway, this SSL_CTX_set_mode is not needed for this test so I removed this line from the test. Show quoted text
> and with openssl-0.9.8i+extensions > I get > > # Failed test 'handshake with reuse' > # at t/local/64_ticket_sharing.t line 40. > # got: 'full' > # expected: 'reuse'
This happened because 0.9.8 by default uses an SSL 2.0 record and thus does not support TLS extensions. Fixed by explicitly using a TLS 1.0 context. Show quoted text
> and with /openssl-1.0.0 I get: > > t/local/64_ticket_sharing.t ............ 1/15 > error:00000001:lib(0):func(0):reason(1) at t/local/64_ticket_sharing.t line
OpenSSL 1.0.0 (tried 1.0.0t) is really weird. Looks like SSL_do_handshake and the handshake on the wire are kind of broken if session ticket key callback indicates that a renew of the ticket should be done. In this case SSL_do_handshake will indicate that it still requires more data, the key callback will be called multiple times to generate a new ticket and on the wire one can see several unexpected Encrypted Handshake Message and also an unexpected repeated Change Cipher Spec message. I handle this behavior as special case in the test now. Attached is the new patch, with the reworked test. Regards, Steffen
MIME-Version: 1.0
Subject: SSLeay.patch
X-Mailer: MIME-tools 5.504 (Entity 5.504)
Content-Type: text/x-patch; name="SSLeay.patch"
Content-Disposition: inline; filename="SSLeay.patch"
Content-Transfer-Encoding: binary
Content-Length: 15717
Download SSLeay.patch
text/x-diff 15.3k

Message body is not shown because it is too large.

MIME-Version: 1.0
In-Reply-To: <rt-4.0.18-15102-1468515673-1220.116118-0-0 [...] rt.cpan.org>
X-Mailer: MIME-tools 5.504 (Entity 5.504)
Content-Disposition: inline
X-RT-Interface: Web
References: <RT-Ticket-116118 [...] rt.cpan.org> <rt-4.0.18-7447-1468456286-1137.116118-5-0 [...] rt.cpan.org> <rt-4.0.18-2898-1468487661-1900.116118-5-0 [...] rt.cpan.org> <2985402.t4cExA5Qgg [...] zulu> <rt-4.0.18-3847-1468495262-792.116118-0-0 [...] rt.cpan.org> <rt-4.0.18-15102-1468515673-1220.116118-0-0 [...] rt.cpan.org>
Content-Type: text/plain; charset="utf-8"
Message-ID: <rt-4.0.18-15959-1468523710-1630.116118-0-0 [...] rt.cpan.org>
Content-Transfer-Encoding: binary
X-RT-Original-Encoding: utf-8
X-RT-Encrypt: 0
X-RT-Sign: 0
Content-Length: 384
Download (untitled) / with headers
text/plain 384b
Am Do 14. Jul 2016, 13:01:13, SULLR schrieb: Show quoted text
> ... > This looks for me like a bug in openssl-1.1.0
Fortunately this is not a bug in OpenSSL. I just used SSL_CTX_set_mode instead of SSL_set_mode on the SSL object and the code only crashed with 1.1.0 although it was invalid was all the others too. No further changes to the patch needed since I've remove the use of SSL_CTX_set_mode.
MIME-Version: 1.0
X-Spam-Flag: NO
X-Virus-Scanned: Debian amavisd-new at bestpractical.com
content-type: text/plain; charset="utf-8"
X-Source-Sender: 135.35.96.58.static.exetel.com.au (zulu.localnet) [58.96.35.135]:47061
X-RT-Original-Encoding: utf-8
X-Spam-Score: -5.263
X-Source-Cap: bWlrZW07bWlrZW07Z2F0b3I0MTI5Lmhvc3RnYXRvci5jb20=
Received: from localhost (localhost [127.0.0.1]) by hipster.bestpractical.com (Postfix) with ESMTP id C01A32403A4 for <cpan-bug+Net-SSLeay [...] hipster.bestpractical.com>; Fri, 15 Jul 2016 01:41:28 -0400 (EDT)
Received: from hipster.bestpractical.com ([127.0.0.1]) by localhost (hipster.bestpractical.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zhnwKDkqzAJ0 for <cpan-bug+Net-SSLeay [...] hipster.bestpractical.com>; Fri, 15 Jul 2016 01:41:27 -0400 (EDT)
Received: from la.mx.develooper.com (x1.develooper.com [207.171.7.70]) by hipster.bestpractical.com (Postfix) with SMTP id 3AAB424039E for <bug-Net-SSLeay [...] rt.cpan.org>; Fri, 15 Jul 2016 01:41:27 -0400 (EDT)
Received: (qmail 28883 invoked by alias); 15 Jul 2016 05:41:26 -0000
Received: from gateway31.websitewelcome.com (HELO gateway31.websitewelcome.com) (192.185.144.28) by la.mx.develooper.com (qpsmtpd/0.28) with ESMTP; Thu, 14 Jul 2016 22:41:24 -0700
Received: from cm7.websitewelcome.com (cm7.websitewelcome.com [108.167.139.20]) by gateway31.websitewelcome.com (Postfix) with ESMTP id A366C134750E0 for <bug-Net-SSLeay [...] rt.cpan.org>; Fri, 15 Jul 2016 00:41:15 -0500 (CDT)
Received: from gator4129.hostgator.com ([192.185.4.141]) by cm7.websitewelcome.com with id JthE1t00L32ZDfC01thFAG; Fri, 15 Jul 2016 00:41:15 -0500
Received: from 135.35.96.58.static.exetel.com.au ([58.96.35.135]:47061 helo=zulu.localnet) by gator4129.hostgator.com with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.86_1) (envelope-from <mikem [...] airspayce.com>) id 1bNvsA-000NIz-5c for bug-Net-SSLeay [...] rt.cpan.org; Fri, 15 Jul 2016 00:41:14 -0500
Delivered-To: cpan-bug+Net-SSLeay [...] hipster.bestpractical.com
Subject: Re: [rt.cpan.org #116118] Support for cross context session ticket sharing using SSL_CTX_set_tlsext_ticket_key_cb
X-Spam-Check-BY: la.mx.develooper.com
Date: Fri, 15 Jul 2016 15:41:12 +1000
X-Spam-Level:
X-Bwhitelist: no
To: bug-Net-SSLeay [...] rt.cpan.org
Content-Transfer-Encoding: 7Bit
X-Source:
X-Source-Args:
In-Reply-To: <rt-4.0.18-15102-1468515673-1151.116118-5-0 [...] rt.cpan.org>
X-Spam-Status: No, score=-5.263 tagged_above=-99.9 required=10 tests=[AWL=0.637, BAYES_00=-1.9, FROM_OUR_RT=-4, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
X-Source-Dir:
X-RT-Interface: API
References: <RT-Ticket-116118 [...] rt.cpan.org> <rt-4.0.18-3847-1468495262-792.116118-5-0 [...] rt.cpan.org> <rt-4.0.18-15102-1468515673-1151.116118-5-0 [...] rt.cpan.org>
Message-ID: <1626946.NejBA9N0py [...] zulu>
X-Source-Auth: mikem [...] airspayce.com
X-Antiabuse: This header was added to track abuse, please include it with any abuse report
X-Antiabuse: Primary Hostname - gator4129.hostgator.com
X-Antiabuse: Original Domain - rt.cpan.org
X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-Antiabuse: Sender Address Domain - airspayce.com
Organization: AirSpayce Pty Ltd
X-Source-Ip: 58.96.35.135
User-Agent: KMail/4.11.5 (Linux/3.12.57-44-desktop; KDE/4.11.5; i686; ; )
Return-Path: <mikem [...] airspayce.com>
X-RT-Mail-Extension: net-ssleay
X-Original-To: cpan-bug+Net-SSLeay [...] hipster.bestpractical.com
X-Exim-ID: 1bNvsA-000NIz-5c
X-Email-Count: 7
From: Mike McCauley <mikem [...] airspayce.com>
RT-Message-ID: <rt-4.0.18-31446-1468561289-199.116118-0-0 [...] rt.cpan.org>
Content-Length: 2972
Download (untitled) / with headers
text/plain 2.9k
Hi Steffen, Thanks thats much better, but: openssl-1.0.0d and openssl-1.0.0, where I get: mikem@zulu:/usr/local/projects/net-ssleay/trunk$ perl -I blib/lib -I blib/arch/ t/local/64_ticket_sharing.t 1..15 ok 1 - initial handshake is full ok 2 - another full handshake ok 3 - handshake with reuse ok 4 - handshake again with reuse ok 5 - handshake with server2 is full ok 6 - initial full handshake with server1 ok 7 - reuse session with server1 ok 8 - reuse session with server2 error:00000001:lib(0):func(0):reason(1) at t/local/64_ticket_sharing.t line 262. # Looks like you planned 15 tests but ran 8. # Looks like your test exited with 255 just after 8. all else is good, including openssl-1.1.0, openssl-0.9.8i+extensions and libressl-2.4.1, and many other 1.0.x Cheers. On Thursday, July 14, 2016 01:01:14 PM Steffen Ullrich via RT wrote: Show quoted text
> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=116118 > > > Am Do 14. Jul 2016, 07:21:02, mikem@airspayce.com schrieb:
> > Hi Steffen, > > > > thanks for the update. Compiles OK now. > > > > Alas I find that with openssl-1.1.0 I get a segfault in > > t/local/64_ticket_sharing.t
> > This looks for me like a bug in openssl-1.1.0 which corrupts some memory > when SSL_CTX_set_mode is used with > SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|SSL_MODE_ENABLE_PARTIAL_WRITE at least > when BIO are used. This does not seem to affect IO::Socket::SSL which does > not make use BIO but it might affect AnyEvent::TLS. Anyway, this > SSL_CTX_set_mode is not needed for this test so I removed this line from > the test.
> > and with openssl-0.9.8i+extensions > > I get > > > > # Failed test 'handshake with reuse' > > # at t/local/64_ticket_sharing.t line 40. > > # got: 'full' > > # expected: 'reuse'
> > This happened because 0.9.8 by default uses an SSL 2.0 record and thus does > not support TLS extensions. Fixed by explicitly using a TLS 1.0 context. >
> > and with /openssl-1.0.0 I get: > > > > t/local/64_ticket_sharing.t ............ 1/15 > > error:00000001:lib(0):func(0):reason(1) at t/local/64_ticket_sharing.t > > line
> > OpenSSL 1.0.0 (tried 1.0.0t) is really weird. Looks like SSL_do_handshake > and the handshake on the wire are kind of broken if session ticket key > callback indicates that a renew of the ticket should be done. In this case > SSL_do_handshake will indicate that it still requires more data, the key > callback will be called multiple times to generate a new ticket and on the > wire one can see several unexpected Encrypted Handshake Message and also an > unexpected repeated Change Cipher Spec message. I handle this behavior as > special case in the test now. > > Attached is the new patch, with the reworked test. > > Regards, > Steffen
-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474
MIME-Version: 1.0
In-Reply-To: <rt-4.0.18-31446-1468561289-199.116118-0-0 [...] rt.cpan.org>
X-Mailer: MIME-tools 5.504 (Entity 5.504)
X-RT-Interface: Web
References: <RT-Ticket-116118 [...] rt.cpan.org> <rt-4.0.18-3847-1468495262-792.116118-5-0 [...] rt.cpan.org> <rt-4.0.18-15102-1468515673-1151.116118-5-0 [...] rt.cpan.org> <1626946.NejBA9N0py [...] zulu> <rt-4.0.18-31446-1468561289-199.116118-0-0 [...] rt.cpan.org>
Content-Type: multipart/mixed; boundary="----------=_1468563573-4050-2"
Message-ID: <rt-4.0.18-4050-1468563573-803.116118-0-0 [...] rt.cpan.org>
X-RT-Original-Encoding: utf-8
X-RT-Encrypt: 0
X-RT-Sign: 0
Content-Length: 0
Content-Disposition: inline
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: binary
X-RT-Original-Encoding: utf-8
Content-Length: 574
Download (untitled) / with headers
text/plain 574b
Am Fr 15. Jul 2016, 01:41:29, mikem@airspayce.com schrieb: Show quoted text
> ... > ok 8 - reuse session with server2 > error:00000001:lib(0):func(0):reason(1) at t/local/64_ticket_sharing.t
That's not funny anymore. It looks like that while support for SSL_CTX_set_tlsext_ticket_key_cb was added with 0.9.8 already it was unstable...broken in various ways in the 1.0.0. versions. In the specific case of 1.0.0d the client could not handle the session ticket created by the server which caused this error. Therefore I've enabled the feature now only for 1.0.1 and better. Regards, Steffen
MIME-Version: 1.0
Subject: SSLeay.patch
X-Mailer: MIME-tools 5.504 (Entity 5.504)
Content-Type: text/x-patch; name="SSLeay.patch"
Content-Disposition: inline; filename="SSLeay.patch"
Content-Transfer-Encoding: binary
Content-Length: 16257
Download SSLeay.patch
text/x-diff 15.8k

Message body is not shown because it is too large.

MIME-Version: 1.0
X-Spam-Flag: NO
X-Virus-Scanned: Debian amavisd-new at bestpractical.com
content-type: text/plain; charset="utf-8"
X-Source-Sender: 135.35.96.58.static.exetel.com.au (zulu.localnet) [58.96.35.135]:47320
X-RT-Original-Encoding: utf-8
X-Spam-Score: -5.266
X-Source-Cap: bWlrZW07bWlrZW07Z2F0b3I0MTI5Lmhvc3RnYXRvci5jb20=
Received: from localhost (localhost [127.0.0.1]) by hipster.bestpractical.com (Postfix) with ESMTP id 4C40E240378 for <cpan-bug+Net-SSLeay [...] hipster.bestpractical.com>; Fri, 15 Jul 2016 02:36:19 -0400 (EDT)
Received: from hipster.bestpractical.com ([127.0.0.1]) by localhost (hipster.bestpractical.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DAXXaFi7Mr69 for <cpan-bug+Net-SSLeay [...] hipster.bestpractical.com>; Fri, 15 Jul 2016 02:36:18 -0400 (EDT)
Received: from la.mx.develooper.com (x1.develooper.com [207.171.7.70]) by hipster.bestpractical.com (Postfix) with SMTP id ACB16240279 for <bug-Net-SSLeay [...] rt.cpan.org>; Fri, 15 Jul 2016 02:36:03 -0400 (EDT)
Received: (qmail 30339 invoked by alias); 15 Jul 2016 06:36:03 -0000
Received: from gateway20.websitewelcome.com (HELO gateway20.websitewelcome.com) (192.185.64.36) by la.mx.develooper.com (qpsmtpd/0.28) with ESMTP; Thu, 14 Jul 2016 23:36:01 -0700
Received: from cm3.websitewelcome.com (unknown [108.167.139.23]) by gateway20.websitewelcome.com (Postfix) with ESMTP id 75518D866325E for <bug-Net-SSLeay [...] rt.cpan.org>; Fri, 15 Jul 2016 01:35:57 -0500 (CDT)
Received: from gator4129.hostgator.com ([192.185.4.141]) by cm3.websitewelcome.com with id Jubw1t00P32ZDfC01ubxMo; Fri, 15 Jul 2016 01:35:57 -0500
Received: from 135.35.96.58.static.exetel.com.au ([58.96.35.135]:47320 helo=zulu.localnet) by gator4129.hostgator.com with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.86_1) (envelope-from <mikem [...] airspayce.com>) id 1bNwj5-000FE5-U9 for bug-Net-SSLeay [...] rt.cpan.org; Fri, 15 Jul 2016 01:35:56 -0500
Delivered-To: cpan-bug+Net-SSLeay [...] hipster.bestpractical.com
Subject: Re: [rt.cpan.org #116118] Support for cross context session ticket sharing using SSL_CTX_set_tlsext_ticket_key_cb
X-Spam-Check-BY: la.mx.develooper.com
Date: Fri, 15 Jul 2016 16:35:52 +1000
X-Spam-Level:
X-Bwhitelist: no
To: bug-Net-SSLeay [...] rt.cpan.org
Content-Transfer-Encoding: 7Bit
X-Source:
X-Source-Args:
In-Reply-To: <rt-4.0.18-4050-1468563573-1814.116118-5-0 [...] rt.cpan.org>
X-Spam-Status: No, score=-5.266 tagged_above=-99.9 required=10 tests=[AWL=0.634, BAYES_00=-1.9, FROM_OUR_RT=-4, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
X-Source-Dir:
X-RT-Interface: API
References: <RT-Ticket-116118 [...] rt.cpan.org> <rt-4.0.18-31446-1468561289-199.116118-5-0 [...] rt.cpan.org> <rt-4.0.18-4050-1468563573-1814.116118-5-0 [...] rt.cpan.org>
Message-ID: <1730411.YBCtjMxrH0 [...] zulu>
X-Source-Auth: mikem [...] airspayce.com
X-Antiabuse: This header was added to track abuse, please include it with any abuse report
X-Antiabuse: Primary Hostname - gator4129.hostgator.com
X-Antiabuse: Original Domain - rt.cpan.org
X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-Antiabuse: Sender Address Domain - airspayce.com
Organization: AirSpayce Pty Ltd
X-Source-Ip: 58.96.35.135
User-Agent: KMail/4.11.5 (Linux/3.12.57-44-desktop; KDE/4.11.5; i686; ; )
Return-Path: <mikem [...] airspayce.com>
X-RT-Mail-Extension: net-ssleay
X-Original-To: cpan-bug+Net-SSLeay [...] hipster.bestpractical.com
X-Exim-ID: 1bNwj5-000FE5-U9
X-Email-Count: 1
From: Mike McCauley <mikem [...] airspayce.com>
RT-Message-ID: <rt-4.0.18-32444-1468564580-1147.116118-0-0 [...] rt.cpan.org>
Content-Length: 1021
Download (untitled) / with headers
text/plain 1021b
Hi Steffen, thanks thats all good now. Pushed to SVN version 470 Cheers. On Friday, July 15, 2016 02:19:34 AM you wrote: Show quoted text
> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=116118 > > > Am Fr 15. Jul 2016, 01:41:29, mikem@airspayce.com schrieb:
> > ... > > ok 8 - reuse session with server2 > > error:00000001:lib(0):func(0):reason(1) at t/local/64_ticket_sharing.t
> > That's not funny anymore. It looks like that while support for > SSL_CTX_set_tlsext_ticket_key_cb was added with 0.9.8 already it was > unstable...broken in various ways in the 1.0.0. versions. In the specific > case of 1.0.0d the client could not handle the session ticket created by > the server which caused this error. Therefore I've enabled the feature now > only for 1.0.1 and better. > > Regards, > Steffen
-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474
MIME-Version: 1.0
In-Reply-To: <rt-4.0.18-32444-1468564580-1147.116118-0-0 [...] rt.cpan.org>
X-Mailer: MIME-tools 5.504 (Entity 5.504)
X-RT-Interface: Web
References: <RT-Ticket-116118 [...] rt.cpan.org> <rt-4.0.18-31446-1468561289-199.116118-5-0 [...] rt.cpan.org> <rt-4.0.18-4050-1468563573-1814.116118-5-0 [...] rt.cpan.org> <1730411.YBCtjMxrH0 [...] zulu> <rt-4.0.18-32444-1468564580-1147.116118-0-0 [...] rt.cpan.org>
Content-Type: multipart/mixed; boundary="----------=_1471952098-21143-2"
Message-ID: <rt-4.0.18-21143-1471952098-477.116118-0-0 [...] rt.cpan.org>
X-RT-Original-Encoding: utf-8
X-RT-Encrypt: 0
X-RT-Sign: 0
Content-Length: 0
Content-Disposition: inline
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: binary
X-RT-Original-Encoding: utf-8
Content-Length: 689
Download (untitled) / with headers
text/plain 689b
Am Fr 15. Jul 2016, 02:36:20, mikem@airspayce.com schrieb: Show quoted text
> Hi Steffen, > > thanks thats all good now. >
Hi Mike, while writing a test for IO::Socket::SSL I've noticed some very weird behavior, like unexpected changes in the control flow of the Perl program which seemed to be triggered by the ticket key callback. Turns out that these effects were caused by missing cleanups in the XS code, i.e. PUTBACK, FREETMPS and LEAVE :( The attached patch resolves this issue. I've tested it with openssl versions 1.0.2g, 1.0.2c, 1.1.0 and 1.0.1. I don't expect any problems with other versions since the code is basically doing the same as before, only with proper cleanups at the right time.
MIME-Version: 1.0
Subject: SSLeay.patch
X-Mailer: MIME-tools 5.504 (Entity 5.504)
Content-Type: text/x-patch; name="SSLeay.patch"
Content-Disposition: inline; filename="SSLeay.patch"
Content-Transfer-Encoding: binary
Content-Length: 3026
Download SSLeay.patch
text/x-diff 2.9k
Index: SSLeay.xs =================================================================== --- SSLeay.xs (revision 478) +++ SSLeay.xs (working copy) @@ -1256,12 +1256,11 @@ ){ dSP; - int count; + int count,usable_rv_count; SV *cb_func, *cb_data; - SV *sv_name, *sv_key; STRLEN svlen; - unsigned char *key; /* key[0..15] aes, key[16..32] hmac */ - unsigned char *name; + unsigned char key[32]; /* key[0..15] aes, key[16..32] hmac */ + unsigned char name[16]; SSL_CTX *ctx = SSL_get_SSL_CTX(ssl); PR1("STARTED: tlsext_ticket_key_cb_invoke\n"); @@ -1274,6 +1273,7 @@ ENTER; SAVETMPS; PUSHMARK(SP); + XPUSHs(sv_2mortal(newSVsv(cb_data))); if (!enc) { @@ -1283,29 +1283,50 @@ /* call as getkey(data) -> (key,current_name) */ } + PUTBACK; - PUTBACK; count = call_sv( cb_func, G_ARRAY ); SPAGAIN; - if (count>0) sv_name = POPs; - if (count>1) sv_key = POPs; - if (!enc && ( !count || !SvOK(sv_key) )) { + if (count>2) + croak("too much return values - only (name,key) should be returned"); + + usable_rv_count = 0; + if (count>0) { + SV *sname = POPs; + if (SvOK(sname)) { + unsigned char *pname = SvPV(sname,svlen); + if (svlen > 16) + croak("name must be at at most 16 bytes, got %d",svlen); + if (svlen == 0) + croak("name should not be empty"); + memset(name, 0, 16); + memcpy(name,pname,svlen); + usable_rv_count++; + } + } + if (count>1) { + SV *skey = POPs; + if (SvOK(skey)) { + unsigned char *pkey = SvPV(skey,svlen); + if (svlen != 32) + croak("key must be exactly 32 random bytes, got %d",svlen); + memcpy(key,pkey,32); + usable_rv_count++; + } + } + + PUTBACK; + FREETMPS; + LEAVE; + + if (!enc && usable_rv_count == 0) { TRACE(2,"no key returned for ticket"); return 0; } - - if (count != 2) + if (usable_rv_count != 2) croak("key functions needs to return (key,name)"); - key = SvPV(sv_key,svlen); - if (svlen < 32) - croak("key must be at least 32 random bytes, got %d",svlen); - name = SvPV(sv_name,svlen); - if (svlen != 16) - croak("name should be exactly 16 characters, got %d",svlen); - if (svlen == 0) - croak("name should not be empty"); if (enc) { /* encrypt ticket information with given key */ @@ -1312,18 +1333,14 @@ RAND_bytes(iv, 16); EVP_EncryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key, iv); HMAC_Init_ex(hctx,key+16,16,EVP_sha256(),NULL); - memset(key_name, 0, 16); - memcpy(key_name,name,svlen); + memcpy(key_name,name,16); return 1; + } else { - unsigned char new_name[16]; - memset(new_name, 0, sizeof(new_name)); - memcpy(new_name,name,svlen); - HMAC_Init_ex(hctx,key+16,16,EVP_sha256(),NULL); EVP_DecryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key, iv); - if (memcmp(new_name,key_name,16) == 0) + if (memcmp(name,key_name,16) == 0) return 1; /* current key was used */ else return 2; /* different key was used, need to be renewed */
MIME-Version: 1.0 (1.0)
X-Spam-Flag: NO
X-Virus-Scanned: Debian amavisd-new at bestpractical.com
content-type: text/plain; charset="utf-8"
X-Source-Sender: 73.138.62.81.dynamic.wline.res.cust.swisscom.ch ([172.29.12.5]) [81.62.138.73]:52129
X-RT-Original-Encoding: utf-8
X-Spam-Score: -5.899
X-Source-Cap: bWlrZW07bWlrZW07Z2F0b3I0MTI5Lmhvc3RnYXRvci5jb20=
Received: from localhost (localhost [127.0.0.1]) by hipster.bestpractical.com (Postfix) with ESMTP id 7A8D4240341 for <cpan-bug+Net-SSLeay [...] hipster.bestpractical.com>; Tue, 23 Aug 2016 09:45:32 -0400 (EDT)
Received: from hipster.bestpractical.com ([127.0.0.1]) by localhost (hipster.bestpractical.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R+GJNGYs7Ppr for <cpan-bug+Net-SSLeay [...] hipster.bestpractical.com>; Tue, 23 Aug 2016 09:45:29 -0400 (EDT)
Received: from la.mx.develooper.com (x1.develooper.com [207.171.7.70]) by hipster.bestpractical.com (Postfix) with SMTP id 5BBB4240328 for <bug-Net-SSLeay [...] rt.cpan.org>; Tue, 23 Aug 2016 09:45:29 -0400 (EDT)
Received: (qmail 2369 invoked by alias); 23 Aug 2016 13:45:28 -0000
Received: from gateway34.websitewelcome.com (HELO gateway34.websitewelcome.com) (192.185.148.109) by la.mx.develooper.com (qpsmtpd/0.28) with ESMTP; Tue, 23 Aug 2016 06:45:25 -0700
Received: from cm6.websitewelcome.com (cm6.websitewelcome.com [108.167.139.19]) by gateway34.websitewelcome.com (Postfix) with ESMTP id D7ED45C127FFC for <bug-Net-SSLeay [...] rt.cpan.org>; Tue, 23 Aug 2016 08:45:21 -0500 (CDT)
Received: from gator4129.hostgator.com ([192.185.4.141]) by cm6.websitewelcome.com with id adlL1t00i32ZDfC01dlMvN; Tue, 23 Aug 2016 08:45:21 -0500
Received: from 73.138.62.81.dynamic.wline.res.cust.swisscom.ch ([81.62.138.73]:52129 helo=[172.29.12.5]) by gator4129.hostgator.com with esmtpsa (TLSv1:ECDHE-RSA-AES256-SHA:256) (Exim 4.86_1) (envelope-from <mikem [...] airspayce.com>) id 1bcC12-000QJU-1j for bug-Net-SSLeay [...] rt.cpan.org; Tue, 23 Aug 2016 08:45:20 -0500
Delivered-To: cpan-bug+Net-SSLeay [...] hipster.bestpractical.com
Subject: Re: [rt.cpan.org #116118] Support for cross context session ticket sharing using SSL_CTX_set_tlsext_ticket_key_cb
X-Spam-Check-BY: la.mx.develooper.com
Date: Tue, 23 Aug 2016 15:45:17 +0200
X-Spam-Level:
X-Bwhitelist: no
To: bug-Net-SSLeay [...] rt.cpan.org
Content-Transfer-Encoding: quoted-printable
X-Source:
X-Source-Args:
In-Reply-To: <rt-4.0.18-21143-1471952098-1076.116118-5-0 [...] rt.cpan.org>
X-Spam-Status: No, score=-5.899 tagged_above=-99.9 required=10 tests=[BAYES_00=-1.9, FROM_OUR_RT=-4, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
X-Mailer: iPhone Mail (13G35)
X-Source-Dir:
X-RT-Interface: API
References: <RT-Ticket-116118 [...] rt.cpan.org> <rt-4.0.18-31446-1468561289-199.116118-5-0 [...] rt.cpan.org> <rt-4.0.18-4050-1468563573-1814.116118-5-0 [...] rt.cpan.org> <1730411.YBCtjMxrH0 [...] zulu> <rt-4.0.18-32444-1468564580-1147.116118-5-0 [...] rt.cpan.org> <rt-4.0.18-21143-1471952098-1076.116118-5-0 [...] rt.cpan.org>
Message-ID: <5AC97F01-E42F-4CA8-B57A-8699A5DC9747 [...] airspayce.com>
X-Source-Auth: mikem [...] airspayce.com
X-Antiabuse: This header was added to track abuse, please include it with any abuse report
X-Antiabuse: Primary Hostname - gator4129.hostgator.com
X-Antiabuse: Original Domain - rt.cpan.org
X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-Antiabuse: Sender Address Domain - airspayce.com
X-Source-Ip: 81.62.138.73
Return-Path: <mikem [...] airspayce.com>
X-RT-Mail-Extension: net-ssleay
X-Original-To: cpan-bug+Net-SSLeay [...] hipster.bestpractical.com
X-Exim-ID: 1bcC12-000QJU-1j
X-Email-Count: 1
From: Mike McCauley <mikem [...] airspayce.com>
RT-Message-ID: <rt-4.0.18-27919-1471959933-144.116118-0-0 [...] rt.cpan.org>
Content-Length: 3790
Download (untitled) / with headers
text/plain 3.7k
Thanks Steffens I'm travelling at the moment and won't get a chance to patch this until October Cheers Sent from my iPhone Show quoted text
> On 23 Aug 2016, at 1:34 PM, Steffen Ullrich via RT <bug-Net-SSLeay@rt.cpan.org> wrote: > > Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=116118 > > > Am Fr 15. Jul 2016, 02:36:20, mikem@airspayce.com schrieb:
>> Hi Steffen, >> >> thanks thats all good now.
> > Hi Mike, > while writing a test for IO::Socket::SSL I've noticed some very weird behavior, like unexpected changes in the control flow of the Perl program which seemed to be triggered by the ticket key callback. Turns out that these effects were caused by missing cleanups in the XS code, i.e. PUTBACK, FREETMPS and LEAVE :( > > The attached patch resolves this issue. I've tested it with openssl versions 1.0.2g, 1.0.2c, 1.1.0 and 1.0.1. I don't expect any problems with other versions since the code is basically doing the same as before, only with proper cleanups at the right time. > Index: SSLeay.xs =================================================================== --- SSLeay.xs (revision 478) +++ SSLeay.xs (working copy) @@ -1256,12 +1256,11 @@ ){ dSP; - int count; + int count,usable_rv_count; SV *cb_func, *cb_data; - SV *sv_name, *sv_key; STRLEN svlen; - unsigned char *key; /* key[0..15] aes, key[16..32] hmac */ - unsigned char *name; + unsigned char key[32]; /* key[0..15] aes, key[16..32] hmac */ + unsigned char name[16]; SSL_CTX *ctx = SSL_get_SSL_CTX(ssl); PR1("STARTED: tlsext_ticket_key_cb_invoke\n"); @@ -1274,6 +1273,7 @@ ENTER; SAVETMPS; PUSHMARK(SP); + XPUSHs(sv_2mortal(newSVsv(cb_data))); if (!enc) { @@ -1283,29 +1283,50 @@ /* call as getkey(data) -> (key,current_name) */ } + PUTBACK; - PUTBACK; count = call_sv( cb_func, G_ARRAY ); SPAGAIN; - if (count>0) sv_name = POPs; - if (count>1) sv_key = POPs; - if (!enc && ( !count || !SvOK(sv_key) )) { + if (count>2) + croak("too much return values - only (name,key) should be returned"); + + usable_rv_count = 0; + if (count>0) { + SV *sname = POPs; + if (SvOK(sname)) { + unsigned char *pname = SvPV(sname,svlen); + if (svlen > 16) + croak("name must be at at most 16 bytes, got %d",svlen); + if (svlen == 0) + croak("name should not be empty"); + memset(name, 0, 16); + memcpy(name,pname,svlen); + usable_rv_count++; + } + } + if (count>1) { + SV *skey = POPs; + if (SvOK(skey)) { + unsigned char *pkey = SvPV(skey,svlen); + if (svlen != 32) + croak("key must be exactly 32 random bytes, got %d",svlen); + memcpy(key,pkey,32); + usable_rv_count++; + } + } + + PUTBACK; + FREETMPS; + LEAVE; + + if (!enc && usable_rv_count == 0) { TRACE(2,"no key returned for ticket"); return 0; } - - if (count != 2) + if (usable_rv_count != 2) croak("key functions needs to return (key,name)"); - key = SvPV(sv_key,svlen); - if (svlen < 32) - croak("key must be at least 32 random bytes, got %d",svlen); - name = SvPV(sv_name,svlen); - if (svlen != 16) - croak("name should be exactly 16 characters, got %d",svlen); - if (svlen == 0) - croak("name should not be empty"); if (enc) { /* encrypt ticket information with given key */ @@ -1312,18 +1333,14 @@ RAND_bytes(iv, 16); EVP_EncryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key, iv); HMAC_Init_ex(hctx,key+16,16,EVP_sha256(),NULL); - memset(key_name, 0, 16); - memcpy(key_name,name,svlen); + memcpy(key_name,name,16); return 1; + } else { - unsigned char new_name[16]; - memset(new_name, 0, sizeof(new_name)); - memcpy(new_name,name,svlen); - HMAC_Init_ex(hctx,key+16,16,EVP_sha256(),NULL); EVP_DecryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key, iv); - if (memcmp(new_name,key_name,16) == 0) + if (memcmp(name,key_name,16) == 0) return 1; /* current key was used */ else return 2; /* different key was used, need to be renewed */
MIME-Version: 1.0
In-Reply-To: <rt-4.0.18-27919-1471959933-144.116118-0-0 [...] rt.cpan.org>
X-Mailer: MIME-tools 5.504 (Entity 5.504)
Content-Disposition: inline
X-RT-Interface: Web
References: <RT-Ticket-116118 [...] rt.cpan.org> <rt-4.0.18-31446-1468561289-199.116118-5-0 [...] rt.cpan.org> <rt-4.0.18-4050-1468563573-1814.116118-5-0 [...] rt.cpan.org> <1730411.YBCtjMxrH0 [...] zulu> <rt-4.0.18-32444-1468564580-1147.116118-5-0 [...] rt.cpan.org> <rt-4.0.18-21143-1471952098-1076.116118-5-0 [...] rt.cpan.org> <5AC97F01-E42F-4CA8-B57A-8699A5DC9747 [...] airspayce.com> <rt-4.0.18-27919-1471959933-144.116118-0-0 [...] rt.cpan.org>
Content-Type: text/plain; charset="utf-8"
Message-ID: <rt-4.0.18-14221-1483479325-1503.116118-0-0 [...] rt.cpan.org>
Content-Transfer-Encoding: binary
X-RT-Original-Encoding: utf-8
X-RT-Encrypt: 0
X-RT-Sign: 0
Content-Length: 534
Download (untitled) / with headers
text/plain 534b
Am Di 23. Aug 2016, 09:45:33, mikem@airspayce.com schrieb: Show quoted text
> Thanks Steffens > I'm travelling at the moment and won't get a chance to patch this > until October
Hi Mike, unfortunately Net::SSLeay 1.79 was released without my latest patch which means that the feature is still not official usable from IO::Socket::SSL and the related tests will fail. I'm using this patch for several month in production without problems now. It would be nice if you could make a release in the next time which includes this patch. Regards, Steffen
MIME-Version: 1.0
X-Spam-Flag: NO
X-Virus-Scanned: Debian amavisd-new at bestpractical.com
content-type: text/plain; charset="utf-8"
X-Source-Sender: 135.35.96.58.static.exetel.com.au (zulu.localnet) [58.96.35.135]:39896
X-RT-Original-Encoding: utf-8
X-Spam-Score: -5.368
X-Source-Cap: bWlrZW07bWlrZW07Z2F0b3I0MTI5Lmhvc3RnYXRvci5jb20=
Received: from localhost (localhost [127.0.0.1]) by hipster.bestpractical.com (Postfix) with ESMTP id 573CC240305 for <cpan-bug+Net-SSLeay [...] hipster.bestpractical.com>; Wed, 4 Jan 2017 16:41:09 -0500 (EST)
Received: from hipster.bestpractical.com ([127.0.0.1]) by localhost (hipster.bestpractical.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wfLS7pJWH1Qr for <cpan-bug+Net-SSLeay [...] hipster.bestpractical.com>; Wed, 4 Jan 2017 16:41:07 -0500 (EST)
Received: from la.mx.develooper.com (x1.develooper.com [207.171.7.70]) by hipster.bestpractical.com (Postfix) with SMTP id DA4F724021A for <bug-Net-SSLeay [...] rt.cpan.org>; Wed, 4 Jan 2017 16:41:06 -0500 (EST)
Received: (qmail 27146 invoked by alias); 4 Jan 2017 21:41:06 -0000
Received: from gateway30.websitewelcome.com (HELO gateway30.websitewelcome.com) (50.116.126.1) by la.mx.develooper.com (qpsmtpd/0.28) with ESMTP; Wed, 04 Jan 2017 13:41:02 -0800
Received: from cm6.websitewelcome.com (cm6.websitewelcome.com [108.167.139.19]) by gateway30.websitewelcome.com (Postfix) with ESMTP id 82AF58AB66 for <bug-Net-SSLeay [...] rt.cpan.org>; Wed, 4 Jan 2017 15:40:58 -0600 (CST)
Received: from gator4129.hostgator.com ([192.185.4.141]) by cm6.websitewelcome.com with id UMgx1u00J32ZDfC01MgyfC; Wed, 04 Jan 2017 15:40:58 -0600
Received: from 135.35.96.58.static.exetel.com.au ([58.96.35.135]:39896 helo=zulu.localnet) by gator4129.hostgator.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.87) (envelope-from <mikem [...] airspayce.com>) id 1cOtIm-000GhN-WC for bug-Net-SSLeay [...] rt.cpan.org; Wed, 04 Jan 2017 15:40:57 -0600
Delivered-To: cpan-bug+Net-SSLeay [...] hipster.bestpractical.com
Subject: Re: [rt.cpan.org #116118] Support for cross context session ticket sharing using SSL_CTX_set_tlsext_ticket_key_cb
X-Spam-Check-BY: la.mx.develooper.com
Date: Thu, 05 Jan 2017 07:40:54 +1000
X-Spam-Level:
X-Bwhitelist: no
To: bug-Net-SSLeay [...] rt.cpan.org
Content-Transfer-Encoding: 7Bit
X-Source:
X-Source-Args:
In-Reply-To: <rt-4.0.18-14221-1483479325-1686.116118-5-0 [...] rt.cpan.org>
X-Spam-Status: No, score=-5.368 tagged_above=-99.9 required=10 tests=[AWL=0.532, BAYES_00=-1.9, FROM_OUR_RT=-4] autolearn=ham
X-Source-Dir:
X-RT-Interface: API
References: <RT-Ticket-116118 [...] rt.cpan.org> <rt-4.0.18-27919-1471959933-144.116118-5-0 [...] rt.cpan.org> <rt-4.0.18-14221-1483479325-1686.116118-5-0 [...] rt.cpan.org>
Message-ID: <1846080.UcglGVN2Sc [...] zulu>
X-Source-Auth: mikem [...] airspayce.com
X-Antiabuse: This header was added to track abuse, please include it with any abuse report
X-Antiabuse: Primary Hostname - gator4129.hostgator.com
X-Antiabuse: Original Domain - rt.cpan.org
X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-Antiabuse: Sender Address Domain - airspayce.com
Organization: AirSpayce Pty Ltd
X-Source-Ip: 58.96.35.135
User-Agent: KMail/4.14.10 (Linux/3.16.7-42-desktop; KDE/4.14.9; i686; ; )
Return-Path: <mikem [...] airspayce.com>
X-RT-Mail-Extension: net-ssleay
X-Original-To: cpan-bug+Net-SSLeay [...] hipster.bestpractical.com
X-Exim-ID: 1cOtIm-000GhN-WC
X-Email-Count: 2
From: Mike McCauley <mikem [...] airspayce.com>
RT-Message-ID: <rt-4.0.18-25068-1483566070-1529.116118-0-0 [...] rt.cpan.org>
Content-Length: 1043
Hi Steffen, Sorry, I dont know what happened there. Your patch is now in the new version 1.80. Cheers. On Tuesday, January 03, 2017 04:35:27 PM Steffen Ullrich via RT wrote: Show quoted text
> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=116118 > > > Am Di 23. Aug 2016, 09:45:33, mikem@airspayce.com schrieb:
> > Thanks Steffens > > > > I'm travelling at the moment and won't get a chance to patch this > > > > until October
> > Hi Mike, > unfortunately Net::SSLeay 1.79 was released without my latest patch which > means that the feature is still not official usable from IO::Socket::SSL > and the related tests will fail. I'm using this patch for several month in > production without problems now. It would be nice if you could make a > release in the next time which includes this patch. > > Regards, > Steffen
-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474
MIME-Version: 1.0
In-Reply-To: <rt-4.0.18-25068-1483566070-1529.116118-0-0 [...] rt.cpan.org>
X-Mailer: MIME-tools 5.504 (Entity 5.504)
Content-Disposition: inline
X-RT-Interface: Web
References: <RT-Ticket-116118 [...] rt.cpan.org> <rt-4.0.18-27919-1471959933-144.116118-5-0 [...] rt.cpan.org> <rt-4.0.18-14221-1483479325-1686.116118-5-0 [...] rt.cpan.org> <1846080.UcglGVN2Sc [...] zulu> <rt-4.0.18-25068-1483566070-1529.116118-0-0 [...] rt.cpan.org>
Content-Type: text/plain; charset="utf-8"
Message-ID: <rt-4.0.18-18724-1483643391-1058.116118-0-0 [...] rt.cpan.org>
Content-Transfer-Encoding: binary
X-RT-Original-Encoding: utf-8
X-RT-Encrypt: 0
X-RT-Sign: 0
Content-Length: 367
Download (untitled) / with headers
text/plain 367b
Am Mi 04. Jan 2017, 16:41:10, mikem@airspayce.com schrieb: Show quoted text
> Hi Steffen, > > Sorry, I dont know what happened there. Your patch is now in the new > version > 1.80. > > Cheers.
Thanks for the quick response. Tests now run successfully and I've released a new version of IO::Socket::SL which enables this feature when used with Net::SSLeay>= 1.80. Regards, Steffen


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.