Improve XMPP protocol support for starttls on s_client #2

clopez · 2013-05-27T22:38:29Z

I submit this patches time ago to the openssl mailing list but got not answer.
I have rebased the patches on top of current master and I'm retrying submitting it here with the hope that it will caught more attention.

This pull request fixes the support for XMPP on openssl s_client. A number of reports on Internet complain about this. Examples:

* Some XMPP Servers (OpenFire) use double quotes. * This makes s_client starttls work with this servers. * Tested with OpenFire servers from http://xmpp.net/ :: openssl s_client -connect coderollers.com:5222 -starttls xmpp

* When the host used in "-connect" is not what the remote XMPP server expects the server will return an error like this: <stream:error> <host-unknown xmlns='urn:ietf:params:xml:ns:xmpp-streams'/> </stream:error> * But the actual code will stay on the loop forever because the stop condition "/stream:features>" will never happen, * Make this more robust: The stop condition should be that BIO_read failed * Test if for example with :: openssl s_client -connect random.jabb3r.net:5222 -starttls xmpp

…npage

* Many XMPP servers are configured with multiple domains (virtual hosts) * In order to establish successfully the TLS connection you have to specify which virtual host you are trying to connect. * Test this, for example with :: * Fail: openssl s_client -connect talk.google.com:5222 -starttls xmpp * Works: openssl s_client -connect talk.google.com:5222 -starttls xmpp -xmpphost gmail.com

benlaurie · 2013-09-05T16:30:34Z

Merged.

(cherry picked from commit a74bee5)

Previous commit 7bb196a attempted to "fix" a problem with the way SSL_shutdown() behaved whilst in mid-handshake. The original behaviour had SSL_shutdown() return immediately having taken no action if called mid- handshake with a return value of 1 (meaning everything was shutdown successfully). In fact the shutdown has not been successful. Commit 7bb196a changed that to send a close_notify anyway and then return. This seems to be causing some problems for some applications so perhaps a better (much simpler) approach is revert to the previous behaviour (no attempt at a shutdown), but return -1 (meaning the shutdown was not successful). This also fixes a bug where SSL_shutdown always returns 0 when shutdown *very* early in the handshake (i.e. we are still using SSLv23_method). Reviewed-by: Viktor Dukhovni <[email protected]>

Previous commit f73c737 attempted to "fix" a problem with the way SSL_shutdown() behaved whilst in mid-handshake. The original behaviour had SSL_shutdown() return immediately having taken no action if called mid- handshake with a return value of 1 (meaning everything was shutdown successfully). In fact the shutdown has not been successful. Commit f73c737 changed that to send a close_notify anyway and then return. This seems to be causing some problems for some applications so perhaps a better (much simpler) approach is revert to the previous behaviour (no attempt at a shutdown), but return -1 (meaning the shutdown was not successful). This also fixes a bug where SSL_shutdown always returns 0 when shutdown *very* early in the handshake (i.e. we are still using SSLv23_method). Reviewed-by: Viktor Dukhovni <[email protected]>

Added functions to create, delete a set of cert/key and PKCS#12, which can be used to manage a lot of auth-client key sets. Revert some unnecessary changes Revert some unnecessary changes openssl#2 Pair-Bag total manage capability added to CA.pl

Fixes openssl#2 and openssl#3 and openssl#22 Updates `Configure` script to disable QUIC with `no-bulk` and `no-ec` Updates build.info doc docs Fixes an issue with extension defintions and `no-quic`

Here the undefined value "npa" passed to a function WPACKET_sub_memcpy_u16(pkt, npa, npalen). However the value is not really used, because "npalen" is zero, but the call statememt itself is considered an invalid operation by the new sanitizer. The original sanitizer error report was: ==49175==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x55a276b29d6f in tls_construct_stoc_next_proto_neg /home/runner/work/openssl/openssl/ssl/statem/extensions_srvr.c:1518:21 openssl#1 0x55a276b15d7d in tls_construct_extensions /home/runner/work/openssl/openssl/ssl/statem/extensions.c:909:15 openssl#2 0x55a276b513dc in tls_construct_server_hello /home/runner/work/openssl/openssl/ssl/statem/statem_srvr.c:2471:10 openssl#3 0x55a276b2e160 in write_state_machine /home/runner/work/openssl/openssl/ssl/statem/statem.c:896:26 openssl#4 0x55a276b2e160 in state_machine /home/runner/work/openssl/openssl/ssl/statem/statem.c:490:21 openssl#5 0x55a276b2f562 in ossl_statem_accept /home/runner/work/openssl/openssl/ssl/statem/statem.c:309:12 openssl#6 0x55a276a9f867 in SSL_do_handshake /home/runner/work/openssl/openssl/ssl/ssl_lib.c:4890:19 openssl#7 0x55a276a9f605 in SSL_accept /home/runner/work/openssl/openssl/ssl/ssl_lib.c:2169:12 openssl#8 0x55a276a3d4db in create_bare_ssl_connection /home/runner/work/openssl/openssl/test/helpers/ssltestlib.c:1281:24 openssl#9 0x55a276a3d7cb in create_ssl_connection /home/runner/work/openssl/openssl/test/helpers/ssltestlib.c:1350:10 openssl#10 0x55a276a64c0b in test_npn /home/runner/work/openssl/openssl/test/sslapitest.c:12266:14 openssl#11 0x55a276b9fc20 in run_tests /home/runner/work/openssl/openssl/test/testutil/driver.c:377:21 openssl#12 0x55a276ba0b10 in main /home/runner/work/openssl/openssl/test/testutil/main.c:31:15

Here the undefined value "npa" passed to a function WPACKET_sub_memcpy_u16(pkt, npa, npalen). However the value is not really used, because "npalen" is zero, but the call statememt itself is considered an invalid operation by the new sanitizer. The original sanitizer error report was: ==49175==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x55a276b29d6f in tls_construct_stoc_next_proto_neg /home/runner/work/openssl/openssl/ssl/statem/extensions_srvr.c:1518:21 #1 0x55a276b15d7d in tls_construct_extensions /home/runner/work/openssl/openssl/ssl/statem/extensions.c:909:15 #2 0x55a276b513dc in tls_construct_server_hello /home/runner/work/openssl/openssl/ssl/statem/statem_srvr.c:2471:10 #3 0x55a276b2e160 in write_state_machine /home/runner/work/openssl/openssl/ssl/statem/statem.c:896:26 #4 0x55a276b2e160 in state_machine /home/runner/work/openssl/openssl/ssl/statem/statem.c:490:21 #5 0x55a276b2f562 in ossl_statem_accept /home/runner/work/openssl/openssl/ssl/statem/statem.c:309:12 #6 0x55a276a9f867 in SSL_do_handshake /home/runner/work/openssl/openssl/ssl/ssl_lib.c:4890:19 #7 0x55a276a9f605 in SSL_accept /home/runner/work/openssl/openssl/ssl/ssl_lib.c:2169:12 #8 0x55a276a3d4db in create_bare_ssl_connection /home/runner/work/openssl/openssl/test/helpers/ssltestlib.c:1281:24 #9 0x55a276a3d7cb in create_ssl_connection /home/runner/work/openssl/openssl/test/helpers/ssltestlib.c:1350:10 #10 0x55a276a64c0b in test_npn /home/runner/work/openssl/openssl/test/sslapitest.c:12266:14 #11 0x55a276b9fc20 in run_tests /home/runner/work/openssl/openssl/test/testutil/driver.c:377:21 #12 0x55a276ba0b10 in main /home/runner/work/openssl/openssl/test/testutil/main.c:31:15 Reviewed-by: Saša Nedvědický <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #26269)

Here the undefined value "npa" passed to a function WPACKET_sub_memcpy_u16(pkt, npa, npalen). However the value is not really used, because "npalen" is zero, but the call statememt itself is considered an invalid operation by the new sanitizer. The original sanitizer error report was: ==49175==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x55a276b29d6f in tls_construct_stoc_next_proto_neg /home/runner/work/openssl/openssl/ssl/statem/extensions_srvr.c:1518:21 #1 0x55a276b15d7d in tls_construct_extensions /home/runner/work/openssl/openssl/ssl/statem/extensions.c:909:15 #2 0x55a276b513dc in tls_construct_server_hello /home/runner/work/openssl/openssl/ssl/statem/statem_srvr.c:2471:10 #3 0x55a276b2e160 in write_state_machine /home/runner/work/openssl/openssl/ssl/statem/statem.c:896:26 #4 0x55a276b2e160 in state_machine /home/runner/work/openssl/openssl/ssl/statem/statem.c:490:21 #5 0x55a276b2f562 in ossl_statem_accept /home/runner/work/openssl/openssl/ssl/statem/statem.c:309:12 #6 0x55a276a9f867 in SSL_do_handshake /home/runner/work/openssl/openssl/ssl/ssl_lib.c:4890:19 #7 0x55a276a9f605 in SSL_accept /home/runner/work/openssl/openssl/ssl/ssl_lib.c:2169:12 #8 0x55a276a3d4db in create_bare_ssl_connection /home/runner/work/openssl/openssl/test/helpers/ssltestlib.c:1281:24 #9 0x55a276a3d7cb in create_ssl_connection /home/runner/work/openssl/openssl/test/helpers/ssltestlib.c:1350:10 #10 0x55a276a64c0b in test_npn /home/runner/work/openssl/openssl/test/sslapitest.c:12266:14 #11 0x55a276b9fc20 in run_tests /home/runner/work/openssl/openssl/test/testutil/driver.c:377:21 #12 0x55a276ba0b10 in main /home/runner/work/openssl/openssl/test/testutil/main.c:31:15 Reviewed-by: Saša Nedvědický <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #26269) (cherry picked from commit e63e889)

Here the undefined value "npa" was passed to a function WPACKET_sub_memcpy_u16(pkt, npa, npalen). However the value is not really used, because "npalen" is zero, but the call statememt itself is considered an invalid operation by the new sanitizer. The original sanitizer error report was: ==49175==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x55a276b29d6f in tls_construct_stoc_next_proto_neg /home/runner/work/openssl/openssl/ssl/statem/extensions_srvr.c:1518:21 openssl#1 0x55a276b15d7d in tls_construct_extensions /home/runner/work/openssl/openssl/ssl/statem/extensions.c:909:15 openssl#2 0x55a276b513dc in tls_construct_server_hello /home/runner/work/openssl/openssl/ssl/statem/statem_srvr.c:2471:10 openssl#3 0x55a276b2e160 in write_state_machine /home/runner/work/openssl/openssl/ssl/statem/statem.c:896:26 openssl#4 0x55a276b2e160 in state_machine /home/runner/work/openssl/openssl/ssl/statem/statem.c:490:21 openssl#5 0x55a276b2f562 in ossl_statem_accept /home/runner/work/openssl/openssl/ssl/statem/statem.c:309:12 openssl#6 0x55a276a9f867 in SSL_do_handshake /home/runner/work/openssl/openssl/ssl/ssl_lib.c:4890:19 openssl#7 0x55a276a9f605 in SSL_accept /home/runner/work/openssl/openssl/ssl/ssl_lib.c:2169:12 openssl#8 0x55a276a3d4db in create_bare_ssl_connection /home/runner/work/openssl/openssl/test/helpers/ssltestlib.c:1281:24 openssl#9 0x55a276a3d7cb in create_ssl_connection /home/runner/work/openssl/openssl/test/helpers/ssltestlib.c:1350:10 openssl#10 0x55a276a64c0b in test_npn /home/runner/work/openssl/openssl/test/sslapitest.c:12266:14 openssl#11 0x55a276b9fc20 in run_tests /home/runner/work/openssl/openssl/test/testutil/driver.c:377:21 openssl#12 0x55a276ba0b10 in main /home/runner/work/openssl/openssl/test/testutil/main.c:31:15 Reviewed-by: Saša Nedvědický <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#26269) (cherry picked from commit e63e889)

Patch-name: 0010-Add-changes-to-ectest-and-eccurve.patch Patch-id: 10 Patch-status: | # # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so # # that new modifications made to these files by upstream are not lost. From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce commit openssl#2: Patch-name: 0011-Remove-EC-curves.patch Patch-id: 11 Patch-status: | # # remove unsupported EC curves From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce

clopez added 4 commits May 27, 2013 23:47

Add "xmpp" to the list of supported starttls protocols on s_client ma…

097b069

…npage

benlaurie closed this Sep 5, 2013

snhenson pushed a commit that referenced this pull request Apr 8, 2014

VMS build fix #2.

a74bee5

snhenson pushed a commit that referenced this pull request Apr 8, 2014

VMS build fix #2.

6ef9d9b

(cherry picked from commit a74bee5)

Tatsuya-Nonogaki added a commit to Tatsuya-Nonogaki/openssl that referenced this pull request Mar 22, 2016

Revert some unnecessary changes openssl#2

7118e8c

elitetony mentioned this pull request Apr 27, 2016

openssl-1.1.0-pre5 OCSP_SINGLERESP_add1_ext_i2d add SCT data error #1001

Closed

oathupdate mentioned this pull request Apr 29, 2016

there is a core dump in openss 1.0.1 e #1010

Closed

tmshort mentioned this pull request May 13, 2016

Fix session ticket and SNI (1.0.2) #1065

Closed

elitetony mentioned this pull request Jun 13, 2016

openssl-1.1.0-pre5 coredumped #1205

Closed

ealloradai mentioned this pull request Jul 15, 2016

Strange behaviour of OpenSSL cms sign on large files #1302

Closed

tmshort mentioned this pull request Sep 27, 2016

Failed tests on OpenSSL 1.1.0b with enable-ec_nistp_64_gcc_128 and/or enable-ssl-trace #1623

Closed

glftpd mentioned this pull request Nov 12, 2016

openssl version command hangs with 1.1.0c and no-dso option #1899

Closed

kingcpro mentioned this pull request Nov 24, 2016

Core dump cased by libcrypto.so.1.0.2h (openssl-1.0.2h) #1995

Closed

rainerjung mentioned this pull request Mar 19, 2017

Crash in test during ossltest_destroy() for OpenSSL 1.1.0e on Linux x86_64. #2987

Closed

lyuboasenov mentioned this pull request Apr 26, 2017

X509_sign fails with segmentation fault #3315

Closed

fxdupont mentioned this pull request Jun 6, 2017

pkey_ecd_digestsign must check privkey #3618

Closed

eastyu mentioned this pull request Jun 17, 2017

SSL_CTX_new function call makes a segment fault #3706

Closed

lonewasp mentioned this pull request Jun 20, 2017

SIGSEGV in subcall from FIPS_drbg_generate() #3721

Closed

speedingdaemon mentioned this pull request Jul 14, 2017

Using OpenSSL with LKL's non-blocking sockets #3937

Closed

paulidale mentioned this pull request Jul 18, 2017

Rand seed #3956

Closed

caikun mentioned this pull request Jul 20, 2017

ssleay_rand_bytes get the Arithmetic exception crash #3978

Closed

anil9811 mentioned this pull request Sep 27, 2024

Openssl API "X509_verify_cert" is failing with openssl3.0 but working in openssl1.1.1. Can we know reasons why it is failing in openssl3.0? #25555

Open

harshbhavsar30 mentioned this pull request Nov 18, 2024

KAT for CTR-DRBG Failing - Generated bytes not matching with expected bytes from test Vector #25953

Closed

uchina1 mentioned this pull request Dec 5, 2024

Segmentation fault in X509_ACERT_sign_ctx #26107

Closed

mcollard0 mentioned this pull request Mar 7, 2025

Build errors on Openssl 1.1.1, details within. #27000

Closed

HeliC829 mentioned this pull request Mar 9, 2025

RISC-V: Provide optimized SHA-256 implementation using Zbb extension #27011

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Improve XMPP protocol support for starttls on s_client #2

Improve XMPP protocol support for starttls on s_client #2

clopez commented May 27, 2013

benlaurie commented Sep 5, 2013

Improve XMPP protocol support for starttls on s_client #2

Improve XMPP protocol support for starttls on s_client #2

Conversation

clopez commented May 27, 2013

benlaurie commented Sep 5, 2013