From de5b3a8645a3b2dd22fa8866e64488eb2b69777d Mon Sep 17 00:00:00 2001 From: Andy Polyakov Date: Wed, 11 Apr 2018 23:16:52 +0200 Subject: [PATCH] TLSProxy/Proxy.pm: bind s_server to loopback interface. Bind even test/ssltest_old.c to loopback interface. This allows to avoid unnecessary alerts from Windows and Mac OS X firewalls. Reviewed-by: Bernd Edlinger Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/5933) --- test/ssltest_old.c | 3 +- util/perl/TLSProxy/Proxy.pm | 114 +++++++++++++++++++----------------- 2 files changed, 62 insertions(+), 55 deletions(-) diff --git a/test/ssltest_old.c b/test/ssltest_old.c index 946948534a..34705c3472 100644 --- a/test/ssltest_old.c +++ b/test/ssltest_old.c @@ -1836,7 +1836,8 @@ int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family, long count, int err_in_client = 0; int err_in_server = 0; - acpt = BIO_new_accept("0"); + acpt = BIO_new_accept(family == BIO_FAMILY_IPV4 ? "127.0.0.1:0" + : "[::1]:0"); if (acpt == NULL) goto err; BIO_set_accept_ip_family(acpt, family); diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm index 752b572b8c..ea2c7a689e 100644 --- a/util/perl/TLSProxy/Proxy.pm +++ b/util/perl/TLSProxy/Proxy.pm 
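Review bot: The new `BIO_new_accept()` argument maps every family other than `BIO_FAMILY_IPV4` to `"[::1]:0"`, so a caller passing `BIO_FAMILY_IPANY` (if any does; the call sites are outside this hunk) would now need a working IPv6 loopback instead of accepting on whatever the host offers. Testing the IPv6 case explicitly, `acpt = BIO_new_accept(family == BIO_FAMILY_IPV6 ? "[::1]:0" : "127.0.0.1:0");`, keeps the IPv4 loopback as the default for anything else. A one-line comment on why the listener is no longer `"0"` would also help the next reader, e.g. `/* loopback only: a wildcard bind is reachable from other hosts and trips host firewalls */`. doit_localhost continues outside the hunk.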
@@ -23,9 +23,50 @@ use TLSProxy::CertificateVerify; use TLSProxy::ServerKeyExchange; use TLSProxy::NewSessionTicket; -my $have_IPv6 = 0; +my $have_IPv6; my $IP_factory; +BEGIN +{ + # IO::Socket::IP is on the core module list, IO::Socket::INET6 isn't. + # However, IO::Socket::INET6 is older and is said to be more widely + # deployed for the moment, and may have less bugs, so we try the latter + # first, then fall back on the core modules. Worst case scenario, we + # fall back to IO::Socket::INET, only supports IPv4. + eval { + require IO::Socket::INET6; + my $s = IO::Socket::INET6->new( + LocalAddr => "::1", + LocalPort => 0, + Listen=>1, + ); + $s or die "\n"; + $s->close(); + }; + if ($@ eq "") { + $IP_factory = sub { IO::Socket::INET6->new(@_); }; + $have_IPv6 = 1; + } else { + eval { + require IO::Socket::IP; + my $s = IO::Socket::IP->new( + LocalAddr => "::1", + LocalPort => 0, + Listen=>1, + ); + $s or die "\n"; + $s->close(); + }; + if ($@ eq "") { + $IP_factory = sub { IO::Socket::IP->new(@_); }; + $have_IPv6 = 1; + } else { + $IP_factory = sub { IO::Socket::INET->new(@_); }; + $have_IPv6 = 0; + } + } +} + my $is_tls13 = 0; my $ciphersuite = undef; @@ -39,8 +80,7 @@ sub new my $self = { #Public read/write - proxy_addr => "localhost", - server_addr => "localhost", + proxy_addr => $have_IPv6 ? "[::1]" : "127.0.0.1", filter => $filter, serverflags => "", clientflags => "", 
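Review bot: `my $have_IPv6;` has lost its `= 0` initializer for a reason that is not recorded anywhere: the `BEGIN` block assigns it at compile time, and a runtime `my $have_IPv6 = 0;` would overwrite that value once the file's top-level statements execute, so the omission is deliberate and should be marked, e.g. `my $have_IPv6;    # assigned in BEGIN below; a run-time initializer would reset it`. The same reasoning already applies to `$IP_factory`, so one comment covering both declarations is enough. As a point of style, `Listen=>1` in both probe calls is spaced differently from the neighbouring `LocalAddr => "::1"` and `LocalPort => 0`; `Listen => 1,` keeps the argument list uniform.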
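Review bot: Removing `server_addr => "localhost"` leaves `server_addr` unset on the failure path: the only remaining assignment is `$self->{server_addr} = $self->{proxy_addr}` inside the success branch of the proxy-socket creation in the `@@ -113,11 +116,16 @@` hunk, and its `else` branch merely warns. If `start` is then called on such an object, `" -accept $self->{server_addr}:0"` in the `@@ -212,11 +220,9 @@` hunk expands to the host-less `-accept :0`, which is a wildcard listen again — the very thing this commit removes — unless start bails out earlier on a missing `proxy_sock`, which I cannot see from these hunks. A loopback default in the hash keeps the invariant on every path: `server_addr => $have_IPv6 ? "[::1]" : "127.0.0.1",`. The `new` constructor continues outside the hunk.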
@@ -67,43 +107,6 @@ sub new message_list => [], }; - # IO::Socket::IP is on the core module list, IO::Socket::INET6 isn't. - # However, IO::Socket::INET6 is older and is said to be more widely - # deployed for the moment, and may have less bugs, so we try the latter - # first, then fall back on the code modules. Worst case scenario, we - # fall back to IO::Socket::INET, only supports IPv4. - eval { - require IO::Socket::INET6; - my $s = IO::Socket::INET6->new( - LocalAddr => "::1", - LocalPort => 0, - Listen=>1, - ); - $s or die "\n"; - $s->close(); - }; - if ($@ eq "") { - $IP_factory = sub { IO::Socket::INET6->new(@_); }; - $have_IPv6 = 1; - } else { - eval { - require IO::Socket::IP; - my $s = IO::Socket::IP->new( - LocalAddr => "::1", - LocalPort => 0, - Listen=>1, - ); - $s or die "\n"; - $s->close(); - }; - if ($@ eq "") { - $IP_factory = sub { IO::Socket::IP->new(@_); }; - $have_IPv6 = 1; - } else { - $IP_factory = sub { IO::Socket::INET->new(@_); }; - } - } - # Create the Proxy socket my $proxaddr = $self->{proxy_addr}; $proxaddr =~ s/[\[\]]//g; # Remove [ and ] @@ -113,11 +116,16 @@ sub new Proto => "tcp", Listen => SOMAXCONN, ); - $self->{proxy_sock} = $IP_factory->(@proxyargs); - if ($self->{proxy_sock}) { - $self->{proxy_port} = $self->{proxy_sock}->sockport(); - print "Proxy started on port ".$self->{proxy_port}."\n"; + if (my $sock = $IP_factory->(@proxyargs)) { + $self->{proxy_sock} = $sock; + $self->{proxy_port} = $sock->sockport(); + $self->{proxy_addr} = $sock->sockhost(); + $self->{proxy_addr} =~ s/(.*:.*)/[$1]/; + print "Proxy started on port ", + "$self->{proxy_addr}:$self->{proxy_port}\n"; + # use same address for s_server + $self->{server_addr} = $self->{proxy_addr}; } else { warn "Failed creating proxy socket (".$proxaddr.",0): $!\n"; } 
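Review bot: The new log line prints address and port but its text still says only "port", yielding `Proxy started on port [::1]:NNN`; `print "Proxy started on ", "$self->{proxy_addr}:$self->{proxy_port}\n";` matches what is printed. The bracket-wrapping substitution `s/(.*:.*)/[$1]/` is unanchored, so its intent (wrap the whole value when it contains a colon, i.e. an IPv6 literal) is clearer as `s/\A(.*:.*)\z/[$1]/`, which behaves the same on a plain address from `sockhost()`. `new` continues outside the hunk.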
@@ -212,11 +220,9 @@ sub start my $execcmd = $self->execute ." s_server -max_protocol TLSv1.3 -no_comp -rev -engine ossltest" - ." -accept 0 -cert ".$self->cert." -cert2 ".$self->cert + ." -accept $self->{server_addr}:0" + ." -cert ".$self->cert." -cert2 ".$self->cert ." -naccept ".$self->serverconnects; - unless ($self->supports_IPv6) { - $execcmd .= " -4"; - } if ($self->ciphers ne "") { $execcmd .= " -cipher ".$self->ciphers; } @@ -286,7 +292,7 @@ sub start $self->{serverpid} = $pid; print STDERR "Server responds on ", - $self->{server_addr}, ":", $self->{server_port}, "\n"; + "$self->{server_addr}:$self->{server_port}\n"; # Connect right away... $self->connect_to_server(); @@ -301,11 +307,8 @@ sub clientstart if ($self->execute) { my $pid; my $execcmd = $self->execute - ." s_client -max_protocol TLSv1.3 -engine ossltest -connect " - .($self->proxy_addr).":".($self->proxy_port); - unless ($self->supports_IPv6) { - $execcmd .= " -4"; - } + ." s_client -max_protocol TLSv1.3 -engine ossltest" + ." -connect $self->{proxy_addr}:$self->{proxy_port}"; if ($self->cipherc ne "") { $execcmd .= " -cipher ".$self->cipherc; } @@ -315,6 +318,9 @@ sub clientstart if ($self->clientflags ne "") { $execcmd .= " ".$self->clientflags; } + if ($self->clientflags !~ m/-(no)?servername/) { + $execcmd .= " -servername localhost"; + } if (defined $self->sessionfile) { $execcmd .= " -ign_eof"; } -- 2.25.1
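Review bot: `" -accept $self->{server_addr}:0"` binds s_server to whatever `server_addr` holds when `start` runs, and that attribute is documented as public read/write in the `#Public read/write` context of the `@@ -39,8 +80,7 @@` hunk, so the loopback-only property this commit establishes depends on no test overriding it; the value is also interpolated unquoted into the command string, which is presumably handed to a shell further down. Either document the invariant where the value is assigned, or check it before building the command: `die "server_addr must be a loopback literal, got '$self->{server_addr}'\n" unless $self->{server_addr} =~ m{\A(?:127\.0\.0\.1|\[::1\])\z};`. The same applies to `proxy_addr` in `" -connect $self->{proxy_addr}:$self->{proxy_port}"` of the `@@ -301,11 +307,8 @@` hunk. start's body continues outside the hunk.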
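Review bot: `m/-(no)?servername/` uses a capturing group that is never read and is unanchored on the right, so it also matches any flag that merely begins with `-servername`; `m/-(?:no)?servername\b/` states the same intent explicitly and leaves `$1` untouched. The commit message does not say why `-servername localhost` is now forced, so a why-comment on the new `if` would help, hedged until confirmed against s_client: `# NOTE(review): presumably s_client derives no SNI from an IP-literal -connect target; keep sending "localhost" unless the test sets its own -- confirm`. clientstart continues outside the hunk.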