5.0.0 OpenSSL compatibility issue: blocking SSL_peek() returns SSL_ERROR_WANT_READ. #4593
Comments
|
Thanks, will try later. FWIW, my application still tolerates OpenSSL 1.0.2 on the assumption that some distributors would backport fixes (possibly under paid support contract) - and formally, this SSL_MODE_AUTO_RETRY was not set in earlier OpenSSL versions either, but for some reason, this issue never cropped up with OpenSSL 1.0.2 either in my testing. I did not dig deeper because OpenSSL 1.1.1 clearly documents this default mode and 1.0.2 is end-of-life. |
|
I can't test since the branch you refer to identifies as 4.1.0 and has an insufficient API, missing, for instance, sk_GENERAL_NAME_free(). I'll be happy to re-test if you point me at some 5.0.0 or newer branch. |
|
Hi @mandree, please check that you are correctly checking out the branch. It includes the 5.0 release as well as the API you mentioned. Please try again and let me know if you managed to make progress. |
|
@mandree I would just like to ask, is this issue in relation to a specific project you are working on? |
@julek-wolfssl I just did git clone https://github.com/julek-wolfssl/wolfssl.git which led me to commit ec4841e (HEAD -> master, origin/master, origin/HEAD) I've now looked specifically for the AUTO_RETRY and got the issue-4593 branch... wasn't clear to me. then fetchmail (from GItlab's branch corresponding ltrace is a bit more concise |
|
@mandree could you run your test against the master wolfSSL branch with |
|
@julek-wolfssl tried it with wolfssl as of 4e1c39b. wolfSSL identifies as 5.0.1 and I've confirmed that the option landed in CFLAGS, fetchmail 6.4.25 with the two Still no joy. wolfSSL debug output first, which shows that the read takes place. relevant This is the output with OpenSSL 1.1.1l (Lima) - note it reads more chunks. Is there something special that wolfSSL read 5 then 250 bytes, and OpenSSL read 5 then 266 bytes? Is the difference related to recvfrom() vs read()? Other than that, with a zero flags argument these should behave identically. |
|
@julek-wolfssl I have toyed with my code and have it read and cache 1 byte when SSL_peek() returns SSL_ERROR_WANT_READ, then things seem to work. Not sure what is the difference here inside wolfSSL, with that code in place, I get this ltrace -S: |
|
Note that for all output above, fetchmail calls SSL_CTX_set_mode(), but wolfSSL 5.0.0 refuses that code with "Not implemented", the master branch at rev shown above accepts it, but somehow does not heed it. I still need to force this one-byte read. |
|
On another server (imap.gmx.net) that I am trying, I find that the CAPABILITY received from the server is shorter, and that seems to pose no problem, SSL_peek then returns 222. So might this be some buffer sizhe rounding/retry issue? This is on imap.gmx.net, where SSL_peek() returns 222: |
|
Apparently there are handshaking differences. This is the wolfSSL debug output for imap.gmx.net - note that the failing server makes wolfSSL log "received record layer msg -> got app DATA" above, while the working one makes wolfSSL log "received record layer msg -> got app DATA": |
|
Hi @mandree , is it possible for you to provide the full wolfSSL logs of a faulty connection (possibly intertwined with fetchmail logs to show where the error occurs)? I have some ideas on why this might still be an issue for fetchmail but I would need the full logs to confirm. If you do not wish to upload the logs here, you may email them to support@wolfssl.com. The shorter read from wolfSSL may be from fewer extensions being set in the ClientHello which are then replied to in the ServerHello.
Could you check what mode is fetchmail trying to set? If it is |
|
@julek-wolfssl now trying wolfSSL master as of 5910ada, and fetchmail 6.4.26 (branch legacy_6x) with Note 1: I have figured the error is TLS 1.3 specific and will not happen with TLS 1.2 or 1.1 (add Note 2: in wolfSSL's configure, I cannot pass the auto retry flag with For the log below: then running fetchmail locally under ltrace yields: and this is the latter part with |
|
@mandree I've found an issue with how we're currently implementing the auto retry logic. It should only retry reads and writes for handshake messages. The way that I have solved this in a working branch is with: I recommend applying this patch to your version of wolfSSL so that fetchmail will still receive WANT_{READ|WRITE} when not in a handshake. |
|
@julek-wolfssl this is going in the wrong direction. An application that uses blocking I/O (breaking free with alarm(some_timeout_value); and a SIGALRM handler) and that sets the SSL_MODE_AUTO_RETRY mode should never see a WANT_READ or WANT_WRITE code because it will not implement retry logic. |
|
You are correct @mandree. I will need to run |
upstream changes: ----------------- fetchmail-6.4.26 (released 2021-12-26, 31661 LoC): # FIXES: * When using wolfSSL 5.0.0, work around a bug that appears to hit wolfSSL when receiving handshake records while still in SSL_peek(). Workaround is to read 1 byte and cache it, then call SSL_peek() again. This affects only some servers. wolfSSL/wolfssl#4593 # TRANSLATIONS: language translations were updated by this fine person: * sr: Мирослав Николић (Miroslav Nikolić) [Serbian]
|
Hi @mandree, I have compiled and tried running the version of fetchmail you specified (e7ee3344792931d8d9439cc0f79dbcc726580187) with wolfSSL but I am receiving the error that I am not logged in. Is it possible for you to provide the full logs to support@wolfssl.com? My build configuration: I see that you pushed a fix in 6a5484e03e903d3e74d7b6ca8927d616548a6d8c regarding the incorrect retrying of the non-blocking socket. You will be pleased to know that this is fixed in #4807 and will be included in the next fix. |
Hi Juliusz, You do not need to be able to log in to see the error. Just trying to negotiate a TLS 1.3 session with fetchmail will be sufficient.
NOTE: it is critically required to I am trying this wolfSSL: |
|
Hi @mandree, thank you for your patience. I think that I have finally replicated your error. wolfSSL is returning a |
|
@julek-wolfssl Thank you. Could you let me know (I guess Github will do that implicitly) once committed? My expectation is that if I am using the OpenSSL API, and my application calls SSL_CTX_set_mode(...SSL_MODE_AUTO_RETRY...) that the application will never see SSL_ERROR_WANT_READ on blocking stream (TCP socket) I/O. |
|
@mandree I will let you know. Its difficult to follow all the possible paths taken in OpenSSL, but in my understanding, |
BREAKING CHANGES: * Bump wolfSSL minimum required version to 5.1.1 to pull in security fix. FIXES: * When using wolfSSL 5.0.0, work around a bug that appears to hit wolfSSL when receiving handshake records while still in SSL_peek(). Workaround is to read 1 byte and cache it, then call SSL_peek() again. This affects only some servers. wolfSSL/wolfssl#4593 TRANSLATIONS: language translations were updated by this fine people: * es: Cristian Othón Martínez Vera [Spanish] * ro: Remus-Gabriel Chelu [Romanian] * sr: Мирослав Николић (Miroslav Nikolić) [Serbian] MFH: 2022Q1
BREAKING CHANGES: * Bump wolfSSL minimum required version to 5.1.1 to pull in security fix. FIXES: * When using wolfSSL 5.0.0, work around a bug that appears to hit wolfSSL when receiving handshake records while still in SSL_peek(). Workaround is to read 1 byte and cache it, then call SSL_peek() again. This affects only some servers. wolfSSL/wolfssl#4593 TRANSLATIONS: language translations were updated by this fine people: * es: Cristian Othón Martínez Vera [Spanish] * ro: Remus-Gabriel Chelu [Romanian] * sr: Мирослав Николић (Miroslav Nikolić) [Serbian] MFH: 2022Q1 PR: 262362 Approved by: Corey Halpin (maintainer) (cherry picked from commit e1839db)
|
@mandree I'm closing this issue for now. Feel free to open if you feel this matter is not resolved. |
|
Ah well, what can I say. Branch master, commit a9cc1ca, still breaks... same way. OK, I admit I am playing dumb here, and do NOT #define OPENSSL_COMPATIBLE_DEFAULTS. And do note if I run |
- Update from version 6.4.19 to 6.4.32
- Update of rootfile not required
- Changelog - range of security and bug fixes
fetchmail-6.4.32 (released 2022-07-30, 31696 LoC):
# FIXES:
* Use configure to find rst2html, some systems install it only with .py suffix,
others only without, and some install both.
* Update README.maintainer
# TRANSLATIONS: language translations were updated by these fine people:
(in alphabetical order of language codes so as not to prefer people):
* cs: Petr Pisar [Czech]
* es: Cristian Othón Martínez Vera [Spanish]
* ja: Takeshi Hamasaki [Japanese]
* pl: Jakub Bogusz [Polish]
* ro: Remus-Gabriel Chelu [Romanian]
* sq: Besnik Bleta [Albanian]
* sv: Göran Uddeborg [Swedish]
fetchmail-6.4.31 (released 2022-07-16, 31694 LoC):
# BUG FIXES:
* Try to fix ./configure --with-ssl=... for systems that have multiple OpenSSL
versions installed. Issues reported by Dennis Putnam.
* The netrc parser now reports its errors to syslog or logfile when appropriate,
previously it would always log to stderr.
* Add error checking to .netrc parser.
# CHANGES:
* manpage: use .UR/.UE macros instead of .URL for URIs.
* manpage: fix contractions. Found with FreeBSD's igor tool.
* manpage: HTML now built with pandoc -> python-docutils
(manServer.pl was dropped)
fetchmail-6.4.30 (released 2022-04-26, 31666 LoC):
# BREAKING CHANGES:
* Bump wolfSSL minimum required version to 5.2.0 to pull in security fix.
# CHANGES:
* Using OpenSSL 1.* before 1.1.1n elicits a compile-time warning.
* Using OpenSSL 3.* before 3.0.2 elicits a compile-time warning.
* configure.ac was tweaked in order to hopefully fix cross-compilation issues
report, and different patch suggested, by Fabrice Fontaine,
https://gitlab.com/fetchmail/fetchmail/-/merge_requests/42
# TRANSLATIONS: language translations were updated by this fine person:
* ro: Remus-Gabriel Chelu [Romanian]
fetchmail-6.4.29 (released 2022-03-20, 31661 LoC):
# TRANSLATIONS: language translations were updated by this fine person:
* vi: Trần Ngọc Quân [Vietnamese]
fetchmail-6.4.28 (released 2022-03-05, 31661 LoC):
# DOCUMENTATION:
* Fix a typo in the manual page, courtesy of Jeremy Petch.
# TRANSLATIONS: language translations were updated by this fine person:
* es: Cristian Othón Martínez Vera [Spanish]
fetchmail-6.4.27 (released 2022-01-26, 31661 LoC):
# BREAKING CHANGES:
* Bump wolfSSL minimum required version to 5.1.1 to pull in security fix.
# TRANSLATIONS: language translations were updated by this fine person:
* ro: Remus-Gabriel Chelu [Romanian]
fetchmail-6.4.26 (released 2021-12-26, 31661 LoC):
# FIXES:
* When using wolfSSL 5.0.0, work around a bug that appears to hit wolfSSL when
receiving handshake records while still in SSL_peek(). Workaround is to read
1 byte and cache it, then call SSL_peek() again.
This affects only some servers. wolfSSL/wolfssl#4593
# TRANSLATIONS: language translations were updated by this fine person:
* sr: Мирослав Николић (Miroslav Nikolić) [Serbian]
fetchmail-6.4.25 (released 2021-12-10, 31653 LoC):
# BREAKING CHANGES:
* Since distributions continue patching for LibreSSL use, which cannot be
linked legally, block out LibreSSL in configure.ac and socket.c, and
refer to COPYING, unless on OpenBSD (which ships it in the base system).
OpenSSL and wolfSSL 5 can be used. SSL-related documentation was updated, do
re-read COPYING, INSTALL, README, README.packaging, README.SSL.
* Bump OpenSSL version requirement to 1.0.2f in order to safely remove
the obsolete OpenSSL flag SSL_OP_SINGLE_DH_USE. This blocks out 1.0.2e and
older 1.0.2 versions. 1.0.2f was a security fix release, and 1.0.2u is
publicly available from https://www.openssl.org/source/old/1.0.2/
* Some of the configure.ac fiddling MIGHT have broken cross-compilation
again. The maintainer does not test cross-compiling fetchmail; if you
have difficulties, try setting PKG_CONFIG_LIBDIR to the pkg-config path
containing your target/host libraries, or see if --with-ssl-prefix or
--with-wolfssl-prefix, or overriding LDFLAGS/LIBS/CPPFLAGS, can help.
Feedback solicited on compliant systems that are before end-of-life.
# BUG FIXES:
* 6.4.24's workaround for OpenSSL 1.0.2's X509_V_FLAG_TRUSTED_FIRST flag
contained a typo and would not kick in properly.
* Library and/or rpath setting from configure.ac was fixed.
# ADDITIONS:
* Added an example systemd unit file and instructions to contrib/systemd/
which runs fetchmail as a daemon with 5-minute poll intervals.
Courteously contributed by Barak A. Pearlmutter, Debian Bug#981464.
* fetchmail can now be used with wolfSSL 5's OpenSSL compatibility layer,
see INSTALL and README.SSL. This is considered experimental.
Feedback solicited.
# CHANGES:
* The getstats.py dist-tool now counts lines of .ac and .am files.
* ./configure --with-ssl now supports pkg-config module names, too. See INSTALL.
# TRANSLATIONS: language translations were updated by these fine people:
(in reverse alphabetical order of language codes so as not to prefer people):
* sv: Göran Uddeborg [Swedish]
* sq: Besnik Bleta [Albanian]
* pl: Jakub Bogusz [Polish]
* ja: Takeshi Hamasaki [Japanese]
* fr: Frédéric Marchal [French]
* eo: Keith Bowes [Esperanto]
* cs: Petr Pisar [Czech]
fetchmail-6.4.24 (released 2021-11-20, 30218 LoC):
# OPENSSL AND LICENSING NOTE:
> see fetchmail-6.4.22 below, and the file COPYING.
Note that distribution of packages linked with LibreSSL is not feasible
due to a missing GPLv2 clause 2(b) exception.
# COMPATIBILITY:
* Bison 3.8 dropped yytoknum altogether, breaking compilation due to a
warning workaround. Remove the cast of yytoknum to void. This may cause
a compiler warning to reappear with older Bison versions.
* OpenSSL 1.0.2: Workaround for systems that keep the expired DST Root CA X3
certificate in its trust store because OpenSSL by default prefers the
untrusted certificate and fails. Fetchmail now sets the
X509_V_FLAG_TRUSTED_FIRST flag (on OpenSSL 1.0.2 only).
This is workaround #2 from the OpenSSL Blog. For details, see both:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
NOTE: OpenSSL 1.0.2 is end of life, it is assumed that the OpenSSL library
is kept up to date by a distributor or via OpenSSL support contract.
Where this is not the case, please upgrade to a supported OpenSSL version.
# DOCUMENTATION:
* The manual page was revised after re-checking with mandoc -Tlint, aspell,
igor. Some more revisions were made for clarity.
# TRANSLATIONS: language translations were updated by these fine people:
* sv: Göran Uddeborg [Swedish]
* pl: Jakub Bogusz [Polish]
* fr: Frédéric Marchal [French]
* cs: Petr Pisar [Czech]
* eo: Keith Bowes [Esperanto]
* ja: Takeshi Hamasaki [Japanese]
fetchmail-6.4.23 (released 2021-10-31, 30206 LoC):
# USABILITY:
* For common ssh-based IMAP PREAUTH setups (i. e. those that use a plugin
- no matter its contents - and that set auth ssh), change the STARTTLS
error message to suggest sslproto '' instead.
This is a commonly reported issue after the CVE-2021-39272 fix in 6.4.22.
Fixes Redhat Bugzilla 2008160. Fixes GitLab #39.
# TRANSLATIONS: language translations were updated by these fine people:
* ja: Takeshi Hamasaki [Japanese]
* sr: Мирослав Николић (Miroslav Nikolić) [Serbian]
fetchmail-6.4.22 (released 2021-09-13, 30201 LoC):
# OPENSSL AND LICENSING NOTE:
* fetchmail 6.4.22 is compatible with OpenSSL 1.1.1 and 3.0.0.
OpenSSL's licensing changed between these releases from dual OpenSSL/SSLeay
license to Apache License v2.0, which is considered incompatible with GPL v2
by the FSF. For implications and details, see the file COPYING.
# SECURITY FIXES:
* CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections, without --ssl and
with nonempty --sslproto, meaning that fetchmail is to enforce TLS, and when
the server or an attacker sends a PREAUTH greeting, fetchmail used to continue
an unencrypted connection. Now, log the error and abort the connection.
--Recommendation for servers that support SSL/TLS-wrapped or "implicit" mode on
a dedicated port (default 993): use --ssl, or the ssl user option in an rcfile.
--Reported by: Andrew C. Aitchison, based on the USENIX Security 21 paper "Why
TLS is better without STARTTLS - A Security Analysis of STARTTLS in the Email
Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian
Schinzel. The paper did not mention fetchmail.
* On IMAP and POP3 connections, --auth ssh no longer prevents STARTTLS
negotiation.
* On IMAP connections, fetchmail does not permit overriding a server-side
LOGINDISABLED with --auth password any more.
* On POP3 connections, the possibility for RPA authentication (by probing with
an AUTH command without arguments) no longer prevents STARTTLS negotiation.
* For POP3 connections, only attempt RPA if the authentication type is "any".
# BUG FIXES:
* On IMAP connections, when AUTHENTICATE EXTERNAL fails and we have received the
tagged (= final) response, do not send "*".
* On IMAP connections, AUTHENTICATE EXTERNAL without username will properly send
a "=" for protocol compliance.
* On IMAP connections, AUTHENTICATE EXTERNAL will now check if the server
advertised SASL-IR (RFC-4959) support and otherwise refuse (fetchmail <= 6.4
has not supported and does not support the separate challenge/response with
command continuation)
* On IMAP connections, when --auth external is requested but not advertised by
the server, log a proper error message.
* Fetchmail no longer crashes when attempting a connection with --plugin "" or
--plugout "".
* Fetchmail no longer leaks memory when processing the arguments of --plugin or
--plugout on connections.
* On POP3 connections, the CAPAbilities parser is now caseblind.
* Fix segfault on configurations with "defaults ... no envelope". Reported by
Bjørn Mork. Fixes Debian Bug#992400. This is a regression in fetchmail 6.4.3
and happened when plugging memory leaks, which did not account for that the
envelope parameter is special when set as "no envelope". The segfault happens
in a constant strlen(-1), triggered by trusted local input => no vulnerability.
* Fix program abort (SIGABRT) with "internal error" when invalid sslproto is
given with OpenSSL 1.1.0 API compatible SSL implementations.
# CHANGES:
* IMAP: When fetchmail is in not-authenticated state and the server volunteers
CAPABILITY information, use it and do not re-probe. (After STARTTLS, fetchmail
must and will re-probe explicitly.)
* For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl option
do not match, emit a warning and continue. Closes Gitlab #31.
(cherry-picked from 6.5 beta branch "legacy_6x")
* fetchmail.man and README.SSL were updated in line with RFC-8314/8996/8997
recommendations to prefer Implicit TLS (--ssl/ssl) and TLS v1.2 or newer,
placing --sslproto tls1.2+ more prominently.
The defaults shall not change between 6.4.X releases for compatibility.
# TRANSLATIONS: language translations were updated by these fine people:
* sq: Besnik Bleta [Albanian]
* cs: Petr Pisar [Czech]
* eo: Keith Bowes [Esperanto]
* fr: Frédéric Marchal [French]
* pl: Jakub Bogusz [Polish]
* sv: Göran Uddeborg [Swedish]
fetchmail-6.4.21 (released 2021-08-09, 30042 LoC):
# REGRESSION FIX:
* The new security fix in 6.4.20 for CVE-2021-36386 caused truncation of
messages logged to buffered outputs, from --logfile and --syslog.
This also caused lines in the logfile to run into one another because
the fragment containing the '\n' line-end character was usually lost.
Reason is that on all modern systems (with <stdarg.h> header and vsnprintf()
interface), the length of log message fragments was added up twice, so
that these ended too deep into a freshly allocated buffer, after the '\0'
byte. Unbuffered outputs flushed the fragments right away, which masked the
bug.
fetchmail-6.4.20 (released 2021-07-28, 30042 LoC):
# SECURITY FIX:
* When a log message exceeds c. 2 kByte in size, for instance, with very long
header contents, and depending on verbosity option, fetchmail can crash or
misreport each first log message that requires a buffer reallocation.
fetchmail then reallocates memory and re-runs vsnprintf() without another
call to va_start(), so it reads garbage. The exact impact depends on
many factors around the compiler and operating system configurations used and
the implementation details of the stdarg.h interfaces of the two functions
mentioned before. To fix CVE-2021-36386.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
I found a difference between OpenSSL proper (1.0.2, 1.1.1, 3.0) and wolfSSL 5.0.0.
My code uses a default setting (blocking I/O) and connects, and then calls
SSL_peek()right away. This works in OpenSSL without a hitch, but wolfSSL returns0andSSL_get_error()returnsSSL_ERROR_WANT_READ.This incompatibility makes wolfSSL unsuitable as OpenSSL drop-in replacement because it's not bug compatible.
OpenSSL 1.1.1 documents "If
SSL_MODE_AUTO_RETRYhas been switched off and a non-application data record has been processed, the read function can return and set the error toSSL_ERROR_WANT_READ." - but I am not disablingSSL_MODE_AUTO_RETRY.The text was updated successfully, but these errors were encountered: