Bug 1135761 - network:libisds fails to build due to curl forcing libopenssl to write to a dead socket
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Network
Version: Current
Hardware: Other
OS: Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assigned To: Vítězslav Čížek
QA Contact: E-mail List
Whiteboard: obs:running:11891:moderate
Reported: 2019-05-21 11:08 UTC by Jiri Slaby
Modified: 2020-02-06 20:20 UTC (History)
Description Jiri Slaby 2019-05-21 11:08:51 UTC
network:libisds does not build as the build dies while running make check:
> FAIL: certificate_user_password_authentication
> ==============================================
>
> Disabling server identity verification. That was your decision.
> Connection accepted
> TLS handshake failed: Certificate is required.
> Disabling server identity verification. That was your decision.
> Connection accepted
> Client sent certificate: subject `C=CZ,CN=The Server', issuer `C=CZ,CN=The Authority', serial 0x55eb09ea03dc5d51, RSA key 2048 bits, signed using RSA-SHA256, activated `2015-09-05 15:27:39 UTC', expires `2065-08-23 15:27:43 UTC', pin-sha256="93S4S1wHWCn7JAHy0aOEGwkdFMhK2/A4QepU5TkZlz0="
> Client's certificate is valid.
> Client is not authorized: Client's distinguished name `CN=The Server,C=CZ' does not match required name `CN=The Client,C=CZ'.
> TLS handshake failed: Error in the certificate.

It only silently dies. This happens only inside KVM (i.e. on OBS). Running the test under gdb reveals that the process receives SIGPIPE:

> Program received signal SIGPIPE, Broken pipe.
> #0  0x00007ffff7b9b734 in __GI___libc_write (fd=4, buf=buf@entry=0x5555555e3f73, nbytes=nbytes@entry=24) at ../sysdeps/unix/sysv/linux/write.c:26
> #1  0x00007ffff77c1895 in sock_write (b=0x5555555d6d90, in=0x5555555e3f73 "\027\003\003", inl=24) at crypto/bio/bss_sock.c:114
> #2  0x00007ffff77bcbba in bwrite_conv (bio=<optimized out>, data=<optimized out>, datal=<optimized out>, written=0x7fffffffcc10) at crypto/bio/bio_meth.c:77
> #3  0x00007ffff77bbc13 in bio_write_intern (written=0x7fffffffcc10, dlen=24, data=0x5555555e3f73, b=0x5555555d6d90) at crypto/bio/bio_lib.c:343
> #4  bio_write_intern (b=0x5555555d6d90, data=0x5555555e3f73, dlen=24, written=0x7fffffffcc10) at crypto/bio/bio_lib.c:320
> #5  0x00007ffff77bc0b3 in BIO_write (b=<optimized out>, data=<optimized out>, dlen=<optimized out>) at crypto/bio/bio_lib.c:363
> #6  0x00007ffff704aff7 in ssl3_write_pending (s=s@entry=0x5555555da9c0, type=type@entry=21, buf=buf@entry=0x5555555d9140 "\001", len=len@entry=2, written=written@entry=0x7fffffffdd80) at ssl/record/rec_layer_s3.c:1146
> #7  0x00007ffff704bf41 in do_ssl3_write (s=s@entry=0x5555555da9c0, type=type@entry=21, buf=0x5555555d9140 "\001", pipelens=pipelens@entry=0x7fffffffdd78, numpipes=numpipes@entry=1, create_empty_fragment=create_empty_fragment@entry=0, written=0x7fffffffdd80) at ssl/record/rec_layer_s3.c:1107
> #8  0x00007ffff70559a9 in ssl3_dispatch_alert (s=0x5555555da9c0) at ssl/s3_msg.c:78
> #9  0x00007ffff7053ab5 in ssl3_shutdown (s=0x5555555da9c0) at ssl/s3_lib.c:4418
> #10 0x00007ffff705ebdf in SSL_shutdown (s=0x5555555da9c0) at ssl/ssl_lib.c:2074
> #11 0x00007ffff7a857e5 in ossl_close (connssl=<optimized out>) at vtls/openssl.c:1256
> #12 0x00007ffff7a85851 in Curl_ossl_close (conn=0x5555555d02e0, sockindex=<optimized out>) at vtls/openssl.c:1273
> #13 0x00007ffff7a3ea8e in conn_shutdown (conn=0x5555555d02e0) at url.c:684
> #14 Curl_disconnect (data=0x5555555b63d0, dead_connection=true, conn=0x5555555d02e0) at url.c:822
> #15 Curl_disconnect (data=data@entry=0x5555555b63d0, conn=conn@entry=0x5555555d02e0, dead_connection=dead_connection@entry=true) at url.c:778
> #16 0x00007ffff7a533ff in multi_done (data=data@entry=0x5555555b63d0, status=status@entry=CURLE_RECV_ERROR, premature=<optimized out>, premature@entry=true) at multi.c:627
> #17 0x00007ffff7a5496c in multi_runsingle (multi=multi@entry=0x5555555ae920, now=..., data=data@entry=0x5555555b63d0) at multi.c:1917
> #18 0x00007ffff7a55059 in curl_multi_perform (multi=multi@entry=0x5555555ae920, running_handles=running_handles@entry=0x7fffffffe184) at multi.c:2138
> #19 0x00007ffff7a4bcea in easy_transfer (multi=0x5555555ae920) at easy.c:625
> #20 easy_perform (events=false, data=0x5555555b63d0) at easy.c:719
> #21 curl_easy_perform (data=0x5555555b63d0) at easy.c:738
> #22 0x00007ffff7fbbb87 in http (context=context@entry=0x5555555ab7e0, url=url@entry=0x5555555af270 "https://127.0.0.1:34893/certds/DS/dz", use_get=use_get@entry=false, request=0x5555555b7af0, request_length=179, response=response@entry=0x7fffffffe390, response_length=0x7fffffffe398, mime_type=0x7fffffffe380, http_code=0x7fffffffe388, response_otp_headers=0x0, charset=0x0) at soap.c:912
> #23 0x00007ffff7fbc767 in http (use_get=false, charset=0x0, response_otp_headers=<optimized out>, http_code=0x7fffffffe388, mime_type=0x7fffffffe380, response_length=0x7fffffffe398, response=0x7fffffffe390, request_length=<optimized out>, request=<optimized out>, url=0x5555555af270 "https://127.0.0.1:34893/certds/DS/dz", context=0x5555555ab7e0) at soap.c:578
> #24 _isds_soap (context=context@entry=0x5555555ab7e0, file=file@entry=0x7ffff7fbefc2 "DS/dz", request=request@entry=0x5555555afa80, response_document=response_document@entry=0x0, response_node_list=response_node_list@entry=0x0, raw_response=raw_response@entry=0x0, raw_response_length=0x0) at soap.c:1226
> #25 0x00007ffff7fa5956 in isds_login (context=0x5555555ab7e0, url=0x5555555ac0f0 "https://127.0.0.1:34893/", username=0x555555560088 "douglas", password=0x555555560090 "42", pki_credentials=0x7fffffffe520, otp=<optimized out>) at isds.c:1459
> #26 0x00005555555580d2 in test_login (error=IE_SECURITY, context=0x5555555ab7e0, url=<optimized out>, username=<optimized out>, password=<optimized out>, pki_credentials=<optimized out>, otp=0x0) at certificate_user_password_authentication.c:37
> #27 0x0000555555557aa7 in main () at certificate_user_password_authentication.c:127

I.e. openssl tried to write to a dead socket (from lsof):
> certifica 8963 abuild    4u     sock    0,9      0t0  31810 protocol: TCP

To me, it seems that curl should not invoke openssl when the socket is dead already.
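The backtrace above shows the mechanism that kills the test: the peer has already reset the connection (SSL_read reports ECONNRESET), curl tears the connection down, and on the way out OpenSSL's SSL_shutdown() tries to send a close_notify alert through a plain socket BIO. A write() to a socket whose peer is gone raises SIGPIPE, and with the default disposition that terminates the process. The following is an added example, not code from libisds, curl or OpenSSL, showing the two defences a process has: write with MSG_NOSIGNAL so the condition surfaces as EPIPE instead of a signal, and check the socket state with poll() before writing at all. It stands in an AF_UNIX socketpair for the reset TCP connection (a closed peer shows up as POLLHUP; a reset TCP peer shows up as POLLERR with SO_ERROR set to ECONNRESET); the function names are this example's own.

```c
// Added example (not libisds, curl or OpenSSL code): avoiding death by SIGPIPE
// when writing to a socket whose peer is already gone. An AF_UNIX socketpair is
// used as a stand-in for the reset TCP connection in the bug report.
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Report whether the kernel already knows the peer is gone: POLLHUP after the
 * peer closed, POLLERR after a TCP RST (SO_ERROR would then read ECONNRESET).
 * A zero timeout means poll() only reports current state and never blocks.
 * Returns 1 if dead, 0 if usable, -1 if poll() itself failed. */
int socket_is_dead(int fd)
{
    struct pollfd p = { .fd = fd, .events = POLLOUT, .revents = 0 };
    int rc = poll(&p, 1, 0);
    if (rc < 0)
        return -1;
    if (p.revents & (POLLERR | POLLHUP | POLLNVAL))
        return 1;
    return 0;
}

/* Write without risking SIGPIPE. MSG_NOSIGNAL turns the signal into a plain
 * EPIPE return; where it is unavailable, the caller must ignore SIGPIPE
 * process-wide instead. Returns bytes written, or -errno on failure. */
ssize_t write_nosigpipe(int fd, const void *buf, size_t len)
{
    ssize_t n = send(fd, buf, len, MSG_NOSIGNAL);
    return n < 0 ? -errno : n;
}

/* Demonstration: the peer closes, then we try to send a 2-byte "alert", which
 * is what SSL_shutdown() does with close_notify. Returns the errno we got back
 * instead of being killed (EPIPE expected), 0 if the send unexpectedly worked,
 * -1 if the socketpair could not be created. */
int demo_write_after_peer_closed(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    close(sv[1]);                       /* the peer disappears */
    ssize_t n = write_nosigpipe(sv[0], "\x01\x00", 2);
    close(sv[0]);
    return n < 0 ? (int)-n : 0;
}

/* Demonstration: the pre-write check sees a live peer before the close and a
 * dead one after it, so a shutdown path can skip the write altogether.
 * Returns 1 when both observations are as expected, 0 otherwise. */
int demo_detect_dead_peer(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 0;
    int before = socket_is_dead(sv[0]);
    close(sv[1]);
    int after = socket_is_dead(sv[0]);
    close(sv[0]);
    return before == 0 && after == 1;
}

int main(void)
{
    int err = demo_write_after_peer_closed();
    printf("send() after peer close: %s\n", err > 0 ? strerror(err) : "no error");
    printf("dead-peer detection: %s\n", demo_detect_dead_peer() ? "works" : "failed");
    return 0;
}
```

Two related knobs on the real stack: OpenSSL's SSL_set_quiet_shutdown(ssl, 1) makes SSL_shutdown() mark the connection closed without sending close_notify at all, which removes the write shown in frame #8 of the backtrace, and libcurl's CURLOPT_NOSIGNAL (documented as making libcurl not ask the system to ignore SIGPIPE when set to 1) decides whether libcurl shields its own transfers from the signal; an application that sets it must ignore SIGPIPE itself.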
Comment 1 Jiri Slaby 2019-05-21 11:22:42 UTC
And enabling curl debug:
[   76s] upload completely sent off: 179 out of 179 bytes
[   76s] OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 104
[   76s] Closing connection 0
[   76s] (304) (OUT), TLS Unknown, Unknown (21):
[   76s] 
[   76s] Program received signal SIGPIPE, Broken pipe.

errno 104 is ECONNRESET.
Comment 2 Jiri Slaby 2019-05-22 11:15:56 UTC
Downgrading curl does *not* help.

Downgrading openssl-1_1 does help!

Revision 6 of openssl-1_1 broke isds' build:
https://build.opensuse.org/package/rdiff/openSUSE:Factory/openssl-1_1?linkrev=base&rev=6

I.e. the update from 1.1.0h to 1.1.1b.

So linking revision 5 and making curl and isds build against it makes it build again:
https://build.suse.de/project/monitor/home:jirislaby:isds

Any idea -- the update was huge?
Comment 3 Vítězslav Čížek 2019-05-22 11:35:51 UTC
(In reply to Jiri Slaby from comment #2)
> I.e. the update from 1.1.0h to 1.1.1b.
> 
> Any idea -- the update was huge?

It's a big change indeed. It took 8 months to fix packages broken by the update in the staging.
The main difference is TLS 1.3. OpenSSL 1.1.1 implements TLS 1.3 and uses it by default.

(In reply to Jiri Slaby from comment #0)
> network:libisds does not build as the build dies while running make check:
> > FAIL: certificate_user_password_authentication

The client user authentication is performed after the handshake in TLS 1.3. I think the failure has something to do with that.

I'll have a look later today.
Comment 4 Pedro Monreal Gonzalez 2019-05-22 18:48:16 UTC
Builds fine disabling openssl-backend:
-  --enable-openssl-backend
+  --disable-openssl-backend

Note that it uses gpgme by default, see https://repo.or.cz/w/libisds.git/blob/HEAD:/NEWS

I'll submit the fix now.
Comment 5 Pedro Monreal Gonzalez 2019-05-22 19:01:02 UTC
Submitted:
https://build.opensuse.org/request/show/704823
Comment 6 Jiri Slaby 2019-05-24 08:29:42 UTC
So fixed as of now.
Comment 7 Swamp Workflow Management 2020-01-29 11:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (1135761) was mentioned in
https://build.opensuse.org/request/show/768268 15.1 / libisds
Comment 8 Swamp Workflow Management 2020-02-04 14:15:20 UTC
openSUSE-RU-2020:0161-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1135761
CVE References: 
Sources used:
openSUSE Leap 15.1 (src):    libisds-0.11-lp151.2.3.1
Comment 9 Swamp Workflow Management 2020-02-06 20:20:41 UTC
openSUSE-RU-2020:0177-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1135761
CVE References: 
Sources used:
openSUSE Backports SLE-15-SP1 (src):    libisds-0.11-bp151.5.3.1