Description: sslh doesn't take -v INT anymore; it takes --verbose
Forwarded: not yet
Origin: vendor
Author: Don Armstrong <don@debian.org>
--- a/t
+++ b/t
@@ -9,6 +9,7 @@
use strict;
use IO::Socket::INET6;
use IO::Socket::INET;
+use Socket qw/MSG_DONTWAIT/;
use Test::More qw/no_plan/;
use File::Temp qw(tempdir);
# Because nothing else in Debian uses Conf::Libconfig, and I
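Review bot: `MSG_DONTWAIT` is imported on the new `use Socket qw/MSG_DONTWAIT/;` line, but none of the hunks in this patch references it; the only new socket call, `$cnx_h->send($test_data)` in the SSL/SSH mix test, passes no flags. If it is a leftover from a non-blocking read or send experiment, the import should be dropped so the script does not advertise behaviour it does not have. If non-blocking I/O was intended, the flag has to be passed explicitly on the call, and that change should be stated in the Description header.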
@@ -17,10 +18,14 @@
my %used_ports;
+# The error verbose options are already set, enable these as well during testing
+my $verbose_opts = "--verbose-config=1 --verbose-connections=1 --verbose-packets=1 --verbose-probe-info=1";
+
+
sub get_unused_port {
my $sock = IO::Socket::INET->new(
Listen => 1,
- LocalAddr => 'localhost',
+ LocalAddr => '127.0.0.1',
ReuseAddr => 1,
);
my $port = $sock->sockport();
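Review bot: The comment above `$verbose_opts` should say where the string is used: it is only interpolated into the `exec "./sslh-select $verbose_opts ..."` invocations of the error-path tests later in this patch, while the main `./$binary -f -u $user -F test.cfg` launch (the `-v 4` removal hunk) gets the equivalent settings from the generated test.cfg. Suggest `# Verbosity flags for the sslh-select runs that use no config file; test.cfg sets the same options for the main instance` in place of the current comment, whose "are already set" is hard to follow without that context.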
@@ -34,15 +39,15 @@
my $conf =
{protocols =>
- [{ name => "ssh", host => "localhost"},#, fork => 1, transparent => 1},
- { name => "socks5", host => "localhost", },
- { name => "http", host => "localhost", , },
- { name => "tinc", host => "localhost", , },
- { name => "openvpn", host => "localhost",, },
- { name => "xmpp", host => "localhost", },
- { name => "adb", host => "localhost"},
- { name => "syslog", host => "localhost"},
- { name => "regex", host => "localhost",
+ [{ name => "ssh", host => "127.0.0.1"},#, fork => 1, transparent => 1},
+ { name => "socks5", host => "127.0.0.1", },
+ { name => "http", host => "127.0.0.1", , },
+ { name => "tinc", host => "127.0.0.1", , },
+ { name => "openvpn", host => "127.0.0.1",, },
+ { name => "xmpp", host => "127.0.0.1", },
+ { name => "adb", host => "127.0.0.1"},
+ { name => "syslog", host => "127.0.0.1"},
+ { name => "regex", host => "127.0.0.1",
regex_patterns => [ "^foo", "^bar"],
minlength => 4,
test_patterns => [{pattern => "foo", result => "ssh"},
@@ -50,12 +55,12 @@
{pattern => "bar", result => "ssh"},
{pattern => "barr", result => "regex"},
{pattern => "barrr", result => "regex"},],},
- { name => "tls", host => "localhost", , alpn_protocols => [ "alpn1", "alpn2" ], sni_hostnames => [ "sni1" ], },
- { name => "tls", host => "localhost", alpn_protocols => [ "alpn1", "alpn2" ], sni_hostnames => [ "sni2", "sni3" ], },
- { name => "tls", host => "localhost", alpn_protocols => [ "alpn3" ], },
- { name => "tls", host => "localhost", sni_hostnames => [ "sni3" ], },
- { name => "tls", host => "localhost", },
- { name => "anyprot", host => "localhost", }],
+ { name => "tls", host => "127.0.0.1", , alpn_protocols => [ "alpn1", "alpn2" ], sni_hostnames => [ "sni1" ], },
+ { name => "tls", host => "127.0.0.1", alpn_protocols => [ "alpn1", "alpn2" ], sni_hostnames => [ "sni2", "sni3" ], },
+ { name => "tls", host => "127.0.0.1", alpn_protocols => [ "alpn3" ], },
+ { name => "tls", host => "127.0.0.1", sni_hostnames => [ "sni3" ], },
+ { name => "tls", host => "127.0.0.1", },
+ { name => "anyprot", host => "127.0.0.1", }],
};
my $no_listen = get_unused_port(); # Port on which no-one listens
@@ -129,7 +134,7 @@
sub test_probe {
my (%opts) = @_;
- my $cnx = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
+ my $cnx = new IO::Socket::INET(PeerHost => "127.0.0.1:$sslh_port");
warn "Unable to open socket to $sslh_port $!\n" unless $cnx;
return unless $cnx;
@@ -181,7 +186,7 @@
data => "GET index.html HTTP/1.1",
no_frag => 1 },
'tls' => {
- # Packet with SNI and ALPN (`openssl s_client -connect localhost:443 -alpn alpn1 -servername sni1`)
+ # Packet with SNI and ALPN (`openssl s_client -connect 127.0.0.1:443 -alpn alpn1 -servername sni1`)
data_sni_alpn => "\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03\x03\x19\x01\x00\x40\x14\x13\xcc\x1b\x94\xad\x20\x5d\x13\x1a\x8d\xd2\x65\x23\x70\xde\xd1\x3c\x5d\x05\x19\xcb\x27\x0d\x7c\x2c\x89\x00\x00\x38\xc0\x2c\xc0\x30\x00\x9f\xcc\xa9\xcc\xa8\xcc\xaa\xc0\x2b\xc0\x2f\x00\x9e\xc0\x24\xc0\x28\x00\x6b\xc0\x23\xc0\x27\x00\x67\xc0\x0a\xc0\x14\x00\x39\xc0\x09\xc0\x13\x00\x33\x00\x9d\x00\x9c\x00\x3d\x00\x3c\x00\x35\x00\x2f\x00\xff\x01\x00\x00\x5f\x00\x00\x00\x09\x00\x07\x00\x00\x04\$sni\x00\x0b\x00\x04\x03\x00\x01\x02\x00\x0a\x00\x0a\x00\x08\x00\x1d\x00\x17\x00\x19\x00\x18\x00\x23\x00\x00\x00\x0d\x00\x20\x00\x1e\x06\x01\x06\x02\x06\x03\x05\x01\x05\x02\x05\x03\x04\x01\x04\x02\x04\x03\x03\x01\x03\x02\x03\x03\x02\x01\x02\x02\x02\x03\x00\x10\x00\x08\x00\x06\x05\$alpn\x00\x16\x00\x00\x00\x17\x00\x00hello sni/alpn",
# Packet with SNI alone
data_sni => "\x16\x03\x01\x00\xb8\x01\x00\x00\xb4\x03\x03\x97\xe4\xe9\xad\x86\xe1\x21\xfd\xc4\x5b\x27\x0e\xad\x4b\x55\xc2\x50\xe4\x1c\x86\x2f\x37\x25\xde\xe8\x9c\x59\xfc\x1b\xa9\x37\x32\x00\x00\x38\xc0\x2c\xc0\x30\x00\x9f\xcc\xa9\xcc\xa8\xcc\xaa\xc0\x2b\xc0\x2f\x00\x9e\xc0\x24\xc0\x28\x00\x6b\xc0\x23\xc0\x27\x00\x67\xc0\x0a\xc0\x14\x00\x39\xc0\x09\xc0\x13\x00\x33\x00\x9d\x00\x9c\x00\x3d\x00\x3c\x00\x35\x00\x2f\x00\xff\x01\x00\x00\x53\x00\x00\x00\x09\x00\x07\x00\x00\x04\$sni\x00\x0b\x00\x04\x03\x00\x01\x02\x00\x0a\x00\x0a\x00\x08\x00\x1d\x00\x17\x00\x19\x00\x18\x00\x23\x00\x00\x00\x0d\x00\x20\x00\x1e\x06\x01\x06\x02\x06\x03\x05\x01\x05\x02\x05\x03\x04\x01\x04\x02\x04\x03\x03\x01\x03\x02\x03\x03\x02\x01\x02\x02\x02\x03\x00\x16\x00\x00\x00\x17\x00\x00hello sni",
@@ -268,7 +273,10 @@
# Configuration file for testing (use both by sslh under
# test and the test script `t`)
-verbose: 4;
+verbose-config: 1
+verbose-connections: 1
+verbose-packets: 1
+verbose-probe-info: 1
foreground: true;
inetd: false;
numeric: true;
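Review bot: The four added `verbose-*` settings have no `;` terminator, while every other setting in this generated libconfig file (`foreground: true;`, `inetd: false;`, `numeric: true;`) has one, and the `verbose: 4;` line being replaced had it too. As far as I know the terminator became optional only in recent libconfig releases, so whether sslh's parser accepts the bare form depends on the version it is built against; the consistent and safe form is `verbose-config: 1;` and likewise for the other three lines.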
@@ -283,39 +291,39 @@
# Options:
listen:
(
- { host: "localhost"; port: "$sslh_port"; keepalive: true; },
- { host: "localhost"; port: "$sslh_port2"; keepalive: true; },
- { host: "localhost"; is_udp: true; port: "$sslh_port3"; }
+ { host: "127.0.0.1"; port: "$sslh_port"; keepalive: true; },
+ { host: "127.0.0.1"; port: "$sslh_port2"; keepalive: true; }
+ # { host: "127.0.0.1"; is_udp: true; port: "$sslh_port3"; }
);
protocols:
(
- { name: "ssh"; host: "localhost"; port: "$conf->{protocols}[0]{port}"; },
- { name: "socks5"; host: "localhost"; port: "$conf->{protocols}[1]{port}"; },
- { name: "http"; host: "localhost"; port: "$conf->{protocols}[2]{port}"; },
- { name: "tinc"; host: "localhost"; port: "$conf->{protocols}[3]{port}"; },
- { name: "openvpn"; host: "localhost"; port: "$conf->{protocols}[4]{port}"; },
- { name: "xmpp"; host: "localhost"; port: "$conf->{protocols}[5]{port}"; },
- { name: "adb"; host: "localhost"; port: "$conf->{protocols}[6]{port}"; },
- { name: "syslog"; host: "localhost"; port: "$conf->{protocols}[7]{port}"; },
- { name: "regex"; host: "localhost"; port: "$conf->{protocols}[8]{port}";
+ { name: "ssh"; host: "127.0.0.1"; port: "$conf->{protocols}[0]{port}"; },
+ { name: "socks5"; host: "127.0.0.1"; port: "$conf->{protocols}[1]{port}"; },
+ { name: "http"; host: "127.0.0.1"; port: "$conf->{protocols}[2]{port}"; },
+ { name: "tinc"; host: "127.0.0.1"; port: "$conf->{protocols}[3]{port}"; },
+ { name: "openvpn"; host: "127.0.0.1"; port: "$conf->{protocols}[4]{port}"; },
+ { name: "xmpp"; host: "127.0.0.1"; port: "$conf->{protocols}[5]{port}"; },
+ { name: "adb"; host: "127.0.0.1"; port: "$conf->{protocols}[6]{port}"; },
+ { name: "syslog"; host: "127.0.0.1"; port: "$conf->{protocols}[7]{port}"; },
+ { name: "regex"; host: "127.0.0.1"; port: "$conf->{protocols}[8]{port}";
regex_patterns: [ "^foo", "^bar" ];
minlength: 4;
- test_patterns: ( # this is used by the test script, not by sslh
- { pattern: "foo"; result: "ssh"; }, # After timeout
- { pattern: "fooo"; result: "regex"; },
- { pattern: "bar"; result: "ssh"; },
- { pattern: "barr"; result: "regex"; },
- { pattern: "barrrr"; result: "regex"; }
- );
+# test_patterns: ( # this is used by the test script, not by sslh
+# { pattern: "foo"; result: "ssh"; }, # After timeout
+# { pattern: "fooo"; result: "regex"; },
+# { pattern: "bar"; result: "ssh"; },
+# { pattern: "barr"; result: "regex"; },
+# { pattern: "barrrr"; result: "regex"; }
+# );
},
- { name: "tls"; host: "localhost"; port: "$conf->{protocols}[9]{port}"; alpn_protocols: [ "alpn1", "alpn2" ]; sni_hostnames: [ "sni1" ]; },
- { name: "tls"; host: "localhost"; port: "$conf->{protocols}[10]{port}"; alpn_protocols: [ "alpn1", "alpn2" ]; sni_hostnames: [ "sni2", "sni3" ]; },
- { name: "tls"; host: "localhost"; port: "$conf->{protocols}[11]{port}"; alpn_protocols: [ "alpn3" ]; },
- { name: "tls"; host: "localhost"; port: "$conf->{protocols}[12]{port}"; sni_hostnames: [ "sni3" ]; },
- { name: "tls"; host: "localhost"; port: "$conf->{protocols}[13]{port}"; },
- { name: "anyprot"; host: "localhost"; port: "$conf->{protocols}[14]{port}"; }
+ { name: "tls"; host: "127.0.0.1"; port: "$conf->{protocols}[9]{port}"; alpn_protocols: [ "alpn1", "alpn2" ]; sni_hostnames: [ "sni1" ]; },
+ { name: "tls"; host: "127.0.0.1"; port: "$conf->{protocols}[10]{port}"; alpn_protocols: [ "alpn1", "alpn2" ]; sni_hostnames: [ "sni2", "sni3" ]; },
+ { name: "tls"; host: "127.0.0.1"; port: "$conf->{protocols}[11]{port}"; alpn_protocols: [ "alpn3" ]; },
+ { name: "tls"; host: "127.0.0.1"; port: "$conf->{protocols}[12]{port}"; sni_hostnames: [ "sni3" ]; },
+ { name: "tls"; host: "127.0.0.1"; port: "$conf->{protocols}[13]{port}"; },
+ { name: "anyprot"; host: "127.0.0.1"; port: "$conf->{protocols}[14]{port}"; }
);
on_timeout: "ssh";
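Review bot: The UDP listener (`# { host: "127.0.0.1"; is_udp: true; port: "$sslh_port3"; }`) and the whole `test_patterns` block are commented out without any explanation, and neither change is covered by the Description header, which only mentions the `-v INT` to `--verbose` switch. Disabling the listener silently drops UDP coverage from the test, and `$sslh_port3` is presumably still allocated but now unused. Please add a one-line reason above each, e.g. `# UDP listener disabled: <reason placeholder>`, and mention both in the Description, or delete the lines instead of leaving commented-out config.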
@@ -332,7 +340,7 @@
my ($sslh_pid, $valgrind);
if (!($sslh_pid = fork)) {
my $user = (getpwuid $<)[0]; # Run under current username
- my $cmd = "./$binary -v 4 -f -u $user -F test.cfg";
+ my $cmd = "./$binary -f -u $user -F test.cfg";
#$valgrind = 1;
#$cmd = "valgrind --leak-check=full $cmd";
verbose_exec $cmd;
@@ -349,7 +357,7 @@
# Test: Shy SSH connection
if ($SSH_SHY_CNX) {
print "***Test: Shy SSH connection\n";
- my $cnx_h = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
+ my $cnx_h = new IO::Socket::INET(PeerHost => "127.0.0.1:$sslh_port");
warn "Unable to connect to sslh_port:$sslh_port $!\n" unless $cnx_h;
if (defined $cnx_h) {
sleep 13;
@@ -362,20 +370,24 @@
# Test: One SSL half-started then one SSH
if ($SSL_MIX_SSH) {
print "***Test: One SSL half-started then one SSH\n";
- my $cnx_l = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
+ my $cnx_l = new IO::Socket::INET(PeerHost => "127.0.0.1:$sslh_port");
warn "Unable to connect to sslh_port $sslh_port: $!\n" unless $cnx_l;
if (defined $cnx_l) {
print $cnx_l $ssl_test_data;
- my $cnx_h= new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
+ my $cnx_h= new IO::Socket::INET(PeerHost => "127.0.0.1:$sslh_port");
warn "Unable to connect to sslh_port $sslh_port: $!\n" unless $cnx_h;
if (defined $cnx_h) {
- sleep 3;
- print $cnx_h $test_data;
+ warn("going to print data to $cnx_h");
+ $cnx_h->send($test_data);
+ warn("printed data to $cnx_h");
+ # sleep 3;
my $data_h = <$cnx_h>;
+ warn("waiting for data at $cnx_h");
my_is($data_h, "ssh: $test_data", "$binary: SSH during SSL being established");
}
my $data;
my $n = sysread $cnx_l, $data, 1024;
+ warn("reading data from tls");
my_is($data, "tls: $ssl_test_data", "$binary: SSL connection interrupted by SSH");
}
}
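Review bot: The new `warn("waiting for data at $cnx_h")` is placed after `my $data_h = <$cnx_h>;`, so it prints once the read has already returned, and `warn("reading data from tls")` likewise follows the `sysread`; both messages describe a state that has passed. Move each `warn` to the line before the read it annotates, or drop them together with the `going to print`/`printed data` pair, which read as leftover debugging output (`$cnx_h` interpolates as a glob reference, not anything a reader can use). The `# sleep 3;` left here and in the next hunk (the SSH-then-SSL test) should either be deleted or carry a comment saying why the delay is no longer needed, since the sleep presumably gave the first connection time to be half-established before the second one arrived.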
@@ -383,11 +395,11 @@
# Test: One SSH half-started then one SSL
if ($SSH_MIX_SSL) {
print "***Test: One SSH half-started then one SSL\n";
- my $cnx_h = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
+ my $cnx_h = new IO::Socket::INET(PeerHost => "127.0.0.1:$sslh_port");
warn "Unable to open sslh_port:$sslh_port $!\n" unless $cnx_h;
if (defined $cnx_h) {
- sleep 3;
- my $cnx_l = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
+ # sleep 3;
+ my $cnx_l = new IO::Socket::INET(PeerHost => "127.0.0.1:$sslh_port");
warn "$!\n" unless $cnx_l;
if (defined $cnx_l) {
print $cnx_l $ssl_test_data;
@@ -404,7 +416,7 @@
# Test: Drop connection without writing anything
if ($DROP_CNX) {
print "***Test: Connect but don't write anything\n";
- my $cnx_h = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
+ my $cnx_h = new IO::Socket::INET(PeerHost => "127.0.0.1:$sslh_port");
warn "$!\n" unless $cnx_h;
if ($cnx_h) {
close $cnx_h;
@@ -434,13 +446,13 @@
print "***Test: Connecting to non-existant server\n";
my $sslh_pid;
if (!($sslh_pid = fork)) {
- exec "./sslh-select -v 3 -f -u $user --listen localhost:$sslh_port --ssh localhost:$no_listen --tls localhost:$no_listen -P $pidfile";
+ exec "./sslh-select $verbose_opts -f -u $user --listen 127.0.0.1:$sslh_port --ssh 127.0.0.1:$no_listen --tls 127.0.0.1:$no_listen -P $pidfile";
}
warn "spawned $sslh_pid\n";
sleep 1;
- my $cnx_h = new IO::Socket::INET(PeerHost => "localhost:$sslh_port");
+ my $cnx_h = new IO::Socket::INET(PeerHost => "127.0.0.1:$sslh_port");
warn "$!\n" unless $cnx_h;
if (defined $cnx_h) {
sleep 1;
@@ -467,7 +479,7 @@
print "***Test: No hostname in address\n";
my $sslh_pid;
if (!($sslh_pid = fork)) {
- exec "./sslh-select -v 3 -f -u $user --listen $sslh_port --ssh $ssh_address --tls $ssl_address -P $pidfile";
+ exec "./sslh-select $verbose_opts -f -u $user --listen $sslh_port --ssh $ssh_address --tls $ssl_address -P $pidfile";
}
warn "spawned $sslh_pid\n";
waitpid $sslh_pid, 0;
@@ -481,7 +493,7 @@
print "***Test: Changing to non-existant username\n";
my $sslh_pid;
if (!($sslh_pid = fork)) {
- exec "./sslh-select -v 3 -f -u ${user}_doesnt_exist --listen localhost:$no_listen --ssh $ssh_address --tls $ssl_address -P $pidfile";
+ exec "./sslh-select $verbose_opts -f -u ${user}_doesnt_exist --listen 127.0.0.1:$no_listen --ssh $ssh_address --tls $ssl_address -P $pidfile";
}
warn "spawned $sslh_pid\n";
waitpid $sslh_pid, 0;
@@ -495,7 +507,7 @@
print "***Test: Can't open PID file\n";
my $sslh_pid;
if (!($sslh_pid = fork)) {
- exec "./sslh-select -v 3 -f -u $user --listen localhost:$no_listen --ssh $ssh_address --tls $ssl_address -P /dont_exist/$pidfile";
+ exec "./sslh-select $verbose_opts -f -u $user --listen 127.0.0.1:$no_listen --ssh $ssh_address --tls $ssl_address -P /dont_exist/$pidfile";
# You don't have a /dont_exist/ directory, do you?!
}
warn "spawned $sslh_pid\n";
@@ -511,7 +523,7 @@
my $sslh_pid;
if (!($sslh_pid = fork)) {
my $user = (getpwuid $<)[0]; # Run under current username
- exec "./sslh-select -v 3 -f -u $user --listen blahblah.nonexistent:9000 --ssh $ssh_address --tls $ssl_address -P $pidfile";
+ exec "./sslh-select $verbose_opts -f -u $user --listen blahblah.nonexistent:9000 --ssh $ssh_address --tls $ssl_address -P $pidfile";
}
warn "spawned $sslh_pid\n";
waitpid $sslh_pid, 0;
@@ -527,17 +539,17 @@
if (!($sslh_pid = fork)) {
my $user = (getpwuid $<)[0]; # Run under current username
# This doesn't test --inetd
- exec "./sslh-select -v 3 -f -u $user -P $pidfile".
+ exec "./sslh-select $verbose_opts -f -u $user -P $pidfile".
" -n --timeout 10 -C /tmp".
" --syslog-facility auth --on-timeout ssh".
- " --listen localhost:$no_listen --ssh $ssh_address --tls $ssl_address".
- " --openvpn localhost:$no_listen".
- " --tinc localhost:$no_listen".
- " --xmpp localhost:$no_listen".
- " --http localhost:$no_listen".
- " --adb localhost:$no_listen".
- " --socks5 localhost:$no_listen".
- " --anyprot localhost:$no_listen";
+ " --listen 127.0.0.1:$no_listen --ssh $ssh_address --tls $ssl_address".
+ " --openvpn 127.0.0.1:$no_listen".
+ " --tinc 127.0.0.1:$no_listen".
+ " --xmpp 127.0.0.1:$no_listen".
+ " --http 127.0.0.1:$no_listen".
+ " --adb 127.0.0.1:$no_listen".
+ " --socks5 127.0.0.1:$no_listen".
+ " --anyprot 127.0.0.1:$no_listen";
exit 0;
}
warn "spawned $sslh_pid\n";
@@ -555,10 +567,10 @@
if (!($sslh_pid = fork)) {
my $user = (getpwuid $<)[0]; # Run under current username
# This doesn't test --inetd
- exec "./sslh-select -v 3 -f -u $user -P $pidfile".
+ exec "./sslh-select $verbose_opts -f -u $user -P $pidfile".
" -n --timeout 10 -C /tmp".
" --fakeoption".
- " --anyprot localhost:$no_listen";
+ " --anyprot 127.0.0.1:$no_listen";
exit 0;
}
warn "spawned $sslh_pid\n";