mirror of
https://repo.or.cz/socat.git
synced 2024-12-22 23:42:34 +00:00
OpenSSL server could be crashed by client cert with IPv6 address in SubjectAltname
This commit is contained in:
parent
e9c055b750
commit
1477334905
3 changed files with 72 additions and 9 deletions
7
CHANGES
7
CHANGES
|
@ -13,6 +13,13 @@ Corrections:
|
||||||
A VSOCK warning message was generated with all listening addresses
|
A VSOCK warning message was generated with all listening addresses
|
||||||
instead of only with VSOCK-LISTEN
|
instead of only with VSOCK-LISTEN
|
||||||
|
|
||||||
|
When an OPENSSL-CONNECT client presented a certificate with IPv6
|
||||||
|
subject alternate name and the OPENSSL-LISTEN server had no commonname
|
||||||
|
option, the server crashed with SIGSEGV in xioip6_pton().
|
||||||
|
Test: OPENSSL_CLIENT_IP6_CN
|
||||||
|
Red Hat bug 1981308
|
||||||
|
Thanks to Vlad Slepukhin for reporting this issue and providing a patch
|
||||||
|
|
||||||
Testing:
|
Testing:
|
||||||
Prevent the TIMESTAMP tests from sporadically failing due do seconds
|
Prevent the TIMESTAMP tests from sporadically failing due do seconds
|
||||||
overflow
|
overflow
|
||||||
|
|
54
test.sh
54
test.sh
|
@ -15040,6 +15040,60 @@ PORT=$((PORT+1))
|
||||||
N=$((N+1))
|
N=$((N+1))
|
||||||
|
|
||||||
|
|
||||||
|
# Bug fix, OpenSSL server could be crashed by client cert with IPv6 address in SubjectAltname
|
||||||
|
NAME=OPENSSL_CLIENT_IP6_CN
|
||||||
|
case "$TESTS" in
|
||||||
|
*%$N%*|*%functions%*|*%bugs%*|*%openssl%*|*%ip6%*|*%socket%*|*%$NAME%*)
|
||||||
|
TEST="$NAME: Test if OpenSSL server may be crashed by client cert with IPv6 address"
|
||||||
|
# Socat 1.7.4.1 had a bug that caused OpenSSL server to crash with SIGSEGV when
|
||||||
|
# it checked a client certificate containing IPv6 address in SubjectAltName and
|
||||||
|
# no openssl-commonname option was given
|
||||||
|
if ! eval $NUMCOND; then :;
|
||||||
|
elif ! testfeats openssl >/dev/null; then
|
||||||
|
$PRINTF "test $F_n $TEST... ${YELLOW}OPENSSL not available${NORMAL}\n" $N
|
||||||
|
numCANT=$((numCANT+1))
|
||||||
|
listCANT="$listCANT $N"
|
||||||
|
elif ! testfeats tcp ip4 >/dev/null || ! runsip4 >/dev/null; then
|
||||||
|
$PRINTF "test $F_n $TEST... ${YELLOW}TCP/IPv4 not available${NORMAL}\n" $N
|
||||||
|
numCANT=$((numCANT+1))
|
||||||
|
listCANT="$listCANT $N"
|
||||||
|
else
|
||||||
|
gentestcert testsrv
|
||||||
|
gentestaltcert testalt
|
||||||
|
tf="$td/test$N.stdout"
|
||||||
|
te="$td/test$N.stderr"
|
||||||
|
tdiff="$td/test$N.diff"
|
||||||
|
da="test$N $(date) $RANDOM"
|
||||||
|
CMD0="$TRACE $SOCAT $opts -u OPENSSL-LISTEN:$PORT,reuseaddr,cert=./testsrv.pem,cafile=./testalt.crt -"
|
||||||
|
CMD1="$TRACE $SOCAT $opts -u - OPENSSL-CONNECT:localhost:$PORT,cafile=testsrv.crt,cert=testalt.pem,verify=0"
|
||||||
|
printf "test $F_n $TEST... " $N
|
||||||
|
$CMD0 >/dev/null >"${tf}0" 2>"${te}0" &
|
||||||
|
pid0=$!
|
||||||
|
waittcp4port $PORT 1
|
||||||
|
echo "$da" |$CMD1 2>"${te}1"
|
||||||
|
rc1=$?
|
||||||
|
kill $pid0 2>/dev/null; wait
|
||||||
|
if [ $rc1 -eq 0 ] && echo "$da" |diff - "${tf}0" >$tdiff; then
|
||||||
|
$PRINTF "$OK\n"
|
||||||
|
numOK=$((numOK+1))
|
||||||
|
else
|
||||||
|
$PRINTF "$FAILED\n"
|
||||||
|
echo "$CMD0 &" >&2
|
||||||
|
cat "${te}0" >&2
|
||||||
|
echo "$CMD1" >&2
|
||||||
|
cat "${te}1" >&2
|
||||||
|
numFAIL=$((numFAIL+1))
|
||||||
|
listFAIL="$listFAIL $N"
|
||||||
|
fi
|
||||||
|
fi # NUMCOND
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
PORT=$((PORT+1))
|
||||||
|
N=$((N+1))
|
||||||
|
|
||||||
|
|
||||||
|
# end of common tests
|
||||||
|
|
||||||
##################################################################################
|
##################################################################################
|
||||||
#=================================================================================
|
#=================================================================================
|
||||||
# here come tests that might affect your systems integrity. Put normal tests
|
# here come tests that might affect your systems integrity. Put normal tests
|
||||||
|
|
|
@ -1775,6 +1775,7 @@ static int openssl_handle_peer_certificate(struct single *xfd,
|
||||||
#if WITH_IP6
|
#if WITH_IP6
|
||||||
case 16: /* IPv6 */
|
case 16: /* IPv6 */
|
||||||
inet_ntop(AF_INET6, data, aBuffer, sizeof(aBuffer));
|
inet_ntop(AF_INET6, data, aBuffer, sizeof(aBuffer));
|
||||||
|
if (peername != NULL) {
|
||||||
xioip6_pton(peername, &ip6bin);
|
xioip6_pton(peername, &ip6bin);
|
||||||
if (memcmp(data, &ip6bin, sizeof(ip6bin)) == 0) {
|
if (memcmp(data, &ip6bin, sizeof(ip6bin)) == 0) {
|
||||||
Debug2("subjectAltName \"%s\" matches peername \"%s\"",
|
Debug2("subjectAltName \"%s\" matches peername \"%s\"",
|
||||||
|
@ -1784,6 +1785,7 @@ static int openssl_handle_peer_certificate(struct single *xfd,
|
||||||
Info2("subjectAltName \"%s\" does not match peername \"%s\"",
|
Info2("subjectAltName \"%s\" does not match peername \"%s\"",
|
||||||
aBuffer, peername);
|
aBuffer, peername);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue