diff --git a/CHANGES b/CHANGES index 7b9125b..d8a75fe 100644 --- a/CHANGES +++ b/CHANGES @@ -75,6 +75,10 @@ corrections: could lead to sporadic data loss when both fork option and exec address were used. Thanks to Tetsuya Sodo for reporting this problem and sending a patch + + OpenSSL server failed with "no shared cipher" when using cipher aNULL. + Fixed by providing temporary DH parameters. Thanks to Philip Rowlands + for drawing my attention to this issue. docu mentions option so-bindtodev but correct name is so-bindtodevice. Thanks to Jim Zimmerman for reporting. diff --git a/test.sh b/test.sh index a82f9db..9bbfb78 100755 --- a/test.sh +++ b/test.sh 
@@ -10912,6 +10912,50 @@ fi # NUMCOND esac N=$((N+1)) + +NAME=OPENSSL_ANULL +case "$TESTS" in +*%functions%*|*%openssl%*|*%tcp%*|*%tcp4%*|*%ip4%*|*%$NAME%*) +TEST="$NAME: OpenSSL server with cipher aNULL " +if ! eval $NUMCOND; then :; +elif ! testaddrs openssl >/dev/null; then + $PRINTF "test $F_n $TEST... ${YELLOW}OPENSSL not available${NORMAL}\n" $N + numCANT=$((numCANT+1)) +elif ! testaddrs listen tcp ip4 >/dev/null || ! runsip4 >/dev/null; then + $PRINTF "test $F_n $TEST... ${YELLOW}TCP/IPv4 not available${NORMAL}\n" $N + numCANT=$((numCANT+1)) +else +tf="$td/test$N.stdout" +te="$td/test$N.stderr" +tdiff="$td/test$N.diff" +da="test$N $(date) $RANDOM" +CMD2="$SOCAT $opts OPENSSL-LISTEN:$PORT,reuseaddr,$SOCAT_EGD,ciphers=aNULL,verify=0 pipe" +CMD="$SOCAT $opts - openssl:$LOCALHOST:$PORT,ciphers=aNULL,verify=0,$SOCAT_EGD" +printf "test $F_n $TEST... " $N +eval "$CMD2 2>\"${te}1\" &" +pid=$! # background process id +waittcp4port $PORT +echo "$da" |$CMD >$tf 2>"${te}2" +if ! echo "$da" |diff - "$tf" >"$tdiff"; then + $PRINTF "$FAILED: $SOCAT:\n" + echo "$CMD2 &" + echo "$CMD" + cat "${te}1" + cat "${te}2" + cat "$tdiff" + numFAIL=$((numFAIL+1)) +else + $PRINTF "$OK\n" + if [ -n "$debug" ]; then cat "${te}1" "${te}2"; fi + numOK=$((numOK+1)) +fi +kill $pid 2>/dev/null +wait +fi ;; # NUMCOND, feats +esac +PORT=$((PORT+1)) +N=$((N+1)) + # socat up to 1.7.2.0 and 2.0.0-b4 had a bug in xioscan_readline() that could # be exploited diff --git a/xio-openssl.c b/xio-openssl.c index c713de0..ca40257 100644 --- a/xio-openssl.c +++ b/xio-openssl.c 
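Review bot: The new OPENSSL_ANULL case has no leading comment saying which regression it guards, unlike the following test, which opens with `# socat up to 1.7.2.0 and 2.0.0-b4 had a bug in ...`. I would add above `NAME=OPENSSL_ANULL` a line such as `# OpenSSL server with ciphers=aNULL failed with "no shared cipher" because no temporary DH parameters were set`. Both ends run an anonymous cipher with `verify=0`, so the test only shows that the handshake completes and data is echoed; a short comment that this combination is unauthenticated and meant for the test alone would keep it from being copied as a usage example. Minor: `>$tf` is unquoted while `"$tdiff"` and `"${te}2"` are quoted.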
@@ -869,6 +869,50 @@ int /*ERR_clear_error;*/ return STAT_RETRYLATER; } + + { + static unsigned char dh512_p[] = { + 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, + 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F, + 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3, + 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12, + 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C, + 0x47,0x74,0xE8,0x33, + }; + static unsigned char dh512_g[] = { + 0x02, + }; + DH *dh; + unsigned long err; + + if ((dh = DH_new()) == NULL) { + while (err = ERR_get_error()) { + Warn1("DH_new(): %s", + ERR_error_string(err, NULL)); + } + Error("DH_new() failed"); + } else { + dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); + dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); + if ((dh->p == NULL) || (dh->g == NULL)) { + while (err = ERR_get_error()) { + Warn1("BN_bin2bn(): %s", + ERR_error_string(err, NULL)); + } + Error("BN_bin2bn() failed"); + } else { + if (SSL_CTX_set_tmp_dh(*ctx, dh) <= 0) { + while (err = ERR_get_error()) { + Warn1("SSL_CTX_set_tmp_dh(%p, %p): %s", + ERR_error_string(err, NULL)); + } + Error2("SSL_CTX_set_tmp_dh(%p, %p) failed", *ctx, dh); + } + /*! OPENSSL_free(dh->p,g)? doc does not tell so */ + } + DH_free(dh); + } + } if (opt_cafile != NULL || opt_capath != NULL) { if (sycSSL_CTX_load_verify_locations(*ctx, opt_cafile, opt_capath) != 1) {
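Review bot: The hard-coded `dh512_p` is installed on the context unconditionally as far as the hunk shows, so it is not limited to `ciphers=aNULL`: any ephemeral-DH suite this context negotiates would use a 512-bit group, far below current strength recommendations (the Logjam class of weakness). Use a group of at least 2048 bits, for example `dh->p = get_rfc3526_prime_2048(NULL);` where the linked OpenSSL provides it, or load parameters from an operator-supplied file. Separately, `Warn1("SSL_CTX_set_tmp_dh(%p, %p): %s", ERR_error_string(err, NULL));` passes one argument for three conversions, which is undefined behaviour on the error path; `Warn1("SSL_CTX_set_tmp_dh(): %s", ERR_error_string(err, NULL));` avoids it. The `while (err = ERR_get_error())` loops would read better as `while ((err = ERR_get_error()) != 0)`, and the two tables can be `static const`. The enclosing function starts and ends outside the hunk.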