OPENSSL-LISTEN failed with "no shared cipher" when using cipher aNULL
parent
f6b2e0b167
commit
6e790adc5b
3 changed files with 92 additions and 0 deletions
4
CHANGES
4
CHANGES
|
@ -76,6 +76,10 @@ corrections:
|
||||||
were used. Thanks to Tetsuya Sodo for reporting this problem and
|
were used. Thanks to Tetsuya Sodo for reporting this problem and
|
||||||
sending a patch
|
sending a patch
|
||||||
|
|
||||||
|
OpenSSL server failed with "no shared cipher" when using cipher aNULL.
|
||||||
|
Fixed by providing temporary DH parameters. Thanks to Philip Rowlands
|
||||||
|
for drawing my attention to this issue.
|
||||||
|
|
||||||
docu mentions option so-bindtodev but correct name is so-bindtodevice.
|
docu mentions option so-bindtodev but correct name is so-bindtodevice.
|
||||||
Thanks to Jim Zimmerman for reporting.
|
Thanks to Jim Zimmerman for reporting.
|
||||||
|
|
||||||
|
|
44
test.sh
44
test.sh
|
@ -10913,6 +10913,50 @@ esac
|
||||||
N=$((N+1))
|
N=$((N+1))
|
||||||
|
|
||||||
|
|
||||||
|
NAME=OPENSSL_ANULL
|
||||||
|
case "$TESTS" in
|
||||||
|
*%functions%*|*%openssl%*|*%tcp%*|*%tcp4%*|*%ip4%*|*%$NAME%*)
|
||||||
|
TEST="$NAME: OpenSSL server with cipher aNULL "
|
||||||
|
if ! eval $NUMCOND; then :;
|
||||||
|
elif ! testaddrs openssl >/dev/null; then
|
||||||
|
$PRINTF "test $F_n $TEST... ${YELLOW}OPENSSL not available${NORMAL}\n" $N
|
||||||
|
numCANT=$((numCANT+1))
|
||||||
|
elif ! testaddrs listen tcp ip4 >/dev/null || ! runsip4 >/dev/null; then
|
||||||
|
$PRINTF "test $F_n $TEST... ${YELLOW}TCP/IPv4 not available${NORMAL}\n" $N
|
||||||
|
numCANT=$((numCANT+1))
|
||||||
|
else
|
||||||
|
tf="$td/test$N.stdout"
|
||||||
|
te="$td/test$N.stderr"
|
||||||
|
tdiff="$td/test$N.diff"
|
||||||
|
da="test$N $(date) $RANDOM"
|
||||||
|
CMD2="$SOCAT $opts OPENSSL-LISTEN:$PORT,reuseaddr,$SOCAT_EGD,ciphers=aNULL,verify=0 pipe"
|
||||||
|
CMD="$SOCAT $opts - openssl:$LOCALHOST:$PORT,ciphers=aNULL,verify=0,$SOCAT_EGD"
|
||||||
|
printf "test $F_n $TEST... " $N
|
||||||
|
eval "$CMD2 2>\"${te}1\" &"
|
||||||
|
pid=$! # background process id
|
||||||
|
waittcp4port $PORT
|
||||||
|
echo "$da" |$CMD >$tf 2>"${te}2"
|
||||||
|
if ! echo "$da" |diff - "$tf" >"$tdiff"; then
|
||||||
|
$PRINTF "$FAILED: $SOCAT:\n"
|
||||||
|
echo "$CMD2 &"
|
||||||
|
echo "$CMD"
|
||||||
|
cat "${te}1"
|
||||||
|
cat "${te}2"
|
||||||
|
cat "$tdiff"
|
||||||
|
numFAIL=$((numFAIL+1))
|
||||||
|
else
|
||||||
|
$PRINTF "$OK\n"
|
||||||
|
if [ -n "$debug" ]; then cat "${te}1" "${te}2"; fi
|
||||||
|
numOK=$((numOK+1))
|
||||||
|
fi
|
||||||
|
kill $pid 2>/dev/null
|
||||||
|
wait
|
||||||
|
fi ;; # NUMCOND, feats
|
||||||
|
esac
|
||||||
|
PORT=$((PORT+1))
|
||||||
|
N=$((N+1))
|
||||||
|
|
||||||
|
|
||||||
# socat up to 1.7.2.0 and 2.0.0-b4 had a bug in xioscan_readline() that could
|
# socat up to 1.7.2.0 and 2.0.0-b4 had a bug in xioscan_readline() that could
|
||||||
# be exploited
|
# be exploited
|
||||||
# to overflow a heap based buffer (socat security advisory 3)
|
# to overflow a heap based buffer (socat security advisory 3)
|
||||||
|
|
|
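Review bot: The new test block carries no comment saying which regression it guards, so a reader of test.sh sees only the label "OpenSSL server with cipher aNULL"; a one-line comment before `NAME=OPENSSL_ANULL` would tie it to the fix, e.g. `# Regression test: OPENSSL-LISTEN with ciphers=aNULL failed with "no shared cipher" until temporary DH parameters were set`. Both `CMD2` and `CMD` use `verify=0`, which is inherent to anonymous (aNULL) suites because there is no certificate to verify, and stating that in the same comment would keep the next reader from "fixing" it. The server side is started via `eval` with stderr redirected while the client runs directly, which matches the surrounding tests and needs no change.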
@ -870,6 +870,50 @@ int
|
||||||
return STAT_RETRYLATER;
|
return STAT_RETRYLATER;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
{
|
||||||
|
static unsigned char dh512_p[] = {
|
||||||
|
0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
|
||||||
|
0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
|
||||||
|
0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
|
||||||
|
0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
|
||||||
|
0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
|
||||||
|
0x47,0x74,0xE8,0x33,
|
||||||
|
};
|
||||||
|
static unsigned char dh512_g[] = {
|
||||||
|
0x02,
|
||||||
|
};
|
||||||
|
DH *dh;
|
||||||
|
unsigned long err;
|
||||||
|
|
||||||
|
if ((dh = DH_new()) == NULL) {
|
||||||
|
while (err = ERR_get_error()) {
|
||||||
|
Warn1("DH_new(): %s",
|
||||||
|
ERR_error_string(err, NULL));
|
||||||
|
}
|
||||||
|
Error("DH_new() failed");
|
||||||
|
} else {
|
||||||
|
dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
|
||||||
|
dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
|
||||||
|
if ((dh->p == NULL) || (dh->g == NULL)) {
|
||||||
|
while (err = ERR_get_error()) {
|
||||||
|
Warn1("BN_bin2bn(): %s",
|
||||||
|
ERR_error_string(err, NULL));
|
||||||
|
}
|
||||||
|
Error("BN_bin2bn() failed");
|
||||||
|
} else {
|
||||||
|
if (SSL_CTX_set_tmp_dh(*ctx, dh) <= 0) {
|
||||||
|
while (err = ERR_get_error()) {
|
||||||
|
Warn1("SSL_CTX_set_tmp_dh(%p, %p): %s",
|
||||||
|
ERR_error_string(err, NULL));
|
||||||
|
}
|
||||||
|
Error2("SSL_CTX_set_tmp_dh(%p, %p) failed", *ctx, dh);
|
||||||
|
}
|
||||||
|
/*! OPENSSL_free(dh->p,g)? doc does not tell so */
|
||||||
|
}
|
||||||
|
DH_free(dh);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (opt_cafile != NULL || opt_capath != NULL) {
|
if (opt_cafile != NULL || opt_capath != NULL) {
|
||||||
if (sycSSL_CTX_load_verify_locations(*ctx, opt_cafile, opt_capath) != 1) {
|
if (sycSSL_CTX_load_verify_locations(*ctx, opt_cafile, opt_capath) != 1) {
|
||||||
int result;
|
int result;
|
||||||
|
|
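Review bot: The `Warn1("SSL_CTX_set_tmp_dh(%p, %p): %s", ERR_error_string(err, NULL))` call in the failure branch supplies one argument for three conversions, so the two `%p` fields read arguments that were never passed (undefined behaviour) and the `%s` never receives the error string; it should read `Warn3("SSL_CTX_set_tmp_dh(%p, %p): %s", *ctx, dh, ERR_error_string(err, NULL));` to match the `Error2(...)` line just below it. The hard-coded group is 512 bits (`dh512_p`) and, as far as the hunk shows, `SSL_CTX_set_tmp_dh(*ctx, dh)` is applied unconditionally, so every ephemeral-DH suite negotiated on this context, not only aNULL, would use a 512-bit modulus; a 2048-bit group, or parameters generated at a configurable size, would be the safer default. The `/*! OPENSSL_free(dh->p,g)? doc does not tell so */` question can be closed: `DH_free(dh)` releases the BIGNUMs assigned to `dh->p` and `dh->g`, so the comment could become `/* DH_free() also frees dh->p and dh->g */`. The enclosing function starts and ends outside the hunk.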