mirror of
https://repo.or.cz/socat.git
synced 2025-01-10 14:52:32 +00:00
OPENSSL-LISTEN failed with "no shared cipher" when using cipher aNULL
This commit is contained in:
parent
f6b2e0b167
commit
6e790adc5b
3 changed files with 92 additions and 0 deletions
4
CHANGES
4
CHANGES
|
@ -76,6 +76,10 @@ corrections:
|
|||
were used. Thanks to Tetsuya Sodo for reporting this problem and
|
||||
sending a patch
|
||||
|
||||
OpenSSL server failed with "no shared cipher" when using cipher aNULL.
|
||||
Fixed by providing temporary DH parameters. Thanks to Philip Rowlands
|
||||
for drawing my attention to this issue.
|
||||
|
||||
docu mentions option so-bindtodev but correct name is so-bindtodevice.
|
||||
Thanks to Jim Zimmerman for reporting.
|
||||
|
||||
|
|
44
test.sh
44
test.sh
|
@ -10913,6 +10913,50 @@ esac
|
|||
N=$((N+1))
|
||||
|
||||
|
||||
NAME=OPENSSL_ANULL
|
||||
case "$TESTS" in
|
||||
*%functions%*|*%openssl%*|*%tcp%*|*%tcp4%*|*%ip4%*|*%$NAME%*)
|
||||
TEST="$NAME: OpenSSL server with cipher aNULL "
|
||||
if ! eval $NUMCOND; then :;
|
||||
elif ! testaddrs openssl >/dev/null; then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}OPENSSL not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
elif ! testaddrs listen tcp ip4 >/dev/null || ! runsip4 >/dev/null; then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}TCP/IPv4 not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
else
|
||||
tf="$td/test$N.stdout"
|
||||
te="$td/test$N.stderr"
|
||||
tdiff="$td/test$N.diff"
|
||||
da="test$N $(date) $RANDOM"
|
||||
CMD2="$SOCAT $opts OPENSSL-LISTEN:$PORT,reuseaddr,$SOCAT_EGD,ciphers=aNULL,verify=0 pipe"
|
||||
CMD="$SOCAT $opts - openssl:$LOCALHOST:$PORT,ciphers=aNULL,verify=0,$SOCAT_EGD"
|
||||
printf "test $F_n $TEST... " $N
|
||||
eval "$CMD2 2>\"${te}1\" &"
|
||||
pid=$! # background process id
|
||||
waittcp4port $PORT
|
||||
echo "$da" |$CMD >$tf 2>"${te}2"
|
||||
if ! echo "$da" |diff - "$tf" >"$tdiff"; then
|
||||
$PRINTF "$FAILED: $SOCAT:\n"
|
||||
echo "$CMD2 &"
|
||||
echo "$CMD"
|
||||
cat "${te}1"
|
||||
cat "${te}2"
|
||||
cat "$tdiff"
|
||||
numFAIL=$((numFAIL+1))
|
||||
else
|
||||
$PRINTF "$OK\n"
|
||||
if [ -n "$debug" ]; then cat "${te}1" "${te}2"; fi
|
||||
numOK=$((numOK+1))
|
||||
fi
|
||||
kill $pid 2>/dev/null
|
||||
wait
|
||||
fi ;; # NUMCOND, feats
|
||||
esac
|
||||
PORT=$((PORT+1))
|
||||
N=$((N+1))
|
||||
|
||||
|
||||
# socat up to 1.7.2.0 and 2.0.0-b4 had a bug in xioscan_readline() that could
|
||||
# be exploited
|
||||
# to overflow a heap based buffer (socat security advisory 3)
|
||||
|
|
|
@ -870,6 +870,50 @@ int
|
|||
return STAT_RETRYLATER;
|
||||
}
|
||||
|
||||
{
|
||||
static unsigned char dh512_p[] = {
|
||||
0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
|
||||
0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
|
||||
0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
|
||||
0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
|
||||
0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
|
||||
0x47,0x74,0xE8,0x33,
|
||||
};
|
||||
static unsigned char dh512_g[] = {
|
||||
0x02,
|
||||
};
|
||||
DH *dh;
|
||||
unsigned long err;
|
||||
|
||||
if ((dh = DH_new()) == NULL) {
|
||||
while (err = ERR_get_error()) {
|
||||
Warn1("DH_new(): %s",
|
||||
ERR_error_string(err, NULL));
|
||||
}
|
||||
Error("DH_new() failed");
|
||||
} else {
|
||||
dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
|
||||
dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
|
||||
if ((dh->p == NULL) || (dh->g == NULL)) {
|
||||
while (err = ERR_get_error()) {
|
||||
Warn1("BN_bin2bn(): %s",
|
||||
ERR_error_string(err, NULL));
|
||||
}
|
||||
Error("BN_bin2bn() failed");
|
||||
} else {
|
||||
if (SSL_CTX_set_tmp_dh(*ctx, dh) <= 0) {
|
||||
while (err = ERR_get_error()) {
|
||||
Warn1("SSL_CTX_set_tmp_dh(%p, %p): %s",
|
||||
ERR_error_string(err, NULL));
|
||||
}
|
||||
Error2("SSL_CTX_set_tmp_dh(%p, %p) failed", *ctx, dh);
|
||||
}
|
||||
/*! OPENSSL_free(dh->p,g)? doc does not tell so */
|
||||
}
|
||||
DH_free(dh);
|
||||
}
|
||||
}
|
||||
|
||||
if (opt_cafile != NULL || opt_capath != NULL) {
|
||||
if (sycSSL_CTX_load_verify_locations(*ctx, opt_cafile, opt_capath) != 1) {
|
||||
int result;
|
||||
|
|
Loading…
Reference in a new issue