From 0b472d59d260e11395a478ac09f75b35db49f8ab Mon Sep 17 00:00:00 2001
From: Gerhard Rieger
Date: Tue, 22 Nov 2011 10:42:38 +0100
Subject: [PATCH] OPENSSL-LISTEN failed with "no shared cipher" when using cipher aNULL
---
 CHANGES | 4 ++++
 test.sh | 44 ++++++++++++++++++++++++++++++++++++++++++++
 xio-openssl.c | 46 +++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 93 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index 9ed9651..0fa0a9c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -49,6 +49,10 @@ corrections:
 were used. Thanks to Tetsuya Sodo for reporting this problem and sending a patch
+ OpenSSL server failed with "no shared cipher" when using cipher aNULL.
+ Fixed by providing temporary DH parameters. Thanks to Philip Rowlands
+ for drawing my attention to this issue.
+
 ####################### V 1.7.1.3: security:
diff --git a/test.sh b/test.sh
index 87b532e..4206973 100755
--- a/test.sh
+++ b/test.sh
@@ -10484,6 +10484,50 @@ esac
 N=$((N+1))
+NAME=OPENSSL_ANULL
+case "$TESTS" in
+*%functions%*|*%openssl%*|*%tcp%*|*%tcp4%*|*%ip4%*|*%$NAME%*)
+TEST="$NAME: OpenSSL server with cipher aNULL "
+if ! eval $NUMCOND; then :;
+elif ! testaddrs openssl >/dev/null; then
+ $PRINTF "test $F_n $TEST... ${YELLOW}OPENSSL not available${NORMAL}\n" $N
+ numCANT=$((numCANT+1))
+elif ! testaddrs listen tcp ip4 >/dev/null || ! runsip4 >/dev/null; then
+ $PRINTF "test $F_n $TEST... ${YELLOW}TCP/IPv4 not available${NORMAL}\n" $N
+ numCANT=$((numCANT+1))
+else
+tf="$td/test$N.stdout"
+te="$td/test$N.stderr"
+tdiff="$td/test$N.diff"
+da="test$N $(date) $RANDOM"
+CMD2="$SOCAT $opts OPENSSL-LISTEN:$PORT,reuseaddr,$SOCAT_EGD,ciphers=aNULL,verify=0 pipe"
+CMD="$SOCAT $opts - openssl:$LOCALHOST:$PORT,ciphers=aNULL,verify=0,$SOCAT_EGD"
+printf "test $F_n $TEST... " $N
+eval "$CMD2 2>\"${te}1\" &"
+pid=$! # background process id
+waittcp4port $PORT
+echo "$da" |$CMD >$tf 2>"${te}2"
+if ! echo "$da" |diff - "$tf" >"$tdiff"; then
+ $PRINTF "$FAILED: $SOCAT:\n"
+ echo "$CMD2 &"
+ echo "$CMD"
+ cat "${te}1"
+ cat "${te}2"
+ cat "$tdiff"
+ numFAIL=$((numFAIL+1))
+else
+ $PRINTF "$OK\n"
+ if [ -n "$debug" ]; then cat "${te}1" "${te}2"; fi
+ numOK=$((numOK+1))
+fi
+kill $pid 2>/dev/null
+wait
+fi ;; # NUMCOND, feats
+esac
+PORT=$((PORT+1))
+N=$((N+1))
+
+
 ###############################################################################
 # here come tests that might affect your systems integrity. Put normal tests
 # before this paragraph.
diff --git a/xio-openssl.c b/xio-openssl.c
index e4d37b6..51a4287 100644
--- a/xio-openssl.c
+++ b/xio-openssl.c
@@ -1,5 +1,5 @@
 /* source: xio-openssl.c */
-/* Copyright Gerhard Rieger 2002-2009 */
+/* Copyright Gerhard Rieger 2002-2011 */
 /* Published under the GNU General Public License V.2, see file COPYING */
 /* this file contains the implementation of the openssl addresses */
@@ -739,6 +739,50 @@ int
 return STAT_RETRYLATER;
 }
+ {
+ static unsigned char dh512_p[] = {
+ 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
+ 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
+ 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
+ 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
+ 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
+ 0x47,0x74,0xE8,0x33,
+ };
+ static unsigned char dh512_g[] = {
+ 0x02,
+ };
+ DH *dh;
+ unsigned long err;
+
+ if ((dh = DH_new()) == NULL) {
+ while (err = ERR_get_error()) {
+ Warn1("DH_new(): %s",
+ ERR_error_string(err, NULL));
+ }
+ Error("DH_new() failed");
+ } else {
+ dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
+ dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
+ if ((dh->p == NULL) || (dh->g == NULL)) {
+ while (err = ERR_get_error()) {
+ Warn1("BN_bin2bn(): %s",
+ ERR_error_string(err, NULL));
+ }
+ Error("BN_bin2bn() failed");
+ } else {
+ if (SSL_CTX_set_tmp_dh(*ctx, dh) <= 0) {
+ while (err = ERR_get_error()) {
+ Warn1("SSL_CTX_set_tmp_dh(%p, %p): %s",
+ ERR_error_string(err, NULL));
+ }
+ Error2("SSL_CTX_set_tmp_dh(%p, %p) failed", *ctx, dh);
+ }
+ /*! OPENSSL_free(dh->p,g)? doc does not tell so */
+ }
+ DH_free(dh);
+ }
+ }
+
 if (opt_cafile != NULL || opt_capath != NULL) {
 if (sycSSL_CTX_load_verify_locations(*ctx, opt_cafile, opt_capath) != 1) {
 int result;
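Review bot: The group installed as the temporary DH parameters is a fixed 512-bit prime (`dh512_p`), an export-grade size that gives very little protection to the key exchange, and the bare `{ ... }` block has no visible condition, so it appears to apply to every context built here rather than only when `ciphers=aNULL` is requested. I would embed a group of at least 2048 bits (generated offline, or loaded from an operator-supplied file) and add a comment above the array such as `/* fallback DH group used for all DHE/ADH key exchanges on this context */` so the scope is explicit. Separately, the `Warn1` call in the `SSL_CTX_set_tmp_dh` failure branch passes one argument to a format with three conversions; assuming the project has a three-argument `Warn3` next to `Warn1`/`Error2`, it should read `Warn3("SSL_CTX_set_tmp_dh(%p, %p): %s", *ctx, dh, ERR_error_string(err, NULL));`. The enclosing function starts and ends outside the hunk, so whether a client-side path also reaches this block cannot be confirmed from here.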