Merge pull request #1759 from drwetter/fix_1754_3.0

Fix run_freak() when sslv2 server hello is empty (3.0 branch)
This commit is contained in:
Dirk Wetter 2020-10-28 15:05:51 +01:00 committed by GitHub
commit 0cf5a49762
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -1250,6 +1250,10 @@ strip_inconsistent_ciphers() {
return 0 return 0
} }
count_chars() {
echo $(wc -c <<< "$1")
}
newline_to_spaces() { newline_to_spaces() {
tr '\n' ' ' <<< "$1" | sed 's/ $//' tr '\n' ' ' <<< "$1" | sed 's/ $//'
} }
@ -12769,19 +12773,18 @@ parse_tls_serverhello() {
# 1,4,6,7: see return value of parse_sslv2_serverhello() # 1,4,6,7: see return value of parse_sslv2_serverhello()
sslv2_sockets() { sslv2_sockets() {
local ret local ret
local client_hello cipher_suites len_client_hello local cipher_suites="$1"
local client_hello len_client_hello
local len_ciph_suites_byte len_ciph_suites local len_ciph_suites_byte len_ciph_suites
local server_hello sock_reply_file2 local server_hello sock_reply_file2
local -i response_len server_hello_len local -i response_len server_hello_len
local parse_complete=false local parse_complete=false
# this could be empty so swe use '==' # this could be empty so we use '=='
if [[ "$2" == true ]]; then if [[ "$2" == true ]]; then
parse_complete=true parse_complete=true
fi fi
if [[ -n "$1" ]]; then if [[ -z "$cipher_suites" ]]; then
cipher_suites="$1"
else
cipher_suites=" cipher_suites="
05,00,80, # 1st cipher 9 cipher specs, only classical V2 ciphers are used here, see FIXME below 05,00,80, # 1st cipher 9 cipher specs, only classical V2 ciphers are used here, see FIXME below
03,00,80, # 2nd there are v3 in v2!!! : https://tools.ietf.org/html/rfc6101#appendix-E 03,00,80, # 2nd there are v3 in v2!!! : https://tools.ietf.org/html/rfc6101#appendix-E
@ -12824,22 +12827,24 @@ sslv2_sockets() {
sockread_serverhello 32768 sockread_serverhello 32768
if "$parse_complete"; then if "$parse_complete"; then
server_hello=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE") if [[ -s "$SOCK_REPLY_FILE" ]]; then
server_hello_len=2+$(hex2dec "${server_hello:1:3}") server_hello=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
response_len=$(wc -c "$SOCK_REPLY_FILE" | awk '{ print $1 }') server_hello_len=$((2 + $(hex2dec "${server_hello:1:3}") ))
for (( 1; response_len < server_hello_len; 1 )); do response_len=$(count_chars "$SOCK_REPLY_FILE")
sock_reply_file2=${SOCK_REPLY_FILE}.2 for (( 1; response_len < server_hello_len; 1 )); do
mv "$SOCK_REPLY_FILE" "$sock_reply_file2" sock_reply_file2=${SOCK_REPLY_FILE}.2
mv "$SOCK_REPLY_FILE" "$sock_reply_file2"
debugme echo -n "requesting more server hello data... " debugme echo -n "requesting more server hello data... "
socksend "" $USLEEP_SND socksend "" $USLEEP_SND
sockread_serverhello 32768 sockread_serverhello 32768
[[ ! -s "$SOCK_REPLY_FILE" ]] && break [[ ! -s "$SOCK_REPLY_FILE" ]] && break
cat "$SOCK_REPLY_FILE" >> "$sock_reply_file2" cat "$SOCK_REPLY_FILE" >> "$sock_reply_file2"
mv "$sock_reply_file2" "$SOCK_REPLY_FILE" mv "$sock_reply_file2" "$SOCK_REPLY_FILE"
response_len=$(wc -c "$SOCK_REPLY_FILE" | awk '{ print $1 }') response_len=$(count_chars "$SOCK_REPLY_FILE")
done done
fi
fi fi
debugme echo "reading server hello... " debugme echo "reading server hello... "
if [[ "$DEBUG" -ge 4 ]]; then if [[ "$DEBUG" -ge 4 ]]; then
@ -12855,6 +12860,7 @@ sslv2_sockets() {
return $ret return $ret
} }
# arg1: supported groups extension # arg1: supported groups extension
# arg2: "all" - process full response (including Certificate and certificate_status handshake messages) # arg2: "all" - process full response (including Certificate and certificate_status handshake messages)
# "ephemeralkey" - extract the server's ephemeral key (if any) # "ephemeralkey" - extract the server's ephemeral key (if any)
@ -15081,7 +15087,6 @@ run_freak() {
else else
nr_supported_ciphers=$(count_ciphers $(actually_supported_osslciphers $exportrsa_cipher_list)) nr_supported_ciphers=$(count_ciphers $(actually_supported_osslciphers $exportrsa_cipher_list))
fi fi
#echo "========= ${PIPESTATUS[*]}
case $nr_supported_ciphers in case $nr_supported_ciphers in
0) prln_local_problem "$OPENSSL doesn't have any EXPORT RSA ciphers configured" 0) prln_local_problem "$OPENSSL doesn't have any EXPORT RSA ciphers configured"
@ -15099,7 +15104,9 @@ run_freak() {
tls_sockets "03" "$exportrsa_tls_cipher_list_hex, 00,ff" tls_sockets "03" "$exportrsa_tls_cipher_list_hex, 00,ff"
sclient_success=$? sclient_success=$?
[[ $sclient_success -eq 2 ]] && sclient_success=0 [[ $sclient_success -eq 2 ]] && sclient_success=0
if [[ $sclient_success -ne 0 ]]; then
# TLS handshake failed with ciphers above. Now we check SSLv2 -- unless we know it's not available
if [[ $sclient_success -ne 0 ]] && [[ $(has_server_protocol ssl2) -ne 1 ]]; then
sslv2_sockets "$exportrsa_ssl2_cipher_list_hex" "true" sslv2_sockets "$exportrsa_ssl2_cipher_list_hex" "true"
if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then
exportrsa_ssl2_cipher_list_hex="$(strip_spaces "${exportrsa_ssl2_cipher_list_hex//,/}")" exportrsa_ssl2_cipher_list_hex="$(strip_spaces "${exportrsa_ssl2_cipher_list_hex//,/}")"
@ -15912,7 +15919,8 @@ run_rc4() {
return 0 return 0
fi fi
# get a list of all the cipher suites to test # Get a list of all the cipher suites to test. #FIXME: This is rather ineffective as RC4 ciphers won't change.
# We should instead build a fixed list here like @ other functions
if "$using_sockets" || [[ $OSSL_VER_MAJOR -lt 1 ]]; then if "$using_sockets" || [[ $OSSL_VER_MAJOR -lt 1 ]]; then
for (( i=0; i < TLS_NR_CIPHERS; i++ )); do for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
if [[ "${TLS_CIPHER_RFC_NAME[i]}" =~ RC4 ]] && ( "$using_sockets" || "${TLS_CIPHER_OSSL_SUPPORTED[i]}" ); then if [[ "${TLS_CIPHER_RFC_NAME[i]}" =~ RC4 ]] && ( "$using_sockets" || "${TLS_CIPHER_OSSL_SUPPORTED[i]}" ); then
@ -15967,7 +15975,7 @@ run_rc4() {
done < <($OPENSSL ciphers $OSSL_CIPHERS_S -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE) done < <($OPENSSL ciphers $OSSL_CIPHERS_S -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE)
fi fi
if "$using_sockets" && [[ -n "$sslv2_ciphers_hex" ]]; then if "$using_sockets" && [[ -n "$sslv2_ciphers_hex" ]] && [[ $(has_server_protocol ssl2) -ne 1 ]]; then
sslv2_sockets "${sslv2_ciphers_hex:2}" "true" sslv2_sockets "${sslv2_ciphers_hex:2}" "true"
if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then
supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")" supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")"
@ -15980,7 +15988,7 @@ run_rc4() {
fi fi
done done
fi fi
elif "$HAS_SSL2" && [[ -n "$sslv2_ciphers_ossl" ]]; then elif "$HAS_SSL2" && [[ -n "$sslv2_ciphers_ossl" ]] && [[ $(has_server_protocol ssl2) -ne 1 ]]; then
$OPENSSL s_client -cipher "${sslv2_ciphers_ossl:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client -cipher "${sslv2_ciphers_ossl:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful $? "$TMPFILE" sclient_connect_successful $? "$TMPFILE"
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then