Last active
March 19, 2017 07:48
-
-
Save markrwilliams/ff25334d544fcb10cb6231697b518b3b to your computer and use it in GitHub Desktop.
OpenSSL incomplete handshake SSL_ERROR_SSL -> SSL_ERROR_SYSCALL
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
client |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import os | |
import sys | |
from subprocess import check_call, CalledProcessError | |
HERE = os.path.dirname(__file__) | |
def build_openssl(): | |
check_call(['git', 'clean', '-fxdq']) | |
check_call(['./config']) | |
check_call(['make', '-j', '4', 'build_libs']) | |
def build_canary(): | |
check_call(['make', 'clean'], cwd=HERE) | |
check_call(['make', 'OPENSSL={}'.format(os.getcwd())], cwd=HERE) | |
def run_canary(): | |
check_call(['./client'], cwd=HERE) | |
try: | |
build_openssl() | |
build_canary() | |
except CalledProcessError: | |
sys.exit(125) | |
else: | |
run_canary() | |
finally: | |
check_call(['git', 'reset', '--hard', '-q']) | |
check_call(['git', 'clean', '-fxdq']) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
Reproduce the disconnect-without-handshake behavior of | |
twisted.protocols.test.test_tls.TLSProducerTests.registerProducerAfterConnectionLost. | |
Written in C so that it compiles against versions of OpenSSL 1.1.0 | |
(such as 1.1.0-pre[123]) that do not implement the API cryptogaphy.io | |
requires of 1.1.0. | |
*/ | |
#include <assert.h> | |
#include <openssl/bio.h> | |
#include <openssl/err.h> | |
#include <openssl/ssl.h> | |
#include <string.h> | |
#include <stdio.h> | |
void | |
report_library_error() | |
{ | |
unsigned long error; | |
error = ERR_get_error(); | |
printf("%ld %s %s %s\n", | |
error, | |
ERR_lib_error_string(error), | |
ERR_func_error_string(error), | |
ERR_reason_error_string(error)); | |
} | |
void | |
report_library_error_and_die() | |
{ | |
report_library_error(); | |
exit(1); | |
} | |
void | |
consider_ssl_err(int ssl_err) | |
{ | |
switch(ssl_err) { | |
case SSL_ERROR_NONE: | |
puts("SSL_ERROR_NONE"); | |
break; | |
case SSL_ERROR_ZERO_RETURN: | |
puts("SSL_ERROR_ZERO_RETURN"); | |
break; | |
case SSL_ERROR_WANT_READ: | |
puts("SSL_ERROR_WANT_READ"); | |
break; | |
case SSL_ERROR_WANT_WRITE: | |
puts("SSL_ERROR_WANT_WRITE"); | |
break; | |
case SSL_ERROR_WANT_CONNECT: | |
puts("SSL_ERROR_WANT_CONNECT"); | |
break; | |
case SSL_ERROR_WANT_ACCEPT: | |
puts("SSL_ERROR_WANT_ACCEPT"); | |
break; | |
case SSL_ERROR_WANT_X509_LOOKUP: | |
puts("SSL_ERROR_WANT_X509_LOOKUP"); | |
break; | |
case SSL_ERROR_SYSCALL: | |
puts("SSL_ERROR_SYSCALL"); | |
report_library_error(); | |
break; | |
case SSL_ERROR_SSL: | |
puts("SSL_ERROR_SSL"); | |
report_library_error(); | |
break; | |
default: | |
printf("unknown error code: %d\n", ssl_err); | |
break; | |
} | |
} | |
int | |
main(int argc, char *argv[]) | |
{ | |
SSL_CTX *ctx; | |
BIO *rbio, *wbio; | |
SSL *ssl; | |
int ret, ssl_err; | |
char buf[1024]; | |
SSL_library_init(); | |
SSL_load_error_strings(); | |
ERR_load_BIO_strings(); | |
OpenSSL_add_all_algorithms(); | |
if (!(ctx = SSL_CTX_new(SSLv23_client_method()))) { | |
report_library_error_and_die(); | |
} | |
if (!(ssl = SSL_new(ctx))) { | |
report_library_error_and_die(); | |
} | |
rbio = BIO_new(BIO_s_mem()); | |
wbio = BIO_new(BIO_s_mem()); | |
SSL_set_bio(ssl, rbio, wbio); | |
SSL_set_connect_state(ssl); | |
assert((ret = SSL_do_handshake(ssl)) < 1); | |
assert(SSL_get_error(ssl, ret) == SSL_ERROR_WANT_READ); | |
assert(BIO_read(rbio, buf, sizeof(buf)) < 1); | |
assert(BIO_should_retry(rbio)); | |
assert(BIO_set_mem_eof_return(rbio, 0)); | |
ret = SSL_read(ssl, buf, sizeof(buf)); | |
ssl_err = SSL_get_error(ssl, ret); | |
if (argc > 1 && !(strncmp(argv[1], "-v", 2))) { | |
consider_ssl_err(ssl_err); | |
} | |
return ssl_err != SSL_ERROR_SSL; | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
CFLAGS = -I${OPENSSL}/include -ldl -lpthread | |
LOADLIBES = ${OPENSSL}/libssl.a ${OPENSSL}/libcrypto.a | |
all: client | |
.PHONY : clean | |
clean: | |
-rm -f client |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Run
bisect.py
from an OpenSSL checkout: