Check in configure for SSLv3_*_METHOD

CHANGES

@@ -41,6 +41,15 @@ porting:
 	Made struct ip subject to configure.
 	Thanks to SP for reporting this issue.
 
+	Socat failed to compile with OpenSSL version 1.0.2d where
+	SSLv3_server_method and SSLv3_client_method are no longer defined.
+	Thanks to Mischa ter Smitten for reporting this issue and providing
+	a patch.
+
+	configure checked for OpenSSL EC_KEY assuming it is a define but it
+	is a type, thus OpenSSL ECDHE ciphers failed even on Linux.
+	Thanks to Andrey Arapov for reporting this bug.
+
 testing:
 	socks4echo.sh and socks4a-echo.sh hung with new bash with read -n
 

config.h.in

@@ -450,6 +450,9 @@
 #undef HAVE_DTLSv1_client_method
 #undef HAVE_DTLSv1_server_method
 
+/* Define if you have the EC_KEY type */
+#undef HAVE_TYPE_EC_KEY
+
 /* Define if you have the flock function */
 #undef HAVE_FLOCK
 

configure.in

@@ -1462,6 +1462,18 @@ AC_CHECK_FUNC(TLSv1_2_server_method, AC_DEFINE(HAVE_TLSv1_2_server_method), AC_C
 AC_CHECK_FUNC(DTLSv1_client_method, AC_DEFINE(HAVE_DTLSv1_client_method), AC_CHECK_LIB(crypt, DTLSv1_client_method, [LIBS=-lcrypt $LIBS]))
 AC_CHECK_FUNC(DTLSv1_server_method, AC_DEFINE(HAVE_DTLSv1_server_method), AC_CHECK_LIB(crypt, DTLSv1_server_method, [LIBS=-lcrypt $LIBS]))
 
+AC_MSG_CHECKING(for type EC_KEY)
+AC_CACHE_VAL(sc_cv_type_EC_TYPE,
+[AC_TRY_COMPILE([#include <openssl/ec.h>
+],[EC_KEY *s;],
+[sc_cv_type_EC_KEY=yes],
+[sc_cv_type_EC_KEY=no])])
+if test $sc_cv_type_EC_KEY = yes; then
+   AC_DEFINE(HAVE_TYPE_EC_KEY)
+fi
+AC_MSG_RESULT($sc_cv_type_EC_KEY)
+
+
 dnl Run time checks
 
 

sslcls.c

@@ -55,6 +55,7 @@ const SSL_METHOD *sycSSLv2_server_method(void) {
 }
 #endif
 
+#if HAVE_SSLv3_client_method
 const SSL_METHOD *sycSSLv3_client_method(void) {
    const SSL_METHOD *result;
    Debug("SSLv3_client_method()");
@@ -62,7 +63,9 @@ const SSL_METHOD *sycSSLv3_client_method(void) {
    Debug1("SSLv3_client_method() -> %p", result);
    return result;
 }
+#endif
 
+#if HAVE_SSLv3_server_method
 const SSL_METHOD *sycSSLv3_server_method(void) {
    const SSL_METHOD *result;
    Debug("SSLv3_server_method()");
@@ -70,6 +73,7 @@ const SSL_METHOD *sycSSLv3_server_method(void) {
    Debug1("SSLv3_server_method() -> %p", result);
    return result;
 }
+#endif
 
 const SSL_METHOD *sycSSLv23_client_method(void) {
    const SSL_METHOD *result;

test.sh

@@ -2275,6 +2275,16 @@ gentestdsacert () {
     cat $name-dsa.pem $name-dh.pem $name.key $name.crt >$name.pem
 }
 
+# generate a test EC key and certificate
+gentesteccert () {
+    local name="$1"
+    if [ -s $name.key -a -s $name.crt -a -s $name.pem ]; then return; fi
+    openssl ecparam -name secp521r1 -out $name-ec.pem >/dev/null 2>&1
+    chmod 0400 $name-ec.pem
+    openssl req -newkey ec:$name-ec.pem -keyout $name.key -nodes -x509 -config $TESTCERT_CONF -out $name.crt -days 3653 >/dev/null 2>&1
+    cat $name-ec.pem $name.key $name.crt >$name.pem
+}
+
 gentestcert6 () {
     local name="$1"
     if [ -s $name.key -a -s $name.crt -a -s $name.pem ]; then return; fi
@@ -12486,6 +12496,62 @@ esac
 N=$((N+1))
 
 
+# OpenSSL ECDHE ciphers were introduced in socat 1.7.3.0 but in the same release
+# they were broken by a porting effort. This test checks if OpenSSL ECDHE works
+NAME=OPENSSL_ECDHE
+case "$TESTS" in
+*%$N%*|*%functions%*|*%bugs%*|*%openssl%*|*%socket%*|*%$NAME%*)
+TEST="$NAME: test OpenSSL ECDHE"
+# generate a ECDHE key, start an OpenSSL server, connect with a client and try to
+# pass data
+if ! eval $NUMCOND; then :; else
+tf="$td/test$N.stdout"
+te="$td/test$N.stderr"
+tdiff="$td/test$N.diff"
+da="test$N $(date) $RANDOM"
+TESTSRV=./testsrvec
+gentesteccert $TESTSRV
+CMD0="$TRACE $SOCAT $opts OPENSSL-LISTEN:$PORT,reuseaddr,cert=testsrvec.crt,key=$TESTSRV.pem,verify=0 PIPE"
+CMD1="$TRACE $SOCAT $opts - OPENSSL-CONNECT:$LOCALHOST:$PORT,cipher=ECDHE-ECDSA-AES256-GCM-SHA384,cafile=$TESTSRV.crt"
+printf "test $F_n $TEST... " $N
+$CMD0 >/dev/null 2>"${te}0" &
+pid0=$!
+waittcp4port $PORT 1
+echo "$da" |$CMD1 >"${tf}1" 2>"${te}1"
+rc1=$?
+kill $pid0 2>/dev/null; wait
+if [ $rc1 -ne 0 ]; then
+    $PRINTF "$FAILED\n"
+    echo "failure symptom: client error" >&2
+    echo "server and stderr:" >&2
+    echo "$CMD0 &"
+    cat "${te}0"
+    echo "client and stderr:" >&2
+    echo "$CMD1"
+    cat "${te}1"
+    numFAIL=$((numFAIL+1))
+    listFAIL="$listFAIL $N"
+elif echo "$da" |diff - "${tf}1" >"$tdiff"; then
+    $PRINTF "$OK\n"
+    numOK=$((numOK+1))
+else
+    $PRINTF "$FAILED\n"
+    echo "server and stderr:" >&2
+    echo "$CMD1"
+    cat "${te}1"
+    echo "client and stderr:" >&2
+    echo "$CMD0 &"
+    cat "${te}0"
+    numFAIL=$((numFAIL+1))
+    listFAIL="$listFAIL $N"
+fi
+fi # NUMCOND
+ ;;
+esac
+PORT=$((PORT+1))
+N=$((N+1))
+
+
 ##################################################################################
 #=================================================================================
 # here come tests that might affect your systems integrity. Put normal tests

xio-openssl.c

@@ -967,7 +967,7 @@ int
       }
    }
 
-#if defined(EC_KEY)	/* not on Openindiana 5.11 */
+#if HAVE_TYPE_EC_KEY	/* not on Openindiana 5.11 */
    {
       /* see http://openssl.6102.n7.nabble.com/Problem-with-cipher-suite-ECDHE-ECDSA-AES256-SHA384-td42229.html */
       int	 nid;
@@ -989,7 +989,7 @@ int
 
       SSL_CTX_set_tmp_ecdh(*ctx, ecdh);
    }
-#endif /* !defined(EC_KEY) */
+#endif /* HAVE_TYPE_EC_KEY */
 
 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
    if (opt_compress) {