diff --git a/CHANGES b/CHANGES index 63945da..4ee2a76 100644 --- a/CHANGES +++ b/CHANGES @@ -41,6 +41,15 @@ porting: Made struct ip subject to configure. Thanks to SP for reporting this issue. + Socat failed to compile with OpenSSL version 1.0.2d where + SSLv3_server_method and SSLv3_client_method are no longer defined. + Thanks to Mischa ter Smitten for reporting this issue and providing + a patch. + + configure checked for OpenSSL EC_KEY assuming it is a define but it + is a type, thus OpenSSL ECDHE ciphers failed even on Linux. + Thanks to Andrey Arapov for reporting this bug. + testing: socks4echo.sh and socks4a-echo.sh hung with new bash with read -n diff --git a/config.h.in b/config.h.in index a3be40d..d60b08e 100644 --- a/config.h.in +++ b/config.h.in @@ -450,6 +450,9 @@ #undef HAVE_DTLSv1_client_method #undef HAVE_DTLSv1_server_method +/* Define if you have the EC_KEY type */ +#undef HAVE_TYPE_EC_KEY + /* Define if you have the flock function */ #undef HAVE_FLOCK diff --git a/configure.in b/configure.in index 0c8d5fa..03fb8e1 100644 --- a/configure.in +++ b/configure.in @@ -1462,6 +1462,18 @@ AC_CHECK_FUNC(TLSv1_2_server_method, AC_DEFINE(HAVE_TLSv1_2_server_method), AC_C AC_CHECK_FUNC(DTLSv1_client_method, AC_DEFINE(HAVE_DTLSv1_client_method), AC_CHECK_LIB(crypt, DTLSv1_client_method, [LIBS=-lcrypt $LIBS])) AC_CHECK_FUNC(DTLSv1_server_method, AC_DEFINE(HAVE_DTLSv1_server_method), AC_CHECK_LIB(crypt, DTLSv1_server_method, [LIBS=-lcrypt $LIBS])) +AC_MSG_CHECKING(for type EC_KEY) +AC_CACHE_VAL(sc_cv_type_EC_TYPE, +[AC_TRY_COMPILE([#include +],[EC_KEY *s;], +[sc_cv_type_EC_KEY=yes], +[sc_cv_type_EC_KEY=no])]) +if test $sc_cv_type_EC_KEY = yes; then + AC_DEFINE(HAVE_TYPE_EC_KEY) +fi +AC_MSG_RESULT($sc_cv_type_EC_KEY) + + dnl Run time checks diff --git a/sslcls.c b/sslcls.c index db8f02f..4ec054e 100644 --- a/sslcls.c +++ b/sslcls.c 
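Review bot: In the configure.in hunk the cache id passed to AC_CACHE_VAL is `sc_cv_type_EC_TYPE`, but the test body, the `if test` and AC_MSG_RESULT all use `sc_cv_type_EC_KEY`. Since the id that AC_CACHE_VAL inspects is never set, the compile test appears to rerun on every configure and any cached or preset `sc_cv_type_EC_KEY` value is overwritten. The line should read `AC_CACHE_VAL(sc_cv_type_EC_KEY,`. A wrong result here silently compiles out the ECDH setup in xio-openssl.c, so it is also worth quoting the variable in the test, as in `if test "$sc_cv_type_EC_KEY" = yes; then`.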
@@ -55,6 +55,7 @@ const SSL_METHOD *sycSSLv2_server_method(void) { } #endif +#if HAVE_SSLv3_client_method const SSL_METHOD *sycSSLv3_client_method(void) { const SSL_METHOD *result; Debug("SSLv3_client_method()"); @@ -62,7 +63,9 @@ const SSL_METHOD *sycSSLv3_client_method(void) { Debug1("SSLv3_client_method() -> %p", result); return result; } +#endif +#if HAVE_SSLv3_server_method const SSL_METHOD *sycSSLv3_server_method(void) { const SSL_METHOD *result; Debug("SSLv3_server_method()"); @@ -70,6 +73,7 @@ const SSL_METHOD *sycSSLv3_server_method(void) { Debug1("SSLv3_server_method() -> %p", result); return result; } +#endif const SSL_METHOD *sycSSLv23_client_method(void) { const SSL_METHOD *result; diff --git a/test.sh b/test.sh index 45d0646..cba4c11 100755 --- a/test.sh +++ b/test.sh @@ -2275,6 +2275,16 @@ gentestdsacert () { cat $name-dsa.pem $name-dh.pem $name.key $name.crt >$name.pem } +# generate a test EC key and certificate +gentesteccert () { + local name="$1" + if [ -s $name.key -a -s $name.crt -a -s $name.pem ]; then return; fi + openssl ecparam -name secp521r1 -out $name-ec.pem >/dev/null 2>&1 + chmod 0400 $name-ec.pem + openssl req -newkey ec:$name-ec.pem -keyout $name.key -nodes -x509 -config $TESTCERT_CONF -out $name.crt -days 3653 >/dev/null 2>&1 + cat $name-ec.pem $name.key $name.crt >$name.pem +} + gentestcert6 () { local name="$1" if [ -s $name.key -a -s $name.crt -a -s $name.pem ]; then return; fi 
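Review bot: The three sslcls.c hunks compile out `sycSSLv3_client_method()` and `sycSSLv3_server_method()` when the HAVE_ macros are unset, but nothing in this commit as shown touches their prototypes or call sites. Unless those are already guarded elsewhere, a build against an OpenSSL without SSLv3 would presumably still fail, at link time instead of compile time. Each call site needs the same `#if HAVE_SSLv3_client_method` / `#if HAVE_SSLv3_server_method` guard, with an explicit error when SSLv3 is requested but not available. For readability, label the closers, e.g. `#endif /* HAVE_SSLv3_client_method */`.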
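Review bot: In `gentesteccert` (test.sh, first hunk) both `openssl` calls discard their output and their exit status. If the local openssl lacks EC support or the curve, the function still writes a partial `$name.pem`, and the ECDHE test later fails with a misleading client error. Stop on failure, for example `openssl ecparam -name secp521r1 -out "$name-ec.pem" >/dev/null 2>&1 || return 1`, and do the same for the `openssl req` line. Note also that `chmod 0400` is applied to the curve parameter file, while `$name.key` and `$name.pem`, which hold the private key, keep the default umask permissions. That is low impact for a throwaway test key, but probably not what was intended.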
@@ -12486,6 +12496,62 @@ esac N=$((N+1)) +# OpenSSL ECDHE ciphers were introduced in socat 1.7.3.0 but in the same release +# they were broken by a porting effort. This test checks if OpenSSL ECDHE works +NAME=OPENSSL_ECDHE +case "$TESTS" in +*%$N%*|*%functions%*|*%bugs%*|*%openssl%*|*%socket%*|*%$NAME%*) +TEST="$NAME: test OpenSSL ECDHE" +# generate a ECDHE key, start an OpenSSL server, connect with a client and try to +# pass data +if ! eval $NUMCOND; then :; else +tf="$td/test$N.stdout" +te="$td/test$N.stderr" +tdiff="$td/test$N.diff" +da="test$N $(date) $RANDOM" +TESTSRV=./testsrvec +gentesteccert $TESTSRV +CMD0="$TRACE $SOCAT $opts OPENSSL-LISTEN:$PORT,reuseaddr,cert=testsrvec.crt,key=$TESTSRV.pem,verify=0 PIPE" +CMD1="$TRACE $SOCAT $opts - OPENSSL-CONNECT:$LOCALHOST:$PORT,cipher=ECDHE-ECDSA-AES256-GCM-SHA384,cafile=$TESTSRV.crt" +printf "test $F_n $TEST... " $N +$CMD0 >/dev/null 2>"${te}0" & +pid0=$! +waittcp4port $PORT 1 +echo "$da" |$CMD1 >"${tf}1" 2>"${te}1" +rc1=$? +kill $pid0 2>/dev/null; wait +if [ $rc1 -ne 0 ]; then + $PRINTF "$FAILED\n" + echo "failure symptom: client error" >&2 + echo "server and stderr:" >&2 + echo "$CMD0 &" + cat "${te}0" + echo "client and stderr:" >&2 + echo "$CMD1" + cat "${te}1" + numFAIL=$((numFAIL+1)) + listFAIL="$listFAIL $N" +elif echo "$da" |diff - "${tf}1" >"$tdiff"; then + $PRINTF "$OK\n" + numOK=$((numOK+1)) +else + $PRINTF "$FAILED\n" + echo "server and stderr:" >&2 + echo "$CMD1" + cat "${te}1" + echo "client and stderr:" >&2 + echo "$CMD0 &" + cat "${te}0" + numFAIL=$((numFAIL+1)) + listFAIL="$listFAIL $N" +fi +fi # NUMCOND + ;; +esac +PORT=$((PORT+1)) +N=$((N+1)) + + ################################################################################## #================================================================================= # here come tests that might affect your systems integrity. Put normal tests diff --git a/xio-openssl.c b/xio-openssl.c index cf0ec49..89a9a9a 100644 --- a/xio-openssl.c +++ b/xio-openssl.c 
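Review bot: In the final `else` branch of the OPENSSL_ECDHE test (data mismatch) the diagnostics are swapped: "server and stderr:" is followed by `$CMD1` and `${te}1`, which are the client, and "client and stderr:" by `$CMD0` and `${te}0`. The branch also prints no failure symptom and never shows `$tdiff`. Under the server label it should print `echo "$CMD0 &"` and `cat "${te}0"`, under the client label `echo "$CMD1"` and `cat "${te}1"`, followed by `cat "$tdiff"`. Separately, CMD0 hard-codes `cert=testsrvec.crt` while the key and the client's `cafile` use `$TESTSRV`; `cert=$TESTSRV.crt` keeps the server certificate and the CA the client verifies against in step.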
@@ -967,7 +967,7 @@ int } } -#if defined(EC_KEY) /* not on Openindiana 5.11 */ +#if HAVE_TYPE_EC_KEY /* not on Openindiana 5.11 */ { /* see http://openssl.6102.n7.nabble.com/Problem-with-cipher-suite-ECDHE-ECDSA-AES256-SHA384-td42229.html */ int nid; @@ -989,7 +989,7 @@ int SSL_CTX_set_tmp_ecdh(*ctx, ecdh); } -#endif /* !defined(EC_KEY) */ +#endif /* HAVE_TYPE_EC_KEY */ #if OPENSSL_VERSION_NUMBER >= 0x00908000L if (opt_compress) {
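Review bot: With the guard changed to `#if HAVE_TYPE_EC_KEY`, this ECDH block is compiled in for the first time on most platforms, and the context line `SSL_CTX_set_tmp_ecdh(*ctx, ecdh);` in the second hunk ignores the return value. A failure there would leave the context without ECDH parameters and give no diagnostic, which is the same symptom this commit is fixing. Check the result, e.g. `if (SSL_CTX_set_tmp_ecdh(*ctx, ecdh) != 1) { /* report through the file's error macros */ }`. The body between the two hunks is not shown, so please also confirm that `ecdh` is released after the call. Adding a one-line comment in the block stating that ECDHE suites are unavailable when HAVE_TYPE_EC_KEY is unset would also help.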