Check in configure for SSLv3_*_METHOD

This commit is contained in:
Gerhard Rieger 2016-12-10 21:51:27 +01:00
parent de80846643
commit 0061ca1334
6 changed files with 96 additions and 2 deletions


@ -41,6 +41,15 @@ porting:
Made struct ip subject to configure. Made struct ip subject to configure.
Thanks to SP for reporting this issue. Thanks to SP for reporting this issue.
Socat failed to compile with OpenSSL version 1.0.2d where
SSLv3_server_method and SSLv3_client_method are no longer defined.
Thanks to Mischa ter Smitten for reporting this issue and providing
a patch.
configure checked for OpenSSL EC_KEY assuming it is a define but it
is a type, thus OpenSSL ECDHE ciphers failed even on Linux.
Thanks to Andrey Arapov for reporting this bug.
testing: testing:
socks4echo.sh and socks4a-echo.sh hung with new bash with read -n socks4echo.sh and socks4a-echo.sh hung with new bash with read -n


@ -450,6 +450,9 @@
#undef HAVE_DTLSv1_client_method #undef HAVE_DTLSv1_client_method
#undef HAVE_DTLSv1_server_method #undef HAVE_DTLSv1_server_method
/* Define if you have the EC_KEY type */
#undef HAVE_TYPE_EC_KEY
/* Define if you have the flock function */ /* Define if you have the flock function */
#undef HAVE_FLOCK #undef HAVE_FLOCK


@ -1462,6 +1462,18 @@ AC_CHECK_FUNC(TLSv1_2_server_method, AC_DEFINE(HAVE_TLSv1_2_server_method), AC_C
AC_CHECK_FUNC(DTLSv1_client_method, AC_DEFINE(HAVE_DTLSv1_client_method), AC_CHECK_LIB(crypt, DTLSv1_client_method, [LIBS=-lcrypt $LIBS])) AC_CHECK_FUNC(DTLSv1_client_method, AC_DEFINE(HAVE_DTLSv1_client_method), AC_CHECK_LIB(crypt, DTLSv1_client_method, [LIBS=-lcrypt $LIBS]))
AC_CHECK_FUNC(DTLSv1_server_method, AC_DEFINE(HAVE_DTLSv1_server_method), AC_CHECK_LIB(crypt, DTLSv1_server_method, [LIBS=-lcrypt $LIBS])) AC_CHECK_FUNC(DTLSv1_server_method, AC_DEFINE(HAVE_DTLSv1_server_method), AC_CHECK_LIB(crypt, DTLSv1_server_method, [LIBS=-lcrypt $LIBS]))
AC_MSG_CHECKING(for type EC_KEY)
AC_CACHE_VAL(sc_cv_type_EC_TYPE,
[AC_TRY_COMPILE([#include <openssl/ec.h>
],[EC_KEY *s;],
[sc_cv_type_EC_KEY=yes],
[sc_cv_type_EC_KEY=no])])
if test $sc_cv_type_EC_KEY = yes; then
AC_DEFINE(HAVE_TYPE_EC_KEY)
fi
AC_MSG_RESULT($sc_cv_type_EC_KEY)
dnl Run time checks dnl Run time checks
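Review bot: The cache id and the result variable disagree in the new EC_KEY check: `AC_CACHE_VAL(sc_cv_type_EC_TYPE,` caches under one name while both AC_TRY_COMPILE branches set `sc_cv_type_EC_KEY`, so the result is never actually cached and, should `sc_cv_type_EC_TYPE` ever be preset from a config.cache, the commands are skipped and the following `test $sc_cv_type_EC_KEY = yes` runs with an empty operand and errors out. Change the line to `AC_CACHE_VAL(sc_cv_type_EC_KEY,` and quote the comparison as `if test "$sc_cv_type_EC_KEY" = yes; then`. AC_TRY_COMPILE is a deprecated macro; `AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <openssl/ec.h>], [EC_KEY *s;])], ...)` is the current spelling. The SSLv3_*_method checks named in the commit title are not in this hunk; if HAVE_SSLv3_client_method and HAVE_SSLv3_server_method are not produced elsewhere in configure.in, the new `#if` guards in sycls.c will silently compile those wrappers out.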


@ -55,6 +55,7 @@ const SSL_METHOD *sycSSLv2_server_method(void) {
} }
#endif #endif
#if HAVE_SSLv3_client_method
const SSL_METHOD *sycSSLv3_client_method(void) { const SSL_METHOD *sycSSLv3_client_method(void) {
const SSL_METHOD *result; const SSL_METHOD *result;
Debug("SSLv3_client_method()"); Debug("SSLv3_client_method()");
@ -62,7 +63,9 @@ const SSL_METHOD *sycSSLv3_client_method(void) {
Debug1("SSLv3_client_method() -> %p", result); Debug1("SSLv3_client_method() -> %p", result);
return result; return result;
} }
#endif
#if HAVE_SSLv3_server_method
const SSL_METHOD *sycSSLv3_server_method(void) { const SSL_METHOD *sycSSLv3_server_method(void) {
const SSL_METHOD *result; const SSL_METHOD *result;
Debug("SSLv3_server_method()"); Debug("SSLv3_server_method()");
@ -70,6 +73,7 @@ const SSL_METHOD *sycSSLv3_server_method(void) {
Debug1("SSLv3_server_method() -> %p", result); Debug1("SSLv3_server_method() -> %p", result);
return result; return result;
} }
#endif
const SSL_METHOD *sycSSLv23_client_method(void) { const SSL_METHOD *sycSSLv23_client_method(void) {
const SSL_METHOD *result; const SSL_METHOD *result;
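Review bot: The new `#if HAVE_SSLv3_client_method` and `#if HAVE_SSLv3_server_method` guards make the sycSSLv3_* wrappers disappear whenever configure does not define those macros, so every call site (presumably the method-selection code in xio-openssl.c, which this commit does not touch) needs the same guard or an OpenSSL build without SSLv3 fails at link time; please confirm that. The added closing directives are bare `#endif`, whereas the xio-openssl.c hunk in this same commit annotates its closers; `#endif /* HAVE_SSLv3_client_method */` and `#endif /* HAVE_SSLv3_server_method */` would keep the two files consistent. This applies to all three hunks of this file. sycSSLv23_client_method, whose first lines end the last hunk, continues outside it.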

66
test.sh

@ -2275,6 +2275,16 @@ gentestdsacert () {
cat $name-dsa.pem $name-dh.pem $name.key $name.crt >$name.pem cat $name-dsa.pem $name-dh.pem $name.key $name.crt >$name.pem
} }
# generate a test EC key and certificate
gentesteccert () {
local name="$1"
if [ -s $name.key -a -s $name.crt -a -s $name.pem ]; then return; fi
openssl ecparam -name secp521r1 -out $name-ec.pem >/dev/null 2>&1
chmod 0400 $name-ec.pem
openssl req -newkey ec:$name-ec.pem -keyout $name.key -nodes -x509 -config $TESTCERT_CONF -out $name.crt -days 3653 >/dev/null 2>&1
cat $name-ec.pem $name.key $name.crt >$name.pem
}
gentestcert6 () { gentestcert6 () {
local name="$1" local name="$1"
if [ -s $name.key -a -s $name.crt -a -s $name.pem ]; then return; fi if [ -s $name.key -a -s $name.crt -a -s $name.pem ]; then return; fi
@ -12486,6 +12496,62 @@ esac
N=$((N+1)) N=$((N+1))
# OpenSSL ECDHE ciphers were introduced in socat 1.7.3.0 but in the same release
# they were broken by a porting effort. This test checks if OpenSSL ECDHE works
NAME=OPENSSL_ECDHE
case "$TESTS" in
*%$N%*|*%functions%*|*%bugs%*|*%openssl%*|*%socket%*|*%$NAME%*)
TEST="$NAME: test OpenSSL ECDHE"
# generate a ECDHE key, start an OpenSSL server, connect with a client and try to
# pass data
if ! eval $NUMCOND; then :; else
tf="$td/test$N.stdout"
te="$td/test$N.stderr"
tdiff="$td/test$N.diff"
da="test$N $(date) $RANDOM"
TESTSRV=./testsrvec
gentesteccert $TESTSRV
CMD0="$TRACE $SOCAT $opts OPENSSL-LISTEN:$PORT,reuseaddr,cert=testsrvec.crt,key=$TESTSRV.pem,verify=0 PIPE"
CMD1="$TRACE $SOCAT $opts - OPENSSL-CONNECT:$LOCALHOST:$PORT,cipher=ECDHE-ECDSA-AES256-GCM-SHA384,cafile=$TESTSRV.crt"
printf "test $F_n $TEST... " $N
$CMD0 >/dev/null 2>"${te}0" &
pid0=$!
waittcp4port $PORT 1
echo "$da" |$CMD1 >"${tf}1" 2>"${te}1"
rc1=$?
kill $pid0 2>/dev/null; wait
if [ $rc1 -ne 0 ]; then
$PRINTF "$FAILED\n"
echo "failure symptom: client error" >&2
echo "server and stderr:" >&2
echo "$CMD0 &"
cat "${te}0"
echo "client and stderr:" >&2
echo "$CMD1"
cat "${te}1"
numFAIL=$((numFAIL+1))
listFAIL="$listFAIL $N"
elif echo "$da" |diff - "${tf}1" >"$tdiff"; then
$PRINTF "$OK\n"
numOK=$((numOK+1))
else
$PRINTF "$FAILED\n"
echo "server and stderr:" >&2
echo "$CMD1"
cat "${te}1"
echo "client and stderr:" >&2
echo "$CMD0 &"
cat "${te}0"
numFAIL=$((numFAIL+1))
listFAIL="$listFAIL $N"
fi
fi # NUMCOND
;;
esac
PORT=$((PORT+1))
N=$((N+1))
################################################################################## ##################################################################################
#================================================================================= #=================================================================================
# here come tests that might affect your systems integrity. Put normal tests # here come tests that might affect your systems integrity. Put normal tests
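Review bot: The diff-mismatch branch of the new OPENSSL_ECDHE test prints its diagnostics under the wrong headings: after `echo "server and stderr:" >&2` it echoes `$CMD1` and `${te}1` (the client), and after `echo "client and stderr:" >&2` it echoes `$CMD0 &` and `${te}0` (the server); swap the two echo/cat pairs so they match the client-error branch a few lines above. In CMD0, `cert=testsrvec.crt` hard-codes what every other reference spells through `$TESTSRV`; `cert=$TESTSRV.crt` keeps the fixture name in one place. In gentesteccert, `chmod 0400` is applied to `$name-ec.pem`, which holds only the public curve parameters, while the private key that `openssl req -nodes` writes to `$name.key` is left at the umask default; if the chmod is meant to protect the key it belongs on `$name.key` as well, though for a test fixture this is minor. The unquoted `[ -s ... -a ... ]` test copies the existing gentestcert6 helper's style, so I would not change it in isolation.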


@ -967,7 +967,7 @@ int
} }
} }
#if defined(EC_KEY) /* not on Openindiana 5.11 */ #if HAVE_TYPE_EC_KEY /* not on Openindiana 5.11 */
{ {
/* see http://openssl.6102.n7.nabble.com/Problem-with-cipher-suite-ECDHE-ECDSA-AES256-SHA384-td42229.html */ /* see http://openssl.6102.n7.nabble.com/Problem-with-cipher-suite-ECDHE-ECDSA-AES256-SHA384-td42229.html */
int nid; int nid;
@ -989,7 +989,7 @@ int
SSL_CTX_set_tmp_ecdh(*ctx, ecdh); SSL_CTX_set_tmp_ecdh(*ctx, ecdh);
} }
#endif /* !defined(EC_KEY) */ #endif /* HAVE_TYPE_EC_KEY */
#if OPENSSL_VERSION_NUMBER >= 0x00908000L #if OPENSSL_VERSION_NUMBER >= 0x00908000L
if (opt_compress) { if (opt_compress) {
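Review bot: The ECDH block between the two hunks is effectively compiled for the first time by this change on most platforms, because `defined(EC_KEY)` was never true for a typedef, so the code it encloses (the nid lookup through `SSL_CTX_set_tmp_ecdh(*ctx, ecdh)`) deserves a fresh review rather than being treated as pre-existing. In particular, please confirm that the `ecdh` object is released with `EC_KEY_free(ecdh)` after the set call (the context keeps its own copy, so the caller's handle would otherwise leak per context) and that a NULL result from the curve construction is rejected before the call; neither line is visible in this commit. The corrected `#endif /* HAVE_TYPE_EC_KEY */` comment now matches its opener, which the old `!defined(EC_KEY)` text did not. The enclosing function starts and ends outside both hunks.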