Check in configure for SSLv3_*_METHOD
parent
de80846643
commit
0061ca1334
6 changed files with 96 additions and 2 deletions
9
CHANGES
9
CHANGES
|
@ -41,6 +41,15 @@ porting:
|
||||||
Made struct ip subject to configure.
|
Made struct ip subject to configure.
|
||||||
Thanks to SP for reporting this issue.
|
Thanks to SP for reporting this issue.
|
||||||
|
|
||||||
|
Socat failed to compile with OpenSSL version 1.0.2d where
|
||||||
|
SSLv3_server_method and SSLv3_client_method are no longer defined.
|
||||||
|
Thanks to Mischa ter Smitten for reporting this issue and providing
|
||||||
|
a patch.
|
||||||
|
|
||||||
|
configure checked for OpenSSL EC_KEY assuming it is a define but it
|
||||||
|
is a type, thus OpenSSL ECDHE ciphers failed even on Linux.
|
||||||
|
Thanks to Andrey Arapov for reporting this bug.
|
||||||
|
|
||||||
testing:
|
testing:
|
||||||
socks4echo.sh and socks4a-echo.sh hung with new bash with read -n
|
socks4echo.sh and socks4a-echo.sh hung with new bash with read -n
|
||||||
|
|
||||||
|
|
|
@ -450,6 +450,9 @@
|
||||||
#undef HAVE_DTLSv1_client_method
|
#undef HAVE_DTLSv1_client_method
|
||||||
#undef HAVE_DTLSv1_server_method
|
#undef HAVE_DTLSv1_server_method
|
||||||
|
|
||||||
|
/* Define if you have the EC_KEY type */
|
||||||
|
#undef HAVE_TYPE_EC_KEY
|
||||||
|
|
||||||
/* Define if you have the flock function */
|
/* Define if you have the flock function */
|
||||||
#undef HAVE_FLOCK
|
#undef HAVE_FLOCK
|
||||||
|
|
||||||
|
|
12
configure.in
12
configure.in
|
@ -1462,6 +1462,18 @@ AC_CHECK_FUNC(TLSv1_2_server_method, AC_DEFINE(HAVE_TLSv1_2_server_method), AC_C
|
||||||
AC_CHECK_FUNC(DTLSv1_client_method, AC_DEFINE(HAVE_DTLSv1_client_method), AC_CHECK_LIB(crypt, DTLSv1_client_method, [LIBS=-lcrypt $LIBS]))
|
AC_CHECK_FUNC(DTLSv1_client_method, AC_DEFINE(HAVE_DTLSv1_client_method), AC_CHECK_LIB(crypt, DTLSv1_client_method, [LIBS=-lcrypt $LIBS]))
|
||||||
AC_CHECK_FUNC(DTLSv1_server_method, AC_DEFINE(HAVE_DTLSv1_server_method), AC_CHECK_LIB(crypt, DTLSv1_server_method, [LIBS=-lcrypt $LIBS]))
|
AC_CHECK_FUNC(DTLSv1_server_method, AC_DEFINE(HAVE_DTLSv1_server_method), AC_CHECK_LIB(crypt, DTLSv1_server_method, [LIBS=-lcrypt $LIBS]))
|
||||||
|
|
||||||
|
AC_MSG_CHECKING(for type EC_KEY)
|
||||||
|
AC_CACHE_VAL(sc_cv_type_EC_TYPE,
|
||||||
|
[AC_TRY_COMPILE([#include <openssl/ec.h>
|
||||||
|
],[EC_KEY *s;],
|
||||||
|
[sc_cv_type_EC_KEY=yes],
|
||||||
|
[sc_cv_type_EC_KEY=no])])
|
||||||
|
if test $sc_cv_type_EC_KEY = yes; then
|
||||||
|
AC_DEFINE(HAVE_TYPE_EC_KEY)
|
||||||
|
fi
|
||||||
|
AC_MSG_RESULT($sc_cv_type_EC_KEY)
|
||||||
|
|
||||||
|
|
||||||
dnl Run time checks
|
dnl Run time checks
|
||||||
|
|
||||||
|
|
||||||
|
|
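Review bot: The cache variable named in `AC_CACHE_VAL(sc_cv_type_EC_TYPE,` does not match the variable the probe actually sets, `sc_cv_type_EC_KEY`, so the result is never stored in config.cache and autoconf reports the cache variable as unset after the check; change the first line to `AC_CACHE_VAL(sc_cv_type_EC_KEY,`. The following `if test $sc_cv_type_EC_KEY = yes; then` is safer as `if test "$sc_cv_type_EC_KEY" = yes; then`, since an empty value otherwise becomes a shell syntax error rather than a clean "no". The AC_TRY_COMPILE probe only needs the header to declare the type, which is consistent with the CHANGES entry saying EC_KEY is a type rather than a define.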
4
sslcls.c
4
sslcls.c
|
@ -55,6 +55,7 @@ const SSL_METHOD *sycSSLv2_server_method(void) {
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if HAVE_SSLv3_client_method
|
||||||
const SSL_METHOD *sycSSLv3_client_method(void) {
|
const SSL_METHOD *sycSSLv3_client_method(void) {
|
||||||
const SSL_METHOD *result;
|
const SSL_METHOD *result;
|
||||||
Debug("SSLv3_client_method()");
|
Debug("SSLv3_client_method()");
|
||||||
|
@ -62,7 +63,9 @@ const SSL_METHOD *sycSSLv3_client_method(void) {
|
||||||
Debug1("SSLv3_client_method() -> %p", result);
|
Debug1("SSLv3_client_method() -> %p", result);
|
||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if HAVE_SSLv3_server_method
|
||||||
const SSL_METHOD *sycSSLv3_server_method(void) {
|
const SSL_METHOD *sycSSLv3_server_method(void) {
|
||||||
const SSL_METHOD *result;
|
const SSL_METHOD *result;
|
||||||
Debug("SSLv3_server_method()");
|
Debug("SSLv3_server_method()");
|
||||||
|
@ -70,6 +73,7 @@ const SSL_METHOD *sycSSLv3_server_method(void) {
|
||||||
Debug1("SSLv3_server_method() -> %p", result);
|
Debug1("SSLv3_server_method() -> %p", result);
|
||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
const SSL_METHOD *sycSSLv23_client_method(void) {
|
const SSL_METHOD *sycSSLv23_client_method(void) {
|
||||||
const SSL_METHOD *result;
|
const SSL_METHOD *result;
|
||||||
|
|
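Review bot: Guarding the definitions of sycSSLv3_client_method and sycSSLv3_server_method with `#if HAVE_SSLv3_client_method` / `#if HAVE_SSLv3_server_method` removes the symbols when OpenSSL was built without SSLv3, but the prototypes in the header and the call sites that select the SSLv3 method are not in these hunks, so it is worth confirming they test the same macros; otherwise the failure moves from compile time to an undefined reference at link time. A short comment on each new guard, `/* not available when OpenSSL is built without SSLv3 (e.g. 1.0.2d); callers must test the same macro */`, would record why the wrappers are conditional. Since `#if` on an undefined macro evaluates to 0, the `#undef HAVE_...` template in config.h.in is sufficient and no `defined()` is needed.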
66
test.sh
66
test.sh
|
@ -2275,6 +2275,16 @@ gentestdsacert () {
|
||||||
cat $name-dsa.pem $name-dh.pem $name.key $name.crt >$name.pem
|
cat $name-dsa.pem $name-dh.pem $name.key $name.crt >$name.pem
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# generate a test EC key and certificate
|
||||||
|
gentesteccert () {
|
||||||
|
local name="$1"
|
||||||
|
if [ -s $name.key -a -s $name.crt -a -s $name.pem ]; then return; fi
|
||||||
|
openssl ecparam -name secp521r1 -out $name-ec.pem >/dev/null 2>&1
|
||||||
|
chmod 0400 $name-ec.pem
|
||||||
|
openssl req -newkey ec:$name-ec.pem -keyout $name.key -nodes -x509 -config $TESTCERT_CONF -out $name.crt -days 3653 >/dev/null 2>&1
|
||||||
|
cat $name-ec.pem $name.key $name.crt >$name.pem
|
||||||
|
}
|
||||||
|
|
||||||
gentestcert6 () {
|
gentestcert6 () {
|
||||||
local name="$1"
|
local name="$1"
|
||||||
if [ -s $name.key -a -s $name.crt -a -s $name.pem ]; then return; fi
|
if [ -s $name.key -a -s $name.crt -a -s $name.pem ]; then return; fi
|
||||||
|
@ -12486,6 +12496,62 @@ esac
|
||||||
N=$((N+1))
|
N=$((N+1))
|
||||||
|
|
||||||
|
|
||||||
|
# OpenSSL ECDHE ciphers were introduced in socat 1.7.3.0 but in the same release
|
||||||
|
# they were broken by a porting effort. This test checks if OpenSSL ECDHE works
|
||||||
|
NAME=OPENSSL_ECDHE
|
||||||
|
case "$TESTS" in
|
||||||
|
*%$N%*|*%functions%*|*%bugs%*|*%openssl%*|*%socket%*|*%$NAME%*)
|
||||||
|
TEST="$NAME: test OpenSSL ECDHE"
|
||||||
|
# generate a ECDHE key, start an OpenSSL server, connect with a client and try to
|
||||||
|
# pass data
|
||||||
|
if ! eval $NUMCOND; then :; else
|
||||||
|
tf="$td/test$N.stdout"
|
||||||
|
te="$td/test$N.stderr"
|
||||||
|
tdiff="$td/test$N.diff"
|
||||||
|
da="test$N $(date) $RANDOM"
|
||||||
|
TESTSRV=./testsrvec
|
||||||
|
gentesteccert $TESTSRV
|
||||||
|
CMD0="$TRACE $SOCAT $opts OPENSSL-LISTEN:$PORT,reuseaddr,cert=testsrvec.crt,key=$TESTSRV.pem,verify=0 PIPE"
|
||||||
|
CMD1="$TRACE $SOCAT $opts - OPENSSL-CONNECT:$LOCALHOST:$PORT,cipher=ECDHE-ECDSA-AES256-GCM-SHA384,cafile=$TESTSRV.crt"
|
||||||
|
printf "test $F_n $TEST... " $N
|
||||||
|
$CMD0 >/dev/null 2>"${te}0" &
|
||||||
|
pid0=$!
|
||||||
|
waittcp4port $PORT 1
|
||||||
|
echo "$da" |$CMD1 >"${tf}1" 2>"${te}1"
|
||||||
|
rc1=$?
|
||||||
|
kill $pid0 2>/dev/null; wait
|
||||||
|
if [ $rc1 -ne 0 ]; then
|
||||||
|
$PRINTF "$FAILED\n"
|
||||||
|
echo "failure symptom: client error" >&2
|
||||||
|
echo "server and stderr:" >&2
|
||||||
|
echo "$CMD0 &"
|
||||||
|
cat "${te}0"
|
||||||
|
echo "client and stderr:" >&2
|
||||||
|
echo "$CMD1"
|
||||||
|
cat "${te}1"
|
||||||
|
numFAIL=$((numFAIL+1))
|
||||||
|
listFAIL="$listFAIL $N"
|
||||||
|
elif echo "$da" |diff - "${tf}1" >"$tdiff"; then
|
||||||
|
$PRINTF "$OK\n"
|
||||||
|
numOK=$((numOK+1))
|
||||||
|
else
|
||||||
|
$PRINTF "$FAILED\n"
|
||||||
|
echo "server and stderr:" >&2
|
||||||
|
echo "$CMD1"
|
||||||
|
cat "${te}1"
|
||||||
|
echo "client and stderr:" >&2
|
||||||
|
echo "$CMD0 &"
|
||||||
|
cat "${te}0"
|
||||||
|
numFAIL=$((numFAIL+1))
|
||||||
|
listFAIL="$listFAIL $N"
|
||||||
|
fi
|
||||||
|
fi # NUMCOND
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
PORT=$((PORT+1))
|
||||||
|
N=$((N+1))
|
||||||
|
|
||||||
|
|
||||||
##################################################################################
|
##################################################################################
|
||||||
#=================================================================================
|
#=================================================================================
|
||||||
# here come tests that might affect your systems integrity. Put normal tests
|
# here come tests that might affect your systems integrity. Put normal tests
|
||||||
|
|
|
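Review bot: In the diff-mismatch branch of the new OPENSSL_ECDHE test the labels are swapped: `echo "server and stderr:" >&2` is followed by `echo "$CMD1"` and `cat "${te}1"` (the client), and `echo "client and stderr:" >&2` by `$CMD0`/`${te}0` (the server), the opposite of the client-error branch just above it; swap the two command/cat pairs so each label matches its process. The server command also hard-codes `cert=testsrvec.crt` while the key uses `$TESTSRV.pem`; use `cert=$TESTSRV.crt` so both follow the variable. In gentesteccert the exit statuses of `openssl ecparam` and `openssl req` are discarded by `>/dev/null 2>&1`, so an unsupported curve only surfaces later as an unexplained client failure. Note too that `-keyout $name.key -nodes` writes an unencrypted private key with umask-default permissions, whereas only the parameter file receives `chmod 0400`.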
@ -967,7 +967,7 @@ int
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(EC_KEY) /* not on Openindiana 5.11 */
|
#if HAVE_TYPE_EC_KEY /* not on Openindiana 5.11 */
|
||||||
{
|
{
|
||||||
/* see http://openssl.6102.n7.nabble.com/Problem-with-cipher-suite-ECDHE-ECDSA-AES256-SHA384-td42229.html */
|
/* see http://openssl.6102.n7.nabble.com/Problem-with-cipher-suite-ECDHE-ECDSA-AES256-SHA384-td42229.html */
|
||||||
int nid;
|
int nid;
|
||||||
|
@ -989,7 +989,7 @@ int
|
||||||
|
|
||||||
SSL_CTX_set_tmp_ecdh(*ctx, ecdh);
|
SSL_CTX_set_tmp_ecdh(*ctx, ecdh);
|
||||||
}
|
}
|
||||||
#endif /* !defined(EC_KEY) */
|
#endif /* HAVE_TYPE_EC_KEY */
|
||||||
|
|
||||||
#if OPENSSL_VERSION_NUMBER >= 0x00908000L
|
#if OPENSSL_VERSION_NUMBER >= 0x00908000L
|
||||||
if (opt_compress) {
|
if (opt_compress) {
|
||||||
|
|
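Review bot: Replacing `#if defined(EC_KEY)` with `#if HAVE_TYPE_EC_KEY` is the right fix, because a type name can never satisfy `defined()` and the block was therefore always compiled out; the matching `#endif /* HAVE_TYPE_EC_KEY */` comment keeps the pair readable. After `SSL_CTX_set_tmp_ecdh(*ctx, ecdh);` the hunk does not show `ecdh` being released; SSL_CTX_set_tmp_ecdh keeps its own reference, so the caller is responsible for `EC_KEY_free(ecdh);` — if that call is just outside the hunk this can be ignored, otherwise one EC_KEY leaks per context setup. The enclosing function starts and ends outside both hunks.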