tmp - Debian OpenSSL1.1 patch

This commit is contained in:
Gerhard Rieger 2016-12-05 12:05:02 +01:00
parent aed0fcd79e
commit 0638d245f8
5 changed files with 76 additions and 28 deletions

View file

@ -1,3 +1,8 @@
porting:
Changes to make socat compile with OpenSSL 1.1.
Thanks to Sebastian Andrzej Siewior e.a. from the Debian team for
providing the base patch.
Debian Bug#828550
####################### V 1.7.3.1: ####################### V 1.7.3.1:

View file

@ -447,6 +447,15 @@
#undef HAVE_DTLSv1_client_method #undef HAVE_DTLSv1_client_method
#undef HAVE_DTLSv1_server_method #undef HAVE_DTLSv1_server_method
/* Define if you have the OpenSSL RAND_egd function */
#undef HAVE_RAND_egd
/* Define if you have the OpenSSL DH_set0_pqg function */
#undef HAVE_DH_set0_pqg
/* Define if you have the OpenSSL ASN1_STRING_get0_data function */
#undef HAVE_ASN1_STRING_get0_data
/* Define if you have the flock function */ /* Define if you have the flock function */
#undef HAVE_FLOCK #undef HAVE_FLOCK

View file

@ -1450,6 +1450,9 @@ AC_CHECK_FUNC(TLSv1_2_client_method, AC_DEFINE(HAVE_TLSv1_2_client_method), AC_C
AC_CHECK_FUNC(TLSv1_2_server_method, AC_DEFINE(HAVE_TLSv1_2_server_method), AC_CHECK_LIB(crypt, TLSv1_2_server_method, [LIBS=-lcrypt $LIBS])) AC_CHECK_FUNC(TLSv1_2_server_method, AC_DEFINE(HAVE_TLSv1_2_server_method), AC_CHECK_LIB(crypt, TLSv1_2_server_method, [LIBS=-lcrypt $LIBS]))
AC_CHECK_FUNC(DTLSv1_client_method, AC_DEFINE(HAVE_DTLSv1_client_method), AC_CHECK_LIB(crypt, DTLSv1_client_method, [LIBS=-lcrypt $LIBS])) AC_CHECK_FUNC(DTLSv1_client_method, AC_DEFINE(HAVE_DTLSv1_client_method), AC_CHECK_LIB(crypt, DTLSv1_client_method, [LIBS=-lcrypt $LIBS]))
AC_CHECK_FUNC(DTLSv1_server_method, AC_DEFINE(HAVE_DTLSv1_server_method), AC_CHECK_LIB(crypt, DTLSv1_server_method, [LIBS=-lcrypt $LIBS])) AC_CHECK_FUNC(DTLSv1_server_method, AC_DEFINE(HAVE_DTLSv1_server_method), AC_CHECK_LIB(crypt, DTLSv1_server_method, [LIBS=-lcrypt $LIBS]))
AC_CHECK_FUNC(RAND_egd, AC_DEFINE(HAVE_RAND_egd), AC_CHECK_LIB(crypt, RAND_egd, [LIBS=-lcrypt $LIBS]))
AC_CHECK_FUNC(DH_set0_pqg, AC_DEFINE(HAVE_DH_set0_pqg), AC_CHECK_LIB(crypt, DH_set0_pqg, [LIBS=-lcrypt $LIBS]))
AC_CHECK_FUNC(ASN1_STRING_get0_data, AC_DEFINE(HAVE_ASN1_STRING_get0_data), AC_CHECK_LIB(crypt, ASN1_STRING_get0_data, [LIBS=-lcrypt $LIBS]))
dnl Run time checks dnl Run time checks

View file

@ -331,6 +331,7 @@ void sycSSL_free(SSL *ssl) {
return; return;
} }
#if !defined(OPENSSL_NO_EGD) && HAVE_RAND_egd
int sycRAND_egd(const char *path) { int sycRAND_egd(const char *path) {
int result; int result;
Debug1("RAND_egd(\"%s\")", path); Debug1("RAND_egd(\"%s\")", path);
@ -338,6 +339,7 @@ int sycRAND_egd(const char *path) {
Debug1("RAND_egd() -> %d", result); Debug1("RAND_egd() -> %d", result);
return result; return result;
} }
#endif
DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u) { DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u) {
DH *result; DH *result;

View file

@ -878,7 +878,11 @@ int
} }
if (opt_egd) { if (opt_egd) {
#if !defined(OPENSSL_NO_EGD) && HAVE_RAND_egd
sycRAND_egd(opt_egd); sycRAND_egd(opt_egd);
#else
Debug("RAND_egd() is not available by OpenSSL");
#endif
} }
if (opt_pseudo) { if (opt_pseudo) {
@ -936,24 +940,37 @@ int
0x02, 0x02,
}; };
DH *dh; DH *dh;
BIGNUM *p = NULL, *g = NULL;
unsigned long err; unsigned long err;
if ((dh = DH_new()) == NULL) { dh = DH_new();
p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
if (!dh || !p || !g) {
if (dh)
DH_free(dh);
if (p)
BN_free(p);
if (g)
BN_free(g);
while (err = ERR_get_error()) { while (err = ERR_get_error()) {
Warn1("DH_new(): %s", Warn1("dh2048 setup(): %s",
ERR_error_string(err, NULL)); ERR_error_string(err, NULL));
} }
Error("DH_new() failed"); Error("dh2048 setup failed");
} else { goto cont_out;
dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
if ((dh->p == NULL) || (dh->g == NULL)) {
while (err = ERR_get_error()) {
Warn1("BN_bin2bn(): %s",
ERR_error_string(err, NULL));
} }
Error("BN_bin2bn() failed"); #if HAVE_DH_set0_pqg
} else { if (!DH_set0_pqg(dh, p, NULL, g)) {
DH_free(dh);
BN_free(p);
BN_free(g);
goto cont_out;
}
#else
dh->p = p;
dh->g = g;
#endif /* HAVE_DH_set0_pqg */
if (sycSSL_CTX_set_tmp_dh(*ctx, dh) <= 0) { if (sycSSL_CTX_set_tmp_dh(*ctx, dh) <= 0) {
while (err = ERR_get_error()) { while (err = ERR_get_error()) {
Warn3("SSL_CTX_set_tmp_dh(%p, %p): %s", *ctx, dh, Warn3("SSL_CTX_set_tmp_dh(%p, %p): %s", *ctx, dh,
@ -961,10 +978,10 @@ int
} }
Error2("SSL_CTX_set_tmp_dh(%p, %p) failed", *ctx, dh); Error2("SSL_CTX_set_tmp_dh(%p, %p) failed", *ctx, dh);
} }
/*! OPENSSL_free(dh->p,g)? doc does not tell so */ /* p & g are freed by DH_free() once attached */
}
DH_free(dh); DH_free(dh);
} cont_out:
;
} }
#if defined(EC_KEY) /* not on Openindiana 5.11 */ #if defined(EC_KEY) /* not on Openindiana 5.11 */
@ -1103,7 +1120,11 @@ static int openssl_SSL_ERROR_SSL(int level, const char *funcname) {
while (e = ERR_get_error()) { while (e = ERR_get_error()) {
Debug1("ERR_get_error(): %lx", e); Debug1("ERR_get_error(): %lx", e);
if (e == ((ERR_LIB_RAND<<24)| if (e == ((ERR_LIB_RAND<<24)|
#if defined(RAND_F_RAND_BYTES)
(RAND_F_RAND_BYTES<<12)|
#else
(RAND_F_SSLEAY_RAND_BYTES<<12)| (RAND_F_SSLEAY_RAND_BYTES<<12)|
#endif
(RAND_R_PRNG_NOT_SEEDED)) /*0x24064064*/) { (RAND_R_PRNG_NOT_SEEDED)) /*0x24064064*/) {
Error("too few entropy; use options \"egd\" or \"pseudo\""); Error("too few entropy; use options \"egd\" or \"pseudo\"");
stat = STAT_NORETRY; stat = STAT_NORETRY;
@ -1236,13 +1257,17 @@ static int openssl_setenv_cert_fields(const char *field, X509_NAME *name) {
X509_NAME_ENTRY *entry; X509_NAME_ENTRY *entry;
ASN1_OBJECT *obj; ASN1_OBJECT *obj;
ASN1_STRING *data; ASN1_STRING *data;
unsigned char *text; const unsigned char *text;
int nid; int nid;
entry = X509_NAME_get_entry(name, i); entry = X509_NAME_get_entry(name, i);
obj = X509_NAME_ENTRY_get_object(entry); obj = X509_NAME_ENTRY_get_object(entry);
data = X509_NAME_ENTRY_get_data(entry); data = X509_NAME_ENTRY_get_data(entry);
nid = OBJ_obj2nid(obj); nid = OBJ_obj2nid(obj);
#if HAVE_ASN1_STRING_get0_data
text = ASN1_STRING_get0_data(data);
#else
text = ASN1_STRING_data(data); text = ASN1_STRING_data(data);
#endif
Debug3("SSL peer cert %s entry: %s=\"%s\"", (field[0]?field:"subject"), OBJ_nid2ln(nid), text); Debug3("SSL peer cert %s entry: %s=\"%s\"", (field[0]?field:"subject"), OBJ_nid2ln(nid), text);
if (field != NULL && field[0] != '\0') { if (field != NULL && field[0] != '\0') {
xiosetenv3("OPENSSL_X509", field, OBJ_nid2ln(nid), (const char *)text, 2, " // "); xiosetenv3("OPENSSL_X509", field, OBJ_nid2ln(nid), (const char *)text, 2, " // ");
@ -1306,7 +1331,7 @@ static bool openssl_check_peername(X509_NAME *name, const char *peername) {
int ind = -1; int ind = -1;
X509_NAME_ENTRY *entry; X509_NAME_ENTRY *entry;
ASN1_STRING *data; ASN1_STRING *data;
unsigned char *text; const unsigned char *text;
ind = X509_NAME_get_index_by_NID(name, NID_commonName, -1); ind = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
if (ind < 0) { if (ind < 0) {
Info("no COMMONNAME field in peer certificate"); Info("no COMMONNAME field in peer certificate");
@ -1314,7 +1339,11 @@ static bool openssl_check_peername(X509_NAME *name, const char *peername) {
} }
entry = X509_NAME_get_entry(name, ind); entry = X509_NAME_get_entry(name, ind);
data = X509_NAME_ENTRY_get_data(entry); data = X509_NAME_ENTRY_get_data(entry);
#if HAVE_ASN1_STRING_get0_data
text = ASN1_STRING_get0_data(data);
#else
text = ASN1_STRING_data(data); text = ASN1_STRING_data(data);
#endif
return openssl_check_name((const char *)text, peername); return openssl_check_name((const char *)text, peername);
} }