From 14f3e4fed8f258c579eb1e51adfa3cd3080a5bcb Mon Sep 17 00:00:00 2001
From: Gerhard Rieger
Date: Sun, 10 Feb 2019 13:16:42 +0100
Subject: [PATCH] Disable option openssl-method

---
 CHANGES | 6 ++++++
 config.h.in | 5 +++++
 configure.in | 14 ++++++++++++++
 doc/socat.yo | 10 +++++-----
 sslcls.c | 4 ++++
 test.sh | 14 ++++++++++----
 xio-openssl.c | 11 ++++++++---
 xioopts.c | 4 ++++
 8 files changed, 56 insertions(+), 12 deletions(-)

diff --git a/CHANGES b/CHANGES
index 44215e4..de9ddb6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -55,6 +55,12 @@ corrections:
 TCP6:127.0.0.1:80 Thanks to Nicolas Fournil for reporting this issue.
+porting:
+ OpenSSL functions TLS1_client_method() and similar are
+ deprecated. Socat now uses recommended TLS_client_method(). The old
+ functions and dependend option openssl-method can still be
+ used when configuring socat with --enable-openssl-method
+
 testing: test.sh: Show a warning when phase-1 (insecure phase) of a security test fails
diff --git a/config.h.in b/config.h.in
index 60cd280..6b22502 100644
--- a/config.h.in
+++ b/config.h.in
@@ -433,6 +433,10 @@
 /* Define if you have the HAVE_SSL_CTX_set_default_verify_paths function */
 #undef HAVE_SSL_CTX_set_default_verify_paths
+/* Define if you have the TLS client and server method functions. not in old openssl? */
+#undef HAVE_TLS_client_method
+#undef HAVE_TLS_server_method
+
 /* Define if you have the SSLv3 client and server method functions. not in new openssl */
 #undef HAVE_SSLv3_client_method
 #undef HAVE_SSLv3_server_method
@@ -625,6 +629,7 @@
 #undef WITH_PTY
 #undef WITH_EXT2
 #undef WITH_OPENSSL
+#undef WITH_OPENSSL_METHOD
 #define WITH_STREAMS 1
 #undef WITH_FIPS
 #undef OPENSSL_FIPS
diff --git a/configure.in b/configure.in
index fba0957..df8079a 100644
--- a/configure.in
+++ b/configure.in
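Review bot: The comment added above the new `HAVE_TLS_client_method`/`HAVE_TLS_server_method` entries ends in a question mark (`not in old openssl?`), which leaves the next reader guessing which libraries provide these functions; `TLS_client_method()` and `TLS_server_method()` were introduced in OpenSSL 1.1.0, so the comment can say so. Suggested: `/* Define if you have the TLS_client_method/TLS_server_method functions (OpenSSL 1.1.0 and later) */`. These are the macros the new `#if HAVE_TLS_client_method` default chain in xio-openssl.c keys on, so recording the version boundary here documents which libraries end up on the legacy branches.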
@@ -568,6 +568,16 @@ if test -n "$WITH_OPENSSL"; then
 fi
 fi
+if test -n "$WITH_OPENSSL"; then
+AC_MSG_CHECKING(whether to include OpenSSL method option)
+AC_ARG_ENABLE(openssl-method, [ --enable-openssl-method enable OpenSSL method option],
+ [case "$enableval" in
+ no) AC_MSG_RESULT(no);;
+ *) AC_DEFINE(WITH_OPENSSL_METHOD) WITH_OPENSSL_METHOD=1; AC_MSG_RESULT(yes);;
+ esac],
+ [AC_MSG_RESULT(no)])
+fi
+
 # check for fips support
 AC_MSG_CHECKING(whether to include openssl fips support)
 AC_ARG_ENABLE(fips, [ --enable-fips enable OpenSSL FIPS support],
@@ -1425,6 +1435,9 @@ AC_CHECK_FUNC(SSLv2_server_method, AC_DEFINE(HAVE_SSLv2_server_method), AC_CHECK
 dnl AC_CHECK_FUNC(SSL_CTX_set_default_verify_paths, AC_DEFINE(HAVE_SSL_CTX_set_default_verify_paths))
+AC_CHECK_FUNC(TLS_client_method, AC_DEFINE(HAVE_TLS_client_method), AC_CHECK_LIB(crypt, TLS_client_method, [LIBS=-lcrypt $LIBS]))
+AC_CHECK_FUNC(TLS_server_method, AC_DEFINE(HAVE_TLS_server_method), AC_CHECK_LIB(crypt, TLS_server_method, [LIBS=-lcrypt $LIBS]))
+if test -n "$WITH_OPENSSL_METHOD"; then
 AC_CHECK_FUNC(SSLv3_client_method, AC_DEFINE(HAVE_SSLv3_client_method), AC_CHECK_LIB(crypt, SSLv3_client_method, [LIBS=-lcrypt $LIBS]))
 AC_CHECK_FUNC(SSLv3_server_method, AC_DEFINE(HAVE_SSLv3_server_method), AC_CHECK_LIB(crypt, SSLv3_server_method, [LIBS=-lcrypt $LIBS]))
 AC_CHECK_FUNC(SSLv23_client_method, AC_DEFINE(HAVE_SSLv23_client_method), AC_CHECK_LIB(crypt, SSLv23_client_method, [LIBS=-lcrypt $LIBS]))
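Review bot: The switch is declared here as `--enable-openssl-method` (AC_ARG_ENABLE), but the doc/socat.yo hunk in this same patch tells users the option is only available when socat was built with `--with-openssl-method`, which this configure script does not accept; since CHANGES also says `--enable-openssl-method`, the yo sentence should read `socat() was built with option tt(--enable-openssl-method).` (that sentence also has `build` for `built`, and the new paragraph below it has `mothod` for `method`). The help column would also benefit from stating why the option is off by default, e.g. `enable OpenSSL method option (uses deprecated OpenSSL functions)`, so that `./configure --help` tells the same story as the CHANGES entry.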
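Review bot: Moving the SSLv3/SSLv23/TLSv1_x probes under `if test -n "$WITH_OPENSSL_METHOD"` takes away the macros that the new default path in xio-openssl.c falls back on: its chain is `#if HAVE_TLS_client_method` … `#elif HAVE_SSLv23_client_method` … `#elif HAVE_TLSv1_2_client_method` (and the same on the server side), so a default build against an OpenSSL that lacks `TLS_client_method()` (releases before 1.1.0) has none of those defined and ends in whatever the final branch of that chain is, which lies outside the hunks shown. The `TLS_*_method` checks are rightly unconditional; the `SSLv23_client_method`/`SSLv23_server_method` checks should stay unconditional as well, i.e. place `if test -n "$WITH_OPENSSL_METHOD"; then` after them rather than before the SSLv3 lines, so the fallback survives when the option is disabled. This hunk appears to have lost some of its trailing context lines in this rendering, so the exact position of the SSLv23 server check cannot be confirmed here.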
@@ -1437,6 +1450,7 @@ AC_CHECK_FUNC(TLSv1_2_client_method, AC_DEFINE(HAVE_TLSv1_2_client_method), AC_C
 AC_CHECK_FUNC(TLSv1_2_server_method, AC_DEFINE(HAVE_TLSv1_2_server_method), AC_CHECK_LIB(crypt, TLSv1_2_server_method, [LIBS=-lcrypt $LIBS]))
 AC_CHECK_FUNC(DTLSv1_client_method, AC_DEFINE(HAVE_DTLSv1_client_method), AC_CHECK_LIB(crypt, DTLSv1_client_method, [LIBS=-lcrypt $LIBS]))
 AC_CHECK_FUNC(DTLSv1_server_method, AC_DEFINE(HAVE_DTLSv1_server_method), AC_CHECK_LIB(crypt, DTLSv1_server_method, [LIBS=-lcrypt $LIBS]))
+fi # $WITH_OPENSSL_METHOD
 AC_CHECK_FUNC(RAND_egd, AC_DEFINE(HAVE_RAND_egd), AC_CHECK_LIB(crypt, RAND_egd, [LIBS=-lcrypt $LIBS]))
 AC_CHECK_FUNC(DH_set0_pqg, AC_DEFINE(HAVE_DH_set0_pqg), AC_CHECK_LIB(crypt, DH_set0_pqg, [LIBS=-lcrypt $LIBS]))
 AC_CHECK_FUNC(ASN1_STRING_get0_data, AC_DEFINE(HAVE_ASN1_STRING_get0_data), AC_CHECK_LIB(crypt, ASN1_STRING_get0_data, [LIBS=-lcrypt $LIBS]))
diff --git a/doc/socat.yo b/doc/socat.yo
index 2839887..7c6edf5 100644
--- a/doc/socat.yo
+++ b/doc/socat.yo
@@ -506,7 +506,6 @@ label(ADDRESS_OPENSSL_CONNECT)dit(bf(tt(OPENSSL::)))
 Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(IP6)(GROUP_IP6),link(TCP)(GROUP_TCP),link(OPENSSL)(GROUP_OPENSSL),link(RETRY)(GROUP_RETRY) nl() Useful options: link(cipher)(OPTION_OPENSSL_CIPHERLIST),
- link(method)(OPTION_OPENSSL_METHOD),
 link(verify)(OPTION_OPENSSL_VERIFY), link(commonname)(OPTION_OPENSSL_COMMONNAME) link(cafile)(OPTION_OPENSSL_CAFILE),
@@ -535,7 +534,6 @@ label(ADDRESS_OPENSSL_LISTEN)dit(bf(tt(OPENSSL-LISTEN:)))
 Useful options: link(pf)(OPTION_PROTOCOL_FAMILY), link(cipher)(OPTION_OPENSSL_CIPHERLIST),
- link(method)(OPTION_OPENSSL_METHOD),
 link(verify)(OPTION_OPENSSL_VERIFY), link(commonname)(OPTION_OPENSSL_COMMONNAME) link(cafile)(OPTION_OPENSSL_CAFILE),
@@ -2633,17 +2631,19 @@ label(OPTION_OPENSSL_CIPHERLIST)dit(bf(tt(cipher=)))
 Note that the peer must support the selected property, or the negotiation will fail. label(OPTION_OPENSSL_METHOD)dit(bf(tt(method=)))
+ This option is based on deprecated functions and is only available when
+ socat() was build with option tt(--with-openssl-method).
 Sets the protocol version to be used. Valid strings (not case sensitive) are: startdit() dit(tt(SSL2)) Select SSL protocol version 2. dit(tt(SSL3)) Select SSL protocol version 3.
- dit(tt(SSL23)) Select the best available SSL or TLS protocol. This is the default when
- this option is not provided.
+ dit(tt(SSL23)) Select the best available SSL or TLS protocol.
 dit(tt(TLS1)) Select TLS protocol version 1. dit(tt(TLS1.1)) Select TLS protocol version 1.1. dit(tt(TLS1.2)) Select TLS protocol version 1.2.
- dit(tt(DTLS1)) Select DTLS protocol version 1.
+ When this option is not provided OpenSSL negotiates the mothod with its
+ peer.
 enddit() label(OPTION_OPENSSL_VERIFY)dit(bf(tt(verify=))) Controls check of the peer's certificate. Default is 1 (true). Disabling
diff --git a/sslcls.c b/sslcls.c
index 8964663..f9ce389 100644
--- a/sslcls.c
+++ b/sslcls.c
@@ -91,6 +91,7 @@ const SSL_METHOD *sycSSLv23_server_method(void) {
 return result;
 }
+#if HAVE_TLSv1_client_method
 const SSL_METHOD *sycTLSv1_client_method(void) {
 const SSL_METHOD *result;
 Debug("TLSv1_client_method()");
@@ -98,7 +99,9 @@ const SSL_METHOD *sycTLSv1_client_method(void) {
 Debug1("TLSv1_client_method() -> %p", result);
 return result;
 }
+#endif
+#if HAVE_TLSv1_server_method
 const SSL_METHOD *sycTLSv1_server_method(void) {
 const SSL_METHOD *result;
 Debug("TLSv1_server_method()");
@@ -106,6 +109,7 @@ const SSL_METHOD *sycTLSv1_server_method(void) {
 Debug1("TLSv1_server_method() -> %p", result);
 return result;
 }
+#endif
 #if HAVE_TLSv1_1_client_method
 const SSL_METHOD *sycTLSv1_1_client_method(void) {
diff --git a/test.sh b/test.sh
index a41c61c..e9a77d3 100755
--- a/test.sh
+++ b/test.sh
@@ -12411,14 +12411,17 @@ if ! eval $NUMCOND; then :;
 elif ! testaddrs openssl >/dev/null; then
 $PRINTF "test $F_n $TEST... ${YELLOW}OPENSSL not available${NORMAL}\n" $N
 numCANT=$((numCANT+1))
+elif ! socat -hhh |grep -q "^[[:space:]]*openssl-method[[:space:]]"; then
+ $PRINTF "test $F_n $TEST... ${YELLOW}Option openssl-method not available${NORMAL}\n" $N
+ numCANT=$((numCANT+1))
 else
 gentestcert testsrv
 tf="$td/test$N.stdout"
 te="$td/test$N.stderr"
 tdiff="$td/test$N.diff"
 da="test$N $(date) $RANDOM"
-CMD0="$SOCAT $opts OPENSSL-LISTEN:$PORT,reuseaddr,method=$method,cert=testsrv.pem,verify=0 PIPE"
-CMD1="$SOCAT $opts - OPENSSL-CONNECT:$LOCALHOST:$PORT,method=$method,verify=0"
+CMD0="$SOCAT $opts OPENSSL-LISTEN:$PORT,reuseaddr,openssl-method=$method,cert=testsrv.pem,verify=0 PIPE"
+CMD1="$SOCAT $opts - OPENSSL-CONNECT:$LOCALHOST:$PORT,opensslmethod=$method,verify=0"
 printf "test $F_n $TEST... " $N
 if [ "$method" = DTLS1 -a "$(echo -e "$OPENSSL_VERSION\n1.0.2" |sort -V |tail -n 1)" = "$OPENSSL_VERSION_GOOD" ]; then
 $PRINTF "${YELLOW}might hang, skipping${NORMAL}\n"
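Review bot: The new availability check runs `socat -hhh`, i.e. whichever socat is first on PATH, while the commands under test are built from `$SOCAT` (`CMD0="$SOCAT ..."`), so on a host with a differently built socat installed the test is skipped or run based on the wrong binary; it should be `elif ! $SOCAT -hhh |grep -q "^[[:space:]]*openssl-method[[:space:]]"; then`, here and in the second test.sh hunk. Separately, `CMD1` in this hunk spells the option `opensslmethod=$method`, whereas `CMD0` and both command lines of the second hunk use `openssl-method=`; unless option-name lookup ignores hyphens, this client side will be rejected as an unknown option, so it should read `openssl-method=$method` like the others.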
@@ -12468,14 +12471,17 @@ if ! eval $NUMCOND; then :;
 elif ! testaddrs openssl >/dev/null; then
 $PRINTF "test $F_n $TEST... ${YELLOW}OPENSSL not available${NORMAL}\n" $N
 numCANT=$((numCANT+1))
+elif ! socat -hhh |grep -q "^[[:space:]]*openssl-method[[:space:]]"; then
+ $PRINTF "test $F_n $TEST... ${YELLOW}Option openssl-method not available${NORMAL}\n" $N
+ numCANT=$((numCANT+1))
 else
 gentestcert testsrv
 tf="$td/test$N.stdout"
 te="$td/test$N.stderr"
 tdiff="$td/test$N.diff"
 da="test$N $(date) $RANDOM"
-CMD0="$SOCAT $opts OPENSSL-LISTEN:$PORT,reuseaddr,method=$method,cert=testsrv.pem,verify=0 PIPE"
-CMD1="$SOCAT $opts - OPENSSL-CONNECT:$LOCALHOST:$PORT,method=$method,verify=0"
+CMD0="$SOCAT $opts OPENSSL-LISTEN:$PORT,reuseaddr,openssl-method=$method,cert=testsrv.pem,verify=0 PIPE"
+CMD1="$SOCAT $opts - OPENSSL-CONNECT:$LOCALHOST:$PORT,openssl-method=$method,verify=0"
 printf "test $F_n $TEST... " $N
 if [ "$method" = DTLS1 -a "$(echo -e "$OPENSSL_VERSION\n1.0.2" |sort -V |tail -n 1)" = "$OPENSSL_VERSION_GOOD" ]; then
 $PRINTF "${YELLOW}might hang, skipping${NORMAL}\n"
diff --git a/xio-openssl.c b/xio-openssl.c
index e931983..c9ec557 100644
--- a/xio-openssl.c
+++ b/xio-openssl.c
@@ -101,7 +101,9 @@ const struct addrdesc addr_openssl_listen = {
 /* both client and server */
 const struct optdesc opt_openssl_cipherlist = { "openssl-cipherlist", "ciphers", OPT_OPENSSL_CIPHERLIST, GROUP_OPENSSL, PH_SPEC, TYPE_STRING, OFUNC_SPEC };
+#if WITH_OPENSSL_METHOD
 const struct optdesc opt_openssl_method = { "openssl-method", "method", OPT_OPENSSL_METHOD, GROUP_OPENSSL, PH_SPEC, TYPE_STRING, OFUNC_SPEC };
+#endif
 const struct optdesc opt_openssl_verify = { "openssl-verify", "verify", OPT_OPENSSL_VERIFY, GROUP_OPENSSL, PH_SPEC, TYPE_BOOL, OFUNC_SPEC };
 const struct optdesc opt_openssl_certificate = { "openssl-certificate", "cert", OPT_OPENSSL_CERTIFICATE, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
 const struct optdesc opt_openssl_key = { "openssl-key", "key", OPT_OPENSSL_KEY, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
@@ -806,7 +808,9 @@ int
 Error1("openssl-method=\"%s\": method unknown or not provided by library", me_str);
 }
 } else {
-#if HAVE_SSLv23_client_method
+#if HAVE_TLS_client_method
+ method = TLS_client_method();
+#elif HAVE_SSLv23_client_method
 method = sycSSLv23_client_method();
 #elif HAVE_TLSv1_2_client_method
 method = sycTLSv1_2_client_method();
@@ -826,7 +830,6 @@ int
 if (me_str != 0) {
 if (false) {
 ; /* for canonical reasons */
-
 #if HAVE_SSLv2_server_method
 } else if (!strcasecmp(me_str, "SSL2")) {
 method = sycSSLv2_server_method();
@@ -859,7 +862,9 @@ int
 Error1("openssl-method=\"%s\": method unknown or not provided by library", me_str);
 }
 } else {
-#if HAVE_SSLv23_server_method
+#if HAVE_TLS_server_method
+ method = TLS_server_method();
+#elif HAVE_SSLv23_server_method
 method = sycSSLv23_server_method();
 #elif HAVE_TLSv1_2_server_method
 method = sycTLSv1_2_server_method();
diff --git a/xioopts.c b/xioopts.c
index 2194d9d..47ba047 100644
--- a/xioopts.c
+++ b/xioopts.c
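Review bot: `method = TLS_client_method();` calls the OpenSSL function directly, while every neighbouring branch goes through the `syc*` wrappers from sslcls.c (`sycSSLv23_client_method()`, `sycTLSv1_2_client_method()`), which emit the `Debug(...)`/`Debug1(... -> %p, result)` trace of the call and its result, so the new default path becomes the one branch that leaves no trace in debug output. Adding `sycTLS_client_method`/`sycTLS_server_method` wrappers to sslcls.c in the style of the existing ones, guarded by `HAVE_TLS_client_method`/`HAVE_TLS_server_method`, and calling them here and in the matching server hunk (`method = TLS_server_method();`) keeps the tracing uniform. Both enclosing functions start and end outside the hunks shown.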
@@ -879,7 +879,9 @@ const struct optname optionnames[] = {
 #ifdef IP_ADD_MEMBERSHIP
 IF_IP ("membership", &opt_ip_add_membership)
 #endif
+#if WITH_OPENSSL_METHOD
 IF_OPENSSL("method", &opt_openssl_method)
+#endif
 IF_TERMIOS("min", &opt_vmin)
 IF_ANY ("mode", &opt_perm)
 #ifdef TCP_MAXSEG
@@ -1109,7 +1111,9 @@ const struct optname optionnames[] = {
 IF_OPENSSL("openssl-fips", &opt_openssl_fips)
 #endif
 IF_OPENSSL("openssl-key", &opt_openssl_key)
+#if WITH_OPENSSL_METHOD
 IF_OPENSSL("openssl-method", &opt_openssl_method)
+#endif
 IF_OPENSSL("openssl-pseudo", &opt_openssl_pseudo)
 IF_OPENSSL("openssl-verify", &opt_openssl_verify)
 IF_TERMIOS("opost", &opt_opost)