Disable option openssl-method

2024-12-22 15:32:35 +00:00 · 2019-02-10 13:16:42 +01:00 · 2019-02-10 13:16:42 +01:00 · 14f3e4fed8
commit 14f3e4fed8
parent 181228cf53
8 changed files with 56 additions and 12 deletions
--- a/6
+++ b/6
@ -55,6 +55,12 @@ corrections:
 	TCP6:127.0.0.1:80
 	Thanks to Nicolas Fournil for reporting this issue.

+porting:
+	OpenSSL functions TLS1_client_method() and similar are 
+	deprecated. Socat now uses recommended TLS_client_method(). The old
+	functions and dependend option openssl-method can still be
+	used when configuring socat with --enable-openssl-method
+
 testing:
 	test.sh: Show a warning when phase-1 (insecure phase) of a security
 	test fails
--- a/config.h.in
+++ b/config.h.in
@ -433,6 +433,10 @@
 /* Define if you have the HAVE_SSL_CTX_set_default_verify_paths function */
 #undef HAVE_SSL_CTX_set_default_verify_paths

+/* Define if you have the TLS client and server method functions. not in old openssl? */
+#undef HAVE_TLS_client_method
+#undef HAVE_TLS_server_method
+
 /* Define if you have the SSLv3 client and server method functions. not in new openssl */
 #undef HAVE_SSLv3_client_method
 #undef HAVE_SSLv3_server_method
@ -625,6 +629,7 @@
 #undef WITH_PTY
 #undef WITH_EXT2
 #undef WITH_OPENSSL
+#undef WITH_OPENSSL_METHOD
 #define WITH_STREAMS 1
 #undef WITH_FIPS
 #undef OPENSSL_FIPS
--- a/configure.in
+++ b/configure.in
@ -568,6 +568,16 @@ if test -n "$WITH_OPENSSL"; then
  fi
 fi

+if test -n "$WITH_OPENSSL"; then
+AC_MSG_CHECKING(whether to include OpenSSL method option)
+AC_ARG_ENABLE(openssl-method, [  --enable-openssl-method       enable OpenSSL method option],
+	      [case "$enableval" in
+	       no) AC_MSG_RESULT(no);;
+	       *) AC_DEFINE(WITH_OPENSSL_METHOD) WITH_OPENSSL_METHOD=1; AC_MSG_RESULT(yes);;
+	       esac],
+	       [AC_MSG_RESULT(no)])
+fi
+
 # check for fips support
 AC_MSG_CHECKING(whether to include openssl fips support)
 AC_ARG_ENABLE(fips, [  --enable-fips          enable OpenSSL FIPS support],
@ -1425,6 +1435,9 @@ AC_CHECK_FUNC(SSLv2_server_method, AC_DEFINE(HAVE_SSLv2_server_method), AC_CHECK
 dnl 
 AC_CHECK_FUNC(SSL_CTX_set_default_verify_paths, AC_DEFINE(HAVE_SSL_CTX_set_default_verify_paths))

+AC_CHECK_FUNC(TLS_client_method, AC_DEFINE(HAVE_TLS_client_method), AC_CHECK_LIB(crypt, TLS_client_method, [LIBS=-lcrypt $LIBS]))
+AC_CHECK_FUNC(TLS_server_method, AC_DEFINE(HAVE_TLS_server_method), AC_CHECK_LIB(crypt, TLS_server_method, [LIBS=-lcrypt $LIBS]))
+if test -n "$WITH_OPENSSL_METHOD"; then
 AC_CHECK_FUNC(SSLv3_client_method, AC_DEFINE(HAVE_SSLv3_client_method), AC_CHECK_LIB(crypt, SSLv3_client_method, [LIBS=-lcrypt $LIBS]))
 AC_CHECK_FUNC(SSLv3_server_method, AC_DEFINE(HAVE_SSLv3_server_method), AC_CHECK_LIB(crypt, SSLv3_server_method, [LIBS=-lcrypt $LIBS]))
 AC_CHECK_FUNC(SSLv23_client_method, AC_DEFINE(HAVE_SSLv23_client_method), AC_CHECK_LIB(crypt, SSLv23_client_method, [LIBS=-lcrypt $LIBS]))
@ -1437,6 +1450,7 @@ AC_CHECK_FUNC(TLSv1_2_client_method, AC_DEFINE(HAVE_TLSv1_2_client_method), AC_C
 AC_CHECK_FUNC(TLSv1_2_server_method, AC_DEFINE(HAVE_TLSv1_2_server_method), AC_CHECK_LIB(crypt, TLSv1_2_server_method, [LIBS=-lcrypt $LIBS]))
 AC_CHECK_FUNC(DTLSv1_client_method, AC_DEFINE(HAVE_DTLSv1_client_method), AC_CHECK_LIB(crypt, DTLSv1_client_method, [LIBS=-lcrypt $LIBS]))
 AC_CHECK_FUNC(DTLSv1_server_method, AC_DEFINE(HAVE_DTLSv1_server_method), AC_CHECK_LIB(crypt, DTLSv1_server_method, [LIBS=-lcrypt $LIBS]))
+fi # $WITH_OPENSSL_METHOD
 AC_CHECK_FUNC(RAND_egd, AC_DEFINE(HAVE_RAND_egd), AC_CHECK_LIB(crypt, RAND_egd, [LIBS=-lcrypt $LIBS]))
 AC_CHECK_FUNC(DH_set0_pqg, AC_DEFINE(HAVE_DH_set0_pqg), AC_CHECK_LIB(crypt, DH_set0_pqg, [LIBS=-lcrypt $LIBS]))
 AC_CHECK_FUNC(ASN1_STRING_get0_data, AC_DEFINE(HAVE_ASN1_STRING_get0_data), AC_CHECK_LIB(crypt, ASN1_STRING_get0_data, [LIBS=-lcrypt $LIBS]))
--- a/doc/socat.yo
+++ b/doc/socat.yo
@ -506,7 +506,6 @@ label(ADDRESS_OPENSSL_CONNECT)dit(bf(tt(OPENSSL:<host>:<port>)))
   Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(IP6)(GROUP_IP6),link(TCP)(GROUP_TCP),link(OPENSSL)(GROUP_OPENSSL),link(RETRY)(GROUP_RETRY) nl()
   Useful options:
   link(cipher)(OPTION_OPENSSL_CIPHERLIST),
-   link(method)(OPTION_OPENSSL_METHOD),
   link(verify)(OPTION_OPENSSL_VERIFY),
   link(commonname)(OPTION_OPENSSL_COMMONNAME)
   link(cafile)(OPTION_OPENSSL_CAFILE),
@ -535,7 +534,6 @@ label(ADDRESS_OPENSSL_LISTEN)dit(bf(tt(OPENSSL-LISTEN:<port>)))
   Useful options:
   link(pf)(OPTION_PROTOCOL_FAMILY),
   link(cipher)(OPTION_OPENSSL_CIPHERLIST),
-   link(method)(OPTION_OPENSSL_METHOD),
   link(verify)(OPTION_OPENSSL_VERIFY),
   link(commonname)(OPTION_OPENSSL_COMMONNAME)
   link(cafile)(OPTION_OPENSSL_CAFILE),
@ -2633,17 +2631,19 @@ label(OPTION_OPENSSL_CIPHERLIST)dit(bf(tt(cipher=<cipherlist>)))
   Note that the peer must support the selected property, or the negotiation
   will fail.
 label(OPTION_OPENSSL_METHOD)dit(bf(tt(method=<ssl-method>)))
+   This option is based on deprecated functions and is only available when
+   socat() was build with option tt(--with-openssl-method).
   Sets the protocol version to be used. Valid strings (not case sensitive)
   are:  
   startdit()
   dit(tt(SSL2)) Select SSL protocol version 2.
   dit(tt(SSL3)) Select SSL protocol version 3.
-   dit(tt(SSL23)) Select the best available SSL or TLS protocol. This is the default when
-   this option is not provided.
+   dit(tt(SSL23)) Select the best available SSL or TLS protocol.
   dit(tt(TLS1)) Select TLS protocol version 1.
   dit(tt(TLS1.1)) Select TLS protocol version 1.1.
   dit(tt(TLS1.2)) Select TLS protocol version 1.2.
-   dit(tt(DTLS1)) Select DTLS protocol version 1.
+   When this option is not provided OpenSSL negotiates the mothod with its
+   peer.
   enddit()
 label(OPTION_OPENSSL_VERIFY)dit(bf(tt(verify=<bool>)))
   Controls check of the peer's certificate. Default is 1 (true). Disabling
--- a/sslcls.c
+++ b/sslcls.c
@ -91,6 +91,7 @@ const SSL_METHOD *sycSSLv23_server_method(void) {
   return result;
 }

+#if HAVE_TLSv1_client_method
 const SSL_METHOD *sycTLSv1_client_method(void) {
   const SSL_METHOD *result;
   Debug("TLSv1_client_method()");
@ -98,7 +99,9 @@ const SSL_METHOD *sycTLSv1_client_method(void) {
   Debug1("TLSv1_client_method() -> %p", result);
   return result;
 }
+#endif

+#if HAVE_TLSv1_server_method
 const SSL_METHOD *sycTLSv1_server_method(void) {
   const SSL_METHOD *result;
   Debug("TLSv1_server_method()");
@ -106,6 +109,7 @@ const SSL_METHOD *sycTLSv1_server_method(void) {
   Debug1("TLSv1_server_method() -> %p", result);
   return result;
 }
+#endif

 #if HAVE_TLSv1_1_client_method
 const SSL_METHOD *sycTLSv1_1_client_method(void) {
--- a/test.sh
+++ b/test.sh
@ -12411,14 +12411,17 @@ if ! eval $NUMCOND; then :;
 elif ! testaddrs openssl >/dev/null; then
    $PRINTF "test $F_n $TEST... ${YELLOW}OPENSSL not available${NORMAL}\n" $N
    numCANT=$((numCANT+1))
+elif ! socat -hhh |grep -q "^[[:space:]]*openssl-method[[:space:]]"; then
+    $PRINTF "test $F_n $TEST... ${YELLOW}Option openssl-method not available${NORMAL}\n" $N
+    numCANT=$((numCANT+1))
 else
 gentestcert testsrv
 tf="$td/test$N.stdout"
 te="$td/test$N.stderr"
 tdiff="$td/test$N.diff"
 da="test$N $(date) $RANDOM"
-CMD0="$SOCAT $opts OPENSSL-LISTEN:$PORT,reuseaddr,method=$method,cert=testsrv.pem,verify=0 PIPE"
-CMD1="$SOCAT $opts - OPENSSL-CONNECT:$LOCALHOST:$PORT,method=$method,verify=0"
+CMD0="$SOCAT $opts OPENSSL-LISTEN:$PORT,reuseaddr,openssl-method=$method,cert=testsrv.pem,verify=0 PIPE"
+CMD1="$SOCAT $opts - OPENSSL-CONNECT:$LOCALHOST:$PORT,opensslmethod=$method,verify=0"
 printf "test $F_n $TEST... " $N
 if [ "$method" = DTLS1 -a "$(echo -e "$OPENSSL_VERSION\n1.0.2" |sort -V |tail -n 1)" = "$OPENSSL_VERSION_GOOD" ]; then
    $PRINTF "${YELLOW}might hang, skipping${NORMAL}\n"
@ -12468,14 +12471,17 @@ if ! eval $NUMCOND; then :;
 elif ! testaddrs openssl >/dev/null; then
    $PRINTF "test $F_n $TEST... ${YELLOW}OPENSSL not available${NORMAL}\n" $N
    numCANT=$((numCANT+1))
+elif ! socat -hhh |grep -q "^[[:space:]]*openssl-method[[:space:]]"; then
+    $PRINTF "test $F_n $TEST... ${YELLOW}Option openssl-method not available${NORMAL}\n" $N
+    numCANT=$((numCANT+1))
 else
 gentestcert testsrv
 tf="$td/test$N.stdout"
 te="$td/test$N.stderr"
 tdiff="$td/test$N.diff"
 da="test$N $(date) $RANDOM"
-CMD0="$SOCAT $opts OPENSSL-LISTEN:$PORT,reuseaddr,method=$method,cert=testsrv.pem,verify=0 PIPE"
-CMD1="$SOCAT $opts - OPENSSL-CONNECT:$LOCALHOST:$PORT,method=$method,verify=0"
+CMD0="$SOCAT $opts OPENSSL-LISTEN:$PORT,reuseaddr,openssl-method=$method,cert=testsrv.pem,verify=0 PIPE"
+CMD1="$SOCAT $opts - OPENSSL-CONNECT:$LOCALHOST:$PORT,openssl-method=$method,verify=0"
 printf "test $F_n $TEST... " $N
 if [ "$method" = DTLS1 -a "$(echo -e "$OPENSSL_VERSION\n1.0.2" |sort -V |tail -n 1)" = "$OPENSSL_VERSION_GOOD" ]; then
    $PRINTF "${YELLOW}might hang, skipping${NORMAL}\n"
--- a/xio-openssl.c
+++ b/xio-openssl.c
@ -101,7 +101,9 @@ const struct addrdesc addr_openssl_listen = {

 /* both client and server */
 const struct optdesc opt_openssl_cipherlist = { "openssl-cipherlist", "ciphers", OPT_OPENSSL_CIPHERLIST, GROUP_OPENSSL, PH_SPEC, TYPE_STRING, OFUNC_SPEC };
+#if WITH_OPENSSL_METHOD
 const struct optdesc opt_openssl_method     = { "openssl-method",     "method",  OPT_OPENSSL_METHOD,     GROUP_OPENSSL, PH_SPEC, TYPE_STRING, OFUNC_SPEC };
+#endif
 const struct optdesc opt_openssl_verify     = { "openssl-verify",     "verify",  OPT_OPENSSL_VERIFY,     GROUP_OPENSSL, PH_SPEC, TYPE_BOOL,   OFUNC_SPEC };
 const struct optdesc opt_openssl_certificate = { "openssl-certificate", "cert",  OPT_OPENSSL_CERTIFICATE, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
 const struct optdesc opt_openssl_key         = { "openssl-key",         "key",   OPT_OPENSSL_KEY,         GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
@ -806,7 +808,9 @@ int
 	    Error1("openssl-method=\"%s\": method unknown or not provided by library", me_str);
 	 }
      } else {
-#if   HAVE_SSLv23_client_method
+#if   HAVE_TLS_client_method
+	 method = TLS_client_method();
+#elif HAVE_SSLv23_client_method
 	 method = sycSSLv23_client_method();
 #elif HAVE_TLSv1_2_client_method
 	 method = sycTLSv1_2_client_method();
@ -826,7 +830,6 @@ int
      if (me_str != 0) {
 	 if (false) {
 	    ;	/* for canonical reasons */
-
 #if HAVE_SSLv2_server_method
 	 } else if (!strcasecmp(me_str, "SSL2")) {
 	    method = sycSSLv2_server_method();
@ -859,7 +862,9 @@ int
 	    Error1("openssl-method=\"%s\": method unknown or not provided by library", me_str);
 	 }
      } else {
-#if   HAVE_SSLv23_server_method
+#if   HAVE_TLS_server_method
+	 method = TLS_server_method();
+#elif HAVE_SSLv23_server_method
 	 method = sycSSLv23_server_method();
 #elif HAVE_TLSv1_2_server_method
 	 method = sycTLSv1_2_server_method();
--- a/xioopts.c
+++ b/xioopts.c
@ -879,7 +879,9 @@ const struct optname optionnames[] = {
 #ifdef IP_ADD_MEMBERSHIP
 	IF_IP     ("membership",	&opt_ip_add_membership)
 #endif
+#if WITH_OPENSSL_METHOD
 	IF_OPENSSL("method",	&opt_openssl_method)
+#endif
 	IF_TERMIOS("min",	&opt_vmin)
 	IF_ANY    ("mode",	&opt_perm)
 #ifdef TCP_MAXSEG
@ -1109,7 +1111,9 @@ const struct optname optionnames[] = {
 	IF_OPENSSL("openssl-fips",	&opt_openssl_fips)
 #endif
 	IF_OPENSSL("openssl-key",	&opt_openssl_key)
+#if WITH_OPENSSL_METHOD
 	IF_OPENSSL("openssl-method",	&opt_openssl_method)
+#endif
 	IF_OPENSSL("openssl-pseudo",	&opt_openssl_pseudo)
 	IF_OPENSSL("openssl-verify",	&opt_openssl_verify)
 	IF_TERMIOS("opost",	&opt_opost)