From 4c9898446d431b2d01f6e86244b32bae7a9b4807 Mon Sep 17 00:00:00 2001 From: Gerhard Rieger Date: Sun, 4 Dec 2011 15:14:34 +0100 Subject: [PATCH] Ubuntu Oneiric: OpenSSL w/o SSLv2, bsd/libutil.h, unused vars --- CHANGES | 3 +++ config.h.in | 9 +++++++++ configure.in | 14 +++++++++----- fdname.c | 5 ++--- filan.c | 5 ++--- sslcls.c | 40 ++++++++++++++++++++++------------------ sslcls.h | 20 ++++++++++---------- sysincludes.h | 4 +++- test.sh | 15 +++++++++++++-- xio-exec.c | 8 +++----- xio-listen.c | 8 +------- xio-named.c | 6 +----- xio-openssl.c | 26 +++++++++++++++++++------- xio-socket.c | 4 ---- xio-udp.c | 2 -- xioopts.c | 3 +-- 16 files changed, 98 insertions(+), 74 deletions(-) diff --git a/CHANGES b/CHANGES index 840c177..a7726d4 100644 --- a/CHANGES +++ b/CHANGES @@ -98,6 +98,9 @@ porting: fixed sa_family_t compile error on DragonFly. Thanks to Tony Young for reporting this issue and sending a patch. + Ubuntu Oneiric: OpenSSL no longer provides SSLv2 functions; libutil.sh + is now bsd/libutil.h; compiler warns on vars that is only written to + new features: added option max-children that limits the number of concurrent child processes. Thanks to Sam Liddicott for providing the patch. diff --git a/config.h.in b/config.h.in index 62b947a..aff0ddf 100644 --- a/config.h.in +++ b/config.h.in @@ -263,6 +263,9 @@ /* Define if you have the header file. (NetBSD, OpenBSD: openpty()) */ #undef HAVE_UTIL_H +/* Define if you have the header file. */ +#undef HAVE_BSD_LIBUTIL_H + /* Define if you have the header file. (FreeBSD: openpty()) */ #undef HAVE_LIBUTIL_H @@ -382,6 +385,12 @@ /* Define if you have the unsetenv function. not on HP-UX */ #undef HAVE_UNSETENV +/* Define if you have the SSLv2_client_method function. not in new openssl */ +#undef HAVE_SSLv2_client_method + +/* Define if you have the SSLv2_server_method function. not in new openssl */ +#undef HAVE_SSLv2_server_method + /* Define if you have the flock function */ #undef HAVE_FLOCK 
diff --git a/configure.in b/configure.in index ba9fc73..45cb88a 100644 --- a/configure.in +++ b/configure.in @@ -77,7 +77,7 @@ AC_CHECK_HEADERS(termios.h linux/if_tun.h) AC_CHECK_HEADERS(net/if_dl.h) AC_CHECK_HEADERS(linux/types.h linux/errqueue.h) AC_CHECK_HEADERS(sys/utsname.h sys/select.h sys/file.h) -AC_CHECK_HEADERS(util.h libutil.h sys/stropts.h regex.h) +AC_CHECK_HEADERS(util.h bsd/libutil.h libutil.h sys/stropts.h regex.h) AC_CHECK_HEADERS(linux/fs.h linux/ext2_fs.h) dnl Checks for setgrent, getgrent and endgrent. @@ -537,12 +537,12 @@ fi # check for fips support AC_MSG_CHECKING(whether to include openssl fips support) -AC_ARG_ENABLE(fips, [ --disable-fips disable OpenSSL FIPS support], +AC_ARG_ENABLE(fips, [ --enable-fips enable OpenSSL FIPS support], [ case "$enableval" in - no) AC_MSG_RESULT(no); WITH_FIPS= ;; - *) AC_MSG_RESULT(yes); WITH_FIPS=1 ;; + yes) AC_MSG_RESULT(yes); WITH_FIPS=1 ;; + *) AC_MSG_RESULT(no); WITH_FIPS= ;; esac], - [ AC_MSG_RESULT(yes); WITH_FIPS=1 ]) + [ AC_MSG_RESULT(no); WITH_FIPS= ]) if test -n "$WITH_FIPS"; then if test -n "$WITH_OPENSSL"; then @@ -1274,6 +1274,10 @@ AC_CHECK_FUNC(setenv, AC_DEFINE(HAVE_SETENV), dnl Search for unsetenv() AC_CHECK_FUNC(unsetenv, AC_DEFINE(HAVE_UNSETENV)) +dnl Search for SSLv2_client_method, SSLv2_server_method +AC_CHECK_FUNC(SSLv3_client_method, AC_DEFINE(HAVE_SSLv3_client_method), AC_CHECK_LIB(crypt, SSLv3_client_method, [LIBS=-lcrypt $LIBS])) +AC_CHECK_FUNC(SSLv2_server_method, AC_DEFINE(HAVE_SSLv2_server_method), AC_CHECK_LIB(crypt, SSLv2_server_method, [LIBS=-lcrypt $LIBS])) + dnl Run time checks diff --git a/fdname.c b/fdname.c index bc15103..8542a2b 100644 --- a/fdname.c +++ b/fdname.c @@ -1,5 +1,5 @@ /* source: fdname.c */ -/* Copyright Gerhard Rieger 2003-2008 */ +/* Copyright Gerhard Rieger 2003-2011 */ /* Published under the GNU General Public License V.2, see file COPYING */ /* the subroutine sockname prints the basic info about the address of a socket 
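Review bot: The first new AC_CHECK_FUNC under `dnl Search for SSLv2_client_method, SSLv2_server_method` probes `SSLv3_client_method` and defines `HAVE_SSLv3_client_method`, but config.h.in, sslcls.c and xio-openssl.c all test `HAVE_SSLv2_client_method`, so the client-side SSLv2 wrapper is never compiled in and `openssl-method=SSLv2` on the client side always lands in the error branch. The line should read `AC_CHECK_FUNC(SSLv2_client_method, AC_DEFINE(HAVE_SSLv2_client_method), AC_CHECK_LIB(crypt, SSLv2_client_method, [LIBS=-lcrypt $LIBS]))`. Both fallbacks also name `crypt`, the Unix crypt(3) library, while the SSL method constructors live in OpenSSL's libssl, so presumably `ssl` was intended and the fallback as written cannot find them. Since SSLv2 is cryptographically broken and the newer library has dropped it, treating its absence as the normal case would be the simpler and safer configuration than probing for it.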
@@ -103,7 +103,6 @@ static int procgetfdname(int fd, char *filepath, size_t pathsize) { int statname(const char *file, int fd, int filetype, FILE *outfile) { char filepath[PATH_MAX]; - int result; filepath[0] = '\0'; #if HAVE_PROC_DIR_FD @@ -144,7 +143,7 @@ int statname(const char *file, int fd, int filetype, FILE *outfile) { case (S_IFSOCK>>12): /* 12, socket */ #if _WITH_SOCKET if (fd >= 0) { - result = sockname(fd, outfile); + sockname(fd, outfile); } else if (file) { fprintf(outfile, "socket %s", file); } else { diff --git a/filan.c b/filan.c index 0293aa2..634cd1a 100644 --- a/filan.c +++ b/filan.c @@ -215,7 +215,6 @@ int filan_stat( #endif /* !HAVE_STAT64 */ , int statfd, int dynfd, FILE *outfile) { char stdevstr[8]; - int result; /* print header */ if (!headprinted) { @@ -374,7 +373,7 @@ int filan_stat( case (S_IFIFO): /* 1, FIFO */ break; case (S_IFCHR): /* 2, character device */ - result = cdevan(statfd, outfile); + cdevan(statfd, outfile); break; case (S_IFDIR): /* 4, directory */ break; @@ -387,7 +386,7 @@ int filan_stat( #ifdef S_IFSOCK case (S_IFSOCK): /* 12, socket */ #if _WITH_SOCKET - result = sockan(statfd, outfile); + sockan(statfd, outfile); #else Warn("SOCKET support not compiled in"); return -1; diff --git a/sslcls.c b/sslcls.c index d6ae006..9fe7fb8 100644 --- a/sslcls.c +++ b/sslcls.c @@ -1,5 +1,5 @@ /* source: sslcls.c */ -/* Copyright Gerhard Rieger 2001-2010 */ +/* Copyright Gerhard Rieger 2001-2011 */ /* Published under the GNU General Public License V.2, see file COPYING */ /* explicit system call and C library trace function, for those who miss strace 
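Review bot: `sockname(fd, outfile);` in the S_IFSOCK case of statname now discards a return value that the removed `result` used to capture, and the filan.c hunks do the same for `cdevan` and `sockan` in filan_stat. If those functions signal failure through their return, the callers now continue silently; if the value is genuinely irrelevant, a `(void)sockname(fd, outfile);` cast records that decision and keeps the call quiet under warn-unused-result builds. Both enclosing functions extend past the hunks shown.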
@@ -35,71 +35,75 @@ int sycSSL_library_init(void) {
 return result;
 }
-SSL_METHOD *sycSSLv2_client_method(void) {
- SSL_METHOD *result;
+#if HAVE_SSLv2_client_method
+const SSL_METHOD *sycSSLv2_client_method(void) {
+ const SSL_METHOD *result;
 Debug("SSLv2_client_method()");
 result = SSLv2_client_method();
 Debug1("SSLv2_client_method() -> %p", result);
 return result;
 }
+#endif
-SSL_METHOD *sycSSLv2_server_method(void) {
- SSL_METHOD *result;
+#if HAVE_SSLv2_server_method
+const SSL_METHOD *sycSSLv2_server_method(void) {
+ const SSL_METHOD *result;
 Debug("SSLv2_server_method()");
 result = SSLv2_server_method();
 Debug1("SSLv2_server_method() -> %p", result);
 return result;
 }
+#endif
-SSL_METHOD *sycSSLv3_client_method(void) {
- SSL_METHOD *result;
+const SSL_METHOD *sycSSLv3_client_method(void) {
+ const SSL_METHOD *result;
 Debug("SSLv3_client_method()");
 result = SSLv3_client_method();
 Debug1("SSLv3_client_method() -> %p", result);
 return result;
 }
-SSL_METHOD *sycSSLv3_server_method(void) {
- SSL_METHOD *result;
+const SSL_METHOD *sycSSLv3_server_method(void) {
+ const SSL_METHOD *result;
 Debug("SSLv3_server_method()");
 result = SSLv3_server_method();
 Debug1("SSLv3_server_method() -> %p", result);
 return result;
 }
-SSL_METHOD *sycSSLv23_client_method(void) {
- SSL_METHOD *result;
+const SSL_METHOD *sycSSLv23_client_method(void) {
+ const SSL_METHOD *result;
 Debug("SSLv23_client_method()");
 result = SSLv23_client_method();
 Debug1("SSLv23_client_method() -> %p", result);
 return result;
 }
-SSL_METHOD *sycSSLv23_server_method(void) {
- SSL_METHOD *result;
+const SSL_METHOD *sycSSLv23_server_method(void) {
+ const SSL_METHOD *result;
 Debug("SSLv23_server_method()");
 result = SSLv23_server_method();
 Debug1("SSLv23_server_method() -> %p", result);
 return result;
 }
-SSL_METHOD *sycTLSv1_client_method(void) {
- SSL_METHOD *result;
+const SSL_METHOD *sycTLSv1_client_method(void) {
+ const SSL_METHOD *result;
 Debug("TLSv1_client_method()");
 result = TLSv1_client_method();
 Debug1("TLSv1_client_method() -> %p", result);
 return result;
 }
-SSL_METHOD *sycTLSv1_server_method(void) {
- SSL_METHOD *result;
+const SSL_METHOD *sycTLSv1_server_method(void) {
+ const SSL_METHOD *result;
 Debug("TLSv1_server_method()");
 result = TLSv1_server_method();
 Debug1("TLSv1_server_method() -> %p", result);
 return result;
 }
-SSL_CTX *sycSSL_CTX_new(SSL_METHOD *method) {
+SSL_CTX *sycSSL_CTX_new(const SSL_METHOD *method) {
 SSL_CTX *result;
 Debug1("SSL_CTX_new(%p)", method);
 result = SSL_CTX_new(method);
diff --git a/sslcls.h b/sslcls.h
index 0ae00c4..b324fff 100644
--- a/sslcls.h
+++ b/sslcls.h
@@ -1,5 +1,5 @@
 /* source: sslcls.h */
-/* Copyright Gerhard Rieger 2001-2010 */
+/* Copyright Gerhard Rieger 2001-2011 */
 /* Published under the GNU General Public License V.2, see file COPYING */
 #ifndef __sslcls_h_included
@@ -10,15 +10,15 @@ void sycSSL_load_error_strings(void);
 int sycSSL_library_init(void);
-SSL_METHOD *sycSSLv2_client_method(void);
-SSL_METHOD *sycSSLv2_server_method(void);
-SSL_METHOD *sycSSLv3_client_method(void);
-SSL_METHOD *sycSSLv3_server_method(void);
-SSL_METHOD *sycSSLv23_client_method(void);
-SSL_METHOD *sycSSLv23_server_method(void);
-SSL_METHOD *sycTLSv1_client_method(void);
-SSL_METHOD *sycTLSv1_server_method(void);
-SSL_CTX *sycSSL_CTX_new(SSL_METHOD *method);
+const SSL_METHOD *sycSSLv2_client_method(void);
+const SSL_METHOD *sycSSLv2_server_method(void);
+const SSL_METHOD *sycSSLv3_client_method(void);
+const SSL_METHOD *sycSSLv3_server_method(void);
+const SSL_METHOD *sycSSLv23_client_method(void);
+const SSL_METHOD *sycSSLv23_server_method(void);
+const SSL_METHOD *sycTLSv1_client_method(void);
+const SSL_METHOD *sycTLSv1_server_method(void);
+SSL_CTX *sycSSL_CTX_new(const SSL_METHOD *method);
 SSL *sycSSL_new(SSL_CTX *ctx);
 int sycSSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath);
diff --git a/sysincludes.h b/sysincludes.h
index 0136d12..62ff117 100644
--- a/sysincludes.h
+++ b/sysincludes.h
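Review bot: sslcls.h still declares `sycSSLv2_client_method` and `sycSSLv2_server_method` unconditionally, while the sslcls.c hunk now compiles their definitions only under `#if HAVE_SSLv2_client_method` and `#if HAVE_SSLv2_server_method`. A prototype without a definition is legal C, but it lets a call from any translation unit that forgets the guard compile and then fail at link time, and it leaves the header and the implementation disagreeing about what the wrapper library offers. Wrap the two prototypes in the same guards, i.e. `#if HAVE_SSLv2_client_method` / `const SSL_METHOD *sycSSLv2_client_method(void);` / `#endif`, and likewise for the server method, so the header is the single statement of what is available.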
@@ -149,7 +149,9 @@ #if HAVE_UTIL_H #include /* NetBSD, OpenBSD openpty() */ #endif -#if HAVE_LIBUTIL_H +#if HAVE_BSD_LIBUTIL_H +#include /* FreeBSD openpty() */ +#elif HAVE_LIBUTIL_H #include /* FreeBSD openpty() */ #endif #if HAVE_SYS_STROPTS_H diff --git a/test.sh b/test.sh index ef16675..eca571a 100755 --- a/test.sh +++ b/test.sh @@ -1744,6 +1744,8 @@ runstcp4 () { pid=$! usleep $MICROS kill "$pid" 2>/dev/null + wait + usleep $MICROS test ! -s "$td/tcp4.stderr" } @@ -1753,8 +1755,9 @@ runstcp6 () { # PORT="$1" $SOCAT /dev/null TCP6-LISTEN:$PORT 2>"$td/tcp6.stderr" & pid=$! - usleep $MICROS kill "$pid" 2>/dev/null + wait + usleep $MICROS test ! -s "$td/tcp6.stderr" } @@ -1766,6 +1769,8 @@ runsudp4 () { pid=$! usleep $MICROS kill "$pid" 2>/dev/null + wait + usleep $MICROS test ! -s "$td/udp4.stderr" } @@ -1777,6 +1782,8 @@ runsudp6 () { pid=$! usleep $MICROS kill "$pid" 2>/dev/null + wait + usleep $MICROS test ! -s "$td/udp6.stderr" } @@ -1787,6 +1794,8 @@ runssctp4 () { pid=$! usleep $MICROS kill "$pid" 2>/dev/null + wait + usleep $MICROS test ! -s "$td/sctp4.stderr" } @@ -1797,6 +1806,8 @@ runssctp6 () { pid=$! usleep $MICROS kill "$pid" 2>/dev/null + wait + usleep $MICROS test ! -s "$td/sctp6.stderr" } @@ -3867,7 +3878,7 @@ TEST="$NAME: $TESTKEYW half close" # have a "peer" socat "peer" that executes "$OD_C" and see if EOF on the # connecting socat brings the result of od if ! eval $NUMCOND; then :; -elif [ "$FEAT" != ';' -a ! testaddrs "$FEAT" >/dev/null; then +elif [ "$FEAT" != ',' ] && ! testaddrs "$FEAT" >/dev/null; then $PRINTF "test $F_n $TEST... ${YELLOW}$FEAT not available${NORMAL}\n" $N numCANT=$((numCANT+1)) elif ! runs$RUNS; then diff --git a/xio-exec.c b/xio-exec.c index 7a6958c..1b1c8d5 100644 --- a/xio-exec.c +++ b/xio-exec.c 
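Review bot: The new `#if HAVE_BSD_LIBUTIL_H` branch in sysincludes.h carries the copied comment `/* FreeBSD openpty() */`, which now appears on both branches and no longer tells the reader why two spellings of the header exist. Per the commit subject the bsd/libutil.h case is the libbsd compatibility header on Ubuntu, so a comment such as `/* libbsd on Linux (Ubuntu Oneiric): openpty() */` on the first include, with the existing FreeBSD comment kept on the `#elif`, would document the distinction. The header names themselves are not visible in this rendering, so I cannot confirm which file each `#include` names.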
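Review bot: In the `runstcp6` hunk the `usleep $MICROS` between `$SOCAT ... &` and `kill "$pid"` is removed, whereas `runstcp4`, `runsudp4`, `runsudp6`, `runssctp4` and `runssctp6` keep it and only add `wait` and a second `usleep` after the kill. Without that pause the signal can reach socat before it has attempted the bind, so `$td/tcp6.stderr` stays empty and the probe reports TCP6 as usable on a host where the listen would have failed, turning later IPv6 tests into false failures instead of skips. Restore the line so the function matches its siblings: keep `usleep $MICROS` before `kill "$pid" 2>/dev/null`.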
@@ -1,5 +1,5 @@ /* source: xio-exec.c */ -/* Copyright Gerhard Rieger 2001-2008 */ +/* Copyright Gerhard Rieger 2001-2011 */ /* Published under the GNU General Public License V.2, see file COPYING */ /* this file contains the source for opening addresses of exec type */ @@ -54,7 +54,7 @@ static int xioopen_exec(int argc, const char *argv[], struct opt *opts, NULL } ; char **pargv = NULL; - int pargc, i; + int pargc; size_t len; const char *strp; char *token; /*! */ @@ -62,14 +62,12 @@ static int xioopen_exec(int argc, const char *argv[], struct opt *opts, char *path = NULL; char *tmp; int numleft; - int result; /*! Close(something) */ /* parse command line */ Debug1("child: args = \"%s\"", argv[1]); pargv = Malloc(8*sizeof(char *)); if (pargv == NULL) return STAT_RETRYLATER; - i = 0; len = strlen(argv[1])+1; strp = argv[1]; token = Malloc(len); /*! */ @@ -125,7 +123,7 @@ static int xioopen_exec(int argc, const char *argv[], struct opt *opts, Dup2(duptostderr, 2); } Notice1("execvp'ing \"%s\"", token); - result = Execvp(token, pargv); + Execvp(token, pargv); /* here we come only if execvp() failed */ switch (pargc) { case 1: Error3("execvp(\"%s\", \"%s\"): %s", token, pargv[0], strerror(errno)); break; diff --git a/xio-listen.c b/xio-listen.c index 6e4713b..2eba80d 100644 --- a/xio-listen.c +++ b/xio-listen.c @@ -54,13 +54,7 @@ int successful establishment of tcp connection */ result = _xioopen_listen(xfd, xioflags, (struct sockaddr *)us, uslen, - opts, pf, socktype, proto, -#if WITH_RETRY - (xfd->retry||xfd->forever)?E_INFO:E_ERROR -#else - E_ERROR -#endif /* WITH_RETRY */ - ); + opts, pf, socktype, proto, level); /*! not sure if we should try again on retry/forever */ switch (result) { case STAT_OK: break; diff --git a/xio-named.c b/xio-named.c index 892cc96..c445043 100644 --- a/xio-named.c +++ b/xio-named.c 
@@ -1,5 +1,5 @@ /* source: xio-named.c */ -/* Copyright Gerhard Rieger 2001-2008 */ +/* Copyright Gerhard Rieger 2001-2011 */ /* Published under the GNU General Public License V.2, see file COPYING */ /* this file contains the source for filesystem entry functions */ @@ -96,7 +96,6 @@ int _xioopen_named_early(int argc, const char *argv[], xiofile_t *xfd, int groups, bool *exists, struct opt *opts) { const char *path = argv[1]; - unsigned int iogroups = 0; #if HAVE_STAT64 struct stat64 statbuf; #else @@ -120,10 +119,8 @@ int _xioopen_named_early(int argc, const char *argv[], xiofile_t *xfd, Error2("stat(\"%s\"): %s", path, strerror(errno)); return STAT_RETRYLATER; } - iogroups = GROUP_REG; *exists = false; } else { - iogroups = _groupbits(statbuf.st_mode); *exists = true; } @@ -135,7 +132,6 @@ int _xioopen_named_early(int argc, const char *argv[], xiofile_t *xfd, Info1("\"%s\" already exists; removing it", path); if (Unlink(path) < 0) { Error2("unlink(\"%s\"): %s", path, strerror(errno)); - *exists = true; } else { *exists = false; } diff --git a/xio-openssl.c b/xio-openssl.c index 19f3f33..2fda933 100644 --- a/xio-openssl.c +++ b/xio-openssl.c @@ -690,7 +690,7 @@ int SSL_CTX **ctx) { bool opt_fips = false; - SSL_METHOD *method; + const SSL_METHOD *method; char *me_str = NULL; /* method string */ char *ci_str = NULL; /* cipher string */ char *opt_key = NULL; /* file name of client private key */ 
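Review bot: Dropping `*exists = true;` from the `Unlink(path) < 0` branch in the `@@ -135,7 +132,6 @@` hunk looks behaviour-preserving only because the earlier hunk stores `*exists = true` whenever the stat succeeded, and this branch appears to be reached only in that case; that dependency is no longer visible at the site. A short comment on the error branch would keep the next reader from re-adding the store or assuming `*exists` is unset here: `/* *exists is already true: stat() above succeeded */`. `_xioopen_named_early` begins before the hunk, so the control flow between the two hunks is inferred from the context lines shown.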
@@ -747,8 +747,14 @@ int
 if (!server) {
 if (me_str != 0) {
 if (!strcasecmp(me_str, "SSLv2") || !strcasecmp(me_str, "SSL2")) {
+#if HAVE_SSLv2_client_method
 method = sycSSLv2_client_method();
- } else if (!strcasecmp(me_str, "SSLv3") || !strcasecmp(me_str, "SSL3")) {
+#else
+ Error1("OpenSSL method \"%s\" not provided by library", me_str);
+ method = sycSSLv23_server_method();
+#endif
+ } else
+ if (!strcasecmp(me_str, "SSLv3") || !strcasecmp(me_str, "SSL3")) {
 method = sycSSLv3_client_method();
 } else if (!strcasecmp(me_str, "SSLv23") || !strcasecmp(me_str, "SSL23") || !strcasecmp(me_str, "SSL")) {
@@ -758,16 +764,22 @@ int
 method = sycTLSv1_client_method();
 } else {
 Error1("openssl-method=\"%s\": unknown method", me_str);
- method = sycSSLv23_client_method()/*!*/;
+ method = sycSSLv23_client_method();
 }
 } else {
- method = sycSSLv23_client_method()/*!*/;
+ method = sycSSLv23_client_method();
 }
 } else /* server */ {
 if (me_str != 0) {
 if (!strcasecmp(me_str, "SSLv2") || !strcasecmp(me_str, "SSL2")) {
+#if HAVE_SSLv2_server_method
 method = sycSSLv2_server_method();
- } else if (!strcasecmp(me_str, "SSLv3") || !strcasecmp(me_str, "SSL3")) {
+#else
+ Error1("OpenSSL method \"%s\" not provided by library", me_str);
+ method = sycSSLv23_server_method();
+#endif
+ } else
+ if (!strcasecmp(me_str, "SSLv3") || !strcasecmp(me_str, "SSL3")) {
 method = sycSSLv3_server_method();
 } else if (!strcasecmp(me_str, "SSLv23") || !strcasecmp(me_str, "SSL23") || !strcasecmp(me_str, "SSL")) {
@@ -777,10 +789,10 @@ int
 method = sycTLSv1_server_method();
 } else {
 Error1("openssl-method=\"%s\": unknown method", me_str);
- method = sycSSLv23_server_method()/*!*/;
+ method = sycSSLv23_server_method();
 }
 } else {
- method = sycSSLv23_server_method()/*!*/;
+ method = sycSSLv23_server_method();
 }
 }
diff --git a/xio-socket.c b/xio-socket.c
index 75799ac..4044af7 100644
--- a/xio-socket.c
+++ b/xio-socket.c
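Review bot: In the client branch (`if (!server)`), the new `#else` fallback for a missing `SSLv2_client_method` assigns `method = sycSSLv23_server_method();`, a server method in client code; the server branch below correctly uses `sycSSLv23_server_method()`, so the client line should be `method = sycSSLv23_client_method();`. Separately, both fallbacks log through `Error1` and then continue with a method other than the one the user pinned via openssl-method; whether `Error1` terminates depends on socat's error-level handling, which is outside this hunk, and if it does not, the function would be better off returning its error status so an explicit protocol choice is never silently substituted. The enclosing function starts before the first hunk, so its return convention is not visible here.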
@@ -736,7 +736,6 @@ int _xioopen_connect(struct single *xfd, struct sockaddr *us, size_t uslen, union sockaddr_union sin, *sinp; unsigned short *port, i, N; div_t dv; - bool problem; /* prepare sockaddr for bind probing */ if (us) { @@ -784,7 +783,6 @@ int _xioopen_connect(struct single *xfd, struct sockaddr *us, size_t uslen, } dv = div(random(), IPPORT_RESERVED-XIO_IPPORT_LOWER); i = N = XIO_IPPORT_LOWER + dv.rem; - problem = false; do { /* loop over lowport bind() attempts */ *port = htons(i); if (Bind(xfd->fd, (struct sockaddr *)sinp, sizeof(*sinp)) < 0) { @@ -1187,7 +1185,6 @@ int _xioopen_dgram_recvfrom(struct single *xfd, int xioflags, struct opt *opts, int pf, int socktype, int proto, int level) { char *rangename; - socklen_t salen; bool dofork = false; pid_t pid; /* mostly int; only used with fork */ char infobuff[256]; @@ -1312,7 +1309,6 @@ int _xioopen_dgram_recvfrom(struct single *xfd, int xioflags, struct msghdr msgh = {0}; socket_init(pf, pa); - salen = sizeof(struct sockaddr); if (drop) { char *dummy[2]; diff --git a/xio-udp.c b/xio-udp.c index 082870a..5086308 100644 --- a/xio-udp.c +++ b/xio-udp.c @@ -462,7 +462,6 @@ int xioopen_udp_recvfrom(int argc, const char *argv[], struct opt *opts, int pf, int socktype, int ipproto) { union sockaddr_union us; socklen_t uslen = sizeof(us); - bool needbind = false; int result; if (argc != 2) { @@ -510,7 +509,6 @@ int xioopen_udp_recvfrom(int argc, const char *argv[], struct opt *opts, case PF_INET6: us.ip6.sin6_addr = la.ip6.sin6_addr; break; #endif } - needbind = true; } } diff --git a/xioopts.c b/xioopts.c index 0b66e9a..7cface3 100644 --- a/xioopts.c +++ b/xioopts.c @@ -2828,7 +2828,7 @@ int retropt_bind(struct opt *opts, const char portsep[] = ":"; const char *ends[] = { portsep, NULL }; const char *nests[] = { "[", "]", NULL }; - bool addrallowed, portallowed; + bool portallowed; char *bindname, *bindp; char hostname[512], *hostp = hostname, *portp = NULL; size_t hostlen = sizeof(hostname)-1; 
@@ -2864,7 +2864,6 @@ int retropt_bind(struct opt *opts, #if WITH_IP6 case AF_INET6: #endif /*WITH_IP6 */ - addrallowed = true; portallowed = (feats>=2); nestlex((const char **)&bindp, &hostp, &hostlen, ends, NULL, NULL, nests, true, false, false);