control: tags -1 patch

On 2016-06-26 12:24:09 [+0200], Kurt Roeckx wrote:
> Source: socat
> Version: 1.7.3.1-1
> 
> OpenSSL 1.1.0 is about to be released.  During a rebuild of all packages using
> OpenSSL this package fails to build.  A log of that build can be found at:
> https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/socat_1.7.3.1-1_amd64-20160529-1537

The attached patch fixes it and is against socat version 2 beta 8.
Should it not make it into unstable in time, I can prepare a patch against
1.7.3.1.

> Kurt

Sebastian
>From 25885d9f1193580ec16cffaf6657f5fcaffa9987 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Date: Mon, 29 Aug 2016 19:25:15 +0000
Subject: [PATCH] socat-2: port to openssl 1.1.0

TLSv1_server_method() and friends are deprecated and could be removed in a
future release. It is recommended to use SSLv23_server_method() to get the
highest possible SSL/TLS version (unless explicitly disabled via an OpenSSL flag).
TLSv1_server_method() will not allow TLS1.2 to be used even if available.

It is believed that using the same DH parameters on every server is subject to
computation attacks, see weakdh.org

OpenSSL's EGD interface is optional (and disabled by default).

Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
---
 sslcls.c      |  6 +++++
 xio-openssl.c | 81 ++++++++++++++++++++++++++++++++++++++---------------------
 2 files changed, 59 insertions(+), 28 deletions(-)

diff --git a/sslcls.c b/sslcls.c
index 260202a..449370d 100644
--- a/sslcls.c
+++ b/sslcls.c
@@ -364,11 +364,17 @@ void sycSSL_free(SSL *ssl) {
 }
 
 int sycRAND_egd(const char *path) {
+#ifdef OPENSSL_NO_EGD
+   Debug("RAND_egd() is not available by OpenSSL");
+   return -1;
+
+#else
    int result;
    Debug1("RAND_egd(\"%s\")", path);
    result = RAND_egd(path);
    Debug1("RAND_egd() -> %d", result);
    return result;
+#endif
 }
 
 DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u) {
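Review bot: The OPENSSL_NO_EGD branch of sycRAND_egd() reports only at Debug level, so a user who configured the egd option gets no visible indication that the entropy source they asked for was never consulted; this stand-in for a failed RAND_egd() should be at least as loud, e.g. `Warn("RAND_egd() is not available in this OpenSSL build");`. In that branch `path` is also unused, which -Wunused-parameter will flag; a `(void)path;` before the return keeps the build quiet. The blank line between `return -1;` and `#else` is stray.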
diff --git a/xio-openssl.c b/xio-openssl.c
index c7f283c..d77a486 100644
--- a/xio-openssl.c
+++ b/xio-openssl.c
@@ -1069,35 +1069,48 @@ int
 	 0x02,
       };
       DH *dh;
+      BIGNUM *p = NULL, *g = NULL;
       unsigned long err;
 
-      if ((dh = DH_new()) == NULL) {
-	 while (err = ERR_get_error()) {
-	    Warn1("DH_new(): %s",
-		  ERR_error_string(err, NULL));
-	 }
-	 Error("DH_new() failed");
-      } else {
-	 dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
-	 dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
-	 if ((dh->p == NULL) || (dh->g == NULL)) {
-	    while (err = ERR_get_error()) {
-	       Warn1("BN_bin2bn(): %s",
-		     ERR_error_string(err, NULL));
-	    }
-	    Error("BN_bin2bn() failed");
-	 } else {
-	    if (sycSSL_CTX_set_tmp_dh(*ctx, dh) <= 0) {
-	       while (err = ERR_get_error()) {
-		  Warn3("SSL_CTX_set_tmp_dh(%p, %p): %s", *ctx, dh,
-			ERR_error_string(err, NULL));
-	       }
-	       Error2("SSL_CTX_set_tmp_dh(%p, %p) failed", *ctx, dh);
-	    }
-	    /*! OPENSSL_free(dh->p,g)? doc does not tell so */
-	 }
-	 DH_free(dh);
+      dh = DH_new();
+      p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
+      g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
+      if (!dh || !p || !g) {
+         if (dh)
+            DH_free(dh);
+         if (p)
+            BN_free(p);
+         if (g)
+            BN_free(g);
+         while (err = ERR_get_error()) {
+            Warn1("dh2048 setup(): %s",
+                  ERR_error_string(err, NULL));
+         }
+         Error("dh2048 setup failed");
+         goto cont_out;
+      }
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+      dh->p = p;
+      dh->g = g;
+#else
+      if (!DH_set0_pqg(dh, p, NULL, g)) {
+	      DH_free(dh);
+	      BN_free(p);
+	      BN_free(g);
+	      goto cont_out;
       }
+#endif
+      if (sycSSL_CTX_set_tmp_dh(*ctx, dh) <= 0) {
+         while (err = ERR_get_error()) {
+            Warn3("SSL_CTX_set_tmp_dh(%p, %p): %s", *ctx, dh,
+                  ERR_error_string(err, NULL));
+         }
+         Error2("SSL_CTX_set_tmp_dh(%p, %p) failed", *ctx, dh);
+      }
+      /* p & g are freed by DH_free() once attached */
+      DH_free(dh);
+cont_out:
+      ;
    }
 
 #if defined(EC_KEY)  /* not on Openindiana 5.11 */
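Review bot: The DH_set0_pqg() failure path frees dh, p and g and jumps to cont_out without logging anything, whereas every other failure in this block drains ERR_get_error() into Warn1() and then calls Error(); a server silently ending up without its DH parameters is exactly the case an operator needs to see. Add `Error("DH_set0_pqg() failed");` (preceded by the same `while (err = ERR_get_error())` loop the dh2048 setup path uses) before the `goto cont_out;`. The `#else` branch is also tab-indented while the rest of the new code uses spaces. The enclosing function starts before and continues past this hunk.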
@@ -1236,7 +1249,11 @@ static int openssl_SSL_ERROR_SSL(int level, const char *funcname) {
    while (e = ERR_get_error()) {
       Debug1("ERR_get_error(): %lx", e);
       if (e == ((ERR_LIB_RAND<<24)|
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 		(RAND_F_SSLEAY_RAND_BYTES<<12)|
+#else
+		(RAND_F_RAND_BYTES<<12)|
+#endif
 		(RAND_R_PRNG_NOT_SEEDED)) /*0x24064064*/) {
 	 Error("too few entropy; use options \"egd\" or \"pseudo\"");
 	 stat = STAT_NORETRY;
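Review bot: The not-seeded check compares against a packed (lib<<24|func<<12|reason) constant, and the function code RAND_F_* is not a stable part of the OpenSSL API; this port already needed an `#if` for it, and the `/*0x24064064*/` comment is now wrong for the 1.1.0 branch. Matching on library and reason only removes the version dependency entirely: `if (ERR_GET_LIB(e) == ERR_LIB_RAND && ERR_GET_REASON(e) == RAND_R_PRNG_NOT_SEEDED) {`, which keeps the "too few entropy" diagnostic firing regardless of which internal function raised the error. openssl_SSL_ERROR_SSL() starts before and continues past this hunk.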
@@ -1388,7 +1405,7 @@ static bool openssl_check_peername(X509_NAME *name, const char *peername) {
    int ind = -1;
    X509_NAME_ENTRY *entry;
    ASN1_STRING *data;
-   unsigned char *text;
+   const unsigned char *text;
    ind = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
    if (ind < 0) {
       Info("no COMMONNAME field in peer certificate"); 
@@ -1396,7 +1413,11 @@ static bool openssl_check_peername(X509_NAME *name, const char *peername) {
    }
    entry = X509_NAME_get_entry(name, ind);
    data = X509_NAME_ENTRY_get_data(entry);
+#if OPENSSL_VERSION_NUMBER < 0x10100000
    text = ASN1_STRING_data(data);
+#else
+   text = ASN1_STRING_get0_data(data);
+#endif
    return openssl_check_name((const char *)text, peername);
 }
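Review bot: `text` is still handed to openssl_check_name() as a NUL-terminated C string on the return line, but ASN1_STRING_get0_data() (like ASN1_STRING_data() before it) returns a byte buffer whose real length is ASN1_STRING_length(data), and a commonName may contain embedded NUL bytes, in which case the comparison only sees the prefix. Compare the lengths before the cast (assuming <string.h> is already included): `if (ASN1_STRING_length(data) != (int)strlen((const char *)text)) return false;`. The same applies to the Debug3 and xiosetenv3 uses of `text` at the end of the openssl_setenv_cert_fields() hunk below. The commit did not introduce this, but switching the accessor is the natural place to add the check.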
 
@@ -1442,13 +1463,17 @@ static int openssl_setenv_cert_fields(const char *field, X509_NAME *name) {
       X509_NAME_ENTRY *entry;
       ASN1_OBJECT *obj;
       ASN1_STRING *data;
-      unsigned char *text;
+      const unsigned char *text;
       int nid;
       entry = X509_NAME_get_entry(name, i);
       obj  = X509_NAME_ENTRY_get_object(entry);
       data = X509_NAME_ENTRY_get_data(entry);
       nid  = OBJ_obj2nid(obj);
+#if OPENSSL_VERSION_NUMBER < 0x10100000
       text = ASN1_STRING_data(data);
+#else
+      text = ASN1_STRING_get0_data(data);
+#endif
       Debug3("SSL peer cert %s entry: %s=\"%s\"", (field[0]?field:"subject"), OBJ_nid2ln(nid), text);
       if (field != NULL && field[0] != '\0') {
 	 xiosetenv3("OPENSSL_X509", field, OBJ_nid2ln(nid), (const char *)text, 2, " // ");
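Review bot: This is the second copy of the `#if OPENSSL_VERSION_NUMBER < 0x10100000` switch between ASN1_STRING_data() and ASN1_STRING_get0_data() (the first is in openssl_check_peername() above), and further accessor ports will keep adding them. A single compat shim near the top of the file, `#if OPENSSL_VERSION_NUMBER < 0x10100000` / `#define ASN1_STRING_get0_data(s) ASN1_STRING_data(s)` / `#endif`, lets both call sites use the 1.1.0 name unconditionally and keeps the version logic in one place. The enclosing loop and function continue past this hunk.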
-- 
2.9.3
