Bug#828550: socat: FTBFS with openssl 1.1.0

2016-11-28 Thread Gerhard Rieger
Hello,

there are plans but no schedule for a stable version 2 release. Do not
rely on it.

A new version 1 release with important bug fixes (but not security
related) is intended within the next few weeks.

Please find attached the patch for OpenSSL 1.1 for Socat 1.7.3.1,
modified again...

Regards
Gerhard


Am 25.11.2016 um 10:10 schrieb László Böszörményi (GCS):
> Hi,
> 
> On Thu, Nov 24, 2016 at 9:12 PM, Gerhard Rieger
>  wrote:
>> find attached the adapted patch to socat-2.0.0-b9. Please check if it
>> works for you!
>  Any plans for a stable tagged 2.0.0 release? I still have 1.7.3.1 for
> the next stable Debian release with the adopted patch, attached. The
> only notable change that if OpenSSL 1.1+ is used for compilation, I
> have to print that egd is not supported by the OpenSSL version - you
> protected the function only, but not its call.
> 
> Thanks,
> Laszlo/GCS
> 

diff --git CHANGES CHANGES
index ab611ff..6293ca8 100644
--- CHANGES
+++ CHANGES
@@ -1,3 +1,8 @@
+porting:
+	Changes to make socat compile with OpenSSL 1.1. 
+	Thanks to Sebastian Andrzej Siewior e.a. from the Debian team for
+	providing the base patch.
+	Debian Bug#828550
 
 ### V 1.7.3.1:
 
diff --git config.h.in config.h.in
index 3f28702..ed821c0 100644
--- config.h.in
+++ config.h.in
@@ -447,6 +447,15 @@
 #undef HAVE_DTLSv1_client_method
 #undef HAVE_DTLSv1_server_method
 
+/* Define if you have the OpenSSL RAND_egd function */
+#undef HAVE_RAND_egd
+
+/* Define if you have the OpenSSL DH_set0_pqg function */
+#undef HAVE_DH_set0_pqg
+
+/* Define if you have the OpenSSL ASN1_STRING_get0_data function */
+#undef HAVE_ASN1_STRING_get0_data
+
 /* Define if you have the flock function */
 #undef HAVE_FLOCK
 
diff --git configure.in configure.in
index e1b7f4c..84939f3 100644
--- configure.in
+++ configure.in
@@ -1450,6 +1450,9 @@ AC_CHECK_FUNC(TLSv1_2_client_method, AC_DEFINE(HAVE_TLSv1_2_client_method), AC_C
 AC_CHECK_FUNC(TLSv1_2_server_method, AC_DEFINE(HAVE_TLSv1_2_server_method), AC_CHECK_LIB(crypt, TLSv1_2_server_method, [LIBS=-lcrypt $LIBS]))
 AC_CHECK_FUNC(DTLSv1_client_method, AC_DEFINE(HAVE_DTLSv1_client_method), AC_CHECK_LIB(crypt, DTLSv1_client_method, [LIBS=-lcrypt $LIBS]))
 AC_CHECK_FUNC(DTLSv1_server_method, AC_DEFINE(HAVE_DTLSv1_server_method), AC_CHECK_LIB(crypt, DTLSv1_server_method, [LIBS=-lcrypt $LIBS]))
+AC_CHECK_FUNC(RAND_egd, AC_DEFINE(HAVE_RAND_egd), AC_CHECK_LIB(crypt, RAND_egd, [LIBS=-lcrypt $LIBS]))
+AC_CHECK_FUNC(DH_set0_pqg, AC_DEFINE(HAVE_DH_set0_pqg), AC_CHECK_LIB(crypt, DH_set0_pqg, [LIBS=-lcrypt $LIBS]))
+AC_CHECK_FUNC(ASN1_STRING_get0_data, AC_DEFINE(HAVE_ASN1_STRING_get0_data), AC_CHECK_LIB(crypt, ASN1_STRING_get0_data, [LIBS=-lcrypt $LIBS]))
 
 dnl Run time checks
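Review bot: The fallback `AC_CHECK_LIB(crypt, RAND_egd, ...)` on the three new lines probes libcrypt, the password-hashing library, rather than libcrypto where OpenSSL defines these symbols; it mirrors the TLSv1_2/DTLSv1 lines above, so presumably the first AC_CHECK_FUNC already succeeds because LIBS carries -lcrypto and the fallback is never exercised. If it ever is, HAVE_DH_set0_pqg stays undefined and the `dh->p = p` branch in xio-openssl.c is compiled against an OpenSSL 1.1 that has no such field, which is the build failure this patch is meant to remove. Naming `crypto` in the fallback (or dropping the fallback) would make the probe honest; the same three lines appear in the 1.7.3.1 Debian patch and the 2.0.0-b9 patch further down this page.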
 
diff --git sslcls.c sslcls.c
index 6ddc077..1e2ec6a 100644
--- sslcls.c
+++ sslcls.c
@@ -331,6 +331,7 @@ void sycSSL_free(SSL *ssl) {
return;
 }
 
+#if !defined(OPENSSL_NO_EGD) && HAVE_RAND_egd
 int sycRAND_egd(const char *path) {
int result;
Debug1("RAND_egd(\"%s\")", path);
@@ -338,6 +339,7 @@ int sycRAND_egd(const char *path) {
Debug1("RAND_egd() -> %d", result);
return result;
 }
+#endif
 
 DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u) {
DH *result;
diff --git xio-openssl.c xio-openssl.c
index b7e95c1..1e06d28 100644
--- xio-openssl.c
+++ xio-openssl.c
@@ -878,7 +878,11 @@ int
}
 
if (opt_egd) {
+#if !defined(OPENSSL_NO_EGD) && HAVE_RAND_egd
   sycRAND_egd(opt_egd);
+#else
+  Debug("RAND_egd() is not available by OpenSSL");
+#endif
}
 
if (opt_pseudo) {
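Review bot: The new `#else` branch reports the missing EGD support only at Debug level, so a user who passed the egd option to choose an entropy source gets no notice at normal verbosity that the option was ignored; the same fallback appears in the 1.7.3.1 Debian patch further down this page. A Warn that names the ignored value, `Warn1("RAND_egd() is not available by OpenSSL, option egd=\"%s\" ignored", opt_egd);`, matches how this file reports other problems (Warn1 is used in the DH setup hunk of the same patch). The kept call `sycRAND_egd(opt_egd);` still discards its return value, so a failed EGD seed also goes unnoticed when the function does exist. The enclosing function starts before this hunk.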
@@ -936,35 +940,48 @@ int
 	 0x02,
   };
   DH *dh;
+  BIGNUM *p = NULL, *g = NULL;
   unsigned long err;
 
-  if ((dh = DH_new()) == NULL) {
-	 while (err = ERR_get_error()) {
-	Warn1("DH_new(): %s",
-		   ERR_error_string(err, NULL));
-	 }
-	 Error("DH_new() failed");
-  } else {
-	 dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
-	 dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
-	 if ((dh->p == NULL) || (dh->g == NULL)) {
-	while (err = ERR_get_error()) {
-	   Warn1("BN_bin2bn(): %s",
-		 ERR_error_string(err, NULL));
-	}
-	Error("BN_bin2bn() failed");
-	 } else {
-	if (sycSSL_CTX_set_tmp_dh(*ctx, dh) <= 0) {
-	   while (err = ERR_get_error()) {
-		  Warn3("SSL_CTX_set_tmp_dh(%p, %p): %s", *ctx, dh,
-			ERR_error_string(err, NULL));
-	   }
-	   Error2("SSL_CTX_set_tmp_dh(%p, %p) failed", *ctx, dh);
-	}
-	/*! OPENSSL_free(dh->p,g)? doc does not tell so */
-	 }
-	 DH_free(dh);
+  dh = DH_new();
+  p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
+  g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
+  if (!dh || !p || !g) {
+ if (dh)
+DH_free(dh);
+ if (p)
+BN_free(p);
+ if (g)
+BN_free(g);
+ while (err = ERR_get_error()) {
+Warn1("dh2048 setup(): %s",
+  

Bug#828550: socat: FTBFS with openssl 1.1.0

2016-11-25 Thread GCS
Hi,

On Thu, Nov 24, 2016 at 9:12 PM, Gerhard Rieger
 wrote:
> find attached the adapted patch to socat-2.0.0-b9. Please check if it
> works for you!
 Any plans for a stable tagged 2.0.0 release? I still have 1.7.3.1 for
the next stable Debian release with the adopted patch, attached. The
only notable change is that if OpenSSL 1.1+ is used for compilation, I
have to print that egd is not supported by the OpenSSL version - you
protected the function only, but not its call.

Thanks,
Laszlo/GCS
Description: fix build with OpenSSL 1.1.0+
 Makes compilation work with both OpenSSL 1.0 and 1.1 versions.
Bug-Debian: https://bugs.debian.org/828550
Origin: Sebastian Andrzej Siewior 
Author: Gerhard Rieger 
Last-Update: 2016-11-24

---

--- socat-1.7.3.1.orig/CHANGES
+++ socat-1.7.3.1/CHANGES
@@ -1,3 +1,8 @@
+porting:
+	Changes to make socat compile with OpenSSL 1.1. 
+	Thanks to Sebastian Andrzej Siewior e.a. from the Debian team for
+	providing the base patch.
+	Debian Bug#828550
 
 ### V 1.7.3.1:
 
--- socat-1.7.3.1.orig/config.h.in
+++ socat-1.7.3.1/config.h.in
@@ -447,6 +447,15 @@
 #undef HAVE_DTLSv1_client_method
 #undef HAVE_DTLSv1_server_method
 
+/* Define if you have the OpenSSL RAND_egd function */
+#undef HAVE_RAND_egd
+
+/* Define if you have the OpenSSL DH_set0_pqg function */
+#undef HAVE_DH_set0_pqg
+
+/* Define if you have the OpenSSL ASN1_STRING_get0_data function */
+#undef HAVE_ASN1_STRING_get0_data
+
 /* Define if you have the flock function */
 #undef HAVE_FLOCK
 
--- socat-1.7.3.1.orig/configure.in
+++ socat-1.7.3.1/configure.in
@@ -1450,6 +1450,9 @@ AC_CHECK_FUNC(TLSv1_2_client_method, AC_
 AC_CHECK_FUNC(TLSv1_2_server_method, AC_DEFINE(HAVE_TLSv1_2_server_method), AC_CHECK_LIB(crypt, TLSv1_2_server_method, [LIBS=-lcrypt $LIBS]))
 AC_CHECK_FUNC(DTLSv1_client_method, AC_DEFINE(HAVE_DTLSv1_client_method), AC_CHECK_LIB(crypt, DTLSv1_client_method, [LIBS=-lcrypt $LIBS]))
 AC_CHECK_FUNC(DTLSv1_server_method, AC_DEFINE(HAVE_DTLSv1_server_method), AC_CHECK_LIB(crypt, DTLSv1_server_method, [LIBS=-lcrypt $LIBS]))
+AC_CHECK_FUNC(RAND_egd, AC_DEFINE(HAVE_RAND_egd), AC_CHECK_LIB(crypt, RAND_egd, [LIBS=-lcrypt $LIBS]))
+AC_CHECK_FUNC(DH_set0_pqg, AC_DEFINE(HAVE_DH_set0_pqg), AC_CHECK_LIB(crypt, DH_set0_pqg, [LIBS=-lcrypt $LIBS]))
+AC_CHECK_FUNC(ASN1_STRING_get0_data, AC_DEFINE(HAVE_ASN1_STRING_get0_data), AC_CHECK_LIB(crypt, ASN1_STRING_get0_data, [LIBS=-lcrypt $LIBS]))
 
 dnl Run time checks
 
--- socat-1.7.3.1.orig/sslcls.c
+++ socat-1.7.3.1/sslcls.c
@@ -331,6 +331,7 @@ void sycSSL_free(SSL *ssl) {
return;
 }
 
+#ifndef OPENSSL_NO_EGD
 int sycRAND_egd(const char *path) {
int result;
Debug1("RAND_egd(\"%s\")", path);
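Review bot: The guard `#ifndef OPENSSL_NO_EGD` on the new line never consults HAVE_RAND_egd, the probe result this same patch adds to configure.in and config.h.in, so the configure check is computed but unused; the xio-openssl.c call site in this patch uses the same bare guard, and the same pair appears in the 2.0.0-b9 patch further down. The upstream 1.7.3.1 patch at the top of this page guards both places with `#if !defined(OPENSSL_NO_EGD) && HAVE_RAND_egd`, which also covers a build whose headers lack the macro but whose library lacks the symbol; using that form here keeps the probe meaningful. The body of sycRAND_egd continues in the next hunk.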
@@ -338,6 +339,7 @@ int sycRAND_egd(const char *path) {
Debug1("RAND_egd() -> %d", result);
return result;
 }
+#endif
 
 DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u) {
DH *result;
--- socat-1.7.3.1.orig/xio-openssl.c
+++ socat-1.7.3.1/xio-openssl.c
@@ -878,7 +878,11 @@ int
}
 
if (opt_egd) {
+#ifndef OPENSSL_NO_EGD
   sycRAND_egd(opt_egd);
+#else
+  Debug("RAND_egd() is not available by OpenSSL");
+#endif
}
 
if (opt_pseudo) {
@@ -936,35 +936,48 @@ int
 	 0x02,
   };
   DH *dh;
+  BIGNUM *p = NULL, *g = NULL;
   unsigned long err;
 
-  if ((dh = DH_new()) == NULL) {
-	 while (err = ERR_get_error()) {
-	Warn1("DH_new(): %s",
-		   ERR_error_string(err, NULL));
-	 }
-	 Error("DH_new() failed");
-  } else {
-	 dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
-	 dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
-	 if ((dh->p == NULL) || (dh->g == NULL)) {
-	while (err = ERR_get_error()) {
-	   Warn1("BN_bin2bn(): %s",
-		 ERR_error_string(err, NULL));
-	}
-	Error("BN_bin2bn() failed");
-	 } else {
-	if (sycSSL_CTX_set_tmp_dh(*ctx, dh) <= 0) {
-	   while (err = ERR_get_error()) {
-		  Warn3("SSL_CTX_set_tmp_dh(%p, %p): %s", *ctx, dh,
-			ERR_error_string(err, NULL));
-	   }
-	   Error2("SSL_CTX_set_tmp_dh(%p, %p) failed", *ctx, dh);
-	}
-	/*! OPENSSL_free(dh->p,g)? doc does not tell so */
-	 }
-	 DH_free(dh);
-  }
+  dh = DH_new();
+  p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
+  g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
+  if (!dh || !p || !g) {
+ if (dh)
+DH_free(dh);
+ if (p)
+BN_free(p);
+ if (g)
+BN_free(g);
+ while (err = ERR_get_error()) {
+Warn1("dh2048 setup(): %s",
+  ERR_error_string(err, NULL));
+ }
+ Error("dh2048 setup failed");
+ goto cont_out;
+  }
+#if !HAVE_DH_set0_pqg
+  dh->p = p;
+  dh->g = g;
+#else
+  if (!DH_set0_pqg(dh, p, NULL, g)) {
+	  DH_free(dh);
+	  BN_free(p);
+	  BN_free(g);
+	  goto cont_out;
+  }
+#endif /* HAVE_DH_set0_pqg */
+  

Bug#828550: socat: FTBFS with openssl 1.1.0

2016-11-24 Thread Gerhard Rieger
Hello,

find attached the adapted patch to socat-2.0.0-b9. Please check if it
works for you!

Regards
Gerhard


Am 19.11.2016 um 15:24 schrieb László Böszörményi (GCS):
> Hi Gerhard,
> 
> On Sat, Nov 5, 2016 at 9:46 PM, Gerhard Rieger  
> wrote:
>> sorry for not replying so long, this was due to private issues I have.
>> I intend to test for the new functions in autoconf and have the
>> preprocessor conditionals check for these results instead of
>> OPENSSL_VERSION_NUMBER.
>  This is just a friendly ping if you have time for this issue or
> should I use the other patch from Sebastian?
> 
> Kind regards,
> Laszlo/GCS
> 

diff --git a/CHANGES b/CHANGES
index 24526b0..f8d613f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,10 @@
 
+porting:
+	Changes to make socat compile with OpenSSL 1.1. 
+	Thanks to Sebastian Andrzej Siewior e.a. from the Debian team for
+	providing the base patch.
+	Debian Bug#828550
+
 ### V 2.0.0-b9:
 
 security:
diff --git a/config.h.in b/config.h.in
index 9058bf8..a5e063e 100644
--- a/config.h.in
+++ b/config.h.in
@@ -447,6 +447,15 @@
 #undef HAVE_DTLSv1_client_method
 #undef HAVE_DTLSv1_server_method
 
+/* Define if you have the OpenSSL RAND_egd function */
+#undef HAVE_RAND_egd
+
+/* Define if you have the OpenSSL DH_set0_pqg function */
+#undef HAVE_DH_set0_pqg
+
+/* Define if you have the OpenSSL ASN1_STRING_get0_data function */
+#undef HAVE_ASN1_STRING_get0_data
+
 
 /* Define if you have the flock function */
 #undef HAVE_FLOCK
diff --git a/configure.in b/configure.in
index 1d2e76f..3c83c7c 100644
--- a/configure.in
+++ b/configure.in
@@ -1467,6 +1467,9 @@ AC_CHECK_FUNC(TLSv1_2_client_method, AC_DEFINE(HAVE_TLSv1_2_client_method), AC_C
 AC_CHECK_FUNC(TLSv1_2_server_method, AC_DEFINE(HAVE_TLSv1_2_server_method), AC_CHECK_LIB(crypt, TLSv1_2_server_method, [LIBS=-lcrypt $LIBS]))
 AC_CHECK_FUNC(DTLSv1_client_method, AC_DEFINE(HAVE_DTLSv1_client_method), AC_CHECK_LIB(crypt, DTLSv1_client_method, [LIBS=-lcrypt $LIBS]))
 AC_CHECK_FUNC(DTLSv1_server_method, AC_DEFINE(HAVE_DTLSv1_server_method), AC_CHECK_LIB(crypt, DTLSv1_server_method, [LIBS=-lcrypt $LIBS]))
+AC_CHECK_FUNC(RAND_egd, AC_DEFINE(HAVE_RAND_egd), AC_CHECK_LIB(crypt, RAND_egd, [LIBS=-lcrypt $LIBS]))
+AC_CHECK_FUNC(DH_set0_pqg, AC_DEFINE(HAVE_DH_set0_pqg), AC_CHECK_LIB(crypt, DH_set0_pqg, [LIBS=-lcrypt $LIBS]))
+AC_CHECK_FUNC(ASN1_STRING_get0_data, AC_DEFINE(HAVE_ASN1_STRING_get0_data), AC_CHECK_LIB(crypt, ASN1_STRING_get0_data, [LIBS=-lcrypt $LIBS]))
 
 dnl Run time checks
 
diff --git a/sslcls.c b/sslcls.c
index ea4c303..cfcfd86 100644
--- a/sslcls.c
+++ b/sslcls.c
@@ -347,6 +347,7 @@ void sycSSL_free(SSL *ssl) {
return;
 }
 
+#ifndef OPENSSL_NO_EGD
 int sycRAND_egd(const char *path) {
int result;
Debug1("RAND_egd(\"%s\")", path);
@@ -354,6 +355,7 @@ int sycRAND_egd(const char *path) {
Debug1("RAND_egd() -> %d", result);
return result;
 }
+#endif
 
 DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u) {
DH *result;
diff --git a/xio-openssl.c b/xio-openssl.c
index c7f283c..6fe5b8a 100644
--- a/xio-openssl.c
+++ b/xio-openssl.c
@@ -1069,35 +1069,48 @@ int
 	 0x02,
   };
   DH *dh;
+  BIGNUM *p = NULL, *g = NULL;
   unsigned long err;
 
-  if ((dh = DH_new()) == NULL) {
-	 while (err = ERR_get_error()) {
-	Warn1("DH_new(): %s",
-		  ERR_error_string(err, NULL));
-	 }
-	 Error("DH_new() failed");
-  } else {
-	 dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
-	 dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
-	 if ((dh->p == NULL) || (dh->g == NULL)) {
-	while (err = ERR_get_error()) {
-	   Warn1("BN_bin2bn(): %s",
-		 ERR_error_string(err, NULL));
-	}
-	Error("BN_bin2bn() failed");
-	 } else {
-	if (sycSSL_CTX_set_tmp_dh(*ctx, dh) <= 0) {
-	   while (err = ERR_get_error()) {
-		  Warn3("SSL_CTX_set_tmp_dh(%p, %p): %s", *ctx, dh,
-			ERR_error_string(err, NULL));
-	   }
-	   Error2("SSL_CTX_set_tmp_dh(%p, %p) failed", *ctx, dh);
-	}
-	/*! OPENSSL_free(dh->p,g)? doc does not tell so */
-	 }
-	 DH_free(dh);
+  dh = DH_new();
+  p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
+  g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
+  if (!dh || !p || !g) {
+ if (dh)
+DH_free(dh);
+ if (p)
+BN_free(p);
+ if (g)
+BN_free(g);
+ while (err = ERR_get_error()) {
+Warn1("dh2048 setup(): %s",
+  ERR_error_string(err, NULL));
+ }
+ Error("dh2048 setup failed");
+ goto cont_out;
+  }
+#if !HAVE_DH_set0_pqg
+  dh->p = p;
+  dh->g = g;
+#else
+  if (!DH_set0_pqg(dh, p, NULL, g)) {
+	  DH_free(dh);
+	  BN_free(p);
+	  BN_free(g);
+	  goto cont_out;
+  }
+#endif /* HAVE_DH_set0_pqg */
+  if (sycSSL_CTX_set_tmp_dh(*ctx, dh) <= 0) {
+ while (err = ERR_get_error()) {
+

Bug#828550: socat: FTBFS with openssl 1.1.0

2016-11-19 Thread GCS
Hi Gerhard,

On Sat, Nov 5, 2016 at 9:46 PM, Gerhard Rieger  wrote:
> sorry for not replying so long, this was due to private issues I have.
> I intend to test for the new functions in autoconf and have the
> preprocessor conditionals check for these results instead of
> OPENSSL_VERSION_NUMBER.
 This is just a friendly ping if you have time for this issue or
should I use the other patch from Sebastian?

Kind regards,
Laszlo/GCS



Bug#828550: socat: FTBFS with openssl 1.1.0

2016-11-05 Thread Gerhard Rieger
Hello,

sorry for not replying so long, this was due to private issues I have.
I intend to test for the new functions in autoconf and have the
preprocessor conditionals check for these results instead of
OPENSSL_VERSION_NUMBER.

Regards
Gerhard


Am 03.11.2016 um 22:38 schrieb Sandro Tosi:
> On Thu, Nov 3, 2016 at 3:59 PM, László Böszörményi (GCS)  
> wrote:
>> On Thu, Nov 3, 2016 at 8:42 PM, Sandro Tosi  wrote:
>>> On Mon, 5 Sep 2016 10:53:05 +0200 Gerhard Rieger
>>>  wrote:
 Thank you, I will check!
>>>
>>> hey Gerhard, do you have a plan to look at this soon (now that openssl
>>> 1.1.0 bugs are RC)? thanks!
>>  Anything wrong with Sebastian Andrzej Siewior's patch? I plan to use
>> if no one objects.
> 
> not from me (but i dont know anything about it :) ) i was just
> checking if there was some problem that prevented Gerhard to update
> the pkg. László if you have time and can prepare an updated pkg that'd
> be great!
> 
> Thanks,
> 



Bug#828550: socat: FTBFS with openssl 1.1.0

2016-11-03 Thread Sandro Tosi
On Thu, Nov 3, 2016 at 3:59 PM, László Böszörményi (GCS)  
wrote:
> On Thu, Nov 3, 2016 at 8:42 PM, Sandro Tosi  wrote:
>> On Mon, 5 Sep 2016 10:53:05 +0200 Gerhard Rieger
>>  wrote:
>>> Thank you, I will check!
>>
>> hey Gerhard, do you have a plan to look at this soon (now that openssl
>> 1.1.0 bugs are RC)? thanks!
>  Anything wrong with Sebastian Andrzej Siewior's patch? I plan to use
> if no one objects.

not from me (but i dont know anything about it :) ) i was just
checking if there was some problem that prevented Gerhard to update
the pkg. László if you have time and can prepare an updated pkg that'd
be great!

Thanks,
-- 
Sandro "morph" Tosi
My website: http://sandrotosi.me/
Me at Debian: http://wiki.debian.org/SandroTosi
G+: https://plus.google.com/u/0/+SandroTosi



Bug#828550: socat: FTBFS with openssl 1.1.0

2016-11-03 Thread GCS
On Thu, Nov 3, 2016 at 8:42 PM, Sandro Tosi  wrote:
> On Mon, 5 Sep 2016 10:53:05 +0200 Gerhard Rieger
>  wrote:
>> Thank you, I will check!
>
> hey Gerhard, do you have a plan to look at this soon (now that openssl
> 1.1.0 bugs are RC)? thanks!
 Anything wrong with Sebastian Andrzej Siewior's patch? I plan to use
if no one objects.

Laszlo/GCS



Bug#828550: socat: FTBFS with openssl 1.1.0

2016-11-03 Thread Sandro Tosi
On Mon, 5 Sep 2016 10:53:05 +0200 Gerhard Rieger
 wrote:
> Thank you, I will check!

hey Gerhard, do you have a plan to look at this soon (now that openssl
1.1.0 bugs are RC)? thanks!



Bug#828550: socat: FTBFS with openssl 1.1.0

2016-09-05 Thread Gerhard Rieger
Thank you, I will check!

Regards
Gerhard


Am 29.08.2016 um 21:37 schrieb Sebastian Andrzej Siewior:
> control: tags -1 patch
> 
> On 2016-06-26 12:24:09 [+0200], Kurt Roeckx wrote:
>> Source: socat
>> Version: 1.7.3.1-1
>>
>> OpenSSL 1.1.0 is about to released.  During a rebuild of all packages using
>> OpenSSL this package fail to build.  A log of that build can be found at:
>> https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/socat_1.7.3.1-1_amd64-20160529-1537
> 
> The patch attached fixes it and is against socat socat version 2 beta 8.
> Should it not make in time into unstable I can prepare a patch against
> 1.7.3.1.
> 
>> Kurt
> 
> Sebastian
> 



Bug#828550: socat: FTBFS with openssl 1.1.0

2016-08-29 Thread Sebastian Andrzej Siewior
control: tags -1 patch

On 2016-06-26 12:24:09 [+0200], Kurt Roeckx wrote:
> Source: socat
> Version: 1.7.3.1-1
> 
> OpenSSL 1.1.0 is about to released.  During a rebuild of all packages using
> OpenSSL this package fail to build.  A log of that build can be found at:
> https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/socat_1.7.3.1-1_amd64-20160529-1537

The patch attached fixes it and is against socat socat version 2 beta 8.
Should it not make in time into unstable I can prepare a patch against
1.7.3.1.

> Kurt

Sebastian
>From 25885d9f1193580ec16cffaf6657f5fcaffa9987 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior 
Date: Mon, 29 Aug 2016 19:25:15 +
Subject: [PATCH] socat-2: port to openssl 1.1.0

TLSv1_server_method() and friends are deprecated and could be removed in a
future release. It is recommended to use SSLv23_server_method() to get the
highest possible SSL/TLS version (unless explicitly disabled via an OpenSSL flag).
TLSv1_server_method() will not allow to use TLS1.2 even if available.

It is believed that using the same DH parameters on every server is subject to
computation attacks, see weakdh.org

OpenSSL's EGD interface is optional (and disabled by default).

Signed-off-by: Sebastian Andrzej Siewior 
---
 sslcls.c  |  6 +
 xio-openssl.c | 81 ++-
 2 files changed, 59 insertions(+), 28 deletions(-)

diff --git a/sslcls.c b/sslcls.c
index 260202a..449370d 100644
--- a/sslcls.c
+++ b/sslcls.c
@@ -364,11 +364,17 @@ void sycSSL_free(SSL *ssl) {
 }
 
 int sycRAND_egd(const char *path) {
+#ifdef OPENSSL_NO_EGD
+   Debug("RAND_egd() is not available by OpenSSL");
+   return -1;
+
+#else
int result;
Debug1("RAND_egd(\"%s\")", path);
result = RAND_egd(path);
Debug1("RAND_egd() -> %d", result);
return result;
+#endif
 }
 
 DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u) {
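Review bot: When OPENSSL_NO_EGD is set, the new branch reports the missing entropy source only at Debug level and returns -1, which is easy to miss for an option the user explicitly requested; at the 1.7.3.1 call site shown elsewhere on this page the return value of sycRAND_egd() is not checked, so the -1 is presumably lost unless the caller in this tree differs. A Warn-level message that names the ignored path, `Warn1("RAND_egd() is not available by OpenSSL; egd=\"%s\" ignored", path);`, surfaces the problem and also references `path`, which is otherwise unused in this branch and may draw an unused-parameter warning. The whole function body is inside this hunk.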
diff --git a/xio-openssl.c b/xio-openssl.c
index c7f283c..d77a486 100644
--- a/xio-openssl.c
+++ b/xio-openssl.c
@@ -1069,35 +1069,48 @@ int
 	 0x02,
   };
   DH *dh;
+  BIGNUM *p = NULL, *g = NULL;
   unsigned long err;
 
-  if ((dh = DH_new()) == NULL) {
-	 while (err = ERR_get_error()) {
-	Warn1("DH_new(): %s",
-		  ERR_error_string(err, NULL));
-	 }
-	 Error("DH_new() failed");
-  } else {
-	 dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
-	 dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
-	 if ((dh->p == NULL) || (dh->g == NULL)) {
-	while (err = ERR_get_error()) {
-	   Warn1("BN_bin2bn(): %s",
-		 ERR_error_string(err, NULL));
-	}
-	Error("BN_bin2bn() failed");
-	 } else {
-	if (sycSSL_CTX_set_tmp_dh(*ctx, dh) <= 0) {
-	   while (err = ERR_get_error()) {
-		  Warn3("SSL_CTX_set_tmp_dh(%p, %p): %s", *ctx, dh,
-			ERR_error_string(err, NULL));
-	   }
-	   Error2("SSL_CTX_set_tmp_dh(%p, %p) failed", *ctx, dh);
-	}
-	/*! OPENSSL_free(dh->p,g)? doc does not tell so */
-	 }
-	 DH_free(dh);
+  dh = DH_new();
+  p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
+  g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
+  if (!dh || !p || !g) {
+ if (dh)
+DH_free(dh);
+ if (p)
+BN_free(p);
+ if (g)
+BN_free(g);
+ while (err = ERR_get_error()) {
+Warn1("dh2048 setup(): %s",
+  ERR_error_string(err, NULL));
+ }
+ Error("dh2048 setup failed");
+ goto cont_out;
+  }
+#if OPENSSL_VERSION_NUMBER < 0x1010
+  dh->p = p;
+  dh->g = g;
+#else
+  if (!DH_set0_pqg(dh, p, NULL, g)) {
+	  DH_free(dh);
+	  BN_free(p);
+	  BN_free(g);
+	  goto cont_out;
   }
+#endif
+  if (sycSSL_CTX_set_tmp_dh(*ctx, dh) <= 0) {
+ while (err = ERR_get_error()) {
+Warn3("SSL_CTX_set_tmp_dh(%p, %p): %s", *ctx, dh,
+  ERR_error_string(err, NULL));
+ }
+ Error2("SSL_CTX_set_tmp_dh(%p, %p) failed", *ctx, dh);
+  }
+  /* p & g are freed by DH_free() once attached */
+  DH_free(dh);
+cont_out:
+  ;
}
 
 #if defined(EC_KEY)  /* not on Openindiana 5.11 */
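Review bot: The gate `#if OPENSSL_VERSION_NUMBER < 0x1010` compares against a constant that is far too small: OPENSSL_VERSION_NUMBER is packed as 0xMNNFFPPS (1.0.2 releases are 0x10002xxxL), so every real release exceeds 0x1010, the `dh->p = p;` branch is dead code, and a build against OpenSSL 1.0.x selects the DH_set0_pqg branch whose function it lacks. The line should read `#if OPENSSL_VERSION_NUMBER < 0x10100000L`; the next hunk of this file (the RAND_F_* gate) uses the same constant and needs the same fix. The DH_set0_pqg failure path also jumps to cont_out without any Warn or Error, unlike the DH_new/BN_bin2bn path just above it, so the context would quietly continue without temporary DH parameters; an `Error("DH_set0_pqg() failed");` before the goto keeps the two paths consistent. The enclosing function starts before this hunk.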
@@ -1236,7 +1249,11 @@ static int openssl_SSL_ERROR_SSL(int level, const char *funcname) {
while (e = ERR_get_error()) {
   Debug1("ERR_get_error(): %lx", e);
   if (e == ((ERR_LIB_RAND<<24)|
+#if OPENSSL_VERSION_NUMBER < 0x1010
 		(RAND_F_SSLEAY_RAND_BYTES<<12)|
+#else
+		(RAND_F_RAND_BYTES<<12)|
+#endif
 		(RAND_R_PRNG_NOT_SEEDED)) /*0x24064064*/) {
 	 Error("too few entropy; use options \"egd\" or \"pseudo\"");
 	 stat = STAT_NORETRY;
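Review bot: The not-seeded check still compares `e` against a fully packed error code, which is why it now needs a per-version function code; the function-code half is an OpenSSL internal that this very hunk shows being renamed between releases (RAND_F_SSLEAY_RAND_BYTES vs RAND_F_RAND_BYTES). Comparing only library and reason survives such renames and removes the preprocessor branch: `if (ERR_GET_LIB(e) == ERR_LIB_RAND && ERR_GET_REASON(e) == RAND_R_PRNG_NOT_SEEDED) {`. The function openssl_SSL_ERROR_SSL starts before this hunk and continues after it.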
@@ -1388,7 +1405,7 @@ static bool openssl_check_peername(X509_NAME *name, const char *peername) {
int ind = -1;
X509_NAME_ENTRY *entry;
ASN1_STRING *data;
-   unsigned char *text;
+   const unsigned char *text;
ind = X509_NAME_get_index_by_NID(name, NID_commonName, 

Bug#828550: socat: FTBFS with openssl 1.1.0

2016-06-26 Thread Kurt Roeckx
Source: socat
Version: 1.7.3.1-1
Severity: important
Control: block 827061 by -1

Hi,

OpenSSL 1.1.0 is about to be released.  During a rebuild of all packages using
OpenSSL this package fails to build.  A log of that build can be found at:
https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/socat_1.7.3.1-1_amd64-20160529-1537

On https://wiki.openssl.org/index.php/1.1_API_Changes you can see various of the
reasons why it might fail.  There are also updated man pages at
https://www.openssl.org/docs/manmaster/ that should contain useful information.

There is a libssl-dev package available in experimental that contains a recent
snapshot, I suggest you try building against that to see if everything works.

If you have problems making things work, feel free to contact us.


Kurt