Bug#828550: socat: FTBFS with openssl 1.1.0
Hello, there are plans but no schedule for a stable version 2 release. Do not rely on it. A new version 1 reelase with important bug fixes (but not security related) is intended within the next few weeks. Please find attached the patch for OpenSSL 1.1 for Socat 1.7.3.1, modified again... Regards Gerhard Am 25.11.2016 um 10:10 schrieb László Böszörményi (GCS): > Hi, > > On Thu, Nov 24, 2016 at 9:12 PM, Gerhard Rieger >wrote: >> find attached the adapted patch to socat-2.0.0-b9. Please check if it >> works for you! > Any plans for a stable tagged 2.0.0 release? I still have 1.7.3.1 for > the next stable Debian release with the adopted patch, attached. The > only notable change that if OpenSSL 1.1+ is used for compilation, I > have to print that egd is not supported by the OpenSSL version - you > protected the function only, but not its call. > > Thanks, > Laszlo/GCS > diff --git CHANGES CHANGES index ab611ff..6293ca8 100644 --- CHANGES +++ CHANGES @@ -1,3 +1,8 @@ +porting: + Changes to make socat compile with OpenSSL 1.1. + Thanks to Sebastian Andrzej Siewior e.a. from the Debian team for + providing the base patch. + Debian Bug#828550 ### V 1.7.3.1: diff --git config.h.in config.h.in index 3f28702..ed821c0 100644 --- config.h.in +++ config.h.in @@ -447,6 +447,15 @@ #undef HAVE_DTLSv1_client_method #undef HAVE_DTLSv1_server_method +/* Define if you have the OpenSSL RAND_egd function */ +#undef HAVE_RAND_egd + +/* Define if you have the OpenSSL DH_set0_pqg function */ +#undef HAVE_DH_set0_pqg + +/* Define if you have the OpenSSL ASN1_STRING_get0_data function */ +#undef HAVE_ASN1_STRING_get0_data + /* Define if you have the flock function */ #undef HAVE_FLOCK diff --git configure.in configure.in index e1b7f4c..84939f3 100644 --- configure.in +++ configure.in 
@@ -1450,6 +1450,9 @@ AC_CHECK_FUNC(TLSv1_2_client_method, AC_DEFINE(HAVE_TLSv1_2_client_method), AC_C AC_CHECK_FUNC(TLSv1_2_server_method, AC_DEFINE(HAVE_TLSv1_2_server_method), AC_CHECK_LIB(crypt, TLSv1_2_server_method, [LIBS=-lcrypt $LIBS])) AC_CHECK_FUNC(DTLSv1_client_method, AC_DEFINE(HAVE_DTLSv1_client_method), AC_CHECK_LIB(crypt, DTLSv1_client_method, [LIBS=-lcrypt $LIBS])) AC_CHECK_FUNC(DTLSv1_server_method, AC_DEFINE(HAVE_DTLSv1_server_method), AC_CHECK_LIB(crypt, DTLSv1_server_method, [LIBS=-lcrypt $LIBS])) +AC_CHECK_FUNC(RAND_egd, AC_DEFINE(HAVE_RAND_egd), AC_CHECK_LIB(crypt, RAND_egd, [LIBS=-lcrypt $LIBS])) +AC_CHECK_FUNC(DH_set0_pqg, AC_DEFINE(HAVE_DH_set0_pqg), AC_CHECK_LIB(crypt, DH_set0_pqg, [LIBS=-lcrypt $LIBS])) +AC_CHECK_FUNC(ASN1_STRING_get0_data, AC_DEFINE(HAVE_ASN1_STRING_get0_data), AC_CHECK_LIB(crypt, ASN1_STRING_get0_data, [LIBS=-lcrypt $LIBS])) dnl Run time checks diff --git sslcls.c sslcls.c index 6ddc077..1e2ec6a 100644 --- sslcls.c +++ sslcls.c @@ -331,6 +331,7 @@ void sycSSL_free(SSL *ssl) { return; } +#if !defined(OPENSSL_NO_EGD) && HAVE_RAND_egd int sycRAND_egd(const char *path) { int result; Debug1("RAND_egd(\"%s\")", path); @@ -338,6 +339,7 @@ int sycRAND_egd(const char *path) { Debug1("RAND_egd() -> %d", result); return result; } +#endif DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u) { DH *result; diff --git xio-openssl.c xio-openssl.c index b7e95c1..1e06d28 100644 --- xio-openssl.c +++ xio-openssl.c @@ -878,7 +878,11 @@ int } if (opt_egd) { +#if !defined(OPENSSL_NO_EGD) && HAVE_RAND_egd sycRAND_egd(opt_egd); +#else + Debug("RAND_egd() is not available by OpenSSL"); +#endif } if (opt_pseudo) { 
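Review bot: The new `AC_CHECK_FUNC(RAND_egd, ...)` line defines `HAVE_RAND_egd` only when the symbol is found with the current LIBS; its `AC_CHECK_LIB` fallback adds the library but never calls `AC_DEFINE`, so a build that finds RAND_egd only through that fallback compiles the EGD code out via the `HAVE_RAND_egd` guards in sslcls.c and xio-openssl.c even though the function is linkable. The same applies to the `HAVE_DH_set0_pqg` and `HAVE_ASN1_STRING_get0_data` lines, which this patch also tests with `#if`. A minimal fix per line is `AC_CHECK_LIB(crypt, RAND_egd, [AC_DEFINE(HAVE_RAND_egd) LIBS="-lcrypt $LIBS"])`. The fallback library name `crypt` is copied from the neighbouring lines; if libcrypto is what is meant there, the fallback cannot find OpenSSL symbols at all, which is worth confirming.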
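Review bot: In the xio-openssl.c hunk the `#else` branch reports the missing EGD support at `Debug` level, so when the user passes the `egd` option on an OpenSSL without it, the explicitly requested entropy source is silently dropped at the default verbosity; `Warn("RAND_egd() is not available by OpenSSL");` would make the ignored option visible. The same Debug-only report appears in the later xio-openssl.c hunks of this thread and in the `OPENSSL_NO_EGD` branch of sycRAND_egd in Sebastian's sslcls.c patch, where the `-1` it returns is presumably also ignored by the caller (the call site is outside that hunk). The enclosing function starts and ends outside this hunk.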
@@ -936,35 +940,48 @@ int 0x02, }; DH *dh; + BIGNUM *p = NULL, *g = NULL; unsigned long err; - if ((dh = DH_new()) == NULL) { - while (err = ERR_get_error()) { - Warn1("DH_new(): %s", - ERR_error_string(err, NULL)); - } - Error("DH_new() failed"); - } else { - dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL); - dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL); - if ((dh->p == NULL) || (dh->g == NULL)) { - while (err = ERR_get_error()) { - Warn1("BN_bin2bn(): %s", - ERR_error_string(err, NULL)); - } - Error("BN_bin2bn() failed"); - } else { - if (sycSSL_CTX_set_tmp_dh(*ctx, dh) <= 0) { - while (err = ERR_get_error()) { - Warn3("SSL_CTX_set_tmp_dh(%p, %p): %s", *ctx, dh, - ERR_error_string(err, NULL)); - } - Error2("SSL_CTX_set_tmp_dh(%p, %p) failed", *ctx, dh); - } - /*! OPENSSL_free(dh->p,g)? doc does not tell so */ - } - DH_free(dh); + dh = DH_new(); + p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL); + g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL); + if (!dh || !p || !g) { + if (dh) +DH_free(dh); + if (p) +BN_free(p); + if (g) +BN_free(g); + while (err = ERR_get_error()) { +Warn1("dh2048 setup(): %s", +
Bug#828550: socat: FTBFS with openssl 1.1.0
Hi, On Thu, Nov 24, 2016 at 9:12 PM, Gerhard Riegerwrote: > find attached the adapted patch to socat-2.0.0-b9. Please check if it > works for you! Any plans for a stable tagged 2.0.0 release? I still have 1.7.3.1 for the next stable Debian release with the adopted patch, attached. The only notable change that if OpenSSL 1.1+ is used for compilation, I have to print that egd is not supported by the OpenSSL version - you protected the function only, but not its call. Thanks, Laszlo/GCS Description: fix build with OpenSSL 1.1.0+ Makes compilation work with both OpenSSL 1.0 and 1.1 versions. Bug-Debian: https://bugs.debian.org/828550 Origin: Sebastian Andrzej Siewior Author: Gerhard Rieger Last-Update: 2016-11-24 --- --- socat-1.7.3.1.orig/CHANGES +++ socat-1.7.3.1/CHANGES @@ -1,3 +1,8 @@ +porting: + Changes to make socat compile with OpenSSL 1.1. + Thanks to Sebastian Andrzej Siewior e.a. from the Debian team for + providing the base patch. + Debian Bug#828550 ### V 1.7.3.1: --- socat-1.7.3.1.orig/config.h.in +++ socat-1.7.3.1/config.h.in @@ -447,6 +447,15 @@ #undef HAVE_DTLSv1_client_method #undef HAVE_DTLSv1_server_method +/* Define if you have the OpenSSL RAND_egd function */ +#undef HAVE_RAND_egd + +/* Define if you have the OpenSSL DH_set0_pqg function */ +#undef HAVE_DH_set0_pqg + +/* Define if you have the OpenSSL ASN1_STRING_get0_data function */ +#undef HAVE_ASN1_STRING_get0_data + /* Define if you have the flock function */ #undef HAVE_FLOCK --- socat-1.7.3.1.orig/configure.in +++ socat-1.7.3.1/configure.in 
@@ -1450,6 +1450,9 @@ AC_CHECK_FUNC(TLSv1_2_client_method, AC_ AC_CHECK_FUNC(TLSv1_2_server_method, AC_DEFINE(HAVE_TLSv1_2_server_method), AC_CHECK_LIB(crypt, TLSv1_2_server_method, [LIBS=-lcrypt $LIBS])) AC_CHECK_FUNC(DTLSv1_client_method, AC_DEFINE(HAVE_DTLSv1_client_method), AC_CHECK_LIB(crypt, DTLSv1_client_method, [LIBS=-lcrypt $LIBS])) AC_CHECK_FUNC(DTLSv1_server_method, AC_DEFINE(HAVE_DTLSv1_server_method), AC_CHECK_LIB(crypt, DTLSv1_server_method, [LIBS=-lcrypt $LIBS])) +AC_CHECK_FUNC(RAND_egd, AC_DEFINE(HAVE_RAND_egd), AC_CHECK_LIB(crypt, RAND_egd, [LIBS=-lcrypt $LIBS])) +AC_CHECK_FUNC(DH_set0_pqg, AC_DEFINE(HAVE_DH_set0_pqg), AC_CHECK_LIB(crypt, DH_set0_pqg, [LIBS=-lcrypt $LIBS])) +AC_CHECK_FUNC(ASN1_STRING_get0_data, AC_DEFINE(HAVE_ASN1_STRING_get0_data), AC_CHECK_LIB(crypt, ASN1_STRING_get0_data, [LIBS=-lcrypt $LIBS])) dnl Run time checks --- socat-1.7.3.1.orig/sslcls.c +++ socat-1.7.3.1/sslcls.c @@ -331,6 +331,7 @@ void sycSSL_free(SSL *ssl) { return; } +#ifndef OPENSSL_NO_EGD int sycRAND_egd(const char *path) { int result; Debug1("RAND_egd(\"%s\")", path); @@ -338,6 +339,7 @@ int sycRAND_egd(const char *path) { Debug1("RAND_egd() -> %d", result); return result; } +#endif DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u) { DH *result; --- socat-1.7.3.1.orig/xio-openssl.c +++ socat-1.7.3.1/xio-openssl.c @@ -878,7 +878,11 @@ int } if (opt_egd) { +#ifndef OPENSSL_NO_EGD sycRAND_egd(opt_egd); +#else + Debug("RAND_egd() is not available by OpenSSL"); +#endif } if (opt_pseudo) { 
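Review bot: The sslcls.c and xio-openssl.c hunks in this version gate the EGD code on `#ifndef OPENSSL_NO_EGD` alone, while the configure.in hunk of the same patch adds the `HAVE_RAND_egd` probe; nothing consults that result, so the new autoconf test and its config.h.in entry are dead in this revision. Combining both conditions, `#if !defined(OPENSSL_NO_EGD) && HAVE_RAND_egd`, in both files makes the configure check meaningful and also covers an OpenSSL whose headers do not define `OPENSSL_NO_EGD` but lacks the symbol. The 2.0.0-b9 patch further down this page has the same mismatch.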
@@ -936,35 +936,48 @@ int 0x02, }; DH *dh; + BIGNUM *p = NULL, *g = NULL; unsigned long err; - if ((dh = DH_new()) == NULL) { - while (err = ERR_get_error()) { - Warn1("DH_new(): %s", - ERR_error_string(err, NULL)); - } - Error("DH_new() failed"); - } else { - dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL); - dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL); - if ((dh->p == NULL) || (dh->g == NULL)) { - while (err = ERR_get_error()) { - Warn1("BN_bin2bn(): %s", - ERR_error_string(err, NULL)); - } - Error("BN_bin2bn() failed"); - } else { - if (sycSSL_CTX_set_tmp_dh(*ctx, dh) <= 0) { - while (err = ERR_get_error()) { - Warn3("SSL_CTX_set_tmp_dh(%p, %p): %s", *ctx, dh, - ERR_error_string(err, NULL)); - } - Error2("SSL_CTX_set_tmp_dh(%p, %p) failed", *ctx, dh); - } - /*! OPENSSL_free(dh->p,g)? doc does not tell so */ - } - DH_free(dh); - } + dh = DH_new(); + p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL); + g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL); + if (!dh || !p || !g) { + if (dh) +DH_free(dh); + if (p) +BN_free(p); + if (g) +BN_free(g); + while (err = ERR_get_error()) { +Warn1("dh2048 setup(): %s", + ERR_error_string(err, NULL)); + } + Error("dh2048 setup failed"); + goto cont_out; + } +#if !HAVE_DH_set0_pqg + dh->p = p; + dh->g = g; +#else + if (!DH_set0_pqg(dh, p, NULL, g)) { + DH_free(dh); + BN_free(p); + BN_free(g); + goto cont_out; + } +#endif /* HAVE_DH_set0_pqg */ +
Bug#828550: socat: FTBFS with openssl 1.1.0
Hello, find attached the adapted patch to socat-2.0.0-b9. Please check if it works for you! Regards Gerhard Am 19.11.2016 um 15:24 schrieb László Böszörményi (GCS): > Hi Gerhard, > > On Sat, Nov 5, 2016 at 9:46 PM, Gerhard Rieger> wrote: >> sorry for not replying so long, this was due to private issues I have. >> I intend to test for the new functions in autoconf and have the >> preprocessor conditionals check for these results instead of >> OPENSSL_VERSION_NUMBER. > This is just a friendly ping if you have time for this issue or > should I use the other patch from Sebastian? > > Kind regards, > Laszlo/GCS > diff --git a/CHANGES b/CHANGES index 24526b0..f8d613f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,10 @@ +porting: + Changes to make socat compile with OpenSSL 1.1. + Thanks to Sebastian Andrzej Siewior e.a. from the Debian team for + providing the base patch. + Debian Bug#828550 + ### V 2.0.0-b9: security: diff --git a/config.h.in b/config.h.in index 9058bf8..a5e063e 100644 --- a/config.h.in +++ b/config.h.in @@ -447,6 +447,15 @@ #undef HAVE_DTLSv1_client_method #undef HAVE_DTLSv1_server_method +/* Define if you have the OpenSSL RAND_egd function */ +#undef HAVE_RAND_egd + +/* Define if you have the OpenSSL DH_set0_pqg function */ +#undef HAVE_DH_set0_pqg + +/* Define if you have the OpenSSL ASN1_STRING_get0_data function */ +#undef HAVE_ASN1_STRING_get0_data + /* Define if you have the flock function */ #undef HAVE_FLOCK diff --git a/configure.in b/configure.in index 1d2e76f..3c83c7c 100644 --- a/configure.in +++ b/configure.in 
@@ -1467,6 +1467,9 @@ AC_CHECK_FUNC(TLSv1_2_client_method, AC_DEFINE(HAVE_TLSv1_2_client_method), AC_C AC_CHECK_FUNC(TLSv1_2_server_method, AC_DEFINE(HAVE_TLSv1_2_server_method), AC_CHECK_LIB(crypt, TLSv1_2_server_method, [LIBS=-lcrypt $LIBS])) AC_CHECK_FUNC(DTLSv1_client_method, AC_DEFINE(HAVE_DTLSv1_client_method), AC_CHECK_LIB(crypt, DTLSv1_client_method, [LIBS=-lcrypt $LIBS])) AC_CHECK_FUNC(DTLSv1_server_method, AC_DEFINE(HAVE_DTLSv1_server_method), AC_CHECK_LIB(crypt, DTLSv1_server_method, [LIBS=-lcrypt $LIBS])) +AC_CHECK_FUNC(RAND_egd, AC_DEFINE(HAVE_RAND_egd), AC_CHECK_LIB(crypt, RAND_egd, [LIBS=-lcrypt $LIBS])) +AC_CHECK_FUNC(DH_set0_pqg, AC_DEFINE(HAVE_DH_set0_pqg), AC_CHECK_LIB(crypt, DH_set0_pqg, [LIBS=-lcrypt $LIBS])) +AC_CHECK_FUNC(ASN1_STRING_get0_data, AC_DEFINE(HAVE_ASN1_STRING_get0_data), AC_CHECK_LIB(crypt, ASN1_STRING_get0_data, [LIBS=-lcrypt $LIBS])) dnl Run time checks diff --git a/sslcls.c b/sslcls.c index ea4c303..cfcfd86 100644 --- a/sslcls.c +++ b/sslcls.c @@ -347,6 +347,7 @@ void sycSSL_free(SSL *ssl) { return; } +#ifndef OPENSSL_NO_EGD int sycRAND_egd(const char *path) { int result; Debug1("RAND_egd(\"%s\")", path); @@ -354,6 +355,7 @@ int sycRAND_egd(const char *path) { Debug1("RAND_egd() -> %d", result); return result; } +#endif DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u) { DH *result; diff --git a/xio-openssl.c b/xio-openssl.c index c7f283c..6fe5b8a 100644 --- a/xio-openssl.c +++ b/xio-openssl.c 
@@ -1069,35 +1069,48 @@ int 0x02, }; DH *dh; + BIGNUM *p = NULL, *g = NULL; unsigned long err; - if ((dh = DH_new()) == NULL) { - while (err = ERR_get_error()) { - Warn1("DH_new(): %s", - ERR_error_string(err, NULL)); - } - Error("DH_new() failed"); - } else { - dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL); - dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL); - if ((dh->p == NULL) || (dh->g == NULL)) { - while (err = ERR_get_error()) { - Warn1("BN_bin2bn(): %s", - ERR_error_string(err, NULL)); - } - Error("BN_bin2bn() failed"); - } else { - if (sycSSL_CTX_set_tmp_dh(*ctx, dh) <= 0) { - while (err = ERR_get_error()) { - Warn3("SSL_CTX_set_tmp_dh(%p, %p): %s", *ctx, dh, - ERR_error_string(err, NULL)); - } - Error2("SSL_CTX_set_tmp_dh(%p, %p) failed", *ctx, dh); - } - /*! OPENSSL_free(dh->p,g)? doc does not tell so */ - } - DH_free(dh); + dh = DH_new(); + p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL); + g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL); + if (!dh || !p || !g) { + if (dh) +DH_free(dh); + if (p) +BN_free(p); + if (g) +BN_free(g); + while (err = ERR_get_error()) { +Warn1("dh2048 setup(): %s", + ERR_error_string(err, NULL)); + } + Error("dh2048 setup failed"); + goto cont_out; + } +#if !HAVE_DH_set0_pqg + dh->p = p; + dh->g = g; +#else + if (!DH_set0_pqg(dh, p, NULL, g)) { + DH_free(dh); + BN_free(p); + BN_free(g); + goto cont_out; + } +#endif /* HAVE_DH_set0_pqg */ + if (sycSSL_CTX_set_tmp_dh(*ctx, dh) <= 0) { + while (err = ERR_get_error()) { +
Bug#828550: socat: FTBFS with openssl 1.1.0
Hi Gerhard, On Sat, Nov 5, 2016 at 9:46 PM, Gerhard Riegerwrote: > sorry for not replying so long, this was due to private issues I have. > I intend to test for the new functions in autoconf and have the > preprocessor conditionals check for these results instead of > OPENSSL_VERSION_NUMBER. This is just a friendly ping if you have time for this issue or should I use the other patch from Sebastian? Kind regards, Laszlo/GCS
Bug#828550: socat: FTBFS with openssl 1.1.0
Hello, sorry for not replying so long, this was due to private issues I have. I intend to test for the new functions in autoconf and have the preprocessor conditionals check for these results instead of OPENSSL_VERSION_NUMBER. Regards Gerhard Am 03.11.2016 um 22:38 schrieb Sandro Tosi: > On Thu, Nov 3, 2016 at 3:59 PM, László Böszörményi (GCS)> wrote: >> On Thu, Nov 3, 2016 at 8:42 PM, Sandro Tosi wrote: >>> On Mon, 5 Sep 2016 10:53:05 +0200 Gerhard Rieger >>> wrote: Thank you, I will check! >>> >>> hey Gerhard, do you have a plan to look at this soon (now that openssl >>> 1.1.0 bugs are RC)? thanks! >> Anything wrong with Sebastian Andrzej Siewior's patch? I plan to use >> if no one objects. > > not from me (but i dont know anything about it :) ) i was just > checking if there was some problem that prevented Gerhard to update > the pkg. László if you have time and can prepare an updated pkg that'd > be great! > > Thanks, >
Bug#828550: socat: FTBFS with openssl 1.1.0
On Thu, Nov 3, 2016 at 3:59 PM, László Böszörményi (GCS)wrote: > On Thu, Nov 3, 2016 at 8:42 PM, Sandro Tosi wrote: >> On Mon, 5 Sep 2016 10:53:05 +0200 Gerhard Rieger >> wrote: >>> Thank you, I will check! >> >> hey Gerhard, do you have a plan to look at this soon (now that openssl >> 1.1.0 bugs are RC)? thanks! > Anything wrong with Sebastian Andrzej Siewior's patch? I plan to use > if no one objects. not from me (but i dont know anything about it :) ) i was just checking if there was some problem that prevented Gerhard to update the pkg. László if you have time and can prepare an updated pkg that'd be great! Thanks, -- Sandro "morph" Tosi My website: http://sandrotosi.me/ Me at Debian: http://wiki.debian.org/SandroTosi G+: https://plus.google.com/u/0/+SandroTosi
Bug#828550: socat: FTBFS with openssl 1.1.0
On Thu, Nov 3, 2016 at 8:42 PM, Sandro Tosiwrote: > On Mon, 5 Sep 2016 10:53:05 +0200 Gerhard Rieger > wrote: >> Thank you, I will check! > > hey Gerhard, do you have a plan to look at this soon (now that openssl > 1.1.0 bugs are RC)? thanks! Anything wrong with Sebastian Andrzej Siewior's patch? I plan to use if no one objects. Laszlo/GCS
Bug#828550: socat: FTBFS with openssl 1.1.0
On Mon, 5 Sep 2016 10:53:05 +0200 Gerhard Riegerwrote: > Thank you, I will check! hey Gerhard, do you have a plan to look at this soon (now that openssl 1.1.0 bugs are RC)? thanks!
Bug#828550: socat: FTBFS with openssl 1.1.0
Thank you, I will check! Regards Gerhard Am 29.08.2016 um 21:37 schrieb Sebastian Andrzej Siewior: > control: tags -1 patch > > On 2016-06-26 12:24:09 [+0200], Kurt Roeckx wrote: >> Source: socat >> Version: 1.7.3.1-1 >> >> OpenSSL 1.1.0 is about to released. During a rebuild of all packages using >> OpenSSL this package fail to build. A log of that build can be found at: >> https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/socat_1.7.3.1-1_amd64-20160529-1537 > > The patch attached fixes it and is against socat socat version 2 beta 8. > Should it not make in time into unstable I can prepare a patch against > 1.7.3.1. > >> Kurt > > Sebastian >
Bug#828550: socat: FTBFS with openssl 1.1.0
control: tags -1 patch On 2016-06-26 12:24:09 [+0200], Kurt Roeckx wrote: > Source: socat > Version: 1.7.3.1-1 > > OpenSSL 1.1.0 is about to released. During a rebuild of all packages using > OpenSSL this package fail to build. A log of that build can be found at: > https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/socat_1.7.3.1-1_amd64-20160529-1537 The patch attached fixes it and is against socat socat version 2 beta 8. Should it not make in time into unstable I can prepare a patch against 1.7.3.1. > Kurt Sebastian >From 25885d9f1193580ec16cffaf6657f5fcaffa9987 Mon Sep 17 00:00:00 2001 From: Sebastian Andrzej SiewiorDate: Mon, 29 Aug 2016 19:25:15 + Subject: [PATCH] socat-2: port to openssl 1.1.0 TLSv1_server_method() and frieds are deprecated and could be removed in a future release. It is reommended to use SSLv23_server_method() to get the highest possible SSL/TLS version (unless explicit disable via OpenSSL flag). TLSv1_server_method() will not allow to use TLS1.2 even if available. It is believed that using the same DH parameters on every server is subject to computation attacks, see weakdh.org OpenSSL's EGD interface is optional (and disabled by default). Signed-off-by: Sebastian Andrzej Siewior --- sslcls.c | 6 + xio-openssl.c | 81 ++- 2 files changed, 59 insertions(+), 28 deletions(-) diff --git a/sslcls.c b/sslcls.c index 260202a..449370d 100644 --- a/sslcls.c +++ b/sslcls.c @@ -364,11 +364,17 @@ void sycSSL_free(SSL *ssl) { } int sycRAND_egd(const char *path) { +#ifdef OPENSSL_NO_EGD + Debug("RAND_egd() is not available by OpenSSL"); + return -1; + +#else int result; Debug1("RAND_egd(\"%s\")", path); result = RAND_egd(path); Debug1("RAND_egd() -> %d", result); return result; +#endif } DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u) { diff --git a/xio-openssl.c b/xio-openssl.c index c7f283c..d77a486 100644 --- a/xio-openssl.c +++ b/xio-openssl.c 
@@ -1069,35 +1069,48 @@ int 0x02, }; DH *dh; + BIGNUM *p = NULL, *g = NULL; unsigned long err; - if ((dh = DH_new()) == NULL) { - while (err = ERR_get_error()) { - Warn1("DH_new(): %s", - ERR_error_string(err, NULL)); - } - Error("DH_new() failed"); - } else { - dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL); - dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL); - if ((dh->p == NULL) || (dh->g == NULL)) { - while (err = ERR_get_error()) { - Warn1("BN_bin2bn(): %s", - ERR_error_string(err, NULL)); - } - Error("BN_bin2bn() failed"); - } else { - if (sycSSL_CTX_set_tmp_dh(*ctx, dh) <= 0) { - while (err = ERR_get_error()) { - Warn3("SSL_CTX_set_tmp_dh(%p, %p): %s", *ctx, dh, - ERR_error_string(err, NULL)); - } - Error2("SSL_CTX_set_tmp_dh(%p, %p) failed", *ctx, dh); - } - /*! OPENSSL_free(dh->p,g)? doc does not tell so */ - } - DH_free(dh); + dh = DH_new(); + p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL); + g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL); + if (!dh || !p || !g) { + if (dh) +DH_free(dh); + if (p) +BN_free(p); + if (g) +BN_free(g); + while (err = ERR_get_error()) { +Warn1("dh2048 setup(): %s", + ERR_error_string(err, NULL)); + } + Error("dh2048 setup failed"); + goto cont_out; + } +#if OPENSSL_VERSION_NUMBER < 0x1010 + dh->p = p; + dh->g = g; +#else + if (!DH_set0_pqg(dh, p, NULL, g)) { + DH_free(dh); + BN_free(p); + BN_free(g); + goto cont_out; } +#endif + if (sycSSL_CTX_set_tmp_dh(*ctx, dh) <= 0) { + while (err = ERR_get_error()) { +Warn3("SSL_CTX_set_tmp_dh(%p, %p): %s", *ctx, dh, + ERR_error_string(err, NULL)); + } + Error2("SSL_CTX_set_tmp_dh(%p, %p) failed", *ctx, dh); + } + /* p & g are freed by DH_free() once attached */ + DH_free(dh); +cont_out: + ; } #if defined(EC_KEY) /* not on Openindiana 5.11 */ 
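Review bot: The `#if OPENSSL_VERSION_NUMBER < 0x1010` test in the DH hunk compares against a value smaller than any OpenSSL version number (1.0.2's is 0x1000200fL), so as printed the condition is always false and the `DH_set0_pqg` branch is selected on 1.0.x too, where that function does not exist; unless this is a transcription artifact the threshold should read `0x10100000L`. The openssl_SSL_ERROR_SSL hunk below uses the same value for its `RAND_F_*` selection. Separately, the `DH_set0_pqg` failure branch frees its objects and jumps to `cont_out` without reporting anything, unlike every other failure path in this block; adding `Error("DH_set0_pqg() failed");` before the `goto` keeps the diagnostics consistent. The enclosing function starts before this hunk.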
@@ -1236,7 +1249,11 @@ static int openssl_SSL_ERROR_SSL(int level, const char *funcname) { while (e = ERR_get_error()) { Debug1("ERR_get_error(): %lx", e); if (e == ((ERR_LIB_RAND<<24)| +#if OPENSSL_VERSION_NUMBER < 0x1010 (RAND_F_SSLEAY_RAND_BYTES<<12)| +#else + (RAND_F_RAND_BYTES<<12)| +#endif (RAND_R_PRNG_NOT_SEEDED)) /*0x24064064*/) { Error("too few entropy; use options \"egd\" or \"pseudo\""); stat = STAT_NORETRY; @@ -1388,7 +1405,7 @@ static bool openssl_check_peername(X509_NAME *name, const char *peername) { int ind = -1; X509_NAME_ENTRY *entry; ASN1_STRING *data; - unsigned char *text; + const unsigned char *text; ind = X509_NAME_get_index_by_NID(name, NID_commonName,
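Review bot: The `#if` block added inside the `e == ((ERR_LIB_RAND<<24)|...)` comparison pins the check to an OpenSSL-internal function code, which is precisely the part that changed between releases; decoding the error instead removes the version branch entirely: `if (ERR_GET_LIB(e) == ERR_LIB_RAND && ERR_GET_REASON(e) == RAND_R_PRNG_NOT_SEEDED) {`. The `/*0x24064064*/` comment on the following line is then no longer needed. openssl_SSL_ERROR_SSL starts before this hunk.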
Bug#828550: socat: FTBFS with openssl 1.1.0
Source: socat Version: 1.7.3.1-1 Severity: important Control: block 827061 by -1 Hi, OpenSSL 1.1.0 is about to be released. During a rebuild of all packages using OpenSSL, this package fails to build. A log of that build can be found at: https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/socat_1.7.3.1-1_amd64-20160529-1537 On https://wiki.openssl.org/index.php/1.1_API_Changes you can see several of the reasons why it might fail. There are also updated man pages at https://www.openssl.org/docs/manmaster/ that should contain useful information. There is a libssl-dev package available in experimental that contains a recent snapshot; I suggest you try building against that to see if everything works. If you have problems making things work, feel free to contact us. Kurt