From 0b69f005df461d1b307888d89b781222779e61ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Beh=C3=BAn?=
Date: Wed, 7 Oct 2015 17:47:24 +0200
Subject: [PATCH] Check for OPENSSL_NO_COMP and OPENSSL_NO_EGD

LibreSSL has compression disabled by default, and removed support for EGD (entropy generating daemon) completely.
---
 sslcls.c | 4 +++-
 sslcls.h | 6 +++++-
 xio-openssl.c | 24 ++++++++++++++++++------
 xio-openssl.h | 4 +++-
 xioopts.c | 8 ++++++--
 xioopts.h | 4 +++-
 6 files changed, 38 insertions(+), 12 deletions(-)

diff --git a/sslcls.c b/sslcls.c
index 6ddc077..fcd1151 100644
--- a/sslcls.c
+++ b/sslcls.c
@@ -331,6 +331,7 @@ void sycSSL_free(SSL *ssl) {
 return;
 }
 
+#ifndef OPENSSL_NO_EGD
 int sycRAND_egd(const char *path) {
 int result;
 Debug1("RAND_egd(\"%s\")", path);
@@ -338,6 +339,7 @@ int sycRAND_egd(const char *path) {
 Debug1("RAND_egd() -> %d", result);
 return result;
 }
+#endif
 
 DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u) {
 DH *result;
@@ -375,7 +377,7 @@ int sycFIPS_mode_set(int onoff) {
 }
 #endif /* WITH_FIPS */
 
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
 const COMP_METHOD *sycSSL_get_current_compression(SSL *ssl) {
 const COMP_METHOD *result;
 Debug1("SSL_get_current_compression(%p)", ssl);
diff --git a/sslcls.h b/sslcls.h
index aece28a..5a4f8b1 100644
--- a/sslcls.h
+++ b/sslcls.h
@@ -47,7 +47,9 @@ X509 *sycSSL_get_peer_certificate(SSL *ssl);
 int sycSSL_shutdown(SSL *ssl);
 void sycSSL_CTX_free(SSL_CTX *ctx);
 void sycSSL_free(SSL *ssl);
+#ifndef OPENSSL_NO_EGD
 int sycRAND_egd(const char *path);
+#endif
 DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u);
@@ -55,7 +57,7 @@ BIO *sycBIO_new_file(const char *filename, const char *mode);
 int sycFIPS_mode_set(int onoff);
 
 
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
 const COMP_METHOD *sycSSL_get_current_compression(SSL *ssl);
 const COMP_METHOD *sycSSL_get_current_expansion(SSL *ssl);
 const char *sycSSL_COMP_get_name(const COMP_METHOD *comp);
@@ -98,7 +100,9 @@ const char *sycSSL_COMP_get_name(const COMP_METHOD *comp);
 #define sycSSL_shutdown(s) SSL_shutdown(s)
 #define sycSSL_CTX_free(c) SSL_CTX_free(c)
 #define sycSSL_free(s) SSL_free(s)
+#ifndef OPENSSL_NO_EGD
 #define sycRAND_egd(p) RAND_egd(p)
+#endif
 #define sycPEM_read_bio_DHparams(b,x,p,u) PEM_read_bio_DHparams(b,x,p,u)
diff --git a/xio-openssl.c b/xio-openssl.c
index 665430d..74ca472 100644
--- a/xio-openssl.c
+++ b/xio-openssl.c
@@ -108,9 +108,11 @@ const struct optdesc opt_openssl_key = { "openssl-key", "key",
 const struct optdesc opt_openssl_dhparam = { "openssl-dhparam", "dh", OPT_OPENSSL_DHPARAM, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
 const struct optdesc opt_openssl_cafile = { "openssl-cafile", "cafile", OPT_OPENSSL_CAFILE, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
 const struct optdesc opt_openssl_capath = { "openssl-capath", "capath", OPT_OPENSSL_CAPATH, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
+#ifndef OPENSSL_NO_EGD
 const struct optdesc opt_openssl_egd = { "openssl-egd", "egd", OPT_OPENSSL_EGD, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
+#endif
 const struct optdesc opt_openssl_pseudo = { "openssl-pseudo", "pseudo", OPT_OPENSSL_PSEUDO, GROUP_OPENSSL, PH_SPEC, TYPE_BOOL, OFUNC_SPEC };
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
 const struct optdesc opt_openssl_compress = { "openssl-compress", "compress", OPT_OPENSSL_COMPRESS, GROUP_OPENSSL, PH_SPEC, TYPE_STRING, OFUNC_SPEC };
 #endif
 #if WITH_FIPS
@@ -147,7 +149,7 @@ int xio_reset_fips_mode(void) {
 
 
 static void openssl_conn_loginfo(SSL *ssl) {
 Notice1("SSL connection using %s", SSL_get_cipher(ssl));
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
 {
 const COMP_METHOD *comp, *expansion;
@@ -651,7 +653,7 @@ int _xioopen_openssl_listen(struct single *xfd,
 #endif /* WITH_LISTEN */
 
 
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
 /* In OpenSSL 0.9.7 compression methods could be added using
 * SSL_COMP_add_compression_method(3), but the implemntation is not compatible
 * with the standard (RFC3749).
@@ -722,8 +724,10 @@ int
 char *opt_dhparam = NULL; /* file name of DH params */
 char *opt_cafile = NULL; /* certificate authority file */
 char *opt_capath = NULL; /* certificate authority directory */
+#ifndef OPENSSL_NO_EGD
 char *opt_egd = NULL; /* entropy gathering daemon socket path */
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
 char *opt_compress = NULL; /* compression method */
 #endif
 bool opt_pseudo = false; /* use pseudo entropy if nothing else */
@@ -741,9 +745,11 @@ int
 retropt_string(opts, OPT_OPENSSL_CAPATH, &opt_capath);
 retropt_string(opts, OPT_OPENSSL_KEY, &opt_key);
 retropt_string(opts, OPT_OPENSSL_DHPARAM, &opt_dhparam);
+#ifndef OPENSSL_NO_EGD
 retropt_string(opts, OPT_OPENSSL_EGD, &opt_egd);
+#endif
 retropt_bool(opts,OPT_OPENSSL_PSEUDO, &opt_pseudo);
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
 retropt_string(opts, OPT_OPENSSL_COMPRESS, &opt_compress);
 #endif
 #if WITH_FIPS
@@ -877,9 +883,11 @@ int
 }
 }
 
+#ifndef OPENSSL_NO_EGD
 if (opt_egd) {
 sycRAND_egd(opt_egd);
 }
+#endif
 
 if (opt_pseudo) {
 long int randdata;
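Review bot: The call `sycRAND_egd(opt_egd);` that the new `#ifndef OPENSSL_NO_EGD` block wraps (hunk at 877) still discards its return value, so an unreachable or mistyped daemon socket leaves the PRNG exactly as unseeded as if the option had never been given, and the user only finds out from the later PRNG_NOT_SEEDED error path rather than from the option that actually failed. RAND_egd() reports -1 when it cannot connect to the daemon or cannot obtain enough bytes from it, so a one-line check names the real cause at the point of failure: `if (sycRAND_egd(opt_egd) < 0) { Warn1("RAND_egd(\"%s\") failed", opt_egd); }`. The enclosing function begins and ends outside this hunk.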
@@ -984,7 +992,7 @@ int
 }
 #endif /* !defined(EC_KEY) */
 
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
 if (opt_compress) {
 int result;
 result = openssl_setup_compression(*ctx, opt_compress);
@@ -1098,7 +1106,11 @@ static int openssl_SSL_ERROR_SSL(int level, const char *funcname) {
 if (e == ((ERR_LIB_RAND<<24)|
 (RAND_F_SSLEAY_RAND_BYTES<<12)|
 (RAND_R_PRNG_NOT_SEEDED)) /*0x24064064*/) {
+#ifdef OPENSSL_NO_EGD
+ Error("too few entropy; use option \"pseudo\"");
+#else
 Error("too few entropy; use options \"egd\" or \"pseudo\"");
+#endif
 stat = STAT_NORETRY;
 } else {
 Msg2(level, "%s(): %s", funcname, ERR_error_string(e, buf));
diff --git a/xio-openssl.h b/xio-openssl.h
index 9cad8f4..bfe69ee 100644
--- a/xio-openssl.h
+++ b/xio-openssl.h
@@ -21,9 +21,11 @@ extern const struct optdesc opt_openssl_key;
 extern const struct optdesc opt_openssl_dhparam;
 extern const struct optdesc opt_openssl_cafile;
 extern const struct optdesc opt_openssl_capath;
+#ifndef OPENSSL_NO_EGD
 extern const struct optdesc opt_openssl_egd;
+#endif
 extern const struct optdesc opt_openssl_pseudo;
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
 extern const struct optdesc opt_openssl_compress;
 #endif
 #if WITH_FIPS
diff --git a/xioopts.c b/xioopts.c
index 3b0f300..e50c26c 100644
--- a/xioopts.c
+++ b/xioopts.c
@@ -296,7 +296,7 @@ const struct optname optionnames[] = {
 #if WITH_EXT2 && defined(EXT2_COMPR_FL)
 IF_ANY ("compr", &opt_ext2_compr)
 #endif
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
 IF_OPENSSL("compress", &opt_openssl_compress)
 #endif
 #ifdef TCP_CONN_ABORT_THRESHOLD /* HP_UX */
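Review bot: The `#ifdef OPENSSL_NO_EGD` branch in the hunk at 1098 makes `pseudo` the only remedy the message offers, yet the same file describes `opt_pseudo` as "use pseudo entropy if nothing else", i.e. a weak last resort rather than a substitute for a real entropy source, and the message should say so instead of presenting it as the fix: `Error("not enough entropy; option \"pseudo\" is only a weak fallback, check the system random source");`. A library built with OPENSSL_NO_EGD (LibreSSL, per the commit message) is, as far as I know, seeded from the kernel without any option, so reaching this branch there more likely indicates a broken random source than a missing option — worth confirming before settling the wording. Both copies also keep the pre-existing "too few entropy"; "not enough entropy" reads correctly. `openssl_SSL_ERROR_SSL()` continues outside the hunk.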
@@ -412,7 +412,9 @@ const struct optname optionnames[] = {
 #ifdef ECHOPRT
 IF_TERMIOS("echoprt", &opt_echoprt)
 #endif
+#ifndef OPENSSL_NO_EGD
 IF_OPENSSL("egd", &opt_openssl_egd)
+#endif
 IF_ANY ("end-close", &opt_end_close)
 IF_TERMIOS("eof", &opt_veof)
 IF_TERMIOS("eol", &opt_veol)
@@ -1098,11 +1100,13 @@ const struct optname optionnames[] = {
 IF_OPENSSL("openssl-certificate", &opt_openssl_certificate)
 IF_OPENSSL("openssl-cipherlist", &opt_openssl_cipherlist)
 IF_OPENSSL("openssl-commonname", &opt_openssl_commonname)
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
 IF_OPENSSL("openssl-compress", &opt_openssl_compress)
 #endif
 IF_OPENSSL("openssl-dhparam", &opt_openssl_dhparam)
+#ifndef OPENSSL_NO_EGD
 IF_OPENSSL("openssl-egd", &opt_openssl_egd)
+#endif
 #if WITH_FIPS
 IF_OPENSSL("openssl-fips", &opt_openssl_fips)
 #endif
diff --git a/xioopts.h b/xioopts.h
index ebcf315..305e018 100644
--- a/xioopts.h
+++ b/xioopts.h
@@ -474,11 +474,13 @@ enum e_optcode {
 OPT_OPENSSL_CERTIFICATE,
 OPT_OPENSSL_CIPHERLIST,
 OPT_OPENSSL_COMMONNAME,
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP)
 OPT_OPENSSL_COMPRESS,
 #endif
 OPT_OPENSSL_DHPARAM,
+#ifndef OPENSSL_NO_EGD
 OPT_OPENSSL_EGD,
+#endif
 OPT_OPENSSL_FIPS,
 OPT_OPENSSL_KEY,
 OPT_OPENSSL_METHOD,
-- 
2.5.3
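Review bot: `OPT_OPENSSL_EGD` in `enum e_optcode` (xioopts.h hunk at 474) is now conditionally present, so the numeric value of every later enumerator (`OPT_OPENSSL_FIPS`, `OPT_OPENSSL_KEY`, `OPT_OPENSSL_METHOD`, …) depends on whether `OPENSSL_NO_EGD` was visible when `xioopts.h` was included; the pre-existing `OPENSSL_VERSION_NUMBER` guard around `OPT_OPENSSL_COMPRESS` already has this property and the commit extends it to a second macro. That is only sound if every translation unit that includes `xioopts.h` has seen OpenSSL's configuration header (`opensslconf.h`) first — presumably the existing include order guarantees it, but a unit compiled without the OpenSSL headers would silently use different option codes than `xio-openssl.c` and the `optionnames[]` table in xioopts.c (hunks at 412 and 1098 of this patch). A comment at the top of the enum would make the dependency visible to the next person editing it: `/* NOTE: the OPENSSL_NO_* guards below shift enumerator values; the OpenSSL headers must be included before this file in every translation unit */`. The enum starts and ends outside the hunk.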