From 89441bfc635015be1a43f4d278e486d37a4d338d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Beh=C3=BAn?= Date: Mon, 9 Nov 2015 16:34:23 +0100 Subject: [PATCH] Check for OPENSSL_NO_COMP and OPENSSL_NO_EGD for 2.0.0b8 LibreSSL has compression disabled by default, and removed support for EGD (entropy generating daemon) completely. --- sslcls.c | 4 +++- sslcls.h | 4 +++- xio-openssl.c | 24 ++++++++++++++++++------ xio-openssl.h | 4 +++- xioopts.c | 8 ++++++-- xioopts.h | 4 +++- 6 files changed, 36 insertions(+), 12 deletions(-) diff --git a/sslcls.c b/sslcls.c index ea4c303..1e9f0a8 100644 --- a/sslcls.c +++ b/sslcls.c @@ -347,6 +347,7 @@ void sycSSL_free(SSL *ssl) { return; } +#ifndef OPENSSL_NO_EGD int sycRAND_egd(const char *path) { int result; Debug1("RAND_egd(\"%s\")", path); @@ -354,6 +355,7 @@ int sycRAND_egd(const char *path) { Debug1("RAND_egd() -> %d", result); return result; } +#endif DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u) { DH *result; @@ -391,7 +393,7 @@ int sycFIPS_mode_set(int onoff) { } #endif /* WITH_FIPS */ -#if OPENSSL_VERSION_NUMBER >= 0x00908000L +#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP) const COMP_METHOD *sycSSL_get_current_compression(SSL *ssl) { const COMP_METHOD *result; Debug1("SSL_get_current_compression(%p)", ssl); diff --git a/sslcls.h b/sslcls.h index 152fe5b..9fd8ef2 100644 --- a/sslcls.h +++ b/sslcls.h @@ -49,7 +49,9 @@ X509 *sycSSL_get_peer_certificate(SSL *ssl); int sycSSL_shutdown(SSL *ssl); void sycSSL_CTX_free(SSL_CTX *ctx); void sycSSL_free(SSL *ssl); +#ifndef OPENSSL_NO_EGD int sycRAND_egd(const char *path); +#endif DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u); @@ -57,7 +59,7 @@ BIO *sycBIO_new_file(const char *filename, const char *mode); int sycFIPS_mode_set(int onoff); -#if OPENSSL_VERSION_NUMBER >= 0x00908000L +#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP) const COMP_METHOD *sycSSL_get_current_compression(SSL *ssl); const COMP_METHOD *sycSSL_get_current_expansion(SSL *ssl); const char *sycSSL_COMP_get_name(const COMP_METHOD *comp); diff --git a/xio-openssl.c b/xio-openssl.c index a86870c..8bb677d 100644 --- a/xio-openssl.c +++ b/xio-openssl.c @@ -181,9 +181,11 @@ const struct optdesc opt_openssl_key = { "openssl-key", "key", const struct optdesc opt_openssl_dhparam = { "openssl-dhparam", "dh", OPT_OPENSSL_DHPARAM, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC }; const struct optdesc opt_openssl_cafile = { "openssl-cafile", "cafile", OPT_OPENSSL_CAFILE, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC }; const struct optdesc opt_openssl_capath = { "openssl-capath", "capath", OPT_OPENSSL_CAPATH, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC }; +#ifndef OPENSSL_NO_EGD const struct optdesc opt_openssl_egd = { "openssl-egd", "egd", OPT_OPENSSL_EGD, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC }; +#endif const struct optdesc opt_openssl_pseudo = { "openssl-pseudo", "pseudo", OPT_OPENSSL_PSEUDO, GROUP_OPENSSL, PH_SPEC, TYPE_BOOL, OFUNC_SPEC }; -#if OPENSSL_VERSION_NUMBER >= 0x00908000L +#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP) const struct optdesc opt_openssl_compress = { "openssl-compress", "compress", OPT_OPENSSL_COMPRESS, GROUP_OPENSSL, PH_SPEC, TYPE_STRING, OFUNC_SPEC }; #endif #if WITH_FIPS @@ -220,7 +222,7 @@ int xio_reset_fips_mode(void) { static void openssl_conn_loginfo(SSL *ssl) { Notice1("SSL connection using %s", SSL_get_cipher(ssl)); -#if OPENSSL_VERSION_NUMBER >= 0x00908000L +#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP) { const COMP_METHOD *comp, *expansion; @@ -786,7 +788,7 @@ int _xioopen_openssl_listen(struct single *xfd, #endif /* WITH_LISTEN */ -#if OPENSSL_VERSION_NUMBER >= 0x00908000L +#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP) /* In OpenSSL 0.9.7 compression methods could be added using * SSL_COMP_add_compression_method(3), but the implemntation is not compatible * with the standard (RFC3749). @@ -857,8 +859,10 @@ int char *opt_dhparam = NULL; /* file name of DH params */ char *opt_cafile = NULL; /* certificate authority file */ char *opt_capath = NULL; /* certificate authority directory */ +#ifndef OPENSSL_NO_EGD char *opt_egd = NULL; /* entropy gathering daemon socket path */ -#if OPENSSL_VERSION_NUMBER >= 0x00908000L +#endif +#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP) char *opt_compress = NULL; /* compression method */ #endif bool opt_pseudo = false; /* use pseudo entropy if nothing else */ @@ -875,9 +879,11 @@ int retropt_string(opts, OPT_OPENSSL_CAPATH, &opt_capath); retropt_string(opts, OPT_OPENSSL_KEY, &opt_key); retropt_string(opts, OPT_OPENSSL_DHPARAM, &opt_dhparam); +#ifndef OPENSSL_NO_EGD retropt_string(opts, OPT_OPENSSL_EGD, &opt_egd); +#endif retropt_bool(opts,OPT_OPENSSL_PSEUDO, &opt_pseudo); -#if OPENSSL_VERSION_NUMBER >= 0x00908000L +#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP) retropt_string(opts, OPT_OPENSSL_COMPRESS, &opt_compress); #endif #if WITH_FIPS @@ -1010,9 +1016,11 @@ int } } +#ifndef OPENSSL_NO_EGD if (opt_egd) { sycRAND_egd(opt_egd); } +#endif if (opt_pseudo) { long int randdata; @@ -1117,7 +1125,7 @@ int } #endif /* !defined(EC_KEY) */ -#if OPENSSL_VERSION_NUMBER >= 0x00908000L +#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP) if (opt_compress) { int result; result = openssl_setup_compression(*ctx, opt_compress); @@ -1231,7 +1239,11 @@ static int openssl_SSL_ERROR_SSL(int level, const char *funcname) { if (e == ((ERR_LIB_RAND<<24)| (RAND_F_SSLEAY_RAND_BYTES<<12)| (RAND_R_PRNG_NOT_SEEDED)) /*0x24064064*/) { +#ifdef OPENSSL_NO_EGD + Error("too few entropy; use option \"pseudo\""); +#else Error("too few entropy; use options \"egd\" or \"pseudo\""); +#endif stat = STAT_NORETRY; } else { Msg2(level, "%s(): %s", funcname, ERR_error_string(e, buf)); diff --git a/xio-openssl.h b/xio-openssl.h index 62586fc..f10ee0c 100644 --- a/xio-openssl.h +++ b/xio-openssl.h @@ -21,9 +21,11 @@ extern const struct optdesc opt_openssl_key; extern const struct optdesc opt_openssl_dhparam; extern const struct optdesc opt_openssl_cafile; extern const struct optdesc opt_openssl_capath; +#ifndef OPENSSL_NO_EGD extern const struct optdesc opt_openssl_egd; +#endif extern const struct optdesc opt_openssl_pseudo; -#if OPENSSL_VERSION_NUMBER >= 0x00908000L +#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP) extern const struct optdesc opt_openssl_compress; #endif #if WITH_FIPS diff --git a/xioopts.c b/xioopts.c index 6c231f4..9a56298 100644 --- a/xioopts.c +++ b/xioopts.c @@ -303,7 +303,7 @@ const struct optname optionnames[] = { #if WITH_EXT2 && defined(EXT2_COMPR_FL) IF_ANY ("compr", &opt_ext2_compr) #endif -#if OPENSSL_VERSION_NUMBER >= 0x00908000L +#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP) IF_OPENSSL("compress", &opt_openssl_compress) #endif #ifdef TCP_CONN_ABORT_THRESHOLD /* HP_UX */ @@ -419,7 +419,9 @@ const struct optname optionnames[] = { #ifdef ECHOPRT IF_TERMIOS("echoprt", &opt_echoprt) #endif +#ifndef OPENSSL_NO_EGD IF_OPENSSL("egd", &opt_openssl_egd) +#endif IF_ANY ("end-close", &opt_end_close) IF_TERMIOS("eof", &opt_veof) IF_TERMIOS("eol", &opt_veol) @@ -1062,11 +1064,13 @@ const struct optname optionnames[] = { IF_OPENSSL("openssl-certificate", &opt_openssl_certificate) IF_OPENSSL("openssl-cipherlist", &opt_openssl_cipherlist) IF_OPENSSL("openssl-commonname", &opt_openssl_commonname) -#if OPENSSL_VERSION_NUMBER >= 0x00908000L +#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP) IF_OPENSSL("openssl-compress", &opt_openssl_compress) #endif IF_OPENSSL("openssl-dhparam", &opt_openssl_dhparam) +#ifndef OPENSSL_NO_EGD IF_OPENSSL("openssl-egd", &opt_openssl_egd) +#endif #if WITH_FIPS IF_OPENSSL("openssl-fips", &opt_openssl_fips) #endif diff --git a/xioopts.h b/xioopts.h index 2a165f5..37d6883 100644 --- a/xioopts.h +++ b/xioopts.h @@ -478,11 +478,13 @@ enum e_optcode { OPT_OPENSSL_CERTIFICATE, OPT_OPENSSL_CIPHERLIST, OPT_OPENSSL_COMMONNAME, -#if OPENSSL_VERSION_NUMBER >= 0x00908000L +#if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP) OPT_OPENSSL_COMPRESS, #endif OPT_OPENSSL_DHPARAM, +#ifndef OPENSSL_NO_EGD OPT_OPENSSL_EGD, +#endif OPT_OPENSSL_FIPS, OPT_OPENSSL_KEY, OPT_OPENSSL_METHOD, -- 2.4.10