openssl 1.1.1 minor patches to build on SCO OpenServer 5.0.7

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



It was necessary to apply 5 minor patches to openssl 1.1.1n to build it for
SCO OpenServer 5.0.7.  One patch fixing a missing #ifdef AF_INET6 is
already applied to current development for this base version.

The reason for the build is to get TLS1.3 capability on an ancient system.
As it is well-known that TLS1.3 is not going to fix the security issues
on SCO OpenServer 5.0.7, so there's likly no real value to opening a
discussion on that matter.

Is the project interested in receiving the patches?  The curl project has
accepted various patches against SCO OpenServer 5.0.7 for similar issues.

To pull this off, it was necessary to build perl 5.10.1.  At the moment,
all tests are broken (probably requiring some perl modules needed to
support them).  That should be doable, as builds of latest revisions of
of many CPAN perl modules related to build and test have successfully
built for perl 5.8.8 on this system.

The main challenge left to resolve is to build an entropy source for the
system (probably EGD), but, informal tests seem to show that TLS1.3 is
functional after using a Configure command like:

         ./Configure \
           --prefix="${PKG_PRFX}" \
           --openssldir="${PKG_PRFX}/openssl" \
           sco5-gcc \
           no-threads \
           no-asm \
           no-comp \
           shared \
           -D_REENTRANT \
           PERL=/usr/local/bin/perl \
           HASHBANGPERL=/usr/local/bin/perl

The test involved creating a random number source file from another
system's /dev/urandom, and then using it in lieu of a local entropy
source.

$ scp $APP:rnd1 .

Proof-of-concept, as this is unfamiliar territory, was to test with
the SCO-provided openssl:

$ openssl s_client -crlf -rand rnd1 -connect tls13.cloudflare.com:443
...
5120 semi-random bytes loaded
CONNECTED(00000003)
...
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
...

Apparently some DNS issues are left to resolve in the new build also,
but using an IP address:

$ uname -mrsv
SCO_SV 3.2 5.0.7 i386

$ ./apps/openssl version -b -f -o -p -r -v
OpenSSL 1.1.1n  15 Mar 2022
built on: Fri May 13 04:28:57 2022 UTC
platform: sco5-gcc
options:  bn(64,32) rc4(int) des(long) idea(int) blowfish(ptr)
compiler: gcc -fPIC -O3 -fomit-frame-pointer  -DOPENSSL_PIC -DNDEBUG -D_REENTRANT
Seeding source: os-specific

$ ./apps/openssl s_client -crlf -rand rnd1 -connect 104.16.132.229:443
CONNECTED(00000003)
...
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
...

All patches are trivial and all but the define OPENSSL_SYS_SCO5 and SHUT_*
patches piggy back onto other #ifdefs, so it seems somewhat reasonable to
think they might be acceptable for a merge.

A synopsis of the patches:

---------------------------------------------------------------------------
openssl-1.1.1n-i686-pc-sco3.2v5.0.7-1.patch
  #ifdef AF_INET6
---------------------------------------------------------------------------

--- openssl-1.1.1n/apps/s_socket.c.orig 2022-03-15 09:37:47.000000000 -0500
+++ openssl-1.1.1n/apps/s_socket.c      2022-04-26 22:05:51.000000000 -0500
@@ -160,7 +160,9 @@
     if (*sock == INVALID_SOCKET) {
         if (bindaddr != NULL && !found) {
             BIO_printf(bio_err, "Can't bind %saddress for %s%s%s\n",
+#ifdef AF_INET6
                        BIO_ADDRINFO_family(res) == AF_INET6 ? "IPv6 " :
+#endif
                        BIO_ADDRINFO_family(res) == AF_INET ? "IPv4 " :
                        BIO_ADDRINFO_family(res) == AF_UNIX ? "unix " : "",
                        bindhost != NULL ? bindhost : "",
@@ -239,6 +241,7 @@
     sock_protocol = BIO_ADDRINFO_protocol(res);
     sock_address = BIO_ADDRINFO_address(res);
     next = BIO_ADDRINFO_next(res);
+#ifdef AF_INET6
     if (sock_family == AF_INET6)
         sock_options |= BIO_SOCK_V6_ONLY;
     if (next != NULL
@@ -257,6 +260,7 @@
             sock_options &= ~BIO_SOCK_V6_ONLY;
         }
     }
+#endif

     asock = BIO_socket(sock_family, sock_type, sock_protocol, 0);
     if (asock == INVALID_SOCKET && sock_family_fallback != AF_UNSPEC) {

---------------------------------------------------------------------------
openssl-1.1.1n-i686-pc-sco3.2v5.0.7-2.patch
  define OPENSSL_SYS_SCO5
---------------------------------------------------------------------------

--- openssl-1.1.1n/include/openssl/e_os2.h.orig 2022-03-15 09:37:47.000000000 -0500
+++ openssl-1.1.1n/include/openssl/e_os2.h      2022-04-27 06:39:40.000000000 -0500
@@ -119,6 +119,9 @@
 #  if defined(_AIX) && !defined(OPENSSL_SYS_AIX)
 #   define OPENSSL_SYS_AIX
 #  endif
+#  if defined(_SCO_DS) && !defined(OPENSSL_SYS_SCO5)
+#   define OPENSSL_SYS_SCO5
+#  endif
 # endif

 /* -------------------------------- VOS ----------------------------------- */

---------------------------------------------------------------------------
openssl-1.1.1n-i686-pc-sco3.2v5.0.7-3.patch
 typedef unsigned int socklen_t;
---------------------------------------------------------------------------

--- openssl-1.1.1n/crypto/bio/bio_local.h.orig  2022-03-15 09:37:47.000000000 -0500
+++ openssl-1.1.1n/crypto/bio/bio_local.h       2022-04-26 22:20:18.000000000 -0500
@@ -134,7 +134,7 @@
 };

 #ifndef OPENSSL_NO_SOCK
-# ifdef OPENSSL_SYS_VMS
+# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_SCO5)
 typedef unsigned int socklen_t;
 # endif

openssl-1.1.1n-i686-pc-sco3.2v5.0.7-4.patch
  he_fallback_address, *he_fallback_addresses[]

--- openssl-1.1.1n/crypto/bio/b_addr.c.orig     2022-03-15 09:37:47.000000000 -0500
+++ openssl-1.1.1n/crypto/bio/b_addr.c  2022-04-26 22:25:32.000000000 -0500
@@ -744,7 +744,7 @@
 # pragma pointer_size 32
 #endif
         /* Windows doesn't seem to have in_addr_t */
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_SCO5)
         static uint32_t he_fallback_address;
         static const char *he_fallback_addresses[] =
             { (char *)&he_fallback_address, NULL };

---------------------------------------------------------------------------
openssl-1.1.1n-i686-pc-sco3.2v5.0.7-5.patch
  SHUT_RD, SHUT_WR, SHUT_RDWR
---------------------------------------------------------------------------

--- openssl-1.1.1n/apps/ocsp.c.orig     2022-03-15 09:37:47.000000000 -0500
+++ openssl-1.1.1n/apps/ocsp.c  2022-04-26 22:35:40.000000000 -0500
@@ -64,6 +64,22 @@
 # define LOG_ERR       2
 #endif

+/*
+ * shutdown() flags for systems that don't define them
+ */
+
+#ifndef SHUT_RD
+#define SHUT_RD 0x00
+#endif
+
+#ifndef SHUT_WR
+#define SHUT_WR 0x01
+#endif
+
+#ifndef SHUT_RDWR
+#define SHUT_RDWR 0x02
+#endif
+
 #if defined(OPENSSL_SYS_VXWORKS)
 /* not supported */
 int setpgid(pid_t pid, pid_t pgid)

---------------------------------------------------------------------------

I have made a branch on github, so that's how I know the first patch is not
needed.  Feedback?

--

Kevin R. Bulgrien



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux