I'm building OpenVPN on Linux
cd /home/src/openvpn
git log | head
commit 1394192b210cb3c6624a7419bcf3ff966742e79b
Author: Gert Doering <[email protected]>
Date: Sat Apr 14 09:26:17 2018 +0200
Fix potential double-free() in Interactive Service
(CVE-2018-9336)
Malformed input data on the service pipe towards the
OpenVPN interactive
service (normally used by the OpenVPN GUI to request
openvpn instances
from the service) can result in a double free() in the
error handling code.
For SSL prereqs, I built & installed both
OpenSSL 1.0.2o 27 Mar 2018
installed into
/opt/ssl10
and
OpenSSL 1.1.0h 27 Mar 2018
installed into
/opt/ssl11
If I build OpenVPN with OpenSSL version 1.0.0,
cd /home/src/openvpn
autoreconf -fi
export OPENSSL_CFLAGS="-I/usr/local/include -I/opt/ssl10/include -I/usr/include"
export OPENSSL_LIBS="-L/opt/ssl10/lib64 -Wl,-rpath,/opt/ssl10/lib64 -lssl -lcrypto"
./configure --with-crypto-library=openssl --enable-shared --disable-static --prefix=/opt/openvpn --libdir=/opt/openvpn/lib64
make
make install
it builds & runs with no error, linked to the right version of the OpenSSL libs,
ldd /opt/openvpn/sbin/openvpn | egrep "ssl|crypto"
libssl.so.1.0.0 => /opt/ssl10/lib64/libssl.so.1.0.0 (0x00007fdc4bf6a000)
libcrypto.so.1.0.0 => /opt/ssl10/lib64/libcrypto.so.1.0.0 (0x00007fdc4baf1000)
/opt/openvpn/sbin/openvpn
OpenVPN 2.5_git [git:master/1394192b210cb3c6]
x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD] built on May 31 2018
library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
...
When I switch to the OpenSSL version 1.1.1 libs, changing only the _FLAGS/_LIBS spec,
- export OPENSSL_CFLAGS="-I/usr/local/include -I/opt/ssl11/include -I/usr/include"
- export OPENSSL_LIBS="-L/opt/ssl11/lib64 -Wl,-rpath,/opt/ssl11/lib64 -lssl -lcrypto"
+ export OPENSSL_CFLAGS="-I/usr/local/include -I/opt/ssl11/include -I/usr/include"
+ export OPENSSL_LIBS="-L/opt/ssl11/lib64 -Wl,-rpath,/opt/ssl11/lib64 -lssl -lcrypto"
it still configures OK, but `make` dies,
...
/usr/bin/gcc-8 -DHAVE_CONFIG_H -I. -I../.. -I../../include
-I../../include -I../../src/compat -O3 -Wall -fstack-protector-strong
-funwind-tables -fasynchronous-unwind-tables -fmessage-length=0
-grecord-gcc-switches -D_FORTIFY_SOURCE=2 -I/usr/local/include
-I/opt/ssl11/include -I/usr/include
-DPLUGIN_LIBDIR=\"/opt/openvpn/lib64/openvpn/plugins\" -Wall
-Wno-unused-parameter -Wno-unused-function -O3 -Wall -fstack-protector-strong
-funwind-tables -fasynchronous-unwind-tables -fmessage-length=0
-grecord-gcc-switches -fPIC -DPIC -D_GNU_SOURCE -fno-strict-aliasing -Wall
-std=c99 -MT ssl_openssl.o -MD -MP -MF .deps/ssl_openssl.Tpo -c -o
ssl_openssl.o ssl_openssl.c
socket.c: In function ‘print_link_socket_actual_ex’:
socket.c:2772:14: warning: unused variable ‘ifname’ [-Wunused-variable]
char ifname[IF_NAMESIZE] = "[undef]";
^~~~~~
ssl_openssl.c: In function ‘tls_init_lib’:
ssl_openssl.c:74:5: warning: implicit declaration of function
‘SSL_library_init’; did you mean ‘SSL_in_init’?
[-Wimplicit-function-declaration]
SSL_library_init();
^~~~~~~~~~~~~~~~
SSL_in_init
ssl_openssl.c:76:5: warning: implicit declaration of function
‘SSL_load_error_strings’; did you mean ‘ERR_lib_error_string’?
[-Wimplicit-function-declaration]
SSL_load_error_strings();
^~~~~~~~~~~~~~~~~~~~~~
ERR_lib_error_string
mv -f .deps/route.Tpo .deps/route.Po
/usr/bin/gcc-8 -DHAVE_CONFIG_H -I. -I../.. -I../../include
-I../../include -I../../src/compat -O3 -Wall -fstack-protector-strong
-funwind-tables -fasynchronous-unwind-tables -fmessage-length=0
-grecord-gcc-switches -D_FORTIFY_SOURCE=2 -I/usr/local/include
-I/opt/ssl11/include -I/usr/include
-DPLUGIN_LIBDIR=\"/opt/openvpn/lib64/openvpn/plugins\" -Wall
-Wno-unused-parameter -Wno-unused-function -O3 -Wall -fstack-protector-strong
-funwind-tables -fasynchronous-unwind-tables -fmessage-length=0
-grecord-gcc-switches -fPIC -DPIC -D_GNU_SOURCE -fno-strict-aliasing -Wall
-std=c99 -MT ssl_mbedtls.o -MD -MP -MF .deps/ssl_mbedtls.Tpo -c -o
ssl_mbedtls.o ssl_mbedtls.c
ssl_openssl.c:78:5: warning: implicit declaration of function
‘OpenSSL_add_all_algorithms’; did you mean ‘OpenSSL_add_ssl_algorithms’?
[-Wimplicit-function-declaration]
OpenSSL_add_all_algorithms();
^~~~~~~~~~~~~~~~~~~~~~~~~~
OpenSSL_add_ssl_algorithms
ssl_openssl.c: In function ‘tls_free_lib’:
ssl_openssl.c:87:5: warning: implicit declaration of function
‘EVP_cleanup’; did you mean ‘EVP_PBE_cleanup’? [-Wimplicit-function-declaration]
EVP_cleanup();
^~~~~~~~~~~
EVP_PBE_cleanup
ssl_openssl.c:89:5: warning: implicit declaration of function
‘ERR_free_strings’; did you mean ‘ERR_load_strings’?
[-Wimplicit-function-declaration]
ERR_free_strings();
^~~~~~~~~~~~~~~~
ERR_load_strings
ssl_openssl.c: In function ‘tls_ctx_check_cert_time’:
ssl_openssl.c:476:25: warning: implicit declaration of function
‘X509_get_notBefore’; did you mean ‘X509_getm_notBefore’?
[-Wimplicit-function-declaration]
ret = X509_cmp_time(X509_get_notBefore(cert), NULL);
^~~~~~~~~~~~~~~~~~
X509_getm_notBefore
ssl_openssl.c:476:25: warning: passing argument 1 of ‘X509_cmp_time’
makes pointer from integer without a cast [-Wint-conversion]
ret = X509_cmp_time(X509_get_notBefore(cert), NULL);
^~~~~~~~~~~~~~~~~~~~~~~~
In file included from /opt/ssl11/include/openssl/pem.h:17,
from /opt/ssl11/include/openssl/ssl.h:55,
from ssl_openssl.h:32,
from ssl_backend.h:36,
from ssl_openssl.c:44:
/opt/ssl11/include/openssl/x509.h:474:36: note: expected ‘const
ASN1_TIME *’ {aka ‘const struct asn1_string_st *’} but argument is of type ‘int’
int X509_cmp_time(const ASN1_TIME *s, time_t *t);
~~~~~~~~~~~~~~~~~^
ssl_openssl.c:486:25: warning: implicit declaration of function
‘X509_get_notAfter’; did you mean ‘X509_getm_notAfter’?
[-Wimplicit-function-declaration]
ret = X509_cmp_time(X509_get_notAfter(cert), NULL);
^~~~~~~~~~~~~~~~~
X509_getm_notAfter
ssl_openssl.c:486:25: warning: passing argument 1 of ‘X509_cmp_time’
makes pointer from integer without a cast [-Wint-conversion]
ret = X509_cmp_time(X509_get_notAfter(cert), NULL);
^~~~~~~~~~~~~~~~~~~~~~~
In file included from /opt/ssl11/include/openssl/pem.h:17,
from /opt/ssl11/include/openssl/ssl.h:55,
from ssl_openssl.h:32,
from ssl_backend.h:36,
from ssl_openssl.c:44:
/opt/ssl11/include/openssl/x509.h:474:36: note: expected ‘const
ASN1_TIME *’ {aka ‘const struct asn1_string_st *’} but argument is of type ‘int’
int X509_cmp_time(const ASN1_TIME *s, time_t *t);
~~~~~~~~~~~~~~~~~^
In file included from errlevel.h:27,
from ssl_openssl.c:39:
ssl_openssl.c: In function ‘tls_ctx_load_dh_params’:
ssl_openssl.c:542:13: warning: implicit declaration of function
‘DH_size’; did you mean ‘dysize’? [-Wimplicit-function-declaration]
8 * DH_size(dh));
^~~~~~~
error.h:151:67: note: in definition of macro ‘msg’
#define msg(flags, ...) do { if (msg_test(flags)) {x_msg((flags),
__VA_ARGS__);} EXIT_FATAL(flags); } while (false)
^~~~~~~~~~~
ssl_openssl.c:544:5: warning: implicit declaration of function
‘DH_free’; did you mean ‘gc_free’? [-Wimplicit-function-declaration]
DH_free(dh);
^~~~~~~
gc_free
ssl_openssl.c: In function ‘tls_ctx_load_ecdh_params’:
ssl_openssl.c:570:9: warning: implicit declaration of function
‘SSL_CTX_set_ecdh_auto’; did you mean ‘SSL_CTX_set_dh_auto’?
[-Wimplicit-function-declaration]
SSL_CTX_set_ecdh_auto(ctx->ctx, 1);
^~~~~~~~~~~~~~~~~~~~~
SSL_CTX_set_dh_auto
ssl_openssl.c: In function ‘openvpn_extkey_rsa_finish’:
ssl_openssl.c:1041:30: warning: implicit declaration of function
‘RSA_get_method’; did you mean ‘SSL_get_ssl_method’?
[-Wimplicit-function-declaration]
const RSA_METHOD *meth = RSA_get_method(rsa);
^~~~~~~~~~~~~~
SSL_get_ssl_method
ssl_openssl.c:1041:30: warning: initialization of ‘const RSA_METHOD *’
{aka ‘const struct rsa_meth_st *’} from ‘int’ makes pointer from integer
without a cast [-Wint-conversion]
ssl_openssl.c:1042:5: warning: implicit declaration of function
‘RSA_meth_free’; did you mean ‘BIO_meth_free’? [-Wimplicit-function-declaration]
RSA_meth_free((RSA_METHOD *)meth);
^~~~~~~~~~~~~
BIO_meth_free
ssl_openssl.c: In function ‘rsa_priv_enc’:
ssl_openssl.c:1079:24: warning: implicit declaration of function
‘RSA_size’; did you mean ‘HMAC_size’? [-Wimplicit-function-declaration]
unsigned int len = RSA_size(rsa);
^~~~~~~~
HMAC_size
ssl_openssl.c:1082:20: error: ‘RSA_PKCS1_PADDING’ undeclared (first use
in this function); did you mean ‘i2d_PKCS12_SAFEBAG’?
if (padding != RSA_PKCS1_PADDING)
^~~~~~~~~~~~~~~~~
i2d_PKCS12_SAFEBAG
ssl_openssl.c:1082:20: note: each undeclared identifier is reported
only once for each function it appears in
mv -f .deps/ssl_mbedtls.Tpo .deps/ssl_mbedtls.Po
/usr/bin/gcc-8 -DHAVE_CONFIG_H -I. -I../.. -I../../include
-I../../include -I../../src/compat -O3 -Wall -fstack-protector-strong
-funwind-tables -fasynchronous-unwind-tables -fmessage-length=0
-grecord-gcc-switches -D_FORTIFY_SOURCE=2 -I/usr/local/include
-I/opt/ssl11/include -I/usr/include
-DPLUGIN_LIBDIR=\"/opt/openvpn/lib64/openvpn/plugins\" -Wall
-Wno-unused-parameter -Wno-unused-function -O3 -Wall -fstack-protector-strong
-funwind-tables -fasynchronous-unwind-tables -fmessage-length=0
-grecord-gcc-switches -fPIC -DPIC -D_GNU_SOURCE -fno-strict-aliasing -Wall
-std=c99 -MT ssl_verify.o -MD -MP -MF .deps/ssl_verify.Tpo -c -o ssl_verify.o
ssl_verify.c
In file included from ssl_openssl.c:55:
openssl_compat.h:661:46: error: ‘RSA_F_RSA_EAY_PRIVATE_ENCRYPT’
undeclared (first use in this function); did you mean
‘RSA_F_RSA_OSSL_PRIVATE_ENCRYPT’?
#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT
RSA_F_RSA_EAY_PRIVATE_ENCRYPT
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/opt/ssl11/include/openssl/err.h:29:59: note: in definition of macro
‘ERR_PUT_error’
# define ERR_PUT_error(a,b,c,d,e) ERR_put_error(a,b,c,d,e)
^
ssl_openssl.c:1084:9: note: in expansion of macro ‘RSAerr’
RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT,
RSA_R_UNKNOWN_PADDING_TYPE);
^~~~~~
ssl_openssl.c:1084:16: note: in expansion of macro
‘RSA_F_RSA_OSSL_PRIVATE_ENCRYPT’
RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT,
RSA_R_UNKNOWN_PADDING_TYPE);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ssl_openssl.c:1084:48: error: ‘RSA_R_UNKNOWN_PADDING_TYPE’ undeclared
(first use in this function); did you mean ‘SSL_R_UNKNOWN_ALERT_TYPE’?
RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT,
RSA_R_UNKNOWN_PADDING_TYPE);
^~~~~~~~~~~~~~~~~~~~~~~~~~
/opt/ssl11/include/openssl/err.h:29:61: note: in definition of macro
‘ERR_PUT_error’
# define ERR_PUT_error(a,b,c,d,e) ERR_put_error(a,b,c,d,e)
^
ssl_openssl.c:1084:9: note: in expansion of macro ‘RSAerr’
RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT,
RSA_R_UNKNOWN_PADDING_TYPE);
^~~~~~
ssl_openssl.c: In function ‘tls_ctx_use_external_rsa_key’:
ssl_openssl.c:1106:16: warning: implicit declaration of function
‘RSA_meth_new’; did you mean ‘BIO_meth_new’? [-Wimplicit-function-declaration]
rsa_meth = RSA_meth_new("OpenVPN external private key RSA Method",
^~~~~~~~~~~~
BIO_meth_new
ssl_openssl.c:1107:29: error: ‘RSA_METHOD_FLAG_NO_CHECK’ undeclared
(first use in this function); did you mean ‘SSL_SECOP_SIGALG_CHECK’?
RSA_METHOD_FLAG_NO_CHECK);
^~~~~~~~~~~~~~~~~~~~~~~~
SSL_SECOP_SIGALG_CHECK
ssl_openssl.c:1109:5: warning: implicit declaration of function
‘RSA_meth_set_pub_enc’; did you mean ‘BIO_meth_set_puts’?
[-Wimplicit-function-declaration]
RSA_meth_set_pub_enc(rsa_meth, rsa_pub_enc);
^~~~~~~~~~~~~~~~~~~~
BIO_meth_set_puts
ssl_openssl.c:1110:5: warning: implicit declaration of function
‘RSA_meth_set_pub_dec’; did you mean ‘BIO_meth_set_puts’?
[-Wimplicit-function-declaration]
RSA_meth_set_pub_dec(rsa_meth, rsa_pub_dec);
^~~~~~~~~~~~~~~~~~~~
BIO_meth_set_puts
ssl_openssl.c:1111:5: warning: implicit declaration of function
‘RSA_meth_set_priv_enc’; did you mean ‘BIO_meth_set_write’?
[-Wimplicit-function-declaration]
RSA_meth_set_priv_enc(rsa_meth, rsa_priv_enc);
^~~~~~~~~~~~~~~~~~~~~
BIO_meth_set_write
ssl_openssl.c:1112:5: warning: implicit declaration of function
‘RSA_meth_set_priv_dec’; did you mean ‘BIO_meth_set_write’?
[-Wimplicit-function-declaration]
RSA_meth_set_priv_dec(rsa_meth, rsa_priv_dec);
^~~~~~~~~~~~~~~~~~~~~
BIO_meth_set_write
ssl_openssl.c:1113:5: warning: implicit declaration of function
‘RSA_meth_set_init’; did you mean ‘EVP_MD_meth_set_init’?
[-Wimplicit-function-declaration]
RSA_meth_set_init(rsa_meth, NULL);
^~~~~~~~~~~~~~~~~
EVP_MD_meth_set_init
ssl_openssl.c:1114:5: warning: implicit declaration of function
‘RSA_meth_set_finish’; did you mean ‘BIO_meth_set_gets’?
[-Wimplicit-function-declaration]
RSA_meth_set_finish(rsa_meth, openvpn_extkey_rsa_finish);
^~~~~~~~~~~~~~~~~~~
BIO_meth_set_gets
ssl_openssl.c:1115:5: warning: implicit declaration of function
‘RSA_meth_set0_app_data’; did you mean ‘SSL_CTX_set_app_data’?
[-Wimplicit-function-declaration]
RSA_meth_set0_app_data(rsa_meth, NULL);
^~~~~~~~~~~~~~~~~~~~~~
SSL_CTX_set_app_data
ssl_openssl.c:1118:11: warning: implicit declaration of function
‘RSA_new’; did you mean ‘SSL_new’? [-Wimplicit-function-declaration]
rsa = RSA_new();
^~~~~~~
SSL_new
ssl_openssl.c:1118:9: warning: assignment to ‘RSA *’ {aka ‘struct
rsa_st *’} from ‘int’ makes pointer from integer without a cast
[-Wint-conversion]
rsa = RSA_new();
^
ssl_openssl.c:1128:5: warning: implicit declaration of function
‘RSA_get0_key’; did you mean ‘SSL_get0_dane’? [-Wimplicit-function-declaration]
RSA_get0_key(pub_rsa, &n, &e, NULL);
^~~~~~~~~~~~
SSL_get0_dane
ssl_openssl.c:1129:5: warning: implicit declaration of function
‘RSA_set0_key’; did you mean ‘SSL_set_bio’? [-Wimplicit-function-declaration]
RSA_set0_key(rsa, BN_dup(n), BN_dup(e), NULL);
^~~~~~~~~~~~
SSL_set_bio
ssl_openssl.c:1129:23: warning: implicit declaration of function
‘BN_dup’; did you mean ‘OBJ_dup’? [-Wimplicit-function-declaration]
RSA_set0_key(rsa, BN_dup(n), BN_dup(e), NULL);
^~~~~~
OBJ_dup
ssl_openssl.c:1130:5: warning: implicit declaration of function
‘RSA_set_flags’; did you mean ‘BIO_set_flags’? [-Wimplicit-function-declaration]
RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY);
^~~~~~~~~~~~~
BIO_set_flags
ssl_openssl.c:1130:24: warning: implicit declaration of function
‘RSA_flags’; did you mean ‘ifr_flags’? [-Wimplicit-function-declaration]
RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY);
^~~~~~~~~
ifr_flags
ssl_openssl.c:1130:41: error: ‘RSA_FLAG_EXT_PKEY’ undeclared (first use
in this function); did you mean ‘SSL_F_SSL_SET_PKEY’?
RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY);
^~~~~~~~~~~~~~~~~
SSL_F_SSL_SET_PKEY
ssl_openssl.c:1131:10: warning: implicit declaration of function
‘RSA_set_method’; did you mean ‘SSL_set_ssl_method’?
[-Wimplicit-function-declaration]
if (!RSA_set_method(rsa, rsa_meth))
^~~~~~~~~~~~~~
SSL_set_ssl_method
ssl_openssl.c:1144:5: warning: implicit declaration of function
‘RSA_free’; did you mean ‘SSL_free’? [-Wimplicit-function-declaration]
RSA_free(rsa); /* doesn't necessarily free, just decrements
refcount */
^~~~~~~~
SSL_free
ssl_openssl.c: In function ‘print_details’:
ssl_openssl.c:1889:34: warning: implicit declaration of function
‘RSA_bits’ [-Wimplicit-function-declaration]
RSA_bits(rsa));
^~~~~~~~
ssl_openssl.c:1895:34: warning: implicit declaration of function
‘DSA_bits’ [-Wimplicit-function-declaration]
DSA_bits(dsa));
^~~~~~~~
ssl_openssl.c: In function ‘get_ssl_library_version’:
ssl_openssl.c:2040:12: warning: implicit declaration of function
‘SSLeay_version’; did you mean ‘SSL_version’? [-Wimplicit-function-declaration]
return SSLeay_version(SSLEAY_VERSION);
^~~~~~~~~~~~~~
SSL_version
ssl_openssl.c:2040:27: error: ‘SSLEAY_VERSION’ undeclared (first use in
this function); did you mean ‘SSL2_VERSION’?
return SSLeay_version(SSLEAY_VERSION);
^~~~~~~~~~~~~~
SSL2_VERSION
ssl_openssl.c:2041:1: warning: control reaches end of non-void function
[-Wreturn-type]
}
^
make[3]: *** [Makefile:717: ssl_openssl.o] Error 1
make[3]: *** Waiting for unfinished jobs....
mv -f .deps/ssl_verify.Tpo .deps/ssl_verify.Po
mv -f .deps/socket.Tpo .deps/socket.Po
mv -f .deps/ssl.Tpo .deps/ssl.Po
mv -f .deps/options.Tpo .deps/options.Po
make[3]: Leaving directory '/usr/local/src/openvpn/src/openvpn'
make[2]: *** [Makefile:429: all-recursive] Error 1
make[2]: Leaving directory '/usr/local/src/openvpn/src'
make[1]: *** [Makefile:614: all-recursive] Error 1
make[1]: Leaving directory '/usr/local/src/openvpn'
make: *** [Makefile:502: all] Error 2
It looks like the OpenVPN build is still trying to use the OpenSSL 1.0.0
symbols which are deprecated in 1.1.0.
I build all sorts of other apps with these OpenSSL 1.1.0 libs/includes, and
everything works great, so I'm sure it's not a problem with the OpenSSL build.
What do you need to do to build OpenVPN with OpenSSL 1.1.0?
- AC
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
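Added example, not from the mail above nor from the OpenVPN project: a small Python triage script for a build log of the kind quoted in this thread. It flattens the mail-wrapped gcc messages, collects every symbol gcc reported as implicit or undeclared, and separates 1.0.x-era names that 1.1.0 keeps only as compatibility macros from accessors that first appeared in 1.1.0; if the latter are undeclared, the headers gcc actually resolved are not a complete 1.1.0 set, which points at include-path order rather than at deprecated calls in the source. The symbol tables are a hand-picked subset and the sample log is constructed from the lines above.

```python
import re

# Constructed gcc output modeled on the wrapped build log quoted in the mail.
SAMPLE_LOG = """\
ssl_openssl.c:74:5: warning: implicit declaration of function
‘SSL_library_init’; did you mean ‘SSL_in_init’?
[-Wimplicit-function-declaration]
ssl_openssl.c:1106:16: warning: implicit declaration of function
‘RSA_meth_new’; did you mean ‘BIO_meth_new’? [-Wimplicit-function-declaration]
ssl_openssl.c:1082:20: error: ‘RSA_PKCS1_PADDING’ undeclared (first use
in this function); did you mean ‘i2d_PKCS12_SAFEBAG’?
In file included from /opt/ssl11/include/openssl/pem.h:17,
from /opt/ssl11/include/openssl/ssl.h:55,
"""

# 1.0.x entry points that OpenSSL 1.1.0 keeps only as compatibility macros.
LEGACY_10X = {
    "SSL_library_init", "SSL_load_error_strings", "OpenSSL_add_all_algorithms",
    "EVP_cleanup", "ERR_free_strings", "SSLeay_version", "SSLEAY_VERSION",
    "SSL_CTX_set_ecdh_auto", "RSA_F_RSA_EAY_PRIVATE_ENCRYPT",
}
# Accessors introduced in 1.1.0: a real 1.1.0 header set declares them.
ADDED_IN_110 = {
    "RSA_meth_new", "RSA_meth_free", "RSA_meth_set_priv_enc", "RSA_get0_key",
    "RSA_set0_key", "RSA_bits", "DSA_bits", "X509_getm_notBefore",
}
IMPLICIT = re.compile(r"implicit declaration of function [‘'](\w+)[’']")
UNDECLARED = re.compile(r"error: [‘'](\w+)[’'] undeclared")
HEADER_ROOT = re.compile(r"from (\S+/include)/openssl/\w+\.h:")

def undeclared_symbols(log):
    """All identifiers gcc reported missing; mail wrapping splits messages
    across lines, so whitespace is collapsed before matching."""
    flat = re.sub(r"\s+", " ", log)
    return set(IMPLICIT.findall(flat)) | set(UNDECLARED.findall(flat))

def diagnose(log):
    """Classify the missing symbols and list the include roots gcc used."""
    syms = undeclared_symbols(log)
    report = {
        "legacy_10x": sorted(syms & LEGACY_10X),
        "added_in_110": sorted(syms & ADDED_IN_110),
        "other": sorted(syms - LEGACY_10X - ADDED_IN_110),
        "header_roots": sorted(set(HEADER_ROOT.findall(log))),
    }
    if report["added_in_110"]:
        report["verdict"] = "header set: 1.1.0-only symbols are undeclared"
    elif report["legacy_10x"]:
        report["verdict"] = "porting: only 1.0.x-era symbols are missing"
    else:
        report["verdict"] = "clean: no OpenSSL symbol gaps reported"
    return report
```

Running `diagnose` over the full log from the mail would also surface every `/include` root that contributed an `openssl/*.h`, which is the first thing to compare against the `-I` order in `OPENSSL_CFLAGS`.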