HAVE_OPENSSL_EC not set when building with local OpenSSL #2420

Closed
andywebber opened this issue Jan 5, 2022 · 3 comments

@andywebber andywebber commented Jan 5, 2022

HAVE_OPENSSL_EC doesn't get checked and set when building with a local version of OpenSSL, and the default is no EC support. As a consequence, scripts like ssl_cert.nse will display certs with elliptic curve keys as type "other" rather than as type "ec". This is because Lua structures won't get populated in nse_ssl_cert.cc https://github.com/nmap/nmap/blob/e8df904e7e9455e0d8a246b40392c9766b2703eb/nse_ssl_cert.cc#L577 and hence won't be available in NSE Lua scripts.
The root cause appears to be that the check at https://github.com/nmap/nmap/blob/e8df904e7e9455e0d8a246b40392c9766b2703eb/configure.ac#L399 is not reached because it is inside the if at https://github.com/nmap/nmap/blob/e8df904e7e9455e0d8a246b40392c9766b2703eb/configure.ac#L366 which requires that $specialssldir is zero length, but it would be non-zero length if "--with-openssl" is specified, for example as "--with-openssl=/usr/local".
This particularly applies if the desire is to build nmap with static libraries and hence not wanting to put the local libraries and includes into the system default search paths.
A hacky workaround is to explicitly add

```
#define HAVE_OPENSSL_EC 1
```

to nmap_config.h after running ./configure

Reproduction: Environment: Oracle Linux 7.9. Downloaded and built openssl 1.1.1m from openssl source tarball and "make install" to /usr/local. Downloaded nmap 7.92 source tarball,

```
$ ./configure --with-openssl=/usr/local --with-localdirs
$ grep HAVE_OPENSSL_EC nmap_config.h
/* #undef HAVE_OPENSSL_EC */'
$ grep EVP_PKEY_get1_EC_KEY /usr/local/lib64/libcrypto.so
000000000017be90 T EVP_PKEY_get1_EC_KEY
```
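
A post-configure check for the mismatch reported above, as an added example that is not part of the original thread or of the Nmap project: it compares whether nmap_config.h actively defines HAVE_OPENSSL_EC with whether a symbol listing of the local libcrypto exports EVP_PKEY_get1_EC_KEY. The function names and the symbol-listing file (for example the output of `nm -D --defined-only` saved to a text file) are assumptions.

```shell
#!/bin/sh
# Added example (not Nmap project code). Usage (assumed file names):
#   nm -D --defined-only /usr/local/lib64/libcrypto.so > syms.txt
#   sh check_ec.sh nmap_config.h syms.txt

# Succeeds only if HAVE_OPENSSL_EC is an active #define; the
# commented-out "/* #undef HAVE_OPENSSL_EC */" line does not count.
ec_in_config() {
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+HAVE_OPENSSL_EC([[:space:]]|$)' "$1"
}

# Succeeds if the listing has EVP_PKEY_get1_EC_KEY as a defined text (T)
# symbol. A symbol-version suffix such as "@@OPENSSL_1_1_0" is ignored.
ec_in_libcrypto() {
    awk '{ name = $NF; sub(/@.*/, "", name) }
         name == "EVP_PKEY_get1_EC_KEY" && $(NF-1) == "T" { found = 1 }
         END { exit !found }' "$1"
}

# check_ec_config CONFIG_H SYMBOL_LISTING
# Returns 0 when both agree, 1 when libcrypto has EC support but the
# config header lacks HAVE_OPENSSL_EC (the case in this issue), and 2
# when the header claims EC support that the library does not export.
check_ec_config() {
    cfg=$1
    syms=$2
    if ec_in_libcrypto "$syms"; then lib=yes; else lib=no; fi
    if ec_in_config "$cfg"; then conf=yes; else conf=no; fi
    case "$lib/$conf" in
        yes/no)
            echo "MISMATCH: libcrypto exports EVP_PKEY_get1_EC_KEY but HAVE_OPENSSL_EC is not defined"
            return 1 ;;
        no/yes)
            echo "MISMATCH: HAVE_OPENSSL_EC is defined but libcrypto does not export EVP_PKEY_get1_EC_KEY"
            return 2 ;;
        *)
            echo "OK: libcrypto EC=$lib, HAVE_OPENSSL_EC=$conf"
            return 0 ;;
    esac
}

# Run the check only when both file arguments are supplied.
if [ "$#" -eq 2 ]; then
    check_ec_config "$1" "$2"
fi
```

A return status of 1 after `./configure --with-openssl=...` indicates the build would report EC certificate keys as type "other", as described in the report.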

@nnposter nnposter self-assigned this Jan 28, 2022

@nnposter nnposter commented Jan 28, 2022

Thank you for reporting the issue, including the root cause, which is extremely helpful. I am in the middle of sketching a fix.

@nnposter nnposter commented Jan 30, 2022

If possible, please test the referenced PR (#2436) and report back.

@nnposter nnposter added the Linux label Jan 31, 2022

@andywebber andywebber commented Feb 1, 2022

All good.
I brought in that commit, make distclean, autoconf, ./configure with various options for local OpenSSL and they all resulted in HAVE_OPENSSL_EC being set correctly in nmap_config.h. Furthermore, the subsequent makes all worked as expected too.
Fix looks good to me. Thanks!

@nmap nmap deleted a comment Apr 11, 2022