Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HAVE_OPENSSL_EC not set when building with local OpenSSL #2420

Closed
andywebber opened this issue Jan 5, 2022 · 3 comments
Closed

HAVE_OPENSSL_EC not set when building with local OpenSSL #2420

andywebber opened this issue Jan 5, 2022 · 3 comments
Assignees
@nnposter
Labels
bug Linux Nmap

Comments

@andywebber
Copy link

HAVE_OPENSSL_EC doesn't get checked and set when building with a local version of OpenSSL, and the default is no EC support. As a consequence, scripts like ssl_cert.nse will display certs with elliptic curve keys as type "other" rather than as type "ec". This is becuase lua structures won't get populated in nse_ssl_cert.cc

nmap/nse_ssl_cert.cc

Line 577 in e8df904

#ifdef HAVE_OPENSSL_EC
and hence won't be available in nse lua scripts.
The root cause appears to be that the check at

nmap/configure.ac

Line 399 in e8df904

AC_CHECK_LIB(crypto, EVP_PKEY_get1_EC_KEY,
is not reached because it is inside the if at

nmap/configure.ac

Line 366 in e8df904

if test "$use_openssl" = "yes" -a -z "$specialssldir"; then
which requires that $specialssldir is zero length, but it would be non-zero length if "--with-openssl" is specified, for example as "--with-openssl=/usr/local".
This particularly applies if the desire is to build nmap with static libraries and hence not wanting to put the local libraries and includes into the system default serach paths.
A hacky workaround is to explicitly add
#define HAVE_OPENSSL_EC 1
to nmap_config.h after running ./configure
Reproduction: Environment: Oracle Linux 7.9. Downloaded and built openssl 1.1.1m from openssl source tarball and "make install" to /usr/local. Downloaded nmap 7.92 source tarball,
$ ./configure --with-openssl=/usr/local --with-localdirs
$ grep HAVE_OPENSSL_EC nmap_config.h
/* #undef HAVE_OPENSSL_EC */'
$ grep EVP_PKEY_get1_EC_KEY /usr/local/lib64/libcrypto.so
000000000017be90 T EVP_PKEY_get1_EC_KEY
@nnposter nnposter self-assigned this Jan 28, 2022
@nnposter
Copy link

Thank you for reporting the issue, including the root cause, which is extremely helpful. I am in the middle of sketching a fix.

@nnposter nnposter mentioned this issue Jan 30, 2022
Closed
@nnposter
Copy link

If possible, please test the referenced PR (#2436) and report back.

@nnposter nnposter added the Linux label Jan 31, 2022
@andywebber
Copy link
Author

andywebber commented Feb 1, 2022
edited

All good.
I brought in that commit, make distclean, autoconf, ./configure with various options for local OpenSSL and they all resulted in HAVE_OPENSSL_EC being set correctly in nmap_config.h. Furthermore, the subsequent makes all worked as expected too.
Fix looks good to me. Thanks!

@nmap nmap deleted a comment Apr 11, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nnposter nnposter

Labels
bug Linux Nmap
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Verify OpenSSL even if custom location is requested
2 participants
@andywebber @nnposter