HAVE_OPENSSL_EC doesn't get checked and set when building with a local version of OpenSSL, and the default is no EC support. As a consequence, scripts like ssl_cert.nse will display certs with elliptic curve keys as type "other" rather than as type "ec". This is because Lua structures won't get populated in nse_ssl_cert.cc https://github.com/nmap/nmap/blob/e8df904e7e9455e0d8a246b40392c9766b2703eb/nse_ssl_cert.cc#L577 and hence won't be available in NSE Lua scripts.
The root cause appears to be that the check at https://github.com/nmap/nmap/blob/e8df904e7e9455e0d8a246b40392c9766b2703eb/configure.ac#L399 is not reached because it is inside the if at https://github.com/nmap/nmap/blob/e8df904e7e9455e0d8a246b40392c9766b2703eb/configure.ac#L366 which requires that $specialssldir is zero length, but it would be non-zero length if "--with-openssl" is specified, for example as "--with-openssl=/usr/local".
This particularly applies if the desire is to build nmap with static libraries and hence not wanting to put the local libraries and includes into the system default search paths.
A hacky workaround is to explicitly add
#define HAVE_OPENSSL_EC 1
to nmap_config.h after running ./configure
Reproduction: Environment: Oracle Linux 7.9. Downloaded and built openssl 1.1.1m from openssl source tarball and "make install" to /usr/local. Downloaded nmap 7.92 source tarball,
$ ./configure --with-openssl=/usr/local --with-localdirs
$ grep HAVE_OPENSSL_EC nmap_config.h
/* #undef HAVE_OPENSSL_EC */'
$ grep EVP_PKEY_get1_EC_KEY /usr/local/lib64/libcrypto.so
000000000017be90 T EVP_PKEY_get1_EC_KEY
All good.
I brought in that commit, make distclean, autoconf, ./configure with various options for local OpenSSL and they all resulted in HAVE_OPENSSL_EC being set correctly in nmap_config.h. Furthermore, the subsequent makes all worked as expected too.
Fix looks good to me. Thanks!
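A post-configure check for the mismatch reported in this issue, as an added example that is not part of the original thread or of nmap's build system: it compares the generated nmap_config.h with the symbols exported by the libcrypto that was selected. The function names and the use of saved `nm -D --defined-only` output as input are assumptions of the example.

```shell
#!/bin/sh
# Added example (not nmap code): flag a build where ./configure left
# HAVE_OPENSSL_EC undefined although the selected libcrypto exports the EC API.

# True only for an active "#define MACRO"; autoheader's commented-out
# "/* #undef MACRO */" form does not match.
header_defines() {  # $1 = config header, $2 = macro name
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# True if saved `nm -D --defined-only libcrypto.so` output lists SYMBOL as text (T).
lib_exports() {     # $1 = saved nm output, $2 = symbol name
    awk -v s="$2" '$2 == "T" && $3 == s { found = 1 } END { exit !found }' "$1"
}

# Prints enabled | disabled-consistent | MISMATCH; returns 1 on MISMATCH.
check_ec_consistency() {  # $1 = nmap_config.h, $2 = saved nm output
    if header_defines "$1" HAVE_OPENSSL_EC; then
        echo enabled
    elif lib_exports "$2" EVP_PKEY_get1_EC_KEY; then
        echo MISMATCH
        return 1
    else
        echo disabled-consistent
    fi
}

# Constructed inputs mirroring the two outputs quoted in the report.
demo_from_report() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '/* #undef HAVE_OPENSSL_EC */' > "$d/nmap_config.h"
    printf '%s\n' '000000000017be90 T EVP_PKEY_get1_EC_KEY' > "$d/syms.txt"
    check_ec_consistency "$d/nmap_config.h" "$d/syms.txt" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

# Real use: sh check.sh nmap_config.h syms.txt
if [ "$#" -eq 2 ]; then check_ec_consistency "$1" "$2"; fi
```

Run as a build gate after ./configure, a MISMATCH result means certificate scripts would report EC keys as "other" even though the linked library supports them.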