
LibreSSL and older OpenSSL don't support SSL_CTX_set_ciphersuites().

Add a configure test and skip TLS 1.3 setup if it is missing.
We still accept the tls_ciphers13 config setting but it will be ignored.
This commit is contained in:
Todd C. Miller 2019-11-15 13:19:28 -07:00
parent 68480b0959
commit 690f145d3f
6 changed files with 72 additions and 19 deletions

13
INSTALL

@ -545,14 +545,15 @@ Authentication options:
--enable-gcrypt[=DIR]
Use GNU crypt's SHA-2 message digest functions instead of the
ones bundled with sudo (or in the system's C library).
If specified, DIR should contain include and lib directories
with gcrypt.h and libgcrypt respectively.
If specified, DIR should contain the GNU crypt include and
lib directories.
--enable-openssl[=DIR]
Use OpenSSL's SHA-2 message digest functions instead of the
ones bundled with sudo (or in the system's C library).
If specified, DIR should contain include and lib directories
with openssl/sha.h and libcrypto respectively.
Use OpenSSL's TLS and SHA-2 message digest functions.
By default, sudo does not support TLS and will use either its
own SHA-2 functions or the ones in the system's C library.
If specified, DIR should contain the OpenSSL include and
lib directories.
Development options:
--enable-env-debug


@ -715,6 +715,9 @@
/* Define to 1 if you have the <spawn.h> header file. */
#undef HAVE_SPAWN_H
/* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */
#undef HAVE_SSL_CTX_SET_CIPHERSUITES
/* Define to 1 to enable SSSD support. */
#undef HAVE_SSSD

50
configure vendored

@ -743,8 +743,8 @@ COMPAT_TEST_PROGS
LOCALEDIR_SUFFIX
SUDO_NLS
LIBPTHREAD
LIBTLS
LIBMD
OPENSSL_LIBS
LIBINTL
LIBRT
LIBDL
@ -3082,6 +3082,7 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;}
#
@ -3153,7 +3154,7 @@ PSMAN=0
SEMAN=0
LIBINTL=
LIBMD=
OPENSSL_LIBS=
LIBTLS=
ZLIB=
ZLIB_SRC=
AUTH_OBJS=
@ -6430,8 +6431,7 @@ if test "${enable_openssl+set}" = set; then :
enableval=$enable_openssl; case $enableval in
no) ;;
*) LIBMD="-lcrypto"
OPENSSL_LIBS="-lcrypto -lssl"
DIGEST=digest_openssl.lo
LIBTLS="-lssl -lcrypto"
$as_echo "#define HAVE_OPENSSL 1" >>confdefs.h
if test "$enableval" != "yes"; then
@ -21529,6 +21529,47 @@ cat >>confdefs.h <<_ACEOF
_ACEOF
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_ciphersuites in -lssl" >&5
$as_echo_n "checking for SSL_CTX_set_ciphersuites in -lssl... " >&6; }
if ${ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lssl crypto $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char SSL_CTX_set_ciphersuites ();
int
main ()
{
return SSL_CTX_set_ciphersuites ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto=yes
else
ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" >&5
$as_echo "$ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" >&6; }
if test "x$ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" = xyes; then :
$as_echo "#define HAVE_SSL_CTX_SET_CIPHERSUITES 1" >>confdefs.h
fi
OLIBS="$LIBS"
@ -29425,5 +29466,6 @@ fi


@ -94,6 +94,7 @@ AC_SUBST([LIBDL])
AC_SUBST([LIBRT])
AC_SUBST([LIBINTL])
AC_SUBST([LIBMD])
AC_SUBST([LIBTLS])
AC_SUBST([LIBPTHREAD])
AC_SUBST([SUDO_NLS])
AC_SUBST([LOCALEDIR_SUFFIX])
@ -231,6 +232,7 @@ PSMAN=0
SEMAN=0
LIBINTL=
LIBMD=
LIBTLS=
ZLIB=
ZLIB_SRC=
AUTH_OBJS=
@ -1485,11 +1487,11 @@ AC_ARG_ENABLE(werror,
])
AC_ARG_ENABLE(openssl,
[AS_HELP_STRING([--enable-openssl], [Use OpenSSL's message digest functions instead of sudo's])],
[AS_HELP_STRING([--enable-openssl], [Use OpenSSL's TLS and sha2 functions])],
[ case $enableval in
no) ;;
*) LIBMD="-lcrypto"
DIGEST=digest_openssl.lo
LIBTLS="-lssl -lcrypto"
AC_DEFINE(HAVE_OPENSSL)
if test "$enableval" != "yes"; then
AX_APPEND_FLAG([-I${enableval}/include], [CPPFLAGS])
@ -2890,6 +2892,10 @@ AC_INCLUDES_DEFAULT
#include <$ac_header_dirent>
])
dnl
dnl Check for SSL_CTX_set_ciphersuites supported by OpenSSL 1.1 and higher
dnl
AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [crypto])
dnl
dnl If socket(2) not in libc, check -lsocket and -linet
dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols
dnl
@ -4650,8 +4656,9 @@ AH_TEMPLATE(HAVE_KINFO_PROC_44BSD, [Define to 1 if your system has a 4.4BSD-styl
AH_TEMPLATE(HAVE_KINFO_PROC_FREEBSD, [Define to 1 if your system has a FreeBSD-style kinfo_proc struct.])
AH_TEMPLATE(HAVE_KINFO_PROC2_NETBSD, [Define to 1 if your system has a NetBSD-style kinfo_proc2 struct.])
AH_TEMPLATE(HAVE_KINFO_PROC_OPENBSD, [Define to 1 if your system has an OpenBSD-style kinfo_proc struct.])
AH_TEMPLATE(HAVE_OPENSSL, [Define to 1 if you are using OpenSSL's sha2 functions.])
AH_TEMPLATE(HAVE_OPENSSL, [Define to 1 if you are using OpenSSL's TLS and sha2 functions.])
AH_TEMPLATE(HAVE_GCRYPT, [Define to 1 if you are using gcrypt's sha2 functions.])
AH_TEMPLATE(HAVE_SSL_CTX_SET_CIPHERSUITES, [Define to 1 if you have the `SSL_CTX_set_ciphersuites' function.])
dnl
dnl Bits to copy verbatim into config.h.in
dnl
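Review bot: The fifth argument of the new AC_CHECK_LIB call for SSL_CTX_set_ciphersuites is `[crypto]`, but AC_CHECK_LIB passes that other-libraries argument verbatim onto the link line, so it has to be `[-lcrypto]`; the regenerated configure in this same commit shows the consequence with `LIBS="-lssl crypto $LIBS"` and the cache variable `ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto`. The compiler driver treats the bare word `crypto` as an input file, the probe fails to link, HAVE_SSL_CTX_SET_CIPHERSUITES is never defined, and the TLS 1.3 ciphersuite setup the commit guards is silently skipped even on an OpenSSL that supports it. Proposed line: `AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [-lcrypto])`. The comment above it would also be more accurate as `dnl Check for SSL_CTX_set_ciphersuites supported by OpenSSL 1.1.1 and higher`, since 1.1.0 does not provide the function.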


@ -40,7 +40,7 @@ INSTALL_BACKUP = @INSTALL_BACKUP@
# Libraries
LT_LIBS = $(top_builddir)/lib/iolog/libsudo_iolog.la
LIBS = $(LT_LIBS)
LIBS = $(LT_LIBS) @LIBTLS@
# C preprocessor defines
CPPDEFS = -D_PATH_SUDO_LOGSRVD_CONF=\"$(sysconfdir)/sudo_logsrvd.conf\" \
@ -72,8 +72,6 @@ PIE_LDFLAGS = @PIE_LDFLAGS@
SSP_CFLAGS = @SSP_CFLAGS@
SSP_LDFLAGS = @SSP_LDFLAGS@
OPENSSL_LIBS = @OPENSSL_LIBS@
# cppcheck options, usually set in the top-level Makefile
CPPCHECK_OPTS = -q --force --enable=warning,performance,portability --suppress=constStatement --error-exitcode=1 --inline-suppr -Dva_copy=va_copy -U__cplusplus -UQUAD_MAX -UQUAD_MIN -UUQUAD_MAX -U_POSIX_HOST_NAME_MAX -U_POSIX_PATH_MAX -U__NBBY -DNSIG=64
@ -147,10 +145,10 @@ Makefile: $(srcdir)/Makefile.in
ifile=$<; rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $${ifile%i}c --i-file $< --output-file $@
sudo_logsrvd: $(LOGSRVD_OBJS) $(LT_LIBS)
$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(LOGSRVD_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS) $(OPENSSL_LIBS)
$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(LOGSRVD_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS)
sudo_sendlog: $(SENDLOG_OBJS) $(LT_LIBS)
$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(SENDLOG_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS) $(OPENSSL_LIBS)
$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(SENDLOG_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS)
GENERATED = log_server.pb-c.h log_server.pb-c.c


@ -974,6 +974,7 @@ init_tls_ciphersuites(SSL_CTX *ctx, const struct logsrvd_tls_config *tls_config)
}
}
# if defined(HAVE_SSL_CTX_SET_CIPHERSUITES)
if (tls_config->ciphers_v13) {
/* try to set TLSv1.3 ciphersuite list from config */
if (SSL_CTX_set_ciphersuites(ctx, tls_config->ciphers_v13)) {
@ -998,6 +999,7 @@ init_tls_ciphersuites(SSL_CTX *ctx, const struct logsrvd_tls_config *tls_config)
LOGSRVD_DEFAULT_CIPHER_LST13);
}
}
# endif
debug_return_bool(true);
}
@ -1119,7 +1121,7 @@ bad:
good:
debug_return_ptr(ctx);
}
#endif
#endif /* HAVE_OPENSSL */
/*
* Allocate a new connection closure.
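Review bot: Inside the new `# if defined(HAVE_SSL_CTX_SET_CIPHERSUITES)` guard in init_tls_ciphersuites (first hunk of this file), a configured tls_ciphers13 value is dropped with no diagnostic on builds where the function is absent, so an administrator who deliberately restricted the TLS 1.3 ciphersuites cannot tell from the logs that the restriction is not in effect. A small `# else` branch before the matching `# endif` in the second hunk would keep the commit's behaviour while making the dropped setting visible: `# else` / `if (tls_config->ciphers_v13) sudo_warnx("%s", U_("tls_ciphers13 ignored: SSL_CTX_set_ciphersuites() is not available"));`. The body of init_tls_ciphersuites begins before the first hunk, so the code that reports the other ciphersuite failures is not visible here and the warning should follow whatever form it uses. The `#endif /* HAVE_OPENSSL */` annotation in the last hunk is fine as is.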