diff --git a/INSTALL b/INSTALL index c282a729c..bc6be1c62 100644 --- a/INSTALL +++ b/INSTALL @@ -545,14 +545,15 @@ Authentication options: --enable-gcrypt[=DIR] Use GNU crypt's SHA-2 message digest functions instead of the ones bundled with sudo (or in the system's C library). - If specified, DIR should contain include and lib directories - with gcrypt.h and libgcrypt respectively. + If specified, DIR should contain the GNU crypt include and + lib directories. --enable-openssl[=DIR] - Use OpenSSL's SHA-2 message digest functions instead of the - ones bundled with sudo (or in the system's C library). - If specified, DIR should contain include and lib directories - with openssl/sha.h and libcrypto respectively. + Use OpenSSL's TLS and SHA-2 message digest functions. + By default, sudo does not support TLS and will use either its + own SHA-2 functions or the ones in the system's C library. + If specified, DIR should contain the OpenSSL include and + lib directories. Development options: --enable-env-debug diff --git a/config.h.in b/config.h.in index 536416f88..02214844b 100644 --- a/config.h.in +++ b/config.h.in @@ -715,6 +715,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_SPAWN_H +/* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */ +#undef HAVE_SSL_CTX_SET_CIPHERSUITES + /* Define to 1 to enable SSSD support. */ #undef HAVE_SSSD diff --git a/configure b/configure index 8fd21244b..734a0ac48 100755 --- a/configure +++ b/configure @@ -743,8 +743,8 @@ COMPAT_TEST_PROGS LOCALEDIR_SUFFIX SUDO_NLS LIBPTHREAD +LIBTLS LIBMD -OPENSSL_LIBS LIBINTL LIBRT LIBDL @@ -3082,6 +3082,7 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;} + # @@ -3153,7 +3154,7 @@ PSMAN=0 SEMAN=0 LIBINTL= LIBMD= -OPENSSL_LIBS= +LIBTLS= ZLIB= ZLIB_SRC= AUTH_OBJS= 
@@ -6430,8 +6431,7 @@ if test "${enable_openssl+set}" = set; then : enableval=$enable_openssl; case $enableval in no) ;; *) LIBMD="-lcrypto" - OPENSSL_LIBS="-lcrypto -lssl" - DIGEST=digest_openssl.lo + LIBTLS="-lssl -lcrypto" $as_echo "#define HAVE_OPENSSL 1" >>confdefs.h if test "$enableval" != "yes"; then @@ -21529,6 +21529,47 @@ cat >>confdefs.h <<_ACEOF _ACEOF +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_ciphersuites in -lssl" >&5 +$as_echo_n "checking for SSL_CTX_set_ciphersuites in -lssl... " >&6; } +if ${ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lssl crypto $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char SSL_CTX_set_ciphersuites (); +int +main () +{ +return SSL_CTX_set_ciphersuites (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto=yes +else + ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" >&5 +$as_echo "$ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" >&6; } +if test "x$ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" = xyes; then : + $as_echo "#define HAVE_SSL_CTX_SET_CIPHERSUITES 1" >>confdefs.h + fi OLIBS="$LIBS" @@ -29425,5 +29466,6 @@ fi + diff --git a/configure.ac b/configure.ac index f0912d175..e047033d5 100644 --- a/configure.ac +++ b/configure.ac 
@@ -94,6 +94,7 @@ AC_SUBST([LIBDL]) AC_SUBST([LIBRT]) AC_SUBST([LIBINTL]) AC_SUBST([LIBMD]) +AC_SUBST([LIBTLS]) AC_SUBST([LIBPTHREAD]) AC_SUBST([SUDO_NLS]) AC_SUBST([LOCALEDIR_SUFFIX]) @@ -231,6 +232,7 @@ PSMAN=0 SEMAN=0 LIBINTL= LIBMD= +LIBTLS= ZLIB= ZLIB_SRC= AUTH_OBJS= @@ -1485,11 +1487,11 @@ AC_ARG_ENABLE(werror, ]) AC_ARG_ENABLE(openssl, -[AS_HELP_STRING([--enable-openssl], [Use OpenSSL's message digest functions instead of sudo's])], +[AS_HELP_STRING([--enable-openssl], [Use OpenSSL's TLS and sha2 functions])], [ case $enableval in no) ;; *) LIBMD="-lcrypto" - DIGEST=digest_openssl.lo + LIBTLS="-lssl -lcrypto" AC_DEFINE(HAVE_OPENSSL) if test "$enableval" != "yes"; then AX_APPEND_FLAG([-I${enableval}/include], [CPPFLAGS]) @@ -2890,6 +2892,10 @@ AC_INCLUDES_DEFAULT #include <$ac_header_dirent> ]) dnl +dnl Check for SSL_CTX_set_ciphersuites supported by OpenSSL 1.1 and higher +dnl +AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [crypto]) +dnl dnl If socket(2) not in libc, check -lsocket and -linet dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols dnl @@ -4650,8 +4656,9 @@ AH_TEMPLATE(HAVE_KINFO_PROC_44BSD, [Define to 1 if your system has a 4.4BSD-styl AH_TEMPLATE(HAVE_KINFO_PROC_FREEBSD, [Define to 1 if your system has a FreeBSD-style kinfo_proc struct.]) AH_TEMPLATE(HAVE_KINFO_PROC2_NETBSD, [Define to 1 if your system has a NetBSD-style kinfo_proc2 struct.]) AH_TEMPLATE(HAVE_KINFO_PROC_OPENBSD, [Define to 1 if your system has an OpenBSD-style kinfo_proc struct.]) -AH_TEMPLATE(HAVE_OPENSSL, [Define to 1 if you are using OpenSSL's sha2 functions.]) +AH_TEMPLATE(HAVE_OPENSSL, [Define to 1 if you are using OpenSSL's TLS and sha2 functions.]) AH_TEMPLATE(HAVE_GCRYPT, [Define to 1 if you are using gcrypt's sha2 functions.]) +AH_TEMPLATE(HAVE_SSL_CTX_SET_CIPHERSUITES, [Define to 1 if you have the `SSL_CTX_set_ciphersuites' function.]) dnl dnl Bits to copy verbatim into config.h.in dnl 
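Review bot: The fifth argument of the new AC_CHECK_LIB, `[crypto]`, is passed to the linker verbatim, and the regenerated configure hunk above shows the result, `LIBS="-lssl crypto $LIBS"`: most toolchains treat the bare `crypto` as an input file, so the link test fails for a missing file rather than a missing symbol and HAVE_SSL_CTX_SET_CIPHERSUITES is never defined. The argument should be `[-lcrypto]`, i.e. `AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [-lcrypto])`. As written, the TLSv1.3 ciphersuite handling that logsrvd.c now wraps in `# if defined(HAVE_SSL_CTX_SET_CIPHERSUITES)` is compiled out even on OpenSSL versions that provide the function, so an administrator's TLS 1.3 ciphersuite list is silently not applied. The check also runs whether or not --enable-openssl was given; wrapping it as `AS_IF([test -n "$LIBTLS"], [AC_CHECK_LIB(...)])` would avoid probing for and defining the symbol in builds that do not link TLS at all.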
diff --git a/logsrvd/Makefile.in b/logsrvd/Makefile.in index 955ed646f..f5bc9b98f 100644 --- a/logsrvd/Makefile.in +++ b/logsrvd/Makefile.in @@ -40,7 +40,7 @@ INSTALL_BACKUP = @INSTALL_BACKUP@ # Libraries LT_LIBS = $(top_builddir)/lib/iolog/libsudo_iolog.la -LIBS = $(LT_LIBS) +LIBS = $(LT_LIBS) @LIBTLS@ # C preprocessor defines CPPDEFS = -D_PATH_SUDO_LOGSRVD_CONF=\"$(sysconfdir)/sudo_logsrvd.conf\" \ @@ -72,8 +72,6 @@ PIE_LDFLAGS = @PIE_LDFLAGS@ SSP_CFLAGS = @SSP_CFLAGS@ SSP_LDFLAGS = @SSP_LDFLAGS@ -OPENSSL_LIBS = @OPENSSL_LIBS@ - # cppcheck options, usually set in the top-level Makefile CPPCHECK_OPTS = -q --force --enable=warning,performance,portability --suppress=constStatement --error-exitcode=1 --inline-suppr -Dva_copy=va_copy -U__cplusplus -UQUAD_MAX -UQUAD_MIN -UUQUAD_MAX -U_POSIX_HOST_NAME_MAX -U_POSIX_PATH_MAX -U__NBBY -DNSIG=64 @@ -147,10 +145,10 @@ Makefile: $(srcdir)/Makefile.in ifile=$<; rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $${ifile%i}c --i-file $< --output-file $@ sudo_logsrvd: $(LOGSRVD_OBJS) $(LT_LIBS) - $(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(LOGSRVD_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS) $(OPENSSL_LIBS) + $(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(LOGSRVD_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS) sudo_sendlog: $(SENDLOG_OBJS) $(LT_LIBS) - $(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(SENDLOG_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS) $(OPENSSL_LIBS) + $(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(SENDLOG_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS) GENERATED = log_server.pb-c.h log_server.pb-c.c diff --git a/logsrvd/logsrvd.c b/logsrvd/logsrvd.c index d09b197d4..2e9c379cc 100644 --- a/logsrvd/logsrvd.c +++ b/logsrvd/logsrvd.c 
@@ -974,6 +974,7 @@ init_tls_ciphersuites(SSL_CTX *ctx, const struct logsrvd_tls_config *tls_config) } } +# if defined(HAVE_SSL_CTX_SET_CIPHERSUITES) if (tls_config->ciphers_v13) { /* try to set TLSv1.3 ciphersuite list from config */ if (SSL_CTX_set_ciphersuites(ctx, tls_config->ciphers_v13)) { @@ -998,6 +999,7 @@ init_tls_ciphersuites(SSL_CTX *ctx, const struct logsrvd_tls_config *tls_config) LOGSRVD_DEFAULT_CIPHER_LST13); } } +# endif debug_return_bool(true); } @@ -1119,7 +1121,7 @@ bad: good: debug_return_ptr(ctx); } -#endif +#endif /* HAVE_OPENSSL */ /* * Allocate a new connection closure.
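Review bot: When HAVE_SSL_CTX_SET_CIPHERSUITES is not defined, the new `# if` / `# endif` pair (first and second hunks) removes the whole ciphers_v13 branch, so a TLSv1.3 ciphersuite list taken from the configuration is accepted but never applied and OpenSSL's default TLSv1.3 ciphersuites are used with no indication to the administrator. An `# else` branch that reports the dropped setting would make that visible, e.g. `# else` / `if (tls_config->ciphers_v13 != NULL) { /* log: TLSv1.3 ciphersuite list ignored, this OpenSSL lacks SSL_CTX_set_ciphersuites */ }` using the file's existing logging path, or alternatively reject the option at config-parse time so the operator learns of it before the server starts. The body of init_tls_ciphersuites begins before the first hunk, so the TLSv1.2 cipher handling that precedes the guarded block is not visible here.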