
LibreSSL and older OpenSSL don't support SSL_CTX_set_ciphersuites().

Add a configure test and skip TLS 1.3 setup if it is missing.
We still accept the tls_ciphers13 config setting but it will be ignored.
Todd C. Miller 2019-11-15 13:19:28 -07:00
parent 68480b0959
commit 690f145d3f
6 changed files with 72 additions and 19 deletions

INSTALL

@ -545,14 +545,15 @@ Authentication options:
--enable-gcrypt[=DIR] --enable-gcrypt[=DIR]
Use GNU crypt's SHA-2 message digest functions instead of the Use GNU crypt's SHA-2 message digest functions instead of the
ones bundled with sudo (or in the system's C library). ones bundled with sudo (or in the system's C library).
If specified, DIR should contain include and lib directories If specified, DIR should contain the GNU crypt include and
with gcrypt.h and libgcrypt respectively. lib directories.
--enable-openssl[=DIR] --enable-openssl[=DIR]
Use OpenSSL's SHA-2 message digest functions instead of the Use OpenSSL's TLS and SHA-2 message digest functions.
ones bundled with sudo (or in the system's C library). By default, sudo does not support TLS and will use either its
If specified, DIR should contain include and lib directories own SHA-2 functions or the ones in the system's C library.
with openssl/sha.h and libcrypto respectively. If specified, DIR should contain the OpenSSL include and
lib directories.
Development options: Development options:
--enable-env-debug --enable-env-debug


@ -715,6 +715,9 @@
/* Define to 1 if you have the <spawn.h> header file. */ /* Define to 1 if you have the <spawn.h> header file. */
#undef HAVE_SPAWN_H #undef HAVE_SPAWN_H
/* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */
#undef HAVE_SSL_CTX_SET_CIPHERSUITES
/* Define to 1 to enable SSSD support. */ /* Define to 1 to enable SSSD support. */
#undef HAVE_SSSD #undef HAVE_SSSD

configure vendored

@ -743,8 +743,8 @@ COMPAT_TEST_PROGS
LOCALEDIR_SUFFIX LOCALEDIR_SUFFIX
SUDO_NLS SUDO_NLS
LIBPTHREAD LIBPTHREAD
LIBTLS
LIBMD LIBMD
OPENSSL_LIBS
LIBINTL LIBINTL
LIBRT LIBRT
LIBDL LIBDL
@ -3082,6 +3082,7 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;}
# #
@ -3153,7 +3154,7 @@ PSMAN=0
SEMAN=0 SEMAN=0
LIBINTL= LIBINTL=
LIBMD= LIBMD=
OPENSSL_LIBS= LIBTLS=
ZLIB= ZLIB=
ZLIB_SRC= ZLIB_SRC=
AUTH_OBJS= AUTH_OBJS=
@ -6430,8 +6431,7 @@ if test "${enable_openssl+set}" = set; then :
enableval=$enable_openssl; case $enableval in enableval=$enable_openssl; case $enableval in
no) ;; no) ;;
*) LIBMD="-lcrypto" *) LIBMD="-lcrypto"
OPENSSL_LIBS="-lcrypto -lssl" LIBTLS="-lssl -lcrypto"
DIGEST=digest_openssl.lo
$as_echo "#define HAVE_OPENSSL 1" >>confdefs.h $as_echo "#define HAVE_OPENSSL 1" >>confdefs.h
if test "$enableval" != "yes"; then if test "$enableval" != "yes"; then
@ -21529,6 +21529,47 @@ cat >>confdefs.h <<_ACEOF
_ACEOF _ACEOF
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_ciphersuites in -lssl" >&5
$as_echo_n "checking for SSL_CTX_set_ciphersuites in -lssl... " >&6; }
if ${ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lssl crypto $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char SSL_CTX_set_ciphersuites ();
int
main ()
{
return SSL_CTX_set_ciphersuites ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto=yes
else
ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" >&5
$as_echo "$ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" >&6; }
if test "x$ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" = xyes; then :
$as_echo "#define HAVE_SSL_CTX_SET_CIPHERSUITES 1" >>confdefs.h
fi fi
OLIBS="$LIBS" OLIBS="$LIBS"
@ -29425,5 +29466,6 @@ fi


@ -94,6 +94,7 @@ AC_SUBST([LIBDL])
AC_SUBST([LIBRT]) AC_SUBST([LIBRT])
AC_SUBST([LIBINTL]) AC_SUBST([LIBINTL])
AC_SUBST([LIBMD]) AC_SUBST([LIBMD])
AC_SUBST([LIBTLS])
AC_SUBST([LIBPTHREAD]) AC_SUBST([LIBPTHREAD])
AC_SUBST([SUDO_NLS]) AC_SUBST([SUDO_NLS])
AC_SUBST([LOCALEDIR_SUFFIX]) AC_SUBST([LOCALEDIR_SUFFIX])
@ -231,6 +232,7 @@ PSMAN=0
SEMAN=0 SEMAN=0
LIBINTL= LIBINTL=
LIBMD= LIBMD=
LIBTLS=
ZLIB= ZLIB=
ZLIB_SRC= ZLIB_SRC=
AUTH_OBJS= AUTH_OBJS=
@ -1485,11 +1487,11 @@ AC_ARG_ENABLE(werror,
]) ])
AC_ARG_ENABLE(openssl, AC_ARG_ENABLE(openssl,
[AS_HELP_STRING([--enable-openssl], [Use OpenSSL's message digest functions instead of sudo's])], [AS_HELP_STRING([--enable-openssl], [Use OpenSSL's TLS and sha2 functions])],
[ case $enableval in [ case $enableval in
no) ;; no) ;;
*) LIBMD="-lcrypto" *) LIBMD="-lcrypto"
DIGEST=digest_openssl.lo LIBTLS="-lssl -lcrypto"
AC_DEFINE(HAVE_OPENSSL) AC_DEFINE(HAVE_OPENSSL)
if test "$enableval" != "yes"; then if test "$enableval" != "yes"; then
AX_APPEND_FLAG([-I${enableval}/include], [CPPFLAGS]) AX_APPEND_FLAG([-I${enableval}/include], [CPPFLAGS])
@ -2890,6 +2892,10 @@ AC_INCLUDES_DEFAULT
#include <$ac_header_dirent> #include <$ac_header_dirent>
]) ])
dnl dnl
dnl Check for SSL_CTX_set_ciphersuites supported by OpenSSL 1.1 and higher
dnl
AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [crypto])
dnl
dnl If socket(2) not in libc, check -lsocket and -linet dnl If socket(2) not in libc, check -lsocket and -linet
dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols
dnl dnl
@ -4650,8 +4656,9 @@ AH_TEMPLATE(HAVE_KINFO_PROC_44BSD, [Define to 1 if your system has a 4.4BSD-styl
AH_TEMPLATE(HAVE_KINFO_PROC_FREEBSD, [Define to 1 if your system has a FreeBSD-style kinfo_proc struct.]) AH_TEMPLATE(HAVE_KINFO_PROC_FREEBSD, [Define to 1 if your system has a FreeBSD-style kinfo_proc struct.])
AH_TEMPLATE(HAVE_KINFO_PROC2_NETBSD, [Define to 1 if your system has a NetBSD-style kinfo_proc2 struct.]) AH_TEMPLATE(HAVE_KINFO_PROC2_NETBSD, [Define to 1 if your system has a NetBSD-style kinfo_proc2 struct.])
AH_TEMPLATE(HAVE_KINFO_PROC_OPENBSD, [Define to 1 if your system has an OpenBSD-style kinfo_proc struct.]) AH_TEMPLATE(HAVE_KINFO_PROC_OPENBSD, [Define to 1 if your system has an OpenBSD-style kinfo_proc struct.])
AH_TEMPLATE(HAVE_OPENSSL, [Define to 1 if you are using OpenSSL's sha2 functions.]) AH_TEMPLATE(HAVE_OPENSSL, [Define to 1 if you are using OpenSSL's TLS and sha2 functions.])
AH_TEMPLATE(HAVE_GCRYPT, [Define to 1 if you are using gcrypt's sha2 functions.]) AH_TEMPLATE(HAVE_GCRYPT, [Define to 1 if you are using gcrypt's sha2 functions.])
AH_TEMPLATE(HAVE_SSL_CTX_SET_CIPHERSUITES, [Define to 1 if you have the `SSL_CTX_set_ciphersuites' function.])
dnl dnl
dnl Bits to copy verbatim into config.h.in dnl Bits to copy verbatim into config.h.in
dnl dnl
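Review bot: The other-libraries argument of the new AC_CHECK_LIB for SSL_CTX_set_ciphersuites is the bare word `[crypto]` rather than `[-lcrypto]`, so it reaches the link test as an input file name, not a library — the regenerated configure in this same commit shows `LIBS="-lssl crypto $LIBS"` and a cache variable named `ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto`. Unless a file literally called `crypto` exists in the build directory the compiler driver will reject it, the test fails regardless of what libssl provides, HAVE_SSL_CTX_SET_CIPHERSUITES is never defined, and tls_ciphers13 ends up silently ignored even on OpenSSL 1.1.1, which defeats the purpose of the check. The fix is one line: `AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [-lcrypto])`. Since the result only matters when --enable-openssl is in effect, consider wrapping the check in `if test -n "$LIBTLS"; then … fi` so builds that did not ask for OpenSSL do not probe -lssl from the default search path; the -L flag for --enable-openssl=DIR is added outside this hunk, so also confirm it is already in LDFLAGS by the time this check runs, otherwise a non-system OpenSSL will fail the probe for a second reason.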


@ -40,7 +40,7 @@ INSTALL_BACKUP = @INSTALL_BACKUP@
# Libraries # Libraries
LT_LIBS = $(top_builddir)/lib/iolog/libsudo_iolog.la LT_LIBS = $(top_builddir)/lib/iolog/libsudo_iolog.la
LIBS = $(LT_LIBS) LIBS = $(LT_LIBS) @LIBTLS@
# C preprocessor defines # C preprocessor defines
CPPDEFS = -D_PATH_SUDO_LOGSRVD_CONF=\"$(sysconfdir)/sudo_logsrvd.conf\" \ CPPDEFS = -D_PATH_SUDO_LOGSRVD_CONF=\"$(sysconfdir)/sudo_logsrvd.conf\" \
@ -72,8 +72,6 @@ PIE_LDFLAGS = @PIE_LDFLAGS@
SSP_CFLAGS = @SSP_CFLAGS@ SSP_CFLAGS = @SSP_CFLAGS@
SSP_LDFLAGS = @SSP_LDFLAGS@ SSP_LDFLAGS = @SSP_LDFLAGS@
OPENSSL_LIBS = @OPENSSL_LIBS@
# cppcheck options, usually set in the top-level Makefile # cppcheck options, usually set in the top-level Makefile
CPPCHECK_OPTS = -q --force --enable=warning,performance,portability --suppress=constStatement --error-exitcode=1 --inline-suppr -Dva_copy=va_copy -U__cplusplus -UQUAD_MAX -UQUAD_MIN -UUQUAD_MAX -U_POSIX_HOST_NAME_MAX -U_POSIX_PATH_MAX -U__NBBY -DNSIG=64 CPPCHECK_OPTS = -q --force --enable=warning,performance,portability --suppress=constStatement --error-exitcode=1 --inline-suppr -Dva_copy=va_copy -U__cplusplus -UQUAD_MAX -UQUAD_MIN -UUQUAD_MAX -U_POSIX_HOST_NAME_MAX -U_POSIX_PATH_MAX -U__NBBY -DNSIG=64
@ -147,10 +145,10 @@ Makefile: $(srcdir)/Makefile.in
ifile=$<; rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $${ifile%i}c --i-file $< --output-file $@ ifile=$<; rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $${ifile%i}c --i-file $< --output-file $@
sudo_logsrvd: $(LOGSRVD_OBJS) $(LT_LIBS) sudo_logsrvd: $(LOGSRVD_OBJS) $(LT_LIBS)
$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(LOGSRVD_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS) $(OPENSSL_LIBS) $(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(LOGSRVD_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS)
sudo_sendlog: $(SENDLOG_OBJS) $(LT_LIBS) sudo_sendlog: $(SENDLOG_OBJS) $(LT_LIBS)
$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(SENDLOG_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS) $(OPENSSL_LIBS) $(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(SENDLOG_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS)
GENERATED = log_server.pb-c.h log_server.pb-c.c GENERATED = log_server.pb-c.h log_server.pb-c.c


@ -974,6 +974,7 @@ init_tls_ciphersuites(SSL_CTX *ctx, const struct logsrvd_tls_config *tls_config)
} }
} }
# if defined(HAVE_SSL_CTX_SET_CIPHERSUITES)
if (tls_config->ciphers_v13) { if (tls_config->ciphers_v13) {
/* try to set TLSv1.3 ciphersuite list from config */ /* try to set TLSv1.3 ciphersuite list from config */
if (SSL_CTX_set_ciphersuites(ctx, tls_config->ciphers_v13)) { if (SSL_CTX_set_ciphersuites(ctx, tls_config->ciphers_v13)) {
@ -998,6 +999,7 @@ init_tls_ciphersuites(SSL_CTX *ctx, const struct logsrvd_tls_config *tls_config)
LOGSRVD_DEFAULT_CIPHER_LST13); LOGSRVD_DEFAULT_CIPHER_LST13);
} }
} }
# endif
debug_return_bool(true); debug_return_bool(true);
} }
@ -1119,7 +1121,7 @@ bad:
good: good:
debug_return_ptr(ctx); debug_return_ptr(ctx);
} }
#endif #endif /* HAVE_OPENSSL */
/* /*
* Allocate a new connection closure. * Allocate a new connection closure.
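Review bot: Wrapping the ciphers_v13 handling in `# if defined(HAVE_SSL_CTX_SET_CIPHERSUITES)` drops an operator's explicit TLS 1.3 cipher restriction without any diagnostic on builds where the function is missing; an administrator who set tls_ciphers13 to pin a small suite list will believe it is enforced while the library default governs. Note that in that configuration not even the `LOGSRVD_DEFAULT_CIPHER_LST13` fallback visible in the hunk is applied, only whatever the TLS library ships with, which on LibreSSL of this era may be no TLS 1.3 configurability at all — worth confirming. I would add an `# else` branch so the mismatch is at least logged at startup: `# else` / `if (tls_config->ciphers_v13 != NULL) { /* warn via the file's usual logging helper: tls_ciphers13 set but SSL_CTX_set_ciphersuites() unavailable, setting ignored */ }` / `# endif`, and say the same in the sudo_logsrvd.conf documentation for tls_ciphers13. init_tls_ciphersuites() begins before this hunk, so the `#ifdef HAVE_OPENSSL` the new `# endif` nests inside is not visible here; please double-check the preprocessor nesting compiles cleanly in both configurations.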