LibreSSL and older OpenSSL don't support SSL_CTX_set_ciphersuites().
Add a configure test and skip TLS 1.3 setup if it is missing. We still accept the tls_ciphers13 config setting but it will be ignored.
This commit is contained in:
parent
68480b0959
commit
690f145d3f
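--- a/INSTALL
+++ b/INSTALL
@@ -545,14 +545,15 @@ Authentication options:
 --enable-gcrypt[=DIR]
 Use GNU crypt's SHA-2 message digest functions instead of the
 ones bundled with sudo (or in the system's C library).
-If specified, DIR should contain include and lib directories
-with gcrypt.h and libgcrypt respectively.
+If specified, DIR should contain the GNU crypt include and
+lib directories.
 
 --enable-openssl[=DIR]
-Use OpenSSL's SHA-2 message digest functions instead of the
-ones bundled with sudo (or in the system's C library).
-If specified, DIR should contain include and lib directories
-with openssl/sha.h and libcrypto respectively.
+Use OpenSSL's TLS and SHA-2 message digest functions.
+By default, sudo does not support TLS and will use either its
+own SHA-2 functions or the ones in the system's C library.
+If specified, DIR should contain the OpenSSL include and
+lib directories.
 
 Development options:
 --enable-env-debug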
@ -715,6 +715,9 @@
|
|||||||
/* Define to 1 if you have the <spawn.h> header file. */
|
/* Define to 1 if you have the <spawn.h> header file. */
|
||||||
#undef HAVE_SPAWN_H
|
#undef HAVE_SPAWN_H
|
||||||
|
|
||||||
|
/* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */
|
||||||
|
#undef HAVE_SSL_CTX_SET_CIPHERSUITES
|
||||||
|
|
||||||
/* Define to 1 to enable SSSD support. */
|
/* Define to 1 to enable SSSD support. */
|
||||||
#undef HAVE_SSSD
|
#undef HAVE_SSSD
|
||||||
|
|
||||||
|
50
configure
vendored
50
configure
vendored
@ -743,8 +743,8 @@ COMPAT_TEST_PROGS
|
|||||||
LOCALEDIR_SUFFIX
|
LOCALEDIR_SUFFIX
|
||||||
SUDO_NLS
|
SUDO_NLS
|
||||||
LIBPTHREAD
|
LIBPTHREAD
|
||||||
|
LIBTLS
|
||||||
LIBMD
|
LIBMD
|
||||||
OPENSSL_LIBS
|
|
||||||
LIBINTL
|
LIBINTL
|
||||||
LIBRT
|
LIBRT
|
||||||
LIBDL
|
LIBDL
|
||||||
@ -3082,6 +3082,7 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;}
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -3153,7 +3154,7 @@ PSMAN=0
|
|||||||
SEMAN=0
|
SEMAN=0
|
||||||
LIBINTL=
|
LIBINTL=
|
||||||
LIBMD=
|
LIBMD=
|
||||||
OPENSSL_LIBS=
|
LIBTLS=
|
||||||
ZLIB=
|
ZLIB=
|
||||||
ZLIB_SRC=
|
ZLIB_SRC=
|
||||||
AUTH_OBJS=
|
AUTH_OBJS=
|
||||||
@ -6430,8 +6431,7 @@ if test "${enable_openssl+set}" = set; then :
|
|||||||
enableval=$enable_openssl; case $enableval in
|
enableval=$enable_openssl; case $enableval in
|
||||||
no) ;;
|
no) ;;
|
||||||
*) LIBMD="-lcrypto"
|
*) LIBMD="-lcrypto"
|
||||||
OPENSSL_LIBS="-lcrypto -lssl"
|
LIBTLS="-lssl -lcrypto"
|
||||||
DIGEST=digest_openssl.lo
|
|
||||||
$as_echo "#define HAVE_OPENSSL 1" >>confdefs.h
|
$as_echo "#define HAVE_OPENSSL 1" >>confdefs.h
|
||||||
|
|
||||||
if test "$enableval" != "yes"; then
|
if test "$enableval" != "yes"; then
|
||||||
@ -21529,6 +21529,47 @@ cat >>confdefs.h <<_ACEOF
|
|||||||
_ACEOF
|
_ACEOF
|
||||||
|
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
|
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_ciphersuites in -lssl" >&5
|
||||||
|
$as_echo_n "checking for SSL_CTX_set_ciphersuites in -lssl... " >&6; }
|
||||||
|
if ${ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto+:} false; then :
|
||||||
|
$as_echo_n "(cached) " >&6
|
||||||
|
else
|
||||||
|
ac_check_lib_save_LIBS=$LIBS
|
||||||
|
LIBS="-lssl crypto $LIBS"
|
||||||
|
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||||
|
/* end confdefs.h. */
|
||||||
|
|
||||||
|
/* Override any GCC internal prototype to avoid an error.
|
||||||
|
Use char because int might match the return type of a GCC
|
||||||
|
builtin and then its argument prototype would still apply. */
|
||||||
|
#ifdef __cplusplus
|
||||||
|
extern "C"
|
||||||
|
#endif
|
||||||
|
char SSL_CTX_set_ciphersuites ();
|
||||||
|
int
|
||||||
|
main ()
|
||||||
|
{
|
||||||
|
return SSL_CTX_set_ciphersuites ();
|
||||||
|
;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
_ACEOF
|
||||||
|
if ac_fn_c_try_link "$LINENO"; then :
|
||||||
|
ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto=yes
|
||||||
|
else
|
||||||
|
ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto=no
|
||||||
|
fi
|
||||||
|
rm -f core conftest.err conftest.$ac_objext \
|
||||||
|
conftest$ac_exeext conftest.$ac_ext
|
||||||
|
LIBS=$ac_check_lib_save_LIBS
|
||||||
|
fi
|
||||||
|
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" >&5
|
||||||
|
$as_echo "$ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" >&6; }
|
||||||
|
if test "x$ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" = xyes; then :
|
||||||
|
$as_echo "#define HAVE_SSL_CTX_SET_CIPHERSUITES 1" >>confdefs.h
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
OLIBS="$LIBS"
|
OLIBS="$LIBS"
|
||||||
@ -29425,5 +29466,6 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
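--- a/configure.ac
+++ b/configure.ac
@@ -94,6 +94,7 @@ AC_SUBST([LIBDL])
 AC_SUBST([LIBRT])
 AC_SUBST([LIBINTL])
 AC_SUBST([LIBMD])
+AC_SUBST([LIBTLS])
 AC_SUBST([LIBPTHREAD])
 AC_SUBST([SUDO_NLS])
 AC_SUBST([LOCALEDIR_SUFFIX])
@@ -231,6 +232,7 @@ PSMAN=0
 SEMAN=0
 LIBINTL=
 LIBMD=
+LIBTLS=
 ZLIB=
 ZLIB_SRC=
 AUTH_OBJS=
@@ -1485,11 +1487,11 @@ AC_ARG_ENABLE(werror,
 ])
 
 AC_ARG_ENABLE(openssl,
-[AS_HELP_STRING([--enable-openssl], [Use OpenSSL's message digest functions instead of sudo's])],
+[AS_HELP_STRING([--enable-openssl], [Use OpenSSL's TLS and sha2 functions])],
 [ case $enableval in
 no) ;;
 *) LIBMD="-lcrypto"
-DIGEST=digest_openssl.lo
+LIBTLS="-lssl -lcrypto"
 AC_DEFINE(HAVE_OPENSSL)
 if test "$enableval" != "yes"; then
 AX_APPEND_FLAG([-I${enableval}/include], [CPPFLAGS])
@@ -2890,6 +2892,10 @@ AC_INCLUDES_DEFAULT
 #include <$ac_header_dirent>
 ])
 dnl
+dnl Check for SSL_CTX_set_ciphersuites supported by OpenSSL 1.1 and higher
+dnl
+AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [crypto])
+dnl
 dnl If socket(2) not in libc, check -lsocket and -linet
 dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols
 dnl
@@ -4650,8 +4656,9 @@ AH_TEMPLATE(HAVE_KINFO_PROC_44BSD, [Define to 1 if your system has a 4.4BSD-styl
 AH_TEMPLATE(HAVE_KINFO_PROC_FREEBSD, [Define to 1 if your system has a FreeBSD-style kinfo_proc struct.])
 AH_TEMPLATE(HAVE_KINFO_PROC2_NETBSD, [Define to 1 if your system has a NetBSD-style kinfo_proc2 struct.])
 AH_TEMPLATE(HAVE_KINFO_PROC_OPENBSD, [Define to 1 if your system has an OpenBSD-style kinfo_proc struct.])
-AH_TEMPLATE(HAVE_OPENSSL, [Define to 1 if you are using OpenSSL's sha2 functions.])
+AH_TEMPLATE(HAVE_OPENSSL, [Define to 1 if you are using OpenSSL's TLS and sha2 functions.])
 AH_TEMPLATE(HAVE_GCRYPT, [Define to 1 if you are using gcrypt's sha2 functions.])
+AH_TEMPLATE(HAVE_SSL_CTX_SET_CIPHERSUITES, [Define to 1 if you have the `SSL_CTX_set_ciphersuites' function.])
 dnl
 dnl Bits to copy verbatim into config.h.in
 dnl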
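Review bot: The OTHER-LIBRARIES argument of the new `AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, …, [], [crypto])` in the `@ -2890` hunk is passed to the linker verbatim, which is why the regenerated configure runs the probe with `LIBS="-lssl crypto $LIBS"`; the linker will look for an input file named `crypto`, so the probe fails on every platform and HAVE_SSL_CTX_SET_CIPHERSUITES is never defined, silently disabling TLS 1.3 ciphersuite configuration even on OpenSSL 1.1 and later. It should read `AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [-lcrypto])`. The check also appears to run regardless of --enable-openssl; wrapping it in a test on `$LIBTLS` being non-empty would avoid probing a libssl the build does not link against. Separately, the `@ -1485` hunk drops `DIGEST=digest_openssl.lo` from the openssl case; unless DIGEST is assigned elsewhere from LIBMD (outside these hunks), --enable-openssl would no longer select the OpenSSL digest implementation that the help string still advertises.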
@ -40,7 +40,7 @@ INSTALL_BACKUP = @INSTALL_BACKUP@
|
|||||||
|
|
||||||
# Libraries
|
# Libraries
|
||||||
LT_LIBS = $(top_builddir)/lib/iolog/libsudo_iolog.la
|
LT_LIBS = $(top_builddir)/lib/iolog/libsudo_iolog.la
|
||||||
LIBS = $(LT_LIBS)
|
LIBS = $(LT_LIBS) @LIBTLS@
|
||||||
|
|
||||||
# C preprocessor defines
|
# C preprocessor defines
|
||||||
CPPDEFS = -D_PATH_SUDO_LOGSRVD_CONF=\"$(sysconfdir)/sudo_logsrvd.conf\" \
|
CPPDEFS = -D_PATH_SUDO_LOGSRVD_CONF=\"$(sysconfdir)/sudo_logsrvd.conf\" \
|
||||||
@ -72,8 +72,6 @@ PIE_LDFLAGS = @PIE_LDFLAGS@
|
|||||||
SSP_CFLAGS = @SSP_CFLAGS@
|
SSP_CFLAGS = @SSP_CFLAGS@
|
||||||
SSP_LDFLAGS = @SSP_LDFLAGS@
|
SSP_LDFLAGS = @SSP_LDFLAGS@
|
||||||
|
|
||||||
OPENSSL_LIBS = @OPENSSL_LIBS@
|
|
||||||
|
|
||||||
# cppcheck options, usually set in the top-level Makefile
|
# cppcheck options, usually set in the top-level Makefile
|
||||||
CPPCHECK_OPTS = -q --force --enable=warning,performance,portability --suppress=constStatement --error-exitcode=1 --inline-suppr -Dva_copy=va_copy -U__cplusplus -UQUAD_MAX -UQUAD_MIN -UUQUAD_MAX -U_POSIX_HOST_NAME_MAX -U_POSIX_PATH_MAX -U__NBBY -DNSIG=64
|
CPPCHECK_OPTS = -q --force --enable=warning,performance,portability --suppress=constStatement --error-exitcode=1 --inline-suppr -Dva_copy=va_copy -U__cplusplus -UQUAD_MAX -UQUAD_MIN -UUQUAD_MAX -U_POSIX_HOST_NAME_MAX -U_POSIX_PATH_MAX -U__NBBY -DNSIG=64
|
||||||
|
|
||||||
@ -147,10 +145,10 @@ Makefile: $(srcdir)/Makefile.in
|
|||||||
ifile=$<; rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $${ifile%i}c --i-file $< --output-file $@
|
ifile=$<; rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $${ifile%i}c --i-file $< --output-file $@
|
||||||
|
|
||||||
sudo_logsrvd: $(LOGSRVD_OBJS) $(LT_LIBS)
|
sudo_logsrvd: $(LOGSRVD_OBJS) $(LT_LIBS)
|
||||||
$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(LOGSRVD_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS) $(OPENSSL_LIBS)
|
$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(LOGSRVD_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS)
|
||||||
|
|
||||||
sudo_sendlog: $(SENDLOG_OBJS) $(LT_LIBS)
|
sudo_sendlog: $(SENDLOG_OBJS) $(LT_LIBS)
|
||||||
$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(SENDLOG_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS) $(OPENSSL_LIBS)
|
$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(SENDLOG_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS)
|
||||||
|
|
||||||
GENERATED = log_server.pb-c.h log_server.pb-c.c
|
GENERATED = log_server.pb-c.h log_server.pb-c.c
|
||||||
|
|
||||||
|
@ -974,6 +974,7 @@ init_tls_ciphersuites(SSL_CTX *ctx, const struct logsrvd_tls_config *tls_config)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# if defined(HAVE_SSL_CTX_SET_CIPHERSUITES)
|
||||||
if (tls_config->ciphers_v13) {
|
if (tls_config->ciphers_v13) {
|
||||||
/* try to set TLSv1.3 ciphersuite list from config */
|
/* try to set TLSv1.3 ciphersuite list from config */
|
||||||
if (SSL_CTX_set_ciphersuites(ctx, tls_config->ciphers_v13)) {
|
if (SSL_CTX_set_ciphersuites(ctx, tls_config->ciphers_v13)) {
|
||||||
@ -998,6 +999,7 @@ init_tls_ciphersuites(SSL_CTX *ctx, const struct logsrvd_tls_config *tls_config)
|
|||||||
LOGSRVD_DEFAULT_CIPHER_LST13);
|
LOGSRVD_DEFAULT_CIPHER_LST13);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
# endif
|
||||||
|
|
||||||
debug_return_bool(true);
|
debug_return_bool(true);
|
||||||
}
|
}
|
||||||
@ -1119,7 +1121,7 @@ bad:
|
|||||||
good:
|
good:
|
||||||
debug_return_ptr(ctx);
|
debug_return_ptr(ctx);
|
||||||
}
|
}
|
||||||
#endif
|
#endif /* HAVE_OPENSSL */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Allocate a new connection closure.
|
* Allocate a new connection closure.
|
||||||
|
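Review bot: The new `# if defined(HAVE_SSL_CTX_SET_CIPHERSUITES)` guard makes a configured tls_ciphers13 value silently ineffective on LibreSSL and older OpenSSL, so an operator who restricted the TLS 1.3 suites gets no indication in the log that the restriction is not applied. Adding an `# else` branch before the new `# endif` in the second hunk that warns when `tls_config->ciphers_v13 != NULL`, e.g. `sudo_warnx(U_("tls_ciphers13 is not supported by this TLS library, ignoring"));`, keeps the setting accepted as the commit intends while making the gap visible. A short comment on the `# if` line, such as `/* TLS 1.3 suite list needs SSL_CTX_set_ciphersuites() (OpenSSL 1.1+) */`, would also tell the next reader why the block is conditional. init_tls_ciphersuites() begins outside both hunks.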