LibreSSL and older OpenSSL don't support SSL_CTX_set_ciphersuites().
Add a configure test and skip TLS 1.3 setup if it is missing. We still accept the tls_ciphers13 config setting but it will be ignored.
This commit is contained in:
parent
68480b0959
commit
690f145d3f
13
INSTALL
13
INSTALL
@ -545,14 +545,15 @@ Authentication options:
|
||||
--enable-gcrypt[=DIR]
|
||||
Use GNU crypt's SHA-2 message digest functions instead of the
|
||||
ones bundled with sudo (or in the system's C library).
|
||||
If specified, DIR should contain include and lib directories
|
||||
with gcrypt.h and libgcrypt respectively.
|
||||
If specified, DIR should contain the GNU crypt include and
|
||||
lib directories.
|
||||
|
||||
--enable-openssl[=DIR]
|
||||
Use OpenSSL's SHA-2 message digest functions instead of the
|
||||
ones bundled with sudo (or in the system's C library).
|
||||
If specified, DIR should contain include and lib directories
|
||||
with openssl/sha.h and libcrypto respectively.
|
||||
Use OpenSSL's TLS and SHA-2 message digest functions.
|
||||
By default, sudo does not support TLS and will use either its
|
||||
own SHA-2 functions or the ones in the system's C library.
|
||||
If specified, DIR should contain the OpenSSL include and
|
||||
lib directories.
|
||||
|
||||
Development options:
|
||||
--enable-env-debug
|
||||
|
@ -715,6 +715,9 @@
|
||||
/* Define to 1 if you have the <spawn.h> header file. */
|
||||
#undef HAVE_SPAWN_H
|
||||
|
||||
/* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */
|
||||
#undef HAVE_SSL_CTX_SET_CIPHERSUITES
|
||||
|
||||
/* Define to 1 to enable SSSD support. */
|
||||
#undef HAVE_SSSD
|
||||
|
||||
|
50
configure
vendored
50
configure
vendored
@ -743,8 +743,8 @@ COMPAT_TEST_PROGS
|
||||
LOCALEDIR_SUFFIX
|
||||
SUDO_NLS
|
||||
LIBPTHREAD
|
||||
LIBTLS
|
||||
LIBMD
|
||||
OPENSSL_LIBS
|
||||
LIBINTL
|
||||
LIBRT
|
||||
LIBDL
|
||||
@ -3082,6 +3082,7 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#
|
||||
@ -3153,7 +3154,7 @@ PSMAN=0
|
||||
SEMAN=0
|
||||
LIBINTL=
|
||||
LIBMD=
|
||||
OPENSSL_LIBS=
|
||||
LIBTLS=
|
||||
ZLIB=
|
||||
ZLIB_SRC=
|
||||
AUTH_OBJS=
|
||||
@ -6430,8 +6431,7 @@ if test "${enable_openssl+set}" = set; then :
|
||||
enableval=$enable_openssl; case $enableval in
|
||||
no) ;;
|
||||
*) LIBMD="-lcrypto"
|
||||
OPENSSL_LIBS="-lcrypto -lssl"
|
||||
DIGEST=digest_openssl.lo
|
||||
LIBTLS="-lssl -lcrypto"
|
||||
$as_echo "#define HAVE_OPENSSL 1" >>confdefs.h
|
||||
|
||||
if test "$enableval" != "yes"; then
|
||||
@ -21529,6 +21529,47 @@ cat >>confdefs.h <<_ACEOF
|
||||
_ACEOF
|
||||
|
||||
|
||||
fi
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_ciphersuites in -lssl" >&5
|
||||
$as_echo_n "checking for SSL_CTX_set_ciphersuites in -lssl... " >&6; }
|
||||
if ${ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto+:} false; then :
|
||||
$as_echo_n "(cached) " >&6
|
||||
else
|
||||
ac_check_lib_save_LIBS=$LIBS
|
||||
LIBS="-lssl crypto $LIBS"
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
/* Override any GCC internal prototype to avoid an error.
|
||||
Use char because int might match the return type of a GCC
|
||||
builtin and then its argument prototype would still apply. */
|
||||
#ifdef __cplusplus
|
||||
extern "C"
|
||||
#endif
|
||||
char SSL_CTX_set_ciphersuites ();
|
||||
int
|
||||
main ()
|
||||
{
|
||||
return SSL_CTX_set_ciphersuites ();
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
if ac_fn_c_try_link "$LINENO"; then :
|
||||
ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto=yes
|
||||
else
|
||||
ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto=no
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext \
|
||||
conftest$ac_exeext conftest.$ac_ext
|
||||
LIBS=$ac_check_lib_save_LIBS
|
||||
fi
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" >&5
|
||||
$as_echo "$ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" >&6; }
|
||||
if test "x$ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" = xyes; then :
|
||||
$as_echo "#define HAVE_SSL_CTX_SET_CIPHERSUITES 1" >>confdefs.h
|
||||
|
||||
fi
|
||||
|
||||
OLIBS="$LIBS"
|
||||
@ -29425,5 +29466,6 @@ fi
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
13
configure.ac
13
configure.ac
@ -94,6 +94,7 @@ AC_SUBST([LIBDL])
|
||||
AC_SUBST([LIBRT])
|
||||
AC_SUBST([LIBINTL])
|
||||
AC_SUBST([LIBMD])
|
||||
AC_SUBST([LIBTLS])
|
||||
AC_SUBST([LIBPTHREAD])
|
||||
AC_SUBST([SUDO_NLS])
|
||||
AC_SUBST([LOCALEDIR_SUFFIX])
|
||||
@ -231,6 +232,7 @@ PSMAN=0
|
||||
SEMAN=0
|
||||
LIBINTL=
|
||||
LIBMD=
|
||||
LIBTLS=
|
||||
ZLIB=
|
||||
ZLIB_SRC=
|
||||
AUTH_OBJS=
|
||||
@ -1485,11 +1487,11 @@ AC_ARG_ENABLE(werror,
|
||||
])
|
||||
|
||||
AC_ARG_ENABLE(openssl,
|
||||
[AS_HELP_STRING([--enable-openssl], [Use OpenSSL's message digest functions instead of sudo's])],
|
||||
[AS_HELP_STRING([--enable-openssl], [Use OpenSSL's TLS and sha2 functions])],
|
||||
[ case $enableval in
|
||||
no) ;;
|
||||
*) LIBMD="-lcrypto"
|
||||
DIGEST=digest_openssl.lo
|
||||
LIBTLS="-lssl -lcrypto"
|
||||
AC_DEFINE(HAVE_OPENSSL)
|
||||
if test "$enableval" != "yes"; then
|
||||
AX_APPEND_FLAG([-I${enableval}/include], [CPPFLAGS])
|
||||
@ -2890,6 +2892,10 @@ AC_INCLUDES_DEFAULT
|
||||
#include <$ac_header_dirent>
|
||||
])
|
||||
dnl
|
||||
dnl Check for SSL_CTX_set_ciphersuites supported by OpenSSL 1.1 and higher
|
||||
dnl
|
||||
AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [crypto])
|
||||
dnl
|
||||
dnl If socket(2) not in libc, check -lsocket and -linet
|
||||
dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols
|
||||
dnl
|
||||
@ -4650,8 +4656,9 @@ AH_TEMPLATE(HAVE_KINFO_PROC_44BSD, [Define to 1 if your system has a 4.4BSD-styl
|
||||
AH_TEMPLATE(HAVE_KINFO_PROC_FREEBSD, [Define to 1 if your system has a FreeBSD-style kinfo_proc struct.])
|
||||
AH_TEMPLATE(HAVE_KINFO_PROC2_NETBSD, [Define to 1 if your system has a NetBSD-style kinfo_proc2 struct.])
|
||||
AH_TEMPLATE(HAVE_KINFO_PROC_OPENBSD, [Define to 1 if your system has an OpenBSD-style kinfo_proc struct.])
|
||||
AH_TEMPLATE(HAVE_OPENSSL, [Define to 1 if you are using OpenSSL's sha2 functions.])
|
||||
AH_TEMPLATE(HAVE_OPENSSL, [Define to 1 if you are using OpenSSL's TLS and sha2 functions.])
|
||||
AH_TEMPLATE(HAVE_GCRYPT, [Define to 1 if you are using gcrypt's sha2 functions.])
|
||||
AH_TEMPLATE(HAVE_SSL_CTX_SET_CIPHERSUITES, [Define to 1 if you have the `SSL_CTX_set_ciphersuites' function.])
|
||||
dnl
|
||||
dnl Bits to copy verbatim into config.h.in
|
||||
dnl
|
||||
|
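Review bot: The fifth argument of the new AC_CHECK_LIB in the `@ -2890` hunk is `[crypto]`, and AC_CHECK_LIB passes that other-libraries argument verbatim to the link line; the generated configure in this commit confirms it (`LIBS="-lssl crypto $LIBS"` and a cache variable ending in `ciphersuitescrypto`). A bare `crypto` token is handed to the compiler as an input file rather than a library, so the link test will most likely fail everywhere and HAVE_SSL_CTX_SET_CIPHERSUITES never be defined, meaning tls_ciphers13 would be silently ignored even on OpenSSL 1.1.1+ where it should take effect. The line should read `AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [-lcrypto])` and configure regenerated. Separately, the check runs unconditionally even when --enable-openssl was not given; guarding it with `if test -n "$LIBTLS"; then … fi` (LIBTLS is set in the openssl case of AC_ARG_ENABLE above) would avoid probing a library the build will not link, though that is a tidiness point rather than a defect.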
@ -40,7 +40,7 @@ INSTALL_BACKUP = @INSTALL_BACKUP@
|
||||
|
||||
# Libraries
|
||||
LT_LIBS = $(top_builddir)/lib/iolog/libsudo_iolog.la
|
||||
LIBS = $(LT_LIBS)
|
||||
LIBS = $(LT_LIBS) @LIBTLS@
|
||||
|
||||
# C preprocessor defines
|
||||
CPPDEFS = -D_PATH_SUDO_LOGSRVD_CONF=\"$(sysconfdir)/sudo_logsrvd.conf\" \
|
||||
@ -72,8 +72,6 @@ PIE_LDFLAGS = @PIE_LDFLAGS@
|
||||
SSP_CFLAGS = @SSP_CFLAGS@
|
||||
SSP_LDFLAGS = @SSP_LDFLAGS@
|
||||
|
||||
OPENSSL_LIBS = @OPENSSL_LIBS@
|
||||
|
||||
# cppcheck options, usually set in the top-level Makefile
|
||||
CPPCHECK_OPTS = -q --force --enable=warning,performance,portability --suppress=constStatement --error-exitcode=1 --inline-suppr -Dva_copy=va_copy -U__cplusplus -UQUAD_MAX -UQUAD_MIN -UUQUAD_MAX -U_POSIX_HOST_NAME_MAX -U_POSIX_PATH_MAX -U__NBBY -DNSIG=64
|
||||
|
||||
@ -147,10 +145,10 @@ Makefile: $(srcdir)/Makefile.in
|
||||
ifile=$<; rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $${ifile%i}c --i-file $< --output-file $@
|
||||
|
||||
sudo_logsrvd: $(LOGSRVD_OBJS) $(LT_LIBS)
|
||||
$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(LOGSRVD_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS) $(OPENSSL_LIBS)
|
||||
$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(LOGSRVD_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS)
|
||||
|
||||
sudo_sendlog: $(SENDLOG_OBJS) $(LT_LIBS)
|
||||
$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(SENDLOG_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS) $(OPENSSL_LIBS)
|
||||
$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(SENDLOG_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS)
|
||||
|
||||
GENERATED = log_server.pb-c.h log_server.pb-c.c
|
||||
|
||||
|
@ -974,6 +974,7 @@ init_tls_ciphersuites(SSL_CTX *ctx, const struct logsrvd_tls_config *tls_config)
|
||||
}
|
||||
}
|
||||
|
||||
# if defined(HAVE_SSL_CTX_SET_CIPHERSUITES)
|
||||
if (tls_config->ciphers_v13) {
|
||||
/* try to set TLSv1.3 ciphersuite list from config */
|
||||
if (SSL_CTX_set_ciphersuites(ctx, tls_config->ciphers_v13)) {
|
||||
@ -998,6 +999,7 @@ init_tls_ciphersuites(SSL_CTX *ctx, const struct logsrvd_tls_config *tls_config)
|
||||
LOGSRVD_DEFAULT_CIPHER_LST13);
|
||||
}
|
||||
}
|
||||
# endif
|
||||
|
||||
debug_return_bool(true);
|
||||
}
|
||||
@ -1119,7 +1121,7 @@ bad:
|
||||
good:
|
||||
debug_return_ptr(ctx);
|
||||
}
|
||||
#endif
|
||||
#endif /* HAVE_OPENSSL */
|
||||
|
||||
/*
|
||||
* Allocate a new connection closure.
|
||||
|
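Review bot: When HAVE_SSL_CTX_SET_CIPHERSUITES is not defined, the `# if defined(...)` block added in the `@ -974` and `@ -998` hunks drops a configured `tls_config->ciphers_v13` with no diagnostic, so an operator who set tls_ciphers13 to restrict TLS 1.3 suites on a LibreSSL or older-OpenSSL build has no way to learn that the restriction is not in effect; the commit message documents the silent ignore but nothing in the code surfaces it. An `# else` branch before the `# endif` that logs a warning when `tls_config->ciphers_v13 != NULL`, using whichever warning helper this file already uses for the surrounding cipher-list errors (e.g. `sudo_warnx` with a message such as "TLS 1.3 cipher suites not supported by this OpenSSL, tls_ciphers13 ignored"), would make the degraded configuration visible in the logs. The enclosing function init_tls_ciphersuites begins outside the hunk, and the file is not named on this page (it appears to be the logsrvd TLS setup from the context).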