From a96b9a1373b5e0881a30b2d7a95d576ad52ebf8a Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Mon, 16 Nov 2020 14:39:52 -0700
Subject: [PATCH] Newer LibreSSL has SSL_CTX_set_ciphersuites but it is not enabled. Add a check for the function declaration in openssl/ssl.h.
---
 config.h.in | 3 ++-
 configure | 20 +++++++++++++++++++-
 configure.ac | 10 +++++++++-
 3 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/config.h.in b/config.h.in
index d8df9dd6b..45f54445b 100644
--- a/config.h.in
+++ b/config.h.in
@@ -767,7 +767,8 @@ /* Define to 1 if you have the `SSL_CTX_get0_certificate' function. */ #undef HAVE_SSL_CTX_GET0_CERTIFICATE -/* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */ +/* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function or macro. + */ #undef HAVE_SSL_CTX_SET_CIPHERSUITES /* Define to 1 if you have the `SSL_CTX_set_min_proto_version' function or
diff --git a/configure b/configure
index c823d62f7..f0a4f4849 100755
--- a/configure
+++ b/configure
@@ -22004,7 +22004,7 @@ fi OLIBS="$LIBS" LIBS="$LIBS $LIBTLS" - for ac_func in X509_STORE_CTX_get0_cert ASN1_STRING_get0_data SSL_CTX_get0_certificate SSL_CTX_set_ciphersuites TLS_client_method TLS_server_method + for ac_func in X509_STORE_CTX_get0_cert ASN1_STRING_get0_data SSL_CTX_get0_certificate TLS_client_method TLS_server_method do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -22025,6 +22025,23 @@ done if test "x$ac_cv_have_decl_SSL_CTX_set_min_proto_version" = xyes; then : $as_echo "#define HAVE_SSL_CTX_SET_MIN_PROTO_VERSION 1" >>confdefs.h +fi + + # LibreSSL TLS 1.3 support may not be enabled, check for declaration too. + ac_fn_c_check_func "$LINENO" "SSL_CTX_set_ciphersuites" "ac_cv_func_SSL_CTX_set_ciphersuites" +if test "x$ac_cv_func_SSL_CTX_set_ciphersuites" = xyes; then : + + ac_fn_c_check_decl "$LINENO" "SSL_CTX_set_ciphersuites" "ac_cv_have_decl_SSL_CTX_set_ciphersuites" " + $ac_includes_default + #include + +" +if test "x$ac_cv_have_decl_SSL_CTX_set_ciphersuites" = xyes; then : + $as_echo "#define HAVE_SSL_CTX_SET_CIPHERSUITES 1" >>confdefs.h + +fi + + fi LIBS="$OLIBS"
@@ -30526,5 +30543,6 @@ fi +
diff --git a/configure.ac b/configure.ac
index 3245174e5..fdb6bc98f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3065,12 +3065,19 @@ if test "${enable_openssl-no}" != no; then
 OLIBS="$LIBS"
 LIBS="$LIBS $LIBTLS"
- AC_CHECK_FUNCS([X509_STORE_CTX_get0_cert ASN1_STRING_get0_data SSL_CTX_get0_certificate SSL_CTX_set_ciphersuites TLS_client_method TLS_server_method])
+ AC_CHECK_FUNCS([X509_STORE_CTX_get0_cert ASN1_STRING_get0_data SSL_CTX_get0_certificate TLS_client_method TLS_server_method])
 # SSL_CTX_set_min_proto_version may be a macro
 AC_CHECK_DECL([SSL_CTX_set_min_proto_version], [AC_DEFINE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)], [], [
 AC_INCLUDES_DEFAULT
 #include
 ])
+ # LibreSSL TLS 1.3 support may not be enabled, check for declaration too.
+ AC_CHECK_FUNC([SSL_CTX_set_ciphersuites], [
+ AC_CHECK_DECL([SSL_CTX_set_ciphersuites], [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [
+ AC_INCLUDES_DEFAULT
+ #include
+ ])
+ ])
 LIBS="$OLIBS"
 elif test "${enable_gcrypt-no}" != no; then
 # Use gcrypt's sha2 functions
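Review bot: The new `AC_CHECK_FUNC`/`AC_CHECK_DECL` pair in configure.ac leaves both not-found branches empty, so when the symbol links but its prototype is hidden the build drops `HAVE_SSL_CTX_SET_CIPHERSUITES` with nothing beyond the usual "checking ... no" line. The code keyed on that macro is outside this diff, but presumably an administrator-supplied TLS 1.3 cipher list is then compiled out and the library defaults apply; it is worth confirming that the consumer logs a warning when such a list is configured and cannot be applied. The in-line comment could also state why both tests are needed, for example `# LibreSSL may export SSL_CTX_set_ciphersuites but hide its prototype when TLS 1.3 is not enabled; require the declaration so it is never called undeclared.` The enclosing `if test "${enable_openssl-no}" != no` block starts and ends outside the hunk.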
@@ -4964,6 +4971,7 @@ AH_TEMPLATE(HAVE_KINFO_PROC_OPENBSD, [Define to 1 if your system has an OpenBSD-
 AH_TEMPLATE(HAVE_OPENSSL, [Define to 1 if you are using OpenSSL's TLS and sha2 functions.])
 AH_TEMPLATE(HAVE_GCRYPT, [Define to 1 if you are using gcrypt's sha2 functions.])
 AH_TEMPLATE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION, [Define to 1 if you have the `SSL_CTX_set_min_proto_version' function or macro.])
+AH_TEMPLATE(HAVE_SSL_CTX_SET_CIPHERSUITES, [Define to 1 if you have the `SSL_CTX_set_ciphersuites' function or macro.])
 AH_TEMPLATE(SUDOERS_LOG_CLIENT, [Define to 1 to compile support for sudo_logsrvd in the sudoers plugin.])
 AH_TEMPLATE(HAVE_FALLTHROUGH_ATTRIBUTE, [Define to 1 if the compiler supports the fallthrough attribute.])
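Review bot: The description added for `HAVE_SSL_CTX_SET_CIPHERSUITES` says "function or macro", but the check in the earlier configure.ac hunk only reaches `AC_CHECK_DECL` after `AC_CHECK_FUNC` succeeds, so a macro-only definition would fail the link test and leave the symbol undefined. Wording that matches the check would be `[Define to 1 if the SSL_CTX_set_ciphersuites function is available and declared in openssl/ssl.h.]`, and the regenerated config.h.in comment would pick up the same text. The `HAVE_SSL_CTX_SET_MIN_PROTO_VERSION` template on the line above is accurate as written, because that test is a bare `AC_CHECK_DECL`.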