Add support for building on OpenSSL 1.0.2.

This adds compatibility defines for some OpenSSL 1.1.x functions.

aclocal.m4

@@ -1,6 +1,6 @@
-# generated automatically by aclocal 1.15.1 -*- Autoconf -*-
+# generated automatically by aclocal 1.16.1 -*- Autoconf -*-
 
-# Copyright (C) 1996-2017 Free Software Foundation, Inc.
+# Copyright (C) 1996-2018 Free Software Foundation, Inc.
 
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -12,7 +12,7 @@
 # PARTICULAR PURPOSE.
 
 m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])])
-# Copyright (C) 1999-2017 Free Software Foundation, Inc.
+# Copyright (C) 1999-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -45,7 +45,6 @@ AC_DEFUN([AM_PATH_PYTHON],
  [
   dnl Find a Python interpreter.  Python versions prior to 2.0 are not
   dnl supported. (2.0 was released on October 16, 2000).
-  dnl FIXME: Remove the need to hard-code Python versions here.
   m4_define_default([_AM_PYTHON_INTERPRETER_LIST],
 [python python2 python3 dnl
  python3.9 python3.8 python3.7 python3.6 python3.5 python3.4 python3.3 dnl
@@ -251,7 +250,7 @@ for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[[i]]
 sys.exit(sys.hexversion < minverhex)"
   AS_IF([AM_RUN_LOG([$1 -c "$prog"])], [$3], [$4])])
 
-# Copyright (C) 2001-2017 Free Software Foundation, Inc.
+# Copyright (C) 2001-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,

autogen.sh

@@ -4,7 +4,7 @@
 # If the user hasn't chosen one themselves, we do here.
 if [ "`/usr/bin/uname 2>&1`" = "OpenBSD" ]; then
     if [ X"$AUTOMAKE_VERSION" = X"" ]; then
-	AUTOMAKE_VERSION=1.15; export AUTOMAKE_VERSION
+	AUTOMAKE_VERSION=1.16; export AUTOMAKE_VERSION
     fi
     if [ X"$AUTOCONF_VERSION" = X"" ]; then
 	AUTOCONF_VERSION=2.69; export AUTOCONF_VERSION

config.h.in

@@ -57,6 +57,9 @@
 /* Define to 1 if you have the `arc4random_uniform' function. */
 #undef HAVE_ARC4RANDOM_UNIFORM
 
+/* Define to 1 if you have the `ASN1_STRING_get0_data' function. */
+#undef HAVE_ASN1_STRING_GET0_DATA
+
 /* Define to 1 if you have the `asprintf' function. */
 #undef HAVE_ASPRINTF
 
@@ -724,6 +727,9 @@
 /* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */
 #undef HAVE_SSL_CTX_SET_CIPHERSUITES
 
+/* Define to 1 if you have the `SSL_CTX_set_min_proto_version' function. */
+#undef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
+
 /* Define to 1 to enable SSSD support. */
 #undef HAVE_SSSD
 
@@ -873,6 +879,12 @@
 /* Define to 1 if you have the <sys/types.h> header file. */
 #undef HAVE_SYS_TYPES_H
 
+/* Define to 1 if you have the `TLS_client_method' function. */
+#undef HAVE_TLS_CLIENT_METHOD
+
+/* Define to 1 if you have the `TLS_server_method' function. */
+#undef HAVE_TLS_SERVER_METHOD
+
 /* Define to 1 if you have the `ttyslot' function. */
 #undef HAVE_TTYSLOT
 
@@ -918,6 +930,9 @@
 /* Define to 1 if you have the <wordexp.h> header file. */
 #undef HAVE_WORDEXP_H
 
+/* Define to 1 if you have the `X509_STORE_CTX_get0_cert' function. */
+#undef HAVE_X509_STORE_CTX_GET0_CERT
+
 /* Define to 1 if you have the <zlib.h> header file. */
 #undef HAVE_ZLIB_H
 

configure

@@ -21985,13 +21985,96 @@ _ACEOF
 
 fi
 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_ciphersuites in -lssl" >&5
-$as_echo_n "checking for SSL_CTX_set_ciphersuites in -lssl... " >&6; }
-if ${ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto+:} false; then :
+if test "${enable_openssl-no}" != no; then
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for X509_STORE_CTX_get0_cert in -lcrypto" >&5
+$as_echo_n "checking for X509_STORE_CTX_get0_cert in -lcrypto... " >&6; }
+if ${ac_cv_lib_crypto_X509_STORE_CTX_get0_cert+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
-LIBS="-lssl crypto $LIBS"
+LIBS="-lcrypto  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char X509_STORE_CTX_get0_cert ();
+int
+main ()
+{
+return X509_STORE_CTX_get0_cert ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_crypto_X509_STORE_CTX_get0_cert=yes
+else
+  ac_cv_lib_crypto_X509_STORE_CTX_get0_cert=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_X509_STORE_CTX_get0_cert" >&5
+$as_echo "$ac_cv_lib_crypto_X509_STORE_CTX_get0_cert" >&6; }
+if test "x$ac_cv_lib_crypto_X509_STORE_CTX_get0_cert" = xyes; then :
+  $as_echo "#define HAVE_X509_STORE_CTX_GET0_CERT 1" >>confdefs.h
+
+fi
+
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ASN1_STRING_get0_data in -lcrypto" >&5
+$as_echo_n "checking for ASN1_STRING_get0_data in -lcrypto... " >&6; }
+if ${ac_cv_lib_crypto_ASN1_STRING_get0_data+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lcrypto  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char ASN1_STRING_get0_data ();
+int
+main ()
+{
+return ASN1_STRING_get0_data ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_crypto_ASN1_STRING_get0_data=yes
+else
+  ac_cv_lib_crypto_ASN1_STRING_get0_data=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_ASN1_STRING_get0_data" >&5
+$as_echo "$ac_cv_lib_crypto_ASN1_STRING_get0_data" >&6; }
+if test "x$ac_cv_lib_crypto_ASN1_STRING_get0_data" = xyes; then :
+  $as_echo "#define HAVE_ASN1_STRING_GET0_DATA 1" >>confdefs.h
+
+fi
+
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_ciphersuites in -lssl" >&5
+$as_echo_n "checking for SSL_CTX_set_ciphersuites in -lssl... " >&6; }
+if ${ac_cv_lib_ssl_SSL_CTX_set_ciphersuites_lcrypto+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lssl -lcrypto $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -22011,21 +22094,145 @@ return SSL_CTX_set_ciphersuites ();
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto=yes
+  ac_cv_lib_ssl_SSL_CTX_set_ciphersuites_lcrypto=yes
 else
-  ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto=no
+  ac_cv_lib_ssl_SSL_CTX_set_ciphersuites_lcrypto=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" >&5
-$as_echo "$ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" >&6; }
-if test "x$ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_CTX_set_ciphersuites_lcrypto" >&5
+$as_echo "$ac_cv_lib_ssl_SSL_CTX_set_ciphersuites_lcrypto" >&6; }
+if test "x$ac_cv_lib_ssl_SSL_CTX_set_ciphersuites_lcrypto" = xyes; then :
   $as_echo "#define HAVE_SSL_CTX_SET_CIPHERSUITES 1" >>confdefs.h
 
 fi
 
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_min_proto_version in -lssl" >&5
+$as_echo_n "checking for SSL_CTX_set_min_proto_version in -lssl... " >&6; }
+if ${ac_cv_lib_ssl_SSL_CTX_set_min_proto_version_lcrypto+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lssl -lcrypto $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char SSL_CTX_set_min_proto_version ();
+int
+main ()
+{
+return SSL_CTX_set_min_proto_version ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_ssl_SSL_CTX_set_min_proto_version_lcrypto=yes
+else
+  ac_cv_lib_ssl_SSL_CTX_set_min_proto_version_lcrypto=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_CTX_set_min_proto_version_lcrypto" >&5
+$as_echo "$ac_cv_lib_ssl_SSL_CTX_set_min_proto_version_lcrypto" >&6; }
+if test "x$ac_cv_lib_ssl_SSL_CTX_set_min_proto_version_lcrypto" = xyes; then :
+  $as_echo "#define HAVE_SSL_CTX_SET_MIN_PROTO_VERSION 1" >>confdefs.h
+
+fi
+
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for TLS_client_method in -lssl" >&5
+$as_echo_n "checking for TLS_client_method in -lssl... " >&6; }
+if ${ac_cv_lib_ssl_TLS_client_method_lcrypto+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lssl -lcrypto $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char TLS_client_method ();
+int
+main ()
+{
+return TLS_client_method ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_ssl_TLS_client_method_lcrypto=yes
+else
+  ac_cv_lib_ssl_TLS_client_method_lcrypto=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_TLS_client_method_lcrypto" >&5
+$as_echo "$ac_cv_lib_ssl_TLS_client_method_lcrypto" >&6; }
+if test "x$ac_cv_lib_ssl_TLS_client_method_lcrypto" = xyes; then :
+  $as_echo "#define HAVE_TLS_CLIENT_METHOD 1" >>confdefs.h
+
+fi
+
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for TLS_server_method in -lssl" >&5
+$as_echo_n "checking for TLS_server_method in -lssl... " >&6; }
+if ${ac_cv_lib_ssl_TLS_server_method_lcrypto+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lssl -lcrypto $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char TLS_server_method ();
+int
+main ()
+{
+return TLS_server_method ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_ssl_TLS_server_method_lcrypto=yes
+else
+  ac_cv_lib_ssl_TLS_server_method_lcrypto=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_TLS_server_method_lcrypto" >&5
+$as_echo "$ac_cv_lib_ssl_TLS_server_method_lcrypto" >&6; }
+if test "x$ac_cv_lib_ssl_TLS_server_method_lcrypto" = xyes; then :
+  $as_echo "#define HAVE_TLS_SERVER_METHOD 1" >>confdefs.h
+
+fi
+
+fi
 OLIBS="$LIBS"
 LIBS="${LIBS} ${NET_LIBS}"
 ac_fn_c_check_func "$LINENO" "socket" "ac_cv_func_socket"
@@ -29995,6 +30202,12 @@ fi
 
 
 
+
+
+
+
+
+
 
 
 

configure.ac

@@ -2955,9 +2955,16 @@ AC_INCLUDES_DEFAULT
 #include <$ac_header_dirent>
 ])
 dnl
-dnl Check for SSL_CTX_set_ciphersuites supported by OpenSSL 1.1 and higher
+dnl Check for functions only present in OpenSSL 1.1 and above
 dnl
-AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [crypto])
+if test "${enable_openssl-no}" != no; then
+    AC_CHECK_LIB(crypto, X509_STORE_CTX_get0_cert, [AC_DEFINE(HAVE_X509_STORE_CTX_GET0_CERT)])
+    AC_CHECK_LIB(crypto, ASN1_STRING_get0_data, [AC_DEFINE(HAVE_ASN1_STRING_GET0_DATA)])
+    AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [-lcrypto])
+    AC_CHECK_LIB(ssl, SSL_CTX_set_min_proto_version, [AC_DEFINE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)], [], [-lcrypto])
+    AC_CHECK_LIB(ssl, TLS_client_method, [AC_DEFINE(HAVE_TLS_CLIENT_METHOD)], [], [-lcrypto])
+    AC_CHECK_LIB(ssl, TLS_server_method, [AC_DEFINE(HAVE_TLS_SERVER_METHOD)], [], [-lcrypto])
+fi
 dnl
 dnl If socket(2) not in libc, check -lsocket and -linet
 dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols
@@ -4736,7 +4743,13 @@ AH_TEMPLATE(HAVE_KINFO_PROC2_NETBSD, [Define to 1 if your system has a NetBSD-st
 AH_TEMPLATE(HAVE_KINFO_PROC_OPENBSD, [Define to 1 if your system has an OpenBSD-style kinfo_proc struct.])
 AH_TEMPLATE(HAVE_OPENSSL, [Define to 1 if you are using OpenSSL's TLS and sha2 functions.])
 AH_TEMPLATE(HAVE_GCRYPT, [Define to 1 if you are using gcrypt's sha2 functions.])
+AH_TEMPLATE(HAVE_X509_STORE_CTX_GET0_CERT, [Define to 1 if you have the `X509_STORE_CTX_get0_cert' function.])
+AH_TEMPLATE(HAVE_ASN1_STRING_GET0_DATA, [Define to 1 if you have the `ASN1_STRING_get0_data' function.])
 AH_TEMPLATE(HAVE_SSL_CTX_SET_CIPHERSUITES, [Define to 1 if you have the `SSL_CTX_set_ciphersuites' function.])
+AH_TEMPLATE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION, [Define to 1 if you have the `SSL_CTX_set_min_proto_version' function.])
+AH_TEMPLATE(HAVE_TLS_CLIENT_METHOD, [Define to 1 if you have the `TLS_client_method' function.])
+AH_TEMPLATE(HAVE_TLS_SERVER_METHOD, [Define to 1 if you have the `TLS_server_method' function.])
+
 dnl
 dnl Bits to copy verbatim into config.h.in
 dnl

include/sudo_compat.h

@@ -390,6 +390,24 @@ int getdomainname(char *, size_t);
 # endif
 #endif /* __hpux && !__LP64__ */
 
+/*
+ * Compatibility defines for OpenSSL 1.0.2 (not needed for 1.1.x)
+ */
+#if defined(HAVE_OPENSSL)
+# ifndef HAVE_X509_STORE_CTX_GET0_CERT
+#  define X509_STORE_CTX_get0_cert(x)   ((x)->cert)
+# endif
+# ifndef HAVE_ASN1_STRING_GET0_DATA
+#  define ASN1_STRING_get0_data(x)      ASN1_STRING_data(x)
+# endif
+# ifndef HAVE_TLS_CLIENT_METHOD
+#  define TLS_client_method()           SSLv23_client_method()
+# endif
+# ifndef HAVE_TLS_SERVER_METHOD
+#  define TLS_server_method()           SSLv23_server_method()
+# endif
+#endif /* HAVE_OPENSSL */
+
 /*
  * Functions "missing" from libc.
  * All libc replacements are prefixed with "sudo_" to avoid namespace issues.

logsrvd/logsrvd.c

@@ -1205,12 +1205,17 @@ init_tls_server_context(void)
     }
     
     /* audit server supports TLS ver1.2 or higher */
+#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
     if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) {
         sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
             "unable to restrict min. protocol version: %s",
             ERR_error_string(ERR_get_error(), NULL));
         goto bad;
     }
+#else
+    SSL_CTX_set_options(ctx,
+	SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1);
+#endif
 
     goto good;
 

logsrvd/sendlog.c

@@ -145,6 +145,17 @@ init_tls_client_context(const char *ca_bundle_file, const char *cert_file, const
             ERR_error_string(ERR_get_error(), NULL));
         goto bad;
     }
+#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
+    if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) {
+        sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+            "unable to restrict min. protocol version: %s",
+            ERR_error_string(ERR_get_error(), NULL));
+        goto bad;
+    }
+#else
+    SSL_CTX_set_options(ctx,
+        SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1);
+#endif
 
     if (cert_file) {
         if (!SSL_CTX_use_certificate_chain_file(ctx, cert_file)) {

plugins/sudoers/iolog_client.c

@@ -286,6 +286,18 @@ tls_init(struct client_closure *closure, bool peer_auth)
             ERR_error_string(ERR_get_error(), NULL));
         goto bad;
     }
+#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
+    if (!SSL_CTX_set_min_proto_version(closure->ssl_ctx, TLS1_2_VERSION)) {
+        sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+            "unable to restrict min. protocol version: %s",
+            ERR_error_string(ERR_get_error(), NULL));
+        goto bad;
+    }
+#else
+    SSL_CTX_set_options(closure->ssl_ctx,
+        SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1);
+#endif
+
     /* sets the location of the CA bundle file for verification purposes */
     if (SSL_CTX_load_verify_locations(closure->ssl_ctx,
         closure->log_details->ca_bundle, NULL) <= 0) {