
Add support for building on OpenSSL 1.0.2.

This adds compatibility defines for some OpenSSL 1.1.x functions.
This commit is contained in:
Todd C. Miller 2020-01-21 13:27:40 -07:00
parent a755c658a5
commit dde86e585f
9 changed files with 303 additions and 17 deletions

aclocal.m4 vendored

@ -1,6 +1,6 @@
# generated automatically by aclocal 1.15.1 -*- Autoconf -*- # generated automatically by aclocal 1.16.1 -*- Autoconf -*-
# Copyright (C) 1996-2017 Free Software Foundation, Inc. # Copyright (C) 1996-2018 Free Software Foundation, Inc.
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -12,7 +12,7 @@
# PARTICULAR PURPOSE. # PARTICULAR PURPOSE.
m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])]) m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])])
# Copyright (C) 1999-2017 Free Software Foundation, Inc. # Copyright (C) 1999-2018 Free Software Foundation, Inc.
# #
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,
@ -45,7 +45,6 @@ AC_DEFUN([AM_PATH_PYTHON],
[ [
dnl Find a Python interpreter. Python versions prior to 2.0 are not dnl Find a Python interpreter. Python versions prior to 2.0 are not
dnl supported. (2.0 was released on October 16, 2000). dnl supported. (2.0 was released on October 16, 2000).
dnl FIXME: Remove the need to hard-code Python versions here.
m4_define_default([_AM_PYTHON_INTERPRETER_LIST], m4_define_default([_AM_PYTHON_INTERPRETER_LIST],
[python python2 python3 dnl [python python2 python3 dnl
python3.9 python3.8 python3.7 python3.6 python3.5 python3.4 python3.3 dnl python3.9 python3.8 python3.7 python3.6 python3.5 python3.4 python3.3 dnl
@ -251,7 +250,7 @@ for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[[i]]
sys.exit(sys.hexversion < minverhex)" sys.exit(sys.hexversion < minverhex)"
AS_IF([AM_RUN_LOG([$1 -c "$prog"])], [$3], [$4])]) AS_IF([AM_RUN_LOG([$1 -c "$prog"])], [$3], [$4])])
# Copyright (C) 2001-2017 Free Software Foundation, Inc. # Copyright (C) 2001-2018 Free Software Foundation, Inc.
# #
# This file is free software; the Free Software Foundation # This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it, # gives unlimited permission to copy and/or distribute it,


@ -4,7 +4,7 @@
# If the user hasn't chosen one themselves, we do here. # If the user hasn't chosen one themselves, we do here.
if [ "`/usr/bin/uname 2>&1`" = "OpenBSD" ]; then if [ "`/usr/bin/uname 2>&1`" = "OpenBSD" ]; then
if [ X"$AUTOMAKE_VERSION" = X"" ]; then if [ X"$AUTOMAKE_VERSION" = X"" ]; then
AUTOMAKE_VERSION=1.15; export AUTOMAKE_VERSION AUTOMAKE_VERSION=1.16; export AUTOMAKE_VERSION
fi fi
if [ X"$AUTOCONF_VERSION" = X"" ]; then if [ X"$AUTOCONF_VERSION" = X"" ]; then
AUTOCONF_VERSION=2.69; export AUTOCONF_VERSION AUTOCONF_VERSION=2.69; export AUTOCONF_VERSION


@ -57,6 +57,9 @@
/* Define to 1 if you have the `arc4random_uniform' function. */ /* Define to 1 if you have the `arc4random_uniform' function. */
#undef HAVE_ARC4RANDOM_UNIFORM #undef HAVE_ARC4RANDOM_UNIFORM
/* Define to 1 if you have the `ASN1_STRING_get0_data' function. */
#undef HAVE_ASN1_STRING_GET0_DATA
/* Define to 1 if you have the `asprintf' function. */ /* Define to 1 if you have the `asprintf' function. */
#undef HAVE_ASPRINTF #undef HAVE_ASPRINTF
@ -724,6 +727,9 @@
/* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */ /* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */
#undef HAVE_SSL_CTX_SET_CIPHERSUITES #undef HAVE_SSL_CTX_SET_CIPHERSUITES
/* Define to 1 if you have the `SSL_CTX_set_min_proto_version' function. */
#undef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
/* Define to 1 to enable SSSD support. */ /* Define to 1 to enable SSSD support. */
#undef HAVE_SSSD #undef HAVE_SSSD
@ -873,6 +879,12 @@
/* Define to 1 if you have the <sys/types.h> header file. */ /* Define to 1 if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H #undef HAVE_SYS_TYPES_H
/* Define to 1 if you have the `TLS_client_method' function. */
#undef HAVE_TLS_CLIENT_METHOD
/* Define to 1 if you have the `TLS_server_method' function. */
#undef HAVE_TLS_SERVER_METHOD
/* Define to 1 if you have the `ttyslot' function. */ /* Define to 1 if you have the `ttyslot' function. */
#undef HAVE_TTYSLOT #undef HAVE_TTYSLOT
@ -918,6 +930,9 @@
/* Define to 1 if you have the <wordexp.h> header file. */ /* Define to 1 if you have the <wordexp.h> header file. */
#undef HAVE_WORDEXP_H #undef HAVE_WORDEXP_H
/* Define to 1 if you have the `X509_STORE_CTX_get0_cert' function. */
#undef HAVE_X509_STORE_CTX_GET0_CERT
/* Define to 1 if you have the <zlib.h> header file. */ /* Define to 1 if you have the <zlib.h> header file. */
#undef HAVE_ZLIB_H #undef HAVE_ZLIB_H

configure vendored

@ -21985,13 +21985,96 @@ _ACEOF
fi fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_ciphersuites in -lssl" >&5 if test "${enable_openssl-no}" != no; then
$as_echo_n "checking for SSL_CTX_set_ciphersuites in -lssl... " >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking for X509_STORE_CTX_get0_cert in -lcrypto" >&5
if ${ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto+:} false; then : $as_echo_n "checking for X509_STORE_CTX_get0_cert in -lcrypto... " >&6; }
if ${ac_cv_lib_crypto_X509_STORE_CTX_get0_cert+:} false; then :
$as_echo_n "(cached) " >&6 $as_echo_n "(cached) " >&6
else else
ac_check_lib_save_LIBS=$LIBS ac_check_lib_save_LIBS=$LIBS
LIBS="-lssl crypto $LIBS" LIBS="-lcrypto $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char X509_STORE_CTX_get0_cert ();
int
main ()
{
return X509_STORE_CTX_get0_cert ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_crypto_X509_STORE_CTX_get0_cert=yes
else
ac_cv_lib_crypto_X509_STORE_CTX_get0_cert=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_X509_STORE_CTX_get0_cert" >&5
$as_echo "$ac_cv_lib_crypto_X509_STORE_CTX_get0_cert" >&6; }
if test "x$ac_cv_lib_crypto_X509_STORE_CTX_get0_cert" = xyes; then :
$as_echo "#define HAVE_X509_STORE_CTX_GET0_CERT 1" >>confdefs.h
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ASN1_STRING_get0_data in -lcrypto" >&5
$as_echo_n "checking for ASN1_STRING_get0_data in -lcrypto... " >&6; }
if ${ac_cv_lib_crypto_ASN1_STRING_get0_data+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lcrypto $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char ASN1_STRING_get0_data ();
int
main ()
{
return ASN1_STRING_get0_data ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_crypto_ASN1_STRING_get0_data=yes
else
ac_cv_lib_crypto_ASN1_STRING_get0_data=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_ASN1_STRING_get0_data" >&5
$as_echo "$ac_cv_lib_crypto_ASN1_STRING_get0_data" >&6; }
if test "x$ac_cv_lib_crypto_ASN1_STRING_get0_data" = xyes; then :
$as_echo "#define HAVE_ASN1_STRING_GET0_DATA 1" >>confdefs.h
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_ciphersuites in -lssl" >&5
$as_echo_n "checking for SSL_CTX_set_ciphersuites in -lssl... " >&6; }
if ${ac_cv_lib_ssl_SSL_CTX_set_ciphersuites_lcrypto+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lssl -lcrypto $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */ /* end confdefs.h. */
@ -22011,21 +22094,145 @@ return SSL_CTX_set_ciphersuites ();
} }
_ACEOF _ACEOF
if ac_fn_c_try_link "$LINENO"; then : if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto=yes ac_cv_lib_ssl_SSL_CTX_set_ciphersuites_lcrypto=yes
else else
ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto=no ac_cv_lib_ssl_SSL_CTX_set_ciphersuites_lcrypto=no
fi fi
rm -f core conftest.err conftest.$ac_objext \ rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS LIBS=$ac_check_lib_save_LIBS
fi fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_CTX_set_ciphersuites_lcrypto" >&5
$as_echo "$ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" >&6; } $as_echo "$ac_cv_lib_ssl_SSL_CTX_set_ciphersuites_lcrypto" >&6; }
if test "x$ac_cv_lib_ssl_SSL_CTX_set_ciphersuitescrypto" = xyes; then : if test "x$ac_cv_lib_ssl_SSL_CTX_set_ciphersuites_lcrypto" = xyes; then :
$as_echo "#define HAVE_SSL_CTX_SET_CIPHERSUITES 1" >>confdefs.h $as_echo "#define HAVE_SSL_CTX_SET_CIPHERSUITES 1" >>confdefs.h
fi fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_min_proto_version in -lssl" >&5
$as_echo_n "checking for SSL_CTX_set_min_proto_version in -lssl... " >&6; }
if ${ac_cv_lib_ssl_SSL_CTX_set_min_proto_version_lcrypto+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lssl -lcrypto $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char SSL_CTX_set_min_proto_version ();
int
main ()
{
return SSL_CTX_set_min_proto_version ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_ssl_SSL_CTX_set_min_proto_version_lcrypto=yes
else
ac_cv_lib_ssl_SSL_CTX_set_min_proto_version_lcrypto=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_CTX_set_min_proto_version_lcrypto" >&5
$as_echo "$ac_cv_lib_ssl_SSL_CTX_set_min_proto_version_lcrypto" >&6; }
if test "x$ac_cv_lib_ssl_SSL_CTX_set_min_proto_version_lcrypto" = xyes; then :
$as_echo "#define HAVE_SSL_CTX_SET_MIN_PROTO_VERSION 1" >>confdefs.h
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for TLS_client_method in -lssl" >&5
$as_echo_n "checking for TLS_client_method in -lssl... " >&6; }
if ${ac_cv_lib_ssl_TLS_client_method_lcrypto+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lssl -lcrypto $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char TLS_client_method ();
int
main ()
{
return TLS_client_method ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_ssl_TLS_client_method_lcrypto=yes
else
ac_cv_lib_ssl_TLS_client_method_lcrypto=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_TLS_client_method_lcrypto" >&5
$as_echo "$ac_cv_lib_ssl_TLS_client_method_lcrypto" >&6; }
if test "x$ac_cv_lib_ssl_TLS_client_method_lcrypto" = xyes; then :
$as_echo "#define HAVE_TLS_CLIENT_METHOD 1" >>confdefs.h
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for TLS_server_method in -lssl" >&5
$as_echo_n "checking for TLS_server_method in -lssl... " >&6; }
if ${ac_cv_lib_ssl_TLS_server_method_lcrypto+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lssl -lcrypto $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char TLS_server_method ();
int
main ()
{
return TLS_server_method ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_ssl_TLS_server_method_lcrypto=yes
else
ac_cv_lib_ssl_TLS_server_method_lcrypto=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_TLS_server_method_lcrypto" >&5
$as_echo "$ac_cv_lib_ssl_TLS_server_method_lcrypto" >&6; }
if test "x$ac_cv_lib_ssl_TLS_server_method_lcrypto" = xyes; then :
$as_echo "#define HAVE_TLS_SERVER_METHOD 1" >>confdefs.h
fi
fi
OLIBS="$LIBS" OLIBS="$LIBS"
LIBS="${LIBS} ${NET_LIBS}" LIBS="${LIBS} ${NET_LIBS}"
ac_fn_c_check_func "$LINENO" "socket" "ac_cv_func_socket" ac_fn_c_check_func "$LINENO" "socket" "ac_cv_func_socket"
@ -29995,6 +30202,12 @@ fi


@ -2955,9 +2955,16 @@ AC_INCLUDES_DEFAULT
#include <$ac_header_dirent> #include <$ac_header_dirent>
]) ])
dnl dnl
dnl Check for SSL_CTX_set_ciphersuites supported by OpenSSL 1.1 and higher dnl Check for functions only present in OpenSSL 1.1 and above
dnl dnl
AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [crypto]) if test "${enable_openssl-no}" != no; then
AC_CHECK_LIB(crypto, X509_STORE_CTX_get0_cert, [AC_DEFINE(HAVE_X509_STORE_CTX_GET0_CERT)])
AC_CHECK_LIB(crypto, ASN1_STRING_get0_data, [AC_DEFINE(HAVE_ASN1_STRING_GET0_DATA)])
AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [-lcrypto])
AC_CHECK_LIB(ssl, SSL_CTX_set_min_proto_version, [AC_DEFINE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)], [], [-lcrypto])
AC_CHECK_LIB(ssl, TLS_client_method, [AC_DEFINE(HAVE_TLS_CLIENT_METHOD)], [], [-lcrypto])
AC_CHECK_LIB(ssl, TLS_server_method, [AC_DEFINE(HAVE_TLS_SERVER_METHOD)], [], [-lcrypto])
fi
dnl dnl
dnl If socket(2) not in libc, check -lsocket and -linet dnl If socket(2) not in libc, check -lsocket and -linet
dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols
@ -4736,7 +4743,13 @@ AH_TEMPLATE(HAVE_KINFO_PROC2_NETBSD, [Define to 1 if your system has a NetBSD-st
AH_TEMPLATE(HAVE_KINFO_PROC_OPENBSD, [Define to 1 if your system has an OpenBSD-style kinfo_proc struct.]) AH_TEMPLATE(HAVE_KINFO_PROC_OPENBSD, [Define to 1 if your system has an OpenBSD-style kinfo_proc struct.])
AH_TEMPLATE(HAVE_OPENSSL, [Define to 1 if you are using OpenSSL's TLS and sha2 functions.]) AH_TEMPLATE(HAVE_OPENSSL, [Define to 1 if you are using OpenSSL's TLS and sha2 functions.])
AH_TEMPLATE(HAVE_GCRYPT, [Define to 1 if you are using gcrypt's sha2 functions.]) AH_TEMPLATE(HAVE_GCRYPT, [Define to 1 if you are using gcrypt's sha2 functions.])
AH_TEMPLATE(HAVE_X509_STORE_CTX_GET0_CERT, [Define to 1 if you have the `X509_STORE_CTX_get0_cert' function.])
AH_TEMPLATE(HAVE_ASN1_STRING_GET0_DATA, [Define to 1 if you have the `ASN1_STRING_get0_data' function.])
AH_TEMPLATE(HAVE_SSL_CTX_SET_CIPHERSUITES, [Define to 1 if you have the `SSL_CTX_set_ciphersuites' function.]) AH_TEMPLATE(HAVE_SSL_CTX_SET_CIPHERSUITES, [Define to 1 if you have the `SSL_CTX_set_ciphersuites' function.])
AH_TEMPLATE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION, [Define to 1 if you have the `SSL_CTX_set_min_proto_version' function.])
AH_TEMPLATE(HAVE_TLS_CLIENT_METHOD, [Define to 1 if you have the `TLS_client_method' function.])
AH_TEMPLATE(HAVE_TLS_SERVER_METHOD, [Define to 1 if you have the `TLS_server_method' function.])
dnl dnl
dnl Bits to copy verbatim into config.h.in dnl Bits to copy verbatim into config.h.in
dnl dnl
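Review bot: The new comment `dnl Check for functions only present in OpenSSL 1.1 and above` describes what is probed but not what happens when a probe fails, and the link between these six `AC_CHECK_LIB` calls and the fallback defines added elsewhere in this commit is only discoverable by reading both hunks. Since each `HAVE_*` symbol defined here is matched by either a compat macro or an `#ifdef` branch in the C code, a one-line pointer would keep the two in step when the next probe is added, e.g. `dnl Each HAVE_* below needs a matching 1.0.2 fallback (compat macro or #ifdef) in the code that uses it.` I would add it directly under the existing comment line.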


@ -390,6 +390,24 @@ int getdomainname(char *, size_t);
# endif # endif
#endif /* __hpux && !__LP64__ */ #endif /* __hpux && !__LP64__ */
/*
* Compatibility defines for OpenSSL 1.0.2 (not needed for 1.1.x)
*/
#if defined(HAVE_OPENSSL)
# ifndef HAVE_X509_STORE_CTX_GET0_CERT
# define X509_STORE_CTX_get0_cert(x) ((x)->cert)
# endif
# ifndef HAVE_ASN1_STRING_GET0_DATA
# define ASN1_STRING_get0_data(x) ASN1_STRING_data(x)
# endif
# ifndef HAVE_TLS_CLIENT_METHOD
# define TLS_client_method() SSLv23_client_method()
# endif
# ifndef HAVE_TLS_SERVER_METHOD
# define TLS_server_method() SSLv23_server_method()
# endif
#endif /* HAVE_OPENSSL */
/* /*
* Functions "missing" from libc. * Functions "missing" from libc.
* All libc replacements are prefixed with "sudo_" to avoid namespace issues. * All libc replacements are prefixed with "sudo_" to avoid namespace issues.
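Review bot: The fallback `# define X509_STORE_CTX_get0_cert(x) ((x)->cert)` reaches into `struct x509_store_ctx_st`, which is a public type in the OpenSSL 1.0.x headers but became opaque in 1.1.0, so this macro is correct only because the configure probe guarantees `HAVE_X509_STORE_CTX_GET0_CERT` is set whenever the accessor exists; nothing in the block itself ties it to a version. I would state that dependency next to the define, e.g. `/* X509_STORE_CTX is opaque from 1.1.0 on; direct member access relies on the accessor being absent only on 1.0.x. */`, so a later move to an `OPENSSL_VERSION_NUMBER` guard does not silently reorder the assumption. The remaining three defines are plain function renames and need no such note; the `ASN1_STRING_data` fallback loses the `const` on the return type, which is harmless for callers that already accept a const pointer.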


@ -1205,12 +1205,17 @@ init_tls_server_context(void)
} }
/* audit server supports TLS ver1.2 or higher */ /* audit server supports TLS ver1.2 or higher */
#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) { if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"unable to restrict min. protocol version: %s", "unable to restrict min. protocol version: %s",
ERR_error_string(ERR_get_error(), NULL)); ERR_error_string(ERR_get_error(), NULL));
goto bad; goto bad;
} }
#else
SSL_CTX_set_options(ctx,
SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1);
#endif
goto good; goto good;
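Review bot: The `#else` fallback added just before `goto good;` calls `SSL_CTX_set_options`, whose return value is the resulting option mask rather than a success flag, so unlike the `SSL_CTX_set_min_proto_version` branch it has no error path and cannot log one; a comment there would stop a later reader from "fixing" that asymmetry with a bogus check, e.g. `/* OpenSSL < 1.1: no min-version API; SSL_CTX_set_options() returns the mask and cannot fail. */`. The same eleven-line `#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION` / `#else` block is repeated in the `init_tls_client_context()` and `tls_init()` hunks of this commit; keeping the list of disabled protocol versions in one compat macro next to the other OpenSSL 1.0.2 defines would mean a future change to the minimum version is made once rather than three times. As far as I know `SSL_OP_NO_TLSv1_1` exists from OpenSSL 1.0.1 on, so the fallback should compile on the 1.0.2 target; I have not verified that here. `init_tls_server_context()` begins outside the hunk.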


@ -145,6 +145,17 @@ init_tls_client_context(const char *ca_bundle_file, const char *cert_file, const
ERR_error_string(ERR_get_error(), NULL)); ERR_error_string(ERR_get_error(), NULL));
goto bad; goto bad;
} }
#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"unable to restrict min. protocol version: %s",
ERR_error_string(ERR_get_error(), NULL));
goto bad;
}
#else
SSL_CTX_set_options(ctx,
SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1);
#endif
if (cert_file) { if (cert_file) {
if (!SSL_CTX_use_certificate_chain_file(ctx, cert_file)) { if (!SSL_CTX_use_certificate_chain_file(ctx, cert_file)) {


@ -286,6 +286,18 @@ tls_init(struct client_closure *closure, bool peer_auth)
ERR_error_string(ERR_get_error(), NULL)); ERR_error_string(ERR_get_error(), NULL));
goto bad; goto bad;
} }
#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
if (!SSL_CTX_set_min_proto_version(closure->ssl_ctx, TLS1_2_VERSION)) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"unable to restrict min. protocol version: %s",
ERR_error_string(ERR_get_error(), NULL));
goto bad;
}
#else
SSL_CTX_set_options(closure->ssl_ctx,
SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1);
#endif
/* sets the location of the CA bundle file for verification purposes */ /* sets the location of the CA bundle file for verification purposes */
if (SSL_CTX_load_verify_locations(closure->ssl_ctx, if (SSL_CTX_load_verify_locations(closure->ssl_ctx,
closure->log_details->ca_bundle, NULL) <= 0) { closure->log_details->ca_bundle, NULL) <= 0) {