Check for OpenSSL defines before trying to use them.

The SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 defines did not exist prior
to OpenSSL version 1.0.1. A recent commit attempts to, by default, set
these options, which can cause problems on systems with older OpenSSL
installations.

This commit adds a configure script check for those defines and will not
attempt to make use of those if they do not exist. We will print a
warning urging the user to upgrade their OpenSSL installation if those
defines are not present.

Change-Id: I6a2eb9a43fd0738b404d8f6f2cf4b5c22d9d752d
changes/99/2199/2
Mark Michelson 9 years ago
parent c0a8ecc8c0
commit 3b426a8b09

108
configure vendored

@ -651,6 +651,8 @@ PBX_MSG_NOSIGNAL
PBX_IXJUSER
GMIME_LIBS
GMIME_CFLAGS
PBX_SSL_OP_NO_TLSV1_2
PBX_SSL_OP_NO_TLSV1_1
OPENH323_BUILD
OPENH323_SUFFIX
OPENH323_LIBDIR
@ -13695,7 +13697,7 @@ else
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
@ -13741,7 +13743,7 @@ else
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
@ -13765,7 +13767,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
@ -13810,7 +13812,7 @@ else
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
@ -13834,7 +13836,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
We can't simply define LARGE_OFF_T to be 9223372036854775807,
since some C++ compilers masquerading as C compilers
incorrectly reject 9223372036854775807. */
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
&& LARGE_OFF_T % 2147483647 == 1)
? 1 : -1];
@ -30763,6 +30765,102 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
if test "$PBX_OPENSSL" = "1";
then
if test "x${PBX_SSL_OP_NO_TLSV1_1}" != "x1"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_OP_NO_TLSv1_1 in openssl/ssl.h" >&5
$as_echo_n "checking for SSL_OP_NO_TLSv1_1 in openssl/ssl.h... " >&6; }
saved_cppflags="${CPPFLAGS}"
if test "x${SSL_OP_NO_TLSV1_1_DIR}" != "x"; then
SSL_OP_NO_TLSV1_1_INCLUDE="-I${SSL_OP_NO_TLSV1_1_DIR}/include"
fi
CPPFLAGS="${CPPFLAGS} ${SSL_OP_NO_TLSV1_1_INCLUDE}"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <openssl/ssl.h>
int
main ()
{
#if defined(SSL_OP_NO_TLSv1_1)
int foo = 0;
#else
int foo = bar;
#endif
0
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
PBX_SSL_OP_NO_TLSV1_1=1
$as_echo "#define HAVE_SSL_OP_NO_TLSV1_1 1" >>confdefs.h
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
CPPFLAGS="${saved_cppflags}"
fi
if test "x${PBX_SSL_OP_NO_TLSV1_2}" != "x1"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_OP_NO_TLSv1_2 in openssl/ssl.h" >&5
$as_echo_n "checking for SSL_OP_NO_TLSv1_2 in openssl/ssl.h... " >&6; }
saved_cppflags="${CPPFLAGS}"
if test "x${SSL_OP_NO_TLSV1_2_DIR}" != "x"; then
SSL_OP_NO_TLSV1_2_INCLUDE="-I${SSL_OP_NO_TLSV1_2_DIR}/include"
fi
CPPFLAGS="${CPPFLAGS} ${SSL_OP_NO_TLSV1_2_INCLUDE}"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <openssl/ssl.h>
int
main ()
{
#if defined(SSL_OP_NO_TLSv1_2)
int foo = 0;
#else
int foo = bar;
#endif
0
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
PBX_SSL_OP_NO_TLSV1_2=1
$as_echo "#define HAVE_SSL_OP_NO_TLSV1_2 1" >>confdefs.h
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
CPPFLAGS="${saved_cppflags}"
fi
fi
if test "x${PBX_SRTP}" != "x1" -a "${USE_SRTP}" != "no"; then
pbxlibdir=""

@ -2302,6 +2302,12 @@ then
AST_C_DECLARE_CHECK([OPENSSL_ECDH_AUTO], [SSL_CTX_set_ecdh_auto], [openssl/ssl.h])
fi
if test "$PBX_OPENSSL" = "1";
then
AST_C_DEFINE_CHECK([SSL_OP_NO_TLSV1_1], [SSL_OP_NO_TLSv1_1], [openssl/ssl.h])
AST_C_DEFINE_CHECK([SSL_OP_NO_TLSV1_2], [SSL_OP_NO_TLSv1_2], [openssl/ssl.h])
fi
AST_EXT_LIB_CHECK([SRTP], [srtp], [srtp_init], [srtp/srtp.h])
if test "$PBX_SRTP" = "1";

@ -832,6 +832,12 @@
/* Define to 1 if you have the ISDN SS7 library. */
#undef HAVE_SS7
/* Define if your system has the SSL_OP_NO_TLSV1_1 headers. */
#undef HAVE_SSL_OP_NO_TLSV1_1
/* Define if your system has the SSL_OP_NO_TLSV1_2 headers. */
#undef HAVE_SSL_OP_NO_TLSV1_2
/* Define to 1 if `stat' has the bug that it succeeds when given the
zero-length file name argument. */
#undef HAVE_STAT_EMPTY_STRING_BUG

@ -875,12 +875,17 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) {
ssl_opts |= SSL_OP_NO_TLSv1;
}
#if defined(HAVE_SSL_OP_NO_TLSV1_1) && defined(HAVE_SSL_OP_NO_TLSV1_2)
if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) {
ssl_opts |= SSL_OP_NO_TLSv1_1;
}
if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) {
ssl_opts |= SSL_OP_NO_TLSv1_2;
}
#else
ast_log(LOG_WARNING, "Your version of OpenSSL leaves you potentially vulnerable "
"to the SSL BEAST attack. Please upgrade to OpenSSL 1.0.1 or later\n");
#endif
SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);

Loading…
Cancel
Save