[asterisk-bugs] [JIRA] (ASTERISK-28933) res_pjsip.so fails to load when bundled pjproject is compiled without libssl

Walter Doekes (JIRA) noreply at issues.asterisk.org
Thu Jun 4 10:20:25 CDT 2020


Walter Doekes created ASTERISK-28933:
----------------------------------------

             Summary: res_pjsip.so fails to load when bundled pjproject is compiled without libssl
                 Key: ASTERISK-28933
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28933
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
          Components: Resources/res_pjsip
    Affects Versions: 13.33.0
            Reporter: Walter Doekes


Hi!

This is really a theoretical issue. I wasn't planning on running a machine without libssl. But because this machine was so clean, I happened to notice this:

If you compile libasteriskpj.so without libssl-dev, you get fewer symbols:
{noformat}
$ diff <(nm -D pj-13-with-ssl.so | awk '/ T /{print $3}') <(nm -D pj-13-without-ssl.so | awk '/ T /{print $3}') | awk '/^</{print $2}'
pjsip_tls_setting_wipe_keys
pjsip_tls_transport_lis_start
pjsip_tls_transport_restart
pjsip_tls_transport_start
pjsip_tls_transport_start2
pj_ssl_cert_info_dump
pj_ssl_cert_load_from_buffer
pj_ssl_cert_load_from_files
pj_ssl_cert_load_from_files2
pj_ssl_cert_wipe_keys
pj_ssl_cipher_get_availables
pj_ssl_cipher_id
pj_ssl_cipher_is_supported
pj_ssl_cipher_name
pj_ssl_curve_get_availables
pj_ssl_curve_id
pj_ssl_curve_is_supported
pj_ssl_curve_name
pj_ssl_sock_close
pj_ssl_sock_create
pj_ssl_sock_get_info
pj_ssl_sock_get_user_data
pj_ssl_sock_renegotiate
pj_ssl_sock_send
pj_ssl_sock_sendto
pj_ssl_sock_set_certificate
pj_ssl_sock_set_user_data
pj_ssl_sock_start_accept
pj_ssl_sock_start_accept2
pj_ssl_sock_start_connect
pj_ssl_sock_start_connect2
pj_ssl_sock_start_read
pj_ssl_sock_start_read2
pj_ssl_sock_start_recvfrom
pj_ssl_sock_start_recvfrom2
pj_turn_sock_tls_cfg_default
pj_turn_sock_tls_cfg_dup
pj_turn_sock_tls_cfg_wipe_keys
{noformat}
These are only built when:
{noformat}
#if defined(PJ_HAS_SSL_SOCK) && PJ_HAS_SSL_SOCK!=0                              
{noformat}
And that is not the case when neither libssl-dev nor libgnutls-dev is installed.

The relevant functions are (only) called here:
{noformat}
$ wgrep asterisk-rw-13.git/ -E '^pjsip_tls_setting_wipe_keys|pjsip_tls_transport_lis_start|pjsip_tls_transport_restart|pjsip_tls_transport_start|pjsip_tls_transport_start2|pj_ssl_cert_info_dump|pj_ssl_cert_load_from_buffer|pj_ssl_cert_load_from_files|pj_ssl_cert_load_from_files2|pj_ssl_cert_wipe_keys|pj_ssl_cipher_get_availables|pj_ssl_cipher_id|pj_ssl_cipher_is_supported|pj_ssl_cipher_name|pj_ssl_curve_get_availables|pj_ssl_curve_id|pj_ssl_curve_is_supported|pj_ssl_curve_name|pj_ssl_sock_close|pj_ssl_sock_create|pj_ssl_sock_get_info|pj_ssl_sock_get_user_data|pj_ssl_sock_renegotiate|pj_ssl_sock_send|pj_ssl_sock_sendto|pj_ssl_sock_set_certificate|pj_ssl_sock_set_user_data|pj_ssl_sock_start_accept|pj_ssl_sock_start_accept2|pj_ssl_sock_start_connect|pj_ssl_sock_start_connect2|pj_ssl_sock_start_read|pj_ssl_sock_start_read2|pj_ssl_sock_start_recvfrom|pj_ssl_sock_start_recvfrom2|pj_turn_sock_tls_cfg_default|pj_turn_sock_tls_cfg_dup|pj_turn_sock_tls_cfg_wipe_keys$' | grep -vF /third-party/

asterisk-rw-13.git/res/res_pjsip/config_transport.c:			res = pjsip_tls_transport_start2(ast_sip_get_pjsip_endpoint(), &temp_state->state->tls,
asterisk-rw-13.git/res/res_pjsip/config_transport.c:	if (pj_ssl_cipher_get_availables(ciphers, &cipher_num)) {
asterisk-rw-13.git/res/res_pjsip/config_transport.c:		const char *pos_name = pj_ssl_cipher_name(ciphers[pos]);
asterisk-rw-13.git/res/res_pjsip/config_transport.c:	if (pj_ssl_cipher_is_supported(cipher)) {
asterisk-rw-13.git/res/res_pjsip/config_transport.c:		ast_str_append(&str, 0, "%s", pj_ssl_cipher_name(ciphers[idx]));
asterisk-rw-13.git/res/res_pjsip/config_transport.c:	if (pj_ssl_cipher_get_availables(ciphers, &cipher_num) || !cipher_num) {
{noformat}
That is, only in {{res/res_pjsip/config_transport.c}}, and only these:
{noformat}
pjsip_tls_transport_start2
pj_ssl_cipher_get_availables
pj_ssl_cipher_name
pj_ssl_cipher_is_supported
{noformat}
And could be fixed with something like:
{noformat}
diff --git a/res/res_pjsip/config_transport.c b/res/res_pjsip/config_transport.c
index d2993401fc..6596a87643 100644
--- a/res/res_pjsip/config_transport.c
+++ b/res/res_pjsip/config_transport.c
@@ -618,6 +618,7 @@ static int transport_apply(const struct ast_sorcery *sorcery, void *obj)
 			res = pjsip_tcp_transport_start3(ast_sip_get_pjsip_endpoint(), &cfg,
 				&temp_state->state->factory);
 		}
+#ifdef HAVE_OPENSSL
 	} else if (transport->type == AST_TRANSPORT_TLS) {
 		static int option = 1;
 
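Review bot: The added `#ifdef HAVE_OPENSSL` keys on Asterisk's own OpenSSL detection, while the symbols that actually go missing are gated in pjproject on `PJ_HAS_SSL_SOCK`, so a pjproject built against GnuTLS would lose its TLS transport here even though the symbols link; `#if defined(PJ_HAS_SSL_SOCK) && PJ_HAS_SSL_SOCK != 0` follows the same condition as the library, and the same applies to the matching `#endif` in the next hunk and to the guards around the cipher helpers further down. With the TLS branch compiled out, a transport configured as TLS silently falls through to the websocket comparison instead of being rejected; an `#else` arm that keeps the `} else if (transport->type == AST_TRANSPORT_TLS) {` test, logs `ast_log(LOG_ERROR, "TLS transports are unavailable: pjproject was built without SSL support\n");` and fails the apply would surface the misconfiguration. transport_apply starts before this hunk and its else-chain continues into the next one.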
@@ -648,6 +649,7 @@ static int transport_apply(const struct ast_sorcery *sorcery, void *obj)
 				&temp_state->state->host, NULL, transport->async_operations,
 				&temp_state->state->factory);
 		}
+#endif
 	} else if ((transport->type == AST_TRANSPORT_WS) || (transport->type == AST_TRANSPORT_WSS)) {
 		if (transport->cos || transport->tos) {
 			ast_log(LOG_WARNING, "TOS and COS values ignored for websocket transport\n");
@@ -977,6 +979,7 @@ static int tls_method_to_str(const void *obj, const intptr_t *args, char **buf)
 	return 0;
 }
 
+#ifdef HAVE_OPENSSL
 /*! \brief Helper function which turns a cipher name into an identifier */
 static pj_ssl_cipher cipher_name_to_id(const char *name)
 {
@@ -997,6 +1000,7 @@ static pj_ssl_cipher cipher_name_to_id(const char *name)
 
 	return 0;
 }
+#endif
 
 /*!
  * \internal
@@ -1010,6 +1014,7 @@ static pj_ssl_cipher cipher_name_to_id(const char *name)
  */
 static int transport_cipher_add(struct ast_sip_transport_state *state, const char *name)
 {
+#ifdef HAVE_OPENSSL
 	pj_ssl_cipher cipher;
 	int idx;
 
@@ -1033,10 +1038,10 @@ static int transport_cipher_add(struct ast_sip_transport_state *state, const cha
 		}
 		state->ciphers[state->tls.ciphers_num++] = cipher;
 		return 0;
-	} else {
+	}
+#endif
 		ast_log(LOG_ERROR, "Cipher '%s' is unsupported\n", name);
 		return -1;
-	}
 }
 
 /*! \brief Custom handler for TLS cipher setting */
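Review bot: The `ast_log(LOG_ERROR, "Cipher '%s' is unsupported\n", name);` and `return -1;` lines after the added `#endif` keep the indentation of the removed `} else {` wrapper and now sit one level deeper than their enclosing scope; they should be dedented to a single tab. In a build without OpenSSL the `state` parameter is never read in this function, which will warn under `-Wunused-parameter` if the build enables it; a `(void) state;` in an `#else` arm of the same conditional avoids that without touching the SSL path. The function's opening lines and the `#ifdef` that pairs with this `#endif` are in the previous hunk.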
@@ -1079,7 +1084,13 @@ static void cipher_to_str(char **buf, const pj_ssl_cipher *ciphers, unsigned int
 	}
 
 	for (idx = 0; idx < cipher_num; ++idx) {
-		ast_str_append(&str, 0, "%s", pj_ssl_cipher_name(ciphers[idx]));
+		ast_str_append(&str, 0, "%s",
+#ifdef HAVE_OPENSSL
+                pj_ssl_cipher_name(ciphers[idx])
+#else
+                "<OPENSSL_MISSING>"
+#endif
+                );
 		if (idx < cipher_num - 1) {
 			ast_str_append(&str, 0, ", ");
 		}
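Review bot: The preprocessor conditional placed inside the `ast_str_append` argument list splits one call across six lines, mixes space indentation into a tab-indented file, and will be repeated anywhere else a cipher name is rendered; moving the choice into a small static helper keeps the call site a single line and gives the `"<OPENSSL_MISSING>"` placeholder one home. The helper assumes the `pj_ssl_cipher` typedef remains visible without SSL support, which the unchanged signature of cipher_to_str already relies on. cipher_to_str begins before this hunk.
```c
/*! \brief Display name of a cipher, or a placeholder when pjproject has no SSL backend */
static const char *cipher_display_name(pj_ssl_cipher cipher)
{
#ifdef HAVE_OPENSSL
	return pj_ssl_cipher_name(cipher);
#else
	(void) cipher;
	return "<OPENSSL_MISSING>";
#endif
}

/* … unchanged: start of cipher_to_str up to the loop … */
	for (idx = 0; idx < cipher_num; ++idx) {
		ast_str_append(&str, 0, "%s", cipher_display_name(ciphers[idx]));
```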
@@ -1118,7 +1129,11 @@ static char *handle_pjsip_list_ciphers(struct ast_cli_entry *e, int cmd, struct
 		return NULL;
 	}
 
-	if (pj_ssl_cipher_get_availables(ciphers, &cipher_num) || !cipher_num) {
+	if (
+#ifdef HAVE_OPENSSL
+            pj_ssl_cipher_get_availables(ciphers, &cipher_num) ||
+#endif
+            !cipher_num) {
 		buf = NULL;
 	} else {
 		cipher_to_str(&buf, ciphers, cipher_num);
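Review bot: With HAVE_OPENSSL undefined the condition reduces to `!cipher_num`, yet nothing on the non-SSL path assigns `cipher_num`; its declaration is outside the hunk, and if it is pre-set to the capacity of `ciphers` (the usual in/out convention for pj_ssl_cipher_get_availables) the check is false and cipher_to_str is handed the full, never-populated array, while if it is left uninitialised the read is undefined. Splitting the `if` condition across preprocessor lines also hides this. Setting the count explicitly in the non-SSL build and keeping one plain condition makes the outcome obvious in both configurations. handle_pjsip_list_ciphers begins before this hunk.
```c
#ifdef HAVE_OPENSSL
	if (pj_ssl_cipher_get_availables(ciphers, &cipher_num)) {
		cipher_num = 0;
	}
#else
	cipher_num = 0;	/* no SSL backend in pjproject: nothing to list */
#endif
	if (!cipher_num) {
		buf = NULL;
	} else {
		cipher_to_str(&buf, ciphers, cipher_num);
/* … unchanged: remainder of handle_pjsip_list_ciphers … */
```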
{noformat}
(Although that would remove the possibility of using gnutls instead — if that works at all, which I'm not sure of.)

In any case, without the above patch, res_pjsip.so fails to load because of the missing symbols.

So we should either mandate libssl-dev (or libgnutls-dev?) or apply something like the above.





