[asterisk-bugs] [JIRA] (ASTERISK-28933) res_pjsip.so fails to load when bundled pjproject is compiled without libssl

Asterisk Team (JIRA) noreply at issues.asterisk.org
Thu Jun 4 10:20:25 CDT 2020 

    [ https://issues.asterisk.org/jira/browse/ASTERISK-28933?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=251024#comment-251024 ] 

Asterisk Team commented on ASTERISK-28933:
------------------------------------------

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur.

> res_pjsip.so fails to load when bundled pjproject is compiled without libssl
> ----------------------------------------------------------------------------
>
>                 Key: ASTERISK-28933
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28933
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_pjsip
>    Affects Versions: 13.33.0
>            Reporter: Walter Doekes
>
> Hi!
> This is really a theoretical issue. I wasn't planning on running a machine without libssl. But because this machine was so clean, I happened to notice this:
> If you compile libasteriskpj.so without libssl-dev, you get fewer symbols:
> {noformat}
> $ diff <(nm -D pj-13-with-ssl.so | awk '/ T /{print $3}') <(nm -D pj-13-without-ssl.so | awk '/ T /{print $3}') | awk '/^</{print $2}'
> pjsip_tls_setting_wipe_keys
> pjsip_tls_transport_lis_start
> pjsip_tls_transport_restart
> pjsip_tls_transport_start
> pjsip_tls_transport_start2
> pj_ssl_cert_info_dump
> pj_ssl_cert_load_from_buffer
> pj_ssl_cert_load_from_files
> pj_ssl_cert_load_from_files2
> pj_ssl_cert_wipe_keys
> pj_ssl_cipher_get_availables
> pj_ssl_cipher_id
> pj_ssl_cipher_is_supported
> pj_ssl_cipher_name
> pj_ssl_curve_get_availables
> pj_ssl_curve_id
> pj_ssl_curve_is_supported
> pj_ssl_curve_name
> pj_ssl_sock_close
> pj_ssl_sock_create
> pj_ssl_sock_get_info
> pj_ssl_sock_get_user_data
> pj_ssl_sock_renegotiate
> pj_ssl_sock_send
> pj_ssl_sock_sendto
> pj_ssl_sock_set_certificate
> pj_ssl_sock_set_user_data
> pj_ssl_sock_start_accept
> pj_ssl_sock_start_accept2
> pj_ssl_sock_start_connect
> pj_ssl_sock_start_connect2
> pj_ssl_sock_start_read
> pj_ssl_sock_start_read2
> pj_ssl_sock_start_recvfrom
> pj_ssl_sock_start_recvfrom2
> pj_turn_sock_tls_cfg_default
> pj_turn_sock_tls_cfg_dup
> pj_turn_sock_tls_cfg_wipe_keys
> {noformat}
> These are only built when:
> {noformat}
> #if defined(PJ_HAS_SSL_SOCK) && PJ_HAS_SSL_SOCK!=0                              
> {noformat}
> And that is not the case when there is no libssl-dev nor libgnutls-dev.
> The relevant functions are (only) called here:
> {noformat}
> $ wgrep asterisk-rw-13.git/ -E '^pjsip_tls_setting_wipe_keys|pjsip_tls_transport_lis_start|pjsip_tls_transport_restart|pjsip_tls_transport_start|pjsip_tls_transport_start2|pj_ssl_cert_info_dump|pj_ssl_cert_load_from_buffer|pj_ssl_cert_load_from_files|pj_ssl_cert_load_from_files2|pj_ssl_cert_wipe_keys|pj_ssl_cipher_get_availables|pj_ssl_cipher_id|pj_ssl_cipher_is_supported|pj_ssl_cipher_name|pj_ssl_curve_get_availables|pj_ssl_curve_id|pj_ssl_curve_is_supported|pj_ssl_curve_name|pj_ssl_sock_close|pj_ssl_sock_create|pj_ssl_sock_get_info|pj_ssl_sock_get_user_data|pj_ssl_sock_renegotiate|pj_ssl_sock_send|pj_ssl_sock_sendto|pj_ssl_sock_set_certificate|pj_ssl_sock_set_user_data|pj_ssl_sock_start_accept|pj_ssl_sock_start_accept2|pj_ssl_sock_start_connect|pj_ssl_sock_start_connect2|pj_ssl_sock_start_read|pj_ssl_sock_start_read2|pj_ssl_sock_start_recvfrom|pj_ssl_sock_start_recvfrom2|pj_turn_sock_tls_cfg_default|pj_turn_sock_tls_cfg_dup|pj_turn_sock_tls_cfg_wipe_keys$' | grep -vF /third-party/
> asterisk-rw-13.git/res/res_pjsip/config_transport.c:			res = pjsip_tls_transport_start2(ast_sip_get_pjsip_endpoint(), &temp_state->state->tls,
> asterisk-rw-13.git/res/res_pjsip/config_transport.c:	if (pj_ssl_cipher_get_availables(ciphers, &cipher_num)) {
> asterisk-rw-13.git/res/res_pjsip/config_transport.c:		const char *pos_name = pj_ssl_cipher_name(ciphers[pos]);
> asterisk-rw-13.git/res/res_pjsip/config_transport.c:	if (pj_ssl_cipher_is_supported(cipher)) {
> asterisk-rw-13.git/res/res_pjsip/config_transport.c:		ast_str_append(&str, 0, "%s", pj_ssl_cipher_name(ciphers[idx]));
> asterisk-rw-13.git/res/res_pjsip/config_transport.c:	if (pj_ssl_cipher_get_availables(ciphers, &cipher_num) || !cipher_num) {
> {noformat}
> That is, only {{res/res_pjsip/config_transport.c}} and only:
> {noformat}
> pjsip_tls_transport_start2
> pj_ssl_cipher_get_availables
> pj_ssl_cipher_name
> pj_ssl_cipher_is_supported
> {noformat}
> And could be fixed with something like:
> {noformat}
> diff --git a/res/res_pjsip/config_transport.c b/res/res_pjsip/config_transport.c
> index d2993401fc..6596a87643 100644
> --- a/res/res_pjsip/config_transport.c
> +++ b/res/res_pjsip/config_transport.c
> @@ -618,6 +618,7 @@ static int transport_apply(const struct ast_sorcery *sorcery, void *obj)
>  			res = pjsip_tcp_transport_start3(ast_sip_get_pjsip_endpoint(), &cfg,
>  				&temp_state->state->factory);
>  		}
> +#ifdef HAVE_OPENSSL
>  	} else if (transport->type == AST_TRANSPORT_TLS) {
>  		static int option = 1;
>  
> @@ -648,6 +649,7 @@ static int transport_apply(const struct ast_sorcery *sorcery, void *obj)
>  				&temp_state->state->host, NULL, transport->async_operations,
>  				&temp_state->state->factory);
>  		}
> +#endif
>  	} else if ((transport->type == AST_TRANSPORT_WS) || (transport->type == AST_TRANSPORT_WSS)) {
>  		if (transport->cos || transport->tos) {
>  			ast_log(LOG_WARNING, "TOS and COS values ignored for websocket transport\n");
> @@ -977,6 +979,7 @@ static int tls_method_to_str(const void *obj, const intptr_t *args, char **buf)
>  	return 0;
>  }
>  
> +#ifdef HAVE_OPENSSL
>  /*! \brief Helper function which turns a cipher name into an identifier */
>  static pj_ssl_cipher cipher_name_to_id(const char *name)
>  {
> @@ -997,6 +1000,7 @@ static pj_ssl_cipher cipher_name_to_id(const char *name)
>  
>  	return 0;
>  }
> +#endif
>  
>  /*!
>   * \internal
> @@ -1010,6 +1014,7 @@ static pj_ssl_cipher cipher_name_to_id(const char *name)
>   */
>  static int transport_cipher_add(struct ast_sip_transport_state *state, const char *name)
>  {
> +#ifdef HAVE_OPENSSL
>  	pj_ssl_cipher cipher;
>  	int idx;
>  
> @@ -1033,10 +1038,10 @@ static int transport_cipher_add(struct ast_sip_transport_state *state, const cha
>  		}
>  		state->ciphers[state->tls.ciphers_num++] = cipher;
>  		return 0;
> -	} else {
> +	}
> +#endif
>  		ast_log(LOG_ERROR, "Cipher '%s' is unsupported\n", name);
>  		return -1;
> -	}
>  }
>  
>  /*! \brief Custom handler for TLS cipher setting */
> @@ -1079,7 +1084,13 @@ static void cipher_to_str(char **buf, const pj_ssl_cipher *ciphers, unsigned int
>  	}
>  
>  	for (idx = 0; idx < cipher_num; ++idx) {
> -		ast_str_append(&str, 0, "%s", pj_ssl_cipher_name(ciphers[idx]));
> +		ast_str_append(&str, 0, "%s",
> +#ifdef HAVE_OPENSSL
> +                pj_ssl_cipher_name(ciphers[idx])
> +#else
> +                "<OPENSSL_MISSING>"
> +#endif
> +                );
>  		if (idx < cipher_num - 1) {
>  			ast_str_append(&str, 0, ", ");
>  		}
> @@ -1118,7 +1129,11 @@ static char *handle_pjsip_list_ciphers(struct ast_cli_entry *e, int cmd, struct
>  		return NULL;
>  	}
>  
> -	if (pj_ssl_cipher_get_availables(ciphers, &cipher_num) || !cipher_num) {
> +	if (
> +#ifdef HAVE_OPENSSL
> +            pj_ssl_cipher_get_availables(ciphers, &cipher_num) ||
> +#endif
> +            !cipher_num) {
>  		buf = NULL;
>  	} else {
>  		cipher_to_str(&buf, ciphers, cipher_num);
> {noformat}
> (Although that would break the possibility for someone to use gnutls; if that works, which I'm not sure does.)
> In any case, without the above patch, res_pjsip.so fails to load because of the missing symbols.
> So either we should mandate libssl-dev (or libgnutls-dev?) or apply something like above.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list