[asterisk-bugs] [JIRA] (ASTERISK-28933) res_pjsip.so fails to load when bundled pjproject is compiled without libssl

Walter Doekes (JIRA) noreply at issues.asterisk.org
Thu Jun 4 15:50:25 CDT 2020


    [ https://issues.asterisk.org/jira/browse/ASTERISK-28933?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=251034#comment-251034 ] 

Walter Doekes commented on ASTERISK-28933:
------------------------------------------

Nope. Does not help.

{noformat}
$ grep -i ssl config.log | LC_ALL=C sort -u
  $ ./configure --enable-dev-mode --disable-asteriskssl --without-ssl
#define HAVE_PJ_SSL_CERT_LOAD_FROM_FILES2 1
AST_ASTERISKSSL='no'
OPENSSL='/usr/bin/openssl'
OPENSSL_BIO_METHOD_DIR=''
OPENSSL_BIO_METHOD_INCLUDE=''
OPENSSL_BIO_METHOD_LIB=''
OPENSSL_DIR=''
OPENSSL_INCLUDE=''
OPENSSL_LIB=''
OPENSSL_SRTP_DIR=''
OPENSSL_SRTP_INCLUDE=''
OPENSSL_SRTP_LIB=''
PBX_OPENSSL='-1'
PBX_OPENSSL_BIO_METHOD='0'
PBX_OPENSSL_SRTP='0'
PBX_PJ_SSL_CERT_LOAD_FROM_FILES2=''
PJPROJECT_CONFIGURE_OPTS=' --disable-ssl'
PJ_SSL_CERT_LOAD_FROM_FILES2_DIR=''
PJ_SSL_CERT_LOAD_FROM_FILES2_INCLUDE=''
PJ_SSL_CERT_LOAD_FROM_FILES2_LIB=''
ac_cv_path_OPENSSL=/usr/bin/openssl
configure:21518: gcc -o conftest -g -O2  -DUSE_SYSTEM_IMAP  conftest.c -lm  -lcrypto -lssl -lc-client  >&5
configure:21663: gcc -o conftest -g -O2  -DUSE_SYSTEM_CCLIENT  conftest.c -lm  -lcrypto -lssl -lc-client  >&5
configure:21734: gcc -o conftest -g -O2  -DUSE_SYSTEM_CCLIENT  conftest.c -lm  -lcrypto -lssl -lc-client4  >&5
configure:7779: checking for openssl
configure:7797: found /usr/bin/openssl
configure:7810: result: /usr/bin/openssl
| #define HAVE_PJ_SSL_CERT_LOAD_FROM_FILES2 1
{noformat}
{noformat}
$ grep -i tls config.log | LC_ALL=C sort -u
#define HAVE_PJSIP_TLS_TRANSPORT_PROTO 1
PBX_PJSIP_TLS_TRANSPORT_PROTO=''
PJSIP_TLS_TRANSPORT_PROTO_DIR=''
PJSIP_TLS_TRANSPORT_PROTO_INCLUDE=''
PJSIP_TLS_TRANSPORT_PROTO_LIB=''
| #define HAVE_PJSIP_TLS_TRANSPORT_PROTO 1
{noformat}
{noformat}
$ nm res/res_pjsip.so | grep ssl
                 U pj_ssl_cipher_get_availables
                 U pj_ssl_cipher_is_supported
                 U pj_ssl_cipher_name
{noformat}
{noformat}
$ git branch
* 16
$ git describe --always
6a0c472374
{noformat}


> res_pjsip.so fails to load when bundled pjproject is compiled without libssl
> ----------------------------------------------------------------------------
>
>                 Key: ASTERISK-28933
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28933
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_pjsip
>    Affects Versions: 13.33.0
>            Reporter: Walter Doekes
>            Assignee: Walter Doekes
>
> Hi!
> This is really a theoretical issue. I wasn't planning on running a machine without libssl. But because this machine was so clean, I happened to notice this:
> If you compile libasteriskpj.so without libssl-dev, you get fewer symbols:
> {noformat}
> $ diff <(nm -D pj-13-with-ssl.so | awk '/ T /{print $3}') <(nm -D pj-13-without-ssl.so | awk '/ T /{print $3}') | awk '/^</{print $2}'
> pjsip_tls_setting_wipe_keys
> pjsip_tls_transport_lis_start
> pjsip_tls_transport_restart
> pjsip_tls_transport_start
> pjsip_tls_transport_start2
> pj_ssl_cert_info_dump
> pj_ssl_cert_load_from_buffer
> pj_ssl_cert_load_from_files
> pj_ssl_cert_load_from_files2
> pj_ssl_cert_wipe_keys
> pj_ssl_cipher_get_availables
> pj_ssl_cipher_id
> pj_ssl_cipher_is_supported
> pj_ssl_cipher_name
> pj_ssl_curve_get_availables
> pj_ssl_curve_id
> pj_ssl_curve_is_supported
> pj_ssl_curve_name
> pj_ssl_sock_close
> pj_ssl_sock_create
> pj_ssl_sock_get_info
> pj_ssl_sock_get_user_data
> pj_ssl_sock_renegotiate
> pj_ssl_sock_send
> pj_ssl_sock_sendto
> pj_ssl_sock_set_certificate
> pj_ssl_sock_set_user_data
> pj_ssl_sock_start_accept
> pj_ssl_sock_start_accept2
> pj_ssl_sock_start_connect
> pj_ssl_sock_start_connect2
> pj_ssl_sock_start_read
> pj_ssl_sock_start_read2
> pj_ssl_sock_start_recvfrom
> pj_ssl_sock_start_recvfrom2
> pj_turn_sock_tls_cfg_default
> pj_turn_sock_tls_cfg_dup
> pj_turn_sock_tls_cfg_wipe_keys
> {noformat}
> These are only built when:
> {noformat}
> #if defined(PJ_HAS_SSL_SOCK) && PJ_HAS_SSL_SOCK!=0                              
> {noformat}
> And that is not the case when there is no libssl-dev nor libgnutls-dev.
> The relevant functions are (only) called here:
> {noformat}
> $ wgrep asterisk-rw-13.git/ -E '^pjsip_tls_setting_wipe_keys|pjsip_tls_transport_lis_start|pjsip_tls_transport_restart|pjsip_tls_transport_start|pjsip_tls_transport_start2|pj_ssl_cert_info_dump|pj_ssl_cert_load_from_buffer|pj_ssl_cert_load_from_files|pj_ssl_cert_load_from_files2|pj_ssl_cert_wipe_keys|pj_ssl_cipher_get_availables|pj_ssl_cipher_id|pj_ssl_cipher_is_supported|pj_ssl_cipher_name|pj_ssl_curve_get_availables|pj_ssl_curve_id|pj_ssl_curve_is_supported|pj_ssl_curve_name|pj_ssl_sock_close|pj_ssl_sock_create|pj_ssl_sock_get_info|pj_ssl_sock_get_user_data|pj_ssl_sock_renegotiate|pj_ssl_sock_send|pj_ssl_sock_sendto|pj_ssl_sock_set_certificate|pj_ssl_sock_set_user_data|pj_ssl_sock_start_accept|pj_ssl_sock_start_accept2|pj_ssl_sock_start_connect|pj_ssl_sock_start_connect2|pj_ssl_sock_start_read|pj_ssl_sock_start_read2|pj_ssl_sock_start_recvfrom|pj_ssl_sock_start_recvfrom2|pj_turn_sock_tls_cfg_default|pj_turn_sock_tls_cfg_dup|pj_turn_sock_tls_cfg_wipe_keys$' | grep -vF /third-party/
> asterisk-rw-13.git/res/res_pjsip/config_transport.c:			res = pjsip_tls_transport_start2(ast_sip_get_pjsip_endpoint(), &temp_state->state->tls,
> asterisk-rw-13.git/res/res_pjsip/config_transport.c:	if (pj_ssl_cipher_get_availables(ciphers, &cipher_num)) {
> asterisk-rw-13.git/res/res_pjsip/config_transport.c:		const char *pos_name = pj_ssl_cipher_name(ciphers[pos]);
> asterisk-rw-13.git/res/res_pjsip/config_transport.c:	if (pj_ssl_cipher_is_supported(cipher)) {
> asterisk-rw-13.git/res/res_pjsip/config_transport.c:		ast_str_append(&str, 0, "%s", pj_ssl_cipher_name(ciphers[idx]));
> asterisk-rw-13.git/res/res_pjsip/config_transport.c:	if (pj_ssl_cipher_get_availables(ciphers, &cipher_num) || !cipher_num) {
> {noformat}
> That is, only {{res/res_pjsip/config_transport.c}} and only:
> {noformat}
> pjsip_tls_transport_start2
> pj_ssl_cipher_get_availables
> pj_ssl_cipher_name
> pj_ssl_cipher_is_supported
> {noformat}
> And could be fixed with something like:
> {noformat}
> diff --git a/res/res_pjsip/config_transport.c b/res/res_pjsip/config_transport.c
> index d2993401fc..6596a87643 100644
> --- a/res/res_pjsip/config_transport.c
> +++ b/res/res_pjsip/config_transport.c
> @@ -618,6 +618,7 @@ static int transport_apply(const struct ast_sorcery *sorcery, void *obj)
>  			res = pjsip_tcp_transport_start3(ast_sip_get_pjsip_endpoint(), &cfg,
>  				&temp_state->state->factory);
>  		}
> +#ifdef HAVE_OPENSSL
>  	} else if (transport->type == AST_TRANSPORT_TLS) {
>  		static int option = 1;
>  
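Review bot: The guard added here tests Asterisk's HAVE_OPENSSL, while the symbols that disappear are compiled under pjproject's `#if defined(PJ_HAS_SSL_SOCK) && PJ_HAS_SSL_SOCK!=0` (quoted in the description), and the config.log excerpt in this comment shows the two are set independently (`OPENSSL='/usr/bin/openssl'` is found while `PJPROJECT_CONFIGURE_OPTS=' --disable-ssl'`), so a build can have HAVE_OPENSSL defined and still lack pj_ssl_cipher_*; guarding on `PJ_HAS_SSL_SOCK` follows the actual symbol availability, and the same substitution applies to the #ifdef in the -648, -977, -1010, -1033, -1079 and -1118 hunks. Once the TLS branch is compiled out, a transport configured as AST_TRANSPORT_TLS silently falls through to the WS/WSS comparison and then to whatever follows the chain outside the hunk, so nothing tells the administrator why the transport never starts; an `#else` arm such as `} else if (transport->type == AST_TRANSPORT_TLS) { ast_log(LOG_ERROR, "TLS transports are unavailable: pjproject was built without SSL support\n");` followed by the same failure return the other branches use makes the refusal explicit. transport_apply begins before this hunk and the #ifdef opened here is closed in the next one.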
> @@ -648,6 +649,7 @@ static int transport_apply(const struct ast_sorcery *sorcery, void *obj)
>  				&temp_state->state->host, NULL, transport->async_operations,
>  				&temp_state->state->factory);
>  		}
> +#endif
>  	} else if ((transport->type == AST_TRANSPORT_WS) || (transport->type == AST_TRANSPORT_WSS)) {
>  		if (transport->cos || transport->tos) {
>  			ast_log(LOG_WARNING, "TOS and COS values ignored for websocket transport\n");
> @@ -977,6 +979,7 @@ static int tls_method_to_str(const void *obj, const intptr_t *args, char **buf)
>  	return 0;
>  }
>  
> +#ifdef HAVE_OPENSSL
>  /*! \brief Helper function which turns a cipher name into an identifier */
>  static pj_ssl_cipher cipher_name_to_id(const char *name)
>  {
> @@ -997,6 +1000,7 @@ static pj_ssl_cipher cipher_name_to_id(const char *name)
>  
>  	return 0;
>  }
> +#endif
>  
>  /*!
>   * \internal
> @@ -1010,6 +1014,7 @@ static pj_ssl_cipher cipher_name_to_id(const char *name)
>   */
>  static int transport_cipher_add(struct ast_sip_transport_state *state, const char *name)
>  {
> +#ifdef HAVE_OPENSSL
>  	pj_ssl_cipher cipher;
>  	int idx;
>  
> @@ -1033,10 +1038,10 @@ static int transport_cipher_add(struct ast_sip_transport_state *state, const cha
>  		}
>  		state->ciphers[state->tls.ciphers_num++] = cipher;
>  		return 0;
> -	} else {
> +	}
> +#endif
>  		ast_log(LOG_ERROR, "Cipher '%s' is unsupported\n", name);
>  		return -1;
> -	}
>  }
>  
>  /*! \brief Custom handler for TLS cipher setting */
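Review bot: Without HAVE_OPENSSL the error path of transport_cipher_add still reports "Cipher '%s' is unsupported", which blames the cipher name when the actual reason is that TLS support was compiled out of pjproject; turning the `#endif` into an `#else` arm with its own message, e.g. `ast_log(LOG_ERROR, "Cipher '%s' rejected: pjproject was built without SSL support\n", name);`, keeps the log useful on such builds. In the same hunk, the `ast_log` and `return -1;` lines keep the two-tab indentation of the removed `} else {` block although they now sit at function level, and `state` is no longer referenced on the no-SSL path, which a dev-mode build (the configure line in this comment uses `--enable-dev-mode`) may flag as an unused parameter. The #ifdef closed here is opened in the previous hunk (-1010), and the function body between the two hunks is not shown.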
> @@ -1079,7 +1084,13 @@ static void cipher_to_str(char **buf, const pj_ssl_cipher *ciphers, unsigned int
>  	}
>  
>  	for (idx = 0; idx < cipher_num; ++idx) {
> -		ast_str_append(&str, 0, "%s", pj_ssl_cipher_name(ciphers[idx]));
> +		ast_str_append(&str, 0, "%s",
> +#ifdef HAVE_OPENSSL
> +                pj_ssl_cipher_name(ciphers[idx])
> +#else
> +                "<OPENSSL_MISSING>"
> +#endif
> +                );
>  		if (idx < cipher_num - 1) {
>  			ast_str_append(&str, 0, ", ");
>  		}
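Review bot: The preprocessor conditional is placed inside the argument list of ast_str_append, and its arms are indented with spaces where the rest of the hunk uses tabs; selecting the name into a local first keeps the call readable and the indentation consistent. The no-SSL arm also writes the literal "<OPENSSL_MISSING>" into the string handed back to the caller, which is user-visible output; whether that arm is reachable depends on a caller passing cipher_num > 0 on a build without SSL, which this hunk does not show. cipher_to_str starts before this hunk and the for loop closes after it.
```c
	for (idx = 0; idx < cipher_num; ++idx) {
		const char *cipher_name;
#ifdef HAVE_OPENSSL
		cipher_name = pj_ssl_cipher_name(ciphers[idx]);
#else
		cipher_name = "<OPENSSL_MISSING>";
#endif
		ast_str_append(&str, 0, "%s", cipher_name);
		/* … unchanged: separator handling … */
```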
> @@ -1118,7 +1129,11 @@ static char *handle_pjsip_list_ciphers(struct ast_cli_entry *e, int cmd, struct
>  		return NULL;
>  	}
>  
> -	if (pj_ssl_cipher_get_availables(ciphers, &cipher_num) || !cipher_num) {
> +	if (
> +#ifdef HAVE_OPENSSL
> +            pj_ssl_cipher_get_availables(ciphers, &cipher_num) ||
> +#endif
> +            !cipher_num) {
>  		buf = NULL;
>  	} else {
>  		cipher_to_str(&buf, ciphers, cipher_num);
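Review bot: With HAVE_OPENSSL undefined the condition collapses to `!cipher_num`, and both `cipher_num` and `ciphers` are declared outside this hunk: if `cipher_num` carries no initializer there, the no-SSL path tests an indeterminate value, and `ciphers` becomes a local that is never read, which the dev-mode warnings will report. Initialising the count where it is declared (`= 0`, keeping its declared type) covers the first; for the second, wrapping the whole `if` line in `#ifdef HAVE_OPENSSL` with an `#else` arm that sets `buf = NULL;` directly avoids referencing the array at all on such builds. handle_pjsip_list_ciphers begins before this hunk.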
> {noformat}
> (Although that would break the possibility for someone to use gnutls — if that works at all, which I'm not sure it does.)
> In any case, without the above patch, res_pjsip.so fails to load because of the missing symbols.
> So either we should mandate libssl-dev (or libgnutls-dev?) or apply something like above.





