[asterisk-bugs] [JIRA] (ASTERISK-28933) res_pjsip.so fails to load when bundled pjproject is compiled without libssl
Asterisk Team (JIRA)
noreply at issues.asterisk.org
Thu Nov 12 06:54:15 CST 2020
[ https://issues.asterisk.org/jira/browse/ASTERISK-28933?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Asterisk Team updated ASTERISK-28933:
-------------------------------------
Target Release Version/s: 16.15.0
> res_pjsip.so fails to load when bundled pjproject is compiled without libssl
> ----------------------------------------------------------------------------
>
> Key: ASTERISK-28933
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-28933
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Resources/res_pjsip
> Affects Versions: 13.33.0
> Reporter: Walter Doekes
> Assignee: Unassigned
> Labels: patch
> Target Release: 16.15.0
>
> Attachments: no_libssl.patch
>
>
> Hi!
> This is really a theoretical issue. I wasn't planning on running a machine without libssl. But because this machine was so clean, I happened to notice this:
> If you compile libasteriskpj.so without libssl-dev, you get fewer symbols:
> {noformat}
> $ diff <(nm -D pj-13-with-ssl.so | awk '/ T /{print $3}') <(nm -D pj-13-without-ssl.so | awk '/ T /{print $3}') | awk '/^</{print $2}'
> pjsip_tls_setting_wipe_keys
> pjsip_tls_transport_lis_start
> pjsip_tls_transport_restart
> pjsip_tls_transport_start
> pjsip_tls_transport_start2
> pj_ssl_cert_info_dump
> pj_ssl_cert_load_from_buffer
> pj_ssl_cert_load_from_files
> pj_ssl_cert_load_from_files2
> pj_ssl_cert_wipe_keys
> pj_ssl_cipher_get_availables
> pj_ssl_cipher_id
> pj_ssl_cipher_is_supported
> pj_ssl_cipher_name
> pj_ssl_curve_get_availables
> pj_ssl_curve_id
> pj_ssl_curve_is_supported
> pj_ssl_curve_name
> pj_ssl_sock_close
> pj_ssl_sock_create
> pj_ssl_sock_get_info
> pj_ssl_sock_get_user_data
> pj_ssl_sock_renegotiate
> pj_ssl_sock_send
> pj_ssl_sock_sendto
> pj_ssl_sock_set_certificate
> pj_ssl_sock_set_user_data
> pj_ssl_sock_start_accept
> pj_ssl_sock_start_accept2
> pj_ssl_sock_start_connect
> pj_ssl_sock_start_connect2
> pj_ssl_sock_start_read
> pj_ssl_sock_start_read2
> pj_ssl_sock_start_recvfrom
> pj_ssl_sock_start_recvfrom2
> pj_turn_sock_tls_cfg_default
> pj_turn_sock_tls_cfg_dup
> pj_turn_sock_tls_cfg_wipe_keys
> {noformat}
> These are only built when:
> {noformat}
> #if defined(PJ_HAS_SSL_SOCK) && PJ_HAS_SSL_SOCK!=0
> {noformat}
> And that is not the case when there is no libssl-dev nor libgnutls-dev.
> The relevant functions are (only) called here:
> {noformat}
> $ wgrep asterisk-rw-13.git/ -E '^pjsip_tls_setting_wipe_keys|pjsip_tls_transport_lis_start|pjsip_tls_transport_restart|pjsip_tls_transport_start|pjsip_tls_transport_start2|pj_ssl_cert_info_dump|pj_ssl_cert_load_from_buffer|pj_ssl_cert_load_from_files|pj_ssl_cert_load_from_files2|pj_ssl_cert_wipe_keys|pj_ssl_cipher_get_availables|pj_ssl_cipher_id|pj_ssl_cipher_is_supported|pj_ssl_cipher_name|pj_ssl_curve_get_availables|pj_ssl_curve_id|pj_ssl_curve_is_supported|pj_ssl_curve_name|pj_ssl_sock_close|pj_ssl_sock_create|pj_ssl_sock_get_info|pj_ssl_sock_get_user_data|pj_ssl_sock_renegotiate|pj_ssl_sock_send|pj_ssl_sock_sendto|pj_ssl_sock_set_certificate|pj_ssl_sock_set_user_data|pj_ssl_sock_start_accept|pj_ssl_sock_start_accept2|pj_ssl_sock_start_connect|pj_ssl_sock_start_connect2|pj_ssl_sock_start_read|pj_ssl_sock_start_read2|pj_ssl_sock_start_recvfrom|pj_ssl_sock_start_recvfrom2|pj_turn_sock_tls_cfg_default|pj_turn_sock_tls_cfg_dup|pj_turn_sock_tls_cfg_wipe_keys$' | grep -vF /third-party/
> asterisk-rw-13.git/res/res_pjsip/config_transport.c: res = pjsip_tls_transport_start2(ast_sip_get_pjsip_endpoint(), &temp_state->state->tls,
> asterisk-rw-13.git/res/res_pjsip/config_transport.c: if (pj_ssl_cipher_get_availables(ciphers, &cipher_num)) {
> asterisk-rw-13.git/res/res_pjsip/config_transport.c: const char *pos_name = pj_ssl_cipher_name(ciphers[pos]);
> asterisk-rw-13.git/res/res_pjsip/config_transport.c: if (pj_ssl_cipher_is_supported(cipher)) {
> asterisk-rw-13.git/res/res_pjsip/config_transport.c: ast_str_append(&str, 0, "%s", pj_ssl_cipher_name(ciphers[idx]));
> asterisk-rw-13.git/res/res_pjsip/config_transport.c: if (pj_ssl_cipher_get_availables(ciphers, &cipher_num) || !cipher_num) {
> {noformat}
> That is, only {{res/res_pjsip/config_transport.c}} and only:
> {noformat}
> pjsip_tls_transport_start2
> pj_ssl_cipher_get_availables
> pj_ssl_cipher_name
> pj_ssl_cipher_is_supported
> {noformat}
> And could be fixed with something like:
> {noformat}
> diff --git a/res/res_pjsip/config_transport.c b/res/res_pjsip/config_transport.c
> index d2993401fc..6596a87643 100644
> --- a/res/res_pjsip/config_transport.c
> +++ b/res/res_pjsip/config_transport.c
> @@ -618,6 +618,7 @@ static int transport_apply(const struct ast_sorcery *sorcery, void *obj)
> res = pjsip_tcp_transport_start3(ast_sip_get_pjsip_endpoint(), &cfg,
> &temp_state->state->factory);
> }
> +#ifdef HAVE_OPENSSL
> } else if (transport->type == AST_TRANSPORT_TLS) {
> static int option = 1;
>
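Review bot: With `HAVE_OPENSSL` undefined, the `AST_TRANSPORT_TLS` arm that starts here (and is closed by the `#endif` in the next hunk) disappears, so a transport configured as TLS matches none of the arms visible in these hunks. The outcome then depends on whatever `res` held before the chain, which is set outside the hunk, so apply may report success while no TLS listener exists. I would keep the type test in an `#else` arm that fails loudly, e.g. `ast_log(LOG_ERROR, "TLS transport configured but TLS support is not compiled in\n");` followed by the function's normal error return. `transport_apply` begins and ends outside this hunk, so the exact error path needs checking against the full body.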
> @@ -648,6 +649,7 @@ static int transport_apply(const struct ast_sorcery *sorcery, void *obj)
> &temp_state->state->host, NULL, transport->async_operations,
> &temp_state->state->factory);
> }
> +#endif
> } else if ((transport->type == AST_TRANSPORT_WS) || (transport->type == AST_TRANSPORT_WSS)) {
> if (transport->cos || transport->tos) {
> ast_log(LOG_WARNING, "TOS and COS values ignored for websocket transport\n");
> @@ -977,6 +979,7 @@ static int tls_method_to_str(const void *obj, const intptr_t *args, char **buf)
> return 0;
> }
>
> +#ifdef HAVE_OPENSSL
> /*! \brief Helper function which turns a cipher name into an identifier */
> static pj_ssl_cipher cipher_name_to_id(const char *name)
> {
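Review bot: The guard added here tests `HAVE_OPENSSL`, as do the matching guards in the `transport_apply`, `transport_cipher_add`, `cipher_to_str` and `handle_pjsip_list_ciphers` hunks. The symbols in question are, per the text above, compiled under `#if defined(PJ_HAS_SSL_SOCK) && PJ_HAS_SSL_SOCK!=0`. `HAVE_OPENSSL` looks like Asterisk's own configure result rather than pjproject's, so the two can disagree, and a build where Asterisk finds OpenSSL but pjproject was built without an SSL socket would still hit the unresolved symbols. Testing the pjproject macro directly, `#if defined(PJ_HAS_SSL_SOCK) && PJ_HAS_SSL_SOCK != 0`, ties the guard to the condition that actually decides whether the functions exist, assuming the pjproject configuration header is visible in this file. `cipher_name_to_id` continues past the end of this hunk.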
> @@ -997,6 +1000,7 @@ static pj_ssl_cipher cipher_name_to_id(const char *name)
>
> return 0;
> }
> +#endif
>
> /*!
> * \internal
> @@ -1010,6 +1014,7 @@ static pj_ssl_cipher cipher_name_to_id(const char *name)
> */
> static int transport_cipher_add(struct ast_sip_transport_state *state, const char *name)
> {
> +#ifdef HAVE_OPENSSL
> pj_ssl_cipher cipher;
> int idx;
>
> @@ -1033,10 +1038,10 @@ static int transport_cipher_add(struct ast_sip_transport_state *state, const cha
> }
> state->ciphers[state->tls.ciphers_num++] = cipher;
> return 0;
> - } else {
> + }
> +#endif
> ast_log(LOG_ERROR, "Cipher '%s' is unsupported\n", name);
> return -1;
> - }
> }
>
> /*! \brief Custom handler for TLS cipher setting */
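Review bot: In a build where the guard is false, every configured cipher falls straight through to `Cipher '%s' is unsupported`, which points the operator at the cipher name rather than at the missing TLS backend. A separate message in an `#else` arm, e.g. `ast_log(LOG_ERROR, "Cipher '%s' rejected: TLS support is not compiled in\n", name);` followed by `return -1;`, makes the cause obvious in the log. `state` is also unused in that configuration, which may produce an unused-parameter warning depending on the build flags. The function starts in the previous hunk.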
> @@ -1079,7 +1084,13 @@ static void cipher_to_str(char **buf, const pj_ssl_cipher *ciphers, unsigned int
> }
>
> for (idx = 0; idx < cipher_num; ++idx) {
> - ast_str_append(&str, 0, "%s", pj_ssl_cipher_name(ciphers[idx]));
> + ast_str_append(&str, 0, "%s",
> +#ifdef HAVE_OPENSSL
> + pj_ssl_cipher_name(ciphers[idx])
> +#else
> + "<OPENSSL_MISSING>"
> +#endif
> + );
> if (idx < cipher_num - 1) {
> ast_str_append(&str, 0, ", ");
> }
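Review bot: Splicing `#ifdef`/`#else`/`#endif` into the argument list of `ast_str_append()` here, and into the `if (...)` condition in the `handle_pjsip_list_ciphers` hunk, makes both statements hard to read. It is also undefined behaviour if `ast_str_append` is ever a function-like macro, since preprocessor directives are not allowed inside macro arguments. A small file-local helper would keep the conditional in one place and leave this call as a plain one-liner. For example, a `static const char *` function could take a `pj_ssl_cipher` and return either `pj_ssl_cipher_name(id)` or the placeholder string. `cipher_to_str` begins before and continues after this hunk.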
> @@ -1118,7 +1129,11 @@ static char *handle_pjsip_list_ciphers(struct ast_cli_entry *e, int cmd, struct
> return NULL;
> }
>
> - if (pj_ssl_cipher_get_availables(ciphers, &cipher_num) || !cipher_num) {
> + if (
> +#ifdef HAVE_OPENSSL
> + pj_ssl_cipher_get_availables(ciphers, &cipher_num) ||
> +#endif
> + !cipher_num) {
> buf = NULL;
> } else {
> cipher_to_str(&buf, ciphers, cipher_num);
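Review bot: With the guard false the condition reduces to `!cipher_num`, and `cipher_num` is assigned outside this hunk. If it is pre-loaded with the capacity of `ciphers` before the call, as an in/out count argument usually is, the `else` arm runs and `cipher_to_str()` is handed an array that nothing has filled. The CLI would then print a list of placeholder names rather than reporting that no ciphers are available. Setting the result explicitly for the non-TLS build, e.g. `buf = NULL;` under `#else`, avoids depending on that initial value. The function begins before and continues after this hunk.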
> {noformat}
> (Although that would remove the possibility of using gnutls instead, if that works at all, which I'm not sure it does.)
> In any case, without the above patch, res_pjsip.so fails to load because of the missing symbols.
> So either we should mandate libssl-dev (or libgnutls-dev?) or apply something like the above.