[Asterisk-code-review] Check for OpenSSL defines before trying to use them. (asterisk[certified/13.1])
Joshua Colp
asteriskteam at digium.com
Fri Feb 5 09:38:17 CST 2016
Joshua Colp has submitted this change and it was merged.
Change subject: Check for OpenSSL defines before trying to use them.
......................................................................
Check for OpenSSL defines before trying to use them.
The SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 defines did not exist prior
to OpenSSL version 1.0.1. A recent commit attempts to, by default, set
these options, which can cause problems on systems with older OpenSSL
installations.
This commit adds a configure script check for those defines and will not
attempt to make use of those if they do not exist. We will print a
warning urging the user to upgrade their OpenSSL installation if those
defines are not present.
Change-Id: I6a2eb9a43fd0738b404d8f6f2cf4b5c22d9d752d
---
M configure
M configure.ac
M include/asterisk/autoconfig.h.in
M main/tcptls.c
4 files changed, 116 insertions(+), 1 deletion(-)
Approvals:
Mark Michelson: Looks good to me, but someone else must approve
Anonymous Coward #1000019: Verified
Joshua Colp: Looks good to me, approved
diff --git a/configure b/configure
index 823e3cb..411e07c 100755
--- a/configure
+++ b/configure
@@ -1,5 +1,5 @@
#! /bin/sh
-# From configure.ac Revision: 425965 .
+# From configure.ac Revision.
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for asterisk trunk.
#
@@ -651,6 +651,8 @@
PBX_IXJUSER
GMIME_LIBS
GMIME_CFLAGS
+PBX_SSL_OP_NO_TLSV1_2
+PBX_SSL_OP_NO_TLSV1_1
OPENH323_BUILD
OPENH323_SUFFIX
OPENH323_LIBDIR
@@ -29852,6 +29854,102 @@
fi
+if test "$PBX_OPENSSL" = "1";
+then
+
+ if test "x${PBX_SSL_OP_NO_TLSV1_1}" != "x1"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_OP_NO_TLSv1_1 in openssl/ssl.h" >&5
+$as_echo_n "checking for SSL_OP_NO_TLSv1_1 in openssl/ssl.h... " >&6; }
+ saved_cppflags="${CPPFLAGS}"
+ if test "x${SSL_OP_NO_TLSV1_1_DIR}" != "x"; then
+ SSL_OP_NO_TLSV1_1_INCLUDE="-I${SSL_OP_NO_TLSV1_1_DIR}/include"
+ fi
+ CPPFLAGS="${CPPFLAGS} ${SSL_OP_NO_TLSV1_1_INCLUDE}"
+
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+ #include <openssl/ssl.h>
+int
+main ()
+{
+#if defined(SSL_OP_NO_TLSv1_1)
+ int foo = 0;
+ #else
+ int foo = bar;
+ #endif
+ 0
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ PBX_SSL_OP_NO_TLSV1_1=1
+
+$as_echo "#define HAVE_SSL_OP_NO_TLSV1_1 1" >>confdefs.h
+
+
+
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ CPPFLAGS="${saved_cppflags}"
+ fi
+
+
+
+ if test "x${PBX_SSL_OP_NO_TLSV1_2}" != "x1"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_OP_NO_TLSv1_2 in openssl/ssl.h" >&5
+$as_echo_n "checking for SSL_OP_NO_TLSv1_2 in openssl/ssl.h... " >&6; }
+ saved_cppflags="${CPPFLAGS}"
+ if test "x${SSL_OP_NO_TLSV1_2_DIR}" != "x"; then
+ SSL_OP_NO_TLSV1_2_INCLUDE="-I${SSL_OP_NO_TLSV1_2_DIR}/include"
+ fi
+ CPPFLAGS="${CPPFLAGS} ${SSL_OP_NO_TLSV1_2_INCLUDE}"
+
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+ #include <openssl/ssl.h>
+int
+main ()
+{
+#if defined(SSL_OP_NO_TLSv1_2)
+ int foo = 0;
+ #else
+ int foo = bar;
+ #endif
+ 0
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ PBX_SSL_OP_NO_TLSV1_2=1
+
+$as_echo "#define HAVE_SSL_OP_NO_TLSV1_2 1" >>confdefs.h
+
+
+
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ CPPFLAGS="${saved_cppflags}"
+ fi
+
+
+fi
+
if test "x${PBX_SRTP}" != "x1" -a "${USE_SRTP}" != "no"; then
pbxlibdir=""
diff --git a/configure.ac b/configure.ac
index 0b45e45..3a5b0a5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2265,6 +2265,12 @@
AST_EXT_LIB_CHECK([OPENSSL_EC], [ssl], [EC_KEY_new_by_curve_name], [openssl/ec.h], [-lcrypto])
fi
+if test "$PBX_OPENSSL" = "1";
+then
+ AST_C_DEFINE_CHECK([SSL_OP_NO_TLSV1_1], [SSL_OP_NO_TLSv1_1], [openssl/ssl.h])
+ AST_C_DEFINE_CHECK([SSL_OP_NO_TLSV1_2], [SSL_OP_NO_TLSv1_2], [openssl/ssl.h])
+fi
+
AST_EXT_LIB_CHECK([SRTP], [srtp], [srtp_init], [srtp/srtp.h])
if test "$PBX_SRTP" = "1";
diff --git a/include/asterisk/autoconfig.h.in b/include/asterisk/autoconfig.h.in
index 2752613..ad48c58 100644
--- a/include/asterisk/autoconfig.h.in
+++ b/include/asterisk/autoconfig.h.in
@@ -816,6 +816,12 @@
/* Define to 1 if you have the ISDN SS7 library. */
#undef HAVE_SS7
+/* Define if your system has the SSL_OP_NO_TLSV1_1 headers. */
+#undef HAVE_SSL_OP_NO_TLSV1_1
+
+/* Define if your system has the SSL_OP_NO_TLSV1_2 headers. */
+#undef HAVE_SSL_OP_NO_TLSV1_2
+
/* Define to 1 if `stat' has the bug that it succeeds when given the
zero-length file name argument. */
#undef HAVE_STAT_EMPTY_STRING_BUG
diff --git a/main/tcptls.c b/main/tcptls.c
index 2f51912..7a90fde 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -811,12 +811,17 @@
if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) {
ssl_opts |= SSL_OP_NO_TLSv1;
}
+#if defined(HAVE_SSL_OP_NO_TLSV1_1) && defined(HAVE_SSL_OP_NO_TLSV1_2)
if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) {
ssl_opts |= SSL_OP_NO_TLSv1_1;
}
if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) {
ssl_opts |= SSL_OP_NO_TLSv1_2;
}
+#else
+ ast_log(LOG_WARNING, "Your version of OpenSSL leaves you potentially vulnerable "
+ "to the SSL BEAST attack. Please upgrade to OpenSSL 1.0.1 or later\n");
+#endif
SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
--
To view, visit https://gerrit.asterisk.org/2205
To unsubscribe, visit https://gerrit.asterisk.org/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I6a2eb9a43fd0738b404d8f6f2cf4b5c22d9d752d
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: certified/13.1
Gerrit-Owner: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Anonymous Coward #1000019
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Mark Michelson <mmichelson at digium.com>
More information about the asterisk-code-review
mailing list