From: Mark Michelson Date: Thu, 4 Feb 2016 22:17:55 +0000 (-0600) Subject: Check for OpenSSL defines before trying to use them. X-Git-Tag: certified/13.1-cert4~7 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=59ccc89054dd3f8e535f2c183a68955c87af0e10;p=thirdparty%2Fasterisk.git Check for OpenSSL defines before trying to use them. The SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 defines did not exist prior to OpenSSL version 1.0.1. A recent commit attempts to, by default, set these options, which can cause problems on systems with older OpenSSL installations. This commit adds a configure script check for those defines and will not attempt to make use of those if they do not exist. We will print a warning urging the user to upgrade their OpenSSL installation if those defines are not present. Change-Id: I6a2eb9a43fd0738b404d8f6f2cf4b5c22d9d752d --- diff --git a/configure b/configure index 823e3cbb9e..411e07cdd6 100755 --- a/configure +++ b/configure @@ -1,5 +1,5 @@ #! /bin/sh -# From configure.ac Revision: 425965 . +# From configure.ac Revision. # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.69 for asterisk trunk. # @@ -651,6 +651,8 @@ PBX_MSG_NOSIGNAL PBX_IXJUSER GMIME_LIBS GMIME_CFLAGS +PBX_SSL_OP_NO_TLSV1_2 +PBX_SSL_OP_NO_TLSV1_1 OPENH323_BUILD OPENH323_SUFFIX OPENH323_LIBDIR @@ -29850,6 +29852,102 @@ _ACEOF fi +fi + +if test "$PBX_OPENSSL" = "1"; +then + + if test "x${PBX_SSL_OP_NO_TLSV1_1}" != "x1"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_OP_NO_TLSv1_1 in openssl/ssl.h" >&5 +$as_echo_n "checking for SSL_OP_NO_TLSv1_1 in openssl/ssl.h... " >&6; } + saved_cppflags="${CPPFLAGS}" + if test "x${SSL_OP_NO_TLSV1_1_DIR}" != "x"; then + SSL_OP_NO_TLSV1_1_INCLUDE="-I${SSL_OP_NO_TLSV1_1_DIR}/include" + fi + CPPFLAGS="${CPPFLAGS} ${SSL_OP_NO_TLSV1_1_INCLUDE}" + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ +#if defined(SSL_OP_NO_TLSv1_1) + int foo = 0; + #else + int foo = bar; + #endif + 0 + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + PBX_SSL_OP_NO_TLSV1_1=1 + +$as_echo "#define HAVE_SSL_OP_NO_TLSV1_1 1" >>confdefs.h + + + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CPPFLAGS="${saved_cppflags}" + fi + + + + if test "x${PBX_SSL_OP_NO_TLSV1_2}" != "x1"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_OP_NO_TLSv1_2 in openssl/ssl.h" >&5 +$as_echo_n "checking for SSL_OP_NO_TLSv1_2 in openssl/ssl.h... " >&6; } + saved_cppflags="${CPPFLAGS}" + if test "x${SSL_OP_NO_TLSV1_2_DIR}" != "x"; then + SSL_OP_NO_TLSV1_2_INCLUDE="-I${SSL_OP_NO_TLSV1_2_DIR}/include" + fi + CPPFLAGS="${CPPFLAGS} ${SSL_OP_NO_TLSV1_2_INCLUDE}" + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ +#if defined(SSL_OP_NO_TLSv1_2) + int foo = 0; + #else + int foo = bar; + #endif + 0 + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + PBX_SSL_OP_NO_TLSV1_2=1 + +$as_echo "#define HAVE_SSL_OP_NO_TLSV1_2 1" >>confdefs.h + + + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CPPFLAGS="${saved_cppflags}" + fi + + fi diff --git a/configure.ac b/configure.ac index 0b45e454bd..3a5b0a56b0 100644 --- a/configure.ac +++ b/configure.ac @@ -2265,6 +2265,12 @@ then AST_EXT_LIB_CHECK([OPENSSL_EC], [ssl], [EC_KEY_new_by_curve_name], [openssl/ec.h], [-lcrypto]) fi +if test "$PBX_OPENSSL" = "1"; +then + AST_C_DEFINE_CHECK([SSL_OP_NO_TLSV1_1], [SSL_OP_NO_TLSv1_1], [openssl/ssl.h]) + AST_C_DEFINE_CHECK([SSL_OP_NO_TLSV1_2], [SSL_OP_NO_TLSv1_2], [openssl/ssl.h]) +fi + AST_EXT_LIB_CHECK([SRTP], [srtp], [srtp_init], [srtp/srtp.h]) if test "$PBX_SRTP" = "1"; diff --git a/include/asterisk/autoconfig.h.in b/include/asterisk/autoconfig.h.in index 2752613716..ad48c5859e 100644 --- a/include/asterisk/autoconfig.h.in +++ b/include/asterisk/autoconfig.h.in @@ -816,6 +816,12 @@ /* Define to 1 if you have the ISDN SS7 library. */ #undef HAVE_SS7 +/* Define if your system has the SSL_OP_NO_TLSV1_1 headers. */ +#undef HAVE_SSL_OP_NO_TLSV1_1 + +/* Define if your system has the SSL_OP_NO_TLSV1_2 headers. */ +#undef HAVE_SSL_OP_NO_TLSV1_2 + /* Define to 1 if `stat' has the bug that it succeeds when given the zero-length file name argument. */ #undef HAVE_STAT_EMPTY_STRING_BUG diff --git a/main/tcptls.c b/main/tcptls.c index 2f5191202b..7a90fde1f0 100644 --- a/main/tcptls.c +++ b/main/tcptls.c @@ -811,12 +811,17 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client) if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) { ssl_opts |= SSL_OP_NO_TLSv1; } +#if defined(HAVE_SSL_OP_NO_TLSV1_1) && defined(HAVE_SSL_OP_NO_TLSV1_2) if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) { ssl_opts |= SSL_OP_NO_TLSv1_1; } if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) { ssl_opts |= SSL_OP_NO_TLSv1_2; } +#else + ast_log(LOG_WARNING, "Your version of OpenSSL leaves you potentially vulnerable " + "to the SSL BEAST attack. Please upgrade to OpenSSL 1.0.1 or later\n"); +#endif SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);