Check for broken OpenSSL versions at configure time
authorDavid Woodhouse <David.Woodhouse@intel.com>
Fri, 31 May 2013 13:54:46 +0000 (14:54 +0100)
committerDavid Woodhouse <David.Woodhouse@intel.com>
Fri, 31 May 2013 13:54:46 +0000 (14:54 +0100)
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
configure.ac
dtls.c

index ee8d4dcfb9f72839ef774484f3182e07f6c38c53..f4ee7dc79492c92c96680994062219270f04866d 100644 (file)
@@ -388,6 +388,7 @@ case "$ssl_library" in
        AC_SUBST(SSL_LIBRARY, [gnutls])
        AC_SUBST(SSL_LIBS, ['$(GNUTLS_LIBS)'])
        AC_SUBST(SSL_CFLAGS, ['$(GNUTLS_CFLAGS)'])
+       check_openssl_dtls=no
        ;;
     openssl)
        AC_DEFINE(OPENCONNECT_OPENSSL, 1)
@@ -396,6 +397,7 @@ case "$ssl_library" in
        AC_SUBST(SSL_LIBS, ['$(OPENSSL_LIBS)'])
        AC_SUBST(SSL_CFLAGS, ['$(OPENSSL_CFLAGS)'])
        AC_SUBST(SYMVER_PRINT_ERR, ["openconnect_print_err_cb;"])
+       check_openssl_dtls=yes
        ;;
     both)
        # GnuTLS for TCP, OpenSSL for DTLS
@@ -407,6 +409,7 @@ case "$ssl_library" in
        AC_SUBST(DTLS_SSL_LIBS, ['$(OPENSSL_LIBS)'])
        AC_SUBST(DTLS_SSL_CFLAGS, ['$(OPENSSL_CFLAGS)'])
        AC_SUBST(SYMVER_PRINT_ERR, ["openconnect_print_err_cb;"])
+       check_openssl_dtls=yes
        ;;
     *)
        AC_MSG_ERROR([Neither OpenSSL nor GnuTLS selected for SSL.])
@@ -415,6 +418,30 @@ esac
 AM_CONDITIONAL(OPENCONNECT_GNUTLS,  [ test "$ssl_library" != "openssl" ])
 AM_CONDITIONAL(OPENCONNECT_OPENSSL, [ test "$ssl_library" = "openssl" ])
 
+AC_ARG_WITH([openssl-version-check],
+       AS_HELP_STRING([--without-openssl-version-check],
+       [Do not check for known-broken OpenSSL versions]))
+if test "$with_openssl_version_check" = "no"; then
+   check_openssl_dtls=no
+fi
+
+if test "$check_openssl_dtls" = "yes"; then
+       AC_MSG_CHECKING([for known-broken versions of OpenSSL])
+       AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <openssl/opensslv.h>],[#if \
+                                   (OPENSSL_VERSION_NUMBER == 0x10002000L || \
+                                   (OPENSSL_VERSION_NUMBER >= 0x100000b0L && OPENSSL_VERSION_NUMBER <= 0x100000c0L) || \
+                                   (OPENSSL_VERSION_NUMBER >= 0x10001040L && OPENSSL_VERSION_NUMBER <= 0x10001060L))
+                               #error Bad OpenSSL
+                               #endif
+                               ])],
+                         [AC_MSG_RESULT(no)],
+                         [AC_MSG_RESULT(yes)
+                          AC_ERROR([This version of OpenSSL is known to be broken with Cisco DTLS.
+See http://rt.openssl.org/Ticket/Display.html?id=2984&user=guest&pass=guest
+Add --without-openssl-version-check to configure args to avoid this check, or
+perhaps consider building with GnuTLS instead.])])
+fi
+
 # Needs to happen after we default to static/shared libraries based on OpenSSL
 AC_PROG_LIBTOOL
 if test "$use_openbsd_libtool" = "true" && test -x /usr/bin/libtool; then
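Review bot: The failure branch of the new AC_COMPILE_IFELSE probe reports "yes" (known-broken) for any compile failure, yet the probe is compiled with the bare CPPFLAGS rather than the `$OPENSSL_CFLAGS` that the `openssl` and `both` cases hand to the build via SSL_CFLAGS/DTLS_SSL_CFLAGS; if those flags carry the -I for a non-default OpenSSL prefix, `<openssl/opensslv.h>` is simply not found and configure aborts with the misleading "known to be broken with Cisco DTLS" message. Temporarily adding `$OPENSSL_CFLAGS` to CPPFLAGS around the probe (and restoring it afterwards) makes the test inspect the same headers the build will. Separately, `AC_ERROR` in the failure branch is the obsolete spelling; the `*)` case of the preceding `case` statement already uses `AC_MSG_ERROR`, so this should too. Note also that this check, like the `#error` it replaces in dtls.c, keys only off OPENSSL_VERSION_NUMBER in the build-time headers, so a different shared libssl picked up at run time is not covered — worth a one-line comment above the check.
```m4
	save_CPPFLAGS="$CPPFLAGS"
	CPPFLAGS="$CPPFLAGS $OPENSSL_CFLAGS"
	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include <openssl/opensslv.h>],[#if \
	dnl … unchanged: OPENSSL_VERSION_NUMBER range test …
	                               ])],
	                  [AC_MSG_RESULT(no)],
	                  [AC_MSG_RESULT(yes)
	                   AC_MSG_ERROR([This version of OpenSSL is known to be broken with Cisco DTLS.
	dnl … unchanged: rest of the error message …
	])])
	CPPFLAGS="$save_CPPFLAGS"
```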
diff --git a/dtls.c b/dtls.c
index 221e7482b8553d4375da609d81f981a70e8da4ac..6eeb686a26ce3a689fa7962276da8dcc94d58d52 100644 (file)
--- a/dtls.c
+++ b/dtls.c
@@ -116,19 +116,6 @@ int RAND_bytes(char *buf, int len)
 extern void dtls1_stop_timer(SSL *);
 #endif
 
-#if !defined(NO_BROKEN_DTLS_CHECK) && (OPENSSL_VERSION_NUMBER == 0x10002000L || \
-    (OPENSSL_VERSION_NUMBER >= 0x100000b0L && OPENSSL_VERSION_NUMBER <= 0x100000c0L) || \
-    (OPENSSL_VERSION_NUMBER >= 0x10001040L && OPENSSL_VERSION_NUMBER <= 0x10001060L))
-/*
- * If you've fixed the bug in your version of OpenSSL by applying the patch from
- * http://rt.openssl.org/Ticket/Display.html?id=2984&user=guest&pass=guest then
- * you can happily define NO_BROKEN_DTLS_CHECK to avoid this #error. Note that
- * GnuTLS from 3.0.21 onwards has DTLS support so perhaps you should be using
- * that instead?
- */
-#error This version of OpenSSL is known to be broken with Cisco DTLS.
-#endif
-
 static int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
 {
        STACK_OF(SSL_CIPHER) *ciphers;