From: David Woodhouse
Date: Fri, 31 May 2013 13:54:46 +0000 (+0100)
Subject: Check for broken OpenSSL versions at configure time
X-Git-Tag: v5.01~5
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=a899e355aa223d1872367c813637ebdf43558ef9;p=users%2Fdwmw2%2Fopenconnect.git

Check for broken OpenSSL versions at configure time

Signed-off-by: David Woodhouse
---
diff --git a/configure.ac b/configure.ac
index ee8d4dcf..f4ee7dc7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -388,6 +388,7 @@ case "$ssl_library" in
 AC_SUBST(SSL_LIBRARY, [gnutls])
 AC_SUBST(SSL_LIBS, ['$(GNUTLS_LIBS)'])
 AC_SUBST(SSL_CFLAGS, ['$(GNUTLS_CFLAGS)'])
+ check_openssl_dtls=no
 ;;
 openssl)
 AC_DEFINE(OPENCONNECT_OPENSSL, 1)
@@ -396,6 +397,7 @@ case "$ssl_library" in
 AC_SUBST(SSL_LIBS, ['$(OPENSSL_LIBS)'])
 AC_SUBST(SSL_CFLAGS, ['$(OPENSSL_CFLAGS)'])
 AC_SUBST(SYMVER_PRINT_ERR, ["openconnect_print_err_cb;"])
+ check_openssl_dtls=yes
 ;;
 both)
 # GnuTLS for TCP, OpenSSL for DTLS
@@ -407,6 +409,7 @@ case "$ssl_library" in
 AC_SUBST(DTLS_SSL_LIBS, ['$(OPENSSL_LIBS)'])
 AC_SUBST(DTLS_SSL_CFLAGS, ['$(OPENSSL_CFLAGS)'])
 AC_SUBST(SYMVER_PRINT_ERR, ["openconnect_print_err_cb;"])
+ check_openssl_dtls=yes
 ;;
 *)
 AC_MSG_ERROR([Neither OpenSSL nor GnuTLS selected for SSL.])
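Review bot: `check_openssl_dtls` is assigned separately in every branch of the case (the three `+ check_openssl_dtls=...` lines across these hunks), which leaves it unset if a branch added later forgets it; setting `check_openssl_dtls=no` once before the `case "$ssl_library" in` line (outside these hunks) and keeping only the two `yes` assignments in the openssl and both branches makes the default explicit. This is a point of style only, since the later `test "$check_openssl_dtls" = "yes"` treats an empty value the same as no.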
@@ -415,6 +418,30 @@ esac
 AM_CONDITIONAL(OPENCONNECT_GNUTLS, [ test "$ssl_library" != "openssl" ])
 AM_CONDITIONAL(OPENCONNECT_OPENSSL, [ test "$ssl_library" = "openssl" ])
 
+AC_ARG_WITH([openssl-version-check],
+ AS_HELP_STRING([--without-openssl-version-check],
+ [Do not check for known-broken OpenSSL versions]))
+if test "$with_openssl_version_check" = "no"; then
+ check_openssl_dtls=no
+fi
+
+if test "$check_openssl_dtls" = "yes"; then
+ AC_MSG_CHECKING([for known-broken versions of OpenSSL])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include ],[#if \
+ (OPENSSL_VERSION_NUMBER == 0x10002000L || \
+ (OPENSSL_VERSION_NUMBER >= 0x100000b0L && OPENSSL_VERSION_NUMBER <= 0x100000c0L) || \
+ (OPENSSL_VERSION_NUMBER >= 0x10001040L && OPENSSL_VERSION_NUMBER <= 0x10001060L))
+ #error Bad OpenSSL
+ #endif
+ ])],
+ [AC_MSG_RESULT(no)],
+ [AC_MSG_RESULT(yes)
+ AC_ERROR([This version of OpenSSL is known to be broken with Cisco DTLS.
+See http://rt.openssl.org/Ticket/Display.html?id=2984&user=guest&pass=guest
+Add --without-openssl-version-check to configure args to avoid this check, or
+perhaps consider building with GnuTLS instead.])])
+fi
+
 # Needs to happen after we default to static/shared libraries based on OpenSSL
 AC_PROG_LIBTOOL
 if test "$use_openbsd_libtool" = "true" && test -x /usr/bin/libtool; then
diff --git a/dtls.c b/dtls.c
index 221e7482..6eeb686a 100644
--- a/dtls.c
+++ b/dtls.c
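Review bot: The AC_COMPILE_IFELSE probe reports "yes" on any compile failure, so if the OpenSSL header is not on the preprocessor's include path at this point (the hunk does not add the OpenSSL include flags to CPPFLAGS before the probe), configure aborts with the misleading "known to be broken with Cisco DTLS" message rather than reporting a missing header. Wrapping the probe with `save_CPPFLAGS="$CPPFLAGS"` and `CPPFLAGS="$CPPFLAGS $OPENSSL_CFLAGS"` before AC_MSG_CHECKING and `CPPFLAGS="$save_CPPFLAGS"` after the matching fi avoids that, assuming OPENSSL_CFLAGS is the shell variable behind the `$(OPENSSL_CFLAGS)` substitution seen earlier in the diff. AC_ERROR is an obsolete autoconf macro and the rest of this file uses AC_MSG_ERROR (see the `*)` branch in the first file section), so `AC_MSG_ERROR([...])` keeps the error handling consistent. The probe inspects OPENSSL_VERSION_NUMBER from the headers only; a short comment such as `# Header-only check: the library linked at run time may still differ` would stop readers from assuming it guards the installed library. Since this replaces the NO_BROKEN_DTLS_CHECK escape hatch removed from dtls.c, the --without-openssl-version-check option deserves a mention in the changelog or README for users who had the old define in CFLAGS.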
@@ -116,19 +116,6 @@ int RAND_bytes(char *buf, int len)
 extern void dtls1_stop_timer(SSL *);
 #endif
 
-#if !defined(NO_BROKEN_DTLS_CHECK) && (OPENSSL_VERSION_NUMBER == 0x10002000L || \
- (OPENSSL_VERSION_NUMBER >= 0x100000b0L && OPENSSL_VERSION_NUMBER <= 0x100000c0L) || \
- (OPENSSL_VERSION_NUMBER >= 0x10001040L && OPENSSL_VERSION_NUMBER <= 0x10001060L))
-/*
- * If you've fixed the bug in your version of OpenSSL by applying the patch from
- * http://rt.openssl.org/Ticket/Display.html?id=2984&user=guest&pass=guest then
- * you can happily define NO_BROKEN_DTLS_CHECK to avoid this #error. Note that
- * GnuTLS from 3.0.21 onwards has DTLS support so perhaps you should be using
- * that instead?
- */
-#error This version of OpenSSL is known to be broken with Cisco DTLS.
-#endif
-
 static int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
 {
 STACK_OF(SSL_CIPHER) *ciphers;