[asterisk-bugs] [JIRA] (ASTERISK-27910) [patch] res_rtp_asterisk: Allow OpenSSL configured with no-deprecated.

Alexander Traud (JIRA) noreply at issues.asterisk.org
Fri Jun 8 14:51:54 CDT 2018 

Alexander Traud created ASTERISK-27910:
------------------------------------------

             Summary: [patch] res_rtp_asterisk: Allow OpenSSL configured with no-deprecated.
                 Key: ASTERISK-27910
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27910
             Project: Asterisk
          Issue Type: Improvement
      Security Level: None
          Components: Resources/res_rtp_asterisk
    Affects Versions: 15.4.0, 13.21.0
            Reporter: Alexander Traud
            Severity: Minor


When OpenSSL is built from source, options can be configured. One option is to build without anything deprecated. This is the best option to test forward compatibility. However, this reveals that Asterisk did not include the used OpenSSL headers correctly. In case of the module {{res_rtp_asterisk}}, the header {{openssl/dh.h}} (Asterisk 13) and {{openssl/bn.h}} (Asterisk 15) was missing.

*Steps to reproduce* (Ubuntu 18.04 LTS){code}
sudo apt install build-essential pkg-config libedit-dev libjansson-dev libsqlite3-dev uuid-dev libxslt1-dev
sudo apt install libssl-dev
cd ~/Downloads
wget www.openssl.org/source/openssl-1.1.0h.tar.gz
tar -zxf ./openssl-*.tar.gz
cd ./openssl-*
./config shared no-deprecated
make
export SSL_HOME=$PWD
cd ~/Downloads
wget downloads.asterisk.org/pub/telephony/asterisk/asterisk-13-current.tar.gz
tar -zxf ./asterisk-*.tar.gz
cd ./asterisk-*
LDFLAGS="-Wl,-rpath $SSL_HOME" ./configure --with-crypto=$SSL_HOME --with-ssl=$SSL_HOME
make{code}OpenSSL headers in the system were required {{sudo apt install libssl-dev}} because in Asterisk {{--with-ssl}} does not work correctly, yet. See ASTERISK-27865 and its section Notes whether this is still needed. 

This issue was caused by Commit [04d3785|https://github.com/asterisk/asterisk/commit/04d3785a798e984a5f5d43ec5f124a9b30a58b9e#diff-a618fa70209ab9240777e52ccf1d62b4] (ASTERISK-27395) and Commit [85212f2|https://github.com/asterisk/asterisk/commit/85212f2799bfda8b40f9261de6a874e0f7c77428#diff-a618fa70209ab9240777e52ccf1d62b4] (ASTERISK-25659). Consequently, I introduced this issue myself. I thought, OpenSSL uses a swallow header concept like PJProject - you include a header and it includes near to everything. However, instead, I should have looked up the man page for each symbol used. That way, I would have learned about the required header.

Anyway, the attached patch adds just the header, which the compiler asks for. The change does not update the whole list of headers (or the list of OpenSSL headers). This is because the module {{res_rtp_asterisk}} is large and [iwyu|https://issues.asterisk.org/jira/browse/ASTERISK-25591] reports a tremendous number of missing headers. Furthermore, the change is already complex enough because {{openssl/dh.h}} is not part of OpenSSL when configured with {{no-dh}}, see ASTERISK-27876.

The attached patch removes HAVE_OPENSSL_EC, because that guard was too broad (included DH and EC related code) and was done via the script {{./configure}} instead directly via the OpenSSL configuration. The patch guards only that part which must be guarded, when OpenSSL was configured with no-ec or no-ecdh. Finally, that patch enables the named-curves X25519 (since OpenSSL 1.1.0) and X448 (since OpenSSL 1.1.1), because {{SSL_CTRL_SET_ECDH_AUTO}} got enabled on default, that symbol got removed and {{SSL_CTX_ctrl}} returns an error now. Because of that, just the named-curve P-256 was set, which disabled X25519 (and X448).



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list