[asterisk-bugs] [JIRA] (ASTERISK-27910) [patch] res_rtp_asterisk: Allow OpenSSL configured with no-deprecated.

Tue Jun 12 07:19:56 CDT 2018

     [ https://issues.asterisk.org/jira/browse/ASTERISK-27910?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joshua Colp updated ASTERISK-27910:
-----------------------------------

    Status: Open  (was: Triage)

> [patch] res_rtp_asterisk: Allow OpenSSL configured with no-deprecated.
> ----------------------------------------------------------------------
>
>                 Key: ASTERISK-27910
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27910
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Resources/res_rtp_asterisk
>    Affects Versions: 13.21.0, 15.4.0
>            Reporter: Alexander Traud
>            Severity: Minor
>              Labels: patch
>         Attachments: no-deprecated_rtp_13.patch, no-deprecated_rtp_15.patch
>
>
> When OpenSSL is built from source, options can be configured. One option is to build without anything deprecated. This is the best option to test forward compatibility. However, this reveals that Asterisk did not include the used OpenSSL headers correctly. In case of the module {{res_rtp_asterisk}}, the header {{openssl/dh.h}} (Asterisk 13) and {{openssl/bn.h}} (Asterisk 15) was missing.
> *Steps to reproduce* (Ubuntu 18.04 LTS){code}
> sudo apt install build-essential pkg-config libedit-dev libjansson-dev libsqlite3-dev uuid-dev libxslt1-dev
> sudo apt install libssl-dev
> cd ~/Downloads
> wget www.openssl.org/source/openssl-1.1.0h.tar.gz
> tar -zxf ./openssl-*.tar.gz
> cd ./openssl-*
> ./config shared no-deprecated
> make
> export SSL_HOME=$PWD
> cd ~/Downloads
> wget downloads.asterisk.org/pub/telephony/asterisk/asterisk-13-current.tar.gz
> tar -zxf ./asterisk-*.tar.gz
> cd ./asterisk-*
> LDFLAGS="-Wl,-rpath $SSL_HOME" ./configure --with-crypto=$SSL_HOME --with-ssl=$SSL_HOME
> make{code}OpenSSL headers in the system were required {{sudo apt install libssl-dev}} because in Asterisk {{--with-ssl}} does not work correctly, yet. See ASTERISK-27865 and its section Notes whether this is still needed. 
> This issue was caused by Commit [04d3785|https://github.com/asterisk/asterisk/commit/04d3785a798e984a5f5d43ec5f124a9b30a58b9e#diff-a618fa70209ab9240777e52ccf1d62b4] (ASTERISK-27395) and Commit [85212f2|https://github.com/asterisk/asterisk/commit/85212f2799bfda8b40f9261de6a874e0f7c77428#diff-a618fa70209ab9240777e52ccf1d62b4] (ASTERISK-25659). Consequently, I introduced this issue myself. I thought, OpenSSL uses a swallow header concept like PJProject - you include a header and it includes near to everything. However, instead, I should have looked up the man page for each symbol used. That way, I would have learned about the required header.
> Anyway, the attached patch adds just the header, which the compiler asks for. The change does not update the whole list of headers (or the list of OpenSSL headers). This is because the module {{res_rtp_asterisk}} is large and [iwyu|https://issues.asterisk.org/jira/browse/ASTERISK-25591] reports a tremendous number of missing headers. Furthermore, the change is already complex enough because {{openssl/dh.h}} is not part of OpenSSL when configured with {{no-dh}}, see ASTERISK-27876.
> The attached patch removes HAVE_OPENSSL_EC, because that guard was too broad (included DH and EC related code) and was done via the script {{./configure}} instead directly via the OpenSSL configuration. The patch guards only that part which must be guarded, when OpenSSL was configured with no-ec or no-ecdh. Finally, that patch enables the named-curves X25519 (since OpenSSL 1.1.0) and X448 (since OpenSSL 1.1.1), because {{SSL_CTRL_SET_ECDH_AUTO}} got enabled on default, that symbol got removed and {{SSL_CTX_ctrl}} returns an error now. Because of that, just the named-curve P-256 was set, which disabled X25519 (and X448).


--
This message was sent by Atlassian JIRA
(v6.2#6252)