[Asterisk-code-review] tcptls: Allow OpenSSL configured with no-dh. (asterisk[master])

Joshua Colp asteriskteam at digium.com
Wed Jun 6 04:36:13 CDT 2018


Joshua Colp has submitted this change and it was merged. ( https://gerrit.asterisk.org/9054 )

Change subject: tcptls: Allow OpenSSL configured with no-dh.
......................................................................

tcptls: Allow OpenSSL configured with no-dh.

Additionally, this change allows auto-negotiation of the elliptic curve/group
for servers, not only with OpenSSL 1.0.2 but also with OpenSSL 1.1.0 and newer.
This enables X25519 (since OpenSSL 1.1.0) and X448 (since OpenSSL 1.1.1) as a
side-effect.

ASTERISK-27876

Change-Id: I62c2aba4a630aefc231b71f646207e8c027d9497
---
M main/tcptls.c
1 file changed, 5 insertions(+), 4 deletions(-)

Approvals:
  Joshua Colp: Looks good to me, but someone else must approve; Approved for Submit
  George Joseph: Looks good to me, approved



diff --git a/main/tcptls.c b/main/tcptls.c
index 8ffeabb..d6dfcf0 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -454,8 +454,7 @@
 		}
 	}
 
-#ifdef HAVE_OPENSSL_EC
-
+#ifndef OPENSSL_NO_DH
 	if (!ast_strlen_zero(cfg->pvtfile)) {
 		BIO *bio = BIO_new_file(cfg->pvtfile, "r");
 		if (bio != NULL) {
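Review bot: with `#ifndef OPENSSL_NO_DH` now the only gate around the `pvtfile` block, a build with OpenSSL configured `no-dh` compiles the whole block away and a configured `pvtfile` is ignored with no log line at all. Suggest an `#else` branch before the `#endif` that warns when `cfg->pvtfile` is set, e.g. `ast_log(LOG_WARNING, "DH parameters configured but this OpenSSL build has no DH support\n");`, so an operator learns why the file was never loaded. Swapping the configure-detected `HAVE_OPENSSL_EC` for the library's own `OPENSSL_NO_DH` is the right decoupling (DH parameter loading has nothing to do with EC), but it relies on `opensslconf.h` being pulled in through the OpenSSL headers this file already uses for `SSL_CTX_ctrl`; a one-line mention in the commit message that the configure check no longer gates this code would help the next reader.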
@@ -471,12 +470,15 @@
 			BIO_free(bio);
 		}
 	}
+#endif
+
 	#ifndef SSL_CTRL_SET_ECDH_AUTO
 		#define SSL_CTRL_SET_ECDH_AUTO 94
 	#endif
 	/* SSL_CTX_set_ecdh_auto(cfg->ssl_ctx, on); requires OpenSSL 1.0.2 which wraps: */
 	if (SSL_CTX_ctrl(cfg->ssl_ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)) {
 		ast_verb(2, "TLS/SSL ECDH initialized (automatic), faster PFS ciphers enabled\n");
+#if !defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
 	} else {
 		/* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */
 		EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
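Review bot: the `#if !defined(OPENSSL_NO_ECDH) && ...` opens between `ast_verb(...)` and `} else {`, so the preprocessor block straddles a brace; it balances once the matching `#endif` sits before the closing `}`, but it is easy to misread and a trailing comment on the `#if` (and on the new `#endif` after the DH block, e.g. `#endif /* OPENSSL_NO_DH */`) would make the pairing obvious. More importantly, on any build where the manual `prime256v1` fallback is compiled out (everything outside the `0x10000000L`..`0x10100000L` window, i.e. OpenSSL 1.1.0 and newer) a zero return from `SSL_CTX_ctrl(cfg->ssl_ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)` leaves no log line at all, so the only evidence that curve/group selection was left to the library is the absence of the "ECDH initialized (automatic)" message. Suggest an `#else` branch with a verbose line stating that the library selects the group itself, which also documents the X25519/X448 side effect the commit message describes. The locally defined `SSL_CTRL_SET_ECDH_AUTO 94` fallback is still sent to every OpenSSL version; a comment noting that the ctrl may be unrecognized (and its result deliberately ignored) on versions where automatic selection is built in would prevent someone from "fixing" the unchecked zero return later.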
@@ -486,9 +488,8 @@
 			}
 			EC_KEY_free(ecdh);
 		}
+#endif
 	}
-
-#endif /* #ifdef HAVE_OPENSSL_EC */
 
 	ast_verb(2, "TLS/SSL certificate ok\n");	/* We should log which one that is ok. This message doesn't really make sense in production use */
 	return 1;
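Review bot: the `#endif` added before the closing `}` of the `else` branch carries no trailing comment, while the removed `#endif /* #ifdef HAVE_OPENSSL_EC */` did; since the `#if` it closes starts in a different hunk and crosses the `} else {` line, suggest `#endif /* !OPENSSL_NO_ECDH && OpenSSL 1.0.x */` so the pairing can be checked without scrolling. Also worth noting for the commit message: after this change the code reaches `ast_verb(2, "TLS/SSL certificate ok\n")` and `return 1;` on a `no-dh` build without having loaded DH parameters and, on 1.1.0+, without having confirmed the ECDH ctrl, so that success line now covers strictly less than before; a short comment above it saying that DH and ECDH setup are best-effort would keep the next reader from assuming the verbose output implies PFS parameters were installed.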

-- 
To view, visit https://gerrit.asterisk.org/9054
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I62c2aba4a630aefc231b71f646207e8c027d9497
Gerrit-Change-Number: 9054
Gerrit-PatchSet: 1
Gerrit-Owner: Alexander Traud <pabstraud at compuserve.com>
Gerrit-Reviewer: Alexander Traud <pabstraud at compuserve.com>
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Jenkins2
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>