[Asterisk-code-review] res rtp asterisk: Allow OpenSSL configured with no-deprecated. (asterisk[15])

Jenkins2 asteriskteam at digium.com
Tue Jun 12 10:02:31 CDT 2018


Jenkins2 has submitted this change and it was merged. ( https://gerrit.asterisk.org/9148 )

Change subject: res_rtp_asterisk: Allow OpenSSL configured with no-deprecated.
......................................................................

res_rtp_asterisk: Allow OpenSSL configured with no-deprecated.

Furthermore, allow OpenSSL configured with no-dh. Additionally, this change
allows auto-negotiation of the elliptic curve/group for servers, not only with
OpenSSL 1.0.2 but also with OpenSSL 1.1.0 and newer. This enables X25519
(since OpenSSL 1.1.0) and X448 (since OpenSSL 1.1.1) as a side-effect.

ASTERISK-27910

Change-Id: I5b0dd47c5194ee17f830f869d629d7ef212cf537
---
M configure
M configure.ac
M include/asterisk/autoconfig.h.in
M res/res_rtp_asterisk.c
4 files changed, 24 insertions(+), 132 deletions(-)

Approvals:
  Joshua Colp: Looks good to me, but someone else must approve
  George Joseph: Looks good to me, approved
  Jenkins2: Approved for Submit



diff --git a/configure b/configure
index f4b27ee..164da11 100755
--- a/configure
+++ b/configure
@@ -1142,10 +1142,6 @@
 DAHDI_DIR
 DAHDI_INCLUDE
 DAHDI_LIB
-PBX_OPENSSL_EC
-OPENSSL_EC_DIR
-OPENSSL_EC_INCLUDE
-OPENSSL_EC_LIB
 PBX_OPENSSL_SRTP
 OPENSSL_SRTP_DIR
 OPENSSL_SRTP_INCLUDE
@@ -9660,18 +9656,6 @@
 OPENSSL_SRTP_DIR=${CRYPTO_DIR}
 
 PBX_OPENSSL_SRTP=0
-
-
-
-
-
-
-
-OPENSSL_EC_DESCRIP="OpenSSL Elliptic Curve Support"
-OPENSSL_EC_OPTION=crypto
-OPENSSL_EC_DIR=${CRYPTO_DIR}
-
-PBX_OPENSSL_EC=0
 
 
 
@@ -31270,106 +31254,6 @@
          PBX_OPENSSL_SRTP=1
          cat >>confdefs.h <<_ACEOF
 #define HAVE_OPENSSL_SRTP 1
-_ACEOF
-
-      fi
-   fi
-fi
-
-
-fi
-
-if test "$PBX_OPENSSL" = "1";
-then
-
-if test "x${PBX_OPENSSL_EC}" != "x1" -a "${USE_OPENSSL_EC}" != "no"; then
-   pbxlibdir=""
-   # if --with-OPENSSL_EC=DIR has been specified, use it.
-   if test "x${OPENSSL_EC_DIR}" != "x"; then
-      if test -d ${OPENSSL_EC_DIR}/lib; then
-         pbxlibdir="-L${OPENSSL_EC_DIR}/lib"
-      else
-         pbxlibdir="-L${OPENSSL_EC_DIR}"
-      fi
-   fi
-
-      ast_ext_lib_check_save_CFLAGS="${CFLAGS}"
-      CFLAGS="${CFLAGS} "
-      { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EC_KEY_new_by_curve_name in -lssl" >&5
-$as_echo_n "checking for EC_KEY_new_by_curve_name in -lssl... " >&6; }
-if ${ac_cv_lib_ssl_EC_KEY_new_by_curve_name+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lssl ${pbxlibdir} -lcrypto $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char EC_KEY_new_by_curve_name ();
-int
-main ()
-{
-return EC_KEY_new_by_curve_name ();
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_ssl_EC_KEY_new_by_curve_name=yes
-else
-  ac_cv_lib_ssl_EC_KEY_new_by_curve_name=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_EC_KEY_new_by_curve_name" >&5
-$as_echo "$ac_cv_lib_ssl_EC_KEY_new_by_curve_name" >&6; }
-if test "x$ac_cv_lib_ssl_EC_KEY_new_by_curve_name" = xyes; then :
-  AST_OPENSSL_EC_FOUND=yes
-else
-  AST_OPENSSL_EC_FOUND=no
-fi
-
-      CFLAGS="${ast_ext_lib_check_save_CFLAGS}"
-
-
-   # now check for the header.
-   if test "${AST_OPENSSL_EC_FOUND}" = "yes"; then
-      OPENSSL_EC_LIB="${pbxlibdir} -lssl -lcrypto"
-      # if --with-OPENSSL_EC=DIR has been specified, use it.
-      if test "x${OPENSSL_EC_DIR}" != "x"; then
-         OPENSSL_EC_INCLUDE="-I${OPENSSL_EC_DIR}/include"
-      fi
-      OPENSSL_EC_INCLUDE="${OPENSSL_EC_INCLUDE} "
-
-         # check for the header
-         ast_ext_lib_check_saved_CPPFLAGS="${CPPFLAGS}"
-         CPPFLAGS="${CPPFLAGS} ${OPENSSL_EC_INCLUDE}"
-         ac_fn_c_check_header_mongrel "$LINENO" "openssl/ec.h" "ac_cv_header_openssl_ec_h" "$ac_includes_default"
-if test "x$ac_cv_header_openssl_ec_h" = xyes; then :
-  OPENSSL_EC_HEADER_FOUND=1
-else
-  OPENSSL_EC_HEADER_FOUND=0
-fi
-
-
-         CPPFLAGS="${ast_ext_lib_check_saved_CPPFLAGS}"
-
-      if test "x${OPENSSL_EC_HEADER_FOUND}" = "x0" ; then
-         OPENSSL_EC_LIB=""
-         OPENSSL_EC_INCLUDE=""
-      else
-
-         PBX_OPENSSL_EC=1
-         cat >>confdefs.h <<_ACEOF
-#define HAVE_OPENSSL_EC 1
 _ACEOF
 
       fi
diff --git a/configure.ac b/configure.ac
index 41177b0..47d250d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -461,7 +461,6 @@
 AST_EXT_LIB_SETUP([CRYPT], [password and data encryption], [crypt])
 AST_EXT_LIB_SETUP([CRYPTO], [OpenSSL Cryptography], [crypto])
 AST_EXT_LIB_SETUP_OPTIONAL([OPENSSL_SRTP], [OpenSSL SRTP Extension Support], [CRYPTO], [crypto])
-AST_EXT_LIB_SETUP_OPTIONAL([OPENSSL_EC], [OpenSSL Elliptic Curve Support], [CRYPTO], [crypto])
 AST_EXT_LIB_SETUP([DAHDI], [DAHDI], [dahdi])
 AST_EXT_LIB_SETUP([FFMPEG], [Ffmpeg and avcodec], [avcodec])
 AST_EXT_LIB_SETUP([GSM], [External GSM], [gsm], [, use 'internal' GSM otherwise])
@@ -2554,11 +2553,6 @@
 then
         AST_CHECK_OSPTK([4], [0], [0])
         AST_EXT_LIB_CHECK([OPENSSL_SRTP], [ssl], [SSL_CTX_set_tlsext_use_srtp], [openssl/ssl.h], [-lcrypto])
-fi
-
-if test "$PBX_OPENSSL" = "1";
-then
-	AST_EXT_LIB_CHECK([OPENSSL_EC], [ssl], [EC_KEY_new_by_curve_name], [openssl/ec.h], [-lcrypto])
 fi
 
 AST_EXT_LIB_CHECK([SRTP], [srtp2], [srtp_init], [srtp2/srtp.h], [], [], [2])
diff --git a/include/asterisk/autoconfig.h.in b/include/asterisk/autoconfig.h.in
index 68eb6d1..ff82b67 100644
--- a/include/asterisk/autoconfig.h.in
+++ b/include/asterisk/autoconfig.h.in
@@ -573,9 +573,6 @@
 /* Define to 1 if you have the OpenSSL Secure Sockets Layer library. */
 #undef HAVE_OPENSSL
 
-/* Define to 1 if CRYPTO has the OpenSSL Elliptic Curve Support feature. */
-#undef HAVE_OPENSSL_EC
-
 /* Define to 1 if CRYPTO has the OpenSSL SRTP Extension Support feature. */
 #undef HAVE_OPENSSL_SRTP
 
diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c
index e28e58b..2104ce3 100644
--- a/res/res_rtp_asterisk.c
+++ b/res/res_rtp_asterisk.c
@@ -41,9 +41,17 @@
 #include <fcntl.h>
 
 #ifdef HAVE_OPENSSL_SRTP
+#include <openssl/opensslconf.h>
+#include <openssl/opensslv.h>
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/bio.h>
+#if !defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L)
+#include <openssl/bn.h>
+#endif
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
 #endif
 
 #ifdef HAVE_PJPROJECT
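Review bot: The guard `!defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L)` introduced at L228 is repeated verbatim in the later hunks of this patch (the configure_dhparams and create_ephemeral_ec_keypair guards), plus a variant with an upper bound, so the copies can drift apart over time. Since opensslconf.h is now included first, define the decision once here, e.g. `#if !defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L)` / `#define AST_OPENSSL_ECDH 1` / `#endif`, and test `#if AST_OPENSSL_ECDH` elsewhere. The file keys only on OPENSSL_NO_ECDH; OpenSSL's own Configure cascades `no-ec` into `no-ecdh`, so that suffices for OpenSSL, but if a compatible library that defines only OPENSSL_NO_EC is a supported target this should be confirmed.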
@@ -1656,12 +1664,13 @@
 	X509 *certificate;
 };
 
-#ifdef HAVE_OPENSSL_EC
-
 static void configure_dhparams(const struct ast_rtp *rtp, const struct ast_rtp_dtls_cfg *dtls_cfg)
 {
+#if !defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
 	EC_KEY *ecdh;
+#endif
 
+#ifndef OPENSSL_NO_DH
 	if (!ast_strlen_zero(dtls_cfg->pvtfile)) {
 		BIO *bio = BIO_new_file(dtls_cfg->pvtfile, "r");
 		if (bio) {
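Review bot: With `#ifndef OPENSSL_NO_DH` at L249 the whole DH-parameter load from `dtls_cfg->pvtfile` is compiled out on a no-dh build, so an operator who placed DH parameters in that file gets no hint that they are ignored and that the DTLS endpoint is ECDHE-only. An `#else` branch behind the same `!ast_strlen_zero(dtls_cfg->pvtfile)` test with a one-line note, e.g. `ast_debug(1, "OpenSSL built without DH; DH parameters in '%s' are ignored\n", dtls_cfg->pvtfile);`, would make the degraded configuration visible; the right log level is a judgement call. configure_dhparams continues past the end of this hunk, so the DH read and its error handling are not visible here.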
@@ -1678,7 +1687,9 @@
 			BIO_free(bio);
 		}
 	}
+#endif /* !OPENSSL_NO_DH */
 
+#if !defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
 	/* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */
 	ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
 	if (ecdh) {
@@ -1695,7 +1706,10 @@
 		}
 		EC_KEY_free(ecdh);
 	}
+#endif /* !OPENSSL_NO_ECDH */
 }
+
+#if !defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L)
 
 static int create_ephemeral_ec_keypair(EVP_PKEY **keypair)
 {
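Review bot: The trailing comment `#endif /* !OPENSSL_NO_ECDH */` at L267 closes a condition that also requires OpenSSL < 1.1.0 (L259), so a reader at the bottom of the block is told the prime256v1 setup is dropped only when ECDH is disabled, when on 1.1.0 and newer it is always skipped. Make the comment match, `#endif /* !OPENSSL_NO_ECDH && OpenSSL 1.0.x */`, and record the intent for newer releases at the top of the EC section, e.g. `/* OpenSSL 1.1.0+ selects the EC group itself from its default list, so no curve is pinned here. */`; the commit message states that auto-negotiation is the goal, but nothing in the code says so. The `#if` at L270 that opens the ephemeral-key section is closed outside this hunk.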
@@ -1772,10 +1786,17 @@
 	 * Validity period - Current Chrome & Firefox make it 31 days starting
 	 * with yesterday at the current time, so we will do the same.
 	 */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	if (!X509_time_adj_ex(X509_get_notBefore(cert), -1, 0, NULL)
 	   || !X509_time_adj_ex(X509_get_notAfter(cert), 30, 0, NULL)) {
 		goto error;
 	}
+#else
+	if (!X509_time_adj_ex(X509_getm_notBefore(cert), -1, 0, NULL)
+	   || !X509_time_adj_ex(X509_getm_notAfter(cert), 30, 0, NULL)) {
+		goto error;
+	}
+#endif
 
 	/* Set the name and issuer */
 	if (!(name = X509_get_subject_name(cert))
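Review bot: The `#else` branch at L283 is taken by every library reporting OPENSSL_VERSION_NUMBER >= 0x10100000L, which includes LibreSSL (it reports 0x20000000L); whether the LibreSSL releases Asterisk supports provide X509_getm_notBefore/X509_getm_notAfter should be confirmed before merging on top of this, since older releases only had the X509_get_* names. Rather than duplicating the two X509_time_adj_ex calls, a compat shim next to the includes that maps the getm names to the old ones on OpenSSL < 1.1.0, e.g. `#define X509_getm_notBefore X509_get_notBefore`, keeps a single code path in this function. create_certificate_ephemeral starts and ends outside this hunk.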
@@ -1830,10 +1851,6 @@
 
 #else
 
-static void configure_dhparams(const struct ast_rtp *rtp, const struct ast_rtp_dtls_cfg *dtls_cfg)
-{
-}
-
 static int create_certificate_ephemeral(struct ast_rtp_instance *instance,
 										const struct ast_rtp_dtls_cfg *dtls_cfg,
 										struct dtls_cert_info *cert_info)
@@ -1842,7 +1859,7 @@
 	return -1;
 }
 
-#endif /* HAVE_OPENSSL_EC */
+#endif /* !OPENSSL_NO_ECDH */
 
 static int create_certificate_from_file(struct ast_rtp_instance *instance,
 										const struct ast_rtp_dtls_cfg *dtls_cfg,


Gerrit-Project: asterisk
Gerrit-Branch: 15
Gerrit-MessageType: merged
Gerrit-Change-Id: I5b0dd47c5194ee17f830f869d629d7ef212cf537
Gerrit-Change-Number: 9148
Gerrit-PatchSet: 1
Gerrit-Owner: Alexander Traud <pabstraud at compuserve.com>
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Jenkins2
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>