[Asterisk-code-review] res rtp asterisk: Instead of ./configure use OPENSSL NO SRTP. (asterisk[master])

Joshua Colp asteriskteam at digium.com
Thu Jun 14 11:27:24 CDT 2018


Joshua Colp has submitted this change and it was merged. ( https://gerrit.asterisk.org/9184 )

Change subject: res_rtp_asterisk: Instead of ./configure use OPENSSL_NO_SRTP.
......................................................................

res_rtp_asterisk: Instead of ./configure use OPENSSL_NO_SRTP.

Previously, Asterisk used its ./configure script to test whether OpenSSL was
built with no-srtp (or was simply too old). However, the header file
<openssl/opensslconf.h> is the preferred way to detect the local configuration
of OpenSSL.

As a positive side-effect the script ./configure does not interleave the
detection of the Open Settlement Protocol Toolkit (OSPTK) with the detection of
individual features of OpenSSL anymore.

Change-Id: I3c77c7b00b2ffa2e935632097fa057b9fdf480c0
---
M configure
M configure.ac
M res/res_rtp_asterisk.c
3 files changed, 23 insertions(+), 118 deletions(-)

Approvals:
  George Joseph: Looks good to me, but someone else must approve
  Joshua Colp: Looks good to me, approved; Approved for Submit



diff --git a/configure b/configure
index c542c19..e5b3d70 100755
--- a/configure
+++ b/configure
@@ -30763,102 +30763,6 @@
 		fi
 	fi
 
-
-if test "x${PBX_OPENSSL_SRTP}" != "x1" -a "${USE_OPENSSL_SRTP}" != "no"; then
-   pbxlibdir=""
-   # if --with-OPENSSL_SRTP=DIR has been specified, use it.
-   if test "x${OPENSSL_SRTP_DIR}" != "x"; then
-      if test -d ${OPENSSL_SRTP_DIR}/lib; then
-         pbxlibdir="-L${OPENSSL_SRTP_DIR}/lib"
-      else
-         pbxlibdir="-L${OPENSSL_SRTP_DIR}"
-      fi
-   fi
-
-      ast_ext_lib_check_save_CFLAGS="${CFLAGS}"
-      CFLAGS="${CFLAGS} "
-      { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_tlsext_use_srtp in -lssl" >&5
-$as_echo_n "checking for SSL_CTX_set_tlsext_use_srtp in -lssl... " >&6; }
-if ${ac_cv_lib_ssl_SSL_CTX_set_tlsext_use_srtp+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lssl ${pbxlibdir} -lcrypto $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char SSL_CTX_set_tlsext_use_srtp ();
-int
-main ()
-{
-return SSL_CTX_set_tlsext_use_srtp ();
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_ssl_SSL_CTX_set_tlsext_use_srtp=yes
-else
-  ac_cv_lib_ssl_SSL_CTX_set_tlsext_use_srtp=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_CTX_set_tlsext_use_srtp" >&5
-$as_echo "$ac_cv_lib_ssl_SSL_CTX_set_tlsext_use_srtp" >&6; }
-if test "x$ac_cv_lib_ssl_SSL_CTX_set_tlsext_use_srtp" = xyes; then :
-  AST_OPENSSL_SRTP_FOUND=yes
-else
-  AST_OPENSSL_SRTP_FOUND=no
-fi
-
-      CFLAGS="${ast_ext_lib_check_save_CFLAGS}"
-
-
-   # now check for the header.
-   if test "${AST_OPENSSL_SRTP_FOUND}" = "yes"; then
-      OPENSSL_SRTP_LIB="${pbxlibdir} -lssl -lcrypto"
-      # if --with-OPENSSL_SRTP=DIR has been specified, use it.
-      if test "x${OPENSSL_SRTP_DIR}" != "x"; then
-         OPENSSL_SRTP_INCLUDE="-I${OPENSSL_SRTP_DIR}/include"
-      fi
-      OPENSSL_SRTP_INCLUDE="${OPENSSL_SRTP_INCLUDE} "
-
-         # check for the header
-         ast_ext_lib_check_saved_CPPFLAGS="${CPPFLAGS}"
-         CPPFLAGS="${CPPFLAGS} ${OPENSSL_SRTP_INCLUDE}"
-         ac_fn_c_check_header_mongrel "$LINENO" "openssl/ssl.h" "ac_cv_header_openssl_ssl_h" "$ac_includes_default"
-if test "x$ac_cv_header_openssl_ssl_h" = xyes; then :
-  OPENSSL_SRTP_HEADER_FOUND=1
-else
-  OPENSSL_SRTP_HEADER_FOUND=0
-fi
-
-
-         CPPFLAGS="${ast_ext_lib_check_saved_CPPFLAGS}"
-
-      if test "x${OPENSSL_SRTP_HEADER_FOUND}" = "x0" ; then
-         OPENSSL_SRTP_LIB=""
-         OPENSSL_SRTP_INCLUDE=""
-      else
-
-         PBX_OPENSSL_SRTP=1
-         cat >>confdefs.h <<_ACEOF
-#define HAVE_OPENSSL_SRTP 1
-_ACEOF
-
-      fi
-   fi
-fi
-
-
 fi
 
 
diff --git a/configure.ac b/configure.ac
index 158cf43..5da5afa 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2518,7 +2518,6 @@
 if test "$PBX_OPENSSL" = "1";
 then
         AST_CHECK_OSPTK([4], [0], [0])
-        AST_EXT_LIB_CHECK([OPENSSL_SRTP], [ssl], [SSL_CTX_set_tlsext_use_srtp], [openssl/ssl.h], [-lcrypto])
 fi
 
 AST_EXT_LIB_CHECK([SRTP], [srtp2], [srtp_init], [srtp2/srtp.h], [], [], [2])
diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c
index 2104ce3..f6e26d6 100644
--- a/res/res_rtp_asterisk.c
+++ b/res/res_rtp_asterisk.c
@@ -40,9 +40,10 @@
 #include <signal.h>
 #include <fcntl.h>
 
-#ifdef HAVE_OPENSSL_SRTP
+#ifdef HAVE_OPENSSL
 #include <openssl/opensslconf.h>
 #include <openssl/opensslv.h>
+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/bio.h>
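Review bot: The new guard `!defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)` introduced here is then repeated verbatim in every later hunk of this file, and at each of those sites the no-OpenSSL build only works because an undefined `OPENSSL_VERSION_NUMBER` is silently evaluated as 0 inside `#if` (C11 6.10.1), which `-Wundef` will report once per site. Evaluating the expression once, right after the `<openssl/opensslv.h>` include, and deriving a single file-local feature macro — e.g. `#define HAVE_OPENSSL_SRTP 1` as the first line inside the new `#if` of this block, a name that is free now that configure.ac no longer defines it — would let every other site keep a plain `#ifdef HAVE_OPENSSL_SRTP` and put the version threshold in exactly one place. The `#ifdef HAVE_OPENSSL` opened in this hunk is closed in the following hunk. Since the configure check that used to define `HAVE_OPENSSL_SRTP` is removed by this patch, any other translation unit still testing that macro would now silently compile its DTLS code out; that is not visible from here and is worth a grep before merge.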
@@ -51,6 +52,7 @@
 #endif
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
+#endif
 #endif
 #endif
 
@@ -275,7 +277,7 @@
 	enum ast_media_type stream_type;
 };
 
-#ifdef HAVE_OPENSSL_SRTP
+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)
 struct dtls_details {
 	SSL *ssl;         /*!< SSL session */
 	BIO *read_bio;    /*!< Memory buffer for reading */
@@ -417,7 +419,7 @@
 	unsigned int ice_num_components; /*!< The number of ICE components */
 #endif
 
-#ifdef HAVE_OPENSSL_SRTP
+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)
 	SSL_CTX *ssl_ctx; /*!< SSL context */
 	enum ast_rtp_dtls_verify dtls_verify; /*!< What to verify */
 	enum ast_srtp_suite suite;   /*!< SRTP crypto suite */
@@ -494,7 +496,7 @@
 	/* VP8: sequence number for the RTCP FIR FCI */
 	int firseq;
 
-#ifdef HAVE_OPENSSL_SRTP
+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)
 	struct dtls_details dtls; /*!< DTLS state information */
 #endif
 
@@ -562,7 +564,7 @@
 static int ast_rtp_extension_enable(struct ast_rtp_instance *instance, enum ast_rtp_extension extension);
 static int ast_rtp_bundle(struct ast_rtp_instance *child, struct ast_rtp_instance *parent);
 
-#ifdef HAVE_OPENSSL_SRTP
+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)
 static int ast_rtp_activate(struct ast_rtp_instance *instance);
 static void dtls_srtp_check_pending(struct ast_rtp_instance *instance, struct ast_rtp *rtp, int rtcp);
 static void dtls_srtp_start_timeout_timer(struct ast_rtp_instance *instance, struct ast_rtp *rtp, int rtcp);
@@ -1581,7 +1583,7 @@
 };
 #endif
 
-#ifdef HAVE_OPENSSL_SRTP
+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)
 static int dtls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 {
 	/* We don't want to actually verify the certificate so just accept what they have provided */
@@ -2259,7 +2261,7 @@
 #ifdef HAVE_PJPROJECT
 	.ice = &ast_rtp_ice,
 #endif
-#ifdef HAVE_OPENSSL_SRTP
+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)
 	.dtls = &ast_rtp_dtls,
 	.activate = ast_rtp_activate,
 #endif
@@ -2271,7 +2273,7 @@
 	.bundle = ast_rtp_bundle,
 };
 
-#ifdef HAVE_OPENSSL_SRTP
+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)
 /*! \pre instance is locked */
 static void dtls_perform_handshake(struct ast_rtp_instance *instance, struct dtls_details *dtls, int rtcp)
 {
@@ -2305,7 +2307,7 @@
 }
 #endif
 
-#ifdef HAVE_OPENSSL_SRTP
+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)
 static void dtls_perform_setup(struct dtls_details *dtls)
 {
 	if (!dtls->ssl || !SSL_is_init_finished(dtls->ssl)) {
@@ -2349,7 +2351,7 @@
 		}
 	}
 
-#ifdef HAVE_OPENSSL_SRTP
+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)
 
 	dtls_perform_setup(&rtp->dtls);
 	dtls_perform_handshake(instance, &rtp->dtls, 0);
@@ -2483,7 +2485,7 @@
 	return 1;
 }
 
-#ifdef HAVE_OPENSSL_SRTP
+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)
 /*! \pre instance is locked */
 static int dtls_srtp_handle_timeout(struct ast_rtp_instance *instance, int rtcp)
 {
@@ -2817,7 +2819,7 @@
 	   return len;
 	}
 
-#ifdef HAVE_OPENSSL_SRTP
+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)
 	/* If this is an SSL packet pass it to OpenSSL for processing. RFC section for first byte value:
 	 * https://tools.ietf.org/html/rfc5764#section-5.1.2 */
 	if ((*in >= 20) && (*in <= 63)) {
@@ -3514,7 +3516,7 @@
 	}
 #endif
 
-#ifdef HAVE_OPENSSL_SRTP
+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)
 	rtp->rekeyid = -1;
 	rtp->dtls.timeout_timer = -1;
 #endif
@@ -3530,7 +3532,7 @@
 	struct timespec ts = { .tv_sec = wait.tv_sec, .tv_nsec = wait.tv_usec * 1000, };
 #endif
 
-#ifdef HAVE_OPENSSL_SRTP
+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)
 	ast_rtp_dtls_stop(instance);
 #endif
 
@@ -6727,7 +6729,7 @@
 					return;
 				}
 				rtp->rtcp->s = -1;
-#ifdef HAVE_OPENSSL_SRTP
+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)
 				rtp->rtcp->dtls.timeout_timer = -1;
 #endif
 				rtp->rtcp->schedid = -1;
@@ -6790,7 +6792,7 @@
 					rtp_add_candidates_to_ice(instance, rtp, &rtp->rtcp->us, ast_sockaddr_port(&rtp->rtcp->us), AST_RTP_ICE_COMPONENT_RTCP, TRANSPORT_SOCKET_RTCP);
 				}
 #endif
-#ifdef HAVE_OPENSSL_SRTP
+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)
 				dtls_setup_rtcp(instance);
 #endif
 			} else {
@@ -6810,7 +6812,7 @@
 				rtp->rtcp->s = rtp->s;
 				ast_rtp_instance_get_remote_address(instance, &addr);
 				ast_sockaddr_copy(&rtp->rtcp->them, &addr);
-#ifdef HAVE_OPENSSL_SRTP
+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)
 				if (rtp->rtcp->dtls.ssl && rtp->rtcp->dtls.ssl != rtp->dtls.ssl) {
 					SSL_free(rtp->rtcp->dtls.ssl);
 				}
@@ -6838,7 +6840,7 @@
 				if (rtp->rtcp->s > -1 && rtp->rtcp->s != rtp->s) {
 					close(rtp->rtcp->s);
 				}
-#ifdef HAVE_OPENSSL_SRTP
+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)
 				ao2_unlock(instance);
 				dtls_srtp_stop_timeout_timer(instance, rtp, 1);
 				ao2_lock(instance);
@@ -7090,7 +7092,7 @@
 	struct ast_rtp *rtp = ast_rtp_instance_get_data(instance);
 	struct ast_sockaddr addr = { {0,} };
 
-#ifdef HAVE_OPENSSL_SRTP
+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)
 	ao2_unlock(instance);
 	AST_SCHED_DEL_UNREF(rtp->sched, rtp->rekeyid, ao2_ref(instance, -1));
 
@@ -7310,7 +7312,7 @@
 
 	AST_VECTOR_APPEND(&parent_rtp->ssrc_mapping, mapping);
 
-#ifdef HAVE_OPENSSL_SRTP
+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)
 	/* If DTLS-SRTP is already in use then add the local SSRC to it, otherwise it will get added once DTLS
 	 * negotiation has been completed.
 	 */
@@ -7331,7 +7333,7 @@
 	return 0;
 }
 
-#ifdef HAVE_OPENSSL_SRTP
+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)
 /*! \pre instance is locked */
 static int ast_rtp_activate(struct ast_rtp_instance *instance)
 {

-- 

Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I3c77c7b00b2ffa2e935632097fa057b9fdf480c0
Gerrit-Change-Number: 9184
Gerrit-PatchSet: 3
Gerrit-Owner: Alexander Traud <pabstraud at compuserve.com>
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Jenkins2
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>

