<p>Alexander Traud has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/9147">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">res_rtp_asterisk: Allow OpenSSL configured with no-deprecated.<br><br>Furthermore, allow OpenSSL configured with no-dh. Additionally, this change<br>allows auto-negotiation of the elliptic curve/group for servers, not only with<br>OpenSSL 1.0.2 but also with OpenSSL 1.1.0 and newer. This enables X25519<br>(since OpenSSL 1.1.0) and X448 (since OpenSSL 1.1.1) as a side-effect.<br><br>ASTERISK-27910<br><br>Change-Id: I5b0dd47c5194ee17f830f869d629d7ef212cf537<br>---<br>M configure<br>M configure.ac<br>M include/asterisk/autoconfig.h.in<br>M res/res_rtp_asterisk.c<br>4 files changed, 24 insertions(+), 132 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/47/9147/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">diff --git a/configure b/configure<br>index 30aabfd..c542c19 100755<br>--- a/configure<br>+++ b/configure<br>@@ -1132,10 +1132,6 @@<br> DAHDI_DIR<br> DAHDI_INCLUDE<br> DAHDI_LIB<br>-PBX_OPENSSL_EC<br>-OPENSSL_EC_DIR<br>-OPENSSL_EC_INCLUDE<br>-OPENSSL_EC_LIB<br> PBX_OPENSSL_SRTP<br> OPENSSL_SRTP_DIR<br> OPENSSL_SRTP_INCLUDE<br>@@ -9607,18 +9603,6 @@<br> OPENSSL_SRTP_DIR=${CRYPTO_DIR}<br> <br> PBX_OPENSSL_SRTP=0<br>-<br>-<br>-<br>-<br>-<br>-<br>-<br>-OPENSSL_EC_DESCRIP="OpenSSL Elliptic Curve Support"<br>-OPENSSL_EC_OPTION=crypto<br>-OPENSSL_EC_DIR=${CRYPTO_DIR}<br>-<br>-PBX_OPENSSL_EC=0<br> <br> <br> <br>@@ -30868,106 +30852,6 @@<br>          PBX_OPENSSL_SRTP=1<br>          cat >>confdefs.h <<_ACEOF<br> #define HAVE_OPENSSL_SRTP 1<br>-_ACEOF<br>-<br>-      fi<br>-   fi<br>-fi<br>-<br>-<br>-fi<br>-<br>-if test "$PBX_OPENSSL" = "1";<br>-then<br>-<br>-if test "x${PBX_OPENSSL_EC}" != "x1" -a "${USE_OPENSSL_EC}" != "no"; 
then<br>-   pbxlibdir=""<br>-   # if --with-OPENSSL_EC=DIR has been specified, use it.<br>-   if test "x${OPENSSL_EC_DIR}" != "x"; then<br>-      if test -d ${OPENSSL_EC_DIR}/lib; then<br>-         pbxlibdir="-L${OPENSSL_EC_DIR}/lib"<br>-      else<br>-         pbxlibdir="-L${OPENSSL_EC_DIR}"<br>-      fi<br>-   fi<br>-<br>-      ast_ext_lib_check_save_CFLAGS="${CFLAGS}"<br>-      CFLAGS="${CFLAGS} "<br>-      { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EC_KEY_new_by_curve_name in -lssl" >&5<br>-$as_echo_n "checking for EC_KEY_new_by_curve_name in -lssl... " >&6; }<br>-if ${ac_cv_lib_ssl_EC_KEY_new_by_curve_name+:} false; then :<br>-  $as_echo_n "(cached) " >&6<br>-else<br>-  ac_check_lib_save_LIBS=$LIBS<br>-LIBS="-lssl ${pbxlibdir} -lcrypto $LIBS"<br>-cat confdefs.h - <<_ACEOF >conftest.$ac_ext<br>-/* end confdefs.h.  */<br>-<br>-/* Override any GCC internal prototype to avoid an error.<br>-   Use char because int might match the return type of a GCC<br>-   builtin and then its argument prototype would still apply.  
*/<br>-#ifdef __cplusplus<br>-extern "C"<br>-#endif<br>-char EC_KEY_new_by_curve_name ();<br>-int<br>-main ()<br>-{<br>-return EC_KEY_new_by_curve_name ();<br>-  ;<br>-  return 0;<br>-}<br>-_ACEOF<br>-if ac_fn_c_try_link "$LINENO"; then :<br>-  ac_cv_lib_ssl_EC_KEY_new_by_curve_name=yes<br>-else<br>-  ac_cv_lib_ssl_EC_KEY_new_by_curve_name=no<br>-fi<br>-rm -f core conftest.err conftest.$ac_objext \<br>-    conftest$ac_exeext conftest.$ac_ext<br>-LIBS=$ac_check_lib_save_LIBS<br>-fi<br>-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_EC_KEY_new_by_curve_name" >&5<br>-$as_echo "$ac_cv_lib_ssl_EC_KEY_new_by_curve_name" >&6; }<br>-if test "x$ac_cv_lib_ssl_EC_KEY_new_by_curve_name" = xyes; then :<br>-  AST_OPENSSL_EC_FOUND=yes<br>-else<br>-  AST_OPENSSL_EC_FOUND=no<br>-fi<br>-<br>-      CFLAGS="${ast_ext_lib_check_save_CFLAGS}"<br>-<br>-<br>-   # now check for the header.<br>-   if test "${AST_OPENSSL_EC_FOUND}" = "yes"; then<br>-      OPENSSL_EC_LIB="${pbxlibdir} -lssl -lcrypto"<br>-      # if --with-OPENSSL_EC=DIR has been specified, use it.<br>-      if test "x${OPENSSL_EC_DIR}" != "x"; then<br>-         OPENSSL_EC_INCLUDE="-I${OPENSSL_EC_DIR}/include"<br>-      fi<br>-      OPENSSL_EC_INCLUDE="${OPENSSL_EC_INCLUDE} "<br>-<br>-         # check for the header<br>-         ast_ext_lib_check_saved_CPPFLAGS="${CPPFLAGS}"<br>-         CPPFLAGS="${CPPFLAGS} ${OPENSSL_EC_INCLUDE}"<br>-         ac_fn_c_check_header_mongrel "$LINENO" "openssl/ec.h" "ac_cv_header_openssl_ec_h" "$ac_includes_default"<br>-if test "x$ac_cv_header_openssl_ec_h" = xyes; then :<br>-  OPENSSL_EC_HEADER_FOUND=1<br>-else<br>-  OPENSSL_EC_HEADER_FOUND=0<br>-fi<br>-<br>-<br>-         CPPFLAGS="${ast_ext_lib_check_saved_CPPFLAGS}"<br>-<br>-      if test "x${OPENSSL_EC_HEADER_FOUND}" = "x0" ; then<br>-         OPENSSL_EC_LIB=""<br>-         OPENSSL_EC_INCLUDE=""<br>-      else<br>-<br>-         PBX_OPENSSL_EC=1<br>-         cat >>confdefs.h <<_ACEOF<br>-#define HAVE_OPENSSL_EC 1<br> 
_ACEOF<br> <br>       fi<br>diff --git a/configure.ac b/configure.ac<br>index d0d4c67..158cf43 100644<br>--- a/configure.ac<br>+++ b/configure.ac<br>@@ -460,7 +460,6 @@<br> AST_EXT_LIB_SETUP([CRYPT], [password and data encryption], [crypt])<br> AST_EXT_LIB_SETUP([CRYPTO], [OpenSSL Cryptography], [crypto])<br> AST_EXT_LIB_SETUP_OPTIONAL([OPENSSL_SRTP], [OpenSSL SRTP Extension Support], [CRYPTO], [crypto])<br>-AST_EXT_LIB_SETUP_OPTIONAL([OPENSSL_EC], [OpenSSL Elliptic Curve Support], [CRYPTO], [crypto])<br> AST_EXT_LIB_SETUP([DAHDI], [DAHDI], [dahdi])<br> AST_EXT_LIB_SETUP([FFMPEG], [Ffmpeg and avcodec], [avcodec])<br> AST_EXT_LIB_SETUP([GSM], [External GSM], [gsm], [, use 'internal' GSM otherwise])<br>@@ -2520,11 +2519,6 @@<br> then<br>         AST_CHECK_OSPTK([4], [0], [0])<br>         AST_EXT_LIB_CHECK([OPENSSL_SRTP], [ssl], [SSL_CTX_set_tlsext_use_srtp], [openssl/ssl.h], [-lcrypto])<br>-fi<br>-<br>-if test "$PBX_OPENSSL" = "1";<br>-then<br>- AST_EXT_LIB_CHECK([OPENSSL_EC], [ssl], [EC_KEY_new_by_curve_name], [openssl/ec.h], [-lcrypto])<br> fi<br> <br> AST_EXT_LIB_CHECK([SRTP], [srtp2], [srtp_init], [srtp2/srtp.h], [], [], [2])<br>diff --git a/include/asterisk/autoconfig.h.in b/include/asterisk/autoconfig.h.in<br>index 17ac89a..39d2e80 100644<br>--- a/include/asterisk/autoconfig.h.in<br>+++ b/include/asterisk/autoconfig.h.in<br>@@ -573,9 +573,6 @@<br> /* Define to 1 if you have the OpenSSL Secure Sockets Layer library. */<br> #undef HAVE_OPENSSL<br> <br>-/* Define to 1 if CRYPTO has the OpenSSL Elliptic Curve Support feature. */<br>-#undef HAVE_OPENSSL_EC<br>-<br> /* Define to 1 if CRYPTO has the OpenSSL SRTP Extension Support feature. 
*/<br> #undef HAVE_OPENSSL_SRTP<br> <br>diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c<br>index e28e58b..2104ce3 100644<br>--- a/res/res_rtp_asterisk.c<br>+++ b/res/res_rtp_asterisk.c<br>@@ -41,9 +41,17 @@<br> #include <fcntl.h><br> <br> #ifdef HAVE_OPENSSL_SRTP<br>+#include <openssl/opensslconf.h><br>+#include <openssl/opensslv.h><br> #include <openssl/ssl.h><br> #include <openssl/err.h><br> #include <openssl/bio.h><br>+#if !defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L)<br>+#include <openssl/bn.h><br>+#endif<br>+#ifndef OPENSSL_NO_DH<br>+#include <openssl/dh.h><br>+#endif<br> #endif<br> <br> #ifdef HAVE_PJPROJECT<br>@@ -1656,12 +1664,13 @@<br>     X509 *certificate;<br> };<br> <br>-#ifdef HAVE_OPENSSL_EC<br>-<br> static void configure_dhparams(const struct ast_rtp *rtp, const struct ast_rtp_dtls_cfg *dtls_cfg)<br> {<br>+#if !defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L) && (OPENSSL_VERSION_NUMBER < 0x10100000L)<br>    EC_KEY *ecdh;<br>+#endif<br> <br>+#ifndef OPENSSL_NO_DH<br>     if (!ast_strlen_zero(dtls_cfg->pvtfile)) {<br>                 BIO *bio = BIO_new_file(dtls_cfg->pvtfile, "r");<br>                 if (bio) {<br>@@ -1678,7 +1687,9 @@<br>                     BIO_free(bio);<br>                }<br>     }<br>+#endif /* !OPENSSL_NO_DH */<br> <br>+#if !defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L) && (OPENSSL_VERSION_NUMBER < 0x10100000L)<br>         /* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */<br>       ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);<br>        if (ecdh) {<br>@@ -1695,7 +1706,10 @@<br>           }<br>             EC_KEY_free(ecdh);<br>    }<br>+#endif /* !OPENSSL_NO_ECDH */<br> }<br>+<br>+#if !defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L)<br> <br> static int create_ephemeral_ec_keypair(EVP_PKEY **keypair)<br> {<br>@@ -1772,10 +1786,17 @@<br>    * Validity period - Current Chrome & Firefox make it 31 days 
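Review bot: The new include block adds `<openssl/bn.h>` and `<openssl/dh.h>` under guards, but not `<openssl/ec.h>`, even though the EC-gated code in this file calls `EC_KEY_new_by_curve_name` and `EC_KEY_free` and the configure-time probe for `openssl/ec.h` that used to prove the header is usable is removed by this same change. Today those declarations presumably arrive transitively through `<openssl/ssl.h>`, which is exactly the kind of accident a `no-deprecated` or later OpenSSL is free to stop providing. Including it next to `bn.h` under the same guard keeps the dependency explicit: `#if !defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L)` / `#include <openssl/bn.h>` / `#include <openssl/ec.h>`.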
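Review bot: With OpenSSL 1.1.0 and newer the ECDH part of `configure_dhparams` is now compiled out entirely and nothing in the function says why, so the next reader will assume the server-side group setup was lost rather than delegated to OpenSSL's built-in automatic selection that the commit message relies on. A comment where `EC_KEY *ecdh;` is declared would carry that reasoning: `/* OpenSSL >= 1.1.0 negotiates the ECDH group itself (X25519/X448 included); only 1.0.x needs the explicit curve below. */`. Likewise, under `OPENSSL_NO_DH` a `pvtfile` that carries DH parameters is now skipped without a trace; a one-line debug log (e.g. `ast_debug(1, "OpenSSL built without DH, ignoring DH parameters in %s\n", dtls_cfg->pvtfile);`) in an `#else` branch of that guard would explain missing DHE suites when someone goes looking. The DH loading itself continues in the lines between this hunk and the next.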
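Review bot: The three-term guard `!defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L) && (OPENSSL_VERSION_NUMBER < 0x10100000L)` is repeated verbatim here and in the previous hunk, and the two-term variant without the upper bound appears in the include block and again further down, so the next adjustment of a version boundary has to be made in four places. Computing the decision once near the includes, as a plain `#define AST_OPENSSL_EXPLICIT_ECDH 1` nested inside the version and `OPENSSL_NO_ECDH` checks, and testing `#ifdef AST_OPENSSL_EXPLICIT_ECDH` at the call sites would remove the duplication without putting `defined` inside a macro body. The comment this hunk keeps under the 1.0.x-only gate, `/* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */`, also misstates what the curve does: the named curve selects the ECDHE group (P-256 is roughly a 128-bit security level), it does not enable or disable AES suites; `/* P-256 ECDHE group (~128-bit security); use NID_secp384r1 for a 192-bit group */` is closer to the truth.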
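Review bot: The block opened here with `#if !defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L)` guards `create_ephemeral_ec_keypair` and the ephemeral X.509 generation, which need EC key support rather than ECDH key agreement; the OpenSSL build option that removes that support is `no-ec`, reported as `OPENSSL_NO_EC`. As far as I know OpenSSL's configure also defines `OPENSSL_NO_ECDH` whenever EC is disabled, so the test is not unsafe, but a 1.0.2 built with `no-ecdh` alone would lose ephemeral certificates it could still produce, and the macro name tells the reader the wrong requirement; testing `OPENSSL_NO_EC` for this block (keeping `OPENSSL_NO_ECDH` only around the explicit-curve setup for 1.0.x) matches the actual dependency. The `#endif /* !OPENSSL_NO_ECDH */` closing the explicit-curve block in this hunk also belongs to a condition with two version bounds; `#endif /* !OPENSSL_NO_ECDH && 1.0.0 <= OpenSSL < 1.1.0 */` keeps the pair matchable.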
starting<br>     * with yesterday at the current time, so we will do the same.<br>         */<br>+#if OPENSSL_VERSION_NUMBER < 0x10100000L<br>     if (!X509_time_adj_ex(X509_get_notBefore(cert), -1, 0, NULL)<br>     || !X509_time_adj_ex(X509_get_notAfter(cert), 30, 0, NULL)) {<br>              goto error;<br>   }<br>+#else<br>+    if (!X509_time_adj_ex(X509_getm_notBefore(cert), -1, 0, NULL)<br>+           || !X509_time_adj_ex(X509_getm_notAfter(cert), 30, 0, NULL)) {<br>+            goto error;<br>+  }<br>+#endif<br> <br>         /* Set the name and issuer */<br>         if (!(name = X509_get_subject_name(cert))<br>@@ -1830,10 +1851,6 @@<br> <br> #else<br> <br>-static void configure_dhparams(const struct ast_rtp *rtp, const struct ast_rtp_dtls_cfg *dtls_cfg)<br>-{<br>-}<br>-<br> static int create_certificate_ephemeral(struct ast_rtp_instance *instance,<br>                                                                          const struct ast_rtp_dtls_cfg *dtls_cfg,<br>                                                                              struct dtls_cert_info *cert_info)<br>@@ -1842,7 +1859,7 @@<br>      return -1;<br> }<br> <br>-#endif /* HAVE_OPENSSL_EC */<br>+#endif /* !OPENSSL_NO_ECDH */<br> <br> static int create_certificate_from_file(struct ast_rtp_instance *instance,<br>                                                                              const struct ast_rtp_dtls_cfg *dtls_cfg,<br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/9147">change 9147</a>. To unsubscribe, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/9147"/><meta itemprop="name" content="View Change"/></div></div>
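Review bot: The `#if`/`#else` in this hunk duplicates the whole validity-period check only to swap `X509_get_notBefore`/`X509_get_notAfter` for `X509_getm_notBefore`/`X509_getm_notAfter`, so both copies must be kept in step the next time the window or the error handling changes. Since the accessors take the same argument and the `getm` names are the ones OpenSSL keeps under `no-deprecated`, a two-line compatibility `#define` of `X509_getm_notBefore` and `X509_getm_notAfter` to the old names, placed under `OPENSSL_VERSION_NUMBER < 0x10100000L` next to the includes, would let this hunk keep a single call site and a single `goto error`. The enclosing `create_certificate_ephemeral` starts and ends outside this hunk.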
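Review bot: After this change a build against an OpenSSL without EC support compiles the `#else` fallback silently: the configure-time `OPENSSL_EC` probe and `HAVE_OPENSSL_EC` are removed in the same patch, so nothing at build or run time tells the operator that `create_certificate_ephemeral` will always fail with the `return -1;` shown here, and DTLS sessions that depend on ephemeral certificates presumably just never come up. If the stub's opening lines (which sit between the previous hunk and this one) do not already log, an `ast_log(LOG_ERROR, "Ephemeral DTLS certificates require OpenSSL elliptic curve support\n");` before `return -1;` turns that into an actionable message. The closing `#endif /* !OPENSSL_NO_ECDH */` also stands for a condition that includes `OPENSSL_VERSION_NUMBER >= 0x10000000L`; echoing the full condition in the comment keeps the pair readable.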
