<p>Alexander Traud has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/9149">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">res_rtp_asterisk: Allow OpenSSL configured with no-deprecated.<br><br>Furthermore, allow OpenSSL configured with no-dh. Additionally, this change<br>allows auto-negotiation of the elliptic curve/group for servers, not only with<br>OpenSSL 1.0.2 but also with OpenSSL 1.1.0 and newer. This enables X25519<br>(since OpenSSL 1.1.0) and X448 (since OpenSSL 1.1.1) as a side-effect.<br><br>ASTERISK-27910<br><br>Change-Id: I5b0dd47c5194ee17f830f869d629d7ef212cf537<br>---<br>M configure<br>M configure.ac<br>M include/asterisk/autoconfig.h.in<br>M res/res_rtp_asterisk.c<br>4 files changed, 10 insertions(+), 130 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/49/9149/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">diff --git a/configure b/configure<br>index 370ceea..a7862c9 100755<br>--- a/configure<br>+++ b/configure<br>@@ -1118,10 +1118,6 @@<br> DAHDI_DIR<br> DAHDI_INCLUDE<br> DAHDI_LIB<br>-PBX_OPENSSL_EC<br>-OPENSSL_EC_DIR<br>-OPENSSL_EC_INCLUDE<br>-OPENSSL_EC_LIB<br> PBX_OPENSSL_SRTP<br> OPENSSL_SRTP_DIR<br> OPENSSL_SRTP_INCLUDE<br>@@ -9589,18 +9585,6 @@<br> OPENSSL_SRTP_DIR=${CRYPTO_DIR}<br> <br> PBX_OPENSSL_SRTP=0<br>-<br>-<br>-<br>-<br>-<br>-<br>-<br>-OPENSSL_EC_DESCRIP="OpenSSL Elliptic Curve Support"<br>-OPENSSL_EC_OPTION=crypto<br>-OPENSSL_EC_DIR=${CRYPTO_DIR}<br>-<br>-PBX_OPENSSL_EC=0<br> <br> <br> <br>@@ -30575,106 +30559,6 @@<br>          PBX_OPENSSL_SRTP=1<br>          cat >>confdefs.h <<_ACEOF<br> #define HAVE_OPENSSL_SRTP 1<br>-_ACEOF<br>-<br>-      fi<br>-   fi<br>-fi<br>-<br>-<br>-fi<br>-<br>-if test "$PBX_OPENSSL" = "1";<br>-then<br>-<br>-if test "x${PBX_OPENSSL_EC}" != "x1" -a "${USE_OPENSSL_EC}" != "no"; 
then<br>-   pbxlibdir=""<br>-   # if --with-OPENSSL_EC=DIR has been specified, use it.<br>-   if test "x${OPENSSL_EC_DIR}" != "x"; then<br>-      if test -d ${OPENSSL_EC_DIR}/lib; then<br>-         pbxlibdir="-L${OPENSSL_EC_DIR}/lib"<br>-      else<br>-         pbxlibdir="-L${OPENSSL_EC_DIR}"<br>-      fi<br>-   fi<br>-<br>-      ast_ext_lib_check_save_CFLAGS="${CFLAGS}"<br>-      CFLAGS="${CFLAGS} "<br>-      { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EC_KEY_new_by_curve_name in -lssl" >&5<br>-$as_echo_n "checking for EC_KEY_new_by_curve_name in -lssl... " >&6; }<br>-if ${ac_cv_lib_ssl_EC_KEY_new_by_curve_name+:} false; then :<br>-  $as_echo_n "(cached) " >&6<br>-else<br>-  ac_check_lib_save_LIBS=$LIBS<br>-LIBS="-lssl ${pbxlibdir} -lcrypto $LIBS"<br>-cat confdefs.h - <<_ACEOF >conftest.$ac_ext<br>-/* end confdefs.h.  */<br>-<br>-/* Override any GCC internal prototype to avoid an error.<br>-   Use char because int might match the return type of a GCC<br>-   builtin and then its argument prototype would still apply.  
*/<br>-#ifdef __cplusplus<br>-extern "C"<br>-#endif<br>-char EC_KEY_new_by_curve_name ();<br>-int<br>-main ()<br>-{<br>-return EC_KEY_new_by_curve_name ();<br>-  ;<br>-  return 0;<br>-}<br>-_ACEOF<br>-if ac_fn_c_try_link "$LINENO"; then :<br>-  ac_cv_lib_ssl_EC_KEY_new_by_curve_name=yes<br>-else<br>-  ac_cv_lib_ssl_EC_KEY_new_by_curve_name=no<br>-fi<br>-rm -f core conftest.err conftest.$ac_objext \<br>-    conftest$ac_exeext conftest.$ac_ext<br>-LIBS=$ac_check_lib_save_LIBS<br>-fi<br>-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_EC_KEY_new_by_curve_name" >&5<br>-$as_echo "$ac_cv_lib_ssl_EC_KEY_new_by_curve_name" >&6; }<br>-if test "x$ac_cv_lib_ssl_EC_KEY_new_by_curve_name" = xyes; then :<br>-  AST_OPENSSL_EC_FOUND=yes<br>-else<br>-  AST_OPENSSL_EC_FOUND=no<br>-fi<br>-<br>-      CFLAGS="${ast_ext_lib_check_save_CFLAGS}"<br>-<br>-<br>-   # now check for the header.<br>-   if test "${AST_OPENSSL_EC_FOUND}" = "yes"; then<br>-      OPENSSL_EC_LIB="${pbxlibdir} -lssl -lcrypto"<br>-      # if --with-OPENSSL_EC=DIR has been specified, use it.<br>-      if test "x${OPENSSL_EC_DIR}" != "x"; then<br>-         OPENSSL_EC_INCLUDE="-I${OPENSSL_EC_DIR}/include"<br>-      fi<br>-      OPENSSL_EC_INCLUDE="${OPENSSL_EC_INCLUDE} "<br>-<br>-         # check for the header<br>-         ast_ext_lib_check_saved_CPPFLAGS="${CPPFLAGS}"<br>-         CPPFLAGS="${CPPFLAGS} ${OPENSSL_EC_INCLUDE}"<br>-         ac_fn_c_check_header_mongrel "$LINENO" "openssl/ec.h" "ac_cv_header_openssl_ec_h" "$ac_includes_default"<br>-if test "x$ac_cv_header_openssl_ec_h" = xyes; then :<br>-  OPENSSL_EC_HEADER_FOUND=1<br>-else<br>-  OPENSSL_EC_HEADER_FOUND=0<br>-fi<br>-<br>-<br>-         CPPFLAGS="${ast_ext_lib_check_saved_CPPFLAGS}"<br>-<br>-      if test "x${OPENSSL_EC_HEADER_FOUND}" = "x0" ; then<br>-         OPENSSL_EC_LIB=""<br>-         OPENSSL_EC_INCLUDE=""<br>-      else<br>-<br>-         PBX_OPENSSL_EC=1<br>-         cat >>confdefs.h <<_ACEOF<br>-#define HAVE_OPENSSL_EC 1<br> 
_ACEOF<br> <br>       fi<br>diff --git a/configure.ac b/configure.ac<br>index 5abbd4f..fe5ab57 100644<br>--- a/configure.ac<br>+++ b/configure.ac<br>@@ -461,7 +461,6 @@<br> AST_EXT_LIB_SETUP([CRYPT], [password and data encryption], [crypt])<br> AST_EXT_LIB_SETUP([CRYPTO], [OpenSSL Cryptography], [crypto])<br> AST_EXT_LIB_SETUP_OPTIONAL([OPENSSL_SRTP], [OpenSSL SRTP Extension Support], [CRYPTO], [crypto])<br>-AST_EXT_LIB_SETUP_OPTIONAL([OPENSSL_EC], [OpenSSL Elliptic Curve Support], [CRYPTO], [crypto])<br> AST_EXT_LIB_SETUP([DAHDI], [DAHDI], [dahdi])<br> AST_EXT_LIB_SETUP([FFMPEG], [Ffmpeg and avcodec], [avcodec])<br> AST_EXT_LIB_SETUP([GSM], [External GSM], [gsm], [, use 'internal' GSM otherwise])<br>@@ -2506,11 +2505,6 @@<br> then<br>         AST_CHECK_OSPTK([4], [0], [0])<br>         AST_EXT_LIB_CHECK([OPENSSL_SRTP], [ssl], [SSL_CTX_set_tlsext_use_srtp], [openssl/ssl.h], [-lcrypto])<br>-fi<br>-<br>-if test "$PBX_OPENSSL" = "1";<br>-then<br>- AST_EXT_LIB_CHECK([OPENSSL_EC], [ssl], [EC_KEY_new_by_curve_name], [openssl/ec.h], [-lcrypto])<br> fi<br> <br> AST_EXT_LIB_CHECK([SRTP], [srtp2], [srtp_init], [srtp2/srtp.h], [], [], [2])<br>diff --git a/include/asterisk/autoconfig.h.in b/include/asterisk/autoconfig.h.in<br>index 0eed5a3..bd4713a 100644<br>--- a/include/asterisk/autoconfig.h.in<br>+++ b/include/asterisk/autoconfig.h.in<br>@@ -549,9 +549,6 @@<br> /* Define to 1 if you have the OpenSSL Secure Sockets Layer library. */<br> #undef HAVE_OPENSSL<br> <br>-/* Define to 1 if CRYPTO has the OpenSSL Elliptic Curve Support feature. */<br>-#undef HAVE_OPENSSL_EC<br>-<br> /* Define to 1 if CRYPTO has the OpenSSL SRTP Extension Support feature. 
*/<br> #undef HAVE_OPENSSL_SRTP<br> <br>diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c<br>index 8bf6664..f979763 100644<br>--- a/res/res_rtp_asterisk.c<br>+++ b/res/res_rtp_asterisk.c<br>@@ -43,9 +43,14 @@<br> #include <fcntl.h><br> <br> #ifdef HAVE_OPENSSL_SRTP<br>+#include <openssl/opensslconf.h><br>+#include <openssl/opensslv.h><br> #include <openssl/ssl.h><br> #include <openssl/err.h><br> #include <openssl/bio.h><br>+#ifndef OPENSSL_NO_DH<br>+#include <openssl/dh.h><br>+#endif<br> #endif<br> <br> #ifdef HAVE_PJPROJECT<br>@@ -1610,7 +1615,7 @@<br> {<br>  struct ast_rtp *rtp = ast_rtp_instance_get_data(instance);<br>    int res;<br>-#ifdef HAVE_OPENSSL_EC<br>+#if !defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L) && (OPENSSL_VERSION_NUMBER < 0x10100000L)<br>  EC_KEY *ecdh;<br> #endif<br> <br>@@ -1638,8 +1643,7 @@<br> <br>   SSL_CTX_set_read_ahead(rtp->ssl_ctx, 1);<br> <br>-#ifdef HAVE_OPENSSL_EC<br>-<br>+#ifndef OPENSSL_NO_DH<br>    if (!ast_strlen_zero(dtls_cfg->pvtfile)) {<br>                 BIO *bio = BIO_new_file(dtls_cfg->pvtfile, "r");<br>                 if (bio != NULL) {<br>@@ -1656,6 +1660,8 @@<br>                     BIO_free(bio);<br>                }<br>     }<br>+#endif /* !OPENSSL_NO_DH */<br>+#if !defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L) && (OPENSSL_VERSION_NUMBER < 0x10100000L)<br>    /* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */<br>       ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);<br>        if (ecdh != NULL) {<br>@@ -1672,8 +1678,7 @@<br>            }<br>             EC_KEY_free(ecdh);<br>    }<br>-<br>-#endif /* #ifdef HAVE_OPENSSL_EC */<br>+#endif /* !OPENSSL_NO_ECDH */<br> <br>         rtp->dtls_verify = dtls_cfg->verify;<br> <br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/9149">change 9149</a>. 
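Review bot: The three-clause guard `#if !defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L) && (OPENSSL_VERSION_NUMBER < 0x10100000L)` is spelled out twice, here in the `@@ -1610,7 +1615,7 @@` hunk and again in the `@@ -1656,6 +1660,8 @@` hunk, while the matching `#endif` in the `@@ -1672,8 +1678,7 @@` hunk is labelled only `/* !OPENSSL_NO_ECDH */`, so a reader of the closing line does not see that the block is also version-bounded. Defining the condition once next to the new includes, e.g. `#if !defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L) && (OPENSSL_VERSION_NUMBER < 0x10100000L)` / `#define AST_DTLS_MANUAL_ECDH 1` / `#endif` (name constructed), and testing `#ifdef AST_DTLS_MANUAL_ECDH` at both sites keeps the two guards from drifting apart and lets the `#endif` comment name the real condition. It would also help to document why the upper bound is 1.1.0: as I read the commit message, that is the release from which OpenSSL negotiates the group itself, so the fixed prime256v1 setup is only needed on 1.0.x — a one-line comment saying so at the first `#if` saves the next reader that inference. Builds whose `OPENSSL_VERSION_NUMBER` falls outside the 1.0.x range — older releases, or forks with a different numbering scheme — now skip the explicit curve setup entirely and depend on the library's own default group selection; if such builds are supported targets, the commit message should say so. The enclosing function starts and ends outside these hunks.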

<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 13 </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: I5b0dd47c5194ee17f830f869d629d7ef212cf537 </div>
<div style="display:none"> Gerrit-Change-Number: 9149 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Alexander Traud <pabstraud@compuserve.com> </div>