[asterisk-dev] Deprecating res_crypto and replacement

Joshua C. Colp jcolp at sangoma.com
Tue Mar 29 18:09:48 CDT 2022


On Tue, Mar 29, 2022 at 7:46 PM Philip Prindeville <philipp_subx at redfish-solutions.com> wrote:

> Hi,
>
> I'm working on replacing res_crypto for a variety of reasons.  It's a poor
> API that's inflexible.  It uses cryptographically deprecated methods and
> key sizes.  It doesn't support ECC.  It isn't forward compatible with
> OpenSSL-3.0.  It doesn't have any test case coverage, etc.
>

My opinion is that a minimum of changes should be done to allow res_crypto
to continue to exist. It's not a module that is really used except in
legacy things and func_aes. I'm not even sure how much func_aes is used
really. The only time res_crypto has really been used is in legacy modules
that did their own crypto kind of thing. I don't think updating res_crypto
for the sake of it is worthwhile as of this time.


>
> I've identified that:
>
> func/func_aes
> chan/chan_iax2
> pbx/pbx_dundi
> pbx/dundi-parser
>
> use res_crypto.  Is there out-of-tree stuff that requires it as well?
>
> Anyway, I'm working on the requirements for the replacement here:
>
> https://wiki.asterisk.org/wiki/pages/viewpage.action?pageId=49153311


The page is not accessible.


>
> And feedback is appreciated.
>

Both chan_iax2 and pbx_dundi are effectively in a maintenance mode. The
chan_iax2 module sees some changes as a result of community members still
using it, but few. The pbx_dundi module never sees changes. I would be
extremely hesitant in any changes to them to take advantage of any changes
for the sake of it due to the possibility of regressions, and also any
protocol changes that would have to occur if they were expanded for more
recent cryptography. The func_aes module would be the only thing I could
vaguely see using any improvements but there's nothing to say that it
couldn't just be changed to not use res_crypto.

-- 
Joshua C. Colp
Asterisk Technical Lead
Sangoma Technologies
Check us out at www.sangoma.com and www.asterisk.org