[Asterisk-code-review] res rtp asterisk: Enable Forward Secrecy (PFS) for DTLS. (asterisk[11])
Anonymous Coward
asteriskteam at digium.com
Thu Jul 14 09:55:10 CDT 2016
Anonymous Coward #1000019 has submitted this change and it was merged.
Change subject: res_rtp_asterisk: Enable Forward Secrecy (PFS) for DTLS.
......................................................................
res_rtp_asterisk: Enable Forward Secrecy (PFS) for DTLS.
Since July 2014, TLS based protocols (SIP over TLS, Secure WebSockets, HTTPS)
support PFS thanks to ASTERISK-23905. In July 2015, the same feature was added
for DTLS. The source code from main/tcptls.c should have been re-used to ease
security audits. Therefore, this change rolls back the change from July 2015 and
re-uses the code from July 2014. This has the additional benefits to work under
CentOS 7 and enabling not just ECDHE but DHE based cipher suites as well.
ASTERISK-25659 #close
Reported by: StefanEng86, urbaniak, pay123
Tested by: sarumjanuch, traud
patches:
res_rtp_asterisk.patch submitted by sarumjanuch
dtls_centos_step_1.patch submitted by traud
dtls_centos_step_2.patch submitted by traud
Change-Id: I537cadf4421f092a613146b230f2c0ee1be28d5c
---
M CHANGES
M configure
M configure.ac
M include/asterisk/autoconfig.h.in
M res/res_rtp_asterisk.c
5 files changed, 55 insertions(+), 79 deletions(-)
Approvals:
George Joseph: Looks good to me, but someone else must approve
Anonymous Coward #1000019: Verified
Joshua Colp: Looks good to me, approved
diff --git a/CHANGES b/CHANGES
index 2d50722..9f62f95 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,28 @@
==============================================================================
------------------------------------------------------------------------------
+--- Functionality changes since Asterisk 11.24 -------------------------------
+------------------------------------------------------------------------------
+
+res_rtp_asterisk
+------------------
+ * The DTLS part in Asterisk now supports Perfect Forward Secrecy (PFS).
+ Enabling PFS is attempted by default, and is dependent on the configuration
+ of the module using TLS.
+ - Ephemeral ECDH (ECDHE) is enabled by default. To disable it, do not
+ specify a ECDHE cipher suite in sip.conf, for example:
+ dtlscipher=AES128-SHA
+ - Ephemeral DH (DHE) is disabled by default. To enable it, add DH parameters
+ into the private key file, e.g., sip.conf dtlsprivatekey. For example:
+ openssl dhparam -out ./dh.pem 2048
+ - Because clients expect the server to prefer PFS, and because OpenSSL sorts
+ its cipher suites by bit strength, see "openssl ciphers -v DEFAULT".
+ Consider re-ordering your cipher suites in the respective configuration
+ file. For example:
+ dtlscipher=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
+ which forces PFS and requires at least DTLS 1.2.
+
+------------------------------------------------------------------------------
--- Functionality changes since Asterisk 11.21 -------------------------------
------------------------------------------------------------------------------
diff --git a/configure b/configure
index 1598f29..c86e94a 100755
--- a/configure
+++ b/configure
@@ -1056,10 +1056,6 @@
DAHDI_DIR
DAHDI_INCLUDE
DAHDI_LIB
-PBX_OPENSSL_ECDH_AUTO
-OPENSSL_ECDH_AUTO_DIR
-OPENSSL_ECDH_AUTO_INCLUDE
-OPENSSL_ECDH_AUTO_LIB
PBX_OPENSSL_SRTP
OPENSSL_SRTP_DIR
OPENSSL_SRTP_INCLUDE
@@ -8520,18 +8516,6 @@
OPENSSL_SRTP_DIR=${CRYPTO_DIR}
PBX_OPENSSL_SRTP=0
-
-
-
-
-
-
-
-OPENSSL_ECDH_AUTO_DESCRIP="OpenSSL Auto ECDH Support"
-OPENSSL_ECDH_AUTO_OPTION=crypto
-OPENSSL_ECDH_AUTO_DIR=${CRYPTO_DIR}
-
-PBX_OPENSSL_ECDH_AUTO=0
@@ -28474,53 +28458,6 @@
fi
fi
-
-fi
-
-if test "$PBX_OPENSSL" = "1";
-then
-
- if test "x${PBX_OPENSSL_ECDH_AUTO}" != "x1" -a "${USE_OPENSSL_ECDH_AUTO}" != "no"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_ecdh_auto declared in openssl/ssl.h" >&5
-$as_echo_n "checking for SSL_CTX_set_ecdh_auto declared in openssl/ssl.h... " >&6; }
- saved_cppflags="${CPPFLAGS}"
- if test "x${OPENSSL_ECDH_AUTO_DIR}" != "x"; then
- OPENSSL_ECDH_AUTO_INCLUDE="-I${OPENSSL_ECDH_AUTO_DIR}/include"
- fi
- CPPFLAGS="${CPPFLAGS} ${OPENSSL_ECDH_AUTO_INCLUDE}"
-
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
- #include <openssl/ssl.h>
-int
-main ()
-{
-#if !defined(SSL_CTX_set_ecdh_auto)
- (void) SSL_CTX_set_ecdh_auto;
- #endif
-
- ;
- return 0;
-}
-_ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
- PBX_OPENSSL_ECDH_AUTO=1
-
-$as_echo "#define HAVE_OPENSSL_ECDH_AUTO 1" >>confdefs.h
-
-
-
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-
-fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-
- CPPFLAGS="${saved_cppflags}"
- fi
fi
diff --git a/configure.ac b/configure.ac
index 09cce24..c420f16 100644
--- a/configure.ac
+++ b/configure.ac
@@ -392,7 +392,6 @@
AST_EXT_LIB_SETUP([CURSES], [curses], [curses])
AST_EXT_LIB_SETUP([CRYPTO], [OpenSSL Cryptography], [crypto])
AST_EXT_LIB_SETUP_OPTIONAL([OPENSSL_SRTP], [OpenSSL SRTP Extension Support], [CRYPTO], [crypto])
-AST_EXT_LIB_SETUP_OPTIONAL([OPENSSL_ECDH_AUTO], [OpenSSL Auto ECDH Support], [CRYPTO], [crypto])
AST_EXT_LIB_SETUP([DAHDI], [DAHDI], [dahdi])
AST_EXT_LIB_SETUP([FFMPEG], [Ffmpeg and avcodec], [avcodec])
AST_EXT_LIB_SETUP([GSM], [External GSM], [gsm], [, use 'internal' GSM otherwise])
@@ -2227,11 +2226,6 @@
then
AST_CHECK_OSPTK([4], [0], [0])
AST_EXT_LIB_CHECK([OPENSSL_SRTP], [ssl], [SSL_CTX_set_tlsext_use_srtp], [openssl/ssl.h], [-lcrypto])
-fi
-
-if test "$PBX_OPENSSL" = "1";
-then
- AST_C_DECLARE_CHECK([OPENSSL_ECDH_AUTO], [SSL_CTX_set_ecdh_auto], [openssl/ssl.h])
fi
if test "$PBX_OPENSSL" = "1";
diff --git a/include/asterisk/autoconfig.h.in b/include/asterisk/autoconfig.h.in
index 21c66d7..bf22b92 100644
--- a/include/asterisk/autoconfig.h.in
+++ b/include/asterisk/autoconfig.h.in
@@ -530,9 +530,6 @@
/* Define to 1 if you have the OpenSSL Secure Sockets Layer library. */
#undef HAVE_OPENSSL
-/* Define if your system has SSL_CTX_set_ecdh_auto declared. */
-#undef HAVE_OPENSSL_ECDH_AUTO
-
/* Define to 1 if CRYPTO has the OpenSSL SRTP Extension Support feature. */
#undef HAVE_OPENSSL_SRTP
diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c
index 36ce117..b89c2e2 100644
--- a/res/res_rtp_asterisk.c
+++ b/res/res_rtp_asterisk.c
@@ -1285,7 +1285,7 @@
{
struct ast_rtp *rtp = ast_rtp_instance_get_data(instance);
int res;
-#ifndef HAVE_OPENSSL_ECDH_AUTO
+#ifdef HAVE_OPENSSL_EC
EC_KEY *ecdh;
#endif
@@ -1309,15 +1309,41 @@
SSL_CTX_set_read_ahead(rtp->ssl_ctx, 1);
-#ifdef HAVE_OPENSSL_ECDH_AUTO
- SSL_CTX_set_ecdh_auto(rtp->ssl_ctx, 1);
-#else
+#ifdef HAVE_OPENSSL_EC
+
+ if (!ast_strlen_zero(dtls_cfg->pvtfile)) {
+ BIO *bio = BIO_new_file(dtls_cfg->pvtfile, "r");
+ if (bio != NULL) {
+ DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+ if (dh != NULL) {
+ if (SSL_CTX_set_tmp_dh(rtp->ssl_ctx, dh)) {
+ long options = SSL_OP_CIPHER_SERVER_PREFERENCE |
+ SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE;
+ options = SSL_CTX_set_options(rtp->ssl_ctx, options);
+ ast_verb(2, "DTLS DH initialized, PFS enabled\n");
+ }
+ DH_free(dh);
+ }
+ BIO_free(bio);
+ }
+ }
+ /* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */
ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
- if (ecdh) {
- SSL_CTX_set_tmp_ecdh(rtp->ssl_ctx, ecdh);
+ if (ecdh != NULL) {
+ if (SSL_CTX_set_tmp_ecdh(rtp->ssl_ctx, ecdh)) {
+ #ifndef SSL_CTRL_SET_ECDH_AUTO
+ #define SSL_CTRL_SET_ECDH_AUTO 94
+ #endif
+ /* SSL_CTX_set_ecdh_auto(rtp->ssl_ctx, on); requires OpenSSL 1.0.2 which wraps: */
+ if (SSL_CTX_ctrl(rtp->ssl_ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)) {
+ ast_verb(2, "DTLS ECDH initialized (automatic), faster PFS enabled\n");
+ } else {
+ ast_verb(2, "DTLS ECDH initialized (secp256r1), faster PFS enabled\n");
+ }
EC_KEY_free(ecdh);
}
-#endif
+
+#endif /* #ifdef HAVE_OPENSSL_EC */
rtp->dtls_verify = dtls_cfg->verify;
--
To view, visit https://gerrit.asterisk.org/3068
To unsubscribe, visit https://gerrit.asterisk.org/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I537cadf4421f092a613146b230f2c0ee1be28d5c
Gerrit-PatchSet: 4
Gerrit-Project: asterisk
Gerrit-Branch: 11
Gerrit-Owner: Alexander Traud <pabstraud at compuserve.com>
Gerrit-Reviewer: Alexander Traud <pabstraud at compuserve.com>
Gerrit-Reviewer: Anonymous Coward #1000019
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Richard Mudgett <rmudgett at digium.com>
More information about the asterisk-code-review
mailing list