<p>Joshua Colp <strong>merged</strong> this change.</p><p><a href="https://gerrit.asterisk.org/9185">View Change</a></p><div style="white-space:pre-wrap">Approvals:
George Joseph: Looks good to me, but someone else must approve
Joshua Colp: Looks good to me, approved; Approved for Submit
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">res_rtp_asterisk: Instead of ./configure use OPENSSL_NO_SRTP.<br><br>Previously, Asterisk used its script ./configure, to test whether OpenSSL was<br>built with no-srtp (or was simply too old). However, the header file<br><openssl/opensslconf.h> is the preferred way to detect the local configuration<br>of OpenSSL.<br><br>As a positive side-effect the script ./configure does not interleave the<br>detection of the Open Settlement Protocol Toolkit (OSPTK) with the detection of<br>individual features of OpenSSL anymore.<br><br>Change-Id: I3c77c7b00b2ffa2e935632097fa057b9fdf480c0<br>---<br>M configure<br>M configure.ac<br>M res/res_rtp_asterisk.c<br>3 files changed, 21 insertions(+), 116 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">diff --git a/configure b/configure<br>index a7862c9..91fe316 100755<br>--- a/configure<br>+++ b/configure<br>@@ -30470,102 +30470,6 @@<br> fi<br> fi<br> <br>-<br>-if test "x${PBX_OPENSSL_SRTP}" != "x1" -a "${USE_OPENSSL_SRTP}" != "no"; then<br>- pbxlibdir=""<br>- # if --with-OPENSSL_SRTP=DIR has been specified, use it.<br>- if test "x${OPENSSL_SRTP_DIR}" != "x"; then<br>- if test -d ${OPENSSL_SRTP_DIR}/lib; then<br>- pbxlibdir="-L${OPENSSL_SRTP_DIR}/lib"<br>- else<br>- pbxlibdir="-L${OPENSSL_SRTP_DIR}"<br>- fi<br>- fi<br>-<br>- ast_ext_lib_check_save_CFLAGS="${CFLAGS}"<br>- CFLAGS="${CFLAGS} "<br>- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_tlsext_use_srtp in -lssl" >&5<br>-$as_echo_n "checking for SSL_CTX_set_tlsext_use_srtp in -lssl... " >&6; }<br>-if ${ac_cv_lib_ssl_SSL_CTX_set_tlsext_use_srtp+:} false; then :<br>- $as_echo_n "(cached) " >&6<br>-else<br>- ac_check_lib_save_LIBS=$LIBS<br>-LIBS="-lssl ${pbxlibdir} -lcrypto $LIBS"<br>-cat confdefs.h - <<_ACEOF >conftest.$ac_ext<br>-/* end confdefs.h. 
*/<br>-<br>-/* Override any GCC internal prototype to avoid an error.<br>- Use char because int might match the return type of a GCC<br>- builtin and then its argument prototype would still apply. */<br>-#ifdef __cplusplus<br>-extern "C"<br>-#endif<br>-char SSL_CTX_set_tlsext_use_srtp ();<br>-int<br>-main ()<br>-{<br>-return SSL_CTX_set_tlsext_use_srtp ();<br>- ;<br>- return 0;<br>-}<br>-_ACEOF<br>-if ac_fn_c_try_link "$LINENO"; then :<br>- ac_cv_lib_ssl_SSL_CTX_set_tlsext_use_srtp=yes<br>-else<br>- ac_cv_lib_ssl_SSL_CTX_set_tlsext_use_srtp=no<br>-fi<br>-rm -f core conftest.err conftest.$ac_objext \<br>- conftest$ac_exeext conftest.$ac_ext<br>-LIBS=$ac_check_lib_save_LIBS<br>-fi<br>-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_CTX_set_tlsext_use_srtp" >&5<br>-$as_echo "$ac_cv_lib_ssl_SSL_CTX_set_tlsext_use_srtp" >&6; }<br>-if test "x$ac_cv_lib_ssl_SSL_CTX_set_tlsext_use_srtp" = xyes; then :<br>- AST_OPENSSL_SRTP_FOUND=yes<br>-else<br>- AST_OPENSSL_SRTP_FOUND=no<br>-fi<br>-<br>- CFLAGS="${ast_ext_lib_check_save_CFLAGS}"<br>-<br>-<br>- # now check for the header.<br>- if test "${AST_OPENSSL_SRTP_FOUND}" = "yes"; then<br>- OPENSSL_SRTP_LIB="${pbxlibdir} -lssl -lcrypto"<br>- # if --with-OPENSSL_SRTP=DIR has been specified, use it.<br>- if test "x${OPENSSL_SRTP_DIR}" != "x"; then<br>- OPENSSL_SRTP_INCLUDE="-I${OPENSSL_SRTP_DIR}/include"<br>- fi<br>- OPENSSL_SRTP_INCLUDE="${OPENSSL_SRTP_INCLUDE} "<br>-<br>- # check for the header<br>- ast_ext_lib_check_saved_CPPFLAGS="${CPPFLAGS}"<br>- CPPFLAGS="${CPPFLAGS} ${OPENSSL_SRTP_INCLUDE}"<br>- ac_fn_c_check_header_mongrel "$LINENO" "openssl/ssl.h" "ac_cv_header_openssl_ssl_h" "$ac_includes_default"<br>-if test "x$ac_cv_header_openssl_ssl_h" = xyes; then :<br>- OPENSSL_SRTP_HEADER_FOUND=1<br>-else<br>- OPENSSL_SRTP_HEADER_FOUND=0<br>-fi<br>-<br>-<br>- CPPFLAGS="${ast_ext_lib_check_saved_CPPFLAGS}"<br>-<br>- if test "x${OPENSSL_SRTP_HEADER_FOUND}" = "x0" ; then<br>- OPENSSL_SRTP_LIB=""<br>- 
OPENSSL_SRTP_INCLUDE=""<br>- else<br>-<br>- PBX_OPENSSL_SRTP=1<br>- cat >>confdefs.h <<_ACEOF<br>-#define HAVE_OPENSSL_SRTP 1<br>-_ACEOF<br>-<br>- fi<br>- fi<br>-fi<br>-<br>-<br> fi<br> <br> <br>diff --git a/configure.ac b/configure.ac<br>index fe5ab57..b6ded90 100644<br>--- a/configure.ac<br>+++ b/configure.ac<br>@@ -2504,7 +2504,6 @@<br> if test "$PBX_OPENSSL" = "1";<br> then<br> AST_CHECK_OSPTK([4], [0], [0])<br>- AST_EXT_LIB_CHECK([OPENSSL_SRTP], [ssl], [SSL_CTX_set_tlsext_use_srtp], [openssl/ssl.h], [-lcrypto])<br> fi<br> <br> AST_EXT_LIB_CHECK([SRTP], [srtp2], [srtp_init], [srtp2/srtp.h], [], [], [2])<br>diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c<br>index f979763..1a1307f 100644<br>--- a/res/res_rtp_asterisk.c<br>+++ b/res/res_rtp_asterisk.c<br>@@ -42,14 +42,16 @@<br> #include <signal.h><br> #include <fcntl.h><br> <br>-#ifdef HAVE_OPENSSL_SRTP<br>+#ifdef HAVE_OPENSSL<br> #include <openssl/opensslconf.h><br> #include <openssl/opensslv.h><br>+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)<br> #include <openssl/ssl.h><br> #include <openssl/err.h><br> #include <openssl/bio.h><br> #ifndef OPENSSL_NO_DH<br> #include <openssl/dh.h><br>+#endif<br> #endif<br> #endif<br> <br>@@ -268,7 +270,7 @@<br> enum ast_media_type stream_type;<br> };<br> <br>-#ifdef HAVE_OPENSSL_SRTP<br>+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)<br> struct dtls_details {<br> SSL *ssl; /*!< SSL session */<br> BIO *read_bio; /*!< Memory buffer for reading */<br>@@ -391,7 +393,7 @@<br> unsigned int ice_num_components; /*!< The number of ICE components */<br> #endif<br> <br>-#ifdef HAVE_OPENSSL_SRTP<br>+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)<br> SSL_CTX *ssl_ctx; /*!< SSL context */<br> enum ast_rtp_dtls_verify dtls_verify; /*!< What to verify */<br> enum ast_srtp_suite suite; /*!< SRTP crypto suite */<br>@@ -468,7 +470,7 @@<br> /* VP8: sequence number for the RTCP FIR FCI */<br> int firseq;<br> 
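Review bot: The test `!defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)` sits under `#ifdef HAVE_OPENSSL` only in this include hunk. The later hunks (struct dtls_details, the engine table, dtls_perform_handshake and the rest) repeat it bare, so a build without OpenSSL relies on the undefined `OPENSSL_VERSION_NUMBER` evaluating to 0 and will warn under `-Wundef`. Deriving one file-local macro right after the two version headers, for example `#define RTP_DTLS_SRTP 1` (the name is only a suggestion), and testing that at the roughly twenty sites would keep them in step. The constant also deserves a comment such as `/* DTLS-SRTP needs SSL_CTX_set_tlsext_use_srtp, i.e. OpenSSL 1.0.1 or later */`. The removed configure probe link-tested that symbol in -lssl, whereas a header test cannot detect headers and library that disagree.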
<br>-#ifdef HAVE_OPENSSL_SRTP<br>+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)<br> struct dtls_details dtls; /*!< DTLS state information */<br> #endif<br> <br>@@ -522,7 +524,7 @@<br> static int ast_rtp_qos_set(struct ast_rtp_instance *instance, int tos, int cos, const char* desc);<br> static int ast_rtp_sendcng(struct ast_rtp_instance *instance, int level);<br> <br>-#ifdef HAVE_OPENSSL_SRTP<br>+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)<br> static int ast_rtp_activate(struct ast_rtp_instance *instance);<br> static void dtls_srtp_check_pending(struct ast_rtp_instance *instance, struct ast_rtp *rtp, int rtcp);<br> static void dtls_srtp_start_timeout_timer(struct ast_rtp_instance *instance, struct ast_rtp *rtp, int rtcp);<br>@@ -1541,7 +1543,7 @@<br> };<br> #endif<br> <br>-#ifdef HAVE_OPENSSL_SRTP<br>+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)<br> static int dtls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)<br> {<br> /* We don't want to actually verify the certificate so just accept what they have provided */<br>@@ -1997,13 +1999,13 @@<br> #ifdef HAVE_PJPROJECT<br> .ice = &ast_rtp_ice,<br> #endif<br>-#ifdef HAVE_OPENSSL_SRTP<br>+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)<br> .dtls = &ast_rtp_dtls,<br> .activate = ast_rtp_activate,<br> #endif<br> };<br> <br>-#ifdef HAVE_OPENSSL_SRTP<br>+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)<br> /*! 
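Review bot: dtls_verify_callback is documented only by the inline remark that the certificate is accepted as provided, and after this change it is compiled into every build whose OpenSSL headers are 1.0.1 or newer and do not define OPENSSL_NO_SRTP. The function should carry a doc comment naming the check that authenticates the peer instead; presumably that is a comparison against the certificate fingerprint exchanged in signalling, but that code is not visible in this diff. Something like `/*! \brief Accept any peer certificate; the peer is authenticated by <name the check> */` would keep a reader from taking this for a missing verification. The function body continues outside the hunk.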
\pre instance is locked */<br> static void dtls_perform_handshake(struct ast_rtp_instance *instance, struct dtls_details *dtls, int rtcp)<br> {<br>@@ -2064,7 +2066,7 @@<br> }<br> }<br> <br>-#ifdef HAVE_OPENSSL_SRTP<br>+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)<br> dtls_perform_handshake(instance, &rtp->dtls, 0);<br> <br> if (rtp->rtcp && rtp->rtcp->type == AST_RTP_INSTANCE_RTCP_STANDARD) {<br>@@ -2195,7 +2197,7 @@<br> return 1;<br> }<br> <br>-#ifdef HAVE_OPENSSL_SRTP<br>+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)<br> /*! \pre instance is locked */<br> static int dtls_srtp_handle_timeout(struct ast_rtp_instance *instance, int rtcp)<br> {<br>@@ -2519,7 +2521,7 @@<br> return len;<br> }<br> <br>-#ifdef HAVE_OPENSSL_SRTP<br>+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)<br> /* If this is an SSL packet pass it to OpenSSL for processing. RFC section for first byte value:<br> * https://tools.ietf.org/html/rfc5764#section-5.1.2 */<br> if ((*in >= 20) && (*in <= 63)) {<br>@@ -3223,7 +3225,7 @@<br> /* Record any information we may need */<br> rtp->sched = sched;<br> <br>-#ifdef HAVE_OPENSSL_SRTP<br>+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)<br> rtp->rekeyid = -1;<br> rtp->dtls.timeout_timer = -1;<br> #endif<br>@@ -3244,7 +3246,7 @@<br> struct timespec ts = { .tv_sec = wait.tv_sec, .tv_nsec = wait.tv_usec * 1000, };<br> #endif<br> <br>-#ifdef HAVE_OPENSSL_SRTP<br>+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)<br> ast_rtp_dtls_stop(instance);<br> #endif<br> <br>@@ -5859,7 +5861,7 @@<br> return;<br> }<br> rtp->rtcp->s = -1;<br>-#ifdef HAVE_OPENSSL_SRTP<br>+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)<br> rtp->rtcp->dtls.timeout_timer = -1;<br> #endif<br> rtp->rtcp->schedid = -1;<br>@@ -5922,7 +5924,7 @@<br> rtp_add_candidates_to_ice(instance, rtp, &rtp->rtcp->us, ast_sockaddr_port(&rtp->rtcp->us), 
AST_RTP_ICE_COMPONENT_RTCP, TRANSPORT_SOCKET_RTCP);<br> }<br> #endif<br>-#ifdef HAVE_OPENSSL_SRTP<br>+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)<br> dtls_setup_rtcp(instance);<br> #endif<br> } else {<br>@@ -5942,7 +5944,7 @@<br> rtp->rtcp->s = rtp->s;<br> ast_rtp_instance_get_remote_address(instance, &addr);<br> ast_sockaddr_copy(&rtp->rtcp->them, &addr);<br>-#ifdef HAVE_OPENSSL_SRTP<br>+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)<br> if (rtp->rtcp->dtls.ssl && rtp->rtcp->dtls.ssl != rtp->dtls.ssl) {<br> SSL_free(rtp->rtcp->dtls.ssl);<br> }<br>@@ -5970,7 +5972,7 @@<br> if (rtp->rtcp->s > -1 && rtp->rtcp->s != rtp->s) {<br> close(rtp->rtcp->s);<br> }<br>-#ifdef HAVE_OPENSSL_SRTP<br>+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)<br> ao2_unlock(instance);<br> dtls_srtp_stop_timeout_timer(instance, rtp, 1);<br> ao2_lock(instance);<br>@@ -6212,7 +6214,7 @@<br> struct ast_rtp *rtp = ast_rtp_instance_get_data(instance);<br> struct ast_sockaddr addr = { {0,} };<br> <br>-#ifdef HAVE_OPENSSL_SRTP<br>+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)<br> ao2_unlock(instance);<br> AST_SCHED_DEL_UNREF(rtp->sched, rtp->rekeyid, ao2_ref(instance, -1));<br> <br>@@ -6307,7 +6309,7 @@<br> return res;<br> }<br> <br>-#ifdef HAVE_OPENSSL_SRTP<br>+#if !defined(OPENSSL_NO_SRTP) && (OPENSSL_VERSION_NUMBER >= 0x10001000L)<br> static void dtls_perform_setup(struct dtls_details *dtls)<br> {<br> if (!dtls->ssl || !SSL_is_init_finished(dtls->ssl)) {<br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/9185">change 9185</a>. To unsubscribe, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/9185"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 13 </div>
<div style="display:none"> Gerrit-MessageType: merged </div>
<div style="display:none"> Gerrit-Change-Id: I3c77c7b00b2ffa2e935632097fa057b9fdf480c0 </div>
<div style="display:none"> Gerrit-Change-Number: 9185 </div>
<div style="display:none"> Gerrit-PatchSet: 2 </div>
<div style="display:none"> Gerrit-Owner: Alexander Traud <pabstraud@compuserve.com> </div>
<div style="display:none"> Gerrit-Reviewer: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins2 </div>
<div style="display:none"> Gerrit-Reviewer: Joshua Colp <jcolp@digium.com> </div>