mirror of
https://github.com/asterisk/asterisk.git
synced 2025-09-04 11:58:52 +00:00
res_rtp_asterisk: Enable Forward Secrecy (PFS) for DTLS.
Since July 2014, TLS based protocols (SIP over TLS, Secure WebSockets, HTTPS) support PFS thanks to ASTERISK-23905. In July 2015, the same feature was added for DTLS. The source code from main/tcptls.c should have been re-used to ease security audits. Therefore, this change rolls back the change from July 2015 and re-uses the code from July 2014. This has the additional benefits to work under CentOS 7 and enabling not just ECDHE but DHE based cipher suites as well. ASTERISK-25659 #close Reported by: StefanEng86, urbaniak, pay123 Tested by: sarumjanuch, traud patches: res_rtp_asterisk.patch submitted by sarumjanuch dtls_centos_step_1.patch submitted by traud dtls_centos_step_2.patch submitted by traud Change-Id: I537cadf4421f092a613146b230f2c0ee1be28d5c
This commit is contained in:
Alexander Traud
73
configure
vendored
73
configure
vendored
@@ -1116,10 +1116,6 @@ PBX_DAHDI
|
||||
DAHDI_DIR
|
||||
DAHDI_INCLUDE
|
||||
DAHDI_LIB
|
||||
PBX_OPENSSL_ECDH_AUTO
|
||||
OPENSSL_ECDH_AUTO_DIR
|
||||
OPENSSL_ECDH_AUTO_INCLUDE
|
||||
OPENSSL_ECDH_AUTO_LIB
|
||||
PBX_OPENSSL_EC
|
||||
OPENSSL_EC_DIR
|
||||
OPENSSL_EC_INCLUDE
|
||||
@@ -8779,18 +8775,6 @@ PBX_OPENSSL_EC=0
|
||||
|
||||
|
||||
|
||||
OPENSSL_ECDH_AUTO_DESCRIP="OpenSSL Auto ECDH Support"
|
||||
OPENSSL_ECDH_AUTO_OPTION=crypto
|
||||
OPENSSL_ECDH_AUTO_DIR=${CRYPTO_DIR}
|
||||
|
||||
PBX_OPENSSL_ECDH_AUTO=0
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
DAHDI_DESCRIP="DAHDI"
|
||||
DAHDI_OPTION="dahdi"
|
||||
PBX_DAHDI=0
|
||||
@@ -13639,7 +13623,7 @@ else
|
||||
We can't simply define LARGE_OFF_T to be 9223372036854775807,
|
||||
since some C++ compilers masquerading as C compilers
|
||||
incorrectly reject 9223372036854775807. */
|
||||
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
|
||||
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
|
||||
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
|
||||
&& LARGE_OFF_T % 2147483647 == 1)
|
||||
? 1 : -1];
|
||||
@@ -13685,7 +13669,7 @@ else
|
||||
We can't simply define LARGE_OFF_T to be 9223372036854775807,
|
||||
since some C++ compilers masquerading as C compilers
|
||||
incorrectly reject 9223372036854775807. */
|
||||
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
|
||||
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
|
||||
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
|
||||
&& LARGE_OFF_T % 2147483647 == 1)
|
||||
? 1 : -1];
|
||||
@@ -13709,7 +13693,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
|
||||
We can't simply define LARGE_OFF_T to be 9223372036854775807,
|
||||
since some C++ compilers masquerading as C compilers
|
||||
incorrectly reject 9223372036854775807. */
|
||||
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
|
||||
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
|
||||
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
|
||||
&& LARGE_OFF_T % 2147483647 == 1)
|
||||
? 1 : -1];
|
||||
@@ -13754,7 +13738,7 @@ else
|
||||
We can't simply define LARGE_OFF_T to be 9223372036854775807,
|
||||
since some C++ compilers masquerading as C compilers
|
||||
incorrectly reject 9223372036854775807. */
|
||||
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
|
||||
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
|
||||
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
|
||||
&& LARGE_OFF_T % 2147483647 == 1)
|
||||
? 1 : -1];
|
||||
@@ -13778,7 +13762,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
|
||||
We can't simply define LARGE_OFF_T to be 9223372036854775807,
|
||||
since some C++ compilers masquerading as C compilers
|
||||
incorrectly reject 9223372036854775807. */
|
||||
#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
|
||||
#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
|
||||
int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
|
||||
&& LARGE_OFF_T % 2147483647 == 1)
|
||||
? 1 : -1];
|
||||
@@ -31225,53 +31209,6 @@ _ACEOF
|
||||
fi
|
||||
|
||||
|
||||
fi
|
||||
|
||||
if test "$PBX_OPENSSL" = "1";
|
||||
then
|
||||
|
||||
if test "x${PBX_OPENSSL_ECDH_AUTO}" != "x1" -a "${USE_OPENSSL_ECDH_AUTO}" != "no"; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_ecdh_auto declared in openssl/ssl.h" >&5
|
||||
$as_echo_n "checking for SSL_CTX_set_ecdh_auto declared in openssl/ssl.h... " >&6; }
|
||||
saved_cppflags="${CPPFLAGS}"
|
||||
if test "x${OPENSSL_ECDH_AUTO_DIR}" != "x"; then
|
||||
OPENSSL_ECDH_AUTO_INCLUDE="-I${OPENSSL_ECDH_AUTO_DIR}/include"
|
||||
fi
|
||||
CPPFLAGS="${CPPFLAGS} ${OPENSSL_ECDH_AUTO_INCLUDE}"
|
||||
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
#include <openssl/ssl.h>
|
||||
int
|
||||
main ()
|
||||
{
|
||||
#if !defined(SSL_CTX_set_ecdh_auto)
|
||||
(void) SSL_CTX_set_ecdh_auto;
|
||||
#endif
|
||||
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
if ac_fn_c_try_compile "$LINENO"; then :
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
PBX_OPENSSL_ECDH_AUTO=1
|
||||
|
||||
$as_echo "#define HAVE_OPENSSL_ECDH_AUTO 1" >>confdefs.h
|
||||
|
||||
|
||||
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
|
||||
|
||||
CPPFLAGS="${saved_cppflags}"
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
if test "$PBX_OPENSSL" = "1";
|
||||
|
||||
Reference in New Issue
Block a user