diff options
author | Mark Duncan <mark@syon.co.jp> | 2015-07-28 19:33:39 +0900 |
---|---|---|
committer | Mark Duncan <mark@syon.co.jp> | 2015-07-29 11:24:49 +0900 |
commit | 1d081ec9707159287b1a4a0bb52a78a81663ad32 (patch) | |
tree | 4d5b105c666ed2158feeef8b257f62a728398218 | |
parent | 309dd2a4090ccdd1ea31d8d5415a645daddd3883 (diff) |
res/res_rtp_asterisk: Add ECDH support
This will add ECDH support to Asterisk. It will
detect auto ECDH support in OpenSSL
(1.0.2b and above) during ./configure. If this is
available, it will use it,
otherwise it will fall back to prime256v1 (this
behavior is consistent with
other projects such as Apache and nginx).
This fixes WebRTC being broken in Firefox 38+ due
to Firefox now only supporting
ciphers with perfect forward secrecy.
ASTERISK-25265 #close
Change-Id: I8c13b33a2a79c0bde2e69e4ba6afa5ab9351465b
-rwxr-xr-x | configure | 63 | ||||
-rw-r--r-- | configure.ac | 6 | ||||
-rw-r--r-- | include/asterisk/autoconfig.h.in | 4 | ||||
-rw-r--r-- | res/res_rtp_asterisk.c | 9 |
4 files changed, 80 insertions, 2 deletions
@@ -1097,6 +1097,10 @@ PBX_DAHDI DAHDI_DIR DAHDI_INCLUDE DAHDI_LIB +PBX_OPENSSL_ECDH_AUTO +OPENSSL_ECDH_AUTO_DIR +OPENSSL_ECDH_AUTO_INCLUDE +OPENSSL_ECDH_AUTO_LIB PBX_OPENSSL_EC OPENSSL_EC_DIR OPENSSL_EC_INCLUDE @@ -8706,6 +8710,18 @@ PBX_OPENSSL_EC=0 +OPENSSL_ECDH_AUTO_DESCRIP="OpenSSL Auto ECDH Support" +OPENSSL_ECDH_AUTO_OPTION=crypto +OPENSSL_ECDH_AUTO_DIR=${CRYPTO_DIR} + +PBX_OPENSSL_ECDH_AUTO=0 + + + + + + + DAHDI_DESCRIP="DAHDI" DAHDI_OPTION="dahdi" PBX_DAHDI=0 @@ -30529,6 +30545,53 @@ fi fi +if test "$PBX_OPENSSL" = "1"; +then + + if test "x${PBX_OPENSSL_ECDH_AUTO}" != "x1" -a "${USE_OPENSSL_ECDH_AUTO}" != "no"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_ecdh_auto declared in openssl/ssl.h" >&5 +$as_echo_n "checking for SSL_CTX_set_ecdh_auto declared in openssl/ssl.h... " >&6; } + saved_cppflags="${CPPFLAGS}" + if test "x${OPENSSL_ECDH_AUTO_DIR}" != "x"; then + OPENSSL_ECDH_AUTO_INCLUDE="-I${OPENSSL_ECDH_AUTO_DIR}/include" + fi + CPPFLAGS="${CPPFLAGS} ${OPENSSL_ECDH_AUTO_INCLUDE}" + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include <openssl/ssl.h> +int +main () +{ +#if !defined(SSL_CTX_set_ecdh_auto) + (void) SSL_CTX_set_ecdh_auto; + #endif + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + PBX_OPENSSL_ECDH_AUTO=1 + +$as_echo "#define HAVE_OPENSSL_ECDH_AUTO 1" >>confdefs.h + + + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + + CPPFLAGS="${saved_cppflags}" + fi + +fi + if test "x${PBX_SRTP}" != "x1" -a "${USE_SRTP}" != "no"; then pbxlibdir="" diff --git a/configure.ac b/configure.ac index c09d30a7f..50a7c7341 100644 --- a/configure.ac +++ b/configure.ac @@ -414,6 +414,7 @@ AST_EXT_LIB_SETUP([CRYPT], [password and data encryption], [crypt]) AST_EXT_LIB_SETUP([CRYPTO], [OpenSSL Cryptography], [crypto]) AST_EXT_LIB_SETUP_OPTIONAL([OPENSSL_SRTP], [OpenSSL SRTP Extension Support], [CRYPTO], [crypto]) AST_EXT_LIB_SETUP_OPTIONAL([OPENSSL_EC], [OpenSSL Elliptic Curve Support], [CRYPTO], [crypto]) +AST_EXT_LIB_SETUP_OPTIONAL([OPENSSL_ECDH_AUTO], [OpenSSL Auto ECDH Support], [CRYPTO], [crypto]) AST_EXT_LIB_SETUP([DAHDI], [DAHDI], [dahdi]) AST_EXT_LIB_SETUP([FFMPEG], [Ffmpeg and avcodec], [avcodec]) AST_EXT_LIB_SETUP([GSM], [External GSM], [gsm], [, use 'internal' GSM otherwise]) @@ -2288,6 +2289,11 @@ then AST_EXT_LIB_CHECK([OPENSSL_EC], [ssl], [EC_KEY_new_by_curve_name], [openssl/ec.h], [-lcrypto]) fi +if test "$PBX_OPENSSL" = "1"; +then + AST_C_DECLARE_CHECK([OPENSSL_ECDH_AUTO], [SSL_CTX_set_ecdh_auto], [openssl/ssl.h]) +fi + AST_EXT_LIB_CHECK([SRTP], [srtp], [srtp_init], [srtp/srtp.h]) if test "$PBX_SRTP" = "1"; diff --git a/include/asterisk/autoconfig.h.in b/include/asterisk/autoconfig.h.in index 6b41a8c9a..965b329de 100644 --- a/include/asterisk/autoconfig.h.in +++ b/include/asterisk/autoconfig.h.in @@ -548,6 +548,9 @@ /* Define to 1 if CRYPTO has the OpenSSL Elliptic Curve Support feature. */ #undef HAVE_OPENSSL_EC +/* Define if your system has SSL_CTX_set_ecdh_auto declared. */ +#undef HAVE_OPENSSL_ECDH_AUTO + /* Define to 1 if CRYPTO has the OpenSSL SRTP Extension Support feature. */ #undef HAVE_OPENSSL_SRTP @@ -1376,4 +1379,3 @@ #undef volatile #endif - diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c index 53e9b29c2..7e507c9a5 100644 --- a/res/res_rtp_asterisk.c +++ b/res/res_rtp_asterisk.c @@ -1288,6 +1288,13 @@ static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, con SSL_CTX_set_read_ahead(rtp->ssl_ctx, 1); +#ifdef HAVE_OPENSSL_ECDH_AUTO + SSL_CTX_set_ecdh_auto(rtp->ssl_ctx, 1); +#else + SSL_CTX_set_tmp_ecdh(rtp->ssl_ctx, + EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); +#endif + rtp->dtls_verify = dtls_cfg->verify; SSL_CTX_set_verify(rtp->ssl_ctx, (rtp->dtls_verify & AST_RTP_DTLS_VERIFY_FINGERPRINT) || (rtp->dtls_verify & AST_RTP_DTLS_VERIFY_CERTIFICATE) ? @@ -1641,7 +1648,7 @@ static void ast_rtp_on_ice_complete(pj_ice_sess *ice, pj_status_t status) update_address_with_ice_candidate(rtp, AST_RTP_ICE_COMPONENT_RTCP, &rtp->rtcp->them); } } - + #ifdef HAVE_OPENSSL_SRTP dtls_perform_handshake(instance, &rtp->dtls, 0); |