diff options
| author | Alexander Traud <pabstraud@compuserve.com> | 2016-06-22 14:13:39 +0200 |
|---|---|---|
| committer | Alexander Traud <pabstraud@compuserve.com> | 2016-07-13 11:48:21 -0500 |
| commit | 332beb27d86c8e1a6220c2ccfc9e54b57d299e02 (patch) | |
| tree | 2c226080a97a88328cceda38194e3598ae6d4005 /res/res_rtp_asterisk.c | |
| parent | 8cea01ab1b3e07282487d7efe1888f290cc4280a (diff) | |
res_rtp_asterisk: Enable Forward Secrecy (PFS) for DTLS.
Since July 2014, TLS based protocols (SIP over TLS, Secure WebSockets, HTTPS)
support PFS thanks to ASTERISK-23905. In July 2015, the same feature was added
for DTLS. The source code from main/tcptls.c should have been re-used to ease
security audits. Therefore, this change rolls back the change from July 2015 and
re-uses the code from July 2014. This has the additional benefits to work under
CentOS 7 and enabling not just ECDHE but DHE based cipher suites as well.
ASTERISK-25659 #close
Reported by: StefanEng86, urbaniak, pay123
Tested by: sarumjanuch, traud
patches:
res_rtp_asterisk.patch submitted by sarumjanuch
dtls_centos_step_1.patch submitted by traud
dtls_centos_step_2.patch submitted by traud
Change-Id: I537cadf4421f092a613146b230f2c0ee1be28d5c
Diffstat (limited to 'res/res_rtp_asterisk.c')
| -rw-r--r-- | res/res_rtp_asterisk.c | 41 |
1 files changed, 34 insertions, 7 deletions
diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c index feab1ca80..8055e877f 100644 --- a/res/res_rtp_asterisk.c +++ b/res/res_rtp_asterisk.c @@ -1340,7 +1340,7 @@ static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, con { struct ast_rtp *rtp = ast_rtp_instance_get_data(instance); int res; -#ifndef HAVE_OPENSSL_ECDH_AUTO +#ifdef HAVE_OPENSSL_EC EC_KEY *ecdh; #endif @@ -1368,15 +1368,42 @@ static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, con SSL_CTX_set_read_ahead(rtp->ssl_ctx, 1); -#ifdef HAVE_OPENSSL_ECDH_AUTO - SSL_CTX_set_ecdh_auto(rtp->ssl_ctx, 1); -#else +#ifdef HAVE_OPENSSL_EC + + if (!ast_strlen_zero(dtls_cfg->pvtfile)) { + BIO *bio = BIO_new_file(dtls_cfg->pvtfile, "r"); + if (bio != NULL) { + DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); + if (dh != NULL) { + if (SSL_CTX_set_tmp_dh(rtp->ssl_ctx, dh)) { + long options = SSL_OP_CIPHER_SERVER_PREFERENCE | + SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE; + options = SSL_CTX_set_options(rtp->ssl_ctx, options); + ast_verb(2, "DTLS DH initialized, PFS enabled\n"); + } + DH_free(dh); + } + BIO_free(bio); + } + } + /* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */ ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - if (ecdh) { - SSL_CTX_set_tmp_ecdh(rtp->ssl_ctx, ecdh); + if (ecdh != NULL) { + if (SSL_CTX_set_tmp_ecdh(rtp->ssl_ctx, ecdh)) { + #ifndef SSL_CTRL_SET_ECDH_AUTO + #define SSL_CTRL_SET_ECDH_AUTO 94 + #endif + /* SSL_CTX_set_ecdh_auto(rtp->ssl_ctx, on); requires OpenSSL 1.0.2 which wraps: */ + if (SSL_CTX_ctrl(rtp->ssl_ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)) { + ast_verb(2, "DTLS ECDH initialized (automatic), faster PFS enabled\n"); + } else { + ast_verb(2, "DTLS ECDH initialized (secp256r1), faster PFS enabled\n"); + } + } EC_KEY_free(ecdh); } -#endif + +#endif /* #ifdef HAVE_OPENSSL_EC */ rtp->dtls_verify = dtls_cfg->verify; |