Summary: ASTERISK-27910: [patch] res_rtp_asterisk: Allow OpenSSL configured with no-deprecated.
Reporter: Alexander Traud (traud)
Labels: patch
Date Opened: 2018-06-08 14:50:56
Date Closed: 2018-06-12 10:03:36
Versions: 13.21.0 15.4.0
Frequency of
Environment:
Attachments: ( 0) no-deprecated_rtp_13.patch
( 1) no-deprecated_rtp_15.patch
Description: When OpenSSL is built from source, options can be configured. One option is to build without anything deprecated. This is the best option to test forward compatibility. However, this reveals that Asterisk did not include the used OpenSSL headers correctly. In the case of the module {{res_rtp_asterisk}}, the headers {{openssl/dh.h}} (Asterisk 13) and {{openssl/bn.h}} (Asterisk 15) were missing.

*Steps to reproduce* (Ubuntu 18.04 LTS)
{code}
sudo apt install build-essential pkg-config libedit-dev libjansson-dev libsqlite3-dev uuid-dev libxslt1-dev
sudo apt install libssl-dev
cd ~/Downloads
wget www.openssl.org/source/openssl-1.1.0h.tar.gz
tar -zxf ./openssl-*.tar.gz
cd ./openssl-*
./config shared no-deprecated
export SSL_HOME=$PWD
cd ~/Downloads
wget downloads.asterisk.org/pub/telephony/asterisk/asterisk-13-current.tar.gz
tar -zxf ./asterisk-*.tar.gz
cd ./asterisk-*
LDFLAGS="-Wl,-rpath $SSL_HOME" ./configure --with-crypto=$SSL_HOME --with-ssl=$SSL_HOME
make
{code}
OpenSSL headers in the system were required ({{sudo apt install libssl-dev}}) because in Asterisk {{--with-ssl}} does not work correctly yet. See ASTERISK-27865 and its section Notes whether this is still needed.

This issue was caused by Commit [04d3785|https://github.com/asterisk/asterisk/commit/04d3785a798e984a5f5d43ec5f124a9b30a58b9e#diff-a618fa70209ab9240777e52ccf1d62b4] (ASTERISK-27395) and Commit [85212f2|https://github.com/asterisk/asterisk/commit/85212f2799bfda8b40f9261de6a874e0f7c77428#diff-a618fa70209ab9240777e52ccf1d62b4] (ASTERISK-25659). Consequently, I introduced this issue myself. I thought OpenSSL uses a swallow header concept like PJProject - you include a header and it includes nearly everything. However, instead, I should have looked up the man page for each symbol used. That way, I would have learned about the required header.

Anyway, the attached patch adds just the header, which the compiler asks for. The change does not update the whole list of headers (or the list of OpenSSL headers). This is because the module {{res_rtp_asterisk}} is large and [iwyu|https://issues.asterisk.org/jira/browse/ASTERISK-25591] reports a tremendous number of missing headers. Furthermore, the change is already complex enough because {{openssl/dh.h}} is not part of OpenSSL when configured with {{no-dh}}, see ASTERISK-27876.

The attached patch removes HAVE_OPENSSL_EC, because that guard was too broad (included DH and EC related code) and was done via the script {{./configure}} instead of directly via the OpenSSL configuration. The patch guards only that part which must be guarded when OpenSSL was configured with no-ec or no-ecdh. Finally, the patch enables the named curves X25519 (since OpenSSL 1.1.0) and X448 (since OpenSSL 1.1.1), because {{SSL_CTRL_SET_ECDH_AUTO}} got enabled by default, that symbol got removed and {{SSL_CTX_ctrl}} returns an error now. Because of that, just the named curve P-256 was set, which disabled X25519 (and X448).
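
As an added example (not part of the attached patches or the Asterisk tree), a small shell check for the include problem described above: it lists OpenSSL headers whose functions a C file calls without including the header directly, which is what a {{no-deprecated}} build turns into a compile error. The prefix-to-header table, the function names and the sample C file are constructed for illustration.

```shell
#!/bin/sh
# Added example: list OpenSSL headers a C file needs, judging by the symbol
# prefixes it calls, but does not include directly.
# The prefix:header table is a small hand-picked subset (an assumption of this
# sketch); the man page of each symbol names the authoritative header.
OPENSSL_PREFIX_MAP='BN_:openssl/bn.h
DH_:openssl/dh.h
EC_KEY_:openssl/ec.h
EC_GROUP_:openssl/ec.h
ERR_:openssl/err.h
SSL_:openssl/ssl.h'

missing_openssl_headers() {
    src=$1
    printf '%s\n' "$OPENSSL_PREFIX_MAP" | while IFS=: read -r prefix header; do
        # Skip this prefix unless one of its functions is actually called.
        grep -Eq "(^|[^A-Za-z0-9_])${prefix}[A-Za-z0-9_]+[[:space:]]*\(" "$src" || continue
        # Skip it when the matching header is included directly.
        grep -E '^[[:space:]]*#[[:space:]]*include' "$src" | grep -Fq "<${header}>" && continue
        printf '%s\n' "$header"
    done | sort -u
}

# Constructed sample: relies on <openssl/ssl.h> to pull in everything else.
write_sample() {
    cat > "$1" <<'EOF'
#include <openssl/ssl.h>
#include <openssl/err.h>

static void setup(SSL_CTX *ctx)
{
	DH *dh = DH_new();
	EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
	BIGNUM *e = BN_new();
	SSL_CTX_set_tmp_dh(ctx, dh);
	SSL_CTX_set_tmp_ecdh(ctx, ecdh);
	BN_free(e);
	EC_KEY_free(ecdh);
	DH_free(dh);
}
EOF
}

sample=$(mktemp)
write_sample "$sample"
missing_openssl_headers "$sample"   # one missing header per line
rm -f "$sample"
```

The check is a prefix heuristic, not a replacement for include-what-you-use or for compiling against an OpenSSL built with {{no-deprecated}}.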
Comments:
By: Asterisk Team (asteriskteam) 2018-06-08 14:50:58.472-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Friendly Automation (friendly-automation) 2018-06-12 10:03:37.469-0500

Change 9148 merged by Jenkins2:
res_rtp_asterisk: Allow OpenSSL configured with no-deprecated.


By: Friendly Automation (friendly-automation) 2018-06-12 10:05:54.493-0500

Change 9147 merged by Jenkins2:
res_rtp_asterisk: Allow OpenSSL configured with no-deprecated.


By: Friendly Automation (friendly-automation) 2018-06-12 10:07:51.614-0500

Change 9149 merged by Jenkins2:
res_rtp_asterisk: Allow OpenSSL configured with no-deprecated.