Date:      Fri, 12 Feb 2016 20:29:01 +0000 (UTC)
From:      Guido Falsi <madpilot@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r408754 - in branches/2016Q1/net: asterisk asterisk/files asterisk11 asterisk13
Message-ID:  <201602122029.u1CKT1Q0023360@repo.freebsd.org>

Author: madpilot
Date: Fri Feb 12 20:29:01 2016
New Revision: 408754
URL: https://svnweb.freebsd.org/changeset/ports/408754

Log:
  MFH: r408743
  
  - Update net/asterisk11 to 11.21.2, which provides a fix for the
    old OpenSSL included in 9.x
  - Backport the fix to net/asterisk (asterisk 1.8)
  - net/asterisk13 already includes this fix, so remove my workaround
  
  While here, asterisk 1.8 reached EOL on 2015-10-21, so DEPRECATE
  it and add an expiration time.
  
  Approved by:		ports-secteam (feld)

Modified:
  branches/2016Q1/net/asterisk/Makefile
  branches/2016Q1/net/asterisk/files/patch-AST-2016-001
  branches/2016Q1/net/asterisk/files/patch-configure
  branches/2016Q1/net/asterisk11/Makefile
  branches/2016Q1/net/asterisk11/distinfo
  branches/2016Q1/net/asterisk13/Makefile
Directory Properties:
  branches/2016Q1/   (props changed)

Modified: branches/2016Q1/net/asterisk/Makefile
==============================================================================
--- branches/2016Q1/net/asterisk/Makefile	Fri Feb 12 20:22:15 2016	(r408753)
+++ branches/2016Q1/net/asterisk/Makefile	Fri Feb 12 20:29:01 2016	(r408754)
@@ -3,7 +3,7 @@
 
 PORTNAME=	asterisk
 PORTVERSION=	1.8.32.3
-PORTREVISION=	5
+PORTREVISION=	6
 CATEGORIES=	net
 MASTER_SITES=	http://downloads.asterisk.org/pub/telephony/%SUBDIR%/:main,g729
 MASTER_SITE_SUBDIR=	asterisk/:main \
@@ -20,6 +20,9 @@ LICENSE_FILE=	${WRKSRC}/LICENSE
 
 EXTRACT_ONLY:=	${DISTNAME}${EXTRACT_SUFX}
 
+DEPRECATED=	Aterisk 1.8 reached EOL on 2015-10-21
+EXPIRATION_DATE=	2015-04-30
+
 ONLY_FOR_ARCHS=	i386 amd64 powerpc sparc64
 
 USES=		alias bison cpe gmake shebangfix
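Review bot: The added `EXPIRATION_DATE=	2015-04-30` is earlier than both the EOL date stated in DEPRECATED (2015-10-21) and the commit date (2016-02-12), so the port is already past its expiration when it is first marked. The year looks like a typo, presumably for `EXPIRATION_DATE=	2016-04-30`; the intended date should be confirmed. The DEPRECATED text also misspells the product name and should read `DEPRECATED=	Asterisk 1.8 reached EOL on 2015-10-21`. This notice is what tells users the port is end-of-life and only receiving backported fixes, so both values should be correct.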
@@ -223,9 +226,6 @@ post-patch:
 	@${REINPLACE_CMD} -e '/#define HAVE_SYSINFO 1/d' ${WRKSRC}/configure
 	@${REINPLACE_CMD} -e '/%%LIBSYSINFO%%/d' ${WRKSRC}/main/Makefile
 .endif
-.if ${OPSYS} == FreeBSD && (${OSVERSION} < 1000015 && !(defined(WITH_OPENSSL_PORT) || (!defined(WITH_OPENSSL_BASE) && exists(${LOCALBASE}/lib/libcrypto.so))))
-	@${REINPLACE_CMD} -e 's/SSL_OP_NO_TLSv1[_12]*;/0;/' ${WRKSRC}/main/tcptls.c
-.endif
 
 .if exists(${FILESDIR}/.asterisk.makeopts)
 USER_MAKEOPTS_FILE=${FILESDIR}/.asterisk.makeopts

Modified: branches/2016Q1/net/asterisk/files/patch-AST-2016-001
==============================================================================
--- branches/2016Q1/net/asterisk/files/patch-AST-2016-001	Fri Feb 12 20:22:15 2016	(r408753)
+++ branches/2016Q1/net/asterisk/files/patch-AST-2016-001	Fri Feb 12 20:29:01 2016	(r408754)
@@ -1,6 +1,4 @@
-diff --git a/configs/http.conf.sample b/configs/http.conf.sample
-index 1a7f4fd..9a06fcf 100644
---- configs/http.conf.sample
+--- configs/http.conf.sample.orig	2014-06-12 16:05:50 UTC
 +++ configs/http.conf.sample
 @@ -67,10 +67,31 @@ bindaddr=127.0.0.1
  ; If no path is given for tlscertfile or tlsprivatekey, default is to look in current
@@ -34,9 +32,7 @@ index 1a7f4fd..9a06fcf 100644
  ; The post_mappings section maps URLs to real paths on the filesystem.  If a
  ; POST is done from within an authenticated manager session to one of the
  ; configured POST mappings, then any files in the POST will be placed in the
-diff --git a/include/asterisk/tcptls.h b/include/asterisk/tcptls.h
-index f3f5e1f..eb7166f 100644
---- include/asterisk/tcptls.h
+--- include/asterisk/tcptls.h.orig	2014-06-13 04:58:51 UTC
 +++ include/asterisk/tcptls.h
 @@ -79,7 +79,15 @@ enum ast_ssl_flags {
  	/*! Use SSLv3 for outgoing client connections */
@@ -55,9 +51,7 @@ index f3f5e1f..eb7166f 100644
  };
  
  struct ast_tls_config {
-diff --git a/main/http.c b/main/http.c
-index 9bebbe7..4bfa985 100644
---- main/http.c
+--- main/http.c.orig	2014-06-13 04:58:51 UTC
 +++ main/http.c
 @@ -1118,10 +1118,13 @@ static int __ast_http_load(int reload)
  	}
@@ -83,11 +77,9 @@ index 9bebbe7..4bfa985 100644
  				&& !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
  				continue;
  			}
-diff --git a/main/tcptls.c b/main/tcptls.c
-index a5a2af6..f73c2aa 100644
---- main/tcptls.c
+--- main/tcptls.c.orig	2015-04-08 16:53:07 UTC
 +++ main/tcptls.c
-@@ -749,6 +749,7 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
+@@ -749,6 +749,7 @@ static int __ssl_setup(struct ast_tls_co
  	return 0;
  #else
  	int disable_ssl = 0;
@@ -95,35 +87,41 @@ index a5a2af6..f73c2aa 100644
  
  	if (!cfg->enabled)
  		return 0;
-@@ -793,11 +794,24 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
+@@ -793,12 +794,30 @@ static int __ssl_setup(struct ast_tls_co
  	 * them. SSLv23_*_method supports TLSv1+.
  	 */
  	if (disable_ssl) {
 -		long ssl_opts;
 +		ssl_opts |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
 +	}
-+
-+	if (ast_test_flag(&cfg->flags, AST_SSL_SERVER_CIPHER_ORDER)) {
-+		ssl_opts |= SSL_OP_CIPHER_SERVER_PREFERENCE;
-+	}
  
 -		ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
 -		SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
++	if (ast_test_flag(&cfg->flags, AST_SSL_SERVER_CIPHER_ORDER)) {
++		ssl_opts |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+ 	}
+ 
 +	if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) {
 +		ssl_opts |= SSL_OP_NO_TLSv1;
- 	}
++	}
++#if defined(HAVE_SSL_OP_NO_TLSV1_1) && defined(HAVE_SSL_OP_NO_TLSV1_2)
 +	if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) {
 +		ssl_opts |= SSL_OP_NO_TLSv1_1;
 +	}
 +	if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) {
 +		ssl_opts |= SSL_OP_NO_TLSv1_2;
 +	}
++#else
++	ast_log(LOG_WARNING, "Your version of OpenSSL leaves you potentially vulnerable "
++			"to the SSL BEAST attack. Please upgrade to OpenSSL 1.0.1 or later\n");
++#endif
 +
 +	SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
- 
++
  	SSL_CTX_set_verify(cfg->ssl_ctx,
  		ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,
-@@ -1109,6 +1123,14 @@ int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_
+ 		NULL);
+@@ -1109,6 +1128,14 @@ int ast_tls_read_conf(struct ast_tls_con
  			ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
  			ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
  		}
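Review bot: In the `#else` branch added to the patched `__ssl_setup`, a configuration that sets AST_SSL_DISABLE_TLSV11 or AST_SSL_DISABLE_TLSV12 is not honoured and the operator is not told so. Those flags are only tested inside `#if defined(HAVE_SSL_OP_NO_TLSV1_1) && defined(HAVE_SSL_OP_NO_TLSV1_2)`, while the fallback logs the generic BEAST warning on every setup whatever was configured. I would keep that warning but add one specific to the ignored settings, e.g. `if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11 | AST_SSL_DISABLE_TLSV12)) ast_log(LOG_WARNING, "TLSv1.1/1.2 disable options ignored: not supported by this OpenSSL\n");`. On such a build, setting AST_SSL_DISABLE_TLSV1 together with the SSLv2/SSLv3 disable presumably leaves no protocol enabled, which is worth a comment next to the `SSL_OP_NO_TLSv1` line. The body of `__ssl_setup` starts and ends outside this hunk.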
@@ -138,3 +136,18 @@ index a5a2af6..f73c2aa 100644
  	} else {
  		return -1;
  	}
+--- include/asterisk/autoconfig.h.in.orig	2014-06-20 23:12:25 UTC
++++ include/asterisk/autoconfig.h.in
+@@ -752,6 +752,12 @@
+ /* Define to 1 if you have the ISDN SS7 library. */
+ #undef HAVE_SS7
+ 
++/* Define if your system has the SSL_OP_NO_TLSV1_1 headers. */
++#undef HAVE_SSL_OP_NO_TLSV1_1
++
++/* Define if your system has the SSL_OP_NO_TLSV1_2 headers. */
++#undef HAVE_SSL_OP_NO_TLSV1_2
++
+ /* Define to 1 if `stat' has the bug that it succeeds when given the
+    zero-length file name argument. */
+ #undef HAVE_STAT_EMPTY_STRING_BUG

Modified: branches/2016Q1/net/asterisk/files/patch-configure
==============================================================================
--- branches/2016Q1/net/asterisk/files/patch-configure	Fri Feb 12 20:22:15 2016	(r408753)
+++ branches/2016Q1/net/asterisk/files/patch-configure	Fri Feb 12 20:29:01 2016	(r408754)
@@ -1,6 +1,15 @@
 --- configure.orig	2014-08-17 22:31:23 UTC
 +++ configure
-@@ -4698,9 +4698,9 @@ astetcdir='${sysconfdir}/asterisk'
+@@ -632,6 +632,8 @@ CONFIG_GMIME
+ AIS_LIB
+ AIS_INCLUDE
+ PBX_AIS
++PBX_SSL_OP_NO_TLSV1_2
++PBX_SSL_OP_NO_TLSV1_1
+ OPENH323_BUILD
+ OPENH323_SUFFIX
+ OPENH323_LIBDIR
+@@ -4698,9 +4700,9 @@ astetcdir='${sysconfdir}/asterisk'
  astheaderdir='${includedir}/asterisk'
  astlibdir='${libdir}/asterisk'
  astmandir='${mandir}'
@@ -12,7 +21,7 @@
  astkeydir='${astvarlibdir}'
  astspooldir='${localstatedir}/spool/asterisk'
  astlogdir='${localstatedir}/log/asterisk'
-@@ -4723,8 +4723,6 @@ esac
+@@ -4723,8 +4725,6 @@ esac
  case "${host_os}" in
       freebsd*)
       ac_default_prefix=/usr/local
@@ -21,7 +30,7 @@
       ;;
       openbsd*)
       ac_default_prefix=/usr/local
-@@ -18470,6 +18468,8 @@ $as_echo_n "checking if \"struct ifaddrs
+@@ -18470,6 +18470,8 @@ $as_echo_n "checking if \"struct ifaddrs
  
  	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
  /* end confdefs.h.  */
@@ -30,7 +39,7 @@
   #include <ifaddrs.h>
  int
  main ()
-@@ -26245,7 +26245,7 @@ $as_echo "${OPENH323_BUILD}" >&6; }
+@@ -26245,7 +26247,7 @@ $as_echo "${OPENH323_BUILD}" >&6; }
  
  	fi
  
@@ -39,7 +48,7 @@
  
  	if test "${HAS_OPENH323:-unset}" != "unset"; then
  	   { $as_echo "$as_me:${as_lineno-$LINENO}: checking OpenH323 installation validity" >&5
-@@ -26343,13 +26343,13 @@ if test "x${PBX_LUA}" != "x1" -a "${USE_
+@@ -26343,13 +26345,13 @@ if test "x${PBX_LUA}" != "x1" -a "${USE_
        ast_ext_lib_check_save_CFLAGS="${CFLAGS}"
        CFLAGS="${CFLAGS} "
        as_ac_Lib=`$as_echo "ac_cv_lib_lua5.2_${pbxfuncname}" | $as_tr_sh`
@@ -56,7 +65,7 @@
  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
  /* end confdefs.h.  */
  
-@@ -26391,18 +26391,18 @@ fi
+@@ -26391,18 +26393,18 @@ fi
  
     # now check for the header.
     if test "${AST_LUA_FOUND}" = "yes"; then
@@ -78,7 +87,7 @@
  if test "x$ac_cv_header_lua5_2_lua_h" = xyes; then :
    LUA_HEADER_FOUND=1
  else
-@@ -26455,13 +26455,13 @@ if test "x${PBX_LUA}" != "x1" -a "${USE_
+@@ -26455,13 +26457,13 @@ if test "x${PBX_LUA}" != "x1" -a "${USE_
        ast_ext_lib_check_save_CFLAGS="${CFLAGS}"
        CFLAGS="${CFLAGS} "
        as_ac_Lib=`$as_echo "ac_cv_lib_lua5.1_${pbxfuncname}" | $as_tr_sh`
@@ -95,7 +104,7 @@
  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
  /* end confdefs.h.  */
  
-@@ -26503,18 +26503,18 @@ fi
+@@ -26503,18 +26505,18 @@ fi
  
     # now check for the header.
     if test "${AST_LUA_FOUND}" = "yes"; then
@@ -117,3 +126,106 @@
  if test "x$ac_cv_header_lua5_1_lua_h" = xyes; then :
    LUA_HEADER_FOUND=1
  else
+@@ -27879,6 +27881,102 @@ $as_echo "no" >&6; }
+ 
+ fi
+ 
++if test "$PBX_OPENSSL" = "1";
++then
++
++    if test "x${PBX_SSL_OP_NO_TLSV1_1}" != "x1"; then
++	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_OP_NO_TLSv1_1 in openssl/ssl.h" >&5
++$as_echo_n "checking for SSL_OP_NO_TLSv1_1 in openssl/ssl.h... " >&6; }
++	saved_cppflags="${CPPFLAGS}"
++	if test "x${SSL_OP_NO_TLSV1_1_DIR}" != "x"; then
++	    SSL_OP_NO_TLSV1_1_INCLUDE="-I${SSL_OP_NO_TLSV1_1_DIR}/include"
++	fi
++	CPPFLAGS="${CPPFLAGS} ${SSL_OP_NO_TLSV1_1_INCLUDE}"
++
++	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++ #include <openssl/ssl.h>
++int
++main ()
++{
++#if defined(SSL_OP_NO_TLSv1_1)
++				int foo = 0;
++			        #else
++			        int foo = bar;
++			        #endif
++				0
++
++  ;
++  return 0;
++
++_ACEOF
++if ac_fn_c_try_compile "$LINENO"; then :
++     { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
++$as_echo "yes" >&6; }
++		PBX_SSL_OP_NO_TLSV1_1=1
++
++$as_echo "#define HAVE_SSL_OP_NO_TLSV1_1 1" >>confdefs.h
++
++
++
++else
++     { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
++
++fi
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++	CPPFLAGS="${saved_cppflags}"
++    fi
++
++
++
++    if test "x${PBX_SSL_OP_NO_TLSV1_2}" != "x1"; then
++	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_OP_NO_TLSv1_2 in openssl/ssl.h" >&5
++$as_echo_n "checking for SSL_OP_NO_TLSv1_2 in openssl/ssl.h... " >&6; }
++	saved_cppflags="${CPPFLAGS}"
++	if test "x${SSL_OP_NO_TLSV1_2_DIR}" != "x"; then
++	    SSL_OP_NO_TLSV1_2_INCLUDE="-I${SSL_OP_NO_TLSV1_2_DIR}/include"
++	fi
++	CPPFLAGS="${CPPFLAGS} ${SSL_OP_NO_TLSV1_2_INCLUDE}"
++
++	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++ #include <openssl/ssl.h>
++int
++main ()
++{
++if defined(SSL_OP_NO_TLSv1_2)
++				int foo = 0;
++			        #else
++			        int foo = bar;
++			        #endif
++				0
++
++  ;
++  return 0;
++}
++_ACEOF
++if ac_fn_c_try_compile "$LINENO"; then :
++    { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
++$as_echo "yes" >&6; }
++		PBX_SSL_OP_NO_TLSV1_2=1
++
++$as_echo "#define HAVE_SSL_OP_NO_TLSV1_2 1" >>confdefs.h
++
++
++
++else
++     { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
++
++fi
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++	CPPFLAGS="${saved_cppflags}"
++    fi
++
++
++fi
++
+ 
+ if test "x${PBX_SRTP}" != "x1" -a "${USE_SRTP}" != "no"; then
+    pbxlibdir=""
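Review bot: As shown here, neither of the two conftest programs added to configure can compile, so both checks will report "no" whichever OpenSSL is installed. The SSL_OP_NO_TLSv1_1 program has no closing brace after `return 0;` before `_ACEOF`, and the SSL_OP_NO_TLSv1_2 program opens with `if defined(SSL_OP_NO_TLSv1_2)` without the leading `#`, which leaves the following `#else` unmatched. The result is that HAVE_SSL_OP_NO_TLSV1_1 and HAVE_SSL_OP_NO_TLSV1_2 are never defined, the tcptls.c patch always takes its `#else` branch, and the TLSv1.1/1.2 disable options are never applied while the BEAST warning is logged even on a current OpenSSL. The fix is to add a `}` line before the first `_ACEOF` and change the second test to `#if defined(SSL_OP_NO_TLSv1_2)`. If either defect is an artifact of the mail archive, the committed patch-configure should be checked directly. Each branch should then be confirmed by running configure against a 1.0.1+ and a pre-1.0.1 OpenSSL.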

Modified: branches/2016Q1/net/asterisk11/Makefile
==============================================================================
--- branches/2016Q1/net/asterisk11/Makefile	Fri Feb 12 20:22:15 2016	(r408753)
+++ branches/2016Q1/net/asterisk11/Makefile	Fri Feb 12 20:29:01 2016	(r408754)
@@ -1,7 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	asterisk
-PORTVERSION=	11.21.1
+PORTVERSION=	11.21.2
 CATEGORIES=	net
 MASTER_SITES=	http://downloads.asterisk.org/pub/telephony/%SUBDIR%/:main,g729
 MASTER_SITE_SUBDIR=	asterisk/:main \
@@ -227,9 +227,6 @@ post-patch:
 	@${REINPLACE_CMD} -e '/#define HAVE_SYSINFO 1/d' ${WRKSRC}/configure
 	@${REINPLACE_CMD} -e '/%%LIBSYSINFO%%/d' ${WRKSRC}/main/Makefile
 .endif
-.if ${OPSYS} == FreeBSD && (${OSVERSION} < 1000015 && !(defined(WITH_OPENSSL_PORT) || (!defined(WITH_OPENSSL_BASE) && exists(${LOCALBASE}/lib/libcrypto.so))))
-	@${REINPLACE_CMD} -e 's/SSL_OP_NO_TLSv1[_12]*;/0;/' ${WRKSRC}/main/tcptls.c
-.endif
 
 .if exists(${FILESDIR}/.asterisk.makeopts)
 USER_MAKEOPTS_FILE=${FILESDIR}/.asterisk.makeopts

Modified: branches/2016Q1/net/asterisk11/distinfo
==============================================================================
--- branches/2016Q1/net/asterisk11/distinfo	Fri Feb 12 20:22:15 2016	(r408753)
+++ branches/2016Q1/net/asterisk11/distinfo	Fri Feb 12 20:29:01 2016	(r408754)
@@ -1,5 +1,5 @@
-SHA256 (asterisk-11.21.1.tar.gz) = d02afbdda172a6bb98883350d64f83ce865fcea01642a05067ca2c916c3a1ee5
-SIZE (asterisk-11.21.1.tar.gz) = 34867941
+SHA256 (asterisk-11.21.2.tar.gz) = 9f4408ecda81efccbc0ce6728a7c53fa1528c527ea65d81a165e830c9f91bcac
+SIZE (asterisk-11.21.2.tar.gz) = 34867025
 SHA256 (asterisk-core-sounds-en-g729-1.4.27.tar.gz) = f5d21ca8305b29ea84fb4603c65c041483ea3a9cd0bf313eb4f098342a29af5f
 SIZE (asterisk-core-sounds-en-g729-1.4.27.tar.gz) = 1408055
 SHA256 (asterisk-moh-opsound-g729-2.03.tar.gz) = 0147ca9a97f0c550227aacb7793499057c4d2c64e021c95f93722f27d5549585

Modified: branches/2016Q1/net/asterisk13/Makefile
==============================================================================
--- branches/2016Q1/net/asterisk13/Makefile	Fri Feb 12 20:22:15 2016	(r408753)
+++ branches/2016Q1/net/asterisk13/Makefile	Fri Feb 12 20:29:01 2016	(r408754)
@@ -2,6 +2,7 @@
 
 PORTNAME=	asterisk
 PORTVERSION=	13.7.1
+PORTREVISION=	1
 CATEGORIES=	net
 MASTER_SITES=	http://downloads.asterisk.org/pub/telephony/%SUBDIR%/:main,g729
 MASTER_SITE_SUBDIR=	asterisk/:main \
@@ -249,9 +250,6 @@ post-patch:
 	@${REINPLACE_CMD} -e '/#define HAVE_SYSINFO 1/d' ${WRKSRC}/configure
 	@${REINPLACE_CMD} -e '/%%LIBSYSINFO%%/d' ${WRKSRC}/main/Makefile
 .endif
-.if ${OPSYS} == FreeBSD && (${OSVERSION} < 1000015 && !(defined(WITH_OPENSSL_PORT) || (!defined(WITH_OPENSSL_BASE) && exists(${LOCALBASE}/lib/libcrypto.so))))
-	@${REINPLACE_CMD} -e 's/SSL_OP_NO_TLSv1[_12]*;/0;/' ${WRKSRC}/main/tcptls.c
-.endif
 
 .if exists(${FILESDIR}/.asterisk.makeopts)
 USER_MAKEOPTS_FILE=${FILESDIR}/.asterisk.makeopts


