diff options
| author | Guido Falsi <madpilot@FreeBSD.org> | 2016-02-04 11:43:38 +0000 |
|---|---|---|
| committer | Guido Falsi <madpilot@FreeBSD.org> | 2016-02-04 11:43:38 +0000 |
| commit | 5047b7d692f0051b0df5b77ee5eda018f3d1e161 (patch) | |
| tree | 21458049557669b1b278a69d3ff95081f32c8411 | |
| parent | 9b881ea46bd601fe6afcf009ac6653d38c571e8d (diff) | |
| download | ports-5047b7d692f0051b0df5b77ee5eda018f3d1e161.tar.gz ports-5047b7d692f0051b0df5b77ee5eda018f3d1e161.zip | |
Notes
| -rw-r--r-- | net/asterisk/Makefile | 5 | ||||
| -rw-r--r-- | net/asterisk/files/patch-AST-2016-001 | 140 | ||||
| -rw-r--r-- | net/asterisk/files/patch-AST-2016-002 | 18 | ||||
| -rw-r--r-- | net/asterisk/files/patch-AST-2016-003 | 28 | ||||
| -rw-r--r-- | net/asterisk11/Makefile | 6 | ||||
| -rw-r--r-- | net/asterisk11/distinfo | 4 | ||||
| -rw-r--r-- | net/asterisk13/Makefile | 6 | ||||
| -rw-r--r-- | net/asterisk13/distinfo | 4 |
8 files changed, 202 insertions, 9 deletions
diff --git a/net/asterisk/Makefile b/net/asterisk/Makefile index a2b93ac9eeeb..f3e554401d1c 100644 --- a/net/asterisk/Makefile +++ b/net/asterisk/Makefile @@ -3,7 +3,7 @@ PORTNAME= asterisk PORTVERSION= 1.8.32.3 -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= net MASTER_SITES= http://downloads.asterisk.org/pub/telephony/%SUBDIR%/:main,g729 MASTER_SITE_SUBDIR= asterisk/:main \ @@ -223,6 +223,9 @@ post-patch: @${REINPLACE_CMD} -e '/#define HAVE_SYSINFO 1/d' ${WRKSRC}/configure @${REINPLACE_CMD} -e '/%%LIBSYSINFO%%/d' ${WRKSRC}/main/Makefile .endif +.if ${OPSYS} == FreeBSD && (${OSVERSION} < 1000015 && !(defined(WITH_OPENSSL_PORT) || (!defined(WITH_OPENSSL_BASE) && exists(${LOCALBASE}/lib/libcrypto.so)))) + @${REINPLACE_CMD} -e 's/SSL_OP_NO_TLSv1[_12]*;/0;/' ${WRKSRC}/main/tcptls.c +.endif .if exists(${FILESDIR}/.asterisk.makeopts) USER_MAKEOPTS_FILE=${FILESDIR}/.asterisk.makeopts diff --git a/net/asterisk/files/patch-AST-2016-001 b/net/asterisk/files/patch-AST-2016-001 new file mode 100644 index 000000000000..95b4302d09cd --- /dev/null +++ b/net/asterisk/files/patch-AST-2016-001 @@ -0,0 +1,140 @@ +diff --git a/configs/http.conf.sample b/configs/http.conf.sample +index 1a7f4fd..9a06fcf 100644 +--- configs/http.conf.sample ++++ configs/http.conf.sample +@@ -67,10 +67,31 @@ bindaddr=127.0.0.1 + ; If no path is given for tlscertfile or tlsprivatekey, default is to look in current + ; directory. If no tlsprivatekey is given, default is to search tlscertfile for private key. + ; ++; + ; To produce a certificate you can e.g. use openssl. This places both the cert and + ; private in same .pem file. + ; openssl req -new -x509 -days 365 -nodes -out /tmp/foo.pem -keyout /tmp/foo.pem + ; ++; tlscipher= ; The list of allowed ciphers ++; ; if none are specified the following cipher ++; ; list will be used instead: ++; ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384: ++; ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256: ++; kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA: ++; ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384: ++; ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA: ++; DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA: ++; AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA: ++; AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH: ++; !EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA ++; ++; tlsdisablev1=yes ; Disable TLSv1 support - if not set this defaults to "yes" ++; tlsdisablev11=yes ; Disable TLSv1.1 support - if not set this defaults to "no" ++; tlsdisablev12=yes ; Disable TLSv1.2 support - if not set this defaults to "no" ++; ++; tlsservercipherorder=yes ; Use the server preference order instead of the client order ++; ; Defaults to "yes" ++; + ; The post_mappings section maps URLs to real paths on the filesystem. If a + ; POST is done from within an authenticated manager session to one of the + ; configured POST mappings, then any files in the POST will be placed in the +diff --git a/include/asterisk/tcptls.h b/include/asterisk/tcptls.h +index f3f5e1f..eb7166f 100644 +--- include/asterisk/tcptls.h ++++ include/asterisk/tcptls.h +@@ -79,7 +79,15 @@ enum ast_ssl_flags { + /*! Use SSLv3 for outgoing client connections */ + AST_SSL_SSLV3_CLIENT = (1 << 4), + /*! Use TLSv1 for outgoing client connections */ +- AST_SSL_TLSV1_CLIENT = (1 << 5) ++ AST_SSL_TLSV1_CLIENT = (1 << 5), ++ /*! Use server cipher order instead of the client order */ ++ AST_SSL_SERVER_CIPHER_ORDER = (1 << 6), ++ /*! Disable TLSv1 support */ ++ AST_SSL_DISABLE_TLSV1 = (1 << 7), ++ /*! Disable TLSv1.1 support */ ++ AST_SSL_DISABLE_TLSV11 = (1 << 8), ++ /*! Disable TLSv1.2 support */ ++ AST_SSL_DISABLE_TLSV12 = (1 << 9), + }; + + struct ast_tls_config { +diff --git a/main/http.c b/main/http.c +index 9bebbe7..4bfa985 100644 +--- main/http.c ++++ main/http.c +@@ -1118,10 +1118,13 @@ static int __ast_http_load(int reload) + } + http_tls_cfg.pvtfile = ast_strdup(""); + ++ /* Apply modern intermediate settings according to the Mozilla OpSec team as of July 30th, 2015 but disable TLSv1 */ ++ ast_set_flag(&http_tls_cfg.flags, AST_SSL_DISABLE_TLSV1 | AST_SSL_SERVER_CIPHER_ORDER); ++ + if (http_tls_cfg.cipher) { + ast_free(http_tls_cfg.cipher); + } +- http_tls_cfg.cipher = ast_strdup(""); ++ http_tls_cfg.cipher = ast_strdup("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"); + + AST_RWLIST_WRLOCK(&uri_redirects); + while ((redirect = AST_RWLIST_REMOVE_HEAD(&uri_redirects, entry))) { +@@ -1146,8 +1149,6 @@ static int __ast_http_load(int reload) + && strcasecmp(v->name, "tlsdontverifyserver") + && strcasecmp(v->name, "tlsclientmethod") + && strcasecmp(v->name, "sslclientmethod") +- && strcasecmp(v->name, "tlscipher") +- && strcasecmp(v->name, "sslcipher") + && !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) { + continue; + } +diff --git a/main/tcptls.c b/main/tcptls.c +index a5a2af6..f73c2aa 100644 +--- main/tcptls.c ++++ main/tcptls.c +@@ -749,6 +749,7 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client) + return 0; + #else + int disable_ssl = 0; ++ long ssl_opts = 0; + + if (!cfg->enabled) + return 0; +@@ -793,11 +794,24 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client) + * them. SSLv23_*_method supports TLSv1+. + */ + if (disable_ssl) { +- long ssl_opts; ++ ssl_opts |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; ++ } ++ ++ if (ast_test_flag(&cfg->flags, AST_SSL_SERVER_CIPHER_ORDER)) { ++ ssl_opts |= SSL_OP_CIPHER_SERVER_PREFERENCE; ++ } + +- ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; +- SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts); ++ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) { ++ ssl_opts |= SSL_OP_NO_TLSv1; + } ++ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) { ++ ssl_opts |= SSL_OP_NO_TLSv1_1; ++ } ++ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) { ++ ssl_opts |= SSL_OP_NO_TLSv1_2; ++ } ++ ++ SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts); + + SSL_CTX_set_verify(cfg->ssl_ctx, + ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE, +@@ -1109,6 +1123,14 @@ int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_ + ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT); + ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT); + } ++ } else if (!strcasecmp(varname, "tlsservercipherorder")) { ++ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_SERVER_CIPHER_ORDER); ++ } else if (!strcasecmp(varname, "tlsdisablev1")) { ++ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV1); ++ } else if (!strcasecmp(varname, "tlsdisablev11")) { ++ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV11); ++ } else if (!strcasecmp(varname, "tlsdisablev12")) { ++ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV12); + } else { + return -1; + } diff --git a/net/asterisk/files/patch-AST-2016-002 b/net/asterisk/files/patch-AST-2016-002 new file mode 100644 index 000000000000..75ca85aeacf8 --- /dev/null +++ b/net/asterisk/files/patch-AST-2016-002 @@ -0,0 +1,18 @@ +diff --git a/channels/chan_sip.c b/channels/chan_sip.c +index 5de304a..277eec7 100644 +--- channels/chan_sip.c ++++ channels/chan_sip.c +@@ -3771,6 +3771,13 @@ static int retrans_pkt(const void *data) + } + + /* For non-invites, a maximum of 4 secs */ ++ if (INT_MAX / pkt->timer_a < pkt->timer_t1) { ++ /* ++ * Uh Oh, we will have an integer overflow. ++ * Recalculate previous timeout time instead. ++ */ ++ pkt->timer_a = pkt->timer_a / 2; ++ } + siptimer_a = pkt->timer_t1 * pkt->timer_a; /* Double each time */ + if (pkt->method != SIP_INVITE && siptimer_a > 4000) { + siptimer_a = 4000; diff --git a/net/asterisk/files/patch-AST-2016-003 b/net/asterisk/files/patch-AST-2016-003 new file mode 100644 index 000000000000..537e5055ac98 --- /dev/null +++ b/net/asterisk/files/patch-AST-2016-003 @@ -0,0 +1,28 @@ +diff --git a/main/udptl.c b/main/udptl.c +index a8244e8..6960487 100644 +--- main/udptl.c ++++ main/udptl.c +@@ -231,16 +231,15 @@ static int decode_open_type(uint8_t *buf, unsigned int limit, unsigned int *len, + if (decode_length(buf, limit, len, &octet_cnt) != 0) + return -1; + +- if (octet_cnt > 0) { +- /* Make sure the buffer contains at least the number of bits requested */ +- if ((*len + octet_cnt) > limit) +- return -1; +- +- *p_num_octets = octet_cnt; +- *p_object = &buf[*len]; +- *len += octet_cnt; ++ /* Make sure the buffer contains at least the number of bits requested */ ++ if ((*len + octet_cnt) > limit) { ++ return -1; + } + ++ *p_num_octets = octet_cnt; ++ *p_object = &buf[*len]; ++ *len += octet_cnt; ++ + return 0; + } + /*- End of function --------------------------------------------------------*/ diff --git a/net/asterisk11/Makefile b/net/asterisk11/Makefile index 3d8ba9177b55..1bec3a7c8c53 100644 --- a/net/asterisk11/Makefile +++ b/net/asterisk11/Makefile @@ -1,8 +1,7 @@ # $FreeBSD$ PORTNAME= asterisk -PORTVERSION= 11.21.0 -PORTREVISION= 1 +PORTVERSION= 11.21.1 CATEGORIES= net MASTER_SITES= http://downloads.asterisk.org/pub/telephony/%SUBDIR%/:main,g729 MASTER_SITE_SUBDIR= asterisk/:main \ @@ -228,6 +227,9 @@ post-patch: @${REINPLACE_CMD} -e '/#define HAVE_SYSINFO 1/d' ${WRKSRC}/configure @${REINPLACE_CMD} -e '/%%LIBSYSINFO%%/d' ${WRKSRC}/main/Makefile .endif +.if ${OPSYS} == FreeBSD && (${OSVERSION} < 1000015 && !(defined(WITH_OPENSSL_PORT) || (!defined(WITH_OPENSSL_BASE) && exists(${LOCALBASE}/lib/libcrypto.so)))) + @${REINPLACE_CMD} -e 's/SSL_OP_NO_TLSv1[_12]*;/0;/' ${WRKSRC}/main/tcptls.c +.endif .if exists(${FILESDIR}/.asterisk.makeopts) USER_MAKEOPTS_FILE=${FILESDIR}/.asterisk.makeopts diff --git a/net/asterisk11/distinfo b/net/asterisk11/distinfo index 02fece0f427e..6dbd63114ecc 100644 --- a/net/asterisk11/distinfo +++ b/net/asterisk11/distinfo @@ -1,5 +1,5 @@ -SHA256 (asterisk-11.21.0.tar.gz) = 14e525c104633bf49a4122bda93d9fcbc166e4caa1217efbdab2efeebee16b6e -SIZE (asterisk-11.21.0.tar.gz) = 34875184 +SHA256 (asterisk-11.21.1.tar.gz) = d02afbdda172a6bb98883350d64f83ce865fcea01642a05067ca2c916c3a1ee5 +SIZE (asterisk-11.21.1.tar.gz) = 34867941 SHA256 (asterisk-core-sounds-en-g729-1.4.27.tar.gz) = f5d21ca8305b29ea84fb4603c65c041483ea3a9cd0bf313eb4f098342a29af5f SIZE (asterisk-core-sounds-en-g729-1.4.27.tar.gz) = 1408055 SHA256 (asterisk-moh-opsound-g729-2.03.tar.gz) = 0147ca9a97f0c550227aacb7793499057c4d2c64e021c95f93722f27d5549585 diff --git a/net/asterisk13/Makefile b/net/asterisk13/Makefile index 0e51bc96b9bb..57050727927e 100644 --- a/net/asterisk13/Makefile +++ b/net/asterisk13/Makefile @@ -1,8 +1,7 @@ # $FreeBSD$ PORTNAME= asterisk -PORTVERSION= 13.7.0 -PORTREVISION= 1 +PORTVERSION= 13.7.1 CATEGORIES= net MASTER_SITES= http://downloads.asterisk.org/pub/telephony/%SUBDIR%/:main,g729 MASTER_SITE_SUBDIR= asterisk/:main \ @@ -249,6 +248,9 @@ post-patch: @${REINPLACE_CMD} -e '/#define HAVE_SYSINFO 1/d' ${WRKSRC}/configure @${REINPLACE_CMD} -e '/%%LIBSYSINFO%%/d' ${WRKSRC}/main/Makefile .endif +.if ${OPSYS} == FreeBSD && (${OSVERSION} < 1000015 && !(defined(WITH_OPENSSL_PORT) || (!defined(WITH_OPENSSL_BASE) && exists(${LOCALBASE}/lib/libcrypto.so)))) + @${REINPLACE_CMD} -e 's/SSL_OP_NO_TLSv1[_12]*;/0;/' ${WRKSRC}/main/tcptls.c +.endif .if exists(${FILESDIR}/.asterisk.makeopts) USER_MAKEOPTS_FILE=${FILESDIR}/.asterisk.makeopts diff --git a/net/asterisk13/distinfo b/net/asterisk13/distinfo index 04688cf4c954..d9c0b1d0590f 100644 --- a/net/asterisk13/distinfo +++ b/net/asterisk13/distinfo @@ -1,5 +1,5 @@ -SHA256 (asterisk-13.7.0.tar.gz) = d04c783e18a41de5fd6d8dc375533633995ea5a11437df727f0f6a32bfdbcd7a -SIZE (asterisk-13.7.0.tar.gz) = 32198169 +SHA256 (asterisk-13.7.1.tar.gz) = f96bb621da63e1d1814cdd25cd92a6ebb976655938d25e4f6e53196411e5804d +SIZE (asterisk-13.7.1.tar.gz) = 32176324 SHA256 (asterisk-core-sounds-en-g729-1.4.27.tar.gz) = f5d21ca8305b29ea84fb4603c65c041483ea3a9cd0bf313eb4f098342a29af5f SIZE (asterisk-core-sounds-en-g729-1.4.27.tar.gz) = 1408055 SHA256 (asterisk-moh-opsound-g729-2.03.tar.gz) = 0147ca9a97f0c550227aacb7793499057c4d2c64e021c95f93722f27d5549585 |