4 files changed, 190 insertions, 1 deletions

diff --git a/net/asterisk/Makefile b/net/asterisk/Makefile
index a2b93ac9eeeb..f3e554401d1c 100644
--- a/net/asterisk/Makefile
+++ b/net/asterisk/Makefile
@@ -3,7 +3,7 @@
 
 PORTNAME=	asterisk
 PORTVERSION=	1.8.32.3
-PORTREVISION=	4
+PORTREVISION=	5
 CATEGORIES=	net
 MASTER_SITES=	http://downloads.asterisk.org/pub/telephony/%SUBDIR%/:main,g729
 MASTER_SITE_SUBDIR=	asterisk/:main \
@@ -223,6 +223,9 @@ post-patch:
 	@${REINPLACE_CMD} -e '/#define HAVE_SYSINFO 1/d' ${WRKSRC}/configure
 	@${REINPLACE_CMD} -e '/%%LIBSYSINFO%%/d' ${WRKSRC}/main/Makefile
 .endif
+.if ${OPSYS} == FreeBSD && (${OSVERSION} < 1000015 && !(defined(WITH_OPENSSL_PORT) || (!defined(WITH_OPENSSL_BASE) && exists(${LOCALBASE}/lib/libcrypto.so))))
+	@${REINPLACE_CMD} -e 's/SSL_OP_NO_TLSv1[_12]*;/0;/' ${WRKSRC}/main/tcptls.c
+.endif
 
 .if exists(${FILESDIR}/.asterisk.makeopts)
 USER_MAKEOPTS_FILE=${FILESDIR}/.asterisk.makeopts
diff --git a/net/asterisk/files/patch-AST-2016-001 b/net/asterisk/files/patch-AST-2016-001
new file mode 100644
index 000000000000..95b4302d09cd
--- /dev/null
+++ b/net/asterisk/files/patch-AST-2016-001
@@ -0,0 +1,140 @@
+diff --git a/configs/http.conf.sample b/configs/http.conf.sample
+index 1a7f4fd..9a06fcf 100644
+--- configs/http.conf.sample
++++ configs/http.conf.sample
+@@ -67,10 +67,31 @@ bindaddr=127.0.0.1
+ ; If no path is given for tlscertfile or tlsprivatekey, default is to look in current
+ ; directory. If no tlsprivatekey is given, default is to search tlscertfile for private key.
+ ;
++;
+ ; To produce a certificate you can e.g. use openssl. This places both the cert and
+ ; private in same .pem file.
+ ; openssl req -new -x509 -days 365 -nodes -out /tmp/foo.pem -keyout /tmp/foo.pem
+ ;
++; tlscipher=                             ; The list of allowed ciphers
++;                                        ; if none are specified the following cipher
++;                                        ; list will be used instead:
++; ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:
++; ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:
++; kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
++; ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
++; ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:
++; DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:
++; AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:
++; AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:
++; !EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
++;
++; tlsdisablev1=yes                ; Disable TLSv1 support - if not set this defaults to "yes"
++; tlsdisablev11=yes               ; Disable TLSv1.1 support - if not set this defaults to "no"
++; tlsdisablev12=yes               ; Disable TLSv1.2 support - if not set this defaults to "no"
++;
++; tlsservercipherorder=yes        ; Use the server preference order instead of the client order
++;                                 ; Defaults to "yes"
++;
+ ; The post_mappings section maps URLs to real paths on the filesystem.  If a
+ ; POST is done from within an authenticated manager session to one of the
+ ; configured POST mappings, then any files in the POST will be placed in the
+diff --git a/include/asterisk/tcptls.h b/include/asterisk/tcptls.h
+index f3f5e1f..eb7166f 100644
+--- include/asterisk/tcptls.h
++++ include/asterisk/tcptls.h
+@@ -79,7 +79,15 @@ enum ast_ssl_flags {
+ 	/*! Use SSLv3 for outgoing client connections */
+ 	AST_SSL_SSLV3_CLIENT = (1 << 4),
+ 	/*! Use TLSv1 for outgoing client connections */
+-	AST_SSL_TLSV1_CLIENT = (1 << 5)
++	AST_SSL_TLSV1_CLIENT = (1 << 5),
++	/*! Use server cipher order instead of the client order */
++	AST_SSL_SERVER_CIPHER_ORDER = (1 << 6),
++	/*! Disable TLSv1 support */
++	AST_SSL_DISABLE_TLSV1 = (1 << 7),
++	/*! Disable TLSv1.1 support */
++	AST_SSL_DISABLE_TLSV11 = (1 << 8),
++	/*! Disable TLSv1.2 support */
++	AST_SSL_DISABLE_TLSV12 = (1 << 9),
+ };
+ 
+ struct ast_tls_config {
+diff --git a/main/http.c b/main/http.c
+index 9bebbe7..4bfa985 100644
+--- main/http.c
++++ main/http.c
+@@ -1118,10 +1118,13 @@ static int __ast_http_load(int reload)
+ 	}
+ 	http_tls_cfg.pvtfile = ast_strdup("");
+ 
++	/* Apply modern intermediate settings according to the Mozilla OpSec team as of July 30th, 2015 but disable TLSv1 */
++	ast_set_flag(&http_tls_cfg.flags, AST_SSL_DISABLE_TLSV1 | AST_SSL_SERVER_CIPHER_ORDER);
++
+ 	if (http_tls_cfg.cipher) {
+ 		ast_free(http_tls_cfg.cipher);
+ 	}
+-	http_tls_cfg.cipher = ast_strdup("");
++	http_tls_cfg.cipher = ast_strdup("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA");
+ 
+ 	AST_RWLIST_WRLOCK(&uri_redirects);
+ 	while ((redirect = AST_RWLIST_REMOVE_HEAD(&uri_redirects, entry))) {
+@@ -1146,8 +1149,6 @@ static int __ast_http_load(int reload)
+ 				&& strcasecmp(v->name, "tlsdontverifyserver")
+ 				&& strcasecmp(v->name, "tlsclientmethod")
+ 				&& strcasecmp(v->name, "sslclientmethod")
+-				&& strcasecmp(v->name, "tlscipher")
+-				&& strcasecmp(v->name, "sslcipher")
+ 				&& !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
+ 				continue;
+ 			}
+diff --git a/main/tcptls.c b/main/tcptls.c
+index a5a2af6..f73c2aa 100644
+--- main/tcptls.c
++++ main/tcptls.c
+@@ -749,6 +749,7 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
+ 	return 0;
+ #else
+ 	int disable_ssl = 0;
++	long ssl_opts = 0;
+ 
+ 	if (!cfg->enabled)
+ 		return 0;
+@@ -793,11 +794,24 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
+ 	 * them. SSLv23_*_method supports TLSv1+.
+ 	 */
+ 	if (disable_ssl) {
+-		long ssl_opts;
++		ssl_opts |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
++	}
++
++	if (ast_test_flag(&cfg->flags, AST_SSL_SERVER_CIPHER_ORDER)) {
++		ssl_opts |= SSL_OP_CIPHER_SERVER_PREFERENCE;
++	}
+ 
+-		ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+-		SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
++	if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) {
++		ssl_opts |= SSL_OP_NO_TLSv1;
+ 	}
++	if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) {
++		ssl_opts |= SSL_OP_NO_TLSv1_1;
++	}
++	if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) {
++		ssl_opts |= SSL_OP_NO_TLSv1_2;
++	}
++
++	SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
+ 
+ 	SSL_CTX_set_verify(cfg->ssl_ctx,
+ 		ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,
+@@ -1109,6 +1123,14 @@ int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_
+ 			ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
+ 			ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
+ 		}
++	} else if (!strcasecmp(varname, "tlsservercipherorder")) {
++		ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_SERVER_CIPHER_ORDER);
++	} else if (!strcasecmp(varname, "tlsdisablev1")) {
++		ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV1);
++	} else if (!strcasecmp(varname, "tlsdisablev11")) {
++		ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV11);
++	} else if (!strcasecmp(varname, "tlsdisablev12")) {
++		ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV12);
+ 	} else {
+ 		return -1;
+ 	}
diff --git a/net/asterisk/files/patch-AST-2016-002 b/net/asterisk/files/patch-AST-2016-002
new file mode 100644
index 000000000000..75ca85aeacf8
--- /dev/null
+++ b/net/asterisk/files/patch-AST-2016-002
@@ -0,0 +1,18 @@
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 5de304a..277eec7 100644
+--- channels/chan_sip.c
++++ channels/chan_sip.c
+@@ -3771,6 +3771,13 @@ static int retrans_pkt(const void *data)
+ 			}
+ 
+ 			/* For non-invites, a maximum of 4 secs */
++			if (INT_MAX / pkt->timer_a < pkt->timer_t1) {
++				/*
++				 * Uh Oh, we will have an integer overflow.
++				 * Recalculate previous timeout time instead.
++				 */
++				pkt->timer_a = pkt->timer_a / 2;
++			}
+ 			siptimer_a = pkt->timer_t1 * pkt->timer_a;	/* Double each time */
+ 			if (pkt->method != SIP_INVITE && siptimer_a > 4000) {
+ 				siptimer_a = 4000;
diff --git a/net/asterisk/files/patch-AST-2016-003 b/net/asterisk/files/patch-AST-2016-003
new file mode 100644
index 000000000000..537e5055ac98
--- /dev/null
+++ b/net/asterisk/files/patch-AST-2016-003
@@ -0,0 +1,28 @@
+diff --git a/main/udptl.c b/main/udptl.c
+index a8244e8..6960487 100644
+--- main/udptl.c
++++ main/udptl.c
+@@ -231,16 +231,15 @@ static int decode_open_type(uint8_t *buf, unsigned int limit, unsigned int *len,
+ 	if (decode_length(buf, limit, len, &octet_cnt) != 0)
+ 		return -1;
+ 
+-	if (octet_cnt > 0) {
+-		/* Make sure the buffer contains at least the number of bits requested */
+-		if ((*len + octet_cnt) > limit)
+-			return -1;
+-
+-		*p_num_octets = octet_cnt;
+-		*p_object = &buf[*len];
+-		*len += octet_cnt;
++	/* Make sure the buffer contains at least the number of bits requested */
++	if ((*len + octet_cnt) > limit) {
++		return -1;
+ 	}
+ 
++	*p_num_octets = octet_cnt;
++	*p_object = &buf[*len];
++	*len += octet_cnt;
++
+ 	return 0;
+ }
+ /*- End of function --------------------------------------------------------*/