diff options
| author | Guido Falsi <madpilot@FreeBSD.org> | 2016-02-12 17:30:29 +0000 |
|---|---|---|
| committer | Guido Falsi <madpilot@FreeBSD.org> | 2016-02-12 17:30:29 +0000 |
| commit | 664d7dd0593e06eead417dcda7c4c8f3e0dc5684 (patch) | |
| tree | e62a2887770ad5608f415cea549bc9e861e39c4c /net | |
| parent | d3fead365bc13c74486e2c57a1fd6713bf9e2453 (diff) | |
| download | ports-664d7dd0593e06eead417dcda7c4c8f3e0dc5684.tar.gz ports-664d7dd0593e06eead417dcda7c4c8f3e0dc5684.zip | |
- Update net/asterisk11 to 11.21.2, which provides a fix for the
old OpenSSL included in 9.x
- Backport the fis to net/asterisk (asterisk 1.8)
- net/asterisk13 already includes this fix, so remove my workaround
While here, asterisk 1.8 reached EOL on 2015-10-21, so DEPRECATE
it and add an expiration time.
MFH: 2016Q1
Notes
Notes:
svn path=/head/; revision=408743
Diffstat (limited to 'net')
| -rw-r--r-- | net/asterisk/Makefile | 8 | ||||
| -rw-r--r-- | net/asterisk/files/patch-AST-2016-001 | 55 | ||||
| -rw-r--r-- | net/asterisk/files/patch-configure | 128 | ||||
| -rw-r--r-- | net/asterisk11/Makefile | 5 | ||||
| -rw-r--r-- | net/asterisk11/distinfo | 4 | ||||
| -rw-r--r-- | net/asterisk13/Makefile | 4 |
6 files changed, 162 insertions, 42 deletions
diff --git a/net/asterisk/Makefile b/net/asterisk/Makefile index f3e554401d1c..296bf29c856c 100644 --- a/net/asterisk/Makefile +++ b/net/asterisk/Makefile @@ -3,7 +3,7 @@ PORTNAME= asterisk PORTVERSION= 1.8.32.3 -PORTREVISION= 5 +PORTREVISION= 6 CATEGORIES= net MASTER_SITES= http://downloads.asterisk.org/pub/telephony/%SUBDIR%/:main,g729 MASTER_SITE_SUBDIR= asterisk/:main \ @@ -20,6 +20,9 @@ LICENSE_FILE= ${WRKSRC}/LICENSE EXTRACT_ONLY:= ${DISTNAME}${EXTRACT_SUFX} +DEPRECATED= Aterisk 1.8 reached EOL on 2015-10-21 +EXPIRATION_DATE= 2015-04-30 + ONLY_FOR_ARCHS= i386 amd64 powerpc sparc64 USES= alias bison cpe gmake shebangfix @@ -223,9 +226,6 @@ post-patch: @${REINPLACE_CMD} -e '/#define HAVE_SYSINFO 1/d' ${WRKSRC}/configure @${REINPLACE_CMD} -e '/%%LIBSYSINFO%%/d' ${WRKSRC}/main/Makefile .endif -.if ${OPSYS} == FreeBSD && (${OSVERSION} < 1000015 && !(defined(WITH_OPENSSL_PORT) || (!defined(WITH_OPENSSL_BASE) && exists(${LOCALBASE}/lib/libcrypto.so)))) - @${REINPLACE_CMD} -e 's/SSL_OP_NO_TLSv1[_12]*;/0;/' ${WRKSRC}/main/tcptls.c -.endif .if exists(${FILESDIR}/.asterisk.makeopts) USER_MAKEOPTS_FILE=${FILESDIR}/.asterisk.makeopts diff --git a/net/asterisk/files/patch-AST-2016-001 b/net/asterisk/files/patch-AST-2016-001 index 95b4302d09cd..8888a9214f7a 100644 --- a/net/asterisk/files/patch-AST-2016-001 +++ b/net/asterisk/files/patch-AST-2016-001 @@ -1,6 +1,4 @@ -diff --git a/configs/http.conf.sample b/configs/http.conf.sample -index 1a7f4fd..9a06fcf 100644 ---- configs/http.conf.sample +--- configs/http.conf.sample.orig 2014-06-12 16:05:50 UTC +++ configs/http.conf.sample @@ -67,10 +67,31 @@ bindaddr=127.0.0.1 ; If no path is given for tlscertfile or tlsprivatekey, default is to look in current @@ -34,9 +32,7 @@ index 1a7f4fd..9a06fcf 100644 ; The post_mappings section maps URLs to real paths on the filesystem. If a ; POST is done from within an authenticated manager session to one of the ; configured POST mappings, then any files in the POST will be placed in the -diff --git a/include/asterisk/tcptls.h b/include/asterisk/tcptls.h -index f3f5e1f..eb7166f 100644 ---- include/asterisk/tcptls.h +--- include/asterisk/tcptls.h.orig 2014-06-13 04:58:51 UTC +++ include/asterisk/tcptls.h @@ -79,7 +79,15 @@ enum ast_ssl_flags { /*! Use SSLv3 for outgoing client connections */ @@ -55,9 +51,7 @@ index f3f5e1f..eb7166f 100644 }; struct ast_tls_config { -diff --git a/main/http.c b/main/http.c -index 9bebbe7..4bfa985 100644 ---- main/http.c +--- main/http.c.orig 2014-06-13 04:58:51 UTC +++ main/http.c @@ -1118,10 +1118,13 @@ static int __ast_http_load(int reload) } @@ -83,11 +77,9 @@ index 9bebbe7..4bfa985 100644 && !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) { continue; } -diff --git a/main/tcptls.c b/main/tcptls.c -index a5a2af6..f73c2aa 100644 ---- main/tcptls.c +--- main/tcptls.c.orig 2015-04-08 16:53:07 UTC +++ main/tcptls.c -@@ -749,6 +749,7 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client) +@@ -749,6 +749,7 @@ static int __ssl_setup(struct ast_tls_co return 0; #else int disable_ssl = 0; @@ -95,35 +87,41 @@ index a5a2af6..f73c2aa 100644 if (!cfg->enabled) return 0; -@@ -793,11 +794,24 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client) +@@ -793,12 +794,30 @@ static int __ssl_setup(struct ast_tls_co * them. SSLv23_*_method supports TLSv1+. */ if (disable_ssl) { - long ssl_opts; + ssl_opts |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; + } -+ -+ if (ast_test_flag(&cfg->flags, AST_SSL_SERVER_CIPHER_ORDER)) { -+ ssl_opts |= SSL_OP_CIPHER_SERVER_PREFERENCE; -+ } - ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; - SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts); ++ if (ast_test_flag(&cfg->flags, AST_SSL_SERVER_CIPHER_ORDER)) { ++ ssl_opts |= SSL_OP_CIPHER_SERVER_PREFERENCE; + } + + if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) { + ssl_opts |= SSL_OP_NO_TLSv1; - } ++ } ++#if defined(HAVE_SSL_OP_NO_TLSV1_1) && defined(HAVE_SSL_OP_NO_TLSV1_2) + if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) { + ssl_opts |= SSL_OP_NO_TLSv1_1; + } + if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) { + ssl_opts |= SSL_OP_NO_TLSv1_2; + } ++#else ++ ast_log(LOG_WARNING, "Your version of OpenSSL leaves you potentially vulnerable " ++ "to the SSL BEAST attack. Please upgrade to OpenSSL 1.0.1 or later\n"); ++#endif + + SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts); - ++ SSL_CTX_set_verify(cfg->ssl_ctx, ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE, -@@ -1109,6 +1123,14 @@ int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_ + NULL); +@@ -1109,6 +1128,14 @@ int ast_tls_read_conf(struct ast_tls_con ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT); ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT); } @@ -138,3 +136,18 @@ index a5a2af6..f73c2aa 100644 } else { return -1; } +--- include/asterisk/autoconfig.h.in.orig 2014-06-20 23:12:25 UTC ++++ include/asterisk/autoconfig.h.in +@@ -752,6 +752,12 @@ + /* Define to 1 if you have the ISDN SS7 library. */ + #undef HAVE_SS7 + ++/* Define if your system has the SSL_OP_NO_TLSV1_1 headers. */ ++#undef HAVE_SSL_OP_NO_TLSV1_1 ++ ++/* Define if your system has the SSL_OP_NO_TLSV1_2 headers. */ ++#undef HAVE_SSL_OP_NO_TLSV1_2 ++ + /* Define to 1 if `stat' has the bug that it succeeds when given the + zero-length file name argument. */ + #undef HAVE_STAT_EMPTY_STRING_BUG diff --git a/net/asterisk/files/patch-configure b/net/asterisk/files/patch-configure index 8daab1e7736f..f250130bf6c5 100644 --- a/net/asterisk/files/patch-configure +++ b/net/asterisk/files/patch-configure @@ -1,6 +1,15 @@ --- configure.orig 2014-08-17 22:31:23 UTC +++ configure -@@ -4698,9 +4698,9 @@ astetcdir='${sysconfdir}/asterisk' +@@ -632,6 +632,8 @@ CONFIG_GMIME + AIS_LIB + AIS_INCLUDE + PBX_AIS ++PBX_SSL_OP_NO_TLSV1_2 ++PBX_SSL_OP_NO_TLSV1_1 + OPENH323_BUILD + OPENH323_SUFFIX + OPENH323_LIBDIR +@@ -4698,9 +4700,9 @@ astetcdir='${sysconfdir}/asterisk' astheaderdir='${includedir}/asterisk' astlibdir='${libdir}/asterisk' astmandir='${mandir}' @@ -12,7 +21,7 @@ astkeydir='${astvarlibdir}' astspooldir='${localstatedir}/spool/asterisk' astlogdir='${localstatedir}/log/asterisk' -@@ -4723,8 +4723,6 @@ esac +@@ -4723,8 +4725,6 @@ esac case "${host_os}" in freebsd*) ac_default_prefix=/usr/local @@ -21,7 +30,7 @@ ;; openbsd*) ac_default_prefix=/usr/local -@@ -18470,6 +18468,8 @@ $as_echo_n "checking if \"struct ifaddrs +@@ -18470,6 +18470,8 @@ $as_echo_n "checking if \"struct ifaddrs cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ @@ -30,7 +39,7 @@ #include <ifaddrs.h> int main () -@@ -26245,7 +26245,7 @@ $as_echo "${OPENH323_BUILD}" >&6; } +@@ -26245,7 +26247,7 @@ $as_echo "${OPENH323_BUILD}" >&6; } fi @@ -39,7 +48,7 @@ if test "${HAS_OPENH323:-unset}" != "unset"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking OpenH323 installation validity" >&5 -@@ -26343,13 +26343,13 @@ if test "x${PBX_LUA}" != "x1" -a "${USE_ +@@ -26343,13 +26345,13 @@ if test "x${PBX_LUA}" != "x1" -a "${USE_ ast_ext_lib_check_save_CFLAGS="${CFLAGS}" CFLAGS="${CFLAGS} " as_ac_Lib=`$as_echo "ac_cv_lib_lua5.2_${pbxfuncname}" | $as_tr_sh` @@ -56,7 +65,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -@@ -26391,18 +26391,18 @@ fi +@@ -26391,18 +26393,18 @@ fi # now check for the header. if test "${AST_LUA_FOUND}" = "yes"; then @@ -78,7 +87,7 @@ if test "x$ac_cv_header_lua5_2_lua_h" = xyes; then : LUA_HEADER_FOUND=1 else -@@ -26455,13 +26455,13 @@ if test "x${PBX_LUA}" != "x1" -a "${USE_ +@@ -26455,13 +26457,13 @@ if test "x${PBX_LUA}" != "x1" -a "${USE_ ast_ext_lib_check_save_CFLAGS="${CFLAGS}" CFLAGS="${CFLAGS} " as_ac_Lib=`$as_echo "ac_cv_lib_lua5.1_${pbxfuncname}" | $as_tr_sh` @@ -95,7 +104,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -@@ -26503,18 +26503,18 @@ fi +@@ -26503,18 +26505,18 @@ fi # now check for the header. if test "${AST_LUA_FOUND}" = "yes"; then @@ -117,3 +126,106 @@ if test "x$ac_cv_header_lua5_1_lua_h" = xyes; then : LUA_HEADER_FOUND=1 else +@@ -27879,6 +27881,102 @@ $as_echo "no" >&6; } + + fi + ++if test "$PBX_OPENSSL" = "1"; ++then ++ ++ if test "x${PBX_SSL_OP_NO_TLSV1_1}" != "x1"; then ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_OP_NO_TLSv1_1 in openssl/ssl.h" >&5 ++$as_echo_n "checking for SSL_OP_NO_TLSv1_1 in openssl/ssl.h... " >&6; } ++ saved_cppflags="${CPPFLAGS}" ++ if test "x${SSL_OP_NO_TLSV1_1_DIR}" != "x"; then ++ SSL_OP_NO_TLSV1_1_INCLUDE="-I${SSL_OP_NO_TLSV1_1_DIR}/include" ++ fi ++ CPPFLAGS="${CPPFLAGS} ${SSL_OP_NO_TLSV1_1_INCLUDE}" ++ ++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. */ ++ #include <openssl/ssl.h> ++int ++main () ++{ ++#if defined(SSL_OP_NO_TLSv1_1) ++ int foo = 0; ++ #else ++ int foo = bar; ++ #endif ++ 0 ++ ++ ; ++ return 0; ++ ++_ACEOF ++if ac_fn_c_try_compile "$LINENO"; then : ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 ++$as_echo "yes" >&6; } ++ PBX_SSL_OP_NO_TLSV1_1=1 ++ ++$as_echo "#define HAVE_SSL_OP_NO_TLSV1_1 1" >>confdefs.h ++ ++ ++ ++else ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++$as_echo "no" >&6; } ++ ++fi ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++ CPPFLAGS="${saved_cppflags}" ++ fi ++ ++ ++ ++ if test "x${PBX_SSL_OP_NO_TLSV1_2}" != "x1"; then ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_OP_NO_TLSv1_2 in openssl/ssl.h" >&5 ++$as_echo_n "checking for SSL_OP_NO_TLSv1_2 in openssl/ssl.h... " >&6; } ++ saved_cppflags="${CPPFLAGS}" ++ if test "x${SSL_OP_NO_TLSV1_2_DIR}" != "x"; then ++ SSL_OP_NO_TLSV1_2_INCLUDE="-I${SSL_OP_NO_TLSV1_2_DIR}/include" ++ fi ++ CPPFLAGS="${CPPFLAGS} ${SSL_OP_NO_TLSV1_2_INCLUDE}" ++ ++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. */ ++ #include <openssl/ssl.h> ++int ++main () ++{ ++if defined(SSL_OP_NO_TLSv1_2) ++ int foo = 0; ++ #else ++ int foo = bar; ++ #endif ++ 0 ++ ++ ; ++ return 0; ++} ++_ACEOF ++if ac_fn_c_try_compile "$LINENO"; then : ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 ++$as_echo "yes" >&6; } ++ PBX_SSL_OP_NO_TLSV1_2=1 ++ ++$as_echo "#define HAVE_SSL_OP_NO_TLSV1_2 1" >>confdefs.h ++ ++ ++ ++else ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++$as_echo "no" >&6; } ++ ++fi ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++ CPPFLAGS="${saved_cppflags}" ++ fi ++ ++ ++fi ++ + + if test "x${PBX_SRTP}" != "x1" -a "${USE_SRTP}" != "no"; then + pbxlibdir="" diff --git a/net/asterisk11/Makefile b/net/asterisk11/Makefile index 1bec3a7c8c53..c6b1155235b4 100644 --- a/net/asterisk11/Makefile +++ b/net/asterisk11/Makefile @@ -1,7 +1,7 @@ # $FreeBSD$ PORTNAME= asterisk -PORTVERSION= 11.21.1 +PORTVERSION= 11.21.2 CATEGORIES= net MASTER_SITES= http://downloads.asterisk.org/pub/telephony/%SUBDIR%/:main,g729 MASTER_SITE_SUBDIR= asterisk/:main \ @@ -227,9 +227,6 @@ post-patch: @${REINPLACE_CMD} -e '/#define HAVE_SYSINFO 1/d' ${WRKSRC}/configure @${REINPLACE_CMD} -e '/%%LIBSYSINFO%%/d' ${WRKSRC}/main/Makefile .endif -.if ${OPSYS} == FreeBSD && (${OSVERSION} < 1000015 && !(defined(WITH_OPENSSL_PORT) || (!defined(WITH_OPENSSL_BASE) && exists(${LOCALBASE}/lib/libcrypto.so)))) - @${REINPLACE_CMD} -e 's/SSL_OP_NO_TLSv1[_12]*;/0;/' ${WRKSRC}/main/tcptls.c -.endif .if exists(${FILESDIR}/.asterisk.makeopts) USER_MAKEOPTS_FILE=${FILESDIR}/.asterisk.makeopts diff --git a/net/asterisk11/distinfo b/net/asterisk11/distinfo index 6dbd63114ecc..83216834913c 100644 --- a/net/asterisk11/distinfo +++ b/net/asterisk11/distinfo @@ -1,5 +1,5 @@ -SHA256 (asterisk-11.21.1.tar.gz) = d02afbdda172a6bb98883350d64f83ce865fcea01642a05067ca2c916c3a1ee5 -SIZE (asterisk-11.21.1.tar.gz) = 34867941 +SHA256 (asterisk-11.21.2.tar.gz) = 9f4408ecda81efccbc0ce6728a7c53fa1528c527ea65d81a165e830c9f91bcac +SIZE (asterisk-11.21.2.tar.gz) = 34867025 SHA256 (asterisk-core-sounds-en-g729-1.4.27.tar.gz) = f5d21ca8305b29ea84fb4603c65c041483ea3a9cd0bf313eb4f098342a29af5f SIZE (asterisk-core-sounds-en-g729-1.4.27.tar.gz) = 1408055 SHA256 (asterisk-moh-opsound-g729-2.03.tar.gz) = 0147ca9a97f0c550227aacb7793499057c4d2c64e021c95f93722f27d5549585 diff --git a/net/asterisk13/Makefile b/net/asterisk13/Makefile index 8f8fab109090..8f68b39335c3 100644 --- a/net/asterisk13/Makefile +++ b/net/asterisk13/Makefile @@ -2,6 +2,7 @@ PORTNAME= asterisk PORTVERSION= 13.7.2 +PORTREVISION= 1 CATEGORIES= net MASTER_SITES= http://downloads.asterisk.org/pub/telephony/%SUBDIR%/:main,g729 MASTER_SITE_SUBDIR= asterisk/:main \ @@ -248,9 +249,6 @@ post-patch: @${REINPLACE_CMD} -e '/#define HAVE_SYSINFO 1/d' ${WRKSRC}/configure @${REINPLACE_CMD} -e '/%%LIBSYSINFO%%/d' ${WRKSRC}/main/Makefile .endif -.if ${OPSYS} == FreeBSD && (${OSVERSION} < 1000015 && !(defined(WITH_OPENSSL_PORT) || (!defined(WITH_OPENSSL_BASE) && exists(${LOCALBASE}/lib/libcrypto.so)))) - @${REINPLACE_CMD} -e 's/SSL_OP_NO_TLSv1[_12]*;/0;/' ${WRKSRC}/main/tcptls.c -.endif .if exists(${FILESDIR}/.asterisk.makeopts) USER_MAKEOPTS_FILE=${FILESDIR}/.asterisk.makeopts |