Diffstat (limited to 'net/asterisk/files/patch-AST-2016-001')
-rw-r--r-- | net/asterisk/files/patch-AST-2016-001 | 153 |
1 files changed, 0 insertions, 153 deletions
diff --git a/net/asterisk/files/patch-AST-2016-001 b/net/asterisk/files/patch-AST-2016-001
deleted file mode 100644
index 8888a9214f7a..000000000000
--- a/net/asterisk/files/patch-AST-2016-001
+++ /dev/null
@@ -1,153 +0,0 @@
---- configs/http.conf.sample.orig 2014-06-12 16:05:50 UTC
-+++ configs/http.conf.sample
-@@ -67,10 +67,31 @@ bindaddr=127.0.0.1
- ; If no path is given for tlscertfile or tlsprivatekey, default is to look in current
- ; directory. If no tlsprivatekey is given, default is to search tlscertfile for private key.
- ;
-+;
- ; To produce a certificate you can e.g. use openssl. This places both the cert and
- ; private in same .pem file.
- ; openssl req -new -x509 -days 365 -nodes -out /tmp/foo.pem -keyout /tmp/foo.pem
- ;
-+; tlscipher= ; The list of allowed ciphers
-+; ; if none are specified the following cipher
-+; ; list will be used instead:
-+; ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:
-+; ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:
-+; kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
-+; ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
-+; ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:
-+; DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:
-+; AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:
-+; AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:
-+; !EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
-+;
-+; tlsdisablev1=yes ; Disable TLSv1 support - if not set this defaults to "yes"
-+; tlsdisablev11=yes ; Disable TLSv1.1 support - if not set this defaults to "no"
-+; tlsdisablev12=yes ; Disable TLSv1.2 support - if not set this defaults to "no"
-+;
-+; tlsservercipherorder=yes ; Use the server preference order instead of the client order
-+; ; Defaults to "yes"
-+;
- ; The post_mappings section maps URLs to real paths on the filesystem. If a
- ; POST is done from within an authenticated manager session to one of the
- ; configured POST mappings, then any files in the POST will be placed in the
---- include/asterisk/tcptls.h.orig 2014-06-13 04:58:51 UTC
-+++ include/asterisk/tcptls.h
-@@ -79,7 +79,15 @@ enum ast_ssl_flags {
- /*! Use SSLv3 for outgoing client connections */
- AST_SSL_SSLV3_CLIENT = (1 << 4),
- /*! Use TLSv1 for outgoing client connections */
-- AST_SSL_TLSV1_CLIENT = (1 << 5)
-+ AST_SSL_TLSV1_CLIENT = (1 << 5),
-+ /*! Use server cipher order instead of the client order */
-+ AST_SSL_SERVER_CIPHER_ORDER = (1 << 6),
-+ /*! Disable TLSv1 support */
-+ AST_SSL_DISABLE_TLSV1 = (1 << 7),
-+ /*! Disable TLSv1.1 support */
-+ AST_SSL_DISABLE_TLSV11 = (1 << 8),
-+ /*! Disable TLSv1.2 support */
-+ AST_SSL_DISABLE_TLSV12 = (1 << 9),
- };
- 
- struct ast_tls_config {
---- main/http.c.orig 2014-06-13 04:58:51 UTC
-+++ main/http.c
-@@ -1118,10 +1118,13 @@ static int __ast_http_load(int reload)
- }
- http_tls_cfg.pvtfile = ast_strdup("");
- 
-+ /* Apply modern intermediate settings according to the Mozilla OpSec team as of July 30th, 2015 but disable TLSv1 */
-+ ast_set_flag(&http_tls_cfg.flags, AST_SSL_DISABLE_TLSV1 | AST_SSL_SERVER_CIPHER_ORDER);
-+
- if (http_tls_cfg.cipher) {
- ast_free(http_tls_cfg.cipher);
- }
-- http_tls_cfg.cipher = ast_strdup("");
-+ http_tls_cfg.cipher = ast_strdup("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA");
- 
- AST_RWLIST_WRLOCK(&uri_redirects);
- while ((redirect = AST_RWLIST_REMOVE_HEAD(&uri_redirects, entry))) {
-@@ -1146,8 +1149,6 @@ static int __ast_http_load(int reload)
- && strcasecmp(v->name, "tlsdontverifyserver")
- && strcasecmp(v->name, "tlsclientmethod")
- && strcasecmp(v->name, "sslclientmethod")
-- && strcasecmp(v->name, "tlscipher")
-- && strcasecmp(v->name, "sslcipher")
- && !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
- continue;
- }
---- main/tcptls.c.orig 2015-04-08 16:53:07 UTC
-+++ main/tcptls.c
-@@ -749,6 +749,7 @@ static int __ssl_setup(struct ast_tls_co
- return 0;
- #else
- int disable_ssl = 0;
-+ long ssl_opts = 0;
- 
- if (!cfg->enabled)
- return 0;
-@@ -793,12 +794,30 @@ static int __ssl_setup(struct ast_tls_co
- * them. SSLv23_*_method supports TLSv1+.
- */
- if (disable_ssl) {
-- long ssl_opts;
-+ ssl_opts |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
-+ }
- 
-- ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
-- SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
-+ if (ast_test_flag(&cfg->flags, AST_SSL_SERVER_CIPHER_ORDER)) {
-+ ssl_opts |= SSL_OP_CIPHER_SERVER_PREFERENCE;
- }
- 
-+ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) {
-+ ssl_opts |= SSL_OP_NO_TLSv1;
-+ }
-+#if defined(HAVE_SSL_OP_NO_TLSV1_1) && defined(HAVE_SSL_OP_NO_TLSV1_2)
-+ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) {
-+ ssl_opts |= SSL_OP_NO_TLSv1_1;
-+ }
-+ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) {
-+ ssl_opts |= SSL_OP_NO_TLSv1_2;
-+ }
-+#else
-+ ast_log(LOG_WARNING, "Your version of OpenSSL leaves you potentially vulnerable "
-+ "to the SSL BEAST attack. Please upgrade to OpenSSL 1.0.1 or later\n");
-+#endif
-+
-+ SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
-+
- SSL_CTX_set_verify(cfg->ssl_ctx,
- ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,
- NULL);
-@@ -1109,6 +1128,14 @@ int ast_tls_read_conf(struct ast_tls_con
- ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
- ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
- }
-+ } else if (!strcasecmp(varname, "tlsservercipherorder")) {
-+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_SERVER_CIPHER_ORDER);
-+ } else if (!strcasecmp(varname, "tlsdisablev1")) {
-+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV1);
-+ } else if (!strcasecmp(varname, "tlsdisablev11")) {
-+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV11);
-+ } else if (!strcasecmp(varname, "tlsdisablev12")) {
-+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV12);
- } else {
- return -1;
- }
---- include/asterisk/autoconfig.h.in.orig 2014-06-20 23:12:25 UTC
-+++ include/asterisk/autoconfig.h.in
-@@ -752,6 +752,12 @@
- /* Define to 1 if you have the ISDN SS7 library. */
- #undef HAVE_SS7
- 
-+/* Define if your system has the SSL_OP_NO_TLSV1_1 headers. */
-+#undef HAVE_SSL_OP_NO_TLSV1_1
-+
-+/* Define if your system has the SSL_OP_NO_TLSV1_2 headers. */
-+#undef HAVE_SSL_OP_NO_TLSV1_2
-+
- /* Define to 1 if `stat' has the bug that it succeeds when given the
- zero-length file name argument. */
- #undef HAVE_STAT_EMPTY_STRING_BUG |