This fixes the following compile-time warning:
cc1: note: someone does not honour COPTS correctly, passed 2 times
LTCOMPILE tport_type_connect.lo
cc1: note: someone does not honour COPTS correctly, passed 2 times
LTCOMPILE tport_type_ws.lo
cc1: note: someone does not honour COPTS correctly, passed 2 times
LTCOMPILE ws.lo
cc1: note: someone does not honour COPTS correctly, passed 2 times
ws.c: In function 'hton64':
ws.c:730:14: error: implicit declaration of function '__bswap_64' [-Werror=implicit-function-declaration]
else return __bswap_64(val);
^
cc1: all warnings being treated as errors
Makefile:1465: recipe for target 'ws.lo' failed
make[12]: *** [ws.lo] Error 1
Fix by including byteswap.h, which is available on Linux and also
everywhere glibc is used (wpa_supplicant includes this header the same
way).
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This fixes the following compile-time warning:
make[8]: Entering directory '/home/sk/tmp/lede/build_dir/target-mips_24kc_musl-1.1.15/freeswitch-1.8.0/src/mod/endpoints/mod_sofia'
CC mod_sofia_la-mod_sofia.lo
CC mod_sofia_la-sofia.lo
CC mod_sofia_la-sofia_glue.lo
CC mod_sofia_la-sofia_presence.lo
CC mod_sofia_la-sofia_reg.lo
CC mod_sofia_la-sofia_media.lo
CC mod_sofia_la-sip-dig.lo
In file included from sip-dig.c:137:0:
/home/sk/tmp/lede/build_dir/target-mips_24kc_musl-1.1.15/freeswitch-1.8.0/libs/sofia-sip/libsofia-sip-ua/bnf/../../config.h:522:0: error: "__BYTE_ORDER" redefined [-Werror]
#define __BYTE_ORDER __BIG_ENDIAN
^
In file included from /home/sk/tmp/lede/staging_dir/toolchain-mips_24kc_gcc-5.4.0_musl-1.1.15/include/sys/types.h:70:0,
from ../../../../src/include/switch.h:107,
from sip-dig.c:135:
/home/sk/tmp/lede/staging_dir/toolchain-mips_24kc_gcc-5.4.0_musl-1.1.15/include/endian.h:11:0: note: this is the location of the previous definition
#define __BYTE_ORDER __BYTE_ORDER__
^
cc1: all warnings being treated as errors
SWITCH_BYTE_ORDER is already used elsewhere in FS source and takes care
of changing byte order without causing a warning
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Sofia will unpredictably close a tls transport during call setup. This
occurs when the epoll event loop wakes up the socket reader and SSL_read
returns an error because there is no packet on the socket. Normally
sofia will read the last error using SSL_get_error and return
SSL_ERROR_WANT_READ. Sofia gracefully handles this error and the
transport stays open. Sometimes, however, the worker thread will call
SSL_shutdown for a different transport, which can write an error to the
internal openssl error queue. If that error is not read off the queue,
the next time that SSL_get_error is called, it will read that unrelated
error.
The documentation for SSL_shutdown explains that there are three
possible results -1, 0 and 1 with, oddly, 1 indicating success. The -1
result code occurs when there is no handshake callback registered on the
connection. It can return 0 when there is still work to be done. The
documentation suggest that it is insufficient to call it just once. This
is why I added the do {} while () construct.
Although just the fix to SSL_shutdown was enough to resolve my issue, I
a also audited other calls to SSL_* functions and found a few other
cases where an error may be generated, but was not handled.
The new C compiler breaks a lot of things. snprintf and timespec now exist, and redefining causes an error.
Many more things are warnings, so warnings-as-errors will fail - remove it from some projects for now.
V8: don't pass VS version to build batch file.
mod_sofia: Config has too-long if/elseif chain. Break this up to avoid "parser stack overflow; program too complex".
Add mod_conference.h to project and dir to includes.
Ephemeral ECDH (ECDHE) was supported already. This patch adds Ephemeral
DH (DHE). To enable it, add DH parameters into the private-key file of
your server (agent.pem). For example via:
openssl dhparam -out dh.pem 2048
FS-7561 #resolve
The file 'libs/sofia-sip/s2check/exit77.c' was moved in order to
silence the warning and to keep the build working. There might be a
build problem that results from this file move, but after serveral
build tests I have not found one. The contents of the file are
specifically for the make check target, so I believe it would be
highly unlikely to cause problems with any production feature.
FS-7122 #resolve
Latest automake will detect then warn if the Makefile uses source
files that are in subdirectories, but the subdirs option is not
set. In the FreeSWITCH build system the current expected behavior is
to expect the subdirs option to be enabled.
FS-7122 #resolve
ADTRAN Total Access devices do not support sending the rport parameter in
the Via header. This allows us to detect the device and force rport when
using the "safe" parameter, enabling the device to be used behind NAT.
FS-6823 #resolve
Windows has a 64 descriptor limit in WSAWaitForMultipleEvents system call.
Implemented some custom login in su_wait to work around this limitation.
Changed SU_WAIT_MAX from 64 to 0x7fffffff, like on other plaftorms.
When zero was passed for the size to `sub_alloc`, we were passing this
size on to `malloc` or `calloc`, which is unusual enough that static
analyzers warn about this (POSIX says that either NULL or a pointer
will be returned).
We'll instead just return NULL right away.
POSIX says poll.h and signal.h should not be prefixed with sys/ (ie
poll.h instead of sys/poll.h)
limits.h also defines a TZNAME_MAX so we change name of the define for
spandsp.
I found a problem here but it may not completely match your expectations.
I reviewed the RFC 4028 and checked against the code and I discovered we should not be putting a Min-SE in any response at all besides a 422:
section 5:
The Min-SE header field MUST NOT be used in responses except for
those with a 422 response code. It indicates the minimum value of
the session interval that the server is willing to accept.
I corrected this problem and implemented the 422 response so if you request a value lower than the minimum specified for the profile.
If the value is equal or higher to the minimum, it will be reflected in the Session-Expires header in the response and no Min-SE will be present.
If an attacker can cause a device to make an authenticated request to
a service via TLS while including a payload of the attacker's choice
in that request, and if TLS compression is enabled, the attacker can
uncover the plaintext authentication information by making a series of
guesses and observing changes in the length of the ciphertext.
This is CVE-2012-4929.
FS-6360 --resolve
Thanks-to: Brian West <brian@freeswitch.org>
Previously we disallowed anonymous Diffie-Hellman, but there are other
kinds of null-authentication TLS suites. In particular, disallowing
AECDH is important now that we support elliptic-curve Diffie-Hellman.
commit ee51fa4e2993ab71339e29691aec8b924c810c53
Author: Frode Isaksen <frode.isaksen@bewan.com>
Date: Thu Aug 18 16:40:58 2011 +0300
su: fix su_time() on 64-bit OS X
The field tv_sec in struct timeval is 64bits instead of 32bits as in
su_time_t, so you cannot cast su_time_t to struct timeval.
This shows the cipher name, TLS version, the number of cipher bits and
algorithm bits, and a description of the cipher in Sofia's debug
logging output on level 9.
This separates out the Linux socket TCP keepalive timeout interval
from Sofia's internal mechanisms. Earlier we tied these together. In
retrospect this seems improper.
These two values can now be set separately.
You might, for example, want to keep the Sofia internal mechanism
disabled completely while enabling the platform-based mechanism if
your platform supports it.
We also here reform the default value of the socket TCP keepalive
parameter to 30 seconds.
This is what commit a0e9639a1f should
have been.
FS-6104
Sofia keeps the TCP keepalive timeout in milliseconds, but Linux
expects the value in seconds. Before this change, it's unlikely the
TCP_KEEPIDLE and TCP_KEEPINTVL calls were having much effect as we
would have been passing them a huge value.
FS-6104
This adds support for the ephemeral elliptic curve Diffie-Hellman key
exchange, which provides for forward secrecy in the event that
long-term keys are compromised.
For the moment, we've hard-coded the curve as prime256v1.
Previously there was no way to override the hard-coded cipher suite
specification of "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH".
This commit does leave in place the hardcoded cipher spec for WebRTC
of "HIGH:!DSS:!aNULL@STRENGTH".
Previously if the TPTAG_TLS_VERSION was set to a non-zero value we
supported only TLSv1 (but not TLSv1.1 or TLSv1.2), and if was set to
zero we supported all versions of TLS and SSL (including the
ridiculous SSLv2).
Now we take an integer field where various bits can be set indicating
which versions of TLS we would like to support.
Mike Jerris
Sebastian Kemper
Anthony Minessale
Seven Du
William King
Brian West
Sebastian Denz
Alexandr Dubovikov
Spencer Thomason
Ethan Atkins
Anthony Minessale II
Michael Giagnocavo
Alexander Traud
Artur Zaprzała
Artur Zaprzała
Jeff Lenk
Stefano Picerno
Travis Cross
Natanael Copa
Moises Silva