Open miken32 opened 8 months ago

Is your feature or improvement request related to a problem? Please describe.
1024-bit RSA keys are insecure and deprecated in modern operating systems, but this is the only size key Asterisk will accept.

Describe the solution you'd like
Allowing arbitrarily-sized keys to be used. After a look at the code (I am not a C programmer) it seems like this would require only minor changes to res_crypto because most of the work is being done in OpenSSL. More changes would be needed in pbx_dundi and chan_iax2 where there are a number of calls to crypto functions passing and expecting 128 byte keys.

Describe alternatives you've considered
The alternative is continuing as at present, potentially requiring security exceptions in OS-level crypto policies.

Additional context
Attempts to load a 2048-bit key result in:

looking for 1024 bits...

Is DUNDi the only part of Asterisk that actually uses res_crypto? I guess that drops my chances of seeing a fix anytime soon.

It is only ~1k lines of code, and a good chunk of that is module boilerplate so I'm hoping it's something someone could take on without too much work. Then there remains all the hard-coded stuff in pbx_dundi.

DUNDi and chan_iax2 as far as I'm aware.

Well upon further investigation it seems my system's problem is with an old SHA1 signature on the key, not the key length, and upgrading from 16 to 18 lets me load a 1024-bit key with a SHA256 signature on the default OS crypto policy. I'll leave this open though, since a 1024-bit key remains not great.
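An added example, not code from Asterisk or from this thread, of the size test the issue describes: OpenSSL's RSA_size() is the byte length of the modulus, so the 128-byte key the hard-coded checks expect is exactly a 1024-bit key. The script parses a PEM RSA public key with the standard library only and applies that test; the key it builds for itself wraps a constructed dummy modulus and is not a real key.

```python
import base64
import re

# Constructed example, not Asterisk code. rsaEncryption OID plus NULL parameters,
# i.e. the AlgorithmIdentifier content found in a SubjectPublicKeyInfo.
RSA_ALG_ID = bytes.fromhex("06092a864886f70d0101010500")

def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _der_int(value: int) -> bytes:
    b = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)  # 0x00 pad keeps it positive

def _der_tlv(buf: bytes, i: int):
    """Decode the TLV at buf[i]; return (tag, content, index after it)."""
    tag, first = buf[i], buf[i + 1]
    if first < 0x80:
        return tag, buf[i + 2:i + 2 + first], i + 2 + first
    n = first & 0x7F
    length, start = int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n
    return tag, buf[start:start + length], start + length

def rsa_modulus_bytes(pem: str) -> int:
    """Modulus size in bytes (what OpenSSL's RSA_size() reports) for a PEM
    'PUBLIC KEY' (SubjectPublicKeyInfo) or 'RSA PUBLIC KEY' (PKCS#1) block."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    _, body, _ = _der_tlv(base64.b64decode(re.sub(r"\s+", "", m.group(2))), 0)
    if m.group(1) == "PUBLIC KEY":
        _, _, after_alg = _der_tlv(body, 0)       # skip AlgorithmIdentifier
        _, bitstr, _ = _der_tlv(body, after_alg)   # BIT STRING holding RSAPublicKey
        _, body, _ = _der_tlv(bitstr[1:], 0)       # drop unused-bits byte, open SEQUENCE
    _, modulus, _ = _der_tlv(body, 0)              # first INTEGER is the modulus n
    return len(modulus.lstrip(b"\x00"))            # ignore DER's sign-padding byte

def res_crypto_accepts(pem: str) -> bool:
    """The size test the issue describes: only a 128-byte (1024-bit) modulus passes."""
    return rsa_modulus_bytes(pem) == 128

def synthetic_pem(bits: int) -> str:
    """Constructed SubjectPublicKeyInfo around a dummy modulus of `bits` bits; not a usable key."""
    rsa = _der(0x30, _der_int((1 << (bits - 1)) | 1) + _der_int(65537))
    spki = _der(0x30, _der(0x30, RSA_ALG_ID) + _der(0x03, b"\x00" + rsa))
    return f"-----BEGIN PUBLIC KEY-----\n{base64.encodebytes(spki).decode()}-----END PUBLIC KEY-----\n"
```

Point rsa_modulus_bytes() at the .pub file under the Asterisk keys directory to see which size a key would fail on before res_crypto logs the rejection.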