1 https://github.com/coturn/coturn/commit/9af9f6306ab73c3403f9e11086b1936e9148f7de
2 https://github.com/coturn/coturn/commit/4ce784a8781ab086c150e2b9f5641b1a37fd9b31
3 https://github.com/coturn/coturn/commit/9370bb742d976166a51032760da1ecedefb92267
4 https://github.com/coturn/coturn/commit/d72a2a8920b80ce66b36e22b2c22f308ad06c424
6 From 9af9f6306ab73c3403f9e11086b1936e9148f7de Mon Sep 17 00:00:00 2001
7 From: Pavel Punsky <eakraly@users.noreply.github.com>
8 Date: Wed, 14 Sep 2022 03:29:26 -0700
9 Subject: [PATCH] Fix renegotiation flag for older version of openssl (#978)
11 `SSL_OP_NO_RENEGOTIATION` is only supported in openssl-1.1.0 and above
12 Older versions have `SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS `
17 Build in a docker container running running openssl-1.0.2g (ubuntu
18 16.04) successfully (without the fix getting the same errors)
19 --- a/src/apps/relay/dtls_listener.c
20 +++ b/src/apps/relay/dtls_listener.c
21 @@ -295,8 +295,17 @@ static ioa_socket_handle dtls_server_inp
22 SSL_set_accept_state(connecting_ssl);
24 SSL_set_bio(connecting_ssl, NULL, wbio);
25 - SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE | SSL_OP_NO_RENEGOTIATION);
27 + SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE
28 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
29 +#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
30 + | SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
33 +#if defined(SSL_OP_NO_RENEGOTIATION)
34 + | SSL_OP_NO_RENEGOTIATION
38 SSL_set_max_cert_list(connecting_ssl, 655350);
40 ioa_socket_handle rc = dtls_accept_client_connection(server, s, connecting_ssl,
41 @@ -581,7 +590,17 @@ static int create_new_connected_udp_sock
43 SSL_set_bio(connecting_ssl, NULL, wbio);
45 - SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE | SSL_OP_NO_RENEGOTIATION);
46 + SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE
47 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
48 +#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
49 + | SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
52 +#if defined(SSL_OP_NO_RENEGOTIATION)
53 + | SSL_OP_NO_RENEGOTIATION
58 SSL_set_max_cert_list(connecting_ssl, 655350);
59 int rc = ssl_read(ret->fd, connecting_ssl, server->sm.m.sm.nd.nbh,
60 --- a/src/apps/relay/ns_ioalib_engine_impl.c
61 +++ b/src/apps/relay/ns_ioalib_engine_impl.c
62 @@ -1428,7 +1428,17 @@ static void set_socket_ssl(ioa_socket_ha
64 SSL_set_app_data(ssl,s);
65 SSL_set_info_callback(ssl, (ssl_info_callback_t)ssl_info_callback);
66 - SSL_set_options(ssl, SSL_OP_NO_RENEGOTIATION);
67 + SSL_set_options(ssl,
68 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
69 +#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
70 + SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
73 +#if defined(SSL_OP_NO_RENEGOTIATION)
74 + SSL_OP_NO_RENEGOTIATION
81 @@ -1864,7 +1874,11 @@ int ssl_read(evutil_socket_t fd, SSL* ss
83 } else if (!if1 && if2) {
85 +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
86 + if(verbose && SSL_get1_peer_certificate(ssl)) {
88 if(verbose && SSL_get_peer_certificate(ssl)) {
90 printf("\n------------------------------------------------------------\n");
91 X509_NAME_print_ex_fp(stdout, X509_get_subject_name(SSL_get_peer_certificate(ssl)), 1,
93 --- a/src/apps/uclient/startuclient.c
94 +++ b/src/apps/uclient/startuclient.c
95 @@ -138,7 +138,11 @@ static SSL* tls_connect(ioa_socket_raw f
97 TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,"%s: client session connected with cipher %s, method=%s\n",__FUNCTION__,
98 SSL_get_cipher(ssl),turn_get_ssl_method(ssl,NULL));
99 +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
100 + if(clnet_verbose && SSL_get1_peer_certificate(ssl)) {
102 if(clnet_verbose && SSL_get_peer_certificate(ssl)) {
104 TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "------------------------------------------------------------\n");
105 X509_NAME_print_ex_fp(stdout, X509_get_subject_name(SSL_get_peer_certificate(ssl)), 1,
107 --- a/src/client/ns_turn_msg.c
108 +++ b/src/client/ns_turn_msg.c
109 @@ -248,12 +248,22 @@ int stun_produce_integrity_key_str(const
111 EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
114 +#endif // defined EVP_MD_CTX_FLAG_NON_FIPS_ALLOW && !defined(LIBRESSL_VERSION_NUMBER)
115 EVP_DigestInit_ex(&ctx,EVP_md5(), NULL);
116 EVP_DigestUpdate(&ctx,str,strl);
117 EVP_DigestFinal(&ctx,key,&keylen);
118 EVP_MD_CTX_cleanup(&ctx);
120 +#elif OPENSSL_VERSION_NUMBER >= 0x30000000L
121 + unsigned int keylen = 0;
122 + EVP_MD_CTX *ctx = EVP_MD_CTX_new();
123 + if (EVP_default_properties_is_fips_enabled(NULL)) {
124 + EVP_default_properties_enable_fips(NULL, 0);
126 + EVP_DigestInit_ex(ctx,EVP_md5(), NULL);
127 + EVP_DigestUpdate(ctx,str,strl);
128 + EVP_DigestFinal(ctx,key,&keylen);
129 + EVP_MD_CTX_free(ctx);
130 +#else // OPENSSL_VERSION_NUMBER < 0x10100000L
131 unsigned int keylen = 0;
132 EVP_MD_CTX *ctx = EVP_MD_CTX_new();
133 #if defined EVP_MD_CTX_FLAG_NON_FIPS_ALLOW && ! defined(LIBRESSL_VERSION_NUMBER)
134 @@ -265,7 +275,7 @@ int stun_produce_integrity_key_str(const
135 EVP_DigestUpdate(ctx,str,strl);
136 EVP_DigestFinal(ctx,key,&keylen);
137 EVP_MD_CTX_free(ctx);
139 +#endif // OPENSSL_VERSION_NUMBER < 0X10100000L
143 --- a/src/apps/relay/netengine.c
144 +++ b/src/apps/relay/netengine.c
146 #include "mainrelay.h"
148 //////////// Backward compatibility with OpenSSL 1.0.x //////////////
149 -#define HAVE_OPENSSL11_API (!(OPENSSL_VERSION_NUMBER < 0x10100001L || defined LIBRESSL_VERSION_NUMBER))
151 -#ifndef HAVE_SSL_CTX_UP_REF
152 -#define HAVE_SSL_CTX_UP_REF HAVE_OPENSSL11_API
155 -#if !HAVE_SSL_CTX_UP_REF
156 +#if (OPENSSL_VERSION_NUMBER < 0x10100001L || defined LIBRESSL_VERSION_NUMBER)
157 #define SSL_CTX_up_ref(ctx) CRYPTO_add(&(ctx)->references, 1, CRYPTO_LOCK_SSL_CTX)
160 --- a/src/apps/relay/mainrelay.c
161 +++ b/src/apps/relay/mainrelay.c
162 @@ -1353,7 +1353,6 @@ static void set_option(int c, char *valu
163 STRCPY(turn_params.relay_ifname, value);
166 -#if defined(OPENSSL_THREADS)
167 if(atoi(value)>MAX_NUMBER_OF_GENERAL_RELAY_SERVERS) {
168 TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: max number of relay threads is 128.\n");
169 turn_params.general_relay_servers_number = MAX_NUMBER_OF_GENERAL_RELAY_SERVERS;
170 @@ -1362,9 +1361,6 @@ static void set_option(int c, char *valu
172 turn_params.general_relay_servers_number = atoi(value);
175 - TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: OpenSSL version is too old OR does not support threading,\n I am using single thread for relaying.\n");
179 STRCPY(turn_params.listener_ifname, value);
180 @@ -2640,9 +2636,8 @@ int main(int argc, char **argv)
182 ////////// OpenSSL locking ////////////////////////////////////////
184 -#if defined(OPENSSL_THREADS)
186 -static char some_buffer[65536];
187 +#if defined(OPENSSL_THREADS)
188 +#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0
190 //array larger than anything that OpenSSL may need:
191 static pthread_mutex_t mutex_buf[256];
192 @@ -2660,76 +2655,52 @@ void coturn_locking_function(int mode, i
196 -#if OPENSSL_VERSION_NUMBER >= 0x10000000L
197 void coturn_id_function(CRYPTO_THREADID *ctid);
198 void coturn_id_function(CRYPTO_THREADID *ctid)
201 CRYPTO_THREADID_set_numeric(ctid, (unsigned long)pthread_self());
204 -unsigned long coturn_id_function(void);
205 -unsigned long coturn_id_function(void)
207 - return (unsigned long)pthread_self();
213 static int THREAD_setup(void) {
215 -#if defined(OPENSSL_THREADS)
219 - some_buffer[0] = 0;
222 for (i = 0; i < CRYPTO_num_locks(); i++) {
223 pthread_mutex_init(&(mutex_buf[i]), NULL);
226 mutex_buf_initialized = 1;
228 -#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER <= OPENSSL_VERSION_1_1_1
229 CRYPTO_THREADID_set_callback(coturn_id_function);
231 - CRYPTO_set_id_callback(coturn_id_function);
234 CRYPTO_set_locking_callback(coturn_locking_function);
240 int THREAD_cleanup(void);
241 int THREAD_cleanup(void) {
244 -#if defined(OPENSSL_THREADS)
247 + if (!mutex_buf_initialized)
250 - if (!mutex_buf_initialized)
252 + CRYPTO_THREADID_set_callback(NULL);
253 + CRYPTO_set_locking_callback(NULL);
254 + for (i = 0; i < CRYPTO_num_locks(); i++) {
255 + pthread_mutex_destroy(&(mutex_buf[i]));
258 -#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER <= OPENSSL_VERSION_1_1_1
259 - CRYPTO_THREADID_set_callback(NULL);
260 + mutex_buf_initialized = 0;
264 - CRYPTO_set_id_callback(NULL);
267 - CRYPTO_set_locking_callback(NULL);
268 - for (i = 0; i < CRYPTO_num_locks(); i++) {
269 - pthread_mutex_destroy(&(mutex_buf[i]));
272 - mutex_buf_initialized = 0;
275 +static int THREAD_setup(void) {
280 +int THREAD_cleanup(void);
281 +int THREAD_cleanup(void){
284 +#endif /* OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0 */
285 +#endif /* defined(OPENSSL_THREADS) */
287 static void adjust_key_file_name(char *fn, const char* file_title, int critical)