Merge pull request #864 from neheb/2
[feed/telephony.git] / net / coturn / patches / 100-coturn-4.6.0-openssl3-from-gentoo.patch
1 https://github.com/coturn/coturn/commit/9af9f6306ab73c3403f9e11086b1936e9148f7de
2 https://github.com/coturn/coturn/commit/4ce784a8781ab086c150e2b9f5641b1a37fd9b31
3 https://github.com/coturn/coturn/commit/9370bb742d976166a51032760da1ecedefb92267
4 https://github.com/coturn/coturn/commit/d72a2a8920b80ce66b36e22b2c22f308ad06c424
5
6 From 9af9f6306ab73c3403f9e11086b1936e9148f7de Mon Sep 17 00:00:00 2001
7 From: Pavel Punsky <eakraly@users.noreply.github.com>
8 Date: Wed, 14 Sep 2022 03:29:26 -0700
9 Subject: [PATCH] Fix renegotiation flag for older version of openssl (#978)
10
11 `SSL_OP_NO_RENEGOTIATION` is only supported in openssl-1.1.0 and above
12 Older versions have `SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS `
13
14 Fixes #977 and #952
15
16 Test:
17 Build in a docker container running running openssl-1.0.2g (ubuntu
18 16.04) successfully (without the fix getting the same errors)
19 --- a/src/apps/relay/dtls_listener.c
20 +++ b/src/apps/relay/dtls_listener.c
21 @@ -295,8 +295,17 @@ static ioa_socket_handle dtls_server_inp
22 SSL_set_accept_state(connecting_ssl);
23
24 SSL_set_bio(connecting_ssl, NULL, wbio);
25 - SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE | SSL_OP_NO_RENEGOTIATION);
26 -
27 + SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE
28 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
29 +#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
30 + | SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
31 +#endif
32 +#else
33 +#if defined(SSL_OP_NO_RENEGOTIATION)
34 + | SSL_OP_NO_RENEGOTIATION
35 +#endif
36 +#endif
37 + );
38 SSL_set_max_cert_list(connecting_ssl, 655350);
39
40 ioa_socket_handle rc = dtls_accept_client_connection(server, s, connecting_ssl,
41 @@ -581,7 +590,17 @@ static int create_new_connected_udp_sock
42
43 SSL_set_bio(connecting_ssl, NULL, wbio);
44
45 - SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE | SSL_OP_NO_RENEGOTIATION);
46 + SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE
47 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
48 +#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
49 + | SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
50 +#endif
51 +#else
52 +#if defined(SSL_OP_NO_RENEGOTIATION)
53 + | SSL_OP_NO_RENEGOTIATION
54 +#endif
55 +#endif
56 + );
57
58 SSL_set_max_cert_list(connecting_ssl, 655350);
59 int rc = ssl_read(ret->fd, connecting_ssl, server->sm.m.sm.nd.nbh,
60 --- a/src/apps/relay/ns_ioalib_engine_impl.c
61 +++ b/src/apps/relay/ns_ioalib_engine_impl.c
62 @@ -1428,7 +1428,17 @@ static void set_socket_ssl(ioa_socket_ha
63 if(ssl) {
64 SSL_set_app_data(ssl,s);
65 SSL_set_info_callback(ssl, (ssl_info_callback_t)ssl_info_callback);
66 - SSL_set_options(ssl, SSL_OP_NO_RENEGOTIATION);
67 + SSL_set_options(ssl,
68 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
69 +#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
70 + SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
71 +#endif
72 +#else
73 +#if defined(SSL_OP_NO_RENEGOTIATION)
74 + SSL_OP_NO_RENEGOTIATION
75 +#endif
76 +#endif
77 + );
78 }
79 }
80 }
81 @@ -1864,7 +1874,11 @@ int ssl_read(evutil_socket_t fd, SSL* ss
82
83 } else if (!if1 && if2) {
84
85 +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
86 + if(verbose && SSL_get1_peer_certificate(ssl)) {
87 +#else
88 if(verbose && SSL_get_peer_certificate(ssl)) {
89 +#endif
90 printf("\n------------------------------------------------------------\n");
91 X509_NAME_print_ex_fp(stdout, X509_get_subject_name(SSL_get_peer_certificate(ssl)), 1,
92 XN_FLAG_MULTILINE);
93 --- a/src/apps/uclient/startuclient.c
94 +++ b/src/apps/uclient/startuclient.c
95 @@ -138,7 +138,11 @@ static SSL* tls_connect(ioa_socket_raw f
96 if (rc > 0) {
97 TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,"%s: client session connected with cipher %s, method=%s\n",__FUNCTION__,
98 SSL_get_cipher(ssl),turn_get_ssl_method(ssl,NULL));
99 +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
100 + if(clnet_verbose && SSL_get1_peer_certificate(ssl)) {
101 +#else
102 if(clnet_verbose && SSL_get_peer_certificate(ssl)) {
103 +#endif
104 TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "------------------------------------------------------------\n");
105 X509_NAME_print_ex_fp(stdout, X509_get_subject_name(SSL_get_peer_certificate(ssl)), 1,
106 XN_FLAG_MULTILINE);
107 --- a/src/client/ns_turn_msg.c
108 +++ b/src/client/ns_turn_msg.c
109 @@ -248,12 +248,22 @@ int stun_produce_integrity_key_str(const
110 if (FIPS_mode()) {
111 EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
112 }
113 -#endif
114 +#endif // defined EVP_MD_CTX_FLAG_NON_FIPS_ALLOW && !defined(LIBRESSL_VERSION_NUMBER)
115 EVP_DigestInit_ex(&ctx,EVP_md5(), NULL);
116 EVP_DigestUpdate(&ctx,str,strl);
117 EVP_DigestFinal(&ctx,key,&keylen);
118 EVP_MD_CTX_cleanup(&ctx);
119 -#else
120 +#elif OPENSSL_VERSION_NUMBER >= 0x30000000L
121 + unsigned int keylen = 0;
122 + EVP_MD_CTX *ctx = EVP_MD_CTX_new();
123 + if (EVP_default_properties_is_fips_enabled(NULL)) {
124 + EVP_default_properties_enable_fips(NULL, 0);
125 + }
126 + EVP_DigestInit_ex(ctx,EVP_md5(), NULL);
127 + EVP_DigestUpdate(ctx,str,strl);
128 + EVP_DigestFinal(ctx,key,&keylen);
129 + EVP_MD_CTX_free(ctx);
130 +#else // OPENSSL_VERSION_NUMBER < 0x10100000L
131 unsigned int keylen = 0;
132 EVP_MD_CTX *ctx = EVP_MD_CTX_new();
133 #if defined EVP_MD_CTX_FLAG_NON_FIPS_ALLOW && ! defined(LIBRESSL_VERSION_NUMBER)
134 @@ -265,7 +275,7 @@ int stun_produce_integrity_key_str(const
135 EVP_DigestUpdate(ctx,str,strl);
136 EVP_DigestFinal(ctx,key,&keylen);
137 EVP_MD_CTX_free(ctx);
138 -#endif
139 +#endif // OPENSSL_VERSION_NUMBER < 0X10100000L
140 ret = 0;
141 }
142
143 --- a/src/apps/relay/netengine.c
144 +++ b/src/apps/relay/netengine.c
145 @@ -31,13 +31,7 @@
146 #include "mainrelay.h"
147
148 //////////// Backward compatibility with OpenSSL 1.0.x //////////////
149 -#define HAVE_OPENSSL11_API (!(OPENSSL_VERSION_NUMBER < 0x10100001L || defined LIBRESSL_VERSION_NUMBER))
150 -
151 -#ifndef HAVE_SSL_CTX_UP_REF
152 -#define HAVE_SSL_CTX_UP_REF HAVE_OPENSSL11_API
153 -#endif
154 -
155 -#if !HAVE_SSL_CTX_UP_REF
156 +#if (OPENSSL_VERSION_NUMBER < 0x10100001L || defined LIBRESSL_VERSION_NUMBER)
157 #define SSL_CTX_up_ref(ctx) CRYPTO_add(&(ctx)->references, 1, CRYPTO_LOCK_SSL_CTX)
158 #endif
159
160 --- a/src/apps/relay/mainrelay.c
161 +++ b/src/apps/relay/mainrelay.c
162 @@ -1353,7 +1353,6 @@ static void set_option(int c, char *valu
163 STRCPY(turn_params.relay_ifname, value);
164 break;
165 case 'm':
166 -#if defined(OPENSSL_THREADS)
167 if(atoi(value)>MAX_NUMBER_OF_GENERAL_RELAY_SERVERS) {
168 TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: max number of relay threads is 128.\n");
169 turn_params.general_relay_servers_number = MAX_NUMBER_OF_GENERAL_RELAY_SERVERS;
170 @@ -1362,9 +1361,6 @@ static void set_option(int c, char *valu
171 } else {
172 turn_params.general_relay_servers_number = atoi(value);
173 }
174 -#else
175 - TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: OpenSSL version is too old OR does not support threading,\n I am using single thread for relaying.\n");
176 -#endif
177 break;
178 case 'd':
179 STRCPY(turn_params.listener_ifname, value);
180 @@ -2640,9 +2636,8 @@ int main(int argc, char **argv)
181
182 ////////// OpenSSL locking ////////////////////////////////////////
183
184 -#if defined(OPENSSL_THREADS)
185 -
186 -static char some_buffer[65536];
187 +#if defined(OPENSSL_THREADS)
188 +#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0
189
190 //array larger than anything that OpenSSL may need:
191 static pthread_mutex_t mutex_buf[256];
192 @@ -2660,76 +2655,52 @@ void coturn_locking_function(int mode, i
193 }
194 }
195
196 -#if OPENSSL_VERSION_NUMBER >= 0x10000000L
197 void coturn_id_function(CRYPTO_THREADID *ctid);
198 void coturn_id_function(CRYPTO_THREADID *ctid)
199 {
200 UNUSED_ARG(ctid);
201 CRYPTO_THREADID_set_numeric(ctid, (unsigned long)pthread_self());
202 }
203 -#else
204 -unsigned long coturn_id_function(void);
205 -unsigned long coturn_id_function(void)
206 -{
207 - return (unsigned long)pthread_self();
208 -}
209 -#endif
210 -
211 -#endif
212
213 static int THREAD_setup(void) {
214 -
215 -#if defined(OPENSSL_THREADS)
216 -
217 - int i;
218 -
219 - some_buffer[0] = 0;
220 -
221 + int i;
222 for (i = 0; i < CRYPTO_num_locks(); i++) {
223 pthread_mutex_init(&(mutex_buf[i]), NULL);
224 }
225
226 mutex_buf_initialized = 1;
227 -
228 -#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER <= OPENSSL_VERSION_1_1_1
229 CRYPTO_THREADID_set_callback(coturn_id_function);
230 -#else
231 - CRYPTO_set_id_callback(coturn_id_function);
232 -#endif
233 -
234 CRYPTO_set_locking_callback(coturn_locking_function);
235 -#endif
236 -
237 return 1;
238 }
239
240 int THREAD_cleanup(void);
241 int THREAD_cleanup(void) {
242 + int i;
243
244 -#if defined(OPENSSL_THREADS)
245 -
246 - int i;
247 + if (!mutex_buf_initialized)
248 + return 0;
249
250 - if (!mutex_buf_initialized)
251 - return 0;
252 + CRYPTO_THREADID_set_callback(NULL);
253 + CRYPTO_set_locking_callback(NULL);
254 + for (i = 0; i < CRYPTO_num_locks(); i++) {
255 + pthread_mutex_destroy(&(mutex_buf[i]));
256 + }
257
258 -#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER <= OPENSSL_VERSION_1_1_1
259 - CRYPTO_THREADID_set_callback(NULL);
260 + mutex_buf_initialized = 0;
261 + return 1;
262 +}
263 #else
264 - CRYPTO_set_id_callback(NULL);
265 -#endif
266 -
267 - CRYPTO_set_locking_callback(NULL);
268 - for (i = 0; i < CRYPTO_num_locks(); i++) {
269 - pthread_mutex_destroy(&(mutex_buf[i]));
270 - }
271 -
272 - mutex_buf_initialized = 0;
273 -
274 -#endif
275 +static int THREAD_setup(void) {
276 + return 1;
277 +}
278
279 - return 1;
280 +int THREAD_cleanup(void);
281 +int THREAD_cleanup(void){
282 + return 1;
283 }
284 +#endif /* OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0 */
285 +#endif /* defined(OPENSSL_THREADS) */
286
287 static void adjust_key_file_name(char *fn, const char* file_title, int critical)
288 {
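Review bot: On the pre-1.1.0 branch of the three SSL_set_options() edits (both sites in dtls_listener.c and set_socket_ssl in ns_ioalib_engine_impl.c) `SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS` is a bit of the internal s3->flags word in the 1.0.x headers, not an SSL_OP_* value, so passing it to `SSL_set_options()` sets an unrelated option bit (its value 0x0001 is `SSL_OP_MICROSOFT_SESS_ID_BUG` in those headers) and client-initiated renegotiation stays enabled on such builds; each of these calls sits mid-function, with the rest of the function outside the hunk. The build error is fixed but the protection is not, so either drop that branch so the gap is visible or mark it at each site with `/* OpenSSL < 1.1.0: SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is not an SSL_OP_* value; this adds nothing, renegotiation must be refused from the info callback */`, the callback already installed in set_socket_ssl being the natural place. Separately, the new OpenSSL 3 branch of stun_produce_integrity_key_str calls `EVP_default_properties_enable_fips(NULL, 0)`, which switches FIPS off for the whole process default context rather than for this one MD5 digest as the 1.x `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW` path did. Fetching the digest explicitly with `EVP_MD_fetch(NULL, "MD5", "-fips")` keeps the global policy intact, and the unchecked `EVP_DigestInit_ex()` return in that branch means an unavailable MD5 leaves key unset while ret is still set to 0. In the two SSL_get1_peer_certificate() edits the returned reference is never released, and the `X509_get_subject_name(SSL_get_peer_certificate(ssl))` call two lines below each of them still uses the old name, so the conversion is incomplete and leaks one certificate reference per verbose handshake on every OpenSSL version.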