| 1 |
commit: c0ca7de3d5a6cf9272978d19b813c5697abba710 |
| 2 |
Author: Sam James <sam <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Mon Oct 31 01:24:28 2022 +0000 |
| 4 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Mon Oct 31 01:42:25 2022 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0ca7de3 |
| 7 |
|
| 8 |
net-im/coturn: add 4.6.0 |
| 9 |
|
| 10 |
Closes: https://bugs.gentoo.org/729820 |
| 11 |
Signed-off-by: Sam James <sam <AT> gentoo.org> |
| 12 |
|
| 13 |
net-im/coturn/Manifest | 1 + |
| 14 |
.../{coturn-9999.ebuild => coturn-4.6.0.ebuild} | 31 +- |
| 15 |
net-im/coturn/coturn-9999.ebuild | 31 +- |
| 16 |
net-im/coturn/files/coturn-4.6.0-openssl3.patch | 356 +++++++++++++++++++++ |
| 17 |
4 files changed, 399 insertions(+), 20 deletions(-) |
| 18 |
|
| 19 |
diff --git a/net-im/coturn/Manifest b/net-im/coturn/Manifest |
| 20 |
index f6b191a10c62..b7be62479570 100644 |
| 21 |
--- a/net-im/coturn/Manifest |
| 22 |
+++ b/net-im/coturn/Manifest |
| 23 |
@@ -1 +1,2 @@ |
| 24 |
DIST coturn-4.5.2.tar.gz 442745 BLAKE2B c18d5f5cfedd600875c0bfa08b874ef6316a5aa9af34c27e2901825da412b794d437e08f0706f9651bdf6d3d19e151486af39a42f2326c7ab6bb802d33fd0ba4 SHA512 00e86a3a273a8e4e69deaefd338bdd6c44739a807f21a72a2d68efc089053e16efd1d5b34b0c6dea7a0fa2b66f70821d8c3e1107561e1f08dfac2c93933a6121 |
| 25 |
+DIST coturn-4.6.0.tar.gz 474423 BLAKE2B b70ecd1f333f4f9f37adcab6f5fd3406aa0eb962488b7cae4a30c9339cf7b11b2bfedd1fa70bd3b0c32bf82702d39eb22278506521f71e0cb6aaadee9d3c3d05 SHA512 a80ea1b8d9c78b8f9fc632517a0246cb0d2d4ff21c59d53827f026fb3a145a01b3bec637af94a96b525c35251cb5e9e209ba7f368f08e12ef61220bcb784637c |
| 26 |
|
| 27 |
diff --git a/net-im/coturn/coturn-9999.ebuild b/net-im/coturn/coturn-4.6.0.ebuild |
| 28 |
similarity index 80% |
| 29 |
copy from net-im/coturn/coturn-9999.ebuild |
| 30 |
copy to net-im/coturn/coturn-4.6.0.ebuild |
| 31 |
index d3a3c8813604..8c10c10306aa 100644 |
| 32 |
--- a/net-im/coturn/coturn-9999.ebuild |
| 33 |
+++ b/net-im/coturn/coturn-4.6.0.ebuild |
| 34 |
@@ -4,22 +4,25 @@ |
| 35 |
EAPI=7 |
| 36 |
|
| 37 |
inherit toolchain-funcs systemd tmpfiles |
| 38 |
+ |
| 39 |
DESCRIPTION="coturn TURN server project" |
| 40 |
HOMEPAGE="https://github.com/coturn/coturn" |
| 41 |
|
| 42 |
-if [ ${PV} = 9999 ]; then |
| 43 |
- EGIT_REPO_URI="https://github.com/${PN}/${PN}.git" |
| 44 |
+if [[ ${PV} == *9999 ]]; then |
| 45 |
+ EGIT_REPO_URI="https://github.com/coturn/coturn.git" |
| 46 |
inherit git-r3 |
| 47 |
-# S="${WORKDIR}/${PN}-master" |
| 48 |
+ #S="${WORKDIR}/${PN}-master" |
| 49 |
else |
| 50 |
+ SRC_URI="https://github.com/coturn/coturn/archive/${PV}.tar.gz -> ${P}.tar.gz" |
| 51 |
KEYWORDS="~amd64 ~x86" |
| 52 |
- SRC_URI="https://github.com/${PN}/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz" |
| 53 |
fi |
| 54 |
|
| 55 |
LICENSE="BSD" |
| 56 |
SLOT="0" |
| 57 |
IUSE="mongodb mysql postgres redis sqlite" |
| 58 |
-RDEPEND="acct-group/turnserver |
| 59 |
+ |
| 60 |
+RDEPEND=" |
| 61 |
+ acct-group/turnserver |
| 62 |
acct-user/turnserver |
| 63 |
>dev-libs/libevent-2.1.8:= |
| 64 |
dev-libs/openssl:= |
| 65 |
@@ -27,18 +30,21 @@ RDEPEND="acct-group/turnserver |
| 66 |
mysql? ( dev-db/mysql-connector-c:= ) |
| 67 |
postgres? ( dev-db/postgresql:* ) |
| 68 |
redis? ( dev-libs/hiredis:= ) |
| 69 |
- sqlite? ( dev-db/sqlite )" |
| 70 |
+ sqlite? ( dev-db/sqlite ) |
| 71 |
+" |
| 72 |
DEPEND="${RDEPEND}" |
| 73 |
BDEPEND="virtual/pkgconfig" |
| 74 |
|
| 75 |
PATCHES=( |
| 76 |
"${FILESDIR}"/${PN}-4.5.2-respect-TMPDIR.patch |
| 77 |
+ "${FILESDIR}"/${P}-openssl3.patch |
| 78 |
) |
| 79 |
|
| 80 |
src_configure() { |
| 81 |
- if [ -n "${AR}" ]; then |
| 82 |
+ if [[ -n "${AR}" ]]; then |
| 83 |
sed 's:ARCHIVERCMD="ar -r":ARCHIVERCMD="${AR} -r":g' -i "${S}/configure" |
| 84 |
fi |
| 85 |
+ |
| 86 |
sed 's:MANPREFIX}/man/:MANPREFIX}/:g' -i "${S}/Makefile.in" || die "sed for mandir failed" |
| 87 |
sed 's:#log-file=/var/tmp/turn.log:log-file=/var/log/turnserver.log:' \ |
| 88 |
-i "${S}/examples/etc/turnserver.conf" || die "sed for logdir failed" |
| 89 |
@@ -46,6 +52,7 @@ src_configure() { |
| 90 |
|| die "sed for simple-log failed" |
| 91 |
sed '/INSTALL_DIR} examples\/script/a \ \${INSTALL_DIR} examples\/ca \${DESTDIR}${EXAMPLESDIR}' \ |
| 92 |
-i "${S}/Makefile.in" || die "sed for example ca failed" |
| 93 |
+ |
| 94 |
if ! use mongodb; then |
| 95 |
export TURN_NO_MONGO=yes |
| 96 |
fi |
| 97 |
@@ -73,15 +80,19 @@ src_configure() { |
| 98 |
|
| 99 |
src_install() { |
| 100 |
default |
| 101 |
+ |
| 102 |
newinitd "${FILESDIR}/turnserver.init" turnserver |
| 103 |
+ |
| 104 |
insinto /etc/logrotate.d |
| 105 |
newins "${FILESDIR}/logrotate.${PN}" "${PN}" |
| 106 |
+ |
| 107 |
systemd_dounit "${FILESDIR}/${PN}.service" |
| 108 |
dotmpfiles "${FILESDIR}/${PN}.conf" |
| 109 |
} |
| 110 |
|
| 111 |
pkg_postinst() { |
| 112 |
- tmpfiles_process "${PN}.conf" |
| 113 |
- elog "You need to copy /etc/turnserver.conf.default to" |
| 114 |
- elog "/etc/turnserver.conf and do your settings there." |
| 115 |
+ tmpfiles_process ${PN}.conf |
| 116 |
+ |
| 117 |
+ elog "You need to copy ${EROOT}/etc/turnserver.conf.default to" |
| 118 |
+ elog "${EROOT}/etc/turnserver.conf and do your settings there." |
| 119 |
} |
| 120 |
|
| 121 |
diff --git a/net-im/coturn/coturn-9999.ebuild b/net-im/coturn/coturn-9999.ebuild |
| 122 |
index d3a3c8813604..8c10c10306aa 100644 |
| 123 |
--- a/net-im/coturn/coturn-9999.ebuild |
| 124 |
+++ b/net-im/coturn/coturn-9999.ebuild |
| 125 |
@@ -4,22 +4,25 @@ |
| 126 |
EAPI=7 |
| 127 |
|
| 128 |
inherit toolchain-funcs systemd tmpfiles |
| 129 |
+ |
| 130 |
DESCRIPTION="coturn TURN server project" |
| 131 |
HOMEPAGE="https://github.com/coturn/coturn" |
| 132 |
|
| 133 |
-if [ ${PV} = 9999 ]; then |
| 134 |
- EGIT_REPO_URI="https://github.com/${PN}/${PN}.git" |
| 135 |
+if [[ ${PV} == *9999 ]]; then |
| 136 |
+ EGIT_REPO_URI="https://github.com/coturn/coturn.git" |
| 137 |
inherit git-r3 |
| 138 |
-# S="${WORKDIR}/${PN}-master" |
| 139 |
+ #S="${WORKDIR}/${PN}-master" |
| 140 |
else |
| 141 |
+ SRC_URI="https://github.com/coturn/coturn/archive/${PV}.tar.gz -> ${P}.tar.gz" |
| 142 |
KEYWORDS="~amd64 ~x86" |
| 143 |
- SRC_URI="https://github.com/${PN}/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz" |
| 144 |
fi |
| 145 |
|
| 146 |
LICENSE="BSD" |
| 147 |
SLOT="0" |
| 148 |
IUSE="mongodb mysql postgres redis sqlite" |
| 149 |
-RDEPEND="acct-group/turnserver |
| 150 |
+ |
| 151 |
+RDEPEND=" |
| 152 |
+ acct-group/turnserver |
| 153 |
acct-user/turnserver |
| 154 |
>dev-libs/libevent-2.1.8:= |
| 155 |
dev-libs/openssl:= |
| 156 |
@@ -27,18 +30,21 @@ RDEPEND="acct-group/turnserver |
| 157 |
mysql? ( dev-db/mysql-connector-c:= ) |
| 158 |
postgres? ( dev-db/postgresql:* ) |
| 159 |
redis? ( dev-libs/hiredis:= ) |
| 160 |
- sqlite? ( dev-db/sqlite )" |
| 161 |
+ sqlite? ( dev-db/sqlite ) |
| 162 |
+" |
| 163 |
DEPEND="${RDEPEND}" |
| 164 |
BDEPEND="virtual/pkgconfig" |
| 165 |
|
| 166 |
PATCHES=( |
| 167 |
"${FILESDIR}"/${PN}-4.5.2-respect-TMPDIR.patch |
| 168 |
+ "${FILESDIR}"/${P}-openssl3.patch |
| 169 |
) |
| 170 |
|
| 171 |
src_configure() { |
| 172 |
- if [ -n "${AR}" ]; then |
| 173 |
+ if [[ -n "${AR}" ]]; then |
| 174 |
sed 's:ARCHIVERCMD="ar -r":ARCHIVERCMD="${AR} -r":g' -i "${S}/configure" |
| 175 |
fi |
| 176 |
+ |
| 177 |
sed 's:MANPREFIX}/man/:MANPREFIX}/:g' -i "${S}/Makefile.in" || die "sed for mandir failed" |
| 178 |
sed 's:#log-file=/var/tmp/turn.log:log-file=/var/log/turnserver.log:' \ |
| 179 |
-i "${S}/examples/etc/turnserver.conf" || die "sed for logdir failed" |
| 180 |
@@ -46,6 +52,7 @@ src_configure() { |
| 181 |
|| die "sed for simple-log failed" |
| 182 |
sed '/INSTALL_DIR} examples\/script/a \ \${INSTALL_DIR} examples\/ca \${DESTDIR}${EXAMPLESDIR}' \ |
| 183 |
-i "${S}/Makefile.in" || die "sed for example ca failed" |
| 184 |
+ |
| 185 |
if ! use mongodb; then |
| 186 |
export TURN_NO_MONGO=yes |
| 187 |
fi |
| 188 |
@@ -73,15 +80,19 @@ src_configure() { |
| 189 |
|
| 190 |
src_install() { |
| 191 |
default |
| 192 |
+ |
| 193 |
newinitd "${FILESDIR}/turnserver.init" turnserver |
| 194 |
+ |
| 195 |
insinto /etc/logrotate.d |
| 196 |
newins "${FILESDIR}/logrotate.${PN}" "${PN}" |
| 197 |
+ |
| 198 |
systemd_dounit "${FILESDIR}/${PN}.service" |
| 199 |
dotmpfiles "${FILESDIR}/${PN}.conf" |
| 200 |
} |
| 201 |
|
| 202 |
pkg_postinst() { |
| 203 |
- tmpfiles_process "${PN}.conf" |
| 204 |
- elog "You need to copy /etc/turnserver.conf.default to" |
| 205 |
- elog "/etc/turnserver.conf and do your settings there." |
| 206 |
+ tmpfiles_process ${PN}.conf |
| 207 |
+ |
| 208 |
+ elog "You need to copy ${EROOT}/etc/turnserver.conf.default to" |
| 209 |
+ elog "${EROOT}/etc/turnserver.conf and do your settings there." |
| 210 |
} |
| 211 |
|
| 212 |
diff --git a/net-im/coturn/files/coturn-4.6.0-openssl3.patch b/net-im/coturn/files/coturn-4.6.0-openssl3.patch |
| 213 |
new file mode 100644 |
| 214 |
index 000000000000..19b88048af50 |
| 215 |
--- /dev/null |
| 216 |
+++ b/net-im/coturn/files/coturn-4.6.0-openssl3.patch |
| 217 |
@@ -0,0 +1,356 @@ |
| 218 |
+https://github.com/coturn/coturn/commit/9af9f6306ab73c3403f9e11086b1936e9148f7de |
| 219 |
+https://github.com/coturn/coturn/commit/4ce784a8781ab086c150e2b9f5641b1a37fd9b31 |
| 220 |
+https://github.com/coturn/coturn/commit/9370bb742d976166a51032760da1ecedefb92267 |
| 221 |
+https://github.com/coturn/coturn/commit/d72a2a8920b80ce66b36e22b2c22f308ad06c424 |
| 222 |
+ |
| 223 |
+From 9af9f6306ab73c3403f9e11086b1936e9148f7de Mon Sep 17 00:00:00 2001 |
| 224 |
+From: Pavel Punsky <eakraly@××××××××××××××××××××.com> |
| 225 |
+Date: Wed, 14 Sep 2022 03:29:26 -0700 |
| 226 |
+Subject: [PATCH] Fix renegotiation flag for older version of openssl (#978) |
| 227 |
+ |
| 228 |
+`SSL_OP_NO_RENEGOTIATION` is only supported in openssl-1.1.0 and above |
| 229 |
+Older versions have `SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS ` |
| 230 |
+ |
| 231 |
+Fixes #977 and #952 |
| 232 |
+ |
| 233 |
+Test: |
| 234 |
+Build in a docker container running running openssl-1.0.2g (ubuntu |
| 235 |
+16.04) successfully (without the fix getting the same errors) |
| 236 |
+--- a/src/apps/relay/dtls_listener.c |
| 237 |
++++ b/src/apps/relay/dtls_listener.c |
| 238 |
+@@ -295,8 +295,17 @@ static ioa_socket_handle dtls_server_input_handler(dtls_listener_relay_server_ty |
| 239 |
+ SSL_set_accept_state(connecting_ssl); |
| 240 |
+ |
| 241 |
+ SSL_set_bio(connecting_ssl, NULL, wbio); |
| 242 |
+- SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE | SSL_OP_NO_RENEGOTIATION); |
| 243 |
+- |
| 244 |
++ SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE |
| 245 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
| 246 |
++#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) |
| 247 |
++ | SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS |
| 248 |
++#endif |
| 249 |
++#else |
| 250 |
++#if defined(SSL_OP_NO_RENEGOTIATION) |
| 251 |
++ | SSL_OP_NO_RENEGOTIATION |
| 252 |
++#endif |
| 253 |
++#endif |
| 254 |
++ ); |
| 255 |
+ SSL_set_max_cert_list(connecting_ssl, 655350); |
| 256 |
+ |
| 257 |
+ ioa_socket_handle rc = dtls_accept_client_connection(server, s, connecting_ssl, |
| 258 |
+@@ -581,7 +590,17 @@ static int create_new_connected_udp_socket( |
| 259 |
+ |
| 260 |
+ SSL_set_bio(connecting_ssl, NULL, wbio); |
| 261 |
+ |
| 262 |
+- SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE | SSL_OP_NO_RENEGOTIATION); |
| 263 |
++ SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE |
| 264 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
| 265 |
++#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) |
| 266 |
++ | SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS |
| 267 |
++#endif |
| 268 |
++#else |
| 269 |
++#if defined(SSL_OP_NO_RENEGOTIATION) |
| 270 |
++ | SSL_OP_NO_RENEGOTIATION |
| 271 |
++#endif |
| 272 |
++#endif |
| 273 |
++ ); |
| 274 |
+ |
| 275 |
+ SSL_set_max_cert_list(connecting_ssl, 655350); |
| 276 |
+ int rc = ssl_read(ret->fd, connecting_ssl, server->sm.m.sm.nd.nbh, |
| 277 |
+--- a/src/apps/relay/ns_ioalib_engine_impl.c |
| 278 |
++++ b/src/apps/relay/ns_ioalib_engine_impl.c |
| 279 |
+@@ -1428,7 +1428,17 @@ static void set_socket_ssl(ioa_socket_handle s, SSL *ssl) |
| 280 |
+ if(ssl) { |
| 281 |
+ SSL_set_app_data(ssl,s); |
| 282 |
+ SSL_set_info_callback(ssl, (ssl_info_callback_t)ssl_info_callback); |
| 283 |
+- SSL_set_options(ssl, SSL_OP_NO_RENEGOTIATION); |
| 284 |
++ SSL_set_options(ssl, |
| 285 |
++#if OPENSSL_VERSION_NUMBER < 0x10100000L |
| 286 |
++#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) |
| 287 |
++ SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS |
| 288 |
++#endif |
| 289 |
++#else |
| 290 |
++#if defined(SSL_OP_NO_RENEGOTIATION) |
| 291 |
++ SSL_OP_NO_RENEGOTIATION |
| 292 |
++#endif |
| 293 |
++#endif |
| 294 |
++ ); |
| 295 |
+ } |
| 296 |
+ } |
| 297 |
+ } |
| 298 |
+ |
| 299 |
+From 4ce784a8781ab086c150e2b9f5641b1a37fd9b31 Mon Sep 17 00:00:00 2001 |
| 300 |
+From: Pavel Punsky <eakraly@××××××××××××××××××××.com> |
| 301 |
+Date: Fri, 16 Sep 2022 00:46:45 -0700 |
| 302 |
+Subject: [PATCH] Improve openssl3 and FIPS support (#955) |
| 303 |
+ |
| 304 |
+openssl-3.0 deprecated some APIs and introduced new APIs instead: |
| 305 |
+ |
| 306 |
+`SSL_get_peer_certificate ` -> `SSL_get1_peer_certificate ` |
| 307 |
+`FIPS_mode()`->`EVP_default_properties_is_fips_enabled()` |
| 308 |
+`EVP_MD_CTX_set_flags()`->`EVP_default_properties_enable_fips()` |
| 309 |
+specifically for enabling FIPS mode |
| 310 |
+ |
| 311 |
+This change should workaround that by ifdef-ing old/new versions of |
| 312 |
+openssl and APIs - so pre-3.0 use existing APIs (so not change there) |
| 313 |
+and >=3.0 will use new APIs (whether it actually works or not is still |
| 314 |
+TBD as this is just a first step in openssl-3.0 support) |
| 315 |
+ |
| 316 |
+Should fix #886 |
| 317 |
+ |
| 318 |
+Test Plan: |
| 319 |
+Run CI build that supports ubuntu-20.04 (openssl-1.1.1) and ubuntu-22.04 |
| 320 |
+(openssl-3.0.2) |
| 321 |
+Both builds pass |
| 322 |
+None of them have FIPS support (which for 1.1.x stays the same as |
| 323 |
+before) |
| 324 |
+ |
| 325 |
+Co-authored-by: Pavel Punsky <pavel.punsky@×××××××××.com> |
| 326 |
+--- a/src/apps/relay/ns_ioalib_engine_impl.c |
| 327 |
++++ b/src/apps/relay/ns_ioalib_engine_impl.c |
| 328 |
+@@ -1868,7 +1868,11 @@ int ssl_read(evutil_socket_t fd, SSL* ssl, ioa_network_buffer_handle nbh, int ve |
| 329 |
+ |
| 330 |
+ } else if (!if1 && if2) { |
| 331 |
+ |
| 332 |
++#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) |
| 333 |
++ if(verbose && SSL_get1_peer_certificate(ssl)) { |
| 334 |
++#else |
| 335 |
+ if(verbose && SSL_get_peer_certificate(ssl)) { |
| 336 |
++#endif |
| 337 |
+ printf("\n------------------------------------------------------------\n"); |
| 338 |
+ X509_NAME_print_ex_fp(stdout, X509_get_subject_name(SSL_get_peer_certificate(ssl)), 1, |
| 339 |
+ XN_FLAG_MULTILINE); |
| 340 |
+--- a/src/apps/uclient/startuclient.c |
| 341 |
++++ b/src/apps/uclient/startuclient.c |
| 342 |
+@@ -138,7 +138,11 @@ static SSL* tls_connect(ioa_socket_raw fd, ioa_addr *remote_addr, int *try_again |
| 343 |
+ if (rc > 0) { |
| 344 |
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,"%s: client session connected with cipher %s, method=%s\n",__FUNCTION__, |
| 345 |
+ SSL_get_cipher(ssl),turn_get_ssl_method(ssl,NULL)); |
| 346 |
++#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) |
| 347 |
++ if(clnet_verbose && SSL_get1_peer_certificate(ssl)) { |
| 348 |
++#else |
| 349 |
+ if(clnet_verbose && SSL_get_peer_certificate(ssl)) { |
| 350 |
++#endif |
| 351 |
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "------------------------------------------------------------\n"); |
| 352 |
+ X509_NAME_print_ex_fp(stdout, X509_get_subject_name(SSL_get_peer_certificate(ssl)), 1, |
| 353 |
+ XN_FLAG_MULTILINE); |
| 354 |
+--- a/src/client/ns_turn_msg.c |
| 355 |
++++ b/src/client/ns_turn_msg.c |
| 356 |
+@@ -248,12 +248,22 @@ int stun_produce_integrity_key_str(const uint8_t *uname, const uint8_t *realm, c |
| 357 |
+ if (FIPS_mode()) { |
| 358 |
+ EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); |
| 359 |
+ } |
| 360 |
+-#endif |
| 361 |
++#endif // defined EVP_MD_CTX_FLAG_NON_FIPS_ALLOW && !defined(LIBRESSL_VERSION_NUMBER) |
| 362 |
+ EVP_DigestInit_ex(&ctx,EVP_md5(), NULL); |
| 363 |
+ EVP_DigestUpdate(&ctx,str,strl); |
| 364 |
+ EVP_DigestFinal(&ctx,key,&keylen); |
| 365 |
+ EVP_MD_CTX_cleanup(&ctx); |
| 366 |
+-#else |
| 367 |
++#elif OPENSSL_VERSION_NUMBER >= 0x30000000L |
| 368 |
++ unsigned int keylen = 0; |
| 369 |
++ EVP_MD_CTX *ctx = EVP_MD_CTX_new(); |
| 370 |
++ if (EVP_default_properties_is_fips_enabled(NULL)) { |
| 371 |
++ EVP_default_properties_enable_fips(NULL, 0); |
| 372 |
++ } |
| 373 |
++ EVP_DigestInit_ex(ctx,EVP_md5(), NULL); |
| 374 |
++ EVP_DigestUpdate(ctx,str,strl); |
| 375 |
++ EVP_DigestFinal(ctx,key,&keylen); |
| 376 |
++ EVP_MD_CTX_free(ctx); |
| 377 |
++#else // OPENSSL_VERSION_NUMBER < 0x10100000L |
| 378 |
+ unsigned int keylen = 0; |
| 379 |
+ EVP_MD_CTX *ctx = EVP_MD_CTX_new(); |
| 380 |
+ #if defined EVP_MD_CTX_FLAG_NON_FIPS_ALLOW && ! defined(LIBRESSL_VERSION_NUMBER) |
| 381 |
+@@ -265,7 +275,7 @@ int stun_produce_integrity_key_str(const uint8_t *uname, const uint8_t *realm, c |
| 382 |
+ EVP_DigestUpdate(ctx,str,strl); |
| 383 |
+ EVP_DigestFinal(ctx,key,&keylen); |
| 384 |
+ EVP_MD_CTX_free(ctx); |
| 385 |
+-#endif |
| 386 |
++#endif // OPENSSL_VERSION_NUMBER < 0X10100000L |
| 387 |
+ ret = 0; |
| 388 |
+ } |
| 389 |
+ |
| 390 |
+ |
| 391 |
+From 9370bb742d976166a51032760da1ecedefb92267 Mon Sep 17 00:00:00 2001 |
| 392 |
+From: Pavel Punsky <eakraly@××××××××××××××××××××.com> |
| 393 |
+Date: Fri, 16 Sep 2022 23:29:32 -0700 |
| 394 |
+Subject: [PATCH] Fix a warning (#988) |
| 395 |
+ |
| 396 |
+There are too many defines that are, eventually, used in one place so |
| 397 |
+just inlining. |
| 398 |
+ |
| 399 |
+Current code generates following warning: |
| 400 |
+``` |
| 401 |
+warning: macro expansion producing 'defined' has undefined behavior [-Wexpansion-to-defined] |
| 402 |
+``` |
| 403 |
+ |
| 404 |
+With the fix there is no warning |
| 405 |
+ |
| 406 |
+Co-authored-by: Pavel Punsky <pavel.punsky@×××××××××.com> |
| 407 |
+--- a/src/apps/relay/netengine.c |
| 408 |
++++ b/src/apps/relay/netengine.c |
| 409 |
+@@ -31,13 +31,7 @@ |
| 410 |
+ #include "mainrelay.h" |
| 411 |
+ |
| 412 |
+ //////////// Backward compatibility with OpenSSL 1.0.x ////////////// |
| 413 |
+-#define HAVE_OPENSSL11_API (!(OPENSSL_VERSION_NUMBER < 0x10100001L || defined LIBRESSL_VERSION_NUMBER)) |
| 414 |
+- |
| 415 |
+-#ifndef HAVE_SSL_CTX_UP_REF |
| 416 |
+-#define HAVE_SSL_CTX_UP_REF HAVE_OPENSSL11_API |
| 417 |
+-#endif |
| 418 |
+- |
| 419 |
+-#if !HAVE_SSL_CTX_UP_REF |
| 420 |
++#if (OPENSSL_VERSION_NUMBER < 0x10100001L || defined LIBRESSL_VERSION_NUMBER) |
| 421 |
+ #define SSL_CTX_up_ref(ctx) CRYPTO_add(&(ctx)->references, 1, CRYPTO_LOCK_SSL_CTX) |
| 422 |
+ #endif |
| 423 |
+ |
| 424 |
+ |
| 425 |
+From d72a2a8920b80ce66b36e22b2c22f308ad06c424 Mon Sep 17 00:00:00 2001 |
| 426 |
+From: Pavel Punsky <eakraly@××××××××××××××××××××.com> |
| 427 |
+Date: Mon, 24 Oct 2022 13:06:35 -0700 |
| 428 |
+Subject: [PATCH] Cleanup openssl initialization (#1012) |
| 429 |
+ |
| 430 |
+Rewriting openssl initialization code (threading support to make it |
| 431 |
+cleaner |
| 432 |
+ |
| 433 |
+- Regroup functions so that there is one ifdef (for old code and new |
| 434 |
+code) |
| 435 |
+- Modern openssl (>1.0.2) does not need any synchornization routines so |
| 436 |
+they are empty |
| 437 |
+- Old openssl (<=1.0.2) now require `OPENSSL_THREADS` which allows |
| 438 |
+running multiple threads in turnserver. Not having turnserver |
| 439 |
+multi-threaded is a huge waste. `OPENSSL_THREADS` is now a requirement. |
| 440 |
+ |
| 441 |
+ |
| 442 |
+Test Plan: |
| 443 |
+- CI builds pass for openssl versions 1.0.2, 1.1.1, 3.0, including tests |
| 444 |
+--- a/src/apps/relay/mainrelay.c |
| 445 |
++++ b/src/apps/relay/mainrelay.c |
| 446 |
+@@ -1345,7 +1345,6 @@ static void set_option(int c, char *value) |
| 447 |
+ STRCPY(turn_params.relay_ifname, value); |
| 448 |
+ break; |
| 449 |
+ case 'm': |
| 450 |
+-#if defined(OPENSSL_THREADS) |
| 451 |
+ if(atoi(value)>MAX_NUMBER_OF_GENERAL_RELAY_SERVERS) { |
| 452 |
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: max number of relay threads is 128.\n"); |
| 453 |
+ turn_params.general_relay_servers_number = MAX_NUMBER_OF_GENERAL_RELAY_SERVERS; |
| 454 |
+@@ -1354,9 +1353,6 @@ static void set_option(int c, char *value) |
| 455 |
+ } else { |
| 456 |
+ turn_params.general_relay_servers_number = atoi(value); |
| 457 |
+ } |
| 458 |
+-#else |
| 459 |
+- TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: OpenSSL version is too old OR does not support threading,\n I am using single thread for relaying.\n"); |
| 460 |
+-#endif |
| 461 |
+ break; |
| 462 |
+ case 'd': |
| 463 |
+ STRCPY(turn_params.listener_ifname, value); |
| 464 |
+@@ -2645,9 +2641,8 @@ int main(int argc, char **argv) |
| 465 |
+ |
| 466 |
+ ////////// OpenSSL locking //////////////////////////////////////// |
| 467 |
+ |
| 468 |
+-#if defined(OPENSSL_THREADS) |
| 469 |
+- |
| 470 |
+-static char some_buffer[65536]; |
| 471 |
++#if defined(OPENSSL_THREADS) |
| 472 |
++#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0 |
| 473 |
+ |
| 474 |
+ //array larger than anything that OpenSSL may need: |
| 475 |
+ static pthread_mutex_t mutex_buf[256]; |
| 476 |
+@@ -2665,76 +2660,52 @@ void coturn_locking_function(int mode, int n, const char *file, int line) { |
| 477 |
+ } |
| 478 |
+ } |
| 479 |
+ |
| 480 |
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L |
| 481 |
+ void coturn_id_function(CRYPTO_THREADID *ctid); |
| 482 |
+ void coturn_id_function(CRYPTO_THREADID *ctid) |
| 483 |
+ { |
| 484 |
+ UNUSED_ARG(ctid); |
| 485 |
+ CRYPTO_THREADID_set_numeric(ctid, (unsigned long)pthread_self()); |
| 486 |
+ } |
| 487 |
+-#else |
| 488 |
+-unsigned long coturn_id_function(void); |
| 489 |
+-unsigned long coturn_id_function(void) |
| 490 |
+-{ |
| 491 |
+- return (unsigned long)pthread_self(); |
| 492 |
+-} |
| 493 |
+-#endif |
| 494 |
+- |
| 495 |
+-#endif |
| 496 |
+ |
| 497 |
+ static int THREAD_setup(void) { |
| 498 |
+- |
| 499 |
+-#if defined(OPENSSL_THREADS) |
| 500 |
+- |
| 501 |
+- int i; |
| 502 |
+- |
| 503 |
+- some_buffer[0] = 0; |
| 504 |
+- |
| 505 |
++ int i; |
| 506 |
+ for (i = 0; i < CRYPTO_num_locks(); i++) { |
| 507 |
+ pthread_mutex_init(&(mutex_buf[i]), NULL); |
| 508 |
+ } |
| 509 |
+ |
| 510 |
+ mutex_buf_initialized = 1; |
| 511 |
+- |
| 512 |
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER <= OPENSSL_VERSION_1_1_1 |
| 513 |
+ CRYPTO_THREADID_set_callback(coturn_id_function); |
| 514 |
+-#else |
| 515 |
+- CRYPTO_set_id_callback(coturn_id_function); |
| 516 |
+-#endif |
| 517 |
+- |
| 518 |
+ CRYPTO_set_locking_callback(coturn_locking_function); |
| 519 |
+-#endif |
| 520 |
+- |
| 521 |
+ return 1; |
| 522 |
+ } |
| 523 |
+ |
| 524 |
+ int THREAD_cleanup(void); |
| 525 |
+ int THREAD_cleanup(void) { |
| 526 |
++ int i; |
| 527 |
+ |
| 528 |
+-#if defined(OPENSSL_THREADS) |
| 529 |
++ if (!mutex_buf_initialized) |
| 530 |
++ return 0; |
| 531 |
+ |
| 532 |
+- int i; |
| 533 |
+- |
| 534 |
+- if (!mutex_buf_initialized) |
| 535 |
+- return 0; |
| 536 |
++ CRYPTO_THREADID_set_callback(NULL); |
| 537 |
++ CRYPTO_set_locking_callback(NULL); |
| 538 |
++ for (i = 0; i < CRYPTO_num_locks(); i++) { |
| 539 |
++ pthread_mutex_destroy(&(mutex_buf[i])); |
| 540 |
++ } |
| 541 |
+ |
| 542 |
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER <= OPENSSL_VERSION_1_1_1 |
| 543 |
+- CRYPTO_THREADID_set_callback(NULL); |
| 544 |
++ mutex_buf_initialized = 0; |
| 545 |
++ return 1; |
| 546 |
++} |
| 547 |
+ #else |
| 548 |
+- CRYPTO_set_id_callback(NULL); |
| 549 |
+-#endif |
| 550 |
+- |
| 551 |
+- CRYPTO_set_locking_callback(NULL); |
| 552 |
+- for (i = 0; i < CRYPTO_num_locks(); i++) { |
| 553 |
+- pthread_mutex_destroy(&(mutex_buf[i])); |
| 554 |
+- } |
| 555 |
+- |
| 556 |
+- mutex_buf_initialized = 0; |
| 557 |
+- |
| 558 |
+-#endif |
| 559 |
++static int THREAD_setup(void) { |
| 560 |
++ return 1; |
| 561 |
++} |
| 562 |
+ |
| 563 |
+- return 1; |
| 564 |
++int THREAD_cleanup(void); |
| 565 |
++int THREAD_cleanup(void){ |
| 566 |
++ return 1; |
| 567 |
+ } |
| 568 |
++#endif /* OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0 */ |
| 569 |
++#endif /* defined(OPENSSL_THREADS) */ |
| 570 |
+ |
| 571 |
+ static void adjust_key_file_name(char *fn, const char* file_title, int critical) |
| 572 |
+ { |
| 573 |
+ |
Archives