coturn: update to 4.6.1

Added a patch from Gentoo that brings compatiblity with OpenSSL 3.0. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-02-09 15:27:00 -03:00 · 2023-02-09 15:27:00 -03:00 · 26bb868229
commit 26bb868229
parent 09ad78b6cc
5 changed files with 292 additions and 37 deletions
--- a/net/coturn/Makefile
+++ b/net/coturn/Makefile
@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=coturn
-PKG_VERSION:=4.5.2
+PKG_VERSION:=4.6.1
-PKG_RELEASE:=5
+PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/coturn/coturn/tar.gz/$(PKG_VERSION)?
-PKG_HASH:=462f1aa5c2455f28c1c8df09510d9e88ab14a1159b5e33ea5be5095262e83745
+PKG_HASH:=8fba86e593ed74adc46e002e925cccff2819745371814f42465fbe717483f1d8
 PKG_LICENSE:=BSD-COTURN-CITRIX COMBINED-CITRIX-VIVOCHA-BSD MIT-HASH
 PKG_LICENSE_FILES:=LICENSE src/apps/relay/dbdrivers/* src/server/ns_turn_khash.h
--- a/net/coturn/patches/02-fix-flags-dupes.patch
+++ b/net/coturn/patches/02-fix-flags-dupes.patch
@ -1,6 +1,6 @@
 --- a/configure
 +++ b/configure
-@@ -1034,9 +1034,9 @@ ${ECHO_CMD} "# Generated by configure sc
+@@ -1047,9 +1047,9 @@ ${ECHO_CMD} "# Generated by configure sc
 ${ECHO_CMD} "#################################" >> Makefile
 ${ECHO_CMD} "ECHO_CMD = ${ECHO_CMD}" >> Makefile
 ${ECHO_CMD} "CC = ${CC}" >> Makefile
--- a/net/coturn/patches/03-fix-libmariadb-detection.patch
+++ b/net/coturn/patches/03-fix-libmariadb-detection.patch
@ -1,11 +0,0 @@
 --- a/configure
 +++ b/configure
@@ -931,7 +931,7 @@ fi
 ###########################
 if [ -z "${TURN_NO_MYSQL}" ] ; then
 -    if testpkg_db mariadb || testpkg_db mysqlclient ; then
 +    if testpkg_db libmariadb || testpkg_db mysqlclient ; then
         ${ECHO_CMD} "MySQL found."
     else
         ${ECHO_CMD} "MySQL not found. Building without MySQL support."
--- a/net/coturn/patches/100-configure-dont-link-libintl.patch
+++ b/net/coturn/patches/100-configure-dont-link-libintl.patch
@ -1,22 +0,0 @@
 From 2132a1a8eecb3460b8c2e4a7201e3254dc420179 Mon Sep 17 00:00:00 2001
 From: Sebastian Kemper <sebastian_ml@gmx.net>
 Date: Sun, 26 Dec 2021 15:47:41 +0100
 Subject: [PATCH] configure: don't link in libintl
 libintl isn't used, so there is no need to link coturn to it.
 Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
 ---
 configure | 1 -
 1 file changed, 1 deletion(-)
 --- a/configure
 +++ b/configure
@@ -699,7 +699,6 @@ if ! [ ${ER} -eq 0 ] ; then
     echo "CYGWIN ?"
 fi
 testlib wldap64
 -testlib intl
 testlib nsl
 testlib resolv
--- a/net/coturn/patches/100-coturn-4.6.0-openssl3-from-gentoo.patch
+++ b/net/coturn/patches/100-coturn-4.6.0-openssl3-from-gentoo.patch
@ -0,0 +1,288 @@
 https://github.com/coturn/coturn/commit/9af9f6306ab73c3403f9e11086b1936e9148f7de
 https://github.com/coturn/coturn/commit/4ce784a8781ab086c150e2b9f5641b1a37fd9b31
 https://github.com/coturn/coturn/commit/9370bb742d976166a51032760da1ecedefb92267
 https://github.com/coturn/coturn/commit/d72a2a8920b80ce66b36e22b2c22f308ad06c424
 From 9af9f6306ab73c3403f9e11086b1936e9148f7de Mon Sep 17 00:00:00 2001
 From: Pavel Punsky <eakraly@users.noreply.github.com>
 Date: Wed, 14 Sep 2022 03:29:26 -0700
 Subject: [PATCH] Fix renegotiation flag for older version of openssl (#978)
 `SSL_OP_NO_RENEGOTIATION` is only supported in openssl-1.1.0 and above
 Older versions have `SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS `
 Fixes #977 and #952
 Test:
 Build in a docker container running running openssl-1.0.2g (ubuntu
 16.04) successfully (without the fix getting the same errors)
 --- a/src/apps/relay/dtls_listener.c
 +++ b/src/apps/relay/dtls_listener.c
@@ -295,8 +295,17 @@ static ioa_socket_handle dtls_server_inp
 	SSL_set_accept_state(connecting_ssl);
 	SSL_set_bio(connecting_ssl, NULL, wbio);
 -	SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE | SSL_OP_NO_RENEGOTIATION);
 -
 +	SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE
 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
 +#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
 +		| SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
 +#endif
 +#else
 +#if defined(SSL_OP_NO_RENEGOTIATION)
 +		| SSL_OP_NO_RENEGOTIATION
 +#endif
 +#endif
 +	);
 	SSL_set_max_cert_list(connecting_ssl, 655350);
 	ioa_socket_handle rc = dtls_accept_client_connection(server, s, connecting_ssl,
@@ -581,7 +590,17 @@ static int create_new_connected_udp_sock
 		SSL_set_bio(connecting_ssl, NULL, wbio);
 -		SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE | SSL_OP_NO_RENEGOTIATION);
 +		SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE
 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
 +#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
 +			| SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
 +#endif
 +#else
 +#if defined(SSL_OP_NO_RENEGOTIATION)
 +			| SSL_OP_NO_RENEGOTIATION
 +#endif
 +#endif
 +		);
 		SSL_set_max_cert_list(connecting_ssl, 655350);
 		int rc = ssl_read(ret->fd, connecting_ssl, server->sm.m.sm.nd.nbh,
 --- a/src/apps/relay/ns_ioalib_engine_impl.c
 +++ b/src/apps/relay/ns_ioalib_engine_impl.c
@@ -1428,7 +1428,17 @@ static void set_socket_ssl(ioa_socket_ha
 		if(ssl) {
 			SSL_set_app_data(ssl,s);
 			SSL_set_info_callback(ssl, (ssl_info_callback_t)ssl_info_callback);
 -			SSL_set_options(ssl, SSL_OP_NO_RENEGOTIATION);
 +			SSL_set_options(ssl, 
 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
 +#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
 +				SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
 +#endif
 +#else
 +#if defined(SSL_OP_NO_RENEGOTIATION)
 +				SSL_OP_NO_RENEGOTIATION
 +#endif
 +#endif
 +			);
 		}
 	}
 }
@@ -1864,7 +1874,11 @@ int ssl_read(evutil_socket_t fd, SSL* ss
 	} else if (!if1 && if2) {
 +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 +		if(verbose && SSL_get1_peer_certificate(ssl)) {
 +#else
 		if(verbose && SSL_get_peer_certificate(ssl)) {
 +#endif
 		  printf("\n------------------------------------------------------------\n");
 		  X509_NAME_print_ex_fp(stdout, X509_get_subject_name(SSL_get_peer_certificate(ssl)), 1,
 					XN_FLAG_MULTILINE);
 --- a/src/apps/uclient/startuclient.c
 +++ b/src/apps/uclient/startuclient.c
@@ -138,7 +138,11 @@ static SSL* tls_connect(ioa_socket_raw f
 		if (rc > 0) {
 		  TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,"%s: client session connected with cipher %s, method=%s\n",__FUNCTION__,
 				  SSL_get_cipher(ssl),turn_get_ssl_method(ssl,NULL));
 +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 +		  if(clnet_verbose && SSL_get1_peer_certificate(ssl)) {
 +#else
 		  if(clnet_verbose && SSL_get_peer_certificate(ssl)) {
 +#endif
 			  TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "------------------------------------------------------------\n");
 		  	X509_NAME_print_ex_fp(stdout, X509_get_subject_name(SSL_get_peer_certificate(ssl)), 1,
 		  						XN_FLAG_MULTILINE);
 --- a/src/client/ns_turn_msg.c
 +++ b/src/client/ns_turn_msg.c
@@ -248,12 +248,22 @@ int stun_produce_integrity_key_str(const
 		if (FIPS_mode()) {
 			EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 		}
 -#endif
 +#endif // defined EVP_MD_CTX_FLAG_NON_FIPS_ALLOW && !defined(LIBRESSL_VERSION_NUMBER)
 		EVP_DigestInit_ex(&ctx,EVP_md5(), NULL);
 		EVP_DigestUpdate(&ctx,str,strl);
 		EVP_DigestFinal(&ctx,key,&keylen);
 		EVP_MD_CTX_cleanup(&ctx);
 -#else
 +#elif OPENSSL_VERSION_NUMBER >= 0x30000000L
 + 		unsigned int keylen = 0;
 + 		EVP_MD_CTX *ctx = EVP_MD_CTX_new();
 +		if (EVP_default_properties_is_fips_enabled(NULL)) {
 +			EVP_default_properties_enable_fips(NULL, 0);
 + 		}
 + 		EVP_DigestInit_ex(ctx,EVP_md5(), NULL);
 + 		EVP_DigestUpdate(ctx,str,strl);
 + 		EVP_DigestFinal(ctx,key,&keylen);
 + 		EVP_MD_CTX_free(ctx);
 +#else // OPENSSL_VERSION_NUMBER < 0x10100000L
 		unsigned int keylen = 0;
 		EVP_MD_CTX *ctx = EVP_MD_CTX_new();
 #if defined EVP_MD_CTX_FLAG_NON_FIPS_ALLOW && ! defined(LIBRESSL_VERSION_NUMBER)
@@ -265,7 +275,7 @@ int stun_produce_integrity_key_str(const
 		EVP_DigestUpdate(ctx,str,strl);
 		EVP_DigestFinal(ctx,key,&keylen);
 		EVP_MD_CTX_free(ctx);
 -#endif
 +#endif // OPENSSL_VERSION_NUMBER < 0X10100000L
 		ret = 0;
 	}
 --- a/src/apps/relay/netengine.c
 +++ b/src/apps/relay/netengine.c
@@ -31,13 +31,7 @@
 #include "mainrelay.h"
 //////////// Backward compatibility with OpenSSL 1.0.x //////////////
 -#define HAVE_OPENSSL11_API (!(OPENSSL_VERSION_NUMBER < 0x10100001L || defined LIBRESSL_VERSION_NUMBER))
 -
 -#ifndef HAVE_SSL_CTX_UP_REF
 -#define HAVE_SSL_CTX_UP_REF HAVE_OPENSSL11_API
 -#endif
 -
 -#if !HAVE_SSL_CTX_UP_REF
 +#if (OPENSSL_VERSION_NUMBER < 0x10100001L || defined LIBRESSL_VERSION_NUMBER)
 #define SSL_CTX_up_ref(ctx) CRYPTO_add(&(ctx)->references, 1, CRYPTO_LOCK_SSL_CTX)
 #endif
 --- a/src/apps/relay/mainrelay.c
 +++ b/src/apps/relay/mainrelay.c
@@ -1353,7 +1353,6 @@ static void set_option(int c, char *valu
 		STRCPY(turn_params.relay_ifname, value);
 		break;
 	case 'm':
 -#if defined(OPENSSL_THREADS)
 		if(atoi(value)>MAX_NUMBER_OF_GENERAL_RELAY_SERVERS) {
 			TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: max number of relay threads is 128.\n");
 			turn_params.general_relay_servers_number = MAX_NUMBER_OF_GENERAL_RELAY_SERVERS;
@@ -1362,9 +1361,6 @@ static void set_option(int c, char *valu
 		} else {
 			turn_params.general_relay_servers_number = atoi(value);
 		}
 -#else
 -		TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: OpenSSL version is too old OR does not support threading,\n I am using single thread for relaying.\n");
 -#endif
 		break;
 	case 'd':
 		STRCPY(turn_params.listener_ifname, value);
@@ -2640,9 +2636,8 @@ int main(int argc, char **argv)
 ////////// OpenSSL locking ////////////////////////////////////////
 -#if defined(OPENSSL_THREADS)
 -
 -static char some_buffer[65536];
 +#if defined(OPENSSL_THREADS) 
 +#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0
 //array larger than anything that OpenSSL may need:
 static pthread_mutex_t mutex_buf[256];
@@ -2660,76 +2655,52 @@ void coturn_locking_function(int mode, i
   }
 }
 -#if OPENSSL_VERSION_NUMBER >= 0x10000000L
 void coturn_id_function(CRYPTO_THREADID *ctid);
 void coturn_id_function(CRYPTO_THREADID *ctid)
 {
 	UNUSED_ARG(ctid);
     CRYPTO_THREADID_set_numeric(ctid, (unsigned long)pthread_self());
 }
 -#else
 -unsigned long coturn_id_function(void);
 -unsigned long coturn_id_function(void)
 -{
 -    return (unsigned long)pthread_self();
 -}
 -#endif
 -
 -#endif
 static int THREAD_setup(void) {
 -
 -#if defined(OPENSSL_THREADS)
 -
 -	int i;
 -
 -	some_buffer[0] = 0;
 -
 +    int i;
 	for (i = 0; i < CRYPTO_num_locks(); i++) {
 		pthread_mutex_init(&(mutex_buf[i]), NULL);
 	}
 	mutex_buf_initialized = 1;
 -
 -#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER <= OPENSSL_VERSION_1_1_1
 	CRYPTO_THREADID_set_callback(coturn_id_function);
 -#else
 -	CRYPTO_set_id_callback(coturn_id_function);
 -#endif
 -
 	CRYPTO_set_locking_callback(coturn_locking_function);
 -#endif
 -
 	return 1;
 }
 int THREAD_cleanup(void);
 int THREAD_cleanup(void) {
 +    int i;
 -#if defined(OPENSSL_THREADS)
 -
 -  int i;
 +    if (!mutex_buf_initialized)
 +        return 0;
 -  if (!mutex_buf_initialized)
 -    return 0;
 +    CRYPTO_THREADID_set_callback(NULL);
 +    CRYPTO_set_locking_callback(NULL);
 +    for (i = 0; i < CRYPTO_num_locks(); i++) {
 +        pthread_mutex_destroy(&(mutex_buf[i]));
 +    }
 -#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER <= OPENSSL_VERSION_1_1_1
 -	CRYPTO_THREADID_set_callback(NULL);
 +    mutex_buf_initialized = 0;
 +  return 1;
 +}
 #else
 -	CRYPTO_set_id_callback(NULL);
 -#endif
 -
 -  CRYPTO_set_locking_callback(NULL);
 -  for (i = 0; i < CRYPTO_num_locks(); i++) {
 -	  pthread_mutex_destroy(&(mutex_buf[i]));
 -  }
 -
 -  mutex_buf_initialized = 0;
 -
 -#endif
 +static int THREAD_setup(void) {
 +    return 1;
 +}
 -  return 1;
 +int THREAD_cleanup(void);
 +int THREAD_cleanup(void){
 +    return 1;
 }
 +#endif /* OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0 */
 +#endif /* defined(OPENSSL_THREADS) */
 static void adjust_key_file_name(char *fn, const char* file_title, int critical)
 {