26bb868229
Added a patch from Gentoo that brings compatiblity with OpenSSL 3.0. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
288 lines
8.9 KiB
Diff
288 lines
8.9 KiB
Diff
https://github.com/coturn/coturn/commit/9af9f6306ab73c3403f9e11086b1936e9148f7de
|
|
https://github.com/coturn/coturn/commit/4ce784a8781ab086c150e2b9f5641b1a37fd9b31
|
|
https://github.com/coturn/coturn/commit/9370bb742d976166a51032760da1ecedefb92267
|
|
https://github.com/coturn/coturn/commit/d72a2a8920b80ce66b36e22b2c22f308ad06c424
|
|
|
|
From 9af9f6306ab73c3403f9e11086b1936e9148f7de Mon Sep 17 00:00:00 2001
|
|
From: Pavel Punsky <eakraly@users.noreply.github.com>
|
|
Date: Wed, 14 Sep 2022 03:29:26 -0700
|
|
Subject: [PATCH] Fix renegotiation flag for older version of openssl (#978)
|
|
|
|
`SSL_OP_NO_RENEGOTIATION` is only supported in openssl-1.1.0 and above
|
|
Older versions have `SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS `
|
|
|
|
Fixes #977 and #952
|
|
|
|
Test:
|
|
Build in a docker container running running openssl-1.0.2g (ubuntu
|
|
16.04) successfully (without the fix getting the same errors)
|
|
--- a/src/apps/relay/dtls_listener.c
|
|
+++ b/src/apps/relay/dtls_listener.c
|
|
@@ -295,8 +295,17 @@ static ioa_socket_handle dtls_server_inp
|
|
SSL_set_accept_state(connecting_ssl);
|
|
|
|
SSL_set_bio(connecting_ssl, NULL, wbio);
|
|
- SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE | SSL_OP_NO_RENEGOTIATION);
|
|
-
|
|
+ SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE
|
|
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
+#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
|
|
+ | SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
|
|
+#endif
|
|
+#else
|
|
+#if defined(SSL_OP_NO_RENEGOTIATION)
|
|
+ | SSL_OP_NO_RENEGOTIATION
|
|
+#endif
|
|
+#endif
|
|
+ );
|
|
SSL_set_max_cert_list(connecting_ssl, 655350);
|
|
|
|
ioa_socket_handle rc = dtls_accept_client_connection(server, s, connecting_ssl,
|
|
@@ -581,7 +590,17 @@ static int create_new_connected_udp_sock
|
|
|
|
SSL_set_bio(connecting_ssl, NULL, wbio);
|
|
|
|
- SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE | SSL_OP_NO_RENEGOTIATION);
|
|
+ SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE
|
|
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
+#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
|
|
+ | SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
|
|
+#endif
|
|
+#else
|
|
+#if defined(SSL_OP_NO_RENEGOTIATION)
|
|
+ | SSL_OP_NO_RENEGOTIATION
|
|
+#endif
|
|
+#endif
|
|
+ );
|
|
|
|
SSL_set_max_cert_list(connecting_ssl, 655350);
|
|
int rc = ssl_read(ret->fd, connecting_ssl, server->sm.m.sm.nd.nbh,
|
|
--- a/src/apps/relay/ns_ioalib_engine_impl.c
|
|
+++ b/src/apps/relay/ns_ioalib_engine_impl.c
|
|
@@ -1428,7 +1428,17 @@ static void set_socket_ssl(ioa_socket_ha
|
|
if(ssl) {
|
|
SSL_set_app_data(ssl,s);
|
|
SSL_set_info_callback(ssl, (ssl_info_callback_t)ssl_info_callback);
|
|
- SSL_set_options(ssl, SSL_OP_NO_RENEGOTIATION);
|
|
+ SSL_set_options(ssl,
|
|
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
+#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
|
|
+ SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
|
|
+#endif
|
|
+#else
|
|
+#if defined(SSL_OP_NO_RENEGOTIATION)
|
|
+ SSL_OP_NO_RENEGOTIATION
|
|
+#endif
|
|
+#endif
|
|
+ );
|
|
}
|
|
}
|
|
}
|
|
@@ -1864,7 +1874,11 @@ int ssl_read(evutil_socket_t fd, SSL* ss
|
|
|
|
} else if (!if1 && if2) {
|
|
|
|
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
|
|
+ if(verbose && SSL_get1_peer_certificate(ssl)) {
|
|
+#else
|
|
if(verbose && SSL_get_peer_certificate(ssl)) {
|
|
+#endif
|
|
printf("\n------------------------------------------------------------\n");
|
|
X509_NAME_print_ex_fp(stdout, X509_get_subject_name(SSL_get_peer_certificate(ssl)), 1,
|
|
XN_FLAG_MULTILINE);
|
|
--- a/src/apps/uclient/startuclient.c
|
|
+++ b/src/apps/uclient/startuclient.c
|
|
@@ -138,7 +138,11 @@ static SSL* tls_connect(ioa_socket_raw f
|
|
if (rc > 0) {
|
|
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,"%s: client session connected with cipher %s, method=%s\n",__FUNCTION__,
|
|
SSL_get_cipher(ssl),turn_get_ssl_method(ssl,NULL));
|
|
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
|
|
+ if(clnet_verbose && SSL_get1_peer_certificate(ssl)) {
|
|
+#else
|
|
if(clnet_verbose && SSL_get_peer_certificate(ssl)) {
|
|
+#endif
|
|
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "------------------------------------------------------------\n");
|
|
X509_NAME_print_ex_fp(stdout, X509_get_subject_name(SSL_get_peer_certificate(ssl)), 1,
|
|
XN_FLAG_MULTILINE);
|
|
--- a/src/client/ns_turn_msg.c
|
|
+++ b/src/client/ns_turn_msg.c
|
|
@@ -248,12 +248,22 @@ int stun_produce_integrity_key_str(const
|
|
if (FIPS_mode()) {
|
|
EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
|
}
|
|
-#endif
|
|
+#endif // defined EVP_MD_CTX_FLAG_NON_FIPS_ALLOW && !defined(LIBRESSL_VERSION_NUMBER)
|
|
EVP_DigestInit_ex(&ctx,EVP_md5(), NULL);
|
|
EVP_DigestUpdate(&ctx,str,strl);
|
|
EVP_DigestFinal(&ctx,key,&keylen);
|
|
EVP_MD_CTX_cleanup(&ctx);
|
|
-#else
|
|
+#elif OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
+ unsigned int keylen = 0;
|
|
+ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
|
|
+ if (EVP_default_properties_is_fips_enabled(NULL)) {
|
|
+ EVP_default_properties_enable_fips(NULL, 0);
|
|
+ }
|
|
+ EVP_DigestInit_ex(ctx,EVP_md5(), NULL);
|
|
+ EVP_DigestUpdate(ctx,str,strl);
|
|
+ EVP_DigestFinal(ctx,key,&keylen);
|
|
+ EVP_MD_CTX_free(ctx);
|
|
+#else // OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
unsigned int keylen = 0;
|
|
EVP_MD_CTX *ctx = EVP_MD_CTX_new();
|
|
#if defined EVP_MD_CTX_FLAG_NON_FIPS_ALLOW && ! defined(LIBRESSL_VERSION_NUMBER)
|
|
@@ -265,7 +275,7 @@ int stun_produce_integrity_key_str(const
|
|
EVP_DigestUpdate(ctx,str,strl);
|
|
EVP_DigestFinal(ctx,key,&keylen);
|
|
EVP_MD_CTX_free(ctx);
|
|
-#endif
|
|
+#endif // OPENSSL_VERSION_NUMBER < 0X10100000L
|
|
ret = 0;
|
|
}
|
|
|
|
--- a/src/apps/relay/netengine.c
|
|
+++ b/src/apps/relay/netengine.c
|
|
@@ -31,13 +31,7 @@
|
|
#include "mainrelay.h"
|
|
|
|
//////////// Backward compatibility with OpenSSL 1.0.x //////////////
|
|
-#define HAVE_OPENSSL11_API (!(OPENSSL_VERSION_NUMBER < 0x10100001L || defined LIBRESSL_VERSION_NUMBER))
|
|
-
|
|
-#ifndef HAVE_SSL_CTX_UP_REF
|
|
-#define HAVE_SSL_CTX_UP_REF HAVE_OPENSSL11_API
|
|
-#endif
|
|
-
|
|
-#if !HAVE_SSL_CTX_UP_REF
|
|
+#if (OPENSSL_VERSION_NUMBER < 0x10100001L || defined LIBRESSL_VERSION_NUMBER)
|
|
#define SSL_CTX_up_ref(ctx) CRYPTO_add(&(ctx)->references, 1, CRYPTO_LOCK_SSL_CTX)
|
|
#endif
|
|
|
|
--- a/src/apps/relay/mainrelay.c
|
|
+++ b/src/apps/relay/mainrelay.c
|
|
@@ -1353,7 +1353,6 @@ static void set_option(int c, char *valu
|
|
STRCPY(turn_params.relay_ifname, value);
|
|
break;
|
|
case 'm':
|
|
-#if defined(OPENSSL_THREADS)
|
|
if(atoi(value)>MAX_NUMBER_OF_GENERAL_RELAY_SERVERS) {
|
|
TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: max number of relay threads is 128.\n");
|
|
turn_params.general_relay_servers_number = MAX_NUMBER_OF_GENERAL_RELAY_SERVERS;
|
|
@@ -1362,9 +1361,6 @@ static void set_option(int c, char *valu
|
|
} else {
|
|
turn_params.general_relay_servers_number = atoi(value);
|
|
}
|
|
-#else
|
|
- TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: OpenSSL version is too old OR does not support threading,\n I am using single thread for relaying.\n");
|
|
-#endif
|
|
break;
|
|
case 'd':
|
|
STRCPY(turn_params.listener_ifname, value);
|
|
@@ -2640,9 +2636,8 @@ int main(int argc, char **argv)
|
|
|
|
////////// OpenSSL locking ////////////////////////////////////////
|
|
|
|
-#if defined(OPENSSL_THREADS)
|
|
-
|
|
-static char some_buffer[65536];
|
|
+#if defined(OPENSSL_THREADS)
|
|
+#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0
|
|
|
|
//array larger than anything that OpenSSL may need:
|
|
static pthread_mutex_t mutex_buf[256];
|
|
@@ -2660,76 +2655,52 @@ void coturn_locking_function(int mode, i
|
|
}
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
|
|
void coturn_id_function(CRYPTO_THREADID *ctid);
|
|
void coturn_id_function(CRYPTO_THREADID *ctid)
|
|
{
|
|
UNUSED_ARG(ctid);
|
|
CRYPTO_THREADID_set_numeric(ctid, (unsigned long)pthread_self());
|
|
}
|
|
-#else
|
|
-unsigned long coturn_id_function(void);
|
|
-unsigned long coturn_id_function(void)
|
|
-{
|
|
- return (unsigned long)pthread_self();
|
|
-}
|
|
-#endif
|
|
-
|
|
-#endif
|
|
|
|
static int THREAD_setup(void) {
|
|
-
|
|
-#if defined(OPENSSL_THREADS)
|
|
-
|
|
- int i;
|
|
-
|
|
- some_buffer[0] = 0;
|
|
-
|
|
+ int i;
|
|
for (i = 0; i < CRYPTO_num_locks(); i++) {
|
|
pthread_mutex_init(&(mutex_buf[i]), NULL);
|
|
}
|
|
|
|
mutex_buf_initialized = 1;
|
|
-
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER <= OPENSSL_VERSION_1_1_1
|
|
CRYPTO_THREADID_set_callback(coturn_id_function);
|
|
-#else
|
|
- CRYPTO_set_id_callback(coturn_id_function);
|
|
-#endif
|
|
-
|
|
CRYPTO_set_locking_callback(coturn_locking_function);
|
|
-#endif
|
|
-
|
|
return 1;
|
|
}
|
|
|
|
int THREAD_cleanup(void);
|
|
int THREAD_cleanup(void) {
|
|
+ int i;
|
|
|
|
-#if defined(OPENSSL_THREADS)
|
|
-
|
|
- int i;
|
|
+ if (!mutex_buf_initialized)
|
|
+ return 0;
|
|
|
|
- if (!mutex_buf_initialized)
|
|
- return 0;
|
|
+ CRYPTO_THREADID_set_callback(NULL);
|
|
+ CRYPTO_set_locking_callback(NULL);
|
|
+ for (i = 0; i < CRYPTO_num_locks(); i++) {
|
|
+ pthread_mutex_destroy(&(mutex_buf[i]));
|
|
+ }
|
|
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER <= OPENSSL_VERSION_1_1_1
|
|
- CRYPTO_THREADID_set_callback(NULL);
|
|
+ mutex_buf_initialized = 0;
|
|
+ return 1;
|
|
+}
|
|
#else
|
|
- CRYPTO_set_id_callback(NULL);
|
|
-#endif
|
|
-
|
|
- CRYPTO_set_locking_callback(NULL);
|
|
- for (i = 0; i < CRYPTO_num_locks(); i++) {
|
|
- pthread_mutex_destroy(&(mutex_buf[i]));
|
|
- }
|
|
-
|
|
- mutex_buf_initialized = 0;
|
|
-
|
|
-#endif
|
|
+static int THREAD_setup(void) {
|
|
+ return 1;
|
|
+}
|
|
|
|
- return 1;
|
|
+int THREAD_cleanup(void);
|
|
+int THREAD_cleanup(void){
|
|
+ return 1;
|
|
}
|
|
+#endif /* OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0 */
|
|
+#endif /* defined(OPENSSL_THREADS) */
|
|
|
|
static void adjust_key_file_name(char *fn, const char* file_title, int critical)
|
|
{
|