From: Ted Hess
Date: Mon, 9 Jan 2017 21:16:48 +0000 (-0500)
Subject: shairport-sync: Create mbed TLS version (replaces PolarSSL)
X-Git-Url: http://git.openwrt.org/?a=commitdiff_plain;h=3a69e2410ad621c59821c27b1630e9396269c37a;p=feed%2Fpackages.git

shairport-sync: Create mbed TLS version (replaces PolarSSL)

* Note: SSL Patch submitted upstream pending developer approval.
* Patch will be removed in future release.

Signed-off-by: Ted Hess
---

diff --git a/sound/shairport-sync/Makefile b/sound/shairport-sync/Makefile
index 40e357bdcf..abec42156d 100644
--- a/sound/shairport-sync/Makefile
+++ b/sound/shairport-sync/Makefile
@@ -1,6 +1,4 @@
 #
-# Copyright (C) 2015-2016 OpenWrt.org
-#
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
 # updated to work with latest source from abrasive
@@ -10,13 +8,13 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=shairport-sync
 PKG_VERSION:=2.8.6
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=git://github.com/mikebrady/shairport-sync.git
 PKG_SOURCE_VERSION:=$(PKG_VERSION)
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE:=$(PKG_VERSION).tar.gz
 PKG_MAINTAINER:=Ted Hess , \
 	Mike Brady
@@ -46,18 +44,18 @@ define Package/shairport-sync-openssl
   VARIANT:=openssl
 endef
-define Package/shairport-sync-polarssl
+define Package/shairport-sync-mbedtls
 $(Package/shairport-sync/default)
-  TITLE+= (polarssl)
-  DEPENDS+= +libpolarssl +libavahi-client +libsoxr
-  VARIANT:=polarssl
+  TITLE+= (mbed TLS)
+  DEPENDS+= +libmbedtls +libavahi-client +libsoxr
+  VARIANT:=mbedtls
   DEFAULT_VARIANT:=1
 endef
 define Package/shairport-sync-mini
 $(Package/shairport-sync/default)
   TITLE+= (minimal)
-  DEPENDS+= +libpolarssl
+  DEPENDS+= +libmbedtls
   VARIANT:=mini
 endef
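Review bot: `PKG_SOURCE:=$(PKG_VERSION).tar.gz` in the second hunk drops the package name from the generated tarball, so it is stored as `2.8.6.tar.gz`, a name that carries nothing identifying shairport-sync and can presumably collide with, or be mistaken for, another package's source at the same version in the shared download directory. The line directly above it, `PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)`, keeps the prefix, so the two no longer agree. Unless the version-only name is needed for a reason not given in the commit message, keep the previous form: `PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz`.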
@@ -72,12 +70,12 @@ define Package/shairport-sync/default/description
 Also select kmod-usb-audio if you want to use USB-connected sound cards.
 endef
 Package/shairport-sync-openssl/description = $(Package/shairport-sync/default/description)
-Package/shairport-sync-polarssl/description = $(Package/shairport-sync/default/description)
+Package/shairport-sync-mbedtls/description = $(Package/shairport-sync/default/description)
 define Package/shairport-sync-mini/description
 $(Package/shairport-sync/default/description)
-  Minimal version uses PolarSSL and does not include libsoxr and avahi support.
+  Minimal version uses mbed TLS and does not include libsoxr and avahi support.
 endef
 CONFIGURE_ARGS+= \
@@ -88,12 +86,12 @@ ifeq ($(BUILD_VARIANT),openssl)
 	CONFIGURE_ARGS+= --with-ssl=openssl
 endif
-ifeq ($(BUILD_VARIANT),polarssl)
-	CONFIGURE_ARGS+= --with-ssl=polarssl
+ifeq ($(BUILD_VARIANT),mbedtls)
+	CONFIGURE_ARGS+= --with-ssl=mbedtls
 endif
 ifeq ($(BUILD_VARIANT),mini)
-	CONFIGURE_ARGS+= --with-ssl=polarssl --with-tinysvcmdns
+	CONFIGURE_ARGS+= --with-ssl=mbedtls --with-tinysvcmdns
 else
 	CONFIGURE_ARGS+= --with-avahi --with-soxr
 endif
@@ -103,7 +101,7 @@ define Package/shairport-sync/default/conffiles
 endef
 Package/shairport-sync-openssl/conffiles = $(Package/shairport-sync/default/conffiles)
-Package/shairport-sync-polarssl/conffiles = $(Package/shairport-sync/default/conffiles)
+Package/shairport-sync-mbedtls/conffiles = $(Package/shairport-sync/default/conffiles)
 Package/shairport-sync-mini/conffiles = $(Package/shairport-sync/default/conffiles)
 define Package/shairport-sync/default/install
@@ -118,9 +116,9 @@ define Package/shairport-sync/default/install
 endef
 Package/shairport-sync-openssl/install = $(Package/shairport-sync/default/install)
-Package/shairport-sync-polarssl/install = $(Package/shairport-sync/default/install)
+Package/shairport-sync-mbedtls/install = $(Package/shairport-sync/default/install)
 Package/shairport-sync-mini/install = $(Package/shairport-sync/default/install)
 $(eval $(call BuildPackage,shairport-sync-openssl))
-$(eval $(call BuildPackage,shairport-sync-polarssl))
+$(eval $(call BuildPackage,shairport-sync-mbedtls))
 $(eval $(call BuildPackage,shairport-sync-mini))
diff --git a/sound/shairport-sync/patches/100-replace_polarssl_with_mbedtls.patch b/sound/shairport-sync/patches/100-replace_polarssl_with_mbedtls.patch
new file mode 100644
index 0000000000..984eb4c638
--- /dev/null
+++ b/sound/shairport-sync/patches/100-replace_polarssl_with_mbedtls.patch
@@ -0,0 +1,395 @@ +diff --git a/common.c b/common.c +index bf72127..2d4739e 100644 +--- a/common.c ++++ b/common.c +@@ -54,17 +54,14 @@ + #include + #endif + +-#ifdef HAVE_LIBPOLARSSL +-#include +-#include +-#include +-#include +-#include "polarssl/entropy.h" +-#include "polarssl/ctr_drbg.h" +- +-#if POLARSSL_VERSION_NUMBER >= 0x01030000 +-#include "polarssl/compat-1.2.h" +-#endif ++#ifdef HAVE_LIBMBEDTLS ++#include ++#include ++#include ++#include ++#include "mbedtls/entropy.h" ++#include "mbedtls/ctr_drbg.h" ++ + #endif + + #include "common.h" +@@ -126,16 +123,16 @@ void inform(char *format, ...) { + daemon_log(LOG_INFO, "%s", s); + } + +-#ifdef HAVE_LIBPOLARSSL ++#ifdef HAVE_LIBMBEDTLS + char *base64_enc(uint8_t *input, int length) { + char *buf = NULL; + size_t dlen = 0; +- int rc = base64_encode(NULL, &dlen, input, length); +- if (rc && (rc != POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL)) ++ int rc = mbedtls_base64_encode(NULL, 0, &dlen, input, length); ++ if (rc && (rc != MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL)) + debug(1, "Error %d getting length of base64 encode.", rc); + else { + buf = (char *)malloc(dlen); +- rc = base64_encode((unsigned char *)buf, &dlen, input, length); ++ rc = mbedtls_base64_encode((unsigned char *)buf, dlen, &dlen, input, length); + if (rc != 0) + debug(1, "Error %d encoding base64.", rc); + } +@@ -156,10 +153,10 @@ uint8_t *base64_dec(char *input, int *outlen) { + else { + strcpy(inbuf, input); + strcat(inbuf, "==="); +- // debug(1,"base64_dec called with string \"%s\", length %d, filled string: \"%s\", length +- // %d.",input,strlen(input),inbuf,inbufsize); +- int rc = base64_decode(buf, &dlen, (unsigned char *)inbuf, inbufsize); +- if (rc && (rc != POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL)) ++ // debug(1,"base64_dec called with string \"%s\", length %d, filled string: \"%s\", length %d.", ++ // input,strlen(input),inbuf,inbufsize); ++ int rc = mbedtls_base64_decode(NULL, 0, &dlen, (unsigned char *)inbuf, inbufsize); ++ if (rc && (rc != 
MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL)) + debug(1, "Error %d getting decode length, result is %d.", rc, dlen); + else { + // debug(1,"Decode size is %d.",dlen); +@@ -167,7 +164,7 @@ uint8_t *base64_dec(char *input, int *outlen) { + if (buf == 0) + debug(1, "Can't allocate memory in base64_dec."); + else { +- rc = base64_decode(buf, &dlen, (unsigned char *)inbuf, inbufsize); ++ rc = mbedtls_base64_decode(buf, dlen, &dlen, (unsigned char *)inbuf, inbufsize); + if (rc != 0) + debug(1, "Error %d in base64_dec.", rc); + } +@@ -280,58 +277,59 @@ uint8_t *rsa_apply(uint8_t *input, int inlen, int *outlen, int mode) { + } + #endif + +-#ifdef HAVE_LIBPOLARSSL ++#ifdef HAVE_LIBMBEDTLS + uint8_t *rsa_apply(uint8_t *input, int inlen, int *outlen, int mode) { +- rsa_context trsa; ++ mbedtls_pk_context pkctx; ++ mbedtls_rsa_context *trsa; + const char *pers = "rsa_encrypt"; ++ size_t olen = *outlen; + int rc; + +- entropy_context entropy; +- ctr_drbg_context ctr_drbg; +- entropy_init(&entropy); +- if ((rc = ctr_drbg_init(&ctr_drbg, entropy_func, &entropy, (const unsigned char *)pers, +- strlen(pers))) != 0) +- debug(1, "ctr_drbg_init returned %d\n", rc); ++ mbedtls_entropy_context entropy; ++ mbedtls_ctr_drbg_context ctr_drbg; ++ ++ mbedtls_entropy_init(&entropy); ++ ++ mbedtls_ctr_drbg_init(&ctr_drbg); ++ mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, ++ (const unsigned char *)pers, strlen(pers)); + +- rsa_init(&trsa, RSA_PKCS_V21, POLARSSL_MD_SHA1); // padding and hash id get overwritten +- // BTW, this seems to reset a lot of parameters in the rsa_context +- rc = x509parse_key(&trsa, (unsigned char *)super_secret_key, strlen(super_secret_key), NULL, 0); ++ mbedtls_pk_init(&pkctx); ++ ++ rc = mbedtls_pk_parse_key(&pkctx, (unsigned char *)super_secret_key, sizeof(super_secret_key), NULL, 0); + if (rc != 0) +- debug(1, "Error %d reading the private key."); ++ debug(1, "Error %d reading the private key.", rc); + +- uint8_t *out = NULL; ++ uint8_t *outbuf = NULL; ++ 
trsa = mbedtls_pk_rsa(pkctx); + + switch (mode) { + case RSA_MODE_AUTH: +- trsa.padding = RSA_PKCS_V15; +- trsa.hash_id = POLARSSL_MD_NONE; +- debug(2, "rsa_apply encrypt"); +- out = malloc(trsa.len); +- rc = rsa_pkcs1_encrypt(&trsa, ctr_drbg_random, &ctr_drbg, RSA_PRIVATE, inlen, input, out); ++ mbedtls_rsa_set_padding(trsa, MBEDTLS_RSA_PKCS_V15, MBEDTLS_MD_NONE); ++ outbuf = malloc(trsa->len); ++ rc = mbedtls_rsa_pkcs1_encrypt(trsa, mbedtls_ctr_drbg_random, &ctr_drbg, MBEDTLS_RSA_PRIVATE, ++ inlen, input, outbuf); + if (rc != 0) +- debug(1, "rsa_pkcs1_encrypt error %d.", rc); +- *outlen = trsa.len; ++ debug(1, "mbedtls_pk_encrypt error %d.", rc); ++ *outlen = trsa->len; + break; + case RSA_MODE_KEY: +- debug(2, "rsa_apply decrypt"); +- trsa.padding = RSA_PKCS_V21; +- trsa.hash_id = POLARSSL_MD_SHA1; +- out = malloc(trsa.len); +-#if POLARSSL_VERSION_NUMBER >= 0x01020900 +- rc = rsa_pkcs1_decrypt(&trsa, ctr_drbg_random, &ctr_drbg, RSA_PRIVATE, (size_t *)outlen, input, +- out, trsa.len); +-#else +- rc = rsa_pkcs1_decrypt(&trsa, RSA_PRIVATE, outlen, input, out, trsa.len); +-#endif ++ mbedtls_rsa_set_padding(trsa, MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_SHA1); ++ outbuf = malloc(trsa->len); ++ rc = mbedtls_rsa_pkcs1_decrypt(trsa, mbedtls_ctr_drbg_random, &ctr_drbg, MBEDTLS_RSA_PRIVATE, ++ &olen, input, outbuf, trsa->len); + if (rc != 0) +- debug(1, "decrypt error %d.", rc); ++ debug(1, "mbedtls_pk_decrypt error %d.", rc); ++ *outlen = olen; + break; + default: + die("bad rsa mode"); + } +- rsa_free(&trsa); +- debug(2, "rsa_apply exit"); +- return out; ++ ++ mbedtls_ctr_drbg_free(&ctr_drbg); ++ mbedtls_entropy_free(&entropy); ++ mbedtls_pk_free(&pkctx); ++ return outbuf; + } + #endif + +@@ -517,7 +515,7 @@ ssize_t non_blocking_write(int fd, const void *buf, size_t count) { + void *ibuf = (void *)buf; + size_t bytes_remaining = count; + int rc = 0; +- struct pollfd ufds[1]; ++ struct pollfd ufds[1]; + while ((bytes_remaining>0) && (rc==0)) { + // check that we can do some 
writing + ufds[0].fd = fd; +diff --git a/configure.ac b/configure.ac +index 8d82da4..a2d1e4f 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -108,11 +108,11 @@ AC_ARG_WITH(piddir, [ --with-piddir= Specify a pathname to a directory + AM_CONDITIONAL([USE_CUSTOMPIDDIR], [test "x$HAS_CUSTOMPIDDIR" = "x1"]) + + # Check --with-ssl=argument +-AC_ARG_WITH(ssl, [ choose --with-ssl=openssl or --with-ssl=polarssl for encryption services], [ ++AC_ARG_WITH(ssl, [ choose --with-ssl=openssl or --with-ssl=mbedtls for encryption services], [ + AC_MSG_CHECKING(encryption libraries chosen) + if test "x${with_ssl}" = x -o "x${with_ssl}" = xyes ; then + AC_MSG_RESULT(not found) +- AC_MSG_ERROR(choose either "openssl" or "polarssl" encryption) ++ AC_MSG_ERROR(choose either "openssl" or "mbedtls" encryption) + fi + if test "x${with_ssl}" = xopenssl ; then + if test "x${with_pkg_config}" = xyes ; then +@@ -127,10 +127,15 @@ AC_ARG_WITH(ssl, [ choose --with-ssl=openssl or --with-ssl=polarssl for encrypti + AC_DEFINE([HAVE_LIBCRYPTO],[1],[Define to 1 if you have libcrypto]) + AC_DEFINE([HAVE_LIBSSL],[1],[Define to 1 if you have libssl]) + fi +- elif test "x${with_ssl}" = xpolarssl ; then +- AC_CHECK_LIB([polarssl],[ssl_init], , AC_MSG_ERROR(PolarSSL selected but the library cannot be found!)) ++ elif test "x${with_ssl}" = xmbedtls ; then ++ AC_CHECK_LIB([mbedtls],[mbedtls_ssl_init],, ++ [AC_MSG_ERROR([Cannot find required libray: libmbedtls],1)]) ++ AC_CHECK_LIB([mbedcrypto], [mbedtls_entropy_func],, ++ [AC_MSG_ERROR([Cannot find required library: libmbedcrypto],1)]) ++ AC_CHECK_LIB([mbedx509], [mbedtls_pk_init],, ++ [AC_MSG_ERROR([Cannot find required library: libmbedx509],1)]) + else +- AC_MSG_ERROR(unknown option "${with_ssl}"." Please choose with "openssl" or "polarssl") ++ AC_MSG_ERROR(unknown option "${with_ssl}"." 
Please choose with "openssl" or "mbedtls") + fi + ], ) + +diff --git a/player.c b/player.c +index 97eccfb..da2d735 100644 +--- a/player.c ++++ b/player.c +@@ -47,9 +47,9 @@ + + #include "config.h" + +-#ifdef HAVE_LIBPOLARSSL +-#include +-#include ++#ifdef HAVE_LIBMBEDTLS ++#include ++#include + #endif + + #ifdef HAVE_LIBSSL +@@ -82,8 +82,8 @@ static int max_frame_size_change = 1; + // maximal resampling shift - conservative + //#define OUTFRAME_BYTES(frame_size) (4 * (frame_size + 3)) + +-#ifdef HAVE_LIBPOLARSSL +-static aes_context dctx; ++#ifdef HAVE_LIBMBEDTLS ++static mbedtls_aes_context dctx; + #endif + + //static pthread_t player_thread = NULL; +@@ -247,8 +247,8 @@ static int alac_decode(short *dest, int *destlen, uint8_t *buf, int len) { + unsigned char iv[16]; + int aeslen = len & ~0xf; + memcpy(iv, aesiv, sizeof(iv)); +-#ifdef HAVE_LIBPOLARSSL +- aes_crypt_cbc(&dctx, AES_DECRYPT, aeslen, iv, buf, packet); ++#ifdef HAVE_LIBMBEDTLS ++ mbedtls_aes_crypt_cbc(&dctx, MBEDTLS_AES_DECRYPT, aeslen, iv, buf, packet); + #endif + #ifdef HAVE_LIBSSL + AES_cbc_encrypt(buf, packet, aeslen, &aes, iv, AES_DECRYPT); +@@ -1685,9 +1685,9 @@ int player_play(stream_cfg *stream, pthread_t *player_thread) { + die("specified buffer starting fill %d > buffer size %d", config.buffer_start_fill, + BUFFER_FRAMES); + if (encrypted) { +-#ifdef HAVE_LIBPOLARSSL +- memset(&dctx, 0, sizeof(aes_context)); +- aes_setkey_dec(&dctx, stream->aeskey, 128); ++#ifdef HAVE_LIBMBEDTLS ++ memset(&dctx, 0, sizeof(mbedtls_aes_context)); ++ mbedtls_aes_setkey_dec(&dctx, stream->aeskey, 128); + #endif + + #ifdef HAVE_LIBSSL +diff --git a/rtsp.c b/rtsp.c +index 38b0745..8003803 100644 +--- a/rtsp.c ++++ b/rtsp.c +@@ -50,8 +50,8 @@ + #include + #endif + +-#ifdef HAVE_LIBPOLARSSL +-#include ++#ifdef HAVE_LIBMBEDTLS ++#include + #endif + + #include "common.h" +@@ -979,7 +979,7 @@ static void handle_set_parameter_parameter(rtsp_conn_info *conn, + // more significant changes make it not malloc memory + // 
needs to initialise the docoding table first + +-// add _so to end of name to avoid confusion with polarssl's implementation ++// add _so to end of name to avoid confusion with SSL library implementation + + static char encoding_table[] = { + 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', +@@ -1651,21 +1651,21 @@ static int rtsp_auth(char **nonce, rtsp_message *req, rtsp_message *resp) { + MD5_Final(digest_mu, &ctx); + #endif + +-#ifdef HAVE_LIBPOLARSSL +- md5_context tctx; +- md5_starts(&tctx); +- md5_update(&tctx, (const unsigned char *)username, strlen(username)); +- md5_update(&tctx, (unsigned char *)":", 1); +- md5_update(&tctx, (const unsigned char *)realm, strlen(realm)); +- md5_update(&tctx, (unsigned char *)":", 1); +- md5_update(&tctx, (const unsigned char *)config.password, ++#ifdef HAVE_LIBMBEDTLS ++ mbedtls_md5_context tctx; ++ mbedtls_md5_starts(&tctx); ++ mbedtls_md5_update(&tctx, (const unsigned char *)username, strlen(username)); ++ mbedtls_md5_update(&tctx, (unsigned char *)":", 1); ++ mbedtls_md5_update(&tctx, (const unsigned char *)realm, strlen(realm)); ++ mbedtls_md5_update(&tctx, (unsigned char *)":", 1); ++ mbedtls_md5_update(&tctx, (const unsigned char *)config.password, + strlen(config.password)); +- md5_finish(&tctx, digest_urp); +- md5_starts(&tctx); +- md5_update(&tctx, (const unsigned char *)req->method, strlen(req->method)); +- md5_update(&tctx, (unsigned char *)":", 1); +- md5_update(&tctx, (const unsigned char *)uri, strlen(uri)); +- md5_finish(&tctx, digest_mu); ++ mbedtls_md5_finish(&tctx, digest_urp); ++ mbedtls_md5_starts(&tctx); ++ mbedtls_md5_update(&tctx, (const unsigned char *)req->method, strlen(req->method)); ++ mbedtls_md5_update(&tctx, (unsigned char *)":", 1); ++ mbedtls_md5_update(&tctx, (const unsigned char *)uri, strlen(uri)); ++ mbedtls_md5_finish(&tctx, digest_mu); + #endif + + int i; +@@ -1685,16 +1685,16 @@ static int rtsp_auth(char **nonce, rtsp_message *req, rtsp_message *resp) { + 
MD5_Final(digest_total, &ctx); + #endif + +-#ifdef HAVE_LIBPOLARSSL +- md5_starts(&tctx); +- md5_update(&tctx, buf, 32); +- md5_update(&tctx, (unsigned char *)":", 1); +- md5_update(&tctx, (const unsigned char *)*nonce, strlen(*nonce)); +- md5_update(&tctx, (unsigned char *)":", 1); ++#ifdef HAVE_LIBMBEDTLS ++ mbedtls_md5_starts(&tctx); ++ mbedtls_md5_update(&tctx, buf, 32); ++ mbedtls_md5_update(&tctx, (unsigned char *)":", 1); ++ mbedtls_md5_update(&tctx, (const unsigned char *)*nonce, strlen(*nonce)); ++ mbedtls_md5_update(&tctx, (unsigned char *)":", 1); + for (i = 0; i < 16; i++) + sprintf((char *)buf + 2 * i, "%02x", digest_mu[i]); +- md5_update(&tctx, buf, 32); +- md5_finish(&tctx, digest_total); ++ mbedtls_md5_update(&tctx, buf, 32); ++ mbedtls_md5_finish(&tctx, digest_total); + #endif + + for (i = 0; i < 16; i++) +diff --git a/shairport.c b/shairport.c +index f725d60..2349447 100644 +--- a/shairport.c ++++ b/shairport.c +@@ -42,8 +42,8 @@ + + #include "config.h" + +-#ifdef HAVE_LIBPOLARSSL +-#include ++#ifdef HAVE_LIBMBEDTLS ++#include + #endif + + #ifdef HAVE_LIBSSL +@@ -109,8 +109,8 @@ char* get_version_string() { + char* version_string = malloc(200); + if (version_string) { + strcpy(version_string, PACKAGE_VERSION); +- #ifdef HAVE_LIBPOLARSSL +- strcat(version_string, "-PolarSSL"); ++ #ifdef HAVE_LIBMBEDTLS ++ strcat(version_string, "-mbedTLS"); + #endif + #ifdef HAVE_LIBSSL + strcat(version_string, "-OpenSSL"); +@@ -1046,11 +1046,11 @@ int main(int argc, char **argv) { + MD5_Final(ap_md5, &ctx); + #endif + +-#ifdef HAVE_LIBPOLARSSL +- md5_context tctx; +- md5_starts(&tctx); +- md5_update(&tctx, (unsigned char *)config.service_name, strlen(config.service_name)); +- md5_finish(&tctx, ap_md5); ++#ifdef HAVE_LIBMBEDTLS ++ mbedtls_md5_context tctx; ++ mbedtls_md5_starts(&tctx); ++ mbedtls_md5_update(&tctx, (unsigned char *)config.service_name, strlen(config.service_name)); ++ mbedtls_md5_finish(&tctx, ap_md5); + #endif + memcpy(config.hw_addr, ap_md5, 
sizeof(config.hw_addr)); + #ifdef CONFIG_METADATA
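Review bot: In the new `rsa_apply` in common.c (the whole function is inside this hunk), a failing `mbedtls_pk_parse_key` is only logged and execution continues to `trsa = mbedtls_pk_rsa(pkctx)` and `malloc(trsa->len)`, which dereferences whatever `pk_ctx` the parser left behind (a null pointer in mbed TLS 2.x as far as I recall, since the parser frees the context on failure), where the replaced PolarSSL code at least had a stack-allocated `rsa_context`. The return value of `mbedtls_ctr_drbg_seed` is discarded as well, whereas the old `ctr_drbg_init` result was logged, so an unseeded DRBG feeding the RSA padding and blinding goes unnoticed until the encrypt/decrypt call fails. Both should leave through the cleanup block the new code already has at the end of the function; the rewrite below does that and moves the `outbuf` and `mbedtls_pk_init` lines ahead of the first early exit (the `malloc` results in both switch arms remain unchecked, as before). Two smaller points: `sizeof(super_secret_key)` replaces `strlen(...)` and is only right if `super_secret_key` is declared as a char array, so that the terminating NUL mbed TLS expects for PEM input is counted — its declaration is not in the hunk, so please confirm; and the rtsp.c and shairport.c hunks call `mbedtls_md5_starts` on a `mbedtls_md5_context` that was never passed to `mbedtls_md5_init` and is never freed. The configure.ac message `Cannot find required libray: libmbedtls` also has a typo (`library`).
```c
uint8_t *rsa_apply(uint8_t *input, int inlen, int *outlen, int mode) {
  // … unchanged: pkctx, trsa, pers, olen, rc, entropy, ctr_drbg declarations …
  uint8_t *outbuf = NULL; // declared before the first goto so the error path returns NULL

  mbedtls_entropy_init(&entropy);
  mbedtls_ctr_drbg_init(&ctr_drbg);
  mbedtls_pk_init(&pkctx); // initialised up front so the cleanup at out: is always valid

  rc = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
                             (const unsigned char *)pers, strlen(pers));
  if (rc != 0) {
    debug(1, "mbedtls_ctr_drbg_seed returned %d.", rc);
    goto out;
  }

  rc = mbedtls_pk_parse_key(&pkctx, (unsigned char *)super_secret_key, sizeof(super_secret_key), NULL, 0);
  if (rc != 0) {
    debug(1, "Error %d reading the private key.", rc);
    goto out;
  }

  trsa = mbedtls_pk_rsa(pkctx);
  // … unchanged: switch (mode) with the RSA_MODE_AUTH / RSA_MODE_KEY / default arms …

out:
  mbedtls_ctr_drbg_free(&ctr_drbg);
  mbedtls_entropy_free(&entropy);
  mbedtls_pk_free(&pkctx);
  return outbuf;
}
```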