From: Eneas U de Queiroz Date: Thu, 9 Feb 2023 18:27:00 +0000 (-0300) Subject: coturn: update to 4.6.1 X-Git-Url: http://git.openwrt.org/?p=feed%2Ftelephony.git;a=commitdiff_plain;h=26bb868229df32082ae8be75d8e54ac1c9a2f771 coturn: update to 4.6.1 Added a patch from Gentoo that brings compatiblity with OpenSSL 3.0. Signed-off-by: Eneas U de Queiroz --- diff --git a/net/coturn/Makefile b/net/coturn/Makefile index 850c95a..ef57cf1 100644 --- a/net/coturn/Makefile +++ b/net/coturn/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=coturn -PKG_VERSION:=4.5.2 -PKG_RELEASE:=5 +PKG_VERSION:=4.6.1 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/coturn/coturn/tar.gz/$(PKG_VERSION)? -PKG_HASH:=462f1aa5c2455f28c1c8df09510d9e88ab14a1159b5e33ea5be5095262e83745 +PKG_HASH:=8fba86e593ed74adc46e002e925cccff2819745371814f42465fbe717483f1d8 PKG_LICENSE:=BSD-COTURN-CITRIX COMBINED-CITRIX-VIVOCHA-BSD MIT-HASH PKG_LICENSE_FILES:=LICENSE src/apps/relay/dbdrivers/* src/server/ns_turn_khash.h diff --git a/net/coturn/patches/02-fix-flags-dupes.patch b/net/coturn/patches/02-fix-flags-dupes.patch index eb12cb7..516ec24 100644 --- a/net/coturn/patches/02-fix-flags-dupes.patch +++ b/net/coturn/patches/02-fix-flags-dupes.patch @@ -1,6 +1,6 @@ --- a/configure +++ b/configure -@@ -1034,9 +1034,9 @@ ${ECHO_CMD} "# Generated by configure sc +@@ -1047,9 +1047,9 @@ ${ECHO_CMD} "# Generated by configure sc ${ECHO_CMD} "#################################" >> Makefile ${ECHO_CMD} "ECHO_CMD = ${ECHO_CMD}" >> Makefile ${ECHO_CMD} "CC = ${CC}" >> Makefile diff --git a/net/coturn/patches/03-fix-libmariadb-detection.patch b/net/coturn/patches/03-fix-libmariadb-detection.patch deleted file mode 100644 index aa81ecb..0000000 --- a/net/coturn/patches/03-fix-libmariadb-detection.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/configure -+++ b/configure -@@ -931,7 +931,7 @@ fi - ########################### - - if [ -z "${TURN_NO_MYSQL}" ] ; then -- if testpkg_db mariadb || testpkg_db mysqlclient ; then -+ if testpkg_db libmariadb || testpkg_db mysqlclient ; then - ${ECHO_CMD} "MySQL found." - else - ${ECHO_CMD} "MySQL not found. Building without MySQL support." diff --git a/net/coturn/patches/100-configure-dont-link-libintl.patch b/net/coturn/patches/100-configure-dont-link-libintl.patch deleted file mode 100644 index 65262b3..0000000 --- a/net/coturn/patches/100-configure-dont-link-libintl.patch +++ /dev/null @@ -1,22 +0,0 @@ -From 2132a1a8eecb3460b8c2e4a7201e3254dc420179 Mon Sep 17 00:00:00 2001 -From: Sebastian Kemper -Date: Sun, 26 Dec 2021 15:47:41 +0100 -Subject: [PATCH] configure: don't link in libintl - -libintl isn't used, so there is no need to link coturn to it. - -Signed-off-by: Sebastian Kemper ---- - configure | 1 - - 1 file changed, 1 deletion(-) - ---- a/configure -+++ b/configure -@@ -699,7 +699,6 @@ if ! [ ${ER} -eq 0 ] ; then - echo "CYGWIN ?" - fi - testlib wldap64 --testlib intl - testlib nsl - testlib resolv - diff --git a/net/coturn/patches/100-coturn-4.6.0-openssl3-from-gentoo.patch b/net/coturn/patches/100-coturn-4.6.0-openssl3-from-gentoo.patch new file mode 100644 index 0000000..42f9dd2 --- /dev/null +++ b/net/coturn/patches/100-coturn-4.6.0-openssl3-from-gentoo.patch @@ -0,0 +1,288 @@ +https://github.com/coturn/coturn/commit/9af9f6306ab73c3403f9e11086b1936e9148f7de +https://github.com/coturn/coturn/commit/4ce784a8781ab086c150e2b9f5641b1a37fd9b31 +https://github.com/coturn/coturn/commit/9370bb742d976166a51032760da1ecedefb92267 +https://github.com/coturn/coturn/commit/d72a2a8920b80ce66b36e22b2c22f308ad06c424 + +From 9af9f6306ab73c3403f9e11086b1936e9148f7de Mon Sep 17 00:00:00 2001 +From: Pavel Punsky +Date: Wed, 14 Sep 2022 03:29:26 -0700 +Subject: [PATCH] Fix renegotiation flag for older version of openssl (#978) + +`SSL_OP_NO_RENEGOTIATION` is only supported in openssl-1.1.0 and above +Older versions have `SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS ` + +Fixes #977 and #952 + +Test: +Build in a docker container running running openssl-1.0.2g (ubuntu +16.04) successfully (without the fix getting the same errors) +--- a/src/apps/relay/dtls_listener.c ++++ b/src/apps/relay/dtls_listener.c +@@ -295,8 +295,17 @@ static ioa_socket_handle dtls_server_inp + SSL_set_accept_state(connecting_ssl); + + SSL_set_bio(connecting_ssl, NULL, wbio); +- SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE | SSL_OP_NO_RENEGOTIATION); +- ++ SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) ++ | SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS ++#endif ++#else ++#if defined(SSL_OP_NO_RENEGOTIATION) ++ | SSL_OP_NO_RENEGOTIATION ++#endif ++#endif ++ ); + SSL_set_max_cert_list(connecting_ssl, 655350); + + ioa_socket_handle rc = dtls_accept_client_connection(server, s, connecting_ssl, +@@ -581,7 +590,17 @@ static int create_new_connected_udp_sock + + SSL_set_bio(connecting_ssl, NULL, wbio); + +- SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE | SSL_OP_NO_RENEGOTIATION); ++ SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) ++ | SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS ++#endif ++#else ++#if defined(SSL_OP_NO_RENEGOTIATION) ++ | SSL_OP_NO_RENEGOTIATION ++#endif ++#endif ++ ); + + SSL_set_max_cert_list(connecting_ssl, 655350); + int rc = ssl_read(ret->fd, connecting_ssl, server->sm.m.sm.nd.nbh, +--- a/src/apps/relay/ns_ioalib_engine_impl.c ++++ b/src/apps/relay/ns_ioalib_engine_impl.c +@@ -1428,7 +1428,17 @@ static void set_socket_ssl(ioa_socket_ha + if(ssl) { + SSL_set_app_data(ssl,s); + SSL_set_info_callback(ssl, (ssl_info_callback_t)ssl_info_callback); +- SSL_set_options(ssl, SSL_OP_NO_RENEGOTIATION); ++ SSL_set_options(ssl, ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) ++ SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS ++#endif ++#else ++#if defined(SSL_OP_NO_RENEGOTIATION) ++ SSL_OP_NO_RENEGOTIATION ++#endif ++#endif ++ ); + } + } + } +@@ -1864,7 +1874,11 @@ int ssl_read(evutil_socket_t fd, SSL* ss + + } else if (!if1 && if2) { + ++#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) ++ if(verbose && SSL_get1_peer_certificate(ssl)) { ++#else + if(verbose && SSL_get_peer_certificate(ssl)) { ++#endif + printf("\n------------------------------------------------------------\n"); + X509_NAME_print_ex_fp(stdout, X509_get_subject_name(SSL_get_peer_certificate(ssl)), 1, + XN_FLAG_MULTILINE); +--- a/src/apps/uclient/startuclient.c ++++ b/src/apps/uclient/startuclient.c +@@ -138,7 +138,11 @@ static SSL* tls_connect(ioa_socket_raw f + if (rc > 0) { + TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,"%s: client session connected with cipher %s, method=%s\n",__FUNCTION__, + SSL_get_cipher(ssl),turn_get_ssl_method(ssl,NULL)); ++#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) ++ if(clnet_verbose && SSL_get1_peer_certificate(ssl)) { ++#else + if(clnet_verbose && SSL_get_peer_certificate(ssl)) { ++#endif + TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "------------------------------------------------------------\n"); + X509_NAME_print_ex_fp(stdout, X509_get_subject_name(SSL_get_peer_certificate(ssl)), 1, + XN_FLAG_MULTILINE); +--- a/src/client/ns_turn_msg.c ++++ b/src/client/ns_turn_msg.c +@@ -248,12 +248,22 @@ int stun_produce_integrity_key_str(const + if (FIPS_mode()) { + EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + } +-#endif ++#endif // defined EVP_MD_CTX_FLAG_NON_FIPS_ALLOW && !defined(LIBRESSL_VERSION_NUMBER) + EVP_DigestInit_ex(&ctx,EVP_md5(), NULL); + EVP_DigestUpdate(&ctx,str,strl); + EVP_DigestFinal(&ctx,key,&keylen); + EVP_MD_CTX_cleanup(&ctx); +-#else ++#elif OPENSSL_VERSION_NUMBER >= 0x30000000L ++ unsigned int keylen = 0; ++ EVP_MD_CTX *ctx = EVP_MD_CTX_new(); ++ if (EVP_default_properties_is_fips_enabled(NULL)) { ++ EVP_default_properties_enable_fips(NULL, 0); ++ } ++ EVP_DigestInit_ex(ctx,EVP_md5(), NULL); ++ EVP_DigestUpdate(ctx,str,strl); ++ EVP_DigestFinal(ctx,key,&keylen); ++ EVP_MD_CTX_free(ctx); ++#else // OPENSSL_VERSION_NUMBER < 0x10100000L + unsigned int keylen = 0; + EVP_MD_CTX *ctx = EVP_MD_CTX_new(); + #if defined EVP_MD_CTX_FLAG_NON_FIPS_ALLOW && ! defined(LIBRESSL_VERSION_NUMBER) +@@ -265,7 +275,7 @@ int stun_produce_integrity_key_str(const + EVP_DigestUpdate(ctx,str,strl); + EVP_DigestFinal(ctx,key,&keylen); + EVP_MD_CTX_free(ctx); +-#endif ++#endif // OPENSSL_VERSION_NUMBER < 0X10100000L + ret = 0; + } + +--- a/src/apps/relay/netengine.c ++++ b/src/apps/relay/netengine.c +@@ -31,13 +31,7 @@ + #include "mainrelay.h" + + //////////// Backward compatibility with OpenSSL 1.0.x ////////////// +-#define HAVE_OPENSSL11_API (!(OPENSSL_VERSION_NUMBER < 0x10100001L || defined LIBRESSL_VERSION_NUMBER)) +- +-#ifndef HAVE_SSL_CTX_UP_REF +-#define HAVE_SSL_CTX_UP_REF HAVE_OPENSSL11_API +-#endif +- +-#if !HAVE_SSL_CTX_UP_REF ++#if (OPENSSL_VERSION_NUMBER < 0x10100001L || defined LIBRESSL_VERSION_NUMBER) + #define SSL_CTX_up_ref(ctx) CRYPTO_add(&(ctx)->references, 1, CRYPTO_LOCK_SSL_CTX) + #endif + +--- a/src/apps/relay/mainrelay.c ++++ b/src/apps/relay/mainrelay.c +@@ -1353,7 +1353,6 @@ static void set_option(int c, char *valu + STRCPY(turn_params.relay_ifname, value); + break; + case 'm': +-#if defined(OPENSSL_THREADS) + if(atoi(value)>MAX_NUMBER_OF_GENERAL_RELAY_SERVERS) { + TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: max number of relay threads is 128.\n"); + turn_params.general_relay_servers_number = MAX_NUMBER_OF_GENERAL_RELAY_SERVERS; +@@ -1362,9 +1361,6 @@ static void set_option(int c, char *valu + } else { + turn_params.general_relay_servers_number = atoi(value); + } +-#else +- TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: OpenSSL version is too old OR does not support threading,\n I am using single thread for relaying.\n"); +-#endif + break; + case 'd': + STRCPY(turn_params.listener_ifname, value); +@@ -2640,9 +2636,8 @@ int main(int argc, char **argv) + + ////////// OpenSSL locking //////////////////////////////////////// + +-#if defined(OPENSSL_THREADS) +- +-static char some_buffer[65536]; ++#if defined(OPENSSL_THREADS) ++#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0 + + //array larger than anything that OpenSSL may need: + static pthread_mutex_t mutex_buf[256]; +@@ -2660,76 +2655,52 @@ void coturn_locking_function(int mode, i + } + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L + void coturn_id_function(CRYPTO_THREADID *ctid); + void coturn_id_function(CRYPTO_THREADID *ctid) + { + UNUSED_ARG(ctid); + CRYPTO_THREADID_set_numeric(ctid, (unsigned long)pthread_self()); + } +-#else +-unsigned long coturn_id_function(void); +-unsigned long coturn_id_function(void) +-{ +- return (unsigned long)pthread_self(); +-} +-#endif +- +-#endif + + static int THREAD_setup(void) { +- +-#if defined(OPENSSL_THREADS) +- +- int i; +- +- some_buffer[0] = 0; +- ++ int i; + for (i = 0; i < CRYPTO_num_locks(); i++) { + pthread_mutex_init(&(mutex_buf[i]), NULL); + } + + mutex_buf_initialized = 1; +- +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER <= OPENSSL_VERSION_1_1_1 + CRYPTO_THREADID_set_callback(coturn_id_function); +-#else +- CRYPTO_set_id_callback(coturn_id_function); +-#endif +- + CRYPTO_set_locking_callback(coturn_locking_function); +-#endif +- + return 1; + } + + int THREAD_cleanup(void); + int THREAD_cleanup(void) { ++ int i; + +-#if defined(OPENSSL_THREADS) +- +- int i; ++ if (!mutex_buf_initialized) ++ return 0; + +- if (!mutex_buf_initialized) +- return 0; ++ CRYPTO_THREADID_set_callback(NULL); ++ CRYPTO_set_locking_callback(NULL); ++ for (i = 0; i < CRYPTO_num_locks(); i++) { ++ pthread_mutex_destroy(&(mutex_buf[i])); ++ } + +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER <= OPENSSL_VERSION_1_1_1 +- CRYPTO_THREADID_set_callback(NULL); ++ mutex_buf_initialized = 0; ++ return 1; ++} + #else +- CRYPTO_set_id_callback(NULL); +-#endif +- +- CRYPTO_set_locking_callback(NULL); +- for (i = 0; i < CRYPTO_num_locks(); i++) { +- pthread_mutex_destroy(&(mutex_buf[i])); +- } +- +- mutex_buf_initialized = 0; +- +-#endif ++static int THREAD_setup(void) { ++ return 1; ++} + +- return 1; ++int THREAD_cleanup(void); ++int THREAD_cleanup(void){ ++ return 1; + } ++#endif /* OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0 */ ++#endif /* defined(OPENSSL_THREADS) */ + + static void adjust_key_file_name(char *fn, const char* file_title, int critical) + {