[arch-commits] Commit in opensips/trunk (PKGBUILD port-tls-1.1.0.patch)
Jan de Groot
jgc at archlinux.org
Mon Mar 20 15:25:02 UTC 2017
Date: Monday, March 20, 2017 @ 15:25:02
Author: jgc
Revision: 217662
upgpkg: opensips 2.2.2-4
OpenSSL 1.1
Added:
opensips/trunk/port-tls-1.1.0.patch
Modified:
opensips/trunk/PKGBUILD
----------------------+
PKGBUILD | 12 -
port-tls-1.1.0.patch | 446 +++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 454 insertions(+), 4 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2017-03-20 15:23:42 UTC (rev 217661)
+++ PKGBUILD 2017-03-20 15:25:02 UTC (rev 217662)
@@ -3,7 +3,7 @@
pkgname=opensips
pkgver=2.2.2
-pkgrel=3
+pkgrel=4
pkgdesc="An Open Source SIP Server able to act as a SIP proxy, registrar, location server, redirect server ..."
url="http://www.opensips.org"
depends=('gcc-libs' 'openssl' 'db' 'attr' 'libxml2')
@@ -17,7 +17,7 @@
'python2'
'pcre')
backup=("etc/opensips/opensips.cfg"
- "etc/opensips/dictionary.radius"
+ "etc/opensips/osipsconsolerc"
"etc/opensips/opensipsctlrc")
arch=('i686' 'x86_64')
license=('GPL')
@@ -24,9 +24,11 @@
install=opensips.install
options=('!emptydirs' 'zipman' '!makeflags' 'docs')
source=(https://opensips.org/pub/opensips/${pkgver}/opensips-${pkgver}.tar.gz
- opensips.service)
+ opensips.service
+ port-tls-1.1.0.patch)
sha256sums=('a21777b37c3669617d24b97697dc3f4e613ec87b292f4541cf956a2d539e70c4'
- 'c2fec4be085b108db10834fa9832e98d696c2de6408f85f96cf89c13bf6be819')
+ 'c2fec4be085b108db10834fa9832e98d696c2de6408f85f96cf89c13bf6be819'
+ '1ad2558c329a1b41948ff9ef1c8169289b38500ce8183e50bae653ef82afdbec')
prepare() {
cd "$srcdir"/$pkgname-$pkgver/
@@ -39,6 +41,8 @@
sed -i 's|sbin|bin|g' Makefile
sed -i 's|bin-dir = sbin/|bin-dir = bin/|' Makefile.defs
+
+ patch -Np1 -i ../port-tls-1.1.0.patch
}
_modules="ldap db_mysql db_postgres db_unixodbc presence presence_xml h350 proto_tls tlsops tls_mgm db_http httpd tm rr"
Added: port-tls-1.1.0.patch
===================================================================
--- port-tls-1.1.0.patch (rev 0)
+++ port-tls-1.1.0.patch 2017-03-20 15:25:02 UTC (rev 217662)
@@ -0,0 +1,446 @@
+Description: Port tls_mgm module to openssl 1.1.0.
+Author: Răzvan Crainea <razvan at opensips.org>
+Last-Update: 2016-12-01
+--- a/modules/tls_mgm/tls.h
++++ b/modules/tls_mgm/tls.h
+@@ -64,41 +64,50 @@
+ #warning ""
+ #endif
+
+-static int tls_static_locks_no=0;
+-static gen_lock_set_t* tls_static_locks=NULL;
+-
+ static SSL_METHOD *ssl_methods[TLS_USE_TLSv1_2 + 1];
+
+ #define VERIFY_DEPTH_S 3
+
+
+-struct CRYPTO_dynlock_value {
+- gen_lock_t lock;
+-};
+-
+-static unsigned long tls_get_id(void)
+-{
+- return my_pid();
+-}
+-
+ /*
+ * Wrappers around OpenSIPS shared memory functions
+ * (which can be macros)
+ */
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++static void* os_malloc(size_t size, const char *file, int line)
++#else
+ static void* os_malloc(size_t size)
++#endif
+ {
++#if (defined DBG_MALLOC && OPENSSL_VERSION_NUMBER >= 0x10100000L)
++ return _shm_malloc(size, file, __FUNCTION__, line);
++#else
+ return shm_malloc(size);
++#endif
+ }
+
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++static void* os_realloc(void *ptr, size_t size, const char *file, int line)
++#else
+ static void* os_realloc(void *ptr, size_t size)
++#endif
+ {
++#if (defined DBG_MALLOC && OPENSSL_VERSION_NUMBER >= 0x10100000L)
++ return _shm_realloc(ptr, size, file, __FUNCTION__, line);
++#else
+ return shm_realloc(ptr, size);
++#endif
+ }
+
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++static void os_free(void *ptr, const char *file, int line)
++#else
+ static void os_free(void *ptr)
++#endif
+ {
++ /* TODO: also handle free file and line */
+ if (ptr)
+ shm_free(ptr);
+ }
+@@ -106,21 +115,17 @@
+
+
+
+-static void tls_static_locks_ops(int mode, int n, const char* file, int line)
+-{
+- if (n<0 || n>tls_static_locks_no) {
+- LM_ERR("BUG - SSL Lib attempting to acquire bogus lock\n");
+- abort();
+- }
++/* these locks can not be used in 1.1.0, because the interface has changed */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++struct CRYPTO_dynlock_value {
++ gen_lock_t lock;
++};
+
+- if (mode & CRYPTO_LOCK) {
+- lock_set_get(tls_static_locks,n);
+- } else {
+- lock_set_release(tls_static_locks,n);
+- }
++static unsigned long tls_get_id(void)
++{
++ return my_pid();
+ }
+
+-
+ static struct CRYPTO_dynlock_value* tls_dyn_lock_create(const char* file,
+ int line)
+ {
+@@ -158,5 +163,6 @@
+ lock_destroy(&dyn_lock->lock);
+ shm_free(dyn_lock);
+ }
++#endif
+
+ #endif /* _PROTO_TLS_H_ */
+--- a/modules/tls_mgm/tls_conn_ops.h
++++ b/modules/tls_mgm/tls_conn_ops.h
+@@ -116,12 +116,14 @@
+ return -1;
+ }
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ #ifndef OPENSSL_NO_KRB5
+ if ( ((SSL *)c->extra_data)->kssl_ctx ) {
+ kssl_ctx_free( ((SSL *)c->extra_data)->kssl_ctx );
+ ((SSL *)c->extra_data)->kssl_ctx = 0;
+ }
+ #endif
++#endif
+
+ if ( c->proto_flags & F_TLS_DO_ACCEPT ) {
+ LM_DBG("Setting in ACCEPT mode (server)\n");
+--- a/modules/tls_mgm/tls_conn_server.h
++++ b/modules/tls_mgm/tls_conn_server.h
+@@ -148,17 +148,21 @@
+ }
+
+ ssl = (SSL *) c->extra_data;
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ #ifndef OPENSSL_NO_KRB5
+ if ( ssl->kssl_ctx==NULL )
+ ssl->kssl_ctx = kssl_ctx_new( );
+ #endif
++#endif
+ ret = SSL_accept(ssl);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ #ifndef OPENSSL_NO_KRB5
+ if ( ssl->kssl_ctx ) {
+ kssl_ctx_free( ssl->kssl_ctx );
+ ssl->kssl_ctx = 0;
+ }
+ #endif
++#endif
+ if (ret > 0) {
+ LM_INFO("New TLS connection from %s:%d accepted\n",
+ ip_addr2a(&c->rcv.src_ip), c->rcv.src_port);
+--- a/modules/tls_mgm/tls_mgm.c
++++ b/modules/tls_mgm/tls_mgm.c
+@@ -557,11 +557,10 @@
+ LM_NOTICE("subject = %s\n", buf);
+ LM_NOTICE("verify error:num=%d:%s\n",
+ err, X509_verify_cert_error_string(err));
+- LM_NOTICE("error code is %d\n", ctx->error);
+
+- switch (ctx->error) {
++ switch (err) {
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+- X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),
++ X509_NAME_oneline(X509_get_issuer_name(err_cert),
+ buf,sizeof buf);
+ LM_NOTICE("issuer= %s\n",buf);
+ break;
+@@ -611,7 +610,7 @@
+
+ default:
+ LM_NOTICE("something wrong with the cert"
+- " ... error code is %d (check x509_vfy.h)\n", ctx->error);
++ " ... error code is %d (check x509_vfy.h)\n", err);
+ break;
+ }
+
+@@ -1074,9 +1073,11 @@
+ return 0;
+ }
+
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+ static int check_for_krb(void)
+ {
+ SSL_CTX *xx;
++
+ int j;
+
+ xx = SSL_CTX_new(ssl_methods[tls_default_method - 1]);
+@@ -1096,6 +1097,27 @@
+ SSL_CTX_free(xx);
+ return 0;
+ }
++#endif
++
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
++static int tls_static_locks_no=0;
++static gen_lock_set_t* tls_static_locks=NULL;
++
++static void tls_static_locks_ops(int mode, int n, const char* file, int line)
++{
++ if (n<0 || n>tls_static_locks_no) {
++ LM_ERR("BUG - SSL Lib attempting to acquire bogus lock\n");
++ abort();
++ }
++
++ if (mode & CRYPTO_LOCK) {
++ lock_set_get(tls_static_locks,n);
++ } else {
++ lock_set_release(tls_static_locks,n);
++ }
++}
++
++
+
+ static int tls_init_multithread(void)
+ {
+@@ -1126,6 +1148,7 @@
+
+ return 0;
+ }
++#endif
+
+ /*
+ * initialize ssl methods
+@@ -1135,19 +1158,31 @@
+ {
+ LM_DBG("entered\n");
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ ssl_methods[TLS_USE_TLSv1_cli-1] = (SSL_METHOD*)TLS_client_method();
++ ssl_methods[TLS_USE_TLSv1_srv-1] = (SSL_METHOD*)TLS_server_method();
++ ssl_methods[TLS_USE_TLSv1-1] = (SSL_METHOD*)TLS_method();
++#else
+ ssl_methods[TLS_USE_TLSv1_cli-1] = (SSL_METHOD*)TLSv1_client_method();
+ ssl_methods[TLS_USE_TLSv1_srv-1] = (SSL_METHOD*)TLSv1_server_method();
+ ssl_methods[TLS_USE_TLSv1-1] = (SSL_METHOD*)TLSv1_method();
++#endif
+
+ ssl_methods[TLS_USE_SSLv23_cli-1] = (SSL_METHOD*)SSLv23_client_method();
+ ssl_methods[TLS_USE_SSLv23_srv-1] = (SSL_METHOD*)SSLv23_server_method();
+ ssl_methods[TLS_USE_SSLv23-1] = (SSL_METHOD*)SSLv23_method();
+
+ #if OPENSSL_VERSION_NUMBER >= 0x10001000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ ssl_methods[TLS_USE_TLSv1_2_cli-1] = (SSL_METHOD*)TLS_client_method();
++ ssl_methods[TLS_USE_TLSv1_2_srv-1] = (SSL_METHOD*)TLS_server_method();
++ ssl_methods[TLS_USE_TLSv1_2-1] = (SSL_METHOD*)TLS_method();
++#else
+ ssl_methods[TLS_USE_TLSv1_2_cli-1] = (SSL_METHOD*)TLSv1_2_client_method();
+ ssl_methods[TLS_USE_TLSv1_2_srv-1] = (SSL_METHOD*)TLSv1_2_server_method();
+ ssl_methods[TLS_USE_TLSv1_2-1] = (SSL_METHOD*)TLSv1_2_method();
+ #endif
++#endif
+ }
+
+ /* reloads data from the db */
+@@ -1273,10 +1308,10 @@
+ * CRYPTO_malloc will set allow_customize in openssl to 0
+ */
+ if (!CRYPTO_set_mem_functions(os_malloc, os_realloc, os_free)) {
+- LM_ERR("unable to set the memory allocation functions\n");
+- LM_ERR("NOTE: check if you have openssl 1.0.1e-fips, as this "
+- "version is know to be broken; if so, you need to upgrade or "
+- "downgrade to a differen openssl version !!\n");
++ LM_ERR("NOTE: check if you are using openssl 1.0.1e-fips, (or other "
++ "FIPS version of openssl, as this is known to be broken; if so, "
++ "you need to upgrade or downgrade to a different openssl version!\n");
++ LM_ERR("current version: %s\n", SSLeay_version(SSLEAY_VERSION));
+ return -1;
+ }
+
+@@ -1291,15 +1326,18 @@
+ sk_SSL_COMP_zero(comp_methods);
+ }
+ #endif
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+ if (tls_init_multithread() < 0) {
+ LM_ERR("failed to init multi-threading support\n");
+ return -1;
+ }
++#endif
+
+ SSL_library_init();
+ SSL_load_error_strings();
+ init_ssl_methods();
+
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+ n = check_for_krb();
+ if (n==-1) {
+ LM_ERR("kerberos check failed\n");
+@@ -1318,6 +1356,7 @@
+ (n==1)?"":"no ",(n!=1)?"no ":"");
+ return -1;
+ }
++#endif
+
+ /*
+ * finish setting up the tls default domains
+--- a/modules/identity/identity.c
++++ b/modules/identity/identity.c
+@@ -107,6 +107,9 @@
+ #include "identity.h"
+
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#define EVP_MD_CTX_free EVP_MD_CTX_cleanup
++#endif
+
+ /* parameters */
+
+@@ -831,7 +834,11 @@
+ {
+ #define IDENTITY_HDR_S "Identity: \""
+ #define IDENTITY_HDR_L (sizeof(IDENTITY_HDR_S)-1)
+- EVP_MD_CTX ctx;
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ EVP_MD_CTX *pctx;
++#else
++ EVP_MD_CTX ctx, *pctx = &ctx;
++#endif
+ unsigned int siglen = 0;
+ int b64len = 0;
+ unsigned char * sig = NULL;
+@@ -843,27 +850,30 @@
+ LM_ERR("error making digest string\n");
+ return 0;
+ }
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ pctx = EVP_MD_CTX_new();
++#endif
+
+- EVP_SignInit(&ctx, EVP_sha1());
++ EVP_SignInit(pctx, EVP_sha1());
+
+- EVP_SignUpdate(&ctx, digestString, strlen(digestString));
++ EVP_SignUpdate(pctx, digestString, strlen(digestString));
+
+ sig = pkg_malloc(EVP_PKEY_size(privKey_evp));
+ if(!sig)
+ {
+- EVP_MD_CTX_cleanup(&ctx);
++ EVP_MD_CTX_free(pctx);
+ LM_ERR("failed allocating memory\n");
+ return 0;
+ }
+
+- if(!EVP_SignFinal(&ctx, sig, &siglen, privKey_evp))
++ if(!EVP_SignFinal(pctx, sig, &siglen, privKey_evp))
+ {
+- EVP_MD_CTX_cleanup(&ctx);
++ EVP_MD_CTX_free(pctx);
+ pkg_free(sig);
+ LM_ERR("error calculating signature\n");
+ return 0;
+ }
+- EVP_MD_CTX_cleanup(&ctx);
++ EVP_MD_CTX_free(pctx);
+
+ /* ###Base64-encoding### */
+ /* annotation: The next few lines are based on example 7-11 of [VIE-02] */
+@@ -1138,6 +1148,10 @@
+ const unsigned char * data;
+ STACK_OF(CONF_VALUE) * val;
+ CONF_VALUE * nval;
++ int len;
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ ASN1_OCTET_STRING *adata;
++#endif
+
+ if(!cert || !msg)
+ {
+@@ -1190,15 +1204,22 @@
+ LM_ERR("X509V3_EXT_get failed\n");
+ return 0;
+ }
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ adata = X509_EXTENSION_get_data(cext);
++ data = ASN1_STRING_get0_data(adata);
++ len = ASN1_STRING_length(adata);
++#else
+ data = cext->value->data;
++ len = cext->value->length;
++#endif
+ if(meth->it)
+ {
+ ext_str = ASN1_item_d2i(NULL, &data,
+- cext->value->length, ASN1_ITEM_ptr(meth->it));
++ len, ASN1_ITEM_ptr(meth->it));
+ }
+ else
+ {
+- ext_str = meth->d2i(NULL, &data, cext->value->length);
++ ext_str = meth->d2i(NULL, &data, len);
+ }
+
+ val = meth->i2v(meth, ext_str, NULL);
+@@ -1251,7 +1272,11 @@
+ int siglen = -1;
+ unsigned char * sigbuf = NULL;
+ int b64len = 0;
+- EVP_MD_CTX ctx;
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ EVP_MD_CTX *pctx;
++#else
++ EVP_MD_CTX ctx, *pctx = &ctx;
++#endif
+ int result = 0;
+ char *p;
+ unsigned long err;
+@@ -1295,22 +1320,25 @@
+ p=strstr(identityHF , "=");
+ siglen-=strspn(p , "=");
+
+- EVP_VerifyInit(&ctx, EVP_sha1());
+- EVP_VerifyUpdate(&ctx, digestString, strlen(digestString));
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ pctx = EVP_MD_CTX_new();
++#endif
++ EVP_VerifyInit(pctx, EVP_sha1());
++ EVP_VerifyUpdate(pctx, digestString, strlen(digestString));
+
+ pubkey = X509_get_pubkey(cert);
+ if(!pubkey)
+ {
+- EVP_MD_CTX_cleanup(&ctx);
++ EVP_MD_CTX_free(pctx);
+ pkg_free(sigbuf);
+ LM_ERR("error reading pubkey from cert\n");
+ return 0;
+ }
+
+- result = EVP_VerifyFinal(&ctx, sigbuf, siglen, pubkey);
++ result = EVP_VerifyFinal(pctx, sigbuf, siglen, pubkey);
+
+ EVP_PKEY_free(pubkey);
+- EVP_MD_CTX_cleanup(&ctx);
++ EVP_MD_CTX_free(pctx);
+ pkg_free(sigbuf);
+
+ switch(result)
+@@ -1715,8 +1743,9 @@
+ {
+ if (!ok)
+ {
++ int err = X509_STORE_CTX_get_error(stor);
+ LM_INFO("certificate validation failed: %s\n",
+- X509_verify_cert_error_string(stor->error));
++ X509_verify_cert_error_string(err));
+ }
+
+ return ok;
More information about the arch-commits
mailing list