Skip to content
Snippets Groups Projects
Commit 70a64a26 authored by Sergej Pupykin's avatar Sergej Pupykin
Browse files

upgpkg: 2.3.2-1

parent adf1e14c
No related branches found
No related tags found
No related merge requests found
# Maintainer: Sergej Pupykin <pupykin.s+arch@gmail.com>
pkgname=opensips
pkgver=2.2.3
pkgrel=2
pkgver=2.3.2
pkgrel=1
pkgdesc="An Open Source SIP Server able to act as a SIP proxy, registrar, location server, redirect server ..."
url="http://www.opensips.org"
depends=('gcc-libs' 'openssl' 'db' 'attr' 'libxml2')
......@@ -23,11 +23,9 @@ license=('GPL')
install=opensips.install
options=('!emptydirs' 'zipman' '!makeflags' 'docs')
source=(https://opensips.org/pub/opensips/${pkgver}/opensips-${pkgver}.tar.gz
opensips.service
port-tls-1.1.0.patch)
sha256sums=('ccf540f7aae4335a8319b83f6cb87b562e665991fe1c2adc4e8eb4d4f3042dd7'
'c2fec4be085b108db10834fa9832e98d696c2de6408f85f96cf89c13bf6be819'
'1ad2558c329a1b41948ff9ef1c8169289b38500ce8183e50bae653ef82afdbec')
opensips.service)
sha256sums=('467ec4a7ac0187872b26485a893bed15753506624a2af3592f1a093c5cbea16a'
'c2fec4be085b108db10834fa9832e98d696c2de6408f85f96cf89c13bf6be819')
prepare() {
cd "$srcdir"/$pkgname-$pkgver/
......@@ -40,8 +38,6 @@ prepare() {
sed -i 's|sbin|bin|g' Makefile
sed -i 's|bin-dir = sbin/|bin-dir = bin/|' Makefile.defs
patch -Np1 -i ../port-tls-1.1.0.patch
}
_modules="ldap db_mysql db_postgres db_unixodbc presence presence_xml h350 proto_tls tlsops tls_mgm db_http httpd tm rr"
......
Description: Port tls_mgm module to openssl 1.1.0.
Author: Răzvan Crainea <razvan@opensips.org>
Last-Update: 2016-12-01
--- a/modules/tls_mgm/tls.h
+++ b/modules/tls_mgm/tls.h
@@ -64,41 +64,50 @@
#warning ""
#endif
-static int tls_static_locks_no=0;
-static gen_lock_set_t* tls_static_locks=NULL;
-
static SSL_METHOD *ssl_methods[TLS_USE_TLSv1_2 + 1];
#define VERIFY_DEPTH_S 3
-struct CRYPTO_dynlock_value {
- gen_lock_t lock;
-};
-
-static unsigned long tls_get_id(void)
-{
- return my_pid();
-}
-
/*
* Wrappers around OpenSIPS shared memory functions
* (which can be macros)
*/
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+static void* os_malloc(size_t size, const char *file, int line)
+#else
static void* os_malloc(size_t size)
+#endif
{
+#if (defined DBG_MALLOC && OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ return _shm_malloc(size, file, __FUNCTION__, line);
+#else
return shm_malloc(size);
+#endif
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+static void* os_realloc(void *ptr, size_t size, const char *file, int line)
+#else
static void* os_realloc(void *ptr, size_t size)
+#endif
{
+#if (defined DBG_MALLOC && OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ return _shm_realloc(ptr, size, file, __FUNCTION__, line);
+#else
return shm_realloc(ptr, size);
+#endif
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+static void os_free(void *ptr, const char *file, int line)
+#else
static void os_free(void *ptr)
+#endif
{
+ /* TODO: also handle free file and line */
if (ptr)
shm_free(ptr);
}
@@ -106,21 +115,17 @@
-static void tls_static_locks_ops(int mode, int n, const char* file, int line)
-{
- if (n<0 || n>tls_static_locks_no) {
- LM_ERR("BUG - SSL Lib attempting to acquire bogus lock\n");
- abort();
- }
+/* these locks can not be used in 1.1.0, because the interface has changed */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+struct CRYPTO_dynlock_value {
+ gen_lock_t lock;
+};
- if (mode & CRYPTO_LOCK) {
- lock_set_get(tls_static_locks,n);
- } else {
- lock_set_release(tls_static_locks,n);
- }
+static unsigned long tls_get_id(void)
+{
+ return my_pid();
}
-
static struct CRYPTO_dynlock_value* tls_dyn_lock_create(const char* file,
int line)
{
@@ -158,5 +163,6 @@
lock_destroy(&dyn_lock->lock);
shm_free(dyn_lock);
}
+#endif
#endif /* _PROTO_TLS_H_ */
--- a/modules/tls_mgm/tls_conn_ops.h
+++ b/modules/tls_mgm/tls_conn_ops.h
@@ -116,12 +116,14 @@
return -1;
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
#ifndef OPENSSL_NO_KRB5
if ( ((SSL *)c->extra_data)->kssl_ctx ) {
kssl_ctx_free( ((SSL *)c->extra_data)->kssl_ctx );
((SSL *)c->extra_data)->kssl_ctx = 0;
}
#endif
+#endif
if ( c->proto_flags & F_TLS_DO_ACCEPT ) {
LM_DBG("Setting in ACCEPT mode (server)\n");
--- a/modules/tls_mgm/tls_conn_server.h
+++ b/modules/tls_mgm/tls_conn_server.h
@@ -148,17 +148,21 @@
}
ssl = (SSL *) c->extra_data;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
#ifndef OPENSSL_NO_KRB5
if ( ssl->kssl_ctx==NULL )
ssl->kssl_ctx = kssl_ctx_new( );
#endif
+#endif
ret = SSL_accept(ssl);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
#ifndef OPENSSL_NO_KRB5
if ( ssl->kssl_ctx ) {
kssl_ctx_free( ssl->kssl_ctx );
ssl->kssl_ctx = 0;
}
#endif
+#endif
if (ret > 0) {
LM_INFO("New TLS connection from %s:%d accepted\n",
ip_addr2a(&c->rcv.src_ip), c->rcv.src_port);
--- a/modules/tls_mgm/tls_mgm.c
+++ b/modules/tls_mgm/tls_mgm.c
@@ -557,11 +557,10 @@
LM_NOTICE("subject = %s\n", buf);
LM_NOTICE("verify error:num=%d:%s\n",
err, X509_verify_cert_error_string(err));
- LM_NOTICE("error code is %d\n", ctx->error);
- switch (ctx->error) {
+ switch (err) {
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
- X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),
+ X509_NAME_oneline(X509_get_issuer_name(err_cert),
buf,sizeof buf);
LM_NOTICE("issuer= %s\n",buf);
break;
@@ -611,7 +610,7 @@
default:
LM_NOTICE("something wrong with the cert"
- " ... error code is %d (check x509_vfy.h)\n", ctx->error);
+ " ... error code is %d (check x509_vfy.h)\n", err);
break;
}
@@ -1074,9 +1073,11 @@
return 0;
}
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
static int check_for_krb(void)
{
SSL_CTX *xx;
+
int j;
xx = SSL_CTX_new(ssl_methods[tls_default_method - 1]);
@@ -1096,6 +1097,27 @@
SSL_CTX_free(xx);
return 0;
}
+#endif
+
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+static int tls_static_locks_no=0;
+static gen_lock_set_t* tls_static_locks=NULL;
+
+static void tls_static_locks_ops(int mode, int n, const char* file, int line)
+{
+ if (n<0 || n>tls_static_locks_no) {
+ LM_ERR("BUG - SSL Lib attempting to acquire bogus lock\n");
+ abort();
+ }
+
+ if (mode & CRYPTO_LOCK) {
+ lock_set_get(tls_static_locks,n);
+ } else {
+ lock_set_release(tls_static_locks,n);
+ }
+}
+
+
static int tls_init_multithread(void)
{
@@ -1126,6 +1148,7 @@
return 0;
}
+#endif
/*
* initialize ssl methods
@@ -1135,19 +1158,31 @@
{
LM_DBG("entered\n");
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ ssl_methods[TLS_USE_TLSv1_cli-1] = (SSL_METHOD*)TLS_client_method();
+ ssl_methods[TLS_USE_TLSv1_srv-1] = (SSL_METHOD*)TLS_server_method();
+ ssl_methods[TLS_USE_TLSv1-1] = (SSL_METHOD*)TLS_method();
+#else
ssl_methods[TLS_USE_TLSv1_cli-1] = (SSL_METHOD*)TLSv1_client_method();
ssl_methods[TLS_USE_TLSv1_srv-1] = (SSL_METHOD*)TLSv1_server_method();
ssl_methods[TLS_USE_TLSv1-1] = (SSL_METHOD*)TLSv1_method();
+#endif
ssl_methods[TLS_USE_SSLv23_cli-1] = (SSL_METHOD*)SSLv23_client_method();
ssl_methods[TLS_USE_SSLv23_srv-1] = (SSL_METHOD*)SSLv23_server_method();
ssl_methods[TLS_USE_SSLv23-1] = (SSL_METHOD*)SSLv23_method();
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ ssl_methods[TLS_USE_TLSv1_2_cli-1] = (SSL_METHOD*)TLS_client_method();
+ ssl_methods[TLS_USE_TLSv1_2_srv-1] = (SSL_METHOD*)TLS_server_method();
+ ssl_methods[TLS_USE_TLSv1_2-1] = (SSL_METHOD*)TLS_method();
+#else
ssl_methods[TLS_USE_TLSv1_2_cli-1] = (SSL_METHOD*)TLSv1_2_client_method();
ssl_methods[TLS_USE_TLSv1_2_srv-1] = (SSL_METHOD*)TLSv1_2_server_method();
ssl_methods[TLS_USE_TLSv1_2-1] = (SSL_METHOD*)TLSv1_2_method();
#endif
+#endif
}
/* reloads data from the db */
@@ -1273,10 +1308,10 @@
* CRYPTO_malloc will set allow_customize in openssl to 0
*/
if (!CRYPTO_set_mem_functions(os_malloc, os_realloc, os_free)) {
- LM_ERR("unable to set the memory allocation functions\n");
- LM_ERR("NOTE: check if you have openssl 1.0.1e-fips, as this "
- "version is know to be broken; if so, you need to upgrade or "
- "downgrade to a differen openssl version !!\n");
+ LM_ERR("NOTE: check if you are using openssl 1.0.1e-fips, (or other "
+ "FIPS version of openssl, as this is known to be broken; if so, "
+ "you need to upgrade or downgrade to a different openssl version!\n");
+ LM_ERR("current version: %s\n", SSLeay_version(SSLEAY_VERSION));
return -1;
}
@@ -1291,15 +1326,18 @@
sk_SSL_COMP_zero(comp_methods);
}
#endif
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
if (tls_init_multithread() < 0) {
LM_ERR("failed to init multi-threading support\n");
return -1;
}
+#endif
SSL_library_init();
SSL_load_error_strings();
init_ssl_methods();
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
n = check_for_krb();
if (n==-1) {
LM_ERR("kerberos check failed\n");
@@ -1318,6 +1356,7 @@
(n==1)?"":"no ",(n!=1)?"no ":"");
return -1;
}
+#endif
/*
* finish setting up the tls default domains
--- a/modules/identity/identity.c
+++ b/modules/identity/identity.c
@@ -107,6 +107,9 @@
#include "identity.h"
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define EVP_MD_CTX_free EVP_MD_CTX_cleanup
+#endif
/* parameters */
@@ -831,7 +834,11 @@
{
#define IDENTITY_HDR_S "Identity: \""
#define IDENTITY_HDR_L (sizeof(IDENTITY_HDR_S)-1)
- EVP_MD_CTX ctx;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_MD_CTX *pctx;
+#else
+ EVP_MD_CTX ctx, *pctx = &ctx;
+#endif
unsigned int siglen = 0;
int b64len = 0;
unsigned char * sig = NULL;
@@ -843,27 +850,30 @@
LM_ERR("error making digest string\n");
return 0;
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ pctx = EVP_MD_CTX_new();
+#endif
- EVP_SignInit(&ctx, EVP_sha1());
+ EVP_SignInit(pctx, EVP_sha1());
- EVP_SignUpdate(&ctx, digestString, strlen(digestString));
+ EVP_SignUpdate(pctx, digestString, strlen(digestString));
sig = pkg_malloc(EVP_PKEY_size(privKey_evp));
if(!sig)
{
- EVP_MD_CTX_cleanup(&ctx);
+ EVP_MD_CTX_free(pctx);
LM_ERR("failed allocating memory\n");
return 0;
}
- if(!EVP_SignFinal(&ctx, sig, &siglen, privKey_evp))
+ if(!EVP_SignFinal(pctx, sig, &siglen, privKey_evp))
{
- EVP_MD_CTX_cleanup(&ctx);
+ EVP_MD_CTX_free(pctx);
pkg_free(sig);
LM_ERR("error calculating signature\n");
return 0;
}
- EVP_MD_CTX_cleanup(&ctx);
+ EVP_MD_CTX_free(pctx);
/* ###Base64-encoding### */
/* annotation: The next few lines are based on example 7-11 of [VIE-02] */
@@ -1138,6 +1148,10 @@
const unsigned char * data;
STACK_OF(CONF_VALUE) * val;
CONF_VALUE * nval;
+ int len;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ ASN1_OCTET_STRING *adata;
+#endif
if(!cert || !msg)
{
@@ -1190,15 +1204,22 @@
LM_ERR("X509V3_EXT_get failed\n");
return 0;
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ adata = X509_EXTENSION_get_data(cext);
+ data = ASN1_STRING_get0_data(adata);
+ len = ASN1_STRING_length(adata);
+#else
data = cext->value->data;
+ len = cext->value->length;
+#endif
if(meth->it)
{
ext_str = ASN1_item_d2i(NULL, &data,
- cext->value->length, ASN1_ITEM_ptr(meth->it));
+ len, ASN1_ITEM_ptr(meth->it));
}
else
{
- ext_str = meth->d2i(NULL, &data, cext->value->length);
+ ext_str = meth->d2i(NULL, &data, len);
}
val = meth->i2v(meth, ext_str, NULL);
@@ -1251,7 +1272,11 @@
int siglen = -1;
unsigned char * sigbuf = NULL;
int b64len = 0;
- EVP_MD_CTX ctx;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_MD_CTX *pctx;
+#else
+ EVP_MD_CTX ctx, *pctx = &ctx;
+#endif
int result = 0;
char *p;
unsigned long err;
@@ -1295,22 +1320,25 @@
p=strstr(identityHF , "=");
siglen-=strspn(p , "=");
- EVP_VerifyInit(&ctx, EVP_sha1());
- EVP_VerifyUpdate(&ctx, digestString, strlen(digestString));
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ pctx = EVP_MD_CTX_new();
+#endif
+ EVP_VerifyInit(pctx, EVP_sha1());
+ EVP_VerifyUpdate(pctx, digestString, strlen(digestString));
pubkey = X509_get_pubkey(cert);
if(!pubkey)
{
- EVP_MD_CTX_cleanup(&ctx);
+ EVP_MD_CTX_free(pctx);
pkg_free(sigbuf);
LM_ERR("error reading pubkey from cert\n");
return 0;
}
- result = EVP_VerifyFinal(&ctx, sigbuf, siglen, pubkey);
+ result = EVP_VerifyFinal(pctx, sigbuf, siglen, pubkey);
EVP_PKEY_free(pubkey);
- EVP_MD_CTX_cleanup(&ctx);
+ EVP_MD_CTX_free(pctx);
pkg_free(sigbuf);
switch(result)
@@ -1715,8 +1743,9 @@
{
if (!ok)
{
+ int err = X509_STORE_CTX_get_error(stor);
LM_INFO("certificate validation failed: %s\n",
- X509_verify_cert_error_string(stor->error));
+ X509_verify_cert_error_string(err));
}
return ok;
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment