Date: Monday, March 20, 2017 @ 15:25:02 Author: jgc Revision: 217662 upgpkg: opensips 2.2.2-4
OpenSSL 1.1 Added: opensips/trunk/port-tls-1.1.0.patch Modified: opensips/trunk/PKGBUILD ----------------------+ PKGBUILD | 12 - port-tls-1.1.0.patch | 446 +++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 454 insertions(+), 4 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2017-03-20 15:23:42 UTC (rev 217661) +++ PKGBUILD 2017-03-20 15:25:02 UTC (rev 217662) @@ -3,7 +3,7 @@ pkgname=opensips pkgver=2.2.2 -pkgrel=3 +pkgrel=4 pkgdesc="An Open Source SIP Server able to act as a SIP proxy, registrar, location server, redirect server ..." url="http://www.opensips.org" depends=('gcc-libs' 'openssl' 'db' 'attr' 'libxml2') @@ -17,7 +17,7 @@ 'python2' 'pcre') backup=("etc/opensips/opensips.cfg" - "etc/opensips/dictionary.radius" + "etc/opensips/osipsconsolerc" "etc/opensips/opensipsctlrc") arch=('i686' 'x86_64') license=('GPL') @@ -24,9 +24,11 @@ install=opensips.install options=('!emptydirs' 'zipman' '!makeflags' 'docs') source=(https://opensips.org/pub/opensips/${pkgver}/opensips-${pkgver}.tar.gz - opensips.service) + opensips.service + port-tls-1.1.0.patch) sha256sums=('a21777b37c3669617d24b97697dc3f4e613ec87b292f4541cf956a2d539e70c4' - 'c2fec4be085b108db10834fa9832e98d696c2de6408f85f96cf89c13bf6be819') + 'c2fec4be085b108db10834fa9832e98d696c2de6408f85f96cf89c13bf6be819' + '1ad2558c329a1b41948ff9ef1c8169289b38500ce8183e50bae653ef82afdbec') prepare() { cd "$srcdir"/$pkgname-$pkgver/ @@ -39,6 +41,8 @@ sed -i 's|sbin|bin|g' Makefile sed -i 's|bin-dir = sbin/|bin-dir = bin/|' Makefile.defs + + patch -Np1 -i ../port-tls-1.1.0.patch } _modules="ldap db_mysql db_postgres db_unixodbc presence presence_xml h350 proto_tls tlsops tls_mgm db_http httpd tm rr" Added: port-tls-1.1.0.patch =================================================================== --- port-tls-1.1.0.patch (rev 0) +++ port-tls-1.1.0.patch 2017-03-20 15:25:02 UTC (rev 217662) @@ -0,0 +1,446 @@ +Description: Port tls_mgm module to openssl 1.1.0. +Author: Răzvan Crainea <raz...@opensips.org> +Last-Update: 2016-12-01 +--- a/modules/tls_mgm/tls.h ++++ b/modules/tls_mgm/tls.h +@@ -64,41 +64,50 @@ + #warning "" + #endif + +-static int tls_static_locks_no=0; +-static gen_lock_set_t* tls_static_locks=NULL; +- + static SSL_METHOD *ssl_methods[TLS_USE_TLSv1_2 + 1]; + + #define VERIFY_DEPTH_S 3 + + +-struct CRYPTO_dynlock_value { +- gen_lock_t lock; +-}; +- +-static unsigned long tls_get_id(void) +-{ +- return my_pid(); +-} +- + /* + * Wrappers around OpenSIPS shared memory functions + * (which can be macros) + */ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++static void* os_malloc(size_t size, const char *file, int line) ++#else + static void* os_malloc(size_t size) ++#endif + { ++#if (defined DBG_MALLOC && OPENSSL_VERSION_NUMBER >= 0x10100000L) ++ return _shm_malloc(size, file, __FUNCTION__, line); ++#else + return shm_malloc(size); ++#endif + } + + ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++static void* os_realloc(void *ptr, size_t size, const char *file, int line) ++#else + static void* os_realloc(void *ptr, size_t size) ++#endif + { ++#if (defined DBG_MALLOC && OPENSSL_VERSION_NUMBER >= 0x10100000L) ++ return _shm_realloc(ptr, size, file, __FUNCTION__, line); ++#else + return shm_realloc(ptr, size); ++#endif + } + + ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++static void os_free(void *ptr, const char *file, int line) ++#else + static void os_free(void *ptr) ++#endif + { ++ /* TODO: also handle free file and line */ + if (ptr) + shm_free(ptr); + } +@@ -106,21 +115,17 @@ + + + +-static void tls_static_locks_ops(int mode, int n, const char* file, int line) +-{ +- if (n<0 || n>tls_static_locks_no) { +- LM_ERR("BUG - SSL Lib attempting to acquire bogus lock\n"); +- abort(); +- } ++/* these locks can not be used in 1.1.0, because the interface has changed */ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++struct CRYPTO_dynlock_value { ++ gen_lock_t lock; ++}; + +- if (mode & CRYPTO_LOCK) { +- lock_set_get(tls_static_locks,n); +- } else { +- lock_set_release(tls_static_locks,n); +- } ++static unsigned long tls_get_id(void) ++{ ++ return my_pid(); + } + +- + static struct CRYPTO_dynlock_value* tls_dyn_lock_create(const char* file, + int line) + { +@@ -158,5 +163,6 @@ + lock_destroy(&dyn_lock->lock); + shm_free(dyn_lock); + } ++#endif + + #endif /* _PROTO_TLS_H_ */ +--- a/modules/tls_mgm/tls_conn_ops.h ++++ b/modules/tls_mgm/tls_conn_ops.h +@@ -116,12 +116,14 @@ + return -1; + } + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + #ifndef OPENSSL_NO_KRB5 + if ( ((SSL *)c->extra_data)->kssl_ctx ) { + kssl_ctx_free( ((SSL *)c->extra_data)->kssl_ctx ); + ((SSL *)c->extra_data)->kssl_ctx = 0; + } + #endif ++#endif + + if ( c->proto_flags & F_TLS_DO_ACCEPT ) { + LM_DBG("Setting in ACCEPT mode (server)\n"); +--- a/modules/tls_mgm/tls_conn_server.h ++++ b/modules/tls_mgm/tls_conn_server.h +@@ -148,17 +148,21 @@ + } + + ssl = (SSL *) c->extra_data; ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + #ifndef OPENSSL_NO_KRB5 + if ( ssl->kssl_ctx==NULL ) + ssl->kssl_ctx = kssl_ctx_new( ); + #endif ++#endif + ret = SSL_accept(ssl); ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + #ifndef OPENSSL_NO_KRB5 + if ( ssl->kssl_ctx ) { + kssl_ctx_free( ssl->kssl_ctx ); + ssl->kssl_ctx = 0; + } + #endif ++#endif + if (ret > 0) { + LM_INFO("New TLS connection from %s:%d accepted\n", + ip_addr2a(&c->rcv.src_ip), c->rcv.src_port); +--- a/modules/tls_mgm/tls_mgm.c ++++ b/modules/tls_mgm/tls_mgm.c +@@ -557,11 +557,10 @@ + LM_NOTICE("subject = %s\n", buf); + LM_NOTICE("verify error:num=%d:%s\n", + err, X509_verify_cert_error_string(err)); +- LM_NOTICE("error code is %d\n", ctx->error); + +- switch (ctx->error) { ++ switch (err) { + case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: +- X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), ++ X509_NAME_oneline(X509_get_issuer_name(err_cert), + buf,sizeof buf); + LM_NOTICE("issuer= %s\n",buf); + break; +@@ -611,7 +610,7 @@ + + default: + LM_NOTICE("something wrong with the cert" +- " ... error code is %d (check x509_vfy.h)\n", ctx->error); ++ " ... error code is %d (check x509_vfy.h)\n", err); + break; + } + +@@ -1074,9 +1073,11 @@ + return 0; + } + ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) + static int check_for_krb(void) + { + SSL_CTX *xx; ++ + int j; + + xx = SSL_CTX_new(ssl_methods[tls_default_method - 1]); +@@ -1096,6 +1097,27 @@ + SSL_CTX_free(xx); + return 0; + } ++#endif ++ ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) ++static int tls_static_locks_no=0; ++static gen_lock_set_t* tls_static_locks=NULL; ++ ++static void tls_static_locks_ops(int mode, int n, const char* file, int line) ++{ ++ if (n<0 || n>tls_static_locks_no) { ++ LM_ERR("BUG - SSL Lib attempting to acquire bogus lock\n"); ++ abort(); ++ } ++ ++ if (mode & CRYPTO_LOCK) { ++ lock_set_get(tls_static_locks,n); ++ } else { ++ lock_set_release(tls_static_locks,n); ++ } ++} ++ ++ + + static int tls_init_multithread(void) + { +@@ -1126,6 +1148,7 @@ + + return 0; + } ++#endif + + /* + * initialize ssl methods +@@ -1135,19 +1158,31 @@ + { + LM_DBG("entered\n"); + ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ ssl_methods[TLS_USE_TLSv1_cli-1] = (SSL_METHOD*)TLS_client_method(); ++ ssl_methods[TLS_USE_TLSv1_srv-1] = (SSL_METHOD*)TLS_server_method(); ++ ssl_methods[TLS_USE_TLSv1-1] = (SSL_METHOD*)TLS_method(); ++#else + ssl_methods[TLS_USE_TLSv1_cli-1] = (SSL_METHOD*)TLSv1_client_method(); + ssl_methods[TLS_USE_TLSv1_srv-1] = (SSL_METHOD*)TLSv1_server_method(); + ssl_methods[TLS_USE_TLSv1-1] = (SSL_METHOD*)TLSv1_method(); ++#endif + + ssl_methods[TLS_USE_SSLv23_cli-1] = (SSL_METHOD*)SSLv23_client_method(); + ssl_methods[TLS_USE_SSLv23_srv-1] = (SSL_METHOD*)SSLv23_server_method(); + ssl_methods[TLS_USE_SSLv23-1] = (SSL_METHOD*)SSLv23_method(); + + #if OPENSSL_VERSION_NUMBER >= 0x10001000L ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ ssl_methods[TLS_USE_TLSv1_2_cli-1] = (SSL_METHOD*)TLS_client_method(); ++ ssl_methods[TLS_USE_TLSv1_2_srv-1] = (SSL_METHOD*)TLS_server_method(); ++ ssl_methods[TLS_USE_TLSv1_2-1] = (SSL_METHOD*)TLS_method(); ++#else + ssl_methods[TLS_USE_TLSv1_2_cli-1] = (SSL_METHOD*)TLSv1_2_client_method(); + ssl_methods[TLS_USE_TLSv1_2_srv-1] = (SSL_METHOD*)TLSv1_2_server_method(); + ssl_methods[TLS_USE_TLSv1_2-1] = (SSL_METHOD*)TLSv1_2_method(); + #endif ++#endif + } + + /* reloads data from the db */ +@@ -1273,10 +1308,10 @@ + * CRYPTO_malloc will set allow_customize in openssl to 0 + */ + if (!CRYPTO_set_mem_functions(os_malloc, os_realloc, os_free)) { +- LM_ERR("unable to set the memory allocation functions\n"); +- LM_ERR("NOTE: check if you have openssl 1.0.1e-fips, as this " +- "version is know to be broken; if so, you need to upgrade or " +- "downgrade to a differen openssl version !!\n"); ++ LM_ERR("NOTE: check if you are using openssl 1.0.1e-fips, (or other " ++ "FIPS version of openssl, as this is known to be broken; if so, " ++ "you need to upgrade or downgrade to a different openssl version!\n"); ++ LM_ERR("current version: %s\n", SSLeay_version(SSLEAY_VERSION)); + return -1; + } + +@@ -1291,15 +1326,18 @@ + sk_SSL_COMP_zero(comp_methods); + } + #endif ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) + if (tls_init_multithread() < 0) { + LM_ERR("failed to init multi-threading support\n"); + return -1; + } ++#endif + + SSL_library_init(); + SSL_load_error_strings(); + init_ssl_methods(); + ++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) + n = check_for_krb(); + if (n==-1) { + LM_ERR("kerberos check failed\n"); +@@ -1318,6 +1356,7 @@ + (n==1)?"":"no ",(n!=1)?"no ":""); + return -1; + } ++#endif + + /* + * finish setting up the tls default domains +--- a/modules/identity/identity.c ++++ b/modules/identity/identity.c +@@ -107,6 +107,9 @@ + #include "identity.h" + + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#define EVP_MD_CTX_free EVP_MD_CTX_cleanup ++#endif + + /* parameters */ + +@@ -831,7 +834,11 @@ + { + #define IDENTITY_HDR_S "Identity: \"" + #define IDENTITY_HDR_L (sizeof(IDENTITY_HDR_S)-1) +- EVP_MD_CTX ctx; ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ EVP_MD_CTX *pctx; ++#else ++ EVP_MD_CTX ctx, *pctx = &ctx; ++#endif + unsigned int siglen = 0; + int b64len = 0; + unsigned char * sig = NULL; +@@ -843,27 +850,30 @@ + LM_ERR("error making digest string\n"); + return 0; + } ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ pctx = EVP_MD_CTX_new(); ++#endif + +- EVP_SignInit(&ctx, EVP_sha1()); ++ EVP_SignInit(pctx, EVP_sha1()); + +- EVP_SignUpdate(&ctx, digestString, strlen(digestString)); ++ EVP_SignUpdate(pctx, digestString, strlen(digestString)); + + sig = pkg_malloc(EVP_PKEY_size(privKey_evp)); + if(!sig) + { +- EVP_MD_CTX_cleanup(&ctx); ++ EVP_MD_CTX_free(pctx); + LM_ERR("failed allocating memory\n"); + return 0; + } + +- if(!EVP_SignFinal(&ctx, sig, &siglen, privKey_evp)) ++ if(!EVP_SignFinal(pctx, sig, &siglen, privKey_evp)) + { +- EVP_MD_CTX_cleanup(&ctx); ++ EVP_MD_CTX_free(pctx); + pkg_free(sig); + LM_ERR("error calculating signature\n"); + return 0; + } +- EVP_MD_CTX_cleanup(&ctx); ++ EVP_MD_CTX_free(pctx); + + /* ###Base64-encoding### */ + /* annotation: The next few lines are based on example 7-11 of [VIE-02] */ +@@ -1138,6 +1148,10 @@ + const unsigned char * data; + STACK_OF(CONF_VALUE) * val; + CONF_VALUE * nval; ++ int len; ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ ASN1_OCTET_STRING *adata; ++#endif + + if(!cert || !msg) + { +@@ -1190,15 +1204,22 @@ + LM_ERR("X509V3_EXT_get failed\n"); + return 0; + } ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ adata = X509_EXTENSION_get_data(cext); ++ data = ASN1_STRING_get0_data(adata); ++ len = ASN1_STRING_length(adata); ++#else + data = cext->value->data; ++ len = cext->value->length; ++#endif + if(meth->it) + { + ext_str = ASN1_item_d2i(NULL, &data, +- cext->value->length, ASN1_ITEM_ptr(meth->it)); ++ len, ASN1_ITEM_ptr(meth->it)); + } + else + { +- ext_str = meth->d2i(NULL, &data, cext->value->length); ++ ext_str = meth->d2i(NULL, &data, len); + } + + val = meth->i2v(meth, ext_str, NULL); +@@ -1251,7 +1272,11 @@ + int siglen = -1; + unsigned char * sigbuf = NULL; + int b64len = 0; +- EVP_MD_CTX ctx; ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ EVP_MD_CTX *pctx; ++#else ++ EVP_MD_CTX ctx, *pctx = &ctx; ++#endif + int result = 0; + char *p; + unsigned long err; +@@ -1295,22 +1320,25 @@ + p=strstr(identityHF , "="); + siglen-=strspn(p , "="); + +- EVP_VerifyInit(&ctx, EVP_sha1()); +- EVP_VerifyUpdate(&ctx, digestString, strlen(digestString)); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ pctx = EVP_MD_CTX_new(); ++#endif ++ EVP_VerifyInit(pctx, EVP_sha1()); ++ EVP_VerifyUpdate(pctx, digestString, strlen(digestString)); + + pubkey = X509_get_pubkey(cert); + if(!pubkey) + { +- EVP_MD_CTX_cleanup(&ctx); ++ EVP_MD_CTX_free(pctx); + pkg_free(sigbuf); + LM_ERR("error reading pubkey from cert\n"); + return 0; + } + +- result = EVP_VerifyFinal(&ctx, sigbuf, siglen, pubkey); ++ result = EVP_VerifyFinal(pctx, sigbuf, siglen, pubkey); + + EVP_PKEY_free(pubkey); +- EVP_MD_CTX_cleanup(&ctx); ++ EVP_MD_CTX_free(pctx); + pkg_free(sigbuf); + + switch(result) +@@ -1715,8 +1743,9 @@ + { + if (!ok) + { ++ int err = X509_STORE_CTX_get_error(stor); + LM_INFO("certificate validation failed: %s\n", +- X509_verify_cert_error_string(stor->error)); ++ X509_verify_cert_error_string(err)); + } + + return ok;