Control: tags -1 pending patch Hi,
I intend to NMU this package with the attached patch in a few days to fix this bug. Please tell me if you don't want me to. The patch is a stripped down version of the work I did earlier (link in previous messages in this bugreport). Upstream is working on their own version but it isn't ready yet. Thanks, James
diff -Nru belle-sip-1.4.1/debian/changelog belle-sip-1.4.1/debian/changelog --- belle-sip-1.4.1/debian/changelog 2015-05-23 13:45:08.000000000 +0100 +++ belle-sip-1.4.1/debian/changelog 2016-01-15 23:59:32.000000000 +0000 @@ -1,3 +1,13 @@ +belle-sip (1.4.1-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix FTBFS with GCC 6. + * Port to mbedTLS since PolarSSL is going away. (Closes: #808067) + - Add --disable-strict to configure invocation to prevent -Werror from + failing the build (warning is about polarssl compat layer deprecation). + + -- James Cowgill <james...@cowgill.org.uk> Fri, 15 Jan 2016 23:59:29 +0000 + belle-sip (1.4.1-1) unstable; urgency=medium [ Felix Lechner ] diff -Nru belle-sip-1.4.1/debian/control belle-sip-1.4.1/debian/control --- belle-sip-1.4.1/debian/control 2015-05-23 13:41:05.000000000 +0100 +++ belle-sip-1.4.1/debian/control 2016-01-15 22:55:50.000000000 +0000 @@ -6,7 +6,7 @@ Build-Depends: debhelper (>= 9), dh-autoreconf, autotools-dev, quilt, pkg-config, intltool, libcunit1-ncurses-dev, - libantlr3c-dev, antlr3, libpolarssl-dev + libantlr3c-dev, antlr3, libmbedtls-dev Standards-Version: 3.9.6 Homepage: http://www.linphone.org Vcs-Browser: https://github.com/BelledonneCommunications/belle-sip diff -Nru belle-sip-1.4.1/debian/patches/0001-Fix-FTBFS-with-GCC-6-typo-in-belle_sip_uri_equals.patch belle-sip-1.4.1/debian/patches/0001-Fix-FTBFS-with-GCC-6-typo-in-belle_sip_uri_equals.patch --- belle-sip-1.4.1/debian/patches/0001-Fix-FTBFS-with-GCC-6-typo-in-belle_sip_uri_equals.patch 1970-01-01 01:00:00.000000000 +0100 +++ belle-sip-1.4.1/debian/patches/0001-Fix-FTBFS-with-GCC-6-typo-in-belle_sip_uri_equals.patch 2016-01-15 22:49:47.000000000 +0000 @@ -0,0 +1,25 @@ +From 997382640eae6067b090c2afad49a4a018c01ecb Mon Sep 17 00:00:00 2001 +From: James Cowgill <james...@cowgill.org.uk> +Date: Fri, 15 Jan 2016 22:00:49 +0000 +Subject: [PATCH 1/2] Fix FTBFS with GCC 6 - typo in belle_sip_uri_equals + +--- + src/belle_sip_uri_impl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/belle_sip_uri_impl.c b/src/belle_sip_uri_impl.c +index 4d1a4bd..0c613c5 100644 +--- a/src/belle_sip_uri_impl.c ++++ b/src/belle_sip_uri_impl.c +@@ -301,7 +301,7 @@ int belle_sip_uri_equals(const belle_sip_uri_t* uri_a,const belle_sip_uri_t* uri + */ + if (uri_a->user && uri_b->user) { + if (IS_EQUAL(uri_a->user,uri_b->user)) return 0; +- } else if (uri_a->user != uri_a->user) { ++ } else if (uri_a->user != uri_b->user) { + return 0; + } + /* +-- +2.7.0.rc3 + diff -Nru belle-sip-1.4.1/debian/patches/0002-Port-to-mbedTLS.patch belle-sip-1.4.1/debian/patches/0002-Port-to-mbedTLS.patch --- belle-sip-1.4.1/debian/patches/0002-Port-to-mbedTLS.patch 1970-01-01 01:00:00.000000000 +0100 +++ belle-sip-1.4.1/debian/patches/0002-Port-to-mbedTLS.patch 2016-01-15 22:49:47.000000000 +0000 @@ -0,0 +1,730 @@ +From 48d5decbc9cad97cd72d44cff56c8e66f1cc6907 Mon Sep 17 00:00:00 2001 +From: James Cowgill <james...@cowgill.org.uk> +Date: Sun, 6 Dec 2015 17:11:36 +0000 +Subject: [PATCH 2/2] Port to mbedTLS + +--- + configure.ac | 52 ++---- + src/http-provider.c | 2 +- + src/transports/tls_channel_polarssl.c | 265 +++++++-------------------- + src/transports/tls_listeningpoint_polarssl.c | 24 --- + tester/auth_helper_tester.c | 16 +- + 5 files changed, 91 insertions(+), 268 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 3ddc3ba..8f26804 100755 +--- a/configure.ac ++++ b/configure.ac +@@ -235,52 +235,36 @@ AC_ARG_ENABLE( tls, + *) AC_MSG_ERROR(bad value ${enableval} for --enable-tls) ;; + esac],[use_tls=true]) + +-AC_ARG_WITH( polarssl, +- [ --with-polarssl Set prefix where polarssl can be found (ex:/usr, /usr/local)[default=PREFIX] ], +- [ polarssl_prefix=${withval}],[ polarssl_prefix=${prefix} ]) ++AC_ARG_WITH( mbedtls, ++ [ --with-mbedtls Set prefix where mbedTLS can be found (ex:/usr, /usr/local)[default=PREFIX] ], ++ [ mbedtls_prefix=${withval}],[ mbedtls_prefix=${prefix} ]) + +-if test "$polarssl_prefix" != "NONE" && test "$polarssl_prefix" != "/usr"; then +- POLARSSL_CFLAGS="-I${polarssl_prefix}/include" +- POLARSSL_LIBS="-L${polarssl_prefix}/lib" ++if test "$mbedtls_prefix" != "NONE" && test "$mbedtls_prefix" != "/usr"; then ++ MBEDTLS_CFLAGS="-I${mbedtls_prefix}/include" ++ MBEDTLS_LIBS="-L${mbedtls_prefix}/lib" + fi + +-POLARSSL_LIBS="$POLARSSL_LIBS -lpolarssl" +-found_polarssl=no ++found_mbedtls=no + + if test "$use_tls" = "true" ; then +- CPPFLAGS_save=$CPPFLAGS + LIBS_save=$LIBS + +- CPPFLAGS="$CPPFLAGS $POLARSSL_CFLAGS" +- LIBS="$LIBS $POLARSSL_LIBS" +- AC_CHECK_HEADERS(polarssl/ssl.h, +- [ +- AC_LINK_IFELSE([AC_LANG_PROGRAM([[ +- #include <polarssl/version.h> +- #include <polarssl/x509.h> +- #if POLARSSL_VERSION_NUMBER >= 0x01030000 +- #include <polarssl/compat-1.2.h> +- #endif +- ]], +- [[x509parse_crtpath(0,0)]])] +- ,[found_polarssl=yes +- POLARSSL_LIBS=" -lpolarssl" +- AC_MSG_NOTICE([polarssl usable])] +- ,[AC_MSG_ERROR([polarssl not found or usable but TLS support required.])]) +- +- ]) +- CPPFLAGS=$CPPFLAGS_save ++ LIBS="$LIBS $MBEDTLS_LIBS" ++ AC_CHECK_LIB(mbedtls, mbedtls_ssl_setup, ++ [MBEDTLS_LIBS="$MBEDTLS_LIBS -lmbedcrypto -lmbedx509 -lmbedtls" ++ found_mbedtls=yes], ++ [AC_MSG_ERROR([mbedTLS 2 not found])]) + LIBS=$LIBS_save + fi + +-AM_CONDITIONAL([BUILD_TLS], [test "x$found_polarssl" = "xyes"]) ++AM_CONDITIONAL([BUILD_TLS], [test "x$found_mbedtls" = "xyes"]) + TLS_CFLAGS="" + TLS_LIBS="" + TLS_PC="" +-if test "x$found_polarssl" = "xyes" ; then +- AC_DEFINE(HAVE_POLARSSL,1,[Defined when polarssl api is available]) +- TLS_CFLAGS=$POLARSSL_CFLAGS +- TLS_LIBS=$POLARSSL_LIBS ++if test "x$found_mbedtls" = "xyes" ; then ++ AC_DEFINE(HAVE_MBEDTLS,1,[Defined when mbedtls api is available]) ++ TLS_CFLAGS=$MBEDTLS_CFLAGS ++ TLS_LIBS=$MBEDTLS_LIBS + fi + AC_SUBST(TLS_CFLAGS) + AC_SUBST(TLS_LIBS) +@@ -367,7 +351,7 @@ else + LIBS_PRIVATE="$LIBS_PRIVATE $CUNIT_LIBS" + fi + fi +-LIBS_PRIVATE="$LIBS_PRIVATE $ANTLR_LIBS $POLARSSL_LIBS" ++LIBS_PRIVATE="$LIBS_PRIVATE $ANTLR_LIBS $MBEDTLS_LIBS" + AC_SUBST(REQUIRES_PRIVATE) + AC_SUBST(LIBS_PRIVATE) + +diff --git a/src/http-provider.c b/src/http-provider.c +index bcb3471..84f0f45 100644 +--- a/src/http-provider.c ++++ b/src/http-provider.c +@@ -395,7 +395,7 @@ int belle_http_provider_send_request(belle_http_provider_t *obj, belle_http_requ + if (strcasecmp(hop->transport,"tcp")==0){ + chan=belle_sip_stream_channel_new_client(obj->stack,obj->bind_ip,0,hop->cname,hop->host,hop->port); + } +-#ifdef HAVE_POLARSSL ++#ifdef HAVE_MBEDTLS + else if (strcasecmp(hop->transport,"tls")==0){ + chan=belle_sip_channel_new_tls(obj->stack,obj->verify_ctx,obj->bind_ip,0,hop->cname,hop->host,hop->port); + } +diff --git a/src/transports/tls_channel_polarssl.c b/src/transports/tls_channel_polarssl.c +index e50b91b..b40da6c 100644 +--- a/src/transports/tls_channel_polarssl.c ++++ b/src/transports/tls_channel_polarssl.c +@@ -19,64 +19,35 @@ + #include "belle_sip_internal.h" + #include "stream_channel.h" + +-#ifdef HAVE_POLARSSL + /* Uncomment to get very verbose polarssl logs*/ + //#define ENABLE_POLARSSL_LOGS +-#include <polarssl/ssl.h> +-#include <polarssl/version.h> +-#include <polarssl/error.h> +-#include <polarssl/pem.h> +-#if POLARSSL_VERSION_NUMBER >= 0x01030000 +-#include <polarssl/x509.h> +-#include <polarssl/entropy.h> +-#include <polarssl/ctr_drbg.h> +-#include <polarssl/sha1.h> +-#include <polarssl/sha256.h> +-#include <polarssl/sha512.h> +-#endif +-#endif +- ++#include <mbedtls/ssl.h> ++#include <mbedtls/error.h> ++#include <mbedtls/pem.h> ++#include <mbedtls/x509.h> ++#include <mbedtls/entropy.h> ++#include <mbedtls/ctr_drbg.h> ++#include <mbedtls/sha1.h> ++#include <mbedtls/sha256.h> ++#include <mbedtls/sha512.h> ++#include <mbedtls/net.h> ++#include <mbedtls/debug.h> ++#include <mbedtls/compat-1.3.h> + + struct belle_sip_certificates_chain { + belle_sip_object_t objet; +-#ifdef HAVE_POLARSSL +-#if POLARSSL_VERSION_NUMBER < 0x01030000 +- x509_cert cert; +-#else + x509_crt cert; +-#endif +-#endif + }; + + struct belle_sip_signing_key { + belle_sip_object_t objet; +-#ifdef HAVE_POLARSSL +-#if POLARSSL_VERSION_NUMBER < 0x01030000 +- rsa_context key; +-#else + pk_context key; +-#endif +-#endif + }; + + +-#if POLARSSL_VERSION_NUMBER < 0x01030000 +-/*stubs*/ +-char *belle_sip_certificates_chain_get_pem(belle_sip_certificates_chain_t *cert) { +- return NULL; +-} +-char *belle_sip_signing_key_get_pem(belle_sip_signing_key_t *key) { +- return NULL; +-} +-#endif +- +-#ifdef HAVE_POLARSSL +- + /** + * Retrieve key or certificate in a string(PEM format) + */ +-#if POLARSSL_VERSION_NUMBER >= 0x01030000 +- + char *belle_sip_certificates_chain_get_pem(belle_sip_certificates_chain_t *cert) { + char *pem_certificate = NULL; + size_t olen=0; +@@ -94,7 +65,6 @@ char *belle_sip_signing_key_get_pem(belle_sip_signing_key_t *key) { + pk_write_key_pem( &(key->key), (unsigned char *)pem_key, 4096); + return pem_key; + } +-#endif /* POLARSSL_VERSION_NUMBER >= 0x01030000 */ + + /*************tls********/ + // SSL verification callback prototype +@@ -110,11 +80,8 @@ static int tls_process_data(belle_sip_channel_t *obj,unsigned int revents); + struct belle_sip_tls_channel{ + belle_sip_stream_channel_t base; + ssl_context sslctx; +-#if POLARSSL_VERSION_NUMBER < 0x01030000 +- x509_cert root_ca; +-#else ++ mbedtls_ssl_config sslconf; + x509_crt root_ca; +-#endif + struct sockaddr_storage ss; + socklen_t socklen; + int socket_connected; +@@ -138,11 +105,8 @@ static void tls_channel_uninit(belle_sip_tls_channel_t *obj){ + if (sock!=(belle_sip_socket_t)-1) + tls_channel_close(obj); + ssl_free(&obj->sslctx); +-#if POLARSSL_VERSION_NUMBER < 0x01030000 +- x509_free(&obj->root_ca); +-#else ++ mbedtls_ssl_config_free(&obj->sslconf); + x509_crt_free(&obj->root_ca); +-#endif + if (obj->cur_debug_msg) + belle_sip_free(obj->cur_debug_msg); + belle_sip_object_unref(obj->verify_ctx); +@@ -222,28 +186,16 @@ static int tls_channel_handshake(belle_sip_tls_channel_t *channel) { + ,NULL/*not set yet*/); + + if (channel->client_cert_chain && channel->client_cert_key) { +-#if POLARSSL_VERSION_NUMBER >= 0x01030000 + int err; +-#endif + char tmp[512]={0}; +-#if POLARSSL_VERSION_NUMBER < 0x01030000 +- x509parse_cert_info(tmp,sizeof(tmp)-1,"",&channel->client_cert_chain->cert); +-#else + x509_crt_info(tmp,sizeof(tmp)-1,"",&channel->client_cert_chain->cert); +-#endif + belle_sip_message("Channel [%p] found client certificate:\n%s",channel,tmp); +-#if POLARSSL_VERSION_NUMBER < 0x01030000 +- ssl_set_own_cert(&channel->sslctx,&channel->client_cert_chain->cert,&channel->client_cert_key->key); +-#else + /* allows public keys other than RSA */ +- if ((err=ssl_set_own_cert(&channel->sslctx,&channel->client_cert_chain->cert,&channel->client_cert_key->key))) { ++ if ((err = mbedtls_ssl_set_hs_own_cert(&channel->sslctx, &channel->client_cert_chain->cert, ++ &channel->client_cert_key->key))) { + error_strerror(err,tmp,sizeof(tmp)-1); + belle_sip_error("Channel [%p] cannot ssl_set_own_cert [%s]",channel,tmp); + } +- +- /*update own cert see ssl_handshake frompolarssl*/ +- channel->sslctx.handshake->key_cert = channel->sslctx.key_cert; +-#endif + } + } + +@@ -391,11 +343,7 @@ int belle_sip_tls_set_verify_error_cb(void * callback) + // 5) callback must disable calls to linphone_core_iterate while running + // + +-#if POLARSSL_VERSION_NUMBER < 0x01030000 +-int belle_sip_verify_cb_error_wrapper(x509_cert *cert, int depth, int *flags){ +-#else +-int belle_sip_verify_cb_error_wrapper(x509_crt *cert, int depth, int *flags){ +-#endif ++int belle_sip_verify_cb_error_wrapper(x509_crt *cert, int depth, uint32_t *flags){ + int rc = 0; + unsigned char *der = NULL; + +@@ -404,7 +352,7 @@ int belle_sip_verify_cb_error_wrapper(x509_crt *cert, int depth, int *flags){ + return 0; + } + +- belle_sip_message("belle_sip_verify_cb_error_wrapper: depth=[%d], flags=[%d]:\n", depth, *flags); ++ belle_sip_message("belle_sip_verify_cb_error_wrapper: depth=[%d], flags=[%u]:\n", depth, (unsigned)*flags); + + der = belle_sip_malloc(cert->raw.len + 1); + if (der == NULL) { +@@ -417,28 +365,20 @@ int belle_sip_verify_cb_error_wrapper(x509_crt *cert, int depth, int *flags){ + memcpy(der, cert->raw.p, cert->raw.len); + der[cert->raw.len] = '\0'; + +- rc = tls_verify_cb_error_cb(der, cert->raw.len, depth, flags); ++ rc = tls_verify_cb_error_cb(der, cert->raw.len, depth, (int*) flags); + +- belle_sip_message("belle_sip_verify_cb_error_wrapper: callback return rc: %d, flags: %d", rc, *flags); ++ belle_sip_message("belle_sip_verify_cb_error_wrapper: callback return rc: %d, flags: %u", rc, (unsigned)*flags); + belle_sip_free(der); + return rc; + } + + +-#if POLARSSL_VERSION_NUMBER < 0x01030000 +-static int belle_sip_ssl_verify(void *data , x509_cert *cert , int depth, int *flags){ +-#else +-static int belle_sip_ssl_verify(void *data , x509_crt *cert , int depth, int *flags){ +-#endif ++static int belle_sip_ssl_verify(void *data , x509_crt *cert , int depth, uint32_t *flags){ + belle_tls_verify_policy_t *verify_ctx=(belle_tls_verify_policy_t*)data; + char tmp[512]; + char flags_str[128]; + +-#if POLARSSL_VERSION_NUMBER < 0x01030000 +- x509parse_cert_info(tmp,sizeof(tmp),"",cert); +-#else + x509_crt_info(tmp,sizeof(tmp),"",cert); +-#endif + belle_sip_message("Found certificate depth=[%i], flags=[%s]:\n%s", + depth,polarssl_certflags_to_string(flags_str,sizeof(flags_str),*flags),tmp); + if (verify_ctx->exception_flags==BELLE_TLS_VERIFY_ANY_REASON){ +@@ -454,20 +394,12 @@ static int belle_sip_tls_channel_load_root_ca(belle_sip_tls_channel_t *obj, cons + struct stat statbuf; + if (stat(path,&statbuf)==0){ + if (statbuf.st_mode & S_IFDIR){ +-#if POLARSSL_VERSION_NUMBER < 0x01030000 +- if (x509parse_crtpath(&obj->root_ca,path)<0){ +-#else + if (x509_crt_parse_path(&obj->root_ca,path)<0){ +-#endif + belle_sip_error("Failed to load root ca from directory %s",path); + return -1; + } + }else{ +-#if POLARSSL_VERSION_NUMBER < 0x01030000 +- if (x509parse_crtfile(&obj->root_ca,path)<0){ +-#else + if (x509_crt_parse_file(&obj->root_ca,path)<0){ +-#endif + belle_sip_error("Failed to load root ca from file %s",path); + return -1; + } +@@ -483,7 +415,7 @@ static int belle_sip_tls_channel_load_root_ca(belle_sip_tls_channel_t *obj, cons + * polarssl does a lot of logs, some with newline, some without. + * We need to concatenate logs without new line until a new line is found. + */ +-static void ssl_debug_to_belle_sip(void *context, int level, const char *str){ ++static void ssl_debug_to_belle_sip(void *context, int level, const char* file, int line, const char *str){ + belle_sip_tls_channel_t *chan=(belle_sip_tls_channel_t*)context; + int len=strlen(str); + +@@ -515,20 +447,28 @@ belle_sip_channel_t * belle_sip_channel_new_tls(belle_sip_stack_t *stack, belle_ + belle_sip_stream_channel_init_client(super + ,stack + ,bindip,localport,peer_cname,dest,port); +- ssl_init(&obj->sslctx); ++ ++ mbedtls_ssl_config_init(&obj->sslconf); ++ mbedtls_ssl_config_defaults(&obj->sslconf, MBEDTLS_SSL_IS_CLIENT, ++ MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT); + #ifdef ENABLE_POLARSSL_LOGS +- ssl_set_dbg(&obj->sslctx,ssl_debug_to_belle_sip,obj); ++ mbedtls_ssl_conf_dbg(&obj->sslconf, ssl_debug_to_belle_sip, obj); ++ mbedtls_debug_set_threshold(2); + #endif +- ssl_set_endpoint(&obj->sslctx,SSL_IS_CLIENT); +- ssl_set_authmode(&obj->sslctx,SSL_VERIFY_REQUIRED); +- ssl_set_bio(&obj->sslctx,polarssl_read,obj,polarssl_write,obj); +- if (verify_ctx->root_ca && belle_sip_tls_channel_load_root_ca(obj,verify_ctx->root_ca)==0){ +- ssl_set_ca_chain(&obj->sslctx,&obj->root_ca,NULL,super->base.peer_cname ? super->base.peer_cname : super->base.peer_name ); ++ mbedtls_ssl_conf_authmode(&obj->sslconf, MBEDTLS_SSL_VERIFY_REQUIRED); ++ if (verify_ctx->root_ca && belle_sip_tls_channel_load_root_ca(obj, verify_ctx->root_ca) == 0) { ++ mbedtls_ssl_conf_ca_chain(&obj->sslconf, &obj->root_ca, NULL); + } +- ssl_set_rng(&obj->sslctx,random_generator,NULL); +- ssl_set_verify(&obj->sslctx,belle_sip_ssl_verify,verify_ctx); +- obj->verify_ctx=(belle_tls_verify_policy_t*)belle_sip_object_ref(verify_ctx); +- return (belle_sip_channel_t*)obj; ++ mbedtls_ssl_conf_rng(&obj->sslconf, random_generator, NULL); ++ mbedtls_ssl_conf_verify(&obj->sslconf, belle_sip_ssl_verify, verify_ctx); ++ ++ mbedtls_ssl_init(&obj->sslctx); ++ mbedtls_ssl_setup(&obj->sslctx, &obj->sslconf); ++ mbedtls_ssl_set_bio(&obj->sslctx, obj, polarssl_write, polarssl_read, NULL); ++ mbedtls_ssl_set_hostname(&obj->sslctx, super->base.peer_cname ? super->base.peer_cname : super->base.peer_name); ++ ++ obj->verify_ctx = (belle_tls_verify_policy_t *)belle_sip_object_ref(verify_ctx); ++ return (belle_sip_channel_t *)obj; + } + + void belle_sip_tls_channel_set_client_certificates_chain(belle_sip_tls_channel_t *channel, belle_sip_certificates_chain_t* cert_chain) { +@@ -540,64 +480,46 @@ void belle_sip_tls_channel_set_client_certificate_key(belle_sip_tls_channel_t *c + } + + +-#else /*HAVE_POLARSSL*/ +-void belle_sip_tls_channel_set_client_certificates_chain(belle_sip_tls_channel_t *obj, belle_sip_certificates_chain_t* cert_chain) { +- belle_sip_error("belle_sip_channel_set_client_certificate_chain requires TLS"); +-} +-void belle_sip_tls_channel_set_client_certificate_key(belle_sip_tls_channel_t *obj, belle_sip_signing_key_t* key) { +- belle_sip_error("belle_sip_channel_set_client_certificate_key requires TLS"); +-} +-unsigned char *belle_sip_get_certificates_pem(belle_sip_certificates_chain_t *cert) { +- return NULL; +-} +-unsigned char *belle_sip_get_key_pem(belle_sip_signing_key_t *key) { +- return NULL; +-} +-#endif + + /**************************** belle_sip_certificates_chain_t **/ + + +- ++// Duplicates the given buffer with one extra null character ++// This ensures the returned buffer is always null terminated ++// This is nessesary for some mbedtls functions which now require a null ++// terminated buffer to be provided. ++static char *extend_buffer(const char *buff, size_t size) { ++ char *result = belle_sip_malloc(size + 1); ++ memcpy(result, buff, size); ++ result[size] = '\0'; ++ return result; ++} + + static int belle_sip_certificate_fill(belle_sip_certificates_chain_t* certificate,const char* buff, size_t size,belle_sip_certificate_raw_format_t format) { +-#ifdef HAVE_POLARSSL +- + int err; +-#if POLARSSL_VERSION_NUMBER < 0x01030000 +- if ((err=x509parse_crt(&certificate->cert,(const unsigned char *)buff,size)) <0) { +-#else +- if ((err=x509_crt_parse(&certificate->cert,(const unsigned char *)buff,size)) <0) { +-#endif ++ unsigned char *extended_buff = (unsigned char *)extend_buffer(buff, size); ++ ++ err = mbedtls_x509_crt_parse(&certificate->cert, extended_buff, size + 1); ++ belle_sip_free(extended_buff); ++ ++ if (err < 0) { + char tmp[128]; + error_strerror(err,tmp,sizeof(tmp)); + belle_sip_error("cannot parse x509 cert because [%s]",tmp); + return -1; + } + return 0; +-#else /*HAVE_POLARSSL*/ +- return -1; +-#endif + } + + static int belle_sip_certificate_fill_from_file(belle_sip_certificates_chain_t* certificate,const char* path,belle_sip_certificate_raw_format_t format) { +-#ifdef HAVE_POLARSSL +- + int err; +-#if POLARSSL_VERSION_NUMBER < 0x01030000 +- if ((err=x509parse_crtfile(&certificate->cert, path)) <0) { +-#else + if ((err=x509_crt_parse_file(&certificate->cert, path)) <0) { +-#endif + char tmp[128]; + error_strerror(err,tmp,sizeof(tmp)); + belle_sip_error("cannot parse x509 cert because [%s]",tmp); + return -1; + } + return 0; +-#else /*HAVE_POLARSSL*/ +- return -1; +-#endif + } + + /*belle_sip_certificate */ +@@ -628,10 +550,6 @@ belle_sip_certificates_chain_t* belle_sip_certificates_chain_parse_file(const ch + * Parse all *.pem files in a given dir(non recursively) and return the one matching the given subject + */ + int belle_sip_get_certificate_and_pkey_in_dir(const char *path, const char *subject, belle_sip_certificates_chain_t **certificate, belle_sip_signing_key_t **pkey, belle_sip_certificate_raw_format_t format) { +-#ifdef HAVE_POLARSSL +-#if POLARSSL_VERSION_NUMBER < 0x01030000 +- return -1; +-#else /* POLARSSL_VERSION_NUMBER > 0x01030000 */ + /* get all *.pem file from given path */ + belle_sip_list_t *file_list = belle_sip_parse_directory(path, ".pem"); + char *filename = NULL; +@@ -670,17 +588,9 @@ int belle_sip_get_certificate_and_pkey_in_dir(const char *path, const char *subj + file_list = belle_sip_list_pop_front(file_list, (void **)&filename); + } + return -1; +-#endif /* POLARSSL_VERSION_NUMBER >= 0x01030000 */ +-#else /* ! HAVE_POLARSSL */ +- return -1; +-#endif + } + + int belle_sip_generate_self_signed_certificate(const char* path, const char *subject, belle_sip_certificates_chain_t **certificate, belle_sip_signing_key_t **pkey) { +-#ifdef HAVE_POLARSSL +-#if POLARSSL_VERSION_NUMBER < 0x01030000 +- return -1; +-#else /* POLARSSL_VERSION_NUMBER < 0x01030000 */ + entropy_context entropy; + ctr_drbg_context ctr_drbg; + int ret; +@@ -702,8 +612,8 @@ int belle_sip_generate_self_signed_certificate(const char* path, const char *sub + *certificate = belle_sip_object_new(belle_sip_certificates_chain_t); + + entropy_init( &entropy ); +- if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, NULL, 0 ) ) != 0 ) +- { ++ mbedtls_ctr_drbg_init(&ctr_drbg); ++ if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0)) != 0) { + belle_sip_error("Certificate generation can't init ctr_drbg: -%x", -ret); + return -1; + } +@@ -768,7 +678,8 @@ int belle_sip_generate_self_signed_certificate(const char* path, const char *sub + + x509write_crt_free(&crt); + +- if ( (ret = x509_crt_parse(&((*certificate)->cert), (unsigned char *)file_buffer, strlen(file_buffer)) ) != 0) { ++ // mbedtls 2.0 requires the buffer to contain the terminating NULL byte ++ if ((ret = mbedtls_x509_crt_parse(&((*certificate)->cert), (unsigned char *)file_buffer, strlen(file_buffer) + 1)) != 0) { + belle_sip_error("Certificate generation can't parse crt pem: -%x", -ret); + return -1; + } +@@ -810,18 +721,10 @@ int belle_sip_generate_self_signed_certificate(const char* path, const char *sub + } + + return 0; +-#endif /* else POLARSSL_VERSION_NUMBER < 0x01030000 */ +-#else /* ! HAVE_POLARSSL */ +- return -1; +-#endif + } + + /* Note : this code is duplicated in mediastreamer2/src/voip/dtls_srtp.c but get directly a x509_crt as input parameter */ + char *belle_sip_certificates_chain_get_fingerprint(belle_sip_certificates_chain_t *certificate) { +-#ifdef HAVE_POLARSSL +-#if POLARSSL_VERSION_NUMBER < 0x01030000 +- return NULL; +-#else /* POLARSSL_VERSION_NUMBER < 0x01030000 */ + unsigned char buffer[64]={0}; /* buffer is max length of returned hash, which is 64 in case we use sha-512 */ + size_t hash_length = 0; + const char *hash_alg_string=NULL; +@@ -883,20 +786,10 @@ char *belle_sip_certificates_chain_get_fingerprint(belle_sip_certificates_chain_ + } + + return fingerprint; +-#endif /* else POLARSSL_VERSION_NUMBER < 0x01030000 */ +-#else /* ! HAVE_POLARSSL */ +- return NULL; +-#endif + } + + static void belle_sip_certificates_chain_destroy(belle_sip_certificates_chain_t *certificate){ +-#ifdef HAVE_POLARSSL +-#if POLARSSL_VERSION_NUMBER < 0x01030000 +- x509_free(&certificate->cert); +-#else + x509_crt_free(&certificate->cert); +-#endif +-#endif + } + + static void belle_sip_certificates_chain_clone(belle_sip_certificates_chain_t *certificate, const belle_sip_certificates_chain_t *orig){ +@@ -910,42 +803,32 @@ BELLE_SIP_INSTANCIATE_VPTR(belle_sip_certificates_chain_t,belle_sip_object_t,bel + + + belle_sip_signing_key_t* belle_sip_signing_key_parse(const char* buff, size_t size,const char* passwd) { +-#ifdef HAVE_POLARSSL + belle_sip_signing_key_t* signing_key = belle_sip_object_new(belle_sip_signing_key_t); + int err; +-#if POLARSSL_VERSION_NUMBER < 0x01030000 +- if ((err=x509parse_key(&signing_key->key,(const unsigned char *)buff,size,(const unsigned char*)passwd,passwd?strlen(passwd):0)) <0) { +-#else ++ unsigned char *extended_buff = (unsigned char *)extend_buffer(buff, size); ++ + pk_init(&signing_key->key); +- /* for API v1.3 or greater also parses public keys other than RSA */ +- err=pk_parse_key(&signing_key->key,(const unsigned char *)buff,size,(const unsigned char*)passwd,passwd?strlen(passwd):0); ++ err = mbedtls_pk_parse_key(&signing_key->key, extended_buff, size + 1, ++ (const unsigned char *)passwd ,passwd ? strlen(passwd) : 0); ++ belle_sip_free(extended_buff); ++ + /* make sure cipher is RSA to be consistent with API v1.2 */ + if(err==0 && !pk_can_do(&signing_key->key,POLARSSL_PK_RSA)) + err=POLARSSL_ERR_PK_TYPE_MISMATCH; + if (err<0) { +-#endif + char tmp[128]; + error_strerror(err,tmp,sizeof(tmp)); + belle_sip_error("cannot parse public key because [%s]",tmp); +-#if POLARSSL_VERSION_NUMBER >= 0x01030000 + pk_free(&signing_key->key); +-#endif + belle_sip_object_unref(signing_key); + return NULL; + } + return signing_key; +-#else /*HAVE_POLARSSL*/ +- return NULL; +-#endif + } + + belle_sip_signing_key_t* belle_sip_signing_key_parse_file(const char* path,const char* passwd) { +-#ifdef HAVE_POLARSSL + belle_sip_signing_key_t* signing_key = belle_sip_object_new(belle_sip_signing_key_t); + int err; +-#if POLARSSL_VERSION_NUMBER < 0x01030000 +- if ((err=x509parse_keyfile(&signing_key->key,path, passwd)) <0) { +-#else + pk_init(&signing_key->key); + /* for API v1.3 or greater also parses public keys other than RSA */ + err=pk_parse_keyfile(&signing_key->key,path, passwd); +@@ -953,32 +836,20 @@ belle_sip_signing_key_t* belle_sip_signing_key_parse_file(const char* path,const + if(err==0 && !pk_can_do(&signing_key->key,POLARSSL_PK_RSA)) + err=POLARSSL_ERR_PK_TYPE_MISMATCH; + if (err<0) { +-#endif + char tmp[128]; + error_strerror(err,tmp,sizeof(tmp)); + belle_sip_error("cannot parse public key because [%s]",tmp); +-#if POLARSSL_VERSION_NUMBER >= 0x01030000 +- pk_free(&signing_key->key); +-#endif ++ pk_free(&signing_key->key); + belle_sip_object_unref(signing_key); + return NULL; + } + + return signing_key; +-#else /*HAVE_POLARSSL*/ +- return NULL; +-#endif + } + + + static void belle_sip_signing_key_destroy(belle_sip_signing_key_t *signing_key){ +-#ifdef HAVE_POLARSSL +-#if POLARSSL_VERSION_NUMBER < 0x01030000 +- rsa_free(&signing_key->key); +-#else + pk_free(&signing_key->key); +-#endif +-#endif + } + + static void belle_sip_signing_key_clone(belle_sip_signing_key_t *signing_key, const belle_sip_signing_key_t *orig){ +diff --git a/src/transports/tls_listeningpoint_polarssl.c b/src/transports/tls_listeningpoint_polarssl.c +index f3f09fc..68dcc1b 100644 +--- a/src/transports/tls_listeningpoint_polarssl.c ++++ b/src/transports/tls_listeningpoint_polarssl.c +@@ -18,10 +18,6 @@ + + #include "belle_sip_internal.h" + +-#ifdef HAVE_POLARSSL +- +-#include <polarssl/ssl.h> +- + static void belle_sip_tls_listening_point_uninit(belle_sip_tls_listening_point_t *lp){ + belle_sip_object_unref(lp->verify_ctx); + } +@@ -101,23 +97,3 @@ int belle_sip_tls_listening_point_available(void){ + return TRUE; + } + +-#else +- +-belle_sip_listening_point_t * belle_sip_tls_listening_point_new(belle_sip_stack_t *s, const char *ipaddress, int port){ +- return NULL; +-} +- +-int belle_sip_tls_listening_point_set_root_ca(belle_sip_tls_listening_point_t *s, const char *path){ +- return -1; +-} +- +-int belle_sip_tls_listening_point_set_verify_exceptions(belle_sip_tls_listening_point_t *s, int value){ +- return -1; +-} +- +-int belle_sip_tls_listening_point_available(void){ +- return FALSE; +-} +- +-#endif +- +diff --git a/tester/auth_helper_tester.c b/tester/auth_helper_tester.c +index 992a229..833afa8 100644 +--- a/tester/auth_helper_tester.c ++++ b/tester/auth_helper_tester.c +@@ -26,10 +26,6 @@ + #include <stdio.h> + #include "CUnit/Basic.h" + +-#ifdef HAVE_POLARSSL +-#include <polarssl/version.h> +-#endif +- + + static void test_authentication(void) { + const char* l_raw_header = "WWW-Authenticate: Digest " +@@ -86,8 +82,7 @@ static void test_proxy_authentication(void) { + #define TEMPORARY_CERTIFICATE_DIR "/belle_sip_tester_crt" + + static void test_generate_and_parse_certificates(void) { +-#ifdef HAVE_POLARSSL +-#if POLARSSL_VERSION_NUMBER >= 0x01030000 ++#ifdef HAVE_MBEDTLS + belle_sip_certificates_chain_t *certificate, *parsed_certificate; + belle_sip_signing_key_t *key, *parsed_key; + char *pem_certificate, *pem_parsed_certificate, *pem_key, *pem_parsed_key; +@@ -127,8 +122,7 @@ static void test_generate_and_parse_certificates(void) { + belle_sip_object_unref(parsed_certificate); + belle_sip_object_unref(key); + belle_sip_object_unref(parsed_key); +-#endif /* POLARSSL_VERSION_NUMBER >= 0x01030000 */ +-#endif /* HAVE_POLARSSL */ ++#endif /* HAVE_MBEDTLS */ + } + + +@@ -161,8 +155,7 @@ const char* belle_sip_tester_fingerprint256_cert_fingerprint = + "SHA-256 A0:98:2D:3E:68:F3:14:8D:ED:50:40:DB:ED:A4:28:BC:1E:1A:6A:05:59:9E:69:3F:02:E2:F8:22:BF:4C:92:14"; + + static void test_certificate_fingerprint(void) { +-#ifdef HAVE_POLARSSL +-#if POLARSSL_VERSION_NUMBER >= 0x01030000 ++#ifdef HAVE_MBEDTLS + char *fingerprint; + /* parse certificate defined in belle_sip_register_tester.c */ + belle_sip_certificates_chain_t* cert = belle_sip_certificates_chain_parse(belle_sip_tester_client_cert,strlen(belle_sip_tester_client_cert),BELLE_SIP_CERTIFICATE_RAW_FORMAT_PEM); +@@ -186,8 +179,7 @@ static void test_certificate_fingerprint(void) { + belle_sip_free(fingerprint); + belle_sip_object_unref(cert); + +-#endif /* POLARSSL_VERSION_NUMBER >= 0x01030000 */ +-#endif /* HAVE_POLARSSL */ ++#endif /* HAVE_MBEDTLS */ + } + + test_t authentication_helper_tests[] = { +-- +2.7.0.rc3 + diff -Nru belle-sip-1.4.1/debian/patches/series belle-sip-1.4.1/debian/patches/series --- belle-sip-1.4.1/debian/patches/series 2015-05-23 12:46:20.000000000 +0100 +++ belle-sip-1.4.1/debian/patches/series 2016-01-16 00:00:46.000000000 +0000 @@ -1 +1,3 @@ fix-spelling-errors.patch +0001-Fix-FTBFS-with-GCC-6-typo-in-belle_sip_uri_equals.patch +0002-Port-to-mbedTLS.patch diff -Nru belle-sip-1.4.1/debian/rules belle-sip-1.4.1/debian/rules --- belle-sip-1.4.1/debian/rules 2015-05-23 12:46:20.000000000 +0100 +++ belle-sip-1.4.1/debian/rules 2016-01-16 00:01:40.000000000 +0000 @@ -8,7 +8,7 @@ dh $@ --parallel --with autotools-dev --with autoreconf override_dh_auto_configure: - dh_auto_configure -- --disable-tests + dh_auto_configure -- --disable-tests --disable-strict override_dh_strip: dh_strip --dbg-package=libbellesip-dbg
signature.asc
Description: This is a digitally signed message part
