coturn: update to 4.6.1

Added a patch from Gentoo that brings compatiblity with OpenSSL 3.0. Signed-off-by: N Eneas U de Queiroz <cotequeiroz@gmail.com>

coturn: update to 4.6.1
Added a patch from Gentoo that brings compatiblity with OpenSSL 3.0. Signed-off-by: N Eneas U de Queiroz <cotequeiroz@gmail.com>
26bb8682 · Eneas U de Queiroz · 09ad78b6 · 26bb8682 · 26bb8682 · 09ad78b6
5 changed file
--- a/net/coturn/Makefile
+++ b/net/coturn/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=coturn
-PKG_VERSION:=4.5.2
-PKG_RELEASE:=5
+PKG_VERSION:=4.6.1
+PKG_RELEASE:=1

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/coturn/coturn/tar.gz/$(PKG_VERSION)?
-PKG_HASH:=462f1aa5c2455f28c1c8df09510d9e88ab14a1159b5e33ea5be5095262e83745
+PKG_HASH:=8fba86e593ed74adc46e002e925cccff2819745371814f42465fbe717483f1d8

 PKG_LICENSE:=BSD-COTURN-CITRIX COMBINED-CITRIX-VIVOCHA-BSD MIT-HASH
 PKG_LICENSE_FILES:=LICENSE src/apps/relay/dbdrivers/* src/server/ns_turn_khash.h

--- a/net/coturn/patches/02-fix-flags-dupes.patch
+++ b/net/coturn/patches/02-fix-flags-dupes.patch
 --- a/configure
 +++ b/configure
-@@ -1034,9 +1034,9 @@ ${ECHO_CMD} "# Generated by configure sc
+@@ -1047,9 +1047,9 @@ ${ECHO_CMD} "# Generated by configure sc
 ${ECHO_CMD} "#################################" >> Makefile
 ${ECHO_CMD} "ECHO_CMD = ${ECHO_CMD}" >> Makefile
 ${ECHO_CMD} "CC = ${CC}" >> Makefile

--- a/net/coturn/patches/03-fix-libmariadb-detection.patch
+++ b/net/coturn/patches/03-fix-libmariadb-detection.patch
--- a/configure
-+++ b/configure
-@@ -931,7 +931,7 @@ fi
- ###########################
- 
- if [ -z "${TURN_NO_MYSQL}" ] ; then
-    if testpkg_db mariadb || testpkg_db mysqlclient ; then
-+    if testpkg_db libmariadb || testpkg_db mysqlclient ; then
-         ${ECHO_CMD} "MySQL found."
-     else
-         ${ECHO_CMD} "MySQL not found. Building without MySQL support."
--- a/net/coturn/patches/100-configure-dont-link-libintl.patch
+++ b/net/coturn/patches/100-configure-dont-link-libintl.patch
-From 2132a1a8eecb3460b8c2e4a7201e3254dc420179 Mon Sep 17 00:00:00 2001
-From: Sebastian Kemper <sebastian_ml@gmx.net>
-Date: Sun, 26 Dec 2021 15:47:41 +0100
-Subject: [PATCH] configure: don't link in libintl
-
-libintl isn't used, so there is no need to link coturn to it.
-
-Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
---
- configure | 1 -
- 1 file changed, 1 deletion(-)
-
--- a/configure
-+++ b/configure
-@@ -699,7 +699,6 @@ if ! [ ${ER} -eq 0 ] ; then
-     echo "CYGWIN ?"
- fi
- testlib wldap64
-testlib intl
- testlib nsl
- testlib resolv
- 
--- a/net/coturn/patches/100-coturn-4.6.0-openssl3-from-gentoo.patch
+++ b/net/coturn/patches/100-coturn-4.6.0-openssl3-from-gentoo.patch
+https://github.com/coturn/coturn/commit/9af9f6306ab73c3403f9e11086b1936e9148f7de
+https://github.com/coturn/coturn/commit/4ce784a8781ab086c150e2b9f5641b1a37fd9b31
+https://github.com/coturn/coturn/commit/9370bb742d976166a51032760da1ecedefb92267
+https://github.com/coturn/coturn/commit/d72a2a8920b80ce66b36e22b2c22f308ad06c424
+
+From 9af9f6306ab73c3403f9e11086b1936e9148f7de Mon Sep 17 00:00:00 2001
+From: Pavel Punsky <eakraly@users.noreply.github.com>
+Date: Wed, 14 Sep 2022 03:29:26 -0700
+Subject: [PATCH] Fix renegotiation flag for older version of openssl (#978)
+
+`SSL_OP_NO_RENEGOTIATION` is only supported in openssl-1.1.0 and above
+Older versions have `SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS `
+
+Fixes #977 and #952
+
+Test:
+Build in a docker container running running openssl-1.0.2g (ubuntu
+16.04) successfully (without the fix getting the same errors)
+--- a/src/apps/relay/dtls_listener.c
+++ b/src/apps/relay/dtls_listener.c
+@@ -295,8 +295,17 @@ static ioa_socket_handle dtls_server_inp
+ 	SSL_set_accept_state(connecting_ssl);
+ 
+ 	SSL_set_bio(connecting_ssl, NULL, wbio);
+-	SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE | SSL_OP_NO_RENEGOTIATION);
+-
+	SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
+		| SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
+#endif
+#else
+#if defined(SSL_OP_NO_RENEGOTIATION)
+		| SSL_OP_NO_RENEGOTIATION
+#endif
+#endif
+	);
+ 	SSL_set_max_cert_list(connecting_ssl, 655350);
+ 
+ 	ioa_socket_handle rc = dtls_accept_client_connection(server, s, connecting_ssl,
+@@ -581,7 +590,17 @@ static int create_new_connected_udp_sock
+ 
+ 		SSL_set_bio(connecting_ssl, NULL, wbio);
+ 
+-		SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE | SSL_OP_NO_RENEGOTIATION);
+		SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
+			| SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
+#endif
+#else
+#if defined(SSL_OP_NO_RENEGOTIATION)
+			| SSL_OP_NO_RENEGOTIATION
+#endif
+#endif
+		);
+ 
+ 		SSL_set_max_cert_list(connecting_ssl, 655350);
+ 		int rc = ssl_read(ret->fd, connecting_ssl, server->sm.m.sm.nd.nbh,
+--- a/src/apps/relay/ns_ioalib_engine_impl.c
+++ b/src/apps/relay/ns_ioalib_engine_impl.c
+@@ -1428,7 +1428,17 @@ static void set_socket_ssl(ioa_socket_ha
+ 		if(ssl) {
+ 			SSL_set_app_data(ssl,s);
+ 			SSL_set_info_callback(ssl, (ssl_info_callback_t)ssl_info_callback);
+-			SSL_set_options(ssl, SSL_OP_NO_RENEGOTIATION);
+			SSL_set_options(ssl, 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
+				SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
+#endif
+#else
+#if defined(SSL_OP_NO_RENEGOTIATION)
+				SSL_OP_NO_RENEGOTIATION
+#endif
+#endif
+			);
+ 		}
+ 	}
+ }
+@@ -1864,7 +1874,11 @@ int ssl_read(evutil_socket_t fd, SSL* ss
+ 
+ 	} else if (!if1 && if2) {
+ 
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+		if(verbose && SSL_get1_peer_certificate(ssl)) {
+#else
+ 		if(verbose && SSL_get_peer_certificate(ssl)) {
+#endif
+ 		  printf("\n------------------------------------------------------------\n");
+ 		  X509_NAME_print_ex_fp(stdout, X509_get_subject_name(SSL_get_peer_certificate(ssl)), 1,
+ 					XN_FLAG_MULTILINE);
+--- a/src/apps/uclient/startuclient.c
+++ b/src/apps/uclient/startuclient.c
+@@ -138,7 +138,11 @@ static SSL* tls_connect(ioa_socket_raw f
+ 		if (rc > 0) {
+ 		  TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,"%s: client session connected with cipher %s, method=%s\n",__FUNCTION__,
+ 				  SSL_get_cipher(ssl),turn_get_ssl_method(ssl,NULL));
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+		  if(clnet_verbose && SSL_get1_peer_certificate(ssl)) {
+#else
+ 		  if(clnet_verbose && SSL_get_peer_certificate(ssl)) {
+#endif
+ 			  TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "------------------------------------------------------------\n");
+ 		  	X509_NAME_print_ex_fp(stdout, X509_get_subject_name(SSL_get_peer_certificate(ssl)), 1,
+ 		  						XN_FLAG_MULTILINE);
+--- a/src/client/ns_turn_msg.c
+++ b/src/client/ns_turn_msg.c
+@@ -248,12 +248,22 @@ int stun_produce_integrity_key_str(const
+ 		if (FIPS_mode()) {
+ 			EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ 		}
+-#endif
+#endif // defined EVP_MD_CTX_FLAG_NON_FIPS_ALLOW && !defined(LIBRESSL_VERSION_NUMBER)
+ 		EVP_DigestInit_ex(&ctx,EVP_md5(), NULL);
+ 		EVP_DigestUpdate(&ctx,str,strl);
+ 		EVP_DigestFinal(&ctx,key,&keylen);
+ 		EVP_MD_CTX_cleanup(&ctx);
+-#else
+#elif OPENSSL_VERSION_NUMBER >= 0x30000000L
+ 		unsigned int keylen = 0;
+ 		EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+		if (EVP_default_properties_is_fips_enabled(NULL)) {
+			EVP_default_properties_enable_fips(NULL, 0);
+ 		}
+ 		EVP_DigestInit_ex(ctx,EVP_md5(), NULL);
+ 		EVP_DigestUpdate(ctx,str,strl);
+ 		EVP_DigestFinal(ctx,key,&keylen);
+ 		EVP_MD_CTX_free(ctx);
+#else // OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		unsigned int keylen = 0;
+ 		EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+ #if defined EVP_MD_CTX_FLAG_NON_FIPS_ALLOW && ! defined(LIBRESSL_VERSION_NUMBER)
+@@ -265,7 +275,7 @@ int stun_produce_integrity_key_str(const
+ 		EVP_DigestUpdate(ctx,str,strl);
+ 		EVP_DigestFinal(ctx,key,&keylen);
+ 		EVP_MD_CTX_free(ctx);
+-#endif
+#endif // OPENSSL_VERSION_NUMBER < 0X10100000L
+ 		ret = 0;
+ 	}
+ 
+--- a/src/apps/relay/netengine.c
+++ b/src/apps/relay/netengine.c
+@@ -31,13 +31,7 @@
+ #include "mainrelay.h"
+ 
+ //////////// Backward compatibility with OpenSSL 1.0.x //////////////
+-#define HAVE_OPENSSL11_API (!(OPENSSL_VERSION_NUMBER < 0x10100001L || defined LIBRESSL_VERSION_NUMBER))
+-
+-#ifndef HAVE_SSL_CTX_UP_REF
+-#define HAVE_SSL_CTX_UP_REF HAVE_OPENSSL11_API
+-#endif
+-
+-#if !HAVE_SSL_CTX_UP_REF
+#if (OPENSSL_VERSION_NUMBER < 0x10100001L || defined LIBRESSL_VERSION_NUMBER)
+ #define SSL_CTX_up_ref(ctx) CRYPTO_add(&(ctx)->references, 1, CRYPTO_LOCK_SSL_CTX)
+ #endif
+ 
+--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
+@@ -1353,7 +1353,6 @@ static void set_option(int c, char *valu
+ 		STRCPY(turn_params.relay_ifname, value);
+ 		break;
+ 	case 'm':
+-#if defined(OPENSSL_THREADS)
+ 		if(atoi(value)>MAX_NUMBER_OF_GENERAL_RELAY_SERVERS) {
+ 			TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: max number of relay threads is 128.\n");
+ 			turn_params.general_relay_servers_number = MAX_NUMBER_OF_GENERAL_RELAY_SERVERS;
+@@ -1362,9 +1361,6 @@ static void set_option(int c, char *valu
+ 		} else {
+ 			turn_params.general_relay_servers_number = atoi(value);
+ 		}
+-#else
+-		TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: OpenSSL version is too old OR does not support threading,\n I am using single thread for relaying.\n");
+-#endif
+ 		break;
+ 	case 'd':
+ 		STRCPY(turn_params.listener_ifname, value);
+@@ -2640,9 +2636,8 @@ int main(int argc, char **argv)
+ 
+ ////////// OpenSSL locking ////////////////////////////////////////
+ 
+-#if defined(OPENSSL_THREADS)
+-
+-static char some_buffer[65536];
+#if defined(OPENSSL_THREADS) 
+#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0
+ 
+ //array larger than anything that OpenSSL may need:
+ static pthread_mutex_t mutex_buf[256];
+@@ -2660,76 +2655,52 @@ void coturn_locking_function(int mode, i
+   }
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ void coturn_id_function(CRYPTO_THREADID *ctid);
+ void coturn_id_function(CRYPTO_THREADID *ctid)
+ {
+ 	UNUSED_ARG(ctid);
+     CRYPTO_THREADID_set_numeric(ctid, (unsigned long)pthread_self());
+ }
+-#else
+-unsigned long coturn_id_function(void);
+-unsigned long coturn_id_function(void)
+-{
+-    return (unsigned long)pthread_self();
+-}
+-#endif
+-
+-#endif
+ 
+ static int THREAD_setup(void) {
+-
+-#if defined(OPENSSL_THREADS)
+-
+-	int i;
+-
+-	some_buffer[0] = 0;
+-
+    int i;
+ 	for (i = 0; i < CRYPTO_num_locks(); i++) {
+ 		pthread_mutex_init(&(mutex_buf[i]), NULL);
+ 	}
+ 
+ 	mutex_buf_initialized = 1;
+-
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER <= OPENSSL_VERSION_1_1_1
+ 	CRYPTO_THREADID_set_callback(coturn_id_function);
+-#else
+-	CRYPTO_set_id_callback(coturn_id_function);
+-#endif
+-
+ 	CRYPTO_set_locking_callback(coturn_locking_function);
+-#endif
+-
+ 	return 1;
+ }
+ 
+ int THREAD_cleanup(void);
+ int THREAD_cleanup(void) {
+    int i;
+ 
+-#if defined(OPENSSL_THREADS)
+-
+-  int i;
+    if (!mutex_buf_initialized)
+        return 0;
+ 
+-  if (!mutex_buf_initialized)
+-    return 0;
+    CRYPTO_THREADID_set_callback(NULL);
+    CRYPTO_set_locking_callback(NULL);
+    for (i = 0; i < CRYPTO_num_locks(); i++) {
+        pthread_mutex_destroy(&(mutex_buf[i]));
+    }
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER <= OPENSSL_VERSION_1_1_1
+-	CRYPTO_THREADID_set_callback(NULL);
+    mutex_buf_initialized = 0;
+  return 1;
+}
+ #else
+-	CRYPTO_set_id_callback(NULL);
+-#endif
+-
+-  CRYPTO_set_locking_callback(NULL);
+-  for (i = 0; i < CRYPTO_num_locks(); i++) {
+-	  pthread_mutex_destroy(&(mutex_buf[i]));
+-  }
+-
+-  mutex_buf_initialized = 0;
+-
+-#endif
+static int THREAD_setup(void) {
+    return 1;
+}
+ 
+-  return 1;
+int THREAD_cleanup(void);
+int THREAD_cleanup(void){
+    return 1;
+ }
+#endif /* OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0 */
+#endif /* defined(OPENSSL_THREADS) */
+ 
+ static void adjust_key_file_name(char *fn, const char* file_title, int critical)
+ {