[Pkg-voip-commits] [asterisk] 04/05: Refresh patches for OpenSSL 1.1.0 compatibility

Bernhard Schmidt berni at moszumanska.debian.org
Sun Feb 26 23:58:04 UTC 2017


berni pushed a commit to branch master
in repository asterisk.

commit 8a3d5266f32b6e48cee4554d5405629b9ed7163a
Author: Bernhard Schmidt <berni at debian.org>
Date:   Tue Feb 14 22:02:22 2017 +0100

    Refresh patches for OpenSSL 1.1.0 compatibility
---
 debian/patches/OpenSSL-1.1.0-support-2.patch | 65 ++++++++++++++++-----
 debian/patches/OpenSSL-1.1.0-support-3.patch | 37 ++++++++++++
 debian/patches/OpenSSL-1.1.0-support.patch   | 84 ++++++++++------------------
 debian/patches/series                        |  1 +
 4 files changed, 120 insertions(+), 67 deletions(-)

diff --git a/debian/patches/OpenSSL-1.1.0-support-2.patch b/debian/patches/OpenSSL-1.1.0-support-2.patch
index 630da79..32dac51 100644
--- a/debian/patches/OpenSSL-1.1.0-support-2.patch
+++ b/debian/patches/OpenSSL-1.1.0-support-2.patch
@@ -1,15 +1,54 @@
+From 99b40e72ae347d7047547836f7f897d3ea2bc8dc Mon Sep 17 00:00:00 2001
+From: Tzafrir Cohen <tzafrir.cohen at xorcom.com>
+Date: Fri, 03 Feb 2017 10:25:33 +0200
+Subject: [PATCH] libasteriskssl: do nothing with OpenSSL >= 1.1
+
+OpenSSL 1.1 requires no explicit initialization. The hacks in the
+library are not needed. They also happen to fail running Asterisk.
+
+ASTERISK-26109 #close
+
+Change-Id: I3b3efd5d80234a4c45a8ee58dcfe25b15d9ad100
+---
+
+diff --git a/main/libasteriskssl.c b/main/libasteriskssl.c
+index bf5ecc1..9dea3df 100644
 --- a/main/libasteriskssl.c
 +++ b/main/libasteriskssl.c
-@@ -36,6 +36,12 @@
- #include <openssl/err.h>
- #endif
- 
-+#if defined(HAVE_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10100000L
-+/* No explicit initialization is needed with OpenSSL 1.1.0.
-+ *    All the functions called or overridden in this file were removed. */
-+#undef HAVE_OPENSSL
-+#endif
-+
- #include <dlfcn.h>
- 
- #include "asterisk/_private.h" /* ast_ssl_init() */
+@@ -123,10 +123,13 @@
+ /*!
+  * \internal
+  * \brief Common OpenSSL initialization for all of Asterisk.
++ *
++ * Not needed for OpenSSL versions >= 1.1.0
+  */
+ int ast_ssl_init(void)
+ {
+-#ifdef HAVE_OPENSSL
++#if defined(HAVE_OPENSSL) && defined(OPENSSL_VERSION_NUMBER) && \
++	OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	unsigned int i;
+ 	int (*real_SSL_library_init)(void);
+ 	void (*real_CRYPTO_set_id_callback)(unsigned long (*)(void));
+@@ -191,7 +194,7 @@
+ 
+ 	startup_complete = 1;
+ 
+-#endif /* HAVE_OPENSSL */
++#endif /* HAVE_OPENSSL and its version < 1.1 */
+ 	return 0;
+ }
+ 
+diff --git a/main/tcptls.c b/main/tcptls.c
+index 36a6c96..4d110cd 100644
+--- a/main/tcptls.c
++++ b/main/tcptls.c
+@@ -412,7 +412,7 @@
+ #else
+ 				ERR_remove_state(0);
+ #endif	/* openssl == 1.0 */
+-#endif  /* openssl >= 1.1 */
++#endif  /* openssl < 1.1 */
+ 			}
+ 
+ 			SSL_free(stream->ssl);
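Review bot: The new guard on ast_ssl_init, `#if defined(HAVE_OPENSSL) && defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10100000L`, treats a missing OPENSSL_VERSION_NUMBER as "1.1 or newer" and compiles the initialization out, while OpenSSL-1.1.0-support.patch in this same commit guards the SSL_library_init/ERR_free_strings stubs in the same file with `!defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000L`, i.e. treats it as "pre-1.1". Should the macro ever be undefined, the stubs would still be built but the setup that presumably resolves the real functions (the `real_SSL_library_init` pointers declared in this hunk) would be skipped, and no compile error would point at it. The two patches should agree; since the stubs use the `!defined` form, `#if defined(HAVE_OPENSSL) && (!defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000L)` matches them. The body of ast_ssl_init between the two hunks is outside this patch.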
diff --git a/debian/patches/OpenSSL-1.1.0-support-3.patch b/debian/patches/OpenSSL-1.1.0-support-3.patch
new file mode 100644
index 0000000..29c40db
--- /dev/null
+++ b/debian/patches/OpenSSL-1.1.0-support-3.patch
@@ -0,0 +1,37 @@
+From e97e50b68b0497f906a73a1acc26c3a97d9c9d7f Mon Sep 17 00:00:00 2001
+From: Tzafrir Cohen <tzafrir.cohen at xorcom.com>
+Date: Sat, 21 Jan 2017 07:59:15 +0200
+Subject: [PATCH] tcptls: use TLS_client_method with OpenSSL 1.1
+
+OpenSSL 1.1 introduced TLS_client_method() and deprecated the previous
+version-specific methods (such as TLSv1_client_method(). Other than
+being simpler to use and more correct (gain support for TLS newer that
+TLS1, in our case), the older ones produce a deprecation warning that
+fails the build in dev-mode.
+
+ASTERISK-26109 #close
+
+Change-Id: I257b1c8afd09dcb0d96cda3a41cb9f7a15d0ba07
+---
+
+diff --git a/main/tcptls.c b/main/tcptls.c
+index 71bd92e..36a6c96 100644
+--- a/main/tcptls.c
++++ b/main/tcptls.c
+@@ -833,12 +833,16 @@
+ 			cfg->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
+ 		} else
+ #endif
++#if defined(OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER  >= 0x10100000L)
++		cfg->ssl_ctx = SSL_CTX_new(TLS_client_method());
++#else
+ 		if (ast_test_flag(&cfg->flags, AST_SSL_TLSV1_CLIENT)) {
+ 			cfg->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
+ 		} else {
+ 			disable_ssl = 1;
+ 			cfg->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+ 		}
++#endif
+ 	} else {
+ 		disable_ssl = 1;
+ 		cfg->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
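Review bot: In the new `OPENSSL_VERSION_NUMBER >= 0x10100000L` branch `disable_ssl` is left untouched, whereas the pre-1.1 code it replaces sets `disable_ssl = 1` whenever it falls back to the version-negotiating SSLv23_client_method(); if code later in __ssl_setup (outside this hunk) uses disable_ssl to clear SSLv2/SSLv3 with SSL_CTX_set_options, the TLS_client_method() context would lose that hardening. The AST_SSL_TLSV1_CLIENT flag is also silently ignored on 1.1, so a configuration that explicitly pinned tlsv1 now negotiates whatever the library allows. Suggest `cfg->ssl_ctx = SSL_CTX_new(TLS_client_method());` followed by `disable_ssl = 1;`, and, if the flag should keep its meaning, `SSL_CTX_set_min_proto_version(cfg->ssl_ctx, TLS1_VERSION);` when it is set. The enclosing __ssl_setup starts and ends outside the hunk.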
diff --git a/debian/patches/OpenSSL-1.1.0-support.patch b/debian/patches/OpenSSL-1.1.0-support.patch
index 21ecd31..92f4bde 100644
--- a/debian/patches/OpenSSL-1.1.0-support.patch
+++ b/debian/patches/OpenSSL-1.1.0-support.patch
@@ -1,88 +1,64 @@
-From e0f8222a7f4a0a2312d556375aaeed7790c08078 Mon Sep 17 00:00:00 2001
+From 0d555f0d81d3b04366a64c91acb89d24b90aead9 Mon Sep 17 00:00:00 2001
 From: Tzafrir Cohen <tzafrir.cohen at xorcom.com>
-Date: Tue, 28 Jun 2016 23:26:59 +0200
-Subject: [PATCH] OpenSSL 1.1.0 support
-Bug: https://issues.asterisk.org/jira/browse/ASTERISK-26109
+Date: Sat, 21 Jan 2017 07:57:33 +0200
+Subject: [PATCH] openssl 1.1 support: use OPENSSL_VERSION_NUMBER
 
-OpenSSL 1.1.0 includes some major changes in the interface. See
-https://wiki.openssl.org/index.php/1.1_API_Changes .
+Use OPENSSL_VERSION_NUMBER instead of OPENSSL_API_COMPAT to detect
+the openssl 1.1 API.
 
-Status: Right now there are still a few deprecation notes with OpenSSL
-1.1.0. But it's a start.
+ASTERISK-26109 #close
 
-Changes:
-* CRYPTO_LOCK is no longer available. Replace it with its value for now.
-  I don't completely understand what it is used for there.
-* Remove several functions from libasteriskssl that seem to no longer be
-  needed.
-* Structures have become opaque and are accesses with accessors.
-* ERR_remove_thread_state() no longer needed.
-* SSLv2 code now could no longer be used. Do we need it?
-
-Change-Id: I5e29d477d486ca29b6aae0dc2f5dff960c1cb82b
+Change-Id: I4e448f55ef516aedf6ad154037c35577a421a458
 ---
- main/libasteriskssl.c | 4 +++-
- main/tcptls.c         | 6 ++++--
- 2 files changed, 7 insertions(+), 3 deletions(-)
 
 diff --git a/main/libasteriskssl.c b/main/libasteriskssl.c
-index 16a1aa7..381c6c3 100644
+index c4d4c56..bf5ecc1 100644
 --- a/main/libasteriskssl.c
 +++ b/main/libasteriskssl.c
-@@ -65,13 +65,14 @@ static void ssl_lock(int mode, int n, const char *file, int line)
- 		return;
- 	}
- 
--	if (mode & CRYPTO_LOCK) {
-+	if (mode & 0x1) {
- 		ast_mutex_lock(&ssl_locks[n]);
- 	} else {
- 		ast_mutex_unlock(&ssl_locks[n]);
+@@ -74,7 +74,7 @@
  	}
  }
  
-+#if OPENSSL_API_COMPAT < 0x10100000L
+-#if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L
++#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000L
  int SSL_library_init(void)
  {
  #if defined(AST_DEVMODE)
-@@ -113,6 +114,7 @@ void ERR_free_strings(void)
+@@ -116,7 +116,7 @@
  {
  	/* we can't allow this to be called, ever */
  }
-+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+-#endif /* !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L */
++#endif /* !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000L */
  
  #endif /* HAVE_OPENSSL */
  
 diff --git a/main/tcptls.c b/main/tcptls.c
-index 262fca0..b1217ef 100644
+index 21abd26..71bd92e 100644
 --- a/main/tcptls.c
 +++ b/main/tcptls.c
-@@ -395,13 +395,15 @@ static int tcptls_stream_close(void *cookie)
+@@ -400,19 +400,19 @@
  					SSL_get_error(stream->ssl, res));
  			}
  
--			if (!stream->ssl->server) {
-+			if (!SSL_is_server(stream->ssl)) {
+-#if defined(OPENSSL_API_COMPAT) && OPENSSL_API_COMPAT >= 0x10100000L
++#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L
+ 			if (!SSL_is_server(stream->ssl)) {
+ #else
+ 			if (!stream->ssl->server) {
+ #endif
  				/* For client threads, ensure that the error stack is cleared */
-+#if OPENSSL_API_COMPAT < 0x10100000L
- #if OPENSSL_VERSION_NUMBER >= 0x10000000L
+-#if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000L
++#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10000000L
  				ERR_remove_thread_state(NULL);
  #else
  				ERR_remove_state(0);
- #endif	/* OPENSSL_VERSION_NUMBER >= 0x10000000L */
-+#endif  /* OPENSSL_API_COMPAT < 0x10100000L */
+-#endif	/* OPENSSL_VERSION_NUMBER >= 0x10000000L */
+-#endif  /* !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L */
++#endif	/* openssl == 1.0 */
++#endif  /* openssl >= 1.1 */
  			}
  
  			SSL_free(stream->ssl);
-@@ -828,7 +830,7 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
- 	}
- 
- 	if (client) {
--#ifndef OPENSSL_NO_SSL2
-+#if !defined(OPENSSL_NO_SSL2) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
- 		if (ast_test_flag(&cfg->flags, AST_SSL_SSLV2_CLIENT)) {
- 			ast_log(LOG_WARNING, "Usage of SSLv2 is discouraged due to known vulnerabilities. Please use 'tlsv1' or leave the TLS method unspecified!\n");
- 			cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method());
--- 
-2.10.1
-
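Review bot: The rewritten patch no longer carries the `OPENSSL_VERSION_NUMBER < 0x10100000L` term that the previous version added to the `#ifndef OPENSSL_NO_SSL2` guard around `SSLv2_client_method()` (the removed lines at the end of the hunk), so whether that call is compiled against 1.1.0 now rests entirely on the library's own headers defining OPENSSL_NO_SSL2. That is the case for default 1.1.0 builds as far as I know, but since 1.1.0 removed SSLv2 outright it is worth confirming rather than assuming, and SSLv2 is the one client method this series should never leave reachable. If there is any doubt, `#if !defined(OPENSSL_NO_SSL2) && (OPENSSL_VERSION_NUMBER < 0x10100000L)` is a one-line restore. The __ssl_setup function those lines belong to is entirely outside this hunk.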
diff --git a/debian/patches/series b/debian/patches/series
index 3483c88..ccd866f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -35,5 +35,6 @@ ffmpeg-includes.patch
 radcli-detection.patch
 OpenSSL-1.1.0-support.patch
 OpenSSL-1.1.0-support-2.patch
+OpenSSL-1.1.0-support-3.patch
 
 pjsip_unresolved_symbol.patch
