From: dkwo <dkwo@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: [PR PATCH] [Updated] poco: update to build with openssl3
Date: Mon, 30 Jan 2023 20:33:36 +0100 [thread overview]
Message-ID: <20230130193336.4tt6Jdw62PRZhrVt-SYjvJUYDeO3vtV5b0KZGYalcBE@z> (raw)
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-41963@inbox.vuxu.org>
[-- Attachment #1: Type: text/plain, Size: 467 bytes --]
There is an updated pull request by dkwo against master on the void-packages repository
https://github.com/dkwo/void-packages O3poco
https://github.com/void-linux/void-packages/pull/41963
poco: update to build with openssl3
- I tested the changes in this PR: no
- I built this PR locally for my native architecture, (x86_64-musl)
required to build with openssl3 #37681
A patch file from https://github.com/void-linux/void-packages/pull/41963.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-O3poco-41963.patch --]
[-- Type: text/x-diff, Size: 29116 bytes --]
From 887089c4cd33cf26b55769e2f6c5999bf3704a3f Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Fri, 27 Jan 2023 10:45:20 -0500
Subject: [PATCH 1/3] poco: update to 1.12.4, orphan
---
common/shlibs | 26 +++++++++++++-------------
srcpkgs/poco/template | 11 ++++++-----
2 files changed, 19 insertions(+), 18 deletions(-)
diff --git a/common/shlibs b/common/shlibs
index edb8a2c5dd73..523fd15af734 100644
--- a/common/shlibs
+++ b/common/shlibs
@@ -3006,19 +3006,19 @@ libsigrok.so.4 libsigrok-0.5.0_1
libsigrokcxx.so.4 libsigrok-0.5.0_1
libsigrokdecode.so.4 libsigrokdecode-0.5.0_2
libglyr.so.1 glyr-1.0.8_1
-libPocoJSON.so.64 poco-1.9.4_3
-libPocoMongoDB.so.64 poco-1.9.4_3
-libPocoZip.so.64 poco-1.9.4_3
-libPocoData.so.64 poco-1.9.4_3
-libPocoNet.so.64 poco-1.9.4_3
-libPocoDataSQLite.so.64 poco-1.9.4_3
-libPocoFoundation.so.64 poco-1.9.4_3
-libPocoXML.so.64 poco-1.9.4_3
-libPocoUtil.so.64 poco-1.9.4_3
-libPocoRedis.so.64 poco-1.9.4_3
-libPocoEncodings.so.64 poco-1.9.4_3
-libPocoNetSSL.so.64 poco-1.9.4_3
-libPocoCrypto.so.64 poco-1.9.4_3
+libPocoJSON.so.94 poco-1.12.4_1
+libPocoMongoDB.so.94 poco-1.12.4_1
+libPocoZip.so.94 poco-1.12.4_1
+libPocoData.so.94 poco-1.12.4_1
+libPocoNet.so.94 poco-1.12.4_1
+libPocoDataSQLite.so.94 poco-1.12.4_1
+libPocoFoundation.so.94 poco-1.12.4_1
+libPocoXML.so.94 poco-1.12.4_1
+libPocoUtil.so.94 poco-1.12.4_1
+libPocoRedis.so.94 poco-1.12.4_1
+libPocoEncodings.so.94 poco-1.12.4_1
+libPocoNetSSL.so.94 poco-1.12.4_1
+libPocoCrypto.so.94 poco-1.12.4_1
libPtex.so ptex-2.3.2_1
libopenblas.so.0 openblas-0.2.19_1
librtaudio.so.6 rtaudio-5.1.0_1
diff --git a/srcpkgs/poco/template b/srcpkgs/poco/template
index 008536b67121..6ca714b9e94f 100644
--- a/srcpkgs/poco/template
+++ b/srcpkgs/poco/template
@@ -1,16 +1,17 @@
# Template file for 'poco'
pkgname=poco
-version=1.9.4
-revision=3
+version=1.12.4
+revision=1
build_style=cmake
configure_args="-DPOCO_UNBUNDLED=ON"
-makedepends="openssl-devel zlib-devel pcre-devel expat-devel sqlite-devel"
+makedepends="openssl-devel zlib-devel pcre2-devel expat-devel sqlite-devel"
short_desc="C++ class libraries for building network-based applications"
-maintainer="Julien Dehos <dehos@univ-littoral.fr>"
+maintainer="Orphaned <orphan@voidlinux.org>"
license="BSL-1.0"
homepage="https://pocoproject.org"
distfiles="https://pocoproject.org/releases/${pkgname}-${version}/${pkgname}-${version}-all.tar.gz"
-checksum=eb34f257b11240a711ee505f1d80c754a80a990aeb48d8d93407884df288fd77
+checksum=4c3584daa5b0e973f268654dbeb1171ec7621e358b2b64363cd1abd558a68777
+conflicts="archiver"
post_install() {
vlicense LICENSE
From 973b00637771b58bff13c8351d18d021bc6b6837 Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Fri, 27 Jan 2023 10:45:43 -0500
Subject: [PATCH 2/3] remwharead: bump for poco
---
srcpkgs/remwharead/template | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/srcpkgs/remwharead/template b/srcpkgs/remwharead/template
index e72ab06131e4..4fb4c574b3ec 100644
--- a/srcpkgs/remwharead/template
+++ b/srcpkgs/remwharead/template
@@ -1,7 +1,7 @@
# Template file for 'remwharead'
pkgname=remwharead
version=0.10.0
-revision=4
+revision=5
build_style=cmake
hostmakedepends="poco-devel asciidoc pkg-config"
makedepends="poco-devel boost-devel"
From e56cc9b2d6d87513ce3f91e3f3fb841546b4d13c Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Mon, 30 Jan 2023 10:45:04 -0500
Subject: [PATCH 3/3] mumble: bump for poco, patch for openssl3
---
srcpkgs/mumble/patches/openssl3.patch | 685 ++++++++++++++++++++++++++
srcpkgs/mumble/template | 2 +-
2 files changed, 686 insertions(+), 1 deletion(-)
create mode 100644 srcpkgs/mumble/patches/openssl3.patch
diff --git a/srcpkgs/mumble/patches/openssl3.patch b/srcpkgs/mumble/patches/openssl3.patch
new file mode 100644
index 000000000000..906d1790444b
--- /dev/null
+++ b/srcpkgs/mumble/patches/openssl3.patch
@@ -0,0 +1,685 @@
+From f4cea62ed95e4967d8591f25e903f5e8fc2e2a30 Mon Sep 17 00:00:00 2001
+From: Terry Geng <terry@terriex.com>
+Date: Mon, 6 Dec 2021 10:45:11 -0500
+Subject: [PATCH] BUILD(crypto): Migrate to OpenSSL 3.0-compatible API
+
+OpenSSL 3.0 deprecated several low-level APIs and the usage of them
+caused errors/warnings that prevent the binary from being built against
+OpenSSL 3.0.
+Some primitive efforts have been made in #5317 but were incomplete.
+This commit follows https://www.openssl.org/docs/man3.0/man7/migration_guide.html,
+https://code.woboq.org/qt6/qtopcua/src/opcua/x509/qopcuakeypair_openssl.cpp.html,
+and clears all errors/warnings related to the usage of deprecated APIs.
+
+Fixes #5277
+Fixes #4266
+---
+ src/SelfSignedCertificate.cpp | 235 +++++++++++-----------------------
+ src/SelfSignedCertificate.h | 5 +
+ src/crypto/CryptStateOCB2.cpp | 53 +++++---
+ src/crypto/CryptStateOCB2.h | 9 +-
+ 4 files changed, 121 insertions(+), 181 deletions(-)
+
+diff --git a/src/SelfSignedCertificate.cpp b/src/SelfSignedCertificate.cpp
+index a77e5fad91..ea0dec4cc7 100644
+--- a/src/SelfSignedCertificate.cpp
++++ b/src/SelfSignedCertificate.cpp
+@@ -5,8 +5,6 @@
+
+ #include "SelfSignedCertificate.h"
+
+-#include <openssl/x509v3.h>
+-
+ #define SSL_STRING(x) QString::fromLatin1(x).toUtf8().data()
+
+ static int add_ext(X509 *crt, int nid, char *value) {
+@@ -28,108 +26,86 @@ static int add_ext(X509 *crt, int nid, char *value) {
+ return 1;
+ }
+
+-bool SelfSignedCertificate::generate(CertificateType certificateType, QString clientCertName, QString clientCertEmail,
+- QSslCertificate &qscCert, QSslKey &qskKey) {
+- bool ok = true;
+- X509 *x509 = nullptr;
+- EVP_PKEY *pkey = nullptr;
+- RSA *rsa = nullptr;
+- BIGNUM *e = nullptr;
+- X509_NAME *name = nullptr;
+- ASN1_INTEGER *serialNumber = nullptr;
+- ASN1_TIME *notBefore = nullptr;
+- ASN1_TIME *notAfter = nullptr;
+- QString commonName;
+- bool isServerCert = certificateType == CertificateTypeServerCertificate;
+-
+- if (CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) == -1) {
+- ok = false;
+- goto out;
++EVP_PKEY *SelfSignedCertificate::generate_rsa_keypair() {
++ EVP_PKEY *pkey = EVP_PKEY_new();
++ if (!pkey) {
++ return nullptr;
+ }
+
+- x509 = X509_new();
+- if (!x509) {
+- ok = false;
+- goto out;
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, nullptr);
++ if (!ctx) {
++ return nullptr;
+ }
+-
+- pkey = EVP_PKEY_new();
+- if (!pkey) {
+- ok = false;
+- goto out;
++ if (EVP_PKEY_keygen_init(ctx) <= 0) {
++ return nullptr;
+ }
+-
+- rsa = RSA_new();
++ if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048) <= 0) {
++ return nullptr;
++ }
++ if (EVP_PKEY_keygen(ctx, &pkey) <= 0) {
++ return nullptr;
++ }
++ EVP_PKEY_CTX_free(ctx);
++#else
++ RSA *rsa = RSA_new();
++ BIGNUM *e = BN_new();
+ if (!rsa) {
+- ok = false;
+- goto out;
++ return nullptr;
+ }
+-
+- e = BN_new();
+ if (!e) {
+- ok = false;
+- goto out;
++ return nullptr;
+ }
+ if (BN_set_word(e, 65537) == 0) {
+- ok = false;
+- goto out;
++ return nullptr;
+ }
+-
+ if (RSA_generate_key_ex(rsa, 2048, e, nullptr) == 0) {
+- ok = false;
+- goto out;
++ return nullptr;
+ }
+-
+ if (EVP_PKEY_assign_RSA(pkey, rsa) == 0) {
+- ok = false;
+- goto out;
++ return nullptr;
+ }
++ BN_free(e);
++ RSA_free(rsa);
++#endif
++ return pkey;
++}
+
+- if (X509_set_version(x509, 2) == 0) {
+- ok = false;
+- goto out;
++#define CHECK(statement) \
++ if (!(statement)) { \
++ ok = false; \
++ goto out; \
+ }
+
+- serialNumber = X509_get_serialNumber(x509);
+- if (!serialNumber) {
+- ok = false;
+- goto out;
+- }
+- if (ASN1_INTEGER_set(serialNumber, 1) == 0) {
+- ok = false;
+- goto out;
+- }
+
+- notBefore = X509_get_notBefore(x509);
+- if (!notBefore) {
+- ok = false;
+- goto out;
+- }
+- if (!X509_gmtime_adj(notBefore, 0)) {
+- ok = false;
+- goto out;
+- }
++bool SelfSignedCertificate::generate(CertificateType certificateType, QString clientCertName, QString clientCertEmail,
++ QSslCertificate &qscCert, QSslKey &qskKey) {
++ bool ok = true;
++ EVP_PKEY *pkey = nullptr;
++ X509 *x509 = nullptr;
++ X509_NAME *name = nullptr;
++ ASN1_INTEGER *serialNumber = nullptr;
++ ASN1_TIME *notBefore = nullptr;
++ ASN1_TIME *notAfter = nullptr;
++ QString commonName;
++ bool isServerCert = certificateType == CertificateTypeServerCertificate;
+
+- notAfter = X509_get_notAfter(x509);
+- if (!notAfter) {
+- ok = false;
+- goto out;
+- }
+- if (!X509_gmtime_adj(notAfter, 60 * 60 * 24 * 365 * 20)) {
+- ok = false;
+- goto out;
+- }
++ // In Qt 5.15, a class was added to wrap up the procedures of generating a self-signed certificate.
++ // See https://doc.qt.io/qt-5/qopcuax509certificatesigningrequest.html.
++ // We should consider migrating to this class after switching to Qt 5.15.
+
+- if (X509_set_pubkey(x509, pkey) == 0) {
+- ok = false;
+- goto out;
+- }
++ CHECK(pkey = generate_rsa_keypair());
+
+- name = X509_get_subject_name(x509);
+- if (!name) {
+- ok = false;
+- goto out;
+- }
++ CHECK(x509 = X509_new());
++ CHECK(X509_set_version(x509, 2));
++ CHECK(serialNumber = X509_get_serialNumber(x509));
++ CHECK(ASN1_INTEGER_set(serialNumber, 1));
++ CHECK(notBefore = X509_get_notBefore(x509));
++ CHECK(X509_gmtime_adj(notBefore, 0));
++ CHECK(notAfter = X509_get_notAfter(x509));
++ CHECK(X509_gmtime_adj(notAfter, 60 * 60 * 24 * 365 * 20))
++ CHECK(X509_set_pubkey(x509, pkey));
++ CHECK(name = X509_get_subject_name(x509));
+
+ if (isServerCert) {
+ commonName = QLatin1String("Murmur Autogenerated Certificate v2");
+@@ -141,120 +117,63 @@ bool SelfSignedCertificate::generate(CertificateType certificateType, QString cl
+ }
+ }
+
+- if (X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_UTF8,
+- reinterpret_cast< unsigned char * >(commonName.toUtf8().data()), -1, -1, 0)
+- == 0) {
+- ok = false;
+- goto out;
+- }
++ CHECK(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_UTF8,
++ reinterpret_cast< unsigned char * >(commonName.toUtf8().data()), -1, -1, 0));
+
+- if (X509_set_issuer_name(x509, name) == 0) {
+- ok = false;
+- goto out;
+- }
++ CHECK(X509_set_issuer_name(x509, name));
+
+- if (add_ext(x509, NID_basic_constraints, SSL_STRING("critical,CA:FALSE")) == 0) {
+- ok = false;
+- goto out;
+- }
++ CHECK(add_ext(x509, NID_basic_constraints, SSL_STRING("critical,CA:FALSE")));
+
+ if (isServerCert) {
+- if (add_ext(x509, NID_ext_key_usage, SSL_STRING("serverAuth,clientAuth")) == 0) {
+- ok = false;
+- goto out;
+- }
++ CHECK(add_ext(x509, NID_ext_key_usage, SSL_STRING("serverAuth,clientAuth")))
+ } else {
+- if (add_ext(x509, NID_ext_key_usage, SSL_STRING("clientAuth")) == 0) {
+- ok = false;
+- goto out;
+- }
++ CHECK(add_ext(x509, NID_ext_key_usage, SSL_STRING("clientAuth")));
+ }
+
+- if (add_ext(x509, NID_subject_key_identifier, SSL_STRING("hash")) == 0) {
+- ok = false;
+- goto out;
+- }
++ CHECK(add_ext(x509, NID_subject_key_identifier, SSL_STRING("hash")));
+
+ if (isServerCert) {
+- if (add_ext(x509, NID_netscape_comment, SSL_STRING("Generated from murmur")) == 0) {
+- ok = false;
+- goto out;
+- }
++ CHECK(add_ext(x509, NID_netscape_comment, SSL_STRING("Generated from murmur")));
+ } else {
+- if (add_ext(x509, NID_netscape_comment, SSL_STRING("Generated by Mumble")) == 0) {
+- ok = false;
+- goto out;
+- }
++ CHECK(add_ext(x509, NID_netscape_comment, SSL_STRING("Generated by Mumble")));
+ }
+
+ if (!isServerCert) {
+ if (!clientCertEmail.trimmed().isEmpty()) {
+- if (add_ext(x509, NID_subject_alt_name,
+- QString::fromLatin1("email:%1").arg(clientCertEmail).toUtf8().data())
+- == 0) {
+- ok = false;
+- goto out;
+- }
++ CHECK(add_ext(x509, NID_subject_alt_name,
++ QString::fromLatin1("email:%1").arg(clientCertEmail).toUtf8().data()));
+ }
+ }
+
+- if (X509_sign(x509, pkey, EVP_sha1()) == 0) {
+- ok = false;
+- goto out;
+- }
++ CHECK(X509_sign(x509, pkey, EVP_sha1()));
+
+ {
+ QByteArray crt;
+ int len = i2d_X509(x509, nullptr);
+- if (len <= 0) {
+- ok = false;
+- goto out;
+- }
++ CHECK(len > 0);
+ crt.resize(len);
+
+ unsigned char *dptr = reinterpret_cast< unsigned char * >(crt.data());
+- if (i2d_X509(x509, &dptr) != len) {
+- ok = false;
+- goto out;
+- }
++ CHECK(i2d_X509(x509, &dptr) == len);
+
+ qscCert = QSslCertificate(crt, QSsl::Der);
+- if (qscCert.isNull()) {
+- ok = false;
+- goto out;
+- }
++ CHECK(!qscCert.isNull());
+ }
+
+ {
+ QByteArray key;
+ int len = i2d_PrivateKey(pkey, nullptr);
+- if (len <= 0) {
+- ok = false;
+- goto out;
+- }
++ CHECK(len > 0);
+ key.resize(len);
+
+ unsigned char *dptr = reinterpret_cast< unsigned char * >(key.data());
+- if (i2d_PrivateKey(pkey, &dptr) != len) {
+- ok = false;
+- goto out;
+- }
++ CHECK(i2d_PrivateKey(pkey, &dptr) == len);
+
+ qskKey = QSslKey(key, QSsl::Rsa, QSsl::Der);
+- if (qskKey.isNull()) {
+- ok = false;
+- goto out;
+- }
++ CHECK(!qskKey.isNull());
+ }
+
+ out:
+- if (e) {
+- BN_free(e);
+- }
+- // We only need to free the pkey pointer,
+- // not the RSA pointer. We have assigned
+- // our RSA key to pkey, and it will be freed
+- // once we free pkey.
+ if (pkey) {
+ EVP_PKEY_free(pkey);
+ }
+diff --git a/src/SelfSignedCertificate.h b/src/SelfSignedCertificate.h
+index b85a8752b8..7c5f59e9c5 100644
+--- a/src/SelfSignedCertificate.h
++++ b/src/SelfSignedCertificate.h
+@@ -6,6 +6,10 @@
+ #ifndef MUMBLE_SELFSIGNEDCERTIFICATE_H_
+ #define MUMBLE_SELFSIGNEDCERTIFICATE_H_
+
++#include <openssl/evp.h>
++#include <openssl/rsa.h>
++#include <openssl/x509v3.h>
++
+ #include <QtCore/QString>
+ #include <QtNetwork/QSslCertificate>
+ #include <QtNetwork/QSslKey>
+@@ -16,6 +20,7 @@ class SelfSignedCertificate {
+ private:
+ static bool generate(CertificateType certificateType, QString clientCertName, QString clientCertEmail,
+ QSslCertificate &qscCert, QSslKey &qskKey);
++ static EVP_PKEY *generate_rsa_keypair();
+
+ public:
+ static bool generateMumbleCertificate(QString name, QString email, QSslCertificate &qscCert, QSslKey &qskKey);
+diff --git a/src/crypto/CryptStateOCB2.cpp b/src/crypto/CryptStateOCB2.cpp
+index 2176d64883..640fdedac8 100644
+--- a/src/crypto/CryptStateOCB2.cpp
++++ b/src/crypto/CryptStateOCB2.cpp
+@@ -30,7 +30,7 @@
+ #include <cstring>
+ #include <openssl/rand.h>
+
+-CryptStateOCB2::CryptStateOCB2() : CryptState() {
++CryptStateOCB2::CryptStateOCB2() : CryptState(), enc_ctx(EVP_CIPHER_CTX_new()), dec_ctx(EVP_CIPHER_CTX_new()) {
+ for (int i = 0; i < 0x100; i++)
+ decrypt_history[i] = 0;
+ memset(raw_key, 0, AES_KEY_SIZE_BYTES);
+@@ -38,6 +38,11 @@ CryptStateOCB2::CryptStateOCB2() : CryptState() {
+ memset(decrypt_iv, 0, AES_BLOCK_SIZE);
+ }
+
++CryptStateOCB2::~CryptStateOCB2() noexcept {
++ EVP_CIPHER_CTX_free(enc_ctx);
++ EVP_CIPHER_CTX_free(dec_ctx);
++}
++
+ bool CryptStateOCB2::isValid() const {
+ return bInit;
+ }
+@@ -46,8 +51,6 @@ void CryptStateOCB2::genKey() {
+ CryptographicRandom::fillBuffer(raw_key, AES_KEY_SIZE_BYTES);
+ CryptographicRandom::fillBuffer(encrypt_iv, AES_BLOCK_SIZE);
+ CryptographicRandom::fillBuffer(decrypt_iv, AES_BLOCK_SIZE);
+- AES_set_encrypt_key(raw_key, AES_KEY_SIZE_BITS, &encrypt_key);
+- AES_set_decrypt_key(raw_key, AES_KEY_SIZE_BITS, &decrypt_key);
+ bInit = true;
+ }
+
+@@ -56,8 +59,6 @@ bool CryptStateOCB2::setKey(const std::string &rkey, const std::string &eiv, con
+ memcpy(raw_key, rkey.data(), AES_KEY_SIZE_BYTES);
+ memcpy(encrypt_iv, eiv.data(), AES_BLOCK_SIZE);
+ memcpy(decrypt_iv, div.data(), AES_BLOCK_SIZE);
+- AES_set_encrypt_key(raw_key, AES_KEY_SIZE_BITS, &encrypt_key);
+- AES_set_decrypt_key(raw_key, AES_KEY_SIZE_BITS, &decrypt_key);
+ bInit = true;
+ return true;
+ }
+@@ -256,10 +257,24 @@ static void inline ZERO(keyblock &block) {
+ block[i] = 0;
+ }
+
+-#define AESencrypt(src, dst, key) \
+- AES_encrypt(reinterpret_cast< const unsigned char * >(src), reinterpret_cast< unsigned char * >(dst), key);
+-#define AESdecrypt(src, dst, key) \
+- AES_decrypt(reinterpret_cast< const unsigned char * >(src), reinterpret_cast< unsigned char * >(dst), key);
++#define AESencrypt(src, dst, key) \
++ { \
++ int outlen = 0; \
++ EVP_EncryptInit_ex(enc_ctx, EVP_aes_128_ecb(), NULL, key, NULL); \
++ EVP_CIPHER_CTX_set_padding(enc_ctx, 0); \
++ EVP_EncryptUpdate(enc_ctx, reinterpret_cast< unsigned char * >(dst), &outlen, \
++ reinterpret_cast< const unsigned char * >(src), AES_BLOCK_SIZE); \
++ EVP_EncryptFinal_ex(enc_ctx, reinterpret_cast< unsigned char * >(dst + outlen), &outlen); \
++ }
++#define AESdecrypt(src, dst, key) \
++ { \
++ int outlen = 0; \
++ EVP_DecryptInit_ex(dec_ctx, EVP_aes_128_ecb(), NULL, key, NULL); \
++ EVP_CIPHER_CTX_set_padding(dec_ctx, 0); \
++ EVP_DecryptUpdate(dec_ctx, reinterpret_cast< unsigned char * >(dst), &outlen, \
++ reinterpret_cast< const unsigned char * >(src), AES_BLOCK_SIZE); \
++ EVP_DecryptFinal_ex(dec_ctx, reinterpret_cast< unsigned char * >(dst + outlen), &outlen); \
++ }
+
+ bool CryptStateOCB2::ocb_encrypt(const unsigned char *plain, unsigned char *encrypted, unsigned int len,
+ const unsigned char *nonce, unsigned char *tag, bool modifyPlainOnXEXStarAttack) {
+@@ -267,7 +282,7 @@ bool CryptStateOCB2::ocb_encrypt(const unsigned char *plain, unsigned char *encr
+ bool success = true;
+
+ // Initialize
+- AESencrypt(nonce, delta, &encrypt_key);
++ AESencrypt(nonce, delta, raw_key);
+ ZERO(checksum);
+
+ while (len > AES_BLOCK_SIZE) {
+@@ -299,7 +314,7 @@ bool CryptStateOCB2::ocb_encrypt(const unsigned char *plain, unsigned char *encr
+ if (flipABit) {
+ *reinterpret_cast< unsigned char * >(tmp) ^= 1;
+ }
+- AESencrypt(tmp, tmp, &encrypt_key);
++ AESencrypt(tmp, tmp, raw_key);
+ XOR(reinterpret_cast< subblock * >(encrypted), delta, tmp);
+ XOR(checksum, checksum, reinterpret_cast< const subblock * >(plain));
+ if (flipABit) {
+@@ -315,7 +330,7 @@ bool CryptStateOCB2::ocb_encrypt(const unsigned char *plain, unsigned char *encr
+ ZERO(tmp);
+ tmp[BLOCKSIZE - 1] = SWAPPED(len * 8);
+ XOR(tmp, tmp, delta);
+- AESencrypt(tmp, pad, &encrypt_key);
++ AESencrypt(tmp, pad, raw_key);
+ memcpy(tmp, plain, len);
+ memcpy(reinterpret_cast< unsigned char * >(tmp) + len, reinterpret_cast< const unsigned char * >(pad) + len,
+ AES_BLOCK_SIZE - len);
+@@ -325,7 +340,7 @@ bool CryptStateOCB2::ocb_encrypt(const unsigned char *plain, unsigned char *encr
+
+ S3(delta);
+ XOR(tmp, delta, checksum);
+- AESencrypt(tmp, tag, &encrypt_key);
++ AESencrypt(tmp, tag, raw_key);
+
+ return success;
+ }
+@@ -336,13 +351,13 @@ bool CryptStateOCB2::ocb_decrypt(const unsigned char *encrypted, unsigned char *
+ bool success = true;
+
+ // Initialize
+- AESencrypt(nonce, delta, &encrypt_key);
++ AESencrypt(nonce, delta, raw_key);
+ ZERO(checksum);
+
+ while (len > AES_BLOCK_SIZE) {
+ S2(delta);
+ XOR(tmp, delta, reinterpret_cast< const subblock * >(encrypted));
+- AESdecrypt(tmp, tmp, &decrypt_key);
++ AESdecrypt(tmp, tmp, raw_key);
+ XOR(reinterpret_cast< subblock * >(plain), delta, tmp);
+ XOR(checksum, checksum, reinterpret_cast< const subblock * >(plain));
+ len -= AES_BLOCK_SIZE;
+@@ -354,7 +369,7 @@ bool CryptStateOCB2::ocb_decrypt(const unsigned char *encrypted, unsigned char *
+ ZERO(tmp);
+ tmp[BLOCKSIZE - 1] = SWAPPED(len * 8);
+ XOR(tmp, tmp, delta);
+- AESencrypt(tmp, pad, &encrypt_key);
++ AESencrypt(tmp, pad, raw_key);
+ memset(tmp, 0, AES_BLOCK_SIZE);
+ memcpy(tmp, encrypted, len);
+ XOR(tmp, tmp, pad);
+@@ -372,7 +387,7 @@ bool CryptStateOCB2::ocb_decrypt(const unsigned char *encrypted, unsigned char *
+
+ S3(delta);
+ XOR(tmp, delta, checksum);
+- AESencrypt(tmp, tag, &encrypt_key);
++ AESencrypt(tmp, tag, raw_key);
+
+ return success;
+ }
+@@ -381,5 +396,5 @@ bool CryptStateOCB2::ocb_decrypt(const unsigned char *encrypted, unsigned char *
+ #undef SHIFTBITS
+ #undef SWAPPED
+ #undef HIGHBIT
+-#undef AES_encrypt
+-#undef AES_decrypt
++#undef AESencrypt
++#undef AESdecrypt
+diff --git a/src/crypto/CryptStateOCB2.h b/src/crypto/CryptStateOCB2.h
+index 53d4b4b6aa..cc3f1c0bc3 100644
+--- a/src/crypto/CryptStateOCB2.h
++++ b/src/crypto/CryptStateOCB2.h
+@@ -8,8 +8,9 @@
+
+ #include "CryptState.h"
+
+-#include <openssl/aes.h>
++#include <openssl/evp.h>
+
++#define AES_BLOCK_SIZE 16
+ #define AES_KEY_SIZE_BITS 128
+ #define AES_KEY_SIZE_BYTES (AES_KEY_SIZE_BITS / 8)
+
+@@ -17,7 +18,7 @@
+ class CryptStateOCB2 : public CryptState {
+ public:
+ CryptStateOCB2();
+- ~CryptStateOCB2(){};
++ ~CryptStateOCB2() noexcept override;
+
+ virtual bool isValid() const Q_DECL_OVERRIDE;
+ virtual void genKey() Q_DECL_OVERRIDE;
+@@ -43,8 +44,8 @@ class CryptStateOCB2 : public CryptState {
+ unsigned char decrypt_iv[AES_BLOCK_SIZE];
+ unsigned char decrypt_history[0x100];
+
+- AES_KEY encrypt_key;
+- AES_KEY decrypt_key;
++ EVP_CIPHER_CTX *enc_ctx;
++ EVP_CIPHER_CTX *dec_ctx;
+ };
+
+
+From f8d47db318f302f5a7d343f15c9936c7030c49c4 Mon Sep 17 00:00:00 2001
+From: Terry Geng <terry@terriex.com>
+Date: Sun, 12 Dec 2021 22:39:38 -0500
+Subject: [PATCH] FIX(crypto): Sharing EVP context between threads crushes
+ Mumble
+
+Functions ocb_encrypt and ocb_decrypt share the same set
+of encrypt and decrypt contexts. However, they are invoked
+in different threads (audio input thread and server
+handler thread).
+This may lead to conflicts that would crash Mumble.
+This patch separates contexts used in these two functions
+to avoid such conflicts.
+
+Fixes #5361
+---
+ src/crypto/CryptStateOCB2.cpp | 55 ++++++++++++++++++++++-------------
+ src/crypto/CryptStateOCB2.h | 6 ++--
+ 2 files changed, 38 insertions(+), 23 deletions(-)
+
+diff --git a/src/crypto/CryptStateOCB2.cpp b/src/crypto/CryptStateOCB2.cpp
+index 640fdedac8..3b3473ffec 100644
+--- a/src/crypto/CryptStateOCB2.cpp
++++ b/src/crypto/CryptStateOCB2.cpp
+@@ -30,7 +30,9 @@
+ #include <cstring>
+ #include <openssl/rand.h>
+
+-CryptStateOCB2::CryptStateOCB2() : CryptState(), enc_ctx(EVP_CIPHER_CTX_new()), dec_ctx(EVP_CIPHER_CTX_new()) {
++CryptStateOCB2::CryptStateOCB2()
++ : CryptState(), enc_ctx_ocb_enc(EVP_CIPHER_CTX_new()), dec_ctx_ocb_enc(EVP_CIPHER_CTX_new()),
++ enc_ctx_ocb_dec(EVP_CIPHER_CTX_new()), dec_ctx_ocb_dec(EVP_CIPHER_CTX_new()) {
+ for (int i = 0; i < 0x100; i++)
+ decrypt_history[i] = 0;
+ memset(raw_key, 0, AES_KEY_SIZE_BYTES);
+@@ -39,8 +41,10 @@ CryptStateOCB2::CryptStateOCB2() : CryptState(), enc_ctx(EVP_CIPHER_CTX_new()),
+ }
+
+ CryptStateOCB2::~CryptStateOCB2() noexcept {
+- EVP_CIPHER_CTX_free(enc_ctx);
+- EVP_CIPHER_CTX_free(dec_ctx);
++ EVP_CIPHER_CTX_free(enc_ctx_ocb_enc);
++ EVP_CIPHER_CTX_free(dec_ctx_ocb_enc);
++ EVP_CIPHER_CTX_free(enc_ctx_ocb_dec);
++ EVP_CIPHER_CTX_free(dec_ctx_ocb_dec);
+ }
+
+ bool CryptStateOCB2::isValid() const {
+@@ -257,25 +261,28 @@ static void inline ZERO(keyblock &block) {
+ block[i] = 0;
+ }
+
+-#define AESencrypt(src, dst, key) \
+- { \
+- int outlen = 0; \
+- EVP_EncryptInit_ex(enc_ctx, EVP_aes_128_ecb(), NULL, key, NULL); \
+- EVP_CIPHER_CTX_set_padding(enc_ctx, 0); \
+- EVP_EncryptUpdate(enc_ctx, reinterpret_cast< unsigned char * >(dst), &outlen, \
+- reinterpret_cast< const unsigned char * >(src), AES_BLOCK_SIZE); \
+- EVP_EncryptFinal_ex(enc_ctx, reinterpret_cast< unsigned char * >(dst + outlen), &outlen); \
++#define AESencrypt_ctx(src, dst, key, enc_ctx) \
++ { \
++ int outlen = 0; \
++ EVP_EncryptInit_ex(enc_ctx, EVP_aes_128_ecb(), NULL, key, NULL); \
++ EVP_CIPHER_CTX_set_padding(enc_ctx, 0); \
++ EVP_EncryptUpdate(enc_ctx, reinterpret_cast< unsigned char * >(dst), &outlen, \
++ reinterpret_cast< const unsigned char * >(src), AES_BLOCK_SIZE); \
++ EVP_EncryptFinal_ex(enc_ctx, reinterpret_cast< unsigned char * >((dst) + outlen), &outlen); \
+ }
+-#define AESdecrypt(src, dst, key) \
+- { \
+- int outlen = 0; \
+- EVP_DecryptInit_ex(dec_ctx, EVP_aes_128_ecb(), NULL, key, NULL); \
+- EVP_CIPHER_CTX_set_padding(dec_ctx, 0); \
+- EVP_DecryptUpdate(dec_ctx, reinterpret_cast< unsigned char * >(dst), &outlen, \
+- reinterpret_cast< const unsigned char * >(src), AES_BLOCK_SIZE); \
+- EVP_DecryptFinal_ex(dec_ctx, reinterpret_cast< unsigned char * >(dst + outlen), &outlen); \
++#define AESdecrypt_ctx(src, dst, key, dec_ctx) \
++ { \
++ int outlen = 0; \
++ EVP_DecryptInit_ex(dec_ctx, EVP_aes_128_ecb(), NULL, key, NULL); \
++ EVP_CIPHER_CTX_set_padding(dec_ctx, 0); \
++ EVP_DecryptUpdate(dec_ctx, reinterpret_cast< unsigned char * >(dst), &outlen, \
++ reinterpret_cast< const unsigned char * >(src), AES_BLOCK_SIZE); \
++ EVP_DecryptFinal_ex(dec_ctx, reinterpret_cast< unsigned char * >((dst) + outlen), &outlen); \
+ }
+
++#define AESencrypt(src, dst, key) AESencrypt_ctx(src, dst, key, enc_ctx_ocb_enc)
++#define AESdecrypt(src, dst, key) AESdecrypt_ctx(src, dst, key, dec_ctx_ocb_enc)
++
+ bool CryptStateOCB2::ocb_encrypt(const unsigned char *plain, unsigned char *encrypted, unsigned int len,
+ const unsigned char *nonce, unsigned char *tag, bool modifyPlainOnXEXStarAttack) {
+ keyblock checksum, delta, tmp, pad;
+@@ -345,6 +352,12 @@ bool CryptStateOCB2::ocb_encrypt(const unsigned char *plain, unsigned char *encr
+ return success;
+ }
+
++#undef AESencrypt
++#undef AESdecrypt
++
++#define AESencrypt(src, dst, key) AESencrypt_ctx(src, dst, key, enc_ctx_ocb_dec)
++#define AESdecrypt(src, dst, key) AESdecrypt_ctx(src, dst, key, dec_ctx_ocb_dec)
++
+ bool CryptStateOCB2::ocb_decrypt(const unsigned char *encrypted, unsigned char *plain, unsigned int len,
+ const unsigned char *nonce, unsigned char *tag) {
+ keyblock checksum, delta, tmp, pad;
+@@ -392,9 +405,9 @@ bool CryptStateOCB2::ocb_decrypt(const unsigned char *encrypted, unsigned char *
+ return success;
+ }
+
++#undef AESencrypt
++#undef AESdecrypt
+ #undef BLOCKSIZE
+ #undef SHIFTBITS
+ #undef SWAPPED
+ #undef HIGHBIT
+-#undef AESencrypt
+-#undef AESdecrypt
+diff --git a/src/crypto/CryptStateOCB2.h b/src/crypto/CryptStateOCB2.h
+index cc3f1c0bc3..0fd3000ade 100644
+--- a/src/crypto/CryptStateOCB2.h
++++ b/src/crypto/CryptStateOCB2.h
+@@ -44,8 +44,10 @@ class CryptStateOCB2 : public CryptState {
+ unsigned char decrypt_iv[AES_BLOCK_SIZE];
+ unsigned char decrypt_history[0x100];
+
+- EVP_CIPHER_CTX *enc_ctx;
+- EVP_CIPHER_CTX *dec_ctx;
++ EVP_CIPHER_CTX *enc_ctx_ocb_enc;
++ EVP_CIPHER_CTX *dec_ctx_ocb_enc;
++ EVP_CIPHER_CTX *enc_ctx_ocb_dec;
++ EVP_CIPHER_CTX *dec_ctx_ocb_dec;
+ };
+
+
diff --git a/srcpkgs/mumble/template b/srcpkgs/mumble/template
index 2e6f50da0140..acb6af454e0f 100644
--- a/srcpkgs/mumble/template
+++ b/srcpkgs/mumble/template
@@ -1,7 +1,7 @@
# Template file for 'mumble'
pkgname=mumble
version=1.4.287
-revision=1
+revision=2
build_style=cmake
make_cmd=make
configure_args="-Doverlay-xcompile=OFF -Dbundled-opus=OFF
next prev parent reply other threads:[~2023-01-30 19:33 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-30 15:18 [PR PATCH] " dkwo
2023-01-30 15:40 ` dkwo
2023-01-30 15:45 ` [PR PATCH] [Updated] " dkwo
2023-01-30 15:48 ` juliendehos
2023-01-30 16:11 ` [PR PATCH] [Updated] " dkwo
2023-01-30 19:33 ` dkwo [this message]
2023-01-30 20:00 ` dkwo
2023-01-30 20:19 ` dkwo
2023-01-30 20:26 ` dkwo
2023-01-30 21:58 ` Johnnynator
2023-01-30 22:52 ` [PR PATCH] [Updated] " dkwo
2023-01-30 22:52 ` dkwo
2023-01-31 1:56 ` Johnnynator
2023-01-31 18:45 ` [PR PATCH] [Updated] " dkwo
2023-01-31 19:53 ` [PR PATCH] [Merged]: " Johnnynator
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230130193336.4tt6Jdw62PRZhrVt-SYjvJUYDeO3vtV5b0KZGYalcBE@z \
--to=dkwo@users.noreply.github.com \
--cc=ml@inbox.vuxu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).