From a24203b2764f0762dfff2112835d90dc27bc9bb0 Mon Sep 17 00:00:00 2001 From: dkwo Date: Fri, 27 Jan 2023 10:45:20 -0500 Subject: [PATCH 1/3] poco: update to 1.12.4, orphan --- common/shlibs | 26 +++++++++++++------------- srcpkgs/poco/template | 11 ++++++----- 2 files changed, 19 insertions(+), 18 deletions(-) diff --git a/common/shlibs b/common/shlibs index edb8a2c5dd73..523fd15af734 100644 --- a/common/shlibs +++ b/common/shlibs @@ -3006,19 +3006,19 @@ libsigrok.so.4 libsigrok-0.5.0_1 libsigrokcxx.so.4 libsigrok-0.5.0_1 libsigrokdecode.so.4 libsigrokdecode-0.5.0_2 libglyr.so.1 glyr-1.0.8_1 -libPocoJSON.so.64 poco-1.9.4_3 -libPocoMongoDB.so.64 poco-1.9.4_3 -libPocoZip.so.64 poco-1.9.4_3 -libPocoData.so.64 poco-1.9.4_3 -libPocoNet.so.64 poco-1.9.4_3 -libPocoDataSQLite.so.64 poco-1.9.4_3 -libPocoFoundation.so.64 poco-1.9.4_3 -libPocoXML.so.64 poco-1.9.4_3 -libPocoUtil.so.64 poco-1.9.4_3 -libPocoRedis.so.64 poco-1.9.4_3 -libPocoEncodings.so.64 poco-1.9.4_3 -libPocoNetSSL.so.64 poco-1.9.4_3 -libPocoCrypto.so.64 poco-1.9.4_3 +libPocoJSON.so.94 poco-1.12.4_1 +libPocoMongoDB.so.94 poco-1.12.4_1 +libPocoZip.so.94 poco-1.12.4_1 +libPocoData.so.94 poco-1.12.4_1 +libPocoNet.so.94 poco-1.12.4_1 +libPocoDataSQLite.so.94 poco-1.12.4_1 +libPocoFoundation.so.94 poco-1.12.4_1 +libPocoXML.so.94 poco-1.12.4_1 +libPocoUtil.so.94 poco-1.12.4_1 +libPocoRedis.so.94 poco-1.12.4_1 +libPocoEncodings.so.94 poco-1.12.4_1 +libPocoNetSSL.so.94 poco-1.12.4_1 +libPocoCrypto.so.94 poco-1.12.4_1 libPtex.so ptex-2.3.2_1 libopenblas.so.0 openblas-0.2.19_1 librtaudio.so.6 rtaudio-5.1.0_1 diff --git a/srcpkgs/poco/template b/srcpkgs/poco/template index 008536b67121..6ca714b9e94f 100644 --- a/srcpkgs/poco/template +++ b/srcpkgs/poco/template @@ -1,16 +1,17 @@ # Template file for 'poco' pkgname=poco -version=1.9.4 -revision=3 +version=1.12.4 +revision=1 build_style=cmake configure_args="-DPOCO_UNBUNDLED=ON" -makedepends="openssl-devel zlib-devel pcre-devel expat-devel sqlite-devel" +makedepends="openssl-devel zlib-devel pcre2-devel expat-devel sqlite-devel" short_desc="C++ class libraries for building network-based applications" -maintainer="Julien Dehos " +maintainer="Orphaned " license="BSL-1.0" homepage="https://pocoproject.org" distfiles="https://pocoproject.org/releases/${pkgname}-${version}/${pkgname}-${version}-all.tar.gz" -checksum=eb34f257b11240a711ee505f1d80c754a80a990aeb48d8d93407884df288fd77 +checksum=4c3584daa5b0e973f268654dbeb1171ec7621e358b2b64363cd1abd558a68777 +conflicts="archiver" post_install() { vlicense LICENSE From f9ecb5881e823358772fa954da44aee39b79f174 Mon Sep 17 00:00:00 2001 From: dkwo Date: Fri, 27 Jan 2023 10:45:43 -0500 Subject: [PATCH 2/3] remwharead: bump for poco --- srcpkgs/remwharead/template | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/srcpkgs/remwharead/template b/srcpkgs/remwharead/template index e72ab06131e4..4af548c46743 100644 --- a/srcpkgs/remwharead/template +++ b/srcpkgs/remwharead/template @@ -1,7 +1,7 @@ # Template file for 'remwharead' pkgname=remwharead version=0.10.0 -revision=4 +revision=5 build_style=cmake hostmakedepends="poco-devel asciidoc pkg-config" makedepends="poco-devel boost-devel" @@ -9,7 +9,7 @@ short_desc="Saves URIs of things you want to remember in a database" maintainer="teldra " license="GPL-3.0-only" homepage="https://schlomp.space/tastytea/remwharead" -distfiles="https://github.com/tastytea/remwharead/archive/${version}.tar.gz" +distfiles="https://github.com/tastytea/remwharead/archive/refs/tags/${version}.tar.gz" checksum=87f14a611e3ae9f9babe2dff8e4a6c4f5495fa2883393edb36e796af3f19fb30 remwharead-firefox-plugin_package() { From 03c88e9ac9374396c910c50478144e0e78b45781 Mon Sep 17 00:00:00 2001 From: dkwo Date: Mon, 30 Jan 2023 10:45:04 -0500 Subject: [PATCH 3/3] mumble: bump for poco, patch for openssl3 --- srcpkgs/mumble/patches/openssl3.patch | 685 ++++++++++++++++++++++++++ srcpkgs/mumble/template | 2 +- 2 files changed, 686 insertions(+), 1 deletion(-) create mode 100644 srcpkgs/mumble/patches/openssl3.patch diff --git a/srcpkgs/mumble/patches/openssl3.patch b/srcpkgs/mumble/patches/openssl3.patch new file mode 100644 index 000000000000..906d1790444b --- /dev/null +++ b/srcpkgs/mumble/patches/openssl3.patch @@ -0,0 +1,685 @@ +From f4cea62ed95e4967d8591f25e903f5e8fc2e2a30 Mon Sep 17 00:00:00 2001 +From: Terry Geng +Date: Mon, 6 Dec 2021 10:45:11 -0500 +Subject: [PATCH] BUILD(crypto): Migrate to OpenSSL 3.0-compatible API + +OpenSSL 3.0 deprecated several low-level APIs and the usage of them +caused errors/warnings that prevent the binary from being built against +OpenSSL 3.0. +Some primitive efforts have been made in #5317 but were incomplete. +This commit follows https://www.openssl.org/docs/man3.0/man7/migration_guide.html, +https://code.woboq.org/qt6/qtopcua/src/opcua/x509/qopcuakeypair_openssl.cpp.html, +and clears all errors/warnings related to the usage of deprecated APIs. + +Fixes #5277 +Fixes #4266 +--- + src/SelfSignedCertificate.cpp | 235 +++++++++++----------------------- + src/SelfSignedCertificate.h | 5 + + src/crypto/CryptStateOCB2.cpp | 53 +++++--- + src/crypto/CryptStateOCB2.h | 9 +- + 4 files changed, 121 insertions(+), 181 deletions(-) + +diff --git a/src/SelfSignedCertificate.cpp b/src/SelfSignedCertificate.cpp +index a77e5fad91..ea0dec4cc7 100644 +--- a/src/SelfSignedCertificate.cpp ++++ b/src/SelfSignedCertificate.cpp +@@ -5,8 +5,6 @@ + + #include "SelfSignedCertificate.h" + +-#include +- + #define SSL_STRING(x) QString::fromLatin1(x).toUtf8().data() + + static int add_ext(X509 *crt, int nid, char *value) { +@@ -28,108 +26,86 @@ static int add_ext(X509 *crt, int nid, char *value) { + return 1; + } + +-bool SelfSignedCertificate::generate(CertificateType certificateType, QString clientCertName, QString clientCertEmail, +- QSslCertificate &qscCert, QSslKey &qskKey) { +- bool ok = true; +- X509 *x509 = nullptr; +- EVP_PKEY *pkey = nullptr; +- RSA *rsa = nullptr; +- BIGNUM *e = nullptr; +- X509_NAME *name = nullptr; +- ASN1_INTEGER *serialNumber = nullptr; +- ASN1_TIME *notBefore = nullptr; +- ASN1_TIME *notAfter = nullptr; +- QString commonName; +- bool isServerCert = certificateType == CertificateTypeServerCertificate; +- +- if (CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) == -1) { +- ok = false; +- goto out; ++EVP_PKEY *SelfSignedCertificate::generate_rsa_keypair() { ++ EVP_PKEY *pkey = EVP_PKEY_new(); ++ if (!pkey) { ++ return nullptr; + } + +- x509 = X509_new(); +- if (!x509) { +- ok = false; +- goto out; ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, nullptr); ++ if (!ctx) { ++ return nullptr; + } +- +- pkey = EVP_PKEY_new(); +- if (!pkey) { +- ok = false; +- goto out; ++ if (EVP_PKEY_keygen_init(ctx) <= 0) { ++ return nullptr; + } +- +- rsa = RSA_new(); ++ if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048) <= 0) { ++ return nullptr; ++ } ++ if (EVP_PKEY_keygen(ctx, &pkey) <= 0) { ++ return nullptr; ++ } ++ EVP_PKEY_CTX_free(ctx); ++#else ++ RSA *rsa = RSA_new(); ++ BIGNUM *e = BN_new(); + if (!rsa) { +- ok = false; +- goto out; ++ return nullptr; + } +- +- e = BN_new(); + if (!e) { +- ok = false; +- goto out; ++ return nullptr; + } + if (BN_set_word(e, 65537) == 0) { +- ok = false; +- goto out; ++ return nullptr; + } +- + if (RSA_generate_key_ex(rsa, 2048, e, nullptr) == 0) { +- ok = false; +- goto out; ++ return nullptr; + } +- + if (EVP_PKEY_assign_RSA(pkey, rsa) == 0) { +- ok = false; +- goto out; ++ return nullptr; + } ++ BN_free(e); ++ RSA_free(rsa); ++#endif ++ return pkey; ++} + +- if (X509_set_version(x509, 2) == 0) { +- ok = false; +- goto out; ++#define CHECK(statement) \ ++ if (!(statement)) { \ ++ ok = false; \ ++ goto out; \ + } + +- serialNumber = X509_get_serialNumber(x509); +- if (!serialNumber) { +- ok = false; +- goto out; +- } +- if (ASN1_INTEGER_set(serialNumber, 1) == 0) { +- ok = false; +- goto out; +- } + +- notBefore = X509_get_notBefore(x509); +- if (!notBefore) { +- ok = false; +- goto out; +- } +- if (!X509_gmtime_adj(notBefore, 0)) { +- ok = false; +- goto out; +- } ++bool SelfSignedCertificate::generate(CertificateType certificateType, QString clientCertName, QString clientCertEmail, ++ QSslCertificate &qscCert, QSslKey &qskKey) { ++ bool ok = true; ++ EVP_PKEY *pkey = nullptr; ++ X509 *x509 = nullptr; ++ X509_NAME *name = nullptr; ++ ASN1_INTEGER *serialNumber = nullptr; ++ ASN1_TIME *notBefore = nullptr; ++ ASN1_TIME *notAfter = nullptr; ++ QString commonName; ++ bool isServerCert = certificateType == CertificateTypeServerCertificate; + +- notAfter = X509_get_notAfter(x509); +- if (!notAfter) { +- ok = false; +- goto out; +- } +- if (!X509_gmtime_adj(notAfter, 60 * 60 * 24 * 365 * 20)) { +- ok = false; +- goto out; +- } ++ // In Qt 5.15, a class was added to wrap up the procedures of generating a self-signed certificate. ++ // See https://doc.qt.io/qt-5/qopcuax509certificatesigningrequest.html. ++ // We should consider migrating to this class after switching to Qt 5.15. + +- if (X509_set_pubkey(x509, pkey) == 0) { +- ok = false; +- goto out; +- } ++ CHECK(pkey = generate_rsa_keypair()); + +- name = X509_get_subject_name(x509); +- if (!name) { +- ok = false; +- goto out; +- } ++ CHECK(x509 = X509_new()); ++ CHECK(X509_set_version(x509, 2)); ++ CHECK(serialNumber = X509_get_serialNumber(x509)); ++ CHECK(ASN1_INTEGER_set(serialNumber, 1)); ++ CHECK(notBefore = X509_get_notBefore(x509)); ++ CHECK(X509_gmtime_adj(notBefore, 0)); ++ CHECK(notAfter = X509_get_notAfter(x509)); ++ CHECK(X509_gmtime_adj(notAfter, 60 * 60 * 24 * 365 * 20)) ++ CHECK(X509_set_pubkey(x509, pkey)); ++ CHECK(name = X509_get_subject_name(x509)); + + if (isServerCert) { + commonName = QLatin1String("Murmur Autogenerated Certificate v2"); +@@ -141,120 +117,63 @@ bool SelfSignedCertificate::generate(CertificateType certificateType, QString cl + } + } + +- if (X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_UTF8, +- reinterpret_cast< unsigned char * >(commonName.toUtf8().data()), -1, -1, 0) +- == 0) { +- ok = false; +- goto out; +- } ++ CHECK(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_UTF8, ++ reinterpret_cast< unsigned char * >(commonName.toUtf8().data()), -1, -1, 0)); + +- if (X509_set_issuer_name(x509, name) == 0) { +- ok = false; +- goto out; +- } ++ CHECK(X509_set_issuer_name(x509, name)); + +- if (add_ext(x509, NID_basic_constraints, SSL_STRING("critical,CA:FALSE")) == 0) { +- ok = false; +- goto out; +- } ++ CHECK(add_ext(x509, NID_basic_constraints, SSL_STRING("critical,CA:FALSE"))); + + if (isServerCert) { +- if (add_ext(x509, NID_ext_key_usage, SSL_STRING("serverAuth,clientAuth")) == 0) { +- ok = false; +- goto out; +- } ++ CHECK(add_ext(x509, NID_ext_key_usage, SSL_STRING("serverAuth,clientAuth"))) + } else { +- if (add_ext(x509, NID_ext_key_usage, SSL_STRING("clientAuth")) == 0) { +- ok = false; +- goto out; +- } ++ CHECK(add_ext(x509, NID_ext_key_usage, SSL_STRING("clientAuth"))); + } + +- if (add_ext(x509, NID_subject_key_identifier, SSL_STRING("hash")) == 0) { +- ok = false; +- goto out; +- } ++ CHECK(add_ext(x509, NID_subject_key_identifier, SSL_STRING("hash"))); + + if (isServerCert) { +- if (add_ext(x509, NID_netscape_comment, SSL_STRING("Generated from murmur")) == 0) { +- ok = false; +- goto out; +- } ++ CHECK(add_ext(x509, NID_netscape_comment, SSL_STRING("Generated from murmur"))); + } else { +- if (add_ext(x509, NID_netscape_comment, SSL_STRING("Generated by Mumble")) == 0) { +- ok = false; +- goto out; +- } ++ CHECK(add_ext(x509, NID_netscape_comment, SSL_STRING("Generated by Mumble"))); + } + + if (!isServerCert) { + if (!clientCertEmail.trimmed().isEmpty()) { +- if (add_ext(x509, NID_subject_alt_name, +- QString::fromLatin1("email:%1").arg(clientCertEmail).toUtf8().data()) +- == 0) { +- ok = false; +- goto out; +- } ++ CHECK(add_ext(x509, NID_subject_alt_name, ++ QString::fromLatin1("email:%1").arg(clientCertEmail).toUtf8().data())); + } + } + +- if (X509_sign(x509, pkey, EVP_sha1()) == 0) { +- ok = false; +- goto out; +- } ++ CHECK(X509_sign(x509, pkey, EVP_sha1())); + + { + QByteArray crt; + int len = i2d_X509(x509, nullptr); +- if (len <= 0) { +- ok = false; +- goto out; +- } ++ CHECK(len > 0); + crt.resize(len); + + unsigned char *dptr = reinterpret_cast< unsigned char * >(crt.data()); +- if (i2d_X509(x509, &dptr) != len) { +- ok = false; +- goto out; +- } ++ CHECK(i2d_X509(x509, &dptr) == len); + + qscCert = QSslCertificate(crt, QSsl::Der); +- if (qscCert.isNull()) { +- ok = false; +- goto out; +- } ++ CHECK(!qscCert.isNull()); + } + + { + QByteArray key; + int len = i2d_PrivateKey(pkey, nullptr); +- if (len <= 0) { +- ok = false; +- goto out; +- } ++ CHECK(len > 0); + key.resize(len); + + unsigned char *dptr = reinterpret_cast< unsigned char * >(key.data()); +- if (i2d_PrivateKey(pkey, &dptr) != len) { +- ok = false; +- goto out; +- } ++ CHECK(i2d_PrivateKey(pkey, &dptr) == len); + + qskKey = QSslKey(key, QSsl::Rsa, QSsl::Der); +- if (qskKey.isNull()) { +- ok = false; +- goto out; +- } ++ CHECK(!qskKey.isNull()); + } + + out: +- if (e) { +- BN_free(e); +- } +- // We only need to free the pkey pointer, +- // not the RSA pointer. We have assigned +- // our RSA key to pkey, and it will be freed +- // once we free pkey. + if (pkey) { + EVP_PKEY_free(pkey); + } +diff --git a/src/SelfSignedCertificate.h b/src/SelfSignedCertificate.h +index b85a8752b8..7c5f59e9c5 100644 +--- a/src/SelfSignedCertificate.h ++++ b/src/SelfSignedCertificate.h +@@ -6,6 +6,10 @@ + #ifndef MUMBLE_SELFSIGNEDCERTIFICATE_H_ + #define MUMBLE_SELFSIGNEDCERTIFICATE_H_ + ++#include ++#include ++#include ++ + #include + #include + #include +@@ -16,6 +20,7 @@ class SelfSignedCertificate { + private: + static bool generate(CertificateType certificateType, QString clientCertName, QString clientCertEmail, + QSslCertificate &qscCert, QSslKey &qskKey); ++ static EVP_PKEY *generate_rsa_keypair(); + + public: + static bool generateMumbleCertificate(QString name, QString email, QSslCertificate &qscCert, QSslKey &qskKey); +diff --git a/src/crypto/CryptStateOCB2.cpp b/src/crypto/CryptStateOCB2.cpp +index 2176d64883..640fdedac8 100644 +--- a/src/crypto/CryptStateOCB2.cpp ++++ b/src/crypto/CryptStateOCB2.cpp +@@ -30,7 +30,7 @@ + #include + #include + +-CryptStateOCB2::CryptStateOCB2() : CryptState() { ++CryptStateOCB2::CryptStateOCB2() : CryptState(), enc_ctx(EVP_CIPHER_CTX_new()), dec_ctx(EVP_CIPHER_CTX_new()) { + for (int i = 0; i < 0x100; i++) + decrypt_history[i] = 0; + memset(raw_key, 0, AES_KEY_SIZE_BYTES); +@@ -38,6 +38,11 @@ CryptStateOCB2::CryptStateOCB2() : CryptState() { + memset(decrypt_iv, 0, AES_BLOCK_SIZE); + } + ++CryptStateOCB2::~CryptStateOCB2() noexcept { ++ EVP_CIPHER_CTX_free(enc_ctx); ++ EVP_CIPHER_CTX_free(dec_ctx); ++} ++ + bool CryptStateOCB2::isValid() const { + return bInit; + } +@@ -46,8 +51,6 @@ void CryptStateOCB2::genKey() { + CryptographicRandom::fillBuffer(raw_key, AES_KEY_SIZE_BYTES); + CryptographicRandom::fillBuffer(encrypt_iv, AES_BLOCK_SIZE); + CryptographicRandom::fillBuffer(decrypt_iv, AES_BLOCK_SIZE); +- AES_set_encrypt_key(raw_key, AES_KEY_SIZE_BITS, &encrypt_key); +- AES_set_decrypt_key(raw_key, AES_KEY_SIZE_BITS, &decrypt_key); + bInit = true; + } + +@@ -56,8 +59,6 @@ bool CryptStateOCB2::setKey(const std::string &rkey, const std::string &eiv, con + memcpy(raw_key, rkey.data(), AES_KEY_SIZE_BYTES); + memcpy(encrypt_iv, eiv.data(), AES_BLOCK_SIZE); + memcpy(decrypt_iv, div.data(), AES_BLOCK_SIZE); +- AES_set_encrypt_key(raw_key, AES_KEY_SIZE_BITS, &encrypt_key); +- AES_set_decrypt_key(raw_key, AES_KEY_SIZE_BITS, &decrypt_key); + bInit = true; + return true; + } +@@ -256,10 +257,24 @@ static void inline ZERO(keyblock &block) { + block[i] = 0; + } + +-#define AESencrypt(src, dst, key) \ +- AES_encrypt(reinterpret_cast< const unsigned char * >(src), reinterpret_cast< unsigned char * >(dst), key); +-#define AESdecrypt(src, dst, key) \ +- AES_decrypt(reinterpret_cast< const unsigned char * >(src), reinterpret_cast< unsigned char * >(dst), key); ++#define AESencrypt(src, dst, key) \ ++ { \ ++ int outlen = 0; \ ++ EVP_EncryptInit_ex(enc_ctx, EVP_aes_128_ecb(), NULL, key, NULL); \ ++ EVP_CIPHER_CTX_set_padding(enc_ctx, 0); \ ++ EVP_EncryptUpdate(enc_ctx, reinterpret_cast< unsigned char * >(dst), &outlen, \ ++ reinterpret_cast< const unsigned char * >(src), AES_BLOCK_SIZE); \ ++ EVP_EncryptFinal_ex(enc_ctx, reinterpret_cast< unsigned char * >(dst + outlen), &outlen); \ ++ } ++#define AESdecrypt(src, dst, key) \ ++ { \ ++ int outlen = 0; \ ++ EVP_DecryptInit_ex(dec_ctx, EVP_aes_128_ecb(), NULL, key, NULL); \ ++ EVP_CIPHER_CTX_set_padding(dec_ctx, 0); \ ++ EVP_DecryptUpdate(dec_ctx, reinterpret_cast< unsigned char * >(dst), &outlen, \ ++ reinterpret_cast< const unsigned char * >(src), AES_BLOCK_SIZE); \ ++ EVP_DecryptFinal_ex(dec_ctx, reinterpret_cast< unsigned char * >(dst + outlen), &outlen); \ ++ } + + bool CryptStateOCB2::ocb_encrypt(const unsigned char *plain, unsigned char *encrypted, unsigned int len, + const unsigned char *nonce, unsigned char *tag, bool modifyPlainOnXEXStarAttack) { +@@ -267,7 +282,7 @@ bool CryptStateOCB2::ocb_encrypt(const unsigned char *plain, unsigned char *encr + bool success = true; + + // Initialize +- AESencrypt(nonce, delta, &encrypt_key); ++ AESencrypt(nonce, delta, raw_key); + ZERO(checksum); + + while (len > AES_BLOCK_SIZE) { +@@ -299,7 +314,7 @@ bool CryptStateOCB2::ocb_encrypt(const unsigned char *plain, unsigned char *encr + if (flipABit) { + *reinterpret_cast< unsigned char * >(tmp) ^= 1; + } +- AESencrypt(tmp, tmp, &encrypt_key); ++ AESencrypt(tmp, tmp, raw_key); + XOR(reinterpret_cast< subblock * >(encrypted), delta, tmp); + XOR(checksum, checksum, reinterpret_cast< const subblock * >(plain)); + if (flipABit) { +@@ -315,7 +330,7 @@ bool CryptStateOCB2::ocb_encrypt(const unsigned char *plain, unsigned char *encr + ZERO(tmp); + tmp[BLOCKSIZE - 1] = SWAPPED(len * 8); + XOR(tmp, tmp, delta); +- AESencrypt(tmp, pad, &encrypt_key); ++ AESencrypt(tmp, pad, raw_key); + memcpy(tmp, plain, len); + memcpy(reinterpret_cast< unsigned char * >(tmp) + len, reinterpret_cast< const unsigned char * >(pad) + len, + AES_BLOCK_SIZE - len); +@@ -325,7 +340,7 @@ bool CryptStateOCB2::ocb_encrypt(const unsigned char *plain, unsigned char *encr + + S3(delta); + XOR(tmp, delta, checksum); +- AESencrypt(tmp, tag, &encrypt_key); ++ AESencrypt(tmp, tag, raw_key); + + return success; + } +@@ -336,13 +351,13 @@ bool CryptStateOCB2::ocb_decrypt(const unsigned char *encrypted, unsigned char * + bool success = true; + + // Initialize +- AESencrypt(nonce, delta, &encrypt_key); ++ AESencrypt(nonce, delta, raw_key); + ZERO(checksum); + + while (len > AES_BLOCK_SIZE) { + S2(delta); + XOR(tmp, delta, reinterpret_cast< const subblock * >(encrypted)); +- AESdecrypt(tmp, tmp, &decrypt_key); ++ AESdecrypt(tmp, tmp, raw_key); + XOR(reinterpret_cast< subblock * >(plain), delta, tmp); + XOR(checksum, checksum, reinterpret_cast< const subblock * >(plain)); + len -= AES_BLOCK_SIZE; +@@ -354,7 +369,7 @@ bool CryptStateOCB2::ocb_decrypt(const unsigned char *encrypted, unsigned char * + ZERO(tmp); + tmp[BLOCKSIZE - 1] = SWAPPED(len * 8); + XOR(tmp, tmp, delta); +- AESencrypt(tmp, pad, &encrypt_key); ++ AESencrypt(tmp, pad, raw_key); + memset(tmp, 0, AES_BLOCK_SIZE); + memcpy(tmp, encrypted, len); + XOR(tmp, tmp, pad); +@@ -372,7 +387,7 @@ bool CryptStateOCB2::ocb_decrypt(const unsigned char *encrypted, unsigned char * + + S3(delta); + XOR(tmp, delta, checksum); +- AESencrypt(tmp, tag, &encrypt_key); ++ AESencrypt(tmp, tag, raw_key); + + return success; + } +@@ -381,5 +396,5 @@ bool CryptStateOCB2::ocb_decrypt(const unsigned char *encrypted, unsigned char * + #undef SHIFTBITS + #undef SWAPPED + #undef HIGHBIT +-#undef AES_encrypt +-#undef AES_decrypt ++#undef AESencrypt ++#undef AESdecrypt +diff --git a/src/crypto/CryptStateOCB2.h b/src/crypto/CryptStateOCB2.h +index 53d4b4b6aa..cc3f1c0bc3 100644 +--- a/src/crypto/CryptStateOCB2.h ++++ b/src/crypto/CryptStateOCB2.h +@@ -8,8 +8,9 @@ + + #include "CryptState.h" + +-#include ++#include + ++#define AES_BLOCK_SIZE 16 + #define AES_KEY_SIZE_BITS 128 + #define AES_KEY_SIZE_BYTES (AES_KEY_SIZE_BITS / 8) + +@@ -17,7 +18,7 @@ + class CryptStateOCB2 : public CryptState { + public: + CryptStateOCB2(); +- ~CryptStateOCB2(){}; ++ ~CryptStateOCB2() noexcept override; + + virtual bool isValid() const Q_DECL_OVERRIDE; + virtual void genKey() Q_DECL_OVERRIDE; +@@ -43,8 +44,8 @@ class CryptStateOCB2 : public CryptState { + unsigned char decrypt_iv[AES_BLOCK_SIZE]; + unsigned char decrypt_history[0x100]; + +- AES_KEY encrypt_key; +- AES_KEY decrypt_key; ++ EVP_CIPHER_CTX *enc_ctx; ++ EVP_CIPHER_CTX *dec_ctx; + }; + + +From f8d47db318f302f5a7d343f15c9936c7030c49c4 Mon Sep 17 00:00:00 2001 +From: Terry Geng +Date: Sun, 12 Dec 2021 22:39:38 -0500 +Subject: [PATCH] FIX(crypto): Sharing EVP context between threads crushes + Mumble + +Functions ocb_encrypt and ocb_decrypt share the same set +of encrypt and decrypt contexts. However, they are invoked +in different threads (audio input thread and server +handler thread). +This may lead to conflicts that would crash Mumble. +This patch separates contexts used in these two functions +to avoid such conflicts. + +Fixes #5361 +--- + src/crypto/CryptStateOCB2.cpp | 55 ++++++++++++++++++++++------------- + src/crypto/CryptStateOCB2.h | 6 ++-- + 2 files changed, 38 insertions(+), 23 deletions(-) + +diff --git a/src/crypto/CryptStateOCB2.cpp b/src/crypto/CryptStateOCB2.cpp +index 640fdedac8..3b3473ffec 100644 +--- a/src/crypto/CryptStateOCB2.cpp ++++ b/src/crypto/CryptStateOCB2.cpp +@@ -30,7 +30,9 @@ + #include + #include + +-CryptStateOCB2::CryptStateOCB2() : CryptState(), enc_ctx(EVP_CIPHER_CTX_new()), dec_ctx(EVP_CIPHER_CTX_new()) { ++CryptStateOCB2::CryptStateOCB2() ++ : CryptState(), enc_ctx_ocb_enc(EVP_CIPHER_CTX_new()), dec_ctx_ocb_enc(EVP_CIPHER_CTX_new()), ++ enc_ctx_ocb_dec(EVP_CIPHER_CTX_new()), dec_ctx_ocb_dec(EVP_CIPHER_CTX_new()) { + for (int i = 0; i < 0x100; i++) + decrypt_history[i] = 0; + memset(raw_key, 0, AES_KEY_SIZE_BYTES); +@@ -39,8 +41,10 @@ CryptStateOCB2::CryptStateOCB2() : CryptState(), enc_ctx(EVP_CIPHER_CTX_new()), + } + + CryptStateOCB2::~CryptStateOCB2() noexcept { +- EVP_CIPHER_CTX_free(enc_ctx); +- EVP_CIPHER_CTX_free(dec_ctx); ++ EVP_CIPHER_CTX_free(enc_ctx_ocb_enc); ++ EVP_CIPHER_CTX_free(dec_ctx_ocb_enc); ++ EVP_CIPHER_CTX_free(enc_ctx_ocb_dec); ++ EVP_CIPHER_CTX_free(dec_ctx_ocb_dec); + } + + bool CryptStateOCB2::isValid() const { +@@ -257,25 +261,28 @@ static void inline ZERO(keyblock &block) { + block[i] = 0; + } + +-#define AESencrypt(src, dst, key) \ +- { \ +- int outlen = 0; \ +- EVP_EncryptInit_ex(enc_ctx, EVP_aes_128_ecb(), NULL, key, NULL); \ +- EVP_CIPHER_CTX_set_padding(enc_ctx, 0); \ +- EVP_EncryptUpdate(enc_ctx, reinterpret_cast< unsigned char * >(dst), &outlen, \ +- reinterpret_cast< const unsigned char * >(src), AES_BLOCK_SIZE); \ +- EVP_EncryptFinal_ex(enc_ctx, reinterpret_cast< unsigned char * >(dst + outlen), &outlen); \ ++#define AESencrypt_ctx(src, dst, key, enc_ctx) \ ++ { \ ++ int outlen = 0; \ ++ EVP_EncryptInit_ex(enc_ctx, EVP_aes_128_ecb(), NULL, key, NULL); \ ++ EVP_CIPHER_CTX_set_padding(enc_ctx, 0); \ ++ EVP_EncryptUpdate(enc_ctx, reinterpret_cast< unsigned char * >(dst), &outlen, \ ++ reinterpret_cast< const unsigned char * >(src), AES_BLOCK_SIZE); \ ++ EVP_EncryptFinal_ex(enc_ctx, reinterpret_cast< unsigned char * >((dst) + outlen), &outlen); \ + } +-#define AESdecrypt(src, dst, key) \ +- { \ +- int outlen = 0; \ +- EVP_DecryptInit_ex(dec_ctx, EVP_aes_128_ecb(), NULL, key, NULL); \ +- EVP_CIPHER_CTX_set_padding(dec_ctx, 0); \ +- EVP_DecryptUpdate(dec_ctx, reinterpret_cast< unsigned char * >(dst), &outlen, \ +- reinterpret_cast< const unsigned char * >(src), AES_BLOCK_SIZE); \ +- EVP_DecryptFinal_ex(dec_ctx, reinterpret_cast< unsigned char * >(dst + outlen), &outlen); \ ++#define AESdecrypt_ctx(src, dst, key, dec_ctx) \ ++ { \ ++ int outlen = 0; \ ++ EVP_DecryptInit_ex(dec_ctx, EVP_aes_128_ecb(), NULL, key, NULL); \ ++ EVP_CIPHER_CTX_set_padding(dec_ctx, 0); \ ++ EVP_DecryptUpdate(dec_ctx, reinterpret_cast< unsigned char * >(dst), &outlen, \ ++ reinterpret_cast< const unsigned char * >(src), AES_BLOCK_SIZE); \ ++ EVP_DecryptFinal_ex(dec_ctx, reinterpret_cast< unsigned char * >((dst) + outlen), &outlen); \ + } + ++#define AESencrypt(src, dst, key) AESencrypt_ctx(src, dst, key, enc_ctx_ocb_enc) ++#define AESdecrypt(src, dst, key) AESdecrypt_ctx(src, dst, key, dec_ctx_ocb_enc) ++ + bool CryptStateOCB2::ocb_encrypt(const unsigned char *plain, unsigned char *encrypted, unsigned int len, + const unsigned char *nonce, unsigned char *tag, bool modifyPlainOnXEXStarAttack) { + keyblock checksum, delta, tmp, pad; +@@ -345,6 +352,12 @@ bool CryptStateOCB2::ocb_encrypt(const unsigned char *plain, unsigned char *encr + return success; + } + ++#undef AESencrypt ++#undef AESdecrypt ++ ++#define AESencrypt(src, dst, key) AESencrypt_ctx(src, dst, key, enc_ctx_ocb_dec) ++#define AESdecrypt(src, dst, key) AESdecrypt_ctx(src, dst, key, dec_ctx_ocb_dec) ++ + bool CryptStateOCB2::ocb_decrypt(const unsigned char *encrypted, unsigned char *plain, unsigned int len, + const unsigned char *nonce, unsigned char *tag) { + keyblock checksum, delta, tmp, pad; +@@ -392,9 +405,9 @@ bool CryptStateOCB2::ocb_decrypt(const unsigned char *encrypted, unsigned char * + return success; + } + ++#undef AESencrypt ++#undef AESdecrypt + #undef BLOCKSIZE + #undef SHIFTBITS + #undef SWAPPED + #undef HIGHBIT +-#undef AESencrypt +-#undef AESdecrypt +diff --git a/src/crypto/CryptStateOCB2.h b/src/crypto/CryptStateOCB2.h +index cc3f1c0bc3..0fd3000ade 100644 +--- a/src/crypto/CryptStateOCB2.h ++++ b/src/crypto/CryptStateOCB2.h +@@ -44,8 +44,10 @@ class CryptStateOCB2 : public CryptState { + unsigned char decrypt_iv[AES_BLOCK_SIZE]; + unsigned char decrypt_history[0x100]; + +- EVP_CIPHER_CTX *enc_ctx; +- EVP_CIPHER_CTX *dec_ctx; ++ EVP_CIPHER_CTX *enc_ctx_ocb_enc; ++ EVP_CIPHER_CTX *dec_ctx_ocb_enc; ++ EVP_CIPHER_CTX *enc_ctx_ocb_dec; ++ EVP_CIPHER_CTX *dec_ctx_ocb_dec; + }; + + diff --git a/srcpkgs/mumble/template b/srcpkgs/mumble/template index 2e6f50da0140..acb6af454e0f 100644 --- a/srcpkgs/mumble/template +++ b/srcpkgs/mumble/template @@ -1,7 +1,7 @@ # Template file for 'mumble' pkgname=mumble version=1.4.287 -revision=1 +revision=2 build_style=cmake make_cmd=make configure_args="-Doverlay-xcompile=OFF -Dbundled-opus=OFF