Date: Thu, 21 Mar 2024 10:34:10 +0000
From: "Nia Alarie"
Subject: CVS commit: pkgsrc/chat/mumble
To: pkgsrc-changes@NetBSD.org
Reply-To: nia@netbsd.org
Message-Id: <20240321103411.03F82FA2C@cvs.NetBSD.org>

Module Name:	pkgsrc
Committed By:	nia
Date:		Thu Mar 21 10:34:10 UTC 2024

Modified Files:
	pkgsrc/chat/mumble: Makefile PLIST distinfo
Added Files:
	pkgsrc/chat/mumble/patches: patch-src_SelfSignedCertificate.cpp
	    patch-src_SelfSignedCertificate.h patch-src_crypto_CryptStateOCB2.cpp
	    patch-src_crypto_CryptStateOCB2.h

Log Message:
mumble: Update to 1.4.287

Various bug fixes and openssl3 support.

To generate a diff of this commit:
cvs rdiff -u -r1.60 -r1.61 pkgsrc/chat/mumble/Makefile
cvs rdiff -u -r1.5 -r1.6 pkgsrc/chat/mumble/PLIST
cvs rdiff -u -r1.11 -r1.12 pkgsrc/chat/mumble/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/chat/mumble/patches/patch-src_SelfSignedCertificate.cpp \
    pkgsrc/chat/mumble/patches/patch-src_SelfSignedCertificate.h \
    pkgsrc/chat/mumble/patches/patch-src_crypto_CryptStateOCB2.cpp \
    pkgsrc/chat/mumble/patches/patch-src_crypto_CryptStateOCB2.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/chat/mumble/Makefile diff -u pkgsrc/chat/mumble/Makefile:1.60 pkgsrc/chat/mumble/Makefile:1.61 --- pkgsrc/chat/mumble/Makefile:1.60 Tue Jan 30 14:21:36 2024 +++ pkgsrc/chat/mumble/Makefile Thu Mar 21 10:34:10 2024 
@@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.60 2024/01/30 14:21:36 ryoon Exp $ +# $NetBSD: Makefile,v 1.61 2024/03/21 10:34:10 nia Exp $ -DISTNAME= mumble-1.4.230 -PKGREVISION= 19 +DISTNAME= mumble-1.4.287 CATEGORIES= chat audio MASTER_SITES= ${MASTER_SITE_GITHUB:=mumble-voip/} GITHUB_PROJECT= mumble @@ -27,7 +26,8 @@ USE_CXX_FEATURES+= c++11 LDFLAGS.NetBSD+= -lrt # Basic sensible stuff for packaging. -CMAKE_ARGS+= -Dbundled-celt=off +# Requires 0.7.x, pkgsrc version is too new +#CMAKE_ARGS+= -Dbundled-celt=off CMAKE_ARGS+= -Dbundled-opus=off CMAKE_ARGS+= -Dbundled-speex=off CMAKE_ARGS+= -Dwarnings-as-errors=off @@ -59,7 +59,8 @@ CMAKE_ARGS+= -Doss=off CHECK_PORTABILITY_SKIP+= 3rdparty/opus-src/doc/build_draft.sh .include "options.mk" -.include "../../audio/celt/buildlink3.mk" +# Requires 0.7.x, pkgsrc version is too new +#.include "../../audio/celt/buildlink3.mk" .include "../../audio/libopus/buildlink3.mk" .include "../../audio/libsndfile/buildlink3.mk" .include "../../audio/speech-dispatcher/buildlink3.mk" Index: pkgsrc/chat/mumble/PLIST diff -u pkgsrc/chat/mumble/PLIST:1.5 pkgsrc/chat/mumble/PLIST:1.6 --- pkgsrc/chat/mumble/PLIST:1.5 Fri Apr 1 11:53:28 2022 +++ pkgsrc/chat/mumble/PLIST Thu Mar 21 10:34:10 2024 
@@ -1,10 +1,12 @@ -@comment $NetBSD: PLIST,v 1.5 2022/04/01 11:53:28 nia Exp $ +@comment $NetBSD: PLIST,v 1.6 2024/03/21 10:34:10 nia Exp $ bin/mumble bin/mumble-server +lib/mumble/libcelt0.so +lib/mumble/libcelt0.so.0.7.0 +man/man1/mumble-server-user-wrapper.1 +man/man1/mumble-server.1 man/man1/mumble.1 -man/man1/murmur-user-wrapper.1 -man/man1/murmurd.1 -share/applications/org.mumble_voip.mumble.desktop +share/applications/info.mumble.Mumble.desktop share/icons/hicolor/256x256/apps/mumble.png share/icons/hicolor/scalable/apps/mumble.svg -share/metainfo/org.mumble_voip.mumble.appdata.xml +share/metainfo/info.mumble.Mumble.appdata.xml Index: pkgsrc/chat/mumble/distinfo diff -u pkgsrc/chat/mumble/distinfo:1.11 pkgsrc/chat/mumble/distinfo:1.12 --- pkgsrc/chat/mumble/distinfo:1.11 Sun Apr 10 07:47:22 2022 +++ pkgsrc/chat/mumble/distinfo Thu Mar 21 10:34:10 2024 
@@ -1,11 +1,15 @@ -$NetBSD: distinfo,v 1.11 2022/04/10 07:47:22 nia Exp $ +$NetBSD: distinfo,v 1.12 2024/03/21 10:34:10 nia Exp $ -BLAKE2s (mumble-1.4.230.tar.gz) = 71d12d9d94a06a3c57b8b2230040efe3dff77048cbc5c4da11d1762bd5378cc8 -SHA512 (mumble-1.4.230.tar.gz) = 6cffc7a95d88b33876f4093b99266468210f5c14f190fbd2fbe4991bef91a567e55296e7c8c6cc99e19c054853211085cc3cc08109e367e6776afb70766b3a53 -Size (mumble-1.4.230.tar.gz) = 9441667 bytes +BLAKE2s (mumble-1.4.287.tar.gz) = 3de53d3709cccb51c93c6efa192633e14b9bd48fe7f9c25f7782cbb9c020c86b +SHA512 (mumble-1.4.287.tar.gz) = 34ed30c18257ba8deae6938009a90147c8bc3a0aca28e69bea7ec0262e8d2cdacb9a840fac7d3dd623a52ef8d5903ed5424b62b483af21d6df6aa9632eae9d82 +Size (mumble-1.4.287.tar.gz) = 9457292 bytes SHA1 (patch-overlay__gl_init__unix.c) = e8db446ee6b62af5c8e580a3927664c9b52bf4f7 SHA1 (patch-src_HostAddress.cpp) = 34ea0777f76dc236e96b83e43ba486952c676a1c SHA1 (patch-src_ProcessResolver.cpp) = f75286127d01c2f44308d6483e2af5b5e7bc1304 +SHA1 (patch-src_SelfSignedCertificate.cpp) = bfd3725e4936e00ac2ef6f7071affb8847a767de +SHA1 (patch-src_SelfSignedCertificate.h) = 5cd0e3637cc282ae3c22ae25c16b6a472f85a405 +SHA1 (patch-src_crypto_CryptStateOCB2.cpp) = 1b088a8c5d4b64f6ac7a76445c56d70b204bf646 +SHA1 (patch-src_crypto_CryptStateOCB2.h) = 7fa2047bf13a397a6cb9cb48c14134ab36d768f4 SHA1 (patch-src_mumble_CMakeLists.txt) = a171b707b8f5c8316f0c0c45bb0f8a38545f0f6a SHA1 (patch-src_mumble_OSS.cpp) = b0e38bade402998f7c5d0d71090a26fa4a77eb97 SHA1 (patch-src_mumble_ServerHandler.cpp) = 915e05a3e91c78b42181ce6156231be0bae25fa1 Added files: Index: pkgsrc/chat/mumble/patches/patch-src_SelfSignedCertificate.cpp diff -u /dev/null pkgsrc/chat/mumble/patches/patch-src_SelfSignedCertificate.cpp:1.1 --- /dev/null Thu Mar 21 10:34:10 2024 +++ pkgsrc/chat/mumble/patches/patch-src_SelfSignedCertificate.cpp Thu Mar 21 10:34:10 2024 
@@ -0,0 +1,335 @@ +$NetBSD: patch-src_SelfSignedCertificate.cpp,v 1.1 2024/03/21 10:34:10 nia Exp $ + +From f4cea62ed95e4967d8591f25e903f5e8fc2e2a30 Mon Sep 17 00:00:00 2001 +From: Terry Geng +Date: Mon, 6 Dec 2021 10:45:11 -0500 +Subject: [PATCH] BUILD(crypto): Migrate to OpenSSL 3.0-compatible API + +OpenSSL 3.0 deprecated several low-level APIs and the usage of them +caused errors/warnings that prevent the binary from being built against +OpenSSL 3.0. +Some primitive efforts have been made in #5317 but were incomplete. +This commit follows https://www.openssl.org/docs/man3.0/man7/migration_guide.html, +https://code.woboq.org/qt6/qtopcua/src/opcua/x509/qopcuakeypair_openssl.cpp.html, +and clears all errors/warnings related to the usage of deprecated APIs. + +--- src/SelfSignedCertificate.cpp.orig 2022-09-13 17:24:40.000000000 +0000 ++++ src/SelfSignedCertificate.cpp +@@ -5,8 +5,6 @@ + + #include "SelfSignedCertificate.h" + +-#include +- + #define SSL_STRING(x) QString::fromLatin1(x).toUtf8().data() + + static int add_ext(X509 *crt, int nid, char *value) { +@@ -28,108 +26,86 @@ static int add_ext(X509 *crt, int nid, c + return 1; + } + +-bool SelfSignedCertificate::generate(CertificateType certificateType, QString clientCertName, QString clientCertEmail, +- QSslCertificate &qscCert, QSslKey &qskKey) { +- bool ok = true; +- X509 *x509 = nullptr; +- EVP_PKEY *pkey = nullptr; +- RSA *rsa = nullptr; +- BIGNUM *e = nullptr; +- X509_NAME *name = nullptr; +- ASN1_INTEGER *serialNumber = nullptr; +- ASN1_TIME *notBefore = nullptr; +- ASN1_TIME *notAfter = nullptr; +- QString commonName; +- bool isServerCert = certificateType == CertificateTypeServerCertificate; +- +- if (CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) == -1) { +- ok = false; +- goto out; ++EVP_PKEY *SelfSignedCertificate::generate_rsa_keypair() { ++ EVP_PKEY *pkey = EVP_PKEY_new(); ++ if (!pkey) { ++ return nullptr; + } + +- x509 = X509_new(); +- if (!x509) { +- ok = false; +- goto out; ++#if OPENSSL_VERSION_NUMBER 
>= 0x10100000L ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, nullptr); ++ if (!ctx) { ++ return nullptr; + } +- +- pkey = EVP_PKEY_new(); +- if (!pkey) { +- ok = false; +- goto out; ++ if (EVP_PKEY_keygen_init(ctx) <= 0) { ++ return nullptr; + } +- +- rsa = RSA_new(); ++ if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048) <= 0) { ++ return nullptr; ++ } ++ if (EVP_PKEY_keygen(ctx, &pkey) <= 0) { ++ return nullptr; ++ } ++ EVP_PKEY_CTX_free(ctx); ++#else ++ RSA *rsa = RSA_new(); ++ BIGNUM *e = BN_new(); + if (!rsa) { +- ok = false; +- goto out; ++ return nullptr; + } +- +- e = BN_new(); + if (!e) { +- ok = false; +- goto out; ++ return nullptr; + } + if (BN_set_word(e, 65537) == 0) { +- ok = false; +- goto out; ++ return nullptr; + } +- + if (RSA_generate_key_ex(rsa, 2048, e, nullptr) == 0) { +- ok = false; +- goto out; ++ return nullptr; + } +- + if (EVP_PKEY_assign_RSA(pkey, rsa) == 0) { +- ok = false; +- goto out; +- } +- +- if (X509_set_version(x509, 2) == 0) { +- ok = false; +- goto out; +- } +- +- serialNumber = X509_get_serialNumber(x509); +- if (!serialNumber) { +- ok = false; +- goto out; +- } +- if (ASN1_INTEGER_set(serialNumber, 1) == 0) { +- ok = false; +- goto out; ++ return nullptr; + } ++ BN_free(e); ++ RSA_free(rsa); ++#endif ++ return pkey; ++} + +- notBefore = X509_get_notBefore(x509); +- if (!notBefore) { +- ok = false; +- goto out; +- } +- if (!X509_gmtime_adj(notBefore, 0)) { +- ok = false; +- goto out; ++#define CHECK(statement) \ ++ if (!(statement)) { \ ++ ok = false; \ ++ goto out; \ + } + +- notAfter = X509_get_notAfter(x509); +- if (!notAfter) { +- ok = false; +- goto out; +- } +- if (!X509_gmtime_adj(notAfter, 60 * 60 * 24 * 365 * 20)) { +- ok = false; +- goto out; +- } + +- if (X509_set_pubkey(x509, pkey) == 0) { +- ok = false; +- goto out; +- } ++bool SelfSignedCertificate::generate(CertificateType certificateType, QString clientCertName, QString clientCertEmail, ++ QSslCertificate &qscCert, QSslKey &qskKey) { ++ bool ok = true; 
++ EVP_PKEY *pkey = nullptr; ++ X509 *x509 = nullptr; ++ X509_NAME *name = nullptr; ++ ASN1_INTEGER *serialNumber = nullptr; ++ ASN1_TIME *notBefore = nullptr; ++ ASN1_TIME *notAfter = nullptr; ++ QString commonName; ++ bool isServerCert = certificateType == CertificateTypeServerCertificate; + +- name = X509_get_subject_name(x509); +- if (!name) { +- ok = false; +- goto out; +- } ++ // In Qt 5.15, a class was added to wrap up the procedures of generating a self-signed certificate. ++ // See https://doc.qt.io/qt-5/qopcuax509certificatesigningrequest.html. ++ // We should consider migrating to this class after switching to Qt 5.15. ++ ++ CHECK(pkey = generate_rsa_keypair()); ++ ++ CHECK(x509 = X509_new()); ++ CHECK(X509_set_version(x509, 2)); ++ CHECK(serialNumber = X509_get_serialNumber(x509)); ++ CHECK(ASN1_INTEGER_set(serialNumber, 1)); ++ CHECK(notBefore = X509_get_notBefore(x509)); ++ CHECK(X509_gmtime_adj(notBefore, 0)); ++ CHECK(notAfter = X509_get_notAfter(x509)); ++ CHECK(X509_gmtime_adj(notAfter, 60 * 60 * 24 * 365 * 20)) ++ CHECK(X509_set_pubkey(x509, pkey)); ++ CHECK(name = X509_get_subject_name(x509)); + + if (isServerCert) { + commonName = QLatin1String("Murmur Autogenerated Certificate v2"); +@@ -141,120 +117,63 @@ bool SelfSignedCertificate::generate(Cer + } + } + +- if (X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_UTF8, +- reinterpret_cast< unsigned char * >(commonName.toUtf8().data()), -1, -1, 0) +- == 0) { +- ok = false; +- goto out; +- } ++ CHECK(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_UTF8, ++ reinterpret_cast< unsigned char * >(commonName.toUtf8().data()), -1, -1, 0)); + +- if (X509_set_issuer_name(x509, name) == 0) { +- ok = false; +- goto out; +- } ++ CHECK(X509_set_issuer_name(x509, name)); + +- if (add_ext(x509, NID_basic_constraints, SSL_STRING("critical,CA:FALSE")) == 0) { +- ok = false; +- goto out; +- } ++ CHECK(add_ext(x509, NID_basic_constraints, SSL_STRING("critical,CA:FALSE"))); + + if (isServerCert) { +- if (add_ext(x509, 
NID_ext_key_usage, SSL_STRING("serverAuth,clientAuth")) == 0) { +- ok = false; +- goto out; +- } ++ CHECK(add_ext(x509, NID_ext_key_usage, SSL_STRING("serverAuth,clientAuth"))) + } else { +- if (add_ext(x509, NID_ext_key_usage, SSL_STRING("clientAuth")) == 0) { +- ok = false; +- goto out; +- } ++ CHECK(add_ext(x509, NID_ext_key_usage, SSL_STRING("clientAuth"))); + } + +- if (add_ext(x509, NID_subject_key_identifier, SSL_STRING("hash")) == 0) { +- ok = false; +- goto out; +- } ++ CHECK(add_ext(x509, NID_subject_key_identifier, SSL_STRING("hash"))); + + if (isServerCert) { +- if (add_ext(x509, NID_netscape_comment, SSL_STRING("Generated from murmur")) == 0) { +- ok = false; +- goto out; +- } ++ CHECK(add_ext(x509, NID_netscape_comment, SSL_STRING("Generated from murmur"))); + } else { +- if (add_ext(x509, NID_netscape_comment, SSL_STRING("Generated by Mumble")) == 0) { +- ok = false; +- goto out; +- } ++ CHECK(add_ext(x509, NID_netscape_comment, SSL_STRING("Generated by Mumble"))); + } + + if (!isServerCert) { + if (!clientCertEmail.trimmed().isEmpty()) { +- if (add_ext(x509, NID_subject_alt_name, +- QString::fromLatin1("email:%1").arg(clientCertEmail).toUtf8().data()) +- == 0) { +- ok = false; +- goto out; +- } ++ CHECK(add_ext(x509, NID_subject_alt_name, ++ QString::fromLatin1("email:%1").arg(clientCertEmail).toUtf8().data())); + } + } + +- if (X509_sign(x509, pkey, EVP_sha1()) == 0) { +- ok = false; +- goto out; +- } ++ CHECK(X509_sign(x509, pkey, EVP_sha1())); + + { + QByteArray crt; + int len = i2d_X509(x509, nullptr); +- if (len <= 0) { +- ok = false; +- goto out; +- } ++ CHECK(len > 0); + crt.resize(len); + + unsigned char *dptr = reinterpret_cast< unsigned char * >(crt.data()); +- if (i2d_X509(x509, &dptr) != len) { +- ok = false; +- goto out; +- } ++ CHECK(i2d_X509(x509, &dptr) == len); + + qscCert = QSslCertificate(crt, QSsl::Der); +- if (qscCert.isNull()) { +- ok = false; +- goto out; +- } ++ CHECK(!qscCert.isNull()); + } + + { + QByteArray key; + int len 
= i2d_PrivateKey(pkey, nullptr); +- if (len <= 0) { +- ok = false; +- goto out; +- } ++ CHECK(len > 0); + key.resize(len); + + unsigned char *dptr = reinterpret_cast< unsigned char * >(key.data()); +- if (i2d_PrivateKey(pkey, &dptr) != len) { +- ok = false; +- goto out; +- } ++ CHECK(i2d_PrivateKey(pkey, &dptr) == len); + + qskKey = QSslKey(key, QSsl::Rsa, QSsl::Der); +- if (qskKey.isNull()) { +- ok = false; +- goto out; +- } ++ CHECK(!qskKey.isNull()); + } + + out: +- if (e) { +- BN_free(e); +- } +- // We only need to free the pkey pointer, +- // not the RSA pointer. We have assigned +- // our RSA key to pkey, and it will be freed +- // once we free pkey. + if (pkey) { + EVP_PKEY_free(pkey); + } Index: pkgsrc/chat/mumble/patches/patch-src_SelfSignedCertificate.h diff -u /dev/null pkgsrc/chat/mumble/patches/patch-src_SelfSignedCertificate.h:1.1 --- /dev/null Thu Mar 21 10:34:10 2024 +++ pkgsrc/chat/mumble/patches/patch-src_SelfSignedCertificate.h Thu Mar 21 10:34:10 2024 
@@ -0,0 +1,36 @@ +$NetBSD: patch-src_SelfSignedCertificate.h,v 1.1 2024/03/21 10:34:10 nia Exp $ + +From f4cea62ed95e4967d8591f25e903f5e8fc2e2a30 Mon Sep 17 00:00:00 2001 +From: Terry Geng +Date: Mon, 6 Dec 2021 10:45:11 -0500 +Subject: [PATCH] BUILD(crypto): Migrate to OpenSSL 3.0-compatible API + +OpenSSL 3.0 deprecated several low-level APIs and the usage of them +caused errors/warnings that prevent the binary from being built against +OpenSSL 3.0. +Some primitive efforts have been made in #5317 but were incomplete. +This commit follows https://www.openssl.org/docs/man3.0/man7/migration_guide.html, +https://code.woboq.org/qt6/qtopcua/src/opcua/x509/qopcuakeypair_openssl.cpp.html, +and clears all errors/warnings related to the usage of deprecated APIs. + +--- src/SelfSignedCertificate.h.orig 2022-09-13 17:24:40.000000000 +0000 ++++ src/SelfSignedCertificate.h +@@ -6,6 +6,10 @@ + #ifndef MUMBLE_SELFSIGNEDCERTIFICATE_H_ + #define MUMBLE_SELFSIGNEDCERTIFICATE_H_ + ++#include ++#include ++#include ++ + #include + #include + #include +@@ -16,6 +20,7 @@ class SelfSignedCertificate { + private: + static bool generate(CertificateType certificateType, QString clientCertName, QString clientCertEmail, + QSslCertificate &qscCert, QSslKey &qskKey); ++ static EVP_PKEY *generate_rsa_keypair(); + + public: + static bool generateMumbleCertificate(QString name, QString email, QSslCertificate &qscCert, QSslKey &qskKey); Index: pkgsrc/chat/mumble/patches/patch-src_crypto_CryptStateOCB2.cpp diff -u /dev/null pkgsrc/chat/mumble/patches/patch-src_crypto_CryptStateOCB2.cpp:1.1 --- /dev/null Thu Mar 21 10:34:10 2024 +++ pkgsrc/chat/mumble/patches/patch-src_crypto_CryptStateOCB2.cpp Thu Mar 21 10:34:10 2024 
@@ -0,0 +1,180 @@ +$NetBSD: patch-src_crypto_CryptStateOCB2.cpp,v 1.1 2024/03/21 10:34:10 nia Exp $ + +From f4cea62ed95e4967d8591f25e903f5e8fc2e2a30 Mon Sep 17 00:00:00 2001 +From: Terry Geng +Date: Mon, 6 Dec 2021 10:45:11 -0500 +Subject: [PATCH] BUILD(crypto): Migrate to OpenSSL 3.0-compatible API + +OpenSSL 3.0 deprecated several low-level APIs and the usage of them +caused errors/warnings that prevent the binary from being built against +OpenSSL 3.0. +Some primitive efforts have been made in #5317 but were incomplete. +This commit follows https://www.openssl.org/docs/man3.0/man7/migration_guide.html, +https://code.woboq.org/qt6/qtopcua/src/opcua/x509/qopcuakeypair_openssl.cpp.html, +and clears all errors/warnings related to the usage of deprecated APIs. + +--- src/crypto/CryptStateOCB2.cpp.orig 2022-09-13 17:24:40.000000000 +0000 ++++ src/crypto/CryptStateOCB2.cpp +@@ -30,7 +30,9 @@ + #include + #include + +-CryptStateOCB2::CryptStateOCB2() : CryptState() { ++CryptStateOCB2::CryptStateOCB2() ++ : CryptState(), enc_ctx_ocb_enc(EVP_CIPHER_CTX_new()), dec_ctx_ocb_enc(EVP_CIPHER_CTX_new()), ++ enc_ctx_ocb_dec(EVP_CIPHER_CTX_new()), dec_ctx_ocb_dec(EVP_CIPHER_CTX_new()) { + for (int i = 0; i < 0x100; i++) + decrypt_history[i] = 0; + memset(raw_key, 0, AES_KEY_SIZE_BYTES); +@@ -38,6 +40,13 @@ CryptStateOCB2::CryptStateOCB2() : Crypt + memset(decrypt_iv, 0, AES_BLOCK_SIZE); + } + ++CryptStateOCB2::~CryptStateOCB2() noexcept { ++ EVP_CIPHER_CTX_free(enc_ctx_ocb_enc); ++ EVP_CIPHER_CTX_free(dec_ctx_ocb_enc); ++ EVP_CIPHER_CTX_free(enc_ctx_ocb_dec); ++ EVP_CIPHER_CTX_free(dec_ctx_ocb_dec); ++} ++ + bool CryptStateOCB2::isValid() const { + return bInit; + } +@@ -46,8 +55,6 @@ void CryptStateOCB2::genKey() { + CryptographicRandom::fillBuffer(raw_key, AES_KEY_SIZE_BYTES); + CryptographicRandom::fillBuffer(encrypt_iv, AES_BLOCK_SIZE); + CryptographicRandom::fillBuffer(decrypt_iv, AES_BLOCK_SIZE); +- AES_set_encrypt_key(raw_key, AES_KEY_SIZE_BITS, &encrypt_key); +- 
AES_set_decrypt_key(raw_key, AES_KEY_SIZE_BITS, &decrypt_key); + bInit = true; + } + +@@ -56,8 +63,6 @@ bool CryptStateOCB2::setKey(const std::s + memcpy(raw_key, rkey.data(), AES_KEY_SIZE_BYTES); + memcpy(encrypt_iv, eiv.data(), AES_BLOCK_SIZE); + memcpy(decrypt_iv, div.data(), AES_BLOCK_SIZE); +- AES_set_encrypt_key(raw_key, AES_KEY_SIZE_BITS, &encrypt_key); +- AES_set_decrypt_key(raw_key, AES_KEY_SIZE_BITS, &decrypt_key); + bInit = true; + return true; + } +@@ -256,10 +261,27 @@ static void inline ZERO(keyblock &block) + block[i] = 0; + } + +-#define AESencrypt(src, dst, key) \ +- AES_encrypt(reinterpret_cast< const unsigned char * >(src), reinterpret_cast< unsigned char * >(dst), key); +-#define AESdecrypt(src, dst, key) \ +- AES_decrypt(reinterpret_cast< const unsigned char * >(src), reinterpret_cast< unsigned char * >(dst), key); ++#define AESencrypt_ctx(src, dst, key, enc_ctx) \ ++ { \ ++ int outlen = 0; \ ++ EVP_EncryptInit_ex(enc_ctx, EVP_aes_128_ecb(), NULL, key, NULL); \ ++ EVP_CIPHER_CTX_set_padding(enc_ctx, 0); \ ++ EVP_EncryptUpdate(enc_ctx, reinterpret_cast< unsigned char * >(dst), &outlen, \ ++ reinterpret_cast< const unsigned char * >(src), AES_BLOCK_SIZE); \ ++ EVP_EncryptFinal_ex(enc_ctx, reinterpret_cast< unsigned char * >((dst) + outlen), &outlen); \ ++ } ++#define AESdecrypt_ctx(src, dst, key, dec_ctx) \ ++ { \ ++ int outlen = 0; \ ++ EVP_DecryptInit_ex(dec_ctx, EVP_aes_128_ecb(), NULL, key, NULL); \ ++ EVP_CIPHER_CTX_set_padding(dec_ctx, 0); \ ++ EVP_DecryptUpdate(dec_ctx, reinterpret_cast< unsigned char * >(dst), &outlen, \ ++ reinterpret_cast< const unsigned char * >(src), AES_BLOCK_SIZE); \ ++ EVP_DecryptFinal_ex(dec_ctx, reinterpret_cast< unsigned char * >((dst) + outlen), &outlen); \ ++ } ++ ++#define AESencrypt(src, dst, key) AESencrypt_ctx(src, dst, key, enc_ctx_ocb_enc) ++#define AESdecrypt(src, dst, key) AESdecrypt_ctx(src, dst, key, dec_ctx_ocb_enc) + + bool CryptStateOCB2::ocb_encrypt(const unsigned char *plain, unsigned char 
*encrypted, unsigned int len, + const unsigned char *nonce, unsigned char *tag, bool modifyPlainOnXEXStarAttack) { +@@ -267,7 +289,7 @@ bool CryptStateOCB2::ocb_encrypt(const u + bool success = true; + + // Initialize +- AESencrypt(nonce, delta, &encrypt_key); ++ AESencrypt(nonce, delta, raw_key); + ZERO(checksum); + + while (len > AES_BLOCK_SIZE) { +@@ -299,7 +321,7 @@ bool CryptStateOCB2::ocb_encrypt(const u + if (flipABit) { + *reinterpret_cast< unsigned char * >(tmp) ^= 1; + } +- AESencrypt(tmp, tmp, &encrypt_key); ++ AESencrypt(tmp, tmp, raw_key); + XOR(reinterpret_cast< subblock * >(encrypted), delta, tmp); + XOR(checksum, checksum, reinterpret_cast< const subblock * >(plain)); + if (flipABit) { +@@ -315,7 +337,7 @@ bool CryptStateOCB2::ocb_encrypt(const u + ZERO(tmp); + tmp[BLOCKSIZE - 1] = SWAPPED(len * 8); + XOR(tmp, tmp, delta); +- AESencrypt(tmp, pad, &encrypt_key); ++ AESencrypt(tmp, pad, raw_key); + memcpy(tmp, plain, len); + memcpy(reinterpret_cast< unsigned char * >(tmp) + len, reinterpret_cast< const unsigned char * >(pad) + len, + AES_BLOCK_SIZE - len); +@@ -325,24 +347,30 @@ bool CryptStateOCB2::ocb_encrypt(const u + + S3(delta); + XOR(tmp, delta, checksum); +- AESencrypt(tmp, tag, &encrypt_key); ++ AESencrypt(tmp, tag, raw_key); + + return success; + } + ++#undef AESencrypt ++#undef AESdecrypt ++ ++#define AESencrypt(src, dst, key) AESencrypt_ctx(src, dst, key, enc_ctx_ocb_dec) ++#define AESdecrypt(src, dst, key) AESdecrypt_ctx(src, dst, key, dec_ctx_ocb_dec) ++ + bool CryptStateOCB2::ocb_decrypt(const unsigned char *encrypted, unsigned char *plain, unsigned int len, + const unsigned char *nonce, unsigned char *tag) { + keyblock checksum, delta, tmp, pad; + bool success = true; + + // Initialize +- AESencrypt(nonce, delta, &encrypt_key); ++ AESencrypt(nonce, delta, raw_key); + ZERO(checksum); + + while (len > AES_BLOCK_SIZE) { + S2(delta); + XOR(tmp, delta, reinterpret_cast< const subblock * >(encrypted)); +- AESdecrypt(tmp, tmp, &decrypt_key); 
++ AESdecrypt(tmp, tmp, raw_key); + XOR(reinterpret_cast< subblock * >(plain), delta, tmp); + XOR(checksum, checksum, reinterpret_cast< const subblock * >(plain)); + len -= AES_BLOCK_SIZE; +@@ -354,7 +382,7 @@ bool CryptStateOCB2::ocb_decrypt(const u + ZERO(tmp); + tmp[BLOCKSIZE - 1] = SWAPPED(len * 8); + XOR(tmp, tmp, delta); +- AESencrypt(tmp, pad, &encrypt_key); ++ AESencrypt(tmp, pad, raw_key); + memset(tmp, 0, AES_BLOCK_SIZE); + memcpy(tmp, encrypted, len); + XOR(tmp, tmp, pad); +@@ -372,14 +400,14 @@ bool CryptStateOCB2::ocb_decrypt(const u + + S3(delta); + XOR(tmp, delta, checksum); +- AESencrypt(tmp, tag, &encrypt_key); ++ AESencrypt(tmp, tag, raw_key); + + return success; + } + ++#undef AESencrypt ++#undef AESdecrypt + #undef BLOCKSIZE + #undef SHIFTBITS + #undef SWAPPED + #undef HIGHBIT +-#undef AES_encrypt +-#undef AES_decrypt Index: pkgsrc/chat/mumble/patches/patch-src_crypto_CryptStateOCB2.h diff -u /dev/null pkgsrc/chat/mumble/patches/patch-src_crypto_CryptStateOCB2.h:1.1 --- /dev/null Thu Mar 21 10:34:10 2024 +++ pkgsrc/chat/mumble/patches/patch-src_crypto_CryptStateOCB2.h Thu Mar 21 10:34:10 2024 
@@ -0,0 +1,50 @@ +$NetBSD: patch-src_crypto_CryptStateOCB2.h,v 1.1 2024/03/21 10:34:10 nia Exp $ + +From f4cea62ed95e4967d8591f25e903f5e8fc2e2a30 Mon Sep 17 00:00:00 2001 +From: Terry Geng +Date: Mon, 6 Dec 2021 10:45:11 -0500 +Subject: [PATCH] BUILD(crypto): Migrate to OpenSSL 3.0-compatible API + +OpenSSL 3.0 deprecated several low-level APIs and the usage of them +caused errors/warnings that prevent the binary from being built against +OpenSSL 3.0. +Some primitive efforts have been made in #5317 but were incomplete. +This commit follows https://www.openssl.org/docs/man3.0/man7/migration_guide.html, +https://code.woboq.org/qt6/qtopcua/src/opcua/x509/qopcuakeypair_openssl.cpp.html, +and clears all errors/warnings related to the usage of deprecated APIs. + +--- src/crypto/CryptStateOCB2.h.orig 2022-09-13 17:24:40.000000000 +0000 ++++ src/crypto/CryptStateOCB2.h +@@ -8,8 +8,9 @@ + + #include "CryptState.h" + +-#include ++#include + ++#define AES_BLOCK_SIZE 16 + #define AES_KEY_SIZE_BITS 128 + #define AES_KEY_SIZE_BYTES (AES_KEY_SIZE_BITS / 8) + +@@ -17,7 +18,7 @@ + class CryptStateOCB2 : public CryptState { + public: + CryptStateOCB2(); +- ~CryptStateOCB2(){}; ++ ~CryptStateOCB2() noexcept override; + + virtual bool isValid() const Q_DECL_OVERRIDE; + virtual void genKey() Q_DECL_OVERRIDE; +@@ -43,8 +44,10 @@ private: + unsigned char decrypt_iv[AES_BLOCK_SIZE]; + unsigned char decrypt_history[0x100]; + +- AES_KEY encrypt_key; +- AES_KEY decrypt_key; ++ EVP_CIPHER_CTX *enc_ctx_ocb_enc; ++ EVP_CIPHER_CTX *dec_ctx_ocb_enc; ++ EVP_CIPHER_CTX *enc_ctx_ocb_dec; ++ EVP_CIPHER_CTX *dec_ctx_ocb_dec; + }; + + --_----------=_1711017250262390--
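
Review bot: The CELT 0.7.0 copy that now ships as lib/mumble/libcelt0.so.0.7.0 (PLIST hunk) is built from the mumble tarball because the Makefile hunks comment out -Dbundled-celt=off and the ../../audio/celt/buildlink3.mk include, so it is no longer covered by updates to the audio/celt package. The comment "Requires 0.7.x, pkgsrc version is too new" explains why, but it would help to say next to it that the bundled library is installed privately under lib/mumble and has to be followed through mumble releases, so whoever handles a future CELT fix knows to look here as well.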
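
Review bot: Every failure path in the new generate_rsa_keypair() (patch-src_SelfSignedCertificate.cpp, hunk @@ -28,108 +26,86 @@) returns nullptr without releasing what was already allocated. In the OPENSSL_VERSION_NUMBER >= 0x10100000L branch a failed EVP_PKEY_keygen_init, EVP_PKEY_CTX_set_rsa_keygen_bits or EVP_PKEY_keygen leaks both ctx and the pkey obtained from EVP_PKEY_new(); in the #else branch rsa, e and pkey leak the same way. Free them before each return, or route failures through one cleanup label as generate() does with CHECK. Also in the #else branch, RSA_free(rsa) is called after a successful EVP_PKEY_assign_RSA(pkey, rsa), although the comment this patch removes from the out: block says "We only need to free the pkey pointer, not the RSA pointer"; pkey owns the key at that point, so the returned pkey refers to a freed RSA and the RSA_free call should be dropped.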
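
Review bot: CHECK(X509_sign(x509, pkey, EVP_sha1())) in generate() (patch-src_SelfSignedCertificate.cpp, hunk @@ -141,120 +117,63 @@) keeps SHA-1 as the signature digest of the generated certificate; since the call is being rewritten anyway, EVP_sha256() would be the better choice. A smaller point in the same hunk: the line CHECK(add_ext(x509, NID_ext_key_usage, SSL_STRING("serverAuth,clientAuth"))) has no trailing semicolon and only compiles because CHECK expands to a bare if block. Wrapping the macro body in do { ... } while (0) and terminating every use with a semicolon would make it safe next to an else.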
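
Review bot: The four EVP_CIPHER_CTX_new() results in the CryptStateOCB2 constructor's initializer list (patch-src_crypto_CryptStateOCB2.cpp, hunk @@ -30,7 +30,9 @@) are never checked for nullptr, and isValid() only reports bInit, so an allocation failure goes unnoticed until the contexts are used inside ocb_encrypt()/ocb_decrypt(). Check the pointers once, either in the constructor or in genKey()/setKey(), and leave bInit false when any of them is null.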
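
Review bot: The AESencrypt_ctx and AESdecrypt_ctx macros (patch-src_crypto_CryptStateOCB2.cpp, hunk @@ -256,10 +261,27 @@) discard the return values of EVP_EncryptInit_ex, EVP_EncryptUpdate and EVP_EncryptFinal_ex and of their decrypt counterparts, so if any call fails dst holds no valid cipher output while ocb_encrypt()/ocb_decrypt() carry on and can still return success. Turn the macros into small functions that return bool and fold a failure into success. The Init call with the raw key also runs for every block; initialising each context once in genKey()/setKey(), where the AES_set_encrypt_key/AES_set_decrypt_key calls were removed, would avoid redoing the key setup per block. Finally, in reinterpret_cast< unsigned char * >((dst) + outlen) the addition happens before the cast, so for a keyblock destination the offset is scaled by the element size rather than counted in bytes; cast first, then add.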
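
Review bot: With the four raw EVP_CIPHER_CTX * members (patch-src_crypto_CryptStateOCB2.h, hunk @@ -43,8 +44,10 @@) and the destructor that frees them, copying a CryptStateOCB2 would leave two objects freeing the same contexts; none of the visible hunks deletes or defines the copy constructor and copy assignment operator. Either delete both explicitly or hold the contexts in std::unique_ptr with EVP_CIPHER_CTX_free as the deleter, which also removes the need for the hand-written destructor.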