From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id DEDBC158096 for ; Sun, 10 Jul 2022 22:52:09 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 21710E0D53; Sun, 10 Jul 2022 22:52:09 +0000 (UTC) Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id E729FE0D53 for ; Sun, 10 Jul 2022 22:52:08 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 775CC341090 for ; Sun, 10 Jul 2022 22:52:07 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id EEA6B105 for ; Sun, 10 Jul 2022 22:52:05 +0000 (UTC) From: "Quentin Retornaz" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Quentin Retornaz" Message-ID: <1657493359.df7659707786500b32825b8407c13c30b9ef4201.quentin@gentoo> Subject: [gentoo-commits] repo/proj/libressl:master commit in: net-libs/pjproject/, net-libs/pjproject/files/ X-VCS-Repository: repo/proj/libressl X-VCS-Files: net-libs/pjproject/Manifest net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch net-libs/pjproject/files/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch net-libs/pjproject/files/pjproject-2.10-CVE-2021-32686-AST-2021-009-GHSA-cv8x-p47p-99wr.patch net-libs/pjproject/files/pjproject-2.10-libressl.patch net-libs/pjproject/files/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch net-libs/pjproject/files/pjproject-2.9-config_site.h net-libs/pjproject/files/pjproject-2.9-ssl-enable.patch net-libs/pjproject/metadata.xml net-libs/pjproject/pjproject-2.10-r2.ebuild X-VCS-Directories: net-libs/pjproject/ net-libs/pjproject/files/ X-VCS-Committer: quentin X-VCS-Committer-Name: Quentin Retornaz X-VCS-Revision: df7659707786500b32825b8407c13c30b9ef4201 X-VCS-Branch: master Date: Sun, 10 Jul 2022 22:52:05 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: af54db4b-f5a2-4e61-ac5e-76d871103802 X-Archives-Hash: 655ff163be06a4c3ee80aa40f44b84c6 commit: df7659707786500b32825b8407c13c30b9ef4201 Author: orbea riseup net> AuthorDate: Wed Jul 6 04:10:42 2022 +0000 Commit: Quentin Retornaz retornaz com> CommitDate: Sun Jul 10 22:49:19 2022 +0000 URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=df765970 net-libs/pjproject: Add 2.10-r2 Signed-off-by: orbea riseup.net> Signed-off-by: Quentin Retornaz retornaz.com> net-libs/pjproject/Manifest | 1 + ...ct-2.10-CVE-2020-15260-tls-hostname-check.patch | 125 +++++++++ ...-CVE-2021-21375-negotiation-failure-crash.patch | 45 ++++ ...21-32686-AST-2021-009-GHSA-cv8x-p47p-99wr.patch | 289 +++++++++++++++++++++ .../pjproject/files/pjproject-2.10-libressl.patch | 17 ++ ...ion-between-transport-destroy-and-acquire.patch | 108 ++++++++ .../pjproject/files/pjproject-2.9-config_site.h | 74 ++++++ .../pjproject/files/pjproject-2.9-ssl-enable.patch | 100 +++++++ net-libs/pjproject/metadata.xml | 8 +- net-libs/pjproject/pjproject-2.10-r2.ebuild | 126 +++++++++ 10 files changed, 890 insertions(+), 3 deletions(-) diff --git a/net-libs/pjproject/Manifest b/net-libs/pjproject/Manifest index 0b9f89a..6adb41c 100644 --- a/net-libs/pjproject/Manifest +++ b/net-libs/pjproject/Manifest @@ -1 +1,2 @@ +DIST pjproject-2.10.tar.gz 8768705 BLAKE2B 42d70867e2e0474313426f1e188586d203d6165c28a133a62dedacd2deb2899215212824d9402a48fcc66bb08a17b796d3625e1d51a8aedc9aa4b3a3bf1cb8fa SHA512 a67f083df175b536b4e6a7b7fe39e07d3ee805d6917ec64a50694542a7455c33a100889191044ab3fa679b6656774a6be045621aa53510b5f04cdde9ddd59893 DIST pjproject-2.7.2.tar.bz2 4994233 BLAKE2B 44ecaf0997d5dd9b18e0b811cead7c9104e63894fa06fb1d64e79b60fa4210968fd90ef47e5f5be3629675363c8756ce3bc1834caa9700654ab4c53efe676ee7 SHA512 3d355ffcbbeed62cfc711e574a987dc06043ccf4f2625820adffa89167022b8306fcee3fada71d3d45e7b902fc9c65ac8221de101cbafed25362a3921f702afd diff --git a/net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch b/net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch new file mode 100644 index 0000000..0d7df68 --- /dev/null +++ b/net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch @@ -0,0 +1,125 @@ +From 67e46c1ac45ad784db5b9080f5ed8b133c122872 Mon Sep 17 00:00:00 2001 +From: sauwming +Date: Mon, 8 Mar 2021 17:39:36 +0800 +Subject: [PATCH] Merge pull request from GHSA-8hcp-hm38-mfph + +* Check hostname during TLS transport selection + +* revision based on feedback + +* remove the code in create_request that has been moved +--- + pjsip/include/pjsip/sip_dialog.h | 1 + + pjsip/src/pjsip/sip_dialog.c | 15 +++++++++++++++ + pjsip/src/pjsip/sip_transport.c | 13 +++++++++++++ + pjsip/src/pjsip/sip_util.c | 11 ++++++++--- + 4 files changed, 37 insertions(+), 3 deletions(-) + +diff --git a/pjsip/include/pjsip/sip_dialog.h b/pjsip/include/pjsip/sip_dialog.h +index a0214d28c..e314c2ece 100644 +--- a/pjsip/include/pjsip/sip_dialog.h ++++ b/pjsip/include/pjsip/sip_dialog.h +@@ -165,6 +165,7 @@ struct pjsip_dialog + pjsip_route_hdr route_set; /**< Route set. */ + pj_bool_t route_set_frozen; /**< Route set has been set. */ + pjsip_auth_clt_sess auth_sess; /**< Client authentication session. */ ++ pj_str_t initial_dest;/**< Initial destination host. */ + + /** Session counter. */ + int sess_count; /**< Number of sessions. */ +diff --git a/pjsip/src/pjsip/sip_dialog.c b/pjsip/src/pjsip/sip_dialog.c +index 27530e4f2..9571b5a35 100644 +--- a/pjsip/src/pjsip/sip_dialog.c ++++ b/pjsip/src/pjsip/sip_dialog.c +@@ -467,6 +467,10 @@ pj_status_t create_uas_dialog( pjsip_user_agent *ua, + + /* Save the remote info. */ + pj_strdup(dlg->pool, &dlg->remote.info_str, &tmp); ++ ++ /* Save initial destination host from transport's info */ ++ pj_strdup(dlg->pool, &dlg->initial_dest, ++ &rdata->tp_info.transport->remote_name.host); + + + /* Init remote's contact from Contact header. +@@ -1192,6 +1196,12 @@ static pj_status_t dlg_create_request_throw( pjsip_dialog *dlg, + return status; + } + ++ /* Copy the initial destination host to tdata. This information can be ++ * used later by transport for transport selection. ++ */ ++ if (dlg->initial_dest.slen) ++ pj_strdup(tdata->pool, &tdata->dest_info.name, &dlg->initial_dest); ++ + /* Done. */ + *p_tdata = tdata; + +@@ -1822,6 +1832,11 @@ static void dlg_update_routeset(pjsip_dialog *dlg, const pjsip_rx_data *rdata) + * transaction as the initial transaction that establishes dialog. + */ + if (dlg->role == PJSIP_ROLE_UAC) { ++ /* Save initial destination host from transport's info. */ ++ if (!dlg->initial_dest.slen) { ++ pj_strdup(dlg->pool, &dlg->initial_dest, ++ &rdata->tp_info.transport->remote_name.host); ++ } + + /* Ignore subsequent request from remote */ + if (msg->type != PJSIP_RESPONSE_MSG) +diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c +index bef6d24fe..177274b08 100644 +--- a/pjsip/src/pjsip/sip_transport.c ++++ b/pjsip/src/pjsip/sip_transport.c +@@ -2335,6 +2335,19 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr, + if (!tp_iter->tp->is_shutdown && + !tp_iter->tp->is_destroying) + { ++ if ((type & PJSIP_TRANSPORT_SECURE) && tdata) { ++ /* For secure transport, make sure tdata's ++ * destination host matches the transport's ++ * remote host. ++ */ ++ if (pj_stricmp(&tdata->dest_info.name, ++ &tp_iter->tp->remote_name.host)) ++ { ++ tp_iter = tp_iter->next; ++ continue; ++ } ++ } ++ + if (sel && sel->type == PJSIP_TPSELECTOR_LISTENER && + sel->u.listener) + { +diff --git a/pjsip/src/pjsip/sip_util.c b/pjsip/src/pjsip/sip_util.c +index a1bf878ea..cf916805d 100644 +--- a/pjsip/src/pjsip/sip_util.c ++++ b/pjsip/src/pjsip/sip_util.c +@@ -1417,7 +1417,10 @@ PJ_DEF(pj_status_t) pjsip_endpt_send_request_stateless(pjsip_endpoint *endpt, + */ + if (tdata->dest_info.addr.count == 0) { + /* Copy the destination host name to TX data */ +- pj_strdup(tdata->pool, &tdata->dest_info.name, &dest_info.addr.host); ++ if (!tdata->dest_info.name.slen) { ++ pj_strdup(tdata->pool, &tdata->dest_info.name, ++ &dest_info.addr.host); ++ } + + pjsip_endpt_resolve( endpt, tdata->pool, &dest_info, stateless_data, + &stateless_send_resolver_callback); +@@ -1810,8 +1813,10 @@ PJ_DEF(pj_status_t) pjsip_endpt_send_response( pjsip_endpoint *endpt, + } + } else { + /* Copy the destination host name to TX data */ +- pj_strdup(tdata->pool, &tdata->dest_info.name, +- &res_addr->dst_host.addr.host); ++ if (!tdata->dest_info.name.slen) { ++ pj_strdup(tdata->pool, &tdata->dest_info.name, ++ &res_addr->dst_host.addr.host); ++ } + + pjsip_endpt_resolve(endpt, tdata->pool, &res_addr->dst_host, + send_state, &send_response_resolver_cb); +-- +2.26.2 + diff --git a/net-libs/pjproject/files/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch b/net-libs/pjproject/files/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch new file mode 100644 index 0000000..9dc9016 --- /dev/null +++ b/net-libs/pjproject/files/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch @@ -0,0 +1,45 @@ +From 97b3d7addbaa720b7ddb0af9bf6f3e443e664365 Mon Sep 17 00:00:00 2001 +From: Nanang Izzuddin +Date: Mon, 8 Mar 2021 16:09:34 +0700 +Subject: [PATCH] Merge pull request from GHSA-hvq6-f89p-frvp + +--- + pjmedia/src/pjmedia/sdp_neg.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/pjmedia/src/pjmedia/sdp_neg.c b/pjmedia/src/pjmedia/sdp_neg.c +index f4838f75d..9f76b5200 100644 +--- a/pjmedia/src/pjmedia/sdp_neg.c ++++ b/pjmedia/src/pjmedia/sdp_neg.c +@@ -304,7 +304,6 @@ PJ_DEF(pj_status_t) pjmedia_sdp_neg_modify_local_offer2( + { + pjmedia_sdp_session *new_offer; + pjmedia_sdp_session *old_offer; +- char media_used[PJMEDIA_MAX_SDP_MEDIA]; + unsigned oi; /* old offer media index */ + pj_status_t status; + +@@ -323,8 +322,19 @@ PJ_DEF(pj_status_t) pjmedia_sdp_neg_modify_local_offer2( + /* Change state to STATE_LOCAL_OFFER */ + neg->state = PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER; + ++ /* When there is no active local SDP in state PJMEDIA_SDP_NEG_STATE_DONE, ++ * it means that the previous initial SDP nego must have been failed, ++ * so we'll just set the local SDP offer here. ++ */ ++ if (!neg->active_local_sdp) { ++ neg->initial_sdp_tmp = NULL; ++ neg->initial_sdp = pjmedia_sdp_session_clone(pool, local); ++ neg->neg_local_sdp = pjmedia_sdp_session_clone(pool, local); ++ ++ return PJ_SUCCESS; ++ } ++ + /* Init vars */ +- pj_bzero(media_used, sizeof(media_used)); + old_offer = neg->active_local_sdp; + new_offer = pjmedia_sdp_session_clone(pool, local); + +-- +2.26.2 + diff --git a/net-libs/pjproject/files/pjproject-2.10-CVE-2021-32686-AST-2021-009-GHSA-cv8x-p47p-99wr.patch b/net-libs/pjproject/files/pjproject-2.10-CVE-2021-32686-AST-2021-009-GHSA-cv8x-p47p-99wr.patch new file mode 100644 index 0000000..ba31cf1 --- /dev/null +++ b/net-libs/pjproject/files/pjproject-2.10-CVE-2021-32686-AST-2021-009-GHSA-cv8x-p47p-99wr.patch @@ -0,0 +1,289 @@ +From d5f95aa066f878b0aef6a64e60b61e8626e664cd Mon Sep 17 00:00:00 2001 +From: Nanang Izzuddin +Date: Fri, 23 Jul 2021 10:49:21 +0700 +Subject: [PATCH] Merge pull request from GHSA-cv8x-p47p-99wr + +* - Avoid SSL socket parent/listener getting destroyed during handshake by increasing parent's reference count. +- Add missing SSL socket close when the newly accepted SSL socket is discarded in SIP TLS transport. + +* - Fix silly mistake: accepted active socket created without group lock in SSL socket. +- Replace assertion with normal validation check of SSL socket instance in OpenSSL verification callback (verify_cb()) to avoid crash, e.g: if somehow race condition with SSL socket destroy happens or OpenSSL application data index somehow gets corrupted. +--- + pjlib/src/pj/ssl_sock_imp_common.c | 47 +++++++++++++++++++++-------- + pjlib/src/pj/ssl_sock_ossl.c | 45 ++++++++++++++++++++++----- + pjsip/src/pjsip/sip_transport_tls.c | 23 +++++++++++++- + 3 files changed, 95 insertions(+), 20 deletions(-) + +diff --git a/pjlib/src/pj/ssl_sock_imp_common.c b/pjlib/src/pj/ssl_sock_imp_common.c +index 025832da4..24533b397 100644 +--- a/pjlib/src/pj/ssl_sock_imp_common.c ++++ b/pjlib/src/pj/ssl_sock_imp_common.c +@@ -255,6 +255,8 @@ static pj_bool_t on_handshake_complete(pj_ssl_sock_t *ssock, + + /* Accepting */ + if (ssock->is_server) { ++ pj_bool_t ret = PJ_TRUE; ++ + if (status != PJ_SUCCESS) { + /* Handshake failed in accepting, destroy our self silently. */ + +@@ -272,6 +274,12 @@ static pj_bool_t on_handshake_complete(pj_ssl_sock_t *ssock, + status); + } + ++ /* Decrement ref count of parent */ ++ if (ssock->parent->param.grp_lock) { ++ pj_grp_lock_dec_ref(ssock->parent->param.grp_lock); ++ ssock->parent = NULL; ++ } ++ + /* Originally, this is a workaround for ticket #985. However, + * a race condition may occur in multiple worker threads + * environment when we are destroying SSL objects while other +@@ -315,23 +323,29 @@ static pj_bool_t on_handshake_complete(pj_ssl_sock_t *ssock, + + return PJ_FALSE; + } ++ + /* Notify application the newly accepted SSL socket */ + if (ssock->param.cb.on_accept_complete2) { +- pj_bool_t ret; + ret = (*ssock->param.cb.on_accept_complete2) + (ssock->parent, ssock, (pj_sockaddr_t*)&ssock->rem_addr, + pj_sockaddr_get_len((pj_sockaddr_t*)&ssock->rem_addr), + status); +- if (ret == PJ_FALSE) +- return PJ_FALSE; + } else if (ssock->param.cb.on_accept_complete) { +- pj_bool_t ret; + ret = (*ssock->param.cb.on_accept_complete) + (ssock->parent, ssock, (pj_sockaddr_t*)&ssock->rem_addr, + pj_sockaddr_get_len((pj_sockaddr_t*)&ssock->rem_addr)); +- if (ret == PJ_FALSE) +- return PJ_FALSE; + } ++ ++ /* Decrement ref count of parent and reset parent (we don't need it ++ * anymore, right?). ++ */ ++ if (ssock->parent->param.grp_lock) { ++ pj_grp_lock_dec_ref(ssock->parent->param.grp_lock); ++ ssock->parent = NULL; ++ } ++ ++ if (ret == PJ_FALSE) ++ return PJ_FALSE; + } + + /* Connecting */ +@@ -930,9 +944,13 @@ static pj_bool_t ssock_on_accept_complete (pj_ssl_sock_t *ssock_parent, + if (status != PJ_SUCCESS) + goto on_return; + ++ /* Set parent and add ref count (avoid parent destroy during handshake) */ ++ ssock->parent = ssock_parent; ++ if (ssock->parent->param.grp_lock) ++ pj_grp_lock_add_ref(ssock->parent->param.grp_lock); ++ + /* Update new SSL socket attributes */ + ssock->sock = newsock; +- ssock->parent = ssock_parent; + ssock->is_server = PJ_TRUE; + if (ssock_parent->cert) { + status = pj_ssl_sock_set_certificate(ssock, ssock->pool, +@@ -957,16 +975,20 @@ static pj_bool_t ssock_on_accept_complete (pj_ssl_sock_t *ssock_parent, + ssock->asock_rbuf = (void**)pj_pool_calloc(ssock->pool, + ssock->param.async_cnt, + sizeof(void*)); +- if (!ssock->asock_rbuf) +- return PJ_ENOMEM; ++ if (!ssock->asock_rbuf) { ++ status = PJ_ENOMEM; ++ goto on_return; ++ } + + for (i = 0; iparam.async_cnt; ++i) { + ssock->asock_rbuf[i] = (void*) pj_pool_alloc( + ssock->pool, + ssock->param.read_buffer_size + + sizeof(read_data_t*)); +- if (!ssock->asock_rbuf[i]) +- return PJ_ENOMEM; ++ if (!ssock->asock_rbuf[i]) { ++ status = PJ_ENOMEM; ++ goto on_return; ++ } + } + + /* If listener socket has group lock, automatically create group lock +@@ -980,7 +1002,7 @@ static pj_bool_t ssock_on_accept_complete (pj_ssl_sock_t *ssock_parent, + goto on_return; + + pj_grp_lock_add_ref(glock); +- asock_cfg.grp_lock = ssock->param.grp_lock = glock; ++ ssock->param.grp_lock = glock; + pj_grp_lock_add_handler(ssock->param.grp_lock, ssock->pool, ssock, + ssl_on_destroy); + } +@@ -1008,6 +1030,7 @@ static pj_bool_t ssock_on_accept_complete (pj_ssl_sock_t *ssock_parent, + + /* Create active socket */ + pj_activesock_cfg_default(&asock_cfg); ++ asock_cfg.grp_lock = ssock->param.grp_lock; + asock_cfg.async_cnt = ssock->param.async_cnt; + asock_cfg.concurrency = ssock->param.concurrency; + asock_cfg.whole_data = PJ_TRUE; +diff --git a/pjlib/src/pj/ssl_sock_ossl.c b/pjlib/src/pj/ssl_sock_ossl.c +index 88a2a6b94..df4f4f96a 100644 +--- a/pjlib/src/pj/ssl_sock_ossl.c ++++ b/pjlib/src/pj/ssl_sock_ossl.c +@@ -327,7 +327,8 @@ static pj_status_t STATUS_FROM_SSL_ERR(char *action, pj_ssl_sock_t *ssock, + ERROR_LOG("STATUS_FROM_SSL_ERR", err, ssock); + } + +- ssock->last_err = err; ++ if (ssock) ++ ssock->last_err = err; + return GET_STATUS_FROM_SSL_ERR(err); + } + +@@ -344,7 +345,8 @@ static pj_status_t STATUS_FROM_SSL_ERR2(char *action, pj_ssl_sock_t *ssock, + /* Dig for more from OpenSSL error queue */ + SSLLogErrors(action, ret, err, len, ssock); + +- ssock->last_err = ssl_err; ++ if (ssock) ++ ssock->last_err = ssl_err; + return GET_STATUS_FROM_SSL_ERR(ssl_err); + } + +@@ -786,6 +788,13 @@ static pj_status_t init_openssl(void) + + /* Create OpenSSL application data index for SSL socket */ + sslsock_idx = SSL_get_ex_new_index(0, "SSL socket", NULL, NULL, NULL); ++ if (sslsock_idx == -1) { ++ status = STATUS_FROM_SSL_ERR2("Init", NULL, -1, ERR_get_error(), 0); ++ PJ_LOG(1,(THIS_FILE, ++ "Fatal error: failed to get application data index for " ++ "SSL socket")); ++ return status; ++ } + + #if defined(PJ_SSL_SOCK_OSSL_USE_THREAD_CB) && \ + PJ_SSL_SOCK_OSSL_USE_THREAD_CB != 0 && OPENSSL_VERSION_NUMBER < 0x10100000L +@@ -819,21 +828,36 @@ static int password_cb(char *buf, int num, int rwflag, void *user_data) + } + + +-/* SSL password callback. */ ++/* SSL certificate verification result callback. ++ * Note that this callback seems to be always called from library worker ++ * thread, e.g: active socket on_read_complete callback, which should have ++ * already been equipped with race condition avoidance mechanism (should not ++ * be destroyed while callback is being invoked). ++ */ + static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) + { +- pj_ssl_sock_t *ssock; +- SSL *ossl_ssl; ++ pj_ssl_sock_t *ssock = NULL; ++ SSL *ossl_ssl = NULL; + int err; + + /* Get SSL instance */ + ossl_ssl = X509_STORE_CTX_get_ex_data(x509_ctx, + SSL_get_ex_data_X509_STORE_CTX_idx()); +- pj_assert(ossl_ssl); ++ if (!ossl_ssl) { ++ PJ_LOG(1,(THIS_FILE, ++ "SSL verification callback failed to get SSL instance")); ++ goto on_return; ++ } + + /* Get SSL socket instance */ + ssock = SSL_get_ex_data(ossl_ssl, sslsock_idx); +- pj_assert(ssock); ++ if (!ssock) { ++ /* SSL socket may have been destroyed */ ++ PJ_LOG(1,(THIS_FILE, ++ "SSL verification callback failed to get SSL socket " ++ "instance (sslsock_idx=%d).", sslsock_idx)); ++ goto on_return; ++ } + + /* Store verification status */ + err = X509_STORE_CTX_get_error(x509_ctx); +@@ -911,6 +935,7 @@ static int verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) + if (PJ_FALSE == ssock->param.verify_peer) + preverify_ok = 1; + ++on_return: + return preverify_ok; + } + +@@ -1474,6 +1499,12 @@ static void ssl_destroy(pj_ssl_sock_t *ssock) + static void ssl_reset_sock_state(pj_ssl_sock_t *ssock) + { + ossl_sock_t *ossock = (ossl_sock_t *)ssock; ++ ++ /* Detach from SSL instance */ ++ if (ossock->ossl_ssl) { ++ SSL_set_ex_data(ossock->ossl_ssl, sslsock_idx, NULL); ++ } ++ + /** + * Avoid calling SSL_shutdown() if handshake wasn't completed. + * OpenSSL 1.0.2f complains if SSL_shutdown() is called during an +diff --git a/pjsip/src/pjsip/sip_transport_tls.c b/pjsip/src/pjsip/sip_transport_tls.c +index 56a06cf99..24e43ef60 100644 +--- a/pjsip/src/pjsip/sip_transport_tls.c ++++ b/pjsip/src/pjsip/sip_transport_tls.c +@@ -1333,9 +1333,26 @@ static pj_bool_t on_accept_complete2(pj_ssl_sock_t *ssock, + PJ_UNUSED_ARG(src_addr_len); + + listener = (struct tls_listener*) pj_ssl_sock_get_user_data(ssock); ++ if (!listener) { ++ /* Listener already destroyed, e.g: after TCP accept but before SSL ++ * handshake is completed. ++ */ ++ if (new_ssock && accept_status == PJ_SUCCESS) { ++ /* Close the SSL socket if the accept op is successful */ ++ PJ_LOG(4,(THIS_FILE, ++ "Incoming TLS connection from %s (sock=%d) is discarded " ++ "because listener is already destroyed", ++ pj_sockaddr_print(src_addr, addr, sizeof(addr), 3), ++ new_ssock)); ++ ++ pj_ssl_sock_close(new_ssock); ++ } ++ ++ return PJ_FALSE; ++ } + + if (accept_status != PJ_SUCCESS) { +- if (listener && listener->tls_setting.on_accept_fail_cb) { ++ if (listener->tls_setting.on_accept_fail_cb) { + pjsip_tls_on_accept_fail_param param; + pj_ssl_sock_info ssi; + +@@ -1358,6 +1375,8 @@ static pj_bool_t on_accept_complete2(pj_ssl_sock_t *ssock, + PJ_ASSERT_RETURN(new_ssock, PJ_TRUE); + + if (!listener->is_registered) { ++ pj_ssl_sock_close(new_ssock); ++ + if (listener->tls_setting.on_accept_fail_cb) { + pjsip_tls_on_accept_fail_param param; + pj_bzero(¶m, sizeof(param)); +@@ -1409,6 +1428,8 @@ static pj_bool_t on_accept_complete2(pj_ssl_sock_t *ssock, + ssl_info.grp_lock, &tls); + + if (status != PJ_SUCCESS) { ++ pj_ssl_sock_close(new_ssock); ++ + if (listener->tls_setting.on_accept_fail_cb) { + pjsip_tls_on_accept_fail_param param; + pj_bzero(¶m, sizeof(param)); +-- +2.31.1 + diff --git a/net-libs/pjproject/files/pjproject-2.10-libressl.patch b/net-libs/pjproject/files/pjproject-2.10-libressl.patch new file mode 100644 index 0000000..16bf89a --- /dev/null +++ b/net-libs/pjproject/files/pjproject-2.10-libressl.patch @@ -0,0 +1,17 @@ +$OpenBSD: patch-pjlib_src_pj_ssl_sock_ossl_c,v 1.4 2021/05/07 20:00:03 tb Exp $ + +https://github.com/pjsip/pjproject/pull/2708 + +Index: pjlib/src/pj/ssl_sock_ossl.c +--- a/pjlib/src/pj/ssl_sock_ossl.c.orig ++++ b/pjlib/src/pj/ssl_sock_ossl.c +@@ -130,9 +130,6 @@ static unsigned get_nid_from_cid(unsigned cid) + # define X509_get_notBefore(x) X509_get0_notBefore(x) + # define X509_get_notAfter(x) X509_get0_notAfter(x) + # endif +-#else +-# define SSL_CIPHER_get_id(c) (c)->id +-# define SSL_set_session(ssl, s) (ssl)->session = (s) + #endif + + diff --git a/net-libs/pjproject/files/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch b/net-libs/pjproject/files/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch new file mode 100644 index 0000000..b036951 --- /dev/null +++ b/net-libs/pjproject/files/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch @@ -0,0 +1,108 @@ +From 90a16c523bfdf4d43c10506c972c5fd4250b2856 Mon Sep 17 00:00:00 2001 +From: Nanang Izzuddin +Date: Fri, 20 Nov 2020 10:52:22 +0700 +Subject: [PATCH] Race condition between transport destroy and acquire (#2470) + +* Handle race condition between transport_idle_callback() and pjsip_tpmgr_acquire_transport2(). +* Add transport destroy state check as additional of transport shutdown state check +--- + pjsip/src/pjsip/sip_transaction.c | 2 +- + pjsip/src/pjsip/sip_transport.c | 34 +++++++++++++++++++++++++------ + 2 files changed, 29 insertions(+), 7 deletions(-) + +diff --git a/pjsip/src/pjsip/sip_transaction.c b/pjsip/src/pjsip/sip_transaction.c +index 2b4ece7df..f663c7f4b 100644 +--- a/pjsip/src/pjsip/sip_transaction.c ++++ b/pjsip/src/pjsip/sip_transaction.c +@@ -2443,7 +2443,7 @@ static void tsx_update_transport( pjsip_transaction *tsx, + pjsip_transport_add_ref(tp); + pjsip_transport_add_state_listener(tp, &tsx_tp_state_callback, tsx, + &tsx->tp_st_key); +- if (tp->is_shutdown) { ++ if (tp->is_shutdown || tp->is_destroying) { + pjsip_transport_state_info info; + + pj_bzero(&info, sizeof(info)); +diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c +index 06fce358c..bef6d24fe 100644 +--- a/pjsip/src/pjsip/sip_transport.c ++++ b/pjsip/src/pjsip/sip_transport.c +@@ -1071,6 +1071,19 @@ static void transport_idle_callback(pj_timer_heap_t *timer_heap, + return; + + entry->id = PJ_FALSE; ++ ++ /* Set is_destroying flag under transport manager mutex to avoid ++ * race condition with pjsip_tpmgr_acquire_transport2(). ++ */ ++ pj_lock_acquire(tp->tpmgr->lock); ++ if (pj_atomic_get(tp->ref_cnt) == 0) { ++ tp->is_destroying = PJ_TRUE; ++ } else { ++ pj_lock_release(tp->tpmgr->lock); ++ return; ++ } ++ pj_lock_release(tp->tpmgr->lock); ++ + pjsip_transport_destroy(tp); + } + +@@ -1392,8 +1405,8 @@ PJ_DEF(pj_status_t) pjsip_transport_shutdown2(pjsip_transport *tp, + mgr = tp->tpmgr; + pj_lock_acquire(mgr->lock); + +- /* Do nothing if transport is being shutdown already */ +- if (tp->is_shutdown) { ++ /* Do nothing if transport is being shutdown/destroyed already */ ++ if (tp->is_shutdown || tp->is_destroying) { + pj_lock_release(mgr->lock); + pj_lock_release(tp->lock); + return PJ_SUCCESS; +@@ -2256,6 +2269,13 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr, + return PJSIP_ETPNOTSUITABLE; + } + ++ /* Make sure the transport is not being destroyed */ ++ if (seltp->is_destroying) { ++ pj_lock_release(mgr->lock); ++ TRACE_((THIS_FILE,"Transport to be acquired is being destroyed")); ++ return PJ_ENOTFOUND; ++ } ++ + /* We could also verify that the destination address is reachable + * from this transport (i.e. both are equal), but if application + * has requested a specific transport to be used, assume that +@@ -2311,8 +2331,10 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr, + if (tp_entry) { + transport *tp_iter = tp_entry; + do { +- /* Don't use transport being shutdown */ +- if (!tp_iter->tp->is_shutdown) { ++ /* Don't use transport being shutdown/destroyed */ ++ if (!tp_iter->tp->is_shutdown && ++ !tp_iter->tp->is_destroying) ++ { + if (sel && sel->type == PJSIP_TPSELECTOR_LISTENER && + sel->u.listener) + { +@@ -2382,7 +2404,7 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr, + TRACE_((THIS_FILE, "Transport found but from different listener")); + } + +- if (tp_ref!=NULL && !tp_ref->is_shutdown) { ++ if (tp_ref!=NULL && !tp_ref->is_shutdown && !tp_ref->is_destroying) { + /* + * Transport found! + */ +@@ -2624,7 +2646,7 @@ PJ_DEF(pj_status_t) pjsip_transport_add_state_listener ( + + PJ_ASSERT_RETURN(tp && cb && key, PJ_EINVAL); + +- if (tp->is_shutdown) { ++ if (tp->is_shutdown || tp->is_destroying) { + *key = NULL; + return PJ_EINVALIDOP; + } +-- +2.26.2 + diff --git a/net-libs/pjproject/files/pjproject-2.9-config_site.h b/net-libs/pjproject/files/pjproject-2.9-config_site.h new file mode 100644 index 0000000..d41ac1d --- /dev/null +++ b/net-libs/pjproject/files/pjproject-2.9-config_site.h @@ -0,0 +1,74 @@ +/* + * Based off of the Asterisk config_site.h file. + * + * In general it's the same with some removals due to being ebuild-managed. + */ + +#include + +/* handled by ebuild, default to disabled here */ +#ifndef PJMEDIA_HAS_SRTP +#define PJMEDIA_HAS_SRTP 0 +#endif + +#define PJ_MAX_HOSTNAME (256) +#define PJSIP_MAX_URL_SIZE (512) +#ifdef PJ_HAS_LINUX_EPOLL +#define PJ_IOQUEUE_MAX_HANDLES (5000) +#else +#define PJ_IOQUEUE_MAX_HANDLES (FD_SETSIZE) +#endif +#define PJ_IOQUEUE_HAS_SAFE_UNREG 1 +#define PJ_IOQUEUE_MAX_EVENTS_IN_SINGLE_POLL (16) + +#define PJ_SCANNER_USE_BITWISE 0 +#define PJ_OS_HAS_CHECK_STACK 0 + +#ifndef PJ_LOG_MAX_LEVEL +#define PJ_LOG_MAX_LEVEL 6 +#endif + +#define PJ_ENABLE_EXTRA_CHECK 1 +#define PJSIP_MAX_TSX_COUNT ((64*1024)-1) +#define PJSIP_MAX_DIALOG_COUNT ((64*1024)-1) +#define PJSIP_UDP_SO_SNDBUF_SIZE (512*1024) +#define PJSIP_UDP_SO_RCVBUF_SIZE (512*1024) +#define PJSIP_SAFE_MODULE 0 +#define PJ_HAS_STRICMP_ALNUM 0 + +/* + * Do not ever enable PJ_HASH_USE_OWN_TOLOWER because the algorithm is + * inconsistently used when calculating the hash value and doesn't + * convert the same characters as pj_tolower()/tolower(). Thus you + * can get different hash values if the string hashed has certain + * characters in it. (ASCII '@', '[', '\\', ']', '^', and '_') + */ +#undef PJ_HASH_USE_OWN_TOLOWER + +/* + It is imperative that PJSIP_UNESCAPE_IN_PLACE remain 0 or undefined. + Enabling it will result in SEGFAULTS when URIs containing escape sequences are encountered. +*/ +#undef PJSIP_UNESCAPE_IN_PLACE +#define PJSIP_MAX_PKT_LEN 32000 + +#undef PJ_TODO +#define PJ_TODO(x) + +/* Defaults too low for WebRTC */ +#define PJ_ICE_MAX_CAND 32 +#define PJ_ICE_MAX_CHECKS (PJ_ICE_MAX_CAND * PJ_ICE_MAX_CAND) + +/* Increase limits to allow more formats */ +#define PJMEDIA_MAX_SDP_FMT 64 +#define PJMEDIA_MAX_SDP_BANDW 4 +#define PJMEDIA_MAX_SDP_ATTR (PJMEDIA_MAX_SDP_FMT*2 + 4) +#define PJMEDIA_MAX_SDP_MEDIA 16 + +/* + * Turn off the periodic sending of CRLNCRLN. Default is on (90 seconds), + * which conflicts with the global section's keep_alive_interval option in + * pjsip.conf. + */ +#define PJSIP_TCP_KEEP_ALIVE_INTERVAL 0 +#define PJSIP_TLS_KEEP_ALIVE_INTERVAL 0 diff --git a/net-libs/pjproject/files/pjproject-2.9-ssl-enable.patch b/net-libs/pjproject/files/pjproject-2.9-ssl-enable.patch new file mode 100644 index 0000000..bb8a11d --- /dev/null +++ b/net-libs/pjproject/files/pjproject-2.9-ssl-enable.patch @@ -0,0 +1,100 @@ +From 2942c73cd3b3389ec1a35258f22ac9d0f0742de1 Mon Sep 17 00:00:00 2001 +From: Jaco Kroon +Date: Thu, 24 May 2018 15:40:33 +0200 +Subject: [PATCH] Fix support for --enable-ssl. + +This change enables the explicit use of --enable-ssl in such a way that +package managers such as portage (Gentoo) that explicitly does +--enable-ssl or --disable-ssl will get the results that it's looking +for. + +Without this specifying --enable-ssl would end up actually disabling it. + +Additionally, if --enable-ssl is specified but the script ends up being +unable to enable ssl it will fail. +--- + aconfigure | 16 ++++++++++++---- + aconfigure.ac | 15 ++++++++++++--- + 2 files changed, 24 insertions(+), 7 deletions(-) + +diff --git a/aconfigure b/aconfigure +index 0cf17faae..57bdfba87 100755 +--- a/aconfigure ++++ b/aconfigure +@@ -8001,8 +8001,9 @@ if test "${enable_ssl+set}" = set; then : + $as_echo "Checking if SSL support is disabled... yes" >&6; } + fi + +-else ++fi + ++if test "x$ac_no_ssl" != "x1"; then + if test "x$with_ssl" != "xno" -a "x$with_ssl" != "x"; then + CFLAGS="$CFLAGS -I$with_ssl/include" + CPPFLAGS="$CPPFLAGS -I$with_ssl/include" +@@ -8317,16 +8318,23 @@ $as_echo "GnuTLS library found, SSL support enabled" >&6; } + + ac_ssl_backend="gnutls" + else +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: ** No GnuTLS libraries found, disabling SSL support **" >&5 +-$as_echo "** No GnuTLS libraries found, disabling SSL support **" >&6; } ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: ** No GnuTLS libraries found **" >&5 ++$as_echo "** No GnuTLS libraries found **" >&6; } + fi + + fi + ++ if test "x$ac_ssl_backend" = "x"; then ++ if test "x$enable_ssl" = "xyes"; then ++ as_fn_error $? "SSL Support requested but neither OpenSSL nor GnuTLS operational" "$LINENO" 5 ++ else ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: No SSL detected, disabling SSL support" >&5 ++$as_echo "No SSL detected, disabling SSL support" >&6; } ++ fi ++ fi + fi + + +- + # Check whether --with-opencore-amrnb was given. + if test "${with_opencore_amrnb+set}" = set; then : + withval=$with_opencore_amrnb; as_fn_error $? "This option is obsolete and replaced by --with-opencore-amr=DIR" "$LINENO" 5 +diff --git a/aconfigure.ac b/aconfigure.ac +index 8d7d944a1..45c42756b 100644 +--- a/aconfigure.ac ++++ b/aconfigure.ac +@@ -1607,7 +1607,8 @@ AC_ARG_ENABLE(ssl, + AC_MSG_RESULT([Checking if SSL support is disabled... yes]) + fi + ], +- [ ++ []) ++if test "x$ac_no_ssl" != "x1"; then + if test "x$with_ssl" != "xno" -a "x$with_ssl" != "x"; then + CFLAGS="$CFLAGS -I$with_ssl/include" + CPPFLAGS="$CPPFLAGS -I$with_ssl/include" +@@ -1692,11 +1693,19 @@ AC_ARG_ENABLE(ssl, + AC_DEFINE(PJ_SSL_SOCK_IMP, PJ_SSL_SOCK_IMP_GNUTLS) + ac_ssl_backend="gnutls" + else +- AC_MSG_RESULT([** No GnuTLS libraries found, disabling SSL support **]) ++ AC_MSG_RESULT([** No GnuTLS libraries found **]) + fi + + fi +- ]) ++ ++ if test "x$ac_ssl_backend" = "x"; then ++ if test "x$enable_ssl" = "xyes"; then ++ AC_MSG_ERROR([SSL Support requested but neither OpenSSL nor GnuTLS operational]) ++ else ++ AC_MSG_RESULT([No SSL detected, disabling SSL support]) ++ fi ++ fi ++fi + + dnl # Obsolete option --with-opencore-amrnb + AC_ARG_WITH(opencore-amrnb, +-- +2.23.0 + diff --git a/net-libs/pjproject/metadata.xml b/net-libs/pjproject/metadata.xml index e737916..6e8f87f 100644 --- a/net-libs/pjproject/metadata.xml +++ b/net-libs/pjproject/metadata.xml @@ -1,11 +1,11 @@ - + - + jaco@uls.co.za Jaco Kroon - + proxy-maint@gentoo.org Proxy Maintainers @@ -15,6 +15,7 @@ Include G.711 codecs in the build Include G.722 codec in the build Include G.722.1 codec in the build + Include G.729 codec via net-libs/bcg729 Include iLBC codec in the build Include Linear/L16 codec family in the build Include libyuv in the build @@ -22,6 +23,7 @@ Include resampling implementations in the build Include SILK support in the build Include Video4Linux v2 support in the build + Include VP8 and VP9 codec support in the build Enable WebRTC support diff --git a/net-libs/pjproject/pjproject-2.10-r2.ebuild b/net-libs/pjproject/pjproject-2.10-r2.ebuild new file mode 100644 index 0000000..5f5276a --- /dev/null +++ b/net-libs/pjproject/pjproject-2.10-r2.ebuild @@ -0,0 +1,126 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit autotools flag-o-matic toolchain-funcs + +DESCRIPTION="Open source SIP, Media, and NAT Traversal Library" +HOMEPAGE="https://www.pjsip.org/" +SRC_URI="https://github.com/pjsip/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz" +KEYWORDS="amd64 ~arm ~arm64 ~ppc ~ppc64 x86" + +LICENSE="GPL-2" +SLOT="0/${PV}" + +# g729 not included due to special bcg729 handling. +CODEC_FLAGS="g711 g722 g7221 gsm ilbc speex l16" +VIDEO_FLAGS="sdl ffmpeg v4l2 openh264 libyuv vpx" +SOUND_FLAGS="alsa portaudio" +IUSE="amr debug epoll examples ipv6 opus resample silk ssl static-libs webrtc + ${CODEC_FLAGS} g729 + ${VIDEO_FLAGS} + ${SOUND_FLAGS}" + +PATCHES=( + "${FILESDIR}/pjproject-2.9-ssl-enable.patch" + "${FILESDIR}/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch" + "${FILESDIR}/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch" + "${FILESDIR}/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch" + "${FILESDIR}/pjproject-2.10-CVE-2021-32686-AST-2021-009-GHSA-cv8x-p47p-99wr.patch" + "${FILESDIR}/pjproject-2.10-libressl.patch" +) + +RDEPEND="net-libs/libsrtp:= + alsa? ( media-libs/alsa-lib ) + amr? ( media-libs/opencore-amr ) + ffmpeg? ( media-video/ffmpeg:= ) + g729? ( media-libs/bcg729 ) + gsm? ( media-sound/gsm ) + ilbc? ( media-libs/libilbc ) + openh264? ( media-libs/openh264 ) + opus? ( media-libs/opus ) + portaudio? ( media-libs/portaudio ) + resample? ( media-libs/libsamplerate ) + sdl? ( media-libs/libsdl ) + speex? ( + media-libs/speex + media-libs/speexdsp + ) + ssl? ( + dev-libs/openssl:0= + ) +" +DEPEND="${RDEPEND}" +BDEPEND="virtual/pkgconfig" + +src_prepare() { + default + rm configure || die "Unable to remove unwanted wrapper" + mv aconfigure.ac configure.ac || die "Unable to rename configure script source" + eautoreconf + + cp "${FILESDIR}/pjproject-2.9-config_site.h" "${S}/pjlib/include/pj/config_site.h" || die "Unable to create config_site.h" +} + +src_configure() { + local myconf=() + local videnable="--disable-video" + local t + + use debug || append-cflags -DNDEBUG=1 + use ipv6 && append-cflags -DPJ_HAS_IPV6=1 + append-cflags -DPJMEDIA_HAS_SRTP=1 + + for t in ${CODEC_FLAGS}; do + myconf+=( $(use_enable ${t} ${t}-codec) ) + done + myconf+=( $(use_enable g729 bcg729) ) + + for t in ${VIDEO_FLAGS}; do + myconf+=( $(use_enable ${t}) ) + use "${t}" && videnable="--enable-video" + done + + [ "${videnable}" = "--enable-video" ] && append-cflags -DPJMEDIA_HAS_VIDEO=1 + + LD="$(tc-getCC)" econf \ + --enable-shared \ + --with-external-srtp \ + ${videnable} \ + $(use_enable alsa sound) \ + $(use_enable amr opencore-amr) \ + $(use_enable epoll) \ + $(use_enable opus) \ + $(use_enable portaudio ext-sound) \ + $(use_enable resample libsamplerate) \ + $(use_enable resample resample-dll) \ + $(use_enable resample) \ + $(use_enable silk) \ + $(use_enable speex speex-aec) \ + $(use_enable ssl) \ + $(use_with gsm external-gsm) \ + $(use_with portaudio external-pa) \ + $(use_with speex external-speex) \ + $(usex webrtc '' --disable-libwebrtc) \ + "${myconf[@]}" +} + +src_compile() { + emake dep LD="$(tc-getCC)" + emake LD="$(tc-getCC)" +} + +src_install() { + default + + newbin pjsip-apps/bin/pjsua-${CHOST} pjsua + newbin pjsip-apps/bin/pjsystest-${CHOST} pjsystest + + if use examples; then + insinto "/usr/share/doc/${PF}/examples" + doins -r pjsip-apps/src/samples + fi + + use static-libs || rm "${ED}/usr/$(get_libdir)"/*.a || die "Error removing static archives" +}