
FIX #1762 update switch_apr.c for openssl3

Open jpfox156 opened this issue 2 years ago • 13 comments

Low-level OpenSSL API for accessing MD5 was deprecated in OpenSSL 3.0, leading to errors during compilation of FreeSWITCH. Update switch_md5 method to use the OpenSSL high-level API. Syntax plagiarized from: https://stackoverflow.com/questions/69806220/advice-needed-for-migration-of-low-level-openssl-api-to-high-level-openssl-apis

jpfox156 avatar Aug 21 '22 12:08 jpfox156

Unit-tests compilation failed: https://public-artifacts.signalwire.cloud/drone/signalwire/freeswitch/655/unit-tests-build-result.txt

signalwire-ci[bot] avatar Aug 21 '22 12:08 signalwire-ci[bot]

Scan-build compilation failed: https://public-artifacts.signalwire.cloud/drone/signalwire/freeswitch/655/scan-build-result.txt

signalwire-ci[bot] avatar Aug 21 '22 12:08 signalwire-ci[bot]

Unit-tests failed: https://public-artifacts.signalwire.cloud/drone/signalwire/freeswitch/656/artifacts.html

signalwire-ci[bot] avatar Aug 21 '22 12:08 signalwire-ci[bot]

Scan-build found bugs: https://public-artifacts.signalwire.cloud/drone/signalwire/freeswitch/656/index.html

signalwire-ci[bot] avatar Aug 21 '22 12:08 signalwire-ci[bot]

Unit-tests failed: https://public-artifacts.signalwire.cloud/drone/signalwire/freeswitch/657/artifacts.html

signalwire-ci[bot] avatar Aug 21 '22 12:08 signalwire-ci[bot]

Unit-tests failed: https://public-artifacts.signalwire.cloud/drone/signalwire/freeswitch/658/artifacts.html

signalwire-ci[bot] avatar Aug 21 '22 13:08 signalwire-ci[bot]

Unit-tests failed: https://public-artifacts.signalwire.cloud/drone/signalwire/freeswitch/712/artifacts.html

signalwire-ci[bot] avatar Aug 27 '22 13:08 signalwire-ci[bot]

Unit-tests failed: https://public-artifacts.signalwire.cloud/drone/signalwire/freeswitch/713/artifacts.html

signalwire-ci[bot] avatar Aug 27 '22 14:08 signalwire-ci[bot]

Unit-tests compilation failed: https://public-artifacts.signalwire.cloud/drone/signalwire/freeswitch/714/unit-tests-build-result.txt

signalwire-ci[bot] avatar Aug 27 '22 14:08 signalwire-ci[bot]

Scan-build compilation failed: https://public-artifacts.signalwire.cloud/drone/signalwire/freeswitch/714/scan-build-result.txt

signalwire-ci[bot] avatar Aug 27 '22 14:08 signalwire-ci[bot]

Unit-tests failed: https://public-artifacts.signalwire.cloud/drone/signalwire/freeswitch/716/artifacts.html

signalwire-ci[bot] avatar Aug 27 '22 14:08 signalwire-ci[bot]

Unit-tests compilation failed: https://public-artifacts.signalwire.cloud/drone/signalwire/freeswitch/718/unit-tests-build-result.txt

signalwire-ci[bot] avatar Aug 27 '22 14:08 signalwire-ci[bot]

Scan-build compilation failed: https://public-artifacts.signalwire.cloud/drone/signalwire/freeswitch/718/scan-build-result.txt

signalwire-ci[bot] avatar Aug 27 '22 15:08 signalwire-ci[bot]

@jpfox156 Can you rebase this?

ar45 avatar Dec 26 '22 22:12 ar45

@ar45, this has now been rebased to the current master branch. I can confirm that it compiles successfully with OpenSSL v3.

jpfox156 avatar Dec 30 '22 10:12 jpfox156

@andywolk Can you please review this?

ar45 avatar Dec 30 '22 17:12 ar45

What is preventing this from being accepted?

daniel-lucio avatar Feb 06 '23 20:02 daniel-lucio

> Low-level OpenSSL API for accessing MD5 was deprecated in OpenSSL 3.0, leading to errors during compilation of FreeSWITCH. Update switch_md5 method to use the OpenSSL high-level API. Syntax plagiarized from: https://stackoverflow.com/questions/69806220/advice-needed-for-migration-of-low-level-openssl-api-to-high-level-openssl-apis

> @ar45, this has now been rebased to the current master branch. I can confirm that it compiles successfully with OpenSSL v3.

Hello bro, are you able to compile OpenSSL v3 with FreeSWITCH? If so, please share the git link or configuration file. We're trying to compile but are facing issues. Thank you in advance @ar45

dinesh1310 avatar Apr 18 '23 12:04 dinesh1310

Unit-tests failed: https://public-artifacts.signalwire.cloud/drone/signalwire/freeswitch/1313/artifacts.html

signalwire-ci[bot] avatar Jun 26 '23 14:06 signalwire-ci[bot]

With the current changes FS may segfault, depending on openssl 3 config.

The crash happens because the return value of the call to mkcert in switch_core_gen_certs is not checked, and if the return value is 0 (which means that cert/key generation has failed) the pointers are not set but are still passed to PEM_write_PrivateKey, which segfaults if pkey is not set.

The reason mkcert fails is that (at least on RHEL 9) EVP_sha1 is deprecated, which makes X509_sign fail.

So I suggest two additions:

  • check retval for mkcert in switch_core_gen_certs, something like:
-	mkcert(&x509, &pkey, 4096, 0, 36500);
+	if (!mkcert(&x509, &pkey, 4096, 0, 36500)) {
+		switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Certificate generation failed\n");
+		abort();
+	}
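
Review bot: abort() in the new failure branch replaces one hard stop (the segfault) with another, so a certificate-generation error still takes the whole process down. Since x509 and pkey are only usable when mkcert returns non-zero, consider having switch_core_gen_certs log the error and report failure to its caller without reaching the PEM write calls, instead of aborting. The log message could also point at the OpenSSL error output so the cause is easy to find.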

  • then switch to EVP_sha256 when signing the certificate in mkcert, something like:

 	 */
 	X509_set_issuer_name(x, name);
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+	if (!X509_sign(x, pk, EVP_sha256()))
+#else
 	if (!X509_sign(x, pk, EVP_sha1()))
+#endif
 		goto err;
 
 	*x509p = x;
 	*pkeyp = pk;
 	return(1);
  err:
+	ERR_print_errors_fp(stdout);
 	return(0);
 }
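
Review bot: the `#if OPENSSL_VERSION_NUMBER >= 0x30000000` guard around X509_sign keeps EVP_sha1() for builds against older OpenSSL, so those builds still produce SHA-1-signed certificates. EVP_sha256() is available in pre-3.0 releases as well, so the call can use it unconditionally and the #if/#else can be dropped. On the err label, ERR_print_errors_fp(stdout) writes diagnostics to stdout; stderr, or the switch_log_printf path used in the other suggested change, would keep them with the rest of the error output.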
 

Note that I've also added a call to ERR_print_errors_fp on the err label in order to help diagnose.

xadhoom avatar Jul 06 '23 12:07 xadhoom

Unit-tests failed: https://public-artifacts.signalwire.cloud/drone/signalwire/freeswitch/1387/artifacts.html

signalwire-ci[bot] avatar Jul 24 '23 16:07 signalwire-ci[bot]

Unit-tests failed: https://public-artifacts.signalwire.cloud/drone/signalwire/freeswitch/1388/artifacts.html

signalwire-ci[bot] avatar Jul 24 '23 16:07 signalwire-ci[bot]