From 0d9fdfd8078147baeabc86d4bceec8ae2085276d Mon Sep 17 00:00:00 2001
From: martijn <martijn@openbsd.org>
Date: Thu, 19 Mar 2026 06:29:53 +0000
Subject: [PATCH] Update coturn to 4.9.0-r0.

with and OK sthen@
---
 telephony/coturn/Makefile                     |   2 +-
 telephony/coturn/distinfo                     |   4 +-
 telephony/coturn/patches/patch-configure      |  14 ++
 .../patches/patch-src_apps_common_apputils_c  |   2 +-
 .../patches/patch-src_apps_relay_mainrelay_c  | 199 +++++++++++++++++-
 .../patches/patch-src_apps_relay_mainrelay_h  |  15 ++
 telephony/coturn/pkg/PLIST                    |   4 -
 7 files changed, 229 insertions(+), 11 deletions(-)
 create mode 100644 telephony/coturn/patches/patch-configure
 create mode 100644 telephony/coturn/patches/patch-src_apps_relay_mainrelay_h

diff --git a/telephony/coturn/Makefile b/telephony/coturn/Makefile
index ef0cbfbc767..350abbba7e1 100644
--- a/telephony/coturn/Makefile
+++ b/telephony/coturn/Makefile
@@ -1,6 +1,6 @@
 COMMENT =	coturn STUN/TURN server
 
-V =		4.6.3-r0
+V =		4.9.0-r0
 GH_ACCOUNT =	coturn
 GH_PROJECT =	coturn
 GH_TAGNAME =	docker/${V}
diff --git a/telephony/coturn/distinfo b/telephony/coturn/distinfo
index 93d10c927ff..44836b10d7f 100644
--- a/telephony/coturn/distinfo
+++ b/telephony/coturn/distinfo
@@ -1,2 +1,2 @@
-SHA256 (turnserver-4.6.3pl0.tar.gz) = yIFrwM9YQT5Y6r8EDtTCHp8kHKk6cEVja1Dow0BsTrk=
-SIZE (turnserver-4.6.3pl0.tar.gz) = 535329
+SHA256 (turnserver-4.9.0pl0.tar.gz) = yCqvwI3ynHV2HxTNLTZHkpe7KsA3sKPrtX15uuvz1CQ=
+SIZE (turnserver-4.9.0pl0.tar.gz) = 546458
diff --git a/telephony/coturn/patches/patch-configure b/telephony/coturn/patches/patch-configure
new file mode 100644
index 00000000000..041730d5d92
--- /dev/null
+++ b/telephony/coturn/patches/patch-configure
@@ -0,0 +1,14 @@
+- Don't pick up coreutils
+
+Index: configure
+--- configure.orig
++++ configure
+@@ -448,7 +448,7 @@ fi
+ ###########################
+ 
+ type ginstall 2>>/dev/null
+-ER=$?
++ER=1
+ if [ ${ER} -eq 0 ] ; then
+ 	INSTALL_PROGRAM="ginstall"
+ 	INSTALL_MAN="ginstall"
diff --git a/telephony/coturn/patches/patch-src_apps_common_apputils_c b/telephony/coturn/patches/patch-src_apps_common_apputils_c
index bac4ba5c6b0..887c28bbbd5 100644
--- a/telephony/coturn/patches/patch-src_apps_common_apputils_c
+++ b/telephony/coturn/patches/patch-src_apps_common_apputils_c
@@ -1,7 +1,7 @@
 Index: src/apps/common/apputils.c
 --- src/apps/common/apputils.c.orig
 +++ src/apps/common/apputils.c
-@@ -1179,7 +1179,7 @@ char *find_config_file(const char *config_file) {
+@@ -1190,7 +1190,7 @@ char *find_config_file(const char *config_file) {
  /////////////////// SYS SETTINGS ///////////////////////
  
  void ignore_sigpipe(void) {
diff --git a/telephony/coturn/patches/patch-src_apps_relay_mainrelay_c b/telephony/coturn/patches/patch-src_apps_relay_mainrelay_c
index c79bb29d7dd..0ca8079d53f 100644
--- a/telephony/coturn/patches/patch-src_apps_relay_mainrelay_c
+++ b/telephony/coturn/patches/patch-src_apps_relay_mainrelay_c
@@ -1,14 +1,207 @@
-Don't create a default pidfile
+- Don't create a default pidfile
+- Revert 4c674289a8a2 to use old DH code, LibreSSL doesn't have OSSL_{DECODER,PARAM}
 
 Index: src/apps/relay/mainrelay.c
 --- src/apps/relay/mainrelay.c.orig
 +++ src/apps/relay/mainrelay.c
-@@ -126,7 +126,7 @@ turn_params_t turn_params = {
+@@ -33,7 +33,6 @@
+  */
  
-     0, /* do_not_use_config_file */
+ #include "mainrelay.h"
+-
+ #include "dbdrivers/dbdriver.h"
+ 
+ #include "prom_server.h"
+@@ -132,7 +131,7 @@ turn_params_t turn_params = {
+ 
+     false, /* do_not_use_config_file */
  
 -    "/var/run/turnserver.pid", /* pidfile */
 +    "",                        /* pidfile */
      "",                        /* acme_redirect */
  
      ////////////////  Listener server /////////////////
+@@ -3523,7 +3522,7 @@ static void adjust_key_file_names(void) {
+     adjust_key_file_name(turn_params.dh_file, "DH key", 0);
+   }
+ }
+-static EVP_PKEY *get_dh566(void) {
++static DH *get_dh566(void) {
+ 
+   unsigned char dh566_p[] = {0x36, 0x53, 0xA8, 0x9C, 0x3C, 0xF1, 0xD1, 0x1B, 0x2D, 0xA2, 0x64, 0xDE, 0x59, 0x3B, 0xE3,
+                              0x8C, 0x27, 0x74, 0xC2, 0xBE, 0x9B, 0x6D, 0x56, 0xE7, 0xDF, 0xFF, 0x67, 0x6A, 0xD2, 0x0C,
+@@ -3537,33 +3536,16 @@ static EVP_PKEY *get_dh566(void) {
+   //	-----END DH PARAMETERS-----
+ 
+   unsigned char dh566_g[] = {0x05};
++  DH *dh;
+ 
+-  BIGNUM *p = BN_bin2bn(dh566_p, sizeof(dh566_p), NULL);
+-  BIGNUM *g = BN_bin2bn(dh566_g, sizeof(dh566_g), NULL);
+-  if (!p || !g) {
+-    BN_free(p);
+-    BN_free(g);
+-    return NULL;
++  if ((dh = DH_new()) == NULL) {
++    return (NULL);
+   }
+-
+-  OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
+-  OSSL_PARAM_BLD_push_BN(bld, "p", p);
+-  OSSL_PARAM_BLD_push_BN(bld, "g", g);
+-  OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(bld);
+-  OSSL_PARAM_BLD_free(bld);
+-  BN_free(p);
+-  BN_free(g);
+-
+-  EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
+-  EVP_PKEY *pkey = NULL;
+-  EVP_PKEY_fromdata_init(pctx);
+-  EVP_PKEY_fromdata(pctx, &pkey, EVP_PKEY_KEY_PARAMETERS, params);
+-  EVP_PKEY_CTX_free(pctx);
+-  OSSL_PARAM_free(params);
+-  return pkey;
++  DH_set0_pqg(dh, BN_bin2bn(dh566_p, sizeof(dh566_p), NULL), NULL, BN_bin2bn(dh566_g, sizeof(dh566_g), NULL));
++  return (dh);
+ }
+ 
+-static EVP_PKEY *get_dh1066(void) {
++static DH *get_dh1066(void) {
+ 
+   unsigned char dh1066_p[] = {0x02, 0x0E, 0x26, 0x6F, 0xAA, 0x9F, 0xA8, 0xE5, 0x3F, 0x70, 0x88, 0xF1, 0xA9, 0x29, 0xAE,
+                               0x1A, 0x2B, 0xA8, 0x2F, 0xE8, 0xE5, 0x0E, 0x81, 0x78, 0xD7, 0x12, 0x41, 0xDC, 0xE2, 0xD5,
+@@ -3582,33 +3564,16 @@ static EVP_PKEY *get_dh1066(void) {
+   //	-----END DH PARAMETERS-----
+ 
+   unsigned char dh1066_g[] = {0x02};
++  DH *dh;
+ 
+-  BIGNUM *p = BN_bin2bn(dh1066_p, sizeof(dh1066_p), NULL);
+-  BIGNUM *g = BN_bin2bn(dh1066_g, sizeof(dh1066_g), NULL);
+-  if (!p || !g) {
+-    BN_free(p);
+-    BN_free(g);
+-    return NULL;
++  if ((dh = DH_new()) == NULL) {
++    return (NULL);
+   }
+-
+-  OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
+-  OSSL_PARAM_BLD_push_BN(bld, "p", p);
+-  OSSL_PARAM_BLD_push_BN(bld, "g", g);
+-  OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(bld);
+-  OSSL_PARAM_BLD_free(bld);
+-  BN_free(p);
+-  BN_free(g);
+-
+-  EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
+-  EVP_PKEY *pkey = NULL;
+-  EVP_PKEY_fromdata_init(pctx);
+-  EVP_PKEY_fromdata(pctx, &pkey, EVP_PKEY_KEY_PARAMETERS, params);
+-  EVP_PKEY_CTX_free(pctx);
+-  OSSL_PARAM_free(params);
+-  return pkey;
++  DH_set0_pqg(dh, BN_bin2bn(dh1066_p, sizeof(dh1066_p), NULL), NULL, BN_bin2bn(dh1066_g, sizeof(dh1066_g), NULL));
++  return (dh);
+ }
+ 
+-static EVP_PKEY *get_dh2066(void) {
++static DH *get_dh2066(void) {
+ 
+   unsigned char dh2066_p[] = {
+       0x03, 0x31, 0x77, 0x20, 0x58, 0xA6, 0x69, 0xA3, 0x9D, 0x2D, 0x5E, 0xE0, 0x5C, 0x46, 0x82, 0x0F, 0x9E, 0x80, 0xF0,
+@@ -3636,30 +3601,13 @@ static EVP_PKEY *get_dh2066(void) {
+   //	-----END DH PARAMETERS-----
+ 
+   unsigned char dh2066_g[] = {0x05};
++  DH *dh;
+ 
+-  BIGNUM *p = BN_bin2bn(dh2066_p, sizeof(dh2066_p), NULL);
+-  BIGNUM *g = BN_bin2bn(dh2066_g, sizeof(dh2066_g), NULL);
+-  if (!p || !g) {
+-    BN_free(p);
+-    BN_free(g);
+-    return NULL;
++  if ((dh = DH_new()) == NULL) {
++    return (NULL);
+   }
+-
+-  OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
+-  OSSL_PARAM_BLD_push_BN(bld, "p", p);
+-  OSSL_PARAM_BLD_push_BN(bld, "g", g);
+-  OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(bld);
+-  OSSL_PARAM_BLD_free(bld);
+-  BN_free(p);
+-  BN_free(g);
+-
+-  EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
+-  EVP_PKEY *pkey = NULL;
+-  EVP_PKEY_fromdata_init(pctx);
+-  EVP_PKEY_fromdata(pctx, &pkey, EVP_PKEY_KEY_PARAMETERS, params);
+-  EVP_PKEY_CTX_free(pctx);
+-  OSSL_PARAM_free(params);
+-  return pkey;
++  DH_set0_pqg(dh, BN_bin2bn(dh2066_p, sizeof(dh2066_p), NULL), NULL, BN_bin2bn(dh2066_g, sizeof(dh2066_g), NULL));
++  return (dh);
+ }
+ 
+ static int pem_password_func(char *buf, int size, int rwflag, void *password) {
+@@ -3791,14 +3739,19 @@ static void set_ctx(SSL_CTX **out, const char *protoco
+         if (nid == 0) {
+           TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "unknown curve name: %s\n", curve_name);
+           curve_name = DEFAULT_EC_CURVE_NAME;
++          nid = OBJ_sn2nid(curve_name);
+           set_auto_curve = 1;
+         }
+       }
+ 
+       {
+-        if (SSL_CTX_set1_groups_list(ctx, curve_name) != 1) {
+-          TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: ERROR: set EC curve '%s' failed\n", __FUNCTION__, curve_name);
++        EC_KEY *ecdh = EC_KEY_new_by_curve_name(nid);
++        if (!ecdh) {
++          TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: ERROR: allocate EC suite\n", __FUNCTION__);
+           set_auto_curve = 1;
++        } else {
++          SSL_CTX_set_tmp_ecdh(ctx, ecdh);
++          EC_KEY_free(ecdh);
+         }
+       }
+     }
+@@ -3811,20 +3764,13 @@ static void set_ctx(SSL_CTX **out, const char *protoco
+ 
+   { // DH algorithms:
+ 
+-    EVP_PKEY *dh = NULL;
++    DH *dh = NULL;
+     if (turn_params.dh_file[0]) {
+       FILE *paramfile = fopen(turn_params.dh_file, "r");
+       if (!paramfile) {
+         perror("Cannot open DH file");
+       } else {
+-        OSSL_DECODER_CTX *dctx =
+-            OSSL_DECODER_CTX_new_for_pkey(&dh, "PEM", NULL, "DH", EVP_PKEY_KEY_PARAMETERS, NULL, NULL);
+-        if (dctx) {
+-          if (!OSSL_DECODER_from_fp(dctx, paramfile)) {
+-            dh = NULL;
+-          }
+-          OSSL_DECODER_CTX_free(dctx);
+-        }
++        dh = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
+         fclose(paramfile);
+         if (dh) {
+           turn_params.dh_key_size = DH_CUSTOM;
+@@ -3846,11 +3792,11 @@ static void set_ctx(SSL_CTX **out, const char *protoco
+       TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: ERROR: cannot allocate DH suite\n", __FUNCTION__);
+       err = 1;
+     } else {
+-      if (1 != SSL_CTX_set0_tmp_dh_pkey(ctx, dh)) {
++      if (1 != SSL_CTX_set_tmp_dh(ctx, dh)) {
+         TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: ERROR: cannot set DH\n", __FUNCTION__);
+         err = 1;
+       }
+-      // No EVP_PKEY_free: SSL_CTX_set0_tmp_dh_pkey always takes ownership
++      DH_free(dh);
+     }
+   }
+ 
diff --git a/telephony/coturn/patches/patch-src_apps_relay_mainrelay_h b/telephony/coturn/patches/patch-src_apps_relay_mainrelay_h
new file mode 100644
index 00000000000..d6e69a02eb8
--- /dev/null
+++ b/telephony/coturn/patches/patch-src_apps_relay_mainrelay_h
@@ -0,0 +1,15 @@
+- Revert 4c674289a8a2 to use old DH code, LibreSSL doesn't have OSSL_{DECODER,PARAM}
+
+Index: src/apps/relay/mainrelay.h
+--- src/apps/relay/mainrelay.h.orig
++++ src/apps/relay/mainrelay.h
+@@ -87,9 +87,7 @@
+ #include "ns_ioalib_impl.h"
+ 
+ #include <openssl/aes.h>
+-#include <openssl/decoder.h>
+ #include <openssl/err.h>
+-#include <openssl/param_build.h>
+ #include <openssl/pem.h>
+ #include <openssl/ssl.h>
+ 
diff --git a/telephony/coturn/pkg/PLIST b/telephony/coturn/pkg/PLIST
index 013057e0519..b702c2d5925 100644
--- a/telephony/coturn/pkg/PLIST
+++ b/telephony/coturn/pkg/PLIST
@@ -34,10 +34,6 @@ share/doc/turnserver/README.turnadmin
 share/doc/turnserver/README.turnserver
 share/doc/turnserver/README.turnutils
 share/doc/turnserver/postinstall.txt
-share/doc/turnserver/schema.mongo.sh
-share/doc/turnserver/schema.sql
-share/doc/turnserver/schema.stats.redis
-share/doc/turnserver/schema.userdb.redis
 share/examples/turnserver/
 share/examples/turnserver/etc/
 share/examples/turnserver/etc/cacert.pem