MT#57688 tls: openssl 3.0 fixes

> https://github.com/kamailio/kamailio/pull/3482

Change-Id: I045de93d7c409301164536b0ce575a8b144b1dbb

debian/patches/series

@@ -32,7 +32,13 @@ sipwise/sca-debug.patch
 sipwise/sca-fix-notify-after-bye.patch
 sipwise/sca-add-pai_avp-parameter.patch
 ## upstream 5.7
-#
+upstream/tls-OPENSSL_fork_-prepare-parent-child-deprecated-at.patch
+upstream/tls-disable-engine-for-openssl-3.0.patch
+upstream/tls-disable-tls_rand-for-openssl-3.0.patch
+upstream/http_client-fix-depecration-of-CURLOPT_PROTOCOLS-and.patch
+upstream/http_client-fix-depecration-of-CURLOPT_REDIR_PROTOCO.patch
+upstream/tls-fix-build-for-openssl-1.1.1.patch
+upstream/tls-enable-locking-for-rand-ctx-if-libssl-version-is.patch
 ## upstream master
 #
 ### relevant for upstream

debian/patches/upstream/http_client-fix-depecration-of-CURLOPT_PROTOCOLS-and.patch

@@ -0,0 +1,44 @@
+From: Daniel-Constantin Mierla <miconda@gmail.com>
+Date: Wed, 21 Jun 2023 09:27:28 +0200
+Subject: [PATCH] http_client: fix depecration of CURLOPT_PROTOCOLS and
+ CURLINFO_SIZE_DOWNLOAD
+
+- GH #3484
+
+(cherry picked from commit b7b3c67fc1205d114fadf360a594930ef69835a3)
+---
+ src/modules/http_client/functions.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/modules/http_client/functions.c b/src/modules/http_client/functions.c
+index 8a2b993..be0b202 100644
+--- a/src/modules/http_client/functions.c
++++ b/src/modules/http_client/functions.c
+@@ -155,8 +155,12 @@ static int curL_request_url(struct sip_msg *_m, const char *_met,
+ 	res = curl_easy_setopt(curl, CURLOPT_URL, _url);
+ 
+ 	/* Limit to HTTP and HTTPS protocols */
++#if defined(CURL_AT_LEAST_VERSION) && CURL_AT_LEAST_VERSION(7, 85, 0)
++	res = curl_easy_setopt(curl, CURLOPT_PROTOCOLS_STR, "http,https");
++#else
+ 	res = curl_easy_setopt(
+ 			curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
++#endif
+ 	res = curl_easy_setopt(
+ 			curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
+ 
+@@ -383,8 +387,13 @@ static int curL_request_url(struct sip_msg *_m, const char *_met,
+ 
+ 	if((stat >= 200) && (stat < 500)) {
+ 		double datasize = 0;
+-
++#if defined(CURL_AT_LEAST_VERSION) && CURL_AT_LEAST_VERSION(7, 55, 0)
++		curl_off_t dlsize;
++		curl_easy_getinfo(curl, CURLINFO_SIZE_DOWNLOAD_T, &dlsize);
++		download_size = (double)dlsize;
++#else
+ 		curl_easy_getinfo(curl, CURLINFO_SIZE_DOWNLOAD, &download_size);
++#endif
+ 		LM_DBG("  -- curl download size: %u \n", (unsigned int)download_size);
+ 		datasize = download_size;
+ 

debian/patches/upstream/http_client-fix-depecration-of-CURLOPT_REDIR_PROTOCO.patch

@@ -0,0 +1,29 @@
+From: Daniel-Constantin Mierla <miconda@gmail.com>
+Date: Thu, 22 Jun 2023 14:37:18 +0200
+Subject: [PATCH] http_client: fix depecration of CURLOPT_REDIR_PROTOCOLS
+
+- GH #3492
+
+(cherry picked from commit 4d8263f9be97a541a24cbc6acc9855509640780b)
+---
+ src/modules/http_client/functions.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/modules/http_client/functions.c b/src/modules/http_client/functions.c
+index be0b202..8b1f33d 100644
+--- a/src/modules/http_client/functions.c
++++ b/src/modules/http_client/functions.c
+@@ -161,8 +161,13 @@ static int curL_request_url(struct sip_msg *_m, const char *_met,
+ 	res = curl_easy_setopt(
+ 			curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
+ #endif
++
++#if defined(CURL_AT_LEAST_VERSION) && CURL_AT_LEAST_VERSION(7, 85, 0)
++	res = curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS_STR, "http,https");
++#else
+ 	res = curl_easy_setopt(
+ 			curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
++#endif
+ 
+ 	if(_met != NULL) {
+ 		/* Enforce method (GET, PUT, ...) */

debian/patches/upstream/tls-OPENSSL_fork_-prepare-parent-child-deprecated-at.patch

@@ -0,0 +1,65 @@
+From: Victor Seva <linuxmaniac@torreviejawireless.org>
+Date: Tue, 13 Jun 2023 12:37:21 +0200
+Subject: [PATCH] tls: OPENSSL_fork_[prepare|parent|child] deprecated at
+ openssl 3.0
+
+From https://www.openssl.org/docs/man3.0/man3/OPENSSL_fork_prepare.html:
+
+> OPENSSL_fork_prepare, OPENSSL_fork_parent, OPENSSL_fork_child have been
+> deprecated since OpenSSL 3.0.
+>
+> These methods are currently unused, and as such, no replacement methods
+> are required or planned.
+>
+> OpenSSL has state that should be reset when a process forks. For
+> example, the entropy pool used to generate random numbers (and therefore
+> encryption keys) should not be shared across multiple programs. The
+> OPENSSL_fork_prepare(), OPENSSL_fork_parent(), and OPENSSL_fork_child()
+> functions are used to reset this internal state.
+>
+> OPENSSL_init_crypto(3) will register these functions with the
+> appropriate handler, when the OPENSSL_INIT_ATFORK flag is used
+
+(cherry picked from commit 9d6bfb96528c49e6aaa39aa47be877ca528c3537)
+---
+ src/modules/tls/tls_init.c | 2 +-
+ src/modules/tls/tls_mod.c  | 6 ++++--
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c
+index 8f40fab..8071ec3 100644
+--- a/src/modules/tls/tls_init.c
++++ b/src/modules/tls/tls_init.c
+@@ -740,7 +740,7 @@ int tls_h_mod_pre_init_f(void)
+ 	LM_DBG("preparing tls env for modules initialization\n");
+ #if OPENSSL_VERSION_NUMBER >= 0x010100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 	LM_DBG("preparing tls env for modules initialization (libssl >=1.1)\n");
+-	OPENSSL_init_ssl(0, NULL);
++	OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL);
+ #else
+ 	LM_DBG("preparing tls env for modules initialization (libssl <=1.0)\n");
+ 	SSL_library_init();
+diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
+index 466e2fc..22be768 100644
+--- a/src/modules/tls/tls_mod.c
++++ b/src/modules/tls/tls_mod.c
+@@ -450,7 +450,8 @@ static int mod_child(int rank)
+ 									&mod_params, &mod_params) < 0)
+ 				return -1;
+ 		}
+-#if OPENSSL_VERSION_NUMBER >= 0x010101000L
++#if OPENSSL_VERSION_NUMBER >= 0x010101000L \
++		&& OPENSSL_VERSION_NUMBER < 0x030000000L
+ 		if(ksr_tls_init_mode&TLS_MODE_FORK_PREPARE) {
+ 			OPENSSL_fork_prepare();
+ 		}
+@@ -458,7 +459,8 @@ static int mod_child(int rank)
+ 		return 0;
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x010101000L
++#if OPENSSL_VERSION_NUMBER >= 0x010101000L \
++		&& OPENSSL_VERSION_NUMBER < 0x030000000L
+ 	if(ksr_tls_init_mode&TLS_MODE_FORK_PREPARE) {
+ 		if(rank==PROC_POSTCHILDINIT) {
+ 			/*

debian/patches/upstream/tls-disable-engine-for-openssl-3.0.patch

@@ -0,0 +1,65 @@
+From: Victor Seva <linuxmaniac@torreviejawireless.org>
+Date: Mon, 19 Jun 2023 13:36:53 +0200
+Subject: [PATCH] tls: disable engine for openssl >= 3.0
+
+From https://www.openssl.org/docs/man3.0/man7/migration_guide.html
+
+> The refactoring to support Providers conflicts internally with the APIs
+> used to support engines, including the ENGINE API and any function that
+> creates or modifies custom "METHODS"
+
+From https://www.openssl.org/docs/man3.0/man3/ENGINE_init.html:
+
+> All of the functions described on this page are deprecated. Applications
+> should instead use the provider APIs.
+
+(cherry picked from commit a0a9373ccb3d3da3a1e9e1335d904fcf013d9ebd)
+---
+ src/modules/tls/tls_domain.c | 4 ++++
+ src/modules/tls/tls_mod.c    | 3 +++
+ src/modules/tls/tls_server.c | 3 +++
+ 3 files changed, 10 insertions(+)
+
+diff --git a/src/modules/tls/tls_domain.c b/src/modules/tls/tls_domain.c
+index d718c92..ad6e08b 100644
+--- a/src/modules/tls/tls_domain.c
++++ b/src/modules/tls/tls_domain.c
+@@ -30,6 +30,10 @@
+ #include <openssl/bn.h>
+ #include <openssl/dh.h>
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x030000000L
++#define OPENSSL_NO_ENGINE
++#endif
++
+ #ifndef OPENSSL_NO_ENGINE
+ #include <openssl/engine.h>
+ #include "tls_map.h"
+diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
+index 22be768..a0f90c1 100644
+--- a/src/modules/tls/tls_mod.c
++++ b/src/modules/tls/tls_mod.c
+@@ -87,6 +87,9 @@ int ksr_rand_engine_param(modparam_t type, void* val);
+ 
+ MODULE_VERSION
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x030000000L
++#define OPENSSL_NO_ENGINE
++#endif
+ 
+ extern str sr_tls_event_callback;
+ str sr_tls_xavp_cfg = {0, 0};
+diff --git a/src/modules/tls/tls_server.c b/src/modules/tls/tls_server.c
+index afd16ab..5c039c9 100644
+--- a/src/modules/tls/tls_server.c
++++ b/src/modules/tls/tls_server.c
+@@ -128,6 +128,9 @@ int tls_run_event_routes(struct tcp_connection *c);
+ 	#endif /* __SUNPRO_c */
+ #endif /* TLS_RD_DEBUG */
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x030000000L
++#define OPENSSL_NO_ENGINE
++#endif
+ 
+ extern str sr_tls_xavp_cfg;
+ 

debian/patches/upstream/tls-disable-tls_rand-for-openssl-3.0.patch

@@ -0,0 +1,69 @@
+From: Victor Seva <linuxmaniac@torreviejawireless.org>
+Date: Mon, 19 Jun 2023 20:12:17 +0200
+Subject: [PATCH] tls: disable tls_rand for openssl >= 3.0
+
+From https://www.openssl.org/docs/man3.0/man3/RAND_set_rand_method.html
+
+> All of the functions described on this page are deprecated.
+> Applications should instead use RAND_set_DRBG_type(3), EVP_RAND(3) and
+> EVP_RAND(7).
+
+(cherry picked from commit c4b04696a6bfe31fdd65fa56529b0d46f2774067)
+---
+ src/modules/tls/tls_mod.c  | 6 ++++--
+ src/modules/tls/tls_rand.c | 3 ++-
+ src/modules/tls/tls_rand.h | 3 ++-
+ 3 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
+index a0f90c1..e57a98c 100644
+--- a/src/modules/tls/tls_mod.c
++++ b/src/modules/tls/tls_mod.c
+@@ -506,7 +506,8 @@ static void mod_destroy(void)
+ 
+ int ksr_rand_engine_param(modparam_t type, void* val)
+ {
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L \
++		&& OPENSSL_VERSION_NUMBER < 0x030000000L
+ 	str *reng;
+ 
+ 	if(val==NULL) {
+@@ -674,7 +675,8 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2)
+ 
+ 	register_tls_hooks(&tls_h);
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L \
++		&& OPENSSL_VERSION_NUMBER < 0x030000000L
+ 	LM_DBG("setting cryptorand random engine\n");
+ 	RAND_set_rand_method(RAND_ksr_cryptorand_method());
+ #endif
+diff --git a/src/modules/tls/tls_rand.c b/src/modules/tls/tls_rand.c
+index 2cdb2ec..260cd7d 100644
+--- a/src/modules/tls/tls_rand.c
++++ b/src/modules/tls/tls_rand.c
+@@ -29,7 +29,8 @@
+ 
+ #include "tls_rand.h"
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L \
++		&& OPENSSL_VERSION_NUMBER < 0x030000000L
+ 
+ #include "../../core/dprint.h"
+ #include "../../core/locking.h"
+diff --git a/src/modules/tls/tls_rand.h b/src/modules/tls/tls_rand.h
+index 34d6b2d..58ddc85 100644
+--- a/src/modules/tls/tls_rand.h
++++ b/src/modules/tls/tls_rand.h
+@@ -21,7 +21,8 @@
+ #define _TLS_RAND_H_
+ 
+ #include <openssl/ssl.h>
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L \
++		&& OPENSSL_VERSION_NUMBER < 0x030000000L
+ 
+ #include <openssl/rand.h>
+ 

debian/patches/upstream/tls-enable-locking-for-rand-ctx-if-libssl-version-is.patch

@@ -0,0 +1,70 @@
+From: Daniel-Constantin Mierla <miconda@gmail.com>
+Date: Wed, 21 Jun 2023 14:15:24 +0200
+Subject: [PATCH] tls: enable locking for rand ctx if libssl version is 3.0+
+
+(cherry picked from commit 81be9e78c3731d45734480285d7afc17f8f9e87a)
+---
+ src/modules/tls/tls_init.c | 43 ++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 42 insertions(+), 1 deletion(-)
+
+diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c
+index 82a850c..ae06e85 100644
+--- a/src/modules/tls/tls_init.c
++++ b/src/modules/tls/tls_init.c
+@@ -45,6 +45,10 @@
+ #include <pthread.h>
+ #include <openssl/ssl.h>
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x030000000L
++#include <openssl/rand.h>
++#endif
++
+ #include "../../core/dprint.h"
+ #include "../../core/mem/shm_mem.h"
+ #include "../../core/tcp_init.h"
+@@ -750,7 +754,44 @@ int tls_h_mod_pre_init_f(void)
+ 	SSL_library_init();
+ #endif
+ 	SSL_load_error_strings();
+-	tls_mod_preinitialized=1;
++
++#if OPENSSL_VERSION_NUMBER >= 0x030000000L
++	do {
++		OSSL_LIB_CTX *osslglobal = NULL;
++		EVP_RAND_CTX *randctx = NULL;
++
++		LM_DBG("enabling locking for rand ctx\n");
++
++		osslglobal = OSSL_LIB_CTX_get0_global_default();
++		if(osslglobal == NULL) {
++			LM_ERR("failed to get lib ssl global ctx\n");
++			return -1;
++		}
++
++		randctx = RAND_get0_primary(osslglobal);
++		if(randctx == NULL) {
++			LM_ERR("primary rand ctx is null\n");
++			return -1;
++		}
++		EVP_RAND_enable_locking(randctx);
++
++		randctx = RAND_get0_public(osslglobal);
++		if(randctx == NULL) {
++			LM_ERR("public rand ctx is null\n");
++			return -1;
++		}
++		EVP_RAND_enable_locking(randctx);
++
++		randctx = RAND_get0_private(osslglobal);
++		if(randctx == NULL) {
++			LM_ERR("private rand ctx is null\n");
++			return -1;
++		}
++		EVP_RAND_enable_locking(randctx);
++	} while(0);
++#endif
++
++	tls_mod_preinitialized = 1;
+ 	return 0;
+ }
+ 

debian/patches/upstream/tls-fix-build-for-openssl-1.1.1.patch

@@ -0,0 +1,28 @@
+From: Victor Seva <linuxmaniac@torreviejawireless.org>
+Date: Thu, 22 Jun 2023 17:29:48 +0200
+Subject: [PATCH] tls: fix build for openssl < 1.1.1
+
+OPENSSL_INIT_ATFORK was introduced in libssl 1.1.1
+error introduced at 9d6bfb96528c49e6aaa39aa47be877ca528c3537
+
+(cherry picked from commit 82f5fcbf88ee3058bd9da520b528c86393cc422a)
+---
+ src/modules/tls/tls_init.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c
+index 8071ec3..82a850c 100644
+--- a/src/modules/tls/tls_init.c
++++ b/src/modules/tls/tls_init.c
+@@ -740,7 +740,11 @@ int tls_h_mod_pre_init_f(void)
+ 	LM_DBG("preparing tls env for modules initialization\n");
+ #if OPENSSL_VERSION_NUMBER >= 0x010100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 	LM_DBG("preparing tls env for modules initialization (libssl >=1.1)\n");
++#if OPENSSL_VERSION_NUMBER >= 0x010101000L
+ 	OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL);
++#else
++	OPENSSL_init_ssl(0, NULL);
++#endif
+ #else
+ 	LM_DBG("preparing tls env for modules initialization (libssl <=1.0)\n");
+ 	SSL_library_init();