From 0f193b7e7423fcbd966e5d1e921dac382e37618d Mon Sep 17 00:00:00 2001
From: Victor Seva
Date: Tue, 20 Jun 2023 10:28:54 +0200
Subject: [PATCH] MT#57688 tls: openssl 3.0 fixes

> https://github.com/kamailio/kamailio/pull/3482

Change-Id: I045de93d7c409301164536b0ce575a8b144b1dbb
---
 debian/patches/series | 8 ++-
 ...depecration-of-CURLOPT_PROTOCOLS-and.patch | 44 ++++++++++++
 ...depecration-of-CURLOPT_REDIR_PROTOCO.patch | 29 ++++++++
 ..._-prepare-parent-child-deprecated-at.patch | 65 +++++++++++++++++
 .../tls-disable-engine-for-openssl-3.0.patch | 65 +++++++++++++++++
 ...tls-disable-tls_rand-for-openssl-3.0.patch | 69 ++++++++++++++++++
 ...ng-for-rand-ctx-if-libssl-version-is.patch | 70 +++++++++++++++++++
 .../tls-fix-build-for-openssl-1.1.1.patch | 28 ++++++++
 8 files changed, 377 insertions(+), 1 deletion(-)
 create mode 100644 debian/patches/upstream/http_client-fix-depecration-of-CURLOPT_PROTOCOLS-and.patch
 create mode 100644 debian/patches/upstream/http_client-fix-depecration-of-CURLOPT_REDIR_PROTOCO.patch
 create mode 100644 debian/patches/upstream/tls-OPENSSL_fork_-prepare-parent-child-deprecated-at.patch
 create mode 100644 debian/patches/upstream/tls-disable-engine-for-openssl-3.0.patch
 create mode 100644 debian/patches/upstream/tls-disable-tls_rand-for-openssl-3.0.patch
 create mode 100644 debian/patches/upstream/tls-enable-locking-for-rand-ctx-if-libssl-version-is.patch
 create mode 100644 debian/patches/upstream/tls-fix-build-for-openssl-1.1.1.patch
diff --git a/debian/patches/series b/debian/patches/series
index bf3d8e46a..60942950f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -32,7 +32,13 @@ sipwise/sca-debug.patch
 sipwise/sca-fix-notify-after-bye.patch
 sipwise/sca-add-pai_avp-parameter.patch
 ## upstream 5.7
-#
+upstream/tls-OPENSSL_fork_-prepare-parent-child-deprecated-at.patch
+upstream/tls-disable-engine-for-openssl-3.0.patch
+upstream/tls-disable-tls_rand-for-openssl-3.0.patch
+upstream/http_client-fix-depecration-of-CURLOPT_PROTOCOLS-and.patch
+upstream/http_client-fix-depecration-of-CURLOPT_REDIR_PROTOCO.patch
+upstream/tls-fix-build-for-openssl-1.1.1.patch
+upstream/tls-enable-locking-for-rand-ctx-if-libssl-version-is.patch
 ## upstream master
 #
 ### relevant for upstream
diff --git a/debian/patches/upstream/http_client-fix-depecration-of-CURLOPT_PROTOCOLS-and.patch b/debian/patches/upstream/http_client-fix-depecration-of-CURLOPT_PROTOCOLS-and.patch
new file mode 100644
index 000000000..a477f1a82
--- /dev/null
+++ b/debian/patches/upstream/http_client-fix-depecration-of-CURLOPT_PROTOCOLS-and.patch
@@ -0,0 +1,44 @@
+From: Daniel-Constantin Mierla
+Date: Wed, 21 Jun 2023 09:27:28 +0200
+Subject: [PATCH] http_client: fix depecration of CURLOPT_PROTOCOLS and
+ CURLINFO_SIZE_DOWNLOAD
+
+- GH #3484
+
+(cherry picked from commit b7b3c67fc1205d114fadf360a594930ef69835a3)
+---
+ src/modules/http_client/functions.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/modules/http_client/functions.c b/src/modules/http_client/functions.c
+index 8a2b993..be0b202 100644
+--- a/src/modules/http_client/functions.c
++++ b/src/modules/http_client/functions.c
+@@ -155,8 +155,12 @@ static int curL_request_url(struct sip_msg *_m, const char *_met,
+ res = curl_easy_setopt(curl, CURLOPT_URL, _url);
+
+ /* Limit to HTTP and HTTPS protocols */
++#if defined(CURL_AT_LEAST_VERSION) && CURL_AT_LEAST_VERSION(7, 85, 0)
++ res = curl_easy_setopt(curl, CURLOPT_PROTOCOLS_STR, "http,https");
++#else
+ res = curl_easy_setopt(
+ curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
++#endif
+ res = curl_easy_setopt(
+ curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
+
+@@ -383,8 +387,13 @@ static int curL_request_url(struct sip_msg *_m, const char *_met,
+
+ if((stat >= 200) && (stat < 500)) {
+ double datasize = 0;
+-
++#if defined(CURL_AT_LEAST_VERSION) && CURL_AT_LEAST_VERSION(7, 55, 0)
++ curl_off_t dlsize;
++ curl_easy_getinfo(curl, CURLINFO_SIZE_DOWNLOAD_T, &dlsize);
++ download_size = (double)dlsize;
++#else
+ curl_easy_getinfo(curl, CURLINFO_SIZE_DOWNLOAD, &download_size);
++#endif
+ LM_DBG(" -- curl download size: %u \n", (unsigned int)download_size);
+ datasize = download_size;
+
diff --git a/debian/patches/upstream/http_client-fix-depecration-of-CURLOPT_REDIR_PROTOCO.patch b/debian/patches/upstream/http_client-fix-depecration-of-CURLOPT_REDIR_PROTOCO.patch
new file mode 100644
index 000000000..583f86194
--- /dev/null
+++ b/debian/patches/upstream/http_client-fix-depecration-of-CURLOPT_REDIR_PROTOCO.patch
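Review bot: In the second inner hunk `curl_off_t dlsize;` is left uninitialized and the return of `curl_easy_getinfo(curl, CURLINFO_SIZE_DOWNLOAD_T, &dlsize)` is never examined, so when the query fails `download_size = (double)dlsize;` copies an indeterminate value into the size that is then logged and used; initialize it and gate the assignment, `curl_off_t dlsize = 0;` followed by `if(curl_easy_getinfo(curl, CURLINFO_SIZE_DOWNLOAD_T, &dlsize) == CURLE_OK) download_size = (double)dlsize;`. The first inner hunk has the related weakness that `res` from `curl_easy_setopt(curl, CURLOPT_PROTOCOLS_STR, "http,https")` is assigned and then ignored, and the following CURLOPT_REDIR_PROTOCO patch repeats the same shape for `CURLOPT_REDIR_PROTOCOLS_STR`; since this option is what confines the request and its redirects to http/https, a rejected option (for instance `CURLE_UNKNOWN_OPTION` when the runtime libcurl is older than the headers the module was built against) should fail the request rather than let it proceed unrestricted. curL_request_url starts and ends outside both hunks, so the existing handling of `res` further down is not visible here.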
@@ -0,0 +1,29 @@
+From: Daniel-Constantin Mierla
+Date: Thu, 22 Jun 2023 14:37:18 +0200
+Subject: [PATCH] http_client: fix depecration of CURLOPT_REDIR_PROTOCOLS
+
+- GH #3492
+
+(cherry picked from commit 4d8263f9be97a541a24cbc6acc9855509640780b)
+---
+ src/modules/http_client/functions.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/modules/http_client/functions.c b/src/modules/http_client/functions.c
+index be0b202..8b1f33d 100644
+--- a/src/modules/http_client/functions.c
++++ b/src/modules/http_client/functions.c
+@@ -161,8 +161,13 @@ static int curL_request_url(struct sip_msg *_m, const char *_met,
+ res = curl_easy_setopt(
+ curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
+ #endif
++
++#if defined(CURL_AT_LEAST_VERSION) && CURL_AT_LEAST_VERSION(7, 85, 0)
++ res = curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS_STR, "http,https");
++#else
+ res = curl_easy_setopt(
+ curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
++#endif
+
+ if(_met != NULL) {
+ /* Enforce method (GET, PUT, ...) */
diff --git a/debian/patches/upstream/tls-OPENSSL_fork_-prepare-parent-child-deprecated-at.patch b/debian/patches/upstream/tls-OPENSSL_fork_-prepare-parent-child-deprecated-at.patch
new file mode 100644
index 000000000..6e18c88f3
--- /dev/null
+++ b/debian/patches/upstream/tls-OPENSSL_fork_-prepare-parent-child-deprecated-at.patch
@@ -0,0 +1,65 @@
+From: Victor Seva
+Date: Tue, 13 Jun 2023 12:37:21 +0200
+Subject: [PATCH] tls: OPENSSL_fork_[prepare|parent|child] deprecated at
+ openssl 3.0
+
+From https://www.openssl.org/docs/man3.0/man3/OPENSSL_fork_prepare.html:
+
+> OPENSSL_fork_prepare, OPENSSL_fork_parent, OPENSSL_fork_child have been
+> deprecated since OpenSSL 3.0.
+>
+> These methods are currently unused, and as such, no replacement methods
+> are required or planned.
+>
+> OpenSSL has state that should be reset when a process forks. For
+> example, the entropy pool used to generate random numbers (and therefore
+> encryption keys) should not be shared across multiple programs. The
+> OPENSSL_fork_prepare(), OPENSSL_fork_parent(), and OPENSSL_fork_child()
+> functions are used to reset this internal state.
+>
+> OPENSSL_init_crypto(3) will register these functions with the
+> appropriate handler, when the OPENSSL_INIT_ATFORK flag is used
+
+(cherry picked from commit 9d6bfb96528c49e6aaa39aa47be877ca528c3537)
+---
+ src/modules/tls/tls_init.c | 2 +-
+ src/modules/tls/tls_mod.c | 6 ++++--
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c
+index 8f40fab..8071ec3 100644
+--- a/src/modules/tls/tls_init.c
++++ b/src/modules/tls/tls_init.c
+@@ -740,7 +740,7 @@ int tls_h_mod_pre_init_f(void)
+ LM_DBG("preparing tls env for modules initialization\n");
+ #if OPENSSL_VERSION_NUMBER >= 0x010100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ LM_DBG("preparing tls env for modules initialization (libssl >=1.1)\n");
+- OPENSSL_init_ssl(0, NULL);
++ OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL);
+ #else
+ LM_DBG("preparing tls env for modules initialization (libssl <=1.0)\n");
+ SSL_library_init();
+diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
+index 466e2fc..22be768 100644
+--- a/src/modules/tls/tls_mod.c
++++ b/src/modules/tls/tls_mod.c
+@@ -450,7 +450,8 @@ static int mod_child(int rank)
+ &mod_params, &mod_params) < 0)
+ return -1;
+ }
+-#if OPENSSL_VERSION_NUMBER >= 0x010101000L
++#if OPENSSL_VERSION_NUMBER >= 0x010101000L \
++ && OPENSSL_VERSION_NUMBER < 0x030000000L
+ if(ksr_tls_init_mode&TLS_MODE_FORK_PREPARE) {
+ OPENSSL_fork_prepare();
+ }
+@@ -458,7 +459,8 @@ static int mod_child(int rank)
+ return 0;
+ }
+
+-#if OPENSSL_VERSION_NUMBER >= 0x010101000L
++#if OPENSSL_VERSION_NUMBER >= 0x010101000L \
++ && OPENSSL_VERSION_NUMBER < 0x030000000L
+ if(ksr_tls_init_mode&TLS_MODE_FORK_PREPARE) {
+ if(rank==PROC_POSTCHILDINIT) {
+ /*
diff --git a/debian/patches/upstream/tls-disable-engine-for-openssl-3.0.patch b/debian/patches/upstream/tls-disable-engine-for-openssl-3.0.patch
new file mode 100644
index 000000000..d11323109
--- /dev/null
+++ b/debian/patches/upstream/tls-disable-engine-for-openssl-3.0.patch
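Review bot: The result of `OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL);` in the tls_init.c hunk is discarded, so a failed library initialization — which now also carries the atfork handler registration this patch relies on for resetting the DRBG in forked workers — still lets tls_h_mod_pre_init_f report success; the later fix-build-for-openssl-1.1.1 patch keeps the same unchecked call on both of its branches. I would write `if(OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL) != 1) { LM_ERR("failed to initialize libssl\n"); return -1; }` (the function continues outside the hunk, so the exact error convention should be matched to the rest of it). In the tls_mod.c hunks the `TLS_MODE_FORK_PREPARE` branches are compiled out for 3.0 while, as far as these lines show, `ksr_tls_init_mode` still accepts the flag, so a configured fork-prepare mode silently does nothing; a short comment at the new `#if`, such as `/* OPENSSL_fork_* removed in 3.0; fork handling is registered via OPENSSL_INIT_ATFORK in tls_h_mod_pre_init_f() */`, would record why, and a one-time LM_INFO when the flag is set on a 3.0 build would keep operators from assuming it is active. mod_child starts and ends outside the hunk.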
@@ -0,0 +1,65 @@
+From: Victor Seva
+Date: Mon, 19 Jun 2023 13:36:53 +0200
+Subject: [PATCH] tls: disable engine for openssl >= 3.0
+
+From https://www.openssl.org/docs/man3.0/man7/migration_guide.html
+
+> The refactoring to support Providers conflicts internally with the APIs
+> used to support engines, including the ENGINE API and any function that
+> creates or modifies custom "METHODS"
+
+From https://www.openssl.org/docs/man3.0/man3/ENGINE_init.html:
+
+> All of the functions described on this page are deprecated. Applications
+> should instead use the provider APIs.
+
+(cherry picked from commit a0a9373ccb3d3da3a1e9e1335d904fcf013d9ebd)
+---
+ src/modules/tls/tls_domain.c | 4 ++++
+ src/modules/tls/tls_mod.c | 3 +++
+ src/modules/tls/tls_server.c | 3 +++
+ 3 files changed, 10 insertions(+)
+
+diff --git a/src/modules/tls/tls_domain.c b/src/modules/tls/tls_domain.c
+index d718c92..ad6e08b 100644
+--- a/src/modules/tls/tls_domain.c
++++ b/src/modules/tls/tls_domain.c
+@@ -30,6 +30,10 @@
+ #include
+ #include
+
++#if OPENSSL_VERSION_NUMBER >= 0x030000000L
++#define OPENSSL_NO_ENGINE
++#endif
++
+ #ifndef OPENSSL_NO_ENGINE
+ #include
+ #include "tls_map.h"
+diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
+index 22be768..a0f90c1 100644
+--- a/src/modules/tls/tls_mod.c
++++ b/src/modules/tls/tls_mod.c
+@@ -87,6 +87,9 @@ int ksr_rand_engine_param(modparam_t type, void* val);
+
+ MODULE_VERSION
+
++#if OPENSSL_VERSION_NUMBER >= 0x030000000L
++#define OPENSSL_NO_ENGINE
++#endif
+
+ extern str sr_tls_event_callback;
+ str sr_tls_xavp_cfg = {0, 0};
+diff --git a/src/modules/tls/tls_server.c b/src/modules/tls/tls_server.c
+index afd16ab..5c039c9 100644
+--- a/src/modules/tls/tls_server.c
++++ b/src/modules/tls/tls_server.c
+@@ -128,6 +128,9 @@ int tls_run_event_routes(struct tcp_connection *c);
+ #endif /* __SUNPRO_c */
+ #endif /* TLS_RD_DEBUG */
+
++#if OPENSSL_VERSION_NUMBER >= 0x030000000L
++#define OPENSSL_NO_ENGINE
++#endif
+
+ extern str sr_tls_xavp_cfg;
+
diff --git a/debian/patches/upstream/tls-disable-tls_rand-for-openssl-3.0.patch b/debian/patches/upstream/tls-disable-tls_rand-for-openssl-3.0.patch
new file mode 100644
index 000000000..ba0d24b2d
--- /dev/null
+++ b/debian/patches/upstream/tls-disable-tls_rand-for-openssl-3.0.patch
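Review bot: `#define OPENSSL_NO_ENGINE` is introduced separately in three translation units, each after the OpenSSL headers have already been included, for a macro that OpenSSL's own configuration header owns; any other file of the module that tests `#ifndef OPENSSL_NO_ENGINE` (none is visible in this patch) would keep compiling the ENGINE path, and the three copies can drift. One definition in a header every TLS source includes, or a single `-D` in the module's build flags, keeps the decision in one place; failing that, each copy deserves the reason the commit message gives, e.g. `/* ENGINE API is deprecated in OpenSSL 3.0 in favour of providers; build without it */`. It also looks as if engine-related module parameters become no-ops on a 3.0 build without any message, which operators who load keys through an engine will want to hear about at startup — worth confirming against the parameter handlers, which are outside these hunks.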
@@ -0,0 +1,69 @@
+From: Victor Seva
+Date: Mon, 19 Jun 2023 20:12:17 +0200
+Subject: [PATCH] tls: disable tls_rand for openssl >= 3.0
+
+From https://www.openssl.org/docs/man3.0/man3/RAND_set_rand_method.html
+
+> All of the functions described on this page are deprecated.
+> Applications should instead use RAND_set_DRBG_type(3), EVP_RAND(3) and
+> EVP_RAND(7).
+
+(cherry picked from commit c4b04696a6bfe31fdd65fa56529b0d46f2774067)
+---
+ src/modules/tls/tls_mod.c | 6 ++++--
+ src/modules/tls/tls_rand.c | 3 ++-
+ src/modules/tls/tls_rand.h | 3 ++-
+ 3 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
+index a0f90c1..e57a98c 100644
+--- a/src/modules/tls/tls_mod.c
++++ b/src/modules/tls/tls_mod.c
+@@ -506,7 +506,8 @@ static void mod_destroy(void)
+
+ int ksr_rand_engine_param(modparam_t type, void* val)
+ {
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L \
++ && OPENSSL_VERSION_NUMBER < 0x030000000L
+ str *reng;
+
+ if(val==NULL) {
+@@ -674,7 +675,8 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2)
+
+ register_tls_hooks(&tls_h);
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L \
++ && OPENSSL_VERSION_NUMBER < 0x030000000L
+ LM_DBG("setting cryptorand random engine\n");
+ RAND_set_rand_method(RAND_ksr_cryptorand_method());
+ #endif
+diff --git a/src/modules/tls/tls_rand.c b/src/modules/tls/tls_rand.c
+index 2cdb2ec..260cd7d 100644
+--- a/src/modules/tls/tls_rand.c
++++ b/src/modules/tls/tls_rand.c
+@@ -29,7 +29,8 @@
+
+ #include "tls_rand.h"
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L \
++ && OPENSSL_VERSION_NUMBER < 0x030000000L
+
+ #include "../../core/dprint.h"
+ #include "../../core/locking.h"
+diff --git a/src/modules/tls/tls_rand.h b/src/modules/tls/tls_rand.h
+index 34d6b2d..58ddc85 100644
+--- a/src/modules/tls/tls_rand.h
++++ b/src/modules/tls/tls_rand.h
+@@ -21,7 +21,8 @@
+ #define _TLS_RAND_H_
+
+ #include
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L \
++ && OPENSSL_VERSION_NUMBER < 0x030000000L
+
+ #include
+
diff --git a/debian/patches/upstream/tls-enable-locking-for-rand-ctx-if-libssl-version-is.patch b/debian/patches/upstream/tls-enable-locking-for-rand-ctx-if-libssl-version-is.patch
new file mode 100644
index 000000000..284932506
--- /dev/null
+++ b/debian/patches/upstream/tls-enable-locking-for-rand-ctx-if-libssl-version-is.patch
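Review bot: The two-line condition `#if OPENSSL_VERSION_NUMBER >= 0x10100000L \` / `&& OPENSSL_VERSION_NUMBER < 0x030000000L` is now copied verbatim into four places across tls_mod.c, tls_rand.c and tls_rand.h, and the `< 0x030000000L` half appears again in the fork and engine patches of this series; the next version bound will have to be edited in every copy. Since tls_rand.h is included by tls_rand.c and evaluates the same test, a single feature macro defined there (something along the lines of `#define KSR_TLS_RAND_LEGACY 1`, name illustrative) and tested with `#ifdef` in the other three sites would keep the bound in one place. The mixed literal widths `0x10100000L` versus `0x030000000L` are numerically equivalent but read as if they were different encodings; using one form in the new lines would avoid a second look. ksr_rand_engine_param and mod_register both continue outside the hunks, so what the 3.0 branch does with the parameter is not visible here.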
@@ -0,0 +1,70 @@
+From: Daniel-Constantin Mierla
+Date: Wed, 21 Jun 2023 14:15:24 +0200
+Subject: [PATCH] tls: enable locking for rand ctx if libssl version is 3.0+
+
+(cherry picked from commit 81be9e78c3731d45734480285d7afc17f8f9e87a)
+---
+ src/modules/tls/tls_init.c | 43 ++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 42 insertions(+), 1 deletion(-)
+
+diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c
+index 82a850c..ae06e85 100644
+--- a/src/modules/tls/tls_init.c
++++ b/src/modules/tls/tls_init.c
+@@ -45,6 +45,10 @@
+ #include
+ #include
+
++#if OPENSSL_VERSION_NUMBER >= 0x030000000L
++#include
++#endif
++
+ #include "../../core/dprint.h"
+ #include "../../core/mem/shm_mem.h"
+ #include "../../core/tcp_init.h"
+@@ -750,7 +754,44 @@ int tls_h_mod_pre_init_f(void)
+ SSL_library_init();
+ #endif
+ SSL_load_error_strings();
+- tls_mod_preinitialized=1;
++
++#if OPENSSL_VERSION_NUMBER >= 0x030000000L
++ do {
++ OSSL_LIB_CTX *osslglobal = NULL;
++ EVP_RAND_CTX *randctx = NULL;
++
++ LM_DBG("enabling locking for rand ctx\n");
++
++ osslglobal = OSSL_LIB_CTX_get0_global_default();
++ if(osslglobal == NULL) {
++ LM_ERR("failed to get lib ssl global ctx\n");
++ return -1;
++ }
++
++ randctx = RAND_get0_primary(osslglobal);
++ if(randctx == NULL) {
++ LM_ERR("primary rand ctx is null\n");
++ return -1;
++ }
++ EVP_RAND_enable_locking(randctx);
++
++ randctx = RAND_get0_public(osslglobal);
++ if(randctx == NULL) {
++ LM_ERR("public rand ctx is null\n");
++ return -1;
++ }
++ EVP_RAND_enable_locking(randctx);
++
++ randctx = RAND_get0_private(osslglobal);
++ if(randctx == NULL) {
++ LM_ERR("private rand ctx is null\n");
++ return -1;
++ }
++ EVP_RAND_enable_locking(randctx);
++ } while(0);
++#endif
++
++ tls_mod_preinitialized = 1;
+ return 0;
+ }
+
diff --git a/debian/patches/upstream/tls-fix-build-for-openssl-1.1.1.patch b/debian/patches/upstream/tls-fix-build-for-openssl-1.1.1.patch
new file mode 100644
index 000000000..b5e1a2a4e
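Review bot: All three `EVP_RAND_enable_locking(randctx);` calls in the second inner hunk discard the function's int result, so if enabling the lock fails the DRBG stays unlocked while pre-init still returns 0 — the opposite of what the patch sets out to guarantee; each call should be checked the same way the NULL cases are, `if(EVP_RAND_enable_locking(randctx) != 1) { LM_ERR("failed to enable locking on rand ctx\n"); return -1; }`. The `do { ... } while(0);` wrapper exists only to open a scope for the two locals and contains no `break`, so a plain `{ ... }` block (or moving the declarations up) would say that more directly. If I read the OpenSSL 3.0 documentation correctly, `RAND_get0_public()` and `RAND_get0_private()` return the calling thread's own instances, so the locking set here covers the primary DRBG and the main thread's public/private ones only, and any thread created later would get unlocked instances; worth stating in a comment above the block (`/* primary is shared; public/private instances are per thread — only the calling thread's are covered here */`) so nobody assumes broader coverage. tls_h_mod_pre_init_f starts before the hunk.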
--- /dev/null
+++ b/debian/patches/upstream/tls-fix-build-for-openssl-1.1.1.patch
@@ -0,0 +1,28 @@
+From: Victor Seva
+Date: Thu, 22 Jun 2023 17:29:48 +0200
+Subject: [PATCH] tls: fix build for openssl < 1.1.1
+
+OPENSSL_INIT_ATFORK was introduced in libssl 1.1.1
+error introduced at 9d6bfb96528c49e6aaa39aa47be877ca528c3537
+
+(cherry picked from commit 82f5fcbf88ee3058bd9da520b528c86393cc422a)
+---
+ src/modules/tls/tls_init.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c
+index 8071ec3..82a850c 100644
+--- a/src/modules/tls/tls_init.c
++++ b/src/modules/tls/tls_init.c
+@@ -740,7 +740,11 @@ int tls_h_mod_pre_init_f(void)
+ LM_DBG("preparing tls env for modules initialization\n");
+ #if OPENSSL_VERSION_NUMBER >= 0x010100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ LM_DBG("preparing tls env for modules initialization (libssl >=1.1)\n");
++#if OPENSSL_VERSION_NUMBER >= 0x010101000L
+ OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL);
++#else
++ OPENSSL_init_ssl(0, NULL);
++#endif
+ #else
+ LM_DBG("preparing tls env for modules initialization (libssl <=1.0)\n");
+ SSL_library_init();
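Review bot: The new `#if OPENSSL_VERSION_NUMBER >= 0x010101000L` / `#else` / `#endif` is nested directly inside the existing `>= 0x010100000L` conditional, and both inner and outer `#else` lines are bare, so a reader has to count brackets to see which branch handles 1.1.0 and which handles 1.0; trailing comments would fix that, `#else /* libssl 1.1.0: no OPENSSL_INIT_ATFORK */` and `#endif /* OPENSSL_VERSION_NUMBER >= 0x010101000L */`. The 1.1.0 branch restores the old `OPENSSL_init_ssl(0, NULL);`, which registers no fork handler, and the manual `OPENSSL_fork_prepare()` path in mod_child is also gated on 1.1.1 by the earlier patch, so on a 1.1.0 build nothing in the module resets the DRBG after fork as far as these hunks show — if that is accepted as out of scope, a one-line comment saying so at the `#else` would save the next reader the same investigation. tls_h_mod_pre_init_f continues outside the hunk.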