MT#59890 backport patches from 5.7

Not all changes since the 5.7.4 release, only the changes related to:

- tls and new tls_threads_mode

NGCP-Flow: mr12.3

Change-Id: Ia405eff2deeb7ae48a26f62e6bfd41b1c88bcd3f
mr12.3
Victor Seva 1 year ago
parent 859f44327c
commit 26734a08b3

@ -32,7 +32,46 @@ sipwise/sca-debug.patch
sipwise/sca-fix-notify-after-bye.patch
sipwise/sca-add-pai_avp-parameter.patch
## upstream 5.7
#
upstream/core-add-infrastructure-to-run-functions-in-threads.patch
upstream/outbound-init-libssl-in-a-thread.patch
upstream/db_mysql-init-libssl-in-a-thread.patch
upstream/db_postgres-init-libssl-in-a-thread.patch
upstream/db_unixodbc-init-libssl-in-a-thread.patch
upstream/db_mysql-backport-no-TLS-with-MariaDB-Connector-C.patch
upstream/core-rthread.h-add-prototype-for-db-queries.patch
upstream/db_unixodbc-handle-SSL-and-submit-query.patch
upstream/db_mysql-handle-SSL-and-submit-query.patch
upstream/db_postgres-handle-SSL-and-submit-query.patch
upstream/core-rthreads.h-use-thread-wrappers-only-for-process.patch
upstream/core-rthreads.h-thread-wrapper-for-db_XXXX_query.patch
upstream/db_postgres-libssl-thread-guard-for-db_postgres_clos.patch
upstream/db_unixodbc-libssl-thread-guards-for-db_unixodbc_-cl.patch
upstream/db_mysql-libssl-thread-guard-for-db_mysql_close.patch
upstream/core-added-tls_threads_mode-global-parameter.patch
upstream/core-rthreads.h-use-global-ksr_tls_threads_mode-to-c.patch
upstream/tls-restore-default-to-bypass-thread-guards.patch
upstream/tls-restore-some-function-calls-in-non-threaded-mode.patch
upstream/tls-add-logging.patch
upstream/tls-raise-logging-level-of-early-messages-in-mod_reg.patch
upstream/db_mysql-new-module-param-opt_ssl_ca-to-configure-CA.patch
upstream/db_mysql-update-docs-for-opt_ssl_ca.patch
upstream/db_mysql-libssl-thread-guard-for-db_mysql_query-and-.patch
upstream/tls-restore-early-init-for-other-modules-that-use-TL.patch
upstream/tls-fix-restore-early-init.patch
upstream/core-rthreads.h-add-thread-executor-for-curl_global_.patch
upstream/http_async_client-libssl-thread-executor-for-curl_gl.patch
upstream/http_client-libssl-thread-executor-for-curl_global_i.patch
upstream/xcap_client-libssl-thread-executor-for-curl_global_i.patch
upstream/http_async_client-libssl-refactor-thread-executors-f.patch
upstream/tls-fix-OpenSSL-1.1.1-engine-keys.patch
upstream/tls-make-explicit-ENGINE-deprecation-in-OpenSSL-3.patch
upstream/tls-clean-up-of-ENGINE.patch
upstream/tlsa-removed-the-map-files-used-in-the-past-for-tls-.patch
upstream/tls-remove-unused-ENGINE-define.patch
upstream/tls-basic-OpenSSL-3-support-of-provider-keys-replace.patch
upstream/core-rthreads.h-add-new-option-tls_threads_mode-2.patch
upstream/tls-new-option-tls_threads_mode-2.patch
upstream/tls-NULL-safety-check.patch
## upstream master
sipwise/pv_headers-rework-pvh_remove_header_param-take-two.patch
upstream/pv_headers-compare-result-of-pvh_set_xavi-with-NULL-.patch

@ -0,0 +1,116 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Thu, 1 Feb 2024 10:03:47 +0800
Subject: core: add infrastructure to run functions in threads
(cherry-pick from f8909163c47c8776d23373fad688586f02d31e67)
---
src/core/rthreads.h | 100 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 100 insertions(+)
create mode 100644 src/core/rthreads.h
diff --git a/src/core/rthreads.h b/src/core/rthreads.h
new file mode 100644
index 0000000..a5ad767
--- /dev/null
+++ b/src/core/rthreads.h
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2024 Chan Shih-Ping
+ *
+ * This file is part of Kamailio, a free SIP server.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * A set of helpers to run functions in threads.
+ *
+ * This is not a thread pool implementation -
+ * - it runs functions in a run-once thread to avoid
+ * creating thread-locals in the calling thread.
+ *
+ * Primary use case: to init libssl in a separate thread
+ */
+#include <pthread.h>
+
+/*
+ * prototype: void *fn(void *arg) { ... }
+ */
+typedef void *(*_thread_proto)(void *);
+
+#ifndef KSR_RTHREAD_SKIP_P
+static void *run_threadP(_thread_proto fn, void *arg)
+{
+ pthread_t tid;
+ void *ret;
+
+ pthread_create(&tid, NULL, fn, arg);
+ pthread_join(tid, &ret);
+
+ return ret;
+}
+#endif
+
+/*
+ * prototype: void *fn(void *arg1, int arg2) { ... }
+ */
+#ifdef KSR_RTHREAD_NEED_PI
+typedef void *(*_thread_protoPI)(void *, int);
+struct _thread_argsPI
+{
+ _thread_protoPI fn;
+ void *tptr;
+ int tint;
+};
+static void *run_thread_wrapPI(struct _thread_argsPI *args)
+{
+ return (*args->fn)(args->tptr, args->tint);
+}
+
+static void *run_threadPI(_thread_protoPI fn, void *arg1, int arg2)
+{
+ pthread_t tid;
+ void *ret;
+
+ pthread_create(&tid, NULL, (_thread_proto)&run_thread_wrapPI,
+ &(struct _thread_argsPI){fn, arg1, arg2});
+ pthread_join(tid, &ret);
+
+ return ret;
+}
+#endif
+
+/*
+ * prototype: void fn(void) { ... }
+ */
+#ifdef KSR_RTHREAD_NEED_V
+typedef void (*_thread_protoV)(void);
+struct _thread_argsV
+{
+ _thread_protoV fn;
+};
+static void *run_thread_wrapV(struct _thread_argsV *args)
+{
+ (*args->fn)();
+ return NULL;
+}
+
+static void run_threadV(_thread_protoV fn)
+{
+ pthread_t tid;
+
+ pthread_create(&tid, NULL, (_thread_proto)run_thread_wrapV,
+ &(struct _thread_argsV){fn});
+ pthread_join(tid, NULL);
+}
+#endif
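Review bot: The `pthread_create(&tid, NULL, fn, arg);` call in run_threadP is not checked, so when thread creation fails (EAGAIN, resource limits) `pthread_join(tid, &ret)` runs on an indeterminate `tid` and the indeterminate `ret` is handed back to the caller as if it were the wrapped function's result; run_threadPI and run_threadV have the same gap. Guard the create call, e.g. `if(pthread_create(&tid, NULL, fn, arg) != 0) return NULL;` (run_threadV just returns), so a failed executor is reported instead of yielding garbage. A smaller nit: `_thread_proto`, `_thread_argsPI` and the other file-scope names beginning with an underscore sit in the identifier space reserved for the implementation.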

@ -0,0 +1,87 @@
From: Daniel-Constantin Mierla <miconda@gmail.com>
Date: Tue, 6 Feb 2024 14:24:08 +0100
Subject: core: added tls_threads_mode global parameter
- control how to execute functions that may be using libssl3 behind
---
src/core/cfg.lex | 2 ++
src/core/cfg.y | 9 +++++++++
src/core/globals.h | 1 +
src/main.c | 5 +++--
4 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/core/cfg.lex b/src/core/cfg.lex
index 82278d5..d342aa5 100644
--- a/src/core/cfg.lex
+++ b/src/core/cfg.lex
@@ -439,6 +439,7 @@ TCP_WAIT_DATA "tcp_wait_data"
TCP_SCRIPT_MODE "tcp_script_mode"
DISABLE_TLS "disable_tls"|"tls_disable"
ENABLE_TLS "enable_tls"|"tls_enable"
+TLS_THREADS_MODE "tls_threads_mode"
TLSLOG "tlslog"|"tls_log"
TLS_PORT_NO "tls_port_no"
TLS_METHOD "tls_method"
@@ -953,6 +954,7 @@ IMPORTFILE "import_file"
<INITIAL>{TCP_SCRIPT_MODE} { count(); yylval.strval=yytext; return TCP_SCRIPT_MODE; }
<INITIAL>{DISABLE_TLS} { count(); yylval.strval=yytext; return DISABLE_TLS; }
<INITIAL>{ENABLE_TLS} { count(); yylval.strval=yytext; return ENABLE_TLS; }
+<INITIAL>{TLS_THREADS_MODE} { count(); yylval.strval=yytext; return TLS_THREADS_MODE; }
<INITIAL>{TLSLOG} { count(); yylval.strval=yytext; return TLS_PORT_NO; }
<INITIAL>{TLS_PORT_NO} { count(); yylval.strval=yytext; return TLS_PORT_NO; }
<INITIAL>{TLS_METHOD} { count(); yylval.strval=yytext; return TLS_METHOD; }
diff --git a/src/core/cfg.y b/src/core/cfg.y
index 1f2ad7f..412fe5d 100644
--- a/src/core/cfg.y
+++ b/src/core/cfg.y
@@ -469,6 +469,7 @@ extern char *default_routename;
%token TCP_SCRIPT_MODE
%token DISABLE_TLS
%token ENABLE_TLS
+%token TLS_THREADS_MODE
%token TLSLOG
%token TLS_PORT_NO
%token TLS_METHOD
@@ -1440,6 +1441,14 @@ assign_stm:
#endif
}
| ENABLE_TLS EQUAL error { yyerror("boolean value expected"); }
+ | TLS_THREADS_MODE EQUAL NUMBER {
+ #ifdef USE_TLS
+ ksr_tls_threads_mode = $3;
+ #else
+ warn("tls support not compiled in");
+ #endif
+ }
+ | TLS_THREADS_MODE EQUAL error { yyerror("int value expected"); }
| TLSLOG EQUAL NUMBER {
#ifdef CORE_TLS
tls_log=$3;
diff --git a/src/core/globals.h b/src/core/globals.h
index 207205c..0487a31 100644
--- a/src/core/globals.h
+++ b/src/core/globals.h
@@ -108,6 +108,7 @@ extern int ksr_tcp_script_mode;
#ifdef USE_TLS
extern int tls_disable;
extern unsigned short tls_port_no;
+extern int ksr_tls_threads_mode;
#endif
#ifdef USE_SCTP
extern int sctp_disable;
diff --git a/src/main.c b/src/main.c
index 8e34285..f7cb643 100644
--- a/src/main.c
+++ b/src/main.c
@@ -326,8 +326,9 @@ int tcp_disable = 0; /* 1 if tcp is disabled */
int tls_disable = 0; /* tls enabled by default */
#else
int tls_disable = 1; /* tls disabled by default */
-#endif /* CORE_TLS */
-#endif /* USE_TLS */
+#endif /* CORE_TLS */
+int ksr_tls_threads_mode = 0; /* threads execution mode for tls with libssl */
+#endif /* USE_TLS */
#ifdef USE_SCTP
int sctp_children_no = 0;
int sctp_disable = 2; /* 1 if sctp is disabled, 2 if auto mode, 0 enabled */
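Review bot: The `TLS_THREADS_MODE EQUAL NUMBER` action in cfg.y stores `$3` into `ksr_tls_threads_mode` with no range check, so a config typo such as `tls_threads_mode=12` is accepted silently and its effect is whatever the consumers of the value do with an unknown mode. Only the modes this series defines (0, 1, 2) are meaningful, so reject anything else at parse time, e.g. `if($3 < 0 || $3 > 2) { yyerror("tls_threads_mode: value out of range"); }` before the assignment, or at least warn. Unrelated to this change, the neighbouring context line in cfg.lex `<INITIAL>{TLSLOG} { ... return TLS_PORT_NO; }` appears to return the wrong token for `tlslog` and deserves a separate look.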

@ -0,0 +1,74 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Tue, 6 Feb 2024 00:22:52 +0800
Subject: core/rthread.h: add prototype for db queries
(cherry-pick from ba921b2112e87625fba5789d1b049161bb611073)
---
src/core/rthreads.h | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 57 insertions(+)
diff --git a/src/core/rthreads.h b/src/core/rthreads.h
index a5ad767..a416ad2 100644
--- a/src/core/rthreads.h
+++ b/src/core/rthreads.h
@@ -98,3 +98,60 @@ static void run_threadV(_thread_protoV fn)
pthread_join(tid, NULL);
}
#endif
+
+/*
+ * prototype: int fn(void *, void *) { ... }
+ */
+#ifdef KSR_RTHREAD_NEED_4PP
+typedef int (*_thread_proto4PP)(void *, void *);
+struct _thread_args4PP
+{
+ _thread_proto4PP fn;
+ void *arg1;
+ void *arg2;
+ int *ret;
+};
+static void *run_thread_wrap4PP(struct _thread_args4PP *args)
+{
+ *args->ret = (*args->fn)(args->arg1, args->arg2);
+ return NULL;
+}
+
+static int run_thread4PP(_thread_proto4PP fn, void *arg1, void *arg2)
+{
+ pthread_t tid;
+ int ret;
+
+ pthread_create(&tid, NULL, (_thread_proto)run_thread_wrap4PP,
+ &(struct _thread_args4PP){fn, arg1, arg2, &ret});
+ pthread_join(tid, NULL);
+
+ return ret;
+}
+#endif
+
+/*
+ * prototype: void fn(void *) { ... }
+ */
+#ifdef KSR_RTHREAD_NEED_0P
+typedef void (*_thread_proto0P)(void *);
+struct _thread_args0P
+{
+ _thread_proto0P fn;
+ void *arg1;
+};
+static void *run_thread_wrap0P(struct _thread_args0P *args)
+{
+ (*args->fn)(args->arg1);
+ return NULL;
+}
+
+static void run_thread0P(_thread_proto0P fn, void *arg1)
+{
+ pthread_t tid;
+
+ pthread_create(&tid, NULL, (_thread_proto)run_thread_wrap0P,
+ &(struct _thread_args0P){fn, arg1});
+ pthread_join(tid, NULL);
+}
+#endif
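Review bot: In run_thread4PP `int ret;` is never initialised and is only written by the worker thread, so if `pthread_create()` fails the function returns an indeterminate value that callers will interpret as a query status. Initialise it to a failure code and check the create result: `int ret = -1;` and `if(pthread_create(...) != 0) return -1;` (run_thread0P has no result but should likewise skip the `pthread_join` on failure). Passing `&ret` from this frame to the worker is sound here only because the join precedes leaving the frame; a one-line comment stating that invariant would protect it from future refactoring.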

@ -0,0 +1,84 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Mon, 4 Mar 2024 21:49:10 +0800
Subject: core/rthreads.h: add new option tls_threads_mode = 2
- add global handling of thread-locals with
tls_threads_mode = 2
- this will run a pthread_atfork handler to reset
all thread-locals to 0x0
- alternative solution to running functions
in thread executors
- requires tls.so to be loaded to be effective
(cherry picked from commit e7f040f219b46592081a6053b4ed1ae0d0552b1a)
---
src/core/rthreads.h | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/core/rthreads.h b/src/core/rthreads.h
index 0f4f0cf..6fee4d0 100644
--- a/src/core/rthreads.h
+++ b/src/core/rthreads.h
@@ -40,7 +40,7 @@ static void *run_threadP(_thread_proto fn, void *arg)
pthread_t tid;
void *ret;
- if(likely(ksr_tls_threads_mode == 0
+ if(likely(ksr_tls_threads_mode == 0 || ksr_tls_threads_mode == 2
|| (ksr_tls_threads_mode == 1 && process_no > 0))) {
return fn(arg);
}
@@ -77,7 +77,7 @@ static void *run_threadPI(_thread_protoPI fn, void *arg1, int arg2)
pthread_t tid;
void *ret;
- if(likely(ksr_tls_threads_mode == 0
+ if(likely(ksr_tls_threads_mode == 0 || ksr_tls_threads_mode == 2
|| (ksr_tls_threads_mode == 1 && process_no > 0))) {
return fn(arg1, arg2);
}
@@ -113,7 +113,7 @@ static void run_threadV(_thread_protoV fn)
#ifdef USE_TLS
pthread_t tid;
- if(likely(ksr_tls_threads_mode == 0
+ if(likely(ksr_tls_threads_mode == 0 || ksr_tls_threads_mode == 2
|| (ksr_tls_threads_mode == 1 && process_no > 0))) {
fn();
return;
@@ -152,7 +152,7 @@ static int run_thread4PP(_thread_proto4PP fn, void *arg1, void *arg2)
pthread_t tid;
int ret;
- if(likely(ksr_tls_threads_mode == 0
+ if(likely(ksr_tls_threads_mode == 0 || ksr_tls_threads_mode == 2
|| (ksr_tls_threads_mode == 1 && process_no > 0))) {
return fn(arg1, arg2);
}
@@ -188,7 +188,7 @@ static void run_thread0P(_thread_proto0P fn, void *arg1)
#ifdef USE_TLS
pthread_t tid;
- if(likely(ksr_tls_threads_mode == 0
+ if(likely(ksr_tls_threads_mode == 0 || ksr_tls_threads_mode == 2
|| (ksr_tls_threads_mode == 1 && process_no > 0))) {
fn(arg1);
return;
@@ -240,7 +240,7 @@ static int run_thread4P5I2P2(_thread_proto4P5I2P2 fn, void *arg1, void *arg2,
pthread_t tid;
int ret;
- if(likely(ksr_tls_threads_mode == 0
+ if(likely(ksr_tls_threads_mode == 0 || ksr_tls_threads_mode == 2
|| (ksr_tls_threads_mode == 1 && process_no > 0))) {
return fn(arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9);
}
@@ -278,7 +278,7 @@ static int run_thread4L(_thread_proto4L fn, long arg1)
pthread_t tid;
int ret;
- if(likely(ksr_tls_threads_mode == 0
+ if(likely(ksr_tls_threads_mode == 0 || ksr_tls_threads_mode == 2
|| (ksr_tls_threads_mode == 1 && process_no > 0))) {
return fn(arg1);
}
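Review bot: With this change a mode of 2 is treated exactly like 0 in every wrapper (direct call), yet the earlier patch in this series documents `2: always run wrapped function in thread`, and rthreads.h itself still carries no description of the modes, so a reader of the header cannot tell that 2 relies on a pthread_atfork handler installed by tls.so. Add a short comment block next to the `#include "./globals.h"` line describing `ksr_tls_threads_mode` values 0 (direct call), 1 (thread executor in process 0 only) and 2 (direct call, thread-locals reset by the tls module's fork handler; no effect unless tls.so is loaded). Any other value, negative or greater than 2, still falls through to the thread path without a diagnostic. The bodies of run_threadP and the other wrappers begin outside their hunks.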

@ -0,0 +1,55 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Tue, 27 Feb 2024 05:00:35 +0800
Subject: core/rthreads.h: add thread executor for curl_global_init()
Cherry-pick from db05449932
---
src/core/rthreads.h | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/src/core/rthreads.h b/src/core/rthreads.h
index e96f45c..0f4f0cf 100644
--- a/src/core/rthreads.h
+++ b/src/core/rthreads.h
@@ -254,3 +254,41 @@ static int run_thread4P5I2P2(_thread_proto4P5I2P2 fn, void *arg1, void *arg2,
#endif
}
#endif
+
+/*
+ * prototype: CURLcode curl_global_init(long flags) { ... }
+ */
+#ifdef KSR_RTHREAD_NEED_4L
+typedef int (*_thread_proto4L)(long);
+struct _thread_args4L
+{
+ _thread_proto4L fn;
+ long arg1;
+ int *ret;
+};
+static void *run_thread_wrap4L(struct _thread_args4L *args)
+{
+ *args->ret = (*args->fn)(args->arg1);
+ return NULL;
+}
+
+static int run_thread4L(_thread_proto4L fn, long arg1)
+{
+#ifdef USE_TLS
+ pthread_t tid;
+ int ret;
+
+ if(likely(ksr_tls_threads_mode == 0
+ || (ksr_tls_threads_mode == 1 && process_no > 0))) {
+ return fn(arg1);
+ }
+ pthread_create(&tid, NULL, (_thread_proto)run_thread_wrap4L,
+ &(struct _thread_args4L){fn, arg1, &ret});
+ pthread_join(tid, NULL);
+
+ return ret;
+#else
+ return fn(arg1)
+#endif
+}
+#endif
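Review bot: The `#else` branch of run_thread4L reads `return fn(arg1)` with no terminating semicolon, so any build without `USE_TLS` stops compiling as soon as `KSR_RTHREAD_NEED_4L` is defined; it must be `return fn(arg1);`. The same slip is present in the use-global patch of this series, where run_thread0P's `#else` branch became `fn(arg1)` after the removed line had carried the semicolon. As in the other wrappers, `int ret;` is also returned uninitialised when `pthread_create()` fails.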

@ -0,0 +1,68 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Thu, 8 Feb 2024 07:30:48 +0800
Subject: core/rthreads.h: thread wrapper for db_XXXX_query
---
src/core/rthreads.h | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
diff --git a/src/core/rthreads.h b/src/core/rthreads.h
index add3426..fa60cce 100644
--- a/src/core/rthreads.h
+++ b/src/core/rthreads.h
@@ -195,3 +195,55 @@ static void run_thread0P(_thread_proto0P fn, void *arg1)
#endif /* USE_TLS */
}
#endif
+
+/*
+ * prototype:
+ * db_unixodbc_query(const db1_con_t *_h, const db_key_t *_k,
+ * const db_op_t *_op, const db_val_t *_v, const db_key_t *_c,
+ * const int _n, const int _nc, const db_key_t _o, db1_res_t **_r)
+ */
+#ifdef KSR_RTHREAD_NEED_4P5I2P2
+typedef int (*_thread_proto4P5I2P2)(
+ void *, void *, void *, void *, void *, int, int, void *, void *);
+struct _thread_args4P5I2P2
+{
+ _thread_proto4P5I2P2 fn;
+ void *arg1;
+ void *arg2;
+ void *arg3;
+ void *arg4;
+ void *arg5;
+ int arg6;
+ int arg7;
+ void *arg8;
+ void *arg9;
+ int *ret;
+};
+static void *run_thread_wrap4P5I2P2(struct _thread_args4P5I2P2 *args)
+{
+ *args->ret = (*args->fn)(args->arg1, args->arg2, args->arg3, args->arg4,
+ args->arg5, args->arg6, args->arg7, args->arg8, args->arg9);
+ return NULL;
+}
+
+static int run_thread4P5I2P2(_thread_proto4P5I2P2 fn, void *arg1, void *arg2,
+ void *arg3, void *arg4, void *arg5, int arg6, int arg7, void *arg8,
+ void *arg9)
+{
+#ifdef USE_TLS
+ pthread_t tid;
+ int ret;
+
+ if(likely(process_no)) {
+ return fn(arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9);
+ }
+ pthread_create(&tid, NULL, (_thread_proto)run_thread_wrap4P5I2P2,
+ &(struct _thread_args4P5I2P2){fn, arg1, arg2, arg3, arg4, arg5,
+ arg6, arg7, arg8, arg9, &ret});
+ pthread_join(tid, NULL);
+ return ret;
+#else
+ return fn(arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9);
+#endif
+}
+#endif
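Review bot: `run_thread_wrap4P5I2P2` is declared as taking a `struct _thread_args4P5I2P2 *` but is handed to `pthread_create` through a `(_thread_proto)` cast, so it is invoked through a function pointer of an incompatible type; that is undefined behaviour in C even though it works on the usual ABIs, and the same cast is applied to run_thread_wrapPI, run_thread_wrapV, run_thread_wrap4PP and run_thread_wrap0P. The clean form takes `void *` and converts inside, `static void *run_thread_wrap4P5I2P2(void *p) { struct _thread_args4P5I2P2 *args = p;` followed by the existing body, after which the cast at the call site can be dropped. The header comment naming db_unixodbc_query is also misleading once db_mysql_query uses the same wrapper; describe the argument shape generically.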

@ -0,0 +1,125 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Sun, 11 Feb 2024 12:05:53 +0800
Subject: core/rthreads.h: use global ksr_tls_threads_mode to constrain thread
wrapping
- 0: run wrapped function directly
- 1: run wrapped function in thread for process#0 else run directly
- 2: always run wrapped function in thread
---
src/core/rthreads.h | 33 ++++++++++++++++++++-------------
1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/src/core/rthreads.h b/src/core/rthreads.h
index fa60cce..e96f45c 100644
--- a/src/core/rthreads.h
+++ b/src/core/rthreads.h
@@ -27,6 +27,7 @@
*/
#include <pthread.h>
+#include "./globals.h"
/*
* prototype: void *fn(void *arg) { ... }
*/
@@ -39,9 +40,11 @@ static void *run_threadP(_thread_proto fn, void *arg)
pthread_t tid;
void *ret;
- if(likely(process_no)) {
+ if(likely(ksr_tls_threads_mode == 0
+ || (ksr_tls_threads_mode == 1 && process_no > 0))) {
return fn(arg);
}
+
pthread_create(&tid, NULL, fn, arg);
pthread_join(tid, &ret);
@@ -73,7 +76,9 @@ static void *run_threadPI(_thread_protoPI fn, void *arg1, int arg2)
#ifdef USE_TLS
pthread_t tid;
void *ret;
- if(likely(process_no)) {
+
+ if(likely(ksr_tls_threads_mode == 0
+ || (ksr_tls_threads_mode == 1 && process_no > 0))) {
return fn(arg1, arg2);
}
@@ -84,7 +89,7 @@ static void *run_threadPI(_thread_protoPI fn, void *arg1, int arg2)
return ret;
#else
return fn(arg1, arg2);
-#endif /* USE_TLS */
+#endif
}
#endif
@@ -107,18 +112,19 @@ static void run_threadV(_thread_protoV fn)
{
#ifdef USE_TLS
pthread_t tid;
- if(likely(process_no)) {
+
+ if(likely(ksr_tls_threads_mode == 0
+ || (ksr_tls_threads_mode == 1 && process_no > 0))) {
fn();
return;
}
-
pthread_create(&tid, NULL, (_thread_proto)run_thread_wrapV,
&(struct _thread_argsV){fn});
pthread_join(tid, NULL);
#else
fn();
-#endif /* USE_TLS */
+#endif
}
#endif
@@ -146,10 +152,10 @@ static int run_thread4PP(_thread_proto4PP fn, void *arg1, void *arg2)
pthread_t tid;
int ret;
- if(likely(process_no)) {
+ if(likely(ksr_tls_threads_mode == 0
+ || (ksr_tls_threads_mode == 1 && process_no > 0))) {
return fn(arg1, arg2);
}
-
pthread_create(&tid, NULL, (_thread_proto)run_thread_wrap4PP,
&(struct _thread_args4PP){fn, arg1, arg2, &ret});
pthread_join(tid, NULL);
@@ -182,17 +188,17 @@ static void run_thread0P(_thread_proto0P fn, void *arg1)
#ifdef USE_TLS
pthread_t tid;
- if(likely(process_no)) {
+ if(likely(ksr_tls_threads_mode == 0
+ || (ksr_tls_threads_mode == 1 && process_no > 0))) {
fn(arg1);
return;
}
-
pthread_create(&tid, NULL, (_thread_proto)run_thread_wrap0P,
&(struct _thread_args0P){fn, arg1});
pthread_join(tid, NULL);
#else
- fn(arg1);
-#endif /* USE_TLS */
+ fn(arg1)
+#endif
}
#endif
@@ -234,7 +240,8 @@ static int run_thread4P5I2P2(_thread_proto4P5I2P2 fn, void *arg1, void *arg2,
pthread_t tid;
int ret;
- if(likely(process_no)) {
+ if(likely(ksr_tls_threads_mode == 0
+ || (ksr_tls_threads_mode == 1 && process_no > 0))) {
return fn(arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9);
}
pthread_create(&tid, NULL, (_thread_proto)run_thread_wrap4P5I2P2,
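Review bot: The condition `ksr_tls_threads_mode == 0 || (ksr_tls_threads_mode == 1 && process_no > 0)` sends every value other than 0 and 1, including negatives from a config typo, down the thread-executor path with no diagnostic, so a mistyped mode silently changes how libssl is initialised. Either validate the value where the config is parsed or normalise it here, treating unknown values as the default. The `#endif /* USE_TLS */` labels were also trimmed to bare `#endif` in run_threadPI, run_threadV and run_thread0P; in a header with nested conditionals those labels are worth keeping.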

@ -0,0 +1,122 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Tue, 6 Feb 2024 19:31:49 +0800
Subject: core/rthreads.h: use thread wrappers only for process#0
- for process#0 use threads to avoid initializing libssl thread-locals in thread#1
- for process_no > 0 revert to standard behaviour and reduce
overhead of creating threads
---
src/core/rthreads.h | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/src/core/rthreads.h b/src/core/rthreads.h
index a416ad2..add3426 100644
--- a/src/core/rthreads.h
+++ b/src/core/rthreads.h
@@ -35,13 +35,20 @@ typedef void *(*_thread_proto)(void *);
#ifndef KSR_RTHREAD_SKIP_P
static void *run_threadP(_thread_proto fn, void *arg)
{
+#ifdef USE_TLS
pthread_t tid;
void *ret;
+ if(likely(process_no)) {
+ return fn(arg);
+ }
pthread_create(&tid, NULL, fn, arg);
pthread_join(tid, &ret);
return ret;
+#else
+ return fn(arg);
+#endif /* USE_TLS */
}
#endif
@@ -63,14 +70,21 @@ static void *run_thread_wrapPI(struct _thread_argsPI *args)
static void *run_threadPI(_thread_protoPI fn, void *arg1, int arg2)
{
+#ifdef USE_TLS
pthread_t tid;
void *ret;
+ if(likely(process_no)) {
+ return fn(arg1, arg2);
+ }
pthread_create(&tid, NULL, (_thread_proto)&run_thread_wrapPI,
&(struct _thread_argsPI){fn, arg1, arg2});
pthread_join(tid, &ret);
return ret;
+#else
+ return fn(arg1, arg2);
+#endif /* USE_TLS */
}
#endif
@@ -91,11 +105,20 @@ static void *run_thread_wrapV(struct _thread_argsV *args)
static void run_threadV(_thread_protoV fn)
{
+#ifdef USE_TLS
pthread_t tid;
+ if(likely(process_no)) {
+ fn();
+ return;
+ }
+
pthread_create(&tid, NULL, (_thread_proto)run_thread_wrapV,
&(struct _thread_argsV){fn});
pthread_join(tid, NULL);
+#else
+ fn();
+#endif /* USE_TLS */
}
#endif
@@ -119,14 +142,22 @@ static void *run_thread_wrap4PP(struct _thread_args4PP *args)
static int run_thread4PP(_thread_proto4PP fn, void *arg1, void *arg2)
{
+#ifdef USE_TLS
pthread_t tid;
int ret;
+ if(likely(process_no)) {
+ return fn(arg1, arg2);
+ }
+
pthread_create(&tid, NULL, (_thread_proto)run_thread_wrap4PP,
&(struct _thread_args4PP){fn, arg1, arg2, &ret});
pthread_join(tid, NULL);
return ret;
+#else
+ return fn(arg1, arg2);
+#endif
}
#endif
@@ -148,10 +179,19 @@ static void *run_thread_wrap0P(struct _thread_args0P *args)
static void run_thread0P(_thread_proto0P fn, void *arg1)
{
+#ifdef USE_TLS
pthread_t tid;
+ if(likely(process_no)) {
+ fn(arg1);
+ return;
+ }
+
pthread_create(&tid, NULL, (_thread_proto)run_thread_wrap0P,
&(struct _thread_args0P){fn, arg1});
pthread_join(tid, NULL);
+#else
+ fn(arg1);
+#endif /* USE_TLS */
}
#endif
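Review bot: rthreads.h now references `process_no` and `likely()` but includes only `<pthread.h>`, so it compiles only when the including translation unit has already pulled in the core headers that declare them (the `#include "./globals.h"` arrives only in a later patch of this series). A header should be self-contained; add the include that provides `process_no` and `likely` here, or document the prerequisite at the top of the file. Minor: the `#endif` closing the `USE_TLS` block in run_thread4PP lacks the `/* USE_TLS */` label the other four wrappers carry.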

@ -0,0 +1,67 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Tue, 30 Jan 2024 16:49:32 +0800
Subject: db_mysql: backport - no TLS with MariaDB Connector/C
- GH #3735
- includes compilation and stretch fixes
- emulate SSL_MODE_XXX from MySQL
- opt_ssl_mode:
- 0|1(off)
- 2|3|4(MYSQL_OPT_SSL_ENFORCE)
- 5(MYSQL_OPT_SSL_VERIFY_SERVER_CERT)
---
src/modules/db_mysql/km_my_con.c | 34 ++++++++++++++++++++++++++++++++--
1 file changed, 32 insertions(+), 2 deletions(-)
diff --git a/src/modules/db_mysql/km_my_con.c b/src/modules/db_mysql/km_my_con.c
index d3f5710..b4c4dca 100644
--- a/src/modules/db_mysql/km_my_con.c
+++ b/src/modules/db_mysql/km_my_con.c
@@ -116,7 +116,36 @@ struct my_con *db_mysql_new_connection(const struct db_id *id)
(const void *)&db_mysql_timeout_interval);
mysql_options(ptr->con, MYSQL_OPT_WRITE_TIMEOUT,
(const void *)&db_mysql_timeout_interval);
-#if MYSQL_VERSION_ID > 50710 && !defined(MARIADB_BASE_VERSION)
+
+#ifdef MARIADB_BASE_VERSION
+ /*
+ * emulate SSL_MODE_XXXX from MySQL
+ */
+
+ switch(db_mysql_opt_ssl_mode) {
+ case 0: /* opt_ssl_mode = 0(off) */
+ case 1: /* SSL_MODE_DISABLED */
+ break;
+ case 2: /* SSL_MODE_PREFERRED */
+ case 3: /* SSL_MODE_REQUIRED */
+ case 4: /* SSL_MODE_VERIFY_CA */
+#if MYSQL_VERSION_ID >= 100339
+ mysql_options(ptr->con, MYSQL_OPT_SSL_ENFORCE, (void *)&(int){1});
+#else
+ LM_WARN("ssl mode not supported by %s\n", MARIADB_BASE_VERSION);
+#endif
+ break;
+ case 5: /* SSL_MODE_VERIFY_IDENTITY */
+ mysql_options(ptr->con, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+ (void *)&(int){1});
+ break;
+ default:
+ LM_WARN("opt_ssl_mode = %d not supported by MariaDB Connector/C\n",
+ db_mysql_opt_ssl_mode);
+ break;
+ }
+#else
+#if MYSQL_VERSION_ID > 50710
if(db_mysql_opt_ssl_mode != 0) {
unsigned int optuint = 0;
if(db_mysql_opt_ssl_mode == 1) {
@@ -136,7 +165,8 @@ struct my_con *db_mysql_new_connection(const struct db_id *id)
"ignoring\n",
(unsigned int)db_mysql_opt_ssl_mode);
}
-#endif
+#endif /* MYSQL_VERSION_ID */
+#endif /* MARIADB_BASE_VERSION */
#if MYSQL_VERSION_ID > 50012
/* set reconnect flag if enabled */
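Review bot: In the MariaDB emulation switch, `case 4: /* SSL_MODE_VERIFY_CA */` shares the `MYSQL_OPT_SSL_ENFORCE` branch with modes 2 and 3, so a deployment that configured `opt_ssl_mode = 4` expecting the server certificate to be checked against the CA gets an encrypted but unverified connection, a silent weakening of the configured policy. Consider also setting `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` for mode 4 as is done for 5, or at least `LM_WARN("opt_ssl_mode = 4: CA verification not emulated, enforcing TLS only\n");`. Likewise the `#else` branch that only warns when `MYSQL_OPT_SSL_ENFORCE` is unavailable lets the connection proceed in plaintext for modes 3 and 4, which the operator asked to be TLS-required; failing the connection there would be the safer default. Mode 2 (PREFERRED) mapped to ENFORCE is stricter than MySQL's semantics and deserves a line in the module docs.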

@ -0,0 +1,43 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Tue, 6 Feb 2024 00:29:41 +0800
Subject: db_mysql: handle SSL and submit query
(cherry-pick from 51d9f92eca3ef1044052581c9438af6e643652a1)
---
src/modules/db_mysql/km_dbase.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/modules/db_mysql/km_dbase.c b/src/modules/db_mysql/km_dbase.c
index 9cd238b..e86e4a0 100644
--- a/src/modules/db_mysql/km_dbase.c
+++ b/src/modules/db_mysql/km_dbase.c
@@ -38,6 +38,8 @@
#include "../../core/mem/mem.h"
#include "../../core/dprint.h"
#include "../../core/async_task.h"
+
+#define KSR_RTHREAD_NEED_4PP
#include "../../core/rthreads.h"
#include "../../lib/srdb1/db_query.h"
#include "../../lib/srdb1/db_ut.h"
@@ -67,7 +69,7 @@ static char *mysql_sql_buf;
* \param _s executed query
* \return zero on success, negative value on failure
*/
-static int db_mysql_submit_query(const db1_con_t *_h, const str *_s)
+static int db_mysql_submit_query_impl(const db1_con_t *_h, const str *_s)
{
time_t t;
int i, code;
@@ -128,6 +130,11 @@ static int db_mysql_submit_query(const db1_con_t *_h, const str *_s)
}
+static int db_mysql_submit_query(const db1_con_t *_h, const str *_s)
+{
+ return run_thread4PP((_thread_proto4PP)db_mysql_submit_query_impl,
+ (void *)_h, (void *)_s);
+}
/**
*
*/
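Review bot: The doxygen block now documents `db_mysql_submit_query_impl`, while the new public `db_mysql_submit_query` that the rest of the module calls has no comment explaining why it detours through `run_thread4PP`. Add above the wrapper: `/* libssl thread guard: runs db_mysql_submit_query_impl via run_thread4PP (per ksr_tls_threads_mode) so SSL thread-locals are not created in the calling thread */`. The cast `(_thread_proto4PP)db_mysql_submit_query_impl` also discards the `const` on both parameters and calls through an incompatible function type; a small `void *`-typed thunk would avoid both.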

@ -0,0 +1,46 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Thu, 1 Feb 2024 10:05:39 +0800
Subject: db_mysql: init libssl in a thread
From
- 5dffb934a2f7f986fdc09e433833991c54612646
- 733a268114261d49ed11aec83fe39ea8c34a0b69
---
src/modules/db_mysql/km_dbase.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/modules/db_mysql/km_dbase.c b/src/modules/db_mysql/km_dbase.c
index 577f3dc..9cd238b 100644
--- a/src/modules/db_mysql/km_dbase.c
+++ b/src/modules/db_mysql/km_dbase.c
@@ -38,6 +38,7 @@
#include "../../core/mem/mem.h"
#include "../../core/dprint.h"
#include "../../core/async_task.h"
+#include "../../core/rthreads.h"
#include "../../lib/srdb1/db_query.h"
#include "../../lib/srdb1/db_ut.h"
#include "db_mysql.h"
@@ -197,8 +198,10 @@ static char *db_mysql_tquote = "`";
* No function should be called before this
* \param _url URL used for initialization
* \return zero on success, negative value on failure
+ *
+ * Init libssl in a thread
*/
-db1_con_t *db_mysql_init(const str *_url)
+static db1_con_t *db_mysql_init0(const str *_url)
{
db1_con_t *c;
c = db_do_init(_url, (void *)db_mysql_new_connection);
@@ -208,6 +211,10 @@ db1_con_t *db_mysql_init(const str *_url)
}
+db1_con_t *db_mysql_init(const str *_url)
+{
+ return run_threadP((_thread_proto)db_mysql_init0, (void *)_url);
+}
/**
* Shut down the database module.
* No function should be called after this
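Review bot: `db_mysql_init` returns whatever `run_threadP` hands back, and in this series' rthreads.h the result of `pthread_create()` is not checked, so a failed thread creation in process 0 would surface here as an indeterminate `db1_con_t *` rather than NULL; the fix belongs in run_threadP (return NULL on a failed create) but this caller is where the damage would land. Naming is also inconsistent: this patch uses `db_mysql_init0` while the sibling wrappers use the `_impl` suffix (`db_mysql_submit_query_impl`, `db_mysql_close_impl`); `db_mysql_init_impl` would match. The doxygen comment now sits on the static helper while the exported `db_mysql_init` has none.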

@ -0,0 +1,38 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Thu, 8 Feb 2024 12:50:03 +0800
Subject: db_mysql: libssl thread guard for db_mysql_close
---
src/modules/db_mysql/km_dbase.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/modules/db_mysql/km_dbase.c b/src/modules/db_mysql/km_dbase.c
index e86e4a0..7b65c0a 100644
--- a/src/modules/db_mysql/km_dbase.c
+++ b/src/modules/db_mysql/km_dbase.c
@@ -40,6 +40,7 @@
#include "../../core/async_task.h"
#define KSR_RTHREAD_NEED_4PP
+#define KSR_RTHREAD_NEED_0P
#include "../../core/rthreads.h"
#include "../../lib/srdb1/db_query.h"
#include "../../lib/srdb1/db_ut.h"
@@ -228,11 +229,16 @@ db1_con_t *db_mysql_init(const str *_url)
* \param _h handle to the closed connection
* \return zero on success, negative value on failure
*/
-void db_mysql_close(db1_con_t *_h)
+static void db_mysql_close_impl(db1_con_t *_h)
{
db_do_close(_h, db_mysql_free_connection);
}
+void db_mysql_close(db1_con_t *_h)
+{
+ run_thread0P((_thread_proto0P)db_mysql_close_impl, _h);
+}
+
/**
* Retrieve a result set
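Review bot: The doxygen block ending in `\return zero on success, negative value on failure` now documents the static `db_mysql_close_impl`, leaving the exported `db_mysql_close` that the DB API binds without a comment; a short one such as `/* libssl thread guard around db_mysql_close_impl; see rthreads.h */` keeps the public API documented. The `\return` line was already wrong for a `void` function before this change and could be dropped while the block is being touched.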

@ -0,0 +1,56 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Wed, 14 Feb 2024 19:49:10 +0800
Subject: db_mysql: libssl thread guard for db_mysql_query (and
libmysqlclient)
This function is observed to call SSL_read() when compiled with
libmysqlclient.so.21 (but not libmariadb.so.3).
Apply a thread executor just in case.
Cherry-pick from 1e42364451
---
src/modules/db_mysql/km_dbase.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/src/modules/db_mysql/km_dbase.c b/src/modules/db_mysql/km_dbase.c
index 7b65c0a..91ace58 100644
--- a/src/modules/db_mysql/km_dbase.c
+++ b/src/modules/db_mysql/km_dbase.c
@@ -41,6 +41,7 @@
#define KSR_RTHREAD_NEED_4PP
#define KSR_RTHREAD_NEED_0P
+#define KSR_RTHREAD_NEED_4P5I2P2
#include "../../core/rthreads.h"
#include "../../lib/srdb1/db_query.h"
#include "../../lib/srdb1/db_ut.h"
@@ -348,12 +349,26 @@ int db_mysql_free_result(const db1_con_t *_h, db1_res_t *_r)
* \param _r pointer to a structure representing the result
* \return zero on success, negative value on failure
*/
+
+/*
+ * this function observed to invoke SSL_read() under libmysqlclient.so.21
+ * but not libmariadb.so.3; apply libssl guard
+ */
+static int db_mysql_query_impl(const db1_con_t *_h, const db_key_t *_k,
+ const db_op_t *_op, const db_val_t *_v, const db_key_t *_c,
+ const int _n, const int _nc, const db_key_t _o, db1_res_t **_r)
+{
+ return db_do_query(_h, _k, _op, _v, _c, _n, _nc, _o, _r, db_mysql_val2str,
+ db_mysql_submit_query, db_mysql_store_result);
+}
+
int db_mysql_query(const db1_con_t *_h, const db_key_t *_k, const db_op_t *_op,
const db_val_t *_v, const db_key_t *_c, const int _n, const int _nc,
const db_key_t _o, db1_res_t **_r)
{
- return db_do_query(_h, _k, _op, _v, _c, _n, _nc, _o, _r, db_mysql_val2str,
- db_mysql_submit_query, db_mysql_store_result);
+ return run_thread4P5I2P2((_thread_proto4P5I2P2)&db_mysql_query_impl,
+ (void *)_h, (void *)_k, (void *)_op, (void *)_v, (void *)_c, _n,
+ _nc, (void *)_o, (void *)_r);
}
/**
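Review bot: The doxygen block describing `_h`, `_k` through `_r` is now separated from `db_mysql_query` by the new plain comment and `db_mysql_query_impl`, so documentation tools attach it to the impl and the exported `db_mysql_query` ends up undocumented. Move the new `/* this function observed to invoke SSL_read() ... */` comment and `db_mysql_query_impl` above the doxygen block, keeping that block directly on `db_mysql_query`. The `(_thread_proto4P5I2P2)&db_mysql_query_impl` cast also strips `const` from seven pointer parameters, the same incompatible-function-type pattern as the other guards.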

@ -0,0 +1,64 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Wed, 14 Feb 2024 14:15:10 +0800
Subject: db_mysql: new module param opt_ssl_ca to configure CA certs
ERROR: db_mysql [km_my_con.c:200]: db_mysql_new_connection():
driver error: SSL connection error: CA certificate is required
if ssl-mode is VERIFY_CA or VERIFY_IDENTITY
When opt_ssl_mode = 4 | 5 libmysqlclient.so.21
requires that the trusted CAs be configured.
Fixed with:
mysql_options(ptr->con, MYSQL_OPT_SSL_CA, (void *)db_mysql_opt_ssl_ca)
Note: libmariadb.so.3 doesn't require this setting
and uses the system trust store.
Cherry-pick from ea81e6cb8b
---
src/modules/db_mysql/db_mysql.c | 2 ++
src/modules/db_mysql/km_my_con.c | 4 ++++
2 files changed, 6 insertions(+)
diff --git a/src/modules/db_mysql/db_mysql.c b/src/modules/db_mysql/db_mysql.c
index 1a69832..9a7aa86 100644
--- a/src/modules/db_mysql/db_mysql.c
+++ b/src/modules/db_mysql/db_mysql.c
@@ -47,6 +47,7 @@ unsigned int my_server_timezone =
unsigned long my_client_ver = 0;
int db_mysql_unsigned_type = 0;
int db_mysql_opt_ssl_mode = 0;
+char *db_mysql_opt_ssl_ca = NULL;
struct mysql_counters_h mysql_cnts_h;
counter_def_t mysql_cnt_defs[] = {
@@ -100,6 +101,7 @@ static param_export_t params[] = {
{"insert_delayed", INT_PARAM, &db_mysql_insert_all_delayed},
{"update_affected_found", INT_PARAM, &db_mysql_update_affected_found},
{"unsigned_type", PARAM_INT, &db_mysql_unsigned_type},
+ {"opt_ssl_ca", PARAM_STRING, &db_mysql_opt_ssl_ca},
{"opt_ssl_mode", PARAM_INT, &db_mysql_opt_ssl_mode}, {0, 0, 0}};
diff --git a/src/modules/db_mysql/km_my_con.c b/src/modules/db_mysql/km_my_con.c
index b4c4dca..226d724 100644
--- a/src/modules/db_mysql/km_my_con.c
+++ b/src/modules/db_mysql/km_my_con.c
@@ -41,6 +41,7 @@
#include "db_mysql.h"
extern int db_mysql_opt_ssl_mode;
+extern char *db_mysql_opt_ssl_ca;
/*! \brief
* Create a new connection structure,
@@ -167,6 +168,9 @@ struct my_con *db_mysql_new_connection(const struct db_id *id)
}
#endif /* MYSQL_VERSION_ID */
#endif /* MARIADB_BASE_VERSION */
+ if(db_mysql_opt_ssl_ca)
+ mysql_options(
+ ptr->con, MYSQL_OPT_SSL_CA, (const void *)db_mysql_opt_ssl_ca);
#if MYSQL_VERSION_ID > 50012
/* set reconnect flag if enabled */
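Review bot: The return value of the new `mysql_options(ptr->con, MYSQL_OPT_SSL_CA, …)` call in db_mysql_new_connection is discarded, so a client library that does not accept the option only surfaces later as the generic connect error quoted in the patch description; `if(mysql_options(ptr->con, MYSQL_OPT_SSL_CA, (const void *)db_mysql_opt_ssl_ca) != 0) LM_ERR("failed to set MYSQL_OPT_SSL_CA\n");` names the cause (mysql_options() returns zero on success in both libmysqlclient and libmariadb). A short comment next to the call, e.g. `/* CA bundle for opt_ssl_mode 4/5 (VERIFY_CA/VERIFY_IDENTITY) with libmysqlclient; libmariadb uses the system trust store */`, would carry the rationale from the commit message into the code. The body of db_mysql_new_connection continues outside the hunk.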

@ -0,0 +1,44 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Wed, 14 Feb 2024 14:59:52 +0800
Subject: db_mysql: update docs for opt_ssl_ca
Cherry-pick from eafd93f057
---
src/modules/db_mysql/doc/db_mysql_admin.xml | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/src/modules/db_mysql/doc/db_mysql_admin.xml b/src/modules/db_mysql/doc/db_mysql_admin.xml
index 51c9b5b..dceb825 100644
--- a/src/modules/db_mysql/doc/db_mysql_admin.xml
+++ b/src/modules/db_mysql/doc/db_mysql_admin.xml
@@ -211,6 +211,30 @@ modparam("db_mysql", "update_affected_found", 1)
...
modparam("db_mysql", "opt_ssl_mode", 1)
...
+</programlisting>
+ </example>
+ </section>
+ <section id="db_mysql.p.opt_ssl_ca">
+ <title><varname>opt_ssl_ca</varname> (string)</title>
+ <para>
+ Configures the CA certs used to verify the MySQL server cert when
+ SSL is enabled.
+ </para>
+ <para>
+ Required when opt_ssl_mode = 4 or 5 and db_mysql is built
+ with libmysqlclient.
+ </para>
+ <para>
+ <emphasis>
+ Default value is NULL (NULL - not configured).
+ </emphasis>
+ </para>
+ <example>
+ <title>Set <varname>opt_ssl_ca</varname> parameter</title>
+ <programlisting format="linespecific">
+...
+modparam("db_mysql", "opt_ssl_ca", "/etc/ssl/certs/mysql-ca.pem")
+...
</programlisting>
</example>
</section>

@ -0,0 +1,43 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Tue, 6 Feb 2024 00:29:55 +0800
Subject: db_postgres: handle SSL and submit query
(cherry-pick from d638c774ed816eec800e72ba2546004215cfe097)
---
src/modules/db_postgres/km_dbase.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/modules/db_postgres/km_dbase.c b/src/modules/db_postgres/km_dbase.c
index 3d58f1a..7948ff0 100644
--- a/src/modules/db_postgres/km_dbase.c
+++ b/src/modules/db_postgres/km_dbase.c
@@ -44,6 +44,7 @@
#include "../../core/hashes.h"
#include "../../core/clist.h"
#define KSR_RTHREAD_NEED_PI
+#define KSR_RTHREAD_NEED_4PP
#include "../../core/rthreads.h"
#include "km_dbase.h"
#include "km_pg_con.h"
@@ -158,7 +159,7 @@ void db_postgres_close(db1_con_t *_h)
* \param _s query string
* \return 0 on success, negative on failure
*/
-static int db_postgres_submit_query(const db1_con_t *_con, const str *_s)
+static int db_postgres_submit_query_impl(const db1_con_t *_con, const str *_s)
{
char *s = NULL;
int i, retries;
@@ -286,6 +287,12 @@ static int db_postgres_submit_query(const db1_con_t *_con, const str *_s)
return -1;
}
+static int db_postgres_submit_query(const db1_con_t *_con, const str *_s)
+{
+ return run_thread4PP((_thread_proto4PP)db_postgres_submit_query_impl,
+ (void *)_con, (void *)_s);
+}
+
void db_postgres_async_exec_task(void *param)
{
str *p;
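Review bot: The exported `db_postgres_submit_query` wrapper has no comment, while the Doxygen block describing `_con`, `_s` and the return value now sits on the static `_impl`; a one-liner such as `/* thread-guarded entry point (core/rthreads.h); parameters documented on _impl */` keeps the public symbol documented. The arguments `(void *)_con, (void *)_s` cast away `const` from `const db1_con_t *` and `const str *` (-Wcast-qual), and `(_thread_proto4PP)db_postgres_submit_query_impl` presumably gets called through that other pointer type, which C leaves undefined even though it works on the supported ABIs; a tiny `static int` trampoline taking `void *` parameters and forwarding with the proper types would remove both casts. The same pattern recurs in the db_unixodbc submit-query and query wrappers and in the db_mysql_query wrapper, so one fix shape can be reused across the series; the body of `db_postgres_submit_query_impl` lies outside the hunk.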

@ -0,0 +1,64 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Thu, 1 Feb 2024 10:06:11 +0800
Subject: db_postgres: init libssl in a thread
From
- 3426b153d02d9d8d3e909eff9d18cb14108072ca
- 8a1c383f6af5bc0547e32430a4469333160b93e6
---
src/modules/db_postgres/km_dbase.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/src/modules/db_postgres/km_dbase.c b/src/modules/db_postgres/km_dbase.c
index 02cb5c4..3d58f1a 100644
--- a/src/modules/db_postgres/km_dbase.c
+++ b/src/modules/db_postgres/km_dbase.c
@@ -43,6 +43,8 @@
#include "../../core/locking.h"
#include "../../core/hashes.h"
#include "../../core/clist.h"
+#define KSR_RTHREAD_NEED_PI
+#include "../../core/rthreads.h"
#include "km_dbase.h"
#include "km_pg_con.h"
#include "km_val.h"
@@ -108,24 +110,37 @@ static void db_postgres_free_query(const db1_con_t *_con);
* \param _url URL of the database that should be opened
* \return database connection on success, NULL on error
* \note this function must be called prior to any database functions
+ *
+ * Init libssl in a thread
*/
-db1_con_t *db_postgres_init(const str *_url)
+static db1_con_t *db_postgres_init0(const str *_url)
{
return db_do_init(_url, (void *)db_postgres_new_connection);
}
+db1_con_t *db_postgres_init(const str *_url)
+{
+ return run_threadP((_thread_proto)db_postgres_init0, (void *)_url);
+}
/*!
* \brief Initialize database for future queries, specify pooling
* \param _url URL of the database that should be opened
* \param pooling whether or not to use a pooled connection
* \return database connection on success, NULL on error
* \note this function must be called prior to any database functions
+ *
+ * Init libssl in thread
*/
-db1_con_t *db_postgres_init2(const str *_url, db_pooling_t pooling)
+static db1_con_t *db_postgres_init2_impl(const str *_url, db_pooling_t pooling)
{
return db_do_init2(_url, (void *)db_postgres_new_connection, pooling);
}
+db1_con_t *db_postgres_init2(const str *_url, db_pooling_t pooling)
+{
+ return run_threadPI(
+ (_thread_protoPI)db_postgres_init2_impl, (void *)_url, pooling);
+}
/*!
* \brief Close database when the database is no longer needed
* \param _h closed connection, as returned from db_postgres_init
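Review bot: The two helpers added in the same hunk follow different naming schemes, `db_postgres_init0` versus `db_postgres_init2_impl`, and every later wrapper in this series uses the `_impl` suffix; renaming to `db_postgres_init_impl` (and `db_unixodbc_init0` to `db_unixodbc_init_impl` in the db_unixodbc patch) keeps the convention greppable. The call sites are also inconsistent about taking the address: `(_thread_proto)db_postgres_init0` here, `(_thread_proto)&db_unixodbc_init0` in db_unixodbc and `&db_mysql_query_impl` in db_mysql; both spellings are valid C, so pick one. The added Doxygen line `Init libssl in a thread` describes what the public wrapper does but is attached to the comment block of the static `_impl` function; move it onto `db_postgres_init`/`db_postgres_init2` or phrase it as `\note the exported wrapper runs this on a helper thread`.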

@ -0,0 +1,38 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Thu, 8 Feb 2024 07:18:16 +0800
Subject: db_postgres: libssl thread guard for db_postgres_close
---
src/modules/db_postgres/km_dbase.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/modules/db_postgres/km_dbase.c b/src/modules/db_postgres/km_dbase.c
index 7948ff0..e8dce6e 100644
--- a/src/modules/db_postgres/km_dbase.c
+++ b/src/modules/db_postgres/km_dbase.c
@@ -45,6 +45,7 @@
#include "../../core/clist.h"
#define KSR_RTHREAD_NEED_PI
#define KSR_RTHREAD_NEED_4PP
+#define KSR_RTHREAD_NEED_0P
#include "../../core/rthreads.h"
#include "km_dbase.h"
#include "km_pg_con.h"
@@ -147,11 +148,16 @@ db1_con_t *db_postgres_init2(const str *_url, db_pooling_t pooling)
* \param _h closed connection, as returned from db_postgres_init
* \note free all memory and resources
*/
-void db_postgres_close(db1_con_t *_h)
+static void db_postgres_close_impl(db1_con_t *_h)
{
db_do_close(_h, db_postgres_free_connection);
}
+void db_postgres_close(db1_con_t *_h)
+{
+ run_thread0P((_thread_proto0P)db_postgres_close_impl, _h);
+}
+
/*!
* \brief Submit_query, run a query

@ -0,0 +1,42 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Tue, 6 Feb 2024 00:23:16 +0800
Subject: db_unixodbc: handle SSL and submit query
(cherry-pick from 7d917e6649be7188bb9ab152ada75bc7199b2980)
---
src/modules/db_unixodbc/dbase.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/modules/db_unixodbc/dbase.c b/src/modules/db_unixodbc/dbase.c
index c4ba64b..7a5f2bd 100644
--- a/src/modules/db_unixodbc/dbase.c
+++ b/src/modules/db_unixodbc/dbase.c
@@ -25,6 +25,7 @@
#include "../../core/mem/mem.h"
#include "../../core/dprint.h"
#include "../../core/async_task.h"
+#define KSR_RTHREAD_NEED_4PP
#include "../../core/rthreads.h"
#include "../../lib/srdb1/db_query.h"
#include "val.h"
@@ -81,7 +82,7 @@ static int reconnect(const db1_con_t *_h)
/*
* Send an SQL query to the server
*/
-static int db_unixodbc_submit_query(const db1_con_t *_h, const str *_s)
+static int db_unixodbc_submit_query_impl(const db1_con_t *_h, const str *_s)
{
int ret = 0;
SQLCHAR sqlstate[7];
@@ -155,6 +156,11 @@ static int db_unixodbc_submit_query(const db1_con_t *_h, const str *_s)
return ret;
}
+static int db_unixodbc_submit_query(const db1_con_t *_h, const str *_s)
+{
+ return run_thread4PP((_thread_proto4PP)db_unixodbc_submit_query_impl,
+ (void *)_h, (void *)_s);
+}
/**
*
*/

@ -0,0 +1,51 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Thu, 1 Feb 2024 10:07:08 +0800
Subject: db_unixodbc: init libssl in a thread
From
- 2611a4670c65dd32fc1daf6b67e37852936ba69c
- b71ce6e5733ab08b84ff09481ada91e5fca43a33
---
src/modules/db_unixodbc/dbase.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/modules/db_unixodbc/dbase.c b/src/modules/db_unixodbc/dbase.c
index eb02b29..c4ba64b 100644
--- a/src/modules/db_unixodbc/dbase.c
+++ b/src/modules/db_unixodbc/dbase.c
@@ -22,10 +22,10 @@
*
*/
-
#include "../../core/mem/mem.h"
#include "../../core/dprint.h"
#include "../../core/async_task.h"
+#include "../../core/rthreads.h"
#include "../../lib/srdb1/db_query.h"
#include "val.h"
#include "connection.h"
@@ -227,8 +227,10 @@ extern char *db_unixodbc_tquote;
/*
* Initialize database module
* No function should be called before this
+ *
+ * Init libssl in a thread
*/
-db1_con_t *db_unixodbc_init(const str *_url)
+static db1_con_t *db_unixodbc_init0(const str *_url)
{
db1_con_t *c;
c = db_do_init(_url, (void *)db_unixodbc_new_connection);
@@ -237,6 +239,11 @@ db1_con_t *db_unixodbc_init(const str *_url)
return c;
}
+db1_con_t *db_unixodbc_init(const str *_url)
+{
+ return run_threadP((_thread_proto)&db_unixodbc_init0, (void *)_url);
+}
+
/*
* Shut down database module
* No function should be called after this

@ -0,0 +1,86 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Thu, 8 Feb 2024 07:41:45 +0800
Subject: db_unixodbc: libssl thread guards for
db_unixodbc_(close|free_result|query)
---
src/modules/db_unixodbc/dbase.c | 27 ++++++++++++++++++++++++---
1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/src/modules/db_unixodbc/dbase.c b/src/modules/db_unixodbc/dbase.c
index 7a5f2bd..01aab5b 100644
--- a/src/modules/db_unixodbc/dbase.c
+++ b/src/modules/db_unixodbc/dbase.c
@@ -26,6 +26,8 @@
#include "../../core/dprint.h"
#include "../../core/async_task.h"
#define KSR_RTHREAD_NEED_4PP
+#define KSR_RTHREAD_NEED_4P5I2P2
+#define KSR_RTHREAD_NEED_0P
#include "../../core/rthreads.h"
#include "../../lib/srdb1/db_query.h"
#include "val.h"
@@ -254,11 +256,16 @@ db1_con_t *db_unixodbc_init(const str *_url)
* Shut down database module
* No function should be called after this
*/
-void db_unixodbc_close(db1_con_t *_h)
+static void db_unixodbc_close_impl(db1_con_t *_h)
{
return db_do_close(_h, db_unixodbc_free_connection);
}
+void db_unixodbc_close(db1_con_t *_h)
+{
+ run_thread0P((_thread_proto0P)db_unixodbc_close_impl, _h);
+}
+
/*
* Retrieve result set
*/
@@ -299,7 +306,7 @@ static int db_unixodbc_store_result(const db1_con_t *_h, db1_res_t **_r)
/*
* Release a result set from memory
*/
-int db_unixodbc_free_result(db1_con_t *_h, db1_res_t *_r)
+static int db_unixodbc_free_result_impl(db1_con_t *_h, db1_res_t *_r)
{
if((!_h) || (!_r)) {
LM_ERR("invalid parameter value\n");
@@ -315,6 +322,11 @@ int db_unixodbc_free_result(db1_con_t *_h, db1_res_t *_r)
return 0;
}
+int db_unixodbc_free_result(db1_con_t *_h, db1_res_t *_r)
+{
+ return run_thread4PP((_thread_proto4PP)db_unixodbc_free_result_impl, _h, _r);
+}
+
/*
* Query table for specified rows
* _h: structure representing database connection
@@ -326,7 +338,7 @@ int db_unixodbc_free_result(db1_con_t *_h, db1_res_t *_r)
* _nc: number of columns to return
* _o: order by the specified column
*/
-int db_unixodbc_query(const db1_con_t *_h, const db_key_t *_k,
+static int db_unixodbc_query_impl(const db1_con_t *_h, const db_key_t *_k,
const db_op_t *_op, const db_val_t *_v, const db_key_t *_c,
const int _n, const int _nc, const db_key_t _o, db1_res_t **_r)
{
@@ -335,6 +347,15 @@ int db_unixodbc_query(const db1_con_t *_h, const db_key_t *_k,
db_unixodbc_store_result);
}
+int db_unixodbc_query(const db1_con_t *_h, const db_key_t *_k,
+ const db_op_t *_op, const db_val_t *_v, const db_key_t *_c,
+ const int _n, const int _nc, const db_key_t _o, db1_res_t **_r)
+{
+ return run_thread4P5I2P2((_thread_proto4P5I2P2)db_unixodbc_query_impl,
+ (void *)_h, (void *)_k, (void *)_op, (void *)_v, (void *)_c, _n,
+ _nc, (void *)_o, (void *)_r);
+}
+
/*!
* \brief Gets a partial result set, fetch rows from a result
*
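Review bot: The exported `db_unixodbc_close`, `db_unixodbc_free_result` and `db_unixodbc_query` carry no comment after this change, while the parameter descriptions stay attached to the static `_impl` functions; a one-liner on each, e.g. `/* thread-guarded entry point (core/rthreads.h); parameters documented on the _impl function */`, keeps the public API readable. With this patch a single SQL round trip goes through `run_thread4P5I2P2` for the query and `run_thread4PP` for the result free; if those wrappers create and join a helper thread per call in the threaded mode, that is two thread round trips per query on the hot path, so the assumption that they short-circuit unless tls_threads_mode demands it deserves a comment at the first wrapper. The same documentation gap applies to `db_postgres_close` in its patch.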

@ -0,0 +1,57 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Tue, 27 Feb 2024 12:38:09 +0800
Subject: http_async_client: libssl refactor thread executors for curl
Cherry-pick from 6a0c86bba8
---
src/modules/http_async_client/http_async_client_mod.c | 5 ++++-
src/modules/http_async_client/http_multi.c | 6 +-----
2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/modules/http_async_client/http_async_client_mod.c b/src/modules/http_async_client/http_async_client_mod.c
index e9f6cb0..4b984d3 100644
--- a/src/modules/http_async_client/http_async_client_mod.c
+++ b/src/modules/http_async_client/http_async_client_mod.c
@@ -50,6 +50,9 @@
#include "../../core/cfg/cfg_struct.h"
#include "../../core/fmsg.h"
#include "../../core/kemi.h"
+#define KSR_RTHREAD_NEED_V
+#define KSR_RTHREAD_SKIP_P
+#include "../../core/rthreads.h"
#include "../../modules/tm/tm_load.h"
#include "../../modules/pv/pv_api.h"
@@ -285,7 +288,7 @@ static int mod_init(void)
return -1;
}
- set_curl_mem_callbacks();
+ run_threadV((_thread_protoV)&set_curl_mem_callbacks);
/* init faked sip msg */
if(faked_msg_init() < 0) {
diff --git a/src/modules/http_async_client/http_multi.c b/src/modules/http_async_client/http_multi.c
index a0ee1c8..a57aba9 100644
--- a/src/modules/http_async_client/http_multi.c
+++ b/src/modules/http_async_client/http_multi.c
@@ -32,9 +32,6 @@
#include "../../core/mem/mem.h"
#include "../../core/ut.h"
#include "../../core/hashes.h"
-#define KSR_RTHREAD_NEED_4L
-#define KSR_RTHREAD_SKIP_P
-#include "../../core/rthreads.h"
#include "http_multi.h"
extern int hash_size;
@@ -392,8 +389,7 @@ void set_curl_mem_callbacks(void)
break;
case 1:
LM_DBG("Initilizing cURL with sys malloc\n");
- rc = run_thread4L(
- (_thread_proto4L)curl_global_init, CURL_GLOBAL_ALL);
+ rc = curl_global_init(CURL_GLOBAL_ALL);
if(rc != 0) {
LM_ERR("Cannot initialize cURL: %d\n", rc);
}
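Review bot: `run_threadV((_thread_protoV)&set_curl_mem_callbacks)` casts a function that is already `void (void)` (its definition is visible in the http_multi.c hunk), whereas the outbound patch calls `run_threadV(mod_init_openssl)` uncast; if `_thread_protoV` is `void (*)(void)` the cast is noise that would also hide a future signature mismatch, so `run_threadV(set_curl_mem_callbacks);` is preferable. Moving the executor up to mod_init means everything inside set_curl_mem_callbacks, not only `curl_global_init`, now runs on the helper thread, which is worth a comment at the call site, e.g. `/* whole cURL init on a guarded thread: curl_global_init touches libssl */`. Note that the http_multi.c hunks here are the exact inverse of the sibling "libssl thread executor for curl_global_init()" patch (index a57aba9..a0ee1c8 versus a0ee1c8..a57aba9); unless the backport must mirror upstream commit-for-commit, the pair could be squashed so the series does not carry a change and its reversal.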

@ -0,0 +1,33 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Tue, 27 Feb 2024 05:01:14 +0800
Subject: http_async_client: libssl thread executor for curl_global_init()
Cherry-pick from 514635dc3e
---
src/modules/http_async_client/http_multi.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/modules/http_async_client/http_multi.c b/src/modules/http_async_client/http_multi.c
index a57aba9..a0ee1c8 100644
--- a/src/modules/http_async_client/http_multi.c
+++ b/src/modules/http_async_client/http_multi.c
@@ -32,6 +32,9 @@
#include "../../core/mem/mem.h"
#include "../../core/ut.h"
#include "../../core/hashes.h"
+#define KSR_RTHREAD_NEED_4L
+#define KSR_RTHREAD_SKIP_P
+#include "../../core/rthreads.h"
#include "http_multi.h"
extern int hash_size;
@@ -389,7 +392,8 @@ void set_curl_mem_callbacks(void)
break;
case 1:
LM_DBG("Initilizing cURL with sys malloc\n");
- rc = curl_global_init(CURL_GLOBAL_ALL);
+ rc = run_thread4L(
+ (_thread_proto4L)curl_global_init, CURL_GLOBAL_ALL);
if(rc != 0) {
LM_ERR("Cannot initialize cURL: %d\n", rc);
}

@ -117,10 +117,10 @@ index 1472da7..dda4721 100644
curl, CURLOPT_FOLLOWLOCATION, (long)params->http_follow_redirect);
if(params->http_follow_redirect) {
diff --git a/src/modules/http_client/http_client.c b/src/modules/http_client/http_client.c
index 430933e..4884424 100644
index 3cf6628..76c5b44 100644
--- a/src/modules/http_client/http_client.c
+++ b/src/modules/http_client/http_client.c
@@ -76,7 +76,8 @@ MODULE_VERSION
@@ -79,7 +79,8 @@ MODULE_VERSION
#define CURL_USER_AGENT_LEN (sizeof(CURL_USER_AGENT) - 1)
/* Module parameter variables */
@ -130,7 +130,7 @@ index 430933e..4884424 100644
char *default_tls_cacert =
NULL; /*!< File name: Default CA cert to use for curl TLS connection */
str default_tls_clientcert =
@@ -195,6 +196,7 @@ static cmd_export_t cmds[] = {
@@ -198,6 +199,7 @@ static cmd_export_t cmds[] = {
/* Exported parameters */
static param_export_t params[] = {
{"connection_timeout", PARAM_INT, &default_connection_timeout},
@ -138,7 +138,7 @@ index 430933e..4884424 100644
{"cacert", PARAM_STRING, &default_tls_cacert },
{"client_cert", PARAM_STR, &default_tls_clientcert },
{"client_key", PARAM_STR, &default_tls_clientkey },
@@ -310,10 +312,27 @@ static int mod_init(void)
@@ -313,10 +315,27 @@ static int mod_init(void)
}
}

@ -0,0 +1,32 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Tue, 27 Feb 2024 05:01:31 +0800
Subject: http_client: libssl thread executor for curl_global_init()
Cherry-pick from f58225950c
---
src/modules/http_client/http_client.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/modules/http_client/http_client.c b/src/modules/http_client/http_client.c
index 430933e..3cf6628 100644
--- a/src/modules/http_client/http_client.c
+++ b/src/modules/http_client/http_client.c
@@ -64,6 +64,9 @@
#include "../../core/lvalue.h"
#include "../../core/pt.h" /* Process table */
#include "../../core/kemi.h"
+#define KSR_RTHREAD_NEED_4L
+#define KSR_RTHREAD_SKIP_P
+#include "../../core/rthreads.h"
#include "functions.h"
#include "curlcon.h"
@@ -278,7 +281,7 @@ static int mod_init(void)
LM_DBG("init curl module\n");
/* Initialize curl */
- if(curl_global_init(CURL_GLOBAL_ALL)) {
+ if(run_thread4L((_thread_proto4L)&curl_global_init, CURL_GLOBAL_ALL)) {
LM_ERR("curl_global_init failed\n");
return -1;
}
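Review bot: The failure branch logs only `curl_global_init failed` and drops the CURLcode, whereas the http_async_client patch reports it (`Cannot initialize cURL: %d`); keeping it costs one line: `int rc = run_thread4L((_thread_proto4L)&curl_global_init, CURL_GLOBAL_ALL);` followed by `if(rc != 0) { LM_ERR("curl_global_init failed: %d\n", rc); return -1; }`. This hunk spells the callback as `&curl_global_init` while http_async_client writes `curl_global_init`; both are valid, but one form across the series reads better. The test relies on run_thread4L returning the callee's result unchanged, which is presumably the case since http_multi.c assigns it to rc the same way; mod_init's body continues outside the hunk.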

@ -0,0 +1,87 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Tue, 30 Jan 2024 14:07:11 +0800
Subject: outbound: init libssl in a thread
- use core/rthreads.h
- Xenial(OpenSSL < 1.1.1) fixes
From:
- 94f6df509bf77c19c745749716a9e075ec17f3c7
- 8bdd9ca4b3c3d4f9f2f201b0a9e0ad9a61eee41d
---
src/modules/outbound/outbound_mod.c | 44 ++++++++++++++++++-------------------
1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/src/modules/outbound/outbound_mod.c b/src/modules/outbound/outbound_mod.c
index e2e3a86..e5ed171 100644
--- a/src/modules/outbound/outbound_mod.c
+++ b/src/modules/outbound/outbound_mod.c
@@ -40,6 +40,10 @@
#include "../../core/parser/parse_uri.h"
#include "../../core/parser/parse_supported.h"
+#define KSR_RTHREAD_SKIP_P
+#define KSR_RTHREAD_NEED_V
+#include "../../core/rthreads.h"
+
#include "api.h"
#include "config.h"
@@ -75,26 +79,25 @@ struct module_exports exports = {
destroy /* destroy function */
};
-static void *mod_init_openssl(void *arg) {
- if(flow_token_secret.s) {
- assert(ob_key.len == SHA_DIGEST_LENGTH);
- LM_DBG("flow_token_secret mod param set. use persistent ob_key");
+static void mod_init_openssl(void)
+{
+ if(flow_token_secret.s) {
+ assert(ob_key.len == SHA_DIGEST_LENGTH);
+ LM_DBG("flow_token_secret mod param set. use persistent ob_key");
#if OPENSSL_VERSION_NUMBER < 0x030000000L
- SHA1((const unsigned char *)flow_token_secret.s, flow_token_secret.len,
- (unsigned char *)ob_key.s);
+ SHA1((const unsigned char *)flow_token_secret.s, flow_token_secret.len,
+ (unsigned char *)ob_key.s);
#else
- EVP_Q_digest(NULL, "SHA1", NULL, flow_token_secret.s,
- flow_token_secret.len, (unsigned char *)ob_key.s, NULL);
+ EVP_Q_digest(NULL, "SHA1", NULL, flow_token_secret.s,
+ flow_token_secret.len, (unsigned char *)ob_key.s, NULL);
#endif
- } else {
- if(RAND_bytes((unsigned char *)ob_key.s, ob_key.len) == 0) {
- LM_ERR("unable to get %d cryptographically strong pseudo-"
- "random bytes\n",
- ob_key.len);
- }
- }
-
- return NULL;
+ } else {
+ if(RAND_bytes((unsigned char *)ob_key.s, ob_key.len) == 0) {
+ LM_ERR("unable to get %d cryptographically strong pseudo-"
+ "random bytes\n",
+ ob_key.len);
+ }
+ }
}
static int mod_init(void)
@@ -116,12 +119,9 @@ static int mod_init(void)
ob_key.len = OB_KEY_LEN;
#if OPENSSL_VERSION_NUMBER < 0x010101000L
- mod_init_openssl(NULL);
+ mod_init_openssl();
#else
- pthread_t tid;
- void *retval;
- pthread_create(&tid, NULL, mod_init_openssl, NULL);
- pthread_join(tid, &retval);
+ run_threadV(mod_init_openssl);
#endif
if(cfg_declare("outbound", outbound_cfg_def, &default_outbound_cfg,
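Review bot: In the `else` branch of `mod_init_openssl` a failed `RAND_bytes()` only logs and falls through, so the ob_key buffer that flow tokens are keyed with is left as it was, and because the function is now `void` and dispatched through `run_threadV`, mod_init has no way to notice and continues as if the key were set. Record the outcome and fail initialisation instead: add `static int ob_key_failed;` at file scope, set `ob_key_failed = 1;` in the RAND_bytes error branch, and after the `#endif` in mod_init check `if(ob_key_failed) { LM_ERR("ob_key not initialised\n"); return -1; }`. Returning a status through the thread wrapper would also work but needs a non-void executor variant; mod_init's body continues outside the hunk.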

@ -0,0 +1,22 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Tue, 5 Mar 2024 09:59:41 +0800
Subject: tls: NULL safety check
(cherry picked from commit f6f9d90ada963b53b6552e1a172b8f2fd021c33b)
---
src/modules/tls/tls_mod.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 51e88be..c2a3c8d 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -871,6 +871,8 @@ EVP_PKEY *tls_engine_private_key(const char *key_id)
while(!(OSSL_STORE_eof(ctx))) {
OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
+ if(info == NULL)
+ continue;
int type;
type = OSSL_STORE_INFO_get_type(info);
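Review bot: The new `if(info == NULL) continue;` silently drops the reason `OSSL_STORE_load()` returned NULL, which makes provider/HSM misconfiguration hard to diagnose; distinguishing an object-level error from plain end-of-store is cheap: `if(info == NULL) { if(OSSL_STORE_error(ctx)) LM_ERR("error loading an object from the key store\n"); continue; }` (OSSL_STORE_error() sits alongside the OSSL_STORE_eof() already used here). The loop only terminates once OSSL_STORE_eof() becomes true, so if a provider ever reports an error without advancing, this `continue` spins; a bounded retry counter would be the safer guard should that prove possible. The rest of tls_engine_private_key lies outside the hunk.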

@ -0,0 +1,22 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Tue, 13 Feb 2024 17:23:31 +0800
Subject: tls: add logging
---
src/modules/tls/tls_mod.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 5d3982b..905ca6f 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -458,6 +458,9 @@ static int mod_child(int rank)
#else
if(rank == PROC_INIT) {
#endif
+ LM_DBG("Loading SSL_CTX in process_no=%d rank=%d "
+ "ksr_tls_threads_mode=%d\n",
+ process_no, rank, ksr_tls_threads_mode);
if(cfg_get(tls, tls_cfg, config_file).s) {
if(tls_fix_domains_cfg(
*tls_domains_cfg, &srv_defaults, &cli_defaults)

@ -0,0 +1,358 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Sat, 2 Mar 2024 20:46:16 +0800
Subject: tls: basic OpenSSL 3 support of provider keys (replaces ENGINE)
- initial support for v3 provider keys (replaces ENGINE from v1.1.1)
- can be disabled behind build flag -DOPENSSL_NO_PROVIDER
- provider keys start with /uri: e.g
private_key = /uri:pkcs11:token=NSS%20Certificate%20DB;type=private;object=Fork-Test-c67cc0e0
- global config:
provider_quirks: 0 | 1
- 0 - default
- 1 - create a new OSS_LIB_CTX* in the child
This integration does not load any providers itself and depends on
the usual
export OPENSSL_CONF=my-openssl.cnf
to configure providers.
(cherry picked from commit 69883dd381368ca219cc52140e71d571775f95d5)
---
src/modules/tls/tls_domain.c | 40 +++++++++-------
src/modules/tls/tls_mod.c | 109 +++++++++++++++++++++++++++++++++++++------
2 files changed, 119 insertions(+), 30 deletions(-)
diff --git a/src/modules/tls/tls_domain.c b/src/modules/tls/tls_domain.c
index dde5fe0..e056a70 100644
--- a/src/modules/tls/tls_domain.c
+++ b/src/modules/tls/tls_domain.c
@@ -32,13 +32,21 @@
/* only OpenSSL <= 1.1.1 */
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER < 0x030000000L
+#define KSR_SSL_COMMON
#define KSR_SSL_ENGINE
+#define KEY_PREFIX "/engine:"
+#define KEY_PREFIX_LEN (strlen(KEY_PREFIX))
+#include <openssl/engine.h>
+extern EVP_PKEY *tls_engine_private_key(const char *key_id);
#endif
-#ifdef KSR_SSL_ENGINE
-#include <openssl/engine.h>
+#if !defined(OPENSSL_NO_PROVIDER) && OPENSSL_VERSION_NUMBER >= 0x030000000L
+#define KSR_SSL_COMMON
+#define KSR_SSL_PROVIDER
+#define KEY_PREFIX "/uri:"
+#define KEY_PREFIX_LEN (strlen(KEY_PREFIX))
extern EVP_PKEY *tls_engine_private_key(const char *key_id);
-#endif /* KSR_SSL_ENGINE */
+#endif
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
#include <openssl/ui.h>
@@ -1227,7 +1235,7 @@ err:
#endif
}
-#ifdef KSR_SSL_ENGINE
+#ifdef KSR_SSL_COMMON
/**
* @brief Load a private key from an OpenSSL engine
* @param d TLS domain
@@ -1237,7 +1245,7 @@ err:
* to be fork() safe
*
* private_key setting which starts with /engine: is assumed to be
- * an HSM key and not a file-based key
+ * an HSM key and not a file-based key (/uri: for OpenSSL 3 key URIs)
*
* We store the private key in a local memory hash table as
* HSM keys must be process-local. We use the SSL_CTX* address
@@ -1253,13 +1261,13 @@ static int load_engine_private_key(tls_domain_t *d)
DBG("%s: No private key specified\n", tls_domain_str(d));
return 0;
}
- if(strncmp(d->pkey_file.s, "/engine:", 8) != 0)
+ if(strncmp(d->pkey_file.s, KEY_PREFIX, KEY_PREFIX_LEN) != 0)
return 0;
do {
i = process_no;
for(idx = 0, ret_pwd = 0; idx < 3; idx++) {
- pkey = tls_engine_private_key(d->pkey_file.s + 8);
+ pkey = tls_engine_private_key(d->pkey_file.s + KEY_PREFIX_LEN);
if(pkey) {
ret_pwd = SSL_CTX_use_PrivateKey(d->ctx[i], pkey);
} else {
@@ -1295,7 +1303,7 @@ static int load_engine_private_key(tls_domain_t *d)
d->pkey_file.s);
return 0;
}
-#endif /* KSR_SSL_ENGINE */
+#endif /* KSR_SSL_COMMON */
/**
* @brief Load a private key from a file
* @param d TLS domain
@@ -1319,10 +1327,10 @@ static int load_private_key(tls_domain_t *d)
SSL_CTX_set_default_passwd_cb_userdata(d->ctx[i], d->pkey_file.s);
for(idx = 0, ret_pwd = 0; idx < 3; idx++) {
-#ifdef KSR_SSL_ENGINE
+#ifdef KSR_SSL_COMMON
// in PROC_INIT skip loading HSM keys due to
// fork() issues with PKCS#11 libraries
- if(strncmp(d->pkey_file.s, "/engine:", 8) != 0) {
+ if(strncmp(d->pkey_file.s, KEY_PREFIX, KEY_PREFIX_LEN) != 0) {
ret_pwd = SSL_CTX_use_PrivateKey_file(
d->ctx[i], d->pkey_file.s, SSL_FILETYPE_PEM);
} else {
@@ -1331,7 +1339,7 @@ static int load_private_key(tls_domain_t *d)
#else
ret_pwd = SSL_CTX_use_PrivateKey_file(
d->ctx[i], d->pkey_file.s, SSL_FILETYPE_PEM);
-#endif /* KSR_SSL_ENGINE */
+#endif /* KSR_SSL_COMMON */
if(ret_pwd) {
break;
} else {
@@ -1348,12 +1356,12 @@ static int load_private_key(tls_domain_t *d)
TLS_ERR("load_private_key:");
return -1;
}
-#ifdef KSR_SSL_ENGINE
- if(strncmp(d->pkey_file.s, "/engine:", 8) == 0) {
+#ifdef KSR_SSL_COMMON
+ if(strncmp(d->pkey_file.s, KEY_PREFIX, KEY_PREFIX_LEN) == 0) {
// skip private key validity check for HSM keys
continue;
}
-#endif /* KSR_SSL_ENGINE */
+#endif /* KSR_SSL_COMMON */
if(!SSL_CTX_check_private_key(d->ctx[i])) {
ERR("%s: Key '%s' does not match the public key of the"
" certificate\n",
@@ -1369,7 +1377,7 @@ static int load_private_key(tls_domain_t *d)
}
-#ifdef KSR_SSL_ENGINE
+#ifdef KSR_SSL_COMMON
/**
* @brief Initialize engine private keys
*
@@ -1401,7 +1409,7 @@ int tls_fix_engine_keys(tls_domains_cfg_t *cfg, tls_domain_t *srv_defaults,
return 0;
}
-#endif /* KSR_SSL_ENGINE */
+#endif /* KSR_SSL_COMMON */
/**
* @brief Initialize attributes of all domains from default domains if necessary
*
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 34689f2..c34c993 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -93,9 +93,21 @@ MODULE_VERSION
/* Engine is deprecated in OpenSSL 3 */
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER < 0x030000000L
+#define KSR_SSL_COMMON
#define KSR_SSL_ENGINE
+#define KEY_PREFIX "/engine:"
+#define KEY_PREFIX_LEN (strlen(KEY_PREFIX))
#endif
+#if !defined(OPENSSL_NO_PROVIDER) && OPENSSL_VERSION_NUMBER >= 0x030000000L
+#define KSR_SSL_COMMON
+#define KSR_SSL_PROVIDER
+#include <openssl/store.h>
+#define KEY_PREFIX "/uri:"
+#define KEY_PREFIX_LEN (strlen(KEY_PREFIX))
+#endif
+
+
extern str sr_tls_event_callback;
str sr_tls_xavp_cfg = {0, 0};
/*
@@ -151,23 +163,28 @@ tls_domain_t srv_defaults = {
#ifdef KSR_SSL_ENGINE
-
typedef struct tls_engine
{
str engine;
str engine_config;
str engine_algorithms;
} tls_engine_t;
-#include <openssl/conf.h>
-#include <openssl/engine.h>
-
-static ENGINE *ksr_tls_engine;
static tls_engine_t tls_engine_settings = {
STR_STATIC_INIT("NONE"),
STR_STATIC_INIT("NONE"),
STR_STATIC_INIT("ALL"),
};
-#endif /* KSR_SSL_ENGINE */
+
+#include <openssl/conf.h>
+#include <openssl/engine.h>
+
+static ENGINE *ksr_tls_engine;
+#endif
+
+#ifdef KSR_SSL_PROVIDER
+static int tls_provider_quirks;
+#endif
+
/*
* Default settings for client domains when using external config file
*/
@@ -238,6 +255,10 @@ static param_export_t params[] = {
{"engine_algorithms", PARAM_STR,
&tls_engine_settings.engine_algorithms},
#endif /* KSR_SSL_ENGINE */
+#ifdef KSR_SSL_PROVIDER
+ {"provider_quirks", PARAM_INT,
+ &tls_provider_quirks}, /* OpenSSL 3 provider that needs new OSSL_LIB_CTX in child */
+#endif /* KSR_SSL_PROVIDER */
{"tls_log", PARAM_INT, &default_tls_cfg.log},
{"tls_debug", PARAM_INT, &default_tls_cfg.debug},
{"session_cache", PARAM_INT, &default_tls_cfg.session_cache},
@@ -316,7 +337,6 @@ static tls_domains_cfg_t* tls_use_modparams(void)
}
#endif
-
static int mod_init(void)
{
int method;
@@ -433,10 +453,10 @@ error:
}
-#ifdef KSR_SSL_ENGINE
+#ifdef KSR_SSL_COMMON
static int tls_engine_init();
int tls_fix_engine_keys(tls_domains_cfg_t *, tls_domain_t *, tls_domain_t *);
-#endif /* KSR_SSL_ENGINE */
+#endif /* KSR_SSL_COMMON */
/*
* OpenSSL 1.1.1+: SSL_CTX is repeated in each worker
@@ -450,9 +470,10 @@ int tls_fix_engine_keys(tls_domains_cfg_t *, tls_domain_t *, tls_domain_t *);
*/
static int mod_child_hook(int *rank, void *dummy)
{
- LM_DBG("Loading SSL_CTX in process_no=%d rank=%d "
- "ksr_tls_threads_mode=%d\n",
+ LM_INFO("Loading SSL_CTX in process_no=%d rank=%d "
+ "ksr_tls_threads_mode=%d\n",
process_no, *rank, ksr_tls_threads_mode);
+
if(cfg_get(tls, tls_cfg, config_file).s) {
if(tls_fix_domains_cfg(*tls_domains_cfg, &srv_defaults, &cli_defaults)
< 0)
@@ -464,6 +485,10 @@ static int mod_child_hook(int *rank, void *dummy)
return 0;
}
+#ifdef KSR_SSL_PROVIDER
+static OSSL_LIB_CTX *orig_ctx;
+static OSSL_LIB_CTX *new_ctx;
+#endif
static int mod_child(int rank)
{
if(tls_disable || (tls_domains_cfg == 0))
@@ -477,23 +502,32 @@ static int mod_child(int rank)
return run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, NULL);
}
-#ifdef KSR_SSL_ENGINE
+#ifdef KSR_SSL_COMMON
/*
* after the child is fork()ed we go through the TLS domains
* and fix up private keys from engine
*/
+#ifdef KSR_SSL_ENGINE
if(!strncmp(tls_engine_settings.engine.s, "NONE", 4))
return 0;
+#endif /* KSR_SSL_ENGINE */
if(rank > 0) {
+#ifdef KSR_SSL_PROVIDER
+ if(tls_provider_quirks & 1) {
+ new_ctx = OSSL_LIB_CTX_new();
+ orig_ctx = OSSL_LIB_CTX_set0_default(new_ctx);
+ CONF_modules_load_file(CONF_get1_default_config_file(), NULL, 0L);
+ }
+#endif /* KSR_SSL_PROVIDER */
if(tls_engine_init() < 0)
return -1;
if(tls_fix_engine_keys(*tls_domains_cfg, &srv_defaults, &cli_defaults)
< 0)
return -1;
- LM_INFO("OpenSSL Engine loaded private keys in child: %d\n", rank);
+ LM_INFO("OpenSSL loaded private keys in child: %d\n", rank);
}
-#endif /* KSR_SSL_ENGINE */
+#endif /* KSR_SSL_PROVIDER */
return 0;
}
@@ -798,3 +832,50 @@ EVP_PKEY *tls_engine_private_key(const char *key_id)
return ENGINE_load_private_key(ksr_tls_engine, key_id, NULL, NULL);
}
#endif /* KSR_SSL_ENGINE */
+
+#ifdef KSR_SSL_PROVIDER
+#include <openssl/store.h>
+static int tls_engine_init()
+{
+ return 0;
+}
+EVP_PKEY *tls_engine_private_key(const char *key_id)
+{
+ OSSL_STORE_CTX *ctx;
+ EVP_PKEY *pkey = NULL;
+
+ ctx = OSSL_STORE_open_ex(key_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
+ if(!ctx) {
+ LM_ERR("[ERR] could not load URI %s\n", key_id);
+ goto error;
+ }
+
+ OSSL_STORE_expect(ctx, OSSL_STORE_INFO_PKEY);
+
+ while(!(OSSL_STORE_eof(ctx))) {
+ OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
+
+ int type;
+ type = OSSL_STORE_INFO_get_type(info);
+
+ switch(type) {
+ case OSSL_STORE_INFO_PKEY:
+ pkey = OSSL_STORE_INFO_get1_PKEY(info);
+ break;
+ default:
+ continue;
+ break;
+ }
+ OSSL_STORE_INFO_free(info);
+ if(pkey)
+ break;
+ }
+
+ LM_INFO("Loaded private key = %p\n", pkey);
+
+error:
+ OSSL_STORE_close(ctx);
+
+ return pkey;
+}
+#endif
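Review bot: In `tls_engine_private_key` (tls_mod.c hunk) the `default: continue;` arm jumps straight to the `while` condition and skips `OSSL_STORE_INFO_free(info)`, so every non-PKEY object the store yields (certificates, CRLs, parameters) is leaked; `default: break;` lets the free run and, with `pkey` still NULL, the loop carries on as intended (the `break` after `continue` is unreachable and can go). In `mod_child` the `#endif` that closes `#ifdef KSR_SSL_COMMON` is labelled `/* KSR_SSL_PROVIDER */`, which misleads the reader; also, in the provider_quirks branch neither `OSSL_LIB_CTX_new()` nor `CONF_modules_load_file()` is checked, and `CONF_get1_default_config_file()` returns a string the caller must `OPENSSL_free()`, which this path never does. The `goto error` taken when `OSSL_STORE_open_ex()` fails reaches `OSSL_STORE_close(ctx)` with ctx == NULL; I believe the 3.x implementation tolerates that, but an explicit `return NULL;` after the LM_ERR removes the dependency. Finally, `LM_ERR("[ERR] could not load URI %s\n", key_id)` prints the whole key URI, and PKCS#11 URIs may embed `pin-value=` (RFC 7512) in their query part, so consider logging only the portion before `?`.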

@ -0,0 +1,463 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Sat, 2 Mar 2024 08:29:31 +0800
Subject: tls: clean-up of ENGINE
- remove tls_map.* - not needed anymore
- install an ENGINE in each worker SSL_CTX
no need to replicate to all processes
---
src/modules/tls/tls_domain.c | 53 ++---------
src/modules/tls/tls_map.c | 213 -------------------------------------------
src/modules/tls/tls_map.h | 77 ----------------
src/modules/tls/tls_server.c | 20 +---
4 files changed, 11 insertions(+), 352 deletions(-)
delete mode 100644 src/modules/tls/tls_map.c
delete mode 100644 src/modules/tls/tls_map.h
diff --git a/src/modules/tls/tls_domain.c b/src/modules/tls/tls_domain.c
index 48c3aa2..dde5fe0 100644
--- a/src/modules/tls/tls_domain.c
+++ b/src/modules/tls/tls_domain.c
@@ -37,7 +37,6 @@
#ifdef KSR_SSL_ENGINE
#include <openssl/engine.h>
-#include "tls_map.h"
extern EVP_PKEY *tls_engine_private_key(const char *key_id);
#endif /* KSR_SSL_ENGINE */
@@ -1229,31 +1228,6 @@ err:
}
#ifdef KSR_SSL_ENGINE
-/*
- * Implement a hash map from SSL_CTX to private key
- * as HSM keys need to be process local
- */
-static map_void_t private_key_map;
-
-/**
- * @brief Return a private key from the lookup table
- * @param p SSL_CTX*
- * @return EVP_PKEY on success, NULL on error
- */
-EVP_PKEY *tls_lookup_private_key(SSL_CTX *ctx)
-{
- void *pkey;
- char ctx_str[64];
- snprintf(ctx_str, 64, "SSL_CTX-%p", ctx);
- pkey = map_get(&private_key_map, ctx_str);
- LM_DBG("Private key lookup for %s: %p\n", ctx_str, pkey);
- if(pkey)
- return *(EVP_PKEY **)pkey;
- else
- return NULL;
-}
-
-
/**
* @brief Load a private key from an OpenSSL engine
* @param d TLS domain
@@ -1274,8 +1248,6 @@ static int load_engine_private_key(tls_domain_t *d)
{
int idx, ret_pwd, i;
EVP_PKEY *pkey = 0;
- int procs_no;
- char ctx_str[64];
if(!d->pkey_file.s || !d->pkey_file.len) {
DBG("%s: No private key specified\n", tls_domain_str(d));
@@ -1283,22 +1255,15 @@ static int load_engine_private_key(tls_domain_t *d)
}
if(strncmp(d->pkey_file.s, "/engine:", 8) != 0)
return 0;
- procs_no = get_max_procs();
- for(i = 0; i < procs_no; i++) {
- snprintf(ctx_str, 64, "SSL_CTX-%p", d->ctx[i]);
+
+ do {
+ i = process_no;
for(idx = 0, ret_pwd = 0; idx < 3; idx++) {
- if(i) {
- map_set(&private_key_map, ctx_str, pkey);
- ret_pwd = 1;
+ pkey = tls_engine_private_key(d->pkey_file.s + 8);
+ if(pkey) {
+ ret_pwd = SSL_CTX_use_PrivateKey(d->ctx[i], pkey);
} else {
- pkey = tls_engine_private_key(d->pkey_file.s + 8);
- if(pkey) {
- map_set(&private_key_map, ctx_str, pkey);
- // store the key for i = 0 to perform certificate sanity check
- ret_pwd = SSL_CTX_use_PrivateKey(d->ctx[i], pkey);
- } else {
- ret_pwd = 0;
- }
+ ret_pwd = 0;
}
if(ret_pwd) {
break;
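Review bot: The reference returned by `tls_engine_private_key()` is never released: `SSL_CTX_use_PrivateKey()` takes its own reference, so once it succeeds (and on the `SSL_CTX_check_private_key()` failure path in the next hunk) the local should be dropped with `EVP_PKEY_free(pkey);` — the removed map used to hold that reference on purpose for the per-connection lookups this commit deletes, so keep it only if the engine needs the extra pin. `i = process_no` now indexes `d->ctx[i]` without the bound the removed `get_max_procs()` loop implied; if `d->ctx` has one slot per process this is fine, but a one-line comment stating that invariant would help the next reader. With no loop left, the enclosing `do { ... } while(0);` adds nothing over a plain block. load_engine_private_key's body continues beyond this hunk.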
@@ -1316,14 +1281,14 @@ static int load_engine_private_key(tls_domain_t *d)
TLS_ERR("load_private_key:");
return -1;
}
- if(i == 0 && !SSL_CTX_check_private_key(d->ctx[i])) {
+ if(!SSL_CTX_check_private_key(d->ctx[i])) {
ERR("%s: Key '%s' does not match the public key of the"
" certificate\n",
tls_domain_str(d), d->pkey_file.s);
TLS_ERR("load_engine_private_key:");
return -1;
}
- }
+ } while(0);
LM_INFO("%s: Key '%s' successfully loaded\n", tls_domain_str(d),
diff --git a/src/modules/tls/tls_map.c b/src/modules/tls/tls_map.c
deleted file mode 100644
index 70c275d..0000000
--- a/src/modules/tls/tls_map.c
+++ /dev/null
@@ -1,213 +0,0 @@
-/**
- * Copyright (c) 2014 rxi
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the MIT license. See LICENSE for details.
- */
-
-#include <stdlib.h>
-#include <string.h>
-
-#include "../../core/mem/mem.h"
-#include "tls_map.h"
-
-struct map_node_t
-{
- unsigned hash;
- void *value;
- map_node_t *next;
- /* char key[]; */
- /* char value[]; */
-};
-
-
-static unsigned map_hash(const char *str)
-{
- unsigned hash = 5381;
- while(*str) {
- hash = ((hash << 5) + hash) ^ *str++;
- }
- return hash;
-}
-
-
-static map_node_t *map_newnode(const char *key, void *value, int vsize)
-{
- map_node_t *node;
- int ksize = strlen(key) + 1;
- int voffset = ksize + ((sizeof(void *) - ksize) % sizeof(void *));
- node = pkg_malloc(sizeof(*node) + voffset + vsize);
- if(!node)
- return NULL;
- memcpy(node + 1, key, ksize);
- node->hash = map_hash(key);
- node->value = ((char *)(node + 1)) + voffset;
- memcpy(node->value, value, vsize);
- return node;
-}
-
-
-static int map_bucketidx(map_base_t *m, unsigned hash)
-{
- /* If the implementation is changed to allow a non-power-of-2 bucket count,
- * the line below should be changed to use mod instead of AND */
- return hash & (m->nbuckets - 1);
-}
-
-
-static void map_addnode(map_base_t *m, map_node_t *node)
-{
- int n = map_bucketidx(m, node->hash);
- node->next = m->buckets[n];
- m->buckets[n] = node;
-}
-
-
-static int map_resize(map_base_t *m, int nbuckets)
-{
- map_node_t *nodes, *node, *next;
- map_node_t **buckets;
- int i;
- /* Chain all nodes together */
- nodes = NULL;
- i = m->nbuckets;
- while(i--) {
- node = (m->buckets)[i];
- while(node) {
- next = node->next;
- node->next = nodes;
- nodes = node;
- node = next;
- }
- }
- /* Reset buckets */
- buckets = realloc(m->buckets, sizeof(*m->buckets) * nbuckets);
- if(buckets != NULL) {
- m->buckets = buckets;
- m->nbuckets = nbuckets;
- }
- if(m->buckets) {
- memset(m->buckets, 0, sizeof(*m->buckets) * m->nbuckets);
- /* Re-add nodes to buckets */
- node = nodes;
- while(node) {
- next = node->next;
- map_addnode(m, node);
- node = next;
- }
- }
- /* Return error code if realloc() failed */
- return (buckets == NULL) ? -1 : 0;
-}
-
-
-static map_node_t **map_getref(map_base_t *m, const char *key)
-{
- unsigned hash = map_hash(key);
- map_node_t **next;
- if(m->nbuckets > 0) {
- next = &m->buckets[map_bucketidx(m, hash)];
- while(*next) {
- if((*next)->hash == hash && !strcmp((char *)(*next + 1), key)) {
- return next;
- }
- next = &(*next)->next;
- }
- }
- return NULL;
-}
-
-
-void map_deinit_(map_base_t *m)
-{
- map_node_t *next, *node;
- int i;
- i = m->nbuckets;
- while(i--) {
- node = m->buckets[i];
- while(node) {
- next = node->next;
- pkg_free(node);
- node = next;
- }
- }
- pkg_free(m->buckets);
-}
-
-
-void *map_get_(map_base_t *m, const char *key)
-{
- map_node_t **next = map_getref(m, key);
- return next ? (*next)->value : NULL;
-}
-
-
-int map_set_(map_base_t *m, const char *key, void *value, int vsize)
-{
- int n, err;
- map_node_t **next, *node;
- /* Find & replace existing node */
- next = map_getref(m, key);
- if(next) {
- memcpy((*next)->value, value, vsize);
- return 0;
- }
- /* Add new node */
- node = map_newnode(key, value, vsize);
- if(node == NULL)
- goto fail;
- if(m->nnodes >= m->nbuckets) {
- n = (m->nbuckets > 0) ? (m->nbuckets << 1) : 1;
- err = map_resize(m, n);
- if(err)
- goto fail;
- }
- map_addnode(m, node);
- m->nnodes++;
- return 0;
-fail:
- if(node)
- pkg_free(node);
- return -1;
-}
-
-
-void map_remove_(map_base_t *m, const char *key)
-{
- map_node_t *node;
- map_node_t **next = map_getref(m, key);
- if(next) {
- node = *next;
- *next = (*next)->next;
- pkg_free(node);
- m->nnodes--;
- }
-}
-
-
-map_iter_t map_iter_(void)
-{
- map_iter_t iter;
- iter.bucketidx = -1;
- iter.node = NULL;
- return iter;
-}
-
-
-const char *map_next_(map_base_t *m, map_iter_t *iter)
-{
- if(iter->node) {
- iter->node = iter->node->next;
- if(iter->node == NULL)
- goto nextBucket;
- } else {
- nextBucket:
- do {
- if(++iter->bucketidx >= m->nbuckets) {
- return NULL;
- }
- iter->node = m->buckets[iter->bucketidx];
- } while(iter->node == NULL);
- }
- return (char *)(iter->node + 1);
-}
diff --git a/src/modules/tls/tls_map.h b/src/modules/tls/tls_map.h
deleted file mode 100644
index e4028a3..0000000
--- a/src/modules/tls/tls_map.h
+++ /dev/null
@@ -1,77 +0,0 @@
-/**
- * Copyright (c) 2014 rxi
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the MIT license. See LICENSE for details.
- */
-
-#ifndef _TLS_MAP_H
-#define _TLS_MAP_H
-
-#include <string.h>
-
-#define MAP_VERSION "0.1.0"
-
-struct map_node_t;
-typedef struct map_node_t map_node_t;
-
-typedef struct
-{
- map_node_t **buckets;
- unsigned nbuckets, nnodes;
-} map_base_t;
-
-typedef struct
-{
- unsigned bucketidx;
- map_node_t *node;
-} map_iter_t;
-
-
-#define map_t(T) \
- struct \
- { \
- map_base_t base; \
- T *ref; \
- T tmp; \
- }
-
-
-#define map_init(m) memset(m, 0, sizeof(*(m)))
-
-
-#define map_deinit(m) map_deinit_(&(m)->base)
-
-
-#define map_get(m, key) ((m)->ref = map_get_(&(m)->base, key))
-
-
-#define map_set(m, key, value) \
- ((m)->tmp = (value), map_set_(&(m)->base, key, &(m)->tmp, sizeof((m)->tmp)))
-
-
-#define map_remove(m, key) map_remove_(&(m)->base, key)
-
-
-#define map_iter(m) map_iter_()
-
-
-#define map_next(m, iter) map_next_(&(m)->base, iter)
-
-
-void map_deinit_(map_base_t *m);
-void *map_get_(map_base_t *m, const char *key);
-int map_set_(map_base_t *m, const char *key, void *value, int vsize);
-void map_remove_(map_base_t *m, const char *key);
-map_iter_t map_iter_(void);
-const char *map_next_(map_base_t *m, map_iter_t *iter);
-
-
-typedef map_t(void *) map_void_t;
-typedef map_t(char *) map_str_t;
-typedef map_t(int) map_int_t;
-typedef map_t(char) map_char_t;
-typedef map_t(float) map_float_t;
-typedef map_t(double) map_double_t;
-
-#endif /* _TLS_MAP_H */
diff --git a/src/modules/tls/tls_server.c b/src/modules/tls/tls_server.c
index 947f107..3e22ec4 100644
--- a/src/modules/tls/tls_server.c
+++ b/src/modules/tls/tls_server.c
@@ -427,11 +427,6 @@ static void tls_dump_cert_info(char *s, X509 *cert)
}
}
-
-#ifdef KSR_SSL_ENGINE
-// lookup HSM keys in process-local memory
-EVP_PKEY *tls_lookup_private_key(SSL_CTX *);
-#endif /* KSR_SSL_ENGINE */
/** wrapper around SSL_accept, usin SSL return convention.
* It will also log critical errors and certificate debugging info.
* @param c - tcp connection with tls (extra_data must be a filled
@@ -462,12 +457,7 @@ int tls_accept(struct tcp_connection *c, int *error)
BUG("Invalid connection state %d (bug in TLS code)\n", tls_c->state);
goto err;
}
-#ifdef KSR_SSL_ENGINE
- /* check if we have a HSM key */
- EVP_PKEY *pkey = tls_lookup_private_key(SSL_get_SSL_CTX(ssl));
- if(pkey)
- SSL_use_PrivateKey(ssl, pkey);
-#endif /* KSR_SSL_ENGINE */
+
tls_openssl_clear_errors();
ret = SSL_accept(ssl);
if(unlikely(ret == 1)) {
@@ -532,13 +522,7 @@ int tls_connect(struct tcp_connection *c, int *error)
BUG("Invalid connection state %d (bug in TLS code)\n", tls_c->state);
goto err;
}
-#ifdef KSR_SSL_ENGINE
- // lookup HSM private key in process-local memory
- EVP_PKEY *pkey = tls_lookup_private_key(SSL_get_SSL_CTX(ssl));
- if(pkey) {
- SSL_use_PrivateKey(ssl, pkey);
- }
-#endif
+
tls_openssl_clear_errors();
ret = SSL_connect(ssl);
if(unlikely(ret == 1)) {

@ -0,0 +1,21 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Thu, 29 Feb 2024 19:01:14 +0800
Subject: tls: fix OpenSSL 1.1.1 engine keys
Cherry-pick from e535cc5eb2
---
src/modules/tls/tls_mod.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 664e35f..85a1fc4 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -728,6 +728,7 @@ static int tls_engine_init()
* We are in the child process and the global engine linked-list
* is initialized in the parent.
*/
+ ENGINE_load_builtin_engines();
e = ENGINE_by_id("dynamic");
if(!e) {
err = "Error loading dynamic engine";

@ -0,0 +1,35 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Sun, 25 Feb 2024 12:56:19 +0800
Subject: tls: fix restore early init
Cherry-pick from a02ca644e8
---
src/modules/tls/tls_mod.c | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 6058592..664e35f 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -468,19 +468,13 @@ static int mod_child(int rank)
if(tls_disable || (tls_domains_cfg == 0))
return 0;
-#if OPENSSL_VERSION_NUMBER >= 0x010101000L
/*
* OpenSSL 3.x/1.1.1: create shared SSL_CTX* in thread executor
- * to avoid init of libssl in thread#1
+ * to avoid init of libssl in thread#1: ksr_tls_threads_mode = 1
*/
- if(rank == PROC_INIT && ksr_tls_threads_mode != 0) {
- return run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, NULL);
- }
-#else
if(rank == PROC_INIT) {
- return mod_child_hook(&rank, NULL);
+ return run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, NULL);
}
-#endif /* OPENSSL_VERSION_NUMBER */
#ifndef OPENSSL_NO_ENGINE
/*
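Review bot: The comment `to avoid init of libssl in thread#1: ksr_tls_threads_mode = 1` no longer matches the code under it, which now calls `run_thread4PP()` at PROC_INIT for every mode and every OpenSSL version. If run_thread4PP() is what consults `ksr_tls_threads_mode` and runs the hook directly when it is 0 (as the rthreads changes in this series suggest), state that here, e.g. `/* run_thread4PP() runs mod_child_hook in a thread only when ksr_tls_threads_mode != 0 */`; otherwise a reader assumes mode 0 bypasses the executor. mod_child continues past the hunk.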

@ -0,0 +1,252 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Fri, 1 Mar 2024 08:06:13 +0800
Subject: tls: make explicit ENGINE deprecation in OpenSSL 3
---
src/modules/tls/tls_domain.c | 25 +++++++++++++------------
src/modules/tls/tls_mod.c | 25 +++++++++++++------------
src/modules/tls/tls_server.c | 15 ++++++++-------
3 files changed, 34 insertions(+), 31 deletions(-)
diff --git a/src/modules/tls/tls_domain.c b/src/modules/tls/tls_domain.c
index 4e35f91..48c3aa2 100644
--- a/src/modules/tls/tls_domain.c
+++ b/src/modules/tls/tls_domain.c
@@ -30,15 +30,16 @@
#include <openssl/bn.h>
#include <openssl/dh.h>
-#if OPENSSL_VERSION_NUMBER >= 0x030000000L
-#define OPENSSL_NO_ENGINE
+/* only OpenSSL <= 1.1.1 */
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER < 0x030000000L
+#define KSR_SSL_ENGINE
#endif
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
#include <openssl/engine.h>
#include "tls_map.h"
extern EVP_PKEY *tls_engine_private_key(const char *key_id);
-#endif
+#endif /* KSR_SSL_ENGINE */
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
#include <openssl/ui.h>
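Review bot: The `KSR_SSL_ENGINE` feature test is defined verbatim in three translation units — here, tls_mod.c at `@@ -91,8 +91,9 @@` and tls_server.c at `@@ -128,8 +128,9 @@` — with two different explanations (`only OpenSSL <= 1.1.1` versus `Engine is deprecated in OpenSSL 3`), and a later patch in this series deletes the tls_server.c copy as unused. One definition in a header both remaining files include keeps the guards from drifting; the comment should also say what the test actually checks, since `OPENSSL_VERSION_NUMBER < 0x030000000L` covers every pre-3.0 build, not only 1.1.1.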
@@ -1227,7 +1228,7 @@ err:
#endif
}
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
/*
* Implement a hash map from SSL_CTX to private key
* as HSM keys need to be process local
@@ -1329,7 +1330,7 @@ static int load_engine_private_key(tls_domain_t *d)
d->pkey_file.s);
return 0;
}
-#endif
+#endif /* KSR_SSL_ENGINE */
/**
* @brief Load a private key from a file
* @param d TLS domain
@@ -1353,7 +1354,7 @@ static int load_private_key(tls_domain_t *d)
SSL_CTX_set_default_passwd_cb_userdata(d->ctx[i], d->pkey_file.s);
for(idx = 0, ret_pwd = 0; idx < 3; idx++) {
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
// in PROC_INIT skip loading HSM keys due to
// fork() issues with PKCS#11 libraries
if(strncmp(d->pkey_file.s, "/engine:", 8) != 0) {
@@ -1365,7 +1366,7 @@ static int load_private_key(tls_domain_t *d)
#else
ret_pwd = SSL_CTX_use_PrivateKey_file(
d->ctx[i], d->pkey_file.s, SSL_FILETYPE_PEM);
-#endif
+#endif /* KSR_SSL_ENGINE */
if(ret_pwd) {
break;
} else {
@@ -1382,12 +1383,12 @@ static int load_private_key(tls_domain_t *d)
TLS_ERR("load_private_key:");
return -1;
}
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
if(strncmp(d->pkey_file.s, "/engine:", 8) == 0) {
// skip private key validity check for HSM keys
continue;
}
-#endif
+#endif /* KSR_SSL_ENGINE */
if(!SSL_CTX_check_private_key(d->ctx[i])) {
ERR("%s: Key '%s' does not match the public key of the"
" certificate\n",
@@ -1403,7 +1404,7 @@ static int load_private_key(tls_domain_t *d)
}
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
/**
* @brief Initialize engine private keys
*
@@ -1435,7 +1436,7 @@ int tls_fix_engine_keys(tls_domains_cfg_t *cfg, tls_domain_t *srv_defaults,
return 0;
}
-#endif
+#endif /* KSR_SSL_ENGINE */
/**
* @brief Initialize attributes of all domains from default domains if necessary
*
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 85a1fc4..34689f2 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -91,8 +91,9 @@ int ksr_rand_engine_param(modparam_t type, void *val);
MODULE_VERSION
-#if OPENSSL_VERSION_NUMBER >= 0x030000000L
-#define OPENSSL_NO_ENGINE
+/* Engine is deprecated in OpenSSL 3 */
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER < 0x030000000L
+#define KSR_SSL_ENGINE
#endif
extern str sr_tls_event_callback;
@@ -149,7 +150,7 @@ tls_domain_t srv_defaults = {
};
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
typedef struct tls_engine
{
@@ -166,7 +167,7 @@ static tls_engine_t tls_engine_settings = {
STR_STATIC_INIT("NONE"),
STR_STATIC_INIT("ALL"),
};
-#endif /* OPENSSL_NO_ENGINE */
+#endif /* KSR_SSL_ENGINE */
/*
* Default settings for client domains when using external config file
*/
@@ -231,12 +232,12 @@ static param_export_t params[] = {
{"crl", PARAM_STR, &default_tls_cfg.crl},
{"cipher_list", PARAM_STR, &default_tls_cfg.cipher_list},
{"connection_timeout", PARAM_INT, &default_tls_cfg.con_lifetime},
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
{"engine", PARAM_STR, &tls_engine_settings.engine},
{"engine_config", PARAM_STR, &tls_engine_settings.engine_config},
{"engine_algorithms", PARAM_STR,
&tls_engine_settings.engine_algorithms},
-#endif /* OPENSSL_NO_ENGINE */
+#endif /* KSR_SSL_ENGINE */
{"tls_log", PARAM_INT, &default_tls_cfg.log},
{"tls_debug", PARAM_INT, &default_tls_cfg.debug},
{"session_cache", PARAM_INT, &default_tls_cfg.session_cache},
@@ -432,10 +433,10 @@ error:
}
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
static int tls_engine_init();
int tls_fix_engine_keys(tls_domains_cfg_t *, tls_domain_t *, tls_domain_t *);
-#endif
+#endif /* KSR_SSL_ENGINE */
/*
* OpenSSL 1.1.1+: SSL_CTX is repeated in each worker
@@ -476,7 +477,7 @@ static int mod_child(int rank)
return run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, NULL);
}
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
/*
* after the child is fork()ed we go through the TLS domains
* and fix up private keys from engine
@@ -492,7 +493,7 @@ static int mod_child(int rank)
return -1;
LM_INFO("OpenSSL Engine loaded private keys in child: %d\n", rank);
}
-#endif
+#endif /* KSR_SSL_ENGINE */
return 0;
}
@@ -702,7 +703,7 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2)
}
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
/*
* initialize OpenSSL engine in child process
* PKCS#11 libraries are not guaranteed to be fork() safe
@@ -796,4 +797,4 @@ EVP_PKEY *tls_engine_private_key(const char *key_id)
{
return ENGINE_load_private_key(ksr_tls_engine, key_id, NULL, NULL);
}
-#endif
+#endif /* KSR_SSL_ENGINE */
diff --git a/src/modules/tls/tls_server.c b/src/modules/tls/tls_server.c
index 420fd5a..947f107 100644
--- a/src/modules/tls/tls_server.c
+++ b/src/modules/tls/tls_server.c
@@ -128,8 +128,9 @@ int tls_run_event_routes(struct tcp_connection *c);
#endif /* __SUNPRO_c */
#endif /* TLS_RD_DEBUG */
-#if OPENSSL_VERSION_NUMBER >= 0x030000000L
-#define OPENSSL_NO_ENGINE
+/* only OpenSSL <= 1.1.1 */
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER < 0x030000000L
+#define KSR_SSL_ENGINE
#endif
extern str sr_tls_xavp_cfg;
@@ -427,10 +428,10 @@ static void tls_dump_cert_info(char *s, X509 *cert)
}
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
// lookup HSM keys in process-local memory
EVP_PKEY *tls_lookup_private_key(SSL_CTX *);
-#endif
+#endif /* KSR_SSL_ENGINE */
/** wrapper around SSL_accept, usin SSL return convention.
* It will also log critical errors and certificate debugging info.
* @param c - tcp connection with tls (extra_data must be a filled
@@ -461,12 +462,12 @@ int tls_accept(struct tcp_connection *c, int *error)
BUG("Invalid connection state %d (bug in TLS code)\n", tls_c->state);
goto err;
}
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
/* check if we have a HSM key */
EVP_PKEY *pkey = tls_lookup_private_key(SSL_get_SSL_CTX(ssl));
if(pkey)
SSL_use_PrivateKey(ssl, pkey);
-#endif
+#endif /* KSR_SSL_ENGINE */
tls_openssl_clear_errors();
ret = SSL_accept(ssl);
if(unlikely(ret == 1)) {
@@ -531,7 +532,7 @@ int tls_connect(struct tcp_connection *c, int *error)
BUG("Invalid connection state %d (bug in TLS code)\n", tls_c->state);
goto err;
}
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
// lookup HSM private key in process-local memory
EVP_PKEY *pkey = tls_lookup_private_key(SSL_get_SSL_CTX(ssl));
if(pkey) {

@ -0,0 +1,47 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Mon, 4 Mar 2024 22:00:14 +0800
Subject: tls: new option tls_threads_mode = 2
- use pthread_atfork to force all thread-locals
to 0x0 after fork()
(cherry picked from commit 464299c202f3ba963aed821b777075397e843856)
---
src/modules/tls/tls_mod.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index c34c993..51e88be 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -337,6 +337,20 @@ static tls_domains_cfg_t* tls_use_modparams(void)
}
#endif
+/* global config tls_threads_mode = 2
+ * - force all thread-locals to be 0x0 after fork()
+ * - with OpenSSL loaded the largest value observed
+ * is < 10
+ *
+ */
+static void fork_child(void)
+{
+ for(int k = 0; k < 16; k++) {
+ if(pthread_getspecific(k) != 0)
+ pthread_setspecific(k, 0x0);
+ }
+}
+
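Review bot: `fork_child()` assumes pthread keys are small dense integers and clears `0..15` unconditionally; that holds on glibc, where `pthread_key_t` indexes a per-thread table, but it resets every key in that range — keys created by libc, other Kamailio modules or any third-party library in the process, not only OpenSSL's — and a key whose value is legitimately needed in the child after fork() silently reads as NULL with its destructor never run. The bound `16` is a magic number justified only by "< 10 observed"; name it (`enum { KSR_TLS_FORK_MAX_KEYS = 16 };`) and emit an `LM_DBG` for each key that was non-NULL so operators enabling mode 2 can see what was reset. Declare `k` as `pthread_key_t` rather than `int`, and pass `NULL` instead of the integer literal `0x0`.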
static int mod_init(void)
{
int method;
@@ -446,6 +460,9 @@ static int mod_init(void)
ksr_module_set_flag(KSRMOD_FLAG_POSTCHILDINIT);
}
#endif
+ if(ksr_tls_threads_mode == 2) {
+ pthread_atfork(NULL, NULL, &fork_child);
+ }
return 0;
error:
tls_h_mod_destroy_f();

@ -0,0 +1,21 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Tue, 13 Feb 2024 19:10:34 +0800
Subject: tls: raise logging level of early messages in mod_register
---
src/modules/tls/tls_mod.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 905ca6f..0d8ea3d 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -689,7 +689,7 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2)
#if OPENSSL_VERSION_NUMBER >= 0x10100000L \
&& OPENSSL_VERSION_NUMBER < 0x030000000L
if(ksr_tls_threads_mode == 0) {
- LM_DBG("setting cryptorand random engine\n");
+ LM_WARN("OpenSSL 1.1.1 setting cryptorand random engine\n");
RAND_set_rand_method(RAND_ksr_cryptorand_method());
}
#endif

@ -0,0 +1,24 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Sat, 2 Mar 2024 21:41:11 +0800
Subject: tls: remove unused ENGINE define
---
src/modules/tls/tls_server.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/src/modules/tls/tls_server.c b/src/modules/tls/tls_server.c
index 3e22ec4..3bfea13 100644
--- a/src/modules/tls/tls_server.c
+++ b/src/modules/tls/tls_server.c
@@ -128,11 +128,6 @@ int tls_run_event_routes(struct tcp_connection *c);
#endif /* __SUNPRO_c */
#endif /* TLS_RD_DEBUG */
-/* only OpenSSL <= 1.1.1 */
-#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER < 0x030000000L
-#define KSR_SSL_ENGINE
-#endif
-
extern str sr_tls_xavp_cfg;
static str _ksr_tls_connect_server_id = STR_NULL;

@ -0,0 +1,27 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Sun, 11 Feb 2024 12:14:19 +0800
Subject: tls: restore default to bypass thread guards
- restore <= 5.7.3 behaviour
- require user to opt-in to libssl thread-guards
with tls_threads_mode = 1|2
---
src/modules/tls/tls_mod.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index beaf1b7..3359aaf 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -451,9 +451,9 @@ static int mod_child(int rank)
#if OPENSSL_VERSION_NUMBER >= 0x010101000L
/*
* OpenSSL 3.x/1.1.1: create shared SSL_CTX* in worker to avoid init of
- * libssl in rank 0(thread#1)
+ * libssl in rank 0(thread#1). Requires tls_threads_mode = 1 config.
*/
- if(rank == PROC_SIPINIT) {
+ if((rank == PROC_SIPINIT && ksr_tls_threads_mode) || (rank == PROC_INIT && !ksr_tls_threads_mode)) {
#else
if(rank == PROC_INIT) {
#endif

@ -0,0 +1,92 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Sun, 25 Feb 2024 08:03:17 +0800
Subject: tls: restore early init for other modules that use TLS
Client modules (e.g. dispatcher) that require outbound TLS
may race if tls init is too late.
Restore tls init to PROC_INIT with a thread executor.
Addresses GH #3765
Cherry-pick from 706d7b7ff3
---
src/modules/tls/tls_mod.c | 48 +++++++++++++++++++++++++++--------------------
1 file changed, 28 insertions(+), 20 deletions(-)
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 0d8ea3d..6058592 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -42,6 +42,10 @@
#include "../../core/dprint.h"
#include "../../core/mod_fix.h"
#include "../../core/kemi.h"
+
+#define KSR_RTHREAD_SKIP_P
+#define KSR_RTHREAD_NEED_4PP
+#include "../../core/rthreads.h"
#include "tls_init.h"
#include "tls_server.h"
#include "tls_domain.h"
@@ -443,6 +447,22 @@ int tls_fix_engine_keys(tls_domains_cfg_t *, tls_domain_t *, tls_domain_t *);
*
* EC operations do not use pthread_self(), so could use shared SSL_CTX
*/
+static int mod_child_hook(int *rank, void *dummy)
+{
+ LM_DBG("Loading SSL_CTX in process_no=%d rank=%d "
+ "ksr_tls_threads_mode=%d\n",
+ process_no, *rank, ksr_tls_threads_mode);
+ if(cfg_get(tls, tls_cfg, config_file).s) {
+ if(tls_fix_domains_cfg(*tls_domains_cfg, &srv_defaults, &cli_defaults)
+ < 0)
+ return -1;
+ } else {
+ if(tls_fix_domains_cfg(*tls_domains_cfg, &mod_params, &mod_params) < 0)
+ return -1;
+ }
+ return 0;
+}
+
static int mod_child(int rank)
{
if(tls_disable || (tls_domains_cfg == 0))
@@ -450,29 +470,17 @@ static int mod_child(int rank)
#if OPENSSL_VERSION_NUMBER >= 0x010101000L
/*
- * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in worker to avoid init of
- * libssl in rank 0(thread#1). Requires tls_threads_mode = 1 config.
- */
- if((rank == PROC_SIPINIT && ksr_tls_threads_mode)
- || (rank == PROC_INIT && !ksr_tls_threads_mode)) {
+ * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in thread executor
+ * to avoid init of libssl in thread#1
+ */
+ if(rank == PROC_INIT && ksr_tls_threads_mode != 0) {
+ return run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, NULL);
+ }
#else
if(rank == PROC_INIT) {
-#endif
- LM_DBG("Loading SSL_CTX in process_no=%d rank=%d "
- "ksr_tls_threads_mode=%d\n",
- process_no, rank, ksr_tls_threads_mode);
- if(cfg_get(tls, tls_cfg, config_file).s) {
- if(tls_fix_domains_cfg(
- *tls_domains_cfg, &srv_defaults, &cli_defaults)
- < 0)
- return -1;
- } else {
- if(tls_fix_domains_cfg(*tls_domains_cfg, &mod_params, &mod_params)
- < 0)
- return -1;
- }
- return 0;
+ return mod_child_hook(&rank, NULL);
}
+#endif /* OPENSSL_VERSION_NUMBER */
#ifndef OPENSSL_NO_ENGINE
/*
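Review bot: `mod_child_hook` is defined as `int (int *, void *)` but invoked through a `(_thread_proto4PP)` cast; if that typedef has a different parameter list (for instance `void *` for the first argument), calling through the converted pointer is undefined behaviour in C even though it works on common ABIs. Define the hook with the executor's exact signature and convert inside the body (`int rank = *(int *)prank;`) so no function-pointer cast is needed; the xcap_client patch in this series casts `curl_global_init` the same way. mod_child continues past the hunk.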

@ -0,0 +1,171 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Tue, 13 Feb 2024 07:15:05 +0800
Subject: tls: restore some function calls in non-threaded mode
In the case that tls_threads_mode = 0 we restore the earlier
behaviour of 5.7.3.
- OpenSSL 1.1.1: restore early call to RAND_set_rand_method
- OpenSSL 3.x: restore enable locking on EVP_RAND_CTX
---
src/modules/tls/tls_init.c | 92 +++++++++++++++++++++++-----------------------
src/modules/tls/tls_mod.c | 19 +++++++---
2 files changed, 59 insertions(+), 52 deletions(-)
diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c
index 1c6b19f..b7901af 100644
--- a/src/modules/tls/tls_init.c
+++ b/src/modules/tls/tls_init.c
@@ -737,43 +737,43 @@ int tls_pre_init(void)
* left here in case more complex requirements arise in
* OpenSSL >= 3.2.
*/
-long tls_h_mod_randctx(void *param)
+int tls_h_mod_randctx()
{
- do {
- OSSL_LIB_CTX *osslglobal = NULL;
- EVP_RAND_CTX *randctx = NULL;
-
- LM_DBG("enabling locking for rand ctx\n");
-
- osslglobal = OSSL_LIB_CTX_get0_global_default();
- if(osslglobal == NULL) {
- LM_ERR("failed to get lib ssl global ctx\n");
- return -1L;
- }
-
- randctx = RAND_get0_primary(osslglobal);
- if(randctx == NULL) {
- LM_ERR("primary rand ctx is null\n");
- return -1L;
- }
- EVP_RAND_enable_locking(randctx);
-
- randctx = RAND_get0_public(osslglobal);
- if(randctx == NULL) {
- LM_ERR("public rand ctx is null\n");
- return -1L;
- }
- EVP_RAND_enable_locking(randctx);
-
- randctx = RAND_get0_private(osslglobal);
- if(randctx == NULL) {
- LM_ERR("private rand ctx is null\n");
- return -1L;
- }
- EVP_RAND_enable_locking(randctx);
- } while(0);
-
- return 0L;
+ do {
+ OSSL_LIB_CTX *osslglobal = NULL;
+ EVP_RAND_CTX *randctx = NULL;
+
+ LM_DBG("enabling locking for rand ctx\n");
+
+ osslglobal = OSSL_LIB_CTX_get0_global_default();
+ if(osslglobal == NULL) {
+ LM_ERR("failed to get lib ssl global ctx\n");
+ return -1;
+ }
+
+ randctx = RAND_get0_primary(osslglobal);
+ if(randctx == NULL) {
+ LM_ERR("primary rand ctx is null\n");
+ return -1;
+ }
+ EVP_RAND_enable_locking(randctx);
+
+ randctx = RAND_get0_public(osslglobal);
+ if(randctx == NULL) {
+ LM_ERR("public rand ctx is null\n");
+ return -1;
+ }
+ EVP_RAND_enable_locking(randctx);
+
+ randctx = RAND_get0_private(osslglobal);
+ if(randctx == NULL) {
+ LM_ERR("private rand ctx is null\n");
+ return -1;
+ }
+ EVP_RAND_enable_locking(randctx);
+ } while(0);
+
+ return 0;
}
#endif /* OPENSSL_VERSION_NUMBER */
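Review bot: `int tls_h_mod_randctx()` with empty parentheses is a non-prototype definition, so the compiler will not reject a caller still passing the old `void *param`; write `int tls_h_mod_randctx(void)` and match any header declaration. The `do { ... } while(0)` around the body has neither a loop nor a macro to justify it — the early `return`s behave identically in a plain block, and dropping it removes one indentation level from the re-indented lines.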
@@ -801,21 +801,19 @@ int tls_h_mod_pre_init_f(void)
SSL_load_error_strings();
#endif
-#if 0
#if OPENSSL_VERSION_NUMBER >= 0x030000000L
- /*
+ /*
* With deferred initialisation it is not necessary to enable threading
- * on the EVP_RAND_CTX. We leave this block here as an example of how
- * to do it in case of future requirements.
+ * on the EVP_RAND_CTX in tls_threads_mode = 1
*/
- pthread_t tid;
- long rl;
- pthread_create(&tid, NULL, (void *(*)(void *))tls_h_mod_randctx, NULL);
- pthread_join(tid, (void **)&rl);
- if ((int)rl)
- return (int)rl;
+ int ret;
+
+ if(ksr_tls_threads_mode == 0) {
+ ret = tls_h_mod_randctx();
+ if(ret)
+ return ret;
+ }
#endif /* OPENSSL_VERSION_NUMBER */
-#endif /* 0 */
tls_mod_preinitialized = 1;
return 0;
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 3359aaf..5d3982b 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -449,13 +449,14 @@ static int mod_child(int rank)
return 0;
#if OPENSSL_VERSION_NUMBER >= 0x010101000L
- /*
+ /*
* OpenSSL 3.x/1.1.1: create shared SSL_CTX* in worker to avoid init of
* libssl in rank 0(thread#1). Requires tls_threads_mode = 1 config.
*/
- if((rank == PROC_SIPINIT && ksr_tls_threads_mode) || (rank == PROC_INIT && !ksr_tls_threads_mode)) {
+ if((rank == PROC_SIPINIT && ksr_tls_threads_mode)
+ || (rank == PROC_INIT && !ksr_tls_threads_mode)) {
#else
- if(rank == PROC_INIT) {
+ if(rank == PROC_INIT) {
#endif
if(cfg_get(tls, tls_cfg, config_file).s) {
if(tls_fix_domains_cfg(
@@ -678,10 +679,18 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2)
register_tls_hooks(&tls_h);
- /*
+ /*
* GH #3695: OpenSSL 1.1.1 historical note: it is no longer
- * needed to replace RAND with cryptorand
+ * needed to replace RAND with cryptorand in tls_threads_mode = 1
*/
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L \
+ && OPENSSL_VERSION_NUMBER < 0x030000000L
+ if(ksr_tls_threads_mode == 0) {
+ LM_DBG("setting cryptorand random engine\n");
+ RAND_set_rand_method(RAND_ksr_cryptorand_method());
+ }
+#endif
+
sr_kemi_modules_add(sr_kemi_tls_exports);
return 0;

@ -0,0 +1,78 @@
From: Daniel-Constantin Mierla <miconda@gmail.com>
Date: Sat, 2 Mar 2024 08:13:40 +0100
Subject: tlsa: removed the map files used in the past for tls engine
- sync with code of tls module
---
src/modules/tlsa/tls_map.c | 27 ---------------------------
src/modules/tlsa/tls_map.h | 27 ---------------------------
2 files changed, 54 deletions(-)
delete mode 100644 src/modules/tlsa/tls_map.c
delete mode 100644 src/modules/tlsa/tls_map.h
diff --git a/src/modules/tlsa/tls_map.c b/src/modules/tlsa/tls_map.c
deleted file mode 100644
index ad799b5..0000000
--- a/src/modules/tlsa/tls_map.c
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Copyright (C) 2021 Daniel-Constantin Mierla (asipto.com)
- *
- * This file is part of Kamailio, a free SIP server.
- *
- * This file is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version
- *
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- *
- */
-
-/**
- * THIS FILE IS GENERATED - DO NOT MODIFY IT
- */
-
-#include "../tls/tls_map.c"
diff --git a/src/modules/tlsa/tls_map.h b/src/modules/tlsa/tls_map.h
deleted file mode 100644
index 96705a7..0000000
--- a/src/modules/tlsa/tls_map.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Copyright (C) 2021 Daniel-Constantin Mierla (asipto.com)
- *
- * This file is part of Kamailio, a free SIP server.
- *
- * This file is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version
- *
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- *
- */
-
-/**
- * THIS FILE IS GENERATED - DO NOT MODIFY IT
- */
-
-#include "../tls/tls_map.h"

@ -0,0 +1,32 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Tue, 27 Feb 2024 05:01:45 +0800
Subject: xcap_client: libssl thread executor for curl_global_init()
Cherry-pick from f5164b39c8
---
src/modules/xcap_client/xcap_client.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/modules/xcap_client/xcap_client.c b/src/modules/xcap_client/xcap_client.c
index ac77228..4de2d36 100644
--- a/src/modules/xcap_client/xcap_client.c
+++ b/src/modules/xcap_client/xcap_client.c
@@ -41,6 +41,9 @@
#include "../../core/mem/shm_mem.h"
#include "../../core/rpc.h"
#include "../../core/rpc_lookup.h"
+#define KSR_RTHREAD_NEED_4L
+#define KSR_RTHREAD_SKIP_P
+#include "../../core/rthreads.h"
#include "../presence/utils_func.h"
#include "xcap_functions.h"
#include "xcap_client.h"
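Review bot: The two configuration macros added before the include, `#define KSR_RTHREAD_NEED_4L` and `#define KSR_RTHREAD_SKIP_P`, carry no explanation, and their meaning is not visible anywhere in this file. A one-line comment above them would save the next maintainer a trip into core/rthreads.h, e.g. `/* rthreads.h is configured per include: only the 4-arg long wrapper (run_thread4L) is needed here, and the process-level variants are skipped */`. I am inferring the meaning from the names and from the single run_thread4L call below, so the wording should be confirmed against the header before it is committed.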
@@ -140,7 +143,7 @@ static int mod_init(void)
xcap_dbf.close(xcap_db);
xcap_db = NULL;
- curl_global_init(CURL_GLOBAL_ALL);
+ run_thread4L((_thread_proto4L)curl_global_init, CURL_GLOBAL_ALL);
if(periodical_query) {
register_timer(query_xcap_update, 0, query_period);
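Review bot: The CURLcode returned by curl_global_init() is still discarded on the new line `run_thread4L((_thread_proto4L)curl_global_init, CURL_GLOBAL_ALL);`, so a failed initialisation, including a failed TLS-backend setup, which is exactly the case this thread executor exists for, goes unnoticed and mod_init carries on to register a timer that will issue requests on an uninitialised libcurl. If run_thread4L hands back the callee's return value, the call should be checked: `if(run_thread4L((_thread_proto4L)curl_global_init, CURL_GLOBAL_ALL) != 0) { LM_ERR("curl_global_init() failed\n"); return -1; }`. The removed line had the same omission, so this is a pre-existing gap, but the commit is touching the line and could close it; note also that the `(_thread_proto4L)` cast silences any signature mismatch between curl_global_init's CURLcode(long) and the wrapper's expected prototype, which is worth a glance in rthreads.h. mod_init's body starts and ends outside this hunk.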