From 301495738cabced987502bca830f3fbfefbdd7d7 Mon Sep 17 00:00:00 2001
From: Victor Seva
Date: Tue, 12 Dec 2023 14:48:14 +0100
Subject: [PATCH] MT#58875 tls fixes from upstream 5.7 branch (5.7.3)
Change-Id: I1f052ac05dd41a80a08c5e7edfd080ce0288c8c7
---
 debian/patches/series | 2 +
 ...ly-tls_openssl_clear_errors-function.patch | 165 ++++++++++++++++++
 ...-to-fix-warning-about-tls_openssl_cl.patch | 21 +++
 3 files changed, 188 insertions(+)
 create mode 100644 debian/patches/upstream/tls-Add-and-apply-tls_openssl_clear_errors-function.patch
 create mode 100644 debian/patches/upstream/tls-include-file-to-fix-warning-about-tls_openssl_cl.patch
diff --git a/debian/patches/series b/debian/patches/series
index 441dc1257..48482be5b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -32,6 +32,8 @@ sipwise/sca-debug.patch
 sipwise/sca-fix-notify-after-bye.patch
 sipwise/sca-add-pai_avp-parameter.patch
 ## upstream 5.7
+upstream/tls-Add-and-apply-tls_openssl_clear_errors-function.patch
+upstream/tls-include-file-to-fix-warning-about-tls_openssl_cl.patch
 upstream/Makefile.groups-tlsa-in-packaging-group-ktls-if-KTLS.patch
 ## upstream master
 upstream/pv_headers-compare-result-of-pvh_set_xavi-with-NULL-.patch
diff --git a/debian/patches/upstream/tls-Add-and-apply-tls_openssl_clear_errors-function.patch b/debian/patches/upstream/tls-Add-and-apply-tls_openssl_clear_errors-function.patch
new file mode 100644
index 000000000..b40b3ad4f
--- /dev/null
+++ b/debian/patches/upstream/tls-Add-and-apply-tls_openssl_clear_errors-function.patch
@@ -0,0 +1,165 @@
+From: Xenofon Karamanos
+Date: Thu, 19 Oct 2023 12:18:38 +0000
+Subject: tls: Add and apply tls_openssl_clear_errors function
+
+(cherry picked from commit 110ebbafadcc225f4e88749287f06ae29a6cfa2e)
+---
+ src/modules/tls/tls_ct_wrq.c | 3 +++
+ src/modules/tls/tls_server.c | 11 +++++++++++
+ src/modules/tls/tls_util.c | 15 +++++++++++++++
+ src/modules/tls/tls_util.h | 2 ++
+ 4 files changed, 31 insertions(+)
+
+diff --git a/src/modules/tls/tls_ct_wrq.c b/src/modules/tls/tls_ct_wrq.c
+index c3b6156..8850e54 100644
+--- a/src/modules/tls/tls_ct_wrq.c
++++ b/src/modules/tls/tls_ct_wrq.c
+@@ -103,6 +103,7 @@ static int ssl_flush(void* tcp_c, void* error, const void* buf, unsigned size)
+ if (unlikely(tls_c->state == S_TLS_CONNECTING)) {
+ n = tls_connect(tcp_c, &ssl_error);
+ if (unlikely(n>=1)) {
++ tls_openssl_clear_errors();
+ n = SSL_write(ssl, buf, size);
+ if (unlikely(n <= 0))
+ ssl_error = SSL_get_error(ssl, n);
+@@ -110,11 +111,13 @@ static int ssl_flush(void* tcp_c, void* error, const void* buf, unsigned size)
+ } else if (unlikely(tls_c->state == S_TLS_ACCEPTING)) {
+ n = tls_accept(tcp_c, &ssl_error);
+ if (unlikely(n>=1)) {
++ tls_openssl_clear_errors();
+ n = SSL_write(ssl, buf, size);
+ if (unlikely(n <= 0))
+ ssl_error = SSL_get_error(ssl, n);
+ }
+ } else {
++ tls_openssl_clear_errors();
+ n = SSL_write(ssl, buf, size);
+ if (unlikely(n <= 0))
+ ssl_error = SSL_get_error(ssl, n);
+diff --git a/src/modules/tls/tls_server.c b/src/modules/tls/tls_server.c
+index 5c039c9..cb66794 100644
+--- a/src/modules/tls/tls_server.c
++++ b/src/modules/tls/tls_server.c
+@@ -281,6 +281,7 @@ static int tls_complete_init(struct tcp_connection* c)
+ goto error;
+ }
+ memset(data, '\0', sizeof(struct tls_extra_data));
++ tls_openssl_clear_errors();
+ data->ssl = SSL_new(dom->ctx[process_no]);
+ data->rwbio = tls_BIO_new_mbuf(0, 0);
+ data->cfg = cfg;
+@@ -467,6 +468,7 @@ int tls_accept(struct tcp_connection *c, int* error)
+ if (pkey)
+ SSL_use_PrivateKey(ssl, pkey);
+ #endif
++ tls_openssl_clear_errors();
+ ret = SSL_accept(ssl);
+ if (unlikely(ret == 1)) {
+ DBG("TLS accept successful\n");
+@@ -539,6 +541,7 @@ int tls_connect(struct tcp_connection *c, int* error)
+ SSL_use_PrivateKey(ssl, pkey);
+ }
+ #endif
++ tls_openssl_clear_errors();
+ ret = SSL_connect(ssl);
+ if (unlikely(ret == 1)) {
+ DBG("TLS connect successful\n");
+@@ -603,6 +606,7 @@ static int tls_shutdown(struct tcp_connection *c)
+ goto err;
+ }
+
++ tls_openssl_clear_errors();
+ ret = SSL_shutdown(ssl);
+ if (ret == 1) {
+ DBG("TLS shutdown successful\n");
+@@ -698,6 +702,7 @@ void tls_h_tcpconn_clean_f(struct tcp_connection *c)
+ BUG("Bad connection structure\n");
+ abort();
+ }
++ tls_openssl_clear_errors();
+ if (c->extra_data) {
+ extra = (struct tls_extra_data*)c->extra_data;
+ SSL_free(extra->ssl);
+@@ -851,6 +856,7 @@ redo_wr:
+ n = tls_connect(c, &ssl_error);
+ TLS_WR_TRACE("(%p) tls_connect() => %d (err=%d)\n", c, n, ssl_error);
+ if (unlikely(n>=1)) {
++ tls_openssl_clear_errors();
+ n = SSL_write(ssl, buf + offs, len - offs);
+ if (unlikely(n <= 0))
+ ssl_error = SSL_get_error(ssl, n);
+@@ -864,6 +870,7 @@ redo_wr:
+ n = tls_accept(c, &ssl_error);
+ TLS_WR_TRACE("(%p) tls_accept() => %d (err=%d)\n", c, n, ssl_error);
+ if (unlikely(n>=1)) {
++ tls_openssl_clear_errors();
+ n = SSL_write(ssl, buf + offs, len - offs);
+ if (unlikely(n <= 0))
+ ssl_error = SSL_get_error(ssl, n);
+@@ -874,6 +881,7 @@ redo_wr:
+ err_src = "TLS accept:";
+ }
+ } else {
++ tls_openssl_clear_errors();
+ n = SSL_write(ssl, buf + offs, len - offs);
+ if (unlikely(n <= 0))
+ ssl_error = SSL_get_error(ssl, n);
+@@ -1161,6 +1169,7 @@ continue_ssl_read:
+ TLS_RD_TRACE("(%p, %p) tls_connect() => %d (err=%d)\n",
+ c, flags, n, ssl_error);
+ if (unlikely(n>=1)) {
++ tls_openssl_clear_errors();
+ n = SSL_read(ssl, r->pos, bytes_free);
+ } else {
+ /* tls_connect failed/needs more IO */
+@@ -1176,6 +1185,7 @@ continue_ssl_read:
+ TLS_RD_TRACE("(%p, %p) tls_accept() => %d (err=%d)\n",
+ c, flags, n, ssl_error);
+ if (unlikely(n>=1)) {
++ tls_openssl_clear_errors();
+ n = SSL_read(ssl, r->pos, bytes_free);
+ } else {
+ /* tls_accept failed/needs more IO */
+@@ -1189,6 +1199,7 @@ continue_ssl_read:
+ } else {
+ /* if bytes in then decrypt read buffer into tcpconn req.
+ * buffer */
++ tls_openssl_clear_errors();
+ n = SSL_read(ssl, r->pos, bytes_free);
+ }
+ /** handle SSL_read() return.
+diff --git a/src/modules/tls/tls_util.c b/src/modules/tls/tls_util.c
+index 4c976f3..1882666 100644
+--- a/src/modules/tls/tls_util.c
++++ b/src/modules/tls/tls_util.c
+@@ -97,3 +97,18 @@ void collect_garbage(void)
+ lock_release(tls_domains_cfg_lock);
+ }
+
++/*
++ * Get any leftover errors from OpenSSL and print them.
++ * ERR_get_error() also removes the error from the OpenSSL error stack.
++ * This is useful to call before any SSL_* IO calls to make sure
++ * we don't have any leftover errors from previous calls (OpenSSL docs).
++ */
++void tls_openssl_clear_errors(void)
++{
++ int i;
++ char err[160];
++ while((i = ERR_get_error())) {
++ ERR_error_string(i, err);
++ INFO("clearing leftover error before SSL_* calls: %s", err);
++ }
++}
+\ No newline at end of file
+diff --git a/src/modules/tls/tls_util.h b/src/modules/tls/tls_util.h
+index b1f488e..e92f164 100644
+--- a/src/modules/tls/tls_util.h
++++ b/src/modules/tls/tls_util.h
+@@ -83,4 +83,6 @@ int shm_asciiz_dup(char** dest, char* val);
+ */
+ void collect_garbage(void);
+
++void tls_openssl_clear_errors(void);
++
+ #endif /* _TLS_UTIL_H */
diff --git a/debian/patches/upstream/tls-include-file-to-fix-warning-about-tls_openssl_cl.patch b/debian/patches/upstream/tls-include-file-to-fix-warning-about-tls_openssl_cl.patch
new file mode 100644
index 000000000..944bb7659
--- /dev/null
+++ b/debian/patches/upstream/tls-include-file-to-fix-warning-about-tls_openssl_cl.patch
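Review bot: In the `tls_openssl_clear_errors` body added to tls_util.c (the `@@ -97,3 +97,18 @@` part of the vendored patch), `ERR_error_string(i, err)` writes into a 160-byte stack buffer, but OpenSSL documents that `ERR_error_string` needs a buffer of at least 256 bytes, so a long error text can overrun `err`; the bounded form `ERR_error_string_n(e, err, sizeof(err));` removes that risk. The loop variable is also declared `int` while `ERR_get_error()` returns `unsigned long`, so the packed error code can be truncated or sign-flipped before it is handed back to OpenSSL; `unsigned long e;` keeps it intact. The INFO message lacks the trailing newline that the neighbouring log calls in these hunks carry (`DBG("TLS accept successful\n")`), so `"clearing leftover error before SSL_* calls: %s\n"` would match the module's logging style. Since this file is a verbatim cherry-pick carried under debian/patches, these corrections belong in a follow-up patch in the series (and upstream) rather than in an edit of this file.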
@@ -0,0 +1,21 @@
+From: Daniel-Constantin Mierla
+Date: Fri, 20 Oct 2023 10:34:21 +0200
+Subject: tls: include file to fix warning about tls_openssl_clear_errors()
+
+(cherry picked from commit fe8eafd31327c14e7b081cd8f4a6532953e0a1c6)
+---
+ src/modules/tls/tls_ct_wrq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/modules/tls/tls_ct_wrq.c b/src/modules/tls/tls_ct_wrq.c
+index 8850e54..34b338e 100644
+--- a/src/modules/tls/tls_ct_wrq.c
++++ b/src/modules/tls/tls_ct_wrq.c
+@@ -28,6 +28,7 @@
+ #include "tls_ct_wrq.h"
+ #include "tls_cfg.h"
+ #include "tls_server.h"
++#include "tls_util.h"
+ #include "../../core/atomic_ops.h"
+ #include "../../core/mem/shm_mem.h"
+ #include