diff --git a/debian/patches/series b/debian/patches/series
index d7caaed47..3619e7c0c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -32,46 +32,7 @@ sipwise/sca-debug.patch
 sipwise/sca-fix-notify-after-bye.patch
 sipwise/sca-add-pai_avp-parameter.patch
 ## upstream 5.7
-upstream/core-add-infrastructure-to-run-functions-in-threads.patch
-upstream/outbound-init-libssl-in-a-thread.patch
-upstream/db_mysql-init-libssl-in-a-thread.patch
-upstream/db_postgres-init-libssl-in-a-thread.patch
-upstream/db_unixodbc-init-libssl-in-a-thread.patch
-upstream/db_mysql-backport-no-TLS-with-MariaDB-Connector-C.patch
-upstream/core-rthread.h-add-prototype-for-db-queries.patch
-upstream/db_unixodbc-handle-SSL-and-submit-query.patch
-upstream/db_mysql-handle-SSL-and-submit-query.patch
-upstream/db_postgres-handle-SSL-and-submit-query.patch
-upstream/core-rthreads.h-use-thread-wrappers-only-for-process.patch
-upstream/core-rthreads.h-thread-wrapper-for-db_XXXX_query.patch
-upstream/db_postgres-libssl-thread-guard-for-db_postgres_clos.patch
-upstream/db_unixodbc-libssl-thread-guards-for-db_unixodbc_-cl.patch
-upstream/db_mysql-libssl-thread-guard-for-db_mysql_close.patch
-upstream/core-added-tls_threads_mode-global-parameter.patch
-upstream/core-rthreads.h-use-global-ksr_tls_threads_mode-to-c.patch
-upstream/tls-restore-default-to-bypass-thread-guards.patch
-upstream/tls-restore-some-function-calls-in-non-threaded-mode.patch
-upstream/tls-add-logging.patch
-upstream/tls-raise-logging-level-of-early-messages-in-mod_reg.patch
-upstream/db_mysql-new-module-param-opt_ssl_ca-to-configure-CA.patch
-upstream/db_mysql-update-docs-for-opt_ssl_ca.patch
-upstream/db_mysql-libssl-thread-guard-for-db_mysql_query-and-.patch
-upstream/tls-restore-early-init-for-other-modules-that-use-TL.patch
-upstream/tls-fix-restore-early-init.patch
-upstream/core-rthreads.h-add-thread-executor-for-curl_global_.patch
-upstream/http_async_client-libssl-thread-executor-for-curl_gl.patch
-upstream/http_client-libssl-thread-executor-for-curl_global_i.patch
-upstream/xcap_client-libssl-thread-executor-for-curl_global_i.patch
-upstream/http_async_client-libssl-refactor-thread-executors-f.patch
-upstream/tls-fix-OpenSSL-1.1.1-engine-keys.patch
-upstream/tls-make-explicit-ENGINE-deprecation-in-OpenSSL-3.patch
-upstream/tls-clean-up-of-ENGINE.patch
-upstream/tlsa-removed-the-map-files-used-in-the-past-for-tls-.patch
-upstream/tls-remove-unused-ENGINE-define.patch
-upstream/tls-basic-OpenSSL-3-support-of-provider-keys-replace.patch
-upstream/core-rthreads.h-add-new-option-tls_threads_mode-2.patch
-upstream/tls-new-option-tls_threads_mode-2.patch
-upstream/tls-NULL-safety-check.patch
+# ## upstream master
 sipwise/pv_headers-rework-pvh_remove_header_param-take-two.patch
 upstream/pv_headers-compare-result-of-pvh_set_xavi-with-NULL-.patch
diff --git a/debian/patches/upstream/core-add-infrastructure-to-run-functions-in-threads.patch b/debian/patches/upstream/core-add-infrastructure-to-run-functions-in-threads.patch
deleted file mode 100644
index c2d949191..000000000
--- a/debian/patches/upstream/core-add-infrastructure-to-run-functions-in-threads.patch
+++ /dev/null
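Review bot: After this hunk the `## upstream 5.7` heading in debian/patches/series is left with nothing beneath it, because all forty `upstream/*.patch` entries of that section — the libssl thread-executor and `tls_threads_mode` backports, the OpenSSL 3 ENGINE/provider-key changes, the db_mysql `opt_ssl_ca` parameter and `upstream/tls-NULL-safety-check.patch` — are dropped; the heading should either go with them or carry a one-line comment recording why, e.g. `## upstream 5.7 (backports dropped: <reason placeholder>)`. The single added line is collapsed together with the following `## upstream master` heading, so from here it cannot be told whether it is a separator `#` or a commented-out heading; if it is the latter, the two `pv_headers` patches that stay active would sit under a heading that reads as disabled, which is worth a second look. The commit message is not in view, so whether the removed TLS/libssl fixes are now carried by the packaged base version or are being intentionally reverted is unknown to me; a sentence to that effect in the series comment would let the next packager verify it without re-reading the deleted patches.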
@@ -1,116 +0,0 @@ -From: S-P Chan -Date: Thu, 1 Feb 2024 10:03:47 +0800 -Subject: core: add infrastructure to run functions in threads - -(cherry-pick from f8909163c47c8776d23373fad688586f02d31e67) ---- - src/core/rthreads.h | 100 ++++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 100 insertions(+) - create mode 100644 src/core/rthreads.h - -diff --git a/src/core/rthreads.h b/src/core/rthreads.h -new file mode 100644 -index 0000000..a5ad767 ---- /dev/null -+++ b/src/core/rthreads.h -@@ -0,0 +1,100 @@ -+/* -+ * Copyright (C) 2024 Chan Shih-Ping -+ * -+ * This file is part of Kamailio, a free SIP server. -+ * -+ * Permission to use, copy, modify, and distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+/* -+ * A set of helpers to run functions in threads. -+ * -+ * This is not a thread pool implementation - -+ * - it runs functions in a run-once thread to avoid -+ * creating thread-locals in the calling thread. -+ * -+ * Primary use case: to init libssl in a separate thread -+ */ -+#include -+ -+/* -+ * prototype: void *fn(void *arg) { ... 
} -+ */ -+typedef void *(*_thread_proto)(void *); -+ -+#ifndef KSR_RTHREAD_SKIP_P -+static void *run_threadP(_thread_proto fn, void *arg) -+{ -+ pthread_t tid; -+ void *ret; -+ -+ pthread_create(&tid, NULL, fn, arg); -+ pthread_join(tid, &ret); -+ -+ return ret; -+} -+#endif -+ -+/* -+ * prototype: void *fn(void *arg1, int arg2) { ... } -+ */ -+#ifdef KSR_RTHREAD_NEED_PI -+typedef void *(*_thread_protoPI)(void *, int); -+struct _thread_argsPI -+{ -+ _thread_protoPI fn; -+ void *tptr; -+ int tint; -+}; -+static void *run_thread_wrapPI(struct _thread_argsPI *args) -+{ -+ return (*args->fn)(args->tptr, args->tint); -+} -+ -+static void *run_threadPI(_thread_protoPI fn, void *arg1, int arg2) -+{ -+ pthread_t tid; -+ void *ret; -+ -+ pthread_create(&tid, NULL, (_thread_proto)&run_thread_wrapPI, -+ &(struct _thread_argsPI){fn, arg1, arg2}); -+ pthread_join(tid, &ret); -+ -+ return ret; -+} -+#endif -+ -+/* -+ * prototype: void fn(void) { ... } -+ */ -+#ifdef KSR_RTHREAD_NEED_V -+typedef void (*_thread_protoV)(void); -+struct _thread_argsV -+{ -+ _thread_protoV fn; -+}; -+static void *run_thread_wrapV(struct _thread_argsV *args) -+{ -+ (*args->fn)(); -+ return NULL; -+} -+ -+static void run_threadV(_thread_protoV fn) -+{ -+ pthread_t tid; -+ -+ pthread_create(&tid, NULL, (_thread_proto)run_thread_wrapV, -+ &(struct _thread_argsV){fn}); -+ pthread_join(tid, NULL); -+} -+#endif diff --git a/debian/patches/upstream/core-added-tls_threads_mode-global-parameter.patch b/debian/patches/upstream/core-added-tls_threads_mode-global-parameter.patch deleted file mode 100644 index 8ca86bf87..000000000 --- a/debian/patches/upstream/core-added-tls_threads_mode-global-parameter.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -From: Daniel-Constantin Mierla -Date: Tue, 6 Feb 2024 14:24:08 +0100 -Subject: core: added tls_threads_mode global parameter - -- control how to execute functions that may be using libssl3 behind ---- - src/core/cfg.lex | 2 ++ - src/core/cfg.y | 9 +++++++++ - src/core/globals.h | 1 + - src/main.c | 5 +++-- - 4 files changed, 15 insertions(+), 2 deletions(-) - -diff --git a/src/core/cfg.lex b/src/core/cfg.lex -index 82278d5..d342aa5 100644 ---- a/src/core/cfg.lex -+++ b/src/core/cfg.lex -@@ -439,6 +439,7 @@ TCP_WAIT_DATA "tcp_wait_data" - TCP_SCRIPT_MODE "tcp_script_mode" - DISABLE_TLS "disable_tls"|"tls_disable" - ENABLE_TLS "enable_tls"|"tls_enable" -+TLS_THREADS_MODE "tls_threads_mode" - TLSLOG "tlslog"|"tls_log" - TLS_PORT_NO "tls_port_no" - TLS_METHOD "tls_method" -@@ -953,6 +954,7 @@ IMPORTFILE "import_file" - {TCP_SCRIPT_MODE} { count(); yylval.strval=yytext; return TCP_SCRIPT_MODE; } - {DISABLE_TLS} { count(); yylval.strval=yytext; return DISABLE_TLS; } - {ENABLE_TLS} { count(); yylval.strval=yytext; return ENABLE_TLS; } -+{TLS_THREADS_MODE} { count(); yylval.strval=yytext; return TLS_THREADS_MODE; } - {TLSLOG} { count(); yylval.strval=yytext; return TLS_PORT_NO; } - {TLS_PORT_NO} { count(); yylval.strval=yytext; return TLS_PORT_NO; } - {TLS_METHOD} { count(); yylval.strval=yytext; return TLS_METHOD; } -diff --git a/src/core/cfg.y b/src/core/cfg.y -index 1f2ad7f..412fe5d 100644 ---- a/src/core/cfg.y -+++ b/src/core/cfg.y -@@ -469,6 +469,7 @@ extern char *default_routename; - %token TCP_SCRIPT_MODE - %token DISABLE_TLS - %token ENABLE_TLS -+%token TLS_THREADS_MODE - %token TLSLOG - %token TLS_PORT_NO - %token TLS_METHOD -@@ -1440,6 +1441,14 @@ assign_stm: - #endif - } - | ENABLE_TLS EQUAL error { yyerror("boolean value expected"); } -+ | TLS_THREADS_MODE EQUAL NUMBER { -+ #ifdef USE_TLS -+ ksr_tls_threads_mode = $3; -+ #else -+ warn("tls support not compiled in"); -+ #endif -+ } -+ | TLS_THREADS_MODE EQUAL error { yyerror("int value 
expected"); } - | TLSLOG EQUAL NUMBER { - #ifdef CORE_TLS - tls_log=$3; -diff --git a/src/core/globals.h b/src/core/globals.h -index 207205c..0487a31 100644 ---- a/src/core/globals.h -+++ b/src/core/globals.h -@@ -108,6 +108,7 @@ extern int ksr_tcp_script_mode; - #ifdef USE_TLS - extern int tls_disable; - extern unsigned short tls_port_no; -+extern int ksr_tls_threads_mode; - #endif - #ifdef USE_SCTP - extern int sctp_disable; -diff --git a/src/main.c b/src/main.c -index 8e34285..f7cb643 100644 ---- a/src/main.c -+++ b/src/main.c -@@ -326,8 +326,9 @@ int tcp_disable = 0; /* 1 if tcp is disabled */ - int tls_disable = 0; /* tls enabled by default */ - #else - int tls_disable = 1; /* tls disabled by default */ --#endif /* CORE_TLS */ --#endif /* USE_TLS */ -+#endif /* CORE_TLS */ -+int ksr_tls_threads_mode = 0; /* threads execution mode for tls with libssl */ -+#endif /* USE_TLS */ - #ifdef USE_SCTP - int sctp_children_no = 0; - int sctp_disable = 2; /* 1 if sctp is disabled, 2 if auto mode, 0 enabled */ diff --git a/debian/patches/upstream/core-rthread.h-add-prototype-for-db-queries.patch b/debian/patches/upstream/core-rthread.h-add-prototype-for-db-queries.patch deleted file mode 100644 index 62ce85a5d..000000000 --- a/debian/patches/upstream/core-rthread.h-add-prototype-for-db-queries.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -From: S-P Chan -Date: Tue, 6 Feb 2024 00:22:52 +0800 -Subject: core/rthread.h: add prototype for db queries - -(cherry-pick from ba921b2112e87625fba5789d1b049161bb611073) ---- - src/core/rthreads.h | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 57 insertions(+) - -diff --git a/src/core/rthreads.h b/src/core/rthreads.h -index a5ad767..a416ad2 100644 ---- a/src/core/rthreads.h -+++ b/src/core/rthreads.h -@@ -98,3 +98,60 @@ static void run_threadV(_thread_protoV fn) - pthread_join(tid, NULL); - } - #endif -+ -+/* -+ * prototype: int fn(void *, void *) { ... } -+ */ -+#ifdef KSR_RTHREAD_NEED_4PP -+typedef int (*_thread_proto4PP)(void *, void *); -+struct _thread_args4PP -+{ -+ _thread_proto4PP fn; -+ void *arg1; -+ void *arg2; -+ int *ret; -+}; -+static void *run_thread_wrap4PP(struct _thread_args4PP *args) -+{ -+ *args->ret = (*args->fn)(args->arg1, args->arg2); -+ return NULL; -+} -+ -+static int run_thread4PP(_thread_proto4PP fn, void *arg1, void *arg2) -+{ -+ pthread_t tid; -+ int ret; -+ -+ pthread_create(&tid, NULL, (_thread_proto)run_thread_wrap4PP, -+ &(struct _thread_args4PP){fn, arg1, arg2, &ret}); -+ pthread_join(tid, NULL); -+ -+ return ret; -+} -+#endif -+ -+/* -+ * prototype: void fn(void *) { ... } -+ */ -+#ifdef KSR_RTHREAD_NEED_0P -+typedef void (*_thread_proto0P)(void *); -+struct _thread_args0P -+{ -+ _thread_proto0P fn; -+ void *arg1; -+}; -+static void *run_thread_wrap0P(struct _thread_args0P *args) -+{ -+ (*args->fn)(args->arg1); -+ return NULL; -+} -+ -+static void run_thread0P(_thread_proto0P fn, void *arg1) -+{ -+ pthread_t tid; -+ -+ pthread_create(&tid, NULL, (_thread_proto)run_thread_wrap0P, -+ &(struct _thread_args0P){fn, arg1}); -+ pthread_join(tid, NULL); -+} -+#endif diff --git a/debian/patches/upstream/core-rthreads.h-add-new-option-tls_threads_mode-2.patch b/debian/patches/upstream/core-rthreads.h-add-new-option-tls_threads_mode-2.patch deleted file mode 100644 index 2bd4b5631..000000000 
--- a/debian/patches/upstream/core-rthreads.h-add-new-option-tls_threads_mode-2.patch
+++ /dev/null
@@ -1,84 +0,0 @@ -From: S-P Chan -Date: Mon, 4 Mar 2024 21:49:10 +0800 -Subject: core/rthreads.h: add new option tls_threads_mode = 2 - -- add global handling of thread-locals with - tls_threads_mode = 2 -- this will run a pthread_atfork handler to reset - all thread-locals to 0x0 -- alternative solution to running functions - in thread executors -- requires tls.so to be loaded to be effective - -(cherry picked from commit e7f040f219b46592081a6053b4ed1ae0d0552b1a) ---- - src/core/rthreads.h | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/src/core/rthreads.h b/src/core/rthreads.h -index 0f4f0cf..6fee4d0 100644 ---- a/src/core/rthreads.h -+++ b/src/core/rthreads.h -@@ -40,7 +40,7 @@ static void *run_threadP(_thread_proto fn, void *arg) - pthread_t tid; - void *ret; - -- if(likely(ksr_tls_threads_mode == 0 -+ if(likely(ksr_tls_threads_mode == 0 || ksr_tls_threads_mode == 2 - || (ksr_tls_threads_mode == 1 && process_no > 0))) { - return fn(arg); - } -@@ -77,7 +77,7 @@ static void *run_threadPI(_thread_protoPI fn, void *arg1, int arg2) - pthread_t tid; - void *ret; - -- if(likely(ksr_tls_threads_mode == 0 -+ if(likely(ksr_tls_threads_mode == 0 || ksr_tls_threads_mode == 2 - || (ksr_tls_threads_mode == 1 && process_no > 0))) { - return fn(arg1, arg2); - } -@@ -113,7 +113,7 @@ static void run_threadV(_thread_protoV fn) - #ifdef USE_TLS - pthread_t tid; - -- if(likely(ksr_tls_threads_mode == 0 -+ if(likely(ksr_tls_threads_mode == 0 || ksr_tls_threads_mode == 2 - || (ksr_tls_threads_mode == 1 && process_no > 0))) { - fn(); - return; -@@ -152,7 +152,7 @@ static int run_thread4PP(_thread_proto4PP fn, void *arg1, void *arg2) - pthread_t tid; - int ret; - -- if(likely(ksr_tls_threads_mode == 0 -+ if(likely(ksr_tls_threads_mode == 0 || ksr_tls_threads_mode == 2 - || (ksr_tls_threads_mode == 1 && process_no > 0))) { - return fn(arg1, arg2); - } -@@ -188,7 +188,7 @@ static void run_thread0P(_thread_proto0P fn, void *arg1) - #ifdef USE_TLS - 
pthread_t tid; - -- if(likely(ksr_tls_threads_mode == 0 -+ if(likely(ksr_tls_threads_mode == 0 || ksr_tls_threads_mode == 2 - || (ksr_tls_threads_mode == 1 && process_no > 0))) { - fn(arg1); - return; -@@ -240,7 +240,7 @@ static int run_thread4P5I2P2(_thread_proto4P5I2P2 fn, void *arg1, void *arg2, - pthread_t tid; - int ret; - -- if(likely(ksr_tls_threads_mode == 0 -+ if(likely(ksr_tls_threads_mode == 0 || ksr_tls_threads_mode == 2 - || (ksr_tls_threads_mode == 1 && process_no > 0))) { - return fn(arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9); - } -@@ -278,7 +278,7 @@ static int run_thread4L(_thread_proto4L fn, long arg1) - pthread_t tid; - int ret; - -- if(likely(ksr_tls_threads_mode == 0 -+ if(likely(ksr_tls_threads_mode == 0 || ksr_tls_threads_mode == 2 - || (ksr_tls_threads_mode == 1 && process_no > 0))) { - return fn(arg1); - } diff --git a/debian/patches/upstream/core-rthreads.h-add-thread-executor-for-curl_global_.patch b/debian/patches/upstream/core-rthreads.h-add-thread-executor-for-curl_global_.patch deleted file mode 100644 index 78fbd28af..000000000 --- a/debian/patches/upstream/core-rthreads.h-add-thread-executor-for-curl_global_.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From: S-P Chan -Date: Tue, 27 Feb 2024 05:00:35 +0800 -Subject: core/rthreads.h: add thread executor for curl_global_init() - -Cherry-pick from db05449932 ---- - src/core/rthreads.h | 38 ++++++++++++++++++++++++++++++++++++++ - 1 file changed, 38 insertions(+) - -diff --git a/src/core/rthreads.h b/src/core/rthreads.h -index e96f45c..0f4f0cf 100644 ---- a/src/core/rthreads.h -+++ b/src/core/rthreads.h -@@ -254,3 +254,41 @@ static int run_thread4P5I2P2(_thread_proto4P5I2P2 fn, void *arg1, void *arg2, - #endif - } - #endif -+ -+/* -+ * prototype: CURLcode curl_global_init(long flags) { ... } -+ */ -+#ifdef KSR_RTHREAD_NEED_4L -+typedef int (*_thread_proto4L)(long); -+struct _thread_args4L -+{ -+ _thread_proto4L fn; -+ long arg1; -+ int *ret; -+}; -+static void *run_thread_wrap4L(struct _thread_args4L *args) -+{ -+ *args->ret = (*args->fn)(args->arg1); -+ return NULL; -+} -+ -+static int run_thread4L(_thread_proto4L fn, long arg1) -+{ -+#ifdef USE_TLS -+ pthread_t tid; -+ int ret; -+ -+ if(likely(ksr_tls_threads_mode == 0 -+ || (ksr_tls_threads_mode == 1 && process_no > 0))) { -+ return fn(arg1); -+ } -+ pthread_create(&tid, NULL, (_thread_proto)run_thread_wrap4L, -+ &(struct _thread_args4L){fn, arg1, &ret}); -+ pthread_join(tid, NULL); -+ -+ return ret; -+#else -+ return fn(arg1) -+#endif -+} -+#endif diff --git a/debian/patches/upstream/core-rthreads.h-thread-wrapper-for-db_XXXX_query.patch b/debian/patches/upstream/core-rthreads.h-thread-wrapper-for-db_XXXX_query.patch deleted file mode 100644 index b0e8d63fa..000000000 --- a/debian/patches/upstream/core-rthreads.h-thread-wrapper-for-db_XXXX_query.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From: S-P Chan -Date: Thu, 8 Feb 2024 07:30:48 +0800 -Subject: core/rthreads.h: thread wrapper for db_XXXX_query - ---- - src/core/rthreads.h | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 52 insertions(+) - -diff --git a/src/core/rthreads.h b/src/core/rthreads.h -index add3426..fa60cce 100644 ---- a/src/core/rthreads.h -+++ b/src/core/rthreads.h -@@ -195,3 +195,55 @@ static void run_thread0P(_thread_proto0P fn, void *arg1) - #endif /* USE_TLS */ - } - #endif -+ -+/* -+ * prototype: -+ * db_unixodbc_query(const db1_con_t *_h, const db_key_t *_k, -+ * const db_op_t *_op, const db_val_t *_v, const db_key_t *_c, -+ * const int _n, const int _nc, const db_key_t _o, db1_res_t **_r) -+ */ -+#ifdef KSR_RTHREAD_NEED_4P5I2P2 -+typedef int (*_thread_proto4P5I2P2)( -+ void *, void *, void *, void *, void *, int, int, void *, void *); -+struct _thread_args4P5I2P2 -+{ -+ _thread_proto4P5I2P2 fn; -+ void *arg1; -+ void *arg2; -+ void *arg3; -+ void *arg4; -+ void *arg5; -+ int arg6; -+ int arg7; -+ void *arg8; -+ void *arg9; -+ int *ret; -+}; -+static void *run_thread_wrap4P5I2P2(struct _thread_args4P5I2P2 *args) -+{ -+ *args->ret = (*args->fn)(args->arg1, args->arg2, args->arg3, args->arg4, -+ args->arg5, args->arg6, args->arg7, args->arg8, args->arg9); -+ return NULL; -+} -+ -+static int run_thread4P5I2P2(_thread_proto4P5I2P2 fn, void *arg1, void *arg2, -+ void *arg3, void *arg4, void *arg5, int arg6, int arg7, void *arg8, -+ void *arg9) -+{ -+#ifdef USE_TLS -+ pthread_t tid; -+ int ret; -+ -+ if(likely(process_no)) { -+ return fn(arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9); -+ } -+ pthread_create(&tid, NULL, (_thread_proto)run_thread_wrap4P5I2P2, -+ &(struct _thread_args4P5I2P2){fn, arg1, arg2, arg3, arg4, arg5, -+ arg6, arg7, arg8, arg9, &ret}); -+ pthread_join(tid, NULL); -+ return ret; -+#else -+ return fn(arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9); -+#endif -+} -+#endif 
diff --git a/debian/patches/upstream/core-rthreads.h-use-global-ksr_tls_threads_mode-to-c.patch b/debian/patches/upstream/core-rthreads.h-use-global-ksr_tls_threads_mode-to-c.patch
deleted file mode 100644
index 6f90ab4b0..000000000
--- a/debian/patches/upstream/core-rthreads.h-use-global-ksr_tls_threads_mode-to-c.patch
+++ /dev/null
@@ -1,125 +0,0 @@ -From: S-P Chan -Date: Sun, 11 Feb 2024 12:05:53 +0800 -Subject: core/rthreads.h: use global ksr_tls_threads_mode to constrain thread - wrapping - -- 0: run wrapped function directly -- 1: run wrapped function in thread for process#0 else run directly -- 2: always run wrapped function in thread ---- - src/core/rthreads.h | 33 ++++++++++++++++++++------------- - 1 file changed, 20 insertions(+), 13 deletions(-) - -diff --git a/src/core/rthreads.h b/src/core/rthreads.h -index fa60cce..e96f45c 100644 ---- a/src/core/rthreads.h -+++ b/src/core/rthreads.h -@@ -27,6 +27,7 @@ - */ - #include - -+#include "./globals.h" - /* - * prototype: void *fn(void *arg) { ... } - */ -@@ -39,9 +40,11 @@ static void *run_threadP(_thread_proto fn, void *arg) - pthread_t tid; - void *ret; - -- if(likely(process_no)) { -+ if(likely(ksr_tls_threads_mode == 0 -+ || (ksr_tls_threads_mode == 1 && process_no > 0))) { - return fn(arg); - } -+ - pthread_create(&tid, NULL, fn, arg); - pthread_join(tid, &ret); - -@@ -73,7 +76,9 @@ static void *run_threadPI(_thread_protoPI fn, void *arg1, int arg2) - #ifdef USE_TLS - pthread_t tid; - void *ret; -- if(likely(process_no)) { -+ -+ if(likely(ksr_tls_threads_mode == 0 -+ || (ksr_tls_threads_mode == 1 && process_no > 0))) { - return fn(arg1, arg2); - } - -@@ -84,7 +89,7 @@ static void *run_threadPI(_thread_protoPI fn, void *arg1, int arg2) - return ret; - #else - return fn(arg1, arg2); --#endif /* USE_TLS */ -+#endif - } - #endif - -@@ -107,18 +112,19 @@ static void run_threadV(_thread_protoV fn) - { - #ifdef USE_TLS - pthread_t tid; -- if(likely(process_no)) { -+ -+ if(likely(ksr_tls_threads_mode == 0 -+ || (ksr_tls_threads_mode == 1 && process_no > 0))) { - fn(); - return; - } - -- - pthread_create(&tid, NULL, (_thread_proto)run_thread_wrapV, - &(struct _thread_argsV){fn}); - pthread_join(tid, NULL); - #else - fn(); --#endif /* USE_TLS */ -+#endif - } - #endif - -@@ -146,10 +152,10 @@ static int run_thread4PP(_thread_proto4PP fn, void 
*arg1, void *arg2) - pthread_t tid; - int ret; - -- if(likely(process_no)) { -+ if(likely(ksr_tls_threads_mode == 0 -+ || (ksr_tls_threads_mode == 1 && process_no > 0))) { - return fn(arg1, arg2); - } -- - pthread_create(&tid, NULL, (_thread_proto)run_thread_wrap4PP, - &(struct _thread_args4PP){fn, arg1, arg2, &ret}); - pthread_join(tid, NULL); -@@ -182,17 +188,17 @@ static void run_thread0P(_thread_proto0P fn, void *arg1) - #ifdef USE_TLS - pthread_t tid; - -- if(likely(process_no)) { -+ if(likely(ksr_tls_threads_mode == 0 -+ || (ksr_tls_threads_mode == 1 && process_no > 0))) { - fn(arg1); - return; - } -- - pthread_create(&tid, NULL, (_thread_proto)run_thread_wrap0P, - &(struct _thread_args0P){fn, arg1}); - pthread_join(tid, NULL); - #else -- fn(arg1); --#endif /* USE_TLS */ -+ fn(arg1) -+#endif - } - #endif - -@@ -234,7 +240,8 @@ static int run_thread4P5I2P2(_thread_proto4P5I2P2 fn, void *arg1, void *arg2, - pthread_t tid; - int ret; - -- if(likely(process_no)) { -+ if(likely(ksr_tls_threads_mode == 0 -+ || (ksr_tls_threads_mode == 1 && process_no > 0))) { - return fn(arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9); - } - pthread_create(&tid, NULL, (_thread_proto)run_thread_wrap4P5I2P2, diff --git a/debian/patches/upstream/core-rthreads.h-use-thread-wrappers-only-for-process.patch b/debian/patches/upstream/core-rthreads.h-use-thread-wrappers-only-for-process.patch deleted file mode 100644 index 00f2d86fc..000000000 --- a/debian/patches/upstream/core-rthreads.h-use-thread-wrappers-only-for-process.patch +++ /dev/null 
@@ -1,122 +0,0 @@ -From: S-P Chan -Date: Tue, 6 Feb 2024 19:31:49 +0800 -Subject: core/rthreads.h: use thread wrappers only for process#0 - -- for process#0 use threads to avoid initializing libssl thread-locals in thread#1 -- for process_no > 0 revert to standard behaviour and reduce - overhead of creating threads ---- - src/core/rthreads.h | 40 ++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 40 insertions(+) - -diff --git a/src/core/rthreads.h b/src/core/rthreads.h -index a416ad2..add3426 100644 ---- a/src/core/rthreads.h -+++ b/src/core/rthreads.h -@@ -35,13 +35,20 @@ typedef void *(*_thread_proto)(void *); - #ifndef KSR_RTHREAD_SKIP_P - static void *run_threadP(_thread_proto fn, void *arg) - { -+#ifdef USE_TLS - pthread_t tid; - void *ret; - -+ if(likely(process_no)) { -+ return fn(arg); -+ } - pthread_create(&tid, NULL, fn, arg); - pthread_join(tid, &ret); - - return ret; -+#else -+ return fn(arg); -+#endif /* USE_TLS */ - } - #endif - -@@ -63,14 +70,21 @@ static void *run_thread_wrapPI(struct _thread_argsPI *args) - - static void *run_threadPI(_thread_protoPI fn, void *arg1, int arg2) - { -+#ifdef USE_TLS - pthread_t tid; - void *ret; -+ if(likely(process_no)) { -+ return fn(arg1, arg2); -+ } - - pthread_create(&tid, NULL, (_thread_proto)&run_thread_wrapPI, - &(struct _thread_argsPI){fn, arg1, arg2}); - pthread_join(tid, &ret); - - return ret; -+#else -+ return fn(arg1, arg2); -+#endif /* USE_TLS */ - } - #endif - -@@ -91,11 +105,20 @@ static void *run_thread_wrapV(struct _thread_argsV *args) - - static void run_threadV(_thread_protoV fn) - { -+#ifdef USE_TLS - pthread_t tid; -+ if(likely(process_no)) { -+ fn(); -+ return; -+ } -+ - - pthread_create(&tid, NULL, (_thread_proto)run_thread_wrapV, - &(struct _thread_argsV){fn}); - pthread_join(tid, NULL); -+#else -+ fn(); -+#endif /* USE_TLS */ - } - #endif - -@@ -119,14 +142,22 @@ static void *run_thread_wrap4PP(struct _thread_args4PP *args) - - static int run_thread4PP(_thread_proto4PP fn, void 
*arg1, void *arg2) - { -+#ifdef USE_TLS - pthread_t tid; - int ret; - -+ if(likely(process_no)) { -+ return fn(arg1, arg2); -+ } -+ - pthread_create(&tid, NULL, (_thread_proto)run_thread_wrap4PP, - &(struct _thread_args4PP){fn, arg1, arg2, &ret}); - pthread_join(tid, NULL); - - return ret; -+#else -+ return fn(arg1, arg2); -+#endif - } - #endif - -@@ -148,10 +179,19 @@ static void *run_thread_wrap0P(struct _thread_args0P *args) - - static void run_thread0P(_thread_proto0P fn, void *arg1) - { -+#ifdef USE_TLS - pthread_t tid; - -+ if(likely(process_no)) { -+ fn(arg1); -+ return; -+ } -+ - pthread_create(&tid, NULL, (_thread_proto)run_thread_wrap0P, - &(struct _thread_args0P){fn, arg1}); - pthread_join(tid, NULL); -+#else -+ fn(arg1); -+#endif /* USE_TLS */ - } - #endif diff --git a/debian/patches/upstream/db_mysql-backport-no-TLS-with-MariaDB-Connector-C.patch b/debian/patches/upstream/db_mysql-backport-no-TLS-with-MariaDB-Connector-C.patch deleted file mode 100644 index 683f7ee7e..000000000 --- a/debian/patches/upstream/db_mysql-backport-no-TLS-with-MariaDB-Connector-C.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From: S-P Chan -Date: Tue, 30 Jan 2024 16:49:32 +0800 -Subject: db_mysql: backport - no TLS with MariaDB Connector/C - -- GH #3735 -- includes compilation and stretch fixes -- emulate SSL_MODE_XXX from MySQL -- opt_ssl_mode: - - 0|1(off) - - 2|3|4(MYSQL_OPT_SSL_ENFORCE) - - 5(MYSQL_OPT_SSL_VERIFY_SERVER_CERT) ---- - src/modules/db_mysql/km_my_con.c | 34 ++++++++++++++++++++++++++++++++-- - 1 file changed, 32 insertions(+), 2 deletions(-) - -diff --git a/src/modules/db_mysql/km_my_con.c b/src/modules/db_mysql/km_my_con.c -index d3f5710..b4c4dca 100644 ---- a/src/modules/db_mysql/km_my_con.c -+++ b/src/modules/db_mysql/km_my_con.c -@@ -116,7 +116,36 @@ struct my_con *db_mysql_new_connection(const struct db_id *id) - (const void *)&db_mysql_timeout_interval); - mysql_options(ptr->con, MYSQL_OPT_WRITE_TIMEOUT, - (const void *)&db_mysql_timeout_interval); --#if MYSQL_VERSION_ID > 50710 && !defined(MARIADB_BASE_VERSION) -+ -+#ifdef MARIADB_BASE_VERSION -+ /* -+ * emulate SSL_MODE_XXXX from MySQL -+ */ -+ -+ switch(db_mysql_opt_ssl_mode) { -+ case 0: /* opt_ssl_mode = 0(off) */ -+ case 1: /* SSL_MODE_DISABLED */ -+ break; -+ case 2: /* SSL_MODE_PREFERRED */ -+ case 3: /* SSL_MODE_REQUIRED */ -+ case 4: /* SSL_MODE_VERIFY_CA */ -+#if MYSQL_VERSION_ID >= 100339 -+ mysql_options(ptr->con, MYSQL_OPT_SSL_ENFORCE, (void *)&(int){1}); -+#else -+ LM_WARN("ssl mode not supported by %s\n", MARIADB_BASE_VERSION); -+#endif -+ break; -+ case 5: /* SSL_MODE_VERIFY_IDENTITY */ -+ mysql_options(ptr->con, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, -+ (void *)&(int){1}); -+ break; -+ default: -+ LM_WARN("opt_ssl_mode = %d not supported by MariaDB Connector/C\n", -+ db_mysql_opt_ssl_mode); -+ break; -+ } -+#else -+#if MYSQL_VERSION_ID > 50710 - if(db_mysql_opt_ssl_mode != 0) { - unsigned int optuint = 0; - if(db_mysql_opt_ssl_mode == 1) { -@@ -136,7 +165,8 @@ struct my_con *db_mysql_new_connection(const struct db_id *id) - "ignoring\n", - (unsigned int)db_mysql_opt_ssl_mode); - } 
--#endif -+#endif /* MYSQL_VERSION_ID */ -+#endif /* MARIADB_BASE_VERSION */ - - #if MYSQL_VERSION_ID > 50012 - /* set reconnect flag if enabled */ diff --git a/debian/patches/upstream/db_mysql-handle-SSL-and-submit-query.patch b/debian/patches/upstream/db_mysql-handle-SSL-and-submit-query.patch deleted file mode 100644 index 471d31ed7..000000000 --- a/debian/patches/upstream/db_mysql-handle-SSL-and-submit-query.patch +++ /dev/null @@ -1,43 +0,0 @@ -From: S-P Chan -Date: Tue, 6 Feb 2024 00:29:41 +0800 -Subject: db_mysql: handle SSL and submit query - -(cherry-pick from 51d9f92eca3ef1044052581c9438af6e643652a1) ---- - src/modules/db_mysql/km_dbase.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/modules/db_mysql/km_dbase.c b/src/modules/db_mysql/km_dbase.c -index 9cd238b..e86e4a0 100644 ---- a/src/modules/db_mysql/km_dbase.c -+++ b/src/modules/db_mysql/km_dbase.c -@@ -38,6 +38,8 @@ - #include "../../core/mem/mem.h" - #include "../../core/dprint.h" - #include "../../core/async_task.h" -+ -+#define KSR_RTHREAD_NEED_4PP - #include "../../core/rthreads.h" - #include "../../lib/srdb1/db_query.h" - #include "../../lib/srdb1/db_ut.h" -@@ -67,7 +69,7 @@ static char *mysql_sql_buf; - * \param _s executed query - * \return zero on success, negative value on failure - */ --static int db_mysql_submit_query(const db1_con_t *_h, const str *_s) -+static int db_mysql_submit_query_impl(const db1_con_t *_h, const str *_s) - { - time_t t; - int i, code; -@@ -128,6 +130,11 @@ static int db_mysql_submit_query(const db1_con_t *_h, const str *_s) - } - - -+static int db_mysql_submit_query(const db1_con_t *_h, const str *_s) -+{ -+ return run_thread4PP((_thread_proto4PP)db_mysql_submit_query_impl, -+ (void *)_h, (void *)_s); -+} - /** - * - */ diff --git a/debian/patches/upstream/db_mysql-init-libssl-in-a-thread.patch b/debian/patches/upstream/db_mysql-init-libssl-in-a-thread.patch deleted file mode 100644 index 6c4125107..000000000 
--- a/debian/patches/upstream/db_mysql-init-libssl-in-a-thread.patch +++ /dev/null @@ -1,46 +0,0 @@ -From: S-P Chan -Date: Thu, 1 Feb 2024 10:05:39 +0800 -Subject: db_mysql: init libssl in a thread - -From -- 5dffb934a2f7f986fdc09e433833991c54612646 -- 733a268114261d49ed11aec83fe39ea8c34a0b69 ---- - src/modules/db_mysql/km_dbase.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/modules/db_mysql/km_dbase.c b/src/modules/db_mysql/km_dbase.c -index 577f3dc..9cd238b 100644 ---- a/src/modules/db_mysql/km_dbase.c -+++ b/src/modules/db_mysql/km_dbase.c -@@ -38,6 +38,7 @@ - #include "../../core/mem/mem.h" - #include "../../core/dprint.h" - #include "../../core/async_task.h" -+#include "../../core/rthreads.h" - #include "../../lib/srdb1/db_query.h" - #include "../../lib/srdb1/db_ut.h" - #include "db_mysql.h" -@@ -197,8 +198,10 @@ static char *db_mysql_tquote = "`"; - * No function should be called before this - * \param _url URL used for initialization - * \return zero on success, negative value on failure -+ * -+ * Init libssl in a thread - */ --db1_con_t *db_mysql_init(const str *_url) -+static db1_con_t *db_mysql_init0(const str *_url) - { - db1_con_t *c; - c = db_do_init(_url, (void *)db_mysql_new_connection); -@@ -208,6 +211,10 @@ db1_con_t *db_mysql_init(const str *_url) - } - - -+db1_con_t *db_mysql_init(const str *_url) -+{ -+ return run_threadP((_thread_proto)db_mysql_init0, (void *)_url); -+} - /** - * Shut down the database module. - * No function should be called after this diff --git a/debian/patches/upstream/db_mysql-libssl-thread-guard-for-db_mysql_close.patch b/debian/patches/upstream/db_mysql-libssl-thread-guard-for-db_mysql_close.patch deleted file mode 100644 index c3bc57be6..000000000 --- a/debian/patches/upstream/db_mysql-libssl-thread-guard-for-db_mysql_close.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From: S-P Chan -Date: Thu, 8 Feb 2024 12:50:03 +0800 -Subject: db_mysql: libssl thread guard for db_mysql_close - ---- - src/modules/db_mysql/km_dbase.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/modules/db_mysql/km_dbase.c b/src/modules/db_mysql/km_dbase.c -index e86e4a0..7b65c0a 100644 ---- a/src/modules/db_mysql/km_dbase.c -+++ b/src/modules/db_mysql/km_dbase.c -@@ -40,6 +40,7 @@ - #include "../../core/async_task.h" - - #define KSR_RTHREAD_NEED_4PP -+#define KSR_RTHREAD_NEED_0P - #include "../../core/rthreads.h" - #include "../../lib/srdb1/db_query.h" - #include "../../lib/srdb1/db_ut.h" -@@ -228,11 +229,16 @@ db1_con_t *db_mysql_init(const str *_url) - * \param _h handle to the closed connection - * \return zero on success, negative value on failure - */ --void db_mysql_close(db1_con_t *_h) -+static void db_mysql_close_impl(db1_con_t *_h) - { - db_do_close(_h, db_mysql_free_connection); - } - -+void db_mysql_close(db1_con_t *_h) -+{ -+ run_thread0P((_thread_proto0P)db_mysql_close_impl, _h); -+} -+ - - /** - * Retrieve a result set diff --git a/debian/patches/upstream/db_mysql-libssl-thread-guard-for-db_mysql_query-and-.patch b/debian/patches/upstream/db_mysql-libssl-thread-guard-for-db_mysql_query-and-.patch deleted file mode 100644 index 079f0eced..000000000 --- a/debian/patches/upstream/db_mysql-libssl-thread-guard-for-db_mysql_query-and-.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From: S-P Chan -Date: Wed, 14 Feb 2024 19:49:10 +0800 -Subject: db_mysql: libssl thread guard for db_mysql_query (and - libmysqlclient) - -This function is observed to call SSL_read() when compiled with -libmysqlclient.so.21 (but not libmariadb.so.3). - -Apply a thread executor just in case. - -Cherry-pick from 1e42364451 ---- - src/modules/db_mysql/km_dbase.c | 19 +++++++++++++++++-- - 1 file changed, 17 insertions(+), 2 deletions(-) - -diff --git a/src/modules/db_mysql/km_dbase.c b/src/modules/db_mysql/km_dbase.c -index 7b65c0a..91ace58 100644 ---- a/src/modules/db_mysql/km_dbase.c -+++ b/src/modules/db_mysql/km_dbase.c -@@ -41,6 +41,7 @@ - - #define KSR_RTHREAD_NEED_4PP - #define KSR_RTHREAD_NEED_0P -+#define KSR_RTHREAD_NEED_4P5I2P2 - #include "../../core/rthreads.h" - #include "../../lib/srdb1/db_query.h" - #include "../../lib/srdb1/db_ut.h" -@@ -348,12 +349,26 @@ int db_mysql_free_result(const db1_con_t *_h, db1_res_t *_r) - * \param _r pointer to a structure representing the result - * \return zero on success, negative value on failure - */ -+ -+/* -+ * this function observed to invoke SSL_read() under libmysqlclient.so.21 -+ * but not libmariadb.so.3; apply libssl guard -+ */ -+static int db_mysql_query_impl(const db1_con_t *_h, const db_key_t *_k, -+ const db_op_t *_op, const db_val_t *_v, const db_key_t *_c, -+ const int _n, const int _nc, const db_key_t _o, db1_res_t **_r) -+{ -+ return db_do_query(_h, _k, _op, _v, _c, _n, _nc, _o, _r, db_mysql_val2str, -+ db_mysql_submit_query, db_mysql_store_result); -+} -+ - int db_mysql_query(const db1_con_t *_h, const db_key_t *_k, const db_op_t *_op, - const db_val_t *_v, const db_key_t *_c, const int _n, const int _nc, - const db_key_t _o, db1_res_t **_r) - { -- return db_do_query(_h, _k, _op, _v, _c, _n, _nc, _o, _r, db_mysql_val2str, -- db_mysql_submit_query, db_mysql_store_result); -+ return run_thread4P5I2P2((_thread_proto4P5I2P2)&db_mysql_query_impl, -+ (void *)_h, (void *)_k, (void *)_op, 
(void *)_v, (void *)_c, _n, -+ _nc, (void *)_o, (void *)_r); - } - - /** diff --git a/debian/patches/upstream/db_mysql-new-module-param-opt_ssl_ca-to-configure-CA.patch b/debian/patches/upstream/db_mysql-new-module-param-opt_ssl_ca-to-configure-CA.patch deleted file mode 100644 index 9a12c117b..000000000 --- a/debian/patches/upstream/db_mysql-new-module-param-opt_ssl_ca-to-configure-CA.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From: S-P Chan -Date: Wed, 14 Feb 2024 14:15:10 +0800 -Subject: db_mysql: new module param opt_ssl_ca to configure CA certs - -ERROR: db_mysql [km_my_con.c:200]: db_mysql_new_connection(): -driver error: SSL connection error: CA certificate is required -if ssl-mode is VERIFY_CA or VERIFY_IDENTITY - -When opt_ssl_mode = 4 | 5 libmysqlclient.so.21 -requires that the trusted CAs be configured. -Fixed with: -mysql_options(ptr->con, MYSQL_OPT_SSL_CA, (void *)db_mysql_opt_ssl_ca) - -Note: libmariadb.so.3 doesn't require this setting -and uses the system trust store. - -Cherry-pick from ea81e6cb8b ---- - src/modules/db_mysql/db_mysql.c | 2 ++ - src/modules/db_mysql/km_my_con.c | 4 ++++ - 2 files changed, 6 insertions(+) - -diff --git a/src/modules/db_mysql/db_mysql.c b/src/modules/db_mysql/db_mysql.c -index 1a69832..9a7aa86 100644 ---- a/src/modules/db_mysql/db_mysql.c -+++ b/src/modules/db_mysql/db_mysql.c -@@ -47,6 +47,7 @@ unsigned int my_server_timezone = - unsigned long my_client_ver = 0; - int db_mysql_unsigned_type = 0; - int db_mysql_opt_ssl_mode = 0; -+char *db_mysql_opt_ssl_ca = NULL; - - struct mysql_counters_h mysql_cnts_h; - counter_def_t mysql_cnt_defs[] = { -@@ -100,6 +101,7 @@ static param_export_t params[] = { - {"insert_delayed", INT_PARAM, &db_mysql_insert_all_delayed}, - {"update_affected_found", INT_PARAM, &db_mysql_update_affected_found}, - {"unsigned_type", PARAM_INT, &db_mysql_unsigned_type}, -+ {"opt_ssl_ca", PARAM_STRING, &db_mysql_opt_ssl_ca}, - {"opt_ssl_mode", PARAM_INT, &db_mysql_opt_ssl_mode}, {0, 0, 0}}; - - -diff --git a/src/modules/db_mysql/km_my_con.c b/src/modules/db_mysql/km_my_con.c -index b4c4dca..226d724 100644 ---- a/src/modules/db_mysql/km_my_con.c -+++ b/src/modules/db_mysql/km_my_con.c -@@ -41,6 +41,7 @@ - #include "db_mysql.h" - - extern int db_mysql_opt_ssl_mode; -+extern char *db_mysql_opt_ssl_ca; - - /*! 
\brief - * Create a new connection structure, -@@ -167,6 +168,9 @@ struct my_con *db_mysql_new_connection(const struct db_id *id) - } - #endif /* MYSQL_VERSION_ID */ - #endif /* MARIADB_BASE_VERSION */ -+ if(db_mysql_opt_ssl_ca) -+ mysql_options( -+ ptr->con, MYSQL_OPT_SSL_CA, (const void *)db_mysql_opt_ssl_ca); - - #if MYSQL_VERSION_ID > 50012 - /* set reconnect flag if enabled */ diff --git a/debian/patches/upstream/db_mysql-update-docs-for-opt_ssl_ca.patch b/debian/patches/upstream/db_mysql-update-docs-for-opt_ssl_ca.patch deleted file mode 100644 index b24363046..000000000 --- a/debian/patches/upstream/db_mysql-update-docs-for-opt_ssl_ca.patch +++ /dev/null @@ -1,44 +0,0 @@ -From: S-P Chan -Date: Wed, 14 Feb 2024 14:59:52 +0800 -Subject: db_mysql: update docs for opt_ssl_ca - -Cherry-pick from eafd93f057 ---- - src/modules/db_mysql/doc/db_mysql_admin.xml | 24 ++++++++++++++++++++++++ - 1 file changed, 24 insertions(+) - -diff --git a/src/modules/db_mysql/doc/db_mysql_admin.xml b/src/modules/db_mysql/doc/db_mysql_admin.xml -index 51c9b5b..dceb825 100644 ---- a/src/modules/db_mysql/doc/db_mysql_admin.xml -+++ b/src/modules/db_mysql/doc/db_mysql_admin.xml -@@ -211,6 +211,30 @@ modparam("db_mysql", "update_affected_found", 1) - ... - modparam("db_mysql", "opt_ssl_mode", 1) - ... -+ -+ -+ -+
-+ <varname>opt_ssl_ca</varname> (string) -+ -+ Configures the CA certs used to verify the MySQL server cert when -+ SSL is enabled. -+ -+ -+ Required when opt_ssl_mode = 4 or 5 and db_mysql is built -+ with libmysqlclient. -+ -+ -+ -+ Default value is NULL (NULL - not configured). -+ -+ -+ -+ Set <varname>opt_ssl_ca</varname> parameter -+ -+... -+modparam("db_mysql", "opt_ssl_ca", "/etc/ssl/certs/mysql-ca.pem") -+... - - -
diff --git a/debian/patches/upstream/db_postgres-handle-SSL-and-submit-query.patch b/debian/patches/upstream/db_postgres-handle-SSL-and-submit-query.patch deleted file mode 100644 index 43b173660..000000000 --- a/debian/patches/upstream/db_postgres-handle-SSL-and-submit-query.patch +++ /dev/null @@ -1,43 +0,0 @@ -From: S-P Chan -Date: Tue, 6 Feb 2024 00:29:55 +0800 -Subject: db_postgres: handle SSL and submit query - -(cherry-pick from d638c774ed816eec800e72ba2546004215cfe097) ---- - src/modules/db_postgres/km_dbase.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/modules/db_postgres/km_dbase.c b/src/modules/db_postgres/km_dbase.c -index 3d58f1a..7948ff0 100644 ---- a/src/modules/db_postgres/km_dbase.c -+++ b/src/modules/db_postgres/km_dbase.c -@@ -44,6 +44,7 @@ - #include "../../core/hashes.h" - #include "../../core/clist.h" - #define KSR_RTHREAD_NEED_PI -+#define KSR_RTHREAD_NEED_4PP - #include "../../core/rthreads.h" - #include "km_dbase.h" - #include "km_pg_con.h" -@@ -158,7 +159,7 @@ void db_postgres_close(db1_con_t *_h) - * \param _s query string - * \return 0 on success, negative on failure - */ --static int db_postgres_submit_query(const db1_con_t *_con, const str *_s) -+static int db_postgres_submit_query_impl(const db1_con_t *_con, const str *_s) - { - char *s = NULL; - int i, retries; -@@ -286,6 +287,12 @@ static int db_postgres_submit_query(const db1_con_t *_con, const str *_s) - return -1; - } - -+static int db_postgres_submit_query(const db1_con_t *_con, const str *_s) -+{ -+ return run_thread4PP((_thread_proto4PP)db_postgres_submit_query_impl, -+ (void *)_con, (void *)_s); -+} -+ - void db_postgres_async_exec_task(void *param) - { - str *p; diff --git a/debian/patches/upstream/db_postgres-init-libssl-in-a-thread.patch b/debian/patches/upstream/db_postgres-init-libssl-in-a-thread.patch deleted file mode 100644 index 4ce7e79a9..000000000 
--- a/debian/patches/upstream/db_postgres-init-libssl-in-a-thread.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From: S-P Chan -Date: Thu, 1 Feb 2024 10:06:11 +0800 -Subject: db_postgres: init libssl in a thread - -From -- 3426b153d02d9d8d3e909eff9d18cb14108072ca -- 8a1c383f6af5bc0547e32430a4469333160b93e6 ---- - src/modules/db_postgres/km_dbase.c | 19 +++++++++++++++++-- - 1 file changed, 17 insertions(+), 2 deletions(-) - -diff --git a/src/modules/db_postgres/km_dbase.c b/src/modules/db_postgres/km_dbase.c -index 02cb5c4..3d58f1a 100644 ---- a/src/modules/db_postgres/km_dbase.c -+++ b/src/modules/db_postgres/km_dbase.c -@@ -43,6 +43,8 @@ - #include "../../core/locking.h" - #include "../../core/hashes.h" - #include "../../core/clist.h" -+#define KSR_RTHREAD_NEED_PI -+#include "../../core/rthreads.h" - #include "km_dbase.h" - #include "km_pg_con.h" - #include "km_val.h" -@@ -108,24 +110,37 @@ static void db_postgres_free_query(const db1_con_t *_con); - * \param _url URL of the database that should be opened - * \return database connection on success, NULL on error - * \note this function must be called prior to any database functions -+ * -+ * Init libssl in a thread - */ --db1_con_t *db_postgres_init(const str *_url) -+static db1_con_t *db_postgres_init0(const str *_url) - { - return db_do_init(_url, (void *)db_postgres_new_connection); - } - -+db1_con_t *db_postgres_init(const str *_url) -+{ -+ return run_threadP((_thread_proto)db_postgres_init0, (void *)_url); -+} - /*! 
- * \brief Initialize database for future queries, specify pooling - * \param _url URL of the database that should be opened - * \param pooling whether or not to use a pooled connection - * \return database connection on success, NULL on error - * \note this function must be called prior to any database functions -+ * -+ * Init libssl in thread - */ --db1_con_t *db_postgres_init2(const str *_url, db_pooling_t pooling) -+static db1_con_t *db_postgres_init2_impl(const str *_url, db_pooling_t pooling) - { - return db_do_init2(_url, (void *)db_postgres_new_connection, pooling); - } - -+db1_con_t *db_postgres_init2(const str *_url, db_pooling_t pooling) -+{ -+ return run_threadPI( -+ (_thread_protoPI)db_postgres_init2_impl, (void *)_url, pooling); -+} - /*! - * \brief Close database when the database is no longer needed - * \param _h closed connection, as returned from db_postgres_init diff --git a/debian/patches/upstream/db_postgres-libssl-thread-guard-for-db_postgres_clos.patch b/debian/patches/upstream/db_postgres-libssl-thread-guard-for-db_postgres_clos.patch deleted file mode 100644 index 6de85861f..000000000 --- a/debian/patches/upstream/db_postgres-libssl-thread-guard-for-db_postgres_clos.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From: S-P Chan -Date: Thu, 8 Feb 2024 07:18:16 +0800 -Subject: db_postgres: libssl thread guard for db_postgres_close - ---- - src/modules/db_postgres/km_dbase.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/modules/db_postgres/km_dbase.c b/src/modules/db_postgres/km_dbase.c -index 7948ff0..e8dce6e 100644 ---- a/src/modules/db_postgres/km_dbase.c -+++ b/src/modules/db_postgres/km_dbase.c -@@ -45,6 +45,7 @@ - #include "../../core/clist.h" - #define KSR_RTHREAD_NEED_PI - #define KSR_RTHREAD_NEED_4PP -+#define KSR_RTHREAD_NEED_0P - #include "../../core/rthreads.h" - #include "km_dbase.h" - #include "km_pg_con.h" -@@ -147,11 +148,16 @@ db1_con_t *db_postgres_init2(const str *_url, db_pooling_t pooling) - * \param _h closed connection, as returned from db_postgres_init - * \note free all memory and resources - */ --void db_postgres_close(db1_con_t *_h) -+static void db_postgres_close_impl(db1_con_t *_h) - { - db_do_close(_h, db_postgres_free_connection); - } - -+void db_postgres_close(db1_con_t *_h) -+{ -+ run_thread0P((_thread_proto0P)db_postgres_close_impl, _h); -+} -+ - - /*! - * \brief Submit_query, run a query diff --git a/debian/patches/upstream/db_unixodbc-handle-SSL-and-submit-query.patch b/debian/patches/upstream/db_unixodbc-handle-SSL-and-submit-query.patch deleted file mode 100644 index 2aa8d2b86..000000000 --- a/debian/patches/upstream/db_unixodbc-handle-SSL-and-submit-query.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From: S-P Chan -Date: Tue, 6 Feb 2024 00:23:16 +0800 -Subject: db_unixodbc: handle SSL and submit query - -(cherry-pick from 7d917e6649be7188bb9ab152ada75bc7199b2980) ---- - src/modules/db_unixodbc/dbase.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/modules/db_unixodbc/dbase.c b/src/modules/db_unixodbc/dbase.c -index c4ba64b..7a5f2bd 100644 ---- a/src/modules/db_unixodbc/dbase.c -+++ b/src/modules/db_unixodbc/dbase.c -@@ -25,6 +25,7 @@ - #include "../../core/mem/mem.h" - #include "../../core/dprint.h" - #include "../../core/async_task.h" -+#define KSR_RTHREAD_NEED_4PP - #include "../../core/rthreads.h" - #include "../../lib/srdb1/db_query.h" - #include "val.h" -@@ -81,7 +82,7 @@ static int reconnect(const db1_con_t *_h) - /* - * Send an SQL query to the server - */ --static int db_unixodbc_submit_query(const db1_con_t *_h, const str *_s) -+static int db_unixodbc_submit_query_impl(const db1_con_t *_h, const str *_s) - { - int ret = 0; - SQLCHAR sqlstate[7]; -@@ -155,6 +156,11 @@ static int db_unixodbc_submit_query(const db1_con_t *_h, const str *_s) - return ret; - } - -+static int db_unixodbc_submit_query(const db1_con_t *_h, const str *_s) -+{ -+ return run_thread4PP((_thread_proto4PP)db_unixodbc_submit_query_impl, -+ (void *)_h, (void *)_s); -+} - /** - * - */ diff --git a/debian/patches/upstream/db_unixodbc-init-libssl-in-a-thread.patch b/debian/patches/upstream/db_unixodbc-init-libssl-in-a-thread.patch deleted file mode 100644 index 6199a4145..000000000 --- a/debian/patches/upstream/db_unixodbc-init-libssl-in-a-thread.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From: S-P Chan -Date: Thu, 1 Feb 2024 10:07:08 +0800 -Subject: db_unixodbc: init libssl in a thread - -From -- 2611a4670c65dd32fc1daf6b67e37852936ba69c -- b71ce6e5733ab08b84ff09481ada91e5fca43a33 ---- - src/modules/db_unixodbc/dbase.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/src/modules/db_unixodbc/dbase.c b/src/modules/db_unixodbc/dbase.c -index eb02b29..c4ba64b 100644 ---- a/src/modules/db_unixodbc/dbase.c -+++ b/src/modules/db_unixodbc/dbase.c -@@ -22,10 +22,10 @@ - * - */ - -- - #include "../../core/mem/mem.h" - #include "../../core/dprint.h" - #include "../../core/async_task.h" -+#include "../../core/rthreads.h" - #include "../../lib/srdb1/db_query.h" - #include "val.h" - #include "connection.h" -@@ -227,8 +227,10 @@ extern char *db_unixodbc_tquote; - /* - * Initialize database module - * No function should be called before this -+ * -+ * Init libssl in a thread - */ --db1_con_t *db_unixodbc_init(const str *_url) -+static db1_con_t *db_unixodbc_init0(const str *_url) - { - db1_con_t *c; - c = db_do_init(_url, (void *)db_unixodbc_new_connection); -@@ -237,6 +239,11 @@ db1_con_t *db_unixodbc_init(const str *_url) - return c; - } - -+db1_con_t *db_unixodbc_init(const str *_url) -+{ -+ return run_threadP((_thread_proto)&db_unixodbc_init0, (void *)_url); -+} -+ - /* - * Shut down database module - * No function should be called after this diff --git a/debian/patches/upstream/db_unixodbc-libssl-thread-guards-for-db_unixodbc_-cl.patch b/debian/patches/upstream/db_unixodbc-libssl-thread-guards-for-db_unixodbc_-cl.patch deleted file mode 100644 index 3c71ea677..000000000 --- a/debian/patches/upstream/db_unixodbc-libssl-thread-guards-for-db_unixodbc_-cl.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -From: S-P Chan -Date: Thu, 8 Feb 2024 07:41:45 +0800 -Subject: db_unixodbc: libssl thread guards for - db_unixodbc_(close|free_result|query) - ---- - src/modules/db_unixodbc/dbase.c | 27 ++++++++++++++++++++++++--- - 1 file changed, 24 insertions(+), 3 deletions(-) - -diff --git a/src/modules/db_unixodbc/dbase.c b/src/modules/db_unixodbc/dbase.c -index 7a5f2bd..01aab5b 100644 ---- a/src/modules/db_unixodbc/dbase.c -+++ b/src/modules/db_unixodbc/dbase.c -@@ -26,6 +26,8 @@ - #include "../../core/dprint.h" - #include "../../core/async_task.h" - #define KSR_RTHREAD_NEED_4PP -+#define KSR_RTHREAD_NEED_4P5I2P2 -+#define KSR_RTHREAD_NEED_0P - #include "../../core/rthreads.h" - #include "../../lib/srdb1/db_query.h" - #include "val.h" -@@ -254,11 +256,16 @@ db1_con_t *db_unixodbc_init(const str *_url) - * Shut down database module - * No function should be called after this - */ --void db_unixodbc_close(db1_con_t *_h) -+static void db_unixodbc_close_impl(db1_con_t *_h) - { - return db_do_close(_h, db_unixodbc_free_connection); - } - -+void db_unixodbc_close(db1_con_t *_h) -+{ -+ run_thread0P((_thread_proto0P)db_unixodbc_close_impl, _h); -+} -+ - /* - * Retrieve result set - */ -@@ -299,7 +306,7 @@ static int db_unixodbc_store_result(const db1_con_t *_h, db1_res_t **_r) - /* - * Release a result set from memory - */ --int db_unixodbc_free_result(db1_con_t *_h, db1_res_t *_r) -+static int db_unixodbc_free_result_impl(db1_con_t *_h, db1_res_t *_r) - { - if((!_h) || (!_r)) { - LM_ERR("invalid parameter value\n"); -@@ -315,6 +322,11 @@ int db_unixodbc_free_result(db1_con_t *_h, db1_res_t *_r) - return 0; - } - -+int db_unixodbc_free_result(db1_con_t *_h, db1_res_t *_r) -+{ -+ return run_thread4PP((_thread_proto4PP)db_unixodbc_free_result_impl, _h, _r); -+} -+ - /* - * Query table for specified rows - * _h: structure representing database connection -@@ -326,7 +338,7 @@ int db_unixodbc_free_result(db1_con_t *_h, db1_res_t *_r) - * _nc: number of columns to 
return - * _o: order by the specified column - */ --int db_unixodbc_query(const db1_con_t *_h, const db_key_t *_k, -+static int db_unixodbc_query_impl(const db1_con_t *_h, const db_key_t *_k, - const db_op_t *_op, const db_val_t *_v, const db_key_t *_c, - const int _n, const int _nc, const db_key_t _o, db1_res_t **_r) - { -@@ -335,6 +347,15 @@ int db_unixodbc_query(const db1_con_t *_h, const db_key_t *_k, - db_unixodbc_store_result); - } - -+int db_unixodbc_query(const db1_con_t *_h, const db_key_t *_k, -+ const db_op_t *_op, const db_val_t *_v, const db_key_t *_c, -+ const int _n, const int _nc, const db_key_t _o, db1_res_t **_r) -+{ -+ return run_thread4P5I2P2((_thread_proto4P5I2P2)db_unixodbc_query_impl, -+ (void *)_h, (void *)_k, (void *)_op, (void *)_v, (void *)_c, _n, -+ _nc, (void *)_o, (void *)_r); -+} -+ - /*! - * \brief Gets a partial result set, fetch rows from a result - * diff --git a/debian/patches/upstream/http_async_client-libssl-refactor-thread-executors-f.patch b/debian/patches/upstream/http_async_client-libssl-refactor-thread-executors-f.patch deleted file mode 100644 index 8abc3812b..000000000 --- a/debian/patches/upstream/http_async_client-libssl-refactor-thread-executors-f.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From: S-P Chan -Date: Tue, 27 Feb 2024 12:38:09 +0800 -Subject: http_async_client: libssl refactor thread executors for curl - -Cherry-pick from 6a0c86bba8 ---- - src/modules/http_async_client/http_async_client_mod.c | 5 ++++- - src/modules/http_async_client/http_multi.c | 6 +----- - 2 files changed, 5 insertions(+), 6 deletions(-) - -diff --git a/src/modules/http_async_client/http_async_client_mod.c b/src/modules/http_async_client/http_async_client_mod.c -index e9f6cb0..4b984d3 100644 ---- a/src/modules/http_async_client/http_async_client_mod.c -+++ b/src/modules/http_async_client/http_async_client_mod.c -@@ -50,6 +50,9 @@ - #include "../../core/cfg/cfg_struct.h" - #include "../../core/fmsg.h" - #include "../../core/kemi.h" -+#define KSR_RTHREAD_NEED_V -+#define KSR_RTHREAD_SKIP_P -+#include "../../core/rthreads.h" - - #include "../../modules/tm/tm_load.h" - #include "../../modules/pv/pv_api.h" -@@ -285,7 +288,7 @@ static int mod_init(void) - return -1; - } - -- set_curl_mem_callbacks(); -+ run_threadV((_thread_protoV)&set_curl_mem_callbacks); - - /* init faked sip msg */ - if(faked_msg_init() < 0) { -diff --git a/src/modules/http_async_client/http_multi.c b/src/modules/http_async_client/http_multi.c -index a0ee1c8..a57aba9 100644 ---- a/src/modules/http_async_client/http_multi.c -+++ b/src/modules/http_async_client/http_multi.c -@@ -32,9 +32,6 @@ - #include "../../core/mem/mem.h" - #include "../../core/ut.h" - #include "../../core/hashes.h" --#define KSR_RTHREAD_NEED_4L --#define KSR_RTHREAD_SKIP_P --#include "../../core/rthreads.h" - #include "http_multi.h" - - extern int hash_size; -@@ -392,8 +389,7 @@ void set_curl_mem_callbacks(void) - break; - case 1: - LM_DBG("Initilizing cURL with sys malloc\n"); -- rc = run_thread4L( -- (_thread_proto4L)curl_global_init, CURL_GLOBAL_ALL); -+ rc = curl_global_init(CURL_GLOBAL_ALL); - if(rc != 0) { - LM_ERR("Cannot initialize cURL: %d\n", rc); - } 
diff --git a/debian/patches/upstream/http_async_client-libssl-thread-executor-for-curl_gl.patch b/debian/patches/upstream/http_async_client-libssl-thread-executor-for-curl_gl.patch deleted file mode 100644 index a17ae3fae..000000000 --- a/debian/patches/upstream/http_async_client-libssl-thread-executor-for-curl_gl.patch +++ /dev/null @@ -1,33 +0,0 @@ -From: S-P Chan -Date: Tue, 27 Feb 2024 05:01:14 +0800 -Subject: http_async_client: libssl thread executor for curl_global_init() - -Cherry-pick from 514635dc3e ---- - src/modules/http_async_client/http_multi.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/src/modules/http_async_client/http_multi.c b/src/modules/http_async_client/http_multi.c -index a57aba9..a0ee1c8 100644 ---- a/src/modules/http_async_client/http_multi.c -+++ b/src/modules/http_async_client/http_multi.c -@@ -32,6 +32,9 @@ - #include "../../core/mem/mem.h" - #include "../../core/ut.h" - #include "../../core/hashes.h" -+#define KSR_RTHREAD_NEED_4L -+#define KSR_RTHREAD_SKIP_P -+#include "../../core/rthreads.h" - #include "http_multi.h" - - extern int hash_size; -@@ -389,7 +392,8 @@ void set_curl_mem_callbacks(void) - break; - case 1: - LM_DBG("Initilizing cURL with sys malloc\n"); -- rc = curl_global_init(CURL_GLOBAL_ALL); -+ rc = run_thread4L( -+ (_thread_proto4L)curl_global_init, CURL_GLOBAL_ALL); - if(rc != 0) { - LM_ERR("Cannot initialize cURL: %d\n", rc); - } diff --git a/debian/patches/upstream/http_client-libssl-thread-executor-for-curl_global_i.patch b/debian/patches/upstream/http_client-libssl-thread-executor-for-curl_global_i.patch deleted file mode 100644 index cee3cb0dd..000000000 --- a/debian/patches/upstream/http_client-libssl-thread-executor-for-curl_global_i.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From: S-P Chan -Date: Tue, 27 Feb 2024 05:01:31 +0800 -Subject: http_client: libssl thread executor for curl_global_init() - -Cherry-pick from f58225950c ---- - src/modules/http_client/http_client.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/modules/http_client/http_client.c b/src/modules/http_client/http_client.c -index 430933e..3cf6628 100644 ---- a/src/modules/http_client/http_client.c -+++ b/src/modules/http_client/http_client.c -@@ -64,6 +64,9 @@ - #include "../../core/lvalue.h" - #include "../../core/pt.h" /* Process table */ - #include "../../core/kemi.h" -+#define KSR_RTHREAD_NEED_4L -+#define KSR_RTHREAD_SKIP_P -+#include "../../core/rthreads.h" - - #include "functions.h" - #include "curlcon.h" -@@ -278,7 +281,7 @@ static int mod_init(void) - LM_DBG("init curl module\n"); - - /* Initialize curl */ -- if(curl_global_init(CURL_GLOBAL_ALL)) { -+ if(run_thread4L((_thread_proto4L)&curl_global_init, CURL_GLOBAL_ALL)) { - LM_ERR("curl_global_init failed\n"); - return -1; - } diff --git a/debian/patches/upstream/outbound-init-libssl-in-a-thread.patch b/debian/patches/upstream/outbound-init-libssl-in-a-thread.patch deleted file mode 100644 index f625bd416..000000000 --- a/debian/patches/upstream/outbound-init-libssl-in-a-thread.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -From: S-P Chan -Date: Tue, 30 Jan 2024 14:07:11 +0800 -Subject: outbound: init libssl in a thread - -- use core/rthreads.h -- Xenial(OpenSSL < 1.1.1) fixes - -From: -- 94f6df509bf77c19c745749716a9e075ec17f3c7 -- 8bdd9ca4b3c3d4f9f2f201b0a9e0ad9a61eee41d ---- - src/modules/outbound/outbound_mod.c | 44 ++++++++++++++++++------------------- - 1 file changed, 22 insertions(+), 22 deletions(-) - -diff --git a/src/modules/outbound/outbound_mod.c b/src/modules/outbound/outbound_mod.c -index e2e3a86..e5ed171 100644 ---- a/src/modules/outbound/outbound_mod.c -+++ b/src/modules/outbound/outbound_mod.c -@@ -40,6 +40,10 @@ - #include "../../core/parser/parse_uri.h" - #include "../../core/parser/parse_supported.h" - -+#define KSR_RTHREAD_SKIP_P -+#define KSR_RTHREAD_NEED_V -+#include "../../core/rthreads.h" -+ - #include "api.h" - #include "config.h" - -@@ -75,26 +79,25 @@ struct module_exports exports = { - destroy /* destroy function */ - }; - --static void *mod_init_openssl(void *arg) { -- if(flow_token_secret.s) { -- assert(ob_key.len == SHA_DIGEST_LENGTH); -- LM_DBG("flow_token_secret mod param set. use persistent ob_key"); -+static void mod_init_openssl(void) -+{ -+ if(flow_token_secret.s) { -+ assert(ob_key.len == SHA_DIGEST_LENGTH); -+ LM_DBG("flow_token_secret mod param set. 
use persistent ob_key"); - #if OPENSSL_VERSION_NUMBER < 0x030000000L -- SHA1((const unsigned char *)flow_token_secret.s, flow_token_secret.len, -- (unsigned char *)ob_key.s); -+ SHA1((const unsigned char *)flow_token_secret.s, flow_token_secret.len, -+ (unsigned char *)ob_key.s); - #else -- EVP_Q_digest(NULL, "SHA1", NULL, flow_token_secret.s, -- flow_token_secret.len, (unsigned char *)ob_key.s, NULL); -+ EVP_Q_digest(NULL, "SHA1", NULL, flow_token_secret.s, -+ flow_token_secret.len, (unsigned char *)ob_key.s, NULL); - #endif -- } else { -- if(RAND_bytes((unsigned char *)ob_key.s, ob_key.len) == 0) { -- LM_ERR("unable to get %d cryptographically strong pseudo-" -- "random bytes\n", -- ob_key.len); -- } -- } -- -- return NULL; -+ } else { -+ if(RAND_bytes((unsigned char *)ob_key.s, ob_key.len) == 0) { -+ LM_ERR("unable to get %d cryptographically strong pseudo-" -+ "random bytes\n", -+ ob_key.len); -+ } -+ } - } - - static int mod_init(void) -@@ -116,12 +119,9 @@ static int mod_init(void) - ob_key.len = OB_KEY_LEN; - - #if OPENSSL_VERSION_NUMBER < 0x010101000L -- mod_init_openssl(NULL); -+ mod_init_openssl(); - #else -- pthread_t tid; -- void *retval; -- pthread_create(&tid, NULL, mod_init_openssl, NULL); -- pthread_join(tid, &retval); -+ run_threadV(mod_init_openssl); - #endif - - if(cfg_declare("outbound", outbound_cfg_def, &default_outbound_cfg, diff --git a/debian/patches/upstream/tls-NULL-safety-check.patch b/debian/patches/upstream/tls-NULL-safety-check.patch deleted file mode 100644 index db63b6062..000000000 --- a/debian/patches/upstream/tls-NULL-safety-check.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -From: S-P Chan -Date: Tue, 5 Mar 2024 09:59:41 +0800 -Subject: tls: NULL safety check - -(cherry picked from commit f6f9d90ada963b53b6552e1a172b8f2fd021c33b) ---- - src/modules/tls/tls_mod.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c -index 51e88be..c2a3c8d 100644 ---- a/src/modules/tls/tls_mod.c -+++ b/src/modules/tls/tls_mod.c -@@ -871,6 +871,8 @@ EVP_PKEY *tls_engine_private_key(const char *key_id) - - while(!(OSSL_STORE_eof(ctx))) { - OSSL_STORE_INFO *info = OSSL_STORE_load(ctx); -+ if(info == NULL) -+ continue; - - int type; - type = OSSL_STORE_INFO_get_type(info); diff --git a/debian/patches/upstream/tls-add-logging.patch b/debian/patches/upstream/tls-add-logging.patch deleted file mode 100644 index 3446f56c0..000000000 --- a/debian/patches/upstream/tls-add-logging.patch +++ /dev/null @@ -1,22 +0,0 @@ -From: S-P Chan -Date: Tue, 13 Feb 2024 17:23:31 +0800 -Subject: tls: add logging - ---- - src/modules/tls/tls_mod.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c -index 5d3982b..905ca6f 100644 ---- a/src/modules/tls/tls_mod.c -+++ b/src/modules/tls/tls_mod.c -@@ -458,6 +458,9 @@ static int mod_child(int rank) - #else - if(rank == PROC_INIT) { - #endif -+ LM_DBG("Loading SSL_CTX in process_no=%d rank=%d " -+ "ksr_tls_threads_mode=%d\n", -+ process_no, rank, ksr_tls_threads_mode); - if(cfg_get(tls, tls_cfg, config_file).s) { - if(tls_fix_domains_cfg( - *tls_domains_cfg, &srv_defaults, &cli_defaults) diff --git a/debian/patches/upstream/tls-basic-OpenSSL-3-support-of-provider-keys-replace.patch b/debian/patches/upstream/tls-basic-OpenSSL-3-support-of-provider-keys-replace.patch deleted file mode 100644 index 640885ece..000000000 --- a/debian/patches/upstream/tls-basic-OpenSSL-3-support-of-provider-keys-replace.patch +++ /dev/null 
@@ -1,358 +0,0 @@ -From: S-P Chan -Date: Sat, 2 Mar 2024 20:46:16 +0800 -Subject: tls: basic OpenSSL 3 support of provider keys (replaces ENGINE) - -- initial support for v3 provider keys (replaces ENGINE from v1.1.1) -- can be disabled behind build flag -DOPENSSL_NO_PROVIDER -- provider keys start with /uri: e.g - private_key = /uri:pkcs11:token=NSS%20Certificate%20DB;type=private;object=Fork-Test-c67cc0e0 -- global config: - provider_quirks: 0 | 1 - - 0 - default - - 1 - create a new OSS_LIB_CTX* in the child - -This integration does not load any providers itself and depends on -the usual - -export OPENSSL_CONF=my-openssl.cnf - -to configure providers. - -(cherry picked from commit 69883dd381368ca219cc52140e71d571775f95d5) ---- - src/modules/tls/tls_domain.c | 40 +++++++++------- - src/modules/tls/tls_mod.c | 109 +++++++++++++++++++++++++++++++++++++------ - 2 files changed, 119 insertions(+), 30 deletions(-) - -diff --git a/src/modules/tls/tls_domain.c b/src/modules/tls/tls_domain.c -index dde5fe0..e056a70 100644 ---- a/src/modules/tls/tls_domain.c -+++ b/src/modules/tls/tls_domain.c -@@ -32,13 +32,21 @@ - - /* only OpenSSL <= 1.1.1 */ - #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER < 0x030000000L -+#define KSR_SSL_COMMON - #define KSR_SSL_ENGINE -+#define KEY_PREFIX "/engine:" -+#define KEY_PREFIX_LEN (strlen(KEY_PREFIX)) -+#include -+extern EVP_PKEY *tls_engine_private_key(const char *key_id); - #endif - --#ifdef KSR_SSL_ENGINE --#include -+#if !defined(OPENSSL_NO_PROVIDER) && OPENSSL_VERSION_NUMBER >= 0x030000000L -+#define KSR_SSL_COMMON -+#define KSR_SSL_PROVIDER -+#define KEY_PREFIX "/uri:" -+#define KEY_PREFIX_LEN (strlen(KEY_PREFIX)) - extern EVP_PKEY *tls_engine_private_key(const char *key_id); --#endif /* KSR_SSL_ENGINE */ -+#endif - - #if OPENSSL_VERSION_NUMBER >= 0x00907000L - #include -@@ -1227,7 +1235,7 @@ err: - #endif - } - --#ifdef KSR_SSL_ENGINE -+#ifdef KSR_SSL_COMMON - /** - * @brief Load a private key from an OpenSSL engine - * 
@param d TLS domain
-@@ -1237,7 +1245,7 @@ err:
- * to be fork() safe
- *
- * private_key setting which starts with /engine: is assumed to be
-- * an HSM key and not a file-based key
-+ * an HSM key and not a file-based key (/uri: for OpenSSL 3 key URIs)
- *
- * We store the private key in a local memory hash table as
- * HSM keys must be process-local. We use the SSL_CTX* address
-@@ -1253,13 +1261,13 @@ static int load_engine_private_key(tls_domain_t *d)
- DBG("%s: No private key specified\n", tls_domain_str(d));
- return 0;
- }
-- if(strncmp(d->pkey_file.s, "/engine:", 8) != 0)
-+ if(strncmp(d->pkey_file.s, KEY_PREFIX, KEY_PREFIX_LEN) != 0)
- return 0;
-
- do {
- i = process_no;
- for(idx = 0, ret_pwd = 0; idx < 3; idx++) {
-- pkey = tls_engine_private_key(d->pkey_file.s + 8);
-+ pkey = tls_engine_private_key(d->pkey_file.s + KEY_PREFIX_LEN);
- if(pkey) {
- ret_pwd = SSL_CTX_use_PrivateKey(d->ctx[i], pkey);
- } else {
-@@ -1295,7 +1303,7 @@ static int load_engine_private_key(tls_domain_t *d)
- d->pkey_file.s);
- return 0;
- }
--#endif /* KSR_SSL_ENGINE */
-+#endif /* KSR_SSL_COMMON */
- /**
- * @brief Load a private key from a file
- * @param d TLS domain
-@@ -1319,10 +1327,10 @@ static int load_private_key(tls_domain_t *d)
- SSL_CTX_set_default_passwd_cb_userdata(d->ctx[i], d->pkey_file.s);
-
- for(idx = 0, ret_pwd = 0; idx < 3; idx++) {
--#ifdef KSR_SSL_ENGINE
-+#ifdef KSR_SSL_COMMON
- // in PROC_INIT skip loading HSM keys due to
- // fork() issues with PKCS#11 libraries
- if(strncmp(d->pkey_file.s, "/engine:", 8) != 0) {
- ret_pwd = SSL_CTX_use_PrivateKey_file(
- d->ctx[i], d->pkey_file.s, SSL_FILETYPE_PEM);
- } else {
-@@ -1331,7 +1339,7 @@ static int load_private_key(tls_domain_t *d)
- #else
- ret_pwd = SSL_CTX_use_PrivateKey_file(
- d->ctx[i], d->pkey_file.s, SSL_FILETYPE_PEM);
--#endif /* KSR_SSL_ENGINE */
-+#endif /* KSR_SSL_COMMON */
- if(ret_pwd) {
- break;
- } else {
-@@ -1348,12 +1356,12 @@ static int load_private_key(tls_domain_t *d)
- TLS_ERR("load_private_key:");
- return -1;
- }
--#ifdef KSR_SSL_ENGINE
-- if(strncmp(d->pkey_file.s, "/engine:", 8) == 0) {
-+#ifdef KSR_SSL_COMMON
-+ if(strncmp(d->pkey_file.s, KEY_PREFIX, KEY_PREFIX_LEN) == 0) {
- // skip private key validity check for HSM keys
- continue;
- }
--#endif /* KSR_SSL_ENGINE */
-+#endif /* KSR_SSL_COMMON */
- if(!SSL_CTX_check_private_key(d->ctx[i])) {
- ERR("%s: Key '%s' does not match the public key of the"
- " certificate\n",
- tls_domain_str(d), d->pkey_file.s);
-@@ -1369,7 +1377,7 @@ static int load_private_key(tls_domain_t *d)
- }
-
-
--#ifdef KSR_SSL_ENGINE
-+#ifdef KSR_SSL_COMMON
- /**
- * @brief Initialize engine private keys
- *
-@@ -1401,7 +1409,7 @@ int tls_fix_engine_keys(tls_domains_cfg_t *cfg, tls_domain_t *srv_defaults,
-
- return 0;
- }
--#endif /* KSR_SSL_ENGINE */
-+#endif /* KSR_SSL_COMMON */
- /**
- * @brief Initialize attributes of all domains from default domains if necessary
- *
-diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
-index 34689f2..c34c993 100644
---- a/src/modules/tls/tls_mod.c
-+++ b/src/modules/tls/tls_mod.c
-@@ -93,9 +93,21 @@ MODULE_VERSION
-
- /* Engine is deprecated in OpenSSL 3 */
- #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER < 0x030000000L
-+#define KSR_SSL_COMMON
- #define KSR_SSL_ENGINE
-+#define KEY_PREFIX "/engine:"
-+#define KEY_PREFIX_LEN (strlen(KEY_PREFIX))
- #endif
-
-+#if !defined(OPENSSL_NO_PROVIDER) && OPENSSL_VERSION_NUMBER >= 0x030000000L
-+#define KSR_SSL_COMMON
-+#define KSR_SSL_PROVIDER
-+#include
-+#define KEY_PREFIX "/uri:"
-+#define KEY_PREFIX_LEN (strlen(KEY_PREFIX))
-+#endif
-+
-+
- extern str sr_tls_event_callback;
- str sr_tls_xavp_cfg = {0, 0};
- /*
-@@ -151,23 +163,28 @@ tls_domain_t srv_defaults = {
-
-
- #ifdef KSR_SSL_ENGINE
--
- typedef struct tls_engine
- {
- str engine;
- str engine_config;
- str engine_algorithms;
- } tls_engine_t;
--#include
--#include
--
--static ENGINE *ksr_tls_engine;
- static tls_engine_t tls_engine_settings = {
- STR_STATIC_INIT("NONE"),
- STR_STATIC_INIT("NONE"),
- STR_STATIC_INIT("ALL"),
- };
--#endif /* KSR_SSL_ENGINE */
-+
-+#include
-+#include
-+
-+static ENGINE *ksr_tls_engine;
-+#endif
-+
-+#ifdef KSR_SSL_PROVIDER
-+static int tls_provider_quirks;
-+#endif
-+
- /*
- * Default settings for client domains when using external config file
- */
-@@ -238,6 +255,10 @@ static param_export_t params[] = {
- {"engine_algorithms", PARAM_STR,
- &tls_engine_settings.engine_algorithms},
- #endif /* KSR_SSL_ENGINE */
-+#ifdef KSR_SSL_PROVIDER
-+ {"provider_quirks", PARAM_INT,
-+ &tls_provider_quirks}, /* OpenSSL 3 provider that needs new OSSL_LIB_CTX in child */
-+#endif /* KSR_SSL_PROVIDER */
- {"tls_log", PARAM_INT, &default_tls_cfg.log},
- {"tls_debug", PARAM_INT, &default_tls_cfg.debug},
- {"session_cache", PARAM_INT, &default_tls_cfg.session_cache},
-@@ -316,7 +337,6 @@ static tls_domains_cfg_t* tls_use_modparams(void)
- }
- #endif
-
--
- static int mod_init(void)
- {
- int method;
-@@ -433,10 +453,10 @@ error:
- }
-
-
--#ifdef KSR_SSL_ENGINE
-+#ifdef KSR_SSL_COMMON
- static int tls_engine_init();
- int tls_fix_engine_keys(tls_domains_cfg_t *, tls_domain_t *, tls_domain_t *);
--#endif /* KSR_SSL_ENGINE */
-+#endif /* KSR_SSL_COMMON */
-
- /*
- * OpenSSL 1.1.1+: SSL_CTX is repeated in each worker
-@@ -450,9 +470,10 @@ int tls_fix_engine_keys(tls_domains_cfg_t *, tls_domain_t *, tls_domain_t *);
- */
- static int mod_child_hook(int *rank, void *dummy)
- {
-- LM_DBG("Loading SSL_CTX in process_no=%d rank=%d "
-- "ksr_tls_threads_mode=%d\n",
-+ LM_INFO("Loading SSL_CTX in process_no=%d rank=%d "
-+ "ksr_tls_threads_mode=%d\n",
- process_no, *rank, ksr_tls_threads_mode);
-+
- if(cfg_get(tls, tls_cfg, config_file).s) {
- if(tls_fix_domains_cfg(*tls_domains_cfg, &srv_defaults, &cli_defaults)
- < 0)
-@@ -464,6 +485,10 @@ static int mod_child_hook(int *rank, void *dummy)
- return 0;
- }
-
-+#ifdef KSR_SSL_PROVIDER
-+static OSSL_LIB_CTX *orig_ctx;
-+static OSSL_LIB_CTX *new_ctx;
-+#endif
- static int mod_child(int rank)
- {
- if(tls_disable || (tls_domains_cfg == 0))
-@@ -477,23 +502,32 @@ static int mod_child(int rank)
- return run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, NULL);
- }
-
--#ifdef KSR_SSL_ENGINE
-+#ifdef KSR_SSL_COMMON
- /*
- * after the child is fork()ed we go through the TLS domains
- * and fix up private keys from engine
- */
-+#ifdef KSR_SSL_ENGINE
- if(!strncmp(tls_engine_settings.engine.s, "NONE", 4))
- return 0;
-+#endif /* KSR_SSL_ENGINE */
-
- if(rank > 0) {
-+#ifdef KSR_SSL_PROVIDER
-+ if(tls_provider_quirks & 1) {
-+ new_ctx = OSSL_LIB_CTX_new();
-+ orig_ctx = OSSL_LIB_CTX_set0_default(new_ctx);
-+ CONF_modules_load_file(CONF_get1_default_config_file(), NULL, 0L);
-+ }
-+#endif /* KSR_SSL_PROVIDER */
- if(tls_engine_init() < 0)
- return -1;
- if(tls_fix_engine_keys(*tls_domains_cfg, &srv_defaults, &cli_defaults)
- < 0)
- return -1;
-- LM_INFO("OpenSSL Engine loaded private keys in child: %d\n", rank);
-+ LM_INFO("OpenSSL loaded private keys in child: %d\n", rank);
- }
--#endif /* KSR_SSL_ENGINE */
-+#endif /* KSR_SSL_PROVIDER */
- return 0;
- }
-
-@@ -798,3 +832,50 @@ EVP_PKEY *tls_engine_private_key(const char *key_id)
- return ENGINE_load_private_key(ksr_tls_engine, key_id, NULL, NULL);
- }
- #endif /* KSR_SSL_ENGINE */
-+
-+#ifdef KSR_SSL_PROVIDER
-+#include
-+static int tls_engine_init()
-+{
-+ return 0;
-+}
-+EVP_PKEY *tls_engine_private_key(const char *key_id)
-+{
-+ OSSL_STORE_CTX *ctx;
-+ EVP_PKEY *pkey = NULL;
-+
-+ ctx = OSSL_STORE_open_ex(key_id, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
-+ if(!ctx) {
-+ LM_ERR("[ERR] could not load URI %s\n", key_id);
-+ goto error;
-+ }
-+
-+ OSSL_STORE_expect(ctx, OSSL_STORE_INFO_PKEY);
-+
-+ while(!(OSSL_STORE_eof(ctx))) {
-+ OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
-+
-+ int type;
-+ type = OSSL_STORE_INFO_get_type(info);
-+
-+ switch(type) {
-+ case OSSL_STORE_INFO_PKEY:
-+ pkey = OSSL_STORE_INFO_get1_PKEY(info);
-+ break;
-+ default:
-+ continue;
-+ break;
-+ }
-+ OSSL_STORE_INFO_free(info);
-+ if(pkey)
-+ break;
-+ }
-+
-+ LM_INFO("Loaded private key = %p\n", pkey);
-+
-+error:
-+ OSSL_STORE_close(ctx);
-+
-+ return pkey;
-+}
-+#endif
diff --git a/debian/patches/upstream/tls-clean-up-of-ENGINE.patch b/debian/patches/upstream/tls-clean-up-of-ENGINE.patch
deleted file mode 100644
index c274e5544..000000000
--- a/debian/patches/upstream/tls-clean-up-of-ENGINE.patch
+++ /dev/null
@@ -1,463 +0,0 @@ -From: S-P Chan -Date: Sat, 2 Mar 2024 08:29:31 +0800 -Subject: tls: clean-up of ENGINE - -- remove tls_map.* - not needed anymore -- install an ENGINE in each worker SSL_CTX - no need to replicate to all processes ---- - src/modules/tls/tls_domain.c | 53 ++--------- - src/modules/tls/tls_map.c | 213 ------------------------------------------- - src/modules/tls/tls_map.h | 77 ---------------- - src/modules/tls/tls_server.c | 20 +--- - 4 files changed, 11 insertions(+), 352 deletions(-) - delete mode 100644 src/modules/tls/tls_map.c - delete mode 100644 src/modules/tls/tls_map.h - -diff --git a/src/modules/tls/tls_domain.c b/src/modules/tls/tls_domain.c -index 48c3aa2..dde5fe0 100644 ---- a/src/modules/tls/tls_domain.c -+++ b/src/modules/tls/tls_domain.c -@@ -37,7 +37,6 @@ - - #ifdef KSR_SSL_ENGINE - #include --#include "tls_map.h" - extern EVP_PKEY *tls_engine_private_key(const char *key_id); - #endif /* KSR_SSL_ENGINE */ - -@@ -1229,31 +1228,6 @@ err: - } - - #ifdef KSR_SSL_ENGINE --/* -- * Implement a hash map from SSL_CTX to private key -- * as HSM keys need to be process local -- */ --static map_void_t private_key_map; -- --/** -- * @brief Return a private key from the lookup table -- * @param p SSL_CTX* -- * @return EVP_PKEY on success, NULL on error -- */ --EVP_PKEY *tls_lookup_private_key(SSL_CTX *ctx) --{ -- void *pkey; -- char ctx_str[64]; -- snprintf(ctx_str, 64, "SSL_CTX-%p", ctx); -- pkey = map_get(&private_key_map, ctx_str); -- LM_DBG("Private key lookup for %s: %p\n", ctx_str, pkey); -- if(pkey) -- return *(EVP_PKEY **)pkey; -- else -- return NULL; --} -- -- - /** - * @brief Load a private key from an OpenSSL engine - * @param d TLS domain -@@ -1274,8 +1248,6 @@ static int load_engine_private_key(tls_domain_t *d) - { - int idx, ret_pwd, i; - EVP_PKEY *pkey = 0; -- int procs_no; -- char ctx_str[64]; - - if(!d->pkey_file.s || !d->pkey_file.len) { - DBG("%s: No private key specified\n", tls_domain_str(d)); -@@ -1283,22 +1255,15 @@ 
static int load_engine_private_key(tls_domain_t *d) - } - if(strncmp(d->pkey_file.s, "/engine:", 8) != 0) - return 0; -- procs_no = get_max_procs(); -- for(i = 0; i < procs_no; i++) { -- snprintf(ctx_str, 64, "SSL_CTX-%p", d->ctx[i]); -+ -+ do { -+ i = process_no; - for(idx = 0, ret_pwd = 0; idx < 3; idx++) { -- if(i) { -- map_set(&private_key_map, ctx_str, pkey); -- ret_pwd = 1; -+ pkey = tls_engine_private_key(d->pkey_file.s + 8); -+ if(pkey) { -+ ret_pwd = SSL_CTX_use_PrivateKey(d->ctx[i], pkey); - } else { -- pkey = tls_engine_private_key(d->pkey_file.s + 8); -- if(pkey) { -- map_set(&private_key_map, ctx_str, pkey); -- // store the key for i = 0 to perform certificate sanity check -- ret_pwd = SSL_CTX_use_PrivateKey(d->ctx[i], pkey); -- } else { -- ret_pwd = 0; -- } -+ ret_pwd = 0; - } - if(ret_pwd) { - break; -@@ -1316,14 +1281,14 @@ static int load_engine_private_key(tls_domain_t *d) - TLS_ERR("load_private_key:"); - return -1; - } -- if(i == 0 && !SSL_CTX_check_private_key(d->ctx[i])) { -+ if(!SSL_CTX_check_private_key(d->ctx[i])) { - ERR("%s: Key '%s' does not match the public key of the" - " certificate\n", - tls_domain_str(d), d->pkey_file.s); - TLS_ERR("load_engine_private_key:"); - return -1; - } -- } -+ } while(0); - - - LM_INFO("%s: Key '%s' successfully loaded\n", tls_domain_str(d), -diff --git a/src/modules/tls/tls_map.c b/src/modules/tls/tls_map.c -deleted file mode 100644 -index 70c275d..0000000 ---- a/src/modules/tls/tls_map.c -+++ /dev/null -@@ -1,213 +0,0 @@ --/** -- * Copyright (c) 2014 rxi -- * -- * This library is free software; you can redistribute it and/or modify it -- * under the terms of the MIT license. See LICENSE for details. 
-- */ -- --#include --#include -- --#include "../../core/mem/mem.h" --#include "tls_map.h" -- --struct map_node_t --{ -- unsigned hash; -- void *value; -- map_node_t *next; -- /* char key[]; */ -- /* char value[]; */ --}; -- -- --static unsigned map_hash(const char *str) --{ -- unsigned hash = 5381; -- while(*str) { -- hash = ((hash << 5) + hash) ^ *str++; -- } -- return hash; --} -- -- --static map_node_t *map_newnode(const char *key, void *value, int vsize) --{ -- map_node_t *node; -- int ksize = strlen(key) + 1; -- int voffset = ksize + ((sizeof(void *) - ksize) % sizeof(void *)); -- node = pkg_malloc(sizeof(*node) + voffset + vsize); -- if(!node) -- return NULL; -- memcpy(node + 1, key, ksize); -- node->hash = map_hash(key); -- node->value = ((char *)(node + 1)) + voffset; -- memcpy(node->value, value, vsize); -- return node; --} -- -- --static int map_bucketidx(map_base_t *m, unsigned hash) --{ -- /* If the implementation is changed to allow a non-power-of-2 bucket count, -- * the line below should be changed to use mod instead of AND */ -- return hash & (m->nbuckets - 1); --} -- -- --static void map_addnode(map_base_t *m, map_node_t *node) --{ -- int n = map_bucketidx(m, node->hash); -- node->next = m->buckets[n]; -- m->buckets[n] = node; --} -- -- --static int map_resize(map_base_t *m, int nbuckets) --{ -- map_node_t *nodes, *node, *next; -- map_node_t **buckets; -- int i; -- /* Chain all nodes together */ -- nodes = NULL; -- i = m->nbuckets; -- while(i--) { -- node = (m->buckets)[i]; -- while(node) { -- next = node->next; -- node->next = nodes; -- nodes = node; -- node = next; -- } -- } -- /* Reset buckets */ -- buckets = realloc(m->buckets, sizeof(*m->buckets) * nbuckets); -- if(buckets != NULL) { -- m->buckets = buckets; -- m->nbuckets = nbuckets; -- } -- if(m->buckets) { -- memset(m->buckets, 0, sizeof(*m->buckets) * m->nbuckets); -- /* Re-add nodes to buckets */ -- node = nodes; -- while(node) { -- next = node->next; -- map_addnode(m, node); -- node = 
next; -- } -- } -- /* Return error code if realloc() failed */ -- return (buckets == NULL) ? -1 : 0; --} -- -- --static map_node_t **map_getref(map_base_t *m, const char *key) --{ -- unsigned hash = map_hash(key); -- map_node_t **next; -- if(m->nbuckets > 0) { -- next = &m->buckets[map_bucketidx(m, hash)]; -- while(*next) { -- if((*next)->hash == hash && !strcmp((char *)(*next + 1), key)) { -- return next; -- } -- next = &(*next)->next; -- } -- } -- return NULL; --} -- -- --void map_deinit_(map_base_t *m) --{ -- map_node_t *next, *node; -- int i; -- i = m->nbuckets; -- while(i--) { -- node = m->buckets[i]; -- while(node) { -- next = node->next; -- pkg_free(node); -- node = next; -- } -- } -- pkg_free(m->buckets); --} -- -- --void *map_get_(map_base_t *m, const char *key) --{ -- map_node_t **next = map_getref(m, key); -- return next ? (*next)->value : NULL; --} -- -- --int map_set_(map_base_t *m, const char *key, void *value, int vsize) --{ -- int n, err; -- map_node_t **next, *node; -- /* Find & replace existing node */ -- next = map_getref(m, key); -- if(next) { -- memcpy((*next)->value, value, vsize); -- return 0; -- } -- /* Add new node */ -- node = map_newnode(key, value, vsize); -- if(node == NULL) -- goto fail; -- if(m->nnodes >= m->nbuckets) { -- n = (m->nbuckets > 0) ? 
(m->nbuckets << 1) : 1; -- err = map_resize(m, n); -- if(err) -- goto fail; -- } -- map_addnode(m, node); -- m->nnodes++; -- return 0; --fail: -- if(node) -- pkg_free(node); -- return -1; --} -- -- --void map_remove_(map_base_t *m, const char *key) --{ -- map_node_t *node; -- map_node_t **next = map_getref(m, key); -- if(next) { -- node = *next; -- *next = (*next)->next; -- pkg_free(node); -- m->nnodes--; -- } --} -- -- --map_iter_t map_iter_(void) --{ -- map_iter_t iter; -- iter.bucketidx = -1; -- iter.node = NULL; -- return iter; --} -- -- --const char *map_next_(map_base_t *m, map_iter_t *iter) --{ -- if(iter->node) { -- iter->node = iter->node->next; -- if(iter->node == NULL) -- goto nextBucket; -- } else { -- nextBucket: -- do { -- if(++iter->bucketidx >= m->nbuckets) { -- return NULL; -- } -- iter->node = m->buckets[iter->bucketidx]; -- } while(iter->node == NULL); -- } -- return (char *)(iter->node + 1); --} -diff --git a/src/modules/tls/tls_map.h b/src/modules/tls/tls_map.h -deleted file mode 100644 -index e4028a3..0000000 ---- a/src/modules/tls/tls_map.h -+++ /dev/null -@@ -1,77 +0,0 @@ --/** -- * Copyright (c) 2014 rxi -- * -- * This library is free software; you can redistribute it and/or modify it -- * under the terms of the MIT license. See LICENSE for details. 
-- */ -- --#ifndef _TLS_MAP_H --#define _TLS_MAP_H -- --#include -- --#define MAP_VERSION "0.1.0" -- --struct map_node_t; --typedef struct map_node_t map_node_t; -- --typedef struct --{ -- map_node_t **buckets; -- unsigned nbuckets, nnodes; --} map_base_t; -- --typedef struct --{ -- unsigned bucketidx; -- map_node_t *node; --} map_iter_t; -- -- --#define map_t(T) \ -- struct \ -- { \ -- map_base_t base; \ -- T *ref; \ -- T tmp; \ -- } -- -- --#define map_init(m) memset(m, 0, sizeof(*(m))) -- -- --#define map_deinit(m) map_deinit_(&(m)->base) -- -- --#define map_get(m, key) ((m)->ref = map_get_(&(m)->base, key)) -- -- --#define map_set(m, key, value) \ -- ((m)->tmp = (value), map_set_(&(m)->base, key, &(m)->tmp, sizeof((m)->tmp))) -- -- --#define map_remove(m, key) map_remove_(&(m)->base, key) -- -- --#define map_iter(m) map_iter_() -- -- --#define map_next(m, iter) map_next_(&(m)->base, iter) -- -- --void map_deinit_(map_base_t *m); --void *map_get_(map_base_t *m, const char *key); --int map_set_(map_base_t *m, const char *key, void *value, int vsize); --void map_remove_(map_base_t *m, const char *key); --map_iter_t map_iter_(void); --const char *map_next_(map_base_t *m, map_iter_t *iter); -- -- --typedef map_t(void *) map_void_t; --typedef map_t(char *) map_str_t; --typedef map_t(int) map_int_t; --typedef map_t(char) map_char_t; --typedef map_t(float) map_float_t; --typedef map_t(double) map_double_t; -- --#endif /* _TLS_MAP_H */ -diff --git a/src/modules/tls/tls_server.c b/src/modules/tls/tls_server.c -index 947f107..3e22ec4 100644 ---- a/src/modules/tls/tls_server.c -+++ b/src/modules/tls/tls_server.c -@@ -427,11 +427,6 @@ static void tls_dump_cert_info(char *s, X509 *cert) - } - } - -- --#ifdef KSR_SSL_ENGINE --// lookup HSM keys in process-local memory --EVP_PKEY *tls_lookup_private_key(SSL_CTX *); --#endif /* KSR_SSL_ENGINE */ - /** wrapper around SSL_accept, usin SSL return convention. - * It will also log critical errors and certificate debugging info. 
- * @param c - tcp connection with tls (extra_data must be a filled
-@@ -462,12 +457,7 @@ int tls_accept(struct tcp_connection *c, int *error)
- BUG("Invalid connection state %d (bug in TLS code)\n", tls_c->state);
- goto err;
- }
--#ifdef KSR_SSL_ENGINE
-- /* check if we have a HSM key */
-- EVP_PKEY *pkey = tls_lookup_private_key(SSL_get_SSL_CTX(ssl));
-- if(pkey)
-- SSL_use_PrivateKey(ssl, pkey);
--#endif /* KSR_SSL_ENGINE */
-+
- tls_openssl_clear_errors();
- ret = SSL_accept(ssl);
- if(unlikely(ret == 1)) {
-@@ -532,13 +522,7 @@ int tls_connect(struct tcp_connection *c, int *error)
- BUG("Invalid connection state %d (bug in TLS code)\n", tls_c->state);
- goto err;
- }
--#ifdef KSR_SSL_ENGINE
-- // lookup HSM private key in process-local memory
-- EVP_PKEY *pkey = tls_lookup_private_key(SSL_get_SSL_CTX(ssl));
-- if(pkey) {
-- SSL_use_PrivateKey(ssl, pkey);
-- }
--#endif
-+
- tls_openssl_clear_errors();
- ret = SSL_connect(ssl);
- if(unlikely(ret == 1)) {
diff --git a/debian/patches/upstream/tls-fix-OpenSSL-1.1.1-engine-keys.patch b/debian/patches/upstream/tls-fix-OpenSSL-1.1.1-engine-keys.patch
deleted file mode 100644
index bb73af1e5..000000000
--- a/debian/patches/upstream/tls-fix-OpenSSL-1.1.1-engine-keys.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From: S-P Chan
-Date: Thu, 29 Feb 2024 19:01:14 +0800
-Subject: tls: fix OpenSSL 1.1.1 engine keys
-
-Cherry-pick from e535cc5eb2
---
- src/modules/tls/tls_mod.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
-index 664e35f..85a1fc4 100644
---- a/src/modules/tls/tls_mod.c
-+++ b/src/modules/tls/tls_mod.c
-@@ -728,6 +728,7 @@ static int tls_engine_init()
- * We are in the child process and the global engine linked-list
- * is initialized in the parent.
- */
-+ ENGINE_load_builtin_engines();
- e = ENGINE_by_id("dynamic");
- if(!e) {
- err = "Error loading dynamic engine";
diff --git a/debian/patches/upstream/tls-fix-restore-early-init.patch b/debian/patches/upstream/tls-fix-restore-early-init.patch
deleted file mode 100644
index 217b21333..000000000
--- a/debian/patches/upstream/tls-fix-restore-early-init.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: S-P Chan
-Date: Sun, 25 Feb 2024 12:56:19 +0800
-Subject: tls: fix restore early init
-
-Cherry-pick from a02ca644e8
---
- src/modules/tls/tls_mod.c | 10 ++--------
- 1 file changed, 2 insertions(+), 8 deletions(-)
-
-diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
-index 6058592..664e35f 100644
---- a/src/modules/tls/tls_mod.c
-+++ b/src/modules/tls/tls_mod.c
-@@ -468,19 +468,13 @@ static int mod_child(int rank)
- if(tls_disable || (tls_domains_cfg == 0))
- return 0;
-
--#if OPENSSL_VERSION_NUMBER >= 0x010101000L
- /*
- * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in thread executor
-- * to avoid init of libssl in thread#1
-+ * to avoid init of libssl in thread#1: ksr_tls_threads_mode = 1
- */
-- if(rank == PROC_INIT && ksr_tls_threads_mode != 0) {
-- return run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, NULL);
-- }
--#else
- if(rank == PROC_INIT) {
-- return mod_child_hook(&rank, NULL);
-+ return run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, NULL);
- }
--#endif /* OPENSSL_VERSION_NUMBER */
-
- #ifndef OPENSSL_NO_ENGINE
- /*
diff --git a/debian/patches/upstream/tls-make-explicit-ENGINE-deprecation-in-OpenSSL-3.patch b/debian/patches/upstream/tls-make-explicit-ENGINE-deprecation-in-OpenSSL-3.patch
deleted file mode 100644
index c1c65c18a..000000000
--- a/debian/patches/upstream/tls-make-explicit-ENGINE-deprecation-in-OpenSSL-3.patch
+++ /dev/null
@@ -1,252 +0,0 @@
-From: S-P Chan
-Date: Fri, 1 Mar 2024 08:06:13 +0800
-Subject: tls: make explicit ENGINE deprecation in OpenSSL 3
-
----
- src/modules/tls/tls_domain.c | 25 +++++++++++++------------
- src/modules/tls/tls_mod.c | 25 +++++++++++++------------
- src/modules/tls/tls_server.c | 15 ++++++++-------
- 3 files changed, 34 insertions(+), 31 deletions(-)
-
-diff --git a/src/modules/tls/tls_domain.c b/src/modules/tls/tls_domain.c
-index 4e35f91..48c3aa2 100644
---- a/src/modules/tls/tls_domain.c
-+++ b/src/modules/tls/tls_domain.c
-@@ -30,15 +30,16 @@
- #include
- #include
-
--#if OPENSSL_VERSION_NUMBER >= 0x030000000L
--#define OPENSSL_NO_ENGINE
-+/* only OpenSSL <= 1.1.1 */
-+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER < 0x030000000L
-+#define KSR_SSL_ENGINE
- #endif
-
--#ifndef OPENSSL_NO_ENGINE
-+#ifdef KSR_SSL_ENGINE
- #include
- #include "tls_map.h"
- extern EVP_PKEY *tls_engine_private_key(const char *key_id);
--#endif
-+#endif /* KSR_SSL_ENGINE */
-
- #if OPENSSL_VERSION_NUMBER >= 0x00907000L
- #include
-@@ -1227,7 +1228,7 @@ err:
- #endif
- }
-
--#ifndef OPENSSL_NO_ENGINE
-+#ifdef KSR_SSL_ENGINE
- /*
- * Implement a hash map from SSL_CTX to private key
- * as HSM keys need to be process local
-@@ -1329,7 +1330,7 @@ static int load_engine_private_key(tls_domain_t *d)
- d->pkey_file.s);
- return 0;
- }
--#endif
-+#endif /* KSR_SSL_ENGINE */
- /**
- * @brief Load a private key from a file
- * @param d TLS domain
-@@ -1353,7 +1354,7 @@ static int load_private_key(tls_domain_t *d)
- SSL_CTX_set_default_passwd_cb_userdata(d->ctx[i], d->pkey_file.s);
-
- for(idx = 0, ret_pwd = 0; idx < 3; idx++) {
--#ifndef OPENSSL_NO_ENGINE
-+#ifdef KSR_SSL_ENGINE
- // in PROC_INIT skip loading HSM keys due to
- // fork() issues with PKCS#11 libraries
- if(strncmp(d->pkey_file.s, "/engine:", 8) != 0) {
-@@ -1365,7 +1366,7 @@ static int load_private_key(tls_domain_t *d)
- #else
- ret_pwd = SSL_CTX_use_PrivateKey_file(
- d->ctx[i], d->pkey_file.s, SSL_FILETYPE_PEM);
--#endif
-+#endif /* KSR_SSL_ENGINE */
- if(ret_pwd) {
- break;
- } else {
-@@ -1382,12 +1383,12 @@ static int load_private_key(tls_domain_t *d)
- TLS_ERR("load_private_key:");
- return -1;
- }
--#ifndef OPENSSL_NO_ENGINE
-+#ifdef KSR_SSL_ENGINE
- if(strncmp(d->pkey_file.s, "/engine:", 8) == 0) {
- // skip private key validity check for HSM keys
- continue;
- }
--#endif
-+#endif /* KSR_SSL_ENGINE */
- if(!SSL_CTX_check_private_key(d->ctx[i])) {
- ERR("%s: Key '%s' does not match the public key of the"
- " certificate\n",
- tls_domain_str(d), d->pkey_file.s);
-@@ -1403,7 +1404,7 @@ static int load_private_key(tls_domain_t *d)
- }
-
-
--#ifndef OPENSSL_NO_ENGINE
-+#ifdef KSR_SSL_ENGINE
- /**
- * @brief Initialize engine private keys
- *
-@@ -1435,7 +1436,7 @@ int tls_fix_engine_keys(tls_domains_cfg_t *cfg, tls_domain_t *srv_defaults,
-
- return 0;
- }
--#endif
-+#endif /* KSR_SSL_ENGINE */
- /**
- * @brief Initialize attributes of all domains from default domains if necessary
- *
-diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
-index 85a1fc4..34689f2 100644
---- a/src/modules/tls/tls_mod.c
-+++ b/src/modules/tls/tls_mod.c
-@@ -91,8 +91,9 @@ int ksr_rand_engine_param(modparam_t type, void *val);
-
- MODULE_VERSION
-
--#if OPENSSL_VERSION_NUMBER >= 0x030000000L
--#define OPENSSL_NO_ENGINE
-+/* Engine is deprecated in OpenSSL 3 */
-+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER < 0x030000000L
-+#define KSR_SSL_ENGINE
- #endif
-
- extern str sr_tls_event_callback;
-@@ -149,7 +150,7 @@ tls_domain_t srv_defaults = {
- };
-
-
--#ifndef OPENSSL_NO_ENGINE
-+#ifdef KSR_SSL_ENGINE
-
- typedef struct tls_engine
- {
-@@ -166,7 +167,7 @@ static tls_engine_t tls_engine_settings = {
- STR_STATIC_INIT("NONE"),
- STR_STATIC_INIT("ALL"),
- };
--#endif /* OPENSSL_NO_ENGINE */
-+#endif /* KSR_SSL_ENGINE */
- /*
- * Default settings for client domains when using external config file
- */
-@@ -231,12 +232,12 @@ static param_export_t params[] = {
- {"crl", PARAM_STR, &default_tls_cfg.crl},
- {"cipher_list", PARAM_STR, &default_tls_cfg.cipher_list},
- {"connection_timeout", PARAM_INT, &default_tls_cfg.con_lifetime},
--#ifndef OPENSSL_NO_ENGINE
-+#ifdef KSR_SSL_ENGINE
- {"engine", PARAM_STR, &tls_engine_settings.engine},
- {"engine_config", PARAM_STR, &tls_engine_settings.engine_config},
- {"engine_algorithms", PARAM_STR,
- &tls_engine_settings.engine_algorithms},
--#endif /* OPENSSL_NO_ENGINE */
-+#endif /* KSR_SSL_ENGINE */
- {"tls_log", PARAM_INT, &default_tls_cfg.log},
- {"tls_debug", PARAM_INT, &default_tls_cfg.debug},
- {"session_cache", PARAM_INT, &default_tls_cfg.session_cache},
-@@ -432,10 +433,10 @@ error:
- }
-
-
--#ifndef OPENSSL_NO_ENGINE
-+#ifdef KSR_SSL_ENGINE
- static int tls_engine_init();
- int tls_fix_engine_keys(tls_domains_cfg_t *, tls_domain_t *, tls_domain_t *);
--#endif
-+#endif /* KSR_SSL_ENGINE */
-
- /*
- * OpenSSL 1.1.1+: SSL_CTX is repeated in each worker
-@@ -476,7 +477,7 @@ static int mod_child(int rank)
- return run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, NULL);
- }
-
--#ifndef OPENSSL_NO_ENGINE
-+#ifdef KSR_SSL_ENGINE
- /*
- * after the child is fork()ed we go through the TLS domains
- * and fix up private keys from engine
-@@ -492,7 +493,7 @@ static int mod_child(int rank)
- return -1;
- LM_INFO("OpenSSL Engine loaded private keys in child: %d\n", rank);
- }
--#endif
-+#endif /* KSR_SSL_ENGINE */
- return 0;
- }
-
-@@ -702,7 +703,7 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2)
- }
-
-
--#ifndef OPENSSL_NO_ENGINE
-+#ifdef KSR_SSL_ENGINE
- /*
- * initialize OpenSSL engine in child process
- * PKCS#11 libraries are not guaranteed to be fork() safe
-@@ -796,4 +797,4 @@ EVP_PKEY *tls_engine_private_key(const char *key_id)
- {
- return ENGINE_load_private_key(ksr_tls_engine, key_id, NULL, NULL);
- }
--#endif
-+#endif /* KSR_SSL_ENGINE */
-diff --git a/src/modules/tls/tls_server.c b/src/modules/tls/tls_server.c
-index 420fd5a..947f107 100644
---- a/src/modules/tls/tls_server.c
-+++ b/src/modules/tls/tls_server.c
-@@ -128,8 +128,9 @@ int tls_run_event_routes(struct tcp_connection *c);
- #endif /* __SUNPRO_c */
- #endif /* TLS_RD_DEBUG */
-
--#if OPENSSL_VERSION_NUMBER >= 0x030000000L
--#define OPENSSL_NO_ENGINE
-+/* only OpenSSL <= 1.1.1 */
-+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER < 0x030000000L
-+#define KSR_SSL_ENGINE
- #endif
-
- extern str sr_tls_xavp_cfg;
-@@ -427,10 +428,10 @@ static void tls_dump_cert_info(char *s, X509 *cert)
- }
-
-
--#ifndef OPENSSL_NO_ENGINE
-+#ifdef KSR_SSL_ENGINE
- // lookup HSM keys in process-local memory
- EVP_PKEY *tls_lookup_private_key(SSL_CTX *);
--#endif
-+#endif /* KSR_SSL_ENGINE */
- /** wrapper around SSL_accept, usin SSL return convention.
- * It will also log critical errors and certificate debugging info.
- * @param c - tcp connection with tls (extra_data must be a filled
-@@ -461,12 +462,12 @@ int tls_accept(struct tcp_connection *c, int *error)
- BUG("Invalid connection state %d (bug in TLS code)\n", tls_c->state);
- goto err;
- }
--#ifndef OPENSSL_NO_ENGINE
-+#ifdef KSR_SSL_ENGINE
- /* check if we have a HSM key */
- EVP_PKEY *pkey = tls_lookup_private_key(SSL_get_SSL_CTX(ssl));
- if(pkey)
- SSL_use_PrivateKey(ssl, pkey);
--#endif
-+#endif /* KSR_SSL_ENGINE */
- tls_openssl_clear_errors();
- ret = SSL_accept(ssl);
- if(unlikely(ret == 1)) {
-@@ -531,7 +532,7 @@ int tls_connect(struct tcp_connection *c, int *error)
- BUG("Invalid connection state %d (bug in TLS code)\n", tls_c->state);
- goto err;
- }
--#ifndef OPENSSL_NO_ENGINE
-+#ifdef KSR_SSL_ENGINE
- // lookup HSM private key in process-local memory
- EVP_PKEY *pkey = tls_lookup_private_key(SSL_get_SSL_CTX(ssl));
- if(pkey) {
diff --git a/debian/patches/upstream/tls-new-option-tls_threads_mode-2.patch b/debian/patches/upstream/tls-new-option-tls_threads_mode-2.patch
deleted file mode 100644
index 76ee912a2..000000000
--- a/debian/patches/upstream/tls-new-option-tls_threads_mode-2.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From: S-P Chan
-Date: Mon, 4 Mar 2024 22:00:14 +0800
-Subject: tls: new option tls_threads_mode = 2
-
-- use pthread_atfork to force all thread-locals
- to 0x0 after fork()
-
-(cherry picked from commit 464299c202f3ba963aed821b777075397e843856)
---
- src/modules/tls/tls_mod.c | 17 +++++++++++++++++
- 1 file changed, 17 insertions(+)
-
-diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
-index c34c993..51e88be 100644
---- a/src/modules/tls/tls_mod.c
-+++ b/src/modules/tls/tls_mod.c
-@@ -337,6 +337,20 @@ static tls_domains_cfg_t* tls_use_modparams(void)
- }
- #endif
-
-+/* global config tls_threads_mode = 2
-+ * - force all thread-locals to be 0x0 after fork()
-+ * - with OpenSSL loaded the largest value observed
-+ * is < 10
-+ *
-+ */
-+static void fork_child(void)
-+{
-+ for(int k = 0; k < 16; k++) {
-+ if(pthread_getspecific(k) != 0)
-+ pthread_setspecific(k, 0x0);
-+ }
-+}
-+
- static int mod_init(void)
- {
- int method;
-@@ -446,6 +460,9 @@ static int mod_init(void)
- ksr_module_set_flag(KSRMOD_FLAG_POSTCHILDINIT);
- }
- #endif
-+ if(ksr_tls_threads_mode == 2) {
-+ pthread_atfork(NULL, NULL, &fork_child);
-+ }
- return 0;
- error:
- tls_h_mod_destroy_f();
diff --git a/debian/patches/upstream/tls-raise-logging-level-of-early-messages-in-mod_reg.patch b/debian/patches/upstream/tls-raise-logging-level-of-early-messages-in-mod_reg.patch
deleted file mode 100644
index 38a5a0cd9..000000000
--- a/debian/patches/upstream/tls-raise-logging-level-of-early-messages-in-mod_reg.patch
+++ /dev/null
@@ -1,21 +0,0 @@ -From: S-P Chan -Date: Tue, 13 Feb 2024 19:10:34 +0800 -Subject: tls: raise logging level of early messages in mod_register - ---- - src/modules/tls/tls_mod.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c -index 905ca6f..0d8ea3d 100644 ---- a/src/modules/tls/tls_mod.c -+++ b/src/modules/tls/tls_mod.c -@@ -689,7 +689,7 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2) - #if OPENSSL_VERSION_NUMBER >= 0x10100000L \ - && OPENSSL_VERSION_NUMBER < 0x030000000L - if(ksr_tls_threads_mode == 0) { -- LM_DBG("setting cryptorand random engine\n"); -+ LM_WARN("OpenSSL 1.1.1 setting cryptorand random engine\n"); - RAND_set_rand_method(RAND_ksr_cryptorand_method()); - } - #endif diff --git a/debian/patches/upstream/tls-remove-unused-ENGINE-define.patch b/debian/patches/upstream/tls-remove-unused-ENGINE-define.patch deleted file mode 100644 index 43d0e345d..000000000 --- a/debian/patches/upstream/tls-remove-unused-ENGINE-define.patch +++ /dev/null @@ -1,24 +0,0 @@ -From: S-P Chan -Date: Sat, 2 Mar 2024 21:41:11 +0800 -Subject: tls: remove unused ENGINE define - ---- - src/modules/tls/tls_server.c | 5 ----- - 1 file changed, 5 deletions(-) - -diff --git a/src/modules/tls/tls_server.c b/src/modules/tls/tls_server.c -index 3e22ec4..3bfea13 100644 ---- a/src/modules/tls/tls_server.c -+++ b/src/modules/tls/tls_server.c -@@ -128,11 +128,6 @@ int tls_run_event_routes(struct tcp_connection *c); - #endif /* __SUNPRO_c */ - #endif /* TLS_RD_DEBUG */ - --/* only OpenSSL <= 1.1.1 */ --#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER < 0x030000000L --#define KSR_SSL_ENGINE --#endif -- - extern str sr_tls_xavp_cfg; - - static str _ksr_tls_connect_server_id = STR_NULL; 
diff --git a/debian/patches/upstream/tls-restore-default-to-bypass-thread-guards.patch b/debian/patches/upstream/tls-restore-default-to-bypass-thread-guards.patch deleted file mode 100644 index 0dcbbd255..000000000 --- a/debian/patches/upstream/tls-restore-default-to-bypass-thread-guards.patch +++ /dev/null @@ -1,27 +0,0 @@ -From: S-P Chan -Date: Sun, 11 Feb 2024 12:14:19 +0800 -Subject: tls: restore default to bypass thread guards - -- restore <= 5.7.3 behaviour -- require user to opt-in to libssl thread-guards - with tls_threads_mode = 1|2 ---- - src/modules/tls/tls_mod.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c -index beaf1b7..3359aaf 100644 ---- a/src/modules/tls/tls_mod.c -+++ b/src/modules/tls/tls_mod.c -@@ -451,9 +451,9 @@ static int mod_child(int rank) - #if OPENSSL_VERSION_NUMBER >= 0x010101000L - /* - * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in worker to avoid init of -- * libssl in rank 0(thread#1) -+ * libssl in rank 0(thread#1). Requires tls_threads_mode = 1 config. - */ -- if(rank == PROC_SIPINIT) { -+ if((rank == PROC_SIPINIT && ksr_tls_threads_mode) || (rank == PROC_INIT && !ksr_tls_threads_mode)) { - #else - if(rank == PROC_INIT) { - #endif diff --git a/debian/patches/upstream/tls-restore-early-init-for-other-modules-that-use-TL.patch b/debian/patches/upstream/tls-restore-early-init-for-other-modules-that-use-TL.patch deleted file mode 100644 index 47f45883f..000000000 --- a/debian/patches/upstream/tls-restore-early-init-for-other-modules-that-use-TL.patch +++ /dev/null 
@@ -1,92 +0,0 @@ -From: S-P Chan -Date: Sun, 25 Feb 2024 08:03:17 +0800 -Subject: tls: restore early init for other modules that use TLS - -Client modules (e.g. dispatcher) that require outbound TLS -may race if tls init is too late. - -Restore tls init to PROC_INIT with a thread executor. - -Addresses GH #3765 - -Cherry-pick from 706d7b7ff3 ---- - src/modules/tls/tls_mod.c | 48 +++++++++++++++++++++++++++-------------------- - 1 file changed, 28 insertions(+), 20 deletions(-) - -diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c -index 0d8ea3d..6058592 100644 ---- a/src/modules/tls/tls_mod.c -+++ b/src/modules/tls/tls_mod.c -@@ -42,6 +42,10 @@ - #include "../../core/dprint.h" - #include "../../core/mod_fix.h" - #include "../../core/kemi.h" -+ -+#define KSR_RTHREAD_SKIP_P -+#define KSR_RTHREAD_NEED_4PP -+#include "../../core/rthreads.h" - #include "tls_init.h" - #include "tls_server.h" - #include "tls_domain.h" -@@ -443,6 +447,22 @@ int tls_fix_engine_keys(tls_domains_cfg_t *, tls_domain_t *, tls_domain_t *); - * - * EC operations do not use pthread_self(), so could use shared SSL_CTX - */ -+static int mod_child_hook(int *rank, void *dummy) -+{ -+ LM_DBG("Loading SSL_CTX in process_no=%d rank=%d " -+ "ksr_tls_threads_mode=%d\n", -+ process_no, *rank, ksr_tls_threads_mode); -+ if(cfg_get(tls, tls_cfg, config_file).s) { -+ if(tls_fix_domains_cfg(*tls_domains_cfg, &srv_defaults, &cli_defaults) -+ < 0) -+ return -1; -+ } else { -+ if(tls_fix_domains_cfg(*tls_domains_cfg, &mod_params, &mod_params) < 0) -+ return -1; -+ } -+ return 0; -+} -+ - static int mod_child(int rank) - { - if(tls_disable || (tls_domains_cfg == 0)) -@@ -450,29 +470,17 @@ static int mod_child(int rank) - - #if OPENSSL_VERSION_NUMBER >= 0x010101000L - /* -- * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in worker to avoid init of -- * libssl in rank 0(thread#1). Requires tls_threads_mode = 1 config. 
-- */ -- if((rank == PROC_SIPINIT && ksr_tls_threads_mode) -- || (rank == PROC_INIT && !ksr_tls_threads_mode)) { -+ * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in thread executor -+ * to avoid init of libssl in thread#1 -+ */ -+ if(rank == PROC_INIT && ksr_tls_threads_mode != 0) { -+ return run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, NULL); -+ } - #else - if(rank == PROC_INIT) { --#endif -- LM_DBG("Loading SSL_CTX in process_no=%d rank=%d " -- "ksr_tls_threads_mode=%d\n", -- process_no, rank, ksr_tls_threads_mode); -- if(cfg_get(tls, tls_cfg, config_file).s) { -- if(tls_fix_domains_cfg( -- *tls_domains_cfg, &srv_defaults, &cli_defaults) -- < 0) -- return -1; -- } else { -- if(tls_fix_domains_cfg(*tls_domains_cfg, &mod_params, &mod_params) -- < 0) -- return -1; -- } -- return 0; -+ return mod_child_hook(&rank, NULL); - } -+#endif /* OPENSSL_VERSION_NUMBER */ - - #ifndef OPENSSL_NO_ENGINE - /* diff --git a/debian/patches/upstream/tls-restore-some-function-calls-in-non-threaded-mode.patch b/debian/patches/upstream/tls-restore-some-function-calls-in-non-threaded-mode.patch deleted file mode 100644 index 523cbab9d..000000000 --- a/debian/patches/upstream/tls-restore-some-function-calls-in-non-threaded-mode.patch +++ /dev/null 
@@ -1,171 +0,0 @@ -From: S-P Chan -Date: Tue, 13 Feb 2024 07:15:05 +0800 -Subject: tls: restore some function calls in non-threaded mode - -In the case that tls_threads_mode = 0 we restore the earlier -behaviour of 5.7.3. -- OpenSSL 1.1.1: restore early call to RAND_set_rand_method -- OpenSSL 3.x: restore enable locking on EVP_RAND_CTX ---- - src/modules/tls/tls_init.c | 92 +++++++++++++++++++++++----------------------- - src/modules/tls/tls_mod.c | 19 +++++++--- - 2 files changed, 59 insertions(+), 52 deletions(-) - -diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c -index 1c6b19f..b7901af 100644 ---- a/src/modules/tls/tls_init.c -+++ b/src/modules/tls/tls_init.c -@@ -737,43 +737,43 @@ int tls_pre_init(void) - * left here in case more complex requirements arise in - * OpenSSL >= 3.2. - */ --long tls_h_mod_randctx(void *param) -+int tls_h_mod_randctx() - { -- do { -- OSSL_LIB_CTX *osslglobal = NULL; -- EVP_RAND_CTX *randctx = NULL; -- -- LM_DBG("enabling locking for rand ctx\n"); -- -- osslglobal = OSSL_LIB_CTX_get0_global_default(); -- if(osslglobal == NULL) { -- LM_ERR("failed to get lib ssl global ctx\n"); -- return -1L; -- } -- -- randctx = RAND_get0_primary(osslglobal); -- if(randctx == NULL) { -- LM_ERR("primary rand ctx is null\n"); -- return -1L; -- } -- EVP_RAND_enable_locking(randctx); -- -- randctx = RAND_get0_public(osslglobal); -- if(randctx == NULL) { -- LM_ERR("public rand ctx is null\n"); -- return -1L; -- } -- EVP_RAND_enable_locking(randctx); -- -- randctx = RAND_get0_private(osslglobal); -- if(randctx == NULL) { -- LM_ERR("private rand ctx is null\n"); -- return -1L; -- } -- EVP_RAND_enable_locking(randctx); -- } while(0); -- -- return 0L; -+ do { -+ OSSL_LIB_CTX *osslglobal = NULL; -+ EVP_RAND_CTX *randctx = NULL; -+ -+ LM_DBG("enabling locking for rand ctx\n"); -+ -+ osslglobal = OSSL_LIB_CTX_get0_global_default(); -+ if(osslglobal == NULL) { -+ LM_ERR("failed to get lib ssl global ctx\n"); -+ return -1; -+ } -+ -+ randctx = 
RAND_get0_primary(osslglobal); -+ if(randctx == NULL) { -+ LM_ERR("primary rand ctx is null\n"); -+ return -1; -+ } -+ EVP_RAND_enable_locking(randctx); -+ -+ randctx = RAND_get0_public(osslglobal); -+ if(randctx == NULL) { -+ LM_ERR("public rand ctx is null\n"); -+ return -1; -+ } -+ EVP_RAND_enable_locking(randctx); -+ -+ randctx = RAND_get0_private(osslglobal); -+ if(randctx == NULL) { -+ LM_ERR("private rand ctx is null\n"); -+ return -1; -+ } -+ EVP_RAND_enable_locking(randctx); -+ } while(0); -+ -+ return 0; - } - #endif /* OPENSSL_VERSION_NUMBER */ - -@@ -801,21 +801,19 @@ int tls_h_mod_pre_init_f(void) - SSL_load_error_strings(); - #endif - --#if 0 - #if OPENSSL_VERSION_NUMBER >= 0x030000000L -- /* -+ /* - * With deferred initialisation it is not necessary to enable threading -- * on the EVP_RAND_CTX. We leave this block here as an example of how -- * to do it in case of future requirements. -+ * on the EVP_RAND_CTX in tls_threads_mode = 1 - */ -- pthread_t tid; -- long rl; -- pthread_create(&tid, NULL, (void *(*)(void *))tls_h_mod_randctx, NULL); -- pthread_join(tid, (void **)&rl); -- if ((int)rl) -- return (int)rl; -+ int ret; -+ -+ if(ksr_tls_threads_mode == 0) { -+ ret = tls_h_mod_randctx(); -+ if(ret) -+ return ret; -+ } - #endif /* OPENSSL_VERSION_NUMBER */ --#endif /* 0 */ - - tls_mod_preinitialized = 1; - return 0; -diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c -index 3359aaf..5d3982b 100644 ---- a/src/modules/tls/tls_mod.c -+++ b/src/modules/tls/tls_mod.c -@@ -449,13 +449,14 @@ static int mod_child(int rank) - return 0; - - #if OPENSSL_VERSION_NUMBER >= 0x010101000L -- /* -+ /* - * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in worker to avoid init of - * libssl in rank 0(thread#1). Requires tls_threads_mode = 1 config. 
- */ -- if((rank == PROC_SIPINIT && ksr_tls_threads_mode) || (rank == PROC_INIT && !ksr_tls_threads_mode)) { -+ if((rank == PROC_SIPINIT && ksr_tls_threads_mode) -+ || (rank == PROC_INIT && !ksr_tls_threads_mode)) { - #else -- if(rank == PROC_INIT) { -+ if(rank == PROC_INIT) { - #endif - if(cfg_get(tls, tls_cfg, config_file).s) { - if(tls_fix_domains_cfg( -@@ -678,10 +679,18 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2) - - register_tls_hooks(&tls_h); - -- /* -+ /* - * GH #3695: OpenSSL 1.1.1 historical note: it is no longer -- * needed to replace RAND with cryptorand -+ * needed to replace RAND with cryptorand in tls_threads_mode = 1 - */ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L \ -+ && OPENSSL_VERSION_NUMBER < 0x030000000L -+ if(ksr_tls_threads_mode == 0) { -+ LM_DBG("setting cryptorand random engine\n"); -+ RAND_set_rand_method(RAND_ksr_cryptorand_method()); -+ } -+#endif -+ - sr_kemi_modules_add(sr_kemi_tls_exports); - - return 0; diff --git a/debian/patches/upstream/tlsa-removed-the-map-files-used-in-the-past-for-tls-.patch b/debian/patches/upstream/tlsa-removed-the-map-files-used-in-the-past-for-tls-.patch deleted file mode 100644 index f342731ea..000000000 --- a/debian/patches/upstream/tlsa-removed-the-map-files-used-in-the-past-for-tls-.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From: Daniel-Constantin Mierla -Date: Sat, 2 Mar 2024 08:13:40 +0100 -Subject: tlsa: removed the map files used in the past for tls engine - -- sync with code of tls module ---- - src/modules/tlsa/tls_map.c | 27 --------------------------- - src/modules/tlsa/tls_map.h | 27 --------------------------- - 2 files changed, 54 deletions(-) - delete mode 100644 src/modules/tlsa/tls_map.c - delete mode 100644 src/modules/tlsa/tls_map.h - -diff --git a/src/modules/tlsa/tls_map.c b/src/modules/tlsa/tls_map.c -deleted file mode 100644 -index ad799b5..0000000 ---- a/src/modules/tlsa/tls_map.c -+++ /dev/null -@@ -1,27 +0,0 @@ --/** -- * Copyright (C) 2021 Daniel-Constantin Mierla (asipto.com) -- * -- * This file is part of Kamailio, a free SIP server. -- * -- * This file is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License as published by -- * the Free Software Foundation; either version 2 of the License, or -- * (at your option) any later version -- * -- * -- * This file is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. -- * -- * You should have received a copy of the GNU General Public License -- * along with this program; if not, write to the Free Software -- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -- * -- */ -- --/** -- * THIS FILE IS GENERATED - DO NOT MODIFY IT -- */ -- --#include "../tls/tls_map.c" -diff --git a/src/modules/tlsa/tls_map.h b/src/modules/tlsa/tls_map.h -deleted file mode 100644 -index 96705a7..0000000 ---- a/src/modules/tlsa/tls_map.h -+++ /dev/null -@@ -1,27 +0,0 @@ --/** -- * Copyright (C) 2021 Daniel-Constantin Mierla (asipto.com) -- * -- * This file is part of Kamailio, a free SIP server. 
-- * -- * This file is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License as published by -- * the Free Software Foundation; either version 2 of the License, or -- * (at your option) any later version -- * -- * -- * This file is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. -- * -- * You should have received a copy of the GNU General Public License -- * along with this program; if not, write to the Free Software -- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -- * -- */ -- --/** -- * THIS FILE IS GENERATED - DO NOT MODIFY IT -- */ -- --#include "../tls/tls_map.h" diff --git a/debian/patches/upstream/xcap_client-libssl-thread-executor-for-curl_global_i.patch b/debian/patches/upstream/xcap_client-libssl-thread-executor-for-curl_global_i.patch deleted file mode 100644 index 165bb7fdb..000000000 --- a/debian/patches/upstream/xcap_client-libssl-thread-executor-for-curl_global_i.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From: S-P Chan -Date: Tue, 27 Feb 2024 05:01:45 +0800 -Subject: xcap_client: libssl thread executor for curl_global_init() - -Cherry-pick from f5164b39c8 ---- - src/modules/xcap_client/xcap_client.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/modules/xcap_client/xcap_client.c b/src/modules/xcap_client/xcap_client.c -index ac77228..4de2d36 100644 ---- a/src/modules/xcap_client/xcap_client.c -+++ b/src/modules/xcap_client/xcap_client.c -@@ -41,6 +41,9 @@ - #include "../../core/mem/shm_mem.h" - #include "../../core/rpc.h" - #include "../../core/rpc_lookup.h" -+#define KSR_RTHREAD_NEED_4L -+#define KSR_RTHREAD_SKIP_P -+#include "../../core/rthreads.h" - #include "../presence/utils_func.h" - #include "xcap_functions.h" - #include "xcap_client.h" -@@ -140,7 +143,7 @@ static int mod_init(void) - xcap_dbf.close(xcap_db); - xcap_db = NULL; - -- curl_global_init(CURL_GLOBAL_ALL); -+ run_thread4L((_thread_proto4L)curl_global_init, CURL_GLOBAL_ALL); - - if(periodical_query) { - register_timer(query_xcap_update, 0, query_period);