From 901ea7aa341a8c0afac2dc6234ac0892e2124542 Mon Sep 17 00:00:00 2001 From: Victor Seva Date: Tue, 9 Jan 2024 20:26:08 +0100 Subject: [PATCH] MT#58875 tls fixes from upstream 5.7 branch, take two Change-Id: I4f263a679653018f1d97c7e920ff79ece9298f9d --- debian/patches/series | 8 + ...-1.1.1-thread-local-init-libssl-in-t.patch | 22 +++ ...-3.x-thread-local-init-libssl-in-thr.patch | 64 ++++++++ ...ound-build-fix-missing-argument-name.patch | 22 +++ ...1-thread-local-init-libssl-in-thread.patch | 94 ++++++++++++ ...1.1.1-thread-local-clean-up-dead-cod.patch | 107 +++++++++++++ ...thread-local-init-libssl-in-thread-o.patch | 145 ++++++++++++++++++ ...s-fix-compilation-with-OpenSSL-1.1.1.patch | 29 ++++ ...-revert-1a9b0b6361-as-double-layer-l.patch | 140 +++++++++++++++++ 9 files changed, 631 insertions(+) create mode 100644 debian/patches/upstream/outbound-OpenSSL-1.1.1-thread-local-init-libssl-in-t.patch create mode 100644 debian/patches/upstream/outbound-OpenSSL-3.x-thread-local-init-libssl-in-thr.patch create mode 100644 debian/patches/upstream/outbound-build-fix-missing-argument-name.patch create mode 100644 debian/patches/upstream/tls-OpenSSL-1.1.1-thread-local-init-libssl-in-thread.patch create mode 100644 debian/patches/upstream/tls-OpenSSL-3.x-1.1.1-thread-local-clean-up-dead-cod.patch create mode 100644 debian/patches/upstream/tls-OpenSSL-3.x-thread-local-init-libssl-in-thread-o.patch create mode 100644 debian/patches/upstream/tls-fix-compilation-with-OpenSSL-1.1.1.patch create mode 100644 debian/patches/upstream/tls-thread-local-revert-1a9b0b6361-as-double-layer-l.patch diff --git a/debian/patches/series b/debian/patches/series index 383c4fd38..6784cec4d 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -36,6 +36,14 @@ upstream/Makefile.groups-tlsa-in-packaging-group-ktls-if-KTLS.patch
 upstream/tls-rework-init-mode-1-to-set-PTHREAD_PROCESS_SHARED.patch
 upstream/tls-init-early-the-local-lock-for-memory.patch
 upstream/core-parse-privacy-recompute-lenght-of-rest-to-parse.patch
+upstream/tls-OpenSSL-3.x-thread-local-init-libssl-in-thread-o.patch
+upstream/tls-fix-compilation-with-OpenSSL-1.1.1.patch
+upstream/tls-OpenSSL-1.1.1-thread-local-init-libssl-in-thread.patch
+upstream/tls-thread-local-revert-1a9b0b6361-as-double-layer-l.patch
+upstream/tls-OpenSSL-3.x-1.1.1-thread-local-clean-up-dead-cod.patch
+upstream/outbound-OpenSSL-3.x-thread-local-init-libssl-in-thr.patch
+upstream/outbound-OpenSSL-1.1.1-thread-local-init-libssl-in-t.patch
+upstream/outbound-build-fix-missing-argument-name.patch
 ## upstream master
 sipwise/pv_headers-rework-pvh_remove_header_param-take-two.patch
 upstream/pv_headers-compare-result-of-pvh_set_xavi-with-NULL-.patch
diff --git a/debian/patches/upstream/outbound-OpenSSL-1.1.1-thread-local-init-libssl-in-t.patch b/debian/patches/upstream/outbound-OpenSSL-1.1.1-thread-local-init-libssl-in-t.patch
new file mode 100644
index 000000000..91677c07b
--- /dev/null
+++ b/debian/patches/upstream/outbound-OpenSSL-1.1.1-thread-local-init-libssl-in-t.patch
@@ -0,0 +1,22 @@
+From: S-P Chan
+Date: Thu, 4 Jan 2024 21:47:23 +0800
+Subject: outbound: OpenSSL 1.1.1 thread-local, init libssl in thread
+
+(cherry-pick from 689de2736f5c92f11860e5854ccd95c84239f032)
+---
+ src/modules/outbound/outbound_mod.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/modules/outbound/outbound_mod.c b/src/modules/outbound/outbound_mod.c
+index 00c0a66..a797eb8 100644
+--- a/src/modules/outbound/outbound_mod.c
++++ b/src/modules/outbound/outbound_mod.c
+@@ -110,7 +110,7 @@ static int mod_init(void)
+ }
+ ob_key.len = OB_KEY_LEN;
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x030000000L
++#if OPENSSL_VERSION_NUMBER < 0x010101000L
+ mod_init_openssl(NULL);
+ #else
+ pthread_t tid;
diff --git a/debian/patches/upstream/outbound-OpenSSL-3.x-thread-local-init-libssl-in-thr.patch b/debian/patches/upstream/outbound-OpenSSL-3.x-thread-local-init-libssl-in-thr.patch
new file mode 100644
index 000000000..713702ada
--- /dev/null
+++ b/debian/patches/upstream/outbound-OpenSSL-3.x-thread-local-init-libssl-in-thr.patch
@@ -0,0 +1,64 @@ +From: S-P Chan +Date: Thu, 4 Jan 2024 20:11:21 +0800 +Subject: outbound: OpenSSL 3.x thread-local, init libssl in thread + +(cherry-pick from 4742c8131aba878c4fc954e42b656b9d4bafdd24) +--- + src/modules/outbound/outbound_mod.c | 37 +++++++++++++++++++++++++------------ + 1 file changed, 25 insertions(+), 12 deletions(-) + +diff --git a/src/modules/outbound/outbound_mod.c b/src/modules/outbound/outbound_mod.c +index 4e408e2..00c0a66 100644 +--- a/src/modules/outbound/outbound_mod.c ++++ b/src/modules/outbound/outbound_mod.c +@@ -75,6 +75,23 @@ struct module_exports exports = { + destroy /* destroy function */ + }; + ++static void *mod_init_openssl(void *) { ++ if(flow_token_secret.s) { ++ assert(ob_key.len == SHA_DIGEST_LENGTH); ++ LM_DBG("flow_token_secret mod param set. use persistent ob_key"); ++ SHA1((const unsigned char *)flow_token_secret.s, flow_token_secret.len, ++ (unsigned char *)ob_key.s); ++ } else { ++ if(RAND_bytes((unsigned char *)ob_key.s, ob_key.len) == 0) { ++ LM_ERR("unable to get %d cryptographically strong pseudo-" ++ "random bytes\n", ++ ob_key.len); ++ } ++ } ++ ++ return NULL; ++} ++ + static int mod_init(void) + { + if(ob_force_flag != -1 && !flag_in_range(ob_force_flag)) { +@@ -93,18 +110,14 @@ static int mod_init(void) + } + ob_key.len = OB_KEY_LEN; + +- if(flow_token_secret.s) { +- assert(ob_key.len == SHA_DIGEST_LENGTH); +- LM_DBG("flow_token_secret mod param set. 
use persistent ob_key"); +- SHA1((const unsigned char *)flow_token_secret.s, flow_token_secret.len, +- (unsigned char *)ob_key.s); +- } else { +- if(RAND_bytes((unsigned char *)ob_key.s, ob_key.len) == 0) { +- LM_ERR("unable to get %d cryptographically strong pseudo-" +- "random bytes\n", +- ob_key.len); +- } +- } ++#if OPENSSL_VERSION_NUMBER < 0x030000000L ++ mod_init_openssl(NULL); ++#else ++ pthread_t tid; ++ void *retval; ++ pthread_create(&tid, NULL, mod_init_openssl, NULL); ++ pthread_join(tid, &retval); ++#endif + + if(cfg_declare("outbound", outbound_cfg_def, &default_outbound_cfg, + cfg_sizeof(outbound), &outbound_cfg)) { diff --git a/debian/patches/upstream/outbound-build-fix-missing-argument-name.patch b/debian/patches/upstream/outbound-build-fix-missing-argument-name.patch new file mode 100644 index 000000000..95dc260e8 --- /dev/null +++ b/debian/patches/upstream/outbound-build-fix-missing-argument-name.patch @@ -0,0 +1,22 @@ +From: S-P Chan +Date: Fri, 5 Jan 2024 20:56:39 +0800 +Subject: outbound: build, fix missing argument name + +(cherry-pick from 4708f537d7f5d28123b48cd89474a4931dd698ad) +--- + src/modules/outbound/outbound_mod.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/modules/outbound/outbound_mod.c b/src/modules/outbound/outbound_mod.c +index a797eb8..32f10f6 100644 +--- a/src/modules/outbound/outbound_mod.c ++++ b/src/modules/outbound/outbound_mod.c +@@ -75,7 +75,7 @@ struct module_exports exports = { + destroy /* destroy function */ + }; + +-static void *mod_init_openssl(void *) { ++static void *mod_init_openssl(void *arg) { + if(flow_token_secret.s) { + assert(ob_key.len == SHA_DIGEST_LENGTH); + LM_DBG("flow_token_secret mod param set. use persistent ob_key"); diff --git a/debian/patches/upstream/tls-OpenSSL-1.1.1-thread-local-init-libssl-in-thread.patch b/debian/patches/upstream/tls-OpenSSL-1.1.1-thread-local-init-libssl-in-thread.patch new file mode 100644 index 000000000..bf30952c8 --- /dev/null 
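Review bot: The new `pthread_create(&tid, NULL, mod_init_openssl, NULL)` in mod_init discards its return code, so when thread creation fails `tid` is uninitialized when passed to `pthread_join` and mod_init carries on with `ob_key` never derived; the `RAND_bytes` failure branch moved into mod_init_openssl likewise only logs and lets init succeed, and its `== 0` test misses the documented `-1` "not supported" result. Given the `flow_token_secret` fallback, `ob_key` appears to be the key the module authenticates flow tokens with (inferred, not shown here), so an undetected failure would leave the instance running on an uninitialized or zeroed key — both paths should make mod_init return -1. Propose a non-NULL sentinel from mod_init_openssl on `RAND_bytes(...) != 1` and checking the thread result as below. mod_init continues past the end of the hunk.
```c
static void *mod_init_openssl(void *arg)
{
	(void)arg;
	if(flow_token_secret.s) {
		/* … unchanged: SHA1(flow_token_secret) -> ob_key … */
	} else if(RAND_bytes((unsigned char *)ob_key.s, ob_key.len) != 1) {
		LM_ERR("unable to get %d cryptographically strong pseudo-"
			   "random bytes\n",
				ob_key.len);
		return (void *)-1L; /* make mod_init fail instead of running keyless */
	}
	return NULL;
}

/* … unchanged: mod_init up to ob_key.len = OB_KEY_LEN; … */
#if OPENSSL_VERSION_NUMBER < 0x030000000L
	if(mod_init_openssl(NULL) != NULL)
		return -1;
#else
	pthread_t tid;
	void *retval = NULL;
	if(pthread_create(&tid, NULL, mod_init_openssl, NULL) != 0
			|| pthread_join(tid, &retval) != 0 || retval != NULL) {
		LM_ERR("failed to initialize ob_key\n");
		return -1;
	}
#endif
```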
+++ b/debian/patches/upstream/tls-OpenSSL-1.1.1-thread-local-init-libssl-in-thread.patch 
@@ -0,0 +1,94 @@ +From: S-P Chan +Date: Thu, 4 Jan 2024 21:56:00 +0800 +Subject: tls: OpenSSL 1.1.1 thread-local, init libssl in thread + +- no need for RAND workaround; default is OpenSSL 1.1.1 RAND +- linux/pthreads will handle forking + +(cherry-pick from 7b531cfe038fae5e3414ac74c4e076c10e32b86c) +--- + src/modules/tls/tls_init.c | 5 +++-- + src/modules/tls/tls_mod.c | 22 ++++++++++++---------- + 2 files changed, 15 insertions(+), 12 deletions(-) + +diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c +index 872fdb2..2d5a9e1 100644 +--- a/src/modules/tls/tls_init.c ++++ b/src/modules/tls/tls_init.c +@@ -825,7 +825,8 @@ int tls_h_mod_pre_init_f(void) + #if OPENSSL_VERSION_NUMBER >= 0x030000000L + // skip init for 3.x + #elif OPENSSL_VERSION_NUMBER >= 0x010101000L +- OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL); ++ //not needed on Linux ++ //OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL); + #else + OPENSSL_init_ssl(0, NULL); + #endif +@@ -833,7 +834,7 @@ int tls_h_mod_pre_init_f(void) + LM_DBG("preparing tls env for modules initialization (libssl <=1.0)\n"); + SSL_library_init(); + #endif +-#if OPENSSL_VERSION_NUMBER < 0x030000000L ++#if OPENSSL_VERSION_NUMBER < 0x010101000L + SSL_load_error_strings(); + #endif + +diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c +index 1e74ba0..03874ed 100644 +--- a/src/modules/tls/tls_mod.c ++++ b/src/modules/tls/tls_mod.c +@@ -440,8 +440,16 @@ static int mod_child(int rank) + + /* fix tls config only from the main proc/PROC_INIT., when we know + * the exact process number and before any other process starts*/ ++ if(rank == PROC_INIT) { ++#if OPENSSL_VERSION_NUMBER >= 0x010101000L \ ++ && OPENSSL_VERSION_NUMBER < 0x030000000L ++ if(ksr_tls_init_mode & TLS_MODE_FORK_PREPARE) { ++ // not needed on Linux: OPENSSL_fork_prepare(); ++ } ++#endif ++ } + +-#if OPENSSL_VERSION_NUMBER >= 0x030000000L ++#if OPENSSL_VERSION_NUMBER >= 0x010101000L + /* + * OpenSSL 3.x: create shared SSL_CTX* in worker to avoid 
init of + * libssl in rank 0(thread#1) +@@ -460,12 +468,6 @@ static int mod_child(int rank) + < 0) + return -1; + } +-#if OPENSSL_VERSION_NUMBER >= 0x010101000L \ +- && OPENSSL_VERSION_NUMBER < 0x030000000L +- if(ksr_tls_init_mode & TLS_MODE_FORK_PREPARE) { +- OPENSSL_fork_prepare(); +- } +-#endif + return 0; + } + +@@ -476,11 +478,11 @@ static int mod_child(int rank) + /* + * this is called after forking of all child processes + */ +- OPENSSL_fork_parent(); ++ // not needed on Linux: OPENSSL_fork_parent(); + return 0; + } + if(!_ksr_is_main) { +- OPENSSL_fork_child(); ++ // not needed on Linux: OPENSSL_fork_child(); + } + } + #endif +@@ -691,7 +693,7 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2) + #if OPENSSL_VERSION_NUMBER >= 0x10100000L \ + && OPENSSL_VERSION_NUMBER < 0x030000000L + LM_DBG("setting cryptorand random engine\n"); +- RAND_set_rand_method(RAND_ksr_cryptorand_method()); ++ // RAND_set_rand_method(RAND_ksr_cryptorand_method()); + #endif + + sr_kemi_modules_add(sr_kemi_tls_exports); diff --git a/debian/patches/upstream/tls-OpenSSL-3.x-1.1.1-thread-local-clean-up-dead-cod.patch b/debian/patches/upstream/tls-OpenSSL-3.x-1.1.1-thread-local-clean-up-dead-cod.patch new file mode 100644 index 000000000..4b6cb7f33 --- /dev/null +++ b/debian/patches/upstream/tls-OpenSSL-3.x-1.1.1-thread-local-clean-up-dead-cod.patch 
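Review bot: The `//not needed on Linux` comments in tls_h_mod_pre_init_f and mod_child switch off `OPENSSL_INIT_ATFORK` and the `OPENSSL_fork_prepare/parent/child` calls for every build with `OPENSSL_VERSION_NUMBER >= 0x010101000L`, but the property this relies on — the 1.1.1 DRBG reseeding by itself after fork() when it observes a new pid — only exists from 1.1.1d (the CVE-2019-1549 fix); on 1.1.1 through 1.1.1c those hooks were what bumped the DRBG fork count, so forked workers would share RNG state with the parent, and the same assumption underlies dropping `RAND_set_rand_method(RAND_ksr_cryptorand_method())`. The behaviour is also not a Linux property, so the comment states the wrong reason. Suggest raising the guard to `#if OPENSSL_VERSION_NUMBER >= 0x1010104fL` (1.1.1d) and replacing the four `not needed on Linux` comments with one that names the reason, e.g. `/* >= 1.1.1d: the DRBG detects fork() via the pid and reseeds; no atfork hooks or custom RAND method needed (CVE-2019-1549) */`. mod_child's body continues outside the hunk.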
@@ -0,0 +1,107 @@ +From: S-P Chan +Date: Fri, 5 Jan 2024 07:38:56 +0800 +Subject: tls: OpenSSL 3.x/1.1.1 thread-local, + clean-up dead code and preprocessor blocks + +(cherry-pick from 798cc26908395d2ba21015684ad6f0ac4f012b2e) +--- + src/modules/tls/tls_init.c | 7 +------ + src/modules/tls/tls_mod.c | 44 ++++++++++---------------------------------- + 2 files changed, 11 insertions(+), 40 deletions(-) + +diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c +index 58289c6..65f5ae7 100644 +--- a/src/modules/tls/tls_init.c ++++ b/src/modules/tls/tls_init.c +@@ -783,12 +783,7 @@ int tls_h_mod_pre_init_f(void) + LM_DBG("preparing tls env for modules initialization\n"); + #if OPENSSL_VERSION_NUMBER >= 0x010100000L && !defined(LIBRESSL_VERSION_NUMBER) + LM_DBG("preparing tls env for modules initialization (libssl >=1.1)\n"); +-#if OPENSSL_VERSION_NUMBER >= 0x030000000L +- // skip init for 3.x +-#elif OPENSSL_VERSION_NUMBER >= 0x010101000L +- //not needed on Linux +- //OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL); +-#else ++#if OPENSSL_VERSION_NUMBER < 0x010100000L + OPENSSL_init_ssl(0, NULL); + #endif + #else +diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c +index 03874ed..7cad1b0 100644 +--- a/src/modules/tls/tls_mod.c ++++ b/src/modules/tls/tls_mod.c +@@ -438,20 +438,9 @@ static int mod_child(int rank) + if(tls_disable || (tls_domains_cfg == 0)) + return 0; + +- /* fix tls config only from the main proc/PROC_INIT., when we know +- * the exact process number and before any other process starts*/ +- if(rank == PROC_INIT) { +-#if OPENSSL_VERSION_NUMBER >= 0x010101000L \ +- && OPENSSL_VERSION_NUMBER < 0x030000000L +- if(ksr_tls_init_mode & TLS_MODE_FORK_PREPARE) { +- // not needed on Linux: OPENSSL_fork_prepare(); +- } +-#endif +- } +- + #if OPENSSL_VERSION_NUMBER >= 0x010101000L + /* +- * OpenSSL 3.x: create shared SSL_CTX* in worker to avoid init of ++ * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in worker to avoid init of + * libssl in 
rank 0(thread#1) + */ + if(rank == PROC_SIPINIT) { +@@ -471,22 +460,6 @@ static int mod_child(int rank) + return 0; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x010101000L \ +- && OPENSSL_VERSION_NUMBER < 0x030000000L +- if(ksr_tls_init_mode & TLS_MODE_FORK_PREPARE) { +- if(rank == PROC_POSTCHILDINIT) { +- /* +- * this is called after forking of all child processes +- */ +- // not needed on Linux: OPENSSL_fork_parent(); +- return 0; +- } +- if(!_ksr_is_main) { +- // not needed on Linux: OPENSSL_fork_child(); +- } +- } +-#endif +- + #ifndef OPENSSL_NO_ENGINE + /* + * after the child is fork()ed we go through the TLS domains +@@ -514,6 +487,11 @@ static void mod_destroy(void) + * => nothing to do here */ + } + ++/* ++ * GH #3695: OpenSSL 1.1.1: it is no longer necessary to replace RAND ++ * - early init in rank 0 causes workers to inherit public_drbg/private_drbg ++ * which are not thread-safe ++ */ + + int ksr_rand_engine_param(modparam_t type, void *val) + { +@@ -690,12 +668,10 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2) + + register_tls_hooks(&tls_h); + +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L \ +- && OPENSSL_VERSION_NUMBER < 0x030000000L +- LM_DBG("setting cryptorand random engine\n"); +- // RAND_set_rand_method(RAND_ksr_cryptorand_method()); +-#endif +- ++ /* ++ * GH #3695: OpenSSL 1.1.1 historical note: it is no longer ++ * needed to replace RAND with cryptorand ++ */ + sr_kemi_modules_add(sr_kemi_tls_exports); + + return 0; diff --git a/debian/patches/upstream/tls-OpenSSL-3.x-thread-local-init-libssl-in-thread-o.patch b/debian/patches/upstream/tls-OpenSSL-3.x-thread-local-init-libssl-in-thread-o.patch new file mode 100644 index 000000000..f61b0cc02 --- /dev/null +++ b/debian/patches/upstream/tls-OpenSSL-3.x-thread-local-init-libssl-in-thread-o.patch 
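Review bot: The inner `#if OPENSSL_VERSION_NUMBER < 0x010100000L` now guarding `OPENSSL_init_ssl(0, NULL)` in tls_h_mod_pre_init_f sits inside the enclosing `#if OPENSSL_VERSION_NUMBER >= 0x010100000L && !defined(LIBRESSL_VERSION_NUMBER)` block, so the two conditions contradict each other and the call can never be compiled — including on 1.1.0, where the replaced `#else` branch did invoke it. If dropping the explicit init on 1.1.0 is intended (libssl from 1.1.0 initialises itself on first use), delete the three lines and say so in a comment; otherwise the guard should read `#if OPENSSL_VERSION_NUMBER < 0x010101000L`. A dead preprocessor block inside a patch titled "clean-up dead code" is worth fixing before it ships. tls_h_mod_pre_init_f continues outside the hunk.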
@@ -0,0 +1,145 @@ +From: S-P Chan +Date: Thu, 4 Jan 2024 20:00:09 +0800 +Subject: tls: OpenSSL 3.x thread-local, init libssl in thread or PROC_SIPINIT + +- avoid initialising ERR_STATE in rank 0(thread#1) + +(cherry-pick from e49a60e1052c6c1dcebe7f78f2ac970338eabe2e) +--- + src/modules/tls/tls_init.c | 83 +++++++++++++++++++++++++++------------------- + src/modules/tls/tls_mod.c | 11 +++++- + 2 files changed, 59 insertions(+), 35 deletions(-) + +diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c +index 57be9ca..0bc12d3 100644 +--- a/src/modules/tls/tls_init.c ++++ b/src/modules/tls/tls_init.c +@@ -769,6 +769,44 @@ int tls_pre_init(void) + * tls mod pre-init function + * - executed before any mod_init() + */ ++long tls_h_mod_randctx(void *) { ++ do { ++ OSSL_LIB_CTX *osslglobal = NULL; ++ EVP_RAND_CTX *randctx = NULL; ++ ++ LM_DBG("enabling locking for rand ctx\n"); ++ ++ osslglobal = OSSL_LIB_CTX_get0_global_default(); ++ if(osslglobal == NULL) { ++ LM_ERR("failed to get lib ssl global ctx\n"); ++ return -1L; ++ } ++ ++ randctx = RAND_get0_primary(osslglobal); ++ if(randctx == NULL) { ++ LM_ERR("primary rand ctx is null\n"); ++ return -1L; ++ } ++ EVP_RAND_enable_locking(randctx); ++ ++ randctx = RAND_get0_public(osslglobal); ++ if(randctx == NULL) { ++ LM_ERR("public rand ctx is null\n"); ++ return -1L; ++ } ++ EVP_RAND_enable_locking(randctx); ++ ++ randctx = RAND_get0_private(osslglobal); ++ if(randctx == NULL) { ++ LM_ERR("private rand ctx is null\n"); ++ return -1L; ++ } ++ EVP_RAND_enable_locking(randctx); ++ } while(0); ++ ++ return 0L; ++} ++ + int tls_h_mod_pre_init_f(void) + { + if(tls_mod_preinitialized == 1) { +@@ -782,7 +820,9 @@ int tls_h_mod_pre_init_f(void) + LM_DBG("preparing tls env for modules initialization\n"); + #if OPENSSL_VERSION_NUMBER >= 0x010100000L && !defined(LIBRESSL_VERSION_NUMBER) + LM_DBG("preparing tls env for modules initialization (libssl >=1.1)\n"); +-#if OPENSSL_VERSION_NUMBER >= 0x010101000L ++#if 
OPENSSL_VERSION_NUMBER >= 0x030000000L ++ // skip init for 3.x ++#elif OPENSSL_VERSION_NUMBER >= 0x010101000L + OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL); + #else + OPENSSL_init_ssl(0, NULL); +@@ -791,42 +831,17 @@ int tls_h_mod_pre_init_f(void) + LM_DBG("preparing tls env for modules initialization (libssl <=1.0)\n"); + SSL_library_init(); + #endif ++#if OPENSSL_VERSION_NUMBER < 0x030000000L + SSL_load_error_strings(); ++#endif + + #if OPENSSL_VERSION_NUMBER >= 0x030000000L +- do { +- OSSL_LIB_CTX *osslglobal = NULL; +- EVP_RAND_CTX *randctx = NULL; +- +- LM_DBG("enabling locking for rand ctx\n"); +- +- osslglobal = OSSL_LIB_CTX_get0_global_default(); +- if(osslglobal == NULL) { +- LM_ERR("failed to get lib ssl global ctx\n"); +- return -1; +- } +- +- randctx = RAND_get0_primary(osslglobal); +- if(randctx == NULL) { +- LM_ERR("primary rand ctx is null\n"); +- return -1; +- } +- EVP_RAND_enable_locking(randctx); +- +- randctx = RAND_get0_public(osslglobal); +- if(randctx == NULL) { +- LM_ERR("public rand ctx is null\n"); +- return -1; +- } +- EVP_RAND_enable_locking(randctx); +- +- randctx = RAND_get0_private(osslglobal); +- if(randctx == NULL) { +- LM_ERR("private rand ctx is null\n"); +- return -1; +- } +- EVP_RAND_enable_locking(randctx); +- } while(0); ++ pthread_t tid; ++ long rl; ++ pthread_create(&tid, NULL, (void *(*)(void *))tls_h_mod_randctx, NULL); ++ pthread_join(tid, (void **)&rl); ++ if ((int)rl) ++ return (int)rl; + #endif + + tls_mod_preinitialized = 1; +diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c +index 3a04776..1e74ba0 100644 +--- a/src/modules/tls/tls_mod.c ++++ b/src/modules/tls/tls_mod.c +@@ -440,7 +440,16 @@ static int mod_child(int rank) + + /* fix tls config only from the main proc/PROC_INIT., when we know + * the exact process number and before any other process starts*/ +- if(rank == PROC_INIT) { ++ ++#if OPENSSL_VERSION_NUMBER >= 0x030000000L ++ /* ++ * OpenSSL 3.x: create shared SSL_CTX* in worker to avoid init 
of ++ * libssl in rank 0(thread#1) ++ */ ++ if(rank == PROC_SIPINIT) { ++#else ++ if(rank == PROC_INIT) { ++#endif + if(cfg_get(tls, tls_cfg, config_file).s) { + if(tls_fix_domains_cfg( + *tls_domains_cfg, &srv_defaults, &cli_defaults) diff --git a/debian/patches/upstream/tls-fix-compilation-with-OpenSSL-1.1.1.patch b/debian/patches/upstream/tls-fix-compilation-with-OpenSSL-1.1.1.patch new file mode 100644 index 000000000..fc48944c2 --- /dev/null +++ b/debian/patches/upstream/tls-fix-compilation-with-OpenSSL-1.1.1.patch @@ -0,0 +1,29 @@ +From: S-P Chan +Date: Thu, 4 Jan 2024 21:51:15 +0800 +Subject: tls: fix compilation with OpenSSL <= 1.1.1 + +(cherry-pick from 7111687e1107261bcdd7a9f8cc90959754c93272) +--- + src/modules/tls/tls_init.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c +index 0bc12d3..872fdb2 100644 +--- a/src/modules/tls/tls_init.c ++++ b/src/modules/tls/tls_init.c +@@ -769,6 +769,7 @@ int tls_pre_init(void) + * tls mod pre-init function + * - executed before any mod_init() + */ ++#if OPENSSL_VERSION_NUMBER >= 0x030000000L + long tls_h_mod_randctx(void *) { + do { + OSSL_LIB_CTX *osslglobal = NULL; +@@ -806,6 +807,7 @@ long tls_h_mod_randctx(void *) { + + return 0L; + } ++#endif + + int tls_h_mod_pre_init_f(void) + { diff --git a/debian/patches/upstream/tls-thread-local-revert-1a9b0b6361-as-double-layer-l.patch b/debian/patches/upstream/tls-thread-local-revert-1a9b0b6361-as-double-layer-l.patch new file mode 100644 index 000000000..de3e5b298 --- /dev/null +++ b/debian/patches/upstream/tls-thread-local-revert-1a9b0b6361-as-double-layer-l.patch 
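Review bot: In tls_h_mod_pre_init_f the new `pthread_create(&tid, NULL, (void *(*)(void *))tls_h_mod_randctx, NULL)` ignores its return code, so a failed thread creation leaves `tid` and `rl` uninitialized for `pthread_join` and pre-init can report success although `EVP_RAND_enable_locking` was never applied to the primary/public/private DRBGs — the one thing the thread exists to do. Calling a `long (*)(void *)` through a `void *(*)(void *)` cast and storing the joined result via `(void **)&rl` into a `long` also rests on pointer and long having the same size rather than on the C contract, and the unnamed `void *` parameter is the same construct the outbound build-fix patch in this series had to name. Suggest making the worker a proper `static void *tls_h_mod_randctx(void *arg)` returning `NULL` on success and a non-NULL sentinel on failure, and checking both pthread calls as below. tls_h_mod_pre_init_f starts inside the hunk but ends outside it.
```c
static void *tls_h_mod_randctx(void *arg)
{
	(void)arg;
	/* … unchanged: OSSL_LIB_CTX_get0_global_default + EVP_RAND_enable_locking
	 * on primary/public/private ctx; each LM_ERR path now `return (void *)-1L;` … */
	return NULL;
}

/* … unchanged: tls_h_mod_pre_init_f up to the SSL_load_error_strings block … */
#if OPENSSL_VERSION_NUMBER >= 0x030000000L
	pthread_t tid;
	void *rl = NULL;
	int rc = pthread_create(&tid, NULL, tls_h_mod_randctx, NULL);
	if(rc != 0) {
		LM_ERR("cannot start rand ctx init thread (%d)\n", rc);
		return -1;
	}
	if(pthread_join(tid, &rl) != 0 || rl != NULL) {
		LM_ERR("rand ctx init failed\n");
		return -1;
	}
#endif
```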
@@ -0,0 +1,140 @@ +From: S-P Chan +Date: Fri, 5 Jan 2024 08:09:34 +0800 +Subject: tls: thread-local, + revert 1a9b0b6361 as double-layer locking is redundant + +- the 2nd lock was put in place as defensive programming for shm contention +- GH #3695: the underlying issue is early init of thread-locals + +(cherry-pick from 1c70775530b1a3a905e8a983610cb0d092b0d240) +--- + src/modules/tls/tls_init.c | 39 --------------------------------------- + 1 file changed, 39 deletions(-) + +diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c +index 2d5a9e1..58289c6 100644 +--- a/src/modules/tls/tls_init.c ++++ b/src/modules/tls/tls_init.c +@@ -259,9 +259,6 @@ static void *ser_malloc(size_t size, const char *file, int line) + static ticks_t st = 0; + #endif + +- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_lock(ksr_tls_lock_shm); +- + #ifdef RAND_NULL_MALLOC + /* start random null returns only after + * NULL_GRACE_PERIOD from first call */ +@@ -289,8 +286,6 @@ static void *ser_malloc(size_t size, const char *file, int line) + size, file, line, bt_buf); + } + #endif +- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_unlock(ksr_tls_lock_shm); + return p; + } + +@@ -304,9 +299,6 @@ static void *ser_realloc(void *ptr, size_t size, const char *file, int line) + static ticks_t st = 0; + #endif + +- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_lock(ksr_tls_lock_shm); +- + #ifdef RAND_NULL_MALLOC + /* start random null returns only after + * NULL_GRACE_PERIOD from first call */ +@@ -335,21 +327,14 @@ static void *ser_realloc(void *ptr, size_t size, const char *file, int line) + } + #endif + +- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_unlock(ksr_tls_lock_shm); +- + return p; + } + + static void ser_free(void *ptr, const char *fname, int fline) + { +- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_lock(ksr_tls_lock_shm); + if(ptr) { + shm_free(ptr); + } +- 
if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_unlock(ksr_tls_lock_shm); + } + + #endif /* LIBRESSL_VERSION_NUMBER */ +@@ -363,11 +348,7 @@ static void *ser_malloc(size_t size) + { + void *p; + +- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_lock(ksr_tls_lock_shm); + p = shm_malloc(size); +- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_unlock(ksr_tls_lock_shm); + return p; + } + +@@ -375,22 +356,14 @@ static void *ser_malloc(size_t size) + static void *ser_realloc(void *ptr, size_t size) + { + void *p; +- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_lock(ksr_tls_lock_shm); + p = shm_realloc(ptr, size); +- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_unlock(ksr_tls_lock_shm); + return p; + } + #else + static void *ser_malloc(size_t size, const char *fname, int fline) + { + void *p; +- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_lock(ksr_tls_lock_shm); + p = shm_malloc(size); +- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_unlock(ksr_tls_lock_shm); + return p; + } + +@@ -398,11 +371,7 @@ static void *ser_malloc(size_t size, const char *fname, int fline) + static void *ser_realloc(void *ptr, size_t size, const char *fname, int fline) + { + void *p; +- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_lock(ksr_tls_lock_shm); + p = shm_realloc(ptr, size); +- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_unlock(ksr_tls_lock_shm); + return p; + } + #endif +@@ -419,24 +388,16 @@ static void ser_free(void *ptr) + * As shm_free() aborts on null pointers, we have to check for null pointer + * here in the wrapper function. 
+ */ +- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_lock(ksr_tls_lock_shm); + if(ptr) { + shm_free(ptr); + } +- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_unlock(ksr_tls_lock_shm); + } + #else + static void ser_free(void *ptr, const char *fname, int fline) + { +- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_lock(ksr_tls_lock_shm); + if(ptr) { + shm_free(ptr); + } +- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_unlock(ksr_tls_lock_shm); + } + #endif +
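Review bot: After this revert the `TLS_MODE_PTHREAD_LOCK_SHM` bit of `ksr_tls_init_mode` no longer has any effect in ser_malloc/ser_realloc/ser_free, yet nothing in the hunk retires the flag or `ksr_tls_lock_shm`, so an operator who set that init_mode bit because of the GH #3695 contention keeps a setting that is now silently ignored. The patch description calls the second lock redundant, which holds only if shm_malloc/shm_realloc/shm_free already serialise internally — plausible for the shared-memory allocator, but not visible here. Suggest either dropping the bit where init_mode is parsed or warning once there, e.g. `LM_WARN("init_mode TLS_MODE_PTHREAD_LOCK_SHM has no effect: the shm lock wrapper was removed\n");`, and stating the internal-lock assumption in the commit message. The allocator wrappers are complete within the hunk; the init_mode parsing they relate to is not.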