From 94926a6af2305f8d176ee75f02385c8f3cc564b2 Mon Sep 17 00:00:00 2001 From: Victor Seva Date: Tue, 12 Dec 2023 08:34:10 +0100 Subject: [PATCH] MT#58875 tls fixes from upstream 5.7 branch Change-Id: Iedac6977dfaf2587602778d3a1f8518450061f8b (cherry picked from commit 5cce2f8c3c2955a176f4887dc008c52da6a5627f) --- debian/patches/series | 3 + ...cy-recompute-lenght-of-rest-to-parse.patch | 30 +++ ...init-early-the-local-lock-for-memory.patch | 49 ++++ ...mode-1-to-set-PTHREAD_PROCESS_SHARED.patch | 218 ++++++++++++++++++ 4 files changed, 300 insertions(+) create mode 100644 debian/patches/upstream/core-parse-privacy-recompute-lenght-of-rest-to-parse.patch create mode 100644 debian/patches/upstream/tls-init-early-the-local-lock-for-memory.patch create mode 100644 debian/patches/upstream/tls-rework-init-mode-1-to-set-PTHREAD_PROCESS_SHARED.patch diff --git a/debian/patches/series b/debian/patches/series index b88171174..383c4fd38 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -33,6 +33,9 @@ sipwise/sca-fix-notify-after-bye.patch sipwise/sca-add-pai_avp-parameter.patch ## upstream 5.7 upstream/Makefile.groups-tlsa-in-packaging-group-ktls-if-KTLS.patch +upstream/tls-rework-init-mode-1-to-set-PTHREAD_PROCESS_SHARED.patch +upstream/tls-init-early-the-local-lock-for-memory.patch +upstream/core-parse-privacy-recompute-lenght-of-rest-to-parse.patch ## upstream master sipwise/pv_headers-rework-pvh_remove_header_param-take-two.patch upstream/pv_headers-compare-result-of-pvh_set_xavi-with-NULL-.patch diff --git a/debian/patches/upstream/core-parse-privacy-recompute-lenght-of-rest-to-parse.patch b/debian/patches/upstream/core-parse-privacy-recompute-lenght-of-rest-to-parse.patch new file mode 100644 index 000000000..4f22bfe06 --- /dev/null +++ b/debian/patches/upstream/core-parse-privacy-recompute-lenght-of-rest-to-parse.patch 
@@ -0,0 +1,30 @@ +From: Daniel-Constantin Mierla +Date: Fri, 8 Dec 2023 22:10:36 +0100 +Subject: core: parse privacy recompute lenght of rest to parse + +(cherry picked from commit 804ee651b45498727196886c97cb55d20b254c4a) +--- + src/core/parser/parse_privacy.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/core/parser/parse_privacy.c b/src/core/parser/parse_privacy.c +index 6443146..89423c1 100644 +--- a/src/core/parser/parse_privacy.c ++++ b/src/core/parser/parse_privacy.c +@@ -178,14 +178,13 @@ int parse_privacy(struct sip_msg *msg) + + values = 0; + p = next.s; +- len = next.len; +- beyond = p + len; ++ beyond = next.s + next.len; + + while(p < beyond) { ++ len = beyond - p; + if((val_len = parse_priv_value(p, len, &value)) != 0) { + values |= value; + p = p + val_len; +- len = len - val_len; + } else { + LM_ERR("invalid privacy value\n"); + return -1; diff --git a/debian/patches/upstream/tls-init-early-the-local-lock-for-memory.patch b/debian/patches/upstream/tls-init-early-the-local-lock-for-memory.patch new file mode 100644 index 000000000..74eaf7f6c --- /dev/null +++ b/debian/patches/upstream/tls-init-early-the-local-lock-for-memory.patch 
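Review bot: The new `len = beyond - p;` at the top of the loop in parse_privacy() has no comment saying why the remaining length is now derived from the pointers instead of being decremented, and that is the point of the fix. The removed `len = len - val_len;` only accounted for bytes consumed by parse_priv_value(). Any other advance of `p` in the loop would therefore have left `len` larger than the bytes actually left before `beyond`; that part of the loop body is outside the hunk, so this is inferred. I would add `/* bytes left before beyond; recomputed because p may advance by more than val_len */` above the assignment. A parser unit test using a multi-value Privacy header whose last token ends exactly at the end of the buffer would keep the bound from regressing.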
@@ -0,0 +1,49 @@ +From: Daniel-Constantin Mierla +Date: Fri, 8 Dec 2023 12:34:56 +0100 +Subject: tls: init early the local lock for memory + +- needed to done before mod param init_mode is set +- runtime uses the modparam to do lock/unlock +- #3668 + +(cherry picked from commit 1a9b0b63617afebcee2aecb3b2240d7684ecabc2) +--- + src/modules/tls/tls_init.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c +index 6106cc7..57be9ca 100644 +--- a/src/modules/tls/tls_init.c ++++ b/src/modules/tls/tls_init.c +@@ -78,7 +78,7 @@ int ksr_tls_lock_init(void) + { + pthread_mutexattr_t attr; + +- if(!(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)) { ++ if(ksr_tls_lock_shm != NULL) { + return 0; + } + ksr_tls_lock_shm = (pthread_mutex_t *)shm_mallocxz(sizeof(pthread_mutex_t)); +@@ -723,6 +723,11 @@ int tls_pre_init(void) + LM_INFO("libssl linked mode: static\n"); + #endif + ++ if(ksr_tls_lock_init() < 0) { ++ LM_ERR("failed to init local lock\n"); ++ return -1; ++ } ++ + /* + * this has to be called before any function calling CRYPTO_malloc, + * CRYPTO_malloc will set allow_customize in openssl to 0 +@@ -770,6 +775,10 @@ int tls_h_mod_pre_init_f(void) + LM_DBG("already mod pre-initialized\n"); + return 0; + } ++ if(ksr_tls_lock_init() < 0) { ++ LM_ERR("failed to init local lock\n"); ++ return -1; ++ } + LM_DBG("preparing tls env for modules initialization\n"); + #if OPENSSL_VERSION_NUMBER >= 0x010100000L && !defined(LIBRESSL_VERSION_NUMBER) + LM_DBG("preparing tls env for modules initialization (libssl >=1.1)\n"); diff --git a/debian/patches/upstream/tls-rework-init-mode-1-to-set-PTHREAD_PROCESS_SHARED.patch b/debian/patches/upstream/tls-rework-init-mode-1-to-set-PTHREAD_PROCESS_SHARED.patch new file mode 100644 index 000000000..c10aa538f --- /dev/null +++ b/debian/patches/upstream/tls-rework-init-mode-1-to-set-PTHREAD_PROCESS_SHARED.patch 
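Review bot: With the early return changed to `if(ksr_tls_lock_shm != NULL)`, ksr_tls_lock_init() now allocates and initialises the mutex whatever init_mode is, but this patch does not touch ksr_tls_lock_destroy(). As shown in the tls-rework patch on this page, that function still returns early when TLS_MODE_PTHREAD_LOCK_SHM is clear, so in that configuration the shared-memory mutex is never destroyed or freed. When the flag is set, the pointer is left dangling after `shm_free()`, which matters if the allocator wrappers can still run after destroy. I would make the destroy guard `if(ksr_tls_lock_shm == NULL) return;` and add `ksr_tls_lock_shm = NULL;` after the `shm_free(ksr_tls_lock_shm);` call. The bodies of tls_pre_init() and tls_h_mod_pre_init_f() continue outside the hunks shown.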
@@ -0,0 +1,218 @@ +From: Daniel-Constantin Mierla +Date: Thu, 7 Dec 2023 13:00:50 +0100 +Subject: tls: rework init mode 1 to set PTHREAD_PROCESS_SHARED + +- pthread mutex set in shm +- GH #3635 + +(cherry picked from commit 4b068f49b618dca5fa85a1687bd9054c1d98ae6a) +--- + src/modules/tls/tls_init.c | 62 ++++++++++++++++++++++++++++++++-------------- + src/modules/tls/tls_mod.c | 8 +++--- + 2 files changed, 47 insertions(+), 23 deletions(-) + +diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c +index d7399e8..6106cc7 100644 +--- a/src/modules/tls/tls_init.c ++++ b/src/modules/tls/tls_init.c +@@ -69,20 +69,31 @@ static int tls_mod_preinitialized = 0; + static int tls_mod_initialized = 0; + + extern int ksr_tls_init_mode; +-pthread_mutex_t ksr_tls_lock_shm; ++static pthread_mutex_t *ksr_tls_lock_shm = NULL; + + /** + * + */ + int ksr_tls_lock_init(void) + { ++ pthread_mutexattr_t attr; ++ + if(!(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)) { + return 0; + } +- if(pthread_mutex_init(&ksr_tls_lock_shm, NULL) != 0) { ++ ksr_tls_lock_shm = (pthread_mutex_t *)shm_mallocxz(sizeof(pthread_mutex_t)); ++ if(ksr_tls_lock_shm == NULL) { ++ LM_ERR("mutex allocation failed\n"); ++ return -1; ++ } ++ pthread_mutexattr_init(&attr); ++ pthread_mutexattr_setpshared(&attr, PTHREAD_PROCESS_SHARED); ++ if(pthread_mutex_init(ksr_tls_lock_shm, &attr) != 0) { ++ pthread_mutexattr_destroy(&attr); + LM_ERR("mutex init failed\n"); + return -1; + } ++ pthread_mutexattr_destroy(&attr); + return 0; + } + +@@ -94,7 +105,8 @@ void ksr_tls_lock_destroy(void) + if(!(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)) { + return; + } +- pthread_mutex_destroy(&ksr_tls_lock_shm); ++ pthread_mutex_destroy(ksr_tls_lock_shm); ++ shm_free(ksr_tls_lock_shm); + return; + } + +@@ -248,7 +260,7 @@ static void *ser_malloc(size_t size, const char *file, int line) + #endif + + if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_lock(&ksr_tls_lock_shm); ++ 
pthread_mutex_lock(ksr_tls_lock_shm); + + #ifdef RAND_NULL_MALLOC + /* start random null returns only after +@@ -278,7 +290,7 @@ static void *ser_malloc(size_t size, const char *file, int line) + } + #endif + if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_unlock(&ksr_tls_lock_shm); ++ pthread_mutex_unlock(ksr_tls_lock_shm); + return p; + } + +@@ -293,7 +305,7 @@ static void *ser_realloc(void *ptr, size_t size, const char *file, int line) + #endif + + if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_lock(&ksr_tls_lock_shm); ++ pthread_mutex_lock(ksr_tls_lock_shm); + + #ifdef RAND_NULL_MALLOC + /* start random null returns only after +@@ -324,10 +336,22 @@ static void *ser_realloc(void *ptr, size_t size, const char *file, int line) + #endif + + if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_unlock(&ksr_tls_lock_shm); ++ pthread_mutex_unlock(ksr_tls_lock_shm); + + return p; + } ++ ++static void ser_free(void *ptr, const char *fname, int fline) ++{ ++ if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) ++ pthread_mutex_lock(ksr_tls_lock_shm); ++ if(ptr) { ++ shm_free(ptr); ++ } ++ if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) ++ pthread_mutex_unlock(ksr_tls_lock_shm); ++} ++ + #endif /* LIBRESSL_VERSION_NUMBER */ + + #else /*TLS_MALLOC_DBG */ +@@ -340,10 +364,10 @@ static void *ser_malloc(size_t size) + void *p; + + if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_lock(&ksr_tls_lock_shm); ++ pthread_mutex_lock(ksr_tls_lock_shm); + p = shm_malloc(size); + if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_unlock(&ksr_tls_lock_shm); ++ pthread_mutex_unlock(ksr_tls_lock_shm); + return p; + } + +@@ -352,10 +376,10 @@ static void *ser_realloc(void *ptr, size_t size) + { + void *p; + if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_lock(&ksr_tls_lock_shm); ++ pthread_mutex_lock(ksr_tls_lock_shm); + p = shm_realloc(ptr, size); + if(ksr_tls_init_mode & 
TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_unlock(&ksr_tls_lock_shm); ++ pthread_mutex_unlock(ksr_tls_lock_shm); + return p; + } + #else +@@ -363,10 +387,10 @@ static void *ser_malloc(size_t size, const char *fname, int fline) + { + void *p; + if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_lock(&ksr_tls_lock_shm); ++ pthread_mutex_lock(ksr_tls_lock_shm); + p = shm_malloc(size); + if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_unlock(&ksr_tls_lock_shm); ++ pthread_mutex_unlock(ksr_tls_lock_shm); + return p; + } + +@@ -375,10 +399,10 @@ static void *ser_realloc(void *ptr, size_t size, const char *fname, int fline) + { + void *p; + if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_lock(&ksr_tls_lock_shm); ++ pthread_mutex_lock(ksr_tls_lock_shm); + p = shm_realloc(ptr, size); + if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_unlock(&ksr_tls_lock_shm); ++ pthread_mutex_unlock(ksr_tls_lock_shm); + return p; + } + #endif +@@ -396,23 +420,23 @@ static void ser_free(void *ptr) + * here in the wrapper function. 
+ */ + if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_lock(&ksr_tls_lock_shm); ++ pthread_mutex_lock(ksr_tls_lock_shm); + if(ptr) { + shm_free(ptr); + } + if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_unlock(&ksr_tls_lock_shm); ++ pthread_mutex_unlock(ksr_tls_lock_shm); + } + #else + static void ser_free(void *ptr, const char *fname, int fline) + { + if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_lock(&ksr_tls_lock_shm); ++ pthread_mutex_lock(ksr_tls_lock_shm); + if(ptr) { + shm_free(ptr); + } + if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) +- pthread_mutex_unlock(&ksr_tls_lock_shm); ++ pthread_mutex_unlock(ksr_tls_lock_shm); + } + #endif + +diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c +index c966e34..3a04776 100644 +--- a/src/modules/tls/tls_mod.c ++++ b/src/modules/tls/tls_mod.c +@@ -402,10 +402,6 @@ static int mod_init(void) + if(tls_check_sockets(*tls_domains_cfg) < 0) + goto error; + +- if(ksr_tls_lock_init() < 0) { +- goto error; +- } +- + LM_INFO("use OpenSSL version: %08x\n", (uint32_t)(OPENSSL_VERSION_NUMBER)); + #ifndef OPENSSL_NO_ECDH + LM_INFO("With ECDH-Support!\n"); +@@ -674,6 +670,10 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2) + if(!shm_initialized() && init_shm() < 0) + return -1; + ++ if(ksr_tls_lock_init() < 0) { ++ return -1; ++ } ++ + if(tls_pre_init() < 0) + return -1; +
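Review bot: In ksr_tls_lock_init() the return values of `pthread_mutexattr_init()` and `pthread_mutexattr_setpshared()` are ignored. If the process-shared attribute cannot be set, the mutex is still created in shared memory with default (process-private) attributes and used across processes, which is the situation this rework is meant to remove. The failure branch of `pthread_mutex_init()` also returns -1 without freeing the `shm_mallocxz()` block or resetting `ksr_tls_lock_shm`. That leaves a pointer to an uninitialised mutex, which the ser_malloc/ser_realloc/ser_free wrappers would lock if they are reached afterwards. I would check both attribute calls and route every failure through one cleanup path that frees the block and sets the pointer back to NULL, as sketched below.

```c
int ksr_tls_lock_init(void)
{
	/* … unchanged: attr declaration, init_mode check, shm_mallocxz() and its NULL check … */
	if(pthread_mutexattr_init(&attr) != 0) {
		LM_ERR("mutex attr init failed\n");
		goto error;
	}
	if(pthread_mutexattr_setpshared(&attr, PTHREAD_PROCESS_SHARED) != 0
			|| pthread_mutex_init(ksr_tls_lock_shm, &attr) != 0) {
		pthread_mutexattr_destroy(&attr);
		LM_ERR("mutex init failed\n");
		goto error;
	}
	pthread_mutexattr_destroy(&attr);
	return 0;

error:
	/* do not leave a pointer to an uninitialised mutex behind */
	shm_free(ksr_tls_lock_shm);
	ksr_tls_lock_shm = NULL;
	return -1;
}
```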