MT#59178 remove already applied patches

Change-Id: Ie4f68a60e4b4ecfc798efef940cfd944b2b85f9d
(cherry picked from commit 8becf82158)
(cherry picked from commit e1233a185d)
mr11.5
Victor Seva 1 year ago
parent 1ae53feaa6
commit a46e882a3a

@ -7,7 +7,7 @@ Subject: no_lib64_on_64_bits
1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/src/Makefile.defs b/src/Makefile.defs
index 5d485bb..33b83ad 100644
index d393653..f43d100 100644
--- a/src/Makefile.defs
+++ b/src/Makefile.defs
@@ -458,15 +458,7 @@ endif

@ -32,18 +32,7 @@ sipwise/sca-debug.patch
sipwise/sca-fix-notify-after-bye.patch
sipwise/sca-add-pai_avp-parameter.patch
## upstream 5.7
upstream/Makefile.groups-tlsa-in-packaging-group-ktls-if-KTLS.patch
upstream/tls-rework-init-mode-1-to-set-PTHREAD_PROCESS_SHARED.patch
upstream/tls-init-early-the-local-lock-for-memory.patch
upstream/core-parse-privacy-recompute-lenght-of-rest-to-parse.patch
upstream/tls-OpenSSL-3.x-thread-local-init-libssl-in-thread-o.patch
upstream/tls-fix-compilation-with-OpenSSL-1.1.1.patch
upstream/tls-OpenSSL-1.1.1-thread-local-init-libssl-in-thread.patch
upstream/tls-thread-local-revert-1a9b0b6361-as-double-layer-l.patch
upstream/tls-OpenSSL-3.x-1.1.1-thread-local-clean-up-dead-cod.patch
upstream/outbound-OpenSSL-3.x-thread-local-init-libssl-in-thr.patch
upstream/outbound-OpenSSL-1.1.1-thread-local-init-libssl-in-t.patch
upstream/outbound-build-fix-missing-argument-name.patch
#
## upstream master
sipwise/pv_headers-rework-pvh_remove_header_param-take-two.patch
upstream/pv_headers-compare-result-of-pvh_set_xavi-with-NULL-.patch
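Review bot: Dropping the twelve `upstream/` entries from the series is only safe if the packaged source base already contains every one of them, and neither this hunk nor the commit message records which upstream release that is. Some of the removed backports look security-relevant: the `parse_privacy` change recomputes the remaining length on each loop pass, and the `tls`/`outbound` changes move libssl and RAND initialisation out of rank 0. A silent mismatch would bring those bugs back without any build failure. I would record the base in the series file, e.g. `## upstream 5.7 (backports included as of <UPSTREAM_VERSION>)`, and check that each commit id in the deleted patches' cherry-pick trailers is an ancestor of the packaged tag.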

@ -13,7 +13,7 @@ Subject: add_lcr_rate_module
create mode 100644 src/modules/lcr_rate/lcr_rate_mod.c
diff --git a/src/Makefile.groups b/src/Makefile.groups
index 15fec0d..87e624a 100644
index 4dcac9e..c419f7d 100644
--- a/src/Makefile.groups
+++ b/src/Makefile.groups
@@ -112,6 +112,9 @@ mod_list_sctp=sctp

@ -17,7 +17,7 @@ Subject: add_pcem_module
create mode 100644 src/modules/pcem/pcem_mod.h
diff --git a/src/Makefile.groups b/src/Makefile.groups
index 7d05dc1..15fec0d 100644
index ee4ec90..4dcac9e 100644
--- a/src/Makefile.groups
+++ b/src/Makefile.groups
@@ -30,8 +30,8 @@ mod_list_db=acc alias_db auth_db avpops cfg_db db_text db_flatstore \

@ -22,7 +22,7 @@ Subject: add_presence_dfks_module
create mode 100644 src/modules/presence_dfks/presence_dfks.h
diff --git a/src/Makefile.groups b/src/Makefile.groups
index 4aee35f..ec0d8ac 100644
index b85c1c5..f61bcec 100644
--- a/src/Makefile.groups
+++ b/src/Makefile.groups
@@ -121,7 +121,7 @@ mod_list_presence=presence presence_conference presence_dialoginfo \

@ -11,7 +11,7 @@ Subject: add_tcap_module
create mode 100644 src/modules/tcap/tcap_mod.c
diff --git a/src/Makefile.groups b/src/Makefile.groups
index 87e624a..4aee35f 100644
index c419f7d..b85c1c5 100644
--- a/src/Makefile.groups
+++ b/src/Makefile.groups
@@ -217,6 +217,9 @@ mod_list_erlang=erlang

@ -9,7 +9,7 @@ Subject: dialog: dlg_get_ttag()
3 files changed, 211 insertions(+)
diff --git a/src/modules/dialog/dialog.c b/src/modules/dialog/dialog.c
index 7a416ee..02c8b1b 100644
index 0127e61..a0d654d 100644
--- a/src/modules/dialog/dialog.c
+++ b/src/modules/dialog/dialog.c
@@ -54,6 +54,7 @@

@ -10,7 +10,7 @@ Subject: dialog: support profile_get_size for all profiles
4 files changed, 69 insertions(+)
diff --git a/src/modules/dialog/dialog.c b/src/modules/dialog/dialog.c
index e937947..7a416ee 100644
index 79221a1..0127e61 100644
--- a/src/modules/dialog/dialog.c
+++ b/src/modules/dialog/dialog.c
@@ -3026,6 +3026,31 @@ static void internal_rpc_profile_get_size(

@ -7,7 +7,7 @@ Subject: pv_trans_eval_uri
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/modules/pv/pv_trans.c b/src/modules/pv/pv_trans.c
index 5204c8f..80c42ef 100644
index e4754e7..07a3957 100644
--- a/src/modules/pv/pv_trans.c
+++ b/src/modules/pv/pv_trans.c
@@ -1542,7 +1542,8 @@ int tr_eval_uri(

@ -8,7 +8,7 @@ Subject: usrloc_dbro
2 files changed, 69 insertions(+), 1 deletion(-)
diff --git a/src/modules/usrloc/usrloc_mod.c b/src/modules/usrloc/usrloc_mod.c
index de75545..fcbb171 100644
index 16a48e4..2c77f29 100644
--- a/src/modules/usrloc/usrloc_mod.c
+++ b/src/modules/usrloc/usrloc_mod.c
@@ -198,6 +198,7 @@ str ulattrs_last_mod_col = str_init(

@ -1,48 +0,0 @@
From: Daniel-Constantin Mierla <miconda@gmail.com>
Date: Fri, 24 Nov 2023 10:38:49 +0100
Subject: Makefile.groups: tlsa in packaging group ktls if
KTLS_INCLUDE_TLSA=yes
- if not, then it is in separate group module_group_ktlsa
(cherry picked from commit a49c8d8d968e31a539e47db6c06a0756e4be55e3)
---
src/Makefile.groups | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/Makefile.groups b/src/Makefile.groups
index ec0d8ac..7cb9586 100644
--- a/src/Makefile.groups
+++ b/src/Makefile.groups
@@ -88,12 +88,12 @@ mod_list_memcached=memcached
# - modules depending on openssl library
mod_list_tlsdeps=crypto tls
-# - modules depending on openssl (+curl) library
-mod_list_tlsdeps_curl=auth_identity
-
# - modules depending on static openssl library
mod_list_tlsa=tlsa
+# - modules depending on openssl (+curl) library
+mod_list_tlsdeps_curl=auth_identity
+
# - modules depending on static wolfssl library
mod_list_tls_wolfssl=tls_wolfssl
@@ -414,11 +414,13 @@ module_group_kmemcached=$(mod_list_memcached)
# pkg tls module
module_group_ktls_basic=$(mod_list_tlsdeps)
+ifeq ($(KTLS_INCLUDE_TLSA),yes)
# pkg tls module with curl
-module_group_ktls=$(mod_list_tlsdeps) $(mod_list_tlsdeps_curl)
-
+module_group_ktls=$(mod_list_tlsdeps) $(mod_list_tlsdeps_curl) $(mod_list_tlsa)
+else
# pkg tlsa module
module_group_ktlsa=$(mod_list_tlsa)
+endif
# pkg tls_wolfssl module
module_group_ktls_wolfssl=$(mod_list_tls_wolfssl)

@ -1,30 +0,0 @@
From: Daniel-Constantin Mierla <miconda@gmail.com>
Date: Fri, 8 Dec 2023 22:10:36 +0100
Subject: core: parse privacy recompute lenght of rest to parse
(cherry picked from commit 804ee651b45498727196886c97cb55d20b254c4a)
---
src/core/parser/parse_privacy.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/core/parser/parse_privacy.c b/src/core/parser/parse_privacy.c
index 6443146..89423c1 100644
--- a/src/core/parser/parse_privacy.c
+++ b/src/core/parser/parse_privacy.c
@@ -178,14 +178,13 @@ int parse_privacy(struct sip_msg *msg)
values = 0;
p = next.s;
- len = next.len;
- beyond = p + len;
+ beyond = next.s + next.len;
while(p < beyond) {
+ len = beyond - p;
if((val_len = parse_priv_value(p, len, &value)) != 0) {
values |= value;
p = p + val_len;
- len = len - val_len;
} else {
LM_ERR("invalid privacy value\n");
return -1;

@ -1,22 +0,0 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Thu, 4 Jan 2024 21:47:23 +0800
Subject: outbound: OpenSSL 1.1.1 thread-local, init libssl in thread
(cherry-pick from 689de2736f5c92f11860e5854ccd95c84239f032)
---
src/modules/outbound/outbound_mod.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/modules/outbound/outbound_mod.c b/src/modules/outbound/outbound_mod.c
index 00c0a66..a797eb8 100644
--- a/src/modules/outbound/outbound_mod.c
+++ b/src/modules/outbound/outbound_mod.c
@@ -110,7 +110,7 @@ static int mod_init(void)
}
ob_key.len = OB_KEY_LEN;
-#if OPENSSL_VERSION_NUMBER < 0x030000000L
+#if OPENSSL_VERSION_NUMBER < 0x010101000L
mod_init_openssl(NULL);
#else
pthread_t tid;

@ -1,64 +0,0 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Thu, 4 Jan 2024 20:11:21 +0800
Subject: outbound: OpenSSL 3.x thread-local, init libssl in thread
(cherry-pick from 4742c8131aba878c4fc954e42b656b9d4bafdd24)
---
src/modules/outbound/outbound_mod.c | 37 +++++++++++++++++++++++++------------
1 file changed, 25 insertions(+), 12 deletions(-)
diff --git a/src/modules/outbound/outbound_mod.c b/src/modules/outbound/outbound_mod.c
index 4e408e2..00c0a66 100644
--- a/src/modules/outbound/outbound_mod.c
+++ b/src/modules/outbound/outbound_mod.c
@@ -75,6 +75,23 @@ struct module_exports exports = {
destroy /* destroy function */
};
+static void *mod_init_openssl(void *) {
+ if(flow_token_secret.s) {
+ assert(ob_key.len == SHA_DIGEST_LENGTH);
+ LM_DBG("flow_token_secret mod param set. use persistent ob_key");
+ SHA1((const unsigned char *)flow_token_secret.s, flow_token_secret.len,
+ (unsigned char *)ob_key.s);
+ } else {
+ if(RAND_bytes((unsigned char *)ob_key.s, ob_key.len) == 0) {
+ LM_ERR("unable to get %d cryptographically strong pseudo-"
+ "random bytes\n",
+ ob_key.len);
+ }
+ }
+
+ return NULL;
+}
+
static int mod_init(void)
{
if(ob_force_flag != -1 && !flag_in_range(ob_force_flag)) {
@@ -93,18 +110,14 @@ static int mod_init(void)
}
ob_key.len = OB_KEY_LEN;
- if(flow_token_secret.s) {
- assert(ob_key.len == SHA_DIGEST_LENGTH);
- LM_DBG("flow_token_secret mod param set. use persistent ob_key");
- SHA1((const unsigned char *)flow_token_secret.s, flow_token_secret.len,
- (unsigned char *)ob_key.s);
- } else {
- if(RAND_bytes((unsigned char *)ob_key.s, ob_key.len) == 0) {
- LM_ERR("unable to get %d cryptographically strong pseudo-"
- "random bytes\n",
- ob_key.len);
- }
- }
+#if OPENSSL_VERSION_NUMBER < 0x030000000L
+ mod_init_openssl(NULL);
+#else
+ pthread_t tid;
+ void *retval;
+ pthread_create(&tid, NULL, mod_init_openssl, NULL);
+ pthread_join(tid, &retval);
+#endif
if(cfg_declare("outbound", outbound_cfg_def, &default_outbound_cfg,
cfg_sizeof(outbound), &outbound_cfg)) {

@ -1,22 +0,0 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Fri, 5 Jan 2024 20:56:39 +0800
Subject: outbound: build, fix missing argument name
(cherry-pick from 4708f537d7f5d28123b48cd89474a4931dd698ad)
---
src/modules/outbound/outbound_mod.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/modules/outbound/outbound_mod.c b/src/modules/outbound/outbound_mod.c
index a797eb8..32f10f6 100644
--- a/src/modules/outbound/outbound_mod.c
+++ b/src/modules/outbound/outbound_mod.c
@@ -75,7 +75,7 @@ struct module_exports exports = {
destroy /* destroy function */
};
-static void *mod_init_openssl(void *) {
+static void *mod_init_openssl(void *arg) {
if(flow_token_secret.s) {
assert(ob_key.len == SHA_DIGEST_LENGTH);
LM_DBG("flow_token_secret mod param set. use persistent ob_key");

@ -1,94 +0,0 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Thu, 4 Jan 2024 21:56:00 +0800
Subject: tls: OpenSSL 1.1.1 thread-local, init libssl in thread
- no need for RAND workaround; default is OpenSSL 1.1.1 RAND
- linux/pthreads will handle forking
(cherry-pick from 7b531cfe038fae5e3414ac74c4e076c10e32b86c)
---
src/modules/tls/tls_init.c | 5 +++--
src/modules/tls/tls_mod.c | 22 ++++++++++++----------
2 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c
index 872fdb2..2d5a9e1 100644
--- a/src/modules/tls/tls_init.c
+++ b/src/modules/tls/tls_init.c
@@ -825,7 +825,8 @@ int tls_h_mod_pre_init_f(void)
#if OPENSSL_VERSION_NUMBER >= 0x030000000L
// skip init for 3.x
#elif OPENSSL_VERSION_NUMBER >= 0x010101000L
- OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL);
+ //not needed on Linux
+ //OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL);
#else
OPENSSL_init_ssl(0, NULL);
#endif
@@ -833,7 +834,7 @@ int tls_h_mod_pre_init_f(void)
LM_DBG("preparing tls env for modules initialization (libssl <=1.0)\n");
SSL_library_init();
#endif
-#if OPENSSL_VERSION_NUMBER < 0x030000000L
+#if OPENSSL_VERSION_NUMBER < 0x010101000L
SSL_load_error_strings();
#endif
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 1e74ba0..03874ed 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -440,8 +440,16 @@ static int mod_child(int rank)
/* fix tls config only from the main proc/PROC_INIT., when we know
* the exact process number and before any other process starts*/
+ if(rank == PROC_INIT) {
+#if OPENSSL_VERSION_NUMBER >= 0x010101000L \
+ && OPENSSL_VERSION_NUMBER < 0x030000000L
+ if(ksr_tls_init_mode & TLS_MODE_FORK_PREPARE) {
+ // not needed on Linux: OPENSSL_fork_prepare();
+ }
+#endif
+ }
-#if OPENSSL_VERSION_NUMBER >= 0x030000000L
+#if OPENSSL_VERSION_NUMBER >= 0x010101000L
/*
* OpenSSL 3.x: create shared SSL_CTX* in worker to avoid init of
* libssl in rank 0(thread#1)
@@ -460,12 +468,6 @@ static int mod_child(int rank)
< 0)
return -1;
}
-#if OPENSSL_VERSION_NUMBER >= 0x010101000L \
- && OPENSSL_VERSION_NUMBER < 0x030000000L
- if(ksr_tls_init_mode & TLS_MODE_FORK_PREPARE) {
- OPENSSL_fork_prepare();
- }
-#endif
return 0;
}
@@ -476,11 +478,11 @@ static int mod_child(int rank)
/*
* this is called after forking of all child processes
*/
- OPENSSL_fork_parent();
+ // not needed on Linux: OPENSSL_fork_parent();
return 0;
}
if(!_ksr_is_main) {
- OPENSSL_fork_child();
+ // not needed on Linux: OPENSSL_fork_child();
}
}
#endif
@@ -691,7 +693,7 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2)
#if OPENSSL_VERSION_NUMBER >= 0x10100000L \
&& OPENSSL_VERSION_NUMBER < 0x030000000L
LM_DBG("setting cryptorand random engine\n");
- RAND_set_rand_method(RAND_ksr_cryptorand_method());
+ // RAND_set_rand_method(RAND_ksr_cryptorand_method());
#endif
sr_kemi_modules_add(sr_kemi_tls_exports);

@ -1,107 +0,0 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Fri, 5 Jan 2024 07:38:56 +0800
Subject: tls: OpenSSL 3.x/1.1.1 thread-local,
clean-up dead code and preprocessor blocks
(cherry-pick from 798cc26908395d2ba21015684ad6f0ac4f012b2e)
---
src/modules/tls/tls_init.c | 7 +------
src/modules/tls/tls_mod.c | 44 ++++++++++----------------------------------
2 files changed, 11 insertions(+), 40 deletions(-)
diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c
index 58289c6..65f5ae7 100644
--- a/src/modules/tls/tls_init.c
+++ b/src/modules/tls/tls_init.c
@@ -783,12 +783,7 @@ int tls_h_mod_pre_init_f(void)
LM_DBG("preparing tls env for modules initialization\n");
#if OPENSSL_VERSION_NUMBER >= 0x010100000L && !defined(LIBRESSL_VERSION_NUMBER)
LM_DBG("preparing tls env for modules initialization (libssl >=1.1)\n");
-#if OPENSSL_VERSION_NUMBER >= 0x030000000L
- // skip init for 3.x
-#elif OPENSSL_VERSION_NUMBER >= 0x010101000L
- //not needed on Linux
- //OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL);
-#else
+#if OPENSSL_VERSION_NUMBER < 0x010100000L
OPENSSL_init_ssl(0, NULL);
#endif
#else
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 03874ed..7cad1b0 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -438,20 +438,9 @@ static int mod_child(int rank)
if(tls_disable || (tls_domains_cfg == 0))
return 0;
- /* fix tls config only from the main proc/PROC_INIT., when we know
- * the exact process number and before any other process starts*/
- if(rank == PROC_INIT) {
-#if OPENSSL_VERSION_NUMBER >= 0x010101000L \
- && OPENSSL_VERSION_NUMBER < 0x030000000L
- if(ksr_tls_init_mode & TLS_MODE_FORK_PREPARE) {
- // not needed on Linux: OPENSSL_fork_prepare();
- }
-#endif
- }
-
#if OPENSSL_VERSION_NUMBER >= 0x010101000L
/*
- * OpenSSL 3.x: create shared SSL_CTX* in worker to avoid init of
+ * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in worker to avoid init of
* libssl in rank 0(thread#1)
*/
if(rank == PROC_SIPINIT) {
@@ -471,22 +460,6 @@ static int mod_child(int rank)
return 0;
}
-#if OPENSSL_VERSION_NUMBER >= 0x010101000L \
- && OPENSSL_VERSION_NUMBER < 0x030000000L
- if(ksr_tls_init_mode & TLS_MODE_FORK_PREPARE) {
- if(rank == PROC_POSTCHILDINIT) {
- /*
- * this is called after forking of all child processes
- */
- // not needed on Linux: OPENSSL_fork_parent();
- return 0;
- }
- if(!_ksr_is_main) {
- // not needed on Linux: OPENSSL_fork_child();
- }
- }
-#endif
-
#ifndef OPENSSL_NO_ENGINE
/*
* after the child is fork()ed we go through the TLS domains
@@ -514,6 +487,11 @@ static void mod_destroy(void)
* => nothing to do here */
}
+/*
+ * GH #3695: OpenSSL 1.1.1: it is no longer necessary to replace RAND
+ * - early init in rank 0 causes workers to inherit public_drbg/private_drbg
+ * which are not thread-safe
+ */
int ksr_rand_engine_param(modparam_t type, void *val)
{
@@ -690,12 +668,10 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2)
register_tls_hooks(&tls_h);
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L \
- && OPENSSL_VERSION_NUMBER < 0x030000000L
- LM_DBG("setting cryptorand random engine\n");
- // RAND_set_rand_method(RAND_ksr_cryptorand_method());
-#endif
-
+ /*
+ * GH #3695: OpenSSL 1.1.1 historical note: it is no longer
+ * needed to replace RAND with cryptorand
+ */
sr_kemi_modules_add(sr_kemi_tls_exports);
return 0;

@ -1,145 +0,0 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Thu, 4 Jan 2024 20:00:09 +0800
Subject: tls: OpenSSL 3.x thread-local, init libssl in thread or PROC_SIPINIT
- avoid initialising ERR_STATE in rank 0(thread#1)
(cherry-pick from e49a60e1052c6c1dcebe7f78f2ac970338eabe2e)
---
src/modules/tls/tls_init.c | 83 +++++++++++++++++++++++++++-------------------
src/modules/tls/tls_mod.c | 11 +++++-
2 files changed, 59 insertions(+), 35 deletions(-)
diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c
index 57be9ca..0bc12d3 100644
--- a/src/modules/tls/tls_init.c
+++ b/src/modules/tls/tls_init.c
@@ -769,6 +769,44 @@ int tls_pre_init(void)
* tls mod pre-init function
* - executed before any mod_init()
*/
+long tls_h_mod_randctx(void *) {
+ do {
+ OSSL_LIB_CTX *osslglobal = NULL;
+ EVP_RAND_CTX *randctx = NULL;
+
+ LM_DBG("enabling locking for rand ctx\n");
+
+ osslglobal = OSSL_LIB_CTX_get0_global_default();
+ if(osslglobal == NULL) {
+ LM_ERR("failed to get lib ssl global ctx\n");
+ return -1L;
+ }
+
+ randctx = RAND_get0_primary(osslglobal);
+ if(randctx == NULL) {
+ LM_ERR("primary rand ctx is null\n");
+ return -1L;
+ }
+ EVP_RAND_enable_locking(randctx);
+
+ randctx = RAND_get0_public(osslglobal);
+ if(randctx == NULL) {
+ LM_ERR("public rand ctx is null\n");
+ return -1L;
+ }
+ EVP_RAND_enable_locking(randctx);
+
+ randctx = RAND_get0_private(osslglobal);
+ if(randctx == NULL) {
+ LM_ERR("private rand ctx is null\n");
+ return -1L;
+ }
+ EVP_RAND_enable_locking(randctx);
+ } while(0);
+
+ return 0L;
+}
+
int tls_h_mod_pre_init_f(void)
{
if(tls_mod_preinitialized == 1) {
@@ -782,7 +820,9 @@ int tls_h_mod_pre_init_f(void)
LM_DBG("preparing tls env for modules initialization\n");
#if OPENSSL_VERSION_NUMBER >= 0x010100000L && !defined(LIBRESSL_VERSION_NUMBER)
LM_DBG("preparing tls env for modules initialization (libssl >=1.1)\n");
-#if OPENSSL_VERSION_NUMBER >= 0x010101000L
+#if OPENSSL_VERSION_NUMBER >= 0x030000000L
+ // skip init for 3.x
+#elif OPENSSL_VERSION_NUMBER >= 0x010101000L
OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL);
#else
OPENSSL_init_ssl(0, NULL);
@@ -791,42 +831,17 @@ int tls_h_mod_pre_init_f(void)
LM_DBG("preparing tls env for modules initialization (libssl <=1.0)\n");
SSL_library_init();
#endif
+#if OPENSSL_VERSION_NUMBER < 0x030000000L
SSL_load_error_strings();
+#endif
#if OPENSSL_VERSION_NUMBER >= 0x030000000L
- do {
- OSSL_LIB_CTX *osslglobal = NULL;
- EVP_RAND_CTX *randctx = NULL;
-
- LM_DBG("enabling locking for rand ctx\n");
-
- osslglobal = OSSL_LIB_CTX_get0_global_default();
- if(osslglobal == NULL) {
- LM_ERR("failed to get lib ssl global ctx\n");
- return -1;
- }
-
- randctx = RAND_get0_primary(osslglobal);
- if(randctx == NULL) {
- LM_ERR("primary rand ctx is null\n");
- return -1;
- }
- EVP_RAND_enable_locking(randctx);
-
- randctx = RAND_get0_public(osslglobal);
- if(randctx == NULL) {
- LM_ERR("public rand ctx is null\n");
- return -1;
- }
- EVP_RAND_enable_locking(randctx);
-
- randctx = RAND_get0_private(osslglobal);
- if(randctx == NULL) {
- LM_ERR("private rand ctx is null\n");
- return -1;
- }
- EVP_RAND_enable_locking(randctx);
- } while(0);
+ pthread_t tid;
+ long rl;
+ pthread_create(&tid, NULL, (void *(*)(void *))tls_h_mod_randctx, NULL);
+ pthread_join(tid, (void **)&rl);
+ if ((int)rl)
+ return (int)rl;
#endif
tls_mod_preinitialized = 1;
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 3a04776..1e74ba0 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -440,7 +440,16 @@ static int mod_child(int rank)
/* fix tls config only from the main proc/PROC_INIT., when we know
* the exact process number and before any other process starts*/
- if(rank == PROC_INIT) {
+
+#if OPENSSL_VERSION_NUMBER >= 0x030000000L
+ /*
+ * OpenSSL 3.x: create shared SSL_CTX* in worker to avoid init of
+ * libssl in rank 0(thread#1)
+ */
+ if(rank == PROC_SIPINIT) {
+#else
+ if(rank == PROC_INIT) {
+#endif
if(cfg_get(tls, tls_cfg, config_file).s) {
if(tls_fix_domains_cfg(
*tls_domains_cfg, &srv_defaults, &cli_defaults)

@ -1,29 +0,0 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Thu, 4 Jan 2024 21:51:15 +0800
Subject: tls: fix compilation with OpenSSL <= 1.1.1
(cherry-pick from 7111687e1107261bcdd7a9f8cc90959754c93272)
---
src/modules/tls/tls_init.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c
index 0bc12d3..872fdb2 100644
--- a/src/modules/tls/tls_init.c
+++ b/src/modules/tls/tls_init.c
@@ -769,6 +769,7 @@ int tls_pre_init(void)
* tls mod pre-init function
* - executed before any mod_init()
*/
+#if OPENSSL_VERSION_NUMBER >= 0x030000000L
long tls_h_mod_randctx(void *) {
do {
OSSL_LIB_CTX *osslglobal = NULL;
@@ -806,6 +807,7 @@ long tls_h_mod_randctx(void *) {
return 0L;
}
+#endif
int tls_h_mod_pre_init_f(void)
{

@ -1,49 +0,0 @@
From: Daniel-Constantin Mierla <miconda@gmail.com>
Date: Fri, 8 Dec 2023 12:34:56 +0100
Subject: tls: init early the local lock for memory
- needed to done before mod param init_mode is set
- runtime uses the modparam to do lock/unlock
- #3668
(cherry picked from commit 1a9b0b63617afebcee2aecb3b2240d7684ecabc2)
---
src/modules/tls/tls_init.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c
index 6106cc7..57be9ca 100644
--- a/src/modules/tls/tls_init.c
+++ b/src/modules/tls/tls_init.c
@@ -78,7 +78,7 @@ int ksr_tls_lock_init(void)
{
pthread_mutexattr_t attr;
- if(!(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)) {
+ if(ksr_tls_lock_shm != NULL) {
return 0;
}
ksr_tls_lock_shm = (pthread_mutex_t *)shm_mallocxz(sizeof(pthread_mutex_t));
@@ -723,6 +723,11 @@ int tls_pre_init(void)
LM_INFO("libssl linked mode: static\n");
#endif
+ if(ksr_tls_lock_init() < 0) {
+ LM_ERR("failed to init local lock\n");
+ return -1;
+ }
+
/*
* this has to be called before any function calling CRYPTO_malloc,
* CRYPTO_malloc will set allow_customize in openssl to 0
@@ -770,6 +775,10 @@ int tls_h_mod_pre_init_f(void)
LM_DBG("already mod pre-initialized\n");
return 0;
}
+ if(ksr_tls_lock_init() < 0) {
+ LM_ERR("failed to init local lock\n");
+ return -1;
+ }
LM_DBG("preparing tls env for modules initialization\n");
#if OPENSSL_VERSION_NUMBER >= 0x010100000L && !defined(LIBRESSL_VERSION_NUMBER)
LM_DBG("preparing tls env for modules initialization (libssl >=1.1)\n");

@ -1,218 +0,0 @@
From: Daniel-Constantin Mierla <miconda@gmail.com>
Date: Thu, 7 Dec 2023 13:00:50 +0100
Subject: tls: rework init mode 1 to set PTHREAD_PROCESS_SHARED
- pthread mutex set in shm
- GH #3635
(cherry picked from commit 4b068f49b618dca5fa85a1687bd9054c1d98ae6a)
---
src/modules/tls/tls_init.c | 62 ++++++++++++++++++++++++++++++++--------------
src/modules/tls/tls_mod.c | 8 +++---
2 files changed, 47 insertions(+), 23 deletions(-)
diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c
index d7399e8..6106cc7 100644
--- a/src/modules/tls/tls_init.c
+++ b/src/modules/tls/tls_init.c
@@ -69,20 +69,31 @@ static int tls_mod_preinitialized = 0;
static int tls_mod_initialized = 0;
extern int ksr_tls_init_mode;
-pthread_mutex_t ksr_tls_lock_shm;
+static pthread_mutex_t *ksr_tls_lock_shm = NULL;
/**
*
*/
int ksr_tls_lock_init(void)
{
+ pthread_mutexattr_t attr;
+
if(!(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)) {
return 0;
}
- if(pthread_mutex_init(&ksr_tls_lock_shm, NULL) != 0) {
+ ksr_tls_lock_shm = (pthread_mutex_t *)shm_mallocxz(sizeof(pthread_mutex_t));
+ if(ksr_tls_lock_shm == NULL) {
+ LM_ERR("mutex allocation failed\n");
+ return -1;
+ }
+ pthread_mutexattr_init(&attr);
+ pthread_mutexattr_setpshared(&attr, PTHREAD_PROCESS_SHARED);
+ if(pthread_mutex_init(ksr_tls_lock_shm, &attr) != 0) {
+ pthread_mutexattr_destroy(&attr);
LM_ERR("mutex init failed\n");
return -1;
}
+ pthread_mutexattr_destroy(&attr);
return 0;
}
@@ -94,7 +105,8 @@ void ksr_tls_lock_destroy(void)
if(!(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)) {
return;
}
- pthread_mutex_destroy(&ksr_tls_lock_shm);
+ pthread_mutex_destroy(ksr_tls_lock_shm);
+ shm_free(ksr_tls_lock_shm);
return;
}
@@ -248,7 +260,7 @@ static void *ser_malloc(size_t size, const char *file, int line)
#endif
if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_lock(&ksr_tls_lock_shm);
+ pthread_mutex_lock(ksr_tls_lock_shm);
#ifdef RAND_NULL_MALLOC
/* start random null returns only after
@@ -278,7 +290,7 @@ static void *ser_malloc(size_t size, const char *file, int line)
}
#endif
if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_unlock(&ksr_tls_lock_shm);
+ pthread_mutex_unlock(ksr_tls_lock_shm);
return p;
}
@@ -293,7 +305,7 @@ static void *ser_realloc(void *ptr, size_t size, const char *file, int line)
#endif
if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_lock(&ksr_tls_lock_shm);
+ pthread_mutex_lock(ksr_tls_lock_shm);
#ifdef RAND_NULL_MALLOC
/* start random null returns only after
@@ -324,10 +336,22 @@ static void *ser_realloc(void *ptr, size_t size, const char *file, int line)
#endif
if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_unlock(&ksr_tls_lock_shm);
+ pthread_mutex_unlock(ksr_tls_lock_shm);
return p;
}
+
+static void ser_free(void *ptr, const char *fname, int fline)
+{
+ if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
+ pthread_mutex_lock(ksr_tls_lock_shm);
+ if(ptr) {
+ shm_free(ptr);
+ }
+ if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
+ pthread_mutex_unlock(ksr_tls_lock_shm);
+}
+
#endif /* LIBRESSL_VERSION_NUMBER */
#else /*TLS_MALLOC_DBG */
@@ -340,10 +364,10 @@ static void *ser_malloc(size_t size)
void *p;
if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_lock(&ksr_tls_lock_shm);
+ pthread_mutex_lock(ksr_tls_lock_shm);
p = shm_malloc(size);
if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_unlock(&ksr_tls_lock_shm);
+ pthread_mutex_unlock(ksr_tls_lock_shm);
return p;
}
@@ -352,10 +376,10 @@ static void *ser_realloc(void *ptr, size_t size)
{
void *p;
if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_lock(&ksr_tls_lock_shm);
+ pthread_mutex_lock(ksr_tls_lock_shm);
p = shm_realloc(ptr, size);
if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_unlock(&ksr_tls_lock_shm);
+ pthread_mutex_unlock(ksr_tls_lock_shm);
return p;
}
#else
@@ -363,10 +387,10 @@ static void *ser_malloc(size_t size, const char *fname, int fline)
{
void *p;
if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_lock(&ksr_tls_lock_shm);
+ pthread_mutex_lock(ksr_tls_lock_shm);
p = shm_malloc(size);
if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_unlock(&ksr_tls_lock_shm);
+ pthread_mutex_unlock(ksr_tls_lock_shm);
return p;
}
@@ -375,10 +399,10 @@ static void *ser_realloc(void *ptr, size_t size, const char *fname, int fline)
{
void *p;
if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_lock(&ksr_tls_lock_shm);
+ pthread_mutex_lock(ksr_tls_lock_shm);
p = shm_realloc(ptr, size);
if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_unlock(&ksr_tls_lock_shm);
+ pthread_mutex_unlock(ksr_tls_lock_shm);
return p;
}
#endif
@@ -396,23 +420,23 @@ static void ser_free(void *ptr)
* here in the wrapper function.
*/
if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_lock(&ksr_tls_lock_shm);
+ pthread_mutex_lock(ksr_tls_lock_shm);
if(ptr) {
shm_free(ptr);
}
if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_unlock(&ksr_tls_lock_shm);
+ pthread_mutex_unlock(ksr_tls_lock_shm);
}
#else
static void ser_free(void *ptr, const char *fname, int fline)
{
if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_lock(&ksr_tls_lock_shm);
+ pthread_mutex_lock(ksr_tls_lock_shm);
if(ptr) {
shm_free(ptr);
}
if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_unlock(&ksr_tls_lock_shm);
+ pthread_mutex_unlock(ksr_tls_lock_shm);
}
#endif
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index c966e34..3a04776 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -402,10 +402,6 @@ static int mod_init(void)
if(tls_check_sockets(*tls_domains_cfg) < 0)
goto error;
- if(ksr_tls_lock_init() < 0) {
- goto error;
- }
-
LM_INFO("use OpenSSL version: %08x\n", (uint32_t)(OPENSSL_VERSION_NUMBER));
#ifndef OPENSSL_NO_ECDH
LM_INFO("With ECDH-Support!\n");
@@ -674,6 +670,10 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2)
if(!shm_initialized() && init_shm() < 0)
return -1;
+ if(ksr_tls_lock_init() < 0) {
+ return -1;
+ }
+
if(tls_pre_init() < 0)
return -1;

@ -1,140 +0,0 @@
From: S-P Chan <shihping.chan@gmail.com>
Date: Fri, 5 Jan 2024 08:09:34 +0800
Subject: tls: thread-local,
revert 1a9b0b6361 as double-layer locking is redundant
- the 2nd lock was put in place as defensive programming for shm contention
- GH #3695: the underlying issue is early init of thread-locals
(cherry-pick from 1c70775530b1a3a905e8a983610cb0d092b0d240)
---
src/modules/tls/tls_init.c | 39 ---------------------------------------
1 file changed, 39 deletions(-)
diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c
index 2d5a9e1..58289c6 100644
--- a/src/modules/tls/tls_init.c
+++ b/src/modules/tls/tls_init.c
@@ -259,9 +259,6 @@ static void *ser_malloc(size_t size, const char *file, int line)
static ticks_t st = 0;
#endif
- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_lock(ksr_tls_lock_shm);
-
#ifdef RAND_NULL_MALLOC
/* start random null returns only after
* NULL_GRACE_PERIOD from first call */
@@ -289,8 +286,6 @@ static void *ser_malloc(size_t size, const char *file, int line)
size, file, line, bt_buf);
}
#endif
- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_unlock(ksr_tls_lock_shm);
return p;
}
@@ -304,9 +299,6 @@ static void *ser_realloc(void *ptr, size_t size, const char *file, int line)
static ticks_t st = 0;
#endif
- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_lock(ksr_tls_lock_shm);
-
#ifdef RAND_NULL_MALLOC
/* start random null returns only after
* NULL_GRACE_PERIOD from first call */
@@ -335,21 +327,14 @@ static void *ser_realloc(void *ptr, size_t size, const char *file, int line)
}
#endif
- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_unlock(ksr_tls_lock_shm);
-
return p;
}
static void ser_free(void *ptr, const char *fname, int fline)
{
- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_lock(ksr_tls_lock_shm);
if(ptr) {
shm_free(ptr);
}
- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_unlock(ksr_tls_lock_shm);
}
#endif /* LIBRESSL_VERSION_NUMBER */
@@ -363,11 +348,7 @@ static void *ser_malloc(size_t size)
{
void *p;
- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_lock(ksr_tls_lock_shm);
p = shm_malloc(size);
- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_unlock(ksr_tls_lock_shm);
return p;
}
@@ -375,22 +356,14 @@ static void *ser_malloc(size_t size)
static void *ser_realloc(void *ptr, size_t size)
{
void *p;
- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_lock(ksr_tls_lock_shm);
p = shm_realloc(ptr, size);
- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_unlock(ksr_tls_lock_shm);
return p;
}
#else
static void *ser_malloc(size_t size, const char *fname, int fline)
{
void *p;
- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_lock(ksr_tls_lock_shm);
p = shm_malloc(size);
- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_unlock(ksr_tls_lock_shm);
return p;
}
@@ -398,11 +371,7 @@ static void *ser_malloc(size_t size, const char *fname, int fline)
static void *ser_realloc(void *ptr, size_t size, const char *fname, int fline)
{
void *p;
- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_lock(ksr_tls_lock_shm);
p = shm_realloc(ptr, size);
- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_unlock(ksr_tls_lock_shm);
return p;
}
#endif
@@ -419,24 +388,16 @@ static void ser_free(void *ptr)
* As shm_free() aborts on null pointers, we have to check for null pointer
* here in the wrapper function.
*/
- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_lock(ksr_tls_lock_shm);
if(ptr) {
shm_free(ptr);
}
- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_unlock(ksr_tls_lock_shm);
}
#else
static void ser_free(void *ptr, const char *fname, int fline)
{
- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_lock(ksr_tls_lock_shm);
if(ptr) {
shm_free(ptr);
}
- if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM)
- pthread_mutex_unlock(ksr_tls_lock_shm);
}
#endif