TT#91551 tls: revert possible regression

Change-Id: Ib7274e5044ba435fc9cbdc54e924bf2dbe793111

debian/patches/series

@@ -30,6 +30,10 @@ sipwise/sca-fix-pickup-when-upstream-flow.patch
 sipwise/sca-fix-on-hold-detection-when-upstream-flow.patch
 sipwise/sca-debug.patch
 sipwise/sca-fix-notify-after-bye.patch
+## backports from upstream (5.4)
+upstream/0001-Revert-tls-proper-ifdef-on-libssl-version-for-tls_in.patch
+upstream/0002-Revert-tls-added-define-condition-on-version-functio.patch
+upstream/0003-Revert-tls-support-compilation-without-deprecated-Op.patch
 ### relevant for upstream
 sipwise/pua_dialoginfo-refresh_pubruri_avps_flag.patch
 sipwise/pua_dialoginfo-local_identity_dlg_var.patch

debian/patches/upstream/0001-Revert-tls-proper-ifdef-on-libssl-version-for-tls_in.patch

@@ -0,0 +1,38 @@
+From: Victor Seva <linuxmaniac@torreviejawireless.org>
+Date: Wed, 2 Sep 2020 13:11:51 +0200
+Subject: [PATCH 1/3] Revert "tls: proper ifdef on libssl version for
+ tls_init_locks()"
+
+This reverts commit e9baba91c6c7e3d1817e8a07bbabbce3a8efbe79.
+---
+ src/modules/tls/tls_locking.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/src/modules/tls/tls_locking.c b/src/modules/tls/tls_locking.c
+index 21078e8..3eb6f03 100644
+--- a/src/modules/tls/tls_locking.c
++++ b/src/modules/tls/tls_locking.c
+@@ -140,7 +140,7 @@ unsigned long sr_ssl_id_f()
+ /* returns -1 on error, 0 on success */
+ int tls_init_locks()
+ {
+-/* OpenSSL is no longer supporting to set locking callbacks since 1.1.0 */
++/* OpenSSL is thread-safe since 1.1.0 */
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	/* init "static" tls locks */
+ 	n_static_locks=CRYPTO_num_locks();
+@@ -185,13 +185,10 @@ int tls_init_locks()
+ 	 *  (only atomic_inc), fallback to the default use-locks mode
+ 	 * CRYPTO_set_add_lock_callback(atomic_add_f);
+ 	 */
++#endif
+ 
+ 	return 0;
+ error:
+ 	tls_destroy_locks();
+ 	return -1;
+-
+-#else
+-	return 0;
+-#endif
+ }

debian/patches/upstream/0002-Revert-tls-added-define-condition-on-version-functio.patch

@@ -0,0 +1,65 @@
+From: Victor Seva <linuxmaniac@torreviejawireless.org>
+Date: Wed, 2 Sep 2020 13:12:06 +0200
+Subject: [PATCH 2/3] Revert "tls: added define condition on version
+ functions"
+
+This reverts commit 67979e07b63b574687b1924c38fabd724d0ad876.
+---
+ src/modules/tls/tls_domain.c |  4 +---
+ src/modules/tls/tls_init.c   | 11 +----------
+ 2 files changed, 2 insertions(+), 13 deletions(-)
+
+diff --git a/src/modules/tls/tls_domain.c b/src/modules/tls/tls_domain.c
+index 2930bde..fc84033 100644
+--- a/src/modules/tls/tls_domain.c
++++ b/src/modules/tls/tls_domain.c
+@@ -63,11 +63,9 @@ static void setup_ecdh(SSL_CTX *ctx)
+ {
+    EC_KEY *ecdh;
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x010100000L
+-   if (SSLeay() < 0x1000005fL) {
++   if (OpenSSL_version_num() < 0x1000005fL) {
+       return;
+    }
+-#endif
+ 
+    ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+    SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
+diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c
+index f10d0c0..351ed41 100644
+--- a/src/modules/tls/tls_init.c
++++ b/src/modules/tls/tls_init.c
+@@ -645,7 +645,6 @@ int tls_h_mod_init_f(void)
+ {
+ 	/*struct socket_info* si;*/
+ 	long ssl_version;
+-	const char *ssl_version_txt;
+ #if OPENSSL_VERSION_NUMBER < 0x010100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 	int lib_kerberos;
+ 	int lib_zlib;
+@@ -668,15 +667,7 @@ int tls_h_mod_init_f(void)
+ #if OPENSSL_VERSION_NUMBER < 0x00907000L
+ 	LM_WARN("You are using an old version of OpenSSL (< 0.9.7). Upgrade!\n");
+ #endif
+-
+-#if OPENSSL_VERSION_NUMBER < 0x010100000L
+-	ssl_version=SSLeay();
+-	ssl_version_txt=SSLeay_version(SSLEAY_VERSION);
+-#else
+ 	ssl_version=OpenSSL_version_num();
+-	ssl_version_txt=OpenSSL_version(OPENSSL_VERSION);
+-#endif
+-
+ 	/* check if version have the same major minor and fix level
+ 	 * (e.g. 0.9.8a & 0.9.8c are ok, but 0.9.8 and 0.9.9x are not)
+ 	 * - values is represented as 0xMMNNFFPPS: major minor fix patch status
+@@ -688,7 +679,7 @@ int tls_h_mod_init_f(void)
+ 				" compiled \"%s\" (0x%08lx).\n"
+ 				" Please make sure a compatible version is used"
+ 				" (tls_force_run in kamailio.cfg will override this check)\n",
+-				ssl_version_txt, ssl_version,
++				OpenSSL_version(OPENSSL_VERSION), ssl_version,
+ 				OPENSSL_VERSION_TEXT, (long)OPENSSL_VERSION_NUMBER);
+ 		if (cfg_get(tls, tls_cfg, force_run))
+ 			LM_WARN("tls_force_run turned on, ignoring "

debian/patches/upstream/0003-Revert-tls-support-compilation-without-deprecated-Op.patch

@@ -0,0 +1,124 @@
+From: Victor Seva <linuxmaniac@torreviejawireless.org>
+Date: Wed, 2 Sep 2020 13:12:25 +0200
+Subject: [PATCH 3/3] Revert "tls: support compilation without deprecated
+ OpenSSL APIs"
+
+This reverts commit 10af8efa9061c2f52ee1db51c4cf665073c20dcc.
+---
+ src/modules/tls/tls_domain.c  |  4 +---
+ src/modules/tls/tls_init.c    | 15 +++++++--------
+ src/modules/tls/tls_locking.c |  6 +++---
+ 3 files changed, 11 insertions(+), 14 deletions(-)
+
+diff --git a/src/modules/tls/tls_domain.c b/src/modules/tls/tls_domain.c
+index fc84033..a8859c4 100644
+--- a/src/modules/tls/tls_domain.c
++++ b/src/modules/tls/tls_domain.c
+@@ -27,8 +27,6 @@
+ #include <stdlib.h>
+ #include <openssl/ssl.h>
+ #include <openssl/opensslv.h>
+-#include <openssl/bn.h>
+-#include <openssl/dh.h>
+ 
+ #ifndef OPENSSL_NO_ENGINE
+ #include <openssl/engine.h>
+@@ -63,7 +61,7 @@ static void setup_ecdh(SSL_CTX *ctx)
+ {
+    EC_KEY *ecdh;
+ 
+-   if (OpenSSL_version_num() < 0x1000005fL) {
++   if (SSLeay() < 0x1000005fL) {
+       return;
+    }
+ 
+diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c
+index 351ed41..b9288cb 100644
+--- a/src/modules/tls/tls_init.c
++++ b/src/modules/tls/tls_init.c
+@@ -627,13 +627,14 @@ int tls_h_mod_pre_init_f(void)
+ 		return 0;
+ 	}
+ 	LM_DBG("preparing tls env for modules initialization\n");
+-#if OPENSSL_VERSION_NUMBER < 0x010100000L || defined(LIBRESSL_VERSION_NUMBER)
++#if OPENSSL_VERSION_NUMBER >= 0x010100000L && !defined(LIBRESSL_VERSION_NUMBER)
++	LM_DBG("preparing tls env for modules initialization (libssl >=1.1)\n");
++	OPENSSL_init_ssl(0, NULL);
++#else
+ 	LM_DBG("preparing tls env for modules initialization (libssl <=1.0)\n");
+ 	SSL_library_init();
+-	SSL_load_error_strings();
+-#else
+-	LM_DBG("preparing tls env for modules initialization (libssl >=1.1)\n");
+ #endif
++	SSL_load_error_strings();
+ 	tls_mod_preinitialized=1;
+ 	return 0;
+ }
+@@ -667,7 +668,7 @@ int tls_h_mod_init_f(void)
+ #if OPENSSL_VERSION_NUMBER < 0x00907000L
+ 	LM_WARN("You are using an old version of OpenSSL (< 0.9.7). Upgrade!\n");
+ #endif
+-	ssl_version=OpenSSL_version_num();
++	ssl_version=SSLeay();
+ 	/* check if version have the same major minor and fix level
+ 	 * (e.g. 0.9.8a & 0.9.8c are ok, but 0.9.8 and 0.9.9x are not)
+ 	 * - values is represented as 0xMMNNFFPPS: major minor fix patch status
+@@ -679,7 +680,7 @@ int tls_h_mod_init_f(void)
+ 				" compiled \"%s\" (0x%08lx).\n"
+ 				" Please make sure a compatible version is used"
+ 				" (tls_force_run in kamailio.cfg will override this check)\n",
+-				OpenSSL_version(OPENSSL_VERSION), ssl_version,
++				SSLeay_version(SSLEAY_VERSION), ssl_version,
+ 				OPENSSL_VERSION_TEXT, (long)OPENSSL_VERSION_NUMBER);
+ 		if (cfg_get(tls, tls_cfg, force_run))
+ 			LM_WARN("tls_force_run turned on, ignoring "
+@@ -856,7 +857,6 @@ int tls_check_sockets(tls_domains_cfg_t* cfg)
+ void tls_h_mod_destroy_f(void)
+ {
+ 	LM_DBG("tls module final tls destroy\n");
+-#if OPENSSL_VERSION_NUMBER < 0x010100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 	if(tls_mod_preinitialized > 0)
+ 		ERR_free_strings();
+ 	/* TODO: free all the ctx'es */
+@@ -869,5 +869,4 @@ void tls_h_mod_destroy_f(void)
+ 	LM_DBG("executing openssl v1.1+ cleanup\n");
+ 	OPENSSL_cleanup();
+ #endif
+-#endif
+ }
+diff --git a/src/modules/tls/tls_locking.c b/src/modules/tls/tls_locking.c
+index 3eb6f03..4e5bbcc 100644
+--- a/src/modules/tls/tls_locking.c
++++ b/src/modules/tls/tls_locking.c
+@@ -140,8 +140,6 @@ unsigned long sr_ssl_id_f()
+ /* returns -1 on error, 0 on success */
+ int tls_init_locks()
+ {
+-/* OpenSSL is thread-safe since 1.1.0 */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	/* init "static" tls locks */
+ 	n_static_locks=CRYPTO_num_locks();
+ 	if (n_static_locks<0){
+@@ -169,10 +167,13 @@ int tls_init_locks()
+ 		CRYPTO_set_locking_callback(locking_f);
+ 	}
+ 
++/* OpenSSL is thread-safe since 1.1.0 */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	/* set "dynamic" locks callbacks */
+ 	CRYPTO_set_dynlock_create_callback(dyn_create_f);
+ 	CRYPTO_set_dynlock_lock_callback(dyn_lock_f);
+ 	CRYPTO_set_dynlock_destroy_callback(dyn_destroy_f);
++#endif
+ 
+ 	/* starting with v1.0.0 openssl does not use anymore getpid(), but address
+ 	 * of errno which can point to same virtual address in a multi-process
+@@ -185,7 +186,6 @@ int tls_init_locks()
+ 	 *  (only atomic_inc), fallback to the default use-locks mode
+ 	 * CRYPTO_set_add_lock_callback(atomic_add_f);
+ 	 */
+-#endif
+ 
+ 	return 0;
+ error: