sr-dev January 2024

sr-dev@lists.kamailio.org

19 participants
311 discussions

git:master:8038fba2: pv_core: Fix negative index bug for hfl()

by Daniel-Constantin Mierla

Module: kamailio Branch: master Commit: 8038fba2dd056193b37a5c2571f2d4d910c47e73 URL: https://github.com/kamailio/kamailio/commit/8038fba2dd056193b37a5c2571f2d4d… Author: Xenofon Karamanos <xk(a)gilawa.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2024-01-05T10:25:02+01:00 pv_core: Fix negative index bug for hfl() Before: -1 yielded null and -2 the last element of a header --- Modified: src/modules/pv/pv_core.c --- Diff: https://github.com/kamailio/kamailio/commit/8038fba2dd056193b37a5c2571f2d4d… Patch: https://github.com/kamailio/kamailio/commit/8038fba2dd056193b37a5c2571f2d4d… --- diff --git a/src/modules/pv/pv_core.c b/src/modules/pv/pv_core.c index d98abbf975d..129247f2688 100644 --- a/src/modules/pv/pv_core.c +++ b/src/modules/pv/pv_core.c @@ -2149,7 +2149,7 @@ int pv_get_hfl(sip_msg_t *msg, pv_param_t *param, pv_value_t *res) return pv_get_null(msg, param, res); } if(idx < 0) { - n = 1; + n = 0; /* count Via header bodies */ for(hf = msg->h_via1; hf != NULL; hf = hf->next) { if(hf->type == HDR_VIA_T) { @@ -2207,7 +2207,7 @@ int pv_get_hfl(sip_msg_t *msg, pv_param_t *param, pv_value_t *res) } if(idx < 0) { - n = 1; + n = 0; /* count Record-Route/Route header bodies */ for(; hf != NULL; hf = hf->next) { if(hf->type == tv.ri) { @@ -2290,7 +2290,7 @@ int pv_get_hfl(sip_msg_t *msg, pv_param_t *param, pv_value_t *res) return pv_get_null(msg, param, res); } if(idx < 0) { - n = 1; + n = 0; /* count Contact header bodies */ for(hf = msg->contact; hf != NULL; hf = hf->next) { if(hf->type == HDR_CONTACT_T) {

10 months, 3 weeks

[kamailio/kamailio] pv_core: Fix negative index bug for hfl() (PR #3697)

by Xenofon Karamanos

Before: -1 yielded null and -2 the last element of a header   #### Pre-Submission Checklist    - [x] Commit message has the format required by CONTRIBUTING guide - [x] Commits are split per component (core, individual modules, libs, utils, ...) - [x] Each component has a single commit (if not, squash them into one commit) - [x] No commits to README files for modules (changes must be done to docbook files in `doc/` subfolder, the README file is autogenerated) #### Type Of Change - [x] Small bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds new functionality) - [ ] Breaking change (fix or feature that would change existing functionality) #### Checklist:  - [x] PR should be backported to stable branches - [x] Tested changes locally - [x] Related to issue #3653 #### Description  This PR fixes a bug referenced in #3653. Before fix `$(hfl(HEADER)[-1]` where `HEADER='Via' | Contact | Route | Record-Route ` produced `null` instead of the last element of header. You can view, comment on, or merge this pull request online at: https://github.com/kamailio/kamailio/pull/3697 -- Commit Summary -- * pv_core: Fix negative index bug for hfl() -- File Changes -- M src/modules/pv/pv_core.c (6) -- Patch Links -- https://github.com/kamailio/kamailio/pull/3697.patch https://github.com/kamailio/kamailio/pull/3697.diff -- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/pull/3697 You are receiving this because you are subscribed to this thread. Message ID: <kamailio/kamailio/pull/3697(a)github.com>

10 months, 3 weeks

git:master:1c707755: tls: thread-local, revert 1a9b0b6361 as double-layer locking is redundant

by S-P Chan

Module: kamailio Branch: master Commit: 1c70775530b1a3a905e8a983610cb0d092b0d240 URL: https://github.com/kamailio/kamailio/commit/1c70775530b1a3a905e8a983610cb0d… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: S-P Chan <shihping.chan(a)gmail.com> Date: 2024-01-05T08:09:34+08:00 tls: thread-local, revert 1a9b0b6361 as double-layer locking is redundant - the 2nd lock was put in place as defensive programming for shm contention - GH #3695: the underlying issue is early init of thread-locals --- Modified: src/modules/tls/tls_init.c --- Diff: https://github.com/kamailio/kamailio/commit/1c70775530b1a3a905e8a983610cb0d… Patch: https://github.com/kamailio/kamailio/commit/1c70775530b1a3a905e8a983610cb0d… --- diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c index 6a46ecbf2aa..d077b41e08a 100644 --- a/src/modules/tls/tls_init.c +++ b/src/modules/tls/tls_init.c @@ -259,9 +259,6 @@ static void *ser_malloc(size_t size, const char *file, int line) static ticks_t st = 0; #endif - if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) - pthread_mutex_lock(ksr_tls_lock_shm); - #ifdef RAND_NULL_MALLOC /* start random null returns only after * NULL_GRACE_PERIOD from first call */ @@ -288,8 +285,6 @@ static void *ser_malloc(size_t size, const char *file, int line) size, file, line, bt_buf); } #endif - if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) - pthread_mutex_unlock(ksr_tls_lock_shm); return p; } @@ -303,9 +298,6 @@ static void *ser_realloc(void *ptr, size_t size, const char *file, int line) static ticks_t st = 0; #endif - if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) - pthread_mutex_lock(ksr_tls_lock_shm); - #ifdef RAND_NULL_MALLOC /* start random null returns only after * NULL_GRACE_PERIOD from first call */ @@ -333,21 +325,14 @@ static void *ser_realloc(void *ptr, size_t size, const char *file, int line) } #endif - if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) - pthread_mutex_unlock(ksr_tls_lock_shm); - return p; } static void ser_free(void *ptr, const char *fname, int fline) { - if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) - pthread_mutex_lock(ksr_tls_lock_shm); if(ptr) { shm_free(ptr); } - if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) - pthread_mutex_unlock(ksr_tls_lock_shm); } #endif /* LIBRESSL_VERSION_NUMBER */ @@ -361,11 +346,7 @@ static void *ser_malloc(size_t size) { void *p; - if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) - pthread_mutex_lock(ksr_tls_lock_shm); p = shm_malloc(size); - if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) - pthread_mutex_unlock(ksr_tls_lock_shm); return p; } @@ -373,22 +354,14 @@ static void *ser_malloc(size_t size) static void *ser_realloc(void *ptr, size_t size) { void *p; - if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) - pthread_mutex_lock(ksr_tls_lock_shm); p = shm_realloc(ptr, size); - if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) - pthread_mutex_unlock(ksr_tls_lock_shm); return p; } #else static void *ser_malloc(size_t size, const char *fname, int fline) { void *p; - if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) - pthread_mutex_lock(ksr_tls_lock_shm); p = shm_malloc(size); - if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) - pthread_mutex_unlock(ksr_tls_lock_shm); return p; } @@ -396,11 +369,7 @@ static void *ser_malloc(size_t size, const char *fname, int fline) static void *ser_realloc(void *ptr, size_t size, const char *fname, int fline) { void *p; - if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) - pthread_mutex_lock(ksr_tls_lock_shm); p = shm_realloc(ptr, size); - if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) - pthread_mutex_unlock(ksr_tls_lock_shm); return p; } #endif @@ -417,24 +386,16 @@ static void ser_free(void *ptr) * As shm_free() aborts on null pointers, we have to check for null pointer * here in the wrapper function. */ - if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) - pthread_mutex_lock(ksr_tls_lock_shm); if(ptr) { shm_free(ptr); } - if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) - pthread_mutex_unlock(ksr_tls_lock_shm); } #else static void ser_free(void *ptr, const char *fname, int fline) { - if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) - pthread_mutex_lock(ksr_tls_lock_shm); if(ptr) { shm_free(ptr); } - if(ksr_tls_init_mode & TLS_MODE_PTHREAD_LOCK_SHM) - pthread_mutex_unlock(ksr_tls_lock_shm); } #endif

10 months, 3 weeks

git:master:798cc269: tls: OpenSSL 3.x/1.1.1 thread-local, clean-up dead code and preprocessor

by S-P Chan

Module: kamailio Branch: master Commit: 798cc26908395d2ba21015684ad6f0ac4f012b2e URL: https://github.com/kamailio/kamailio/commit/798cc26908395d2ba21015684ad6f0a… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: S-P Chan <shihping.chan(a)gmail.com> Date: 2024-01-05T08:06:13+08:00 tls: OpenSSL 3.x/1.1.1 thread-local, clean-up dead code and preprocessor blocks --- Modified: src/modules/tls/tls_init.c Modified: src/modules/tls/tls_mod.c --- Diff: https://github.com/kamailio/kamailio/commit/798cc26908395d2ba21015684ad6f0a… Patch: https://github.com/kamailio/kamailio/commit/798cc26908395d2ba21015684ad6f0a… --- diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c index 8da6dfb07f1..6a46ecbf2aa 100644 --- a/src/modules/tls/tls_init.c +++ b/src/modules/tls/tls_init.c @@ -824,12 +824,7 @@ int tls_h_mod_pre_init_f(void) LM_DBG("preparing tls env for modules initialization\n"); #if OPENSSL_VERSION_NUMBER >= 0x010100000L && !defined(LIBRESSL_VERSION_NUMBER) LM_DBG("preparing tls env for modules initialization (libssl >=1.1)\n"); -#if OPENSSL_VERSION_NUMBER >= 0x030000000L - // skip init for 3.x -#elif OPENSSL_VERSION_NUMBER >= 0x010101000L - //not needed on Linux - //OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL); -#else +#if OPENSSL_VERSION_NUMBER < 0x010100000L OPENSSL_init_ssl(0, NULL); #endif #else diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c index 03874edabba..7cad1b046e4 100644 --- a/src/modules/tls/tls_mod.c +++ b/src/modules/tls/tls_mod.c @@ -438,20 +438,9 @@ static int mod_child(int rank) if(tls_disable || (tls_domains_cfg == 0)) return 0; - /* fix tls config only from the main proc/PROC_INIT., when we know - * the exact process number and before any other process starts*/ - if(rank == PROC_INIT) { -#if OPENSSL_VERSION_NUMBER >= 0x010101000L \ - && OPENSSL_VERSION_NUMBER < 0x030000000L - if(ksr_tls_init_mode & TLS_MODE_FORK_PREPARE) { - // not needed on Linux: OPENSSL_fork_prepare(); - } -#endif - } - #if OPENSSL_VERSION_NUMBER >= 0x010101000L /* - * OpenSSL 3.x: create shared SSL_CTX* in worker to avoid init of + * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in worker to avoid init of * libssl in rank 0(thread#1) */ if(rank == PROC_SIPINIT) { @@ -471,22 +460,6 @@ static int mod_child(int rank) return 0; } -#if OPENSSL_VERSION_NUMBER >= 0x010101000L \ - && OPENSSL_VERSION_NUMBER < 0x030000000L - if(ksr_tls_init_mode & TLS_MODE_FORK_PREPARE) { - if(rank == PROC_POSTCHILDINIT) { - /* - * this is called after forking of all child processes - */ - // not needed on Linux: OPENSSL_fork_parent(); - return 0; - } - if(!_ksr_is_main) { - // not needed on Linux: OPENSSL_fork_child(); - } - } -#endif - #ifndef OPENSSL_NO_ENGINE /* * after the child is fork()ed we go through the TLS domains @@ -514,6 +487,11 @@ static void mod_destroy(void) * => nothing to do here */ } +/* + * GH #3695: OpenSSL 1.1.1: it is no longer necessary to replace RAND + * - early init in rank 0 causes workers to inherit public_drbg/private_drbg + * which are not thread-safe + */ int ksr_rand_engine_param(modparam_t type, void *val) { @@ -690,12 +668,10 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2) register_tls_hooks(&tls_h); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L \ - && OPENSSL_VERSION_NUMBER < 0x030000000L - LM_DBG("setting cryptorand random engine\n"); - // RAND_set_rand_method(RAND_ksr_cryptorand_method()); -#endif - + /* + * GH #3695: OpenSSL 1.1.1 historical note: it is no longer + * needed to replace RAND with cryptorand + */ sr_kemi_modules_add(sr_kemi_tls_exports); return 0;

10 months, 3 weeks

[kamailio/kamailio] tls: OpenSSL 3 root cause of crashes is shared state (Issue #3695)

by space88man

### Description References: #3635 Early initialization of tls in OpenSSL 3 in rank 0 results in the use of shared state (pointers to the same shared memory location). Note: this is not related to shared memory allocation contention as this protected by a (multi-process)futex. Under heavy traffic the workers will corrupt each others state (race condition). This is only visible under heavy loading and is the reason for the intermittent appearance in #3635. Ping @miconda https://github.com/kamailio/kamailio/commit/1a9b0b63617afebcee2aecb3b2240d7… Since qm/fm are already protected by a multi-process futex this commit is redundant (it puts a pthread mutex around the futex). I have been able to reproduce OpenSSL 3 crashes with heavy loading with this commit. Example of shared object is the error state (SSL_get_error). It should be per worker but ``` CRITICAL: <core> [core/mem/q_malloc.c:555]: qm_free(): BUG: freeing already freed pointer (0x7f1d7f9c77b0), called from tls: tls_init.c: ser_free(535), first free tls: tls_init.c: ser_free(535) - ignoring ``` shows that multiple workers are accessing the same object (in OpenSSL this is `ERR_STATE *`). ### Troubleshooting N/A #### Reproduction * create heaving loading of TLS clients * observe shm logging errors #### Debugging Data Dump `ERR_STATE *` from two different processes: observe that these are identical meaning both workers are using the same struct. ``` # !!!!IMPORTANT!!!! 2 == OpenSSL thread local key for ERR_STATE * (gdb) p err_thread_local $3 = 2 # this is worker 1, process_no 7 Reading symbols from /usr/local/kamailio/lib64/kamailio/modules/debugger.so... [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". 0x00007f1df054e80a in epoll_wait (epfd=5, events=0x7f1db0504990, maxevents=1, timeout=2000) at ../sysdeps/unix/sysv/linux/epoll_wait.c:30 30 return SYSCALL_CANCEL (epoll_wait, epfd, events, maxevents, timeout); (gdb) p pthread_getspecific(2) $1 = (void *) 0x7f1d700a65a0 # this is worker 2, process_no 8, rank 4 Reading symbols from /usr/local/kamailio/lib64/kamailio/modules/stun.so... Reading symbols from /usr/local/kamailio/lib64/kamailio/modules/debugger.so... [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". --Type <RET> for more, q to quit, c to continue without paging--c 0x00007f1df054e80a in epoll_wait (epfd=5, events=0x7f1db0504990, maxevents=1, timeout=2000) at ../sysdeps/unix/sysv/linux/epoll_wait.c:30 30 return SYSCALL_CANCEL (epoll_wait, epfd, events, maxevents, timeout); (gdb) p pthread_getspecific(2) $2 = (void *) 0x7f1d700a65a0 ``` #### Log Messages ``` CRITICAL: <core> [core/mem/q_malloc.c:555]: qm_free(): BUG: freeing already freed pointer (0x7f1d7f9c77b0), called from tls: tls_init.c: ser_free(535), first free tls: tls_init.c: ser_free(535) - ignoring ``` #### SIP Traffic N/A ### Possible Solutions - avoid doing TLS initialization in rank 0; this will require cooperation from all modules that use OpenSSL 3 themselves. If an OpenSSL-using module initializes state before `fork()` then all workers will reuse global state ### Additional Information - OpenSSL 3 has initialize-once and initialize-once-per-thread states. An example of this is `ERR_STATE *` - this is of the type initialize-once-per-thread. - when kamailio does OpenSSL initialization in rank 0, the workers inherit all "global" objects. If these objects are in shared memory then the worker processes will contend for the same state leading to corruption - due to the design of the OpenSSL 3 alot of this state (static variables, one time initialization) cannot be reinitialized after `fork()`. "initialize-once-per-thread" can be reinitialized if the child were to spawn threads. -- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/3695 You are receiving this because you are subscribed to this thread. Message ID: <kamailio/kamailio/issues/3695(a)github.com>

10 months, 3 weeks

git:master:7b531cfe: tls: OpenSSL 1.1.1 thread-local, init libssl in thread

by S-P Chan

Module: kamailio Branch: master Commit: 7b531cfe038fae5e3414ac74c4e076c10e32b86c URL: https://github.com/kamailio/kamailio/commit/7b531cfe038fae5e3414ac74c4e076c… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: S-P Chan <shihping.chan(a)gmail.com> Date: 2024-01-04T22:24:16+08:00 tls: OpenSSL 1.1.1 thread-local, init libssl in thread - no need for RAND workaround; default is OpenSSL 1.1.1 RAND - linux/pthreads will handle forking --- Modified: src/modules/tls/tls_init.c Modified: src/modules/tls/tls_mod.c --- Diff: https://github.com/kamailio/kamailio/commit/7b531cfe038fae5e3414ac74c4e076c… Patch: https://github.com/kamailio/kamailio/commit/7b531cfe038fae5e3414ac74c4e076c… --- diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c index acf1c1456f8..8da6dfb07f1 100644 --- a/src/modules/tls/tls_init.c +++ b/src/modules/tls/tls_init.c @@ -827,7 +827,8 @@ int tls_h_mod_pre_init_f(void) #if OPENSSL_VERSION_NUMBER >= 0x030000000L // skip init for 3.x #elif OPENSSL_VERSION_NUMBER >= 0x010101000L - OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL); + //not needed on Linux + //OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL); #else OPENSSL_init_ssl(0, NULL); #endif @@ -835,7 +836,7 @@ int tls_h_mod_pre_init_f(void) LM_DBG("preparing tls env for modules initialization (libssl <=1.0)\n"); SSL_library_init(); #endif -#if OPENSSL_VERSION_NUMBER < 0x030000000L +#if OPENSSL_VERSION_NUMBER < 0x010101000L SSL_load_error_strings(); #endif diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c index 1e74ba0e309..03874edabba 100644 --- a/src/modules/tls/tls_mod.c +++ b/src/modules/tls/tls_mod.c @@ -440,8 +440,16 @@ static int mod_child(int rank) /* fix tls config only from the main proc/PROC_INIT., when we know * the exact process number and before any other process starts*/ + if(rank == PROC_INIT) { +#if OPENSSL_VERSION_NUMBER >= 0x010101000L \ + && OPENSSL_VERSION_NUMBER < 0x030000000L + if(ksr_tls_init_mode & TLS_MODE_FORK_PREPARE) { + // not needed on Linux: OPENSSL_fork_prepare(); + } +#endif + } -#if OPENSSL_VERSION_NUMBER >= 0x030000000L +#if OPENSSL_VERSION_NUMBER >= 0x010101000L /* * OpenSSL 3.x: create shared SSL_CTX* in worker to avoid init of * libssl in rank 0(thread#1) @@ -460,12 +468,6 @@ static int mod_child(int rank) < 0) return -1; } -#if OPENSSL_VERSION_NUMBER >= 0x010101000L \ - && OPENSSL_VERSION_NUMBER < 0x030000000L - if(ksr_tls_init_mode & TLS_MODE_FORK_PREPARE) { - OPENSSL_fork_prepare(); - } -#endif return 0; } @@ -476,11 +478,11 @@ static int mod_child(int rank) /* * this is called after forking of all child processes */ - OPENSSL_fork_parent(); + // not needed on Linux: OPENSSL_fork_parent(); return 0; } if(!_ksr_is_main) { - OPENSSL_fork_child(); + // not needed on Linux: OPENSSL_fork_child(); } } #endif @@ -691,7 +693,7 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2) #if OPENSSL_VERSION_NUMBER >= 0x10100000L \ && OPENSSL_VERSION_NUMBER < 0x030000000L LM_DBG("setting cryptorand random engine\n"); - RAND_set_rand_method(RAND_ksr_cryptorand_method()); + // RAND_set_rand_method(RAND_ksr_cryptorand_method()); #endif sr_kemi_modules_add(sr_kemi_tls_exports);

10 months, 3 weeks

git:master:7111687e: tls: fix compilation with OpenSSL <= 1.1.1

by S-P Chan

Module: kamailio Branch: master Commit: 7111687e1107261bcdd7a9f8cc90959754c93272 URL: https://github.com/kamailio/kamailio/commit/7111687e1107261bcdd7a9f8cc90959… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: S-P Chan <shihping.chan(a)gmail.com> Date: 2024-01-04T21:57:56+08:00 tls: fix compilation with OpenSSL <= 1.1.1 --- Modified: src/modules/tls/tls_init.c --- Diff: https://github.com/kamailio/kamailio/commit/7111687e1107261bcdd7a9f8cc90959… Patch: https://github.com/kamailio/kamailio/commit/7111687e1107261bcdd7a9f8cc90959… --- diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c index ec62cf7669e..acf1c1456f8 100644 --- a/src/modules/tls/tls_init.c +++ b/src/modules/tls/tls_init.c @@ -771,6 +771,7 @@ int tls_pre_init(void) * tls mod pre-init function * - executed before any mod_init() */ +#if OPENSSL_VERSION_NUMBER >= 0x030000000L long tls_h_mod_randctx(void *) { do { OSSL_LIB_CTX *osslglobal = NULL; @@ -808,6 +809,7 @@ long tls_h_mod_randctx(void *) { return 0L; } +#endif int tls_h_mod_pre_init_f(void) {

10 months, 3 weeks

git:master:689de273: outbound: OpenSSL 1.1.1 thread-local, init libssl in thread

by S-P Chan

Module: kamailio Branch: master Commit: 689de2736f5c92f11860e5854ccd95c84239f032 URL: https://github.com/kamailio/kamailio/commit/689de2736f5c92f11860e5854ccd95c… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: S-P Chan <shihping.chan(a)gmail.com> Date: 2024-01-04T21:47:23+08:00 outbound: OpenSSL 1.1.1 thread-local, init libssl in thread --- Modified: src/modules/outbound/outbound_mod.c --- Diff: https://github.com/kamailio/kamailio/commit/689de2736f5c92f11860e5854ccd95c… Patch: https://github.com/kamailio/kamailio/commit/689de2736f5c92f11860e5854ccd95c… --- diff --git a/src/modules/outbound/outbound_mod.c b/src/modules/outbound/outbound_mod.c index 00c0a66f73b..a797eb8132e 100644 --- a/src/modules/outbound/outbound_mod.c +++ b/src/modules/outbound/outbound_mod.c @@ -110,7 +110,7 @@ static int mod_init(void) } ob_key.len = OB_KEY_LEN; -#if OPENSSL_VERSION_NUMBER < 0x030000000L +#if OPENSSL_VERSION_NUMBER < 0x010101000L mod_init_openssl(NULL); #else pthread_t tid;

10 months, 3 weeks

[kamailio/kamailio] WIP: RFC OpenSSL 3 fixes (PR #3696)

by space88man

#### Pre-Submission Checklist - [X] Commit message has the format required by CONTRIBUTING guide - [X ] Commits are split per component (core, individual modules, libs, utils, ...) - [X] Each component has a single commit (if not, squash them into one commit) - [X] No commits to README files for modules (changes must be done to docbook files in `doc/` subfolder, the README file is autogenerated) #### Type Of Change - [ ] Small bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds new functionality) - [X] Breaking change (fix or feature that would change existing functionality) #### Checklist:  - [ ] PR should be backported to stable branches - [x] Tested changes locally - [X] Related to issue #3695 , #3635 #### Description - changes to avoid setting `ERR_STATE *` in rank 0 main thread - all config is done in a transient worker thread - `tls_fix_domains_cfg()` is performed in `PROC_SIPINIT` instead of `PROC_INIT` (could also be done in worker thread) - changes to a module `outbound.so`: OpenSSL config is done in a transient worker thread You can view, comment on, or merge this pull request online at: https://github.com/kamailio/kamailio/pull/3696 -- Commit Summary -- * tls: POC for OpenSSL 3 * outbound: OpenSSL 3 POC * tls: skip OPENSSL_init_ssl -- File Changes -- M src/modules/outbound/outbound_mod.c (38) M src/modules/tls/tls_init.c (89) M src/modules/tls/tls_mod.c (6) -- Patch Links -- https://github.com/kamailio/kamailio/pull/3696.patch https://github.com/kamailio/kamailio/pull/3696.diff -- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/pull/3696 You are receiving this because you are subscribed to this thread. Message ID: <kamailio/kamailio/pull/3696(a)github.com>

10 months, 3 weeks

git:master:4742c813: outbound: OpenSSL 3.x thread-local, init libssl in thread

by S-P Chan

Module: kamailio Branch: master Commit: 4742c8131aba878c4fc954e42b656b9d4bafdd24 URL: https://github.com/kamailio/kamailio/commit/4742c8131aba878c4fc954e42b656b9… Author: S-P Chan <shihping.chan(a)gmail.com> Committer: S-P Chan <shihping.chan(a)gmail.com> Date: 2024-01-04T20:28:41+08:00 outbound: OpenSSL 3.x thread-local, init libssl in thread --- Modified: src/modules/outbound/outbound_mod.c --- Diff: https://github.com/kamailio/kamailio/commit/4742c8131aba878c4fc954e42b656b9… Patch: https://github.com/kamailio/kamailio/commit/4742c8131aba878c4fc954e42b656b9… --- diff --git a/src/modules/outbound/outbound_mod.c b/src/modules/outbound/outbound_mod.c index 4e408e22356..00c0a66f73b 100644 --- a/src/modules/outbound/outbound_mod.c +++ b/src/modules/outbound/outbound_mod.c @@ -75,6 +75,23 @@ struct module_exports exports = { destroy /* destroy function */ }; +static void *mod_init_openssl(void *) { + if(flow_token_secret.s) { + assert(ob_key.len == SHA_DIGEST_LENGTH); + LM_DBG("flow_token_secret mod param set. use persistent ob_key"); + SHA1((const unsigned char *)flow_token_secret.s, flow_token_secret.len, + (unsigned char *)ob_key.s); + } else { + if(RAND_bytes((unsigned char *)ob_key.s, ob_key.len) == 0) { + LM_ERR("unable to get %d cryptographically strong pseudo-" + "random bytes\n", + ob_key.len); + } + } + + return NULL; +} + static int mod_init(void) { if(ob_force_flag != -1 && !flag_in_range(ob_force_flag)) { @@ -93,18 +110,14 @@ static int mod_init(void) } ob_key.len = OB_KEY_LEN; - if(flow_token_secret.s) { - assert(ob_key.len == SHA_DIGEST_LENGTH); - LM_DBG("flow_token_secret mod param set. use persistent ob_key"); - SHA1((const unsigned char *)flow_token_secret.s, flow_token_secret.len, - (unsigned char *)ob_key.s); - } else { - if(RAND_bytes((unsigned char *)ob_key.s, ob_key.len) == 0) { - LM_ERR("unable to get %d cryptographically strong pseudo-" - "random bytes\n", - ob_key.len); - } - } +#if OPENSSL_VERSION_NUMBER < 0x030000000L + mod_init_openssl(NULL); +#else + pthread_t tid; + void *retval; + pthread_create(&tid, NULL, mod_init_openssl, NULL); + pthread_join(tid, &retval); +#endif if(cfg_declare("outbound", outbound_cfg_def, &default_outbound_cfg, cfg_sizeof(outbound), &outbound_cfg)) {

10 months, 3 weeks

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

sr-dev January 2024