Module: kamailio
Branch: 5.8
Commit: cafe437dcb637b0e571a2d2ffd04d911584404d9
URL:
https://github.com/kamailio/kamailio/commit/cafe437dcb637b0e571a2d2ffd04d91…
Author: S-P Chan <shihping.chan(a)gmail.com>
Committer: S-P Chan <shihping.chan(a)gmail.com>
Date: 2024-04-29T21:27:38+08:00
tls: clear thread-local variables up to tls_pthreads_key_mark
- other libraries may set thread-locals via pthread_setspecific
- assume that tls_pthreads_key_mark demarcates libssl's values
- only clean thread-local values up to tls_pthreads_key_mark
Currently only used by app_python[s]
(cherry picked from commit fe6f4fcde2fa06a3c00479cef169c27dc32ae490)
---
Modified: src/modules/tls/tls_mod.c
Modified: src/modules/tls/tls_rand.h
---
Diff:
https://github.com/kamailio/kamailio/commit/cafe437dcb637b0e571a2d2ffd04d91…
Patch:
https://github.com/kamailio/kamailio/commit/cafe437dcb637b0e571a2d2ffd04d91…
---
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 83b86d99d58..baa1a7c76d1 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -343,10 +343,11 @@ static tls_domains_cfg_t* tls_use_modparams(void)
* is < 10
*
*/
+static int tls_pthreads_key_mark;
static void fork_child(void)
{
- int k = 0;
- for(k = 0; k < 16; k++) {
+ int k;
+ for(k = 0; k < tls_pthreads_key_mark; k++) {
if(pthread_getspecific(k) != 0)
pthread_setspecific(k, 0x0);
}
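Review bot: With the loop bound now taken from `tls_pthreads_key_mark`, fork_child is a no-op until mod_init has computed the mark and stays one on builds where that detection block is compiled out, because the new static is zero-initialised, whereas the old loop cleared keys 0..15 unconditionally; if that is the intended behaviour, the declaration should say so, e.g. `/* highest pthread key libssl was seen to use, plus one; set in mod_init(), 0 means nothing to clear */`. The loop also passes plain ints as pthread_key_t values that were never returned by pthread_key_create(), which POSIX leaves undefined and which works only because glibc hands out small dense keys starting at 0; that assumption deserves a one-line comment next to the loop. The remainder of fork_child's body is outside the hunk.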
@@ -356,6 +357,8 @@ static int mod_init(void)
{
int method;
int verify_client;
+ unsigned char rand_buf[32];
+ int k;
if(tls_disable) {
LM_WARN("tls support is disabled "
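Review bot: The two added declarations `unsigned char rand_buf[32];` and `int k;` are unconditional, but the only code that references them in mod_init sits inside an `#if OPENSSL_VERSION_NUMBER >= 0x010101000L` block, so builds against older OpenSSL get unused-variable warnings for both (an error under -Werror); wrap the declarations in the same guard or move them into the guarded block. mod_init continues past this hunk.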
@@ -464,6 +467,23 @@ static int mod_init(void)
if(ksr_tls_threads_mode == 2) {
pthread_atfork(NULL, NULL, &fork_child);
}
+
+#if OPENSSL_VERSION_NUMBER >= 0x010101000L
+ /*
+ * force creation of all thread-locals now so that other libraries
+ * that use pthread_key_create(), e.g. python,
+ * will have larger key values
+ */
+ if(ksr_tls_threads_mode > 0) {
+ ERR_clear_error();
+ RAND_bytes(rand_buf, sizeof(rand_buf));
+ for(k = 0; k < 32; k++) {
+ if(pthread_getspecific(k))
+ tls_pthreads_key_mark = k + 1;
+ }
+ LM_WARN("set maximum pthreads key to %d\n", tls_pthreads_key_mark);
+ }
+#endif
return 0;
error:
tls_h_mod_destroy_f();
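Review bot: The result of `RAND_bytes(rand_buf, sizeof(rand_buf));` is discarded; the call is there only to make libssl create its thread-local keys, and when it fails (it returns 0 or -1 rather than 1) the keys may not exist yet and `tls_pthreads_key_mark` is left unset with no indication, so at least log it: `if(RAND_bytes(rand_buf, sizeof(rand_buf)) != 1) LM_WARN("RAND_bytes() failed, thread-local key mark may be incomplete\n");`. The probe loop then reads keys 0..31 that this code never created, which works on glibc (dense keys from 0, NULL for unused slots) but is undefined per POSIX, and any key another library has already set in this thread is swept into the mark as well; a comment stating both assumptions above the loop would help, and the bound 32 belongs in a named constant rather than being repeated as a literal. mod_init begins before this hunk.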
@@ -500,6 +520,7 @@ static int mod_child_hook(int *rank, void *dummy)
if(tls_fix_domains_cfg(*tls_domains_cfg, &mod_params, &mod_params) < 0)
return -1;
}
+
return 0;
}
@@ -509,17 +530,26 @@ static OSSL_LIB_CTX *new_ctx;
#endif
static int mod_child(int rank)
{
+ int k;
+
if(tls_disable || (tls_domains_cfg == 0))
return 0;
/*
- * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in thread executor
- * to avoid init of libssl in thread#1: ksr_tls_threads_mode = 1
- */
+ * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in thread executor
+ * to avoid init of libssl in thread#1: ksr_tls_threads_mode = 1
+ */
if(rank == PROC_INIT) {
return run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, NULL);
}
+ if(ksr_tls_threads_mode == 1 && rank && rank != PROC_INIT
+ && rank != PROC_POSTCHILDINIT) {
+ for(k = 0; k < tls_pthreads_key_mark; k++)
+ pthread_setspecific(k, 0x0);
+ LM_WARN("clean-up of thread-locals key < %d\n", tls_pthreads_key_mark);
+ }
+
#ifdef KSR_SSL_COMMON
/*
* after the child is fork()ed we go through the TLS domains
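Review bot: The clean-up condition repeats `rank != PROC_INIT` although the `if(rank == PROC_INIT)` branch a few lines above has already returned, so `if(ksr_tls_threads_mode == 1 && rank && rank != PROC_POSTCHILDINIT) {` says the same thing; the loop also calls `pthread_setspecific(k, 0x0)` for every key below the mark without the `pthread_getspecific(k) != 0` test that fork_child applies, and the two should agree on one form. A routine clean-up is logged at LM_WARN here, as is the computed mark in mod_init; LM_DBG or LM_INFO would keep the warning level meaningful for operators. mod_child continues past the hunk.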
diff --git a/src/modules/tls/tls_rand.h b/src/modules/tls/tls_rand.h
index 58ddc853acd..7bbcf3a628c 100644
--- a/src/modules/tls/tls_rand.h
+++ b/src/modules/tls/tls_rand.h
@@ -21,10 +21,10 @@
#define _TLS_RAND_H_
#include <openssl/ssl.h>
+#include <openssl/rand.h>
#if OPENSSL_VERSION_NUMBER >= 0x10100000L \
&& OPENSSL_VERSION_NUMBER < 0x030000000L
-#include <openssl/rand.h>
const RAND_METHOD *RAND_ksr_krand_method(void);
const RAND_METHOD *RAND_ksr_fastrand_method(void);