Module: kamailio
Branch: master
Commit: 706d7b7ff3bc2723614de328611c2100d19bf742
URL:
https://github.com/kamailio/kamailio/commit/706d7b7ff3bc2723614de328611c210…
Author: S-P Chan <shihping.chan(a)gmail.com>
Committer: S-P Chan <shihping.chan(a)gmail.com>
Date: 2024-02-25T10:41:18+08:00
tls: restore early init for other modules that use TLS
Client modules (e.g. dispatcher) that require outbound TLS
may race if tls init is too late.
Restore tls init to PROC_INIT with a thread executor.
Addresses GH #3765
---
Modified: src/modules/tls/tls_mod.c
---
Diff:
https://github.com/kamailio/kamailio/commit/706d7b7ff3bc2723614de328611c210…
Patch:
https://github.com/kamailio/kamailio/commit/706d7b7ff3bc2723614de328611c210…
---
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index beaf1b7b70b..463814720b8 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -42,6 +42,10 @@
#include "../../core/dprint.h"
#include "../../core/mod_fix.h"
#include "../../core/kemi.h"
+
+#define KSR_RTHREAD_SKIP_P
+#define KSR_RTHREAD_NEED_4PP
+#include "../../core/rthreads.h"
#include "tls_init.h"
#include "tls_server.h"
#include "tls_domain.h"
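Review bot: The two `KSR_RTHREAD_SKIP_P` / `KSR_RTHREAD_NEED_4PP` defines placed before the new `#include "../../core/rthreads.h"` carry no comment, and a reader of tls_mod.c cannot tell from this file what they select. They presumably configure which thread-executor variants rthreads.h emits (the `run_thread4PP` form is the one used later in this commit); a one-line comment such as `/* configure rthreads.h: we only need the run_thread4PP() executor here */` above the defines would make the dependency explicit.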
@@ -443,32 +447,40 @@ int tls_fix_engine_keys(tls_domains_cfg_t *, tls_domain_t *,
tls_domain_t *);
*
* EC operations do not use pthread_self(), so could use shared SSL_CTX
*/
+static int mod_child_hook(int *rank, void *dummy)
+{
+ LM_DBG("Loading SSL_CTX in process_no=%d rank=%d "
+ "ksr_tls_threads_mode=%d\n",
+ process_no, *rank, ksr_tls_threads_mode);
+ if(cfg_get(tls, tls_cfg, config_file).s) {
+ if(tls_fix_domains_cfg(*tls_domains_cfg, &srv_defaults, &cli_defaults)
+ < 0)
+ return -1;
+ } else {
+ if(tls_fix_domains_cfg(*tls_domains_cfg, &mod_params, &mod_params) < 0)
+ return -1;
+ }
+ return 0;
+}
+
static int mod_child(int rank)
{
if(tls_disable || (tls_domains_cfg == 0))
return 0;
#if OPENSSL_VERSION_NUMBER >= 0x010101000L
- /*
- * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in worker to avoid init of
- * libssl in rank 0(thread#1)
+ /*
+ * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in thread executor
+ * to avoid init of libssl in thread#1
*/
- if(rank == PROC_SIPINIT) {
+ if(rank == PROC_INIT && ksr_tls_threads_mode != 0) {
+ return run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, NULL);
+ }
#else
- if(rank == PROC_INIT) {
-#endif
- if(cfg_get(tls, tls_cfg, config_file).s) {
- if(tls_fix_domains_cfg(
- *tls_domains_cfg, &srv_defaults, &cli_defaults)
- < 0)
- return -1;
- } else {
- if(tls_fix_domains_cfg(*tls_domains_cfg, &mod_params, &mod_params)
- < 0)
- return -1;
- }
- return 0;
+ if(rank == PROC_INIT) {
+ return mod_child_hook(&rank, NULL);
}
+#endif /* OPENSSL_VERSION_NUMBER */
#ifndef OPENSSL_NO_ENGINE
/*
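Review bot: In the `OPENSSL_VERSION_NUMBER >= 0x010101000L` branch the new condition `if(rank == PROC_INIT && ksr_tls_threads_mode != 0)` means that when `ksr_tls_threads_mode == 0` mod_child never calls `tls_fix_domains_cfg()` at any rank, whereas the removed code ran it unconditionally at `PROC_SIPINIT`; unless that mode is initialized in mod_init (outside this hunk), the domain SSL_CTX setup would be silently skipped, so either add `if(rank == PROC_INIT && ksr_tls_threads_mode == 0) { return mod_child_hook(&rank, NULL); }` after the threaded case or a comment stating where mode 0 is handled. The hook receives `&rank`, the address of mod_child's own stack variable, which is only safe if `run_thread4PP()` executes the hook synchronously and joins before returning; a short comment on that line, e.g. `/* run_thread4PP() blocks until the hook returns, so &rank stays valid */`, would document the assumption (I cannot confirm it from this file). The `(_thread_proto4PP)mod_child_hook` cast also hides any mismatch between the hook's `int (int *, void *)` signature and the executor's expected type; if they differ, calling through the converted pointer is undefined behaviour, so it would be safer to declare mod_child_hook with the exact `_thread_proto4PP` signature and drop the cast. The body of mod_child continues past the end of this hunk.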
@@ -678,7 +690,7 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2)
register_tls_hooks(&tls_h);
- /*
+ /*
* GH #3695: OpenSSL 1.1.1 historical note: it is no longer
* needed to replace RAND with cryptorand
*/