Module: kamailio Branch: 5.7 Commit: d8907b6290d37965d07ceaf30e6c06956a59c90a URL: https://github.com/kamailio/kamailio/commit/d8907b6290d37965d07ceaf30e6c0695...
Author: S-P Chan shihping.chan@gmail.com Committer: S-P Chan shihping.chan@gmail.com Date: 2024-05-04T19:35:23+08:00
tls: clear thread-local variables up to tls_pthreads_key_mark
- other libraries may set thread-locals via pthread_setspecific - assume that tls_pthreads_key_mark demarcates libssl's values - only clean thread-local values up to tls_pthreads_key_mark
Currently only used by app_python[s]
(cherry picked from commit fe6f4fcde2fa06a3c00479cef169c27dc32ae490)
---
Modified: src/modules/tls/tls_mod.c Modified: src/modules/tls/tls_rand.h
---
Diff: https://github.com/kamailio/kamailio/commit/d8907b6290d37965d07ceaf30e6c0695... Patch: https://github.com/kamailio/kamailio/commit/d8907b6290d37965d07ceaf30e6c0695...
---
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index c2a3c8de271..524419dd854 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -343,9 +343,11 @@ static tls_domains_cfg_t* tls_use_modparams(void)
 * is < 10
 *
 */
+static int tls_pthreads_key_mark;
 static void fork_child(void)
 {
- for(int k = 0; k < 16; k++) {
+ int k;
+ for(k = 0; k < tls_pthreads_key_mark; k++) {
 if(pthread_getspecific(k) != 0)
 pthread_setspecific(k, 0x0);
 }
@@ -355,6 +357,8 @@ static int mod_init(void)
 {
 int method;
 int verify_client;
+ unsigned char rand_buf[32];
+ int k;
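Review bot: `tls_pthreads_key_mark` is undocumented and defaults to 0, so in the first hunk `fork_child()` clears nothing unless `mod_init()` has set the mark. That assignment sits inside `#if OPENSSL_VERSION_NUMBER >= 0x010101000L` and `if(ksr_tls_threads_mode > 0)`, whereas the removed loop always cleared keys 0..15. If the atfork handler can still be registered in a build where that block is compiled out, the handler silently becomes a no-op, which is worth confirming. I would document the variable at its declaration, e.g. `/* one past the highest pthread key holding a non-NULL value after libssl init; 0 means nothing is cleared */`. The comment block above the declaration starts outside the hunk, and fork_child's closing brace is outside it as well.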
 if(tls_disable) {
 LM_WARN("tls support is disabled "
@@ -463,6 +467,23 @@ static int mod_init(void)
 if(ksr_tls_threads_mode == 2) {
 pthread_atfork(NULL, NULL, &fork_child);
 }
+
+#if OPENSSL_VERSION_NUMBER >= 0x010101000L
+ /*
+ * force creation of all thread-locals now so that other libraries
+ * that use pthread_key_create(), e.g. python,
+ * will have larger key values
+ */
+ if(ksr_tls_threads_mode > 0) {
+ ERR_clear_error();
+ RAND_bytes(rand_buf, sizeof(rand_buf));
+ for(k = 0; k < 32; k++) {
+ if(pthread_getspecific(k))
+ tls_pthreads_key_mark = k + 1;
+ }
+ LM_WARN("set maximum pthreads key to %d\n", tls_pthreads_key_mark);
+ }
+#endif
 return 0;
 error:
 tls_h_mod_destroy_f();
@@ -499,6 +520,7 @@ static int mod_child_hook(int *rank, void *dummy)
 if(tls_fix_domains_cfg(*tls_domains_cfg, &mod_params, &mod_params) < 0)
 return -1;
 }
+
 return 0;
 }
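Review bot: In the `ksr_tls_threads_mode > 0` block added to mod_init (hunk at -463), the result of `RAND_bytes(rand_buf, sizeof(rand_buf))` is discarded, yet the key scan that follows relies on that call having created libssl's thread-locals. If the call fails, or is served by a RAND method that does not touch them (an inference; the hunk does not show which method is active), the mark ends up too low and the later clean-up skips the keys above it. A check such as `if(RAND_bytes(rand_buf, sizeof(rand_buf)) != 1) LM_ERR("RAND_bytes failed, pthread key mark may be incomplete\n");` would make that visible. The loop also passes the plain integers 0..31 as `pthread_key_t`, which only works where keys are small integer indexes; a comment stating that assumption and a named constant for the 32 bound would help. The start of mod_init is outside this hunk.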
@@ -508,6 +530,8 @@ static OSSL_LIB_CTX *new_ctx;
 #endif
 static int mod_child(int rank)
 {
+ int k;
+
 if(tls_disable || (tls_domains_cfg == 0))
 return 0;
@@ -519,6 +543,13 @@ static int mod_child(int rank)
 return run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, NULL);
 }
+ if(ksr_tls_threads_mode == 1 && rank && rank != PROC_INIT
+ && rank != PROC_POSTCHILDINIT) {
+ for(k = 0; k < tls_pthreads_key_mark; k++)
+ pthread_setspecific(k, 0x0);
+ LM_WARN("clean-up of thread-locals key < %d\n", tls_pthreads_key_mark);
+ }
+
 #ifdef KSR_SSL_COMMON
 /*
 * after the child is fork()ed we go through the TLS domains
diff --git a/src/modules/tls/tls_rand.h b/src/modules/tls/tls_rand.h
index 58ddc853acd..7bbcf3a628c 100644
--- a/src/modules/tls/tls_rand.h
+++ b/src/modules/tls/tls_rand.h
@@ -21,10 +21,10 @@
 #define _TLS_RAND_H_
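Review bot: The clean-up added to mod_child sets every slot below `tls_pthreads_key_mark` to NULL regardless of which library owns the key, and `pthread_setspecific()` does not run a key's destructor. Any library or module that stored a thread-local before the scan in tls's `mod_init()` therefore has its value dropped in each worker too. The commit message states this assumption, but it belongs next to the loop, e.g. `/* assumes all keys below the mark belong to libssl; values are dropped, not destroyed */`. Separately, the message after the loop is logged with `LM_WARN` in every child although nothing is wrong, as is the "set maximum pthreads key" message in mod_init; `LM_DBG` would keep the warning level for real problems. mod_child begins and continues outside this hunk.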
 #include <openssl/ssl.h>
+#include <openssl/rand.h>
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L \
 && OPENSSL_VERSION_NUMBER < 0x030000000L
-#include <openssl/rand.h>
 const RAND_METHOD *RAND_ksr_krand_method(void);
 const RAND_METHOD *RAND_ksr_fastrand_method(void);