Module: kamailio
Branch: 5.7
Commit: d8907b6290d37965d07ceaf30e6c06956a59c90a
URL:
https://github.com/kamailio/kamailio/commit/d8907b6290d37965d07ceaf30e6c069…
Author: S-P Chan <shihping.chan(a)gmail.com>
Committer: S-P Chan <shihping.chan(a)gmail.com>
Date: 2024-05-04T19:35:23+08:00
tls: clear thread-local variables up to tls_pthreads_key_mark
- other libraries may set thread-locals via pthread_setspecific
- assume that tls_pthreads_key_mark demarcates libssl's values
- only clean thread-local values up to tls_pthreads_key_mark
Currently only used by app_python[s]
(cherry picked from commit fe6f4fcde2fa06a3c00479cef169c27dc32ae490)
---
Modified: src/modules/tls/tls_mod.c
Modified: src/modules/tls/tls_rand.h
---
Diff:
https://github.com/kamailio/kamailio/commit/d8907b6290d37965d07ceaf30e6c069…
Patch:
https://github.com/kamailio/kamailio/commit/d8907b6290d37965d07ceaf30e6c069…
---
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index c2a3c8de271..524419dd854 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -343,9 +343,11 @@ static tls_domains_cfg_t* tls_use_modparams(void)
* is < 10
*
*/
+static int tls_pthreads_key_mark;
static void fork_child(void)
{
- for(int k = 0; k < 16; k++) {
+ int k;
+ for(k = 0; k < tls_pthreads_key_mark; k++) {
if(pthread_getspecific(k) != 0)
pthread_setspecific(k, 0x0);
}
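Review bot: The loop in fork_child() indexes pthread keys as plain integers 0..tls_pthreads_key_mark-1, which relies on pthread_key_t being a small sequential integer; that holds for glibc/NPTL but POSIX treats pthread_key_t as opaque, and calling pthread_getspecific() with a key that was never created is undefined there. A short comment above the loop would spare the next maintainer a search, e.g. `/* assumes pthread_key_t values are small sequential ints (glibc); keys below the mark are taken to be libssl's, see the probe in mod_init() */`. It is also worth stating in the same comment that the slots are only reset to NULL, not released, since the loop deliberately does not free anything. The comment that precedes fork_child() starts before this hunk.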
@@ -355,6 +357,8 @@ static int mod_init(void)
{
int method;
int verify_client;
+ unsigned char rand_buf[32];
+ int k;
if(tls_disable) {
LM_WARN("tls support is disabled "
@@ -463,6 +467,23 @@ static int mod_init(void)
if(ksr_tls_threads_mode == 2) {
pthread_atfork(NULL, NULL, &fork_child);
}
+
+#if OPENSSL_VERSION_NUMBER >= 0x010101000L
+ /*
+ * force creation of all thread-locals now so that other libraries
+ * that use pthread_key_create(), e.g. python,
+ * will have larger key values
+ */
+ if(ksr_tls_threads_mode > 0) {
+ ERR_clear_error();
+ RAND_bytes(rand_buf, sizeof(rand_buf));
+ for(k = 0; k < 32; k++) {
+ if(pthread_getspecific(k))
+ tls_pthreads_key_mark = k + 1;
+ }
+ LM_WARN("set maximum pthreads key to %d\n", tls_pthreads_key_mark);
+ }
+#endif
return 0;
error:
tls_h_mod_destroy_f();
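Review bot: The `RAND_bytes(rand_buf, sizeof(rand_buf));` call at the top of the new block discards its return value; RAND_bytes() returns 1 on success and 0 or -1 when the DRBG cannot be seeded, and since ERR_clear_error() is called just before it to keep the error queue clean, a failure would leave a stale entry on that queue. A minimal fix is `if(RAND_bytes(rand_buf, sizeof(rand_buf)) != 1) { LM_WARN("RAND_bytes failed, pthread key mark may be incomplete\n"); ERR_clear_error(); }`. Separately, the probe loop records the highest key in 0..31 holding a non-NULL value and the other hunks clear every key below it, so a key created by another library before mod_init(), or a libssl key at or above 32, would be mis-attributed; the existing comment should say so explicitly, and the LM_WARN for what is a normal startup message would read better as LM_INFO. mod_init() starts before and ends after this hunk.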
@@ -499,6 +520,7 @@ static int mod_child_hook(int *rank, void *dummy)
if(tls_fix_domains_cfg(*tls_domains_cfg, &mod_params, &mod_params) < 0)
return -1;
}
+
return 0;
}
@@ -508,6 +530,8 @@ static OSSL_LIB_CTX *new_ctx;
#endif
static int mod_child(int rank)
{
+ int k;
+
if(tls_disable || (tls_domains_cfg == 0))
return 0;
@@ -519,6 +543,13 @@ static int mod_child(int rank)
return run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, NULL);
}
+ if(ksr_tls_threads_mode == 1 && rank && rank != PROC_INIT
+ && rank != PROC_POSTCHILDINIT) {
+ for(k = 0; k < tls_pthreads_key_mark; k++)
+ pthread_setspecific(k, 0x0);
+ LM_WARN("clean-up of thread-locals key < %d\n", tls_pthreads_key_mark);
+ }
+
#ifdef KSR_SSL_COMMON
/*
* after the child is fork()ed we go through the TLS domains
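Review bot: The clearing loop added to mod_child() duplicates fork_child() (same bound, same pthread_setspecific(k, 0x0)) but drops the pthread_getspecific() != 0 guard, so the cleanup paths for threads_mode 1 and 2 already differ and are likely to drift further. Factoring both into one static helper placed next to fork_child() keeps them identical; mod_child() then calls it inside the existing condition, and the LM_WARN for this routine message fits LM_INFO or LM_DBG better. mod_child() starts before this hunk and continues after it.
```c
/* reset pthread keys below the mark (assumed to be libssl's, see mod_init())
 * to NULL; the values are not freed */
static void tls_pthreads_clear_keys(void)
{
	int k;
	for(k = 0; k < tls_pthreads_key_mark; k++) {
		if(pthread_getspecific(k) != 0)
			pthread_setspecific(k, 0x0);
	}
}

/* … unchanged: mod_child() up to the threads_mode check … */
	if(ksr_tls_threads_mode == 1 && rank && rank != PROC_INIT
			&& rank != PROC_POSTCHILDINIT) {
		tls_pthreads_clear_keys();
		LM_INFO("clean-up of thread-locals key < %d\n", tls_pthreads_key_mark);
	}
```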
diff --git a/src/modules/tls/tls_rand.h b/src/modules/tls/tls_rand.h
index 58ddc853acd..7bbcf3a628c 100644
--- a/src/modules/tls/tls_rand.h
+++ b/src/modules/tls/tls_rand.h
@@ -21,10 +21,10 @@
#define _TLS_RAND_H_
#include <openssl/ssl.h>
+#include <openssl/rand.h>
#if OPENSSL_VERSION_NUMBER >= 0x10100000L \
&& OPENSSL_VERSION_NUMBER < 0x030000000L
-#include <openssl/rand.h>
const RAND_METHOD *RAND_ksr_krand_method(void);
const RAND_METHOD *RAND_ksr_fastrand_method(void);