Module: kamailio
Branch: master
Commit: fe6f4fcde2fa06a3c00479cef169c27dc32ae490
URL: 
https://github.com/kamailio/kamailio/commit/fe6f4fcde2fa06a3c00479cef169c27dc32ae490

Author: S-P Chan <shihping.c...@gmail.com>
Committer: S-P Chan <shihping.c...@gmail.com>
Date: 2024-04-29T21:20:20+08:00

tls: clear thread-local variables up to tls_pthreads_key_mark

- other libraries may set thread-locals via pthread_setspecific
- assume that tls_pthreads_key_mark demarcates libssl's values
- only clear thread-local values up to tls_pthreads_key_mark

Currently only used by app_python[s]

---

Modified: src/modules/tls/tls_mod.c
Modified: src/modules/tls/tls_rand.h

---

Diff:  
https://github.com/kamailio/kamailio/commit/fe6f4fcde2fa06a3c00479cef169c27dc32ae490.diff
Patch: 
https://github.com/kamailio/kamailio/commit/fe6f4fcde2fa06a3c00479cef169c27dc32ae490.patch

---

diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 83b86d99d58..baa1a7c76d1 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -343,10 +343,11 @@ static tls_domains_cfg_t* tls_use_modparams(void)
  *     is < 10
  *
  */
+static int tls_pthreads_key_mark;
 static void fork_child(void)
 {
-       int k = 0;
-       for(k = 0; k < 16; k++) {
+       int k;
+       for(k = 0; k < tls_pthreads_key_mark; k++) {
                if(pthread_getspecific(k) != 0)
                        pthread_setspecific(k, 0x0);
        }
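Review bot: fork_child now clears nothing whenever `tls_pthreads_key_mark` is still 0, which is the case on builds where the `#if OPENSSL_VERSION_NUMBER >= 0x010101000L` probe in mod_init is compiled out or when the probe finds no key set; previously keys 0..15 were always cleared in the atfork child handler, so for those builds this is a silent behaviour change rather than a narrowing. Consider documenting the contract on the new static, e.g. `/* one past the highest pthread key libssl was seen to use; computed in mod_init(), 0 disables the clean-up */`, and either falling back to the old 16 when the mark is 0 or logging that the handler is a no-op. The loop also still treats pthread_key_t as a small dense integer and calls pthread_getspecific() on keys that may never have been created, which is implementation-specific (it happens to work on glibc) and deserves a one-line comment stating that assumption. fork_child's closing brace lies outside the hunk.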
@@ -356,6 +357,8 @@ static int mod_init(void)
 {
        int method;
        int verify_client;
+       unsigned char rand_buf[32];
+       int k;
 
        if(tls_disable) {
                LM_WARN("tls support is disabled "
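Review bot: `rand_buf` and `k` declared at the top of mod_init are only referenced inside the `#if OPENSSL_VERSION_NUMBER >= 0x010101000L` block further down the function, so on builds where that block is compiled out both become unused-variable warnings. Move the two declarations inside that `#if` block or wrap them in the same condition. mod_init continues past this hunk.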
@@ -464,6 +467,23 @@ static int mod_init(void)
        if(ksr_tls_threads_mode == 2) {
                pthread_atfork(NULL, NULL, &fork_child);
        }
+
+#if OPENSSL_VERSION_NUMBER >= 0x010101000L
+       /*
+        * force creation of all thread-locals now so that other libraries
+        * that use pthread_key_create(), e.g. python,
+        * will have larger key values
+        */
+       if(ksr_tls_threads_mode > 0) {
+               ERR_clear_error();
+               RAND_bytes(rand_buf, sizeof(rand_buf));
+               for(k = 0; k < 32; k++) {
+                       if(pthread_getspecific(k))
+                               tls_pthreads_key_mark = k + 1;
+               }
+               LM_WARN("set maximum pthreads key to %d\n", 
tls_pthreads_key_mark);
+       }
+#endif
        return 0;
 error:
        tls_h_mod_destroy_f();
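Review bot: The return value of `RAND_bytes(rand_buf, sizeof(rand_buf))` is ignored; when the DRBG cannot seed it returns 0 and the thread-locals this call is meant to instantiate may not exist, leaving `tls_pthreads_key_mark` at 0 or pointing at keys owned by some other library with no diagnostic. Check it, e.g. `if(RAND_bytes(rand_buf, sizeof(rand_buf)) != 1) LM_WARN("RAND_bytes() failed, pthread key mark may be wrong\n");`. The probing loop assumes pthread keys are small dense integers and that pthread_getspecific() on an unallocated key returns NULL, which holds on glibc but is not guaranteed by POSIX, so the loop wants a comment stating that assumption and that any key set by a library loaded before tls will also be counted. `LM_WARN("set maximum pthreads key to %d\n", ...)` reports an expected successful step on every start; LM_INFO or LM_DBG is the appropriate level.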
@@ -500,6 +520,7 @@ static int mod_child_hook(int *rank, void *dummy)
                if(tls_fix_domains_cfg(*tls_domains_cfg, &mod_params, 
&mod_params) < 0)
                        return -1;
        }
+
        return 0;
 }
 
@@ -509,17 +530,26 @@ static OSSL_LIB_CTX *new_ctx;
 #endif
 static int mod_child(int rank)
 {
+       int k;
+
        if(tls_disable || (tls_domains_cfg == 0))
                return 0;
 
        /*
-         * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in thread executor
-         * to avoid init of libssl in thread#1: ksr_tls_threads_mode = 1
-         */
+        * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in thread executor
+        * to avoid init of libssl in thread#1: ksr_tls_threads_mode = 1
+        */
        if(rank == PROC_INIT) {
                return run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, 
NULL);
        }
 
+       if(ksr_tls_threads_mode == 1 && rank && rank != PROC_INIT
+                       && rank != PROC_POSTCHILDINIT) {
+               for(k = 0; k < tls_pthreads_key_mark; k++)
+                       pthread_setspecific(k, 0x0);
+               LM_WARN("clean-up of thread-locals key < %d\n", 
tls_pthreads_key_mark);
+       }
+
 #ifdef KSR_SSL_COMMON
        /*
         * after the child is fork()ed we go through the TLS domains
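Review bot: In the new condition `rank && rank != PROC_INIT && rank != PROC_POSTCHILDINIT`, the `rank != PROC_INIT` test is dead because the `if(rank == PROC_INIT)` branch a few lines above already returns, so it can be reduced to `if(ksr_tls_threads_mode == 1 && rank && rank != PROC_POSTCHILDINIT)`. The loop clears every key unconditionally and discards pthread_setspecific()'s return value, whereas fork_child tests pthread_getspecific() first; giving both clean-up paths one shape, or a shared static helper, would keep them from drifting apart. `LM_WARN("clean-up of thread-locals key < %d\n", ...)` logs a normal expected action on every child start and belongs at LM_DBG. The block has no comment explaining why a forked child in mode 1 must drop libssl's inherited thread-local values; that reasoning currently lives only in the commit message and should be stated above the loop. mod_child continues past the hunk.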
diff --git a/src/modules/tls/tls_rand.h b/src/modules/tls/tls_rand.h
index 58ddc853acd..7bbcf3a628c 100644
--- a/src/modules/tls/tls_rand.h
+++ b/src/modules/tls/tls_rand.h
@@ -21,10 +21,10 @@
 #define _TLS_RAND_H_
 
 #include <openssl/ssl.h>
+#include <openssl/rand.h>
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L \
                && OPENSSL_VERSION_NUMBER < 0x030000000L
 
-#include <openssl/rand.h>
 
 const RAND_METHOD *RAND_ksr_krand_method(void);
 const RAND_METHOD *RAND_ksr_fastrand_method(void);
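Review bot: Moving `#include <openssl/rand.h>` above the version guard leaves two consecutive blank lines on the new side where the old include was removed; drop one of them. A short comment on the include, e.g. `/* unconditional: tls_mod.c calls RAND_bytes() via this header */`, would record why it no longer sits under the 1.1.x-only guard.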
