Module: kamailio Branch: 5.8 Commit: cafe437dcb637b0e571a2d2ffd04d911584404d9 URL: https://github.com/kamailio/kamailio/commit/cafe437dcb637b0e571a2d2ffd04d911584404d9
Author: S-P Chan <shihping.c...@gmail.com> Committer: S-P Chan <shihping.c...@gmail.com> Date: 2024-04-29T21:27:38+08:00 tls: clear thread-local variables up to tls_pthreads_key_mark - other libraries may set thread-locals via pthread_setspecific - assume that tls_pthreads_key_mark demarcates libssl's values - only clean thread-local values up to tls_pthreads_key_mark Currently only used by app_python[s] (cherry picked from commit fe6f4fcde2fa06a3c00479cef169c27dc32ae490) --- Modified: src/modules/tls/tls_mod.c Modified: src/modules/tls/tls_rand.h --- Diff: https://github.com/kamailio/kamailio/commit/cafe437dcb637b0e571a2d2ffd04d911584404d9.diff Patch: https://github.com/kamailio/kamailio/commit/cafe437dcb637b0e571a2d2ffd04d911584404d9.patch --- diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c index 83b86d99d58..baa1a7c76d1 100644 --- a/src/modules/tls/tls_mod.c +++ b/src/modules/tls/tls_mod.c @@ -343,10 +343,11 @@ static tls_domains_cfg_t* tls_use_modparams(void) * is < 10 * */ +static int tls_pthreads_key_mark; static void fork_child(void) { - int k = 0; - for(k = 0; k < 16; k++) { + int k; + for(k = 0; k < tls_pthreads_key_mark; k++) { if(pthread_getspecific(k) != 0) pthread_setspecific(k, 0x0); } @@ -356,6 +357,8 @@ static int mod_init(void) { int method; int verify_client; + unsigned char rand_buf[32]; + int k; if(tls_disable) { LM_WARN("tls support is disabled " @@ -464,6 +467,23 @@ static int mod_init(void) if(ksr_tls_threads_mode == 2) { pthread_atfork(NULL, NULL, &fork_child); } + +#if OPENSSL_VERSION_NUMBER >= 0x010101000L + /* + * force creation of all thread-locals now so that other libraries + * that use pthread_key_create(), e.g. python, + * will have larger key values + */ + if(ksr_tls_threads_mode > 0) { + ERR_clear_error(); + RAND_bytes(rand_buf, sizeof(rand_buf)); + for(k = 0; k < 32; k++) { + if(pthread_getspecific(k)) + tls_pthreads_key_mark = k + 1; + } + LM_WARN("set maximum pthreads key to %d\n", tls_pthreads_key_mark); + } +#endif return 0; error: tls_h_mod_destroy_f(); @@ -500,6 +520,7 @@ static int mod_child_hook(int *rank, void *dummy) if(tls_fix_domains_cfg(*tls_domains_cfg, &mod_params, &mod_params) < 0) return -1; } + return 0; } @@ -509,17 +530,26 @@ static OSSL_LIB_CTX *new_ctx; #endif static int mod_child(int rank) { + int k; + if(tls_disable || (tls_domains_cfg == 0)) return 0; /* - * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in thread executor - * to avoid init of libssl in thread#1: ksr_tls_threads_mode = 1 - */ + * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in thread executor + * to avoid init of libssl in thread#1: ksr_tls_threads_mode = 1 + */ if(rank == PROC_INIT) { return run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, NULL); } + if(ksr_tls_threads_mode == 1 && rank && rank != PROC_INIT + && rank != PROC_POSTCHILDINIT) { + for(k = 0; k < tls_pthreads_key_mark; k++) + pthread_setspecific(k, 0x0); + LM_WARN("clean-up of thread-locals key < %d\n", tls_pthreads_key_mark); + } + #ifdef KSR_SSL_COMMON /* * after the child is fork()ed we go through the TLS domains diff --git a/src/modules/tls/tls_rand.h b/src/modules/tls/tls_rand.h index 58ddc853acd..7bbcf3a628c 100644 --- a/src/modules/tls/tls_rand.h +++ b/src/modules/tls/tls_rand.h @@ -21,10 +21,10 @@ #define _TLS_RAND_H_ #include <openssl/ssl.h> +#include <openssl/rand.h> #if OPENSSL_VERSION_NUMBER >= 0x10100000L \ && OPENSSL_VERSION_NUMBER < 0x030000000L -#include <openssl/rand.h> const RAND_METHOD *RAND_ksr_krand_method(void); const RAND_METHOD *RAND_ksr_fastrand_method(void); _______________________________________________ Kamailio (SER) - Development Mailing List To unsubscribe send an email to sr-dev-le...@lists.kamailio.org