
List:       openser-devel
Subject:    [sr-dev] git:5.8:cafe437d: tls: clear thread-local variables up to tls_pthreads_key_mark
From:       S-P Chan via sr-dev <sr-dev () lists ! kamailio ! org>
Date:       2024-04-29 13:28:15
Message-ID: E1s1R3H-0002Tb-P4 () www ! kamailio ! org

Module: kamailio
Branch: 5.8
Commit: cafe437dcb637b0e571a2d2ffd04d911584404d9
URL: https://github.com/kamailio/kamailio/commit/cafe437dcb637b0e571a2d2ffd04d911584404d9

Author: S-P Chan <shihping.chan@gmail.com>
Committer: S-P Chan <shihping.chan@gmail.com>
Date: 2024-04-29T21:27:38+08:00

tls: clear thread-local variables up to tls_pthreads_key_mark

- other libraries may set thread-locals via pthread_setspecific
- assume that tls_pthreads_key_mark demarcates libssl's values
- only clean thread-local values up to tls_pthreads_key_mark

Currently only used by app_python[s]

(cherry picked from commit fe6f4fcde2fa06a3c00479cef169c27dc32ae490)

---

Modified: src/modules/tls/tls_mod.c
Modified: src/modules/tls/tls_rand.h

---

Diff:  https://github.com/kamailio/kamailio/commit/cafe437dcb637b0e571a2d2ffd04d911584404d9.diff
Patch: https://github.com/kamailio/kamailio/commit/cafe437dcb637b0e571a2d2ffd04d911584404d9.patch

---

diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 83b86d99d58..baa1a7c76d1 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -343,10 +343,11 @@ static tls_domains_cfg_t* tls_use_modparams(void)
  *     is < 10
  *
  */
+static int tls_pthreads_key_mark;
 static void fork_child(void)
 {
-	int k = 0;
-	for(k = 0; k < 16; k++) {
+	int k;
+	for(k = 0; k < tls_pthreads_key_mark; k++) {
 		if(pthread_getspecific(k) != 0)
 			pthread_setspecific(k, 0x0);
 	}
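Review bot: `tls_pthreads_key_mark` stays 0 unless the `#if OPENSSL_VERSION_NUMBER >= 0x010101000L` block in mod_init() runs with `ksr_tls_threads_mode > 0`, so in a build against an older OpenSSL the loop in fork_child() now clears nothing where it used to clear keys 0..15. If libssl keeps per-thread state in those slots on such builds (not visible here), the forked child would keep the parent's values, so the fallback should be stated explicitly or the old bound kept as the default. The declaration also sits between fork_child()'s block comment and the function, which detaches the comment from what it documents. Moving it above that comment with its own description, e.g. `/* one past the highest pthread key holding a value after libssl init; 0 = not probed */`, would address both. The block comment starts outside this hunk.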
@@ -356,6 +357,8 @@ static int mod_init(void)
 {
 	int method;
 	int verify_client;
+	unsigned char rand_buf[32];
+	int k;
 
 	if(tls_disable) {
 		LM_WARN("tls support is disabled "
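Review bot: `rand_buf` and `k` are declared unconditionally here but are used only inside the `#if OPENSSL_VERSION_NUMBER >= 0x010101000L` block added further down in mod_init(), so a build against an older OpenSSL gets two unused-variable warnings. Declaring them at the top of the guarded `if(ksr_tls_threads_mode > 0) {` block, or under the same `#if`, keeps them next to their only use. mod_init() continues outside this hunk.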
@@ -464,6 +467,23 @@ static int mod_init(void)
 	if(ksr_tls_threads_mode == 2) {
 		pthread_atfork(NULL, NULL, &fork_child);
 	}
+
+#if OPENSSL_VERSION_NUMBER >= 0x010101000L
+	/*
+	 * force creation of all thread-locals now so that other libraries
+	 * that use pthread_key_create(), e.g. python,
+	 * will have larger key values
+	 */
+	if(ksr_tls_threads_mode > 0) {
+		ERR_clear_error();
+		RAND_bytes(rand_buf, sizeof(rand_buf));
+		for(k = 0; k < 32; k++) {
+			if(pthread_getspecific(k))
+				tls_pthreads_key_mark = k + 1;
+		}
+		LM_WARN("set maximum pthreads key to %d\n", tls_pthreads_key_mark);
+	}
+#endif
 	return 0;
 error:
 	tls_h_mod_destroy_f();
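Review bot: The probe `for(k = 0; k < 32; k++)` treats every key below 32 that holds a non-NULL value in this thread as libssl's, so a key that another library or an earlier-loaded module created and set before mod_init() runs would raise `tls_pthreads_key_mark`, and its value would later be wiped in the children. The result of `RAND_bytes()` is also ignored; if it fails, the thread-locals the probe looks for may not exist yet, and a check such as `if(RAND_bytes(rand_buf, sizeof(rand_buf)) != 1) LM_WARN("RAND_bytes failed, thread-local key mark may be too low\n");` would make that visible. Passing bare integers to `pthread_getspecific()` relies on the platform numbering keys from 0, which POSIX does not promise, and the comment above the block should record that assumption. The closing message is informational and printed on every start, so `LM_DBG` or `LM_INFO` fits better than `LM_WARN`. mod_init() begins and ends outside this hunk.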
@@ -500,6 +520,7 @@ static int mod_child_hook(int *rank, void *dummy)
 		if(tls_fix_domains_cfg(*tls_domains_cfg, &mod_params, &mod_params) < 0)
 			return -1;
 	}
+
 	return 0;
 }
 
@@ -509,17 +530,26 @@ static OSSL_LIB_CTX *new_ctx;
 #endif
 static int mod_child(int rank)
 {
+	int k;
+
 	if(tls_disable || (tls_domains_cfg == 0))
 		return 0;
 
 	/*
-         * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in thread executor
-         * to avoid init of libssl in thread#1: ksr_tls_threads_mode = 1
-         */
+	 * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in thread executor
+	 * to avoid init of libssl in thread#1: ksr_tls_threads_mode = 1
+	 */
 	if(rank == PROC_INIT) {
 		return run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, NULL);
 	}
 
+	if(ksr_tls_threads_mode == 1 && rank && rank != PROC_INIT
+			&& rank != PROC_POSTCHILDINIT) {
+		for(k = 0; k < tls_pthreads_key_mark; k++)
+			pthread_setspecific(k, 0x0);
+		LM_WARN("clean-up of thread-locals key < %d\n", tls_pthreads_key_mark);
+	}
+
 #ifdef KSR_SSL_COMMON
 	/*
 	 * after the child is fork()ed we go through the TLS domains
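Review bot: The new loop sets every key below `tls_pthreads_key_mark` to NULL without checking the slot or the return value, and `pthread_setspecific()` does not run the key's destructor, so whatever the inherited pointers referenced is dropped rather than freed. If that is the intent (a forked child must not reuse the parent's per-thread libssl state), a short comment saying so would stop a later reader from "fixing" it. The test `rank != PROC_INIT` is redundant because the `if(rank == PROC_INIT)` branch just above already returned. `LM_WARN` fires once per child even when the mark is 0 and nothing was cleared; `LM_DBG("clean-up of thread-locals key < %d\n", tls_pthreads_key_mark);` guarded by `tls_pthreads_key_mark > 0` would keep the log quiet. mod_child() continues outside this hunk.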
diff --git a/src/modules/tls/tls_rand.h b/src/modules/tls/tls_rand.h
index 58ddc853acd..7bbcf3a628c 100644
--- a/src/modules/tls/tls_rand.h
+++ b/src/modules/tls/tls_rand.h
@@ -21,10 +21,10 @@
 #define _TLS_RAND_H_
 
 #include <openssl/ssl.h>
+#include <openssl/rand.h>
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L \
 		&& OPENSSL_VERSION_NUMBER < 0x030000000L
 
-#include <openssl/rand.h>
 
 const RAND_METHOD *RAND_ksr_krand_method(void);
 const RAND_METHOD *RAND_ksr_fastrand_method(void);
