Module: kamailio Branch: master Commit: 684533d099d304091082fd8a130619a4c5550a80 URL: https://github.com/kamailio/kamailio/commit/684533d099d304091082fd8a130619a4...
Author: S-P Chan shihping.chan@gmail.com Committer: S-P Chan shihping.chan@gmail.com Date: 2024-12-05T09:28:07+08:00
tls: update docs about thread-locals
---
Modified: src/modules/tls/OpenSSL3-README.md
---
Diff: https://github.com/kamailio/kamailio/commit/684533d099d304091082fd8a130619a4... Patch: https://github.com/kamailio/kamailio/commit/684533d099d304091082fd8a130619a4...
---
diff --git a/src/modules/tls/OpenSSL3-README.md b/src/modules/tls/OpenSSL3-README.md
index 6b6a7814129..ccc59957869 100644
--- a/src/modules/tls/OpenSSL3-README.md
+++ b/src/modules/tls/OpenSSL3-README.md
@@ -52,4 +52,99 @@ It is assumed that all `pthread_key_t` values at the high-water mark or greater by non-OpenSSL libraries. During fork, tls.so will clear all thread-locals up to the high-water mark.
-
+## Update
+@meengu(github) has an alternate solution from this [issue](https://github.com/OpenSIPS/opensips/issues/3388)
+The diff is included here for future reference. It may prove useful if the current
+solution fails in later versions of OpenSSL.
+
+ From 84b4df66853506ce8d4853ec0fbcb25545a67a54 Mon Sep 17 00:00:00 2001
+ From: Ondrej Jirman megi@xff.cz
+ Date: Mon, 13 May 2024 17:34:52 +0200
+ Subject: [PATCH] Fix openssl TLS data corruption in shared memory by workers
+
+ The problem is that somet TLS state is shared among workers but should
+ not be. We solve this by clearing the relevant TLS data after fork in the
+ child process.
+
+ We identify the data to clear by asking OPENSSL itself for the pointers,
+ and then searching through the first 32 TLS items.
+
+ Signed-off-by: Ondrej Jirman megi@xff.cz
+ ---
+ modules/tls_openssl/openssl.c | 47 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 47 insertions(+)
+
+ diff --git a/modules/tls_openssl/openssl.c b/modules/tls_openssl/openssl.c
+ index 522b68258527..067865eef20f 100644
+ --- a/modules/tls_openssl/openssl.c
+ +++ b/modules/tls_openssl/openssl.c
+ @@ -29,6 +29,9 @@
+ #include <openssl/opensslv.h>
+ #include <openssl/err.h>
+ #include <openssl/rand.h>
+ +#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ +#include <openssl/rand_drbg.h>
+ +#endif
+
+ #include "../../dprint.h"
+ #include "../../mem/shm_mem.h"
+ @@ -188,6 +191,48 @@ static int check_for_krb(void)
+ }
+ #endif
+
+ +static void clean_openssl_locals(void)
+ +{
+ +#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ + ERR_STATE *es = ERR_get_state();
+ + RAND_DRBG *r0 = RAND_DRBG_get0_public();
+ + RAND_DRBG *r1 = RAND_DRBG_get0_private();
+ +
+ + for(int k = 0; k < 32; k++) {
+ + void* p = pthread_getspecific(k);
+ + if (p && p == es) {
+ + pthread_setspecific(k, NULL);
+ + ERR_clear_error();
+ + } else if (p && p == r0) {
+ + pthread_setspecific(k, NULL);
+ + RAND_DRBG_get0_public();
+ + } else if (p && p == r1) {
+ + pthread_setspecific(k, NULL);
+ + RAND_DRBG_get0_private();
+ + }
+ + }
+ +#else
+ + OSSL_LIB_CTX *ctx = OSSL_LIB_CTX_get0_global_default();
+ + ERR_STATE *es = ERR_get_state();
+ + EVP_RAND_CTX *r0 = RAND_get0_public(ctx);
+ + EVP_RAND_CTX *r1 = RAND_get0_private(ctx);
+ +
+ + for(int k = 0; k < 32; k++) {
+ + void* p = pthread_getspecific(k);
+ + if (p && p == es) {
+ + pthread_setspecific(k, NULL);
+ + ERR_clear_error();
+ + } else if (p && p == r0) {
+ + pthread_setspecific(k, NULL);
+ + RAND_get0_public(ctx);
+ + } else if (p && p == r1) {
+ + pthread_setspecific(k, NULL);
+ + RAND_get0_private(ctx);
+ + }
+ + }
+ +#endif
+ +}
+ +
+ /*
+ * initialize ssl methods
+ */
+ @@ -297,6 +342,8 @@ static int mod_init(void)
+ on_exit(openssl_on_exit, NULL);
+ #endif
+
+ + pthread_atfork(NULL, NULL, clean_openssl_locals);
+ +
+ return 0;
+ }
+
+ --
+ 2.45.0