Module: kamailio
Branch: master
Commit: 684533d099d304091082fd8a130619a4c5550a80
URL:
https://github.com/kamailio/kamailio/commit/684533d099d304091082fd8a130619a…
Author: S-P Chan <shihping.chan(a)gmail.com>
Committer: S-P Chan <shihping.chan(a)gmail.com>
Date: 2024-12-05T09:28:07+08:00
tls: update docs about thread-locals
---
Modified: src/modules/tls/OpenSSL3-README.md
---
Diff:
https://github.com/kamailio/kamailio/commit/684533d099d304091082fd8a130619a…
Patch:
https://github.com/kamailio/kamailio/commit/684533d099d304091082fd8a130619a…
---
diff --git a/src/modules/tls/OpenSSL3-README.md b/src/modules/tls/OpenSSL3-README.md
index 6b6a7814129..ccc59957869 100644
--- a/src/modules/tls/OpenSSL3-README.md
+++ b/src/modules/tls/OpenSSL3-README.md
@@ -52,4 +52,99 @@ It is assumed that all `pthread_key_t` values at the high-water mark or
greater
by non-OpenSSL libraries. During fork, tls.so will clear all thread-locals up to the
high-water
mark.
-
+## Update
+@meengu(github) has an alternate solution from this
[
issue](https://github.com/OpenSIPS/opensips/issues/3388)
+The diff is included here for future reference. It may prove useful if the current
+solution fails in later versions of OpenSSL.
+
+ From 84b4df66853506ce8d4853ec0fbcb25545a67a54 Mon Sep 17 00:00:00 2001
+ From: Ondrej Jirman <megi(a)xff.cz>
+ Date: Mon, 13 May 2024 17:34:52 +0200
+ Subject: [PATCH] Fix openssl TLS data corruption in shared memory by workers
+
+ The problem is that somet TLS state is shared among workers but should
+ not be. We solve this by clearing the relevant TLS data after fork in the
+ child process.
+
+ We identify the data to clear by asking OPENSSL itself for the pointers,
+ and then searching through the first 32 TLS items.
+
+ Signed-off-by: Ondrej Jirman <megi(a)xff.cz>
+ ---
+ modules/tls_openssl/openssl.c | 47 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 47 insertions(+)
+
+ diff --git a/modules/tls_openssl/openssl.c b/modules/tls_openssl/openssl.c
+ index 522b68258527..067865eef20f 100644
+ --- a/modules/tls_openssl/openssl.c
+ +++ b/modules/tls_openssl/openssl.c
+ @@ -29,6 +29,9 @@
+ #include <openssl/opensslv.h>
+ #include <openssl/err.h>
+ #include <openssl/rand.h>
+ +#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ +#include <openssl/rand_drbg.h>
+ +#endif
+
+ #include "../../dprint.h"
+ #include "../../mem/shm_mem.h"
+ @@ -188,6 +191,48 @@ static int check_for_krb(void)
+ }
+ #endif
+
+ +static void clean_openssl_locals(void)
+ +{
+ +#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ + ERR_STATE *es = ERR_get_state();
+ + RAND_DRBG *r0 = RAND_DRBG_get0_public();
+ + RAND_DRBG *r1 = RAND_DRBG_get0_private();
+ +
+ + for(int k = 0; k < 32; k++) {
+ + void* p = pthread_getspecific(k);
+ + if (p && p == es) {
+ + pthread_setspecific(k, NULL);
+ + ERR_clear_error();
+ + } else if (p && p == r0) {
+ + pthread_setspecific(k, NULL);
+ + RAND_DRBG_get0_public();
+ + } else if (p && p == r1) {
+ + pthread_setspecific(k, NULL);
+ + RAND_DRBG_get0_private();
+ + }
+ + }
+ +#else
+ + OSSL_LIB_CTX *ctx = OSSL_LIB_CTX_get0_global_default();
+ + ERR_STATE *es = ERR_get_state();
+ + EVP_RAND_CTX *r0 = RAND_get0_public(ctx);
+ + EVP_RAND_CTX *r1 = RAND_get0_private(ctx);
+ +
+ + for(int k = 0; k < 32; k++) {
+ + void* p = pthread_getspecific(k);
+ + if (p && p == es) {
+ + pthread_setspecific(k, NULL);
+ + ERR_clear_error();
+ + } else if (p && p == r0) {
+ + pthread_setspecific(k, NULL);
+ + RAND_get0_public(ctx);
+ + } else if (p && p == r1) {
+ + pthread_setspecific(k, NULL);
+ + RAND_get0_private(ctx);
+ + }
+ + }
+ +#endif
+ +}
+ +
+ /*
+ * initialize ssl methods
+ */
+ @@ -297,6 +342,8 @@ static int mod_init(void)
+ on_exit(openssl_on_exit, NULL);
+ #endif
+
+ + pthread_atfork(NULL, NULL, clean_openssl_locals);
+ +
+ return 0;
+ }
+
+ --
+ 2.45.0
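Review bot: The new "Update" section records the alternate patch without stating the assumptions it depends on, which matters if it is ever picked up as a fallback. `clean_openssl_locals` passes the raw integers 0 to 31 to `pthread_getspecific`/`pthread_setspecific`; POSIX leaves that undefined for keys not returned by `pthread_key_create`, so it only works where `pthread_key_t` is a small index and OpenSSL's keys happen to fall below 32. If they do not, the loop matches nothing and the child silently keeps the inherited error-state and RAND pointers, the condition the patch is meant to remove; the return value of `pthread_atfork` is also not checked. I would add a sentence after "It may prove useful…" such as `Caveat: the patch probes pthread keys 0-31 directly, which assumes pthread_key_t is a small integer index and that OpenSSL's keys lie in that range; verify both on the target libc and OpenSSL version before relying on it.`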