Module: kamailio Branch: 5.7 Commit: 73b19da1e0dd512f9eb77ca0606092c545e8fb99 URL: https://github.com/kamailio/kamailio/commit/73b19da1e0dd512f9eb77ca0606092c5...
Author: S-P Chan shihping.chan@gmail.com Committer: S-P Chan shihping.chan@gmail.com Date: 2024-02-25T11:04:27+08:00
tls: restore early init for other modules that use TLS
Client modules (e.g. dispatcher) that require outbound TLS may race if tls init is too late.
Restore tls init to PROC_INIT with a thread executor.
Addresses GH #3765
Cherry-pick from 706d7b7ff3
---
Modified: src/modules/tls/tls_mod.c
---
Diff: https://github.com/kamailio/kamailio/commit/73b19da1e0dd512f9eb77ca0606092c5... Patch: https://github.com/kamailio/kamailio/commit/73b19da1e0dd512f9eb77ca0606092c5...
---
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 0d8ea3df4c5..6058592aa01 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -42,6 +42,10 @@
 #include "../../core/dprint.h"
 #include "../../core/mod_fix.h"
 #include "../../core/kemi.h"
+
+#define KSR_RTHREAD_SKIP_P
+#define KSR_RTHREAD_NEED_4PP
+#include "../../core/rthreads.h"
 #include "tls_init.h"
 #include "tls_server.h"
 #include "tls_domain.h"
@@ -443,6 +447,22 @@ int tls_fix_engine_keys(tls_domains_cfg_t *, tls_domain_t *, tls_domain_t *);
 *
 * EC operations do not use pthread_self(), so could use shared SSL_CTX
 */
+static int mod_child_hook(int *rank, void *dummy)
+{
+ LM_DBG("Loading SSL_CTX in process_no=%d rank=%d "
+ "ksr_tls_threads_mode=%d\n",
+ process_no, *rank, ksr_tls_threads_mode);
+ if(cfg_get(tls, tls_cfg, config_file).s) {
+ if(tls_fix_domains_cfg(*tls_domains_cfg, &srv_defaults, &cli_defaults)
+ < 0)
+ return -1;
+ } else {
+ if(tls_fix_domains_cfg(*tls_domains_cfg, &mod_params, &mod_params) < 0)
+ return -1;
+ }
+ return 0;
+}
+
 static int mod_child(int rank)
 {
 if(tls_disable || (tls_domains_cfg == 0))
@@ -450,29 +470,17 @@ static int mod_child(int rank)
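Review bot: mod_child_hook is declared as `static int mod_child_hook(int *rank, void *dummy)`, yet the following hunk passes it to run_thread4PP() through a `(_thread_proto4PP)` cast, which suggests its type does not match the executor's callback type (that typedef is in rthreads.h and is not shown on this page). Calling a function through an incompatible function-pointer type is undefined behaviour in C and is rejected by indirect-call CFI in hardened builds, so the helper is better declared with the callback's own parameter types, presumably `static int mod_child_hook(void *rank_p, void *dummy)` with `int rank = *(int *)rank_p;` inside, and the cast dropped. The block comment that used to document mod_child now sits directly above this helper; a short comment of its own, such as `/* load SSL_CTX for the TLS domains; called directly or via the thread executor */`, would keep the two apart.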
 #if OPENSSL_VERSION_NUMBER >= 0x010101000L
 /*
- * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in worker to avoid init of
- * libssl in rank 0(thread#1). Requires tls_threads_mode = 1 config.
- */
- if((rank == PROC_SIPINIT && ksr_tls_threads_mode)
- || (rank == PROC_INIT && !ksr_tls_threads_mode)) {
+ * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in thread executor
+ * to avoid init of libssl in thread#1
+ */
+ if(rank == PROC_INIT && ksr_tls_threads_mode != 0) {
+ return run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, NULL);
+ }
 #else
 if(rank == PROC_INIT) {
-#endif
- LM_DBG("Loading SSL_CTX in process_no=%d rank=%d "
- "ksr_tls_threads_mode=%d\n",
- process_no, rank, ksr_tls_threads_mode);
- if(cfg_get(tls, tls_cfg, config_file).s) {
- if(tls_fix_domains_cfg(
- *tls_domains_cfg, &srv_defaults, &cli_defaults)
- < 0)
- return -1;
- } else {
- if(tls_fix_domains_cfg(*tls_domains_cfg, &mod_params, &mod_params)
- < 0)
- return -1;
- }
- return 0;
+ return mod_child_hook(&rank, NULL);
 }
+#endif /* OPENSSL_VERSION_NUMBER */
 #ifndef OPENSSL_NO_ENGINE
 /*
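Review bot: On the OpenSSL >= 1.1.1 branch the new test `rank == PROC_INIT && ksr_tls_threads_mode != 0` leaves no path in this hunk that calls mod_child_hook when ksr_tls_threads_mode is 0, whereas the removed condition still covered `rank == PROC_INIT && !ksr_tls_threads_mode`. Unless that mode is handled outside the hunk, tls_fix_domains_cfg() is never reached from mod_child and the SSL_CTX loading announced by the debug message does not happen for those deployments. Keeping the direct call for mode 0 preserves the earlier behaviour, e.g. `if(rank == PROC_INIT) return ksr_tls_threads_mode != 0 ? run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, NULL) : mod_child_hook(&rank, NULL);`. Because `&rank` is the address of a parameter, the call also depends on run_thread4PP() not returning before the hook has finished, which is worth stating in a comment since its definition is not part of this diff. mod_child begins before this hunk and continues past it.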