Module: kamailio
Branch: 5.7
Commit: ed2d70359723458089dd8a62fe1e37a60dd83869
URL:
https://github.com/kamailio/kamailio/commit/ed2d70359723458089dd8a62fe1e37a…
Author: S-P Chan <shihping.chan(a)gmail.com>
Committer: Richard Chan <richard(a)treeboxsolutions.com>
Date: 2024-01-09T10:12:59+08:00
tls: OpenSSL 3.x thread-local, init libssl in thread or PROC_SIPINIT
- avoid initialising ERR_STATE in rank 0 (thread #1)
(cherry-pick from e49a60e1052c6c1dcebe7f78f2ac970338eabe2e)
---
Modified: src/modules/tls/tls_init.c
Modified: src/modules/tls/tls_mod.c
---
Diff:
https://github.com/kamailio/kamailio/commit/ed2d70359723458089dd8a62fe1e37a…
Patch:
https://github.com/kamailio/kamailio/commit/ed2d70359723458089dd8a62fe1e37a…
---
diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c
index 57be9cad814..0bc12d31b4a 100644
--- a/src/modules/tls/tls_init.c
+++ b/src/modules/tls/tls_init.c
@@ -769,6 +769,44 @@ int tls_pre_init(void)
* tls mod pre-init function
* - executed before any mod_init()
*/
+long tls_h_mod_randctx(void *) {
+ do {
+ OSSL_LIB_CTX *osslglobal = NULL;
+ EVP_RAND_CTX *randctx = NULL;
+
+ LM_DBG("enabling locking for rand ctx\n");
+
+ osslglobal = OSSL_LIB_CTX_get0_global_default();
+ if(osslglobal == NULL) {
+ LM_ERR("failed to get lib ssl global ctx\n");
+ return -1L;
+ }
+
+ randctx = RAND_get0_primary(osslglobal);
+ if(randctx == NULL) {
+ LM_ERR("primary rand ctx is null\n");
+ return -1L;
+ }
+ EVP_RAND_enable_locking(randctx);
+
+ randctx = RAND_get0_public(osslglobal);
+ if(randctx == NULL) {
+ LM_ERR("public rand ctx is null\n");
+ return -1L;
+ }
+ EVP_RAND_enable_locking(randctx);
+
+ randctx = RAND_get0_private(osslglobal);
+ if(randctx == NULL) {
+ LM_ERR("private rand ctx is null\n");
+ return -1L;
+ }
+ EVP_RAND_enable_locking(randctx);
+ } while(0);
+
+ return 0L;
+}
+
int tls_h_mod_pre_init_f(void)
{
if(tls_mod_preinitialized == 1) {
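Review bot: The new definition `long tls_h_mod_randctx(void *)` has an unnamed parameter, which is not valid C before C23, and its type does not match the pthread start-routine type `void *(*)(void *)`, so the `(void *(*)(void *))` cast at the `pthread_create` call in the third hunk of this file makes the thread call it through an incompatible function pointer (undefined behaviour, and the `long` result is then read back as a `void *`). Name the parameter, and either give the function the pthread signature directly or add a one-line correctly typed trampoline so the call site needs no cast; `intptr_t` (from `<stdint.h>`) is the portable way to carry the status through `void *`. The `do { ... } while(0)` wrapper is dead structure here since every exit inside it is a `return`, and the function has no header comment saying what it sets up or what its return values mean. If the function is not referenced from another translation unit it should also be `static`.

```c
/* Enable locking on the OpenSSL 3.x primary, public and private RAND
 * contexts of the global library context.
 * Returns 0 on success, -1 if the global ctx or any rand ctx is missing. */
static long tls_h_mod_randctx(void *arg)
{
	(void)arg;
	/* … unchanged: OSSL_LIB_CTX_get0_global_default / RAND_get0_* lookups
	 * and EVP_RAND_enable_locking calls, without the do/while wrapper … */
}

/* pthread start routine: gives pthread_create a correctly typed
 * void *(*)(void *) so no function-pointer cast is needed at the call site. */
static void *tls_h_mod_randctx_thr(void *arg)
{
	return (void *)(intptr_t)tls_h_mod_randctx(arg);
}
```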
@@ -782,7 +820,9 @@ int tls_h_mod_pre_init_f(void)
LM_DBG("preparing tls env for modules initialization\n");
#if OPENSSL_VERSION_NUMBER >= 0x010100000L &&
!defined(LIBRESSL_VERSION_NUMBER)
LM_DBG("preparing tls env for modules initialization (libssl >=1.1)\n");
-#if OPENSSL_VERSION_NUMBER >= 0x010101000L
+#if OPENSSL_VERSION_NUMBER >= 0x030000000L
+ // skip init for 3.x
+#elif OPENSSL_VERSION_NUMBER >= 0x010101000L
OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL);
#else
OPENSSL_init_ssl(0, NULL);
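Review bot: The `// skip init for 3.x` comment on the new `#if OPENSSL_VERSION_NUMBER >= 0x030000000L` branch records what is skipped but not why, which is the one thing a later maintainer will need before "fixing" the missing `OPENSSL_init_ssl` call. Going by the commit message and the tls_mod.c change, the reason is that explicit init here would create the thread-local ERR_STATE in rank 0 (thread #1); suggest `/* OpenSSL 3.x: no explicit init here, libssl initialises lazily in the worker (PROC_SIPINIT) so the thread-local ERR_STATE is not created in rank 0 / thread #1 */`. The enclosing tls_h_mod_pre_init_f starts before this hunk and continues after it.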
@@ -791,42 +831,17 @@ int tls_h_mod_pre_init_f(void)
LM_DBG("preparing tls env for modules initialization (libssl <=1.0)\n");
SSL_library_init();
#endif
+#if OPENSSL_VERSION_NUMBER < 0x030000000L
SSL_load_error_strings();
+#endif
#if OPENSSL_VERSION_NUMBER >= 0x030000000L
- do {
- OSSL_LIB_CTX *osslglobal = NULL;
- EVP_RAND_CTX *randctx = NULL;
-
- LM_DBG("enabling locking for rand ctx\n");
-
- osslglobal = OSSL_LIB_CTX_get0_global_default();
- if(osslglobal == NULL) {
- LM_ERR("failed to get lib ssl global ctx\n");
- return -1;
- }
-
- randctx = RAND_get0_primary(osslglobal);
- if(randctx == NULL) {
- LM_ERR("primary rand ctx is null\n");
- return -1;
- }
- EVP_RAND_enable_locking(randctx);
-
- randctx = RAND_get0_public(osslglobal);
- if(randctx == NULL) {
- LM_ERR("public rand ctx is null\n");
- return -1;
- }
- EVP_RAND_enable_locking(randctx);
-
- randctx = RAND_get0_private(osslglobal);
- if(randctx == NULL) {
- LM_ERR("private rand ctx is null\n");
- return -1;
- }
- EVP_RAND_enable_locking(randctx);
- } while(0);
+ pthread_t tid;
+ long rl;
+ pthread_create(&tid, NULL, (void *(*)(void *))tls_h_mod_randctx, NULL);
+ pthread_join(tid, (void **)&rl);
+ if ((int)rl)
+ return (int)rl;
#endif
tls_mod_preinitialized = 1;
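Review bot: The return value of `pthread_create` at the new `pthread_create(&tid, NULL, ...)` line is ignored; if thread creation fails (for example EAGAIN at startup), `tid` is indeterminate, `pthread_join` on it is undefined behaviour, and `rl` is then read uninitialised at `if ((int)rl)`. `pthread_join(tid, (void **)&rl)` also stores a `void *` through a `long` lvalue; receive the thread result in a `void *` and compare or convert it instead. The start-routine type mismatch behind the `(void *(*)(void *))` cast is raised in the note on the first hunk of this file; the rewrite below keeps the existing cast so it stands on its own. `if ((int)rl)` also departs from the file's `if(` spacing. tls_h_mod_pre_init_f continues past the end of the hunk.

```c
	pthread_t tid;
	void *res = NULL;
	int rc = pthread_create(
			&tid, NULL, (void *(*)(void *))tls_h_mod_randctx, NULL);
	if(rc != 0) {
		LM_ERR("failed to start rand ctx init thread (%d)\n", rc);
		return -1;
	}
	rc = pthread_join(tid, &res);
	if(rc != 0 || res != NULL) {
		LM_ERR("rand ctx init thread failed\n");
		return -1;
	}
	/* … unchanged: #endif, tls_mod_preinitialized = 1 … */
```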
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 3a047769ca4..1e74ba0e309 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -440,7 +440,16 @@ static int mod_child(int rank)
/* fix tls config only from the main proc/PROC_INIT., when we know
* the exact process number and before any other process starts*/
- if(rank == PROC_INIT) {
+
+#if OPENSSL_VERSION_NUMBER >= 0x030000000L
+ /*
+ * OpenSSL 3.x: create shared SSL_CTX* in worker to avoid init of
+ * libssl in rank 0(thread#1)
+ */
+ if(rank == PROC_SIPINIT) {
+#else
+ if(rank == PROC_INIT) {
+#endif
if(cfg_get(tls, tls_cfg, config_file).s) {
if(tls_fix_domains_cfg(
*tls_domains_cfg, &srv_defaults, &cli_defaults)