git:5.7:ed2d7035: tls: OpenSSL 3.x thread-local, init libssl in thread or PROC_SIPINIT - sr-dev

8 Jan 2024

Module: kamailio
Branch: 5.7
Commit: ed2d70359723458089dd8a62fe1e37a60dd83869
URL: https://github.com/kamailio/kamailio/commit/ed2d70359723458089dd8a62fe1e37a6...
Author: S-P Chan shihping.chan@gmail.com
Committer: Richard Chan richard@treeboxsolutions.com
Date: 2024-01-09T10:12:59+08:00
tls: OpenSSL 3.x thread-local, init libssl in thread or PROC_SIPINIT
- avoid initialising ERR_STATE in rank 0(thread#1)
(cherry-pick from e49a60e1052c6c1dcebe7f78f2ac970338eabe2e)
---
Modified: src/modules/tls/tls_init.c
Modified: src/modules/tls/tls_mod.c
---
Diff:  https://github.com/kamailio/kamailio/commit/ed2d70359723458089dd8a62fe1e37a6...
Patch: https://github.com/kamailio/kamailio/commit/ed2d70359723458089dd8a62fe1e37a6...
---

diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c
index 57be9cad814..0bc12d31b4a 100644
--- a/src/modules/tls/tls_init.c
+++ b/src/modules/tls/tls_init.c
@@ -769,6 +769,44 @@ int tls_pre_init(void)
  * tls mod pre-init function
  * - executed before any mod_init()
  */
+long tls_h_mod_randctx(void *) {
+    do {
+        OSSL_LIB_CTX *osslglobal = NULL;
+        EVP_RAND_CTX *randctx = NULL;
+
+        LM_DBG("enabling locking for rand ctx\n");
+
+        osslglobal = OSSL_LIB_CTX_get0_global_default();
+        if(osslglobal == NULL) {
+            LM_ERR("failed to get lib ssl global ctx\n");
+            return -1L;
+        }
+
+        randctx = RAND_get0_primary(osslglobal);
+        if(randctx == NULL) {
+            LM_ERR("primary rand ctx is null\n");
+            return -1L;
+        }
+        EVP_RAND_enable_locking(randctx);
+
+        randctx = RAND_get0_public(osslglobal);
+        if(randctx == NULL) {
+            LM_ERR("public rand ctx is null\n");
+            return -1L;
+        }
+        EVP_RAND_enable_locking(randctx);
+
+        randctx = RAND_get0_private(osslglobal);
+        if(randctx == NULL) {
+            LM_ERR("private rand ctx is null\n");
+            return -1L;
+        }
+        EVP_RAND_enable_locking(randctx);
+    } while(0);
+
+    return 0L;
+}
+
 int tls_h_mod_pre_init_f(void)
 {
    if(tls_mod_preinitialized == 1) {
@@ -782,7 +820,9 @@ int tls_h_mod_pre_init_f(void)
    LM_DBG("preparing tls env for modules initialization\n");
 #if OPENSSL_VERSION_NUMBER >= 0x010100000L && !defined(LIBRESSL_VERSION_NUMBER)
    LM_DBG("preparing tls env for modules initialization (libssl >=1.1)\n");
-#if OPENSSL_VERSION_NUMBER >= 0x010101000L
+#if OPENSSL_VERSION_NUMBER >= 0x030000000L
+        // skip init for 3.x
+#elif OPENSSL_VERSION_NUMBER >= 0x010101000L
    OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL);
 #else
    OPENSSL_init_ssl(0, NULL);
@@ -791,42 +831,17 @@ int tls_h_mod_pre_init_f(void)
    LM_DBG("preparing tls env for modules initialization (libssl <=1.0)\n");
    SSL_library_init();
 #endif
+#if OPENSSL_VERSION_NUMBER < 0x030000000L
    SSL_load_error_strings();
+#endif
#if OPENSSL_VERSION_NUMBER >= 0x030000000L
-	do {
-		OSSL_LIB_CTX *osslglobal = NULL;
-		EVP_RAND_CTX *randctx = NULL;
-
-		LM_DBG("enabling locking for rand ctx\n");
-
-		osslglobal = OSSL_LIB_CTX_get0_global_default();
-		if(osslglobal == NULL) {
-			LM_ERR("failed to get lib ssl global ctx\n");
-			return -1;
-		}
-
-		randctx = RAND_get0_primary(osslglobal);
-		if(randctx == NULL) {
-			LM_ERR("primary rand ctx is null\n");
-			return -1;
-		}
-		EVP_RAND_enable_locking(randctx);
-
-		randctx = RAND_get0_public(osslglobal);
-		if(randctx == NULL) {
-			LM_ERR("public rand ctx is null\n");
-			return -1;
-		}
-		EVP_RAND_enable_locking(randctx);
-
-		randctx = RAND_get0_private(osslglobal);
-		if(randctx == NULL) {
-			LM_ERR("private rand ctx is null\n");
-			return -1;
-		}
-		EVP_RAND_enable_locking(randctx);
-	} while(0);
+        pthread_t tid;
+        long rl;
+        pthread_create(&tid, NULL, (void *(*)(void *))tls_h_mod_randctx, NULL);
+        pthread_join(tid, (void **)&rl);
+        if ((int)rl)
+            return (int)rl;
 #endif
tls_mod_preinitialized = 1;
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 3a047769ca4..1e74ba0e309 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -440,7 +440,16 @@ static int mod_child(int rank)
/* fix tls config only from the main proc/PROC_INIT., when we know
     * the exact process number and before any other process starts*/
-	if(rank == PROC_INIT) {
+
+#if OPENSSL_VERSION_NUMBER >= 0x030000000L
+        /*
+         * OpenSSL 3.x: create shared SSL_CTX* in worker to avoid init of
+         * libssl in rank 0(thread#1)
+         */
+        if(rank == PROC_SIPINIT) {
+#else
+        if(rank == PROC_INIT) {
+#endif
    	if(cfg_get(tls, tls_cfg, config_file).s) {
    		if(tls_fix_domains_cfg(
    				   *tls_domains_cfg, &srv_defaults, &cli_defaults)

    