tls: OpenSSL 3.x/1.1.1 thread-local, clean-up dead code and preprocessor

blocks
kamailio · Jan 5, 2024 · 798cc26 · 798cc26
1 parent 7b531cf
commit 798cc26
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 40 deletions.
diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c
@@ -824,12 +824,7 @@ int tls_h_mod_pre_init_f(void)
 	LM_DBG("preparing tls env for modules initialization\n");
 #if OPENSSL_VERSION_NUMBER >= 0x010100000L && !defined(LIBRESSL_VERSION_NUMBER)
 	LM_DBG("preparing tls env for modules initialization (libssl >=1.1)\n");
-#if OPENSSL_VERSION_NUMBER >= 0x030000000L
-        // skip init for 3.x
-#elif OPENSSL_VERSION_NUMBER >= 0x010101000L
-        //not needed on Linux
-	//OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL);
-#else
+#if OPENSSL_VERSION_NUMBER < 0x010100000L
 	OPENSSL_init_ssl(0, NULL);
 #endif
 #else

diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
@@ -438,20 +438,9 @@ static int mod_child(int rank)
 	if(tls_disable || (tls_domains_cfg == 0))
 		return 0;
 
-	/* fix tls config only from the main proc/PROC_INIT., when we know
-	 * the exact process number and before any other process starts*/
-        if(rank == PROC_INIT) {
-#if OPENSSL_VERSION_NUMBER >= 0x010101000L      \
-    && OPENSSL_VERSION_NUMBER < 0x030000000L
-            if(ksr_tls_init_mode & TLS_MODE_FORK_PREPARE) {
-                // not needed on Linux: OPENSSL_fork_prepare();
-            }
-#endif
-        }
-
 #if OPENSSL_VERSION_NUMBER >= 0x010101000L
         /*
-         * OpenSSL 3.x: create shared SSL_CTX* in worker to avoid init of
+         * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in worker to avoid init of
          * libssl in rank 0(thread#1)
          */
         if(rank == PROC_SIPINIT) {
@@ -471,22 +460,6 @@ static int mod_child(int rank)
 		return 0;
 	}
 
-#if OPENSSL_VERSION_NUMBER >= 0x010101000L \
-		&& OPENSSL_VERSION_NUMBER < 0x030000000L
-	if(ksr_tls_init_mode & TLS_MODE_FORK_PREPARE) {
-		if(rank == PROC_POSTCHILDINIT) {
-			/*
-			 * this is called after forking of all child processes
-			 */
-			// not needed on Linux: OPENSSL_fork_parent();
-			return 0;
-		}
-		if(!_ksr_is_main) {
-                    // not needed on Linux: OPENSSL_fork_child();
-		}
-	}
-#endif
-
 #ifndef OPENSSL_NO_ENGINE
 	/*
 	 * after the child is fork()ed we go through the TLS domains
@@ -514,6 +487,11 @@ static void mod_destroy(void)
 	 *   => nothing to do here */
 }
 
+/*
+ * GH #3695: OpenSSL 1.1.1: it is no longer necessary to replace RAND
+ * - early init in rank 0 causes workers to inherit public_drbg/private_drbg
+ *   which are not thread-safe
+ */
 
 int ksr_rand_engine_param(modparam_t type, void *val)
 {
@@ -690,12 +668,10 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2)
 
 	register_tls_hooks(&tls_h);
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L \
-		&& OPENSSL_VERSION_NUMBER < 0x030000000L
-	LM_DBG("setting cryptorand random engine\n");
-	// RAND_set_rand_method(RAND_ksr_cryptorand_method());
-#endif
-
+        /*
+         * GH #3695: OpenSSL 1.1.1 historical note: it is no longer
+         * needed to replace RAND with cryptorand
+         */
 	sr_kemi_modules_add(sr_kemi_tls_exports);
 
 	return 0;