From 798cc26908395d2ba21015684ad6f0ac4f012b2e Mon Sep 17 00:00:00 2001 From: S-P Chan Date: Fri, 5 Jan 2024 07:38:56 +0800 Subject: [PATCH] tls: OpenSSL 3.x/1.1.1 thread-local, clean-up dead code and preprocessor blocks --- src/modules/tls/tls_init.c | 7 +----- src/modules/tls/tls_mod.c | 44 +++++++++----------------------------- 2 files changed, 11 insertions(+), 40 deletions(-) diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c index 8da6dfb07f1..6a46ecbf2aa 100644 --- a/src/modules/tls/tls_init.c +++ b/src/modules/tls/tls_init.c @@ -824,12 +824,7 @@ int tls_h_mod_pre_init_f(void) LM_DBG("preparing tls env for modules initialization\n"); #if OPENSSL_VERSION_NUMBER >= 0x010100000L && !defined(LIBRESSL_VERSION_NUMBER) LM_DBG("preparing tls env for modules initialization (libssl >=1.1)\n"); -#if OPENSSL_VERSION_NUMBER >= 0x030000000L - // skip init for 3.x -#elif OPENSSL_VERSION_NUMBER >= 0x010101000L - //not needed on Linux - //OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL); -#else +#if OPENSSL_VERSION_NUMBER < 0x010100000L OPENSSL_init_ssl(0, NULL); #endif #else diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c index 03874edabba..7cad1b046e4 100644 --- a/src/modules/tls/tls_mod.c +++ b/src/modules/tls/tls_mod.c @@ -438,20 +438,9 @@ static int mod_child(int rank) if(tls_disable || (tls_domains_cfg == 0)) return 0; - /* fix tls config only from the main proc/PROC_INIT., when we know - * the exact process number and before any other process starts*/ - if(rank == PROC_INIT) { -#if OPENSSL_VERSION_NUMBER >= 0x010101000L \ - && OPENSSL_VERSION_NUMBER < 0x030000000L - if(ksr_tls_init_mode & TLS_MODE_FORK_PREPARE) { - // not needed on Linux: OPENSSL_fork_prepare(); - } -#endif - } - #if OPENSSL_VERSION_NUMBER >= 0x010101000L /* - * OpenSSL 3.x: create shared SSL_CTX* in worker to avoid init of + * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in worker to avoid init of * libssl in rank 0(thread#1) */ if(rank == PROC_SIPINIT) { 
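Review bot: The new inner `#if OPENSSL_VERSION_NUMBER < 0x010100000L` sits inside the outer `#if OPENSSL_VERSION_NUMBER >= 0x010100000L && !defined(LIBRESSL_VERSION_NUMBER)`, so it can never be true and the `OPENSSL_init_ssl(0, NULL);` it guards is unreachable — a dead preprocessor block of exactly the kind the subject line says is being removed, and OpenSSL 1.1.0 (which previously reached the `#else` and was initialised explicitly) now gets no call at all. Either delete the inner `#if`/`#endif` together with the call, or, if the 1.1.0 behaviour was meant to survive, make the guard `#if OPENSSL_VERSION_NUMBER < 0x010101000L`. The deleted `//OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL);` line was the only record of why fork handlers are not registered, and since this process model depends on the DRBG reseeding after fork() a comment stating the assumption would help the next reader: `/* no OPENSSL_INIT_ATFORK: libssl >= 1.1.1d detects fork() via getpid() and reseeds the DRBG itself */`. If I remember correctly, 1.1.1 releases before 1.1.1d detected fork() only through the ATFORK handlers (CVE-2019-1549), so "not needed on Linux" is true for current libssl but not for every 1.1.1 build this `#if` accepts. tls_h_mod_pre_init_f continues outside the hunk.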
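Review bot: Removing the `rank == PROC_INIT` block drops one consumer of `ksr_tls_init_mode & TLS_MODE_FORK_PREPARE`, and the following hunk drops the other, so the `TLS_MODE_FORK_PREPARE` bit of the init-mode modparam appears to become a silent no-op while still being accepted from the config. Operators who set it presumably expect fork handlers to be installed; I would either warn once from the modparam handler — e.g. `LM_WARN("TLS_MODE_FORK_PREPARE has no effect with libssl >= 1.1.1\n");` — or drop the flag from the module documentation so it is not mistaken for a hardening option. The surviving `#if OPENSSL_VERSION_NUMBER >= 0x010101000L` guard, unlike the one in tls_init.c, does not exclude LibreSSL, whose OPENSSL_VERSION_NUMBER is 0x20000000L and therefore takes the 1.1.1/3.x path; that predates this commit, but adding `&& !defined(LIBRESSL_VERSION_NUMBER)` would keep the two files consistent. mod_child continues outside the hunk.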
@@ -471,22 +460,6 @@ static int mod_child(int rank) return 0; } -#if OPENSSL_VERSION_NUMBER >= 0x010101000L \ - && OPENSSL_VERSION_NUMBER < 0x030000000L - if(ksr_tls_init_mode & TLS_MODE_FORK_PREPARE) { - if(rank == PROC_POSTCHILDINIT) { - /* - * this is called after forking of all child processes - */ - // not needed on Linux: OPENSSL_fork_parent(); - return 0; - } - if(!_ksr_is_main) { - // not needed on Linux: OPENSSL_fork_child(); - } - } -#endif - #ifndef OPENSSL_NO_ENGINE /* * after the child is fork()ed we go through the TLS domains @@ -514,6 +487,11 @@ static void mod_destroy(void) * => nothing to do here */ } +/* + * GH #3695: OpenSSL 1.1.1: it is no longer necessary to replace RAND + * - early init in rank 0 causes workers to inherit public_drbg/private_drbg + * which are not thread-safe + */ int ksr_rand_engine_param(modparam_t type, void *val) { @@ -690,12 +668,10 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2) register_tls_hooks(&tls_h); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L \ - && OPENSSL_VERSION_NUMBER < 0x030000000L - LM_DBG("setting cryptorand random engine\n"); - // RAND_set_rand_method(RAND_ksr_cryptorand_method()); -#endif - + /* + * GH #3695: OpenSSL 1.1.1 historical note: it is no longer + * needed to replace RAND with cryptorand + */ sr_kemi_modules_add(sr_kemi_tls_exports); return 0;
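Review bot: The comment added above ksr_rand_engine_param joins two statements — "it is no longer necessary to replace RAND" and "early init in rank 0 causes workers to inherit public_drbg/private_drbg which are not thread-safe" — without saying how the second justifies the first, and the inherited-DRBG problem is a fork-inheritance issue (parent and children continuing from identical generator state) rather than a thread-safety one. I would state the actual reasoning, e.g. `/* GH #3695: with OpenSSL >= 1.1.1 RAND is no longer replaced by cryptorand; the DRBG reseeds after fork() (pid check since 1.1.1d) and libssl init is deferred to the worker so children do not share the main process's DRBG state */`. If that description is accurate, part of the user-visible parameter this function handles may itself be a no-op now; the body is outside the hunk, so I cannot confirm it, but an LM_WARN for ignored values would be cheaper than a surprised operator.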
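Review bot: The new comment in mod_register is left directly above `sr_kemi_modules_add(sr_kemi_tls_exports);`, which it does not describe, so a reader will take it as documenting the KEMI export; a note about code that no longer exists belongs in the commit message (where it already is) or next to whatever replaced it. If a marker is wanted here, make it self-explanatory: `/* no RAND_set_rand_method(): since OpenSSL 1.1.1 the default DRBG is used, see GH #3695 */`. The removed lines only mentioned `RAND_ksr_cryptorand_method()` in a commented-out call, so whether the cryptorand wrapper still has a live caller cannot be told from this diff; if it does not, it is dead code of the same kind this commit targets. mod_register starts above the hunk and its closing brace lies below it.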