tls: clear thread-local variables up to tls_pthreads_key_mark

- other libraries may set thread-locals via pthread_setspecific
- assume that tls_pthreads_key_mark demarcates libssl's values
- only clean thread-local values up to tls_pthreads_key_mark

Currently only used by app_python[s]

(cherry picked from commit fe6f4fc)

src/modules/tls/tls_mod.c

@@ -343,10 +343,11 @@ static tls_domains_cfg_t* tls_use_modparams(void)
  *     is < 10
  *
  */
+static int tls_pthreads_key_mark;
 static void fork_child(void)
 {
-	int k = 0;
-	for(k = 0; k < 16; k++) {
+	int k;
+	for(k = 0; k < tls_pthreads_key_mark; k++) {
 		if(pthread_getspecific(k) != 0)
 			pthread_setspecific(k, 0x0);
 	}
@@ -356,6 +357,8 @@ static int mod_init(void)
 {
 	int method;
 	int verify_client;
+	unsigned char rand_buf[32];
+	int k;
 
 	if(tls_disable) {
 		LM_WARN("tls support is disabled "
@@ -464,6 +467,23 @@ static int mod_init(void)
 	if(ksr_tls_threads_mode == 2) {
 		pthread_atfork(NULL, NULL, &fork_child);
 	}
+
+#if OPENSSL_VERSION_NUMBER >= 0x010101000L
+	/*
+	 * force creation of all thread-locals now so that other libraries
+	 * that use pthread_key_create(), e.g. python,
+	 * will have larger key values
+	 */
+	if(ksr_tls_threads_mode > 0) {
+		ERR_clear_error();
+		RAND_bytes(rand_buf, sizeof(rand_buf));
+		for(k = 0; k < 32; k++) {
+			if(pthread_getspecific(k))
+				tls_pthreads_key_mark = k + 1;
+		}
+		LM_WARN("set maximum pthreads key to %d\n", tls_pthreads_key_mark);
+	}
+#endif
 	return 0;
 error:
 	tls_h_mod_destroy_f();
@@ -500,6 +520,7 @@ static int mod_child_hook(int *rank, void *dummy)
 		if(tls_fix_domains_cfg(*tls_domains_cfg, &mod_params, &mod_params) < 0)
 			return -1;
 	}
+
 	return 0;
 }
 
@@ -509,17 +530,26 @@ static OSSL_LIB_CTX *new_ctx;
 #endif
 static int mod_child(int rank)
 {
+	int k;
+
 	if(tls_disable || (tls_domains_cfg == 0))
 		return 0;
 
 	/*
-         * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in thread executor
-         * to avoid init of libssl in thread#1: ksr_tls_threads_mode = 1
-         */
+	 * OpenSSL 3.x/1.1.1: create shared SSL_CTX* in thread executor
+	 * to avoid init of libssl in thread#1: ksr_tls_threads_mode = 1
+	 */
 	if(rank == PROC_INIT) {
 		return run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, NULL);
 	}
 
+	if(ksr_tls_threads_mode == 1 && rank && rank != PROC_INIT
+			&& rank != PROC_POSTCHILDINIT) {
+		for(k = 0; k < tls_pthreads_key_mark; k++)
+			pthread_setspecific(k, 0x0);
+		LM_WARN("clean-up of thread-locals key < %d\n", tls_pthreads_key_mark);
+	}
+
 #ifdef KSR_SSL_COMMON
 	/*
 	 * after the child is fork()ed we go through the TLS domains

src/modules/tls/tls_rand.h

@@ -21,10 +21,10 @@
 #define _TLS_RAND_H_
 
 #include <openssl/ssl.h>
+#include <openssl/rand.h>
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L \
 		&& OPENSSL_VERSION_NUMBER < 0x030000000L
 
-#include <openssl/rand.h>
 
 const RAND_METHOD *RAND_ksr_krand_method(void);
 const RAND_METHOD *RAND_ksr_fastrand_method(void);