From e49a60e1052c6c1dcebe7f78f2ac970338eabe2e Mon Sep 17 00:00:00 2001
From: S-P Chan
Date: Thu, 4 Jan 2024 20:00:09 +0800
Subject: [PATCH] tls: OpenSSL 3.x thread-local, init libssl in thread or PROC_SIPINIT

- avoid initialising ERR_STATE in rank 0(thread#1)
---
src/modules/tls/tls_init.c | 83 ++++++++++++++++++++++----------------
src/modules/tls/tls_mod.c | 11 ++++-
2 files changed, 59 insertions(+), 35 deletions(-)

diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c
index 9be5e1d4fab..ec62cf7669e 100644
--- a/src/modules/tls/tls_init.c
+++ b/src/modules/tls/tls_init.c
@@ -771,6 +771,44 @@ int tls_pre_init(void)
 * tls mod pre-init function
 * - executed before any mod_init()
 */
+long tls_h_mod_randctx(void *) {
+ do {
+ OSSL_LIB_CTX *osslglobal = NULL;
+ EVP_RAND_CTX *randctx = NULL;
+
+ LM_DBG("enabling locking for rand ctx\n");
+
+ osslglobal = OSSL_LIB_CTX_get0_global_default();
+ if(osslglobal == NULL) {
+ LM_ERR("failed to get lib ssl global ctx\n");
+ return -1L;
+ }
+
+ randctx = RAND_get0_primary(osslglobal);
+ if(randctx == NULL) {
+ LM_ERR("primary rand ctx is null\n");
+ return -1L;
+ }
+ EVP_RAND_enable_locking(randctx);
+
+ randctx = RAND_get0_public(osslglobal);
+ if(randctx == NULL) {
+ LM_ERR("public rand ctx is null\n");
+ return -1L;
+ }
+ EVP_RAND_enable_locking(randctx);
+
+ randctx = RAND_get0_private(osslglobal);
+ if(randctx == NULL) {
+ LM_ERR("private rand ctx is null\n");
+ return -1L;
+ }
+ EVP_RAND_enable_locking(randctx);
+ } while(0);
+
+ return 0L;
+}
+
 int tls_h_mod_pre_init_f(void)
 {
 if(tls_mod_preinitialized == 1) {
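Review bot: The new `tls_h_mod_randctx` definition uses OpenSSL 3.x-only names (OSSL_LIB_CTX, EVP_RAND_CTX, RAND_get0_primary/public/private, EVP_RAND_enable_locking) but, unlike the `do { ... } while(0)` block it replaces, it is not wrapped in `#if OPENSSL_VERSION_NUMBER >= 0x030000000L`, so a build against OpenSSL 1.1.x or LibreSSL fails to compile unless a guard exists outside the hunk. The unnamed parameter in `long tls_h_mod_randctx(void *) {` is C23 syntax and is rejected by GCC in C11/gnu17 modes; it also needs the thread start-routine shape it is later called through, so the signature should become `static void *tls_h_mod_randctx(void *arg)` with `return (void *)(intptr_t)-1;` on the error paths and `return NULL;` on success (`static` if nothing outside tls_init.c uses it). The `do { ... } while(0)` wrapper no longer serves a purpose now that the body is its own function, since every `return` already leaves the function directly. A short header comment would help, e.g. `/* Enable locking on the OpenSSL 3.x primary/public/private RAND contexts; run on its own thread so the thread-local libssl state it creates does not belong to thread#1 (rank 0). */`. `tls_h_mod_pre_init_f`, whose first lines close the hunk, continues outside it.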
@@ -784,7 +822,9 @@ int tls_h_mod_pre_init_f(void)
 LM_DBG("preparing tls env for modules initialization\n");
 #if OPENSSL_VERSION_NUMBER >= 0x010100000L && !defined(LIBRESSL_VERSION_NUMBER)
 LM_DBG("preparing tls env for modules initialization (libssl >=1.1)\n");
-#if OPENSSL_VERSION_NUMBER >= 0x010101000L
+#if OPENSSL_VERSION_NUMBER >= 0x030000000L
+ // skip init for 3.x
+#elif OPENSSL_VERSION_NUMBER >= 0x010101000L
 OPENSSL_init_ssl(OPENSSL_INIT_ATFORK, NULL);
 #else
 OPENSSL_init_ssl(0, NULL);
@@ -793,42 +833,17 @@ int tls_h_mod_pre_init_f(void)
 LM_DBG("preparing tls env for modules initialization (libssl <=1.0)\n");
 SSL_library_init();
 #endif
+#if OPENSSL_VERSION_NUMBER < 0x030000000L
 SSL_load_error_strings();
+#endif
 
 #if OPENSSL_VERSION_NUMBER >= 0x030000000L
- do {
- OSSL_LIB_CTX *osslglobal = NULL;
- EVP_RAND_CTX *randctx = NULL;
-
- LM_DBG("enabling locking for rand ctx\n");
-
- osslglobal = OSSL_LIB_CTX_get0_global_default();
- if(osslglobal == NULL) {
- LM_ERR("failed to get lib ssl global ctx\n");
- return -1;
- }
-
- randctx = RAND_get0_primary(osslglobal);
- if(randctx == NULL) {
- LM_ERR("primary rand ctx is null\n");
- return -1;
- }
- EVP_RAND_enable_locking(randctx);
-
- randctx = RAND_get0_public(osslglobal);
- if(randctx == NULL) {
- LM_ERR("public rand ctx is null\n");
- return -1;
- }
- EVP_RAND_enable_locking(randctx);
-
- randctx = RAND_get0_private(osslglobal);
- if(randctx == NULL) {
- LM_ERR("private rand ctx is null\n");
- return -1;
- }
- EVP_RAND_enable_locking(randctx);
- } while(0);
+ pthread_t tid;
+ long rl;
+ pthread_create(&tid, NULL, (void *(*)(void *))tls_h_mod_randctx, NULL);
+ pthread_join(tid, (void **)&rl);
+ if ((int)rl)
+ return (int)rl;
 #endif
 
 tls_mod_preinitialized = 1;

diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 3a047769ca4..1e74ba0e309 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
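Review bot: The comment `// skip init for 3.x` on the new `#if OPENSSL_VERSION_NUMBER >= 0x030000000L` branch states what is skipped but not why, which is the one thing a later reader will need when deciding whether the branch is still correct. The commit message gives the reason, so it belongs here: `/* OpenSSL 3.x: no explicit OPENSSL_init_ssl() here, so that no thread-local libssl state (ERR_STATE) is created in rank 0 (thread#1); the RAND locking setup runs on its own thread below */`. With the call gone, 3.x builds no longer pass OPENSSL_INIT_ATFORK at this point; whether anything else in the module still requests fork handlers for 3.x is not visible in the hunk and is worth confirming. `tls_h_mod_pre_init_f` starts before this hunk and continues after it.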
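Review bot: In the second hunk the replacement thread launch has no error handling: `pthread_create(&tid, NULL, (void *(*)(void *))tls_h_mod_randctx, NULL);` ignores its return value, and if it fails `pthread_join(tid, ...)` runs on an uninitialized `tid` and the uninitialized `rl` is then used as the function's result. Calling `tls_h_mod_randctx` through a cast `void *(*)(void *)` while it is defined to return `long` is undefined behaviour (and warns under -Wcast-function-type), and `pthread_join(tid, (void **)&rl)` stores a `void *` into a `long`, which only happens to line up on LP64 targets. Give the start routine the real pthread signature (the hunk at +771 defines it), join into a `void *`, and check both calls; `intptr_t` needs `<stdint.h>` if tls_init.c does not already include it. `tls_h_mod_pre_init_f` starts before this hunk and continues after it.
```c
#if OPENSSL_VERSION_NUMBER >= 0x030000000L
	pthread_t tid;
	void *rl = NULL;
	/* run the RAND locking setup on a short-lived thread so the thread-local
	 * libssl state it creates belongs to that thread, not to thread#1 */
	if(pthread_create(&tid, NULL, tls_h_mod_randctx, NULL) != 0) {
		LM_ERR("failed to create tls rand ctx init thread\n");
		return -1;
	}
	if(pthread_join(tid, &rl) != 0) {
		LM_ERR("failed to join tls rand ctx init thread\n");
		return -1;
	}
	if((intptr_t)rl != 0)
		return -1;
#endif
	/* … unchanged: tls_mod_preinitialized = 1; … */
```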
@@ -440,7 +440,16 @@ static int mod_child(int rank)
 
 /* fix tls config only from the main proc/PROC_INIT., when we know
 * the exact process number and before any other process starts*/
- if(rank == PROC_INIT) {
+
+#if OPENSSL_VERSION_NUMBER >= 0x030000000L
+ /*
+ * OpenSSL 3.x: create shared SSL_CTX* in worker to avoid init of
+ * libssl in rank 0(thread#1)
+ */
+ if(rank == PROC_SIPINIT) {
+#else
+ if(rank == PROC_INIT) {
+#endif
 if(cfg_get(tls, tls_cfg, config_file).s) {
 if(tls_fix_domains_cfg(
 *tls_domains_cfg, &srv_defaults, &cli_defaults)
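Review bot: The surviving comment above the new `#if` block, `fix tls config only from the main proc/PROC_INIT., when we know the exact process number and before any other process starts`, is now wrong for OpenSSL 3.x builds, where the work moves to `rank == PROC_SIPINIT`; it should say so, e.g. `/* fix tls config from the main proc (PROC_INIT), or on OpenSSL 3.x from the first SIP worker (PROC_SIPINIT) so libssl state is not created in rank 0 (thread#1) */`. The original comment also records the guarantee the old placement relied on, that no other process has started yet; whether that still holds when the fix-up runs in a forked worker is not visible here, and if the main process keeps forking while the PROC_SIPINIT child is still running tls_fix_domains_cfg, other workers could observe a partially fixed `*tls_domains_cfg`, so it is worth confirming against the process start order. `mod_child` starts before this hunk and continues after it.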