Browse code

tls_wolfssl: memory handling cleanup

Set memory allocators to align up to 16-bytes

S-P Chan authored on 18/06/2022 03:11:36
Showing 2 changed files
... ...
@@ -216,26 +216,49 @@ static void* ser_realloc(void *ptr, size_t size, const char* file, int line)
216 216
 
217 217
 #else /*TLS_MALLOC_DBG */
218 218
 
219
+// up align memory allocations to 16 bytes for
220
+// wolfSSL --enable-aligndata=yes (the default)
221
+static const int MAX_ALIGN = __alignof__(max_align_t);
219 222
 
220
-static void* ser_malloc(size_t size, const char *fname, int fline)
223
+static void* ser_malloc(size_t size)
221 224
 {
222
-	return shm_malloc(size);
223
-}
225
+	char* ptr =  shm_malloc(size + 2*MAX_ALIGN);
226
+	int pad = MAX_ALIGN - ((long) ptr % MAX_ALIGN);
227
+
228
+	*(size_t*)ptr = size;
224 229
 
230
+	memset(ptr + MAX_ALIGN, pad, pad);
231
+	return ptr + MAX_ALIGN + pad;
232
+}
225 233
 
226
-static void* ser_realloc(void *ptr, size_t size, const char *fname, int fline)
234
+static void* ser_realloc(void *ptr, size_t new_size)
227 235
 {
228
-	return shm_realloc(ptr, size);
236
+	if(!ptr) return ser_malloc(new_size);
237
+
238
+	int pad = *((unsigned char*)ptr - 1);
239
+	unsigned char *real_ptr = (unsigned char*)ptr - pad - MAX_ALIGN;
240
+	int size = *(size_t*)real_ptr;
241
+
242
+	char *new_ptr = shm_realloc(real_ptr, new_size+2*MAX_ALIGN);
243
+	*(size_t*)new_ptr = new_size;
244
+	int new_pad = MAX_ALIGN - ((long) new_ptr % MAX_ALIGN);
245
+	if (new_pad != pad) {
246
+		memmove(new_ptr + MAX_ALIGN + new_pad, new_ptr + MAX_ALIGN + pad, size);
247
+		memset(new_ptr + MAX_ALIGN, new_pad, new_pad);
248
+	}
249
+		
250
+	return new_ptr + MAX_ALIGN + new_pad;
229 251
 }
252
+#endif /* LIBRESSL_VERSION_NUMBER */
230 253
 
231
-static void ser_free(void *ptr, const char *fname, int fline)
254
+static void ser_free(void *ptr)
232 255
 {
233 256
 	if (ptr) {
234
-		shm_free(ptr);
257
+		int pad = *((unsigned char *)ptr - 1);
258
+		shm_free((unsigned char*)ptr - pad  - MAX_ALIGN);
235 259
 	}
236 260
 }
237 261
 
238
-#endif /* LIBRESSL_VERSION_NUMBER */
239 262
 
240 263
 /*
241 264
  * Initialize TLS socket
... ...
@@ -366,11 +389,7 @@ int tls_pre_init(void)
366 389
 	mf = NULL;
367 390
 	rf = NULL;
368 391
 	ff = NULL;
369
-#ifdef TLS_MALLOC_DBG
370
-	if (!CRYPTO_set_mem_ex_functions(ser_malloc, ser_realloc, ser_free)) {
371
-#else
372
-	if (!CRYPTO_set_mem_functions(ser_malloc, ser_realloc, ser_free)) {
373
-#endif
392
+	if (wolfSSL_SetAllocators(ser_malloc, ser_free, ser_realloc)) {
374 393
 		LM_ERR("Unable to set the memory allocation functions\n");
375 394
 		// CRYPTO_get_mem_functions(&mf, &rf, &ff);
376 395
 		LM_ERR("libssl current mem functions - m: %p r: %p f: %p\n",
... ...
@@ -412,108 +431,12 @@ int tls_h_mod_pre_init_f(void)
412 431
  */
413 432
 int tls_h_mod_init_f(void)
414 433
 {
415
-	/*struct socket_info* si;*/
416
-	long ssl_version;
417
-	const char *ssl_version_txt;
418
-	int low_mem_threshold1;
419
-	int low_mem_threshold2;
420
-	str tls_grp;
421
-	str s;
422
-	cfg_ctx_t* cfg_ctx;
423
-
424 434
 	if(tls_mod_initialized == 1) {
425 435
 		LM_DBG("already initialized\n");
426 436
 		return 0;
427 437
 	}
428 438
 	LM_DBG("initializing tls system\n");
429 439
 
430
-	ssl_version=wolfSSL_OpenSSL_version_num();
431
-	ssl_version_txt=wolfSSL_OpenSSL_version(OPENSSL_VERSION);
432
-
433
-	/* check if version have the same major minor and fix level
434
-	 * (e.g. 0.9.8a & 0.9.8c are ok, but 0.9.8 and 0.9.9x are not)
435
-	 * - values is represented as 0xMMNNFFPPS: major minor fix patch status
436
-	 *   0x00090705f == 0.9.7e release */
437
-	if ((ssl_version>>12)!=(OPENSSL_VERSION_NUMBER>>12)){
438
-		LM_CRIT("installed openssl library"
439
-				" version is too different from the library the " NAME " tls"
440
-				" module was compiled with: installed \"%s\" (0x%08lx),"
441
-				" compiled \"%s\" (0x%08lx).\n"
442
-				" Please make sure a compatible version is used"
443
-				" (tls_force_run in kamailio.cfg will override this check)\n",
444
-				ssl_version_txt, ssl_version,
445
-				OPENSSL_VERSION_TEXT, (long)OPENSSL_VERSION_NUMBER);
446
-		if (cfg_get(tls, tls_cfg, force_run))
447
-			LM_WARN("tls_force_run turned on, ignoring "
448
-					" openssl version mismatch\n");
449
-		else
450
-			return -1; /* safer to exit */
451
-	}
452
-
453
-	/* check kerberos support using compile flags only for version < 1.1.0 */
454
-
455
-	/* set free memory threshold for openssl bug #1491 workaround */
456
-	low_mem_threshold1 = cfg_get(tls, tls_cfg, low_mem_threshold1);
457
-	low_mem_threshold2 = cfg_get(tls, tls_cfg, low_mem_threshold2);
458
-	if (low_mem_threshold1<0){
459
-		/* default */
460
-		low_mem_threshold1=512*1024*get_max_procs();
461
-	}else
462
-		low_mem_threshold1*=1024; /* KB */
463
-	if (low_mem_threshold2<0){
464
-		/* default */
465
-		low_mem_threshold2=256*1024*get_max_procs();
466
-	}else
467
-		low_mem_threshold2*=1024; /* KB */
468
-
469
-#if 0
470
-	if ((low_mem_threshold1==0) || (low_mem_threshold2==0))
471
-	 LM_WARN("tls: openssl bug #1491 (crash/mem leaks on low memory)"
472
-				" workaround disabled\n");
473
-	else
474
-		LM_WARN("openssl bug #1491 (crash/mem leaks on low memory)"
475
-				" workaround enabled (on low memory tls operations will fail"
476
-				" preemptively) with free memory thresholds %d and %d bytes\n",
477
-				low_mem_threshold1, low_mem_threshold2);
478
-#endif
479
-
480
-	if (shm_available()==(unsigned long)(-1)){
481
-		LM_WARN(NAME " is compiled without MALLOC_STATS support:"
482
-				" the workaround for low mem. openssl bugs will _not_ "
483
-				"work\n");
484
-		low_mem_threshold1=0;
485
-		low_mem_threshold2=0;
486
-	}
487
-	if ((low_mem_threshold1 != cfg_get(tls, tls_cfg, low_mem_threshold1))
488
-			|| (low_mem_threshold2
489
-				!= cfg_get(tls, tls_cfg, low_mem_threshold2))) {
490
-		/* ugly hack to set the initial values for the mem tresholds */
491
-		if (cfg_register_ctx(&cfg_ctx, 0)) {
492
-			LM_ERR("failed to register cfg context\n");
493
-			return -1;
494
-		}
495
-		tls_grp.s = "tls";
496
-		tls_grp.len = strlen(tls_grp.s);
497
-		s.s = "low_mem_threshold1";
498
-		s.len = strlen(s.s);
499
-		if (low_mem_threshold1 != cfg_get(tls, tls_cfg, low_mem_threshold1) &&
500
-				cfg_set_now_int(cfg_ctx, &tls_grp, NULL /* group id */, &s,
501
-					low_mem_threshold1)) {
502
-			LM_ERR("failed to set tls.low_mem_threshold1 to %d\n",
503
-					low_mem_threshold1);
504
-			return -1;
505
-		}
506
-		s.s = "low_mem_threshold2";
507
-		s.len = strlen(s.s);
508
-		if (low_mem_threshold2 != cfg_get(tls, tls_cfg, low_mem_threshold2) &&
509
-				cfg_set_now_int(cfg_ctx, &tls_grp, NULL /* group id */, &s,
510
-					low_mem_threshold2)) {
511
-			LM_ERR("failed to set tls.low_mem_threshold1 to %d\n",
512
-					low_mem_threshold2);
513
-			return -1;
514
-		}
515
-	}
516
-
517 440
 	init_ssl_methods();
518 441
 	tls_mod_initialized = 1;
519 442
 	return 0;
... ...
@@ -65,14 +65,6 @@
65 65
 
66 66
 int tls_run_event_routes(struct tcp_connection *c);
67 67
 
68
-/* low memory treshold for openssl bug #1491 workaround */
69
-#define LOW_MEM_NEW_CONNECTION_TEST() \
70
-	(cfg_get(tls, tls_cfg, low_mem_threshold1) && \
71
-		(shm_available_safe() < cfg_get(tls, tls_cfg, low_mem_threshold1)))
72
-#define LOW_MEM_CONNECTED_TEST() \
73
-	(cfg_get(tls, tls_cfg, low_mem_threshold2) && \
74
-		(shm_available_safe() <  cfg_get(tls, tls_cfg, low_mem_threshold2)))
75
-
76 68
 #define TLS_RD_MBUF_SZ	65536
77 69
 #define TLS_WR_MBUF_SZ	65536
78 70
 
... ...
@@ -238,12 +230,6 @@ static int tls_complete_init(struct tcp_connection* c)
238 230
 	str *sname = NULL;
239 231
 	str *srvid = NULL;
240 232
 
241
-	if (LOW_MEM_NEW_CONNECTION_TEST()){
242
-		ERR("tls: ssl bug #1491 workaround: not enough memory for safe"
243
-				" operation: shm=%lu threshold1=%d\n", shm_available_safe(),
244
-				cfg_get(tls, tls_cfg, low_mem_threshold1));
245
-		goto error2;
246
-	}
247 233
 	/* Get current TLS configuration and increase reference
248 234
 	 * count immediately.
249 235
 	 */
... ...
@@ -341,11 +327,6 @@ static int tls_fix_connection_unsafe(struct tcp_connection* c)
341 327
 		if (unlikely(tls_complete_init(c) < 0)) {
342 328
 			return -1;
343 329
 		}
344
-	}else if (unlikely(LOW_MEM_CONNECTED_TEST())){
345
-		ERR("tls: ssl bug #1491 workaround: not enough memory for safe"
346
-				" operation: shm=%lu threshold2=%d\n", shm_available_safe(),
347
-				cfg_get(tls, tls_cfg, low_mem_threshold2));
348
-		return -1;
349 330
 	}
350 331
 	return 0;
351 332
 }
... ...
@@ -372,12 +353,6 @@ static int tls_fix_connection(struct tcp_connection* c)
372 353
 			}
373 354
 		lock_release(&c->write_lock);
374 355
 	}
375
-	if (unlikely(LOW_MEM_CONNECTED_TEST())){
376
-		ERR("tls: ssl bug #1491 workaround: not enough memory for safe"
377
-				" operation: shm=%lu threshold2=%d\n", shm_available_safe(),
378
-				cfg_get(tls, tls_cfg, low_mem_threshold2));
379
-		return -1;
380
-	}
381 356
 	return 0;
382 357
 }
383 358
 
... ...
@@ -575,12 +550,6 @@ static int tls_shutdown(struct tcp_connection *c)
575 550
 	 * if the connection is not fully initialized */
576 551
 	if (unlikely(tls_c->state != S_TLS_ESTABLISHED))
577 552
 		return 0;
578
-	if (unlikely(LOW_MEM_CONNECTED_TEST())){
579
-		ERR("tls: ssl bug #1491 workaround: not enough memory for safe"
580
-				" operation: shm=%lu threshold2=%d\n", shm_available_safe(),
581
-				cfg_get(tls, tls_cfg, low_mem_threshold2));
582
-		goto err;
583
-	}
584 553
 
585 554
 	ret = wolfSSL_shutdown(ssl);
586 555
 	if (ret == 1) {