sr-dev

sr-dev@lists.kamailio.org

44307 discussions

git:sr_3.0: tls: disable kerberos more thoroughly [fix]

by Andrei Pelinescu-Onciul

Module: sip-router Branch: sr_3.0 Commit: e061e1225873759d37ce3cd49f21a68e54684641 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=e061e12… Author: Andrei Pelinescu-Onciul <andrei(a)iptel.org> Committer: Andrei Pelinescu-Onciul <andrei(a)iptel.org> Date: Tue Feb 23 16:10:21 2010 +0100 tls: disable kerberos more thoroughly [fix] Older openssl versions (< 0.9.8e release) have a bug in the kerberos code (it uses the wrong malloc, for more details see openssl bug # 1467). While there is already a workaround for this openssl bug in the sr code (see commits 36cb8f & 560a42), in some situations this workaround causes another bug (crash on connection opening when openssl is compiled with kerberos support and kerberos is enabled for key exchange). The current fix will disable automatically all the ciphers containing KRB5 if the openssl version is < 0.9.8e beta1 or it is between 0.9.9-dev and 0.9.9-beta1. It iss equivalent to setting cipher_list to "<prev. value>:!KRB5". Impact: this fix is needed only if openssl is compiled with kerberos support and the version is < 0.9.8e. It also affects at least CentOS users with openssl-0.9.8e-12.el5_4.1 (in the centos openssl package they play some strange games with the version and report 0.9.8b via SSLeay). Tested-by: Klaus Darilion klaus.mailinglists at pernau.at Reported-by: Klaus Darilion klaus.mailinglists at pernau.at Reported-by: Andreas Rehbein rehbein at e-technik.org Reported-by: Martin Koenig koenig starface.de (cherry picked from commit 51ee5da9ebf09447f71d4393f7c5b703305ff46d) --- modules/tls/tls_domain.c | 35 +++++++++++++++++++++++++++++++---- 1 files changed, 31 insertions(+), 4 deletions(-) diff --git a/modules/tls/tls_domain.c b/modules/tls/tls_domain.c index db35eda..628b3e2 100644 --- a/modules/tls/tls_domain.c +++ b/modules/tls/tls_domain.c @@ -269,6 +269,10 @@ static int load_ca_list(tls_domain_t* d) return 0; } +#define C_DEF_NO_KRB5 "DEFAULT:!KRB5" +#define C_DEF_NO_KRB5_LEN (sizeof(C_DEF_NO_KRB5)-1) +#define C_NO_KRB5_SUFFIX ":!KRB5" +#define C_NO_KRB5_SUFFIX_LEN (sizeof(C_NO_KRB5_SUFFIX)-1) /* * Configure cipher list @@ -277,12 +281,35 @@ static int set_cipher_list(tls_domain_t* d) { int i; int procs_no; - - if (!d->cipher_list.s) return 0; + char* cipher_list; + + cipher_list=d->cipher_list.s; +#ifdef TLS_KSSL_WORKARROUND + if (openssl_kssl_malloc_bug) { /* is openssl bug #1467 present ? */ + if (d->cipher_list.s==0) { + /* use "DEFAULT:!KRB5" */ + cipher_list="DEFAULT:!KRB5"; + } else { + /* append ":!KRB5" */ + cipher_list=shm_malloc(d->cipher_list.len+C_NO_KRB5_SUFFIX_LEN+1); + if (cipher_list) { + memcpy(cipher_list, d->cipher_list.s, d->cipher_list.len); + memcpy(cipher_list+d->cipher_list.len, C_NO_KRB5_SUFFIX, + C_NO_KRB5_SUFFIX_LEN); + cipher_list[d->cipher_list.len+C_NO_KRB5_SUFFIX_LEN]=0; + shm_free(d->cipher_list.s); + d->cipher_list.s=cipher_list; + d->cipher_list.len+=C_NO_KRB5_SUFFIX_LEN; + } + } + } +#endif /* TLS_KSSL_WORKARROUND */ + if (!cipher_list) return 0; procs_no=get_max_procs(); for(i = 0; i < procs_no; i++) { - if (SSL_CTX_set_cipher_list(d->ctx[i], d->cipher_list.s) == 0 ) { - ERR("%s: Failure to set SSL context cipher list\n", tls_domain_str(d)); + if (SSL_CTX_set_cipher_list(d->ctx[i], cipher_list) == 0 ) { + ERR("%s: Failure to set SSL context cipher list \"%s\"\n", + tls_domain_str(d), cipher_list); return -1; } }

14 years, 11 months

git:sr_3.0: tls: TLS_MALLOC_DBG can now be set on make cfg

by Andrei Pelinescu-Onciul

Module: sip-router Branch: sr_3.0 Commit: e9c0d837dccb65c10895c41f42d8d2d82e944f7a URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=e9c0d83… Author: Andrei Pelinescu-Onciul <andrei(a)iptel.org> Committer: Andrei Pelinescu-Onciul <andrei(a)iptel.org> Date: Fri Feb 26 13:39:55 2010 +0100 tls: TLS_MALLOC_DBG can now be set on make cfg Enabling tls extra malloc debugging info, does not require anymore editing tls_init.c. It can be enabled at cfg time (make cfg extra_defs=-DTLS_MALLOC_DBG) or at compile/re-compile time ( make -C modules/tls clean; make -C modules/tls extra_defs=-DTLS_MALLOC_DBG). When TLS_MALLOC_DBG is enabled, an extra warning will be printed at compile time. NO_TLS_MALLOC_DBG takes precedence over TLS_MALLOC_DBG. (cherry picked from commit 9bc19d4994f20aa354092aba9ae784de91547fc6) --- modules/tls/tls_init.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/modules/tls/tls_init.c b/modules/tls/tls_init.c index b0f07f9..5c8e832 100644 --- a/modules/tls/tls_init.c +++ b/modules/tls/tls_init.c @@ -115,12 +115,16 @@ int tls_force_run = 0; /* ignore some start-up sanity checks, use it const SSL_METHOD* ssl_methods[TLS_USE_SSLv23 + 1]; +#ifdef NO_TLS_MALLOC_DBG #undef TLS_MALLOC_DBG /* extra malloc debug info from openssl */ +#endif /* NO_TLS_MALLOC_DBG */ + /* * Wrappers around SER shared memory functions * (which can be macros) */ #ifdef TLS_MALLOC_DBG +#warning "tls module compiled with malloc debugging info (extra overhead)" #include <execinfo.h> /*

14 years, 11 months

git:sr_3.0: * modules_k/permissions: subnet matching fix ( credits to anonymous)

by Juha Heinanen

Module: sip-router Branch: sr_3.0 Commit: 5927281f4c8c80dd0ca5c066ac9f1d63438d2bf4 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=5927281… Author: Juha Heinanen <jh(a)tutpro.com> Committer: Juha Heinanen <jh(a)tutpro.com> Date: Thu Mar 4 09:09:22 2010 +0200 * modules_k/permissions: subnet matching fix (credits to anonymous) (cherry picked from commit f5a29762b6155209721ba0dfc3f30b4a9764c191) --- modules_k/permissions/hash.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/modules_k/permissions/hash.c b/modules_k/permissions/hash.c index 7358225..5c5c7a6 100644 --- a/modules_k/permissions/hash.c +++ b/modules_k/permissions/hash.c @@ -565,7 +565,7 @@ int find_group_in_subnet_table(struct subnet* table, i = 0; while (i < count) { - subnet = ip_addr << table[i].mask; + subnet = htonl(ntohl(ip_addr) >> table[i].mask); if ((table[i].subnet == subnet) && ((table[i].port == port) || (table[i].port == 0))) return table[i].grp;

14 years, 11 months

SF.net SVN: openser:[5991] branches/1.5/modules/permissions/hash.c

by Juha Heinanen

Revision: 5991 http://openser.svn.sourceforge.net/openser/?rev=5991&view=rev Author: juhe Date: 2010-03-04 09:06:31 +0000 (Thu, 04 Mar 2010) Log Message: ----------- * permissions: allow_source_address_group() subnet matching fix (backport from sr). Modified Paths: -------------- branches/1.5/modules/permissions/hash.c This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.

14 years, 11 months

git:master: * modules_k/permissions: subnet matching fix ( credits to anonymous)

by Juha Heinanen

Module: sip-router Branch: master Commit: f5a29762b6155209721ba0dfc3f30b4a9764c191 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=f5a2976… Author: Juha Heinanen <jh(a)tutpro.com> Committer: Juha Heinanen <jh(a)tutpro.com> Date: Thu Mar 4 09:09:22 2010 +0200 * modules_k/permissions: subnet matching fix (credits to anonymous) --- modules_k/permissions/hash.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/modules_k/permissions/hash.c b/modules_k/permissions/hash.c index 7358225..5c5c7a6 100644 --- a/modules_k/permissions/hash.c +++ b/modules_k/permissions/hash.c @@ -565,7 +565,7 @@ int find_group_in_subnet_table(struct subnet* table, i = 0; while (i < count) { - subnet = ip_addr << table[i].mask; + subnet = htonl(ntohl(ip_addr) >> table[i].mask); if ((table[i].subnet == subnet) && ((table[i].port == port) || (table[i].port == 0))) return table[i].grp;

14 years, 11 months

[ openser-Bugs-2963040 ] allow_source_address_group() not matching correctly

by SourceForge.net

Bugs item #2963040, was opened at 2010-03-04 02:04 Message generated for change (Tracker Item Submitted) made by nobody You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=743020&aid=2963040&group_… Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: modules Group: ver devel Status: Open Resolution: None Priority: 5 Private: No Submitted By: Nobody/Anonymous (nobody) Assigned to: Nobody/Anonymous (nobody) Summary: allow_source_address_group() not matching correctly Initial Comment: IP address subnet matching does not work properly when using the allow_source_address_group() function from the Permissions module. The problem comes from /modules_k/permissions/hash.c:568 in function find_group_in_subnet_table(). subnet = ip_addr << table[i].mask; should be subnet = htonl(ntohl(ip_addr) >> table[i].mask); Here is a git diff to fix it: diff --git a/modules_k/permissions/hash.c b/modules_k/permissions/hash.c index 7358225..7917d5a 100644 --- a/modules_k/permissions/hash.c +++ b/modules_k/permissions/hash.c @@ -565,7 +565,7 @@ int find_group_in_subnet_table(struct subnet* table, i = 0; while (i < count) { - subnet = ip_addr << table[i].mask; + subnet = htonl(ntohl(ip_addr) >> table[i].mask); //ip_addr << table[i].mask; if ((table[i].subnet == subnet) && ((table[i].port == port) || (table[i].port == 0))) return table[i].grp; ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=743020&aid=2963040&group_…

14 years, 11 months

[tracker] Comment added: display name without quotes and uac_replace_from

by sip-router

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY. The following task has a new comment added: FS#39 - display name without quotes and uac_replace_from User who did this - Andrei Pelinescu-Onciul (andrei) ---------- Thanks, it should be fixed on master GIT#907686. ---------- More information can be found at the following URL: http://sip-router.org/tracker/index.php?do=details&task_id=39#comment30 You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.

14 years, 11 months

[tracker] Task changed: display name without quotes and uac_replace_from

by sip-router

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY. The following task has been changed. The changes are listed below. For full information about what has changed, visit the URL and click the History tab. FS#39 - display name without quotes and uac_replace_from User who did this: Andrei Pelinescu-Onciul (andrei) Percent Complete: 0% -> 90% Status: Assigned -> Requires testing Severity: Medium -> Low Priority: Normal -> Low More information can be found at the following URL: http://sip-router.org/tracker/index.php?do=details&task_id=39 You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.

14 years, 11 months

git:master: core: define shm_str_dup() only ifdef SHM_MEM

by Andrei Pelinescu-Onciul

Module: sip-router Branch: master Commit: f2e37b7e4f3d6041bcd8dbe1846ab0c24b9e26df URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=f2e37b7… Author: Andrei Pelinescu-Onciul <andrei(a)iptel.org> Committer: Andrei Pelinescu-Onciul <andrei(a)iptel.org> Date: Wed Mar 3 19:29:04 2010 +0100 core: define shm_str_dup() only ifdef SHM_MEM --- ut.h | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/ut.h b/ut.h index 3d98e11..2328824 100644 --- a/ut.h +++ b/ut.h @@ -642,6 +642,9 @@ static inline int str2sint(str* _s, int* _r) return 0; } + + +#ifdef SHM_MEM /** * \brief Make a copy of a str structure using shm_malloc * \param dst destination @@ -660,6 +663,9 @@ static inline int shm_str_dup(str* dst, const str* src) dst->len = src->len; return 0; } +#endif /* SHM_MEM */ + + /** * \brief Make a copy of a str structure using pkg_malloc

14 years, 11 months

git:master: test: added parse to body test program

by Andrei Pelinescu-Onciul

Module: sip-router Branch: master Commit: 2cedf1626147ce0bcf67435a57dc23643c55d7d6 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=2cedf16… Author: Andrei Pelinescu-Onciul <andrei(a)iptel.org> Committer: Andrei Pelinescu-Onciul <andrei(a)iptel.org> Date: Wed Mar 3 19:30:04 2010 +0100 test: added parse to body test program - added parse to body test program that uses the same code as sip-router. E.g. test/parse_to_body "Foo <foo@bar>CR". - update p_uri (parse uri test) to compile with sip-router. --- test/p_uri.c | 7 +-- test/parse_to_body.c | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 119 insertions(+), 4 deletions(-) diff --git a/test/p_uri.c b/test/p_uri.c index 1f2cc99..ea75676 100644 --- a/test/p_uri.c +++ b/test/p_uri.c @@ -1,6 +1,6 @@ /** uri parser test program. */ /* compile with: - gcc -Wall p_uri.c -o p_uri -DFAST_LOCK -D__CPU_i386 -DSHM_MEM */ + gcc -Wall p_uri.c -o p_uri -DFAST_LOCK -D__CPU_i386 */ #include <stdio.h> #include <stdlib.h> /* exit() */ #include <string.h> @@ -10,6 +10,7 @@ /* ser compat defs */ #define EXTRA_DEBUG #include "../parser/parse_uri.c" +#include "../dprint.c" int ser_error=0; @@ -17,7 +18,7 @@ int log_stderr=1; int process_no=0; struct process_table* pt=0; int phone2tel=1; -volatile int dprint_crit=0; +/*volatile int dprint_crit=0; */ int my_pid() {return 0; }; struct cfg_group_core default_core_cfg = { @@ -68,7 +69,6 @@ struct cfg_group_core default_core_cfg = { void *core_cfg = &default_core_cfg; - void dprint(char * format, ...) { va_list ap; @@ -82,7 +82,6 @@ void dprint(char * format, ...) - int main (int argc, char** argv) { diff --git a/test/parse_to_body.c b/test/parse_to_body.c new file mode 100644 index 0000000..fe92371 --- /dev/null +++ b/test/parse_to_body.c @@ -0,0 +1,116 @@ +/** to/from body parser test program. */ +/* compile with: + gcc -Wall parse_to_body.c -o parse_to_body -DFAST_LOCK -D__CPU_i386 */ +#include <stdio.h> +#include <stdlib.h> /* exit() */ +#include <string.h> +#include <stdarg.h> +#include "../str.h" + +/* ser compat defs */ +#define EXTRA_DEBUG +#include "../parser/parse_to.c" +#include "../dprint.c" + + +int ser_error=0; +int log_stderr=1; +int process_no=0; +struct process_table* pt=0; +int phone2tel=1; +/*volatile int dprint_crit=0; */ +int my_pid() {return 0; }; + +struct cfg_group_core default_core_cfg = { + L_DBG, /* print only msg. < L_WARN */ + LOG_DAEMON, /* log_facility -- see syslog(3) */ +#ifdef USE_DST_BLACKLIST + /* blacklist */ + 0, /* dst blacklist is disabled by default */ + DEFAULT_BLST_TIMEOUT, + DEFAULT_BLST_MAX_MEM, +#endif + /* resolver */ +#ifdef USE_IPV6 + 1, /* dns_try_ipv6 -- on by default */ +#else + 0, /* dns_try_ipv6 -- off, if no ipv6 support */ +#endif + 0, /* dns_try_naptr -- off by default */ + 30, /* udp transport preference (for naptr) */ + 20, /* tcp transport preference (for naptr) */ + 10, /* tls transport preference (for naptr) */ + 20, /* sctp transport preference (for naptr) */ + -1, /* dns_retr_time */ + -1, /* dns_retr_no */ + -1, /* dns_servers_no */ + 1, /* dns_search_list */ + 1, /* dns_search_fmatch */ + 0, /* dns_reinit */ + /* DNS cache */ +#ifdef USE_DNS_CACHE + 1, /* use_dns_cache -- on by default */ + 0, /* dns_cache_flags */ + 0, /* use_dns_failover -- off by default */ + 0, /* dns_srv_lb -- off by default */ + DEFAULT_DNS_NEG_CACHE_TTL, /* neg. cache ttl */ + DEFAULT_DNS_CACHE_MIN_TTL, /* minimum ttl */ + DEFAULT_DNS_CACHE_MAX_TTL, /* maximum ttl */ + DEFAULT_DNS_MAX_MEM, /* dns_cache_max_mem */ + 0, /* dns_cache_del_nonexp -- delete only expired entries by default */ +#endif +#ifdef PKG_MALLOC + 0, /* mem_dump_pkg */ +#endif +#ifdef SHM_MEM + 0, /* mem_dump_shm */ +#endif +}; + +void *core_cfg = &default_core_cfg; + +void dprint(char * format, ...) +{ + va_list ap; + + fprintf(stderr, "%2d(%d) ", process_no, my_pid()); + va_start(ap, format); + vfprintf(stderr,format,ap); + fflush(stderr); + va_end(ap); +} + + + +int main (int argc, char** argv) +{ + + int r; + struct to_body to_b; + struct to_param *p; + + if (argc<2){ + printf("usage: %s to_body [, to_body...]\n", argv[0]); + exit(1); + } + + for (r=1; r<argc; r++){ + /*memset(&to_b, 0, sizeof(to_b));*/ + if (parse_to(argv[r], argv[r]+strlen(argv[r]), &to_b)==0 || + to_b.error!=1){ + printf("error: parsing %s\n", argv[r]); + continue; + } + printf("body: [%.*s]\n", to_b.body.len, to_b.body.s); + printf("uri: [%.*s]\n", to_b.uri.len, to_b.uri.s); + printf("display: [%.*s]\n", to_b.display.len, to_b.display.s); + printf("tag: [%.*s]\n\n", to_b.tag_value.len, to_b.tag_value.s); + for (p=to_b.param_lst; p; p=p->next){ + printf(" param type: %d\n", p->type); + printf(" param name: [%.*s]\n", p->name.len, p->name.s); + printf(" param value: [%.*s]\n\n", p->value.len, p->value.s); + } + printf("\n"); + } + return 0; +}

14 years, 11 months

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

sr-dev