Pre-Submission Checklist

Type Of Change

Checklist:

Description

This PR aims to fix a bug/security issue where data that was supposed to be encrypted and transferred through TLS was instead transferred with the TCP protocol.

More information and how to replicate can be found in the issue listed above.

This PR suggests also using the protocol when matching whether a TCP connection exists and when doing connection lookups; otherwise, a lookup might return the wrong connection, i.e. a TCP one when we are asking for a TLS one (the case when the source IP/port and destination IP are the same but the destination port is set to 0 (wildcard)).

tcpconn_get was left unchanged because it is used by some modules and we did not want to break them. Please advise whether it would be beneficial to also change it.

In some cases, like tcpconn_add_alias and tcpconn_get, we used PROTO_NONE, which preserves the original behavior. In tcpconn_add_alias we do have the protocol available; should it also be used?
tcpconn_get does not have the protocol available unless we pass it as an argument.


You can view, comment on, or merge this pull request online at:

  https://github.com/kamailio/kamailio/pull/3810

Commit Summary

File Changes

(3 files)
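
A minimal model of the lookup problem described in this PR, added here as an illustration; it is not code from the pull request or from Kamailio. The struct, the constructed table, the addresses and `conn_lookup` are hypothetical, and the `PROTO_TCP`/`PROTO_TLS` names are assumed; only the port-0 wildcard and the `PROTO_NONE` "skip the protocol check" semantics come from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model for illustration; not Kamailio's real structures. */
enum proto { PROTO_NONE = 0, PROTO_TCP, PROTO_TLS };

struct conn {
    int id;
    uint32_t src_ip, dst_ip;      /* IPv4 as integers for brevity */
    uint16_t src_port, dst_port;
    enum proto proto;
};

/* Constructed sample table: same source ip/port and destination IP,
 * differing only in destination port and protocol. */
static const struct conn conns[] = {
    {1, 0x0a000001, 0x0a000002, 5060, 5060, PROTO_TCP},
    {2, 0x0a000001, 0x0a000002, 5060, 5061, PROTO_TLS},
};

/* dst_port == 0 is a wildcard. proto == PROTO_NONE skips the protocol
 * check (the original behaviour). Returns the connection id, or -1. */
int conn_lookup(uint32_t src_ip, uint16_t src_port, uint32_t dst_ip,
                uint16_t dst_port, enum proto proto)
{
    for (size_t i = 0; i < sizeof(conns) / sizeof(conns[0]); i++) {
        const struct conn *c = &conns[i];
        if (c->src_ip != src_ip || c->src_port != src_port ||
            c->dst_ip != dst_ip)
            continue;
        if (dst_port != 0 && c->dst_port != dst_port)
            continue;
        if (proto != PROTO_NONE && c->proto != proto)
            continue;             /* the additional match on protocol */
        return c->id;
    }
    return -1;
}

int main(void)
{
    /* Wildcard port, no protocol: the first 3-tuple match is the TCP one. */
    printf("no proto:  conn %d\n",
           conn_lookup(0x0a000001, 5060, 0x0a000002, 0, PROTO_NONE));
    /* Wildcard port, TLS requested: only the TLS connection can match. */
    printf("PROTO_TLS: conn %d\n",
           conn_lookup(0x0a000001, 5060, 0x0a000002, 0, PROTO_TLS));
    return 0;
}
```
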
