[sr-dev] git:master: tls: disable kerberos more thoroughly [fix]

Andrei Pelinescu-Onciul andrei at iptel.org
Wed Feb 24 15:21:32 CET 2010


On Feb 23, 2010 at 17:47, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
> Is it possible to overrule this behavior, e.g. for testing?

No, but if you mean the cipher_list=RSA bug, then there's no need to
overwrite it, it should be still triggered.

If you need an overwrite switch, I could add a new
force_no_krb_workaround param.


Andrei

> 
> Am 23.02.2010 16:37, schrieb Andrei Pelinescu-Onciul:
> >Module: sip-router
> >Branch: master
> >Commit: 51ee5da9ebf09447f71d4393f7c5b703305ff46d
> >URL:    
> >http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=51ee5da9ebf09447f71d4393f7c5b703305ff46d
> >
> >Author: Andrei Pelinescu-Onciul <andrei at iptel.org>
> >Committer: Andrei Pelinescu-Onciul <andrei at iptel.org>
> >Date:   Tue Feb 23 16:10:21 2010 +0100
> >
> >tls: disable kerberos more thoroughly [fix]
> >
> >Older openssl versions (< 0.9.8e release) have a bug in the
> >kerberos code (it uses the wrong malloc, for more details see
> >openssl bug # 1467). While there is already a workaround for this
> >openssl bug in the sr code (see commits 36cb8f & 560a42), in some
> >situations this workaround causes another bug (crash on connection
> >opening when openssl is compiled with kerberos support and
> >kerberos is enabled for key exchange).
> >The current fix will disable automatically all the ciphers containing
> >KRB5 if the openssl version is < 0.9.8e beta1 or it is between
> >0.9.9-dev and 0.9.9-beta1.
> >It is equivalent to setting cipher_list to "<prev. value>:!KRB5".
> >
> >Impact: this fix is needed only if openssl is compiled with
> >kerberos support and the version is < 0.9.8e. It also affects at
> >least CentOS users with openssl-0.9.8e-12.el5_4.1 (in the centos
> >openssl package they play some strange games with the version and
> >report 0.9.8b via SSLeay).
> >
> >Tested-by: Klaus Darilion  klaus.mailinglists at pernau.at
> >Reported-by: Klaus Darilion  klaus.mailinglists at pernau.at
> >Reported-by: Andreas Rehbein  rehbein at e-technik.org
> >Reported-by: Martin Koenig  koenig starface.de
> >
> >---
> >
> >  modules/tls/tls_domain.c |   35 +++++++++++++++++++++++++++++++----
> >  1 files changed, 31 insertions(+), 4 deletions(-)
> >
> >diff --git a/modules/tls/tls_domain.c b/modules/tls/tls_domain.c
> >index b0d5d3c..c4f25e8 100644
> >--- a/modules/tls/tls_domain.c
> >+++ b/modules/tls/tls_domain.c
> >@@ -271,6 +271,10 @@ static int load_ca_list(tls_domain_t* d)
> >  	return 0;
> >  }
> >
> >+#define C_DEF_NO_KRB5 "DEFAULT:!KRB5"
> >+#define C_DEF_NO_KRB5_LEN (sizeof(C_DEF_NO_KRB5)-1)
> >+#define C_NO_KRB5_SUFFIX ":!KRB5"
> >+#define C_NO_KRB5_SUFFIX_LEN (sizeof(C_NO_KRB5_SUFFIX)-1)
> >
> >  /*
> >   * Configure cipher list
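Review bot: C_DEF_NO_KRB5 and C_DEF_NO_KRB5_LEN are introduced here but never used; the second hunk assigns the bare literal `cipher_list="DEFAULT:!KRB5";` instead, so the macro and the literal can drift apart. Either use `cipher_list=C_DEF_NO_KRB5;` in set_cipher_list() or drop the two unused defines.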
> >@@ -279,12 +283,35 @@ static int set_cipher_list(tls_domain_t* d)
> >  {
> >  	int i;
> >  	int procs_no;
> >-
> >-	if (!d->cipher_list.s) return 0;
> >+	char* cipher_list;
> >+
> >+	cipher_list=d->cipher_list.s;
> >+#ifdef TLS_KSSL_WORKARROUND
> >+	if (openssl_kssl_malloc_bug) { /* is openssl bug #1467 present ? */
> >+		if (d->cipher_list.s==0) {
> >+			/* use "DEFAULT:!KRB5" */
> >+			cipher_list="DEFAULT:!KRB5";
> >+		} else {
> >+			/* append ":!KRB5" */
> >+		 
> >cipher_list=shm_malloc(d->cipher_list.len+C_NO_KRB5_SUFFIX_LEN+1);
> >+			if (cipher_list) {
> >+				memcpy(cipher_list, d->cipher_list.s, 
> >d->cipher_list.len);
> >+				memcpy(cipher_list+d->cipher_list.len, 
> >C_NO_KRB5_SUFFIX,
> >+						C_NO_KRB5_SUFFIX_LEN);
> >+			 
> >cipher_list[d->cipher_list.len+C_NO_KRB5_SUFFIX_LEN]=0;
> >+				shm_free(d->cipher_list.s);
> >+				d->cipher_list.s=cipher_list;
> >+				d->cipher_list.len+=C_NO_KRB5_SUFFIX_LEN;
> >+			}
> >+		}
> >+	}
> >+#endif /* TLS_KSSL_WORKARROUND */
> >+	if (!cipher_list) return 0;
> >  	procs_no=get_max_procs();
> >  	for(i = 0; i<  procs_no; i++) {
> >-		if (SSL_CTX_set_cipher_list(d->ctx[i], d->cipher_list.s) == 
> >0 ) {
> >-			ERR("%s: Failure to set SSL context cipher list\n", 
> >tls_domain_str(d));
> >+		if (SSL_CTX_set_cipher_list(d->ctx[i], cipher_list) == 0 ) {
> >+			ERR("%s: Failure to set SSL context cipher list 
> >\"%s\"\n",
> >+					tls_domain_str(d), cipher_list);
> >  			return -1;
> >  		}
> >  	}
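Review bot: the shm_malloc failure path in the "append ':!KRB5'" branch is silent: `cipher_list` stays NULL, the following `if (!cipher_list) return 0;` reports success, and SSL_CTX_set_cipher_list() is never called, so on a memory shortage the domain keeps OpenSSL's built-in default ciphers (KRB5 ones included on a kerberos-enabled build) and the configured cipher_list is dropped without any log line. Suggest treating the allocation failure as an error, e.g. `ERR("%s: out of shared memory\n", tls_domain_str(d)); return -1;`, or at minimum falling back to `cipher_list=d->cipher_list.s;` so the administrator's list is still applied. Minor: the literal "DEFAULT:!KRB5" duplicates the C_DEF_NO_KRB5 macro added in the previous hunk.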
> >
> >
> >_______________________________________________
> >sr-dev mailing list
> >sr-dev at lists.sip-router.org
> >http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
