[sr-dev] git:master: tls: disable kerberos more thoroughly [fix]
Andrei Pelinescu-Onciul
andrei at iptel.org
Wed Feb 24 15:21:32 CET 2010
On Feb 23, 2010 at 17:47, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
> Is it possible to overrule this behavior, e.g. for testing?
No, but if you mean the cipher_list=RSA bug, then there's no need to
overwrite it, it should be still triggered.
If you need an overwrite switch, I could add a new
force_no_krb_workaround param.
Andrei
>
> On 23.02.2010 16:37, Andrei Pelinescu-Onciul wrote:
> >Module: sip-router
> >Branch: master
> >Commit: 51ee5da9ebf09447f71d4393f7c5b703305ff46d
> >URL:
> >http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=51ee5da9ebf09447f71d4393f7c5b703305ff46d
> >
> >Author: Andrei Pelinescu-Onciul <andrei at iptel.org>
> >Committer: Andrei Pelinescu-Onciul <andrei at iptel.org>
> >Date: Tue Feb 23 16:10:21 2010 +0100
> >
> >tls: disable kerberos more thoroughly [fix]
> >
> >Older openssl versions (< 0.9.8e release) have a bug in the
> >kerberos code (it uses the wrong malloc, for more details see
> >openssl bug # 1467). While there is already a workaround for this
> >openssl bug in the sr code (see commits 36cb8f & 560a42), in some
> >situations this workaround causes another bug (crash on connection
> >opening when openssl is compiled with kerberos support and
> >kerberos is enabled for key exchange).
> >The current fix will disable automatically all the ciphers containing
> >KRB5 if the openssl version is < 0.9.8e beta1 or it is between
> >0.9.9-dev and 0.9.9-beta1.
> >It is equivalent to setting cipher_list to "<prev. value>:!KRB5".
> >
> >Impact: this fix is needed only if openssl is compiled with
> >kerberos support and the version is < 0.9.8e. It also affects at
> >least CentOS users with openssl-0.9.8e-12.el5_4.1 (in the centos
> >openssl package they play some strange games with the version and
> >report 0.9.8b via SSLeay).
> >
> >Tested-by: Klaus Darilion klaus.mailinglists at pernau.at
> >Reported-by: Klaus Darilion klaus.mailinglists at pernau.at
> >Reported-by: Andreas Rehbein rehbein at e-technik.org
> >Reported-by: Martin Koenig koenig starface.de
> >
> >---
> >
> > modules/tls/tls_domain.c | 35 +++++++++++++++++++++++++++++++----
> > 1 files changed, 31 insertions(+), 4 deletions(-)
> >
> >diff --git a/modules/tls/tls_domain.c b/modules/tls/tls_domain.c
> >index b0d5d3c..c4f25e8 100644
> >--- a/modules/tls/tls_domain.c
> >+++ b/modules/tls/tls_domain.c
> >@@ -271,6 +271,10 @@ static int load_ca_list(tls_domain_t* d)
> > return 0;
> > }
> >
> >+#define C_DEF_NO_KRB5 "DEFAULT:!KRB5"
> >+#define C_DEF_NO_KRB5_LEN (sizeof(C_DEF_NO_KRB5)-1)
> >+#define C_NO_KRB5_SUFFIX ":!KRB5"
> >+#define C_NO_KRB5_SUFFIX_LEN (sizeof(C_NO_KRB5_SUFFIX)-1)
> >
> > /*
> > * Configure cipher list
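Review bot: C_DEF_NO_KRB5 and C_DEF_NO_KRB5_LEN are introduced here but never referenced; the only use of the default string in this patch is the literal "DEFAULT:!KRB5" inside set_cipher_list. Either use the macro there (`cipher_list=C_DEF_NO_KRB5;`) or drop the two unused defines, so the exclusion string is maintained in one place alongside C_NO_KRB5_SUFFIX, which is used.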
> >@@ -279,12 +283,35 @@ static int set_cipher_list(tls_domain_t* d)
> > {
> > int i;
> > int procs_no;
> >-
> >- if (!d->cipher_list.s) return 0;
> >+ char* cipher_list;
> >+
> >+ cipher_list=d->cipher_list.s;
> >+#ifdef TLS_KSSL_WORKARROUND
> >+ if (openssl_kssl_malloc_bug) { /* is openssl bug #1467 present ? */
> >+ if (d->cipher_list.s==0) {
> >+ /* use "DEFAULT:!KRB5" */
> >+ cipher_list="DEFAULT:!KRB5";
> >+ } else {
> >+ /* append ":!KRB5" */
> >+
> >cipher_list=shm_malloc(d->cipher_list.len+C_NO_KRB5_SUFFIX_LEN+1);
> >+ if (cipher_list) {
> >+ memcpy(cipher_list, d->cipher_list.s,
> >d->cipher_list.len);
> >+ memcpy(cipher_list+d->cipher_list.len,
> >C_NO_KRB5_SUFFIX,
> >+ C_NO_KRB5_SUFFIX_LEN);
> >+
> >cipher_list[d->cipher_list.len+C_NO_KRB5_SUFFIX_LEN]=0;
> >+ shm_free(d->cipher_list.s);
> >+ d->cipher_list.s=cipher_list;
> >+ d->cipher_list.len+=C_NO_KRB5_SUFFIX_LEN;
> >+ }
> >+ }
> >+ }
> >+#endif /* TLS_KSSL_WORKARROUND */
> >+ if (!cipher_list) return 0;
> > procs_no=get_max_procs();
> > for(i = 0; i< procs_no; i++) {
> >- if (SSL_CTX_set_cipher_list(d->ctx[i], d->cipher_list.s) ==
> >0 ) {
> >- ERR("%s: Failure to set SSL context cipher list\n",
> >tls_domain_str(d));
> >+ if (SSL_CTX_set_cipher_list(d->ctx[i], cipher_list) == 0 ) {
> >+ ERR("%s: Failure to set SSL context cipher list
> >\"%s\"\n",
> >+ tls_domain_str(d), cipher_list);
> > return -1;
> > }
> > }
> >
> >
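Review bot: the shm_malloc failure path in the `else` branch leaves the local `cipher_list` NULL, so the following `if (!cipher_list) return 0;` reports success without calling SSL_CTX_set_cipher_list at all; the domain then silently keeps OpenSSL's built-in default, including the very KRB5 ciphers this change sets out to exclude, and the user's configured list is dropped as well. Log the allocation failure and `return -1;`, or at least fall back to `d->cipher_list.s` so the configured list is still applied. A smaller point: the `d->cipher_list.s==0` branch assigns a string literal to the local without touching `d->cipher_list`, so the stored domain configuration and the list actually handed to OpenSSL differ, which is worth a comment since the other branch does update `d->cipher_list`.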
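The version gate and cipher-list rewrite that the commit message describes, as an added stand-alone C example; this is not code from the sip-router tree. The OPENSSL_VERSION_NUMBER constants are derived from OpenSSL's documented 0xMNNFFPPS layout, the functions `openssl_kssl_malloc_bug`, `cipher_list_without_krb5` and `krb5_excluded` are constructed here, and treating 0.9.9-beta1 itself as already fixed is an assumption. Plain `malloc` stands in for `shm_malloc`, and allocation failure is returned to the caller rather than swallowed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * OPENSSL_VERSION_NUMBER is laid out as 0xMNNFFPPS: major, minor, fix,
 * patch letter (a=1, b=2, ...), status (0 = dev, 1..e = beta N, f = release).
 * The constants below are derived from that layout for the versions named
 * in the commit message; they are constructed here, not taken from sr.
 */
#define OSSL_0_9_8E_BETA1 0x00908051UL
#define OSSL_0_9_9_DEV    0x00909000UL
#define OSSL_0_9_9_BETA1  0x00909001UL

/* Returns 1 when a build with this OPENSSL_VERSION_NUMBER falls in the
 * ranges the commit treats as carrying openssl bug #1467: below 0.9.8e
 * beta1, or in the 0.9.9-dev series before 0.9.9-beta1 (assumption:
 * beta1 itself counts as fixed). */
int openssl_kssl_malloc_bug(unsigned long version)
{
    if (version < OSSL_0_9_8E_BETA1)
        return 1;
    if (version >= OSSL_0_9_9_DEV && version < OSSL_0_9_9_BETA1)
        return 1;
    return 0;
}

/* Build the list that would be handed to SSL_CTX_set_cipher_list:
 * no configured list -> "DEFAULT:!KRB5", otherwise "<configured>:!KRB5".
 * Returns a malloc'd string (caller frees) or NULL if allocation fails,
 * so the caller can report the failure instead of silently skipping it. */
char *cipher_list_without_krb5(const char *configured)
{
    static const char suffix[] = ":!KRB5";
    static const char fallback[] = "DEFAULT:!KRB5";
    size_t clen, slen;
    char *out;

    if (configured == NULL) {
        out = malloc(sizeof(fallback));
        if (out == NULL) return NULL;
        memcpy(out, fallback, sizeof(fallback));   /* copies the NUL too */
        return out;
    }
    clen = strlen(configured);
    slen = strlen(suffix);
    out = malloc(clen + slen + 1);
    if (out == NULL) return NULL;
    memcpy(out, configured, clen);
    memcpy(out + clen, suffix, slen + 1);          /* copies the NUL too */
    return out;
}

/* Check a cipher list for the "!KRB5" exclusion token by walking the
 * ':'-separated entries, so a cipher name merely containing "KRB5"
 * (e.g. "KRB5-DES-CBC3-SHA") is not mistaken for an exclusion. */
int krb5_excluded(const char *cipher_list)
{
    const char *p = cipher_list;
    while (*p) {
        size_t n = strcspn(p, ":");
        if (n == 5 && memcmp(p, "!KRB5", 5) == 0)
            return 1;
        p += n;
        if (*p == ':') p++;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: the CentOS package from the commit message,
     * which reports itself as 0.9.8b (0x0090802f) via SSLeay. */
    unsigned long centos_reported = 0x0090802fUL;
    const char *configured[] = { NULL, "RSA", "HIGH:!aNULL" };
    size_t i;

    if (openssl_kssl_malloc_bug(centos_reported)) {
        for (i = 0; i < sizeof(configured) / sizeof(configured[0]); i++) {
            char *list = cipher_list_without_krb5(configured[i]);
            if (list == NULL) {
                fprintf(stderr, "cipher list allocation failed\n");
                return 1;
            }
            printf("%-12s -> %s (KRB5 excluded: %d)\n",
                   configured[i] ? configured[i] : "(unset)",
                   list, krb5_excluded(list));
            free(list);
        }
    }
    return 0;
}
```

The `krb5_excluded` check is the kind of assertion a config-time self-test can run on the final string before it reaches OpenSSL, which catches the silent-skip case the patch's allocation-failure path would otherwise leave undetected.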