sr-dev February 2010

sr-dev@lists.kamailio.org

31 participants
250 discussions

git:kamailio_3.0: tls: disable kerberos more thoroughly [fix]

by Daniel-Constantin Mierla

Module: sip-router Branch: kamailio_3.0 Commit: aff7ce53ed0dc9a63143f45fa546b7e2640f82b1 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=aff7ce5… Author: Andrei Pelinescu-Onciul <andrei(a)iptel.org> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: Tue Feb 23 16:10:21 2010 +0100 tls: disable kerberos more thoroughly [fix] Older openssl versions (< 0.9.8e release) have a bug in the kerberos code (it uses the wrong malloc, for more details see openssl bug # 1467). While there is already a workaround for this openssl bug in the sr code (see commits 36cb8f & 560a42), in some situations this workaround causes another bug (crash on connection opening when openssl is compiled with kerberos support and kerberos is enabled for key exchange). The current fix will disable automatically all the ciphers containing KRB5 if the openssl version is < 0.9.8e beta1 or it is between 0.9.9-dev and 0.9.9-beta1. It iss equivalent to setting cipher_list to "<prev. value>:!KRB5". Impact: this fix is needed only if openssl is compiled with kerberos support and the version is < 0.9.8e. It also affects at least CentOS users with openssl-0.9.8e-12.el5_4.1 (in the centos openssl package they play some strange games with the version and report 0.9.8b via SSLeay). Tested-by: Klaus Darilion klaus.mailinglists at pernau.at Reported-by: Klaus Darilion klaus.mailinglists at pernau.at Reported-by: Andreas Rehbein rehbein at e-technik.org Reported-by: Martin Koenig koenig starface.de (cherry picked from commit 51ee5da9ebf09447f71d4393f7c5b703305ff46d) --- modules/tls/tls_domain.c | 35 +++++++++++++++++++++++++++++++---- 1 files changed, 31 insertions(+), 4 deletions(-) diff --git a/modules/tls/tls_domain.c b/modules/tls/tls_domain.c index db35eda..628b3e2 100644 --- a/modules/tls/tls_domain.c +++ b/modules/tls/tls_domain.c @@ -269,6 +269,10 @@ static int load_ca_list(tls_domain_t* d) return 0; } +#define C_DEF_NO_KRB5 "DEFAULT:!KRB5" +#define C_DEF_NO_KRB5_LEN (sizeof(C_DEF_NO_KRB5)-1) +#define C_NO_KRB5_SUFFIX ":!KRB5" +#define C_NO_KRB5_SUFFIX_LEN (sizeof(C_NO_KRB5_SUFFIX)-1) /* * Configure cipher list @@ -277,12 +281,35 @@ static int set_cipher_list(tls_domain_t* d) { int i; int procs_no; - - if (!d->cipher_list.s) return 0; + char* cipher_list; + + cipher_list=d->cipher_list.s; +#ifdef TLS_KSSL_WORKARROUND + if (openssl_kssl_malloc_bug) { /* is openssl bug #1467 present ? */ + if (d->cipher_list.s==0) { + /* use "DEFAULT:!KRB5" */ + cipher_list="DEFAULT:!KRB5"; + } else { + /* append ":!KRB5" */ + cipher_list=shm_malloc(d->cipher_list.len+C_NO_KRB5_SUFFIX_LEN+1); + if (cipher_list) { + memcpy(cipher_list, d->cipher_list.s, d->cipher_list.len); + memcpy(cipher_list+d->cipher_list.len, C_NO_KRB5_SUFFIX, + C_NO_KRB5_SUFFIX_LEN); + cipher_list[d->cipher_list.len+C_NO_KRB5_SUFFIX_LEN]=0; + shm_free(d->cipher_list.s); + d->cipher_list.s=cipher_list; + d->cipher_list.len+=C_NO_KRB5_SUFFIX_LEN; + } + } + } +#endif /* TLS_KSSL_WORKARROUND */ + if (!cipher_list) return 0; procs_no=get_max_procs(); for(i = 0; i < procs_no; i++) { - if (SSL_CTX_set_cipher_list(d->ctx[i], d->cipher_list.s) == 0 ) { - ERR("%s: Failure to set SSL context cipher list\n", tls_domain_str(d)); + if (SSL_CTX_set_cipher_list(d->ctx[i], cipher_list) == 0 ) { + ERR("%s: Failure to set SSL context cipher list \"%s\"\n", + tls_domain_str(d), cipher_list); return -1; } }

14 years, 8 months

git:kamailio_3.0: cfg parser: segfault on case RE parse error fix

by Daniel-Constantin Mierla

Module: sip-router Branch: kamailio_3.0 Commit: cee359fdc0bd85b85dc170c61ca296a3f13b0639 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=cee359f… Author: Andrei Pelinescu-Onciul <andrei(a)iptel.org> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: Wed Feb 24 15:13:12 2010 +0100 cfg parser: segfault on case RE parse error fix Reported-by: Klaus Feichtinger klaus.feichtinger gmx net (cherry picked from commit d2871c1190291e4b801f42e0763e5ca7ea28ee36) --- cfg.y | 21 +++++++++++++-------- 1 files changed, 13 insertions(+), 8 deletions(-) diff --git a/cfg.y b/cfg.y index c618a52..f535d98 100644 --- a/cfg.y +++ b/cfg.y @@ -2239,12 +2239,14 @@ if_cmd: ct_rval: rval_expr { $$=0; - if (!rve_is_constant($1)){ + if ($1 && !rve_is_constant($1)){ yyerror("constant expected"); + YYERROR; /* - } else if (!rve_check_type((enum rval_type*)&i_tmp, $1, 0, 0 ,0)){ + } else if ($1 && + !rve_check_type((enum rval_type*)&i_tmp, $1, 0, 0 ,0)){ yyerror("invalid expression (bad type)"); - }else if (i_tmp!=RV_INT){ + }else if ($1 && i_tmp!=RV_INT){ yyerror("invalid expression type, int expected\n"); */ }else @@ -2254,28 +2256,28 @@ ct_rval: rval_expr { single_case: CASE ct_rval COLON actions { $$=0; - if ($2==0) yyerror ("bad case label"); + if ($2==0) { yyerror ("bad case label"); YYERROR; } else if ((($$=mk_case_stm($2, 0, $4, &i_tmp))==0) && (i_tmp==-10)){ YYABORT; } } | CASE SLASH ct_rval COLON actions { $$=0; - if ($3==0) yyerror ("bad case label"); + if ($3==0) { yyerror ("bad case label"); YYERROR; } else if ((($$=mk_case_stm($3, 1, $5, &i_tmp))==0) && (i_tmp==-10)){ YYABORT; } } | CASE ct_rval COLON { $$=0; - if ($2==0) yyerror ("bad case label"); + if ($2==0) { yyerror ("bad case label"); YYERROR; } else if ((($$=mk_case_stm($2, 0, 0, &i_tmp))==0) && (i_tmp==-10)){ YYABORT; } } | CASE SLASH ct_rval COLON { $$=0; - if ($3==0) yyerror ("bad case label"); + if ($3==0) { yyerror ("bad regex case label"); YYERROR; } else if ((($$=mk_case_stm($3, 1, 0, &i_tmp))==0) && (i_tmp==-10)){ YYABORT; } @@ -2290,7 +2292,10 @@ single_case: YYABORT; } } - | CASE error { $$=0; yyerror("bad case label"); } + | CASE error COLON actions { $$=0; yyerror("bad case label"); } + | CASE SLASH error COLON actions { $$=0; yyerror("bad case regex label"); } + | CASE error COLON { $$=0; yyerror("bad case label"); } + | CASE SLASH error COLON { $$=0; yyerror("bad case regex label"); } | CASE ct_rval COLON error { $$=0; yyerror ("bad case body"); } ; case_stms:

14 years, 8 months

git:kamailio_3.0: dialog(k): init local parameter

by Daniel-Constantin Mierla

Module: sip-router Branch: kamailio_3.0 Commit: b3e99c07b69f28d55de89b2adb96468ff71c9764 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=b3e99c0… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: Fri Feb 12 11:12:37 2010 +0100 dialog(k): init local parameter - memset tm callback param to 0 - safety checks for MI cmd dlg match - credits to Inaki Baz Castillo and Torben Friese (cherry picked from commit 787fabb1e0085355aa1eeb77d5f17e7940f4ed3c) --- modules_k/dialog/dlg_handlers.c | 34 ++++++++++++++++++++-------------- modules_k/dialog/dlg_hash.h | 2 ++ 2 files changed, 22 insertions(+), 14 deletions(-) diff --git a/modules_k/dialog/dlg_handlers.c b/modules_k/dialog/dlg_handlers.c index 450cc12..1091777 100644 --- a/modules_k/dialog/dlg_handlers.c +++ b/modules_k/dialog/dlg_handlers.c @@ -331,24 +331,29 @@ static void dlg_onreply(struct cell* t, int type, struct tmcb_params *param) old_state!=DLG_STATE_CONFIRMED_NA && old_state!=DLG_STATE_CONFIRMED ) { LM_DBG("dialog %p confirmed\n",dlg); - /* get to tag*/ - if ( !rpl->to && ((parse_headers(rpl, HDR_TO_F,0)<0) || !rpl->to) ) { - LM_ERR("bad reply or missing TO hdr :-/\n"); - tag.s = 0; - tag.len = 0; - } else { - tag = get_to(rpl)->tag_value; - if (tag.s==0 || tag.len==0) { - LM_ERR("missing TAG param in TO hdr :-/\n"); + if (rpl != FAKED_REPLY) { + /* get to tag*/ + if ( !rpl->to && ((parse_headers(rpl, HDR_TO_F,0)<0) + || !rpl->to) ) { + LM_ERR("bad reply or missing TO hdr :-/\n"); tag.s = 0; tag.len = 0; + } else { + tag = get_to(rpl)->tag_value; + if (tag.s==0 || tag.len==0) { + LM_ERR("missing TAG param in TO hdr :-/\n"); + tag.s = 0; + tag.len = 0; + } } - } - /* save callee's tag, cseq, contact and record route*/ - if (populate_leg_info( dlg, rpl, t, DLG_CALLEE_LEG, &tag) !=0) { - LM_ERR("could not add further info to the dialog\n"); - } + /* save callee's tag, cseq, contact and record route*/ + if (populate_leg_info( dlg, rpl, t, DLG_CALLEE_LEG, &tag) !=0) { + LM_ERR("could not add further info to the dialog\n"); + } + } else { + LM_ERR("Faked reply!\n"); + } /* set start time */ dlg->start_ts = (unsigned int)(time(0)); @@ -500,6 +505,7 @@ static void unref_new_dialog(void *dialog) { struct tmcb_params p; + memset(&p, 0, sizeof(struct tmcb_params)); p.param = (void*)&dialog; dlg_onreply(0, TMCB_DESTROY, &p); } diff --git a/modules_k/dialog/dlg_hash.h b/modules_k/dialog/dlg_hash.h index bd1de87..889a318 100644 --- a/modules_k/dialog/dlg_hash.h +++ b/modules_k/dialog/dlg_hash.h @@ -426,6 +426,8 @@ static inline int match_dialog(struct dlg_cell *dlg, str *callid, */ static inline int match_downstream_dialog(struct dlg_cell *dlg, str *callid, str *ftag) { + if(dlg==NULL || callid==NULL || ftag==NULL) + return 0; if (dlg->callid.len!=callid->len || dlg->tag[DLG_CALLER_LEG].len!=ftag->len || strncmp(dlg->callid.s,callid->s,callid->len)!=0 ||

14 years, 8 months

ratelimit enhancements

by Daniel-Constantin Mierla

Hi Marius, since you did some updates to this module, I am opening for debate some needed enhancements I did during 3.0 testing phase and want to get opinions how to get in the code repo. Practically is a new module I named for now ratelimit2 and my last idea is to get it named pipelimit in the trunk. The reason for a new module are some major changes. The module uses the same algorithm but its core is overhaul. - definitions of pipes are loaded from database - there can be unlimited number of pipes - pipes are identified by string names - should be possible to reload pipes at runtime (iirc, not yet in) - new pipes can be added at runtime - functions accept variables to identify the pipe Since I never used queues from this module and haven't spent time to understand the concept behind, this functionality is completely missing. The old module might be good to keep in place, probably many people are using it in this form. So, proposals? What is the way to go on? Common code (algorithms) can be made lib at some point. Cheers, Daniel -- Daniel-Constantin Mierla * http://www.asipto.com/

14 years, 8 months

tracking new features

by Daniel-Constantin Mierla

Hello, a reminder for developers to write a short note for each new feature either to NEWS file in source tree or to wiki page: http://sip-router.org/wiki/features/new-in-devel Makes life much easier when the next major release is going to happen and help people to spot quickly what new features are already available in devel branch, hopefully attracting some of them to go for it and test. Now the wiki page is updated with most of NEWS content for 3.1. Thanks, Daniel -- Daniel-Constantin Mierla Kamailio SIP Router Masterclass, Berlin, March 22-26, 2010 * http://www.asipto.com/index.php/sip-router-masterclass/

14 years, 8 months

modules_s/tls

by Klaus Darilion

Hi! Currently we have 2 tls modules, one in modules/ and one in modules_s/. Shouldn't the second be removed? regards Klaus

14 years, 8 months

CeBIT 2010

by Daniel-Constantin Mierla

Hello, I am going to visit CeBIT 2010 in Hannover next week. Drop me an email if you are around and want to meet and chat about Kamailio, SIP Router projects, etc. Cheers, Daniel -- Daniel-Constantin Mierla Kamailio SIP Router Masterclass, Berlin, March 22-26, 2010 * http://www.asipto.com/index.php/sip-router-masterclass/

14 years, 8 months

autogenerated docs for cfg vars, rpcs and selects

by Andrei Pelinescu-Onciul

I've created some perl scripts that generate documentation (both in txt and docbook format) from the cfg vars, RPCs and select declarations in the code. The RPCs and cfg vars include also the doc strings. The selects are only listed (more then that cannot be automatically extracted, but at least their name is self-explaining in 99% of the cases). The scripts (for now only in the andrei/cdefs2doc branch) require a non-standard perl module (GCC::TranslationUnit) with one extra patch to it and take a lot of time to execute. Because of this I think it would be much better to also have the generated documentation in the repository, in the xml and .txt format (it would add 500k-1Mb of docs). Examples: html generated from the auto-generated docbook xmls: http://sip-router.org/docbook/sip-router/branch/andrei/cdefs2doc/cfg_list/c… http://sip-router.org/docbook/sip-router/branch/andrei/cdefs2doc/rpc_list/r… http://sip-router.org/docbook/sip-router/branch/andrei/cdefs2doc/select_lis… txt output for the cfg vars: http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob;f=doc/cfg_… example of an auto-generated xml: http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob;f=doc/rpc_… (note that the above example were generated from older code and not from the latest master or 3.0 versions) If you have an idea for better formatting, please provide a short xml example. If nobody speaks against it, I will merge the branch into master next week and start to re-generate the docs periodically. Andrei P.S.: for the perl scripts see http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=tree;f=doc/scri…

14 years, 8 months

Your opinion about presence subscription blocking actions

by Iñaki Baz Castillo

Hi, I'm dealing with presence right now. I've read full OMA and RCS specifications/proposals/guidelines for presence and XCAP but I don't feel comfortable with some parts of them. So let me to explain the question (it involves the sr/kamailio presence module behavior for a future re-design in which I want to participate): In presence/XCAP/XDM there are three ways bob can deny alice to see his presence status (by modifying the XCAP documents according): 1) Ignore alice's request. This is, bob doesn't "allow" neither "blocks" alice, so alice just gets the first NOTIFY from the server with: Subscription-Status: pending After some long time the server will send: Subscription-Status: terminated ; reason=expired 2) Block alice by invoking a "block" action. This means that alice receives a NOTIFY from the server with: Subscription-Status: terminated; reason=rejected This is: alice *knows* that she has been explicitely blocked by bob. 3) Polite-block alice by invoking "polite-block" action. In this way the presence server generates a spoofed NOTIFY for alice containing "offline" information but the header: Subscription-Status: active This is: alice *things* she has been allowed by bob and bob it's offline right now (not true). Well, in real IM/presence world (MSN, Skype, XMPP, Yahoo...) option 2 doesn't exist, am I right? This is, if you block an user he doesn't know that you have blocked him. Instead just options 1 or 3 are used (and in some networks just option 1). Do you see any advantage in point 2? Personally I don't see it and it just introduces too much complexity for presence/XCAP/XDM client developers. I would appreciate your opinnions about it. Thanks. -- Iñaki Baz Castillo <ibc(a)aliax.net>

14 years, 9 months

git:master: userblacklist(k): short term fix in the docs for redundant table definition

by Henning Westerholt

Module: sip-router Branch: master Commit: 2372a7d5039a72f9cdb6b8bb7acb8a5ae2cb5c5f URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=2372a7d… Author: Henning Westerholt <henning.westerholt(a)1und1.de> Committer: Henning Westerholt <henning.westerholt(a)1und1.de> Date: Wed Feb 24 17:04:54 2010 +0100 userblacklist(k): short term fix in the docs for redundant table definition --- modules_k/userblacklist/README | 12 +++++++----- modules_k/userblacklist/doc/userblacklist_db.xml | 4 +++- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/modules_k/userblacklist/README b/modules_k/userblacklist/README index 3d7927a..5e0c242 100644 --- a/modules_k/userblacklist/README +++ b/modules_k/userblacklist/README @@ -187,7 +187,7 @@ modparam("userblacklist", "use_domain", 0) 4.3. check_blacklist (string table) -4.1. check_user_blacklist (string user, string domain, string number, string +4.1. check_user_blacklist (string user, string domain, string number, string table) Finds the longest prefix that matches the request URI user (or the @@ -208,7 +208,7 @@ if (!check_user_blacklist("$avp(i:80)", "$avp(i:82)")) } ... -4.2. check_user_whitelist (string user, string domain, string number, string +4.2. check_user_whitelist (string user, string domain, string number, string table) Finds the longest prefix that matches the request URI user (or the @@ -229,7 +229,7 @@ if (!check_user_whitelist("$avp(i:80)", "$avp(i:82)")) } ... -4.3. check_blacklist (string table) +4.3. check_blacklist (string table) Finds the longest prefix that matches the request URI for the given table. If a match is found and it is not set to whitelist, false is @@ -247,7 +247,7 @@ if (!check_blacklist("global_blacklist"))) 5.1. reload_blacklist -5.1. reload_blacklist +5.1. reload_blacklist Reload the internal global blacklist cache. This is necessary after the database tables for the global blacklist have been changed. @@ -399,7 +399,9 @@ modparam("userblacklist", "userblacklist_whitelist_col", "whitelist") 8. globalblacklist_table (String) - Name of the globalblacklist table for the userblacklist module. + Name of the globalblacklist table for the userblacklist module. Please + not that this table is currently ignored, the table needs to be given + as a parameter for the check_blacklist function. Default value is "globalblacklist". diff --git a/modules_k/userblacklist/doc/userblacklist_db.xml b/modules_k/userblacklist/doc/userblacklist_db.xml index f4d2585..5e8df9c 100644 --- a/modules_k/userblacklist/doc/userblacklist_db.xml +++ b/modules_k/userblacklist/doc/userblacklist_db.xml @@ -111,7 +111,9 @@ modparam("userblacklist", "userblacklist_whitelist_col", "whitelist") </section> <section> <title><varname>globalblacklist_table</varname> (String)</title> - <para>Name of the globalblacklist table for the userblacklist module.</para> + <para>Name of the globalblacklist table for the userblacklist module. + Please not that this table is currently ignored, the table needs to be + given as a parameter for the check_blacklist function.</para> <para> <emphasis>Default value is <quote>globalblacklist</quote>.</emphasis> </para>

14 years, 9 months

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

sr-dev February 2010