sr-dev October 2019

sr-dev@lists.kamailio.org

22 participants
436 discussions

git:master:4e9f49a5: tls: docs - relocated the note about krand and fastrand from default value paragraph

by Daniel-Constantin Mierla

Module: kamailio Branch: master Commit: 4e9f49a5e8ebd90d6b6913310402acea7f5a3ca9 URL: https://github.com/kamailio/kamailio/commit/4e9f49a5e8ebd90d6b6913310402ace… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2019-10-07T15:07:41+02:00 tls: docs - relocated the note about krand and fastrand from default value paragraph - rephrased a bit to avoid eventual confusion they are not production ready --- Modified: src/modules/tls/doc/params.xml --- Diff: https://github.com/kamailio/kamailio/commit/4e9f49a5e8ebd90d6b6913310402ace… Patch: https://github.com/kamailio/kamailio/commit/4e9f49a5e8ebd90d6b6913310402ace… --- diff --git a/src/modules/tls/doc/params.xml b/src/modules/tls/doc/params.xml index 72d3278ed7..dc6494c2db 100644 --- a/src/modules/tls/doc/params.xml +++ b/src/modules/tls/doc/params.xml @@ -1259,13 +1259,16 @@ end <itemizedlist> <listitem><para>krand - use internal kam_rand() function</para></listitem> <listitem><para>fastrand - use internal fastrand function</para></listitem> - <listitem><para>cryptorand - use internal cryptorand function</para></listitem> + <listitem><para>cryptorand - use internal cryptorand (fortuna) function</para></listitem> </itemizedlist> + <para> + Note: the krand and fastrand engines are not recommended for use on + systems requiring strong security, as they may not generate numbers + with enough randomness. + </para> <para> The default value is empty (not set) for libssl v1.0.x or older, and - "cryptorand" for libssl v1.1.x or newer. The krand and fastrand engines are - not recommended for production use, as they will not generate secure enough - random numbers. + "cryptorand" for libssl v1.1.x or newer. </para> <example> <title>Set <varname>rand_engine</varname> parameter</title>

5 years, 1 month

git:5.1:31ee7514: core: workaround related to T_OPT for alpine linux musl C library (GH #2095)

by Henning Westerholt

Module: kamailio Branch: 5.1 Commit: 31ee751409e0efdace1f76ee78cc85da78b049b8 URL: https://github.com/kamailio/kamailio/commit/31ee751409e0efdace1f76ee78cc85d… Author: Henning Westerholt <hw(a)skalatan.de> Committer: Henning Westerholt <hw(a)skalatan.de> Date: 2019-10-07T16:35:44+02:00 core: workaround related to T_OPT for alpine linux musl C library (GH #2095) (cherry picked from commit cec1043a9c4daa39b4245b87f28fb5566e8627bd) --- Modified: src/core/resolve.c --- Diff: https://github.com/kamailio/kamailio/commit/31ee751409e0efdace1f76ee78cc85d… Patch: https://github.com/kamailio/kamailio/commit/31ee751409e0efdace1f76ee78cc85d… --- diff --git a/src/core/resolve.c b/src/core/resolve.c index 439435791a..f12b6e1ca6 100644 --- a/src/core/resolve.c +++ b/src/core/resolve.c @@ -32,8 +32,12 @@ #include <resolv.h> #include <string.h> -/* older glibc < 2.25 does not include T_OPT in nameser_compat.h yet */ -#if __GLIBC__ == 2 && __GLIBC_MINOR__ < 25 +/* + * Older glibc < 2.25 does not include T_OPT in nameser_compat.h yet. + * On alpine linux musl library it is also not defined. There is no + * musl feature test macro, so we look for glibc instead. + */ +#if (defined __GLIBC__ && __GLIBC__ == 2 && __GLIBC_MINOR__ < 25) || !defined __GLIBC__ #ifndef T_OPT #define T_OPT ns_t_opt #endif

5 years, 1 month

git:5.2:052c647e: core: workaround related to T_OPT for alpine linux musl C library (GH #2095)

by Henning Westerholt

Module: kamailio Branch: 5.2 Commit: 052c647e310b59efd06903668aec231eadf321c2 URL: https://github.com/kamailio/kamailio/commit/052c647e310b59efd06903668aec231… Author: Henning Westerholt <hw(a)skalatan.de> Committer: Henning Westerholt <hw(a)skalatan.de> Date: 2019-10-07T16:35:11+02:00 core: workaround related to T_OPT for alpine linux musl C library (GH #2095) (cherry picked from commit cec1043a9c4daa39b4245b87f28fb5566e8627bd) --- Modified: src/core/resolve.c --- Diff: https://github.com/kamailio/kamailio/commit/052c647e310b59efd06903668aec231… Patch: https://github.com/kamailio/kamailio/commit/052c647e310b59efd06903668aec231… --- diff --git a/src/core/resolve.c b/src/core/resolve.c index 9f9705341e..04e65962ea 100644 --- a/src/core/resolve.c +++ b/src/core/resolve.c @@ -32,8 +32,12 @@ #include <resolv.h> #include <string.h> -/* older glibc < 2.25 does not include T_OPT in nameser_compat.h yet */ -#if __GLIBC__ == 2 && __GLIBC_MINOR__ < 25 +/* + * Older glibc < 2.25 does not include T_OPT in nameser_compat.h yet. + * On alpine linux musl library it is also not defined. There is no + * musl feature test macro, so we look for glibc instead. + */ +#if (defined __GLIBC__ && __GLIBC__ == 2 && __GLIBC_MINOR__ < 25) || !defined __GLIBC__ #ifndef T_OPT #define T_OPT ns_t_opt #endif

5 years, 1 month

git:5.2:c419dfdd: http_async_client: use enough size to print pointer as string in build_hash_key()

by Daniel-Constantin Mierla

Module: kamailio Branch: 5.2 Commit: c419dfddfbfc7b250a4be18665d4ed779435ac2e URL: https://github.com/kamailio/kamailio/commit/c419dfddfbfc7b250a4be18665d4ed7… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2019-10-07T16:30:47+02:00 http_async_client: use enough size to print pointer as string in build_hash_key() - use local string variables instead of allocation in pkg, because the values are needed only inside the function - use safer snprintf() instead of sprintf() - GH #2091 (cherry picked from commit 087654a5028cd800e17fcd9d1768135a60fd6706) (cherry picked from commit 2ec8caa1ef9577fa4f21fb1fa2f9f6217a29f3eb) --- Modified: src/modules/http_async_client/hm_hash.c --- Diff: https://github.com/kamailio/kamailio/commit/c419dfddfbfc7b250a4be18665d4ed7… Patch: https://github.com/kamailio/kamailio/commit/c419dfddfbfc7b250a4be18665d4ed7… --- diff --git a/src/modules/http_async_client/hm_hash.c b/src/modules/http_async_client/hm_hash.c index 9497809847..b18a8b9c37 100644 --- a/src/modules/http_async_client/hm_hash.c +++ b/src/modules/http_async_client/hm_hash.c @@ -62,39 +62,25 @@ int init_http_m_table(unsigned int size) unsigned int build_hash_key(void *p) { - str *hash_str; - char *pointer_str; - int len; + str hash_str; + char pointer_str[20]; unsigned int hash; - pointer_str = (char *)pkg_malloc(sizeof(p) + 1); - - if (pointer_str==0) { - LM_ERR("no more pkg mem\n"); + hash_str.len = snprintf(pointer_str, 20, "%p", p); + if(hash_str.len<=0 || hash_str.len>=20) { + LM_ERR("failed to print the pointer address\n"); return 0; } + LM_DBG("received id %p (%d)-> %s (%d)\n", p, (int)sizeof(p), pointer_str, + hash_str.len); - sprintf(pointer_str, "%p", p); - len = strlen(pointer_str); - LM_DBG("received id %p (%d)-> %s (%d)\n", p, (int)sizeof(p), pointer_str, len); + hash_str.s = pointer_str; - hash_str = (str *)pkg_malloc(sizeof(str)); - if (hash_str==0) { - LM_ERR("no more pkg mem\n"); - pkg_free(pointer_str); - return 0; - } - hash_str->s = pointer_str; - hash_str->len = len; - - hash = core_hash(hash_str, 0, hash_size); + hash = core_hash(&hash_str, 0, hash_size); LM_DBG("hash for %p is %d\n", p, hash); - pkg_free(pointer_str); - pkg_free(hash_str); - return hash; }

5 years, 1 month

git:5.3:2ec8caa1: http_async_client: use enough size to print pointer as string in build_hash_key()

by Daniel-Constantin Mierla

Module: kamailio Branch: 5.3 Commit: 2ec8caa1ef9577fa4f21fb1fa2f9f6217a29f3eb URL: https://github.com/kamailio/kamailio/commit/2ec8caa1ef9577fa4f21fb1fa2f9f62… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2019-10-07T16:29:16+02:00 http_async_client: use enough size to print pointer as string in build_hash_key() - use local string variables instead of allocation in pkg, because the values are needed only inside the function - use safer snprintf() instead of sprintf() - GH #2091 (cherry picked from commit 087654a5028cd800e17fcd9d1768135a60fd6706) --- Modified: src/modules/http_async_client/hm_hash.c --- Diff: https://github.com/kamailio/kamailio/commit/2ec8caa1ef9577fa4f21fb1fa2f9f62… Patch: https://github.com/kamailio/kamailio/commit/2ec8caa1ef9577fa4f21fb1fa2f9f62… --- diff --git a/src/modules/http_async_client/hm_hash.c b/src/modules/http_async_client/hm_hash.c index 9497809847..b18a8b9c37 100644 --- a/src/modules/http_async_client/hm_hash.c +++ b/src/modules/http_async_client/hm_hash.c @@ -62,39 +62,25 @@ int init_http_m_table(unsigned int size) unsigned int build_hash_key(void *p) { - str *hash_str; - char *pointer_str; - int len; + str hash_str; + char pointer_str[20]; unsigned int hash; - pointer_str = (char *)pkg_malloc(sizeof(p) + 1); - - if (pointer_str==0) { - LM_ERR("no more pkg mem\n"); + hash_str.len = snprintf(pointer_str, 20, "%p", p); + if(hash_str.len<=0 || hash_str.len>=20) { + LM_ERR("failed to print the pointer address\n"); return 0; } + LM_DBG("received id %p (%d)-> %s (%d)\n", p, (int)sizeof(p), pointer_str, + hash_str.len); - sprintf(pointer_str, "%p", p); - len = strlen(pointer_str); - LM_DBG("received id %p (%d)-> %s (%d)\n", p, (int)sizeof(p), pointer_str, len); + hash_str.s = pointer_str; - hash_str = (str *)pkg_malloc(sizeof(str)); - if (hash_str==0) { - LM_ERR("no more pkg mem\n"); - pkg_free(pointer_str); - return 0; - } - hash_str->s = pointer_str; - hash_str->len = len; - - hash = core_hash(hash_str, 0, hash_size); + hash = core_hash(&hash_str, 0, hash_size); LM_DBG("hash for %p is %d\n", p, hash); - pkg_free(pointer_str); - pkg_free(hash_str); - return hash; }

5 years, 1 month

git:master:087654a5: http_async_client: use enough size to print pointer as string in build_hash_key()

by Daniel-Constantin Mierla

Module: kamailio Branch: master Commit: 087654a5028cd800e17fcd9d1768135a60fd6706 URL: https://github.com/kamailio/kamailio/commit/087654a5028cd800e17fcd9d1768135… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2019-10-07T16:28:24+02:00 http_async_client: use enough size to print pointer as string in build_hash_key() - use local string variables instead of allocation in pkg, because the values are needed only inside the function - use safer snprintf() instead of sprintf() - GH #2091 --- Modified: src/modules/http_async_client/hm_hash.c --- Diff: https://github.com/kamailio/kamailio/commit/087654a5028cd800e17fcd9d1768135… Patch: https://github.com/kamailio/kamailio/commit/087654a5028cd800e17fcd9d1768135… --- diff --git a/src/modules/http_async_client/hm_hash.c b/src/modules/http_async_client/hm_hash.c index 9497809847..b18a8b9c37 100644 --- a/src/modules/http_async_client/hm_hash.c +++ b/src/modules/http_async_client/hm_hash.c @@ -62,39 +62,25 @@ int init_http_m_table(unsigned int size) unsigned int build_hash_key(void *p) { - str *hash_str; - char *pointer_str; - int len; + str hash_str; + char pointer_str[20]; unsigned int hash; - pointer_str = (char *)pkg_malloc(sizeof(p) + 1); - - if (pointer_str==0) { - LM_ERR("no more pkg mem\n"); + hash_str.len = snprintf(pointer_str, 20, "%p", p); + if(hash_str.len<=0 || hash_str.len>=20) { + LM_ERR("failed to print the pointer address\n"); return 0; } + LM_DBG("received id %p (%d)-> %s (%d)\n", p, (int)sizeof(p), pointer_str, + hash_str.len); - sprintf(pointer_str, "%p", p); - len = strlen(pointer_str); - LM_DBG("received id %p (%d)-> %s (%d)\n", p, (int)sizeof(p), pointer_str, len); + hash_str.s = pointer_str; - hash_str = (str *)pkg_malloc(sizeof(str)); - if (hash_str==0) { - LM_ERR("no more pkg mem\n"); - pkg_free(pointer_str); - return 0; - } - hash_str->s = pointer_str; - hash_str->len = len; - - hash = core_hash(hash_str, 0, hash_size); + hash = core_hash(&hash_str, 0, hash_size); LM_DBG("hash for %p is %d\n", p, hash); - pkg_free(pointer_str); - pkg_free(hash_str); - return hash; }

5 years, 1 month

git:master:cec1043a: core: workaround related to T_OPT for alpine linux musl C library (GH #2095)

by Henning Westerholt

Module: kamailio Branch: master Commit: cec1043a9c4daa39b4245b87f28fb5566e8627bd URL: https://github.com/kamailio/kamailio/commit/cec1043a9c4daa39b4245b87f28fb55… Author: Henning Westerholt <hw(a)skalatan.de> Committer: Henning Westerholt <hw(a)skalatan.de> Date: 2019-10-07T15:39:49+02:00 core: workaround related to T_OPT for alpine linux musl C library (GH #2095) --- Modified: src/core/resolve.c --- Diff: https://github.com/kamailio/kamailio/commit/cec1043a9c4daa39b4245b87f28fb55… Patch: https://github.com/kamailio/kamailio/commit/cec1043a9c4daa39b4245b87f28fb55… --- diff --git a/src/core/resolve.c b/src/core/resolve.c index 6edc47e506..ac9b2f2363 100644 --- a/src/core/resolve.c +++ b/src/core/resolve.c @@ -32,8 +32,12 @@ #include <resolv.h> #include <string.h> -/* older glibc < 2.25 does not include T_OPT in nameser_compat.h yet */ -#if __GLIBC__ == 2 && __GLIBC_MINOR__ < 25 +/* + * Older glibc < 2.25 does not include T_OPT in nameser_compat.h yet. + * On alpine linux musl library it is also not defined. There is no + * musl feature test macro, so we look for glibc instead. + */ +#if (defined __GLIBC__ && __GLIBC__ == 2 && __GLIBC_MINOR__ < 25) || !defined __GLIBC__ #ifndef T_OPT #define T_OPT ns_t_opt #endif

5 years, 1 month

git:5.2:a365a8d3: modules: readme files regenerated - modules ... [skip ci]

by Kamailio Dev

Module: kamailio Branch: 5.2 Commit: a365a8d3519d33f5314a9c3bdab4e1c1ea465642 URL: https://github.com/kamailio/kamailio/commit/a365a8d3519d33f5314a9c3bdab4e1c… Author: Kamailio Dev <kamailio.dev(a)kamailio.org> Committer: Kamailio Dev <kamailio.dev(a)kamailio.org> Date: 2019-10-07T15:31:30+02:00 modules: readme files regenerated - modules ... [skip ci] --- Modified: src/modules/tls/README --- Diff: https://github.com/kamailio/kamailio/commit/a365a8d3519d33f5314a9c3bdab4e1c… Patch: https://github.com/kamailio/kamailio/commit/a365a8d3519d33f5314a9c3bdab4e1c… --- diff --git a/src/modules/tls/README b/src/modules/tls/README index bf9f693bd0..5a0d9dab1f 100644 --- a/src/modules/tls/README +++ b/src/modules/tls/README @@ -1427,14 +1427,19 @@ end v1.1.x is not designed for multi-process applications and can result in a crash. Therefore set the PRNG engine to one of the options listed in this section. If libssl 1.1.x (or newer) is detected at compile time, - then the PRNG engine is set to "fastrand". + then the PRNG engine is set to "cryptorand". The following options are avaialble: * krand - use internal kam_rand() function * fastrand - use internal fastrand function + * cryptorand - use internal cryptorand (fortuna) function + + Note: the krand and fastrand engines are not recommended for use on + systems requiring strong security, as they may not generate numbers + with enough randomness. The default value is empty (not set) for libssl v1.0.x or older, and - "fastrand" for libssl v1.1.x or newer. + "cryptorand" for libssl v1.1.x or newer. Example 1.45. Set rand_engine parameter ...

5 years, 1 month

git:5.2:dde78715: tls: docs - documented cryptorand engine for prng

by Daniel-Constantin Mierla

Module: kamailio Branch: 5.2 Commit: dde78715ce88c8bfb6530559fcaa3a182ca72af7 URL: https://github.com/kamailio/kamailio/commit/dde78715ce88c8bfb6530559fcaa3a1… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2019-10-07T15:16:27+02:00 tls: docs - documented cryptorand engine for prng (cherry picked from commit 398641926648a32b635f39f655ae3231038b9c3d) --- Modified: src/modules/tls/doc/params.xml --- Diff: https://github.com/kamailio/kamailio/commit/dde78715ce88c8bfb6530559fcaa3a1… Patch: https://github.com/kamailio/kamailio/commit/dde78715ce88c8bfb6530559fcaa3a1… --- diff --git a/src/modules/tls/doc/params.xml b/src/modules/tls/doc/params.xml index 6028642b5f..dc6494c2db 100644 --- a/src/modules/tls/doc/params.xml +++ b/src/modules/tls/doc/params.xml @@ -1251,7 +1251,7 @@ end is not designed for multi-process applications and can result in a crash. Therefore set the PRNG engine to one of the options listed in this section. If libssl 1.1.x (or newer) is detected at compile time, then - the PRNG engine is set to "fastrand". + the PRNG engine is set to "cryptorand". </para> <para> The following options are avaialble: @@ -1259,10 +1259,16 @@ end <itemizedlist> <listitem><para>krand - use internal kam_rand() function</para></listitem> <listitem><para>fastrand - use internal fastrand function</para></listitem> + <listitem><para>cryptorand - use internal cryptorand (fortuna) function</para></listitem> </itemizedlist> + <para> + Note: the krand and fastrand engines are not recommended for use on + systems requiring strong security, as they may not generate numbers + with enough randomness. + </para> <para> The default value is empty (not set) for libssl v1.0.x or older, and - "fastrand" for libssl v1.1.x or newer. + "cryptorand" for libssl v1.1.x or newer. </para> <example> <title>Set <varname>rand_engine</varname> parameter</title>

5 years, 1 month

git:5.2:0e5fbd02: tls: add cryptorand (fortuna) engine for PRNG if libssl v1.1.0+

by Daniel-Constantin Mierla

Module: kamailio Branch: 5.2 Commit: 0e5fbd02c95d76045487b707a7386abb029234ff URL: https://github.com/kamailio/kamailio/commit/0e5fbd02c95d76045487b707a7386ab… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2019-10-07T15:16:17+02:00 tls: add cryptorand (fortuna) engine for PRNG if libssl v1.1.0+ - set it to be the default PRNG with libssl v1.1.0+ (cherry picked from commit 58f6eb7b8bbd6e22994f4b147b6c2fc9c7d1daa0) --- Modified: src/modules/tls/tls_mod.c Modified: src/modules/tls/tls_rand.c Modified: src/modules/tls/tls_rand.h --- Diff: https://github.com/kamailio/kamailio/commit/0e5fbd02c95d76045487b707a7386ab… Patch: https://github.com/kamailio/kamailio/commit/0e5fbd02c95d76045487b707a7386ab… --- diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c index 75d8aa8fd2..424fad8a08 100644 --- a/src/modules/tls/tls_mod.c +++ b/src/modules/tls/tls_mod.c @@ -453,6 +453,9 @@ int ksr_rand_engine_param(modparam_t type, void* val) } else if(reng->len == 8 && strncasecmp(reng->s, "fastrand", 8) == 0) { LM_DBG("setting fastrand random engine\n"); RAND_set_rand_method(RAND_ksr_fastrand_method()); + } else if (reng->len == 10 && strncasecmp(reng->s, "cryptorand", 10) == 0) { + LM_DBG("setting cryptorand random engine\n"); + RAND_set_rand_method(RAND_ksr_cryptorand_method()); } #endif return 0; @@ -563,8 +566,8 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2) register_tls_hooks(&tls_h); #if OPENSSL_VERSION_NUMBER >= 0x10100000L - LM_DBG("setting fastrand random engine\n"); - RAND_set_rand_method(RAND_ksr_fastrand_method()); + LM_DBG("setting cryptorand random engine\n"); + RAND_set_rand_method(RAND_ksr_cryptorand_method()); #endif sr_kemi_modules_add(sr_kemi_tls_exports); diff --git a/src/modules/tls/tls_rand.c b/src/modules/tls/tls_rand.c index bc80f658c3..3cb2e8a712 100644 --- a/src/modules/tls/tls_rand.c +++ b/src/modules/tls/tls_rand.c @@ -129,4 +129,46 @@ const RAND_METHOD *RAND_ksr_fastrand_method(void) return &_ksr_fastrand_method; } + +/* + * Implementation with Fortuna cryptographic PRNG. + * We are not strictly implementing the OpenSSL API here - we will + * not return an error if the PRNG has not been seeded with enough + * randomness to ensure an unpredictable byte sequence. + */ +static int ksr_cryptorand_bytes(unsigned char *outdata, int size) +{ + if (size < 0) { + return 0; + } else if (size == 0) { + return 1; + } + + sr_get_pseudo_random_bytes(outdata, size); + return 1; +} + +static int ksr_cryptorand_status(void) +{ + return 1; +} + +/* + * We don't have a dedicated function for pseudo-random + * bytes, just use the secure version as well for it. + */ +const RAND_METHOD _ksr_cryptorand_method = { + NULL, + ksr_cryptorand_bytes, + NULL, + NULL, + ksr_cryptorand_bytes, + ksr_cryptorand_status +}; + +const RAND_METHOD *RAND_ksr_cryptorand_method(void) +{ + return &_ksr_cryptorand_method; +} + #endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ diff --git a/src/modules/tls/tls_rand.h b/src/modules/tls/tls_rand.h index d1a3f0d37f..c73d36b8d9 100644 --- a/src/modules/tls/tls_rand.h +++ b/src/modules/tls/tls_rand.h @@ -27,6 +27,7 @@ const RAND_METHOD *RAND_ksr_krand_method(void); const RAND_METHOD *RAND_ksr_fastrand_method(void); +const RAND_METHOD *RAND_ksr_cryptorand_method(void); #endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ #endif

5 years, 1 month

← Newer
1
...
31
32
33
34
35
36
37
...
44
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

sr-dev October 2019