sr-dev December 2022

sr-dev@lists.kamailio.org

11 participants
267 discussions

[kamailio/kamailio] Add CodeQL workflow for GitHub code scanning (PR #3295)
by lgtm-com[bot] 13 Dec '22

13 Dec '22

Hi `kamailio/kamailio`! This is a one-off automatically generated pull request from LGTM.com :robot:. You might have heard that we’ve integrated LGTM’s underlying CodeQL analysis engine natively into GitHub. The result is [**GitHub code scanning**](https://docs.github.com/en/code-security/code-scanning/automati…! With LGTM fully integrated into code scanning, we are focused on improving CodeQL within the native GitHub code scanning experience. In order to take advantage of current and future improvements to our analysis capabilities, we suggest you enable code scanning on your repository. Please take a look at our [blog post for more information](https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/). This pull request enables code scanning by adding an auto-generated [`codeql.yml` workflow file for GitHub Actions](https://docs.github.com/en/code-security/code-scanning/automatical… to your repository — take a look! We tested it before opening this pull request, so all should be working :heavy_check_mark:. In fact, you might already have seen some alerts appear on this pull request! Where needed and if possible, we’ve adjusted the configuration to the needs of your particular repository. But of course, you should feel free to tweak it further! Check [this page](https://docs.github.com/en/code-security/code-scanning/automatically-… for detailed documentation. Questions? Check out the FAQ below! ### FAQ <details> <summary>Click here to expand the FAQ section</summary> #### How often will the code scanning analysis run? By default, code scanning will trigger a scan with the CodeQL engine on the following events: * On every pull request — to flag up potential security problems for you to investigate before merging a PR. * On every push to your default branch and other protected branches — this keeps the analysis results on your repository’s *Security* tab up to date. * Once a week at a fixed time — to make sure you benefit from the latest updated security analysis even when no code was committed or PRs were opened. #### What will this cost? Nothing! The CodeQL engine will run inside GitHub Actions, making use of your [unlimited free compute minutes for public repositories](https://docs.github.com/en/actions/learn-github-actions/usage…. #### What types of problems does CodeQL find? The CodeQL engine that powers GitHub code scanning is the exact same engine that powers LGTM.com. The exact set of rules has been tweaked slightly, but you should see almost exactly the same types of alerts as you were used to on LGTM.com: we’ve enabled the [`security-and-quality` query suite](https://docs.github.com/en/code-security/code-scanning/automatically… for you. #### How do I upgrade my CodeQL engine? No need! New versions of the CodeQL analysis are constantly deployed on GitHub.com; your repository will automatically benefit from the most recently released version. #### The analysis doesn’t seem to be working If you get an error in GitHub Actions that indicates that CodeQL wasn’t able to analyze your code, please [follow the instructions here](https://docs.github.com/en/code-security/code-scanning/automatically-… to debug the analysis. #### How do I disable LGTM.com? If you have LGTM’s automatic pull request analysis enabled, then you can [follow these steps to disable the LGTM pull request analysis](https://lgtm.com/help/lgtm/managing-automated-code-review#disabli…. You don’t actually need to remove your repository from LGTM.com; it will automatically be removed in the next few months as part of the deprecation of LGTM.com ([more info here](https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/)). #### Which source code hosting platforms does code scanning support? GitHub code scanning is deeply integrated within GitHub itself. If you’d like to scan source code that is hosted elsewhere, we suggest that you create a mirror of that code on GitHub. #### How do I know this PR is legitimate? This PR is filed by the official LGTM.com GitHub App, in line with the [deprecation timeline that was announced on the official GitHub Blog](https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/). The proposed GitHub Action workflow uses the [official open source GitHub CodeQL Action](https://github.com/github/codeql-action/). If you have any other questions or concerns, please join the discussion [here](https://github.com/orgs/community/discussions/29534) in the official GitHub community! #### I have another question / how do I get in touch? Please join the discussion [here](https://github.com/orgs/community/discussions/29534) to ask further questions and send us suggestions! </details> You can view, comment on, or merge this pull request online at: https://github.com/kamailio/kamailio/pull/3295 -- Commit Summary -- * Add CodeQL workflow for GitHub code scanning -- File Changes -- A .github/workflows/codeql.yml (62) -- Patch Links -- https://github.com/kamailio/kamailio/pull/3295.patch https://github.com/kamailio/kamailio/pull/3295.diff -- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/pull/3295 You are receiving this because you are subscribed to this thread. Message ID: <kamailio/kamailio/pull/3295(a)github.com>

3 3

git:master:720a1ca1: Add CodeQL workflow for GitHub code scanning
by Victor Seva 13 Dec '22

13 Dec '22

Module: kamailio Branch: master Commit: 720a1ca1e243937e009579747c747306d35625fd URL: https://github.com/kamailio/kamailio/commit/720a1ca1e243937e009579747c74730… Author: LGTM Migrator <lgtm-migrator(a)users.noreply.github.com> Committer: Victor Seva <linuxmaniac(a)torreviejawireless.org> Date: 2022-12-13T22:37:35+01:00 Add CodeQL workflow for GitHub code scanning --- Added: .github/workflows/codeql.yml --- Diff: https://github.com/kamailio/kamailio/commit/720a1ca1e243937e009579747c74730… Patch: https://github.com/kamailio/kamailio/commit/720a1ca1e243937e009579747c74730… --- diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..bc0eebfbe4 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,62 @@ +name: "CodeQL" + +on: + push: + branches: [ "master", "3.1", "3.2", "3.3", "4.0", "4.1", "4.2", "4.3", "4.4", "5.0", "5.1", "5.2", "5.3", "5.4", "5.5", "5.6" ] + pull_request: + branches: [ "master" ] + schedule: + - cron: "35 19 * * 3" + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ javascript, cpp, python ] + + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + submodules: recursive + + - name: Install Packages (cpp) + if: ${{ matrix.language == 'cpp' }} + run: | + sudo apt-get update + sudo apt-get install --yes bison default-libmysqlclient-dev flex libcurl4-openssl-dev libjansson-dev libhiredis-dev libevent-dev liblua5.1-0-dev libpcre3-dev libncurses5-dev libpq-dev libreadline-dev libssl-dev libunistring-dev libxml2-dev pkg-config python3 python3-dev uuid-dev zlib1g-dev + + - name: Configure (cpp) + if: ${{ matrix.language == 'cpp' }} + run: make include_modules='app_lua app_python3 cnxcc db_mysql db_postgres db_redis dialplan http_client jansson lcr ndb_redis presence presence_xml presence_dialoginfo pua pua_dialoginfo topos_redis uuid websocket xmlops' cfg + + - name: After Prepare (cpp) + if: ${{ matrix.language == 'cpp' }} + run: export PKG_CONFIG_PATH=$RUNNER_TEMP/usr/lib/pkgconfig:$PKG_CONFIG_PATH && echo "PKG_CONFIG_PATH=$PKG_CONFIG_PATH" >> $GITHUB_ENV + + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + queries: +security-and-quality + + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + if: ${{ matrix.language == 'javascript' || matrix.language == 'python' }} + + - name: Build cpp + if: ${{ matrix.language == 'cpp' }} + run: make all + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{ matrix.language }}"

1 0

Re: [sr-dev] [kamailio/kamailio] tls: reintroduced use of OPENSSL_cleanup() on mod destroy (6df13e6)
by Дилян Палаузов 13 Dec '22

13 Dec '22

As of openssl 1.1.1s SSL_load_error_strings(); exists only in this form in include/openssl/ssl.h: ```c # if OPENSSL_API_COMPAT < 0x10100000L # define SSL_load_error_strings() \ OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS \ | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL) # endif ``` It does not exist, when OPENSSL_API_COMPAT == 0x10100000L. When openssl is ./Configure’d with `no-deprecated`then OPENSSL_API_COMPAT is set in include/openssl/opensslconf.h to OPENSSL_MIN_API=0x10100000L. That is: when OpenSSL 1.1.1s is `./Configure no-deprecated`, the macro SSL_load_error_strings() does not exist, but tls_h_mod_pre_init_f() calls it. This might or might not help: ```diff diff --git a/src/modules/tls/tls_init.c b/src/modules/tls/tls_init.c index 4c858bbbd8..784168c6f7 100644 --- a/src/modules/tls/tls_init.c +++ b/src/modules/tls/tls_init.c @@ -647,8 +647,8 @@ int tls_h_mod_pre_init_f(void) #else LM_DBG("preparing tls env for modules initialization (libssl <=1.0)\n"); SSL_library_init(); -#endif SSL_load_error_strings(); +#endif tls_mod_preinitialized=1; return 0; } ``` -- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/commit/6df13e614cf6898b6d67f36c9b185a7… You are receiving this because you are subscribed to this thread. Message ID: <kamailio/kamailio/commit/6df13e614cf6898b6d67f36c9b185a7530102ef1/92954312(a)github.com>

1 0

[kamailio/kamailio] stirshaken: Properly handle intermediary/chain certificates when caching certificates (PR #3289)
by mrtrev 13 Dec '22

13 Dec '22

stirshaken: Properly handle intermediary/chain certificates when caching certificates - requires patch to libstirshaken (https://github.com/signalwire/libstirshaken/pull/124) to do anything - if patched version of libstirshaken detected, uses new methods to store all intermediary certs - unrelated minor logging tweaks   #### Pre-Submission Checklist    - [x] Commit message has the format required by CONTRIBUTING guide - [x] Commits are split per component (core, individual modules, libs, utils, ...) - [x] Each component has a single commit (if not, squash them into one commit) - [x] No commits to README files for modules (changes must be done to docbook files in `doc/` subfolder, the README file is autogenerated) #### Type Of Change - [x] Small bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds new functionality) - [ ] Breaking change (fix or feature that would change existing functionality) #### Checklist:  - [x] PR should be backported to stable branches - [x] Tested changes locally - [ ] Related to issue #XXXX (replace XXXX with an open issue number) #### Description  The guts of this PR have been submitted to the libstirshaken side based on the suggestions of my previous PR. I didn't mean to close it but since I hadn't created a branch, it got closed when I updated my repo. Original PR is https://github.com/kamailio/kamailio/pull/3175 I've been running this in production for a day and it seems to be performing the same as my previous attempt. You can view, comment on, or merge this pull request online at: https://github.com/kamailio/kamailio/pull/3289 -- Commit Summary -- * stirshaken: Properly handle intermediary/chain certificates when caching certificates -- File Changes -- M src/modules/stirshaken/stirshaken_mod.c (24) -- Patch Links -- https://github.com/kamailio/kamailio/pull/3289.patch https://github.com/kamailio/kamailio/pull/3289.diff -- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/pull/3289 You are receiving this because you are subscribed to this thread. Message ID: <kamailio/kamailio/pull/3289(a)github.com>

4 17

git:5.5:e75897a1: stirshaken: Properly handle intermediary/chain certificates when caching certificates
by Henning Westerholt 13 Dec '22

13 Dec '22

Module: kamailio Branch: 5.5 Commit: e75897a1406a07f0376278ddc54188bce99ae6f5 URL: https://github.com/kamailio/kamailio/commit/e75897a1406a07f0376278ddc54188b… Author: Trevor Peirce <trev(a)acrovoice.ca> Committer: Henning Westerholt <hw(a)gilawa.com> Date: 2022-12-13T10:07:58Z stirshaken: Properly handle intermediary/chain certificates when caching certificates - requires patch to libstirshaken (PR 124) to do anything - if patched version of libstirshaken detected, uses new methods to store all intermediary certs - unrelated minor logging tweaks (cherry picked from commit 043ce0e75eae04f356cd539f2146df6846a169e2) (cherry picked from commit 7bb9cadb1cec146cc6f0b5dafb2d50920dc40bcf) --- Modified: src/modules/stirshaken/stirshaken_mod.c --- Diff: https://github.com/kamailio/kamailio/commit/e75897a1406a07f0376278ddc54188b… Patch: https://github.com/kamailio/kamailio/commit/e75897a1406a07f0376278ddc54188b… --- diff --git a/src/modules/stirshaken/stirshaken_mod.c b/src/modules/stirshaken/stirshaken_mod.c index 88ec8812ab..156fdc9098 100644 --- a/src/modules/stirshaken/stirshaken_mod.c +++ b/src/modules/stirshaken/stirshaken_mod.c @@ -200,18 +200,21 @@ static stir_shaken_status_t shaken_callback(stir_shaken_callback_arg_t *arg) diff = now_s - attr.st_mtime; - LM_DBG("Checking cached certificate against expiration setting of %zus (now is: %zu, file modification timestamp is: %zu, difference is: %zu)\n", + LM_DBG("Checking cached certificate against expiration setting of %zus (now is: %lu, file modification timestamp is: %lu, difference is: %lu)\n", stirshaken_vs_cache_expire_s, now_s, attr.st_mtime, diff); if (diff > stirshaken_vs_cache_expire_s) { - LM_WARN("Cached certificate %s is behind expiration threshold (%zu > %zu). Need to download new certificate...\n", cert_full_path, diff, stirshaken_vs_cache_expire_s); + LM_NOTICE("Cached certificate %s is behind expiration threshold (%lu > %zu). Need to download new certificate...\n", cert_full_path, diff, stirshaken_vs_cache_expire_s); goto exit; } else { - LM_WARN("Cached certificate %s is valid for next %zus\n", cert_full_path, stirshaken_vs_cache_expire_s - diff); + LM_NOTICE("Cached certificate %s is valid for next %lus\n", cert_full_path, stirshaken_vs_cache_expire_s - diff); } } - +#ifdef STIR_SHAKEN_CAN_RW_X509_FULLCHAIN + if (STIR_SHAKEN_STATUS_OK != stir_shaken_load_x509_from_file_fullchain(&ss, &cache_copy, cert_full_path)) { +#else if (!(cache_copy.x = stir_shaken_load_x509_from_file(&ss, cert_full_path))) { +#endif LM_ERR("Cannot load X509 from file %s\n", cert_full_path); goto exit; } @@ -420,10 +423,14 @@ static int stirshaken_handle_cache(stir_shaken_context_t *ss, stir_shaken_passpo } } - LM_DBG("Saving fresh certificate %s in cache (with name: %s)...\n", x5u, cert_full_path); - +#ifdef STIR_SHAKEN_CAN_RW_X509_FULLCHAIN + LM_DBG("Saving fresh certificate+chain %s to cache as %s\n", x5u, cert_full_path); + if (STIR_SHAKEN_STATUS_OK != stir_shaken_x509_to_disk_fullchain(ss, cert->x, cert->xchain, cert_full_path)) { +#else + LM_DBG("Saving fresh certificate %s to cache as %s\n", x5u, cert_full_path); if (STIR_SHAKEN_STATUS_OK != stir_shaken_x509_to_disk(ss, cert->x, cert_full_path)) { - LM_ERR("Failed to write cert %s to disk (as: %s)", x5u, cert_full_path); +#endif + LM_ERR("Failed to cache certificate %s to disk", x5u); } } else { @@ -460,7 +467,8 @@ static int ki_stirshaken_check_identity(sip_msg_t *msg) ibody = hf->body; if (STIR_SHAKEN_STATUS_OK != stir_shaken_vs_sih_verify(&ss, vs, ibody.s, &cert_out, &passport_out)) { - LM_ERR("SIP Identity Header did not pass verification\n"); + LM_ERR("SIP Identity Header did not pass verification: %s", stir_shaken_get_error(&ss, NULL)); + stirshaken_print_error_details(&ss); goto fail; }

1 0

git:5.6:7bb9cadb: stirshaken: Properly handle intermediary/chain certificates when caching certificates
by Henning Westerholt 13 Dec '22

13 Dec '22

Module: kamailio Branch: 5.6 Commit: 7bb9cadb1cec146cc6f0b5dafb2d50920dc40bcf URL: https://github.com/kamailio/kamailio/commit/7bb9cadb1cec146cc6f0b5dafb2d509… Author: Trevor Peirce <trev(a)acrovoice.ca> Committer: Henning Westerholt <hw(a)gilawa.com> Date: 2022-12-13T10:07:21Z stirshaken: Properly handle intermediary/chain certificates when caching certificates - requires patch to libstirshaken (PR 124) to do anything - if patched version of libstirshaken detected, uses new methods to store all intermediary certs - unrelated minor logging tweaks (cherry picked from commit 043ce0e75eae04f356cd539f2146df6846a169e2) --- Modified: src/modules/stirshaken/stirshaken_mod.c --- Diff: https://github.com/kamailio/kamailio/commit/7bb9cadb1cec146cc6f0b5dafb2d509… Patch: https://github.com/kamailio/kamailio/commit/7bb9cadb1cec146cc6f0b5dafb2d509… --- diff --git a/src/modules/stirshaken/stirshaken_mod.c b/src/modules/stirshaken/stirshaken_mod.c index 6f2ec8fa03..b64396b0ab 100644 --- a/src/modules/stirshaken/stirshaken_mod.c +++ b/src/modules/stirshaken/stirshaken_mod.c @@ -207,18 +207,21 @@ static stir_shaken_status_t shaken_callback(stir_shaken_callback_arg_t *arg) diff = now_s - attr.st_mtime; - LM_DBG("Checking cached certificate against expiration setting of %zus (now is: %zu, file modification timestamp is: %zu, difference is: %zu)\n", + LM_DBG("Checking cached certificate against expiration setting of %zus (now is: %lu, file modification timestamp is: %lu, difference is: %lu)\n", stirshaken_vs_cache_expire_s, now_s, attr.st_mtime, diff); if (diff > stirshaken_vs_cache_expire_s) { - LM_WARN("Cached certificate %s is behind expiration threshold (%zu > %zu). Need to download new certificate...\n", cert_full_path, diff, stirshaken_vs_cache_expire_s); + LM_NOTICE("Cached certificate %s is behind expiration threshold (%lu > %zu). Need to download new certificate...\n", cert_full_path, diff, stirshaken_vs_cache_expire_s); goto exit; } else { - LM_WARN("Cached certificate %s is valid for next %zus\n", cert_full_path, stirshaken_vs_cache_expire_s - diff); + LM_NOTICE("Cached certificate %s is valid for next %lus\n", cert_full_path, stirshaken_vs_cache_expire_s - diff); } } - +#ifdef STIR_SHAKEN_CAN_RW_X509_FULLCHAIN + if (STIR_SHAKEN_STATUS_OK != stir_shaken_load_x509_from_file_fullchain(&ss, &cache_copy, cert_full_path)) { +#else if (!(cache_copy.x = stir_shaken_load_x509_from_file(&ss, cert_full_path))) { +#endif LM_ERR("Cannot load X509 from file %s\n", cert_full_path); goto exit; } @@ -443,10 +446,14 @@ static int stirshaken_handle_cache(stir_shaken_context_t *ss, stir_shaken_passpo } } - LM_DBG("Saving fresh certificate %s in cache (with name: %s)...\n", x5u, cert_full_path); - +#ifdef STIR_SHAKEN_CAN_RW_X509_FULLCHAIN + LM_DBG("Saving fresh certificate+chain %s to cache as %s\n", x5u, cert_full_path); + if (STIR_SHAKEN_STATUS_OK != stir_shaken_x509_to_disk_fullchain(ss, cert->x, cert->xchain, cert_full_path)) { +#else + LM_DBG("Saving fresh certificate %s to cache as %s\n", x5u, cert_full_path); if (STIR_SHAKEN_STATUS_OK != stir_shaken_x509_to_disk(ss, cert->x, cert_full_path)) { - LM_ERR("Failed to write cert %s to disk (as: %s)", x5u, cert_full_path); +#endif + LM_ERR("Failed to cache certificate %s to disk", x5u); } } else { @@ -485,7 +492,8 @@ static int ki_stirshaken_check_identity(sip_msg_t *msg) ibody = hf->body; if (STIR_SHAKEN_STATUS_OK != stir_shaken_vs_sih_verify(&ss, vs, ibody.s, &cert_out, &passport_out)) { - LM_ERR("SIP Identity Header did not pass verification\n"); + LM_ERR("SIP Identity Header did not pass verification: %s", stir_shaken_get_error(&ss, NULL)); + stirshaken_print_error_details(&ss); goto fail; }

1 0

git:master:899b0f45: core: also print maximum branches parameter compile time value
by Henning Westerholt 12 Dec '22

12 Dec '22

Module: kamailio Branch: master Commit: 899b0f4518b768fd8184fb97b0c8c64cecf3a575 URL: https://github.com/kamailio/kamailio/commit/899b0f4518b768fd8184fb97b0c8c64… Author: Henning Westerholt <hw(a)gilawa.com> Committer: Henning Westerholt <hw(a)gilawa.com> Date: 2022-12-12T08:18:24Z core: also print maximum branches parameter compile time value --- Modified: src/core/dset.c --- Diff: https://github.com/kamailio/kamailio/commit/899b0f4518b768fd8184fb97b0c8c64… Patch: https://github.com/kamailio/kamailio/commit/899b0f4518b768fd8184fb97b0c8c64… --- diff --git a/src/core/dset.c b/src/core/dset.c index 26530c2769..3eb34f38ae 100644 --- a/src/core/dset.c +++ b/src/core/dset.c @@ -85,8 +85,8 @@ str _ksr_contact_salias = str_init(";alias="); int init_dst_set(void) { if(sr_dst_max_branches<=0 || sr_dst_max_branches>=MAX_BRANCHES_LIMIT) { - LM_ERR("invalid value for max branches parameter: %u\n", - sr_dst_max_branches); + LM_ERR("invalid value for max branches parameter: %u, maximum value: %u\n", + sr_dst_max_branches, MAX_BRANCHES_LIMIT); return -1; } /* sr_dst_max_branches - 1 : because of the default branch for r-uri, #0 in tm */

1 0

app_python3s not included in module exclude list
by Henning Westerholt 12 Dec '22

12 Dec '22

Hi, the new module app_python3s is causing compilation issues, probably needs to be included in the exclude list: $ make cfg $ make all make[2]: python3.8-config: Command not found CC (gcc) [M app_python3s.so] apy3s_exception.o apy3s_exception.c:22:10: fatal error: Python.h: No such file or directory 22 | #include <Python.h> | ^~~~~~~~~~ compilation terminated. Thanks, Henning -- Henning Westerholt - https://skalatan.de/blog/ Kamailio services - https://gilawa.com<https://gilawa.com/>

2 1

git:master:eb19c52d: Makefile.groups: added app_python3s to mod_list_python3
by Daniel-Constantin Mierla 12 Dec '22

12 Dec '22

Module: kamailio Branch: master Commit: eb19c52d9b89f393d7336b4a9c6be991372e25c8 URL: https://github.com/kamailio/kamailio/commit/eb19c52d9b89f393d7336b4a9c6be99… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2022-12-12T09:06:36+01:00 Makefile.groups: added app_python3s to mod_list_python3 --- Modified: src/Makefile.groups --- Diff: https://github.com/kamailio/kamailio/commit/eb19c52d9b89f393d7336b4a9c6be99… Patch: https://github.com/kamailio/kamailio/commit/eb19c52d9b89f393d7336b4a9c6be99… --- diff --git a/src/Makefile.groups b/src/Makefile.groups index 4934ff0815..7c6bafff41 100644 --- a/src/Makefile.groups +++ b/src/Makefile.groups @@ -131,7 +131,7 @@ mod_list_perldeps=app_perl db_perlvdb mod_list_python=app_python # - modules depending on python3 library -mod_list_python3=app_python3 +mod_list_python3=app_python3 app_python3s # - modules depending on libm (math library - standard system library) mod_list_jsdt=app_jsdt

1 0

git:master:043ce0e7: stirshaken: Properly handle intermediary/chain certificates when caching certificates
by Henning Westerholt 12 Dec '22

12 Dec '22

Module: kamailio Branch: master Commit: 043ce0e75eae04f356cd539f2146df6846a169e2 URL: https://github.com/kamailio/kamailio/commit/043ce0e75eae04f356cd539f2146df6… Author: Trevor Peirce <trev(a)acrovoice.ca> Committer: Henning Westerholt <hw(a)gilawa.com> Date: 2022-12-12T07:48:38+01:00 stirshaken: Properly handle intermediary/chain certificates when caching certificates - requires patch to libstirshaken (PR 124) to do anything - if patched version of libstirshaken detected, uses new methods to store all intermediary certs - unrelated minor logging tweaks --- Modified: src/modules/stirshaken/stirshaken_mod.c --- Diff: https://github.com/kamailio/kamailio/commit/043ce0e75eae04f356cd539f2146df6… Patch: https://github.com/kamailio/kamailio/commit/043ce0e75eae04f356cd539f2146df6… --- diff --git a/src/modules/stirshaken/stirshaken_mod.c b/src/modules/stirshaken/stirshaken_mod.c index 6f2ec8fa03e..b64396b0ab7 100644 --- a/src/modules/stirshaken/stirshaken_mod.c +++ b/src/modules/stirshaken/stirshaken_mod.c @@ -207,18 +207,21 @@ static stir_shaken_status_t shaken_callback(stir_shaken_callback_arg_t *arg) diff = now_s - attr.st_mtime; - LM_DBG("Checking cached certificate against expiration setting of %zus (now is: %zu, file modification timestamp is: %zu, difference is: %zu)\n", + LM_DBG("Checking cached certificate against expiration setting of %zus (now is: %lu, file modification timestamp is: %lu, difference is: %lu)\n", stirshaken_vs_cache_expire_s, now_s, attr.st_mtime, diff); if (diff > stirshaken_vs_cache_expire_s) { - LM_WARN("Cached certificate %s is behind expiration threshold (%zu > %zu). Need to download new certificate...\n", cert_full_path, diff, stirshaken_vs_cache_expire_s); + LM_NOTICE("Cached certificate %s is behind expiration threshold (%lu > %zu). Need to download new certificate...\n", cert_full_path, diff, stirshaken_vs_cache_expire_s); goto exit; } else { - LM_WARN("Cached certificate %s is valid for next %zus\n", cert_full_path, stirshaken_vs_cache_expire_s - diff); + LM_NOTICE("Cached certificate %s is valid for next %lus\n", cert_full_path, stirshaken_vs_cache_expire_s - diff); } } - +#ifdef STIR_SHAKEN_CAN_RW_X509_FULLCHAIN + if (STIR_SHAKEN_STATUS_OK != stir_shaken_load_x509_from_file_fullchain(&ss, &cache_copy, cert_full_path)) { +#else if (!(cache_copy.x = stir_shaken_load_x509_from_file(&ss, cert_full_path))) { +#endif LM_ERR("Cannot load X509 from file %s\n", cert_full_path); goto exit; } @@ -443,10 +446,14 @@ static int stirshaken_handle_cache(stir_shaken_context_t *ss, stir_shaken_passpo } } - LM_DBG("Saving fresh certificate %s in cache (with name: %s)...\n", x5u, cert_full_path); - +#ifdef STIR_SHAKEN_CAN_RW_X509_FULLCHAIN + LM_DBG("Saving fresh certificate+chain %s to cache as %s\n", x5u, cert_full_path); + if (STIR_SHAKEN_STATUS_OK != stir_shaken_x509_to_disk_fullchain(ss, cert->x, cert->xchain, cert_full_path)) { +#else + LM_DBG("Saving fresh certificate %s to cache as %s\n", x5u, cert_full_path); if (STIR_SHAKEN_STATUS_OK != stir_shaken_x509_to_disk(ss, cert->x, cert_full_path)) { - LM_ERR("Failed to write cert %s to disk (as: %s)", x5u, cert_full_path); +#endif + LM_ERR("Failed to cache certificate %s to disk", x5u); } } else { @@ -485,7 +492,8 @@ static int ki_stirshaken_check_identity(sip_msg_t *msg) ibody = hf->body; if (STIR_SHAKEN_STATUS_OK != stir_shaken_vs_sih_verify(&ss, vs, ibody.s, &cert_out, &passport_out)) { - LM_ERR("SIP Identity Header did not pass verification\n"); + LM_ERR("SIP Identity Header did not pass verification: %s", stir_shaken_get_error(&ss, NULL)); + stirshaken_print_error_details(&ss); goto fail; }

1 0

← Newer
1
...
17
18
19
20
21
22
23
...
27
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

sr-dev December 2022