23 Feb
2010
23 Feb
'10
3:37 p.m.
Module: sip-router
Branch: master
Commit: 51ee5da9ebf09447f71d4393f7c5b703305ff46d
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=51ee5da…
Author: Andrei Pelinescu-Onciul <andrei(a)iptel.org>
Committer: Andrei Pelinescu-Onciul <andrei(a)iptel.org>
Date: Tue Feb 23 16:10:21 2010 +0100
tls: disable kerberos more thoroughly [fix]
Older openssl versions (< 0.9.8e release) have a bug in the
kerberos code (it uses the wrong malloc, for more details see
openssl bug # 1467). While there is already a workaround for this
openssl bug in the sr code (see commits 36cb8f & 560a42), in some
situations this workaround causes another bug (crash on connection
opening when openssl is compiled with kerberos support and
kerberos is enabled for key exchange).
The current fix will disable automatically all the ciphers containing
KRB5 if the openssl version is < 0.9.8e beta1 or it is between
0.9.9-dev and 0.9.9-beta1.
It iss equivalent to setting cipher_list to "<prev. value>:!KRB5".
Impact: this fix is needed only if openssl is compiled with
kerberos support and the version is < 0.9.8e. It also affects at
least CentOS users with openssl-0.9.8e-12.el5_4.1 (in the centos
openssl package they play some strange games with the version and
report 0.9.8b via SSLeay).
Tested-by: Klaus Darilion klaus.mailinglists at pernau.at
Reported-by: Klaus Darilion klaus.mailinglists at pernau.at
Reported-by: Andreas Rehbein rehbein at e-technik.org
Reported-by: Martin Koenig koenig starface.de
---
modules/tls/tls_domain.c | 35 +++++++++++++++++++++++++++++++----
1 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/modules/tls/tls_domain.c b/modules/tls/tls_domain.c
index b0d5d3c..c4f25e8 100644
--- a/modules/tls/tls_domain.c
+++ b/modules/tls/tls_domain.c
@@ -271,6 +271,10 @@ static int load_ca_list(tls_domain_t* d)
return 0;
}
+#define C_DEF_NO_KRB5 "DEFAULT:!KRB5"
+#define C_DEF_NO_KRB5_LEN (sizeof(C_DEF_NO_KRB5)-1)
+#define C_NO_KRB5_SUFFIX ":!KRB5"
+#define C_NO_KRB5_SUFFIX_LEN (sizeof(C_NO_KRB5_SUFFIX)-1)
/*
* Configure cipher list
@@ -279,12 +283,35 @@ static int set_cipher_list(tls_domain_t* d)
{
int i;
int procs_no;
-
- if (!d->cipher_list.s) return 0;
+ char* cipher_list;
+
+ cipher_list=d->cipher_list.s;
+#ifdef TLS_KSSL_WORKARROUND
+ if (openssl_kssl_malloc_bug) { /* is openssl bug #1467 present ? */
+ if (d->cipher_list.s==0) {
+ /* use "DEFAULT:!KRB5" */
+ cipher_list="DEFAULT:!KRB5";
+ } else {
+ /* append ":!KRB5" */
+ cipher_list=shm_malloc(d->cipher_list.len+C_NO_KRB5_SUFFIX_LEN+1);
+ if (cipher_list) {
+ memcpy(cipher_list, d->cipher_list.s, d->cipher_list.len);
+ memcpy(cipher_list+d->cipher_list.len, C_NO_KRB5_SUFFIX,
+ C_NO_KRB5_SUFFIX_LEN);
+ cipher_list[d->cipher_list.len+C_NO_KRB5_SUFFIX_LEN]=0;
+ shm_free(d->cipher_list.s);
+ d->cipher_list.s=cipher_list;
+ d->cipher_list.len+=C_NO_KRB5_SUFFIX_LEN;
+ }
+ }
+ }
+#endif /* TLS_KSSL_WORKARROUND */
+ if (!cipher_list) return 0;
procs_no=get_max_procs();
for(i = 0; i < procs_no; i++) {
- if (SSL_CTX_set_cipher_list(d->ctx[i], d->cipher_list.s) == 0 ) {
- ERR("%s: Failure to set SSL context cipher list\n", tls_domain_str(d));
+ if (SSL_CTX_set_cipher_list(d->ctx[i], cipher_list) == 0 ) {
+ ERR("%s: Failure to set SSL context cipher list \"%s\"\n",
+ tls_domain_str(d), cipher_list);
return -1;
}
}
23 Feb
23 Feb
4:47 p.m.
Is it possible to overrule this behavior, e.g. for testing?
regards
klaus
Am 23.02.2010 16:37, schrieb Andrei Pelinescu-Onciul:
Module: sip-router
Branch: master
Commit: 51ee5da9ebf09447f71d4393f7c5b703305ff46d
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=51ee5da…
Author: Andrei Pelinescu-Onciul<andrei(a)iptel.org>
Committer: Andrei Pelinescu-Onciul<andrei(a)iptel.org>
Date: Tue Feb 23 16:10:21 2010 +0100
tls: disable kerberos more thoroughly [fix]
Older openssl versions (< 0.9.8e release) have a bug in the
kerberos code (it uses the wrong malloc, for more details see
openssl bug # 1467). While there is already a workaround for this
openssl bug in the sr code (see commits 36cb8f& 560a42), in some
situations this workaround causes another bug (crash on connection
opening when openssl is compiled with kerberos support and
kerberos is enabled for key exchange).
The current fix will disable automatically all the ciphers containing
KRB5 if the openssl version is< 0.9.8e beta1 or it is between
0.9.9-dev and 0.9.9-beta1.
It iss equivalent to setting cipher_list to "<prev. value>:!KRB5".
Impact: this fix is needed only if openssl is compiled with
kerberos support and the version is< 0.9.8e. It also affects at
least CentOS users with openssl-0.9.8e-12.el5_4.1 (in the centos
openssl package they play some strange games with the version and
report 0.9.8b via SSLeay).
Tested-by: Klaus Darilion klaus.mailinglists at pernau.at
Reported-by: Klaus Darilion klaus.mailinglists at pernau.at
Reported-by: Andreas Rehbein rehbein at e-technik.org
Reported-by: Martin Koenig koenig starface.de
---
modules/tls/tls_domain.c | 35 +++++++++++++++++++++++++++++++----
1 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/modules/tls/tls_domain.c b/modules/tls/tls_domain.c
index b0d5d3c..c4f25e8 100644
--- a/modules/tls/tls_domain.c
+++ b/modules/tls/tls_domain.c
@@ -271,6 +271,10 @@ static int load_ca_list(tls_domain_t* d)
return 0;
}
+#define C_DEF_NO_KRB5 "DEFAULT:!KRB5"
+#define C_DEF_NO_KRB5_LEN (sizeof(C_DEF_NO_KRB5)-1)
+#define C_NO_KRB5_SUFFIX ":!KRB5"
+#define C_NO_KRB5_SUFFIX_LEN (sizeof(C_NO_KRB5_SUFFIX)-1)
/*
* Configure cipher list
@@ -279,12 +283,35 @@ static int set_cipher_list(tls_domain_t* d)
{
int i;
int procs_no;
-
- if (!d->cipher_list.s) return 0;
+ char* cipher_list;
+
+ cipher_list=d->cipher_list.s;
+#ifdef TLS_KSSL_WORKARROUND
+ if (openssl_kssl_malloc_bug) { /* is openssl bug #1467 present ? */
+ if (d->cipher_list.s==0) {
+ /* use "DEFAULT:!KRB5" */
+ cipher_list="DEFAULT:!KRB5";
+ } else {
+ /* append ":!KRB5" */
+ cipher_list=shm_malloc(d->cipher_list.len+C_NO_KRB5_SUFFIX_LEN+1);
+ if (cipher_list) {
+ memcpy(cipher_list, d->cipher_list.s, d->cipher_list.len);
+ memcpy(cipher_list+d->cipher_list.len, C_NO_KRB5_SUFFIX,
+ C_NO_KRB5_SUFFIX_LEN);
+ cipher_list[d->cipher_list.len+C_NO_KRB5_SUFFIX_LEN]=0;
+ shm_free(d->cipher_list.s);
+ d->cipher_list.s=cipher_list;
+ d->cipher_list.len+=C_NO_KRB5_SUFFIX_LEN;
+ }
+ }
+ }
+#endif /* TLS_KSSL_WORKARROUND */
+ if (!cipher_list) return 0;
procs_no=get_max_procs();
for(i = 0; i< procs_no; i++) {
- if (SSL_CTX_set_cipher_list(d->ctx[i], d->cipher_list.s) == 0 ) {
- ERR("%s: Failure to set SSL context cipher list\n", tls_domain_str(d));
+ if (SSL_CTX_set_cipher_list(d->ctx[i], cipher_list) == 0 ) {
+ ERR("%s: Failure to set SSL context cipher list \"%s\"\n",
+ tls_domain_str(d), cipher_list);
return -1;
}
}
_______________________________________________
sr-dev mailing list
sr-dev(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
24 Feb
24 Feb
2:21 p.m.
On Feb 23, 2010 at 17:47, Klaus Darilion <klaus.mailinglists(a)pernau.at> wrote:
Is it possible to overrule this behavior, e.g. for
testing?
No, but if you mean the cipher_list=RSA bug, then there's no need to
overwrite it, it should be still triggered.
If you need an overwrite switch, I could add a new
force_no_krb_workaround param.
Andrei
Am 23.02.2010 16:37, schrieb Andrei Pelinescu-Onciul:
>Module: sip-router
>Branch: master
>Commit: 51ee5da9ebf09447f71d4393f7c5b703305ff46d
>URL:
>http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=51ee5da9ebf09447f71d4393f7c5b703305ff46d
>
>Author: Andrei Pelinescu-Onciul<andrei(a)iptel.org>
>Committer: Andrei Pelinescu-Onciul<andrei(a)iptel.org>
>Date: Tue Feb 23 16:10:21 2010 +0100
>
>tls: disable kerberos more thoroughly [fix]
>
>Older openssl versions (< 0.9.8e release) have a bug in the
>kerberos code (it uses the wrong malloc, for more details see
>openssl bug # 1467). While there is already a workaround for this
>openssl bug in the sr code (see commits 36cb8f& 560a42), in some
>situations this workaround causes another bug (crash on connection
>opening when openssl is compiled with kerberos support and
>kerberos is enabled for key exchange).
>The current fix will disable automatically all the ciphers containing
>KRB5 if the openssl version is< 0.9.8e beta1 or it is between
>0.9.9-dev and 0.9.9-beta1.
>It iss equivalent to setting cipher_list to "<prev. value>:!KRB5".
>
>Impact: this fix is needed only if openssl is compiled with
>kerberos support and the version is< 0.9.8e. It also affects at
>least CentOS users with openssl-0.9.8e-12.el5_4.1 (in the centos
>openssl package they play some strange games with the version and
>report 0.9.8b via SSLeay).
>
>Tested-by: Klaus Darilion klaus.mailinglists at pernau.at
>Reported-by: Klaus Darilion klaus.mailinglists at pernau.at
>Reported-by: Andreas Rehbein rehbein at e-technik.org
>Reported-by: Martin Koenig koenig starface.de
>
>---
>
> modules/tls/tls_domain.c | 35 +++++++++++++++++++++++++++++++----
> 1 files changed, 31 insertions(+), 4 deletions(-)
>
>diff --git a/modules/tls/tls_domain.c b/modules/tls/tls_domain.c
>index b0d5d3c..c4f25e8 100644
>--- a/modules/tls/tls_domain.c
>+++ b/modules/tls/tls_domain.c
>@@ -271,6 +271,10 @@ static int load_ca_list(tls_domain_t* d)
> return 0;
> }
>
>+#define C_DEF_NO_KRB5 "DEFAULT:!KRB5"
>+#define C_DEF_NO_KRB5_LEN (sizeof(C_DEF_NO_KRB5)-1)
>+#define C_NO_KRB5_SUFFIX ":!KRB5"
>+#define C_NO_KRB5_SUFFIX_LEN (sizeof(C_NO_KRB5_SUFFIX)-1)
>
> /*
> * Configure cipher list
>@@ -279,12 +283,35 @@ static int set_cipher_list(tls_domain_t* d)
> {
> int i;
> int procs_no;
>-
>- if (!d->cipher_list.s) return 0;
>+ char* cipher_list;
>+
>+ cipher_list=d->cipher_list.s;
>+#ifdef TLS_KSSL_WORKARROUND
>+ if (openssl_kssl_malloc_bug) { /* is openssl bug #1467 present ? */
>+ if (d->cipher_list.s==0) {
>+ /* use "DEFAULT:!KRB5" */
>+ cipher_list="DEFAULT:!KRB5";
>+ } else {
>+ /* append ":!KRB5" */
>+
>cipher_list=shm_malloc(d->cipher_list.len+C_NO_KRB5_SUFFIX_LEN+1);
>+ if (cipher_list) {
>+ memcpy(cipher_list, d->cipher_list.s,
>d->cipher_list.len);
>+ memcpy(cipher_list+d->cipher_list.len,
>C_NO_KRB5_SUFFIX,
>+ C_NO_KRB5_SUFFIX_LEN);
>+
>cipher_list[d->cipher_list.len+C_NO_KRB5_SUFFIX_LEN]=0;
>+ shm_free(d->cipher_list.s);
>+ d->cipher_list.s=cipher_list;
>+ d->cipher_list.len+=C_NO_KRB5_SUFFIX_LEN;
>+ }
>+ }
>+ }
>+#endif /* TLS_KSSL_WORKARROUND */
>+ if (!cipher_list) return 0;
> procs_no=get_max_procs();
> for(i = 0; i< procs_no; i++) {
>- if (SSL_CTX_set_cipher_list(d->ctx[i], d->cipher_list.s) ==
>0 ) {
>- ERR("%s: Failure to set SSL context cipher list\n",
>tls_domain_str(d));
>+ if (SSL_CTX_set_cipher_list(d->ctx[i], cipher_list) == 0 ) {
>+ ERR("%s: Failure to set SSL context cipher list
>\"%s\"\n",
>+ tls_domain_str(d), cipher_list);
> return -1;
> }
> }
>
>
>_______________________________________________
>sr-dev mailing list
>sr-dev(a)lists.sip-router.org
>http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
5256
days inactive
5257
days old
2 comments
2 participants
participants (2)
-
Andrei Pelinescu-Onciul -
Klaus Darilion