[sr-dev] git:master: tls: disable kerberos more thoroughly [fix]
Klaus Darilion
klaus.mailinglists at pernau.at
Tue Feb 23 17:47:45 CET 2010
Is it possible to overrule this behavior, e.g. for testing?
regards
klaus
On 23.02.2010 16:37, Andrei Pelinescu-Onciul wrote:
> Module: sip-router
> Branch: master
> Commit: 51ee5da9ebf09447f71d4393f7c5b703305ff46d
> URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=51ee5da9ebf09447f71d4393f7c5b703305ff46d
>
> Author: Andrei Pelinescu-Onciul <andrei at iptel.org>
> Committer: Andrei Pelinescu-Onciul <andrei at iptel.org>
> Date: Tue Feb 23 16:10:21 2010 +0100
>
> tls: disable kerberos more thoroughly [fix]
>
> Older openssl versions (< 0.9.8e release) have a bug in the
> kerberos code (it uses the wrong malloc, for more details see
> openssl bug # 1467). While there is already a workaround for this
> openssl bug in the sr code (see commits 36cb8f & 560a42), in some
> situations this workaround causes another bug (crash on connection
> opening when openssl is compiled with kerberos support and
> kerberos is enabled for key exchange).
> The current fix will disable automatically all the ciphers containing
> KRB5 if the openssl version is < 0.9.8e beta1 or it is between
> 0.9.9-dev and 0.9.9-beta1.
> It is equivalent to setting cipher_list to "<prev. value>:!KRB5".
>
> Impact: this fix is needed only if openssl is compiled with
> kerberos support and the version is < 0.9.8e. It also affects at
> least CentOS users with openssl-0.9.8e-12.el5_4.1 (in the centos
> openssl package they play some strange games with the version and
> report 0.9.8b via SSLeay).
>
> Tested-by: Klaus Darilion klaus.mailinglists at pernau.at
> Reported-by: Klaus Darilion klaus.mailinglists at pernau.at
> Reported-by: Andreas Rehbein rehbein at e-technik.org
> Reported-by: Martin Koenig koenig starface.de
>
> ---
>
> modules/tls/tls_domain.c | 35 +++++++++++++++++++++++++++++++----
> 1 files changed, 31 insertions(+), 4 deletions(-)
>
> diff --git a/modules/tls/tls_domain.c b/modules/tls/tls_domain.c
> index b0d5d3c..c4f25e8 100644
> --- a/modules/tls/tls_domain.c
> +++ b/modules/tls/tls_domain.c
> @@ -271,6 +271,10 @@ static int load_ca_list(tls_domain_t* d)
> return 0;
> }
>
> +#define C_DEF_NO_KRB5 "DEFAULT:!KRB5"
> +#define C_DEF_NO_KRB5_LEN (sizeof(C_DEF_NO_KRB5)-1)
> +#define C_NO_KRB5_SUFFIX ":!KRB5"
> +#define C_NO_KRB5_SUFFIX_LEN (sizeof(C_NO_KRB5_SUFFIX)-1)
>
> /*
> * Configure cipher list
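Review bot: C_DEF_NO_KRB5 and C_DEF_NO_KRB5_LEN are added here but never used; the code in the next hunk assigns the bare literal `cipher_list="DEFAULT:!KRB5";` instead of `cipher_list=C_DEF_NO_KRB5;`, and nothing references the _LEN macro. Either use the macro in that assignment or drop the two unused defines, so the "no KRB5" cipher strings are kept in one place alongside C_NO_KRB5_SUFFIX.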
> @@ -279,12 +283,35 @@ static int set_cipher_list(tls_domain_t* d)
> {
> int i;
> int procs_no;
> -
> - if (!d->cipher_list.s) return 0;
> + char* cipher_list;
> +
> + cipher_list=d->cipher_list.s;
> +#ifdef TLS_KSSL_WORKARROUND
> + if (openssl_kssl_malloc_bug) { /* is openssl bug #1467 present ? */
> + if (d->cipher_list.s==0) {
> + /* use "DEFAULT:!KRB5" */
> + cipher_list="DEFAULT:!KRB5";
> + } else {
> + /* append ":!KRB5" */
> + cipher_list=shm_malloc(d->cipher_list.len+C_NO_KRB5_SUFFIX_LEN+1);
> + if (cipher_list) {
> + memcpy(cipher_list, d->cipher_list.s, d->cipher_list.len);
> + memcpy(cipher_list+d->cipher_list.len, C_NO_KRB5_SUFFIX,
> + C_NO_KRB5_SUFFIX_LEN);
> + cipher_list[d->cipher_list.len+C_NO_KRB5_SUFFIX_LEN]=0;
> + shm_free(d->cipher_list.s);
> + d->cipher_list.s=cipher_list;
> + d->cipher_list.len+=C_NO_KRB5_SUFFIX_LEN;
> + }
> + }
> + }
> +#endif /* TLS_KSSL_WORKARROUND */
> + if (!cipher_list) return 0;
> procs_no=get_max_procs();
> for(i = 0; i< procs_no; i++) {
> - if (SSL_CTX_set_cipher_list(d->ctx[i], d->cipher_list.s) == 0 ) {
> - ERR("%s: Failure to set SSL context cipher list\n", tls_domain_str(d));
> + if (SSL_CTX_set_cipher_list(d->ctx[i], cipher_list) == 0 ) {
> + ERR("%s: Failure to set SSL context cipher list \"%s\"\n",
> + tls_domain_str(d), cipher_list);
> return -1;
> }
> }
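Review bot: in the append branch, if shm_malloc() fails, cipher_list is left pointing at the unmodified d->cipher_list.s and the function carries on, so on an affected openssl build the KRB5 ciphers stay enabled (the very crash this commit works around) and nothing is logged to say why; consider an `ERR(...)` plus `return -1` (or at least a warning) there, in line with how the SSL_CTX_set_cipher_list() failure below is reported. The same branch also rewrites d->cipher_list in place, so if set_cipher_list() can run more than once for the same domain (e.g. on reload) ":!KRB5" is appended again each time; skipping the append when the list already ends with C_NO_KRB5_SUFFIX would make it idempotent.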
>
>
> _______________________________________________
> sr-dev mailing list
> sr-dev at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev