
- workaround for openssl kerberos malloc bug:
openssl kerberos code in kssl.c uses libc malloc/free/calloc instead
of the OPENSSL* versions (set using CRYPTO_set_mem_functions()). In ser,
ssl connections "move" between processes, so everything must be
allocated in shared mem. If the wrong malloc functions are called, ser
will eventually crash. This workaround tries to disable kerberos support
each time a new SSL structure is created. For this fix to work it is important
to either use statically linked openssl or re-compile ser on the target
machine (if openssl is linked dynamically then it must use the same
compilation options as the machine on which ser is compiled).
Bug reported by Atle Samuelsen <[email protected]>.

Andrei Pelinescu-Onciul 18 years ago
parent
commit
36cb8fa734
3 changed files with 30 additions and 0 deletions
  1. 5 0
      modules/tls/tls_init.c
  2. 14 0
      modules/tls/tls_init.h
  3. 11 0
      modules/tls/tls_server.c

+ 5 - 0
modules/tls/tls_init.c

@@ -45,6 +45,7 @@
 #include "tls_util.h"
 #include "tls_mod.h"
 #include "tls_init.h"
+#include "tls_locking.h"
 
 #if OPENSSL_VERSION_NUMBER < 0x00907000L
 #    warning ""
@@ -225,6 +226,10 @@ int init_tls(void)
 	if (tls_init_locks()<0)
 		return -1;
 	init_tls_compression();
+	#ifdef TLS_KSSL_WORKARROUND
+		LOG(L_INFO, "init_tls: kerberos malloc bug workarround "
+			"(krb disabled)...\n");
+	#endif
 	SSL_library_init();
 	SSL_load_error_strings();
 	init_ssl_methods();
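Review bot: The `(krb disabled)` message added in the second hunk is printed whenever TLS_KSSL_WORKARROUND was set at build time, so it reports a compile-time decision and not anything checked against the libssl that is actually loaded. The commit description itself says a dynamically linked, differently built openssl defeats the workaround, so a startup comparison next to this LOG would make at least part of that case visible: `if (SSLeay() != OPENSSL_VERSION_NUMBER) LOG(L_WARN, "init_tls: openssl runtime version differs from compile-time headers\n");`. That check only catches a version difference, not a library built with different Kerberos options, and the log text should say so rather than claim Kerberos is disabled. init_tls starts and ends outside the hunk.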

+ 14 - 0
modules/tls/tls_init.h

@@ -36,6 +36,20 @@
 #include "../../ip_addr.h"
 #include "tls_domain.h"
 
+#ifndef OPENSSL_NO_KRB5
+#warning openssl lib compiled with kerberos support which introduces a bug \
+ (wrong malloc/free used in kssl.c) -- attempting workarround
+#warning NOTE: if you don't link libssl staticaly don't try running the \
+ compiled code on a system with a differently compiled openssl (it's safer \
+ to compile on the  _target_ system)
+/* enable workarround for openssl kerberos wrong malloc bug
+ * (kssl code uses libc malloc/free/calloc instead of OPENSSL_malloc & 
+ * friends)*/
+#define TLS_KSSL_WORKARROUND
+#endif
+
+
+
 extern SSL_METHOD* ssl_methods[];
 
 
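Review bot: The `#ifndef OPENSSL_NO_KRB5` test is only meaningful if `<openssl/opensslconf.h>` has already been included at this point, and the includes visible in the hunk (`../../ip_addr.h`, `tls_domain.h`) do not show that; an explicit `#include <openssl/opensslconf.h>` just above the test would remove the dependence on include order. The consumer has the same problem: the `#ifdef TLS_KSSL_WORKARROUND` block in modules/tls/tls_server.c compiles out silently if that file does not see this header first, leaving the shared-memory bug in place with no diagnostic. A comment on the define should name that dependency, for example `/* tls_server.c must include tls_init.h: kssl_ctx is freed only when TLS_KSSL_WORKARROUND is defined */`. As written, the two `#warning` lines are also emitted once for every translation unit that includes tls_init.h.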

+ 11 - 0
modules/tls/tls_server.c

@@ -28,6 +28,11 @@
  * along with this program; if not, write to the Free Software 
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  */
+/*
+ * History:
+ * --------
+ *  2007-01-26  openssl kerberos malloc bug detection/workarround (andrei)
+ */
 
 #include <sys/poll.h>
 #include <openssl/err.h>
@@ -95,6 +100,12 @@ static int tls_complete_init(struct tcp_connection* c)
 		TLS_ERR("Failed to create SSL structure:");
 		goto error;
 	}
+#ifdef TLS_KSSL_WORKARROUND
+	if (data->ssl->kssl_ctx){
+		kssl_ctx_free(data->ssl->kssl_ctx);
+		data->ssl->kssl_ctx=0;
+	}
+#endif
 	c->extra_data = data;
 	return 0;