Inicio Explorar Ayuda
Iniciar sesión
Kamailio
/
kamailio
espejo de https://github.com/kamailio/kamailio.git
2
0
Fork 0
Archivos Incidencias 0 Wiki
Explorar el Código

tls: disable kerberos more thoroughly [fix]

Older openssl versions (< 0.9.8e release) have a bug in the
kerberos code (it uses the wrong malloc, for more details see
openssl bug # 1467). While there is already a workaround for this
openssl bug in the sr code (see commits 36cb8f & 560a42), in some
situations this workaround causes another bug (crash on connection
opening when openssl is compiled with kerberos support and
kerberos is enabled for key exchange).
The current fix will disable automatically all the ciphers containing
KRB5 if the openssl version is < 0.9.8e beta1 or it is between
0.9.9-dev and 0.9.9-beta1.
It iss equivalent to setting cipher_list to "<prev. value>:!KRB5".

Impact: this fix is needed only if openssl is compiled with
kerberos support and the version is < 0.9.8e. It also affects at
least CentOS users with openssl-0.9.8e-12.el5_4.1 (in the centos
openssl package they play some strange games with the version and
report 0.9.8b via SSLeay).

Tested-by: Klaus Darilion  klaus.mailinglists at pernau.at
Reported-by: Klaus Darilion  klaus.mailinglists at pernau.at
Reported-by: Andreas Rehbein  rehbein at e-technik.org
Reported-by: Martin Koenig  koenig starface.de
Andrei Pelinescu-Onciul hace 15 años
padre
d06c0f78f3
commit
51ee5da9eb
Se han modificado 1 ficheros con 31 adiciones y 4 borrados
Dividir vista Mostrar estadísticas de diff
  1. 31 4
      modules/tls/tls_domain.c

+ 31 - 4
modules/tls/tls_domain.c
Ver fichero 

@@ -271,6 +271,10 @@ static int load_ca_list(tls_domain_t* d)
 
 	return 0;
 
 }
 
 
+#define C_DEF_NO_KRB5 "DEFAULT:!KRB5"
 
+#define C_DEF_NO_KRB5_LEN (sizeof(C_DEF_NO_KRB5)-1)
 
+#define C_NO_KRB5_SUFFIX ":!KRB5"
 
+#define C_NO_KRB5_SUFFIX_LEN (sizeof(C_NO_KRB5_SUFFIX)-1)
 
 
 /* 
  * Configure cipher list 
@@ -279,12 +283,35 @@ static int set_cipher_list(tls_domain_t* d)
 
 {
 
 	int i;
 
 	int procs_no;
 
-
 
-	if (!d->cipher_list.s) return 0;
 
+	char* cipher_list;
 
+
 
+	cipher_list=d->cipher_list.s;
 
+#ifdef TLS_KSSL_WORKARROUND
 
+	if (openssl_kssl_malloc_bug) { /* is openssl bug #1467 present ? */
 
+		if (d->cipher_list.s==0) {
 
+			/* use "DEFAULT:!KRB5" */
 
+			cipher_list="DEFAULT:!KRB5";
 
+		} else {
 
+			/* append ":!KRB5" */
 
+			cipher_list=shm_malloc(d->cipher_list.len+C_NO_KRB5_SUFFIX_LEN+1);
 
+			if (cipher_list) {
 
+				memcpy(cipher_list, d->cipher_list.s, d->cipher_list.len);
 
+				memcpy(cipher_list+d->cipher_list.len, C_NO_KRB5_SUFFIX,
 
+						C_NO_KRB5_SUFFIX_LEN);
 
+				cipher_list[d->cipher_list.len+C_NO_KRB5_SUFFIX_LEN]=0;
 
+				shm_free(d->cipher_list.s);
 
+				d->cipher_list.s=cipher_list;
 
+				d->cipher_list.len+=C_NO_KRB5_SUFFIX_LEN;
 
+			}
 
+		}
 
+	}
 
+#endif /* TLS_KSSL_WORKARROUND */
 
+	if (!cipher_list) return 0;
 
 	procs_no=get_max_procs();
 
 	for(i = 0; i < procs_no; i++) {
 
-		if (SSL_CTX_set_cipher_list(d->ctx[i], d->cipher_list.s) == 0 ) {
 
-			ERR("%s: Failure to set SSL context cipher list\n", tls_domain_str(d));
 
+		if (SSL_CTX_set_cipher_list(d->ctx[i], cipher_list) == 0 ) {
 
+			ERR("%s: Failure to set SSL context cipher list \"%s\"\n",
 
+					tls_domain_str(d), cipher_list);
 
 			return -1;
 
 		}
 
 	}