Fixed TLS CRLF pingpong regression

Properly handle CRLFCRLF pings over TLS (cherry picked from commit 558a4f1)
OpenSIPS · Mar 24, 2015 · f3b03dc · f3b03dc
1 parent 9ee5093
commit f3b03dc
Show file tree

Hide file tree

Showing 3 changed files with 134 additions and 8 deletions.
diff --git a/modules/proto_tls/README b/modules/proto_tls/README
@@ -75,6 +75,9 @@ Ionut-Razvan Ionita
 
               1.6.13. client_domain_avp (integer)
               1.6.14. server_domain, client_domain (string)
+              1.6.15. tls_crlf_pingpong (integer)
+              1.6.16. tls_crlf_drop (integer)
+              1.6.17. tls_max_msg_chunks (integer)
 
         1.7. Pseudo-Variables
 
@@ -123,9 +126,12 @@ Ionut-Razvan Ionita
    1.12. Set tls_handshake_timeout & tls_send_timeout variable
    1.13. Set tls_client_domain_avp variable
    1.14. Usage of tls_client_domain and tls_server_domain block
-   1.15. Example of $tls_[peer|my]_[subject|issuer]
-   1.16. Script with TLS support
-   1.17. Example of TLS logging
+   1.15. Set tls_crlf_pingpong parameter
+   1.16. Set tls_crlf_drop parameter
+   1.17. Set tls_max_msg_chunks parameter
+   1.18. Example of $tls_[peer|my]_[subject|issuer]
+   1.19. Script with TLS support
+   1.20. Example of TLS logging
 
 Chapter 1. Admin Guide
 
@@ -665,6 +671,48 @@ route{
     exit;
 ...
 
+1.6.15. tls_crlf_pingpong (integer)
+
+   Send CRLF pong (\r\n) to incoming CRLFCRLF ping messages over
+   TLS. By default it is enabled (1).
+
+   Default value is 1 (enabled).
+
+   Example 1.15. Set tls_crlf_pingpong parameter
+...
+modparam("proto_tcp", "tls_crlf_pingpong", 0)
+...
+
+1.6.16. tls_crlf_drop (integer)
+
+   Drop CRLF (\r\n) ping messages. When this parameter is enabled,
+   the TLS layer drops packets that contains a single CRLF
+   message. If a CRLFCRLF message is received, it is handled
+   according to the tls_crlf_pingpong parameter.
+
+   Default value is 0 (disabled).
+
+   Example 1.16. Set tls_crlf_drop parameter
+...
+modparam("proto_tcp", "tls_crlf_drop", 1)
+...
+
+1.6.17. tls_max_msg_chunks (integer)
+
+   The maximum number of chunks that a SIP message is expected to
+   arrive via TLS. If a packet is received more fragmented than
+   this, the connection is dropped (either the connection is very
+   overloaded and this leads to high fragmentation - or we are the
+   victim of an ongoing attack where the attacker is sending the
+   traffic very fragmented in order to decrease our performance).
+
+   Default value is 4.
+
+   Example 1.17. Set tls_max_msg_chunks parameter
+...
+modparam("proto_tcp", "tls_max_msg_chunks", 8)
+...
+
 1.7. Pseudo-Variables
 
    This module exports the follong pseudo-variables:
@@ -709,7 +757,7 @@ route{
    $tls_[peer|my]_[subject|issuer] - ASCII dump of the fields in
    the issuer/subject section of the certificate. String type.
 
-   Example 1.15. Example of $tls_[peer|my]_[subject|issuer]
+   Example 1.18. Example of $tls_[peer|my]_[subject|issuer]
 /C=AT/ST=Vienna/L=Vienna/O=enum.at/CN=enum.at
 
 1.7.8. $tls_[peer|my]_[subject|issuer]_cn
@@ -804,7 +852,7 @@ route{
    for more details).
      * fork = yes
 
-   Example 1.16. Script with TLS support
+   Example 1.19. Script with TLS support
   # ----------- global configuration parameters ------------------------
   debug=3
   fork=yes
@@ -980,7 +1028,7 @@ route{
    statements into your OpenSIPS.cfg. This will dump all available
    TLS pseudo variables.
 
-   Example 1.17. Example of TLS logging
+   Example 1.20. Example of TLS logging
 xlog("L_INFO","==================== start TLS pseudo variables =========
 ========='\n");
 xlog("L_INFO","$$tls_version                    = '$tls_version'\n");

diff --git a/modules/proto_tls/doc/proto_tls_admin.xml b/modules/proto_tls/doc/proto_tls_admin.xml
@@ -727,6 +727,73 @@ route{
 				</programlisting>
 			</example>
 		</section>
+	<section>
+		<title><varname>tls_crlf_pingpong</varname> (integer)</title>
+		<para>
+			Send CRLF pong (\r\n) to incoming CRLFCRLF ping messages over TLS.
+			By default it is enabled (1).
+		</para>
+		<para>
+		<emphasis>
+			Default value is 1 (enabled).
+		</emphasis>
+		</para>
+		<example>
+		<title>Set <varname>tls_crlf_pingpong</varname> parameter</title>
+		<programlisting format="linespecific">
+...
+modparam("proto_tcp", "tls_crlf_pingpong", 0)
+...
+</programlisting>
+		</example>
+	</section>
+	<section>
+		<title><varname>tls_crlf_drop</varname> (integer)</title>
+		<para>
+			Drop CRLF (\r\n) ping messages. When this parameter is enabled,
+			the TLS layer drops packets that contains a single CRLF message.
+			If a CRLFCRLF message is received, it is handled according to the
+			<emphasis>tls_crlf_pingpong</emphasis> parameter.
+		</para>
+		<para>
+		<emphasis>
+			Default value is 0 (disabled).
+		</emphasis>
+		</para>
+		<example>
+		<title>Set <varname>tls_crlf_drop</varname> parameter</title>
+		<programlisting format="linespecific">
+...
+modparam("proto_tcp", "tls_crlf_drop", 1)
+...
+</programlisting>
+		</example>
+	</section>
+
+	<section>
+		<title><varname>tls_max_msg_chunks</varname> (integer)</title>
+		<para>
+			The maximum number of chunks that a SIP message is expected to
+			arrive via TLS. If a packet is received more fragmented than this,
+			the connection is dropped (either the connection is very
+			overloaded and this leads to high fragmentation - or we are the
+			victim of an ongoing attack where the attacker is sending the
+			traffic very fragmented in order to decrease our performance).
+		</para>
+		<para>
+		<emphasis>
+			Default value is 4.
+		</emphasis>
+		</para>
+		<example>
+		<title>Set <varname>tls_max_msg_chunks</varname> parameter</title>
+		<programlisting format="linespecific">
+...
+modparam("proto_tcp", "tls_max_msg_chunks", 8)
+...
+</programlisting>
+		</example>
+	</section>
 	</section>
 
 

diff --git a/modules/proto_tls/proto_tls.c b/modules/proto_tls/proto_tls.c
@@ -60,6 +60,14 @@ static int is_peer_verified(struct sip_msg*, char*, char*);
 static int tls_port_no = SIPS_PORT;
 static char *tls_domain_avp = NULL;
 
+static int tls_max_msg_chunks = TCP_CHILD_MAX_MSG_CHUNK;
+
+/* 0: send CRLF pong to incoming CRLFCRLF ping */
+static int tls_crlf_pingpong = 1;
+
+/* 0: do not drop single CRLF messages */
+static int tls_crlf_drop = 0;
+
 static int  mod_init(void);
 static void mod_destroy(void);
 static int proto_tls_init(struct proto_info *pi);
@@ -110,6 +118,9 @@ static param_export_t params[] = {
 	{ "ciphers_list",  STR_PARAM|USE_FUNC_PARAM,  (void*)tlsp_set_cplist     },
 	{ "dh_params",     STR_PARAM|USE_FUNC_PARAM,  (void*)tlsp_set_dhparams   },
 	{ "ec_curve",      STR_PARAM|USE_FUNC_PARAM,  (void*)tlsp_set_eccurve    },
+	{ "tls_crlf_pingpong",     INT_PARAM,         &tls_crlf_pingpong         },
+	{ "tls_crlf_drop",         INT_PARAM,         &tls_crlf_drop             },
+	{ "tls_max_msg_chunks",    INT_PARAM,         &tls_max_msg_chunks        },
 	{0, 0, 0}
 };
 
@@ -1448,7 +1459,7 @@ static int tls_read_req(struct tcp_connection* con, int* bytes_read)
 			}
 		}
 
-		tcp_parse_headers(req, 0/*crlf_pingpong*/, 0/*crlf_drop*/);
+		tcp_parse_headers(req, tls_crlf_pingpong, tls_crlf_drop);
 #ifdef EXTRA_DEBUG
 					/* if timeout state=0; goto end__req; */
 		LM_DBG("read= %d bytes, parsed=%d, state=%d, error=%d\n",
@@ -1480,7 +1491,7 @@ static int tls_read_req(struct tcp_connection* con, int* bytes_read)
 		goto error;
 	}
 
-	switch (tcp_handle_req(req, con, 4/*max_msg_chunks*/) ) {
+	switch (tcp_handle_req(req, con, tls_max_msg_chunks) ) {
 		case 1:
 			goto again;
 		case -1: