Asterisk
/
asterisk
mirror of https://github.com/asterisk/asterisk
1
0
Fork 0
Code Issues Releases Wiki Activity

Merged revisions 151101 via svnmerge from

Browse Source 
https://origsvn.digium.com/svn/asterisk/trunk

........
  r151101 | kpfleming | 2008-10-19 22:11:28 +0300 (Sun, 19 Oct 2008) | 13 lines
  
  cleaup of the TCP/TLS socket API:
  
  1) rename 'struct server_args' to 'struct ast_tcptls_session_args', to follow coding guidelines
  
  2) make ast_make_file_from_fd() static and rename it to something that indicates what it really is for (again coding guidelines)
  
  3) rename address variables inside 'struct ast_tcptls_session_args' to be more descriptive (dare i say it... coding guidelines)
  
  4) change ast_tcptls_client_start() to use the new 'remote_address' field of the session args for the destination of the connection, and use the 'local_address' field to bind() the socket to the proper source address, if one is supplied
  
  5) in chan_sip, ensure that we pass in the PP address we are bound to when creating outbound (client) connections, so that our connections will appear from the correct address
........


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.1@151135 65c4cc65-6c06-0410-ace0-fbb531ad65f3
1.6.1
Kevin P. Fleming 17 years ago
parent f4be174ad8
commit f0c712cf4b
6 changed files with 240 additions and 232 deletions
Show Stats Download Patch File Download Diff File

9
apps/app_externalivr.c
Unescape View File

@ -46,6 +46,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
#include "asterisk/app.h"
#include "asterisk/utils.h"
#include "asterisk/tcptls.h"
#include "asterisk/astobj2.h"
static const char *app = "ExternalIVR";
@ -419,7 +420,7 @@ static int app_exec(struct ast_channel *chan, void *data)
}
if (!strncmp(app_args[0], "ivr://", 6)) {
struct server_args ivr_desc = {
struct ast_tcptls_session_args ivr_desc = {
.accept_fd = -1,
.name = "IVR",
};
@ -438,9 +439,9 @@ static int app_exec(struct ast_channel *chan, void *data)
}
ast_gethostbyname(hostname, &hp);
ivr_desc.sin.sin_family = AF_INET;
ivr_desc.sin.sin_port = htons(port);
memmove(&ivr_desc.sin.sin_addr.s_addr, hp.hp.h_addr, hp.hp.h_length);
ivr_desc.local_address.sin_family = AF_INET;
ivr_desc.local_address.sin_port = htons(port);
memcpy(&ivr_desc.local_address.sin_addr.s_addr, hp.hp.h_addr, hp.hp.h_length);
ser = ast_tcptls_client_start(&ivr_desc);
if (!ser) {

62
channels/chan_sip.c
Unescape View File

@ -2260,7 +2260,7 @@ static struct ast_tls_config sip_tls_cfg;
static struct ast_tls_config default_tls_cfg;
/*! \brief The TCP server definition */
static struct server_args sip_tcp_desc = {
static struct ast_tcptls_session_args sip_tcp_desc = {
.accept_fd = -1,
.master = AST_PTHREADT_NULL,
.tls_cfg = NULL,
@ -2271,7 +2271,7 @@ static struct server_args sip_tcp_desc = {
};
/*! \brief The TCP/TLS server definition */
static struct server_args sip_tls_desc = {
static struct ast_tcptls_session_args sip_tls_desc = {
.accept_fd = -1,
.master = AST_PTHREADT_NULL,
.tls_cfg = &sip_tls_cfg,
@ -2417,7 +2417,7 @@ static void *_sip_tcp_helper_thread(struct sip_pvt *pvt, struct ast_tcptls_sessi
}
}
req.socket.ser = ser;
handle_request_do(&req, &ser->requestor);
handle_request_do(&req, &ser->remote_address);
}
cleanup:
@ -2459,7 +2459,7 @@ static void *unref_peer(struct sip_peer *peer, char *tag)
static struct sip_peer *ref_peer(struct sip_peer *peer, char *tag)
{
ao2_t_ref(peer, 1,tag);
ao2_t_ref(peer, 1, tag);
return peer;
}
@ -12376,8 +12376,8 @@ static char *sip_show_tcp(struct ast_cli_entry *e, int cmd, struct ast_cli_args
ast_cli(a->fd, FORMAT2, "Host", "Port", "Transport", "Type");
AST_LIST_LOCK(&threadl);
AST_LIST_TRAVERSE(&threadl, th, list) {
ast_cli(a->fd, FORMAT, ast_inet_ntoa(th->ser->requestor.sin_addr),
ntohs(th->ser->requestor.sin_port),
ast_cli(a->fd, FORMAT, ast_inet_ntoa(th->ser->remote_address.sin_addr),
ntohs(th->ser->remote_address.sin_port),
get_transport(th->type),
(th->ser->client ? "Client" : "Server"));
@ -13636,16 +13636,16 @@ static char *sip_show_settings(struct ast_cli_entry *e, int cmd, struct ast_cli_
ast_cli(a->fd, " UDP SIP Port: %d\n", ntohs(bindaddr.sin_port));
ast_cli(a->fd, " UDP Bindaddress: %s\n", ast_inet_ntoa(bindaddr.sin_addr));
ast_cli(a->fd, " TCP SIP Port: ");
if (sip_tcp_desc.sin.sin_family == AF_INET) {
ast_cli(a->fd, "%d\n", ntohs(sip_tcp_desc.sin.sin_port));
ast_cli(a->fd, " TCP Bindaddress: %s\n", ast_inet_ntoa(sip_tcp_desc.sin.sin_addr));
if (sip_tcp_desc.local_address.sin_family == AF_INET) {
ast_cli(a->fd, "%d\n", ntohs(sip_tcp_desc.local_address.sin_port));
ast_cli(a->fd, " TCP Bindaddress: %s\n", ast_inet_ntoa(sip_tcp_desc.local_address.sin_addr));
} else {
ast_cli(a->fd, "Disabled\n");
}
ast_cli(a->fd, " TLS SIP Port: ");
if (default_tls_cfg.enabled != FALSE) {
ast_cli(a->fd, "%d\n", ntohs(sip_tls_desc.sin.sin_port));
ast_cli(a->fd, " TLS Bindaddress: %s\n", ast_inet_ntoa(sip_tls_desc.sin.sin_addr));
ast_cli(a->fd, "%d\n", ntohs(sip_tls_desc.local_address.sin_port));
ast_cli(a->fd, " TLS Bindaddress: %s\n", ast_inet_ntoa(sip_tls_desc.local_address.sin_addr));
} else {
ast_cli(a->fd, "Disabled\n");
}
@ -19376,9 +19376,9 @@ static struct ast_tcptls_session_instance *sip_tcp_locate(struct sockaddr_in *s)
AST_LIST_LOCK(&threadl);
AST_LIST_TRAVERSE(&threadl, th, list) {
if ((s->sin_family == th->ser->requestor.sin_family) &&
(s->sin_addr.s_addr == th->ser->requestor.sin_addr.s_addr) &&
(s->sin_port == th->ser->requestor.sin_port)) {
if ((s->sin_family == th->ser->remote_address.sin_family) &&
(s->sin_addr.s_addr == th->ser->remote_address.sin_addr.s_addr) &&
(s->sin_port == th->ser->remote_address.sin_port)) {
AST_LIST_UNLOCK(&threadl);
return th->ser;
}
@ -19393,7 +19393,7 @@ static int sip_prepare_socket(struct sip_pvt *p)
struct sip_socket *s = &p->socket;
static const char name[] = "SIP socket";
struct ast_tcptls_session_instance *ser;
struct server_args ca = {
struct ast_tcptls_session_args ca = {
.name = name,
.accept_fd = -1,
};
@ -19410,9 +19410,9 @@ static int sip_prepare_socket(struct sip_pvt *p)
return s->fd;
}
ca.sin = *(sip_real_dst(p));
ca.remote_address = *(sip_real_dst(p));
if ((ser = sip_tcp_locate(&ca.sin))) {
if ((ser = sip_tcp_locate(&ca.remote_address))) { /* Check if we have a thread handling a socket connected to this IP/port */
s->fd = ser->fd;
if (s->ser) {
ao2_ref(s->ser, -1);
@ -21344,16 +21344,16 @@ static int reload_config(enum channelreloadreason reason)
}
/* Initialize tcp sockets */
memset(&sip_tcp_desc.sin, 0, sizeof(sip_tcp_desc.sin));
memset(&sip_tls_desc.sin, 0, sizeof(sip_tls_desc.sin));
memset(&sip_tcp_desc.local_address, 0, sizeof(sip_tcp_desc.local_address));
memset(&sip_tls_desc.local_address, 0, sizeof(sip_tls_desc.local_address));
ast_free_ha(global_contact_ha);
global_contact_ha = NULL;
default_tls_cfg.enabled = FALSE; /* Default: Disable TLS */
sip_tcp_desc.sin.sin_port = htons(STANDARD_SIP_PORT);
sip_tls_desc.sin.sin_port = htons(STANDARD_TLS_PORT);
sip_tcp_desc.local_address.sin_port = htons(STANDARD_SIP_PORT);
sip_tls_desc.local_address.sin_port = htons(STANDARD_TLS_PORT);
if (reason != CHANNEL_MODULE_LOAD) {
ast_debug(4, "--------------- SIP reload started\n");
@ -21566,17 +21566,17 @@ static int reload_config(enum channelreloadreason reason)
} else if (!strcasecmp(v->name, "t1min")) {
global_t1min = atoi(v->value);
} else if (!strcasecmp(v->name, "tcpenable")) {
sip_tcp_desc.sin.sin_family = ast_false(v->value) ? 0 : AF_INET;
sip_tcp_desc.local_address.sin_family = ast_false(v->value) ? 0 : AF_INET;
ast_debug(2, "Enabling TCP socket for listening\n");
} else if (!strcasecmp(v->name, "tcpbindaddr")) {
int family = sip_tcp_desc.sin.sin_family;
if (ast_parse_arg(v->value, PARSE_INADDR, &sip_tcp_desc.sin))
int family = sip_tcp_desc.local_address.sin_family;
if (ast_parse_arg(v->value, PARSE_INADDR, &sip_tcp_desc.local_address))
ast_log(LOG_WARNING, "Invalid %s '%s' at line %d of %s\n", v->name, v->value, v->lineno, config);
sip_tcp_desc.sin.sin_family = family;
sip_tcp_desc.local_address.sin_family = family;
ast_debug(2, "Setting TCP socket address to %s\n", v->value);
} else if (!strcasecmp(v->name, "tlsenable")) {
default_tls_cfg.enabled = ast_true(v->value) ? TRUE : FALSE;
sip_tls_desc.sin.sin_family = AF_INET;
sip_tls_desc.local_address.sin_family = AF_INET;
} else if (!strcasecmp(v->name, "tlscertfile")) {
ast_free(default_tls_cfg.certfile);
default_tls_cfg.certfile = ast_strdup(v->value);
@ -21594,7 +21594,7 @@ static int reload_config(enum channelreloadreason reason)
} else if (!strcasecmp(v->name, "tlsdontverifyserver")) {
ast_set2_flag(&default_tls_cfg.flags, ast_true(v->value), AST_SSL_DONT_VERIFY_SERVER);
} else if (!strcasecmp(v->name, "tlsbindaddr")) {
if (ast_parse_arg(v->value, PARSE_INADDR, &sip_tls_desc.sin))
if (ast_parse_arg(v->value, PARSE_INADDR, &sip_tls_desc.local_address))
ast_log(LOG_WARNING, "Invalid %s '%s' at line %d of %s\n", v->name, v->value, v->lineno, config);
} else if (!strcasecmp(v->name, "dynamic_exclude_static") || !strcasecmp(v->name, "dynamic_excludes_static")) {
global_dynamic_exclude_static = ast_true(v->value);
@ -22089,12 +22089,12 @@ static int reload_config(enum channelreloadreason reason)
ast_log(LOG_NOTICE, "Can't add wildcard IP address to domain list, please add IP address to domain manually.\n");
/* If TCP is running on a different IP than UDP, then add it too */
if (sip_tcp_desc.sin.sin_addr.s_addr && !inaddrcmp(&bindaddr, &sip_tcp_desc.sin))
add_sip_domain(ast_inet_ntoa(sip_tcp_desc.sin.sin_addr), SIP_DOMAIN_AUTO, NULL);
if (sip_tcp_desc.local_address.sin_addr.s_addr && !inaddrcmp(&bindaddr, &sip_tcp_desc.local_address))
add_sip_domain(ast_inet_ntoa(sip_tcp_desc.local_address.sin_addr), SIP_DOMAIN_AUTO, NULL);
/* If TLS is running on a differen IP than UDP and TCP, then add that too */
if (sip_tls_desc.sin.sin_addr.s_addr && !inaddrcmp(&bindaddr, &sip_tls_desc.sin) && inaddrcmp(&sip_tcp_desc.sin, &sip_tls_desc.sin))
add_sip_domain(ast_inet_ntoa(sip_tls_desc.sin.sin_addr), SIP_DOMAIN_AUTO, NULL);
if (sip_tls_desc.local_address.sin_addr.s_addr && !inaddrcmp(&bindaddr, &sip_tls_desc.local_address) && inaddrcmp(&sip_tcp_desc.local_address, &sip_tls_desc.local_address))
add_sip_domain(ast_inet_ntoa(sip_tls_desc.local_address.sin_addr), SIP_DOMAIN_AUTO, NULL);
/* Our extern IP address, if configured */
if (externip.sin_addr.s_addr)

63
include/asterisk/tcptls.h
Unescape View File

@ -45,12 +45,10 @@
*
*/
#ifndef _ASTERISK_SERVER_H
#define _ASTERISK_SERVER_H
#ifndef _ASTERISK_TCPTLS_H
#define _ASTERISK_TCPTLS_H
#include "asterisk/utils.h"
#include "asterisk/astobj2.h"
#if defined(HAVE_OPENSSL) && (defined(HAVE_FUNOPEN) || defined(HAVE_FOPENCOOKIE))
#define DO_SSL /* comment in/out if you want to support ssl */
@ -90,7 +88,7 @@ struct ast_tls_config {
/*!
* The following code implements a generic mechanism for starting
* services on a TCP or TLS socket.
* The service is configured in the struct server_args, and
* The service is configured in the struct session_args, and
* then started by calling server_start(desc) on the descriptor.
* server_start() first verifies if an instance of the service is active,
* and in case shuts it down. Then, if the service must be started, creates
@ -105,38 +103,19 @@ struct ast_tls_config {
* running the session, whose body is desc->worker_fn(). The argument of
* worker_fn() is a struct ast_tcptls_session_instance, which contains the address
* of the other party, a pointer to desc, the file descriptors (fd) on which
* we can do a select/poll (but NOT IO/, and a FILE *on which we can do I/O.
* we can do a select/poll (but NOT I/O), and a FILE *on which we can do I/O.
* We have both because we want to support plain and SSL sockets, and
* going through a FILE *lets us provide the encryption/decryption
* going through a FILE * lets us provide the encryption/decryption
* on the stream without using an auxiliary thread.
*
* NOTE: in order to let other parts of asterisk use these services,
* we need to do the following:
* + move struct ast_tcptls_session_instance and struct server_args to
* a common header file, together with prototypes for
* server_start() and server_root().
*/
/*! \brief
* describes a server instance
*/
struct ast_tcptls_session_instance {
FILE *f; /* fopen/funopen result */
int fd; /* the socket returned by accept() */
SSL *ssl; /* ssl state */
/* iint (*ssl_setup)(SSL *); */
int client;
struct sockaddr_in requestor;
struct server_args *parent;
ast_mutex_t lock;
};
/*! \brief
* arguments for the accepting thread
*/
struct server_args {
struct sockaddr_in sin;
struct sockaddr_in oldsin;
struct ast_tcptls_session_args {
struct sockaddr_in local_address;
struct sockaddr_in old_local_address;
struct sockaddr_in remote_address;
char hostname[MAXHOSTNAMELEN]; /*!< only necessary for SSL clients so we can compare to common name */
struct ast_tls_config *tls_cfg; /*!< points to the SSL configuration if any */
int accept_fd;
@ -148,6 +127,20 @@ struct server_args {
const char *name;
};
/*
* describes a server instance
*/
struct ast_tcptls_session_instance {
FILE *f; /* fopen/funopen result */
int fd; /* the socket returned by accept() */
SSL *ssl; /* ssl state */
/* iint (*ssl_setup)(SSL *); */
int client;
struct sockaddr_in remote_address;
struct ast_tcptls_session_args *parent;
ast_mutex_t lock;
};
#if defined(HAVE_FUNOPEN)
#define HOOK_T int
#define LEN_T int
@ -156,16 +149,14 @@ struct server_args {
#define LEN_T size_t
#endif
struct ast_tcptls_session_instance *ast_tcptls_client_start(struct server_args *desc);
struct ast_tcptls_session_instance *ast_tcptls_client_start(struct ast_tcptls_session_args *desc);
void *ast_tcptls_server_root(void *);
void ast_tcptls_server_start(struct server_args *desc);
void ast_tcptls_server_stop(struct server_args *desc);
void ast_tcptls_server_start(struct ast_tcptls_session_args *desc);
void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc);
int ast_ssl_setup(struct ast_tls_config *cfg);
void *ast_make_file_from_fd(void *data);
HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *ser, void *buf, size_t count);
HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *ser, void *buf, size_t count);
#endif /* _ASTERISK_SERVER_H */
#endif /* _ASTERISK_TCPTLS_H */

41
main/http.c
Unescape View File

@ -50,6 +50,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
#include "asterisk/ast_version.h"
#include "asterisk/manager.h"
#include "asterisk/_private.h"
#include "asterisk/astobj2.h"
#define MAX_PREFIX 80
@ -65,7 +66,7 @@ static void *httpd_helper_thread(void *arg);
/*!
* we have up to two accepting threads, one for http, one for https
*/
static struct server_args http_desc = {
static struct ast_tcptls_session_args http_desc = {
.accept_fd = -1,
.master = AST_PTHREADT_NULL,
.tls_cfg = NULL,
@ -75,7 +76,7 @@ static struct server_args http_desc = {
.worker_fn = httpd_helper_thread,
};
static struct server_args https_desc = {
static struct ast_tcptls_session_args https_desc = {
.accept_fd = -1,
.master = AST_PTHREADT_NULL,
.tls_cfg = &http_tls_cfg,
@ -254,13 +255,13 @@ static struct ast_str *httpstatus_callback(struct ast_tcptls_session_instance *s
"<h2>&nbsp;&nbsp;Asterisk&trade; HTTP Status</h2></td></tr>\r\n");
ast_str_append(&out, 0, "<tr><td><i>Prefix</i></td><td><b>%s</b></td></tr>\r\n", prefix);
ast_str_append(&out, 0, "<tr><td><i>Bind Address</i></td><td><b>%s</b></td></tr>\r\n",
ast_inet_ntoa(http_desc.oldsin.sin_addr));
ast_inet_ntoa(http_desc.old_local_address.sin_addr));
ast_str_append(&out, 0, "<tr><td><i>Bind Port</i></td><td><b>%d</b></td></tr>\r\n",
ntohs(http_desc.oldsin.sin_port));
ntohs(http_desc.old_local_address.sin_port));
if (http_tls_cfg.enabled) {
ast_str_append(&out, 0, "<tr><td><i>SSL Bind Port</i></td><td><b>%d</b></td></tr>\r\n",
ntohs(https_desc.oldsin.sin_port));
ntohs(https_desc.old_local_address.sin_port));
}
ast_str_append(&out, 0, "<tr><td colspan=\"2\"><hr></td></tr>\r\n");
@ -856,11 +857,11 @@ static int __ast_http_load(int reload)
}
/* default values */
memset(&http_desc.sin, 0, sizeof(http_desc.sin));
http_desc.sin.sin_port = htons(8088);
memset(&http_desc.local_address, 0, sizeof(http_desc.local_address));
http_desc.local_address.sin_port = htons(8088);
memset(&https_desc.sin, 0, sizeof(https_desc.sin));
https_desc.sin.sin_port = htons(8089);
memset(&https_desc.local_address, 0, sizeof(https_desc.local_address));
https_desc.local_address.sin_port = htons(8089);
http_tls_cfg.enabled = 0;
if (http_tls_cfg.certfile) {
@ -886,7 +887,7 @@ static int __ast_http_load(int reload)
} else if (!strcasecmp(v->name, "sslenable")) {
http_tls_cfg.enabled = ast_true(v->value);
} else if (!strcasecmp(v->name, "sslbindport")) {
https_desc.sin.sin_port = htons(atoi(v->value));
https_desc.local_address.sin_port = htons(atoi(v->value));
} else if (!strcasecmp(v->name, "sslcert")) {
ast_free(http_tls_cfg.certfile);
http_tls_cfg.certfile = ast_strdup(v->value);
@ -896,17 +897,17 @@ static int __ast_http_load(int reload)
} else if (!strcasecmp(v->name, "enablestatic")) {
newenablestatic = ast_true(v->value);
} else if (!strcasecmp(v->name, "bindport")) {
http_desc.sin.sin_port = htons(atoi(v->value));
http_desc.local_address.sin_port = htons(atoi(v->value));
} else if (!strcasecmp(v->name, "sslbindaddr")) {
if ((hp = ast_gethostbyname(v->value, &ahp))) {
memcpy(&https_desc.sin.sin_addr, hp->h_addr, sizeof(https_desc.sin.sin_addr));
memcpy(&https_desc.local_address.sin_addr, hp->h_addr, sizeof(https_desc.local_address.sin_addr));
have_sslbindaddr = 1;
} else {
ast_log(LOG_WARNING, "Invalid bind address '%s'\n", v->value);
}
} else if (!strcasecmp(v->name, "bindaddr")) {
if ((hp = ast_gethostbyname(v->value, &ahp))) {
memcpy(&http_desc.sin.sin_addr, hp->h_addr, sizeof(http_desc.sin.sin_addr));
memcpy(&http_desc.local_address.sin_addr, hp->h_addr, sizeof(http_desc.local_address.sin_addr));
} else {
ast_log(LOG_WARNING, "Invalid bind address '%s'\n", v->value);
}
@ -928,10 +929,10 @@ static int __ast_http_load(int reload)
}
if (!have_sslbindaddr) {
https_desc.sin.sin_addr = http_desc.sin.sin_addr;
https_desc.local_address.sin_addr = http_desc.local_address.sin_addr;
}
if (enabled) {
http_desc.sin.sin_family = https_desc.sin.sin_family = AF_INET;
http_desc.local_address.sin_family = https_desc.local_address.sin_family = AF_INET;
}
if (strcmp(prefix, newprefix)) {
ast_copy_string(prefix, newprefix, sizeof(prefix));
@ -966,16 +967,16 @@ static char *handle_show_http(struct ast_cli_entry *e, int cmd, struct ast_cli_a
}
ast_cli(a->fd, "HTTP Server Status:\n");
ast_cli(a->fd, "Prefix: %s\n", prefix);
if (!http_desc.oldsin.sin_family) {
if (!http_desc.old_local_address.sin_family) {
ast_cli(a->fd, "Server Disabled\n\n");
} else {
ast_cli(a->fd, "Server Enabled and Bound to %s:%d\n\n",
ast_inet_ntoa(http_desc.oldsin.sin_addr),
ntohs(http_desc.oldsin.sin_port));
ast_inet_ntoa(http_desc.old_local_address.sin_addr),
ntohs(http_desc.old_local_address.sin_port));
if (http_tls_cfg.enabled) {
ast_cli(a->fd, "HTTPS Server Enabled and Bound to %s:%d\n\n",
ast_inet_ntoa(https_desc.oldsin.sin_addr),
ntohs(https_desc.oldsin.sin_port));
ast_inet_ntoa(https_desc.old_local_address.sin_addr),
ntohs(https_desc.old_local_address.sin_port));
}
}

40
main/manager.c
Unescape View File

@ -3104,7 +3104,7 @@ static void *session_do(void *data)
/* these fields duplicate those in the 'ser' structure */
s->fd = ser->fd;
s->f = ser->f;
s->sin = ser->requestor;
s->sin = ser->remote_address;
AST_LIST_HEAD_INIT_NOLOCK(&s->datastores);
@ -3695,7 +3695,7 @@ static void xml_translate(struct ast_str **out, char *in, struct ast_variable *v
}
static struct ast_str *generic_http_callback(enum output_format format,
struct sockaddr_in *requestor, const char *uri, enum ast_http_method method,
struct sockaddr_in *remote_address, const char *uri, enum ast_http_method method,
struct ast_variable *params, int *status,
char **title, int *contentlength)
{
@ -3724,7 +3724,7 @@ static struct ast_str *generic_http_callback(enum output_format format,
*status = 500;
goto generic_callback_out;
}
s->sin = *requestor;
s->sin = *remote_address;
s->fd = -1;
s->waiting_thread = AST_PTHREADT_NULL;
s->send_events = 0;
@ -3870,17 +3870,17 @@ generic_callback_out:
static struct ast_str *manager_http_callback(struct ast_tcptls_session_instance *ser, const struct ast_http_uri *urih, const char *uri, enum ast_http_method method, struct ast_variable *params, struct ast_variable *headers, int *status, char **title, int *contentlength)
{
return generic_http_callback(FORMAT_HTML, &ser->requestor, uri, method, params, status, title, contentlength);
return generic_http_callback(FORMAT_HTML, &ser->remote_address, uri, method, params, status, title, contentlength);
}
static struct ast_str *mxml_http_callback(struct ast_tcptls_session_instance *ser, const struct ast_http_uri *urih, const char *uri, enum ast_http_method method, struct ast_variable *params, struct ast_variable *headers, int *status, char **title, int *contentlength)
{
return generic_http_callback(FORMAT_XML, &ser->requestor, uri, method, params, status, title, contentlength);
return generic_http_callback(FORMAT_XML, &ser->remote_address, uri, method, params, status, title, contentlength);
}
static struct ast_str *rawman_http_callback(struct ast_tcptls_session_instance *ser, const struct ast_http_uri *urih, const char *uri, enum ast_http_method method, struct ast_variable *params, struct ast_variable *headers, int *status, char **title, int *contentlength)
{
return generic_http_callback(FORMAT_RAW, &ser->requestor, uri, method, params, status, title, contentlength);
return generic_http_callback(FORMAT_RAW, &ser->remote_address, uri, method, params, status, title, contentlength);
}
struct ast_http_uri rawmanuri = {
@ -3923,7 +3923,7 @@ static void purge_old_stuff(void *data)
}
struct ast_tls_config ami_tls_cfg;
static struct server_args ami_desc = {
static struct ast_tcptls_session_args ami_desc = {
.accept_fd = -1,
.master = AST_PTHREADT_NULL,
.tls_cfg = NULL,
@ -3934,7 +3934,7 @@ static struct server_args ami_desc = {
.worker_fn = session_do, /* thread handling the session */
};
static struct server_args amis_desc = {
static struct ast_tcptls_session_args amis_desc = {
.accept_fd = -1,
.master = AST_PTHREADT_NULL,
.tls_cfg = &ami_tls_cfg,
@ -4010,10 +4010,10 @@ static int __init_manager(int reload)
}
/* default values */
memset(&ami_desc.sin, 0, sizeof(struct sockaddr_in));
memset(&amis_desc.sin, 0, sizeof(amis_desc.sin));
amis_desc.sin.sin_port = htons(5039);
ami_desc.sin.sin_port = htons(DEFAULT_MANAGER_PORT);
memset(&ami_desc.local_address, 0, sizeof(struct sockaddr_in));
memset(&amis_desc.local_address, 0, sizeof(amis_desc.local_address));
amis_desc.local_address.sin_port = htons(5039);
ami_desc.local_address.sin_port = htons(DEFAULT_MANAGER_PORT);
ami_tls_cfg.enabled = 0;
if (ami_tls_cfg.certfile)
@ -4028,10 +4028,10 @@ static int __init_manager(int reload)
if (!strcasecmp(var->name, "sslenable"))
ami_tls_cfg.enabled = ast_true(val);
else if (!strcasecmp(var->name, "sslbindport"))
amis_desc.sin.sin_port = htons(atoi(val));
amis_desc.local_address.sin_port = htons(atoi(val));
else if (!strcasecmp(var->name, "sslbindaddr")) {
if ((hp = ast_gethostbyname(val, &ahp))) {
memcpy(&amis_desc.sin.sin_addr, hp->h_addr, sizeof(amis_desc.sin.sin_addr));
memcpy(&amis_desc.local_address.sin_addr, hp->h_addr, sizeof(amis_desc.local_address.sin_addr));
have_sslbindaddr = 1;
} else {
ast_log(LOG_WARNING, "Invalid bind address '%s'\n", val);
@ -4049,11 +4049,11 @@ static int __init_manager(int reload)
} else if (!strcasecmp(var->name, "webenabled")) {
webmanager_enabled = ast_true(val);
} else if (!strcasecmp(var->name, "port")) {
ami_desc.sin.sin_port = htons(atoi(val));
ami_desc.local_address.sin_port = htons(atoi(val));
} else if (!strcasecmp(var->name, "bindaddr")) {
if (!inet_aton(val, &ami_desc.sin.sin_addr)) {
if (!inet_aton(val, &ami_desc.local_address.sin_addr)) {
ast_log(LOG_WARNING, "Invalid address '%s' specified, using 0.0.0.0\n", val);
memset(&ami_desc.sin.sin_addr, 0, sizeof(ami_desc.sin.sin_addr));
memset(&ami_desc.local_address.sin_addr, 0, sizeof(ami_desc.local_address.sin_addr));
}
} else if (!strcasecmp(var->name, "allowmultiplelogin")) {
allowmultiplelogin = ast_true(val);
@ -4072,11 +4072,11 @@ static int __init_manager(int reload)
}
if (manager_enabled)
ami_desc.sin.sin_family = AF_INET;
ami_desc.local_address.sin_family = AF_INET;
if (!have_sslbindaddr)
amis_desc.sin.sin_addr = ami_desc.sin.sin_addr;
amis_desc.local_address.sin_addr = ami_desc.local_address.sin_addr;
if (ami_tls_cfg.enabled)
amis_desc.sin.sin_family = AF_INET;
amis_desc.local_address.sin_family = AF_INET;
AST_RWLIST_WRLOCK(&users);

257
main/tcptls.c
Unescape View File

@ -42,6 +42,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
#include "asterisk/strings.h"
#include "asterisk/options.h"
#include "asterisk/manager.h"
#include "asterisk/astobj2.h"
/*! \brief
* replacement read/write functions for SSL support.
@ -117,9 +118,110 @@ static void session_instance_destructor(void *obj)
ast_mutex_destroy(&i->lock);
}
/*! \brief
* creates a FILE * from the fd passed by the accept thread.
* This operation is potentially expensive (certificate verification),
* so we do it in the child thread context.
*/
static void *handle_tls_connection(void *data)
{
struct ast_tcptls_session_instance *ser = data;
#ifdef DO_SSL
int (*ssl_setup)(SSL *) = (ser->client) ? SSL_connect : SSL_accept;
int ret;
char err[256];
#endif
/*
* open a FILE * as appropriate.
*/
if (!ser->parent->tls_cfg)
ser->f = fdopen(ser->fd, "w+");
#ifdef DO_SSL
else if ( (ser->ssl = SSL_new(ser->parent->tls_cfg->ssl_ctx)) ) {
SSL_set_fd(ser->ssl, ser->fd);
if ((ret = ssl_setup(ser->ssl)) <= 0) {
ast_verb(2, "Problem setting up ssl connection: %s\n", ERR_error_string(ERR_get_error(), err));
} else {
#if defined(HAVE_FUNOPEN) /* the BSD interface */
ser->f = funopen(ser->ssl, ssl_read, ssl_write, NULL, ssl_close);
#elif defined(HAVE_FOPENCOOKIE) /* the glibc/linux interface */
static const cookie_io_functions_t cookie_funcs = {
ssl_read, ssl_write, NULL, ssl_close
};
ser->f = fopencookie(ser->ssl, "w+", cookie_funcs);
#else
/* could add other methods here */
ast_debug(2, "no ser->f methods attempted!");
#endif
if ((ser->client && !ast_test_flag(&ser->parent->tls_cfg->flags, AST_SSL_DONT_VERIFY_SERVER))
|| (!ser->client && ast_test_flag(&ser->parent->tls_cfg->flags, AST_SSL_VERIFY_CLIENT))) {
X509 *peer;
long res;
peer = SSL_get_peer_certificate(ser->ssl);
if (!peer)
ast_log(LOG_WARNING, "No peer SSL certificate\n");
res = SSL_get_verify_result(ser->ssl);
if (res != X509_V_OK)
ast_log(LOG_ERROR, "Certificate did not verify: %s\n", X509_verify_cert_error_string(res));
if (!ast_test_flag(&ser->parent->tls_cfg->flags, AST_SSL_IGNORE_COMMON_NAME)) {
ASN1_STRING *str;
unsigned char *str2;
X509_NAME *name = X509_get_subject_name(peer);
int pos = -1;
int found = 0;
for (;;) {
/* Walk the certificate to check all available "Common Name" */
/* XXX Probably should do a gethostbyname on the hostname and compare that as well */
pos = X509_NAME_get_index_by_NID(name, NID_commonName, pos);
if (pos < 0)
break;
str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, pos));
ASN1_STRING_to_UTF8(&str2, str);
if (str2) {
if (!strcasecmp(ser->parent->hostname, (char *) str2))
found = 1;
ast_debug(3, "SSL Common Name compare s1='%s' s2='%s'\n", ser->parent->hostname, str2);
OPENSSL_free(str2);
}
if (found)
break;
}
if (!found) {
ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", ser->parent->hostname);
if (peer)
X509_free(peer);
fclose(ser->f);
return NULL;
}
}
if (peer)
X509_free(peer);
}
}
if (!ser->f) /* no success opening descriptor stacking */
SSL_free(ser->ssl);
}
#endif /* DO_SSL */
if (!ser->f) {
close(ser->fd);
ast_log(LOG_WARNING, "FILE * open failed!\n");
ao2_ref(ser, -1);
return NULL;
}
if (ser && ser->parent->worker_fn)
return ser->parent->worker_fn(ser);
else
return ser;
}
void *ast_tcptls_server_root(void *data)
{
struct server_args *desc = data;
struct ast_tcptls_session_args *desc = data;
int fd;
struct sockaddr_in sin;
socklen_t sinlen;
@ -135,7 +237,7 @@ void *ast_tcptls_server_root(void *data)
if (i <= 0)
continue;
sinlen = sizeof(sin);
fd = accept(desc->accept_fd, (struct sockaddr *)&sin, &sinlen);
fd = accept(desc->accept_fd, (struct sockaddr *) &sin, &sinlen);
if (fd < 0) {
if ((errno != EAGAIN) && (errno != EINTR))
ast_log(LOG_WARNING, "Accept failed: %s\n", strerror(errno));
@ -154,11 +256,11 @@ void *ast_tcptls_server_root(void *data)
fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
ser->fd = fd;
ser->parent = desc;
memcpy(&ser->requestor, &sin, sizeof(ser->requestor));
memcpy(&ser->remote_address, &sin, sizeof(ser->remote_address));
ser->client = 0;
if (ast_pthread_create_detached_background(&launched, NULL, ast_make_file_from_fd, ser)) {
if (ast_pthread_create_detached_background(&launched, NULL, handle_tls_connection, ser)) {
ast_log(LOG_WARNING, "Unable to launch helper thread: %s\n", strerror(errno));
close(ser->fd);
ao2_ref(ser, -1);
@ -225,18 +327,19 @@ int ast_ssl_setup(struct ast_tls_config *cfg)
/*! \brief A generic client routine for a TCP client
* and starts a thread for handling accept()
*/
struct ast_tcptls_session_instance *ast_tcptls_client_start(struct server_args *desc)
struct ast_tcptls_session_instance *ast_tcptls_client_start(struct ast_tcptls_session_args *desc)
{
int flags;
int x = 1;
struct ast_tcptls_session_instance *ser = NULL;
/* Do nothing if nothing has changed */
if(!memcmp(&desc->oldsin, &desc->sin, sizeof(desc->oldsin))) {
if(!memcmp(&desc->old_local_address, &desc->local_address, sizeof(desc->old_local_address))) {
ast_debug(1, "Nothing changed in %s\n", desc->name);
return NULL;
}
desc->oldsin = desc->sin;
desc->old_local_address = desc->local_address;
if (desc->accept_fd != -1)
close(desc->accept_fd);
@ -248,10 +351,23 @@ struct ast_tcptls_session_instance *ast_tcptls_client_start(struct server_args *
return NULL;
}
if (connect(desc->accept_fd, (const struct sockaddr *)&desc->sin, sizeof(desc->sin))) {
/* if a local address was specified, bind to it so the connection will
originate from the desired address */
if (desc->local_address.sin_family != 0) {
setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
if (bind(desc->accept_fd, (struct sockaddr *) &desc->local_address, sizeof(desc->local_address))) {
ast_log(LOG_ERROR, "Unable to bind %s to %s:%d: %s\n",
desc->name,
ast_inet_ntoa(desc->local_address.sin_addr), ntohs(desc->local_address.sin_port),
strerror(errno));
goto error;
}
}
if (connect(desc->accept_fd, (const struct sockaddr *) &desc->remote_address, sizeof(desc->remote_address))) {
ast_log(LOG_ERROR, "Unable to connect %s to %s:%d: %s\n",
desc->name,
ast_inet_ntoa(desc->sin.sin_addr), ntohs(desc->sin.sin_port),
ast_inet_ntoa(desc->remote_address.sin_addr), ntohs(desc->remote_address.sin_port),
strerror(errno));
goto error;
}
@ -267,7 +383,7 @@ struct ast_tcptls_session_instance *ast_tcptls_client_start(struct server_args *
ser->fd = desc->accept_fd;
ser->parent = desc;
ser->parent->worker_fn = NULL;
memcpy(&ser->requestor, &desc->sin, sizeof(ser->requestor));
memcpy(&ser->remote_address, &desc->local_address, sizeof(ser->remote_address));
ser->client = 1;
@ -277,7 +393,7 @@ struct ast_tcptls_session_instance *ast_tcptls_client_start(struct server_args *
}
ao2_ref(ser, +1);
if (!ast_make_file_from_fd(ser))
if (!handle_tls_connection(ser))
goto error;
return ser;
@ -295,18 +411,18 @@ error:
* which does the socket/bind/listen and starts a thread for handling
* accept().
*/
void ast_tcptls_server_start(struct server_args *desc)
void ast_tcptls_server_start(struct ast_tcptls_session_args *desc)
{
int flags;
int x = 1;
/* Do nothing if nothing has changed */
if (!memcmp(&desc->oldsin, &desc->sin, sizeof(desc->oldsin))) {
if (!memcmp(&desc->old_local_address, &desc->local_address, sizeof(desc->old_local_address))) {
ast_debug(1, "Nothing changed in %s\n", desc->name);
return;
}
desc->oldsin = desc->sin;
desc->old_local_address = desc->local_address;
/* Shutdown a running server if there is one */
if (desc->master != AST_PTHREADT_NULL) {
@ -319,8 +435,9 @@ void ast_tcptls_server_start(struct server_args *desc)
close(desc->accept_fd);
/* If there's no new server, stop here */
if (desc->sin.sin_family == 0)
if (desc->local_address.sin_family == 0) {
return;
}
desc->accept_fd = socket(AF_INET, SOCK_STREAM, 0);
if (desc->accept_fd < 0) {
@ -330,10 +447,10 @@ void ast_tcptls_server_start(struct server_args *desc)
}
setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
if (bind(desc->accept_fd, (struct sockaddr *)&desc->sin, sizeof(desc->sin))) {
if (bind(desc->accept_fd, (struct sockaddr *) &desc->local_address, sizeof(desc->local_address))) {
ast_log(LOG_ERROR, "Unable to bind %s to %s:%d: %s\n",
desc->name,
ast_inet_ntoa(desc->sin.sin_addr), ntohs(desc->sin.sin_port),
ast_inet_ntoa(desc->local_address.sin_addr), ntohs(desc->local_address.sin_port),
strerror(errno));
goto error;
}
@ -346,7 +463,7 @@ void ast_tcptls_server_start(struct server_args *desc)
if (ast_pthread_create_background(&desc->master, NULL, desc->accept_fn, desc)) {
ast_log(LOG_ERROR, "Unable to launch thread for %s on %s:%d: %s\n",
desc->name,
ast_inet_ntoa(desc->sin.sin_addr), ntohs(desc->sin.sin_port),
ast_inet_ntoa(desc->local_address.sin_addr), ntohs(desc->local_address.sin_port),
strerror(errno));
goto error;
}
@ -358,7 +475,7 @@ error:
}
/*! \brief Shutdown a running server if there is one */
void ast_tcptls_server_stop(struct server_args *desc)
void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc)
{
if (desc->master != AST_PTHREADT_NULL) {
pthread_cancel(desc->master);
@ -369,105 +486,3 @@ void ast_tcptls_server_stop(struct server_args *desc)
close(desc->accept_fd);
desc->accept_fd = -1;
}
/*! \brief
* creates a FILE * from the fd passed by the accept thread.
* This operation is potentially expensive (certificate verification),
* so we do it in the child thread context.
*/
void *ast_make_file_from_fd(void *data)
{
struct ast_tcptls_session_instance *ser = data;
#ifdef DO_SSL
int (*ssl_setup)(SSL *) = (ser->client) ? SSL_connect : SSL_accept;
int ret;
char err[256];
#endif
/*
* open a FILE * as appropriate.
*/
if (!ser->parent->tls_cfg)
ser->f = fdopen(ser->fd, "w+");
#ifdef DO_SSL
else if ( (ser->ssl = SSL_new(ser->parent->tls_cfg->ssl_ctx)) ) {
SSL_set_fd(ser->ssl, ser->fd);
if ((ret = ssl_setup(ser->ssl)) <= 0) {
ast_verb(2, "Problem setting up ssl connection: %s\n", ERR_error_string(ERR_get_error(), err));
} else {
#if defined(HAVE_FUNOPEN) /* the BSD interface */
ser->f = funopen(ser->ssl, ssl_read, ssl_write, NULL, ssl_close);
#elif defined(HAVE_FOPENCOOKIE) /* the glibc/linux interface */
static const cookie_io_functions_t cookie_funcs = {
ssl_read, ssl_write, NULL, ssl_close
};
ser->f = fopencookie(ser->ssl, "w+", cookie_funcs);
#else
/* could add other methods here */
ast_debug(2, "no ser->f methods attempted!");
#endif
if ((ser->client && !ast_test_flag(&ser->parent->tls_cfg->flags, AST_SSL_DONT_VERIFY_SERVER))
|| (!ser->client && ast_test_flag(&ser->parent->tls_cfg->flags, AST_SSL_VERIFY_CLIENT))) {
X509 *peer;
long res;
peer = SSL_get_peer_certificate(ser->ssl);
if (!peer)
ast_log(LOG_WARNING, "No peer SSL certificate\n");
res = SSL_get_verify_result(ser->ssl);
if (res != X509_V_OK)
ast_log(LOG_ERROR, "Certificate did not verify: %s\n", X509_verify_cert_error_string(res));
if (!ast_test_flag(&ser->parent->tls_cfg->flags, AST_SSL_IGNORE_COMMON_NAME)) {
ASN1_STRING *str;
unsigned char *str2;
X509_NAME *name = X509_get_subject_name(peer);
int pos = -1;
int found = 0;
for (;;) {
/* Walk the certificate to check all available "Common Name" */
/* XXX Probably should do a gethostbyname on the hostname and compare that as well */
pos = X509_NAME_get_index_by_NID(name, NID_commonName, pos);
if (pos < 0)
break;
str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, pos));
ASN1_STRING_to_UTF8(&str2, str);
if (str2) {
if (!strcasecmp(ser->parent->hostname, (char *) str2))
found = 1;
ast_debug(3, "SSL Common Name compare s1='%s' s2='%s'\n", ser->parent->hostname, str2);
OPENSSL_free(str2);
}
if (found)
break;
}
if (!found) {
ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", ser->parent->hostname);
if (peer)
X509_free(peer);
fclose(ser->f);
return NULL;
}
}
if (peer)
X509_free(peer);
}
}
if (!ser->f) /* no success opening descriptor stacking */
SSL_free(ser->ssl);
}
#endif /* DO_SSL */
if (!ser->f) {
close(ser->fd);
ast_log(LOG_WARNING, "FILE * open failed!\n");
ao2_ref(ser, -1);
return NULL;
}
if (ser && ser->parent->worker_fn)
return ser->parent->worker_fn(ser);
else
return ser;
}

Write Preview
Loading…
Cancel
Save