mirror of https://github.com/asterisk/asterisk
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
245 lines
9.0 KiB
245 lines
9.0 KiB
/*
|
|
* Asterisk -- An open source telephony toolkit.
|
|
*
|
|
* Copyright (C) 1999 - 2006, Digium, Inc.
|
|
*
|
|
* Mark Spencer <markster@digium.com>
|
|
*
|
|
* See http://www.asterisk.org for more information about
|
|
* the Asterisk project. Please do not directly contact
|
|
* any of the maintainers of this project for assistance;
|
|
* the project provides a web site, mailing lists and IRC
|
|
* channels for your use.
|
|
*
|
|
* This program is free software, distributed under the terms of
|
|
* the GNU General Public License Version 2. See the LICENSE file
|
|
* at the top of the source tree.
|
|
*/
|
|
|
|
/*!
|
|
* \file
|
|
*
|
|
* \brief Generic support for tcp/tls servers in Asterisk.
|
|
*
|
|
* \note In order to have TLS/SSL support, we need the openssl libraries.
|
|
* Still we can decide whether or not to use them by commenting
|
|
* in or out the DO_SSL macro.
|
|
*
|
|
* TLS/SSL support is basically implemented by reading from a config file
|
|
* (currently manager.conf, http.conf and pjsip.conf) the names of the certificate
|
|
* files and cipher to use, and then run ssl_setup() to create an appropriate
|
|
* data structure named ssl_ctx.
|
|
*
|
|
* If we support multiple domains, presumably we need to read multiple
|
|
* certificates.
|
|
*
|
|
* When we are requested to open a TLS socket, we run make_file_from_fd()
|
|
* on the socket, to do the necessary setup. At the moment the context's name
|
|
* is hardwired in the function, but we can certainly make it into an extra
|
|
* parameter to the function.
|
|
*
|
|
* We declare most of ssl support variables unconditionally,
|
|
* because their number is small and this simplifies the code.
|
|
*
|
|
* \note The ssl-support variables (ssl_ctx, do_ssl, certfile, cipher)
|
|
* and their setup should be moved to a more central place, e.g. asterisk.conf
|
|
* and the source files that processes it. Similarly, ssl_setup() should
|
|
* be run earlier in the startup process so modules have it available.
|
|
*
|
|
* \ref AstTlsOverview
|
|
*/
|
|
|
|
#ifndef _ASTERISK_TCPTLS_H
|
|
#define _ASTERISK_TCPTLS_H
|
|
|
|
#include <pthread.h> /* for pthread_t */
|
|
#include <sys/param.h> /* for MAXHOSTNAMELEN */
|
|
|
|
#include "asterisk/iostream.h"
|
|
#include "asterisk/netsock2.h" /* for ast_sockaddr */
|
|
#include "asterisk/utils.h" /* for ast_flags */
|
|
|
|
/*! SSL support */
|
|
#define AST_CERTFILE "asterisk.pem"
|
|
|
|
enum ast_ssl_flags {
|
|
/*! Verify certificate when acting as server */
|
|
AST_SSL_VERIFY_CLIENT = (1 << 0),
|
|
/*! Don't verify certificate when connecting to a server */
|
|
AST_SSL_DONT_VERIFY_SERVER = (1 << 1),
|
|
/*! Don't compare "Common Name" against IP or hostname */
|
|
AST_SSL_IGNORE_COMMON_NAME = (1 << 2),
|
|
/*! Use SSLv2 for outgoing client connections */
|
|
AST_SSL_SSLV2_CLIENT = (1 << 3),
|
|
/*! Use SSLv3 for outgoing client connections */
|
|
AST_SSL_SSLV3_CLIENT = (1 << 4),
|
|
/*! Use TLSv1 for outgoing client connections */
|
|
AST_SSL_TLSV1_CLIENT = (1 << 5),
|
|
/*! Use server cipher order instead of the client order */
|
|
AST_SSL_SERVER_CIPHER_ORDER = (1 << 6),
|
|
/*! Disable TLSv1 support */
|
|
AST_SSL_DISABLE_TLSV1 = (1 << 7),
|
|
/*! Disable TLSv1.1 support */
|
|
AST_SSL_DISABLE_TLSV11 = (1 << 8),
|
|
/*! Disable TLSv1.2 support */
|
|
AST_SSL_DISABLE_TLSV12 = (1 << 9),
|
|
};
|
|
|
|
struct ast_tls_config {
|
|
int enabled;
|
|
char *certfile;
|
|
char *pvtfile;
|
|
char *cipher;
|
|
char *cafile;
|
|
char *capath;
|
|
struct ast_flags flags;
|
|
SSL_CTX *ssl_ctx;
|
|
char certhash[41];
|
|
char pvthash[41];
|
|
char cahash[41];
|
|
};
|
|
|
|
/*! \page AstTlsOverview TLS Implementation Overview
|
|
*
|
|
* The following code implements a generic mechanism for starting
|
|
* services on a TCP or TLS socket.
|
|
* The service is configured in the struct session_args, and
|
|
* then started by calling server_start(desc) on the descriptor.
|
|
* server_start() first verifies if an instance of the service is active,
|
|
* and in case shuts it down. Then, if the service must be started, creates
|
|
* a socket and a thread in charge of doing the accept().
|
|
*
|
|
* The body of the thread is desc->accept_fn(desc), which the user can define
|
|
* freely. We supply a sample implementation, server_root(), structured as an
|
|
* infinite loop. At the beginning of each iteration it runs periodic_fn()
|
|
* if defined (e.g. to perform some cleanup etc.) then issues a poll()
|
|
* or equivalent with a timeout of 'poll_timeout' milliseconds, and if the
|
|
* following accept() is successful it creates a thread in charge of
|
|
* running the session, whose body is desc->worker_fn(). The argument of
|
|
* worker_fn() is a struct ast_tcptls_session_instance, which contains the address
|
|
* of the other party, a pointer to desc, the file descriptors (fd) on which
|
|
* we can do a select/poll (but NOT I/O), and a FILE *on which we can do I/O.
|
|
* We have both because we want to support plain and SSL sockets, and
|
|
* going through a FILE * lets us provide the encryption/decryption
|
|
* on the stream without using an auxiliary thread.
|
|
*/
|
|
|
|
/*! \brief
|
|
* arguments for the accepting thread
|
|
*/
|
|
struct ast_tcptls_session_args {
|
|
struct ast_sockaddr local_address;
|
|
struct ast_sockaddr old_address; /*!< copy of the local or remote address depending on if its a client or server session */
|
|
struct ast_sockaddr remote_address;
|
|
char hostname[MAXHOSTNAMELEN]; /*!< only necessary for SSL clients so we can compare to common name */
|
|
struct ast_tls_config *tls_cfg; /*!< points to the SSL configuration if any */
|
|
int accept_fd;
|
|
int poll_timeout;
|
|
/*! Server accept_fn thread ID used for external shutdown requests. */
|
|
pthread_t master;
|
|
void *(*accept_fn)(void *); /*!< the function in charge of doing the accept */
|
|
void (*periodic_fn)(void *);/*!< something we may want to run before after select on the accept socket */
|
|
void *(*worker_fn)(void *); /*!< the function in charge of doing the actual work */
|
|
const char *name;
|
|
struct ast_tls_config *old_tls_cfg; /*!< copy of the SSL configuration to determine whether changes have been made */
|
|
int suppress_connection_msgs; /*!< suppress connection messages to allow caller to manage logging */
|
|
};
|
|
|
|
/*! \brief
|
|
* describes a server instance
|
|
*/
|
|
struct ast_tcptls_session_instance {
|
|
int client;
|
|
struct ast_sockaddr remote_address;
|
|
struct ast_tcptls_session_args *parent;
|
|
/* Sometimes, when an entity reads TCP data, multiple
|
|
* logical messages might be read at the same time. In such
|
|
* a circumstance, there needs to be a place to stash the
|
|
* extra data.
|
|
*/
|
|
struct ast_str *overflow_buf;
|
|
/*! ao2 stream object associated with this session. */
|
|
struct ast_iostream *stream;
|
|
/*! ao2 object private data of parent->worker_fn */
|
|
void *private_data;
|
|
};
|
|
|
|
/*!
|
|
* \brief Attempt to connect and start a tcptls session within the given timeout
|
|
*
|
|
* \note On error the tcptls_session's ref count is decremented, fd and file
|
|
* are closed, and NULL is returned.
|
|
*
|
|
* \param tcptls_session The session instance to connect and start
|
|
* \param timeout How long (in milliseconds) to attempt to connect (-1 equals infinite)
|
|
*
|
|
* \return The tcptls_session, or NULL on error
|
|
*/
|
|
struct ast_tcptls_session_instance *ast_tcptls_client_start_timeout(
|
|
struct ast_tcptls_session_instance *tcptls_session, int timeout);
|
|
|
|
/*!
|
|
* \brief Attempt to connect and start a tcptls session
|
|
*
|
|
* Blocks until a connection is established, or an error occurs.
|
|
*
|
|
* \note On error the tcptls_session's ref count is decremented, fd and file
|
|
* are closed, and NULL is returned.
|
|
*
|
|
* \param tcptls_session The session instance to connect and start
|
|
*
|
|
* \return The tcptls_session, or NULL on error
|
|
*/
|
|
struct ast_tcptls_session_instance *ast_tcptls_client_start(struct ast_tcptls_session_instance *tcptls_session);
|
|
|
|
/*! \brief Creates a client connection's ast_tcptls_session_instance. */
|
|
struct ast_tcptls_session_instance *ast_tcptls_client_create(struct ast_tcptls_session_args *desc);
|
|
|
|
void *ast_tcptls_server_root(void *);
|
|
|
|
/*!
|
|
* \brief Closes a tcptls session instance's file and/or file descriptor.
|
|
* The tcptls_session will be set to NULL and it's file descriptor will be set to -1
|
|
* by this function.
|
|
*/
|
|
void ast_tcptls_close_session_file(struct ast_tcptls_session_instance *tcptls_session);
|
|
|
|
/*!
|
|
* \brief This is a generic (re)start routine for a TCP server,
|
|
* which does the socket/bind/listen and starts a thread for handling
|
|
* accept().
|
|
* \version 1.6.1 changed desc parameter to be of ast_tcptls_session_args type
|
|
*/
|
|
void ast_tcptls_server_start(struct ast_tcptls_session_args *desc);
|
|
|
|
/*!
|
|
* \brief Shutdown a running server if there is one
|
|
* \version 1.6.1 changed desc parameter to be of ast_tcptls_session_args type
|
|
*/
|
|
void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc);
|
|
|
|
/*!
|
|
* \brief Set up an SSL server
|
|
*
|
|
* \param cfg Configuration for the SSL server
|
|
* \retval 1 Success
|
|
* \retval 0 Failure
|
|
*/
|
|
int ast_ssl_setup(struct ast_tls_config *cfg);
|
|
|
|
/*!
|
|
* \brief free resources used by an SSL server
|
|
*
|
|
* \note This only needs to be called if ast_ssl_setup() was
|
|
* directly called first.
|
|
* \param cfg Configuration for the SSL server
|
|
*/
|
|
void ast_ssl_teardown(struct ast_tls_config *cfg);
|
|
|
|
/*!
|
|
* \brief Used to parse conf files containing tls/ssl options.
|
|
*/
|
|
int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value);
|
|
|
|
#endif /* _ASTERISK_TCPTLS_H */
|