Asterisk - The Open Source Telephony Project GIT-master-f36a736
Data Structures | Macros | Enumerations | Functions
tcptls.h File Reference

Generic support for tcp/tls servers in Asterisk. More...

#include <pthread.h>
#include <sys/param.h>
#include "asterisk/iostream.h"
#include "asterisk/netsock2.h"
#include "asterisk/utils.h"
Include dependency graph for tcptls.h:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures

struct  ast_tcptls_session_args
 arguments for the accepting thread More...
 
struct  ast_tcptls_session_instance
 describes a server instance More...
 
struct  ast_tls_config
 

Macros

#define AST_CERTFILE   "asterisk.pem"
 

Enumerations

enum  ast_ssl_flags {
  AST_SSL_VERIFY_CLIENT = (1 << 0) , AST_SSL_DONT_VERIFY_SERVER = (1 << 1) , AST_SSL_IGNORE_COMMON_NAME = (1 << 2) , AST_SSL_SSLV2_CLIENT = (1 << 3) ,
  AST_SSL_SSLV3_CLIENT = (1 << 4) , AST_SSL_TLSV1_CLIENT = (1 << 5) , AST_SSL_SERVER_CIPHER_ORDER = (1 << 6) , AST_SSL_DISABLE_TLSV1 = (1 << 7) ,
  AST_SSL_DISABLE_TLSV11 = (1 << 8) , AST_SSL_DISABLE_TLSV12 = (1 << 9)
}
 

Functions

int ast_ssl_setup (struct ast_tls_config *cfg)
 Set up an SSL server. More...
 
void ast_ssl_teardown (struct ast_tls_config *cfg)
 free resources used by an SSL server More...
 
struct ast_tcptls_session_instanceast_tcptls_client_create (struct ast_tcptls_session_args *desc)
 Creates a client connection's ast_tcptls_session_instance. More...
 
struct ast_tcptls_session_instanceast_tcptls_client_start (struct ast_tcptls_session_instance *tcptls_session)
 Attempt to connect and start a tcptls session. More...
 
struct ast_tcptls_session_instanceast_tcptls_client_start_timeout (struct ast_tcptls_session_instance *tcptls_session, int timeout)
 Attempt to connect and start a tcptls session within the given timeout. More...
 
void ast_tcptls_close_session_file (struct ast_tcptls_session_instance *tcptls_session)
 Closes a tcptls session instance's file and/or file descriptor. The tcptls_session will be set to NULL and it's file descriptor will be set to -1 by this function. More...
 
void * ast_tcptls_server_root (void *)
 
void ast_tcptls_server_start (struct ast_tcptls_session_args *desc)
 This is a generic (re)start routine for a TCP server, which does the socket/bind/listen and starts a thread for handling accept(). More...
 
void ast_tcptls_server_stop (struct ast_tcptls_session_args *desc)
 Shutdown a running server if there is one. More...
 
int ast_tls_read_conf (struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value)
 Used to parse conf files containing tls/ssl options. More...
 

Detailed Description

Generic support for tcp/tls servers in Asterisk.

Note
In order to have TLS/SSL support, we need the openssl libraries. Still we can decide whether or not to use them by commenting in or out the DO_SSL macro.

TLS/SSL support is basically implemented by reading from a config file (currently manager.conf, http.conf and pjsip.conf) the names of the certificate files and cipher to use, and then run ssl_setup() to create an appropriate data structure named ssl_ctx.

If we support multiple domains, presumably we need to read multiple certificates.

When we are requested to open a TLS socket, we run make_file_from_fd() on the socket, to do the necessary setup. At the moment the context's name is hardwired in the function, but we can certainly make it into an extra parameter to the function.

We declare most of ssl support variables unconditionally, because their number is small and this simplifies the code.

Note
The ssl-support variables (ssl_ctx, do_ssl, certfile, cipher) and their setup should be moved to a more central place, e.g. asterisk.conf and the source files that processes it. Similarly, ssl_setup() should be run earlier in the startup process so modules have it available.

TLS Implementation Overview

Definition in file tcptls.h.

Macro Definition Documentation

◆ AST_CERTFILE

#define AST_CERTFILE   "asterisk.pem"

SSL support

Definition at line 63 of file tcptls.h.

Enumeration Type Documentation

◆ ast_ssl_flags

enum ast_ssl_flags
Enumerator
AST_SSL_VERIFY_CLIENT 

Verify certificate when acting as server

AST_SSL_DONT_VERIFY_SERVER 

Don't verify certificate when connecting to a server

AST_SSL_IGNORE_COMMON_NAME 

Don't compare "Common Name" against IP or hostname

AST_SSL_SSLV2_CLIENT 

Use SSLv2 for outgoing client connections

AST_SSL_SSLV3_CLIENT 

Use SSLv3 for outgoing client connections

AST_SSL_TLSV1_CLIENT 

Use TLSv1 for outgoing client connections

AST_SSL_SERVER_CIPHER_ORDER 

Use server cipher order instead of the client order

AST_SSL_DISABLE_TLSV1 

Disable TLSv1 support

AST_SSL_DISABLE_TLSV11 

Disable TLSv1.1 support

AST_SSL_DISABLE_TLSV12 

Disable TLSv1.2 support

Definition at line 65 of file tcptls.h.

65 {
66 /*! Verify certificate when acting as server */
67 AST_SSL_VERIFY_CLIENT = (1 << 0),
68 /*! Don't verify certificate when connecting to a server */
69 AST_SSL_DONT_VERIFY_SERVER = (1 << 1),
70 /*! Don't compare "Common Name" against IP or hostname */
71 AST_SSL_IGNORE_COMMON_NAME = (1 << 2),
72 /*! Use SSLv2 for outgoing client connections */
73 AST_SSL_SSLV2_CLIENT = (1 << 3),
74 /*! Use SSLv3 for outgoing client connections */
75 AST_SSL_SSLV3_CLIENT = (1 << 4),
76 /*! Use TLSv1 for outgoing client connections */
77 AST_SSL_TLSV1_CLIENT = (1 << 5),
78 /*! Use server cipher order instead of the client order */
79 AST_SSL_SERVER_CIPHER_ORDER = (1 << 6),
80 /*! Disable TLSv1 support */
81 AST_SSL_DISABLE_TLSV1 = (1 << 7),
82 /*! Disable TLSv1.1 support */
83 AST_SSL_DISABLE_TLSV11 = (1 << 8),
84 /*! Disable TLSv1.2 support */
85 AST_SSL_DISABLE_TLSV12 = (1 << 9),
86};
AST_SSL_VERIFY_CLIENT
@ AST_SSL_VERIFY_CLIENT
Definition: tcptls.h:67
AST_SSL_DONT_VERIFY_SERVER
@ AST_SSL_DONT_VERIFY_SERVER
Definition: tcptls.h:69
AST_SSL_SSLV3_CLIENT
@ AST_SSL_SSLV3_CLIENT
Definition: tcptls.h:75
AST_SSL_DISABLE_TLSV11
@ AST_SSL_DISABLE_TLSV11
Definition: tcptls.h:83
AST_SSL_IGNORE_COMMON_NAME
@ AST_SSL_IGNORE_COMMON_NAME
Definition: tcptls.h:71
AST_SSL_TLSV1_CLIENT
@ AST_SSL_TLSV1_CLIENT
Definition: tcptls.h:77
AST_SSL_DISABLE_TLSV12
@ AST_SSL_DISABLE_TLSV12
Definition: tcptls.h:85
AST_SSL_SERVER_CIPHER_ORDER
@ AST_SSL_SERVER_CIPHER_ORDER
Definition: tcptls.h:79
AST_SSL_DISABLE_TLSV1
@ AST_SSL_DISABLE_TLSV1
Definition: tcptls.h:81
AST_SSL_SSLV2_CLIENT
@ AST_SSL_SSLV2_CLIENT
Definition: tcptls.h:73

Function Documentation

◆ ast_ssl_setup()

int ast_ssl_setup ( struct ast_tls_config cfg)

Set up an SSL server.

Parameters
cfgConfiguration for the SSL server
Return values
1Success
0Failure

Definition at line 570 of file tcptls.c.

571{
572 return __ssl_setup(cfg, 0);
573}
__ssl_setup
static int __ssl_setup(struct ast_tls_config *cfg, int client)
Definition: tcptls.c:382

References __ssl_setup().

Referenced by __ast_http_load(), and __init_manager().

◆ ast_ssl_teardown()

void ast_ssl_teardown ( struct ast_tls_config cfg)

free resources used by an SSL server

Note
This only needs to be called if ast_ssl_setup() was directly called first.
Parameters
cfgConfiguration for the SSL server

Definition at line 575 of file tcptls.c.

576{
577#ifdef DO_SSL
578 if (cfg && cfg->ssl_ctx) {
579 SSL_CTX_free(cfg->ssl_ctx);
580 cfg->ssl_ctx = NULL;
581 }
582#endif
583}
NULL
#define NULL
Definition: resample.c:96
ast_tls_config::ssl_ctx
SSL_CTX * ssl_ctx
Definition: tcptls.h:96

References NULL, and ast_tls_config::ssl_ctx.

Referenced by websocket_client_args_destroy().

◆ ast_tcptls_client_create()

struct ast_tcptls_session_instance * ast_tcptls_client_create ( struct ast_tcptls_session_args desc)

Creates a client connection's ast_tcptls_session_instance.

Definition at line 678 of file tcptls.c.

679{
680 int fd, x = 1;
681 struct ast_tcptls_session_instance *tcptls_session = NULL;
682
683 ast_assert(!desc->tls_cfg
684 || ast_test_flag(&desc->tls_cfg->flags, AST_SSL_DONT_VERIFY_SERVER)
685 || !ast_strlen_zero(desc->hostname));
686
687 /* Do nothing if nothing has changed */
688 if (!ast_sockaddr_cmp(&desc->old_address, &desc->remote_address)) {
689 ast_debug(1, "Nothing changed in %s\n", desc->name);
690 return NULL;
691 }
692
693 /* If we return early, there is no connection */
694 ast_sockaddr_setnull(&desc->old_address);
695
696 fd = desc->accept_fd = ast_socket_nonblock(ast_sockaddr_is_ipv6(&desc->remote_address) ?
697 AF_INET6 : AF_INET, SOCK_STREAM, IPPROTO_TCP);
698 if (desc->accept_fd < 0) {
699 ast_log(LOG_ERROR, "Unable to allocate socket for %s: %s\n",
700 desc->name, strerror(errno));
701 return NULL;
702 }
703
704 /* if a local address was specified, bind to it so the connection will
705 originate from the desired address */
706 if (!ast_sockaddr_isnull(&desc->local_address) &&
707 !ast_sockaddr_is_any(&desc->local_address)) {
708 setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
709 if (ast_bind(desc->accept_fd, &desc->local_address)) {
710 ast_log(LOG_ERROR, "Unable to bind %s to %s: %s\n",
711 desc->name,
712 ast_sockaddr_stringify(&desc->local_address),
713 strerror(errno));
714 goto error;
715 }
716 }
717
718 tcptls_session = ao2_alloc(sizeof(*tcptls_session), session_instance_destructor);
719 if (!tcptls_session) {
720 goto error;
721 }
722
723 tcptls_session->overflow_buf = ast_str_create(128);
724 if (!tcptls_session->overflow_buf) {
725 goto error;
726 }
727 tcptls_session->client = 1;
728 tcptls_session->stream = ast_iostream_from_fd(&fd);
729 if (!tcptls_session->stream) {
730 goto error;
731 }
732
733 /* From here on out, the iostream owns the accept_fd and it will take
734 * care of closing it when the iostream is closed */
735
736 tcptls_session->parent = desc;
737 tcptls_session->parent->worker_fn = NULL;
738 ast_sockaddr_copy(&tcptls_session->remote_address,
739 &desc->remote_address);
740
741 /* Set current info */
742 ast_sockaddr_copy(&desc->old_address, &desc->remote_address);
743
744 if (!ast_strlen_zero(desc->hostname)) {
745 if (ast_iostream_set_sni_hostname(tcptls_session->stream, desc->hostname) != 0) {
746 ast_log(LOG_WARNING, "Unable to set SNI hostname '%s' on connection '%s'\n",
747 desc->hostname, desc->name);
748 }
749 }
750
751 return tcptls_session;
752
753error:
754 close(desc->accept_fd);
755 desc->accept_fd = -1;
756 ao2_cleanup(tcptls_session);
757 return NULL;
758}
ast_log
#define ast_log
Definition: astobj2.c:42
ao2_cleanup
#define ao2_cleanup(obj)
Definition: astobj2.h:1934
ao2_alloc
#define ao2_alloc(data_size, destructor_fn)
Definition: astobj2.h:409
desc
static const char desc[]
Definition: cdr_radius.c:84
ast_debug
#define ast_debug(level,...)
Log a DEBUG message.
Definition: include/asterisk/logger.h:457
LOG_ERROR
#define LOG_ERROR
Definition: include/asterisk/logger.h:292
LOG_WARNING
#define LOG_WARNING
Definition: include/asterisk/logger.h:281
ast_iostream_from_fd
struct ast_iostream * ast_iostream_from_fd(int *fd)
Create an iostream from a file descriptor.
Definition: iostream.c:611
ast_iostream_set_sni_hostname
int ast_iostream_set_sni_hostname(struct ast_iostream *stream, const char *sni_hostname)
Set the iostream's SNI hostname for TLS client connections.
Definition: iostream.c:156
errno
int errno
ast_sockaddr_stringify
static char * ast_sockaddr_stringify(const struct ast_sockaddr *addr)
Wrapper around ast_sockaddr_stringify_fmt() with default format.
Definition: netsock2.h:256
ast_sockaddr_copy
static void ast_sockaddr_copy(struct ast_sockaddr *dst, const struct ast_sockaddr *src)
Copies the data from one ast_sockaddr to another.
Definition: netsock2.h:167
ast_sockaddr_is_ipv6
int ast_sockaddr_is_ipv6(const struct ast_sockaddr *addr)
Determine if this is an IPv6 address.
Definition: netsock2.c:524
ast_bind
int ast_bind(int sockfd, const struct ast_sockaddr *addr)
Wrapper around bind(2) that uses struct ast_sockaddr.
Definition: netsock2.c:590
ast_sockaddr_is_any
int ast_sockaddr_is_any(const struct ast_sockaddr *addr)
Determine if the address type is unspecified, or "any" address.
Definition: netsock2.c:534
ast_sockaddr_isnull
static int ast_sockaddr_isnull(const struct ast_sockaddr *addr)
Checks if the ast_sockaddr is null. "null" in this sense essentially means uninitialized,...
Definition: netsock2.h:127
ast_sockaddr_cmp
int ast_sockaddr_cmp(const struct ast_sockaddr *a, const struct ast_sockaddr *b)
Compares two ast_sockaddr structures.
Definition: netsock2.c:388
ast_sockaddr_setnull
static void ast_sockaddr_setnull(struct ast_sockaddr *addr)
Sets address addr to null.
Definition: netsock2.h:138
ast_strlen_zero
static force_inline int attribute_pure ast_strlen_zero(const char *s)
Definition: strings.h:65
ast_str_create
#define ast_str_create(init_len)
Create a malloc'ed dynamic length string.
Definition: strings.h:659
ast_tcptls_session_args::worker_fn
void *(* worker_fn)(void *)
Definition: tcptls.h:142
ast_tcptls_session_instance
describes a server instance
Definition: tcptls.h:150
ast_tcptls_session_instance::stream
struct ast_iostream * stream
Definition: tcptls.h:161
ast_tcptls_session_instance::client
int client
Definition: tcptls.h:151
ast_tcptls_session_instance::remote_address
struct ast_sockaddr remote_address
Definition: tcptls.h:152
ast_tcptls_session_instance::parent
struct ast_tcptls_session_args * parent
Definition: tcptls.h:153
ast_tcptls_session_instance::overflow_buf
struct ast_str * overflow_buf
Definition: tcptls.h:159
session_instance_destructor
static void session_instance_destructor(void *obj)
Definition: tcptls.c:72
error
int error(const char *format,...)
Definition: utils/frame.c:999
ast_test_flag
#define ast_test_flag(p, flag)
Definition: utils.h:63
ast_assert
#define ast_assert(a)
Definition: utils.h:739
ast_socket_nonblock
#define ast_socket_nonblock(domain, type, protocol)
Create a non-blocking socket.
Definition: utils.h:1073

References ao2_alloc, ao2_cleanup, ast_assert, ast_bind(), ast_debug, ast_iostream_from_fd(), ast_iostream_set_sni_hostname(), ast_log, ast_sockaddr_cmp(), ast_sockaddr_copy(), ast_sockaddr_is_any(), ast_sockaddr_is_ipv6(), ast_sockaddr_isnull(), ast_sockaddr_setnull(), ast_sockaddr_stringify(), ast_socket_nonblock, AST_SSL_DONT_VERIFY_SERVER, ast_str_create, ast_strlen_zero(), ast_test_flag, ast_tcptls_session_instance::client, desc, errno, error(), LOG_ERROR, LOG_WARNING, NULL, ast_tcptls_session_instance::overflow_buf, ast_tcptls_session_instance::parent, ast_tcptls_session_instance::remote_address, session_instance_destructor(), ast_tcptls_session_instance::stream, and ast_tcptls_session_args::worker_fn.

Referenced by app_exec(), and websocket_client_connect().

◆ ast_tcptls_client_start()

struct ast_tcptls_session_instance * ast_tcptls_client_start ( struct ast_tcptls_session_instance tcptls_session)

Attempt to connect and start a tcptls session.

Blocks until a connection is established, or an error occurs.

Note
On error the tcptls_session's ref count is decremented, fd and file are closed, and NULL is returned.
Parameters
tcptls_sessionThe session instance to connect and start
Returns
The tcptls_session, or NULL on error

Definition at line 673 of file tcptls.c.

674{
675 return ast_tcptls_client_start_timeout(tcptls_session, -1);
676}
ast_tcptls_client_start_timeout
struct ast_tcptls_session_instance * ast_tcptls_client_start_timeout(struct ast_tcptls_session_instance *tcptls_session, int timeout)
Attempt to connect and start a tcptls session within the given timeout.
Definition: tcptls.c:645

References ast_tcptls_client_start_timeout().

Referenced by app_exec().

◆ ast_tcptls_client_start_timeout()

struct ast_tcptls_session_instance * ast_tcptls_client_start_timeout ( struct ast_tcptls_session_instance tcptls_session,
int  timeout 
)

Attempt to connect and start a tcptls session within the given timeout.

Note
On error the tcptls_session's ref count is decremented, fd and file are closed, and NULL is returned.
Parameters
tcptls_sessionThe session instance to connect and start
timeoutHow long (in milliseconds) to attempt to connect (-1 equals infinite)
Returns
The tcptls_session, or NULL on error

Definition at line 645 of file tcptls.c.

647{
648 struct ast_tcptls_session_args *desc;
649
650 if (!(desc = tcptls_session->parent)) {
651 ao2_ref(tcptls_session, -1);
652 return NULL;
653 }
654
655 if (socket_connect(desc->accept_fd, &desc->remote_address, timeout)) {
656 ast_log(LOG_WARNING, "Unable to connect %s to %s: %s\n", desc->name,
657 ast_sockaddr_stringify(&desc->remote_address), strerror(errno));
658
659 ao2_ref(tcptls_session, -1);
660 return NULL;
661 }
662
663 ast_fd_clear_flags(desc->accept_fd, O_NONBLOCK);
664
665 if (desc->tls_cfg) {
666 desc->tls_cfg->enabled = 1;
667 __ssl_setup(desc->tls_cfg, 1);
668 }
669
670 return handle_tcptls_connection(tcptls_session);
671}
ao2_ref
#define ao2_ref(o, delta)
Reference/unreference an object and return the old refcount.
Definition: astobj2.h:459
ast_tcptls_session_args
arguments for the accepting thread
Definition: tcptls.h:130
socket_connect
static int socket_connect(int sockfd, const struct ast_sockaddr *addr, int timeout)
Definition: tcptls.c:601
handle_tcptls_connection
static void * handle_tcptls_connection(void *data)
creates a FILE * from the fd passed by the accept thread. This operation is potentially expensive (ce...
Definition: tcptls.c:140
ast_fd_clear_flags
#define ast_fd_clear_flags(fd, flags)
Clear flags on the given file descriptor.
Definition: utils.h:1055

References __ssl_setup(), ao2_ref, ast_fd_clear_flags, ast_log, ast_sockaddr_stringify(), desc, errno, handle_tcptls_connection(), LOG_WARNING, NULL, ast_tcptls_session_instance::parent, and socket_connect().

Referenced by ast_tcptls_client_start(), and websocket_client_connect().

◆ ast_tcptls_close_session_file()

void ast_tcptls_close_session_file ( struct ast_tcptls_session_instance tcptls_session)

Closes a tcptls session instance's file and/or file descriptor. The tcptls_session will be set to NULL and it's file descriptor will be set to -1 by this function.

Definition at line 915 of file tcptls.c.

916{
917 if (tcptls_session->stream) {
918 ast_iostream_close(tcptls_session->stream);
919 tcptls_session->stream = NULL;
920 } else {
921 ast_debug(1, "ast_tcptls_close_session_file invoked on session instance without file or file descriptor\n");
922 }
923}
ast_iostream_close
int ast_iostream_close(struct ast_iostream *stream)
Close an iostream.
Definition: iostream.c:539

References ast_debug, ast_iostream_close(), NULL, and ast_tcptls_session_instance::stream.

Referenced by ast_http_create_response(), ast_http_send(), handle_tcptls_connection(), and httpd_helper_thread().

◆ ast_tcptls_server_root()

void * ast_tcptls_server_root ( void *  data)

Definition at line 280 of file tcptls.c.

281{
282 struct ast_tcptls_session_args *desc = data;
283 int fd;
284 struct ast_sockaddr addr;
285 struct ast_tcptls_session_instance *tcptls_session;
286 pthread_t launched;
287
288 for (;;) {
289 int i;
290
291 if (desc->periodic_fn) {
292 desc->periodic_fn(desc);
293 }
294 i = ast_wait_for_input(desc->accept_fd, desc->poll_timeout);
295 if (i <= 0) {
296 /* Prevent tight loop from hogging CPU */
297 usleep(1);
298 continue;
299 }
300 fd = ast_accept(desc->accept_fd, &addr);
301 if (fd < 0) {
302 if (errno != EAGAIN
303 && errno != EWOULDBLOCK
304 && errno != EINTR
305 && errno != ECONNABORTED) {
306 ast_log(LOG_ERROR, "TCP/TLS accept failed: %s\n", strerror(errno));
307 if (errno != EMFILE) {
308 break;
309 }
310 }
311 /* Prevent tight loop from hogging CPU */
312 usleep(1);
313 continue;
314 }
315 tcptls_session = ao2_alloc(sizeof(*tcptls_session), session_instance_destructor);
316 if (!tcptls_session) {
317 close(fd);
318 continue;
319 }
320
321 tcptls_session->overflow_buf = ast_str_create(128);
322 if (!tcptls_session->overflow_buf) {
323 ao2_ref(tcptls_session, -1);
324 close(fd);
325 continue;
326 }
327 ast_fd_clear_flags(fd, O_NONBLOCK);
328
329 tcptls_session->stream = ast_iostream_from_fd(&fd);
330 if (!tcptls_session->stream) {
331 ao2_ref(tcptls_session, -1);
332 close(fd);
333 continue;
334 }
335
336 tcptls_session->parent = desc;
337 ast_sockaddr_copy(&tcptls_session->remote_address, &addr);
338
339 tcptls_session->client = 0;
340
341 /* This thread is now the only place that controls the single ref to tcptls_session */
342 if (ast_pthread_create_detached_background(&launched, NULL, handle_tcptls_connection, tcptls_session)) {
343 ast_log(LOG_ERROR, "TCP/TLS unable to launch helper thread for peer '%s': %s\n",
344 ast_sockaddr_stringify(&tcptls_session->remote_address),
345 strerror(errno));
346 ao2_ref(tcptls_session, -1);
347 }
348 }
349
350 ast_log(LOG_ERROR, "TCP/TLS listener thread ended abnormally\n");
351
352 /* Close the listener socket so Asterisk doesn't appear dead. */
353 fd = desc->accept_fd;
354 desc->accept_fd = -1;
355 if (0 <= fd) {
356 close(fd);
357 }
358 return NULL;
359}
ast_accept
int ast_accept(int sockfd, struct ast_sockaddr *addr)
Wrapper around accept(2) that uses struct ast_sockaddr.
Definition: netsock2.c:584
ast_sockaddr
Socket address structure.
Definition: netsock2.h:97
ast_wait_for_input
int ast_wait_for_input(int fd, int ms)
Definition: utils.c:1698
ast_pthread_create_detached_background
#define ast_pthread_create_detached_background(a, b, c, d)
Definition: utils.h:597

References ao2_alloc, ao2_ref, ast_accept(), ast_fd_clear_flags, ast_iostream_from_fd(), ast_log, ast_pthread_create_detached_background, ast_sockaddr_copy(), ast_sockaddr_stringify(), ast_str_create, ast_wait_for_input(), ast_tcptls_session_instance::client, desc, errno, handle_tcptls_connection(), LOG_ERROR, NULL, ast_tcptls_session_instance::overflow_buf, ast_tcptls_session_instance::parent, ast_tcptls_session_instance::remote_address, session_instance_destructor(), and ast_tcptls_session_instance::stream.

Referenced by http_server_create().

◆ ast_tcptls_server_start()

void ast_tcptls_server_start ( struct ast_tcptls_session_args desc)

This is a generic (re)start routine for a TCP server, which does the socket/bind/listen and starts a thread for handling accept().

Version
1.6.1 changed desc parameter to be of ast_tcptls_session_args type

Definition at line 760 of file tcptls.c.

761{
762 int x = 1;
763 int tls_changed = 0;
764 int sd_socket;
765
766 if (desc->tls_cfg) {
767 char hash[41];
768 char *str = NULL;
769 struct stat st;
770
771 /* Store the hashes of the TLS certificate etc. */
772 if (stat(desc->tls_cfg->certfile, &st) || NULL == (str = ast_read_textfile(desc->tls_cfg->certfile))) {
773 memset(hash, 0, 41);
774 } else {
775 ast_sha1_hash(hash, str);
776 }
777 ast_free(str);
778 str = NULL;
779 memcpy(desc->tls_cfg->certhash, hash, 41);
780 if (stat(desc->tls_cfg->pvtfile, &st) || NULL == (str = ast_read_textfile(desc->tls_cfg->pvtfile))) {
781 memset(hash, 0, 41);
782 } else {
783 ast_sha1_hash(hash, str);
784 }
785 ast_free(str);
786 str = NULL;
787 memcpy(desc->tls_cfg->pvthash, hash, 41);
788 if (stat(desc->tls_cfg->cafile, &st) || NULL == (str = ast_read_textfile(desc->tls_cfg->cafile))) {
789 memset(hash, 0, 41);
790 } else {
791 ast_sha1_hash(hash, str);
792 }
793 ast_free(str);
794 str = NULL;
795 memcpy(desc->tls_cfg->cahash, hash, 41);
796
797 /* Check whether TLS configuration has changed */
798 if (!desc->old_tls_cfg) { /* No previous configuration */
799 tls_changed = 1;
800 desc->old_tls_cfg = ast_calloc(1, sizeof(*desc->old_tls_cfg));
801 } else if (memcmp(desc->tls_cfg->certhash, desc->old_tls_cfg->certhash, 41)) {
802 tls_changed = 1;
803 } else if (memcmp(desc->tls_cfg->pvthash, desc->old_tls_cfg->pvthash, 41)) {
804 tls_changed = 1;
805 } else if (strcmp(desc->tls_cfg->cipher, desc->old_tls_cfg->cipher)) {
806 tls_changed = 1;
807 } else if (memcmp(desc->tls_cfg->cahash, desc->old_tls_cfg->cahash, 41)) {
808 tls_changed = 1;
809 } else if (strcmp(desc->tls_cfg->capath, desc->old_tls_cfg->capath)) {
810 tls_changed = 1;
811 } else if (memcmp(&desc->tls_cfg->flags, &desc->old_tls_cfg->flags, sizeof(desc->tls_cfg->flags))) {
812 tls_changed = 1;
813 }
814
815 if (tls_changed) {
816 ast_debug(1, "Changed parameters for %s found\n", desc->name);
817 }
818 }
819
820 /* Do nothing if nothing has changed */
821 if (!tls_changed && !ast_sockaddr_cmp(&desc->old_address, &desc->local_address)) {
822 ast_debug(1, "Nothing changed in %s\n", desc->name);
823 return;
824 }
825
826 /* If we return early, there is no one listening */
827 ast_sockaddr_setnull(&desc->old_address);
828
829 /* Shutdown a running server if there is one */
830 if (desc->master != AST_PTHREADT_NULL) {
831 pthread_cancel(desc->master);
832 pthread_kill(desc->master, SIGURG);
833 pthread_join(desc->master, NULL);
834 }
835
836 sd_socket = ast_sd_get_fd(SOCK_STREAM, &desc->local_address);
837
838 if (sd_socket != -1) {
839 if (desc->accept_fd != sd_socket) {
840 if (desc->accept_fd != -1) {
841 close(desc->accept_fd);
842 }
843 desc->accept_fd = sd_socket;
844 }
845
846 goto systemd_socket_activation;
847 }
848
849 if (desc->accept_fd != -1) {
850 close(desc->accept_fd);
851 desc->accept_fd = -1;
852 }
853
854 /* If there's no new server, stop here */
855 if (ast_sockaddr_isnull(&desc->local_address)) {
856 ast_debug(2, "Server disabled: %s\n", desc->name);
857 return;
858 }
859
860 desc->accept_fd = ast_socket_nonblock(ast_sockaddr_is_ipv6(&desc->local_address) ?
861 AF_INET6 : AF_INET, SOCK_STREAM, 0);
862 if (desc->accept_fd < 0) {
863 ast_log(LOG_ERROR, "Unable to allocate socket for %s: %s\n", desc->name, strerror(errno));
864 return;
865 }
866
867 setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
868 if (ast_bind(desc->accept_fd, &desc->local_address)) {
869 ast_log(LOG_ERROR, "Unable to bind %s to %s: %s\n",
870 desc->name,
871 ast_sockaddr_stringify(&desc->local_address),
872 strerror(errno));
873 goto error;
874 }
875 if (listen(desc->accept_fd, 10)) {
876 ast_log(LOG_ERROR, "Unable to listen for %s!\n", desc->name);
877 goto error;
878 }
879
880systemd_socket_activation:
881 if (ast_pthread_create_background(&desc->master, NULL, desc->accept_fn, desc)) {
882 ast_log(LOG_ERROR, "Unable to launch thread for %s on %s: %s\n",
883 desc->name,
884 ast_sockaddr_stringify(&desc->local_address),
885 strerror(errno));
886 goto error;
887 }
888
889 /* Set current info */
890 ast_sockaddr_copy(&desc->old_address, &desc->local_address);
891 if (desc->old_tls_cfg) {
892 ast_free(desc->old_tls_cfg->certfile);
893 ast_free(desc->old_tls_cfg->pvtfile);
894 ast_free(desc->old_tls_cfg->cipher);
895 ast_free(desc->old_tls_cfg->cafile);
896 ast_free(desc->old_tls_cfg->capath);
897 desc->old_tls_cfg->certfile = ast_strdup(desc->tls_cfg->certfile);
898 desc->old_tls_cfg->pvtfile = ast_strdup(desc->tls_cfg->pvtfile);
899 desc->old_tls_cfg->cipher = ast_strdup(desc->tls_cfg->cipher);
900 desc->old_tls_cfg->cafile = ast_strdup(desc->tls_cfg->cafile);
901 desc->old_tls_cfg->capath = ast_strdup(desc->tls_cfg->capath);
902 memcpy(desc->old_tls_cfg->certhash, desc->tls_cfg->certhash, 41);
903 memcpy(desc->old_tls_cfg->pvthash, desc->tls_cfg->pvthash, 41);
904 memcpy(desc->old_tls_cfg->cahash, desc->tls_cfg->cahash, 41);
905 memcpy(&desc->old_tls_cfg->flags, &desc->tls_cfg->flags, sizeof(desc->old_tls_cfg->flags));
906 }
907
908 return;
909
910error:
911 close(desc->accept_fd);
912 desc->accept_fd = -1;
913}
str
const char * str
Definition: app_jack.c:147
ast_free
#define ast_free(a)
Definition: astmm.h:180
ast_strdup
#define ast_strdup(str)
A wrapper for strdup()
Definition: astmm.h:241
ast_calloc
#define ast_calloc(num, len)
A wrapper for calloc()
Definition: astmm.h:202
ast_read_textfile
char * ast_read_textfile(const char *file)
Read a file into asterisk.
Definition: main/app.c:2949
ast_sd_get_fd
int ast_sd_get_fd(int type, const struct ast_sockaddr *addr)
Find a listening file descriptor provided by socket activation.
Definition: io.c:438
AST_PTHREADT_NULL
#define AST_PTHREADT_NULL
Definition: lock.h:66
ast_pthread_create_background
#define ast_pthread_create_background(a, b, c, d)
Definition: utils.h:592
ast_sha1_hash
void ast_sha1_hash(char *output, const char *input)
Produces SHA1 hash based on input string.
Definition: utils.c:266

References ast_bind(), ast_calloc, ast_debug, ast_free, ast_log, ast_pthread_create_background, AST_PTHREADT_NULL, ast_read_textfile(), ast_sd_get_fd(), ast_sha1_hash(), ast_sockaddr_cmp(), ast_sockaddr_copy(), ast_sockaddr_is_ipv6(), ast_sockaddr_isnull(), ast_sockaddr_setnull(), ast_sockaddr_stringify(), ast_socket_nonblock, ast_strdup, desc, errno, error(), LOG_ERROR, NULL, and str.

Referenced by __ast_http_load(), __init_manager(), and http_server_start().

◆ ast_tcptls_server_stop()

void ast_tcptls_server_stop ( struct ast_tcptls_session_args desc)

Shutdown a running server if there is one.

Version
1.6.1 changed desc parameter to be of ast_tcptls_session_args type

Definition at line 925 of file tcptls.c.

926{
927 if (desc->master != AST_PTHREADT_NULL) {
928 pthread_cancel(desc->master);
929 pthread_kill(desc->master, SIGURG);
930 pthread_join(desc->master, NULL);
931 desc->master = AST_PTHREADT_NULL;
932 }
933 if (desc->accept_fd != -1) {
934 close(desc->accept_fd);
935 }
936 desc->accept_fd = -1;
937
938 if (desc->old_tls_cfg) {
939 ast_free(desc->old_tls_cfg->certfile);
940 ast_free(desc->old_tls_cfg->pvtfile);
941 ast_free(desc->old_tls_cfg->cipher);
942 ast_free(desc->old_tls_cfg->cafile);
943 ast_free(desc->old_tls_cfg->capath);
944 ast_free(desc->old_tls_cfg);
945 desc->old_tls_cfg = NULL;
946 }
947
948 ast_debug(2, "Stopped server :: %s\n", desc->name);
949}

References ast_debug, ast_free, AST_PTHREADT_NULL, desc, and NULL.

Referenced by __ast_http_load(), __init_manager(), http_server_destroy(), manager_shutdown(), and unload_module().

◆ ast_tls_read_conf()

int ast_tls_read_conf ( struct ast_tls_config tls_cfg,
struct ast_tcptls_session_args tls_desc,
const char *  varname,
const char *  value 
)

Used to parse conf files containing tls/ssl options.

Definition at line 951 of file tcptls.c.

952{
953 if (!strcasecmp(varname, "tlsenable") || !strcasecmp(varname, "sslenable")) {
954 tls_cfg->enabled = ast_true(value) ? 1 : 0;
955 } else if (!strcasecmp(varname, "tlscertfile") || !strcasecmp(varname, "sslcert") || !strcasecmp(varname, "tlscert")) {
956 ast_free(tls_cfg->certfile);
957 tls_cfg->certfile = ast_strdup(value);
958 } else if (!strcasecmp(varname, "tlsprivatekey") || !strcasecmp(varname, "sslprivatekey")) {
959 ast_free(tls_cfg->pvtfile);
960 tls_cfg->pvtfile = ast_strdup(value);
961 } else if (!strcasecmp(varname, "tlscipher") || !strcasecmp(varname, "sslcipher")) {
962 ast_free(tls_cfg->cipher);
963 tls_cfg->cipher = ast_strdup(value);
964 } else if (!strcasecmp(varname, "tlscafile")) {
965 ast_free(tls_cfg->cafile);
966 tls_cfg->cafile = ast_strdup(value);
967 } else if (!strcasecmp(varname, "tlscapath") || !strcasecmp(varname, "tlscadir")) {
968 ast_free(tls_cfg->capath);
969 tls_cfg->capath = ast_strdup(value);
970 } else if (!strcasecmp(varname, "tlsverifyclient")) {
971 ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_VERIFY_CLIENT);
972 } else if (!strcasecmp(varname, "tlsdontverifyserver")) {
973 ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DONT_VERIFY_SERVER);
974 } else if (!strcasecmp(varname, "tlsbindaddr") || !strcasecmp(varname, "sslbindaddr")) {
975 if (ast_parse_arg(value, PARSE_ADDR, &tls_desc->local_address))
976 ast_log(LOG_ERROR, "Invalid %s '%s'\n", varname, value);
977 } else if (!strcasecmp(varname, "tlsclientmethod") || !strcasecmp(varname, "sslclientmethod")) {
978 if (!strcasecmp(value, "tlsv1")) {
979 ast_set_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
980 ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
981 ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
982 } else if (!strcasecmp(value, "sslv3")) {
983 ast_set_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
984 ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
985 ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
986 } else if (!strcasecmp(value, "sslv2")) {
987 ast_set_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
988 ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
989 ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
990 }
991 } else if (!strcasecmp(varname, "tlsservercipherorder")) {
992 ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_SERVER_CIPHER_ORDER);
993 } else if (!strcasecmp(varname, "tlsdisablev1")) {
994 ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV1);
995 } else if (!strcasecmp(varname, "tlsdisablev11")) {
996 ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV11);
997 } else if (!strcasecmp(varname, "tlsdisablev12")) {
998 ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV12);
999 } else {
1000 return -1;
1001 }
1002
1003 return 0;
1004}
ast_parse_arg
int ast_parse_arg(const char *arg, enum ast_parse_flags flags, void *p_result,...)
The argument parsing routine.
Definition: main/config.c:3842
ast_true
int attribute_pure ast_true(const char *val)
Make sure something is true. Determine if a string containing a boolean value is "true"....
Definition: utils.c:2199
ast_tcptls_session_args::local_address
struct ast_sockaddr local_address
Definition: tcptls.h:131
ast_tls_config::enabled
int enabled
Definition: tcptls.h:89
ast_tls_config::certfile
char * certfile
Definition: tcptls.h:90
ast_tls_config::cipher
char * cipher
Definition: tcptls.h:92
ast_tls_config::pvtfile
char * pvtfile
Definition: tcptls.h:91
ast_tls_config::capath
char * capath
Definition: tcptls.h:94
ast_tls_config::cafile
char * cafile
Definition: tcptls.h:93
ast_tls_config::flags
struct ast_flags flags
Definition: tcptls.h:95
value
int value
Definition: syslog.c:37
ast_set2_flag
#define ast_set2_flag(p, value, flag)
Definition: utils.h:94
ast_clear_flag
#define ast_clear_flag(p, flag)
Definition: utils.h:77
ast_set_flag
#define ast_set_flag(p, flag)
Definition: utils.h:70

References ast_clear_flag, ast_free, ast_log, ast_parse_arg(), ast_set2_flag, ast_set_flag, AST_SSL_DISABLE_TLSV1, AST_SSL_DISABLE_TLSV11, AST_SSL_DISABLE_TLSV12, AST_SSL_DONT_VERIFY_SERVER, AST_SSL_SERVER_CIPHER_ORDER, AST_SSL_SSLV2_CLIENT, AST_SSL_SSLV3_CLIENT, AST_SSL_TLSV1_CLIENT, AST_SSL_VERIFY_CLIENT, ast_strdup, ast_true(), ast_tls_config::cafile, ast_tls_config::capath, ast_tls_config::certfile, ast_tls_config::cipher, ast_tls_config::enabled, ast_tls_config::flags, ast_tcptls_session_args::local_address, LOG_ERROR, PARSE_ADDR, ast_tls_config::pvtfile, and value.

Referenced by __ast_http_load(), and __init_manager().

Generated on Wed Dec 25 2024 20:04:33 for Asterisk - The Open Source Telephony Project by doxygen 1.9.4