Asterisk - The Open Source Telephony Project GIT-master-3dae2cf
verification_config.c
Go to the documentation of this file.
1/*
2 * Asterisk -- An open source telephony toolkit.
3 *
4 * Copyright (C) 2023, Sangoma Technologies Corporation
5 *
6 * George Joseph <gjoseph@digium.com>
7 *
8 * See http://www.asterisk.org for more information about
9 * the Asterisk project. Please do not directly contact
10 * any of the maintainers of this project for assistance;
11 * the project provides a web site, mailing lists and IRC
12 * channels for your use.
13 *
14 * This program is free software, distributed under the terms of
15 * the GNU General Public License Version 2. See the LICENSE file
16 * at the top of the source tree.
17 */
18
19#define _TRACE_PREFIX_ "vc",__LINE__, ""
20
21#include "asterisk.h"
22
23#include "asterisk/cli.h"
24#include "asterisk/logger.h"
25#include "stir_shaken.h"
26
27#define CONFIG_TYPE "verification"
28
29#define DEFAULT_global_disable 0
30
31#define DEFAULT_ca_file NULL
32#define DEFAULT_ca_path NULL
33#define DEFAULT_crl_file NULL
34#define DEFAULT_crl_path NULL
35#define DEFAULT_untrusted_cert_file NULL
36#define DEFAULT_untrusted_cert_path NULL
38
39#define DEFAULT_curl_timeout 2
40#define DEFAULT_max_iat_age 15
41#define DEFAULT_max_date_header_age 15
42#define DEFAULT_max_cache_entry_age 3600
43#define DEFAULT_max_cache_size 1000
44#define DEFAULT_stir_shaken_failure_action stir_shaken_failure_action_CONTINUE
45#define DEFAULT_use_rfc9410_responses use_rfc9410_responses_NO
46#define DEFAULT_relax_x5u_port_scheme_restrictions relax_x5u_port_scheme_restrictions_NO
47#define DEFAULT_relax_x5u_path_restrictions relax_x5u_path_restrictions_NO
48#define DEFAULT_load_system_certs load_system_certs_NO
49
51
52#define STIR_SHAKEN_DIR_NAME "stir_shaken"
53
55{
58 if (cfg) {
59 return cfg;
60 }
61
62 return empty_cfg ? ao2_bump(empty_cfg) : NULL;
63}
64
66{
69 ao2_cleanup(cfg);
70
71 return !!cfg;
72}
73
75
77{
78 if (!vcfg_common) {
79 return;
80 }
82 if (vcfg_common->tcs) {
84 }
86}
87
88static void verification_destructor(void *obj)
89{
90 struct verification_cfg *cfg = obj;
93}
94
95static void *verification_alloc(const char *name)
96{
97 struct verification_cfg *cfg;
98
100 if (!cfg) {
101 return NULL;
102 }
103
104 if (ast_string_field_init(cfg, 1024)) {
105 ao2_ref(cfg, -1);
106 return NULL;
107 }
108
109 /*
110 * The memory for vcfg_common actually comes from cfg
111 * due to the weirdness of the STRFLDSET macro used with
112 * sorcery. We just use a token amount of memory in
113 * this call so the initialize doesn't fail.
114 */
115 if (ast_string_field_init(&cfg->vcfg_common, 8)) {
116 ao2_ref(cfg, -1);
117 return NULL;
118 }
119
120 return cfg;
121}
122
123int vs_copy_cfg_common(const char *id, struct verification_cfg_common *cfg_dst,
124 struct verification_cfg_common *cfg_src)
125{
126 int rc = 0;
127
128 if (!cfg_dst || !cfg_src) {
129 return -1;
130 }
131
132 if (!cfg_dst->tcs && cfg_src->tcs) {
133 cfg_sf_copy_wrapper(id, cfg_dst, cfg_src, ca_file);
134 cfg_sf_copy_wrapper(id, cfg_dst, cfg_src, ca_path);
135 cfg_sf_copy_wrapper(id, cfg_dst, cfg_src, crl_file);
136 cfg_sf_copy_wrapper(id, cfg_dst, cfg_src, crl_path);
137 cfg_sf_copy_wrapper(id, cfg_dst, cfg_src, untrusted_cert_file);
138 cfg_sf_copy_wrapper(id, cfg_dst, cfg_src, untrusted_cert_path);
139 ao2_bump(cfg_src->tcs);
140 cfg_dst->tcs = cfg_src->tcs;
141 }
142
143 cfg_sf_copy_wrapper(id, cfg_dst, cfg_src, cert_cache_dir);
144
145 cfg_uint_copy(cfg_dst, cfg_src, curl_timeout);
146 cfg_uint_copy(cfg_dst, cfg_src, max_iat_age);
147 cfg_uint_copy(cfg_dst, cfg_src, max_date_header_age);
148 cfg_uint_copy(cfg_dst, cfg_src, max_cache_entry_age);
149 cfg_uint_copy(cfg_dst, cfg_src, max_cache_size);
150
151 cfg_enum_copy(cfg_dst, cfg_src, stir_shaken_failure_action);
152 cfg_enum_copy(cfg_dst, cfg_src, use_rfc9410_responses);
153 cfg_enum_copy(cfg_dst, cfg_src, relax_x5u_port_scheme_restrictions);
154 cfg_enum_copy(cfg_dst, cfg_src, relax_x5u_path_restrictions);
155 cfg_enum_copy(cfg_dst, cfg_src, load_system_certs);
156
157 if (cfg_src->acl) {
158 ast_free_acl_list(cfg_dst->acl);
159 cfg_dst->acl = ast_duplicate_acl_list(cfg_src->acl);
160 }
161
162 return rc;
163}
164
165int vs_check_common_config(const char *id,
167{
168 SCOPE_ENTER(3, "%s: Checking common config\n", id);
169
173 "%s: ca_file '%s' not found, or is unreadable\n",
174 id, vcfg_common->ca_file);
175 }
176
180 "%s: ca_path '%s' not found, or is unreadable\n",
181 id, vcfg_common->ca_path);
182 }
183
187 "%s: crl_file '%s' not found, or is unreadable\n",
188 id, vcfg_common->crl_file);
189 }
190
194 "%s: crl_path '%s' not found, or is unreadable\n",
195 id, vcfg_common->crl_path);
196 }
197
201 "%s: untrusted_cert_file '%s' not found, or is unreadable\n",
203 }
204
208 "%s: untrusted_cert_path '%s' not found, or is unreadable\n",
210 }
211
214 int rc = 0;
215
216 if (!vcfg_common->tcs) {
218 if (!vcfg_common->tcs) {
220 "%s: Unable to create CA cert store\n", id);
221 }
222 }
225 if (rc != 0) {
227 "%s: Unable to load CA cert store from '%s' or '%s'\n",
229 }
230 }
231
234 int rc = 0;
235
236 if (!vcfg_common->tcs) {
238 if (!vcfg_common->tcs) {
240 "%s: Unable to create CA cert store\n", id);
241 }
242 }
245 if (rc != 0) {
247 "%s: Unable to load CA CRL store from '%s' or '%s'\n",
249 }
250 }
251
254 int rc = 0;
255
256 if (!vcfg_common->tcs) {
258 if (!vcfg_common->tcs) {
260 "%s: Unable to create CA cert store\n", id);
261 }
262 }
265 if (rc != 0) {
267 "%s: Unable to load CA CRL store from '%s' or '%s'\n",
269 }
270 }
271
272 if (vcfg_common->tcs) {
273 if (ENUM_BOOL(vcfg_common->load_system_certs, load_system_certs)) {
274 X509_STORE_set_default_paths(vcfg_common->tcs->certs);
275 }
276
279 X509_STORE_set_flags(vcfg_common->tcs->certs, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_EXTENDED_CRL_SUPPORT);
280 }
281 }
282
284 FILE *fp;
285 char *testfile;
286
287 if (ast_asprintf(&testfile, "%s/testfile", vcfg_common->cert_cache_dir) <= 0) {
289 "%s: Unable to allocate memory for testfile\n", id);
290 }
291
292 fp = fopen(testfile, "w+");
293 if (!fp) {
294 ast_free(testfile);
296 "%s: cert_cache_dir '%s' was not writable\n",
298 }
299 fclose(fp);
300 remove(testfile);
301 ast_free(testfile);
302 }
303
304 SCOPE_EXIT_RTN_VALUE(0, "%s: Done\n", id);
305}
306
307static char *special_addresses[] = {
308 "0.0.0.0/8",
309 "10.0.0.0/8",
310 "100.64.0.0/10",
311 "127.0.0.0/8",
312 "169.254.0.0/16",
313 "172.16.0.0/12",
314 "192.0.0.0/24",
315 "192.0.0.0/29",
316 "192.88.99.0/24",
317 "192.168.0.0/16",
318 "198.18.0.0/15",
319 "198.51.100.0/24",
320 "203.0.113.0/24",
321 "240.0.0.0/4",
322 "255.255.255.255/32",
323 "::1/128",
324 "::/128",
325/* "64:ff9b::/96", IPv4-IPv6 translation addresses should probably not be blocked by default */
326/* "::ffff:0:0/96", IPv4 mapped addresses should probably not be blocked by default */
327 "100::/64",
328 "2001::/23",
329 "2001::/32",
330 "2001:2::/48",
331 "2001:db8::/32",
332 "2001:10::/28",
333/* "2002::/16", 6to4 should problably not be blocked by default */
334 "fc00::/7",
335 "fe80::/10",
336};
337
338static int verification_apply(const struct ast_sorcery *sorcery, void *obj)
339{
340 struct verification_cfg *cfg = obj;
341 const char *id = ast_sorcery_object_get_id(cfg);
342
343 if (vs_check_common_config("verification", &cfg->vcfg_common) !=0) {
344 return -1;
345 }
346
347 if (!cfg->vcfg_common.acl) {
348 int error = 0;
349 int ignore;
350 int i;
351
352 ast_append_acl("permit", "0.0.0.0/0", &cfg->vcfg_common.acl, &error, &ignore);
353 if (error) {
355 cfg->vcfg_common.acl = NULL;
356 ast_log(LOG_ERROR, "%s: Unable to create default acl rule for '%s: %s'\n",
357 id, "permit", "0.0.0.0/0");
358 return -1;
359 }
360
361 for (i = 0; i < ARRAY_LEN(special_addresses); i++) {
363 if (error) {
365 cfg->vcfg_common.acl = NULL;
366 ast_log(LOG_ERROR, "%s: Unable to create default acl rule for '%s: %s'\n",
367 id, "deny", special_addresses[i]);
368 return -1;
369 }
370 }
371 }
372
373 return 0;
374}
375
376static char *cli_verification_show(struct ast_cli_entry *e, int cmd, struct ast_cli_args *a)
377{
378 struct verification_cfg *cfg;
379 struct config_object_cli_data data = {
380 .title = "Default Verification",
381 .object_type = config_object_type_verification,
382 };
383
384 switch(cmd) {
385 case CLI_INIT:
386 e->command = "stir_shaken show verification";
387 e->usage =
388 "Usage: stir_shaken show verification\n"
389 " Show the stir/shaken verification settings\n";
390 return NULL;
391 case CLI_GENERATE:
392 return NULL;
393 }
394
395 if (a->argc != 3) {
396 return CLI_SHOWUSAGE;
397 }
398
399 if (!vs_is_config_loaded()) {
400 ast_log(LOG_WARNING,"Stir/Shaken verification service disabled. Either there were errors in the 'verification' object in stir_shaken.conf or it was missing altogether.\n");
401 return CLI_FAILURE;
402 }
403
404 cfg = vs_get_cfg();
405 config_object_cli_show(cfg, a, &data, 0);
406
407 ao2_cleanup(cfg);
408
409 return CLI_SUCCESS;
410}
411
413 AST_CLI_DEFINE(cli_verification_show, "Show stir/shaken verification configuration"),
414};
415
417{
418 struct ast_sorcery *sorcery = get_sorcery();
420
421 if (!vs_is_config_loaded()) {
422 ast_log(LOG_WARNING,"Stir/Shaken verification service disabled. Either there were errors in the 'verification' object in stir_shaken.conf or it was missing altogether.\n");
423 }
424 if (!empty_cfg) {
426 if (!empty_cfg) {
427 return -1;
428 }
430 }
431
432 return 0;
433}
434
436{
440
441 return 0;
442}
443
445{
446 struct ast_sorcery *sorcery = get_sorcery();
447
448 snprintf(DEFAULT_cert_cache_dir, sizeof(DEFAULT_cert_cache_dir), "%s/keys/%s/cache",
450
452 "stir_shaken.conf,criteria=type=" CONFIG_TYPE ",single_object=yes,explicit_name=" CONFIG_TYPE);
453
456 ast_log(LOG_ERROR, "stir/shaken - failed to register '%s' sorcery object\n", CONFIG_TYPE);
457 return -1;
458 }
459
461 OPT_NOOP_T, 0, 0);
462
464 DEFAULT_global_disable ? "yes" : "no",
465 OPT_YESNO_T, 1, FLDSET(struct verification_cfg, global_disable));
466
468
470
471 if (!vs_is_config_loaded()) {
472 ast_log(LOG_WARNING,"Stir/Shaken verification service disabled. Either there were errors in the 'verification' object in stir_shaken.conf or it was missing altogether.\n");
473 }
474 if (!empty_cfg) {
476 if (!empty_cfg) {
477 return -1;
478 }
480 }
481
484
485 return 0;
486}
void ast_append_acl(const char *sense, const char *stuff, struct ast_acl_list **path, int *error, int *named_acl_flag)
Add a rule to an ACL struct.
Definition: acl.c:429
struct ast_acl_list * ast_free_acl_list(struct ast_acl_list *acl)
Free a list of ACLs.
Definition: acl.c:233
struct ast_acl_list * ast_duplicate_acl_list(struct ast_acl_list *original)
Duplicates the contests of a list of lists of host access rules.
Definition: acl.c:315
Asterisk main include file. File version handling, generic pbx functions.
#define PATH_MAX
Definition: asterisk.h:40
#define ast_free(a)
Definition: astmm.h:180
#define ast_asprintf(ret, fmt,...)
A wrapper for asprintf()
Definition: astmm.h:267
#define ast_log
Definition: astobj2.c:42
#define ao2_cleanup(obj)
Definition: astobj2.h:1934
#define ao2_ref(o, delta)
Reference/unreference an object and return the old refcount.
Definition: astobj2.h:459
#define ao2_bump(obj)
Bump refcount on an AO2 object by one, returning the object.
Definition: astobj2.h:480
Standard Command Line Interface.
#define CLI_SHOWUSAGE
Definition: cli.h:45
#define CLI_SUCCESS
Definition: cli.h:44
int ast_cli_unregister_multiple(struct ast_cli_entry *e, int len)
Unregister multiple commands.
Definition: clicompat.c:30
#define AST_CLI_DEFINE(fn, txt,...)
Definition: cli.h:197
@ CLI_INIT
Definition: cli.h:152
@ CLI_GENERATE
Definition: cli.h:153
#define CLI_FAILURE
Definition: cli.h:46
#define ast_cli_register_multiple(e, len)
Register multiple commands.
Definition: cli.h:265
int config_object_cli_show(void *obj, void *arg, void *data, int flags)
Output configuration settings to the Asterisk CLI.
struct ast_sorcery * get_sorcery(void)
Retrieve the stir/shaken sorcery context.
Definition: common_config.c:34
@ config_object_type_verification
#define cfg_uint_copy(__cfg_dst, __cfg_src, __field)
cfg_uint_copy
#define cfg_sf_copy_wrapper(id, __cfg_dst, __cfg_src, __field)
cfg_copy_wrapper
#define register_common_verification_fields(sorcery, object, CONFIG_TYPE, nodoc)
#define ENUM_BOOL(__enum1, __field)
#define cfg_enum_copy(__cfg_dst, __cfg_src, __field)
#define FLDSET(type,...)
Convert a struct and list of fields to an argument list of field offsets.
@ OPT_NOOP_T
Type for a default handler that should do nothing.
@ OPT_YESNO_T
Type for default option handler for bools (ast_true/ast_false)
int crypto_load_crl_store(struct crypto_cert_store *store, const char *file, const char *path)
Load an X509 Store with certificate revocation lists.
Definition: crypto_utils.c:622
int crypto_load_untrusted_cert_store(struct crypto_cert_store *store, const char *file, const char *path)
Load an X509 Store with untrusted certificates.
Definition: crypto_utils.c:579
struct crypto_cert_store * crypto_create_cert_store(void)
Create an empty X509 store.
Definition: crypto_utils.c:390
int crypto_load_cert_store(struct crypto_cert_store *store, const char *file, const char *path)
Load an X509 Store with either certificates or CRLs.
Definition: crypto_utils.c:563
#define crypto_free_cert_store(store)
Free an X509 store.
Definition: crypto_utils.h:195
static const char name[]
Definition: format_mp3.c:68
#define SCOPE_EXIT_RTN_VALUE(__return_value,...)
#define SCOPE_EXIT_LOG_RTN_VALUE(__value, __log_level,...)
#define SCOPE_ENTER(level,...)
Support for logging to various files, console and syslog Configuration in file logger....
#define LOG_ERROR
#define LOG_WARNING
#define remove
def ignore(key=None, val=None, section=None, pjsip=None, nmapped=None, type='endpoint')
Definition: sip_to_pjsip.py:48
const char * ast_config_AST_DATA_DIR
Definition: options.c:158
static struct ast_sorcery * sorcery
#define NULL
Definition: resample.c:96
const char * ast_sorcery_object_get_id(const void *object)
Get the unique identifier of a sorcery object.
Definition: sorcery.c:2317
#define ast_sorcery_object_field_register_nodoc(sorcery, type, name, default_val, opt_type, flags,...)
Register a field within an object without documentation.
Definition: sorcery.h:987
void * ast_sorcery_retrieve_by_id(const struct ast_sorcery *sorcery, const char *type, const char *id)
Retrieve an object using its unique identifier.
Definition: sorcery.c:1853
#define ast_sorcery_object_register(sorcery, type, alloc, transform, apply)
Register an object type.
Definition: sorcery.h:837
void ast_sorcery_load_object(const struct ast_sorcery *sorcery, const char *type)
Inform any wizards of a specific object type to load persistent objects.
Definition: sorcery.c:1393
void * ast_sorcery_generic_alloc(size_t size, ao2_destructor_fn destructor)
Allocate a generic sorcery capable object.
Definition: sorcery.c:1728
#define ast_sorcery_object_field_register(sorcery, type, name, default_val, opt_type, flags,...)
Register a field within an object.
Definition: sorcery.h:955
void ast_sorcery_force_reload_object(const struct ast_sorcery *sorcery, const char *type)
Inform any wizards of a specific object type to reload persistent objects even if no changes determin...
Definition: sorcery.c:1457
#define ast_sorcery_apply_default(sorcery, type, name, data)
Definition: sorcery.h:476
#define ast_string_field_init(x, size)
Initialize a field pool and fields.
Definition: stringfields.h:359
#define ast_string_field_free_memory(x)
free all memory - to be called before destroying the object
Definition: stringfields.h:374
static force_inline int attribute_pure ast_strlen_zero(const char *s)
Definition: strings.h:65
descriptor for a cli entry.
Definition: cli.h:171
char * command
Definition: cli.h:186
const char * usage
Definition: cli.h:177
Full structure for sorcery.
Definition: sorcery.c:230
X509_STORE * certs
Definition: crypto_utils.h:180
Verification Service configuration for stir/shaken.
struct crypto_cert_store * tcs
const ast_string_field cert_cache_dir
const ast_string_field ca_path
const ast_string_field crl_file
const ast_string_field crl_path
enum load_system_certs_enum load_system_certs
const ast_string_field ca_file
const ast_string_field untrusted_cert_file
struct ast_acl_list * acl
const ast_string_field untrusted_cert_path
struct verification_cfg_common vcfg_common
static struct test_val a
int error(const char *format,...)
Definition: utils/frame.c:999
int ast_file_is_readable(const char *filename)
Test that a file exists and is readable by the effective user.
Definition: utils.c:3107
#define ARRAY_LEN(a)
Definition: utils.h:666
static int verification_apply(const struct ast_sorcery *sorcery, void *obj)
void vcfg_cleanup(struct verification_cfg_common *vcfg_common)
int vs_config_reload(void)
static struct ast_cli_entry verification_cli[]
generate_vcfg_common_sorcery_handlers(verification_cfg)
int vs_is_config_loaded(void)
static void verification_destructor(void *obj)
#define STIR_SHAKEN_DIR_NAME
static char * cli_verification_show(struct ast_cli_entry *e, int cmd, struct ast_cli_args *a)
struct verification_cfg * vs_get_cfg(void)
static void * verification_alloc(const char *name)
int vs_copy_cfg_common(const char *id, struct verification_cfg_common *cfg_dst, struct verification_cfg_common *cfg_src)
static char DEFAULT_cert_cache_dir[PATH_MAX]
#define DEFAULT_global_disable
int vs_config_load(void)
static struct verification_cfg * empty_cfg
int vs_config_unload(void)
int vs_check_common_config(const char *id, struct verification_cfg_common *vcfg_common)
static char * special_addresses[]
#define CONFIG_TYPE