dect
/
asterisk
Archived
13
0
Fork 0
Code Releases Activity

cleaup of the TCP/TLS socket API: 

1) rename 'struct server_args' to 'struct ast_tcptls_session_args', to follow coding guidelines

2) make ast_make_file_from_fd() static and rename it to something that indicates what it really is for (again coding guidelines)

3) rename address variables inside 'struct ast_tcptls_session_args' to be more descriptive (dare i say it... coding guidelines)

4) change ast_tcptls_client_start() to use the new 'remote_address' field of the session args for the destination of the connection, and use the 'local_address' field to bind() the socket to the proper source address, if one is supplied

5) in chan_sip, ensure that we pass in the PP address we are bound to when creating outbound (client) connections, so that our connections will appear from the correct address



git-svn-id: http://svn.digium.com/svn/asterisk/trunk@151101 f38db490-d61c-443f-a65b-d21fe96a405b
This commit is contained in:
kpfleming 2008-10-19 19:11:28 +00:00
parent e5859a4d31
commit 2b799006a1
6 changed files with 376 additions and 369 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
apps/app_externalivr.c
View File

@ -46,6 +46,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
#include "asterisk/app.h"
#include "asterisk/utils.h"
#include "asterisk/tcptls.h"
#include "asterisk/astobj2.h"
static const char *app = "ExternalIVR";
@ -419,7 +420,7 @@ static int app_exec(struct ast_channel *chan, void *data)
}
if (!strncmp(app_args[0], "ivr://", 6)) {
struct server_args ivr_desc = {
struct ast_tcptls_session_args ivr_desc = {
.accept_fd = -1,
.name = "IVR",
};
@ -438,9 +439,9 @@ static int app_exec(struct ast_channel *chan, void *data)
}
ast_gethostbyname(hostname, &hp);
ivr_desc.sin.sin_family = AF_INET;
ivr_desc.sin.sin_port = htons(port);
memmove(&ivr_desc.sin.sin_addr.s_addr, hp.hp.h_addr, hp.hp.h_length);
ivr_desc.local_address.sin_family = AF_INET;
ivr_desc.local_address.sin_port = htons(port);
memcpy(&ivr_desc.local_address.sin_addr.s_addr, hp.hp.h_addr, hp.hp.h_length);
ser = ast_tcptls_client_start(&ivr_desc);
if (!ser) {

66
channels/chan_sip.c
View File

@ -2379,7 +2379,7 @@ static struct ast_tls_config sip_tls_cfg;
static struct ast_tls_config default_tls_cfg;
/*! \brief The TCP server definition */
static struct server_args sip_tcp_desc = {
static struct ast_tcptls_session_args sip_tcp_desc = {
.accept_fd = -1,
.master = AST_PTHREADT_NULL,
.tls_cfg = NULL,
@ -2390,7 +2390,7 @@ static struct server_args sip_tcp_desc = {
};
/*! \brief The TCP/TLS server definition */
static struct server_args sip_tls_desc = {
static struct ast_tcptls_session_args sip_tls_desc = {
.accept_fd = -1,
.master = AST_PTHREADT_NULL,
.tls_cfg = &sip_tls_cfg,
@ -2544,7 +2544,7 @@ static void *_sip_tcp_helper_thread(struct sip_pvt *pvt, struct ast_tcptls_sessi
we receive is not the same - we should generate an error */
req.socket.ser = ser;
handle_request_do(&req, &ser->requestor);
handle_request_do(&req, &ser->remote_address);
}
cleanup:
@ -2588,7 +2588,7 @@ static void *unref_peer(struct sip_peer *peer, char *tag)
static struct sip_peer *ref_peer(struct sip_peer *peer, char *tag)
{
ao2_t_ref(peer, 1,tag);
ao2_t_ref(peer, 1, tag);
return peer;
}
@ -12838,8 +12838,8 @@ static char *sip_show_tcp(struct ast_cli_entry *e, int cmd, struct ast_cli_args
ast_cli(a->fd, FORMAT2, "Host", "Port", "Transport", "Type");
AST_LIST_LOCK(&threadl);
AST_LIST_TRAVERSE(&threadl, th, list) {
ast_cli(a->fd, FORMAT, ast_inet_ntoa(th->ser->requestor.sin_addr),
ntohs(th->ser->requestor.sin_port),
ast_cli(a->fd, FORMAT, ast_inet_ntoa(th->ser->remote_address.sin_addr),
ntohs(th->ser->remote_address.sin_port),
get_transport(th->type),
(th->ser->client ? "Client" : "Server"));
@ -14105,16 +14105,16 @@ static char *sip_show_settings(struct ast_cli_entry *e, int cmd, struct ast_cli_
ast_cli(a->fd, " UDP SIP Port: %d\n", ntohs(bindaddr.sin_port));
ast_cli(a->fd, " UDP Bindaddress: %s\n", ast_inet_ntoa(bindaddr.sin_addr));
ast_cli(a->fd, " TCP SIP Port: ");
if (sip_tcp_desc.sin.sin_family == AF_INET) {
ast_cli(a->fd, "%d\n", ntohs(sip_tcp_desc.sin.sin_port));
ast_cli(a->fd, " TCP Bindaddress: %s\n", ast_inet_ntoa(sip_tcp_desc.sin.sin_addr));
if (sip_tcp_desc.local_address.sin_family == AF_INET) {
ast_cli(a->fd, "%d\n", ntohs(sip_tcp_desc.local_address.sin_port));
ast_cli(a->fd, " TCP Bindaddress: %s\n", ast_inet_ntoa(sip_tcp_desc.local_address.sin_addr));
} else {
ast_cli(a->fd, "Disabled\n");
}
ast_cli(a->fd, " TLS SIP Port: ");
if (default_tls_cfg.enabled != FALSE) {
ast_cli(a->fd, "%d\n", ntohs(sip_tls_desc.sin.sin_port));
ast_cli(a->fd, " TLS Bindaddress: %s\n", ast_inet_ntoa(sip_tls_desc.sin.sin_addr));
ast_cli(a->fd, "%d\n", ntohs(sip_tls_desc.local_address.sin_port));
ast_cli(a->fd, " TLS Bindaddress: %s\n", ast_inet_ntoa(sip_tls_desc.local_address.sin_addr));
} else {
ast_cli(a->fd, "Disabled\n");
}
@ -20060,9 +20060,9 @@ static struct ast_tcptls_session_instance *sip_tcp_locate(struct sockaddr_in *s)
AST_LIST_LOCK(&threadl);
AST_LIST_TRAVERSE(&threadl, th, list) {
if ((s->sin_family == th->ser->requestor.sin_family) &&
(s->sin_addr.s_addr == th->ser->requestor.sin_addr.s_addr) &&
(s->sin_port == th->ser->requestor.sin_port)) {
if ((s->sin_family == th->ser->remote_address.sin_family) &&
(s->sin_addr.s_addr == th->ser->remote_address.sin_addr.s_addr) &&
(s->sin_port == th->ser->remote_address.sin_port)) {
AST_LIST_UNLOCK(&threadl);
return th->ser;
}
@ -20077,7 +20077,7 @@ static int sip_prepare_socket(struct sip_pvt *p)
struct sip_socket *s = &p->socket;
static const char name[] = "SIP socket";
struct ast_tcptls_session_instance *ser;
struct server_args ca = {
struct ast_tcptls_session_args ca = {
.name = name,
.accept_fd = -1,
};
@ -20097,9 +20097,9 @@ static int sip_prepare_socket(struct sip_pvt *p)
return s->fd;
}
ca.sin = *(sip_real_dst(p));
ca.remote_address = *(sip_real_dst(p));
if ((ser = sip_tcp_locate(&ca.sin))) { /* Check if we have a thread handling a socket connected to this IP/port */
if ((ser = sip_tcp_locate(&ca.remote_address))) { /* Check if we have a thread handling a socket connected to this IP/port */
s->fd = ser->fd;
if (s->ser) {
ao2_ref(s->ser, -1);
@ -22048,16 +22048,16 @@ static int reload_config(enum channelreloadreason reason)
}
/* Initialize tcp sockets */
memset(&sip_tcp_desc.sin, 0, sizeof(sip_tcp_desc.sin));
memset(&sip_tls_desc.sin, 0, sizeof(sip_tls_desc.sin));
memset(&sip_tcp_desc.local_address, 0, sizeof(sip_tcp_desc.local_address));
memset(&sip_tls_desc.local_address, 0, sizeof(sip_tls_desc.local_address));
ast_free_ha(global_contact_ha);
global_contact_ha = NULL;
default_tls_cfg.enabled = FALSE; /* Default: Disable TLS */
sip_tcp_desc.sin.sin_port = htons(STANDARD_SIP_PORT);
sip_tls_desc.sin.sin_port = htons(STANDARD_TLS_PORT);
sip_tcp_desc.local_address.sin_port = htons(STANDARD_SIP_PORT);
sip_tls_desc.local_address.sin_port = htons(STANDARD_TLS_PORT);
if (reason != CHANNEL_MODULE_LOAD) {
ast_debug(4, "--------------- SIP reload started\n");
@ -22292,17 +22292,17 @@ static int reload_config(enum channelreloadreason reason)
}
}
} else if (!strcasecmp(v->name, "tcpenable")) {
sip_tcp_desc.sin.sin_family = ast_false(v->value) ? 0 : AF_INET;
sip_tcp_desc.local_address.sin_family = ast_false(v->value) ? 0 : AF_INET;
ast_debug(2, "Enabling TCP socket for listening\n");
} else if (!strcasecmp(v->name, "tcpbindaddr")) {
int family = sip_tcp_desc.sin.sin_family;
if (ast_parse_arg(v->value, PARSE_INADDR, &sip_tcp_desc.sin))
int family = sip_tcp_desc.local_address.sin_family;
if (ast_parse_arg(v->value, PARSE_INADDR, &sip_tcp_desc.local_address))
ast_log(LOG_WARNING, "Invalid %s '%s' at line %d of %s\n", v->name, v->value, v->lineno, config);
sip_tcp_desc.sin.sin_family = family;
sip_tcp_desc.local_address.sin_family = family;
ast_debug(2, "Setting TCP socket address to %s\n", v->value);
} else if (!strcasecmp(v->name, "tlsenable")) {
default_tls_cfg.enabled = ast_true(v->value) ? TRUE : FALSE;
sip_tls_desc.sin.sin_family = AF_INET;
sip_tls_desc.local_address.sin_family = AF_INET;
} else if (!strcasecmp(v->name, "tlscertfile")) {
ast_free(default_tls_cfg.certfile);
default_tls_cfg.certfile = ast_strdup(v->value);
@ -22320,7 +22320,7 @@ static int reload_config(enum channelreloadreason reason)
} else if (!strcasecmp(v->name, "tlsdontverifyserver")) {
ast_set2_flag(&default_tls_cfg.flags, ast_true(v->value), AST_SSL_DONT_VERIFY_SERVER);
} else if (!strcasecmp(v->name, "tlsbindaddr")) {
if (ast_parse_arg(v->value, PARSE_INADDR, &sip_tls_desc.sin))
if (ast_parse_arg(v->value, PARSE_INADDR, &sip_tls_desc.local_address))
ast_log(LOG_WARNING, "Invalid %s '%s' at line %d of %s\n", v->name, v->value, v->lineno, config);
} else if (!strcasecmp(v->name, "dynamic_exclude_static") || !strcasecmp(v->name, "dynamic_excludes_static")) {
global_dynamic_exclude_static = ast_true(v->value);
@ -22798,10 +22798,10 @@ static int reload_config(enum channelreloadreason reason)
/* Start TCP server */
ast_tcptls_server_start(&sip_tcp_desc);
if (sip_tcp_desc.accept_fd == -1 && sip_tcp_desc.sin.sin_family == AF_INET) {
if (sip_tcp_desc.accept_fd == -1 && sip_tcp_desc.local_address.sin_family == AF_INET) {
/* TCP server start failed. Tell the admin */
ast_log(LOG_ERROR, "SIP TCP Server start failed. Not listening on TCP socket.\n");
sip_tcp_desc.sin.sin_family = 0;
sip_tcp_desc.local_address.sin_family = 0;
} else {
ast_debug(2, "SIP TCP server started\n");
}
@ -22836,12 +22836,12 @@ static int reload_config(enum channelreloadreason reason)
ast_log(LOG_NOTICE, "Can't add wildcard IP address to domain list, please add IP address to domain manually.\n");
/* If TCP is running on a different IP than UDP, then add it too */
if (sip_tcp_desc.sin.sin_addr.s_addr && !inaddrcmp(&bindaddr, &sip_tcp_desc.sin))
add_sip_domain(ast_inet_ntoa(sip_tcp_desc.sin.sin_addr), SIP_DOMAIN_AUTO, NULL);
if (sip_tcp_desc.local_address.sin_addr.s_addr && !inaddrcmp(&bindaddr, &sip_tcp_desc.local_address))
add_sip_domain(ast_inet_ntoa(sip_tcp_desc.local_address.sin_addr), SIP_DOMAIN_AUTO, NULL);
/* If TLS is running on a differen IP than UDP and TCP, then add that too */
if (sip_tls_desc.sin.sin_addr.s_addr && !inaddrcmp(&bindaddr, &sip_tls_desc.sin) && inaddrcmp(&sip_tcp_desc.sin, &sip_tls_desc.sin))
add_sip_domain(ast_inet_ntoa(sip_tls_desc.sin.sin_addr), SIP_DOMAIN_AUTO, NULL);
if (sip_tls_desc.local_address.sin_addr.s_addr && !inaddrcmp(&bindaddr, &sip_tls_desc.local_address) && inaddrcmp(&sip_tcp_desc.local_address, &sip_tls_desc.local_address))
add_sip_domain(ast_inet_ntoa(sip_tls_desc.local_address.sin_addr), SIP_DOMAIN_AUTO, NULL);
/* Our extern IP address, if configured */
if (externip.sin_addr.s_addr)

63
include/asterisk/tcptls.h
View File

@ -45,12 +45,10 @@
*
*/
#ifndef _ASTERISK_SERVER_H
#define _ASTERISK_SERVER_H
#ifndef _ASTERISK_TCPTLS_H
#define _ASTERISK_TCPTLS_H
#include "asterisk/utils.h"
#include "asterisk/astobj2.h"
#if defined(HAVE_OPENSSL) && (defined(HAVE_FUNOPEN) || defined(HAVE_FOPENCOOKIE))
#define DO_SSL /* comment in/out if you want to support ssl */
@ -90,7 +88,7 @@ struct ast_tls_config {
/*!
* The following code implements a generic mechanism for starting
* services on a TCP or TLS socket.
* The service is configured in the struct server_args, and
* The service is configured in the struct session_args, and
* then started by calling server_start(desc) on the descriptor.
* server_start() first verifies if an instance of the service is active,
* and in case shuts it down. Then, if the service must be started, creates
@ -105,38 +103,19 @@ struct ast_tls_config {
* running the session, whose body is desc->worker_fn(). The argument of
* worker_fn() is a struct ast_tcptls_session_instance, which contains the address
* of the other party, a pointer to desc, the file descriptors (fd) on which
* we can do a select/poll (but NOT IO/, and a FILE *on which we can do I/O.
* we can do a select/poll (but NOT I/O), and a FILE *on which we can do I/O.
* We have both because we want to support plain and SSL sockets, and
* going through a FILE *lets us provide the encryption/decryption
* going through a FILE * lets us provide the encryption/decryption
* on the stream without using an auxiliary thread.
*
* NOTE: in order to let other parts of asterisk use these services,
* we need to do the following:
* + move struct ast_tcptls_session_instance and struct server_args to
* a common header file, together with prototypes for
* server_start() and server_root().
*/
/*! \brief
* describes a server instance
*/
struct ast_tcptls_session_instance {
FILE *f; /* fopen/funopen result */
int fd; /* the socket returned by accept() */
SSL *ssl; /* ssl state */
/* iint (*ssl_setup)(SSL *); */
int client;
struct sockaddr_in requestor;
struct server_args *parent;
ast_mutex_t lock;
};
/*! \brief
* arguments for the accepting thread
*/
struct server_args {
struct sockaddr_in sin;
struct sockaddr_in oldsin;
struct ast_tcptls_session_args {
struct sockaddr_in local_address;
struct sockaddr_in old_local_address;
struct sockaddr_in remote_address;
char hostname[MAXHOSTNAMELEN]; /*!< only necessary for SSL clients so we can compare to common name */
struct ast_tls_config *tls_cfg; /*!< points to the SSL configuration if any */
int accept_fd;
@ -148,6 +127,20 @@ struct server_args {
const char *name;
};
/*
* describes a server instance
*/
struct ast_tcptls_session_instance {
FILE *f; /* fopen/funopen result */
int fd; /* the socket returned by accept() */
SSL *ssl; /* ssl state */
/* iint (*ssl_setup)(SSL *); */
int client;
struct sockaddr_in remote_address;
struct ast_tcptls_session_args *parent;
ast_mutex_t lock;
};
#if defined(HAVE_FUNOPEN)
#define HOOK_T int
#define LEN_T int
@ -156,16 +149,14 @@ struct server_args {
#define LEN_T size_t
#endif
struct ast_tcptls_session_instance *ast_tcptls_client_start(struct server_args *desc);
struct ast_tcptls_session_instance *ast_tcptls_client_start(struct ast_tcptls_session_args *desc);
void *ast_tcptls_server_root(void *);
void ast_tcptls_server_start(struct server_args *desc);
void ast_tcptls_server_stop(struct server_args *desc);
void ast_tcptls_server_start(struct ast_tcptls_session_args *desc);
void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc);
int ast_ssl_setup(struct ast_tls_config *cfg);
void *ast_make_file_from_fd(void *data);
HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *ser, void *buf, size_t count);
HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *ser, void *buf, size_t count);
#endif /* _ASTERISK_SERVER_H */
#endif /* _ASTERISK_TCPTLS_H */

41
main/http.c
View File

@ -50,6 +50,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
#include "asterisk/ast_version.h"
#include "asterisk/manager.h"
#include "asterisk/_private.h"
#include "asterisk/astobj2.h"
#define MAX_PREFIX 80
@ -65,7 +66,7 @@ static void *httpd_helper_thread(void *arg);
/*!
* we have up to two accepting threads, one for http, one for https
*/
static struct server_args http_desc = {
static struct ast_tcptls_session_args http_desc = {
.accept_fd = -1,
.master = AST_PTHREADT_NULL,
.tls_cfg = NULL,
@ -75,7 +76,7 @@ static struct server_args http_desc = {
.worker_fn = httpd_helper_thread,
};
static struct server_args https_desc = {
static struct ast_tcptls_session_args https_desc = {
.accept_fd = -1,
.master = AST_PTHREADT_NULL,
.tls_cfg = &http_tls_cfg,
@ -254,13 +255,13 @@ static struct ast_str *httpstatus_callback(struct ast_tcptls_session_instance *s
"<h2>&nbsp;&nbsp;Asterisk&trade; HTTP Status</h2></td></tr>\r\n");
ast_str_append(&out, 0, "<tr><td><i>Prefix</i></td><td><b>%s</b></td></tr>\r\n", prefix);
ast_str_append(&out, 0, "<tr><td><i>Bind Address</i></td><td><b>%s</b></td></tr>\r\n",
ast_inet_ntoa(http_desc.oldsin.sin_addr));
ast_inet_ntoa(http_desc.old_local_address.sin_addr));
ast_str_append(&out, 0, "<tr><td><i>Bind Port</i></td><td><b>%d</b></td></tr>\r\n",
ntohs(http_desc.oldsin.sin_port));
ntohs(http_desc.old_local_address.sin_port));
if (http_tls_cfg.enabled) {
ast_str_append(&out, 0, "<tr><td><i>SSL Bind Port</i></td><td><b>%d</b></td></tr>\r\n",
ntohs(https_desc.oldsin.sin_port));
ntohs(https_desc.old_local_address.sin_port));
}
ast_str_append(&out, 0, "<tr><td colspan=\"2\"><hr></td></tr>\r\n");
@ -857,11 +858,11 @@ static int __ast_http_load(int reload)
}
/* default values */
memset(&http_desc.sin, 0, sizeof(http_desc.sin));
http_desc.sin.sin_port = htons(8088);
memset(&http_desc.local_address, 0, sizeof(http_desc.local_address));
http_desc.local_address.sin_port = htons(8088);
memset(&https_desc.sin, 0, sizeof(https_desc.sin));
https_desc.sin.sin_port = htons(8089);
memset(&https_desc.local_address, 0, sizeof(https_desc.local_address));
https_desc.local_address.sin_port = htons(8089);
http_tls_cfg.enabled = 0;
if (http_tls_cfg.certfile) {
@ -887,7 +888,7 @@ static int __ast_http_load(int reload)
} else if (!strcasecmp(v->name, "sslenable")) {
http_tls_cfg.enabled = ast_true(v->value);
} else if (!strcasecmp(v->name, "sslbindport")) {
https_desc.sin.sin_port = htons(atoi(v->value));
https_desc.local_address.sin_port = htons(atoi(v->value));
} else if (!strcasecmp(v->name, "sslcert")) {
ast_free(http_tls_cfg.certfile);
http_tls_cfg.certfile = ast_strdup(v->value);
@ -897,17 +898,17 @@ static int __ast_http_load(int reload)
} else if (!strcasecmp(v->name, "enablestatic")) {
newenablestatic = ast_true(v->value);
} else if (!strcasecmp(v->name, "bindport")) {
http_desc.sin.sin_port = htons(atoi(v->value));
http_desc.local_address.sin_port = htons(atoi(v->value));
} else if (!strcasecmp(v->name, "sslbindaddr")) {
if ((hp = ast_gethostbyname(v->value, &ahp))) {
memcpy(&https_desc.sin.sin_addr, hp->h_addr, sizeof(https_desc.sin.sin_addr));
memcpy(&https_desc.local_address.sin_addr, hp->h_addr, sizeof(https_desc.local_address.sin_addr));
have_sslbindaddr = 1;
} else {
ast_log(LOG_WARNING, "Invalid bind address '%s'\n", v->value);
}
} else if (!strcasecmp(v->name, "bindaddr")) {
if ((hp = ast_gethostbyname(v->value, &ahp))) {
memcpy(&http_desc.sin.sin_addr, hp->h_addr, sizeof(http_desc.sin.sin_addr));
memcpy(&http_desc.local_address.sin_addr, hp->h_addr, sizeof(http_desc.local_address.sin_addr));
} else {
ast_log(LOG_WARNING, "Invalid bind address '%s'\n", v->value);
}
@ -929,10 +930,10 @@ static int __ast_http_load(int reload)
}
if (!have_sslbindaddr) {
https_desc.sin.sin_addr = http_desc.sin.sin_addr;
https_desc.local_address.sin_addr = http_desc.local_address.sin_addr;
}
if (enabled) {
http_desc.sin.sin_family = https_desc.sin.sin_family = AF_INET;
http_desc.local_address.sin_family = https_desc.local_address.sin_family = AF_INET;
}
if (strcmp(prefix, newprefix)) {
ast_copy_string(prefix, newprefix, sizeof(prefix));
@ -967,16 +968,16 @@ static char *handle_show_http(struct ast_cli_entry *e, int cmd, struct ast_cli_a
}
ast_cli(a->fd, "HTTP Server Status:\n");
ast_cli(a->fd, "Prefix: %s\n", prefix);
if (!http_desc.oldsin.sin_family) {
if (!http_desc.old_local_address.sin_family) {
ast_cli(a->fd, "Server Disabled\n\n");
} else {
ast_cli(a->fd, "Server Enabled and Bound to %s:%d\n\n",
ast_inet_ntoa(http_desc.oldsin.sin_addr),
ntohs(http_desc.oldsin.sin_port));
ast_inet_ntoa(http_desc.old_local_address.sin_addr),
ntohs(http_desc.old_local_address.sin_port));
if (http_tls_cfg.enabled) {
ast_cli(a->fd, "HTTPS Server Enabled and Bound to %s:%d\n\n",
ast_inet_ntoa(https_desc.oldsin.sin_addr),
ntohs(https_desc.oldsin.sin_port));
ast_inet_ntoa(https_desc.old_local_address.sin_addr),
ntohs(https_desc.old_local_address.sin_port));
}
}

40
main/manager.c
View File

@ -3105,7 +3105,7 @@ static void *session_do(void *data)
/* these fields duplicate those in the 'ser' structure */
s->fd = ser->fd;
s->f = ser->f;
s->sin = ser->requestor;
s->sin = ser->remote_address;
AST_LIST_HEAD_INIT_NOLOCK(&s->datastores);
@ -3696,7 +3696,7 @@ static void xml_translate(struct ast_str **out, char *in, struct ast_variable *v
}
static struct ast_str *generic_http_callback(enum output_format format,
struct sockaddr_in *requestor, const char *uri, enum ast_http_method method,
struct sockaddr_in *remote_address, const char *uri, enum ast_http_method method,
struct ast_variable *params, int *status,
char **title, int *contentlength)
{
@ -3725,7 +3725,7 @@ static struct ast_str *generic_http_callback(enum output_format format,
*status = 500;
goto generic_callback_out;
}
s->sin = *requestor;
s->sin = *remote_address;
s->fd = -1;
s->waiting_thread = AST_PTHREADT_NULL;
s->send_events = 0;
@ -3871,17 +3871,17 @@ generic_callback_out:
static struct ast_str *manager_http_callback(struct ast_tcptls_session_instance *ser, const struct ast_http_uri *urih, const char *uri, enum ast_http_method method, struct ast_variable *params, struct ast_variable *headers, int *status, char **title, int *contentlength)
{
return generic_http_callback(FORMAT_HTML, &ser->requestor, uri, method, params, status, title, contentlength);
return generic_http_callback(FORMAT_HTML, &ser->remote_address, uri, method, params, status, title, contentlength);
}
static struct ast_str *mxml_http_callback(struct ast_tcptls_session_instance *ser, const struct ast_http_uri *urih, const char *uri, enum ast_http_method method, struct ast_variable *params, struct ast_variable *headers, int *status, char **title, int *contentlength)
{
return generic_http_callback(FORMAT_XML, &ser->requestor, uri, method, params, status, title, contentlength);
return generic_http_callback(FORMAT_XML, &ser->remote_address, uri, method, params, status, title, contentlength);
}
static struct ast_str *rawman_http_callback(struct ast_tcptls_session_instance *ser, const struct ast_http_uri *urih, const char *uri, enum ast_http_method method, struct ast_variable *params, struct ast_variable *headers, int *status, char **title, int *contentlength)
{
return generic_http_callback(FORMAT_RAW, &ser->requestor, uri, method, params, status, title, contentlength);
return generic_http_callback(FORMAT_RAW, &ser->remote_address, uri, method, params, status, title, contentlength);
}
struct ast_http_uri rawmanuri = {
@ -3924,7 +3924,7 @@ static void purge_old_stuff(void *data)
}
struct ast_tls_config ami_tls_cfg;
static struct server_args ami_desc = {
static struct ast_tcptls_session_args ami_desc = {
.accept_fd = -1,
.master = AST_PTHREADT_NULL,
.tls_cfg = NULL,
@ -3935,7 +3935,7 @@ static struct server_args ami_desc = {
.worker_fn = session_do, /* thread handling the session */
};
static struct server_args amis_desc = {
static struct ast_tcptls_session_args amis_desc = {
.accept_fd = -1,
.master = AST_PTHREADT_NULL,
.tls_cfg = &ami_tls_cfg,
@ -4011,10 +4011,10 @@ static int __init_manager(int reload)
}
/* default values */
memset(&ami_desc.sin, 0, sizeof(struct sockaddr_in));
memset(&amis_desc.sin, 0, sizeof(amis_desc.sin));
amis_desc.sin.sin_port = htons(5039);
ami_desc.sin.sin_port = htons(DEFAULT_MANAGER_PORT);
memset(&ami_desc.local_address, 0, sizeof(struct sockaddr_in));
memset(&amis_desc.local_address, 0, sizeof(amis_desc.local_address));
amis_desc.local_address.sin_port = htons(5039);
ami_desc.local_address.sin_port = htons(DEFAULT_MANAGER_PORT);
ami_tls_cfg.enabled = 0;
if (ami_tls_cfg.certfile)
@ -4029,10 +4029,10 @@ static int __init_manager(int reload)
if (!strcasecmp(var->name, "sslenable"))
ami_tls_cfg.enabled = ast_true(val);
else if (!strcasecmp(var->name, "sslbindport"))
amis_desc.sin.sin_port = htons(atoi(val));
amis_desc.local_address.sin_port = htons(atoi(val));
else if (!strcasecmp(var->name, "sslbindaddr")) {
if ((hp = ast_gethostbyname(val, &ahp))) {
memcpy(&amis_desc.sin.sin_addr, hp->h_addr, sizeof(amis_desc.sin.sin_addr));
memcpy(&amis_desc.local_address.sin_addr, hp->h_addr, sizeof(amis_desc.local_address.sin_addr));
have_sslbindaddr = 1;
} else {
ast_log(LOG_WARNING, "Invalid bind address '%s'\n", val);
@ -4050,11 +4050,11 @@ static int __init_manager(int reload)
} else if (!strcasecmp(var->name, "webenabled")) {
webmanager_enabled = ast_true(val);
} else if (!strcasecmp(var->name, "port")) {
ami_desc.sin.sin_port = htons(atoi(val));
ami_desc.local_address.sin_port = htons(atoi(val));
} else if (!strcasecmp(var->name, "bindaddr")) {
if (!inet_aton(val, &ami_desc.sin.sin_addr)) {
if (!inet_aton(val, &ami_desc.local_address.sin_addr)) {
ast_log(LOG_WARNING, "Invalid address '%s' specified, using 0.0.0.0\n", val);
memset(&ami_desc.sin.sin_addr, 0, sizeof(ami_desc.sin.sin_addr));
memset(&ami_desc.local_address.sin_addr, 0, sizeof(ami_desc.local_address.sin_addr));
}
} else if (!strcasecmp(var->name, "allowmultiplelogin")) {
allowmultiplelogin = ast_true(val);
@ -4073,11 +4073,11 @@ static int __init_manager(int reload)
}
if (manager_enabled)
ami_desc.sin.sin_family = AF_INET;
ami_desc.local_address.sin_family = AF_INET;
if (!have_sslbindaddr)
amis_desc.sin.sin_addr = ami_desc.sin.sin_addr;
amis_desc.local_address.sin_addr = ami_desc.local_address.sin_addr;
if (ami_tls_cfg.enabled)
amis_desc.sin.sin_family = AF_INET;
amis_desc.local_address.sin_family = AF_INET;
AST_RWLIST_WRLOCK(&users);

526
main/tcptls.c
View File

@ -42,6 +42,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
#include "asterisk/strings.h"
#include "asterisk/options.h"
#include "asterisk/manager.h"
#include "asterisk/astobj2.h"
/*! \brief
* replacement read/write functions for SSL support.
@ -117,267 +118,12 @@ static void session_instance_destructor(void *obj)
ast_mutex_destroy(&i->lock);
}
void *ast_tcptls_server_root(void *data)
{
struct server_args *desc = data;
int fd;
struct sockaddr_in sin;
socklen_t sinlen;
struct ast_tcptls_session_instance *ser;
pthread_t launched;
for (;;) {
int i, flags;
if (desc->periodic_fn)
desc->periodic_fn(desc);
i = ast_wait_for_input(desc->accept_fd, desc->poll_timeout);
if (i <= 0)
continue;
sinlen = sizeof(sin);
fd = accept(desc->accept_fd, (struct sockaddr *)&sin, &sinlen);
if (fd < 0) {
if ((errno != EAGAIN) && (errno != EINTR))
ast_log(LOG_WARNING, "Accept failed: %s\n", strerror(errno));
continue;
}
ser = ao2_alloc(sizeof(*ser), session_instance_destructor);
if (!ser) {
ast_log(LOG_WARNING, "No memory for new session: %s\n", strerror(errno));
close(fd);
continue;
}
ast_mutex_init(&ser->lock);
flags = fcntl(fd, F_GETFL);
fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
ser->fd = fd;
ser->parent = desc;
memcpy(&ser->requestor, &sin, sizeof(ser->requestor));
ser->client = 0;
if (ast_pthread_create_detached_background(&launched, NULL, ast_make_file_from_fd, ser)) {
ast_log(LOG_WARNING, "Unable to launch helper thread: %s\n", strerror(errno));
close(ser->fd);
ao2_ref(ser, -1);
}
}
return NULL;
}
static int __ssl_setup(struct ast_tls_config *cfg, int client)
{
#ifndef DO_SSL
cfg->enabled = 0;
return 0;
#else
if (!cfg->enabled)
return 0;
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
if (!(cfg->ssl_ctx = SSL_CTX_new( client ? SSLv23_client_method() : SSLv23_server_method() ))) {
ast_debug(1, "Sorry, SSL_CTX_new call returned null...\n");
cfg->enabled = 0;
return 0;
}
if (!ast_strlen_zero(cfg->certfile)) {
if (SSL_CTX_use_certificate_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0 ||
SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0 ||
SSL_CTX_check_private_key(cfg->ssl_ctx) == 0 ) {
if (!client) {
/* Clients don't need a certificate, but if its setup we can use it */
ast_verb(0, "SSL cert error <%s>", cfg->certfile);
sleep(2);
cfg->enabled = 0;
return 0;
}
}
}
if (!ast_strlen_zero(cfg->cipher)) {
if (SSL_CTX_set_cipher_list(cfg->ssl_ctx, cfg->cipher) == 0 ) {
if (!client) {
ast_verb(0, "SSL cipher error <%s>", cfg->cipher);
sleep(2);
cfg->enabled = 0;
return 0;
}
}
}
if (!ast_strlen_zero(cfg->cafile) || !ast_strlen_zero(cfg->capath)) {
if (SSL_CTX_load_verify_locations(cfg->ssl_ctx, S_OR(cfg->cafile, NULL), S_OR(cfg->capath,NULL)) == 0)
ast_verb(0, "SSL CA file(%s)/path(%s) error\n", cfg->cafile, cfg->capath);
}
ast_verb(0, "SSL certificate ok\n");
return 1;
#endif
}
int ast_ssl_setup(struct ast_tls_config *cfg)
{
return __ssl_setup(cfg, 0);
}
/*! \brief A generic client routine for a TCP client
* and starts a thread for handling accept()
*/
struct ast_tcptls_session_instance *ast_tcptls_client_start(struct server_args *desc)
{
int flags;
struct ast_tcptls_session_instance *ser = NULL;
/* Do nothing if nothing has changed */
if(!memcmp(&desc->oldsin, &desc->sin, sizeof(desc->oldsin))) {
ast_debug(1, "Nothing changed in %s\n", desc->name);
return NULL;
}
desc->oldsin = desc->sin;
if (desc->accept_fd != -1)
close(desc->accept_fd);
desc->accept_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (desc->accept_fd < 0) {
ast_log(LOG_WARNING, "Unable to allocate socket for %s: %s\n",
desc->name, strerror(errno));
return NULL;
}
if (connect(desc->accept_fd, (const struct sockaddr *)&desc->sin, sizeof(desc->sin))) {
ast_log(LOG_ERROR, "Unable to connect %s to %s:%d: %s\n",
desc->name,
ast_inet_ntoa(desc->sin.sin_addr), ntohs(desc->sin.sin_port),
strerror(errno));
goto error;
}
if (!(ser = ao2_alloc(sizeof(*ser), session_instance_destructor)))
goto error;
ast_mutex_init(&ser->lock);
flags = fcntl(desc->accept_fd, F_GETFL);
fcntl(desc->accept_fd, F_SETFL, flags & ~O_NONBLOCK);
ser->fd = desc->accept_fd;
ser->parent = desc;
ser->parent->worker_fn = NULL;
memcpy(&ser->requestor, &desc->sin, sizeof(ser->requestor));
ser->client = 1;
if (desc->tls_cfg) {
desc->tls_cfg->enabled = 1;
__ssl_setup(desc->tls_cfg, 1);
}
ao2_ref(ser, +1);
if (!ast_make_file_from_fd(ser))
goto error;
return ser;
error:
close(desc->accept_fd);
desc->accept_fd = -1;
if (ser)
ao2_ref(ser, -1);
return NULL;
}
/*! \brief
* This is a generic (re)start routine for a TCP server,
* which does the socket/bind/listen and starts a thread for handling
* accept().
*/
void ast_tcptls_server_start(struct server_args *desc)
{
int flags;
int x = 1;
/* Do nothing if nothing has changed */
if (!memcmp(&desc->oldsin, &desc->sin, sizeof(desc->oldsin))) {
ast_debug(1, "Nothing changed in %s\n", desc->name);
return;
}
desc->oldsin = desc->sin;
/* Shutdown a running server if there is one */
if (desc->master != AST_PTHREADT_NULL) {
pthread_cancel(desc->master);
pthread_kill(desc->master, SIGURG);
pthread_join(desc->master, NULL);
}
if (desc->accept_fd != -1)
close(desc->accept_fd);
/* If there's no new server, stop here */
if (desc->sin.sin_family == 0) {
ast_debug(2, "Server disabled: %s\n", desc->name);
return;
}
desc->accept_fd = socket(AF_INET, SOCK_STREAM, 0);
if (desc->accept_fd < 0) {
ast_log(LOG_ERROR, "Unable to allocate socket for %s: %s\n", desc->name, strerror(errno));
return;
}
setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
if (bind(desc->accept_fd, (struct sockaddr *)&desc->sin, sizeof(desc->sin))) {
ast_log(LOG_ERROR, "Unable to bind %s to %s:%d: %s\n",
desc->name,
ast_inet_ntoa(desc->sin.sin_addr), ntohs(desc->sin.sin_port),
strerror(errno));
goto error;
}
if (listen(desc->accept_fd, 10)) {
ast_log(LOG_ERROR, "Unable to listen for %s!\n", desc->name);
goto error;
}
flags = fcntl(desc->accept_fd, F_GETFL);
fcntl(desc->accept_fd, F_SETFL, flags | O_NONBLOCK);
if (ast_pthread_create_background(&desc->master, NULL, desc->accept_fn, desc)) {
ast_log(LOG_ERROR, "Unable to launch thread for %s on %s:%d: %s\n",
desc->name,
ast_inet_ntoa(desc->sin.sin_addr), ntohs(desc->sin.sin_port),
strerror(errno));
goto error;
}
return;
error:
close(desc->accept_fd);
desc->accept_fd = -1;
}
/*! \brief Shutdown a running server if there is one */
void ast_tcptls_server_stop(struct server_args *desc)
{
if (desc->master != AST_PTHREADT_NULL) {
pthread_cancel(desc->master);
pthread_kill(desc->master, SIGURG);
pthread_join(desc->master, NULL);
}
if (desc->accept_fd != -1)
close(desc->accept_fd);
desc->accept_fd = -1;
ast_debug(2, "Stopped server :: %s\n", desc->name);
}
/*! \brief
* creates a FILE * from the fd passed by the accept thread.
* This operation is potentially expensive (certificate verification),
* so we do it in the child thread context.
*/
void *ast_make_file_from_fd(void *data)
static void *handle_tls_connection(void *data)
{
struct ast_tcptls_session_instance *ser = data;
#ifdef DO_SSL
@ -473,3 +219,271 @@ void *ast_make_file_from_fd(void *data)
return ser;
}
void *ast_tcptls_server_root(void *data)
{
struct ast_tcptls_session_args *desc = data;
int fd;
struct sockaddr_in sin;
socklen_t sinlen;
struct ast_tcptls_session_instance *ser;
pthread_t launched;
for (;;) {
int i, flags;
if (desc->periodic_fn)
desc->periodic_fn(desc);
i = ast_wait_for_input(desc->accept_fd, desc->poll_timeout);
if (i <= 0)
continue;
sinlen = sizeof(sin);
fd = accept(desc->accept_fd, (struct sockaddr *) &sin, &sinlen);
if (fd < 0) {
if ((errno != EAGAIN) && (errno != EINTR))
ast_log(LOG_WARNING, "Accept failed: %s\n", strerror(errno));
continue;
}
ser = ao2_alloc(sizeof(*ser), session_instance_destructor);
if (!ser) {
ast_log(LOG_WARNING, "No memory for new session: %s\n", strerror(errno));
close(fd);
continue;
}
ast_mutex_init(&ser->lock);
flags = fcntl(fd, F_GETFL);
fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
ser->fd = fd;
ser->parent = desc;
memcpy(&ser->remote_address, &sin, sizeof(ser->remote_address));
ser->client = 0;
if (ast_pthread_create_detached_background(&launched, NULL, handle_tls_connection, ser)) {
ast_log(LOG_WARNING, "Unable to launch helper thread: %s\n", strerror(errno));
close(ser->fd);
ao2_ref(ser, -1);
}
}
return NULL;
}
static int __ssl_setup(struct ast_tls_config *cfg, int client)
{
#ifndef DO_SSL
cfg->enabled = 0;
return 0;
#else
if (!cfg->enabled)
return 0;
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
if (!(cfg->ssl_ctx = SSL_CTX_new( client ? SSLv23_client_method() : SSLv23_server_method() ))) {
ast_debug(1, "Sorry, SSL_CTX_new call returned null...\n");
cfg->enabled = 0;
return 0;
}
if (!ast_strlen_zero(cfg->certfile)) {
if (SSL_CTX_use_certificate_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0 ||
SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0 ||
SSL_CTX_check_private_key(cfg->ssl_ctx) == 0 ) {
if (!client) {
/* Clients don't need a certificate, but if its setup we can use it */
ast_verb(0, "SSL cert error <%s>", cfg->certfile);
sleep(2);
cfg->enabled = 0;
return 0;
}
}
}
if (!ast_strlen_zero(cfg->cipher)) {
if (SSL_CTX_set_cipher_list(cfg->ssl_ctx, cfg->cipher) == 0 ) {
if (!client) {
ast_verb(0, "SSL cipher error <%s>", cfg->cipher);
sleep(2);
cfg->enabled = 0;
return 0;
}
}
}
if (!ast_strlen_zero(cfg->cafile) || !ast_strlen_zero(cfg->capath)) {
if (SSL_CTX_load_verify_locations(cfg->ssl_ctx, S_OR(cfg->cafile, NULL), S_OR(cfg->capath,NULL)) == 0)
ast_verb(0, "SSL CA file(%s)/path(%s) error\n", cfg->cafile, cfg->capath);
}
ast_verb(0, "SSL certificate ok\n");
return 1;
#endif
}
int ast_ssl_setup(struct ast_tls_config *cfg)
{
return __ssl_setup(cfg, 0);
}
/*! \brief A generic client routine for a TCP client
* and starts a thread for handling accept()
*/
struct ast_tcptls_session_instance *ast_tcptls_client_start(struct ast_tcptls_session_args *desc)
{
int flags;
int x = 1;
struct ast_tcptls_session_instance *ser = NULL;
/* Do nothing if nothing has changed */
if(!memcmp(&desc->old_local_address, &desc->local_address, sizeof(desc->old_local_address))) {
ast_debug(1, "Nothing changed in %s\n", desc->name);
return NULL;
}
desc->old_local_address = desc->local_address;
if (desc->accept_fd != -1)
close(desc->accept_fd);
desc->accept_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (desc->accept_fd < 0) {
ast_log(LOG_WARNING, "Unable to allocate socket for %s: %s\n",
desc->name, strerror(errno));
return NULL;
}
/* if a local address was specified, bind to it so the connection will
originate from the desired address */
if (desc->local_address.sin_family != 0) {
setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
if (bind(desc->accept_fd, (struct sockaddr *) &desc->local_address, sizeof(desc->local_address))) {
ast_log(LOG_ERROR, "Unable to bind %s to %s:%d: %s\n",
desc->name,
ast_inet_ntoa(desc->local_address.sin_addr), ntohs(desc->local_address.sin_port),
strerror(errno));
goto error;
}
}
if (connect(desc->accept_fd, (const struct sockaddr *) &desc->remote_address, sizeof(desc->remote_address))) {
ast_log(LOG_ERROR, "Unable to connect %s to %s:%d: %s\n",
desc->name,
ast_inet_ntoa(desc->remote_address.sin_addr), ntohs(desc->remote_address.sin_port),
strerror(errno));
goto error;
}
if (!(ser = ao2_alloc(sizeof(*ser), session_instance_destructor)))
goto error;
ast_mutex_init(&ser->lock);
flags = fcntl(desc->accept_fd, F_GETFL);
fcntl(desc->accept_fd, F_SETFL, flags & ~O_NONBLOCK);
ser->fd = desc->accept_fd;
ser->parent = desc;
ser->parent->worker_fn = NULL;
memcpy(&ser->remote_address, &desc->local_address, sizeof(ser->remote_address));
ser->client = 1;
if (desc->tls_cfg) {
desc->tls_cfg->enabled = 1;
__ssl_setup(desc->tls_cfg, 1);
}
ao2_ref(ser, +1);
if (!handle_tls_connection(ser))
goto error;
return ser;
error:
close(desc->accept_fd);
desc->accept_fd = -1;
if (ser)
ao2_ref(ser, -1);
return NULL;
}
/*! \brief
* This is a generic (re)start routine for a TCP server,
* which does the socket/bind/listen and starts a thread for handling
* accept().
*/
void ast_tcptls_server_start(struct ast_tcptls_session_args *desc)
{
int flags;
int x = 1;
/* Do nothing if nothing has changed */
if (!memcmp(&desc->old_local_address, &desc->local_address, sizeof(desc->old_local_address))) {
ast_debug(1, "Nothing changed in %s\n", desc->name);
return;
}
desc->old_local_address = desc->local_address;
/* Shutdown a running server if there is one */
if (desc->master != AST_PTHREADT_NULL) {
pthread_cancel(desc->master);
pthread_kill(desc->master, SIGURG);
pthread_join(desc->master, NULL);
}
if (desc->accept_fd != -1)
close(desc->accept_fd);
/* If there's no new server, stop here */
if (desc->local_address.sin_family == 0) {
ast_debug(2, "Server disabled: %s\n", desc->name);
return;
}
desc->accept_fd = socket(AF_INET, SOCK_STREAM, 0);
if (desc->accept_fd < 0) {
ast_log(LOG_ERROR, "Unable to allocate socket for %s: %s\n", desc->name, strerror(errno));
return;
}
setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
if (bind(desc->accept_fd, (struct sockaddr *) &desc->local_address, sizeof(desc->local_address))) {
ast_log(LOG_ERROR, "Unable to bind %s to %s:%d: %s\n",
desc->name,
ast_inet_ntoa(desc->local_address.sin_addr), ntohs(desc->local_address.sin_port),
strerror(errno));
goto error;
}
if (listen(desc->accept_fd, 10)) {
ast_log(LOG_ERROR, "Unable to listen for %s!\n", desc->name);
goto error;
}
flags = fcntl(desc->accept_fd, F_GETFL);
fcntl(desc->accept_fd, F_SETFL, flags | O_NONBLOCK);
if (ast_pthread_create_background(&desc->master, NULL, desc->accept_fn, desc)) {
ast_log(LOG_ERROR, "Unable to launch thread for %s on %s:%d: %s\n",
desc->name,
ast_inet_ntoa(desc->local_address.sin_addr), ntohs(desc->local_address.sin_port),
strerror(errno));
goto error;
}
return;
error:
close(desc->accept_fd);
desc->accept_fd = -1;
}
/*! \brief Shutdown a running server if there is one */
void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc)
{
if (desc->master != AST_PTHREADT_NULL) {
pthread_cancel(desc->master);
pthread_kill(desc->master, SIGURG);
pthread_join(desc->master, NULL);
}
if (desc->accept_fd != -1)
close(desc->accept_fd);
desc->accept_fd = -1;
ast_debug(2, "Stopped server :: %s\n", desc->name);
}