Wed Oct 28 11:51:08 2009

Asterisk developer's documentation


tcptls.c

Go to the documentation of this file.
00001 /*
00002  * Asterisk -- An open source telephony toolkit.
00003  *
00004  * Copyright (C) 2007 - 2008, Digium, Inc.
00005  *
00006  * Luigi Rizzo (TCP and TLS server code)
00007  * Brett Bryant <brettbryant@gmail.com> (updated for client support)
00008  *
00009  * See http://www.asterisk.org for more information about
00010  * the Asterisk project. Please do not directly contact
00011  * any of the maintainers of this project for assistance;
00012  * the project provides a web site, mailing lists and IRC
00013  * channels for your use.
00014  *
00015  * This program is free software, distributed under the terms of
00016  * the GNU General Public License Version 2. See the LICENSE file
00017  * at the top of the source tree.
00018  */
00019 
00020 /*!
00021  * \file
00022  * \brief Code to support TCP and TLS server/client
00023  *
00024  * \author Luigi Rizzo
00025  * \author Brett Bryant <brettbryant@gmail.com>
00026  */
00027 
00028 #include "asterisk.h"
00029 
00030 ASTERISK_FILE_VERSION(__FILE__, "$Revision: 225490 $")
00031 
00032 #ifdef HAVE_FCNTL_H
00033 #include <fcntl.h>
00034 #endif
00035 
00036 #include <sys/signal.h>
00037 
00038 #include "asterisk/compat.h"
00039 #include "asterisk/tcptls.h"
00040 #include "asterisk/http.h"
00041 #include "asterisk/utils.h"
00042 #include "asterisk/strings.h"
00043 #include "asterisk/options.h"
00044 #include "asterisk/manager.h"
00045 #include "asterisk/astobj2.h"
00046 
00047 /*! \brief
00048  * replacement read/write functions for SSL support.
00049  * We use wrappers rather than SSL_read/SSL_write directly so
00050  * we can put in some debugging.
00051  */
00052 
00053 #ifdef DO_SSL
00054 static HOOK_T ssl_read(void *cookie, char *buf, LEN_T len)
00055 {
00056    int i = SSL_read(cookie, buf, len-1);
00057 #if 0
00058    if (i >= 0)
00059       buf[i] = '\0';
00060    ast_verb(0, "ssl read size %d returns %d <%s>\n", (int)len, i, buf);
00061 #endif
00062    return i;
00063 }
00064 
00065 static HOOK_T ssl_write(void *cookie, const char *buf, LEN_T len)
00066 {
00067 #if 0
00068    char *s = alloca(len+1);
00069    strncpy(s, buf, len);
00070    s[len] = '\0';
00071    ast_verb(0, "ssl write size %d <%s>\n", (int)len, s);
00072 #endif
00073    return SSL_write(cookie, buf, len);
00074 }
00075 
00076 static int ssl_close(void *cookie)
00077 {
00078    close(SSL_get_fd(cookie));
00079    SSL_shutdown(cookie);
00080    SSL_free(cookie);
00081    return 0;
00082 }
00083 #endif   /* DO_SSL */
00084 
00085 HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *tcptls_session, void *buf, size_t count)
00086 {
00087    if (tcptls_session->fd == -1) {
00088       ast_log(LOG_ERROR, "server_read called with an fd of -1\n");
00089       errno = EIO;
00090       return -1;
00091    }
00092 
00093 #ifdef DO_SSL
00094    if (tcptls_session->ssl)
00095       return ssl_read(tcptls_session->ssl, buf, count);
00096 #endif
00097    return read(tcptls_session->fd, buf, count);
00098 }
00099 
00100 HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *tcptls_session, void *buf, size_t count)
00101 {
00102    if (tcptls_session->fd == -1) {
00103       ast_log(LOG_ERROR, "server_write called with an fd of -1\n");
00104       errno = EIO;
00105       return -1;
00106    }
00107 
00108 #ifdef DO_SSL
00109    if (tcptls_session->ssl)
00110       return ssl_write(tcptls_session->ssl, buf, count);
00111 #endif
00112    return write(tcptls_session->fd, buf, count);
00113 }
00114 
00115 static void session_instance_destructor(void *obj)
00116 {
00117    struct ast_tcptls_session_instance *i = obj;
00118    ast_mutex_destroy(&i->lock);
00119 }
00120 
00121 /*! \brief
00122 * creates a FILE * from the fd passed by the accept thread.
00123 * This operation is potentially expensive (certificate verification),
00124 * so we do it in the child thread context.
00125 *
00126 * \note must decrement ref count before returning NULL on error
00127 */
00128 static void *handle_tcptls_connection(void *data)
00129 {
00130    struct ast_tcptls_session_instance *tcptls_session = data;
00131 #ifdef DO_SSL
00132    int (*ssl_setup)(SSL *) = (tcptls_session->client) ? SSL_connect : SSL_accept;
00133    int ret;
00134    char err[256];
00135 #endif
00136 
00137    /*
00138    * open a FILE * as appropriate.
00139    */
00140    if (!tcptls_session->parent->tls_cfg) {
00141       tcptls_session->f = fdopen(tcptls_session->fd, "w+");
00142       setvbuf(tcptls_session->f, NULL, _IONBF, 0);
00143    }
00144 #ifdef DO_SSL
00145    else if ( (tcptls_session->ssl = SSL_new(tcptls_session->parent->tls_cfg->ssl_ctx)) ) {
00146       SSL_set_fd(tcptls_session->ssl, tcptls_session->fd);
00147       if ((ret = ssl_setup(tcptls_session->ssl)) <= 0) {
00148          ast_verb(2, "Problem setting up ssl connection: %s\n", ERR_error_string(ERR_get_error(), err));
00149       } else {
00150 #if defined(HAVE_FUNOPEN)  /* the BSD interface */
00151          tcptls_session->f = funopen(tcptls_session->ssl, ssl_read, ssl_write, NULL, ssl_close);
00152 
00153 #elif defined(HAVE_FOPENCOOKIE)  /* the glibc/linux interface */
00154          static const cookie_io_functions_t cookie_funcs = {
00155             ssl_read, ssl_write, NULL, ssl_close
00156          };
00157          tcptls_session->f = fopencookie(tcptls_session->ssl, "w+", cookie_funcs);
00158 #else
00159          /* could add other methods here */
00160          ast_debug(2, "no tcptls_session->f methods attempted!");
00161 #endif
00162          if ((tcptls_session->client && !ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_DONT_VERIFY_SERVER))
00163             || (!tcptls_session->client && ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_VERIFY_CLIENT))) {
00164             X509 *peer;
00165             long res;
00166             peer = SSL_get_peer_certificate(tcptls_session->ssl);
00167             if (!peer)
00168                ast_log(LOG_WARNING, "No peer SSL certificate\n");
00169             res = SSL_get_verify_result(tcptls_session->ssl);
00170             if (res != X509_V_OK)
00171                ast_log(LOG_ERROR, "Certificate did not verify: %s\n", X509_verify_cert_error_string(res));
00172             if (!ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_IGNORE_COMMON_NAME)) {
00173                ASN1_STRING *str;
00174                unsigned char *str2;
00175                X509_NAME *name = X509_get_subject_name(peer);
00176                int pos = -1;
00177                int found = 0;
00178             
00179                for (;;) {
00180                   /* Walk the certificate to check all available "Common Name" */
00181                   /* XXX Probably should do a gethostbyname on the hostname and compare that as well */
00182                   pos = X509_NAME_get_index_by_NID(name, NID_commonName, pos);
00183                   if (pos < 0)
00184                      break;
00185                   str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, pos));
00186                   ASN1_STRING_to_UTF8(&str2, str);
00187                   if (str2) {
00188                      if (!strcasecmp(tcptls_session->parent->hostname, (char *) str2))
00189                         found = 1;
00190                      ast_debug(3, "SSL Common Name compare s1='%s' s2='%s'\n", tcptls_session->parent->hostname, str2);
00191                      OPENSSL_free(str2);
00192                   }
00193                   if (found)
00194                      break;
00195                }
00196                if (!found) {
00197                   ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", tcptls_session->parent->hostname);
00198                   if (peer)
00199                      X509_free(peer);
00200                   close(tcptls_session->fd);
00201                   fclose(tcptls_session->f);
00202                   ao2_ref(tcptls_session, -1);
00203                   return NULL;
00204                }
00205             }
00206             if (peer)
00207                X509_free(peer);
00208          }
00209       }
00210       if (!tcptls_session->f) /* no success opening descriptor stacking */
00211          SSL_free(tcptls_session->ssl);
00212    }
00213 #endif /* DO_SSL */
00214 
00215    if (!tcptls_session->f) {
00216       close(tcptls_session->fd);
00217       ast_log(LOG_WARNING, "FILE * open failed!\n");
00218       ao2_ref(tcptls_session, -1);
00219       return NULL;
00220    }
00221 
00222    if (tcptls_session && tcptls_session->parent->worker_fn)
00223       return tcptls_session->parent->worker_fn(tcptls_session);
00224    else
00225       return tcptls_session;
00226 }
00227 
00228 void *ast_tcptls_server_root(void *data)
00229 {
00230    struct ast_tcptls_session_args *desc = data;
00231    int fd;
00232    struct sockaddr_in sin;
00233    socklen_t sinlen;
00234    struct ast_tcptls_session_instance *tcptls_session;
00235    pthread_t launched;
00236    
00237    for (;;) {
00238       int i, flags;
00239 
00240       if (desc->periodic_fn)
00241          desc->periodic_fn(desc);
00242       i = ast_wait_for_input(desc->accept_fd, desc->poll_timeout);
00243       if (i <= 0)
00244          continue;
00245       sinlen = sizeof(sin);
00246       fd = accept(desc->accept_fd, (struct sockaddr *) &sin, &sinlen);
00247       if (fd < 0) {
00248          if ((errno != EAGAIN) && (errno != EINTR))
00249             ast_log(LOG_WARNING, "Accept failed: %s\n", strerror(errno));
00250          continue;
00251       }
00252       tcptls_session = ao2_alloc(sizeof(*tcptls_session), session_instance_destructor);
00253       if (!tcptls_session) {
00254          ast_log(LOG_WARNING, "No memory for new session: %s\n", strerror(errno));
00255          close(fd);
00256          continue;
00257       }
00258 
00259       ast_mutex_init(&tcptls_session->lock);
00260 
00261       flags = fcntl(fd, F_GETFL);
00262       fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
00263       tcptls_session->fd = fd;
00264       tcptls_session->parent = desc;
00265       memcpy(&tcptls_session->remote_address, &sin, sizeof(tcptls_session->remote_address));
00266 
00267       tcptls_session->client = 0;
00268          
00269       /* This thread is now the only place that controls the single ref to tcptls_session */
00270       if (ast_pthread_create_detached_background(&launched, NULL, handle_tcptls_connection, tcptls_session)) {
00271          ast_log(LOG_WARNING, "Unable to launch helper thread: %s\n", strerror(errno));
00272          close(tcptls_session->fd);
00273          ao2_ref(tcptls_session, -1);
00274       }
00275    }
00276    return NULL;
00277 }
00278 
00279 static int __ssl_setup(struct ast_tls_config *cfg, int client)
00280 {
00281 #ifndef DO_SSL
00282    cfg->enabled = 0;
00283    return 0;
00284 #else
00285    if (!cfg->enabled)
00286       return 0;
00287 
00288    SSL_load_error_strings();
00289    SSLeay_add_ssl_algorithms();
00290 
00291    if (!(cfg->ssl_ctx = SSL_CTX_new( client ? SSLv23_client_method() : SSLv23_server_method() ))) {
00292       ast_debug(1, "Sorry, SSL_CTX_new call returned null...\n");
00293       cfg->enabled = 0;
00294       return 0;
00295    }
00296    if (!ast_strlen_zero(cfg->certfile)) {
00297       if (SSL_CTX_use_certificate_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0 ||
00298           SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0 ||
00299           SSL_CTX_check_private_key(cfg->ssl_ctx) == 0 ) {
00300          if (!client) {
00301             /* Clients don't need a certificate, but if its setup we can use it */
00302             ast_verb(0, "SSL cert error <%s>", cfg->certfile);
00303             sleep(2);
00304             cfg->enabled = 0;
00305             return 0;
00306          }
00307       }
00308    }
00309    if (!ast_strlen_zero(cfg->cipher)) {
00310       if (SSL_CTX_set_cipher_list(cfg->ssl_ctx, cfg->cipher) == 0 ) {
00311          if (!client) {
00312             ast_verb(0, "SSL cipher error <%s>", cfg->cipher);
00313             sleep(2);
00314             cfg->enabled = 0;
00315             return 0;
00316          }
00317       }
00318    }
00319    if (!ast_strlen_zero(cfg->cafile) || !ast_strlen_zero(cfg->capath)) {
00320       if (SSL_CTX_load_verify_locations(cfg->ssl_ctx, S_OR(cfg->cafile, NULL), S_OR(cfg->capath,NULL)) == 0)
00321          ast_verb(0, "SSL CA file(%s)/path(%s) error\n", cfg->cafile, cfg->capath);
00322    }
00323 
00324    ast_verb(0, "SSL certificate ok\n");
00325    return 1;
00326 #endif
00327 }
00328 
00329 int ast_ssl_setup(struct ast_tls_config *cfg)
00330 {
00331    return __ssl_setup(cfg, 0);
00332 }
00333 
00334 struct ast_tcptls_session_instance *ast_tcptls_client_start(struct ast_tcptls_session_instance *tcptls_session)
00335 {
00336    struct ast_tcptls_session_args *desc;
00337    int flags;
00338 
00339    if (!(desc = tcptls_session->parent)) {
00340       goto client_start_error;
00341    }
00342 
00343    if (connect(desc->accept_fd, (const struct sockaddr *) &desc->remote_address, sizeof(desc->remote_address))) {
00344       ast_log(LOG_ERROR, "Unable to connect %s to %s:%d: %s\n",
00345          desc->name,
00346          ast_inet_ntoa(desc->remote_address.sin_addr), ntohs(desc->remote_address.sin_port),
00347          strerror(errno));
00348       goto client_start_error;
00349    }
00350 
00351    flags = fcntl(desc->accept_fd, F_GETFL);
00352    fcntl(desc->accept_fd, F_SETFL, flags & ~O_NONBLOCK);
00353 
00354    if (desc->tls_cfg) {
00355       desc->tls_cfg->enabled = 1;
00356       __ssl_setup(desc->tls_cfg, 1);
00357    }
00358 
00359    return handle_tcptls_connection(tcptls_session);
00360 
00361 client_start_error:
00362    close(desc->accept_fd);
00363    desc->accept_fd = -1;
00364    if (tcptls_session) {
00365       ao2_ref(tcptls_session, -1);
00366    }
00367    return NULL;
00368 
00369 }
00370 
00371 struct ast_tcptls_session_instance *ast_tcptls_client_create(struct ast_tcptls_session_args *desc)
00372 {
00373    int x = 1;
00374    struct ast_tcptls_session_instance *tcptls_session = NULL;
00375 
00376    /* Do nothing if nothing has changed */
00377    if (!memcmp(&desc->old_address, &desc->remote_address, sizeof(desc->old_address))) {
00378       ast_debug(1, "Nothing changed in %s\n", desc->name);
00379       return NULL;
00380    }
00381 
00382    desc->old_address = desc->remote_address;
00383 
00384    if (desc->accept_fd != -1)
00385       close(desc->accept_fd);
00386 
00387    desc->accept_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
00388    if (desc->accept_fd < 0) {
00389       ast_log(LOG_WARNING, "Unable to allocate socket for %s: %s\n",
00390          desc->name, strerror(errno));
00391       return NULL;
00392    }
00393 
00394    /* if a local address was specified, bind to it so the connection will
00395       originate from the desired address */
00396    if (desc->local_address.sin_family != 0) {
00397       setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
00398       if (bind(desc->accept_fd, (struct sockaddr *) &desc->local_address, sizeof(desc->local_address))) {
00399          ast_log(LOG_ERROR, "Unable to bind %s to %s:%d: %s\n",
00400          desc->name,
00401             ast_inet_ntoa(desc->local_address.sin_addr), ntohs(desc->local_address.sin_port),
00402             strerror(errno));
00403          goto error;
00404       }
00405    }
00406 
00407    if (!(tcptls_session = ao2_alloc(sizeof(*tcptls_session), session_instance_destructor)))
00408       goto error;
00409 
00410    ast_mutex_init(&tcptls_session->lock);
00411    tcptls_session->client = 1;
00412    tcptls_session->fd = desc->accept_fd;
00413    tcptls_session->parent = desc;
00414    tcptls_session->parent->worker_fn = NULL;
00415    memcpy(&tcptls_session->remote_address, &desc->remote_address, sizeof(tcptls_session->remote_address));
00416 
00417    return tcptls_session;
00418 
00419 error:
00420    close(desc->accept_fd);
00421    desc->accept_fd = -1;
00422    if (tcptls_session)
00423       ao2_ref(tcptls_session, -1);
00424    return NULL;
00425 }
00426 
00427 void ast_tcptls_server_start(struct ast_tcptls_session_args *desc)
00428 {
00429    int flags;
00430    int x = 1;
00431    
00432    /* Do nothing if nothing has changed */
00433    if (!memcmp(&desc->old_address, &desc->local_address, sizeof(desc->old_address))) {
00434       ast_debug(1, "Nothing changed in %s\n", desc->name);
00435       return;
00436    }
00437    
00438    desc->old_address = desc->local_address;
00439    
00440    /* Shutdown a running server if there is one */
00441    if (desc->master != AST_PTHREADT_NULL) {
00442       pthread_cancel(desc->master);
00443       pthread_kill(desc->master, SIGURG);
00444       pthread_join(desc->master, NULL);
00445    }
00446    
00447    if (desc->accept_fd != -1)
00448       close(desc->accept_fd);
00449 
00450    /* If there's no new server, stop here */
00451    if (desc->local_address.sin_family == 0) {
00452       return;
00453    }
00454 
00455    desc->accept_fd = socket(AF_INET, SOCK_STREAM, 0);
00456    if (desc->accept_fd < 0) {
00457       ast_log(LOG_ERROR, "Unable to allocate socket for %s: %s\n",
00458          desc->name, strerror(errno));
00459       return;
00460    }
00461    
00462    setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
00463    if (bind(desc->accept_fd, (struct sockaddr *) &desc->local_address, sizeof(desc->local_address))) {
00464       ast_log(LOG_ERROR, "Unable to bind %s to %s:%d: %s\n",
00465          desc->name,
00466          ast_inet_ntoa(desc->local_address.sin_addr), ntohs(desc->local_address.sin_port),
00467          strerror(errno));
00468       goto error;
00469    }
00470    if (listen(desc->accept_fd, 10)) {
00471       ast_log(LOG_ERROR, "Unable to listen for %s!\n", desc->name);
00472       goto error;
00473    }
00474    flags = fcntl(desc->accept_fd, F_GETFL);
00475    fcntl(desc->accept_fd, F_SETFL, flags | O_NONBLOCK);
00476    if (ast_pthread_create_background(&desc->master, NULL, desc->accept_fn, desc)) {
00477       ast_log(LOG_ERROR, "Unable to launch thread for %s on %s:%d: %s\n",
00478          desc->name,
00479          ast_inet_ntoa(desc->local_address.sin_addr), ntohs(desc->local_address.sin_port),
00480          strerror(errno));
00481       goto error;
00482    }
00483    return;
00484 
00485 error:
00486    close(desc->accept_fd);
00487    desc->accept_fd = -1;
00488 }
00489 
00490 void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc)
00491 {
00492    if (desc->master != AST_PTHREADT_NULL) {
00493       pthread_cancel(desc->master);
00494       pthread_kill(desc->master, SIGURG);
00495       pthread_join(desc->master, NULL);
00496    }
00497    if (desc->accept_fd != -1)
00498       close(desc->accept_fd);
00499    desc->accept_fd = -1;
00500 }

Generated on Wed Oct 28 11:51:08 2009 for Asterisk - the Open Source PBX by  doxygen 1.5.6