Wed Oct 28 11:51:08 2009

Asterisk developer's documentation


tcptls.h

Go to the documentation of this file.
00001 /*
00002  * Asterisk -- An open source telephony toolkit.
00003  *
00004  * Copyright (C) 1999 - 2006, Digium, Inc.
00005  *
00006  * Mark Spencer <markster@digium.com>
00007  *
00008  * See http://www.asterisk.org for more information about
00009  * the Asterisk project. Please do not directly contact
00010  * any of the maintainers of this project for assistance;
00011  * the project provides a web site, mailing lists and IRC
00012  * channels for your use.
00013  *
00014  * This program is free software, distributed under the terms of
00015  * the GNU General Public License Version 2. See the LICENSE file
00016  * at the top of the source tree.
00017  */
00018 
00019 /*!
00020  * \file tcptls.h
00021  *
00022  * \brief Generic support for tcp/tls servers in Asterisk.
00023  * \note In order to have TLS/SSL support, we need the openssl libraries.
00024  * Still we can decide whether or not to use them by commenting
00025  * in or out the DO_SSL macro.
00026  *
00027  * TLS/SSL support is basically implemented by reading from a config file
00028  * (currently http.conf and sip.conf) the names of the certificate and cipher to use,
00029  * and then run ssl_setup() to create an appropriate SSL_CTX (ssl_ctx)
00030  * If we support multiple domains, presumably we need to read multiple
00031  * certificates.
00032  *
00033  * When we are requested to open a TLS socket, we run make_file_from_fd()
00034  * on the socket, to do the necessary setup. At the moment the context's name
00035  * is hardwired in the function, but we can certainly make it into an extra
00036  * parameter to the function.
00037  *
00038  * We declare most of ssl support variables unconditionally,
00039  * because their number is small and this simplifies the code.
00040  *
00041  * \note The ssl-support variables (ssl_ctx, do_ssl, certfile, cipher)
00042  * and their setup should be moved to a more central place, e.g. asterisk.conf
00043  * and the source files that processes it. Similarly, ssl_setup() should
00044  * be run earlier in the startup process so modules have it available.
00045  *
00046  */
00047 
00048 #ifndef _ASTERISK_TCPTLS_H
00049 #define _ASTERISK_TCPTLS_H
00050 
00051 #include "asterisk/utils.h"
00052 
00053 #if defined(HAVE_OPENSSL) && (defined(HAVE_FUNOPEN) || defined(HAVE_FOPENCOOKIE))
00054 #define DO_SSL  /* comment in/out if you want to support ssl */
00055 #endif
00056 
00057 #ifdef DO_SSL
00058 #include <openssl/ssl.h>
00059 #include <openssl/err.h>
00060 #else
00061 /* declare dummy types so we can define a pointer to them */
00062 typedef struct {} SSL;
00063 typedef struct {} SSL_CTX;
00064 #endif /* DO_SSL */
00065 
00066 /*! SSL support */
00067 #define AST_CERTFILE "asterisk.pem"
00068 
00069 enum ast_ssl_flags {
00070    /*! Verify certificate when acting as server */
00071    AST_SSL_VERIFY_CLIENT = (1 << 0),
00072    /*! Don't verify certificate when connecting to a server */
00073    AST_SSL_DONT_VERIFY_SERVER = (1 << 1),
00074    /*! Don't compare "Common Name" against IP or hostname */
00075    AST_SSL_IGNORE_COMMON_NAME = (1 << 2)
00076 };
00077 
00078 struct ast_tls_config {
00079    int enabled;
00080    char *certfile;
00081    char *cipher;
00082    char *cafile;
00083    char *capath;
00084    struct ast_flags flags;
00085    SSL_CTX *ssl_ctx;
00086 };
00087 
00088 /*!
00089  * The following code implements a generic mechanism for starting
00090  * services on a TCP or TLS socket.
00091  * The service is configured in the struct session_args, and
00092  * then started by calling server_start(desc) on the descriptor.
00093  * server_start() first verifies if an instance of the service is active,
00094  * and in case shuts it down. Then, if the service must be started, creates
00095  * a socket and a thread in charge of doing the accept().
00096  *
00097  * The body of the thread is desc->accept_fn(desc), which the user can define
00098  * freely. We supply a sample implementation, server_root(), structured as an
00099  * infinite loop. At the beginning of each iteration it runs periodic_fn()
00100  * if defined (e.g. to perform some cleanup etc.) then issues a poll()
00101  * or equivalent with a timeout of 'poll_timeout' milliseconds, and if the
00102  * following accept() is successful it creates a thread in charge of
00103  * running the session, whose body is desc->worker_fn(). The argument of
00104  * worker_fn() is a struct ast_tcptls_session_instance, which contains the address
00105  * of the other party, a pointer to desc, the file descriptors (fd) on which
00106  * we can do a select/poll (but NOT I/O), and a FILE *on which we can do I/O.
00107  * We have both because we want to support plain and SSL sockets, and
00108  * going through a FILE * lets us provide the encryption/decryption
00109  * on the stream without using an auxiliary thread.
00110  */
00111 
00112 /*! \brief
00113  * arguments for the accepting thread
00114  */
00115 struct ast_tcptls_session_args {
00116    struct sockaddr_in local_address;
00117    struct sockaddr_in old_address; /*!< copy of the local or remote address depending on if its a client or server session */
00118    struct sockaddr_in remote_address;
00119    char hostname[MAXHOSTNAMELEN]; /*!< only necessary for SSL clients so we can compare to common name */
00120    struct ast_tls_config *tls_cfg; /*!< points to the SSL configuration if any */
00121    int accept_fd;
00122    int poll_timeout;
00123    pthread_t master;
00124    void *(*accept_fn)(void *); /*!< the function in charge of doing the accept */
00125    void (*periodic_fn)(void *);/*!< something we may want to run before after select on the accept socket */
00126    void *(*worker_fn)(void *); /*!< the function in charge of doing the actual work */
00127    const char *name;
00128 };
00129 
00130 /*
00131  * describes a server instance
00132  */
00133 struct ast_tcptls_session_instance {
00134    FILE *f;    /* fopen/funopen result */
00135    int fd;     /* the socket returned by accept() */
00136    SSL *ssl;   /* ssl state */
00137 /* iint (*ssl_setup)(SSL *); */
00138    int client;
00139    struct sockaddr_in remote_address;
00140    struct ast_tcptls_session_args *parent;
00141    ast_mutex_t lock;
00142 };
00143 
00144 #if defined(HAVE_FUNOPEN)
00145 #define HOOK_T int
00146 #define LEN_T int
00147 #else
00148 #define HOOK_T ssize_t
00149 #define LEN_T size_t
00150 #endif
00151 
00152 /*! 
00153   * \brief attempts to connect and start tcptls session, on error the tcptls_session's
00154   * ref count is decremented, fd and file are closed, and NULL is returned.
00155   */
00156 struct ast_tcptls_session_instance *ast_tcptls_client_start(struct ast_tcptls_session_instance *tcptls_session);
00157 
00158 /* \brief Creates a client connection's ast_tcptls_session_instance. */
00159 struct ast_tcptls_session_instance *ast_tcptls_client_create(struct ast_tcptls_session_args *desc);
00160 
00161 void *ast_tcptls_server_root(void *);
00162 
00163 /*!
00164  * \brief This is a generic (re)start routine for a TCP server,
00165  * which does the socket/bind/listen and starts a thread for handling
00166  * accept().
00167  * \version 1.6.1 changed desc parameter to be of ast_tcptls_session_args type
00168  */
00169 void ast_tcptls_server_start(struct ast_tcptls_session_args *desc);
00170 
00171 /*!
00172  * \brief Shutdown a running server if there is one
00173  * \version 1.6.1 changed desc parameter to be of ast_tcptls_session_args type
00174  */
00175 void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc);
00176 int ast_ssl_setup(struct ast_tls_config *cfg);
00177 
00178 HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *ser, void *buf, size_t count);
00179 HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *ser, void *buf, size_t count);
00180 
00181 #endif /* _ASTERISK_TCPTLS_H */

Generated on Wed Oct 28 11:51:08 2009 for Asterisk - the Open Source PBX by  doxygen 1.5.6