git-svn-id: http://svncommunity.digium.com/svn/astmanproxy/branches/1.20pre@59 f02b47b9-160a-0410-81a6-dc3441afb0ec

7 files changed, 204 insertions, 11 deletions

diff --git a/astmanproxy.conf b/astmanproxy.conf
index b8ab5d3..95db4e6 100644
--- a/astmanproxy.conf
+++ b/astmanproxy.conf
@@ -36,6 +36,9 @@ asteriskwritetimeout=100
 ; Amount of time to wait before timing out on writes to clients
 clientwritetimeout=200
 
+; Our server-side SSL certificate; what we use when answering clients
+certfile = /var/lib/asterisk/certs/proxy.pem
+
 ; Address for proxy to listen on, can be set to * or x.x.x.x format
 ; recommend that you listen only on 127.0.0.1 or on an interface that
 ; is otherwise locked down to a trusted host, since the proxy
diff --git a/src/astmanproxy.c b/src/astmanproxy.c
index 0a3a172..29259d3 100644
--- a/src/astmanproxy.c
+++ b/src/astmanproxy.c
@@ -78,7 +78,7 @@ void leave(int sig) {
             c->output->write(c, &cm);
             logmsg("Shutdown, closed client %s", ast_inet_ntoa(iabuf, sizeof(iabuf), c->sin.sin_addr));
         }
-        close(c->fd);
+        close_sock(c->fd);	/* close tcp & ssl socket */
         pthread_mutex_destroy(&c->lock);
         free(c);
     }
@@ -95,7 +95,7 @@ void leave(int sig) {
 
     if (debug)
         debugmsg("Closing listener socket");
-    close(asock);
+    close_sock(asock);		/* close tcp & ssl socket */
 
     /* unload io handlers */
     while (iohandlers) {
@@ -154,7 +154,7 @@ void destroy_session(struct mansession *s)
                         sessions = cur->next;
                 debugmsg("Connection closed: %s", ast_inet_ntoa(iabuf, sizeof(iabuf), s->sin.sin_addr));
                 if (s->fd > -1)
-                        close(s->fd);
+                        close_sock(s->fd);	/* close tcp & ssl socket */
                 pthread_mutex_destroy(&s->lock);
                 free(s);
         } else
@@ -183,7 +183,7 @@ int WriteClients(struct message *m) {
             } else
                 c->output->write(c, m);
             if ( c->input->autodisconnect && c->input->autodisconnect() )
-                close(c->fd);
+                close_sock(c->fd);	/* close tcp & ssl socket */
         }
         c = c->next;
     }
@@ -517,6 +517,7 @@ static void *accept_thread()
         int flags;
         pthread_attr_t attr;
         char iabuf[INET_ADDRSTRLEN];
+        int is_encrypted;
 
         pthread_attr_init(&attr);
         pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
@@ -534,6 +535,35 @@ static void *accept_thread()
                                 logmsg("Failed to set listener tcp connection to TCP_NODELAY mode: %s\n", strerror(errno));
                         }
                 }
+
+		/* SSL stuff below */
+                is_encrypted = is_encrypt_request(pc.sslclhellotimeout, as);
+                if (is_encrypted > 0) {
+                        if (!pc.acceptencryptedconnection) {
+                                if( debug )
+					debugmsg("Accepting encrypted connection disabled, closing the connection \n");
+                                close_sock(as);
+                                continue;
+                        } else {
+                                if((as = saccept(as)) >= 0 ) {
+					if( debug )
+	                                        debugmsg("Can't accept the ssl connection, since SSL init has failed for certificate reason\n");
+                                        close_sock(as);
+                                        continue;
+                                }
+                        }
+                } else if (is_encrypted == -1) {
+                        logmsg("SSL version 2 is unsecure, we don't support it\n");
+                        close_sock(as);
+                        continue;
+                }
+                if ( (! pc.acceptunencryptedconnection) && (as >= 0)) {
+                        logmsg("Unencrypted connections are not accepted and we received an unencrypted connection request\n");
+                        close_sock(as);
+                        continue;
+                }
+		/* SSL stuff end */
+
                 s = malloc(sizeof(struct mansession));
                 if ( !s ) {
                         logmsg("Failed to allocate listener session: %s\n", strerror(errno));
diff --git a/src/common.c b/src/common.c
index b52ee59..8ec016d 100644
--- a/src/common.c
+++ b/src/common.c
@@ -143,7 +143,7 @@ done:
 	fcntl(sockfd, F_SETFL, flags);	/* restore file status flags */
 
 	if (error) {
-		/* close(sockfd); */	/* disable for now, we want to retry... */
+		/* close(sockfd); */	/* we want to retry... */
 		errno = error;
 		return(-1);
 	}
diff --git a/src/config.c b/src/config.c
index 824043b..29213ad 100644
--- a/src/config.c
+++ b/src/config.c
@@ -105,6 +105,8 @@ void *processline(char *s) {
         pc.acceptencryptedconnection = strcmp(value,"yes") ? 0 : 1;
     else if (!strcmp(name,"acceptunencryptedconnection") )
         pc.acceptunencryptedconnection = strcmp(value,"yes") ? 0 : 1;
+    else if (!strcmp(name,"certfile") )
+        strcpy(pc.certfile, value);
     else if (!strcmp(name,"proxykey") )
         strcpy(pc.key, value);
     else if (!strcmp(name,"proc_user") )
@@ -217,7 +219,7 @@ int ReadConfig() {
     /* Set nonzero config defaults */
     pc.asteriskwritetimeout = 100;
     pc.clientwritetimeout = 100;
-    pc.sslclhellotimeout = 200;
+    pc.sslclhellotimeout = 500;
 
     sprintf(cfn, "%s/%s", CDIR, CFILE);
     FP = fopen( cfn, "r" );
@@ -238,6 +240,9 @@ int ReadConfig() {
 
     fclose(FP);
 
+    /* initialize SSL layer with our server certfile */
+    init_secure(pc.certfile);
+
     return 0;
 }
 
diff --git a/src/include/astmanproxy.h b/src/include/astmanproxy.h
index fdd783d..6c4ef0b 100644
--- a/src/include/astmanproxy.h
+++ b/src/include/astmanproxy.h
@@ -63,16 +63,17 @@ struct proxyconfig {
     char outputformat[80];
     int autofilter;
     char key[80];
-    char proc_user[30];
-    char proc_group[30];
-    char logfile[80];
+    char proc_user[40];
+    char proc_group[40];
+    char logfile[256];
     int retryinterval;
     int maxretries;
     int asteriskwritetimeout;		/* ms to wait when writing to asteriskfor ast_carefulwrite */
     int clientwritetimeout;		/* ms to wait when writing to client ast_carefulwrite */
     int sslclhellotimeout;		/* ssl client hello timeout -- how long to wait before assuming not ssl */
-    int acceptencryptedconnection;		/* accept encrypted connections? */
+    int acceptencryptedconnection;	/* accept encrypted connections? */
     int acceptunencryptedconnection;	/* accept unencrypted connections? */
+    char certfile[256];			/* our SERVER-side SSL certificate file */
 };
 
 struct iohandler {
diff --git a/src/ssl.c b/src/ssl.c
index b884eac..c4377cd 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -215,7 +215,7 @@ int m_recv(int s, void *buf, size_t len, int flags)
 		rec_bytes += ret;
 
 	if (debug)
-		debugmsg("Received data from SSL socket - %d\n", ret);
+		debugmsg("Received data from SSL socket - %d", ret);
 	return ret;
 }
 
diff --git a/ssl.conf b/ssl.conf
new file mode 100644
index 0000000..d10d9a1
--- /dev/null
+++ b/ssl.conf
@@ -0,0 +1,154 @@
+# Asterisk SSL configuration
+#
+# OpenSSL configuration file for custom Certificate Authority. Use a
+# different openssl.cnf file to generate certificate signing requests;
+# this one is for use only in Certificate Authority operations (csr ->
+# cert, cert revocation, revocation list generation).
+#
+# Be sure to customize this file prior to use, e.g. the commonName and
+# other options under the root_ca_distinguished_name section.
+
+HOME                    = .
+RANDFILE                = $ENV::HOME/.rnd
+
+[ ca ]
+default_ca      = MyAsteriskCA
+
+[ MyAsteriskCA ]
+dir             = .
+# unsed at present, and my limited certs can be kept in current dir
+#certs          = $dir/certs
+new_certs_dir   = $dir/newcerts
+crl_dir         = $dir/crl
+database        = $dir/index
+
+certificate     = $dir/ca-cert.pem
+serial          = $dir/serial
+crl             = $dir/ca-crl.pem
+private_key     = $dir/private/ca-key.pem
+RANDFILE        = $dir/private/.rand
+
+x509_extensions = usr_cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt        = ca_default
+cert_opt        = ca_default
+
+default_crl_days= 30
+default_days    = 7300
+# if need to be compatible with older software, use weaker md5
+default_md      = sha1
+# MSIE may need following set to yes?
+preserve        = no
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy          = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName             = US
+stateOrProvinceName     = CA
+organizationName        = XYZ
+organizationalUnitName  = XYZ 
+commonName              = asterisk
+emailAddress            = root@localhost 
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+####################################################################
+[ req ]
+default_bits            = 2048
+default_keyfile         = ./private/ca-key.pem
+default_md              = sha1
+
+prompt                  = no
+distinguished_name      = root_ca_distinguished_name
+
+x509_extensions = v3_ca
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix   : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req
+
+[ root_ca_distinguished_name ]
+commonName = NoSuchCA CA
+countryName = US
+stateOrProvinceName = California
+localityName = San Mateo
+0.organizationName = domain.net
+emailAddress = nobody@localhost
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+nsCaRevocationUrl               = https://www.sial.org/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always