git-svn-id: http://svncommunity.digium.com/svn/astmanproxy/branches/1.20pre@40 f02b47b9-160a-0410-81a6-dc3441afb0ec

2 files changed, 404 insertions, 0 deletions

diff --git a/src/include/ssl.h b/src/include/ssl.h
new file mode 100644
index 0000000..a52b424
--- /dev/null
+++ b/src/include/ssl.h
@@ -0,0 +1,91 @@
+/*
+ * ssl_addon: Encrypts the asterisk management interface
+ *
+ * Copyrights:
+ * Copyright (C) 2005-2006, Tello Corporation, Inc.
+ *
+ * Contributors:
+ * Remco Treffkorn(Architect) and Mahesh Karoshi
+ *
+ * This program is free software, distributed under the terms of
+ * the GNU Lesser (Library) General Public License
+ *
+ * Copyright on this file is disclaimed to Digium for inclusion in Asterisk
+ */
+
+#ifndef _SSL_ADDON_H_
+#define _SSL_ADDON_H_
+
+#include <openssl/ssl.h>
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*! \brief
+   This data structure holds the additional SSL data needed to use the ssl functions.
+   The negative fd is used as an index into this data structure (after processing).
+   Choose SEC_MAX to be impossibly large for the application.
+*/
+#define SEC_MAX 8
+struct {
+    int fd;
+    SSL* ssl;
+} sec_channel[SEC_MAX];
+
+/*! \brief
+   this has to be called before any other function dealing with ssl.
+*/
+int init_secure(char* certfile);
+
+/*! \brief
+   Returns the real fd, that is received from os, when we accept the connection.
+*/
+int get_real_fd(int fd);
+
+/*!  \brief
+   Returns the ssl structure from the fd.  
+*/
+SSL *get_ssl(int fd);
+
+/*! \brief
+   Returns the availabe security slot. This restricts the maximun number of security connection, 
+   the asterisk server can have for AMI. 
+*/
+int sec_getslot(void);
+
+/*! \brief
+   Accepts the connection, if the security is enabled it returns the negative fd. -1 is flase, -2, -3 
+   etc are ssl connections. 
+*/ 
+int saccept(int s);
+
+/*!  \brief
+   Sends the data over secured or unsecured connections. 
+*/ 
+int m_send(int fd, const void *data, size_t len);
+
+
+/*! \brief
+   Receives the connection from either ssl or fd.
+*/
+int m_recv(int s, void *buf, size_t len, int flags);
+
+
+/*! \brief
+  Needs to be called instead of close() to close a socket.
+  It also closes the ssl meta connection.
+*/
+
+int close_sock(int socket);
+
+int errexit(char s[]);
+
+int is_encrypt_request(int sslclhellotimeout, int fd);
+#ifdef __cplusplus
+}
+#endif
+
+
+#endif
diff --git a/src/ssl.c b/src/ssl.c
new file mode 100644
index 0000000..c912435
--- /dev/null
+++ b/src/ssl.c
@@ -0,0 +1,313 @@
+/*
+ * Asterisk -- An open source telephony toolkit.
+ *
+ * Copyright (C) 2006, Tello Corporation, Inc.
+ *
+ * Remco Treffkorn(Architect) and Mahesh Karoshi(Senior Software Developer)
+ *
+ * See http://www.asterisk.org for more information about
+ * the Asterisk project. Please do not directly contact
+ * any of the maintainers of this project for assistance;
+ * the project provides a web site, mailing lists and IRC
+ * channels for your use.
+ *
+ * This program is free software, distributed under the terms of
+ * the GNU General Public License Version 2. See the LICENSE file
+ * at the top of the source tree.
+ */
+
+/*! \file
+ *
+ * \brief SSL for The Asterisk Management Interface - AMI
+ *
+ * Channel Management and more
+ *
+ * \author Remco Treffkorn(Architect) and Mahesh Karoshi(Senior Software Developer)
+ * \ref amiconf
+ */
+
+/*! \addtogroup Group_AMI AMI functions
+*/
+/*! @{
+ Doxygen group */
+
+/*! \note We use negative file descriptors for secure channels. The file descriptor
+   -1 is reseved for errors. -2 to -... are secure file descriptors. 0  to ...
+   are regular file descriptors.
+
+   NOTE: Commonly error checks for routines returning fd's are done with (value<0).
+   You must check for (value==-1) instead, since all other negative fd's now
+   are valid fd's.
+*/
+#ifdef AMI_WITH_SSL
+#include <sys/types.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <ctype.h>
+#include <errno.h>
+#include <time.h>
+#include <sys/time.h>
+#include <stdio.h> 
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+
+#include "asterisk.h"
+ASTERISK_FILE_VERSION(__FILE__, "$Revision: 15611 $")
+
+#include "asterisk/logger.h"
+#include "asterisk/options.h"
+#include "asterisk/config.h"
+#include "asterisk/ssl_addon.h"
+
+SSL_CTX *sctx;
+static long rec_bytes;
+static long sent_bytes;
+static int ssl_initialized;
+
+
+/*! \brief this has to be called before any other function dealing with ssl.
+   Initializes all the ssl related stuff here.  */
+int init_secure(char *certfile)
+{
+    	SSL_METHOD *meth;
+
+	SSLeay_add_ssl_algorithms();
+	SSL_load_error_strings();
+
+	/* server init */
+	meth = SSLv23_server_method();
+	sctx = SSL_CTX_new(meth);
+
+	if (!sctx) {
+		return errexit("Failed to create a server ssl context!");
+	}
+
+	if (SSL_CTX_use_certificate_file(sctx, certfile, SSL_FILETYPE_PEM) <= 0) {
+		return errexit("Failed to use the certificate file!");
+	}
+
+	if (SSL_CTX_use_PrivateKey_file(sctx, certfile, SSL_FILETYPE_PEM) <= 0) {
+		return errexit("Failed to use the key file!\n");
+	}
+
+	if (!SSL_CTX_check_private_key(sctx)) {
+		return errexit("Private key does not match the certificate public key");
+	}
+	ssl_initialized = 1;
+	return 0;
+}
+
+/*! \brief Takes the negative ssl fd and returns the positive fd recieved from the os. 
+ * 	It goes through arrray of fixed maximum number of secured channels. 
+*/
+int get_real_fd(int fd)
+{
+	if (fd<-1) {
+		fd =  -fd - 2;
+		if (fd>=0 && fd <SEC_MAX)
+	    		fd = sec_channel[fd].fd;
+		else fd = -1;
+
+	}
+	return fd;
+}
+
+/*! \brief    Returns the SSL pointer from the fd. This structure is filled when we accept 
+ *     the ssl connection and used 
+ *     for reading and writing through ssl.
+*/
+SSL *get_ssl(int fd)
+{
+	SSL *ssl = NULL;
+
+	fd = -fd - 2;
+
+	if (fd>=0 && fd <SEC_MAX)
+		ssl = sec_channel[fd].ssl;
+
+	return ssl;
+}
+
+/*! \brief    Returns the empty ssl slot. Used to save ssl information.
+*/
+int sec_getslot(void)
+{
+	int i;
+
+	for (i=0; i<SEC_MAX; i++) {
+		if(sec_channel[i].ssl==NULL)
+	    		break;
+	}
+
+	if (i==SEC_MAX)
+		return -1;
+	return i;
+}
+
+/*! \brief     Accepts the ssl connection. Retrurns the negative fd. negative fd's are 
+ *	choosen to differentiate between ssl and non-ssl connections. positive 
+ *	fd's are used for non-ssl connections and negative fd's are used for ssl 
+ *	connections. So we purposefully calculate and return negative fds. 
+ *	You can always get positive fd by calling get_real_fd(negative fd). 
+ *	The positive fd's are required for system calls.
+ *
+*/
+int saccept(int s)
+{
+	int fd, err;
+	SSL* ssl;
+
+	if (!ssl_initialized)
+		return s;
+
+	if (((fd=sec_getslot())!=-1))  {
+		ssl=SSL_new(sctx);
+		SSL_set_fd(ssl, s);
+		sec_channel[fd].ssl = ssl;	/* remember ssl */
+		sec_channel[fd].fd = s;		/* remember the real fd */
+		do {
+			err = SSL_accept(ssl);
+			err = SSL_get_error(ssl, err);
+		} while( err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
+
+		SSL_set_mode(ssl, SSL_MODE_ENABLE_PARTIAL_WRITE);
+		ast_log(LOG_DEBUG, "ssl_addon: Connection accepted");
+
+		err=1;
+
+		fd = -(fd+2);
+
+		if (err!=1 || !ssl) {
+		    /* it did not work */
+		    sec_channel[fd].ssl = NULL;	/* free the slot */
+		    fd = -1;
+		}
+	}
+	return fd;
+}
+
+/*!	
+ * \brief Writes through secured ssl connection 
+*/
+int m_send(int fd, const void *data, size_t len)
+{
+	sent_bytes += len;
+
+	if (fd < -1) {
+		SSL* ssl = get_ssl(fd);
+		return SSL_write(ssl, data, len);
+	}
+	return write(fd, data, len);
+}
+
+/*!
+ * \brief	Receives data from the SSL connection. 
+*/
+int m_recv(int s, void *buf, size_t len, int flags)
+{
+	int ret = 0;
+
+	if (s<-1) {
+		SSL* ssl = get_ssl(s);
+		ret = SSL_read (ssl, buf, len);
+	} else
+		ret = recv(s, buf, len, flags);
+
+	if (ret > 0)
+		rec_bytes += ret;
+
+	if (option_debug > 2)
+		ast_log(LOG_DEBUG, "Received data from SSL socket - %d\n", ret);
+	return ret;
+}
+
+
+/*! \brief
+	Needs to be called instead of close() to close a socket.
+	It also closes the SSL meta connection.
+*/
+
+int close_sock(int socket)
+{
+	int ret=0;
+	SSL* ssl = NULL;
+
+	if (socket < -1) {
+		socket = - socket - 2;
+
+		ssl = sec_channel[socket].ssl;
+		sec_channel[socket].ssl = NULL;
+		socket = sec_channel[socket].fd;
+	}
+
+	ret= close(socket);
+
+	if (ssl)
+		SSL_free (ssl);
+
+	return(ret);
+}
+
+/*! \brief This process cannot continue without fixing this error. 
+*/
+int errexit(char s[])
+{
+    	ast_log(LOG_ERROR, "SSL critical error: %s", s);
+	return -1;
+}
+
+/*!  \brief Checks whether the client is requesting an ssl encrypted connection or not. If its encrypted
+ *   request we expect "Client Hello" in the beginning of the message and ssl version 2.
+ *   This can be verified by checking buf[0x02], buf[0x03] and buf[0x04]. If the contents are
+ *   0x01, 0x00, 0x02, then its an ssl packet with content "Client Hello", "SSL version 2".
+ *   For SSL version 3, we might need to check for 0x01, 0x00, 0x03.
+ *
+*/
+int is_encrypt_request(int sslclhellotimeout, int fd)
+{
+        fd_set listeners;
+        struct timeval tv;
+        char buf[1024];
+        int ready_fdescriptors;
+        int ret;
+
+        tv.tv_sec = 0;
+        tv.tv_usec = sslclhellotimeout * 1000;
+
+        FD_ZERO(&listeners);
+        FD_SET(fd, &listeners);
+
+        ready_fdescriptors = select (fd + 1, &listeners, NULL, NULL, &tv);
+
+        if (ready_fdescriptors < 0 ) {
+                ast_log(LOG_ERROR, "select returned error, This should not happen: \n");
+                return 0;
+        } else if (ready_fdescriptors == 0) {
+                return 0;
+        }
+        ret = recv(fd, buf, 100, MSG_PEEK);
+        if(ret > 0) {
+	    	/* check for sslv3  or tls*/
+	    	if ((buf[0x00] == 0x16) && (buf[0x01] == 0x03) &&
+			/* for tls buf[0x02] = 0x01 and ssl v3 buf[0x02] = 0x02 */
+			((buf[0x02] == 0x00) || (buf[0x02] == 0x01))) {
+			if (option_debug > 1)
+		    		ast_log(LOG_DEBUG, "Received a SSL request\n");
+			return 1;
+		/* check for sslv23_client_method */
+		} else if ((buf[0x02] == 0x01) && (buf[0x03] == 0x03) && (buf[0x04] == 0x01)) {
+			if (option_debug > 1)
+		    		ast_log(LOG_DEBUG, "Received a SSL request for SSLv23_client_method()\n");
+			return 1;
+		}
+		/* check for sslv2 and return -1 */
+		else if ((buf[0x02] == 0x01) && (buf[0x03] == 0x00) && (buf[0x04] == 0x02)) {
+		    	return -1;
+		}
+        }
+        return 0;
+}
+#endif