diff options
author | David Troy <dave@popvox.com> | 2006-04-01 17:12:46 +0000 |
---|---|---|
committer | David Troy <dave@popvox.com> | 2006-04-01 17:12:46 +0000 |
commit | d42357d54b2c933a95ac637c9c1e521b3dbf0a16 (patch) | |
tree | c2ff48d3a24b250c6d8519360cfe1b96ead54251 /src | |
parent | aa8304c0664b780dd47cb2a662664f897a8e7c34 (diff) | |
download | astmanproxy-d42357d54b2c933a95ac637c9c1e521b3dbf0a16.tar.gz astmanproxy-d42357d54b2c933a95ac637c9c1e521b3dbf0a16.tar.xz astmanproxy-d42357d54b2c933a95ac637c9c1e521b3dbf0a16.zip |
git-svn-id: http://svncommunity.digium.com/svn/astmanproxy/branches/1.20pre@40 f02b47b9-160a-0410-81a6-dc3441afb0ec
Diffstat (limited to 'src')
-rw-r--r-- | src/include/ssl.h | 91 | ||||
-rw-r--r-- | src/ssl.c | 313 |
2 files changed, 404 insertions, 0 deletions
diff --git a/src/include/ssl.h b/src/include/ssl.h new file mode 100644 index 0000000..a52b424 --- /dev/null +++ b/src/include/ssl.h @@ -0,0 +1,91 @@ +/* + * ssl_addon: Encrypts the asterisk management interface + * + * Copyrights: + * Copyright (C) 2005-2006, Tello Corporation, Inc. + * + * Contributors: + * Remco Treffkorn(Architect) and Mahesh Karoshi + * + * This program is free software, distributed under the terms of + * the GNU Lesser (Library) General Public License + * + * Copyright on this file is disclaimed to Digium for inclusion in Asterisk + */ + +#ifndef _SSL_ADDON_H_ +#define _SSL_ADDON_H_ + +#include <openssl/ssl.h> + + +#ifdef __cplusplus +extern "C" { +#endif + +/*! \brief + This data structure holds the additional SSL data needed to use the ssl functions. + The negative fd is used as an index into this data structure (after processing). + Choose SEC_MAX to be impossibly large for the application. +*/ +#define SEC_MAX 8 +struct { + int fd; + SSL* ssl; +} sec_channel[SEC_MAX]; + +/*! \brief + this has to be called before any other function dealing with ssl. +*/ +int init_secure(char* certfile); + +/*! \brief + Returns the real fd, that is received from os, when we accept the connection. +*/ +int get_real_fd(int fd); + +/*! \brief + Returns the ssl structure from the fd. +*/ +SSL *get_ssl(int fd); + +/*! \brief + Returns the availabe security slot. This restricts the maximun number of security connection, + the asterisk server can have for AMI. +*/ +int sec_getslot(void); + +/*! \brief + Accepts the connection, if the security is enabled it returns the negative fd. -1 is flase, -2, -3 + etc are ssl connections. +*/ +int saccept(int s); + +/*! \brief + Sends the data over secured or unsecured connections. +*/ +int m_send(int fd, const void *data, size_t len); + + +/*! \brief + Receives the connection from either ssl or fd. +*/ +int m_recv(int s, void *buf, size_t len, int flags); + + +/*! \brief + Needs to be called instead of close() to close a socket. + It also closes the ssl meta connection. +*/ + +int close_sock(int socket); + +int errexit(char s[]); + +int is_encrypt_request(int sslclhellotimeout, int fd); +#ifdef __cplusplus +} +#endif + + +#endif diff --git a/src/ssl.c b/src/ssl.c new file mode 100644 index 0000000..c912435 --- /dev/null +++ b/src/ssl.c @@ -0,0 +1,313 @@ +/* + * Asterisk -- An open source telephony toolkit. + * + * Copyright (C) 2006, Tello Corporation, Inc. + * + * Remco Treffkorn(Architect) and Mahesh Karoshi(Senior Software Developer) + * + * See http://www.asterisk.org for more information about + * the Asterisk project. Please do not directly contact + * any of the maintainers of this project for assistance; + * the project provides a web site, mailing lists and IRC + * channels for your use. + * + * This program is free software, distributed under the terms of + * the GNU General Public License Version 2. See the LICENSE file + * at the top of the source tree. + */ + +/*! \file + * + * \brief SSL for The Asterisk Management Interface - AMI + * + * Channel Management and more + * + * \author Remco Treffkorn(Architect) and Mahesh Karoshi(Senior Software Developer) + * \ref amiconf + */ + +/*! \addtogroup Group_AMI AMI functions +*/ +/*! @{ + Doxygen group */ + +/*! \note We use negative file descriptors for secure channels. The file descriptor + -1 is reseved for errors. -2 to -... are secure file descriptors. 0 to ... + are regular file descriptors. + + NOTE: Commonly error checks for routines returning fd's are done with (value<0). + You must check for (value==-1) instead, since all other negative fd's now + are valid fd's. +*/ +#ifdef AMI_WITH_SSL +#include <sys/types.h> +#include <string.h> +#include <unistd.h> +#include <stdlib.h> +#include <stdio.h> +#include <ctype.h> +#include <errno.h> +#include <time.h> +#include <sys/time.h> +#include <stdio.h> +#include <sys/socket.h> +#include <netinet/in.h> +#include <netinet/tcp.h> + +#include "asterisk.h" +ASTERISK_FILE_VERSION(__FILE__, "$Revision: 15611 $") + +#include "asterisk/logger.h" +#include "asterisk/options.h" +#include "asterisk/config.h" +#include "asterisk/ssl_addon.h" + +SSL_CTX *sctx; +static long rec_bytes; +static long sent_bytes; +static int ssl_initialized; + + +/*! \brief this has to be called before any other function dealing with ssl. + Initializes all the ssl related stuff here. */ +int init_secure(char *certfile) +{ + SSL_METHOD *meth; + + SSLeay_add_ssl_algorithms(); + SSL_load_error_strings(); + + /* server init */ + meth = SSLv23_server_method(); + sctx = SSL_CTX_new(meth); + + if (!sctx) { + return errexit("Failed to create a server ssl context!"); + } + + if (SSL_CTX_use_certificate_file(sctx, certfile, SSL_FILETYPE_PEM) <= 0) { + return errexit("Failed to use the certificate file!"); + } + + if (SSL_CTX_use_PrivateKey_file(sctx, certfile, SSL_FILETYPE_PEM) <= 0) { + return errexit("Failed to use the key file!\n"); + } + + if (!SSL_CTX_check_private_key(sctx)) { + return errexit("Private key does not match the certificate public key"); + } + ssl_initialized = 1; + return 0; +} + +/*! \brief Takes the negative ssl fd and returns the positive fd recieved from the os. + * It goes through arrray of fixed maximum number of secured channels. +*/ +int get_real_fd(int fd) +{ + if (fd<-1) { + fd = -fd - 2; + if (fd>=0 && fd <SEC_MAX) + fd = sec_channel[fd].fd; + else fd = -1; + + } + return fd; +} + +/*! \brief Returns the SSL pointer from the fd. This structure is filled when we accept + * the ssl connection and used + * for reading and writing through ssl. +*/ +SSL *get_ssl(int fd) +{ + SSL *ssl = NULL; + + fd = -fd - 2; + + if (fd>=0 && fd <SEC_MAX) + ssl = sec_channel[fd].ssl; + + return ssl; +} + +/*! \brief Returns the empty ssl slot. Used to save ssl information. +*/ +int sec_getslot(void) +{ + int i; + + for (i=0; i<SEC_MAX; i++) { + if(sec_channel[i].ssl==NULL) + break; + } + + if (i==SEC_MAX) + return -1; + return i; +} + +/*! \brief Accepts the ssl connection. Retrurns the negative fd. negative fd's are + * choosen to differentiate between ssl and non-ssl connections. positive + * fd's are used for non-ssl connections and negative fd's are used for ssl + * connections. So we purposefully calculate and return negative fds. + * You can always get positive fd by calling get_real_fd(negative fd). + * The positive fd's are required for system calls. + * +*/ +int saccept(int s) +{ + int fd, err; + SSL* ssl; + + if (!ssl_initialized) + return s; + + if (((fd=sec_getslot())!=-1)) { + ssl=SSL_new(sctx); + SSL_set_fd(ssl, s); + sec_channel[fd].ssl = ssl; /* remember ssl */ + sec_channel[fd].fd = s; /* remember the real fd */ + do { + err = SSL_accept(ssl); + err = SSL_get_error(ssl, err); + } while( err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE); + + SSL_set_mode(ssl, SSL_MODE_ENABLE_PARTIAL_WRITE); + ast_log(LOG_DEBUG, "ssl_addon: Connection accepted"); + + err=1; + + fd = -(fd+2); + + if (err!=1 || !ssl) { + /* it did not work */ + sec_channel[fd].ssl = NULL; /* free the slot */ + fd = -1; + } + } + return fd; +} + +/*! + * \brief Writes through secured ssl connection +*/ +int m_send(int fd, const void *data, size_t len) +{ + sent_bytes += len; + + if (fd < -1) { + SSL* ssl = get_ssl(fd); + return SSL_write(ssl, data, len); + } + return write(fd, data, len); +} + +/*! + * \brief Receives data from the SSL connection. +*/ +int m_recv(int s, void *buf, size_t len, int flags) +{ + int ret = 0; + + if (s<-1) { + SSL* ssl = get_ssl(s); + ret = SSL_read (ssl, buf, len); + } else + ret = recv(s, buf, len, flags); + + if (ret > 0) + rec_bytes += ret; + + if (option_debug > 2) + ast_log(LOG_DEBUG, "Received data from SSL socket - %d\n", ret); + return ret; +} + + +/*! \brief + Needs to be called instead of close() to close a socket. + It also closes the SSL meta connection. +*/ + +int close_sock(int socket) +{ + int ret=0; + SSL* ssl = NULL; + + if (socket < -1) { + socket = - socket - 2; + + ssl = sec_channel[socket].ssl; + sec_channel[socket].ssl = NULL; + socket = sec_channel[socket].fd; + } + + ret= close(socket); + + if (ssl) + SSL_free (ssl); + + return(ret); +} + +/*! \brief This process cannot continue without fixing this error. +*/ +int errexit(char s[]) +{ + ast_log(LOG_ERROR, "SSL critical error: %s", s); + return -1; +} + +/*! \brief Checks whether the client is requesting an ssl encrypted connection or not. If its encrypted + * request we expect "Client Hello" in the beginning of the message and ssl version 2. + * This can be verified by checking buf[0x02], buf[0x03] and buf[0x04]. If the contents are + * 0x01, 0x00, 0x02, then its an ssl packet with content "Client Hello", "SSL version 2". + * For SSL version 3, we might need to check for 0x01, 0x00, 0x03. + * +*/ +int is_encrypt_request(int sslclhellotimeout, int fd) +{ + fd_set listeners; + struct timeval tv; + char buf[1024]; + int ready_fdescriptors; + int ret; + + tv.tv_sec = 0; + tv.tv_usec = sslclhellotimeout * 1000; + + FD_ZERO(&listeners); + FD_SET(fd, &listeners); + + ready_fdescriptors = select (fd + 1, &listeners, NULL, NULL, &tv); + + if (ready_fdescriptors < 0 ) { + ast_log(LOG_ERROR, "select returned error, This should not happen: \n"); + return 0; + } else if (ready_fdescriptors == 0) { + return 0; + } + ret = recv(fd, buf, 100, MSG_PEEK); + if(ret > 0) { + /* check for sslv3 or tls*/ + if ((buf[0x00] == 0x16) && (buf[0x01] == 0x03) && + /* for tls buf[0x02] = 0x01 and ssl v3 buf[0x02] = 0x02 */ + ((buf[0x02] == 0x00) || (buf[0x02] == 0x01))) { + if (option_debug > 1) + ast_log(LOG_DEBUG, "Received a SSL request\n"); + return 1; + /* check for sslv23_client_method */ + } else if ((buf[0x02] == 0x01) && (buf[0x03] == 0x03) && (buf[0x04] == 0x01)) { + if (option_debug > 1) + ast_log(LOG_DEBUG, "Received a SSL request for SSLv23_client_method()\n"); + return 1; + } + /* check for sslv2 and return -1 */ + else if ((buf[0x02] == 0x01) && (buf[0x03] == 0x00) && (buf[0x04] == 0x02)) { + return -1; + } + } + return 0; +} +#endif |