From 273e500c262b84c8cd9a2249ba8955e6f3ff8c74 Mon Sep 17 00:00:00 2001 From: David Troy Date: Sun, 2 Apr 2006 17:32:12 +0000 Subject: git-svn-id: http://svncommunity.digium.com/svn/astmanproxy/branches/1.20pre@59 f02b47b9-160a-0410-81a6-dc3441afb0ec --- src/astmanproxy.c | 38 ++++++++++++++++++++++++++++++++++---- src/common.c | 2 +- src/config.c | 7 ++++++- src/include/astmanproxy.h | 9 +++++---- src/ssl.c | 2 +- 5 files changed, 47 insertions(+), 11 deletions(-) (limited to 'src') diff --git a/src/astmanproxy.c b/src/astmanproxy.c index 0a3a172..29259d3 100644 --- a/src/astmanproxy.c +++ b/src/astmanproxy.c @@ -78,7 +78,7 @@ void leave(int sig) { c->output->write(c, &cm); logmsg("Shutdown, closed client %s", ast_inet_ntoa(iabuf, sizeof(iabuf), c->sin.sin_addr)); } - close(c->fd); + close_sock(c->fd); /* close tcp & ssl socket */ pthread_mutex_destroy(&c->lock); free(c); } @@ -95,7 +95,7 @@ void leave(int sig) { if (debug) debugmsg("Closing listener socket"); - close(asock); + close_sock(asock); /* close tcp & ssl socket */ /* unload io handlers */ while (iohandlers) { @@ -154,7 +154,7 @@ void destroy_session(struct mansession *s) sessions = cur->next; debugmsg("Connection closed: %s", ast_inet_ntoa(iabuf, sizeof(iabuf), s->sin.sin_addr)); if (s->fd > -1) - close(s->fd); + close_sock(s->fd); /* close tcp & ssl socket */ pthread_mutex_destroy(&s->lock); free(s); } else @@ -183,7 +183,7 @@ int WriteClients(struct message *m) { } else c->output->write(c, m); if ( c->input->autodisconnect && c->input->autodisconnect() ) - close(c->fd); + close_sock(c->fd); /* close tcp & ssl socket */ } c = c->next; } @@ -517,6 +517,7 @@ static void *accept_thread() int flags; pthread_attr_t attr; char iabuf[INET_ADDRSTRLEN]; + int is_encrypted; pthread_attr_init(&attr); pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED); 
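Review bot: In the WriteClients hunk, `close_sock(c->fd)` on autodisconnect leaves `c->fd` holding the number of a closed descriptor while the session stays in the list, so destroy_session's `if (s->fd > -1) close_sock(s->fd)` (also in this commit) closes it a second time; because the kernel reuses descriptor numbers, that second close can land on a socket that by then belongs to a newer client. The double close predates the commit (the old code called close()), but close_sock presumably also tears down per-descriptor SSL state, which makes the repeated teardown worth fixing while these call sites are being touched: `close_sock(c->fd); c->fd = -1;`. The leave() hunks have the same shape but free the session immediately, so they are not affected. WriteClients continues outside the hunk, and whether other code reads c->fd after the autodisconnect is not visible here.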
@@ -534,6 +535,35 @@ static void *accept_thread() logmsg("Failed to set listener tcp connection to TCP_NODELAY mode: %s\n", strerror(errno)); } } + + /* SSL stuff below */ + is_encrypted = is_encrypt_request(pc.sslclhellotimeout, as); + if (is_encrypted > 0) { + if (!pc.acceptencryptedconnection) { + if( debug ) + debugmsg("Accepting encrypted connection disabled, closing the connection \n"); + close_sock(as); + continue; + } else { + if((as = saccept(as)) >= 0 ) { + if( debug ) + debugmsg("Can't accept the ssl connection, since SSL init has failed for certificate reason\n"); + close_sock(as); + continue; + } + } + } else if (is_encrypted == -1) { + logmsg("SSL version 2 is unsecure, we don't support it\n"); + close_sock(as); + continue; + } + if ( (! pc.acceptunencryptedconnection) && (as >= 0)) { + logmsg("Unencrypted connections are not accepted and we received an unencrypted connection request\n"); + close_sock(as); + continue; + } + /* SSL stuff end */ + s = malloc(sizeof(struct mansession)); if ( !s ) { logmsg("Failed to allocate listener session: %s\n", strerror(errno)); diff --git a/src/common.c b/src/common.c index b52ee59..8ec016d 100644 --- a/src/common.c +++ b/src/common.c @@ -143,7 +143,7 @@ done: fcntl(sockfd, F_SETFL, flags); /* restore file status flags */ if (error) { - /* close(sockfd); */ /* disable for now, we want to retry... */ + /* close(sockfd); */ /* we want to retry... */ errno = error; return(-1); } diff --git a/src/config.c b/src/config.c index 824043b..29213ad 100644 --- a/src/config.c +++ b/src/config.c @@ -105,6 +105,8 @@ void *processline(char *s) { pc.acceptencryptedconnection = strcmp(value,"yes") ? 0 : 1; else if (!strcmp(name,"acceptunencryptedconnection") ) pc.acceptunencryptedconnection = strcmp(value,"yes") ? 0 : 1; + else if (!strcmp(name,"certfile") ) + strcpy(pc.certfile, value); else if (!strcmp(name,"proxykey") ) strcpy(pc.key, value); else if (!strcmp(name,"proc_user") ) 
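Review bot: The saccept() test in the new SSL block is inverted: `if((as = saccept(as)) >= 0 )` treats a successful handshake as the failure case, logs the certificate error, closes the freshly negotiated socket and `continue`s, while a negative return falls through to `s = malloc(...)` with `as` now holding that negative value, and because `as` was overwritten the original descriptor can no longer be closed on that path. A second problem is the trailing unencrypted-connection check: it only tests `as >= 0`, so once the inversion is fixed an accepted SSL connection would still be rejected with the "Unencrypted connections are not accepted" message whenever acceptunencryptedconnection is off; it should be gated on `is_encrypted <= 0`. The rewrite below keeps the plain descriptor in `as` until saccept() has succeeded and needs `int sas;` declared next to `is_encrypted` in the earlier declarations hunk; it assumes saccept() returns a negative value on failure and does not itself close the descriptor, which the hunk does not show. accept_thread continues on both sides of the hunk.
```c
			is_encrypted = is_encrypt_request(pc.sslclhellotimeout, as);
			if (is_encrypted > 0) {
				/* … unchanged: acceptencryptedconnection disabled -> close_sock(as); continue; … */
				sas = saccept(as);	/* keep the plain descriptor in 'as' until the handshake succeeds */
				if (sas < 0) {
					if( debug )
						debugmsg("Can't accept the ssl connection, since SSL init has failed for certificate reason\n");
					close_sock(as);
					continue;
				}
				as = sas;
			} else if (is_encrypted == -1) {
				/* … unchanged: SSLv2 rejection … */
			}
			/* an accepted SSL connection must not be rejected by the unencrypted policy */
			if (is_encrypted <= 0 && !pc.acceptunencryptedconnection) {
				logmsg("Unencrypted connections are not accepted and we received an unencrypted connection request\n");
				close_sock(as);
				continue;
			}
```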
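Review bot: `strcpy(pc.certfile, value)` in processline copies an unbounded config value into the 256-byte `certfile` field this commit adds in astmanproxy.h, so an overlong line in the config file writes past the end of that field into the rest of `pc`. It follows the pattern of the neighbouring `strcpy(pc.key, value)`, but the new copy should be bounded, `snprintf(pc.certfile, sizeof pc.certfile, "%s", value);`, and since a truncated certificate path is as unusable as an overflowed one it is worth logging when the value does not fit instead of silently shortening it. The config file is operator-controlled, so this is mainly a robustness issue, but the same bound applies to the key, proc_user, proc_group and logfile copies that sit next to it. processline continues outside the hunk.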
@@ -217,7 +219,7 @@ int ReadConfig() { /* Set nonzero config defaults */ pc.asteriskwritetimeout = 100; pc.clientwritetimeout = 100; - pc.sslclhellotimeout = 200; + pc.sslclhellotimeout = 500; sprintf(cfn, "%s/%s", CDIR, CFILE); FP = fopen( cfn, "r" ); @@ -238,6 +240,9 @@ int ReadConfig() { fclose(FP); + /* initialize SSL layer with our server certfile */ + init_secure(pc.certfile); + return 0; } diff --git a/src/include/astmanproxy.h b/src/include/astmanproxy.h index fdd783d..6c4ef0b 100644 --- a/src/include/astmanproxy.h +++ b/src/include/astmanproxy.h @@ -63,16 +63,17 @@ struct proxyconfig { char outputformat[80]; int autofilter; char key[80]; - char proc_user[30]; - char proc_group[30]; - char logfile[80]; + char proc_user[40]; + char proc_group[40]; + char logfile[256]; int retryinterval; int maxretries; int asteriskwritetimeout; /* ms to wait when writing to asteriskfor ast_carefulwrite */ int clientwritetimeout; /* ms to wait when writing to client ast_carefulwrite */ int sslclhellotimeout; /* ssl client hello timeout -- how long to wait before assuming not ssl */ - int acceptencryptedconnection; /* accept encrypted connections? */ + int acceptencryptedconnection; /* accept encrypted connections? */ int acceptunencryptedconnection; /* accept unencrypted connections? */ + char certfile[256]; /* our SERVER-side SSL certificate file */ }; struct iohandler { diff --git a/src/ssl.c b/src/ssl.c index b884eac..c4377cd 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -215,7 +215,7 @@ int m_recv(int s, void *buf, size_t len, int flags) rec_bytes += ret; if (debug) - debugmsg("Received data from SSL socket - %d\n", ret); + debugmsg("Received data from SSL socket - %d", ret); return ret; } -- cgit
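Review bot: `init_secure(pc.certfile);` is called unconditionally at the end of ReadConfig and its result is discarded, so a missing or unreadable certificate file leaves ReadConfig returning 0 and the failure only surfaces later, per connection, in accept_thread's saccept() path. If init_secure reports failure through its return value (its signature is not in the diff), that value should be checked, and when `pc.acceptencryptedconnection` is set the proxy should refuse to start rather than run with SSL silently broken; when it is not set, initialising the SSL layer with an empty certfile is unnecessary. Something like `if (init_secure(pc.certfile) < 0 && pc.acceptencryptedconnection) { logmsg("SSL init failed for certfile %s\n", pc.certfile); return -1; }`, with the failure convention and ReadConfig's nonzero-return handling in the caller confirmed, since neither is visible here.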