diff options
author | kpfleming <kpfleming@f38db490-d61c-443f-a65b-d21fe96a405b> | 2008-10-19 19:11:28 +0000 |
---|---|---|
committer | kpfleming <kpfleming@f38db490-d61c-443f-a65b-d21fe96a405b> | 2008-10-19 19:11:28 +0000 |
commit | 2b799006a14dcf6677df848ee66732d2cf0ba7ec (patch) | |
tree | bea89853faca5cdbd5de5c469f8726139ecd610b /main | |
parent | e5859a4d316d4ade0c04b9b4a19232233770784e (diff) |
cleaup of the TCP/TLS socket API:
1) rename 'struct server_args' to 'struct ast_tcptls_session_args', to follow coding guidelines
2) make ast_make_file_from_fd() static and rename it to something that indicates what it really is for (again coding guidelines)
3) rename address variables inside 'struct ast_tcptls_session_args' to be more descriptive (dare i say it... coding guidelines)
4) change ast_tcptls_client_start() to use the new 'remote_address' field of the session args for the destination of the connection, and use the 'local_address' field to bind() the socket to the proper source address, if one is supplied
5) in chan_sip, ensure that we pass in the PP address we are bound to when creating outbound (client) connections, so that our connections will appear from the correct address
git-svn-id: http://svn.digium.com/svn/asterisk/trunk@151101 f38db490-d61c-443f-a65b-d21fe96a405b
Diffstat (limited to 'main')
-rw-r--r-- | main/http.c | 41 | ||||
-rw-r--r-- | main/manager.c | 40 | ||||
-rw-r--r-- | main/tcptls.c | 256 |
3 files changed, 176 insertions, 161 deletions
diff --git a/main/http.c b/main/http.c index b1bb878f7..f7a1e18a0 100644 --- a/main/http.c +++ b/main/http.c @@ -50,6 +50,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$") #include "asterisk/ast_version.h" #include "asterisk/manager.h" #include "asterisk/_private.h" +#include "asterisk/astobj2.h" #define MAX_PREFIX 80 @@ -65,7 +66,7 @@ static void *httpd_helper_thread(void *arg); /*! * we have up to two accepting threads, one for http, one for https */ -static struct server_args http_desc = { +static struct ast_tcptls_session_args http_desc = { .accept_fd = -1, .master = AST_PTHREADT_NULL, .tls_cfg = NULL, @@ -75,7 +76,7 @@ static struct server_args http_desc = { .worker_fn = httpd_helper_thread, }; -static struct server_args https_desc = { +static struct ast_tcptls_session_args https_desc = { .accept_fd = -1, .master = AST_PTHREADT_NULL, .tls_cfg = &http_tls_cfg, @@ -254,13 +255,13 @@ static struct ast_str *httpstatus_callback(struct ast_tcptls_session_instance *s "<h2> Asterisk™ HTTP Status</h2></td></tr>\r\n"); ast_str_append(&out, 0, "<tr><td><i>Prefix</i></td><td><b>%s</b></td></tr>\r\n", prefix); ast_str_append(&out, 0, "<tr><td><i>Bind Address</i></td><td><b>%s</b></td></tr>\r\n", - ast_inet_ntoa(http_desc.oldsin.sin_addr)); + ast_inet_ntoa(http_desc.old_local_address.sin_addr)); ast_str_append(&out, 0, "<tr><td><i>Bind Port</i></td><td><b>%d</b></td></tr>\r\n", - ntohs(http_desc.oldsin.sin_port)); + ntohs(http_desc.old_local_address.sin_port)); if (http_tls_cfg.enabled) { ast_str_append(&out, 0, "<tr><td><i>SSL Bind Port</i></td><td><b>%d</b></td></tr>\r\n", - ntohs(https_desc.oldsin.sin_port)); + ntohs(https_desc.old_local_address.sin_port)); } ast_str_append(&out, 0, "<tr><td colspan=\"2\"><hr></td></tr>\r\n"); @@ -857,11 +858,11 @@ static int __ast_http_load(int reload) } /* default values */ - memset(&http_desc.sin, 0, sizeof(http_desc.sin)); - http_desc.sin.sin_port = htons(8088); + memset(&http_desc.local_address, 0, sizeof(http_desc.local_address)); + http_desc.local_address.sin_port = htons(8088); - memset(&https_desc.sin, 0, sizeof(https_desc.sin)); - https_desc.sin.sin_port = htons(8089); + memset(&https_desc.local_address, 0, sizeof(https_desc.local_address)); + https_desc.local_address.sin_port = htons(8089); http_tls_cfg.enabled = 0; if (http_tls_cfg.certfile) { @@ -887,7 +888,7 @@ static int __ast_http_load(int reload) } else if (!strcasecmp(v->name, "sslenable")) { http_tls_cfg.enabled = ast_true(v->value); } else if (!strcasecmp(v->name, "sslbindport")) { - https_desc.sin.sin_port = htons(atoi(v->value)); + https_desc.local_address.sin_port = htons(atoi(v->value)); } else if (!strcasecmp(v->name, "sslcert")) { ast_free(http_tls_cfg.certfile); http_tls_cfg.certfile = ast_strdup(v->value); @@ -897,17 +898,17 @@ static int __ast_http_load(int reload) } else if (!strcasecmp(v->name, "enablestatic")) { newenablestatic = ast_true(v->value); } else if (!strcasecmp(v->name, "bindport")) { - http_desc.sin.sin_port = htons(atoi(v->value)); + http_desc.local_address.sin_port = htons(atoi(v->value)); } else if (!strcasecmp(v->name, "sslbindaddr")) { if ((hp = ast_gethostbyname(v->value, &ahp))) { - memcpy(&https_desc.sin.sin_addr, hp->h_addr, sizeof(https_desc.sin.sin_addr)); + memcpy(&https_desc.local_address.sin_addr, hp->h_addr, sizeof(https_desc.local_address.sin_addr)); have_sslbindaddr = 1; } else { ast_log(LOG_WARNING, "Invalid bind address '%s'\n", v->value); } } else if (!strcasecmp(v->name, "bindaddr")) { if ((hp = ast_gethostbyname(v->value, &ahp))) { - memcpy(&http_desc.sin.sin_addr, hp->h_addr, sizeof(http_desc.sin.sin_addr)); + memcpy(&http_desc.local_address.sin_addr, hp->h_addr, sizeof(http_desc.local_address.sin_addr)); } else { ast_log(LOG_WARNING, "Invalid bind address '%s'\n", v->value); } @@ -929,10 +930,10 @@ static int __ast_http_load(int reload) } if (!have_sslbindaddr) { - https_desc.sin.sin_addr = http_desc.sin.sin_addr; + https_desc.local_address.sin_addr = http_desc.local_address.sin_addr; } if (enabled) { - http_desc.sin.sin_family = https_desc.sin.sin_family = AF_INET; + http_desc.local_address.sin_family = https_desc.local_address.sin_family = AF_INET; } if (strcmp(prefix, newprefix)) { ast_copy_string(prefix, newprefix, sizeof(prefix)); @@ -967,16 +968,16 @@ static char *handle_show_http(struct ast_cli_entry *e, int cmd, struct ast_cli_a } ast_cli(a->fd, "HTTP Server Status:\n"); ast_cli(a->fd, "Prefix: %s\n", prefix); - if (!http_desc.oldsin.sin_family) { + if (!http_desc.old_local_address.sin_family) { ast_cli(a->fd, "Server Disabled\n\n"); } else { ast_cli(a->fd, "Server Enabled and Bound to %s:%d\n\n", - ast_inet_ntoa(http_desc.oldsin.sin_addr), - ntohs(http_desc.oldsin.sin_port)); + ast_inet_ntoa(http_desc.old_local_address.sin_addr), + ntohs(http_desc.old_local_address.sin_port)); if (http_tls_cfg.enabled) { ast_cli(a->fd, "HTTPS Server Enabled and Bound to %s:%d\n\n", - ast_inet_ntoa(https_desc.oldsin.sin_addr), - ntohs(https_desc.oldsin.sin_port)); + ast_inet_ntoa(https_desc.old_local_address.sin_addr), + ntohs(https_desc.old_local_address.sin_port)); } } diff --git a/main/manager.c b/main/manager.c index a865e0fe0..71e97b8f9 100644 --- a/main/manager.c +++ b/main/manager.c @@ -3105,7 +3105,7 @@ static void *session_do(void *data) /* these fields duplicate those in the 'ser' structure */ s->fd = ser->fd; s->f = ser->f; - s->sin = ser->requestor; + s->sin = ser->remote_address; AST_LIST_HEAD_INIT_NOLOCK(&s->datastores); @@ -3696,7 +3696,7 @@ static void xml_translate(struct ast_str **out, char *in, struct ast_variable *v } static struct ast_str *generic_http_callback(enum output_format format, - struct sockaddr_in *requestor, const char *uri, enum ast_http_method method, + struct sockaddr_in *remote_address, const char *uri, enum ast_http_method method, struct ast_variable *params, int *status, char **title, int *contentlength) { @@ -3725,7 +3725,7 @@ static struct ast_str *generic_http_callback(enum output_format format, *status = 500; goto generic_callback_out; } - s->sin = *requestor; + s->sin = *remote_address; s->fd = -1; s->waiting_thread = AST_PTHREADT_NULL; s->send_events = 0; @@ -3871,17 +3871,17 @@ generic_callback_out: static struct ast_str *manager_http_callback(struct ast_tcptls_session_instance *ser, const struct ast_http_uri *urih, const char *uri, enum ast_http_method method, struct ast_variable *params, struct ast_variable *headers, int *status, char **title, int *contentlength) { - return generic_http_callback(FORMAT_HTML, &ser->requestor, uri, method, params, status, title, contentlength); + return generic_http_callback(FORMAT_HTML, &ser->remote_address, uri, method, params, status, title, contentlength); } static struct ast_str *mxml_http_callback(struct ast_tcptls_session_instance *ser, const struct ast_http_uri *urih, const char *uri, enum ast_http_method method, struct ast_variable *params, struct ast_variable *headers, int *status, char **title, int *contentlength) { - return generic_http_callback(FORMAT_XML, &ser->requestor, uri, method, params, status, title, contentlength); + return generic_http_callback(FORMAT_XML, &ser->remote_address, uri, method, params, status, title, contentlength); } static struct ast_str *rawman_http_callback(struct ast_tcptls_session_instance *ser, const struct ast_http_uri *urih, const char *uri, enum ast_http_method method, struct ast_variable *params, struct ast_variable *headers, int *status, char **title, int *contentlength) { - return generic_http_callback(FORMAT_RAW, &ser->requestor, uri, method, params, status, title, contentlength); + return generic_http_callback(FORMAT_RAW, &ser->remote_address, uri, method, params, status, title, contentlength); } struct ast_http_uri rawmanuri = { @@ -3924,7 +3924,7 @@ static void purge_old_stuff(void *data) } struct ast_tls_config ami_tls_cfg; -static struct server_args ami_desc = { +static struct ast_tcptls_session_args ami_desc = { .accept_fd = -1, .master = AST_PTHREADT_NULL, .tls_cfg = NULL, @@ -3935,7 +3935,7 @@ static struct server_args ami_desc = { .worker_fn = session_do, /* thread handling the session */ }; -static struct server_args amis_desc = { +static struct ast_tcptls_session_args amis_desc = { .accept_fd = -1, .master = AST_PTHREADT_NULL, .tls_cfg = &ami_tls_cfg, @@ -4011,10 +4011,10 @@ static int __init_manager(int reload) } /* default values */ - memset(&ami_desc.sin, 0, sizeof(struct sockaddr_in)); - memset(&amis_desc.sin, 0, sizeof(amis_desc.sin)); - amis_desc.sin.sin_port = htons(5039); - ami_desc.sin.sin_port = htons(DEFAULT_MANAGER_PORT); + memset(&ami_desc.local_address, 0, sizeof(struct sockaddr_in)); + memset(&amis_desc.local_address, 0, sizeof(amis_desc.local_address)); + amis_desc.local_address.sin_port = htons(5039); + ami_desc.local_address.sin_port = htons(DEFAULT_MANAGER_PORT); ami_tls_cfg.enabled = 0; if (ami_tls_cfg.certfile) @@ -4029,10 +4029,10 @@ static int __init_manager(int reload) if (!strcasecmp(var->name, "sslenable")) ami_tls_cfg.enabled = ast_true(val); else if (!strcasecmp(var->name, "sslbindport")) - amis_desc.sin.sin_port = htons(atoi(val)); + amis_desc.local_address.sin_port = htons(atoi(val)); else if (!strcasecmp(var->name, "sslbindaddr")) { if ((hp = ast_gethostbyname(val, &ahp))) { - memcpy(&amis_desc.sin.sin_addr, hp->h_addr, sizeof(amis_desc.sin.sin_addr)); + memcpy(&amis_desc.local_address.sin_addr, hp->h_addr, sizeof(amis_desc.local_address.sin_addr)); have_sslbindaddr = 1; } else { ast_log(LOG_WARNING, "Invalid bind address '%s'\n", val); @@ -4050,11 +4050,11 @@ static int __init_manager(int reload) } else if (!strcasecmp(var->name, "webenabled")) { webmanager_enabled = ast_true(val); } else if (!strcasecmp(var->name, "port")) { - ami_desc.sin.sin_port = htons(atoi(val)); + ami_desc.local_address.sin_port = htons(atoi(val)); } else if (!strcasecmp(var->name, "bindaddr")) { - if (!inet_aton(val, &ami_desc.sin.sin_addr)) { + if (!inet_aton(val, &ami_desc.local_address.sin_addr)) { ast_log(LOG_WARNING, "Invalid address '%s' specified, using 0.0.0.0\n", val); - memset(&ami_desc.sin.sin_addr, 0, sizeof(ami_desc.sin.sin_addr)); + memset(&ami_desc.local_address.sin_addr, 0, sizeof(ami_desc.local_address.sin_addr)); } } else if (!strcasecmp(var->name, "allowmultiplelogin")) { allowmultiplelogin = ast_true(val); @@ -4073,11 +4073,11 @@ static int __init_manager(int reload) } if (manager_enabled) - ami_desc.sin.sin_family = AF_INET; + ami_desc.local_address.sin_family = AF_INET; if (!have_sslbindaddr) - amis_desc.sin.sin_addr = ami_desc.sin.sin_addr; + amis_desc.local_address.sin_addr = ami_desc.local_address.sin_addr; if (ami_tls_cfg.enabled) - amis_desc.sin.sin_family = AF_INET; + amis_desc.local_address.sin_family = AF_INET; AST_RWLIST_WRLOCK(&users); diff --git a/main/tcptls.c b/main/tcptls.c index 3a2c02619..a31410525 100644 --- a/main/tcptls.c +++ b/main/tcptls.c @@ -42,6 +42,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$") #include "asterisk/strings.h" #include "asterisk/options.h" #include "asterisk/manager.h" +#include "asterisk/astobj2.h" /*! \brief * replacement read/write functions for SSL support. @@ -117,9 +118,110 @@ static void session_instance_destructor(void *obj) ast_mutex_destroy(&i->lock); } +/*! \brief +* creates a FILE * from the fd passed by the accept thread. +* This operation is potentially expensive (certificate verification), +* so we do it in the child thread context. +*/ +static void *handle_tls_connection(void *data) +{ + struct ast_tcptls_session_instance *ser = data; +#ifdef DO_SSL + int (*ssl_setup)(SSL *) = (ser->client) ? SSL_connect : SSL_accept; + int ret; + char err[256]; +#endif + + /* + * open a FILE * as appropriate. + */ + if (!ser->parent->tls_cfg) + ser->f = fdopen(ser->fd, "w+"); +#ifdef DO_SSL + else if ( (ser->ssl = SSL_new(ser->parent->tls_cfg->ssl_ctx)) ) { + SSL_set_fd(ser->ssl, ser->fd); + if ((ret = ssl_setup(ser->ssl)) <= 0) { + ast_verb(2, "Problem setting up ssl connection: %s\n", ERR_error_string(ERR_get_error(), err)); + } else { +#if defined(HAVE_FUNOPEN) /* the BSD interface */ + ser->f = funopen(ser->ssl, ssl_read, ssl_write, NULL, ssl_close); + +#elif defined(HAVE_FOPENCOOKIE) /* the glibc/linux interface */ + static const cookie_io_functions_t cookie_funcs = { + ssl_read, ssl_write, NULL, ssl_close + }; + ser->f = fopencookie(ser->ssl, "w+", cookie_funcs); +#else + /* could add other methods here */ + ast_debug(2, "no ser->f methods attempted!"); +#endif + if ((ser->client && !ast_test_flag(&ser->parent->tls_cfg->flags, AST_SSL_DONT_VERIFY_SERVER)) + || (!ser->client && ast_test_flag(&ser->parent->tls_cfg->flags, AST_SSL_VERIFY_CLIENT))) { + X509 *peer; + long res; + peer = SSL_get_peer_certificate(ser->ssl); + if (!peer) + ast_log(LOG_WARNING, "No peer SSL certificate\n"); + res = SSL_get_verify_result(ser->ssl); + if (res != X509_V_OK) + ast_log(LOG_ERROR, "Certificate did not verify: %s\n", X509_verify_cert_error_string(res)); + if (!ast_test_flag(&ser->parent->tls_cfg->flags, AST_SSL_IGNORE_COMMON_NAME)) { + ASN1_STRING *str; + unsigned char *str2; + X509_NAME *name = X509_get_subject_name(peer); + int pos = -1; + int found = 0; + + for (;;) { + /* Walk the certificate to check all available "Common Name" */ + /* XXX Probably should do a gethostbyname on the hostname and compare that as well */ + pos = X509_NAME_get_index_by_NID(name, NID_commonName, pos); + if (pos < 0) + break; + str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, pos)); + ASN1_STRING_to_UTF8(&str2, str); + if (str2) { + if (!strcasecmp(ser->parent->hostname, (char *) str2)) + found = 1; + ast_debug(3, "SSL Common Name compare s1='%s' s2='%s'\n", ser->parent->hostname, str2); + OPENSSL_free(str2); + } + if (found) + break; + } + if (!found) { + ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", ser->parent->hostname); + if (peer) + X509_free(peer); + fclose(ser->f); + return NULL; + } + } + if (peer) + X509_free(peer); + } + } + if (!ser->f) /* no success opening descriptor stacking */ + SSL_free(ser->ssl); + } +#endif /* DO_SSL */ + + if (!ser->f) { + close(ser->fd); + ast_log(LOG_WARNING, "FILE * open failed!\n"); + ao2_ref(ser, -1); + return NULL; + } + + if (ser && ser->parent->worker_fn) + return ser->parent->worker_fn(ser); + else + return ser; +} + void *ast_tcptls_server_root(void *data) { - struct server_args *desc = data; + struct ast_tcptls_session_args *desc = data; int fd; struct sockaddr_in sin; socklen_t sinlen; @@ -135,7 +237,7 @@ void *ast_tcptls_server_root(void *data) if (i <= 0) continue; sinlen = sizeof(sin); - fd = accept(desc->accept_fd, (struct sockaddr *)&sin, &sinlen); + fd = accept(desc->accept_fd, (struct sockaddr *) &sin, &sinlen); if (fd < 0) { if ((errno != EAGAIN) && (errno != EINTR)) ast_log(LOG_WARNING, "Accept failed: %s\n", strerror(errno)); @@ -154,11 +256,11 @@ void *ast_tcptls_server_root(void *data) fcntl(fd, F_SETFL, flags & ~O_NONBLOCK); ser->fd = fd; ser->parent = desc; - memcpy(&ser->requestor, &sin, sizeof(ser->requestor)); + memcpy(&ser->remote_address, &sin, sizeof(ser->remote_address)); ser->client = 0; - if (ast_pthread_create_detached_background(&launched, NULL, ast_make_file_from_fd, ser)) { + if (ast_pthread_create_detached_background(&launched, NULL, handle_tls_connection, ser)) { ast_log(LOG_WARNING, "Unable to launch helper thread: %s\n", strerror(errno)); close(ser->fd); ao2_ref(ser, -1); @@ -225,18 +327,19 @@ int ast_ssl_setup(struct ast_tls_config *cfg) /*! \brief A generic client routine for a TCP client * and starts a thread for handling accept() */ -struct ast_tcptls_session_instance *ast_tcptls_client_start(struct server_args *desc) +struct ast_tcptls_session_instance *ast_tcptls_client_start(struct ast_tcptls_session_args *desc) { int flags; + int x = 1; struct ast_tcptls_session_instance *ser = NULL; /* Do nothing if nothing has changed */ - if(!memcmp(&desc->oldsin, &desc->sin, sizeof(desc->oldsin))) { + if(!memcmp(&desc->old_local_address, &desc->local_address, sizeof(desc->old_local_address))) { ast_debug(1, "Nothing changed in %s\n", desc->name); return NULL; } - desc->oldsin = desc->sin; + desc->old_local_address = desc->local_address; if (desc->accept_fd != -1) close(desc->accept_fd); @@ -248,10 +351,23 @@ struct ast_tcptls_session_instance *ast_tcptls_client_start(struct server_args * return NULL; } - if (connect(desc->accept_fd, (const struct sockaddr *)&desc->sin, sizeof(desc->sin))) { + /* if a local address was specified, bind to it so the connection will + originate from the desired address */ + if (desc->local_address.sin_family != 0) { + setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x)); + if (bind(desc->accept_fd, (struct sockaddr *) &desc->local_address, sizeof(desc->local_address))) { + ast_log(LOG_ERROR, "Unable to bind %s to %s:%d: %s\n", + desc->name, + ast_inet_ntoa(desc->local_address.sin_addr), ntohs(desc->local_address.sin_port), + strerror(errno)); + goto error; + } + } + + if (connect(desc->accept_fd, (const struct sockaddr *) &desc->remote_address, sizeof(desc->remote_address))) { ast_log(LOG_ERROR, "Unable to connect %s to %s:%d: %s\n", desc->name, - ast_inet_ntoa(desc->sin.sin_addr), ntohs(desc->sin.sin_port), + ast_inet_ntoa(desc->remote_address.sin_addr), ntohs(desc->remote_address.sin_port), strerror(errno)); goto error; } @@ -267,7 +383,7 @@ struct ast_tcptls_session_instance *ast_tcptls_client_start(struct server_args * ser->fd = desc->accept_fd; ser->parent = desc; ser->parent->worker_fn = NULL; - memcpy(&ser->requestor, &desc->sin, sizeof(ser->requestor)); + memcpy(&ser->remote_address, &desc->local_address, sizeof(ser->remote_address)); ser->client = 1; @@ -277,7 +393,7 @@ struct ast_tcptls_session_instance *ast_tcptls_client_start(struct server_args * } ao2_ref(ser, +1); - if (!ast_make_file_from_fd(ser)) + if (!handle_tls_connection(ser)) goto error; return ser; @@ -295,18 +411,18 @@ error: * which does the socket/bind/listen and starts a thread for handling * accept(). */ -void ast_tcptls_server_start(struct server_args *desc) +void ast_tcptls_server_start(struct ast_tcptls_session_args *desc) { int flags; int x = 1; /* Do nothing if nothing has changed */ - if (!memcmp(&desc->oldsin, &desc->sin, sizeof(desc->oldsin))) { + if (!memcmp(&desc->old_local_address, &desc->local_address, sizeof(desc->old_local_address))) { ast_debug(1, "Nothing changed in %s\n", desc->name); return; } - desc->oldsin = desc->sin; + desc->old_local_address = desc->local_address; /* Shutdown a running server if there is one */ if (desc->master != AST_PTHREADT_NULL) { @@ -319,7 +435,7 @@ void ast_tcptls_server_start(struct server_args *desc) close(desc->accept_fd); /* If there's no new server, stop here */ - if (desc->sin.sin_family == 0) { + if (desc->local_address.sin_family == 0) { ast_debug(2, "Server disabled: %s\n", desc->name); return; } @@ -331,10 +447,10 @@ void ast_tcptls_server_start(struct server_args *desc) } setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x)); - if (bind(desc->accept_fd, (struct sockaddr *)&desc->sin, sizeof(desc->sin))) { + if (bind(desc->accept_fd, (struct sockaddr *) &desc->local_address, sizeof(desc->local_address))) { ast_log(LOG_ERROR, "Unable to bind %s to %s:%d: %s\n", desc->name, - ast_inet_ntoa(desc->sin.sin_addr), ntohs(desc->sin.sin_port), + ast_inet_ntoa(desc->local_address.sin_addr), ntohs(desc->local_address.sin_port), strerror(errno)); goto error; } @@ -347,7 +463,7 @@ void ast_tcptls_server_start(struct server_args *desc) if (ast_pthread_create_background(&desc->master, NULL, desc->accept_fn, desc)) { ast_log(LOG_ERROR, "Unable to launch thread for %s on %s:%d: %s\n", desc->name, - ast_inet_ntoa(desc->sin.sin_addr), ntohs(desc->sin.sin_port), + ast_inet_ntoa(desc->local_address.sin_addr), ntohs(desc->local_address.sin_port), strerror(errno)); goto error; } @@ -359,7 +475,7 @@ error: } /*! \brief Shutdown a running server if there is one */ -void ast_tcptls_server_stop(struct server_args *desc) +void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc) { if (desc->master != AST_PTHREADT_NULL) { pthread_cancel(desc->master); @@ -371,105 +487,3 @@ void ast_tcptls_server_stop(struct server_args *desc) desc->accept_fd = -1; ast_debug(2, "Stopped server :: %s\n", desc->name); } - -/*! \brief -* creates a FILE * from the fd passed by the accept thread. -* This operation is potentially expensive (certificate verification), -* so we do it in the child thread context. -*/ -void *ast_make_file_from_fd(void *data) -{ - struct ast_tcptls_session_instance *ser = data; -#ifdef DO_SSL - int (*ssl_setup)(SSL *) = (ser->client) ? SSL_connect : SSL_accept; - int ret; - char err[256]; -#endif - - /* - * open a FILE * as appropriate. - */ - if (!ser->parent->tls_cfg) - ser->f = fdopen(ser->fd, "w+"); -#ifdef DO_SSL - else if ( (ser->ssl = SSL_new(ser->parent->tls_cfg->ssl_ctx)) ) { - SSL_set_fd(ser->ssl, ser->fd); - if ((ret = ssl_setup(ser->ssl)) <= 0) { - ast_verb(2, "Problem setting up ssl connection: %s\n", ERR_error_string(ERR_get_error(), err)); - } else { -#if defined(HAVE_FUNOPEN) /* the BSD interface */ - ser->f = funopen(ser->ssl, ssl_read, ssl_write, NULL, ssl_close); - -#elif defined(HAVE_FOPENCOOKIE) /* the glibc/linux interface */ - static const cookie_io_functions_t cookie_funcs = { - ssl_read, ssl_write, NULL, ssl_close - }; - ser->f = fopencookie(ser->ssl, "w+", cookie_funcs); -#else - /* could add other methods here */ - ast_debug(2, "no ser->f methods attempted!"); -#endif - if ((ser->client && !ast_test_flag(&ser->parent->tls_cfg->flags, AST_SSL_DONT_VERIFY_SERVER)) - || (!ser->client && ast_test_flag(&ser->parent->tls_cfg->flags, AST_SSL_VERIFY_CLIENT))) { - X509 *peer; - long res; - peer = SSL_get_peer_certificate(ser->ssl); - if (!peer) - ast_log(LOG_WARNING, "No peer SSL certificate\n"); - res = SSL_get_verify_result(ser->ssl); - if (res != X509_V_OK) - ast_log(LOG_ERROR, "Certificate did not verify: %s\n", X509_verify_cert_error_string(res)); - if (!ast_test_flag(&ser->parent->tls_cfg->flags, AST_SSL_IGNORE_COMMON_NAME)) { - ASN1_STRING *str; - unsigned char *str2; - X509_NAME *name = X509_get_subject_name(peer); - int pos = -1; - int found = 0; - - for (;;) { - /* Walk the certificate to check all available "Common Name" */ - /* XXX Probably should do a gethostbyname on the hostname and compare that as well */ - pos = X509_NAME_get_index_by_NID(name, NID_commonName, pos); - if (pos < 0) - break; - str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, pos)); - ASN1_STRING_to_UTF8(&str2, str); - if (str2) { - if (!strcasecmp(ser->parent->hostname, (char *) str2)) - found = 1; - ast_debug(3, "SSL Common Name compare s1='%s' s2='%s'\n", ser->parent->hostname, str2); - OPENSSL_free(str2); - } - if (found) - break; - } - if (!found) { - ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", ser->parent->hostname); - if (peer) - X509_free(peer); - fclose(ser->f); - return NULL; - } - } - if (peer) - X509_free(peer); - } - } - if (!ser->f) /* no success opening descriptor stacking */ - SSL_free(ser->ssl); - } -#endif /* DO_SSL */ - - if (!ser->f) { - close(ser->fd); - ast_log(LOG_WARNING, "FILE * open failed!\n"); - ao2_ref(ser, -1); - return NULL; - } - - if (ser && ser->parent->worker_fn) - return ser->parent->worker_fn(ser); - else - return ser; -} - |