[Asterisk-code-review] BuildSystem: Add patches to allow building with recent LibreSSL (asterisk[master])
Guido Falsi
asteriskteam at digium.com
Fri Jun 9 08:29:28 CDT 2017
Guido Falsi has uploaded a new change for review. ( https://gerrit.asterisk.org/5790 )
Change subject: BuildSystem: Add patches to allow building with recent LibreSSL
......................................................................
BuildSystem: Add patches to allow building with recent LibreSSL
Add some #if defined checks which allow building against LibreSSL.
These patchess come from OpenBSD ports:
https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/telephony/asterisk/patches/
ASTERISK-27043 #close
Reported by: OpenBSD ports
Change-Id: I2f6c08a5840b85ad4d2b75370b947ddde7a9a572
---
M main/iostream.c
M main/libasteriskssl.c
M main/tcptls.c
3 files changed, 689 insertions(+), 101 deletions(-)
git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/90/5790/1
diff --git a/main/iostream.c b/main/iostream.c
index 06414cf..2a2601d 100644
--- a/main/iostream.c
+++ b/main/iostream.c
@@ -508,13 +508,13 @@
ERR_error_string(sslerr, err), ssl_error_to_string(sslerr, res));
}
-#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
if (!SSL_is_server(stream->ssl)) {
#else
if (!stream->ssl->server) {
#endif
/* For client threads, ensure that the error stack is cleared */
-#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000L
+#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
ERR_remove_thread_state(NULL);
#else
diff --git a/main/libasteriskssl.c b/main/libasteriskssl.c
index 0ed05e3..9da63de 100644
--- a/main/libasteriskssl.c
+++ b/main/libasteriskssl.c
@@ -72,7 +72,7 @@
}
}
-#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000L
+#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
int SSL_library_init(void)
{
#if defined(AST_DEVMODE)
@@ -127,7 +127,7 @@
int ast_ssl_init(void)
{
#if defined(HAVE_OPENSSL) && defined(OPENSSL_VERSION_NUMBER) && \
- OPENSSL_VERSION_NUMBER < 0x10100000L
+ (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER))
unsigned int i;
int (*real_SSL_library_init)(void);
void (*real_CRYPTO_set_id_callback)(unsigned long (*)(void));
diff --git a/main/tcptls.c b/main/tcptls.c
index a3c7dfa..8e50a0c 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -31,6 +31,8 @@
#include "asterisk.h"
+ASTERISK_REGISTER_FILE()
+
#ifdef HAVE_FCNTL_H
#include <fcntl.h>
#endif
@@ -49,13 +51,559 @@
#include "asterisk/pbx.h"
#include "asterisk/app.h"
+/*! ao2 object used for the FILE stream fopencookie()/funopen() cookie. */
+struct ast_tcptls_stream {
+ /*! SSL state if not NULL */
+ SSL *ssl;
+ /*!
+ * \brief Start time from when an I/O sequence must complete
+ * by struct ast_tcptls_stream.timeout.
+ *
+ * \note If struct ast_tcptls_stream.start.tv_sec is zero then
+ * start time is the current I/O request.
+ */
+ struct timeval start;
+ /*!
+ * \brief The socket returned by accept().
+ *
+ * \note Set to -1 if the stream is closed.
+ */
+ int fd;
+ /*!
+ * \brief Timeout in ms relative to struct ast_tcptls_stream.start
+ * to wait for an event on struct ast_tcptls_stream.fd.
+ *
+ * \note Set to -1 to disable timeout.
+ * \note The socket needs to be set to non-blocking for the timeout
+ * feature to work correctly.
+ */
+ int timeout;
+ /*! TRUE if stream can exclusively wait for fd input. */
+ int exclusive_input;
+};
+
+#if defined(DO_SSL)
+AST_THREADSTORAGE(err2str_threadbuf);
+#define ERR2STR_BUFSIZE 128
+
+static const char *ssl_error_to_string(int sslerr, int ret)
+{
+ switch (sslerr) {
+ case SSL_ERROR_SSL:
+ return "Internal SSL error";
+ case SSL_ERROR_SYSCALL:
+ if (!ret) {
+ return "System call EOF";
+ } else if (ret == -1) {
+ char *buf;
+
+ buf = ast_threadstorage_get(&err2str_threadbuf, ERR2STR_BUFSIZE);
+ if (!buf) {
+ return "Unknown";
+ }
+
+ snprintf(buf, ERR2STR_BUFSIZE, "Underlying BIO error: %s", strerror(errno));
+ return buf;
+ } else {
+ return "System call other";
+ }
+ default:
+ break;
+ }
+
+ return "Unknown";
+}
+#endif
+
+void ast_tcptls_stream_set_timeout_disable(struct ast_tcptls_stream *stream)
+{
+ ast_assert(stream != NULL);
+
+ stream->timeout = -1;
+}
+
+void ast_tcptls_stream_set_timeout_inactivity(struct ast_tcptls_stream *stream, int timeout)
+{
+ ast_assert(stream != NULL);
+
+ stream->start.tv_sec = 0;
+ stream->timeout = timeout;
+}
+
+void ast_tcptls_stream_set_timeout_sequence(struct ast_tcptls_stream *stream, struct timeval start, int timeout)
+{
+ ast_assert(stream != NULL);
+
+ stream->start = start;
+ stream->timeout = timeout;
+}
+
+void ast_tcptls_stream_set_exclusive_input(struct ast_tcptls_stream *stream, int exclusive_input)
+{
+ ast_assert(stream != NULL);
+
+ stream->exclusive_input = exclusive_input;
+}
+
+/*!
+ * \internal
+ * \brief fopencookie()/funopen() stream read function.
+ *
+ * \param cookie Stream control data.
+ * \param buf Where to put read data.
+ * \param size Size of the buffer.
+ *
+ * \retval number of bytes put into buf.
+ * \retval 0 on end of file.
+ * \retval -1 on error.
+ */
+static HOOK_T tcptls_stream_read(void *cookie, char *buf, LEN_T size)
+{
+ struct ast_tcptls_stream *stream = cookie;
+ struct timeval start;
+ int ms;
+ int res;
+
+ if (!size) {
+ /* You asked for no data you got no data. */
+ return 0;
+ }
+
+ if (!stream || stream->fd == -1) {
+ errno = EBADF;
+ return -1;
+ }
+
+ if (stream->start.tv_sec) {
+ start = stream->start;
+ } else {
+ start = ast_tvnow();
+ }
+
+#if defined(DO_SSL)
+ if (stream->ssl) {
+ for (;;) {
+ int sslerr;
+ char err[256];
+
+ res = SSL_read(stream->ssl, buf, size);
+ if (0 < res) {
+ /* We read some payload data. */
+ return res;
+ }
+
+ sslerr = SSL_get_error(stream->ssl, res);
+ switch (sslerr) {
+ case SSL_ERROR_ZERO_RETURN:
+ /* Report EOF for a shutdown */
+ ast_debug(1, "TLS clean shutdown alert reading data\n");
+ return 0;
+ case SSL_ERROR_WANT_READ:
+ if (!stream->exclusive_input) {
+ /* We cannot wait for data now. */
+ errno = EAGAIN;
+ return -1;
+ }
+ while ((ms = ast_remaining_ms(start, stream->timeout))) {
+ res = ast_wait_for_input(stream->fd, ms);
+ if (0 < res) {
+ /* Socket is ready to be read. */
+ break;
+ }
+ if (res < 0) {
+ if (errno == EINTR || errno == EAGAIN) {
+ /* Try again. */
+ continue;
+ }
+ ast_debug(1, "TLS socket error waiting for read data: %s\n",
+ strerror(errno));
+ return -1;
+ }
+ }
+ break;
+ case SSL_ERROR_WANT_WRITE:
+ while ((ms = ast_remaining_ms(start, stream->timeout))) {
+ res = ast_wait_for_output(stream->fd, ms);
+ if (0 < res) {
+ /* Socket is ready to be written. */
+ break;
+ }
+ if (res < 0) {
+ if (errno == EINTR || errno == EAGAIN) {
+ /* Try again. */
+ continue;
+ }
+ ast_debug(1, "TLS socket error waiting for write space: %s\n",
+ strerror(errno));
+ return -1;
+ }
+ }
+ break;
+ default:
+ /* Report EOF for an undecoded SSL or transport error. */
+ ast_debug(1, "TLS transport or SSL error reading data: %s, %s\n", ERR_error_string(sslerr, err),
+ ssl_error_to_string(sslerr, res));
+ return 0;
+ }
+ if (!ms) {
+ /* Report EOF for a timeout */
+ ast_debug(1, "TLS timeout reading data\n");
+ return 0;
+ }
+ }
+ }
+#endif /* defined(DO_SSL) */
+
+ for (;;) {
+ res = read(stream->fd, buf, size);
+ if (0 <= res || !stream->exclusive_input) {
+ /* Got data or we cannot wait for it. */
+ return res;
+ }
+ if (errno != EINTR && errno != EAGAIN) {
+ /* Not a retryable error. */
+ ast_debug(1, "TCP socket error reading data: %s\n",
+ strerror(errno));
+ return -1;
+ }
+ ms = ast_remaining_ms(start, stream->timeout);
+ if (!ms) {
+ /* Report EOF for a timeout */
+ ast_debug(1, "TCP timeout reading data\n");
+ return 0;
+ }
+ ast_wait_for_input(stream->fd, ms);
+ }
+}
+
+/*!
+ * \internal
+ * \brief fopencookie()/funopen() stream write function.
+ *
+ * \param cookie Stream control data.
+ * \param buf Where to get data to write.
+ * \param size Size of the buffer.
+ *
+ * \retval number of bytes written from buf.
+ * \retval -1 on error.
+ */
+static HOOK_T tcptls_stream_write(void *cookie, const char *buf, LEN_T size)
+{
+ struct ast_tcptls_stream *stream = cookie;
+ struct timeval start;
+ int ms;
+ int res;
+ int written;
+ int remaining;
+
+ if (!size) {
+ /* You asked to write no data you wrote no data. */
+ return 0;
+ }
+
+ if (!stream || stream->fd == -1) {
+ errno = EBADF;
+ return -1;
+ }
+
+ if (stream->start.tv_sec) {
+ start = stream->start;
+ } else {
+ start = ast_tvnow();
+ }
+
+#if defined(DO_SSL)
+ if (stream->ssl) {
+ written = 0;
+ remaining = size;
+ for (;;) {
+ int sslerr;
+ char err[256];
+
+ res = SSL_write(stream->ssl, buf + written, remaining);
+ if (res == remaining) {
+ /* Everything was written. */
+ return size;
+ }
+ if (0 < res) {
+ /* Successfully wrote part of the buffer. Try to write the rest. */
+ written += res;
+ remaining -= res;
+ continue;
+ }
+ sslerr = SSL_get_error(stream->ssl, res);
+ switch (sslerr) {
+ case SSL_ERROR_ZERO_RETURN:
+ ast_debug(1, "TLS clean shutdown alert writing data\n");
+ if (written) {
+ /* Report partial write. */
+ return written;
+ }
+ errno = EBADF;
+ return -1;
+ case SSL_ERROR_WANT_READ:
+ ms = ast_remaining_ms(start, stream->timeout);
+ if (!ms) {
+ /* Report partial write. */
+ ast_debug(1, "TLS timeout writing data (want read)\n");
+ return written;
+ }
+ ast_wait_for_input(stream->fd, ms);
+ break;
+ case SSL_ERROR_WANT_WRITE:
+ ms = ast_remaining_ms(start, stream->timeout);
+ if (!ms) {
+ /* Report partial write. */
+ ast_debug(1, "TLS timeout writing data (want write)\n");
+ return written;
+ }
+ ast_wait_for_output(stream->fd, ms);
+ break;
+ default:
+ /* Undecoded SSL or transport error. */
+ ast_debug(1, "TLS transport or SSL error writing data: %s, %s\n", ERR_error_string(sslerr, err),
+ ssl_error_to_string(sslerr, res));
+ if (written) {
+ /* Report partial write. */
+ return written;
+ }
+ errno = EBADF;
+ return -1;
+ }
+ }
+ }
+#endif /* defined(DO_SSL) */
+
+ written = 0;
+ remaining = size;
+ for (;;) {
+ res = write(stream->fd, buf + written, remaining);
+ if (res == remaining) {
+ /* Yay everything was written. */
+ return size;
+ }
+ if (0 < res) {
+ /* Successfully wrote part of the buffer. Try to write the rest. */
+ written += res;
+ remaining -= res;
+ continue;
+ }
+ if (errno != EINTR && errno != EAGAIN) {
+ /* Not a retryable error. */
+ ast_debug(1, "TCP socket error writing: %s\n", strerror(errno));
+ if (written) {
+ return written;
+ }
+ return -1;
+ }
+ ms = ast_remaining_ms(start, stream->timeout);
+ if (!ms) {
+ /* Report partial write. */
+ ast_debug(1, "TCP timeout writing data\n");
+ return written;
+ }
+ ast_wait_for_output(stream->fd, ms);
+ }
+}
+
+/*!
+ * \internal
+ * \brief fopencookie()/funopen() stream close function.
+ *
+ * \param cookie Stream control data.
+ *
+ * \retval 0 on success.
+ * \retval -1 on error.
+ */
+static int tcptls_stream_close(void *cookie)
+{
+ struct ast_tcptls_stream *stream = cookie;
+
+ if (!stream) {
+ errno = EBADF;
+ return -1;
+ }
+
+ if (stream->fd != -1) {
+#if defined(DO_SSL)
+ if (stream->ssl) {
+ int res;
+
+ /*
+ * According to the TLS standard, it is acceptable for an
+ * application to only send its shutdown alert and then
+ * close the underlying connection without waiting for
+ * the peer's response (this way resources can be saved,
+ * as the process can already terminate or serve another
+ * connection).
+ */
+ res = SSL_shutdown(stream->ssl);
+ if (res < 0) {
+ int sslerr = SSL_get_error(stream->ssl, res);
+ char err[256];
+
+ ast_log(LOG_ERROR, "SSL_shutdown() failed: %s, %s\n",
+ ERR_error_string(sslerr, err), ssl_error_to_string(sslerr, res));
+ }
+
+#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ if (!SSL_is_server(stream->ssl)) {
+#else
+ if (!stream->ssl->server) {
+#endif
+ /* For client threads, ensure that the error stack is cleared */
+#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER >= 0x10000000L
+ ERR_remove_thread_state(NULL);
+#else
+ ERR_remove_state(0);
+#endif /* openssl = 1.0 */
+#endif /* openssl < 1.1 */
+ }
+
+ SSL_free(stream->ssl);
+ stream->ssl = NULL;
+ }
+#endif /* defined(DO_SSL) */
+
+ /*
+ * Issuing shutdown() is necessary here to avoid a race
+ * condition where the last data written may not appear
+ * in the TCP stream. See ASTERISK-23548
+ */
+ shutdown(stream->fd, SHUT_RDWR);
+ if (close(stream->fd)) {
+ ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
+ }
+ stream->fd = -1;
+ }
+ ao2_t_ref(stream, -1, "Closed tcptls stream cookie");
+
+ return 0;
+}
+
+/*!
+ * \internal
+ * \brief fopencookie()/funopen() stream destructor function.
+ *
+ * \param cookie Stream control data.
+ *
+ * \return Nothing
+ */
+static void tcptls_stream_dtor(void *cookie)
+{
+#ifdef AST_DEVMODE
+ /* Since the ast_assert below is the only one using stream,
+ * and ast_assert is only available with AST_DEVMODE, we
+ * put this in a conditional to avoid compiler warnings. */
+ struct ast_tcptls_stream *stream = cookie;
+#endif
+
+ ast_assert(stream->fd == -1);
+}
+
+/*!
+ * \internal
+ * \brief fopencookie()/funopen() stream allocation function.
+ *
+ * \retval stream_cookie on success.
+ * \retval NULL on error.
+ */
+static struct ast_tcptls_stream *tcptls_stream_alloc(void)
+{
+ struct ast_tcptls_stream *stream;
+
+ stream = ao2_alloc_options(sizeof(*stream), tcptls_stream_dtor,
+ AO2_ALLOC_OPT_LOCK_NOLOCK);
+ if (stream) {
+ stream->fd = -1;
+ stream->timeout = -1;
+ }
+ return stream;
+}
+
+/*!
+ * \internal
+ * \brief Open a custom FILE stream for tcptls.
+ *
+ * \param stream Stream cookie control data.
+ * \param ssl SSL state if not NULL.
+ * \param fd Socket file descriptor.
+ * \param timeout ms to wait for an event on fd. -1 if timeout disabled.
+ *
+ * \retval fp on success.
+ * \retval NULL on error.
+ */
+static FILE *tcptls_stream_fopen(struct ast_tcptls_stream *stream, SSL *ssl, int fd, int timeout)
+{
+ FILE *fp;
+
+#if defined(HAVE_FOPENCOOKIE) /* the glibc/linux interface */
+ static const cookie_io_functions_t cookie_funcs = {
+ tcptls_stream_read,
+ tcptls_stream_write,
+ NULL,
+ tcptls_stream_close
+ };
+#endif /* defined(HAVE_FOPENCOOKIE) */
+
+ if (fd == -1) {
+ /* Socket not open. */
+ return NULL;
+ }
+
+ stream->ssl = ssl;
+ stream->fd = fd;
+ stream->timeout = timeout;
+ ao2_t_ref(stream, +1, "Opening tcptls stream cookie");
+
+#if defined(HAVE_FUNOPEN) /* the BSD interface */
+ fp = funopen(stream, tcptls_stream_read, tcptls_stream_write, NULL,
+ tcptls_stream_close);
+#elif defined(HAVE_FOPENCOOKIE) /* the glibc/linux interface */
+ fp = fopencookie(stream, "w+", cookie_funcs);
+#else
+ /* could add other methods here */
+ ast_debug(2, "No stream FILE methods attempted!\n");
+ fp = NULL;
+#endif
+
+ if (!fp) {
+ stream->fd = -1;
+ ao2_t_ref(stream, -1, "Failed to open tcptls stream cookie");
+ }
+ return fp;
+}
+
+HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *tcptls_session, void *buf, size_t count)
+{
+ if (!tcptls_session->stream_cookie || tcptls_session->stream_cookie->fd == -1) {
+ ast_log(LOG_ERROR, "TCP/TLS read called on invalid stream.\n");
+ errno = EIO;
+ return -1;
+ }
+
+ return tcptls_stream_read(tcptls_session->stream_cookie, buf, count);
+}
+
+HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *tcptls_session, const void *buf, size_t count)
+{
+ if (!tcptls_session->stream_cookie || tcptls_session->stream_cookie->fd == -1) {
+ ast_log(LOG_ERROR, "TCP/TLS write called on invalid stream.\n");
+ errno = EIO;
+ return -1;
+ }
+
+ return tcptls_stream_write(tcptls_session->stream_cookie, buf, count);
+}
+
static void session_instance_destructor(void *obj)
{
struct ast_tcptls_session_instance *i = obj;
- if (i->stream) {
- ast_iostream_close(i->stream);
- i->stream = NULL;
+ if (i->stream_cookie) {
+ ao2_t_ref(i->stream_cookie, -1, "Destroying tcptls session instance");
+ i->stream_cookie = NULL;
}
ast_free(i->overflow_buf);
ao2_cleanup(i->private_data);
@@ -87,6 +635,7 @@
return ret;
}
+
#endif
/*! \brief
@@ -100,7 +649,8 @@
{
struct ast_tcptls_session_instance *tcptls_session = data;
#ifdef DO_SSL
- SSL *ssl;
+ int (*ssl_setup)(SSL *) = (tcptls_session->client) ? SSL_connect : SSL_accept;
+ int ret;
#endif
/* TCP/TLS connections are associated with external protocols, and
@@ -115,94 +665,127 @@
return NULL;
}
- if (tcptls_session->parent->tls_cfg) {
-#ifdef DO_SSL
- if (ast_iostream_start_tls(&tcptls_session->stream, tcptls_session->parent->tls_cfg->ssl_ctx, tcptls_session->client) < 0) {
- ast_tcptls_close_session_file(tcptls_session);
- ao2_ref(tcptls_session, -1);
- return NULL;
+ tcptls_session->stream_cookie = tcptls_stream_alloc();
+ if (!tcptls_session->stream_cookie) {
+ ast_tcptls_close_session_file(tcptls_session);
+ ao2_ref(tcptls_session, -1);
+ return NULL;
+ }
+
+ /*
+ * open a FILE * as appropriate.
+ */
+ if (!tcptls_session->parent->tls_cfg) {
+ tcptls_session->f = tcptls_stream_fopen(tcptls_session->stream_cookie, NULL,
+ tcptls_session->fd, -1);
+ if (tcptls_session->f) {
+ if (setvbuf(tcptls_session->f, NULL, _IONBF, 0)) {
+ ast_tcptls_close_session_file(tcptls_session);
+ }
}
+ }
+#ifdef DO_SSL
+ else if ( (tcptls_session->ssl = SSL_new(tcptls_session->parent->tls_cfg->ssl_ctx)) ) {
+ SSL_set_fd(tcptls_session->ssl, tcptls_session->fd);
+ if ((ret = ssl_setup(tcptls_session->ssl)) <= 0) {
+ char err[256];
+ int sslerr = SSL_get_error(tcptls_session->ssl, ret);
- ssl = ast_iostream_get_ssl(tcptls_session->stream);
- if ((tcptls_session->client && !ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_DONT_VERIFY_SERVER))
- || (!tcptls_session->client && ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_VERIFY_CLIENT))) {
- X509 *peer;
- long res;
- peer = SSL_get_peer_certificate(ssl);
- if (!peer) {
- ast_log(LOG_ERROR, "No peer SSL certificate to verify\n");
- ast_tcptls_close_session_file(tcptls_session);
- ao2_ref(tcptls_session, -1);
- return NULL;
- }
-
- res = SSL_get_verify_result(ssl);
- if (res != X509_V_OK) {
- ast_log(LOG_ERROR, "Certificate did not verify: %s\n", X509_verify_cert_error_string(res));
- X509_free(peer);
- ast_tcptls_close_session_file(tcptls_session);
- ao2_ref(tcptls_session, -1);
- return NULL;
- }
- if (!ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_IGNORE_COMMON_NAME)) {
- ASN1_STRING *str;
- X509_NAME *name = X509_get_subject_name(peer);
- STACK_OF(GENERAL_NAME) *alt_names;
- int pos = -1;
- int found = 0;
-
- for (;;) {
- /* Walk the certificate to check all available "Common Name" */
- /* XXX Probably should do a gethostbyname on the hostname and compare that as well */
- pos = X509_NAME_get_index_by_NID(name, NID_commonName, pos);
- if (pos < 0) {
- break;
- }
- str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, pos));
- if (!check_tcptls_cert_name(str, tcptls_session->parent->hostname, "common name")) {
- found = 1;
- break;
- }
+ ast_log(LOG_ERROR, "Problem setting up ssl connection: %s, %s\n", ERR_error_string(sslerr, err),
+ ssl_error_to_string(sslerr, ret));
+ } else if ((tcptls_session->f = tcptls_stream_fopen(tcptls_session->stream_cookie,
+ tcptls_session->ssl, tcptls_session->fd, -1))) {
+ if ((tcptls_session->client && !ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_DONT_VERIFY_SERVER))
+ || (!tcptls_session->client && ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_VERIFY_CLIENT))) {
+ X509 *peer;
+ long res;
+ peer = SSL_get_peer_certificate(tcptls_session->ssl);
+ if (!peer) {
+ ast_log(LOG_ERROR, "No peer SSL certificate to verify\n");
+ ast_tcptls_close_session_file(tcptls_session);
+ ao2_ref(tcptls_session, -1);
+ return NULL;
}
- if (!found) {
- alt_names = X509_get_ext_d2i(peer, NID_subject_alt_name, NULL, NULL);
- if (alt_names != NULL) {
- int alt_names_count = sk_GENERAL_NAME_num(alt_names);
-
- for (pos = 0; pos < alt_names_count; pos++) {
- const GENERAL_NAME *alt_name = sk_GENERAL_NAME_value(alt_names, pos);
-
- if (alt_name->type != GEN_DNS) {
- continue;
- }
-
- if (!check_tcptls_cert_name(alt_name->d.dNSName, tcptls_session->parent->hostname, "alt name")) {
- found = 1;
- break;
- }
- }
-
- sk_GENERAL_NAME_pop_free(alt_names, GENERAL_NAME_free);
- }
- }
-
- if (!found) {
- ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", tcptls_session->parent->hostname);
+ res = SSL_get_verify_result(tcptls_session->ssl);
+ if (res != X509_V_OK) {
+ ast_log(LOG_ERROR, "Certificate did not verify: %s\n", X509_verify_cert_error_string(res));
X509_free(peer);
ast_tcptls_close_session_file(tcptls_session);
ao2_ref(tcptls_session, -1);
return NULL;
}
+ if (!ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_IGNORE_COMMON_NAME)) {
+ ASN1_STRING *str;
+ X509_NAME *name = X509_get_subject_name(peer);
+ STACK_OF(GENERAL_NAME) *alt_names;
+ int pos = -1;
+ int found = 0;
+
+ for (;;) {
+ /* Walk the certificate to check all available "Common Name" */
+ /* XXX Probably should do a gethostbyname on the hostname and compare that as well */
+ pos = X509_NAME_get_index_by_NID(name, NID_commonName, pos);
+ if (pos < 0) {
+ break;
+ }
+
+ str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, pos));
+ if (!check_tcptls_cert_name(str, tcptls_session->parent->hostname, "common name")) {
+ found = 1;
+ break;
+ }
+ }
+
+ if (!found) {
+ alt_names = X509_get_ext_d2i(peer, NID_subject_alt_name, NULL, NULL);
+ if (alt_names != NULL) {
+ int alt_names_count = sk_GENERAL_NAME_num(alt_names);
+
+ for (pos = 0; pos < alt_names_count; pos++) {
+ const GENERAL_NAME *alt_name = sk_GENERAL_NAME_value(alt_names, pos);
+
+ if (alt_name->type != GEN_DNS) {
+ continue;
+ }
+
+ if (!check_tcptls_cert_name(alt_name->d.dNSName, tcptls_session->parent->hostname, "alt name")) {
+ found = 1;
+ break;
+ }
+ }
+
+ sk_GENERAL_NAME_pop_free(alt_names, GENERAL_NAME_free);
+ }
+ }
+
+ if (!found) {
+ ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", tcptls_session->parent->hostname);
+ X509_free(peer);
+ ast_tcptls_close_session_file(tcptls_session);
+ ao2_ref(tcptls_session, -1);
+ return NULL;
+ }
+ }
+ X509_free(peer);
}
- X509_free(peer);
}
-#else
- ast_log(LOG_ERROR, "Attempted a TLS connection without OpenSSL support. This will not work!\n");
+ if (!tcptls_session->f) { /* no success opening descriptor stacking */
+ SSL_free(tcptls_session->ssl);
+ }
+ }
+#endif /* DO_SSL */
+
+ if (!tcptls_session->f) {
ast_tcptls_close_session_file(tcptls_session);
+ ast_log(LOG_WARNING, "FILE * open failed!\n");
+#ifndef DO_SSL
+ if (tcptls_session->parent->tls_cfg) {
+ ast_log(LOG_ERROR, "Attempted a TLS connection without OpenSSL support. This will not work!\n");
+ }
+#endif
ao2_ref(tcptls_session, -1);
return NULL;
-#endif /* DO_SSL */
}
if (tcptls_session->parent->worker_fn) {
@@ -261,14 +844,7 @@
}
flags = fcntl(fd, F_GETFL);
fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
-
- tcptls_session->stream = ast_iostream_from_fd(&fd);
- if (!tcptls_session->stream) {
- ao2_ref(tcptls_session, -1);
- close(fd);
- continue;
- }
-
+ tcptls_session->fd = fd;
tcptls_session->parent = desc;
ast_sockaddr_copy(&tcptls_session->remote_address, &addr);
@@ -278,6 +854,7 @@
if (ast_pthread_create_detached_background(&launched, NULL, handle_tcptls_connection, tcptls_session)) {
ast_log(LOG_ERROR, "TCP/TLS unable to launch helper thread: %s\n",
strerror(errno));
+ ast_tcptls_close_session_file(tcptls_session);
ao2_ref(tcptls_session, -1);
}
}
@@ -545,7 +1122,7 @@
struct ast_tcptls_session_instance *ast_tcptls_client_create(struct ast_tcptls_session_args *desc)
{
- int fd, x = 1;
+ int x = 1;
struct ast_tcptls_session_instance *tcptls_session = NULL;
/* Do nothing if nothing has changed */
@@ -561,8 +1138,8 @@
close(desc->accept_fd);
}
- fd = desc->accept_fd = socket(ast_sockaddr_is_ipv6(&desc->remote_address) ?
- AF_INET6 : AF_INET, SOCK_STREAM, IPPROTO_TCP);
+ desc->accept_fd = socket(ast_sockaddr_is_ipv6(&desc->remote_address) ?
+ AF_INET6 : AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (desc->accept_fd < 0) {
ast_log(LOG_ERROR, "Unable to allocate socket for %s: %s\n",
desc->name, strerror(errno));
@@ -592,11 +1169,7 @@
goto error;
}
tcptls_session->client = 1;
- tcptls_session->stream = ast_iostream_from_fd(&fd);
- if (!tcptls_session->stream) {
- goto error;
- }
-
+ tcptls_session->fd = desc->accept_fd;
tcptls_session->parent = desc;
tcptls_session->parent->worker_fn = NULL;
ast_sockaddr_copy(&tcptls_session->remote_address,
@@ -756,9 +1329,24 @@
void ast_tcptls_close_session_file(struct ast_tcptls_session_instance *tcptls_session)
{
- if (tcptls_session->stream) {
- ast_iostream_close(tcptls_session->stream);
- tcptls_session->stream = NULL;
+ if (tcptls_session->f) {
+ fflush(tcptls_session->f);
+ if (fclose(tcptls_session->f)) {
+ ast_log(LOG_ERROR, "fclose() failed: %s\n", strerror(errno));
+ }
+ tcptls_session->f = NULL;
+ tcptls_session->fd = -1;
+ } else if (tcptls_session->fd != -1) {
+ /*
+ * Issuing shutdown() is necessary here to avoid a race
+ * condition where the last data written may not appear
+ * in the TCP stream. See ASTERISK-23548
+ */
+ shutdown(tcptls_session->fd, SHUT_RDWR);
+ if (close(tcptls_session->fd)) {
+ ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
+ }
+ tcptls_session->fd = -1;
} else {
ast_log(LOG_ERROR, "ast_tcptls_close_session_file invoked on session instance without file or file descriptor\n");
}
--
To view, visit https://gerrit.asterisk.org/5790
To unsubscribe, visit https://gerrit.asterisk.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I2f6c08a5840b85ad4d2b75370b947ddde7a9a572
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Owner: Guido Falsi <madpilot at freebsd.org>
More information about the asterisk-code-review
mailing list