[asterisk-commits] branch oej/ami_ssl r15611 - in /team/oej/ami_ssl: ./ configs/ include/asterisk/



Author: oej
Date: Tue Mar 28 10:32:42 2006
New Revision: 15611

URL: http://svn.digium.com/view/asterisk?rev=15611&view=rev
Log:
- Changes to comply more with coding guidelines (oej)
- Compilation enabled by default in this branch
- Doxygen fixes

Modified:
    team/oej/ami_ssl/Makefile
    team/oej/ami_ssl/configs/manager.conf.sample
    team/oej/ami_ssl/configs/ssl.conf.sample
    team/oej/ami_ssl/include/asterisk/ssl_addon.h
    team/oej/ami_ssl/manager.c
    team/oej/ami_ssl/ssl_addon.c

Modified: team/oej/ami_ssl/Makefile
URL: http://svn.digium.com/view/asterisk/team/oej/ami_ssl/Makefile?rev=15611&r1=15610&r2=15611&view=diff
==============================================================================
--- team/oej/ami_ssl/Makefile (original)
+++ team/oej/ami_ssl/Makefile Tue Mar 28 10:32:42 2006
@@ -152,6 +152,11 @@
 # Define this to use files larger than 2GB (useful for sound files longer than 37 hours and logfiles)
 ASTCFLAGS+=-D_FILE_OFFSET_BITS=64
 
+# Compile Asterisk manager Interface with SSL support
+# Requires OpenSSL development libraries
+# (This will be disabled in svn, but not in the dev branch)
+ASTCFLAGS+=-DAMI_WITH_SSL 
+
 # Pentium Pro Optimize
 #PROC=i686
 
@@ -234,7 +239,7 @@
 endif
 
 INCLUDE+=-Iinclude -I../include
-ASTCFLAGS+=-pipe  -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations $(DEBUG) $(INCLUDE) -D_REENTRANT -D_GNU_SOURCE #-DAMI_WITH_SSL #-DMAKE_VALGRIND_HAPPY
+ASTCFLAGS+=-pipe  -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations $(DEBUG) $(INCLUDE) -D_REENTRANT -D_GNU_SOURCE #-DMAKE_VALGRIND_HAPPY
 ASTCFLAGS+=$(OPTIMIZE)
 ASTCFLAGS+=# -Werror -Wunused
 ifeq ($(shell gcc -v 2>&1 | grep 'gcc version' | cut -f3 -d' ' | cut -f1 -d.),4)

Modified: team/oej/ami_ssl/configs/manager.conf.sample
URL: http://svn.digium.com/view/asterisk/team/oej/ami_ssl/configs/manager.conf.sample?rev=15611&r1=15610&r2=15611&view=diff
==============================================================================
--- team/oej/ami_ssl/configs/manager.conf.sample (original)
+++ team/oej/ami_ssl/configs/manager.conf.sample Tue Mar 28 10:32:42 2006
@@ -24,6 +24,26 @@
 ; Add a Unix epoch timestamp to events (not action responses)
 ;
 ;timestampevents = yes
+;
+; To enable SSL encryption in manager, set the AMI_SSL optin
+; in the Makefile
+;
+; For SSL encryption, where is the cert file?
+;
+;certfile = /var/lib/asterisk/certs/server.pem
+;
+; How long do we wait on the manager port for an SSL session start? (ms)
+;
+;sslclienthellotimeout = 500
+;
+; Do we accept encrypted SSL manager connections?
+;
+;acceptencryptedconnection = yes
+;
+; Do we accept unencrypted manager connections?
+;
+acceptunencryptedconnection = yes
+;
 
 ;[mark]
 ;secret = mysecret
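Review bot: The new comment at the top of the hunk tells the administrator to set `AMI_SSL` in the Makefile, but the Makefile hunk in this same commit defines `-DAMI_WITH_SSL`, so the text names a flag that does not exist; `; To enable SSL encryption in manager, define AMI_WITH_SSL in the Makefile` also fixes the "optin" typo. `acceptunencryptedconnection = yes` is the only uncommented line in the added block while `acceptencryptedconnection` stays commented, which reads as if only the first has a default; since manager.c (later hunk) stores -1 for an absent key and the accept loop's `!acceptencryptedconnection` test takes that as enabled, the sample should either comment this line like its neighbours or state the effective default in the comment above each option.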

Modified: team/oej/ami_ssl/configs/ssl.conf.sample
URL: http://svn.digium.com/view/asterisk/team/oej/ami_ssl/configs/ssl.conf.sample?rev=15611&r1=15610&r2=15611&view=diff
==============================================================================
--- team/oej/ami_ssl/configs/ssl.conf.sample (original)
+++ team/oej/ami_ssl/configs/ssl.conf.sample Tue Mar 28 10:32:42 2006
@@ -1,4 +1,4 @@
-# $Id$
+# Asterisk SSL configuration
 #
 # OpenSSL configuration file for custom Certificate Authority. Use a
 # different openssl.cnf file to generate certificate signing requests;
@@ -12,9 +12,9 @@
 RANDFILE                = $ENV::HOME/.rnd
 
 [ ca ]
-default_ca      = CA_default
+default_ca      = MyAsteriskCA
 
-[ CA_default ]
+[ MyAsteriskCA ]
 dir             = .
 # unsed at present, and my limited certs can be kept in current dir
 #certs          = $dir/certs

Modified: team/oej/ami_ssl/include/asterisk/ssl_addon.h
URL: http://svn.digium.com/view/asterisk/team/oej/ami_ssl/include/asterisk/ssl_addon.h?rev=15611&r1=15610&r2=15611&view=diff
==============================================================================
--- team/oej/ami_ssl/include/asterisk/ssl_addon.h (original)
+++ team/oej/ami_ssl/include/asterisk/ssl_addon.h Tue Mar 28 10:32:42 2006
@@ -23,7 +23,7 @@
 extern "C" {
 #endif
 
-/*!
+/*! \brief
    This data structure holds the additional SSL data needed to use the ssl functions.
    The negative fd is used as an index into this data structure (after processing).
    Choose SEC_MAX to be impossibly large for the application.
@@ -34,46 +34,46 @@
     SSL* ssl;
 } sec_channel[SEC_MAX];
 
-/*!
+/*! \brief
    this has to be called before any other function dealing with ssl.
 */
 int init_secure(char* certfile);
 
-/*!
+/*! \brief
    Returns the real fd, that is received from os, when we accept the connection.
 */
 int get_real_fd(int fd);
 
-/*! 
+/*!  \brief
    Returns the ssl structure from the fd.  
 */
 SSL *get_ssl(int fd);
 
-/*!
+/*! \brief
    Returns the availabe security slot. This restricts the maximun number of security connection, 
    the asterisk server can have for AMI. 
 */
 int sec_getslot(void);
 
-/*!
+/*! \brief
    Accepts the connection, if the security is enabled it returns the negative fd. -1 is flase, -2, -3 
    etc are ssl connections. 
 */ 
 int saccept(int s);
 
-/*! 
+/*!  \brief
    Sends the data over secured or unsecured connections. 
 */ 
 int m_send(int fd, const void *data, size_t len);
 
 
-/*!
+/*! \brief
    Receives the connection from either ssl or fd.
 */
 int m_recv(int s, void *buf, size_t len, int flags);
 
 
-/*!
+/*! \brief
   Needs to be called instead of close() to close a socket.
   It also closes the ssl meta connection.
 */
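Review bot: `} sec_channel[SEC_MAX];` at the top of the hunk defines a variable in a header that this commit has both manager.c and ssl_addon.c include as `asterisk/ssl_addon.h`, so the table exists as a tentative definition in two translation units and links only because the toolchain merges common symbols; the header should carry `extern` with the single definition in ssl_addon.c. The struct itself begins before the hunk. For a commit whose stated purpose is coding-guideline compliance, the prototypes keep `char* certfile` and `SSL* ssl` while ssl_addon.c writes `char *certfile`; `int init_secure(const char *certfile);` would match the .c file and let callers pass configuration strings unmodified. The reworded comments still carry "flase", "availabe" and "maximun".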

Modified: team/oej/ami_ssl/manager.c
URL: http://svn.digium.com/view/asterisk/team/oej/ami_ssl/manager.c?rev=15611&r1=15610&r2=15611&view=diff
==============================================================================
--- team/oej/ami_ssl/manager.c (original)
+++ team/oej/ami_ssl/manager.c Tue Mar 28 10:32:42 2006
@@ -65,7 +65,7 @@
 #include "asterisk/acl.h"
 #include "asterisk/utils.h"
 #ifdef AMI_WITH_SSL
-#include "ssl_addon.h"
+#include "asterisk/ssl_addon.h"
 #endif
 
 struct fast_originate_helper {
@@ -1523,6 +1523,7 @@
 
 	pthread_attr_init(&attr);
 	pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
+	int is_encrypted;
 
 	for (;;) {
 		sinlen = sizeof(sin);
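Review bot: `int is_encrypted;` is declared unconditionally, but its only use (next hunk) is inside `#ifdef AMI_WITH_SSL`, so a build without SSL gets an unused-variable warning under the `-Wall` in the Makefile; wrap the declaration the same way, `#ifdef AMI_WITH_SSL` / `int is_encrypted;` / `#endif`, or move it to the declarations at the top of the function (outside the hunk). Placing it after `pthread_attr_setdetachstate()` also relies on mixed declarations and code, which the original line in the next hunk did as well but the rest of this function presumably does not. The enclosing function starts before this hunk.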
@@ -1538,21 +1539,21 @@
 			}
 		}
 #ifdef AMI_WITH_SSL
-		int is_encrytped = is_encrypt_request(sslclhellotimeout, as);
-		if( is_encrytped > 0) {
-			if (! acceptencryptedconnection ) {
-				ast_log(LOG_NOTICE, "Accepting encrypted connection disabled, closing the connection \n");
+		is_encrypted = is_encrypt_request(sslclhellotimeout, as);
+		if (is_encrypted > 0) {
+			if (!acceptencryptedconnection) {
+				ast_log(LOG_WARNING, "Accepting encrypted connection disabled, closing the connection \n");
 				close_sock(as);
                                 continue;
 			} else {
                         	if((as = saccept(as)) >= 0 ) {
-                                	ast_log(LOG_NOTICE, "Can't accept the ssl connection, since SSL init has failed for certificate reason\n");
+                                	ast_log(LOG_WARNING, "Can't accept the ssl connection, since SSL init has failed for certificate reason\n");
                                 	close_sock(as);
                                 	continue;
 				}
                         }
-		} else if (is_encrytped == -1) {
-		   	ast_log(LOG_NOTICE, "SSL version 2 is unsecured, we don't support it\n");
+		} else if (is_encrypted == -1) {
+		   	ast_log(LOG_ERROR, "SSL version 2 is unsecure, we don't support it\n");
 			close_sock(as);
 			continue;
 		}
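Review bot: `if((as = saccept(as)) >= 0 )` treats a non-negative return as the failure case, but the header comment this commit edits says saccept returns -1 on failure and -2, -3… for accepted SSL connections, and ssl_addon.c's own note says fd-returning routines must be tested with `== -1`; as written a failed handshake passes the test and the session continues with `as == -1`, while a successful one can never reach the warning. Because `as` is overwritten before the test, the `close_sock(as)` in the error branch would also close -1 rather than the accepted socket (unless saccept closes it itself, which is outside this diff), so the real fd should be kept in a separate variable. The `is_encrypted == -1` branch now logs at LOG_ERROR for a condition any remote peer can trigger by offering SSLv2; LOG_NOTICE, as before, or LOG_WARNING keeps a client from filling the error log. The enclosing accept loop runs beyond both ends of the hunk.
```c
			} else {
				int ssl_fd = saccept(as);
				if (ssl_fd == -1) {
					ast_log(LOG_WARNING, "Can't accept the ssl connection, since SSL init has failed for certificate reason\n");
					close_sock(as);	/* as still holds the accepted socket */
					continue;
				}
				as = ssl_fd;
			}
```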
@@ -1853,10 +1854,10 @@
         if ((val = ast_variable_retrieve(cfg, "general", "certfile"))) {
 		if (sscanf(val, "%s", (char *)certfile) != 1) {
 			ast_log(LOG_WARNING, "Certificate directory not found, assigning default directory\n");
-                       	strcpy((char *)certfile, "/var/lib/asterisk/certs/server.pem");
+			snprintf(certfile, sizeof(certfile), "%s/%s", ast_config_AST_VAR_DIR, "certs/server.pem");
 		} 
         } else {
-		strcpy((char *)certfile, "/var/lib/asterisk/certs/server.pem");
+		snprintf(certfile, sizeof(certfile), "%s/%s", ast_config_AST_VAR_DIR, "certs/server.pem");
 	}
 	if ((val = ast_variable_retrieve(cfg, "general", "sslclienthellotimeout"))) {
 		if (sscanf(val, "%s", (char *)ssltimeout) != 1) {
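Review bot: `sscanf(val, "%s", (char *)certfile)` has no field width, so an overlong `certfile` value in manager.conf writes past the end of `certfile`; the commit bounds only the fallback assignment with snprintf and leaves the configured path unbounded, and `%s` also stops at the first space, silently truncating a path that contains one. Copy it the same way as the default, `snprintf(certfile, sizeof(certfile), "%s", val);` (this assumes `certfile` is an array, as the new `sizeof(certfile)` implies), and check the return value for truncation. The `!= 1` branch then fires only on an empty or whitespace-only value, so the warning "Certificate directory not found" is misleading — nothing here checks that the file exists. The same unbounded `%s` is used for `ssltimeout` on the last line of this hunk.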
@@ -1864,7 +1865,8 @@
 			ast_log(LOG_NOTICE, "Failed to read sslclhellotime\n");
 		} else {
 			sslclhellotimeout = atoi(ssltimeout);
-			ast_log(LOG_NOTICE, "sslclhellotime = %d", sslclhellotimeout);
+			if (option_debug > 1)
+				ast_log(LOG_DEBUG, "sslclhellotime = %d", sslclhellotimeout);
 		}
 	} else {
 	    	sslclhellotimeout = 500;
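Review bot: `sslclhellotimeout = atoi(ssltimeout);` accepts trailing garbage and negative numbers silently, and the value feeds `tv.tv_usec` in is_encrypt_request (ssl_addon.c hunk), so a bad value becomes a select() argument; parse with `strtol` plus an end-pointer check and reject values below zero. When the key is present but `sscanf` fails, the `else` branch that assigns 500 is not reached, so `sslclhellotimeout` keeps its previous value (presumably its zero static initialiser), which would give every client a 0 ms window and classify all of them as unencrypted; the fallback belongs on both paths. The new debug message lacks a trailing newline, `"sslclhellotime = %d\n"`, as do the two in the following hunk.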
@@ -1872,14 +1874,16 @@
 	val = ast_variable_retrieve(cfg, "general", "acceptencryptedconnection");
         if (val) {
                	acceptencryptedconnection = ast_true(val);
-		ast_log(LOG_NOTICE, "acceptencryptedconnection = %d", acceptencryptedconnection);
+		if (option_debug > 1)
+			ast_log(LOG_DEBUG, "acceptencryptedconnection = %d", acceptencryptedconnection);
 	} else {
 		acceptencryptedconnection = -1;
 	}
 	val = ast_variable_retrieve(cfg, "general", "acceptunencryptedconnection");
 	if (val) {
 		acceptunencryptedconnection =  ast_true(val);
-		ast_log(LOG_NOTICE, "acceptunencryptedconnection = %d", acceptunencryptedconnection);
+		if (option_debug > 1)
+			ast_log(LOG_DEBUG, "acceptunencryptedconnection = %d", acceptunencryptedconnection);
 	} else {
 		acceptunencryptedconnection = -1;
 	}
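Review bot: The `-1` stored when `acceptencryptedconnection` is absent is indistinguishable from "yes" at the only check visible in this diff, `if (!acceptencryptedconnection)` in the accept loop, so an unset key enables encrypted connections; the same sentinel is stored for `acceptunencryptedconnection`, whose check is not in the diff but presumably behaves alike. If "enabled when unset" is the intended default, assign `1` with a comment saying so and document it in manager.conf.sample; if the sentinel is meant to be distinguishable, the check sites need to test for -1 explicitly.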

Modified: team/oej/ami_ssl/ssl_addon.c
URL: http://svn.digium.com/view/asterisk/team/oej/ami_ssl/ssl_addon.c?rev=15611&r1=15610&r2=15611&view=diff
==============================================================================
--- team/oej/ami_ssl/ssl_addon.c (original)
+++ team/oej/ami_ssl/ssl_addon.c Tue Mar 28 10:32:42 2006
@@ -1,7 +1,7 @@
 /*
  * Asterisk -- An open source telephony toolkit.
  *
- * Copyright (C) 1999 - 2005, Tello Corporation, Inc.
+ * Copyright (C) 2006, Tello Corporation, Inc.
  *
  * Remco Treffkorn(Architect) and Mahesh Karoshi(Senior Software Developer)
  *
@@ -22,6 +22,7 @@
  *
  * Channel Management and more
  *
+ * \author Remco Treffkorn(Architect) and Mahesh Karoshi(Senior Software Developer)
  * \ref amiconf
  */
 
@@ -30,11 +31,9 @@
 /*! @{
  Doxygen group */
 
-/*!  We use negative file descriptors for secure channels. The file descriptor
+/*! \note We use negative file descriptors for secure channels. The file descriptor
    -1 is reseved for errors. -2 to -... are secure file descriptors. 0  to ...
    are regular file descriptors.
-
-   The routines in here demonstrate the use of secure fd's.
 
    NOTE: Commonly error checks for routines returning fd's are done with (value<0).
    You must check for (value==-1) instead, since all other negative fd's now
@@ -54,20 +53,22 @@
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <netinet/tcp.h>
-#include "asterisk/logger.h"
-#include "asterisk/config.h"
 
 #include "asterisk.h"
 ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
 
-#include "ssl_addon.h"
+#include "asterisk/logger.h"
+#include "asterisk/options.h"
+#include "asterisk/config.h"
+#include "asterisk/ssl_addon.h"
+
 SSL_CTX *sctx;
 static long rec_bytes;
 static long sent_bytes;
 static int ssl_initialized;
 
 
-/*! this has to be called before any other function dealing with ssl.
+/*! \brief this has to be called before any other function dealing with ssl.
    Initializes all the ssl related stuff here.  */
 int init_secure(char *certfile)
 {
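Review bot: `SSL_CTX *sctx;` is the only file-scope object here without `static`, next to `rec_bytes`, `sent_bytes` and `ssl_initialized` which have it; nothing in the header hunk declares it `extern`, so unless another file references it, `static SSL_CTX *sctx;` keeps it out of the global namespace. `init_secure(char *certfile)` only receives a configuration path, so `const char *certfile` (with the prototype in ssl_addon.h changed to match) documents that it is not modified. The function body continues past the hunk.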
@@ -99,7 +100,7 @@
 	return 0;
 }
 
-/*!     Takes the negative ssl fd and returns the positive fd recieved from the os. 
+/*! \brief Takes the negative ssl fd and returns the positive fd recieved from the os. 
  * 	It goes through arrray of fixed maximum number of secured channels. 
 */
 int get_real_fd(int fd)
@@ -114,7 +115,7 @@
 	return fd;
 }
 
-/*!    Returns the SSL pointer from the fd. This structure is filled when we accept 
+/*! \brief    Returns the SSL pointer from the fd. This structure is filled when we accept 
  *     the ssl connection and used 
  *     for reading and writing through ssl.
 */
@@ -130,7 +131,7 @@
 	return ssl;
 }
 
-/*!    Returns the empty ssl slot. Used to save ssl information.
+/*! \brief    Returns the empty ssl slot. Used to save ssl information.
 */
 int sec_getslot(void)
 {
@@ -141,11 +142,12 @@
 	    		break;
 	}
 
-	if (i==SEC_MAX) return -1;
-		return i;
-}
-
-/*!     Accepts the ssl connection. Retrurns the negative fd. negative fd's are 
+	if (i==SEC_MAX)
+		return -1;
+	return i;
+}
+
+/*! \brief     Accepts the ssl connection. Retrurns the negative fd. negative fd's are 
  *	choosen to differentiate between ssl and non-ssl connections. positive 
  *	fd's are used for non-ssl connections and negative fd's are used for ssl 
  *	connections. So we purposefully calculate and return negative fds. 
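Review bot: The re-indented test still reads `if (i==SEC_MAX)`, while the rest of this commit normalises operator spacing (`fd < -1`, `do {`); `if (i == SEC_MAX)` would match. The reworded docblock keeps "Retrurns" and "choosen". Nothing here protects `sec_channel` or the slot search (its loop starts before the hunk) with a lock, which is fine only if sec_getslot and saccept run on the single accept thread; a one-line comment stating that assumption above `sec_getslot` would stop a later caller from using them from a session thread.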
@@ -166,10 +168,10 @@
 		SSL_set_fd(ssl, s);
 		sec_channel[fd].ssl = ssl;	/* remember ssl */
 		sec_channel[fd].fd = s;		/* remember the real fd */
-		do{
+		do {
 			err = SSL_accept(ssl);
 			err = SSL_get_error(ssl, err);
-		}while( err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
+		} while( err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE);
 
 		SSL_set_mode(ssl, SSL_MODE_ENABLE_PARTIAL_WRITE);
 		ast_log(LOG_DEBUG, "ssl_addon: Connection accepted");
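Review bot: `ast_log(LOG_DEBUG, "ssl_addon: Connection accepted");` runs whatever `err` holds after the loop, so a handshake that left the loop with SSL_ERROR_SSL or SSL_ERROR_SYSCALL is still logged as accepted unless a check follows below the hunk; make it conditional and gate it like the commit's other debug lines, `if (err == SSL_ERROR_NONE && option_debug > 1) ast_log(LOG_DEBUG, "ssl_addon: Connection accepted\n");`. The `do { … } while` retries WANT_READ/WANT_WRITE without waiting on the socket, which spins if the fd is non-blocking, and on a blocking fd a peer that never finishes the handshake holds the caller — the single accept thread in manager.c — for as long as it likes; the socket's mode is not visible here, but a handshake timeout would cover both cases. saccept starts and ends outside the hunk.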
@@ -188,13 +190,13 @@
 }
 
 /*!	
- *	Writes through secured ssl connection 
+ * \brief Writes through secured ssl connection 
 */
 int m_send(int fd, const void *data, size_t len)
 {
 	sent_bytes += len;
 
-	if (fd<-1) {
+	if (fd < -1) {
 		SSL* ssl = get_ssl(fd);
 		return SSL_write(ssl, data, len);
 	}
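Review bot: `sent_bytes += len;` counts bytes before anything is written, and since saccept enables SSL_MODE_ENABLE_PARTIAL_WRITE, `SSL_write` may return fewer than `len` bytes (or an error) that are nonetheless counted; better `int ret = SSL_write(ssl, data, len); if (ret > 0) sent_bytes += ret; return ret;` in the SSL branch, with the plain branch (below the hunk) counting its own return value. `SSL_write` takes an `int` length, so a `size_t len` above INT_MAX is silently truncated here. The counters are plain `long` statics; if m_send and m_recv are called from the detached session threads that manager.c's accept loop creates, these updates are a data race. The function's non-SSL path is outside the hunk.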
@@ -202,7 +204,7 @@
 }
 
 /*!
- *	Receives data from the ssl connection. 
+ * \brief	Receives data from the SSL connection. 
 */
 int m_recv(int s, void *buf, size_t len, int flags)
 {
@@ -217,14 +219,15 @@
 	if (ret > 0)
 		rec_bytes += ret;
 
-	ast_log(LOG_DEBUG, "ssl_addon: Received data from ssl\n");
+	if (option_debug > 2)
+		ast_log(LOG_DEBUG, "Received data from SSL socket - %d\n", ret);
 	return ret;
 }
 
 
-/*!
+/*! \brief
 	Needs to be called instead of close() to close a socket.
-	It also closes the ssl meta connection.
+	It also closes the SSL meta connection.
 */
 
 int close_sock(int socket)
@@ -248,15 +251,15 @@
 	return(ret);
 }
 
-/*! This process cannot continue without fixing this error. 
+/*! \brief This process cannot continue without fixing this error. 
 */
 int errexit(char s[])
 {
-    	ast_log(LOG_NOTICE, "ssl_addon: %s", s);
+    	ast_log(LOG_ERROR, "SSL critical error: %s", s);
 	return -1;
 }
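Review bot: The new message `"SSL critical error: %s"` has no trailing newline, unlike the other ast_log calls this commit touches; `"SSL critical error: %s\n"`. `int errexit(char s[])` never modifies the string, so `const char *s` is the accurate signature, and the function has external linkage without appearing in the ssl_addon.h hunk — if no other file calls it, `static` avoids a clash with the common `errexit` helper name.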
 
-/*!  Checks whether the client is requesting an ssl encrypted connection or not. If its encrypted
+/*!  \brief Checks whether the client is requesting an ssl encrypted connection or not. If its encrypted
  *   request we expect "Client Hello" in the beginning of the message and ssl version 2.
  *   This can be verified by checking buf[0x02], buf[0x03] and buf[0x04]. If the contents are
  *   0x01, 0x00, 0x02, then its an ssl packet with content "Client Hello", "SSL version 2".
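Review bot: The reworded docblock still describes the old check — it says an encrypted request is an SSL version 2 "Client Hello" with 0x01, 0x00, 0x02 at buf[2..4] — but the code in the next hunk returns 1 for an SSLv3/TLS record (0x16, 0x03, 0x00 or 0x01) and for the v2-framed hello advertising 3.1, and the trailing comment says SSLv2 yields -1. The comment should be rewritten to list the three outcomes (1 for SSLv3/TLS, -1 for SSLv2, 0 for plain text or no data within the timeout) with the byte offsets actually tested, since manager.c branches on exactly those values.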
@@ -268,6 +271,8 @@
         fd_set listeners;
         struct timeval tv;
         char buf[1024];
+        int ready_fdescriptors;
+        int ret;
 
         tv.tv_sec = 0;
         tv.tv_usec = sslclhellotimeout * 1000;
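Review bot: `tv.tv_usec = sslclhellotimeout * 1000;` overflows the microsecond field for any configured timeout of 1000 ms or more (`sslclienthellotimeout` is documented in milliseconds), and select() on some systems rejects tv_usec ≥ 1000000 with EINVAL, which the error branch in the next hunk then logs as "should not happen" and treats as a plaintext client; split it as `tv.tv_sec = sslclhellotimeout / 1000;` `tv.tv_usec = (sslclhellotimeout % 1000) * 1000;`. A negative value from the config reaches here unchecked as well. is_encrypt_request begins before the hunk.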
@@ -275,25 +280,27 @@
         FD_ZERO(&listeners);
         FD_SET(fd, &listeners);
 
-        int ready_fdescriptors = select (fd + 1, &listeners, NULL, NULL, &tv);
+        ready_fdescriptors = select (fd + 1, &listeners, NULL, NULL, &tv);
 
         if (ready_fdescriptors < 0 ) {
-                ast_log(LOG_WARNING,"select returned error, This should not happen: \n");
+                ast_log(LOG_ERROR, "select returned error, This should not happen: \n");
                 return 0;
         } else if (ready_fdescriptors == 0) {
                 return 0;
         }
-        int ret = recv(fd, buf, 100, MSG_PEEK);
+        ret = recv(fd, buf, 100, MSG_PEEK);
         if(ret > 0) {
 	    	/* check for sslv3  or tls*/
 	    	if ((buf[0x00] == 0x16) && (buf[0x01] == 0x03) &&
 			/* for tls buf[0x02] = 0x01 and ssl v3 buf[0x02] = 0x02 */
 			((buf[0x02] == 0x00) || (buf[0x02] == 0x01))) {
-		    	ast_log(LOG_DEBUG, "Received a SSL request\n");
+			if (option_debug > 1)
+		    		ast_log(LOG_DEBUG, "Received a SSL request\n");
 			return 1;
 		/* check for sslv23_client_method */
 		} else if ((buf[0x02] == 0x01) && (buf[0x03] == 0x03) && (buf[0x04] == 0x01)) {
-		    	ast_log(LOG_DEBUG, "Received a SSL request for SSLv23_client_method()\n");
+			if (option_debug > 1)
+		    		ast_log(LOG_DEBUG, "Received a SSL request for SSLv23_client_method()\n");
 			return 1;
 		}
 		/* check for sslv2 and return -1 */
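Review bot: `if(ret > 0)` lets the checks below read `buf[0x01]`…`buf[0x04]` when the peek returned fewer than five bytes, and `buf` is never initialised, so a client that sends one to four bytes is classified from uninitialised stack contents; the guard should be `if (ret >= 5) {`. A `recv` error (`ret < 0`) falls through past the hunk with no visible handling, and a select() failure returns 0, which the caller treats the same as a plaintext client — a comment on that return line would record whether this is intended. The function continues past the hunk.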


