[asterisk-commits] dvossel: trunk r191028 - in /trunk: ./ channels/ configs/ include/asterisk/ m...



Author: dvossel
Date: Wed Apr 29 09:39:48 2009
New Revision: 191028

URL: http://svn.digium.com/svn-view/asterisk?view=rev&rev=191028
Log:
Consistent SSL/TLS options across conf files

ast_tls_read_conf() is a new API call for handling SSL/TLS options across all conf files.  Before this change, SSL/TLS options were not consistent: http.conf and manager.conf required the 'ssl' prefix while sip.conf used options with the 'tls' prefix.  While the options had different names in different conf files, they all did the exact same thing.  Now, instead of mixing 'ssl' or 'tls' prefixes to do the same thing depending on what conf file you're in, all SSL/TLS options use the 'tls' prefix.  For example, 'sslenable' in http.conf and manager.conf is now 'tlsenable', which matches what already existed in sip.conf.  Since this has the potential to break backwards compatibility, previous options containing the 'ssl' prefix still work, but they are no longer documented in the sample.conf files.  The change is noted in the CHANGES file though.

Review: http://reviewboard.digium.com/r/237/


Modified:
    trunk/CHANGES
    trunk/channels/chan_sip.c
    trunk/configs/http.conf.sample
    trunk/configs/manager.conf.sample
    trunk/include/asterisk/tcptls.h
    trunk/main/http.c
    trunk/main/manager.c
    trunk/main/tcptls.c

Modified: trunk/CHANGES
URL: http://svn.digium.com/svn-view/asterisk/trunk/CHANGES?view=diff&rev=191028&r1=191027&r2=191028
==============================================================================
--- trunk/CHANGES (original)
+++ trunk/CHANGES Wed Apr 29 09:39:48 2009
@@ -107,6 +107,12 @@
  * sslprivatekey option added to manager.conf and http.conf.  Adds the ability
    to specify a separate .pem file to hold a private key.  By default sslcert
    is used to hold both the public and private key.
+ * Options in manager.conf and http.conf with the 'ssl' prefix have been replaced
+   for options containing the 'tls' prefix.  For example, 'sslenable' is now
+   'tlsenable'.  This has been done in effort to keep ssl and tls options consistent
+   across all .conf files. All affected sample.conf files have been modified to
+   reflect this change.  Previous options such as 'sslenable' still work,
+   but options with the 'tls' prefix are preferred.
 ------------------------------------------------------------------------------
 --- Functionality changes from Asterisk 1.6.1 to Asterisk 1.6.2  -------------
 ------------------------------------------------------------------------------

Modified: trunk/channels/chan_sip.c
URL: http://svn.digium.com/svn-view/asterisk/trunk/channels/chan_sip.c?view=diff&rev=191028&r1=191027&r2=191028
==============================================================================
--- trunk/channels/chan_sip.c (original)
+++ trunk/channels/chan_sip.c Wed Apr 29 09:39:48 2009
@@ -23943,13 +23943,18 @@
 		if (!ast_jb_read_conf(&global_jbconf, v->name, v->value))
 			continue;
 
+		/* handle tls conf */
+		if (!ast_tls_read_conf(&default_tls_cfg, &sip_tls_desc, v->name, v->value)) {
+			continue;
+		}
+
 		if (!strcasecmp(v->name, "context")) {
 			ast_copy_string(sip_cfg.default_context, v->value, sizeof(sip_cfg.default_context));
 		} else if (!strcasecmp(v->name, "subscribecontext")) {
 			ast_copy_string(sip_cfg.default_subscribecontext, v->value, sizeof(sip_cfg.default_subscribecontext));
-  		} else if (!strcasecmp(v->name, "callcounter")) {
+		} else if (!strcasecmp(v->name, "callcounter")) {
 			global_callcounter = ast_true(v->value) ? 1 : 0;
-  		} else if (!strcasecmp(v->name, "allowguest")) {
+		} else if (!strcasecmp(v->name, "allowguest")) {
 			sip_cfg.allowguest = ast_true(v->value) ? 1 : 0;
 		} else if (!strcasecmp(v->name, "realm")) {
 			ast_copy_string(sip_cfg.realm, v->value, sizeof(sip_cfg.realm));
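Review bot: The ast_tls_read_conf() call added at the top of this hunk makes sip.conf accept option names the removed chan_sip branches never parsed: `tlsbindport`/`sslbindport`, which now write `sip_tls_desc.local_address.sin_port` via `htons(atoi(value))`, and the `sslenable`/`sslcert`/`sslprivatekey`/`sslcipher`/`sslbindaddr` aliases. sip.conf.sample is not in this commit's file list and the CHANGES entry only mentions manager.conf and http.conf, so for SIP these keys are undocumented; if chan_sip derives the TLS port somewhere else (not visible here), a `tlsbindport` line may now conflict with it in config-order-dependent ways. I would either document the new keys in sip.conf.sample or extend the CHANGES entry with a line such as `sip.conf now also accepts tlsbindport and the legacy ssl*-prefixed aliases`. The enclosing config-reload loop starts before this hunk and continues past it.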
@@ -23967,7 +23972,7 @@
 		} else if (!strcasecmp(v->name, "allowtransfer")) {
 			sip_cfg.allowtransfer = ast_true(v->value) ? TRANSFER_OPENFORALL : TRANSFER_CLOSED;
 		} else if (!strcasecmp(v->name, "rtcachefriends")) {
-			ast_set2_flag(&global_flags[1], ast_true(v->value), SIP_PAGE2_RTCACHEFRIENDS);	
+			ast_set2_flag(&global_flags[1], ast_true(v->value), SIP_PAGE2_RTCACHEFRIENDS);
 		} else if (!strcasecmp(v->name, "rtsavesysname")) {
 			sip_cfg.rtsave_sysname = ast_true(v->value);
 		} else if (!strcasecmp(v->name, "rtupdate")) {
@@ -23990,7 +23995,7 @@
 			while ((trans = strsep(&val, ","))) {
 				trans = ast_skip_blanks(trans);
 
-				if (!strncasecmp(trans, "udp", 3)) 
+				if (!strncasecmp(trans, "udp", 3))
 					default_transports |= SIP_TRANSPORT_UDP;
 				else if (!strncasecmp(trans, "tcp", 3))
 					default_transports |= SIP_TRANSPORT_TCP;
@@ -24011,31 +24016,6 @@
 				ast_log(LOG_WARNING, "Invalid %s '%s' at line %d of %s\n", v->name, v->value, v->lineno, config);
 			sip_tcp_desc.local_address.sin_family = family;
 			ast_debug(2, "Setting TCP socket address to %s\n", v->value);
-		} else if (!strcasecmp(v->name, "tlsenable")) {
-			default_tls_cfg.enabled = ast_true(v->value) ? TRUE : FALSE;
-			sip_tls_desc.local_address.sin_family = AF_INET;
-		} else if (!strcasecmp(v->name, "tlscertfile")) {
-			ast_free(default_tls_cfg.certfile);
-			default_tls_cfg.certfile = ast_strdup(v->value);
-		} else if (!strcasecmp(v->name, "tlsprivatekey")) {
-			ast_free(default_tls_cfg.pvtfile);
-			default_tls_cfg.pvtfile = ast_strdup(v->value);
-		} else if (!strcasecmp(v->name, "tlscipher")) {
-			ast_free(default_tls_cfg.cipher);
-			default_tls_cfg.cipher = ast_strdup(v->value);
-		} else if (!strcasecmp(v->name, "tlscafile")) {
-			ast_free(default_tls_cfg.cafile);
-			default_tls_cfg.cafile = ast_strdup(v->value);
-		} else if (!strcasecmp(v->name, "tlscapath")) {
-			ast_free(default_tls_cfg.capath);
-			default_tls_cfg.capath = ast_strdup(v->value);
-		} else if (!strcasecmp(v->name, "tlsverifyclient")) {
-			ast_set2_flag(&default_tls_cfg.flags, ast_true(v->value), AST_SSL_VERIFY_CLIENT);	
-		} else if (!strcasecmp(v->name, "tlsdontverifyserver")) {
-			ast_set2_flag(&default_tls_cfg.flags, ast_true(v->value), AST_SSL_DONT_VERIFY_SERVER);	
-		} else if (!strcasecmp(v->name, "tlsbindaddr")) {
-			if (ast_parse_arg(v->value, PARSE_INADDR, &sip_tls_desc.local_address))
-				ast_log(LOG_WARNING, "Invalid %s '%s' at line %d of %s\n", v->name, v->value, v->lineno, config);
 		} else if (!strcasecmp(v->name, "dynamic_exclude_static") || !strcasecmp(v->name, "dynamic_excludes_static")) {
 			global_dynamic_exclude_static = ast_true(v->value);
 		} else if (!strcasecmp(v->name, "contactpermit") || !strcasecmp(v->name, "contactdeny")) {
@@ -24052,7 +24032,7 @@
 				i = 0;
 			ast_set2_flag(&global_flags[1], i || ast_true(v->value), SIP_PAGE2_RTAUTOCLEAR);
 		} else if (!strcasecmp(v->name, "usereqphone")) {
-			ast_set2_flag(&global_flags[0], ast_true(v->value), SIP_USEREQPHONE);	
+			ast_set2_flag(&global_flags[0], ast_true(v->value), SIP_USEREQPHONE);
 		} else if (!strcasecmp(v->name, "relaxdtmf")) {
 			global_relaxdtmf = ast_true(v->value);
 		} else if (!strcasecmp(v->name, "vmexten")) {

Modified: trunk/configs/http.conf.sample
URL: http://svn.digium.com/svn-view/asterisk/trunk/configs/http.conf.sample?view=diff&rev=191028&r1=191027&r2=191028
==============================================================================
--- trunk/configs/http.conf.sample (original)
+++ trunk/configs/http.conf.sample Wed Apr 29 09:39:48 2009
@@ -46,17 +46,16 @@
 ;redirect = / /static/config/cfgbasic.html
 ;
 ; HTTPS support. In addition to enabled=yes, you need to
-; explicitly enable ssl, define the port to use,
+; explicitly enable tls, define the port to use,
 ; and have a certificate somewhere.
-; sslenable=yes		; enable ssl - default no.
-; sslbindport=4433	; port to use - default is 8089
-; sslbindaddr=0.0.0.0	; address to bind to - default is bindaddr.
+;tlsenable=yes          ; enable tls - default no.
+;tlsbindport=4433       ; port to use - default is 8089
+;tlsbindaddr=0.0.0.0    ; address to bind to - default is bindaddr.
 ;
-;
-; sslcert=</path/to/certificate.pem>   ; path to the certificate file (*.pem) only.
-; sslprivatekey=</path/to/private.pem>    ; path to private key file (*.pem) only.
-; If no path is given for sslcert or sslprivatekey, default is to look in current
-; directory. If no sslprivatekey is given, default is to search sslcert for private key.
+;tlscertfile=</path/to/certificate.pem>  ; path to the certificate file (*.pem) only.
+;tlsprivatekey=</path/to/private.pem>    ; path to private key file (*.pem) only.
+; If no path is given for tlscertfile or tlsprivatekey, default is to look in current
+; directory. If no tlsprivatekey is given, default is to search tlscertfile for private key.
 ;
 ; To produce a certificate you can e.g. use openssl. This places both the cert and
 ; private in same .pem file.

Modified: trunk/configs/manager.conf.sample
URL: http://svn.digium.com/svn-view/asterisk/trunk/configs/manager.conf.sample?view=diff&rev=191028&r1=191027&r2=191028
==============================================================================
--- trunk/configs/manager.conf.sample (original)
+++ trunk/configs/manager.conf.sample Wed Apr 29 09:39:48 2009
@@ -39,15 +39,14 @@
 ;
 ;	openssl s_client -connect my_host:5039
 ;
-;   sslenable=no		; set to YES to enable it
-;   sslbindport=5039		; the port to bind to
-;   sslbindaddr=0.0.0.0		; address to bind to, default to bindaddr
-;   sslcert=/tmp/asterisk.pem	; path to the certificate.
-;   sslprivatekey=/tmp/private.pem ; path to the private key, if no private given,
-                                   ; if no sslprivatekey is given, default is to search
-								   ; sslcert for private key.
-;   sslcipher=<cipher string>   ; string specifying which SSL ciphers to use or not use
-
+;tlsenable=no		; set to YES to enable it
+;tlsbindport=5039		; the port to bind to
+;tlsbindaddr=0.0.0.0		; address to bind to, default to bindaddr
+;tlscertfile=/tmp/asterisk.pem	; path to the certificate.
+;tlsprivatekey=/tmp/private.pem ; path to the private key, if no private given,
+                                ; if no tlsprivatekey is given, default is to search
+								; tlscertfile for private key.
+;tlscipher=<cipher string>      ; string specifying which SSL ciphers to use or not use
 ;
 ;allowmultiplelogin = yes		; IF set to no, rejects manager logins that are already in use.
 ;                               ; The default is yes.
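Review bot: The rewritten example still points `tlscertfile` and `tlsprivatekey` at `/tmp/asterisk.pem` and `/tmp/private.pem`; /tmp is world-writable, so a sample that operators copy verbatim invites a key file any local user can replace or pre-create, and it leaves the private key among scratch files. Suggest an example under the Asterisk configuration tree, e.g. `;tlscertfile=/etc/asterisk/keys/asterisk.pem` and `;tlsprivatekey=/etc/asterisk/keys/private.pem`, followed by `; the private key file should be readable only by the user asterisk runs as`. The continuation lines of the wrapped comment also mix tabs and spaces (the `tlscertfile for private key` line), which the http.conf.sample hunk in this same commit formats consistently.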

Modified: trunk/include/asterisk/tcptls.h
URL: http://svn.digium.com/svn-view/asterisk/trunk/include/asterisk/tcptls.h?view=diff&rev=191028&r1=191027&r2=191028
==============================================================================
--- trunk/include/asterisk/tcptls.h (original)
+++ trunk/include/asterisk/tcptls.h Wed Apr 29 09:39:48 2009
@@ -174,6 +174,11 @@
 void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc);
 int ast_ssl_setup(struct ast_tls_config *cfg);
 
+/*!
+ * \brief Used to parse conf files containing tls/ssl options.
+ */
+int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value);
+
 HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *ser, void *buf, size_t count);
 HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *ser, const void *buf, size_t count);
 
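Review bot: The Doxygen comment on the new prototype says only that it parses tls/ssl options; it should state the contract the three callers rely on, in particular the return value they use to `continue`. I would expand it to the existing \brief plus a \param for `tls_cfg` (settings updated in place; string fields are replaced with ast_strdup copies, the old ones freed), a \param for `tls_desc` (listener whose `local_address` is written by tlsbindaddr/tlsbindport and whose `sin_family` is forced to AF_INET by tlsenable), `\retval 0 varname was a TLS option and has been consumed`, `\retval -1 varname is not a TLS option; the caller must handle it`, and a \note that the legacy `ssl`-prefixed names (sslenable, sslcert, sslprivatekey, sslcipher, sslbindaddr, sslbindport) are accepted as aliases. Callers should also be told that invalid values only produce a LOG_WARNING and leave the previous setting in place.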

Modified: trunk/main/http.c
URL: http://svn.digium.com/svn-view/asterisk/trunk/main/http.c?view=diff&rev=191028&r1=191027&r2=191028
==============================================================================
--- trunk/main/http.c (original)
+++ trunk/main/http.c Wed Apr 29 09:39:48 2009
@@ -983,7 +983,6 @@
 	struct hostent *hp;
 	struct ast_hostent ahp;
 	char newprefix[MAX_PREFIX] = "";
-	int have_sslbindaddr = 0;
 	struct http_uri_redirect *redirect;
 	struct ast_flags config_flags = { reload ? CONFIG_FLAG_FILEUNCHANGED : 0 };
 
@@ -1024,32 +1023,18 @@
 	if (cfg) {
 		v = ast_variable_browse(cfg, "general");
 		for (; v; v = v->next) {
+
+			/* handle tls conf */
+			if (!ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
+				continue;
+			}
+
 			if (!strcasecmp(v->name, "enabled")) {
 				enabled = ast_true(v->value);
-			} else if (!strcasecmp(v->name, "sslenable")) {
-				http_tls_cfg.enabled = ast_true(v->value);
-			} else if (!strcasecmp(v->name, "sslbindport")) {
-				https_desc.local_address.sin_port = htons(atoi(v->value));
-			} else if (!strcasecmp(v->name, "sslcert")) {
-				ast_free(http_tls_cfg.certfile);
-				http_tls_cfg.certfile = ast_strdup(v->value);
-			} else if (!strcasecmp(v->name, "sslprivatekey")) {
-				ast_free(http_tls_cfg.pvtfile);
-				http_tls_cfg.pvtfile = ast_strdup(v->value);
-			} else if (!strcasecmp(v->name, "sslcipher")) {
-				ast_free(http_tls_cfg.cipher);
-				http_tls_cfg.cipher = ast_strdup(v->value);
 			} else if (!strcasecmp(v->name, "enablestatic")) {
 				newenablestatic = ast_true(v->value);
 			} else if (!strcasecmp(v->name, "bindport")) {
 				http_desc.local_address.sin_port = htons(atoi(v->value));
-			} else if (!strcasecmp(v->name, "sslbindaddr")) {
-				if ((hp = ast_gethostbyname(v->value, &ahp))) {
-					memcpy(&https_desc.local_address.sin_addr, hp->h_addr, sizeof(https_desc.local_address.sin_addr));
-					have_sslbindaddr = 1;
-				} else {
-					ast_log(LOG_WARNING, "Invalid bind address '%s'\n", v->value);
-				}
 			} else if (!strcasecmp(v->name, "bindaddr")) {
 				if ((hp = ast_gethostbyname(v->value, &ahp))) {
 					memcpy(&http_desc.local_address.sin_addr, hp->h_addr, sizeof(http_desc.local_address.sin_addr));
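Review bot: The removed `sslbindaddr` branch resolved its value with `ast_gethostbyname()` and wrote only `sin_addr`, while the replacement path in ast_tls_read_conf() hands the whole `local_address` to `ast_parse_arg(value, PARSE_INADDR, ...)`. Whether PARSE_INADDR still resolves hostnames, and whether it also fills in `sin_port` when given a `host:port` form, is not visible here; if it does the latter, a port embedded in `tlsbindaddr` and a separate `tlsbindport` now interact depending on their order in the file, which the old code could not do. Worth confirming against ast_parse_arg() and stating the accepted form in http.conf.sample, e.g. `;tlsbindaddr=0.0.0.0    ; address (not host:port) to bind to - default is bindaddr.` if only an address is intended. Note that the plain `bindaddr` branch below still uses the hostent path, so the two listeners now parse their addresses differently. The enclosing function begins before this hunk and continues past it.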
@@ -1072,8 +1057,8 @@
 
 		ast_config_destroy(cfg);
 	}
-
-	if (!have_sslbindaddr) {
+	/* if the https addres has not been set, default is the same as non secure http */
+	if (!https_desc.local_address.sin_addr.s_addr) {
 		https_desc.local_address.sin_addr = http_desc.local_address.sin_addr;
 	}
 	if (enabled) {
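Review bot: The new `!https_desc.local_address.sin_addr.s_addr` test cannot tell an unset address from an explicit `tlsbindaddr=0.0.0.0` — the very value http.conf.sample shows — because INADDR_ANY is all zeros, so an explicit wildcard is silently replaced by the plain-HTTP `bindaddr`; the removed `have_sslbindaddr` flag did preserve that distinction. An operator with `bindaddr=127.0.0.1` and `tlsbindaddr=0.0.0.0` ends up with an HTTPS listener bound to loopback while believing it listens everywhere. I would keep an explicit flag: in the parsing loop, before the helper call, `if (!strcasecmp(v->name, "tlsbindaddr") || !strcasecmp(v->name, "sslbindaddr")) { have_tlsbindaddr = 1; }` and test `if (!have_tlsbindaddr)` here. The new comment also has a typo, `addres` → `address`. The enclosing function continues past this hunk.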

Modified: trunk/main/manager.c
URL: http://svn.digium.com/svn-view/asterisk/trunk/main/manager.c?view=diff&rev=191028&r1=191027&r2=191028
==============================================================================
--- trunk/main/manager.c (original)
+++ trunk/main/manager.c Wed Apr 29 09:39:48 2009
@@ -4719,9 +4719,6 @@
 	const char *val;
 	char *cat = NULL;
 	int newhttptimeout = 60;
-	int have_sslbindaddr = 0;
-	struct hostent *hp;
-	struct ast_hostent ahp;
 	struct ast_manager_user *user = NULL;
 	struct ast_variable *var;
 	struct ast_flags config_flags = { reload ? CONFIG_FLAG_FILEUNCHANGED : 0 };
@@ -4804,27 +4801,12 @@
 
 	for (var = ast_variable_browse(cfg, "general"); var; var = var->next) {
 		val = var->value;
-		if (!strcasecmp(var->name, "sslenable")) {
-			ami_tls_cfg.enabled = ast_true(val);
-		} else if (!strcasecmp(var->name, "sslbindport")) {
-			amis_desc.local_address.sin_port = htons(atoi(val));
-		} else if (!strcasecmp(var->name, "sslbindaddr")) {
-			if ((hp = ast_gethostbyname(val, &ahp))) {
-				memcpy(&amis_desc.local_address.sin_addr, hp->h_addr, sizeof(amis_desc.local_address.sin_addr));
-				have_sslbindaddr = 1;
-			} else {
-				ast_log(LOG_WARNING, "Invalid bind address '%s'\n", val);
-			}
-		} else if (!strcasecmp(var->name, "sslcert")) {
-			ast_free(ami_tls_cfg.certfile);
-			ami_tls_cfg.certfile = ast_strdup(val);
-		} else if (!strcasecmp(var->name, "sslprivatekey")) {
-			ast_free(ami_tls_cfg.pvtfile);
-			ami_tls_cfg.pvtfile = ast_strdup(val);
-		} else if (!strcasecmp(var->name, "sslcipher")) {
-			ast_free(ami_tls_cfg.cipher);
-			ami_tls_cfg.cipher = ast_strdup(val);
-		} else if (!strcasecmp(var->name, "enabled")) {
+
+		if (!ast_tls_read_conf(&ami_tls_cfg, &amis_desc, var->name, val)) {
+			continue;
+		}
+
+		if (!strcasecmp(var->name, "enabled")) {
 			manager_enabled = ast_true(val);
 		} else if (!strcasecmp(var->name, "block-sockets")) {
 			block_sockets = ast_true(val);
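Review bot: Routing manager.conf through ast_tls_read_conf() means AMI now silently accepts `tlscafile`, `tlscapath`, `tlsverifyclient` and `tlsdontverifyserver`, none of which the removed manager.c branches parsed and none of which the rewritten manager.conf.sample documents. Whether the AMI listener actually enforces `AST_SSL_VERIFY_CLIENT` once the flag is set depends on ast_ssl_setup() and the accept path, neither visible in this diff; an option that is accepted but not enforced would give operators a false sense of client-certificate authentication on the manager port. Either document these keys in manager.conf.sample together with their effect, or note in the helper's header comment which consumers honour them. The enclosing function begins before and continues past this hunk.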
@@ -4856,7 +4838,8 @@
 	if (manager_enabled) {
 		ami_desc.local_address.sin_family = AF_INET;
 	}
-	if (!have_sslbindaddr) {
+	/* if the amis address has not been set, default is the same as non secure ami */
+	if (!amis_desc.local_address.sin_addr.s_addr) {
 		amis_desc.local_address.sin_addr = ami_desc.local_address.sin_addr;
 	}
 	if (ami_tls_cfg.enabled) {
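Review bot: As in http.c, testing `amis_desc.local_address.sin_addr.s_addr` for zero treats an explicit `tlsbindaddr=0.0.0.0` (manager.conf.sample's own example) the same as no value, so the removed `have_sslbindaddr` distinction is lost and the TLS AMI listener inherits `ami_desc`'s address instead of binding the wildcard the operator asked for. A flag set in the parsing loop when `var->name` is `tlsbindaddr` or `sslbindaddr`, tested here as `if (!have_tlsbindaddr)`, restores the previous behaviour without changing the helper's signature. The enclosing function continues past this hunk.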

Modified: trunk/main/tcptls.c
URL: http://svn.digium.com/svn-view/asterisk/trunk/main/tcptls.c?view=diff&rev=191028&r1=191027&r2=191028
==============================================================================
--- trunk/main/tcptls.c (original)
+++ trunk/main/tcptls.c Wed Apr 29 09:39:48 2009
@@ -488,3 +488,39 @@
 	desc->accept_fd = -1;
 	ast_debug(2, "Stopped server :: %s\n", desc->name);
 }
+
+int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value)
+{
+	if (!strcasecmp(varname, "tlsenable") || !strcasecmp(varname, "sslenable")) {
+		tls_cfg->enabled = ast_true(value) ? 1 : 0;
+		tls_desc->local_address.sin_family = AF_INET;
+	} else if (!strcasecmp(varname, "tlscertfile") || !strcasecmp(varname, "sslcert")) {
+		ast_free(tls_cfg->certfile);
+		tls_cfg->certfile = ast_strdup(value);
+	} else if (!strcasecmp(varname, "tlsprivatekey") || !strcasecmp(varname, "sslprivatekey")) {
+		ast_free(tls_cfg->pvtfile);
+		tls_cfg->pvtfile = ast_strdup(value);
+	} else if (!strcasecmp(varname, "tlscipher") || !strcasecmp(varname, "sslcipher")) {
+		ast_free(tls_cfg->cipher);
+		tls_cfg->cipher = ast_strdup(value);
+	} else if (!strcasecmp(varname, "tlscafile")) {
+		ast_free(tls_cfg->cafile);
+		tls_cfg->cafile = ast_strdup(value);
+	} else if (!strcasecmp(varname, "tlscapath")) {
+		ast_free(tls_cfg->capath);
+		tls_cfg->capath = ast_strdup(value);
+	} else if (!strcasecmp(varname, "tlsverifyclient")) {
+		ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_VERIFY_CLIENT);
+	} else if (!strcasecmp(varname, "tlsdontverifyserver")) {
+		ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DONT_VERIFY_SERVER);
+	} else if (!strcasecmp(varname, "tlsbindaddr") || !strcasecmp(varname, "sslbindaddr")) {
+		if (ast_parse_arg(value, PARSE_INADDR, &tls_desc->local_address))
+			ast_log(LOG_WARNING, "Invalid %s '%s'\n", varname, value);
+	} else if (!strcasecmp(varname, "tlsbindport") || !strcasecmp(varname, "sslbindport")) {
+		tls_desc->local_address.sin_port = htons(atoi(value));
+	} else {
+		return -1;
+	}
+
+	return 0;
+}



