[svn-commits] transnexus: trunk r191418 - in /trunk: apps/ configs/



Author: transnexus
Date: Fri May  1 04:50:11 2009
New Revision: 191418

URL: http://svn.digium.com/svn-view/asterisk?view=rev&rev=191418
Log:
Made security features optional.

Modified:
    trunk/apps/app_osplookup.c
    trunk/configs/osp.conf.sample

Modified: trunk/apps/app_osplookup.c
URL: http://svn.digium.com/svn-view/asterisk/trunk/apps/app_osplookup.c?view=diff&rev=191418&r1=191417&r2=191418
==============================================================================
--- trunk/apps/app_osplookup.c (original)
+++ trunk/apps/app_osplookup.c Fri May  1 04:50:11 2009
@@ -39,6 +39,7 @@
 
 #include <osp/osp.h>
 #include <osp/osputils.h>
+#include <osp/ospb64.h>
 
 #include "asterisk/paths.h"
 #include "asterisk/lock.h"
@@ -55,6 +56,7 @@
 /* OSP Buffer Sizes */
 #define OSP_INTSTR_SIZE		((unsigned int)16)		/* OSP signed/unsigned int string buffer size */
 #define OSP_NORSTR_SIZE		((unsigned int)256)		/* OSP normal string buffer size */
+#define OSP_KEYSTR_SIZE		((unsigned int)1024)	/* OSP certificate string buffer size */
 #define OSP_TOKSTR_SIZE		((unsigned int)4096)	/* OSP token string buffer size */
 #define OSP_TECHSTR_SIZE	((unsigned int)32)		/* OSP signed/unsigned int string buffer size */
 #define OSP_UUID_SIZE		((unsigned int)16)		/* UUID size */
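Review bot: The comment on the new OSP_KEYSTR_SIZE calls it a "certificate string buffer size", but the three buffers it sizes receive the base64-decoded DER bytes of a private key and two certificates, so the name and comment should say so: `#define OSP_KEYSTR_SIZE ((unsigned int)1024) /* Decoded (DER) size cap for the built-in key and certs */`. The embedded strings decode to a few hundred bytes each, so 1024 fits them, but a PKCS#1 DER encoding of a 2048-bit RSA key is roughly 1.2 KB and would not fit if the built-in identity is ever upgraded; whether OSPPBase64Decode honours the in/out length on overflow is not visible here, so the cap deserves a comment saying it must be raised together with the embedded material.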
@@ -127,7 +129,7 @@
 	char privatekey[OSP_NORSTR_SIZE];				/* OSP private key file name */
 	char localcert[OSP_NORSTR_SIZE];				/* OSP local cert file name */
 	unsigned int cacount;							/* Number of cacerts */
-	char cacerts[OSP_MAX_CERTS][OSP_NORSTR_SIZE]; 	/* Cacert file names */
+	char cacerts[OSP_MAX_CERTS][OSP_NORSTR_SIZE];	/* Cacert file names */
 	unsigned int spcount;							/* Number of service points */
 	char srvpoints[OSP_MAX_SRVS][OSP_NORSTR_SIZE];	/* Service point URLs */
 	int maxconnections;								/* Max number of connections */
@@ -167,8 +169,14 @@
 AST_MUTEX_DEFINE_STATIC(osplock);							/* Lock of OSP provider list */
 static int osp_initialized = 0;								/* Init flag */
 static int osp_hardware = 0;								/* Hardware accelleration flag */
+static int osp_security = 0;								/* Using security features flag */
 static struct osp_provider* ospproviders = NULL;			/* OSP provider list */
 static unsigned int osp_tokenformat = TOKEN_ALGO_SIGNED;	/* Token format supported */
+
+/* OSP default certificates */
+const char* B64PKey = "MIIBOgIBAAJBAK8t5l+PUbTC4lvwlNxV5lpl+2dwSZGW46dowTe6y133XyVEwNiiRma2YNk3xKs/TJ3Wl9Wpns2SYEAJsFfSTukCAwEAAQJAPz13vCm2GmZ8Zyp74usTxLCqSJZNyMRLHQWBM0g44Iuy4wE3vpi7Wq+xYuSOH2mu4OddnxswCP4QhaXVQavTAQIhAOBVCKXtppEw9UaOBL4vW0Ed/6EA/1D8hDW6St0h7EXJAiEAx+iRmZKhJD6VT84dtX5ZYNVk3j3dAcIOovpzUj9a0CECIEduTCapmZQ5xqAEsLXuVlxRtQgLTUD4ZxDElPn8x0MhAiBE2HlcND0+qDbvtwJQQOUzDgqg5xk3w8capboVdzAlQQIhAMC+lDL7+gDYkNAft5Mu+NObJmQs4Cr+DkDFsKqoxqrm";
+const char* B64LCert = "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";
+const char* B64CACert = "MIIBYDCCAQoCAQEwDQYJKoZIhvcNAQEEBQAwOzElMCMGA1UEAxMcb3NwdGVzdHNlcnZlci50cmFuc25leHVzLmNvbTESMBAGA1UEChMJT1NQU2VydmVyMB4XDTAyMDIwNDE4MjU1MloXDTEyMDIwMzE4MjU1MlowOzElMCMGA1UEAxMcb3NwdGVzdHNlcnZlci50cmFuc25leHVzLmNvbTESMBAGA1UEChMJT1NQU2VydmVyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAPGeGwV41EIhX0jEDFLRXQhDEr50OUQPq+f55VwQd0TQNts06BP29+UiNdRW3c3IRHdZcJdC1Cg68ME9cgeq0h8CAwEAATANBgkqhkiG9w0BAQQFAANBAGkzBSj1EnnmUxbaiG1N4xjIuLAWydun7o3bFk2tV8dBIhnuh445obYyk1EnQ27kI7eACCILBZqi2MHDOIMnoN0=";
 
 /* OSP Client Wrapper APIs */
 
@@ -190,7 +198,10 @@
 	OSPT_CERT cacerts[OSP_MAX_CERTS];
 	const OSPT_CERT* pcacerts[OSP_MAX_CERTS];
 	const char* psrvpoints[OSP_MAX_SRVS];
-	int t, i, j, error = OSPC_ERR_NO_ERROR;
+	unsigned char privatekeydata[OSP_KEYSTR_SIZE];
+	unsigned char localcertdata[OSP_KEYSTR_SIZE];
+	unsigned char cacertdata[OSP_KEYSTR_SIZE];
+	int i, t, error = OSPC_ERR_NO_ERROR;
 
 	if (!(p = ast_calloc(1, sizeof(*p)))) {
 		ast_log(LOG_ERROR, "Out of memory\n");
@@ -213,30 +224,36 @@
 	v = ast_variable_browse(cfg, provider);
 	while(v) {
 		if (!strcasecmp(v->name, "privatekey")) {
-			if (v->value[0] == '/') {
-				ast_copy_string(p->privatekey, v->value, sizeof(p->privatekey));
-			} else {
-				snprintf(p->privatekey, sizeof(p->privatekey), "%s/%s", ast_config_AST_KEY_DIR, v->value);
-			}
-			ast_debug(1, "OSP: privatekey '%s'\n", p->privatekey);
+			if (osp_security) {
+				if (v->value[0] == '/') {
+					ast_copy_string(p->privatekey, v->value, sizeof(p->privatekey));
+				} else {
+					snprintf(p->privatekey, sizeof(p->privatekey), "%s/%s", ast_config_AST_KEY_DIR, v->value);
+				}
+				ast_debug(1, "OSP: privatekey '%s'\n", p->privatekey);
+			}
 		} else if (!strcasecmp(v->name, "localcert")) {
-			if (v->value[0] == '/') {
-				ast_copy_string(p->localcert, v->value, sizeof(p->localcert));
-			} else {
-				snprintf(p->localcert, sizeof(p->localcert), "%s/%s", ast_config_AST_KEY_DIR, v->value);
-			}
-			ast_debug(1, "OSP: localcert '%s'\n", p->localcert);
+			if (osp_security) {
+				if (v->value[0] == '/') {
+					ast_copy_string(p->localcert, v->value, sizeof(p->localcert));
+				} else {
+					snprintf(p->localcert, sizeof(p->localcert), "%s/%s", ast_config_AST_KEY_DIR, v->value);
+				}
+				ast_debug(1, "OSP: localcert '%s'\n", p->localcert);
+			}
 		} else if (!strcasecmp(v->name, "cacert")) {
-			if (p->cacount < OSP_MAX_CERTS) {
-				if (v->value[0] == '/') {
-					ast_copy_string(p->cacerts[p->cacount], v->value, sizeof(p->cacerts[0]));
+			if (osp_security) {
+				if (p->cacount < OSP_MAX_CERTS) {
+					if (v->value[0] == '/') {
+						ast_copy_string(p->cacerts[p->cacount], v->value, sizeof(p->cacerts[0]));
+					} else {
+						snprintf(p->cacerts[p->cacount], sizeof(p->cacerts[0]), "%s/%s", ast_config_AST_KEY_DIR, v->value);
+					}
+					ast_debug(1, "OSP: cacerts[%d]: '%s'\n", p->cacount, p->cacerts[p->cacount]);
+					p->cacount++;
 				} else {
-					snprintf(p->cacerts[p->cacount], sizeof(p->cacerts[0]), "%s/%s", ast_config_AST_KEY_DIR, v->value);
+					ast_log(LOG_WARNING, "OSP: Too many CA Certificates at line %d\n", v->lineno);
 				}
-				ast_debug(1, "OSP: cacert[%d]: '%s'\n", p->cacount, p->cacerts[p->cacount]);
-				p->cacount++;
-			} else {
-				ast_log(LOG_WARNING, "OSP: Too many CA Certificates at line %d\n", v->lineno);
 			}
 		} else if (!strcasecmp(v->name, "servicepoint")) {
 			if (p->spcount < OSP_MAX_SRVS) {
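Review bot: When osp_security is off, a configured privatekey, localcert or cacert line is now dropped without any message, so an operator who set up certificates but forgot securityfeatures=yes gets a provider running on the built-in test key and nothing in the log to say why. Each of the three new `if (osp_security)` wrappers should get an else branch such as `} else { ast_log(LOG_WARNING, "OSP: '%s' at line %d ignored because securityfeatures is disabled\n", v->name, v->lineno); }`. The "Too many CA Certificates" warning on the cacert branch is still emitted, which is inconsistent with silently ignoring the value in the other case. The enclosing provider-loading function starts before this hunk.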
@@ -307,95 +324,109 @@
 		v = v->next;
 	}
 
-	error = OSPPUtilLoadPEMPrivateKey((unsigned char*)p->privatekey, &privatekey);
-	if (error != OSPC_ERR_NO_ERROR) {
-		ast_log(LOG_WARNING, "OSP: Unable to load privatekey '%s', error '%d'\n", p->privatekey, error);
-		ast_free(p);
-		return 0;
-	}
-
-	error = OSPPUtilLoadPEMCert((unsigned char*)p->localcert, &localcert);
-	if (error != OSPC_ERR_NO_ERROR) {
-		ast_log(LOG_WARNING, "OSP: Unable to load localcert '%s', error '%d'\n", p->localcert, error);
+	if (p->cacount == 0) {
+		p->cacount = 1;
+	}
+
+	for (i = 0; i < p->spcount; i++) {
+		psrvpoints[i] = p->srvpoints[i];
+	}
+
+	if (osp_security) {
+		privatekey.PrivateKeyData = NULL;
+		privatekey.PrivateKeyLength = 0;
+
+		localcert.CertData = NULL;
+		localcert.CertDataLength = 0;
+
+		for (i = 0; i < p->cacount; i++) {
+			cacerts[i].CertData = NULL;
+			cacerts[i].CertDataLength = 0;
+		}
+
+		if ((error = OSPPUtilLoadPEMPrivateKey((unsigned char*)p->privatekey, &privatekey)) != OSPC_ERR_NO_ERROR) {
+			ast_log(LOG_WARNING, "OSP: Unable to load privatekey '%s', error '%d'\n", p->privatekey, error);
+		} else if ((error = OSPPUtilLoadPEMCert((unsigned char*)p->localcert, &localcert)) != OSPC_ERR_NO_ERROR) {
+			ast_log(LOG_WARNING, "OSP: Unable to load localcert '%s', error '%d'\n", p->localcert, error);
+		} else {
+			for (i = 0; i < p->cacount; i++) {
+				if ((error = OSPPUtilLoadPEMCert((unsigned char*)p->cacerts[i], &cacerts[i])) != OSPC_ERR_NO_ERROR) {
+					ast_log(LOG_WARNING, "OSP: Unable to load cacert '%s', error '%d'\n", p->cacerts[i], error);
+					break;
+				} else {
+					pcacerts[i] = &cacerts[i];
+				}
+			}
+		}
+	} else {
+		privatekey.PrivateKeyData = privatekeydata;
+		privatekey.PrivateKeyLength = sizeof(privatekeydata);
+
+		localcert.CertData = localcertdata;
+		localcert.CertDataLength = sizeof(localcertdata);
+
+		cacerts[0].CertData = cacertdata;
+		cacerts[0].CertDataLength = sizeof(cacertdata);
+		pcacerts[0] = &cacerts[0];
+
+		if ((error = OSPPBase64Decode(B64PKey, strlen(B64PKey), privatekey.PrivateKeyData, &privatekey.PrivateKeyLength)) != OSPC_ERR_NO_ERROR) {
+			ast_log(LOG_WARNING, "OSP: Unable to decode private key, error '%d'\n", error);
+		} else if ((error = OSPPBase64Decode(B64LCert, strlen(B64LCert), localcert.CertData, &localcert.CertDataLength)) != OSPC_ERR_NO_ERROR) {
+			ast_log(LOG_WARNING, "OSP: Unable to decode local cert, error '%d'\n", error);
+		} else if ((error = OSPPBase64Decode(B64CACert, strlen(B64CACert), cacerts[0].CertData, &cacerts[0].CertDataLength)) != OSPC_ERR_NO_ERROR) {
+			ast_log(LOG_WARNING, "OSP: Unable to decode cacert, error '%d'\n", error);
+		}
+	}
+
+	if (error == OSPC_ERR_NO_ERROR) {
+		error = OSPPProviderNew(
+			p->spcount,
+			psrvpoints,
+			NULL,
+			OSP_AUDIT_URL,
+			&privatekey,
+			&localcert,
+			p->cacount,
+			pcacerts,
+			OSP_LOCAL_VALIDATION,
+			OSP_SSL_LIFETIME,
+			p->maxconnections,
+			OSP_HTTP_PERSISTENCE,
+			p->retrydelay,
+			p->retrylimit,
+			p->timeout,
+			OSP_CUSTOMER_ID,
+			OSP_DEVICE_ID,
+			&p->handle);
+		if (error != OSPC_ERR_NO_ERROR) {
+			ast_log(LOG_WARNING, "OSP: Unable to create provider '%s', error '%d'\n", provider, error);
+			res = -1;
+		} else {
+			ast_debug(1, "OSP: provider '%s'\n", provider);
+			ast_mutex_lock(&osplock);
+			p->next = ospproviders;
+			ospproviders = p;
+			ast_mutex_unlock(&osplock);
+			res = 1;
+		}
+	}
+
+	if (osp_security) {
+		for (i = 0; i < p->cacount; i++) {
+			if (cacerts[i].CertData) {
+				ast_free(cacerts[i].CertData);
+			}
+		}
+		if (localcert.CertData) {
+			ast_free(localcert.CertData);
+		}
 		if (privatekey.PrivateKeyData) {
 			ast_free(privatekey.PrivateKeyData);
 		}
+	}
+
+	if (res != 1) {
 		ast_free(p);
-		return 0;
-	}
-
-	if (p->cacount < 1) {
-		snprintf(p->cacerts[p->cacount], sizeof(p->cacerts[0]), "%s/%s-cacert.pem", ast_config_AST_KEY_DIR, provider);
-		ast_debug(1, "OSP: cacert[%d]: '%s'\n", p->cacount, p->cacerts[p->cacount]);
-		p->cacount++;
-	}
-	for (i = 0; i < p->cacount; i++) {
-		error = OSPPUtilLoadPEMCert((unsigned char*)p->cacerts[i], &cacerts[i]);
-		if (error != OSPC_ERR_NO_ERROR) {
-			ast_log(LOG_WARNING, "OSP: Unable to load cacert '%s', error '%d'\n", p->cacerts[i], error);
-			for (j = 0; j < i; j++) {
-				if (cacerts[j].CertData) {
-					ast_free(cacerts[j].CertData);
-				}
-			}
-			if (localcert.CertData) {
-				ast_free(localcert.CertData);
-			}
-			if (privatekey.PrivateKeyData) {
-				ast_free(privatekey.PrivateKeyData);
-			}
-			ast_free(p);
-			return 0;
-		}
-		pcacerts[i] = &cacerts[i];
-	}
-
-	for (i = 0; i < p->spcount; i++) {
-		psrvpoints[i] = p->srvpoints[i];
-	}
-
-	error = OSPPProviderNew(
-		p->spcount,
-		psrvpoints,
-		NULL,
-		OSP_AUDIT_URL,
-		&privatekey,
-		&localcert,
-		p->cacount,
-		pcacerts,
-		OSP_LOCAL_VALIDATION,
-		OSP_SSL_LIFETIME,
-		p->maxconnections,
-		OSP_HTTP_PERSISTENCE,
-		p->retrydelay,
-		p->retrylimit,
-		p->timeout,
-		OSP_CUSTOMER_ID,
-		OSP_DEVICE_ID,
-		&p->handle);
-	if (error != OSPC_ERR_NO_ERROR) {
-		ast_log(LOG_WARNING, "OSP: Unable to create provider '%s', error '%d'\n", provider, error);
-		ast_free(p);
-		res = -1;
-	} else {
-		ast_debug(1, "OSP: provider '%s'\n", provider);
-		ast_mutex_lock(&osplock);
-		p->next = ospproviders;
-		ospproviders = p;
-		ast_mutex_unlock(&osplock);
-		res = 1;
-	}
-
-	for (i = 0; i < p->cacount; i++) {
-		if (cacerts[i].CertData) {
-			ast_free(cacerts[i].CertData);
-		}
-	}
-	if (localcert.CertData) {
-		ast_free(localcert.CertData);
-	}
-	if (privatekey.PrivateKeyData) {
-		ast_free(privatekey.PrivateKeyData);
 	}
 
 	return res;
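Review bot: With securityfeatures=yes and no cacert line, the removed block that defaulted cacerts[0] to `<keydir>/<provider>-cacert.pem` is gone, and the replacement `if (p->cacount == 0) { p->cacount = 1; }` only bumps the count; p is calloc'd, so the security path then calls OSPPUtilLoadPEMCert on an empty file name, logs "Unable to load cacert ''" and the provider is never created. Restore the default inside that branch for the security case, e.g. `if (osp_security) { snprintf(p->cacerts[0], sizeof(p->cacerts[0]), "%s/%s-cacert.pem", ast_config_AST_KEY_DIR, provider); }` before `p->cacount = 1;` (note the sample config documents the default as `-cacert_0.pem`, which already disagreed with the old code; pick one and make both agree). The non-security path does not depend on p->cacerts at all, so its `cacount = 1` remains correct. A short comment at the else branch, `/* securityfeatures=no: fall back to the built-in test key/certs; any peer can forge this identity */`, would make the trade-off visible to whoever reads the provider-creation path next.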
@@ -1821,6 +1852,12 @@
 		}
 		ast_debug(1, "OSP: osp_hardware '%d'\n", osp_hardware);
 
+		t = ast_variable_retrieve(cfg, OSP_GENERAL_CAT, "securityfeatures");
+		if (t && ast_true(t)) {
+			osp_security = 1;
+		}
+		ast_debug(1, "OSP: osp_security '%d'\n", osp_security);
+
 		t = ast_variable_retrieve(cfg, OSP_GENERAL_CAT, "tokenformat");
 		if (t) {
 			if ((sscanf(t, "%d", &v) == 1) &&
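Review bot: The new securityfeatures parse does not cross-check the tokenformat that is read right after it, even though the sample config states that with security features disabled Asterisk cannot validate signed tokens; the shipped default is securityfeatures=no with tokenformat=0 (signed only), which by that statement is a configuration that can validate nothing. Once tokenformat has been parsed (the `if (t) {` here continues past the hunk), a one-line `if (!osp_security && osp_tokenformat != TOKEN_ALGO_UNSIGNED) ast_log(LOG_WARNING, "OSP: securityfeatures is disabled; signed tokens cannot be validated\n");` would surface the mismatch at load time. I cannot see from this hunk how the OSP library treats signed tokens when the provider was built with the embedded test CA, so whether such tokens are rejected or accepted against the public test key is worth confirming before relying on the warning text.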
@@ -1874,6 +1911,7 @@
 		OSPPCleanup();
 
 		osp_tokenformat = TOKEN_ALGO_SIGNED;
+		osp_security = 0;
 		osp_hardware = 0;
 		osp_initialized = 0;
 	}
@@ -1916,8 +1954,11 @@
 			tokenalgo = "Signed";
 			break;
 		}
-		ast_cli(a->fd, "OSP: %s %s %s\n",
-			osp_initialized ? "Initialized" : "Uninitialized", osp_hardware ? "Accelerated" : "Normal", tokenalgo);
+		ast_cli(a->fd, "OSP: %s/%s/%s/%s\n",
+			osp_initialized ? "Initialized" : "Uninitialized", 
+			osp_hardware ? "Accelerated" : "Normal", 
+			osp_security ? "Enabled" : "Disabled", 
+			tokenalgo);
 	}
 
 	ast_mutex_lock(&osplock);
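Review bot: Three of the new continuation lines in the ast_cli call (the `"Uninitialized", `, `"Normal", ` and `"Disabled", ` lines) carry trailing whitespace after the comma, which the rest of this file does not. Stripping it keeps the hunk consistent with the file's style and avoids noise in later blame output.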
@@ -1928,10 +1969,12 @@
 				ast_cli(a->fd, "\n");
 			}
 			ast_cli(a->fd, " == OSP Provider '%s' == \n", p->name);
-			ast_cli(a->fd, "Local Private Key: %s\n", p->privatekey);
-			ast_cli(a->fd, "Local Certificate: %s\n", p->localcert);
-			for (i = 0; i < p->cacount; i++) {
-				ast_cli(a->fd, "CA Certificate %d:  %s\n", i + 1, p->cacerts[i]);
+			if (osp_security) {
+				ast_cli(a->fd, "Local Private Key: %s\n", p->privatekey);
+				ast_cli(a->fd, "Local Certificate: %s\n", p->localcert);
+				for (i = 0; i < p->cacount; i++) {
+					ast_cli(a->fd, "CA Certificate %d:  %s\n", i + 1, p->cacerts[i]);
+				}
 			}
 			for (i = 0; i < p->spcount; i++) {
 				ast_cli(a->fd, "Service Point %d:   %s\n", i + 1, p->srvpoints[i]);
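Review bot: When osp_security is off the new `if (osp_security)` guard simply omits the key and certificate lines from `osp show`, so the CLI gives no hint that the provider is running on the built-in test key rather than on operator-supplied material. An else branch such as `ast_cli(a->fd, "Security features disabled: built-in test key/certificates in use\n");` would let an operator see the state of each provider without reading the source. The general line above already prints "Enabled"/"Disabled", but that is easy to miss in a list of several providers.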

Modified: trunk/configs/osp.conf.sample
URL: http://svn.digium.com/svn-view/asterisk/trunk/configs/osp.conf.sample?view=diff&rev=191418&r1=191417&r2=191418
==============================================================================
--- trunk/configs/osp.conf.sample (original)
+++ trunk/configs/osp.conf.sample Fri May  1 04:50:11 2009
@@ -12,14 +12,23 @@
 [general]
 ;
 ; Enable cryptographic acceleration hardware.  
+; The default value is no.
 ;
 ;accelerate=no
+;
+; Enable security features.
+; If security features are disabled, Asterisk cannot validate signed tokens and
+; all certificate file name parameters are ignored.
+; The default value is no.
+;
+;securityfeatures=no
 ;
 ; Defines the status of tokens that Asterisk will validate. 
 ; 0 - signed tokens only 
 ; 1 - unsigned tokens only 
 ; 2 - both signed and unsigned
 ; The default value is 0, i.e. the Asterisk will only validate signed tokens.
+; If securityfeatures are disabled, Asterisk cannot validate signed tokens.
 ;
 ;tokenformat=0
 ;
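Review bot: The new `securityfeatures` commentary says only that signed tokens cannot be validated and certificate parameters are ignored; it does not tell the operator what is used instead, which from the code in this commit is a built-in TransNexus test key and certificate that is identical in every Asterisk installation. Since the documented default is "no", a reader should be told the consequence explicitly, e.g. `; When disabled, Asterisk uses a built-in, publicly known TEST key and certificates; the provider identity then offers no authentication. Set to yes for any production deployment.` appended under "Enable security features."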
@@ -43,6 +52,7 @@
 ; If this parameter is unspecified or not present, the default name will be the 
 ; osp.conf section name followed by "-privatekey.pem" (for example: 
 ; default-privatekey.pem)
+; If securityfeatures are disabled, this parameter is ignored.
 ;
 ;privatekey=pkey.pem
 ;
@@ -50,6 +60,7 @@
 ; If this parameter is unspecified or not present, the default name will be the 
 ; osp.conf section name followed by "- localcert.pem " (for example: 
 ; default-localcert.pem)  
+; If securityfeatures are disabled, this parameter is ignored.
 ;
 ;localcert=localcert.pem
 ;
@@ -57,6 +68,7 @@
 ; a single Certificate Authority key file name is added with the default name of 
 ; the osp.conf section name followed by "-cacert_0.pem " (for example: 
 ; default-cacert_0.pem)
+; If securityfeatures are disabled, this parameter is ignored.
 ;
 ;cacert=cacert_0.pem
 ;
@@ -81,6 +93,7 @@
 ; 2 - EXCLUSIVE - Accept calls with valid token. Block calls with invalid token 
 ;                 or no token.
 ; Default is 1,
+; If securityfeatures are disabled, Asterisk cannot validate signed tokens.
 ;
 ;authpolicy=1
 ;



