00001 /* 00002 * Asterisk -- An open source telephony toolkit. 00003 * 00004 * Copyright (C) 1999 - 2006, Digium, Inc. 00005 * 00006 * Mark Spencer <markster@digium.com> 00007 * 00008 * See http://www.asterisk.org for more information about 00009 * the Asterisk project. Please do not directly contact 00010 * any of the maintainers of this project for assistance; 00011 * the project provides a web site, mailing lists and IRC 00012 * channels for your use. 00013 * 00014 * This program is free software, distributed under the terms of 00015 * the GNU General Public License Version 2. See the LICENSE file 00016 * at the top of the source tree. 00017 */ 00018 00019 /*! 00020 * \file tcptls.h 00021 * 00022 * \brief Generic support for tcp/tls servers in Asterisk. 00023 * \note In order to have TLS/SSL support, we need the openssl libraries. 00024 * Still we can decide whether or not to use them by commenting 00025 * in or out the DO_SSL macro. 00026 * 00027 * TLS/SSL support is basically implemented by reading from a config file 00028 * (currently http.conf and sip.conf) the names of the certificate and cipher to use, 00029 * and then run ssl_setup() to create an appropriate SSL_CTX (ssl_ctx) 00030 * If we support multiple domains, presumably we need to read multiple 00031 * certificates. 00032 * 00033 * When we are requested to open a TLS socket, we run make_file_from_fd() 00034 * on the socket, to do the necessary setup. At the moment the context's name 00035 * is hardwired in the function, but we can certainly make it into an extra 00036 * parameter to the function. 00037 * 00038 * We declare most of ssl support variables unconditionally, 00039 * because their number is small and this simplifies the code. 00040 * 00041 * \note The ssl-support variables (ssl_ctx, do_ssl, certfile, cipher) 00042 * and their setup should be moved to a more central place, e.g. asterisk.conf 00043 * and the source files that processes it. Similarly, ssl_setup() should 00044 * be run earlier in the startup process so modules have it available. 00045 * 00046 */ 00047 00048 #ifndef _ASTERISK_TCPTLS_H 00049 #define _ASTERISK_TCPTLS_H 00050 00051 #include "asterisk/utils.h" 00052 00053 #if defined(HAVE_OPENSSL) && (defined(HAVE_FUNOPEN) || defined(HAVE_FOPENCOOKIE)) 00054 #define DO_SSL /* comment in/out if you want to support ssl */ 00055 #endif 00056 00057 #ifdef DO_SSL 00058 #include <openssl/ssl.h> 00059 #include <openssl/err.h> 00060 #else 00061 /* declare dummy types so we can define a pointer to them */ 00062 typedef struct {} SSL; 00063 typedef struct {} SSL_CTX; 00064 #endif /* DO_SSL */ 00065 00066 /*! SSL support */ 00067 #define AST_CERTFILE "asterisk.pem" 00068 00069 enum ast_ssl_flags { 00070 /*! Verify certificate when acting as server */ 00071 AST_SSL_VERIFY_CLIENT = (1 << 0), 00072 /*! Don't verify certificate when connecting to a server */ 00073 AST_SSL_DONT_VERIFY_SERVER = (1 << 1), 00074 /*! Don't compare "Common Name" against IP or hostname */ 00075 AST_SSL_IGNORE_COMMON_NAME = (1 << 2) 00076 }; 00077 00078 struct ast_tls_config { 00079 int enabled; 00080 char *certfile; 00081 char *cipher; 00082 char *cafile; 00083 char *capath; 00084 struct ast_flags flags; 00085 SSL_CTX *ssl_ctx; 00086 }; 00087 00088 /*! 00089 * The following code implements a generic mechanism for starting 00090 * services on a TCP or TLS socket. 00091 * The service is configured in the struct session_args, and 00092 * then started by calling server_start(desc) on the descriptor. 00093 * server_start() first verifies if an instance of the service is active, 00094 * and in case shuts it down. Then, if the service must be started, creates 00095 * a socket and a thread in charge of doing the accept(). 00096 * 00097 * The body of the thread is desc->accept_fn(desc), which the user can define 00098 * freely. We supply a sample implementation, server_root(), structured as an 00099 * infinite loop. At the beginning of each iteration it runs periodic_fn() 00100 * if defined (e.g. to perform some cleanup etc.) then issues a poll() 00101 * or equivalent with a timeout of 'poll_timeout' milliseconds, and if the 00102 * following accept() is successful it creates a thread in charge of 00103 * running the session, whose body is desc->worker_fn(). The argument of 00104 * worker_fn() is a struct ast_tcptls_session_instance, which contains the address 00105 * of the other party, a pointer to desc, the file descriptors (fd) on which 00106 * we can do a select/poll (but NOT I/O), and a FILE *on which we can do I/O. 00107 * We have both because we want to support plain and SSL sockets, and 00108 * going through a FILE * lets us provide the encryption/decryption 00109 * on the stream without using an auxiliary thread. 00110 */ 00111 00112 /*! \brief 00113 * arguments for the accepting thread 00114 */ 00115 struct ast_tcptls_session_args { 00116 struct sockaddr_in local_address; 00117 struct sockaddr_in old_address; /*!< copy of the local or remote address depending on if its a client or server session */ 00118 struct sockaddr_in remote_address; 00119 char hostname[MAXHOSTNAMELEN]; /*!< only necessary for SSL clients so we can compare to common name */ 00120 struct ast_tls_config *tls_cfg; /*!< points to the SSL configuration if any */ 00121 int accept_fd; 00122 int poll_timeout; 00123 pthread_t master; 00124 void *(*accept_fn)(void *); /*!< the function in charge of doing the accept */ 00125 void (*periodic_fn)(void *);/*!< something we may want to run before after select on the accept socket */ 00126 void *(*worker_fn)(void *); /*!< the function in charge of doing the actual work */ 00127 const char *name; 00128 }; 00129 00130 /* 00131 * describes a server instance 00132 */ 00133 struct ast_tcptls_session_instance { 00134 FILE *f; /* fopen/funopen result */ 00135 int fd; /* the socket returned by accept() */ 00136 SSL *ssl; /* ssl state */ 00137 /* iint (*ssl_setup)(SSL *); */ 00138 int client; 00139 struct sockaddr_in remote_address; 00140 struct ast_tcptls_session_args *parent; 00141 ast_mutex_t lock; 00142 }; 00143 00144 #if defined(HAVE_FUNOPEN) 00145 #define HOOK_T int 00146 #define LEN_T int 00147 #else 00148 #define HOOK_T ssize_t 00149 #define LEN_T size_t 00150 #endif 00151 00152 /*! 00153 * \brief attempts to connect and start tcptls session, on error the tcptls_session's 00154 * ref count is decremented, fd and file are closed, and NULL is returned. 00155 */ 00156 struct ast_tcptls_session_instance *ast_tcptls_client_start(struct ast_tcptls_session_instance *tcptls_session); 00157 00158 /* \brief Creates a client connection's ast_tcptls_session_instance. */ 00159 struct ast_tcptls_session_instance *ast_tcptls_client_create(struct ast_tcptls_session_args *desc); 00160 00161 void *ast_tcptls_server_root(void *); 00162 00163 /*! 00164 * \brief This is a generic (re)start routine for a TCP server, 00165 * which does the socket/bind/listen and starts a thread for handling 00166 * accept(). 00167 * \version 1.6.1 changed desc parameter to be of ast_tcptls_session_args type 00168 */ 00169 void ast_tcptls_server_start(struct ast_tcptls_session_args *desc); 00170 00171 /*! 00172 * \brief Shutdown a running server if there is one 00173 * \version 1.6.1 changed desc parameter to be of ast_tcptls_session_args type 00174 */ 00175 void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc); 00176 int ast_ssl_setup(struct ast_tls_config *cfg); 00177 00178 HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *ser, void *buf, size_t count); 00179 HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *ser, void *buf, size_t count); 00180 00181 #endif /* _ASTERISK_TCPTLS_H */