00001 /* 00002 * Asterisk -- An open source telephony toolkit. 00003 * 00004 * Copyright (C) 1999 - 2006, Digium, Inc. 00005 * 00006 * Mark Spencer <markster@digium.com> 00007 * 00008 * See http://www.asterisk.org for more information about 00009 * the Asterisk project. Please do not directly contact 00010 * any of the maintainers of this project for assistance; 00011 * the project provides a web site, mailing lists and IRC 00012 * channels for your use. 00013 * 00014 * This program is free software, distributed under the terms of 00015 * the GNU General Public License Version 2. See the LICENSE file 00016 * at the top of the source tree. 00017 */ 00018 00019 /*! 00020 * \file tcptls.h 00021 * 00022 * \brief Generic support for tcp/tls servers in Asterisk. 00023 * \note In order to have TLS/SSL support, we need the openssl libraries. 00024 * Still we can decide whether or not to use them by commenting 00025 * in or out the DO_SSL macro. 00026 * 00027 * TLS/SSL support is basically implemented by reading from a config file 00028 * (currently http.conf and sip.conf) the names of the certificate and cipher to use, 00029 * and then run ssl_setup() to create an appropriate SSL_CTX (ssl_ctx) 00030 * If we support multiple domains, presumably we need to read multiple 00031 * certificates. 00032 * 00033 * When we are requested to open a TLS socket, we run make_file_from_fd() 00034 * on the socket, to do the necessary setup. At the moment the context's name 00035 * is hardwired in the function, but we can certainly make it into an extra 00036 * parameter to the function. 00037 * 00038 * We declare most of ssl support variables unconditionally, 00039 * because their number is small and this simplifies the code. 00040 * 00041 * \note The ssl-support variables (ssl_ctx, do_ssl, certfile, cipher) 00042 * and their setup should be moved to a more central place, e.g. asterisk.conf 00043 * and the source files that processes it. Similarly, ssl_setup() should 00044 * be run earlier in the startup process so modules have it available. 00045 * 00046 */ 00047 00048 #ifndef _ASTERISK_TCPTLS_H 00049 #define _ASTERISK_TCPTLS_H 00050 00051 #include "asterisk/netsock2.h" 00052 #include "asterisk/utils.h" 00053 00054 #if defined(HAVE_OPENSSL) && (defined(HAVE_FUNOPEN) || defined(HAVE_FOPENCOOKIE)) 00055 #define DO_SSL /* comment in/out if you want to support ssl */ 00056 #endif 00057 00058 #ifdef DO_SSL 00059 #include <openssl/ssl.h> 00060 #include <openssl/err.h> 00061 #else 00062 /* declare dummy types so we can define a pointer to them */ 00063 typedef struct {} SSL; 00064 typedef struct {} SSL_CTX; 00065 #endif /* DO_SSL */ 00066 00067 /*! SSL support */ 00068 #define AST_CERTFILE "asterisk.pem" 00069 00070 enum ast_ssl_flags { 00071 /*! Verify certificate when acting as server */ 00072 AST_SSL_VERIFY_CLIENT = (1 << 0), 00073 /*! Don't verify certificate when connecting to a server */ 00074 AST_SSL_DONT_VERIFY_SERVER = (1 << 1), 00075 /*! Don't compare "Common Name" against IP or hostname */ 00076 AST_SSL_IGNORE_COMMON_NAME = (1 << 2), 00077 /*! Use SSLv2 for outgoing client connections */ 00078 AST_SSL_SSLV2_CLIENT = (1 << 3), 00079 /*! Use SSLv3 for outgoing client connections */ 00080 AST_SSL_SSLV3_CLIENT = (1 << 4), 00081 /*! Use TLSv1 for outgoing client connections */ 00082 AST_SSL_TLSV1_CLIENT = (1 << 5) 00083 }; 00084 00085 struct ast_tls_config { 00086 int enabled; 00087 char *certfile; 00088 char *pvtfile; 00089 char *cipher; 00090 char *cafile; 00091 char *capath; 00092 struct ast_flags flags; 00093 SSL_CTX *ssl_ctx; 00094 }; 00095 00096 /*! 00097 * The following code implements a generic mechanism for starting 00098 * services on a TCP or TLS socket. 00099 * The service is configured in the struct session_args, and 00100 * then started by calling server_start(desc) on the descriptor. 00101 * server_start() first verifies if an instance of the service is active, 00102 * and in case shuts it down. Then, if the service must be started, creates 00103 * a socket and a thread in charge of doing the accept(). 00104 * 00105 * The body of the thread is desc->accept_fn(desc), which the user can define 00106 * freely. We supply a sample implementation, server_root(), structured as an 00107 * infinite loop. At the beginning of each iteration it runs periodic_fn() 00108 * if defined (e.g. to perform some cleanup etc.) then issues a poll() 00109 * or equivalent with a timeout of 'poll_timeout' milliseconds, and if the 00110 * following accept() is successful it creates a thread in charge of 00111 * running the session, whose body is desc->worker_fn(). The argument of 00112 * worker_fn() is a struct ast_tcptls_session_instance, which contains the address 00113 * of the other party, a pointer to desc, the file descriptors (fd) on which 00114 * we can do a select/poll (but NOT I/O), and a FILE *on which we can do I/O. 00115 * We have both because we want to support plain and SSL sockets, and 00116 * going through a FILE * lets us provide the encryption/decryption 00117 * on the stream without using an auxiliary thread. 00118 */ 00119 00120 /*! \brief 00121 * arguments for the accepting thread 00122 */ 00123 struct ast_tcptls_session_args { 00124 struct ast_sockaddr local_address; 00125 struct ast_sockaddr old_address; /*!< copy of the local or remote address depending on if its a client or server session */ 00126 struct ast_sockaddr remote_address; 00127 char hostname[MAXHOSTNAMELEN]; /*!< only necessary for SSL clients so we can compare to common name */ 00128 struct ast_tls_config *tls_cfg; /*!< points to the SSL configuration if any */ 00129 int accept_fd; 00130 int poll_timeout; 00131 pthread_t master; 00132 void *(*accept_fn)(void *); /*!< the function in charge of doing the accept */ 00133 void (*periodic_fn)(void *);/*!< something we may want to run before after select on the accept socket */ 00134 void *(*worker_fn)(void *); /*!< the function in charge of doing the actual work */ 00135 const char *name; 00136 }; 00137 00138 /* 00139 * describes a server instance 00140 */ 00141 struct ast_tcptls_session_instance { 00142 FILE *f; /* fopen/funopen result */ 00143 int fd; /* the socket returned by accept() */ 00144 SSL *ssl; /* ssl state */ 00145 /* iint (*ssl_setup)(SSL *); */ 00146 int client; 00147 struct ast_sockaddr remote_address; 00148 struct ast_tcptls_session_args *parent; 00149 ast_mutex_t lock; 00150 }; 00151 00152 #if defined(HAVE_FUNOPEN) 00153 #define HOOK_T int 00154 #define LEN_T int 00155 #else 00156 #define HOOK_T ssize_t 00157 #define LEN_T size_t 00158 #endif 00159 00160 /*! 00161 * \brief attempts to connect and start tcptls session, on error the tcptls_session's 00162 * ref count is decremented, fd and file are closed, and NULL is returned. 00163 */ 00164 struct ast_tcptls_session_instance *ast_tcptls_client_start(struct ast_tcptls_session_instance *tcptls_session); 00165 00166 /* \brief Creates a client connection's ast_tcptls_session_instance. */ 00167 struct ast_tcptls_session_instance *ast_tcptls_client_create(struct ast_tcptls_session_args *desc); 00168 00169 void *ast_tcptls_server_root(void *); 00170 00171 /*! 00172 * \brief This is a generic (re)start routine for a TCP server, 00173 * which does the socket/bind/listen and starts a thread for handling 00174 * accept(). 00175 * \version 1.6.1 changed desc parameter to be of ast_tcptls_session_args type 00176 */ 00177 void ast_tcptls_server_start(struct ast_tcptls_session_args *desc); 00178 00179 /*! 00180 * \brief Shutdown a running server if there is one 00181 * \version 1.6.1 changed desc parameter to be of ast_tcptls_session_args type 00182 */ 00183 void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc); 00184 int ast_ssl_setup(struct ast_tls_config *cfg); 00185 00186 /*! 00187 * \brief Used to parse conf files containing tls/ssl options. 00188 */ 00189 int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value); 00190 00191 HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *ser, void *buf, size_t count); 00192 HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *ser, const void *buf, size_t count); 00193 00194 #endif /* _ASTERISK_TCPTLS_H */