/usr/include/asterisk/tcptls.h is in asterisk-dev 1:11.7.0~dfsg-1ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 | /*
* Asterisk -- An open source telephony toolkit.
*
* Copyright (C) 1999 - 2006, Digium, Inc.
*
* Mark Spencer <markster@digium.com>
*
* See http://www.asterisk.org for more information about
* the Asterisk project. Please do not directly contact
* any of the maintainers of this project for assistance;
* the project provides a web site, mailing lists and IRC
* channels for your use.
*
* This program is free software, distributed under the terms of
* the GNU General Public License Version 2. See the LICENSE file
* at the top of the source tree.
*/
/*!
* \file tcptls.h
*
* \brief Generic support for tcp/tls servers in Asterisk.
* \note In order to have TLS/SSL support, we need the openssl libraries.
* Still we can decide whether or not to use them by commenting
* in or out the DO_SSL macro.
*
* TLS/SSL support is basically implemented by reading from a config file
* (currently manager.conf, http.conf and sip.conf) the names of the certificate
* files and cipher to use, and then run ssl_setup() to create an appropriate
* data structure named ssl_ctx.
*
* If we support multiple domains, presumably we need to read multiple
* certificates.
*
* When we are requested to open a TLS socket, we run make_file_from_fd()
* on the socket, to do the necessary setup. At the moment the context's name
* is hardwired in the function, but we can certainly make it into an extra
* parameter to the function.
*
* We declare most of ssl support variables unconditionally,
* because their number is small and this simplifies the code.
*
* \note The ssl-support variables (ssl_ctx, do_ssl, certfile, cipher)
* and their setup should be moved to a more central place, e.g. asterisk.conf
* and the source files that processes it. Similarly, ssl_setup() should
* be run earlier in the startup process so modules have it available.
*
* \ref AstTlsOverview
*
* \todo For SIP, the SubjectAltNames should be checked on verification
* of the certificate. (Check RFC 5922)
*
*/
#ifndef _ASTERISK_TCPTLS_H
#define _ASTERISK_TCPTLS_H
#include "asterisk/netsock2.h"
#include "asterisk/utils.h"
#if defined(HAVE_OPENSSL) && (defined(HAVE_FUNOPEN) || defined(HAVE_FOPENCOOKIE))
#define DO_SSL /* comment in/out if you want to support ssl */
#endif
#ifdef DO_SSL
#include <openssl/ssl.h>
#include <openssl/err.h>
#else
/* declare dummy types so we can define a pointer to them */
typedef struct {} SSL;
typedef struct {} SSL_CTX;
#endif /* DO_SSL */
/*! SSL support */
#define AST_CERTFILE "asterisk.pem"
enum ast_ssl_flags {
/*! Verify certificate when acting as server */
AST_SSL_VERIFY_CLIENT = (1 << 0),
/*! Don't verify certificate when connecting to a server */
AST_SSL_DONT_VERIFY_SERVER = (1 << 1),
/*! Don't compare "Common Name" against IP or hostname */
AST_SSL_IGNORE_COMMON_NAME = (1 << 2),
/*! Use SSLv2 for outgoing client connections */
AST_SSL_SSLV2_CLIENT = (1 << 3),
/*! Use SSLv3 for outgoing client connections */
AST_SSL_SSLV3_CLIENT = (1 << 4),
/*! Use TLSv1 for outgoing client connections */
AST_SSL_TLSV1_CLIENT = (1 << 5)
};
struct ast_tls_config {
int enabled;
char *certfile;
char *pvtfile;
char *cipher;
char *cafile;
char *capath;
struct ast_flags flags;
SSL_CTX *ssl_ctx;
};
/*! \page AstTlsOverview TLS Implementation Overview
*
* The following code implements a generic mechanism for starting
* services on a TCP or TLS socket.
* The service is configured in the struct session_args, and
* then started by calling server_start(desc) on the descriptor.
* server_start() first verifies if an instance of the service is active,
* and in case shuts it down. Then, if the service must be started, creates
* a socket and a thread in charge of doing the accept().
*
* The body of the thread is desc->accept_fn(desc), which the user can define
* freely. We supply a sample implementation, server_root(), structured as an
* infinite loop. At the beginning of each iteration it runs periodic_fn()
* if defined (e.g. to perform some cleanup etc.) then issues a poll()
* or equivalent with a timeout of 'poll_timeout' milliseconds, and if the
* following accept() is successful it creates a thread in charge of
* running the session, whose body is desc->worker_fn(). The argument of
* worker_fn() is a struct ast_tcptls_session_instance, which contains the address
* of the other party, a pointer to desc, the file descriptors (fd) on which
* we can do a select/poll (but NOT I/O), and a FILE *on which we can do I/O.
* We have both because we want to support plain and SSL sockets, and
* going through a FILE * lets us provide the encryption/decryption
* on the stream without using an auxiliary thread.
*/
/*! \brief
* arguments for the accepting thread
*/
struct ast_tcptls_session_args {
struct ast_sockaddr local_address;
struct ast_sockaddr old_address; /*!< copy of the local or remote address depending on if its a client or server session */
struct ast_sockaddr remote_address;
char hostname[MAXHOSTNAMELEN]; /*!< only necessary for SSL clients so we can compare to common name */
struct ast_tls_config *tls_cfg; /*!< points to the SSL configuration if any */
int accept_fd;
int poll_timeout;
/*! Server accept_fn thread ID used for external shutdown requests. */
pthread_t master;
void *(*accept_fn)(void *); /*!< the function in charge of doing the accept */
void (*periodic_fn)(void *);/*!< something we may want to run before after select on the accept socket */
void *(*worker_fn)(void *); /*!< the function in charge of doing the actual work */
const char *name;
};
/*! \brief
* describes a server instance
*/
struct ast_tcptls_session_instance {
FILE *f; /*!< fopen/funopen result */
int fd; /*!< the socket returned by accept() */
SSL *ssl; /*!< ssl state */
/* iint (*ssl_setup)(SSL *); */
int client;
struct ast_sockaddr remote_address;
struct ast_tcptls_session_args *parent;
/* Sometimes, when an entity reads TCP data, multiple
* logical messages might be read at the same time. In such
* a circumstance, there needs to be a place to stash the
* extra data.
*/
struct ast_str *overflow_buf;
};
#if defined(HAVE_FUNOPEN)
#define HOOK_T int
#define LEN_T int
#else
#define HOOK_T ssize_t
#define LEN_T size_t
#endif
/*!
* \brief attempts to connect and start tcptls session, on error the tcptls_session's
* ref count is decremented, fd and file are closed, and NULL is returned.
*/
struct ast_tcptls_session_instance *ast_tcptls_client_start(struct ast_tcptls_session_instance *tcptls_session);
/* \brief Creates a client connection's ast_tcptls_session_instance. */
struct ast_tcptls_session_instance *ast_tcptls_client_create(struct ast_tcptls_session_args *desc);
void *ast_tcptls_server_root(void *);
/*!
* \brief Closes a tcptls session instance's file and/or file descriptor.
* The tcptls_session will be set to NULL and it's file descriptor will be set to -1
* by this function.
*/
void ast_tcptls_close_session_file(struct ast_tcptls_session_instance *tcptls_session);
/*!
* \brief This is a generic (re)start routine for a TCP server,
* which does the socket/bind/listen and starts a thread for handling
* accept().
* \version 1.6.1 changed desc parameter to be of ast_tcptls_session_args type
*/
void ast_tcptls_server_start(struct ast_tcptls_session_args *desc);
/*!
* \brief Shutdown a running server if there is one
* \version 1.6.1 changed desc parameter to be of ast_tcptls_session_args type
*/
void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc);
/*!
* \brief Set up an SSL server
*
* \param cfg Configuration for the SSL server
* \retval 1 Success
* \retval 0 Failure
*/
int ast_ssl_setup(struct ast_tls_config *cfg);
/*!
* \brief free resources used by an SSL server
*
* \note This only needs to be called if ast_ssl_setup() was
* directly called first.
* \param cfg Configuration for the SSL server
*/
void ast_ssl_teardown(struct ast_tls_config *cfg);
/*!
* \brief Used to parse conf files containing tls/ssl options.
*/
int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value);
HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *ser, void *buf, size_t count);
HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *ser, const void *buf, size_t count);
#endif /* _ASTERISK_TCPTLS_H */
|