sysmocom
/
asterisk
11
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Made security features optional. 

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@191418 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This commit is contained in:
TransNexus OSP Development 2009-05-01 09:50:11 +00:00
parent d9d2779008
commit 8612c7ac8a
2 changed files with 164 additions and 108 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

259
apps/app_osplookup.c
View File

@ -39,6 +39,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
#include <osp/osp.h>
#include <osp/osputils.h>
#include <osp/ospb64.h>
#include "asterisk/paths.h"
#include "asterisk/lock.h"
@ -55,6 +56,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
/* OSP Buffer Sizes */
#define OSP_INTSTR_SIZE ((unsigned int)16) /* OSP signed/unsigned int string buffer size */
#define OSP_NORSTR_SIZE ((unsigned int)256) /* OSP normal string buffer size */
#define OSP_KEYSTR_SIZE ((unsigned int)1024) /* OSP certificate string buffer size */
#define OSP_TOKSTR_SIZE ((unsigned int)4096) /* OSP token string buffer size */
#define OSP_TECHSTR_SIZE ((unsigned int)32) /* OSP signed/unsigned int string buffer size */
#define OSP_UUID_SIZE ((unsigned int)16) /* UUID size */
@ -127,7 +129,7 @@ struct osp_provider {
char privatekey[OSP_NORSTR_SIZE]; /* OSP private key file name */
char localcert[OSP_NORSTR_SIZE]; /* OSP local cert file name */
unsigned int cacount; /* Number of cacerts */
char cacerts[OSP_MAX_CERTS][OSP_NORSTR_SIZE]; /* Cacert file names */
char cacerts[OSP_MAX_CERTS][OSP_NORSTR_SIZE]; /* Cacert file names */
unsigned int spcount; /* Number of service points */
char srvpoints[OSP_MAX_SRVS][OSP_NORSTR_SIZE]; /* Service point URLs */
int maxconnections; /* Max number of connections */
@ -167,9 +169,15 @@ struct osp_result {
AST_MUTEX_DEFINE_STATIC(osplock); /* Lock of OSP provider list */
static int osp_initialized = 0; /* Init flag */
static int osp_hardware = 0; /* Hardware accelleration flag */
static int osp_security = 0; /* Using security features flag */
static struct osp_provider* ospproviders = NULL; /* OSP provider list */
static unsigned int osp_tokenformat = TOKEN_ALGO_SIGNED; /* Token format supported */
/* OSP default certificates */
const char* B64PKey = "MIIBOgIBAAJBAK8t5l+PUbTC4lvwlNxV5lpl+2dwSZGW46dowTe6y133XyVEwNiiRma2YNk3xKs/TJ3Wl9Wpns2SYEAJsFfSTukCAwEAAQJAPz13vCm2GmZ8Zyp74usTxLCqSJZNyMRLHQWBM0g44Iuy4wE3vpi7Wq+xYuSOH2mu4OddnxswCP4QhaXVQavTAQIhAOBVCKXtppEw9UaOBL4vW0Ed/6EA/1D8hDW6St0h7EXJAiEAx+iRmZKhJD6VT84dtX5ZYNVk3j3dAcIOovpzUj9a0CECIEduTCapmZQ5xqAEsLXuVlxRtQgLTUD4ZxDElPn8x0MhAiBE2HlcND0+qDbvtwJQQOUzDgqg5xk3w8capboVdzAlQQIhAMC+lDL7+gDYkNAft5Mu+NObJmQs4Cr+DkDFsKqoxqrm";
const char* B64LCert = "MIIBeTCCASMCEHqkOHVRRWr+1COq3CR/xsowDQYJKoZIhvcNAQEEBQAwOzElMCMGA1UEAxMcb3NwdGVzdHNlcnZlci50cmFuc25leHVzLmNvbTESMBAGA1UEChMJT1NQU2VydmVyMB4XDTA1MDYyMzAwMjkxOFoXDTA2MDYyNDAwMjkxOFowRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCvLeZfj1G0wuJb8JTcVeZaZftncEmRluOnaME3ustd918lRMDYokZmtmDZN8SrP0yd1pfVqZ7NkmBACbBX0k7pAgMBAAEwDQYJKoZIhvcNAQEEBQADQQDnV8QNFVVJx/+7IselU0wsepqMurivXZzuxOmTEmTVDzCJx1xhA8jd3vGAj7XDIYiPub1PV23eY5a2ARJuw5w9";
const char* B64CACert = "MIIBYDCCAQoCAQEwDQYJKoZIhvcNAQEEBQAwOzElMCMGA1UEAxMcb3NwdGVzdHNlcnZlci50cmFuc25leHVzLmNvbTESMBAGA1UEChMJT1NQU2VydmVyMB4XDTAyMDIwNDE4MjU1MloXDTEyMDIwMzE4MjU1MlowOzElMCMGA1UEAxMcb3NwdGVzdHNlcnZlci50cmFuc25leHVzLmNvbTESMBAGA1UEChMJT1NQU2VydmVyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAPGeGwV41EIhX0jEDFLRXQhDEr50OUQPq+f55VwQd0TQNts06BP29+UiNdRW3c3IRHdZcJdC1Cg68ME9cgeq0h8CAwEAATANBgkqhkiG9w0BAQQFAANBAGkzBSj1EnnmUxbaiG1N4xjIuLAWydun7o3bFk2tV8dBIhnuh445obYyk1EnQ27kI7eACCILBZqi2MHDOIMnoN0=";
/* OSP Client Wrapper APIs */
/*!
@ -190,7 +198,10 @@ static int osp_create_provider(
OSPT_CERT cacerts[OSP_MAX_CERTS];
const OSPT_CERT* pcacerts[OSP_MAX_CERTS];
const char* psrvpoints[OSP_MAX_SRVS];
int t, i, j, error = OSPC_ERR_NO_ERROR;
unsigned char privatekeydata[OSP_KEYSTR_SIZE];
unsigned char localcertdata[OSP_KEYSTR_SIZE];
unsigned char cacertdata[OSP_KEYSTR_SIZE];
int i, t, error = OSPC_ERR_NO_ERROR;
if (!(p = ast_calloc(1, sizeof(*p)))) {
ast_log(LOG_ERROR, "Out of memory\n");
@ -213,30 +224,36 @@ static int osp_create_provider(
v = ast_variable_browse(cfg, provider);
while(v) {
if (!strcasecmp(v->name, "privatekey")) {
if (v->value[0] == '/') {
ast_copy_string(p->privatekey, v->value, sizeof(p->privatekey));
} else {
snprintf(p->privatekey, sizeof(p->privatekey), "%s/%s", ast_config_AST_KEY_DIR, v->value);
}
ast_debug(1, "OSP: privatekey '%s'\n", p->privatekey);
} else if (!strcasecmp(v->name, "localcert")) {
if (v->value[0] == '/') {
ast_copy_string(p->localcert, v->value, sizeof(p->localcert));
} else {
snprintf(p->localcert, sizeof(p->localcert), "%s/%s", ast_config_AST_KEY_DIR, v->value);
}
ast_debug(1, "OSP: localcert '%s'\n", p->localcert);
} else if (!strcasecmp(v->name, "cacert")) {
if (p->cacount < OSP_MAX_CERTS) {
if (osp_security) {
if (v->value[0] == '/') {
ast_copy_string(p->cacerts[p->cacount], v->value, sizeof(p->cacerts[0]));
ast_copy_string(p->privatekey, v->value, sizeof(p->privatekey));
} else {
snprintf(p->cacerts[p->cacount], sizeof(p->cacerts[0]), "%s/%s", ast_config_AST_KEY_DIR, v->value);
snprintf(p->privatekey, sizeof(p->privatekey), "%s/%s", ast_config_AST_KEY_DIR, v->value);
}
ast_debug(1, "OSP: privatekey '%s'\n", p->privatekey);
}
} else if (!strcasecmp(v->name, "localcert")) {
if (osp_security) {
if (v->value[0] == '/') {
ast_copy_string(p->localcert, v->value, sizeof(p->localcert));
} else {
snprintf(p->localcert, sizeof(p->localcert), "%s/%s", ast_config_AST_KEY_DIR, v->value);
}
ast_debug(1, "OSP: localcert '%s'\n", p->localcert);
}
} else if (!strcasecmp(v->name, "cacert")) {
if (osp_security) {
if (p->cacount < OSP_MAX_CERTS) {
if (v->value[0] == '/') {
ast_copy_string(p->cacerts[p->cacount], v->value, sizeof(p->cacerts[0]));
} else {
snprintf(p->cacerts[p->cacount], sizeof(p->cacerts[0]), "%s/%s", ast_config_AST_KEY_DIR, v->value);
}
ast_debug(1, "OSP: cacerts[%d]: '%s'\n", p->cacount, p->cacerts[p->cacount]);
p->cacount++;
} else {
ast_log(LOG_WARNING, "OSP: Too many CA Certificates at line %d\n", v->lineno);
}
ast_debug(1, "OSP: cacert[%d]: '%s'\n", p->cacount, p->cacerts[p->cacount]);
p->cacount++;
} else {
ast_log(LOG_WARNING, "OSP: Too many CA Certificates at line %d\n", v->lineno);
}
} else if (!strcasecmp(v->name, "servicepoint")) {
if (p->spcount < OSP_MAX_SRVS) {
@ -307,95 +324,109 @@ static int osp_create_provider(
v = v->next;
}
error = OSPPUtilLoadPEMPrivateKey((unsigned char*)p->privatekey, &privatekey);
if (error != OSPC_ERR_NO_ERROR) {
ast_log(LOG_WARNING, "OSP: Unable to load privatekey '%s', error '%d'\n", p->privatekey, error);
ast_free(p);
return 0;
}
error = OSPPUtilLoadPEMCert((unsigned char*)p->localcert, &localcert);
if (error != OSPC_ERR_NO_ERROR) {
ast_log(LOG_WARNING, "OSP: Unable to load localcert '%s', error '%d'\n", p->localcert, error);
if (privatekey.PrivateKeyData) {
ast_free(privatekey.PrivateKeyData);
}
ast_free(p);
return 0;
}
if (p->cacount < 1) {
snprintf(p->cacerts[p->cacount], sizeof(p->cacerts[0]), "%s/%s-cacert.pem", ast_config_AST_KEY_DIR, provider);
ast_debug(1, "OSP: cacert[%d]: '%s'\n", p->cacount, p->cacerts[p->cacount]);
p->cacount++;
}
for (i = 0; i < p->cacount; i++) {
error = OSPPUtilLoadPEMCert((unsigned char*)p->cacerts[i], &cacerts[i]);
if (error != OSPC_ERR_NO_ERROR) {
ast_log(LOG_WARNING, "OSP: Unable to load cacert '%s', error '%d'\n", p->cacerts[i], error);
for (j = 0; j < i; j++) {
if (cacerts[j].CertData) {
ast_free(cacerts[j].CertData);
}
}
if (localcert.CertData) {
ast_free(localcert.CertData);
}
if (privatekey.PrivateKeyData) {
ast_free(privatekey.PrivateKeyData);
}
ast_free(p);
return 0;
}
pcacerts[i] = &cacerts[i];
if (p->cacount == 0) {
p->cacount = 1;
}
for (i = 0; i < p->spcount; i++) {
psrvpoints[i] = p->srvpoints[i];
}
error = OSPPProviderNew(
p->spcount,
psrvpoints,
NULL,
OSP_AUDIT_URL,
&privatekey,
&localcert,
p->cacount,
pcacerts,
OSP_LOCAL_VALIDATION,
OSP_SSL_LIFETIME,
p->maxconnections,
OSP_HTTP_PERSISTENCE,
p->retrydelay,
p->retrylimit,
p->timeout,
OSP_CUSTOMER_ID,
OSP_DEVICE_ID,
&p->handle);
if (error != OSPC_ERR_NO_ERROR) {
ast_log(LOG_WARNING, "OSP: Unable to create provider '%s', error '%d'\n", provider, error);
ast_free(p);
res = -1;
} else {
ast_debug(1, "OSP: provider '%s'\n", provider);
ast_mutex_lock(&osplock);
p->next = ospproviders;
ospproviders = p;
ast_mutex_unlock(&osplock);
res = 1;
}
if (osp_security) {
privatekey.PrivateKeyData = NULL;
privatekey.PrivateKeyLength = 0;
for (i = 0; i < p->cacount; i++) {
if (cacerts[i].CertData) {
ast_free(cacerts[i].CertData);
localcert.CertData = NULL;
localcert.CertDataLength = 0;
for (i = 0; i < p->cacount; i++) {
cacerts[i].CertData = NULL;
cacerts[i].CertDataLength = 0;
}
if ((error = OSPPUtilLoadPEMPrivateKey((unsigned char*)p->privatekey, &privatekey)) != OSPC_ERR_NO_ERROR) {
ast_log(LOG_WARNING, "OSP: Unable to load privatekey '%s', error '%d'\n", p->privatekey, error);
} else if ((error = OSPPUtilLoadPEMCert((unsigned char*)p->localcert, &localcert)) != OSPC_ERR_NO_ERROR) {
ast_log(LOG_WARNING, "OSP: Unable to load localcert '%s', error '%d'\n", p->localcert, error);
} else {
for (i = 0; i < p->cacount; i++) {
if ((error = OSPPUtilLoadPEMCert((unsigned char*)p->cacerts[i], &cacerts[i])) != OSPC_ERR_NO_ERROR) {
ast_log(LOG_WARNING, "OSP: Unable to load cacert '%s', error '%d'\n", p->cacerts[i], error);
break;
} else {
pcacerts[i] = &cacerts[i];
}
}
}
} else {
privatekey.PrivateKeyData = privatekeydata;
privatekey.PrivateKeyLength = sizeof(privatekeydata);
localcert.CertData = localcertdata;
localcert.CertDataLength = sizeof(localcertdata);
cacerts[0].CertData = cacertdata;
cacerts[0].CertDataLength = sizeof(cacertdata);
pcacerts[0] = &cacerts[0];
if ((error = OSPPBase64Decode(B64PKey, strlen(B64PKey), privatekey.PrivateKeyData, &privatekey.PrivateKeyLength)) != OSPC_ERR_NO_ERROR) {
ast_log(LOG_WARNING, "OSP: Unable to decode private key, error '%d'\n", error);
} else if ((error = OSPPBase64Decode(B64LCert, strlen(B64LCert), localcert.CertData, &localcert.CertDataLength)) != OSPC_ERR_NO_ERROR) {
ast_log(LOG_WARNING, "OSP: Unable to decode local cert, error '%d'\n", error);
} else if ((error = OSPPBase64Decode(B64CACert, strlen(B64CACert), cacerts[0].CertData, &cacerts[0].CertDataLength)) != OSPC_ERR_NO_ERROR) {
ast_log(LOG_WARNING, "OSP: Unable to decode cacert, error '%d'\n", error);
}
}
if (localcert.CertData) {
ast_free(localcert.CertData);
if (error == OSPC_ERR_NO_ERROR) {
error = OSPPProviderNew(
p->spcount,
psrvpoints,
NULL,
OSP_AUDIT_URL,
&privatekey,
&localcert,
p->cacount,
pcacerts,
OSP_LOCAL_VALIDATION,
OSP_SSL_LIFETIME,
p->maxconnections,
OSP_HTTP_PERSISTENCE,
p->retrydelay,
p->retrylimit,
p->timeout,
OSP_CUSTOMER_ID,
OSP_DEVICE_ID,
&p->handle);
if (error != OSPC_ERR_NO_ERROR) {
ast_log(LOG_WARNING, "OSP: Unable to create provider '%s', error '%d'\n", provider, error);
res = -1;
} else {
ast_debug(1, "OSP: provider '%s'\n", provider);
ast_mutex_lock(&osplock);
p->next = ospproviders;
ospproviders = p;
ast_mutex_unlock(&osplock);
res = 1;
}
}
if (privatekey.PrivateKeyData) {
ast_free(privatekey.PrivateKeyData);
if (osp_security) {
for (i = 0; i < p->cacount; i++) {
if (cacerts[i].CertData) {
ast_free(cacerts[i].CertData);
}
}
if (localcert.CertData) {
ast_free(localcert.CertData);
}
if (privatekey.PrivateKeyData) {
ast_free(privatekey.PrivateKeyData);
}
}
if (res != 1) {
ast_free(p);
}
return res;
@ -1821,6 +1852,12 @@ static int osp_load(int reload)
}
ast_debug(1, "OSP: osp_hardware '%d'\n", osp_hardware);
t = ast_variable_retrieve(cfg, OSP_GENERAL_CAT, "securityfeatures");
if (t && ast_true(t)) {
osp_security = 1;
}
ast_debug(1, "OSP: osp_security '%d'\n", osp_security);
t = ast_variable_retrieve(cfg, OSP_GENERAL_CAT, "tokenformat");
if (t) {
if ((sscanf(t, "%d", &v) == 1) &&
@ -1874,6 +1911,7 @@ static int osp_unload(void)
OSPPCleanup();
osp_tokenformat = TOKEN_ALGO_SIGNED;
osp_security = 0;
osp_hardware = 0;
osp_initialized = 0;
}
@ -1916,8 +1954,11 @@ static char *handle_cli_osp_show(struct ast_cli_entry *e, int cmd, struct ast_cl
tokenalgo = "Signed";
break;
}
ast_cli(a->fd, "OSP: %s %s %s\n",
osp_initialized ? "Initialized" : "Uninitialized", osp_hardware ? "Accelerated" : "Normal", tokenalgo);
ast_cli(a->fd, "OSP: %s/%s/%s/%s\n",
osp_initialized ? "Initialized" : "Uninitialized",
osp_hardware ? "Accelerated" : "Normal",
osp_security ? "Enabled" : "Disabled",
tokenalgo);
}
ast_mutex_lock(&osplock);
@ -1928,10 +1969,12 @@ static char *handle_cli_osp_show(struct ast_cli_entry *e, int cmd, struct ast_cl
ast_cli(a->fd, "\n");
}
ast_cli(a->fd, " == OSP Provider '%s' == \n", p->name);
ast_cli(a->fd, "Local Private Key: %s\n", p->privatekey);
ast_cli(a->fd, "Local Certificate: %s\n", p->localcert);
for (i = 0; i < p->cacount; i++) {
ast_cli(a->fd, "CA Certificate %d: %s\n", i + 1, p->cacerts[i]);
if (osp_security) {
ast_cli(a->fd, "Local Private Key: %s\n", p->privatekey);
ast_cli(a->fd, "Local Certificate: %s\n", p->localcert);
for (i = 0; i < p->cacount; i++) {
ast_cli(a->fd, "CA Certificate %d: %s\n", i + 1, p->cacerts[i]);
}
}
for (i = 0; i < p->spcount; i++) {
ast_cli(a->fd, "Service Point %d: %s\n", i + 1, p->srvpoints[i]);

13
configs/osp.conf.sample
View File

@ -12,14 +12,23 @@
[general]
;
; Enable cryptographic acceleration hardware.
; The default value is no.
;
;accelerate=no
;
; Enable security features.
; If security features are disabled, Asterisk cannot validate signed tokens and
; all certificate file name parameters are ignored.
; The default value is no.
;
;securityfeatures=no
;
; Defines the status of tokens that Asterisk will validate.
; 0 - signed tokens only
; 1 - unsigned tokens only
; 2 - both signed and unsigned
; The default value is 0, i.e. the Asterisk will only validate signed tokens.
; If securityfeatures are disabled, Asterisk cannot validate signed tokens.
;
;tokenformat=0
;
@ -43,6 +52,7 @@
; If this parameter is unspecified or not present, the default name will be the
; osp.conf section name followed by "-privatekey.pem" (for example:
; default-privatekey.pem)
; If securityfeatures are disabled, this parameter is ignored.
;
;privatekey=pkey.pem
;
@ -50,6 +60,7 @@
; If this parameter is unspecified or not present, the default name will be the
; osp.conf section name followed by "- localcert.pem " (for example:
; default-localcert.pem)
; If securityfeatures are disabled, this parameter is ignored.
;
;localcert=localcert.pem
;
@ -57,6 +68,7 @@
; a single Certificate Authority key file name is added with the default name of
; the osp.conf section name followed by "-cacert_0.pem " (for example:
; default-cacert_0.pem)
; If securityfeatures are disabled, this parameter is ignored.
;
;cacert=cacert_0.pem
;
@ -81,6 +93,7 @@
; 2 - EXCLUSIVE - Accept calls with valid token. Block calls with invalid token
; or no token.
; Default is 1,
; If securityfeatures are disabled, Asterisk cannot validate signed tokens.
;
;authpolicy=1
;