kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-10-27 06:31:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

Clean up res_crypto module. It now uses an rwlist to keep the keys and it should also be thread safe now.

Browse Source 
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@76706 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This commit is contained in:
Joshua Colp
2007-07-23 21:42:43 +00:00
parent a1fdc1c769
commit 84f325abb2
1 changed files with 96 additions and 168 deletions
Download Patch File Download Diff File Expand all files Collapse all files

264
res/res_crypto.c
View File

@@ -70,17 +70,6 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
* *
*/ */
/*
* XXX This module is not very thread-safe. It is for everyday stuff
* like reading keys and stuff, but there are all kinds of weird
* races with people running reload and key init at the same time
* for example
*
* XXXX
*/
AST_MUTEX_DEFINE_STATIC(keylock);
#define KEY_NEEDS_PASSCODE (1 << 16) #define KEY_NEEDS_PASSCODE (1 << 16)
struct ast_key { struct ast_key {
@@ -100,19 +89,10 @@ struct ast_key {
int outfd; int outfd;
/*! Last MD5 Digest */ /*! Last MD5 Digest */
unsigned char digest[16]; unsigned char digest[16];
struct ast_key *next; AST_RWLIST_ENTRY(ast_key) list;
}; };
static struct ast_key *keys = NULL; static AST_RWLIST_HEAD_STATIC(keys, ast_key);
#if 0
static int fdprint(int fd, char *s)
{
return write(fd, s, strlen(s) + 1);
}
#endif
/*! /*!
* \brief setting of priv key * \brief setting of priv key
@@ -126,25 +106,25 @@ static int pw_cb(char *buf, int size, int rwflag, void *userdata)
{ {
struct ast_key *key = (struct ast_key *)userdata; struct ast_key *key = (struct ast_key *)userdata;
char prompt[256]; char prompt[256];
int res; int res, tmp;
int tmp;
if (key->infd > -1) { if (key->infd < 0) {
snprintf(prompt, sizeof(prompt), ">>>> passcode for %s key '%s': ",
key->ktype == AST_KEY_PRIVATE ? "PRIVATE" : "PUBLIC", key->name);
write(key->outfd, prompt, strlen(prompt));
memset(buf, 0, sizeof(buf));
tmp = ast_hide_password(key->infd);
memset(buf, 0, size);
res = read(key->infd, buf, size);
ast_restore_tty(key->infd, tmp);
if (buf[strlen(buf) -1] == '\n')
buf[strlen(buf) - 1] = '\0';
return strlen(buf);
} else {
/* Note that we were at least called */ /* Note that we were at least called */
key->infd = -2; key->infd = -2;
return -1;
} }
return -1;
snprintf(prompt, sizeof(prompt), ">>>> passcode for %s key '%s': ",
key->ktype == AST_KEY_PRIVATE ? "PRIVATE" : "PUBLIC", key->name);
write(key->outfd, prompt, strlen(prompt));
memset(buf, 0, sizeof(buf));
tmp = ast_hide_password(key->infd);
memset(buf, 0, size);
res = read(key->infd, buf, size);
ast_restore_tty(key->infd, tmp);
if (buf[strlen(buf) -1] == '\n')
buf[strlen(buf) - 1] = '\0';
return strlen(buf);
} }
/*! /*!
@@ -154,15 +134,15 @@ static int pw_cb(char *buf, int size, int rwflag, void *userdata)
static struct ast_key *__ast_key_get(const char *kname, int ktype) static struct ast_key *__ast_key_get(const char *kname, int ktype)
{ {
struct ast_key *key; struct ast_key *key;
ast_mutex_lock(&keylock);
key = keys; AST_RWLIST_RDLOCK(&keys);
while(key) { AST_RWLIST_TRAVERSE(&keys, key, list) {
if (!strcmp(kname, key->name) && if (!strcmp(kname, key->name) &&
(ktype == key->ktype)) (ktype == key->ktype))
break; break;
key = key->next;
} }
ast_mutex_unlock(&keylock); AST_RWLIST_UNLOCK(&keys);
return key; return key;
} }
@@ -176,57 +156,49 @@ static struct ast_key *__ast_key_get(const char *kname, int ktype)
* \retval key on success. * \retval key on success.
* \retval NULL on failure. * \retval NULL on failure.
*/ */
static struct ast_key *try_load_key (char *dir, char *fname, int ifd, int ofd, int *not2) static struct ast_key *try_load_key(char *dir, char *fname, int ifd, int ofd, int *not2)
{ {
int ktype = 0; int ktype = 0, found = 0;
char *c = NULL; char *c = NULL, ffname[256];
char ffname[256];
unsigned char digest[16]; unsigned char digest[16];
FILE *f; FILE *f;
struct MD5Context md5; struct MD5Context md5;
struct ast_key *key; struct ast_key *key;
static int notice = 0; static int notice = 0;
int found = 0;
/* Make sure its name is a public or private key */ /* Make sure its name is a public or private key */
if ((c = strstr(fname, ".pub")) && !strcmp(c, ".pub"))
if ((c = strstr(fname, ".pub")) && !strcmp(c, ".pub")) {
ktype = AST_KEY_PUBLIC; ktype = AST_KEY_PUBLIC;
} else if ((c = strstr(fname, ".key")) && !strcmp(c, ".key")) { else if ((c = strstr(fname, ".key")) && !strcmp(c, ".key"))
ktype = AST_KEY_PRIVATE; ktype = AST_KEY_PRIVATE;
} else else
return NULL; return NULL;
/* Get actual filename */ /* Get actual filename */
snprintf(ffname, sizeof(ffname), "%s/%s", dir, fname); snprintf(ffname, sizeof(ffname), "%s/%s", dir, fname);
ast_mutex_lock(&keylock);
key = keys;
while(key) {
/* Look for an existing version already */
if (!strcasecmp(key->fn, ffname))
break;
key = key->next;
}
ast_mutex_unlock(&keylock);
/* Open file */ /* Open file */
f = fopen(ffname, "r"); if (!(f = fopen(ffname, "r"))) {
if (!f) {
ast_log(LOG_WARNING, "Unable to open key file %s: %s\n", ffname, strerror(errno)); ast_log(LOG_WARNING, "Unable to open key file %s: %s\n", ffname, strerror(errno));
return NULL; return NULL;
} }
MD5Init(&md5); MD5Init(&md5);
while(!feof(f)) { while(!feof(f)) {
/* Calculate a "whatever" quality md5sum of the key */ /* Calculate a "whatever" quality md5sum of the key */
char buf[256]; char buf[256] = "";
memset(buf, 0, 256);
fgets(buf, sizeof(buf), f); fgets(buf, sizeof(buf), f);
if (!feof(f)) { if (!feof(f))
MD5Update(&md5, (unsigned char *) buf, strlen(buf)); MD5Update(&md5, (unsigned char *) buf, strlen(buf));
}
} }
MD5Final(digest, &md5); MD5Final(digest, &md5);
/* Look for an existing key */
AST_RWLIST_TRAVERSE(&keys, key, list) {
if (!strcasecmp(key->fn, ffname))
break;
}
if (key) { if (key) {
/* If the MD5 sum is the same, and it isn't awaiting a passcode /* If the MD5 sum is the same, and it isn't awaiting a passcode
then this is far enough */ then this is far enough */
@@ -251,11 +223,6 @@ static struct ast_key *try_load_key (char *dir, char *fname, int ifd, int ofd, i
return NULL; return NULL;
} }
} }
/* At this point we have a key structure (old or new). Time to
fill it with what we know */
/* Gotta lock if this one already exists */
if (found)
ast_mutex_lock(&keylock);
/* First the filename */ /* First the filename */
ast_copy_string(key->fn, ffname, sizeof(key->fn)); ast_copy_string(key->fn, ffname, sizeof(key->fn));
/* Then the name */ /* Then the name */
@@ -288,9 +255,9 @@ static struct ast_key *try_load_key (char *dir, char *fname, int ifd, int ofd, i
ast_log(LOG_NOTICE, "Key '%s' is not expected size.\n", key->name); ast_log(LOG_NOTICE, "Key '%s' is not expected size.\n", key->name);
} else if (key->infd != -2) { } else if (key->infd != -2) {
ast_log(LOG_WARNING, "Key load %s '%s' failed\n",key->ktype == AST_KEY_PUBLIC ? "PUBLIC" : "PRIVATE", key->name); ast_log(LOG_WARNING, "Key load %s '%s' failed\n",key->ktype == AST_KEY_PUBLIC ? "PUBLIC" : "PRIVATE", key->name);
if (ofd > -1) { if (ofd > -1)
ERR_print_errors_fp(stderr); ERR_print_errors_fp(stderr);
} else else
ERR_print_errors_fp(stderr); ERR_print_errors_fp(stderr);
} else { } else {
ast_log(LOG_NOTICE, "Key '%s' needs passcode.\n", key->name); ast_log(LOG_NOTICE, "Key '%s' needs passcode.\n", key->name);
@@ -305,43 +272,14 @@ static struct ast_key *try_load_key (char *dir, char *fname, int ifd, int ofd, i
/* Print final notice about "init keys" when done */ /* Print final notice about "init keys" when done */
*not2 = 1; *not2 = 1;
} }
if (found)
ast_mutex_unlock(&keylock); /* If this is a new key add it to the list */
if (!found) { if (!found)
ast_mutex_lock(&keylock); AST_RWLIST_INSERT_TAIL(&keys, key, list);
key->next = keys;
keys = key;
ast_mutex_unlock(&keylock);
}
return key; return key;
} }
#if 0
static void dump(unsigned char *src, int len)
{
int x;
for (x=0;x<len;x++)
printf("%02x", *(src++));
printf("\n");
}
static char *binary(int y, int len)
{
static char res[80];
int x;
memset(res, 0, sizeof(res));
for (x=0;x<len;x++) {
if (y & (1 << x))
res[(len - x - 1)] = '1';
else
res[(len - x - 1)] = '0';
}
return res;
}
#endif
/*! /*!
* \brief signs outgoing message with public key * \brief signs outgoing message with public key
* \see ast_sign_bin * \see ast_sign_bin
@@ -361,9 +299,7 @@ static int __ast_sign_bin(struct ast_key *key, const char *msg, int msglen, unsi
SHA1((unsigned char *)msg, msglen, digest); SHA1((unsigned char *)msg, msglen, digest);
/* Verify signature */ /* Verify signature */
res = RSA_sign(NID_sha1, digest, sizeof(digest), dsig, &siglen, key->rsa); if (!(res = RSA_sign(NID_sha1, digest, sizeof(digest), dsig, &siglen, key->rsa))) {
if (!res) {
ast_log(LOG_WARNING, "RSA Signature (key %s) failed\n", key->name); ast_log(LOG_WARNING, "RSA Signature (key %s) failed\n", key->name);
return -1; return -1;
} }
@@ -383,8 +319,8 @@ static int __ast_sign_bin(struct ast_key *key, const char *msg, int msglen, unsi
*/ */
static int __ast_decrypt_bin(unsigned char *dst, const unsigned char *src, int srclen, struct ast_key *key) static int __ast_decrypt_bin(unsigned char *dst, const unsigned char *src, int srclen, struct ast_key *key)
{ {
int res; int res, pos = 0;
int pos = 0;
if (key->ktype != AST_KEY_PRIVATE) { if (key->ktype != AST_KEY_PRIVATE) {
ast_log(LOG_WARNING, "Cannot decrypt with a public key\n"); ast_log(LOG_WARNING, "Cannot decrypt with a public key\n");
return -1; return -1;
@@ -394,16 +330,17 @@ static int __ast_decrypt_bin(unsigned char *dst, const unsigned char *src, int s
ast_log(LOG_NOTICE, "Tried to decrypt something not a multiple of 128 bytes\n"); ast_log(LOG_NOTICE, "Tried to decrypt something not a multiple of 128 bytes\n");
return -1; return -1;
} }
while(srclen) { while(srclen) {
/* Process chunks 128 bytes at a time */ /* Process chunks 128 bytes at a time */
res = RSA_private_decrypt(128, src, dst, key->rsa, RSA_PKCS1_OAEP_PADDING); if ((res = RSA_private_decrypt(128, src, dst, key->rsa, RSA_PKCS1_OAEP_PADDING)) < 0)
if (res < 0)
return -1; return -1;
pos += res; pos += res;
src += 128; src += 128;
srclen -= 128; srclen -= 128;
dst += res; dst += res;
} }
return pos; return pos;
} }
@@ -413,9 +350,8 @@ static int __ast_decrypt_bin(unsigned char *dst, const unsigned char *src, int s
*/ */
static int __ast_encrypt_bin(unsigned char *dst, const unsigned char *src, int srclen, struct ast_key *key) static int __ast_encrypt_bin(unsigned char *dst, const unsigned char *src, int srclen, struct ast_key *key)
{ {
int res; int res, bytes, pos = 0;
int bytes;
int pos = 0;
if (key->ktype != AST_KEY_PUBLIC) { if (key->ktype != AST_KEY_PUBLIC) {
ast_log(LOG_WARNING, "Cannot encrypt with a private key\n"); ast_log(LOG_WARNING, "Cannot encrypt with a private key\n");
return -1; return -1;
@@ -426,8 +362,7 @@ static int __ast_encrypt_bin(unsigned char *dst, const unsigned char *src, int s
if (bytes > 128 - 41) if (bytes > 128 - 41)
bytes = 128 - 41; bytes = 128 - 41;
/* Process chunks 128-41 bytes at a time */ /* Process chunks 128-41 bytes at a time */
res = RSA_public_encrypt(bytes, src, dst, key->rsa, RSA_PKCS1_OAEP_PADDING); if ((res = RSA_public_encrypt(bytes, src, dst, key->rsa, RSA_PKCS1_OAEP_PADDING)) != 128) {
if (res != 128) {
ast_log(LOG_NOTICE, "How odd, encrypted size is %d\n", res); ast_log(LOG_NOTICE, "How odd, encrypted size is %d\n", res);
return -1; return -1;
} }
@@ -446,14 +381,13 @@ static int __ast_encrypt_bin(unsigned char *dst, const unsigned char *src, int s
static int __ast_sign(struct ast_key *key, char *msg, char *sig) static int __ast_sign(struct ast_key *key, char *msg, char *sig)
{ {
unsigned char dsig[128]; unsigned char dsig[128];
int siglen = sizeof(dsig); int siglen = sizeof(dsig), res;
int res;
res = ast_sign_bin(key, msg, strlen(msg), dsig); if (!(res = ast_sign_bin(key, msg, strlen(msg), dsig)))
if (!res)
/* Success -- encode (256 bytes max as documented) */ /* Success -- encode (256 bytes max as documented) */
ast_base64encode(sig, dsig, siglen, 256); ast_base64encode(sig, dsig, siglen, 256);
return res; return res;
} }
/*! /*!
@@ -476,12 +410,11 @@ static int __ast_check_signature_bin(struct ast_key *key, const char *msg, int m
SHA1((unsigned char *)msg, msglen, digest); SHA1((unsigned char *)msg, msglen, digest);
/* Verify signature */ /* Verify signature */
res = RSA_verify(NID_sha1, digest, sizeof(digest), (unsigned char *)dsig, 128, key->rsa); if (!(res = RSA_verify(NID_sha1, digest, sizeof(digest), (unsigned char *)dsig, 128, key->rsa))) {
if (!res) {
ast_debug(1, "Key failed verification: %s\n", key->name); ast_debug(1, "Key failed verification: %s\n", key->name);
return -1; return -1;
} }
/* Pass */ /* Pass */
return 0; return 0;
} }
@@ -496,12 +429,13 @@ static int __ast_check_signature(struct ast_key *key, const char *msg, const cha
int res; int res;
/* Decode signature */ /* Decode signature */
res = ast_base64decode(dsig, sig, sizeof(dsig)); if ((res = ast_base64decode(dsig, sig, sizeof(dsig))) != sizeof(dsig)) {
if (res != sizeof(dsig)) {
ast_log(LOG_WARNING, "Signature improper length (expect %d, got %d)\n", (int)sizeof(dsig), (int)res); ast_log(LOG_WARNING, "Signature improper length (expect %d, got %d)\n", (int)sizeof(dsig), (int)res);
return -1; return -1;
} }
res = ast_check_signature_bin(key, msg, strlen(msg), dsig); res = ast_check_signature_bin(key, msg, strlen(msg), dsig);
return res; return res;
} }
@@ -513,56 +447,49 @@ static int __ast_check_signature(struct ast_key *key, const char *msg, const cha
*/ */
static void crypto_load(int ifd, int ofd) static void crypto_load(int ifd, int ofd)
{ {
struct ast_key *key, *nkey, *last; struct ast_key *key;
DIR *dir = NULL; DIR *dir = NULL;
struct dirent *ent; struct dirent *ent;
int note = 0; int note = 0;
AST_RWLIST_WRLOCK(&keys);
/* Mark all keys for deletion */ /* Mark all keys for deletion */
ast_mutex_lock(&keylock); AST_RWLIST_TRAVERSE(&keys, key, list) {
key = keys;
while(key) {
key->delme = 1; key->delme = 1;
key = key->next;
} }
ast_mutex_unlock(&keylock);
/* Load new keys */ /* Load new keys */
dir = opendir((char *)ast_config_AST_KEY_DIR); if ((dir = opendir((char *)ast_config_AST_KEY_DIR))) {
if (dir) {
while((ent = readdir(dir))) { while((ent = readdir(dir))) {
try_load_key((char *)ast_config_AST_KEY_DIR, ent->d_name, ifd, ofd, &note); try_load_key((char *)ast_config_AST_KEY_DIR, ent->d_name, ifd, ofd, &note);
} }
closedir(dir); closedir(dir);
} else } else
ast_log(LOG_WARNING, "Unable to open key directory '%s'\n", (char *)ast_config_AST_KEY_DIR); ast_log(LOG_WARNING, "Unable to open key directory '%s'\n", (char *)ast_config_AST_KEY_DIR);
if (note) {
if (note)
ast_log(LOG_NOTICE, "Please run the command 'init keys' to enter the passcodes for the keys\n"); ast_log(LOG_NOTICE, "Please run the command 'init keys' to enter the passcodes for the keys\n");
}
ast_mutex_lock(&keylock); /* Delete any keys that are no longer present */
key = keys; AST_RWLIST_TRAVERSE_SAFE_BEGIN(&keys, key, list) {
last = NULL;
while(key) {
nkey = key->next;
if (key->delme) { if (key->delme) {
ast_debug(1, "Deleting key %s type %d\n", key->name, key->ktype); ast_debug(1, "Deleting key %s type %d\n", key->name, key->ktype);
/* Do the delete */ AST_RWLIST_REMOVE_CURRENT(&keys, list);
if (last)
last->next = nkey;
else
keys = nkey;
if (key->rsa) if (key->rsa)
RSA_free(key->rsa); RSA_free(key->rsa);
free(key); ast_free(key);
} else }
last = key;
key = nkey;
} }
ast_mutex_unlock(&keylock); AST_RWLIST_TRAVERSE_SAFE_END
AST_RWLIST_UNLOCK(&keys);
} }
static void md52sum(char *sum, unsigned char *md5) static void md52sum(char *sum, unsigned char *md5)
{ {
int x; int x;
for (x=0;x<16;x++) for (x = 0; x < 16; x++)
sum += sprintf(sum, "%02x", *(md5++)); sum += sprintf(sum, "%02x", *(md5++));
} }
@@ -579,20 +506,20 @@ static int show_keys(int fd, int argc, char *argv[])
char sum[16 * 2 + 1]; char sum[16 * 2 + 1];
int count_keys = 0; int count_keys = 0;
ast_mutex_lock(&keylock);
key = keys;
ast_cli(fd, "%-18s %-8s %-16s %-33s\n", "Key Name", "Type", "Status", "Sum"); ast_cli(fd, "%-18s %-8s %-16s %-33s\n", "Key Name", "Type", "Status", "Sum");
while(key) {
AST_RWLIST_RDLOCK(&keys);
AST_RWLIST_TRAVERSE(&keys, key, list) {
md52sum(sum, key->digest); md52sum(sum, key->digest);
ast_cli(fd, "%-18s %-8s %-16s %-33s\n", key->name, ast_cli(fd, "%-18s %-8s %-16s %-33s\n", key->name,
(key->ktype & 0xf) == AST_KEY_PUBLIC ? "PUBLIC" : "PRIVATE", (key->ktype & 0xf) == AST_KEY_PUBLIC ? "PUBLIC" : "PRIVATE",
key->ktype & KEY_NEEDS_PASSCODE ? "[Needs Passcode]" : "[Loaded]", sum); key->ktype & KEY_NEEDS_PASSCODE ? "[Needs Passcode]" : "[Loaded]", sum);
key = key->next;
count_keys++; count_keys++;
} }
ast_mutex_unlock(&keylock); AST_RWLIST_UNLOCK(&keys);
ast_cli(fd, "%d known RSA keys.\n", count_keys); ast_cli(fd, "%d known RSA keys.\n", count_keys);
return RESULT_SUCCESS; return RESULT_SUCCESS;
} }
@@ -607,19 +534,20 @@ static int init_keys(int fd, int argc, char *argv[])
{ {
struct ast_key *key; struct ast_key *key;
int ign; int ign;
char *kn; char *kn, tmp[256] = "";
char tmp[256] = "";
key = keys; AST_RWLIST_WRLOCK(&keys);
while(key) { AST_RWLIST_TRAVERSE_SAFE_BEGIN(&keys, key, list) {
/* Reload keys that need pass codes now */ /* Reload keys that need pass codes now */
if (key->ktype & KEY_NEEDS_PASSCODE) { if (key->ktype & KEY_NEEDS_PASSCODE) {
kn = key->fn + strlen(ast_config_AST_KEY_DIR) + 1; kn = key->fn + strlen(ast_config_AST_KEY_DIR) + 1;
ast_copy_string(tmp, kn, sizeof(tmp)); ast_copy_string(tmp, kn, sizeof(tmp));
try_load_key((char *)ast_config_AST_KEY_DIR, tmp, fd, fd, &ign); try_load_key((char *)ast_config_AST_KEY_DIR, tmp, fd, fd, &ign);
} }
key = key->next;
} }
AST_RWLIST_TRAVERSE_SAFE_END
AST_RWLIST_UNLOCK(&keys);
return RESULT_SUCCESS; return RESULT_SUCCESS;
} }