  1. Jan 05, 2022
    • tcptls.c: refactor client connection to be more robust · 06f9227a
      Kevin Harwell authored
      The current TCP client connect code blocks and does not handle the EINTR
      error case.
      
      This patch makes the client socket non-blocking while connecting,
      ensures a connect does not immediately fail due to EINTR "errors",
      and adds a connect timeout option.
      
      The original client start call sets the new timeout option to
      "infinite", thus making sure old, original behavior is retained.
      
      ASTERISK-29746 #close
      
      Change-Id: I907571843a83e43c0742b95a64785f4411f02671
  2. Oct 08, 2020
  3. May 11, 2020
  4. Feb 19, 2020
  5. Jun 27, 2019
  6. Dec 11, 2018
  7. Jun 19, 2018
    • autoservice: Don't start channel autoservice if the thread is a user interface. · 0989b630
      Richard Mudgett authored
      Executing dialplan functions from either AMI or ARI by getting a variable
      could place the channel into autoservice.  However, these user interface
      threads do not handle the channel's media so we wind up with two threads
      attempting to handle the media.
      
      There can be one and only one thread handling a channel's media at a time.
      Otherwise, we don't know which thread is going to handle the media frames.
      
      ASTERISK-27625
      
      Change-Id: If2dc94ce15ddabf923ed1e2a65ea0ef56e013e49
  8. May 28, 2018
    • tcptls.h: Repair ./configure --with-ssl=PATH. · 24503fb6
      Alexander Traud authored
      asterisk/tcptls.h was included (explicitly, implicitly, or transitively). Those
      inclusions got replaced by forward declarations. As a side effect, the inclusions
      got completed.
      
      ASTERISK-27878
      
      Change-Id: I9d102728e30336d6522e5e4ae9e964013a0835f7
  9. May 25, 2018
  10. May 19, 2018
  11. Dec 08, 2017
    • utils: Add convenience function for setting fd flags · 2ffe52a1
      Sean Bright authored
      There are many places in the code base where we ignore the return value
      of fcntl() when getting/setting file descriptor flags. This patch
      introduces a convenience function that allows setting or clearing file
      descriptor flags and will also log an error on failure for later
      analysis.
      
      Change-Id: I8b81901e1b1bd537ca632567cdb408931c6eded7
  12. Nov 06, 2017
    • tcptls: Print notice when TLS is enabled but not configured. · 19332e69
      Alexander Traud authored
      Asterisk can be compiled without a SSL/TLS library, without the Development
      Headers of OpenSSL. However, if TLS (SIP) or Secure-WebSockets (WebRTC) was
      enabled in a configuration file, Asterisk did not notice the user. Asterisk
      failed silently, only the corresponding TCP ports were not open.
      
      ASTERISK-27394
      Reported-by: mossley74
      
      Change-Id: Ib8b7539a5b2af8154c22e5f7a40fc68f95d95b93
  13. Oct 13, 2017
  14. Oct 10, 2017
  15. Oct 08, 2017
    • tcptls: Do not re-bind to wildcard on client creation. · feeb0974
      Alexander Traud authored
      Since ASTERISK-26922, this issue affected only those chan_sip which were
      * enabled for dual-stack (bindaddr=::), and
      * enabled for TCP (tcpenable=yes) and/or TLS (tlsenable=yes), and
      * tried to register and/or invite an IPv4-only service,
      * via TCP and/or TLS.
      Now, ast_tcptls_client_create does not re-bind to [::] anymore.
      
      ASTERISK-27324 #close
      
      Change-Id: I4b242837bdeb1ec7130dc82505c6180a946fd9b5
  16. Sep 14, 2017
    • tcptls: Change error message to debug. · 01f2220b
      Joshua Colp authored
      The Websocket implementation will steal the underlying stream of
      TCP/TLS sessions. This results in an error message being output
      about a stream not being present when in reality this is actually
      fine.
      
      This change moves it to a debug message instead.
      
      Change-Id: I66cc639080b4b4599beadb4faa7d313f2721d094
  17. Jun 19, 2017
    • Core: Add support for systemd socket activation. · 70d2ccb9
      Corey Farrell authored
      This change adds support for socket activation of certain SOCK_STREAM
      listeners in Asterisk:
      * AMI / AMI over TLS
      * CLI
      * HTTP / HTTPS
      
      Example systemd units are provided.  This support extends to any socket
      which is initialized using ast_tcptls_server_start, so any unknown
      modules using this function will support socket activation.
      
      Asterisk continues to function as normal if socket activation is not
      enabled or if systemd development headers are not available during
      build.
      
      ASTERISK-27063 #close
      
      Change-Id: Id814ee6a892f4b80d018365c8ad8d89063474f4d
  18. Apr 11, 2017
    • tcptls.c: Cleanup TCP/TLS listener thread on abnormal exit. · d76bc056
      Richard Mudgett authored
      Temporarily running out of file descriptors should not terminate the
      listener thread.  Otherwise, when more file descriptors become
      available, nothing is listening.
      
      * Added EMFILE exception to abnormal thread exit.
      
      * Added an abnormal TCP/TLS listener exit error message.
      
      * Closed the TCP/TLS listener socket on abnormal exit so Asterisk does not
      appear dead if something tries to connect to the socket.
      
      ASTERISK-26903 #close
      
      Change-Id: I10f2f784065136277f271159f0925927194581b5
  19. Feb 17, 2017
  20. Feb 03, 2017
    • tcptls: use TLS_client_method with OpenSSL 1.1 · bc041ca1
      Tzafrir Cohen authored
      OpenSSL 1.1 introduced TLS_client_method() and deprecated the previous
      version-specific methods (such as TLSv1_client_method()). Other than
      being simpler to use and more correct (gain support for TLS newer than
      TLS1, in our case), the older ones produce a deprecation warning that
      fails the build in dev-mode.
      
      Change-Id: I257b1c8afd09dcb0d96cda3a41cb9f7a15d0ba07
  21. Dec 01, 2016
    • OpenSSL 1.1.0 support · 26c8552f
      Tzafrir Cohen authored
      OpenSSL 1.1.0 includes some major changes in the interface. See
      https://wiki.openssl.org/index.php/1.1_API_Changes .
      
      Status: Right now there are still a few deprecation notes with OpenSSL
      1.1.0. But it's a start.
      
      Changes:
      * CRYPTO_LOCK is no longer available. Replace it with its value for now.
        I don't completely understand what it is used for there.
      * Remove several functions from libasteriskssl that seem to no longer be
        needed.
      * Structures have become opaque and are accessed with accessors.
      * ERR_remove_thread_state() no longer needed.
      * SSLv2 code can no longer be used in 1.1.
      
      ASTERISK-26109 #close
      
      Change-Id: I5e29d477d486ca29b6aae0dc2f5dff960c1cb82b
  22. Nov 22, 2016
    • tcptls: Use new certificate upon sip reload · 635b0a0a
      Michael Kuron authored
      Previously, a TLS server socket would only be restarted upon sip reload if the
      bind address had changed. This commit adds checking for changes to TLS
      parameters like certificate, ciphers, etc. so they get picked up without
      requiring a reload of the entire chan_sip module. This does not affect open
      connections in any way, but new connections will use the new TLS parameters.
      The changes also apply to HTTP and Manager.
      
      ASTERISK-26604 #close
      
      Change-Id: I169e86cefc6dcd627c915134015a6a1ab1aadbe6
  23. Nov 15, 2016
    • Implement internal abstraction for iostreams · 070a51bf
      Timo Teräs authored
      fopencookie/funclose is a non-standard API and should not be used
      in portable software. Additionally, the way FILE's fd is used in
      non-blocking mode is undefined behaviour and cannot be relied on.
      
      This introduces internal abstraction for io streams, that allows
      implementing the desired virtualization of read/write operations
      with necessary timeout handling.
      
      ASTERISK-24515 #close
      ASTERISK-24517 #close
      
      Change-Id: Id916aef418b665ced6a7489aef74908b6e376e85
  24. Oct 27, 2016
    • Remove ASTERISK_REGISTER_FILE. · a6e5bae3
      Corey Farrell authored
      ASTERISK_REGISTER_FILE no longer has any purpose so this commit removes
      all traces of it.
      
      Previously exported symbols removed:
      * __ast_register_file
      * __ast_unregister_file
      * ast_complete_source_filename
      
      This also removes the mtx_prof static variable that was declared when
      MTX_PROFILE was enabled.  This variable was only used in lock.c so it
      is now initialized in that file only.
      
      ASTERISK-26480 #close
      
      Change-Id: I1074af07d71f9e159c48ef36631aa432c86f9966
  25. Jun 08, 2016
    • Fixes to include signal.h · 39b69ab5
      Timo Teräs authored
      POSIX defines signal.h. sys/signal.h should not be used as it is a
      c-library internal header which may or may not exist. Notably, with
      musl it generates a warning of being incorrect.
      
      Change-Id: Ia56b0aa1d84b5c590114867b1b384a624f39a6fc
  26. Feb 04, 2016
    • Check for OpenSSL defines before trying to use them. · 3b426a8b
      Mark Michelson authored
      The SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 defines did not exist prior
      to OpenSSL version 1.0.1. A recent commit attempts to, by default, set
      these options, which can cause problems on systems with older OpenSSL
      installations.
      
      This commit adds a configure script check for those defines and will not
      attempt to make use of those if they do not exist. We will print a
      warning urging the user to upgrade their OpenSSL installation if those
      defines are not present.
      
      Change-Id: I6a2eb9a43fd0738b404d8f6f2cf4b5c22d9d752d
  27. Feb 03, 2016
    • AST-2016-001 http: Provide greater control of TLS and set modern defaults. · 0de74fad
      Joshua Colp authored
      This change exposes the configuration of various aspects of the TLS
      support and sets the default to the modern standards.
      
      The TLS cipher is now set to the best values according to the
      Mozilla OpSec team, different TLS versions can now be disabled, and
      the cipher order can be forced to be that of the server instead of
      the client.
      
      ASTERISK-24972 #close
      
      Change-Id: I0a10f2883f7559af5e48dee0901251dbf30d45b8
  28. Jun 02, 2015
  29. May 15, 2015
    • tcptls: Enable multiple TLS certificate chains (RSA+ECC+DSA) for server socket. · 8f3f414d
      Alexander Traud authored
      When a client connects to a server via SSL/TLS, the server commonly utilizes an
      RSA key-pair. However, other such algorithms exist (i.e. DSA and ECDSA), and if
      the server socket is configured with a certificate for either one of those, it
      would lose its compatibility with RSA-only clients.
      
      Now, the server socket can be configured with up to one RSA, ECDSA and DSA key
      each. For example, if a client is not compatible with SHA-2 hashed certificates
      like Nokia mobile phones, the server socket still can use RSA/SHA-1 for legacy
      clients and ECDSA/SHA-2 for everyone else.
      
      ASTERISK-24815 #close
      Reported by: Alexander Traud
      patches:
        tls_rsa_ecc_dsa.patch uploaded by Alexander Traud (License 6520)
      
      Change-Id: Iada5e00d326db5ef86e0af7069b4dfa1b979da9a
  30. May 14, 2015
  31. May 05, 2015
    • tcptls: Avoiding ERR_remove_state in OpenSSL. · 247fef66
      Alexander Traud authored
      ERR_remove_state was deprecated with OpenSSL 1.0.0 and was replaced by
      ERR_remove_thread_state. ERR_load_SSL_strings and ERR_load_BIO_strings were
      called by SSL_load_error_strings already and got removed. These changes allow
      OpenSSL forks like BoringSSL to be used with Asterisk.
      
      ASTERISK-25043 #close
      Reported by: Alexander Traud
      patches:
        asterisk_with_BoringSSL.patch uploaded by Alexander Traud (License 6520)
      
      Change-Id: If1c0871ece21a7e0763fafbd2fa023ae49d4d629
  32. Apr 13, 2015
    • git migration: Refactor the ASTERISK_FILE_VERSION macro · 4a582616
      Matt Jordan authored
      Git does not support the ability to replace a token with a version
      string during check-in. While it does have support for replacing a
      token on clone, this is somewhat sub-optimal: the token is replaced
      with the object hash, which is not particularly easy for human
      consumption. What's more, in practice, the source file version was often
      not terribly useful. Generally, when triaging bugs, the overall version
      of Asterisk is far more useful than an individual SVN version of a file. As a
      result, this patch removes Asterisk's support for showing source file
      versions.
      
      Specifically, it does the following:
      
      * Rename ASTERISK_FILE_VERSION macro to ASTERISK_REGISTER_FILE, and
        remove passing the version in with the macro. Other facilities
        than 'core show file version' make use of the file names, such as
        setting a debug level only on a specific file. As such, the act of
        registering source files with the Asterisk core still has use. The
        macro rename now reflects the new macro purpose.
      
      * main/asterisk:
        - Refactor the file_version structure to reflect that it no longer
          tracks a version field.
        - Remove the "core show file version" CLI command. Without the file
          version, it is no longer useful.
        - Remove the ast_file_version_find function. The file version is no
          longer tracked.
        - Rename ast_register_file_version/ast_unregister_file_version to
          ast_register_file/ast_unregister_file, respectively.
      
      * main/manager: Remove value from the Version key of the ModuleCheck
        Action. The actual key itself has not been removed, as doing so would
        absolutely constitute a backwards incompatible change. However, since
        the file version is no longer tracked, there is no need to attempt to
        include it in the Version key.
      
      * UPGRADE: Add notes for:
        - Modification to the ModuleCheck AMI Action
        - Removal of the "core show file version" CLI command
      
      Change-Id: I6cf0ff280e1668bf4957dc21f32a5ff43444a40e
  33. Apr 08, 2015
  34. Feb 19, 2015
  35. Jan 27, 2015
  36. Oct 20, 2014
    • AST-2014-011: Fix POODLE security issues · dad0334c
      Matthew Jordan authored
      There are two aspects to the vulnerability:
      (1) res_jabber/res_xmpp use SSLv3 only. This patch updates the module to use
          TLSv1+. At this time, it does not refactor res_jabber/res_xmpp to use the
          TCP/TLS core, which should be done as an improvement at a later date.
      (2) The TCP/TLS core, when tlsclientmethod/sslclientmethod is left unspecified,
          will default to the OpenSSL SSLv23_method. This method allows for all
          encryption methods, including SSLv2/SSLv3. A MITM can exploit this by
          forcing a fallback to SSLv3, which leaves the server vulnerable to POODLE.
          This patch adds WARNINGS if a user uses SSLv2/SSLv3 in their configuration,
          and explicitly disables SSLv2/SSLv3 if using SSLv23_method.
      
      For TLS clients, Asterisk will default to TLSv1+ and WARN if SSLv2 or SSLv3 is
      explicitly chosen. For TLS servers, Asterisk will no longer support SSLv2 or
      SSLv3.
      
      Much thanks to abelbeck for reporting the vulnerability and providing a patch
      for the res_jabber/res_xmpp modules.
      
      Review: https://reviewboard.asterisk.org/r/4096/
      
      ASTERISK-24425 #close
      Reported by: abelbeck
      Tested by: abelbeck, opsmonitor, gtjoseph
      patches:
        asterisk-1.8-jabber-tls.patch uploaded by abelbeck (License 5903)
        asterisk-11-jabber-xmpp-tls.patch uploaded by abelbeck (License 5903)
        AST-2014-011-1.8.diff uploaded by mjordan (License 6283)
        AST-2014-011-11.diff uploaded by mjordan (License 6283)
      ........
      
      Merged revisions 425987 from http://svn.asterisk.org/svn/asterisk/branches/12
      ........
      
      Merged revisions 425991 from http://svn.asterisk.org/svn/asterisk/branches/13
      
      git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@426003 65c4cc65-6c06-0410-ace0-fbb531ad65f3
  37. Aug 11, 2014
  38. Jul 03, 2014