Merge "tcptls: Use new certificate upon sip reload"
authorJoshua Colp <jcolp@digium.com>
Fri, 2 Dec 2016 13:15:07 +0000 (07:15 -0600)
committerGerrit Code Review <gerrit2@gerrit.digium.api>
Fri, 2 Dec 2016 13:15:08 +0000 (07:15 -0600)
1  2 
main/tcptls.c

diff --combined main/tcptls.c
@@@ -36,6 -36,7 +36,7 @@@
  #endif
  
  #include <signal.h>
+ #include <sys/stat.h>
  
  #include "asterisk/compat.h"
  #include "asterisk/tcptls.h"
@@@ -46,6 -47,7 +47,7 @@@
  #include "asterisk/manager.h"
  #include "asterisk/astobj2.h"
  #include "asterisk/pbx.h"
+ #include "asterisk/app.h"
  
  static void session_instance_destructor(void *obj)
  {
@@@ -310,7 -312,7 +312,7 @@@ static int __ssl_setup(struct ast_tls_c
        }
  
        if (client) {
 -#ifndef OPENSSL_NO_SSL2
 +#if !defined(OPENSSL_NO_SSL2) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
                if (ast_test_flag(&cfg->flags, AST_SSL_SSLV2_CLIENT)) {
                        ast_log(LOG_WARNING, "Usage of SSLv2 is discouraged due to known vulnerabilities. Please use 'tlsv1' or leave the TLS method unspecified!\n");
                        cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method());
@@@ -588,9 -590,64 +590,64 @@@ void ast_tcptls_server_start(struct ast
  {
        int flags;
        int x = 1;
+       int tls_changed = 0;
+       if (desc->tls_cfg) {
+               char hash[41];
+               char *str = NULL;
+               struct stat st;
+               /* Store the hashes of the TLS certificate etc. */
+               if (stat(desc->tls_cfg->certfile, &st) || NULL == (str = ast_read_textfile(desc->tls_cfg->certfile))) {
+                       memset(hash, 0, 41);
+               } else {
+                       ast_sha1_hash(hash, str);
+               }
+               ast_free(str);
+               str = NULL;
+               memcpy(desc->tls_cfg->certhash, hash, 41);
+               if (stat(desc->tls_cfg->pvtfile, &st) || NULL == (str = ast_read_textfile(desc->tls_cfg->pvtfile))) {
+                       memset(hash, 0, 41);
+               } else {
+                       ast_sha1_hash(hash, str);
+               }
+               ast_free(str);
+               str = NULL;
+               memcpy(desc->tls_cfg->pvthash, hash, 41);
+               if (stat(desc->tls_cfg->cafile, &st) || NULL == (str = ast_read_textfile(desc->tls_cfg->cafile))) {
+                       memset(hash, 0, 41);
+               } else {
+                       ast_sha1_hash(hash, str);
+               }
+               ast_free(str);
+               str = NULL;
+               memcpy(desc->tls_cfg->cahash, hash, 41);
+               /* Check whether TLS configuration has changed */
+               if (!desc->old_tls_cfg) { /* No previous configuration */
+                       tls_changed = 1;
+                       desc->old_tls_cfg = ast_calloc(1, sizeof(*desc->old_tls_cfg));
+               } else if (memcmp(desc->tls_cfg->certhash, desc->old_tls_cfg->certhash, 41)) {
+                       tls_changed = 1;
+               } else if (memcmp(desc->tls_cfg->pvthash, desc->old_tls_cfg->pvthash, 41)) {
+                       tls_changed = 1;
+               } else if (strcmp(desc->tls_cfg->cipher, desc->old_tls_cfg->cipher)) {
+                       tls_changed = 1;
+               } else if (memcmp(desc->tls_cfg->cahash, desc->old_tls_cfg->cahash, 41)) {
+                       tls_changed = 1;
+               } else if (strcmp(desc->tls_cfg->capath, desc->old_tls_cfg->capath)) {
+                       tls_changed = 1;
+               } else if (memcmp(&desc->tls_cfg->flags, &desc->old_tls_cfg->flags, sizeof(desc->tls_cfg->flags))) {
+                       tls_changed = 1;
+               }
+               if (tls_changed) {
+                       ast_debug(1, "Changed parameters for %s found\n", desc->name);
+               }
+       }
  
        /* Do nothing if nothing has changed */
-       if (!ast_sockaddr_cmp(&desc->old_address, &desc->local_address)) {
+       if (!tls_changed && !ast_sockaddr_cmp(&desc->old_address, &desc->local_address)) {
                ast_debug(1, "Nothing changed in %s\n", desc->name);
                return;
        }
  
        /* Set current info */
        ast_sockaddr_copy(&desc->old_address, &desc->local_address);
+       if (desc->old_tls_cfg) {
+               ast_free(desc->old_tls_cfg->certfile);
+               ast_free(desc->old_tls_cfg->pvtfile);
+               ast_free(desc->old_tls_cfg->cipher);
+               ast_free(desc->old_tls_cfg->cafile);
+               ast_free(desc->old_tls_cfg->capath);
+               desc->old_tls_cfg->certfile = ast_strdup(desc->tls_cfg->certfile);
+               desc->old_tls_cfg->pvtfile = ast_strdup(desc->tls_cfg->pvtfile);
+               desc->old_tls_cfg->cipher = ast_strdup(desc->tls_cfg->cipher);
+               desc->old_tls_cfg->cafile = ast_strdup(desc->tls_cfg->cafile);
+               desc->old_tls_cfg->capath = ast_strdup(desc->tls_cfg->capath);
+               memcpy(desc->old_tls_cfg->certhash, desc->tls_cfg->certhash, 41);
+               memcpy(desc->old_tls_cfg->pvthash, desc->tls_cfg->pvthash, 41);
+               memcpy(desc->old_tls_cfg->cahash, desc->tls_cfg->cahash, 41);
+               memcpy(&desc->old_tls_cfg->flags, &desc->tls_cfg->flags, sizeof(desc->old_tls_cfg->flags));
+       }
  
        return;
  
@@@ -676,6 -749,17 +749,17 @@@ void ast_tcptls_server_stop(struct ast_
                close(desc->accept_fd);
        }
        desc->accept_fd = -1;
+       if (desc->old_tls_cfg) {
+               ast_free(desc->old_tls_cfg->certfile);
+               ast_free(desc->old_tls_cfg->pvtfile);
+               ast_free(desc->old_tls_cfg->cipher);
+               ast_free(desc->old_tls_cfg->cafile);
+               ast_free(desc->old_tls_cfg->capath);
+               ast_free(desc->old_tls_cfg);
+               desc->old_tls_cfg = NULL;
+       }
        ast_debug(2, "Stopped server :: %s\n", desc->name);
  }