kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-09-04 11:58:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Clean up res_crypto module. It now uses an rwlist to keep the keys and it should also be thread safe now.

Browse Source 
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@76706 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This commit is contained in:
Joshua Colp
2007-07-23 21:42:43 +00:00
parent a1fdc1c769
commit 84f325abb2
1 changed files with 96 additions and 168 deletions
Download Patch File Download Diff File Expand all files Collapse all files

264
res/res_crypto.c
View File

@@ -70,17 +70,6 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
*
*/
/*
* XXX This module is not very thread-safe. It is for everyday stuff
* like reading keys and stuff, but there are all kinds of weird
* races with people running reload and key init at the same time
* for example
*
* XXXX
*/
AST_MUTEX_DEFINE_STATIC(keylock);
#define KEY_NEEDS_PASSCODE (1 << 16)
struct ast_key {
@@ -100,19 +89,10 @@ struct ast_key {
int outfd;
/*! Last MD5 Digest */
unsigned char digest[16];
struct ast_key *next;
AST_RWLIST_ENTRY(ast_key) list;
};
static struct ast_key *keys = NULL;
#if 0
static int fdprint(int fd, char *s)
{
return write(fd, s, strlen(s) + 1);
}
#endif
static AST_RWLIST_HEAD_STATIC(keys, ast_key);
/*!
* \brief setting of priv key
@@ -126,25 +106,25 @@ static int pw_cb(char *buf, int size, int rwflag, void *userdata)
{
struct ast_key *key = (struct ast_key *)userdata;
char prompt[256];
int res;
int tmp;
if (key->infd > -1) {
snprintf(prompt, sizeof(prompt), ">>>> passcode for %s key '%s': ",
key->ktype == AST_KEY_PRIVATE ? "PRIVATE" : "PUBLIC", key->name);
write(key->outfd, prompt, strlen(prompt));
memset(buf, 0, sizeof(buf));
tmp = ast_hide_password(key->infd);
memset(buf, 0, size);
res = read(key->infd, buf, size);
ast_restore_tty(key->infd, tmp);
if (buf[strlen(buf) -1] == '\n')
buf[strlen(buf) - 1] = '\0';
return strlen(buf);
} else {
int res, tmp;
if (key->infd < 0) {
/* Note that we were at least called */
key->infd = -2;
return -1;
}
return -1;
snprintf(prompt, sizeof(prompt), ">>>> passcode for %s key '%s': ",
key->ktype == AST_KEY_PRIVATE ? "PRIVATE" : "PUBLIC", key->name);
write(key->outfd, prompt, strlen(prompt));
memset(buf, 0, sizeof(buf));
tmp = ast_hide_password(key->infd);
memset(buf, 0, size);
res = read(key->infd, buf, size);
ast_restore_tty(key->infd, tmp);
if (buf[strlen(buf) -1] == '\n')
buf[strlen(buf) - 1] = '\0';
return strlen(buf);
}
/*!
@@ -154,15 +134,15 @@ static int pw_cb(char *buf, int size, int rwflag, void *userdata)
static struct ast_key *__ast_key_get(const char *kname, int ktype)
{
struct ast_key *key;
ast_mutex_lock(&keylock);
key = keys;
while(key) {
AST_RWLIST_RDLOCK(&keys);
AST_RWLIST_TRAVERSE(&keys, key, list) {
if (!strcmp(kname, key->name) &&
(ktype == key->ktype))
break;
key = key->next;
}
ast_mutex_unlock(&keylock);
AST_RWLIST_UNLOCK(&keys);
return key;
}
@@ -176,57 +156,49 @@ static struct ast_key *__ast_key_get(const char *kname, int ktype)
* \retval key on success.
* \retval NULL on failure.
*/
static struct ast_key *try_load_key (char *dir, char *fname, int ifd, int ofd, int *not2)
static struct ast_key *try_load_key(char *dir, char *fname, int ifd, int ofd, int *not2)
{
int ktype = 0;
char *c = NULL;
char ffname[256];
int ktype = 0, found = 0;
char *c = NULL, ffname[256];
unsigned char digest[16];
FILE *f;
struct MD5Context md5;
struct ast_key *key;
static int notice = 0;
int found = 0;
/* Make sure its name is a public or private key */
if ((c = strstr(fname, ".pub")) && !strcmp(c, ".pub")) {
if ((c = strstr(fname, ".pub")) && !strcmp(c, ".pub"))
ktype = AST_KEY_PUBLIC;
} else if ((c = strstr(fname, ".key")) && !strcmp(c, ".key")) {
else if ((c = strstr(fname, ".key")) && !strcmp(c, ".key"))
ktype = AST_KEY_PRIVATE;
} else
else
return NULL;
/* Get actual filename */
snprintf(ffname, sizeof(ffname), "%s/%s", dir, fname);
ast_mutex_lock(&keylock);
key = keys;
while(key) {
/* Look for an existing version already */
if (!strcasecmp(key->fn, ffname))
break;
key = key->next;
}
ast_mutex_unlock(&keylock);
/* Open file */
f = fopen(ffname, "r");
if (!f) {
if (!(f = fopen(ffname, "r"))) {
ast_log(LOG_WARNING, "Unable to open key file %s: %s\n", ffname, strerror(errno));
return NULL;
}
MD5Init(&md5);
while(!feof(f)) {
/* Calculate a "whatever" quality md5sum of the key */
char buf[256];
memset(buf, 0, 256);
char buf[256] = "";
fgets(buf, sizeof(buf), f);
if (!feof(f)) {
if (!feof(f))
MD5Update(&md5, (unsigned char *) buf, strlen(buf));
}
}
MD5Final(digest, &md5);
/* Look for an existing key */
AST_RWLIST_TRAVERSE(&keys, key, list) {
if (!strcasecmp(key->fn, ffname))
break;
}
if (key) {
/* If the MD5 sum is the same, and it isn't awaiting a passcode
then this is far enough */
@@ -251,11 +223,6 @@ static struct ast_key *try_load_key (char *dir, char *fname, int ifd, int ofd, i
return NULL;
}
}
/* At this point we have a key structure (old or new). Time to
fill it with what we know */
/* Gotta lock if this one already exists */
if (found)
ast_mutex_lock(&keylock);
/* First the filename */
ast_copy_string(key->fn, ffname, sizeof(key->fn));
/* Then the name */
@@ -288,9 +255,9 @@ static struct ast_key *try_load_key (char *dir, char *fname, int ifd, int ofd, i
ast_log(LOG_NOTICE, "Key '%s' is not expected size.\n", key->name);
} else if (key->infd != -2) {
ast_log(LOG_WARNING, "Key load %s '%s' failed\n",key->ktype == AST_KEY_PUBLIC ? "PUBLIC" : "PRIVATE", key->name);
if (ofd > -1) {
if (ofd > -1)
ERR_print_errors_fp(stderr);
} else
else
ERR_print_errors_fp(stderr);
} else {
ast_log(LOG_NOTICE, "Key '%s' needs passcode.\n", key->name);
@@ -305,43 +272,14 @@ static struct ast_key *try_load_key (char *dir, char *fname, int ifd, int ofd, i
/* Print final notice about "init keys" when done */
*not2 = 1;
}
if (found)
ast_mutex_unlock(&keylock);
if (!found) {
ast_mutex_lock(&keylock);
key->next = keys;
keys = key;
ast_mutex_unlock(&keylock);
}
/* If this is a new key add it to the list */
if (!found)
AST_RWLIST_INSERT_TAIL(&keys, key, list);
return key;
}
#if 0
static void dump(unsigned char *src, int len)
{
int x;
for (x=0;x<len;x++)
printf("%02x", *(src++));
printf("\n");
}
static char *binary(int y, int len)
{
static char res[80];
int x;
memset(res, 0, sizeof(res));
for (x=0;x<len;x++) {
if (y & (1 << x))
res[(len - x - 1)] = '1';
else
res[(len - x - 1)] = '0';
}
return res;
}
#endif
/*!
* \brief signs outgoing message with public key
* \see ast_sign_bin
@@ -361,9 +299,7 @@ static int __ast_sign_bin(struct ast_key *key, const char *msg, int msglen, unsi
SHA1((unsigned char *)msg, msglen, digest);
/* Verify signature */
res = RSA_sign(NID_sha1, digest, sizeof(digest), dsig, &siglen, key->rsa);
if (!res) {
if (!(res = RSA_sign(NID_sha1, digest, sizeof(digest), dsig, &siglen, key->rsa))) {
ast_log(LOG_WARNING, "RSA Signature (key %s) failed\n", key->name);
return -1;
}
@@ -383,8 +319,8 @@ static int __ast_sign_bin(struct ast_key *key, const char *msg, int msglen, unsi
*/
static int __ast_decrypt_bin(unsigned char *dst, const unsigned char *src, int srclen, struct ast_key *key)
{
int res;
int pos = 0;
int res, pos = 0;
if (key->ktype != AST_KEY_PRIVATE) {
ast_log(LOG_WARNING, "Cannot decrypt with a public key\n");
return -1;
@@ -394,16 +330,17 @@ static int __ast_decrypt_bin(unsigned char *dst, const unsigned char *src, int s
ast_log(LOG_NOTICE, "Tried to decrypt something not a multiple of 128 bytes\n");
return -1;
}
while(srclen) {
/* Process chunks 128 bytes at a time */
res = RSA_private_decrypt(128, src, dst, key->rsa, RSA_PKCS1_OAEP_PADDING);
if (res < 0)
if ((res = RSA_private_decrypt(128, src, dst, key->rsa, RSA_PKCS1_OAEP_PADDING)) < 0)
return -1;
pos += res;
src += 128;
srclen -= 128;
dst += res;
}
return pos;
}
@@ -413,9 +350,8 @@ static int __ast_decrypt_bin(unsigned char *dst, const unsigned char *src, int s
*/
static int __ast_encrypt_bin(unsigned char *dst, const unsigned char *src, int srclen, struct ast_key *key)
{
int res;
int bytes;
int pos = 0;
int res, bytes, pos = 0;
if (key->ktype != AST_KEY_PUBLIC) {
ast_log(LOG_WARNING, "Cannot encrypt with a private key\n");
return -1;
@@ -426,8 +362,7 @@ static int __ast_encrypt_bin(unsigned char *dst, const unsigned char *src, int s
if (bytes > 128 - 41)
bytes = 128 - 41;
/* Process chunks 128-41 bytes at a time */
res = RSA_public_encrypt(bytes, src, dst, key->rsa, RSA_PKCS1_OAEP_PADDING);
if (res != 128) {
if ((res = RSA_public_encrypt(bytes, src, dst, key->rsa, RSA_PKCS1_OAEP_PADDING)) != 128) {
ast_log(LOG_NOTICE, "How odd, encrypted size is %d\n", res);
return -1;
}
@@ -446,14 +381,13 @@ static int __ast_encrypt_bin(unsigned char *dst, const unsigned char *src, int s
static int __ast_sign(struct ast_key *key, char *msg, char *sig)
{
unsigned char dsig[128];
int siglen = sizeof(dsig);
int res;
res = ast_sign_bin(key, msg, strlen(msg), dsig);
if (!res)
int siglen = sizeof(dsig), res;
if (!(res = ast_sign_bin(key, msg, strlen(msg), dsig)))
/* Success -- encode (256 bytes max as documented) */
ast_base64encode(sig, dsig, siglen, 256);
return res;
}
/*!
@@ -476,12 +410,11 @@ static int __ast_check_signature_bin(struct ast_key *key, const char *msg, int m
SHA1((unsigned char *)msg, msglen, digest);
/* Verify signature */
res = RSA_verify(NID_sha1, digest, sizeof(digest), (unsigned char *)dsig, 128, key->rsa);
if (!res) {
if (!(res = RSA_verify(NID_sha1, digest, sizeof(digest), (unsigned char *)dsig, 128, key->rsa))) {
ast_debug(1, "Key failed verification: %s\n", key->name);
return -1;
}
/* Pass */
return 0;
}
@@ -496,12 +429,13 @@ static int __ast_check_signature(struct ast_key *key, const char *msg, const cha
int res;
/* Decode signature */
res = ast_base64decode(dsig, sig, sizeof(dsig));
if (res != sizeof(dsig)) {
if ((res = ast_base64decode(dsig, sig, sizeof(dsig))) != sizeof(dsig)) {
ast_log(LOG_WARNING, "Signature improper length (expect %d, got %d)\n", (int)sizeof(dsig), (int)res);
return -1;
}
res = ast_check_signature_bin(key, msg, strlen(msg), dsig);
return res;
}
@@ -513,56 +447,49 @@ static int __ast_check_signature(struct ast_key *key, const char *msg, const cha
*/
static void crypto_load(int ifd, int ofd)
{
struct ast_key *key, *nkey, *last;
struct ast_key *key;
DIR *dir = NULL;
struct dirent *ent;
int note = 0;
AST_RWLIST_WRLOCK(&keys);
/* Mark all keys for deletion */
ast_mutex_lock(&keylock);
key = keys;
while(key) {
AST_RWLIST_TRAVERSE(&keys, key, list) {
key->delme = 1;
key = key->next;
}
ast_mutex_unlock(&keylock);
/* Load new keys */
dir = opendir((char *)ast_config_AST_KEY_DIR);
if (dir) {
if ((dir = opendir((char *)ast_config_AST_KEY_DIR))) {
while((ent = readdir(dir))) {
try_load_key((char *)ast_config_AST_KEY_DIR, ent->d_name, ifd, ofd, &note);
}
closedir(dir);
} else
ast_log(LOG_WARNING, "Unable to open key directory '%s'\n", (char *)ast_config_AST_KEY_DIR);
if (note) {
if (note)
ast_log(LOG_NOTICE, "Please run the command 'init keys' to enter the passcodes for the keys\n");
}
ast_mutex_lock(&keylock);
key = keys;
last = NULL;
while(key) {
nkey = key->next;
/* Delete any keys that are no longer present */
AST_RWLIST_TRAVERSE_SAFE_BEGIN(&keys, key, list) {
if (key->delme) {
ast_debug(1, "Deleting key %s type %d\n", key->name, key->ktype);
/* Do the delete */
if (last)
last->next = nkey;
else
keys = nkey;
AST_RWLIST_REMOVE_CURRENT(&keys, list);
if (key->rsa)
RSA_free(key->rsa);
free(key);
} else
last = key;
key = nkey;
ast_free(key);
}
}
ast_mutex_unlock(&keylock);
AST_RWLIST_TRAVERSE_SAFE_END
AST_RWLIST_UNLOCK(&keys);
}
static void md52sum(char *sum, unsigned char *md5)
{
int x;
for (x=0;x<16;x++)
for (x = 0; x < 16; x++)
sum += sprintf(sum, "%02x", *(md5++));
}
@@ -579,20 +506,20 @@ static int show_keys(int fd, int argc, char *argv[])
char sum[16 * 2 + 1];
int count_keys = 0;
ast_mutex_lock(&keylock);
key = keys;
ast_cli(fd, "%-18s %-8s %-16s %-33s\n", "Key Name", "Type", "Status", "Sum");
while(key) {
AST_RWLIST_RDLOCK(&keys);
AST_RWLIST_TRAVERSE(&keys, key, list) {
md52sum(sum, key->digest);
ast_cli(fd, "%-18s %-8s %-16s %-33s\n", key->name,
(key->ktype & 0xf) == AST_KEY_PUBLIC ? "PUBLIC" : "PRIVATE",
key->ktype & KEY_NEEDS_PASSCODE ? "[Needs Passcode]" : "[Loaded]", sum);
key = key->next;
count_keys++;
}
ast_mutex_unlock(&keylock);
AST_RWLIST_UNLOCK(&keys);
ast_cli(fd, "%d known RSA keys.\n", count_keys);
return RESULT_SUCCESS;
}
@@ -607,19 +534,20 @@ static int init_keys(int fd, int argc, char *argv[])
{
struct ast_key *key;
int ign;
char *kn;
char tmp[256] = "";
char *kn, tmp[256] = "";
key = keys;
while(key) {
AST_RWLIST_WRLOCK(&keys);
AST_RWLIST_TRAVERSE_SAFE_BEGIN(&keys, key, list) {
/* Reload keys that need pass codes now */
if (key->ktype & KEY_NEEDS_PASSCODE) {
kn = key->fn + strlen(ast_config_AST_KEY_DIR) + 1;
ast_copy_string(tmp, kn, sizeof(tmp));
try_load_key((char *)ast_config_AST_KEY_DIR, tmp, fd, fd, &ign);
}
key = key->next;
}
AST_RWLIST_TRAVERSE_SAFE_END
AST_RWLIST_UNLOCK(&keys);
return RESULT_SUCCESS;
}