Made security features optional.

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@191418 65c4cc65-6c06-0410-ace0-fbb531ad65f3

apps/app_osplookup.c

@@ -39,6 +39,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
 
 #include <osp/osp.h>
 #include <osp/osputils.h>
+#include <osp/ospb64.h>
 
 #include "asterisk/paths.h"
 #include "asterisk/lock.h"
@@ -55,6 +56,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
 /* OSP Buffer Sizes */
 #define OSP_INTSTR_SIZE		((unsigned int)16)		/* OSP signed/unsigned int string buffer size */
 #define OSP_NORSTR_SIZE		((unsigned int)256)		/* OSP normal string buffer size */
+#define OSP_KEYSTR_SIZE		((unsigned int)1024)	/* OSP certificate string buffer size */
 #define OSP_TOKSTR_SIZE		((unsigned int)4096)	/* OSP token string buffer size */
 #define OSP_TECHSTR_SIZE	((unsigned int)32)		/* OSP signed/unsigned int string buffer size */
 #define OSP_UUID_SIZE		((unsigned int)16)		/* UUID size */
@@ -127,7 +129,7 @@ struct osp_provider {
 	char privatekey[OSP_NORSTR_SIZE];				/* OSP private key file name */
 	char localcert[OSP_NORSTR_SIZE];				/* OSP local cert file name */
 	unsigned int cacount;							/* Number of cacerts */
-	char cacerts[OSP_MAX_CERTS][OSP_NORSTR_SIZE]; 	/* Cacert file names */
+	char cacerts[OSP_MAX_CERTS][OSP_NORSTR_SIZE];	/* Cacert file names */
 	unsigned int spcount;							/* Number of service points */
 	char srvpoints[OSP_MAX_SRVS][OSP_NORSTR_SIZE];	/* Service point URLs */
 	int maxconnections;								/* Max number of connections */
@@ -167,9 +169,15 @@ struct osp_result {
 AST_MUTEX_DEFINE_STATIC(osplock);							/* Lock of OSP provider list */
 static int osp_initialized = 0;								/* Init flag */
 static int osp_hardware = 0;								/* Hardware accelleration flag */
+static int osp_security = 0;								/* Using security features flag */
 static struct osp_provider* ospproviders = NULL;			/* OSP provider list */
 static unsigned int osp_tokenformat = TOKEN_ALGO_SIGNED;	/* Token format supported */
 
+/* OSP default certificates */
+const char* B64PKey = "MIIBOgIBAAJBAK8t5l+PUbTC4lvwlNxV5lpl+2dwSZGW46dowTe6y133XyVEwNiiRma2YNk3xKs/TJ3Wl9Wpns2SYEAJsFfSTukCAwEAAQJAPz13vCm2GmZ8Zyp74usTxLCqSJZNyMRLHQWBM0g44Iuy4wE3vpi7Wq+xYuSOH2mu4OddnxswCP4QhaXVQavTAQIhAOBVCKXtppEw9UaOBL4vW0Ed/6EA/1D8hDW6St0h7EXJAiEAx+iRmZKhJD6VT84dtX5ZYNVk3j3dAcIOovpzUj9a0CECIEduTCapmZQ5xqAEsLXuVlxRtQgLTUD4ZxDElPn8x0MhAiBE2HlcND0+qDbvtwJQQOUzDgqg5xk3w8capboVdzAlQQIhAMC+lDL7+gDYkNAft5Mu+NObJmQs4Cr+DkDFsKqoxqrm";
+const char* B64LCert = "MIIBeTCCASMCEHqkOHVRRWr+1COq3CR/xsowDQYJKoZIhvcNAQEEBQAwOzElMCMGA1UEAxMcb3NwdGVzdHNlcnZlci50cmFuc25leHVzLmNvbTESMBAGA1UEChMJT1NQU2VydmVyMB4XDTA1MDYyMzAwMjkxOFoXDTA2MDYyNDAwMjkxOFowRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCvLeZfj1G0wuJb8JTcVeZaZftncEmRluOnaME3ustd918lRMDYokZmtmDZN8SrP0yd1pfVqZ7NkmBACbBX0k7pAgMBAAEwDQYJKoZIhvcNAQEEBQADQQDnV8QNFVVJx/+7IselU0wsepqMurivXZzuxOmTEmTVDzCJx1xhA8jd3vGAj7XDIYiPub1PV23eY5a2ARJuw5w9";
+const char* B64CACert = "MIIBYDCCAQoCAQEwDQYJKoZIhvcNAQEEBQAwOzElMCMGA1UEAxMcb3NwdGVzdHNlcnZlci50cmFuc25leHVzLmNvbTESMBAGA1UEChMJT1NQU2VydmVyMB4XDTAyMDIwNDE4MjU1MloXDTEyMDIwMzE4MjU1MlowOzElMCMGA1UEAxMcb3NwdGVzdHNlcnZlci50cmFuc25leHVzLmNvbTESMBAGA1UEChMJT1NQU2VydmVyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAPGeGwV41EIhX0jEDFLRXQhDEr50OUQPq+f55VwQd0TQNts06BP29+UiNdRW3c3IRHdZcJdC1Cg68ME9cgeq0h8CAwEAATANBgkqhkiG9w0BAQQFAANBAGkzBSj1EnnmUxbaiG1N4xjIuLAWydun7o3bFk2tV8dBIhnuh445obYyk1EnQ27kI7eACCILBZqi2MHDOIMnoN0=";
+
 /* OSP Client Wrapper APIs */
 
 /*!
@@ -190,7 +198,10 @@ static int osp_create_provider(
 	OSPT_CERT cacerts[OSP_MAX_CERTS];
 	const OSPT_CERT* pcacerts[OSP_MAX_CERTS];
 	const char* psrvpoints[OSP_MAX_SRVS];
-	int t, i, j, error = OSPC_ERR_NO_ERROR;
+	unsigned char privatekeydata[OSP_KEYSTR_SIZE];
+	unsigned char localcertdata[OSP_KEYSTR_SIZE];
+	unsigned char cacertdata[OSP_KEYSTR_SIZE];
+	int i, t, error = OSPC_ERR_NO_ERROR;
 
 	if (!(p = ast_calloc(1, sizeof(*p)))) {
 		ast_log(LOG_ERROR, "Out of memory\n");
@@ -213,30 +224,36 @@ static int osp_create_provider(
 	v = ast_variable_browse(cfg, provider);
 	while(v) {
 		if (!strcasecmp(v->name, "privatekey")) {
-			if (v->value[0] == '/') {
+			if (osp_security) {
-				ast_copy_string(p->privatekey, v->value, sizeof(p->privatekey));
-			} else {
-				snprintf(p->privatekey, sizeof(p->privatekey), "%s/%s", ast_config_AST_KEY_DIR, v->value);
-			}
-			ast_debug(1, "OSP: privatekey '%s'\n", p->privatekey);
-		} else if (!strcasecmp(v->name, "localcert")) {
-			if (v->value[0] == '/') {
-				ast_copy_string(p->localcert, v->value, sizeof(p->localcert));
-			} else {
-				snprintf(p->localcert, sizeof(p->localcert), "%s/%s", ast_config_AST_KEY_DIR, v->value);
-			}
-			ast_debug(1, "OSP: localcert '%s'\n", p->localcert);
-		} else if (!strcasecmp(v->name, "cacert")) {
-			if (p->cacount < OSP_MAX_CERTS) {
 				if (v->value[0] == '/') {
-					ast_copy_string(p->cacerts[p->cacount], v->value, sizeof(p->cacerts[0]));
+					ast_copy_string(p->privatekey, v->value, sizeof(p->privatekey));
 				} else {
-					snprintf(p->cacerts[p->cacount], sizeof(p->cacerts[0]), "%s/%s", ast_config_AST_KEY_DIR, v->value);
+					snprintf(p->privatekey, sizeof(p->privatekey), "%s/%s", ast_config_AST_KEY_DIR, v->value);
+				}
+				ast_debug(1, "OSP: privatekey '%s'\n", p->privatekey);
+			}
+		} else if (!strcasecmp(v->name, "localcert")) {
+			if (osp_security) {
+				if (v->value[0] == '/') {
+					ast_copy_string(p->localcert, v->value, sizeof(p->localcert));
+				} else {
+					snprintf(p->localcert, sizeof(p->localcert), "%s/%s", ast_config_AST_KEY_DIR, v->value);
+				}
+				ast_debug(1, "OSP: localcert '%s'\n", p->localcert);
+			}
+		} else if (!strcasecmp(v->name, "cacert")) {
+			if (osp_security) {
+				if (p->cacount < OSP_MAX_CERTS) {
+					if (v->value[0] == '/') {
+						ast_copy_string(p->cacerts[p->cacount], v->value, sizeof(p->cacerts[0]));
+					} else {
+						snprintf(p->cacerts[p->cacount], sizeof(p->cacerts[0]), "%s/%s", ast_config_AST_KEY_DIR, v->value);
+					}
+					ast_debug(1, "OSP: cacerts[%d]: '%s'\n", p->cacount, p->cacerts[p->cacount]);
+					p->cacount++;
+				} else {
+					ast_log(LOG_WARNING, "OSP: Too many CA Certificates at line %d\n", v->lineno);
 				}
-				ast_debug(1, "OSP: cacert[%d]: '%s'\n", p->cacount, p->cacerts[p->cacount]);
-				p->cacount++;
-			} else {
-				ast_log(LOG_WARNING, "OSP: Too many CA Certificates at line %d\n", v->lineno);
 			}
 		} else if (!strcasecmp(v->name, "servicepoint")) {
 			if (p->spcount < OSP_MAX_SRVS) {
@@ -307,95 +324,109 @@ static int osp_create_provider(
 		v = v->next;
 	}
 
-	error = OSPPUtilLoadPEMPrivateKey((unsigned char*)p->privatekey, &privatekey);
+	if (p->cacount == 0) {
-	if (error != OSPC_ERR_NO_ERROR) {
+		p->cacount = 1;
-		ast_log(LOG_WARNING, "OSP: Unable to load privatekey '%s', error '%d'\n", p->privatekey, error);
-		ast_free(p);
-		return 0;
-	}
-
-	error = OSPPUtilLoadPEMCert((unsigned char*)p->localcert, &localcert);
-	if (error != OSPC_ERR_NO_ERROR) {
-		ast_log(LOG_WARNING, "OSP: Unable to load localcert '%s', error '%d'\n", p->localcert, error);
-		if (privatekey.PrivateKeyData) {
-			ast_free(privatekey.PrivateKeyData);
-		}
-		ast_free(p);
-		return 0;
-	}
-
-	if (p->cacount < 1) {
-		snprintf(p->cacerts[p->cacount], sizeof(p->cacerts[0]), "%s/%s-cacert.pem", ast_config_AST_KEY_DIR, provider);
-		ast_debug(1, "OSP: cacert[%d]: '%s'\n", p->cacount, p->cacerts[p->cacount]);
-		p->cacount++;
-	}
-	for (i = 0; i < p->cacount; i++) {
-		error = OSPPUtilLoadPEMCert((unsigned char*)p->cacerts[i], &cacerts[i]);
-		if (error != OSPC_ERR_NO_ERROR) {
-			ast_log(LOG_WARNING, "OSP: Unable to load cacert '%s', error '%d'\n", p->cacerts[i], error);
-			for (j = 0; j < i; j++) {
-				if (cacerts[j].CertData) {
-					ast_free(cacerts[j].CertData);
-				}
-			}
-			if (localcert.CertData) {
-				ast_free(localcert.CertData);
-			}
-			if (privatekey.PrivateKeyData) {
-				ast_free(privatekey.PrivateKeyData);
-			}
-			ast_free(p);
-			return 0;
-		}
-		pcacerts[i] = &cacerts[i];
 	}
 
 	for (i = 0; i < p->spcount; i++) {
 		psrvpoints[i] = p->srvpoints[i];
 	}
 
-	error = OSPPProviderNew(
+	if (osp_security) {
-		p->spcount,
+		privatekey.PrivateKeyData = NULL;
-		psrvpoints,
+		privatekey.PrivateKeyLength = 0;
-		NULL,
-		OSP_AUDIT_URL,
-		&privatekey,
-		&localcert,
-		p->cacount,
-		pcacerts,
-		OSP_LOCAL_VALIDATION,
-		OSP_SSL_LIFETIME,
-		p->maxconnections,
-		OSP_HTTP_PERSISTENCE,
-		p->retrydelay,
-		p->retrylimit,
-		p->timeout,
-		OSP_CUSTOMER_ID,
-		OSP_DEVICE_ID,
-		&p->handle);
-	if (error != OSPC_ERR_NO_ERROR) {
-		ast_log(LOG_WARNING, "OSP: Unable to create provider '%s', error '%d'\n", provider, error);
-		ast_free(p);
-		res = -1;
-	} else {
-		ast_debug(1, "OSP: provider '%s'\n", provider);
-		ast_mutex_lock(&osplock);
-		p->next = ospproviders;
-		ospproviders = p;
-		ast_mutex_unlock(&osplock);
-		res = 1;
-	}
 
-	for (i = 0; i < p->cacount; i++) {
+		localcert.CertData = NULL;
-		if (cacerts[i].CertData) {
+		localcert.CertDataLength = 0;
-			ast_free(cacerts[i].CertData);
+
+		for (i = 0; i < p->cacount; i++) {
+			cacerts[i].CertData = NULL;
+			cacerts[i].CertDataLength = 0;
+		}
+
+		if ((error = OSPPUtilLoadPEMPrivateKey((unsigned char*)p->privatekey, &privatekey)) != OSPC_ERR_NO_ERROR) {
+			ast_log(LOG_WARNING, "OSP: Unable to load privatekey '%s', error '%d'\n", p->privatekey, error);
+		} else if ((error = OSPPUtilLoadPEMCert((unsigned char*)p->localcert, &localcert)) != OSPC_ERR_NO_ERROR) {
+			ast_log(LOG_WARNING, "OSP: Unable to load localcert '%s', error '%d'\n", p->localcert, error);
+		} else {
+			for (i = 0; i < p->cacount; i++) {
+				if ((error = OSPPUtilLoadPEMCert((unsigned char*)p->cacerts[i], &cacerts[i])) != OSPC_ERR_NO_ERROR) {
+					ast_log(LOG_WARNING, "OSP: Unable to load cacert '%s', error '%d'\n", p->cacerts[i], error);
+					break;
+				} else {
+					pcacerts[i] = &cacerts[i];
+				}
+			}
+		}
+	} else {
+		privatekey.PrivateKeyData = privatekeydata;
+		privatekey.PrivateKeyLength = sizeof(privatekeydata);
+
+		localcert.CertData = localcertdata;
+		localcert.CertDataLength = sizeof(localcertdata);
+
+		cacerts[0].CertData = cacertdata;
+		cacerts[0].CertDataLength = sizeof(cacertdata);
+		pcacerts[0] = &cacerts[0];
+
+		if ((error = OSPPBase64Decode(B64PKey, strlen(B64PKey), privatekey.PrivateKeyData, &privatekey.PrivateKeyLength)) != OSPC_ERR_NO_ERROR) {
+			ast_log(LOG_WARNING, "OSP: Unable to decode private key, error '%d'\n", error);
+		} else if ((error = OSPPBase64Decode(B64LCert, strlen(B64LCert), localcert.CertData, &localcert.CertDataLength)) != OSPC_ERR_NO_ERROR) {
+			ast_log(LOG_WARNING, "OSP: Unable to decode local cert, error '%d'\n", error);
+		} else if ((error = OSPPBase64Decode(B64CACert, strlen(B64CACert), cacerts[0].CertData, &cacerts[0].CertDataLength)) != OSPC_ERR_NO_ERROR) {
+			ast_log(LOG_WARNING, "OSP: Unable to decode cacert, error '%d'\n", error);
 		}
 	}
-	if (localcert.CertData) {
+
-		ast_free(localcert.CertData);
+	if (error == OSPC_ERR_NO_ERROR) {
+		error = OSPPProviderNew(
+			p->spcount,
+			psrvpoints,
+			NULL,
+			OSP_AUDIT_URL,
+			&privatekey,
+			&localcert,
+			p->cacount,
+			pcacerts,
+			OSP_LOCAL_VALIDATION,
+			OSP_SSL_LIFETIME,
+			p->maxconnections,
+			OSP_HTTP_PERSISTENCE,
+			p->retrydelay,
+			p->retrylimit,
+			p->timeout,
+			OSP_CUSTOMER_ID,
+			OSP_DEVICE_ID,
+			&p->handle);
+		if (error != OSPC_ERR_NO_ERROR) {
+			ast_log(LOG_WARNING, "OSP: Unable to create provider '%s', error '%d'\n", provider, error);
+			res = -1;
+		} else {
+			ast_debug(1, "OSP: provider '%s'\n", provider);
+			ast_mutex_lock(&osplock);
+			p->next = ospproviders;
+			ospproviders = p;
+			ast_mutex_unlock(&osplock);
+			res = 1;
+		}
 	}
-	if (privatekey.PrivateKeyData) {
+
-		ast_free(privatekey.PrivateKeyData);
+	if (osp_security) {
+		for (i = 0; i < p->cacount; i++) {
+			if (cacerts[i].CertData) {
+				ast_free(cacerts[i].CertData);
+			}
+		}
+		if (localcert.CertData) {
+			ast_free(localcert.CertData);
+		}
+		if (privatekey.PrivateKeyData) {
+			ast_free(privatekey.PrivateKeyData);
+		}
+	}
+
+	if (res != 1) {
+		ast_free(p);
 	}
 
 	return res;
@@ -1821,6 +1852,12 @@ static int osp_load(int reload)
 		}
 		ast_debug(1, "OSP: osp_hardware '%d'\n", osp_hardware);
 
+		t = ast_variable_retrieve(cfg, OSP_GENERAL_CAT, "securityfeatures");
+		if (t && ast_true(t)) {
+			osp_security = 1;
+		}
+		ast_debug(1, "OSP: osp_security '%d'\n", osp_security);
+
 		t = ast_variable_retrieve(cfg, OSP_GENERAL_CAT, "tokenformat");
 		if (t) {
 			if ((sscanf(t, "%d", &v) == 1) &&
@@ -1874,6 +1911,7 @@ static int osp_unload(void)
 		OSPPCleanup();
 
 		osp_tokenformat = TOKEN_ALGO_SIGNED;
+		osp_security = 0;
 		osp_hardware = 0;
 		osp_initialized = 0;
 	}
@@ -1916,8 +1954,11 @@ static char *handle_cli_osp_show(struct ast_cli_entry *e, int cmd, struct ast_cl
 			tokenalgo = "Signed";
 			break;
 		}
-		ast_cli(a->fd, "OSP: %s %s %s\n",
+		ast_cli(a->fd, "OSP: %s/%s/%s/%s\n",
-			osp_initialized ? "Initialized" : "Uninitialized", osp_hardware ? "Accelerated" : "Normal", tokenalgo);
+			osp_initialized ? "Initialized" : "Uninitialized", 
+			osp_hardware ? "Accelerated" : "Normal", 
+			osp_security ? "Enabled" : "Disabled", 
+			tokenalgo);
 	}
 
 	ast_mutex_lock(&osplock);
@@ -1928,10 +1969,12 @@ static char *handle_cli_osp_show(struct ast_cli_entry *e, int cmd, struct ast_cl
 				ast_cli(a->fd, "\n");
 			}
 			ast_cli(a->fd, " == OSP Provider '%s' == \n", p->name);
-			ast_cli(a->fd, "Local Private Key: %s\n", p->privatekey);
+			if (osp_security) {
-			ast_cli(a->fd, "Local Certificate: %s\n", p->localcert);
+				ast_cli(a->fd, "Local Private Key: %s\n", p->privatekey);
-			for (i = 0; i < p->cacount; i++) {
+				ast_cli(a->fd, "Local Certificate: %s\n", p->localcert);
-				ast_cli(a->fd, "CA Certificate %d:  %s\n", i + 1, p->cacerts[i]);
+				for (i = 0; i < p->cacount; i++) {
+					ast_cli(a->fd, "CA Certificate %d:  %s\n", i + 1, p->cacerts[i]);
+				}
 			}
 			for (i = 0; i < p->spcount; i++) {
 				ast_cli(a->fd, "Service Point %d:   %s\n", i + 1, p->srvpoints[i]);

configs/osp.conf.sample

@@ -12,14 +12,23 @@
 [general]
 ;
 ; Enable cryptographic acceleration hardware.  
+; The default value is no.
 ;
 ;accelerate=no
 ;
+; Enable security features.
+; If security features are disabled, Asterisk cannot validate signed tokens and
+; all certificate file name parameters are ignored.
+; The default value is no.
+;
+;securityfeatures=no
+;
 ; Defines the status of tokens that Asterisk will validate. 
 ; 0 - signed tokens only 
 ; 1 - unsigned tokens only 
 ; 2 - both signed and unsigned
 ; The default value is 0, i.e. the Asterisk will only validate signed tokens.
+; If securityfeatures are disabled, Asterisk cannot validate signed tokens.
 ;
 ;tokenformat=0
 ;
@@ -43,6 +52,7 @@
 ; If this parameter is unspecified or not present, the default name will be the 
 ; osp.conf section name followed by "-privatekey.pem" (for example: 
 ; default-privatekey.pem)
+; If securityfeatures are disabled, this parameter is ignored.
 ;
 ;privatekey=pkey.pem
 ;
@@ -50,6 +60,7 @@
 ; If this parameter is unspecified or not present, the default name will be the 
 ; osp.conf section name followed by "- localcert.pem " (for example: 
 ; default-localcert.pem)  
+; If securityfeatures are disabled, this parameter is ignored.
 ;
 ;localcert=localcert.pem
 ;
@@ -57,6 +68,7 @@
 ; a single Certificate Authority key file name is added with the default name of 
 ; the osp.conf section name followed by "-cacert_0.pem " (for example: 
 ; default-cacert_0.pem)
+; If securityfeatures are disabled, this parameter is ignored.
 ;
 ;cacert=cacert_0.pem
 ;
@@ -81,6 +93,7 @@
 ; 2 - EXCLUSIVE - Accept calls with valid token. Block calls with invalid token 
 ;                 or no token.
 ; Default is 1,
+; If securityfeatures are disabled, Asterisk cannot validate signed tokens.
 ;
 ;authpolicy=1
 ;