switch_core_cert.c File Reference

#include <switch.h>
#include <switch_ssl.h>

Include dependency graph for switch_core_cert.c:

Go to the source code of this file.

Functions
static void	switch_ssl_ssl_lock_callback (int mode, int type, char *file, int line)
static void	switch_ssl_ssl_thread_id (CRYPTO_THREADID *id)
void	switch_ssl_init_ssl_locks (void)
void	switch_ssl_destroy_ssl_locks (void)
static const EVP_MD *	get_evp_by_name (const char *name)
int	switch_core_cert_verify (dtls_fingerprint_t *fp)
int	switch_core_cert_expand_fingerprint (dtls_fingerprint_t *fp, const char *str)
int	switch_core_cert_extract_fingerprint (X509 *x509, dtls_fingerprint_t *fp)
int	switch_core_cert_gen_fingerprint (const char *prefix, dtls_fingerprint_t *fp)
static int	mkcert (X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days)
int	switch_core_gen_certs (const char *prefix)
switch_bool_t	switch_core_check_dtls_pem (const char *file)

Variables
static switch_mutex_t **	ssl_mutexes
static switch_memory_pool_t *	ssl_pool = NULL
static int	ssl_count = 0

Function Documentation

get_evp_by_name()

static const EVP_MD* get_evp_by_name ( const char *  name )

static

Definition at line 106 of file switch_core_cert.c.

Referenced by switch_core_cert_extract_fingerprint().

{
        if (!strcasecmp(name, "md5")) return EVP_md5();
        if (!strcasecmp(name, "sha1")) return EVP_sha1();
        if (!strcasecmp(name, "sha-1")) return EVP_sha1();
        if (!strcasecmp(name, "sha-256")) return EVP_sha256();
        if (!strcasecmp(name, "sha-512")) return EVP_sha512();

        return NULL;
}

mkcert()

static int mkcert ( X509 **  x509p, EVP_PKEY **  pkeyp, int  bits, int  serial, int  days  )

static

Definition at line 412 of file switch_core_cert.c.

References name, and switch_assert.

Referenced by switch_core_cert_gen_fingerprint(), and switch_core_gen_certs().

{
        X509 *x;
        EVP_PKEY *pk;
#if OPENSSL_VERSION_NUMBER < 0x30000000
        RSA *rsa;
#endif
        X509_NAME *name=NULL;

        switch_assert(pkeyp);
        switch_assert(x509p);

        if (*pkeyp == NULL) {
                if ((pk = EVP_PKEY_new()) == NULL) {
                        abort();
                }
        } else {
                pk = *pkeyp;
        }

        if (*x509p == NULL) {
                if ((x = X509_new()) == NULL) {
                        goto err;
                }
        } else {
                x = *x509p;
        }

#if OPENSSL_VERSION_NUMBER >= 0x30000000
        {
                EVP_PKEY_CTX *ctx;

                ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
                /* Setup the key context */
                if ((!ctx) || (EVP_PKEY_keygen_init(ctx) <= 0) || (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) <= 0)) {
                        abort();
                        goto err;
                }

                /* Generate key */
                if (EVP_PKEY_generate(ctx, &pk) <= 0) {
                        abort();
                        goto err;
                }

                EVP_PKEY_CTX_free(ctx);
        }
#elif OPENSSL_VERSION_NUMBER >= 0x10100000
        rsa = RSA_new();
        {
                static const BN_ULONG ULONG_RSA_F4 = RSA_F4;
                BIGNUM* BN_value_RSA_F4 = BN_new();
                if (!BN_value_RSA_F4) {
                        abort();
                        goto err;
                }
                BN_set_word(BN_value_RSA_F4,ULONG_RSA_F4);
                RSA_generate_key_ex(rsa, bits, BN_value_RSA_F4, NULL);
                BN_free(BN_value_RSA_F4);
        }
#else
        rsa = RSA_generate_key(bits, RSA_F4, NULL, NULL);
#endif

#if OPENSSL_VERSION_NUMBER < 0x30000000
        if (!EVP_PKEY_assign_RSA(pk, rsa)) {
                abort();
        }

        rsa = NULL;
#endif

        X509_set_version(x, 2);
        ASN1_INTEGER_set(X509_get_serialNumber(x), serial);
        X509_gmtime_adj(X509_get_notBefore(x), -(long)60*60*24*7);
        X509_gmtime_adj(X509_get_notAfter(x), (long)60*60*24*days);
        X509_set_pubkey(x, pk);

        name = X509_get_subject_name(x);

        /* This function creates and adds the entry, working out the
         * correct string type and performing checks on its length.
         * Normally we'd check the return value for errors...
         */
        X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, (unsigned char *)"US", -1, -1, 0);
        X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (unsigned char *)"FreeSWITCH", -1, -1, 0);


        /* Its self signed so set the issuer name to be the same as the
         * subject.
         */
        X509_set_issuer_name(x, name);

#if OPENSSL_VERSION_NUMBER >= 0x30000000
        if (!X509_sign(x, pk, EVP_sha256())) {
#else
        if (!X509_sign(x, pk, EVP_sha1())) {
#endif
                goto err;
        }

        *x509p = x;
        *pkeyp = pk;

        return(1);
err:
        ERR_print_errors_fp(stdout);

        return(0);
}

switch_core_cert_expand_fingerprint()

int switch_core_cert_expand_fingerprint	(	dtls_fingerprint_t *	fp,
		const char *	str
	)

Definition at line 162 of file switch_core_cert.c.

References dtls_fp_s::data, and MAX_FPLEN.

Referenced by switch_rtp_add_dtls().

{
        char *tmp = strdup(str);
        char *p = tmp;
        int i = 0;
        char *v;

        while ((v = strsep(&p, ":")) && (i != (MAX_FPLEN - 1))) {
                sscanf(v, "%02x", (uint32_t *) &fp->data[i++]);
        }

        free(tmp);

        return i;
}

switch_core_cert_extract_fingerprint()

int switch_core_cert_extract_fingerprint	(	X509 *	x509,
		dtls_fingerprint_t *	fp
	)

Definition at line 178 of file switch_core_cert.c.

References dtls_fp_s::data, get_evp_by_name(), dtls_fp_s::len, dtls_fp_s::str, SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, switch_log_printf(), and dtls_fp_s::type.

Referenced by do_dtls(), dtls_state_setup(), and switch_core_cert_gen_fingerprint().

{
        const EVP_MD *evp;
        unsigned int i, j;

        evp = get_evp_by_name(fp->type);

        if (X509_digest(x509, evp, fp->data, &fp->len) != 1 ||  fp->len <= 0) {
                switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "FP DIGEST ERR!\n");
                return -1;
        }

        for (i = 0, j = 0; i < fp->len; ++i, j += 3){
                sprintf((char*)&fp->str[j], (i == (fp->len - 1)) ? "%.2X" : "%.2X:", fp->data[i]);
        }
        *(&fp->str[fp->len * 3]) = '\0';

        return 0;

}

switch_core_cert_gen_fingerprint()

int switch_core_cert_gen_fingerprint	(	const char *	prefix,
		dtls_fingerprint_t *	fp
	)

Definition at line 199 of file switch_core_cert.c.

References switch_directories::certs_dir, mkcert(), SWITCH_CHANNEL_LOG, switch_core_cert_extract_fingerprint(), switch_file_exists(), SWITCH_GLOBAL_dirs, SWITCH_LOG_ERROR, switch_log_printf(), switch_mprintf(), SWITCH_PATH_SEPARATOR, and SWITCH_STATUS_SUCCESS.

Referenced by generate_local_fingerprint().

{
        X509* x509 = NULL;
        BIO* bio = NULL;
        int ret = 0;
        char *rsa;

        rsa = switch_mprintf("%s%s%s.pem", SWITCH_GLOBAL_dirs.certs_dir, SWITCH_PATH_SEPARATOR, prefix);

        if (switch_file_exists(rsa, NULL) != SWITCH_STATUS_SUCCESS) {
                free(rsa);
                rsa = switch_mprintf("%s%s%s.crt", SWITCH_GLOBAL_dirs.certs_dir, SWITCH_PATH_SEPARATOR, prefix);
        }

        if (!(bio = BIO_new(BIO_s_file()))) {
                switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "FP BIO ERR!\n");
                goto end;
        }

        if (BIO_read_filename(bio, rsa) != 1) {
                switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "FP FILE ERR!\n");
                goto end;
        }

        if (!(x509 = PEM_read_bio_X509(bio, NULL, 0, NULL))) {
                switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "FP READ ERR!\n");
                goto end;
        }

        switch_core_cert_extract_fingerprint(x509, fp);

        ret = 1;

 end:

        if (bio) {
                BIO_free_all(bio);
        }

        if (x509) {
                X509_free(x509);
        }

        free(rsa);

        return ret;
}

switch_core_cert_verify()

int switch_core_cert_verify

(

dtls_fingerprint_t *

fp

)

Definition at line 143 of file switch_core_cert.c.

References dtls_fp_s::data, MAX_FPLEN, and dtls_fp_s::str.

Referenced by do_dtls(), and dtls_state_setup().

{
        unsigned char fdata[MAX_FPLEN] = { 0 };
        char *tmp = strdup(fp->str);
        char *p = tmp;
        int i = 0;
        char *v;

        while ((v = strsep(&p, ":")) && (i != (MAX_FPLEN - 1))) {
                sscanf(v, "%02x", (uint32_t *) &fdata[i++]);
        }

        free(tmp);

        i = !memcmp(fdata, fp->data, i);

        return i;
}

switch_core_check_dtls_pem()

switch_bool_t switch_core_check_dtls_pem

(

const char *

file

)

Definition at line 338 of file switch_core_cert.c.

References switch_directories::certs_dir, SWITCH_CHANNEL_LOG, SWITCH_FALSE, switch_file_exists(), SWITCH_GLOBAL_dirs, switch_is_file_path(), SWITCH_LOG_DEBUG, SWITCH_LOG_ERROR, switch_log_printf(), SWITCH_LOG_WARNING, switch_mprintf(), SWITCH_PATH_SEPARATOR, switch_safe_free, SWITCH_STATUS_SUCCESS, and SWITCH_TRUE.

Referenced by switch_core_media_init().

{
        char *pem = NULL, *old_pem = NULL;
        FILE *fp = NULL;
        EVP_PKEY *pkey = NULL;
        int bits = 0;

        if (switch_is_file_path(file)) {
                pem = strdup(file);
        } else {
                pem = switch_mprintf("%s%s%s", SWITCH_GLOBAL_dirs.certs_dir, SWITCH_PATH_SEPARATOR, file);
        }

        if (switch_file_exists(pem, NULL) != SWITCH_STATUS_SUCCESS) {
                switch_safe_free(pem);

                return SWITCH_FALSE;
        }

        fp = fopen(pem, "r");
        if (!fp) {
                switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Cannot open %s: %s\n", pem, strerror(errno));
                goto rename_pem;
        }

        pkey = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
        fclose(fp);

        if (!pkey) {
                switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Cannot read key %s: %s\n", pem, ERR_error_string(ERR_get_error(), NULL));
                goto rename_pem;
        }

        bits = EVP_PKEY_bits(pkey);
        EVP_PKEY_free(pkey);

        if (bits < 4096) {
                switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "%s cryptographic length is too short (%d), it will be regenerated\n", pem, bits);
                goto rename_pem;
        }

        switch_safe_free(pem);

        return SWITCH_TRUE;

rename_pem:

        old_pem = switch_mprintf("%s.old", pem);

        if (rename(pem, old_pem) != -1) {
                switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "Renamed %s to %s\n", pem, old_pem);
        } else {
                switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Could not rename %s: %s\n", pem, strerror(errno));
        }

        switch_safe_free(old_pem);
        switch_safe_free(pem);

        return SWITCH_FALSE;
}

switch_core_gen_certs()

int switch_core_gen_certs

(

const char *

prefix

)

Definition at line 250 of file switch_core_cert.c.

References switch_directories::certs_dir, mkcert(), SWITCH_CHANNEL_LOG, switch_file_exists(), SWITCH_GLOBAL_dirs, switch_is_file_path(), SWITCH_LOG_ERROR, switch_log_printf(), switch_mprintf(), SWITCH_PATH_SEPARATOR, switch_safe_free, SWITCH_STATUS_SUCCESS, and switch_stristr().

Referenced by load_config(), and switch_core_media_init().

{
        //BIO *bio_err;
        X509 *x509 = NULL;
        EVP_PKEY *pkey = NULL;
        char *rsa = NULL, *pvt = NULL;
        FILE *fp;
        char *pem = NULL;

        if (switch_stristr(".pem", prefix)) {

                if (switch_is_file_path(prefix)) {
                        pem = strdup(prefix);
                } else {
                        pem = switch_mprintf("%s%s%s", SWITCH_GLOBAL_dirs.certs_dir, SWITCH_PATH_SEPARATOR, prefix);
                }

                if (switch_file_exists(pem, NULL) == SWITCH_STATUS_SUCCESS) {
                        goto end;
                }
        } else {
                if (switch_is_file_path(prefix)) {
                        pvt = switch_mprintf("%s.key", prefix);
                        rsa = switch_mprintf("%s.crt", prefix);
                } else {
                        pvt = switch_mprintf("%s%s%s.key", SWITCH_GLOBAL_dirs.certs_dir, SWITCH_PATH_SEPARATOR, prefix);
                        rsa = switch_mprintf("%s%s%s.crt", SWITCH_GLOBAL_dirs.certs_dir, SWITCH_PATH_SEPARATOR, prefix);
                }

                if (switch_file_exists(pvt, NULL) == SWITCH_STATUS_SUCCESS || switch_file_exists(rsa, NULL) == SWITCH_STATUS_SUCCESS) {
                        goto end;
                }
        }

#ifdef CRYPTO_MEM_CHECK_ON
        CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
#endif

        //bio_err=BIO_new_fp(stderr, BIO_NOCLOSE);

        if (!mkcert(&x509, &pkey, 4096, 0, 36500)) {
                switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Certificate generation failed\n");
                goto end;
        }

        //RSA_print_fp(stdout, pkey->pkey.rsa, 0);
        //X509_print_fp(stdout, x509);

        if (pem) {
                if ((fp = fopen(pem, "w"))) {
                        PEM_write_PrivateKey(fp, pkey, NULL, NULL, 0, NULL, NULL);
                        PEM_write_X509(fp, x509);
                        fclose(fp);
                }

        } else {
                if (pvt && (fp = fopen(pvt, "w"))) {
                        PEM_write_PrivateKey(fp, pkey, NULL, NULL, 0, NULL, NULL);
                        fclose(fp);
                }

                if (rsa && (fp = fopen(rsa, "w"))) {
                        PEM_write_X509(fp, x509);
                        fclose(fp);
                }
        }

        X509_free(x509);
        EVP_PKEY_free(pkey);

#ifndef OPENSSL_NO_ENGINE
        ENGINE_cleanup();
#endif
        CRYPTO_cleanup_all_ex_data();

        //CRYPTO_mem_leaks(bio_err);
        //BIO_free(bio_err);


 end:

        switch_safe_free(pvt);
        switch_safe_free(rsa);
        switch_safe_free(pem);

        return(0);
}

switch_ssl_destroy_ssl_locks()

void switch_ssl_destroy_ssl_locks

(

void

)

Definition at line 85 of file switch_core_cert.c.

References ssl_count, ssl_mutexes, ssl_pool, switch_core_destroy_memory_pool, and switch_mutex_destroy().

Referenced by switch_core_cert_extract_fingerprint(), and switch_core_destroy().

{
        int i;

        if (ssl_count == 1) {
                CRYPTO_set_locking_callback(NULL);
                for (i = 0; i < CRYPTO_num_locks(); i++) {
                        if (ssl_mutexes[i]) {
                                switch_mutex_destroy(ssl_mutexes[i]);
                        }
                }

                OPENSSL_free(ssl_mutexes);
                ssl_count--;
        }

        if (ssl_pool) {
                switch_core_destroy_memory_pool(&ssl_pool);
        }
}

switch_ssl_init_ssl_locks()

void switch_ssl_init_ssl_locks

(

void

)

Definition at line 58 of file switch_core_cert.c.

References ssl_count, ssl_mutexes, ssl_pool, switch_assert, switch_core_new_memory_pool, switch_mutex_init(), SWITCH_MUTEX_NESTED, switch_ssl_ssl_lock_callback(), and switch_ssl_ssl_thread_id().

Referenced by switch_core_cert_extract_fingerprint(), and switch_core_init().

{

        int i, num;

        if (ssl_count == 0) {
                num = CRYPTO_num_locks();

                ssl_mutexes = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(switch_mutex_t*));
                switch_assert(ssl_mutexes != NULL);

                switch_core_new_memory_pool(&ssl_pool);

                for (i = 0; i < num; i++) {
                        switch_mutex_init(&(ssl_mutexes[i]), SWITCH_MUTEX_NESTED, ssl_pool);
                        switch_assert(ssl_mutexes[i] != NULL);
                }

#if OPENSSL_VERSION_NUMBER <= 0x10100000
                CRYPTO_THREADID_set_callback(switch_ssl_ssl_thread_id);
                CRYPTO_set_locking_callback((void (*)(int, int, const char*, int))switch_ssl_ssl_lock_callback);
#endif
        }

        ssl_count++;
}

switch_ssl_ssl_lock_callback()

static void switch_ssl_ssl_lock_callback ( int  mode, int  type, char *  file, int  line  )

inlinestatic

Definition at line 41 of file switch_core_cert.c.

References ssl_mutexes, switch_mutex_lock(), and switch_mutex_unlock().

Referenced by switch_ssl_init_ssl_locks().

{
        if (mode & CRYPTO_LOCK) {
                switch_mutex_lock(ssl_mutexes[type]);
        }
        else {
                switch_mutex_unlock(ssl_mutexes[type]);
        }
}

switch_ssl_ssl_thread_id()

static void switch_ssl_ssl_thread_id ( CRYPTO_THREADID *  id )

inlinestatic

Definition at line 51 of file switch_core_cert.c.

References switch_thread_self().

Referenced by switch_ssl_init_ssl_locks().

{
        CRYPTO_THREADID_set_numeric(id, (unsigned long)switch_thread_self());
}

Variable Documentation

ssl_count

int ssl_count = 0

static

Definition at line 37 of file switch_core_cert.c.

Referenced by switch_ssl_destroy_ssl_locks(), and switch_ssl_init_ssl_locks().

ssl_mutexes

switch_mutex_t** ssl_mutexes

static

Definition at line 35 of file switch_core_cert.c.

Referenced by switch_ssl_destroy_ssl_locks(), switch_ssl_init_ssl_locks(), and switch_ssl_ssl_lock_callback().

ssl_pool

switch_memory_pool_t* ssl_pool = NULL

static

Definition at line 36 of file switch_core_cert.c.

Referenced by switch_ssl_destroy_ssl_locks(), and switch_ssl_init_ssl_locks().