AST-2014-007: Fix DOS by consuming the number of allowed HTTP connections.

Simply establishing a TCP connection and never sending anything to the configured HTTP port in http.conf will tie up a HTTP connection. Since there is a maximum number of open HTTP sessions allowed at a time you can block legitimate connections. A similar problem exists if a HTTP request is started but never finished. * Added http.conf session_inactivity timer option to close HTTP connections that aren't doing anything. Defaults to 30000 ms. * Removed the undocumented manager.conf block-sockets option. It interferes with TCP/TLS inactivity timeouts. * AMI and SIP TLS connections now have better authentication timeout protection. Though I didn't remove the bizzare TLS timeout polling code from chan_sip. * chan_sip can now handle SSL certificate renegotiations in the middle of a session. It couldn't do that before because the socket was non-blocking and the SSL calls were not restarted as documented by the OpenSSL documentation. * Fixed an off nominal leak of the ssl struct in handle_tcptls_connection() if the FILE stream failed to open and the SSL certificate negotiations failed. The patch creates a custom FILE stream handler to give the created FILE streams inactivity timeout and timeout after a specific moment in time capability. This approach eliminates the need for code using the FILE stream to be redesigned to deal with the timeouts. This patch indirectly fixes most of ASTERISK-18345 by fixing the usage of the SSL_read/SSL_write operations. ASTERISK-23673 #close Reported by: Richard Mudgett ........ Merged revisions 415841 from http://svn.asterisk.org/svn/asterisk/branches/1.8 ........ Merged revisions 415854 from http://svn.asterisk.org/svn/asterisk/branches/11 ........ Merged revisions 415896 from http://svn.asterisk.org/svn/asterisk/branches/12 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@415907 65c4cc65-6c06-0410-ace0-fbb531ad65f3
author: Richard Mudgett <rmudgett@digium.com> 2014-06-12 17:00:08 +0000
committer: Richard Mudgett <rmudgett@digium.com> 2014-06-12 17:00:08 +0000
commit: 4ca5745dbe4c177d9be36f0fb64eda714c613c4b (patch)
tree: f0f359d02cc77e055b08fb1bee514357ffe00c25 /include
parent: 435343cfea85d54b59a271685530e09c3844ec7b (diff)
2 files changed, 48 insertions, 0 deletions
diff --git a/include/asterisk/tcptls.h b/include/asterisk/tcptls.h
index 6364158de..17b532cda 100644
--- a/include/asterisk/tcptls.h
+++ b/include/asterisk/tcptls.h
@@ -144,6 +144,51 @@ struct ast_tcptls_session_args {
 	const char *name;
 };
 
+struct ast_tcptls_stream;
+
+/*!
+ * \brief Disable the TCP/TLS stream timeout timer.
+ *
+ * \param stream TCP/TLS stream control data.
+ *
+ * \return Nothing
+ */
+void ast_tcptls_stream_set_timeout_disable(struct ast_tcptls_stream *stream);
+
+/*!
+ * \brief Set the TCP/TLS stream inactivity timeout timer.
+ *
+ * \param stream TCP/TLS stream control data.
+ * \param timeout Number of milliseconds to wait for data transfer with the peer.
+ *
+ * \details This is basically how much time we are willing to spend
+ * in an I/O call before we declare the peer unresponsive.
+ *
+ * \note Setting timeout to -1 disables the timeout.
+ * \note Setting this timeout replaces the I/O sequence timeout timer.
+ *
+ * \return Nothing
+ */
+void ast_tcptls_stream_set_timeout_inactivity(struct ast_tcptls_stream *stream, int timeout);
+
+/*!
+ * \brief Set the TCP/TLS stream I/O sequence timeout timer.
+ *
+ * \param stream TCP/TLS stream control data.
+ * \param start Time the I/O sequence timer starts.
+ * \param timeout Number of milliseconds from the start time before timeout.
+ *
+ * \details This is how much time are we willing to allow the peer
+ * to complete an operation that can take several I/O calls.  The
+ * main use is as an authentication timer with us.
+ *
+ * \note Setting timeout to -1 disables the timeout.
+ * \note Setting this timeout replaces the inactivity timeout timer.
+ *
+ * \return Nothing
+ */
+void ast_tcptls_stream_set_timeout_sequence(struct ast_tcptls_stream *stream, struct timeval start, int timeout);
+
 /*! \brief 
  * describes a server instance
  */
@@ -161,6 +206,8 @@ struct ast_tcptls_session_instance {
 	 * extra data.
 	 */
 	struct ast_str *overflow_buf;
+	/*! ao2 FILE stream cookie object associated with f. */
+	struct ast_tcptls_stream *stream_cookie;
 };
 
 #if defined(HAVE_FUNOPEN)
diff --git a/include/asterisk/utils.h b/include/asterisk/utils.h
index e441ba055..47a438eb3 100644
--- a/include/asterisk/utils.h
+++ b/include/asterisk/utils.h
@@ -369,6 +369,7 @@ static force_inline void ast_slinear_saturated_divide(short *input, short *value
 
 int ast_utils_init(void);
 int ast_wait_for_input(int fd, int ms);
+int ast_wait_for_output(int fd, int ms);
 
 /*!
  * \brief Try to write string, but wait no more than ms milliseconds
author	Richard Mudgett <rmudgett@digium.com>	2014-06-12 17:00:08 +0000
committer	Richard Mudgett <rmudgett@digium.com>	2014-06-12 17:00:08 +0000
commit	4ca5745dbe4c177d9be36f0fb64eda714c613c4b (patch)
tree	f0f359d02cc77e055b08fb1bee514357ffe00c25 /include
parent	435343cfea85d54b59a271685530e09c3844ec7b (diff)