static const int DEFAULT_TIMESTAMPEVENTS = 0; /*!< Default setting for timestampevents */
static const int DEFAULT_HTTPTIMEOUT = 60; /*!< Default manager http timeout */
static const int DEFAULT_BROKENEVENTSACTION = 0; /*!< Default setting for brokeneventsaction */
+static const int DEFAULT_AUTHTIMEOUT = 30; /*!< Default setting for authtimeout */
+static const int DEFAULT_AUTHLIMIT = 50; /*!< Default setting for authlimit */
static int displayconnects;
static int allowmultiplelogin = 1;
static int broken_events_action;
static int manager_enabled = 0;
static int webmanager_enabled = 0;
+static int authtimeout;
+static int authlimit;
static int block_sockets;
static int num_sessions;
+static int unauth_sessions = 0;
static int manager_debug; /*!< enable some debugging code in the manager */
int send_events; /*!< XXX what ? */
struct eventqent *last_ev; /*!< last event processed. */
int writetimeout; /*!< Timeout for ast_carefulwrite() */
+ time_t authstart;
int pending_event; /*!< Pending events indicator in case when waiting_thread is NULL */
AST_LIST_HEAD_NOLOCK(mansession_datastores, ast_datastore) datastores; /*!< Data stores on the session */
AST_LIST_ENTRY(mansession_session) list;
return -1;
}
s->session->authenticated = 1;
+ ast_atomic_fetchadd_int(&unauth_sessions, -1);
if (manager_displayconnects(s->session))
ast_verb(2, "%sManager '%s' logged on from %s\n", (s->session->managerid ? "HTTP " : ""), s->session->username, ast_inet_ntoa(s->session->sin.sin_addr));
ast_log(LOG_EVENT, "%sManager '%s' logged on from %s\n", (s->session->managerid ? "HTTP " : ""), s->session->username, ast_inet_ntoa(s->session->sin.sin_addr));
int res, x;
int maxlen = sizeof(s->session->inbuf) - 1;
char *src = s->session->inbuf;
+ int timeout = -1;
+ time_t now;
/*
* Look for \r\n within the buffer. If found, copy to the output
}
res = 0;
while (res == 0) {
+ /* calculate a timeout if we are not authenticated */
+ if (!s->session->authenticated) {
+ if(time(&now) == -1) {
+ ast_log(LOG_ERROR, "error executing time(): %s\n", strerror(errno));
+ return -1;
+ }
+
+ timeout = (authtimeout - (now - s->session->authstart)) * 1000;
+ if (timeout < 0) {
+ /* we have timed out */
+ return 0;
+ }
+ }
+
/* XXX do we really need this locking ? */
ast_mutex_lock(&s->session->__lock);
if (s->session->pending_event) {
s->session->waiting_thread = pthread_self();
ast_mutex_unlock(&s->session->__lock);
- res = ast_wait_for_input(s->session->fd, -1); /* return 0 on timeout ? */
+ res = ast_wait_for_input(s->session->fd, timeout);
ast_mutex_lock(&s->session->__lock);
s->session->waiting_thread = AST_PTHREADT_NULL;
struct message m = { 0 };
char header_buf[sizeof(s->session->inbuf)] = { '\0' };
int res;
+ time_t now;
for (;;) {
/* Check if any events are pending and do them if needed */
return -1;
res = get_input(s, header_buf);
if (res == 0) {
+ if (!s->session->authenticated) {
+ if(time(&now) == -1) {
+ ast_log(LOG_ERROR, "error executing time(): %s\n", strerror(errno));
+ return -1;
+ }
+
+ if (now - s->session->authstart > authtimeout) {
+ ast_log(LOG_EVENT, "Client from %s, failed to authenticate in %d seconds\n", ast_inet_ntoa(s->session->sin.sin_addr), authtimeout);
+ return -1;
+ }
+ }
continue;
} else if (res > 0) {
if (ast_strlen_zero(header_buf))
static void *session_do(void *data)
{
struct ast_tcptls_session_instance *ser = data;
- struct mansession_session *session = ast_calloc(1, sizeof(*session));
+ struct mansession_session *session = NULL;
struct mansession s = {.session = NULL, };
int flags;
int res;
struct protoent *p;
- if (session == NULL)
+ if (ast_atomic_fetchadd_int(&unauth_sessions, +1) >= authlimit) {
+ fclose(ser->f);
+ ast_atomic_fetchadd_int(&unauth_sessions, -1);
goto done;
+ }
+
+ if ((session = ast_calloc(1, sizeof(*session))) == NULL) {
+ fclose(ser->f);
+ ast_atomic_fetchadd_int(&unauth_sessions, -1);
+ goto done;
+ }
/* here we set TCP_NODELAY on the socket to disable Nagle's algorithm.
* This is necessary to prevent delays (caused by buffering) as we
ast_atomic_fetchadd_int(&num_sessions, 1);
AST_LIST_UNLOCK(&sessions);
+ if(time(&session->authstart) == -1) {
+ ast_log(LOG_ERROR, "error executing time(): %s; disconnecting client\n", strerror(errno));
+ ast_atomic_fetchadd_int(&unauth_sessions, -1);
+ destroy_session(session);
+ goto done;
+ }
+
astman_append(&s, "Asterisk Call Manager/%s\r\n", AMI_VERSION); /* welcome prompt */
for (;;) {
if ((res = do_message(&s)) < 0 || s.write_error)
ast_verb(2, "Manager '%s' logged off from %s\n", session->username, ast_inet_ntoa(session->sin.sin_addr));
ast_log(LOG_EVENT, "Manager '%s' logged off from %s\n", session->username, ast_inet_ntoa(session->sin.sin_addr));
} else {
+ ast_atomic_fetchadd_int(&unauth_sessions, -1);
if (displayconnects)
ast_verb(2, "Connect attempt from '%s' unable to authenticate\n", ast_inet_ntoa(session->sin.sin_addr));
ast_log(LOG_EVENT, "Failed attempt from %s\n", ast_inet_ntoa(session->sin.sin_addr));
block_sockets = DEFAULT_BLOCKSOCKETS;
timestampevents = DEFAULT_TIMESTAMPEVENTS;
httptimeout = DEFAULT_HTTPTIMEOUT;
+ authtimeout = DEFAULT_AUTHTIMEOUT;
+ authlimit = DEFAULT_AUTHLIMIT;
if (!cfg || cfg == CONFIG_STATUS_FILEINVALID) {
ast_log(LOG_NOTICE, "Unable to open AMI configuration manager.conf, or configuration is invalid. Asterisk management interface (AMI) disabled.\n");
manager_debug = ast_true(val);
} else if (!strcasecmp(var->name, "httptimeout")) {
newhttptimeout = atoi(val);
+ } else if (!strcasecmp(var->name, "authtimeout")) {
+ int timeout = atoi(var->value);
+
+ if (timeout < 1) {
+ ast_log(LOG_WARNING, "Invalid authtimeout value '%s', using default value\n", var->value);
+ } else {
+ authtimeout = timeout;
+ }
+ } else if (!strcasecmp(var->name, "authlimit")) {
+ int limit = atoi(var->value);
+
+ if (limit < 1) {
+ ast_log(LOG_WARNING, "Invalid authlimit value '%s', using default value\n", var->value);
+ } else {
+ authlimit = limit;
+ }
} else {
ast_log(LOG_NOTICE, "Invalid keyword <%s> = <%s> in manager.conf [general]\n",
var->name, val);
projects / thirdparty / asterisk.git / commitdiff
