oversip 0.9.0 → 0.9.1

data/etc/tls/demo-tls.oversip.net.crt

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICrzCCAhigAwIBAgIET/1hdzANBgkqhkiG9w0BAQUFADBxMR0wGwYDVQQDDBRk
+ZW1vLXRscy5vdmVyc2lwLm5ldDELMAkGA1UEBhMCRVMxEjAQBgNVBAoMCVZlcnNh
+dGljYTEQMA4GA1UECwwHT3ZlclNJUDEdMBsGCgmSJomT8ixkAQMMDWliY0BhbGlh
+eC5uZXQwHhcNMTIwNzEwMTEyMDMyWhcNMTcwNzEwMTEyMDMyWjBxMR0wGwYDVQQD
+DBRkZW1vLXRscy5vdmVyc2lwLm5ldDELMAkGA1UEBhMCRVMxEjAQBgNVBAoMCVZl
+cnNhdGljYTEQMA4GA1UECwwHT3ZlclNJUDEdMBsGCgmSJomT8ixkAQMMDWliY0Bh
+bGlheC5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALXVloxokaERx4xL
+0pH4rEe5liijlScKLGFJtpESUiG1pMTtWCxNzNTZ4J6mgdE07umS7567tHAEpRbr
+C+yJ+VzoLNEpOf+x9zm83NTs3xg55SbhfVEL1vQqlnsfr5YG0iTy2znUPM3r3LVS
+rTXz9UsIpnJO9ICvi28wz2a+HgStAgMBAAGjVDBSMAwGA1UdEwQFMAMBAf8wHQYD
+VR0OBBYEFLMUKsF6Xm3uI2UnBTXZihnyOv90MCMGA1UdEQQcMBqGGHNpcDpkZW1v
+LXRscy5vdmVyc2lwLm5ldDANBgkqhkiG9w0BAQUFAAOBgQAPj8XD5/snSPgjJocn
+TpWqbOIbsQBMn11+sRpftf2SsC82wQ4iZy3E1nEDVItO+YzGkxtt2VV+uFoWYNKp
+kzlTJDjvuE2lHwpiWgHIK4qcuC3NBYRKqopfmEtNj2vojQ3DPqyOA5v1YZyGw+SI
+AhSZ8W6FTvfiHCO5ut/d7036VA==
+-----END CERTIFICATE-----

data/etc/tls/demo-tls.oversip.net.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC11ZaMaJGhEceMS9KR+KxHuZYoo5UnCixhSbaRElIhtaTE7Vgs
+TczU2eCepoHRNO7pku+eu7RwBKUW6wvsiflc6CzRKTn/sfc5vNzU7N8YOeUm4X1R
+C9b0KpZ7H6+WBtIk8ts51DzN69y1Uq018/VLCKZyTvSAr4tvMM9mvh4ErQIDAQAB
+AoGAVFzCOmaRmk8ra9YJ3hunoqdiGXy7yJ8ZtBGFGI2NeYJS7eLIU9XMwLxNUI4k
+ELIkXk4Dynt/3bDp/1YR9C6XeFEZkmLcA3jbaX74/mcx6GgeCdAUg1bvrzpSFqyk
+UYUw2ioFTKyfI1Z3VQmtWDxtz9BkHQ7uakOyu/HA8N8m0EECQQDe1velUoiQUTTn
+DlsdrMvwFhBvJHstXzZMA6Rwp7HKwh6kmaqycr4Lv5UZX/6nzpqiM7EO7eCD6l9n
+x7zIoOD5AkEA0OSHbCzJr0Wlxuq8joQe+ZXRz5BS+A3XWLG2ahnw/FdtLuxzNsWi
+PdDiUOO4xdPoVj/9l2xwkPTfDLsxmDRiVQJAWfZ7QBkT3P+L1gQrsM1EAAdIVzZp
+LCYWK5YE2x44Xt0Dtfv7t9Mu+ls7/GSO0HxOXVF1F8vdKiSCo8k1Y+HfMQJAcrLY
+zQP2ph+2+/cOG67eFys1biQP+pYXBWNnBvFBij0y/U3loVB5Wjnk2od/gFhvvVQb
+mVZ4pI9gHex3OdyhlQJAXNLuufGOEjnUC8lsmupiAQApMXscYPP0ahNES+hfX5uS
+ylXyHsIJp7h6tBbK/bv/BW4HYFsWUpLbjl71EC2ymg==
+-----END RSA PRIVATE KEY-----

data/etc/tls/upgrade-cacert.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# This script downloads the Root CAs list from Mozilla and stores
+# it under ca/ directory for TLS validation.
+# cacert.pem is downloaded from http://curl.haxx.se/docs/caextract.html
+# (the exact link is http://curl.haxx.se/ca/cacert.pem).
+# cacert.pem is just downloaded in case the server version is newer than
+# the local version of the file.
+
+cd ca/
+wget -N http://curl.haxx.se/ca/cacert.pem
+

data/etc/tls/utils/create-cert.rb

@@ -0,0 +1,162 @@
+#!/usr/bin/ruby1.9.1
+
+require "openssl"
+require "socket"
+require "readline"
+require "term/ansicolor"
+
+
+module OverSIP
+  module Cert
+
+    class Error < ::StandardError ; end
+
+    extend Term::ANSIColor
+
+    def self.create_cert
+
+      begin
+        puts
+        puts bold(green("OverSIP TLS Certificate Generator"))
+
+        puts
+        puts bold("Certificate informational fields.")
+
+        ca = OpenSSL::X509::Name.new
+
+        cert_common_name = Readline.readline("- Common Name (eg, your name or your server's hostname): ").downcase.strip
+        cert_common_name = nil if cert_common_name.empty?
+        ca.add_entry "CN", cert_common_name if cert_common_name
+
+        cert_country_code = Readline.readline("- Country Name (2 letter code): ").upcase.strip
+        ca.add_entry "C", cert_country_code unless cert_country_code.empty?
+
+        cert_state = Readline.readline("- State or Province Name (full name): ").strip
+        ca.add_entry "ST", cert_state unless cert_state.empty?
+
+        cert_locality = Readline.readline("- Locality Name (eg, city): ").strip
+        ca.add_entry "L", cert_locality unless cert_locality.empty?
+
+        cert_organization = Readline.readline("- Organization Name (eg, company): ").strip
+        ca.add_entry "O", cert_organization unless cert_organization.empty?
+
+        cert_organization_unit = Readline.readline("- Organizational Unit Name (eg, section): ").strip
+        ca.add_entry "OU", cert_organization_unit unless cert_organization_unit.empty?
+
+        cert_mail = Readline.readline("- Email: ").strip
+        ca.add_entry "mail", cert_mail unless cert_mail.empty?
+
+        puts
+        puts bold("SubjectAltName SIP URI domains. ") + "For each given _domain_ an entry \"URI:sip:_domain_\" will be added to the SubjectAltName field."
+        cert_sipuri_domains = Readline.readline("- SubjectAltName SIP URI domains (multiple values separated by space): ").downcase.strip.split
+        cert_sipuri_domains = nil if cert_sipuri_domains.empty?
+
+        puts
+        puts bold("SubjectAltName DNS domains. ") + "For each given _domain_ an entry \"DNS:_domain_\" will be added to the SubjectAltName field."
+        cert_dns_domains = Readline.readline("- SubjectAltName DNS domains (multiple values separated by space): ").downcase.strip.split
+        cert_dns_domains = nil if cert_dns_domains.empty?
+
+        puts
+        puts bold("Signing data.")
+
+        rsa_key_bits = Readline.readline("- RSA key bits (1024/2048/4096) [1024]: ").strip.to_i
+        unless rsa_key_bits.zero?
+          unless [1024, 2048, 4096].include? rsa_key_bits
+            raise OverSIP::Cert::Error, "invalid number of bits (#{rsa_key_bits}) for RSA key"
+          end
+        else
+          rsa_key_bits = 1024
+        end
+
+        key = OpenSSL::PKey::RSA.generate(rsa_key_bits)
+
+        cert = OpenSSL::X509::Certificate.new
+        cert.version = 2
+        cert.subject = ca
+        cert.issuer = ca
+        cert.serial = Time.now.to_i
+        cert.public_key = key.public_key
+
+        years_to_expire = Readline.readline("- Expiration (in years from now) [1]: ").strip.to_i
+        years_to_expire = 1 if years_to_expire.zero?
+        cert.not_after = Time.now + (years_to_expire * 365 * 24 * 60 * 60)
+        cert.not_before = Time.now - (24 * 60 * 60)
+
+        factory = OpenSSL::X509::ExtensionFactory.new
+        factory.subject_certificate = cert
+        factory.issuer_certificate = cert
+
+        subject_alt_name_fields = []
+
+        cert_sipuri_domains.each do |sipuri_domain|
+          subject_alt_name_fields.<< "URI:sip:#{sipuri_domain}"
+        end if cert_sipuri_domains
+
+        cert_dns_domains.each do |dns_domain|
+          subject_alt_name_fields.<< "DNS:#{dns_domain}"
+        end if cert_dns_domains
+
+        extensions = {
+          "basicConstraints" => "CA:TRUE",
+          "subjectKeyIdentifier" => "hash"
+        }
+        if subject_alt_name_fields.any?
+          extensions["subjectAltName"] = subject_alt_name_fields.join(",")
+        end
+
+        cert.extensions = extensions.map {|k,v| factory.create_ext(k,v) }
+
+        cert.sign(key, OpenSSL::Digest::SHA1.new)
+
+        puts
+        puts bold("File name. ") + "For the given _name_ a public certificate _name_.crt and a private key _name_.key will be created. Also a file _name_.key.crt containing both the public certificate and the private key will be created."
+        file_name = Readline.readline("- File name [#{cert_common_name}]: ").strip
+        file_name = cert_common_name  if file_name.empty?
+        unless file_name
+          raise OverSIP::Cert::Error, "a file name must be set"
+        end
+
+        puts
+
+        # Make two files:
+        # - file_name.crt => public certificate.
+        # - file_name.key => private key.
+        {"key" => key, "crt" => cert}.each_pair do |ext, o|
+          name = "#{file_name}.#{ext}"
+          File.open(name, "w") {|f| f.write(o.to_pem) }
+          File.chmod(0600, name) if ext == "key"
+
+          case ext
+          when "key"
+            puts yellow(">> private key generated in file '#{bold("#{name}")}'")
+          when "crt"
+            puts yellow(">> public certificate generated in file '#{bold("#{name}")}'")
+          end
+        end
+
+        # Make a single file containing both the public certificate and the private key.
+        name = "#{file_name}.key.crt"
+        File.open(name, "w") do |f|
+          f.write(cert.to_pem)
+          f.write(key.to_pem)
+        end
+        File.chmod(0600, name)
+        puts yellow(">> public certificate + private key generated in file '#{bold("#{name}")}'")
+
+      rescue ::Interrupt => e
+        puts "\n\n" + red("Interrupted")
+        exit
+
+      rescue ::OverSIP::Cert::Error => e
+        puts "\n" + bold(red("ERROR: #{e}"))
+        exit 1
+      end
+
+    end # def create_cert
+
+  end
+end
+
+
+OverSIP::Cert.create_cert
+

data/etc/tls/utils/get-sip-identities.rb

@@ -0,0 +1,95 @@
+#!/usr/bin/ruby1.9.1
+
+# Runs as follows:
+#
+# ~$ ruby get-sip-identities.rb PEM_FILE
+
+
+require "openssl"
+
+
+module TLS
+
+  # Extracts the SIP identities in a public certificate following
+  # the mechanism in http://tools.ietf.org/html/rfc5922#section-7.1
+  # and returns an array containing them.
+  #
+  # Arguments:
+  # - _cert_: must be a public X.509 certificate in PEM format.
+  #
+  def self.get_sip_identities cert
+    puts "DEBUG: following rules in RFC 5922 \"Domain Certificates in SIP\" section 7.1 \"Finding SIP Identities in a Certificate\""
+    verify_subjectAltName_DNS = true
+    verify_CN = true
+    subjectAltName_URI_sip_entries = []
+    subjectAltName_DNS_entries = []
+    sip_identities = {}
+
+    cert.extensions.each do |ext|
+      next if ext.oid != "subjectAltName"
+      verify_CN = false
+
+      ext.value.split(/,\s+/).each do |name|
+        if /^URI:sip:([^@]*)/i =~ name
+          verify_subjectAltName_DNS = false
+          subjectAltName_URI_sip_entries << $1.downcase
+        elsif verify_subjectAltName_DNS && /^DNS:(.*)/i =~ name
+          subjectAltName_DNS_entries << $1.downcase
+        end
+      end
+    end
+
+    unless verify_CN
+      puts "DEBUG: certificate contains 'subjectAltName' extensions, 'CommonName' ignored"
+      unless verify_subjectAltName_DNS
+        subjectAltName_URI_sip_entries.each {|domain| sip_identities[domain] = true}
+        puts "DEBUG: 'subjectAltName' entries of type \"URI:sip:\" found, 'subjectAltName' entries of type \"DNS\" ignored"
+      else
+        subjectAltName_DNS_entries.each {|domain| sip_identities[domain] = true}
+        puts "DEBUG: 'subjectAltName' entries of type \"URI:sip:\" not found, using 'subjectAltName' entries of type \"DNS\""
+      end
+
+    else
+      puts "DEBUG: no 'subjectAltName' extension found, using 'CommonName' value"
+      cert.subject.to_a.each do |oid, value|
+        if oid == "CN"
+          sip_identities[value.downcase] = true
+          break
+        end
+      end
+    end
+
+    return sip_identities
+  end
+
+end
+
+
+unless (file = ARGV[0])
+  $stderr.puts "ERROR: no file given as argument"
+  exit false
+end
+
+unless ::File.file?(file) and ::File.readable?(file)
+  $stderr.puts "ERROR: given file is not a readable file"
+  exit false
+end
+
+begin
+  cert = ::OpenSSL::X509::Certificate.new(::File.read(file))
+rescue => e
+  $stderr.puts "ERROR: cannot get a PEM certificate in the given file: #{e.message} (#{e.class})"
+  exit false
+end
+
+sip_identities = TLS.get_sip_identities cert
+
+puts
+if sip_identities.any?
+  puts "SIP identities found in the certificate:"
+  puts
+  sip_identities.each_key {|name| puts "  - #{name}"}
+else
+  puts "No SIP identities found in the certificate"
+end
+puts

data/etc/websocket_policy.rb

@@ -0,0 +1,31 @@
+#
+# OverSIP - WebSocket Access Policy
+#
+#
+# Fill these functions with your own access policy for allowing or
+# disallowing WebSocket connections from clients.
+#
+# If any of the following methods return _false_ then the WebSocket
+# connection is rejected.
+
+
+module OverSIP::WebSocket::Policy
+
+  # Check the value of the Host header, by splitting it into
+  # host (a String) and port (Fixnum). Both could be _nil_.
+  def check_hostport host=nil, port=nil
+    return true
+  end
+
+  # Check the value of the Origin header (a String with original value).
+  def check_origin origin=nil
+    return true
+  end
+
+  # Check the request URI path (String) and query (String). Both can be _nil_.
+  def check_request_uri path=nil, query=nil
+    return true
+  end
+
+end
+

data/ext/stud/extconf.rb

@@ -12,9 +12,10 @@ end
 
 
 here = File.expand_path(File.dirname(__FILE__))
-stud_tarball = "#{here}/stud.tar.gz"
+stud_dir = "#{here}/../../thirdparty/stud/"
+stud_tarball = "stud.tar.gz"
 
-Dir.chdir(here) do
+Dir.chdir(stud_dir) do
   sys("tar -zxf #{stud_tarball}")
   Dir.chdir("stud") do
     sys("make")

data/lib/oversip/launcher.rb

@@ -446,6 +446,9 @@ module OverSIP::Launcher
     # Kill Stud processes.
     pid = Process.spawn "killall oversip_stud 2>/dev/null"
     Process.wait(pid)
+    sleep 0.5
+    pid = Process.spawn "killall -9 oversip_stud 2>/dev/null"
+    Process.wait(pid)
 
     # Exit by preventing any exception.
     exit!( error ? false : true )

data/lib/oversip/version.rb

@@ -5,7 +5,7 @@ module OverSIP
   module Version
     MAJOR = 0
     MINOR = 9
-    TINY  = 0
+    TINY  = 1
   end
 
   PROGRAM_NAME     = "OverSIP"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: oversip
 version: !ruby/object:Gem::Version
-  version: 0.9.0
+  version: 0.9.1
   prerelease: 
 platform: ruby
 authors:
@@ -13,7 +13,7 @@ date: 2012-07-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: eventmachine-le
-  requirement: &22334580 !ruby/object:Gem::Requirement
+  requirement: &13397980 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -21,10 +21,10 @@ dependencies:
         version: 1.1.0
   type: :runtime
   prerelease: false
-  version_requirements: *22334580
+  version_requirements: *13397980
 - !ruby/object:Gem::Dependency
   name: iobuffer
-  requirement: &22333920 !ruby/object:Gem::Requirement
+  requirement: &13397340 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -32,10 +32,10 @@ dependencies:
         version: 1.1.2
   type: :runtime
   prerelease: false
-  version_requirements: *22333920
+  version_requirements: *13397340
 - !ruby/object:Gem::Dependency
   name: em-posixmq
-  requirement: &22333300 !ruby/object:Gem::Requirement
+  requirement: &13396680 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -43,10 +43,10 @@ dependencies:
         version: 0.2.3
   type: :runtime
   prerelease: false
-  version_requirements: *22333300
+  version_requirements: *13396680
 - !ruby/object:Gem::Dependency
   name: em-udns
-  requirement: &22332660 !ruby/object:Gem::Requirement
+  requirement: &13396180 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -54,10 +54,10 @@ dependencies:
         version: 0.3.6
   type: :runtime
   prerelease: false
-  version_requirements: *22332660
+  version_requirements: *13396180
 - !ruby/object:Gem::Dependency
   name: escape_utils
-  requirement: &22332180 !ruby/object:Gem::Requirement
+  requirement: &13395700 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -65,10 +65,10 @@ dependencies:
         version: 0.2.4
   type: :runtime
   prerelease: false
-  version_requirements: *22332180
+  version_requirements: *13395700
 - !ruby/object:Gem::Dependency
   name: term-ansicolor
-  requirement: &22331800 !ruby/object:Gem::Requirement
+  requirement: &13395320 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -76,10 +76,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *22331800
+  version_requirements: *13395320
 - !ruby/object:Gem::Dependency
   name: posix-spawn
-  requirement: &22331320 !ruby/object:Gem::Requirement
+  requirement: &13394720 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -87,7 +87,7 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *22331320
+  version_requirements: *13394720
 description: ! "OverSIP is an async SIP server. Built on top of Ruby EventMachine\n
   \   library it follows the Reactor Pattern, allowing thousands of concurrent connections
   and requests\n    handled by a single processor in a never-blocking fashion. It
@@ -216,11 +216,30 @@ files:
 - ext/websocket_framing_utils/ws_framing_utils.h
 - ext/websocket_framing_utils/ws_framing_utils_ruby.c
 - ext/stud/extconf.rb
-- ext/stud/stud.tar.gz
+- thirdparty/stud/stud.tar.gz
+- etc/oversip.conf
+- etc/logic.rb
+- etc/proxies.conf
+- etc/websocket_policy.rb
+- etc/tls/demo-tls.oversip.net.crt
+- etc/tls/demo-tls.oversip.net.key
+- etc/tls/upgrade-cacert.sh
+- etc/tls/ca/cacert.pem
+- etc/tls/utils/get-sip-identities.rb
+- etc/tls/utils/create-cert.rb
+- debian/postrm
+- debian/compat
+- debian/copyright
+- debian/rules
+- debian/oversip.init
+- debian/oversip.default
+- debian/changelog
+- debian/postinst
+- debian/control
 - Rakefile
 - README.md
-- AUTHORS.txt
-- LICENSE.txt
+- AUTHORS
+- LICENSE
 - test/oversip_test_helper.rb
 - test/test_sip_parser.rb
 - test/test_http_parser.rb