2e5cbf4c6af039b1d9494179391fbc16d8825ada
[asterisk/asterisk.git] / main / tcptls.c
1 /*
2  * Asterisk -- An open source telephony toolkit.
3  *
4  * Copyright (C) 2007 - 2008, Digium, Inc.
5  *
6  * Luigi Rizzo (TCP and TLS server code)
7  * Brett Bryant <brettbryant@gmail.com> (updated for client support)
8  *
9  * See http://www.asterisk.org for more information about
10  * the Asterisk project. Please do not directly contact
11  * any of the maintainers of this project for assistance;
12  * the project provides a web site, mailing lists and IRC
13  * channels for your use.
14  *
15  * This program is free software, distributed under the terms of
16  * the GNU General Public License Version 2. See the LICENSE file
17  * at the top of the source tree.
18  */
19
20 /*!
21  * \file
22  * \brief Code to support TCP and TLS server/client
23  *
24  * \author Luigi Rizzo
25  * \author Brett Bryant <brettbryant@gmail.com>
26  */
27
28 /*** MODULEINFO
29         <support_level>core</support_level>
30  ***/
31
32 #include "asterisk.h"
33
34 ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
35
36 #ifdef HAVE_FCNTL_H
37 #include <fcntl.h>
38 #endif
39
40 #include <signal.h>
41 #include <sys/signal.h>
42
43 #include "asterisk/compat.h"
44 #include "asterisk/tcptls.h"
45 #include "asterisk/http.h"
46 #include "asterisk/utils.h"
47 #include "asterisk/strings.h"
48 #include "asterisk/options.h"
49 #include "asterisk/manager.h"
50 #include "asterisk/astobj2.h"
51
52 /*! \brief
53  * replacement read/write functions for SSL support.
54  * We use wrappers rather than SSL_read/SSL_write directly so
55  * we can put in some debugging.
56  */
57
58 #ifdef DO_SSL
59 static HOOK_T ssl_read(void *cookie, char *buf, LEN_T len)
60 {
61         int i = SSL_read(cookie, buf, len-1);
62 #if 0
63         if (i >= 0) {
64                 buf[i] = '\0';
65         }
66         ast_verb(0, "ssl read size %d returns %d <%s>\n", (int)len, i, buf);
67 #endif
68         return i;
69 }
70
71 static HOOK_T ssl_write(void *cookie, const char *buf, LEN_T len)
72 {
73 #if 0
74         char *s = ast_alloca(len+1);
75
76         strncpy(s, buf, len);
77         s[len] = '\0';
78         ast_verb(0, "ssl write size %d <%s>\n", (int)len, s);
79 #endif
80         return SSL_write(cookie, buf, len);
81 }
82
83 static int ssl_close(void *cookie)
84 {
85         int cookie_fd = SSL_get_fd(cookie);
86         int ret;
87
88         if (cookie_fd > -1) {
89                 /*
90                  * According to the TLS standard, it is acceptable for an application to only send its shutdown
91                  * alert and then close the underlying connection without waiting for the peer's response (this
92                  * way resources can be saved, as the process can already terminate or serve another connection).
93                  */
94                 if ((ret = SSL_shutdown(cookie)) < 0) {
95                         ast_log(LOG_ERROR, "SSL_shutdown() failed: %d\n", SSL_get_error(cookie, ret));
96                 }
97
98                 if (!((SSL*)cookie)->server) {
99                         /* For client threads, ensure that the error stack is cleared */
100                         ERR_remove_state(0);
101                 }
102
103                 SSL_free(cookie);
104                 /* adding shutdown(2) here has no added benefit */
105                 if (close(cookie_fd)) {
106                         ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
107                 }
108         }
109         return 0;
110 }
111 #endif  /* DO_SSL */
112
113 HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *tcptls_session, void *buf, size_t count)
114 {
115         if (tcptls_session->fd == -1) {
116                 ast_log(LOG_ERROR, "server_read called with an fd of -1\n");
117                 errno = EIO;
118                 return -1;
119         }
120
121 #ifdef DO_SSL
122         if (tcptls_session->ssl) {
123                 return ssl_read(tcptls_session->ssl, buf, count);
124         }
125 #endif
126         return read(tcptls_session->fd, buf, count);
127 }
128
129 HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *tcptls_session, const void *buf, size_t count)
130 {
131         if (tcptls_session->fd == -1) {
132                 ast_log(LOG_ERROR, "server_write called with an fd of -1\n");
133                 errno = EIO;
134                 return -1;
135         }
136
137 #ifdef DO_SSL
138         if (tcptls_session->ssl) {
139                 return ssl_write(tcptls_session->ssl, buf, count);
140         }
141 #endif
142         return write(tcptls_session->fd, buf, count);
143 }
144
145 /*! \brief
146 * creates a FILE * from the fd passed by the accept thread.
147 * This operation is potentially expensive (certificate verification),
148 * so we do it in the child thread context.
149 *
150 * \note must decrement ref count before returning NULL on error
151 */
152 static void *handle_tcptls_connection(void *data)
153 {
154         struct ast_tcptls_session_instance *tcptls_session = data;
155 #ifdef DO_SSL
156         int (*ssl_setup)(SSL *) = (tcptls_session->client) ? SSL_connect : SSL_accept;
157         int ret;
158         char err[256];
159 #endif
160
161         /*
162         * open a FILE * as appropriate.
163         */
164         if (!tcptls_session->parent->tls_cfg) {
165                 if ((tcptls_session->f = fdopen(tcptls_session->fd, "w+"))) {
166                         if(setvbuf(tcptls_session->f, NULL, _IONBF, 0)) {
167                                 ast_tcptls_close_session_file(tcptls_session);
168                         }
169                 }
170         }
171 #ifdef DO_SSL
172         else if ( (tcptls_session->ssl = SSL_new(tcptls_session->parent->tls_cfg->ssl_ctx)) ) {
173                 SSL_set_fd(tcptls_session->ssl, tcptls_session->fd);
174                 if ((ret = ssl_setup(tcptls_session->ssl)) <= 0) {
175                         ast_verb(2, "Problem setting up ssl connection: %s\n", ERR_error_string(ERR_get_error(), err));
176                 } else {
177 #if defined(HAVE_FUNOPEN)       /* the BSD interface */
178                         tcptls_session->f = funopen(tcptls_session->ssl, ssl_read, ssl_write, NULL, ssl_close);
179
180 #elif defined(HAVE_FOPENCOOKIE) /* the glibc/linux interface */
181                         static const cookie_io_functions_t cookie_funcs = {
182                                 ssl_read, ssl_write, NULL, ssl_close
183                         };
184                         tcptls_session->f = fopencookie(tcptls_session->ssl, "w+", cookie_funcs);
185 #else
186                         /* could add other methods here */
187                         ast_debug(2, "no tcptls_session->f methods attempted!\n");
188 #endif
189                         if ((tcptls_session->client && !ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_DONT_VERIFY_SERVER))
190                                 || (!tcptls_session->client && ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_VERIFY_CLIENT))) {
191                                 X509 *peer;
192                                 long res;
193                                 peer = SSL_get_peer_certificate(tcptls_session->ssl);
194                                 if (!peer) {
195                                         ast_log(LOG_WARNING, "No peer SSL certificate\n");
196                                 }
197                                 res = SSL_get_verify_result(tcptls_session->ssl);
198                                 if (res != X509_V_OK) {
199                                         ast_log(LOG_ERROR, "Certificate did not verify: %s\n", X509_verify_cert_error_string(res));
200                                 }
201                                 if (!ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_IGNORE_COMMON_NAME)) {
202                                         ASN1_STRING *str;
203                                         unsigned char *str2;
204                                         X509_NAME *name = X509_get_subject_name(peer);
205                                         int pos = -1;
206                                         int found = 0;
207
208                                         for (;;) {
209                                                 /* Walk the certificate to check all available "Common Name" */
210                                                 /* XXX Probably should do a gethostbyname on the hostname and compare that as well */
211                                                 pos = X509_NAME_get_index_by_NID(name, NID_commonName, pos);
212                                                 if (pos < 0) {
213                                                         break;
214                                                 }
215                                                 str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, pos));
216                                                 ASN1_STRING_to_UTF8(&str2, str);
217                                                 if (str2) {
218                                                         if (!strcasecmp(tcptls_session->parent->hostname, (char *) str2)) {
219                                                                 found = 1;
220                                                         }
221                                                         ast_debug(3, "SSL Common Name compare s1='%s' s2='%s'\n", tcptls_session->parent->hostname, str2);
222                                                         OPENSSL_free(str2);
223                                                 }
224                                                 if (found) {
225                                                         break;
226                                                 }
227                                         }
228                                         if (!found) {
229                                                 ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", tcptls_session->parent->hostname);
230                                                 if (peer) {
231                                                         X509_free(peer);
232                                                 }
233                                                 ast_tcptls_close_session_file(tcptls_session);
234                                                 ao2_ref(tcptls_session, -1);
235                                                 return NULL;
236                                         }
237                                 }
238                                 if (peer) {
239                                         X509_free(peer);
240                                 }
241                         }
242                 }
243                 if (!tcptls_session->f) {       /* no success opening descriptor stacking */
244                         SSL_free(tcptls_session->ssl);
245                 }
246         }
247 #endif /* DO_SSL */
248
249         if (!tcptls_session->f) {
250                 ast_tcptls_close_session_file(tcptls_session);
251                 ast_log(LOG_WARNING, "FILE * open failed!\n");
252 #ifndef DO_SSL
253                 if (tcptls_session->parent->tls_cfg) {
254                         ast_log(LOG_WARNING, "Attempted a TLS connection without OpenSSL support. This will not work!\n");
255                 }
256 #endif
257                 ao2_ref(tcptls_session, -1);
258                 return NULL;
259         }
260
261         if (tcptls_session->parent->worker_fn) {
262                 return tcptls_session->parent->worker_fn(tcptls_session);
263         } else {
264                 return tcptls_session;
265         }
266 }
267
268 void *ast_tcptls_server_root(void *data)
269 {
270         struct ast_tcptls_session_args *desc = data;
271         int fd;
272         struct ast_sockaddr addr;
273         struct ast_tcptls_session_instance *tcptls_session;
274         pthread_t launched;
275
276         for (;;) {
277                 int i, flags;
278
279                 if (desc->periodic_fn) {
280                         desc->periodic_fn(desc);
281                 }
282                 i = ast_wait_for_input(desc->accept_fd, desc->poll_timeout);
283                 if (i <= 0) {
284                         continue;
285                 }
286                 fd = ast_accept(desc->accept_fd, &addr);
287                 if (fd < 0) {
288                         if ((errno != EAGAIN) && (errno != EINTR)) {
289                                 ast_log(LOG_WARNING, "Accept failed: %s\n", strerror(errno));
290                         }
291                         continue;
292                 }
293                 tcptls_session = ao2_alloc(sizeof(*tcptls_session), NULL);
294                 if (!tcptls_session) {
295                         ast_log(LOG_WARNING, "No memory for new session: %s\n", strerror(errno));
296                         if (close(fd)) {
297                                 ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
298                         }
299                         continue;
300                 }
301
302                 flags = fcntl(fd, F_GETFL);
303                 fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
304                 tcptls_session->fd = fd;
305                 tcptls_session->parent = desc;
306                 ast_sockaddr_copy(&tcptls_session->remote_address, &addr);
307
308                 tcptls_session->client = 0;
309
310                 /* This thread is now the only place that controls the single ref to tcptls_session */
311                 if (ast_pthread_create_detached_background(&launched, NULL, handle_tcptls_connection, tcptls_session)) {
312                         ast_log(LOG_WARNING, "Unable to launch helper thread: %s\n", strerror(errno));
313                         ast_tcptls_close_session_file(tcptls_session);
314                         ao2_ref(tcptls_session, -1);
315                 }
316         }
317         return NULL;
318 }
319
320 static int __ssl_setup(struct ast_tls_config *cfg, int client)
321 {
322 #ifndef DO_SSL
323         cfg->enabled = 0;
324         return 0;
325 #else
326         if (!cfg->enabled) {
327                 return 0;
328         }
329
330         /* Get rid of an old SSL_CTX since we're about to
331          * allocate a new one
332          */
333         if (cfg->ssl_ctx) {
334                 SSL_CTX_free(cfg->ssl_ctx);
335                 cfg->ssl_ctx = NULL;
336         }
337
338         if (client) {
339 #ifndef OPENSSL_NO_SSL2
340                 if (ast_test_flag(&cfg->flags, AST_SSL_SSLV2_CLIENT)) {
341                         cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method());
342                 } else
343 #endif
344                 if (ast_test_flag(&cfg->flags, AST_SSL_SSLV3_CLIENT)) {
345                         cfg->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
346                 } else if (ast_test_flag(&cfg->flags, AST_SSL_TLSV1_CLIENT)) {
347                         cfg->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
348                 } else {
349                         /* SSLv23_client_method() sends SSLv2, this was the original
350                          * default for ssl clients before the option was given to
351                          * pick what protocol a client should use.  In order not
352                          * to break expected behavior it remains the default. */
353                         cfg->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
354                 }
355         } else {
356                 /* SSLv23_server_method() supports TLSv1, SSLv2, and SSLv3 inbound connections. */
357                 cfg->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
358         }
359
360         if (!cfg->ssl_ctx) {
361                 ast_debug(1, "Sorry, SSL_CTX_new call returned null...\n");
362                 cfg->enabled = 0;
363                 return 0;
364         }
365         if (!ast_strlen_zero(cfg->certfile)) {
366                 char *tmpprivate = ast_strlen_zero(cfg->pvtfile) ? cfg->certfile : cfg->pvtfile;
367                 if (SSL_CTX_use_certificate_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0) {
368                         if (!client) {
369                                 /* Clients don't need a certificate, but if its setup we can use it */
370                                 ast_verb(0, "SSL error loading cert file. <%s>\n", cfg->certfile);
371                                 cfg->enabled = 0;
372                                 SSL_CTX_free(cfg->ssl_ctx);
373                                 cfg->ssl_ctx = NULL;
374                                 return 0;
375                         }
376                 }
377                 if ((SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, tmpprivate, SSL_FILETYPE_PEM) == 0) || (SSL_CTX_check_private_key(cfg->ssl_ctx) == 0 )) {
378                         if (!client) {
379                                 /* Clients don't need a private key, but if its setup we can use it */
380                                 ast_verb(0, "SSL error loading private key file. <%s>\n", tmpprivate);
381                                 cfg->enabled = 0;
382                                 SSL_CTX_free(cfg->ssl_ctx);
383                                 cfg->ssl_ctx = NULL;
384                                 return 0;
385                         }
386                 }
387         }
388         if (!ast_strlen_zero(cfg->cipher)) {
389                 if (SSL_CTX_set_cipher_list(cfg->ssl_ctx, cfg->cipher) == 0 ) {
390                         if (!client) {
391                                 ast_verb(0, "SSL cipher error <%s>\n", cfg->cipher);
392                                 cfg->enabled = 0;
393                                 SSL_CTX_free(cfg->ssl_ctx);
394                                 cfg->ssl_ctx = NULL;
395                                 return 0;
396                         }
397                 }
398         }
399         if (!ast_strlen_zero(cfg->cafile) || !ast_strlen_zero(cfg->capath)) {
400                 if (SSL_CTX_load_verify_locations(cfg->ssl_ctx, S_OR(cfg->cafile, NULL), S_OR(cfg->capath,NULL)) == 0) {
401                         ast_verb(0, "SSL CA file(%s)/path(%s) error\n", cfg->cafile, cfg->capath);
402                 }
403         }
404
405         ast_verb(0, "SSL certificate ok\n");
406         return 1;
407 #endif
408 }
409
410 int ast_ssl_setup(struct ast_tls_config *cfg)
411 {
412         return __ssl_setup(cfg, 0);
413 }
414
415 void ast_ssl_teardown(struct ast_tls_config *cfg)
416 {
417 #ifdef DO_SSL
418         if (cfg->ssl_ctx) {
419                 SSL_CTX_free(cfg->ssl_ctx);
420                 cfg->ssl_ctx = NULL;
421         }
422 #endif
423 }
424
425 struct ast_tcptls_session_instance *ast_tcptls_client_start(struct ast_tcptls_session_instance *tcptls_session)
426 {
427         struct ast_tcptls_session_args *desc;
428         int flags;
429
430         if (!(desc = tcptls_session->parent)) {
431                 goto client_start_error;
432         }
433
434         if (ast_connect(desc->accept_fd, &desc->remote_address)) {
435                 ast_log(LOG_ERROR, "Unable to connect %s to %s: %s\n",
436                         desc->name,
437                         ast_sockaddr_stringify(&desc->remote_address),
438                         strerror(errno));
439                 goto client_start_error;
440         }
441
442         flags = fcntl(desc->accept_fd, F_GETFL);
443         fcntl(desc->accept_fd, F_SETFL, flags & ~O_NONBLOCK);
444
445         if (desc->tls_cfg) {
446                 desc->tls_cfg->enabled = 1;
447                 __ssl_setup(desc->tls_cfg, 1);
448         }
449
450         return handle_tcptls_connection(tcptls_session);
451
452 client_start_error:
453         if (desc) {
454                 close(desc->accept_fd);
455                 desc->accept_fd = -1;
456         }
457         ao2_ref(tcptls_session, -1);
458         return NULL;
459
460 }
461
462 struct ast_tcptls_session_instance *ast_tcptls_client_create(struct ast_tcptls_session_args *desc)
463 {
464         int x = 1;
465         struct ast_tcptls_session_instance *tcptls_session = NULL;
466
467         /* Do nothing if nothing has changed */
468         if (!ast_sockaddr_cmp(&desc->old_address, &desc->remote_address)) {
469                 ast_debug(1, "Nothing changed in %s\n", desc->name);
470                 return NULL;
471         }
472
473         /* If we return early, there is no connection */
474         ast_sockaddr_setnull(&desc->old_address);
475
476         if (desc->accept_fd != -1) {
477                 close(desc->accept_fd);
478         }
479
480         desc->accept_fd = socket(ast_sockaddr_is_ipv6(&desc->remote_address) ?
481                                  AF_INET6 : AF_INET, SOCK_STREAM, IPPROTO_TCP);
482         if (desc->accept_fd < 0) {
483                 ast_log(LOG_WARNING, "Unable to allocate socket for %s: %s\n",
484                         desc->name, strerror(errno));
485                 return NULL;
486         }
487
488         /* if a local address was specified, bind to it so the connection will
489            originate from the desired address */
490         if (!ast_sockaddr_isnull(&desc->local_address)) {
491                 setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
492                 if (ast_bind(desc->accept_fd, &desc->local_address)) {
493                         ast_log(LOG_ERROR, "Unable to bind %s to %s: %s\n",
494                                 desc->name,
495                                 ast_sockaddr_stringify(&desc->local_address),
496                                 strerror(errno));
497                         goto error;
498                 }
499         }
500
501         if (!(tcptls_session = ao2_alloc(sizeof(*tcptls_session), NULL))) {
502                 goto error;
503         }
504
505         tcptls_session->client = 1;
506         tcptls_session->fd = desc->accept_fd;
507         tcptls_session->parent = desc;
508         tcptls_session->parent->worker_fn = NULL;
509         ast_sockaddr_copy(&tcptls_session->remote_address,
510                           &desc->remote_address);
511
512         /* Set current info */
513         ast_sockaddr_copy(&desc->old_address, &desc->remote_address);
514         return tcptls_session;
515
516 error:
517         close(desc->accept_fd);
518         desc->accept_fd = -1;
519         if (tcptls_session) {
520                 ao2_ref(tcptls_session, -1);
521         }
522         return NULL;
523 }
524
525 void ast_tcptls_server_start(struct ast_tcptls_session_args *desc)
526 {
527         int flags;
528         int x = 1;
529
530         /* Do nothing if nothing has changed */
531         if (!ast_sockaddr_cmp(&desc->old_address, &desc->local_address)) {
532                 ast_debug(1, "Nothing changed in %s\n", desc->name);
533                 return;
534         }
535
536         /* If we return early, there is no one listening */
537         ast_sockaddr_setnull(&desc->old_address);
538
539         /* Shutdown a running server if there is one */
540         if (desc->master != AST_PTHREADT_NULL) {
541                 pthread_cancel(desc->master);
542                 pthread_kill(desc->master, SIGURG);
543                 pthread_join(desc->master, NULL);
544         }
545
546         if (desc->accept_fd != -1) {
547                 close(desc->accept_fd);
548         }
549
550         /* If there's no new server, stop here */
551         if (ast_sockaddr_isnull(&desc->local_address)) {
552                 ast_debug(2, "Server disabled:  %s\n", desc->name);
553                 return;
554         }
555
556         desc->accept_fd = socket(ast_sockaddr_is_ipv6(&desc->local_address) ?
557                                  AF_INET6 : AF_INET, SOCK_STREAM, 0);
558         if (desc->accept_fd < 0) {
559                 ast_log(LOG_ERROR, "Unable to allocate socket for %s: %s\n", desc->name, strerror(errno));
560                 return;
561         }
562
563         setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
564         if (ast_bind(desc->accept_fd, &desc->local_address)) {
565                 ast_log(LOG_ERROR, "Unable to bind %s to %s: %s\n",
566                         desc->name,
567                         ast_sockaddr_stringify(&desc->local_address),
568                         strerror(errno));
569                 goto error;
570         }
571         if (listen(desc->accept_fd, 10)) {
572                 ast_log(LOG_ERROR, "Unable to listen for %s!\n", desc->name);
573                 goto error;
574         }
575         flags = fcntl(desc->accept_fd, F_GETFL);
576         fcntl(desc->accept_fd, F_SETFL, flags | O_NONBLOCK);
577         if (ast_pthread_create_background(&desc->master, NULL, desc->accept_fn, desc)) {
578                 ast_log(LOG_ERROR, "Unable to launch thread for %s on %s: %s\n",
579                         desc->name,
580                         ast_sockaddr_stringify(&desc->local_address),
581                         strerror(errno));
582                 goto error;
583         }
584
585         /* Set current info */
586         ast_sockaddr_copy(&desc->old_address, &desc->local_address);
587
588         return;
589
590 error:
591         close(desc->accept_fd);
592         desc->accept_fd = -1;
593 }
594
595 void ast_tcptls_close_session_file(struct ast_tcptls_session_instance *tcptls_session)
596 {
597         if (tcptls_session->f) {
598                 if (fclose(tcptls_session->f)) {
599                         ast_log(LOG_ERROR, "fclose() failed: %s\n", strerror(errno));
600                 }
601                 tcptls_session->f = NULL;
602                 tcptls_session->fd = -1;
603         } else if (tcptls_session->fd != -1) {
604                 if (close(tcptls_session->fd)) {
605                         ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
606                 }
607                 tcptls_session->fd = -1;
608         } else {
609                 ast_log(LOG_ERROR, "ast_tcptls_close_session_file invoked on session instance without file or file descriptor\n");
610         }
611 }
612
613 void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc)
614 {
615         if (desc->master != AST_PTHREADT_NULL) {
616                 pthread_cancel(desc->master);
617                 pthread_kill(desc->master, SIGURG);
618                 pthread_join(desc->master, NULL);
619                 desc->master = AST_PTHREADT_NULL;
620         }
621         if (desc->accept_fd != -1) {
622                 close(desc->accept_fd);
623         }
624         desc->accept_fd = -1;
625         ast_debug(2, "Stopped server :: %s\n", desc->name);
626 }
627
628 int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value)
629 {
630         if (!strcasecmp(varname, "tlsenable") || !strcasecmp(varname, "sslenable")) {
631                 tls_cfg->enabled = ast_true(value) ? 1 : 0;
632         } else if (!strcasecmp(varname, "tlscertfile") || !strcasecmp(varname, "sslcert") || !strcasecmp(varname, "tlscert")) {
633                 ast_free(tls_cfg->certfile);
634                 tls_cfg->certfile = ast_strdup(value);
635         } else if (!strcasecmp(varname, "tlsprivatekey") || !strcasecmp(varname, "sslprivatekey")) {
636                 ast_free(tls_cfg->pvtfile);
637                 tls_cfg->pvtfile = ast_strdup(value);
638         } else if (!strcasecmp(varname, "tlscipher") || !strcasecmp(varname, "sslcipher")) {
639                 ast_free(tls_cfg->cipher);
640                 tls_cfg->cipher = ast_strdup(value);
641         } else if (!strcasecmp(varname, "tlscafile")) {
642                 ast_free(tls_cfg->cafile);
643                 tls_cfg->cafile = ast_strdup(value);
644         } else if (!strcasecmp(varname, "tlscapath") || !strcasecmp(varname, "tlscadir")) {
645                 ast_free(tls_cfg->capath);
646                 tls_cfg->capath = ast_strdup(value);
647         } else if (!strcasecmp(varname, "tlsverifyclient")) {
648                 ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_VERIFY_CLIENT);
649         } else if (!strcasecmp(varname, "tlsdontverifyserver")) {
650                 ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DONT_VERIFY_SERVER);
651         } else if (!strcasecmp(varname, "tlsbindaddr") || !strcasecmp(varname, "sslbindaddr")) {
652                 if (ast_parse_arg(value, PARSE_ADDR, &tls_desc->local_address))
653                         ast_log(LOG_WARNING, "Invalid %s '%s'\n", varname, value);
654         } else if (!strcasecmp(varname, "tlsclientmethod") || !strcasecmp(varname, "sslclientmethod")) {
655                 if (!strcasecmp(value, "tlsv1")) {
656                         ast_set_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
657                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
658                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
659                 } else if (!strcasecmp(value, "sslv3")) {
660                         ast_set_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
661                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
662                         ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
663                 } else if (!strcasecmp(value, "sslv2")) {
664                         ast_set_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
665                         ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
666                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
667                 }
668         } else {
669                 return -1;
670         }
671
672         return 0;
673 }