Multiple revisions 369001-369002
[asterisk/asterisk.git] / main / tcptls.c
1 /*
2  * Asterisk -- An open source telephony toolkit.
3  *
4  * Copyright (C) 2007 - 2008, Digium, Inc.
5  *
6  * Luigi Rizzo (TCP and TLS server code)
7  * Brett Bryant <brettbryant@gmail.com> (updated for client support)
8  *
9  * See http://www.asterisk.org for more information about
10  * the Asterisk project. Please do not directly contact
11  * any of the maintainers of this project for assistance;
12  * the project provides a web site, mailing lists and IRC
13  * channels for your use.
14  *
15  * This program is free software, distributed under the terms of
16  * the GNU General Public License Version 2. See the LICENSE file
17  * at the top of the source tree.
18  */
19
20 /*!
21  * \file
22  * \brief Code to support TCP and TLS server/client
23  *
24  * \author Luigi Rizzo
25  * \author Brett Bryant <brettbryant@gmail.com>
26  */
27
28 /*** MODULEINFO
29         <support_level>core</support_level>
30  ***/
31
32 #include "asterisk.h"
33
34 ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
35
36 #ifdef HAVE_FCNTL_H
37 #include <fcntl.h>
38 #endif
39
40 #include <signal.h>
41 #include <sys/signal.h>
42
43 #include "asterisk/compat.h"
44 #include "asterisk/tcptls.h"
45 #include "asterisk/http.h"
46 #include "asterisk/utils.h"
47 #include "asterisk/strings.h"
48 #include "asterisk/options.h"
49 #include "asterisk/manager.h"
50 #include "asterisk/astobj2.h"
51
52 /*! \brief
53  * replacement read/write functions for SSL support.
54  * We use wrappers rather than SSL_read/SSL_write directly so
55  * we can put in some debugging.
56  */
57
58 #ifdef DO_SSL
59 static HOOK_T ssl_read(void *cookie, char *buf, LEN_T len)
60 {
61         int i = SSL_read(cookie, buf, len-1);
62 #if 0
63         if (i >= 0) {
64                 buf[i] = '\0';
65         }
66         ast_verb(0, "ssl read size %d returns %d <%s>\n", (int)len, i, buf);
67 #endif
68         return i;
69 }
70
71 static HOOK_T ssl_write(void *cookie, const char *buf, LEN_T len)
72 {
73 #if 0
74         char *s = alloca(len+1);
75
76         strncpy(s, buf, len);
77         s[len] = '\0';
78         ast_verb(0, "ssl write size %d <%s>\n", (int)len, s);
79 #endif
80         return SSL_write(cookie, buf, len);
81 }
82
83 static int ssl_close(void *cookie)
84 {
85         int cookie_fd = SSL_get_fd(cookie);
86         int ret;
87         if (cookie_fd > -1) {
88                 /*
89                  * According to the TLS standard, it is acceptable for an application to only send its shutdown
90                  * alert and then close the underlying connection without waiting for the peer's response (this
91                  * way resources can be saved, as the process can already terminate or serve another connection).
92                  */
93                 if ((ret = SSL_shutdown(cookie)) < 0) {
94                         ast_log(LOG_ERROR, "SSL_shutdown() failed: %d\n", SSL_get_error(cookie, ret));
95                 }
96                 SSL_free(cookie);
97                 /* adding shutdown(2) here has no added benefit */
98                 if (close(cookie_fd)) {
99                         ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
100                 }
101         }
102         return 0;
103 }
104 #endif  /* DO_SSL */
105
106 HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *tcptls_session, void *buf, size_t count)
107 {
108         if (tcptls_session->fd == -1) {
109                 ast_log(LOG_ERROR, "server_read called with an fd of -1\n");
110                 errno = EIO;
111                 return -1;
112         }
113
114 #ifdef DO_SSL
115         if (tcptls_session->ssl) {
116                 return ssl_read(tcptls_session->ssl, buf, count);
117         }
118 #endif
119         return read(tcptls_session->fd, buf, count);
120 }
121
122 HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *tcptls_session, const void *buf, size_t count)
123 {
124         if (tcptls_session->fd == -1) {
125                 ast_log(LOG_ERROR, "server_write called with an fd of -1\n");
126                 errno = EIO;
127                 return -1;
128         }
129
130 #ifdef DO_SSL
131         if (tcptls_session->ssl) {
132                 return ssl_write(tcptls_session->ssl, buf, count);
133         }
134 #endif
135         return write(tcptls_session->fd, buf, count);
136 }
137
138 static void session_instance_destructor(void *obj)
139 {
140         struct ast_tcptls_session_instance *i = obj;
141         if (i->parent && i->parent->tls_cfg) {
142                 ast_ssl_teardown(i->parent->tls_cfg);
143         }
144 }
145
146 /*! \brief
147 * creates a FILE * from the fd passed by the accept thread.
148 * This operation is potentially expensive (certificate verification),
149 * so we do it in the child thread context.
150 *
151 * \note must decrement ref count before returning NULL on error
152 */
153 static void *handle_tcptls_connection(void *data)
154 {
155         struct ast_tcptls_session_instance *tcptls_session = data;
156 #ifdef DO_SSL
157         int (*ssl_setup)(SSL *) = (tcptls_session->client) ? SSL_connect : SSL_accept;
158         int ret;
159         char err[256];
160 #endif
161
162         /*
163         * open a FILE * as appropriate.
164         */
165         if (!tcptls_session->parent->tls_cfg) {
166                 if ((tcptls_session->f = fdopen(tcptls_session->fd, "w+"))) {
167                         if(setvbuf(tcptls_session->f, NULL, _IONBF, 0)) {
168                                 ast_tcptls_close_session_file(tcptls_session);
169                         }
170                 }
171         }
172 #ifdef DO_SSL
173         else if ( (tcptls_session->ssl = SSL_new(tcptls_session->parent->tls_cfg->ssl_ctx)) ) {
174                 SSL_set_fd(tcptls_session->ssl, tcptls_session->fd);
175                 if ((ret = ssl_setup(tcptls_session->ssl)) <= 0) {
176                         ast_verb(2, "Problem setting up ssl connection: %s\n", ERR_error_string(ERR_get_error(), err));
177                 } else {
178 #if defined(HAVE_FUNOPEN)       /* the BSD interface */
179                         tcptls_session->f = funopen(tcptls_session->ssl, ssl_read, ssl_write, NULL, ssl_close);
180
181 #elif defined(HAVE_FOPENCOOKIE) /* the glibc/linux interface */
182                         static const cookie_io_functions_t cookie_funcs = {
183                                 ssl_read, ssl_write, NULL, ssl_close
184                         };
185                         tcptls_session->f = fopencookie(tcptls_session->ssl, "w+", cookie_funcs);
186 #else
187                         /* could add other methods here */
188                         ast_debug(2, "no tcptls_session->f methods attempted!\n");
189 #endif
190                         if ((tcptls_session->client && !ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_DONT_VERIFY_SERVER))
191                                 || (!tcptls_session->client && ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_VERIFY_CLIENT))) {
192                                 X509 *peer;
193                                 long res;
194                                 peer = SSL_get_peer_certificate(tcptls_session->ssl);
195                                 if (!peer) {
196                                         ast_log(LOG_WARNING, "No peer SSL certificate\n");
197                                 }
198                                 res = SSL_get_verify_result(tcptls_session->ssl);
199                                 if (res != X509_V_OK) {
200                                         ast_log(LOG_ERROR, "Certificate did not verify: %s\n", X509_verify_cert_error_string(res));
201                                 }
202                                 if (!ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_IGNORE_COMMON_NAME)) {
203                                         ASN1_STRING *str;
204                                         unsigned char *str2;
205                                         X509_NAME *name = X509_get_subject_name(peer);
206                                         int pos = -1;
207                                         int found = 0;
208
209                                         for (;;) {
210                                                 /* Walk the certificate to check all available "Common Name" */
211                                                 /* XXX Probably should do a gethostbyname on the hostname and compare that as well */
212                                                 pos = X509_NAME_get_index_by_NID(name, NID_commonName, pos);
213                                                 if (pos < 0) {
214                                                         break;
215                                                 }
216                                                 str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, pos));
217                                                 ASN1_STRING_to_UTF8(&str2, str);
218                                                 if (str2) {
219                                                         if (!strcasecmp(tcptls_session->parent->hostname, (char *) str2)) {
220                                                                 found = 1;
221                                                         }
222                                                         ast_debug(3, "SSL Common Name compare s1='%s' s2='%s'\n", tcptls_session->parent->hostname, str2);
223                                                         OPENSSL_free(str2);
224                                                 }
225                                                 if (found) {
226                                                         break;
227                                                 }
228                                         }
229                                         if (!found) {
230                                                 ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", tcptls_session->parent->hostname);
231                                                 if (peer) {
232                                                         X509_free(peer);
233                                                 }
234                                                 ast_tcptls_close_session_file(tcptls_session);
235                                                 ao2_ref(tcptls_session, -1);
236                                                 return NULL;
237                                         }
238                                 }
239                                 if (peer) {
240                                         X509_free(peer);
241                                 }
242                         }
243                 }
244                 if (!tcptls_session->f) {       /* no success opening descriptor stacking */
245                         SSL_free(tcptls_session->ssl);
246                 }
247         }
248 #endif /* DO_SSL */
249
250         if (!tcptls_session->f) {
251                 ast_tcptls_close_session_file(tcptls_session);
252                 ast_log(LOG_WARNING, "FILE * open failed!\n");
253 #ifndef DO_SSL
254                 if (tcptls_session->parent->tls_cfg) {
255                         ast_log(LOG_WARNING, "Attempted a TLS connection without OpenSSL support. This will not work!\n");
256                 }
257 #endif
258                 ao2_ref(tcptls_session, -1);
259                 return NULL;
260         }
261
262         if (tcptls_session->parent->worker_fn) {
263                 return tcptls_session->parent->worker_fn(tcptls_session);
264         } else {
265                 return tcptls_session;
266         }
267 }
268
269 void *ast_tcptls_server_root(void *data)
270 {
271         struct ast_tcptls_session_args *desc = data;
272         int fd;
273         struct ast_sockaddr addr;
274         struct ast_tcptls_session_instance *tcptls_session;
275         pthread_t launched;
276
277         for (;;) {
278                 int i, flags;
279
280                 if (desc->periodic_fn) {
281                         desc->periodic_fn(desc);
282                 }
283                 i = ast_wait_for_input(desc->accept_fd, desc->poll_timeout);
284                 if (i <= 0) {
285                         continue;
286                 }
287                 fd = ast_accept(desc->accept_fd, &addr);
288                 if (fd < 0) {
289                         if ((errno != EAGAIN) && (errno != EINTR)) {
290                                 ast_log(LOG_WARNING, "Accept failed: %s\n", strerror(errno));
291                         }
292                         continue;
293                 }
294                 tcptls_session = ao2_alloc(sizeof(*tcptls_session), session_instance_destructor);
295                 if (!tcptls_session) {
296                         ast_log(LOG_WARNING, "No memory for new session: %s\n", strerror(errno));
297                         if (close(fd)) {
298                                 ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
299                         }
300                         continue;
301                 }
302
303                 flags = fcntl(fd, F_GETFL);
304                 fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
305                 tcptls_session->fd = fd;
306                 tcptls_session->parent = desc;
307                 ast_sockaddr_copy(&tcptls_session->remote_address, &addr);
308
309                 tcptls_session->client = 0;
310
311                 /* This thread is now the only place that controls the single ref to tcptls_session */
312                 if (ast_pthread_create_detached_background(&launched, NULL, handle_tcptls_connection, tcptls_session)) {
313                         ast_log(LOG_WARNING, "Unable to launch helper thread: %s\n", strerror(errno));
314                         ast_tcptls_close_session_file(tcptls_session);
315                         ao2_ref(tcptls_session, -1);
316                 }
317         }
318         return NULL;
319 }
320
321 static int __ssl_setup(struct ast_tls_config *cfg, int client)
322 {
323 #ifndef DO_SSL
324         cfg->enabled = 0;
325         return 0;
326 #else
327         if (!cfg->enabled) {
328                 return 0;
329         }
330
331         SSL_load_error_strings();
332         SSLeay_add_ssl_algorithms();
333
334         /* Get rid of an old SSL_CTX since we're about to
335          * allocate a new one
336          */
337         if (cfg->ssl_ctx) {
338                 SSL_CTX_free(cfg->ssl_ctx);
339                 cfg->ssl_ctx = NULL;
340         }
341
342         if (client) {
343 #ifndef OPENSSL_NO_SSL2
344                 if (ast_test_flag(&cfg->flags, AST_SSL_SSLV2_CLIENT)) {
345                         cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method());
346                 } else
347 #endif
348                 if (ast_test_flag(&cfg->flags, AST_SSL_SSLV3_CLIENT)) {
349                         cfg->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
350                 } else if (ast_test_flag(&cfg->flags, AST_SSL_TLSV1_CLIENT)) {
351                         cfg->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
352                 } else {
353                         /* SSLv23_client_method() sends SSLv2, this was the original
354                          * default for ssl clients before the option was given to
355                          * pick what protocol a client should use.  In order not
356                          * to break expected behavior it remains the default. */
357                         cfg->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
358                 }
359         } else {
360                 /* SSLv23_server_method() supports TLSv1, SSLv2, and SSLv3 inbound connections. */
361                 cfg->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
362         }
363
364         if (!cfg->ssl_ctx) {
365                 ast_debug(1, "Sorry, SSL_CTX_new call returned null...\n");
366                 cfg->enabled = 0;
367                 return 0;
368         }
369         if (!ast_strlen_zero(cfg->certfile)) {
370                 char *tmpprivate = ast_strlen_zero(cfg->pvtfile) ? cfg->certfile : cfg->pvtfile;
371                 if (SSL_CTX_use_certificate_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0) {
372                         if (!client) {
373                                 /* Clients don't need a certificate, but if its setup we can use it */
374                                 ast_verb(0, "SSL error loading cert file. <%s>\n", cfg->certfile);
375                                 sleep(2);
376                                 cfg->enabled = 0;
377                                 SSL_CTX_free(cfg->ssl_ctx);
378                                 cfg->ssl_ctx = NULL;
379                                 return 0;
380                         }
381                 }
382                 if ((SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, tmpprivate, SSL_FILETYPE_PEM) == 0) || (SSL_CTX_check_private_key(cfg->ssl_ctx) == 0 )) {
383                         if (!client) {
384                                 /* Clients don't need a private key, but if its setup we can use it */
385                                 ast_verb(0, "SSL error loading private key file. <%s>\n", tmpprivate);
386                                 sleep(2);
387                                 cfg->enabled = 0;
388                                 SSL_CTX_free(cfg->ssl_ctx);
389                                 cfg->ssl_ctx = NULL;
390                                 return 0;
391                         }
392                 }
393         }
394         if (!ast_strlen_zero(cfg->cipher)) {
395                 if (SSL_CTX_set_cipher_list(cfg->ssl_ctx, cfg->cipher) == 0 ) {
396                         if (!client) {
397                                 ast_verb(0, "SSL cipher error <%s>\n", cfg->cipher);
398                                 sleep(2);
399                                 cfg->enabled = 0;
400                                 SSL_CTX_free(cfg->ssl_ctx);
401                                 cfg->ssl_ctx = NULL;
402                                 return 0;
403                         }
404                 }
405         }
406         if (!ast_strlen_zero(cfg->cafile) || !ast_strlen_zero(cfg->capath)) {
407                 if (SSL_CTX_load_verify_locations(cfg->ssl_ctx, S_OR(cfg->cafile, NULL), S_OR(cfg->capath,NULL)) == 0) {
408                         ast_verb(0, "SSL CA file(%s)/path(%s) error\n", cfg->cafile, cfg->capath);
409                 }
410         }
411
412         ast_verb(0, "SSL certificate ok\n");
413         return 1;
414 #endif
415 }
416
417 int ast_ssl_setup(struct ast_tls_config *cfg)
418 {
419         return __ssl_setup(cfg, 0);
420 }
421
422 void ast_ssl_teardown(struct ast_tls_config *cfg)
423 {
424 #ifdef DO_SSL
425         if (cfg->ssl_ctx) {
426                 SSL_CTX_free(cfg->ssl_ctx);
427                 cfg->ssl_ctx = NULL;
428         }
429 #endif
430 }
431
432 struct ast_tcptls_session_instance *ast_tcptls_client_start(struct ast_tcptls_session_instance *tcptls_session)
433 {
434         struct ast_tcptls_session_args *desc;
435         int flags;
436
437         if (!(desc = tcptls_session->parent)) {
438                 goto client_start_error;
439         }
440
441         if (ast_connect(desc->accept_fd, &desc->remote_address)) {
442                 ast_log(LOG_ERROR, "Unable to connect %s to %s: %s\n",
443                         desc->name,
444                         ast_sockaddr_stringify(&desc->remote_address),
445                         strerror(errno));
446                 goto client_start_error;
447         }
448
449         flags = fcntl(desc->accept_fd, F_GETFL);
450         fcntl(desc->accept_fd, F_SETFL, flags & ~O_NONBLOCK);
451
452         if (desc->tls_cfg) {
453                 desc->tls_cfg->enabled = 1;
454                 __ssl_setup(desc->tls_cfg, 1);
455         }
456
457         return handle_tcptls_connection(tcptls_session);
458
459 client_start_error:
460         if (desc) {
461                 close(desc->accept_fd);
462                 desc->accept_fd = -1;
463         }
464         ao2_ref(tcptls_session, -1);
465         return NULL;
466
467 }
468
469 struct ast_tcptls_session_instance *ast_tcptls_client_create(struct ast_tcptls_session_args *desc)
470 {
471         int x = 1;
472         struct ast_tcptls_session_instance *tcptls_session = NULL;
473
474         /* Do nothing if nothing has changed */
475         if (!ast_sockaddr_cmp(&desc->old_address, &desc->remote_address)) {
476                 ast_debug(1, "Nothing changed in %s\n", desc->name);
477                 return NULL;
478         }
479
480         /* If we return early, there is no connection */
481         ast_sockaddr_setnull(&desc->old_address);
482
483         if (desc->accept_fd != -1) {
484                 close(desc->accept_fd);
485         }
486
487         desc->accept_fd = socket(ast_sockaddr_is_ipv6(&desc->remote_address) ?
488                                  AF_INET6 : AF_INET, SOCK_STREAM, IPPROTO_TCP);
489         if (desc->accept_fd < 0) {
490                 ast_log(LOG_WARNING, "Unable to allocate socket for %s: %s\n",
491                         desc->name, strerror(errno));
492                 return NULL;
493         }
494
495         /* if a local address was specified, bind to it so the connection will
496            originate from the desired address */
497         if (!ast_sockaddr_isnull(&desc->local_address)) {
498                 setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
499                 if (ast_bind(desc->accept_fd, &desc->local_address)) {
500                         ast_log(LOG_ERROR, "Unable to bind %s to %s: %s\n",
501                                 desc->name,
502                                 ast_sockaddr_stringify(&desc->local_address),
503                                 strerror(errno));
504                         goto error;
505                 }
506         }
507
508         if (!(tcptls_session = ao2_alloc(sizeof(*tcptls_session), session_instance_destructor))) {
509                 goto error;
510         }
511
512         tcptls_session->client = 1;
513         tcptls_session->fd = desc->accept_fd;
514         tcptls_session->parent = desc;
515         tcptls_session->parent->worker_fn = NULL;
516         ast_sockaddr_copy(&tcptls_session->remote_address,
517                           &desc->remote_address);
518
519         /* Set current info */
520         ast_sockaddr_copy(&desc->old_address, &desc->remote_address);
521         return tcptls_session;
522
523 error:
524         close(desc->accept_fd);
525         desc->accept_fd = -1;
526         if (tcptls_session) {
527                 ao2_ref(tcptls_session, -1);
528         }
529         return NULL;
530 }
531
532 void ast_tcptls_server_start(struct ast_tcptls_session_args *desc)
533 {
534         int flags;
535         int x = 1;
536
537         /* Do nothing if nothing has changed */
538         if (!ast_sockaddr_cmp(&desc->old_address, &desc->local_address)) {
539                 ast_debug(1, "Nothing changed in %s\n", desc->name);
540                 return;
541         }
542
543         /* If we return early, there is no one listening */
544         ast_sockaddr_setnull(&desc->old_address);
545
546         /* Shutdown a running server if there is one */
547         if (desc->master != AST_PTHREADT_NULL) {
548                 pthread_cancel(desc->master);
549                 pthread_kill(desc->master, SIGURG);
550                 pthread_join(desc->master, NULL);
551         }
552
553         if (desc->accept_fd != -1) {
554                 close(desc->accept_fd);
555         }
556
557         /* If there's no new server, stop here */
558         if (ast_sockaddr_isnull(&desc->local_address)) {
559                 ast_debug(2, "Server disabled:  %s\n", desc->name);
560                 return;
561         }
562
563         desc->accept_fd = socket(ast_sockaddr_is_ipv6(&desc->local_address) ?
564                                  AF_INET6 : AF_INET, SOCK_STREAM, 0);
565         if (desc->accept_fd < 0) {
566                 ast_log(LOG_ERROR, "Unable to allocate socket for %s: %s\n", desc->name, strerror(errno));
567                 return;
568         }
569
570         setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
571         if (ast_bind(desc->accept_fd, &desc->local_address)) {
572                 ast_log(LOG_ERROR, "Unable to bind %s to %s: %s\n",
573                         desc->name,
574                         ast_sockaddr_stringify(&desc->local_address),
575                         strerror(errno));
576                 goto error;
577         }
578         if (listen(desc->accept_fd, 10)) {
579                 ast_log(LOG_ERROR, "Unable to listen for %s!\n", desc->name);
580                 goto error;
581         }
582         flags = fcntl(desc->accept_fd, F_GETFL);
583         fcntl(desc->accept_fd, F_SETFL, flags | O_NONBLOCK);
584         if (ast_pthread_create_background(&desc->master, NULL, desc->accept_fn, desc)) {
585                 ast_log(LOG_ERROR, "Unable to launch thread for %s on %s: %s\n",
586                         desc->name,
587                         ast_sockaddr_stringify(&desc->local_address),
588                         strerror(errno));
589                 goto error;
590         }
591
592         /* Set current info */
593         ast_sockaddr_copy(&desc->old_address, &desc->local_address);
594
595         return;
596
597 error:
598         close(desc->accept_fd);
599         desc->accept_fd = -1;
600 }
601
602 void ast_tcptls_close_session_file(struct ast_tcptls_session_instance *tcptls_session)
603 {
604         if (tcptls_session->f) {
605                 if (fclose(tcptls_session->f)) {
606                         ast_log(LOG_ERROR, "fclose() failed: %s\n", strerror(errno));
607                 }
608                 tcptls_session->f = NULL;
609                 tcptls_session->fd = -1;
610         } else if (tcptls_session->fd != -1) {
611                 if (close(tcptls_session->fd)) {
612                         ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
613                 }
614                 tcptls_session->fd = -1;
615         } else {
616                 ast_log(LOG_ERROR, "ast_tcptls_close_session_file invoked on session instance without file or file descriptor\n");
617         }
618 }
619
620 void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc)
621 {
622         if (desc->master != AST_PTHREADT_NULL) {
623                 pthread_cancel(desc->master);
624                 pthread_kill(desc->master, SIGURG);
625                 pthread_join(desc->master, NULL);
626                 desc->master = AST_PTHREADT_NULL;
627         }
628         if (desc->accept_fd != -1) {
629                 close(desc->accept_fd);
630         }
631         desc->accept_fd = -1;
632         ast_debug(2, "Stopped server :: %s\n", desc->name);
633 }
634
635 int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value)
636 {
637         if (!strcasecmp(varname, "tlsenable") || !strcasecmp(varname, "sslenable")) {
638                 tls_cfg->enabled = ast_true(value) ? 1 : 0;
639         } else if (!strcasecmp(varname, "tlscertfile") || !strcasecmp(varname, "sslcert") || !strcasecmp(varname, "tlscert")) {
640                 ast_free(tls_cfg->certfile);
641                 tls_cfg->certfile = ast_strdup(value);
642         } else if (!strcasecmp(varname, "tlsprivatekey") || !strcasecmp(varname, "sslprivatekey")) {
643                 ast_free(tls_cfg->pvtfile);
644                 tls_cfg->pvtfile = ast_strdup(value);
645         } else if (!strcasecmp(varname, "tlscipher") || !strcasecmp(varname, "sslcipher")) {
646                 ast_free(tls_cfg->cipher);
647                 tls_cfg->cipher = ast_strdup(value);
648         } else if (!strcasecmp(varname, "tlscafile")) {
649                 ast_free(tls_cfg->cafile);
650                 tls_cfg->cafile = ast_strdup(value);
651         } else if (!strcasecmp(varname, "tlscapath") || !strcasecmp(varname, "tlscadir")) {
652                 ast_free(tls_cfg->capath);
653                 tls_cfg->capath = ast_strdup(value);
654         } else if (!strcasecmp(varname, "tlsverifyclient")) {
655                 ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_VERIFY_CLIENT);
656         } else if (!strcasecmp(varname, "tlsdontverifyserver")) {
657                 ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DONT_VERIFY_SERVER);
658         } else if (!strcasecmp(varname, "tlsbindaddr") || !strcasecmp(varname, "sslbindaddr")) {
659                 if (ast_parse_arg(value, PARSE_ADDR, &tls_desc->local_address))
660                         ast_log(LOG_WARNING, "Invalid %s '%s'\n", varname, value);
661         } else if (!strcasecmp(varname, "tlsclientmethod") || !strcasecmp(varname, "sslclientmethod")) {
662                 if (!strcasecmp(value, "tlsv1")) {
663                         ast_set_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
664                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
665                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
666                 } else if (!strcasecmp(value, "sslv3")) {
667                         ast_set_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
668                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
669                         ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
670                 } else if (!strcasecmp(value, "sslv2")) {
671                         ast_set_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
672                         ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
673                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
674                 }
675         } else {
676                 return -1;
677         }
678
679         return 0;
680 }