Ensure Asterisk fails TCP/TLS SIP calls when certificate checking fails
[asterisk/asterisk.git] / main / tcptls.c
1 /*
2  * Asterisk -- An open source telephony toolkit.
3  *
4  * Copyright (C) 2007 - 2008, Digium, Inc.
5  *
6  * Luigi Rizzo (TCP and TLS server code)
7  * Brett Bryant <brettbryant@gmail.com> (updated for client support)
8  *
9  * See http://www.asterisk.org for more information about
10  * the Asterisk project. Please do not directly contact
11  * any of the maintainers of this project for assistance;
12  * the project provides a web site, mailing lists and IRC
13  * channels for your use.
14  *
15  * This program is free software, distributed under the terms of
16  * the GNU General Public License Version 2. See the LICENSE file
17  * at the top of the source tree.
18  */
19
20 /*!
21  * \file
22  * \brief Code to support TCP and TLS server/client
23  *
24  * \author Luigi Rizzo
25  * \author Brett Bryant <brettbryant@gmail.com>
26  */
27
28 /*** MODULEINFO
29         <support_level>core</support_level>
30  ***/
31
32 #include "asterisk.h"
33
34 ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
35
36 #ifdef HAVE_FCNTL_H
37 #include <fcntl.h>
38 #endif
39
40 #include <signal.h>
41 #include <sys/signal.h>
42
43 #include "asterisk/compat.h"
44 #include "asterisk/tcptls.h"
45 #include "asterisk/http.h"
46 #include "asterisk/utils.h"
47 #include "asterisk/strings.h"
48 #include "asterisk/options.h"
49 #include "asterisk/manager.h"
50 #include "asterisk/astobj2.h"
51
52 /*! \brief
53  * replacement read/write functions for SSL support.
54  * We use wrappers rather than SSL_read/SSL_write directly so
55  * we can put in some debugging.
56  */
57
58 #ifdef DO_SSL
59 static HOOK_T ssl_read(void *cookie, char *buf, LEN_T len)
60 {
61         int i = SSL_read(cookie, buf, len-1);
62 #if 0
63         if (i >= 0) {
64                 buf[i] = '\0';
65         }
66         ast_verb(0, "ssl read size %d returns %d <%s>\n", (int)len, i, buf);
67 #endif
68         return i;
69 }
70
71 static HOOK_T ssl_write(void *cookie, const char *buf, LEN_T len)
72 {
73 #if 0
74         char *s = ast_alloca(len+1);
75
76         strncpy(s, buf, len);
77         s[len] = '\0';
78         ast_verb(0, "ssl write size %d <%s>\n", (int)len, s);
79 #endif
80         return SSL_write(cookie, buf, len);
81 }
82
83 static int ssl_close(void *cookie)
84 {
85         int cookie_fd = SSL_get_fd(cookie);
86         int ret;
87
88         if (cookie_fd > -1) {
89                 /*
90                  * According to the TLS standard, it is acceptable for an application to only send its shutdown
91                  * alert and then close the underlying connection without waiting for the peer's response (this
92                  * way resources can be saved, as the process can already terminate or serve another connection).
93                  */
94                 if ((ret = SSL_shutdown(cookie)) < 0) {
95                         ast_log(LOG_ERROR, "SSL_shutdown() failed: %d\n", SSL_get_error(cookie, ret));
96                 }
97
98                 if (!((SSL*)cookie)->server) {
99                         /* For client threads, ensure that the error stack is cleared */
100                         ERR_remove_state(0);
101                 }
102
103                 SSL_free(cookie);
104                 /* adding shutdown(2) here has no added benefit */
105                 if (close(cookie_fd)) {
106                         ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
107                 }
108         }
109         return 0;
110 }
111 #endif  /* DO_SSL */
112
113 HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *tcptls_session, void *buf, size_t count)
114 {
115         if (tcptls_session->fd == -1) {
116                 ast_log(LOG_ERROR, "server_read called with an fd of -1\n");
117                 errno = EIO;
118                 return -1;
119         }
120
121 #ifdef DO_SSL
122         if (tcptls_session->ssl) {
123                 return ssl_read(tcptls_session->ssl, buf, count);
124         }
125 #endif
126         return read(tcptls_session->fd, buf, count);
127 }
128
129 HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *tcptls_session, const void *buf, size_t count)
130 {
131         if (tcptls_session->fd == -1) {
132                 ast_log(LOG_ERROR, "server_write called with an fd of -1\n");
133                 errno = EIO;
134                 return -1;
135         }
136
137 #ifdef DO_SSL
138         if (tcptls_session->ssl) {
139                 return ssl_write(tcptls_session->ssl, buf, count);
140         }
141 #endif
142         return write(tcptls_session->fd, buf, count);
143 }
144
145 static void session_instance_destructor(void *obj)
146 {
147         struct ast_tcptls_session_instance *i = obj;
148         ast_free(i->overflow_buf);
149 }
150
151 /*! \brief
152 * creates a FILE * from the fd passed by the accept thread.
153 * This operation is potentially expensive (certificate verification),
154 * so we do it in the child thread context.
155 *
156 * \note must decrement ref count before returning NULL on error
157 */
158 static void *handle_tcptls_connection(void *data)
159 {
160         struct ast_tcptls_session_instance *tcptls_session = data;
161 #ifdef DO_SSL
162         int (*ssl_setup)(SSL *) = (tcptls_session->client) ? SSL_connect : SSL_accept;
163         int ret;
164         char err[256];
165 #endif
166
167         /*
168         * open a FILE * as appropriate.
169         */
170         if (!tcptls_session->parent->tls_cfg) {
171                 if ((tcptls_session->f = fdopen(tcptls_session->fd, "w+"))) {
172                         if(setvbuf(tcptls_session->f, NULL, _IONBF, 0)) {
173                                 ast_tcptls_close_session_file(tcptls_session);
174                         }
175                 }
176         }
177 #ifdef DO_SSL
178         else if ( (tcptls_session->ssl = SSL_new(tcptls_session->parent->tls_cfg->ssl_ctx)) ) {
179                 SSL_set_fd(tcptls_session->ssl, tcptls_session->fd);
180                 if ((ret = ssl_setup(tcptls_session->ssl)) <= 0) {
181                         ast_verb(2, "Problem setting up ssl connection: %s\n", ERR_error_string(ERR_get_error(), err));
182                 } else {
183 #if defined(HAVE_FUNOPEN)       /* the BSD interface */
184                         tcptls_session->f = funopen(tcptls_session->ssl, ssl_read, ssl_write, NULL, ssl_close);
185
186 #elif defined(HAVE_FOPENCOOKIE) /* the glibc/linux interface */
187                         static const cookie_io_functions_t cookie_funcs = {
188                                 ssl_read, ssl_write, NULL, ssl_close
189                         };
190                         tcptls_session->f = fopencookie(tcptls_session->ssl, "w+", cookie_funcs);
191 #else
192                         /* could add other methods here */
193                         ast_debug(2, "no tcptls_session->f methods attempted!\n");
194 #endif
195                         if ((tcptls_session->client && !ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_DONT_VERIFY_SERVER))
196                                 || (!tcptls_session->client && ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_VERIFY_CLIENT))) {
197                                 X509 *peer;
198                                 long res;
199                                 peer = SSL_get_peer_certificate(tcptls_session->ssl);
200                                 if (!peer) {
201                                         ast_log(LOG_ERROR, "No peer SSL certificate to verify\n");
202                                         ast_tcptls_close_session_file(tcptls_session);
203                                         ao2_ref(tcptls_session, -1);
204                                         return NULL;
205                                 }
206
207                                 res = SSL_get_verify_result(tcptls_session->ssl);
208                                 if (res != X509_V_OK) {
209                                         ast_log(LOG_ERROR, "Certificate did not verify: %s\n", X509_verify_cert_error_string(res));
210                                         X509_free(peer);
211                                         ast_tcptls_close_session_file(tcptls_session);
212                                         ao2_ref(tcptls_session, -1);
213                                         return NULL;
214                                 }
215                                 if (!ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_IGNORE_COMMON_NAME)) {
216                                         ASN1_STRING *str;
217                                         unsigned char *str2;
218                                         X509_NAME *name = X509_get_subject_name(peer);
219                                         int pos = -1;
220                                         int found = 0;
221
222                                         for (;;) {
223                                                 /* Walk the certificate to check all available "Common Name" */
224                                                 /* XXX Probably should do a gethostbyname on the hostname and compare that as well */
225                                                 pos = X509_NAME_get_index_by_NID(name, NID_commonName, pos);
226                                                 if (pos < 0) {
227                                                         break;
228                                                 }
229                                                 str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, pos));
230                                                 ASN1_STRING_to_UTF8(&str2, str);
231                                                 if (str2) {
232                                                         if (!strcasecmp(tcptls_session->parent->hostname, (char *) str2)) {
233                                                                 found = 1;
234                                                         }
235                                                         ast_debug(3, "SSL Common Name compare s1='%s' s2='%s'\n", tcptls_session->parent->hostname, str2);
236                                                         OPENSSL_free(str2);
237                                                 }
238                                                 if (found) {
239                                                         break;
240                                                 }
241                                         }
242                                         if (!found) {
243                                                 ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", tcptls_session->parent->hostname);
244                                                 X509_free(peer);
245                                                 ast_tcptls_close_session_file(tcptls_session);
246                                                 ao2_ref(tcptls_session, -1);
247                                                 return NULL;
248                                         }
249                                 }
250                                 X509_free(peer);
251                         }
252                 }
253                 if (!tcptls_session->f) {       /* no success opening descriptor stacking */
254                         SSL_free(tcptls_session->ssl);
255                 }
256         }
257 #endif /* DO_SSL */
258
259         if (!tcptls_session->f) {
260                 ast_tcptls_close_session_file(tcptls_session);
261                 ast_log(LOG_WARNING, "FILE * open failed!\n");
262 #ifndef DO_SSL
263                 if (tcptls_session->parent->tls_cfg) {
264                         ast_log(LOG_WARNING, "Attempted a TLS connection without OpenSSL support. This will not work!\n");
265                 }
266 #endif
267                 ao2_ref(tcptls_session, -1);
268                 return NULL;
269         }
270
271         if (tcptls_session->parent->worker_fn) {
272                 return tcptls_session->parent->worker_fn(tcptls_session);
273         } else {
274                 return tcptls_session;
275         }
276 }
277
278 void *ast_tcptls_server_root(void *data)
279 {
280         struct ast_tcptls_session_args *desc = data;
281         int fd;
282         struct ast_sockaddr addr;
283         struct ast_tcptls_session_instance *tcptls_session;
284         pthread_t launched;
285
286         for (;;) {
287                 int i, flags;
288
289                 if (desc->periodic_fn) {
290                         desc->periodic_fn(desc);
291                 }
292                 i = ast_wait_for_input(desc->accept_fd, desc->poll_timeout);
293                 if (i <= 0) {
294                         continue;
295                 }
296                 fd = ast_accept(desc->accept_fd, &addr);
297                 if (fd < 0) {
298                         if ((errno != EAGAIN) && (errno != EINTR)) {
299                                 ast_log(LOG_WARNING, "Accept failed: %s\n", strerror(errno));
300                         }
301                         continue;
302                 }
303                 tcptls_session = ao2_alloc(sizeof(*tcptls_session), session_instance_destructor);
304                 if (!tcptls_session) {
305                         ast_log(LOG_WARNING, "No memory for new session: %s\n", strerror(errno));
306                         if (close(fd)) {
307                                 ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
308                         }
309                         continue;
310                 }
311
312                 tcptls_session->overflow_buf = ast_str_create(128);
313                 flags = fcntl(fd, F_GETFL);
314                 fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
315                 tcptls_session->fd = fd;
316                 tcptls_session->parent = desc;
317                 ast_sockaddr_copy(&tcptls_session->remote_address, &addr);
318
319                 tcptls_session->client = 0;
320
321                 /* This thread is now the only place that controls the single ref to tcptls_session */
322                 if (ast_pthread_create_detached_background(&launched, NULL, handle_tcptls_connection, tcptls_session)) {
323                         ast_log(LOG_WARNING, "Unable to launch helper thread: %s\n", strerror(errno));
324                         ast_tcptls_close_session_file(tcptls_session);
325                         ao2_ref(tcptls_session, -1);
326                 }
327         }
328         return NULL;
329 }
330
331 static int __ssl_setup(struct ast_tls_config *cfg, int client)
332 {
333 #ifndef DO_SSL
334         cfg->enabled = 0;
335         return 0;
336 #else
337         if (!cfg->enabled) {
338                 return 0;
339         }
340
341         /* Get rid of an old SSL_CTX since we're about to
342          * allocate a new one
343          */
344         if (cfg->ssl_ctx) {
345                 SSL_CTX_free(cfg->ssl_ctx);
346                 cfg->ssl_ctx = NULL;
347         }
348
349         if (client) {
350 #ifndef OPENSSL_NO_SSL2
351                 if (ast_test_flag(&cfg->flags, AST_SSL_SSLV2_CLIENT)) {
352                         cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method());
353                 } else
354 #endif
355                 if (ast_test_flag(&cfg->flags, AST_SSL_SSLV3_CLIENT)) {
356                         cfg->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
357                 } else if (ast_test_flag(&cfg->flags, AST_SSL_TLSV1_CLIENT)) {
358                         cfg->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
359                 } else {
360                         /* SSLv23_client_method() sends SSLv2, this was the original
361                          * default for ssl clients before the option was given to
362                          * pick what protocol a client should use.  In order not
363                          * to break expected behavior it remains the default. */
364                         cfg->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
365                 }
366         } else {
367                 /* SSLv23_server_method() supports TLSv1, SSLv2, and SSLv3 inbound connections. */
368                 cfg->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
369         }
370
371         if (!cfg->ssl_ctx) {
372                 ast_debug(1, "Sorry, SSL_CTX_new call returned null...\n");
373                 cfg->enabled = 0;
374                 return 0;
375         }
376         if (!ast_strlen_zero(cfg->certfile)) {
377                 char *tmpprivate = ast_strlen_zero(cfg->pvtfile) ? cfg->certfile : cfg->pvtfile;
378                 if (SSL_CTX_use_certificate_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0) {
379                         if (!client) {
380                                 /* Clients don't need a certificate, but if its setup we can use it */
381                                 ast_verb(0, "SSL error loading cert file. <%s>\n", cfg->certfile);
382                                 cfg->enabled = 0;
383                                 SSL_CTX_free(cfg->ssl_ctx);
384                                 cfg->ssl_ctx = NULL;
385                                 return 0;
386                         }
387                 }
388                 if ((SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, tmpprivate, SSL_FILETYPE_PEM) == 0) || (SSL_CTX_check_private_key(cfg->ssl_ctx) == 0 )) {
389                         if (!client) {
390                                 /* Clients don't need a private key, but if its setup we can use it */
391                                 ast_verb(0, "SSL error loading private key file. <%s>\n", tmpprivate);
392                                 cfg->enabled = 0;
393                                 SSL_CTX_free(cfg->ssl_ctx);
394                                 cfg->ssl_ctx = NULL;
395                                 return 0;
396                         }
397                 }
398         }
399         if (!ast_strlen_zero(cfg->cipher)) {
400                 if (SSL_CTX_set_cipher_list(cfg->ssl_ctx, cfg->cipher) == 0 ) {
401                         if (!client) {
402                                 ast_verb(0, "SSL cipher error <%s>\n", cfg->cipher);
403                                 cfg->enabled = 0;
404                                 SSL_CTX_free(cfg->ssl_ctx);
405                                 cfg->ssl_ctx = NULL;
406                                 return 0;
407                         }
408                 }
409         }
410         if (!ast_strlen_zero(cfg->cafile) || !ast_strlen_zero(cfg->capath)) {
411                 if (SSL_CTX_load_verify_locations(cfg->ssl_ctx, S_OR(cfg->cafile, NULL), S_OR(cfg->capath,NULL)) == 0) {
412                         ast_verb(0, "SSL CA file(%s)/path(%s) error\n", cfg->cafile, cfg->capath);
413                 }
414         }
415
416         ast_verb(0, "SSL certificate ok\n");
417         return 1;
418 #endif
419 }
420
421 int ast_ssl_setup(struct ast_tls_config *cfg)
422 {
423         return __ssl_setup(cfg, 0);
424 }
425
426 void ast_ssl_teardown(struct ast_tls_config *cfg)
427 {
428 #ifdef DO_SSL
429         if (cfg->ssl_ctx) {
430                 SSL_CTX_free(cfg->ssl_ctx);
431                 cfg->ssl_ctx = NULL;
432         }
433 #endif
434 }
435
436 struct ast_tcptls_session_instance *ast_tcptls_client_start(struct ast_tcptls_session_instance *tcptls_session)
437 {
438         struct ast_tcptls_session_args *desc;
439         int flags;
440
441         if (!(desc = tcptls_session->parent)) {
442                 goto client_start_error;
443         }
444
445         if (ast_connect(desc->accept_fd, &desc->remote_address)) {
446                 ast_log(LOG_ERROR, "Unable to connect %s to %s: %s\n",
447                         desc->name,
448                         ast_sockaddr_stringify(&desc->remote_address),
449                         strerror(errno));
450                 goto client_start_error;
451         }
452
453         flags = fcntl(desc->accept_fd, F_GETFL);
454         fcntl(desc->accept_fd, F_SETFL, flags & ~O_NONBLOCK);
455
456         if (desc->tls_cfg) {
457                 desc->tls_cfg->enabled = 1;
458                 __ssl_setup(desc->tls_cfg, 1);
459         }
460
461         return handle_tcptls_connection(tcptls_session);
462
463 client_start_error:
464         if (desc) {
465                 close(desc->accept_fd);
466                 desc->accept_fd = -1;
467         }
468         ao2_ref(tcptls_session, -1);
469         return NULL;
470
471 }
472
473 struct ast_tcptls_session_instance *ast_tcptls_client_create(struct ast_tcptls_session_args *desc)
474 {
475         int x = 1;
476         struct ast_tcptls_session_instance *tcptls_session = NULL;
477
478         /* Do nothing if nothing has changed */
479         if (!ast_sockaddr_cmp(&desc->old_address, &desc->remote_address)) {
480                 ast_debug(1, "Nothing changed in %s\n", desc->name);
481                 return NULL;
482         }
483
484         /* If we return early, there is no connection */
485         ast_sockaddr_setnull(&desc->old_address);
486
487         if (desc->accept_fd != -1) {
488                 close(desc->accept_fd);
489         }
490
491         desc->accept_fd = socket(ast_sockaddr_is_ipv6(&desc->remote_address) ?
492                                  AF_INET6 : AF_INET, SOCK_STREAM, IPPROTO_TCP);
493         if (desc->accept_fd < 0) {
494                 ast_log(LOG_WARNING, "Unable to allocate socket for %s: %s\n",
495                         desc->name, strerror(errno));
496                 return NULL;
497         }
498
499         /* if a local address was specified, bind to it so the connection will
500            originate from the desired address */
501         if (!ast_sockaddr_isnull(&desc->local_address)) {
502                 setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
503                 if (ast_bind(desc->accept_fd, &desc->local_address)) {
504                         ast_log(LOG_ERROR, "Unable to bind %s to %s: %s\n",
505                                 desc->name,
506                                 ast_sockaddr_stringify(&desc->local_address),
507                                 strerror(errno));
508                         goto error;
509                 }
510         }
511
512         if (!(tcptls_session = ao2_alloc(sizeof(*tcptls_session), session_instance_destructor))) {
513                 goto error;
514         }
515
516         tcptls_session->overflow_buf = ast_str_create(128);
517         tcptls_session->client = 1;
518         tcptls_session->fd = desc->accept_fd;
519         tcptls_session->parent = desc;
520         tcptls_session->parent->worker_fn = NULL;
521         ast_sockaddr_copy(&tcptls_session->remote_address,
522                           &desc->remote_address);
523
524         /* Set current info */
525         ast_sockaddr_copy(&desc->old_address, &desc->remote_address);
526         return tcptls_session;
527
528 error:
529         close(desc->accept_fd);
530         desc->accept_fd = -1;
531         if (tcptls_session) {
532                 ao2_ref(tcptls_session, -1);
533         }
534         return NULL;
535 }
536
537 void ast_tcptls_server_start(struct ast_tcptls_session_args *desc)
538 {
539         int flags;
540         int x = 1;
541
542         /* Do nothing if nothing has changed */
543         if (!ast_sockaddr_cmp(&desc->old_address, &desc->local_address)) {
544                 ast_debug(1, "Nothing changed in %s\n", desc->name);
545                 return;
546         }
547
548         /* If we return early, there is no one listening */
549         ast_sockaddr_setnull(&desc->old_address);
550
551         /* Shutdown a running server if there is one */
552         if (desc->master != AST_PTHREADT_NULL) {
553                 pthread_cancel(desc->master);
554                 pthread_kill(desc->master, SIGURG);
555                 pthread_join(desc->master, NULL);
556         }
557
558         if (desc->accept_fd != -1) {
559                 close(desc->accept_fd);
560         }
561
562         /* If there's no new server, stop here */
563         if (ast_sockaddr_isnull(&desc->local_address)) {
564                 ast_debug(2, "Server disabled:  %s\n", desc->name);
565                 return;
566         }
567
568         desc->accept_fd = socket(ast_sockaddr_is_ipv6(&desc->local_address) ?
569                                  AF_INET6 : AF_INET, SOCK_STREAM, 0);
570         if (desc->accept_fd < 0) {
571                 ast_log(LOG_ERROR, "Unable to allocate socket for %s: %s\n", desc->name, strerror(errno));
572                 return;
573         }
574
575         setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
576         if (ast_bind(desc->accept_fd, &desc->local_address)) {
577                 ast_log(LOG_ERROR, "Unable to bind %s to %s: %s\n",
578                         desc->name,
579                         ast_sockaddr_stringify(&desc->local_address),
580                         strerror(errno));
581                 goto error;
582         }
583         if (listen(desc->accept_fd, 10)) {
584                 ast_log(LOG_ERROR, "Unable to listen for %s!\n", desc->name);
585                 goto error;
586         }
587         flags = fcntl(desc->accept_fd, F_GETFL);
588         fcntl(desc->accept_fd, F_SETFL, flags | O_NONBLOCK);
589         if (ast_pthread_create_background(&desc->master, NULL, desc->accept_fn, desc)) {
590                 ast_log(LOG_ERROR, "Unable to launch thread for %s on %s: %s\n",
591                         desc->name,
592                         ast_sockaddr_stringify(&desc->local_address),
593                         strerror(errno));
594                 goto error;
595         }
596
597         /* Set current info */
598         ast_sockaddr_copy(&desc->old_address, &desc->local_address);
599
600         return;
601
602 error:
603         close(desc->accept_fd);
604         desc->accept_fd = -1;
605 }
606
607 void ast_tcptls_close_session_file(struct ast_tcptls_session_instance *tcptls_session)
608 {
609         if (tcptls_session->f) {
610                 if (fclose(tcptls_session->f)) {
611                         ast_log(LOG_ERROR, "fclose() failed: %s\n", strerror(errno));
612                 }
613                 tcptls_session->f = NULL;
614                 tcptls_session->fd = -1;
615         } else if (tcptls_session->fd != -1) {
616                 if (close(tcptls_session->fd)) {
617                         ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
618                 }
619                 tcptls_session->fd = -1;
620         } else {
621                 ast_log(LOG_ERROR, "ast_tcptls_close_session_file invoked on session instance without file or file descriptor\n");
622         }
623 }
624
625 void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc)
626 {
627         if (desc->master != AST_PTHREADT_NULL) {
628                 pthread_cancel(desc->master);
629                 pthread_kill(desc->master, SIGURG);
630                 pthread_join(desc->master, NULL);
631                 desc->master = AST_PTHREADT_NULL;
632         }
633         if (desc->accept_fd != -1) {
634                 close(desc->accept_fd);
635         }
636         desc->accept_fd = -1;
637         ast_debug(2, "Stopped server :: %s\n", desc->name);
638 }
639
640 int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value)
641 {
642         if (!strcasecmp(varname, "tlsenable") || !strcasecmp(varname, "sslenable")) {
643                 tls_cfg->enabled = ast_true(value) ? 1 : 0;
644         } else if (!strcasecmp(varname, "tlscertfile") || !strcasecmp(varname, "sslcert") || !strcasecmp(varname, "tlscert")) {
645                 ast_free(tls_cfg->certfile);
646                 tls_cfg->certfile = ast_strdup(value);
647         } else if (!strcasecmp(varname, "tlsprivatekey") || !strcasecmp(varname, "sslprivatekey")) {
648                 ast_free(tls_cfg->pvtfile);
649                 tls_cfg->pvtfile = ast_strdup(value);
650         } else if (!strcasecmp(varname, "tlscipher") || !strcasecmp(varname, "sslcipher")) {
651                 ast_free(tls_cfg->cipher);
652                 tls_cfg->cipher = ast_strdup(value);
653         } else if (!strcasecmp(varname, "tlscafile")) {
654                 ast_free(tls_cfg->cafile);
655                 tls_cfg->cafile = ast_strdup(value);
656         } else if (!strcasecmp(varname, "tlscapath") || !strcasecmp(varname, "tlscadir")) {
657                 ast_free(tls_cfg->capath);
658                 tls_cfg->capath = ast_strdup(value);
659         } else if (!strcasecmp(varname, "tlsverifyclient")) {
660                 ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_VERIFY_CLIENT);
661         } else if (!strcasecmp(varname, "tlsdontverifyserver")) {
662                 ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DONT_VERIFY_SERVER);
663         } else if (!strcasecmp(varname, "tlsbindaddr") || !strcasecmp(varname, "sslbindaddr")) {
664                 if (ast_parse_arg(value, PARSE_ADDR, &tls_desc->local_address))
665                         ast_log(LOG_WARNING, "Invalid %s '%s'\n", varname, value);
666         } else if (!strcasecmp(varname, "tlsclientmethod") || !strcasecmp(varname, "sslclientmethod")) {
667                 if (!strcasecmp(value, "tlsv1")) {
668                         ast_set_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
669                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
670                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
671                 } else if (!strcasecmp(value, "sslv3")) {
672                         ast_set_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
673                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
674                         ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
675                 } else if (!strcasecmp(value, "sslv2")) {
676                         ast_set_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
677                         ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
678                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
679                 }
680         } else {
681                 return -1;
682         }
683
684         return 0;
685 }