tcptls: Prevent unsupported options from being set
[asterisk/asterisk.git] / main / tcptls.c
1 /*
2  * Asterisk -- An open source telephony toolkit.
3  *
4  * Copyright (C) 2007 - 2008, Digium, Inc.
5  *
6  * Luigi Rizzo (TCP and TLS server code)
7  * Brett Bryant <brettbryant@gmail.com> (updated for client support)
8  *
9  * See http://www.asterisk.org for more information about
10  * the Asterisk project. Please do not directly contact
11  * any of the maintainers of this project for assistance;
12  * the project provides a web site, mailing lists and IRC
13  * channels for your use.
14  *
15  * This program is free software, distributed under the terms of
16  * the GNU General Public License Version 2. See the LICENSE file
17  * at the top of the source tree.
18  */
19
20 /*!
21  * \file
22  * \brief Code to support TCP and TLS server/client
23  *
24  * \author Luigi Rizzo
25  * \author Brett Bryant <brettbryant@gmail.com>
26  */
27
28 /*** MODULEINFO
29         <support_level>core</support_level>
30  ***/
31
32 #include "asterisk.h"
33
34 ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
35
36 #ifdef HAVE_FCNTL_H
37 #include <fcntl.h>
38 #endif
39
40 #include <signal.h>
41 #include <sys/signal.h>
42
43 #include "asterisk/compat.h"
44 #include "asterisk/tcptls.h"
45 #include "asterisk/http.h"
46 #include "asterisk/utils.h"
47 #include "asterisk/strings.h"
48 #include "asterisk/options.h"
49 #include "asterisk/manager.h"
50 #include "asterisk/astobj2.h"
51
52 /*! \brief
53  * replacement read/write functions for SSL support.
54  * We use wrappers rather than SSL_read/SSL_write directly so
55  * we can put in some debugging.
56  */
57
58 #ifdef DO_SSL
59 static HOOK_T ssl_read(void *cookie, char *buf, LEN_T len)
60 {
61         int i = SSL_read(cookie, buf, len-1);
62 #if 0
63         if (i >= 0) {
64                 buf[i] = '\0';
65         }
66         ast_verb(0, "ssl read size %d returns %d <%s>\n", (int)len, i, buf);
67 #endif
68         return i;
69 }
70
71 static HOOK_T ssl_write(void *cookie, const char *buf, LEN_T len)
72 {
73 #if 0
74         char *s = ast_alloca(len+1);
75
76         strncpy(s, buf, len);
77         s[len] = '\0';
78         ast_verb(0, "ssl write size %d <%s>\n", (int)len, s);
79 #endif
80         return SSL_write(cookie, buf, len);
81 }
82
83 static int ssl_close(void *cookie)
84 {
85         int cookie_fd = SSL_get_fd(cookie);
86         int ret;
87
88         if (cookie_fd > -1) {
89                 /*
90                  * According to the TLS standard, it is acceptable for an application to only send its shutdown
91                  * alert and then close the underlying connection without waiting for the peer's response (this
92                  * way resources can be saved, as the process can already terminate or serve another connection).
93                  */
94                 if ((ret = SSL_shutdown(cookie)) < 0) {
95                         ast_log(LOG_ERROR, "SSL_shutdown() failed: %d\n", SSL_get_error(cookie, ret));
96                 }
97
98                 if (!((SSL*)cookie)->server) {
99                         /* For client threads, ensure that the error stack is cleared */
100                         ERR_remove_state(0);
101                 }
102
103                 SSL_free(cookie);
104                 /* adding shutdown(2) here has no added benefit */
105                 if (close(cookie_fd)) {
106                         ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
107                 }
108         }
109         return 0;
110 }
111 #endif  /* DO_SSL */
112
113 HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *tcptls_session, void *buf, size_t count)
114 {
115         if (tcptls_session->fd == -1) {
116                 ast_log(LOG_ERROR, "server_read called with an fd of -1\n");
117                 errno = EIO;
118                 return -1;
119         }
120
121 #ifdef DO_SSL
122         if (tcptls_session->ssl) {
123                 return ssl_read(tcptls_session->ssl, buf, count);
124         }
125 #endif
126         return read(tcptls_session->fd, buf, count);
127 }
128
129 HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *tcptls_session, const void *buf, size_t count)
130 {
131         if (tcptls_session->fd == -1) {
132                 ast_log(LOG_ERROR, "server_write called with an fd of -1\n");
133                 errno = EIO;
134                 return -1;
135         }
136
137 #ifdef DO_SSL
138         if (tcptls_session->ssl) {
139                 return ssl_write(tcptls_session->ssl, buf, count);
140         }
141 #endif
142         return write(tcptls_session->fd, buf, count);
143 }
144
145 static void session_instance_destructor(void *obj)
146 {
147         struct ast_tcptls_session_instance *i = obj;
148         ast_free(i->overflow_buf);
149 }
150
151 /*! \brief
152 * creates a FILE * from the fd passed by the accept thread.
153 * This operation is potentially expensive (certificate verification),
154 * so we do it in the child thread context.
155 *
156 * \note must decrement ref count before returning NULL on error
157 */
158 static void *handle_tcptls_connection(void *data)
159 {
160         struct ast_tcptls_session_instance *tcptls_session = data;
161 #ifdef DO_SSL
162         int (*ssl_setup)(SSL *) = (tcptls_session->client) ? SSL_connect : SSL_accept;
163         int ret;
164         char err[256];
165 #endif
166
167         /*
168         * open a FILE * as appropriate.
169         */
170         if (!tcptls_session->parent->tls_cfg) {
171                 if ((tcptls_session->f = fdopen(tcptls_session->fd, "w+"))) {
172                         if(setvbuf(tcptls_session->f, NULL, _IONBF, 0)) {
173                                 ast_tcptls_close_session_file(tcptls_session);
174                         }
175                 }
176         }
177 #ifdef DO_SSL
178         else if ( (tcptls_session->ssl = SSL_new(tcptls_session->parent->tls_cfg->ssl_ctx)) ) {
179                 SSL_set_fd(tcptls_session->ssl, tcptls_session->fd);
180                 if ((ret = ssl_setup(tcptls_session->ssl)) <= 0) {
181                         ast_verb(2, "Problem setting up ssl connection: %s\n", ERR_error_string(ERR_get_error(), err));
182                 } else {
183 #if defined(HAVE_FUNOPEN)       /* the BSD interface */
184                         tcptls_session->f = funopen(tcptls_session->ssl, ssl_read, ssl_write, NULL, ssl_close);
185
186 #elif defined(HAVE_FOPENCOOKIE) /* the glibc/linux interface */
187                         static const cookie_io_functions_t cookie_funcs = {
188                                 ssl_read, ssl_write, NULL, ssl_close
189                         };
190                         tcptls_session->f = fopencookie(tcptls_session->ssl, "w+", cookie_funcs);
191 #else
192                         /* could add other methods here */
193                         ast_debug(2, "no tcptls_session->f methods attempted!\n");
194 #endif
195                         if ((tcptls_session->client && !ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_DONT_VERIFY_SERVER))
196                                 || (!tcptls_session->client && ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_VERIFY_CLIENT))) {
197                                 X509 *peer;
198                                 long res;
199                                 peer = SSL_get_peer_certificate(tcptls_session->ssl);
200                                 if (!peer) {
201                                         ast_log(LOG_ERROR, "No peer SSL certificate to verify\n");
202                                         ast_tcptls_close_session_file(tcptls_session);
203                                         ao2_ref(tcptls_session, -1);
204                                         return NULL;
205                                 }
206
207                                 res = SSL_get_verify_result(tcptls_session->ssl);
208                                 if (res != X509_V_OK) {
209                                         ast_log(LOG_ERROR, "Certificate did not verify: %s\n", X509_verify_cert_error_string(res));
210                                         X509_free(peer);
211                                         ast_tcptls_close_session_file(tcptls_session);
212                                         ao2_ref(tcptls_session, -1);
213                                         return NULL;
214                                 }
215                                 if (!ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_IGNORE_COMMON_NAME)) {
216                                         ASN1_STRING *str;
217                                         unsigned char *str2;
218                                         X509_NAME *name = X509_get_subject_name(peer);
219                                         int pos = -1;
220                                         int found = 0;
221
222                                         for (;;) {
223                                                 /* Walk the certificate to check all available "Common Name" */
224                                                 /* XXX Probably should do a gethostbyname on the hostname and compare that as well */
225                                                 pos = X509_NAME_get_index_by_NID(name, NID_commonName, pos);
226                                                 if (pos < 0) {
227                                                         break;
228                                                 }
229                                                 str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, pos));
230                                                 ASN1_STRING_to_UTF8(&str2, str);
231                                                 if (str2) {
232                                                         if (!strcasecmp(tcptls_session->parent->hostname, (char *) str2)) {
233                                                                 found = 1;
234                                                         }
235                                                         ast_debug(3, "SSL Common Name compare s1='%s' s2='%s'\n", tcptls_session->parent->hostname, str2);
236                                                         OPENSSL_free(str2);
237                                                 }
238                                                 if (found) {
239                                                         break;
240                                                 }
241                                         }
242                                         if (!found) {
243                                                 ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", tcptls_session->parent->hostname);
244                                                 X509_free(peer);
245                                                 ast_tcptls_close_session_file(tcptls_session);
246                                                 ao2_ref(tcptls_session, -1);
247                                                 return NULL;
248                                         }
249                                 }
250                                 X509_free(peer);
251                         }
252                 }
253                 if (!tcptls_session->f) {       /* no success opening descriptor stacking */
254                         SSL_free(tcptls_session->ssl);
255                 }
256         }
257 #endif /* DO_SSL */
258
259         if (!tcptls_session->f) {
260                 ast_tcptls_close_session_file(tcptls_session);
261                 ast_log(LOG_WARNING, "FILE * open failed!\n");
262 #ifndef DO_SSL
263                 if (tcptls_session->parent->tls_cfg) {
264                         ast_log(LOG_WARNING, "Attempted a TLS connection without OpenSSL support. This will not work!\n");
265                 }
266 #endif
267                 ao2_ref(tcptls_session, -1);
268                 return NULL;
269         }
270
271         if (tcptls_session->parent->worker_fn) {
272                 return tcptls_session->parent->worker_fn(tcptls_session);
273         } else {
274                 return tcptls_session;
275         }
276 }
277
278 void *ast_tcptls_server_root(void *data)
279 {
280         struct ast_tcptls_session_args *desc = data;
281         int fd;
282         struct ast_sockaddr addr;
283         struct ast_tcptls_session_instance *tcptls_session;
284         pthread_t launched;
285
286         for (;;) {
287                 int i, flags;
288
289                 if (desc->periodic_fn) {
290                         desc->periodic_fn(desc);
291                 }
292                 i = ast_wait_for_input(desc->accept_fd, desc->poll_timeout);
293                 if (i <= 0) {
294                         continue;
295                 }
296                 fd = ast_accept(desc->accept_fd, &addr);
297                 if (fd < 0) {
298                         if ((errno != EAGAIN) && (errno != EINTR)) {
299                                 ast_log(LOG_WARNING, "Accept failed: %s\n", strerror(errno));
300                         }
301                         continue;
302                 }
303                 tcptls_session = ao2_alloc(sizeof(*tcptls_session), session_instance_destructor);
304                 if (!tcptls_session) {
305                         ast_log(LOG_WARNING, "No memory for new session: %s\n", strerror(errno));
306                         if (close(fd)) {
307                                 ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
308                         }
309                         continue;
310                 }
311
312                 tcptls_session->overflow_buf = ast_str_create(128);
313                 flags = fcntl(fd, F_GETFL);
314                 fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
315                 tcptls_session->fd = fd;
316                 tcptls_session->parent = desc;
317                 ast_sockaddr_copy(&tcptls_session->remote_address, &addr);
318
319                 tcptls_session->client = 0;
320
321                 /* This thread is now the only place that controls the single ref to tcptls_session */
322                 if (ast_pthread_create_detached_background(&launched, NULL, handle_tcptls_connection, tcptls_session)) {
323                         ast_log(LOG_WARNING, "Unable to launch helper thread: %s\n", strerror(errno));
324                         ast_tcptls_close_session_file(tcptls_session);
325                         ao2_ref(tcptls_session, -1);
326                 }
327         }
328         return NULL;
329 }
330
331 static int __ssl_setup(struct ast_tls_config *cfg, int client)
332 {
333 #ifndef DO_SSL
334         cfg->enabled = 0;
335         return 0;
336 #else
337         if (!cfg->enabled) {
338                 return 0;
339         }
340
341         /* Get rid of an old SSL_CTX since we're about to
342          * allocate a new one
343          */
344         if (cfg->ssl_ctx) {
345                 SSL_CTX_free(cfg->ssl_ctx);
346                 cfg->ssl_ctx = NULL;
347         }
348
349         if (client) {
350 #ifndef OPENSSL_NO_SSL2
351                 if (ast_test_flag(&cfg->flags, AST_SSL_SSLV2_CLIENT)) {
352                         cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method());
353                 } else
354 #endif
355                 if (ast_test_flag(&cfg->flags, AST_SSL_SSLV3_CLIENT)) {
356                         cfg->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
357                 } else if (ast_test_flag(&cfg->flags, AST_SSL_TLSV1_CLIENT)) {
358                         cfg->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
359                 } else {
360                         /* SSLv23_client_method() sends SSLv2, this was the original
361                          * default for ssl clients before the option was given to
362                          * pick what protocol a client should use.  In order not
363                          * to break expected behavior it remains the default. */
364                         cfg->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
365                 }
366         } else {
367                 /* SSLv23_server_method() supports TLSv1, SSLv2, and SSLv3 inbound connections. */
368                 cfg->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
369         }
370
371         if (!cfg->ssl_ctx) {
372                 ast_debug(1, "Sorry, SSL_CTX_new call returned null...\n");
373                 cfg->enabled = 0;
374                 return 0;
375         }
376
377         SSL_CTX_set_verify(cfg->ssl_ctx,
378                 ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,
379                 NULL);
380
381         if (!ast_strlen_zero(cfg->certfile)) {
382                 char *tmpprivate = ast_strlen_zero(cfg->pvtfile) ? cfg->certfile : cfg->pvtfile;
383                 if (SSL_CTX_use_certificate_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0) {
384                         if (!client) {
385                                 /* Clients don't need a certificate, but if its setup we can use it */
386                                 ast_verb(0, "SSL error loading cert file. <%s>\n", cfg->certfile);
387                                 cfg->enabled = 0;
388                                 SSL_CTX_free(cfg->ssl_ctx);
389                                 cfg->ssl_ctx = NULL;
390                                 return 0;
391                         }
392                 }
393                 if ((SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, tmpprivate, SSL_FILETYPE_PEM) == 0) || (SSL_CTX_check_private_key(cfg->ssl_ctx) == 0 )) {
394                         if (!client) {
395                                 /* Clients don't need a private key, but if its setup we can use it */
396                                 ast_verb(0, "SSL error loading private key file. <%s>\n", tmpprivate);
397                                 cfg->enabled = 0;
398                                 SSL_CTX_free(cfg->ssl_ctx);
399                                 cfg->ssl_ctx = NULL;
400                                 return 0;
401                         }
402                 }
403         }
404         if (!ast_strlen_zero(cfg->cipher)) {
405                 if (SSL_CTX_set_cipher_list(cfg->ssl_ctx, cfg->cipher) == 0 ) {
406                         if (!client) {
407                                 ast_verb(0, "SSL cipher error <%s>\n", cfg->cipher);
408                                 cfg->enabled = 0;
409                                 SSL_CTX_free(cfg->ssl_ctx);
410                                 cfg->ssl_ctx = NULL;
411                                 return 0;
412                         }
413                 }
414         }
415         if (!ast_strlen_zero(cfg->cafile) || !ast_strlen_zero(cfg->capath)) {
416                 if (SSL_CTX_load_verify_locations(cfg->ssl_ctx, S_OR(cfg->cafile, NULL), S_OR(cfg->capath,NULL)) == 0) {
417                         ast_verb(0, "SSL CA file(%s)/path(%s) error\n", cfg->cafile, cfg->capath);
418                 }
419         }
420
421         ast_verb(0, "SSL certificate ok\n");
422         return 1;
423 #endif
424 }
425
426 int ast_ssl_setup(struct ast_tls_config *cfg)
427 {
428         return __ssl_setup(cfg, 0);
429 }
430
431 void ast_ssl_teardown(struct ast_tls_config *cfg)
432 {
433 #ifdef DO_SSL
434         if (cfg->ssl_ctx) {
435                 SSL_CTX_free(cfg->ssl_ctx);
436                 cfg->ssl_ctx = NULL;
437         }
438 #endif
439 }
440
441 struct ast_tcptls_session_instance *ast_tcptls_client_start(struct ast_tcptls_session_instance *tcptls_session)
442 {
443         struct ast_tcptls_session_args *desc;
444         int flags;
445
446         if (!(desc = tcptls_session->parent)) {
447                 goto client_start_error;
448         }
449
450         if (ast_connect(desc->accept_fd, &desc->remote_address)) {
451                 ast_log(LOG_ERROR, "Unable to connect %s to %s: %s\n",
452                         desc->name,
453                         ast_sockaddr_stringify(&desc->remote_address),
454                         strerror(errno));
455                 goto client_start_error;
456         }
457
458         flags = fcntl(desc->accept_fd, F_GETFL);
459         fcntl(desc->accept_fd, F_SETFL, flags & ~O_NONBLOCK);
460
461         if (desc->tls_cfg) {
462                 desc->tls_cfg->enabled = 1;
463                 __ssl_setup(desc->tls_cfg, 1);
464         }
465
466         return handle_tcptls_connection(tcptls_session);
467
468 client_start_error:
469         if (desc) {
470                 close(desc->accept_fd);
471                 desc->accept_fd = -1;
472         }
473         ao2_ref(tcptls_session, -1);
474         return NULL;
475
476 }
477
478 struct ast_tcptls_session_instance *ast_tcptls_client_create(struct ast_tcptls_session_args *desc)
479 {
480         int x = 1;
481         struct ast_tcptls_session_instance *tcptls_session = NULL;
482
483         /* Do nothing if nothing has changed */
484         if (!ast_sockaddr_cmp(&desc->old_address, &desc->remote_address)) {
485                 ast_debug(1, "Nothing changed in %s\n", desc->name);
486                 return NULL;
487         }
488
489         /* If we return early, there is no connection */
490         ast_sockaddr_setnull(&desc->old_address);
491
492         if (desc->accept_fd != -1) {
493                 close(desc->accept_fd);
494         }
495
496         desc->accept_fd = socket(ast_sockaddr_is_ipv6(&desc->remote_address) ?
497                                  AF_INET6 : AF_INET, SOCK_STREAM, IPPROTO_TCP);
498         if (desc->accept_fd < 0) {
499                 ast_log(LOG_WARNING, "Unable to allocate socket for %s: %s\n",
500                         desc->name, strerror(errno));
501                 return NULL;
502         }
503
504         /* if a local address was specified, bind to it so the connection will
505            originate from the desired address */
506         if (!ast_sockaddr_isnull(&desc->local_address)) {
507                 setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
508                 if (ast_bind(desc->accept_fd, &desc->local_address)) {
509                         ast_log(LOG_ERROR, "Unable to bind %s to %s: %s\n",
510                                 desc->name,
511                                 ast_sockaddr_stringify(&desc->local_address),
512                                 strerror(errno));
513                         goto error;
514                 }
515         }
516
517         if (!(tcptls_session = ao2_alloc(sizeof(*tcptls_session), session_instance_destructor))) {
518                 goto error;
519         }
520
521         tcptls_session->overflow_buf = ast_str_create(128);
522         tcptls_session->client = 1;
523         tcptls_session->fd = desc->accept_fd;
524         tcptls_session->parent = desc;
525         tcptls_session->parent->worker_fn = NULL;
526         ast_sockaddr_copy(&tcptls_session->remote_address,
527                           &desc->remote_address);
528
529         /* Set current info */
530         ast_sockaddr_copy(&desc->old_address, &desc->remote_address);
531         return tcptls_session;
532
533 error:
534         close(desc->accept_fd);
535         desc->accept_fd = -1;
536         if (tcptls_session) {
537                 ao2_ref(tcptls_session, -1);
538         }
539         return NULL;
540 }
541
542 void ast_tcptls_server_start(struct ast_tcptls_session_args *desc)
543 {
544         int flags;
545         int x = 1;
546
547         /* Do nothing if nothing has changed */
548         if (!ast_sockaddr_cmp(&desc->old_address, &desc->local_address)) {
549                 ast_debug(1, "Nothing changed in %s\n", desc->name);
550                 return;
551         }
552
553         /* If we return early, there is no one listening */
554         ast_sockaddr_setnull(&desc->old_address);
555
556         /* Shutdown a running server if there is one */
557         if (desc->master != AST_PTHREADT_NULL) {
558                 pthread_cancel(desc->master);
559                 pthread_kill(desc->master, SIGURG);
560                 pthread_join(desc->master, NULL);
561         }
562
563         if (desc->accept_fd != -1) {
564                 close(desc->accept_fd);
565         }
566
567         /* If there's no new server, stop here */
568         if (ast_sockaddr_isnull(&desc->local_address)) {
569                 ast_debug(2, "Server disabled:  %s\n", desc->name);
570                 return;
571         }
572
573         desc->accept_fd = socket(ast_sockaddr_is_ipv6(&desc->local_address) ?
574                                  AF_INET6 : AF_INET, SOCK_STREAM, 0);
575         if (desc->accept_fd < 0) {
576                 ast_log(LOG_ERROR, "Unable to allocate socket for %s: %s\n", desc->name, strerror(errno));
577                 return;
578         }
579
580         setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
581         if (ast_bind(desc->accept_fd, &desc->local_address)) {
582                 ast_log(LOG_ERROR, "Unable to bind %s to %s: %s\n",
583                         desc->name,
584                         ast_sockaddr_stringify(&desc->local_address),
585                         strerror(errno));
586                 goto error;
587         }
588         if (listen(desc->accept_fd, 10)) {
589                 ast_log(LOG_ERROR, "Unable to listen for %s!\n", desc->name);
590                 goto error;
591         }
592         flags = fcntl(desc->accept_fd, F_GETFL);
593         fcntl(desc->accept_fd, F_SETFL, flags | O_NONBLOCK);
594         if (ast_pthread_create_background(&desc->master, NULL, desc->accept_fn, desc)) {
595                 ast_log(LOG_ERROR, "Unable to launch thread for %s on %s: %s\n",
596                         desc->name,
597                         ast_sockaddr_stringify(&desc->local_address),
598                         strerror(errno));
599                 goto error;
600         }
601
602         /* Set current info */
603         ast_sockaddr_copy(&desc->old_address, &desc->local_address);
604
605         return;
606
607 error:
608         close(desc->accept_fd);
609         desc->accept_fd = -1;
610 }
611
612 void ast_tcptls_close_session_file(struct ast_tcptls_session_instance *tcptls_session)
613 {
614         if (tcptls_session->f) {
615                 if (fclose(tcptls_session->f)) {
616                         ast_log(LOG_ERROR, "fclose() failed: %s\n", strerror(errno));
617                 }
618                 tcptls_session->f = NULL;
619                 tcptls_session->fd = -1;
620         } else if (tcptls_session->fd != -1) {
621                 if (close(tcptls_session->fd)) {
622                         ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
623                 }
624                 tcptls_session->fd = -1;
625         } else {
626                 ast_log(LOG_ERROR, "ast_tcptls_close_session_file invoked on session instance without file or file descriptor\n");
627         }
628 }
629
630 void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc)
631 {
632         if (desc->master != AST_PTHREADT_NULL) {
633                 pthread_cancel(desc->master);
634                 pthread_kill(desc->master, SIGURG);
635                 pthread_join(desc->master, NULL);
636                 desc->master = AST_PTHREADT_NULL;
637         }
638         if (desc->accept_fd != -1) {
639                 close(desc->accept_fd);
640         }
641         desc->accept_fd = -1;
642         ast_debug(2, "Stopped server :: %s\n", desc->name);
643 }
644
645 int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value)
646 {
647         if (!strcasecmp(varname, "tlsenable") || !strcasecmp(varname, "sslenable")) {
648                 tls_cfg->enabled = ast_true(value) ? 1 : 0;
649         } else if (!strcasecmp(varname, "tlscertfile") || !strcasecmp(varname, "sslcert") || !strcasecmp(varname, "tlscert")) {
650                 ast_free(tls_cfg->certfile);
651                 tls_cfg->certfile = ast_strdup(value);
652         } else if (!strcasecmp(varname, "tlsprivatekey") || !strcasecmp(varname, "sslprivatekey")) {
653                 ast_free(tls_cfg->pvtfile);
654                 tls_cfg->pvtfile = ast_strdup(value);
655         } else if (!strcasecmp(varname, "tlscipher") || !strcasecmp(varname, "sslcipher")) {
656                 ast_free(tls_cfg->cipher);
657                 tls_cfg->cipher = ast_strdup(value);
658         } else if (!strcasecmp(varname, "tlscafile")) {
659                 ast_free(tls_cfg->cafile);
660                 tls_cfg->cafile = ast_strdup(value);
661         } else if (!strcasecmp(varname, "tlscapath") || !strcasecmp(varname, "tlscadir")) {
662                 ast_free(tls_cfg->capath);
663                 tls_cfg->capath = ast_strdup(value);
664         } else if (!strcasecmp(varname, "tlsverifyclient")) {
665                 ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_VERIFY_CLIENT);
666         } else if (!strcasecmp(varname, "tlsdontverifyserver")) {
667                 ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DONT_VERIFY_SERVER);
668         } else if (!strcasecmp(varname, "tlsbindaddr") || !strcasecmp(varname, "sslbindaddr")) {
669                 if (ast_parse_arg(value, PARSE_ADDR, &tls_desc->local_address))
670                         ast_log(LOG_WARNING, "Invalid %s '%s'\n", varname, value);
671         } else if (!strcasecmp(varname, "tlsclientmethod") || !strcasecmp(varname, "sslclientmethod")) {
672                 if (!strcasecmp(value, "tlsv1")) {
673                         ast_set_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
674                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
675                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
676                 } else if (!strcasecmp(value, "sslv3")) {
677                         ast_set_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
678                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
679                         ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
680                 } else if (!strcasecmp(value, "sslv2")) {
681                         ast_set_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
682                         ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
683                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
684                 }
685         } else {
686                 return -1;
687         }
688
689         return 0;
690 }