Do not use a FILE handle when doing SIP TCP reads.
[asterisk/asterisk.git] / main / tcptls.c
1 /*
2  * Asterisk -- An open source telephony toolkit.
3  *
4  * Copyright (C) 2007 - 2008, Digium, Inc.
5  *
6  * Luigi Rizzo (TCP and TLS server code)
7  * Brett Bryant <brettbryant@gmail.com> (updated for client support)
8  *
9  * See http://www.asterisk.org for more information about
10  * the Asterisk project. Please do not directly contact
11  * any of the maintainers of this project for assistance;
12  * the project provides a web site, mailing lists and IRC
13  * channels for your use.
14  *
15  * This program is free software, distributed under the terms of
16  * the GNU General Public License Version 2. See the LICENSE file
17  * at the top of the source tree.
18  */
19
20 /*!
21  * \file
22  * \brief Code to support TCP and TLS server/client
23  *
24  * \author Luigi Rizzo
25  * \author Brett Bryant <brettbryant@gmail.com>
26  */
27
28 /*** MODULEINFO
29         <support_level>core</support_level>
30  ***/
31
32 #include "asterisk.h"
33
34 ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
35
36 #ifdef HAVE_FCNTL_H
37 #include <fcntl.h>
38 #endif
39
40 #include <signal.h>
41 #include <sys/signal.h>
42
43 #include "asterisk/compat.h"
44 #include "asterisk/tcptls.h"
45 #include "asterisk/http.h"
46 #include "asterisk/utils.h"
47 #include "asterisk/strings.h"
48 #include "asterisk/options.h"
49 #include "asterisk/manager.h"
50 #include "asterisk/astobj2.h"
51
52 /*! \brief
53  * replacement read/write functions for SSL support.
54  * We use wrappers rather than SSL_read/SSL_write directly so
55  * we can put in some debugging.
56  */
57
58 #ifdef DO_SSL
59 static HOOK_T ssl_read(void *cookie, char *buf, LEN_T len)
60 {
61         int i = SSL_read(cookie, buf, len-1);
62 #if 0
63         if (i >= 0) {
64                 buf[i] = '\0';
65         }
66         ast_verb(0, "ssl read size %d returns %d <%s>\n", (int)len, i, buf);
67 #endif
68         return i;
69 }
70
71 static HOOK_T ssl_write(void *cookie, const char *buf, LEN_T len)
72 {
73 #if 0
74         char *s = ast_alloca(len+1);
75
76         strncpy(s, buf, len);
77         s[len] = '\0';
78         ast_verb(0, "ssl write size %d <%s>\n", (int)len, s);
79 #endif
80         return SSL_write(cookie, buf, len);
81 }
82
83 static int ssl_close(void *cookie)
84 {
85         int cookie_fd = SSL_get_fd(cookie);
86         int ret;
87
88         if (cookie_fd > -1) {
89                 /*
90                  * According to the TLS standard, it is acceptable for an application to only send its shutdown
91                  * alert and then close the underlying connection without waiting for the peer's response (this
92                  * way resources can be saved, as the process can already terminate or serve another connection).
93                  */
94                 if ((ret = SSL_shutdown(cookie)) < 0) {
95                         ast_log(LOG_ERROR, "SSL_shutdown() failed: %d\n", SSL_get_error(cookie, ret));
96                 }
97
98                 if (!((SSL*)cookie)->server) {
99                         /* For client threads, ensure that the error stack is cleared */
100                         ERR_remove_state(0);
101                 }
102
103                 SSL_free(cookie);
104                 /* adding shutdown(2) here has no added benefit */
105                 if (close(cookie_fd)) {
106                         ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
107                 }
108         }
109         return 0;
110 }
111 #endif  /* DO_SSL */
112
113 HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *tcptls_session, void *buf, size_t count)
114 {
115         if (tcptls_session->fd == -1) {
116                 ast_log(LOG_ERROR, "server_read called with an fd of -1\n");
117                 errno = EIO;
118                 return -1;
119         }
120
121 #ifdef DO_SSL
122         if (tcptls_session->ssl) {
123                 return ssl_read(tcptls_session->ssl, buf, count);
124         }
125 #endif
126         return read(tcptls_session->fd, buf, count);
127 }
128
129 HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *tcptls_session, const void *buf, size_t count)
130 {
131         if (tcptls_session->fd == -1) {
132                 ast_log(LOG_ERROR, "server_write called with an fd of -1\n");
133                 errno = EIO;
134                 return -1;
135         }
136
137 #ifdef DO_SSL
138         if (tcptls_session->ssl) {
139                 return ssl_write(tcptls_session->ssl, buf, count);
140         }
141 #endif
142         return write(tcptls_session->fd, buf, count);
143 }
144
145 static void session_instance_destructor(void *obj)
146 {
147         struct ast_tcptls_session_instance *i = obj;
148         ast_free(i->overflow_buf);
149 }
150
151 /*! \brief
152 * creates a FILE * from the fd passed by the accept thread.
153 * This operation is potentially expensive (certificate verification),
154 * so we do it in the child thread context.
155 *
156 * \note must decrement ref count before returning NULL on error
157 */
158 static void *handle_tcptls_connection(void *data)
159 {
160         struct ast_tcptls_session_instance *tcptls_session = data;
161 #ifdef DO_SSL
162         int (*ssl_setup)(SSL *) = (tcptls_session->client) ? SSL_connect : SSL_accept;
163         int ret;
164         char err[256];
165 #endif
166
167         /*
168         * open a FILE * as appropriate.
169         */
170         if (!tcptls_session->parent->tls_cfg) {
171                 if ((tcptls_session->f = fdopen(tcptls_session->fd, "w+"))) {
172                         if(setvbuf(tcptls_session->f, NULL, _IONBF, 0)) {
173                                 ast_tcptls_close_session_file(tcptls_session);
174                         }
175                 }
176         }
177 #ifdef DO_SSL
178         else if ( (tcptls_session->ssl = SSL_new(tcptls_session->parent->tls_cfg->ssl_ctx)) ) {
179                 SSL_set_fd(tcptls_session->ssl, tcptls_session->fd);
180                 if ((ret = ssl_setup(tcptls_session->ssl)) <= 0) {
181                         ast_verb(2, "Problem setting up ssl connection: %s\n", ERR_error_string(ERR_get_error(), err));
182                 } else {
183 #if defined(HAVE_FUNOPEN)       /* the BSD interface */
184                         tcptls_session->f = funopen(tcptls_session->ssl, ssl_read, ssl_write, NULL, ssl_close);
185
186 #elif defined(HAVE_FOPENCOOKIE) /* the glibc/linux interface */
187                         static const cookie_io_functions_t cookie_funcs = {
188                                 ssl_read, ssl_write, NULL, ssl_close
189                         };
190                         tcptls_session->f = fopencookie(tcptls_session->ssl, "w+", cookie_funcs);
191 #else
192                         /* could add other methods here */
193                         ast_debug(2, "no tcptls_session->f methods attempted!\n");
194 #endif
195                         if ((tcptls_session->client && !ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_DONT_VERIFY_SERVER))
196                                 || (!tcptls_session->client && ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_VERIFY_CLIENT))) {
197                                 X509 *peer;
198                                 long res;
199                                 peer = SSL_get_peer_certificate(tcptls_session->ssl);
200                                 if (!peer) {
201                                         ast_log(LOG_WARNING, "No peer SSL certificate\n");
202                                 }
203                                 res = SSL_get_verify_result(tcptls_session->ssl);
204                                 if (res != X509_V_OK) {
205                                         ast_log(LOG_ERROR, "Certificate did not verify: %s\n", X509_verify_cert_error_string(res));
206                                 }
207                                 if (!ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_IGNORE_COMMON_NAME)) {
208                                         ASN1_STRING *str;
209                                         unsigned char *str2;
210                                         X509_NAME *name = X509_get_subject_name(peer);
211                                         int pos = -1;
212                                         int found = 0;
213
214                                         for (;;) {
215                                                 /* Walk the certificate to check all available "Common Name" */
216                                                 /* XXX Probably should do a gethostbyname on the hostname and compare that as well */
217                                                 pos = X509_NAME_get_index_by_NID(name, NID_commonName, pos);
218                                                 if (pos < 0) {
219                                                         break;
220                                                 }
221                                                 str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, pos));
222                                                 ASN1_STRING_to_UTF8(&str2, str);
223                                                 if (str2) {
224                                                         if (!strcasecmp(tcptls_session->parent->hostname, (char *) str2)) {
225                                                                 found = 1;
226                                                         }
227                                                         ast_debug(3, "SSL Common Name compare s1='%s' s2='%s'\n", tcptls_session->parent->hostname, str2);
228                                                         OPENSSL_free(str2);
229                                                 }
230                                                 if (found) {
231                                                         break;
232                                                 }
233                                         }
234                                         if (!found) {
235                                                 ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", tcptls_session->parent->hostname);
236                                                 if (peer) {
237                                                         X509_free(peer);
238                                                 }
239                                                 ast_tcptls_close_session_file(tcptls_session);
240                                                 ao2_ref(tcptls_session, -1);
241                                                 return NULL;
242                                         }
243                                 }
244                                 if (peer) {
245                                         X509_free(peer);
246                                 }
247                         }
248                 }
249                 if (!tcptls_session->f) {       /* no success opening descriptor stacking */
250                         SSL_free(tcptls_session->ssl);
251                 }
252         }
253 #endif /* DO_SSL */
254
255         if (!tcptls_session->f) {
256                 ast_tcptls_close_session_file(tcptls_session);
257                 ast_log(LOG_WARNING, "FILE * open failed!\n");
258 #ifndef DO_SSL
259                 if (tcptls_session->parent->tls_cfg) {
260                         ast_log(LOG_WARNING, "Attempted a TLS connection without OpenSSL support. This will not work!\n");
261                 }
262 #endif
263                 ao2_ref(tcptls_session, -1);
264                 return NULL;
265         }
266
267         if (tcptls_session->parent->worker_fn) {
268                 return tcptls_session->parent->worker_fn(tcptls_session);
269         } else {
270                 return tcptls_session;
271         }
272 }
273
274 void *ast_tcptls_server_root(void *data)
275 {
276         struct ast_tcptls_session_args *desc = data;
277         int fd;
278         struct ast_sockaddr addr;
279         struct ast_tcptls_session_instance *tcptls_session;
280         pthread_t launched;
281
282         for (;;) {
283                 int i, flags;
284
285                 if (desc->periodic_fn) {
286                         desc->periodic_fn(desc);
287                 }
288                 i = ast_wait_for_input(desc->accept_fd, desc->poll_timeout);
289                 if (i <= 0) {
290                         continue;
291                 }
292                 fd = ast_accept(desc->accept_fd, &addr);
293                 if (fd < 0) {
294                         if ((errno != EAGAIN) && (errno != EINTR)) {
295                                 ast_log(LOG_WARNING, "Accept failed: %s\n", strerror(errno));
296                         }
297                         continue;
298                 }
299                 tcptls_session = ao2_alloc(sizeof(*tcptls_session), session_instance_destructor);
300                 if (!tcptls_session) {
301                         ast_log(LOG_WARNING, "No memory for new session: %s\n", strerror(errno));
302                         if (close(fd)) {
303                                 ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
304                         }
305                         continue;
306                 }
307
308                 tcptls_session->overflow_buf = ast_str_create(128);
309                 flags = fcntl(fd, F_GETFL);
310                 fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
311                 tcptls_session->fd = fd;
312                 tcptls_session->parent = desc;
313                 ast_sockaddr_copy(&tcptls_session->remote_address, &addr);
314
315                 tcptls_session->client = 0;
316
317                 /* This thread is now the only place that controls the single ref to tcptls_session */
318                 if (ast_pthread_create_detached_background(&launched, NULL, handle_tcptls_connection, tcptls_session)) {
319                         ast_log(LOG_WARNING, "Unable to launch helper thread: %s\n", strerror(errno));
320                         ast_tcptls_close_session_file(tcptls_session);
321                         ao2_ref(tcptls_session, -1);
322                 }
323         }
324         return NULL;
325 }
326
327 static int __ssl_setup(struct ast_tls_config *cfg, int client)
328 {
329 #ifndef DO_SSL
330         cfg->enabled = 0;
331         return 0;
332 #else
333         if (!cfg->enabled) {
334                 return 0;
335         }
336
337         /* Get rid of an old SSL_CTX since we're about to
338          * allocate a new one
339          */
340         if (cfg->ssl_ctx) {
341                 SSL_CTX_free(cfg->ssl_ctx);
342                 cfg->ssl_ctx = NULL;
343         }
344
345         if (client) {
346 #ifndef OPENSSL_NO_SSL2
347                 if (ast_test_flag(&cfg->flags, AST_SSL_SSLV2_CLIENT)) {
348                         cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method());
349                 } else
350 #endif
351                 if (ast_test_flag(&cfg->flags, AST_SSL_SSLV3_CLIENT)) {
352                         cfg->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
353                 } else if (ast_test_flag(&cfg->flags, AST_SSL_TLSV1_CLIENT)) {
354                         cfg->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
355                 } else {
356                         /* SSLv23_client_method() sends SSLv2, this was the original
357                          * default for ssl clients before the option was given to
358                          * pick what protocol a client should use.  In order not
359                          * to break expected behavior it remains the default. */
360                         cfg->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
361                 }
362         } else {
363                 /* SSLv23_server_method() supports TLSv1, SSLv2, and SSLv3 inbound connections. */
364                 cfg->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
365         }
366
367         if (!cfg->ssl_ctx) {
368                 ast_debug(1, "Sorry, SSL_CTX_new call returned null...\n");
369                 cfg->enabled = 0;
370                 return 0;
371         }
372         if (!ast_strlen_zero(cfg->certfile)) {
373                 char *tmpprivate = ast_strlen_zero(cfg->pvtfile) ? cfg->certfile : cfg->pvtfile;
374                 if (SSL_CTX_use_certificate_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0) {
375                         if (!client) {
376                                 /* Clients don't need a certificate, but if its setup we can use it */
377                                 ast_verb(0, "SSL error loading cert file. <%s>\n", cfg->certfile);
378                                 cfg->enabled = 0;
379                                 SSL_CTX_free(cfg->ssl_ctx);
380                                 cfg->ssl_ctx = NULL;
381                                 return 0;
382                         }
383                 }
384                 if ((SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, tmpprivate, SSL_FILETYPE_PEM) == 0) || (SSL_CTX_check_private_key(cfg->ssl_ctx) == 0 )) {
385                         if (!client) {
386                                 /* Clients don't need a private key, but if its setup we can use it */
387                                 ast_verb(0, "SSL error loading private key file. <%s>\n", tmpprivate);
388                                 cfg->enabled = 0;
389                                 SSL_CTX_free(cfg->ssl_ctx);
390                                 cfg->ssl_ctx = NULL;
391                                 return 0;
392                         }
393                 }
394         }
395         if (!ast_strlen_zero(cfg->cipher)) {
396                 if (SSL_CTX_set_cipher_list(cfg->ssl_ctx, cfg->cipher) == 0 ) {
397                         if (!client) {
398                                 ast_verb(0, "SSL cipher error <%s>\n", cfg->cipher);
399                                 cfg->enabled = 0;
400                                 SSL_CTX_free(cfg->ssl_ctx);
401                                 cfg->ssl_ctx = NULL;
402                                 return 0;
403                         }
404                 }
405         }
406         if (!ast_strlen_zero(cfg->cafile) || !ast_strlen_zero(cfg->capath)) {
407                 if (SSL_CTX_load_verify_locations(cfg->ssl_ctx, S_OR(cfg->cafile, NULL), S_OR(cfg->capath,NULL)) == 0) {
408                         ast_verb(0, "SSL CA file(%s)/path(%s) error\n", cfg->cafile, cfg->capath);
409                 }
410         }
411
412         ast_verb(0, "SSL certificate ok\n");
413         return 1;
414 #endif
415 }
416
417 int ast_ssl_setup(struct ast_tls_config *cfg)
418 {
419         return __ssl_setup(cfg, 0);
420 }
421
422 void ast_ssl_teardown(struct ast_tls_config *cfg)
423 {
424 #ifdef DO_SSL
425         if (cfg->ssl_ctx) {
426                 SSL_CTX_free(cfg->ssl_ctx);
427                 cfg->ssl_ctx = NULL;
428         }
429 #endif
430 }
431
432 struct ast_tcptls_session_instance *ast_tcptls_client_start(struct ast_tcptls_session_instance *tcptls_session)
433 {
434         struct ast_tcptls_session_args *desc;
435         int flags;
436
437         if (!(desc = tcptls_session->parent)) {
438                 goto client_start_error;
439         }
440
441         if (ast_connect(desc->accept_fd, &desc->remote_address)) {
442                 ast_log(LOG_ERROR, "Unable to connect %s to %s: %s\n",
443                         desc->name,
444                         ast_sockaddr_stringify(&desc->remote_address),
445                         strerror(errno));
446                 goto client_start_error;
447         }
448
449         flags = fcntl(desc->accept_fd, F_GETFL);
450         fcntl(desc->accept_fd, F_SETFL, flags & ~O_NONBLOCK);
451
452         if (desc->tls_cfg) {
453                 desc->tls_cfg->enabled = 1;
454                 __ssl_setup(desc->tls_cfg, 1);
455         }
456
457         return handle_tcptls_connection(tcptls_session);
458
459 client_start_error:
460         if (desc) {
461                 close(desc->accept_fd);
462                 desc->accept_fd = -1;
463         }
464         ao2_ref(tcptls_session, -1);
465         return NULL;
466
467 }
468
469 struct ast_tcptls_session_instance *ast_tcptls_client_create(struct ast_tcptls_session_args *desc)
470 {
471         int x = 1;
472         struct ast_tcptls_session_instance *tcptls_session = NULL;
473
474         /* Do nothing if nothing has changed */
475         if (!ast_sockaddr_cmp(&desc->old_address, &desc->remote_address)) {
476                 ast_debug(1, "Nothing changed in %s\n", desc->name);
477                 return NULL;
478         }
479
480         /* If we return early, there is no connection */
481         ast_sockaddr_setnull(&desc->old_address);
482
483         if (desc->accept_fd != -1) {
484                 close(desc->accept_fd);
485         }
486
487         desc->accept_fd = socket(ast_sockaddr_is_ipv6(&desc->remote_address) ?
488                                  AF_INET6 : AF_INET, SOCK_STREAM, IPPROTO_TCP);
489         if (desc->accept_fd < 0) {
490                 ast_log(LOG_WARNING, "Unable to allocate socket for %s: %s\n",
491                         desc->name, strerror(errno));
492                 return NULL;
493         }
494
495         /* if a local address was specified, bind to it so the connection will
496            originate from the desired address */
497         if (!ast_sockaddr_isnull(&desc->local_address)) {
498                 setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
499                 if (ast_bind(desc->accept_fd, &desc->local_address)) {
500                         ast_log(LOG_ERROR, "Unable to bind %s to %s: %s\n",
501                                 desc->name,
502                                 ast_sockaddr_stringify(&desc->local_address),
503                                 strerror(errno));
504                         goto error;
505                 }
506         }
507
508         if (!(tcptls_session = ao2_alloc(sizeof(*tcptls_session), session_instance_destructor))) {
509                 goto error;
510         }
511
512         tcptls_session->overflow_buf = ast_str_create(128);
513         tcptls_session->client = 1;
514         tcptls_session->fd = desc->accept_fd;
515         tcptls_session->parent = desc;
516         tcptls_session->parent->worker_fn = NULL;
517         ast_sockaddr_copy(&tcptls_session->remote_address,
518                           &desc->remote_address);
519
520         /* Set current info */
521         ast_sockaddr_copy(&desc->old_address, &desc->remote_address);
522         return tcptls_session;
523
524 error:
525         close(desc->accept_fd);
526         desc->accept_fd = -1;
527         if (tcptls_session) {
528                 ao2_ref(tcptls_session, -1);
529         }
530         return NULL;
531 }
532
533 void ast_tcptls_server_start(struct ast_tcptls_session_args *desc)
534 {
535         int flags;
536         int x = 1;
537
538         /* Do nothing if nothing has changed */
539         if (!ast_sockaddr_cmp(&desc->old_address, &desc->local_address)) {
540                 ast_debug(1, "Nothing changed in %s\n", desc->name);
541                 return;
542         }
543
544         /* If we return early, there is no one listening */
545         ast_sockaddr_setnull(&desc->old_address);
546
547         /* Shutdown a running server if there is one */
548         if (desc->master != AST_PTHREADT_NULL) {
549                 pthread_cancel(desc->master);
550                 pthread_kill(desc->master, SIGURG);
551                 pthread_join(desc->master, NULL);
552         }
553
554         if (desc->accept_fd != -1) {
555                 close(desc->accept_fd);
556         }
557
558         /* If there's no new server, stop here */
559         if (ast_sockaddr_isnull(&desc->local_address)) {
560                 ast_debug(2, "Server disabled:  %s\n", desc->name);
561                 return;
562         }
563
564         desc->accept_fd = socket(ast_sockaddr_is_ipv6(&desc->local_address) ?
565                                  AF_INET6 : AF_INET, SOCK_STREAM, 0);
566         if (desc->accept_fd < 0) {
567                 ast_log(LOG_ERROR, "Unable to allocate socket for %s: %s\n", desc->name, strerror(errno));
568                 return;
569         }
570
571         setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
572         if (ast_bind(desc->accept_fd, &desc->local_address)) {
573                 ast_log(LOG_ERROR, "Unable to bind %s to %s: %s\n",
574                         desc->name,
575                         ast_sockaddr_stringify(&desc->local_address),
576                         strerror(errno));
577                 goto error;
578         }
579         if (listen(desc->accept_fd, 10)) {
580                 ast_log(LOG_ERROR, "Unable to listen for %s!\n", desc->name);
581                 goto error;
582         }
583         flags = fcntl(desc->accept_fd, F_GETFL);
584         fcntl(desc->accept_fd, F_SETFL, flags | O_NONBLOCK);
585         if (ast_pthread_create_background(&desc->master, NULL, desc->accept_fn, desc)) {
586                 ast_log(LOG_ERROR, "Unable to launch thread for %s on %s: %s\n",
587                         desc->name,
588                         ast_sockaddr_stringify(&desc->local_address),
589                         strerror(errno));
590                 goto error;
591         }
592
593         /* Set current info */
594         ast_sockaddr_copy(&desc->old_address, &desc->local_address);
595
596         return;
597
598 error:
599         close(desc->accept_fd);
600         desc->accept_fd = -1;
601 }
602
603 void ast_tcptls_close_session_file(struct ast_tcptls_session_instance *tcptls_session)
604 {
605         if (tcptls_session->f) {
606                 if (fclose(tcptls_session->f)) {
607                         ast_log(LOG_ERROR, "fclose() failed: %s\n", strerror(errno));
608                 }
609                 tcptls_session->f = NULL;
610                 tcptls_session->fd = -1;
611         } else if (tcptls_session->fd != -1) {
612                 if (close(tcptls_session->fd)) {
613                         ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
614                 }
615                 tcptls_session->fd = -1;
616         } else {
617                 ast_log(LOG_ERROR, "ast_tcptls_close_session_file invoked on session instance without file or file descriptor\n");
618         }
619 }
620
621 void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc)
622 {
623         if (desc->master != AST_PTHREADT_NULL) {
624                 pthread_cancel(desc->master);
625                 pthread_kill(desc->master, SIGURG);
626                 pthread_join(desc->master, NULL);
627                 desc->master = AST_PTHREADT_NULL;
628         }
629         if (desc->accept_fd != -1) {
630                 close(desc->accept_fd);
631         }
632         desc->accept_fd = -1;
633         ast_debug(2, "Stopped server :: %s\n", desc->name);
634 }
635
636 int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value)
637 {
638         if (!strcasecmp(varname, "tlsenable") || !strcasecmp(varname, "sslenable")) {
639                 tls_cfg->enabled = ast_true(value) ? 1 : 0;
640         } else if (!strcasecmp(varname, "tlscertfile") || !strcasecmp(varname, "sslcert") || !strcasecmp(varname, "tlscert")) {
641                 ast_free(tls_cfg->certfile);
642                 tls_cfg->certfile = ast_strdup(value);
643         } else if (!strcasecmp(varname, "tlsprivatekey") || !strcasecmp(varname, "sslprivatekey")) {
644                 ast_free(tls_cfg->pvtfile);
645                 tls_cfg->pvtfile = ast_strdup(value);
646         } else if (!strcasecmp(varname, "tlscipher") || !strcasecmp(varname, "sslcipher")) {
647                 ast_free(tls_cfg->cipher);
648                 tls_cfg->cipher = ast_strdup(value);
649         } else if (!strcasecmp(varname, "tlscafile")) {
650                 ast_free(tls_cfg->cafile);
651                 tls_cfg->cafile = ast_strdup(value);
652         } else if (!strcasecmp(varname, "tlscapath") || !strcasecmp(varname, "tlscadir")) {
653                 ast_free(tls_cfg->capath);
654                 tls_cfg->capath = ast_strdup(value);
655         } else if (!strcasecmp(varname, "tlsverifyclient")) {
656                 ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_VERIFY_CLIENT);
657         } else if (!strcasecmp(varname, "tlsdontverifyserver")) {
658                 ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DONT_VERIFY_SERVER);
659         } else if (!strcasecmp(varname, "tlsbindaddr") || !strcasecmp(varname, "sslbindaddr")) {
660                 if (ast_parse_arg(value, PARSE_ADDR, &tls_desc->local_address))
661                         ast_log(LOG_WARNING, "Invalid %s '%s'\n", varname, value);
662         } else if (!strcasecmp(varname, "tlsclientmethod") || !strcasecmp(varname, "sslclientmethod")) {
663                 if (!strcasecmp(value, "tlsv1")) {
664                         ast_set_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
665                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
666                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
667                 } else if (!strcasecmp(value, "sslv3")) {
668                         ast_set_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
669                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
670                         ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
671                 } else if (!strcasecmp(value, "sslv2")) {
672                         ast_set_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
673                         ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
674                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
675                 }
676         } else {
677                 return -1;
678         }
679
680         return 0;
681 }