Coverity Report: Fix issues for error type REVERSE_INULL (core modules)
[asterisk/asterisk.git] / main / tcptls.c
1 /*
2  * Asterisk -- An open source telephony toolkit.
3  *
4  * Copyright (C) 2007 - 2008, Digium, Inc.
5  *
6  * Luigi Rizzo (TCP and TLS server code)
7  * Brett Bryant <brettbryant@gmail.com> (updated for client support)
8  *
9  * See http://www.asterisk.org for more information about
10  * the Asterisk project. Please do not directly contact
11  * any of the maintainers of this project for assistance;
12  * the project provides a web site, mailing lists and IRC
13  * channels for your use.
14  *
15  * This program is free software, distributed under the terms of
16  * the GNU General Public License Version 2. See the LICENSE file
17  * at the top of the source tree.
18  */
19
20 /*!
21  * \file
22  * \brief Code to support TCP and TLS server/client
23  *
24  * \author Luigi Rizzo
25  * \author Brett Bryant <brettbryant@gmail.com>
26  */
27
28 #include "asterisk.h"
29
30 ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
31
32 #ifdef HAVE_FCNTL_H
33 #include <fcntl.h>
34 #endif
35
36 #include <signal.h>
37 #include <sys/signal.h>
38
39 #include "asterisk/compat.h"
40 #include "asterisk/tcptls.h"
41 #include "asterisk/http.h"
42 #include "asterisk/utils.h"
43 #include "asterisk/strings.h"
44 #include "asterisk/options.h"
45 #include "asterisk/manager.h"
46 #include "asterisk/astobj2.h"
47
48 /*! \brief
49  * replacement read/write functions for SSL support.
50  * We use wrappers rather than SSL_read/SSL_write directly so
51  * we can put in some debugging.
52  */
53
54 #ifdef DO_SSL
55 static HOOK_T ssl_read(void *cookie, char *buf, LEN_T len)
56 {
57         int i = SSL_read(cookie, buf, len-1);
58 #if 0
59         if (i >= 0) {
60                 buf[i] = '\0';
61         }
62         ast_verb(0, "ssl read size %d returns %d <%s>\n", (int)len, i, buf);
63 #endif
64         return i;
65 }
66
67 static HOOK_T ssl_write(void *cookie, const char *buf, LEN_T len)
68 {
69 #if 0
70         char *s = alloca(len+1);
71
72         strncpy(s, buf, len);
73         s[len] = '\0';
74         ast_verb(0, "ssl write size %d <%s>\n", (int)len, s);
75 #endif
76         return SSL_write(cookie, buf, len);
77 }
78
79 static int ssl_close(void *cookie)
80 {
81         int cookie_fd = SSL_get_fd(cookie);
82         int ret;
83         if (cookie_fd > -1) {
84                 /*
85                  * According to the TLS standard, it is acceptable for an application to only send its shutdown
86                  * alert and then close the underlying connection without waiting for the peer's response (this
87                  * way resources can be saved, as the process can already terminate or serve another connection).
88                  */
89                 if ((ret = SSL_shutdown(cookie)) < 0) {
90                         ast_log(LOG_ERROR, "SSL_shutdown() failed: %d\n", SSL_get_error(cookie, ret));
91                 }
92                 SSL_free(cookie);
93                 /* adding shutdown(2) here has no added benefit */
94                 if (close(cookie_fd)) {
95                         ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
96                 }
97         }
98         return 0;
99 }
100 #endif  /* DO_SSL */
101
102 HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *tcptls_session, void *buf, size_t count)
103 {
104         if (tcptls_session->fd == -1) {
105                 ast_log(LOG_ERROR, "server_read called with an fd of -1\n");
106                 errno = EIO;
107                 return -1;
108         }
109
110 #ifdef DO_SSL
111         if (tcptls_session->ssl) {
112                 return ssl_read(tcptls_session->ssl, buf, count);
113         }
114 #endif
115         return read(tcptls_session->fd, buf, count);
116 }
117
118 HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *tcptls_session, const void *buf, size_t count)
119 {
120         if (tcptls_session->fd == -1) {
121                 ast_log(LOG_ERROR, "server_write called with an fd of -1\n");
122                 errno = EIO;
123                 return -1;
124         }
125
126 #ifdef DO_SSL
127         if (tcptls_session->ssl) {
128                 return ssl_write(tcptls_session->ssl, buf, count);
129         }
130 #endif
131         return write(tcptls_session->fd, buf, count);
132 }
133
134 static void session_instance_destructor(void *obj)
135 {
136         struct ast_tcptls_session_instance *i = obj;
137         if (i->parent && i->parent->tls_cfg) {
138                 ast_ssl_teardown(i->parent->tls_cfg);
139         }
140 }
141
142 /*! \brief
143 * creates a FILE * from the fd passed by the accept thread.
144 * This operation is potentially expensive (certificate verification),
145 * so we do it in the child thread context.
146 *
147 * \note must decrement ref count before returning NULL on error
148 */
149 static void *handle_tcptls_connection(void *data)
150 {
151         struct ast_tcptls_session_instance *tcptls_session = data;
152 #ifdef DO_SSL
153         int (*ssl_setup)(SSL *) = (tcptls_session->client) ? SSL_connect : SSL_accept;
154         int ret;
155         char err[256];
156 #endif
157
158         /*
159         * open a FILE * as appropriate.
160         */
161         if (!tcptls_session->parent->tls_cfg) {
162                 if ((tcptls_session->f = fdopen(tcptls_session->fd, "w+"))) {
163                         if(setvbuf(tcptls_session->f, NULL, _IONBF, 0)) {
164                                 ast_tcptls_close_session_file(tcptls_session);
165                         }
166                 }
167         }
168 #ifdef DO_SSL
169         else if ( (tcptls_session->ssl = SSL_new(tcptls_session->parent->tls_cfg->ssl_ctx)) ) {
170                 SSL_set_fd(tcptls_session->ssl, tcptls_session->fd);
171                 if ((ret = ssl_setup(tcptls_session->ssl)) <= 0) {
172                         ast_verb(2, "Problem setting up ssl connection: %s\n", ERR_error_string(ERR_get_error(), err));
173                 } else {
174 #if defined(HAVE_FUNOPEN)       /* the BSD interface */
175                         tcptls_session->f = funopen(tcptls_session->ssl, ssl_read, ssl_write, NULL, ssl_close);
176
177 #elif defined(HAVE_FOPENCOOKIE) /* the glibc/linux interface */
178                         static const cookie_io_functions_t cookie_funcs = {
179                                 ssl_read, ssl_write, NULL, ssl_close
180                         };
181                         tcptls_session->f = fopencookie(tcptls_session->ssl, "w+", cookie_funcs);
182 #else
183                         /* could add other methods here */
184                         ast_debug(2, "no tcptls_session->f methods attempted!\n");
185 #endif
186                         if ((tcptls_session->client && !ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_DONT_VERIFY_SERVER))
187                                 || (!tcptls_session->client && ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_VERIFY_CLIENT))) {
188                                 X509 *peer;
189                                 long res;
190                                 peer = SSL_get_peer_certificate(tcptls_session->ssl);
191                                 if (!peer) {
192                                         ast_log(LOG_WARNING, "No peer SSL certificate\n");
193                                 }
194                                 res = SSL_get_verify_result(tcptls_session->ssl);
195                                 if (res != X509_V_OK) {
196                                         ast_log(LOG_ERROR, "Certificate did not verify: %s\n", X509_verify_cert_error_string(res));
197                                 }
198                                 if (!ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_IGNORE_COMMON_NAME)) {
199                                         ASN1_STRING *str;
200                                         unsigned char *str2;
201                                         X509_NAME *name = X509_get_subject_name(peer);
202                                         int pos = -1;
203                                         int found = 0;
204
205                                         for (;;) {
206                                                 /* Walk the certificate to check all available "Common Name" */
207                                                 /* XXX Probably should do a gethostbyname on the hostname and compare that as well */
208                                                 pos = X509_NAME_get_index_by_NID(name, NID_commonName, pos);
209                                                 if (pos < 0) {
210                                                         break;
211                                                 }
212                                                 str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, pos));
213                                                 ASN1_STRING_to_UTF8(&str2, str);
214                                                 if (str2) {
215                                                         if (!strcasecmp(tcptls_session->parent->hostname, (char *) str2)) {
216                                                                 found = 1;
217                                                         }
218                                                         ast_debug(3, "SSL Common Name compare s1='%s' s2='%s'\n", tcptls_session->parent->hostname, str2);
219                                                         OPENSSL_free(str2);
220                                                 }
221                                                 if (found) {
222                                                         break;
223                                                 }
224                                         }
225                                         if (!found) {
226                                                 ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", tcptls_session->parent->hostname);
227                                                 if (peer) {
228                                                         X509_free(peer);
229                                                 }
230                                                 ast_tcptls_close_session_file(tcptls_session);
231                                                 ao2_ref(tcptls_session, -1);
232                                                 return NULL;
233                                         }
234                                 }
235                                 if (peer) {
236                                         X509_free(peer);
237                                 }
238                         }
239                 }
240                 if (!tcptls_session->f) {       /* no success opening descriptor stacking */
241                         SSL_free(tcptls_session->ssl);
242                 }
243         }
244 #endif /* DO_SSL */
245
246         if (!tcptls_session->f) {
247                 ast_tcptls_close_session_file(tcptls_session);
248                 ast_log(LOG_WARNING, "FILE * open failed!\n");
249 #ifndef DO_SSL
250                 if (tcptls_session->parent->tls_cfg) {
251                         ast_log(LOG_WARNING, "Attempted a TLS connection without OpenSSL support. This will not work!\n");
252                 }
253 #endif
254                 ao2_ref(tcptls_session, -1);
255                 return NULL;
256         }
257
258         if (tcptls_session->parent->worker_fn) {
259                 return tcptls_session->parent->worker_fn(tcptls_session);
260         } else {
261                 return tcptls_session;
262         }
263 }
264
265 void *ast_tcptls_server_root(void *data)
266 {
267         struct ast_tcptls_session_args *desc = data;
268         int fd;
269         struct ast_sockaddr addr;
270         struct ast_tcptls_session_instance *tcptls_session;
271         pthread_t launched;
272
273         for (;;) {
274                 int i, flags;
275
276                 if (desc->periodic_fn) {
277                         desc->periodic_fn(desc);
278                 }
279                 i = ast_wait_for_input(desc->accept_fd, desc->poll_timeout);
280                 if (i <= 0) {
281                         continue;
282                 }
283                 fd = ast_accept(desc->accept_fd, &addr);
284                 if (fd < 0) {
285                         if ((errno != EAGAIN) && (errno != EINTR)) {
286                                 ast_log(LOG_WARNING, "Accept failed: %s\n", strerror(errno));
287                         }
288                         continue;
289                 }
290                 tcptls_session = ao2_alloc(sizeof(*tcptls_session), session_instance_destructor);
291                 if (!tcptls_session) {
292                         ast_log(LOG_WARNING, "No memory for new session: %s\n", strerror(errno));
293                         if (close(fd)) {
294                                 ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
295                         }
296                         continue;
297                 }
298
299                 flags = fcntl(fd, F_GETFL);
300                 fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
301                 tcptls_session->fd = fd;
302                 tcptls_session->parent = desc;
303                 ast_sockaddr_copy(&tcptls_session->remote_address, &addr);
304
305                 tcptls_session->client = 0;
306
307                 /* This thread is now the only place that controls the single ref to tcptls_session */
308                 if (ast_pthread_create_detached_background(&launched, NULL, handle_tcptls_connection, tcptls_session)) {
309                         ast_log(LOG_WARNING, "Unable to launch helper thread: %s\n", strerror(errno));
310                         ast_tcptls_close_session_file(tcptls_session);
311                         ao2_ref(tcptls_session, -1);
312                 }
313         }
314         return NULL;
315 }
316
317 static int __ssl_setup(struct ast_tls_config *cfg, int client)
318 {
319 #ifndef DO_SSL
320         cfg->enabled = 0;
321         return 0;
322 #else
323         if (!cfg->enabled) {
324                 return 0;
325         }
326
327         SSL_load_error_strings();
328         SSLeay_add_ssl_algorithms();
329
330         /* Get rid of an old SSL_CTX since we're about to
331          * allocate a new one
332          */
333         if (cfg->ssl_ctx) {
334                 SSL_CTX_free(cfg->ssl_ctx);
335                 cfg->ssl_ctx = NULL;
336         }
337
338         if (client) {
339 #ifndef OPENSSL_NO_SSL2
340                 if (ast_test_flag(&cfg->flags, AST_SSL_SSLV2_CLIENT)) {
341                         cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method());
342                 } else
343 #endif
344                 if (ast_test_flag(&cfg->flags, AST_SSL_SSLV3_CLIENT)) {
345                         cfg->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
346                 } else if (ast_test_flag(&cfg->flags, AST_SSL_TLSV1_CLIENT)) {
347                         cfg->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
348                 } else {
349                         /* SSLv23_client_method() sends SSLv2, this was the original
350                          * default for ssl clients before the option was given to
351                          * pick what protocol a client should use.  In order not
352                          * to break expected behavior it remains the default. */
353                         cfg->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
354                 }
355         } else {
356                 /* SSLv23_server_method() supports TLSv1, SSLv2, and SSLv3 inbound connections. */
357                 cfg->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
358         }
359
360         if (!cfg->ssl_ctx) {
361                 ast_debug(1, "Sorry, SSL_CTX_new call returned null...\n");
362                 cfg->enabled = 0;
363                 return 0;
364         }
365         if (!ast_strlen_zero(cfg->certfile)) {
366                 char *tmpprivate = ast_strlen_zero(cfg->pvtfile) ? cfg->certfile : cfg->pvtfile;
367                 if (SSL_CTX_use_certificate_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0) {
368                         if (!client) {
369                                 /* Clients don't need a certificate, but if its setup we can use it */
370                                 ast_verb(0, "SSL error loading cert file. <%s>\n", cfg->certfile);
371                                 sleep(2);
372                                 cfg->enabled = 0;
373                                 SSL_CTX_free(cfg->ssl_ctx);
374                                 cfg->ssl_ctx = NULL;
375                                 return 0;
376                         }
377                 }
378                 if ((SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, tmpprivate, SSL_FILETYPE_PEM) == 0) || (SSL_CTX_check_private_key(cfg->ssl_ctx) == 0 )) {
379                         if (!client) {
380                                 /* Clients don't need a private key, but if its setup we can use it */
381                                 ast_verb(0, "SSL error loading private key file. <%s>\n", tmpprivate);
382                                 sleep(2);
383                                 cfg->enabled = 0;
384                                 SSL_CTX_free(cfg->ssl_ctx);
385                                 cfg->ssl_ctx = NULL;
386                                 return 0;
387                         }
388                 }
389         }
390         if (!ast_strlen_zero(cfg->cipher)) {
391                 if (SSL_CTX_set_cipher_list(cfg->ssl_ctx, cfg->cipher) == 0 ) {
392                         if (!client) {
393                                 ast_verb(0, "SSL cipher error <%s>\n", cfg->cipher);
394                                 sleep(2);
395                                 cfg->enabled = 0;
396                                 SSL_CTX_free(cfg->ssl_ctx);
397                                 cfg->ssl_ctx = NULL;
398                                 return 0;
399                         }
400                 }
401         }
402         if (!ast_strlen_zero(cfg->cafile) || !ast_strlen_zero(cfg->capath)) {
403                 if (SSL_CTX_load_verify_locations(cfg->ssl_ctx, S_OR(cfg->cafile, NULL), S_OR(cfg->capath,NULL)) == 0) {
404                         ast_verb(0, "SSL CA file(%s)/path(%s) error\n", cfg->cafile, cfg->capath);
405                 }
406         }
407
408         ast_verb(0, "SSL certificate ok\n");
409         return 1;
410 #endif
411 }
412
413 int ast_ssl_setup(struct ast_tls_config *cfg)
414 {
415         return __ssl_setup(cfg, 0);
416 }
417
418 void ast_ssl_teardown(struct ast_tls_config *cfg)
419 {
420 #ifdef DO_SSL
421         if (cfg->ssl_ctx) {
422                 SSL_CTX_free(cfg->ssl_ctx);
423                 cfg->ssl_ctx = NULL;
424         }
425 #endif
426 }
427
428 struct ast_tcptls_session_instance *ast_tcptls_client_start(struct ast_tcptls_session_instance *tcptls_session)
429 {
430         struct ast_tcptls_session_args *desc;
431         int flags;
432
433         if (!(desc = tcptls_session->parent)) {
434                 goto client_start_error;
435         }
436
437         if (ast_connect(desc->accept_fd, &desc->remote_address)) {
438                 ast_log(LOG_ERROR, "Unable to connect %s to %s: %s\n",
439                         desc->name,
440                         ast_sockaddr_stringify(&desc->remote_address),
441                         strerror(errno));
442                 goto client_start_error;
443         }
444
445         flags = fcntl(desc->accept_fd, F_GETFL);
446         fcntl(desc->accept_fd, F_SETFL, flags & ~O_NONBLOCK);
447
448         if (desc->tls_cfg) {
449                 desc->tls_cfg->enabled = 1;
450                 __ssl_setup(desc->tls_cfg, 1);
451         }
452
453         return handle_tcptls_connection(tcptls_session);
454
455 client_start_error:
456         if (desc) {
457                 close(desc->accept_fd);
458                 desc->accept_fd = -1;
459         }
460         ao2_ref(tcptls_session, -1);
461         return NULL;
462
463 }
464
465 struct ast_tcptls_session_instance *ast_tcptls_client_create(struct ast_tcptls_session_args *desc)
466 {
467         int x = 1;
468         struct ast_tcptls_session_instance *tcptls_session = NULL;
469
470         /* Do nothing if nothing has changed */
471         if (!ast_sockaddr_cmp(&desc->old_address, &desc->remote_address)) {
472                 ast_debug(1, "Nothing changed in %s\n", desc->name);
473                 return NULL;
474         }
475
476         /* If we return early, there is no connection */
477         ast_sockaddr_setnull(&desc->old_address);
478
479         if (desc->accept_fd != -1) {
480                 close(desc->accept_fd);
481         }
482
483         desc->accept_fd = socket(ast_sockaddr_is_ipv6(&desc->remote_address) ?
484                                  AF_INET6 : AF_INET, SOCK_STREAM, IPPROTO_TCP);
485         if (desc->accept_fd < 0) {
486                 ast_log(LOG_WARNING, "Unable to allocate socket for %s: %s\n",
487                         desc->name, strerror(errno));
488                 return NULL;
489         }
490
491         /* if a local address was specified, bind to it so the connection will
492            originate from the desired address */
493         if (!ast_sockaddr_isnull(&desc->local_address)) {
494                 setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
495                 if (ast_bind(desc->accept_fd, &desc->local_address)) {
496                         ast_log(LOG_ERROR, "Unable to bind %s to %s: %s\n",
497                                 desc->name,
498                                 ast_sockaddr_stringify(&desc->local_address),
499                                 strerror(errno));
500                         goto error;
501                 }
502         }
503
504         if (!(tcptls_session = ao2_alloc(sizeof(*tcptls_session), session_instance_destructor))) {
505                 goto error;
506         }
507
508         tcptls_session->client = 1;
509         tcptls_session->fd = desc->accept_fd;
510         tcptls_session->parent = desc;
511         tcptls_session->parent->worker_fn = NULL;
512         ast_sockaddr_copy(&tcptls_session->remote_address,
513                           &desc->remote_address);
514
515         /* Set current info */
516         ast_sockaddr_copy(&desc->old_address, &desc->remote_address);
517         return tcptls_session;
518
519 error:
520         close(desc->accept_fd);
521         desc->accept_fd = -1;
522         if (tcptls_session) {
523                 ao2_ref(tcptls_session, -1);
524         }
525         return NULL;
526 }
527
528 void ast_tcptls_server_start(struct ast_tcptls_session_args *desc)
529 {
530         int flags;
531         int x = 1;
532
533         /* Do nothing if nothing has changed */
534         if (!ast_sockaddr_cmp(&desc->old_address, &desc->local_address)) {
535                 ast_debug(1, "Nothing changed in %s\n", desc->name);
536                 return;
537         }
538
539         /* If we return early, there is no one listening */
540         ast_sockaddr_setnull(&desc->old_address);
541
542         /* Shutdown a running server if there is one */
543         if (desc->master != AST_PTHREADT_NULL) {
544                 pthread_cancel(desc->master);
545                 pthread_kill(desc->master, SIGURG);
546                 pthread_join(desc->master, NULL);
547         }
548
549         if (desc->accept_fd != -1) {
550                 close(desc->accept_fd);
551         }
552
553         /* If there's no new server, stop here */
554         if (ast_sockaddr_isnull(&desc->local_address)) {
555                 ast_debug(2, "Server disabled:  %s\n", desc->name);
556                 return;
557         }
558
559         desc->accept_fd = socket(ast_sockaddr_is_ipv6(&desc->local_address) ?
560                                  AF_INET6 : AF_INET, SOCK_STREAM, 0);
561         if (desc->accept_fd < 0) {
562                 ast_log(LOG_ERROR, "Unable to allocate socket for %s: %s\n", desc->name, strerror(errno));
563                 return;
564         }
565
566         setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
567         if (ast_bind(desc->accept_fd, &desc->local_address)) {
568                 ast_log(LOG_ERROR, "Unable to bind %s to %s: %s\n",
569                         desc->name,
570                         ast_sockaddr_stringify(&desc->local_address),
571                         strerror(errno));
572                 goto error;
573         }
574         if (listen(desc->accept_fd, 10)) {
575                 ast_log(LOG_ERROR, "Unable to listen for %s!\n", desc->name);
576                 goto error;
577         }
578         flags = fcntl(desc->accept_fd, F_GETFL);
579         fcntl(desc->accept_fd, F_SETFL, flags | O_NONBLOCK);
580         if (ast_pthread_create_background(&desc->master, NULL, desc->accept_fn, desc)) {
581                 ast_log(LOG_ERROR, "Unable to launch thread for %s on %s: %s\n",
582                         desc->name,
583                         ast_sockaddr_stringify(&desc->local_address),
584                         strerror(errno));
585                 goto error;
586         }
587
588         /* Set current info */
589         ast_sockaddr_copy(&desc->old_address, &desc->local_address);
590
591         return;
592
593 error:
594         close(desc->accept_fd);
595         desc->accept_fd = -1;
596 }
597
598 void ast_tcptls_close_session_file(struct ast_tcptls_session_instance *tcptls_session)
599 {
600         if (tcptls_session->f) {
601                 if (fclose(tcptls_session->f)) {
602                         ast_log(LOG_ERROR, "fclose() failed: %s\n", strerror(errno));
603                 }
604                 tcptls_session->f = NULL;
605                 tcptls_session->fd = -1;
606         } else if (tcptls_session->fd != -1) {
607                 if (close(tcptls_session->fd)) {
608                         ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
609                 }
610                 tcptls_session->fd = -1;
611         } else {
612                 ast_log(LOG_ERROR, "ast_tcptls_close_session_file invoked on session instance without file or file descriptor\n");
613         }
614 }
615
616 void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc)
617 {
618         if (desc->master != AST_PTHREADT_NULL) {
619                 pthread_cancel(desc->master);
620                 pthread_kill(desc->master, SIGURG);
621                 pthread_join(desc->master, NULL);
622                 desc->master = AST_PTHREADT_NULL;
623         }
624         if (desc->accept_fd != -1) {
625                 close(desc->accept_fd);
626         }
627         desc->accept_fd = -1;
628         ast_debug(2, "Stopped server :: %s\n", desc->name);
629 }
630
631 int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value)
632 {
633         if (!strcasecmp(varname, "tlsenable") || !strcasecmp(varname, "sslenable")) {
634                 tls_cfg->enabled = ast_true(value) ? 1 : 0;
635         } else if (!strcasecmp(varname, "tlscertfile") || !strcasecmp(varname, "sslcert") || !strcasecmp(varname, "tlscert")) {
636                 ast_free(tls_cfg->certfile);
637                 tls_cfg->certfile = ast_strdup(value);
638         } else if (!strcasecmp(varname, "tlsprivatekey") || !strcasecmp(varname, "sslprivatekey")) {
639                 ast_free(tls_cfg->pvtfile);
640                 tls_cfg->pvtfile = ast_strdup(value);
641         } else if (!strcasecmp(varname, "tlscipher") || !strcasecmp(varname, "sslcipher")) {
642                 ast_free(tls_cfg->cipher);
643                 tls_cfg->cipher = ast_strdup(value);
644         } else if (!strcasecmp(varname, "tlscafile")) {
645                 ast_free(tls_cfg->cafile);
646                 tls_cfg->cafile = ast_strdup(value);
647         } else if (!strcasecmp(varname, "tlscapath") || !strcasecmp(varname, "tlscadir")) {
648                 ast_free(tls_cfg->capath);
649                 tls_cfg->capath = ast_strdup(value);
650         } else if (!strcasecmp(varname, "tlsverifyclient")) {
651                 ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_VERIFY_CLIENT);
652         } else if (!strcasecmp(varname, "tlsdontverifyserver")) {
653                 ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DONT_VERIFY_SERVER);
654         } else if (!strcasecmp(varname, "tlsbindaddr") || !strcasecmp(varname, "sslbindaddr")) {
655                 if (ast_parse_arg(value, PARSE_ADDR, &tls_desc->local_address))
656                         ast_log(LOG_WARNING, "Invalid %s '%s'\n", varname, value);
657         } else if (!strcasecmp(varname, "tlsclientmethod") || !strcasecmp(varname, "sslclientmethod")) {
658                 if (!strcasecmp(value, "tlsv1")) {
659                         ast_set_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
660                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
661                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
662                 } else if (!strcasecmp(value, "sslv3")) {
663                         ast_set_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
664                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
665                         ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
666                 } else if (!strcasecmp(value, "sslv2")) {
667                         ast_set_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
668                         ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
669                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
670                 }
671         } else {
672                 return -1;
673         }
674
675         return 0;
676 }