tcptls.h File Reference

Generic support for tcp/tls servers in Asterisk. More...

#include <pthread.h>
#include <sys/param.h>
#include "asterisk/iostream.h"
#include "asterisk/netsock2.h"
#include "asterisk/utils.h"

Include dependency graph for tcptls.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures
struct	ast_tcptls_session_args
	arguments for the accepting thread More...
struct	ast_tcptls_session_instance
	describes a server instance More...
struct	ast_tls_config

Macros
#define	AST_CERTFILE   "asterisk.pem"

Enumerations
enum	ast_ssl_flags {   AST_SSL_VERIFY_CLIENT = (1 << 0) , AST_SSL_DONT_VERIFY_SERVER = (1 << 1) , AST_SSL_IGNORE_COMMON_NAME = (1 << 2) , AST_SSL_SSLV2_CLIENT = (1 << 3) ,   AST_SSL_SSLV3_CLIENT = (1 << 4) , AST_SSL_TLSV1_CLIENT = (1 << 5) , AST_SSL_SERVER_CIPHER_ORDER = (1 << 6) , AST_SSL_DISABLE_TLSV1 = (1 << 7) ,   AST_SSL_DISABLE_TLSV11 = (1 << 8) , AST_SSL_DISABLE_TLSV12 = (1 << 9) }

Functions
int	ast_ssl_setup (struct ast_tls_config *cfg)
	Set up an SSL server. More...
void	ast_ssl_teardown (struct ast_tls_config *cfg)
	free resources used by an SSL server More...
struct ast_tcptls_session_instance *	ast_tcptls_client_create (struct ast_tcptls_session_args *desc)
	Creates a client connection's ast_tcptls_session_instance. More...
struct ast_tcptls_session_instance *	ast_tcptls_client_start (struct ast_tcptls_session_instance *tcptls_session)
	Attempt to connect and start a tcptls session. More...
struct ast_tcptls_session_instance *	ast_tcptls_client_start_timeout (struct ast_tcptls_session_instance *tcptls_session, int timeout)
	Attempt to connect and start a tcptls session within the given timeout. More...
void	ast_tcptls_close_session_file (struct ast_tcptls_session_instance *tcptls_session)
	Closes a tcptls session instance's file and/or file descriptor. The tcptls_session will be set to NULL and it's file descriptor will be set to -1 by this function. More...
void *	ast_tcptls_server_root (void *)
void	ast_tcptls_server_start (struct ast_tcptls_session_args *desc)
	This is a generic (re)start routine for a TCP server, which does the socket/bind/listen and starts a thread for handling accept(). More...
void	ast_tcptls_server_stop (struct ast_tcptls_session_args *desc)
	Shutdown a running server if there is one. More...
int	ast_tls_read_conf (struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value)
	Used to parse conf files containing tls/ssl options. More...

Detailed Description

Generic support for tcp/tls servers in Asterisk.

Note

In order to have TLS/SSL support, we need the openssl libraries. Still we can decide whether or not to use them by commenting in or out the DO_SSL macro.

TLS/SSL support is basically implemented by reading from a config file (currently manager.conf, http.conf and pjsip.conf) the names of the certificate files and cipher to use, and then run ssl_setup() to create an appropriate data structure named ssl_ctx.

If we support multiple domains, presumably we need to read multiple certificates.

When we are requested to open a TLS socket, we run make_file_from_fd() on the socket, to do the necessary setup. At the moment the context's name is hardwired in the function, but we can certainly make it into an extra parameter to the function.

We declare most of ssl support variables unconditionally, because their number is small and this simplifies the code.

Note

The ssl-support variables (ssl_ctx, do_ssl, certfile, cipher) and their setup should be moved to a more central place, e.g. asterisk.conf and the source files that processes it. Similarly, ssl_setup() should be run earlier in the startup process so modules have it available.

TLS Implementation Overview

Definition in file tcptls.h.

Macro Definition Documentation

AST_CERTFILE

#define AST_CERTFILE   "asterisk.pem"

SSL support

Definition at line 63 of file tcptls.h.

Enumeration Type Documentation

ast_ssl_flags

enum ast_ssl_flags

Enumerator
AST_SSL_VERIFY_CLIENT	Verify certificate when acting as server
AST_SSL_DONT_VERIFY_SERVER	Don't verify certificate when connecting to a server
AST_SSL_IGNORE_COMMON_NAME	Don't compare "Common Name" against IP or hostname
AST_SSL_SSLV2_CLIENT	Use SSLv2 for outgoing client connections
AST_SSL_SSLV3_CLIENT	Use SSLv3 for outgoing client connections
AST_SSL_TLSV1_CLIENT	Use TLSv1 for outgoing client connections
AST_SSL_SERVER_CIPHER_ORDER	Use server cipher order instead of the client order
AST_SSL_DISABLE_TLSV1	Disable TLSv1 support
AST_SSL_DISABLE_TLSV11	Disable TLSv1.1 support
AST_SSL_DISABLE_TLSV12	Disable TLSv1.2 support

Definition at line 65 of file tcptls.h.

                   {
    /*! Verify certificate when acting as server */
    AST_SSL_VERIFY_CLIENT = (1 << 0),
    /*! Don't verify certificate when connecting to a server */
    AST_SSL_DONT_VERIFY_SERVER = (1 << 1),
    /*! Don't compare "Common Name" against IP or hostname */
    AST_SSL_IGNORE_COMMON_NAME = (1 << 2),
    /*! Use SSLv2 for outgoing client connections */
    AST_SSL_SSLV2_CLIENT = (1 << 3),
    /*! Use SSLv3 for outgoing client connections */
    AST_SSL_SSLV3_CLIENT = (1 << 4),
    /*! Use TLSv1 for outgoing client connections */
    AST_SSL_TLSV1_CLIENT = (1 << 5),
    /*! Use server cipher order instead of the client order */
    AST_SSL_SERVER_CIPHER_ORDER = (1 << 6),
    /*! Disable TLSv1 support */
    AST_SSL_DISABLE_TLSV1 = (1 << 7),
    /*! Disable TLSv1.1 support */
    AST_SSL_DISABLE_TLSV11 = (1 << 8),
    /*! Disable TLSv1.2 support */
    AST_SSL_DISABLE_TLSV12 = (1 << 9),
};

Function Documentation

ast_ssl_setup()

int ast_ssl_setup

(

struct ast_tls_config *

cfg

)

Set up an SSL server.

Parameters

cfg	Configuration for the SSL server

Return values

1	Success
0	Failure

Definition at line 570 of file tcptls.c.

{
    return __ssl_setup(cfg, 0);
}

References __ssl_setup().

Referenced by __ast_http_load(), and __init_manager().

ast_ssl_teardown()

void ast_ssl_teardown

(

struct ast_tls_config *

cfg

)

free resources used by an SSL server

Note

This only needs to be called if ast_ssl_setup() was directly called first.

Parameters

cfg	Configuration for the SSL server

Definition at line 575 of file tcptls.c.

{
#ifdef DO_SSL
    if (cfg && cfg->ssl_ctx) {
        SSL_CTX_free(cfg->ssl_ctx);
        cfg->ssl_ctx = NULL;
    }
#endif
}

References NULL, and ast_tls_config::ssl_ctx.

Referenced by websocket_client_args_destroy().

ast_tcptls_client_create()

struct ast_tcptls_session_instance * ast_tcptls_client_create

(

struct ast_tcptls_session_args *

desc

)

Creates a client connection's ast_tcptls_session_instance.

Definition at line 678 of file tcptls.c.

{
    int fd, x = 1;
    struct ast_tcptls_session_instance *tcptls_session = NULL;
 
    ast_assert(!desc->tls_cfg
            || ast_test_flag(&desc->tls_cfg->flags, AST_SSL_DONT_VERIFY_SERVER)
            || !ast_strlen_zero(desc->hostname));
 
    /* Do nothing if nothing has changed */
    if (!ast_sockaddr_cmp(&desc->old_address, &desc->remote_address)) {
        ast_debug(1, "Nothing changed in %s\n", desc->name);
        return NULL;
    }
 
    /* If we return early, there is no connection */
    ast_sockaddr_setnull(&desc->old_address);
 
    fd = desc->accept_fd = ast_socket_nonblock(ast_sockaddr_is_ipv6(&desc->remote_address) ?
                      AF_INET6 : AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (desc->accept_fd < 0) {
        ast_log(LOG_ERROR, "Unable to allocate socket for %s: %s\n",
            desc->name, strerror(errno));
        return NULL;
    }
 
    /* if a local address was specified, bind to it so the connection will
       originate from the desired address */
    if (!ast_sockaddr_isnull(&desc->local_address) &&
        !ast_sockaddr_is_any(&desc->local_address)) {
        setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
        if (ast_bind(desc->accept_fd, &desc->local_address)) {
            ast_log(LOG_ERROR, "Unable to bind %s to %s: %s\n",
                desc->name,
                ast_sockaddr_stringify(&desc->local_address),
                strerror(errno));
            goto error;
        }
    }
 
    tcptls_session = ao2_alloc(sizeof(*tcptls_session), session_instance_destructor);
    if (!tcptls_session) {
        goto error;
    }
 
    tcptls_session->overflow_buf = ast_str_create(128);
    if (!tcptls_session->overflow_buf) {
        goto error;
    }
    tcptls_session->client = 1;
    tcptls_session->stream = ast_iostream_from_fd(&fd);
    if (!tcptls_session->stream) {
        goto error;
    }
 
    /* From here on out, the iostream owns the accept_fd and it will take
     * care of closing it when the iostream is closed */
 
    tcptls_session->parent = desc;
    tcptls_session->parent->worker_fn = NULL;
    ast_sockaddr_copy(&tcptls_session->remote_address,
              &desc->remote_address);
 
    /* Set current info */
    ast_sockaddr_copy(&desc->old_address, &desc->remote_address);
 
    return tcptls_session;
 
error:
    close(desc->accept_fd);
    desc->accept_fd = -1;
    ao2_cleanup(tcptls_session);
    return NULL;
}

References ao2_alloc, ao2_cleanup, ast_assert, ast_bind(), ast_debug, ast_iostream_from_fd(), ast_log, ast_sockaddr_cmp(), ast_sockaddr_copy(), ast_sockaddr_is_any(), ast_sockaddr_is_ipv6(), ast_sockaddr_isnull(), ast_sockaddr_setnull(), ast_sockaddr_stringify(), ast_socket_nonblock, AST_SSL_DONT_VERIFY_SERVER, ast_str_create, ast_strlen_zero(), ast_test_flag, ast_tcptls_session_instance::client, desc, errno, error(), LOG_ERROR, NULL, ast_tcptls_session_instance::overflow_buf, ast_tcptls_session_instance::parent, ast_tcptls_session_instance::remote_address, session_instance_destructor(), ast_tcptls_session_instance::stream, and ast_tcptls_session_args::worker_fn.

Referenced by app_exec(), and websocket_client_connect().

ast_tcptls_client_start()

struct ast_tcptls_session_instance * ast_tcptls_client_start

(

struct ast_tcptls_session_instance *

tcptls_session

)

Attempt to connect and start a tcptls session.

Blocks until a connection is established, or an error occurs.

Note

On error the tcptls_session's ref count is decremented, fd and file are closed, and NULL is returned.

Parameters

tcptls_session

The session instance to connect and start

Returns

The tcptls_session, or NULL on error

Definition at line 673 of file tcptls.c.

{
    return ast_tcptls_client_start_timeout(tcptls_session, -1);
}

References ast_tcptls_client_start_timeout().

Referenced by app_exec().

ast_tcptls_client_start_timeout()

struct ast_tcptls_session_instance * ast_tcptls_client_start_timeout	(	struct ast_tcptls_session_instance *	tcptls_session,
		int	timeout
	)

Attempt to connect and start a tcptls session within the given timeout.

Note

On error the tcptls_session's ref count is decremented, fd and file are closed, and NULL is returned.

Parameters

tcptls_session	The session instance to connect and start
timeout	How long (in milliseconds) to attempt to connect (-1 equals infinite)

Returns

The tcptls_session, or NULL on error

Definition at line 645 of file tcptls.c.

{
    struct ast_tcptls_session_args *desc;
 
    if (!(desc = tcptls_session->parent)) {
        ao2_ref(tcptls_session, -1);
        return NULL;
    }
 
    if (socket_connect(desc->accept_fd, &desc->remote_address, timeout)) {
        ast_log(LOG_WARNING, "Unable to connect %s to %s: %s\n", desc->name,
                ast_sockaddr_stringify(&desc->remote_address), strerror(errno));
 
        ao2_ref(tcptls_session, -1);
        return NULL;
    }
 
    ast_fd_clear_flags(desc->accept_fd, O_NONBLOCK);
 
    if (desc->tls_cfg) {
        desc->tls_cfg->enabled = 1;
        __ssl_setup(desc->tls_cfg, 1);
    }
 
    return handle_tcptls_connection(tcptls_session);
}

References __ssl_setup(), ao2_ref, ast_fd_clear_flags, ast_log, ast_sockaddr_stringify(), desc, errno, handle_tcptls_connection(), LOG_WARNING, NULL, ast_tcptls_session_instance::parent, and socket_connect().

Referenced by ast_tcptls_client_start(), and websocket_client_connect().

ast_tcptls_close_session_file()

void ast_tcptls_close_session_file

(

struct ast_tcptls_session_instance *

tcptls_session

)

Closes a tcptls session instance's file and/or file descriptor. The tcptls_session will be set to NULL and it's file descriptor will be set to -1 by this function.

Definition at line 908 of file tcptls.c.

{
    if (tcptls_session->stream) {
        ast_iostream_close(tcptls_session->stream);
        tcptls_session->stream = NULL;
    } else {
        ast_debug(1, "ast_tcptls_close_session_file invoked on session instance without file or file descriptor\n");
    }
}

References ast_debug, ast_iostream_close(), NULL, and ast_tcptls_session_instance::stream.

Referenced by ast_http_create_response(), ast_http_send(), handle_tcptls_connection(), and httpd_helper_thread().

ast_tcptls_server_root()

void * ast_tcptls_server_root

(

void *

data

)

Definition at line 280 of file tcptls.c.

{
    struct ast_tcptls_session_args *desc = data;
    int fd;
    struct ast_sockaddr addr;
    struct ast_tcptls_session_instance *tcptls_session;
    pthread_t launched;
 
    for (;;) {
        int i;
 
        if (desc->periodic_fn) {
            desc->periodic_fn(desc);
        }
        i = ast_wait_for_input(desc->accept_fd, desc->poll_timeout);
        if (i <= 0) {
            /* Prevent tight loop from hogging CPU */
            usleep(1);
            continue;
        }
        fd = ast_accept(desc->accept_fd, &addr);
        if (fd < 0) {
            if (errno != EAGAIN
                && errno != EWOULDBLOCK
                && errno != EINTR
                && errno != ECONNABORTED) {
                ast_log(LOG_ERROR, "TCP/TLS accept failed: %s\n", strerror(errno));
                if (errno != EMFILE) {
                    break;
                }
            }
            /* Prevent tight loop from hogging CPU */
            usleep(1);
            continue;
        }
        tcptls_session = ao2_alloc(sizeof(*tcptls_session), session_instance_destructor);
        if (!tcptls_session) {
            close(fd);
            continue;
        }
 
        tcptls_session->overflow_buf = ast_str_create(128);
        if (!tcptls_session->overflow_buf) {
            ao2_ref(tcptls_session, -1);
            close(fd);
            continue;
        }
        ast_fd_clear_flags(fd, O_NONBLOCK);
 
        tcptls_session->stream = ast_iostream_from_fd(&fd);
        if (!tcptls_session->stream) {
            ao2_ref(tcptls_session, -1);
            close(fd);
            continue;
        }
 
        tcptls_session->parent = desc;
        ast_sockaddr_copy(&tcptls_session->remote_address, &addr);
 
        tcptls_session->client = 0;
 
        /* This thread is now the only place that controls the single ref to tcptls_session */
        if (ast_pthread_create_detached_background(&launched, NULL, handle_tcptls_connection, tcptls_session)) {
            ast_log(LOG_ERROR, "TCP/TLS unable to launch helper thread for peer '%s': %s\n",
                ast_sockaddr_stringify(&tcptls_session->remote_address),
                strerror(errno));
            ao2_ref(tcptls_session, -1);
        }
    }
 
    ast_log(LOG_ERROR, "TCP/TLS listener thread ended abnormally\n");
 
    /* Close the listener socket so Asterisk doesn't appear dead. */
    fd = desc->accept_fd;
    desc->accept_fd = -1;
    if (0 <= fd) {
        close(fd);
    }
    return NULL;
}

References ao2_alloc, ao2_ref, ast_accept(), ast_fd_clear_flags, ast_iostream_from_fd(), ast_log, ast_pthread_create_detached_background, ast_sockaddr_copy(), ast_sockaddr_stringify(), ast_str_create, ast_wait_for_input(), ast_tcptls_session_instance::client, desc, errno, handle_tcptls_connection(), LOG_ERROR, NULL, ast_tcptls_session_instance::overflow_buf, ast_tcptls_session_instance::parent, ast_tcptls_session_instance::remote_address, session_instance_destructor(), and ast_tcptls_session_instance::stream.

Referenced by http_server_create().

ast_tcptls_server_start()

void ast_tcptls_server_start

(

struct ast_tcptls_session_args *

desc

)

This is a generic (re)start routine for a TCP server, which does the socket/bind/listen and starts a thread for handling accept().

Version

1.6.1 changed desc parameter to be of ast_tcptls_session_args type

Definition at line 753 of file tcptls.c.

{
    int x = 1;
    int tls_changed = 0;
    int sd_socket;
 
    if (desc->tls_cfg) {
        char hash[41];
        char *str = NULL;
        struct stat st;
 
        /* Store the hashes of the TLS certificate etc. */
        if (stat(desc->tls_cfg->certfile, &st) || NULL == (str = ast_read_textfile(desc->tls_cfg->certfile))) {
            memset(hash, 0, 41);
        } else {
            ast_sha1_hash(hash, str);
        }
        ast_free(str);
        str = NULL;
        memcpy(desc->tls_cfg->certhash, hash, 41);
        if (stat(desc->tls_cfg->pvtfile, &st) || NULL == (str = ast_read_textfile(desc->tls_cfg->pvtfile))) {
            memset(hash, 0, 41);
        } else {
            ast_sha1_hash(hash, str);
        }
        ast_free(str);
        str = NULL;
        memcpy(desc->tls_cfg->pvthash, hash, 41);
        if (stat(desc->tls_cfg->cafile, &st) || NULL == (str = ast_read_textfile(desc->tls_cfg->cafile))) {
            memset(hash, 0, 41);
        } else {
            ast_sha1_hash(hash, str);
        }
        ast_free(str);
        str = NULL;
        memcpy(desc->tls_cfg->cahash, hash, 41);
 
        /* Check whether TLS configuration has changed */
        if (!desc->old_tls_cfg) { /* No previous configuration */
            tls_changed = 1;
            desc->old_tls_cfg = ast_calloc(1, sizeof(*desc->old_tls_cfg));
        } else if (memcmp(desc->tls_cfg->certhash, desc->old_tls_cfg->certhash, 41)) {
            tls_changed = 1;
        } else if (memcmp(desc->tls_cfg->pvthash, desc->old_tls_cfg->pvthash, 41)) {
            tls_changed = 1;
        } else if (strcmp(desc->tls_cfg->cipher, desc->old_tls_cfg->cipher)) {
            tls_changed = 1;
        } else if (memcmp(desc->tls_cfg->cahash, desc->old_tls_cfg->cahash, 41)) {
            tls_changed = 1;
        } else if (strcmp(desc->tls_cfg->capath, desc->old_tls_cfg->capath)) {
            tls_changed = 1;
        } else if (memcmp(&desc->tls_cfg->flags, &desc->old_tls_cfg->flags, sizeof(desc->tls_cfg->flags))) {
            tls_changed = 1;
        }
 
        if (tls_changed) {
            ast_debug(1, "Changed parameters for %s found\n", desc->name);
        }
    }
 
    /* Do nothing if nothing has changed */
    if (!tls_changed && !ast_sockaddr_cmp(&desc->old_address, &desc->local_address)) {
        ast_debug(1, "Nothing changed in %s\n", desc->name);
        return;
    }
 
    /* If we return early, there is no one listening */
    ast_sockaddr_setnull(&desc->old_address);
 
    /* Shutdown a running server if there is one */
    if (desc->master != AST_PTHREADT_NULL) {
        pthread_cancel(desc->master);
        pthread_kill(desc->master, SIGURG);
        pthread_join(desc->master, NULL);
    }
 
    sd_socket = ast_sd_get_fd(SOCK_STREAM, &desc->local_address);
 
    if (sd_socket != -1) {
        if (desc->accept_fd != sd_socket) {
            if (desc->accept_fd != -1) {
                close(desc->accept_fd);
            }
            desc->accept_fd = sd_socket;
        }
 
        goto systemd_socket_activation;
    }
 
    if (desc->accept_fd != -1) {
        close(desc->accept_fd);
        desc->accept_fd = -1;
    }
 
    /* If there's no new server, stop here */
    if (ast_sockaddr_isnull(&desc->local_address)) {
        ast_debug(2, "Server disabled:  %s\n", desc->name);
        return;
    }
 
    desc->accept_fd = ast_socket_nonblock(ast_sockaddr_is_ipv6(&desc->local_address) ?
                 AF_INET6 : AF_INET, SOCK_STREAM, 0);
    if (desc->accept_fd < 0) {
        ast_log(LOG_ERROR, "Unable to allocate socket for %s: %s\n", desc->name, strerror(errno));
        return;
    }
 
    setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
    if (ast_bind(desc->accept_fd, &desc->local_address)) {
        ast_log(LOG_ERROR, "Unable to bind %s to %s: %s\n",
            desc->name,
            ast_sockaddr_stringify(&desc->local_address),
            strerror(errno));
        goto error;
    }
    if (listen(desc->accept_fd, 10)) {
        ast_log(LOG_ERROR, "Unable to listen for %s!\n", desc->name);
        goto error;
    }
 
systemd_socket_activation:
    if (ast_pthread_create_background(&desc->master, NULL, desc->accept_fn, desc)) {
        ast_log(LOG_ERROR, "Unable to launch thread for %s on %s: %s\n",
            desc->name,
            ast_sockaddr_stringify(&desc->local_address),
            strerror(errno));
        goto error;
    }
 
    /* Set current info */
    ast_sockaddr_copy(&desc->old_address, &desc->local_address);
    if (desc->old_tls_cfg) {
        ast_free(desc->old_tls_cfg->certfile);
        ast_free(desc->old_tls_cfg->pvtfile);
        ast_free(desc->old_tls_cfg->cipher);
        ast_free(desc->old_tls_cfg->cafile);
        ast_free(desc->old_tls_cfg->capath);
        desc->old_tls_cfg->certfile = ast_strdup(desc->tls_cfg->certfile);
        desc->old_tls_cfg->pvtfile = ast_strdup(desc->tls_cfg->pvtfile);
        desc->old_tls_cfg->cipher = ast_strdup(desc->tls_cfg->cipher);
        desc->old_tls_cfg->cafile = ast_strdup(desc->tls_cfg->cafile);
        desc->old_tls_cfg->capath = ast_strdup(desc->tls_cfg->capath);
        memcpy(desc->old_tls_cfg->certhash, desc->tls_cfg->certhash, 41);
        memcpy(desc->old_tls_cfg->pvthash, desc->tls_cfg->pvthash, 41);
        memcpy(desc->old_tls_cfg->cahash, desc->tls_cfg->cahash, 41);
        memcpy(&desc->old_tls_cfg->flags, &desc->tls_cfg->flags, sizeof(desc->old_tls_cfg->flags));
    }
 
    return;
 
error:
    close(desc->accept_fd);
    desc->accept_fd = -1;
}

References ast_bind(), ast_calloc, ast_debug, ast_free, ast_log, ast_pthread_create_background, AST_PTHREADT_NULL, ast_read_textfile(), ast_sd_get_fd(), ast_sha1_hash(), ast_sockaddr_cmp(), ast_sockaddr_copy(), ast_sockaddr_is_ipv6(), ast_sockaddr_isnull(), ast_sockaddr_setnull(), ast_sockaddr_stringify(), ast_socket_nonblock, ast_strdup, desc, errno, error(), LOG_ERROR, NULL, and str.

Referenced by __ast_http_load(), __init_manager(), and http_server_start().

ast_tcptls_server_stop()

void ast_tcptls_server_stop

(

struct ast_tcptls_session_args *

desc

)

Shutdown a running server if there is one.

Version

1.6.1 changed desc parameter to be of ast_tcptls_session_args type

Definition at line 918 of file tcptls.c.

{
    if (desc->master != AST_PTHREADT_NULL) {
        pthread_cancel(desc->master);
        pthread_kill(desc->master, SIGURG);
        pthread_join(desc->master, NULL);
        desc->master = AST_PTHREADT_NULL;
    }
    if (desc->accept_fd != -1) {
        close(desc->accept_fd);
    }
    desc->accept_fd = -1;
 
    if (desc->old_tls_cfg) {
        ast_free(desc->old_tls_cfg->certfile);
        ast_free(desc->old_tls_cfg->pvtfile);
        ast_free(desc->old_tls_cfg->cipher);
        ast_free(desc->old_tls_cfg->cafile);
        ast_free(desc->old_tls_cfg->capath);
        ast_free(desc->old_tls_cfg);
        desc->old_tls_cfg = NULL;
    }
 
    ast_debug(2, "Stopped server :: %s\n", desc->name);
}

References ast_debug, ast_free, AST_PTHREADT_NULL, desc, and NULL.

Referenced by __ast_http_load(), __init_manager(), http_server_destroy(), manager_shutdown(), and unload_module().

ast_tls_read_conf()

int ast_tls_read_conf	(	struct ast_tls_config *	tls_cfg,
		struct ast_tcptls_session_args *	tls_desc,
		const char *	varname,
		const char *	value
	)

Used to parse conf files containing tls/ssl options.

Definition at line 944 of file tcptls.c.

{
    if (!strcasecmp(varname, "tlsenable") || !strcasecmp(varname, "sslenable")) {
        tls_cfg->enabled = ast_true(value) ? 1 : 0;
    } else if (!strcasecmp(varname, "tlscertfile") || !strcasecmp(varname, "sslcert") || !strcasecmp(varname, "tlscert")) {
        ast_free(tls_cfg->certfile);
        tls_cfg->certfile = ast_strdup(value);
    } else if (!strcasecmp(varname, "tlsprivatekey") || !strcasecmp(varname, "sslprivatekey")) {
        ast_free(tls_cfg->pvtfile);
        tls_cfg->pvtfile = ast_strdup(value);
    } else if (!strcasecmp(varname, "tlscipher") || !strcasecmp(varname, "sslcipher")) {
        ast_free(tls_cfg->cipher);
        tls_cfg->cipher = ast_strdup(value);
    } else if (!strcasecmp(varname, "tlscafile")) {
        ast_free(tls_cfg->cafile);
        tls_cfg->cafile = ast_strdup(value);
    } else if (!strcasecmp(varname, "tlscapath") || !strcasecmp(varname, "tlscadir")) {
        ast_free(tls_cfg->capath);
        tls_cfg->capath = ast_strdup(value);
    } else if (!strcasecmp(varname, "tlsverifyclient")) {
        ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_VERIFY_CLIENT);
    } else if (!strcasecmp(varname, "tlsdontverifyserver")) {
        ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DONT_VERIFY_SERVER);
    } else if (!strcasecmp(varname, "tlsbindaddr") || !strcasecmp(varname, "sslbindaddr")) {
        if (ast_parse_arg(value, PARSE_ADDR, &tls_desc->local_address))
            ast_log(LOG_ERROR, "Invalid %s '%s'\n", varname, value);
    } else if (!strcasecmp(varname, "tlsclientmethod") || !strcasecmp(varname, "sslclientmethod")) {
        if (!strcasecmp(value, "tlsv1")) {
            ast_set_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
            ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
            ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
        } else if (!strcasecmp(value, "sslv3")) {
            ast_set_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
            ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
            ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
        } else if (!strcasecmp(value, "sslv2")) {
            ast_set_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
            ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
            ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
        }
    } else if (!strcasecmp(varname, "tlsservercipherorder")) {
        ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_SERVER_CIPHER_ORDER);
    } else if (!strcasecmp(varname, "tlsdisablev1")) {
        ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV1);
    } else if (!strcasecmp(varname, "tlsdisablev11")) {
        ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV11);
    } else if (!strcasecmp(varname, "tlsdisablev12")) {
        ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV12);
    } else {
        return -1;
    }
 
    return 0;
}

References ast_clear_flag, ast_free, ast_log, ast_parse_arg(), ast_set2_flag, ast_set_flag, AST_SSL_DISABLE_TLSV1, AST_SSL_DISABLE_TLSV11, AST_SSL_DISABLE_TLSV12, AST_SSL_DONT_VERIFY_SERVER, AST_SSL_SERVER_CIPHER_ORDER, AST_SSL_SSLV2_CLIENT, AST_SSL_SSLV3_CLIENT, AST_SSL_TLSV1_CLIENT, AST_SSL_VERIFY_CLIENT, ast_strdup, ast_true(), ast_tls_config::cafile, ast_tls_config::capath, ast_tls_config::certfile, ast_tls_config::cipher, ast_tls_config::enabled, ast_tls_config::flags, ast_tcptls_session_args::local_address, LOG_ERROR, PARSE_ADDR, ast_tls_config::pvtfile, and value.

Referenced by __ast_http_load(), and __init_manager().