tcptls.c File Reference

Code to support TCP and TLS server/client. More...

#include "asterisk.h"
#include "asterisk/tcptls.h"
#include "asterisk/iostream.h"
#include <fcntl.h>
#include <netinet/in.h>
#include <pthread.h>
#include <signal.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include "asterisk/app.h"
#include "asterisk/astobj2.h"
#include "asterisk/compat.h"
#include "asterisk/config.h"
#include "asterisk/io.h"
#include "asterisk/lock.h"
#include "asterisk/logger.h"
#include "asterisk/netsock2.h"
#include "asterisk/pbx.h"
#include "asterisk/utils.h"

Include dependency graph for tcptls.c:

Go to the source code of this file.

Functions
static int	__ssl_setup (struct ast_tls_config *cfg, int client, int suppress_progress_msgs)
int	ast_ssl_setup (struct ast_tls_config *cfg)
	Set up an SSL server.
int	ast_ssl_setup_client (struct ast_tls_config *cfg)
	Set up an SSL client.
void	ast_ssl_teardown (struct ast_tls_config *cfg)
	free resources used by an SSL server
struct ast_tcptls_session_instance *	ast_tcptls_client_create (struct ast_tcptls_session_args *desc)
	Creates a client connection's ast_tcptls_session_instance.
struct ast_tcptls_session_instance *	ast_tcptls_client_start (struct ast_tcptls_session_instance *tcptls_session)
	Attempt to connect and start a tcptls session.
struct ast_tcptls_session_instance *	ast_tcptls_client_start_timeout (struct ast_tcptls_session_instance *tcptls_session, int timeout)
	Attempt to connect and start a tcptls session within the given timeout.
void	ast_tcptls_close_session_file (struct ast_tcptls_session_instance *tcptls_session)
	Closes a tcptls session instance's file and/or file descriptor. The tcptls_session will be set to NULL and it's file descriptor will be set to -1 by this function.
void *	ast_tcptls_server_root (void *data)
void	ast_tcptls_server_start (struct ast_tcptls_session_args *desc)
	This is a generic (re)start routine for a TCP server, which does the socket/bind/listen and starts a thread for handling accept().
void	ast_tcptls_server_stop (struct ast_tcptls_session_args *desc)
	Shutdown a running server if there is one.
struct ast_tcptls_session_instance *	ast_tcptls_start_tls (struct ast_tcptls_session_instance *tcptls_session)
	Start TLS negotiation on an existing unsecured connection.
int	ast_tls_read_conf (struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value)
	Used to parse conf files containing tls/ssl options.
static void *	handle_tcptls_connection (void *data)
	creates a FILE * from the fd passed by the accept thread. This operation is potentially expensive (certificate verification), so we do it in the child thread context.
static void	session_instance_destructor (void *obj)
static int	socket_connect (int sockfd, const struct ast_sockaddr *addr, int timeout)

Detailed Description

Code to support TCP and TLS server/client.

Author

Luigi Rizzo

Brett Bryant brett.nosp@m.brya.nosp@m.nt@gm.nosp@m.ail..nosp@m.com

Definition in file tcptls.c.

Function Documentation

__ssl_setup()

static int __ssl_setup ( struct ast_tls_config *  cfg, int  client, int  suppress_progress_msgs  )

static

Definition at line 392 of file tcptls.c.

{
#ifndef DO_SSL
    if (cfg->enabled) {
        ast_log(LOG_ERROR, "TLS server failed: Asterisk is compiled without OpenSSL support. Install OpenSSL development headers and rebuild Asterisk after running ./configure\n");
        cfg->enabled = 0;
    }
    return 0;
#else
    int disable_ssl = 0;
    long ssl_opts = 0;
 
    if (!cfg->enabled) {
        return 0;
    }
 
    /* Get rid of an old SSL_CTX since we're about to
     * allocate a new one
     */
    if (cfg->ssl_ctx) {
        SSL_CTX_free(cfg->ssl_ctx);
        cfg->ssl_ctx = NULL;
    }
 
    if (client) {
#if !defined(OPENSSL_NO_SSL2) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
        if (ast_test_flag(&cfg->flags, AST_SSL_SSLV2_CLIENT)) {
            ast_log(LOG_WARNING, "Usage of SSLv2 is discouraged due to known vulnerabilities. Please use 'tlsv1' or leave the TLS method unspecified!\n");
            cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method());
        } else
#endif
#if !defined(OPENSSL_NO_SSL3_METHOD) && !(defined(OPENSSL_API_COMPAT) && (OPENSSL_API_COMPAT >= 0x10100000L)) && (OPENSSL_VERSION_NUMBER < 0x40000000L)
        if (ast_test_flag(&cfg->flags, AST_SSL_SSLV3_CLIENT)) {
            ast_log(LOG_WARNING, "Usage of SSLv3 is discouraged due to known vulnerabilities. Please use 'tlsv1' or leave the TLS method unspecified!\n");
            cfg->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
        } else
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
        cfg->ssl_ctx = SSL_CTX_new(TLS_client_method());
#else
        if (ast_test_flag(&cfg->flags, AST_SSL_TLSV1_CLIENT)) {
            cfg->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
        } else {
            disable_ssl = 1;
            cfg->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
        }
#endif
    } else {
        disable_ssl = 1;
        cfg->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
    }
 
    if (!cfg->ssl_ctx) {
        ast_debug(1, "Sorry, SSL_CTX_new call returned null...\n");
        cfg->enabled = 0;
        return 0;
    }
 
    /* Due to the POODLE vulnerability, completely disable
     * SSLv2 and SSLv3 if we are not explicitly told to use
     * them. SSLv23_*_method supports TLSv1+.
     */
    if (disable_ssl) {
        ssl_opts |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
    }
 
    if (ast_test_flag(&cfg->flags, AST_SSL_SERVER_CIPHER_ORDER)) {
        ssl_opts |= SSL_OP_CIPHER_SERVER_PREFERENCE;
    }
 
    if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) {
        ssl_opts |= SSL_OP_NO_TLSv1;
    }
#if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2)
    if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) {
        ssl_opts |= SSL_OP_NO_TLSv1_1;
    }
    if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) {
        ssl_opts |= SSL_OP_NO_TLSv1_2;
    }
#else
    ast_log(LOG_WARNING, "Your version of OpenSSL leaves you potentially vulnerable "
            "to the SSL BEAST attack. Please upgrade to OpenSSL 1.0.1 or later\n");
#endif
 
    SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
 
    SSL_CTX_set_verify(cfg->ssl_ctx,
        ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,
        NULL);
 
    if (!ast_strlen_zero(cfg->certfile)) {
        char *tmpprivate = ast_strlen_zero(cfg->pvtfile) ? cfg->certfile : cfg->pvtfile;
        if (SSL_CTX_use_certificate_chain_file(cfg->ssl_ctx, cfg->certfile) == 0) {
            if (!client) {
                /* Clients don't need a certificate, but if its setup we can use it */
                ast_log(LOG_ERROR, "TLS/SSL error loading cert file. <%s>\n", cfg->certfile);
                write_openssl_error_to_log();
                cfg->enabled = 0;
                SSL_CTX_free(cfg->ssl_ctx);
                cfg->ssl_ctx = NULL;
                return 0;
            }
        }
        if ((SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, tmpprivate, SSL_FILETYPE_PEM) == 0) || (SSL_CTX_check_private_key(cfg->ssl_ctx) == 0 )) {
            if (!client) {
                /* Clients don't need a private key, but if its setup we can use it */
                ast_log(LOG_ERROR, "TLS/SSL error loading private key file. <%s>\n", tmpprivate);
                write_openssl_error_to_log();
                cfg->enabled = 0;
                SSL_CTX_free(cfg->ssl_ctx);
                cfg->ssl_ctx = NULL;
                return 0;
            }
        }
        if (!client) {
            size_t certfile_len = strlen(cfg->certfile);
 
            /* expects a file name which contains _rsa. like asterisk_rsa.pem
             * ignores any 3-character file-extension like .pem, .cer, .crt
             */
            if (certfile_len >= 8 && !strncmp(cfg->certfile + certfile_len - 8, "_rsa.", 5)) {
                __ssl_setup_certs(cfg, certfile_len, "_ecc.", "ECC");
                __ssl_setup_certs(cfg, certfile_len, "_dsa.", "DSA");
            }
        }
    }
    if (!ast_strlen_zero(cfg->cipher)) {
        if (SSL_CTX_set_cipher_list(cfg->ssl_ctx, cfg->cipher) == 0 ) {
            if (!client) {
                ast_log(LOG_ERROR, "TLS/SSL cipher error <%s>\n", cfg->cipher);
                write_openssl_error_to_log();
                cfg->enabled = 0;
                SSL_CTX_free(cfg->ssl_ctx);
                cfg->ssl_ctx = NULL;
                return 0;
            }
        }
    }
    if (!ast_strlen_zero(cfg->cafile) || !ast_strlen_zero(cfg->capath)) {
        if (SSL_CTX_load_verify_locations(cfg->ssl_ctx, S_OR(cfg->cafile, NULL), S_OR(cfg->capath,NULL)) == 0) {
            ast_log(LOG_ERROR, "TLS/SSL CA file(%s)/path(%s) error\n", cfg->cafile, cfg->capath);
            write_openssl_error_to_log();
        }
    }
 
#ifndef OPENSSL_NO_DH
    if (!ast_strlen_zero(cfg->pvtfile)) {
        BIO *bio = BIO_new_file(cfg->pvtfile, "r");
        if (bio != NULL) {
            DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
            if (dh != NULL) {
                if (SSL_CTX_set_tmp_dh(cfg->ssl_ctx, dh)) {
                    long options = SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE;
                    options = SSL_CTX_set_options(cfg->ssl_ctx, options);
                    if (!suppress_progress_msgs) {
                        ast_verb(2, "TLS/SSL DH initialized, PFS cipher-suites enabled\n");
                    }
                }
                DH_free(dh);
            }
            BIO_free(bio);
        }
    }
#endif
 
    #ifndef SSL_CTRL_SET_ECDH_AUTO
        #define SSL_CTRL_SET_ECDH_AUTO 94
    #endif
    /* SSL_CTX_set_ecdh_auto(cfg->ssl_ctx, on); requires OpenSSL 1.0.2 which wraps: */
    if (SSL_CTX_ctrl(cfg->ssl_ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)) {
        if (!suppress_progress_msgs) {
            ast_verb(2, "TLS/SSL ECDH initialized (automatic), faster PFS ciphers enabled\n");
        }
#if !defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
    } else {
        /* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */
        EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
        if (ecdh != NULL) {
            if (SSL_CTX_set_tmp_ecdh(cfg->ssl_ctx, ecdh)) {
                ast_verb(2, "TLS/SSL ECDH initialized (secp256r1), faster PFS cipher-suites enabled\n");
            }
            EC_KEY_free(ecdh);
        }
#endif
    }
 
    if (!suppress_progress_msgs) {
        ast_verb(2, "TLS/SSL certificate ok\n");    /* We should log which one that is ok. This message doesn't really make sense in production use */
    }
    return 1;
#endif
}

References ast_debug, ast_log, AST_SSL_DISABLE_TLSV1, AST_SSL_DISABLE_TLSV11, AST_SSL_DISABLE_TLSV12, AST_SSL_SERVER_CIPHER_ORDER, AST_SSL_SSLV2_CLIENT, AST_SSL_SSLV3_CLIENT, AST_SSL_TLSV1_CLIENT, AST_SSL_VERIFY_CLIENT, ast_strlen_zero(), ast_test_flag, ast_verb, ast_tls_config::cafile, ast_tls_config::capath, ast_tls_config::certfile, ast_tls_config::cipher, ast_tcptls_session_instance::client, ast_tls_config::enabled, ast_tls_config::flags, LOG_ERROR, LOG_WARNING, NULL, options, ast_tls_config::pvtfile, S_OR, and ast_tls_config::ssl_ctx.

Referenced by ast_ssl_setup(), ast_ssl_setup_client(), and ast_tcptls_client_start_timeout().

ast_ssl_setup()

int ast_ssl_setup

(

struct ast_tls_config *

cfg

)

Set up an SSL server.

Parameters

cfg	Configuration for the SSL server

Return values

1	Success
0	Failure

Definition at line 587 of file tcptls.c.

{
    return __ssl_setup(cfg, 0, 0);
}

References __ssl_setup().

Referenced by __ast_http_load(), and __init_manager().

ast_ssl_setup_client()

int ast_ssl_setup_client

(

struct ast_tls_config *

cfg

)

Set up an SSL client.

Since

20.21.0

22.11.0

23.5.0

Note

This function only needs to be called if an unsecured tcptls session is already established and you need to switch it to TLS. This function doesn't actually start any negotiation. It just reads any certificates, key files and options from the config and creates the SSL context.

Parameters

cfg	Configuration for the SSL client

Return values

1	Success
0	Failure

Definition at line 592 of file tcptls.c.

{
    return __ssl_setup(cfg, 1, 1);
}

References __ssl_setup().

Referenced by websocket_client_connect().

ast_ssl_teardown()

void ast_ssl_teardown

(

struct ast_tls_config *

cfg

)

free resources used by an SSL server

Note

This only needs to be called if ast_ssl_setup() was directly called first.

Parameters

cfg	Configuration for the SSL server

Definition at line 597 of file tcptls.c.

{
#ifdef DO_SSL
    if (cfg && cfg->ssl_ctx) {
        SSL_CTX_free(cfg->ssl_ctx);
        cfg->ssl_ctx = NULL;
    }
#endif
}

References NULL, and ast_tls_config::ssl_ctx.

Referenced by websocket_client_args_destroy().

ast_tcptls_client_create()

struct ast_tcptls_session_instance * ast_tcptls_client_create

(

struct ast_tcptls_session_args *

desc

)

Creates a client connection's ast_tcptls_session_instance.

Definition at line 701 of file tcptls.c.

{
    int fd, x = 1;
    struct ast_tcptls_session_instance *tcptls_session = NULL;
 
    ast_assert(!desc->tls_cfg
            || ast_test_flag(&desc->tls_cfg->flags, AST_SSL_DONT_VERIFY_SERVER)
            || !ast_strlen_zero(desc->hostname));
 
    /* Do nothing if nothing has changed */
    if (!ast_sockaddr_cmp(&desc->old_address, &desc->remote_address)) {
        ast_debug(1, "Nothing changed in %s\n", desc->name);
        return NULL;
    }
 
    /* If we return early, there is no connection */
    ast_sockaddr_setnull(&desc->old_address);
 
    fd = desc->accept_fd = ast_socket_nonblock(ast_sockaddr_is_ipv6(&desc->remote_address) ?
                      AF_INET6 : AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (desc->accept_fd < 0) {
        ast_log(LOG_ERROR, "Unable to allocate socket for %s: %s\n",
            desc->name, strerror(errno));
        return NULL;
    }
 
    /* if a local address was specified, bind to it so the connection will
       originate from the desired address */
    if (!ast_sockaddr_isnull(&desc->local_address) &&
        !ast_sockaddr_is_any(&desc->local_address)) {
        setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
        if (ast_bind(desc->accept_fd, &desc->local_address)) {
            ast_log(LOG_ERROR, "Unable to bind %s to %s: %s\n",
                desc->name,
                ast_sockaddr_stringify(&desc->local_address),
                strerror(errno));
            goto error;
        }
    }
 
    tcptls_session = ao2_alloc(sizeof(*tcptls_session), session_instance_destructor);
    if (!tcptls_session) {
        goto error;
    }
 
    tcptls_session->overflow_buf = ast_str_create(128);
    if (!tcptls_session->overflow_buf) {
        goto error;
    }
    tcptls_session->client = 1;
    tcptls_session->stream = ast_iostream_from_fd(&fd);
    if (!tcptls_session->stream) {
        goto error;
    }
 
    /* From here on out, the iostream owns the accept_fd and it will take
     * care of closing it when the iostream is closed */
 
    tcptls_session->parent = desc;
    tcptls_session->parent->worker_fn = NULL;
    ast_sockaddr_copy(&tcptls_session->remote_address,
              &desc->remote_address);
 
    /* Set current info */
    ast_sockaddr_copy(&desc->old_address, &desc->remote_address);
 
    if (!ast_strlen_zero(desc->hostname)) {
        if (ast_iostream_set_sni_hostname(tcptls_session->stream, desc->hostname) != 0) {
            ast_log(LOG_WARNING, "Unable to set SNI hostname '%s' on connection '%s'\n",
                desc->hostname, desc->name);
        }
    }
 
    return tcptls_session;
 
error:
    close(desc->accept_fd);
    desc->accept_fd = -1;
    ao2_cleanup(tcptls_session);
    return NULL;
}

References ao2_alloc, ao2_cleanup, ast_assert, ast_bind(), ast_debug, ast_iostream_from_fd(), ast_iostream_set_sni_hostname(), ast_log, ast_sockaddr_cmp(), ast_sockaddr_copy(), ast_sockaddr_is_any(), ast_sockaddr_is_ipv6(), ast_sockaddr_isnull(), ast_sockaddr_setnull(), ast_sockaddr_stringify(), ast_socket_nonblock, AST_SSL_DONT_VERIFY_SERVER, ast_str_create, ast_strlen_zero(), ast_test_flag, ast_tcptls_session_instance::client, desc, errno, error(), LOG_ERROR, LOG_WARNING, NULL, ast_tcptls_session_instance::overflow_buf, ast_tcptls_session_instance::parent, ast_tcptls_session_instance::remote_address, session_instance_destructor(), ast_tcptls_session_instance::stream, and ast_tcptls_session_args::worker_fn.

Referenced by app_exec(), and websocket_client_connect().

ast_tcptls_client_start()

struct ast_tcptls_session_instance * ast_tcptls_client_start

(

struct ast_tcptls_session_instance *

tcptls_session

)

Attempt to connect and start a tcptls session.

Blocks until a connection is established, or an error occurs.

Note

On error the tcptls_session's ref count is decremented, fd and file are closed, and NULL is returned.

Parameters

tcptls_session

The session instance to connect and start

Returns

The tcptls_session, or NULL on error

Definition at line 696 of file tcptls.c.

{
    return ast_tcptls_client_start_timeout(tcptls_session, -1);
}

References ast_tcptls_client_start_timeout().

Referenced by app_exec().

ast_tcptls_client_start_timeout()

struct ast_tcptls_session_instance * ast_tcptls_client_start_timeout	(	struct ast_tcptls_session_instance *	tcptls_session,
		int	timeout
	)

Attempt to connect and start a tcptls session within the given timeout.

Note

On error the tcptls_session's ref count is decremented, fd and file are closed, and NULL is returned.

Parameters

tcptls_session	The session instance to connect and start
timeout	How long (in milliseconds) to attempt to connect (-1 equals infinite)

Returns

The tcptls_session, or NULL on error

Definition at line 667 of file tcptls.c.

{
    struct ast_tcptls_session_args *desc;
 
    if (!(desc = tcptls_session->parent)) {
        ao2_ref(tcptls_session, -1);
        return NULL;
    }
 
    if (socket_connect(desc->accept_fd, &desc->remote_address, timeout)) {
        if (!desc->suppress_connection_msgs) {
            ast_log(LOG_WARNING, "Unable to connect %s to %s: %s\n", desc->name,
                    ast_sockaddr_stringify(&desc->remote_address), strerror(errno));
        }
 
        ao2_ref(tcptls_session, -1);
        return NULL;
    }
 
    ast_fd_clear_flags(desc->accept_fd, O_NONBLOCK);
 
    if (desc->tls_cfg) {
        __ssl_setup(desc->tls_cfg, 1, desc->suppress_connection_msgs);
    }
 
    return handle_tcptls_connection(tcptls_session);
}

References __ssl_setup(), ao2_ref, ast_fd_clear_flags, ast_log, ast_sockaddr_stringify(), desc, errno, handle_tcptls_connection(), LOG_WARNING, NULL, ast_tcptls_session_instance::parent, and socket_connect().

Referenced by ast_tcptls_client_start(), and websocket_client_connect().

ast_tcptls_close_session_file()

void ast_tcptls_close_session_file

(

struct ast_tcptls_session_instance *

tcptls_session

)

Closes a tcptls session instance's file and/or file descriptor. The tcptls_session will be set to NULL and it's file descriptor will be set to -1 by this function.

Definition at line 938 of file tcptls.c.

{
    if (tcptls_session->stream) {
        ast_iostream_close(tcptls_session->stream);
        tcptls_session->stream = NULL;
    } else {
        ast_debug(1, "ast_tcptls_close_session_file invoked on session instance without file or file descriptor\n");
    }
}

References ast_debug, ast_iostream_close(), NULL, and ast_tcptls_session_instance::stream.

Referenced by ast_http_create_response(), ast_http_send(), ast_tcptls_start_tls(), handle_tcptls_connection(), and httpd_helper_thread().

ast_tcptls_server_root()

void * ast_tcptls_server_root

(

void *

data

)

Definition at line 290 of file tcptls.c.

{
    struct ast_tcptls_session_args *desc = data;
    int fd;
    struct ast_sockaddr addr;
    struct ast_tcptls_session_instance *tcptls_session;
    pthread_t launched;
 
    for (;;) {
        int i;
 
        if (desc->periodic_fn) {
            desc->periodic_fn(desc);
        }
        i = ast_wait_for_input(desc->accept_fd, desc->poll_timeout);
        if (i <= 0) {
            /* Prevent tight loop from hogging CPU */
            usleep(1);
            continue;
        }
        fd = ast_accept(desc->accept_fd, &addr);
        if (fd < 0) {
            if (errno != EAGAIN
                && errno != EWOULDBLOCK
                && errno != EINTR
                && errno != ECONNABORTED) {
                ast_log(LOG_ERROR, "TCP/TLS accept failed: %s\n", strerror(errno));
                if (errno != EMFILE) {
                    break;
                }
            }
            /* Prevent tight loop from hogging CPU */
            usleep(1);
            continue;
        }
        tcptls_session = ao2_alloc(sizeof(*tcptls_session), session_instance_destructor);
        if (!tcptls_session) {
            close(fd);
            continue;
        }
 
        tcptls_session->overflow_buf = ast_str_create(128);
        if (!tcptls_session->overflow_buf) {
            ao2_ref(tcptls_session, -1);
            close(fd);
            continue;
        }
        ast_fd_clear_flags(fd, O_NONBLOCK);
 
        tcptls_session->stream = ast_iostream_from_fd(&fd);
        if (!tcptls_session->stream) {
            ao2_ref(tcptls_session, -1);
            close(fd);
            continue;
        }
 
        tcptls_session->parent = desc;
        ast_sockaddr_copy(&tcptls_session->remote_address, &addr);
 
        tcptls_session->client = 0;
 
        /* This thread is now the only place that controls the single ref to tcptls_session */
        if (ast_pthread_create_detached_background(&launched, NULL, handle_tcptls_connection, tcptls_session)) {
            ast_log(LOG_ERROR, "TCP/TLS unable to launch helper thread for peer '%s': %s\n",
                ast_sockaddr_stringify(&tcptls_session->remote_address),
                strerror(errno));
            ao2_ref(tcptls_session, -1);
        }
    }
 
    ast_log(LOG_ERROR, "TCP/TLS listener thread ended abnormally\n");
 
    /* Close the listener socket so Asterisk doesn't appear dead. */
    fd = desc->accept_fd;
    desc->accept_fd = -1;
    if (0 <= fd) {
        close(fd);
    }
    return NULL;
}

References ao2_alloc, ao2_ref, ast_accept(), ast_fd_clear_flags, ast_iostream_from_fd(), ast_log, ast_pthread_create_detached_background, ast_sockaddr_copy(), ast_sockaddr_stringify(), ast_str_create, ast_wait_for_input(), ast_tcptls_session_instance::client, desc, errno, handle_tcptls_connection(), LOG_ERROR, NULL, ast_tcptls_session_instance::overflow_buf, ast_tcptls_session_instance::parent, ast_tcptls_session_instance::remote_address, session_instance_destructor(), and ast_tcptls_session_instance::stream.

Referenced by http_server_create().

ast_tcptls_server_start()

void ast_tcptls_server_start

(

struct ast_tcptls_session_args *

desc

)

This is a generic (re)start routine for a TCP server, which does the socket/bind/listen and starts a thread for handling accept().

Version

1.6.1 changed desc parameter to be of ast_tcptls_session_args type

Definition at line 783 of file tcptls.c.

{
    int x = 1;
    int tls_changed = 0;
    int sd_socket;
 
    if (desc->tls_cfg) {
        char hash[41];
        char *str = NULL;
        struct stat st;
 
        /* Store the hashes of the TLS certificate etc. */
        if (stat(desc->tls_cfg->certfile, &st) || NULL == (str = ast_read_textfile(desc->tls_cfg->certfile))) {
            memset(hash, 0, 41);
        } else {
            ast_sha1_hash(hash, str);
        }
        ast_free(str);
        str = NULL;
        memcpy(desc->tls_cfg->certhash, hash, 41);
        if (stat(desc->tls_cfg->pvtfile, &st) || NULL == (str = ast_read_textfile(desc->tls_cfg->pvtfile))) {
            memset(hash, 0, 41);
        } else {
            ast_sha1_hash(hash, str);
        }
        ast_free(str);
        str = NULL;
        memcpy(desc->tls_cfg->pvthash, hash, 41);
        if (stat(desc->tls_cfg->cafile, &st) || NULL == (str = ast_read_textfile(desc->tls_cfg->cafile))) {
            memset(hash, 0, 41);
        } else {
            ast_sha1_hash(hash, str);
        }
        ast_free(str);
        str = NULL;
        memcpy(desc->tls_cfg->cahash, hash, 41);
 
        /* Check whether TLS configuration has changed */
        if (!desc->old_tls_cfg) { /* No previous configuration */
            tls_changed = 1;
            desc->old_tls_cfg = ast_calloc(1, sizeof(*desc->old_tls_cfg));
        } else if (memcmp(desc->tls_cfg->certhash, desc->old_tls_cfg->certhash, 41)) {
            tls_changed = 1;
        } else if (memcmp(desc->tls_cfg->pvthash, desc->old_tls_cfg->pvthash, 41)) {
            tls_changed = 1;
        } else if (strcmp(desc->tls_cfg->cipher, desc->old_tls_cfg->cipher)) {
            tls_changed = 1;
        } else if (memcmp(desc->tls_cfg->cahash, desc->old_tls_cfg->cahash, 41)) {
            tls_changed = 1;
        } else if (strcmp(desc->tls_cfg->capath, desc->old_tls_cfg->capath)) {
            tls_changed = 1;
        } else if (memcmp(&desc->tls_cfg->flags, &desc->old_tls_cfg->flags, sizeof(desc->tls_cfg->flags))) {
            tls_changed = 1;
        }
 
        if (tls_changed) {
            ast_debug(1, "Changed parameters for %s found\n", desc->name);
        }
    }
 
    /* Do nothing if nothing has changed */
    if (!tls_changed && !ast_sockaddr_cmp(&desc->old_address, &desc->local_address)) {
        ast_debug(1, "Nothing changed in %s\n", desc->name);
        return;
    }
 
    /* If we return early, there is no one listening */
    ast_sockaddr_setnull(&desc->old_address);
 
    /* Shutdown a running server if there is one */
    if (desc->master != AST_PTHREADT_NULL) {
        pthread_cancel(desc->master);
        pthread_kill(desc->master, SIGURG);
        pthread_join(desc->master, NULL);
    }
 
    sd_socket = ast_sd_get_fd(SOCK_STREAM, &desc->local_address);
 
    if (sd_socket != -1) {
        if (desc->accept_fd != sd_socket) {
            if (desc->accept_fd != -1) {
                close(desc->accept_fd);
            }
            desc->accept_fd = sd_socket;
        }
 
        goto systemd_socket_activation;
    }
 
    if (desc->accept_fd != -1) {
        close(desc->accept_fd);
        desc->accept_fd = -1;
    }
 
    /* If there's no new server, stop here */
    if (ast_sockaddr_isnull(&desc->local_address)) {
        ast_debug(2, "Server disabled:  %s\n", desc->name);
        return;
    }
 
    desc->accept_fd = ast_socket_nonblock(ast_sockaddr_is_ipv6(&desc->local_address) ?
                 AF_INET6 : AF_INET, SOCK_STREAM, 0);
    if (desc->accept_fd < 0) {
        ast_log(LOG_ERROR, "Unable to allocate socket for %s: %s\n", desc->name, strerror(errno));
        return;
    }
 
    setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
    if (ast_bind(desc->accept_fd, &desc->local_address)) {
        ast_log(LOG_ERROR, "Unable to bind %s to %s: %s\n",
            desc->name,
            ast_sockaddr_stringify(&desc->local_address),
            strerror(errno));
        goto error;
    }
    if (listen(desc->accept_fd, 10)) {
        ast_log(LOG_ERROR, "Unable to listen for %s!\n", desc->name);
        goto error;
    }
 
systemd_socket_activation:
    if (ast_pthread_create_background(&desc->master, NULL, desc->accept_fn, desc)) {
        ast_log(LOG_ERROR, "Unable to launch thread for %s on %s: %s\n",
            desc->name,
            ast_sockaddr_stringify(&desc->local_address),
            strerror(errno));
        goto error;
    }
 
    /* Set current info */
    ast_sockaddr_copy(&desc->old_address, &desc->local_address);
    if (desc->old_tls_cfg) {
        ast_free(desc->old_tls_cfg->certfile);
        ast_free(desc->old_tls_cfg->pvtfile);
        ast_free(desc->old_tls_cfg->cipher);
        ast_free(desc->old_tls_cfg->cafile);
        ast_free(desc->old_tls_cfg->capath);
        desc->old_tls_cfg->certfile = ast_strdup(desc->tls_cfg->certfile);
        desc->old_tls_cfg->pvtfile = ast_strdup(desc->tls_cfg->pvtfile);
        desc->old_tls_cfg->cipher = ast_strdup(desc->tls_cfg->cipher);
        desc->old_tls_cfg->cafile = ast_strdup(desc->tls_cfg->cafile);
        desc->old_tls_cfg->capath = ast_strdup(desc->tls_cfg->capath);
        memcpy(desc->old_tls_cfg->certhash, desc->tls_cfg->certhash, 41);
        memcpy(desc->old_tls_cfg->pvthash, desc->tls_cfg->pvthash, 41);
        memcpy(desc->old_tls_cfg->cahash, desc->tls_cfg->cahash, 41);
        memcpy(&desc->old_tls_cfg->flags, &desc->tls_cfg->flags, sizeof(desc->old_tls_cfg->flags));
    }
 
    return;
 
error:
    close(desc->accept_fd);
    desc->accept_fd = -1;
}

References ast_bind(), ast_calloc, ast_debug, ast_free, ast_log, ast_pthread_create_background, AST_PTHREADT_NULL, ast_read_textfile(), ast_sd_get_fd(), ast_sha1_hash(), ast_sockaddr_cmp(), ast_sockaddr_copy(), ast_sockaddr_is_ipv6(), ast_sockaddr_isnull(), ast_sockaddr_setnull(), ast_sockaddr_stringify(), ast_socket_nonblock, ast_strdup, desc, errno, error(), LOG_ERROR, NULL, and str.

Referenced by __ast_http_load(), __init_manager(), and http_server_start().

ast_tcptls_server_stop()

void ast_tcptls_server_stop

(

struct ast_tcptls_session_args *

desc

)

Shutdown a running server if there is one.

Version

1.6.1 changed desc parameter to be of ast_tcptls_session_args type

Definition at line 948 of file tcptls.c.

{
    if (desc->master != AST_PTHREADT_NULL) {
        pthread_cancel(desc->master);
        pthread_kill(desc->master, SIGURG);
        pthread_join(desc->master, NULL);
        desc->master = AST_PTHREADT_NULL;
    }
    if (desc->accept_fd != -1) {
        close(desc->accept_fd);
    }
    desc->accept_fd = -1;
 
    if (desc->old_tls_cfg) {
        ast_free(desc->old_tls_cfg->certfile);
        ast_free(desc->old_tls_cfg->pvtfile);
        ast_free(desc->old_tls_cfg->cipher);
        ast_free(desc->old_tls_cfg->cafile);
        ast_free(desc->old_tls_cfg->capath);
        ast_free(desc->old_tls_cfg);
        desc->old_tls_cfg = NULL;
    }
 
    ast_debug(2, "Stopped server :: %s\n", desc->name);
}

References ast_debug, ast_free, AST_PTHREADT_NULL, desc, and NULL.

Referenced by __ast_http_load(), __init_manager(), http_server_destroy(), manager_shutdown(), and unload_module().

ast_tcptls_start_tls()

struct ast_tcptls_session_instance * ast_tcptls_start_tls

(

struct ast_tcptls_session_instance *

tcptls_session

)

Start TLS negotiation on an existing unsecured connection.

Since

20.21.0

22.11.0

23.5.0

Note

This function only needs to be called if an unsecured tcptls session is already established and you need to switch it to TLS. This function performs the handshake and validation. ast_ssl_setup_client must be called first to create the SSL context.

Parameters

tcptls_session

The existing unsecured session

Warning

If this function fails, it will automatically dereference tcptls_session and close the connection so don't attempt to dereference it again.

Return values

tcptls_session	on Success
NULL	Failure

Definition at line 133 of file tcptls.c.

{
#ifdef DO_SSL
    SSL *ssl;
#endif
 
    if (tcptls_session->parent->tls_cfg && tcptls_session->parent->tls_cfg->enabled) {
#ifdef DO_SSL
        if (ast_iostream_start_tls(&tcptls_session->stream, tcptls_session->parent->tls_cfg->ssl_ctx, tcptls_session->client) < 0) {
            SSL *ssl = ast_iostream_get_ssl(tcptls_session->stream);
            if (ssl) {
                ast_log(LOG_ERROR, "Unable to set up ssl connection with peer '%s'\n",
                    ast_sockaddr_stringify(&tcptls_session->remote_address));
            }
            ast_tcptls_close_session_file(tcptls_session);
            ao2_ref(tcptls_session, -1);
            return NULL;
        }
 
        ssl = ast_iostream_get_ssl(tcptls_session->stream);
        if ((tcptls_session->client && !ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_DONT_VERIFY_SERVER))
            || (!tcptls_session->client && ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_VERIFY_CLIENT))) {
            X509 *peer;
            long res;
            peer = SSL_get_peer_certificate(ssl);
            if (!peer) {
                ast_log(LOG_ERROR, "No SSL certificate to verify from peer '%s'\n",
                    ast_sockaddr_stringify(&tcptls_session->remote_address));
                ast_tcptls_close_session_file(tcptls_session);
                ao2_ref(tcptls_session, -1);
                return NULL;
            }
 
            res = SSL_get_verify_result(ssl);
            if (res != X509_V_OK) {
                ast_log(LOG_ERROR, "Certificate from peer '%s' did not verify: %s\n",
                    ast_sockaddr_stringify(&tcptls_session->remote_address),
                    X509_verify_cert_error_string(res));
                X509_free(peer);
                ast_tcptls_close_session_file(tcptls_session);
                ao2_ref(tcptls_session, -1);
                return NULL;
            }
            if (!ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_IGNORE_COMMON_NAME)) {
                ASN1_STRING *str;
                X509_NAME *name = X509_get_subject_name(peer);
                STACK_OF(GENERAL_NAME) *alt_names;
                int pos = -1;
                int found = 0;
 
                for (;;) {
                    /* Walk the certificate to check all available "Common Name" */
                    /* XXX Probably should do a gethostbyname on the hostname and compare that as well */
                    pos = X509_NAME_get_index_by_NID(name, NID_commonName, pos);
                    if (pos < 0) {
                        break;
                    }
                    str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, pos));
                    if (!check_tcptls_cert_name(str, tcptls_session->parent->hostname, "common name")) {
                        found = 1;
                        break;
                    }
                }
 
                if (!found) {
                    alt_names = X509_get_ext_d2i(peer, NID_subject_alt_name, NULL, NULL);
                    if (alt_names != NULL) {
                        int alt_names_count = sk_GENERAL_NAME_num(alt_names);
 
                        for (pos = 0; pos < alt_names_count; pos++) {
                            const GENERAL_NAME *alt_name = sk_GENERAL_NAME_value(alt_names, pos);
 
                            if (alt_name->type != GEN_DNS) {
                                continue;
                            }
 
                            if (!check_tcptls_cert_name(alt_name->d.dNSName, tcptls_session->parent->hostname, "alt name")) {
                                found = 1;
                                break;
                            }
                        }
 
                        sk_GENERAL_NAME_pop_free(alt_names, GENERAL_NAME_free);
                    }
                }
 
                if (!found) {
                    ast_log(LOG_ERROR, "Certificate common name from peer '%s' did not match (%s)\n",
                        ast_sockaddr_stringify(&tcptls_session->remote_address), tcptls_session->parent->hostname);
                    X509_free(peer);
                    ast_tcptls_close_session_file(tcptls_session);
                    ao2_ref(tcptls_session, -1);
                    return NULL;
                }
            }
            X509_free(peer);
        }
#else
        ast_log(LOG_ERROR, "TLS client failed: Asterisk is compiled without OpenSSL support. Install OpenSSL development headers and rebuild Asterisk after running ./configure\n");
        ast_tcptls_close_session_file(tcptls_session);
        ao2_ref(tcptls_session, -1);
        return NULL;
#endif /* DO_SSL */
    }
 
    return tcptls_session;
}

References ao2_ref, ast_iostream_get_ssl(), ast_iostream_start_tls(), ast_log, ast_sockaddr_stringify(), AST_SSL_DONT_VERIFY_SERVER, AST_SSL_IGNORE_COMMON_NAME, AST_SSL_VERIFY_CLIENT, ast_tcptls_close_session_file(), ast_test_flag, ast_tcptls_session_instance::client, ast_tls_config::enabled, ast_tls_config::flags, ast_tcptls_session_args::hostname, LOG_ERROR, name, NULL, ast_tcptls_session_instance::parent, ast_tcptls_session_instance::remote_address, ast_tls_config::ssl_ctx, str, ast_tcptls_session_instance::stream, and ast_tcptls_session_args::tls_cfg.

Referenced by handle_tcptls_connection(), and websocket_client_connect().

ast_tls_read_conf()

int ast_tls_read_conf	(	struct ast_tls_config *	tls_cfg,
		struct ast_tcptls_session_args *	tls_desc,
		const char *	varname,
		const char *	value
	)

Used to parse conf files containing tls/ssl options.

Definition at line 974 of file tcptls.c.

{
    if (!strcasecmp(varname, "tlsenable") || !strcasecmp(varname, "sslenable")) {
        tls_cfg->enabled = ast_true(value) ? 1 : 0;
    } else if (!strcasecmp(varname, "tlscertfile") || !strcasecmp(varname, "sslcert") || !strcasecmp(varname, "tlscert")) {
        ast_free(tls_cfg->certfile);
        tls_cfg->certfile = ast_strdup(value);
    } else if (!strcasecmp(varname, "tlsprivatekey") || !strcasecmp(varname, "sslprivatekey")) {
        ast_free(tls_cfg->pvtfile);
        tls_cfg->pvtfile = ast_strdup(value);
    } else if (!strcasecmp(varname, "tlscipher") || !strcasecmp(varname, "sslcipher")) {
        ast_free(tls_cfg->cipher);
        tls_cfg->cipher = ast_strdup(value);
    } else if (!strcasecmp(varname, "tlscafile")) {
        ast_free(tls_cfg->cafile);
        tls_cfg->cafile = ast_strdup(value);
    } else if (!strcasecmp(varname, "tlscapath") || !strcasecmp(varname, "tlscadir")) {
        ast_free(tls_cfg->capath);
        tls_cfg->capath = ast_strdup(value);
    } else if (!strcasecmp(varname, "tlsverifyclient")) {
        ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_VERIFY_CLIENT);
    } else if (!strcasecmp(varname, "tlsdontverifyserver")) {
        ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DONT_VERIFY_SERVER);
    } else if (!strcasecmp(varname, "tlsbindaddr") || !strcasecmp(varname, "sslbindaddr")) {
        if (ast_parse_arg(value, PARSE_ADDR, &tls_desc->local_address))
            ast_log(LOG_ERROR, "Invalid %s '%s'\n", varname, value);
    } else if (!strcasecmp(varname, "tlsclientmethod") || !strcasecmp(varname, "sslclientmethod")) {
        if (!strcasecmp(value, "tlsv1")) {
            ast_set_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
            ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
            ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
        } else if (!strcasecmp(value, "sslv3")) {
            ast_set_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
            ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
            ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
        } else if (!strcasecmp(value, "sslv2")) {
            ast_set_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
            ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
            ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
        }
    } else if (!strcasecmp(varname, "tlsservercipherorder")) {
        ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_SERVER_CIPHER_ORDER);
    } else if (!strcasecmp(varname, "tlsdisablev1")) {
        ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV1);
    } else if (!strcasecmp(varname, "tlsdisablev11")) {
        ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV11);
    } else if (!strcasecmp(varname, "tlsdisablev12")) {
        ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV12);
    } else {
        return -1;
    }
 
    return 0;
}

References ast_clear_flag, ast_free, ast_log, ast_parse_arg(), ast_set2_flag, ast_set_flag, AST_SSL_DISABLE_TLSV1, AST_SSL_DISABLE_TLSV11, AST_SSL_DISABLE_TLSV12, AST_SSL_DONT_VERIFY_SERVER, AST_SSL_SERVER_CIPHER_ORDER, AST_SSL_SSLV2_CLIENT, AST_SSL_SSLV3_CLIENT, AST_SSL_TLSV1_CLIENT, AST_SSL_VERIFY_CLIENT, ast_strdup, ast_true(), ast_tls_config::cafile, ast_tls_config::capath, ast_tls_config::certfile, ast_tls_config::cipher, ast_tls_config::enabled, ast_tls_config::flags, ast_tcptls_session_args::local_address, LOG_ERROR, PARSE_ADDR, ast_tls_config::pvtfile, and value.

Referenced by __ast_http_load(), and __init_manager().

handle_tcptls_connection()

static void * handle_tcptls_connection ( void *  data )

static

creates a FILE * from the fd passed by the accept thread. This operation is potentially expensive (certificate verification), so we do it in the child thread context.

Note

must decrement ref count before returning NULL on error

Definition at line 248 of file tcptls.c.

{
    struct ast_tcptls_session_instance *tcptls_session = data;
 
    /* TCP/TLS connections are associated with external protocols, and
     * should not be allowed to execute 'dangerous' functions. This may
     * need to be pushed down into the individual protocol handlers, but
     * this seems like a good general policy.
     */
    if (ast_thread_inhibit_escalations()) {
        ast_log(LOG_ERROR, "Failed to inhibit privilege escalations; killing connection from peer '%s'\n",
            ast_sockaddr_stringify(&tcptls_session->remote_address));
        ast_tcptls_close_session_file(tcptls_session);
        ao2_ref(tcptls_session, -1);
        return NULL;
    }
 
    /*
     * TCP/TLS connections are associated with external protocols which can
     * be considered to be user interfaces (even for SIP messages), and
     * will not handle channel media.  This may need to be pushed down into
     * the individual protocol handlers, but this seems like a good start.
     */
    if (ast_thread_user_interface_set(1)) {
        ast_log(LOG_ERROR, "Failed to set user interface status; killing connection from peer '%s'\n",
            ast_sockaddr_stringify(&tcptls_session->remote_address));
        ast_tcptls_close_session_file(tcptls_session);
        ao2_ref(tcptls_session, -1);
        return NULL;
    }
 
    if (ast_tcptls_start_tls(tcptls_session) == NULL) {
        return NULL;
    }
 
    if (tcptls_session->parent->worker_fn) {
        return tcptls_session->parent->worker_fn(tcptls_session);
    } else {
        return tcptls_session;
    }
}

References ao2_ref, ast_log, ast_sockaddr_stringify(), ast_tcptls_close_session_file(), ast_tcptls_start_tls(), ast_thread_inhibit_escalations(), ast_thread_user_interface_set(), LOG_ERROR, NULL, ast_tcptls_session_instance::parent, ast_tcptls_session_instance::remote_address, and ast_tcptls_session_args::worker_fn.

Referenced by ast_tcptls_client_start_timeout(), and ast_tcptls_server_root().

session_instance_destructor()

static void session_instance_destructor ( void *  obj )

static

Definition at line 72 of file tcptls.c.

{
    struct ast_tcptls_session_instance *i = obj;
 
    if (i->stream) {
        ast_iostream_close(i->stream);
        i->stream = NULL;
    }
    ast_free(i->overflow_buf);
    ao2_cleanup(i->private_data);
}

References ao2_cleanup, ast_free, ast_iostream_close(), NULL, ast_tcptls_session_instance::overflow_buf, ast_tcptls_session_instance::private_data, and ast_tcptls_session_instance::stream.

Referenced by ast_tcptls_client_create(), and ast_tcptls_server_root().

socket_connect()

static int socket_connect ( int  sockfd, const struct ast_sockaddr *  addr, int  timeout  )

static

Definition at line 623 of file tcptls.c.

{
    int optval = 0;
    socklen_t optlen = sizeof(int);
 
    errno = 0;
 
    if (ast_connect(sockfd, addr)) {
        int res;
 
        /*
         * A connect failure could mean things are still in progress.
         * If so wait for it to complete.
         */
 
        if (errno != EINPROGRESS) {
            return -1;
        }
 
        while ((res = ast_wait_for_output(sockfd, timeout)) != 1) {
            if (res == 0) {
                errno = ETIMEDOUT;
                return -1;
            }
 
            if (errno != EINTR) {
                return -1;
            }
        }
    }
 
    /* Check the status to ensure it actually connected successfully */
    if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval, &optlen) < 0) {
        return -1;
    }
 
    if (optval) {
        errno = optval;
        return -1;
    }
 
    return 0;
}

References ast_connect(), ast_wait_for_output(), and errno.

Referenced by ast_tcptls_client_start_timeout().