authordvossel <dvossel@f38db490-d61c-443f-a65b-d21fe96a405b>2009-04-29 14:39:48 +0000
committerdvossel <dvossel@f38db490-d61c-443f-a65b-d21fe96a405b>2009-04-29 14:39:48 +0000
commitcfa021cb17a95589df86477d219112d3cdd280e9 (patch)
tree622e972760e11646f05bdb377f471f42a6608dcc /main
parent0ad875b34e788f24d688fad41c7e9b9223f65ad3 (diff)
Consistent SSL/TLS options across conf files
ast_tls_read_conf() is a new api call for handling SSL/TLS options across all conf files. Before this change, SSL/TLS options were not consistent. http.conf and manager.conf required the 'ssl' prefix while sip.conf used options with the 'tls' prefix. While the options had different names in different conf files, they all did the exact same thing. Now, instead of mixing 'ssl' or 'tls' prefixes to do the same thing depending on what conf file you're in, all SSL/TLS options use the 'tls' prefix. For example, 'sslenable' in http.conf and manager.conf is now 'tlsenable', which matches what already existed in sip.conf. Since this has the potential to break backwards compatibility, previous options containing the 'ssl' prefix still work, but they are no longer documented in the sample.conf files. The change is noted in the CHANGES file though. Review: http://reviewboard.digium.com/r/237/ git-svn-id: http://svn.digium.com/svn/asterisk/trunk@191028 f38db490-d61c-443f-a65b-d21fe96a405b
Diffstat (limited to 'main')
-rw-r--r--main/http.c31
-rw-r--r--main/manager.c33
-rw-r--r--main/tcptls.c36
3 files changed, 52 insertions, 48 deletions
diff --git a/main/http.c b/main/http.c
index 595d6cbab..f99c03e91 100644
--- a/main/http.c
+++ b/main/http.c
@@ -983,7 +983,6 @@ static int __ast_http_load(int reload)
struct hostent *hp;
struct ast_hostent ahp;
char newprefix[MAX_PREFIX] = "";
- int have_sslbindaddr = 0;
struct http_uri_redirect *redirect;
struct ast_flags config_flags = { reload ? CONFIG_FLAG_FILEUNCHANGED : 0 };
@@ -1024,32 +1023,18 @@ static int __ast_http_load(int reload)
if (cfg) {
v = ast_variable_browse(cfg, "general");
for (; v; v = v->next) {
+
+ /* handle tls conf */
+ if (!ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
+ continue;
+ }
+
if (!strcasecmp(v->name, "enabled")) {
enabled = ast_true(v->value);
- } else if (!strcasecmp(v->name, "sslenable")) {
- http_tls_cfg.enabled = ast_true(v->value);
- } else if (!strcasecmp(v->name, "sslbindport")) {
- https_desc.local_address.sin_port = htons(atoi(v->value));
- } else if (!strcasecmp(v->name, "sslcert")) {
- ast_free(http_tls_cfg.certfile);
- http_tls_cfg.certfile = ast_strdup(v->value);
- } else if (!strcasecmp(v->name, "sslprivatekey")) {
- ast_free(http_tls_cfg.pvtfile);
- http_tls_cfg.pvtfile = ast_strdup(v->value);
- } else if (!strcasecmp(v->name, "sslcipher")) {
- ast_free(http_tls_cfg.cipher);
- http_tls_cfg.cipher = ast_strdup(v->value);
} else if (!strcasecmp(v->name, "enablestatic")) {
newenablestatic = ast_true(v->value);
} else if (!strcasecmp(v->name, "bindport")) {
http_desc.local_address.sin_port = htons(atoi(v->value));
- } else if (!strcasecmp(v->name, "sslbindaddr")) {
- if ((hp = ast_gethostbyname(v->value, &ahp))) {
- memcpy(&https_desc.local_address.sin_addr, hp->h_addr, sizeof(https_desc.local_address.sin_addr));
- have_sslbindaddr = 1;
- } else {
- ast_log(LOG_WARNING, "Invalid bind address '%s'\n", v->value);
- }
} else if (!strcasecmp(v->name, "bindaddr")) {
if ((hp = ast_gethostbyname(v->value, &ahp))) {
memcpy(&http_desc.local_address.sin_addr, hp->h_addr, sizeof(http_desc.local_address.sin_addr));
@@ -1072,8 +1057,8 @@ static int __ast_http_load(int reload)
ast_config_destroy(cfg);
}
-
- if (!have_sslbindaddr) {
+ /* if the https addres has not been set, default is the same as non secure http */
+ if (!https_desc.local_address.sin_addr.s_addr) {
https_desc.local_address.sin_addr = http_desc.local_address.sin_addr;
}
if (enabled) {
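Review bot: Replacing the have_sslbindaddr flag with a test on `https_desc.local_address.sin_addr.s_addr` changes what an explicit `tlsbindaddr=0.0.0.0` (or legacy `sslbindaddr=0.0.0.0`) means: its s_addr is zero, so the HTTPS listener now silently inherits the plain-HTTP bindaddr instead of binding all interfaces as it did before; the same substitution is made in manager.c at the `amis_desc` check in its last hunk. If the old semantics are wanted, the variable loop has to record that a tlsbindaddr/sslbindaddr option was seen (ast_tls_read_conf does not report which option it consumed) and this test should use that flag; otherwise the behavior change belongs in the comment and in CHANGES. I cannot tell from the hunk whether https_desc.local_address is reset on reload; if it is not, an address from a previous configuration would now survive a reload that removes the option, where the flag-based check used to reset it. The added comment also misspells "address". __ast_http_load continues outside the hunk.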
diff --git a/main/manager.c b/main/manager.c
index a43f5518b..97d573c07 100644
--- a/main/manager.c
+++ b/main/manager.c
@@ -4719,9 +4719,6 @@ static int __init_manager(int reload)
const char *val;
char *cat = NULL;
int newhttptimeout = 60;
- int have_sslbindaddr = 0;
- struct hostent *hp;
- struct ast_hostent ahp;
struct ast_manager_user *user = NULL;
struct ast_variable *var;
struct ast_flags config_flags = { reload ? CONFIG_FLAG_FILEUNCHANGED : 0 };
@@ -4804,27 +4801,12 @@ static int __init_manager(int reload)
for (var = ast_variable_browse(cfg, "general"); var; var = var->next) {
val = var->value;
- if (!strcasecmp(var->name, "sslenable")) {
- ami_tls_cfg.enabled = ast_true(val);
- } else if (!strcasecmp(var->name, "sslbindport")) {
- amis_desc.local_address.sin_port = htons(atoi(val));
- } else if (!strcasecmp(var->name, "sslbindaddr")) {
- if ((hp = ast_gethostbyname(val, &ahp))) {
- memcpy(&amis_desc.local_address.sin_addr, hp->h_addr, sizeof(amis_desc.local_address.sin_addr));
- have_sslbindaddr = 1;
- } else {
- ast_log(LOG_WARNING, "Invalid bind address '%s'\n", val);
- }
- } else if (!strcasecmp(var->name, "sslcert")) {
- ast_free(ami_tls_cfg.certfile);
- ami_tls_cfg.certfile = ast_strdup(val);
- } else if (!strcasecmp(var->name, "sslprivatekey")) {
- ast_free(ami_tls_cfg.pvtfile);
- ami_tls_cfg.pvtfile = ast_strdup(val);
- } else if (!strcasecmp(var->name, "sslcipher")) {
- ast_free(ami_tls_cfg.cipher);
- ami_tls_cfg.cipher = ast_strdup(val);
- } else if (!strcasecmp(var->name, "enabled")) {
+
+ if (!ast_tls_read_conf(&ami_tls_cfg, &amis_desc, var->name, val)) {
+ continue;
+ }
+
+ if (!strcasecmp(var->name, "enabled")) {
manager_enabled = ast_true(val);
} else if (!strcasecmp(var->name, "block-sockets")) {
block_sockets = ast_true(val);
@@ -4856,7 +4838,8 @@ static int __init_manager(int reload)
if (manager_enabled) {
ami_desc.local_address.sin_family = AF_INET;
}
- if (!have_sslbindaddr) {
+ /* if the amis address has not been set, default is the same as non secure ami */
+ if (!amis_desc.local_address.sin_addr.s_addr) {
amis_desc.local_address.sin_addr = ami_desc.local_address.sin_addr;
}
if (ami_tls_cfg.enabled) {
diff --git a/main/tcptls.c b/main/tcptls.c
index 5837668de..4609438f5 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -488,3 +488,39 @@ void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc)
desc->accept_fd = -1;
ast_debug(2, "Stopped server :: %s\n", desc->name);
}
+
+int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value)
+{
+ if (!strcasecmp(varname, "tlsenable") || !strcasecmp(varname, "sslenable")) {
+ tls_cfg->enabled = ast_true(value) ? 1 : 0;
+ tls_desc->local_address.sin_family = AF_INET;
+ } else if (!strcasecmp(varname, "tlscertfile") || !strcasecmp(varname, "sslcert")) {
+ ast_free(tls_cfg->certfile);
+ tls_cfg->certfile = ast_strdup(value);
+ } else if (!strcasecmp(varname, "tlsprivatekey") || !strcasecmp(varname, "sslprivatekey")) {
+ ast_free(tls_cfg->pvtfile);
+ tls_cfg->pvtfile = ast_strdup(value);
+ } else if (!strcasecmp(varname, "tlscipher") || !strcasecmp(varname, "sslcipher")) {
+ ast_free(tls_cfg->cipher);
+ tls_cfg->cipher = ast_strdup(value);
+ } else if (!strcasecmp(varname, "tlscafile")) {
+ ast_free(tls_cfg->cafile);
+ tls_cfg->cafile = ast_strdup(value);
+ } else if (!strcasecmp(varname, "tlscapath")) {
+ ast_free(tls_cfg->capath);
+ tls_cfg->capath = ast_strdup(value);
+ } else if (!strcasecmp(varname, "tlsverifyclient")) {
+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_VERIFY_CLIENT);
+ } else if (!strcasecmp(varname, "tlsdontverifyserver")) {
+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DONT_VERIFY_SERVER);
+ } else if (!strcasecmp(varname, "tlsbindaddr") || !strcasecmp(varname, "sslbindaddr")) {
+ if (ast_parse_arg(value, PARSE_INADDR, &tls_desc->local_address))
+ ast_log(LOG_WARNING, "Invalid %s '%s'\n", varname, value);
+ } else if (!strcasecmp(varname, "tlsbindport") || !strcasecmp(varname, "sslbindport")) {
+ tls_desc->local_address.sin_port = htons(atoi(value));
+ } else {
+ return -1;
+ }
+
+ return 0;
+}
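Review bot: The `tlsbindport`/`sslbindport` branch feeds `atoi(value)` straight into `htons()` with no validation, so a non-numeric or out-of-range value (e.g. `tlsbindport=70000`) is silently wrapped to an unintended port rather than rejected the way a bad bind address is in the branch just above; parse it with strtol, require 1..65535 and log the same kind of warning before storing it, as sketched below. As a new public API the function should also carry a Doxygen comment above it stating the contract the callers in http.c and manager.c rely on: returns 0 when varname was a recognized TLS/SSL option (including the legacy 'ssl' spellings) and has been applied to tls_cfg/tls_desc, and -1 when it was not, so the caller continues with its own options. The single-statement `if` in the bind-address branch should be braced per the project's style. Note that `tlsbindaddr` is parsed with PARSE_INADDR; if that parser accepts a trailing ':port', the effective port depends on whether tlsbindaddr or tlsbindport appears later in the file, which is worth a sentence in the comment.
```c
	} else if (!strcasecmp(varname, "tlsbindport") || !strcasecmp(varname, "sslbindport")) {
		/* reject anything that is not a complete decimal number in the TCP port range */
		char *end = NULL;
		long port = strtol(value, &end, 10);
		if (*value == '\0' || *end != '\0' || port < 1 || port > 65535) {
			ast_log(LOG_WARNING, "Invalid %s '%s'\n", varname, value);
		} else {
			tls_desc->local_address.sin_port = htons((uint16_t) port);
		}
	} else {
		/* … unchanged: return -1 for options this helper does not own … */
```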