Diffstat (limited to 'main')
-rw-r--r-- | main/http.c | 31 | ||||
-rw-r--r-- | main/manager.c | 33 | ||||
-rw-r--r-- | main/tcptls.c | 36 |
3 files changed, 52 insertions, 48 deletions
diff --git a/main/http.c b/main/http.c
index 595d6cbab..f99c03e91 100644
--- a/main/http.c
+++ b/main/http.c
@@ -983,7 +983,6 @@ static int __ast_http_load(int reload)
  struct hostent *hp;
  struct ast_hostent ahp;
  char newprefix[MAX_PREFIX] = "";
- int have_sslbindaddr = 0;
  struct http_uri_redirect *redirect;
  struct ast_flags config_flags = { reload ? CONFIG_FLAG_FILEUNCHANGED : 0 };
@@ -1024,32 +1023,18 @@ static int __ast_http_load(int reload)
  if (cfg) {
  v = ast_variable_browse(cfg, "general");
  for (; v; v = v->next) {
+
+ /* handle tls conf */
+ if (!ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
+ continue;
+ }
+
  if (!strcasecmp(v->name, "enabled")) {
  enabled = ast_true(v->value);
- } else if (!strcasecmp(v->name, "sslenable")) {
- http_tls_cfg.enabled = ast_true(v->value);
- } else if (!strcasecmp(v->name, "sslbindport")) {
- https_desc.local_address.sin_port = htons(atoi(v->value));
- } else if (!strcasecmp(v->name, "sslcert")) {
- ast_free(http_tls_cfg.certfile);
- http_tls_cfg.certfile = ast_strdup(v->value);
- } else if (!strcasecmp(v->name, "sslprivatekey")) {
- ast_free(http_tls_cfg.pvtfile);
- http_tls_cfg.pvtfile = ast_strdup(v->value);
- } else if (!strcasecmp(v->name, "sslcipher")) {
- ast_free(http_tls_cfg.cipher);
- http_tls_cfg.cipher = ast_strdup(v->value);
  } else if (!strcasecmp(v->name, "enablestatic")) {
  newenablestatic = ast_true(v->value);
  } else if (!strcasecmp(v->name, "bindport")) {
  http_desc.local_address.sin_port = htons(atoi(v->value));
- } else if (!strcasecmp(v->name, "sslbindaddr")) {
- if ((hp = ast_gethostbyname(v->value, &ahp))) {
- memcpy(&https_desc.local_address.sin_addr, hp->h_addr, sizeof(https_desc.local_address.sin_addr));
- have_sslbindaddr = 1;
- } else {
- ast_log(LOG_WARNING, "Invalid bind address '%s'\n", v->value);
- }
  } else if (!strcasecmp(v->name, "bindaddr")) {
  if ((hp = ast_gethostbyname(v->value, &ahp))) {
  memcpy(&http_desc.local_address.sin_addr, hp->h_addr, sizeof(http_desc.local_address.sin_addr));
@@ -1072,8 +1057,8 @@ static int __ast_http_load(int reload)
  ast_config_destroy(cfg);
  }
-
- if (!have_sslbindaddr) {
+ /* if the https addres has not been set, default is the same as non secure http */
+ if (!https_desc.local_address.sin_addr.s_addr) {
  https_desc.local_address.sin_addr = http_desc.local_address.sin_addr;
  }
  if (enabled) {
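Review bot: The comment `/* handle tls conf */` above the new `ast_tls_read_conf()` call does not say what the zero return means, which is the only thing a reader needs to understand the `continue`; I would write it as `/* ast_tls_read_conf() returns 0 when it has consumed a TLS/SSL key, so only the non-TLS keys are handled below */`. The equivalent call added in manager.c (hunk @@ -4804) has no comment at all and would benefit from the same line. The prototype for `ast_tls_read_conf()` is presumably added to the tcptls header, which this view (limited to 'main') does not show. `__ast_http_load` starts and ends outside the hunk.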
diff --git a/main/manager.c b/main/manager.c
index a43f5518b..97d573c07 100644
--- a/main/manager.c
+++ b/main/manager.c
@@ -4719,9 +4719,6 @@ static int __init_manager(int reload)
  const char *val;
  char *cat = NULL;
  int newhttptimeout = 60;
- int have_sslbindaddr = 0;
- struct hostent *hp;
- struct ast_hostent ahp;
  struct ast_manager_user *user = NULL;
  struct ast_variable *var;
  struct ast_flags config_flags = { reload ? CONFIG_FLAG_FILEUNCHANGED : 0 };
@@ -4804,27 +4801,12 @@ static int __init_manager(int reload)
  for (var = ast_variable_browse(cfg, "general"); var; var = var->next) {
  val = var->value;
- if (!strcasecmp(var->name, "sslenable")) {
- ami_tls_cfg.enabled = ast_true(val);
- } else if (!strcasecmp(var->name, "sslbindport")) {
- amis_desc.local_address.sin_port = htons(atoi(val));
- } else if (!strcasecmp(var->name, "sslbindaddr")) {
- if ((hp = ast_gethostbyname(val, &ahp))) {
- memcpy(&amis_desc.local_address.sin_addr, hp->h_addr, sizeof(amis_desc.local_address.sin_addr));
- have_sslbindaddr = 1;
- } else {
- ast_log(LOG_WARNING, "Invalid bind address '%s'\n", val);
- }
- } else if (!strcasecmp(var->name, "sslcert")) {
- ast_free(ami_tls_cfg.certfile);
- ami_tls_cfg.certfile = ast_strdup(val);
- } else if (!strcasecmp(var->name, "sslprivatekey")) {
- ast_free(ami_tls_cfg.pvtfile);
- ami_tls_cfg.pvtfile = ast_strdup(val);
- } else if (!strcasecmp(var->name, "sslcipher")) {
- ast_free(ami_tls_cfg.cipher);
- ami_tls_cfg.cipher = ast_strdup(val);
- } else if (!strcasecmp(var->name, "enabled")) {
+
+ if (!ast_tls_read_conf(&ami_tls_cfg, &amis_desc, var->name, val)) {
+ continue;
+ }
+
+ if (!strcasecmp(var->name, "enabled")) {
  manager_enabled = ast_true(val);
  } else if (!strcasecmp(var->name, "block-sockets")) {
  block_sockets = ast_true(val);
@@ -4856,7 +4838,8 @@ static int __init_manager(int reload)
  if (manager_enabled) {
  ami_desc.local_address.sin_family = AF_INET;
  }
- if (!have_sslbindaddr) {
+ /* if the amis address has not been set, default is the same as non secure ami */
+ if (!amis_desc.local_address.sin_addr.s_addr) {
  amis_desc.local_address.sin_addr = ami_desc.local_address.sin_addr;
  }
  if (ami_tls_cfg.enabled) {
diff --git a/main/tcptls.c b/main/tcptls.c
index 5837668de..4609438f5 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
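Review bot: Replacing the `have_sslbindaddr` flag with `!amis_desc.local_address.sin_addr.s_addr` changes the meaning of an explicit `sslbindaddr=0.0.0.0`: the old flag honoured it as a configured wildcard bind, while the new test treats INADDR_ANY as "not set" and silently substitutes the plain AMI `bindaddr`, so an operator who deliberately bound TLS to all interfaces may find the listener on whatever the non-TLS address is. The same substitution is made in http.c (hunk @@ -1072). If that is intended, the comment should say so, e.g. `/* an unset or 0.0.0.0 TLS bind address falls back to the non-TLS bind address */`; if not, the caller needs an explicit "address was configured" indication from the parser rather than inferring it from the address value. `__init_manager` starts and ends outside the hunk.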
@@ -488,3 +488,39 @@ void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc)
  desc->accept_fd = -1;
  ast_debug(2, "Stopped server :: %s\n", desc->name);
  }
+
+ int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value)
+ {
+ if (!strcasecmp(varname, "tlsenable") || !strcasecmp(varname, "sslenable")) {
+ tls_cfg->enabled = ast_true(value) ? 1 : 0;
+ tls_desc->local_address.sin_family = AF_INET;
+ } else if (!strcasecmp(varname, "tlscertfile") || !strcasecmp(varname, "sslcert")) {
+ ast_free(tls_cfg->certfile);
+ tls_cfg->certfile = ast_strdup(value);
+ } else if (!strcasecmp(varname, "tlsprivatekey") || !strcasecmp(varname, "sslprivatekey")) {
+ ast_free(tls_cfg->pvtfile);
+ tls_cfg->pvtfile = ast_strdup(value);
+ } else if (!strcasecmp(varname, "tlscipher") || !strcasecmp(varname, "sslcipher")) {
+ ast_free(tls_cfg->cipher);
+ tls_cfg->cipher = ast_strdup(value);
+ } else if (!strcasecmp(varname, "tlscafile")) {
+ ast_free(tls_cfg->cafile);
+ tls_cfg->cafile = ast_strdup(value);
+ } else if (!strcasecmp(varname, "tlscapath")) {
+ ast_free(tls_cfg->capath);
+ tls_cfg->capath = ast_strdup(value);
+ } else if (!strcasecmp(varname, "tlsverifyclient")) {
+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_VERIFY_CLIENT);
+ } else if (!strcasecmp(varname, "tlsdontverifyserver")) {
+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DONT_VERIFY_SERVER);
+ } else if (!strcasecmp(varname, "tlsbindaddr") || !strcasecmp(varname, "sslbindaddr")) {
+ if (ast_parse_arg(value, PARSE_INADDR, &tls_desc->local_address))
+ ast_log(LOG_WARNING, "Invalid %s '%s'\n", varname, value);
+ } else if (!strcasecmp(varname, "tlsbindport") || !strcasecmp(varname, "sslbindport")) {
+ tls_desc->local_address.sin_port = htons(atoi(value));
+ } else {
+ return -1;
+ }
+
+ return 0;
+ } |
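Review bot: The `tlsbindport`/`sslbindport` branch converts the value with `atoi()`, so a non-numeric or out-of-range setting silently becomes port 0 or a truncated 16-bit value, whereas the `tlsbindaddr` branch just above already warns on bad input; parse with `strtol()` and range-check before `htons()`, as below. The `tlsbindaddr` branch also leaves its `if` body unbraced, unlike every other branch in the function. As this is a new public function, a header comment stating the contract would help the callers in http.c and manager.c: it returns 0 when `varname` was a TLS/SSL key and has been applied, -1 when the caller must handle the key itself, and each matching string key frees and re-duplicates the corresponding `tls_cfg` field.
```c
	} else if (!strcasecmp(varname, "tlsbindport") || !strcasecmp(varname, "sslbindport")) {
		char *end = NULL;
		long port = strtol(value, &end, 10);
		if (end == value || *end != '\0' || port < 1 || port > 65535) {
			ast_log(LOG_WARNING, "Invalid %s '%s'\n", varname, value);
		} else {
			tls_desc->local_address.sin_port = htons((uint16_t) port);
		}
	/* … unchanged: final else branch returning -1, and return 0 … */
```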