diff --git a/modules/proto_tls/proto_tls.c b/modules/proto_tls/proto_tls.c index c073c2b929e..985cc5320f6 100644 --- a/modules/proto_tls/proto_tls.c +++ b/modules/proto_tls/proto_tls.c @@ -227,10 +227,12 @@ static int tls_conn_init(struct tcp_connection* c) LM_DBG("looking up socket based TLS server " "domain [%s:%d]\n", ip_addr2a(&c->rcv.dst_ip), c->rcv.dst_port); dom = tls_mgm_api.find_server_domain(&c->rcv.dst_ip, c->rcv.dst_port); + tls_mgm_api.acquire_domain(dom); if (dom) { LM_DBG("found socket based TLS server domain " "[%s:%d]\n", ip_addr2a(&dom->addr), dom->port); c->extra_data = SSL_new(dom->ctx); + tls_mgm_api.release_domain(dom); } else { LM_ERR("no TLS server domain found\n"); return -1; @@ -240,9 +242,10 @@ static int tls_conn_init(struct tcp_connection* c) c->proto_flags = F_TLS_DO_CONNECT; dom = tls_mgm_api.find_client_domain(&c->rcv.src_ip, c->rcv.src_port); - + tls_mgm_api.acquire_domain(dom); if (dom) { c->extra_data = SSL_new(dom->ctx); + tls_mgm_api.release_domain(dom); } else { LM_ERR("no TLS client domain found\n"); return -1; diff --git a/modules/proto_tls/tls_server.c b/modules/proto_tls/tls_server.c index f00e8c6d0f5..a9a3a70595a 100644 --- a/modules/proto_tls/tls_server.c +++ b/modules/proto_tls/tls_server.c @@ -751,4 +751,4 @@ int tls_fix_read_conn(struct tcp_connection *c) lock_release(&c->write_lock); return ret; -} \ No newline at end of file +} diff --git a/modules/proto_tls/tls_server.h b/modules/proto_tls/tls_server.h index 5f8d37bcb6c..d4318a79ac2 100644 --- a/modules/proto_tls/tls_server.h +++ b/modules/proto_tls/tls_server.h @@ -42,7 +42,7 @@ #define F_TLS_DO_ACCEPT (1<<0) #define F_TLS_DO_CONNECT (1<<1) -static struct tls_mgm_binds tls_mgm_api; +struct tls_mgm_binds tls_mgm_api; size_t tls_blocking_write(struct tcp_connection *c, int fd, const char *buf, size_t len); @@ -55,4 +55,4 @@ int tls_conn_shutdown(struct tcp_connection *c); int tls_update_fd(struct tcp_connection *c, int fd); -#endif \ No newline at end of file +#endif diff --git a/modules/tls_mgm/api.h b/modules/tls_mgm/api.h index 0e3989dceef..4c95f4ac564 100644 --- a/modules/tls_mgm/api.h +++ b/modules/tls_mgm/api.h @@ -11,12 +11,18 @@ typedef struct tls_domain * (*tls_find_server_domain_f) (struct ip_addr *, unsig typedef struct tls_domain * (*tls_find_client_domain_f) (struct ip_addr *, unsigned short); typedef int (*get_send_timeout_f) (void); typedef int (*get_handshake_timeout_f) (void); +typedef int (*tls_mod_init_f) (void); +typedef void (*tls_acquire_domain_f) (struct tls_domain *); +typedef void (*tls_release_domain_f) (struct tls_domain *); struct tls_mgm_binds { get_send_timeout_f get_send_timeout; get_handshake_timeout_f get_handshake_timeout; tls_find_server_domain_f find_server_domain; tls_find_client_domain_f find_client_domain; + tls_mod_init_f mod_init; + tls_acquire_domain_f acquire_domain; + tls_release_domain_f release_domain; }; diff --git a/modules/tls_mgm/tls_config.c b/modules/tls_mgm/tls_config.c index 86ea9de9e3b..4f37568dd32 100644 --- a/modules/tls_mgm/tls_config.c +++ b/modules/tls_mgm/tls_config.c @@ -36,8 +36,9 @@ #include "tls_config.h" #include "../../config.h" +#include "../../ut.h" -int tls_method = TLS_USE_SSLv23; +int tls_default_method = TLS_USE_SSLv23; /* * These are the default values which will be used @@ -63,4 +64,21 @@ int tls_handshake_timeout = 100; int tls_send_timeout = 100; /* per default, the TLS domains do not have a name */ int tls_client_domain_avp = -1; - + +str id_col = str_init("id"); +str type_col = str_init("type"); +str address_col = str_init("address"); +str method_col = str_init("method"); +str verify_cert_col = str_init("verify_cert"); +str require_cert_col = str_init("require_cert"); +str certificate_col = str_init("certificate"); +str pk_col = str_init("private_key"); +str crl_check_col = str_init("crl_check_all"); +str crl_dir_col = str_init("crl_dir"); +str calist_col = str_init("ca_list"); +str cadir_col = str_init("ca_dir"); +str cplist_col = str_init("cipher_list"); +str dhparams_col = str_init("dh_params"); +str eccurve_col = str_init("ec_curve"); +str tls_db_table = str_init("tls_mgm"); +str tls_db_url = {NULL, 0}; \ No newline at end of file diff --git a/modules/tls_mgm/tls_config.h b/modules/tls_mgm/tls_config.h index b6e6ae3c833..ebde0754dbc 100644 --- a/modules/tls_mgm/tls_config.h +++ b/modules/tls_mgm/tls_config.h @@ -36,8 +36,9 @@ #define tls_config_h #include "tls_config_helper.h" +#include "../../str.h" -extern int tls_method; +extern int tls_default_method; extern int tls_verify_client_cert; extern int tls_verify_server_cert; @@ -49,6 +50,25 @@ extern char *tls_ca_file; extern char *tls_ca_dir; extern char *tls_tmp_dh_file; extern char *tls_ciphers_list; + +extern str tls_db_url; +extern str tls_db_table; +extern str id_col; +extern str type_col; +extern str address_col; +extern str method_col; +extern str verify_cert_col; +extern str require_cert_col; +extern str certificate_col; +extern str pk_col; +extern str crl_check_col; +extern str crl_dir_col; +extern str calist_col; +extern str cadir_col; +extern str cplist_col; +extern str dhparams_col; +extern str eccurve_col; + extern int tls_handshake_timeout; extern int tls_send_timeout; extern int tls_client_domain_avp; diff --git a/modules/tls_mgm/tls_domain.c b/modules/tls_mgm/tls_domain.c index 28e50a8feec..a9d26fd440d 100644 --- a/modules/tls_mgm/tls_domain.c +++ b/modules/tls_mgm/tls_domain.c @@ -35,18 +35,20 @@ #include "../../mem/mem.h" #include "tls_domain.h" +#include "tls_params.h" #include -struct tls_domain *tls_server_domains = NULL; -struct tls_domain *tls_client_domains = NULL; +struct tls_domain *tls_server_domains; +struct tls_domain *tls_client_domains; struct tls_domain tls_default_server_domain; struct tls_domain tls_default_client_domain; +rw_lock_t *dom_lock; struct tls_domain *tls_find_domain_by_id( str *id) { struct tls_domain *d; - + lock_start_read(dom_lock); for (d=tls_server_domains ; d ; d=d->next ) { if (id->len==d->id.len && memcmp(id->s,d->id.s,id->len)==0) return d; @@ -55,10 +57,177 @@ struct tls_domain *tls_find_domain_by_id( str *id) if (id->len==d->id.len && memcmp(id->s,d->id.s,id->len)==0) return d; } + lock_stop_read(dom_lock); return NULL; } +void tls_acquire_domain(struct tls_domain* dom) +{ + if (!dom || !tls_db_enabled || dom == &tls_default_server_domain || + dom == &tls_default_client_domain) + return; + lock_start_write(dom_lock); + dom->refs++; + lock_stop_write(dom_lock); +} + +void tls_release_domain_aux(struct tls_domain *dom) +{ + dom->refs--; + if (dom->refs == 0) { + if (dom->name.s) + shm_free(dom->name.s); + SSL_CTX_free(dom->ctx); + shm_free(dom); + } +} + +void tls_release_all_domains(struct tls_domain *dom) +{ + while (dom) { + tls_release_domain_aux(dom); + dom = dom->next; + } +} + +void tls_release_domain(struct tls_domain* dom) +{ + if (!dom || !tls_db_enabled || dom == &tls_default_server_domain || + dom == &tls_default_client_domain) + return; + lock_start_write(dom_lock); + tls_release_domain_aux(dom); + lock_stop_write(dom_lock); +} + +int set_all_domain_attr(struct tls_domain **dom, char **str_vals, int *int_vals) +{ + size_t len; + char *p; + struct tls_domain *d = *dom; + size_t cadir_len = strlen(str_vals[STR_VALS_CADIR_COL]); + size_t calist_len = strlen(str_vals[STR_VALS_CALIST_COL]); + size_t certificate_len = strlen(str_vals[STR_VALS_CERTIFICATE_COL]); + size_t cplist_len = strlen(str_vals[STR_VALS_CPLIST_COL]); + size_t crl_dir_len = strlen(str_vals[STR_VALS_CRL_DIR_COL]); + size_t dhparams_len = strlen(str_vals[STR_VALS_DHPARAMS_COL]); + size_t eccurve_len = strlen(str_vals[STR_VALS_ECCURVE_COL]); + size_t pk_len = strlen(str_vals[STR_VALS_PK_COL]); + + + len = sizeof(struct tls_domain) +d->id.len; + + if (cadir_len) + len += cadir_len + 1; + + if (calist_len) + len += calist_len + 1; + + + if (certificate_len) + len += certificate_len + 1; + + if (cplist_len) + len += cplist_len + 1; + + if (crl_dir_len) + len += crl_dir_len + 1; + + if (dhparams_len) + len += dhparams_len + 1; + + if (eccurve_len) + len += eccurve_len + 1; + + if (pk_len) + len += pk_len + 1; + + + d = shm_realloc(d, len); + if (d == NULL) { + LM_ERR("insufficient shm memory"); + d = *dom; + *dom = (*dom)->next; + shm_free(d); + return -1; + } + + *dom = d; + if (strcasecmp(str_vals[STR_VALS_METHOD_COL], "SSLV23") == 0 || strcasecmp(str_vals[STR_VALS_METHOD_COL], "TLSany") == 0) + d->method = TLS_USE_SSLv23; + else if (strcasecmp(str_vals[STR_VALS_METHOD_COL], "TLSV1") == 0) + d->method = TLS_USE_TLSv1; + else if (strcasecmp(str_vals[STR_VALS_METHOD_COL], "TLSV1_2") == 0) + d->method = TLS_USE_TLSv1_2; + + if (int_vals[INT_VALS_VERIFY_CERT_COL] != -1) { + d->verify_cert = int_vals[INT_VALS_VERIFY_CERT_COL]; + } + + if (int_vals[INT_VALS_CRL_CHECK_COL] != -1) { + d->crl_check_all = int_vals[INT_VALS_CRL_CHECK_COL]; + } + + if (int_vals[INT_VALS_REQUIRE_CERT_COL] != -1) { + d->require_client_cert = int_vals[INT_VALS_REQUIRE_CERT_COL]; + } + + p = (char *) (d + 1); + + p = p + d->id.len; + + memset(p, 0, len - (sizeof(struct tls_domain) +d->id.len)); + + if (cadir_len) { + d->ca_directory = p; + memcpy(p, str_vals[STR_VALS_CADIR_COL], cadir_len); + p = p + cadir_len + 1; + } + + if (calist_len) { + d->ca_file = p; + memcpy(p, str_vals[STR_VALS_CALIST_COL], calist_len); + p = p + calist_len + 1; + } + if (certificate_len) { + d->cert_file = p; + memcpy(p, str_vals[STR_VALS_CERTIFICATE_COL], certificate_len); + p = p + certificate_len + 1; + } + + if (cplist_len) { + d->ciphers_list = p; + memcpy(p, str_vals[STR_VALS_CPLIST_COL], cplist_len); + p = p + cplist_len + 1; + } + + if (crl_dir_len) { + d->crl_directory = p; + memcpy(p, str_vals[STR_VALS_CRL_DIR_COL], crl_dir_len); + p = p + crl_dir_len + 1; + } + + if (dhparams_len) { + d->tmp_dh_file = p; + memcpy(p, str_vals[STR_VALS_DHPARAMS_COL], dhparams_len); + p = p + dhparams_len + 1; + } + + if (eccurve_len) { + d->tls_ec_curve = p; + memcpy(p, str_vals[STR_VALS_ECCURVE_COL], eccurve_len); + p = p + eccurve_len + 1; + } + + if (pk_len) { + d->pkey_file = p; + memcpy(p, str_vals[STR_VALS_PK_COL], pk_len); + p = p + pk_len + 1; + } + + return 0; +} /* * find server domain with given ip and port * return default domain if virtual domain not found @@ -66,6 +235,8 @@ struct tls_domain *tls_find_domain_by_id( str *id) struct tls_domain * tls_find_server_domain(struct ip_addr *ip, unsigned short port) { + if (tls_db_enabled) + lock_start_read(dom_lock); struct tls_domain *p = tls_server_domains; while (p) { if ((p->port == port) && ip_addr_cmp(&p->addr, ip)) { @@ -74,6 +245,8 @@ tls_find_server_domain(struct ip_addr *ip, unsigned short port) } p = p->next; } + if (tls_db_enabled) + lock_stop_read(dom_lock); LM_DBG("virtual TLS server domain not found, " "Using default TLS server domain settings\n"); return &tls_default_server_domain; @@ -135,6 +308,8 @@ struct tls_domain *tls_find_client_domain(struct ip_addr *ip, } else { LM_DBG("name based TLS client domains are disabled\n"); } + if (tls_db_enabled) + lock_start_read(dom_lock); if (!avp) { LM_DBG("no TLS client doman AVP set, looking " "for socket based TLS client domain\n"); @@ -160,36 +335,41 @@ struct tls_domain *tls_find_client_domain(struct ip_addr *ip, } } } + if (tls_db_enabled) + lock_stop_read(dom_lock); return dom; } /* * create a new server domain (identified by a socket) */ -int tls_new_server_domain( str *id, struct ip_addr *ip, unsigned short port) +int tls_new_server_domain( str *id, struct ip_addr *ip, unsigned short port, + struct tls_domain **dom) { struct tls_domain *d; d = tls_new_domain( id, TLS_DOMAIN_SRV); if (d == NULL) { - LM_ERR("pkg memory allocation failure\n"); + LM_ERR("shm memory allocation failure\n"); return -1; } /* fill socket data */ memcpy(&d->addr, ip, sizeof(struct ip_addr)); d->port = port; + d->refs = 1; /* add this new domain to the linked list */ - d->next = tls_server_domains; - tls_server_domains = d; + d->next = *dom; + *dom = d; return 0; } /* * create a new client domain (identified by a socket) */ -int tls_new_client_domain(str *id, struct ip_addr *ip, unsigned short port) +int tls_new_client_domain(str *id, struct ip_addr *ip, unsigned short port, + struct tls_domain **dom) { struct tls_domain *d; @@ -202,17 +382,18 @@ int tls_new_client_domain(str *id, struct ip_addr *ip, unsigned short port) /* fill socket data */ memcpy(&d->addr, ip, sizeof(struct ip_addr)); d->port = port; + d->refs = 1; /* add this new domain to the linked list */ - d->next = tls_client_domains; - tls_client_domains = d; + d->next = *dom; + *dom = d; return 0; } /* * create a new client domain (identified by a string) */ -int tls_new_client_domain_name( str *id, str *domain) +int tls_new_client_domain_name( str *id, str *domain, struct tls_domain **dom) { struct tls_domain *d; @@ -221,20 +402,21 @@ int tls_new_client_domain_name( str *id, str *domain) LM_ERR("pkg memory allocation failure\n"); return -1; } - + LM_DBG("XXXAXXX %d\n", d->require_client_cert); /* initialize name data */ - d->name.s = pkg_malloc(domain->len); + d->name.s = shm_malloc(domain->len); if (d->name.s == NULL) { LM_ERR("pkg memory allocation failure\n"); - pkg_free(d); + shm_free(d); return -1; } memcpy(d->name.s, domain->s, domain->len); d->name.len = domain->len; + d->refs = 1; /* add this new domain to the linked list */ - d->next = tls_client_domains; - tls_client_domains = d; + d->next = *dom; + *dom = d; return 0; } @@ -248,7 +430,7 @@ struct tls_domain *tls_new_domain( str *id, int type) LM_DBG("adding new domain [%.*s] type %d\n", id->len, id->s, type); - d = pkg_malloc(sizeof(struct tls_domain) + id->len); + d = shm_malloc(sizeof(struct tls_domain) + id->len); if (d == NULL) { LM_ERR("pkg memory allocation failure\n"); return 0; @@ -284,7 +466,7 @@ tls_free_domains(void) while (tls_server_domains) { p = tls_server_domains; tls_server_domains = tls_server_domains->next; - pkg_free(p); + shm_free(p); } while (tls_client_domains) { p = tls_client_domains; @@ -292,9 +474,9 @@ tls_free_domains(void) /* ToDo: If socket based client domains will be implemented, the name may be empty (must be set to NULL manually). Thus no need to free it */ if (p->name.s) { - pkg_free(p->name.s); + shm_free(p->name.s); } - pkg_free(p); + shm_free(p); } } diff --git a/modules/tls_mgm/tls_domain.h b/modules/tls_mgm/tls_domain.h index ea84c3e173a..f7da3891093 100644 --- a/modules/tls_mgm/tls_domain.h +++ b/modules/tls_mgm/tls_domain.h @@ -45,6 +45,7 @@ #include "tls_helper.h" #include "../../usr_avp.h" #include "../../ut.h" +#include "../../rw_locking.h" /* @@ -66,7 +67,9 @@ extern struct tls_domain *tls_server_domains; extern struct tls_domain *tls_client_domains; extern struct tls_domain tls_default_server_domain; extern struct tls_domain tls_default_client_domain; +extern int tls_db_enabled; +extern rw_lock_t *dom_lock; /* * find domain with given ID @@ -97,17 +100,17 @@ struct tls_domain *tls_find_client_domain_name(str name); /* * create a new server domain (identified by socket) */ -int tls_new_server_domain(str *id, struct ip_addr *ip, unsigned short port); +int tls_new_server_domain(str *id, struct ip_addr *ip, unsigned short port, struct tls_domain **dom); /* * create a new client domain (identified by socket) */ -int tls_new_client_domain(str *id, struct ip_addr *ip, unsigned short port); +int tls_new_client_domain(str *id, struct ip_addr *ip, unsigned short port, struct tls_domain **dom); /* * create a new client domain (identified by string) */ -int tls_new_client_domain_name(str *id, str *domain); +int tls_new_client_domain_name(str *id, str *domain, struct tls_domain **dom); /* * allocate memory and set default values for @@ -120,4 +123,13 @@ struct tls_domain *tls_new_domain(str *id, int type); */ void tls_free_domains(void); +void tls_acquire_domain(struct tls_domain* dom); + + +void tls_release_domain(struct tls_domain* dom); + +void tls_release_all_domains(struct tls_domain* dom); + +int set_all_domain_attr(struct tls_domain **dom, char **str_vals, int *int_vals); + #endif diff --git a/modules/tls_mgm/tls_helper.h b/modules/tls_mgm/tls_helper.h index 2f3efd47188..d669ef00b20 100644 --- a/modules/tls_mgm/tls_helper.h +++ b/modules/tls_mgm/tls_helper.h @@ -27,6 +27,7 @@ struct tls_domain { char *tls_ec_curve; char *ca_directory; char *ciphers_list; + int refs; enum tls_method method; struct tls_domain *next; str name; diff --git a/modules/tls_mgm/tls_mgm.c b/modules/tls_mgm/tls_mgm.c index 19da050aacb..159c8524d39 100644 --- a/modules/tls_mgm/tls_mgm.c +++ b/modules/tls_mgm/tls_mgm.c @@ -22,6 +22,7 @@ #include "../../pt.h" #include "../../parser/msg_parser.h" #include "../../pvar.h" +#include "../../db/db.h" #include "../../net/proto_tcp/tcp_common_defs.h" #include "tls_config.h" @@ -31,6 +32,28 @@ #include "tls.h" #include "api.h" +#define DB_CAP DB_CAP_QUERY | DB_CAP_UPDATE +#define len(s) s == NULL?0:strlen(s) + +#define check_val( _col, _val, _type, _not_null, _is_empty_str) \ + do{\ + if ((_val)->type!=_type) { \ + LM_ERR("column %.*s has a bad type\n", _col.len, _col.s); \ + goto error;\ + } \ + if (_not_null && (_val)->nul) { \ + LM_ERR("column %.*s is null\n", _col.len, _col.s); \ + goto error;\ + } \ + if (_is_empty_str && VAL_STRING(_val)==0) { \ + LM_ERR("column %.*s (str) is empty\n", _col.len, _col.s); \ + goto error;\ + } \ + if ((_val)->type == DB_INT && (_val)->nul) { \ + (_val)->val.int_val = -1;\ + } \ + }while(0) + static char *tls_domain_avp = NULL; static int mod_init(void); @@ -38,7 +61,16 @@ static void mod_destroy(void); static int tls_get_handshake_timeout(void); static int tls_get_send_timeout(void); static int load_tls_mgm(struct tls_mgm_binds *binds); +static struct mi_root* tls_reload(struct mi_root *cmd, void *param); +static struct mi_root * tls_list(struct mi_root *root, void *param); +static int list_domain(struct mi_node *root, struct tls_domain *d); + +/* DB handler */ +static db_con_t *db_hdl = 0; +/* DB functions */ +static db_func_t dr_dbf; +int tls_db_enabled = 0; /* definition of exported functions */ static int is_peer_verified(struct sip_msg*, char*, char*); @@ -59,6 +91,23 @@ static param_export_t params[] = { { "ciphers_list", STR_PARAM|USE_FUNC_PARAM, (void*)tlsp_set_cplist }, { "dh_params", STR_PARAM|USE_FUNC_PARAM, (void*)tlsp_set_dhparams }, { "ec_curve", STR_PARAM|USE_FUNC_PARAM, (void*)tlsp_set_eccurve }, + { "db_mode", INT_PARAM, &tls_db_enabled }, + { "db_url", STR_PARAM, &tls_db_url.s }, + { "db_table", STR_PARAM, &tls_db_table.s }, + { "id_col", STR_PARAM, &id_col.s }, + { "address_col", STR_PARAM, &address_col.s }, + { "tls_method_col", STR_PARAM, &method_col.s }, + { "verify_cert_col", STR_PARAM, &verify_cert_col.s }, + { "require_cert_col", STR_PARAM, &require_cert_col.s }, + { "certificate_col", STR_PARAM, &certificate_col.s }, + { "private_key_col", STR_PARAM, &pk_col.s }, + { "crl_check_all_col", STR_PARAM, &crl_check_col.s }, + { "crl_dir_col", STR_PARAM, &crl_dir_col.s }, + { "ca_list_col", STR_PARAM, &calist_col.s }, + { "ca_dir_col", STR_PARAM, &cadir_col.s }, + { "ciphers_list_col", STR_PARAM, &cplist_col.s }, + { "dh_params_col", STR_PARAM, &dhparams_col.s }, + { "ec_curve_col", STR_PARAM, &eccurve_col.s }, { "tls_handshake_timeout", INT_PARAM, &tls_handshake_timeout }, { "tls_send_timeout", INT_PARAM, &tls_send_timeout }, {0, 0, 0} @@ -67,10 +116,19 @@ static param_export_t params[] = { static cmd_export_t cmds[] = { {"is_peer_verified", (cmd_function)is_peer_verified, 0, 0, 0, REQUEST_ROUTE}, - {"load_tls_mgm", (cmd_function)load_tls_mgm, 0, 0, 0, 0}, + {"load_tls_mgm", (cmd_function)load_tls_mgm, 0, 0, 0, 0}, {0,0,0,0,0,0} }; +/* + * Exported MI functions + */ +static mi_export_t mi_cmds[] = { + { "tls_reload", "reloads stored data from the database", tls_reload, 0, 0, 0}, + { "tls_list", "lists all domains", tls_list, 0, 0, 0}, + {0, 0, 0, 0, 0, 0} +}; + /* * pseudo variables */ @@ -251,7 +309,7 @@ struct module_exports exports = { 0, /* exported async functions */ params, /* module parameters */ 0, /* exported statistics */ - 0, /* exported MI functions */ + mi_cmds, /* exported MI functions */ mod_items, /* exported pseudo-variables */ 0, /* extra processes */ mod_init, /* module initialization function */ @@ -322,6 +380,153 @@ static int set_ec_params(SSL_CTX * ctx, const char* curve_name) } #endif +/* loads data from the db */ +int load_info(db_func_t *dr_dbf, db_con_t* db_hdl, str *db_table, + struct tls_domain **serv_dom, struct tls_domain **cli_dom) +{ + int int_vals[4]; + char *str_vals[11]; + int i, n; + int no_rows = 5; + int db_cols = 15; + + /* the columns from the db table */ + db_key_t columns[15]; + /* result from a db query */ + db_res_t* res; + /* a row from the db table */ + db_row_t* row; + + res = 0; + + columns[0] = &id_col; + columns[1] = &address_col; + columns[2] = &type_col; + columns[3] = &method_col; + columns[4] = &verify_cert_col; + columns[5] = &require_cert_col; + columns[6] = &certificate_col; + columns[7] = &pk_col; + columns[8] = &crl_check_col; + columns[9] = &crl_dir_col; + columns[10] = &calist_col; + columns[11] = &cadir_col; + columns[12] = &cplist_col; + columns[13] = &dhparams_col; + columns[14] = &eccurve_col; + + /* checking if the table version is up to date*/ + if (db_check_table_version(dr_dbf, db_hdl, db_table, 1/*version*/) != 0) + goto error; + + /* table to use*/ + if (dr_dbf->use_table(db_hdl, db_table) < 0) { + LM_ERR("cannot select table \"%.*s\"\n", db_table->len, db_table->s); + goto error; + } + + if (DB_CAPABILITY(*dr_dbf, DB_CAP_FETCH)) { + + if (dr_dbf->query(db_hdl, 0, 0, 0, columns, 0, db_cols, 0, 0) < 0) { + LM_ERR("DB query failed - retrieve valid connections \n"); + goto error; + } + no_rows = estimate_available_rows(10 + 45 + 4 + 45 + 4 + 4 + 45 + + 45 + 4 + 45 + 45 + 45 + 45 + 45 + 45, db_cols); + if (no_rows == 0) no_rows = 5; + if (dr_dbf->fetch_result(db_hdl, &res, no_rows) < 0) { + LM_ERR("Error fetching rows\n"); + goto error; + } + } else { + if (dr_dbf->query(db_hdl, 0, 0, 0, columns, 0, db_cols, 0, &res) < 0) { + LM_ERR("DB query failed - retrieve valid connections\n"); + goto error; + } + } + + LM_DBG("%d rows found in %.*s\n", + RES_ROW_N(res), db_table->len, db_table->s); + + n = 0; + do { + for (i = 0; i < RES_ROW_N(res); i++) { + row = RES_ROWS(res) + i; + + check_val(id_col, ROW_VALUES(row), DB_STRING, 1, 1); + str_vals[STR_VALS_ID_COL] = (char *) VAL_STRING(ROW_VALUES(row)); + + check_val(address_col, ROW_VALUES(row) + 1, DB_STRING, 1, 1); + str_vals[STR_VALS_ADDRESS_COL] = (char *) VAL_STRING(ROW_VALUES(row) + 1); + + check_val(type_col, ROW_VALUES(row) + 2, DB_INT, 1, 0); + int_vals[INT_VALS_TYPE_COL] = VAL_INT(ROW_VALUES(row) + 2); + + check_val(method_col, ROW_VALUES(row) + 3, DB_STRING, 0, 0); + str_vals[STR_VALS_METHOD_COL] = (char *) VAL_STRING(ROW_VALUES(row) + 3); + + check_val(verify_cert_col, ROW_VALUES(row) + 4, DB_INT, 0, 0); + int_vals[INT_VALS_VERIFY_CERT_COL] = VAL_INT(ROW_VALUES(row) + 4); + + check_val(require_cert_col, ROW_VALUES(row) + 5, DB_INT, 0, 0); + int_vals[INT_VALS_REQUIRE_CERT_COL] = VAL_INT(ROW_VALUES(row) + 5); + + check_val(certificate_col, ROW_VALUES(row) + 6, DB_STRING, 0, 0); + str_vals[STR_VALS_CERTIFICATE_COL] = (char *) VAL_STRING(ROW_VALUES(row) + 6); + + check_val(pk_col, ROW_VALUES(row) + 7, DB_STRING, 0, 0); + str_vals[STR_VALS_PK_COL] = (char *) VAL_STRING(ROW_VALUES(row) + 7); + + check_val(crl_check_col, ROW_VALUES(row) + 8, DB_INT, 0, 0); + int_vals[INT_VALS_CRL_CHECK_COL] = VAL_INT(ROW_VALUES(row) + 8); + + check_val(crl_dir_col, ROW_VALUES(row) + 9, DB_STRING, 0, 0); + str_vals[STR_VALS_CRL_DIR_COL] = (char *) VAL_STRING(ROW_VALUES(row) + 9); + + check_val(calist_col, ROW_VALUES(row) + 10, DB_STRING, 0, 0); + str_vals[STR_VALS_CALIST_COL] = (char *) VAL_STRING(ROW_VALUES(row) + 10); + + check_val(cadir_col, ROW_VALUES(row) + 11, DB_STRING, 0, 0); + str_vals[STR_VALS_CADIR_COL] = (char *) VAL_STRING(ROW_VALUES(row) + 11); + + check_val(cplist_col, ROW_VALUES(row) + 12, DB_STRING, 0, 0); + str_vals[STR_VALS_CPLIST_COL] = (char *) VAL_STRING(ROW_VALUES(row) + 12); + + check_val(dhparams_col, ROW_VALUES(row) + 13, DB_STRING, 0, 0); + str_vals[STR_VALS_DHPARAMS_COL] = (char *) VAL_STRING(ROW_VALUES(row) + 13); + + check_val(eccurve_col, ROW_VALUES(row) + 14, DB_STRING, 0, 0); + str_vals[STR_VALS_ECCURVE_COL] = (char *) VAL_STRING(ROW_VALUES(row) + 14); + + tlsp_db_add_domain(str_vals, int_vals, serv_dom, cli_dom); + + n++; + } + + if (DB_CAPABILITY(*dr_dbf, DB_CAP_FETCH)) { + if (dr_dbf->fetch_result(db_hdl, &res, no_rows) < 0) { + LM_ERR("fetching rows\n"); + goto error; + } + } else { + break; + } + + } while (RES_ROW_N(res) > 0); + + LM_DBG("%d records found in %.*s\n", + n, db_table->len, db_table->s); + + dr_dbf->free_result(db_hdl, res); + res = 0; + + return 0; +error: + LM_ERR("database"); + return -1; +} + + /* This callback is called during each verification process, at each step during the chain of certificates (this function is not the certificate_verification one!). */ @@ -773,7 +978,7 @@ static int init_tls_domains(struct tls_domain *d) if (d->method == TLS_METHOD_UNSPEC) { LM_DBG("no method for tls[%s:%d], using default\n", ip_addr2a(&d->addr), d->port); - d->method = tls_method; + d->method = tls_default_method; } /* @@ -787,7 +992,7 @@ static int init_tls_domains(struct tls_domain *d) } if (init_ssl_ctx_behavior( d ) < 0) return -1; - + /* * load certificate */ @@ -795,7 +1000,11 @@ static int init_tls_domains(struct tls_domain *d) LM_NOTICE("no certificate for tls[%s:%d] defined, using default" "'%s'\n", ip_addr2a(&d->addr), d->port, tls_cert_file); d->cert_file = tls_cert_file; + }else{ + LM_DBG("BBBBBBB\n"); + LM_DBG("BBB %s\n", d->cert_file); } + if (load_certificate(d->ctx, d->cert_file) < 0) return -1; @@ -852,6 +1061,7 @@ static int init_tls_domains(struct tls_domain *d) return -1; d = d->next; } + return 0; } @@ -860,7 +1070,7 @@ static int check_for_krb(void) SSL_CTX *xx; int j; - xx = SSL_CTX_new(ssl_methods[tls_method - 1]); + xx = SSL_CTX_new(ssl_methods[tls_default_method - 1]); if (xx==NULL) return -1; @@ -931,6 +1141,52 @@ init_ssl_methods(void) #endif } +/* reloads data from the db */ +static int reload_data(void) +{ + int n; + struct tls_domain *tls_client_domains_tmp; + struct tls_domain *tls_server_domains_tmp; + + tls_client_domains_tmp = NULL; + tls_server_domains_tmp = NULL; + + load_info(&dr_dbf, db_hdl, &tls_db_table, &tls_server_domains_tmp, + &tls_client_domains_tmp); + + /* + * now initialize tls virtual domains + */ + if ((n = init_tls_domains(tls_server_domains_tmp))) { + return n; + } + if ((n = init_tls_domains(tls_client_domains_tmp))) { + return n; + } + + lock_start_write(dom_lock); + + tls_release_all_domains(tls_client_domains); + tls_release_all_domains(tls_server_domains); + tls_client_domains = tls_client_domains_tmp; + tls_server_domains = tls_server_domains_tmp; + + lock_stop_write(dom_lock); + return 0; +} + +/* reloads data from the db */ +static struct mi_root* tls_reload(struct mi_root* root, void *param) +{ + LM_INFO("reload data MI command received!\n"); + + if (reload_data() < 0) { + LM_CRIT("failed to load routing data\n"); + return init_mi_tree(500, "Failed to reload", 16); + } + + return init_mi_tree(200, MI_SSTR(MI_OK)); +} static int mod_init(void){ str s; @@ -938,6 +1194,60 @@ static int mod_init(void){ LM_INFO("initializing TLS protocol\n"); + + if (tls_db_enabled != 0 && tls_db_enabled != 1) { + tls_db_enabled = 1; + } + + if (tls_db_enabled) { + + /* create & init lock */ + if ((dom_lock = lock_init_rw()) == NULL) { + LM_CRIT("failed to init lock\n"); + return -1; + } + + init_db_url(tls_db_url, 0 /*cannot be null*/); + + tls_db_table.len = strlen(tls_db_table.s); + + if (tls_db_table.len == 0) { + LM_ERR("db url not specified\n"); + return -1; + } + + id_col.len = strlen(id_col.s); + address_col.len = strlen(address_col.s); + type_col.len = strlen(type_col.s); + method_col.len = strlen(method_col.s); + verify_cert_col.len = strlen(verify_cert_col.s); + require_cert_col.len = strlen(require_cert_col.s); + certificate_col.len = strlen(certificate_col.s); + pk_col.len = strlen(pk_col.s); + crl_check_col.len = strlen(crl_check_col.s); + calist_col.len = strlen(calist_col.s); + cadir_col.len = strlen(cadir_col.s); + cplist_col.len = strlen(cplist_col.s); + dhparams_col.len = strlen(dhparams_col.s); + eccurve_col.len = strlen(eccurve_col.s); + + if (db_bind_mod(&tls_db_url, &dr_dbf)) { + LM_CRIT("cannot bind to database module! " + "Did you forget to load a database module ?\n"); + return -1; + } + /* init DB connection */ + if ((db_hdl = dr_dbf.init(&tls_db_url)) == 0) { + LM_CRIT("cannot initialize database connection\n"); + return -1; + } + + if (dr_dbf.use_table(db_hdl, &tls_db_table) < 0) { + LM_ERR("cannot select table \"%.*s\"\n", tls_db_table.len, tls_db_table.s); + return -1; + } + } + if (tls_domain_avp) { s.s = tls_domain_avp; s.len = strlen(s.s); @@ -967,7 +1277,6 @@ static int mod_init(void){ sk_SSL_COMP_zero(comp_methods); } #endif - if (tls_init_multithread() < 0) { LM_ERR("failed to init multi-threading support\n"); return -1; @@ -1011,15 +1320,23 @@ static int mod_init(void){ if ( (n=init_tls_domains(&tls_default_server_domain)) ) { return n; } + if ( (n=init_tls_domains(&tls_default_client_domain)) ) { return n; } /* * now initialize tls virtual domains */ + + if (tls_db_enabled && load_info(&dr_dbf, db_hdl, &tls_db_table, &tls_server_domains, + &tls_client_domains)){ + return -1; + } + if ( (n=init_tls_domains(tls_server_domains)) ) { return n; } + if ( (n=init_tls_domains(tls_client_domains)) ) { return n; } @@ -1038,6 +1355,11 @@ static void mod_destroy(void) struct tls_domain *d; LM_DBG("entered\n"); + if (dom_lock) { + lock_destroy_rw(dom_lock); + dom_lock = 0; + } + d = tls_server_domains; while (d) { if (d->ctx) @@ -1141,13 +1463,159 @@ static int tls_get_send_timeout(void) return tls_send_timeout; } +/* lists client or server domains*/ +static int list_domain(struct mi_node *root, struct tls_domain *d) +{ + struct mi_node *node = NULL; + struct mi_node *child; + char *addr; + + while (d) { + node = add_mi_node_child(root, MI_DUP_VALUE, "ID", 2, + d->id.s, d->id.len); + ; + if (node == NULL) goto error; + if (d->type & TLS_DOMAIN_SRV) + child = add_mi_node_child(node, 0, "Type", 4, "TLS_DOMAIN_SRV", 14); + else + child = add_mi_node_child(node, 0, "Type", 4, "TLS_DOMAIN_CLI", 14); + + if (child == NULL) goto error; + + if (d->type & TLS_DOMAIN_NAME) { + child = add_mi_node_child(node, MI_DUP_VALUE, "Name", 4, + d->name.s, d->name.len); + if (child == NULL) goto error; + } else { + addr = ip_addr2a(&d->addr); + + if (addr == NULL) goto error; + + child = add_mi_node_child(node, MI_DUP_VALUE, "Address", 7, + addr, strlen(addr)); + if (child == NULL) goto error; + } + + switch (d->method) { + case TLS_USE_TLSv1_cli: + case TLS_USE_TLSv1_srv: + case TLS_USE_TLSv1: + child = add_mi_node_child(node, 0, "METHOD", 4, "TLSv1", 5); + break; + case TLS_USE_SSLv23_cli: + case TLS_USE_SSLv23_srv: + case TLS_USE_SSLv23: + child = add_mi_node_child(node, 0, "METHOD", 4, "SSLv23", 6); + break; + case TLS_USE_TLSv1_2_cli: + case TLS_USE_TLSv1_2_srv: + case TLS_USE_TLSv1_2: + child = add_mi_node_child(node, 0, "METHOD", 4, "TLSv1_2", 7); + break; + default: goto error; + } + + if (d->verify_cert) + child = add_mi_node_child(node, 0, "VERIFY_CERT", 11, "yes", 3); + else + child = add_mi_node_child(node, 0, "VERIFY_CERT", 11, "no", 2); + + if (d->require_client_cert) + child = add_mi_node_child(node, 0, "REQ_CLI_CERT", 12, "yes", 3); + else + child = add_mi_node_child(node, 0, "REQ_CLI_CERT", 12, "no", 2); + + if (d->crl_check_all) + child = add_mi_node_child(node, 0, "CRL_CHECKALL", 12, "yes", 3); + else + child = add_mi_node_child(node, 0, "CRL_CHECKALL", 12, "no", 2); + + child = add_mi_node_child(node, MI_DUP_VALUE, "CERT_FILE", 9, + d->cert_file, len(d->cert_file)); + + if (child == NULL) goto error; + + child = add_mi_node_child(node, MI_DUP_VALUE, "CRL_DIR", 7, + d->crl_directory, len(d->crl_directory)); + + if (child == NULL) goto error; + + child = add_mi_node_child(node, MI_DUP_VALUE, "CA_FILE", 7, + d->ca_file, len(d->ca_file)); + + if (child == NULL) goto error; + + child = add_mi_node_child(node, MI_DUP_VALUE, "CA_DIR", 6, + d->ca_directory, len(d->ca_directory)); + + if (child == NULL) goto error; + + child = add_mi_node_child(node, MI_DUP_VALUE, "PKEY_FILE", 9, + d->pkey_file, len(d->pkey_file)); + + if (child == NULL) goto error; + + child = add_mi_node_child(node, MI_DUP_VALUE, "CIPHER_LIST", 11, + d->ciphers_list, len(d->ciphers_list)); + + if (child == NULL) goto error; + + child = add_mi_node_child(node, MI_DUP_VALUE, "DH_PARAMS", 9, + d->tmp_dh_file, len(d->tmp_dh_file)); + + if (child == NULL) goto error; + + child = add_mi_node_child(node, MI_DUP_VALUE, "EC_CURVE", 8, + d->tls_ec_curve, len(d->tls_ec_curve)); + + if (child == NULL) goto error; + d = d->next; + + } + return 0; +error: + return -1; +} + +/* lists all domains */ +static struct mi_root * tls_list(struct mi_root *cmd_tree, void *param) +{ + struct mi_node *root = NULL; + struct mi_root *rpl_tree = NULL; + + rpl_tree = init_mi_tree(200, MI_OK_S, MI_OK_LEN); + if (rpl_tree == NULL) { + LM_ERR("AICI\n"); + return NULL; + } + + lock_start_read(dom_lock); + + root = &rpl_tree->node; + + if (list_domain(root, tls_client_domains) < 0) + goto error; + + if (list_domain(root, tls_server_domains) < 0) + goto error; + + lock_stop_read(dom_lock); + + return rpl_tree; +error: + lock_stop_read(dom_lock); + if (rpl_tree) free_mi_tree(rpl_tree); + return NULL; +} + static int load_tls_mgm(struct tls_mgm_binds *binds) { binds->find_server_domain = tls_find_server_domain; binds->find_client_domain = tls_find_client_domain; binds->get_handshake_timeout = tls_get_handshake_timeout; binds->get_send_timeout = tls_get_send_timeout; - + binds->acquire_domain = tls_acquire_domain; + binds->release_domain = tls_release_domain; /* everything ok*/ return 1; } diff --git a/modules/tls_mgm/tls_params.c b/modules/tls_mgm/tls_params.c index 14475ebd7a7..af0b1d42f41 100644 --- a/modules/tls_mgm/tls_params.c +++ b/modules/tls_mgm/tls_params.c @@ -43,24 +43,14 @@ #include "../../resolve.h" /* for str2ip() */ #include "../../ut.h" #include "tls_params.h" -#include "tls_domain.h" -static int parse_domain_def(char *val, str *id, struct ip_addr **ip, +static int parse_domain_address(char *val, struct ip_addr **ip, unsigned int *port, str *domain) { char *p = (char*)val; str s; - /* format is ID=ip:port or ID=string */ - - /* first get the ID */ - id->s = p; - if ( (p=strchr( p, '='))==NULL ) - goto parse_err; - id->len = p-id->s; - p++; - /* get IP */ s.s = p; if ( (p=strchr( p, ':'))==NULL ) @@ -89,6 +79,28 @@ static int parse_domain_def(char *val, str *id, struct ip_addr **ip, *ip = NULL; return 0; +parse_err: + LM_ERR("invalid TSL domain [%s] (error around pos %d)\n", + val, (int)(long)(p-val) ); + return -1; + +} + + +static int parse_domain_def(char *val, str *id, struct ip_addr **ip, + unsigned int *port, str *domain) +{ + char *p = (char*)val; + + /* first get the ID */ + id->s = p; + if ( (p=strchr( p, '='))==NULL ) + goto parse_err; + id->len = p-id->s; + p++; + + return parse_domain_address(p, ip, port, domain); + parse_err: LM_ERR("invalid TSL domain [%s] (error around pos %d)\n", val, (int)(long)(p-val) ); @@ -103,6 +115,9 @@ int tlsp_add_srv_domain(modparam_t type, void *val) str domain; str id; + if (tls_db_enabled) + return -1; + if (parse_domain_def( (char*)val, &id, &ip, &port, &domain)<0 ) return -1; @@ -112,7 +127,7 @@ int tlsp_add_srv_domain(modparam_t type, void *val) } /* add domain */ - if (tls_new_server_domain( &id, ip, port )<0) { + if (tls_new_server_domain( &id, ip, port, &tls_server_domains) < 0) { LM_ERR("failed to add new server domain [%s]\n",(char*)val); return -1; } @@ -128,17 +143,20 @@ int tlsp_add_cli_domain(modparam_t type, void *val) str domain; str id; + if (tls_db_enabled) + return -1; + if (parse_domain_def( (char*)val, &id, &ip, &port, &domain)<0 ) return -1; /* add domain */ if (ip==NULL) { - if (tls_new_client_domain_name( &id, &domain)<0) { + if (tls_new_client_domain_name( &id, &domain, &tls_client_domains) < 0) { LM_ERR("failed to add new client domain name [%s]\n",(char*)val); return -1; } } else { - if (tls_new_client_domain( &id, ip, port )<0) { + if (tls_new_client_domain( &id, ip, port, &tls_client_domains ) < 0) { LM_ERR("failed to add new client domain [%s]\n",(char*)val); return -1; } @@ -147,6 +165,59 @@ int tlsp_add_cli_domain(modparam_t type, void *val) return 1; } +int tlsp_db_add_domain(char **str_vals, int *int_vals, struct tls_domain **serv_dom, struct tls_domain **cli_dom){ + struct ip_addr *ip; + unsigned int port; + str domain; + str id; + + id.s = str_vals[STR_VALS_ID_COL]; + id.len = strlen(id.s); + + if (parse_domain_address( str_vals[STR_VALS_ADDRESS_COL], &ip, &port, &domain)<0 ) + return -1; + + + /* add domain */ + if (int_vals[INT_VALS_TYPE_COL] == CLIENT_DOMAIN) { + + if (ip == NULL) { + if (tls_new_client_domain_name(&id, &domain, cli_dom) < 0) { + LM_ERR("failed to add new client domain name [%*.s]\n", domain.len, domain.s); + return -1; + } + } else { + + if (tls_new_client_domain(&id, ip, port, cli_dom) < 0) { + LM_ERR("failed to add new client domain [%*.s]\n", domain.len, domain.s); + return -1; + } + + } + if (set_all_domain_attr(cli_dom, str_vals, int_vals) < 0){ + LM_ERR("failed to set domain [%*.s] attr\n", domain.len, domain.s); + return -1; + } + + } else { + if (ip) { + + if (tls_new_server_domain(&id, ip, port, serv_dom) < 0) { + LM_ERR("failed to add new server domain [%*.s]\n", domain.len, domain.s); + return -1; + } + } else { + LM_ERR("server domains do not support 'domain name' in definition\n"); + return -1; + } + if (set_all_domain_attr(serv_dom, str_vals, int_vals) < 0){ + LM_ERR("failed to set domain [%*.s] attr\n", domain.len, domain.s ); + return -1; + } + } + + return 1; +} static void split_param_val(char *in, str *id, str *val) { char *p = (char*)in; @@ -200,6 +271,9 @@ int tlsp_set_method(modparam_t type, void *in) str val; int method; + if (tls_db_enabled) + return -1; + split_param_val( (char*)in, &id, &val); if ( strcasecmp( val.s, "SSLV23")==0 || strcasecmp( val.s, "TLSany")==0 ) @@ -224,6 +298,9 @@ int tlsp_set_verify(modparam_t type, void *in) str val; unsigned int verify; + if (tls_db_enabled) + return -1; + split_param_val( (char*)in, &id, &val); if (str2int( &val, &verify)!=0) { @@ -242,6 +319,9 @@ int tlsp_set_require(modparam_t type, void *in) str val; unsigned int req; + if (tls_db_enabled) + return -1; + split_param_val( (char*)in, &id, &val); if (str2int( &val, &req)!=0) { @@ -259,6 +339,9 @@ int tlsp_set_crl_check(modparam_t type, void *in) str val; unsigned int check; + if (tls_db_enabled) + return -1; + split_param_val( (char*)in, &id, &val); if (str2int( &val, &check)!=0) { @@ -275,6 +358,9 @@ int tlsp_set_crldir(modparam_t type, void *in) str id; str val; + if (tls_db_enabled) + return -1; + split_param_val( (char*)in, &id, &val); set_domain_attr( id, crl_directory, val.s); @@ -286,6 +372,9 @@ int tlsp_set_certificate(modparam_t type, void *in) str id; str val; + if (tls_db_enabled) + return -1; + split_param_val( (char*)in, &id, &val); set_domain_attr( id, cert_file, val.s); @@ -298,6 +387,9 @@ int tlsp_set_pk(modparam_t type, void *in) str id; str val; + if (tls_db_enabled) + return -1; + split_param_val( (char*)in, &id, &val); set_domain_attr( id, pkey_file, val.s); @@ -310,6 +402,9 @@ int tlsp_set_calist(modparam_t type, void *in) str id; str val; + if (tls_db_enabled) + return -1; + split_param_val( (char*)in, &id, &val); set_domain_attr( id, ca_file, val.s); @@ -334,6 +429,9 @@ int tlsp_set_cplist(modparam_t type, void *in) str id; str val; + if (tls_db_enabled) + return -1; + split_param_val( (char*)in, &id, &val); set_domain_attr( id, ciphers_list, val.s); @@ -346,6 +444,9 @@ int tlsp_set_dhparams(modparam_t type, void *in) str id; str val; + if (tls_db_enabled) + return -1; + split_param_val( (char*)in, &id, &val); set_domain_attr( id, tmp_dh_file, val.s); @@ -358,10 +459,11 @@ int tlsp_set_eccurve(modparam_t type, void *in) str id; str val; + if (tls_db_enabled) + return -1; + split_param_val( (char*)in, &id, &val); set_domain_attr( id, tls_ec_curve, val.s); return 1; } - - diff --git a/modules/tls_mgm/tls_params.h b/modules/tls_mgm/tls_params.h index ce6eb15f105..65df5a6cfea 100644 --- a/modules/tls_mgm/tls_params.h +++ b/modules/tls_mgm/tls_params.h @@ -41,6 +41,27 @@ #define _MOD_PROTO_TLS_tls_params_h #include "../../sr_module.h" +#include "tls_domain.h" + +#define STR_VALS_ID_COL 0 +#define STR_VALS_ADDRESS_COL 1 +#define STR_VALS_METHOD_COL 2 +#define STR_VALS_CERTIFICATE_COL 3 +#define STR_VALS_PK_COL 4 +#define STR_VALS_CRL_DIR_COL 5 +#define STR_VALS_CALIST_COL 6 +#define STR_VALS_CADIR_COL 7 +#define STR_VALS_CPLIST_COL 8 +#define STR_VALS_DHPARAMS_COL 9 +#define STR_VALS_ECCURVE_COL 10 + +#define INT_VALS_TYPE_COL 0 +#define INT_VALS_VERIFY_CERT_COL 1 +#define INT_VALS_REQUIRE_CERT_COL 2 +#define INT_VALS_CRL_CHECK_COL 3 + +#define CLIENT_DOMAIN 0 +#define SERVER_DOMAIN 1 int tlsp_add_srv_domain(modparam_t type, void *val); @@ -70,5 +91,8 @@ int tlsp_set_dhparams(modparam_t type, void *val); int tlsp_set_eccurve(modparam_t type, void *val); +int tlsp_db_add_domain(char **str_vals, int *int_vals, struct tls_domain **serv_dom, + struct tls_domain **cli_dom); + #endif