proto_tls: split tls init in different header

OpenSIPS · Sep 2, 2015 · 77f77e3 · 77f77e3
1 parent 5e19a94
commit 77f77e3
Show file tree

Hide file tree

Showing 2 changed files with 297 additions and 232 deletions.
diff --git a/modules/proto_tls/proto_tls.c b/modules/proto_tls/proto_tls.c
@@ -69,6 +69,8 @@
 #include "tls_params.h"
 #include "tls_select.h"
 
+#include "tls.h"
+
 /* definition of exported functions */
 static int is_peer_verified(struct sip_msg*, char*, char*);
 
@@ -334,196 +336,10 @@ struct module_exports exports = {
 };
 
 
-/**************  Controll related functions ***************/
-
-
-#define OS_SSL_SESS_ID ((unsigned char*)"opensips-tls-1.11.0")
-#define OS_SSL_SESS_ID_LEN (sizeof(OS_SSL_SESS_ID)-1)
-
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
-        #error "using an unsupported version of OpenSSL (< 0.9.8)"
-#endif
-
-#if OPENSSL_VERSION_NUMBER < 0x10001000L
-	#warning ""
-	#warning "=============================================================="
-	#warning "Your version of OpenSSL is < 1.0.1."
-	#warning " Upgrade for better compatibility, features and security fixes!"
-	#warning "============================================================="
-	#warning ""
-#endif
-
-SSL_METHOD     *ssl_methods[TLS_USE_TLSv1_2 + 1];
 
-#define VERIFY_DEPTH_S 3
 
-static int tls_static_locks_no=0;
-static gen_lock_set_t* tls_static_locks=NULL;
 
-struct CRYPTO_dynlock_value {
-	gen_lock_t lock;
-};
 
-/*
- * Wrappers around OpenSIPS shared memory functions
- * (which can be macros)
- */
-static void* os_malloc(size_t size)
-{
-	return shm_malloc(size);
-}
-
-
-static void* os_realloc(void *ptr, size_t size)
-{
-	return shm_realloc(ptr, size);
-}
-
-
-static void os_free(void *ptr)
-{
-	if (ptr)
-		shm_free(ptr);
-}
-
-
-static void tls_static_locks_ops(int mode, int n, const char* file, int line)
-{
-	if (n<0 || n>tls_static_locks_no) {
-		LM_ERR("BUG - SSL Lib attempting to acquire bogus lock\n");
-		abort();
-	}
-
-	if (mode & CRYPTO_LOCK) {
-		lock_set_get(tls_static_locks,n);
-	} else {
-		lock_set_release(tls_static_locks,n);
-	}
-}
-
-
-static unsigned long tls_get_id(void)
-{
-	return my_pid();
-}
-
-
-static struct CRYPTO_dynlock_value* tls_dyn_lock_create(const char* file,
-																	int line)
-{
-	struct CRYPTO_dynlock_value* new_lock;
-
-	new_lock=shm_malloc(sizeof(struct CRYPTO_dynlock_value));
-	if (new_lock==0){
-		LM_ERR("Failed to allocated new dynamic lock\n");
-		return 0;
-	}
-	if (lock_init(&new_lock->lock)==0) {
-		LM_ERR("Failed to init new dynamic lock\n");
-		shm_free(new_lock);
-		return 0;
-	}
-
-	return new_lock;
-}
-
-
-static void tls_dyn_lock_ops(int mode, struct CRYPTO_dynlock_value* dyn_lock,
-												const char* file, int line)
-{
-	if (mode & CRYPTO_LOCK) {
-		lock_get(&dyn_lock->lock);
-	} else {
-		lock_release(&dyn_lock->lock);
-	}
-}
-
-
-static void tls_dyn_lock_destroy(struct CRYPTO_dynlock_value *dyn_lock,
-													const char* file, int line)
-{
-	lock_destroy(&dyn_lock->lock);
-	shm_free(dyn_lock);
-}
-
-
-static int tls_init_multithread(void)
-{
-	/* init static locks support */
-	tls_static_locks_no = CRYPTO_num_locks();
-
-	if (tls_static_locks_no>0) {
-		/* init a lock set & pass locking function to SSL */
-		tls_static_locks = lock_set_alloc(tls_static_locks_no);
-		if (tls_static_locks == NULL) {
-			LM_ERR("Failed to alloc static locks\n");
-			return -1;
-		}
-		if (lock_set_init(tls_static_locks)==0) {
-				LM_ERR("Failed to init static locks\n");
-				lock_set_dealloc(tls_static_locks);
-				return -1;
-		}
-		CRYPTO_set_locking_callback(tls_static_locks_ops);
-	}
-
-	CRYPTO_set_id_callback(tls_get_id);
-
-	/* dynamic locks support*/
-	CRYPTO_set_dynlock_create_callback(tls_dyn_lock_create);
-	CRYPTO_set_dynlock_lock_callback(tls_dyn_lock_ops);
-	CRYPTO_set_dynlock_destroy_callback(tls_dyn_lock_destroy);
-
-	return 0;
-}
-
-
-/*
- * initialize ssl methods
- */
-static void
-init_ssl_methods(void)
-{
-	LM_DBG("entered\n");
-
-	ssl_methods[TLS_USE_TLSv1_cli-1] = (SSL_METHOD*)TLSv1_client_method();
-	ssl_methods[TLS_USE_TLSv1_srv-1] = (SSL_METHOD*)TLSv1_server_method();
-	ssl_methods[TLS_USE_TLSv1-1] = (SSL_METHOD*)TLSv1_method();
-
-	ssl_methods[TLS_USE_SSLv23_cli-1] = (SSL_METHOD*)SSLv23_client_method();
-	ssl_methods[TLS_USE_SSLv23_srv-1] = (SSL_METHOD*)SSLv23_server_method();
-	ssl_methods[TLS_USE_SSLv23-1] = (SSL_METHOD*)SSLv23_method();
-
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L
-	ssl_methods[TLS_USE_TLSv1_2_cli-1] = (SSL_METHOD*)TLSv1_2_client_method();
-	ssl_methods[TLS_USE_TLSv1_2_srv-1] = (SSL_METHOD*)TLSv1_2_server_method();
-	ssl_methods[TLS_USE_TLSv1_2-1] = (SSL_METHOD*)TLSv1_2_method();
-#endif
-}
-
-
-static int check_for_krb(void)
-{
-	SSL_CTX *xx;
-	int j;
-
-	xx = SSL_CTX_new(ssl_methods[tls_method - 1]);
-	if (xx==NULL)
-		return -1;
-
-	for( j=0 ; j<sk_SSL_CIPHER_num(xx->cipher_list) ; j++) {
-		SSL_CIPHER *yy = sk_SSL_CIPHER_value(xx->cipher_list,j);
-		if ( yy->id>=SSL3_CK_KRB5_DES_64_CBC_SHA &&
-		 yy->id<=SSL3_CK_KRB5_RC4_40_MD5 ) {
-			LM_INFO("KRB5 cipher %s found\n", yy->name);
-			SSL_CTX_free(xx);
-			return 1;
-		}
-	}
-
-	SSL_CTX_free(xx);
-	return 0;
-}
 
 
 #if (OPENSSL_VERSION_NUMBER > 0x10001000L)
@@ -1143,52 +959,8 @@ static int mod_init(void)
 		}
 	}
 
-	/*
-	* this has to be called before any function calling CRYPTO_malloc,
-	* CRYPTO_malloc will set allow_customize in openssl to 0
-	*/
-	if (!CRYPTO_set_mem_functions(os_malloc, os_realloc, os_free)) {
-		LM_ERR("unable to set the memory allocation functions\n");
-		return -1;
-	}
-
-#if !defined(OPENSSL_NO_COMP)
-	STACK_OF(SSL_COMP)* comp_methods;
-	/* disabling compression */
-	LM_WARN("disabling compression due ZLIB problems\n");
-	comp_methods = SSL_COMP_get_compression_methods();
-	if (comp_methods==0) {
-		LM_INFO("openssl compression already disabled\n");
-	} else {
-		sk_SSL_COMP_zero(comp_methods);
-	}
-#endif
-
-	if (tls_init_multithread() < 0) {
-		LM_ERR("failed to init multi-threading support\n");
-		return -1;
-	}
-
-	SSL_library_init();
-	SSL_load_error_strings();
-	init_ssl_methods();
-
-	n = check_for_krb();
-	if (n==-1) {
-		LM_ERR("kerberos check failed\n");
-		return -1;
-	}
-
-	if ( ( n ^
-#ifndef OPENSSL_NO_KRB5
-	1
-#else
-	0
-#endif
-	)!=0 ) {
-		LM_ERR("compiled agaist an openssl with %s"
-			"kerberos, but run with one with %skerberos\n",
-			(n==1)?"":"no ",(n!=1)?"no ":"");
+	if (tls_mod_init() < 0) {
+		LM_ERR("could not initialize TLS engine\n");
 		return -1;
 	}