Merge pull request #654 from eseanucristian/tls-rework
TLS rework
bogdan-iancu committed Sep 30, 2015
2 parents 5a07ba0 + c5b3fe3 commit 98dccc5
Showing 31 changed files with 2,154 additions and 313 deletions.
2 changes: 1 addition & 1 deletion config.h
Expand Up @@ -42,7 +42,7 @@
#define MEM_WARMING_DEFAULT_PATTERN_FILE CFG_DIR "mem_warming_pattern"
#define MEM_WARMING_DEFAULT_PERCENTAGE 75

#define TLS_PKEY_FILE CFG_DIR "tls/cert.pem"
#define TLS_PKEY_FILE CFG_DIR "tls/ckey.pem"
#define TLS_CERT_FILE CFG_DIR "tls/cert.pem"
#define TLS_CA_FILE 0 /*!< no CA list file by default */
#define TLS_CA_DIRECTORY "/etc/pki/CA/"
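--- a/db/schema/opensips-tls_mgm.xml
+++ b/db/schema/opensips-tls_mgm.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE database PUBLIC "-//opensips.org//DTD DBSchema V1.1//EN"
+"http://opensips.org/pub/opensips/dbschema/dtd/1.1/dbschema.dtd" [
+
+<!ENTITY % entities SYSTEM "entities.xml">
+%entities;
+]>
+
+<database xmlns:xi="http://www.w3.org/2001/XInclude">
+<name>TLS_MGM support</name>
+<xi:include href="tls_mgm.xml"/>
+</database>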
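--- a/db/schema/tls_mgm.xml
+++ b/db/schema/tls_mgm.xml
@@ -0,0 +1,144 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE table PUBLIC "-//opensips.org//DTD DBSchema V1.1//EN"
+"http://opensips.org/pub/opensips/dbschema/dtd/1.1/dbschema.dtd" [
+
+<!ENTITY % entities SYSTEM "entities.xml">
+%entities;
+
+]>
+
+<table id="tls_mgm" xmlns:db="http://docbook.org/ns/docbook">
+<name>tls_mgm</name>
+<version>1</version>
+<type db="mysql">&MYSQL_TABLE_TYPE;</type>
+<description>
+<db:para>This table is used for defining domains.
+</db:para>
+</description>
+
+<column id="id">
+<name>id</name>
+<type>string</type>
+<size>&id_len;</size>
+<primary/>
+<description>unique ID</description>
+</column>
+
+<column id="address">
+<name>address</name>
+<type>string</type>
+<size>&domain_len;</size>
+<description>network location, like: "ip:port" or "name"</description>
+</column>
+
+<column id="type">
+<name>type</name>
+<type>int</type>
+<size>1</size>
+<type db="dbtext">int</type>
+<description>specifies the type of a domain : client domain(0) or server domain (1)</description>
+</column>
+
+<column id="method">
+<name>method</name>
+<type>string</type>
+<size>&method_len;</size>
+<null/>
+<description>SSL method used by a certain domain</description>
+</column>
+
+<column id="verify_cert">
+<name>verify_cert</name>
+<type>int</type>
+<size>1</size>
+<type db="dbtext">int</type>
+<null/>
+<description>verify certificate: 0 - no, 1 - yes</description>
+</column>
+
+<column id="require_cert">
+<name>require_cert</name>
+<type>int</type>
+<size>1</size>
+<type db="dbtext">int</type>
+<null/>
+<description>require certificate: 0 - no, 1 - yes</description>
+</column>
+
+<column id="certificate">
+<name>certificate</name>
+<type>string</type>
+<size>255</size>
+<type db="dbtext">string</type>
+<null/>
+<description>certificate associated with a certain domain</description>
+</column>
+
+<column id="private_key">
+<name>private_key</name>
+<type>string</type>
+<size>255</size>
+<type db="dbtext">int</type>
+<null/>
+<description>private_key</description>
+</column>
+
+<column id="crl_check_all">
+<name>crl_check_all</name>
+<type>int</type>
+<size>1</size>
+<type db="dbtext">int</type>
+<null/>
+<description>check all crl: 0 -no, 1 - yes</description>
+</column>
+
+<column id="crl_dir">
+<name>crl_dir</name>
+<type>string</type>
+<size>255</size>
+<null/>
+<description>crl directory</description>
+</column>
+
+<column id="ca_list">
+<name>ca_list</name>
+<type>string</type>
+<size>255</size>
+<null/>
+<description>CA list</description>
+</column>
+
+<column id="ca_dir">
+<name>ca_dir</name>
+<type>string</type>
+<size>255</size>
+<null/>
+<description>ca directory</description>
+</column>
+
+<column id="cipher_list">
+<name>cipher_list</name>
+<type>string</type>
+<size>255</size>
+<null/>
+<description>the list of algorithms used for authentication and encryption allowed</description>
+</column>
+
+<column id="dh_params">
+<name>dh_params</name>
+<type>string</type>
+<size>255</size>
+<null/>
+<description>specifies the Diffie-Hellmann parameters</description>
+</column>
+
+<column id="ec_curve">
+<name>ec_curve</name>
+<type>string</type>
+<size>255</size>
+<null/>
+<description>specifies an elliptic curve which should be used for
+ciphers which demand an elliptic curve</description>
+</column>
+
+</table>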
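Review bot: The `private_key` column declares `<type db="dbtext">int</type>` while its base type is `string` with size 255, so the dbtext backend would treat the key column as an integer; the sibling `certificate` column uses `<type db="dbtext">string</type>` and `private_key` should match it: `<type db="dbtext">string</type>`. Its description is just `private_key`; the 255-character size suggests a file path rather than PEM content, and the description should state which, e.g. `<description>path to the private key file of this domain</description>`, because a column holding key material needs much tighter read access to the table than one holding a path — confirm against the module that loads it. Minor wording: `Diffie-Hellmann` in the dh_params description should be `Diffie-Hellman`, and the table description `This table is used for defining domains.` would read better as `defining TLS client and server domains`.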
3 changes: 2 additions & 1 deletion modules/proto_tls/proto_tls.c
Expand Up @@ -231,6 +231,7 @@ static int tls_conn_init(struct tcp_connection* c)
LM_DBG("found socket based TLS server domain "
"[%s:%d]\n", ip_addr2a(&dom->addr), dom->port);
c->extra_data = SSL_new(dom->ctx);
tls_mgm_api.release_domain(dom);
} else {
LM_ERR("no TLS server domain found\n");
return -1;
Expand All @@ -240,9 +241,9 @@ static int tls_conn_init(struct tcp_connection* c)
c->proto_flags = F_TLS_DO_CONNECT;

dom = tls_mgm_api.find_client_domain(&c->rcv.src_ip, c->rcv.src_port);

if (dom) {
c->extra_data = SSL_new(dom->ctx);
tls_mgm_api.release_domain(dom);
} else {
LM_ERR("no TLS client domain found\n");
return -1;
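Review bot: `c->extra_data = SSL_new(dom->ctx);` is not checked before the domain is released, in both the server hunk and the client hunk, so an SSL_new failure leaves extra_data NULL while tls_conn_init continues as if it had an SSL object; add `if (!c->extra_data) { tls_mgm_api.release_domain(dom); LM_ERR("failed to create SSL object\n"); return -1; }` ahead of each new `tls_mgm_api.release_domain(dom);` call. Releasing `dom` immediately after SSL_new is sound only because OpenSSL's SSL_new takes its own reference on the SSL_CTX; if release_domain can free the domain, nothing later in the function may touch `dom` (for example for logging `dom->port`), which is worth confirming since tls_conn_init starts and ends outside these hunks.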
2 changes: 1 addition & 1 deletion modules/proto_tls/tls_server.c
Expand Up @@ -751,4 +751,4 @@ int tls_fix_read_conn(struct tcp_connection *c)
lock_release(&c->write_lock);

return ret;
}
}
4 changes: 2 additions & 2 deletions modules/proto_tls/tls_server.h
Expand Up @@ -42,7 +42,7 @@
#define F_TLS_DO_ACCEPT (1<<0)
#define F_TLS_DO_CONNECT (1<<1)

static struct tls_mgm_binds tls_mgm_api;
struct tls_mgm_binds tls_mgm_api;

size_t tls_blocking_write(struct tcp_connection *c, int fd,
const char *buf, size_t len);
Expand All @@ -55,4 +55,4 @@ int tls_conn_shutdown(struct tcp_connection *c);

int tls_update_fd(struct tcp_connection *c, int fd);

#endif
#endif
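Review bot: `struct tls_mgm_binds tls_mgm_api;` in a header is a tentative definition, not a declaration, so every translation unit that includes tls_server.h defines the symbol; whether that links depends on the toolchain merging common symbols, and with `-fno-common` (GCC's default since 10) it fails with duplicate definitions. If the non-static line is the new side, as the diffstat suggests, the header should read `extern struct tls_mgm_binds tls_mgm_api;` with exactly one definition `struct tls_mgm_binds tls_mgm_api;` in a single .c file — proto_tls.c, which populates it, is the natural place, though that definition would be outside this page. The previous `static` form gave each including file its own private copy, which is presumably what the rework is fixing.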
