diff --git a/src/modules/tls/tls_domain.c b/src/modules/tls/tls_domain.c
index 48c3aa26189..dde5fe08afd 100644
--- a/src/modules/tls/tls_domain.c
+++ b/src/modules/tls/tls_domain.c
@@ -37,7 +37,6 @@
 #ifdef KSR_SSL_ENGINE
 #include
-#include "tls_map.h"
 extern EVP_PKEY *tls_engine_private_key(const char *key_id);
 #endif /* KSR_SSL_ENGINE */
@@ -1229,31 +1228,6 @@ static int passwd_cb(char *buf, int size, int rwflag, void *filename)
 }
 #ifdef KSR_SSL_ENGINE
-/*
- * Implement a hash map from SSL_CTX to private key
- * as HSM keys need to be process local
- */
-static map_void_t private_key_map;
-
-/**
- * @brief Return a private key from the lookup table
- * @param p SSL_CTX*
- * @return EVP_PKEY on success, NULL on error
- */
-EVP_PKEY *tls_lookup_private_key(SSL_CTX *ctx)
-{
- void *pkey;
- char ctx_str[64];
- snprintf(ctx_str, 64, "SSL_CTX-%p", ctx);
- pkey = map_get(&private_key_map, ctx_str);
- LM_DBG("Private key lookup for %s: %p\n", ctx_str, pkey);
- if(pkey)
- return *(EVP_PKEY **)pkey;
- else
- return NULL;
-}
-
- /**
- * @brief Load a private key from an OpenSSL engine
- * @param d TLS domain
@@ -1274,8 +1248,6 @@ static int load_engine_private_key(tls_domain_t *d)
 {
 int idx, ret_pwd, i;
 EVP_PKEY *pkey = 0;
- int procs_no;
- char ctx_str[64];
 if(!d->pkey_file.s || !d->pkey_file.len) {
 DBG("%s: No private key specified\n", tls_domain_str(d));
@@ -1283,22 +1255,15 @@ static int load_engine_private_key(tls_domain_t *d)
 }
 if(strncmp(d->pkey_file.s, "/engine:", 8) != 0)
 return 0;
- procs_no = get_max_procs();
- for(i = 0; i < procs_no; i++) {
- snprintf(ctx_str, 64, "SSL_CTX-%p", d->ctx[i]);
+
+ do {
+ i = process_no;
 for(idx = 0, ret_pwd = 0; idx < 3; idx++) {
- if(i) {
- map_set(&private_key_map, ctx_str, pkey);
- ret_pwd = 1;
+ pkey = tls_engine_private_key(d->pkey_file.s + 8);
+ if(pkey) {
+ ret_pwd = SSL_CTX_use_PrivateKey(d->ctx[i], pkey);
 } else {
- pkey = tls_engine_private_key(d->pkey_file.s + 8);
- if(pkey) {
- map_set(&private_key_map, ctx_str, pkey);
- // store the key for i = 0 to perform certificate sanity check
- ret_pwd = SSL_CTX_use_PrivateKey(d->ctx[i], pkey);
- } else {
- ret_pwd = 0;
- }
+ ret_pwd = 0;
 }
 if(ret_pwd) {
 break;
@@ -1316,14 +1281,14 @@ static int load_engine_private_key(tls_domain_t *d)
 TLS_ERR("load_private_key:");
 return -1;
 }
- if(i == 0 && !SSL_CTX_check_private_key(d->ctx[i])) {
+ if(!SSL_CTX_check_private_key(d->ctx[i])) {
 ERR("%s: Key '%s' does not match the public key of the" " certificate\n", tls_domain_str(d), d->pkey_file.s);
 TLS_ERR("load_engine_private_key:");
 return -1;
 }
- }
+ } while(0);
 LM_INFO("%s: Key '%s' successfully loaded\n", tls_domain_str(d),
diff --git a/src/modules/tls/tls_map.c b/src/modules/tls/tls_map.c
deleted file mode 100644
index 70c275d31d0..00000000000
--- a/src/modules/tls/tls_map.c
+++ /dev/null
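Review bot: The `do { i = process_no; ... } while(0);` introduced in this hunk and closed in the next one runs exactly once and only preserves the indentation of the removed per-process `for` body; `i = process_no;` can be a plain statement where `i` is declared and the block dedented, since a single-shot loop wrapped around `return -1` paths reads like a retry that never happens. The real behaviour change, loading the key only into `d->ctx[process_no]` instead of walking `get_max_procs()` contexts, deserves a comment such as `/* engine (HSM) keys are process-local: load only into this process's SSL_CTX */`, because it presumes the function is now called after fork in each worker and that `d->ctx` was sized to cover `process_no`. If `tls_engine_private_key()` hands back a reference the caller owns, the local `pkey` is never released after `SSL_CTX_use_PrivateKey()` takes its own; the removed map used to keep that pointer around, so the ownership should be confirmed against the engine helper, which is outside this diff. The retry bound `idx < 3` also remains an unnamed magic number. load_engine_private_key's body continues outside both hunks.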
@@ -1,213 +0,0 @@
-/**
- * Copyright (c) 2014 rxi
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the MIT license. See LICENSE for details.
- */
-
-#include
-#include
-
-#include "../../core/mem/mem.h"
-#include "tls_map.h"
-
-struct map_node_t
-{
- unsigned hash;
- void *value;
- map_node_t *next;
- /* char key[]; */
- /* char value[]; */
-};
-
-
-static unsigned map_hash(const char *str)
-{
- unsigned hash = 5381;
- while(*str) {
- hash = ((hash << 5) + hash) ^ *str++;
- }
- return hash;
-}
-
-
-static map_node_t *map_newnode(const char *key, void *value, int vsize)
-{
- map_node_t *node;
- int ksize = strlen(key) + 1;
- int voffset = ksize + ((sizeof(void *) - ksize) % sizeof(void *));
- node = pkg_malloc(sizeof(*node) + voffset + vsize);
- if(!node)
- return NULL;
- memcpy(node + 1, key, ksize);
- node->hash = map_hash(key);
- node->value = ((char *)(node + 1)) + voffset;
- memcpy(node->value, value, vsize);
- return node;
-}
-
-
-static int map_bucketidx(map_base_t *m, unsigned hash)
-{
- /* If the implementation is changed to allow a non-power-of-2 bucket count,
- * the line below should be changed to use mod instead of AND */
- return hash & (m->nbuckets - 1);
-}
-
-
-static void map_addnode(map_base_t *m, map_node_t *node)
-{
- int n = map_bucketidx(m, node->hash);
- node->next = m->buckets[n];
- m->buckets[n] = node;
-}
-
-
-static int map_resize(map_base_t *m, int nbuckets)
-{
- map_node_t *nodes, *node, *next;
- map_node_t **buckets;
- int i;
- /* Chain all nodes together */
- nodes = NULL;
- i = m->nbuckets;
- while(i--) {
- node = (m->buckets)[i];
- while(node) {
- next = node->next;
- node->next = nodes;
- nodes = node;
- node = next;
- }
- }
- /* Reset buckets */
- buckets = realloc(m->buckets, sizeof(*m->buckets) * nbuckets);
- if(buckets != NULL) {
- m->buckets = buckets;
- m->nbuckets = nbuckets;
- }
- if(m->buckets) {
- memset(m->buckets, 0, sizeof(*m->buckets) * m->nbuckets);
- /* Re-add nodes to buckets */
- node = nodes;
- while(node) {
- next = node->next;
- map_addnode(m, node);
- node = next;
- }
- }
- /* Return error code if realloc() failed */
- return (buckets == NULL) ? -1 : 0;
-}
-
-
-static map_node_t **map_getref(map_base_t *m, const char *key)
-{
- unsigned hash = map_hash(key);
- map_node_t **next;
- if(m->nbuckets > 0) {
- next = &m->buckets[map_bucketidx(m, hash)];
- while(*next) {
- if((*next)->hash == hash && !strcmp((char *)(*next + 1), key)) {
- return next;
- }
- next = &(*next)->next;
- }
- }
- return NULL;
-}
-
-
-void map_deinit_(map_base_t *m)
-{
- map_node_t *next, *node;
- int i;
- i = m->nbuckets;
- while(i--) {
- node = m->buckets[i];
- while(node) {
- next = node->next;
- pkg_free(node);
- node = next;
- }
- }
- pkg_free(m->buckets);
-}
-
-
-void *map_get_(map_base_t *m, const char *key)
-{
- map_node_t **next = map_getref(m, key);
- return next ? (*next)->value : NULL;
-}
-
-
-int map_set_(map_base_t *m, const char *key, void *value, int vsize)
-{
- int n, err;
- map_node_t **next, *node;
- /* Find & replace existing node */
- next = map_getref(m, key);
- if(next) {
- memcpy((*next)->value, value, vsize);
- return 0;
- }
- /* Add new node */
- node = map_newnode(key, value, vsize);
- if(node == NULL)
- goto fail;
- if(m->nnodes >= m->nbuckets) {
- n = (m->nbuckets > 0) ? (m->nbuckets << 1) : 1;
- err = map_resize(m, n);
- if(err)
- goto fail;
- }
- map_addnode(m, node);
- m->nnodes++;
- return 0;
-fail:
- if(node)
- pkg_free(node);
- return -1;
-}
-
-
-void map_remove_(map_base_t *m, const char *key)
-{
- map_node_t *node;
- map_node_t **next = map_getref(m, key);
- if(next) {
- node = *next;
- *next = (*next)->next;
- pkg_free(node);
- m->nnodes--;
- }
-}
-
-
-map_iter_t map_iter_(void)
-{
- map_iter_t iter;
- iter.bucketidx = -1;
- iter.node = NULL;
- return iter;
-}
-
-
-const char *map_next_(map_base_t *m, map_iter_t *iter)
-{
- if(iter->node) {
- iter->node = iter->node->next;
- if(iter->node == NULL)
- goto nextBucket;
- } else {
- nextBucket:
- do {
- if(++iter->bucketidx >= m->nbuckets) {
- return NULL;
- }
- iter->node = m->buckets[iter->bucketidx];
- } while(iter->node == NULL);
- }
- return (char *)(iter->node + 1);
-}
diff --git a/src/modules/tls/tls_map.h b/src/modules/tls/tls_map.h
deleted file mode 100644
index e4028a30256..00000000000
--- a/src/modules/tls/tls_map.h
+++ /dev/null
@@ -1,77 +0,0 @@
-/**
- * Copyright (c) 2014 rxi
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the MIT license. See LICENSE for details.
- */
-
-#ifndef _TLS_MAP_H
-#define _TLS_MAP_H
-
-#include
-
-#define MAP_VERSION "0.1.0"
-
-struct map_node_t;
-typedef struct map_node_t map_node_t;
-
-typedef struct
-{
- map_node_t **buckets;
- unsigned nbuckets, nnodes;
-} map_base_t;
-
-typedef struct
-{
- unsigned bucketidx;
- map_node_t *node;
-} map_iter_t;
-
-
-#define map_t(T) \
- struct \
- { \
- map_base_t base; \
- T *ref; \
- T tmp; \
- }
-
-
-#define map_init(m) memset(m, 0, sizeof(*(m)))
-
-
-#define map_deinit(m) map_deinit_(&(m)->base)
-
-
-#define map_get(m, key) ((m)->ref = map_get_(&(m)->base, key))
-
-
-#define map_set(m, key, value) \
- ((m)->tmp = (value), map_set_(&(m)->base, key, &(m)->tmp, sizeof((m)->tmp)))
-
-
-#define map_remove(m, key) map_remove_(&(m)->base, key)
-
-
-#define map_iter(m) map_iter_()
-
-
-#define map_next(m, iter) map_next_(&(m)->base, iter)
-
-
-void map_deinit_(map_base_t *m);
-void *map_get_(map_base_t *m, const char *key);
-int map_set_(map_base_t *m, const char *key, void *value, int vsize);
-void map_remove_(map_base_t *m, const char *key);
-map_iter_t map_iter_(void);
-const char *map_next_(map_base_t *m, map_iter_t *iter);
-
-
-typedef map_t(void *) map_void_t;
-typedef map_t(char *) map_str_t;
-typedef map_t(int) map_int_t;
-typedef map_t(char) map_char_t;
-typedef map_t(float) map_float_t;
-typedef map_t(double) map_double_t;
-
-#endif /* _TLS_MAP_H */
diff --git a/src/modules/tls/tls_server.c b/src/modules/tls/tls_server.c
index 947f107131b..3e22ec42712 100644
--- a/src/modules/tls/tls_server.c
+++ b/src/modules/tls/tls_server.c
@@ -427,11 +427,6 @@ static void tls_dump_cert_info(char *s, X509 *cert)
 }
 }
-
-#ifdef KSR_SSL_ENGINE
-// lookup HSM keys in process-local memory
-EVP_PKEY *tls_lookup_private_key(SSL_CTX *);
-#endif /* KSR_SSL_ENGINE */
 /** wrapper around SSL_accept, usin SSL return convention.
 * It will also log critical errors and certificate debugging info.
 * @param c - tcp connection with tls (extra_data must be a filled
@@ -462,12 +457,7 @@ int tls_accept(struct tcp_connection *c, int *error)
 BUG("Invalid connection state %d (bug in TLS code)\n", tls_c->state);
 goto err;
 }
-#ifdef KSR_SSL_ENGINE
- /* check if we have a HSM key */
- EVP_PKEY *pkey = tls_lookup_private_key(SSL_get_SSL_CTX(ssl));
- if(pkey)
- SSL_use_PrivateKey(ssl, pkey);
-#endif /* KSR_SSL_ENGINE */
+ tls_openssl_clear_errors();
 ret = SSL_accept(ssl);
 if(unlikely(ret == 1)) {
@@ -532,13 +522,7 @@ int tls_connect(struct tcp_connection *c, int *error)
 BUG("Invalid connection state %d (bug in TLS code)\n", tls_c->state);
 goto err;
 }
-#ifdef KSR_SSL_ENGINE
- // lookup HSM private key in process-local memory
- EVP_PKEY *pkey = tls_lookup_private_key(SSL_get_SSL_CTX(ssl));
- if(pkey) {
- SSL_use_PrivateKey(ssl, pkey);
- }
-#endif
+ tls_openssl_clear_errors();
 ret = SSL_connect(ssl);
 if(unlikely(ret == 1)) {
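Review bot: `tls_openssl_clear_errors()` is now called unconditionally right before `SSL_accept()` in the tls_accept hunk (and before `SSL_connect()` in the tls_connect hunk), where the replaced code only ran under `KSR_SSL_ENGINE`, and nothing in either hunk records why the error queue has to be empty at that point. A one-line comment such as `/* drain stale OpenSSL errors so the result of this handshake is not misread from older entries */` would make the intent visible, assuming that is what the helper does; a leftover entry would presumably affect how the `SSL_get_error()`-based handling after the call interprets a failure. The diff does not show a declaration of `tls_openssl_clear_errors()` in this file, so it is presumably provided by a header already included; if it is new, its prototype should be introduced alongside. tls_accept and tls_connect both start and end outside their hunks.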