Browse code

tls: migrated to the runtime cfg framework

- moved all the module params to runtime config. Most of the
variables are read-only (for now) with the following exceptions:
config - can be changed at runtime and if followed by a
tls.realod, the configuration from the new file will
be loaded.
log
connection_timeout
low_mem_threshold1
low_mem_threshold2
- renamed tls_fix_cfg() to tls_fix_domains_cfg() to avoid
confusion with the runtime cfg (named tls_cfg).

Andrei Pelinescu-Onciul authored on 28/05/2010 10:35:07
Showing 13 changed files
1 1
new file mode 100644
... ...
@@ -0,0 +1,222 @@
1
+/* 
2
+ * $Id$
3
+ * 
4
+ * Copyright (C) 2010 iptelorg GmbH
5
+ *
6
+ * Permission to use, copy, modify, and distribute this software for any
7
+ * purpose with or without fee is hereby granted, provided that the above
8
+ * copyright notice and this permission notice appear in all copies.
9
+ *
10
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
+ */
18
+/** tls runtime configuration.
19
+ * @file tls_cfg.c
20
+ * @ingroup: @tls
21
+ * Module: @ref tls
22
+ */
23
+/*
24
+ * History:
25
+ * --------
26
+ *  2010-05-27  initial version (andrei)
27
+*/
28
+
29
+#include "tls_cfg.h"
30
+#include "../../config.h"
31
+#include "../../str.h"
32
+#include "../../ut.h"
33
+#include "../../pt.h"
34
+#include "../../mem/shm_mem.h"
35
+
36
+struct cfg_group_tls default_tls_cfg = {
37
+	0, /* tls_force_run */
38
+	STR_STATIC_INIT("TLSv1"), /* method */
39
+	0, /* verify_certificate */
40
+	9, /* verify_depth */
41
+	0, /* require_certificate */
42
+	STR_STATIC_INIT(TLS_PKEY_FILE), /* private_key */
43
+	STR_STATIC_INIT(TLS_CA_FILE),   /* ca_list */
44
+	STR_STATIC_INIT(TLS_CERT_FILE), /* certificate */
45
+	STR_NULL, /* cipher_list */
46
+	0, /* session_cache */
47
+	STR_STATIC_INIT("sip-router-tls-3.1"), /* session_id */
48
+	STR_NULL, /* config_file */
49
+	3, /* log */
50
+	600, /* con_lifetime (s)*/
51
+	1, /* disable_compression */
52
+	-1, /* ssl_release_buffers (use the default: off) */
53
+	-1, /* ssl_freelist_max  (use the default: 32) */
54
+	-1, /* ssl_max_send_fragment (use the default: 16k)*/
55
+	1, /* ssl_read_ahead (set, use -1 for the openssl default value)*/
56
+	-1, /* low_mem_treshold1 */
57
+	-1, /* low_mem_treshold2 */
58
+};
59
+
60
+void* tls_cfg = &default_tls_cfg;
61
+
62
+
63
+/* if *to<0 to=default_val, else if to>max_val to=max_val */
64
+static void fix_timeout(char* name, int* to, int default_val, unsigned max_val)
65
+{
66
+	if (*to < 0) *to=default_val;
67
+	else if ((unsigned)*to > max_val){
68
+		WARN("%s: timeout too big (%u), the maximum value is %u\n",
69
+				name, *to, max_val);
70
+		*to=max_val;
71
+	}
72
+}
73
+
74
+
75
+static int fix_con_lt(void* cfg_h, str* gname, str* name, void** val)
76
+{
77
+	int v;
78
+	v=S_TO_TICKS((int)(long)*val);
79
+	fix_timeout("tls.connection_timeout", &v,
80
+					MAX_TLS_CON_LIFETIME, MAX_TLS_CON_LIFETIME);
81
+	*val=(void*)(long)v;
82
+	return 0;
83
+}
84
+
85
+
86
+
87
+/** cfg framework callback for fixing pathnames. */
88
+static int fix_rel_pathname(void* cfg_h, str* gname, str* name, void** val)
89
+{
90
+	str* f;
91
+	str new_f;
92
+	/* the cfg framework will immediately "clone" the value so
93
+	   we can pass a pointer to a temporary static buffer to it
94
+	   (using a dyn. alloc'd buffer would introduce the additional
95
+	    problem of having to free it somehow) */
96
+	static char path_buf[MAX_PATH_SIZE];
97
+
98
+	f = *val;
99
+	if (f && f->s) {
100
+		new_f.s = get_abs_pathname(0, f);
101
+		if (new_f.s == 0)
102
+			return -1;
103
+		new_f.len = strlen(new_f.s);
104
+		if (new_f.len >= MAX_PATH_SIZE) {
105
+			ERR("%.*s.%.*s path too long (%d bytes): \"%.*s\"\n",
106
+					gname->len, gname->s, name->len, name->s,
107
+					new_f.len, new_f.len, new_f.s);
108
+			pkg_free(new_f.s);
109
+			return -1;
110
+		}
111
+		memcpy(path_buf, new_f.s, new_f.len);
112
+		pkg_free(new_f.s);
113
+		new_f.s = path_buf;
114
+		*f = new_f;
115
+	}
116
+	return 0;
117
+}
118
+
119
+
120
+
121
+cfg_def_t	tls_cfg_def[] = {
122
+	{"force_run", CFG_VAR_INT | CFG_READONLY, 0, 1, 0, 0,
123
+		"force loading the tls module even when initial sanity checks fail"},
124
+	{"method",   CFG_VAR_STR | CFG_READONLY, 0, 0, 0, 0,
125
+		"TLS method used (TLSv1, SSLv3, SSLv2, SSLv23)"},
126
+	{"verify_certificate", CFG_VAR_INT | CFG_READONLY, 0, 1, 0, 0,
127
+		"if enabled the certificates will be verified" },
128
+	{"verify_depth", CFG_VAR_INT | CFG_READONLY, 0, 100, 0, 0,
129
+		"sets how far up the certificate chain will the certificate"
130
+		" verification go in the search for a trusted CA" },
131
+	{"require_certificate", CFG_VAR_INT | CFG_READONLY, 0, 1, 0, 0,
132
+		"if enabled a certificate will be required from clients" },
133
+	{"private_key", CFG_VAR_STR | CFG_READONLY, 0, 0, fix_rel_pathname, 0,
134
+		"name of the file containing the private key (pem format), if not"
135
+		" contained in the certificate file" },
136
+	{"ca_list", CFG_VAR_STR | CFG_READONLY, 0, 0, fix_rel_pathname, 0,
137
+		"name of the file containing the trusted CA list (pem format)" },
138
+	{"certificate", CFG_VAR_STR | CFG_READONLY, 0, 0, fix_rel_pathname, 0,
139
+		"name of the file containing the certificate (pem format)" },
140
+	{"cipher_list", CFG_VAR_STR | CFG_READONLY, 0, 0, 0, 0,
141
+		"list of the accepted ciphers (strings separated by colons)" },
142
+	{"session_cache", CFG_VAR_INT | CFG_READONLY, 0, 1, 0, 0,
143
+		"enables or disables the session cache" },
144
+	{"session_id", CFG_VAR_STR | CFG_READONLY, 0, 0, 0, 0,
145
+		"string used for the session id" },
146
+	{"config", CFG_VAR_STR, 0, 0, fix_rel_pathname, 0,
147
+		"tls config file name (used for the per domain options)" },
148
+	{"log", CFG_VAR_INT | CFG_ATOMIC, 0, 1000, 0, 0,
149
+		"tls info messages log level" },
150
+	{"connection_timeout", CFG_VAR_INT | CFG_ATOMIC,
151
+							-1, MAX_TLS_CON_LIFETIME, fix_con_lt, 0,
152
+		"initial connection lifetime (in s) (obsolete)" },
153
+	{"disable_compression", CFG_VAR_INT | CFG_READONLY, 0, 1, 0, 0,
154
+		"if set disable the built-in OpenSSL compression" },
155
+	{"ssl_release_buffers", CFG_VAR_INT | CFG_READONLY, -1, 1, 0, 0,
156
+		"quickly release internal OpenSSL read or write buffers."
157
+	    " Works only for OpenSSL >= 1.0."},
158
+	{"ssl_free_list_max", CFG_VAR_INT | CFG_READONLY, -1, 1<<30, 0, 0,
159
+		"maximum number of free/cached memory chunks that OpenSSL"
160
+		" will keep per connection. Works only for OpenSSL >= 1.0."},
161
+	{"ssl_max_send_fragment", CFG_VAR_INT | CFG_READONLY, -1, 65536, 0, 0,
162
+		"sets the maximum number of bytes (clear text) send into one TLS"
163
+		" record. Valid values are between 512 and 16384."
164
+		" Works only for OpenSSL >= 0.9.9"},
165
+	{"ssl_read_ahead", CFG_VAR_INT | CFG_READONLY, -1, 1, 0, 0,
166
+		"Enables read ahead, reducing the number of BIO read calls done"
167
+		" internally by the OpenSSL library" },
168
+	{"low_mem_threshold1", CFG_VAR_INT | CFG_ATOMIC, -1, 1<<30, 0, 0,
169
+		"sets the minimum amount of free memory for accepting new TLS"
170
+		" connections (KB)"},
171
+	{"low_mem_threshold2", CFG_VAR_INT | CFG_ATOMIC, -1, 1<<30, 0, 0,
172
+		"sets the minimum amount of free memory after which no more TLS"
173
+		" operations will be attempted (even on existing connections)" },
174
+	{0, 0, 0, 0, 0, 0}
175
+};
176
+
177
+
178
+
179
+/* to be used on start-up, with pkg_alloc'ed path names  (path->s)*/
180
+static int fix_initial_pathname(str* path)
181
+{
182
+	str new_path;
183
+	if (path->s) {
184
+		new_path.s = get_abs_pathname(0, path);
185
+		if (new_path.s == 0) return -1;
186
+		new_path.len = strlen(new_path.s);
187
+		pkg_free(path->s);
188
+		*path = new_path;
189
+	}
190
+	return 0;
191
+}
192
+
193
+
194
+
195
+/** fix the tls cfg, prior to registering.
196
+  * @return < 0 on error, 0 on success
197
+  */
198
+int fix_tls_cfg(struct cfg_group_tls* cfg)
199
+{
200
+	cfg->con_lifetime = S_TO_TICKS(cfg->con_lifetime);
201
+	fix_timeout("tls_connection_timeout", &cfg->con_lifetime, 
202
+						MAX_TLS_CON_LIFETIME, MAX_TLS_CON_LIFETIME);
203
+	/* Update relative paths of files configured through modparams, relative
204
+	 * pathnames will be converted to absolute and the directory of the main
205
+	 * SER configuration file will be used as reference.
206
+	 */
207
+	if (fix_initial_pathname(&cfg->config_file) < 0)
208
+		return -1;
209
+	if (fix_initial_pathname(&cfg->private_key) < 0)
210
+		return -1;
211
+	if (fix_initial_pathname(&cfg->ca_list) < 0 )
212
+		return -1;
213
+	if (fix_initial_pathname(&cfg->certificate) < 0)
214
+		return -1;
215
+	
216
+	return 0;
217
+}
218
+
219
+
220
+
221
+
222
+/* vi: set ts=4 sw=4 tw=79:ai:cindent: */
0 223
new file mode 100644
... ...
@@ -0,0 +1,102 @@
1
+/* 
2
+ * $Id$
3
+ * 
4
+ * Copyright (C) 2010 iptelorg GmbH
5
+ *
6
+ * Permission to use, copy, modify, and distribute this software for any
7
+ * purpose with or without fee is hereby granted, provided that the above
8
+ * copyright notice and this permission notice appear in all copies.
9
+ *
10
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
+ */
18
+/** tls runtime configuration.
19
+ * @filetls_cfg.h
20
+ * @ingroup: tls
21
+ * Module: @ref tls
22
+ */
23
+/*
24
+ * History:
25
+ * --------
26
+ *  2010-05-27  initial version (andrei)
27
+*/
28
+
29
+#ifndef __tls_cfg_h
30
+#define __tls_cfg_h
31
+
32
+#include "../../str.h"
33
+#include "../../cfg/cfg.h"
34
+
35
+
36
+/* maximum accepted lifetime (maximum possible is  ~ MAXINT/2)
37
+ *  (it should be kept in sync w/ MAX_TCP_CON_LIFETIME from tcp_main.c:
38
+ *   MAX_TLS_CON_LIFETIME <= MAX_TCP_CON_LIFETIME )*/
39
+#define MAX_TLS_CON_LIFETIME	(1U<<(sizeof(ticks_t)*8-1))
40
+
41
+
42
+
43
+struct cfg_group_tls {
44
+	int force_run;
45
+	str method;
46
+	int verify_cert;
47
+	int verify_depth;
48
+	int require_cert;
49
+	str private_key;
50
+	str ca_list;
51
+	str certificate;
52
+	str cipher_list;
53
+	int session_cache;
54
+	str session_id;
55
+	str config_file;
56
+	int log;
57
+	int con_lifetime;
58
+	int disable_compression;
59
+	/* release internal openssl read or write buffer when they are no longer
60
+	 * used (complete read or write that does not have to buffer anything).
61
+	 * Should be used together with tls_free_list_max_len. Might have some
62
+	 * performance impact (and extra *malloc pressure), but has also the
63
+	 * potential of saving a lot of memory (at least 32k/idle connection in the
64
+	 * default config, or ~ 16k+tls_max_send_fragment)) */
65
+	int ssl_release_buffers;
66
+	/* maximum length of free/unused memory buffers/chunks per connection.
67
+	 * Setting it to 0 would cause any unused buffers to be immediately freed
68
+	 * and hence a lower memory footprint (at the cost of a possible
69
+	 * performance decrease and more *malloc pressure).
70
+	 * Too large value would result in extra memory consumption.
71
+	 * The default is 32 in openssl.
72
+	 * For lowest memory usage set it to 0 and tls_mode_release_buffers to 1
73
+	 */
74
+	int ssl_freelist_max;
75
+	/* maximum number of bytes (clear text) sent into one record.
76
+	 * The default and maximum value are ~16k. Lower values would lead to a
77
+	 * lower  memory footprint.
78
+	 * Values lower then the typical  app. write size might decrease
79
+	 * performance (extra write() syscalls), so it should be kept ~2k for ser.
80
+	 */
81
+	int ssl_max_send_fragment;
82
+	/* enable read ahead. Should increase performance (1 less syscall when
83
+	 * enabled, else openssl makes 1 read() for each record header and another
84
+	 * for the content), but might interact with SSL_pending() (not used right
85
+	 * now)
86
+	 */
87
+	int ssl_read_ahead;
88
+	int low_mem_threshold1;
89
+	int low_mem_threshold2;
90
+};
91
+
92
+
93
+extern struct cfg_group_tls default_tls_cfg;
94
+extern void* tls_cfg;
95
+extern cfg_def_t tls_cfg_def[];
96
+
97
+
98
+extern int fix_tls_cfg(struct cfg_group_tls* cfg);
99
+
100
+#endif /*__tls_cfg_h*/
101
+
102
+/* vi: set ts=4 sw=4 tw=79:ai:cindent: */
... ...
@@ -44,6 +44,7 @@
44 44
 #include "../../dprint.h"
45 45
 #include "../../trim.h"
46 46
 #include "../../ut.h"
47
+#include "../../cfg/cfg.h"
47 48
 
48 49
 static tls_domains_cfg_t* cfg = NULL;
49 50
 static tls_domain_t* domain = NULL;
... ...
@@ -39,11 +39,13 @@
39 39
 #include "../../ut.h"
40 40
 #include "../../mem/shm_mem.h"
41 41
 #include "../../pt.h"
42
+#include "../../cfg/cfg.h"
42 43
 #include "tls_server.h"
43 44
 #include "tls_util.h"
44 45
 #include "tls_mod.h"
45 46
 #include "tls_init.h"
46 47
 #include "tls_domain.h"
48
+#include "tls_cfg.h"
47 49
 
48 50
 
49 51
 /*
... ...
@@ -529,17 +531,21 @@ static int set_session_cache(tls_domain_t* d)
529 531
 {
530 532
 	int i;
531 533
 	int procs_no;
534
+	str tls_session_id;
532 535
 	
533 536
 	procs_no=get_max_procs();
537
+	tls_session_id=cfg_get(tls, tls_cfg, session_id);
534 538
 	for(i = 0; i < procs_no; i++) {
535
-		     /* janakj: I am not sure if session cache makes sense in ser, session 
536
-		      * cache is stored in SSL_CTX and we have one SSL_CTX per process, thus 
537
-		      * sessions among processes will not be reused
538
-		      */
539
-		SSL_CTX_set_session_cache_mode(d->ctx[i], 
540
-				   tls_session_cache ? SSL_SESS_CACHE_SERVER : SSL_SESS_CACHE_OFF);
541
-		SSL_CTX_set_session_id_context(d->ctx[i], 
542
-					       (unsigned char*)tls_session_id.s, tls_session_id.len);
539
+		/* janakj: I am not sure if session cache makes sense in ser, session
540
+		 * cache is stored in SSL_CTX and we have one SSL_CTX per process,
541
+		 * thus sessions among processes will not be reused
542
+		 */
543
+		SSL_CTX_set_session_cache_mode(d->ctx[i],
544
+				cfg_get(tls, tls_cfg, session_cache) ? SSL_SESS_CACHE_SERVER :
545
+				SSL_SESS_CACHE_OFF);
546
+		/* not really needed is SSL_SESS_CACHE_OFF */
547
+		SSL_CTX_set_session_id_context(d->ctx[i],
548
+					(unsigned char*)tls_session_id.s, tls_session_id.len);
543 549
 	}
544 550
 	return 0;
545 551
 }
... ...
@@ -738,10 +744,14 @@ static int load_private_key(tls_domain_t* d)
738 744
  * Initialize attributes of all domains from default domains
739 745
  * if necessary
740 746
  */
741
-int tls_fix_cfg(tls_domains_cfg_t* cfg, tls_domain_t* srv_defaults,
747
+int tls_fix_domains_cfg(tls_domains_cfg_t* cfg, tls_domain_t* srv_defaults,
742 748
 				tls_domain_t* cli_defaults)
743 749
 {
744 750
 	tls_domain_t* d;
751
+	int ssl_mode_release_buffers;
752
+	int ssl_freelist_max_len;
753
+	int ssl_max_send_fragment;
754
+	int ssl_read_ahead;
745 755
 
746 756
 	if (!cfg->cli_default) {
747 757
 		cfg->cli_default = tls_new_domain(TLS_DOMAIN_DEF | TLS_DOMAIN_CLI, 0, 0);
... ...
@@ -785,6 +795,10 @@ int tls_fix_cfg(tls_domains_cfg_t* cfg, tls_domain_t* srv_defaults,
785 795
 	/* set various global per CTX options
786 796
 	 * (done here to show possible missing features messages only once)
787 797
 	 */
798
+	ssl_mode_release_buffers = cfg_get(tls, tls_cfg, ssl_release_buffers);
799
+	ssl_freelist_max_len = cfg_get(tls, tls_cfg, ssl_freelist_max);
800
+	ssl_max_send_fragment = cfg_get(tls, tls_cfg, ssl_max_send_fragment);
801
+	ssl_read_ahead = cfg_get(tls, tls_cfg, ssl_read_ahead);
788 802
 #if OPENSSL_VERSION_NUMBER >= 0x01000000L
789 803
 	/* set SSL_MODE_RELEASE_BUFFERS if ssl_mode_release_buffers !=0,
790 804
 	   reset if == 0 and ignore if < 0 */
... ...
@@ -143,7 +143,7 @@ int tls_add_domain(tls_domains_cfg_t* cfg, tls_domain_t* d);
143 143
 /*
144 144
  * Fill in missing parameters
145 145
  */
146
-int tls_fix_cfg(tls_domains_cfg_t* cfg, tls_domain_t* srv_defaults,
146
+int tls_fix_domains_cfg(tls_domains_cfg_t* cfg, tls_domain_t* srv_defaults,
147 147
 				tls_domain_t* cli_defaults);
148 148
 
149 149
 
... ...
@@ -35,11 +35,15 @@
35 35
 #include <openssl/ssl.h>
36 36
 #include "../../dprint.h"
37 37
 #include "tls_mod.h"
38
+#include "tls_cfg.h"
38 39
 
39 40
 /** log the verification failure reason.
40 41
  */
41 42
 void tls_dump_verification_failure(long verification_result)
42 43
 {
44
+	int tls_log;
45
+	
46
+	tls_log = cfg_get(tls, tls_cfg, log);
43 47
 	switch(verification_result) {
44 48
 	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
45 49
 		LOG(tls_log, "verification failure: unable to get issuer certificate\n");
... ...
@@ -63,6 +63,8 @@
63 63
 #include "../../tcp_init.h"
64 64
 #include "../../socket_info.h"
65 65
 #include "../../pt.h"
66
+#include "../../cfg/cfg.h"
67
+#include "../../cfg/cfg_ctx.h"
66 68
 #include "tls_verify.h"
67 69
 #include "tls_domain.h"
68 70
 #include "tls_util.h"
... ...
@@ -70,6 +72,7 @@
70 72
 #include "tls_init.h"
71 73
 #include "tls_locking.h"
72 74
 #include "tls_ct_wrq.h"
75
+#include "tls_cfg.h"
73 76
 
74 77
 #if OPENSSL_VERSION_NUMBER < 0x00907000L
75 78
 #    warning ""
... ...
@@ -125,12 +128,6 @@ to compile on the  _target_ system)"
125 128
 #ifdef TLS_KSSL_WORKARROUND
126 129
 int openssl_kssl_malloc_bug=0; /* is openssl bug #1467 present ? */
127 130
 #endif
128
-int openssl_mem_threshold1=-1; /* low memory threshold for connect/accept */
129
-int openssl_mem_threshold2=-1; /* like above but for other tsl operations */
130
-int tls_disable_compression = 1; /* by default disabled due to high memory
131
-									use (~10x then without compression) */
132
-int tls_force_run = 0; /* ignore some start-up sanity checks, use it
133
-						  at your own risk */
134 131
 
135 132
 const SSL_METHOD* ssl_methods[TLS_USE_SSLv23 + 1];
136 133
 
... ...
@@ -372,7 +369,7 @@ static int init_tls_compression(void)
372 369
 		LOG(L_INFO, "tls: init_tls: compression support disabled in the"
373 370
 					" openssl lib\n");
374 371
 		goto end; /* nothing to do, exit */
375
-	} else if (tls_disable_compression){
372
+	} else if (cfg_get(tls, tls_cfg, disable_compression)){
376 373
 		LOG(L_INFO, "tls: init_tls: disabling compression...\n");
377 374
 		sk_SSL_COMP_zero(comp_methods);
378 375
 	}else{
... ...
@@ -457,6 +454,11 @@ int init_tls_h(void)
457 454
 	int kerberos_support;
458 455
 	int comp_support;
459 456
 	const char* lib_cflags;
457
+	int low_mem_threshold1;
458
+	int low_mem_threshold2;
459
+	str tls_grp;
460
+	str s;
461
+	cfg_ctx_t* cfg_ctx;
460 462
 
461 463
 #if OPENSSL_VERSION_NUMBER < 0x00907000L
462 464
 	WARN("You are using an old version of OpenSSL (< 0.9.7). Upgrade!\n");
... ...
@@ -473,7 +475,7 @@ int init_tls_h(void)
473 475
 				" (tls_force_run in ser.cfg will override this check)\n",
474 476
 				SSLeay_version(SSLEAY_VERSION), ssl_version,
475 477
 				OPENSSL_VERSION_TEXT, (long)OPENSSL_VERSION_NUMBER);
476
-		if (tls_force_run)
478
+		if (cfg_get(tls, tls_cfg, force_run))
477 479
 			LOG(L_WARN, "tls: init_tls_h: tls_force_run turned on, ignoring "
478 480
 						" openssl version mismatch\n");
479 481
 		else
... ...
@@ -525,7 +527,7 @@ int init_tls_h(void)
525 527
 						lib_kerberos?"enabled":"disabled",
526 528
 						kerberos_support?"enabled":"disabled"
527 529
 				);
528
-			if (tls_force_run)
530
+			if (cfg_get(tls, tls_cfg, force_run))
529 531
 				LOG(L_WARN, "tls: init_tls_h: tls_force_run turned on, "
530 532
 						"ignoring kerberos support mismatch\n");
531 533
 			else
... ...
@@ -562,54 +564,65 @@ int init_tls_h(void)
562 564
 			" kerberos support will be disabled...\n");
563 565
 	}
564 566
 	#endif
565
-	 /* set free memory threshold for openssl bug #1491 workaround */
566
-	if (openssl_mem_threshold1<0){
567
+	/* set free memory threshold for openssl bug #1491 workaround */
568
+	low_mem_threshold1 = cfg_get(tls, tls_cfg, low_mem_threshold1);
569
+	low_mem_threshold2 = cfg_get(tls, tls_cfg, low_mem_threshold2);
570
+	if (low_mem_threshold1<0){
567 571
 		/* default */
568
-		openssl_mem_threshold1=512*1024*get_max_procs();
572
+		low_mem_threshold1=512*1024*get_max_procs();
569 573
 	}else
570
-		openssl_mem_threshold1*=1024; /* KB */
571
-	if (openssl_mem_threshold2<0){
574
+		low_mem_threshold1*=1024; /* KB */
575
+	if (low_mem_threshold2<0){
572 576
 		/* default */
573
-		openssl_mem_threshold2=256*1024*get_max_procs();
577
+		low_mem_threshold2=256*1024*get_max_procs();
574 578
 	}else
575
-		openssl_mem_threshold2*=1024; /* KB */
576
-	if ((openssl_mem_threshold1==0) || (openssl_mem_threshold2==0))
579
+		low_mem_threshold2*=1024; /* KB */
580
+	if ((low_mem_threshold1==0) || (low_mem_threshold2==0))
577 581
 		LOG(L_WARN, "tls: openssl bug #1491 (crash/mem leaks on low memory)"
578 582
 					" workarround disabled\n");
579 583
 	else
580 584
 		LOG(L_WARN, "tls: openssl bug #1491 (crash/mem leaks on low memory)"
581 585
 				" workaround enabled (on low memory tls operations will fail"
582 586
 				" preemptively) with free memory thresholds %d and %d bytes\n",
583
-				openssl_mem_threshold1, openssl_mem_threshold2);
587
+				low_mem_threshold1, low_mem_threshold2);
584 588
 	
585 589
 	if (shm_available()==(unsigned long)(-1)){
586 590
 		LOG(L_WARN, "tls: ser compiled without MALLOC_STATS support:"
587 591
 				" the workaround for low mem. openssl bugs will _not_ "
588 592
 				"work\n");
589
-		openssl_mem_threshold1=0;
590
-		openssl_mem_threshold2=0;
593
+		low_mem_threshold1=0;
594
+		low_mem_threshold2=0;
591 595
 	}
592
-	SSL_library_init();
593
-	SSL_load_error_strings();
594
-	init_ssl_methods();
595
-#if 0
596
-	/* OBSOLETE: we are using the tls_h_init_si callback */
597
-	     /* Now initialize TLS sockets */
598
-	for(si = tls_listen; si; si = si->next) {
599
-		if (tls_h_init_si(si) < 0)  return -1;
600
-		     /* get first ipv4/ipv6 socket*/
601
-		if ((si->address.af == AF_INET) &&
602
-		    ((sendipv4_tls == 0) || (sendipv4_tls->flags & SI_IS_LO))) {
603
-			sendipv4_tls = si;
596
+	if ((low_mem_threshold1 != cfg_get(tls, tls_cfg, low_mem_threshold1)) ||
597
+	    (low_mem_threshold2 != cfg_get(tls, tls_cfg, low_mem_threshold2))) {
598
+		/* ugly hack to set the initial values for the mem tresholds */
599
+		if (cfg_register_ctx(&cfg_ctx, 0)) {
600
+			ERR("failed to register cfg context\n");
601
+			return -1;
604 602
 		}
605
-#ifdef USE_IPV6
606
-		if ((sendipv6_tls == 0) && (si->address.af == AF_INET6)) {
607
-			sendipv6_tls = si;
603
+		tls_grp.s = "tls";
604
+		tls_grp.len = strlen(tls_grp.s);
605
+		s.s = "low_mem_threshold1";
606
+		s.len = strlen(s.s);
607
+		if (low_mem_threshold1 != cfg_get(tls, tls_cfg, low_mem_threshold1) &&
608
+				cfg_set_now_int(cfg_ctx, &tls_grp, &s, low_mem_threshold1)) {
609
+			ERR("failed to set tls.low_mem_threshold1 to %d\n",
610
+					low_mem_threshold1);
611
+			return -1;
612
+		}
613
+		s.s = "low_mem_threshold2";
614
+		s.len = strlen(s.s);
615
+		if (low_mem_threshold2 != cfg_get(tls, tls_cfg, low_mem_threshold2) &&
616
+				cfg_set_now_int(cfg_ctx, &tls_grp, &s, low_mem_threshold2)) {
617
+			ERR("failed to set tls.low_mem_threshold1 to %d\n",
618
+					low_mem_threshold2);
619
+			return -1;
608 620
 		}
609
-#endif
610 621
 	}
611
-#endif
612
-
622
+	
623
+	SSL_library_init();
624
+	SSL_load_error_strings();
625
+	init_ssl_methods();
613 626
 	return 0;
614 627
 }
615 628
 
... ...
@@ -55,13 +55,8 @@
55 55
 #define TLS_KSSL_WORKARROUND
56 56
 extern int openssl_kssl_malloc_bug; /* is openssl bug #1467 present ? */
57 57
 #endif
58
-extern int openssl_mem_threshold1; /* low memory threshold for connect */
59
-extern int openssl_mem_threshold2; /* like above but for other tsl operations */
60 58
 
61 59
 
62
-extern int tls_disable_compression; /* by default enabled */
63
-extern int tls_force_run; /* by default disabled */
64
-
65 60
 extern const SSL_METHOD* ssl_methods[];
66 61
 
67 62
 
... ...
@@ -36,6 +36,7 @@
36 36
  * 2010-03-19  new parameters to control advanced openssl lib options
37 37
  *              (mostly work on 1.0.0+): ssl_release_buffers, ssl_read_ahead,
38 38
  *              ssl_freelist_max_len, ssl_max_send_fragment   (andrei)
39
+ * 2010-05-27  migrated to the runtime cfg framework (andrei)
39 40
  */
40 41
 /** SIP-router TLS support :: Module interface.
41 42
  * @file
... ...
@@ -57,6 +58,7 @@
57 58
 #include "../../tls_hooks.h"
58 59
 #include "../../ut.h"
59 60
 #include "../../rpc_lookup.h"
61
+#include "../../cfg/cfg.h"
60 62
 #include "tls_init.h"
61 63
 #include "tls_server.h"
62 64
 #include "tls_domain.h"
... ...
@@ -65,6 +67,7 @@
65 67
 #include "tls_rpc.h"
66 68
 #include "tls_util.h"
67 69
 #include "tls_mod.h"
70
+#include "tls_cfg.h"
68 71
 
69 72
 #ifndef TLS_HOOKS
70 73
 	#error "TLS_HOOKS must be defined, or the tls module won't work"
... ...
@@ -74,12 +77,6 @@
74 77
 #endif
75 78
 
76 79
 
77
-/* maximum accepted lifetime (maximum possible is  ~ MAXINT/2)
78
- *  (it should be kept in sync w/ MAX_TCP_CON_LIFETIME from tcp_main.c:
79
- *   MAX_TLS_CON_LIFETIME <= MAX_TCP_CON_LIFETIME )*/
80
-#define MAX_TLS_CON_LIFETIME	(1U<<(sizeof(ticks_t)*8-1))
81
-
82
-
83 80
 
84 81
 /*
85 82
  * FIXME:
... ...
@@ -166,48 +163,6 @@ tls_domain_t cli_defaults = {
166 163
 };
167 164
 
168 165
 
169
-/*
170
- * Defaults for client and server domains when using modparams
171
- */
172
-static str tls_method = STR_STATIC_INIT("TLSv1");
173
-
174
-
175
-int tls_send_timeout = 30;
176
-int tls_con_lifetime = 600; /* this value will be adjusted to ticks later */
177
-int tls_log = 3;
178
-int tls_session_cache = 0;
179
-str tls_session_id = STR_STATIC_INIT("ser-tls-2.1.0");
180
-/* release internal openssl read or write buffer when they are no longer used
181
- * (complete read or write that does not have to buffer anything).
182
- * Should be used together with tls_free_list_max_len. Might have some
183
- * performance impact (and extra *malloc pressure), but has also the potential
184
- * of saving a lot of memory (at least 32k/idle connection in the default
185
- * config, or ~ 16k+tls_max_send_fragment)) */
186
-int ssl_mode_release_buffers = -1; /* don't set, leave the default (off) */
187
-/* maximum length of free/unused memory buffers/chunks per connection.
188
- * Setting it to 0 would cause any unused buffers to be immediately freed
189
- * and hence a lower memory footprint (at the cost of a possible performance
190
- * decrease and more *malloc pressure).
191
- * Too large value would result in extra memory consumption.
192
- * The default is 32 in openssl.
193
- * For lowest memory usage set it to 0 and tls_mode_release_buffers to 1
194
- */
195
-int ssl_freelist_max_len = -1;   /* don't set, leave the default value (32) */
196
-/* maximum number of bytes (clear text) sent into one record.
197
- * The default and maximum value are ~16k. Lower values would lead to a lower
198
- *  memory footprint. 
199
- * Values lower then the typical  app. write size might decrease performance 
200
- * (extra write() syscalls), so it should be kept ~2k for ser.
201
- */
202
-int ssl_max_send_fragment = -1;  /* don't set, leave the default (16k) */
203
-/* enable read ahead. Should increase performance (1 less syscall when
204
- * enabled, else openssl makes 1 read() for each record header and another
205
- * for the content), but might interact with SSL_pending() (not used right now)
206
- */
207
-int ssl_read_ahead = 1; /* set (use -1 for the default value) */
208
-
209
-str tls_domains_cfg_file = STR_NULL;
210
-
211 166
 
212 167
 /* Current TLS configuration */
213 168
 tls_domains_cfg_t** tls_domains_cfg = NULL;
... ...
@@ -230,27 +185,29 @@ static cmd_export_t cmds[] = {
230 185
  * Exported parameters
231 186
  */
232 187
 static param_export_t params[] = {
233
-	{"tls_method",          PARAM_STR,    &tls_method             },
234
-	{"verify_certificate",  PARAM_INT,    &mod_params.verify_cert },
235
-	{"verify_depth",        PARAM_INT,    &mod_params.verify_depth},
236
-	{"require_certificate", PARAM_INT,    &mod_params.require_cert},
237
-	{"private_key",         PARAM_STR,    &mod_params.pkey_file   },
238
-	{"ca_list",             PARAM_STR,    &mod_params.ca_file     },
239
-	{"certificate",         PARAM_STR,    &mod_params.cert_file   },
240
-	{"cipher_list",         PARAM_STR,    &mod_params.cipher_list },
241
-	{"connection_timeout",  PARAM_INT,    &tls_con_lifetime       },
242
-	{"tls_log",             PARAM_INT,    &tls_log                },
243
-	{"session_cache",       PARAM_INT,    &tls_session_cache      },
244
-	{"session_id",          PARAM_STR,    &tls_session_id         },
245
-	{"config",              PARAM_STR,    &tls_domains_cfg_file   },
246
-	{"tls_disable_compression", PARAM_INT,&tls_disable_compression},
247
-	{"ssl_release_buffers",   PARAM_INT, &ssl_mode_release_buffers},
248
-	{"ssl_freelist_max_len",  PARAM_INT,    &ssl_freelist_max_len},
249
-	{"ssl_max_send_fragment", PARAM_INT,    &ssl_max_send_fragment},
250
-	{"ssl_read_ahead",        PARAM_INT,    &ssl_read_ahead},
251
-	{"tls_force_run",       PARAM_INT,    &tls_force_run},
252
-	{"low_mem_threshold1",  PARAM_INT,    &openssl_mem_threshold1},
253
-	{"low_mem_threshold2",  PARAM_INT,    &openssl_mem_threshold2},
188
+	{"tls_method",          PARAM_STR,    &default_tls_cfg.method       },
189
+	{"verify_certificate",  PARAM_INT,    &default_tls_cfg.verify_cert  },
190
+	{"verify_depth",        PARAM_INT,    &default_tls_cfg.verify_depth },
191
+	{"require_certificate", PARAM_INT,    &default_tls_cfg.require_cert },
192
+	{"private_key",         PARAM_STR,    &default_tls_cfg.private_key  },
193
+	{"ca_list",             PARAM_STR,    &default_tls_cfg.ca_list      },
194
+	{"certificate",         PARAM_STR,    &default_tls_cfg.certificate  },
195
+	{"cipher_list",         PARAM_STR,    &default_tls_cfg.cipher_list  },
196
+	{"connection_timeout",  PARAM_INT,    &default_tls_cfg.con_lifetime },
197
+	{"tls_log",             PARAM_INT,    &default_tls_cfg.log      },
198
+	{"session_cache",       PARAM_INT,    &default_tls_cfg.session_cache},
199
+	{"session_id",          PARAM_STR,    &default_tls_cfg.session_id   },
200
+	{"config",              PARAM_STR,    &default_tls_cfg.config_file  },
201
+	{"tls_disable_compression", PARAM_INT,
202
+										 &default_tls_cfg.disable_compression},
203
+	{"ssl_release_buffers",   PARAM_INT, &default_tls_cfg.ssl_release_buffers},
204
+	{"ssl_freelist_max_len",  PARAM_INT,  &default_tls_cfg.ssl_freelist_max},
205
+	{"ssl_max_send_fragment", PARAM_INT,
206
+									   &default_tls_cfg.ssl_max_send_fragment},
207
+	{"ssl_read_ahead",        PARAM_INT,    &default_tls_cfg.ssl_read_ahead},
208
+	{"tls_force_run",       PARAM_INT,    &default_tls_cfg.force_run},
209
+	{"low_mem_threshold1",  PARAM_INT,    &default_tls_cfg.low_mem_threshold1},
210
+	{"low_mem_threshold2",  PARAM_INT,    &default_tls_cfg.low_mem_threshold2},
254 211
 	{0, 0, 0}
255 212
 };
256 213
 
... ...
@@ -259,7 +216,7 @@ static param_export_t params[] = {
259 216
  * Module interface
260 217
  */
261 218
 struct module_exports exports = {
262
-	"tls", 
219
+	"tls",
263 220
 	DEFAULT_DLFLAGS, /* dlopen flags */
264 221
 	cmds,        /* Exported functions */
265 222
 	params,      /* Exported parameters */
... ...
@@ -305,34 +262,6 @@ static tls_domains_cfg_t* tls_use_modparams(void)
305 262
 #endif
306 263
 
307 264
 
308
-static int fix_rel_pathnames(void)
309
-{
310
-	if (tls_domains_cfg_file.s) {
311
-		tls_domains_cfg_file.s = get_abs_pathname(NULL, &tls_domains_cfg_file);
312
-		if (tls_domains_cfg_file.s == NULL) return -1;
313
-		tls_domains_cfg_file.len = strlen(tls_domains_cfg_file.s);
314
-	}
315
-	
316
-	if (mod_params.pkey_file.s) {
317
-		mod_params.pkey_file.s = get_abs_pathname(NULL, &mod_params.pkey_file);
318
-		if (mod_params.pkey_file.s == NULL) return -1;
319
-		mod_params.pkey_file.len = strlen(mod_params.pkey_file.s);
320
-	}
321
-	
322
-	if (mod_params.ca_file.s) {
323
-		mod_params.ca_file.s = get_abs_pathname(NULL, &mod_params.ca_file);
324
-		if (mod_params.ca_file.s == NULL) return -1;
325
-		mod_params.ca_file.len = strlen(mod_params.ca_file.s);
326
-	}
327
-	
328
-	if (mod_params.cert_file.s) {
329
-		mod_params.cert_file.s = get_abs_pathname(NULL, &mod_params.cert_file);
330
-		if (mod_params.cert_file.s == NULL) return -1;
331
-		mod_params.cert_file.len = strlen(mod_params.cert_file.s);
332
-	}
333
-	
334
-	return 0;
335
-}
336 265
 
337 266
 static int mod_init(void)
338 267
 {
... ...
@@ -343,30 +272,34 @@ static int mod_init(void)
343 272
 				"(set enable_tls=1 in the config to enable it)\n");
344 273
 		return 0;
345 274
 	}
346
-
347
-/*
348
-	if (cfg_get(tcp, tcp_cfg, async) && !tls_force_run){
349
-		ERR("tls does not support tcp in async mode, please use"
350
-				" tcp_async=no in the config file\n");
275
+	if (fix_tls_cfg(&default_tls_cfg) < 0 ) {
276
+		ERR("initial tls configuration fixup failed\n");
351 277
 		return -1;
352 278
 	}
353
-*/
354
-	     /* Convert tls_method parameter to integer */
355
-	method = tls_parse_method(&tls_method);
279
+	/* declare configuration */
280
+	if (cfg_declare("tls", tls_cfg_def, &default_tls_cfg,
281
+							cfg_sizeof(tls), &tls_cfg)) {
282
+		ERR("failed to register the configuration\n");
283
+		return -1;
284
+	}
285
+	/* Convert tls_method parameter to integer */
286
+	method = tls_parse_method(&cfg_get(tls, tls_cfg, method));
356 287
 	if (method < 0) {
357 288
 		ERR("Invalid tls_method parameter value\n");
358 289
 		return -1;
359 290
 	}
291
+	/* fill mod_params */
360 292
 	mod_params.method = method;
361
-
362
-	/* Update relative paths of files configured through modparams, relative
363
-	 * pathnames will be converted to absolute and the directory of the main
364
-	 * SER configuration file will be used as reference.
365
-	 */
366
-	if (fix_rel_pathnames() < 0) return -1;
367
-
368
-	tls_domains_cfg = 
369
-		(tls_domains_cfg_t**)shm_malloc(sizeof(tls_domains_cfg_t*));
293
+	mod_params.verify_cert = cfg_get(tls, tls_cfg, verify_cert);
294
+	mod_params.verify_depth = cfg_get(tls, tls_cfg, verify_depth);
295
+	mod_params.require_cert = cfg_get(tls, tls_cfg, require_cert);
296
+	mod_params.pkey_file = cfg_get(tls, tls_cfg, private_key);
297
+	mod_params.ca_file = cfg_get(tls, tls_cfg, ca_list);
298
+	mod_params.cert_file = cfg_get(tls, tls_cfg, certificate);
299
+	mod_params.cipher_list = cfg_get(tls, tls_cfg, cipher_list);
300
+
301
+	tls_domains_cfg =
302
+			(tls_domains_cfg_t**)shm_malloc(sizeof(tls_domains_cfg_t*));
370 303
 	if (!tls_domains_cfg) {
371 304
 		ERR("Not enough shared memory left\n");
372 305
 		goto error;
... ...
@@ -397,8 +330,9 @@ static int mod_init(void)
397 330
 		ERR("Unable to initialize TLS buffering\n");
398 331
 		goto error;
399 332
 	}
400
-	if (tls_domains_cfg_file.s) {
401
-		*tls_domains_cfg = tls_load_config(&tls_domains_cfg_file);
333
+	if (cfg_get(tls, tls_cfg, config_file).s) {
334
+		*tls_domains_cfg = 
335
+			tls_load_config(&cfg_get(tls, tls_cfg, config_file));
402 336
 		if (!(*tls_domains_cfg)) goto error;
403 337
 	} else {
404 338
 		*tls_domains_cfg = tls_new_cfg();
... ...
@@ -408,21 +342,6 @@ static int mod_init(void)
408 342
 	if (tls_check_sockets(*tls_domains_cfg) < 0)
409 343
 		goto error;
410 344
 
411
-	/* fix the timeouts from s to ticks */
412
-	if (tls_con_lifetime<0){
413
-		/* set to max value (~ 1/2 MAX_INT) */
414
-		tls_con_lifetime=MAX_TLS_CON_LIFETIME;
415
-	}else{
416
-		if ((unsigned)tls_con_lifetime > 
417
-				(unsigned)TICKS_TO_S(MAX_TLS_CON_LIFETIME)){
418
-			LOG(L_WARN, "tls: mod_init: tls_con_lifetime too big (%u s), "
419
-					" the maximum value is %u\n", tls_con_lifetime,
420
-					TICKS_TO_S(MAX_TLS_CON_LIFETIME));
421
-			tls_con_lifetime=MAX_TLS_CON_LIFETIME;
422
-		}else{
423
-			tls_con_lifetime=S_TO_TICKS(tls_con_lifetime);
424
-		}
425
-	}
426 345
 	return 0;
427 346
 error:
428 347
 	destroy_tls_h();
... ...
@@ -437,12 +356,13 @@ static int mod_child(int rank)
437 356
 	/* fix tls config only from the main proc/PROC_INIT., when we know 
438 357
 	 * the exact process number and before any other process starts*/
439 358
 	if (rank == PROC_INIT){
440
-		if (tls_domains_cfg_file.s){
441
-			if (tls_fix_cfg(*tls_domains_cfg, &srv_defaults,
442
-							&cli_defaults) < 0)
359
+		if (cfg_get(tls, tls_cfg, config_file).s){
360
+			if (tls_fix_domains_cfg(*tls_domains_cfg,
361
+									&srv_defaults, &cli_defaults) < 0)
443 362
 				return -1;
444 363
 		}else{
445
-			if (tls_fix_cfg(*tls_domains_cfg, &mod_params, &mod_params) < 0)
364
+			if (tls_fix_domains_cfg(*tls_domains_cfg,
365
+									&mod_params, &mod_params) < 0)
446 366
 				return -1;
447 367
 		}
448 368
 	}
... ...
@@ -472,7 +392,8 @@ static int is_peer_verified(struct sip_msg* msg, char* foo, char* foo2)
472 392
 
473 393
 	DBG("trying to find TCP connection of received message...\n");
474 394
 
475
-	c = tcpconn_get(msg->rcv.proto_reserved1, 0, 0, 0, tls_con_lifetime);
395
+	c = tcpconn_get(msg->rcv.proto_reserved1, 0, 0, 0,
396
+					cfg_get(tls, tls_cfg, con_lifetime));
476 397
 	if (c && c->type != PROTO_TLS) {
477 398
 		ERR("Connection found but is not TLS\n");
478 399
 		tcpconn_put(c);
... ...
@@ -43,14 +43,6 @@
43 43
 #include "../../locking.h"
44 44
 #include "tls_domain.h"
45 45
 
46
-extern int tls_con_lifetime;
47
-extern int tls_log;
48
-extern int tls_session_cache;
49
-extern str tls_session_id;
50
-extern int ssl_mode_release_buffers;
51
-extern int ssl_freelist_max_len;
52
-extern int ssl_max_send_fragment;
53
-extern int ssl_read_ahead;
54 46
 
55 47
 /* Current TLS configuration */
56 48
 extern tls_domains_cfg_t** tls_domains_cfg;
... ...
@@ -33,6 +33,7 @@
33 33
 #include "../../rpc.h"
34 34
 #include "../../tcp_conn.h"
35 35
 #include "../../timer.h"
36
+#include "../../cfg/cfg.h"
36 37
 #include "tls_init.h"
37 38
 #include "tls_mod.h"
38 39
 #include "tls_domain.h"
... ...
@@ -41,6 +42,7 @@
41 42
 #include "tls_server.h"
42 43
 #include "tls_ct_wrq.h"
43 44
 #include "tls_rpc.h"
45
+#include "tls_cfg.h"
44 46
 
45 47
 static const char* tls_reload_doc[2] = {
46 48
 	"Reload TLS configuration file",
... ...
@@ -50,7 +52,9 @@ static const char* tls_reload_doc[2] = {
50 52
 static void tls_reload(rpc_t* rpc, void* ctx)
51 53
 {
52 54
 	tls_domains_cfg_t* cfg;
55
+	str tls_domains_cfg_file;
53 56
 
57
+	tls_domains_cfg_file = cfg_get(tls, tls_cfg, config_file);
54 58
 	if (!tls_domains_cfg_file.s) {
55 59
 		rpc->fault(ctx, 500, "No TLS configuration file configured");
56 60
 		return;
... ...
@@ -66,7 +70,7 @@ static void tls_reload(rpc_t* rpc, void* ctx)
66 70
 		return;
67 71
 	}
68 72
 
69
-	if (tls_fix_cfg(cfg, &srv_defaults, &cli_defaults) < 0) {
73
+	if (tls_fix_domains_cfg(cfg, &srv_defaults, &cli_defaults) < 0) {
70 74
 		rpc->fault(ctx, 500, "Error while fixing TLS configuration"
71 75
 								" (consult server log)");
72 76
 		goto error;
... ...
@@ -37,10 +37,12 @@
37 37
 #include "../../tcp_server.h"
38 38
 #include "../../tcp_conn.h"
39 39
 #include "../../ut.h"
40
+#include "../../cfg/cfg.h"
40 41
 #include "tls_server.h"
41 42
 #include "tls_select.h"
42 43
 #include "tls_mod.h"
43 44
 #include "tls_init.h" /* features macros */
45
+#include "tls_cfg.h"
44 46
 
45 47
 enum {
46 48
 	CERT_LOCAL = 1,   /* Select local certificate */
... ...
@@ -107,7 +109,8 @@ struct tcp_connection* get_cur_connection(struct sip_msg* msg)
107 109
 		return 0;
108 110
 	}
109 111
 
110
-	c = tcpconn_get(msg->rcv.proto_reserved1, 0, 0, 0, tls_con_lifetime);
112
+	c = tcpconn_get(msg->rcv.proto_reserved1, 0, 0, 0,
113
+					cfg_get(tls, tls_cfg, con_lifetime));
111 114
 	if (c && c->type != PROTO_TLS) {
112 115
 		ERR("Connection found but is not TLS\n");
113 116
 		tcpconn_put(c);
... ...
@@ -47,6 +47,7 @@
47 47
 #include "../../pt.h"
48 48
 #include "../../tcp_int_send.h"
49 49
 #include "../../tcp_read.h"
50
+#include "../../cfg/cfg.h"
50 51
 
51 52
 #include "tls_init.h"
52 53
 #include "tls_domain.h"
... ...
@@ -55,12 +56,15 @@
55 56
 #include "tls_server.h"
56 57
 #include "tls_bio.h"
57 58
 #include "tls_dump_vf.h"
59
+#include "tls_cfg.h"
58 60
 
59 61
 /* low memory treshold for openssl bug #1491 workaround */
60 62
 #define LOW_MEM_NEW_CONNECTION_TEST() \
61
-	((openssl_mem_threshold1) && (shm_available()<openssl_mem_threshold1))
63
+	(cfg_get(tls, tls_cfg, low_mem_threshold1) && \
64
+	  (shm_available() < cfg_get(tls, tls_cfg, low_mem_threshold1)))
62 65
 #define LOW_MEM_CONNECTED_TEST() \
63
-	((openssl_mem_threshold2) && (shm_available()<openssl_mem_threshold2))
66
+	(cfg_get(tls, tls_cfg, low_mem_threshold2) && \
67
+	  (shm_available() <  cfg_get(tls, tls_cfg, low_mem_threshold2)))
64 68
 
65 69
 #define TLS_RD_MBUF_SZ	65536
66 70
 #define TLS_WR_MBUF_SZ	65536
... ...
@@ -216,11 +220,11 @@ static void tls_dump_cert_info(char* s, X509* cert)
216 220
 	issuer = X509_NAME_oneline(X509_get_issuer_name(cert), 0 , 0);
217 221
 	
218 222
 	if (subj){
219
-		LOG(tls_log, "%s subject:%s\n", s ? s : "", subj);
223
+		LOG(cfg_get(tls, tls_cfg, log), "%s subject:%s\n", s ? s : "", subj);
220 224
 		OPENSSL_free(subj);
221 225
 	}
222 226
 	if (issuer){
223
-		LOG(tls_log, "%s issuer:%s\n", s ? s : "", issuer);
227
+		LOG(cfg_get(tls, tls_cfg, log), "%s issuer:%s\n", s ? s : "", issuer);
224 228
 		OPENSSL_free(issuer);
225 229
 	}
226 230
 }
... ...
@@ -243,6 +247,7 @@ static int tls_accept(struct tcp_connection *c, int* error)
243 247
 	SSL *ssl;
244 248
 	X509* cert;
245 249
 	struct tls_extra_data* tls_c;
250
+	int tls_log;
246 251
 
247 252
 	if (LOW_MEM_NEW_CONNECTION_TEST()){
248 253
 		ERR("tls: ssl bug #1491 workaround: not enough memory for safe"
... ...
@@ -262,6 +267,7 @@ static int tls_accept(struct tcp_connection *c, int* error)
262 267
 	if (unlikely(ret == 1)) {
263 268
 		DBG("TLS accept successful\n");
264 269
 		tls_c->state = S_TLS_ESTABLISHED;
270
+		tls_log = cfg_get(tls, tls_cfg, log);
265 271
 		LOG(tls_log, "tls_accept: new connection from %s:%d using %s %s %d\n",
266 272
 		    ip_addr2a(&c->rcv.src_ip), c->rcv.src_port,
267 273
 		    SSL_get_cipher_version(ssl), SSL_get_cipher_name(ssl), 
... ...
@@ -349,6 +355,7 @@ static int tls_connect(struct tcp_connection *c, int* error)
349 355
 	int ret, ssl_err;
350 356
 	X509* cert;
351 357
 	struct tls_extra_data* tls_c;
358
+	int tls_log;
352 359
 
353 360
 	if (LOW_MEM_NEW_CONNECTION_TEST()){
354 361
 		ERR("tls: ssl bug #1491 workaround: not enough memory for safe"
... ...
@@ -369,6 +376,7 @@ static int tls_connect(struct tcp_connection *c, int* error)
369 376
 	if (unlikely(ret == 1)) {
370 377
 		DBG("TLS connect successful\n");
371 378
 		tls_c->state = S_TLS_ESTABLISHED;
379
+		tls_log = cfg_get(tls, tls_cfg, log);
372 380
 		LOG(tls_log, "tls_connect: new connection to %s:%d using %s %s %d\n", 
373 381
 		    ip_addr2a(&c->rcv.src_ip), c->rcv.src_port,
374 382
 		    SSL_get_cipher_version(ssl), SSL_get_cipher_name(ssl),
... ...
@@ -529,7 +537,7 @@ int tls_h_tcpconn_init(struct tcp_connection *c, int sock)
529 537
 {
530 538
 	c->type = PROTO_TLS;
531 539
 	c->rcv.proto = PROTO_TLS;
532
-	c->timeout = get_ticks_raw() + tls_con_lifetime;
540
+	c->timeout = get_ticks_raw() + cfg_get(tls, tls_cfg, con_lifetime);
533 541
 	c->extra_data = 0;
534 542
 	return 0;
535 543
 }