Browse code

- Support for external TLS configuration file - support for relative path names (CFG_DIR will be added automaticaly) - Support for run-time configuration re-load - tls.reload management command implemented

Jan Janak authored on 03/03/2006 11:26:53
Showing 14 changed files
... ...
@@ -32,10 +32,12 @@
32 32
 
33 33
 #include <stdio.h>
34 34
 #include <libgen.h>
35
+#include "../../mem/mem.h"
35 36
 #include "../../dprint.h"
36 37
 #include "../../trim.h"
37 38
 #include "../../ut.h"
38 39
 #include "tls_config.h"
40
+#include "tls_util.h"
39 41
 #include "tls_domain.h"
40 42
 
41 43
 #define MAX_TOKEN_LEN 256
... ...
@@ -49,6 +51,9 @@ static struct {
49 51
 	char* file;
50 52
 	int line;
51 53
 	int col;
54
+
55
+	tls_cfg_t* cfg;       /* Current configuration data */
56
+	tls_domain_t* domain; /* Current domain in the configuration data */
52 57
 } pstate;
53 58
 
54 59
 
... ...
@@ -450,7 +455,6 @@ static struct parser_tab* lookup_token(struct parser_tab* table, str* token)
450 455
 	}
451 456
 }
452 457
 
453
-
454 458
 static int parse_string_val(str* res, token_t* token)
455 459
 {
456 460
 	int ret;
... ...
@@ -536,6 +540,7 @@ static int parse_method_opt(token_t* token)
536 540
 		return -1;
537 541
 	}
538 542
 
543
+	pstate.domain->method = r->u.ival;
539 544
 	return 0;
540 545
 }
541 546
 
... ...
@@ -598,7 +603,9 @@ static int parse_bool_val(int* res, token_t* token)
598 603
 static int parse_verify_cert_opt(token_t* token)
599 604
 {
600 605
 	int ret;
601
-	return parse_bool_val(&ret, token);
606
+	if (parse_bool_val(&ret, token) < 0) return -1;
607
+	pstate.domain->verify_cert  = ret;
608
+	return 0;
602 609
 }
603 610
 
604 611
 
... ...
@@ -644,52 +651,84 @@ static int parse_verify_depth_opt(token_t* token)
644 651
 
645 652
 		return -1;
646 653
 	}
654
+	pstate.domain->verify_depth = val;
647 655
 	return 0;
648 656
 }
649 657
 
650 658
 
651 659
 static int parse_req_cert_opt(token_t* token)
652 660
 {
653
-	str val;
654
-	return parse_string_val(&val, token);
661
+	int ret;
662
+	if (parse_bool_val(&ret, token) < 0) return -1;
663
+	pstate.domain->require_cert  = ret;
664
+	return 0;
655 665
 }
656 666
 
657 667
 
658
-static int parse_pkey_opt(token_t* token)
668
+/*
669
+ * Parse filename value, the function would add CFG_DIR prefix
670
+ * if the filename does not start with /. The result is allocated
671
+ * using shm_malloc and must be freed using shm_free
672
+ */
673
+static char* parse_file_val(token_t* token)
659 674
 {
675
+	char* file, *res;
660 676
 	str val;
661
-	return parse_string_val(&val, token);
677
+        if (parse_string_val(&val, token) < 0) return 0;
678
+	file = get_pathname(&val);
679
+	if (!file) return 0;
680
+	if (shm_asciiz_dup(&res, file) < 0) {
681
+		pkg_free(file);
682
+		return 0;
683
+	}
684
+	pkg_free(file);
685
+	return res;
662 686
 }
663 687
 
664 688
 
665
-static int parse_ca_list_opt(token_t* token)
689
+static int parse_pkey_opt(token_t* token)
666 690
 {
667
-	str val;
668
-	return parse_string_val(&val, token);
691
+	char* file;
692
+	file = parse_file_val(token);
693
+	if (!file) return -1;
694
+	pstate.domain->pkey_file = file;
695
+	return 0;
669 696
 }
670 697
 
698
+static int parse_ca_list_opt(token_t* token)
699
+{
700
+	char* file;
701
+	file = parse_file_val(token);
702
+	if (!file) return -1;
703
+	pstate.domain->ca_file = file;
704
+	return 0;
705
+}
671 706
 
672 707
 static int parse_cert_opt(token_t* token)
673 708
 {
674
-	str val;
675
-	return parse_string_val(&val, token);
709
+	char* file;
710
+	file = parse_file_val(token);
711
+	if (!file) return -1;
712
+	pstate.domain->cert_file = file;
713
+	return 0;
676 714
 }
677 715
 
678 716
 static int parse_cipher_list_opt(token_t* token)
679 717
 {
680 718
 	str val;
681
-	return parse_string_val(&val, token);
719
+	if (parse_string_val(&val, token) < 0) return -1;
720
+	if (shm_str_dup(&pstate.domain->cipher_list, &val) < 0) return -1;
721
+	return 0;
682 722
 }
683 723
 
684
-static int parse_ipv6(token_t* token)
724
+static int parse_ipv6(struct ip_addr* ip, token_t* token)
685 725
 {
686 726
 	char buf[IP_ADDR_MAX_STR_SIZE];
687 727
 	int len, ret;
688 728
 	token_t t;
689
-	struct ip_addr ip;
690 729
 
691
-	ip.af = AF_INET6;
692
-	ip.len = 16;
730
+	ip->af = AF_INET6;
731
+	ip->len = 16;
693 732
 	len = 0;
694 733
 
695 734
 	while(1) {
... ...
@@ -703,7 +742,7 @@ static int parse_ipv6(token_t* token)
703 742
 	}
704 743
 	buf[len] = '\0';
705 744
 
706
-	if (inet_pton(ip.af, buf, ip.u.addr) <= 0)  goto err;
745
+	if (inet_pton(ip->af, buf, ip->u.addr) <= 0)  goto err;
707 746
 	return 0;
708 747
  err:
709 748
 	LOG(L_ERR, "ERROR:%s:%d:%d: Invalid IPv6 address\n", 
... ...
@@ -711,20 +750,19 @@ static int parse_ipv6(token_t* token)
711 750
 	return -1;
712 751
 }
713 752
 
714
-static int parse_ipv4(token_t* token)
753
+static int parse_ipv4(struct ip_addr* ip, token_t* token)
715 754
 {
716
-	struct ip_addr ip;
717 755
 	int ret, i;
718 756
 	token_t  t;
719 757
 	unsigned int v;
720 758
 
721
-	ip.af = AF_INET;
722
-	ip.len = 4;
759
+	ip->af = AF_INET;
760
+	ip->len = 4;
723 761
 
724 762
 	if (str2int(&token->val, &v) < 0) goto err;
725 763
 	if (v < 0 || v > 255) goto err;
726 764
 
727
-	ip.u.addr[0] = v;
765
+	ip->u.addr[0] = v;
728 766
 
729 767
 	for(i = 1; i < 4; i++) {
730 768
 		ret = tls_lex(&t, 0);
... ...
@@ -736,7 +774,7 @@ static int parse_ipv4(token_t* token)
736 774
 		if (ret == 0 || t.type != TOKEN_ALPHA) goto err;
737 775
 		if (str2int(&t.val, &v) < 0)  goto err;
738 776
 		if (v < 0 || v > 255) goto err;
739
-		ip.u.addr[i] = v;
777
+		ip->u.addr[i] = v;
740 778
 	}
741 779
 
742 780
 	return 0;
... ...
@@ -746,9 +784,8 @@ static int parse_ipv4(token_t* token)
746 784
 	return -1;
747 785
 }
748 786
 
749
-static int parse_hostport(token_t* token)
787
+static int parse_hostport(int* type, struct ip_addr* ip, unsigned int* port, token_t* token)
750 788
 {
751
-	unsigned int port;
752 789
 	int ret;
753 790
 	token_t t;
754 791
 	struct parser_tab* r;
... ...
@@ -762,20 +799,22 @@ static int parse_hostport(token_t* token)
762 799
 	}
763 800
 
764 801
 	if (t.type == '[') {
765
-		if (parse_ipv6(&t) < 0) return -1;
802
+		if (parse_ipv6(ip, &t) < 0) return -1;
766 803
 	} else if (t.type == TOKEN_ALPHA) {
767 804
 		r = lookup_token(token_default, &t.val);
768 805
 		if (r) {
806
+			*type = TLS_DOMAIN_DEF;
769 807
 			     /* Default domain */
770 808
 			return 0;
771 809
 		} else {
772
-			if (parse_ipv4(&t) < 0) return -1;
810
+			if (parse_ipv4(ip, &t) < 0) return -1;
773 811
 		}
774 812
 	} else {
775 813
 		LOG(L_ERR, "ERROR:%s:%d:%d: Syntax error, IP address expected\n", 
776 814
 		    pstate.file, t.start.line, t.start.col);
777 815
 		return -1;
778 816
 	}
817
+	*type = 0;
779 818
 
780 819
 	     /* Parse port */
781 820
 	ret = tls_lex(&t, 0);
... ...
@@ -800,7 +839,7 @@ static int parse_hostport(token_t* token)
800 839
 		return -1;
801 840
 	}
802 841
 
803
-	if (t.type != TOKEN_ALPHA || (str2int(&t.val, &port) < 0)) {
842
+	if (t.type != TOKEN_ALPHA || (str2int(&t.val, port) < 0)) {
804 843
 		LOG(L_ERR, "ERROR:%s:%d:%d: Invalid port number '%.*s'\n", 
805 844
 		    pstate.file, t.start.line, t.start.col,
806 845
 		    t.val.len, ZSW(t.val.s));
... ...
@@ -815,6 +854,12 @@ static int parse_domain(token_t* token)
815 854
 	int ret;
816 855
 	struct parser_tab* r;
817 856
 
857
+	int type;
858
+	struct ip_addr ip;
859
+	unsigned int port;
860
+
861
+	memset(&ip, 0, sizeof(struct ip_addr));
862
+
818 863
 	ret = tls_lex(&t, 0);
819 864
 	if (ret < 0) return -1;
820 865
 	if (ret == 0) {
... ...
@@ -844,7 +889,7 @@ static int parse_domain(token_t* token)
844 889
 		return -1;
845 890
 	}	
846 891
 
847
-	if (parse_hostport(&t) < 0) return -1;
892
+	if (parse_hostport(&type, &ip, &port, &t) < 0) return -1;
848 893
 
849 894
 	ret = tls_lex(&t, 0);
850 895
 	if (ret < 0) return -1;
... ...
@@ -859,6 +904,26 @@ static int parse_domain(token_t* token)
859 904
 		return -1;
860 905
 	}	
861 906
 
907
+	pstate.domain = tls_new_domain(r->u.ival | type, &ip, port);
908
+	if (!pstate.domain) {
909
+		LOG(L_ERR, "ERROR:%s:%d: Cannot create TLS domain structure\n", 
910
+		    pstate.file, token->start.line);
911
+		return -1;
912
+	}
913
+
914
+	ret = tls_add_domain(pstate.cfg, pstate.domain);
915
+	if (ret < 0) {
916
+		LOG(L_ERR, "ERROR:%s:%d: Error while creating TLS domain structure\n", 
917
+		    pstate.file, token->start.line);
918
+		tls_free_domain(pstate.domain);
919
+		return -1;
920
+	} else if (ret == 1) {
921
+		LOG(L_ERR, "ERROR:%s:%d: Duplicate TLS domain (appears earlier in the config file)\n", 
922
+		    pstate.file, token->start.line);
923
+		tls_free_domain(pstate.domain);
924
+		return -1;
925
+	}
926
+
862 927
 	return 0;
863 928
 }
864 929
 
... ...
@@ -875,6 +940,12 @@ static int parse_config(void)
875 940
 
876 941
 		switch(token.type) {
877 942
 		case TOKEN_ALPHA:
943
+			if (!pstate.domain) {
944
+				LOG(L_ERR, "ERROR:%s:%d: You need to specify TLS domain first\n", 
945
+				    pstate.file, token.start.line);
946
+				return -1;
947
+			}
948
+
878 949
 			     /* Lookup the option name */
879 950
 			r = lookup_token(option_name, &token.val);
880 951
 			if (!r) {
... ...
@@ -913,28 +984,61 @@ static int parse_config(void)
913 984
 }
914 985
 
915 986
 
916
-int tls_load_config(char* filename)
987
+/*
988
+ * Create configuration structures from configuration file
989
+ */
990
+tls_cfg_t* tls_load_config(str* filename)
917 991
 {
918 992
 	str val;
993
+	char* file;
919 994
 	struct token token;
920 995
 
921
-	pstate.f = fopen(filename, "r");
996
+	file = get_pathname(filename);
997
+	if (!file) return 0;
998
+
999
+	pstate.f = fopen(file, "r");
922 1000
 	if (pstate.f == NULL) {
923
-		ERR("Unable to open TLS config file '%s'\n", filename);
924
-		return -1;
1001
+		ERR("Unable to open TLS config file '%s'\n", file);
1002
+		pkg_free(file);
1003
+		return 0;
925 1004
 	}
926
-	pstate.file = basename(filename);
1005
+	pstate.file = basename(file);
927 1006
 	pstate.line = 1;
928 1007
 	pstate.col = 0;
1008
+	pstate.domain = 0;
929 1009
 
1010
+	pstate.cfg = tls_new_cfg();
1011
+	if (!pstate.cfg) goto error;
1012
+	
930 1013
 	if (parse_config() < 0) goto error;
931 1014
 
932 1015
 	fclose(pstate.f);
933
-	return 0;
1016
+	pkg_free(file);
1017
+	return pstate.cfg;
934 1018
 
935 1019
  error:
1020
+	pkg_free(file);
1021
+	if (pstate.cfg) tls_free_cfg(pstate.cfg);
936 1022
 	fclose(pstate.f);
937
-	return -1;
1023
+	return 0;
1024
+}
1025
+
1026
+/*
1027
+ * Convert TLS method string to integer
1028
+ */
1029
+int tls_parse_method(str* method)
1030
+{
1031
+	struct parser_tab* r;
1032
+
1033
+	if (!method) {
1034
+		ERR("BUG: Invalid parameter value\n");
1035
+		return -1;
1036
+	}
1037
+
1038
+	r = lookup_token(token_method, method);
1039
+	if (!r) return -1;
1040
+
1041
+	return r->u.ival;
938 1042
 }
939 1043
 
940 1044
 
... ...
@@ -34,7 +34,14 @@
34 34
 #define _TLS_CONFIG_H
35 35
 
36 36
 #include "../../str.h"
37
+#include "tls_domain.h"
38
+
39
+tls_cfg_t* tls_load_config(str* filename);
40
+
41
+/*
42
+ * Convert TLS method string to integer
43
+ */
44
+int tls_parse_method(str* method);
37 45
 
38
-int load_tls_config(char* filename);
39 46
 
40 47
 #endif /* _TLS_CONFIG_H */
... ...
@@ -28,41 +28,20 @@
28 28
  */
29 29
 
30 30
 #include <stdlib.h>
31
+#include <openssl/ssl.h>
32
+#include <openssl/opensslv.h>
33
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
34
+# include <openssl/ui.h>
35
+#endif
31 36
 #include "../../ut.h"
32 37
 #include "../../mem/shm_mem.h"
33 38
 #include "../../pt.h"
34 39
 #include "tls_server.h"
40
+#include "tls_util.h"
41
+#include "tls_mod.h"
42
+#include "tls_init.h"
35 43
 #include "tls_domain.h"
36 44
 
37
-tls_domain_t* tls_def_srv = 0;
38
-tls_domain_t* tls_def_cli = 0;
39
-tls_domain_t* tls_srv_list = 0;
40
-tls_domain_t* tls_cli_list = 0;
41
-
42
-
43
-/*
44
- * find domain with given ip and port 
45
- */
46
-tls_domain_t* tls_find_domain(int type, struct ip_addr *ip, unsigned short port)
47
-{
48
-	tls_domain_t *p;
49
-
50
-	if (type & TLS_DOMAIN_DEF) {
51
-		if (type & TLS_DOMAIN_SRV) return tls_def_srv;
52
-		else return tls_def_cli;
53
-	} else {
54
-		if (type & TLS_DOMAIN_SRV) p = tls_srv_list;
55
-		else p = tls_cli_list;
56
-	}
57
-
58
-	while (p) {
59
-		if ((p->port == port) && ip_addr_cmp(&p->ip, ip))
60
-			return p;
61
-		p = p->next;
62
-	}
63
-	return 0;
64
-}
65
-
66 45
 
67 46
 /*
68 47
  * create a new domain 
... ...
@@ -71,7 +50,7 @@ tls_domain_t* tls_new_domain(int type, struct ip_addr *ip, unsigned short port)
71 50
 {
72 51
 	tls_domain_t* d;
73 52
 
74
-	d = pkg_malloc(sizeof(tls_domain_t));
53
+	d = shm_malloc(sizeof(tls_domain_t));
75 54
 	if (d == NULL) {
76 55
 		ERR("Memory allocation failure\n");
77 56
 		return 0;
... ...
@@ -79,82 +58,59 @@ tls_domain_t* tls_new_domain(int type, struct ip_addr *ip, unsigned short port)
79 58
 	memset(d, '\0', sizeof(tls_domain_t));
80 59
 
81 60
 	d->type = type;
82
-	if (type & TLS_DOMAIN_DEF) {
83
-		if (type & TLS_DOMAIN_SRV) {
84
-			     /* Default server domain */
85
-			d->cert_file = TLS_CERT_FILE;
86
-			d->pkey_file = TLS_PKEY_FILE;
87
-			d->verify_cert = 0;
88
-			d->verify_depth = 3;
89
-			d->ca_file = TLS_CA_FILE;
90
-			d->require_cert = 0;
91
-			d->method = TLS_USE_TLSv1;
92
-			tls_def_srv = d;
93
-		} else {
94
-			     /* Default client domain */
95
-			d->cert_file = 0;
96
-			d->pkey_file = 0;
97
-			d->verify_cert = 0;
98
-			d->verify_depth = 3;
99
-			d->ca_file = TLS_CA_FILE;
100
-			d->require_cert = 0;
101
-			d->method = TLS_USE_TLSv1;
102
-			tls_def_cli = d;
103
-		}		
104
-	} else {
105
-		memcpy(&d->ip, ip, sizeof(struct ip_addr));
106
-		d->port = port;
107
-		d->verify_cert = -1;
108
-		d->verify_depth = -1;
109
-		d->require_cert = -1;
110
-
111
-		if (type & TLS_DOMAIN_SRV) {
112
-			d->next = tls_srv_list;
113
-			tls_srv_list = d;
114
-		} else {
115
-			d->next = tls_cli_list;
116
-			tls_cli_list = d;
117
-		}
118
-	}
61
+	if (ip) memcpy(&d->ip, ip, sizeof(struct ip_addr));
62
+	d->port = port;
63
+	d->verify_cert = -1;
64
+	d->verify_depth = -1;
65
+	d->require_cert = -1;
119 66
 	return d;
67
+
68
+ error:
69
+	shm_free(d);
70
+	return 0;
120 71
 }
121 72
 
122 73
 
123
-static void free_domain(tls_domain_t* d)
74
+/*
75
+ * Free all memory used by configuration domain
76
+ */
77
+void tls_free_domain(tls_domain_t* d)
124 78
 {
125 79
 	int i;
126 80
 	if (!d) return;
127 81
 	if (d->ctx) {
128
-		if (*d->ctx) {
129
-			for(i = 0; i < process_count; i++) {
130
-				if ((*d->ctx)[i]) SSL_CTX_free((*d->ctx)[i]);
131
-			}
132
-			shm_free(*d->ctx);
82
+		for(i = 0; i < process_count; i++) {
83
+			if (d->ctx[i]) SSL_CTX_free(d->ctx[i]);
133 84
 		}
134 85
 		shm_free(d->ctx);
135 86
 	}
136
-	pkg_free(d);
87
+
88
+	if (d->cipher_list) shm_free(d->cipher_list);
89
+	if (d->ca_file) shm_free(d->ca_file);
90
+	if (d->pkey_file) shm_free(d->pkey_file);
91
+	if (d->cert_file) shm_free(d->cert_file);
92
+	shm_free(d);
137 93
 }
138 94
 
139 95
 
140 96
 /*
141 97
  * clean up 
142 98
  */
143
-void tls_free_domains(void)
99
+void tls_free_cfg(tls_cfg_t* cfg)
144 100
 {
145 101
 	tls_domain_t* p;
146
-	while(tls_srv_list) {
147
-		p = tls_srv_list;
148
-		tls_srv_list = tls_srv_list->next;
149
-		free_domain(p);
150
-	}
151
-	while(tls_cli_list) {
152
-		p = tls_srv_list;
153
-		tls_srv_list = tls_srv_list->next;
154
-		free_domain(p);
155
-	}
156
-	if (tls_def_srv) free_domain(tls_def_srv);
157
-	if (tls_def_cli) free_domain(tls_def_cli);
102
+	while(cfg->srv_list) {
103
+		p = cfg->srv_list;
104
+		cfg->srv_list = cfg->srv_list->next;
105
+		tls_free_domain(p);
106
+	}
107
+	while(cfg->cli_list) {
108
+		p = cfg->cli_list;
109
+		cfg->cli_list = cfg->cli_list->next;
110
+		tls_free_domain(p);
111
+	}
112
+	if (cfg->srv_default) tls_free_domain(cfg->srv_default);
113
+	if (cfg->cli_default) tls_free_domain(cfg->cli_default);
158 114
 }
159 115
 
160 116
 
... ...
@@ -169,107 +125,328 @@ char* tls_domain_str(tls_domain_t* d)
169 125
 	buf[0] = '\0';
170 126
 	p = buf;
171 127
 	p = strcat(p, d->type & TLS_DOMAIN_SRV ? "TLSs<" : "TLSc<");
172
-	if (d->ip.len) {
128
+	if (d->type & TLS_DOMAIN_DEF) {
129
+		p = strcat(p, "default>");
130
+	} else {
173 131
 		p = strcat(p, ip_addr2a(&d->ip));
174 132
 		p = strcat(p, ":");
175 133
 		p = strcat(p, int2str(d->port, 0));
176 134
 		p = strcat(p, ">");
177
-	} else {
178
-		p = strcat(p, "default>");
179 135
 	}
180 136
 	return buf;
181 137
 }
182 138
 
183 139
 
184 140
 /*
185
- * Initialize all domain attributes from default domains
186
- * if necessary
141
+ * Initialize parameters that have not been configured from
142
+ * parent domain (usualy one of default domains
187 143
  */
188
-static int fix_domain(tls_domain_t* d, tls_domain_t* def)
144
+static int fill_missing(tls_domain_t* d, tls_domain_t* parent)
189 145
 {
190
-	d->ctx = (SSL_CTX***)shm_malloc(sizeof(SSL_CTX**));
191
-	if (!d->ctx) {
192
-		ERR("No shared memory left\n");
193
-		return -1;
194
-	}
195
-	*d->ctx = 0;
196
-
197
-	if (d->method == TLS_METHOD_UNSPEC) {
198
-		INFO("%s: Method not configured, using default value %d\n",
199
-		     tls_domain_str(d), def->method);
200
-		d->method = def->method;
201
-	} else {
202
-		INFO("%s: using TLS method %d\n",
203
-		     tls_domain_str(d), d->method);
204
-	}
146
+	if (d->method == TLS_METHOD_UNSPEC) d->method = parent->method;
147
+	LOG(L_INFO, "%s: tls_method=%d\n", tls_domain_str(d), d->method);
205 148
 	
206 149
 	if (d->method < 1 || d->method >= TLS_METHOD_MAX) {
207 150
 		ERR("%s: Invalid TLS method value\n", tls_domain_str(d));
208 151
 		return -1;
209 152
 	}
210 153
 	
154
+	if (!d->cert_file && 
155
+	    shm_asciiz_dup(&d->cert_file, parent->cert_file) < 0) return -1;
156
+	LOG(L_INFO, "%s: certificate='%s'\n", tls_domain_str(d), d->cert_file);
157
+	
158
+	if (!d->ca_file &&
159
+	    shm_asciiz_dup(&d->ca_file, parent->ca_file) < 0) return -1;
160
+	LOG(L_INFO, "%s: ca_list='%s'\n", tls_domain_str(d), d->ca_file);
161
+	
162
+	if (d->require_cert == -1) d->require_cert = parent->require_cert;
163
+	LOG(L_INFO, "%s: require_certificate=%d\n", tls_domain_str(d), d->require_cert);
164
+	
165
+	if (!d->cipher_list &&
166
+	    shm_asciiz_dup(&d->cipher_list, parent->cipher_list) < 0) return -1;
167
+	LOG(L_INFO, "%s: cipher_list='%s'\n", tls_domain_str(d), d->cipher_list);
168
+	
169
+	if (!d->pkey_file &&
170
+	    shm_asciiz_dup(&d->pkey_file, parent->pkey_file) < 0) return -1;
171
+	LOG(L_INFO, "%s: private_key='%s'\n", tls_domain_str(d), d->pkey_file);
172
+	
173
+	if (d->verify_cert == -1) d->verify_cert = parent->verify_cert;
174
+	LOG(L_INFO, "%s: verify_certificate=%d\n", tls_domain_str(d), d->verify_cert);
175
+	
176
+	if (d->verify_depth == -1) d->verify_depth = parent->verify_depth;
177
+	LOG(L_INFO, "%s: verify_depth=%d\n", tls_domain_str(d), d->verify_depth);
178
+
179
+	return 0;
180
+}
181
+
182
+
183
+/* 
184
+ * Load certificate from file 
185
+ */
186
+static int load_cert(tls_domain_t* d)
187
+{
188
+	int i;
189
+
211 190
 	if (!d->cert_file) {
212
-		INFO("%s: No certificate configured, using default '%s'\n",
213
-		     tls_domain_str(d), def->cert_file);
214
-		d->cert_file = def->cert_file;
215
-	} else {
216
-		INFO("%s: using certificate '%s'\n",
217
-		     tls_domain_str(d), d->cert_file);
191
+		DBG("%s: No certificate configured\n", tls_domain_str(d));
192
+		return 0;
218 193
 	}
219
-	
194
+
195
+	for(i = 0; i < process_count; i++) {
196
+		if (!SSL_CTX_use_certificate_chain_file(d->ctx[i], d->cert_file)) {
197
+			ERR("%s: Unable to load certificate file '%s'\n",
198
+			    tls_domain_str(d), d->cert_file);
199
+			TLS_ERR("load_cert:");
200
+			return -1;
201
+		}
202
+		
203
+	}
204
+	return 0;
205
+}
206
+
207
+
208
+/* 
209
+ * Load CA list from file 
210
+ */
211
+static int load_ca_list(tls_domain_t* d)
212
+{
213
+	int i;
214
+
220 215
 	if (!d->ca_file) {
221
-		INFO("%s: No CA list configured, using default '%s'\n",
222
-		     tls_domain_str(d), def->ca_file);
223
-		d->ca_file = def->ca_file;
224
-	} else {
225
-		INFO("%s: using CA list '%s'\n",
226
-		     tls_domain_str(d), d->ca_file);
216
+		DBG("%s: No CA list configured\n", tls_domain_str(d));
217
+		return 0;
227 218
 	}
228
-	
229
-	if (d->require_cert == -1) {
230
-		INFO("%s: require_certificate not configured, using default value %d\n",
231
-		     tls_domain_str(d), def->require_cert);
232
-		d->require_cert = def->require_cert;
219
+
220
+	for(i = 0; i < process_count; i++) {
221
+		if (SSL_CTX_load_verify_locations(d->ctx[i], d->ca_file, 0) != 1) {
222
+			ERR("%s: Unable to load CA list '%s'\n", tls_domain_str(d), d->ca_file);
223
+			TLS_ERR("load_ca_list:");
224
+			return -1;
225
+		}
226
+		SSL_CTX_set_client_CA_list(d->ctx[i], SSL_load_client_CA_file(d->ca_file));
227
+		if (SSL_CTX_get_client_CA_list(d->ctx[i]) == 0) {
228
+			ERR("%s: Error while setting client CA list\n", tls_domain_str(d));
229
+			TLS_ERR("load_ca_list:");
230
+			return -1;
231
+		}
232
+	}
233
+	return 0;
234
+}
235
+
236
+
237
+/* 
238
+ * Configure cipher list 
239
+ */
240
+static int set_cipher_list(tls_domain_t* d)
241
+{
242
+	int i;
243
+
244
+	if (!d->cipher_list) return 0;
245
+	for(i = 0; i < process_count; i++) {
246
+		if (SSL_CTX_set_cipher_list(d->ctx[i], d->cipher_list) == 0 ) {
247
+			ERR("%s: Failure to set SSL context cipher list\n", tls_domain_str(d));
248
+			return -1;
249
+		}
250
+	}
251
+	return 0;
252
+}
253
+
254
+
255
+/* 
256
+ * Enable/disable certificate verification 
257
+ */
258
+static int set_verification(tls_domain_t* d)
259
+{
260
+	int verify_mode, i;
261
+
262
+	if (d->require_cert) {
263
+		verify_mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
264
+		LOG(L_INFO, "%s: %s MUST present valid certificate\n", 
265
+		     tls_domain_str(d), d->type & TLS_DOMAIN_SRV ? "Client" : "Server");
233 266
 	} else {
234
-		INFO("%s: require_certificate = %d\n",
235
-		     tls_domain_str(d), d->require_cert);
267
+		if (d->verify_cert) {
268
+			verify_mode = SSL_VERIFY_PEER;
269
+			if (d->type & TLS_DOMAIN_SRV) {
270
+				LOG(L_INFO, "%s: IF client provides certificate then it MUST be valid\n", 
271
+				     tls_domain_str(d));
272
+			} else {
273
+				LOG(L_INFO, "%s: Server MUST present valid certificate\n", 
274
+				     tls_domain_str(d));
275
+			}
276
+		} else {
277
+			verify_mode = SSL_VERIFY_NONE;
278
+			if (d->type & TLS_DOMAIN_SRV) {
279
+				LOG(L_INFO, "%s: No client certificate required and no checks performed\n", 
280
+				     tls_domain_str(d));
281
+			} else {
282
+				LOG(L_INFO, "%s: Server MAY present invalid certificate\n", 
283
+				     tls_domain_str(d));
284
+			}
285
+		}
236 286
 	}
237 287
 	
238
-	if (!d->cipher_list) {
239
-		INFO("%s: Cipher list not configured, using default value %s\n",
240
-		     tls_domain_str(d), def->cipher_list);
241
-		d->cipher_list = def->cipher_list;
242
-	} else {
243
-		INFO("%s: using cipher list %s\n",
244
-		     tls_domain_str(d), d->cipher_list);
288
+	for(i = 0; i < process_count; i++) {
289
+		SSL_CTX_set_verify(d->ctx[i], verify_mode, 0);
290
+		SSL_CTX_set_verify_depth(d->ctx[i], d->verify_depth);
291
+		
292
+	}
293
+	return 0;
294
+}
295
+
296
+
297
+/* 
298
+ * Configure generic SSL parameters 
299
+ */
300
+static int set_ssl_options(tls_domain_t* d)
301
+{
302
+	int i;
303
+	for(i = 0; i < process_count; i++) {
304
+#if OPENSSL_VERSION_NUMBER >= 0x000907000
305
+		SSL_CTX_set_options(d->ctx[i], 
306
+				    SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE);
307
+#else
308
+		SSL_CTX_set_options(d->ctx[i], 
309
+				    SSL_OP_ALL);
310
+#endif
311
+	}
312
+	return 0;
313
+}
314
+
315
+
316
+/* 
317
+ * Configure session cache parameters 
318
+ */
319
+static int set_session_cache(tls_domain_t* d)
320
+{
321
+	int i;
322
+	for(i = 0; i < process_count; i++) {
323
+		     /* janakj: I am not sure if session cache makes sense in ser, session 
324
+		      * cache is stored in SSL_CTX and we have one SSL_CTX per process, thus 
325
+		      * sessions among processes will not be reused
326
+		      */
327
+		SSL_CTX_set_session_cache_mode(d->ctx[i], 
328
+				   tls_session_cache ? SSL_SESS_CACHE_SERVER : SSL_SESS_CACHE_OFF);
329
+		SSL_CTX_set_session_id_context(d->ctx[i], 
330
+					       (unsigned char*)tls_session_id.s, tls_session_id.len);
331
+	}
332
+	return 0;
333
+}
334
+
335
+
336
+/*
337
+ * Initialize all domain attributes from default domains
338
+ * if necessary
339
+ */
340
+static int fix_domain(tls_domain_t* d, tls_domain_t* def)
341
+{
342
+	int i;
343
+
344
+	if (fill_missing(d, def) < 0) return -1;
345
+
346
+	d->ctx = (SSL_CTX**)shm_malloc(sizeof(SSL_CTX*) * process_count);
347
+	if (!d->ctx) {
348
+		ERR("%s: Cannot allocate shared memory\n", tls_domain_str(d));
349
+		return -1;
350
+	}
351
+	memset(d->ctx, 0, sizeof(SSL_CTX*) * process_count);
352
+	for(i = 0; i < process_count; i++) {
353
+		d->ctx[i] = SSL_CTX_new(ssl_methods[d->method - 1]);
354
+		if (d->ctx[i] == NULL) {
355
+			ERR("%s: Cannot create SSL context\n", tls_domain_str(d));
356
+			return -1;
357
+		}
245 358
 	}
246 359
 	
247
-	if (!d->pkey_file) {
248
-		INFO("%s: No private key configured, using default '%s'\n",
249
-		     tls_domain_str(d), def->pkey_file);
250
-		d->pkey_file = def->pkey_file;
251
-	} else {
252
-		INFO("%s: using private key '%s'\n",
253
-		     tls_domain_str(d), d->pkey_file);
360
+	if (load_cert(d) < 0) return -1;
361
+	if (load_ca_list(d) < 0) return -1;
362
+	if (set_cipher_list(d) < 0) return -1;
363
+	if (set_verification(d) < 0) return -1;
364
+	if (set_ssl_options(d) < 0) return -1;
365
+	if (set_session_cache(d) < 0) return -1;
366
+
367
+	return 0;
368
+}
369
+
370
+
371
+static int passwd_cb(char *buf, int size, int rwflag, void *filename)
372
+{
373
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L	
374
+	UI             *ui;
375
+	const char     *prompt;
376
+	
377
+	ui = UI_new();
378
+	if (ui == NULL)
379
+		goto err;
380
+
381
+	prompt = UI_construct_prompt(ui, "passphrase", filename);
382
+	UI_add_input_string(ui, prompt, 0, buf, 0, size - 1);
383
+	UI_process(ui);
384
+	UI_free(ui);
385
+	return strlen(buf);
386
+ 
387
+ err:
388
+	ERR("passwd_cb: Error in passwd_cb\n");
389
+	if (ui) {
390
+		UI_free(ui);
254 391
 	}
392
+	return 0;
255 393
 	
256
-	if (d->verify_cert == -1) {
257
-		INFO("%s: verify_certificate not configured, using default value %d\n",
258
-		     tls_domain_str(d), def->verify_cert);
259
-		d->verify_cert = def->verify_cert;
260
-	} else {
261
-		INFO("%s: using verify_certificate = %d\n",
262
-		     tls_domain_str(d), d->verify_cert);
394
+#else
395
+	if (des_read_pw_string(buf, size-1, "Enter Private Key password:", 0)) {
396
+		ERR("Error in passwd_cb\n");
397
+		return 0;
263 398
 	}
399
+	return strlen(buf);
400
+#endif
401
+}
402
+
403
+
404
+#define NUM_RETRIES 3
405
+/*
406
+ * load a private key from a file 
407
+ */
408
+static int load_private_key(tls_domain_t* d)
409
+{
410
+	int idx, ret_pwd, i;
264 411
 	
265
-	if (d->verify_depth == -1) {
266
-		INFO("%s: verify_depth not configured, using default value %d\n",
267
-		     tls_domain_str(d), def->verify_depth);
268
-		d->verify_depth = def->verify_depth;
269
-	} else {
270
-		INFO("%s: using verify_depth = %d\n",
271
-		     tls_domain_str(d), d->verify_depth);
412
+	if (!d->pkey_file) {
413
+		DBG("%s: No private key specified\n", tls_domain_str(d));
414
+		return 0;
272 415
 	}
416
+
417
+	for(i = 0; i < process_count; i++) {
418
+		SSL_CTX_set_default_passwd_cb(d->ctx[i], passwd_cb);
419
+		SSL_CTX_set_default_passwd_cb_userdata(d->ctx[i], d->pkey_file);
420
+		
421
+		for(idx = 0, ret_pwd = 0; idx < NUM_RETRIES; idx++) {
422
+			ret_pwd = SSL_CTX_use_PrivateKey_file(d->ctx[i], d->pkey_file, SSL_FILETYPE_PEM);
423
+			if (ret_pwd) {
424
+				break;
425
+			} else {
426
+				ERR("%s: Unable to load private key '%s'\n",
427
+				    tls_domain_str(d), d->pkey_file);
428
+				TLS_ERR("load_private_key:");
429
+				continue;
430
+			}
431
+		}
432
+		
433
+		if (!ret_pwd) {
434
+			ERR("%s: Unable to load private key file '%s'\n", 
435
+			    tls_domain_str(d), d->pkey_file);
436
+			TLS_ERR("load_private_key:");
437
+			return -1;
438
+		}
439
+		
440
+		if (!SSL_CTX_check_private_key(d->ctx[i])) {
441
+			ERR("%s: Key '%s' does not match the public key of the certificate\n", 
442
+			    tls_domain_str(d), d->pkey_file);
443
+			TLS_ERR("load_private_key:");
444
+			return -1;
445
+		}
446
+	}		
447
+
448
+	DBG("%s: Key '%s' successfuly loaded\n",
449
+	    tls_domain_str(d), d->pkey_file);
273 450
 	return 0;
274 451
 }
275 452
 
... ...
@@ -278,25 +455,151 @@ static int fix_domain(tls_domain_t* d, tls_domain_t* def)
278 455
  * Initialize attributes of all domains from default domains
279 456
  * if necessary
280 457
  */
281
-int tls_fix_domains(void)
458
+int tls_fix_cfg(tls_cfg_t* cfg, tls_domain_t* srv_defaults, tls_domain_t* cli_defaults)
282 459
 {
283 460
 	tls_domain_t* d;
284 461
 
285
-	if (!tls_def_cli) tls_def_cli = tls_new_domain(TLS_DOMAIN_DEF | TLS_DOMAIN_CLI, 0, 0);
286
-	if (!tls_def_srv) tls_def_srv = tls_new_domain(TLS_DOMAIN_DEF | TLS_DOMAIN_SRV, 0, 0);
462
+	if (!cfg->cli_default) {
463
+		cfg->cli_default = tls_new_domain(TLS_DOMAIN_DEF | TLS_DOMAIN_CLI, 0, 0);
464
+	}
465
+
466
+	if (!cfg->srv_default) {
467
+		cfg->srv_default = tls_new_domain(TLS_DOMAIN_DEF | TLS_DOMAIN_SRV, 0, 0);
468
+	}
469
+
470
+	if (fix_domain(cfg->srv_default, srv_defaults) < 0) return -1;
471
+	if (fix_domain(cfg->cli_default, cli_defaults) < 0) return -1;
287 472
 
288
-	d = tls_srv_list;
473
+	d = cfg->srv_list;
289 474
 	while (d) {
290
-		if (fix_domain(d, tls_def_srv) < 0) return -1;
475
+		if (fix_domain(d, srv_defaults) < 0) return -1;
291 476
 		d = d->next;
292 477
 	}
293 478
 
294
-	d = tls_cli_list;
479
+	d = cfg->cli_list;
295 480
 	while (d) {
296
-		if (fix_domain(d, tls_def_cli) < 0) return -1;
481
+		if (fix_domain(d, cli_defaults) < 0) return -1;
482
+		d = d->next;
483
+	}
484
+
485
+	     /* Ask for passwords as the last step */
486
+	d = cfg->srv_list;
487
+	while(d) {
488
+		if (load_private_key(d) < 0) return -1;
297 489
 		d = d->next;
298 490
 	}
299
-	if (fix_domain(tls_def_srv, tls_def_srv) < 0) return -1;
300
-	if (fix_domain(tls_def_cli, tls_def_cli) < 0) return -1;
491
+
492
+	d = cfg->cli_list;
493
+	while(d) {
494
+		if (load_private_key(d) < 0) return -1;
495
+		d = d->next;
496
+	}
497
+
498
+	if (load_private_key(cfg->srv_default) < 0) return -1;
499
+	if (load_private_key(cfg->cli_default) < 0) return -1;
500
+
501
+	return 0;
502
+}
503
+
504
+
505
+/*
506
+ * Create new configuration structure
507
+ */
508
+tls_cfg_t* tls_new_cfg(void)
509
+{
510
+	tls_cfg_t* r;
511
+
512
+	r = (tls_cfg_t*)shm_malloc(sizeof(tls_cfg_t));
513
+	if (!r) {
514
+		ERR("No memory left\n");
515
+		return 0;
516
+	}
517
+	memset(r, 0, sizeof(tls_cfg_t));
518
+	return r;
519
+}
520
+
521
+
522
+/*
523
+ * Lookup TLS configuration based on type, ip, and port
524
+ */
525
+tls_domain_t* tls_lookup_cfg(tls_cfg_t* cfg, int type, struct ip_addr* ip, unsigned short port)
526
+{
527
+	tls_domain_t *p;
528
+
529
+	if (type & TLS_DOMAIN_DEF) {
530
+		if (type & TLS_DOMAIN_SRV) return cfg->srv_default;
531
+		else return cfg->cli_default;
532
+	} else {
533
+		if (type & TLS_DOMAIN_SRV) p = cfg->srv_list;
534
+		else p = cfg->cli_list;
535
+	}
536
+
537
+	while (p) {
538
+		if ((p->port == port) && ip_addr_cmp(&p->ip, ip))
539
+			return p;
540
+		p = p->next;
541
+	}
542
+
543
+	     /* No matching domain found, return default */
544
+	if (type & TLS_DOMAIN_SRV) return cfg->srv_default;
545
+	else return cfg->cli_default;
546
+}
547
+
548
+
549
+/*
550
+ * Check whether configuration domain exists
551
+ */
552
+static int domain_exists(tls_cfg_t* cfg, tls_domain_t* d)
553
+{
554
+	tls_domain_t *p;
555
+
556
+	if (d->type & TLS_DOMAIN_DEF) {
557
+		if (d->type & TLS_DOMAIN_SRV) return cfg->srv_default != NULL;
558
+		else return cfg->cli_default != NULL;
559
+	} else {
560
+		if (d->type & TLS_DOMAIN_SRV) p = cfg->srv_list;
561
+		else p = cfg->cli_list;
562
+	}
563
+
564
+	while (p) {
565
+		if ((p->port == d->port) && ip_addr_cmp(&p->ip, &d->ip))
566
+			return 1;
567
+		p = p->next;
568
+	}
569
+
570
+	return 0;
571
+}
572
+
573
+
574
+/*
575
+ * Add a domain to the configuration set
576
+ */
577
+int tls_add_domain(tls_cfg_t* cfg, tls_domain_t* d)
578
+{
579
+	tls_domain_t* p;
580
+
581
+	if (!cfg) {
582
+		ERR("TLS configuration structure missing\n");
583
+		return -1;
584
+	}
585
+
586
+	     /* Make sure the domain does not exist */
587
+	if (domain_exists(cfg, d)) return 1;
588
+
589
+	if (d->type & TLS_DOMAIN_DEF) {
590
+		if (d->type & TLS_DOMAIN_CLI) {
591
+			cfg->cli_default = d;
592
+		} else {
593
+			cfg->srv_default = d;
594
+		}
595
+	} else {
596
+		if (d->type & TLS_DOMAIN_SRV) {
597
+			d->next = cfg->srv_list;
598
+			cfg->srv_list = d;
599
+		} else {
600
+			d->next = cfg->cli_list;
601
+			cfg->cli_list = d;
602
+		}
603
+	}
301 604
 	return 0;
302 605
 }
... ...
@@ -35,6 +35,9 @@
35 35
 #include <openssl/ssl.h>
36 36
 
37 37
 
38
+/*
39
+ * Available TLS methods
40
+ */
38 41
 enum tls_method {
39 42
 	TLS_METHOD_UNSPEC = 0,
40 43
 	TLS_USE_SSLv2_cli,
... ...
@@ -52,20 +55,25 @@ enum tls_method {
52 55
 	TLS_METHOD_MAX
53 56
 };
54 57
 
58
+
59
+/*
60
+ * TLS configuration domain type
61
+ */
55 62
 enum tls_domain_type {
56 63
 	TLS_DOMAIN_DEF = (1 << 0), /* Default domain */
57 64
 	TLS_DOMAIN_SRV = (1 << 1), /* Server domain */
58 65
 	TLS_DOMAIN_CLI = (1 << 2)  /* Client domain */
59 66
 };
60 67
 
68
+
61 69
 /*
62
- * separate configuration per ip:port 
70
+ * separate configuration per ip:port
63 71
  */
64 72
 typedef struct tls_domain {
65 73
 	int type;
66 74
 	struct ip_addr ip;
67 75
 	unsigned short port;
68
-	SSL_CTX*** ctx;     /* Pointer to the array is stored in shm mem */
76
+	SSL_CTX** ctx;
69 77
 	char* cert_file;
70 78
 	char* pkey_file;
71 79
 	int verify_cert;
... ...
@@ -77,17 +85,19 @@ typedef struct tls_domain {
77 85
 	struct tls_domain* next;
78 86
 } tls_domain_t;
79 87
 
80
-extern tls_domain_t* tls_def_srv; /* Default server domain */
81
-extern tls_domain_t* tls_def_cli; /* Default client domain */
82
-extern tls_domain_t* tls_srv_list;
83
-extern tls_domain_t* tls_cli_list;
84 88
 
85 89
 /*
86
- * find domain with given ip and port, if ip == NULL then the
87
- * default domain will be returned
90
+ * TLS configuration structures
88 91
  */
89
-tls_domain_t *tls_find_domain(int type, struct ip_addr *ip,
90
-			      unsigned short port);
92
+typedef struct tls_cfg {
93
+	tls_domain_t* srv_default; /* Default server domain */
94
+	tls_domain_t* cli_default; /* Default client domain */
95
+	tls_domain_t* srv_list;    /* Server domain list */
96
+	tls_domain_t* cli_list;    /* Client domain list */
97
+	struct tls_cfg* next;      /* Next element in the garbage list */
98
+	int ref_count;             /* How many connections use this configuration */
99
+} tls_cfg_t;
100
+
91 101
 
92 102
 /*
93 103
  * create a new domain 
... ...
@@ -95,10 +105,11 @@ tls_domain_t *tls_find_domain(int type, struct ip_addr *ip,
95 105
 tls_domain_t *tls_new_domain(int type, struct ip_addr *ip, 
96 106
 			     unsigned short port);
97 107
 
108
+
98 109
 /*
99
- * clean up 
110
+ * Free all memory used for configuration domain
100 111
  */
101
-void tls_free_domains(void);
112
+void tls_free_domain(tls_domain_t* d);
102 113
 
103 114
 
104 115
 /*
... ...
@@ -106,9 +117,36 @@ void tls_free_domains(void);
106 117
  */
107 118
 char* tls_domain_str(tls_domain_t* d);
108 119
 
120
+
121
+
122
+/*
123
+ * Create new instance of TLS configuration data
124
+ */
125
+tls_cfg_t* tls_new_cfg(void);
126
+
127
+
128
+/*
129
+ * Add a new configuration domain
130
+ */
131
+int tls_add_domain(tls_cfg_t* cfg, tls_domain_t* d);
132
+
133
+
109 134
 /*
110 135
  * Fill in missing parameters
111 136
  */
112
-int tls_fix_domains(void);
137
+int tls_fix_cfg(tls_cfg_t* cfg, tls_domain_t* srv_defaults, tls_domain_t* cli_defaults);
138
+
139
+
140
+/*
141
+ * Lookup TLS configuration
142
+ */
143
+tls_domain_t* tls_lookup_cfg(tls_cfg_t* cfg, int type, struct ip_addr* ip, unsigned short port);
144
+
145
+
146
+/*
147
+ * Free TLS configuration data
148
+ */
149
+void tls_free_cfg(tls_cfg_t* cfg);
150
+
113 151
 
114 152
 #endif /* _TLS_DOMAIN_H */
... ...
@@ -34,10 +34,6 @@
34 34
 #include <unistd.h>
35 35
 
36 36
 #include <openssl/ssl.h>
37
-#include <openssl/opensslv.h>
38
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
39
-# include <openssl/ui.h>
40
-#endif
41 37
 
42 38
  
43 39
 #include "../../dprint.h"
... ...
@@ -70,7 +66,7 @@
70 66
 #endif
71 67
 
72 68
 
73
-static SSL_METHOD* ssl_methods[TLS_USE_SSLv23 + 1];
69
+SSL_METHOD* ssl_methods[TLS_USE_SSLv23 + 1];
74 70
 
75 71
 
76 72
 /*
... ...
@@ -95,39 +91,6 @@ static void ser_free(void *ptr)
95 91
 }
96 92
 
97 93
 
98
-static int passwd_cb(char *buf, int size, int rwflag, void *filename)
99
-{
100
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L	
101
-	UI             *ui;
102
-	const char     *prompt;
103
-	
104
-	ui = UI_new();
105
-	if (ui == NULL)
106
-		goto err;
107
-
108
-	prompt = UI_construct_prompt(ui, "passphrase", filename);
109
-	UI_add_input_string(ui, prompt, 0, buf, 0, size - 1);
110
-	UI_process(ui);
111
-	UI_free(ui);
112
-	return strlen(buf);
113
- 
114
- err:
115
-	ERR("passwd_cb: Error in passwd_cb\n");
116
-	if (ui) {
117
-		UI_free(ui);
118
-	}
119
-	return 0;
120
-	
121
-#else
122
-	if (des_read_pw_string(buf, size-1, "Enter Private Key password:", 0)) {
123
-		ERR("Error in passwd_cb\n");
124
-		return 0;
125
-	}
126
-	return strlen(buf);
127
-#endif
128
-}
129
-
130
-
131 94
 /*
132 95
  * Initialize TLS socket
133 96
  */
... ...
@@ -156,109 +119,6 @@ int tls_init(struct socket_info *si)
156 119
 }
157 120
 
158 121
 
159
-#define NUM_RETRIES 3
160
-/*
161
- * load a private key from a file 
162
- */
163
-static int load_private_key(tls_domain_t* d)
164
-{
165
-	int idx, ret_pwd, i;
166
-	
167
-	if (!d->pkey_file) {
168
-		DBG("%s: No private key specified\n", tls_domain_str(d));
169
-		return 0;
170
-	}
171
-
172
-	for(i = 0; i < process_count; i++) {
173
-		SSL_CTX_set_default_passwd_cb((*d->ctx)[i], passwd_cb);
174
-		SSL_CTX_set_default_passwd_cb_userdata((*d->ctx)[i], d->pkey_file);
175
-		
176
-		for(idx = 0, ret_pwd = 0; idx < NUM_RETRIES; idx++) {
177
-			ret_pwd = SSL_CTX_use_PrivateKey_file((*d->ctx)[i], d->pkey_file, SSL_FILETYPE_PEM);
178
-			if (ret_pwd) {
179
-				break;
180
-			} else {
181
-				ERR("%s: Unable to load private key '%s'\n",
182
-				    tls_domain_str(d), d->pkey_file);
183
-				TLS_ERR("load_private_key:");
184
-				continue;
185
-			}
186
-		}
187
-		
188
-		if (!ret_pwd) {
189
-			ERR("%s: Unable to load private key file '%s'\n", 
190
-			    tls_domain_str(d), d->pkey_file);
191
-			TLS_ERR("load_private_key:");
192
-			return -1;
193
-		}
194
-		
195
-		if (!SSL_CTX_check_private_key((*d->ctx)[i])) {
196
-			ERR("%s: Key '%s' does not match the public key of the certificate\n", 
197
-			    tls_domain_str(d), d->pkey_file);
198
-			TLS_ERR("load_private_key:");
199
-			return -1;
200
-		}
201
-	}		
202
-
203
-	DBG("%s: Key '%s' successfuly loaded\n",
204
-	    tls_domain_str(d), d->pkey_file);
205
-	return 0;
206
-}
207
-
208
-
209
-/* 
210
- * Load CA list from file 
211
- */
212
-static int load_ca_list(tls_domain_t* d)
213
-{
214
-	int i;
215
-
216
-	if (!d->ca_file) {
217
-		DBG("%s: No CA list configured\n", tls_domain_str(d));
218
-		return 0;
219
-	}
220
-
221
-	for(i = 0; i < process_count; i++) {
222
-		if (SSL_CTX_load_verify_locations((*d->ctx)[i], d->ca_file, 0) != 1) {
223
-			ERR("%s: Unable to load CA list '%s'\n", tls_domain_str(d), d->ca_file);
224
-			TLS_ERR("load_ca_list:");
225
-			return -1;
226
-		}
227
-		SSL_CTX_set_client_CA_list((*d->ctx)[i], SSL_load_client_CA_file(d->ca_file));
228
-		if (SSL_CTX_get_client_CA_list((*d->ctx)[i]) == 0) {
229
-			ERR("%s: Error while setting client CA list\n", tls_domain_str(d));
230
-			TLS_ERR("load_ca_list:");
231
-			return -1;
232
-		}
233
-	}
234
-	return 0;
235
-}
236
-
237
-
238
-/* 
239
- * Load certificate from file 
240
- */
241
-static int load_cert(tls_domain_t* d)
242
-{
243
-	int i;
244
-
245
-	if (!d->cert_file) {
246
-		DBG("%s: No certificate configured\n", tls_domain_str(d));
247
-		return 0;
248
-	}
249
-
250
-	for(i = 0; i < process_count; i++) {
251
-		if (!SSL_CTX_use_certificate_chain_file((*d->ctx)[i], d->cert_file)) {
252
-			ERR("%s: Unable to load certificate file '%s'\n",
253
-			    tls_domain_str(d), d->cert_file);
254
-			TLS_ERR("load_cert:");
255
-			return -1;
256
-		}
257
-		
258
-	}
259
-	return 0;
260
-}
261
-
262 122
 
263 123
 /*
264 124
  * initialize ssl methods 
... ...
@@ -283,103 +143,9 @@ static void init_ssl_methods(void)
283 143
 }
284 144
 
285 145
 
286
-/* 
287
- * Configure cipher list 
288
- */
289
-static int set_cipher_list(tls_domain_t* d)
290
-{
291
-	int i;
292
-
293
-	if (!d->cipher_list) return 0;
294
-	for(i = 0; i < process_count; i++) {
295
-		if (SSL_CTX_set_cipher_list((*d->ctx)[i], d->cipher_list) == 0 ) {
296
-			ERR("%s: Failure to set SSL context cipher list\n", tls_domain_str(d));
297
-			return -1;
298
-		}
299
-	}
300
-	return 0;
301
-}
302
-
303
-
304
-/* 
305
- * Enable/disable certificate verification 
306
- */
307
-static int set_verification(tls_domain_t* d)
308
-{
309