
Preliminary TLS module (requires the core patch, which is attached); the module contains: - many bugfixes and a better implementation of tls_write and tls_read by Andrei - openssl compression fix by Andrei - extended TLS multi-domain support (most parameters can be configured to different values in different domains) - support for outgoing domains (not complete) - support for certificate-based authentication through selects (if @tls.peer == "Bob") ... - the TLS code is a merge of experimental/tls and Andrei's tls to get the best of both

Jan Janak authored on 28/01/2006 12:34:31
Showing 17 changed files
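new file mode 100644
--- /dev/null
+++ b/<PATH-NOT-ON-PAGE>/Makefile
@@ -0,0 +1,15 @@
+# Makefile v 1.0 2002/12/27
+#
+# TLS module makefile
+#
+# 
+# WARNING: do not run this directly, it should be run by the master Makefile
+
+include ../../Makefile.defs
+auto_gen=
+NAME=tls.so
+
+DEFS+= -I$(LOCALBASE)/ssl/include
+LIBS+= -L$(LOCALBASE)/lib -L$(LOCALBASE)/ssl/lib -lssl  -lcrypto
+
+include ../../Makefile.modules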
new file mode 100644
... ...
@@ -0,0 +1,412 @@
1
+
2
+free-TLS core module
3
+
4
+Created By: Peter Griffiths
5
+Mantainer: Cesc Santasusana
6
+
7
+Edited by
8
+
9
+Cesc Santasusana
10
+
11
+Copyright � 2005 Cesc Santasusana
12
+     _________________________________________________________
13
+
14
+   TABLE OF CONTENTS
15
+1. CHAPTER 1. USER'S GUIDE	2
16
+	1.1. OVERVIEW	2
17
+	1.2. DEPENDENCIES	2
18
+		1.2.1. SER Core and patches	2
19
+		1.2.2. SER Modules	2
20
+		1.2.3. External Libraries or Applications	2
21
+	1.3. HOW TO INSTALL	3
22
+		1.3.1. File Structure
23
+		1.3.2. Patches
24
+		1.3.3. Test Configuration in tls/etc
25
+		1.3.4. Tools to create certificates in tls/tools
26
+	1.4. HOW TO COMPILE	3
27
+	1.5. CONFIG FILE PARAMETERS	3
28
+		1.5.1. disable_tls	4
29
+		1.5.2. listen	4
30
+		1.5.3. tls_certificate	4
31
+		1.5.4. tls_private_key	4
32
+		1.5.5. tls_ca_list	4
33
+		1.5.6. tls_ciphers_list	4
34
+		1.5.7. tls_method	4
35
+		1.5.8. tls_verify and tls_require_certificate	4
36
+		1.5.9. tls_handshake_timeout and tls_send_timeout	5
37
+		1.5.10. tls_domain[IP_2:port2]	5
38
+	1.6. SSL/TLS AUTHENTICATION: CLIENT AND SERVER	5
39
+	1.7. EXPORTED FUNCTIONS	6
40
+2. CHAPTER 2. DEVELOPER'S GUIDE	6
41
+	2.1. TLS_CONFIG	6
42
+	2.2. TLS_INIT	6
43
+		2.2.1. default ssl context	6
44
+		2.2.2. init_tls(void)	6
45
+		2.2.3. destroy_tls(void)	6
46
+		2.2.4. tls_init(struct socket_info *)	7
47
+		2.2.5. ser_malloc, ser_realloc, ser_free	7
48
+	2.3. TLS_SERVER	7
49
+		2.3.1. SSL data per connection	7
50
+		2.3.2. tls_print_errstack(void)	7
51
+		2.3.3. tls_tcpconn_init( struct tcp_connection *, int)	7
52
+		2.3.4. tls_tcpconn_clean( struct tcp_connection *)	7
53
+		2.3.5. tls_close( struct tcp_connection *, int )	7
54
+		2.3.6. tls_blocking_write( struct tcp_connection, int, const char, size_t )	7
55
+		2.3.7. tls_read( struct tcp_connection *)	8
56
+		2.3.8. tls_fix_read_conn( struct tcp_connection )	8
57
+	2.4. TLS_DOMAIN	8
58
+		2.4.1. tls_domains	8
59
+		2.4.2. tls_find_domain( struct ip_addr *, unsigned short)	8
60
+		2.4.3. tls_new_domain( struct ip_addr *, unsigned *)	8
61
+		2.4.4. tls_free_domains(void)	8
62
+3. CHAPTER 3. FREQUENTLY ASKED QUESTIONS	8
63
+	3.1. WHERE CAN I FIND MORE ABOUT SER?	8
64
+	3.2. WHERE CAN I POST A QUESTION ABOUT THIS MODULE?	8
65
+	3.3. HOW CAN I REPORT A BUG?	9
66
+	3.4. WHAT IS THE DIFFERENCE WITH OpenSER-TLS?
67
+	3.5. I AM NOT HAPPY WITH THIS README ... NOW WHAT?
68
+
69
+     _________________________________________________________
70
+
71
+1. CHAPTER 1. USER'S GUIDE
72
+	1.1. OVERVIEW
73
+	TLS is an optional part of the core, not a module.
74
+	TLS, as defined in SIP RFC, is a mandatory feature for proxies and can be used to secure the SIP signalling 
75
+	on a hop-by-hop basis (not end-to-end). TLS works on top of TCP (DTLS, or TLS over UDP is already 
76
+	defined by IETF and may become available in the future).
77
+     _________________________________________________________
78
+
79
+1.2. DEPENDENCIES
80
+	1.2.1. SER Core and patches
81
+	Core must be compiled with TCP support and the patched cfg.y and cfg.lex, and some 
82
+	modification in Makefile.defs. 
83
+	The Makefile.defs file is where the library and include paths are set (where to locate Openssl) 
84
+	Read more on this below on the "external libraries" dependencies.
85
+	The cfg.XXX patch provide configuration features from the ser.cfg file, usefull and necessary.
86
+	This core module has been compiled successfully with ser branch rel_0_9_0 (updated
87
+		as of June 2005, ser-0.9.3). It should compile in HEAD too without problem.
88
+	It has been tested for functionality (successfully) with rel_0_9_0 (ser-0.9.0).
89
+	Report on success/failure stories to the mantainer. Tks!
90
+		 _________________________________________________________
91
+
92
+	1.2.2. SER Modules
93
+		No dependencies on SER modules
94
+		 _________________________________________________________
95
+	
96
+	1.2.3. External Libraries or Applications
97
+	The following libraries or applications must be installed before running SER with this module loaded:
98
+	* OpenSSL v0.9.7 or higher (OpenSSL v0.9.6 also compiles, though not recommended).
99
+	Out of OpenSSL, you need:
100
+	* libssl
101
+	* libcrypto
102
+	* openssl/*.h
103
+	Locate this, usually in:
104
+	/usr/local/lib (for libraries)
105
+	/usr/local/ssl/include/openssl (for header files)
106
+	Depending on your distro, these paths may vary. In this case, you need to modify Makefile.defs file in 
107
+	$SERROOT. At the bottom of the file, look for
108
+		ifneq ($(TLS),)
109
+		  LIBS+= -L$SOMEPATH/lib -lssl  -lcrypto
110
+		  DEFS+= -I$SOMEPATH/ssl/include
111
+		endif
112
+	Change the LIBS entry to include the folder where the libssl and libcrypto files are. 
113
+	Change the DEFS entry to include the folder where the openssl/ folder is.
114
+	NOTE: RedHat ships by default with a very strange setup of the paths, as well as not usual compilation of 
115
+	the libraries, which resumes in ... trouble. Look for solutions in Google, or locally compile OpenSSL 
116
+	sources on your system.
117
+	________________________________________________________
118
+1.3. HOW TO INSTALL
119
+	1.3.1. File Structure
120
+	This is the file structure that needs to be created:
121
+	$SER_ROOT/tls/tls_config.h and .c
122
+	$SER_ROOT/tls/tls_init.h and .c
123
+	$SER_ROOT/tls/tls_server.h and .c
124
+	$SER_ROOT/tls/tls_domain.h and .c
125
+	
126
+	The files that (may) need to be patched or modified
127
+	$SER_ROOT/Makefile.defs
128
+	$SER_ROOT/cfg.y
129
+	$SER_ROOT/cfg.lex
130
+	NOTE: patches can be found in the tls/patches. See above for Makefile.defs tweaking to locate OpenSSL.
131
+	
132
+	1.3.2. Patches
133
+	In the experimental/tls/patches folder, there are the following files:
134
+	- cfg.lex.patch and cfg.y.patch, to be used to patch the corresponding
135
+		files in $SERROOT.
136
+		> cp cfg.XXX.patch $SERROOT/
137
+		> cd $SERROOT
138
+		> patch -p0 < cfg.XXX.patch
139
+	- cfg.y and cfg.lex: these are the full files, taken from the cvs rel_0_9_0 and patched
140
+		with the above patches (for lazy people :D ). 
141
+	Use the patches if you have modified your cfg.y or cfg.lex files or if it is a different
142
+		branch. Use the full files if you don't want to patch the files, or have the standard
143
+		cvs rel_0_9_0 branch files.
144
+	
145
+	1.3.3. Test configuration
146
+	In the folder tls/etc you can find a sample config file, along with test certificates ready to use.
147
+	Note that in the tls/etc/tls.ser.cfg, the path to certificates and private keys are set to
148
+	          /usr/local/etc/ser/certs and /usr/local/etc/ser/private
149
+		  (change according to your local configuration)
150
+	
151
+	1.3.4. Tools to create certificates
152
+	In the folder tls/tools there are script and configuration files to be used with openssl application
153
+	to create certificate (root CA and user certs).
154
+	Read the README.tls.tools file there for more info.
155
+	________________________________________________________
156
+
157
+1.4. HOW TO COMPILE
158
+	Easy ;)  Add the TLS=1 flag when compiling, for example:
159
+	>	make TLS=1 install
160
+	If you have problems compiling the TLS code, such as header files not found, or linking problems related 
161
+	to SSL_* functions, check the paths in Makefile.defs (at the bottom, the DEFS+= and LIB+=, and check if 
162
+	the openssl/ folder is there, and if the libssl.so and libcrypto.so files are in the specified folders).
163
+	________________________________________________________
164
+	
165
+1.5. CONFIG FILE PARAMETERS
166
+	All these parameters can be used from the ser.cfg file, to configure the behavior of SER-tls.
167
+	________________________________________________________
168
+	1.5.1. disable_tls
169
+	Disables TLS (no server is created on the listen addresses, no outgoing connections can be set up).
170
+	It only exhists if TLS=1 is used at compile time.
171
+			Default_value: disable_tls=0
172
+	________________________________________________________
173
+	1.5.2. listen
174
+	Not specific to TLS. Allows to specify the protocol (udp, tcp, tls), the IP address and the port 
175
+	where the listening server will be.
176
+			listen=tls:IP:port
177
+	________________________________________________________
178
+	1.5.3. tls_certificate
179
+	NOTE: To be able to use most of this configuration parameters, you need to have patched cfg.y and cfg.lex 
180
+	(and recompile :D )
181
+		Public certificate file for SER. It will be used as server-side certificate for incoming TLS 
182
+	connections,  and as a client-side certificate for outgoing TLS connections.
183
+		default: "CFG_DIR/cert.pem"
184
+			example: tls_certificate="/mycerts/certs/ser_server_cert.pem"
185
+	________________________________________________________
186
+	1.5.4. tls_private_key
187
+		Private key of the above certificate ... keep it in a safe place with tight permissions!
188
+		default: CFG_DIR/cert.pem
189
+			example: tls_private_key="/mycerts/private/prik.pem"
190
+	________________________________________________________
191
+	1.5.5. tls_ca_list
192
+		List of trusted CAs. The file contains the certificates accepted, one after the other ( cat x >> 
193
+	ca.list). It MUST be a file, not a folder (for now).
194
+		default: "" (no ca_list)
195
+			example: tls_ca_list="/mycerts/certs/ca_list.pem"
196
+	________________________________________________________
197
+	1.5.6. tls_ciphers_list
198
+		We can specify the list of algorithms for authentication and encryption that we allow.
199
+		To obtain a list of ciphers and then choose, use the openssl application:
200
+		> openssl ciphers 'ALL:eNULL:!LOW:!EXPORT'
201
+		Do not use the NULL algorithms ... only for testing!!!
202
+		Default: no change, use the default ciphers choosen by OpenSSL.
203
+			Example: tls_ciphers_list="NULL-SHA:NULL-MD5:AES256-SHA:AES128-SHA"
204
+	________________________________________________________
205
+	1.5.7. tls_method
206
+		Protocol version to use. Best is to use sslv23, for extended compatibility. Using any of the other 
207
+	will restrict the version to just that one version. In fact, sslv2 is disabled in the source code... to use it, you 
208
+	need to edit tls_init.c
209
+		Default: sslv23
210
+			tls_method= [sslv2 | sslv23 | sslv3 | tlsv1]  
211
+	________________________________________________________
212
+	1.5.8. tls_verify and tls_require_certificate
213
+	This two variables highly effect the final security of your deployment. READ carefully!
214
+		Technically, tls_verify activates SSL_VERIFY_PEER in the ssl_context.
215
+		tls_require_certificate does the same with SSL_VERIFY_FAIL_IF_NO_PEER_CERT, which is 
216
+	only possible if SSL_VERIFY_PEER is also turned on.
217
+		See the "how does verification work" for more info
218
+		default is 0 for both.
219
+			Example: tls_verify = 1
220
+							tls_require_certificate = 1
221
+			(this example turns on the strictest and strongest authentication possible)
222
+	________________________________________________________
223
+	1.5.9. tls_handshake_timeout and tls_send_timeout
224
+		Timeouts ... advanced users only.
225
+		default is 120 seconds for both.
226
+			Example: tls_handshake_timeout=119    [number of seconds]
227
+			Example: tls_send_timeout=121              [number of seconds]
228
+	________________________________________________________
229
+	1.5.10. tls_domain[IP_2:port2]
230
+	Note: domains are only possible if cfg.y and cfg.lex are patched.
231
+			If you only run one domain, the main one is enough. If you are running several tls servers (that is, 
232
+	you have more than one listen:tls:ip:port entry in the config file), you can specify some parameters for each 
233
+	of them separately (not all the above). 
234
+			tls_domain[IP_2:port2] {
235
+			#specify parameters for a domain in particular, otherwise, 
236
+			#it will use the default. These are the possible parameters to
237
+			#change for each domain
238
+			tls_certificate="new_cert"
239
+			tls_private_key="new_cert_key"
240
+			tls_ca_list="other ca"
241
+			tls_method="tlsv1"
242
+			}
243
+			tls_domain[IP_3:port3] {
244
+		...
245
+			}
246
+			NOTE: For now, tls_ciphers_list cannot be specified on a per domain basis. When I have the time 
247
+	to thoroughly test tls_domains, I will add this.
248
+     _________________________________________________________
249
+
250
+1.6. SSL/TLS AUTHENTICATION: CLIENT AND SERVER
251
+	TLS provides for strong authentication mechanism, as well as encryption following authentication. Of 
252
+	course, null encryption can be used, as well as weak authentication mechanisms (for example, anonymous, 
253
+	that is, no authentication).
254
+	How does verification work?
255
+	Verification is the process by which the authentication data provided by the peers is checked. This data 
256
+	consists usually of a peer certificate, plus a chain of trusted certification authorities. If for whatever reason, 
257
+	either of the peers thinks that the handshake is not valid, the ssl connection is not established.
258
+	The reasons could be many: untrusted server certficate, too-weak algorithm, invalid client cert, no client 
259
+	authentication, ...
260
+	The "tls_verify" and "tls_require_certificate" are SER-names for the 
261
+	OpenSSL defined flags:
262
+	- SSL_VERIFY_PEER is tls_verify) and 
263
+	- SSL_VERIFY_FAIL_IF_NO_PEER_CERT is tls_require_certificate (tls_require_certificate is only used 
264
+	if tls_verify=1)
265
+	
266
+	If we are acting as a server, we always send our server-side certificate to the client. 
267
+	- If tls_verify=0, we do not request the client a client-certificate. This means that the client is not 
268
+		authenticated.
269
+	- If tls_verify=1, we (the server) send a client-certificate request to the client. But the client is free 
270
+		to not provide any. In this case,  tls_require_certificate comes into play:
271
+			_ if tls_require_cert=0, the verification process will succedd if
272
+				the client does not provide a certificate, or if it provides
273
+				one, it verifies correctly against the server's list of 
274
+				trusted certification authorities.
275
+			_ if tls_require_cert=1, the verification process will only succeed
276
+				if the client provides a certificate and this verifies correctly
277
+				against the server's list of trusted CAs.
278
+     _________________________________________________________
279
+
280
+1.7. EXPORTED FUNCTIONS
281
+	Functions are accessible by including the appropriate tls/tls_xxx.h file.
282
+
283
+     _________________________________________________________
284
+
285
+2. CHAPTER 2. DEVELOPER'S GUIDE
286
+	________________________________________________________
287
+2.1. TLS_CONFIG
288
+	It contains configuration variables for ser's tls (timeouts, file paths, etc).
289
+	________________________________________________________
290
+2.2. TLS_INIT
291
+	Initialization related functions and parameters.
292
+	________________________________________________________
293
+	2.2.1. default ssl context
294
+		extern SSL_CTX *default_ctx;
295
+		It is the common context for all tls sockets. If domains are used, each has its own.
296
+		________________________________________________________
297
+	2.2.2. init_tls(void)
298
+		Called once to initialize the tls subsystem, from the main().
299
+		int init_tls(void);
300
+		________________________________________________________
301
+	2.2.3. destroy_tls(void)
302
+		Called once, just before cleanup.
303
+		void destroy_tls(void);
304
+		________________________________________________________
305
+	2.2.4. tls_init(struct socket_info *)
306
+		Called once for each tls socket created.
307
+		int tls_init(struct socket_info *si);
308
+		________________________________________________________
309
+	2.2.5. ser_malloc, ser_realloc, ser_free
310
+		Wrapper functions around the shm_* functions. OpenSSL uses non-shared memory to create its objects, 
311
+		thus it would not work in SER. By creating these wrappers and configuring OpenSSL to use them instead 
312
+		of its default memory functions, we have all OpenSSL objects in shared memory, ready to use.
313
+		________________________________________________________
314
+2.3. TLS_SERVER
315
+	________________________________________________________
316
+	2.3.1. SSL data per connection
317
+		Each TLS connection, incoming or outgoing, creates an SSL * object, where configuration inherited from 
318
+		the SSL_CTX * and particular info on that socket are stored. This SSL * structure is kept in SER as long as 
319
+		the connection is alive, as part of the struct tcp_connection * object:
320
+		struct tcp_connection *c;
321
+		SSL *ssl;
322
+		//create somehow SSL object
323
+		c->extra_data = (void *) ssl; 
324
+		ssl = (SSL *) c->extra_data;
325
+		________________________________________________________
326
+	2.3.2. tls_print_errstack(void)
327
+		/*
328
+		 * dump ssl error stack 
329
+		 */
330
+		void            tls_print_errstack(void);
331
+		________________________________________________________
332
+	2.3.3. tls_tcpconn_init( struct tcp_connection *, int)
333
+		/*
334
+		 * Called when new tcp connection is accepted 
335
+		 */
336
+		int             tls_tcpconn_init(struct tcp_connection *c, int sock);
337
+		________________________________________________________
338
+	2.3.4. tls_tcpconn_clean( struct tcp_connection *)
339
+		/*
340
+		 * clean the extra data upon connection shut down 
341
+		 */
342
+		void            tls_tcpconn_clean(struct tcp_connection *c);
343
+		________________________________________________________
344
+	2.3.5. tls_close( struct tcp_connection *, int )
345
+		/*
346
+		 * shut down the TLS connection 
347
+		 */
348
+		void            tls_close(struct tcp_connection *c, int fd);
349
+		________________________________________________________
350
+	2.3.6. tls_blocking_write( struct tcp_connection, int, const char, size_t )
351
+		size_t          tls_blocking_write(struct tcp_connection *c, int fd,
352
+						   const char *buf, size_t len);
353
+		________________________________________________________
354
+	2.3.7. tls_read( struct tcp_connection *)
355
+		size_t          tls_read(struct tcp_connection *c);
356
+		________________________________________________________
357
+	2.3.8. tls_fix_read_conn( struct tcp_connection )
358
+		int             tls_fix_read_conn(struct tcp_connection *c);
359
+		________________________________________________________
360
+2.4. TLS_DOMAIN
361
+	________________________________________________________
362
+	2.4.1. tls_domains
363
+		extern struct tls_domain *tls_domains;
364
+	
365
+		________________________________________________________
366
+	2.4.2. tls_find_domain( struct ip_addr *, unsigned short)
367
+		/*
368
+		 * find domain with given ip and port 
369
+		 */
370
+		struct tls_domain *tls_find_domain(struct ip_addr *ip,
371
+						   unsigned short port);
372
+		________________________________________________________
373
+	2.4.3. tls_new_domain( struct ip_addr *, unsigned *)
374
+		/*
375
+		 * create a new domain 
376
+		 */
377
+		int             tls_new_domain(struct ip_addr *ip, unsigned short port);
378
+	
379
+		________________________________________________________
380
+	2.4.4. tls_free_domains(void)
381
+		/*
382
+		 * clean up 
383
+		 */
384
+		void            tls_free_domains(void);
385
+	
386
+	________________________________________________________
387
+CHAPTER 3. FREQUENTLY ASKED QUESTIONS
388
+
389
+		________________________________________________________
390
+	3.1.    WHERE CAN I FIND MORE ABOUT SER?
391
+		Take a look at http://iptel.org/ser and http://www.openser.org
392
+		________________________________________________________
393
+	3.2.    WHERE CAN I POST A QUESTION ABOUT THIS MODULE?
394
+		In the webpages above there is access to mailing list. Use the users list for normal user support, use the dev 
395
+		list for development questions (bugs, fixes, etc). 
396
+		________________________________________________________
397
+	3.3.    HOW CAN I REPORT A BUG?
398
+		At the dev lists on the above webpages, and also at:
399
+		http://bugs.sip-router.org
400
+		________________________________________________________
401
+	3.4.    WHAT IS THE DIFFERENCE WITH OpenSER-TLS?
402
+		None. At least for now. The initial commit in both repositories 
403
+		(experimental tree for SER, HEAD for OpenSER) come from the same source:
404
+		an extended version of that released sometime late in 2004 by Peter Griffiths 
405
+		and modified by Cesc Santasusana.
406
+		________________________________________________________
407
+	3.5.    I AM NOT HAPPY WITH THIS README ... NOW WHAT?
408
+		Three things: 
409
+		1 - Complain to the maintainer.
410
+		2 - Contribute yourself with your acquired knowledge. It is welcome.
411
+		3 - Take a look at OpenSER tutorials for TLS: http://openser.org/docs/tls.html
412
+		
0 413
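new file mode 100644
--- /dev/null
+++ b/<PATH-NOT-ON-PAGE>
@@ -0,0 +1,217 @@
+/* $Id$
+ * 
+ * This file contains modified zlib compression functions
+ * originally part of crypto/comp/c_zlib.c from the openssl library 
+ * (version 0.9.8a).
+ * It's distributed under the same license as OpenSSL.
+ *
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ */
+/*
+ * The changes are: 
+ *   - proper zalloc and zfree initialization for the zlib compression
+ *     methods (use OPENSSL_malloc & OPENSSL_free to construct zalloc/zfree)
+ *   - zlib_stateful_ex_idx is now a macro, a pointer to int is alloc'ed now
+ *    on init and zlib_stateful_ex_idx is now the contents of this pointer 
+ *    (deref). This allows using compression from different processes (if 
+ *    the OPENSSL_malloc's are initialized previously to a shared mem. using
+ *    version).
+ *  -- andrei
+ */
+
+
+#ifdef TLS_FIX_ZLIB_COMPRESSION
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/objects.h>
+#include <openssl/comp.h>
+#include <openssl/err.h>
+
+#include <zlib.h>
+
+
+/* alloc functions for zlib initialization */
+static void* comp_calloc(void* foo, unsigned int no, unsigned int size)
+{
+	void *p;
+	
+	p=OPENSSL_malloc(no*size);
+	if (p)
+		memset(p, 0, no*size);
+	return p;
+}
+
+
+/* alloc functions for zlib initialization */
+static void comp_free(void* foo, void* p)
+{
+	OPENSSL_free(p);
+}
+
+
+static int zlib_stateful_init(COMP_CTX *ctx);
+static void zlib_stateful_finish(COMP_CTX *ctx);
+static int zlib_stateful_compress_block(COMP_CTX *ctx, unsigned char *out,
+	unsigned int olen, unsigned char *in, unsigned int ilen);
+static int zlib_stateful_expand_block(COMP_CTX *ctx, unsigned char *out,
+	unsigned int olen, unsigned char *in, unsigned int ilen);
+
+
+static COMP_METHOD zlib_method={
+	NID_zlib_compression,
+	LN_zlib_compression,
+	zlib_stateful_init,
+	zlib_stateful_finish,
+	zlib_stateful_compress_block,
+	zlib_stateful_expand_block,
+	NULL,
+	NULL,
+	};
+
+
+struct zlib_state
+	{
+	z_stream istream;
+	z_stream ostream;
+	};
+
+static int* pzlib_stateful_ex_idx = 0; 
+#define zlib_stateful_ex_idx (*pzlib_stateful_ex_idx)
+
+int fixed_c_zlib_init()
+{
+	if (pzlib_stateful_ex_idx==0){
+		if ((pzlib_stateful_ex_idx=OPENSSL_malloc(sizeof(int)))!=0){
+			zlib_stateful_ex_idx=-1;
+			return 0;
+		} else return -1;
+	}
+	return -1;
+}
+
+
+
+static void zlib_stateful_free_ex_data(void *obj, void *item,
+	CRYPTO_EX_DATA *ad, int ind,long argl, void *argp)
+	{
+	struct zlib_state *state = (struct zlib_state *)item;
+	inflateEnd(&state->istream);
+	deflateEnd(&state->ostream);
+	OPENSSL_free(state);
+	}
+
+static int zlib_stateful_init(COMP_CTX *ctx)
+	{
+	int err;
+	struct zlib_state *state =
+		(struct zlib_state *)OPENSSL_malloc(sizeof(struct zlib_state));
+
+	if (state == NULL)
+		goto err;
+
+	state->istream.zalloc = comp_calloc;
+	state->istream.zfree = comp_free;
+	state->istream.opaque = Z_NULL;
+	state->istream.next_in = Z_NULL;
+	state->istream.next_out = Z_NULL;
+	state->istream.avail_in = 0;
+	state->istream.avail_out = 0;
+	err = inflateInit_(&state->istream,
+		ZLIB_VERSION, sizeof(z_stream));
+	if (err != Z_OK)
+		goto err;
+
+	state->ostream.zalloc = comp_calloc;
+	state->ostream.zfree = comp_free;
+	state->ostream.opaque = Z_NULL;
+	state->ostream.next_in = Z_NULL;
+	state->ostream.next_out = Z_NULL;
+	state->ostream.avail_in = 0;
+	state->ostream.avail_out = 0;
+	err = deflateInit_(&state->ostream,Z_DEFAULT_COMPRESSION,
+		ZLIB_VERSION, sizeof(z_stream));
+	if (err != Z_OK)
+		goto err;
+
+	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_COMP,ctx,&ctx->ex_data);
+	if (zlib_stateful_ex_idx == -1)
+		{
+		CRYPTO_w_lock(CRYPTO_LOCK_COMP);
+		if (zlib_stateful_ex_idx == -1)
+			zlib_stateful_ex_idx =
+				CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_COMP,
+					0,NULL,NULL,NULL,zlib_stateful_free_ex_data);
+		CRYPTO_w_unlock(CRYPTO_LOCK_COMP);
+		if (zlib_stateful_ex_idx == -1)
+			goto err;
+		}
+	CRYPTO_set_ex_data(&ctx->ex_data,zlib_stateful_ex_idx,state);
+	return 1;
+ err:
+	if (state) OPENSSL_free(state);
+	return 0;
+	}
+
+static void zlib_stateful_finish(COMP_CTX *ctx)
+	{
+	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_COMP,ctx,&ctx->ex_data);
+	}
+
+static int zlib_stateful_compress_block(COMP_CTX *ctx, unsigned char *out,
+	unsigned int olen, unsigned char *in, unsigned int ilen)
+	{
+	int err = Z_OK;
+	struct zlib_state *state =
+		(struct zlib_state *)CRYPTO_get_ex_data(&ctx->ex_data,
+			zlib_stateful_ex_idx);
+
+	if (state == NULL)
+		return -1;
+
+	state->ostream.next_in = in;
+	state->ostream.avail_in = ilen;
+	state->ostream.next_out = out;
+	state->ostream.avail_out = olen;
+	if (ilen > 0)
+		err = deflate(&state->ostream, Z_SYNC_FLUSH);
+	if (err != Z_OK)
+		return -1;
+#ifdef DEBUG_ZLIB
+	fprintf(stderr,"compress(%4d)->%4d %s\n",
+		ilen,olen - state->ostream.avail_out,
+		(ilen != olen - state->ostream.avail_out)?"zlib":"clear");
+#endif
+	return olen - state->ostream.avail_out;
+	}
+
+static int zlib_stateful_expand_block(COMP_CTX *ctx, unsigned char *out,
+	unsigned int olen, unsigned char *in, unsigned int ilen)
+	{
+	int err = Z_OK;
+
+	struct zlib_state *state =
+		(struct zlib_state *)CRYPTO_get_ex_data(&ctx->ex_data,
+			zlib_stateful_ex_idx);
+
+	if (state == NULL)
+		return 0;
+
+	state->istream.next_in = in;
+	state->istream.avail_in = ilen;
+	state->istream.next_out = out;
+	state->istream.avail_out = olen;
+	if (ilen > 0)
+		err = inflate(&state->istream, Z_SYNC_FLUSH);
+	if (err != Z_OK)
+		return -1;
+#ifdef DEBUG_ZLIB
+	fprintf(stderr,"expand(%4d)->%4d %s\n",
+		ilen,olen - state->istream.avail_out,
+		(ilen != olen - state->istream.avail_out)?"zlib":"clear");
+#endif
+	return olen - state->istream.avail_out;
+	}
+
+#endif /* TLS_FIX_ZLIB_COMPRESSION */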
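Review bot: zlib_stateful_init leaks the zlib stream state on its error paths: once `inflateInit_` has succeeded, a failing `deflateInit_` or a failing `CRYPTO_get_ex_new_index` jumps to `err`, which frees `state` but never calls `inflateEnd`/`deflateEnd`, so the buffers zlib obtained through `comp_calloc` (OPENSSL_malloc, presumably the shared-memory pool once the allocator is redirected as the header comment describes) are lost on every failed context setup. Tracking which stream was initialised and ending it before the free closes the leak; the rewritten tail of the function is below. Separately, `comp_calloc` computes `no*size` in unsigned int with no overflow check, so a wrapped product would hand zlib a smaller buffer than it asked for while `memset` clears the same wrapped size; the usual guard before the allocation is `if (size && no > UINT_MAX / size) return NULL;` (needs `<limits.h>`). A smaller point: `fixed_c_zlib_init()` returns -1 both when already initialised and when `OPENSSL_malloc` fails, so a caller cannot tell a harmless repeat call from an out-of-memory condition, and the empty parameter list should be `(void)` in C.
```c
static int zlib_stateful_init(COMP_CTX *ctx)
	{
	int err;
	int inflate_ok = 0, deflate_ok = 0;
	/* … unchanged: state allocation, NULL check, istream field setup … */
	err = inflateInit_(&state->istream,
		ZLIB_VERSION, sizeof(z_stream));
	if (err != Z_OK)
		goto err;
	inflate_ok = 1;
	/* … unchanged: ostream field setup … */
	err = deflateInit_(&state->ostream,Z_DEFAULT_COMPRESSION,
		ZLIB_VERSION, sizeof(z_stream));
	if (err != Z_OK)
		goto err;
	deflate_ok = 1;
	/* … unchanged: ex_data index registration and CRYPTO_set_ex_data … */
	return 1;
 err:
	if (state)
		{
		/* release zlib's own buffers before the state that owns them */
		if (deflate_ok) deflateEnd(&state->ostream);
		if (inflate_ok) inflateEnd(&state->istream);
		OPENSSL_free(state);
		}
	return 0;
	}
```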
new file mode 100644
... ...
@@ -0,0 +1,413 @@
1
+Index: cfg.y
2
+===================================================================
3
+RCS file: /cvsroot/ser/sip_router/cfg.y,v
4
+retrieving revision 1.112
5
+diff -u -r1.112 cfg.y
6
+--- cfg.y	20 Jan 2006 15:24:28 -0000	1.112
7
+@@ -97,7 +97,7 @@
8
+ 
9
+ #include "config.h"
10
+ #ifdef USE_TLS
11
+-#include "tls/tls_config.h"
12
++/*#include "tls/tls_config.h"*/
13
+ #endif
14
+ 
15
+ #ifdef DEBUG_DMALLOC
16
+@@ -583,7 +583,7 @@
17
+ 	| DISABLE_TLS EQUAL error { yyerror("boolean value expected"); }
18
+ 	| TLSLOG EQUAL NUMBER {
19
+ 		#ifdef USE_TLS
20
+-			tls_log=$3;
21
++		     /*tls_log=$3;*/
22
+ 		#else
23
+ 			warn("tls support not compiled in");
24
+ 		#endif
25
+@@ -599,28 +599,28 @@
26
+ 	| TLS_PORT_NO EQUAL error { yyerror("number expected"); }
27
+ 	| TLS_METHOD EQUAL SSLv23 {
28
+ 		#ifdef USE_TLS
29
+-			tls_method=TLS_USE_SSLv23;
30
++		     /*tls_method=TLS_USE_SSLv23;*/
31
+ 		#else
32
+ 			warn("tls support not compiled in");
33
+ 		#endif
34
+ 	}
35
+ 	| TLS_METHOD EQUAL SSLv2 {
36
+ 		#ifdef USE_TLS
37
+-			tls_method=TLS_USE_SSLv2;
38
++		     /*tls_method=TLS_USE_SSLv2;*/
39
+ 		#else
40
+ 			warn("tls support not compiled in");
41
+ 		#endif
42
+ 	}
43
+ 	| TLS_METHOD EQUAL SSLv3 {
44
+ 		#ifdef USE_TLS
45
+-			tls_method=TLS_USE_SSLv3;
46
++		     /*tls_method=TLS_USE_SSLv3;*/
47
+ 		#else
48
+ 			warn("tls support not compiled in");
49
+ 		#endif
50
+ 	}
51
+ 	| TLS_METHOD EQUAL TLSv1 {
52
+ 		#ifdef USE_TLS
53
+-			tls_method=TLS_USE_TLSv1;
54
++		     /*tls_method=TLS_USE_TLSv1;*/
55
+ 		#else
56
+ 			warn("tls support not compiled in");
57
+ 		#endif
58
+@@ -634,7 +634,7 @@
59
+ 	}
60
+ 	| TLS_VERIFY EQUAL NUMBER {
61
+ 		#ifdef USE_TLS
62
+-			tls_verify_cert=$3;
63
++		     /*tls_verify_cert=$3;*/
64
+ 		#else
65
+ 			warn("tls support not compiled in");
66
+ 		#endif
67
+@@ -642,7 +642,7 @@
68
+ 	| TLS_VERIFY EQUAL error { yyerror("boolean value expected"); }
69
+ 	| TLS_REQUIRE_CERTIFICATE EQUAL NUMBER {
70
+ 		#ifdef USE_TLS
71
+-			tls_require_cert=$3;
72
++		     /*tls_require_cert=$3;*/
73
+ 		#else
74
+ 			warn( "tls support not compiled in");
75
+ 		#endif
76
+@@ -650,7 +650,7 @@
77
+ 	| TLS_REQUIRE_CERTIFICATE EQUAL error { yyerror("boolean value expected"); }
78
+ 	| TLS_CERTIFICATE EQUAL STRING {
79
+ 		#ifdef USE_TLS
80
+-			tls_cert_file=$3;
81
++		     /*tls_cert_file=$3;*/
82
+ 		#else
83
+ 			warn("tls support not compiled in");
84
+ 		#endif
85
+@@ -658,7 +658,7 @@
86
+ 	| TLS_CERTIFICATE EQUAL error { yyerror("string value expected"); }
87
+ 	| TLS_PRIVATE_KEY EQUAL STRING {
88
+ 		#ifdef USE_TLS
89
+-			tls_pkey_file=$3;
90
++		     /*tls_pkey_file=$3;*/
91
+ 		#else
92
+ 			warn("tls support not compiled in");
93
+ 		#endif
94
+@@ -666,7 +666,7 @@
95
+ 	| TLS_PRIVATE_KEY EQUAL error { yyerror("string value expected"); }
96
+ 	| TLS_CA_LIST EQUAL STRING {
97
+ 		#ifdef USE_TLS
98
+-			tls_ca_file=$3;
99
++		     /*tls_ca_file=$3;*/
100
+ 		#else
101
+ 			warn("tls support not compiled in");
102
+ 		#endif
103
+@@ -674,7 +674,7 @@
104
+ 	| TLS_CA_LIST EQUAL error { yyerror("string value expected"); }
105
+ 	| TLS_HANDSHAKE_TIMEOUT EQUAL NUMBER {
106
+ 		#ifdef USE_TLS
107
+-			tls_handshake_timeout=$3;
108
++		     /*tls_handshake_timeout=$3;*/
109
+ 		#else
110
+ 			warn("tls support not compiled in");
111
+ 		#endif
112
+@@ -682,7 +682,7 @@
113
+ 	| TLS_HANDSHAKE_TIMEOUT EQUAL error { yyerror("number expected"); }
114
+ 	| TLS_SEND_TIMEOUT EQUAL NUMBER {
115
+ 		#ifdef USE_TLS
116
+-			tls_send_timeout=$3;
117
++		     /*tls_send_timeout=$3;*/
118
+ 		#else
119
+ 			warn("tls support not compiled in");
120
+ 		#endif
121
+Index: globals.h
122
+===================================================================
123
+RCS file: /cvsroot/ser/sip_router/globals.h,v
124
+retrieving revision 1.60
125
+diff -u -r1.60 globals.h
126
+--- globals.h	27 Jan 2006 09:52:58 -0000	1.60
127
+@@ -37,6 +37,7 @@
128
+ #include "ip_addr.h"
129
+ #include "str.h"
130
+ #include "poll_types.h"
131
++#include "transport.h"
132
+ 
133
+ #define NO_DNS     0
134
+ #define DO_DNS     1
135
+@@ -164,5 +165,7 @@
136
+ extern int dns_retr_no;
137
+ extern int dns_servers_no;
138
+ extern int dns_search_list;
139
++
140
++extern transport_t* tls;
141
+ 
142
+ #endif
143
+Index: main.c
144
+===================================================================
145
+RCS file: /cvsroot/ser/sip_router/main.c,v
146
+retrieving revision 1.210
147
+diff -u -r1.210 main.c
148
+--- main.c	27 Jan 2006 09:52:58 -0000	1.210
149
+@@ -122,12 +122,12 @@
150
+ #include "poll_types.h"
151
+ #include "tcp_init.h"
152
+ #ifdef USE_TLS
153
+-#include "tls/tls_init.h"
154
++/*#include "tls/tls_init.h"*/
155
+ #endif
156
+ #endif
157
+ #include "usr_avp.h"
158
+ #include "core_cmd.h"
159
+-
160
++#include "transport.h"
161
+ #include "stats.h"
162
+ 
163
+ #ifdef DEBUG_DMALLOC
164
+@@ -350,6 +350,8 @@
165
+ /* cfg parsing */
166
+ int cfg_errors=0;
167
+ 
168
++transport_t* tls = 0;
169
++
170
+ /* shared memory (in MB) */
171
+ unsigned long shm_mem_size=SHM_MEM_SIZE * 1024 * 1024;
172
+ 
173
+@@ -384,7 +386,7 @@
174
+ 	destroy_tcp();
175
+ #endif
176
+ #ifdef USE_TLS
177
+-	destroy_tls();
178
++	     /*destroy_tls();*/
179
+ #endif
180
+ 	destroy_timer();
181
+ 	destroy_script_cb();
182
+@@ -916,14 +918,20 @@
183
+ 		if (!tls_disable){
184
+ 			for(si=tls_listen; si; si=si->next){
185
+ 				/* same as for tcp*/
186
++				/*
187
+ 				if (tls_init(si)==-1)  goto error;
188
++				*/
189
+ 				/* get first ipv4/ipv6 socket*/
190
++				/*
191
+ 				if ((si->address.af==AF_INET)&&
192
+ 						((sendipv4_tls==0)||(sendipv4_tls->flags&SI_IS_LO)))
193
+ 					sendipv4_tls=si;
194
++				*/
195
+ 		#ifdef USE_IPV6
196
++				/*
197
+ 				if((sendipv6_tls==0)&&(si->address.af==AF_INET6))
198
+ 					sendipv6_tls=si;
199
++				*/
200
+ 		#endif
201
+ 			}
202
+ 		}
203
+@@ -1551,10 +1559,12 @@
204
+ #ifdef USE_TLS
205
+ 	if (!tls_disable){
206
+ 		/* init tls*/
207
++		/*
208
+ 		if (init_tls()<0){
209
+ 			LOG(L_CRIT, "could not initialize tls, exiting...\n");
210
+ 			goto error;
211
+ 		}
212
++		*/
213
+ 	}
214
+ #endif /* USE_TLS */
215
+ #endif /* USE_TCP */
216
+Index: tcp_main.c
217
+===================================================================
218
+RCS file: /cvsroot/ser/sip_router/tcp_main.c,v
219
+retrieving revision 1.75
220
+diff -u -r1.75 tcp_main.c
221
+--- tcp_main.c	27 Jan 2006 09:52:58 -0000	1.75
222
+@@ -107,7 +107,7 @@
223
+ #include "tcp_init.h"
224
+ #include "tsend.h"
225
+ #ifdef USE_TLS
226
+-#include "tls/tls_server.h"
227
++/*#include "tls/tls_server.h"*/
228
+ #endif 
229
+ 
230
+ #define local_malloc pkg_malloc
231
+@@ -416,7 +416,7 @@
232
+ 	c->extra_data=0;
233
+ #ifdef USE_TLS
234
+ 	if (type==PROTO_TLS){
235
+-		if (tls_tcpconn_init(c, sock)==-1) goto error;
236
++		if (tls && (tls->u.tcp.init(c, sock) == -1)) goto error;
237
+ 	}else
238
+ #endif /* USE_TLS*/
239
+ 	{
240
+@@ -536,7 +536,8 @@
241
+ 						&c->con_aliases[r], next, prev);
242
+ 	lock_destroy(&c->write_lock);
243
+ #ifdef USE_TLS
244
+-	if (c->type==PROTO_TLS) tls_tcpconn_clean(c);
245
++	if (c->type==PROTO_TLS) 
246
++		if (tls) tls->u.tcp.clean(c);
247
+ #endif
248
+ 	shm_free(c);
249
+ }
250
+@@ -555,7 +556,8 @@
251
+ 	TCPCONN_UNLOCK;
252
+ 	lock_destroy(&c->write_lock);
253
+ #ifdef USE_TLS
254
+-	if ((c->type==PROTO_TLS)&&(c->extra_data)) tls_tcpconn_clean(c);
255
++	if ((c->type==PROTO_TLS)&&(c->extra_data)) 
256
++		if (tls) tls->u.tcp.clean(c);
257
+ #endif
258
+ 	shm_free(c);
259
+ }
260
+@@ -801,7 +803,11 @@
261
+ 	lock_get(&c->write_lock);
262
+ #ifdef USE_TLS
263
+ 	if (c->type==PROTO_TLS)
264
+-		n=tls_blocking_write(c, fd, buf, len);
265
++		if (tls) {
266
++			n = tls->u.tcp.blocking_write(c, fd, buf, len);
267
++		} else {
268
++			n = -1;
269
++		}
270
+ 	else
271
+ #endif
272
+ 		/* n=tcp_blocking_write(c, fd, buf, len); */
273
+@@ -1051,7 +1057,7 @@
274
+ #ifdef USE_TLS
275
+ 		/*FIXME: lock ->writelock ? */
276
+ 		if (tcpconn->type==PROTO_TLS)
277
+-			tls_close(tcpconn, fd);
278
++			if (tls) tls->u.tcp.close(tcpconn, fd);
279
+ #endif
280
+ 		_tcpconn_rm(tcpconn);
281
+ 		close(fd);
282
+@@ -1425,7 +1431,7 @@
283
+ 				fd=c->s;
284
+ #ifdef USE_TLS
285
+ 				if (c->type==PROTO_TLS)
286
+-					tls_close(c, fd);
287
++					if (tls) tls->u.tcp.close(c, fd);
288
+ #endif
289
+ 				_tcpconn_rm(c);
290
+ 				if ((fd>0)&&(c->refcnt==0)) {
291
+Index: tcp_read.c
292
+===================================================================
293
+RCS file: /cvsroot/ser/sip_router/tcp_read.c,v
294
+retrieving revision 1.31
295
+diff -u -r1.31 tcp_read.c
296
+--- tcp_read.c	28 Oct 2005 20:59:37 -0000	1.31
297
+@@ -60,7 +60,7 @@
298
+ #include "timer.h"
299
+ #include "ut.h"
300
+ #ifdef USE_TLS
301
+-#include "tls/tls_server.h"
302
++/*#include "tls/tls_server.h"*/
303
+ #endif
304
+ 
305
+ #define HANDLE_IO_INLINE
306
+@@ -184,7 +184,8 @@
307
+ 	}else{
308
+ #ifdef USE_TLS
309
+ 		if (c->type==PROTO_TLS)
310
+-			bytes=tls_read(c);
311
++			if (tls) bytes = tls->u.tcp.read(c);
312
++			else bytes = -1;
313
+ 		else
314
+ #endif
315
+ 			bytes=tcp_read(c);
316
+@@ -414,10 +415,11 @@
317
+ 		req=&con->req;
318
+ #ifdef USE_TLS
319
+ 		if (con->type==PROTO_TLS){
320
+-			if (tls_fix_read_conn(con)!=0){
321
++			if (!tls || (tls->u.tcp.fix_read_con(con)!=0)){
322
+ 				resp=CONN_ERROR;
323
+ 				goto end_req;
324
+ 			}
325
++
326
+ 			if(con->state!=S_CONN_OK) goto end_req; /* not enough data */
327
+ 		}
328
+ #endif
329
+--- transport.h.orig	2006-01-27 12:11:43.000000000 +0100
330
+@@ -0,0 +1,77 @@
331
++/*
332
++ * $Id$
333
++ *
334
++ * Copyright (C) 2001-2003 FhG Fokus
335
++ *
336
++ * This file is part of ser, a free SIP server.
337
++ *
338
++ * ser is free software; you can redistribute it and/or modify
339
++ * it under the terms of the GNU General Public License as published by
340
++ * the Free Software Foundation; either version 2 of the License, or
341
++ * (at your option) any later version
342
++ *
343
++ * For a license to use the ser software under conditions
344
++ * other than those described here, or to purchase support for this
345
++ * software, please contact iptel.org by e-mail at the following addresses:
346
++ *    info@iptel.org
347
++ *
348
++ * ser is distributed in the hope that it will be useful,
349
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
350
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
351
++ * GNU General Public License for more details.
352
++ *
353
++ * You should have received a copy of the GNU General Public License
354
++ * along with this program; if not, write to the Free Software
355
++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
356
++ */
357
++
358
++#ifndef _TRANSPORT_H
359
++#define _TRANSPORT_H
360
++
361
++#include "tcp_conn.h"
362
++
363
++
364
++typedef int (*tcp_init_f)(struct tcp_connection *c, int sock);
365
++typedef void (*tcp_clean_f)(struct tcp_connection *c);
366
++typedef void (*tcp_close_f)(struct tcp_connection *c, int fd);
367
++typedef size_t (*tcp_blocking_write_f)(struct tcp_connection *c, int fd, const char *buf, size_t len);
368
++typedef size_t (*tcp_read_f)(struct tcp_connection *c);
369
++typedef int (*tcp_fix_read_con_f)(struct tcp_connection *c);
370
++
371
++
372
++enum trans_flags {
373
++	TRANSPORT_SECURE = (1 << 0),  /* Transport is secure */
374
++	TRANSPORT_STREAM = (1 << 1),  /* Transport uses stream (reliable) sockets */
375
++	TRANSPORT_DGRAM = (1 << 2)    /* Transport uses datagram (unrealiable) sockets */
376
++};
377
++
378
++/* TCP related functions */
379
++struct tcp_func {
380
++	tcp_init_f           init;
381
++	tcp_clean_f          clean;
382
++	tcp_close_f          close;
383
++	tcp_blocking_write_f blocking_write; 
384
++	tcp_read_f           read;
385
++	tcp_fix_read_con_f   fix_read_con;
386
++};
387
++
388
++/* UDP related functions */
389
++struct udp_func {
390
++};
391
++
392
++
393
++/* Structure representing transports on top of TCP or UDP */
394
++typedef struct transport {
395
++	int proto;  /* Protocol ID */
396
++	str name;   /* Protocol name */
397
++	int flags;  /* Various flags */
398
++
399
++	union {
400
++		struct tcp_func tcp;
401
++		struct udp_func udp;
402
++	} u;
403
++	struct transport* next;
404
++} transport_t;
405
++
406
++
407
++#endif /* _TLS_H */
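Review bot: In the tcp_main.c hunk at `@@ -416,7 +416,7 @@`, `if (tls && (tls->u.tcp.init(c, sock) == -1)) goto error;` lets a PROTO_TLS connection be created with no TLS state at all when no transport module has registered itself, whereas the tcp_read.c hunk at `@@ -414,10 +415,11 @@` fails closed with `if (!tls || ...)`; a TLS-typed connection without a transport should not exist, so the creation path should read `if (!tls || tls->u.tcp.init(c, sock) == -1) goto error;`. Separately, transport.h declares `tcp_blocking_write_f` and `tcp_read_f` as returning `size_t`, yet the fallback branches in the same patch assign `n = -1` and `bytes = -1`, so a negative error return from the module travels through an unsigned type before the callers' sign tests (the declarations of `n` and `bytes` are outside the hunks); declaring both typedefs as returning `int` matches the `-1` convention used everywhere else here. The enclosing functions of the tcp_main.c and tcp_read.c hunks all start outside the hunks. The closing guard comment in transport.h reads `#endif /* _TLS_H */` for a header guarded by `_TRANSPORT_H`.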
new file mode 100644
@@ -0,0 +1,278 @@
1
+/*
2
+ * $Id$
3
+ *
4
+ * Copyright (C) 2001-2003 FhG FOKUS
5
+ * Copyright (C) 2004,2005 Free Software Foundation, Inc.
6
+ * Copyright (C) 2005,2006 iptelorg GmbH
7
+ *
8
+ * This file is part of ser, a free SIP server.
9
+ *
10
+ * ser is free software; you can redistribute it and/or modify
11
+ * it under the terms of the GNU General Public License as published by
12
+ * the Free Software Foundation; either version 2 of the License, or
13
+ * (at your option) any later version
14
+ *
15
+ * For a license to use the ser software under conditions
16
+ * other than those described here, or to purchase support for this
17
+ * software, please contact iptel.org by e-mail at the following addresses:
18
+ *    info@iptel.org
19
+ *
20
+ * ser is distributed in the hope that it will be useful,
21
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
22
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
23
+ * GNU General Public License for more details.
24
+ *
25
+ * You should have received a copy of the GNU General Public License 
26
+ * along with this program; if not, write to the Free Software 
27
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
28
+ */
29
+
30
+#include <stdlib.h>
31
+#include "../../ut.h"
32
+#include "../../mem/shm_mem.h"
33
+#include "../../pt.h"
34
+#include "tls_server.h"
35
+#include "tls_domain.h"
36
+
37
+tls_domain_t* tls_def_srv = 0;
38
+tls_domain_t* tls_def_cli = 0;
39
+tls_domain_t* tls_srv_list = 0;
40
+tls_domain_t* tls_cli_list = 0;
41
+
42
+
43
+/*
44
+ * find domain with given ip and port 
45
+ */
46
+tls_domain_t* tls_find_domain(int type, struct ip_addr *ip, unsigned short port)
47
+{
48
+	tls_domain_t *p;
49
+
50
+	if (type & TLS_DOMAIN_DEF) {
51
+		if (type & TLS_DOMAIN_SRV) return tls_def_srv;
52
+		else return tls_def_cli;
53
+	} else {
54
+		if (type & TLS_DOMAIN_SRV) p = tls_srv_list;
55
+		else p = tls_cli_list;
56
+	}
57
+
58
+	while (p) {
59
+		if ((p->port == port) && ip_addr_cmp(&p->ip, ip))
60
+			return p;
61
+		p = p->next;
62
+	}
63
+	return 0;
64
+}
65
+
66
+
67
+/*
68
+ * create a new domain 
69
+ */
70
+tls_domain_t* tls_new_domain(int type, struct ip_addr *ip, unsigned short port)
71
+{
72
+	tls_domain_t* d;
73
+
74
+	d = pkg_malloc(sizeof(tls_domain_t));
75
+	if (d == NULL) {
76
+		ERR("Memory allocation failure\n");
77
+		return 0;
78
+	}
79
+	memset(d, '\0', sizeof(tls_domain_t));
80
+
81
+	d->type = type;
82
+	if (type & TLS_DOMAIN_DEF) {
83
+		if (type & TLS_DOMAIN_SRV) {
84
+			     /* Default server domain */
85
+			d->cert_file = TLS_CERT_FILE;
86
+			d->pkey_file = TLS_PKEY_FILE;
87
+			d->verify_cert = 0;
88
+			d->verify_depth = 3;
89
+			d->ca_file = TLS_CA_FILE;
90
+			d->require_cert = 0;
91
+			d->method = TLS_USE_SSLv23;
92
+			tls_def_srv = d;
93
+		} else {
94
+			     /* Default client domain */
95
+			d->cert_file = 0;
96
+			d->pkey_file = 0;
97
+			d->verify_cert = 1;
98
+			d->verify_depth = 3;
99
+			d->ca_file = 0;
100
+			d->require_cert = 1;
101
+			d->method = TLS_USE_SSLv23;
102
+			tls_def_cli = d;
103
+		}		
104
+	} else {
105
+		memcpy(&d->ip, ip, sizeof(struct ip_addr));
106
+		d->port = port;
107
+		d->verify_cert = -1;
108
+		d->verify_depth = -1;
109
+		d->require_cert = -1;
110
+
111
+		if (type & TLS_DOMAIN_SRV) {
112
+			d->next = tls_srv_list;
113
+			tls_srv_list = d;
114
+		} else {
115
+			d->next = tls_cli_list;
116
+			tls_cli_list = d;
117
+		}
118
+	}
119
+	return d;
120
+}
121
+
122
+
123
+static void free_domain(tls_domain_t* d)
124
+{
125
+	int i;
126
+	if (!d) return;
127
+	if (d->ctx) {
128
+		if (*d->ctx) {
129
+			for(i = 0; i < process_count; i++) {
130
+				if ((*d->ctx)[i]) SSL_CTX_free((*d->ctx)[i]);
131
+			}
132
+			shm_free(*d->ctx);
133
+		}
134
+		shm_free(d->ctx);
135
+	}
136
+	pkg_free(d);
137
+}
138
+
139
+
140
+/*
141
+ * clean up 
142
+ */
143
+void tls_free_domains(void)
144
+{
145
+	tls_domain_t* p;
146
+	while(tls_srv_list) {
147
+		p = tls_srv_list;
148
+		tls_srv_list = tls_srv_list->next;
149
+		free_domain(p);
150
+	}
151
+	while(tls_cli_list) {
152
+		p = tls_srv_list;
153
+		tls_srv_list = tls_srv_list->next;
154
+		free_domain(p);
155
+	}
156
+	if (tls_def_srv) free_domain(tls_def_srv);
157
+	if (tls_def_cli) free_domain(tls_def_cli);
158
+}
159
+
160
+
161
+/*
162
+ * Print TLS domain identifier
163
+ */
164
+char* tls_domain_str(tls_domain_t* d)
165
+{
166
+	static char buf[1024];
167
+	char* p;
168
+
169
+	buf[0] = '\0';
170
+	p = buf;
171
+	p = strcat(p, d->type & TLS_DOMAIN_SRV ? "TLSs<" : "TLSc<");
172
+	if (d->ip.len) {
173
+		p = strcat(p, ip_addr2a(&d->ip));
174
+		p = strcat(p, ":");
175
+		p = strcat(p, int2str(d->port, 0));
176
+		p = strcat(p, ">");
177
+	} else {
178
+		p = strcat(p, "default>");
179
+	}
180
+	return buf;
181
+}
182
+
183
+
184
+/*
185
+ * Initialize all domain attributes from default domains
186
+ * if necessary
187
+ */
188
+static int fix_domain(tls_domain_t* d, tls_domain_t* def)
189
+{
190
+	d->ctx = (SSL_CTX***)shm_malloc(sizeof(SSL_CTX**));
191
+	if (!d->ctx) {
192
+		ERR("No shared memory left\n");
193
+		return -1;
194
+	}
195
+	*d->ctx = 0;
196
+
197
+	if (d->method == TLS_METHOD_UNSPEC) {
198
+		INFO("%s: Method not configured, using default value %d\n",
199
+		     tls_domain_str(d), def->method);
200
+		d->method = def->method;
201
+	}
202
+	
203
+	if (d->method < 1 || d->method >= TLS_METHOD_MAX) {
204
+		ERR("%s: Invalid TLS method value\n", tls_domain_str(d));
205
+		return -1;
206
+	}
207
+	
208
+	if (!d->cert_file) {
209
+		INFO("%s: No certificate configured, using default '%s'\n",
210
+		     tls_domain_str(d), def->cert_file);
211
+		d->cert_file = def->cert_file;
212
+	}
213
+	
214
+	if (!d->ca_file) {
215
+		INFO("%s: No CA list configured, using default '%s'\n",
216
+		     tls_domain_str(d), def->ca_file);
217
+		d->ca_file = def->ca_file;
218
+	}
219
+	
220
+	if (d->require_cert == -1) {
221
+		INFO("%s: require_certificate not configured, using default value %d\n",
222
+		     tls_domain_str(d), def->require_cert);
223
+		d->require_cert = def->require_cert;
224
+	}
225
+	
226
+	if (!d->cipher_list) {
227
+		INFO("%s: Cipher list not configured, using default value %s\n",
228
+		     tls_domain_str(d), def->cipher_list);
229
+		d->cipher_list = def->cipher_list;
230
+	}
231
+	
232
+	if (!d->pkey_file) {
233
+		INFO("%s: No private key configured, using default '%s'\n",
234
+		     tls_domain_str(d), def->pkey_file);
235
+		d->pkey_file = def->pkey_file;
236
+	}
237
+	
238
+	if (d->verify_cert == -1) {
239
+		INFO("%s: verify_certificate not configured, using default value %d\n",
240
+		     tls_domain_str(d), def->verify_cert);
241
+		d->verify_cert = def->verify_cert;
242
+	}
243
+	
244
+	if (d->verify_depth == -1) {
245
+		INFO("%s: verify_depth not configured, using default value %d\n",
246
+		     tls_domain_str(d), def->verify_depth);
247
+		d->verify_depth = def->verify_depth;
248
+	}
249
+	return 0;
250
+}
251
+
252
+
253
+/*
254
+ * Initialize attributes of all domains from default domains
255
+ * if necessary
256
+ */
257
+int tls_fix_domains(void)
258
+{
259
+	tls_domain_t* d;
260
+
261
+	if (!tls_def_cli) tls_def_cli = tls_new_domain(TLS_DOMAIN_DEF | TLS_DOMAIN_CLI, 0, 0);
262
+	if (!tls_def_srv) tls_def_srv = tls_new_domain(TLS_DOMAIN_DEF | TLS_DOMAIN_SRV, 0, 0);
263
+
264
+	d = tls_srv_list;
265
+	while (d) {
266
+		if (fix_domain(d, tls_def_srv) < 0) return -1;
267
+		d = d->next;
268
+	}
269
+
270
+	d = tls_cli_list;
271
+	while (d) {
272
+		if (fix_domain(d, tls_def_cli) < 0) return -1;
273
+		d = d->next;
274
+	}
275
+	if (fix_domain(tls_def_srv, tls_def_srv) < 0) return -1;
276
+	if (fix_domain(tls_def_cli, tls_def_cli) < 0) return -1;
277
+	return 0;
278
+}
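Review bot: `tls_free_domains` walks the wrong list in its second loop: the condition tests `tls_cli_list` but the body reads and advances `tls_srv_list`, which the first loop has already reduced to NULL, so any configured client domain dereferences a null pointer in `tls_srv_list->next` instead of being freed; the body should be `p = tls_cli_list;` / `tls_cli_list = tls_cli_list->next;`. In `fix_domain`, the INFO messages print `def->cert_file`, `def->ca_file`, `def->pkey_file` and `def->cipher_list` with `%s`, but the default client domain sets the first three to 0 and `cipher_list` is never assigned anywhere in this file (the struct is only memset to zero), so those lines pass NULL to `%s`, which is undefined behaviour and a crash on libcs that do not print "(null)"; guard each one, e.g. `def->ca_file ? def->ca_file : "(none)"`. The default server domain also starts with `verify_cert = 0` and `require_cert = 0`, which presumably means peer certificates are neither requested nor checked unless the operator configures otherwise — worth stating in a comment above those assignments so the fail-open default is deliberate rather than accidental.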
new file mode 100644
@@ -0,0 +1,114 @@
1
+/*
2
+ * $Id$
3
+ * 
4
+ * Copyright (C) 2001-2003 FhG FOKUS
5
+ * Copyright (C) 2004,2005 Free Software Foundation, Inc.
6
+ * Copyright (C) 2005,2006 iptelorg GmbH
7
+ *
8
+ * This file is part of ser, a free SIP server.
9
+ *
10
+ * ser is free software; you can redistribute it and/or modify
11
+ * it under the terms of the GNU General Public License as published by
12
+ * the Free Software Foundation; either version 2 of the License, or
13
+ * (at your option) any later version
14
+ *
15
+ * For a license to use the ser software under conditions
16
+ * other than those described here, or to purchase support for this
17
+ * software, please contact iptel.org by e-mail at the following addresses:
18
+ *    info@iptel.org
19
+ *
20
+ * ser is distributed in the hope that it will be useful,
21
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
22
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
23
+ * GNU General Public License for more details.
24
+ *
25
+ * You should have received a copy of the GNU General Public License 
26
+ * along with this program; if not, write to the Free Software 
27
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
28
+ */
29
+
30
+#ifndef _TLS_DOMAIN_H
31
+#define _TLS_DOMAIN_H
32
+
33
+#include "../../str.h"
34
+#include "../../ip_addr.h"
35
+#include <openssl/ssl.h>
36
+
37
+
38
+enum tls_method {
39
+	TLS_METHOD_UNSPEC = 0,
40
+	TLS_USE_SSLv2_cli,
41
+	TLS_USE_SSLv2_srv,
42
+	TLS_USE_SSLv2,
43
+	TLS_USE_SSLv3_cli,
44
+	TLS_USE_SSLv3_srv,
45
+	TLS_USE_SSLv3,
46
+	TLS_USE_TLSv1_cli,
47
+	TLS_USE_TLSv1_srv,
48
+	TLS_USE_TLSv1,
49
+	TLS_USE_SSLv23_cli,
50
+	TLS_USE_SSLv23_srv,
51
+	TLS_USE_SSLv23,
52
+	TLS_METHOD_MAX
53
+};
54
+
55
+enum tls_domain_type {
56
+	TLS_DOMAIN_DEF = (1 << 0), /* Default domain */
57
+	TLS_DOMAIN_SRV = (1 << 1), /* Server domain */
58
+	TLS_DOMAIN_CLI = (1 << 2)  /* Client domain */
59
+};
60
+
61
+/*
62
+ * separate configuration per ip:port 
63
+ */
64
+typedef struct tls_domain {
65
+	int type;
66