tls_server.c File Reference

Main TLS part (implements the TLS hooks that are called from the TCP code).

#include <sys/poll.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
#include "../../dprint.h"
#include "../../ip_addr.h"
#include "../../mem/shm_mem.h"
#include "../../pt.h"
#include "../../timer.h"
#include "../../globals.h"
#include "../../tcp_int_send.h"
#include "../../tcp_read.h"
#include "../../cfg/cfg.h"
#include "tls_init.h"
#include "tls_domain.h"
#include "tls_util.h"
#include "tls_mod.h"
#include "tls_server.h"
#include "tls_bio.h"
#include "tls_dump_vf.h"
#include "tls_cfg.h"

Detailed Description

Module: SIP-router TLS support

Definition in file tls_server.c.


Function Documentation

int tls_accept(struct tcp_connection *c, int *error)

It will also log critical errors and certificate debugging info.

Parameters:
c - tcp connection with tls (extra_data must be a filled tcp_extra_data structure). The state must be S_TLS_ACCEPTING.
error set to the error reason (SSL_ERROR_*). Note that it can be SSL_ERROR_NONE while the return is < 0 ("internal" error, not at the SSL level, see below).
Returns:
>=1 on success, 0 and <0 on error. 0 means the underlying SSL connection was closed/shutdown. < 0 is returned for any SSL_ERROR (including WANT_READ or WANT_WRITE), but also for internal non SSL related errors (in this case -2 is returned and error==SSL_ERROR_NONE).

Definition at line 334 of file tls_server.c.

References tls_dump_verification_failure().

Referenced by ssl_flush(), tls_encode_f(), and tls_read_f().

static int tls_complete_init(struct tcp_connection *c) [static]

Creates the SSL context + internal tls_extra_data and sets extra_data to it. Separated from tls_tcpconn_init to allow delayed ssl context init (from the "child" process and not from the main one). WARNING: the connection should be already locked.

Returns:
0 on success, -1 on error.

Definition at line 141 of file tls_server.c.

References process_no, tls_domains_cfg::ref_count, tls_BIO_new_mbuf(), TLS_DOMAIN_CLI, TLS_DOMAIN_SRV, tls_domain_str(), and tls_lookup_cfg().

Referenced by tls_fix_connection(), and tls_fix_connection_unsafe().

int tls_connect(struct tcp_connection *c, int *error)

It will also log critical errors and certificate debugging info.

Parameters:
c - tcp connection with tls (extra_data must be a filled tcp_extra_data structure). The state must be S_TLS_CONNECTING.
error set to the error reason (SSL_ERROR_*). Note that it can be SSL_ERROR_NONE while the return is < 0 ("internal" error, not at the SSL level, see below).
Returns:
>=1 on success, 0 and <0 on error. 0 means the underlying SSL connection was closed/shutdown. < 0 is returned for any SSL_ERROR (including WANT_READ or WANT_WRITE), but also for internal non SSL related errors (in this case -2 is returned and error==SSL_ERROR_NONE).

Definition at line 399 of file tls_server.c.

References tls_dump_verification_failure().

Referenced by ssl_flush(), tls_encode_f(), and tls_read_f().

int tls_encode_f(struct tcp_connection *c, const char **pbuf, unsigned int *plen, const char **rest_buf, unsigned int *rest_len, snd_flags_t *send_flags)

It is a callback that will be called by the tcp code before a send on TLS is attempted. It should replace the input buffer with a new static buffer containing the TLS processed data. If the input buffer could not be fully encoded (e.g. it ran out of space in the internal static buffer), it should set rest_buf and rest_len to the remaining part, so that it can be called again once the output has been used (sent). The send_flags used are also passed and they can be changed (e.g. to disallow a close() after a partial encode). WARNING: it must always be called with c->write_lock held!

Parameters:
c - tcp connection
pbuf - pointer to buffer (value/result, on success it will be replaced with a static buffer).
plen - pointer to buffer size (value/result, on success it will be replaced with the size of the replacement buffer).
rest_buf - (result) should be filled with a pointer to the remaining unencoded part of the original buffer if any, 0 otherwise.
rest_len - (result) should be filled with the length of the remaining unencoded part of the original buffer (0 if the original buffer was fully encoded).
send_flags - pointer to the send_flags that will be used for sending the message.
Returns:
*plen on success (>=0), < 0 on error.

Definition at line 661 of file tls_server.c.

References tls_accept(), tls_connect(), tls_ct_wq_add(), tls_fix_connection_unsafe(), tls_mbuf_init, and tls_set_mbufs().

static int tls_fix_connection(struct tcp_connection *c) [static]

It will check for low memory. If it returns success, c->extra_data is guaranteed to be !=0. WARNING: must _not_ be called with c->write_lock held (it will lock/unlock internally), see also tls_fix_connection_unsafe().

Returns:
0 on success, < 0 on error (complete init failed or out of memory).

Definition at line 256 of file tls_server.c.

References tls_complete_init().

Referenced by tls_read_f().

static int tls_fix_connection_unsafe(struct tcp_connection *c) [static]

It will check for low memory. If it returns success, c->extra_data is guaranteed to be !=0. WARNING: must be called with c->write_lock held.

Returns:
0 on success, < 0 on error (complete init failed or out of memory).

Definition at line 233 of file tls_server.c.

References tls_complete_init().

Referenced by tls_encode_f().

int tls_h_tcpconn_init(struct tcp_connection *c, int sock)

Called when a new tcp connection is accepted or connected. It completes the tcp connection initialisation by setting the tls specific parts. Note that ssl context creation and other expensive operations are left out (they are delayed until the first read/write). No locking is needed (when the connection is created no other process can access it).

Parameters:
c - tcp connection.
sock - socket (unused for now).
Returns:
0 on success, < 0 on error.

Definition at line 549 of file tls_server.c.

int tls_read_f(struct tcp_connection *c, int *flags)

Each modification of the ssl data structures has to be protected: another process might ask for the same connection and attempt to write to it, which would result in updating the ssl structures. WARNING: must be called with c->write_lock _unlocked_.

Parameters:
c - tcp connection pointer.
flags - value/result. The following flags might be set:
  input: RD_CONN_FORCE_EOF - force EOF after the first successful read (bytes_read >= 0).
  output: RD_CONN_SHORT_READ if the read exhausted all the bytes in the socket read buffer.
          RD_CONN_EOF if EOF was detected (0 bytes read) or forced via RD_CONN_FORCE_EOF.
          RD_CONN_REPEAT_READ if this function should be called again (e.g. it has some data buffered internally that didn't fit in tcp_req).
  Note: RD_CONN_SHORT_READ and RD_CONN_EOF should be cleared before calling this function when there is new data (e.g. POLLIN), but not if the call is retried because of RD_CONN_REPEAT_READ and there is no information about the socket having more read data available.
Returns:
bytes decrypted on success, -1 on error (it also sets some tcp connection flags and might set c->state and r->error on EOF or error).

Handling of the SSL_read() return value. There are 3 main cases, each with several sub-cases, depending on whether or not the output buffer was filled, whether there is still unconsumed input data in the input buffer (rd) and whether there is "cached" data in the internal openssl buffers.
0. error (n <= 0):
   SSL_ERROR_WANT_READ - input data fully consumed, no more returnable cached data inside openssl => exit.
   SSL_ERROR_WANT_WRITE - should never happen (the write buffer is big enough to handle any renegotiation).
   SSL_ERROR_ZERO_RETURN - ssl level shutdown => exit.
   Other errors are unexpected.
1. output buffer filled (n == bytes_free):
   1i. - still unconsumed input, nothing buffered by openssl.
   1ip. - unconsumed input + buffered data by openssl (pending on the next SSL_read).
   1p. - completely consumed input, buffered data internally by openssl (pending). Likely to happen; about the only case when SSL_pending() could be used (but only if readahead=0).
   1f. - consumed input, no buffered data.
2. output buffer not fully filled (n < bytes_free):
   2i. - still unconsumed input, nothing buffered by openssl. This can appear if SSL readahead is 0 (SSL_read() tries to get only 1 record from the input).
   2ip. - unconsumed input and buffered data by openssl. Unlikely to happen (e.g. readahead is 1, more records are buffered internally by openssl, but there was not enough space for buffering the whole input).
   2p. - consumed input, but buffered data by openssl. It happens especially when readahead is 1.
   2f. - consumed input, no buffered data.

One should repeat SSL_read() until an error is detected (0*) or the input and internal ssl buffers are fully consumed (1f or 2f). However, in general it is not possible to see whether SSL_read() could return more data. SSL_pending() has very limited usability (basically it would return !=0 only if there was not enough space in the output buffer and only if this did not happen at a record boundary). The solution is to repeat SSL_read() until an error occurs or until the output buffer is filled (0* or 1*). In the latter case, this whole function should be called again once there is more output space (set RD_CONN_REPEAT_READ).
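The read-loop policy above (repeat until error or until the output buffer is full, then ask to be called again), as an added example in plain C that is not the module's code: the decrypt step is abstracted behind a function pointer so a constructed fake can stand in for SSL_read(), and the RD_CONN_* bit values and the rd_err codes are assumptions.

```c
#include <string.h>

/* Flag names follow the tls_read_f() contract on this page; the bit values are assumed. */
#define RD_CONN_EOF         (1 << 1)
#define RD_CONN_REPEAT_READ (1 << 2)
#define RD_CONN_FORCE_EOF   (1 << 3)

/* Stand-ins for the SSL_get_error() codes the page discusses (assumed enum). */
enum rd_err { RD_OK = 0, RD_WANT_READ, RD_WANT_WRITE, RD_ZERO_RETURN, RD_OTHER };

/* Abstract SSL_read(): writes up to cap bytes into out, returns n > 0, or 0 with *err set. */
typedef int (*ssl_read_fn)(void *ctx, unsigned char *out, int cap, enum rd_err *err);

/* Repeat rd() until an error (case 0*) or the output buffer is full (case 1*).
 * Returns bytes decrypted, -1 on error; updates *flags the way tls_read_f() describes. */
static int tls_read_loop(ssl_read_fn rd, void *ctx, unsigned char *buf, int bytes_free, int *flags)
{
    int total = 0;
    *flags &= ~RD_CONN_REPEAT_READ;
    while (bytes_free > 0) {
        enum rd_err err = RD_OK;
        int n = rd(ctx, buf + total, bytes_free, &err);
        if (n > 0) { total += n; bytes_free -= n; continue; }
        if (err == RD_ZERO_RETURN) *flags |= RD_CONN_EOF;  /* TLS-level shutdown (close_notify) */
        else if (err != RD_WANT_READ) return -1;           /* WANT_WRITE or other: unexpected */
        break;                                             /* 0*: input consumed, nothing cached */
    }
    if (bytes_free == 0) *flags |= RD_CONN_REPEAT_READ;    /* 1*: openssl may hold pending data */
    if (*flags & RD_CONN_FORCE_EOF) *flags |= RD_CONN_EOF; /* forced EOF after a successful read */
    return total;
}

/* Constructed fake: hands out plaintext records of the given sizes, then a final status;
 * bytes that do not fit in cap stay buffered, like openssl's pending data. */
struct fake_ssl { const int *recs; int nrecs; int pos; int left; enum rd_err final; };

static int fake_read(void *ctx, unsigned char *out, int cap, enum rd_err *err)
{
    struct fake_ssl *f = ctx;
    if (f->left == 0) {
        if (f->pos >= f->nrecs) { *err = f->final; return 0; }
        f->left = f->recs[f->pos++];
    }
    int n = f->left < cap ? f->left : cap;
    memset(out, 'x', (size_t)n);
    f->left -= n;
    return n;
}
```

With a 150-byte output buffer and records of 100 and 200 bytes the loop returns 150 twice with RD_CONN_REPEAT_READ set, then 0 with the flag cleared once the fake reports WANT_READ.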

Definition at line 902 of file tls_server.c.

References tls_accept(), tls_connect(), tls_ct_wq_flush(), tls_fix_connection(), tls_mbuf_init, and tls_set_mbufs().

static int tls_set_mbufs(struct tcp_connection *c, struct tls_mbuf *rd, struct tls_mbuf *wr) [static]

WARNING: must be called with c->write_lock held.

Returns:
0 on success, -1 on error.

Definition at line 283 of file tls_server.c.

References tls_BIO_mbuf_set().

Referenced by tls_encode_f(), tls_h_close(), and tls_read_f().
