Ejemplo n.º 1
0
/*
 * initialize tls virtual domains
 */
int
init_tls_domains(struct tls_domain *d)
{
	struct tls_domain *dom;

	dom = d;
	while (d) {
		if (d->name.len) {
			LM_INFO("Processing TLS domain '%.*s'\n",
				d->name.len, ZSW(d->name.s));
		} else {
			LM_INFO("Processing TLS domain [%s:%d]\n",
				ip_addr2a(&d->addr), d->port);
		}

		/*
		* set method
		*/
		if (d->method == TLS_METHOD_UNSPEC) {
			LM_DBG("no method for tls[%s:%d], using default\n",
				ip_addr2a(&d->addr), d->port);
			d->method = tls_method;
		}

		/*
		* create context
		*/
		d->ctx = SSL_CTX_new(ssl_methods[d->method - 1]);
		if (d->ctx == NULL) {
			LM_ERR("cannot create ssl context for "
				"tls[%s:%d]\n", ip_addr2a(&d->addr), d->port);
			return -1;
		}
		if (init_ssl_ctx_behavior( d ) < 0)
			return -1;

		/*
		* load certificate
		*/
		if (!d->cert_file) {
			LM_NOTICE("no certificate for tls[%s:%d] defined, using default"
					"'%s'\n", ip_addr2a(&d->addr), d->port,	tls_cert_file);
			d->cert_file = tls_cert_file;
		}
		if (load_certificate(d->ctx, d->cert_file) < 0)
			return -1;

		/*
		* load ca
		*/
		if (!d->ca_file) {
			LM_NOTICE("no CA for tls[%s:%d] defined, "
				"using default '%s'\n", ip_addr2a(&d->addr), d->port,
				tls_ca_file);
			d->ca_file = tls_ca_file;
		}
		if (d->ca_file && load_ca(d->ctx, d->ca_file) < 0)
			return -1;

		/*
		* load ca from directory
		*/
		if (!d->ca_directory) {

			LM_NOTICE("no CA for tls[%s:%d] defined, "
				"using default '%s'\n", ip_addr2a(&d->addr), d->port,
				 tls_ca_dir);
			d->ca_directory = tls_ca_dir;
		}

		if (d->ca_directory && load_ca_dir(d->ctx, d->ca_directory) < 0)
			return -1;

		d = d->next;
	}

	/*
	* load all private keys as the last step (may prompt for password)
	*/
	d = dom;
	while (d) {
		if (!d->pkey_file) {
			LM_NOTICE("no private key for tls[%s:%d] defined, using default"
					"'%s'\n", ip_addr2a(&d->addr), d->port, tls_pkey_file);
			d->pkey_file = tls_pkey_file;
		}
		if (load_private_key(d->ctx, d->pkey_file) < 0)
			return -1;
		d = d->next;
	}
	return 0;
}
Ejemplo n.º 2
0
/*
 * called once from main.c (main process) 
 */
int
init_tls(void)
{
	struct tls_domain *d;
	DBG("init_tls: Entered\n");
#if OPENSSL_VERSION_NUMBER < 0x00907000L
	LOG(L_ERR, "WARNING! You are using an old version of OpenSSL (< 0.9.7). Upgrade!\n");
#endif
	LOG(L_ALERT, "WARNING! TLS is considered as an EXPERIMENTAL module\n" );	
	/*
		* this has to be called before any function calling CRYPTO_malloc,
		* CRYPTO_malloc will set allow_customize in openssl to 0 
		*/
	if (!CRYPTO_set_mem_functions(ser_malloc, ser_realloc, ser_free)) {
		LOG(L_ERR,
			"init_tls: Unable to set the memory allocation functions\n");
		return -1;
	}
	
	SSL_library_init();
	SSL_load_error_strings();
	init_ssl_methods();

	/*
	 * initialize default context first 
	 */
	default_ctx = SSL_CTX_new(ssl_methods[tls_method - 1]);
	if (default_ctx == NULL) {
		LOG(L_ERR, "init_tls: Cannot create default ssl context\n");
		return -1;
	}
	init_ssl_ctx_behavior( default_ctx );
	if (load_certificate(default_ctx, tls_cert_file) < 0)
		return -1;
	if (tls_ca_file && load_ca(default_ctx, tls_ca_file) < 0)
		return -1;
	if (load_private_key(default_ctx, tls_pkey_file) < 0)
		return -1;

	/*
	 * now initialize tls virtual domains 
	 */
	d = tls_domains;
	while (d) {
		DBG("init_tls: Processing TLS domain [%s:%d]\n",
				ip_addr2a(&d->addr), d->port);
		/*
		* create context 
		*/
		if (d->method == TLS_METHOD_UNSPEC) {
			DBG("init_tls: No method for tls[%s:%d], using default\n",
			ip_addr2a(&d->addr), d->port);
			d->method = tls_method;
		}
	
		d->ctx = SSL_CTX_new(ssl_methods[d->method - 1]);
		if (d->ctx == NULL) {
			LOG(L_ERR,
				"init_tls: Cannot create ssl context for tls[%s:%d]\n",
				ip_addr2a(&d->addr), d->port);
			return -1;
		}
		init_ssl_ctx_behavior( d->ctx );
		/*
		* load certificate 
		*/
		if (!d->cert_file) {
			LOG(L_NOTICE,
				"init_tls: No certificate for tls[%s:%d] defined, using default '%s'\n",
				ip_addr2a(&d->addr), d->port, tls_cert_file);
			d->cert_file = tls_cert_file;
		}
		if (load_certificate(d->ctx, d->cert_file) < 0)
			return -1;
	
		/*
		* load ca 
		*/
		if (!d->ca_file) {
			LOG(L_NOTICE,
				"init_tls: No CA for tls[%s:%d] defined, using default '%s'\n",
				ip_addr2a(&d->addr), d->port, tls_ca_file);
			d->ca_file = tls_ca_file;
		}
		if (d->ca_file && load_ca(d->ctx, d->ca_file) < 0)
			return -1;
		d = d->next;
	}

	/*
		* load all private keys as the last step (may prompt for password) 
		*/
	d = tls_domains;
	while (d) {
		if (!d->pkey_file) {
			LOG(L_NOTICE,
				"init_tls: No private key for tls[%s:%d] defined, using default '%s'\n",
				ip_addr2a(&d->addr), d->port, tls_pkey_file);
			d->pkey_file = tls_pkey_file;
		}
		if (load_private_key(d->ctx, d->pkey_file) < 0)
			return -1;
		d = d->next;
	}
	/*
	 * we are all set 
	 */
	return 0;
}