
tls: clean-up of ENGINE

- remove tls_map.* - not needed anymore
- install the ENGINE-backed private key in each worker's own SSL_CTX;
  it no longer needs to be replicated to all processes
S-P Chan 1 éve
commit
5933893b91

+ 9 - 44
src/modules/tls/tls_domain.c

@@ -37,7 +37,6 @@
 
 #ifdef KSR_SSL_ENGINE
 #include <openssl/engine.h>
-#include "tls_map.h"
 extern EVP_PKEY *tls_engine_private_key(const char *key_id);
 #endif /* KSR_SSL_ENGINE */
 
@@ -1229,31 +1228,6 @@ err:
 }
 
 #ifdef KSR_SSL_ENGINE
-/*
- * Implement a hash map from SSL_CTX to private key
- * as HSM keys need to be process local
- */
-static map_void_t private_key_map;
-
-/**
- * @brief Return a private key from the lookup table
- * @param p SSL_CTX*
- * @return EVP_PKEY on success, NULL on error
- */
-EVP_PKEY *tls_lookup_private_key(SSL_CTX *ctx)
-{
-	void *pkey;
-	char ctx_str[64];
-	snprintf(ctx_str, 64, "SSL_CTX-%p", ctx);
-	pkey = map_get(&private_key_map, ctx_str);
-	LM_DBG("Private key lookup for %s: %p\n", ctx_str, pkey);
-	if(pkey)
-		return *(EVP_PKEY **)pkey;
-	else
-		return NULL;
-}
-
-
 /**
  * @brief Load a private key from an OpenSSL engine
  * @param d TLS domain
@@ -1274,8 +1248,6 @@ static int load_engine_private_key(tls_domain_t *d)
 {
 	int idx, ret_pwd, i;
 	EVP_PKEY *pkey = 0;
-	int procs_no;
-	char ctx_str[64];
 
 	if(!d->pkey_file.s || !d->pkey_file.len) {
 		DBG("%s: No private key specified\n", tls_domain_str(d));
@@ -1283,22 +1255,15 @@ static int load_engine_private_key(tls_domain_t *d)
 	}
 	if(strncmp(d->pkey_file.s, "/engine:", 8) != 0)
 		return 0;
-	procs_no = get_max_procs();
-	for(i = 0; i < procs_no; i++) {
-		snprintf(ctx_str, 64, "SSL_CTX-%p", d->ctx[i]);
+
+	do {
+		i = process_no;
 		for(idx = 0, ret_pwd = 0; idx < 3; idx++) {
-			if(i) {
-				map_set(&private_key_map, ctx_str, pkey);
-				ret_pwd = 1;
+			pkey = tls_engine_private_key(d->pkey_file.s + 8);
+			if(pkey) {
+				ret_pwd = SSL_CTX_use_PrivateKey(d->ctx[i], pkey);
 			} else {
-				pkey = tls_engine_private_key(d->pkey_file.s + 8);
-				if(pkey) {
-					map_set(&private_key_map, ctx_str, pkey);
-					// store the key for i = 0 to perform certificate sanity check
-					ret_pwd = SSL_CTX_use_PrivateKey(d->ctx[i], pkey);
-				} else {
-					ret_pwd = 0;
-				}
+				ret_pwd = 0;
 			}
 			if(ret_pwd) {
 				break;
@@ -1316,14 +1281,14 @@ static int load_engine_private_key(tls_domain_t *d)
 			TLS_ERR("load_private_key:");
 			return -1;
 		}
-		if(i == 0 && !SSL_CTX_check_private_key(d->ctx[i])) {
+		if(!SSL_CTX_check_private_key(d->ctx[i])) {
 			ERR("%s: Key '%s' does not match the public key of the"
 				" certificate\n",
 					tls_domain_str(d), d->pkey_file.s);
 			TLS_ERR("load_engine_private_key:");
 			return -1;
 		}
-	}
+	} while(0);
 
 
 	LM_INFO("%s: Key '%s' successfully loaded\n", tls_domain_str(d),
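Review bot: The EVP_PKEY reference obtained at `pkey = tls_engine_private_key(d->pkey_file.s + 8);` is never released after `ret_pwd = SSL_CTX_use_PrivateKey(d->ctx[i], pkey);` — that call takes its own reference, so unless the key is freed further down (the rest of load_engine_private_key is outside the hunk) one engine key handle leaks per call; the old code kept the reference alive on purpose for the per-connection map lookup that this commit removes, so that reason is gone. Add `EVP_PKEY_free(pkey);` right after the SSL_CTX_use_PrivateKey call (on both the success and failure branch of the retry loop) and let the SSL_CTX own the only remaining reference. The `do { i = process_no; ... } while(0);` wrapper is a leftover of the removed per-process `for` loop and no longer does anything — the `break` statements belong to the inner `idx` loop — so it reads more clearly as straight-line code indexing `d->ctx[process_no]` directly. Since the key is now installed only into the calling process's SSL_CTX, correctness of tls_accept/tls_connect in the other workers depends on this function running in every worker (the call site is not in this diff); a one-line comment above the function stating that, e.g. `/* must run in each worker: installs the engine key only into d->ctx[process_no] */`, would save the next reader a search.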

+ 0 - 213
src/modules/tls/tls_map.c

@@ -1,213 +0,0 @@
-/**
- * Copyright (c) 2014 rxi
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the MIT license. See LICENSE for details.
- */
-
-#include <stdlib.h>
-#include <string.h>
-
-#include "../../core/mem/mem.h"
-#include "tls_map.h"
-
-struct map_node_t
-{
-	unsigned hash;
-	void *value;
-	map_node_t *next;
-	/* char key[]; */
-	/* char value[]; */
-};
-
-
-static unsigned map_hash(const char *str)
-{
-	unsigned hash = 5381;
-	while(*str) {
-		hash = ((hash << 5) + hash) ^ *str++;
-	}
-	return hash;
-}
-
-
-static map_node_t *map_newnode(const char *key, void *value, int vsize)
-{
-	map_node_t *node;
-	int ksize = strlen(key) + 1;
-	int voffset = ksize + ((sizeof(void *) - ksize) % sizeof(void *));
-	node = pkg_malloc(sizeof(*node) + voffset + vsize);
-	if(!node)
-		return NULL;
-	memcpy(node + 1, key, ksize);
-	node->hash = map_hash(key);
-	node->value = ((char *)(node + 1)) + voffset;
-	memcpy(node->value, value, vsize);
-	return node;
-}
-
-
-static int map_bucketidx(map_base_t *m, unsigned hash)
-{
-	/* If the implementation is changed to allow a non-power-of-2 bucket count,
-   * the line below should be changed to use mod instead of AND */
-	return hash & (m->nbuckets - 1);
-}
-
-
-static void map_addnode(map_base_t *m, map_node_t *node)
-{
-	int n = map_bucketidx(m, node->hash);
-	node->next = m->buckets[n];
-	m->buckets[n] = node;
-}
-
-
-static int map_resize(map_base_t *m, int nbuckets)
-{
-	map_node_t *nodes, *node, *next;
-	map_node_t **buckets;
-	int i;
-	/* Chain all nodes together */
-	nodes = NULL;
-	i = m->nbuckets;
-	while(i--) {
-		node = (m->buckets)[i];
-		while(node) {
-			next = node->next;
-			node->next = nodes;
-			nodes = node;
-			node = next;
-		}
-	}
-	/* Reset buckets */
-	buckets = realloc(m->buckets, sizeof(*m->buckets) * nbuckets);
-	if(buckets != NULL) {
-		m->buckets = buckets;
-		m->nbuckets = nbuckets;
-	}
-	if(m->buckets) {
-		memset(m->buckets, 0, sizeof(*m->buckets) * m->nbuckets);
-		/* Re-add nodes to buckets */
-		node = nodes;
-		while(node) {
-			next = node->next;
-			map_addnode(m, node);
-			node = next;
-		}
-	}
-	/* Return error code if realloc() failed */
-	return (buckets == NULL) ? -1 : 0;
-}
-
-
-static map_node_t **map_getref(map_base_t *m, const char *key)
-{
-	unsigned hash = map_hash(key);
-	map_node_t **next;
-	if(m->nbuckets > 0) {
-		next = &m->buckets[map_bucketidx(m, hash)];
-		while(*next) {
-			if((*next)->hash == hash && !strcmp((char *)(*next + 1), key)) {
-				return next;
-			}
-			next = &(*next)->next;
-		}
-	}
-	return NULL;
-}
-
-
-void map_deinit_(map_base_t *m)
-{
-	map_node_t *next, *node;
-	int i;
-	i = m->nbuckets;
-	while(i--) {
-		node = m->buckets[i];
-		while(node) {
-			next = node->next;
-			pkg_free(node);
-			node = next;
-		}
-	}
-	pkg_free(m->buckets);
-}
-
-
-void *map_get_(map_base_t *m, const char *key)
-{
-	map_node_t **next = map_getref(m, key);
-	return next ? (*next)->value : NULL;
-}
-
-
-int map_set_(map_base_t *m, const char *key, void *value, int vsize)
-{
-	int n, err;
-	map_node_t **next, *node;
-	/* Find & replace existing node */
-	next = map_getref(m, key);
-	if(next) {
-		memcpy((*next)->value, value, vsize);
-		return 0;
-	}
-	/* Add new node */
-	node = map_newnode(key, value, vsize);
-	if(node == NULL)
-		goto fail;
-	if(m->nnodes >= m->nbuckets) {
-		n = (m->nbuckets > 0) ? (m->nbuckets << 1) : 1;
-		err = map_resize(m, n);
-		if(err)
-			goto fail;
-	}
-	map_addnode(m, node);
-	m->nnodes++;
-	return 0;
-fail:
-	if(node)
-		pkg_free(node);
-	return -1;
-}
-
-
-void map_remove_(map_base_t *m, const char *key)
-{
-	map_node_t *node;
-	map_node_t **next = map_getref(m, key);
-	if(next) {
-		node = *next;
-		*next = (*next)->next;
-		pkg_free(node);
-		m->nnodes--;
-	}
-}
-
-
-map_iter_t map_iter_(void)
-{
-	map_iter_t iter;
-	iter.bucketidx = -1;
-	iter.node = NULL;
-	return iter;
-}
-
-
-const char *map_next_(map_base_t *m, map_iter_t *iter)
-{
-	if(iter->node) {
-		iter->node = iter->node->next;
-		if(iter->node == NULL)
-			goto nextBucket;
-	} else {
-	nextBucket:
-		do {
-			if(++iter->bucketidx >= m->nbuckets) {
-				return NULL;
-			}
-			iter->node = m->buckets[iter->bucketidx];
-		} while(iter->node == NULL);
-	}
-	return (char *)(iter->node + 1);
-}

+ 0 - 77
src/modules/tls/tls_map.h

@@ -1,77 +0,0 @@
-/**
- * Copyright (c) 2014 rxi
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the MIT license. See LICENSE for details.
- */
-
-#ifndef _TLS_MAP_H
-#define _TLS_MAP_H
-
-#include <string.h>
-
-#define MAP_VERSION "0.1.0"
-
-struct map_node_t;
-typedef struct map_node_t map_node_t;
-
-typedef struct
-{
-	map_node_t **buckets;
-	unsigned nbuckets, nnodes;
-} map_base_t;
-
-typedef struct
-{
-	unsigned bucketidx;
-	map_node_t *node;
-} map_iter_t;
-
-
-#define map_t(T)         \
-	struct               \
-	{                    \
-		map_base_t base; \
-		T *ref;          \
-		T tmp;           \
-	}
-
-
-#define map_init(m) memset(m, 0, sizeof(*(m)))
-
-
-#define map_deinit(m) map_deinit_(&(m)->base)
-
-
-#define map_get(m, key) ((m)->ref = map_get_(&(m)->base, key))
-
-
-#define map_set(m, key, value) \
-	((m)->tmp = (value), map_set_(&(m)->base, key, &(m)->tmp, sizeof((m)->tmp)))
-
-
-#define map_remove(m, key) map_remove_(&(m)->base, key)
-
-
-#define map_iter(m) map_iter_()
-
-
-#define map_next(m, iter) map_next_(&(m)->base, iter)
-
-
-void map_deinit_(map_base_t *m);
-void *map_get_(map_base_t *m, const char *key);
-int map_set_(map_base_t *m, const char *key, void *value, int vsize);
-void map_remove_(map_base_t *m, const char *key);
-map_iter_t map_iter_(void);
-const char *map_next_(map_base_t *m, map_iter_t *iter);
-
-
-typedef map_t(void *) map_void_t;
-typedef map_t(char *) map_str_t;
-typedef map_t(int) map_int_t;
-typedef map_t(char) map_char_t;
-typedef map_t(float) map_float_t;
-typedef map_t(double) map_double_t;
-
-#endif /* _TLS_MAP_H */

+ 2 - 18
src/modules/tls/tls_server.c

@@ -427,11 +427,6 @@ static void tls_dump_cert_info(char *s, X509 *cert)
 	}
 }
 
-
-#ifdef KSR_SSL_ENGINE
-// lookup HSM keys in process-local memory
-EVP_PKEY *tls_lookup_private_key(SSL_CTX *);
-#endif /* KSR_SSL_ENGINE */
 /** wrapper around SSL_accept, usin SSL return convention.
  * It will also log critical errors and certificate debugging info.
  * @param c - tcp connection with tls (extra_data must be a filled
@@ -462,12 +457,7 @@ int tls_accept(struct tcp_connection *c, int *error)
 		BUG("Invalid connection state %d (bug in TLS code)\n", tls_c->state);
 		goto err;
 	}
-#ifdef KSR_SSL_ENGINE
-	/* check if we have a HSM key */
-	EVP_PKEY *pkey = tls_lookup_private_key(SSL_get_SSL_CTX(ssl));
-	if(pkey)
-		SSL_use_PrivateKey(ssl, pkey);
-#endif /* KSR_SSL_ENGINE */
+
 	tls_openssl_clear_errors();
 	ret = SSL_accept(ssl);
 	if(unlikely(ret == 1)) {
@@ -532,13 +522,7 @@ int tls_connect(struct tcp_connection *c, int *error)
 		BUG("Invalid connection state %d (bug in TLS code)\n", tls_c->state);
 		goto err;
 	}
-#ifdef KSR_SSL_ENGINE
-	// lookup HSM private key in process-local memory
-	EVP_PKEY *pkey = tls_lookup_private_key(SSL_get_SSL_CTX(ssl));
-	if(pkey) {
-		SSL_use_PrivateKey(ssl, pkey);
-	}
-#endif
+
 	tls_openssl_clear_errors();
 	ret = SSL_connect(ssl);
 	if(unlikely(ret == 1)) {