
- use the new tls hooks api (the core patch is no longer necessary)
- renamed some of tls_.* functions to tls_h_.* to avoid name conflicts with
the core
- fixed shutdown tls before tcp bug (if ser was stopped while tls connections
were still active, the tls module was destroyed before tcp => crash when
tcp tried to close the tls connections). Now all the destroy operations
are moved into the new destroy_tls hook and the module destroy function is
empty.

Andrei Pelinescu-Onciul 18 éve
szülő
commit
6a8994c40b

+ 6 - 1
modules/tls/Makefile

@@ -10,6 +10,11 @@ auto_gen=
 NAME=tls.so
 
 DEFS+= -I$(LOCALBASE)/ssl/include
-LIBS+= -L$(LOCALBASE)/lib -L$(LOCALBASE)/ssl/lib -lssl  -lcrypto
+LIBS+= -L$(LOCALBASE)/lib -L$(LOCALBASE)/ssl/lib -lssl  -lcrypto \
+	$(TLS_EXTRA_LIBS)
+# NOTE: depending on the way in which libssl was compiled you might
+#       have to add -lz -lkrb5   (zlib and kerberos5).
+#       E.g.: make TLS_HOOKS=1 TLS_EXTRA_LIBS="-lz -lkrb5"
+
 
 include ../../Makefile.modules

+ 23 - 0
modules/tls/tls_domain.c

@@ -119,6 +119,29 @@ void tls_free_cfg(tls_cfg_t* cfg)
 }
 
 
+
+void tls_destroy_cfg(void)
+{
+	tls_cfg_t* ptr;
+
+	if (tls_cfg_lock) {
+		lock_destroy(tls_cfg_lock);
+		lock_dealloc(tls_cfg_lock);
+	}
+
+	if (tls_cfg) {
+		while(*tls_cfg) {
+			ptr = *tls_cfg;
+			*tls_cfg = (*tls_cfg)->next;
+			tls_free_cfg(ptr);
+		}
+		
+		shm_free(tls_cfg);
+	}
+}
+
+
+
 /*
  * Print TLS domain identifier
  */
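Review bot: tls_destroy_cfg() frees tls_cfg_lock and tls_cfg but leaves both globals pointing at freed shared memory, so a second call would double-free and the `tls_cfg==0` test that this commit adds to mod_child would see a dangling pointer rather than NULL. Add `tls_cfg_lock = 0;` after `lock_dealloc(tls_cfg_lock);` and `tls_cfg = 0;` after `shm_free(tls_cfg);`. Whether the core can invoke the destroy_tls hook more than once I cannot tell from here, but nulling the pointers makes the function safe either way.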

+ 4 - 0
modules/tls/tls_domain.h

@@ -150,5 +150,9 @@ tls_domain_t* tls_lookup_cfg(tls_cfg_t* cfg, int type, struct ip_addr* ip, unsig
  */
 void tls_free_cfg(tls_cfg_t* cfg);
 
+/*
+ * Destroy all the config data
+ */
+void tls_destroy_cfg(void);
 
 #endif /* _TLS_DOMAIN_H */
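Review bot: The new comment on tls_destroy_cfg() undersells what the function does: per tls_domain.c it also destroys and deallocates tls_cfg_lock, so nothing may take the lock after it runs. Suggest `/* Destroy all the config data and the config lock; call once, at shutdown, after every user of tls_cfg_lock has finished */` so the ordering constraint is visible where callers look.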

+ 22 - 18
modules/tls/tls_init.c

@@ -125,7 +125,7 @@ static void ser_free(void *ptr)
 /*
  * Initialize TLS socket
  */
-int tls_init(struct socket_info *si)
+int tls_h_init_si(struct socket_info *si)
 {
 	int ret;
 	     /*
@@ -266,9 +266,9 @@ end:
 /*
  * First step of TLS initialization
  */
-int init_tls(void)
+int init_tls_h(void)
 {
-	struct socket_info* si;
+	/*struct socket_info* si;*/
 	long ssl_version;
 	int lib_kerberos;
 	int lib_zlib;
@@ -283,16 +283,16 @@ int init_tls(void)
 	/* check if version have the same major minor and fix level
 	 * (e.g. 0.9.8a & 0.9.8c are ok, but 0.9.8 and 0.9.9x are not) */
 	if ((ssl_version>>8)!=(OPENSSL_VERSION_NUMBER>>8)){
-		LOG(L_CRIT, "ERROR: tls: tls_init: installed openssl library version "
-				"is too different from the library the ser tls module was "
-				"compiled with: installed \"%s\" (0x%08lx), compiled \"%s\" "
-				"(0x%08lx).\n"
+		LOG(L_CRIT, "ERROR: tls: init_tls_h: installed openssl library "
+				"version is too different from the library the ser tls module "
+				"was compiled with: installed \"%s\" (0x%08lx), compiled "
+				"\"%s\" (0x%08lx).\n"
 				" Please make sure a compatible version is used"
 				" (tls_force_run in ser.cfg will override this check)\n",
 				SSLeay_version(SSLEAY_VERSION), ssl_version,
 				OPENSSL_VERSION_TEXT, (long)OPENSSL_VERSION_NUMBER);
 		if (tls_force_run)
-			LOG(L_WARN, "tls: tls_init: tls_force_run turned on, ignoring "
+			LOG(L_WARN, "tls: init_tls_h: tls_force_run turned on, ignoring "
 						" openssl version mismatch\n");
 		else
 			return -1; /* safer to exit */
@@ -321,11 +321,11 @@ int init_tls(void)
 		if (strstr(lib_cflags, "-DKRB5_"))
 			lib_kerberos=1;
 	}
-	LOG(L_INFO, "tls: tls_init:  compiled  with  openssl  version " 
+	LOG(L_INFO, "tls: _init_tls_h:  compiled  with  openssl  version " 
 				"\"%s\" (0x%08lx), kerberos support: %s, compression: %s\n",
 				OPENSSL_VERSION_TEXT, (long)OPENSSL_VERSION_NUMBER,
 				kerberos_support?"on":"off", comp_support?"on":"off");
-	LOG(L_INFO, "tls: tls_init: installed openssl library version "
+	LOG(L_INFO, "tls: init_tls_h: installed openssl library version "
 				"\"%s\" (0x%08lx), kerberos support: %s, "
 				" zlib compression: %s"
 				"\n %s\n",
@@ -335,7 +335,7 @@ int init_tls(void)
 				SSLeay_version(SSLEAY_CFLAGS));
 	if (lib_kerberos!=kerberos_support){
 		if (lib_kerberos!=-1){
-			LOG(L_CRIT, "ERROR: tls: tls_init: openssl compile options"
+			LOG(L_CRIT, "ERROR: tls: init_tls_h: openssl compile options"
 						" mismatch: library has kerberos support"
 						" %s and ser tls %s (unstable configuration)\n"
 						" (tls_force_run in ser.cfg will override this"
@@ -344,12 +344,12 @@ int init_tls(void)
 						kerberos_support?"enabled":"disabled"
 				);
 			if (tls_force_run)
-				LOG(L_WARN, "tls: tls_init: tls_force_run turned on, ignoring "
-						" kerberos support mismatch\n");
+				LOG(L_WARN, "tls: init_tls_h: tls_force_run turned on, "
+						"ignoring kerberos support mismatch\n");
 			else
 				return -1; /* exit, is safer */
 		}else{
-			LOG(L_WARN, "WARNING: tls: tls_init: openssl  compile options"
+			LOG(L_WARN, "WARNING: tls: init_tls_h: openssl  compile options"
 						" missing -- cannot detect if kerberos support is"
 						" enabled. Possible unstable configuration\n");
 		}
@@ -366,16 +366,17 @@ int init_tls(void)
 		return -1;
 	init_tls_compression();
 	#ifdef TLS_KSSL_WORKARROUND
-		LOG(L_WARN, "tls: init_tls: openssl kerberos malloc bug detected, "
+		LOG(L_WARN, "tls: init_tls_h: openssl kerberos malloc bug detected, "
 			" kerberos support will be disabled...\n");
 	#endif
 	SSL_library_init();
 	SSL_load_error_strings();
 	init_ssl_methods();
-
+#if 0
+	/* OBSOLETE: we are using the tls_h_init_si callback */
 	     /* Now initialize TLS sockets */
 	for(si = tls_listen; si; si = si->next) {
-		if (tls_init(si) < 0)  return -1;
+		if (tls_h_init_si(si) < 0)  return -1;
 		     /* get first ipv4/ipv6 socket*/
 		if ((si->address.af == AF_INET) &&
 		    ((sendipv4_tls == 0) || (sendipv4_tls->flags & SI_IS_LO))) {
@@ -387,6 +388,7 @@ int init_tls(void)
 		}
 #endif
 	}
+#endif
 
 	return 0;
 }
@@ -417,9 +419,11 @@ int tls_check_sockets(tls_cfg_t* cfg)
 /*
  * TLS cleanup when SER exits
  */
-void destroy_tls(void)
+void destroy_tls_h(void)
 {
+	DBG("tls module final tls destroy\n");
 	ERR_free_strings();
 	/* TODO: free all the ctx'es */
+	tls_destroy_cfg();
 	tls_destroy_locks();
 }
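Review bot: The renamed log prefix on the "compiled with openssl version" line reads `tls: _init_tls_h:` with a stray leading underscore, while every other message in this file now uses `tls: init_tls_h:`; change it to `LOG(L_INFO, "tls: init_tls_h:  compiled  with  openssl  version "`. The per-socket init loop is kept under `#if 0` with `/*struct socket_info* si;*/` above it; since tls_h_init_si is now registered as a hook, deleting the dead block instead of fencing it avoids it silently rotting. destroy_tls_h still carries the `TODO: free all the ctx'es` note while now calling tls_destroy_cfg(); I cannot see tls_free_cfg() from this hunk, so please confirm whether it releases the SSL_CTX objects or the TODO still stands.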

+ 3 - 3
modules/tls/tls_init.h

@@ -53,19 +53,19 @@ extern const SSL_METHOD* ssl_methods[];
 /*
  * just once, initialize the tls subsystem 
  */
-int init_tls(void);
+int init_tls_h(void);
 
 
 /*
  * just once before cleanup 
  */
-void destroy_tls(void);
+void destroy_tls_h(void);
 
 
 /*
  * for each socket 
  */
-int tls_init(struct socket_info *si);
+int tls_h_init_si(struct socket_info *si);
 
 /*
  * Make sure that all server domains in the configuration have corresponding

+ 30 - 35
modules/tls/tls_mod.c

@@ -36,6 +36,8 @@
  * 2003-04-06: db connection closed in mod_init (janakj)
  * 2004-06-06  updated to the new DB api, cleanup: static dbf & handler,
  *              calls to domain_db_{bind,init,close,ver} (andrei)
+ * 2007-02-09  updated to the new tls_hooks api and renamed tls hooks hanlder
+ *              functions to avoid conflicts: s/tls_/tls_h_/   (andrei)
  */
 
 #include <sys/types.h>
@@ -45,10 +47,10 @@
 #include "../../sr_module.h"
 #include "../../ip_addr.h"
 #include "../../trim.h"
-#include "../../transport.h"
 #include "../../globals.h"
 #include "../../timer_ticks.h"
 #include "../../timer.h" /* ticks_t */
+#include "../../tls_hooks.h"
 #include "tls_init.h"
 #include "tls_server.h"
 #include "tls_domain.h"
@@ -57,6 +59,13 @@
 #include "tls_rpc.h"
 #include "tls_mod.h"
 
+#ifndef TLS_HOOKS
+	#error "TLS_HOOKS must be defined, or the tls module won't work"
+#endif
+#ifdef CORE_TLS
+	#error "conflict: CORE_TLS must _not_ be defined"
+#endif
+
 
 /* maximum accepted lifetime (maximum possible is  ~ MAXINT/2)
  *  (it should be kept in sync w/ MAX_TCP_CON_LIFETIME from tcp_main.c:
@@ -220,24 +229,20 @@ struct module_exports exports = {
 
 
 
-transport_t tls_transport = {
-	PROTO_TLS,
-	STR_STATIC_INIT("TLS"),
-	TRANSPORT_SECURE | TRANSPORT_STREAM,
-	{ 
-		.tcp = {
-			tls_tcpconn_init,
-			tls_tcpconn_clean,
-			tls_close,
-			tls_blocking_write,
-			tls_read,
-			tls_fix_read_conn,
-		}
-	},
-	0
+static struct tls_hooks tls_h = {
+	tls_h_read,
+	tls_h_blocking_write,
+	tls_h_tcpconn_init,
+	tls_h_tcpconn_clean,
+	tls_h_close,
+	tls_h_fix_read_conn,
+	tls_h_init_si,
+	init_tls_h,
+	destroy_tls_h
 };
 
 
+
 #if 0
 /*
  * Create TLS configuration from modparams
@@ -258,6 +263,11 @@ static int mod_init(void)
 {
 	int method;
 
+	if (tls_disable){
+		LOG(L_WARN, "WARNING: tls: mod_init: tls support is disabled "
+				"(set enable_tls=1 in the config to enable it)\n");
+		return 0;
+	}
 	     /* Convert tls_method parameter to integer */
 	method = tls_parse_method(&tls_method);
 	if (method < 0) {
@@ -273,10 +283,10 @@ static int mod_init(void)
 	}
 	*tls_cfg = NULL;
 
-	tls = &tls_transport;
+	register_tls_hooks(&tls_h);
 	register_select_table(tls_sel);
 
-	if (init_tls() < 0) return -1;
+	 /* if (init_tls() < 0) return -1; */
 	
 	tls_cfg_lock = lock_alloc();
 	if (tls_cfg_lock == 0) {
@@ -323,6 +333,8 @@ static int mod_init(void)
 
 static int mod_child(int rank)
 {
+	if (tls_disable || (tls_cfg==0))
+		return 0;
 	/* fix tls config only from the main proc., when we know 
 	 * the exact process number */
 	if (rank == PROC_MAIN){
@@ -340,21 +352,4 @@ static int mod_child(int rank)
 
 static void destroy(void)
 {
-	tls_cfg_t* ptr;
-
-	if (tls_cfg_lock) {
-		lock_destroy(tls_cfg_lock);
-		lock_dealloc(tls_cfg_lock);
-	}
-
-	if (tls_cfg) {
-		while(*tls_cfg) {
-			ptr = *tls_cfg;
-			*tls_cfg = (*tls_cfg)->next;
-			tls_free_cfg(ptr);
-		}
-		
-		shm_free(tls_cfg);
-	}
-	destroy_tls();
 }
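Review bot: The `struct tls_hooks tls_h` initializer is positional, so the binding of each tls_h_* callback depends on the member order in ../../tls_hooks.h; a reordering there compiles cleanly and silently wires, say, tls_h_close into the read slot. The removed transport_t initializer already used a designated member (`.tcp = {`), so designated initializers (`.read = tls_h_read, ...` with the member names from tls_hooks.h, which I cannot see here) are available in this codebase and would turn such a mismatch into a compile error. The commented-out `/* if (init_tls() < 0) return -1; */` in mod_init references the old name and should be deleted now that init_tls_h runs through the hook. Whether register_tls_hooks() can fail I cannot tell from here; if it returns a status, mod_init should check it before continuing.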

+ 7 - 7
modules/tls/tls_server.c

@@ -587,7 +587,7 @@ static int tls_write(struct tcp_connection *c, const void *buf, size_t len, int*
  * access to it yet, this is called before adding the tcp_connection
  * structure into the hash 
  */
-int tls_tcpconn_init(struct tcp_connection *c, int sock)
+int tls_h_tcpconn_init(struct tcp_connection *c, int sock)
 {
 	c->type = PROTO_TLS;
 	c->rcv.proto = PROTO_TLS;
@@ -600,7 +600,7 @@ int tls_tcpconn_init(struct tcp_connection *c, int sock)
 /*
  * clean the extra data upon connection shut down 
  */
-void tls_tcpconn_clean(struct tcp_connection *c)
+void tls_h_tcpconn_clean(struct tcp_connection *c)
 {
 	struct tls_extra_data* extra;
 	/*
@@ -623,7 +623,7 @@ void tls_tcpconn_clean(struct tcp_connection *c)
 /*
  * perform one-way shutdown, do not wait fro notify from the remote peer 
  */
-void tls_close(struct tcp_connection *c, int fd)
+void tls_h_close(struct tcp_connection *c, int fd)
 {
 	     /*
 	      * runs within global tcp lock 
@@ -643,8 +643,8 @@ void tls_close(struct tcp_connection *c, int fd)
 /*
  * fixme: probably does not work correctly 
  */
-size_t tls_blocking_write(struct tcp_connection *c, int fd, const char *buf,
-			  size_t len)
+int tls_h_blocking_write(struct tcp_connection *c, int fd, const char *buf,
+			  unsigned int len)
 {
 	int err, n, ticks, tout;
 	fd_set sel_set;
@@ -748,7 +748,7 @@ again:
  * connection and attempt write to it which would result in updating the
  * ssl structures 
  */
-size_t tls_read(struct tcp_connection * c)
+int tls_h_read(struct tcp_connection * c)
 {
 	struct tcp_req* r;
 	int bytes_free, bytes_read, err, ssl_err;
@@ -829,7 +829,7 @@ size_t tls_read(struct tcp_connection * c)
  * does not transit a connection into S_CONN_OK then tcp layer would not
  * call tcp_read 
  */
-int tls_fix_read_conn(struct tcp_connection *c)
+int tls_h_fix_read_conn(struct tcp_connection *c)
 {
 	int ret;
 	ret = 0;

+ 7 - 7
modules/tls/tls_server.h

@@ -49,23 +49,23 @@ void tls_print_errstack(void);
 /*
  * Called when new tcp connection is accepted 
  */
-int tls_tcpconn_init(struct tcp_connection *c, int sock);
+int tls_h_tcpconn_init(struct tcp_connection *c, int sock);
 
 /*
  * clean the extra data upon connection shut down 
  */
-void tls_tcpconn_clean(struct tcp_connection *c);
+void tls_h_tcpconn_clean(struct tcp_connection *c);
 
 /*
  * shut down the TLS connection 
  */
-void tls_close(struct tcp_connection *c, int fd);
+void tls_h_close(struct tcp_connection *c, int fd);
 
-size_t tls_blocking_write(struct tcp_connection *c, int fd,
-			  const char *buf, size_t len);
+int tls_h_blocking_write(struct tcp_connection *c, int fd,
+			  const char *buf, unsigned int len);
 
-size_t tls_read(struct tcp_connection *c);
+int tls_h_read(struct tcp_connection *c);
 
-int tls_fix_read_conn(struct tcp_connection *c);
+int tls_h_fix_read_conn(struct tcp_connection *c);
 
 #endif /* _TLS_SERVER_H */
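Review bot: tls_h_blocking_write and tls_h_read are the only declarations in this block without a comment, and their return type just changed from size_t to int, so the sign convention is worth stating where callers look. Suggest above each: `/* returns the number of bytes written/read, or a negative value on error (TODO confirm against tls_server.c) */`; the bodies are outside this hunk so I cannot confirm the exact error value. The `len` parameter also narrowed from size_t to unsigned int; if a caller could pass a length above INT_MAX, an int return cannot report a complete write, which belongs in the same comment.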