Merge ser tls module into the sip-router repository

* commit 'ser/modules/tls': (50 commits)
  - a set of minimalistic config files for testing purposes
  - tls module todo
  - default key and certificate names changed to ser-selfsigned*
  - updated to the latest changes in the cfg parser
  - Use the new configuration file parser
  - fixed includes (rm malloc.h) due to portability problems
  - shm_str_dup and shm_asciiz_dup set the destination buffer to NULL if
  - Convert all relative pathnames of files to absolute with
  - modified function get_pathname to return path relative to the
  - support for setting the source address in tcp_send() and tcpconn_get()
  - updated all the child_init users to ignore or treat specially the
  - added low_mem_threshold1 & low_mem_threshold2 (the ammount of free memory
  - tls: tls_update_fd improvement - use SSL_set_fd only when the connection is
  - workaround for openssl bug #1491 (multiple problems on low memory): tls
  -  malloc debugging for openssl and random malloc null returns turened off
  - added tls module documentation (not yet complete, still missing select, rpc and better tls.cfg description).
  - make tar doesn't exclude tls*, but instead tls/*
  - call tls_shutdown() only if tls_set_fd() was succesfull
  - tls: openssl kerberos malloc bug (# 1467) fixed on cvs (0.9.8e-dev and 0.9.9-dev), so add extra checks for enabling the workarround (which disables kerberos) only when necessary:  if openssl compiled with kerberos support, and openssl < 0.9.8e-beta1 or openssl between 0.9.9-dev and 0.9.9-beta1 apply workarround.
  - tls-core.patch removed (no longer necessary)
  ...

modules/tls/Makefile

@@ -0,0 +1,20 @@
+# Makefile v 1.0 2002/12/27
+#
+# TLS module makefile
+#
+# 
+# WARNING: do not run this directly, it should be run by the master Makefile
+
+include ../../Makefile.defs
+auto_gen=
+NAME=tls.so
+
+DEFS+= -I$(LOCALBASE)/ssl/include
+LIBS+= -L$(LOCALBASE)/lib -L$(LOCALBASE)/ssl/lib -lssl  -lcrypto \
+	$(TLS_EXTRA_LIBS)
+# NOTE: depending on the way in which libssl was compiled you might
+#       have to add -lz -lkrb5   (zlib and kerberos5).
+#       E.g.: make TLS_HOOKS=1 TLS_EXTRA_LIBS="-lz -lkrb5"
+
+
+include ../../Makefile.modules

modules/tls/README

@@ -0,0 +1,573 @@
+
+TLS Module
+
+Andrei Pelinescu-Onciul
+
+   iptelorg GmbH
+
+   Copyright © 2007 iptelorg GmbH
+   Revision History
+   Revision $Revision$ $Date$
+     _________________________________________________________________
+
+Overview
+
+   This module implements the TLS transport for ser using the openssl
+   library (http://www.openssl.org). To enable the TLS support this
+   module must be loaded and enable_tls=yes must be added to the ser
+   config file
+
+Quick Start
+
+   Make sure you have a proper certificate and private key and either use
+   the certificate and private_key module parameters, or make sure the
+   certificate and key are in the same PEM file, named cert.pem an placed
+   in [your-cfg-install-prefix]/etc/ser/. Don't forget to load the tls
+   module and to enable tls (add enable_tls=yes to your config).
+
+   Example 1. quick start config
+#...
+loadmodule "modules/tls/tls.so"
+
+modparam("tls", "private_key", "./andrei-test.pem")
+modparam("tls", "certificate", "./andrei-test.pem")
+modparam("tls", "ca_list", "./calist.pem")
+
+enable_tls=yes
+
+route{
+        # ....
+}
+
+Important Notes
+
+   The tls module needs some special options enabled when compiling ser.
+   These options are enabled by default, however in case you're using a
+   modified ser version or Makefile, make sure that you enable -DUSE_TLS
+   and -DTLS_HOOKS (or compile with make TLS_HOOKS=1 which will take care
+   of both options). To quickly check if your ser version was compiled
+   with these options, run ser -V and look for USE_TLS and TLS_HOOKS
+   among the flags.
+
+   This module includes several workarounds for various openssl bugs
+   (like compression and kerberos using the wrong memory allocations
+   functions, low memory problems a.s.o). On startup it will try to
+   enable the needed workarounds based on the openssl library version.
+   Each time a known problem is detected and a workaround is enabled, a
+   message will be logged. In general it is recommended to compile this
+   module on the same machine or a similar machine to where ser will be
+   run or to link it statically with libssl. For example if on the
+   compile machine openssl does not have the kerberos support enabled,
+   but on the target machine a kerberos enabled openssl library is
+   installed, ser cannot apply the needed workarounds and will refuse to
+   start. The same thing will happen if the openssl versions are too
+   different (to force ser startup anyway, see the tls_force_run module
+   parameter).
+
+   Try to avoid using keys larger then 1024 bytes. Large keys
+   significantly slow down the TLS connection handshake, thus limiting
+   the maximum ser TLS connection rate.
+
+   Compression is fully supported and used by default, if you have a new
+   enough openssl version (starting with 0.9.8). Although there are some
+   problems with zlib compression in currently deployed openssl versions
+   (up to and including 0.9.8d, see openssl bug #1468), the tls module
+   will automatically switch to its own fixed version. There's no need to
+   force-disable the compression.
+
+   The tls module includes workarounds for the following known openssl
+   bugs: openssl #1204 (disable SS_OP_TLS_BLOCK_PADDING_BUG if
+   compression is enabled, for versions between 0.9.8 and 0.9.8c),
+   openssl #1468 (fix zlib compression memory allocation), openssl #1467
+   (kerberos support will be disabled if the openssl version is less than
+   0.9.8e-beta1) and openssl #1491 (stop using tls in low memory
+   situations due to the very high risk of openssl crashing or leaking
+   memory). The bug reports can be viewed at http://rt.openssl.org/.
+
+Compiling the TLS Module
+
+   In most case compiling the TLS module is as simple as:
+make modules modules=modules/tls
+
+   or
+cd modules/tls
+make
+
+   or (compiling whole ser and the tls module)
+make all include_modules=tls
+
+   .
+
+   However in some cases the openssl library requires linking with other
+   libraries. For example compiling the openssl library with kerberos and
+   zlib-shared support will require linking the tls module with libkrb5
+   and libz. In this case just add TLS_EXTRA_LIBS="library list" to
+   make's command line. E.g.:
+make TLS_EXTRA_LIBS="-lkrb5 -lz" all include_modules=tls
+
+   In general, if ser fails to start with a symbol not found error when
+   trying to load the tls module (check the log), it means some needed
+   library was not linked and it must be added to TLS_EXTRA_LIBS
+
+TLS and Low Memory
+
+   The openssl library doesn't handle very well low memory situations. If
+   memory allocations start to fail (due to memory shortage), openssl can
+   crash or cause memory leaks (making the memory shortage even worse).
+   As of this writing all openssl versions were affected (includind
+   0.9.8e), see openssl bug #1491. The tls module has some workarounds
+   for preventing this problem (see low_mem_treshold1 and
+   low_mem_threshold2), however starting ser with enough shared memory is
+   higly recommended. When this is not possible a quick way to
+   significantly reduce openssl memory usage it to disable compression
+   (see tls_disable_compression).
+
+Known Limitations
+
+   The private key must not encrypted (ser cannot ask you for a password
+   on startup).
+
+   The tls certificate verifications ignores the certificate name,
+   altname and ip extensions, it just checks if the certificate is signed
+   by a recognized CA. One can use the select framework to try to
+   overcome this limitation (check in the script for the contents of
+   various certificate fields), but this is not only slow, but also not
+   exactly standard conforming (the verification should happen during TLS
+   connection establishment and not after).
+
+   TLS specific config reloading is not safe, so for now better don't use
+   it, especially under heavy traffic.
+
+   This documentation is incomplete. The select framework and rpc
+   sections are completely missing.
+
+Quick Certificate Howto
+
+   Revision History
+   Revision $Revision$ $Date$
+
+   There are various ways to create, sign certificates and manage small
+   CAs (Certificate Authorities). If you want a GUI, try tinyca
+   (http://tinyca.sm-zone.net/), a very nice and small CA management
+   application. If you are in a hurry and everything you have are the
+   installed openssl libraries and utilities, read on.
+
+   Assumptions: we run our own CA.
+
+   Warning: in this example no key is encrypted. The client and server
+   private keys must not be encrypted (ser doesn't support encrypted
+   keys), so make sure the corresponding files are readable only by
+   trusted people. You should use a password for your CA private key.
+
+Creating CA certificate
+-----------------------
+1. create CA dir
+        mkdir ca
+        cd ca
+
+2. create ca dir structure and files  (see ca(1))
+        mkdir demoCA #default CA name, edit /etc/ss/openssl.cnf
+        mkdir  demoCA/private
+        mkdir demoCA/newcerts
+        touch demoCA/index.txt
+        echo 01 >demoCA/serial
+
+2. create CA private key
+        openssl genrsa -out demoCA/private/cakey.pem 2048
+        chmod 600 demoCA/private/cakey.pem
+
+3. create CA self-signed certificate
+        openssl req -out demoCA/cacert.pem   -x509 -new -key demoCA/private/cak
+ey.pem
+
+
+Creating a server/client certificate
+------------------------------------
+1. create a certificate request (and its private key in privkey.pem)
+        openssl req -out ser1_cert_req.pem -new -nodes
+   WARNING: the organization name should be the same as in the ca certificate.
+
+2. sign it with the ca certificate
+        openssl ca -in ser1_cert_req.pem -out ser1_cert.pem
+
+3. copy ser1_cert.pem to your ser config. dir
+
+
+Setting ser to use the certificate
+----------------------------------
+1. create the ca list file:
+        for each of your ca certificates that you intend to use do:
+                cat cacert.pem >>calist.pem
+
+2. copy your ser certificate, private key and ca list file to your
+        intended machine (preferably in your ser cfg. directory, this is the
+        default place ser searches for)
+
+3. set up ser.cfg to use the certificate
+        if your ser certificate name is different from cert.pem or it is not
+        placed in ser cfg. directory, add to your ser.cfg:
+                modparam("tls", "certificate", "/path/cert_file_name")
+
+4. set up ser to use the private key
+        if your private key is not contained in the certificate (or the
+         certificate name is not the default cert.pem), add to your ser.cfg:
+                modparam("tls", "private_key", "/path/private_key_file")
+
+5. set up ser to use the ca list (optional)
+        add to your ser.cfg:
+                modparam("tls", "ca_list", "/path/ca_list_file")
+
+6. set up tls authentication options:
+                modparam("tls", "verify_certificate", 1)
+                modparam("tls", "require_certificate", 1)
+        (for more information see the module parameters documentation)
+
+Parameters
+
+   Revision History
+   Revision $Revision$ $Date$
+
+tls_method (string)
+
+   Sets the SSL protocol method. Possible values are:
+     * TLSv1 - only TLSv1 connections are accepted. This is the default
+       and recommended method (if you want to be rfc3261 conformant don't
+       change it).
+     * SSLv3 - only SSLv3 connections are accepted
+     * SSLv2 - only SSLv2 connections, for old clients. Note: you
+       shouldn't use SSLv2 for anything which should be highly secure.
+     * SSLv23 - any of the above methods will be accepted, with the
+       following limitation: the initial SSL hello message must be V2 (in
+       the initial hello all the supported protocols are advertised
+       enabling switching to a higher and more secure version). This
+       means connections from SSLv3 or TLSv1 clients will not be
+       accepted.
+
+   If rfc3261 conformance is desired, TLSv1 must be used. For
+   compatibility with older clients SSLv23 is a good option.
+
+   Example 2. Set tls_method parameter
+...
+modparam("tls", "tls_method", "TLSv1")
+...
+
+certificate (string)
+
+   Sets the certificate file name. The certificate file can also contain
+   the private key.
+
+   Warning: try not to use certificate with keys longer then 1024 bytes.
+   Longer keys will severely impact performance, in particular the tls
+   connection rate.
+
+   The default value is [SER_CFG_DIR]/cert.pem.
+
+   Example 3. Set certificate parameter
+...
+modparam("tls", "certificate", "/usr/local/etc/ser/my_certificate.pem")
+...
+
+private_key (string)
+
+   Sets the private key file name.
+
+   Note: the private key can be contained in the same file as the
+   certificate (just append it to the certificate file, e.g.: cat
+   pkey.pem >> cert.pem)
+
+   The default value is [SER_CFG_DIR]/cert.pem.
+
+   Example 4. Set private_key parameter
+...
+modparam("tls", "private", "/usr/local/etc/ser/my_pkey.pem")
+...
+
+ca_list (string)
+
+   Sets the CA list file name. This file contains a list of all the
+   trusted CAs certificates. If a signature in a certificate chain
+   belongs to one of the listed CAs, the authentication will succeed. See
+   also verify_certificate, verify_depth and require_certificate.
+
+   By default the CA file is not set.
+
+   An easy way to create the CA list is to append each trusted trusted CA
+   certificate in the PEM format to one file, e.g.: for f in
+   trusted_cas/*.pem ; do cat "$f" >> ca_list.pem ; done .
+
+   Example 5. Set ca_list parameter
+...
+modparam("tls", "ca_list", "/usr/local/etc/ser/ca_list.pem")
+...
+
+verify_certificate (boolean)
+
+   If enabled it will force certificate verification. For more
+   information see the verify(1) openssl man page.
+
+   Note: the certificate verification will always fail if the ca_list is
+   empty.
+
+   See also: ca_list, require_certificate, verify_depth.
+
+   By default the certificate verification is off.
+
+   Example 6. Set verify_certificate parameter
+...
+modparam("tls", "verify_certificate", 1)
+...
+
+verify_depth (integer)
+
+   Sets how far up the certificate chain will the certificate
+   verification go in the search for a trusted CA.
+
+   See also: ca_list, require_certificate, verify_certificate,
+
+   The default value is 9.
+
+   Example 7. Set verify_depth parameter
+...
+modparam("tls", "verify_depth", 9)
+...
+
+require_certificate (boolean)
+
+   When enabled it will require a certificate from a client. If the
+   client does not offer a certificate and verify_certificate is on, the
+   certificate verification will fail.
+
+   The default value is off.
+
+   Example 8. Set require_certificate parameter
+...
+modparam("tls", "require_certificate", 1)
+...
+
+cipher_list (string)
+
+   Sets the list of accepted ciphers. The list consists of cipher strings
+   separated by colons. For more information on the cipher list format
+   see the cipher(1) openssl man page.
+
+   The default value is not set (all the openssl supported ciphers are
+   enabled).
+
+   Example 9. Set cipher_list parameter
+...
+modparam("tls", "cipher_list", "HIGH")
+...
+
+send_timeout (int)
+
+   Sets the maximum interval of time after which ser will give up trying
+   to send a message over tls (time after a tls send will be aborted and
+   the corresponding tls connection closed). The value is in seconds.
+
+   The default value is 120 s.
+
+   Example 10. Set send_timeout parameter
+...
+modparam("tls", "send_timeout", 1)
+...
+
+handshake_timeout (int)
+
+   Sets the maximum interval of time after which ser will give up trying
+   to accept a tls connection or connect to a tls peer. The value is in
+   seconds.
+
+   The default value is 120 s.
+
+   Example 11. Set handshake_timeout parameter
+...
+modparam("tls", "handshake_timeout", 1)
+...
+
+connection_timeout (int)
+
+   Sets the amount of time after which an idle tls connection will be
+   closed. This is similar to tcp_connection_lifetime. The value is
+   expressed in seconds.
+
+   The default value is 10 min.
+
+   If the value set is -1, the connection will never be close on idle.
+
+   Example 12. Set connection_timeout parameter
+...
+modparam("tls", "connection_timeout", 60)
+...
+
+tls_disable_compression (boolean)
+
+   If set compression over SSL/TLS will be disabled.
+
+   By default compression is enabled.
+
+   Example 13. Set tls_disable_compression parameter
+...
+modparam("tls", "tls_disable_compression", 1)
+...
+
+tls_log (int)
+
+   Sets the log level at which tls related messages will be logged.
+
+   The default value is 3.
+
+   Example 14. Set tls_log parameter
+...
+# ignore tls messages if ser is started with debug less than 10
+modparam("tls", "tls_log", 10)
+...
+
+low_mem_threshold1 (integer)
+
+   Sets the minimal free memory from which new tls connection will start
+   to fail. The value is expressed in KB.
+
+   The default value depends on whether the openssl library used handles
+   well low memory situations (openssl bug #1491). As of this writing
+   this is not true for any openssl version (including 0.9.8e).
+
+   If an ill-behaved openssl version is detected, a very conservative
+   value is choosed, which depends on the maximum possible number of
+   simultaneously created tls connections (and hence on the process
+   number).
+
+   The following values have a special meaning:
+     * -1 - use the default value
+     * 0 - disable (tls connections will not fail preemptively)
+
+   See also low_mem_threshold2.
+
+   Example 15. Set low_memory_threshold1 parameter
+...
+modparam("tls", "low_memory_threshold1", -1)
+...
+
+low_mem_threshold2 (integer)
+
+   Sets the minimal free memory from which tls operations on already
+   established tls connections will start to fail preemptively. The value
+   is expressed in KB.
+
+   The default value depends on whether the openssl library used handles
+   well low memory situations (openssl bug #1491). As of this writing
+   this is not true for any openssl version (including 0.9.8e).
+
+   If an ill-behaved openssl version is detected, a very conservative
+   value is choosed, which depends on the maximum possible number of
+   simultaneously created tls connections (and hence on the process
+   number).
+
+   The following values have a special meaning:
+     * -1 - use the default value
+     * 0 - disable (tls operations will not fail preemptively)
+
+   See also low_mem_threshold1.
+
+   Example 16. Set low_memory_threshold2 parameter
+...
+modparam("tls", "low_memory_threshold2", -1)
+...
+
+tls_force_run (boolean)
+
+   If enabled ser will start even if some of the openssl sanity checks
+   fail (turn it on at your own risk).
+
+   Currently failing any of the following sanity checks will not allow
+   ser to start:
+     * the version of the library the tls module was compiled with is
+       "too different" from the library used at runtime. The versions
+       should have the same major, minor and fix level (e.g.: 0.9.8a and
+       0.9.8c are ok, but 0.9.8 and 0.9.9 are not)
+     * the openssl library used at compile time and the one used at
+       runtime have different kerberos options
+
+   By default tls_force_run is disabled.
+
+   Example 17. Set tls_force_run parameter
+...
+modparam("tls", "tls_force_run", 11)
+...
+
+config (string)
+
+   Sets the name of the TLS specific config file.
+
+   If set the tls module will load a special config file, in which
+   different tls parameters can be specified on a per role (server or
+   client) and domain basis (for now only IPs). The corresponding module
+   parameters will be ignored.
+
+   By default no config file is specified.
+
+   The following parameters can be set in the config file, for each
+   domain:
+     * tls_method
+     * verify_certificate
+     * require_certificate
+     * private_key
+     * certificate
+     * verify_depth
+     * ca_list
+     * cipher_list
+
+   ser acts as a server when it accepts a connection and as a client when
+   it initiates a new connection by itself (it connects to something).
+
+   Example 18. Short config file
+[server:default]
+method = TLSv1
+verify_certificate = no
+require_certificate = no
+private_key = default_key.pem
+certificate = default_cert.pem
+ca_list = default_ca.pem
+
+[client:default]
+verify_certificate = yes
+require_certificate = yes
+
+#more relaxed for connection on the loopback interface
+[server:127.0.0.1:5061]
+method = SSLv23
+verify_certificate = yes
+require_certificate = no
+private_key = local_key.pem
+certificate = local_cert.pem
+verify_depth = 3
+ca_list = local_ca.pem
+
+   For a more complete example check the tls.cfg distributed with the ser
+   source (sip_router/modules/tls/tls.cfg).
+
+   Example 19. Set config parameter
+...
+modparam("tls", "config", "/usr/local/etc/ser/tls.cfg")
+...
+
+Functions
+
+   Revision History
+   Revision $Revision$ $Date$
+
+History
+
+   Revision History
+   Revision $Revision$ $Date$
+
+   This module was put together by Jan Janak <[email protected]> from code
+   from the experimental tls core addon
+   (http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/experimental/tls/),
+   code originally written by Peter Griffiths and later maintained by
+   Cesc Santasusana and from an iptelorg tls code addon, written by
+   Andrei Pelinescu-Onciul <[email protected]>. Jan also added support for
+   multiple domains, a tls specific config, config reloading and a tls
+   specific select framework.
+
+   The code is currently maintained by Andrei Pelinescu-Onciul
+   <[email protected]>.

modules/tls/README.TLS

@@ -0,0 +1,414 @@
+[NOTE: this file is obsolete, use README instead]
+
+
+free-TLS core module
+
+Created By: Peter Griffiths
+Mantainer: Cesc Santasusana
+
+Edited by
+
+Cesc Santasusana
+
+Copyright © 2005 Cesc Santasusana
+     _________________________________________________________
+
+   TABLE OF CONTENTS
+1. CHAPTER 1. USER'S GUIDE	2
+	1.1. OVERVIEW	2
+	1.2. DEPENDENCIES	2
+		1.2.1. SER Core and patches	2
+		1.2.2. SER Modules	2
+		1.2.3. External Libraries or Applications	2
+	1.3. HOW TO INSTALL	3
+		1.3.1. File Structure
+		1.3.2. Patches
+		1.3.3. Test Configuration in tls/etc
+		1.3.4. Tools to create certificates in tls/tools
+	1.4. HOW TO COMPILE	3
+	1.5. CONFIG FILE PARAMETERS	3
+		1.5.1. disable_tls	4
+		1.5.2. listen	4
+		1.5.3. tls_certificate	4
+		1.5.4. tls_private_key	4
+		1.5.5. tls_ca_list	4
+		1.5.6. tls_ciphers_list	4
+		1.5.7. tls_method	4
+		1.5.8. tls_verify and tls_require_certificate	4
+		1.5.9. tls_handshake_timeout and tls_send_timeout	5
+		1.5.10. tls_domain[IP_2:port2]	5
+	1.6. SSL/TLS AUTHENTICATION: CLIENT AND SERVER	5
+	1.7. EXPORTED FUNCTIONS	6
+2. CHAPTER 2. DEVELOPER'S GUIDE	6
+	2.1. TLS_CONFIG	6
+	2.2. TLS_INIT	6
+		2.2.1. default ssl context	6
+		2.2.2. init_tls(void)	6
+		2.2.3. destroy_tls(void)	6
+		2.2.4. tls_init(struct socket_info *)	7
+		2.2.5. ser_malloc, ser_realloc, ser_free	7
+	2.3. TLS_SERVER	7
+		2.3.1. SSL data per connection	7
+		2.3.2. tls_print_errstack(void)	7
+		2.3.3. tls_tcpconn_init( struct tcp_connection *, int)	7
+		2.3.4. tls_tcpconn_clean( struct tcp_connection *)	7
+		2.3.5. tls_close( struct tcp_connection *, int )	7
+		2.3.6. tls_blocking_write( struct tcp_connection, int, const char, size_t )	7
+		2.3.7. tls_read( struct tcp_connection *)	8
+		2.3.8. tls_fix_read_conn( struct tcp_connection )	8
+	2.4. TLS_DOMAIN	8
+		2.4.1. tls_domains	8
+		2.4.2. tls_find_domain( struct ip_addr *, unsigned short)	8
+		2.4.3. tls_new_domain( struct ip_addr *, unsigned *)	8
+		2.4.4. tls_free_domains(void)	8
+3. CHAPTER 3. FREQUENTLY ASKED QUESTIONS	8
+	3.1. WHERE CAN I FIND MORE ABOUT SER?	8
+	3.2. WHERE CAN I POST A QUESTION ABOUT THIS MODULE?	8
+	3.3. HOW CAN I REPORT A BUG?	9
+	3.4. WHAT IS THE DIFFERENCE WITH OpenSER-TLS?
+	3.5. I AM NOT HAPPY WITH THIS README ... NOW WHAT?
+
+     _________________________________________________________
+
+1. CHAPTER 1. USER'S GUIDE
+	1.1. OVERVIEW
+	TLS is an optional part of the core, not a module.
+	TLS, as defined in SIP RFC, is a mandatory feature for proxies and can be used to secure the SIP signalling 
+	on a hop-by-hop basis (not end-to-end). TLS works on top of TCP (DTLS, or TLS over UDP is already 
+	defined by IETF and may become available in the future).
+     _________________________________________________________
+
+1.2. DEPENDENCIES
+	1.2.1. SER Core and patches
+	Core must be compiled with TCP support and the patched cfg.y and cfg.lex, and some 
+	modification in Makefile.defs. 
+	The Makefile.defs file is where the library and include paths are set (where to locate Openssl) 
+	Read more on this below on the "external libraries" dependencies.
+	The cfg.XXX patch provide configuration features from the ser.cfg file, usefull and necessary.
+	This core module has been compiled successfully with ser branch rel_0_9_0 (updated
+		as of June 2005, ser-0.9.3). It should compile in HEAD too without problem.
+	It has been tested for functionality (successfully) with rel_0_9_0 (ser-0.9.0).
+	Report on success/failure stories to the mantainer. Tks!
+		 _________________________________________________________
+
+	1.2.2. SER Modules
+		No dependencies on SER modules
+		 _________________________________________________________
+	
+	1.2.3. External Libraries or Applications
+	The following libraries or applications must be installed before running SER with this module loaded:
+	* OpenSSL v0.9.7 or higher (OpenSSL v0.9.6 also compiles, though not recommended).
+	Out of OpenSSL, you need:
+	* libssl
+	* libcrypto
+	* openssl/*.h
+	Locate this, usually in:
+	/usr/local/lib (for libraries)
+	/usr/local/ssl/include/openssl (for header files)
+	Depending on your distro, these paths may vary. In this case, you need to modify Makefile.defs file in 
+	$SERROOT. At the bottom of the file, look for
+		ifneq ($(TLS),)
+		  LIBS+= -L$SOMEPATH/lib -lssl  -lcrypto
+		  DEFS+= -I$SOMEPATH/ssl/include
+		endif
+	Change the LIBS entry to include the folder where the libssl and libcrypto files are. 
+	Change the DEFS entry to include the folder where the openssl/ folder is.
+	NOTE: RedHat ships by default with a very strange setup of the paths, as well as not usual compilation of 
+	the libraries, which resumes in ... trouble. Look for solutions in Google, or locally compile OpenSSL 
+	sources on your system.
+	________________________________________________________
+1.3. HOW TO INSTALL
+	1.3.1. File Structure
+	This is the file structure that needs to be created:
+	$SER_ROOT/tls/tls_config.h and .c
+	$SER_ROOT/tls/tls_init.h and .c
+	$SER_ROOT/tls/tls_server.h and .c
+	$SER_ROOT/tls/tls_domain.h and .c
+	
+	The files that (may) need to be patched or modified
+	$SER_ROOT/Makefile.defs
+	$SER_ROOT/cfg.y
+	$SER_ROOT/cfg.lex
+	NOTE: patches can be found in the tls/patches. See above for Makefile.defs tweaking to locate OpenSSL.
+	
+	1.3.2. Patches
+	In the experimental/tls/patches folder, there are the following files:
+	- cfg.lex.patch and cfg.y.patch, to be used to patch the corresponding
+		files in $SERROOT.
+		> cp cfg.XXX.patch $SERROOT/
+		> cd $SERROOT
+		> patch -p0 < cfg.XXX.patch
+	- cfg.y and cfg.lex: these are the full files, taken from the cvs rel_0_9_0 and patched
+		with the above patches (for lazy people :D ). 
+	Use the patches if you have modified your cfg.y or cfg.lex files or if it is a different
+		branch. Use the full files if you don't want to patch the files, or have the standard
+		cvs rel_0_9_0 branch files.
+	
+	1.3.3. Test configuration
+	In the folder tls/etc you can find a sample config file, along with test certificates ready to use.
+	Note that in the tls/etc/tls.ser.cfg, the path to certificates and private keys are set to
+	          /usr/local/etc/ser/certs and /usr/local/etc/ser/private
+		  (change according to your local configuration)
+	
+	1.3.4. Tools to create certificates
+	In the folder tls/tools there are script and configuration files to be used with openssl application
+	to create certificate (root CA and user certs).
+	Read the README.tls.tools file there for more info.
+	________________________________________________________
+
+1.4. HOW TO COMPILE
+	Easy ;)  Add the TLS=1 flag when compiling, for example:
+	>	make TLS=1 install
+	If you have problems compiling the TLS code, such as header files not found, or linking problems related 
+	to SSL_* functions, check the paths in Makefile.defs (at the bottom, the DEFS+= and LIB+=, and check if 
+	the openssl/ folder is there, and if the libssl.so and libcrypto.so files are in the specified folders).
+	________________________________________________________
+	
+1.5. CONFIG FILE PARAMETERS
+	All these parameters can be used from the ser.cfg file, to configure the behavior of SER-tls.
+	________________________________________________________
+	1.5.1. disable_tls
+	Disables TLS (no server is created on the listen addresses, no outgoing connections can be set up).
+	It only exhists if TLS=1 is used at compile time.
+			Default_value: disable_tls=0
+	________________________________________________________
+	1.5.2. listen
+	Not specific to TLS. Allows to specify the protocol (udp, tcp, tls), the IP address and the port 
+	where the listening server will be.
+			listen=tls:IP:port
+	________________________________________________________
+	1.5.3. tls_certificate
+	NOTE: To be able to use most of this configuration parameters, you need to have patched cfg.y and cfg.lex 
+	(and recompile :D )
+		Public certificate file for SER. It will be used as server-side certificate for incoming TLS 
+	connections,  and as a client-side certificate for outgoing TLS connections.
+		default: "CFG_DIR/cert.pem"
+			example: tls_certificate="/mycerts/certs/ser_server_cert.pem"
+	________________________________________________________
+	1.5.4. tls_private_key
+		Private key of the above certificate ... keep it in a safe place with tight permissions!
+		default: CFG_DIR/cert.pem
+			example: tls_private_key="/mycerts/private/prik.pem"
+	________________________________________________________
+	1.5.5. tls_ca_list
+		List of trusted CAs. The file contains the certificates accepted, one after the other ( cat x >> 
+	ca.list). It MUST be a file, not a folder (for now).
+		default: "" (no ca_list)
+			example: tls_ca_list="/mycerts/certs/ca_list.pem"
+	________________________________________________________
+	1.5.6. tls_ciphers_list
+		We can specify the list of algorithms for authentication and encryption that we allow.
+		To obtain a list of ciphers and then choose, use the openssl application:
+		> openssl ciphers 'ALL:eNULL:!LOW:!EXPORT'
+		Do not use the NULL algorithms ... only for testing!!!
+		Default: no change, use the default ciphers choosen by OpenSSL.
+			Example: tls_ciphers_list="NULL-SHA:NULL-MD5:AES256-SHA:AES128-SHA"
+	________________________________________________________
+	1.5.7. tls_method
+		Protocol version to use. Best is to use sslv23, for extended compatibility. Using any of the other 
+	will restrict the version to just that one version. In fact, sslv2 is disabled in the source code... to use it, you 
+	need to edit tls_init.c
+		Default: sslv23
+			tls_method= [sslv2 | sslv23 | sslv3 | tlsv1]  
+	________________________________________________________
+	1.5.8. tls_verify and tls_require_certificate
+	This two variables highly effect the final security of your deployment. READ carefully!
+		Technically, tls_verify activates SSL_VERIFY_PEER in the ssl_context.
+		tls_require_certificate does the same with SSL_VERIFY_FAIL_IF_NO_PEER_CERT, which is 
+	only possible if SSL_VERIFY_PEER is also turned on.
+		See the "how does verification work" for more info
+		default is 0 for both.
+			Example: tls_verify = 1
+							tls_require_certificate = 1
+			(this example turns on the strictest and strongest authentication possible)
+	________________________________________________________
+	1.5.9. tls_handshake_timeout and tls_send_timeout
+		Timeouts ... advanced users only.
+		default is 120 seconds for both.
+			Example: tls_handshake_timeout=119    [number of seconds]
+			Example: tls_send_timeout=121              [number of seconds]
+	________________________________________________________
+	1.5.10. tls_domain[IP_2:port2]
+	Note: domains are only possible if cfg.y and cfg.lex are patched.
+			If you only run one domain, the main one is enough. If you are running several tls servers (that is, 
+	you have more than one listen:tls:ip:port entry in the config file), you can specify some parameters for each 
+	of them separately (not all the above). 
+			tls_domain[IP_2:port2] {
+			#specify parameters for a domain in particular, otherwise, 
+			#it will use the default. These are the possible parameters to
+			#change for each domain
+			tls_certificate="new_cert"
+			tls_private_key="new_cert_key"
+			tls_ca_list="other ca"
+			tls_method="tlsv1"
+			}
+			tls_domain[IP_3:port3] {
+		...
+			}
+			NOTE: For now, tls_ciphers_list cannot be specified on a per domain basis. When I have the time 
+	to thoroughly test tls_domains, I will add this.
+     _________________________________________________________
+
+1.6. SSL/TLS AUTHENTICATION: CLIENT AND SERVER
+	TLS provides for strong authentication mechanism, as well as encryption following authentication. Of 
+	course, null encryption can be used, as well as weak authentication mechanisms (for example, anonymous, 
+	that is, no authentication).
+	How does verification work?
+	Verification is the process by which the authentication data provided by the peers is checked. This data 
+	consists usually of a peer certificate, plus a chain of trusted certification authorities. If for whatever reason, 
+	either of the peers thinks that the handshake is not valid, the ssl connection is not established.
+	The reasons could be many: untrusted server certficate, too-weak algorithm, invalid client cert, no client 
+	authentication, ...
+	The "tls_verify" and "tls_require_certificate" are SER-names for the 
+	OpenSSL defined flags:
+	- SSL_VERIFY_PEER is tls_verify) and 
+	- SSL_VERIFY_FAIL_IF_NO_PEER_CERT is tls_require_certificate (tls_require_certificate is only used 
+	if tls_verify=1)
+	
+	If we are acting as a server, we always send our server-side certificate to the client. 
+	- If tls_verify=0, we do not request the client a client-certificate. This means that the client is not 
+		authenticated.
+	- If tls_verify=1, we (the server) send a client-certificate request to the client. But the client is free 
+		to not provide any. In this case,  tls_require_certificate comes into play:
+			_ if tls_require_cert=0, the verification process will succedd if
+				the client does not provide a certificate, or if it provides
+				one, it verifies correctly against the server's list of 
+				trusted certification authorities.
+			_ if tls_require_cert=1, the verification process will only succeed
+				if the client provides a certificate and this verifies correctly
+				against the server's list of trusted CAs.
+     _________________________________________________________
+
+1.7. EXPORTED FUNCTIONS
+	Functions are accessible by including the appropriate tls/tls_xxx.h file.
+
+     _________________________________________________________
+
+2. CHAPTER 2. DEVELOPER'S GUIDE
+	________________________________________________________
+2.1. TLS_CONFIG
+	It contains configuration variables for ser's tls (timeouts, file paths, etc).
+	________________________________________________________
+2.2. TLS_INIT
+	Initialization related functions and parameters.
+	________________________________________________________
+	2.2.1. default ssl context
+		extern SSL_CTX *default_ctx;
+		It is the common context for all tls sockets. If domains are used, each has its own.
+		________________________________________________________
+	2.2.2. init_tls(void)
+		Called once to initialize the tls subsystem, from the main().
+		int init_tls(void);
+		________________________________________________________
+	2.2.3. destroy_tls(void)
+		Called once, just before cleanup.
+		void destroy_tls(void);
+		________________________________________________________
+	2.2.4. tls_init(struct socket_info *)
+		Called once for each tls socket created.
+		int tls_init(struct socket_info *si);
+		________________________________________________________
+	2.2.5. ser_malloc, ser_realloc, ser_free
+		Wrapper functions around the shm_* functions. OpenSSL uses non-shared memory to create its objects, 
+		thus it would not work in SER. By creating these wrappers and configuring OpenSSL to use them instead 
+		of its default memory functions, we have all OpenSSL objects in shared memory, ready to use.
+		________________________________________________________
+2.3. TLS_SERVER
+	________________________________________________________
+	2.3.1. SSL data per connection
+		Each TLS connection, incoming or outgoing, creates an SSL * object, where configuration inherited from 
+		the SSL_CTX * and particular info on that socket are stored. This SSL * structure is kept in SER as long as 
+		the connection is alive, as part of the struct tcp_connection * object:
+		struct tcp_connection *c;
+		SSL *ssl;
+		//create somehow SSL object
+		c->extra_data = (void *) ssl; 
+		ssl = (SSL *) c->extra_data;
+		________________________________________________________
+	2.3.2. tls_print_errstack(void)
+		/*
+		 * dump ssl error stack 
+		 */
+		void            tls_print_errstack(void);
+		________________________________________________________
+	2.3.3. tls_tcpconn_init( struct tcp_connection *, int)
+		/*
+		 * Called when new tcp connection is accepted 
+		 */
+		int             tls_tcpconn_init(struct tcp_connection *c, int sock);
+		________________________________________________________
+	2.3.4. tls_tcpconn_clean( struct tcp_connection *)
+		/*
+		 * clean the extra data upon connection shut down 
+		 */
+		void            tls_tcpconn_clean(struct tcp_connection *c);
+		________________________________________________________
+	2.3.5. tls_close( struct tcp_connection *, int )
+		/*
+		 * shut down the TLS connection 
+		 */
+		void            tls_close(struct tcp_connection *c, int fd);
+		________________________________________________________
+	2.3.6. tls_blocking_write( struct tcp_connection, int, const char, size_t )
+		size_t          tls_blocking_write(struct tcp_connection *c, int fd,
+						   const char *buf, size_t len);
+		________________________________________________________
+	2.3.7. tls_read( struct tcp_connection *)
+		size_t          tls_read(struct tcp_connection *c);
+		________________________________________________________
+	2.3.8. tls_fix_read_conn( struct tcp_connection )
+		int             tls_fix_read_conn(struct tcp_connection *c);
+		________________________________________________________
+2.4. TLS_DOMAIN
+	________________________________________________________
+	2.4.1. tls_domains
+		extern struct tls_domain *tls_domains;
+	
+		________________________________________________________
+	2.4.2. tls_find_domain( struct ip_addr *, unsigned short)
+		/*
+		 * find domain with given ip and port 
+		 */
+		struct tls_domain *tls_find_domain(struct ip_addr *ip,
+						   unsigned short port);
+		________________________________________________________
+	2.4.3. tls_new_domain( struct ip_addr *, unsigned *)
+		/*
+		 * create a new domain 
+		 */
+		int             tls_new_domain(struct ip_addr *ip, unsigned short port);
+	
+		________________________________________________________
+	2.4.4. tls_free_domains(void)
+		/*
+		 * clean up 
+		 */
+		void            tls_free_domains(void);
+	
+	________________________________________________________
+CHAPTER 3. FREQUENTLY ASKED QUESTIONS
+
+		________________________________________________________
+	3.1.    WHERE CAN I FIND MORE ABOUT SER?
+		Take a look at http://iptel.org/ser and http://www.openser.org
+		________________________________________________________
+	3.2.    WHERE CAN I POST A QUESTION ABOUT THIS MODULE?
+		In the webpages above there is access to mailing list. Use the users list for normal user support, use the dev 
+		list for development questions (bugs, fixes, etc). 
+		________________________________________________________
+	3.3.    HOW CAN I REPORT A BUG?
+		At the dev lists on the above webpages, and also at:
+		http://bugs.sip-router.org
+		________________________________________________________
+	3.4.    WHAT IS THE DIFFERENCE WITH OpenSER-TLS?
+		None. At least for now. The initial commit in both repositories 
+		(experimental tree for SER, HEAD for OpenSER) come from the same source:
+		an extended version of that released sometime late in 2004 by Peter Griffiths 
+		and modified by Cesc Santasusana.
+		________________________________________________________
+	3.5.    I AM NOT HAPPY WITH THIS README ... NOW WHAT?
+		Three things: 
+		1 - Complain to the maintainer.
+		2 - Contribute yourself with your acquired knowledge. It is welcome.
+		3 - Take a look at OpenSER tutorials for TLS: http://openser.org/docs/tls.html
+		

modules/tls/doc/Makefile

@@ -0,0 +1,29 @@
+#
+# The list of documents to build (without extensions)
+#
+DOCUMENTS = tls
+
+#
+# The root directory containing Makefile.doc
+#
+ROOT_DIR=../../..
+
+#
+# Validate docbook documents before generating output
+# (may be slow)
+#
+#VALIDATE=1
+
+#
+# You can override the stylesheet used to generate
+# xhtml documents here
+#
+#XHTML_XSL=$(ROOT_DIR)/doc/stylesheets/xhtml.xsl
+
+#
+# You can override the stylesheet used to generate
+# plain text documents here
+#
+#TXT_XSL=$(XHTML_XSL)
+
+include $(ROOT_DIR)/Makefile.doc

modules/tls/doc/certs_howto.xml

@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" 
+   "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+
+<section id="tls.certs_howto" xmlns:xi="http://www.w3.org/2001/XInclude">
+    <sectioninfo>
+	<revhistory>
+	    <revision>
+		<revnumber>$Revision$</revnumber>
+		<date>$Date$</date>
+	    </revision>
+	</revhistory>
+    </sectioninfo>
+
+	<title>Quick Certificate Howto</title>
+		<para>
+			There are various ways to create, sign certificates and manage small CAs (Certificate Authorities). If you want a GUI, try <ulink url="http://tinyca.sm-zone.net/">tinyca (http://tinyca.sm-zone.net/)</ulink>, a very nice and small CA management application. If you are in a hurry and everything you have are the installed openssl libraries and utilities, read on.
+		</para>
+		<para>
+			Assumptions: we run our own CA.
+		</para>
+		<para>
+			Warning: in this example no key is encrypted. The client and server private keys must not be encrypted (ser doesn't support encrypted keys), so make sure the corresponding files are readable only by trusted people. You should use a password for your CA private key.
+		</para>
+		<para>
+		<programlisting>
+
+Creating CA certificate
+-----------------------
+1. create CA dir
+	mkdir ca
+	cd ca
+	
+2. create ca dir structure and files  (see ca(1))
+	mkdir demoCA #default CA name, edit /etc/ss/openssl.cnf
+	mkdir  demoCA/private
+	mkdir demoCA/newcerts
+	touch demoCA/index.txt
+	echo 01 >demoCA/serial
+	
+2. create CA private key
+	openssl genrsa -out demoCA/private/cakey.pem 2048
+	chmod 600 demoCA/private/cakey.pem
+	
+3. create CA self-signed certificate
+	openssl req -out demoCA/cacert.pem   -x509 -new -key demoCA/private/cakey.pem
+
+
+Creating a server/client certificate
+------------------------------------
+1. create a certificate request (and its private key in privkey.pem)
+	openssl req -out ser1_cert_req.pem -new -nodes
+   WARNING: the organization name should be the same as in the ca certificate.
+	
+2. sign it with the ca certificate
+	openssl ca -in ser1_cert_req.pem -out ser1_cert.pem
+	
+3. copy ser1_cert.pem to your ser config. dir
+
+
+Setting ser to use the certificate
+----------------------------------
+1. create the ca list file:
+	for each of your ca certificates that you intend to use do:
+		cat cacert.pem >>calist.pem
+	
+2. copy your ser certificate, private key and ca list file to your 
+	intended machine (preferably in your ser cfg. directory, this is the 
+	default place ser searches for)
+	
+3. set up ser.cfg to use the certificate
+	if your ser certificate name is different from cert.pem or it is not
+	placed in ser cfg. directory, add to your ser.cfg:
+		modparam("tls", "certificate", "/path/cert_file_name")
+	
+4. set up ser to use the private key
+	if your private key is not contained in the certificate (or the
+	 certificate name is not the default cert.pem), add to your ser.cfg:
+		modparam("tls", "private_key", "/path/private_key_file")
+	
+5. set up ser to use the ca list (optional)
+	add to your ser.cfg:
+		modparam("tls", "ca_list", "/path/ca_list_file")
+	
+6. set up tls authentication options:
+		modparam("tls", "verify_certificate", 1)
+		modparam("tls", "require_certificate", 1) 
+	(for more information see the module parameters documentation)
+
+		</programlisting>
+		</para>
+
+
+</section>

modules/tls/doc/functions.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+   "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+
+<section id="textops.functions" xmlns:xi="http://www.w3.org/2001/XInclude">
+    <sectioninfo>
+	<revhistory>
+	    <revision>
+		<revnumber>$Revision$</revnumber>
+		<date>$Date$</date>
+	    </revision>
+	</revhistory>
+    </sectioninfo>
+
+    <title>Functions</title>
+
+</section>

modules/tls/doc/history.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" 
+   "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+
+<section id="tls.certs_howto" xmlns:xi="http://www.w3.org/2001/XInclude">
+    <sectioninfo>
+	<revhistory>
+	    <revision>
+		<revnumber>$Revision$</revnumber>
+		<date>$Date$</date>
+	    </revision>
+	</revhistory>
+    </sectioninfo>
+
+	<title>History</title>
+		<para>
+			This module was put together by Jan Janak <email>[email protected]</email> from code  from the experimental tls core addon (<ulink url="http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/experimental/tls/">http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/experimental/tls/</ulink>), code originally written by Peter Griffiths and later maintained by Cesc Santasusana and from an iptelorg tls code addon, written by Andrei Pelinescu-Onciul <email>[email protected]</email>. Jan also added support for multiple domains, a tls specific config, config reloading and a tls specific select framework.
+		</para>
+		<para>
+			The code is currently maintained by Andrei Pelinescu-Onciul <email>[email protected]</email>.
+		</para>
+</section>

modules/tls/doc/params.xml

@@ -0,0 +1,473 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" 
+   "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+
+<section id="tm.parameters" xmlns:xi="http://www.w3.org/2001/XInclude">
+    <sectioninfo>
+	<revhistory>
+	    <revision>
+		<revnumber>$Revision$</revnumber>
+		<date>$Date$</date>
+	    </revision>
+	</revhistory>
+    </sectioninfo>
+
+    <title>Parameters</title>
+
+	<section id="tls_method">
+	<title><varname>tls_method</varname> (string)</title>
+	<para>
+		Sets the SSL protocol method. Possible values are:
+	</para>
+	<itemizedlist>
+			<listitem>
+				<para>
+				<emphasis>TLSv1</emphasis> - only TLSv1 connections are accepted. This is the default and recommended method (if you want to be rfc3261  conformant don't change it).
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+				<emphasis>SSLv3</emphasis> - only SSLv3 connections are accepted
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+				<emphasis>SSLv2</emphasis> - only SSLv2 connections, for old clients. Note: you shouldn't use SSLv2 for anything which should be highly secure.
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+				<emphasis>SSLv23</emphasis> - any of the above methods will be accepted, with the following limitation: the initial SSL hello message must be V2 (in the initial hello all the supported protocols are advertised enabling switching to a higher and more secure version). This means connections from SSLv3 or TLSv1 clients will not be accepted.
+				</para>
+			</listitem>
+	</itemizedlist>
+	<para>
+		If rfc3261 conformance is desired,  TLSv1 must be used. For compatibility with older clients SSLv23 is a good option.
+	</para>
+	<example>
+	    <title>Set <varname>tls_method</varname> parameter</title>
+	    <programlisting>
+...
+modparam("tls", "tls_method", "TLSv1")
+...
+	    </programlisting>
+	</example>
+	</section>
+
+	<section id="certificate">
+	<title><varname>certificate</varname> (string)</title>
+	<para>
+		Sets the certificate file name. The certificate file can also contain the private key.
+	</para>
+	<para>
+		<emphasis>Warning:</emphasis> try not to use certificate with keys longer then 1024 bytes. Longer keys will severely impact performance, in particular the tls connection rate.
+	</para>
+	<para>
+		The default value is [SER_CFG_DIR]/cert.pem.
+	</para>
+	<example>
+	    <title>Set <varname>certificate</varname> parameter</title>
+	    <programlisting>
+...
+modparam("tls", "certificate", "/usr/local/etc/ser/my_certificate.pem")
+...
+	    </programlisting>
+	</example>
+	</section>
+
+	<section id="private_key">
+	<title><varname>private_key</varname> (string)</title>
+	<para>
+		Sets the private key file name.
+	</para>
+	<para>
+		Note: the private key can be contained in the same file as the certificate (just append it to the certificate file, e.g.: cat pkey.pem >> cert.pem)
+	</para>
+	<para>
+		The default value is [SER_CFG_DIR]/cert.pem.
+	</para>
+	<example>
+	    <title>Set <varname>private_key</varname> parameter</title>
+	    <programlisting>
+...
+modparam("tls", "private", "/usr/local/etc/ser/my_pkey.pem")
+...
+	    </programlisting>
+	</example>
+	</section>
+
+<section id="ca_list">
+	<title><varname>ca_list</varname> (string)</title>
+	<para>
+		Sets the CA list file name. This file contains a list of all the trusted CAs certificates. If a signature in a certificate chain belongs to one of the listed CAs, the authentication will succeed. See also <emphasis>verify_certificate</emphasis>, <emphasis>verify_depth</emphasis> and <emphasis>require_certificate</emphasis>.
+	</para>
+	<para>
+		By default the CA file is not set.
+	</para>
+	<para>
+		An easy way to create the CA list is to append each trusted trusted CA certificate in the PEM format to one file, e.g.: for f in trusted_cas/*.pem ; do cat "$f" >> ca_list.pem ; done .
+	</para>
+	<example>
+	    <title>Set <varname>ca_list</varname> parameter</title>
+	    <programlisting>
+...
+modparam("tls", "ca_list", "/usr/local/etc/ser/ca_list.pem")
+...
+	    </programlisting>
+	</example>
+	</section>
+
+<section id="verify_certificate">
+	<title><varname>verify_certificate</varname> (boolean)</title>
+	<para>
+		If enabled it will force certificate verification. For more information see the <ulink url="http://www.openssl.org/docs/apps/verify.html">verify(1)</ulink> openssl man page.
+	</para>
+	<para>
+		Note: the certificate verification will always fail if the ca_list is empty.
+	</para>
+	<para>
+		See also: <varname>ca_list</varname>, <varname>require_certificate</varname>, <varname>verify_depth</varname>.
+	</para>
+	<para>
+		By default the certificate verification is off.
+	</para>
+	<example>
+	    <title>Set <varname>verify_certificate</varname> parameter</title>
+	    <programlisting>
+...
+modparam("tls", "verify_certificate", 1)
+...
+	    </programlisting>
+	</example>
+	</section>
+
+<section id="verify_depth">
+	<title><varname>verify_depth</varname> (integer)</title>
+	<para>
+		Sets how far up the certificate chain will the certificate verification go in the search for a trusted CA.
+	</para>
+	<para>
+		See also: <varname>ca_list</varname>, <varname>require_certificate</varname>, <varname>verify_certificate</varname>,
+	</para>
+	<para>
+		The default value is 9.
+	</para>
+	<example>
+	    <title>Set <varname>verify_depth</varname> parameter</title>
+	    <programlisting>
+...
+modparam("tls", "verify_depth", 9)
+...
+	    </programlisting>
+	</example>
+	</section>
+
+<section id="require_certificate">
+	<title><varname>require_certificate</varname> (boolean)</title>
+	<para>
+		When enabled it will require a certificate from a client. If the client does not offer a certificate and <varname>verify_certificate</varname> is on, the certificate verification will fail.
+	</para>
+	<para>
+		The default value is off.
+	</para>
+	<example>
+	    <title>Set <varname>require_certificate</varname> parameter</title>
+	    <programlisting>
+...
+modparam("tls", "require_certificate", 1)
+...
+	    </programlisting>
+	</example>
+	</section>
+
+<section id="cipher_list">
+	<title><varname>cipher_list</varname> (string)</title>
+	<para>
+		Sets the list of accepted ciphers. The list consists of cipher strings separated by colons. For more information on the cipher list format see the <ulink url="http://www.openssl.org/docs/apps/ciphers.html">cipher(1)</ulink> openssl man page.
+	</para>
+	<para>
+		The default value is not set (all the openssl supported ciphers are enabled).
+	</para>
+	<example>
+	    <title>Set <varname>cipher_list</varname> parameter</title>
+	    <programlisting>
+...
+modparam("tls", "cipher_list", "HIGH")
+...
+	    </programlisting>
+	</example>
+	</section>
+
+	<section id="send_timeout">
+	<title><varname>send_timeout</varname> (int)</title>
+	<para>
+		Sets the maximum interval of time after which ser will give up trying to send a message over tls (time after a tls send will be aborted and the corresponding tls connection closed). The value is in seconds.
+	</para>
+	<para>
+		The default value is 120 s.
+	</para>
+	<example>
+	    <title>Set <varname>send_timeout</varname> parameter</title>
+	    <programlisting>
+...
+modparam("tls", "send_timeout", 1)
+...
+	    </programlisting>
+	</example>
+	</section>
+
+	<section id="handshake_timeout">
+	<title><varname>handshake_timeout</varname> (int)</title>
+	<para>
+		Sets the maximum interval of time after which ser will give up trying to accept a tls connection or connect to a tls peer. The value is in seconds.
+	</para>
+	<para>
+		The default value is 120 s.
+	</para>
+	<example>
+	    <title>Set <varname>handshake_timeout</varname> parameter</title>
+	    <programlisting>
+...
+modparam("tls", "handshake_timeout", 1)
+...
+	    </programlisting>
+	</example>
+	</section>
+
+	<section id="connection_timeout">
+	<title><varname>connection_timeout</varname> (int)</title>
+	<para>
+		Sets the amount of time after which an idle tls connection will be closed. This is similar to tcp_connection_lifetime. The value is expressed in seconds.
+	</para>
+	<para>
+		The default value is 10 min.
+	</para>
+	<para>
+		If the value set is -1, the connection will never be close on idle.
+	</para>
+	<example>
+	    <title>Set <varname>connection_timeout</varname> parameter</title>
+	    <programlisting>
+...
+modparam("tls", "connection_timeout", 60)
+...
+	    </programlisting>
+	</example>
+	</section>
+
+	<section id="tls_disable_compression">
+	<title><varname>tls_disable_compression</varname> (boolean)</title>
+	<para>
+		If set compression over SSL/TLS will be disabled.
+	</para>
+	<para>
+		By default compression is enabled.
+	</para>
+	<example>
+	    <title>Set <varname>tls_disable_compression</varname> parameter</title>
+	    <programlisting>
+...
+modparam("tls", "tls_disable_compression", 1)
+...
+	    </programlisting>
+	</example>
+	</section>
+
+	<section id="tls_log">
+	<title><varname>tls_log</varname> (int)</title>
+	<para>
+		Sets the log level at which tls related messages will be logged.
+	</para>
+	<para>
+		The default value is 3.
+	</para>
+	<example>
+		<title>Set <varname>tls_log</varname> parameter</title>
+		<programlisting>
+...
+# ignore tls messages if ser is started with debug less than 10
+modparam("tls", "tls_log", 10)
+...
+		</programlisting>
+	</example>
+	</section>
+
+<section id="low_mem_threshold1">
+	<title><varname>low_mem_threshold1</varname> (integer)</title>
+	<para>
+		Sets the minimal free memory from which new tls connection will start to fail. The value is expressed in KB.
+	</para>
+	<para>
+		The default value depends on whether the openssl library used handles well low memory situations (openssl bug #1491). As of this writing this is not true for any openssl version (including 0.9.8e).
+	</para>
+	<para>
+		If an ill-behaved openssl version is detected, a very conservative value is choosed, which depends on the maximum possible number of simultaneously created tls connections (and hence on the process number).
+	</para>
+	<para>
+		The following values have a special meaning:
+	</para>
+	<itemizedlist>
+			<listitem>
+				<para>
+					-1 - use the default value
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					0 - disable (tls connections will not fail preemptively)
+				</para>
+			</listitem>
+	</itemizedlist>
+	<para>
+		See also <varname>low_mem_threshold2</varname>.
+	</para>
+	<example>
+		<title>Set <varname>low_memory_threshold1</varname> parameter</title>
+		<programlisting>
+...
+modparam("tls", "low_memory_threshold1", -1)
+...
+	</programlisting>
+	</example>
+	</section>
+
+<section id="low_mem_threshold2">
+	<title><varname>low_mem_threshold2</varname> (integer)</title>
+	<para>
+		Sets the minimal free memory from which tls operations on already established tls connections will start to fail preemptively.  The value is expressed in KB.
+	</para>
+	<para>
+		The default value depends on whether the openssl library used handles well low memory situations (openssl bug #1491). As of this writing this is not true for any openssl version (including 0.9.8e).
+	</para>
+	<para>
+		If an ill-behaved openssl version is detected, a very conservative value is choosed, which depends on the maximum possible number of simultaneously created tls connections (and hence on the process number).
+	</para>
+	<para>
+		The following values have a special meaning:
+	</para>
+	<itemizedlist>
+			<listitem>
+				<para>
+					-1 - use the default value
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					0 - disable (tls operations will not fail preemptively)
+				</para>
+			</listitem>
+	</itemizedlist>
+	<para>
+		See also <varname>low_mem_threshold1</varname>.
+	</para>
+	<example>
+		<title>Set <varname>low_memory_threshold2</varname> parameter</title>
+		<programlisting>
+...
+modparam("tls", "low_memory_threshold2", -1)
+...
+	</programlisting>
+	</example>
+	</section>
+
+	<section id="tls_force_run">
+	<title><varname>tls_force_run</varname> (boolean)</title>
+	<para>
+		If enabled ser will start even if some of the openssl sanity checks fail (turn it on at your own risk).
+	</para>
+	<para>
+		Currently failing any of the following sanity checks will not allow ser to start:
+	</para>
+	<itemizedlist>
+			<listitem>
+				<para>
+					the version of the library the tls module was compiled with is "too different" from the library used at runtime. The versions should have the same major, minor and fix level (e.g.: 0.9.8a and 0.9.8c are ok, but 0.9.8 and 0.9.9 are not)
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					the openssl library used at compile time and the one used at runtime have different kerberos options 
+				</para>
+			</listitem>
+	</itemizedlist>
+	<para>
+		By default tls_force_run is disabled.
+	</para>
+	<example>
+		<title>Set <varname>tls_force_run</varname> parameter</title>
+		<programlisting>
+...
+modparam("tls", "tls_force_run", 11)
+...
+	</programlisting>
+	</example>
+	</section>
+
+	<section id="config">
+	<title><varname>config</varname> (string)</title>
+	<para>
+		Sets the name of the TLS specific config file.
+	</para>
+	<para>
+		If set the tls module will load a special config file, in which different tls parameters can be specified on a per role (server or client) and domain basis (for now only IPs). The corresponding module parameters will be ignored.
+	</para>
+	<para>
+		By default no config file is specified.
+	</para>
+	<para>
+		The following parameters can be set in the config file, for each domain:
+	</para>
+	<itemizedlist>
+			<listitem><para>tls_method</para></listitem>
+			<listitem><para>verify_certificate</para></listitem>
+			<listitem><para>require_certificate</para></listitem>
+			<listitem><para>private_key</para></listitem>
+			<listitem><para>certificate</para></listitem>
+			<listitem><para>verify_depth</para></listitem>
+			<listitem><para>ca_list</para></listitem>
+			<listitem><para>cipher_list</para></listitem>
+	</itemizedlist>
+	<para>
+		ser acts as a server when it accepts a connection and as a client when it initiates a new connection by itself (it connects to something).
+	</para>
+	<example>
+		<title>Short config file</title>
+	<programlisting>
+[server:default]
+method = TLSv1
+verify_certificate = no
+require_certificate = no
+private_key = default_key.pem
+certificate = default_cert.pem
+ca_list = default_ca.pem
+
+[client:default]
+verify_certificate = yes
+require_certificate = yes
+
+#more relaxed for connection on the loopback interface
+[server:127.0.0.1:5061]
+method = SSLv23
+verify_certificate = yes
+require_certificate = no
+private_key = local_key.pem
+certificate = local_cert.pem
+verify_depth = 3
+ca_list = local_ca.pem
+
+	</programlisting>
+	</example>
+	<para>
+		For a more complete example check the <emphasis>tls.cfg</emphasis> distributed with the ser source (sip_router/modules/tls/tls.cfg).
+	</para>
+	<example>
+		<title>Set <varname>config</varname> parameter</title>
+		<programlisting>
+...
+modparam("tls", "config", "/usr/local/etc/ser/tls.cfg")
+...
+	</programlisting>
+	</example>
+	</section>
+
+</section>

modules/tls/doc/tls.xml

@@ -0,0 +1,140 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+   "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+
+<section id="tls" xmlns:xi="http://www.w3.org/2001/XInclude">
+	<sectioninfo>
+	<authorgroup>
+		<author>
+		<firstname>Andrei</firstname>
+		<surname>Pelinescu-Onciul</surname>
+		<affiliation><orgname>iptelorg GmbH</orgname></affiliation>
+		<address>
+			<email>[email protected]</email>
+		</address>
+		</author>
+	</authorgroup>
+	<copyright>
+		<year>2007</year>
+		<holder>iptelorg GmbH</holder>
+	</copyright>
+	<revhistory>
+		<revision>
+		<revnumber>$Revision$</revnumber>
+		<date>$Date$</date>
+		</revision>
+	</revhistory>
+	</sectioninfo>
+
+	<title>TLS Module</title>
+
+		<section id="tls.overview">
+		<title>Overview</title>
+		<para>
+			This module implements the TLS transport for ser using the <ulink url="http://www.openssl.org">openssl library</ulink> (http://www.openssl.org). To enable the TLS support this module must be loaded and <emphasis>enable_tls=yes</emphasis> must be added to the ser config file 
+		</para>
+		</section>
+		<section id="tls.quick_start">
+		<title>Quick Start</title>
+		<para>
+			Make sure you have a proper certificate and private key and either use the certificate and private_key module parameters, or make sure the certificate and key are in the same PEM file, named cert.pem an placed in [your-cfg-install-prefix]/etc/ser/. Don't forget to load the tls module and to enable tls (add <emphasis>enable_tls=yes</emphasis> to your config).
+		</para>
+		<example>
+		<title>quick start config</title>
+		<programlisting>
+#...
+loadmodule "modules/tls/tls.so"
+
+modparam("tls", "private_key", "./andrei-test.pem")
+modparam("tls", "certificate", "./andrei-test.pem")
+modparam("tls", "ca_list", "./calist.pem")
+
+enable_tls=yes
+
+route{
+	# ....
+}
+		</programlisting>
+		</example>
+		</section>
+
+		<section id="tls.notes">
+		<title>Important Notes</title>
+		<para>
+			The tls module needs some special options enabled when compiling ser. These options are enabled by default, however in case you're using a modified ser version or Makefile, make sure that you enable -DUSE_TLS and -DTLS_HOOKS (or compile with make TLS_HOOKS=1 which will take care of both options). To quickly check if your ser version was compiled with these options, run ser -V and look for USE_TLS and TLS_HOOKS among the flags.
+		</para>
+		<para>
+			This module includes several workarounds for various openssl bugs (like compression and kerberos using the wrong memory allocations functions, low memory problems a.s.o). On startup it will try to enable the needed workarounds based on the openssl library version. Each time a known problem is detected and a workaround is enabled, a message will be logged. In general it is recommended to compile this module on the same machine or a similar machine to where ser will be run or to link it statically with libssl. For example if on the compile machine openssl does not have the kerberos support enabled, but on the target machine a kerberos enabled openssl library is installed, ser cannot apply the needed workarounds and will refuse to start. The same thing will happen if the openssl versions are too different (to force ser startup anyway, see the <varname>tls_force_run</varname> module parameter).
+		</para>
+		<para>
+			Try to avoid using keys larger then 1024 bytes. Large keys significantly slow down the TLS connection handshake, thus limiting the maximum ser TLS connection rate.
+		</para>
+		<para>
+			Compression is fully supported and used by default, if you have a new enough openssl version (starting with 0.9.8). Although there are some problems with zlib compression in currently deployed openssl versions (up to and including 0.9.8d, see openssl bug #1468), the tls module will automatically switch to its own fixed version. There's no need to force-disable the compression.
+		</para>
+		<para>
+			The tls module includes workarounds for the following known openssl bugs:  openssl #1204 (disable SS_OP_TLS_BLOCK_PADDING_BUG if compression is enabled, for versions between 0.9.8 and 0.9.8c), openssl #1468 (fix zlib compression memory allocation), openssl #1467 (kerberos support will be disabled if the openssl version is less than 0.9.8e-beta1) and openssl #1491 (stop using tls in low memory situations due to the very high risk of openssl crashing or leaking memory). The bug reports can be viewed at
+  <ulink url="http://rt.openssl.org/">http://rt.openssl.org/</ulink>.
+		</para>
+		</section>
+
+
+		<section id="tls.compile">
+		<title>Compiling the TLS Module</title>
+		<para>
+			In most case compiling the TLS module is as simple as:
+			<programlisting>
+make modules modules=modules/tls
+			</programlisting>
+			or
+			<programlisting>
+cd modules/tls
+make
+			</programlisting>
+			or (compiling whole ser and the tls module)
+			<programlisting>
+make all include_modules=tls
+			</programlisting>
+			.
+		</para>
+		<para>
+			However in some cases the openssl library requires linking with other libraries. For example compiling the openssl library with kerberos and zlib-shared support will require linking the tls module with libkrb5 and libz. In this case just add  <emphasis>TLS_EXTRA_LIBS</emphasis>="library list" to make's command line. E.g.:
+			<programlisting>
+make TLS_EXTRA_LIBS="-lkrb5 -lz" all include_modules=tls
+			</programlisting>
+		</para>
+		<para>
+			In general, if ser fails to start with a symbol not found error when trying to load the tls module (check the log), it means some needed library was not linked and it must be added to <emphasis>TLS_EXTRA_LIBS</emphasis>
+		</para>
+		</section>
+
+		<section id="tls.low_memory">
+		<title>TLS and Low Memory</title>
+		<para>
+			The openssl library doesn't handle very well low memory situations. If memory allocations start to fail (due to memory shortage), openssl can crash or cause memory leaks (making the memory shortage even worse). As of this writing all openssl versions were affected (includind 0.9.8e), see openssl bug #1491. The tls module has some workarounds for preventing this problem (see <varname>low_mem_treshold1</varname> and <varname>low_mem_threshold2</varname>), however starting ser with enough shared memory is higly recommended. When this is not possible a quick way to significantly reduce openssl memory usage it to  disable compression (see <varname>tls_disable_compression</varname>).
+		</para>
+		</section>
+
+		<section id="tls.known_limitations">
+		<title>Known Limitations</title>
+		<para>
+			The private key must not encrypted (ser cannot ask you for a password on startup).
+		</para>
+		<para>
+			The tls certificate verifications ignores the certificate name, altname and ip extensions, it just checks if the certificate is signed by a recognized CA. One can use the select framework to try to overcome this limitation (check in the script for the contents of various certificate fields), but this is not only slow, but also not exactly standard conforming (the verification should happen during TLS connection establishment and not after).
+		</para>
+		<para>
+			TLS specific config reloading is not safe, so for now better don't use it, especially under heavy traffic.
+		</para>
+		<para>
+			This documentation is incomplete. The select framework and rpc sections are completely missing.
+		</para>
+		</section>
+
+	<xi:include href="certs_howto.xml"/>
+	<xi:include href="params.xml"/>
+	<xi:include href="functions.xml"/>
+	<xi:include href="history.xml"/>
+
+</section>
+

modules/tls/fixed_c_zlib.h

@@ -0,0 +1,247 @@
+/* $Id$
+ * 
+ * This file contains modified zlib compression functions
+ * originally part of crypto/comp/c_zlib.c from the openssl library 
+ * (version 0.9.8a).
+ * It's distributed under the same license as OpenSSL.
+ *
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ */
+/*
+ * The changes are: 
+ *   - proper zalloc and zfree initialization for the zlib compression
+ *     methods (use OPENSSL_malloc & OPENSSL_free to construct zalloc/zfree)
+ *   - zlib_stateful_ex_idx is now a macro, a pointer to int is alloc'ed now
+ *    on init and zlib_stateful_ex_idx is now the contents of this pointer 
+ *    (deref). This allows using compression from different processes (if 
+ *    the OPENSSL_malloc's are initialized previously to a shared mem. using
+ *    version).
+ *  -- andrei
+ */
+
+
+#ifdef TLS_FIX_ZLIB_COMPRESSION
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/objects.h>
+#include <openssl/comp.h>
+#include <openssl/err.h>
+
+#include <zlib.h>
+
+
+/* alloc functions for zlib initialization */
+static void* comp_calloc(void* foo, unsigned int no, unsigned int size)
+{
+	void *p;
+	
+	p=OPENSSL_malloc(no*size);
+	if (p)
+		memset(p, 0, no*size);
+	return p;
+}
+
+
+/* alloc functions for zlib initialization */
+static void comp_free(void* foo, void* p)
+{
+	OPENSSL_free(p);
+}
+
+
+static int zlib_stateful_init(COMP_CTX *ctx);
+static void zlib_stateful_finish(COMP_CTX *ctx);
+static int zlib_stateful_compress_block(COMP_CTX *ctx, unsigned char *out,
+	unsigned int olen, unsigned char *in, unsigned int ilen);
+static int zlib_stateful_expand_block(COMP_CTX *ctx, unsigned char *out,
+	unsigned int olen, unsigned char *in, unsigned int ilen);
+
+
+static COMP_METHOD zlib_method={
+	NID_zlib_compression,
+	LN_zlib_compression,
+	zlib_stateful_init,
+	zlib_stateful_finish,
+	zlib_stateful_compress_block,
+	zlib_stateful_expand_block,
+	NULL,
+	NULL,
+	};
+
+
+struct zlib_state
+	{
+	z_stream istream;
+	z_stream ostream;
+	};
+
+static int* pzlib_stateful_ex_idx = 0; 
+#define zlib_stateful_ex_idx (*pzlib_stateful_ex_idx)
+
+static void zlib_stateful_free_ex_data(void *obj, void *item,
+	CRYPTO_EX_DATA *ad, int ind,long argl, void *argp);
+
+int fixed_c_zlib_init()
+{
+	if (pzlib_stateful_ex_idx==0){
+		if ((pzlib_stateful_ex_idx=OPENSSL_malloc(sizeof(int)))!=0){
+			/* good side effect: it makes sure the ex_data hash
+			 * in crypto/ex_data.c is created before fork
+			 * (else each process would have its own copy :-( ) */
+			CRYPTO_w_lock(CRYPTO_LOCK_COMP);
+			zlib_stateful_ex_idx =
+				CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_COMP,
+					0,NULL,NULL,NULL,zlib_stateful_free_ex_data);
+			CRYPTO_w_unlock(CRYPTO_LOCK_COMP);
+			return 0;
+		} else return -1;
+	}
+	return -1;
+}
+
+
+
+static void zlib_stateful_free_ex_data(void *obj, void *item,
+	CRYPTO_EX_DATA *ad, int ind,long argl, void *argp)
+	{
+	struct zlib_state *state = (struct zlib_state *)item;
+	if (state)
+		{
+			inflateEnd(&state->istream);
+			deflateEnd(&state->ostream);
+			OPENSSL_free(state);
+		}
+	else LOG(L_CRIT, "WARNING: zlib_stateful_free_ex(%p, %p, %p, %d, %ld, %p)" ": cannot free, null item/state\n", obj, item, ad, ind, argl, argp);
+	}
+
+static int zlib_stateful_init(COMP_CTX *ctx)
+	{
+	int err;
+	struct zlib_state *state =
+		(struct zlib_state *)OPENSSL_malloc(sizeof(struct zlib_state));
+	int inflate_init, deflate_init;
+
+	if (state == NULL)
+		goto err;
+	inflate_init=0;
+	deflate_init=0;
+
+	state->istream.zalloc = comp_calloc;
+	state->istream.zfree = comp_free;
+	state->istream.opaque = Z_NULL;
+	state->istream.next_in = Z_NULL;
+	state->istream.next_out = Z_NULL;
+	state->istream.avail_in = 0;
+	state->istream.avail_out = 0;
+	err = inflateInit_(&state->istream,
+		ZLIB_VERSION, sizeof(z_stream));
+	if (err != Z_OK)
+		goto err;
+	inflate_init=1;
+
+	state->ostream.zalloc = comp_calloc;
+	state->ostream.zfree = comp_free;
+	state->ostream.opaque = Z_NULL;
+	state->ostream.next_in = Z_NULL;
+	state->ostream.next_out = Z_NULL;
+	state->ostream.avail_in = 0;
+	state->ostream.avail_out = 0;
+	err = deflateInit_(&state->ostream,Z_DEFAULT_COMPRESSION,
+		ZLIB_VERSION, sizeof(z_stream));
+	if (err != Z_OK)
+		goto err;
+	deflate_init=1;
+
+	if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_COMP,ctx,&ctx->ex_data))
+		goto err;
+	if (zlib_stateful_ex_idx == -1)
+		{
+		CRYPTO_w_lock(CRYPTO_LOCK_COMP);
+		if (zlib_stateful_ex_idx == -1)
+			zlib_stateful_ex_idx =
+				CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_COMP,
+					0,NULL,NULL,NULL,zlib_stateful_free_ex_data);
+		CRYPTO_w_unlock(CRYPTO_LOCK_COMP);
+		if (zlib_stateful_ex_idx == -1)
+			goto err_ex_data;
+		}
+	if (!CRYPTO_set_ex_data(&ctx->ex_data,zlib_stateful_ex_idx,state))
+		goto err_ex_data;
+	return 1;
+err_ex_data:
+	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_COMP,ctx,&ctx->ex_data);
+err:
+	if (state){
+		/* ctx->ex_data freed from outside */
+		if (inflate_init)
+				inflateEnd(&state->istream);
+		if (deflate_init)
+				deflateEnd(&state->ostream);
+		OPENSSL_free(state);
+	}
+	return 0;
+	}
+
+static void zlib_stateful_finish(COMP_CTX *ctx)
+	{
+	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_COMP,ctx,&ctx->ex_data);
+	}
+
+static int zlib_stateful_compress_block(COMP_CTX *ctx, unsigned char *out,
+	unsigned int olen, unsigned char *in, unsigned int ilen)
+	{
+	int err = Z_OK;
+	struct zlib_state *state =
+		(struct zlib_state *)CRYPTO_get_ex_data(&ctx->ex_data,
+			zlib_stateful_ex_idx);
+
+	if (state == NULL)
+		return -1;
+
+	state->ostream.next_in = in;
+	state->ostream.avail_in = ilen;
+	state->ostream.next_out = out;
+	state->ostream.avail_out = olen;
+	if (ilen > 0)
+		err = deflate(&state->ostream, Z_SYNC_FLUSH);
+	if (err != Z_OK)
+		return -1;
+#ifdef DEBUG_ZLIB
+	fprintf(stderr,"compress(%4d)->%4d %s\n",
+		ilen,olen - state->ostream.avail_out,
+		(ilen != olen - state->ostream.avail_out)?"zlib":"clear");
+#endif
+	return olen - state->ostream.avail_out;
+	}
+
+static int zlib_stateful_expand_block(COMP_CTX *ctx, unsigned char *out,
+	unsigned int olen, unsigned char *in, unsigned int ilen)
+	{
+	int err = Z_OK;
+
+	struct zlib_state *state =
+		(struct zlib_state *)CRYPTO_get_ex_data(&ctx->ex_data,
+			zlib_stateful_ex_idx);
+
+	if (state == NULL)
+		return 0;
+
+	state->istream.next_in = in;
+	state->istream.avail_in = ilen;
+	state->istream.next_out = out;
+	state->istream.avail_out = olen;
+	if (ilen > 0)
+		err = inflate(&state->istream, Z_SYNC_FLUSH);
+	if (err != Z_OK)
+		return -1;
+#ifdef DEBUG_ZLIB
+	fprintf(stderr,"expand(%4d)->%4d %s\n",
+		ilen,olen - state->istream.avail_out,
+		(ilen != olen - state->istream.avail_out)?"zlib":"clear");
+#endif
+	return olen - state->istream.avail_out;
+	}
+
+#endif /* TLS_FIX_ZLIB_COMPRESSION */

modules/tls/ser-tls.cfg

@@ -0,0 +1,25 @@
+#
+# This is a minimalistic SER configuration file which can
+# be used to test the TLS module.
+#
+debug=4         # debug level (cmd line: -dddddddddd)
+fork=yes
+log_stderror=yes
+
+children=1
+enable_tls=1
+
+loadpath   "./modules"
+
+loadmodule "sl"
+loadmodule "tls"
+
+modparam("tls", "config", "tls.cfg")
+
+listen=tls:127.0.0.1:5061
+
+route {
+	sl_reply("200", "OK");
+	break;
+}
+

modules/tls/ser_cert.sh

@@ -0,0 +1,168 @@
+#!/bin/sh
+#
+# $Id$
+#
+# This script generates a self-signed TLS/SSL certificate that can be
+# immediately used with the TLS module of SER. The file was inspired
+# by a script from Debian's uw-imapd package.
+#
+
+#############################################################################
+# Configuration variables
+#############################################################################
+DEFAULT_DIR="/usr/local/etc/ser"
+DEFAULT_DAYS=365
+DEFAULT_INFO="Self-signed certificate for SER"
+DEFAULT_CERT_FILENAME="ser-selfsigned.pem"
+DEFAULT_KEY_FILENAME="ser-selfsigned.key"
+
+DEFAULT_OPENSSL='openssl'
+
+HOSTNAME=`hostname -s`
+FQDN=`hostname -f`
+MAILNAME=`cat /etc/mailname 2> /dev/null || hostname -f`
+
+usage() {
+cat <<EOF
+NAME
+  $COMMAND - Generate a self-signed TLS/SSL certificate for use with SER.
+
+SYNOPSIS
+  $COMMAND [options]
+
+DESCRIPTION
+  This is a simple shell script that generates a self signed TLS/SSL
+  certificate (and private key) for use with the tls module of SER. The
+  self-signed certificate is suitable for testing and/or private setups.
+  You are encouraged to create a proper authorized one if needed.
+
+  Both certificate and key files are by default stored in the directory
+  containing the configuration file of SER (unless you change it using
+  the options below).
+
+OPTIONS
+  -h, --help
+      Display this help text.
+
+  -d, --dir=DIRECTORY
+      The path to the directory where cert and key files will be stored.
+	  (Default value is '$DEFAULT_DIR')
+
+  -c, --certificate=FILENAME
+      The name of the file where the certificate will be stored.
+	  (Default value is '$DEFAULT_CERT_FILENAME')
+
+  -k, --key=FILENAME
+      The name of the file where the private key will be stored.
+	  (Default value is '$DEFAULT_KEY_FILENAME')
+
+  -e, --expires=DAYS
+      Number of days for which the certificate will be valid.
+	  (Default value is '$DEFAULT_DAYS')
+
+  -i, --info=TEXT
+      The description text to be embedded in the certificate.
+	  (Default value is '$DEFAULT_INFO')
+
+  -o, --overwrite
+      Overwrite certificate and key files if they exist already.
+      (By default they will be not overwritten.)
+
+ENVIRONMENT VARIABLES
+  OPENSSL	Path to openssl command (Currently ${OPENSSL})
+
+AUTHOR
+  Written by Jan Janak <[email protected]>
+
+REPORTING BUGS
+  Report bugs to <[email protected]>
+EOF
+} #usage
+
+
+COMMAND=`basename $0`
+if [ -z "$DIR" ] ; then DIR=$DEFAULT_DIR; fi;
+if [ -z "$DAYS" ] ; then DAYS=$DEFAULT_DAYS; fi;
+if [ -z "$INFO" ] ; then INFO=$DEFAULT_INFO; fi;
+if [ -z "$CERT_FILENAME" ] ; then CERT_FILENAME=$DEFAULT_CERT_FILENAME; fi;
+if [ -z "$KEY_FILENAME" ] ; then KEY_FILENAME=$DEFAULT_KEY_FILENAME; fi;
+if [ -z "$OPENSSL" ] ; then OPENSSL=$DEFAULT_OPENSSL; fi;
+
+TEMP=`getopt -o hd:c:k:e:i:o --long help,dir:,certificate:,key:,expires:,info:,overwrite -n $COMMAND -- "$@"`
+if [ $? != 0 ] ; then exit 1; fi
+eval set -- "$TEMP"
+
+while true ; do
+	case "$1" in
+	-h|--help)         usage;                 exit 0 ;;
+	-d|--dir)          DIR=$2;                shift 2 ;;
+	-c|--certificate)  CERT_FILENAME=$2;      shift 2 ;;
+	-k|--key)          KEY_FILENAME=$2;       shift 2 ;;
+	-e|--expires)      DAYS=$2;               shift 2 ;;
+	-i|--info)         INFO=$2;               shift 2 ;;
+    -o|--overwrite)    OVERWRITE=1;           shift ;;
+	--)                shift;                 break ;;
+	*)                 echo "Internal error"; exit 1 ;;
+	esac
+done
+
+TEMP=`which $OPENSSL`
+if [ $? != 0 ] ; then
+	echo "Could not find openssl command"
+	echo "Set OPENSSL environment variable properly (see -h for more info)"
+	exit 1
+fi
+
+if [ ! -d "$DIR" ] ; then
+	echo "Directory '$DIR' does not exist."
+	exit 1
+fi
+
+if [ -z "$OVERWRITE" -a \( -f "$DIR/$CERT_FILENAME" \) ] ; then
+	echo "File '$DIR/$CERT_FILENAME' already exists, doing nothing."
+	echo "(Use -o to override)"
+	exit 0;
+fi
+
+
+if [ -z "$OVERWRITE" -a \( -f "$DIR/$KEY_FILENAME" \) ] ; then
+	echo "File '$DIR/$KEY_FILENAME' already exists, doing nothing."
+	echo "(Use -o to override)."
+	exit 0;
+fi
+
+touch "$DIR/$CERT_FILENAME" > /dev/null 2>&1
+if [ $? != 0 ] ; then
+	echo "Could not create file '$DIR/$CERT_FILENAME'"
+	exit 1
+fi
+
+touch "$DIR/$KEY_FILENAME" > /dev/null 2>&1
+if [ $? != 0 ] ; then
+	echo "Could not create file '$DIR/$KEY_FILENAME'"
+	rm -f "$DIR/$CERT_FILE"
+	exit 1
+fi
+
+echo "Creating a new SER self-signed certificate for '$FQDN'" \
+     "valid for $DAYS days."
+openssl req -new -x509 -days "$DAYS" -nodes -out "$DIR/$CERT_FILENAME" \
+        -keyout "$DIR/$KEY_FILENAME" > /dev/null 2>&1 <<+
+.
+.
+.
+$INFO
+$HOSTNAME
+$FQDN
+root@$MAILNAME
++
+
+if [ $? != 0 ] ; then
+	echo "Error while executing openssl command."
+	rm -f "$DIR/$CERT_FILE" "$DIR/$KEY_FILE"
+	exit 1;
+else
+	echo "Private key stored in '$DIR/$KEY_FILENAME'."
+	echo "Certificate stored in '$DIR/$CERT_FILENAME'."
+	exit 0;
+fi

modules/tls/tls.cfg

@@ -0,0 +1,61 @@
+#
+# $Id$
+#
+# Example SER TLS Configuration File
+#
+
+# This is the default server domain, settings
+# in this domain will be used for all incoming
+# connections that do not match any other server
+# domain in this configuration file.
+#
+# We do not enable anything else than TLSv1
+# over the public internet. Clients do not have
+# to present client certificates by default.
+#
+[server:default]
+method = TLSv1
+verify_certificate = no
+require_certificate = no
+private_key = ser-selfsigned.key
+certificate = ser-selfsigned.pem
+
+# This is the default client domain, settings
+# in this domain will be used for all outgoing
+# TLS connections that do not match any other
+# client domain in this configuration file.
+# We require that servers present valid certificate.
+#
+[client:default]
+verify_certificate = yes
+require_certificate = yes
+
+# This is example server domain for TLS connections
+# received from the loopback interface. We allow
+# the use of SSLv2 and SSLv3 protocols here, we do
+# not require that clients present client certificates
+# but if they present it it must be valid. We also use
+# a special certificate and CA list for loopback
+# interface.
+#
+#[server:127.0.0.1:5061]
+#method = SSLv23
+#verify_certificate = yes
+#require_certificate = no
+#private_key = local_key.pem
+#certificate = local_cert.pem
+#verify_depth = 3
+#ca_list = local_ca.pem
+
+# Special settings for the iptel.org public SIP
+# server. We do not verify the certificate of the
+# server because it can be expired. The server
+# implements authentication using SSL client
+# certificates so configure the client certificate
+# that was given to use by iptel.org staff here.
+#
+#[client:195.37.77.101:5061]
+#verify_certificate = no
+#certificate = iptel_client.pem
+#private_key = iptel_key.pem
+#ca_list = iptel_ca.pem

modules/tls/tls_config.c

@@ -0,0 +1,374 @@
+/*
+ * $Id$
+ *
+ * TLS module - Configuration file parser
+ *
+ * Copyright (C) 2001-2003 FhG FOKUS
+ * Copyright (C) 2004,2005 Free Software Foundation, Inc.
+ * Copyright (C) 2005,2006 iptelorg GmbH
+ *
+ * This file is part of ser, a free SIP server.
+ *
+ * ser is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version
+ *
+ * For a license to use the ser software under conditions
+ * other than those described here, or to purchase support for this
+ * software, please contact iptel.org by e-mail at the following addresses:
+ *    [email protected]
+ *
+ * ser is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ *
+ */
+
+#include "tls_config.h"
+#include "tls_domain.h"
+#include "tls_mod.h"
+#include "tls_util.h"
+
+#include "../../cfg_parser.h"
+
+#include "../../resolve.h"
+#include "../../mem/mem.h"
+#include "../../dprint.h"
+#include "../../trim.h"
+#include "../../ut.h"
+
+static tls_cfg_t* cfg = NULL;
+static tls_domain_t* domain = NULL;
+
+
+static int parse_ipv6(struct ip_addr* ip, cfg_token_t* token, 
+					  cfg_parser_t* st)
+{
+	int ret;
+	cfg_token_t t;
+	struct ip_addr* ipv6;
+	str ip6_str;
+
+	ip6_str.s = t.val.s;
+	while(1) {
+		ret = cfg_get_token(&t, st, 0);
+		if (ret != 0) goto err;
+		if (t.type == ']') break;
+		if (t.type != CFG_TOKEN_ALPHA && t.type != ':') goto err;
+	}
+	ip6_str.len = (int)(long)(t.val.s - ip6_str.s);
+
+	ipv6 = str2ip6(&ip6_str);
+	if (ipv6 == 0) goto err;
+	*ip = *ipv6;
+	return 0;
+
+ err:
+	ERR("%s:%d:%d: Invalid IPv6 address\n", 
+	    st->file, token->start.line, token->start.col);
+	return -1;
+}
+
+
+static int parse_ipv4(struct ip_addr* ip, cfg_token_t* token, 
+					  cfg_parser_t* st)
+{
+	int ret, i;
+	cfg_token_t  t;
+	unsigned int v;
+
+	ip->af = AF_INET;
+	ip->len = 4;
+
+	if (str2int(&token->val, &v) < 0) goto err;
+	if (v < 0 || v > 255) goto err;
+
+	ip->u.addr[0] = v;
+
+	for(i = 1; i < 4; i++) {
+		ret = cfg_get_token(&t, st, 0);
+		if (ret < 0) return -1;
+		if (ret > 0 || t.type != '.')  goto err;
+		
+		ret = cfg_get_token(&t, st, 0);
+		if (ret < 0) return -1;
+		if (ret > 0 || t.type != CFG_TOKEN_ALPHA) goto err;
+		if (str2int(&t.val, &v) < 0)  goto err;
+		if (v < 0 || v > 255) goto err;
+		ip->u.addr[i] = v;
+	}
+
+	return 0;
+ err:
+	ERR("%s:%d:%d: Invalid IPv4 address\n", 
+	    st->file, token->start.line, token->start.col);
+	return -1;
+}
+
+
+static cfg_option_t methods[] = { 
+	{"SSLv2",  .val = TLS_USE_SSLv2},
+	{"SSLv3",  .val = TLS_USE_SSLv3},
+	{"SSLv23", .val = TLS_USE_SSLv23},
+	{"TLSv1",  .val = TLS_USE_TLSv1},
+	{0}
+};
+
+
+static cfg_option_t domain_types[] = {
+	{"server", .val = TLS_DOMAIN_SRV},
+	{"srv",    .val = TLS_DOMAIN_SRV},
+	{"s",      .val = TLS_DOMAIN_SRV},
+	{"client", .val = TLS_DOMAIN_CLI},
+	{"cli",    .val = TLS_DOMAIN_CLI},
+	{"c",      .val = TLS_DOMAIN_CLI}, 
+	{0}
+};
+
+
+static cfg_option_t token_default[] = { 
+	{"default"},
+	{"def"},
+	{"*"},
+	{0}
+};
+
+
+static cfg_option_t options[] = {
+	{"method",              .param = methods, .f = cfg_parse_enum_opt},
+	{"tls_method",          .param = methods, .f = cfg_parse_enum_opt},
+	{"verify_certificate",  .f = cfg_parse_bool_opt},
+	{"verify_cert",         .f = cfg_parse_bool_opt},
+	{"verify_depth",        .f = cfg_parse_int_opt},
+	{"require_certificate", .f = cfg_parse_bool_opt},
+	{"require_cert",        .f = cfg_parse_bool_opt},
+	{"private_key",         .f = cfg_parse_str_opt, .flags = CFG_STR_SHMMEM},
+	{"pkey_file",           .f = cfg_parse_str_opt, .flags = CFG_STR_SHMMEM},
+	{"calist_file",         .f = cfg_parse_str_opt, .flags = CFG_STR_SHMMEM},
+	{"certificate",         .f = cfg_parse_str_opt, .flags = CFG_STR_SHMMEM},
+	{"cert_file",           .f = cfg_parse_str_opt, .flags = CFG_STR_SHMMEM},
+	{"cipher_list",         .f = cfg_parse_str_opt, .flags = CFG_STR_SHMMEM},
+	{"ca_list",             .f = cfg_parse_str_opt, .flags = CFG_STR_SHMMEM},
+	{0}
+};
+
+
+static void update_opt_variables(void)
+{
+	int i;
+	for(i = 0; methods[i].name; i++) {
+		methods[i].param = &domain->method;
+	}
+	options[2].param = &domain->verify_cert;
+	options[3].param = &domain->verify_cert;
+	options[4].param = &domain->verify_depth;
+	options[5].param = &domain->require_cert;
+	options[6].param = &domain->require_cert;
+	options[7].param = &domain->pkey_file;
+	options[8].param = &domain->pkey_file;
+	options[9].param = &domain->ca_file;
+	options[10].param = &domain->cert_file;
+	options[11].param = &domain->cert_file;
+	options[12].param = &domain->cipher_list;
+	options[13].param = &domain->ca_file;
+}
+
+
+static int parse_hostport(int* type, struct ip_addr* ip, unsigned int* port, 
+						  cfg_token_t* token, cfg_parser_t* st)
+{
+	int ret;
+	cfg_token_t t;
+    cfg_option_t* opt;
+
+	ret = cfg_get_token(&t, st, 0);
+	if (ret < 0) return -1;
+	if (ret > 0) {
+		ERR("%s:%d:%d: Missing IP address\n", st->file, 
+			token->start.line, token->start.col);
+		return -1;
+	}
+
+	if (t.type == '[') {
+		if (parse_ipv6(ip, &t, st) < 0) return -1;
+	} else if (t.type == CFG_TOKEN_ALPHA) {
+		opt = cfg_lookup_token(token_default, &t.val);
+		if (opt) {
+			*type = TLS_DOMAIN_DEF;
+			     /* Default domain */
+			return 0;
+		} else {
+			if (parse_ipv4(ip, &t, st) < 0) return -1;
+		}
+	} else {
+		ERR("%s:%d:%d: Syntax error, IP address expected\n", 
+		    st->file, t.start.line, t.start.col);
+		return -1;
+	}
+	*type = 0;
+
+	     /* Parse port */
+	ret = cfg_get_token(&t, st, 0);
+	if (ret < 0) return -1;
+	if (ret > 0) {
+		ERR("%s:%d:%d: Syntax error, ':' expected\n", st->file, st->line, 
+			st->col);
+		return -1;
+	}
+	
+	if (t.type != ':') {
+		ERR("%s:%d:%d: Syntax error, ':' expected\n", 
+		    st->file, t.start.line, t.start.col);
+		return -1;
+	}	
+	
+	ret = cfg_get_token(&t, st, 0);
+	if (ret < 0) return -1;
+	if (ret > 0) {
+		ERR("%s:%d:%d: Premature end of file, port number missing\n", 
+		    st->file, t.start.line, t.start.col);
+		return -1;
+	}
+	
+	if (t.type != CFG_TOKEN_ALPHA || (str2int(&t.val, port) < 0)) {
+		ERR("%s:%d:%d: Invalid port number '%.*s'\n", 
+		    st->file, t.start.line, t.start.col, STR_FMT(&t.val));
+		return -1;
+	}		
+	return 0;
+}
+
+
+static int parse_domain(void* param, cfg_parser_t* st, unsigned int flags)
+{
+	cfg_token_t t;
+	int ret;
+	cfg_option_t* opt;
+
+	int type;
+	struct ip_addr ip;
+	unsigned int port;
+
+	memset(&ip, 0, sizeof(struct ip_addr));
+
+	ret = cfg_get_token(&t, st, 0);
+	if (ret < 0) return -1;
+	if (ret > 0) {
+		ERR("%s:%d:%d: TLS domain type missing\n", 
+		    st->file, st->line, st->col);
+		return -1;
+	}
+
+	if (t.type != CFG_TOKEN_ALPHA || 
+	    ((opt = cfg_lookup_token(domain_types, &t.val)) == NULL)) {
+		ERR("%s:%d:%d: Invalid TLS domain type %d:'%.*s'\n", 
+		    st->file, t.start.line, t.start.col, t.type, STR_FMT(&t.val));
+		return -1;
+	}
+	
+	ret = cfg_get_token(&t, st, 0);
+	if (ret < 0) return -1;
+	if (ret > 0) {
+		ERR("%s:%d:%d: TLS domain IP address missing\n", 
+		    st->file, st->line, st->col);
+		return -1;
+	}
+	if (t.type != ':') {
+		ERR("%s:%d:%d: Syntax error, ':' expected\n", 
+		    st->file, t.start.line, t.start.col);
+		return -1;
+	}	
+
+	port = 0;
+	if (parse_hostport(&type, &ip, &port, &t, st) < 0) return -1;
+
+	ret = cfg_get_token(&t, st, 0);
+	if (ret < 0) return -1;
+	if (ret > 0) {
+		ERR("%s:%d:%d: Closing ']' missing\n", 
+		    st->file, st->line, st->col);
+		return -1;
+	}
+	if (t.type != ']') {
+		ERR("%s:%d:%d: Syntax error, ']' expected\n", 
+		    st->file, t.start.line, t.start.col);
+		return -1;
+	}
+
+	if (cfg_eat_eol(st, flags)) return -1;
+
+	if ((domain = tls_new_domain(opt->val | type, &ip, port)) == NULL) {
+		ERR("%s:%d: Cannot create TLS domain structure\n", st->file, st->line);
+		return -1;
+	}
+
+	ret = tls_add_domain(cfg, domain);
+	if (ret < 0) {
+		ERR("%s:%d: Error while creating TLS domain structure\n", st->file, 
+			st->line);
+		tls_free_domain(domain);
+		return -1;
+	} else if (ret == 1) {
+		ERR("%s:%d: Duplicate TLS domain (appears earlier in the config file)\n", 
+		    st->file, st->line);
+		tls_free_domain(domain);
+		return -1;
+	}
+	
+	update_opt_variables();
+	cfg_set_options(st, options);
+	return 0;
+}
+
+
+/*
+ * Create configuration structures from configuration file
+ */
+tls_cfg_t* tls_load_config(str* filename)
+{
+	cfg_parser_t* parser;
+
+	parser = NULL;
+	if ((cfg = tls_new_cfg()) == NULL) goto error;
+
+	if ((parser = cfg_parser_init(filename)) == NULL) {
+		ERR("tls: Error while initializing configuration file parser.\n");
+		goto error;
+	}
+
+	cfg_section_parser(parser, parse_domain, NULL);
+
+	if (cfg_parse(parser)) goto error;
+	cfg_parser_close(parser);
+	return cfg;
+
+ error:
+	if (parser) cfg_parser_close(parser);
+	if (cfg) tls_free_cfg(cfg);
+	return 0;
+}
+
+
+/*
+ * Convert TLS method string to integer
+ */
+int tls_parse_method(str* method)
+{
+    cfg_option_t* opt;
+
+    if (!method) {
+        BUG("Invalid parameter value\n");
+        return -1;
+    }
+
+    opt = cfg_lookup_token(methods, method);
+    if (!opt) return -1;
+
+    return opt->val;
+}

modules/tls/tls_config.h

@@ -0,0 +1,47 @@
+/*
+ * $Id$
+ *
+ * TLS module - Configuration file parser
+ *
+ * Copyright (C) 2001-2003 FhG FOKUS
+ * Copyright (C) 2004,2005 Free Software Foundation, Inc.
+ * Copyright (C) 2005,2006 iptelorg GmbH
+ *
+ * This file is part of ser, a free SIP server.
+ *
+ * ser is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version
+ *
+ * For a license to use the ser software under conditions
+ * other than those described here, or to purchase support for this
+ * software, please contact iptel.org by e-mail at the following addresses:
+ *    [email protected]
+ *
+ * ser is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ *
+ */
+
+#ifndef _TLS_CONFIG_H
+#define _TLS_CONFIG_H
+
+#include "../../str.h"
+#include "tls_domain.h"
+
+tls_cfg_t* tls_load_config(str* filename);
+
+/*
+ * Convert TLS method string to integer
+ */
+int tls_parse_method(str* method);
+
+
+#endif /* _TLS_CONFIG_H */

modules/tls/tls_domain.c

@@ -0,0 +1,678 @@
+/*
+ * $Id$
+ *
+ * TLS module - virtual configuration domain support
+ *
+ * Copyright (C) 2001-2003 FhG FOKUS
+ * Copyright (C) 2004,2005 Free Software Foundation, Inc.
+ * Copyright (C) 2005,2006 iptelorg GmbH
+ *
+ * This file is part of ser, a free SIP server.
+ *
+ * ser is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version
+ *
+ * For a license to use the ser software under conditions
+ * other than those described here, or to purchase support for this
+ * software, please contact iptel.org by e-mail at the following addresses:
+ *    [email protected]
+ *
+ * ser is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License 
+ * along with this program; if not, write to the Free Software 
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#include <stdlib.h>
+#include <openssl/ssl.h>
+#include <openssl/opensslv.h>
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+# include <openssl/ui.h>
+#endif
+#include "../../ut.h"
+#include "../../mem/shm_mem.h"
+#include "../../pt.h"
+#include "tls_server.h"
+#include "tls_util.h"
+#include "tls_mod.h"
+#include "tls_init.h"
+#include "tls_domain.h"
+
+
+/*
+ * create a new domain 
+ */
+tls_domain_t* tls_new_domain(int type, struct ip_addr *ip, unsigned short port)
+{
+	tls_domain_t* d;
+
+	d = shm_malloc(sizeof(tls_domain_t));
+	if (d == NULL) {
+		ERR("Memory allocation failure\n");
+		return 0;
+	}
+	memset(d, '\0', sizeof(tls_domain_t));
+
+	d->type = type;
+	if (ip) memcpy(&d->ip, ip, sizeof(struct ip_addr));
+	d->port = port;
+	d->verify_cert = -1;
+	d->verify_depth = -1;
+	d->require_cert = -1;
+	return d;
+/*
+ error:
+	shm_free(d);
+	return 0; */
+}
+
+
+/*
+ * Free all memory used by configuration domain
+ */
+void tls_free_domain(tls_domain_t* d)
+{
+	int i;
+	int procs_no;
+	
+	if (!d) return;
+	if (d->ctx) {
+		procs_no=get_max_procs();
+		for(i = 0; i < procs_no; i++) {
+			if (d->ctx[i]) SSL_CTX_free(d->ctx[i]);
+		}
+		shm_free(d->ctx);
+	}
+
+	if (d->cipher_list.s) shm_free(d->cipher_list.s);
+	if (d->ca_file.s) shm_free(d->ca_file.s);
+	if (d->pkey_file.s) shm_free(d->pkey_file.s);
+	if (d->cert_file.s) shm_free(d->cert_file.s);
+	shm_free(d);
+}
+
+
+/*
+ * clean up 
+ */
+void tls_free_cfg(tls_cfg_t* cfg)
+{
+	tls_domain_t* p;
+	while(cfg->srv_list) {
+		p = cfg->srv_list;
+		cfg->srv_list = cfg->srv_list->next;
+		tls_free_domain(p);
+	}
+	while(cfg->cli_list) {
+		p = cfg->cli_list;
+		cfg->cli_list = cfg->cli_list->next;
+		tls_free_domain(p);
+	}
+	if (cfg->srv_default) tls_free_domain(cfg->srv_default);
+	if (cfg->cli_default) tls_free_domain(cfg->cli_default);
+}
+
+
+
+void tls_destroy_cfg(void)
+{
+	tls_cfg_t* ptr;
+
+	if (tls_cfg_lock) {
+		lock_destroy(tls_cfg_lock);
+		lock_dealloc(tls_cfg_lock);
+	}
+
+	if (tls_cfg) {
+		while(*tls_cfg) {
+			ptr = *tls_cfg;
+			*tls_cfg = (*tls_cfg)->next;
+			tls_free_cfg(ptr);
+		}
+		
+		shm_free(tls_cfg);
+	}
+}
+
+
+
+/*
+ * Print TLS domain identifier
+ */
+char* tls_domain_str(tls_domain_t* d)
+{
+	static char buf[1024];
+	char* p;
+
+	buf[0] = '\0';
+	p = buf;
+	p = strcat(p, d->type & TLS_DOMAIN_SRV ? "TLSs<" : "TLSc<");
+	if (d->type & TLS_DOMAIN_DEF) {
+		p = strcat(p, "default>");
+	} else {
+		p = strcat(p, ip_addr2a(&d->ip));
+		p = strcat(p, ":");
+		p = strcat(p, int2str(d->port, 0));
+		p = strcat(p, ">");
+	}
+	return buf;
+}
+
+
+/*
+ * Initialize parameters that have not been configured from
+ * parent domain (usualy one of default domains
+ */
+static int fill_missing(tls_domain_t* d, tls_domain_t* parent)
+{
+	if (d->method == TLS_METHOD_UNSPEC) d->method = parent->method;
+	LOG(L_INFO, "%s: tls_method=%d\n", tls_domain_str(d), d->method);
+	
+	if (d->method < 1 || d->method >= TLS_METHOD_MAX) {
+		ERR("%s: Invalid TLS method value\n", tls_domain_str(d));
+		return -1;
+	}
+	
+	if (!d->cert_file.s && 
+	    shm_asciiz_dup(&d->cert_file.s, parent->cert_file.s) < 0) return -1;
+	d->cert_file.len = parent->cert_file.len;
+	LOG(L_INFO, "%s: certificate='%s'\n", tls_domain_str(d), d->cert_file.s);
+	
+	if (!d->ca_file.s &&
+	    shm_asciiz_dup(&d->ca_file.s, parent->ca_file.s) < 0) return -1;
+	d->ca_file.len = parent->ca_file.len;
+	LOG(L_INFO, "%s: ca_list='%s'\n", tls_domain_str(d), d->ca_file.s);
+	
+	if (d->require_cert == -1) d->require_cert = parent->require_cert;
+	LOG(L_INFO, "%s: require_certificate=%d\n", tls_domain_str(d), d->require_cert);
+	
+	if (!d->cipher_list.s &&
+	    shm_asciiz_dup(&d->cipher_list.s, parent->cipher_list.s) < 0) return -1;
+	d->cipher_list.len = parent->cipher_list.len;
+	LOG(L_INFO, "%s: cipher_list='%s'\n", tls_domain_str(d), d->cipher_list.s);
+	
+	if (!d->pkey_file.s &&
+	    shm_asciiz_dup(&d->pkey_file.s, parent->pkey_file.s) < 0) return -1;
+	d->pkey_file.len = parent->pkey_file.len;
+	LOG(L_INFO, "%s: private_key='%s'\n", tls_domain_str(d), d->pkey_file.s);
+	
+	if (d->verify_cert == -1) d->verify_cert = parent->verify_cert;
+	LOG(L_INFO, "%s: verify_certificate=%d\n", tls_domain_str(d), d->verify_cert);
+	
+	if (d->verify_depth == -1) d->verify_depth = parent->verify_depth;
+	LOG(L_INFO, "%s: verify_depth=%d\n", tls_domain_str(d), d->verify_depth);
+
+	return 0;
+}
+
+
+/* 
+ * Load certificate from file 
+ */
+static int load_cert(tls_domain_t* d)
+{
+	int i;
+	int procs_no;
+
+	if (!d->cert_file.s) {
+		DBG("%s: No certificate configured\n", tls_domain_str(d));
+		return 0;
+	}
+
+	procs_no=get_max_procs();
+	for(i = 0; i < procs_no; i++) {
+		if (!SSL_CTX_use_certificate_chain_file(d->ctx[i], d->cert_file.s)) {
+			ERR("%s: Unable to load certificate file '%s'\n",
+			    tls_domain_str(d), d->cert_file.s);
+			TLS_ERR("load_cert:");
+			return -1;
+		}
+		
+	}
+	return 0;
+}
+
+
+/* 
+ * Load CA list from file 
+ */
+static int load_ca_list(tls_domain_t* d)
+{
+	int i;
+	int procs_no;
+
+	if (!d->ca_file.s) {
+		DBG("%s: No CA list configured\n", tls_domain_str(d));
+		return 0;
+	}
+
+	procs_no=get_max_procs();
+	for(i = 0; i < procs_no; i++) {
+		if (SSL_CTX_load_verify_locations(d->ctx[i], d->ca_file.s, 0) != 1) {
+			ERR("%s: Unable to load CA list '%s'\n", tls_domain_str(d), d->ca_file.s);
+			TLS_ERR("load_ca_list:");
+			return -1;
+		}
+		SSL_CTX_set_client_CA_list(d->ctx[i], SSL_load_client_CA_file(d->ca_file.s));
+		if (SSL_CTX_get_client_CA_list(d->ctx[i]) == 0) {
+			ERR("%s: Error while setting client CA list\n", tls_domain_str(d));
+			TLS_ERR("load_ca_list:");
+			return -1;
+		}
+	}
+	return 0;
+}
+
+
+/* 
+ * Configure cipher list 
+ */
+static int set_cipher_list(tls_domain_t* d)
+{
+	int i;
+	int procs_no;
+
+	if (!d->cipher_list.s) return 0;
+	procs_no=get_max_procs();
+	for(i = 0; i < procs_no; i++) {
+		if (SSL_CTX_set_cipher_list(d->ctx[i], d->cipher_list.s) == 0 ) {
+			ERR("%s: Failure to set SSL context cipher list\n", tls_domain_str(d));
+			return -1;
+		}
+	}
+	return 0;
+}
+
+
+/* 
+ * Enable/disable certificate verification 
+ */
+static int set_verification(tls_domain_t* d)
+{
+	int verify_mode, i;
+	int procs_no;
+
+	if (d->require_cert) {
+		verify_mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+		LOG(L_INFO, "%s: %s MUST present valid certificate\n", 
+		     tls_domain_str(d), d->type & TLS_DOMAIN_SRV ? "Client" : "Server");
+	} else {
+		if (d->verify_cert) {
+			verify_mode = SSL_VERIFY_PEER;
+			if (d->type & TLS_DOMAIN_SRV) {
+				LOG(L_INFO, "%s: IF client provides certificate then it MUST be valid\n", 
+				     tls_domain_str(d));
+			} else {
+				LOG(L_INFO, "%s: Server MUST present valid certificate\n", 
+				     tls_domain_str(d));
+			}
+		} else {
+			verify_mode = SSL_VERIFY_NONE;
+			if (d->type & TLS_DOMAIN_SRV) {
+				LOG(L_INFO, "%s: No client certificate required and no checks performed\n", 
+				     tls_domain_str(d));
+			} else {
+				LOG(L_INFO, "%s: Server MAY present invalid certificate\n", 
+				     tls_domain_str(d));
+			}
+		}
+	}
+	
+	procs_no=get_max_procs();
+	for(i = 0; i < procs_no; i++) {
+		SSL_CTX_set_verify(d->ctx[i], verify_mode, 0);
+		SSL_CTX_set_verify_depth(d->ctx[i], d->verify_depth);
+		
+	}
+	return 0;
+}
+
+
+/* 
+ * Configure generic SSL parameters 
+ */
+static int set_ssl_options(tls_domain_t* d)
+{
+	int i;
+	int procs_no;
+	long options;
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+	long ssl_version;
+	STACK_OF(SSL_COMP)* comp_methods;
+#endif
+	
+	procs_no=get_max_procs();
+	options=SSL_OP_ALL; /* all the bug workarrounds by default */
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+	options|=SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
+				SSL_OP_CIPHER_SERVER_PREFERENCE;
+#if		OPENSSL_VERSION_NUMBER >= 0x00908000L
+	ssl_version=SSLeay();
+	if ((ssl_version >= 0x0090800L) && (ssl_version < 0x0090803fL)){
+		/* if 0.9.8 <= openssl version < 0.9.8c and compression support is
+		 * enabled disable SSL_OP_TLS_BLOCK_PADDING_BUG (set by SSL_OP_ALL),
+		 * see openssl #1204 http://rt.openssl.org/Ticket/Display.html?id=1204
+		 */
+		
+		comp_methods=SSL_COMP_get_compression_methods();
+		if (comp_methods && (sk_SSL_COMP_num(comp_methods) > 0)){
+			options &= ~SSL_OP_TLS_BLOCK_PADDING_BUG;
+			LOG(L_WARN, "tls: set_ssl_options: openssl "
+					"SSL_OP_TLS_BLOCK_PADDING bug workaround enabled "
+					"(openssl version %lx)\n", ssl_version);
+		}else{
+			LOG(L_INFO, "tls: set_ssl_options: detected openssl version (%lx) "
+					" has the SSL_OP_TLS_BLOCK_PADDING bug, but compression "
+					" is disabled so no workaround is needed\n", ssl_version);
+		}
+	}
+#	endif
+#endif
+	for(i = 0; i < procs_no; i++) {
+		SSL_CTX_set_options(d->ctx[i], options);
+	}
+	return 0;
+}
+
+
+/* 
+ * Configure session cache parameters 
+ */
+static int set_session_cache(tls_domain_t* d)
+{
+	int i;
+	int procs_no;
+	
+	procs_no=get_max_procs();
+	for(i = 0; i < procs_no; i++) {
+		     /* janakj: I am not sure if session cache makes sense in ser, session 
+		      * cache is stored in SSL_CTX and we have one SSL_CTX per process, thus 
+		      * sessions among processes will not be reused
+		      */
+		SSL_CTX_set_session_cache_mode(d->ctx[i], 
+				   tls_session_cache ? SSL_SESS_CACHE_SERVER : SSL_SESS_CACHE_OFF);
+		SSL_CTX_set_session_id_context(d->ctx[i], 
+					       (unsigned char*)tls_session_id.s, tls_session_id.len);
+	}
+	return 0;
+}
+
+
+/*
+ * Initialize all domain attributes from default domains
+ * if necessary
+ */
+static int fix_domain(tls_domain_t* d, tls_domain_t* def)
+{
+	int i;
+	int procs_no;
+
+	if (fill_missing(d, def) < 0) return -1;
+
+	procs_no=get_max_procs();
+	d->ctx = (SSL_CTX**)shm_malloc(sizeof(SSL_CTX*) * procs_no);
+	if (!d->ctx) {
+		ERR("%s: Cannot allocate shared memory\n", tls_domain_str(d));
+		return -1;
+	}
+	memset(d->ctx, 0, sizeof(SSL_CTX*) * procs_no);
+	for(i = 0; i < procs_no; i++) {
+		d->ctx[i] = SSL_CTX_new((SSL_METHOD*)ssl_methods[d->method - 1]);
+		if (d->ctx[i] == NULL) {
+			ERR("%s: Cannot create SSL context\n", tls_domain_str(d));
+			return -1;
+		}
+	}
+	
+	if (load_cert(d) < 0) return -1;
+	if (load_ca_list(d) < 0) return -1;
+	if (set_cipher_list(d) < 0) return -1;
+	if (set_verification(d) < 0) return -1;
+	if (set_ssl_options(d) < 0) return -1;
+	if (set_session_cache(d) < 0) return -1;
+
+	return 0;
+}
+
+
+static int passwd_cb(char *buf, int size, int rwflag, void *filename)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L	
+	UI             *ui;
+	const char     *prompt;
+	
+	ui = UI_new();
+	if (ui == NULL)
+		goto err;
+
+	prompt = UI_construct_prompt(ui, "passphrase", filename);
+	UI_add_input_string(ui, prompt, 0, buf, 0, size - 1);
+	UI_process(ui);
+	UI_free(ui);
+	return strlen(buf);
+ 
+ err:
+	ERR("passwd_cb: Error in passwd_cb\n");
+	if (ui) {
+		UI_free(ui);
+	}
+	return 0;
+	
+#else
+	if (des_read_pw_string(buf, size-1, "Enter Private Key password:", 0)) {
+		ERR("Error in passwd_cb\n");
+		return 0;
+	}
+	return strlen(buf);
+#endif
+}
+
+
+#define NUM_RETRIES 3
+/*
+ * load a private key from a file 
+ */
+static int load_private_key(tls_domain_t* d)
+{
+	int idx, ret_pwd, i;
+	int procs_no;
+	
+	if (!d->pkey_file.s) {
+		DBG("%s: No private key specified\n", tls_domain_str(d));
+		return 0;
+	}
+
+	procs_no=get_max_procs();
+	for(i = 0; i < procs_no; i++) {
+		SSL_CTX_set_default_passwd_cb(d->ctx[i], passwd_cb);
+		SSL_CTX_set_default_passwd_cb_userdata(d->ctx[i], d->pkey_file.s);
+		
+		for(idx = 0, ret_pwd = 0; idx < NUM_RETRIES; idx++) {
+			ret_pwd = SSL_CTX_use_PrivateKey_file(d->ctx[i], d->pkey_file.s, SSL_FILETYPE_PEM);
+			if (ret_pwd) {
+				break;
+			} else {
+				ERR("%s: Unable to load private key '%s'\n",
+				    tls_domain_str(d), d->pkey_file.s);
+				TLS_ERR("load_private_key:");
+				continue;
+			}
+		}
+		
+		if (!ret_pwd) {
+			ERR("%s: Unable to load private key file '%s'\n", 
+			    tls_domain_str(d), d->pkey_file.s);
+			TLS_ERR("load_private_key:");
+			return -1;
+		}
+		
+		if (!SSL_CTX_check_private_key(d->ctx[i])) {
+			ERR("%s: Key '%s' does not match the public key of the certificate\n", 
+			    tls_domain_str(d), d->pkey_file.s);
+			TLS_ERR("load_private_key:");
+			return -1;
+		}
+	}		
+
+	DBG("%s: Key '%s' successfuly loaded\n",
+	    tls_domain_str(d), d->pkey_file.s);
+	return 0;
+}
+
+
+/*
+ * Initialize attributes of all domains from default domains
+ * if necessary
+ */
+int tls_fix_cfg(tls_cfg_t* cfg, tls_domain_t* srv_defaults, tls_domain_t* cli_defaults)
+{
+	tls_domain_t* d;
+
+	if (!cfg->cli_default) {
+		cfg->cli_default = tls_new_domain(TLS_DOMAIN_DEF | TLS_DOMAIN_CLI, 0, 0);
+	}
+
+	if (!cfg->srv_default) {
+		cfg->srv_default = tls_new_domain(TLS_DOMAIN_DEF | TLS_DOMAIN_SRV, 0, 0);
+	}
+
+	if (fix_domain(cfg->srv_default, srv_defaults) < 0) return -1;
+	if (fix_domain(cfg->cli_default, cli_defaults) < 0) return -1;
+
+	d = cfg->srv_list;
+	while (d) {
+		if (fix_domain(d, srv_defaults) < 0) return -1;
+		d = d->next;
+	}
+
+	d = cfg->cli_list;
+	while (d) {
+		if (fix_domain(d, cli_defaults) < 0) return -1;
+		d = d->next;
+	}
+
+	     /* Ask for passwords as the last step */
+	d = cfg->srv_list;
+	while(d) {
+		if (load_private_key(d) < 0) return -1;
+		d = d->next;
+	}
+
+	d = cfg->cli_list;
+	while(d) {
+		if (load_private_key(d) < 0) return -1;
+		d = d->next;
+	}
+
+	if (load_private_key(cfg->srv_default) < 0) return -1;
+	if (load_private_key(cfg->cli_default) < 0) return -1;
+
+	return 0;
+}
+
+
+/*
+ * Create new configuration structure
+ */
+tls_cfg_t* tls_new_cfg(void)
+{
+	tls_cfg_t* r;
+
+	r = (tls_cfg_t*)shm_malloc(sizeof(tls_cfg_t));
+	if (!r) {
+		ERR("No memory left\n");
+		return 0;
+	}
+	memset(r, 0, sizeof(tls_cfg_t));
+	return r;
+}
+
+
+/*
+ * Lookup TLS configuration based on type, ip, and port
+ */
+tls_domain_t* tls_lookup_cfg(tls_cfg_t* cfg, int type, struct ip_addr* ip, unsigned short port)
+{
+	tls_domain_t *p;
+
+	if (type & TLS_DOMAIN_DEF) {
+		if (type & TLS_DOMAIN_SRV) return cfg->srv_default;
+		else return cfg->cli_default;
+	} else {
+		if (type & TLS_DOMAIN_SRV) p = cfg->srv_list;
+		else p = cfg->cli_list;
+	}
+
+	while (p) {
+		if ((p->port == port) && ip_addr_cmp(&p->ip, ip))
+			return p;
+		p = p->next;
+	}
+
+	     /* No matching domain found, return default */
+	if (type & TLS_DOMAIN_SRV) return cfg->srv_default;
+	else return cfg->cli_default;
+}
+
+
+/*
+ * Check whether configuration domain exists
+ */
+static int domain_exists(tls_cfg_t* cfg, tls_domain_t* d)
+{
+	tls_domain_t *p;
+
+	if (d->type & TLS_DOMAIN_DEF) {
+		if (d->type & TLS_DOMAIN_SRV) return cfg->srv_default != NULL;
+		else return cfg->cli_default != NULL;
+	} else {
+		if (d->type & TLS_DOMAIN_SRV) p = cfg->srv_list;
+		else p = cfg->cli_list;
+	}
+
+	while (p) {
+		if ((p->port == d->port) && ip_addr_cmp(&p->ip, &d->ip))
+			return 1;
+		p = p->next;
+	}
+
+	return 0;
+}
+
+
+/*
+ * Add a domain to the configuration set
+ */
+int tls_add_domain(tls_cfg_t* cfg, tls_domain_t* d)
+{
+	if (!cfg) {
+		ERR("TLS configuration structure missing\n");
+		return -1;
+	}
+
+	     /* Make sure the domain does not exist */
+	if (domain_exists(cfg, d)) return 1;
+
+	if (d->type & TLS_DOMAIN_DEF) {
+		if (d->type & TLS_DOMAIN_CLI) {
+			cfg->cli_default = d;
+		} else {
+			cfg->srv_default = d;
+		}
+	} else {
+		if (d->type & TLS_DOMAIN_SRV) {
+			d->next = cfg->srv_list;
+			cfg->srv_list = d;
+		} else {
+			d->next = cfg->cli_list;
+			cfg->cli_list = d;
+		}
+	}
+	return 0;
+}

modules/tls/tls_domain.h

@@ -0,0 +1,158 @@
+/*
+ * $Id$
+ *
+ * TLS module - virtual configuration domain support
+ * 
+ * Copyright (C) 2001-2003 FhG FOKUS
+ * Copyright (C) 2004,2005 Free Software Foundation, Inc.
+ * Copyright (C) 2005,2006 iptelorg GmbH
+ *
+ * This file is part of ser, a free SIP server.
+ *
+ * ser is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version
+ *
+ * For a license to use the ser software under conditions
+ * other than those described here, or to purchase support for this
+ * software, please contact iptel.org by e-mail at the following addresses:
+ *    [email protected]
+ *
+ * ser is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License 
+ * along with this program; if not, write to the Free Software 
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#ifndef _TLS_DOMAIN_H
+#define _TLS_DOMAIN_H
+
+#include "../../str.h"
+#include "../../ip_addr.h"
+#include <openssl/ssl.h>
+
+
+/*
+ * Available TLS methods
+ */
+enum tls_method {
+	TLS_METHOD_UNSPEC = 0,
+	TLS_USE_SSLv2_cli,
+	TLS_USE_SSLv2_srv,
+	TLS_USE_SSLv2,
+	TLS_USE_SSLv3_cli,
+	TLS_USE_SSLv3_srv,
+	TLS_USE_SSLv3,
+	TLS_USE_TLSv1_cli,
+	TLS_USE_TLSv1_srv,
+	TLS_USE_TLSv1,
+	TLS_USE_SSLv23_cli,
+	TLS_USE_SSLv23_srv,
+	TLS_USE_SSLv23,
+	TLS_METHOD_MAX
+};
+
+
+/*
+ * TLS configuration domain type
+ */
+enum tls_domain_type {
+	TLS_DOMAIN_DEF = (1 << 0), /* Default domain */
+	TLS_DOMAIN_SRV = (1 << 1), /* Server domain */
+	TLS_DOMAIN_CLI = (1 << 2)  /* Client domain */
+};
+
+
+/*
+ * separate configuration per ip:port
+ */
+typedef struct tls_domain {
+	int type;
+	struct ip_addr ip;
+	unsigned short port;
+	SSL_CTX** ctx;
+	str cert_file;
+	str pkey_file;
+	int verify_cert;
+	int verify_depth;
+	str ca_file;
+	int require_cert;
+	str cipher_list;
+	enum tls_method method;
+	struct tls_domain* next;
+} tls_domain_t;
+
+
+/*
+ * TLS configuration structures
+ */
+typedef struct tls_cfg {
+	tls_domain_t* srv_default; /* Default server domain */
+	tls_domain_t* cli_default; /* Default client domain */
+	tls_domain_t* srv_list;    /* Server domain list */
+	tls_domain_t* cli_list;    /* Client domain list */
+	struct tls_cfg* next;      /* Next element in the garbage list */
+	int ref_count;             /* How many connections use this configuration */
+} tls_cfg_t;
+
+
+/*
+ * create a new domain 
+ */
+tls_domain_t *tls_new_domain(int type, struct ip_addr *ip, 
+			     unsigned short port);
+
+
+/*
+ * Free all memory used for configuration domain
+ */
+void tls_free_domain(tls_domain_t* d);
+
+
+/*
+ * Generate tls domain string identifier
+ */
+char* tls_domain_str(tls_domain_t* d);
+
+
+
+/*
+ * Create new instance of TLS configuration data
+ */
+tls_cfg_t* tls_new_cfg(void);
+
+
+/*
+ * Add a new configuration domain
+ */
+int tls_add_domain(tls_cfg_t* cfg, tls_domain_t* d);
+
+
+/*
+ * Fill in missing parameters
+ */
+int tls_fix_cfg(tls_cfg_t* cfg, tls_domain_t* srv_defaults, tls_domain_t* cli_defaults);
+
+
+/*
+ * Lookup TLS configuration
+ */
+tls_domain_t* tls_lookup_cfg(tls_cfg_t* cfg, int type, struct ip_addr* ip, unsigned short port);
+
+
+/*
+ * Free TLS configuration data
+ */
+void tls_free_cfg(tls_cfg_t* cfg);
+
+/*
+ * Destroy all the config data
+ */
+void tls_destroy_cfg(void);
+
+#endif /* _TLS_DOMAIN_H */

modules/tls/tls_init.c

@@ -0,0 +1,621 @@
+/*
+ * $Id$
+ *
+ * TLS module - OpenSSL initialization funtions
+ *
+ * Copyright (C) 2001-2003 FhG FOKUS
+ * Copyright (C) 2004,2005 Free Software Foundation, Inc.
+ * Copyright (C) 2005,2006 iptelorg GmbH
+ *
+ * This file is part of ser, a free SIP server.
+ *
+ * ser is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version
+ *
+ * For a license to use the ser software under conditions
+ * other than those described here, or to purchase support for this
+ * software, please contact iptel.org by e-mail at the following addresses:
+ *    [email protected]
+ *
+ * ser is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License 
+ * along with this program; if not, write to the Free Software 
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+/*
+ * History:
+ * --------
+ *  2007-01-26  openssl kerberos malloc bug detection/workaround (andrei)
+ *  2007-02-23  openssl low memory bugs workaround (andrei)
+ */
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <netinet/in_systm.h>
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+#include <netinet/ip.h>
+#include <unistd.h>
+#include <string.h>
+#include <openssl/ssl.h>
+ 
+#include "../../dprint.h"
+#include "../../mem/shm_mem.h"
+#include "../../tcp_init.h"
+#include "../../socket_info.h"
+#include "../../pt.h"
+#include "tls_verify.h"
+#include "tls_domain.h"
+#include "tls_util.h"
+#include "tls_mod.h"
+#include "tls_init.h"
+#include "tls_locking.h"
+
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#    warning ""
+#    warning "==============================================================="
+#    warning " Your version of OpenSSL is < 0.9.7."
+#    warning " Upgrade for better compatibility, features and security fixes!"
+#    warning "==============================================================="
+#    warning ""
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L  /* 0.9.8*/
+#    ifndef OPENSSL_NO_COMP
+#        warning "openssl zlib compression bug workaround enabled"
+#    endif
+#    define TLS_FIX_ZLIB_COMPRESSION
+#    include "fixed_c_zlib.h"
+#endif
+
+#ifdef TLS_KSSL_WORKARROUND
+#if OPENSSL_VERSION_NUMBER < 0x00908050L
+#	warning "openssl lib compiled with kerberos support which introduces a bug\
+ (wrong malloc/free used in kssl.c) -- attempting workaround"
+#	warning "NOTE: if you don't link libssl staticaly don't try running the \
+compiled code on a system with a differently compiled openssl (it's safer \
+to compile on the  _target_ system)"
+#endif /* OPENSSL_VERSION_NUMBER */
+#endif /* TLS_KSSL_WORKARROUND */
+
+
+
+#ifndef OPENSSL_NO_COMP
+#define TLS_COMP_SUPPORT
+#else
+#undef TLS_COMP_SUPPORT
+#endif
+
+#ifndef OPENSSL_NO_KRB5
+#define TLS_KERBEROS_SUPPORT
+#else
+#undef TLS_KERBEROS_SUPPORT
+#endif
+
+
+#ifdef TLS_KSSL_WORKARROUND
+int openssl_kssl_malloc_bug=0; /* is openssl bug #1467 present ? */
+#endif
+int openssl_mem_threshold1=-1; /* low memory threshold for connect/accept */
+int openssl_mem_threshold2=-1; /* like above but for other tsl operations */
+int tls_disable_compression = 0; /* by default enabled */
+int tls_force_run = 0; /* ignore some start-up sanity checks, use it
+						  at your own risk */
+
+const SSL_METHOD* ssl_methods[TLS_USE_SSLv23 + 1];
+
+#undef TLS_MALLOC_DBG /* extra malloc debug info from openssl */
+/*
+ * Wrappers around SER shared memory functions
+ * (which can be macros)
+ */
+#ifdef TLS_MALLOC_DBG
+#include <execinfo.h>
+
+/*
+#define RAND_NULL_MALLOC (1024)
+#define NULL_GRACE_PERIOD 10U
+*/
+
+
+inline static char* buf_append(char* buf, char* end, char* str, int str_len)
+{
+	if ( (buf+str_len)<end){
+		memcpy(buf, str, str_len);
+		return buf+str_len;
+	}
+	return 0;
+}
+
+
+inline static int backtrace2str(char* buf, int size)
+{
+	void* bt[32];
+	int bt_size, i;
+	char** bt_strs;
+	char* p;
+	char* end;
+	char* next;
+	char* s;
+	char* e;
+	
+	p=buf; end=buf+size;
+	bt_size=backtrace(bt, sizeof(bt)/sizeof(bt[0]));
+	bt_strs=backtrace_symbols(bt, bt_size);
+	if (bt_strs){
+		p=buf; end=buf+size;
+		/*if (bt_size>16) bt_size=16;*/ /* go up only 12 entries */
+		for (i=3; i< bt_size; i++){
+			/* try to isolate only the function name*/
+			s=strchr(bt_strs[i], '(');
+			if (s && ((e=strchr(s, ')'))!=0)){
+				s++;
+			}else if ((s=strchr(bt_strs[i], '['))!=0){
+				e=s+strlen(s);
+			}else{
+				s=bt_strs[i]; e=s+strlen(s); /* add thw whole string */
+			}
+			next=buf_append(p, end, s, (int)(long)(e-s));
+			if (next==0) break;
+			else p=next;
+			if (p<end){
+				*p=':'; /* separator */
+				p++;
+			}else break;
+		}
+		if (p==buf){
+			*p=0;
+			p++;
+		}else
+			*(p-1)=0;
+		free(bt_strs);
+	}
+	return (int)(long)(p-buf);
+}
+
+static void* ser_malloc(size_t size, const char* file, int line)
+{
+	void  *p;
+	char bt_buf[1024];
+	int s;
+#ifdef RAND_NULL_MALLOC
+	static ticks_t st=0;
+
+	/* start random null returns only after 
+	 * NULL_GRACE_PERIOD from first call */
+	if (st==0) st=get_ticks();
+	if (((get_ticks()-st)<NULL_GRACE_PERIOD) || (random()%RAND_NULL_MALLOC)){
+#endif
+		s=backtrace2str(bt_buf, sizeof(bt_buf));
+		/* ugly hack: keep the bt inside the alloc'ed fragment */
+		p=_shm_malloc(size+s, file, "via ser_malloc", line);
+		if (p==0){
+			LOG(L_CRIT, "tsl: ser_malloc(%d)[%s:%d]==null, bt: %s\n", 
+						size, file, line, bt_buf);
+		}else{
+			memcpy(p+size, bt_buf, s);
+			((struct qm_frag*)((char*)p-sizeof(struct qm_frag)))->func=
+				p+size;
+		}
+#ifdef RAND_NULL_MALLOC
+	}else{
+		p=0;
+		backtrace2str(bt_buf, sizeof(bt_buf));
+		LOG(L_CRIT, "tsl: random ser_malloc(%d)[%s:%d]"
+				" returning null - bt: %s\n",
+				size, file, line, bt_buf);
+	}
+#endif
+	return p;
+}
+
+
+static void* ser_realloc(void *ptr, size_t size, const char* file, int line)
+{
+	void  *p;
+	char bt_buf[1024];
+	int s;
+#ifdef RAND_NULL_MALLOC
+	static ticks_t st=0;
+
+	/* start random null returns only after 
+	 * NULL_GRACE_PERIOD from first call */
+	if (st==0) st=get_ticks();
+	if (((get_ticks()-st)<NULL_GRACE_PERIOD) || (random()%RAND_NULL_MALLOC)){
+#endif
+		s=backtrace2str(bt_buf, sizeof(bt_buf));
+		p=_shm_realloc(ptr, size+s, file, "via ser_realloc", line);
+		if (p==0){
+			LOG(L_CRIT, "tsl: ser_realloc(%p, %d)[%s:%d]==null, bt: %s\n",
+					ptr, size, file, line, bt_buf);
+		}else{
+			memcpy(p+size, bt_buf, s);
+			((struct qm_frag*)((char*)p-sizeof(struct qm_frag)))->func=
+				p+size;
+		}
+#ifdef RAND_NULL_MALLOC
+	}else{
+		p=0;
+		backtrace2str(bt_buf, sizeof(bt_buf));
+		LOG(L_CRIT, "tsl: random ser_realloc(%p, %d)[%s:%d]"
+					" returning null - bt: %s\n", ptr, size, file, line,
+					bt_buf);
+	}
+#endif
+	return p;
+}
+
+#else /*TLS_MALLOC_DBG */
+
+static void* ser_malloc(size_t size)
+{
+	return shm_malloc(size);
+}
+
+
+static void* ser_realloc(void *ptr, size_t size)
+{
+		return shm_realloc(ptr, size);
+}
+
+#endif
+
+static void ser_free(void *ptr)
+{
+	shm_free(ptr);
+}
+
+
+/*
+ * Initialize TLS socket
+ */
+int tls_h_init_si(struct socket_info *si)
+{
+	int ret;
+	     /*
+	      * reuse tcp initialization 
+	      */
+	ret = tcp_init(si);
+	if (ret != 0) {
+		ERR("Error while initializing TCP part of TLS socket %.*s:%d\n",
+		    si->address_str.len, si->address_str.s, si->port_no);
+		goto error;
+	}
+	
+	si->proto = PROTO_TLS;
+	return 0;
+	
+ error:
+	if (si->socket != -1) {
+		close(si->socket);
+		si->socket = -1;
+	}
+	return ret;
+}
+
+
+
+/*
+ * initialize ssl methods 
+ */
+static void init_ssl_methods(void)
+{
+	ssl_methods[TLS_USE_SSLv2_cli - 1] = SSLv2_client_method();
+	ssl_methods[TLS_USE_SSLv2_srv - 1] = SSLv2_server_method();
+	ssl_methods[TLS_USE_SSLv2 - 1] = SSLv2_method();
+	
+	ssl_methods[TLS_USE_SSLv3_cli - 1] = SSLv3_client_method();
+	ssl_methods[TLS_USE_SSLv3_srv - 1] = SSLv3_server_method();
+	ssl_methods[TLS_USE_SSLv3 - 1] = SSLv3_method();
+	
+	ssl_methods[TLS_USE_TLSv1_cli - 1] = TLSv1_client_method();
+	ssl_methods[TLS_USE_TLSv1_srv - 1] = TLSv1_server_method();
+	ssl_methods[TLS_USE_TLSv1 - 1] = TLSv1_method();
+	
+	ssl_methods[TLS_USE_SSLv23_cli - 1] = SSLv23_client_method();
+	ssl_methods[TLS_USE_SSLv23_srv - 1] = SSLv23_server_method();
+	ssl_methods[TLS_USE_SSLv23 - 1] = SSLv23_method();
+}
+
+
+/*
+ * Fix openssl compression bugs if necessary
+ */
+static int init_tls_compression(void)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+	int n, r;
+	STACK_OF(SSL_COMP)* comp_methods;
+	SSL_COMP* zlib_comp;
+	long ssl_version;
+	
+	/* disabling compression */
+#	ifndef SSL_COMP_ZLIB_IDX
+#		define SSL_COMP_ZLIB_IDX 1 /* openssl/ssl/ssl_ciph.c:84 */
+#	endif 
+	comp_methods = SSL_COMP_get_compression_methods();
+	if (comp_methods == 0) {
+		LOG(L_INFO, "tls: init_tls: compression support disabled in the"
+					" openssl lib\n");
+		goto end; /* nothing to do, exit */
+	} else if (tls_disable_compression){
+		LOG(L_INFO, "tls: init_tls: disabling compression...\n");
+		sk_SSL_COMP_zero(comp_methods);
+	}else{
+		ssl_version=SSLeay();
+		/* replace openssl zlib compression with our version if necessary
+		 * (the openssl zlib compression uses the wrong malloc, see
+		 *  openssl #1468): 0.9.8-dev < version  <0.9.8e-beta1 */
+		if ((ssl_version >= 0x00908000L) && (ssl_version < 0x00908051L)){
+			/* the above SSL_COMP_get_compression_methods() call has the side
+			 * effect of initializing the compression stack (if not already
+			 * initialized) => after it zlib is initialized and in the stack */
+			/* find zlib_comp (cannot use ssl3_comp_find, not exported) */
+			n = sk_SSL_COMP_num(comp_methods);
+			zlib_comp = 0;
+			for (r = 0; r < n; r++) {
+				zlib_comp = sk_SSL_COMP_value(comp_methods, r);
+				DBG("tls: init_tls: found compression method %p id %d\n",
+						zlib_comp, zlib_comp->id);
+				if (zlib_comp->id == SSL_COMP_ZLIB_IDX) {
+					DBG("tls: init_tls: found zlib compression (%d)\n", 
+							SSL_COMP_ZLIB_IDX);
+					break /* found */;
+				} else {
+					zlib_comp = 0;
+				}
+			}
+			if (zlib_comp == 0) {
+				LOG(L_INFO, "tls: init_tls: no openssl zlib compression "
+							"found\n");
+			}else{
+				LOG(L_WARN, "tls: init_tls: detected openssl lib with "
+							"known zlib compression bug: \"%s\" (0x%08lx)\n",
+							SSLeay_version(SSLEAY_VERSION), ssl_version);
+#	ifdef TLS_FIX_ZLIB_COMPRESSION
+				LOG(L_WARN, "tls: init_tls: enabling openssl zlib compression "
+							"bug workaround (replacing zlib COMP method with "
+							"our own version)\n");
+				/* hack: make sure that the CRYPTO_EX_INDEX_COMP class is empty
+				 * and it does not contain any free_ex_data from the 
+				 * built-in zlib. This can happen if the current openssl
+				 * zlib malloc fix patch is used (CRYPTO_get_ex_new_index() in
+				 * COMP_zlib()). Unfortunately the only way
+				 * to do this it to cleanup all the ex_data stuff.
+				 * It should be safe if this is executed before SSL_init()
+				 * (only the COMP class is initialized before).
+				 */
+				CRYPTO_cleanup_all_ex_data();
+				
+				if (fixed_c_zlib_init() != 0) {
+					LOG(L_CRIT, "tls: init_tls: BUG: failed to initialize zlib"
+							" compression fix, disabling compression...\n");
+					sk_SSL_COMP_zero(comp_methods); /* delete compression */
+					goto end;
+				}
+				/* "fix" it */
+				zlib_comp->method = &zlib_method;
+#	else
+				LOG(L_WARN, "tls: init_tls: disabling openssl zlib "
+							"compression \n");
+				zlib_comp=sk_SSL_COMP_delete(comp_methods, r);
+				if (zlib_comp)
+					OPENSSL_free(zlib_comp);
+#	endif
+			}
+		}
+	}
+end:
+#endif /* OPENSSL_VERSION_NUMBER >= 0.9.8 */
+	return 0;
+}
+
+
+/*
+ * First step of TLS initialization
+ */
+int init_tls_h(void)
+{
+	/*struct socket_info* si;*/
+	long ssl_version;
+	int lib_kerberos;
+	int lib_zlib;
+	int kerberos_support;
+	int comp_support;
+	const char* lib_cflags;
+
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
+	WARN("You are using an old version of OpenSSL (< 0.9.7). Upgrade!\n");
+#endif
+	ssl_version=SSLeay();
+	/* check if version have the same major minor and fix level
+	 * (e.g. 0.9.8a & 0.9.8c are ok, but 0.9.8 and 0.9.9x are not) */
+	if ((ssl_version>>8)!=(OPENSSL_VERSION_NUMBER>>8)){
+		LOG(L_CRIT, "ERROR: tls: init_tls_h: installed openssl library "
+				"version is too different from the library the ser tls module "
+				"was compiled with: installed \"%s\" (0x%08lx), compiled "
+				"\"%s\" (0x%08lx).\n"
+				" Please make sure a compatible version is used"
+				" (tls_force_run in ser.cfg will override this check)\n",
+				SSLeay_version(SSLEAY_VERSION), ssl_version,
+				OPENSSL_VERSION_TEXT, (long)OPENSSL_VERSION_NUMBER);
+		if (tls_force_run)
+			LOG(L_WARN, "tls: init_tls_h: tls_force_run turned on, ignoring "
+						" openssl version mismatch\n");
+		else
+			return -1; /* safer to exit */
+	}
+#ifdef TLS_KERBEROS_SUPPORT
+	kerberos_support=1;
+#else
+	kerberos_support=0;
+#endif
+#ifdef TLS_COMP_SUPPORT
+	comp_support=1;
+#else
+	comp_support=0;
+#endif
+	/* attempt to guess if the library was compiled with kerberos or
+	 * compression support from the cflags */
+	lib_cflags=SSLeay_version(SSLEAY_CFLAGS);
+	lib_kerberos=0;
+	lib_zlib=0;
+	if ((lib_cflags==0) || strstr(lib_cflags, "not available")){ 
+		lib_kerberos=-1;
+		lib_zlib=-1;
+	}else{
+		if (strstr(lib_cflags, "-DZLIB"))
+			lib_zlib=1;
+		if (strstr(lib_cflags, "-DKRB5_"))
+			lib_kerberos=1;
+	}
+	LOG(L_INFO, "tls: _init_tls_h:  compiled  with  openssl  version " 
+				"\"%s\" (0x%08lx), kerberos support: %s, compression: %s\n",
+				OPENSSL_VERSION_TEXT, (long)OPENSSL_VERSION_NUMBER,
+				kerberos_support?"on":"off", comp_support?"on":"off");
+	LOG(L_INFO, "tls: init_tls_h: installed openssl library version "
+				"\"%s\" (0x%08lx), kerberos support: %s, "
+				" zlib compression: %s"
+				"\n %s\n",
+				SSLeay_version(SSLEAY_VERSION), ssl_version,
+				(lib_kerberos==1)?"on":(lib_kerberos==0)?"off":"unkown",
+				(lib_zlib==1)?"on":(lib_zlib==0)?"off":"unkown",
+				SSLeay_version(SSLEAY_CFLAGS));
+	if (lib_kerberos!=kerberos_support){
+		if (lib_kerberos!=-1){
+			LOG(L_CRIT, "ERROR: tls: init_tls_h: openssl compile options"
+						" mismatch: library has kerberos support"
+						" %s and ser tls %s (unstable configuration)\n"
+						" (tls_force_run in ser.cfg will override this"
+						" check)\n",
+						lib_kerberos?"enabled":"disabled",
+						kerberos_support?"enabled":"disabled"
+				);
+			if (tls_force_run)
+				LOG(L_WARN, "tls: init_tls_h: tls_force_run turned on, "
+						"ignoring kerberos support mismatch\n");
+			else
+				return -1; /* exit, is safer */
+		}else{
+			LOG(L_WARN, "WARNING: tls: init_tls_h: openssl  compile options"
+						" missing -- cannot detect if kerberos support is"
+						" enabled. Possible unstable configuration\n");
+		}
+	}
+	     /*
+	      * this has to be called before any function calling CRYPTO_malloc,
+	      * CRYPTO_malloc will set allow_customize in openssl to 0 
+	      */
+#ifdef TLS_MALLOC_DBG
+	if (!CRYPTO_set_mem_ex_functions(ser_malloc, ser_realloc, ser_free)) {
+#else
+	if (!CRYPTO_set_mem_functions(ser_malloc, ser_realloc, ser_free)) {
+#endif
+		ERR("Unable to set the memory allocation functions\n");
+		return -1;
+	}
+	if (tls_init_locks()<0)
+		return -1;
+	init_tls_compression();
+	#ifdef TLS_KSSL_WORKARROUND
+	/* if openssl compiled with kerberos support, and openssl < 0.9.8e-dev
+	 * or openssl between 0.9.9-dev and 0.9.9-beta1 apply workaround for
+	 * openssl bug #1467 */
+	if (ssl_version < 0x00908050L || 
+			(ssl_version >= 0x00909000L && ssl_version < 0x00909001L)){
+		openssl_kssl_malloc_bug=1;
+		LOG(L_WARN, "tls: init_tls_h: openssl kerberos malloc bug detected, "
+			" kerberos support will be disabled...\n");
+	}
+	#endif
+	 /* set free memory threshold for openssl bug #1491 workaround */
+	if (openssl_mem_threshold1<0){
+		/* default */
+		openssl_mem_threshold1=512*1024*get_max_procs();
+	}else
+		openssl_mem_threshold1*=1024; /* KB */
+	if (openssl_mem_threshold2<0){
+		/* default */
+		openssl_mem_threshold2=256*1024*get_max_procs();
+	}else
+		openssl_mem_threshold2*=1024; /* KB */
+	if ((openssl_mem_threshold1==0) || (openssl_mem_threshold2==0))
+		LOG(L_WARN, "tls: openssl bug #1491 (crash/mem leaks on low memory)"
+					" workarround disabled\n");
+	else
+		LOG(L_WARN, "tls: openssl bug #1491 (crash/mem leaks on low memory)"
+				" workaround enabled (on low memory tls operations will fail"
+				" preemptively) with free memory thresholds %d and %d bytes\n",
+				openssl_mem_threshold1, openssl_mem_threshold2);
+	
+	if (shm_available()==(unsigned long)(-1)){
+		LOG(L_WARN, "tls: ser compiled without MALLOC_STATS support:"
+				" the workaround for low mem. openssl bugs will _not_ "
+				"work\n");
+		openssl_mem_threshold1=0;
+		openssl_mem_threshold2=0;
+	}
+	SSL_library_init();
+	SSL_load_error_strings();
+	init_ssl_methods();
+#if 0
+	/* OBSOLETE: we are using the tls_h_init_si callback */
+	     /* Now initialize TLS sockets */
+	for(si = tls_listen; si; si = si->next) {
+		if (tls_h_init_si(si) < 0)  return -1;
+		     /* get first ipv4/ipv6 socket*/
+		if ((si->address.af == AF_INET) &&
+		    ((sendipv4_tls == 0) || (sendipv4_tls->flags & SI_IS_LO))) {
+			sendipv4_tls = si;
+		}
+#ifdef USE_IPV6
+		if ((sendipv6_tls == 0) && (si->address.af == AF_INET6)) {
+			sendipv6_tls = si;
+		}
+#endif
+	}
+#endif
+
+	return 0;
+}
+
+
+/*
+ * Make sure that all server domains in the configuration have corresponding
+ * listening socket in SER
+ */
+int tls_check_sockets(tls_cfg_t* cfg)
+{
+	tls_domain_t* d;
+
+	if (!cfg) return 0;
+
+	d = cfg->srv_list;
+	while(d) {
+		if (d->ip.len && !find_si(&d->ip, d->port, PROTO_TLS)) {
+			ERR("%s: No listening socket found\n", tls_domain_str(d));
+			return -1;
+		}
+		d = d->next;
+	}
+	return 0;
+}
+
+
+/*
+ * TLS cleanup when SER exits
+ */
+void destroy_tls_h(void)
+{
+	DBG("tls module final tls destroy\n");
+	ERR_free_strings();
+	/* TODO: free all the ctx'es */
+	tls_destroy_cfg();
+	tls_destroy_locks();
+}

modules/tls/tls_init.h

@@ -0,0 +1,79 @@
+/*
+ * $Id$
+ * 
+ * TLS module - OpenSSL initialization funtions
+ *
+ * Copyright (C) 2001-2003 FhG FOKUS
+ * Copyright (C) 2004,2005 Free Software Foundation, Inc.
+ * Copyright (C) 2005,2006 iptelorg GmbH
+ *
+ * This file is part of ser, a free SIP server.
+ *
+ * ser is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version
+ *
+ * For a license to use the ser software under conditions
+ * other than those described here, or to purchase support for this
+ * software, please contact iptel.org by e-mail at the following addresses:
+ *    [email protected]
+ *
+ * ser is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License 
+ * along with this program; if not, write to the Free Software 
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#ifndef _TLS_INIT_H
+#define _TLS_INIT_H
+
+#include <openssl/ssl.h>
+#include "../../ip_addr.h"
+#include "tls_domain.h"
+
+#ifndef OPENSSL_NO_KRB5
+/* enable workarround for openssl kerberos wrong malloc bug
+ * (kssl code uses libc malloc/free/calloc instead of OPENSSL_malloc & 
+ * friends)*/
+#define TLS_KSSL_WORKARROUND
+extern int openssl_kssl_malloc_bug; /* is openssl bug #1467 present ? */
+#endif
+extern int openssl_mem_threshold1; /* low memory threshold for connect */
+extern int openssl_mem_threshold2; /* like above but for other tsl operations */
+
+
+extern int tls_disable_compression; /* by default enabled */
+extern int tls_force_run; /* by default disabled */
+
+extern const SSL_METHOD* ssl_methods[];
+
+
+/*
+ * just once, initialize the tls subsystem 
+ */
+int init_tls_h(void);
+
+
+/*
+ * just once before cleanup 
+ */
+void destroy_tls_h(void);
+
+
+/*
+ * for each socket 
+ */
+int tls_h_init_si(struct socket_info *si);
+
+/*
+ * Make sure that all server domains in the configuration have corresponding
+ * listening socket in SER
+ */
+int tls_check_sockets(tls_cfg_t* cfg);
+
+#endif /* _TLS_INIT_H */

modules/tls/tls_locking.c

@@ -0,0 +1,173 @@
+/*
+ * $Id$
+ *
+ * Copyright (C) 2007 iptelorg GmbH 
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+/*
+ * tls locking and atomic ops related init functions
+ *
+ * History:
+ * --------
+ *  2007-01-22  created by andrei
+ */
+
+#include <stdlib.h> /* abort() */
+#include <openssl/crypto.h>
+#include "../../dprint.h"
+#include "../../locking.h"
+
+static int n_static_locks=0;
+static gen_lock_set_t* static_locks=0;
+
+/* "dynamic" locks */
+
+struct CRYPTO_dynlock_value{
+	gen_lock_t lock;
+};
+
+
+static struct CRYPTO_dynlock_value* dyn_create_f(const char* file, int line)
+{
+	struct CRYPTO_dynlock_value* l;
+	
+	l=shm_malloc(sizeof(struct CRYPTO_dynlock_value));
+	if (l==0){
+		LOG(L_CRIT, "ERROR: tls: dyn_create_f locking callback out of shm."
+				" memory (called from %s:%d)\n", file, line);
+		goto error;
+	}
+	if (lock_init(&l->lock)==0){
+		LOG(L_CRIT, "ERROR: tls: dyn_create_f locking callback: lock "
+				"initialization failed (called from %s:%d)\n", file, line);
+		shm_free(l);
+		goto error;
+	}
+	return l;
+error:
+	return 0;
+}
+
+
+
+static void dyn_lock_f(int mode, struct CRYPTO_dynlock_value* l,
+						const char* file, int line)
+{
+	if (l==0){
+		LOG(L_CRIT, "BUG: tls: dyn_lock_f locking callback: null lock"
+				" (called from %s:%d)\n", file, line);
+		/* try to continue */
+		return;
+	}
+	if (mode & CRYPTO_LOCK){
+		lock_get(&l->lock);
+	}else{
+		lock_release(&l->lock);
+	}
+}
+
+
+
+static void dyn_destroy_f(struct CRYPTO_dynlock_value *l,
+							const char* file, int line)
+{
+	if (l==0){
+		LOG(L_CRIT, "BUG: tls: dyn_destroy_f locking callback: null lock"
+				" (called from %s:%d)\n", file, line);
+		return;
+	}
+	lock_destroy(&l->lock);
+	shm_free(l);
+}
+
+
+
+/* normal locking callback */
+static void locking_f(int mode, int n, const char* file, int line)
+{
+	if (n<0 || n>=n_static_locks){
+		LOG(L_CRIT, "BUG: tls: locking_f (callback): invalid lock number: "
+				" %d (range 0 - %d), called from %s:%d\n",
+				n, n_static_locks, file, line);
+		abort(); /* quick crash :-) */
+	}
+	if (mode & CRYPTO_LOCK){
+		lock_set_get(static_locks, n);
+	}else{
+		lock_set_release(static_locks, n);
+	}
+	
+}
+
+
+
+void tls_destroy_locks()
+{
+	if (static_locks){
+		lock_set_destroy(static_locks);
+		lock_set_dealloc(static_locks);
+		static_locks=0;
+		n_static_locks=0;
+	}
+}
+
+
+
+/* returns -1 on error, 0 on success */
+int tls_init_locks()
+{
+	/* init "static" tls locks */
+	n_static_locks=CRYPTO_num_locks();
+	if (n_static_locks<0){
+		LOG(L_CRIT, "BUG: tls: tls_init_locking: bad CRYPTO_num_locks %d\n",
+					n_static_locks);
+		n_static_locks=0;
+	}
+	if (n_static_locks){
+		static_locks=lock_set_alloc(n_static_locks);
+		if (static_locks==0){
+			LOG(L_CRIT, "ERROR: tls_init_locking: could not allocate lockset"
+					" with %d locks\n", n_static_locks);
+			goto error;
+		}
+		if (lock_set_init(static_locks)==0){
+			LOG(L_CRIT, "ERROR: tls_init_locking: lock_set_init failed "
+					"(%d locks)\n", n_static_locks);
+			lock_set_dealloc(static_locks);
+			static_locks=0;
+			n_static_locks=0;
+			goto error;
+		}
+		CRYPTO_set_locking_callback(locking_f);
+	}
+	/* set "dynamic" locks callbacks */
+	CRYPTO_set_dynlock_create_callback(dyn_create_f);
+	CRYPTO_set_dynlock_lock_callback(dyn_lock_f);
+	CRYPTO_set_dynlock_destroy_callback(dyn_destroy_f);
+	
+	/* thread id callback: not needed because ser doesn't use thread and
+	 * openssl already uses getpid() (by default)
+	 * CRYPTO_set_id_callback(id_f);
+	 */
+	/* atomic add -- since for now we don't have atomic_add
+	 *  (only atomic_inc), fallback to the default use-locks mode
+	 * CRYPTO_set_add_lock_callback(atomic_add_f);
+	 */
+	
+	
+	return 0;
+error:
+	tls_destroy_locks();
+	return -1;
+}

modules/tls/tls_locking.h

@@ -0,0 +1,33 @@
+/*
+ * $Id$
+ *
+ * Copyright (C) 2007 iptelorg GmbH 
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+/*
+ * tls locking and atomic ops related init functions
+ *
+ * History:
+ * --------
+ *  2007-01-22  created by andrei
+ */
+
+#ifndef _tls_locking_h
+#define _tls_locking_h
+
+
+void tls_destroy_locks();
+int tls_init_locks();
+
+#endif

modules/tls/tls_mod.c

@@ -0,0 +1,394 @@
+/*
+ * $Id$
+ *
+ * TLS module - module interface
+ *
+ * Copyright (C) 2001-2003 FhG FOKUS
+ * Copyright (C) 2004,2005 Free Software Foundation, Inc.
+ * Copyright (C) 2005,2006 iptelorg GmbH
+ *
+ * This file is part of ser, a free SIP server.
+ *
+ * ser is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version
+ *
+ * For a license to use the ser software under conditions
+ * other than those described here, or to purchase support for this
+ * software, please contact iptel.org by e-mail at the following addresses:
+ *    [email protected]
+ *
+ * ser is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ *
+ * History:
+ * -------
+ * 2003-03-11: New module interface (janakj)
+ * 2003-03-16: flags export parameter added (janakj)
+ * 2003-04-05: default_uri #define used (jiri)
+ * 2003-04-06: db connection closed in mod_init (janakj)
+ * 2004-06-06  updated to the new DB api, cleanup: static dbf & handler,
+ *              calls to domain_db_{bind,init,close,ver} (andrei)
+ * 2007-02-09  updated to the new tls_hooks api and renamed tls hooks hanlder
+ *              functions to avoid conflicts: s/tls_/tls_h_/   (andrei)
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include "../../locking.h"
+#include "../../sr_module.h"
+#include "../../ip_addr.h"
+#include "../../trim.h"
+#include "../../globals.h"
+#include "../../timer_ticks.h"
+#include "../../timer.h" /* ticks_t */
+#include "../../tls_hooks.h"
+#include "../../ut.h"
+#include "tls_init.h"
+#include "tls_server.h"
+#include "tls_domain.h"
+#include "tls_select.h"
+#include "tls_config.h"
+#include "tls_rpc.h"
+#include "tls_util.h"
+#include "tls_mod.h"
+
+#ifndef TLS_HOOKS
+	#error "TLS_HOOKS must be defined, or the tls module won't work"
+#endif
+#ifdef CORE_TLS
+	#error "conflict: CORE_TLS must _not_ be defined"
+#endif
+
+
+/* maximum accepted lifetime (maximum possible is  ~ MAXINT/2)
+ *  (it should be kept in sync w/ MAX_TCP_CON_LIFETIME from tcp_main.c:
+ *   MAX_TLS_CON_LIFETIME <= MAX_TCP_CON_LIFETIME )*/
+#define MAX_TLS_CON_LIFETIME	(1U<<(sizeof(ticks_t)*8-1))
+
+
+
+/*
+ * FIXME:
+ * - How do we ask for secret key password ? Mod_init is called after
+ *   daemonize and thus has no console access
+ * - forward_tls and t_relay_to_tls should be here
+ * add tls_log
+ * - Currently it is not possible to reset certificate in a domain,
+ *   for example if you specify client certificate in the default client
+ *   domain then there is no way to define another client domain which would
+ *   have no client certificate configured
+ */
+
+
+/*
+ * Module management function prototypes
+ */
+static int mod_init(void);
+static int mod_child(int rank);
+static void destroy(void);
+
+MODULE_VERSION
+
+
+/*
+ * Default settings when modparams are used 
+ */
+static tls_domain_t mod_params = {
+	TLS_DOMAIN_DEF | TLS_DOMAIN_SRV,   /* Domain Type */
+	{},               /* IP address */
+	0,                /* Port number */
+	0,                /* SSL ctx */
+	STR_STATIC_INIT(TLS_CERT_FILE),    /* Certificate file */
+	STR_STATIC_INIT(TLS_PKEY_FILE),    /* Private key file */
+	0,                /* Verify certificate */
+	9,                /* Verify depth */
+	STR_STATIC_INIT(TLS_CA_FILE),      /* CA file */
+	0,                /* Require certificate */
+	{0, },                /* Cipher list */
+	TLS_USE_TLSv1,    /* TLS method */
+	0                 /* next */
+};
+
+
+/*
+ * Default settings for server domains when using external config file
+ */
+tls_domain_t srv_defaults = {
+	TLS_DOMAIN_DEF | TLS_DOMAIN_SRV,   /* Domain Type */
+	{},               /* IP address */
+	0,                /* Port number */
+	0,                /* SSL ctx */
+	STR_STATIC_INIT(TLS_CERT_FILE),    /* Certificate file */
+	STR_STATIC_INIT(TLS_PKEY_FILE),    /* Private key file */
+	0,                /* Verify certificate */
+	9,                /* Verify depth */
+	STR_STATIC_INIT(TLS_CA_FILE),      /* CA file */
+	0,                /* Require certificate */
+	{0, 0},                /* Cipher list */
+	TLS_USE_TLSv1,    /* TLS method */
+	0                 /* next */
+};
+
+
+/*
+ * Default settings for client domains when using external config file
+ */
+tls_domain_t cli_defaults = {
+	TLS_DOMAIN_DEF | TLS_DOMAIN_CLI,   /* Domain Type */
+	{},               /* IP address */
+	0,                /* Port number */
+	0,                /* SSL ctx */
+	{0, 0},                /* Certificate file */
+	{0, 0},                /* Private key file */
+	0,                /* Verify certificate */
+	9,                /* Verify depth */
+	STR_STATIC_INIT(TLS_CA_FILE),      /* CA file */
+	0,                /* Require certificate */
+	{0, 0},                /* Cipher list */
+	TLS_USE_TLSv1,    /* TLS method */
+	0                 /* next */
+};
+
+
+/*
+ * Defaults for client and server domains when using modparams
+ */
+static str tls_method = STR_STATIC_INIT("TLSv1");
+
+
+int tls_handshake_timeout = 120;
+int tls_send_timeout = 120;
+int tls_con_lifetime = 600; /* this value will be adjusted to ticks later */
+int tls_log = 3;
+int tls_session_cache = 0;
+str tls_session_id = STR_STATIC_INIT("ser-tls-2.1.0");
+str tls_cfg_file = STR_NULL;
+
+
+/* Current TLS configuration */
+tls_cfg_t** tls_cfg = NULL;
+
+/* List lock, used by garbage collector */
+gen_lock_t* tls_cfg_lock = NULL;
+
+
+/*
+ * Exported functions
+ */
+static cmd_export_t cmds[] = {
+	{0, 0, 0, 0, 0}
+};
+
+
+/*
+ * Exported parameters
+ */
+static param_export_t params[] = {
+	{"tls_method",          PARAM_STR,    &tls_method             },
+	{"verify_certificate",  PARAM_INT,    &mod_params.verify_cert },
+	{"verify_depth",        PARAM_INT,    &mod_params.verify_depth},
+	{"require_certificate", PARAM_INT,    &mod_params.require_cert},
+	{"private_key",         PARAM_STR,    &mod_params.pkey_file   },
+	{"ca_list",             PARAM_STR,    &mod_params.ca_file     },
+	{"certificate",         PARAM_STR,    &mod_params.cert_file   },
+	{"cipher_list",         PARAM_STR,    &mod_params.cipher_list },
+	{"handshake_timeout",   PARAM_INT,    &tls_handshake_timeout  },
+	{"send_timeout",        PARAM_INT,    &tls_send_timeout       },
+	{"connection_timeout",  PARAM_INT,    &tls_con_lifetime       },
+	{"tls_log",             PARAM_INT,    &tls_log                },
+	{"session_cache",       PARAM_INT,    &tls_session_cache      },
+	{"session_id",          PARAM_STR,    &tls_session_id         },
+	{"config",              PARAM_STR,    &tls_cfg_file           },
+	{"tls_disable_compression", PARAM_INT,&tls_disable_compression},
+	{"tls_force_run",       PARAM_INT,    &tls_force_run},
+	{"low_mem_threshold1",       PARAM_INT,    &openssl_mem_threshold1},
+	{"low_mem_threshold2",       PARAM_INT,    &openssl_mem_threshold2},
+	{0, 0, 0}
+};
+
+
+/*
+ * Module interface
+ */
+struct module_exports exports = {
+	"tls",
+	cmds,       /* Exported functions */
+	tls_rpc,    /* RPC methods */
+	params,     /* Exported parameters */
+	mod_init,   /* module initialization function */
+	0,          /* response function*/
+	destroy,    /* destroy function */
+	0,          /* cancel function */
+	mod_child   /* per-child init function */
+};
+
+
+
+static struct tls_hooks tls_h = {
+	tls_h_read,
+	tls_h_blocking_write,
+	tls_h_tcpconn_init,
+	tls_h_tcpconn_clean,
+	tls_h_close,
+	tls_h_fix_read_conn,
+	tls_h_init_si,
+	init_tls_h,
+	destroy_tls_h
+};
+
+
+
+#if 0
+/*
+ * Create TLS configuration from modparams
+ */
+static tls_cfg_t* tls_use_modparams(void)
+{
+	tls_cfg_t* ret;
+	
+	ret = tls_new_cfg();
+	if (!ret) return;
+
+	
+}
+#endif
+
+
+static int fix_rel_pathnames(void)
+{
+	if (tls_cfg_file.s) {
+		tls_cfg_file.s = get_abs_pathname(NULL, &tls_cfg_file);
+		if (tls_cfg_file.s == NULL) return -1;
+		tls_cfg_file.len = strlen(tls_cfg_file.s);
+	}
+	
+	if (mod_params.pkey_file.s) {
+		mod_params.pkey_file.s = get_abs_pathname(NULL, &mod_params.pkey_file);
+		if (mod_params.pkey_file.s == NULL) return -1;
+		mod_params.pkey_file.len = strlen(mod_params.pkey_file.s);
+	}
+	
+	if (mod_params.ca_file.s) {
+		mod_params.ca_file.s = get_abs_pathname(NULL, &mod_params.ca_file);
+		if (mod_params.ca_file.s == NULL) return -1;
+		mod_params.ca_file.len = strlen(mod_params.ca_file.s);
+	}
+	
+	if (mod_params.cert_file.s) {
+		mod_params.cert_file.s = get_abs_pathname(NULL, &mod_params.cert_file);
+		if (mod_params.cert_file.s == NULL) return -1;
+		mod_params.cert_file.len = strlen(mod_params.cert_file.s);
+	}
+	
+	return 0;
+}
+
+static int mod_init(void)
+{
+	int method;
+
+	if (tls_disable){
+		LOG(L_WARN, "WARNING: tls: mod_init: tls support is disabled "
+				"(set enable_tls=1 in the config to enable it)\n");
+		return 0;
+	}
+	     /* Convert tls_method parameter to integer */
+	method = tls_parse_method(&tls_method);
+	if (method < 0) {
+		ERR("Invalid tls_method parameter value\n");
+		return -1;
+	}
+	mod_params.method = method;
+
+	/* Update relative paths of files configured through modparams, relative
+	 * pathnames will be converted to absolute and the directory of the main
+	 * SER configuration file will be used as reference.
+	 */
+	if (fix_rel_pathnames() < 0) return -1;
+
+	tls_cfg = (tls_cfg_t**)shm_malloc(sizeof(tls_cfg_t*));
+	if (!tls_cfg) {
+		ERR("Not enough shared memory left\n");
+		return -1;
+	}
+	*tls_cfg = NULL;
+
+	register_tls_hooks(&tls_h);
+	register_select_table(tls_sel);
+
+	 /* if (init_tls() < 0) return -1; */
+	
+	tls_cfg_lock = lock_alloc();
+	if (tls_cfg_lock == 0) {
+		ERR("Unable to create TLS configuration lock\n");
+		return -1;
+	}
+	if (lock_init(tls_cfg_lock) == 0) {
+		lock_dealloc(tls_cfg_lock);
+		ERR("Unable to initialize TLS configuration lock\n");
+		return -1;
+	}
+
+	if (tls_cfg_file.s) {
+		*tls_cfg = tls_load_config(&tls_cfg_file);
+		if (!(*tls_cfg)) return -1;
+	} else {
+		*tls_cfg = tls_new_cfg();
+		if (!(*tls_cfg)) return -1;
+	}
+
+	if (tls_check_sockets(*tls_cfg) < 0) return -1;
+
+	/* fix the timeouts from s to ticks */
+	if (tls_con_lifetime<0){
+		/* set to max value (~ 1/2 MAX_INT) */
+		tls_con_lifetime=MAX_TLS_CON_LIFETIME;
+	}else{
+		if ((unsigned)tls_con_lifetime > 
+				(unsigned)TICKS_TO_S(MAX_TLS_CON_LIFETIME)){
+			LOG(L_WARN, "tls: mod_init: tls_con_lifetime too big (%u s), "
+					" the maximum value is %u\n", tls_con_lifetime,
+					TICKS_TO_S(MAX_TLS_CON_LIFETIME));
+			tls_con_lifetime=MAX_TLS_CON_LIFETIME;
+		}else{
+			tls_con_lifetime=S_TO_TICKS(tls_con_lifetime);
+		}
+	}
+	
+
+
+	return 0;
+}
+
+
+static int mod_child(int rank)
+{
+	if (tls_disable || (tls_cfg==0))
+		return 0;
+	/* fix tls config only from the main proc/PROC_INIT., when we know 
+	 * the exact process number and before any other process starts*/
+	if (rank == PROC_INIT){
+		if (tls_cfg_file.s){
+			if (tls_fix_cfg(*tls_cfg, &srv_defaults, &cli_defaults) < 0) 
+				return -1;
+		}else{
+			if (tls_fix_cfg(*tls_cfg, &mod_params, &mod_params) < 0) 
+				return -1;
+		}
+	}
+	return 0;
+}
+
+
+static void destroy(void)
+{
+}

modules/tls/tls_mod.h

@@ -0,0 +1,56 @@
+/*
+ * $Id$
+ *
+ * TLS module - module interface
+ *
+ * Copyright (C) 2001-2003 FhG FOKUS
+ * Copyright (C) 2004,2005 Free Software Foundation, Inc.
+ * Copyright (C) 2005 iptelorg GmbH
+ *
+ * This file is part of ser, a free SIP server.
+ *
+ * ser is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version
+ *
+ * For a license to use the ser software under conditions
+ * other than those described here, or to purchase support for this
+ * software, please contact iptel.org by e-mail at the following addresses:
+ *    [email protected]
+ *
+ * ser is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License 
+ * along with this program; if not, write to the Free Software 
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+
+#ifndef _TLS_MOD_H
+#define _TLS_MOD_H
+
+#include "../../str.h"
+#include "../../locking.h"
+#include "tls_domain.h"
+
+extern int tls_handshake_timeout;
+extern int tls_send_timeout;
+extern int tls_con_lifetime;
+extern int tls_log;
+extern int tls_session_cache;
+extern str tls_session_id;
+
+/* Current TLS configuration */
+extern tls_cfg_t** tls_cfg;
+extern gen_lock_t* tls_cfg_lock;
+
+extern tls_domain_t cli_defaults;
+extern tls_domain_t srv_defaults;
+
+extern str tls_cfg_file;
+
+#endif /* _TLS_MOD_H */

modules/tls/tls_rpc.c

@@ -0,0 +1,145 @@
+/*
+ * $Id$
+ *
+ * TLS module - management interface
+ *
+ * Copyright (C) 2001-2003 FhG FOKUS
+ * Copyright (C) 2004,2005 Free Software Foundation, Inc.
+ * Copyright (C) 2005 iptelorg GmbH
+ *
+ * This file is part of ser, a free SIP server.
+ *
+ * ser is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version
+ *
+ * For a license to use the ser software under conditions
+ * other than those described here, or to purchase support for this
+ * software, please contact iptel.org by e-mail at the following addresses:
+ *    [email protected]
+ *
+ * ser is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License 
+ * along with this program; if not, write to the Free Software 
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#include "../../rpc.h"
+#include "../../tcp_conn.h"
+#include "../../timer.h"
+#include "tls_init.h"
+#include "tls_mod.h"
+#include "tls_domain.h"
+#include "tls_config.h"
+#include "tls_util.h"
+#include "tls_server.h"
+#include "tls_rpc.h"
+
+static const char* tls_reload_doc[2] = {
+	"Reload TLS configuration file",
+	0
+};
+
+static void tls_reload(rpc_t* rpc, void* ctx)
+{
+	tls_cfg_t* cfg;
+
+	if (!tls_cfg_file.s) {
+		rpc->fault(ctx, 500, "No TLS configuration file configured");
+		return;
+	}
+
+	     /* Try to delete old configurations first */
+	collect_garbage();
+
+	cfg = tls_load_config(&tls_cfg_file);
+	if (!cfg) {
+		rpc->fault(ctx, 500, "Error while loading TLS configuration file (consult server log)");
+		return;
+	}
+
+	if (tls_fix_cfg(cfg, &srv_defaults, &cli_defaults) < 0) {
+		rpc->fault(ctx, 500, "Error while fixing TLS configuration (consult server log)");
+		goto error;
+	}
+	if (tls_check_sockets(cfg) < 0) {
+		rpc->fault(ctx, 500, "No server listening socket found for one of TLS domains (consult server log)");
+		goto error;
+	}
+
+	DBG("TLS configuration successfuly loaded");
+	cfg->next = (*tls_cfg);
+	*tls_cfg = cfg;
+	return;
+
+ error:
+	tls_free_cfg(cfg);
+	
+}
+
+
+static const char* tls_list_doc[2] = {
+	"List currently open TLS connections",
+	0
+};
+
+extern gen_lock_t* tcpconn_lock;
+extern struct tcp_connection** tcpconn_id_hash;
+
+static void tls_list(rpc_t* rpc, void* c)
+{
+	static char buf[128];
+	void* handle;
+	char* tls_info;
+	SSL* ssl;
+	struct tcp_connection* con;
+	int i, len, timeout;
+
+	ssl=0;
+	TCPCONN_LOCK;
+	for(i = 0; i < TCP_ID_HASH_SIZE; i++) {
+		if (tcpconn_id_hash[i] == NULL) continue;
+		con = tcpconn_id_hash[i];
+		while(con) {
+			if (con->rcv.proto != PROTO_TLS) goto skip;
+			if (con->extra_data) 
+				ssl = ((struct tls_extra_data*)con->extra_data)->ssl;
+			if (ssl) {
+				tls_info = SSL_CIPHER_description(SSL_get_current_cipher(ssl),
+													buf, 128);
+				len = strlen(buf);
+				if (len && buf[len - 1] == '\n') buf[len - 1] = '\0';
+			} else {
+				tls_info = "Unknown";
+			}
+			timeout = con->timeout - get_ticks();
+			if (timeout < 0) timeout = 0;
+			rpc->add(c, "{", &handle);
+			rpc->struct_add(handle, "ddsdsds",
+					"id", con->id,
+					"timeout", timeout,
+					"src_ip", ip_addr2a(&con->rcv.src_ip),
+					"src_port", con->rcv.src_port,
+					"dst_ip", ip_addr2a(&con->rcv.dst_ip),
+					"dst_port", con->rcv.dst_port,
+					"tls", 	tls_info);
+		skip:
+			con = con->id_next;
+		}
+	}
+
+	TCPCONN_UNLOCK;
+}
+
+
+
+rpc_export_t tls_rpc[] = {
+	{"tls.reload", tls_reload, tls_reload_doc, 0},
+	{"tls.list",   tls_list,   tls_list_doc,   RET_ARRAY},
+	{0, 0, 0, 0}
+};

modules/tls/tls_rpc.h

@@ -0,0 +1,38 @@
+/*
+ * $Id$
+ *
+ * TLS module - management interface
+ *
+ * Copyright (C) 2001-2003 FhG FOKUS
+ * Copyright (C) 2004,2005 Free Software Foundation, Inc.
+ * Copyright (C) 2005 iptelorg GmbH
+ *
+ * This file is part of ser, a free SIP server.
+ *
+ * ser is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version
+ *
+ * For a license to use the ser software under conditions
+ * other than those described here, or to purchase support for this
+ * software, please contact iptel.org by e-mail at the following addresses:
+ *    [email protected]
+ *
+ * ser is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License 
+ * along with this program; if not, write to the Free Software 
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+#ifndef _TLS_RPC_H
+#define _TLS_RPC_H
+
+#include "../../rpc.h"
+
+extern rpc_export_t tls_rpc[];
+
+#endif /* _TLS_RPC_H */

modules/tls/tls_select.c

@@ -0,0 +1,686 @@
+/*
+ * $Id$
+ *
+ * TLS module - select interface
+ *
+ * Copyright (C) 2001-2003 FhG FOKUS
+ * Copyright (C) 2004,2005 Free Software Foundation, Inc.
+ * COpyright (C) 2005 iptelorg GmbH
+ *
+ * This file is part of ser, a free SIP server.
+ *
+ * ser is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version
+ *
+ * For a license to use the ser software under conditions
+ * other than those described here, or to purchase support for this
+ * software, please contact iptel.org by e-mail at the following addresses:
+ *    [email protected]
+ *
+ * ser is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#include <openssl/ssl.h>
+#include <openssl/x509v3.h>
+#include "../../globals.h"
+#include "../../tcp_server.h"
+#include "../../tcp_conn.h"
+#include "../../ut.h"
+#include "tls_server.h"
+#include "tls_select.h"
+#include "tls_mod.h"
+
+enum {
+	CERT_LOCAL = 1,   /* Select local certificate */
+	CERT_PEER,        /* Select peer certificate */
+	CERT_SUBJECT,     /* Select subject part of certificate */
+	CERT_ISSUER,      /* Select issuer part of certificate */
+	CERT_VERIFIED,    /* Test for verified certificate */
+	CERT_REVOKED,     /* Test for revoked certificate */
+	CERT_EXPIRED,     /* Expiration certificate test */
+	CERT_SELFSIGNED,  /* self-signed certificate test */
+	CERT_NOTBEFORE,   /* Select validity end from certificate */
+	CERT_NOTAFTER,    /* Select validity start from certificate */
+	COMP_CN,          /* Common name */
+	COMP_O,           /* Organization name */
+	COMP_OU,          /* Organization unit */
+	COMP_C,           /* Country name */
+	COMP_ST,          /* State */
+	COMP_L,           /* Locality/town */
+	COMP_HOST,        /* hostname from subject/alternative */
+	COMP_URI,         /* URI from subject/alternative */
+	COMP_E,           /* Email address */
+        COMP_IP           /* IP from subject/alternative */
+};
+
+
+struct tcp_connection* get_cur_connection(struct sip_msg* msg)
+{
+	struct tcp_connection* c;
+	if (msg->rcv.proto != PROTO_TLS) {
+		ERR("Transport protocol is not TLS (bug in config)\n");
+		return 0;
+	}
+
+	c = tcpconn_get(msg->rcv.proto_reserved1, 0, 0, 0, tls_con_lifetime);
+	if (c && c->type != PROTO_TLS) {
+		ERR("Connection found but is not TLS\n");
+		tcpconn_put(c);
+		return 0;
+	}
+	return c;
+}
+
+
+static SSL* get_ssl(struct tcp_connection* c)
+{
+	struct tls_extra_data* extra;
+
+	if (!c || !c->extra_data) {
+		ERR("Unable to extract SSL data from TLS connection\n");
+		return 0;
+	}
+	extra = (struct tls_extra_data*)c->extra_data;
+	return extra->ssl;
+}
+
+
+static int get_cert(X509** cert, struct tcp_connection** c, struct sip_msg* msg, int my)
+{
+	SSL* ssl;
+
+	*cert = 0;
+	*c = get_cur_connection(msg);
+	if (!(*c)) {
+		INFO("TLS connection not found\n");
+		return -1;
+	}
+	ssl = get_ssl(*c);
+	if (!ssl) goto err;
+	*cert = my ? SSL_get_certificate(ssl) : SSL_get_peer_certificate(ssl);
+	if (!*cert) goto err;
+        return 0;
+	
+ err:
+	tcpconn_put(*c);
+	return -1;
+}
+
+
+static int sel_cipher(str* res, select_t* s, struct sip_msg* msg) 
+{
+	str cipher;
+	static char buf[1024];
+
+	struct tcp_connection* c;
+	SSL* ssl;
+
+	c = get_cur_connection(msg);
+	if (!c) {
+		INFO("TLS connection not found in select_cipher\n");
+		goto err;
+	}
+	ssl = get_ssl(c);
+	if (!ssl) goto err;
+
+	cipher.s = (char*)SSL_CIPHER_get_name(SSL_get_current_cipher(ssl));
+	cipher.len = cipher.s ? strlen(cipher.s) : 0;
+	if (cipher.len >= 1024) {
+		ERR("Cipher name too long\n");
+		goto err;
+	}
+	memcpy(buf, cipher.s, cipher.len);
+	res->s = buf;
+	res->len = cipher.len;
+	tcpconn_put(c);
+        return 0;
+
+ err:
+	if (c) tcpconn_put(c);
+	return -1;
+}
+
+
+static int sel_bits(str* res, select_t* s, struct sip_msg* msg) 
+{
+	str bits;
+	int b;
+	static char buf[1024];
+
+	struct tcp_connection* c;
+	SSL* ssl;
+
+	c = get_cur_connection(msg);
+	if (!c) {
+		INFO("TLS connection not found in select_bits\n");
+		goto err;
+	}
+	ssl = get_ssl(c);
+	if (!ssl) goto err;
+
+	b = SSL_CIPHER_get_bits(SSL_get_current_cipher(ssl), 0);
+	bits.s = int2str(b, &bits.len);
+	if (bits.len >= 1024) {
+		ERR("Bits string too long\n");
+		goto err;
+	}
+	memcpy(buf, bits.s, bits.len);
+	res->s = buf;
+	res->len = bits.len;
+	tcpconn_put(c);
+        return 0;
+
+ err:
+	if (c) tcpconn_put(c);
+	return -1;
+}
+
+
+static int sel_version(str* res, select_t* s, struct sip_msg* msg)
+{
+	str version;
+	static char buf[1024];
+
+	struct tcp_connection* c;
+	SSL* ssl;
+
+	c = get_cur_connection(msg);
+	if (!c) {
+		INFO("TLS connection not found in select_version\n");
+		goto err;
+	}
+	ssl = get_ssl(c);
+	if (!ssl) goto err;
+
+	version.s = (char*)SSL_get_version(ssl);
+	version.len = version.s ? strlen(version.s) : 0;
+	if (version.len >= 1024) {
+		ERR("Version string too long\n");
+		goto err;
+	}
+	memcpy(buf, version.s, version.len);
+	res->s = buf;
+	res->len = version.len;
+	tcpconn_put(c);
+        return 0;
+
+ err:
+	if (c) tcpconn_put(c);
+	return -1;
+}
+
+
+static int sel_desc(str* res, select_t* s, struct sip_msg* msg)
+{
+	static char buf[128];
+
+	struct tcp_connection* c;
+	SSL* ssl;
+
+	c = get_cur_connection(msg);
+	if (!c) {
+		INFO("TLS connection not found in select_desc\n");
+		goto err;
+	}
+	ssl = get_ssl(c);
+	if (!ssl) goto err;
+
+	buf[0] = '\0';
+	SSL_CIPHER_description(SSL_get_current_cipher(ssl), buf, 128);
+	res->s = buf;
+	res->len = strlen(buf);
+	tcpconn_put(c);
+        return 0;
+
+ err:
+	if (c) tcpconn_put(c);
+	return -1;	
+}
+
+
+static int sel_cert_version(str* res, select_t* s, struct sip_msg* msg)
+{
+	static char buf[INT2STR_MAX_LEN];
+	X509* cert;
+	struct tcp_connection* c;
+	char* version;
+	int my;
+
+	switch(s->params[s->n - 2].v.i) {
+	case CERT_PEER: my = 0; break;
+	case CERT_LOCAL: my = 1; break;
+	default:
+		BUG("Bug in call to sel_cert_version\n");
+		return -1;
+	}
+
+	if (get_cert(&cert, &c, msg, my) < 0) return -1;
+	version = int2str(X509_get_version(cert), &res->len);
+	memcpy(buf, version, res->len);
+	res->s = buf;
+	if (!my) X509_free(cert);
+	tcpconn_put(c);
+	return 0;
+}
+
+
+/*
+ * Check whether peer certificate exists and verify the result
+ * of certificate verification
+ */
+static int check_cert(str* res, select_t* s, struct sip_msg* msg)
+{
+	static str succ = STR_STATIC_INIT("1");
+	static str fail = STR_STATIC_INIT("0");
+
+	int ret, my, err;
+	struct tcp_connection* c;
+	SSL* ssl;
+	X509* cert = 0;
+
+	switch(s->params[s->n - 2].v.i) {
+	case CERT_PEER: my = 0; break;
+	case CERT_LOCAL: my = 1; break;
+	default:
+		BUG("Bug in call to sel_cert_version\n");
+		return -1;
+	}
+
+	switch (s->params[s->n - 1].v.i) {
+	case CERT_VERIFIED:   err = X509_V_OK;                              break;
+	case CERT_REVOKED:    err = X509_V_ERR_CERT_REVOKED;                break;
+	case CERT_EXPIRED:    err = X509_V_ERR_CERT_HAS_EXPIRED;            break;
+	case CERT_SELFSIGNED: err = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; break;
+	default:
+		BUG("Unexpected parameter value \"%d\"\n", s->params[s->n - 1].v.i);
+		return -1;
+	}   
+
+	c = get_cur_connection(msg);
+	if (!c) return -1;
+
+	ssl = get_ssl(c);
+	if (!ssl) goto err;
+
+	if (my) {
+		DBG("Verification of local certificates not supported\n");
+		goto err;
+	} else {
+		if ((cert = SSL_get_peer_certificate(ssl)) && SSL_get_verify_result(ssl) == err) {
+			*res = succ;
+			ret = 0; /* Verified certificate */
+		} else {
+			*res = fail;
+			/* I is better to return 0, because the select function
+			call is successful, only the result is false (Miklos) */
+			ret = 0; /* Certificate missing or not verified */
+		}
+	}
+
+	if (cert) X509_free(cert);
+	tcpconn_put(c);
+        return ret;
+
+ err:
+	if (cert) X509_free(cert);
+	if (c) tcpconn_put(c);
+	return -1;
+}
+
+
+static int sel_validity(str* res, select_t* s, struct sip_msg* msg)
+{
+	static char buf[1024];
+	X509* cert;
+	struct tcp_connection* c;
+	BUF_MEM* p;
+	BIO* mem = 0;
+	ASN1_TIME* date;
+	int my;
+
+	switch(s->params[s->n - 2].v.i) {
+	case CERT_PEER:  my = 0; break;
+	case CERT_LOCAL: my = 1; break;
+	default:
+		BUG("Could not determine certificate\n");
+		return -1;
+	}
+
+	if (get_cert(&cert, &c, msg, my) < 0) return -1;
+
+	switch (s->params[s->n - 1].v.i) {
+	case CERT_NOTBEFORE: date = X509_get_notBefore(cert); break;
+	case CERT_NOTAFTER:  date = X509_get_notAfter(cert);  break;
+	default:
+		BUG("Unexpected parameter value \"%d\"\n", s->params[s->n - 1].v.i);
+		goto err;
+	}
+
+	mem = BIO_new(BIO_s_mem());
+	if (!mem) {
+		ERR("Error while creating memory BIO\n");
+		goto err;
+	}
+
+	if (!ASN1_TIME_print(mem, date)) {
+		ERR("Error while printing certificate date/time\n");
+		goto err;
+	}
+	
+	BIO_get_mem_ptr(mem, &p);
+	if (p->length >= 1024) {
+		ERR("Date/time too long\n");
+		goto err;
+	}
+	memcpy(buf, p->data, p->length);
+	res->s = buf;
+	res->len = p->length;
+
+	BIO_free(mem);
+	if (!my) X509_free(cert);
+	tcpconn_put(c);
+	return 0;
+ err:
+	if (mem) BIO_free(mem);
+	if (!my) X509_free(cert);
+	tcpconn_put(c);
+	return -1;
+}
+
+
+static int sel_sn(str* res, select_t* s, struct sip_msg* msg)
+{
+	static char buf[INT2STR_MAX_LEN];
+	X509* cert;
+	struct tcp_connection* c;
+	int my;
+	char* sn;
+
+	switch(s->params[s->n - 2].v.i) {
+	case CERT_PEER:  my = 0; break;
+	case CERT_LOCAL: my = 1; break;
+	default:
+		BUG("Could not determine certificate\n");
+		return -1;
+	}
+
+	if (get_cert(&cert, &c, msg, my) < 0) return -1;
+
+	sn = int2str(ASN1_INTEGER_get(X509_get_serialNumber(cert)), &res->len);
+	memcpy(buf, sn, res->len);
+	res->s = buf;
+	if (!my) X509_free(cert);
+	tcpconn_put(c);
+	return 0;
+}
+
+static int sel_comp(str* res, select_t* s, struct sip_msg* msg)
+{
+	static char buf[1024];
+	X509* cert;
+	struct tcp_connection* c;
+	X509_NAME* name;
+	X509_NAME_ENTRY* e;
+	ASN1_STRING* asn1;
+	int nid = NID_commonName, index, my = 0, issuer = 0, i;
+	char* elem;
+	unsigned char* text_s;
+	int text_len;
+	       
+	text_s = 0;
+
+	for(i = 1; i <= s->n - 1; i++) {
+		switch(s->params[i].v.i) {
+		case CERT_LOCAL: my = 1; break;
+		case CERT_PEER: my = 0; break;
+		case CERT_SUBJECT: issuer = 0;  break;
+		case CERT_ISSUER: issuer = 1; break;
+		case COMP_CN: nid = NID_commonName; break;
+		case COMP_O: nid = NID_organizationName; break;
+		case COMP_OU: nid = NID_organizationalUnitName; break;
+		case COMP_C: nid = NID_countryName; break;
+		case COMP_ST: nid = NID_stateOrProvinceName; break;
+		case COMP_L: nid = NID_localityName; break;
+		default:
+			BUG("Bug in sel_comp: %d\n", s->params[s->n - 1].v.i);
+			return -1;
+		}
+	}
+
+	if (get_cert(&cert, &c, msg, my) < 0) return -1;
+
+	name = issuer ? X509_get_issuer_name(cert) : X509_get_subject_name(cert);
+	if (!name) {
+		ERR("Cannot extract subject or issuer name from peer certificate\n");
+		goto err;
+	}
+
+	index = X509_NAME_get_index_by_NID(name, nid, -1);
+	if (index == -1) {
+		switch(nid) {
+		case NID_commonName:             elem = "CommonName";              break;
+		case NID_organizationName:       elem = "OrganizationName";        break;
+		case NID_organizationalUnitName: elem = "OrganizationalUnitUname"; break;
+		case NID_countryName:            elem = "CountryName";             break;
+		case NID_stateOrProvinceName:    elem = "StateOrProvinceName";     break;
+		case NID_localityName:           elem = "LocalityName";            break;
+		default:                         elem = "Unknown";                 break;
+		}
+		DBG("Element %s not found in certificate subject/issuer\n", elem);
+		goto err;
+	}
+
+	e = X509_NAME_get_entry(name, index);
+	asn1 = X509_NAME_ENTRY_get_data(e);
+	text_len = ASN1_STRING_to_UTF8(&text_s, asn1);
+	if (text_len < 0 || text_len >= 1024) {
+		ERR("Error converting ASN1 string\n");
+		goto err;
+	}
+	memcpy(buf, text_s, text_len);
+	res->s = buf;
+	res->len = text_len;
+
+	OPENSSL_free(text_s);
+	if (!my) X509_free(cert);
+	tcpconn_put(c);
+	return 0;
+
+ err:
+	if (text_s) OPENSSL_free(text_s);
+	if (!my) X509_free(cert);
+	tcpconn_put(c);
+	return -1;
+}
+
+static int sel_alt(str* res, select_t* s, struct sip_msg* msg)
+{
+	static char buf[1024];
+	int type = GEN_URI, my = 0, n, i, found = 0;
+	STACK_OF(GENERAL_NAME)* names = 0;
+	GENERAL_NAME* nm;
+	X509* cert;
+	struct tcp_connection* c;
+	str text;
+	struct ip_addr ip;
+
+	for(i = 1; i <= s->n - 1; i++) {
+		switch(s->params[i].v.i) {
+		case CERT_LOCAL: my = 1; break;
+		case CERT_PEER: my = 0; break;
+		case COMP_E:    type = GEN_EMAIL; break;
+		case COMP_HOST: type = GEN_DNS;   break;
+		case COMP_URI:  type = GEN_URI;   break;
+		case COMP_IP:   type = GEN_IPADD; break;
+		default:
+			BUG("Bug in sel_alt: %d\n", s->params[s->n - 1].v.i);
+			return -1;
+		}
+	}
+
+	if (get_cert(&cert, &c, msg, my) < 0) return -1;
+
+	names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
+	if (!names) {
+		DBG("Cannot get certificate alternative subject\n");
+		goto err;
+
+	}
+
+	for (n = 0; n < sk_GENERAL_NAME_num(names); n++) {
+		nm = sk_GENERAL_NAME_value(names, n);
+		if (nm->type != type) continue;
+		switch(type) {
+		case GEN_EMAIL:
+		case GEN_DNS:
+		case GEN_URI:
+			text.s = (char*)nm->d.ia5->data;
+			text.len = nm->d.ia5->length;
+			if (text.len >= 1024) {
+				ERR("Alternative subject text too long\n");
+				goto err;
+			}
+			memcpy(buf, text.s, text.len);
+			res->s = buf;
+			res->len = text.len;
+			found = 1;
+			break;
+
+		case GEN_IPADD:
+			ip.len = nm->d.iPAddress->length;
+			ip.af = (ip.len == 16) ? AF_INET6 : AF_INET;
+			memcpy(ip.u.addr, nm->d.iPAddress->data, ip.len);
+			text.s = ip_addr2a(&ip);
+			text.len = strlen(text.s);
+			memcpy(buf, text.s, text.len);
+			res->s = buf;
+			res->len = text.len;
+			found = 1;
+			break;
+		}
+		break;
+	}
+	if (!found) goto err;
+
+	if (names) sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
+	if (!my) X509_free(cert);
+	tcpconn_put(c);
+	return 0;
+ err:
+	if (names) sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
+	if (!my) X509_free(cert);
+	tcpconn_put(c);
+	return -1;
+}
+
+
+static int sel_tls(str* res, select_t* s, struct sip_msg* msg)
+{
+	return sel_desc(res, s, msg);
+}
+
+
+static int sel_name(str* res, select_t* s, struct sip_msg* msg)
+{
+	return sel_comp(res, s, msg);
+}
+
+
+static int sel_cert(str* res, select_t* s, struct sip_msg* msg)
+{
+	return sel_comp(res, s, msg);
+}
+
+
+select_row_t tls_sel[] = {
+	     /* Current cipher parameters */
+        { NULL, SEL_PARAM_STR, STR_STATIC_INIT("tls"), sel_tls, 0},
+
+	{ sel_tls, SEL_PARAM_STR, STR_STATIC_INIT("version"),     sel_version, 0},
+	{ sel_tls, SEL_PARAM_STR, STR_STATIC_INIT("desc"),        sel_desc,    0},
+	{ sel_tls, SEL_PARAM_STR, STR_STATIC_INIT("description"), sel_desc,    0},
+        { sel_tls, SEL_PARAM_STR, STR_STATIC_INIT("cipher"),      sel_cipher,  0},
+	{ sel_tls, SEL_PARAM_STR, STR_STATIC_INIT("peer"),        sel_cert,    DIVERSION | CERT_PEER},
+	{ sel_tls, SEL_PARAM_STR, STR_STATIC_INIT("my"),          sel_cert,    DIVERSION | CERT_LOCAL},
+	{ sel_tls, SEL_PARAM_STR, STR_STATIC_INIT("me"),          sel_cert,    DIVERSION | CERT_LOCAL},
+	{ sel_tls, SEL_PARAM_STR, STR_STATIC_INIT("myself"),      sel_cert,    DIVERSION | CERT_LOCAL},
+
+        { sel_cipher, SEL_PARAM_STR, STR_STATIC_INIT("bits"), sel_bits, 0},
+
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("subject"), sel_name, DIVERSION | CERT_SUBJECT},
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("subj"),    sel_name, DIVERSION | CERT_SUBJECT},
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("issuer"),  sel_name, DIVERSION | CERT_ISSUER},
+
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("verified"),    check_cert, DIVERSION | CERT_VERIFIED},
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("revoked"),     check_cert, DIVERSION | CERT_REVOKED},
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("expired"),     check_cert, DIVERSION | CERT_EXPIRED},
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("self_signed"), check_cert, DIVERSION | CERT_SELFSIGNED},
+
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("version"), sel_cert_version, 0},
+
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("sn"),            sel_sn, 0},
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("serialNumber"),  sel_sn, 0},
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("serial_number"), sel_sn, 0},
+
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("notBefore"),  sel_validity, DIVERSION | CERT_NOTBEFORE},
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("not_before"), sel_validity, DIVERSION | CERT_NOTBEFORE},
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("notAfter"),   sel_validity, DIVERSION | CERT_NOTAFTER},
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("not_after"),  sel_validity, DIVERSION | CERT_NOTAFTER},
+
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("email"),         sel_alt, DIVERSION | COMP_E},
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("emailAddress"),  sel_alt, DIVERSION | COMP_E},
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("email_address"), sel_alt, DIVERSION | COMP_E},
+
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("host"),     sel_alt, DIVERSION | COMP_HOST},
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("hostname"), sel_alt, DIVERSION | COMP_HOST},
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("dns"),      sel_alt, DIVERSION | COMP_HOST},
+
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("uri"), sel_alt, DIVERSION | COMP_URI},
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("url"), sel_alt, DIVERSION | COMP_URI},
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("urn"), sel_alt, DIVERSION | COMP_URI},
+
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("ip"),         sel_alt, DIVERSION | COMP_IP},
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("IPAddress"),  sel_alt, DIVERSION | COMP_IP},
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("ip_address"), sel_alt, DIVERSION | COMP_IP},
+
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("cn"),          sel_comp, DIVERSION | COMP_CN},
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("commonName"),  sel_comp, DIVERSION | COMP_CN},
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("common_name"), sel_comp, DIVERSION | COMP_CN},
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("name"),        sel_comp, DIVERSION | COMP_CN},
+
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("l"),             sel_comp, DIVERSION | COMP_L},
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("localityName"),  sel_comp, DIVERSION | COMP_L},
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("locality_name"), sel_comp, DIVERSION | COMP_L},
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("locality"),      sel_comp, DIVERSION | COMP_L},
+
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("c"),            sel_comp, DIVERSION | COMP_C},
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("countryName"),  sel_comp, DIVERSION | COMP_C},
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("country_name"), sel_comp, DIVERSION | COMP_C},
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("country"),      sel_comp, DIVERSION | COMP_C},
+
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("st"),                     sel_comp, DIVERSION | COMP_ST},
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("stateOrProvinceName"),    sel_comp, DIVERSION | COMP_ST},
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("state_or_province_name"), sel_comp, DIVERSION | COMP_ST},
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("state"),                  sel_comp, DIVERSION | COMP_ST},
+
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("o"),                 sel_comp, DIVERSION | COMP_O},
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("organizationName"),  sel_comp, DIVERSION | COMP_O},
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("organization_name"), sel_comp, DIVERSION | COMP_O},
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("organization"),      sel_comp, DIVERSION | COMP_O},
+
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("ou"),                       sel_comp, DIVERSION | COMP_OU},
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("organizationalUnitName"),   sel_comp, DIVERSION | COMP_OU},
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("organizational_unit_name"), sel_comp, DIVERSION | COMP_OU},
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("unit"),                     sel_comp, DIVERSION | COMP_OU},
+
+        { NULL, SEL_PARAM_INT, STR_NULL, NULL, 0}
+};

modules/tls/tls_select.h

@@ -0,0 +1,39 @@
+/*
+ * $Id$
+ *
+ * TLS module - select interface
+ *
+ * Copyright (C) 2001-2003 FhG FOKUS
+ * Copyright (C) 2004,2005 Free Software Foundation, Inc.
+ * COpyright (C) 2005,2006 iptelorg GmbH
+ *
+ * This file is part of ser, a free SIP server.
+ *
+ * ser is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version
+ *
+ * For a license to use the ser software under conditions
+ * other than those described here, or to purchase support for this
+ * software, please contact iptel.org by e-mail at the following addresses:
+ *    [email protected]
+ *
+ * ser is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#ifndef _TLS_SELECT_H
+#define _TLS_SELECT_H
+
+#include "../../select.h"
+
+extern select_row_t tls_sel[];
+
+#endif /* _TLS_SELECT_H */

modules/tls/tls_server.c

@@ -0,0 +1,927 @@
+/*
+ * $Id$
+ *
+ * TLS module - main server part
+ * 
+ * Copyright (C) 2001-2003 FhG FOKUS
+ * Copyright (C) 2004,2005 Free Software Foundation, Inc.
+ * Copyright (C) 2005,2006 iptelorg GmbH
+ *
+ * This file is part of ser, a free SIP server.
+ *
+ * ser is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version
+ *
+ * For a license to use the ser software under conditions
+ * other than those described here, or to purchase support for this
+ * software, please contact iptel.org by e-mail at the following addresses:
+ *    [email protected]
+ *
+ * ser is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License 
+ * along with this program; if not, write to the Free Software 
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+/*
+ * History:
+ * --------
+ *  2007-01-26  openssl kerberos malloc bug detection/workaround (andrei)
+ *  2007-02-23  openssl low memory bugs workaround (andrei)
+ */
+
+#include <sys/poll.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+#include "../../dprint.h"
+#include "../../ip_addr.h"
+#include "../../mem/shm_mem.h"
+#include "../../pt.h"
+#include "../../timer.h"
+#include "../../globals.h"
+#include "../../pt.h"
+
+#include "tls_init.h"
+#include "tls_domain.h"
+#include "tls_util.h"
+#include "tls_mod.h"
+#include "tls_server.h"
+
+/* low memory treshold for openssl bug #1491 workaround */
+#define LOW_MEM_NEW_CONNECTION_TEST() \
+	((openssl_mem_threshold1) && (shm_available()<openssl_mem_threshold1))
+#define LOW_MEM_CONNECTED_TEST() \
+	((openssl_mem_threshold2) && (shm_available()<openssl_mem_threshold2))
+
+/* 
+ * finish the ssl init (creates the SSL and set extra_data to it)
+ * separated from tls_tcpconn_init to allow delayed ssl context
+ * init. (from the "child" process and not from the main one 
+ */
+static int tls_complete_init(struct tcp_connection* c)
+{
+	tls_domain_t* dom;
+	struct tls_extra_data* data = 0;
+	tls_cfg_t* cfg;
+
+	if (LOW_MEM_NEW_CONNECTION_TEST()){
+		ERR("tls: ssl bug #1491 workaround: not enough memory for safe"
+				" operation: %lu\n", shm_available());
+		goto error2;
+	}
+	     /* Get current TLS configuration and increate reference
+	      * count immediately. There is no need to lock the structure
+	      * here, because it does not get deleted immediately. When
+	      * SER reloads TLS configuration it will put the old configuration
+	      * on a garbage queue and delete it later, so we know here that
+	      * the pointer we get from *tls_cfg will be valid for a while, at
+	      * least by the time this function finishes
+	      */
+	cfg = *tls_cfg;
+
+	     /* Increment the reference count in the configuration structure, this
+	      * is to ensure that, while on the garbage queue, the configuration does
+	      * not get deleted if there are still connection referencing its SSL_CTX
+	      */
+	cfg->ref_count++;
+
+	if (c->state == S_CONN_ACCEPT) {
+		dom = tls_lookup_cfg(cfg, TLS_DOMAIN_SRV, &c->rcv.dst_ip, c->rcv.dst_port);
+	} else if (c->state == S_CONN_CONNECT) {
+		dom = tls_lookup_cfg(cfg, TLS_DOMAIN_CLI, &c->rcv.dst_ip, c->rcv.dst_port);
+	} else {
+		BUG("Invalid connection state (bug in TCP code)\n");
+		goto error;
+	}
+	DBG("Using TLS domain %s\n", tls_domain_str(dom));
+
+	data = (struct tls_extra_data*)shm_malloc(sizeof(struct tls_extra_data));
+	if (!data) {
+		ERR("Not enough shared memory left\n");
+		goto error;
+	}
+	memset(data, '\0', sizeof(struct tls_extra_data));
+	data->ssl = SSL_new(dom->ctx[process_no]);
+	data->cfg = cfg;
+
+	if (data->ssl == 0) {
+		TLS_ERR("Failed to create SSL structure:");
+		goto error;
+	}
+#ifdef TLS_KSSL_WORKARROUND
+	 /* if needed apply workaround for openssl bug #1467 */
+	if (data->ssl->kssl_ctx && openssl_kssl_malloc_bug){
+		kssl_ctx_free(data->ssl->kssl_ctx);
+		data->ssl->kssl_ctx=0;
+	}
+#endif
+	c->extra_data = data;
+	return 0;
+
+ error:
+	cfg->ref_count--;
+	if (data) shm_free(data);
+ error2:
+	c->state = S_CONN_BAD;
+	return -1;
+}
+
+
+/*
+ * Update ssl structure with new fd 
+ */
+static int tls_update_fd(struct tcp_connection *c, int fd)
+{
+	SSL *ssl;
+	BIO *rbio;
+	BIO *wbio;
+	
+	if (!c->extra_data && tls_complete_init(c) < 0) {
+		ERR("Delayed init failed\n");
+		return -1;
+	}else if (LOW_MEM_CONNECTED_TEST()){
+		ERR("tls: ssl bug #1491 workaround: not enough memory for safe"
+				" operation: %lu\n", shm_available());
+		return -1;
+	}
+	ssl = ((struct tls_extra_data*)c->extra_data)->ssl;
+	
+	if (((rbio=SSL_get_rbio(ssl))==0) || ((wbio=SSL_get_wbio(ssl))==0)){
+		/* no BIO connected */
+		if (SSL_set_fd(ssl, fd) != 1) {
+			TLS_ERR("tls_update_fd:");
+			return -1;
+		}
+		return 0;
+	}
+	if ((BIO_set_fd(rbio, fd, BIO_NOCLOSE)!=1) ||
+		(BIO_set_fd(wbio, fd, BIO_NOCLOSE)!=1)) {
+		/* it should be always 1 */
+		TLS_ERR("tls_update_fd:");
+		return -1;
+	}
+	return 0;
+}
+
+
+static void tls_dump_cert_info(char* s, X509* cert)
+{
+	char* subj;
+	char* issuer;
+	
+	subj=issuer=0;
+	subj = X509_NAME_oneline(X509_get_subject_name(cert), 0 , 0);
+	issuer = X509_NAME_oneline(X509_get_issuer_name(cert), 0 , 0);
+	
+	if (subj){
+		LOG(tls_log, "%s subject:%s\n", s ? s : "", subj);
+		OPENSSL_free(subj);
+	}
+	if (issuer){
+		LOG(tls_log, "%s issuer:%s\n", s ? s : "", issuer);
+		OPENSSL_free(issuer);
+	}
+}
+
+
+static void tls_dump_verification_failure(long verification_result)
+{
+	switch(verification_result) {
+	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+		LOG(tls_log, "verification failure: unable to get issuer certificate\n");
+		break;
+	case X509_V_ERR_UNABLE_TO_GET_CRL:
+		LOG(tls_log, "verification failure: unable to get certificate CRL\n");
+		break;
+	case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
+		LOG(tls_log, "verification failure: unable to decrypt certificate's signature\n");
+		break;
+	case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
+		LOG(tls_log, "verification failure: unable to decrypt CRL's signature\n");
+		break;
+	case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
+		LOG(tls_log, "verification failure: unable to decode issuer public key\n");
+		break;
+	case X509_V_ERR_CERT_SIGNATURE_FAILURE:
+		LOG(tls_log, "verification failure: certificate signature failure\n");
+		break;
+	case X509_V_ERR_CRL_SIGNATURE_FAILURE:
+		LOG(tls_log, "verification failure: CRL signature failure\n");
+		break;
+	case X509_V_ERR_CERT_NOT_YET_VALID:
+		LOG(tls_log, "verification failure: certificate is not yet valid\n");
+		break;
+	case X509_V_ERR_CERT_HAS_EXPIRED:
+		LOG(tls_log, "verification failure: certificate has expired\n");
+		break;
+	case X509_V_ERR_CRL_NOT_YET_VALID:
+		LOG(tls_log, "verification failure: CRL is not yet valid\n");
+		break;
+	case X509_V_ERR_CRL_HAS_EXPIRED:
+		LOG(tls_log, "verification failure: CRL has expired\n");
+		break;
+	case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+		LOG(tls_log, "verification failure: format error in certificate's notBefore field\n");
+		break;
+	case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+		LOG(tls_log, "verification failure: format error in certificate's notAfter field\n");
+		break;
+	case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
+		LOG(tls_log, "verification failure: format error in CRL's lastUpdate field\n");
+		break;
+	case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
+		LOG(tls_log, "verification failure: format error in CRL's nextUpdate field\n");
+		break;
+	case X509_V_ERR_OUT_OF_MEM:
+		LOG(tls_log, "verification failure: out of memory\n");
+		break;
+	case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+		LOG(tls_log, "verification failure: self signed certificate\n");
+		break;
+	case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+		LOG(tls_log, "verification failure: self signed certificate in certificate chain\n");
+		break;
+	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+		LOG(tls_log, "verification failure: unable to get local issuer certificate\n");
+		break;
+	case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+		LOG(tls_log, "verification failure: unable to verify the first certificate\n");
+		break;
+	case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+		LOG(tls_log, "verification failure: certificate chain too long\n");
+		break;
+	case X509_V_ERR_CERT_REVOKED:
+		LOG(tls_log, "verification failure: certificate revoked\n");
+		break;
+	case X509_V_ERR_INVALID_CA:
+		LOG(tls_log, "verification failure: invalid CA certificate\n");
+		break;
+	case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+		LOG(tls_log, "verification failure: path length constraint exceeded\n");
+		break;
+	case X509_V_ERR_INVALID_PURPOSE:
+		LOG(tls_log, "verification failure: unsupported certificate purpose\n");
+		break;
+	case X509_V_ERR_CERT_UNTRUSTED:
+		LOG(tls_log, "verification failure: certificate not trusted\n");
+		break;
+	case X509_V_ERR_CERT_REJECTED:
+		LOG(tls_log, "verification failure: certificate rejected\n");
+		break;
+	case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
+		LOG(tls_log, "verification failure: subject issuer mismatch\n");
+		break;
+	case X509_V_ERR_AKID_SKID_MISMATCH:
+		LOG(tls_log, "verification failure: authority and subject key identifier mismatch\n");
+		break;
+	case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
+		LOG(tls_log, "verification failure: authority and issuer serial number mismatch\n");
+		break;
+	case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
+		LOG(tls_log, "verification failure: key usage does not include certificate signing\n");
+		break;
+	case X509_V_ERR_APPLICATION_VERIFICATION:
+		LOG(tls_log, "verification failure: application verification failure\n");
+		break;
+	}
+}
+
+
+/*
+ * Wrapper around SSL_accept, returns -1 on error, 0 on success 
+ */
+static int tls_accept(struct tcp_connection *c, int* error)
+{
+	int ret, err, ssl_err;
+	SSL *ssl;
+	X509* cert;
+
+	if (c->state != S_CONN_ACCEPT) {
+		BUG("Invalid connection state (bug in TLS code)\n");
+		     /* Not critical */
+		return 0;
+	}
+	if (LOW_MEM_NEW_CONNECTION_TEST()){
+		ERR("tls: ssl bug #1491 workaround: not enough memory for safe"
+				" operation: %lu\n", shm_available());
+		goto err;
+	}
+
+	ssl = ((struct tls_extra_data*)c->extra_data)->ssl;
+	ret = SSL_accept(ssl);
+	if (ret == 1) {
+		DBG("TLS accept successful\n");
+		c->state = S_CONN_OK;
+		LOG(tls_log, "tls_accept: new connection from %s:%d using %s %s %d\n", 
+		    ip_addr2a(&c->rcv.src_ip), c->rcv.src_port,
+		    SSL_get_cipher_version(ssl), SSL_get_cipher_name(ssl), 
+		    SSL_get_cipher_bits(ssl, 0)
+		    );
+		LOG(tls_log, "tls_accept: local socket: %s:%d\n", 
+		    ip_addr2a(&c->rcv.dst_ip), c->rcv.dst_port
+		    );
+		cert = SSL_get_peer_certificate(ssl);
+		if (cert != 0) { 
+			tls_dump_cert_info("tls_accept: client certificate", cert);
+			if (SSL_get_verify_result(ssl) != X509_V_OK) {
+				LOG(tls_log, "WARNING: tls_accept: client certificate "
+				    "verification failed!!!\n");
+				tls_dump_verification_failure(SSL_get_verify_result(ssl));
+			}
+			X509_free(cert);
+		} else {
+			LOG(tls_log, "tls_accept: client did not present a certificate\n");
+		}
+	} else {
+		err = SSL_get_error(ssl, ret);
+		if (error) *error = err;
+		switch (err) {
+		case SSL_ERROR_ZERO_RETURN:
+			DBG("TLS handshake failed cleanly\n");
+			goto err;
+			
+		case SSL_ERROR_WANT_READ:
+			DBG("Need to get more data to finish TLS accept\n");
+			break;
+			
+		case SSL_ERROR_WANT_WRITE:
+			DBG("Need to send more data to finish TLS accept\n");
+			break;
+			
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L /*0.9.7*/
+		case SSL_ERROR_WANT_CONNECT:
+			DBG("Need to retry connect\n");
+			break;
+			
+		case SSL_ERROR_WANT_ACCEPT:
+			DBG("Need to retry accept\n");
+			break;
+#endif
+		case SSL_ERROR_WANT_X509_LOOKUP:
+			DBG("Application callback asked to be called again\n");
+			break;
+			
+		case SSL_ERROR_SYSCALL:
+			TLS_ERR_RET(ssl_err, "TLS accept:");
+			if (!ssl_err) {
+				if (ret == 0) {
+					WARN("Unexpected EOF occurred while performing TLS accept\n");
+				} else {
+					ERR("IO error: (%d) %s\n", errno, strerror(errno));
+				}
+			}
+			goto err;
+			
+		default:
+			TLS_ERR("SSL error:");
+			goto err;
+		}
+	}
+	return 0;
+ err:
+	c->state = S_CONN_BAD;
+	return -1;
+}
+
+
+/*
+ * wrapper around SSL_connect, returns 0 on success, -1 on error 
+ */
+static int tls_connect(struct tcp_connection *c, int* error)
+{
+	SSL *ssl;
+	int ret, err, ssl_err;
+	X509* cert;
+
+	if (c->state != S_CONN_CONNECT) {
+		BUG("Invalid connection state\n");
+		     /* Not critical */
+		return 0;
+	}
+	if (LOW_MEM_NEW_CONNECTION_TEST()){
+		ERR("tls: ssl bug #1491 workaround: not enough memory for safe"
+				" operation: %lu\n", shm_available());
+		goto err;
+	}
+
+	ssl = ((struct tls_extra_data*)c->extra_data)->ssl;
+	ret = SSL_connect(ssl);
+	if (ret == 1) {
+		DBG("TLS connect successuful\n");
+		c->state = S_CONN_OK;
+		LOG(tls_log, "tls_connect: new connection to %s:%d using %s %s %d\n", 
+		    ip_addr2a(&c->rcv.src_ip), c->rcv.src_port,
+		    SSL_get_cipher_version(ssl), SSL_get_cipher_name(ssl),
+		    SSL_get_cipher_bits(ssl, 0)
+		    );
+		LOG(tls_log, "tls_connect: sending socket: %s:%d \n", 
+		    ip_addr2a(&c->rcv.dst_ip), c->rcv.dst_port
+		    );
+		cert = SSL_get_peer_certificate(ssl);
+		if (cert != 0) { 
+			tls_dump_cert_info("tls_connect: server certificate", cert);
+			if (SSL_get_verify_result(ssl) != X509_V_OK) {
+				LOG(tls_log, "WARNING: tls_connect: server certificate "
+				    "verification failed!!!\n");
+				tls_dump_verification_failure(SSL_get_verify_result(ssl));
+			}
+			X509_free(cert);
+		} else {
+			     /* this should not happen, servers always present a cert */
+			LOG(tls_log, "tls_connect: server did not present a certificate\n");
+		}
+	} else {
+		err = SSL_get_error(ssl, ret);
+		if (error) *error = err;
+		switch (err) {
+		case SSL_ERROR_ZERO_RETURN:
+			DBG("TLS handshake failed cleanly\n");
+			goto err;
+			
+		case SSL_ERROR_WANT_READ:
+			DBG("Need to get more data to finish TLS connect\n");
+			break;
+			
+		case SSL_ERROR_WANT_WRITE:
+			DBG("Need to send more data to finish TLS connect\n");
+			break;
+			
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L /*0.9.7*/
+		case SSL_ERROR_WANT_CONNECT:
+			DBG("Need to retry connect\n");
+			break;
+			
+		case SSL_ERROR_WANT_ACCEPT:
+			DBG("Need to retry accept\n");
+			break;
+#endif
+		case SSL_ERROR_WANT_X509_LOOKUP:
+			DBG("Application callback asked to be called again\n");
+			break;
+			
+		case SSL_ERROR_SYSCALL:
+			TLS_ERR_RET(ssl_err, "TLS connect:");
+			if (!ssl_err) {
+				if (ret == 0) {
+					WARN("Unexpected EOF occurred while performing TLS connect\n");
+				} else {
+					ERR("IO error: (%d) %s\n", errno, strerror(errno));
+				}
+			}
+			goto err;
+			
+		default:
+			TLS_ERR("SSL error:");
+			goto err;
+		}
+	}
+	return 0;
+ err:
+	c->state = S_CONN_BAD;
+	return -1;
+}
+
+
+/*
+ * wrapper around SSL_shutdown, returns -1 on error, 0 on success 
+ */
+static int tls_shutdown(struct tcp_connection *c)
+{
+	int ret, err, ssl_err;
+	SSL *ssl;
+
+	ssl = ((struct tls_extra_data*)c->extra_data)->ssl;
+	if (ssl == 0) {
+		ERR("No SSL data to perform tls_shutdown\n");
+		return -1;
+	}
+	if (LOW_MEM_CONNECTED_TEST()){
+		ERR("tls: ssl bug #1491 workaround: not enough memory for safe"
+				" operation: %lu\n", shm_available());
+		goto err;
+	}
+	
+	ret = SSL_shutdown(ssl);
+	if (ret == 1) {
+		DBG("TLS shutdown successful\n");
+		return 0;
+	} else if (ret == 0) {
+		DBG("First phase of 2-way handshake completed succesfuly\n");
+		return 0;
+	} else {
+		err = SSL_get_error(ssl, ret);
+		switch (err) {
+		case SSL_ERROR_ZERO_RETURN:
+			DBG("TLS shutdown failed cleanly\n");
+			goto err;
+			
+		case SSL_ERROR_WANT_READ:
+			DBG("Need to get more data to finish TLS shutdown\n");
+			break;
+			
+		case SSL_ERROR_WANT_WRITE:
+			DBG("Need to send more data to finish TLS shutdown\n");
+			break;
+			
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L /*0.9.7*/
+		case SSL_ERROR_WANT_CONNECT:
+			DBG("Need to retry connect\n");
+			break;
+			
+		case SSL_ERROR_WANT_ACCEPT:
+			DBG("Need to retry accept\n");
+			break;
+#endif
+		case SSL_ERROR_WANT_X509_LOOKUP:
+			DBG("Application callback asked to be called again\n");
+			break;
+			
+		case SSL_ERROR_SYSCALL:
+			TLS_ERR_RET(ssl_err, "TLS shutdown");
+			if (!ssl_err) {
+				if (ret == 0) {
+					WARN("Unexpected EOF occurred while performing TLS shutdown\n");
+				} else {
+					ERR("IO error: (%d) %s\n", errno, strerror(errno));
+				}
+			}
+			goto err;
+			
+		default:
+			TLS_ERR("SSL error:");
+			goto err;
+		}
+	}
+	
+	return 0;
+ err:
+	return -1;
+}
+
+
+/* "normal", return number of bytes written,  -1 on error/EOF & sets error
+ * & c->state on EOF; 0 on want READ/WRITE
+ * 
+ * expects a set fd */
+static int tls_write(struct tcp_connection *c, const void *buf, size_t len, int* error)
+{
+	int ret, err, ssl_err;
+	SSL *ssl;
+	ssl = ((struct tls_extra_data*)c->extra_data)->ssl;
+
+	err = 0;
+	if (LOW_MEM_CONNECTED_TEST()){
+		ERR("tls: ssl bug #1491 workaround: not enough memory for safe"
+				" operation: %lu\n", shm_available());
+		ret=-1;
+		goto err;
+	}
+	ret = SSL_write(ssl, buf, len);
+	if (ret <= 0) {
+		err = SSL_get_error(ssl, ret);
+		switch (err) {
+		case SSL_ERROR_ZERO_RETURN:
+			DBG("TLS connection has been closed\n");
+			c->state = S_CONN_EOF;
+			ret = -1;
+			break;
+			
+		case SSL_ERROR_WANT_READ:
+			DBG("Need to get more data to finish TLS write\n");
+			ret = 0;
+			break;
+
+		case SSL_ERROR_WANT_WRITE:
+			DBG("Need to send more data to finish TLS write\n");
+			ret = 0;
+			break;
+			
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L /*0.9.7*/
+		case SSL_ERROR_WANT_CONNECT:
+		case SSL_ERROR_WANT_ACCEPT:
+			DBG("TLS not connected\n");
+			ret = -1;
+			break;
+#endif
+		case SSL_ERROR_WANT_X509_LOOKUP:
+			DBG("Application callback asked to be called again\n");
+			ret = 0;
+			break;
+			
+		case SSL_ERROR_SYSCALL:
+			TLS_ERR_RET(ssl_err, "tls_write:");
+			if (!ssl_err) {
+				if (ret == 0) {
+					WARN("Unexpected EOF occurred while performing TLS shutdown\n");
+					c->state = S_CONN_EOF;
+					ret = -1;
+				} else {
+					ERR("IO error: (%d) %s\n", errno, strerror(errno));
+				}
+			}
+			break;
+			
+		default:
+			TLS_ERR("SSL error:");
+			break;
+		}
+	}
+
+err:
+	if (error) *error = err;
+	return ret;
+}
+
+
+/*
+ * Called when new tcp connection is accepted or connected, create ssl
+ * data structures here, there is no need to acquire any lock, because the 
+ * connection is being created by a new process and on other process has
+ * access to it yet, this is called before adding the tcp_connection
+ * structure into the hash 
+ */
+int tls_h_tcpconn_init(struct tcp_connection *c, int sock)
+{
+	c->type = PROTO_TLS;
+	c->rcv.proto = PROTO_TLS;
+	c->timeout = get_ticks_raw() + tls_con_lifetime;
+	c->extra_data = 0;
+	return 0;
+}
+
+
+/*
+ * clean the extra data upon connection shut down 
+ */
+void tls_h_tcpconn_clean(struct tcp_connection *c)
+{
+	struct tls_extra_data* extra;
+	/*
+	* runs within global tcp lock 
+	*/
+	if (c->type != PROTO_TLS) {
+		BUG("Bad connection structure\n");
+		abort();
+	}
+	if (c->extra_data) {
+		extra = (struct tls_extra_data*)c->extra_data;
+		SSL_free(extra->ssl);
+		extra->cfg->ref_count--;
+		shm_free(c->extra_data);
+		c->extra_data = 0;
+	}
+}
+
+
+/*
+ * perform one-way shutdown, do not wait for notify from the remote peer 
+ */
+void tls_h_close(struct tcp_connection *c, int fd)
+{
+	     /*
+	      * runs within global tcp lock 
+	      */
+	DBG("Closing SSL connection\n");
+	if (c->extra_data) {
+		if (tls_update_fd(c, fd)==0)
+			tls_shutdown(c); /* shudown only on succesfull set fd */
+	}
+}
+
+
+
+/*
+ * This is shamelessly stolen tsend_stream from tsend.c 
+ */
+/*
+ * fixme: probably does not work correctly 
+ */
+int tls_h_blocking_write(struct tcp_connection *c, int fd, const char *buf,
+			  unsigned int len)
+{
+	int err, n, ticks, tout;
+	fd_set sel_set;
+	struct timeval timeout;
+	
+	n = 0;
+	if (tls_update_fd(c, fd) < 0) goto error;
+again:
+	err = 0;
+	     /* first try  a "fast" write -- avoid the extra select call,
+	      * we might get lucky and not need it */
+	if (c->state == S_CONN_CONNECT) {
+		if (tls_connect(c, &err) < 0) goto error;
+		tout = tls_handshake_timeout;
+	} else if (c->state == S_CONN_ACCEPT) {
+		if (tls_accept(c, &err) < 0) goto error;
+		tout = tls_handshake_timeout;
+	} else {
+		n = tls_write(c, buf, len, &err);
+		if (n < 0) {
+			DBG("tls_write error %d (ssl %d)\n", n, err);
+			goto error;
+		} else if (n < len) {
+			     /* not all the contents was written => try again w/ the rest
+			      * (possible when SSL_MODE_ENABLE_PARTIAL_WRITE is set)
+			      */
+			DBG("%ld bytes still need to be written\n", 
+				(long)(len - n));
+			buf += n; 
+			len -= n;
+		} else {
+			     /* succesfull write */
+			DBG("write finished, %d bytes written\n", n);
+			goto end;
+		}
+		tout = tls_send_timeout;
+	}
+
+	while(1) {
+		FD_ZERO(&sel_set);
+		FD_SET(fd, &sel_set);
+		timeout.tv_sec = tout;
+		timeout.tv_usec = 0;
+		ticks = get_ticks();
+
+		     /* blocking part, wait until we can write again on the fd */
+		switch(err){
+			case 0:
+			case SSL_ERROR_WANT_WRITE:
+				n = select(fd + 1, 0, &sel_set ,0 , &timeout);
+				break;
+
+			case SSL_ERROR_WANT_READ:
+				n = select(fd + 1, &sel_set, 0 ,0 , &timeout);
+				break;
+
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L /*0.9.7*/
+			case SSL_ERROR_WANT_ACCEPT:
+#endif
+			case SSL_ERROR_WANT_CONNECT:
+				DBG("re-trying accept/connect\n");
+				goto again;
+
+			default:
+				BUG("Unhandled SSL error %d\n", err);
+				goto error;
+		}
+		if (n < 0) {
+			if (errno == EINTR) continue;/* just a signal */
+			ERR("Select failed:"
+			    " (%d) %s\n", errno, strerror(errno));
+			goto error;
+		}
+		if (n == 0) {
+			     /* timeout, make sure the interval really expired */
+			if ((get_ticks() - ticks) >= tout) {
+				ERR("Peer not "
+				    " responding after %d s=> timeout (state %d) \n",
+				    tout, c->state);
+				goto error;
+			}
+		}
+		if (FD_ISSET(fd, &sel_set)) {
+			     /* we can write again */
+			DBG("Ready to read/write again\n");
+			goto again;
+		}
+	}
+	
+ error:
+	return -1;
+ end:
+	return n;
+}
+
+
+/*
+ * called only when a connection is in S_CONN_OK, we do not have to care
+ * about accepting or connecting here, each modification of ssl data
+ * structures has to be protected, another process might ask for the same
+ * connection and attempt write to it which would result in updating the
+ * ssl structures 
+ */
+int tls_h_read(struct tcp_connection * c)
+{
+	struct tcp_req* r;
+	int bytes_free, bytes_read, err, ssl_err;
+	SSL* ssl;
+
+	r = &c->req;
+	bytes_free = TCP_BUF_SIZE - (int)(r->pos - r->buf);
+	
+	if (bytes_free == 0) {
+		ERR("Buffer overrun, dropping\n");
+		r->error = TCP_REQ_OVERRUN;
+		return -1;
+	}
+	if (LOW_MEM_CONNECTED_TEST()){
+		ERR("tls: ssl bug #1491 workaround: not enough memory for safe"
+				" operation: %lu\n", shm_available());
+		return -1;
+	}
+	     /* we have to avoid to run in the same time 
+	      * with a tls_write because of the 
+	      * update_fd stuff  (we don't want a write
+	      * stealing the fd under us or vice versa)
+	      * => lock on con->write_lock (ugly hack) */
+	lock_get(&c->write_lock);
+	if (tls_update_fd(c, c->fd) != 0) {
+		     /* error */
+		lock_release(&c->write_lock);
+		return -1;
+	}
+	ssl = ((struct tls_extra_data*)c->extra_data)->ssl;
+	bytes_read = SSL_read(ssl, r->pos, bytes_free);
+	lock_release(&c->write_lock);
+	
+	if (bytes_read <= 0) {
+		err = SSL_get_error(ssl, bytes_read);
+		switch(err){
+		case SSL_ERROR_ZERO_RETURN:
+			     /* tls connection has been closed */
+			DBG("tls_read: eof\n");
+			c->state = S_CONN_EOF;
+			return 0;
+
+		case SSL_ERROR_WANT_READ:
+			DBG("tls_read: Need to read more data\n");
+			return 0;
+			
+		case SSL_ERROR_WANT_WRITE:
+			     /* retry later */
+			DBG("tls_read: Need to write more data\n");
+			return 0;
+
+		case SSL_ERROR_SYSCALL:
+			TLS_ERR_RET(ssl_err, "tls_read:");
+			if (!ssl_err) {
+				if (bytes_read == 0) {
+					LOG(tls_log, "WARNING: tls_read: improper EOF on tls"
+					    " (harmless)\n");
+					c->state = S_CONN_EOF;
+					return 0;
+				} else {
+					ERR("Error reading: syscall"
+					    " (%d) %s\n", errno, strerror(errno));
+				}
+			} 
+			     /* error return */
+			r->error = TCP_READ_ERROR;
+			return -1;
+		default:
+			TLS_ERR("tls_read:");
+			r->error = TCP_READ_ERROR;
+			return -1;
+		}
+	}
+
+	r->pos += bytes_read;
+	return bytes_read;
+}
+
+
+/*
+ * called before tls_read, the this function should attempt tls_accept or
+ * tls_connect depending on the state of the connection, if this function
+ * does not transit a connection into S_CONN_OK then tcp layer would not
+ * call tcp_read 
+ */
+int tls_h_fix_read_conn(struct tcp_connection *c)
+{
+	int ret;
+	ret = 0;
+
+	switch (c->state) {
+	case S_CONN_ACCEPT:
+		lock_get(&c->write_lock);
+		     /* It might have changed meanwhile */
+		if (c->state == S_CONN_ACCEPT) {
+			ret = tls_update_fd(c, c->fd);
+			if (ret == 0) ret = tls_accept(c, 0);
+			else ret = -1;
+		}
+		lock_release(&c->write_lock);
+		break;
+		
+	case S_CONN_CONNECT:
+		lock_get(&c->write_lock);
+		     /* It might have changed meanwhile */
+		if (c->state == S_CONN_CONNECT) {
+			ret = tls_update_fd(c, c->fd);
+			if (ret == 0) ret = tls_connect(c, 0);
+			else ret = -1;
+		}
+		lock_release(&c->write_lock);
+		break;
+		
+	default: /* fall through */
+		break;
+	}
+	return ret;
+}

modules/tls/tls_server.h

@@ -0,0 +1,71 @@
+/*
+ * $Id$
+ *
+ * TLS module - main server part
+ *
+ * Copyright (C) 2001-2003 FhG FOKUS
+ * Copyright (C) 2004,2005 Free Software Foundation, Inc.
+ * Copyright (C) 2005,2006 iptelorg GmbH
+ *
+ * This file is part of ser, a free SIP server.
+ *
+ * ser is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version
+ *
+ * For a license to use the ser software under conditions
+ * other than those described here, or to purchase support for this
+ * software, please contact iptel.org by e-mail at the following addresses:
+ *    [email protected]
+ *
+ * ser is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License 
+ * along with this program; if not, write to the Free Software 
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#ifndef _TLS_SERVER_H
+#define _TLS_SERVER_H
+
+#include <stdio.h>
+#include "../../tcp_conn.h"
+#include "tls_domain.h"
+
+struct tls_extra_data {
+	tls_cfg_t* cfg; /* Configuration used for this connection */
+	SSL* ssl;       /* SSL context used for the connection */
+};
+
+/*
+ * dump ssl error stack 
+ */
+void tls_print_errstack(void);
+
+/*
+ * Called when new tcp connection is accepted 
+ */
+int tls_h_tcpconn_init(struct tcp_connection *c, int sock);
+
+/*
+ * clean the extra data upon connection shut down 
+ */
+void tls_h_tcpconn_clean(struct tcp_connection *c);
+
+/*
+ * shut down the TLS connection 
+ */
+void tls_h_close(struct tcp_connection *c, int fd);
+
+int tls_h_blocking_write(struct tcp_connection *c, int fd,
+			  const char *buf, unsigned int len);
+
+int tls_h_read(struct tcp_connection *c);
+
+int tls_h_fix_read_conn(struct tcp_connection *c);
+
+#endif /* _TLS_SERVER_H */

modules/tls/tls_util.c

@@ -0,0 +1,126 @@
+/*
+ * $Id$
+ *
+ * TLS module - common functions
+ *
+ * Copyright (C) 2001-2003 FhG FOKUS
+ * Copyright (C) 2004,2005 Free Software Foundation, Inc.
+ * Copyright (C) 2005 iptelorg GmbH
+ *
+ * This file is part of ser, a free SIP server.
+ *
+ * ser is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version
+ *
+ * For a license to use the ser software under conditions
+ * other than those described here, or to purchase support for this
+ * software, please contact iptel.org by e-mail at the following addresses:
+ *    [email protected]
+ *
+ * ser is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#define _GNU_SOURCE 1 /* Needed for strndup */
+
+#include <string.h>
+#include <libgen.h>
+#include "../../mem/shm_mem.h"
+#include "../../globals.h"
+#include "tls_mod.h"
+#include "tls_util.h"
+
+
+/*
+ * Make a shared memory copy of str string
+ * Return value: -1 on error
+ *                0 on success
+ */
+int shm_str_dup(char** dest, str* val)
+{
+	char* ret;
+
+	if (!val) {
+		*dest = NULL;
+		return 0;
+	}
+
+	ret = shm_malloc(val->len + 1);
+	if (!ret) {
+		ERR("No memory left\n");
+		return 1;
+	}
+	memcpy(ret, val->s, val->len);
+	ret[val->len] = '\0';
+	*dest = ret;
+	return 0;
+}
+
+
+/*
+ * Make a shared memory copy of ASCII zero terminated string
+ * Return value: -1 on error
+ *                0 on success
+ */
+int shm_asciiz_dup(char** dest, char* val)
+{
+	char* ret;
+	int len;
+
+	if (!val) {
+		*dest = NULL;
+		return 0;
+	}
+
+	len = strlen(val);
+	ret = shm_malloc(len + 1);
+	if (!ret) {
+		ERR("No memory left\n");
+		return -1;
+	}
+	memcpy(ret, val, len + 1);
+	*dest = ret;
+        return 0;
+}
+
+
+/*
+ * Delete old TLS configuration that is not needed anymore
+ */
+void collect_garbage(void)
+{
+	tls_cfg_t* prev, *cur;
+
+	     /* Make sure we do not run two garbage collectors
+	      * at the same time
+	      */
+	lock_get(tls_cfg_lock);
+
+	     /* Skip the current configuration, garbage starts
+	      * with the 2nd element on the list
+	      */
+	prev = *tls_cfg;
+	cur = (*tls_cfg)->next;
+
+	while(cur) {
+		if (cur->ref_count == 0) {
+			     /* Not referenced by any existing connection */
+			prev->next = cur->next;
+			tls_free_cfg(cur);
+		}
+
+		prev = cur;
+		cur = cur->next;
+	}
+
+	lock_release(tls_cfg_lock);
+}
+

modules/tls/tls_util.h

@@ -0,0 +1,84 @@
+/*
+ * $Id$
+ *
+ * TLS module - common functions
+ *
+ * Copyright (C) 2001-2003 FhG FOKUS
+ * Copyright (C) 2004,2005 Free Software Foundation, Inc.
+ * COpyright (C) 2005 iptelorg GmbH
+ *
+ * This file is part of ser, a free SIP server.
+ *
+ * ser is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version
+ *
+ * For a license to use the ser software under conditions
+ * other than those described here, or to purchase support for this
+ * software, please contact iptel.org by e-mail at the following addresses:
+ *    [email protected]
+ *
+ * ser is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#ifndef _TLS_UTIL_H
+#define _TLS_UTIL_H
+
+#include <openssl/err.h>
+#include "../../dprint.h"
+#include "../../str.h"
+#include "tls_domain.h"
+
+
+#define TLS_ERR_RET(r, s)                               \
+do {                                                    \
+	long err;                                       \
+        (r) = 0;                                        \
+	if ((*tls_cfg)->srv_default->ctx &&             \
+	    (*tls_cfg)->srv_default->ctx[0]) {          \
+		while((err = ERR_get_error())) {        \
+			(r) = 1;                        \
+			ERR("%s%s\n", ((s)) ? (s) : "", \
+			    ERR_error_string(err, 0));  \
+		}                                       \
+	}                                               \
+} while(0)
+
+
+#define TLS_ERR(s)           \
+do {                         \
+	int ret;             \
+	TLS_ERR_RET(ret, s); \
+} while(0)
+
+
+/*
+ * Make a shared memory copy of str string
+ * Return value: -1 on error
+ *                0 on success
+ */
+int shm_str_dup(char** dest, str* val);
+
+
+/*
+ * Make a shared memory copy of ASCII zero terminated string
+ * Return value: -1 on error
+ *                0 on success
+ */
+int shm_asciiz_dup(char** dest, char* val);
+
+
+/*
+ * Delete old TLS configuration that is not needed anymore
+ */
+void collect_garbage(void);
+
+#endif /* _TLS_UTIL_H */

modules/tls/tls_verify.c

@@ -0,0 +1,126 @@
+/*
+ * $Id$
+ *
+ * TLS module - certificate verification function
+ *
+ * Copyright (C) 2001-2003 FhG FOKUS
+ * Copyright (C) 2004,2005 Free Software Foundation, Inc.
+ * COpyright (C) 2005 iptelorg GmbH
+ *
+ * This file is part of ser, a free SIP server.
+ *
+ * ser is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version
+ *
+ * For a license to use the ser software under conditions
+ * other than those described here, or to purchase support for this
+ * software, please contact iptel.org by e-mail at the following addresses:
+ *    [email protected]
+ *
+ * ser is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#include "../../dprint.h"
+#include "tls_verify.h"
+
+/* FIXME: remove this and use the value in domains instead */
+#define VERIFY_DEPTH_S 3
+
+/* This callback is called during each verification process, 
+at each step during the chain of certificates (this function
+is not the certificate_verification one!). */
+int verify_callback(int pre_verify_ok, X509_STORE_CTX *ctx) {
+	char buf[256];
+	X509 *err_cert;
+	int err, depth;
+
+	depth = X509_STORE_CTX_get_error_depth(ctx);
+	DBG("verify_callback: depth = %d\n",depth);
+	if ( depth > VERIFY_DEPTH_S ) {
+		LOG(L_NOTICE, "tls_init: verify_callback: cert chain too long ( depth > VERIFY_DEPTH_S)\n");
+		pre_verify_ok=0;
+	}
+	
+	if( pre_verify_ok ) {
+		LOG(L_NOTICE, "tls_init: verify_callback: preverify is good: verify return: %d\n", pre_verify_ok);
+		return pre_verify_ok;
+	}
+	
+	err_cert = X509_STORE_CTX_get_current_cert(ctx);
+	err = X509_STORE_CTX_get_error(ctx);	
+	X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof buf);
+	
+	LOG(L_NOTICE, "tls_init: verify_callback: subject = %s\n", buf);
+	LOG(L_NOTICE, "tls_init: verify_callback: verify error:num=%d:%s\n", err, X509_verify_cert_error_string(err));	
+	LOG(L_NOTICE, "tls_init: verify_callback: error code is %d\n", ctx->error);
+	
+	switch (ctx->error) {
+		case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+			X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,sizeof buf);
+			LOG(L_NOTICE, "tls_init: verify_callback: issuer= %s\n",buf);
+			break;
+			
+		case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+		case X509_V_ERR_CERT_NOT_YET_VALID:
+			LOG(L_NOTICE, "tls_init: verify_callback: notBefore\n");
+			break;
+		
+		case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+		case X509_V_ERR_CERT_HAS_EXPIRED:
+			LOG(L_NOTICE, "tls_init: verify_callback: notAfter\n");
+			break;
+			
+		case X509_V_ERR_CERT_SIGNATURE_FAILURE:
+		case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
+			LOG(L_NOTICE, "tls_init: verify_callback: unable to decrypt cert signature\n");
+			break;
+			
+		case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
+			LOG(L_NOTICE, "tls_init: verify_callback: unable to decode issuer public key\n");
+			break;
+			
+		case X509_V_ERR_OUT_OF_MEM:
+			ERR("tls_init: verify_callback: Out of memory \n");
+			break;
+			
+		case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+		case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+			LOG(L_NOTICE, "tls_init: verify_callback: Self signed certificate issue\n");
+			break;
+
+		case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+			LOG(L_NOTICE, "tls_init: verify_callback: certificate chain too long\n");
+			break;
+		case X509_V_ERR_INVALID_CA:
+			LOG(L_NOTICE, "tls_init: verify_callback: invalid CA\n");
+			break;
+		case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+			LOG(L_NOTICE, "tls_init: verify_callback: path length exceeded\n");
+			break;
+		case X509_V_ERR_INVALID_PURPOSE:
+			LOG(L_NOTICE, "tls_init: verify_callback: invalid purpose\n");
+			break;
+		case X509_V_ERR_CERT_UNTRUSTED:
+			LOG(L_NOTICE, "tls_init: verify_callback: certificate untrusted\n");
+			break;
+		case X509_V_ERR_CERT_REJECTED:
+			LOG(L_NOTICE, "tls_init: verify_callback: certificate rejected\n");
+			break;
+		
+		default:
+			LOG(L_NOTICE, "tls_init: verify_callback: something wrong with the cert ... error code is %d (check x509_vfy.h)\n", ctx->error);
+			break;
+	}
+	
+	LOG(L_NOTICE, "tls_init: verify_callback: verify return:%d\n", pre_verify_ok);
+	return(pre_verify_ok);
+}

modules/tls/tls_verify.h

@@ -0,0 +1,42 @@
+/*
+ * $Id$
+ *
+ * TLS module - certificate verification function
+ *
+ * Copyright (C) 2001-2003 FhG FOKUS
+ * Copyright (C) 2004,2005 Free Software Foundation, Inc.
+ * COpyright (C) 2005 iptelorg GmbH
+ *
+ * This file is part of ser, a free SIP server.
+ *
+ * ser is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version
+ *
+ * For a license to use the ser software under conditions
+ * other than those described here, or to purchase support for this
+ * software, please contact iptel.org by e-mail at the following addresses:
+ *    [email protected]
+ *
+ * ser is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#ifndef _TLS_VERIFY_H
+#define _TLS_VERIFY_H
+
+#include <openssl/ssl.h>
+
+/* This callback is called during each verification process, 
+at each step during the chain of certificates (this function
+is not the certificate_verification one!). */
+int verify_callback(int pre_verify_ok, X509_STORE_CTX *ctx);
+
+#endif /* _TLS_VERIFY_H */

modules/tls/todo.txt

@@ -0,0 +1,4 @@
+* After the parser change relative pathnames are not handled
+  properly (they are not expanded to absolute pathnames with
+  respect to the configuration file).
+