Module: sip-router
Branch: andrei/tcp_tls_changes
Commit: 93c495f34ebb001f9509db82acad5a7483b61d41
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=93c495f3...
Author: Andrei Pelinescu-Onciul andrei@iptel.org
Committer: Andrei Pelinescu-Onciul andrei@iptel.org
Date: Thu May 20 18:24:38 2010 +0200
tls: async support (major tls core rewrite)
The new tls hook interface (exported by the tcp code) is now used. All the IO operations are made through a custom SSL BIO that reads and writes in some memory buffers (see tls_bio.h), while externally emulating a socket. This BIO in fact provides some functions that will be called by the openssl code on IO. In the case of a read event, the data is first read into memory (using tcp_read_data()), then assigned to the BIO, and after that one of SSL_read(), SSL_connect()/SSL_accept() (if the connection is not yet established) or SSL_write() (if the last write wanted to read some data due to re-keying) is called. They will all read from the custom BIO. An SSL_read() might not use all the data (in some very unlikely situations), so in this case the encrypted data is queued and the tcp code is signaled (via some flags) that it should repeat the read call when more space is available.

Writes are split in two: the first write on a new connection in async mode, and all other writes (they need to be handled slightly differently). The encrypted data will end up in a memory buffer (via SSL_write() and the custom BIO). From there it will either be sent directly if possible or queued (tcp_async). In the case when the SSL_write() needs to read some data (e.g. re-keying), the whole clear-text data will be queued and the SSL_write() will be retried on the first read event.
There is no separate async mode for tls: if tcp is in async mode, then tls will be too, and vice versa. Runtime tuning (queue sizes and so on) and statistics are missing for now.
(C) and license changes:
- moved tls_dump_verification_failure into a separate file (tls_dump_vf.c), out of tls_server.c.
- the remaining tcp_server.[ch] code is either re-written (most of it, the entire read & write part) or comes from old iptel code => changed the (c) to iptelorg only and the license to BSD-like (only for tcp_server.[ch]).
---
modules/tls/tls_dump_vf.c |  144 ++++++
modules/tls/tls_dump_vf.h |   41 ++
modules/tls/tls_init.c    |    2 +
modules/tls/tls_mod.c     |   34 +-
modules/tls/tls_server.c  | 1105 ++++++++++++++++++++++++---------------------
modules/tls/tls_server.h  |   76 ++--
6 files changed, 831 insertions(+), 571 deletions(-)
Diff: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commitdiff;h=93c4...
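As an added example that is not part of the commit or of the sip-router code: the read/write state machine described in the commit message, written against Python's ssl.MemoryBIO and ssl.SSLObject, which play the role of the custom BIO of tls_bio.h (OpenSSL only ever reads from and writes to memory buffers; the application moves bytes between those buffers and the socket). The clear-text queue, the retry of a pending SSL_write on the next read event, and the queued first write on a connection whose handshake is still in progress are modelled as described above. The in-process "socket" that delivers bytes in 100-byte chunks, the anonymous ECDH ciphersuite (chosen only so the handshake runs offline with no certificate) and the two SIP messages are assumptions of this harness, not of the module.

```python
"""Event-driven TLS over memory BIOs; stand-alone example, not sip-router code.

ssl.MemoryBIO/SSLObject stand in for the custom BIO of tls_bio.h; the socket is
simulated by handing one side's output to the other in small chunks. Assumption
(harness only): anonymous ECDH at OpenSSL security level 0 on TLS 1.2, no cert.
"""
import ssl
from collections import deque


def anon_context(purpose):
    ctx = ssl.SSLContext(purpose)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # anonymous suites exist only up to 1.2
    if purpose == ssl.PROTOCOL_TLS_CLIENT:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("AECDH-AES256-SHA:AECDH-AES128-SHA:@SECLEVEL=0")
    return ctx


class AsyncTlsConn:
    def __init__(self, ctx, server_side):
        self.incoming = ssl.MemoryBIO()   # encrypted bytes read from the wire
        self.outgoing = ssl.MemoryBIO()   # encrypted bytes waiting for the wire
        self.ssl = ctx.wrap_bio(self.incoming, self.outgoing, server_side=server_side)
        self.established = False
        self.clear_queue = deque()        # clear text whose SSL_write must be retried
        self.received = bytearray()       # decrypted application data

    def handshake_step(self):
        try:                              # SSL_connect/SSL_accept equivalent
            self.ssl.do_handshake()
            self.established = True
        except ssl.SSLWantReadError:
            pass                          # needs more peer data; retry on next read event
        return self.established

    def on_read(self, data):
        """Read event: the tcp layer pulled `data` off the socket."""
        self.incoming.write(data)         # hand the bytes to the BIO
        if not self.established and not self.handshake_step():
            return                        # unconsumed bytes stay parked in `incoming`
        self._retry_queued_writes()       # an SSL_write that wanted to read goes first
        while True:
            try:
                chunk = self.ssl.read(4096)
            except ssl.SSLWantReadError:
                break                     # partial record: the BIO keeps the remainder
            if not chunk:
                break                     # close_notify / EOF
            self.received += chunk

    def _retry_queued_writes(self):
        while self.clear_queue:
            try:
                self.ssl.write(self.clear_queue[0])
            except ssl.SSLWantReadError:
                return                    # still needs peer data; retry on the next read event
            self.clear_queue.popleft()

    def write(self, clear):
        """Application write: True if encrypted now, False if queued for a later read event."""
        if self.clear_queue or not self.established:
            self.clear_queue.append(clear)  # e.g. first write on a connection still handshaking
            return False
        try:
            self.ssl.write(clear)
            return True
        except ssl.SSLWantReadError:      # e.g. re-keying in progress
            self.clear_queue.append(clear)
            return False


def pump(a, b, chunk=100):
    # Simulated socket: shuttle wire bytes in small chunks until both sides are idle.
    progressed = True
    while progressed:
        progressed = False
        for src, dst in ((a, b), (b, a)):
            wire = src.outgoing.read()    # what the tcp layer would send or queue
            for i in range(0, len(wire), chunk):
                dst.on_read(wire[i:i + chunk])
                progressed = True


def run_exchange(request=b"REGISTER sip:example.org SIP/2.0\r\n\r\n",
                 response=b"SIP/2.0 200 OK\r\n\r\n"):
    client = AsyncTlsConn(anon_context(ssl.PROTOCOL_TLS_CLIENT), server_side=False)
    server = AsyncTlsConn(anon_context(ssl.PROTOCOL_TLS_SERVER), server_side=True)
    client.handshake_step()                          # emits the ClientHello
    first_write_queued = not client.write(request)   # handshake pending: clear text queued
    pump(client, server)                             # handshake completes, queued write goes out
    reply_direct = server.write(response)            # established: encrypted immediately
    pump(client, server)
    return {
        "first_write_queued": first_write_queued,
        "reply_written_directly": reply_direct,
        "server_received": bytes(server.received),
        "client_received": bytes(client.received),
        "cipher": client.ssl.cipher()[0],
    }
```

run_exchange() returns a dict showing that the client's REGISTER, written while its handshake was still pending, was queued and only encrypted from the read event that completed the handshake, while the server's reply, written on an established connection, went out directly. Because pump() hands over bytes in 100-byte slices, most handshake flights arrive split across several read events; each partial record raises SSLWantReadError and the unconsumed bytes simply stay in the incoming MemoryBIO until the next event, which is the memory-buffer equivalent of the "queue the encrypted data and ask the tcp code to read again" path in the commit message.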
Hi Andrei!
Great news. Please drop a message when the code is ready to test.
regards
Klaus
On 20.05.2010 19:12, Andrei Pelinescu-Onciul wrote:
Module: sip-router Branch: andrei/tcp_tls_changes Commit: 93c495f34ebb001f9509db82acad5a7483b61d41 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=93c495f3...
Author: Andrei Pelinescu-Onciul andrei@iptel.org Committer: Andrei Pelinescu-Onciul andrei@iptel.org Date: Thu May 20 18:24:38 2010 +0200
tls: async support (major tls core rewrite)
On May 20, 2010 at 19:53, Klaus Darilion klaus.mailinglists@pernau.at wrote:
Hi Andrei!
Great news. Please drop a message when the code is ready to test.
It is. It has some extra debug (visible if loglevel >= L_INFO) and it's not yet tunable (hard-coded queue sizes and so on), but it's ready for testing.
So far I did only rather basic server mode tests (phone registering over tls and calls to the tls phone). No stress testing yet.
Andrei