20 May
2010
20 May
'10
8:12 p.m.
Module: sip-router
Branch: andrei/tcp_tls_changes
Commit: 93c495f34ebb001f9509db82acad5a7483b61d41
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=93c495f…
Author: Andrei Pelinescu-Onciul <andrei(a)iptel.org>
Committer: Andrei Pelinescu-Onciul <andrei(a)iptel.org>
Date: Thu May 20 18:24:38 2010 +0200
tls: async support (major tls core rewrite)
The new tls hook interface (exported by the tcp code) is now used.
All the IO operations are made through a custom SSL BIO, that
reads and writes in some memory buffers (see tls_bio.h), while
externally emulating a socket. This BIO provides in fact some
functions that will be called by the openssl code on IO.
In the case of a read event, the data is first read in memory
(using tcp_read_data()), then assigned to the BIO and after that
one of SSL_read(), SSL_connect/accept (if the connection is not
yet established) or SSL_write (if the last write wanted to read
some data due to re-keying) are called. They will all read from
the custom BIO. A SSL_read() might not use all the data (in some
very unlikely situations), so in this case the encrypted data is
queued and the tcp code is signaled (via some flags) that it
should repeat the read call when more space is available.
Writes are split in 2: 1st write on a new connection in async mode
and other writes (they need to be handled slightly differently).
The encrypted data will end up in a memory buffer (via SSL_write()
and the custom BIO). From there it will be either sent directly if
possible or queued (tcp_async). In the case when the SSL_write()
needs to read some data (e.g. re-keying), the whole clear text
data will be queued and the SSL_write() will be retried on the
first read event.
There is no separate async mode for tls, if tcp is in async mode,
then tls will be too and vice versa.
Runtime tunning (queue sizes a.s.o) and statistics are missing for
now.
(C) and license changes:
- moved tls_dump_verification_failure into a separate file
(tls_dump_vf.c), out of tls_server.c.
- the remaining tcp_server.[ch] code is either re-written (most of it,
the entire read & write part) or comes from old iptel code =>
changed the (c) to iptelorg only and the license to BSD-like
(only for tcp_server.[ch]).
---
modules/tls/tls_dump_vf.c | 144 ++++++
modules/tls/tls_dump_vf.h | 41 ++
modules/tls/tls_init.c | 2 +
modules/tls/tls_mod.c | 34 +-
modules/tls/tls_server.c | 1105 ++++++++++++++++++++++++---------------------
modules/tls/tls_server.h | 76 ++--
6 files changed, 831 insertions(+), 571 deletions(-)
Diff:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commitdiff;h=93c…
20 May
20 May
8:53 p.m.
Hi Andrei!
Great news. Please drop a message when the code is ready to test.
regards
Klaus
Am 20.05.2010 19:12, schrieb Andrei Pelinescu-Onciul:
Module: sip-router
Branch: andrei/tcp_tls_changes
Commit: 93c495f34ebb001f9509db82acad5a7483b61d41
URL:http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=93c…
Author: Andrei Pelinescu-Onciul<andrei(a)iptel.org>
Committer: Andrei Pelinescu-Onciul<andrei(a)iptel.org>
Date: Thu May 20 18:24:38 2010 +0200
tls: async support (major tls core rewrite)
8:58 p.m.
On May 20, 2010 at 19:53, Klaus Darilion <klaus.mailinglists(a)pernau.at> wrote:
Hi Andrei!
Great news. Please drop a message when the code is ready to test.
It is. It has some extra debug (visible if loglevel >= L_INFO) and
it's not yet tunable (hard coded queue sizes a.s.o.), but it's ready
for testing.
So far I did only rather basic server mode tests (phone registering over
tls and calls to the tls phone). No stress testing yet.
Andrei
5303
days inactive
5303
days old
2 comments
2 participants
participants (2)
-
Andrei Pelinescu-Onciul -
Klaus Darilion